Hexacorn Ltd

Not installing the installers, part 2

22 May 2022 at 21:05
By: adam
In the last post I described how we can pull some interesting metadata from decompiled installers. Today I want to discuss one practical example of how this data can enrich […]

Not installing the installers

21 May 2022 at 22:22
By: adam
Looking at installers of goodware is quite boring. They do the right thing, at least most of the time, and there is not much to see there. However, if you […]

Hijacking HijackThis

20 May 2022 at 21:46
By: adam
Long before endpoint event logging became the norm it was incredibly difficult to collect information about popular processes, services, paths, CLSIDs, etc. Antivirus companies, and later sandbox companies, had tons […]

Infosec Salaries – the myth and the reality

21 April 2022 at 23:00
By: adam
Update 3 If you want to know more about salaries at FAANG and all over the world look at the following resources: levels.fyi h1bdata.info https://docs.google.com/spreadsheets/d/1TWvPQalmwl1sIS3n2eOU4KST4oJwcxtSfT8lMo9IgVM/edit https://twitter.com/LadyCyberRosie/status/1490695657249816583 Update 2 tl; dr; […]

The Anti-VM trick that is kinda… personal

16 April 2022 at 21:19
By: adam
I have written a lot about anti-VM tricks, and while this topic is so worn out that it almost feels like kicking a dead horse, I felt there is still a […]

Good file… (What is it good for) Part 3

13 March 2022 at 01:02
By: adam
We have our sampleset. We have our metadata. What’s next? You can very quickly script searches that will look for specific files, or their properties. I mentioned section names, PDB […]

Good file… (What is it good for) Part 2

11 March 2022 at 23:09
By: adam
This series talks about ‘good’ files. That is, files (samples) produced by reputable vendors, often signed, and hopefully not compromised by stolen certificates, vulnerabilities, supply-chain attacks or bothered by other […]

Good file… (What is it good for) Part 1

4 March 2022 at 23:27
By: adam
Most (anti-)malware researchers focus on malware samples, because… it’s only natural in this line of work. For a while now I have been trying to focus on the opposite – […]

Delphi API monitoring with Frida, Part 3

20 February 2022 at 19:14
By: adam
In part 1 and part 2 we looked at individual APIs and I hinted that we can automate the generation of handlers. Today we will do exactly that. The attached Python code […]

Delphi API monitoring with Frida, Part 2

19 February 2022 at 23:05
By: adam
In my previous post I demoed a simple example of a Frida-based Delphi API monitor. Let’s look at one more example – this time the strings are stored in a […]

Analysing NSRL data set for fun and because… curious, Part 2

6 February 2022 at 22:38
By: adam
This is the second post discussing what we can find inside the NSRL data set. At this stage we know it’s not only file hashes, but also the sections of executables […]

Analysing NSRL data set for fun and because… curious

4 February 2022 at 22:45
By: adam
Last year I took a very quick look at the NSRL hash set. Being the de facto gold standard of good hashes, I was curious what sort of data is actually included […]

Delphi API monitoring with Frida

28 January 2022 at 22:39
By: adam
This is just a simple proof of concept that can be extended to build a full-blown Delphi API Monitor. Delphi lives in its own API ecosystem. Reversing Delphi applications requires […]

Dexray v2.32

23 January 2022 at 00:07
By: adam
I was recently contacted by Oskar, who had a problem decrypting Defender for Mac quarantine files. After a quick investigation we discovered that the encrypted file doesn’t really conform to any […]

Beyond good ol’ Run key, Part 138

23 January 2022 at 00:03
By: adam
This is a post that should have appeared here at least 10 years ago. There is an enigmatic Registry entry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension\PeerdistDllName=peerdist.dll that I came across many times before. The […]

Beyond good ol’ Run key, Part 137

22 January 2022 at 01:08
By: adam
This is a neat persistence trick you can use… if you have access to TrustedInstaller… The wininet.dll library in Windows 10+ extends the functionality of the InternetErrorDlg function to reach out […]

Yara Carpet Bomber, Part 2

18 January 2022 at 23:15
By: adam
Steve asked about the use cases for the Yara Carpet Bomber approach, and in this Twitter convo I provided 2 examples of quick & dirty Yara rules that help to find […]

Beyond good ol’ Run key, Part 136

18 January 2022 at 19:23
By: adam
I love Office-based persistence mechanisms, because there is always… one more to discover 🙂 Take your Winword.exe from Office 2021 or Office 365. When it loads, it checks if the […]

Yara Carpet Bomber

16 January 2022 at 15:50
By: adam
A lot of people are sharing their Yara creations (look for the #100DaysofYARA tag on Twitter), so I thought I would share a bit too. This is a very unusual way […]