ctf-malware
The ctf-malware skill provides techniques and tools for analyzing malware in capture-the-flag competitions, including static PE/.NET binary inspection, dynamic behavior monitoring with strace and ltrace, C2 traffic pattern recognition, custom cryptographic protocol decryption, memory forensics with Volatility 3, YARA rule development, shellcode emulation, and anti-analysis evasion detection. Use this skill when reverse-engineering obfuscated scripts, trojanized packages, encrypted communications, malware configurations, or identifying indicators of compromise in CTF challenges.
git clone --depth 1 https://github.com/ljagiello/ctf-skills /tmp/ctf-malware && cp -r /tmp/ctf-malware/ctf-malware ~/.claude/skills/ctf-malwareSKILL.md
# CTF Malware & Network Analysis
Quick reference for malware analysis CTF challenges. Each technique has a one-liner here; see supporting files for full details with code.
## Prerequisites
**Python packages (all platforms):**
```bash
pip install yara-python pefile capstone oletools unicorn pycryptodome \
volatility3 dissect.cobaltstrike
```
**Linux (apt):**
```bash
apt install strace ltrace tshark binwalk binutils
```
**macOS (Homebrew):**
```bash
brew install wireshark binwalk binutils ghidra
```
**Manual install:**
- dnSpy — [GitHub](https://github.com/dnSpy/dnSpy), .NET decompiler (Windows)
## Additional Resources
- [scripts-and-obfuscation.md](scripts-and-obfuscation.md) - JavaScript deobfuscation, PowerShell analysis, eval/base64 decoding, junk code detection, hex payloads, Debian package analysis, dynamic analysis techniques (strace/ltrace, network monitoring, memory string extraction, automated sandbox execution), YARA rules for malware detection, shellcode analysis (Unicorn Engine, Capstone), memory forensics for malware (Volatility 3 malfind, process injection detection), anti-analysis techniques (VM detection, timing evasion, API hashing, process injection), trojanized plugin analysis with custom alphabet C2 decoding
- [c2-and-protocols.md](c2-and-protocols.md) - C2 traffic patterns, custom crypto protocols, RC4 WebSocket, DNS-based C2, network indicators, PCAP analysis, AES-CBC, encryption ID, Telegram bot recovery, Poison Ivy RAT Camellia decryption
- [pe-and-dotnet.md](pe-and-dotnet.md) - PE analysis (peframe, pe-sieve, pestudio), .NET analysis (dnSpy, AsmResolver), LimeRAT extraction, sandbox evasion, malware config extraction, PyInstaller+PyArmor
---
## When to Pivot
- If the sample is really just a normal crackme, packed challenge binary, or custom VM with no malware behavior, switch to `/ctf-reverse`.
- If the main job is network reconstruction, disk carving, or host artifact recovery, switch to `/ctf-forensics`.
- If the challenge turns into public attribution or infrastructure tracing, switch to `/ctf-osint`.
## Quick Start Commands
```bash
# Static analysis
file suspicious_file
strings -n 8 suspicious_file | head -50
xxd suspicious_file | head -20
# PE analysis
python3 -c "import pefile; pe=pefile.PE('mal.exe'); print(pe.dump_info())" | head
peframe mal.exe
# Dynamic analysis (sandboxed!)
strace -f -s 200 ./suspicious 2>&1 | head -100
ltrace ./suspicious 2>&1 | head -50
# Network indicators
strings suspicious_file | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
strings suspicious_file | grep -iE 'http|ftp|ws://'
# YARA scan
yara -r rules.yar suspicious_file
```
## Obfuscated Scripts
- Replace `eval`/`bash` with `echo` to print underlying code; extract base64/hex blobs and analyze with `file`. See [scripts-and-obfuscation.md](scripts-and-obfuscation.md).
## JavaScript & PowerShell Deobfuscation
- JS: Replace `eval` with `console.log`, decode `unescape()`, `atob()`, `String.fromCharCode()`.
- PowerShell: Decode `-enc` base64, replace `IEX` with output. See [scripts-and-obfuscation.md](scripts-and-obfuscation.md).
## Junk Code Detection
- NOP sleds, push/pop pairs, dead writes, unconditional jumps to next instruction. Filter to extract real `call` targets. See [scripts-and-obfuscation.md](scripts-and-obfuscation.md).
## PCAP & Network Analysis
```bash
tshark -r file.pcap -Y "tcp.stream eq X" -T fields -e tcp.payload
```
Look for C2 on unusual ports. Extract IPs/domains with `strings | grep`. See [c2-and-protocols.md](c2-and-protocols.md).
## Custom Crypto Protocols
- Stream ciphers share keystream state for both directions; concatenate ALL payloads chronologically.
- ChaCha20 keystream extraction: send nullbytes (0 XOR anything = anything). See [c2-and-protocols.md](c2-and-protocols.md).
## C2 Traffic Patterns
- Beaconing, DGA, DNS tunneling, HTTP(S) with custom headers, encoded payloads. See [c2-and-protocols.md](c2-and-protocols.md).
## RC4-Encrypted WebSocket C2
- Remap port with `tcprewrite`, add RSA key for TLS decryption, find RC4 key in binary. See [c2-and-protocols.md](c2-and-protocols.md).
