seclab-taskflows/src/seclab_taskflows/toolboxes/container_shell_malware_analysis.yaml at cdb43f3cb7cd2337deb46ddbf56220bca5725140 · GitHubSecurityLab/seclab-taskflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# SPDX-FileCopyrightText: GitHub, Inc.
# SPDX-License-Identifier: MIT

seclab-taskflow-agent:
  filetype: toolbox
  version: "1.0"

server_params:
  kind: stdio
  command: python
  args: ["-m", "seclab_taskflows.mcp_servers.container_shell"]
  env:
    CONTAINER_IMAGE: "seclab-shell-malware-analysis:latest"
    CONTAINER_WORKSPACE: "{{ env('CONTAINER_WORKSPACE', required=False) }}"
    CONTAINER_TIMEOUT: "{{ env('CONTAINER_TIMEOUT', '60') }}"
    CONTAINER_PERSIST: "{{ env('CONTAINER_PERSIST', required=False) }}"
    CONTAINER_PERSIST_KEY: "{{ env('CONTAINER_PERSIST_KEY', required=False) }}"
    LOG_DIR: "{{ env('LOG_DIR') }}"

confirm:
  - shell_exec

server_prompt: |
  ## Container Shell (malware analysis)
  You have access to an isolated Docker container for binary and malware analysis.
  The working directory is /workspace — place samples here before analysis.
  ALL tooling runs inside the container. Note: /workspace is bind-mounted from
  the host, so files written there are visible on the host side as well.

  Available tools:
  - file, strings, xxd, hexdump  — initial triage / string extraction
  - objdump, readelf, nm         — ELF structure and disassembly
  - radare2 (r2, rabin2, rasm2)  — reverse engineering and disassembly framework
  - binwalk                      — firmware / archive extraction and analysis
  - yara                         — pattern/signature matching
  - exiftool                     — metadata extraction
  - checksec                     — binary security feature detection
  - capstone (Python)            — disassembly library for scripting
  - pwntools (Python)            — exploit development / binary analysis library
  - volatility3                  — memory forensics framework
  - python3                      — scripting and automation

  Recommended workflow:
  1. `file <sample>` — identify type
  2. `strings -n 8 <sample>` — extract strings
  3. `rabin2 -I <sample>` — binary info (arch, bits, security features)
  4. `r2 -A -q -c "pdf @ main" <sample>` — disassemble main function