Mar. 27, 2025
A random page with some information of the PE format file and its main headers.
Main usage: malware development and malware research.
Considerations
- RVA (Relative Virtual Address): Offset from Image Base. To obtain the absolute virtual address the calculation “Image Base + RVA” must be performed. Several PE sections include RVAs.
- Check the official Microsoft documentation if you want to know more! This is only a summary and my personal studies about the topic.
IMAGE_DOS_HEADER structure definition from winnt.h.- First 64 bytes of the PE file.
- Was very important in the MS-DOS era, right now it is not.
- The actual Windows OS loader uses a field in this header to navigate to the new executable header , which is the header containing most of the needed information.
- Kept in the binaries for compatibility purposes.
We only want to know about the first and last members of this header:
Sep. 19, 2024
Heaven’s gate lore
The Heaven’s Gate tutorial was written by an anonymous hacker going online as Roy G. Biv, a member of a group called 29A.
After the group disbanded and their e-zine’s site went down, the Heaven’s Gate technique was later reprinted in the 2009 edition of the Valhalla hacker e-zine . I personally would check this resource, as it was the first time the technique was commented.
Feb. 28, 2024
Prelude
Around this last month I have been digging into the Malware Development world. I have always wanted to expand my knowledge within this field, and I felt like it was the moment to do so.
As mentioned in many other blogposts, Sektor7 Malware Development Essentials course was a good point to start. Nevertheless, I found this course very short and I felt like most of the important concepts are ignored (e.g., what is a handle?) and are just used like if I already know them.
Feb. 28, 2024
Custom function declaration. Used when hooking, to get a pointer to the original function to get it dinamically resolved via IAT and then override this pointer, or to craft a new function that points to a shellcode with the function behavior (used in reflective DLL shellcode)
Case of getting the function pointer to a resolving Windows API call:
Feb. 28, 2024
Shellcodes that will be useful for testing/developing your malware.
I usually work on the same OS and with the same Compiler version for better reproducibility so here are my specs:
- Windows 10 Pro 22H2
- OS Build 19045.4046
- MSVC vc.exe compiler (64-bit and 32-bit) version 19.41.34123
Shellcodes are not encrypted. You should encrypt them if you want evasion, as these shellcodes are public and not crafted manually by me.