@sylix/coworker 2.0.10 → 2.0.12

package/dist/skills/defaults/security/anti-reversing-techniques/SKILL.md

@@ -0,0 +1,559 @@
+---
+name: anti-reversing-techniques
+description: Understand anti-reversing, obfuscation, and protection techniques encountered during software analysis. Use when analyzing protected binaries, bypassing anti-debugging for authorized analysis, or understanding software protection mechanisms.
+---
+
+> **AUTHORIZED USE ONLY**: This skill contains dual-use security techniques. Before proceeding with any bypass or analysis:
+>
+> 1. **Verify authorization**: Confirm you have explicit written permission from the software owner, or are operating within a legitimate security context (CTF, authorized pentest, malware analysis, security research)
+> 2. **Document scope**: Ensure your activities fall within the defined scope of your authorization
+> 3. **Legal compliance**: Understand that unauthorized bypassing of software protection may violate laws (CFAA, DMCA anti-circumvention, etc.)
+>
+> **Legitimate use cases**: Malware analysis, authorized penetration testing, CTF competitions, academic security research, analyzing software you own/have rights to
+
+# Anti-Reversing Techniques
+
+Understanding protection mechanisms encountered during authorized software analysis, security research, and malware analysis. This knowledge helps analysts bypass protections to complete legitimate analysis tasks.
+
+## Anti-Debugging Techniques
+
+### Windows Anti-Debugging
+
+#### API-Based Detection
+
+```c
+// IsDebuggerPresent
+if (IsDebuggerPresent()) {
+    exit(1);
+}
+
+// CheckRemoteDebuggerPresent
+BOOL debugged = FALSE;
+CheckRemoteDebuggerPresent(GetCurrentProcess(), &debugged);
+if (debugged) exit(1);
+
+// NtQueryInformationProcess
+typedef NTSTATUS (NTAPI *pNtQueryInformationProcess)(
+    HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
+
+DWORD debugPort = 0;
+NtQueryInformationProcess(
+    GetCurrentProcess(),
+    ProcessDebugPort,        // 7
+    &debugPort,
+    sizeof(debugPort),
+    NULL
+);
+if (debugPort != 0) exit(1);
+
+// Debug flags
+DWORD debugFlags = 0;
+NtQueryInformationProcess(
+    GetCurrentProcess(),
+    ProcessDebugFlags,       // 0x1F
+    &debugFlags,
+    sizeof(debugFlags),
+    NULL
+);
+if (debugFlags == 0) exit(1);  // 0 means being debugged
+```
+
+**Bypass Approaches:**
+
+```python
+# x64dbg: ScyllaHide plugin
+# Patches common anti-debug checks
+
+# Manual patching in debugger:
+# - Set IsDebuggerPresent return to 0
+# - Patch PEB.BeingDebugged to 0
+# - Hook NtQueryInformationProcess
+
+# IDAPython: Patch checks
+ida_bytes.patch_byte(check_addr, 0x90)  # NOP
+```
+
+#### PEB-Based Detection
+
+```c
+// Direct PEB access
+#ifdef _WIN64
+    PPEB peb = (PPEB)__readgsqword(0x60);
+#else
+    PPEB peb = (PPEB)__readfsdword(0x30);
+#endif
+
+// BeingDebugged flag
+if (peb->BeingDebugged) exit(1);
+
+// NtGlobalFlag
+// Debugged: 0x70 (FLG_HEAP_ENABLE_TAIL_CHECK |
+//                 FLG_HEAP_ENABLE_FREE_CHECK |
+//                 FLG_HEAP_VALIDATE_PARAMETERS)
+if (peb->NtGlobalFlag & 0x70) exit(1);
+
+// Heap flags
+PDWORD heapFlags = (PDWORD)((PBYTE)peb->ProcessHeap + 0x70);
+if (*heapFlags & 0x50000062) exit(1);
+```
+
+**Bypass Approaches:**
+
+```assembly
+; In debugger, modify PEB directly
+; x64dbg: dump at gs:[60] (x64) or fs:[30] (x86)
+; Set BeingDebugged (offset 2) to 0
+; Clear NtGlobalFlag (offset 0xBC for x64)
+```
+
+#### Timing-Based Detection
+
+```c
+// RDTSC timing
+uint64_t start = __rdtsc();
+// ... some code ...
