TrainSec Academy - Where pros train pros

501 posts


@TrainSec

Learn Windows Internals, Malware Analysis, Malware Development, Hardware Hacking & Code Development from @UrielKosayev, @zodiacon & @The_H1tchH1ker

Joined August 2023
84 Following, 935 Followers
TrainSec Academy - Where pros train pros retweeted
Uriel Kosayev @UrielKosayev
You can know how something works and still not understand it. I have seen analysts explain every function in a sample and still miss what actually matters. Because knowing is technical. Understanding is contextual. Malware analysis sits right in that gap. MAoS is not about knowing more. It is about understanding better. 📖 amazon.com/dp/B0FQDGZGZW If you feel that gap in your work, this is exactly where the book focuses. #MalwareAnalysis #ReverseEngineering #MAoS #CyberSecurity
TrainSec Academy - Where pros train pros retweeted
Uriel Kosayev @UrielKosayev
Some of the most effective malware I have seen was not sophisticated. No complex obfuscation. No advanced techniques. Nothing that would impress in a demo. What made it effective was how it was used. Malware does not operate in isolation. It operates inside decisions, timing, and context. If you only analyze code, you miss the operation. That is a big part of what MAoS tries to show. 📖 amazon.com/dp/B0FQDGZGZW If you have ever underestimated a simple sample, this will resonate. #MalwareAnalysis #ThreatResearch #MAoS #CyberSecurity
TrainSec Academy - Where pros train pros
If you want a clean Win32 exercise that’s practical and still relevant on modern Windows, this is a great one from @zodiacon. Control Panel is still supported, which means you can still build your own .cpl applets. This post shows the DLL approach in C++: implement CPlApplet, add resources (name/description/icon), install/register the applet, and debug it using the right host process. Read: trainsec.net/library/window…
TrainSec Academy - Where pros train pros retweeted
Uriel Kosayev @UrielKosayev
MAoS was not written in isolation. It was written between real investigations, real deadlines, and real operational pressure. That influenced the tone of the book. I was not trying to create something flashy. I wanted to document a way of thinking that actually holds under pressure 🔥 If you work with malware in real environments, not just controlled labs, you will probably feel that difference. 📖 amazon.com/dp/B0FQDGZGZW If you are serious about sharpening how you think about malware, start here. #MalwareAnalysis #ThreatResearch #DFIR #MAoS #CyberSecurity
TrainSec Academy - Where pros train pros
Many developers and researchers view WinDbg as the tool of last resort. Something crashes, nothing else helps, and eventually someone opens WinDbg and starts digging. But that mindset misses the real power of the tool. WinDbg is not just a debugger used in emergencies. It is one of the most powerful research tools available for understanding how Windows actually works. Microsoft engineers use it to debug the operating system itself. With the right setup and workflow, it becomes a microscope for exploring Windows internals. On April 7th, 2026, @zodiacon will be running a LIVE 4-hour masterclass where he will use WinDbg specifically as a research platform for exploring Windows components. trainsec.net/windows-resear…
TrainSec Academy - Where pros train pros retweeted
sam @SamuelBeek
Nobody: Absolutely nobody: Hardware people: let's get doom running on a pregnancy test
TrainSec Academy - Where pros train pros retweeted
Uriel Kosayev @UrielKosayev
I have written about bypass techniques before. They are interesting. They are clever. They are fun to analyze. But they age quickly. What stays relevant much longer is understanding patterns, constraints, and tradeoffs in how malware is written and operated. Techniques expire. Thinking compounds. That is why MAoS does not focus on trendy bypass tricks. It focuses on analytical maturity. 📖 amazon.com/dp/B0FQDGZGZW If you care about durable knowledge rather than temporary tricks, this book was built for that. #MalwareAnalysis #OffensiveSecurity #ThreatResearch #MAoS #CyberSecurity
TrainSec Academy - Where pros train pros retweeted
Uriel Kosayev @UrielKosayev
When an attack bypasses an EDR, it is easy to blame the tool. But in most cases I have seen, the issue was not technical. It was assumptions. Assumptions about how attackers behave. Assumptions about what is normal. Assumptions about what should trigger. Attackers do not just write code. They study defensive habits. That tension between offense and defense changes how you analyze malware ⚔️ That perspective influenced large parts of MAoS. 📖 amazon.com/dp/B0FQDGZGZW If you work in detection or incident response, this is a framework worth exploring. #DetectionEngineering #EDR #MalwareAnalysis #MAoS #CyberSecurity
TrainSec Academy - Where pros train pros retweeted
Uriel Kosayev @UrielKosayev
The 17th edition of Warsaw IT Days is taking place online on March 19th and at the PGE National Stadium in Warsaw on March 20th, and I have the pleasure of participating as a speaker. In addition to my presentation, you can also enjoy over 300 lectures across 25 different thematic tracks. Join and hear about the latest trends and solutions in IT and data science, take advantage of the opportunity to deepen your technical knowledge, and exchange experiences with a community of over 10,000 industry specialists and managers. More information and registration at: warszawskiedniinformatyki.pl/en/
TrainSec Academy - Where pros train pros retweeted
Uriel Kosayev @UrielKosayev
Why EDR Failures Are Rarely Technical When an attack bypasses an EDR, it is easy to blame the tool. But in most cases I have seen, the issue was not technical. It was assumptions. Assumptions about how attackers behave. Assumptions about what is normal. Assumptions about what should trigger. Attackers do not just write code. They study defensive habits. That tension between offense and defense changes how you analyze malware ⚔️ That perspective influenced large parts of MAoS. 📖 amazon.com/dp/B0FQDGZGZW If you work in detection or incident response, this is a framework worth exploring. #DetectionEngineering #EDR #MalwareAnalysis #MAoS #CyberSecurity
TrainSec Academy - Where pros train pros retweeted
Kevin Gosse @KooKiz
A lot of performance issues come from incorrect assumptions. ReSharper has a GetModuleReference method which iterates over the references of a project to find a specific module. The underlying storage is a list. It seems reasonable at first: how many references can there be in a typical project? 10? 20? Well, it turns out that a simple aspnetcore project, created with 'dotnet new webapi', has 309 references before even adding any external library! Because of this oversight, GetModuleReference was responsible for up to 4% of total CPU usage during Visual Studio startup in some of our performance tests. Replacing the storage with a map brought it down to 0.5%.
TrainSec Academy - Where pros train pros retweeted
Josh Stroschein | The Cyber Yeti
🎙️ In the latest episode of Behind the Binary, Kevin Harris drops a hot take on the AI hype: 🔥 "There is no AI. We have not invented AI yet... it’s not demonstrating intelligence, it's reflecting your own back at you." One of the problems this brings up is how the models are optimized - for plausibility and not truth. In this episode: ❌ Why replacing Tier 1 support with AI is a mistake. 📈 The "Sigmoid Curve" of AI growth. 🔓 Fundamental security flaws in the Model Context Protocol (MCP). Listen to the full episode on Apple Podcasts 👇 podcasts.apple.com/us/podcast/ep2…