================================================================
RECOMMENDED LEARNING PATH
================================================================
1. C Programming
2. Assembly (x86/x64)
3. PE Format & Windows Internals
4. Debugging & Dynamic Analysis
5. Reverse Engineering
6. Shellcode Engineering
7. Exploit Development
8. Malware Internals & Code Injection
9. EDR Evasion Concepts
10. Kernel Mode Programming
11. Active Directory Tradecraft
12. Firmware / Hypervisor Research
================================================================
SECTION A — FOUNDATIONS
================================================================
----------------------------------------------------------------
A1. PE FILE INTERNALS
----------------------------------------------------------------
- DOS Header / NT Headers
Every PE starts with IMAGE_DOS_HEADER (MZ magic), then IMAGE_NT_HEADERS,
which holds the PE signature, the file header, and the optional header
- Section Headers & Alignment
.text (code), .data, .rdata, .rsrc — each has raw vs virtual alignment
- Import Table (IAT / INT)
List of DLLs and functions the binary needs; resolved by the loader at startup
- Export Table
Functions a DLL exposes to callers; has name, ordinal, and address arrays
- Relocations
Base relocation table used when image can't load at preferred base address
- TLS Callbacks
Thread Local Storage callbacks run BEFORE the entry point — common anti-debug
trick since many debuggers break at EP, not TLS
- Delayed Imports
Imports resolved lazily at first call rather than at load time
- Forwarded Exports
An export that redirects to a function in another DLL
(e.g., kernel32!Beep -> kernelbase!Beep)
- Resource Section (.rsrc)
Embedded resources: icons, strings, version info, and sometimes payloads
- Manual Mapping
Parsing and loading a PE by hand: map sections, fix relocations, resolve IAT,
call TLS callbacks, then call entry point — foundation of reflective loading
- Relocation Fixups
Patching absolute addresses when image loads at a different base than preferred
----------------------------------------------------------------
A2. WINDOWS INTERNALS
----------------------------------------------------------------
- Object Manager
Kernel subsystem managing all named/unnamed kernel objects
(files, events, mutexes, processes, threads)
- Handle Tables
Per-process table mapping handle values to kernel object pointers
- Access Tokens & Security Reference Monitor (SRM)
Tokens carry user SID, group SIDs, privileges; SRM enforces access checks
- ALPC (Advanced Local Procedure Call)
High-performance IPC mechanism used internally by Windows (replaces LPC)
- Executive & Kernel layers
HAL -> Kernel -> Executive (Ob, Mm, Io, Se, Ps, etc.) -> Subsystems
- Virtual Memory Manager (VMM)
Manages VADs, page tables, working sets, paged/non-paged pool
- I/O Manager & IRP
Manages driver stack communication via I/O Request Packets
- Session & Desktop isolation
Sessions separate user contexts; window stations and desktops isolate UI objects within a session
----------------------------------------------------------------
A3. SHELLCODE ENGINEERING
----------------------------------------------------------------
- Position-Independent Code (PIC)
Code that works regardless of where it's loaded — no hardcoded addresses;
uses delta offsets or GetPC techniques
- GetPC Techniques
Getting the current instruction pointer value at runtime
(e.g., CALL/POP trick, LEA RIP-relative on x64)
- Null-Byte Avoidance
Many injection vectors treat 0x00 as string terminator; shellcode must
avoid null bytes through instruction substitution
- Encoder / Decoder Stubs
XOR, ROT, or custom encoders wrap shellcode; decoder runs first,
decodes in-place, then jumps to payload
- Syscall Shellcode
Shellcode that invokes syscalls directly without relying on API stubs
- Alphanumeric Shellcode
Shellcode restricted to printable ASCII characters — bypasses filters
that only allow text input
- Egg Hunters
Small shellcode that searches process memory for a unique tag (egg)
preceding the real payload — useful when injection space is limited
- Staged vs Stageless Payloads
Stageless: entire payload in one blob
Staged: small stager downloads and executes the real payload from a C2
- Stack Pivoting
Redirect the stack pointer (RSP/ESP) to attacker-controlled memory
to enable ROP chain execution
- ROP Chains (Return-Oriented Programming)
Chain together existing code "gadgets" (ending in RET) to execute
arbitrary logic without injecting new code — bypasses DEP/NX
================================================================
SECTION B — EXPLOITATION
================================================================
----------------------------------------------------------------
