Table of Contents Intro The malware sample used in this blog post The KSA and PRGA functions Observing call into function Key-scheduling algorithm (KSA) KSA identity permutatio...

Table of Contents Intro Attribution My IDA Pro 7.6 plugin scripts (rough conversion of theirs) Details Color coding instructions IAT Resolution The IDA Pr...

Table of Contents Intro The malware sample used in this blog post Visual of observed flows Notable Techniques Hiding strings via single byte pushes to stack Getting DllBase...

Table of Contents Intro The malware sample used in this blog post Dealing with decoded bytes into new memory map Memory allocation and passing control Viewing new bytes in ID...

Intro Sometimes you need to dig a little to really find where the start of malicious code is in a binary. Sometimes it is not obvious from static analysis how exactly code flows to the malicious p...

Intro With a given binary it is very simple to view the Import Address Table (IAT) and see what DLLs it imports and further, what functions are used within those DLLs. In my case, I needed to do t...

Intro This is really more of a reference table post to show the PEB/TEB/TIB structure notable offsets that are commonly seen in malware as it performs references after fetching the Process Environm...

Intro This is a follow on to the first post on this, Manually Unpacking Malware, where I talked about a way to break on the real entry point of a packed malware sample. This is a second technique ...

Intro This post is intended to show one technique that can be used in an attempt to unpack a sample that is suspected to be packed by either a known packer or something unknown or even custom. The...

Intro A large amount of malware that targets businesses is through phishing attacks, and that is no different where I work. We have been getting an influx of excel attachments in phishing document...