This is my collection of malware analysis documentation sites and tips that I usually check quickly when I need to find information about a specific structure, library, technique, etc. Instead of keeping 200 Firefox bookmarks, this repository aims to store all my notes in the simplest and most useful way, so I can just Ctrl+F the information I need and quickly find the notes I have already made on the subject.
- VBinDiff: Quickly check binary differences from the command line. link
- Multi Algorithm Hashing creator: Creates a DB of hashes. link
- OleTools: Python tools to analyze doc[x], xls[x], ppt[x], rtf, mht, mhtml, pub and vsd link
- https://hex-rays.com/blog/tag/idatips/
- https://learn.microsoft.com/en-us/windows/win32/debug/pe-format
- IDA Pro Shortcuts
- Intel Manual
- msmfc64 (MFC64 WinMain detector)
- vc32rtf
- vc32seh (SEH for vc64 7-14)
- vc32ucrt
- vc64rtf
- vc64seh
- vc64ucrt
- ntapi
- ntapi64_win7
- ntddk64_win7 (it’s usually necessary while analyzing kernel drivers)
- mssdk64_win7 (usually inserted automatically).
- IMAGE_DOS_HEADER: Represents the DOS header format.
- IMAGE_NT_HEADERS: Represents the PE header format. link
- IMAGE_OPTIONAL_HEADER32: Represents the optional header format (part of the IMAGE_NT_HEADERS struct). link
- IMAGE_DATA_DIRECTORY: Represents the data directory. link
- IMAGE_EXPORT_DIRECTORY: link
- Win32 Thread Information Block (TIB): https://en.wikipedia.org/wiki/Win32_Thread_Information_Block
- PEB: Contains process information. link
- PEB_LDR_DATA: Contains information about the loaded modules for the process. link
- LDR_DATA_TABLE_ENTRY: Represents one loaded module in the PEB_LDR_DATA module lists. link
- NOP Slide: Local Project
- ROP Chaining
- Anti-Analysis RTF \bin: The picture is in binary format. The numeric parameter N is the number of bytes that follow. Unlike all other control words, \bin takes a 32-bit parameter. link
Calling Conventions wiki
- __cdecl: Default calling convention for x86 C compilers. Arguments are pushed on the stack and the return value is in EAX.
- __fastcall: Uses registers for the first four arguments (default in x64):
  - Microsoft x64 calling convention: The first four arguments are placed in the registers RCX, RDX, R8, R9.
Magic Numbers link
Sometimes, when analyzing documents or binary objects, it can be useful to check whether any of the most common magic numbers used in exploitation are present, for example Compound Files (CFBF), which start with D0CF11E0A1B11AE1.
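As an added example (not part of the original notes), a small Python scanner that identifies the magic number at offset 0 and also finds well-known signatures embedded anywhere in a buffer, which is what matters when an OLE object is hidden inside another document. The signature table and the sample buffer are constructed for the example.

```python
"""Scan a byte buffer for common file magic numbers (constructed example)."""

# Signatures keyed by a short name; CFBF is the one the notes above mention.
MAGIC_NUMBERS = {
    "CFBF (OLE2: doc, xls, ppt)": bytes.fromhex("D0CF11E0A1B11AE1"),
    "PE/MZ executable": b"MZ",
    "ZIP / OOXML (docx, xlsx, pptx)": b"PK\x03\x04",
    "RTF": b"{\\rtf",
    "PDF": b"%PDF-",
}


def identify_header(data: bytes):
    """Return the name of the magic found at offset 0, or None."""
    for name, magic in MAGIC_NUMBERS.items():
        if data.startswith(magic):
            return name
    return None


def find_embedded_magics(data: bytes, min_len: int = 4):
    """Return sorted (offset, name) pairs for every signature found at any offset.

    Signatures shorter than min_len (e.g. 'MZ') are skipped when scanning the
    whole buffer, because two-byte patterns produce too many false positives.
    """
    hits = []
    for name, magic in MAGIC_NUMBERS.items():
        if len(magic) < min_len:
            continue
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


# Constructed sample: an RTF wrapper with a CFBF header embedded at offset 22.
SAMPLE = b"{\\rtf1\\ansi some text " + bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 8 + b"}"

if __name__ == "__main__":
    print("header:", identify_header(SAMPLE))
    for offset, name in find_embedded_magics(SAMPLE):
        print(f"offset {offset:#06x}: {name}")
```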
AlphaGolang: Parses the functions of a Go binary and creates a folder structure that stores the functions from each library. Link
- 3D Games: Edit the .vmx file and add vmmouse.present = "FALSE" to avoid weird mouse movements in-game.
- Stuck at starting the VM: Set the hardware compatibility back to 16.2.