What is Dynamic API Resolution? Dynamic API Resolution is a technique where Windows API function addresses are resolved at runtime, instead of being imported and declared upfront when the program is compiled or loaded. In simpler terms — rather than saying: “Hey system, I’ll need VirtualProtect and WriteProcessMemory, here’s the list in advance.” You say: … Read more
Introduction AMSI (Anti-Malware Scan Interface) is a Windows feature that allows security solutions to inspect scripts and detect malicious content at runtime. In this post, we’ll explore how to bypass AMSI detection for a known malicious PowerShell command — Invoke-Mimikatz — using Frida to hook and manipulate the AmsiScanBuffer function at runtime. What is AMSI? … Read more
After learning about suspended processes in our previous post, today we will focus on how malware developers use suspended processes to inject shellcode or other malicious code into the memory of a legitimate process. Let’s dive into Process Hollowing. What is process Hollowing Process Hollowing is a technique where a malicious program creates a legitimate … Read more
What is a Suspended Process? A suspended process is a process that starts without immediately executing its main thread. Now, what is the main thread? That’s a great question! You can think of the main thread like the main() function in C/C++. When a process is created in a suspended state, it means the process … Read more