Ug_0Security asked, and I am answering 🙂 Not all of them are just from win11, but it’s just a quick diff between what I saw back in 2018 and one […]

With file handlers being yet again a topic du jour it was only natural to try answering a question — how many file protocols are really out there? I tried […]

In the last post I described how we can pull some interesting metadata from decompiled installers. Today I want to discuss one practical example of how this data can enrich […]

Looking at installers of goodware is quite boring. They do the right thing, at least most of the time, and there is not much to see there. However, if you […]

Long before endpoint event logging became a norm it was incredibly difficult to collect information about popular processes, services, paths, CLSIDs, etc.. Antivirus companies, and later sandbox companies had tones […]

Update 3 If you want to know more about salaries at FAANG and all over the world look at the following resources: levels.fyi h1bdata.info https://docs.google.com/spreadsheets/d/1TWvPQalmwl1sIS3n2eOU4KST4oJwcxtSfT8lMo9IgVM/edit https://twitter.com/LadyCyberRosie/status/1490695657249816583 Update 2 tl; dr; […]

I have written a lot about anti-vm tricks, and while this topic is so worn out that almost feels like kicking a dead horse I felt there is still a […]

We have our sampleset. We have our metadata. What’s next? You can very quickly script searches that will look for specific files, or their properties. I mentioned section names, PDB […]

This series talks about ‘good’ files. That is, files (samples) produced by reputable vendors, often signed, and hopefully not compromised by stolen certificates, vulnerabilities, supply-chain attacks or bothered by other […]

Most of (anti-) malware researchers focus on malware samples, because… it’s only natural in this line of work. For a while now I try to focus on the opposite – […]

In part 1 and part 2 we looked at individual APIs and I hinted we can automate generation of handlers. Today we will do exactly that. The attached python code […]

In my previous post I have demoed a simple example of Frida-based Delphi API monitor. Let’s look at one more example — this time the strings are stored in a […]

This is the second post discussing what we can find inside the NSRL data set. At this stage we know it’s not only file hashes, but also sections of executables […]

Last year I took a very quick look at NSRL hash set. Being de facto golden standard of good hashes I was curious what sort of data is actually included […]

This is just a simple proof of concept that can be extended to build a full-blown Delphi API Monitor. Delphi lives in its own API ecosystem. Reversing Delphi applications requires […]

I was recently contacted by Oskar who had a problem decrypting Defender for Mac Quarantine files. After quick investigations we discovered that the encrypted file doesn’t really conform to any […]

This is a post that should have appeared here at least 10 years ago. There is an enigmatic Registry entry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension\PeerdistDllName=peerdist.dll that I came across many times before. The […]

This is a neat persistence trick you can use… if you got access to TrustedInstaller… The wininet.dll library in Windows 10+ extends the functionality of InternetErrorDlg function to reach out […]

Steve asked about the use cases for Yara Carpet Bomber approach and in this twitter convo I provided 2 examples of quick & dirty Yara rules: that help to find […]