I published the following diary on isc.sans.edu: “Defenders, Know Your Operating System Like Attackers Do!“:
Not a technical diary today but more a reflection… When I’m teaching FOR610, I always remind students to “RTFM” or “Read the F… Manual”. I mean to not hesitate to have a look at the Microsoft document when they meet an API call for the first time or if they are not sure about the expected parameters.
Many attackers have a very deep knowledge of how targeted operating systems are behaving and what are the controls in place or features that could be (ab)used by malicious code. When you’re analyzing malware samples, it’s very important to quickly spot interesting blocks of code (by learning which interesting OS feature they use). A classic example is the API call VirtualAllocEx() which allocates a region of memory within the virtual address space of a specified process… [Read more]