Initial commit: Defender overview slides and notes

Markdown breakdowns and HTML slide decks covering the Microsoft
Defender static analysis pipeline from entry point through verdict.

Author: HackingLZ

.gitignore

@@ -0,0 +1,42 @@
+# macOS
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Codex / Claude local state
+.claude/
+.codex/
+
+# Editors / IDEs
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# Python
+__pycache__/
+*.pyc
+.pytest_cache/
+.mypy_cache/
+
+# Node / JS
+node_modules/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Build / coverage artifacts
+dist/
+build/
+coverage/
+*.lcov
+
+# Env / secrets
+.env
+.env.*
+*.pem
+*.key
+
+# OS / misc
+Thumbs.db

README.md

@@ -0,0 +1,55 @@
+# Windows Defender Scan Pipeline — Reverse Engineering Reference
+
+A reverse engineering breakdown of the 13-stage scan pipeline inside **mpengine.dll** (v1.1.24120.x, 14.3 MB, PE32 x86) — the core engine DLL behind Windows Defender / Microsoft Defender Antivirus. Every file, script, and memory buffer scanned on a Windows machine flows through this single monolithic binary.
+
+Each stage is documented with reconstructed data structures, pseudocode, address-level references, RTTI class hierarchies, and string table extractions from the binary itself.
+
+## Disclaimer
+
+This material is provided for educational and research purposes only.
+All findings and technical claims should be independently validated in your own environment before you rely on them.
+
+## Repository Structure
+
+```
+├── master_slide.html          # Slide launcher — links to all 14 decks
+├── md/                        # Detailed written docs (one per stage)
+│   ├── 00_overview.md         # Master overview, data structures, entry points
+│   ├── 01_entry_point.md      # through
+│   └── 13_verdict_resolution.md
+├── slides/                    # HTML slide decks (one per stage)
+│   ├── 00_overview_slides.html
+│   ├── ...
+│   ├── 13_verdict_resolution_slides.html
+│   └── deck_master_nav.js     # Shared nav controls (Back, Master, Prev/Next Deck)
+```
+
+Each stage has two artifacts:
+
+| Format | Path pattern | Content |
+|--------|--------------|---------|
+| Markdown | `md/NN_<stage>.md` | Full writeup with pseudocode, tables, and address references |
+| Slides | `slides/NN_<stage>_slides.html` | Visual presentation deck for the same material |
+
+Open `master_slide.html` in a browser to navigate across all decks.
+
+## Pipeline Stages
+
+The scan pipeline is sequential — each stage can produce detections, collect attributes for downstream stages, or recursively invoke the entire pipeline on extracted content.
+
+| # | Stage | What It Does |
+|---|-------|-------------|
+| 00 | **Overview** | End-to-end map of the pipeline architecture, `ScanContext` / `ThreatRecord` data structures, and the `__rsignal` / `rsignal` export API |
+| 01 | **Entry Point** | How `__rsignal` and `rsignal` receive scan commands, dispatch by command code, and initialize the `ScanContext` for execution |
+| 02 | **Friendly File** | SHA-256/SHA-512 trusted-file whitelist lookup — files that match are immediately returned clean, short-circuiting the rest of the pipeline |
+| 03 | **Static Engine Cascade** | 11 signature engines that fire in a fixed order over raw file bytes: STATIC, PEHSTR, PEHSTR_EXT, MACRO, KCRCE, BRUTE, NID, DBVAR, VDLL_SIG, ARHSTR, and MSILFLAG |
+| 04 | **Attribute Collection** | Continuous collection of string-tag attributes into the scan context — fed into the AAGGREGATOR boolean evaluator at Stage 11 |
+| 05 | **PE Emulation** | Full x86/x64/ARM CPU emulator embedded in the engine: 198 emulated Windows APIs, 973 virtual DLLs, FOP opcode tracing, and behavioral telemetry for dynamic unpacking |
+| 06 | **Unpacked Content** | Recursive rescan of PE sections and files dropped by the emulator — feeds unpacked content back through the full pipeline |
+| 07 | **Container Extraction** | Recursive extraction of child objects from archives, Office docs, PDFs, installers, and other containers via pluggable nUFS format handlers |
+| 08 | **Script Deobfuscation** | NScript fixed-point deobfuscation engine for PowerShell, VBScript, JScript, and Batch — iteratively simplifies obfuscated scripts until stable |
+| 09 | **BRUTE Matching** | Format-agnostic content matching over raw, unpacked, and deobfuscated buffers — catches patterns the format-specific engines miss |
+| 10 | **Lua Scripts** | Lua 5.1 detection runtime executing rule sets through custom `mp.*` APIs — the most flexible detection layer in the engine |
+| 11 | **Attribute Evaluation** | AAGGREGATOR boolean evaluation: combines all collected attributes via AND/OR/NOT logic trees to produce composite threat detections |
+| 12 | **MAPS Cloud Lookup** | Cloud escalation to Microsoft MAPS for low-confidence local detections — includes FASTPATH quick-response and full sample submission |
+| 13 | **Verdict Resolution** | Final stage: merges all detections, deduplicates, applies severity ranking, filters infrastructure markers, and returns the single highest-priority verdict |