+uint64_t end = __rdtsc();
+if ((end - start) > THRESHOLD) exit(1);
+
+// QueryPerformanceCounter
+LARGE_INTEGER start, end, freq;
+QueryPerformanceFrequency(&freq);
+QueryPerformanceCounter(&start);
+// ... code ...
+QueryPerformanceCounter(&end);
+double elapsed = (double)(end.QuadPart - start.QuadPart) / freq.QuadPart;
+if (elapsed > 0.1) exit(1);  // Too slow = debugger
+
+// GetTickCount
+DWORD start = GetTickCount();
+// ... code ...
+if (GetTickCount() - start > 1000) exit(1);
+```
+
+**Bypass Approaches:**
+
+```
+- Use hardware breakpoints instead of software
+- Patch timing checks
+- Use VM with controlled time
+- Hook timing APIs to return consistent values
+```
+
+#### Exception-Based Detection
+
+```c
+// SEH-based detection
+__try {
+    __asm { int 3 }  // Software breakpoint
+}
+__except(EXCEPTION_EXECUTE_HANDLER) {
+    // Normal execution: exception caught
+    return;
+}
+// Debugger ate the exception
+exit(1);
+
+// VEH-based detection
+LONG CALLBACK VectoredHandler(PEXCEPTION_POINTERS ep) {
+    if (ep->ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT) {
+        ep->ContextRecord->Rip++;  // Skip INT3
+        return EXCEPTION_CONTINUE_EXECUTION;
+    }
+    return EXCEPTION_CONTINUE_SEARCH;
+}
+```
+
+### Linux Anti-Debugging
+
+```c
+// ptrace self-trace
+if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) {
+    // Already being traced
+    exit(1);
+}
+
+// /proc/self/status
+FILE *f = fopen("/proc/self/status", "r");
+char line[256];
+while (fgets(line, sizeof(line), f)) {
+    if (strncmp(line, "TracerPid:", 10) == 0) {
+        int tracer_pid = atoi(line + 10);
+        if (tracer_pid != 0) exit(1);
+    }
+}
+
+// Parent process check
+if (getppid() != 1 && strcmp(get_process_name(getppid()), "bash") != 0) {
+    // Unusual parent (might be debugger)
+}
+```
+
+**Bypass Approaches:**
+
+```bash
+# LD_PRELOAD to hook ptrace
+# Compile: gcc -shared -fPIC -o hook.so hook.c
+long ptrace(int request, ...) {
+    return 0;  // Always succeed
+}
+
+# Usage
+LD_PRELOAD=./hook.so ./target
+```
+
+## Anti-VM Detection
+
+### Hardware Fingerprinting
+
+```c
+// CPUID-based detection
+int cpuid_info[4];
+__cpuid(cpuid_info, 1);
+// Check hypervisor bit (bit 31 of ECX)
+if (cpuid_info[2] & (1 << 31)) {
+    // Running in hypervisor
+}
+
+// CPUID brand string
+__cpuid(cpuid_info, 0x40000000);
+char vendor[13] = {0};
+memcpy(vendor, &cpuid_info[1], 12);
+// "VMwareVMware", "Microsoft Hv", "KVMKVMKVM", "VBoxVBoxVBox"
+
+// MAC address prefix
+// VMware: 00:0C:29, 00:50:56
+// VirtualBox: 08:00:27
+// Hyper-V: 00:15:5D
+```
+
+### Registry/File Detection
+
+```c
+// Windows registry keys
+// HKLM\SOFTWARE\VMware, Inc.\VMware Tools
+// HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
+// HKLM\HARDWARE\ACPI\DSDT\VBOX__
+
+// Files
+// C:\Windows\System32\drivers\vmmouse.sys
+// C:\Windows\System32\drivers\vmhgfs.sys
+// C:\Windows\System32\drivers\VBoxMouse.sys
+
+// Processes
+// vmtoolsd.exe, vmwaretray.exe
+// VBoxService.exe, VBoxTray.exe
+```
+
+### Timing-Based VM Detection
+
+```c
+// VM exits cause timing anomalies
+uint64_t start = __rdtsc();
+__cpuid(cpuid_info, 0);  // Causes VM exit
+uint64_t end = __rdtsc();
+if ((end - start) > 500) {
+    // Likely in VM (CPUID takes longer)
+}
+```
+
+**Bypass Approaches:**
+
+```
+- Use bare-metal analysis environment
+- Harden VM (remove guest tools, change MAC)
+- Patch detection code
+- Use specialized analysis VMs (FLARE-VM)
+```
+
+## Code Obfuscation
+
+### Control Flow Obfuscation
+
+#### Control Flow Flattening
+
+```c
+// Original
+if (cond) {
+    func_a();
+} else {
+    func_b();
+}
+func_c();
+
+// Flattened
+int state = 0;
+while (1) {
+    switch (state) {
+        case 0:
+            state = cond ? 1 : 2;
+            break;
+        case 1:
+            func_a();
+            state = 3;
+            break;
+        case 2:
+            func_b();
+            state = 3;
+            break;
+        case 3:
