style: format all files with prettier

This commit is contained in:
Seth Hobson
2026-01-19 17:07:03 -05:00
parent 8d37048deb
commit 56848874a2
355 changed files with 15215 additions and 10241 deletions

View File

@@ -4,6 +4,7 @@ description: Understand anti-reversing, obfuscation, and protection techniques e
---
> **AUTHORIZED USE ONLY**: This skill contains dual-use security techniques. Before proceeding with any bypass or analysis:
>
> 1. **Verify authorization**: Confirm you have explicit written permission from the software owner, or are operating within a legitimate security context (CTF, authorized pentest, malware analysis, security research)
> 2. **Document scope**: Ensure your activities fall within the defined scope of your authorization
> 3. **Legal compliance**: Understand that unauthorized bypassing of software protection may violate laws (CFAA, DMCA anti-circumvention, etc.)
@@ -58,6 +59,7 @@ if (debugFlags == 0) exit(1); // 0 means being debugged
```
**Bypass Approaches:**
```python
# x64dbg: ScyllaHide plugin
# Patches common anti-debug checks
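Review bot: the `Bypass Approaches` fence in this hunk is tagged `python` but its visible body is two comment lines (`# x64dbg: ScyllaHide plugin`, `# Patches common anti-debug checks`) with no Python in them; since this commit already touches the spacing around the fence, retag it as `text` or drop the tag so linters and syntax highlighting stop treating the block as Python source.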
@@ -96,6 +98,7 @@ if (*heapFlags & 0x50000062) exit(1);
```
**Bypass Approaches:**
```assembly
; In debugger, modify PEB directly
; x64dbg: dump at gs:[60] (x64) or fs:[30] (x86)
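Review bot: the hunk-header context line `if (*heapFlags & 0x50000062) exit(1);` includes bit 0x2 (HEAP_GROWABLE) in the mask, and that bit is set on the default process heap whether or not a debugger is attached, so as written the check fires unconditionally; the debugger-only bits are 0x40000060 (HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED). Out of scope for a prettier-only commit, but worth a follow-up, since the PEB-patching bypass text below it depends on the mask being right.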
@@ -128,6 +131,7 @@ if (GetTickCount() - start > 1000) exit(1);
```
**Bypass Approaches:**
```
- Use hardware breakpoints instead of software
- Patch timing checks
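Review bot: this `Bypass Approaches` block is a bullet list (`- Use hardware breakpoints instead of software`, `- Patch timing checks`) wrapped in an untagged code fence, so it renders as preformatted text and prettier cannot normalise it; the VM-detection hunk further down (`- Use bare-metal analysis environment`) has the same shape. Suggest dropping those fences and letting the items render as plain markdown lists, matching the unfenced `Analysis Approach` lists later in the same file.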
@@ -185,6 +189,7 @@ if (getppid() != 1 && strcmp(get_process_name(getppid()), "bash") != 0) {
```
**Bypass Approaches:**
```bash
# LD_PRELOAD to hook ptrace
# Compile: gcc -shared -fPIC -o hook.so hook.c
@@ -252,6 +257,7 @@ if ((end - start) > 500) {
```
**Bypass Approaches:**
```
- Use bare-metal analysis environment
- Harden VM (remove guest tools, change MAC)
@@ -297,6 +303,7 @@ while (1) {
```
**Analysis Approach:**
- Identify state variable
- Map state transitions
- Reconstruct original flow
@@ -320,6 +327,7 @@ if ((x * (x + 1)) % 2 == 1) { // Product of consecutive = even
```
**Analysis Approach:**
- Identify constant expressions
- Symbolic execution to prove predicates
- Pattern matching for known opaque predicates
@@ -347,6 +355,7 @@ url[4] = ':'; url[5] = '/'; url[6] = '/';
```
**Analysis Approach:**
```python
# FLOSS for automatic string deobfuscation
floss malware.exe
@@ -383,6 +392,7 @@ DWORD hash_api(char *name) {
```
**Analysis Approach:**
- Identify hash algorithm
- Build hash database of known APIs
- Use HashDB plugin for IDA
@@ -535,6 +545,7 @@ Symbolic execution: angr, Triton
### Ethical Considerations
This knowledge should only be used for:
- Authorized security research
- Malware analysis (defensive)
- CTF competitions
@@ -542,6 +553,7 @@ This knowledge should only be used for:
- Educational purposes
Never use to bypass protections for:
- Software piracy
- Unauthorized access
- Malicious purposes

View File

@@ -12,6 +12,7 @@ Comprehensive patterns and techniques for analyzing compiled binaries, understan
### x86-64 Instruction Patterns
#### Function Prologue/Epilogue
```asm
; Standard prologue
push rbp ; Save base pointer
@@ -35,6 +36,7 @@ ret
#### Calling Conventions
**System V AMD64 (Linux, macOS)**
```asm
; Arguments: RDI, RSI, RDX, RCX, R8, R9, then stack
; Return: RAX (and RDX for 128-bit)
@@ -53,6 +55,7 @@ call func
```
**Microsoft x64 (Windows)**
```asm
; Arguments: RCX, RDX, R8, R9, then stack
; Shadow space: 32 bytes reserved on stack
@@ -72,6 +75,7 @@ add rsp, 0x28
### ARM Assembly Patterns
#### ARM64 (AArch64) Calling Convention
```asm
; Arguments: X0-X7
; Return: X0 (and X1 for 128-bit)
@@ -88,6 +92,7 @@ ret
```
#### ARM32 Calling Convention
```asm
; Arguments: R0-R3, then stack
; Return: R0 (and R1 for 64-bit)

View File

@@ -12,6 +12,7 @@ Comprehensive techniques for acquiring, analyzing, and extracting artifacts from
### Live Acquisition Tools
#### Windows
```powershell
# WinPmem (Recommended)
winpmem_mini_x64.exe memory.raw
@@ -27,6 +28,7 @@ DumpIt.exe
```
#### Linux
```bash
# LiME (Linux Memory Extractor)
sudo insmod lime.ko "path=/tmp/memory.lime format=lime"
@@ -39,6 +41,7 @@ sudo cp /proc/kcore memory.elf
```
#### macOS
```bash
# osxpmem
sudo ./osxpmem -o memory.raw
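Review bot: the hunk-header context `sudo cp /proc/kcore memory.elf` is not a workable acquisition step: /proc/kcore exposes the kernel's virtual address space as an ELF core with an enormous reported size rather than a RAM-sized image, so `cp` runs until the destination fills, and the file is blocked outright under kernel lockdown. Not a formatting issue, but since LiME is already listed beside it, a follow-up should drop the `cp` line or qualify it as a last resort that needs a tool that walks the ELF program headers instead of copying the whole file.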
@@ -83,6 +86,7 @@ vol -f memory.raw -s /path/to/symbols windows.pslist
### Essential Plugins
#### Process Analysis
```bash
# List processes
vol -f memory.raw windows.pslist
@@ -104,6 +108,7 @@ vol -f memory.raw windows.cmdline
```
#### Network Analysis
```bash
# Network connections
vol -f memory.raw windows.netscan
@@ -113,6 +118,7 @@ vol -f memory.raw windows.netstat
```
#### DLL and Module Analysis
```bash
# Loaded DLLs per process
vol -f memory.raw windows.dlllist --pid <PID>
@@ -128,6 +134,7 @@ vol -f memory.raw windows.moddump --pid <PID>
```
#### Memory Injection Detection
```bash
# Detect code injection
vol -f memory.raw windows.malfind
@@ -140,6 +147,7 @@ vol -f memory.raw windows.vadyarascan --yara-rules rules.yar
```
#### Registry Analysis
```bash
# List registry hives
vol -f memory.raw windows.registry.hivelist
@@ -152,6 +160,7 @@ vol -f memory.raw windows.registry.hivescan --dump
```
#### File System Artifacts
```bash
# Scan for file objects
vol -f memory.raw windows.filescan

View File

@@ -330,9 +330,11 @@ export SSLKEYLOGFILE=/tmp/keys.log
# Protocol Name Specification
## Overview
Brief description of protocol purpose and design.
## Transport
- Layer: TCP/UDP
- Port: XXXX
- Encryption: TLS 1.2+
@@ -340,44 +342,52 @@ Brief description of protocol purpose and design.
## Message Format
### Header (12 bytes)
| Offset | Size | Field | Description |
|--------|------|-------------|--------------------------|
| 0 | 4 | Magic | 0x50524F54 ("PROT") |
| 4 | 2 | Version | Protocol version (1) |
| 6 | 2 | Type | Message type identifier |
| 8 | 4 | Length | Payload length in bytes |
| Offset | Size | Field | Description |
| ------ | ---- | ------- | ----------------------- |
| 0 | 4 | Magic | 0x50524F54 ("PROT") |
| 4 | 2 | Version | Protocol version (1) |
| 6 | 2 | Type | Message type identifier |
| 8 | 4 | Length | Payload length in bytes |
### Message Types
| Type | Name | Description |
|------|---------------|--------------------------|
| 0x01 | HELLO | Connection initiation |
| 0x02 | HELLO_ACK | Connection accepted |
| 0x03 | DATA | Application data |
| 0x04 | CLOSE | Connection termination |
| Type | Name | Description |
| ---- | --------- | ---------------------- |
| 0x01 | HELLO | Connection initiation |
| 0x02 | HELLO_ACK | Connection accepted |
| 0x03 | DATA | Application data |
| 0x04 | CLOSE | Connection termination |
### Type 0x01: HELLO
| Offset | Size | Field | Description |
|--------|------|-------------|--------------------------|
| 0 | 4 | ClientID | Unique client identifier |
| 4 | 2 | Flags | Connection flags |
| 6 | var | Extensions | TLV-encoded extensions |
| Offset | Size | Field | Description |
| ------ | ---- | ---------- | ------------------------ |
| 0 | 4 | ClientID | Unique client identifier |
| 4 | 2 | Flags | Connection flags |
| 6 | var | Extensions | TLV-encoded extensions |
## State Machine
```
[INIT] --HELLO--> [WAIT_ACK] --HELLO_ACK--> [CONNECTED]
|
DATA/DATA
|
[CLOSED] <--CLOSE--+
|
DATA/DATA
|
[CLOSED] <--CLOSE--+
```
## Examples
### Connection Establishment
```
Client -> Server: HELLO (ClientID=0x12345678)
Server -> Client: HELLO_ACK (Status=OK)
Client -> Server: DATA (payload)
```
```
### Wireshark Dissector (Lua)
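Review bot: in the `@@ -340,44 +342,52 @@` hunk the lines of the state-machine diagram inside the fenced block appear twice (`|`, `DATA/DATA`, `|`, `[CLOSED] <--CLOSE--+`), so something about them changed that the rendered diff does not show, most likely leading or trailing whitespace; that diagram depends on whitespace to line the `|` arrows up under `[CONNECTED]`, so check the rendered page before merging rather than trusting a formatter pass over ASCII art. The `Connection Establishment` example also ends with two consecutive ``` lines; confirm one of them is the removed side of the hunk and not a stray fence left in the new file, because an unmatched fence would invert code/prose rendering for everything that follows, starting with the `Wireshark Dissector (Lua)` section. The realignment of the Header, Message Types and HELLO tables in the same hunk is whitespace only; the cell contents match line for line.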