Weekly Log #1: Malware Loaders, Shellcode, and the path to ROP
May 08, 2026
weekly log
malware analysis
pwn
exploit
This week's focus
This week I was mostly busy analyzing complicated, obfuscated malware and finishing most of the “Toddler’s Bottle” stages at pwnable.kr.
Malware Analysis: Bash Backdoors and .NET Injectors
I published two major writeups this week based on recent research:
- FreePBX Bash Backdoor: Analyzed a highly obfuscated script targeting Linux servers. It was interesting to map out its extremely evasive persistence mechanisms (multiple hidden cron jobs) and how it attempts to add root users and open SSH backdoors.
- Prophile Malware: A much more advanced loader written in IronPython. This was a great exercise in analyzing fileless execution, as it uses RijndaelManaged (AES) to decrypt .NET assemblies and dynamically loads them into memory using Reflection to inject into legitimate Windows services.
Low-Level Exploitation: Shellcode & ROP
- Introduction to ROP: I started researching Return-Oriented Programming (ROP). The core concept is that instead of injecting new code, we hijack the execution flow to chain together small snippets of existing executable code (“gadgets”) that each end in a ret instruction.
- Shellcode Basics: I researched how shellcode works and built a basic shellcode using shellcraft from pwntools.
Goals for Next Week
The main goal for next week is to move from theory to practice with ROP. I plan to dive deep into building actual ROP chains, utilizing tools like pwntools to find gadgets, and successfully exploit a binary with a non-executable stack.
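Added example (my own code, not part of the original log): the reason ROP exists at all is the non-executable stack mentioned above, and on Linux that policy is requested by the binary's PT_GNU_STACK program header. The checker below reads that header from an ELF64 little-endian image; the two ELF images it inspects are constructed in memory, and for a real binary you would pass the file's bytes to stack_policy.

```python
"""Report whether an ELF64 binary asks the loader for an executable stack."""
import struct
from typing import Optional

PT_GNU_STACK = 0x6474E551   # program-header type that carries stack permissions
PF_X = 0x1                  # executable bit in p_flags
ELF64_EHDR_SIZE = 64
ELF64_PHDR_SIZE = 56


def stack_policy(elf: bytes) -> str:
    """Return 'nx', 'executable' or 'missing' for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    # e_phoff is 8 bytes at offset 32; e_phentsize and e_phnum are 2 bytes each at 54/56
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return "executable" if p_flags & PF_X else "nx"
    # GCC/ld emit PT_GNU_STACK by default, so its absence deserves a closer look
    return "missing"


def build_elf(stack_flags: Optional[int]) -> bytes:
    """Constructed header-only ELF64 image (not loadable) with an optional PT_GNU_STACK entry."""
    phnum = 0 if stack_flags is None else 1
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # e_ident: ELF64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH",
                        2, 0x3E, 1,                 # e_type=ET_EXEC, e_machine=x86-64, e_version
                        0, ELF64_EHDR_SIZE, 0,      # e_entry, e_phoff (right after header), e_shoff
                        0, ELF64_EHDR_SIZE,         # e_flags, e_ehsize
                        ELF64_PHDR_SIZE, phnum,     # e_phentsize, e_phnum
                        0, 0, 0)                    # e_shentsize, e_shnum, e_shstrndx
    if stack_flags is None:
        return ehdr
    # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr


if __name__ == "__main__":
    for label, flags in (("RW stack", 0x6), ("RWX stack", 0x7), ("no PT_GNU_STACK", None)):
        print(f"{label:16s} -> {stack_policy(build_elf(flags))}")
```

A binary whose checker result is "nx" is the kind of target the log describes: shellcode on the stack will not run, so control flow has to be redirected into existing code instead.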