Articles
Here you can find articles I've written about things, mostly reverse engineering, but also other stuff.
-
Cobalt Strike's Malleable C2 under the hood
2020-08-15
-
A quick look at how Cobalt Strike's Malleable C2 feature is implemented in beacons.
-
FormBook - Hiding in plain sight
2019-05-02
-
Short post about how the FormBook malware hides its encrypted strings in plain sight.
-
IDA Tricks - Dealing with inlined data
2018-06-04
-
Position-independent code frequently has data (e.g. strings) inlined into the code, accessed by using a call-pop pair over the data to load its address. As a side effect, it does not play well with IDA's graph view, because the data bytes get disassembled as code and confuse the disassembly pass. With a bit of IDAPython we can solve that problem.
-
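As an added illustration of the call-pop pattern described above (this is not code from the article, which works inside IDA with IDAPython), the following stand-alone Python scans raw x86 bytes for a `call rel32` whose forward target is a `pop r32`, and reports the byte range the call skips over as inlined data. The sample bytes are constructed for the example; treating the skipped range as a C string, and the idea that one would undefine that range in IDA and define it as data, are assumptions about how the result would be applied, not the article's script.

```python
"""
Find x86 "call over data, then pop" sequences in raw position-independent code.

Added example, not from the original article. Works on bytes only, without
IDA. Assumed workflow for IDA: for each hit, undefine the skipped range and
define it as data so the graph view no longer sees it as code.
"""
import struct
from typing import List, NamedTuple


class InlinedData(NamedTuple):
    call_off: int   # offset of the E8 (call rel32) instruction
    data_off: int   # first byte of the inlined blob (call_off + 5)
    data_len: int   # number of bytes the call jumps over
    pop_off: int    # offset of the pop that receives the blob address
    pop_reg: str    # register the address lands in


# 32-bit register names for single-byte pop opcodes 0x58..0x5F
_REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_call_pop(code: bytes, min_len: int = 1, max_len: int = 4096) -> List[InlinedData]:
    """Return every forward `call rel32` whose target is a `pop r32`.

    The call pushes the address of the byte following it (the data) and jumps
    over the blob; the pop at the target turns that return address into a
    pointer to the data. Backward calls and calls whose target is not a pop
    are ignored. This is a heuristic: a real call into a function that starts
    with `pop` would also match, so treat hits as candidates.
    """
    hits: List[InlinedData] = []
    i, n = 0, len(code)
    while i + 5 <= n:
        if code[i] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = i + 5 + rel
            skipped = target - (i + 5)
            if min_len <= skipped <= max_len and target < n and 0x58 <= code[target] <= 0x5F:
                hits.append(InlinedData(i, i + 5, skipped, target, _REGS32[code[target] - 0x58]))
                i = target          # resume scanning after the blob, not inside it
                continue
        i += 1
    return hits


def extract_cstring(code: bytes, item: InlinedData) -> str:
    """Interpret the skipped range as a NUL-terminated string (assumption)."""
    blob = code[item.data_off:item.data_off + item.data_len]
    return blob.split(b"\x00", 1)[0].decode("latin-1")


# Constructed sample: two call-pop string loads plus a genuine backward call.
SAMPLE = (
    b"\x31\xC0"                  # 00: xor eax, eax
    + b"\xE8\x0D\x00\x00\x00"    # 02: call +13      ; skips the 13-byte string below
    + b"Hello, world\x00"        # 07: inlined data (13 bytes)
    + b"\x5E"                    # 20: pop esi       ; esi = &"Hello, world"
    + b"\xE8\x05\x00\x00\x00"    # 21: call +5
    + b"/tmp\x00"                # 26: inlined data (5 bytes)
    + b"\x58"                    # 31: pop eax       ; eax = &"/tmp"
    + b"\xC3"                    # 32: ret
    + b"\xE8\xF0\xFF\xFF\xFF"    # 33: call -16      ; a real backward call, not a data skip
)


def describe(code: bytes) -> List[str]:
    """One line per hit, in the form a disassembler annotation would take."""
    return [
        f"{h.call_off:04x}: call over {h.data_len} bytes at {h.data_off:04x}, "
        f"pop {h.pop_reg} at {h.pop_off:04x} -> {extract_cstring(code, h)!r}"
        for h in find_call_pop(code)
    ]


if __name__ == "__main__":
    for line in describe(SAMPLE):
        print(line)
```

Running the block prints one annotation per detected blob; in IDA the same hits would drive `del_items`/string creation over `data_off..data_off+data_len`, which is the manual fix the article automates.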
Automatic removal of junk instructions through state tracking
2018-05-18
-
Code obfuscated with junk instructions can be near-unreadable. I propose a proof-of-concept solution to automatically remove junk instructions for static code analysis using the Triton framework.
-
IDA Tricks - Handling dynamic imports
2018-05-16
-
Malicious code oftentimes uses structs to store dynamically resolved API addresses. Without additional work, it leaves the disassembly in IDA in a less-than-optimal state. This article shows how to solve that problem.