Lab notebook
In-depth analyses of malware samples, technique deep-dives, and lab notes from the field. Long-form, technical, no fluff.
148 articles across all categories — page 15 of 17
How if/else, for, while, and switch statements compile to x86 — recognising these patterns in IDA Pro and Ghidra to reconstruct program logic from raw disassembly.
Running malware safely in an isolated VM and monitoring the three dimensions of behaviour — process activity, file and registry changes, and network traffic — to build a complete runtime profile.
How ASLR, DEP, and stack canaries make exploitation harder — the mechanism behind each mitigation, its known bypass techniques, and why understanding them helps analysts recognise evasion in the wild.
How Windows arranges a process in virtual memory — the stack, heap, PE sections, and kernel space — and why understanding this layout is essential for interpreting debugger output and recognising exploitation patterns.
Extracting intelligence from embedded strings — the strings command, FLOSS for stack strings and XOR-decoded content, and what to look for in the output to build a rapid behavioural profile.
Reading the IAT to infer malware behaviour before execution — suspicious API patterns, what a stripped IAT means, and how to use PEStudio to map capabilities from imports alone.
Shannon entropy as a packing and encryption detector — how to read per-section entropy values, what each range means, and why high entropy in the code section almost always means packed malware.
The internal structure of Windows executables — DOS header, PE signature, File Header, Optional Header, Data Directories, section table, and the anomalies that signal malware.
Cryptographic hashing as the first step of any malware triage — MD5, SHA-256, fuzzy hashing with ssdeep, querying VirusTotal, and why the hash is the case identifier for every report.