B1. EXPLOIT DEVELOPMENT
----------------------------------------------------------------
- Buffer Overflow (Stack)
Overwrite return address on the stack to redirect execution
- Buffer Overflow (Heap)
Corrupt heap metadata or adjacent allocations to gain control
- Use-After-Free (UAF)
Access memory after it has been freed; if reallocated with attacker
data, leads to type confusion or code execution
- Heap Corruption
Corrupt allocator metadata (free lists, chunk headers) to redirect writes
- Format String Vulnerabilities
Uncontrolled format strings (%n, %x) allow arbitrary read/write
- Integer Overflows / Underflows
Arithmetic wrapping leads to incorrect size calculations and
exploitable allocations
- Race Conditions (TOCTOU)
Time-of-check vs time-of-use: win a race between check and use
to substitute a different resource
- DEP / NX Bypass
Data Execution Prevention marks memory non-executable;
bypassed via ROP, ret2libc, or JIT spraying
- ASLR Bypass
Address Space Layout Randomization randomizes base addresses;
bypassed via info leaks, partial overwrites, heap spraying, or brute force
- ROP / JOP / COP
Return/Jump/Call Oriented Programming — code reuse attack variants
- Heap Feng Shui
Carefully shape heap layout to place attacker data adjacent to
target structures before triggering a vulnerability
- SEH Exploitation (Windows)
Overwrite Structured Exception Handler chain to redirect execution
on exception
- Browser Exploitation Concepts
JIT compiler abuse, sandbox escapes, type confusion in JS engines,
renderer vs browser process privilege separation
- Kernel Exploitation Basics
NULL pointer dereference, pool overflows, race conditions in drivers,
token stealing shellcode to escalate to SYSTEM
================================================================
SECTION C — MALWARE INTERNALS
================================================================
----------------------------------------------------------------
C1. PROCESS & MEMORY INTERNALS
----------------------------------------------------------------
- Process Hollowing
Spawn a legit process suspended, hollow out its memory, replace with payload
- Process Doppelganging
Use NTFS transactions to load a modified executable without touching disk
- Process Herpaderping
Map an executable image, modify it on disk after mapping but before
section validation — confuses scanners that scan from disk
- Process Ghosting
Create a file, mark it for deletion, map it as an image, then run it —
appears to run from an already-deleted file
- PEB Walking
Manually find loaded modules via the Process Environment Block (no API calls)
- VAD Manipulation
Tamper with Virtual Address Descriptors to hide memory regions
- Page Table Manipulation
Directly manipulate page tables at a lower level than VAD tricks
- Heap Spraying
Fill heap with shellcode to increase odds of hitting it on overflow
- Pool Spraying
Kernel-mode equivalent of heap spraying; targets kernel pool allocations
- EXE Packing (Custom Packer)
Compress/encrypt an executable; stub decompresses and runs it at runtime
- DLL Memory Loading (Reflective DLL Injection)
Load a DLL from a byte buffer in memory instead of from disk
- Thread Hijacking
Suspend an existing thread, redirect its instruction pointer, resume it
- Memory Patching
Overwrite bytes in a running process to change its behavior
----------------------------------------------------------------
C2. HOOKING TECHNIQUES
----------------------------------------------------------------
- Inline Hooking
Patch the first 5 bytes of a function with a JMP to your handler
- Trampoline Hooks
Inline hook that also preserves and calls the original function
- Detours-style Hook
Microsoft Detours approach — robust inline hook with trampoline
- IAT Hooking
Replace function pointers in the Import Address Table
- VTable Hooking
Overwrite C++ virtual function table pointers
- GOT/PLT Hooking (Linux)
Overwrite Global Offset Table entries to redirect function calls
- SSDT Hooking
Hook the kernel's System Service Descriptor Table (kernel mode)
- Kernel Callback Hooking
Tamper with PsSetCreateProcessNotifyRoutine and similar callbacks
to blind EDR/AV kernel drivers
- IRP Hooking
Hook I/O Request Packets in kernel drivers
- SYSENTER / SYSCALL Hooking
Modify MSRs to intercept the syscall entry point
----------------------------------------------------------------
C3. CODE INJECTION TECHNIQUES
----------------------------------------------------------------
- Classic DLL Injection
WriteProcessMemory + CreateRemoteThread -> LoadLibrary
- APC Injection
Queue an Async Procedure Call to a thread's APC queue
- Early Bird Injection
Inject via APC before the process fully initializes
- SetThreadContext Injection
