================================================================
RECOMMENDED LEARNING PATH
================================================================
1. C Programming
2. Assembly (x86/x64)
3. PE Format & Windows Internals
4. Debugging & Dynamic Analysis
5. Reverse Engineering
6. Shellcode Engineering
7. Exploit Development
8. Malware Internals & Code Injection
9. EDR Evasion Concepts
10. Kernel Mode Programming
11. Active Directory Tradecraft
12. Firmware / Hypervisor Research
================================================================
SECTION A — FOUNDATIONS
================================================================
----------------------------------------------------------------
A1. PE FILE INTERNALS
----------------------------------------------------------------
- DOS Header / NT Headers
Every PE starts with IMAGE_DOS_HEADER (MZ magic), then IMAGE_NT_HEADERS
containing the file and optional headers
- Section Headers & Alignment
.text (code), .data, .rdata, .rsrc — each has a raw (on-disk) alignment and a virtual (in-memory) alignment
- Import Table (IAT / INT)
List of DLLs and functions the binary needs; resolved by the loader at startup
- Export Table
Functions a DLL exposes to callers; has name, ordinal, and address arrays
- Relocations
Base relocation table used when image can't load at preferred base address
- TLS Callbacks
Thread Local Storage callbacks run BEFORE the entry point — common anti-debug
trick since many debuggers break at EP, not TLS
- Delayed Imports
Imports resolved lazily at first call rather than at load time
- Forwarded Exports
An export that redirects to a function in another DLL
(e.g., kernel32!Beep -> kernelbase!Beep)
- Resource Section (.rsrc)
Embedded resources: icons, strings, version info, and sometimes payloads
- Manual Mapping
Parsing and loading a PE by hand: map sections, fix relocations, resolve IAT,
call TLS callbacks, then call entry point — foundation of reflective loading
- Relocation Fixups
Patching absolute addresses when image loads at a different base than preferred
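The header fields listed above are what an analyst reads first when triaging a sample. The following parser is an added example written for this page, not code from the original list: it declares the PE32+ header layouts itself (no windows.h, so it builds anywhere), walks the DOS header, NT headers and section table with bounds checks, and reports the triage signals discussed above (a TLS directory, which means callbacks run before the entry point; a DYNAMIC_BASE image with no relocation table, which the loader cannot rebase; an entry point outside any executable section; sections that violate their declared alignment). The sample image it parses is constructed in buildSamplePe() and is header-only, not a real binary; the little-endian host assumption matches the file format.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Header layouts from the PE specification, declared here so the parser builds
// without windows.h. Assumes a little-endian host, as the file format itself is.
#pragma pack(push, 1)
struct DosHeader { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; };
struct FileHeader { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
                    NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; };
struct DataDir { uint32_t VirtualAddress, Size; };
struct OptionalHeader64 {
    uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode;
    uint64_t ImageBase; uint32_t SectionAlignment, FileAlignment;
    uint16_t OsMajor, OsMinor, ImageMajor, ImageMinor, SubsystemMajor, SubsystemMinor;
    uint32_t Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum;
    uint16_t Subsystem, DllCharacteristics;
    uint64_t StackReserve, StackCommit, HeapReserve, HeapCommit;
    uint32_t LoaderFlags, NumberOfRvaAndSizes; DataDir Directory[16];
};
struct SectionHeader { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
                       PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations,
                       NumberOfLinenumbers; uint32_t Characteristics; };
#pragma pack(pop)
static_assert(sizeof(DosHeader) == 64 && sizeof(FileHeader) == 20 && sizeof(OptionalHeader64) == 240 &&
              sizeof(SectionHeader) == 40, "PE header layouts must match the specification");

struct PeSummary {
    bool valid = false;
    uint32_t entryRva = 0; uint64_t imageBase = 0;
    std::string entrySection;                     // section containing AddressOfEntryPoint
    bool hasExports = false, hasImports = false, hasRelocs = false, hasTls = false, hasDelayImports = false;
    bool dynamicBase = false;                     // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    std::vector<std::string> sections, findings;  // findings are analyst-facing triage notes
};

// Bounds-checked, alignment-safe read of a header at a file offset.
template <typename T> static bool readAt(const std::vector<uint8_t>& buf, size_t off, T& out) {
    if (off > buf.size() || buf.size() - off < sizeof(T)) return false;
    std::memcpy(&out, buf.data() + off, sizeof(T));
    return true;
}

PeSummary summarizePe(const std::vector<uint8_t>& buf) {
    PeSummary s; DosHeader dos; uint32_t sig; FileHeader fh; OptionalHeader64 oh;
    if (!readAt(buf, 0, dos) || dos.e_magic != 0x5A4D) return s;                 // "MZ"
    const size_t nt = dos.e_lfanew;
    if (!readAt(buf, nt, sig) || sig != 0x00004550) return s;                    // "PE\0\0"
    if (!readAt(buf, nt + 4, fh) || fh.SizeOfOptionalHeader < sizeof(oh)) return s;
    if (!readAt(buf, nt + 4 + sizeof(fh), oh) || oh.Magic != 0x20B) return s;    // PE32+ only
    s.valid = true; s.entryRva = oh.AddressOfEntryPoint; s.imageBase = oh.ImageBase;
    auto dir = [&](unsigned i) { return i < oh.NumberOfRvaAndSizes && oh.Directory[i].VirtualAddress != 0; };
    s.hasExports = dir(0); s.hasImports = dir(1); s.hasRelocs = dir(5); s.hasTls = dir(9); s.hasDelayImports = dir(13);
    s.dynamicBase = (oh.DllCharacteristics & 0x0040) != 0;
    const size_t secTable = nt + 4 + sizeof(fh) + fh.SizeOfOptionalHeader;
    for (unsigned i = 0; i < fh.NumberOfSections; ++i) {
        SectionHeader sh;
        if (!readAt(buf, secTable + i * sizeof(sh), sh)) { s.findings.push_back("section table truncated"); break; }
        size_t n = 0; while (n < 8 && sh.Name[n]) ++n;            // Name is not NUL-terminated at 8 chars
        std::string name(sh.Name, n);
        s.sections.push_back(name);
        if (!oh.SectionAlignment || !oh.FileAlignment || sh.VirtualAddress % oh.SectionAlignment ||
            sh.PointerToRawData % oh.FileAlignment)
            s.findings.push_back("section " + name + " violates the declared alignment");
        uint32_t span = sh.VirtualSize ? sh.VirtualSize : sh.SizeOfRawData;
        if (s.entryRva >= sh.VirtualAddress && s.entryRva < sh.VirtualAddress + span) {
            s.entrySection = name;
            if (!(sh.Characteristics & 0x20000000))             // IMAGE_SCN_MEM_EXECUTE
                s.findings.push_back("entry point in non-executable section " + name);
        }
    }
    if (s.entrySection.empty()) s.findings.push_back("entry point lies outside every section");
    if (s.hasTls) s.findings.push_back("TLS directory present: callbacks run before the entry point");
    if (s.dynamicBase && !s.hasRelocs) s.findings.push_back("DYNAMIC_BASE set but no relocation table: image cannot be rebased");
    return s;
}

// Constructed sample: a header-only PE32+ image with .text/.rdata, an import
// directory and a TLS directory but no relocation table. Not a real binary.
std::vector<uint8_t> buildSamplePe() {
    const size_t ntOff = 0x40;
    std::vector<uint8_t> img(0x200, 0);
    DosHeader dos{}; dos.e_magic = 0x5A4D; dos.e_lfanew = ntOff;
    FileHeader fh{}; fh.Machine = 0x8664; fh.NumberOfSections = 2;
    fh.SizeOfOptionalHeader = sizeof(OptionalHeader64); fh.Characteristics = 0x0022;
    OptionalHeader64 oh{}; oh.Magic = 0x20B; oh.AddressOfEntryPoint = 0x1010; oh.ImageBase = 0x140000000ULL;
    oh.SectionAlignment = 0x1000; oh.FileAlignment = 0x200; oh.SizeOfImage = 0x3000; oh.SizeOfHeaders = 0x200;
    oh.Subsystem = 3; oh.DllCharacteristics = 0x0140; oh.NumberOfRvaAndSizes = 16;
    oh.Directory[1] = DataDir{0x2000, 0x28}; oh.Directory[9] = DataDir{0x2100, 0x28};
    SectionHeader text{}, rdata{};
    std::memcpy(text.Name, ".text", 5); text.VirtualSize = 0x100; text.VirtualAddress = 0x1000;
    text.SizeOfRawData = 0x200; text.PointerToRawData = 0x200; text.Characteristics = 0x60000020;
    std::memcpy(rdata.Name, ".rdata", 6); rdata.VirtualSize = 0x200; rdata.VirtualAddress = 0x2000;
    rdata.SizeOfRawData = 0x200; rdata.PointerToRawData = 0x400; rdata.Characteristics = 0x40000040;
    auto put = [&](size_t at, const void* p, size_t n) { std::memcpy(img.data() + at, p, n); };
    put(0, &dos, sizeof dos); put(ntOff, "PE\0\0", 4); put(ntOff + 4, &fh, sizeof fh);
    put(ntOff + 4 + sizeof fh, &oh, sizeof oh);
    const size_t sec = ntOff + 4 + sizeof fh + sizeof oh;
    put(sec, &text, sizeof text); put(sec + sizeof text, &rdata, sizeof rdata);
    return img;
}

int main() {
    PeSummary s = summarizePe(buildSamplePe());
    std::printf("valid=%d base=0x%llx entry=0x%x in %s\n", s.valid, (unsigned long long)s.imageBase,
                s.entryRva, s.entrySection.c_str());
    for (const auto& f : s.findings) std::printf("  finding: %s\n", f.c_str());
    return 0;
}
```

To run it on a real file, read the file into the vector passed to summarizePe(); the checks are on headers only, so a truncated download or a header-only carve still gets a verdict rather than an out-of-bounds read. PE32 (32-bit) images have a 224-byte optional header and are rejected by the Magic check here.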
----------------------------------------------------------------
A2. WINDOWS INTERNALS
----------------------------------------------------------------
- Object Manager
Kernel subsystem managing all named/unnamed kernel objects
(files, events, mutexes, processes, threads)
- Handle Tables
Per-process table mapping handle values to kernel object pointers
- Access Tokens & Security Reference Monitor (SRM)
Tokens carry user SID, group SIDs, privileges; SRM enforces access checks
- ALPC (Advanced Local Procedure Call)
High-performance IPC mechanism used internally by Windows (replaces LPC)
- Executive & Kernel layers
HAL -> Kernel -> Executive (Ob, Mm, Io, Se, Ps, etc.) -> Subsystems
- Virtual Memory Manager (VMM)
Manages VADs, page tables, working sets, paged/non-paged pool
- I/O Manager & IRP
Manages driver stack communication via I/O Request Packets
- Session & Desktop isolation
Sessions separate user contexts; desktops isolate window stations
----------------------------------------------------------------
A3. SHELLCODE ENGINEERING
----------------------------------------------------------------
- Position-Independent Code (PIC)
Code that works regardless of where it's loaded — no hardcoded addresses;
uses delta offsets or GetPC techniques
- GetPC Techniques
Getting the current instruction pointer value at runtime
(e.g., CALL/POP trick, LEA RIP-relative on x64)
- Null-Byte Avoidance
Many injection vectors treat 0x00 as string terminator; shellcode must
avoid null bytes through instruction substitution
- Encoder / Decoder Stubs
XOR, ROT, or custom encoders wrap shellcode; decoder runs first,
decodes in-place, then jumps to payload
- Syscall Shellcode
Shellcode that invokes syscalls directly without relying on API stubs
- Alphanumeric Shellcode
Shellcode restricted to printable ASCII characters — bypasses filters
that only allow text input
- Egg Hunters
Small shellcode that searches process memory for a unique tag (egg)
preceding the real payload — useful when injection space is limited
- Staged vs Stageless Payloads
Stageless: entire payload in one blob
Staged: small stager downloads and executes the real payload from a C2
- Stack Pivoting
Redirect the stack pointer (RSP/ESP) to attacker-controlled memory
to enable ROP chain execution
- ROP Chains (Return-Oriented Programming)
Chain together existing code "gadgets" (ending in RET) to execute
arbitrary logic without injecting new code — bypasses DEP/NX
================================================================
SECTION B — EXPLOITATION
================================================================
----------------------------------------------------------------
B1. EXPLOIT DEVELOPMENT
----------------------------------------------------------------
- Buffer Overflow (Stack)
Overwrite return address on the stack to redirect execution
- Buffer Overflow (Heap)
Corrupt heap metadata or adjacent allocations to gain control
- Use-After-Free (UAF)
Access memory after it has been freed; if reallocated with attacker
data, leads to type confusion or code execution
- Heap Corruption
Corrupt allocator metadata (free lists, chunk headers) to redirect writes
- Format String Vulnerabilities
Uncontrolled format strings (%n, %x) allow arbitrary read/write
- Integer Overflows / Underflows
Arithmetic wrapping leads to incorrect size calculations and
exploitable allocations
- Race Conditions (TOCTOU)
Time-of-check vs time-of-use: win a race between check and use
to substitute a different resource
- DEP / NX Bypass
Data Execution Prevention marks memory non-executable;
bypassed via ROP, ret2libc, or JIT spraying
- ASLR Bypass
Address Space Layout Randomization randomizes base addresses;
bypassed via info leaks, partial overwrites, heap spraying, or brute force
- ROP / JOP / COP
Return/Jump/Call Oriented Programming — code reuse attack variants
- Heap Feng Shui
Carefully shape heap layout to place attacker data adjacent to
target structures before triggering a vulnerability
- SEH Exploitation (Windows)
Overwrite Structured Exception Handler chain to redirect execution
on exception
- Browser Exploitation Concepts
JIT compiler abuse, sandbox escapes, type confusion in JS engines,
renderer vs browser process privilege separation
- Kernel Exploitation Basics
NULL pointer dereference, pool overflows, race conditions in drivers,
token stealing shellcode to escalate to SYSTEM
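The integer overflow item above is the one bug class in this list whose fix is purely a matter of writing the size arithmetic correctly, so here is the vulnerable computation beside its hardened form. This is an added example, not code from the original list: the record format (a 32-bit count followed by 16-byte records) and the function names are hypothetical, constructed to show the wrap. With a count of 0x10000001 the 32-bit product 0x100000010 truncates to 0x10, so the vulnerable version sizes a 16-byte buffer for a copy that expects far more; the hardened version proves the product fits before computing it, caps it to a policy maximum, and also handles the underflow sibling (total minus header when total is smaller).

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical file format used for illustration: a 32-bit little-endian record
// count followed by 'count' fixed-size records.
constexpr uint32_t kRecordSize = 16;

// Vulnerable: the multiply is done in 32-bit arithmetic and silently wraps, so a
// count of 0x10000001 yields 0x10 bytes, far smaller than the data copied afterwards.
uint32_t vulnerableAllocSize(uint32_t count) {
    return count * kRecordSize;  // wraps modulo 2^32
}

// Hardened: prove the product fits before computing it, then apply a policy cap.
bool safeAllocSize(uint32_t count, uint32_t maxBytes, uint32_t& outBytes) {
    if (count > UINT32_MAX / kRecordSize) return false;  // product would wrap
    uint32_t bytes = count * kRecordSize;
    if (bytes > maxBytes) return false;                   // larger than the format allows
    outBytes = bytes;
    return true;
}

// Underflow sibling: totalLen - headerLen becomes enormous when totalLen < headerLen.
bool safePayloadLength(uint32_t totalLen, uint32_t headerLen, uint32_t& outLen) {
    if (totalLen < headerLen) return false;
    outLen = totalLen - headerLen;
    return true;
}

// Parser built on the hardened checks. Returns the number of records accepted,
// or -1 for malformed input. The vulnerable sizing would have produced a 16-byte
// buffer and then copied whatever 'count' implied into it.
long parseRecords(const uint8_t* buf, size_t len, std::vector<uint8_t>& records) {
    if (len < 4) return -1;
    uint32_t count; std::memcpy(&count, buf, 4);
    uint32_t bytes;
    if (!safeAllocSize(count, 1u << 20, bytes)) return -1;   // 1 MiB policy cap
    if (bytes > len - 4) return -1;                          // declared size exceeds data present
    records.assign(buf + 4, buf + 4 + bytes);
    return count;
}

int main() {
    std::printf("vulnerable size for count 0x10000001: %u bytes\n", vulnerableAllocSize(0x10000001u));
    const uint8_t hostile[] = {0x01, 0x00, 0x00, 0x10, 1, 2, 3};   // count 0x10000001, little-endian
    std::vector<uint8_t> out;
    std::printf("hardened parser result: %ld\n", parseRecords(hostile, sizeof hostile, out));
    return 0;
}
```

GCC and Clang also offer __builtin_mul_overflow for the same check in one call; the explicit division form above is shown because it is portable and makes the precondition visible in review.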
================================================================
SECTION C — MALWARE INTERNALS
================================================================
----------------------------------------------------------------
C1. PROCESS & MEMORY INTERNALS
----------------------------------------------------------------
- Process Hollowing
Spawn a legit process suspended, hollow out its memory, replace with payload
- Process Doppelganging
Use NTFS transactions to load a modified executable without touching disk
- Process Herpaderping
Map an executable image, modify it on disk after mapping but before
section validation — confuses scanners that scan from disk
- Process Ghosting
Create a file, mark it for deletion, map it as an image, then run it —
appears to run from an already-deleted file
- PEB Walking
Manually find loaded modules via the Process Environment Block (no API calls)
- VAD Manipulation
Tamper with Virtual Address Descriptors to hide memory regions
- Page Table Manipulation
Directly manipulate page tables at a lower level than VAD tricks
- Heap Spraying
Fill heap with shellcode to increase odds of hitting it on overflow
- Pool Spraying
Kernel-mode equivalent of heap spraying; targets kernel pool allocations
- EXE Packing (Custom Packer)
Compress/encrypt an executable; stub decompresses and runs it at runtime
- DLL Memory Loading (Reflective DLL Injection)
Load a DLL from a byte buffer in memory instead of from disk
- Thread Hijacking
Suspend an existing thread, redirect its instruction pointer, resume it
- Memory Patching
Overwrite bytes in a running process to change its behavior
----------------------------------------------------------------
C2. HOOKING TECHNIQUES
----------------------------------------------------------------
- Inline Hooking
Patch first 5 bytes of a function with a JMP to your handler
- Trampoline Hooks
Inline hook that also preserves and calls the original function
- Detours-style Hook
Microsoft Detours approach — robust inline hook with trampoline
- IAT Hooking
Replace function pointers in the Import Address Table
- VTable Hooking
Overwrite C++ virtual function table pointers
- GOT/PLT Hooking (Linux)
Overwrite Global Offset Table entries to redirect function calls
- SSDT Hooking
Hook the kernel's System Service Descriptor Table (kernel mode)
- Kernel Callback Hooking
Tamper with PsSetCreateProcessNotifyRoutine and similar callbacks
to blind EDR/AV kernel drivers
- IRP Hooking
Hook I/O Request Packets in kernel drivers
- SYSENTER / SYSCALL Hooking
Modify MSRs to intercept syscall entry point
----------------------------------------------------------------
C3. CODE INJECTION TECHNIQUES
----------------------------------------------------------------
- Classic DLL Injection
WriteProcessMemory + CreateRemoteThread -> LoadLibrary
- APC Injection
Queue an Async Procedure Call to a thread's APC queue
- Early Bird Injection
Inject via APC before the process fully initializes
- SetThreadContext Injection
Redirect a suspended thread's context registers to shellcode
- Fiber Injection
Hijack user-mode fibers to execute code inside a target process
- Transacted Hollowing
Variant of Doppelganging using TxF (Transactional NTFS)
- Heaven's Gate
Switch from 32-bit to 64-bit mode mid-execution to bypass hooks
- Atom Bombing
Use Windows global atom tables as a data smuggling channel
- ptrace Injection (Linux)
Use ptrace() syscall to read/write memory and registers of a process
- LD_PRELOAD Hijacking (Linux)
Force a process to load your shared library before all others
----------------------------------------------------------------
C4. EVASION & ANTI-ANALYSIS
----------------------------------------------------------------
- API Unhooking
Restore ntdll from a clean copy to remove AV/EDR hooks
- Direct Syscalls
Invoke syscalls by number, bypassing hooked user-mode API stubs
- Indirect Syscalls
JMP into the syscall instruction inside ntdll so the syscall is issued from ntdll's own code rather than from non-module memory
- Syscall Stomping
Overwrite an unused syscall stub with your own to blend in
- Unhooking via KnownDlls Cache
Load clean ntdll from the KnownDlls section object
- ETW Patching
Patch ETW to blind event logging and telemetry
- Call Stack Spoofing / Return Address Spoofing
Fake the call stack to hide the real caller from EDR stack walking
- Sleep Obfuscation
Encrypt shellcode in memory while sleeping to evade memory scanning
- Stack Encryption
Encrypt the stack during sleep/wait periods
- Gargoyle Memory Hiding
Mark shellcode as non-executable while not running; flip back on timer
- Timing Attacks / Sleep Skipping Detection
Detect sandbox time acceleration; behave benignly when detected
- PPID Spoofing
Fake the parent process ID of a spawned process
- Misleading Disassembly
Insert junk bytes or overlapping instructions to fool disassemblers
- Hardware Breakpoint Detection
Scan Dr0-Dr7 registers to detect hardware breakpoints
- AMSI Bypass
Patch or tamper with the Antimalware Scan Interface to blind
script-based detection
================================================================
SECTION D — PRIVILEGE & CREDENTIALS
================================================================
----------------------------------------------------------------
D1. CREDENTIAL & PRIVILEGE TECHNIQUES
----------------------------------------------------------------
- Token Impersonation
Steal/duplicate another process's access token
- Pass-the-Hash
Authenticate using an NTLM hash without the plaintext password
- LSASS Dumping
Extract credential material from LSASS process memory
- DPAPI Abuse
Decrypt Chrome cookies, WiFi passwords, Windows credentials via
CryptProtectData / CryptUnprotectData
- Kerberoasting
Request TGS tickets for SPNs and crack service account passwords offline
- Golden Ticket
Forge a Kerberos TGT using the KRBTGT hash — full domain access
- Silver Ticket
Forge a TGS for a specific service without touching the DC
- Shadow Credentials
Add key credentials to an AD object as a stealthy backdoor
- Skeleton Key
Patch LSASS to accept a universal master password
- UAC Bypass
Escalate to high-integrity without a UAC prompt
- ACL Abuse
Exploit weak permissions on registry keys, services, or files
================================================================
SECTION E — ACTIVE DIRECTORY TRADECRAFT
================================================================
----------------------------------------------------------------
E1. AD ATTACKS & ABUSE
----------------------------------------------------------------
- DCSync
Impersonate a DC to request password hashes via MS-DRSR replication protocol
- DCShadow
Register a rogue DC temporarily to push malicious AD changes
- BloodHound Graph Abuse
Use BloodHound-collected AD relationship data to find attack paths
to Domain Admin
- Constrained Delegation Abuse
Abuse services allowed to delegate to specific targets to impersonate users
- Resource-Based Constrained Delegation (RBCD)
Write msDS-AllowedToActOnBehalfOfOtherIdentity to gain impersonation rights
- NTLM Relay
Capture and relay NTLM authentication to authenticate to other services
- PetitPotam
Coerce a DC to authenticate to an attacker via MS-EFSRPC — feeds NTLM relay
- PrinterBug (SpoolSample)
Abuse the Print Spooler to coerce DC authentication
- Zerologon (CVE-2020-1472)
Cryptographic flaw in Netlogon — set DC machine account password to empty
- AdminSDHolder Abuse
Modify AdminSDHolder ACL to propagate permissions to protected groups
- SID History Abuse
Add high-priv SID to a user's SID history as a stealthy backdoor
- Kerberos Delegation (Unconstrained)
Machines with unconstrained delegation store TGTs — coerce DC auth to steal it
================================================================
SECTION F — DEFENSIVE INTERNALS & EDR CONCEPTS
================================================================
----------------------------------------------------------------
F1. EDR / DETECTION ENGINEERING INTERNALS
----------------------------------------------------------------
- AMSI (Antimalware Scan Interface)
Windows API that allows AV/EDR to inspect script content
(PowerShell, VBScript, JScript) before execution
- ETW (Event Tracing for Windows) Providers & Consumers
Kernel and user-mode components emit structured events;
EDRs subscribe to security-relevant providers for telemetry
- ETWTI (ETW Threat Intelligence)
ETW provider specifically for kernel-level process/thread telemetry
used by modern EDRs; harder to blind than user-mode hooks
- Sysmon Internals
Sysinternals tool using kernel callbacks and ETW to log process
creation, network, registry, file, and driver events
- Userland vs Kernel Telemetry
Userland (IAT/inline hooks on ntdll) vs kernel (callbacks, ETW, minifilters)
— kernel telemetry is far harder to evade
- Minifilter Drivers
Kernel drivers that attach to the filter manager to intercept file I/O;
used by AV/EDR to scan files on access
- Kernel Callbacks
PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine,
CmRegisterCallback — EDRs use these for visibility; malware tries to remove them
- CFG (Control Flow Guard)
Compiler+OS mitigation: validates indirect call targets against a bitmap
of valid function entry points
- CET / Hardware Shadow Stack
Intel CET pushes return addresses to a separate shadow stack protected
by hardware; defeats ROP chains that corrupt the normal stack
- PatchGuard (KPP)
Kernel Patch Protection: periodically checks integrity of SSDT, IDT,
GDT, and other kernel structures; BSODs on tampering
- HVCI / VBS (Hypervisor-Protected Code Integrity / Virtualization Based Security)
Uses a hypervisor to isolate the kernel credential store and enforce
code integrity — makes unsigned kernel code execution nearly impossible
- Protected Process Light (PPL)
Restricts which processes can open handles to sensitive processes
(like LSASS) with certain access rights
- LSASS Protection
RunAsPPL registry key makes LSASS a protected process;
requires a signed driver to dump it
================================================================
SECTION G — REVERSE ENGINEERING
================================================================
----------------------------------------------------------------
G1. REVERSE ENGINEERING SKILLS
----------------------------------------------------------------
- Static Analysis
Reading disassembly without running it (IDA Pro, Ghidra, Binary Ninja)
- Dynamic Analysis
Running under a debugger (x64dbg, WinDbg)
- Anti-Debug Tricks
IsDebuggerPresent, NtQueryInformationProcess, timing checks, TLS callbacks
- Hardware Breakpoint Detection
Detect debuggers via debug register inspection (Dr0-Dr7)
- Unpacking
Extracting the real payload from a packed/compressed executable
- Deobfuscation
Recovering readable code from obfuscated or encrypted samples
- Binary Patching
Modifying compiled binaries to change behavior
- Binary Diffing
Comparing two binary versions to find changes (Diaphora, BinDiff)
— essential for patch analysis and 1-day research
- Emulation / Unicorn Engine
Run shellcode in an emulated CPU without a full OS environment
- Taint Tracking / Symbolic Execution
Track attacker-controlled data flow through a binary (Angr, Triton)
- Debugger Scripting
Automate analysis with IDAPython, x64dbg's Python API, WinDbg JS
================================================================
SECTION H — LINUX & CROSS-PLATFORM
================================================================
----------------------------------------------------------------
H1. LINUX TECHNIQUES
----------------------------------------------------------------
- ptrace Injection
Linux syscall for process inspection/control; abuse for code injection
- LD_PRELOAD Hijacking
Force a process to load your shared library before system libraries;
override functions like read(), write(), getuid()
- GOT / PLT Hooking
Overwrite Global Offset Table to redirect function calls in ELF binaries
- ELF Internals
ELF header, program headers, section headers, dynamic segment,
symbol tables — Linux equivalent of PE format knowledge
- /proc Manipulation
/proc/[pid]/mem for reading/writing process memory;
/proc/[pid]/maps for layout; used in Linux injection techniques
- eBPF Rootkits
Extended Berkeley Packet Filter programs run in kernel context;
can hook syscalls and hide processes/network connections
- Linux Capabilities Abuse
Fine-grained privilege system (CAP_SYS_ADMIN, CAP_NET_RAW, etc.)
— misconfigurations lead to container escapes and privilege escalation
- cron / systemd Persistence
Classic persistence via crontab entries or malicious systemd units
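For the capabilities item above, the defender's first question is which capabilities a process or container actually holds; the kernel exposes that as hex bitmasks in /proc/[pid]/status. The auditor below is an added example, not code from the original list: it parses the CapEff line, decodes the mask against the capability bit order from linux/capability.h, and flags a short, policy-dependent set that usually warrants review (SYS_ADMIN, SYS_PTRACE, SYS_MODULE, SYS_RAWIO, DAC_READ_SEARCH, BPF). The embedded status text is constructed; its mask 00000000a80425fb is the default effective set of a Docker container. When run on Linux the program reads its own /proc/self/status instead.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <iterator>
#include <sstream>
#include <string>
#include <vector>

// Capability names in bit order from <linux/capability.h> (41 as of Linux 5.9).
static const char* const kCapNames[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
    "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE",
    "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE",
    "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT",
    "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
    "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE"};
constexpr int kCapCount = sizeof(kCapNames) / sizeof(kCapNames[0]);

// Capabilities whose presence in a container or service usually deserves review;
// each is a documented route to host-level control. Judgement call: adjust per policy.
static const int kHighRiskBits[] = {2 /*DAC_READ_SEARCH*/, 16 /*SYS_MODULE*/, 17 /*SYS_RAWIO*/,
                                    19 /*SYS_PTRACE*/, 21 /*SYS_ADMIN*/, 39 /*BPF*/};

// Extract the CapEff hex mask from the text of /proc/<pid>/status; 0 if absent.
uint64_t parseCapEff(const std::string& statusText) {
    std::istringstream in(statusText);
    std::string line;
    while (std::getline(in, line))
        if (line.compare(0, 7, "CapEff:") == 0)
            return std::strtoull(line.c_str() + 7, nullptr, 16);  // strtoull skips the leading tab
    return 0;
}

// Names of every capability set in the mask, in bit order.
std::vector<std::string> decodeCaps(uint64_t mask) {
    std::vector<std::string> out;
    for (int bit = 0; bit < kCapCount; ++bit)
        if (mask & (1ULL << bit)) out.push_back(kCapNames[bit]);
    return out;
}

// Subset of the mask that falls in the review list.
std::vector<std::string> highRiskCaps(uint64_t mask) {
    std::vector<std::string> out;
    for (int bit : kHighRiskBits)
        if (mask & (1ULL << bit)) out.push_back(kCapNames[bit]);
    return out;
}

// Constructed sample: the effective set a default Docker container receives,
// with the unrelated status fields abbreviated.
const char* const kSampleStatus =
    "Name:\tsh\nPid:\t1\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n";

int main() {
    std::string text = kSampleStatus;
    std::ifstream live("/proc/self/status");          // prefer the live file when running on Linux
    if (live) text.assign(std::istreambuf_iterator<char>(live), std::istreambuf_iterator<char>());
    uint64_t eff = parseCapEff(text);
    std::printf("CapEff = %016llx\n", (unsigned long long)eff);
    for (const auto& c : decodeCaps(eff)) std::printf("  %s\n", c.c_str());
    for (const auto& c : highRiskCaps(eff)) std::printf("  REVIEW: %s\n", c.c_str());
    return 0;
}
```

Point the same parser at /proc/<pid>/status for a containerised workload (or at the output of docker inspect's CapAdd list) to confirm that a deployment actually dropped what its manifest claims; the effective set, not the bounding set, is what the process can use right now.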
================================================================
SECTION I — PERSISTENCE MECHANISMS
================================================================
- Registry Run Keys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Scheduled Tasks
Via COM or XML; survive reboots
- COM Hijacking
Replace a legitimate COM object with your own DLL
- DLL Proxying / DLL Side-Loading
Malicious DLL named to match what a legit app expects; forward real exports
- WMI Subscriptions
Trigger payloads on system events
- Boot/Login Scripts via GPO
Scripts in SYSVOL executed at boot/login
- SID History Abuse
Add high-priv SID to user's history as a stealthy backdoor
- SIH Abuse
Abuse Windows maintenance scheduled tasks
- Boot/Pre-OS (Bootkit)
MBR/VBR level persistence
================================================================
SECTION J — FIRMWARE & HARDWARE
================================================================
- UEFI Bootkit
Persist in SPI flash firmware (LoJax, CosmicStrand) — survives reinstalls
- SMM (System Management Mode) Rootkit
Executes in SMRAM, invisible to OS; triggered by SMIs
- PCIe DMA Attacks
Read/write host memory via PCIe/Thunderbolt without CPU (PCILeech)
- ACPI Table Tampering
Embed malicious code in custom ACPI methods
================================================================
SECTION K — HYPERVISOR & VM CONCEPTS
================================================================
- VM Exits
Conditions that cause a guest VM to trap back to the hypervisor (VMM);
hypervisors monitor sensitive instructions via VM exits
- EPT Hooking (Extended Page Tables)
Hook guest physical memory mappings at the hypervisor level —
invisible to the guest OS; used in stealth monitors and rootkits
- Blue Pill Rootkit Concept
Transparently insert a hypervisor under a running OS; OS is unaware
it's now a VM guest
- Hypervisor Introspection (VMI)
Inspect guest VM memory and state from the hypervisor without
touching the guest — powerful for transparent monitoring
- Intel VT-x Internals
VMX root/non-root operation, VMCS fields, VMLAUNCH/VMRESUME,
EPT, VPID — foundational for building a hypervisor
- CPUID Fingerprinting
Detect virtualization via CPUID hypervisor bit and vendor strings
- Timing-Based VM Detection
RDTSC delta differences between bare metal and VM environments
- SGX Enclaves
Intel Software Guard Extensions — isolated encrypted memory regions
even the OS/hypervisor can't read; used for secrets and anti-analysis
- TPM Abuse Concepts
Trusted Platform Module sealing/unsealing secrets tied to platform state;
research into PCR manipulation and TPM-based malware resilience
================================================================
SECTION L — NETWORK, C2 & TRAFFIC EVASION
================================================================
- C2 Protocol Mimicry
Disguise traffic as: HTTPS, DNS, MS Graph API, Telegram, Slack, OneDrive
- JA3 / JA3S Fingerprinting
Fingerprint TLS clients/servers from handshake parameters;
EDRs/NDRs use this to identify C2 tools
- JARM Fingerprint Spoofing
Manipulate active TLS fingerprint to avoid C2 server identification
- HTTP/2 C2
Use HTTP/2 multiplexing to blend C2 traffic into normal web traffic
- QUIC-Based Transport
UDP-based protocol; harder to inspect than TCP/TLS streams
- Domain Fronting
Route C2 through a CDN; largely mitigated, replaced by CDN impersonation
- Dead Drop Resolvers
Store C2 address in a public service (Twitter, Pastebin, GitHub)
so the real C2 IP never appears in the binary
- DGA (Domain Generation Algorithms)
Algorithmically generate hundreds of domain names; only the attacker
knows which one is registered today
- Fast Flux DNS
Rapidly rotate IPs behind a C2 domain to evade IP blocklists
- Peer-to-Peer Botnets
Decentralized C2 with no single point of failure; nodes relay commands
- Traffic Shaping
Throttle and time C2 beacons to mimic normal user browser traffic
- Covert Channels
Hide data in protocol fields not meant for data (DNS TXT, ICMP payload,
HTTP headers, image steganography)
- C2 Over WebSocket / gRPC
Modern protocol channels that blend naturally into enterprise traffic
- Living Off the Land (LOLBins)
Use built-in Windows binaries to avoid dropping files:
mshta, regsvr32, cscript, wmic, certutil, rundll32, msiexec, bitsadmin
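On the defensive side of the DGA item above, resolver logs are where algorithmically generated names show up first, and simple character statistics catch a large share of them. The checker below is an added example, not code from the original list or from any product: it parses a constructed log format ("timestamp client query fqdn"), takes the label left of the top-level domain (assuming a one-label suffix; real deployments need the Public Suffix List for cases such as .co.uk), and flags long labels that are digit-heavy, have long consonant runs, or have near-random character entropy. The thresholds are illustrative starting points to tune against your own DNS baseline, and the six log lines are constructed, three benign and three DGA-style.

```cpp
#include <cmath>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

struct LabelStats { size_t length = 0; double entropy = 0; double digitFraction = 0; int maxConsonantRun = 0; };

// Character statistics of one DNS label (lowercase assumed).
LabelStats analyzeLabel(const std::string& label) {
    LabelStats st; st.length = label.size();
    if (label.empty()) return st;
    int counts[256] = {0}; size_t digits = 0; int run = 0;
    for (unsigned char c : label) {
        ++counts[c];
        if (c >= '0' && c <= '9') ++digits;
        bool consonant = (c >= 'a' && c <= 'z') && std::string("aeiouy").find(c) == std::string::npos;
        run = consonant ? run + 1 : 0;          // digits and vowels break the run
        if (run > st.maxConsonantRun) st.maxConsonantRun = run;
    }
    for (int n : counts)                         // Shannon entropy in bits per character
        if (n) { double p = double(n) / label.size(); st.entropy -= p * std::log2(p); }
    st.digitFraction = double(digits) / label.size();
    return st;
}

// Heuristic verdict. Thresholds are illustrative; tune them against your own baseline.
bool looksGenerated(const LabelStats& st) {
    if (st.length < 10) return false;            // short labels are too ambiguous to score
    return st.digitFraction >= 0.2 || st.maxConsonantRun >= 5 || st.entropy >= 3.6;
}

// Label left of the last dot. Assumes a one-label public suffix (.com, .net);
// ".co.uk"-style suffixes need the Public Suffix List.
std::string registrableLabel(const std::string& fqdn) {
    size_t last = fqdn.rfind('.');
    if (last == std::string::npos || last == 0) return fqdn;
    size_t prev = fqdn.rfind('.', last - 1);
    size_t start = (prev == std::string::npos) ? 0 : prev + 1;
    return fqdn.substr(start, last - start);
}

// Constructed resolver log format: "<timestamp> <client> query <fqdn>".
std::vector<std::string> suspiciousDomains(const std::vector<std::string>& lines) {
    std::vector<std::string> flagged;
    for (const auto& line : lines) {
        std::istringstream in(line); std::string ts, client, verb, fqdn;
        if (!(in >> ts >> client >> verb >> fqdn) || verb != "query") continue;
        if (looksGenerated(analyzeLabel(registrableLabel(fqdn)))) flagged.push_back(fqdn);
    }
    return flagged;
}

// Constructed sample lines: three benign lookups and three DGA-style names.
const std::vector<std::string> kSampleLog = {
    "2025-01-15T10:00:01Z 10.0.0.5 query www.example.com",
    "2025-01-15T10:00:02Z 10.0.0.5 query login.microsoftonline.com",
    "2025-01-15T10:00:03Z 10.0.0.7 query xk3jq9v2wlzp8.net",
    "2025-01-15T10:00:04Z 10.0.0.7 query cdn.cloudflare.com",
    "2025-01-15T10:00:05Z 10.0.0.7 query q7h2d9f4k1m6z3.com",
    "2025-01-15T10:00:06Z 10.0.0.9 query kqzxvbtrwplmn.org",
};

int main() {
    for (const auto& d : suspiciousDomains(kSampleLog)) std::printf("suspect: %s\n", d.c_str());
    return 0;
}
```

Per-label scoring like this is a triage filter, not a verdict: pair it with volume features (one client resolving dozens of distinct never-seen names with NXDOMAIN answers in a short window) before alerting, since CDN hostnames and some legitimate tracking domains also score high on entropy alone.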
================================================================
SECTION M — ADVANCED RESEARCH TOPICS
================================================================
- DKOM (Direct Kernel Object Manipulation)
Directly modify kernel structures (e.g., unlink a process from
ActiveProcessLinks to hide it from task managers)
- Object Callbacks
ObRegisterCallbacks — kernel mechanism for object open/duplicate
notification; abused by anti-cheat and rootkits alike
- Heaven's Gate Variants
Beyond 32->64 mode switch: variants for syscall table switching
and wow64 layer abuse
- Gargoyle Memory Hiding
Execute shellcode, then mark it non-executable and hide it in heap;
re-arm via timer to re-execute later
- Sleep Obfuscation Techniques
Encrypt implant in memory during sleep: Ekko, Foliage, Cronos variants
- Stack Encryption
XOR or AES the stack during wait periods to evade memory scanning
- Return Address Spoofing
Overwrite return addresses on the stack to fake call origin
- Intel VT-x Internals
VMCS, EPT, VM exits — foundation for building custom hypervisors
- Kernel Patch Protection (PatchGuard) Internals
How PatchGuard works: encrypted timer callbacks, integrity checks,
randomized scheduling — and why bypassing it is extremely difficult
- ETWTI (ETW Threat Intelligence Provider)
Kernel ETW provider emitting thread/process events used by modern EDRs;
patching it requires kernel access and triggers PatchGuard
================================================================
SECTION N — LEARNING RESOURCES
================================================================
Courses:
- OSCP (Offensive Security Certified Professional)
- OSED (Offensive Security Exploit Developer)
- CRTO (Certified Red Team Operator)
- CRTE (Certified Red Team Expert — AD focused)
- Sektor7 Malware Development (intro + intermediate + rootkits)
- SANS FOR610 (Reverse Engineering Malware)
- SANS SEC760 (Advanced Exploit Development)
- TCM Security Malware Analysis Courses
Books:
- The Shellcoder's Handbook
- Practical Malware Analysis (Sikorski & Honig)
- Windows Internals Parts 1 & 2 (Russinovich et al.)
- The Art of Memory Forensics
- Rootkits: Subverting the Windows Kernel
- Hacking: The Art of Exploitation (Erickson)
- The Web Application Hacker's Handbook
Disassemblers / Decompilers:
- IDA Pro (industry standard)
- Ghidra (free, NSA open-source)
- Binary Ninja (scriptable, modern UI)
- Cutter / Rizin (free open-source)
Debuggers:
- x64dbg (Windows user-mode)
- WinDbg / WinDbg Preview (kernel + user-mode)
- GDB + pwndbg/peda (Linux)
Dynamic Instrumentation:
- Frida (scriptable, cross-platform)
- DynamoRIO (binary translation framework)
- PIN (Intel) (x86 instrumentation)
System Inspection:
- Process Hacker / System Informer
- Process Monitor (ProcMon)
- API Monitor
Network Analysis:
- Wireshark
- Zeek / Bro
- Fakenet-NG (dynamic network analysis for malware)
Emulation / Symbolic Execution:
- Unicorn Engine (CPU emulation)
- Angr (symbolic execution)
- Triton (dynamic taint + symbolic)
Hardware / DMA:
- PCILeech / MemProcFS
Practice Environments:
- TryHackMe
- HackTheBox
- VulnHub
- Any.run (online sandbox)
- MalwareBazaar (real samples)
- Flare-VM (Windows RE environment)
- REMnux (Linux RE environment)
- pwn.college (exploit development)
================================================================
NOTE: These concepts are for educational purposes —
malware analysis, red teaming, CTFs, and security research.
Always operate within legal boundaries and in authorized
environments (your own lab, CTFs, bug bounty programs).
================================================================
Wednesday, June 3, 2026
OFFENSIVE SECURITY / MALWARE ANALYSIS / REVERSE ENGINEERING Concept Reference List — Complete Edition
Monday, June 1, 2026
Reverse Engineering: Understanding the Thoughts Behind Systems
A software program or hardware system is usually the result of people organizing ideas, logic, constraints, and decisions to solve a problem. The final product becomes a kind of “frozen thinking” expressed through:
- code
- circuit layouts
- protocols
- algorithms
- mechanical structures
- data formats
- timing behavior
- UI decisions
- optimization tricks
So reverse engineering is often the process of working backward from the finished system to understand:
- what problem the creators were solving
- how the system works internally
- why certain design decisions were made
- what assumptions or constraints existed
- how components interact
In software, that may involve:
- studying binaries
- analyzing assembly
- tracing execution
- reconstructing algorithms
- understanding data structures
In hardware, it may involve:
- tracing PCB connections
- identifying chips
- analyzing signals
- reconstructing schematics
- understanding timing and electrical behavior
So in a philosophical sense, reverse engineering can feel like “reading the engineers’ thought process” indirectly through the artifact they created.
But it’s important to understand a distinction:
You are not literally reading their thoughts — you are inferring them from evidence left behind in the design.
Sometimes those inferences are accurate.
Sometimes multiple different thought processes could produce the same result.
For example:
- an unusual algorithm might reveal a performance optimization mindset
- extra security checks may reveal concern about tampering
- elegant modular design may show emphasis on maintainability
- messy duplicated logic may show deadline pressure or rapid iteration
Experienced reverse engineers often become good at recognizing “engineering fingerprints”:
- compiler patterns
- coding styles
- architectural habits
- optimization strategies
- hardware design conventions
In that sense, reverse engineering is partly technical analysis and partly reasoning about human design decisions.
Software Architectures for Arduino and Embedded Systems
1 - Monolithic Architecture
Monolithic architecture is the simplest and most common approach used in small Arduino projects. In this design, nearly all functionality is placed directly inside the main Arduino sketch using the setup() and loop() functions. Sensor reading, display handling, communication, and control logic are all processed sequentially inside a single program structure.
This architecture is easy to understand and requires minimal memory, making it suitable for beginners and small microcontrollers such as the Arduino Uno and Nano. However, as the project grows larger, the code can become difficult to maintain because all system components are tightly connected.
2 - Modular Architecture
Modular architecture divides the firmware into separate modules or source files, where each module handles a specific responsibility such as sensor management, display control, communication, or storage.
This approach improves code organization, readability, debugging, and reusability. Developers can modify one module without affecting the rest of the system significantly. Modular architecture is widely used in medium-sized Arduino and embedded projects because it provides better scalability compared to monolithic designs.
3 - Layered Architecture
Layered architecture organizes firmware into multiple logical layers. Common layers include application logic, middleware or services, hardware abstraction, drivers, and direct hardware interaction.
Each layer communicates with the layer directly below or above it. This structure improves portability and maintainability because hardware-specific code is separated from application logic. Layered architecture is common in professional embedded systems and advanced microcontroller frameworks.
4 - Event-Driven Architecture
Event-driven architecture is based on reacting to events instead of continuously checking every subsystem in sequence. Events may include button presses, timer expirations, sensor triggers, serial communication, or network messages.
When an event occurs, the firmware executes a corresponding handler function. This architecture improves responsiveness and is commonly used in menu systems, IoT devices, robotics, and automation systems.
5 - State Machine Architecture
State machine architecture organizes firmware behavior into defined states such as idle, running, paused, error, or sleep. The system transitions between these states depending on conditions or events.
This architecture provides predictable system behavior and simplifies debugging. State machines are widely used in robotics, automation controllers, industrial systems, and embedded devices that require clear operational flow.
6 - Finite State Machine (FSM)
A finite state machine is a formal implementation of a state machine where transitions between states are explicitly defined.
FSMs are commonly used in communication protocols, menu systems, LED animation controllers, and sequential process control because they provide clear and structured logic flow.
7 - Cooperative Multitasking
Cooperative multitasking simulates multitasking without using an operating system. The firmware is divided into multiple short tasks that execute repeatedly inside the main loop.
Each task must return quickly so other tasks can execute without delays. Timing is commonly handled using millis() instead of blocking functions such as delay(), because a blocking delay() inside one task stalls every other task in the loop. This architecture is extremely popular in Arduino development.
8 - Scheduler-Based Architecture
Scheduler-based architecture uses a scheduler to determine when tasks should run. Tasks may execute periodically at fixed intervals such as every few milliseconds or seconds.
This approach simplifies timing management and improves organization in projects containing multiple timed operations. Scheduler libraries are commonly used in automation and sensor-based systems.
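A minimal periodic scheduler serving both the cooperative-multitasking and scheduler-based descriptions above, added as an illustration (not code from the original page). On Arduino scheduler_tick() would be called from loop() with millis(); here the clock is a parameter so it compiles on a PC, and the task names are constructed:

```cpp
#include <cstddef>
#include <cstdint>

typedef void (*TaskFn)(void);

struct Task {
  TaskFn fn;
  uint32_t interval_ms;   // period; 0 means run on every pass
  uint32_t last_run_ms;   // timestamp of the previous run
  uint32_t run_count;     // how many times the task has executed
};

static const size_t kMaxTasks = 8;   // fixed table: no heap on a microcontroller
static Task g_tasks[kMaxTasks];
static size_t g_task_count = 0;

// Register a task. Returns false when the table is full instead of overflowing it.
bool scheduler_add(TaskFn fn, uint32_t interval_ms, uint32_t now_ms) {
  if (fn == nullptr || g_task_count >= kMaxTasks) return false;
  g_tasks[g_task_count++] = Task{fn, interval_ms, now_ms, 0};
  return true;
}

// One pass over the table, called from loop() with millis() on Arduino.
// The unsigned subtraction (now - last) stays correct when millis() wraps
// to zero after about 49.7 days; "now >= last + interval" would not.
// Returns the number of tasks that ran on this pass.
size_t scheduler_tick(uint32_t now_ms) {
  size_t ran = 0;
  for (size_t i = 0; i < g_task_count; ++i) {
    Task &t = g_tasks[i];
    if (now_ms - t.last_run_ms >= t.interval_ms) {
      t.last_run_ms = now_ms;
      t.fn();           // each task must return quickly: no delay() inside
      t.run_count++;
      ++ran;
    }
  }
  return ran;
}

// Hooks: read a task's run counter, or back-date its last run to simulate the wrap.
uint32_t scheduler_run_count(size_t idx) {
  return idx < g_task_count ? g_tasks[idx].run_count : 0;
}
void scheduler_set_last_run(size_t idx, uint32_t ts) {
  if (idx < g_task_count) g_tasks[idx].last_run_ms = ts;
}

// Constructed tasks standing in for real work (toggle an LED, poll a sensor).
static unsigned g_led_toggles = 0, g_sensor_reads = 0;
static void blink_task() { ++g_led_toggles; }
static void sensor_task() { ++g_sensor_reads; }
```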
9 - RTOS Architecture
RTOS architecture uses a real-time operating system such as FreeRTOS to manage multitasking. Tasks run independently and may use priorities, queues, semaphores, and synchronization mechanisms.
This architecture enables true multitasking and is commonly used on advanced microcontrollers such as ESP32, STM32, and RP2040. RTOS systems are suitable for complex real-time applications but require more memory and system resources.
10 - Actor Architecture
Actor architecture divides the system into independent software actors that communicate through messages instead of shared variables.
Each actor processes information independently, improving modularity and concurrency handling. This architecture is more common in advanced embedded systems and multicore microcontrollers.
11 - Service-Oriented Architecture
Service-oriented architecture divides firmware into services such as networking, storage, display management, sensor processing, or LED control.
Each service provides specific functionality through defined APIs. This architecture improves separation of concerns and is commonly used in IoT firmware and smart device systems.
12 - Plugin Architecture
Plugin architecture allows features or modules to be added or removed independently. In Arduino systems, plugins are usually compile-time modules because smaller microcontrollers typically cannot load binary modules dynamically.
This architecture is common in configurable firmware such as LED effect systems and home automation controllers.
13 - Component-Based Architecture
Component-based architecture builds the system using reusable software components. Each component encapsulates its own functionality and interfaces.
This approach improves reusability and maintainability and is commonly used in robotics frameworks, GUI systems, and large embedded applications.
14 - Dataflow Architecture
Dataflow architecture organizes processing as a flow of data through multiple stages such as acquisition, filtering, transformation, and output.
This architecture is useful in digital signal processing, sensor fusion, audio processing, and data streaming systems because it clearly represents how information moves through the firmware.
15 - Interrupt-Driven Architecture
Interrupt-driven architecture uses hardware or software interrupts to respond immediately to important events such as timer overflows, UART communication, encoder pulses, or GPIO changes.
Interrupts improve responsiveness and timing precision. However, interrupt handlers must remain short and efficient to avoid system instability, because a long handler delays every other interrupt and the main loop.
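The short-ISR pattern for interrupt-driven UART receive, added as an illustration (not code from the original page): the handler only stores the byte into a ring buffer, and all parsing happens in the main loop. uart_rx_isr() is a hypothetical stand-in for the real RX interrupt handler and is called directly so the code runs on a PC:

```cpp
#include <cstdint>

// Power-of-two size so the index wrap is a mask, not a division, inside the ISR.
static const uint8_t kRxSize = 64;
static volatile uint8_t g_rx_buf[kRxSize];
static volatile uint8_t g_rx_head = 0;       // written only by the ISR
static volatile uint8_t g_rx_tail = 0;       // written only by the main loop
static volatile uint16_t g_rx_dropped = 0;   // bytes lost because the buffer was full

// The handler does the minimum: store the byte and advance one index.
// No parsing, no printing, no blocking calls in here.
void uart_rx_isr(uint8_t byte) {
  uint8_t next = (uint8_t)((g_rx_head + 1) & (kRxSize - 1));
  if (next == g_rx_tail) {                   // full: count the loss, never overwrite
    g_rx_dropped = g_rx_dropped + 1;
    return;
  }
  g_rx_buf[g_rx_head] = byte;
  g_rx_head = next;
}

// Called from the main loop. With one producer (the ISR) and one consumer
// (the loop), and single-byte indices that are read in one instruction on
// 8-bit AVR, no interrupt masking is needed. Returns false when nothing waits.
bool uart_read(uint8_t &out) {
  if (g_rx_tail == g_rx_head) return false;
  out = g_rx_buf[g_rx_tail];
  g_rx_tail = (uint8_t)((g_rx_tail + 1) & (kRxSize - 1));
  return true;
}

uint16_t uart_dropped() { return g_rx_dropped; }
uint8_t uart_pending() { return (uint8_t)((g_rx_head - g_rx_tail) & (kRxSize - 1)); }
```

The drop counter gives the main loop a cheap way to detect that input is arriving faster than it is consumed.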
16 - Reactive Architecture
Reactive architecture continuously reacts to changing system conditions. Examples include responding to sensor thresholds, battery voltage changes, or communication events.
This architecture is widely used in automation systems, smart sensors, and adaptive embedded devices.
17 - Command Architecture
Command architecture processes commands received from serial communication, EEPROM, SD cards, filesystems, or network interfaces.
Commands may control LEDs, animations, settings, or device operations. This approach is useful in configurable firmware, scripting systems, and automation controllers.
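A bounded command-line reader for serial input, added as an illustration (not code from the original page); the LED/BRIGHT command set is constructed for the example, and cmd_feed() would be called with each byte from Serial.read():

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>

enum CmdResult { CMD_NONE, CMD_LED_ON, CMD_LED_OFF, CMD_BRIGHT, CMD_UNKNOWN, CMD_TOO_LONG };

struct CmdReader {
  char buf[32];          // fixed line buffer; one byte reserved for the NUL
  size_t len = 0;
  bool overflow = false; // set once a line exceeds the buffer; that line is dropped
  int arg = 0;           // argument of the last accepted BRIGHT command
};

// Execute one complete, NUL-terminated line against the constructed command set.
static CmdResult cmd_execute(CmdReader &r, const char *line) {
  if (strcmp(line, "LED ON") == 0) return CMD_LED_ON;
  if (strcmp(line, "LED OFF") == 0) return CMD_LED_OFF;
  if (strncmp(line, "BRIGHT ", 7) == 0) {
    char *end;
    long v = strtol(line + 7, &end, 10);
    // reject an empty, non-numeric, or out-of-range argument
    if (end == line + 7 || *end != '\0' || v < 0 || v > 255) return CMD_UNKNOWN;
    r.arg = (int)v;
    return CMD_BRIGHT;
  }
  return CMD_UNKNOWN;
}

// Feed one byte. Returns CMD_NONE until a full line has arrived. Bytes beyond
// the buffer are discarded and the whole line is rejected, so an over-long
// line can never write past buf[].
CmdResult cmd_feed(CmdReader &r, char c) {
  if (c == '\r') return CMD_NONE;            // tolerate CRLF line endings
  if (c != '\n') {
    if (r.len >= sizeof(r.buf) - 1) r.overflow = true;
    else r.buf[r.len++] = c;
    return CMD_NONE;
  }
  CmdResult res = CMD_NONE;
  if (r.overflow) res = CMD_TOO_LONG;
  else if (r.len > 0) { r.buf[r.len] = '\0'; res = cmd_execute(r, r.buf); }
  r.len = 0;
  r.overflow = false;                         // reader recovers after a dropped line
  return res;
}

// Feed a whole string (as a test or a file-based command source would) and
// return the result of the last complete line.
CmdResult cmd_feed_str(CmdReader &r, const char *s) {
  CmdResult last = CMD_NONE;
  for (; *s != '\0'; ++s) { CmdResult x = cmd_feed(r, *s); if (x != CMD_NONE) last = x; }
  return last;
}
```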
18 - Pipeline Architecture
Pipeline architecture divides operations into sequential stages where data flows from one stage to another.
For example, a system may read data, decode it, process it, and display it in separate stages. This architecture is useful for streaming systems, binary processing, and LED animation engines.
19 - MVC Architecture
MVC stands for Model-View-Controller. This architecture separates application data, visual representation, and user interaction into separate components.
Although less common in small embedded systems, MVC is useful in touchscreen interfaces, menu-driven systems, and graphical user interfaces.
20 - Hardware Abstraction Layer (HAL)
A hardware abstraction layer provides generic interfaces for hardware operations while hiding low-level hardware details.
Instead of directly controlling registers or GPIO pins throughout the firmware, the application uses abstracted hardware functions. HAL improves portability and simplifies migration between different microcontroller platforms such as AVR, ESP32, STM32, and RP2040.

