Articles

Here you can find articles I've written about things, mostly reverse engineering, but also other stuff.

Cobalt Strike's Malleable C2 under the hood

A quick look at how Cobalt Strike's Malleable C2 feature is implemented in beacons.

FormBook - Hiding in plain sight

Short post about how the FormBook malware hides its encrypted strings in plain sight.

IDA Tricks - Dealing with inlined data

Position-independent code frequently has data (e.g. strings) inlined into the code, accessed by using a call-pop pair over the data to load its address. As a side effect, it does not play well with IDA's graph view, because the disassembly pass treats the inlined bytes as instructions and gets confused. With a bit of IDAPython we can solve that problem.
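As an added illustration of the idiom (not code from the article), the script below locates the call-pop pairs in a raw byte blob and carves out the data sitting between the call and its target. The sample bytes are constructed; the function names are mine. It deliberately does not depend on IDA so it runs stand-alone; in an IDAPython script the returned regions are what you would undefine, turn into string literals and re-analyse from the pop onwards.

```python
import struct

# Constructed sample (not from the article): two "call over data; pop"
# idioms of the kind found in position-independent shellcode and loaders.
SAMPLE = (
    b"\xe8\x0c\x00\x00\x00"    # call $+0x11: pushes the address of the bytes below
    + b"Hello world\x00"       # 12 bytes of inlined data, not code
    + b"\x5e"                  # pop esi  -> esi = &"Hello world"
    + b"\xe8\x05\x00\x00\x00"  # call $+0x0a
    + b"abcd\x00"              # 5 bytes of inlined data
    + b"\x58"                  # pop eax  -> eax = &"abcd"
    + b"\xc3"                  # ret
)

# Single-byte pop r32 opcodes (32-bit x86).
POP_R32 = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx",
           0x5C: "esp", 0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}


def find_call_pop_data(code: bytes, base: int = 0) -> list:
    """Return the inlined-data regions delimited by a forward 'call; pop' pair.

    Scans for E8 rel32 whose target lies inside the buffer and starts with a
    pop r32. Everything between the end of the call and its target is data.
    A call with rel32 == 0 (the plain get-EIP trick) carries no data and is
    skipped, as are backward calls.
    """
    regions = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            data_start = i + 5
            target = data_start + rel
            if rel > 0 and target < len(code) and code[target] in POP_R32:
                regions.append({
                    "call": base + i,
                    "data_start": base + data_start,
                    "data_end": base + target,          # exclusive
                    "pop": POP_R32[code[target]],
                    "data": code[data_start:target],
                })
                i = target + 1   # resume disassembly right after the pop
                continue
        i += 1
    return regions


def carve_strings(data: bytes, min_len: int = 2) -> list:
    """Split an inlined data blob into printable NUL-terminated ASCII strings."""
    out = []
    for chunk in data.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= b < 0x7F for b in chunk):
            out.append(chunk.decode("ascii"))
    return out


if __name__ == "__main__":
    for r in find_call_pop_data(SAMPLE, base=0x1000):
        print(f"call @ {r['call']:#x}: data {r['data_start']:#x}-{r['data_end']:#x} "
              f"-> {r['pop']}, strings {carve_strings(r['data'])}")
```

The check is a heuristic: a genuine call to a function whose first instruction is a pop would be misclassified, so in practice you confirm that the skipped bytes do not disassemble cleanly before undefining them. The idiom is essentially a 32-bit one; 64-bit position-independent code normally uses a RIP-relative lea instead.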

Automatic removal of junk instructions through state tracking

Code obfuscated with junk instructions can be near-unreadable. I propose a proof-of-concept solution to automatically remove junk instructions for static code analysis using the Triton framework.
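The core idea behind removing junk is that an instruction whose results are never observed cannot matter. As an added example (not the article's Triton-based code), here is a minimal backward liveness pass over a hand-annotated basic block: every register an instruction writes is overwritten before it is read again, and the instruction has no other side effect, so it is dropped. The block, the read/write annotations and the function names are constructed for this illustration; a real tool derives the read/write sets from the instruction semantics instead of hand-writing them.

```python
from dataclasses import dataclass


@dataclass
class Insn:
    text: str
    reads: frozenset
    writes: frozenset
    side_effect: bool = False   # memory store, push/pop, call, branch: never removable


GPRS = frozenset({"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"})
# Conservative exit assumption: anything may still be used after the block.
LIVE_OUT = GPRS | {"eflags"}

# Constructed, hand-annotated block (not from the article). The 'add' and the
# 'xor' are junk: ecx, edx and the flags they set are all overwritten later
# before anything reads them.
BLOCK = [
    Insn("mov eax, ebx",         frozenset({"ebx"}),        frozenset({"eax"})),
    Insn("add ecx, 1234h",       frozenset({"ecx"}),        frozenset({"ecx", "eflags"})),
    Insn("xor edx, edx",         frozenset(),               frozenset({"edx", "eflags"})),
    Insn("mov ecx, [esp+4]",     frozenset({"esp"}),        frozenset({"ecx"})),
    Insn("mov edx, 5",           frozenset(),               frozenset({"edx"})),
    Insn("cmp eax, ecx",         frozenset({"eax", "ecx"}), frozenset({"eflags"})),
    Insn("jz short loc_target",  frozenset({"eflags"}),     frozenset(), side_effect=True),
]


def remove_junk(block, live_out=LIVE_OUT):
    """Backward liveness pass; returns (kept, removed) in program order.

    Walking backwards, 'live' holds the registers that some later instruction
    reads before they are redefined. An instruction that only writes registers
    not in 'live' (and has no side effect) cannot influence the final state.
    """
    live = set(live_out)
    kept, removed = [], []
    for insn in reversed(block):
        if insn.writes and not (insn.writes & live) and not insn.side_effect:
            removed.append(insn)          # dead write: junk
            continue
        live = (live - insn.writes) | insn.reads
        kept.append(insn)
    kept.reverse()
    removed.reverse()
    return kept, removed


if __name__ == "__main__":
    kept, removed = remove_junk(BLOCK)
    print("removed:", [i.text for i in removed])
    print("cleaned block:")
    for i in kept:
        print("   ", i.text)
```

Two caveats a practitioner will hit immediately: the exit assumption matters (with a smaller live-out set more instructions become removable, which is correct only if you really know what the successor blocks read), and a real pass must model sub-register aliasing (al/ax/eax), individual flags and memory, which is where a symbolic engine such as Triton earns its keep over this toy.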

IDA Tricks - Handling dynamic imports

Malicious code oftentimes uses structs to store dynamically resolved API addresses. Without additional work, it leaves the disassembly in IDA in a less-than-optimal state. This article shows how to solve that problem.
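To make the resolve-then-store pattern concrete, here is an added example (not the article's code) that recovers the layout of such an API table from an IDA-style listing: each GetProcAddress call is paired with the name pushed before it, and the following store into [reg+disp] gives the field offset. The listing, the struct name and the function names are constructed; the output is a C struct in the form IDA's structure view would accept, with gaps between known fields padded.

```python
import re

# Constructed IDA-style listing (not from the article): the loader resolves
# three APIs via GetProcAddress and stores each pointer into a table at ebx.
LISTING = """
push    offset aLoadlibrarya ; "LoadLibraryA"
push    esi                  ; hModule
call    [ebp+pGetProcAddress]
mov     [ebx], eax
push    offset aVirtualalloc ; "VirtualAlloc"
push    esi
call    [ebp+pGetProcAddress]
mov     [ebx+4], eax
push    offset aCreatethread ; "CreateThread"
push    esi
call    [ebp+pGetProcAddress]
mov     [ebx+0Ch], eax
"""

RE_NAME = re.compile(r'push\s+offset\s+\w+\s*;\s*"([^"]+)"')   # IDA's string comment
RE_GPA = re.compile(r"call\s+.*GetProcAddress", re.IGNORECASE)
RE_STORE = re.compile(r"mov\s+\[(\w+)(?:\+([0-9A-Fa-f]+h|\d+))?\],\s*eax")


def parse_imm(tok):
    """IDA prints hex immediates with a trailing 'h' (0Ch) and decimal without."""
    if tok is None:
        return 0
    return int(tok[:-1], 16) if tok.endswith("h") else int(tok)


def infer_api_tables(listing: str) -> dict:
    """Map base register -> {offset: api_name} from the resolve-then-store pattern."""
    tables = {}
    pending = resolved = None
    for line in listing.splitlines():
        if m := RE_NAME.search(line):
            pending = m.group(1)                 # name pushed for GetProcAddress
        elif RE_GPA.search(line):
            resolved, pending = pending, None    # eax now holds the resolved pointer
        elif (m := RE_STORE.search(line)) and resolved:
            base, disp = m.group(1), parse_imm(m.group(2))
            tables.setdefault(base, {})[disp] = resolved
            resolved = None
    return tables


def render_struct(name: str, fields: dict, ptr_size: int = 4) -> str:
    """Emit a C struct definition with unknown gaps padded out."""
    lines = [f"struct {name}", "{"]
    off = 0
    for field_off in sorted(fields):
        if field_off > off:
            lines.append(f"    char    gap_{off:X}[{field_off - off}];   // +0x{off:02X}")
        lines.append(f"    FARPROC {fields[field_off]};   // +0x{field_off:02X}")
        off = field_off + ptr_size
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    for base, fields in infer_api_tables(LISTING).items():
        print(f"// table based at {base}")
        print(render_struct("api_table", fields))
```

Once the struct exists, applying it to the base register turns every `[ebx+0Ch]` into a named field and the indirect calls through the table become readable. The pairing above assumes the import is resolved by name; samples that resolve by hash need the hash resolved to a name first, after which the same store-tracking applies.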