## Identifying Encryption Algorithms
- AES: `0x637c777b` S-box; ChaCha20: `expand 32-byte k`; TEA/XTEA: `0x9E3779B9`; RC4: sequential S-box init. See [c2-and-protocols.md](c2-and-protocols.md).
## AES-CBC in Malware
- Key = MD5/SHA256 of hardcoded string; IV = first 16 bytes of ciphertext. See [c2-and-protocols.md](c2-and-protocols.md).
## PE Analysis
```bash
peframe malware.exe # Quick triage
pe-sieve # Runtime analysis
pestudio # Static analysis (Windows)
```
See [pe-and-dotnet.md](pe-and-dotnet.md).
## .NET Malware Analysis
- Use dnSpy/ILSpy for decompilation; AsmResolver for programmatic analysis. LimeRAT C2: AES-256-ECB with MD5-derived key. See [pe-and-dotnet.md](pe-and-dotnet.md).
## Malware Configuration Extraction
- Check .data section, PE/.NET resources, registry keys, encrypted config files. See [pe-and-dotnet.md](pe-and-dotnet.md).
## Sandbox Evasion Checks
- VM detection, debugger detection, timing checks, environment checks, analysis tool detection. See [pe-and-dotnet.md](pe-and-dotnet.md).
## Anti-Analysis Techniques
VM detection (CPUID, MAC prefix, registry, disk size), timing evasion (sleep/RDTSC sandbox detection), API hashing (ROR13/DJB2/CRC32 + hashdb lookup), process injection (hollowing, APC, CreateRemoteThread), environment checks. See [scripts-and-obfuscation.md](scripts-and-obfuscation.md#anti-analysis-techniques).
## Trojanized Plugin Analysis
Diff malicious plugin against official release to find injected code in try/except blocks. Custom alphabet rotation (`C[(C.index(ch) - offset) % len(C)]`) decodes C2 domain, XOR decodes endpoint path. See [scripts-and-obfuscation.md](scripts-and-obfuscation.md#trojanized-plugin-analysis-with-custom-alphabet-c2-decoding-inshack-2018).
## PyInstaller + PyArmor Unpacking
- `pyinstxtractor.py` to extract, PyArmor-UnProvides AI and machine learning techniques for CTF challenges. Use when attacking ML models, crafting adversarial examples, performing model extraction, prompt injection, membership inference, training data poisoning, fine-tuning manipulation, neural network analysis, LoRA adapter exploitation, LLM jailbreaking, or solving AI-related puzzles.
Provides cryptography attack techniques for CTF challenges. Use when attacking encryption, hashing, signatures, ZKP, PRNG, or mathematical crypto problems involving RSA, AES, ECC, lattices, LWE, CVP, number theory, Coppersmith, Pollard, Wiener, padding oracle, GCM, key derivation, or stream/block cipher weaknesses.
Provides digital forensics and signal analysis techniques for CTF challenges. Use when analyzing disk images, memory dumps, event logs, network captures, cryptocurrency transactions, steganography, PDF analysis, Windows registry, Volatility, PCAP, Docker images, coredumps, side-channel power traces, DTMF audio spectrograms, packet timing analysis, CD audio disc images, or recovering deleted files and credentials.
Provides miscellaneous CTF challenge techniques for problems that do not cleanly fit the main categories. Use for encoding puzzles, pyjails, bash jails, RF/SDR, DNS oddities, unicode tricks, esoteric languages, QR or audio puzzles, constraint solving, game theory, unusual sandbox escapes, and hybrid logic puzzles. Prefer a more specific skill first when the challenge is mainly web, pwn, reverse, forensics, malware, OSINT, or crypto. Treat this as the fallback skill for genuine cross-category or edge-case challenges, not the default starting point.
Provides open source intelligence techniques for CTF challenges. Use when gathering information from public sources, social media, geolocation, DNS records, username enumeration, reverse image search, Google dorking, Wayback Machine, Tor relays, FEC filings, or identifying unknown data like hashes and coordinates.
Provides binary exploitation techniques for CTF challenges. Use when you already have a vulnerable native target or service and need to turn memory corruption or low-level primitives into code execution or privilege escalation, such as buffer overflows, format strings, heap bugs, ROP, ret2libc, shellcode, kernel exploitation, seccomp bypass, sandbox escape, or Windows/Linux exploit chains. Do not use it when the main blocker is understanding what the binary does; use reverse engineering first. Do not use it for pure web bugs, disk or packet forensics, or standalone crypto/math challenges.
Provides reverse engineering techniques for CTF challenges. Use when the main job is to understand how a compiled, obfuscated, packed, or virtualized target works before exploiting or solving it, including binaries, APKs, WASM, firmware, custom VMs, bytecode, game clients, malware-like loaders, and anti-debug or anti-analysis logic. Do not use it when the vulnerability is already understood and the remaining task is exploitation; use pwn instead. Do not use it for pure web workflows, log or disk forensics, or standalone crypto problems unless reversing the implementation is the real blocker.
Provides web exploitation techniques for CTF challenges. Use when the target is primarily an HTTP application, API, browser client, template engine, identity flow, or smart-contract frontend/backend surface, including XSS, SQLi, SSTI, SSRF, XXE, JWT, auth bypass, file upload, request smuggling, OAuth/OIDC, SAML, prototype pollution, and similar web bugs. Do not use it for native binary memory corruption, reverse engineering of standalone executables, disk or memory forensics, or pure cryptanalysis unless the web flaw is still the main path to the flag.