malware-analyst by sickn33/antigravity-awesome-skills
```shell
npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill malware-analyst
```
```shell
file sample.exe
sha256sum sample.exe
strings -a sample.exe | head -100
floss sample.exe              # obfuscated strings
diec sample.exe               # Detect It Easy
exeinfope sample.exe
rabin2 -i sample.exe
dumpbin /imports sample.exe
```
### Phase 3: Static Analysis
1. **Load in disassembler**: IDA Pro, Ghidra, or Binary Ninja
2. **Identify main functionality**: Entry point, WinMain, DllMain
3. **Map execution flow**: Key decision points, loops
4. **Identify capabilities**: Network, file, registry, process operations
5. **Extract IOCs**: C2 addresses, file paths, mutex names
### Phase 4: Dynamic Analysis
Environment Setup:
Execution:
Documentation:
## Use this skill when
- Working on file identification tasks or workflows
- Needing guidance, best practices, or checklists for file identification
## Do not use this skill when
- The task is unrelated to file identification
- You need a different domain or tool outside this scope
## Instructions
- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.
## Common Malware Techniques
### Persistence Mechanisms
- Registry Run keys - `HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
- Scheduled tasks - schtasks, Task Scheduler
- Services - CreateService, sc.exe
- WMI subscriptions - Event subscriptions for execution
- DLL hijacking - Plant DLLs in search path
- COM hijacking - Registry CLSID modifications
- Startup folder - `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`
- Boot records - MBR/VBR modification
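The locations above are exactly what to look for in a Process Monitor trace during dynamic analysis. The following Python script is an added example, not part of the original skill: it runs one rule per persistence location over a constructed Procmon CSV export (the process name, PIDs, paths and placeholder CLSID are made up for the demo) and maps each event to the technique it implements together with the payload the entry points at.

```python
import csv
import io
import re

# Constructed Process Monitor CSV export for the demo (not a real capture).
# Column layout follows Procmon's default export; process, PIDs and the
# CLSID are placeholders.
SAMPLE_PROCMON_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Users\victim\AppData\Roaming\svchost.exe"
"10:01:02.3","sample.exe","4120","CreateFile","C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk","SUCCESS","Desired Access: Generic Write"
"10:01:02.9","sample.exe","4120","Process Create","C:\Windows\System32\schtasks.exe","SUCCESS","PID: 4188, Command line: schtasks /create /sc onlogon /tn Updater /tr C:\Users\victim\AppData\Roaming\svchost.exe"
"10:01:03.2","sample.exe","4120","RegSetValue","HKLM\System\CurrentControlSet\Services\WinSync\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 70, Data: C:\Users\victim\AppData\Roaming\svchost.exe"
"10:01:03.5","sample.exe","4120","RegSetValue","HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\Users\victim\AppData\Roaming\evil.dll"
"10:01:03.8","sample.exe","4120","CreateFile","C:\Users\victim\Documents\notes.txt","SUCCESS","Desired Access: Generic Read"
"""

# (technique, Procmon operation, path pattern): one rule per location in
# the persistence list above.
PERSISTENCE_RULES = [
    ("registry_run_key", "RegSetValue",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("service_imagepath", "RegSetValue",
     re.compile(r"^HKLM\\System\\(CurrentControlSet|ControlSet\d+)\\Services\\[^\\]+\\ImagePath$", re.I)),
    ("com_hijack", "RegSetValue",
     re.compile(r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32\\", re.I)),
    ("startup_folder", "CreateFile",
     re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
    ("scheduled_task", "Process Create",
     re.compile(r"\\schtasks\.exe$", re.I)),
]

# The executable a persistence entry launches: registry "Data:" value or
# the schtasks /tr argument.
PAYLOAD_RE = re.compile(r"(?:Data: |/tr )(\S+)")


def payload_from_detail(detail):
    """Pull the launched executable out of Procmon's Detail column, if any."""
    m = PAYLOAD_RE.search(detail)
    return m.group(1) if m else None


def find_persistence(procmon_csv):
    """Map Procmon events to the persistence technique they implement."""
    hits = []
    for row in csv.DictReader(io.StringIO(procmon_csv.strip())):
        for technique, operation, pattern in PERSISTENCE_RULES:
            if row["Operation"] == operation and pattern.search(row["Path"]):
                hits.append({
                    "technique": technique,
                    "process": f'{row["Process Name"]}:{row["PID"]}',
                    "path": row["Path"],
                    "payload": payload_from_detail(row["Detail"]),
                })
    return hits


if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_PROCMON_CSV):
        print(f'{hit["technique"]:18} {hit["path"]}  ->  {hit["payload"]}')
```

Every payload path a rule recovers is itself a file-system IOC, and the Run-key, service and scheduled-task hits here all point at the same dropped binary, which is the kind of cross-reference worth calling out in the report. The rules key on the Procmon operation as well as the path so that a benign read of a Run key is not mistaken for a write.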
### Evasion Techniques
- Anti-VM - CPUID, registry checks, timing
- Anti-debugging - IsDebuggerPresent, NtQueryInformationProcess
- Anti-sandbox - Sleep acceleration detection, mouse movement
- Packing - UPX, Themida, VMProtect, custom packers
- Obfuscation - String encryption, control flow flattening
- Process hollowing - Inject into legitimate process
- Living-off-the-land - Use built-in tools (PowerShell, certutil)
### C2 Communication
- HTTP/HTTPS - Web traffic to blend in
- DNS tunneling - Data exfil via DNS queries
- Domain generation - DGA for resilient C2
- Fast flux - Rapidly changing DNS
- Tor/I2P - Anonymity networks
- Social media - Twitter, Pastebin as C2 channels
- Cloud services - Legitimate services as C2
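DGA names and DNS tunneling both leave a recognisable shape in a query log captured with Wireshark or a sandbox: random-looking second-level labels for the former, many distinct long leftmost labels under one parent for the latter. The following Python script is an added example, not part of the original skill; it scores a constructed query log (the hex labels, the random-looking domains and the client address are made up) with those two heuristics.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log for the demo (not a real capture).
# Each line: <client> <query type> <query name>.
SAMPLE_DNS_LOG = """
10.0.0.7 A www.microsoft.com
10.0.0.7 A update.example.com
10.0.0.7 TXT 4a6f686e20446f6520313233.exfil.example.net
10.0.0.7 TXT 6d616c776172652d646174612d.exfil.example.net
10.0.0.7 TXT 30313233343536373839616263.exfil.example.net
10.0.0.7 A xkq3p8zvn2tj.com
10.0.0.7 A fr9zq2mxkw7v.net
10.0.0.7 A hgb7t2nz1qaw.biz
10.0.0.7 A login.live.com
"""


def shannon_entropy(text):
    """Bits per character; random DGA labels score well above dictionary-like names."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname):
    """Return (registrable domain, subdomain labels). Naive two-label rule:
    a real tool should use the Public Suffix List so co.uk and friends work."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def looks_dga(label):
    """Long, high-entropy, vowel-poor second-level label: the classic DGA shape."""
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 10 and shannon_entropy(label) >= 3.0 and vowels / len(label) < 0.25


def analyse_dns(log):
    """Return {indicator: verdict} for DGA candidates and DNS-tunnel parent domains."""
    verdicts = {}
    per_parent = defaultdict(list)
    for line in log.strip().splitlines():
        _client, qtype, qname = line.split()
        parent, subs = split_name(qname)
        if looks_dga(parent.split(".")[0]):
            verdicts[qname] = "dga"
        per_parent[parent].append((qtype, subs[0] if subs else ""))
    for parent, queries in per_parent.items():
        # Tunneling encodes data in the leftmost label: many distinct, long
        # labels under one parent (often TXT/NULL/CNAME queries).
        encoded = [label for _qtype, label in queries if len(label) >= 20]
        if len(encoded) >= 3 and len(set(encoded)) == len(encoded):
            verdicts[parent] = "dns_tunnel"
    return verdicts


if __name__ == "__main__":
    for indicator, verdict in analyse_dns(SAMPLE_DNS_LOG).items():
        print(f"{verdict:10} {indicator}")
```

The thresholds are deliberately conservative starting points; CDN hostnames and some legitimate SaaS labels will trip the DGA rule, so treat a hit as a lead to confirm against the sample's code (for example a DGA routine seeded from the date) rather than a verdict on its own.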
## Tool Proficiency
### Analysis Platforms
- Cuckoo Sandbox - Open-source automated analysis
- ANY.RUN - Interactive cloud sandbox
- Hybrid Analysis - Free front end to CrowdStrike Falcon Sandbox, commonly used alongside VirusTotal
- Joe Sandbox - Enterprise sandbox solution
- CAPE - Cuckoo fork with enhancements (payload extraction, config decoding)
### Monitoring Tools
- Process Monitor - File, registry, process activity
- Process Hacker - Advanced process management
- Wireshark - Network packet capture
- API Monitor - Win32 API call logging
- Regshot - Registry change comparison
### Unpacking Tools
- Unipacker - Automated unpacking framework
- x64dbg + plugins - Scylla for IAT reconstruction
- OllyDumpEx - Memory dump and rebuild
- PE-sieve - Detect hollowed processes
- UPX - `upx -d` for samples packed with stock UPX; it refuses samples whose UPX headers have been tampered with, which then need a manual dump
## IOC Extraction
### Indicators to Extract
```yaml
Network:
  - IP addresses (C2 servers)
  - Domain names
  - URLs
  - User-Agent strings
  - JA3/JA3S fingerprints
File System:
  - File paths created
  - File hashes (MD5, SHA1, SHA256)
  - File names
  - Mutex names
Registry:
  - Registry keys modified
  - Persistence locations
Process:
  - Process names
  - Command line arguments
  - Injected processes
```
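Most of the indicator classes above can be pulled straight out of `strings`/FLOSS output with a handful of patterns, which is a useful first pass before the disassembler confirms which ones are actually used. The following Python script is an added example, not part of the original skill; it runs over constructed strings output (documentation-range addresses, example domains and a made-up mutex, all labelled as such in the code), extracts the indicators per class, filters the classic version-string false positive for IPv4, and defangs them for the report.

```python
import re

# Constructed `strings`/FLOSS-style output for the demo (not from a real sample).
# Addresses come from TEST-NET documentation ranges; names use example domains.
SAMPLE_STRINGS = r"""
!This program cannot be run in DOS mode.
KERNEL32.dll
CreateMutexW
Global\ConstructedMutex_01
http://203.0.113.45:8080/gate.php
https://cdn.example.net/update/payload.bin
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Software\Microsoft\Windows\CurrentVersion\Run
%APPDATA%\Microsoft\svchost.exe
198.51.100.23
c2.example.org
version 1.0.0.1
schtasks /create /sc minute /mo 5 /tn Updater /tr %APPDATA%\Microsoft\svchost.exe
"""

PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "urls": re.compile(r"\bhttps?://[^\s\"'<>]+"),
    "domains": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|info|biz|xyz|top)\b", re.I),
    "user_agents": re.compile(r"^Mozilla/\d\.\d.*$", re.M),
    "mutexes": re.compile(r"^(?:Global|Local)\\\S+$", re.M),
    "registry": re.compile(r"(?:HKEY_[A-Z_]+\\|HK(?:LM|CU|CR|U)\\)?(?:Software|System)\\[^\s\"']+"),
    "paths": re.compile(r"(?:%[A-Za-z]+%|[A-Za-z]:)\\[^\s\"']+"),
    "commands": re.compile(r"^(?:schtasks|powershell|cmd|certutil|reg|rundll32|regsvr32|wmic|bitsadmin)\b.*$", re.I | re.M),
}


def _valid_ip(text, m):
    """Reject out-of-range octets and dotted version numbers ("version 1.0.0.1")."""
    if any(int(o) > 255 for o in m.group(0).split(".")):
        return False
    return not re.search(r"(?i)ver(?:sion)?\s*$", text[:m.start()])


def extract_iocs(strings_output):
    """Return {class: sorted indicators} for the classes listed above."""
    found = {key: set() for key in PATTERNS}
    for key, pattern in PATTERNS.items():
        for m in pattern.finditer(strings_output):
            if key == "ipv4" and not _valid_ip(strings_output, m):
                continue
            found[key].add(m.group(0))
    # The host inside a URL is an indicator in its own right.
    for url in found["urls"]:
        host = re.sub(r"^https?://([^/:]+).*$", r"\1", url)
        if PATTERNS["ipv4"].fullmatch(host):
            found["ipv4"].add(host)
        else:
            found["domains"].add(host.lower())
    return {key: sorted(values) for key, values in found.items()}


def defang(indicator):
    """hxxp:// and [.] so the report cannot be clicked; only the host part of a URL is touched."""
    m = re.match(r"(https?)(://)([^/]+)(.*)", indicator)
    if m:
        return "hxxp" + m.group(1)[4:] + m.group(2) + m.group(3).replace(".", "[.]") + m.group(4)
    return indicator.replace(".", "[.]")


if __name__ == "__main__":
    for key, values in extract_iocs(SAMPLE_STRINGS).items():
        for value in values:
            print(f"{key:12} {defang(value) if key in ('ipv4', 'urls', 'domains') else value}")
```

Strings present in the binary are candidates, not confirmed indicators: a packed or obfuscated sample will show almost none of these until it is unpacked or run under FLOSS, and decoy strings are common, so each extracted value should be tied back to the code path or the dynamic trace that uses it.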
```yara
rule Malware_Generic_Packer
{
    meta:
        description = "Detects common packer characteristics"
        author = "Security Analyst"
    strings:
        $mz = { 4D 5A }
        $upx = "UPX!" ascii
        $section = ".packed" ascii
    condition:
        $mz at 0 and ($upx or $section)
}
```
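The YARA rule keys on two byte patterns; the same question (is this packed?) is usually answered faster from the PE headers, where a packer shows up as odd section names, a section that is empty on disk but large in memory, high-entropy section data and, for UPX, the `UPX!` marker. The following Python script is an added example, not part of the original skill: it builds two constructed minimal PE images (a UPX-style layout and an ordinary one, both made up, with no optional header, which is enough for header triage but not a loadable binary) and runs those header checks over them, which is what `diec` and `exeinfope` do at a much larger scale.

```python
import hashlib
import math
import struct
import time
from collections import Counter
from datetime import datetime, timezone

# Section names that only packers produce (UPX* is handled by prefix).
PACKER_SECTION_NAMES = {".packed", ".themida", ".vmp0", ".vmp1", ".aspack", ".petite"}


def _pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for compressed code."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_pe(packed):
    """Constructed minimal PE image for the demo (not a real sample): DOS header,
    PE signature, COFF header and section table, SizeOfOptionalHeader = 0."""
    if packed:
        specs = [("UPX0", 0x20000, b""),                              # empty on disk, filled at runtime
                 ("UPX1", 0x1000, b"UPX!" + _pseudo_random(4092)),  # compressed code, high entropy
                 (".rsrc", 0x200, b"\0" * 512)]
    else:
        specs = [(".text", 0x1000, b"\x55\x8b\xec\x83\xec\x10" * 256),  # repetitive prologue bytes
                 (".data", 0x1000, b"\0" * 256 + b"constructed sample\0"),
                 (".rsrc", 0x200, b"\0" * 512)]
    file_align = headers_size = 0x200
    raw_ptr, vaddr, table, payload = headers_size, 0x1000, b"", b""
    for name, vsize, raw in specs:
        raw += b"\0" * (-len(raw) % file_align)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr, payload, vaddr = raw_ptr + len(raw), payload + raw, vaddr + max(vsize, 0x1000)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0x5F5E1000, 0, 0, 0, 0x0102)
    headers = dos + b"PE\0\0" + coff + table
    return headers + b"\0" * (headers_size - len(headers)) + payload


def section_entropy(data):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_pe(data):
    """Header-level packer triage over a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    _machine, nsect, ts, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    signals, sections = [], []
    for i in range(nsect):
        off = e_lfanew + 24 + opt_size + 40 * i           # section table follows the optional header
        name, vsize, _va, rawsize, rawptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        ent = round(section_entropy(data[rawptr:rawptr + rawsize]), 2)
        sections.append({"name": name, "vsize": vsize, "rawsize": rawsize, "entropy": ent})
        if name.upper().startswith("UPX") or name.lower() in PACKER_SECTION_NAMES:
            signals.append(f"packer section name {name}")
        if rawsize == 0 and vsize >= 0x1000:
            signals.append(f"{name} is empty on disk but {vsize:#x} bytes in memory")
        if rawsize and ent >= 7.0:
            signals.append(f"{name} entropy {ent} (compressed or encrypted)")
    if b"UPX!" in data:
        signals.append("UPX! marker present")
    if ts == 0 or ts > time.time() + 86400:               # zeroed or future compile time is a tell
        signals.append(f"implausible TimeDateStamp {ts:#x}")
    verdict = "likely packed" if len(signals) >= 2 else ("weak signals" if signals else "no packer signals")
    return {"compiled": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "sections": sections, "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    for packed in (True, False):
        report = triage_pe(build_sample_pe(packed))
        print(report["verdict"], report["compiled"], *report["signals"], sep="\n  ")
```

Against a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage_pe`. The checks are cumulative on purpose: a single high-entropy section is normal for a binary with embedded resources, so the verdict needs at least two independent signals before it calls the sample packed.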
```markdown
# Malware Analysis Report
## Executive Summary
- Sample identification
- Key findings
- Threat level assessment
## Sample Information
- Hashes (MD5, SHA1, SHA256)
- File type and size
- Compilation timestamp
- Packer information
## Static Analysis
- Imports and exports
- Strings of interest
- Code analysis findings
## Dynamic Analysis
- Execution behavior
- Network activity
- Persistence mechanisms
- Evasion techniques
## Indicators of Compromise
- Network IOCs
- File system IOCs
- Registry IOCs
## Recommendations
- Detection rules
- Mitigation steps
- Remediation guidance
```
Weekly installs: 117
Repository: https://github.com/sickn33/antigravity-awesome-skills (26.9K GitHub stars)
First seen: Jan 28, 2026
Security audits: Gen Agent Trust Hub: Pass; Socket: Pass; Snyk: Pass
Installed on: opencode (110), gemini-cli (104), cursor (104), codex (102), github-copilot (101), claude-code (96)