A year in review: 2019-2020

This article was published on the 16th of June 2020.

The Binary Analysis Course has now existed for two years, and I’ve not seen any reason to stop. On the contrary, I have many more ideas to further explore, which will result in additional articles. In this article, the progress of the course, the highlights of the past year, and the future direction of the course will be discussed.

The course’s progress

In last year’s review, I wrote about my desire to further focus on native binaries with Ghidra. I fiddled around with Ghidra quite a bit, which resulted in several blogs where it was used. The Corona DDoS bot was the biggest article where I used it, and currently is the longest article in the whole course. Additionally, I also wrote about the usage of Ghidra in two CrackMe challenges. The first challenge came from the PvIB CTF of 2018, the second challenge was made by myself for HackFest 2019. As such, I did dive more into native binaries.

The other question that I raised in last year’s review was based on how to use my time. I could make videos about malware analysis as an addition to, or replacement of, my blogs. Alternatively, I could continue to write blogs. I thought about this for a while, and even though the creation of videos still has my interest, I decided to continue with blogging. It’s a format I prefer, and it is easier to split up into smaller parts. As for the time I have for my blogs: I seem to have managed to continue with roughly the same output as I used to, but without a schedule. What really helps me manage my time well is the way I obtain new samples: the community shared plenty of interesting samples, making the selection less time intensive on my end. I’d like to thank all those that shared samples with me, regardless of whether I wrote about them.

I am also happy with the way the course is currently developing, as it gradually progresses into more difficult samples. The term difficult can be somewhat confusing, since some people have more trouble with specific aspects, but in general, some topics are considered more difficult than others.

Currently, the course has been updated in 32 iterations, 13 of which in the past year. There are now 46 articles in the course, meaning the course has slightly more than doubled in size. Only a single chapter has been added: analysis scripts. The chapter contains two posts, one of which was moved from the malware analysis chapter, and one that was newly added.

The highlights

The highlights have higher peaks in traffic on my site, compared to other articles that I published. Based on last year’s highlights, as well as this year’s, one might think it is obvious to focus only on the interesting areas. However, the course cannot be made out of such articles alone, as there need to be articles that explain the fundamentals as well.

In August, the write-up about the PvIB CTF from 2018 generated quite some traffic. My analysis of the Corona DDoS bot in October generated the most traffic out of any article of the last year. The blog post about my rejected 36C3 talk regarding the structure of an article also generated quite some traffic, although it’s not a technical article. In November, I wrote about the technical analysis of another CrackMe, whereas in March I wrote about searching samples, and about a multi-stage loading process by the Gorgon Group.

Overall, the traffic rose to a steady count of roughly 18 000 visitors a month. The statistics for that are rather rough, as I divide the total monthly traffic by the size of an average page load. The traffic in-between articles has risen, and become more steady as well. Overall, I now reach the same number of people when posting about something, as I did last year when several people shared my content. Needless to say, sharing my content is always welcome, as that is the basis of this blog: to convey knowledge.

Note that it is hard to count traffic on other sites, as I have no figures about visitors there. Some of the posts in this course, like the Corona locker, got featured on BleepingComputer.

The future

The future for this course is bright, as there are many more articles coming up. I am personally interested in unpacking samples, as well as deobfuscating code. As such, I plan to invest some time into the analysis scripts chapter. Additionally, I will focus on samples that consist of multiple stages, as it further digs into the analytical way of thinking that is required during the analysis.

To conclude

The final part of this year in review article is dedicated to everybody who messaged me with tips, tricks, ideas, questions, suggestions, or simply to express gratitude. In particular, I’d like to thank the Malware Research group members, the Incident Response community members, as well as my colleagues at ABN AMRO: Lalit Bhakuni, Armand Piers, Eveline van Hout, and many others.


To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit or DM me on Twitter @LibraAnalysis.