+            func_c();
+            return;
+    }
+}
+```
+
+**Analysis Approach:**
+
+- Identify state variable
+- Map state transitions
+- Reconstruct original flow
+- Tools: D-810 (IDA), SATURN
+
+#### Opaque Predicates
+
+```c
+// Always true, but complex to analyze
+int x = rand();
+if ((x * x) >= 0) {  // Always true
+    real_code();
+} else {
+    junk_code();  // Dead code
+}
+
+// Always false
+if ((x * (x + 1)) % 2 == 1) {  // Product of consecutive = even
+    junk_code();
+}
+```
+
+**Analysis Approach:**
+
+- Identify constant expressions
+- Symbolic execution to prove predicates
+- Pattern matching for known opaque predicates
+
+### Data Obfuscation
+
+#### String Encryption
+
+```c
+// XOR encryption
+char decrypt_string(char *enc, int len, char key) {
+    char *dec = malloc(len + 1);
+    for (int i = 0; i < len; i++) {
+        dec[i] = enc[i] ^ key;
+    }
+    dec[len] = 0;
+    return dec;
+}
+
+// Stack strings
+char url[20];
+url[0] = 'h'; url[1] = 't'; url[2] = 't'; url[3] = 'p';
+url[4] = ':'; url[5] = '/'; url[6] = '/';
+// ...
+```
+
+**Analysis Approach:**
+
+```python
+# FLOSS for automatic string deobfuscation
+floss malware.exe
+
+# IDAPython string decryption
+def decrypt_xor(ea, length, key):
+    result = ""
+    for i in range(length):
+        byte = ida_bytes.get_byte(ea + i)
+        result += chr(byte ^ key)
+    return result
+```
+
+#### API Obfuscation
+
+```c
+// Dynamic API resolution
+typedef HANDLE (WINAPI *pCreateFileW)(LPCWSTR, DWORD, DWORD,
+    LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
+
+HMODULE kernel32 = LoadLibraryA("kernel32.dll");
+pCreateFileW myCreateFile = (pCreateFileW)GetProcAddress(
+    kernel32, "CreateFileW");
+
+// API hashing
+DWORD hash_api(char *name) {
+    DWORD hash = 0;
+    while (*name) {
+        hash = ((hash >> 13) | (hash << 19)) + *name++;
+    }
+    return hash;
+}
+// Resolve by hash comparison instead of string
+```
+
+**Analysis Approach:**
+
+- Identify hash algorithm
+- Build hash database of known APIs
+- Use HashDB plugin for IDA
+- Dynamic analysis to resolve at runtime
+
+### Instruction-Level Obfuscation
+
+#### Dead Code Insertion
+
+```asm
+; Original
+mov eax, 1
+
+; With dead code
+push ebx           ; Dead
+mov eax, 1
+pop ebx            ; Dead
+xor ecx, ecx       ; Dead
+add ecx, ecx       ; Dead
+```
+
+#### Instruction Substitution
+
+```asm
+; Original: xor eax, eax (set to 0)
+; Substitutions:
+sub eax, eax
+mov eax, 0
+and eax, 0
+lea eax, [0]
+
+; Original: mov eax, 1
+; Substitutions:
+xor eax, eax
+inc eax
+
+push 1
+pop eax
+```
+
+## Packing and Encryption
+
+### Common Packers
+
+```
+UPX          - Open source, easy to unpack
+Themida      - Commercial, VM-based protection
+VMProtect    - Commercial, code virtualization
+ASPack       - Compression packer
+PECompact    - Compression packer
+Enigma       - Commercial protector
+```
+
+### Unpacking Methodology
+
+```
+1. Identify packer (DIE, Exeinfo PE, PEiD)
+
+2. Static unpacking (if known packer):
+   - UPX: upx -d packed.exe
+   - Use existing unpackers
+
+3. Dynamic unpacking:
+   a. Find Original Entry Point (OEP)
+   b. Set breakpoint on OEP
+   c. Dump memory when OEP reached
+   d. Fix import table (Scylla, ImpREC)
+
+4. OEP finding techniques:
+   - Hardware breakpoint on stack (ESP trick)
+   - Break on common API calls (GetCommandLineA)
+   - Trace and look for typical entry patterns
+```
+
+### Manual Unpacking Example
+
+```
+1. Load packed binary in x64dbg
+2. Note entry point (packer stub)
+3. Use ESP trick:
+   - Run to entry
+   - Set hardware breakpoint on [ESP]
+   - Run until breakpoint hits (after PUSHAD/POPAD)
+4. Look for JMP to OEP
+5. At OEP, use Scylla to:
+   - Dump process
+   - Find imports (IAT autosearch)
+   - Fix dump
+```
+
+## Virtualization-Based Protection
+
+### Code Virtualization
+
+```
+Original x86 code is converted to custom bytecode
+interpreted by embedded VM at runtime.