Redirect a suspended thread's context registers to shellcode
- Fiber Injection
Hijack user-mode fibers to execute code inside a target process
- Transacted Hollowing
Variant of Doppelganging using TxF (Transactional NTFS)
- Heaven's Gate
Switch from 32-bit to 64-bit mode mid-execution to bypass hooks
- Atom Bombing
Use Windows global atom tables as a data smuggling channel
- ptrace Injection (Linux)
Use ptrace() syscall to read/write memory and registers of a process
- LD_PRELOAD Hijacking (Linux)
Force a process to load your shared library before all others
----------------------------------------------------------------
C4. EVASION & ANTI-ANALYSIS
----------------------------------------------------------------
- API Unhooking
Restore ntdll from a clean copy to remove AV/EDR hooks
- Direct Syscalls
Invoke syscalls by number, bypassing hooked user-mode API stubs
- Indirect Syscalls
JMP into ntdll's own syscall instruction so the syscall executes from a legitimate
module rather than from unbacked memory
- Syscall Stomping
Overwrite an unused syscall stub with your own to blend in
- Unhooking via KnownDlls Cache
Load clean ntdll from the KnownDlls section object
- ETW Patching
Patch ETW to blind event logging and telemetry
- Call Stack Spoofing / Return Address Spoofing
Fake the call stack to hide the real caller from EDR stack walking
- Sleep Obfuscation
Encrypt shellcode in memory while sleeping to evade memory scanning
- Stack Encryption
Encrypt the stack during sleep/wait periods
- Gargoyle Memory Hiding
Mark shellcode as non-executable while not running; flip back on timer
- Timing Attacks / Sleep Skipping Detection
Detect sandbox time acceleration; behave benignly when detected
- PPID Spoofing
Fake the parent process ID of a spawned process
- Misleading Disassembly
Insert junk bytes or overlapping instructions to fool disassemblers
- Hardware Breakpoint Detection
Scan Dr0-Dr7 registers to detect hardware breakpoints
- AMSI Bypass
Patch or tamper with the Antimalware Scan Interface to blind
script-based detection
================================================================
SECTION D — PRIVILEGE & CREDENTIALS
================================================================
----------------------------------------------------------------
D1. CREDENTIAL & PRIVILEGE TECHNIQUES
----------------------------------------------------------------
- Token Impersonation
Steal/duplicate another process's access token
- Pass-the-Hash
Authenticate using an NTLM hash without the plaintext password
- LSASS Dumping
Extract credential material from LSASS process memory
- DPAPI Abuse
Decrypt Chrome cookies, WiFi passwords, Windows credentials via
CryptProtectData / CryptUnprotectData
- Kerberoasting
Request TGS tickets for SPNs and crack service account passwords offline
- Golden Ticket
Forge a Kerberos TGT using the KRBTGT hash — full domain access
- Silver Ticket
Forge a TGS for a specific service without touching the DC
- Shadow Credentials
Add key credentials to an AD object as a stealthy backdoor
- Skeleton Key
Patch LSASS to accept a universal master password
- UAC Bypass
Escalate to high-integrity without a UAC prompt
- ACL Abuse
Exploit weak permissions on registry keys, services, or files
================================================================
SECTION E — ACTIVE DIRECTORY TRADECRAFT
================================================================
----------------------------------------------------------------
E1. AD ATTACKS & ABUSE
----------------------------------------------------------------
- DCSync
Impersonate a DC to request password hashes via MS-DRSR replication protocol
- DCShadow
Register a rogue DC temporarily to push malicious AD changes
- BloodHound Graph Abuse
Use BloodHound-collected AD relationship data to find attack paths
to Domain Admin
- Constrained Delegation Abuse
Abuse services allowed to delegate to specific targets to impersonate users
- Resource-Based Constrained Delegation (RBCD)
Write msDS-AllowedToActOnBehalfOfOtherIdentity to gain impersonation rights
- NTLM Relay
Capture and relay NTLM authentication to authenticate to other services
- PetitPotam
Coerce a DC to authenticate to an attacker via MS-EFSRPC — feeds NTLM relay
- PrinterBug (SpoolSample)
Abuse the Print Spooler to coerce DC authentication
- Zerologon (CVE-2020-1472)
Cryptographic flaw in Netlogon — set DC machine account password to empty
- AdminSDHolder Abuse
Modify AdminSDHolder ACL to propagate permissions to protected groups
- SID History Abuse
Add high-priv SID to a user's SID history as a stealthy backdoor
- Kerberos Delegation (Unconstrained)
Machines with unconstrained delegation store TGTs — coerce DC auth to steal it
