
Glossary

Plain-language definitions of the reverse engineering and binary analysis terms used across the blog.

Virtualization Obfuscation
An advanced obfuscation technique that translates native instructions into a custom bytecode executed by an embedded interpreter (a virtual machine), so a standard disassembler sees only the interpreter's dispatch loop and handlers rather than the original program logic.
Symbolic Execution
A program analysis technique that executes code with symbolic (abstract) values instead of concrete inputs, exploring multiple paths at once and collecting the constraints on each path so a solver can produce concrete inputs that reach a chosen branch.
NOP Sled
A sequence of NOP (no-operation) instructions prepended to shellcode so that imprecise jumps still land in executable payload territory.
Patching
Modifying the bytes of a binary on disk or in memory to change its behavior — for example to bypass a license check or disable anti-debug code.
Entropy
A measure of randomness in binary data, usually Shannon entropy in bits per byte (0 for a constant byte, 8 for uniformly random bytes). High entropy in a section (roughly 7 or above) indicates compressed or encrypted content, a hallmark of packed malware, though legitimate compressed resources and installers produce the same reading.
YARA
A pattern-matching tool and rule language used to identify and classify malware samples based on textual or binary signatures.
Dynamic Analysis
Analyzing a binary by actually running it, observing its behavior in real time using debuggers, sandboxes, and system monitoring tools.
Static Analysis
Examining a binary without executing it — using disassemblers, decompilers, and file-format parsers to understand its structure and logic.
Sandbox
An isolated execution environment that runs a suspicious binary, monitors its behavior, and prevents it from affecting the real system.
Gadget
A short sequence of existing instructions ending in a RET (or similar) used as a building block in Return-Oriented Programming chains.
Return-Oriented Programming (ROP)
An exploitation technique that chains small existing code snippets ending in RET instructions to execute arbitrary logic without injecting new code, which is how exploits work around non-executable memory (DEP/NX).
Shellcode
Self-contained position-independent machine code injected and executed in a target process, typically as an exploit payload.
Obfuscation
Intentional transformation of code or data to make it harder to understand, while preserving the original program's behavior.
Packer
A tool that compresses or encrypts an executable and wraps it with a stub that decompresses/decrypts it at runtime before transferring control to the original code.
Basic Block
A maximal straight-line sequence of instructions with a single entry point and a single exit (branch or return) — the node unit of a CFG.
Control Flow Graph (CFG)
A directed graph representing all possible execution paths through a function, with nodes as basic blocks and edges as branches.
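Added example, not from the original glossary: a leader-based basic-block splitter and CFG builder run over a constructed, already-disassembled listing of a small x86-64 function with one if/else. The instruction list, the set of handled mnemonics and the DOT output are assumptions for illustration; calls are treated as falling through to the next instruction, which is the usual in-function convention, and indirect jumps (e.g. `jmp rax`) are not resolved.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

UNCOND_JUMPS = {"jmp"}
COND_JUMPS = {"je", "jne", "jz", "jnz", "jg", "jge", "jl", "jle", "ja", "jb"}
RETURNS = {"ret", "retn"}


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operand: str = ""

    def target(self) -> Optional[int]:
        """Direct branch target for jumps with a hex immediate operand, else None."""
        if self.mnemonic in UNCOND_JUMPS | COND_JUMPS:
            try:
                return int(self.operand, 16)
            except ValueError:
                return None          # indirect jump (register/memory target): unresolved
        return None


@dataclass
class BasicBlock:
    start: int
    insns: List[Insn] = field(default_factory=list)
    successors: List[int] = field(default_factory=list)

    @property
    def end(self) -> int:
        return self.insns[-1].addr


def build_cfg(insns: List[Insn]) -> Dict[int, BasicBlock]:
    """Split a linear listing into basic blocks and connect them with branch edges."""
    insns = sorted(insns, key=lambda i: i.addr)
    # Step 1: leaders are the first instruction, every direct branch target, and every
    # instruction that follows a jump or return (the single-entry rule).
    leaders = {insns[0].addr}
    for idx, ins in enumerate(insns):
        t = ins.target()
        if t is not None:
            leaders.add(t)
        if ins.mnemonic in UNCOND_JUMPS | COND_JUMPS | RETURNS and idx + 1 < len(insns):
            leaders.add(insns[idx + 1].addr)
    # Step 2: a block runs from one leader up to the instruction before the next leader.
    # Leaders outside the listing (targets in other functions) simply get no block here.
    blocks: Dict[int, BasicBlock] = {}
    cur = None
    for ins in insns:
        if ins.addr in leaders or cur is None:
            cur = BasicBlock(start=ins.addr)
            blocks[ins.addr] = cur
        cur.insns.append(ins)
    # Step 3: edges come from the last instruction of each block (the single-exit rule).
    order = sorted(blocks)
    for i, start in enumerate(order):
        b = blocks[start]
        last = b.insns[-1]
        fallthrough = order[i + 1] if i + 1 < len(order) else None
        if last.mnemonic in RETURNS:
            continue                                   # no successors inside the function
        if last.mnemonic in UNCOND_JUMPS:
            if last.target() is not None:
                b.successors.append(last.target())
        elif last.mnemonic in COND_JUMPS:
            if last.target() is not None:
                b.successors.append(last.target())     # taken edge
            if fallthrough is not None:
                b.successors.append(fallthrough)       # not-taken edge
        elif fallthrough is not None:
            b.successors.append(fallthrough)           # plain fall-through
    return blocks


def to_dot(blocks: Dict[int, BasicBlock]) -> str:
    """Render the CFG as Graphviz DOT, one node per block labelled with its address range."""
    lines = ["digraph cfg {", "  node [shape=box];"]
    for start in sorted(blocks):
        b = blocks[start]
        lines.append(f'  "{start:#x}" [label="{b.start:#x} .. {b.end:#x}"];')
        for s in b.successors:
            lines.append(f'  "{start:#x}" -> "{s:#x}";')
    lines.append("}")
    return "\n".join(lines)


# Constructed listing (assumption for illustration): int f(int x) { return x ? 1 : 0; }
SAMPLE_FUNCTION = [
    Insn(0x1000, "push", "rbp"),
    Insn(0x1001, "mov", "rbp, rsp"),
    Insn(0x1004, "sub", "rsp, 0x20"),
    Insn(0x1008, "cmp", "edi, 0"),
    Insn(0x100b, "je", "0x1014"),
    Insn(0x100d, "mov", "eax, 1"),
    Insn(0x1012, "jmp", "0x1019"),
    Insn(0x1014, "mov", "eax, 0"),
    Insn(0x1019, "add", "rsp, 0x20"),
    Insn(0x101d, "pop", "rbp"),
    Insn(0x101e, "ret"),
]

if __name__ == "__main__":
    print(to_dot(build_cfg(SAMPLE_FUNCTION)))
```

The result is the familiar diamond: the block ending in `je` has two successors, the two arms each flow into the epilogue block, and the block ending in `ret` has none.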
Single-Stepping
Executing one instruction at a time in a debugger to observe the exact effect of each operation on registers and memory.
Breakpoint
An instruction or hardware trigger in a debugger that pauses execution when the program reaches a specific address or condition.
API Hooking
Intercepting calls to API or library functions at runtime to monitor, modify, or redirect their behavior.
System Call
A controlled transition from user space to the OS kernel to request a privileged operation such as reading a file or allocating memory.
Endianness
The byte order in which multi-byte integers are stored in memory: little-endian (LSB first) or big-endian (MSB first).
Stripped Binary
An executable from which the symbol table and debug information have been removed, making reverse engineering harder because functions and variables must be identified and named by hand.
Symbol Table
A section of a binary that maps function and variable names to their addresses, present in debug or non-stripped builds. Stripping removes the static table (.symtab on ELF) but not the dynamic symbols (.dynsym) needed for imports and exports, so some names always survive in dynamically linked binaries.
Relocation
The process of adjusting hardcoded addresses in a binary when it is loaded at a different base address than the one assumed at compile time.
Import Address Table (IAT)
A table inside a PE binary filled by the Windows loader with the runtime addresses of imported DLL functions.
Original Entry Point (OEP)
The entry point of an executable before a packer or protector modified it — the address where the original code starts after unpacking.
Entry Point
The virtual address where the OS loader transfers control to a binary after loading it into memory.
ELF Format
Executable and Linkable Format — the standard binary file format on Linux and most Unix-like systems for executables, shared libraries, and object files.
PE Format
Portable Executable — the binary file format used by Windows executables (.exe, .dll, .sys) that defines headers, sections, and import tables.
Instruction Set Architecture (ISA)
The complete specification of a processor's instructions, registers, and addressing modes that software can rely on.
ABI
Application Binary Interface — the low-level contract covering calling conventions, data layout, and system call mechanics between compiled components.
Calling Convention
The agreed rules for how a function call passes arguments, returns values, and manages the stack and registers.
Heap
The region of memory used for dynamic allocations (malloc/new), managed by the runtime's allocator rather than being pushed and popped automatically with function calls the way stack frames are.
Stack
A LIFO memory region that on most architectures grows downward toward lower addresses, used for return addresses, local variables, and saved registers during function calls.
Register
A small, ultra-fast storage location built directly into the CPU, used to hold operands, addresses, and CPU state during execution.
Operand
The argument(s) to an assembly instruction — the registers, memory addresses, or immediate values it acts upon.
Mnemonic
The short human-readable name for a CPU instruction, such as MOV, PUSH, or CALL, used in assembly language.
Opcode
The numeric byte(s) in machine code that identify which operation the CPU should execute.
Debugger
A tool that lets an analyst pause, inspect, and modify a running process — the cornerstone of dynamic analysis.
Decompiler
A tool that attempts to reconstruct high-level source code (C, pseudocode) from compiled binary machine code.
Disassembler
A tool that converts raw binary machine code back into human-readable assembly language mnemonics.
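Added example that does not come from the original glossary: a table-driven decoder for a small subset of x86-64 opcodes, showing how a disassembler turns opcode bytes into a mnemonic plus operands, how the ModRM byte selects registers, and how rel8/rel32 branch displacements are resolved relative to the next instruction. It handles only register-direct ModRM forms (mod = 11), the REX.W prefix, group-1 immediates and a few short jumps; everything else raises. The sample bytes are constructed for illustration and encode the same small if/else function used elsewhere on this page as an example.

```python
from typing import List, Tuple

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
GROUP1 = {0: "add", 1: "or", 4: "and", 5: "sub", 7: "cmp"}   # /digit of opcode 0x83
COND_JCC = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


class DecodeError(ValueError):
    pass


def decode_one(code: bytes, pos: int, base: int) -> Tuple[int, str, str, int]:
    """Decode the instruction at code[pos]; returns (addr, mnemonic, operands, length)."""
    start = pos
    addr = base + pos
    rex_w = False
    op = code[pos]
    if 0x40 <= op <= 0x4F:                        # REX prefix; only REX.W (0x48) supported
        if op != 0x48:
            raise DecodeError(f"unsupported REX prefix {op:#x} at {addr:#x}")
        rex_w = True
        pos += 1
        op = code[pos]
    regs = REG64 if rex_w else REG32
    pos += 1

    def modrm() -> Tuple[int, int]:
        """Read a ModRM byte: mod (2 bits), reg (3 bits), rm (3 bits)."""
        nonlocal pos
        b = code[pos]
        pos += 1
        mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
        if mod != 3:
            raise DecodeError(f"memory operands not supported at {addr:#x}")
        return reg, rm

    if op == 0x90:
        mn, ops = "nop", ""
    elif op == 0xC3:
        mn, ops = "ret", ""
    elif op == 0xCC:
        mn, ops = "int3", ""
    elif 0x50 <= op <= 0x57:                      # push r64 (64-bit operand size by default)
        mn, ops = "push", REG64[op - 0x50]
    elif 0x58 <= op <= 0x5F:
        mn, ops = "pop", REG64[op - 0x58]
    elif op == 0x89:                              # mov r/m, r : destination is the rm field
        reg, rm = modrm()
        mn, ops = "mov", f"{regs[rm]}, {regs[reg]}"
    elif op == 0x8B:                              # mov r, r/m : destination is the reg field
        reg, rm = modrm()
        mn, ops = "mov", f"{regs[reg]}, {regs[rm]}"
    elif op == 0x31:                              # xor r/m, r
        reg, rm = modrm()
        mn, ops = "xor", f"{regs[rm]}, {regs[reg]}"
    elif op == 0x83:                              # group 1: op r/m, imm8 (sign-extended)
        reg, rm = modrm()
        if reg not in GROUP1:
            raise DecodeError(f"unsupported group-1 /{reg} at {addr:#x}")
        imm = int.from_bytes(code[pos:pos + 1], "little", signed=True)
        pos += 1
        mn, ops = GROUP1[reg], f"{regs[rm]}, {imm:#x}"
    elif 0xB8 <= op <= 0xBF:                      # mov r32, imm32 (with REX.W: movabs r64, imm64)
        size = 8 if rex_w else 4
        imm = int.from_bytes(code[pos:pos + size], "little")
        pos += size
        mn, ops = ("movabs" if rex_w else "mov"), f"{regs[op - 0xB8]}, {imm:#x}"
    elif op == 0xEB or op in COND_JCC:            # short jump: rel8 relative to the next instruction
        rel = int.from_bytes(code[pos:pos + 1], "little", signed=True)
        pos += 1
        mn, ops = ("jmp" if op == 0xEB else COND_JCC[op]), f"{base + pos + rel:#x}"
    elif op == 0xE8:                              # call rel32
        rel = int.from_bytes(code[pos:pos + 4], "little", signed=True)
        pos += 4
        mn, ops = "call", f"{base + pos + rel:#x}"
    else:
        raise DecodeError(f"unknown opcode {op:#x} at {addr:#x}")
    return addr, mn, ops, pos - start


def disassemble(code: bytes, base: int = 0x1000) -> List[Tuple[int, str, str]]:
    """Linear-sweep disassembly: decode instructions back to back from the start of code."""
    out, pos = [], 0
    while pos < len(code):
        addr, mn, ops, length = decode_one(code, pos, base)
        out.append((addr, mn, ops))
        pos += length
    return out


# Constructed sample bytes (assumption for illustration): int f(int x) { return x ? 1 : 0; }
SAMPLE_CODE = bytes.fromhex(
    "55"            # push rbp
    "4889e5"        # mov rbp, rsp
    "4883ec20"      # sub rsp, 0x20
    "83ff00"        # cmp edi, 0
    "7407"          # je +7
    "b801000000"    # mov eax, 1
    "eb05"          # jmp +5
    "b800000000"    # mov eax, 0
    "4883c420"      # add rsp, 0x20
    "5d"            # pop rbp
    "c3"            # ret
)

if __name__ == "__main__":
    for addr, mn, ops in disassemble(SAMPLE_CODE):
        print(f"{addr:#06x}  {mn:6s} {ops}")
```

The linear sweep is the simplest strategy and the one that anti-disassembly tricks target: a single junk byte placed after an unconditional jump desynchronises every instruction that follows, which is why production disassemblers also follow control flow (recursive traversal) rather than trusting byte order alone.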