WinAPI Shellcode Loader for AV Bypass

Introduction: In this post, I demonstrate how to write a simple in-memory shellcode loader using the Windows API. The loader reads an XOR-encrypted reverse shell payload from disk, decrypts it in memory, and executes it, which avoids detection by basic signature-based AV that only matches the on-disk bytes. Sections: Tools Used; Code Sections; XOR Encryption Script (Python); C Loader Code; Explanation; Break …
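To make the loader's data flow concrete, here is an added C example that is not the post's own loader code. The same XOR routine serves as encryptor (what the Python script does before writing the file) and decryptor (what the loader does in memory), a naive byte-pattern match stands in for a signature scanner, and the payload bytes are a constructed stand-in for a reverse shell that is never executed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Repeating-key XOR applied in place. XOR is its own inverse, so one routine
 * encrypts on the operator's machine and decrypts inside the loader. */
static void xor_crypt(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* Naive byte-pattern matcher standing in for a signature-based scanner. */
static int contains_pattern(const uint8_t *hay, size_t haylen,
                            const uint8_t *pat, size_t patlen) {
    if (patlen == 0 || patlen > haylen) return 0;
    for (size_t i = 0; i + patlen <= haylen; i++)
        if (memcmp(hay + i, pat, patlen) == 0) return 1;
    return 0;
}

/* Constructed stand-in for the reverse-shell payload: the opening bytes of a
 * common x64 Windows shellcode prologue (cld; and rsp,-16; call ...; pushes).
 * It is never executed here; it only plays the role of the bytes a scanner
 * would carry as a signature. */
static const uint8_t SAMPLE_PAYLOAD[] = {
    0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00,
    0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xD2
};
/* The "signature": the first 8 bytes of the payload. */
#define SIG_LEN 8

/* Runs the loader's data flow on a buffer. Returns 1 if the encrypted blob
 * defeats the pattern match AND decryption restores the payload exactly,
 * 0 otherwise (e.g. a key of 0x00 leaves the plaintext untouched). */
int loader_roundtrip_demo(const uint8_t *key, size_t keylen) {
    uint8_t blob[sizeof SAMPLE_PAYLOAD];
    memcpy(blob, SAMPLE_PAYLOAD, sizeof blob);

    xor_crypt(blob, sizeof blob, key, keylen);   /* encrypt: what lands on disk */
    int hidden = !contains_pattern(blob, sizeof blob, SAMPLE_PAYLOAD, SIG_LEN);

    xor_crypt(blob, sizeof blob, key, keylen);   /* decrypt: what the loader does in RAM */
    int restored = memcmp(blob, SAMPLE_PAYLOAD, sizeof blob) == 0;

    /* On Windows the loader would now copy blob into a VirtualAlloc'd region,
     * switch it to PAGE_EXECUTE_READ with VirtualProtect and jump to it.
     * That step is deliberately omitted here. */
    return hidden && restored;
}

int main(void) {
    static const uint8_t key[] = { 0x5A, 0xA3, 0x17 };   /* constructed key */
    printf("round trip ok: %d\n", loader_roundtrip_demo(key, sizeof key));
    return 0;
}
```

Two caveats the round trip makes visible: a degenerate key (0x00, or a key that happens to repeat the payload's own bytes) leaves the signature intact, and a short repeating key still leaks structure wherever the payload contains runs of zeros. More importantly, the decrypted buffer exists in RWX/RX memory at run time, so this only defeats scanners that look at the file on disk, not memory scanning or behavioural detection of the VirtualAlloc/VirtualProtect/thread-creation sequence.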

How To Part 1: Find DllBase Address from PEB in x64 Assembly

“Understanding how shellcode actually resolves API addresses, not just calling functions blindly.” When I started exploring shellcode and reverse engineering, I kept running into examples that used Windows APIs without explaining how those functions were actually found or called in shellcode. I wanted to go deeper, to really understand how to write a …
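The walk this post builds up to, written out in C as an added example that is not the post's own assembly: the struct layouts are the documented x64 offsets of PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY (pinned with _Static_assert so the hard-coded 0x18 / 0x20 / 0x30 constants from the shellcode are checked at compile time), and the PEB handed to the walker is a constructed fixture, not a real process. On Windows you would pass the pointer read from gs:[0x60] instead of build_fake_peb().

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* UNICODE_STRING on x64: Length, MaximumLength, 4 bytes padding, Buffer (UTF-16). */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING;

typedef struct {
    LIST_ENTRY InLoadOrderLinks;           /* 0x00 */
    LIST_ENTRY InMemoryOrderLinks;         /* 0x10 */
    LIST_ENTRY InInitializationOrderLinks; /* 0x20 */
    void *DllBase;                         /* 0x30 */
    void *EntryPoint;                      /* 0x38 */
    uint32_t SizeOfImage;                  /* 0x40 */
    UNICODE_STRING FullDllName;            /* 0x48 */
    UNICODE_STRING BaseDllName;            /* 0x58 */
} LDR_DATA_TABLE_ENTRY;

/* Only the fields the walk touches; the rest is padding to the real offsets. */
typedef struct { uint8_t pad[0x20]; LIST_ENTRY InMemoryOrderModuleList; } PEB_LDR_DATA;
typedef struct { uint8_t pad[0x18]; PEB_LDR_DATA *Ldr; } PEB;

/* The constants the assembly hard-codes; fail the build if the structs drift. */
_Static_assert(offsetof(PEB, Ldr) == 0x18, "PEB.Ldr");
_Static_assert(offsetof(PEB_LDR_DATA, InMemoryOrderModuleList) == 0x20, "Ldr list head");
_Static_assert(offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks) == 0x10, "links");
_Static_assert(offsetof(LDR_DATA_TABLE_ENTRY, DllBase) == 0x30, "DllBase");
_Static_assert(offsetof(LDR_DATA_TABLE_ENTRY, BaseDllName) == 0x58, "BaseDllName");

/* Case-insensitive compare of a UTF-16 name against an ASCII name. */
static int name_equals(const UNICODE_STRING *u, const char *ascii) {
    size_t n = u->Length / 2;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = u->Buffer[i];
        char a = ascii[i];
        if (a == '\0') return 0;
        if (c >= 'A' && c <= 'Z') c += 'a' - 'A';
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (c != (uint16_t)a) return 0;
    }
    return ascii[n] == '\0';
}

/* Walk InMemoryOrderModuleList by name. Each Flink points at the
 * InMemoryOrderLinks field (offset 0x10) of the next entry, so DllBase sits
 * at [flink + 0x20]: the "mov rax, [rax+0x20]" at the end of the assembly. */
void *find_dll_base(const PEB *peb, const char *base_name) {
    const LIST_ENTRY *head = &peb->Ldr->InMemoryOrderModuleList;
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        const LDR_DATA_TABLE_ENTRY *entry = (const LDR_DATA_TABLE_ENTRY *)
            ((const uint8_t *)e - offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks));
        if (name_equals(&entry->BaseDllName, base_name))
            return entry->DllBase;
    }
    return NULL;
}

/* The no-string-compare shortcut most x64 shellcode uses: in memory order the
 * list is exe, ntdll.dll, kernel32.dll, so three Flinks then +0x20 is kernel32. */
void *third_module_base(const PEB *peb) {
    const LIST_ENTRY *e = peb->Ldr->InMemoryOrderModuleList.Flink; /* exe */
    e = e->Flink;                                                  /* ntdll.dll */
    e = e->Flink;                                                  /* kernel32.dll */
    return *(void *const *)((const uint8_t *)e + 0x20);
}

/* Constructed fixture (not a real PEB): three modules in memory order. */
static LDR_DATA_TABLE_ENTRY g_entries[3];
static uint16_t g_names[3][16];
static PEB_LDR_DATA g_ldr;
static PEB g_peb;

static void set_name(UNICODE_STRING *u, uint16_t *buf, const char *ascii) {
    size_t n = 0;
    while (ascii[n] && n < 15) { buf[n] = (uint16_t)(unsigned char)ascii[n]; n++; }
    buf[n] = 0;
    u->Buffer = buf; u->Length = (uint16_t)(n * 2); u->MaximumLength = (uint16_t)((n + 1) * 2);
}

const PEB *build_fake_peb(void) {
    static const char *names[3] = { "loader.exe", "ntdll.dll", "KERNEL32.DLL" };
    static void *bases[3] = { (void *)0x00007FF600000000, (void *)0x00007FFA10000000,
                              (void *)0x00007FFA0F000000 };              /* made-up bases */
    LIST_ENTRY *head = &g_ldr.InMemoryOrderModuleList;
    head->Flink = head->Blink = head;
    for (int i = 0; i < 3; i++) {
        set_name(&g_entries[i].BaseDllName, g_names[i], names[i]);
        g_entries[i].DllBase = bases[i];
        LIST_ENTRY *link = &g_entries[i].InMemoryOrderLinks;  /* append before head */
        link->Flink = head; link->Blink = head->Blink;
        head->Blink->Flink = link; head->Blink = link;
    }
    g_peb.Ldr = &g_ldr;
    return &g_peb;
}

int main(void) {
    const PEB *peb = build_fake_peb();
    printf("kernel32.dll base: %p\n", find_dll_base(peb, "kernel32.dll"));
    return 0;
}
```

The name compare is what makes the walk robust; the third_module_base shortcut is shorter in assembly but silently returns the wrong module if anything else (an injected DLL, a different loader) changes the memory order, which is why production shellcode usually hashes BaseDllName instead.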

Linux Reverse Shell in x86 Assembly

Introduction: Why Build a Reverse Shell in Assembly? Ever wondered how low-level code can create a powerful remote shell? In this post, we'll dive into crafting a Linux reverse shell in x86 assembly. The shellcode connects back to an attacker's system, spawns a shell, and redirects its input and output over the network, all in a compact, efficient package. …

Direct Syscalls for AV Evasion

Before you read this post, make sure to check out my blog on the Native API, as I'm using the same template here. So, what is a direct syscall? In simple terms, a direct syscall means invoking a system call from your own code, without going through the ntdll.dll stubs for Native API functions like NtCreateFile or NtOpenProcess (the stub is just "mov r10, rcx; mov eax, <service number>; syscall", and that is what user-mode hooks sit on). Instead of calling these functions through ntdll.dll, we …

Exploring Shellcode Execution with Native Windows APIs

Proof of Concept Explanation: Now let's discuss the code before I forget how it works. winternl.h is included for the Windows Native API function prototypes and types such as NTSTATUS. typedef is used to define a type once so that we don't have to spell it out for the compiler again and again. For NtAllocateVirtualMemory, you need …

Bypassing AMSI with Dynamic API Resolution in PowerShell

What is Dynamic API Resolution? Dynamic API Resolution is a technique where Windows API function addresses are resolved at runtime, instead of being imported and declared upfront when the program is compiled or loaded. In simpler terms, rather than saying: “Hey system, I'll need VirtualProtect and WriteProcessMemory, here's the list in advance.” You say: …

PowerShell AMSI Bypass: Implementing a Runtime Hook with Frida

Introduction: AMSI (Anti-Malware Scan Interface) is a Windows feature that allows security solutions to inspect scripts and detect malicious content at runtime. In this post, we'll explore how to bypass AMSI detection for a known malicious PowerShell command, Invoke-Mimikatz, using Frida to hook and manipulate the AmsiScanBuffer function at runtime. What is AMSI? …

Process Hollowing with C#

After learning about suspended processes in our previous post, today we will focus on how malware developers use suspended processes to inject shellcode or other malicious code into the memory of a legitimate process. Let's dive into Process Hollowing. What is Process Hollowing? Process Hollowing is a technique where a malicious program creates a legitimate …

Creating a Suspended Process in C#

What is a Suspended Process? A suspended process is a process that starts without immediately executing its main thread. Now, what is the main thread? That's a great question! It is the thread that begins executing at the program's entry point; you can think of it as the thread that runs main() in a C/C++ program. When a process is created in a suspended state, it means the process …