Hexacorn Ltd
A few more protocol handlers :)
7 June 2022 at 21:40
Ug_0Security asked, and I am answering. Not all of them are just from Win11, but it's just a quick diff between what I saw back in 2018 and one […]
Not installing the installers, part 3
5 June 2022 at 16:38
With file handlers being yet again a topic du jour it was only natural to try answering a question: how many file protocols are really out there? I tried […]
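The two protocol-handler posts above ("A few more protocol handlers" and "Not installing the installers, part 3") both come down to the same practical question: what URL protocol handlers are registered on a box, and what changed since the last look. The PowerShell script below is an added example and not code from the Hexacorn posts. It scans HKEY_CLASSES_ROOT for keys that carry a "URL Protocol" value (the marker Windows uses for a registered scheme), records each scheme's shell\open\command launch string, and diffs the result against a JSON baseline saved on a previous run. The baseline file location, the output layout and the ADDED/CHANGED and REMOVED/OLD labels are my own choices, not anything the posts define.

```powershell
# Added example (not from the Hexacorn posts): enumerate registered URL
# protocol handlers and diff them against a saved baseline.
param(
    # Hypothetical location for the baseline; adjust to taste.
    [string]$BaselinePath = "$env:USERPROFILE\url-protocols-baseline.json"
)

function Get-UrlProtocolHandlers {
    foreach ($key in Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Only keys that declare a "URL Protocol" value are scheme handlers.
        if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains 'URL Protocol')) { continue }

        # The launch command is the (default) value of <scheme>\shell\open\command.
        $cmdKey  = "$($key.PSPath)\shell\open\command"
        $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'

        [pscustomobject]@{
            Scheme  = $key.PSChildName
            Command = if ($command) { $command } else { '<no shell\open\command>' }
        }
    }
}

$current = Get-UrlProtocolHandlers | Sort-Object Scheme
"Registered URL protocol handlers: $($current.Count)"

if (Test-Path -Path $BaselinePath) {
    # Compare scheme+command pairs so a hijacked command on a known scheme
    # is reported, not only a brand-new scheme.
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Scheme, Command
    foreach ($entry in $diff) {
        $tag = if ($entry.SideIndicator -eq '=>') { 'ADDED/CHANGED' } else { 'REMOVED/OLD' }
        '{0,-14} {1,-24} {2}' -f $tag, $entry.Scheme, $entry.Command
    }
    if (-not $diff) { 'No change against baseline.' }
} else {
    # First run: persist the current state as the baseline. -InputObject keeps
    # a single-element result serialised as an array.
    ConvertTo-Json -InputObject @($current) | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
    $current | Format-Table -AutoSize
}
```

HKEY_CLASSES_ROOT is the merged view of HKLM\Software\Classes and HKCU\Software\Classes, so a per-user handler dropped by a non-admin process shows up here too; if you need to know which hive a handler came from, run the same scan against each of those two keys separately.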
Not installing the installers, part 2
22 May 2022 at 21:05
In the last post I described how we can pull some interesting metadata from decompiled installers. Today I want to discuss one practical example of how this data can enrich [β¦]
Not installing the installers
21 May 2022 at 22:22
Looking at installers of goodware is quite boring. They do the right thing, at least most of the time, and there is not much to see there. However, if you [β¦]
Hijacking HijackThis
20 May 2022 at 21:46
Long before endpoint event logging became a norm it was incredibly difficult to collect information about popular processes, services, paths, CLSIDs, etc. Antivirus companies, and later sandbox companies, had tons […]
Infosec Salaries: the myth and the reality
21 April 2022 at 23:00
Update 3 If you want to know more about salaries at FAANG and all over the world look at the following resources: levels.fyi h1bdata.info https://docs.google.com/spreadsheets/d/1TWvPQalmwl1sIS3n2eOU4KST4oJwcxtSfT8lMo9IgVM/edit https://twitter.com/LadyCyberRosie/status/1490695657249816583 Update 2 tl;dr […]
The Anti-VM trick that is kinda… personal
16 April 2022 at 21:19
I have written a lot about anti-VM tricks, and while this topic is so worn out that it almost feels like kicking a dead horse I felt there is still a […]
Good file… (What is it good for) Part 3
13 March 2022 at 01:02
We have our sampleset. We have our metadata. What's next? You can very quickly script searches that will look for specific files, or their properties. I mentioned section names, PDB […]
Good file… (What is it good for) Part 2
11 March 2022 at 23:09
This series talks about "good" files. That is, files (samples) produced by reputable vendors, often signed, and hopefully not compromised by stolen certificates, vulnerabilities, supply-chain attacks or bothered by other […]
Good file… (What is it good for) Part 1
4 March 2022 at 23:27
Most (anti-)malware researchers focus on malware samples, because… it's only natural in this line of work. For a while now I try to focus on the opposite: […]
Delphi API monitoring with Frida, Part 3
20 February 2022 at 19:14
In part 1 and part 2 we looked at individual APIs and I hinted we can automate generation of handlers. Today we will do exactly that. The attached python code [β¦]
Delphi API monitoring with Frida, Part 2
19 February 2022 at 23:05
In my previous post I have demoed a simple example of a Frida-based Delphi API monitor. Let's look at one more example, this time the strings are stored in a […]
Analysing NSRL data set for fun and because… curious, Part 2
6 February 2022 at 22:38
This is the second post discussing what we can find inside the NSRL data set. At this stage we know it's not only file hashes, but also sections of executables […]
Analysing NSRL data set for fun and because… curious
4 February 2022 at 22:45
Last year I took a very quick look at the NSRL hash set. Being the de facto gold standard of good hashes, I was curious what sort of data is actually included […]
Delphi API monitoring with Frida
28 January 2022 at 22:39
This is just a simple proof of concept that can be extended to build a full-blown Delphi API Monitor. Delphi lives in its own API ecosystem. Reversing Delphi applications requires [β¦]
Dexray v2.32
23 January 2022 at 00:07
I was recently contacted by Oskar who had a problem decrypting Defender for Mac quarantine files. After quick investigations we discovered that the encrypted file doesn't really conform to any […]
Beyond good ol' Run key, Part 138
23 January 2022 at 00:03
This is a post that should have appeared here at least 10 years ago. There is an enigmatic Registry entry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension\PeerdistDllName=peerdist.dll that I came across many times before. The [β¦]
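The excerpt above gives the registry value name and its stock content (PeerdistDllName=peerdist.dll), which is enough for a practitioner to add a one-shot check to a triage script. The PowerShell below is an added example and not code from the Hexacorn post: it reads the value, resolves the file it names, checks the Authenticode status, and reports any deviation from the bare default name. One assumption is mine and not stated on the page: that an unqualified file name in this value would be picked up from System32 like any other DLL name, so that is where the script looks for it; a rooted path pointing elsewhere is reported as a finding in its own right.

```powershell
# Added example (not from the Hexacorn post): sanity-check the PeerDist
# extension DLL value and flag anything other than the stock setting.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension'
$valueName = 'PeerdistDllName'
$expected  = 'peerdist.dll'   # the value the post reports as the normal one

function Test-PeerDistDllName {
    $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $valueName)) {
        return [pscustomobject]@{ Status = 'absent'; Value = $null; Path = $null; Signature = $null; Findings = '' }
    }
    $value = [string]$props.$valueName

    # Assumption (mine): a bare DLL name resolves to System32; a rooted path is used as given.
    $isRooted = [System.IO.Path]::IsPathRooted($value)
    $resolved = if ($isRooted) { $value } else { Join-Path -Path "$env:SystemRoot\System32" -ChildPath $value }

    $sig = if (Test-Path -Path $resolved -PathType Leaf) {
        (Get-AuthenticodeSignature -FilePath $resolved).Status.ToString()
    } else { 'file-missing' }

    # -ne is case-insensitive in PowerShell, so PeerDist.DLL still matches the default.
    $findings = @()
    if ($value -ne $expected) { $findings += "value is '$value', expected '$expected'" }
    if ($isRooted)            { $findings += 'value is a full path rather than a bare DLL name' }
    if ($sig -ne 'Valid')     { $findings += "signature status: $sig" }

    [pscustomobject]@{
        Status    = if ($findings) { 'SUSPICIOUS' } else { 'ok' }
        Value     = $value
        Path      = $resolved
        Signature = $sig
        Findings  = $findings -join '; '
    }
}

Test-PeerDistDllName | Format-List
```

Treat a SUSPICIOUS result as a lead rather than a verdict: an unsigned or relocated DLL here warrants pulling the file and checking who last wrote the key, but the script on its own only tells you the value is not the stock one.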
Beyond good ol' Run key, Part 137
22 January 2022 at 01:08
This is a neat persistence trick you can use… if you got access to TrustedInstaller… The wininet.dll library in Windows 10+ extends the functionality of the InternetErrorDlg function to reach out […]
Yara Carpet Bomber, Part 2
18 January 2022 at 23:15
Steve asked about the use cases for the Yara Carpet Bomber approach and in this Twitter convo I provided 2 examples of quick & dirty Yara rules that help to find […]