Lab notebook
In-depth analyses of malware samples, technique deep-dives, and lab notes from the field. Long-form, technical, no fluff.
46 articles in "Education" — page 1 of 6
Stolen bytes, nanomites, PE header erasure, guard page anti-dumping, and the anticipatory unpacking methodology — how to reconstruct a fully functional PE when the packer fights every step of the process.
How malware corrupts disassembler output and misleads analysts — opaque predicates, SEH-based hidden control flow, overlapping instructions, indirect jumps, and TLS callbacks — with the exact bypass for each.
How malware encrypts its configuration, C2 addresses, and string constants — multi-key XOR, encrypted config blocks in Cobalt Strike and Emotet, per-string encryption with zeroing, and FLOSS for runtime string recovery.
How malware fingerprints VMware, VirtualBox, and automated sandboxes through artefact checks, hardware queries, and behavioural tests — and how to build a convincing lived-in analysis VM that passes all checks.
Every major debugger detection technique — API-based, PEB-based, timing, hardware breakpoint scanning, TLS callbacks, trap flag, and interrupt-based — with the exact bypass for each.
The four layers of self-defence in sophisticated malware — debugger detection, VM detection, data protection, and code misdirection — with the analyst countermeasures for each layer.
Writing YARA rules for endpoint detection and Snort/Suricata rules for network detection — rule structure, string modifiers, condition logic, and how to test and validate both rule types against real samples.
RAM acquisition, Volatility 3 essential plugins — pslist, psscan, malfind, dlllist, netscan, cmdline — and a structured workflow for detecting injected code, hidden processes, and network connections in a memory dump.
How to identify XOR encoding, standard cryptographic algorithms (AES, RC4, MD5), and custom Base64 alphabets in malware binaries using constant detection, signsrch, and FindCrypt2.