CTF恶意软件分析指南：反混淆、网络流量与PE文件逆向实战技巧

ctf-malware by ljagiello/ctf-skills

599 周安装量

694 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware

自动化数据分析安全

🇨🇳中文介绍

CTF 恶意软件与网络分析

针对恶意软件分析 CTF 挑战的快速参考。每种技术在此处都有一行命令说明；完整细节和代码请参阅支持文件。

附加资源

scripts-and-obfuscation.md - JavaScript 反混淆、PowerShell 分析、eval/base64 解码、垃圾代码检测、十六进制载荷、Debian 包分析、动态分析技术（strace/ltrace、网络监控、内存字符串提取、自动化沙箱执行）、用于恶意软件检测的 YARA 规则、Shellcode 分析（Unicorn Engine、Capstone）、恶意软件内存取证（Volatility 3 malfind、进程注入检测）、反分析技术（虚拟机检测、时间规避、API 哈希、进程注入）
c2-and-protocols.md - C2 流量模式、自定义加密协议、RC4 WebSocket、基于 DNS 的 C2、网络指标、PCAP 分析、AES-CBC、加密算法识别、Telegram 机器人恢复、Poison Ivy RAT Camellia 解密
pe-and-dotnet.md - PE 分析（peframe、pe-sieve、pestudio）、.NET 分析（dnSpy、AsmResolver）、LimeRAT 提取、沙箱规避、恶意软件配置提取、PyInstaller+PyArmor

混淆脚本

将 eval/bash 替换为 echo 以打印底层代码；提取 base64/hex 数据块并用 file 分析。参见 scripts-and-obfuscation.md。

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

JavaScript 与 PowerShell 反混淆

JS：将 eval 替换为 console.log，解码 unescape()、atob()、String.fromCharCode()。
PowerShell：解码 -enc base64，将 IEX 替换为输出。参见 scripts-and-obfuscation.md。

NOP 雪橇、push/pop 对、死写、无条件跳转到下一条指令。过滤以提取真实的 call 目标。参见 scripts-and-obfuscation.md。

PCAP 与网络分析

tshark -r file.pcap -Y "tcp.stream eq X" -T fields -e tcp.payload

在非常规端口上寻找 C2。使用 strings | grep 提取 IP/域名。参见 c2-and-protocols.md。

自定义加密协议

流密码在两个方向上共享密钥流状态；按时间顺序连接所有载荷。
ChaCha20 密钥流提取：发送空字节（0 XOR 任何值 = 任何值）。参见 c2-and-protocols.md。

信标、DGA、DNS 隧道、带有自定义标头的 HTTP(S)、编码载荷。参见 c2-and-protocols.md。

RC4 加密的 WebSocket C2

使用 tcprewrite 重映射端口，添加 RSA 密钥用于 TLS 解密，在二进制文件中查找 RC4 密钥。参见 c2-and-protocols.md。

AES：0x637c777b S-box；ChaCha20：expand 32-byte k；TEA/XTEA：0x9E3779B9；RC4：顺序 S-box 初始化。参见 c2-and-protocols.md。

恶意软件中的 AES-CBC

密钥 = 硬编码字符串的 MD5/SHA256；IV = 密文的前 16 字节。参见 c2-and-protocols.md。

peframe malware.exe      # 快速分类
pe-sieve                 # 运行时分析
pestudio                 # 静态分析 (Windows)

.NET 恶意软件分析

使用 dnSpy/ILSpy 进行反编译；使用 AsmResolver 进行编程式分析。LimeRAT C2：使用 MD5 派生密钥的 AES-256-ECB。参见 pe-and-dotnet.md。

恶意软件配置提取

检查 .data 节、PE/.NET 资源、注册表键、加密的配置文件。参见 pe-and-dotnet.md。

虚拟机检测、调试器检测、时间检查、环境检查、分析工具检测。参见 pe-and-dotnet.md。

虚拟机检测（CPUID、MAC 前缀、注册表、磁盘大小）、时间规避（sleep/RDTSC 沙箱检测）、API 哈希（ROR13/DJB2/CRC32 + hashdb 查找）、进程注入（空洞化、APC、CreateRemoteThread）、环境检查。参见 scripts-and-obfuscation.md。

PyInstaller + PyArmor 解包

使用 pyinstxtractor.py 提取，使用 PyArmor-Unpacker 处理受保护的代码。参见 pe-and-dotnet.md。

Telegram 机器人证据恢复

使用恶意软件源码中的机器人令牌调用 getUpdates 和 getFile API。参见 c2-and-protocols.md。

ar -x package.deb && tar -xf control.tar.xz  # 检查 postinst 脚本

用于恶意软件检测的 YARA 规则

编写 YARA 规则以匹配字节模式、字符串和正则表达式来检查文件或内存转储。检测 XOR 循环（{31 ?? 80 ?? ?? 4? 75}）、base64 数据块、编码的 PowerShell。使用 yarac 编译以加速扫描。参见 scripts-and-obfuscation.md。

使用 objdump -b binary -m i386:x86-64 反汇编，使用 Unicorn Engine 模拟（安全地挂钩系统调用），或使用 Capstone 进行编程式反汇编。寻找 XOR 解码器存根。参见 scripts-and-obfuscation.md。

恶意软件内存取证

vol3 windows.malfind 检测注入的代码（PAGE_EXECUTE_READWRITE 且无映射文件）。windows.pstree 显示可疑的父子进程关系。使用 yarascan.YaraScan 扫描内存。参见 scripts-and-obfuscation.md。

网络指标快速参考

strings malware | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u

🇺🇸English

CTF Malware & Network Analysis

Quick reference for malware analysis CTF challenges. Each technique has a one-liner here; see supporting files for full details with code.

