forked from OpenRCE/Malware-Analysis-Training
-
Notifications
You must be signed in to change notification settings - Fork 0
/
TODO.txt
17 lines (11 loc) · 1.19 KB
/
TODO.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
* Restructure the PE format section. I like the order you suggested dealing with it at a high-level first, showing it in Olly/LordPE and then start digging into the details of relevant headers...
* Make a high-level, abstract view of a PE file; headers, directories and sections (with file layout and in-memory layout). Show code/data separation. Talk about virtual and raw addresses. Show that in the context of the overall memory space layout of the application, zooming out
* I also want to do some quick drawings for the packer exercise depicting the slack space, the stub code, etc, just to make it more obvious what we are doing.
* Add section about OEP finding (I have my code laying around, do you have yours?)
-Get scripts
-Add basic slides (in packer reconstruction)
-Commit
* Add mention of IDA's fixes for certain PE parsing problems and anti-disassembly tricks
* pydbg dumping + pefile import reconstruction (I have scripts to do a full dump with pydbg/vtrace and then do a "find-intermodular-calls" with the help of pefile)
-Add small section in packer reconstruction, pose it as an exercise
* prolog finding and image reconstruction (have scripts to clean-up a dump, could have some notes on those)