Lab notebook
In-depth analyses of malware samples, technique deep-dives, and lab notes from the field. Long-form, technical, no fluff.
46 articles in "Education" — page 4 of 6
How ASLR, DEP, and stack canaries make exploitation harder — the mechanism behind each mitigation, its known bypass techniques, and why understanding them helps analysts recognise evasion in the wild.
How Windows arranges a process in virtual memory — the stack, heap, PE sections, and kernel space — and why understanding this layout is essential for interpreting debugger output and recognising exploitation patterns.
Extracting intelligence from embedded strings — the strings command, FLOSS for stack strings and XOR-decoded content, and what to look for in the output to build a rapid behavioural profile.
Reading the IAT to infer malware behaviour before execution — suspicious API patterns, what a stripped IAT means, and how to use PEStudio to map capabilities from imports alone.
Shannon entropy as a packing and encryption detector — how to read per-section entropy values, what each range means, and why high entropy in the code section almost always means packed malware.
The internal structure of Windows executables — DOS header, PE signature, File Header, Optional Header, Data Directories, section table, and the anomalies that signal malware.
Cryptographic hashing as the first step of any malware triage — MD5, SHA-256, fuzzy hashing with ssdeep, querying VirusTotal, and why the hash is the case identifier for every report.
How to build a safe, isolated malware analysis environment — VM configuration, pre-built distributions, and the complete tool stack organised by category.
Controlled execution in a debugger — stepping, the three breakpoint types, exception handling, and execution modification techniques that analysts use to bypass anti-debugging and expose hidden malware behaviour.