master_slide.html

@@ -0,0 +1,156 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Master Slide Navigator</title>
+<style>
+*,*::before,*::after{box-sizing:border-box;margin:0;padding:0}
+:root{
+  --bg:#070a14;
+  --bg2:#10182b;
+  --fg:#eef2ff;
+  --fg2:#c2cce8;
+  --fg3:#92a0c7;
+  --line:rgba(172,190,240,.28);
+  --accent:#59d3ff;
+  --accent2:#8bff92;
+}
+html,body{height:100%}
+body{
+  font-family:system-ui,-apple-system,Segoe UI,Roboto,Helvetica,Arial,sans-serif;
+  color:var(--fg);
+  background:
+    radial-gradient(1200px 700px at -10% -20%,rgba(89,211,255,.18),transparent 60%),
+    radial-gradient(900px 500px at 110% 120%,rgba(139,255,146,.14),transparent 60%),
+    linear-gradient(145deg,var(--bg),#0c1324 60%,#09101e);
+  min-height:100%;
+  padding:28px;
+}
+.wrap{max-width:1300px;margin:0 auto;display:grid;gap:20px}
+.hero{background:rgba(16,24,43,.65);border:1px solid var(--line);border-radius:18px;padding:24px}
+.kicker{font-size:12px;letter-spacing:.14em;text-transform:uppercase;color:var(--fg3)}
+h1{font-size:clamp(1.9rem,4vw,3.2rem);line-height:1.12;margin-top:10px}
+p{margin-top:10px;color:var(--fg2);line-height:1.5}
+.actions{margin-top:18px;display:flex;flex-wrap:wrap;gap:10px}
+.btn{
+  display:inline-flex;align-items:center;justify-content:center;
+  padding:10px 14px;border-radius:10px;
+  border:1px solid var(--line);
+  color:var(--fg);text-decoration:none;background:rgba(7,10,20,.6);
+  font-weight:600;font-size:14px
+}
+.btn.primary{border-color:rgba(89,211,255,.6);box-shadow:0 0 0 1px rgba(89,211,255,.28) inset}
+.btn.good{border-color:rgba(139,255,146,.55);box-shadow:0 0 0 1px rgba(139,255,146,.25) inset}
+.btn[aria-disabled="true"]{opacity:.35;pointer-events:none}
+.grid{display:grid;grid-template-columns:repeat(3,minmax(0,1fr));gap:12px}
+.card{
+  display:block;
+  background:rgba(16,24,43,.62);
+  border:1px solid var(--line);
+  border-radius:14px;
+  padding:14px;
+  color:inherit;
+  text-decoration:none;
+}
+.card:hover{border-color:rgba(89,211,255,.5);transform:translateY(-1px)}
+.idx{font-size:11px;letter-spacing:.1em;text-transform:uppercase;color:var(--fg3)}
+.name{font-weight:700;font-size:16px;margin-top:6px;line-height:1.25}
+.meta{font-size:12px;color:var(--fg2);margin-top:8px}
+.footer{font-size:12px;color:var(--fg3)}
+@media(max-width:980px){.grid{grid-template-columns:repeat(2,minmax(0,1fr));}}
+@media(max-width:640px){body{padding:16px}.hero{padding:18px}.grid{grid-template-columns:1fr}}
+</style>
+</head>
+<body>
+<div class="wrap">
+  <section class="hero">
+    <div class="kicker">Presentation Control</div>
+    <h1>Master Slide Navigator</h1>
+    <p>Use this page to jump between deck files, or continue in sequence to the next stage. In any deck, pressing next on the final slide automatically opens the next deck.</p>
+    <div class="actions">
+      <a id="back-btn" class="btn" href="#">Back</a>
+      <a class="btn primary" href="slides/00_overview_slides.html#1">Start Full Sequence</a>
+      <a id="continue-btn" class="btn good" href="slides/00_overview_slides.html#1">Continue to Next Deck</a>
+      <a id="resume-btn" class="btn" href="slides/00_overview_slides.html#1">Resume Current Deck</a>
+    </div>
+  </section>
+
+  <section class="grid" id="deck-grid"></section>
+
