Lab notebook
In-depth analyses of malware samples, technique deep-dives, and lab notes from the field. Long-form, technical, no fluff.
46 articles in "Education" — page 3 of 6
The key differences between x86 and x64 that matter for reverse engineering — sixteen registers, the Microsoft x64 ABI calling convention, shadow space, RIP-relative addressing, and reading API calls in x64dbg.
How attackers abuse legitimate signed Windows binaries to download payloads, execute code, and bypass security controls — with command examples for nine LOLBins and detection strategies using Sysmon.
How malware intercepts Windows API calls using inline trampoline hooks and IAT hooks — the mechanics of each, what trampolines are, rootkit hiding via NtQueryDirectoryFile, and detection tools.
The four primary code injection techniques — classic DLL injection, reflective DLL injection, process hollowing, and APC injection — with API sequences, detection indicators, and analyst countermeasures.
How malicious DLLs differ from executables, why DllMain is the primary attack vector, and how to analyse DLL exports using rundll32 — including ordinal-only exports and service-mode DLLs.
The four core Windows API call sequences every analyst must recognise — registry persistence, keylogging, HTTP C2 communication, and dropper/downloader behaviour — with assembly-level examples.
Basic blocks, control flow graphs, CFG construction in IDA Pro and Ghidra, and the obfuscation techniques malware uses to corrupt disassembler output — with practical bypass approaches for each.
How if/else, for, while, and switch statements compile to x86 — recognising these patterns in IDA Pro and Ghidra to reconstruct program logic from raw disassembly.
Running malware safely in an isolated VM and monitoring the three dimensions of behaviour — process activity, file and registry changes, and network traffic — to build a complete runtime profile.