RSS Security

πŸ”’
❌ About FreshRSS
There are new articles available, click to refresh the page.
Before yesterdayHexacorn Ltd

Wine tasting, again

10 July 2021 at 16:51
By: adam
In my old post I have listed a number of wine functions that are exported in that environment and are not present in Windows libraries. 5 years later I decided […]

KillBit legacy – in search for ActiveX Lolbins

11 June 2021 at 22:07
By: adam
ActiveX is dead. Unless used outside of the browser, locally, lolbin-ically. Back in a day companies loved to implement extra functionality for the web via their own ActiveX controls and […]

Shopping for LOLbins

10 June 2021 at 22:13
By: adam
In this Twit that I posted a few weeks ago I demoed how to use older versions of Photoshop and Illustrator to execute calculator via their internal scripting engine that […]

A story about Procmon (no, not that one – its misbehaving client)

26 May 2021 at 22:49
By: adam
We all love Process Monitor, but what we love even more are its undocumented features. Checking program’s accepted command line arguments we can quickly discover that it can be called […]

Excellent Conversions (and downloads)

23 May 2021 at 22:19
By: adam
This one was on a back burner for a while too. C:\Program Files*\Microsoft Office\root\Office*\excelcnv.exe is a program that helps to convert various documents to XLSX format. While playing around with […]

BYOT – Bring Your Own Telemetry

20 May 2021 at 21:33
By: adam
Research is a funny business. You look at some stuff, you conclude it’s impossible, and then… you forget about it. So you think. It gets stuck in your head… somewhere… […]

Beyond good ol’ Run key, Part 134

3 May 2021 at 19:19
By: adam
This one is for historical reasons, primarily. Old Adobe Photoshop/ImageReady used to have a feature called β€œJump to” which is neatly described here. The feature was implemented via a simple […]

Non-debugging uses of CDB

3 May 2021 at 12:25
By: adam
Catching up with another tweet from 3 months ago. VMWare Workstation installs cdb.exe debugger for you – you can play around with its features if you happen to find it […]

Debug Environment Variable are \o/

3 May 2021 at 11:56
By: adam
Looking at the list of debug environment variables one can immediately spot a lot of room for abuse. One can hypothesize that setting e.g. _NT_SYMBOL_PATH, _NT_ALT_SYMBOL_PATH, _NT_SYMBOL_PROXY, SRCSRV_INI_FILE to point […]

SleepStudy logs

3 May 2021 at 11:09
By: adam
Update After I posted it, Bryan linked to this article which explains how to generate SleepStudy report. Thx! Old Post A few days ago I came across ETL logs I […]

Cur\o/bin

2 May 2021 at 13:53
By: adam
This post wraps up another Twitter thread I started a few days ago: If you ever get bored using β€œcopy” to copy files you can always use … curl: curl […]

Throwing LOLBIN a tar ball

2 May 2021 at 13:42
By: adam
This post summarizes some of the findings I posted on Twitter the other day. While looking at Windows version of tar.exe I discovered that it includes lots of undocumented command […]

Gup \o/ bin

2 May 2021 at 13:39
By: adam
Notepad ++ comes with a built-in Updater called GUP typically located here: c:\Program Files (x86)\Notepad++\updater\GUP.exe It is a generic downloader that accepts a range of command line arguments, and while […]

FTP.EXE Lolbin v2

2 May 2021 at 11:38
By: adam
@0gtweetβ€˜s tweet inspired me to look at lolbin stuff again (as it is often the case). So… everyone knows we can use ftp.exe as a lolbin and using COMSPEC trick […]

Playing CAPAeira with Yara rules

20 April 2021 at 21:46
By: adam
Writing Yara rules is easy. Writing good Yara rules is … testing – both as an adjective and a verb. There is a class of Yara rules – the one […]

Yara & maldoc pics

7 April 2021 at 22:06
By: adam
Update It took only a few minutes for @0xkyle to point me to Halogen project. Nice one! Old post This is a little trick that you may find handy for […]

ELF sections stats

13 March 2021 at 23:02
By: adam
If you follow my blog you may know that I have dedicated a lot of time building a very comprehensive list of PE Sections, Today I realized that I never […]

Beyond good ol’ Run key, Part 133

5 March 2021 at 23:18
By: adam
Java programs compiled into executable form using launch4j have a few interesting features that make them a good target for both persistence and LOLBIN-ish activities. When the executable starts it […]

Event ID 7039 – out…pid a pid

26 February 2021 at 19:18
By: adam
This event is not very well explained on the internet, so I took a liberty of describing it below: The event message is as follows: A service process other than […]
❌