From URL to Execution: Assembling a Payload Entirely In-Memory

If you’re new to malware development (maldev), the sheer complexity can be overwhelming. How do you even begin to understand something as advanced as in-memory execution? The answer is simple: you break it down. This post is the culmination of my first major milestone: combining five core sub-projects into a single, functional loader that downloads …

WinAPI Shellcode Loader for AV Bypass

Introduction In this post, I demonstrate how to write a simple in-memory shellcode loader using the Windows API. The loader reads an XOR-encrypted reverse shell payload from disk, decrypts it in memory, and executes it — avoiding detection from basic signature-based AV. Tools Used Code Sections XOR Encryption Script (Python) C Loader Code Explanation Break …

Direct Syscalls for AV Evasion

Before you read this post, make sure to check out my blog on Native API, as I’m using the same template here. So, what is Direct Syscall? In simple terms, Direct Syscall means invoking system calls directly, without relying on Windows Native APIs like NtCreateFile or NtOpenProcess. Instead of calling these functions through ntdll.dll, we …

Creating a Suspended Process in C#

What is a Suspended Process? A suspended process is a process that starts without immediately executing its main thread. Now, what is the main thread? That’s a great question! You can think of the main thread like the main() function in C/C++. When a process is created in a suspended state, it means the process …