CTF Malware & Network Analysis
Quick reference for malware analysis CTF challenges. Each technique has a one-liner here; see supporting files for full details with code.
Prerequisites
Python packages (all platforms):
```bash
pip install yara-python pefile capstone oletools unicorn pycryptodome \
    volatility3 dissect.cobaltstrike
```
Linux (apt):
```bash
apt install strace ltrace tshark binwalk binutils
```
macOS (Homebrew):
```bash
brew install wireshark binwalk binutils ghidra
```
Manual install:
- dnSpy (GitHub): .NET decompiler (Windows)
Additional Resources
- scripts-and-obfuscation.md - JavaScript deobfuscation, PowerShell analysis, eval/base64 decoding, junk code detection, hex payloads, Debian package analysis, dynamic analysis techniques (strace/ltrace, network monitoring, memory string extraction, automated sandbox execution), YARA rules for malware detection, shellcode analysis (Unicorn Engine, Capstone), memory forensics for malware (Volatility 3 malfind, process injection detection), anti-analysis techniques (VM detection, timing evasion, API hashing, process injection)
- c2-and-protocols.md - C2 traffic patterns, custom crypto protocols, RC4 WebSocket, DNS-based C2, network indicators, PCAP analysis, AES-CBC, encryption ID, Telegram bot recovery, Poison Ivy RAT Camellia decryption
- pe-and-dotnet.md - PE analysis (peframe, pe-sieve, pestudio), .NET analysis (dnSpy, AsmResolver), LimeRAT extraction, sandbox evasion, malware config extraction, PyInstaller+PyArmor
When to Pivot
- If the sample is really just a normal crackme, packed challenge binary, or custom VM with no malware behavior, switch to /ctf-reverse.
- If the main job is network reconstruction, disk carving, or host artifact recovery, switch to /ctf-forensics.
- If the challenge turns into public attribution or infrastructure tracing, switch to /ctf-osint.
Quick Start Commands
```bash
# Static analysis
file suspicious_file
strings -n 8 suspicious_file | head -50
xxd suspicious_file | head -20

# PE analysis
python3 -c "import pefile; pe=pefile.PE('mal.exe'); print(pe.dump_info())" | head
peframe mal.exe

# Dynamic analysis (sandbox environment!)
strace -f -s 200 ./suspicious 2>&1 | head -100
ltrace ./suspicious 2>&1 | head -50

# Network indicators
strings suspicious_file | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
strings suspicious_file | grep -iE 'http|ftp|ws://'

# YARA scan
yara -r rules.yar suspicious_file
```
Obfuscated Scripts
- Replace `eval`/`bash` with `echo` to print the underlying code; extract base64/hex blobs and analyze them with `file`. See scripts-and-obfuscation.md.
JavaScript & PowerShell Deobfuscation
- JS: Replace `eval` with `console.log`; decode `unescape()`, `atob()`, `String.fromCharCode()`.
- PowerShell: Decode `-enc` base64; replace `IEX` with output. See scripts-and-obfuscation.md.
Junk Code Detection
- NOP sleds, push/pop pairs, dead writes, unconditional jumps to the next instruction. Filter these out to extract the real call targets. See scripts-and-obfuscation.md.
PCAP & Network Analysis
```bash
tshark -r file.pcap -Y "tcp.stream eq X" -T fields -e tcp.payload
```
Look for C2 on unusual ports. Extract IPs/domains with `strings | grep`. See c2-and-protocols.md.
Custom Crypto Protocols
- Stream ciphers share keystream state for both directions; concatenate ALL payloads chronologically.
- ChaCha20 keystream extraction: send null bytes (0 XOR anything = anything). See c2-and-protocols.md.
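The keystream bookkeeping behind the two bullets above, as an added example that is not part of this reference or its supporting files. RC4 is written out in pure Python as a stand-in for the sample's stream cipher (the bookkeeping is identical for ChaCha20); the key, the message contents and the `build_session` helper that mimics the malware are constructed for the demo.

```python
# RC4 stands in for the sample's stream cipher; what matters is tracking the keystream offset.
def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes (KSA, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def xor_with(ks, data: bytes) -> bytes:
    """Consume len(data) bytes of the shared keystream and XOR them in."""
    return bytes(b ^ next(ks) for b in data)

def decrypt_per_message(key: bytes, session):
    """The wrong way: a fresh cipher per packet. Only the first packet comes out right,
    because every later packet was encrypted with keystream bytes further along."""
    return [(d, xor_with(rc4_keystream(key), ct)) for d, ct in session]

def decrypt_chronological(key: bytes, session):
    """The right way: one cipher instance fed every payload from BOTH directions in
    capture order, so each packet lines up with the keystream offset the malware used."""
    ks = rc4_keystream(key)
    return [(d, xor_with(ks, ct)) for d, ct in session]

def keystream_from_probe(ciphertext: bytes, probe: bytes) -> bytes:
    """Known-plaintext recovery of one keystream window. With an all-zero probe the
    result is the ciphertext itself (0 XOR k = k), which is why null-byte probing works."""
    return bytes(c ^ p for c, p in zip(ciphertext, probe))

# Constructed C2 session: key and messages are made up for this example.
KEY = b"ctf-c2-key"
PLAINTEXT = [("c2s", b"PING"), ("s2c", b"PONG"), ("c2s", b"GET /cfg"), ("s2c", b'{"beacon":60}')]

def build_session(key: bytes, plaintext):
    """Mimic the malware: one RC4 state shared by client and server, advanced in order."""
    ks = rc4_keystream(key)
    return [(d, xor_with(ks, pt)) for d, pt in plaintext]

SESSION = build_session(KEY, PLAINTEXT)

if __name__ == "__main__":
    for (d, wrong), (_, right) in zip(decrypt_per_message(KEY, SESSION), decrypt_chronological(KEY, SESSION)):
        print(f"{d}: per-message={wrong!r:22} chronological={right!r}")
```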
C2 Traffic Patterns
- Beaconing, DGA, DNS tunneling, HTTP(S) with custom headers, encoded payloads. See c2-and-protocols.md.
RC4-Encrypted WebSocket C2
- Remap the port with `tcprewrite`, add the RSA key for TLS decryption, find the RC4 key in the binary. See c2-and-protocols.md.
Identifying Encryption Algorithms
- AES: `0x637c777b` S-box; ChaCha20: `expand 32-byte k`; TEA/XTEA: `0x9E3779B9`; RC4: sequential S-box init. See c2-and-protocols.md.
AES-CBC in Malware
- Key = MD5/SHA256 of a hardcoded string; IV = first 16 bytes of the ciphertext. See c2-and-protocols.md.
PE Analysis
```bash
peframe malware.exe    # quick triage
pe-sieve /pid <PID>    # runtime analysis
pestudio               # static analysis (Windows)
```
See pe-and-dotnet.md.
.NET Malware Analysis
- Use dnSpy/ILSpy for decompilation; AsmResolver for programmatic analysis. LimeRAT C2: AES-256-ECB with an MD5-derived key. See pe-and-dotnet.md.
Malware Configuration Extraction
- Check the .data section, PE/.NET resources, registry keys, encrypted config files. See pe-and-dotnet.md.
Sandbox Evasion Checks
- VM detection, debugger detection, timing checks, environment checks, analysis tool detection. See pe-and-dotnet.md.
Anti-Analysis Techniques
VM detection (CPUID, MAC prefix, registry, disk size), timing evasion (sleep/RDTSC sandbox detection), API hashing (ROR13/DJB2/CRC32 + hashdb lookup), process injection (hollowing, APC, CreateRemoteThread), environment checks. See scripts-and-obfuscation.md.
PyInstaller + PyArmor Unpacking
- `pyinstxtractor.py` to extract, PyArmor-Unpacker for protected code. See pe-and-dotnet.md.
Telegram Bot Evidence Recovery
- Use the bot token from the malware source to call the `getUpdates` and `getFile` APIs. See c2-and-protocols.md.
Debian Package Analysis
```bash
ar -x package.deb && tar -xf control.tar.xz   # check the postinst script
```
See scripts-and-obfuscation.md.
YARA Rules for Malware Detection
Write YARA rules to match byte patterns, strings, and regex against files or memory dumps. Detect XOR loops (`{31 ?? 80 ?? ?? 4? 75}`), base64 blobs, encoded PowerShell. Use `yarac` to compile for faster scanning. See scripts-and-obfuscation.md.
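Added example, not from this reference or its supporting files, serving both the Identifying Encryption Algorithms entry and the XOR-loop hex pattern above: a pure-Python scanner that looks for the listed algorithm constants and translates a YARA-style hex string (with `??` and nibble wildcards) into a bytes regex. The `SAMPLE` blob, the marker names and the `hex_pattern_to_regex` helper are constructed for the demo; it shows what the wildcards match, it does not replace `yara` itself.

```python
import re
import struct
# Byte-level fingerprints for the constants listed under Identifying Encryption Algorithms;
# dword constants are given in both byte orders since either may appear in a compiled table.
CRYPTO_MARKERS = {
    "aes_sbox": [bytes.fromhex("637c777b"), bytes.fromhex("7b777c63")],
    "chacha20_sigma": [b"expand 32-byte k"],
    "tea_delta": [struct.pack("<I", 0x9E3779B9), struct.pack(">I", 0x9E3779B9)],
    # RC4 only leaves this footprint when the identity S-box is precomputed;
    # a loop-built table has to be recognised in the disassembly instead.
    "rc4_identity_table": [bytes(range(256))],
}

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string such as {31 ?? 80 ?? ?? 4? 75} into a bytes regex:
    '??' matches any byte, a single '?' nibble (e.g. '4?') matches that half-byte range."""
    parts = []
    for tok in pattern.strip("{} ").split():
        if tok == "??":
            parts.append(b".")
        elif "?" in tok:
            hi, lo = tok
            ok = [v for v in range(256)
                  if (hi == "?" or v >> 4 == int(hi, 16)) and (lo == "?" or v & 0xF == int(lo, 16))]
            parts.append(b"[" + b"".join(re.escape(bytes([v])) for v in ok) + b"]")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(blob: bytes, hex_patterns: dict = None) -> dict:
    """Return {name: [offsets]} for each crypto constant or hex pattern found in blob."""
    regexes = {name: re.compile(b"|".join(re.escape(n) for n in needles), re.DOTALL)
               for name, needles in CRYPTO_MARKERS.items()}
    regexes.update({name: hex_pattern_to_regex(p) for name, p in (hex_patterns or {}).items()})
    hits = {name: [m.start() for m in rx.finditer(blob)] for name, rx in regexes.items()}
    return {name: offs for name, offs in hits.items() if offs}

# Constructed stand-in for an unpacked sample, with each fingerprint planted at a known offset.
SAMPLE = (b"\x00" * 16
          + bytes.fromhex("637c777bf26b6fc5")   # first 8 bytes of the AES S-box            (offset 16)
          + b"MZ-padding-" * 2
          + b"expand 32-byte k"                  # ChaCha20 constant                         (offset 46)
          + struct.pack("<I", 0x9E3779B9)        # TEA/XTEA delta, little-endian             (offset 62)
          + bytes.fromhex("31c080302a4075fa")    # xor eax,eax; xor [eax],0x2a; inc eax; jne (offset 66)
          + bytes(range(256)))                   # precomputed RC4 identity table            (offset 74)

if __name__ == "__main__":
    for name, offs in scan(SAMPLE, {"xor_decode_loop": "{31 ?? 80 ?? ?? 4? 75}"}).items():
        print(f"{name:20s} {[hex(o) for o in offs]}")
```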
Shellcode Analysis
Disassemble with `objdump -b binary -m i386:x86-64`, emulate with Unicorn Engine (hook syscalls safely), or use Capstone for programmatic disassembly. Look for XOR decoder stubs. See scripts-and-obfuscation.md.
Memory Forensics for Malware
`vol3 windows.malfind` detects injected code (`PAGE_EXECUTE_READWRITE` without a mapped file). `windows.pstree` reveals suspicious parent-child relationships. YARA-scan memory with `yarascan.YaraScan`. See scripts-and-obfuscation.md.
Network Indicators Quick Reference
```bash
strings malware | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
```