+  <div class="footer">Tip: from any deck, press <code>M</code> to return to this master slide.</div>
+</div>
+
+<script>
+(function(){
+  const decks = [
+    { file: "slides/00_overview_slides.html", title: "00 Overview" },
+    { file: "slides/01_entry_point_slides.html", title: "01 Entry Point" },
+    { file: "slides/02_friendly_file_slides.html", title: "02 Friendly File" },
+    { file: "slides/03_static_engine_cascade_slides.html", title: "03 Static Engine Cascade" },
+    { file: "slides/04_aaggregator_collection_slides.html", title: "04 AAGGREGATOR Collection" },
+    { file: "slides/05_pe_emulation_slides.html", title: "05 PE Emulation" },
+    { file: "slides/06_unpacked_content_slides.html", title: "06 Unpacked Content" },
+    { file: "slides/07_container_extraction_slides.html", title: "07 Container Extraction" },
+    { file: "slides/08_script_deobfuscation_slides.html", title: "08 Script Deobfuscation" },
+    { file: "slides/09_brute_matching_slides.html", title: "09 BRUTE Matching" },
+    { file: "slides/10_lua_scripts_slides.html", title: "10 Lua Scripts" },
+    { file: "slides/11_aaggregator_evaluation_slides.html", title: "11 AAGGREGATOR Evaluation" },
+    { file: "slides/12_maps_cloud_lookup_slides.html", title: "12 MAPS Cloud Lookup" },
+    { file: "slides/13_verdict_resolution_slides.html", title: "13 Verdict Resolution" }
+  ];
+
+  const grid = document.getElementById("deck-grid");
+  decks.forEach(function(deck, i){
+    const card = document.createElement("a");
+    card.className = "card";
+    card.href = deck.file + "#1";
+    card.innerHTML =
+      '<div class="idx">Deck ' + String(i + 1).padStart(2, "0") + ' of ' + String(decks.length).padStart(2, "0") + '</div>' +
+      '<div class="name">' + deck.title + '</div>' +
+      '<div class="meta">Open deck at slide 1</div>';
+    grid.appendChild(card);
+  });
+
+  const params = new URLSearchParams(location.search);
+  const fromRaw = Number(params.get("from"));
+  const fromIndex = Number.isInteger(fromRaw) ? fromRaw : -1;
+
+  const backBtn = document.getElementById("back-btn");
+  const continueBtn = document.getElementById("continue-btn");
+  const resumeBtn = document.getElementById("resume-btn");
+
+  backBtn.addEventListener("click", function(e){
+    e.preventDefault();
+    if (window.history.length > 1) {
+      window.history.back();
+      return;
+    }
+    if (fromIndex >= 0 && fromIndex < decks.length) {
+      location.href = decks[fromIndex].file + "#1";
+      return;
+    }
+    location.href = decks[0].file + "#1";
+  });
+
+  if (fromIndex >= 0 && fromIndex < decks.length) {
+    resumeBtn.href = decks[fromIndex].file + "#1";
+    resumeBtn.textContent = "Resume " + decks[fromIndex].title;
+
+    if (fromIndex + 1 < decks.length) {
+      continueBtn.href = decks[fromIndex + 1].file + "#1";
+      continueBtn.textContent = "Continue: " + decks[fromIndex + 1].title;
+    } else {
+      continueBtn.textContent = "At Final Deck";
+      continueBtn.setAttribute("aria-disabled", "true");
+    }
+  } else {
+    resumeBtn.textContent = "Resume Current Deck";
+    resumeBtn.setAttribute("aria-disabled", "true");
+    continueBtn.href = decks[0].file + "#1";
+    continueBtn.textContent = "Continue to Next Deck";
+  }
+})();
+</script>
+</body>
+</html>