一键导入
malware-analysis
Windows PE malware analysis — kill chain, IOC extraction, MITRE ATT&CK mapping
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Windows PE malware analysis — kill chain, IOC extraction, MITRE ATT&CK mapping
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Patch binary code in Binary Ninja using natural language — read, assemble, write, verify
Patch binary code in IDA Pro using natural language — read, assemble, write, verify
Systematic binary deobfuscation — string decryption, control flow flattening (CFF) removal, opaque predicate elimination, mixed boolean-arithmetic (MBA) simplification, bogus control flow, instruction substitution reversal, dead code removal, and anti-disassembly fixes. Trigger: deobfuscate, unobfuscate, deobfuscation, CFF, flatten, opaque predicate, MBA, obfuscated, OLLVM, Tigress, VMProtect, string decryption, junk code, bogus control flow, instruction substitution, anti-disassembly
Write and execute Binary Ninja Python scripts — full API reference included
Write and execute IDAPython scripts — full API reference included
Expert ELF malware analysis — packing, toolchain ID, kill chain, persistence, C2, rootkits, cryptominers, Go/Rust/Mirai patterns, MITRE ATT&CK mapping
| name | Malware Analysis |
| description | Windows PE malware analysis — kill chain, IOC extraction, MITRE ATT&CK mapping |
| tags | ["malware","windows","pe","stealer","rat","loader"] |
Task: Malware Analysis. You are analyzing a potentially malicious Windows PE binary. Defang all IOCs (hxxps://, [.]).
Before analysis, check for obfuscation:
/deobfuscation firstCrypto constant hunting: When you find RC4 S-box or AES constants via search_strings, use xrefs_to on the constant's address (not the S-box itself) → finds KSA/key schedule → decompile that → xrefs_to on it → finds the encrypt/decrypt wrapper. Do NOT use hex pattern search for KSA byte-swap — too many false positives.
Use built-in tools for initial survey:
get_binary_info — format, architecture, size, function countlist_imports — group by DLL, identify capabilities:
list_strings + search_strings — look for URLs, API paths, user agents, mutex names, file extensions, registry paths, app paths (Discord, Telegram, Chrome)list_exports — exported functions and ordinalsBatch these calls: get_binary_info + list_imports + list_exports can run in parallel.
decompile_functionfunction_xrefs to map the call graph from entryFor network malware:
For loader/dropper:
For stealers:
For RATs:
Produce a compact triage first (~12 lines), then offer a detailed report:
Binary: mal.exe | PE x86-64 | 1519 funcs | 92 imports
Packing: None (entropy <7.0 all sections)
Crypto: RC4 x 5 constants
IAT: KERNEL32 only — runtime LoadLibrary/GetProcAddress resolution
Targets: Chrome, Brave, Edge
C2: hxxps://example[.]com/api/config
Verdict: Stealer. RC4 string enc, dynamic API resolution.
Include: classification, capabilities, IOCs (defanged), kill chain, MITRE ATT&CK mapping.