Analysis Examples

Real-world scenarios demonstrating Rikune's analysis capabilities. Each scenario lists the MCP tools it relies on.

01  Threat Assessment

Quick risk evaluation of an unknown PE binary — headers, imports, entropy, packer detection, and initial threat scoring.

MCP tools: sample.ingest, pe.headers, pe.imports, detect.compiler

02  Malware Family Identification

Classify a sample against known families using behavioral signatures, YARA rules, and capa capabilities.

MCP tools: yara.scan, capa.analyze, intel.family.classify

03  Packer Detection & Unpacking

Identify packers/protectors (UPX, Themida, VMProtect) and unpack samples for further analysis.

MCP tools: detect.compiler, pe.sections, upx.unpack

04  .NET Assembly Analysis

Extract CLR metadata, type definitions, method signatures, and resources from managed assemblies.

MCP tools: sample.ingest, dotnet.metadata, dotnet.resources

05  IOC Extraction

Extract C2 servers, URLs, IPs, domains, mutexes, and file artifacts for threat intelligence sharing.

MCP tools: intel.c2.extract, intel.ioc.export, pe.strings

06  Batch Screening

Screen a directory of samples using the staged pipeline — fast triage first, then deep analysis on flagged items.

MCP tools: sample.ingest, workflow.analyze.start, workflow.summarize

07  Import/Export Analysis

Map API usage patterns — identify suspicious imports (crypto, network, process injection) and DLL dependencies.

MCP tools: pe.imports, pe.exports, ghidra.xrefs

08  String & Crypto Analysis

Extract obfuscated strings with FLOSS, detect cryptographic constants, and find encryption routines.

MCP tools: floss.strings, pe.strings, capa.analyze

09  Frida Instrumentation

Generate and deploy Frida scripts for runtime API hooking, string decryption, and anti-debug bypass.

MCP tools: frida.hook, frida.trace

Walkthrough: Threat Assessment

Here's a complete workflow for assessing an unknown sample. Each step is a single MCP tool call; the sample_id used in steps 2 to 4 identifies the sample ingested in step 1 by its SHA-256.

Step 1 — Ingest the sample

MCP Tool Call
{
  "name": "sample.ingest",
  "arguments": {
    "path": "C:\\samples\\suspicious.exe"
  }
}

Step 2 — Run staged analysis

MCP Tool Call
{
  "name": "workflow.analyze.start",
  "arguments": {
    "sample_id": "sha256:a1b2c3...",
    "goal": "threat_assessment"
  }
}

Step 3 — Get the summary

MCP Tool Call
{
  "name": "workflow.summarize",
  "arguments": {
    "sample_id": "sha256:a1b2c3..."
  }
}

Step 4 — Export IOCs

MCP Tool Call
{
  "name": "intel.ioc.export",
  "arguments": {
    "sample_id": "sha256:a1b2c3...",
    "format": "stix"
  }
}
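The four steps above, and the IOC extraction scenario (05), as one runnable added example. This is not Rikune's code: it wraps each {name, arguments} object shown above in the MCP JSON-RPC 2.0 "tools/call" envelope (that envelope is MCP's real wire format), sends it to a constructed in-memory stand-in server whose handler names and bodies are assumptions made here for illustration, threads the sample_id returned by ingestion through the later calls, and has the export step emit a minimal STIX 2.1 indicator bundle. The sample bytes, file path table and IOC values are constructed (RFC 5737 test address, reserved .test TLD).

```python
import hashlib
import re
import uuid
from datetime import datetime, timezone

# Constructed stand-in for files on disk: the "sample" is a byte string carrying the
# kinds of strings an IOC pass looks for (RFC 5737 test address, reserved .test TLD).
CONSTRUCTED_FS = {
    "C:\\samples\\suspicious.exe": (
        b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
        + b"http://198.51.100.7/gate.php\x00update.evil-example.test\x00"
        + b"Global\\RikuneDemoMutex\x00CreateRemoteThread\x00VirtualAllocEx\x00"
    )
}
# IOC type -> regex; the keys double as STIX 2.1 cyber-observable type names.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s'\"<>]+"),
    "ipv4-addr": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain-name": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "mutex": re.compile(r"Global\\[A-Za-z0-9_]+"),
}
STIX_PROPERTY = {"url": "value", "ipv4-addr": "value", "domain-name": "value", "mutex": "name"}

def tool_call(req_id, name, arguments):
    """Wrap a {name, arguments} object (what the walkthrough shows) in MCP's JSON-RPC 2.0 envelope."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}

def extract_iocs(data):
    """Printable-string pass, then typed IOC regexes. A domain that only appears as the
    host of an extracted URL is dropped so it is not reported twice."""
    found = [(kind, m.group(0)) for raw in re.findall(rb"[\x20-\x7e]{6,}", data)
             for kind, rx in IOC_PATTERNS.items() for m in rx.finditer(raw.decode("ascii"))]
    urls = [v for k, v in found if k == "url"]
    iocs = []
    for kind, value in found:
        if (kind, value) in iocs or (kind == "domain-name" and any(value in u for u in urls)):
            continue
        iocs.append((kind, value))
    return iocs

class StandInServer:
    """Constructed stand-in for the Rikune MCP server: dispatches tools/call requests to a
    handler named after each tool. Handler bodies are illustrative, not Rikune's analysis."""
    def __init__(self, fs):
        self.fs, self.samples, self.results = fs, {}, {}

    def handle(self, request):
        params = request["params"]
        try:
            handler = getattr(self, "tool_" + params["name"].replace(".", "_"))
            return {"jsonrpc": "2.0", "id": request["id"], "result": handler(**params["arguments"])}
        except (AttributeError, KeyError, TypeError, ValueError) as exc:
            return {"jsonrpc": "2.0", "id": request["id"],
                    "error": {"code": -32602, "message": f"{type(exc).__name__}: {exc}"}}

    def tool_sample_ingest(self, path):
        data = self.fs[path]  # unknown path -> KeyError -> JSON-RPC error response
        sample_id = "sha256:" + hashlib.sha256(data).hexdigest()
        self.samples[sample_id] = data
        return {"sample_id": sample_id, "size": len(data)}

    def tool_workflow_analyze_start(self, sample_id, goal):
        self.results[sample_id] = {"goal": goal, "iocs": extract_iocs(self.samples[sample_id])}
        return {"sample_id": sample_id, "status": "completed"}

    def tool_workflow_summarize(self, sample_id):
        res = self.results[sample_id]
        return {"sample_id": sample_id, "goal": res["goal"], "ioc_count": len(res["iocs"]),
                "verdict": "suspicious" if res["iocs"] else "no-indicators"}

    def tool_intel_ioc_export(self, sample_id, format):
        if format != "stix":
            raise ValueError("unsupported format: " + format)
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        objects = []
        for kind, value in self.results[sample_id]["iocs"]:
            literal = value.replace("\\", "\\\\").replace("'", "\\'")  # STIX pattern string escaping
            objects.append({"type": "indicator", "spec_version": "2.1",
                            "id": "indicator--" + str(uuid.uuid4()), "pattern_type": "stix",
                            "created": now, "modified": now, "valid_from": now,
                            "pattern": f"[{kind}:{STIX_PROPERTY[kind]} = '{literal}']"})
        return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}

def run_threat_assessment(server, path):
    """The walkthrough's four steps in order; the sample_id from step 1 feeds steps 2 to 4."""
    ids = iter(range(1, 1 << 16))
    def call(name, **arguments):
        response = server.handle(tool_call(next(ids), name, arguments))
        if "error" in response:
            raise RuntimeError(f"{name} failed: {response['error']['message']}")
        return response["result"]
    sample_id = call("sample.ingest", path=path)["sample_id"]
    call("workflow.analyze.start", sample_id=sample_id, goal="threat_assessment")
    summary = call("workflow.summarize", sample_id=sample_id)
    bundle = call("intel.ioc.export", sample_id=sample_id, format="stix")
    return summary, bundle

if __name__ == "__main__":
    s, b = run_threat_assessment(StandInServer(CONSTRUCTED_FS), "C:\\samples\\suspicious.exe")
    print(s, *(o["pattern"] for o in b["objects"]), sep="\n")
```

Two design points carry over to a real client. First, the client never trusts its own notion of the sample: it keeps only the content-addressed sample_id the server returned, so a file that is replaced on disk between steps cannot silently change what steps 2 to 4 analyze. Second, errors come back as JSON-RPC error objects rather than exceptions, so the caller decides whether a missing sample or unsupported export format aborts the batch or is just logged.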