Travis Mathison

Malware decrypting into new memory maps

Table of Contents: Intro; The malware sample used in this blog post; Dealing with decoded bytes into new memory map; Memory allocation and passing control; Viewing new bytes in ID...

Finding the start of Emotet malware in MFC app

Intro Sometimes you need to dig a little to really find where the start of malicious code is in a binary. Sometimes it is not obvious from static analysis how exactly code flows to the malicious p...

Searching IAT for DLLs

Intro With a given binary it is very simple to view the Import Address Table (IAT) and see which DLLs it imports and, further, which functions are used from those DLLs. In my case, I needed to do t...
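As an added example (not code from the post or its author), the script below does by hand what a PE viewer does when it lists imports: it walks the import directory, resolves each descriptor's lookup table, and returns, per DLL, the functions the binary pulls in, which is the information you then search for a DLL of interest. So that it runs offline, it parses a constructed, minimal PE32+ image built inline by `build_sample_pe`; the names `parse_imports`, `find_dll` and `build_sample_pe` are chosen here and are not from the post. On a real sample, pass the file's bytes to `parse_imports` instead.

```python
import struct


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table entries (va, vsize, raw_ptr, raw_size)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} falls outside every section")


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def parse_imports(data):
    """Return {dll_name_lower: [function name or 'ordinal#N', ...]} for a PE32 or PE32+ file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt = coff + 20
    sec_tbl = opt + struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: data directories at optional header +96, 4-byte thunks
        dd_off, thunk_fmt, width, ord_flag = opt + 96, "<I", 4, 1 << 31
    elif magic == 0x20B:  # PE32+: data directories at +112, 8-byte thunks
        dd_off, thunk_fmt, width, ord_flag = opt + 112, "<Q", 8, 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    imp_rva = struct.unpack_from("<I", data, dd_off + 8)[0]        # DataDirectory[1] = import table
    sections = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_tbl + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    imports = {}
    if imp_rva == 0:
        return imports
    desc = _rva_to_offset(imp_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _ts, _fc, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if name_rva == 0 and ft == 0:
            break                                                  # all-zero descriptor ends the table
        dll = _cstring(data, _rva_to_offset(name_rva, sections)).lower()
        thunk = _rva_to_offset(oft or ft, sections)                # prefer the ILT, fall back to the IAT
        funcs = []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            thunk += width
            if entry == 0:
                break
            if entry & ord_flag:
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:  # IMAGE_IMPORT_BY_NAME: WORD hint followed by the NUL-terminated name
                funcs.append(_cstring(data, _rva_to_offset(entry & 0x7FFFFFFF, sections) + 2))
        imports[dll] = funcs
        desc += 20
    return imports


def find_dll(imports, needle):
    """Case-insensitive search of a parsed import table for a DLL name fragment."""
    return {dll: funcs for dll, funcs in imports.items() if needle.lower() in dll}


def build_sample_pe():
    """Constructed, minimal PE32+ image (not a real binary): one .rdata section holding an import table."""
    sec_va, sec_raw = 0x1000, 0x200
    body = bytearray(60)  # room for two import descriptors plus the all-zero terminator

    def put(blob):
        off = len(body)
        body.extend(blob)
        return off

    def hint_name(name):  # IMAGE_IMPORT_BY_NAME with a zero hint
        return put(struct.pack("<H", 0) + name + b"\x00")

    k32_name, ws_name = put(b"KERNEL32.dll\x00"), put(b"WS2_32.dll\x00")
    k32_thunks = [sec_va + hint_name(b"VirtualAlloc"), sec_va + hint_name(b"CreateRemoteThread"),
                  (1 << 63) | 42, 0]  # third import is by ordinal
    ws_thunks = [sec_va + hint_name(b"WSAStartup"), 0]
    while len(body) % 8:
        body.append(0)
    k32_ilt, k32_iat = put(struct.pack("<4Q", *k32_thunks)), put(struct.pack("<4Q", *k32_thunks))
    ws_ilt, ws_iat = put(struct.pack("<2Q", *ws_thunks)), put(struct.pack("<2Q", *ws_thunks))
    struct.pack_into("<5I", body, 0, sec_va + k32_ilt, 0, 0, sec_va + k32_name, sec_va + k32_iat)
    struct.pack_into("<5I", body, 20, sec_va + ws_ilt, 0, 0, sec_va + ws_name, sec_va + ws_iat)

    hdr = bytearray(sec_raw)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    hdr[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)  # AMD64, 1 section, opt hdr 240
    opt = 0x44 + 20
    struct.pack_into("<H", hdr, opt, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 112 + 8, sec_va, 60)      # DataDirectory[1]: import RVA, size
    sec = opt + 240
    hdr[sec:sec + 8] = b".rdata\x00\x00"
    struct.pack_into("<IIII", hdr, sec + 8, len(body), sec_va, len(body), sec_raw)
    return bytes(hdr) + bytes(body)


if __name__ == "__main__":
    for dll, funcs in parse_imports(build_sample_pe()).items():
        print(f"{dll}: {', '.join(funcs)}")
```

The parser deliberately reads the import lookup table (OriginalFirstThunk) rather than the IAT proper, because in a file on disk both hold the same name RVAs, while in a memory dump the IAT has been overwritten with resolved addresses; falling back to FirstThunk only matters for binaries whose linker left the lookup table RVA zero. Packed samples usually show only a handful of imports here, which is itself a useful tell.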

PEB/TEB/TIB Structure Offsets

Intro This is really more of a reference-table post showing the notable PEB/TEB/TIB structure offsets commonly seen in malware as it dereferences fields after fetching the Process Environm...

Manually Unpacking Malware (part 2)

Intro This is a follow-on to the first post on this, Manually Unpacking Malware, where I talked about a way to break on the real entry point of a packed malware sample. This is a second technique ...

Manually Unpacking Malware

Intro This post is intended to show one technique that can be used in an attempt to unpack a sample that is suspected to be packed, whether by a known packer, an unknown one, or even something custom. The...

Digging into obfuscated excel formula code

Intro A large amount of the malware that targets businesses arrives through phishing attacks, and that is no different where I work. We have been getting an influx of Excel attachments in phishing document...

Ghidra error: Unable to locate the DIA SDK

Ghidra error on auto-analysis In my FlareVM, running Windows 10, I have Visual Studio 2019 Community Edition installed for building C/C++ programs as needed. When performing the initial auto-analysis ...

Getting Started with Ghidra and FlareVM

Goal This is a quick guide to get you started on installing FlareVM by FireEye and setting up Ghidra for reverse engineering malware. The FlareVM installation is a script you can run that will turn...

OSCE Review

General thoughts Having past experience with Offensive Security, I found the training format familiar, which sped things up a bit for consuming the content. The Offensive Security Certified Expert (OSCE)...