Update 2026-3-29-Creative approaches to coding a FUD Stagers.md

g3tsyst3m · web-flow · commit 18181890b3d4 · 2026-03-29T22:55:24.000-04:00
diff --git a/_posts/2026-3-29-Creative approaches to coding a FUD Stagers.md b/_posts/2026-3-29-Creative approaches to coding a FUD Stagers.md
@@ -73,7 +73,7 @@ def dwnlod_scode(url):
         return None
 ```
 
-In the code above is pretty straightforward.  My shellcode is located in a file that resides on my Github repo and I've reversed the URL string to thwart static analysis efforts. :hurtrealbad: I've also renamed the file extension to something random, in this case `.dyno` as that is not a typical windows file extension and it will not receive as much scrutiny as say a `.bin` file extension.  Finally, we return the bytes of the shellcode we just downloaded in the shel_ly variable. 
+In the code above is pretty straightforward.  My shellcode is located in a file that resides on my Github repo and I've reversed the URL string to thwart static analysis efforts.  I've also renamed the file extension to something random, in this case `.dyno` as that is not a typical windows file extension and it will not receive as much scrutiny as say a `.bin` file extension.  Finally, we return the bytes of the shellcode we just downloaded in the shel_ly variable. 
 
 Part 3 - Eggsecuting Shellcode in Memory 🥚
 -
@@ -488,7 +488,7 @@ for entry in pe.DIRECTORY_ENTRY_IMPORT:
 Part 4 - Cast and Execute!
 -
 
-Lastly, this code snippet filters to kernel32.dll imports only.  We then match against b"VirtualAlloc", without that string ever appearing plaintext :hurtrealbad:
+Lastly, this code snippet filters to kernel32.dll imports only.  We then match against b"VirtualAlloc", without that string ever appearing in plaintext.
 
 `imp.address` is the on-disk VA of the IAT slot.  Subtracting `pe.OPTIONAL_HEADER.ImageBase` converts it to an RVA.  Adding base converts the RVA to the actual runtime address of the slot.
 

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ def dwnlod_scode(url):`
`73`	`73`	`return None`
`74`	`74`	```
`75`	`75`
`76`		-In the code above is pretty straightforward. My shellcode is located in a file that resides on my Github repo and I've reversed the URL string to thwart static analysis efforts. :hurtrealbad: I've also renamed the file extension to something random, in this case `.dyno` as that is not a typical windows file extension and it will not receive as much scrutiny as say a `.bin` file extension. Finally, we return the bytes of the shellcode we just downloaded in the shel_ly variable.
	`76`	+In the code above is pretty straightforward. My shellcode is located in a file that resides on my Github repo and I've reversed the URL string to thwart static analysis efforts. I've also renamed the file extension to something random, in this case `.dyno` as that is not a typical windows file extension and it will not receive as much scrutiny as say a `.bin` file extension. Finally, we return the bytes of the shellcode we just downloaded in the shel_ly variable.
`77`	`77`
`78`	`78`	`Part 3 - Eggsecuting Shellcode in Memory 🥚`
`79`	`79`	`-`
`@@ -488,7 +488,7 @@ for entry in pe.DIRECTORY_ENTRY_IMPORT:`
`488`	`488`	`Part 4 - Cast and Execute!`
`489`	`489`	`-`
`490`	`490`
`491`		`-Lastly, this code snippet filters to kernel32.dll imports only. We then match against b"VirtualAlloc", without that string ever appearing plaintext :hurtrealbad:`
	`491`	`+Lastly, this code snippet filters to kernel32.dll imports only. We then match against b"VirtualAlloc", without that string ever appearing in plaintext.`
`492`	`492`
`493`	`493`	`imp.address` is the on-disk VA of the IAT slot. Subtracting `pe.OPTIONAL_HEADER.ImageBase` converts it to an RVA. Adding base converts the RVA to the actual runtime address of the slot.
`494`	`494`