Additional Resources

scripts-and-obfuscation.md - JavaScript deobfuscation, PowerShell analysis, eval/base64 decoding, junk code detection, hex payloads, Debian package analysis, dynamic analysis techniques (strace/ltrace, network monitoring, memory string extraction, automated sandbox execution), YARA rules for malware detection, shellcode analysis (Unicorn Engine, Capstone), memory forensics for malware (Volatility 3 malfind, process injection detection), anti-analysis techniques (VM detection, timing evasion, API hashing, process injection)
c2-and-protocols.md - C2 traffic patterns, custom crypto protocols, RC4 WebSocket, DNS-based C2, network indicators, PCAP analysis, AES-CBC, encryption ID, Telegram bot recovery, Poison Ivy RAT Camellia decryption
pe-and-dotnet.md - PE analysis (peframe, pe-sieve, pestudio), .NET analysis (dnSpy, AsmResolver), LimeRAT extraction, sandbox evasion, malware config extraction, PyInstaller+PyArmor

Obfuscated Scripts

Replace eval/bash with echo to print underlying code; extract base64/hex blobs and analyze with file. See scripts-and-obfuscation.md.

JavaScript & PowerShell Deobfuscation

JS: Replace eval with console.log, decode unescape(), atob(), String.fromCharCode().
PowerShell: Decode -enc base64, replace IEX with output. See scripts-and-obfuscation.md.

Junk Code Detection

NOP sleds, push/pop pairs, dead writes, unconditional jumps to next instruction. Filter to extract real call targets. See scripts-and-obfuscation.md.

PCAP & Network Analysis

tshark -r file.pcap -Y "tcp.stream eq X" -T fields -e tcp.payload

Look for C2 on unusual ports. Extract IPs/domains with strings | grep. See c2-and-protocols.md.

Custom Crypto Protocols

Stream ciphers share keystream state for both directions; concatenate ALL payloads chronologically.
ChaCha20 keystream extraction: send nullbytes (0 XOR anything = anything). See c2-and-protocols.md.

C2 Traffic Patterns

Beaconing, DGA, DNS tunneling, HTTP(S) with custom headers, encoded payloads. See c2-and-protocols.md.

RC4-Encrypted WebSocket C2

Remap port with tcprewrite, add RSA key for TLS decryption, find RC4 key in binary. See c2-and-protocols.md.

Identifying Encryption Algorithms

AES: 0x637c777b S-box; ChaCha20: expand 32-byte k; TEA/XTEA: 0x9E3779B9; RC4: sequential S-box init. See c2-and-protocols.md.

AES-CBC in Malware

Key = MD5/SHA256 of hardcoded string; IV = first 16 bytes of ciphertext. See c2-and-protocols.md.

PE Analysis

peframe malware.exe      # Quick triage
pe-sieve                 # Runtime analysis
pestudio                 # Static analysis (Windows)

See pe-and-dotnet.md.

.NET Malware Analysis

Use dnSpy/ILSpy for decompilation; AsmResolver for programmatic analysis. LimeRAT C2: AES-256-ECB with MD5-derived key. See pe-and-dotnet.md.

Malware Configuration Extraction

Check .data section, PE/.NET resources, registry keys, encrypted config files. See pe-and-dotnet.md.

Sandbox Evasion Checks

VM detection, debugger detection, timing checks, environment checks, analysis tool detection. See pe-and-dotnet.md.

Anti-Analysis Techniques

VM detection (CPUID, MAC prefix, registry, disk size), timing evasion (sleep/RDTSC sandbox detection), API hashing (ROR13/DJB2/CRC32 + hashdb lookup), process injection (hollowing, APC, CreateRemoteThread), environment checks. See scripts-and-obfuscation.md.

PyInstaller + PyArmor Unpacking

pyinstxtractor.py to extract, PyArmor-Unpacker for protected code. See pe-and-dotnet.md.

Telegram Bot Evidence Recovery

Use bot token from malware source to call getUpdates and getFile APIs. See c2-and-protocols.md.

Debian Package Analysis

ar -x package.deb && tar -xf control.tar.xz  # Check postinst scripts

See scripts-and-obfuscation.md.

YARA Rules for Malware Detection

Write YARA rules to match byte patterns, strings, and regex against files or memory dumps. Detect XOR loops ({31 ?? 80 ?? ?? 4? 75}), base64 blobs, encoded PowerShell. Use yarac to compile for faster scanning. See scripts-and-obfuscation.md.

Shellcode Analysis

Disassemble with objdump -b binary -m i386:x86-64, emulate with Unicorn Engine (hook syscalls safely), or use Capstone for programmatic disassembly. Look for XOR decoder stubs. See scripts-and-obfuscation.md.

Memory Forensics for Malware

vol3 windows.malfind detects injected code (PAGE_EXECUTE_READWRITE without mapped file). windows.pstree reveals suspicious parent-child relationships. YARA scan memory with yarascan.YaraScan. See scripts-and-obfuscation.md.

Network Indicators Quick Reference

strings malware | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u

Weekly Installs

536

Repository

ljagiello/ctf-skills

GitHub Stars

664

First Seen

Feb 1, 2026

Security Audits

Gen Agent Trust HubWarn SocketWarn SnykFail

Installed on

codex525

opencode524

github-copilot511

gemini-cli510

amp509

kimi-cli508

DOCX文件创建、编辑与分析完整指南 - 使用docx-js、Pandoc和Python脚本

41,800 周安装