+
+Original:     VM Protected:
+mov eax, 1    push vm_context
+add eax, 2    call vm_entry
+              ; VM interprets bytecode
+              ; equivalent to original
+```
+
+### Analysis Approaches
+
+```
+1. Identify VM components:
+   - VM entry (dispatcher)
+   - Handler table
+   - Bytecode location
+   - Virtual registers/stack
+
+2. Trace execution:
+   - Log handler calls
+   - Map bytecode to operations
+   - Understand instruction set
+
+3. Lifting/devirtualization:
+   - Map VM instructions back to native
+   - Tools: VMAttack, SATURN, NoVmp
+
+4. Symbolic execution:
+   - Analyze VM semantically
+   - angr, Triton
+```
+
+## Bypass Strategies Summary
+
+### General Principles
+
+1. **Understand the protection**: Identify what technique is used
+2. **Find the check**: Locate protection code in binary
+3. **Patch or hook**: Modify check to always pass
+4. **Use appropriate tools**: ScyllaHide, x64dbg plugins
+5. **Document findings**: Keep notes on bypassed protections
+
+### Tool Recommendations
+
+```
+Anti-debug bypass:    ScyllaHide, TitanHide
+Unpacking:           x64dbg + Scylla, OllyDumpEx
+Deobfuscation:       D-810, SATURN, miasm
+VM analysis:         VMAttack, NoVmp, manual tracing
+String decryption:   FLOSS, custom scripts
+Symbolic execution:  angr, Triton
+```
+
+### Ethical Considerations
+
+This knowledge should only be used for:
+
+- Authorized security research
+- Malware analysis (defensive)
+- CTF competitions
+- Understanding protections for legitimate purposes
+- Educational purposes
+
+Never use to bypass protections for:
+
+- Software piracy
+- Unauthorized access
+- Malicious purposes

package/dist/skills/defaults/security/auditor.md

@@ -0,0 +1,168 @@
+---
+name: security-auditor
+description: Expert security auditor specializing in DevSecOps, comprehensive cybersecurity, and compliance frameworks. Masters vulnerability assessment, threat modeling, secure authentication (OAuth2/OIDC), OWASP standards, cloud security, and security automation.
+---
+
+# Security Auditor
+
+Expert security auditor specializing in DevSecOps, application security, and comprehensive cybersecurity practices.