================================================================
SECTION F — DEFENSIVE INTERNALS & EDR CONCEPTS
================================================================
----------------------------------------------------------------
F1. EDR / DETECTION ENGINEERING INTERNALS
----------------------------------------------------------------
- AMSI (Antimalware Scan Interface)
Windows API that allows AV/EDR to inspect script content
(PowerShell, VBScript, JScript) before execution
- ETW (Event Tracing for Windows) Providers & Consumers
Kernel and user-mode components emit structured events;
EDRs subscribe to security-relevant providers for telemetry
- ETWTI (ETW Threat Intelligence)
ETW provider specifically for kernel-level process/thread telemetry
used by modern EDRs; harder to blind than user-mode hooks
- Sysmon Internals
Sysinternals tool using kernel callbacks and ETW to log process
creation, network, registry, file, and driver events
- Userland vs Kernel Telemetry
Userland (IAT/inline hooks on ntdll) vs kernel (callbacks, ETW, minifilters)
— kernel telemetry is far harder to evade
- Minifilter Drivers
Kernel drivers that attach to the filter manager to intercept file I/O;
used by AV/EDR to scan files on access
- Kernel Callbacks
PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine,
CmRegisterCallback — EDRs use these for visibility; malware tries to remove them
- CFG (Control Flow Guard)
Compiler+OS mitigation: validates indirect call targets against a bitmap
of valid function entry points
- CET / Hardware Shadow Stack
Intel CET pushes return addresses to a separate shadow stack protected
by hardware; defeats ROP chains that corrupt the normal stack
- PatchGuard (KPP)
Kernel Patch Protection: periodically checks integrity of SSDT, IDT,
GDT, and other kernel structures; BSODs on tampering
- HVCI / VBS (Hypervisor-Protected Code Integrity / Virtualization Based Security)
Uses a hypervisor to isolate the kernel credential store and enforce
code integrity — makes unsigned kernel code execution nearly impossible
- Protected Process Light (PPL)
Restricts which processes can open handles to sensitive processes
(like LSASS) with certain access rights
- LSASS Protection
RunAsPPL registry key makes LSASS a protected process;
requires a signed driver to dump it
================================================================
SECTION G — REVERSE ENGINEERING
================================================================
----------------------------------------------------------------
G1. REVERSE ENGINEERING SKILLS
----------------------------------------------------------------
- Static Analysis
Reading disassembly without running it (IDA Pro, Ghidra, Binary Ninja)
- Dynamic Analysis
Running under a debugger (x64dbg, WinDbg)
- Anti-Debug Tricks
IsDebuggerPresent, NtQueryInformationProcess, timing checks, TLS callbacks
- Hardware Breakpoint Detection
Detect debuggers via debug register inspection (Dr0-Dr7)
- Unpacking
Extracting real payload from a packed/compressed executable
- Deobfuscation
Recovering readable code from obfuscated or encrypted samples
- Binary Patching
Modifying compiled binaries to change behavior
- Binary Diffing
Comparing two binary versions to find changes (Diaphora, BinDiff)
— essential for patch analysis and 1-day research
- Emulation / Unicorn Engine
Run shellcode in an emulated CPU without a full OS environment
- Taint Tracking / Symbolic Execution
Track attacker-controlled data flow through a binary (Angr, Triton)
- Debugger Scripting
Automate analysis with IDAPython, x64dbg's Python API, WinDbg JavaScript
================================================================
SECTION H — LINUX & CROSS-PLATFORM
================================================================
----------------------------------------------------------------
H1. LINUX TECHNIQUES
----------------------------------------------------------------
- ptrace Injection
Linux syscall for process inspection/control; abuse for code injection
- LD_PRELOAD Hijacking
Force a process to load your shared library before system libraries;
override functions like read(), write(), getuid()
- GOT / PLT Hooking
Overwrite Global Offset Table to redirect function calls in ELF binaries
- ELF Internals
ELF header, program headers, section headers, dynamic segment,
symbol tables — Linux equivalent of PE format knowledge
- /proc Manipulation
/proc/[pid]/mem for reading/writing process memory;
/proc/[pid]/maps for layout; used in Linux injection techniques
- eBPF Rootkits
Extended Berkeley Packet Filter programs run in kernel context;
can hook syscalls and hide processes/network connections
- Linux Capabilities Abuse
Fine-grained privilege system (CAP_SYS_ADMIN, CAP_NET_RAW, etc.)
