Lab notebook
In-depth analyses of malware samples, technique deep-dives, and lab notes from the field. Long-form, technical, no fluff.
148 articles across all categories — page 14 of 17
How to recover the cleartext payload from obfuscated JavaScript using eval interception, browser DevTools breakpoints, and CyberChef — with patterns for Base64, string concatenation, character codes, and nested eval.
Drive-by download attack chains, URL deception techniques, exploit kits, and safe investigation tools — how to analyse a suspicious URL without visiting it.
The key differences between x86 and x64 that matter for reverse engineering — sixteen registers, the Microsoft x64 ABI calling convention, shadow space, RIP-relative addressing, and reading API calls in x64dbg.
How attackers abuse legitimate signed Windows binaries to download payloads, execute code, and bypass security controls — with command examples for nine LOLBins and detection strategies using Sysmon.
How malware intercepts Windows API calls using inline trampoline hooks and IAT hooks — the mechanics of each, what trampolines are, rootkit hiding via NtQueryDirectoryFile, and detection tools.
The four primary code injection techniques — classic DLL injection, reflective DLL injection, process hollowing, and APC injection — with API sequences, detection indicators, and analyst countermeasures.
How malicious DLLs differ from executables, why DllMain is the primary attack vector, and how to analyse DLL exports using rundll32 — including ordinal-only exports and service-mode DLLs.
The four core Windows API call sequences every analyst must recognise — registry persistence, keylogging, HTTP C2 communication, and dropper/downloader behaviour — with assembly-level examples.
Basic blocks, control flow graphs, CFG construction in IDA Pro and Ghidra, and the obfuscation techniques malware uses to corrupt disassembler output — with practical bypass approaches for each.