Malware rarely executes blindly. Before dropping payloads, it enumerates operating system artifacts to decide where it’s running and whether to proceed. This post walks through the main Windows tar...

Modern malware doesn’t just run-it looks around first. It checks where it is, who it’s talking to, and whether anyone’s watching. If your environment screams “virtual machine” or “sandbox,” many sa...

The suspicious sample under analysis is an RTF document designed to embed and execute malicious OLE objects. As with any document-based malware, the first step is to calculate its hashes and collec...

In the malware landscape, PDF documents have long been one of the most popular attack vectors. Thanks to vulnerabilities in Adobe Reader and its plugins, a seemingly harmless file can become the en...

Explanation on how to implement process enumeration in Windows and Linux, showing examples with APIs, access to the PEB, and use of the /proc system What does this technique consist of? Process en...

This blog post are the notes of the essential concepts of the legacy BIOS bootup process and the different infections methods used by the malware at that time. This blog post mainly relies in the i...

In recent years, many EDR vendors have implemented user mode hooking. This allows EDR systems to analyze and potentially redirect code executed in the context of Windows APIs. If the code does not ...

In this post, we’ll explore API hooking, a technique used to intercept and be able to modify function calls in software. We’ll delve into the different types of function hooking, focusing on Inline...

Security Descriptors provide a way to configure access relationships between objects. More often than we would like, administrators configure too many permissions, opening new attack paths. In othe...

In this post, I’ll walk you through one of the challenges from Maldev Academy: creating a program in Rust that connects to an HTTP/HTTPS web page, downloads a shellcode, and performs Early Bird APC...