Lab notebook
In-depth analyses of malware samples, technique deep-dives, and lab notes from the field. Long-form, technical, no fluff.
148 articles across all categories — page 12 of 17
Container files like ISO and IMG strip the Mark-of-the-Web from everything inside them when mounted as a drive. How BumbleBee and Emotet exploited this, what Microsoft changed, and how analysts triage containers today.
When Microsoft blocked internet-marked macros in 2022, attackers pivoted to LNK files. The binary structure, embedded command abuse, and the QakBot delivery chain that made LNK the dominant initial access vector of 2023.
Stolen bytes, nanomites, PE header erasure, guard page anti-dumping, and the anticipatory unpacking methodology — how to reconstruct a fully functional PE when the packer fights every step of the process.
How malware corrupts disassembler output and misleads analysts — opaque predicates, SEH-based hidden control flow, overlapping instructions, indirect jumps, and TLS callbacks — with the exact bypass for each.
How malware encrypts its configuration, C2 addresses, and string constants — multi-key XOR, encrypted config blocks in Cobalt Strike and Emotet, per-string encryption with zeroing, and FLOSS for runtime string recovery.
How malware fingerprints VMware, VirtualBox, and automated sandboxes through artefact checks, hardware queries, and behavioural tests — and how to build a convincing lived-in analysis VM that passes all checks.
Every major debugger detection technique — API-based, PEB-based, timing, hardware breakpoint scanning, TLS callbacks, trap flag, and interrupt-based — with the exact bypass for each.
The four layers of self-defence in sophisticated malware — debugger detection, VM detection, data protection, and code misdirection — with the analyst countermeasures for each layer.
Writing YARA rules for endpoint detection and Snort/Suricata rules for network detection — rule structure, string modifiers, condition logic, and how to test and validate both rule types against real samples.