  • How EDR Detects Dynamic API Resolution at Runtime

    Endpoint Detection and Response (EDR) solutions closely monitor how processes interact with the Windows loader. One common behavioral signal used by EDRs is dynamic API resolution, which is frequently abused by malware to evade static analysis and signature-based detection. This section explains, from a custom EDR (NORM) perspective, how dynamic API resolution can be detected…


  • From URL to Execution: Assembling a Payload Entirely In-Memory

    If you’re new to malware development (maldev), the sheer complexity can be overwhelming. How do you even begin to understand something as advanced as in-memory execution? The answer is simple: you break it down. This post is the culmination of my first major milestone: combining five core sub-projects into a single, functional loader that downloads…


  • WinAPI Shellcode Loader for AV Bypass

    Introduction: In this post, I demonstrate how to write a simple in-memory shellcode loader using the Windows API. The loader reads an XOR-encrypted reverse shell payload from disk, decrypts it in memory, and executes it — avoiding detection from basic signature-based AV. Sections: Tools Used; Code Sections (XOR Encryption Script (Python), C Loader); Code Explanation; Break…