— misconfigurations lead to container escapes and privilege escalation
- cron / systemd Persistence
Classic persistence via crontab entries or malicious systemd units
================================================================
SECTION I — PERSISTENCE MECHANISMS
================================================================
- Registry Run Keys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Scheduled Tasks
Via COM or XML; survive reboots
- COM Hijacking
Replace a legitimate COM object with your own DLL
- DLL Proxying / DLL Side-Loading
Malicious DLL named to match what a legit app expects; forward real exports
- WMI Subscriptions
Trigger payloads on system events
- Boot/Login Scripts via GPO
Scripts in SYSVOL executed at boot/login
- SID History Abuse
Add high-priv SID to user's history as a stealthy backdoor
- SIH Abuse
Abuse Windows maintenance scheduled tasks
- Boot/Pre-OS (Bootkit)
MBR/VBR level persistence
================================================================
SECTION J — FIRMWARE & HARDWARE
================================================================
- UEFI Bootkit
Persist in SPI flash firmware (LoJax, CosmicStrand) — survives reinstalls
- SMM (System Management Mode) Rootkit
Executes in SMRAM, invisible to OS; triggered by SMIs
- PCIe DMA Attacks
Read/write host memory via PCIe/Thunderbolt without CPU (PCILeech)
- ACPI Table Tampering
Embed malicious code in custom ACPI methods
================================================================
SECTION K — HYPERVISOR & VM CONCEPTS
================================================================
- VM Exits
Conditions that cause a guest VM to trap back to the hypervisor (VMM);
hypervisors monitor sensitive instructions via VM exits
- EPT Hooking (Extended Page Tables)
Hook guest physical memory mappings at the hypervisor level —
invisible to the guest OS; used in stealth monitors and rootkits
- Blue Pill Rootkit Concept
Transparently insert a hypervisor under a running OS; OS is unaware
it's now a VM guest
- Hypervisor Introspection (VMI)
Inspect guest VM memory and state from the hypervisor without
touching the guest — powerful for transparent monitoring
- Intel VT-x Internals
VMX root/non-root operation, VMCS fields, VMLAUNCH/VMRESUME,
EPT, VPID — foundational for building a hypervisor
- CPUID Fingerprinting
Detect virtualization via CPUID hypervisor bit and vendor strings
- Timing-Based VM Detection
RDTSC delta differences between bare metal and VM environments
- SGX Enclaves
Intel Software Guard Extensions — isolated encrypted memory regions
even the OS/hypervisor can't read; used for secrets and anti-analysis
- TPM Abuse Concepts
Trusted Platform Module sealing/unsealing secrets tied to platform state;
research into PCR manipulation and TPM-based malware resilience
================================================================
SECTION L — NETWORK, C2 & TRAFFIC EVASION
================================================================
- C2 Protocol Mimicry
Disguise traffic as: HTTPS, DNS, MS Graph API, Telegram, Slack, OneDrive
- JA3 / JA3S Fingerprinting
Fingerprint TLS clients/servers from handshake parameters;
EDRs/NDRs use this to identify C2 tools
- JARM Fingerprint Spoofing
Manipulate active TLS fingerprint to avoid C2 server identification
- HTTP/2 C2
Use HTTP/2 multiplexing to blend C2 traffic into normal web traffic
- QUIC-Based Transport
UDP-based protocol; harder to inspect than TCP/TLS streams
- Domain Fronting
Route C2 through a CDN; largely mitigated, replaced by CDN impersonation
- Dead Drop Resolvers
Store C2 address in a public service (Twitter, Pastebin, GitHub)
so the real C2 IP never appears in the binary
- DGA (Domain Generation Algorithms)
Algorithmically generate hundreds of domain names; only the attacker
knows which one is registered today
- Fast Flux DNS
Rapidly rotate IPs behind a C2 domain to evade IP blocklists
- Peer-to-Peer Botnets
Decentralized C2 with no single point of failure; nodes relay commands
- Traffic Shaping
Throttle and time C2 beacons to mimic normal user browser traffic
- Covert Channels