+
+## Capabilities
+
+### DevSecOps & Security Automation
+
+- **Security pipeline integration**: SAST, DAST, IAST, dependency scanning in CI/CD
+- **Shift-left security**: Early vulnerability detection, secure coding practices
+- **Security as Code**: Policy as Code with OPA, security infrastructure automation
+- **Container security**: Image scanning, runtime security, Kubernetes security policies
+- **Supply chain security**: SLSA framework, SBOM, dependency management
+- **Secrets management**: HashiCorp Vault, cloud secret managers, rotation automation
+
+### Modern Authentication & Authorization
+
+- **Identity protocols**: OAuth 2.0/2.1, OpenID Connect, SAML 2.0, WebAuthn, FIDO2
+- **JWT security**: Proper implementation, key management, token validation
+- **Zero-trust architecture**: Identity-based access, continuous verification
+- **Multi-factor authentication**: TOTP, hardware tokens, biometric authentication
+- **Authorization patterns**: RBAC, ABAC, ReBAC, policy engines
+
+### OWASP & Vulnerability Management
+
+- **OWASP Top 10 (2021)**: Broken access control, cryptographic failures, injection
+- **OWASP ASVS**: Application Security Verification Standard
+- **Vulnerability assessment**: Automated scanning, manual testing
+- **Threat modeling**: STRIDE, PASTA, attack trees
+
+### Application Security Testing
+
+- **Static analysis (SAST)**: SonarQube, Checkmarx, Veracode, Semgrep, CodeQL
+- **Dynamic analysis (DAST)**: OWASP ZAP, Burp Suite, Nessus
+- **Dependency scanning**: Snyk, WhiteSource, OWASP Dependency-Check
+- **Container scanning**: Aqua Security, Anchore, Twistlock
+
+### Cloud Security
+
+- **Cloud security posture**: AWS Security Hub, Azure Security Center
+- **Infrastructure security**: Cloud security groups, IAM policies
+- **Data protection**: Encryption at rest/in transit, key management
+
+### Compliance & Governance
+
+- **Regulatory frameworks**: GDPR, HIPAA, PCI-DSS, SOC 2, ISO 27001
+- **Compliance automation**: Policy as Code, continuous compliance monitoring
+- **Incident response**: NIST framework, forensics, breach notification
+
+### Secure Coding & Development
+
+- **Input validation**: Parameterized queries, input sanitization
+- **Encryption**: TLS configuration, symmetric/asymmetric encryption
+- **Security headers**: CSP, HSTS, X-Frame-Options, SameSite
+
+## Key Patterns
+
+### SAST Integration in CI/CD
+
+```yaml
+# GitHub Actions - Security scanning
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Run SAST (Semgrep)
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: auto
+          
+      - name: Dependency scanning
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          
+      - name: Container scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+```
+
+### OAuth 2.0 Implementation
+
+```python
+# FastAPI OAuth2 with JWT
+from fastapi import FastAPI, Depends, HTTPException
+from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
+from jose import JWTError, jwt
+from datetime import datetime, timedelta
+
+SECRET_KEY = "your-secret-key"  # Use environment variable
+ALGORITHM = "HS256"
+
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
+
+async def get_current_user(token: str = Depends(oauth2_scheme)):
+    credentials_exception = HTTPException(
+        status_code=401,
+        detail="Could not validate credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        username: str = payload.get("sub")
+        if username is None:
+            raise credentials_exception
+    except JWTError:
+        raise credentials_exception
+    return username
+
+@app.post("/token")
+async def login(form_data: OAuth2PasswordRequestForm = Depends()):
+    # Verify credentials
+    user = verify_user(form_data.username, form_data.password)
+    if not user:
+        raise HTTPException(status_code=401, detail="Incorrect username or password")
+    
+    access_token = jwt.encode(
+        {"sub": user.username, "exp": datetime.utcnow() + timedelta(minutes=30)},
+        SECRET_KEY,
+        algorithm=ALGORITHM
+    )
+    return {"access_token": access_token, "token_type": "bearer"}
+```
+
+### RBAC Implementation
+
+```python
+from enum import Enum
+from fastapi import Depends, HTTPException
+
+class Role(str, Enum):
+    ADMIN = "admin"
+    USER = "user"
+    GUEST = "guest"
+
+class Permission(str, Enum):
+    READ = "read"
+    WRITE = "write"
+    DELETE = "delete"
+
+# Role-permission mapping
+ROLE_PERMISSIONS = {
+    Role.ADMIN: [Permission.READ, Permission.WRITE, Permission.DELETE],
+    Role.USER: [Permission.READ, Permission.WRITE],
+    Role.GUEST: [Permission.READ],
+}
+
+def check_permission(role: Role, permission: Permission) -> bool:
+    return permission in ROLE_PERMISSIONS.get(role, [])
+```
+
+## Best Practices
+
+1. **Defense in depth** - Multiple security layers
+2. **Least privilege** - Grant minimum required permissions
+3. **Never trust input** - Validate everything
+4. **Fail securely** - No information leakage
+5. **Shift left** - Security early in development
+6. **Automate security** - CI/CD integration
+7. **Regular audits** - Continuous monitoring