Lab notebook
In-depth analyses of malware samples, technique deep-dives, and lab notes from the field. Long-form, technical, no fluff.
148 articles across all categories — page 13 of 17
RAM acquisition, Volatility 3 essential plugins — pslist, psscan, malfind, dlllist, netscan, cmdline — and a structured workflow for detecting injected code, hidden processes, and network connections in a memory dump.
How to identify XOR encoding, standard cryptographic algorithms (AES, RC4, MD5), and custom Base64 alphabets in malware binaries using constant detection, signsrch, and FindCrypt2.
How fileless malware executes entirely in memory using PowerShell download cradles, .NET reflection, WMI event subscriptions, and registry-resident payloads — with detection strategies and multi-technology attack chain analysis.
Base64 encoded commands, string concatenation, compression streams, AMSI bypass techniques, Script Block Logging, and de-obfuscation tools — how to recover the cleartext payload from any PowerShell obfuscation layer.
The Original Entry Point concept, the ESP hardware breakpoint technique for finding it, and the Scylla workflow for dumping and rebuilding the Import Address Table into an analysable PE.
The four structural indicators of packing, how packers work, common packer families from UPX to VMProtect, and how to use Detect-It-Easy to identify the packer before attempting to unpack.
VBA macro infection chains, document format identification, olevba analysis, P-Code, Excel 4.0 XLM macros, DDEAUTO, remote template injection, and malicious OneNote files — with a complete triage workflow.
RTF file structure, why attackers prefer it, CVE-2017-11882 and CVE-2017-0199, OLE object extraction with rtfobj, shellcode analysis with scdbg, and high-risk indicator recognition.
PDF file structure, attack vectors — embedded JavaScript, launch actions, embedded files — and a practical triage workflow using pdfid.py and pdf-parser.py to extract and analyse malicious content.