Hide data in protocol fields not meant for data (DNS TXT, ICMP payload,
HTTP headers, image steganography)
- C2 Over WebSocket / gRPC
Modern protocol channels that blend naturally into enterprise traffic
- Living Off the Land (LOLBins)
Use built-in Windows binaries to avoid dropping files:
mshta, regsvr32, cscript, wmic, certutil, rundll32, msiexec, bitsadmin
================================================================
SECTION M — ADVANCED RESEARCH TOPICS
================================================================
- DKOM (Direct Kernel Object Manipulation)
Directly modify kernel structures (e.g., unlink a process from
ActiveProcessLinks to hide it from task managers)
- Object Callbacks
ObRegisterCallbacks — kernel mechanism for object open/duplicate
notification; abused by anti-cheat and rootkits alike
- Heaven's Gate Variants
Beyond the 32->64 mode switch: variants for syscall table switching
and WOW64 layer abuse
- Gargoyle Memory Hiding
Execute shellcode, then mark it non-executable and hide it in heap;
re-arm via timer to re-execute later
- Sleep Obfuscation Techniques
Encrypt implant in memory during sleep: Ekko, Foliage, Cronos variants
- Stack Encryption
XOR or AES the stack during wait periods to evade memory scanning
- Return Address Spoofing
Overwrite return addresses on the stack to fake call origin
- Intel VT-x Internals
VMCS, EPT, VM exits — foundation for building custom hypervisors
- Kernel Patch Protection (PatchGuard) Internals
How PatchGuard works: encrypted timer callbacks, integrity checks,
randomized scheduling — and why bypassing it is extremely difficult
- ETWTI (ETW Threat Intelligence Provider)
Kernel ETW provider emitting thread/process events used by modern EDRs;
patching it requires kernel access and triggers PatchGuard
================================================================
SECTION N — LEARNING RESOURCES
================================================================
Courses:
- OSCP (Offensive Security Certified Professional)
- OSED (Offensive Security Exploit Developer)
- CRTO (Certified Red Team Operator)
- CRTE (Certified Red Team Expert — AD focused)
- Sektor7 Malware Development (intro + intermediate + rootkits)
- SANS FOR610 (Reverse Engineering Malware)
- SANS SEC760 (Advanced Exploit Development)
- TCM Security Malware Analysis Courses
Books:
- The Shellcoder's Handbook
- Practical Malware Analysis (Sikorski & Honig)
- Windows Internals Parts 1 & 2 (Russinovich et al.)
- The Art of Memory Forensics
- Rootkits: Subverting the Windows Kernel
- Hacking: The Art of Exploitation (Erickson)
- The Web Application Hacker's Handbook
Disassemblers / Decompilers:
- IDA Pro (industry standard)
- Ghidra (free, NSA open-source)
- Binary Ninja (scriptable, modern UI)
- Cutter / Rizin (free open-source)
Debuggers:
- x64dbg (Windows user-mode)
- WinDbg / WinDbg Preview (kernel + user-mode)
- GDB + pwndbg/peda (Linux)
Dynamic Instrumentation:
- Frida (scriptable, cross-platform)
- DynamoRIO (binary translation framework)
- Intel PIN (x86 instrumentation)
System Inspection:
- Process Hacker / System Informer
- Process Monitor (ProcMon)
- API Monitor
Network Analysis:
- Wireshark
- Zeek / Bro
- Fakenet-NG (dynamic network analysis for malware)
Emulation / Symbolic Execution:
- Unicorn Engine (CPU emulation)
- Angr (symbolic execution)
- Triton (dynamic taint + symbolic)
Hardware / DMA:
- PCILeech / MemProcFS
Practice Environments:
- TryHackMe
- HackTheBox
- VulnHub
- Any.run (online sandbox)
- MalwareBazaar (real samples)
- Flare-VM (Windows RE environment)
- REMnux (Linux RE environment)
- pwn.college (exploit development)
================================================================
NOTE: These concepts are for educational purposes —
malware analysis, red teaming, CTFs, and security research.
Always operate within legal boundaries and in authorized
environments (your own lab, CTFs, bug bounty programs).
================================================================
Wednesday, June 3, 2026
OFFENSIVE SECURITY / MALWARE ANALYSIS / REVERSE ENGINEERING Concept Reference List — Complete Edition