Hexacorn Ltd

Cur\o/bin

2 May 2021 at 13:53
By: adam
This post wraps up another Twitter thread I started a few days ago: If you ever get bored using "copy" to copy files you can always use … curl: curl […]

SleepStudy logs

3 May 2021 at 11:09
By: adam
Update: After I posted it, Bryan linked to this article which explains how to generate a SleepStudy report. Thx! Old Post: A few days ago I came across ETL logs I […]

Debug Environment Variables are \o/

3 May 2021 at 11:56
By: adam
Looking at the list of debug environment variables one can immediately spot a lot of room for abuse. One can hypothesize that setting e.g. _NT_SYMBOL_PATH, _NT_ALT_SYMBOL_PATH, _NT_SYMBOL_PROXY, SRCSRV_INI_FILE to point […]

Non-debugging uses of CDB

3 May 2021 at 12:25
By: adam
Catching up with another tweet from 3 months ago. VMWare Workstation installs cdb.exe debugger for you – you can play around with its features if you happen to find it […]

Beyond good ol’ Run key, Part 134

3 May 2021 at 19:19
By: adam
This one is for historical reasons, primarily. Old Adobe Photoshop/ImageReady used to have a feature called "Jump to" which is neatly described here. The feature was implemented via a simple […]

BYOT – Bring Your Own Telemetry

20 May 2021 at 21:33
By: adam
Research is a funny business. You look at some stuff, you conclude it’s impossible, and then… you forget about it. So you think. It gets stuck in your head… somewhere… […]

Excellent Conversions (and downloads)

23 May 2021 at 22:19
By: adam
This one was on a back burner for a while too. C:\Program Files*\Microsoft Office\root\Office*\excelcnv.exe is a program that helps to convert various documents to XLSX format. While playing around with […]

A story about Procmon (no, not that one – its misbehaving client)

26 May 2021 at 22:49
By: adam
We all love Process Monitor, but what we love even more are its undocumented features. Checking the program's accepted command line arguments we can quickly discover that it can be called […]

Shopping for LOLbins

10 June 2021 at 22:13
By: adam
In this Twit that I posted a few weeks ago I demoed how to use older versions of Photoshop and Illustrator to execute calculator via their internal scripting engine that […]

KillBit legacy – in search for ActiveX Lolbins

11 June 2021 at 22:07
By: adam
ActiveX is dead. Unless used outside of the browser, locally, lolbin-ically. Back in the day companies loved to implement extra functionality for the web via their own ActiveX controls and […]

Wine tasting, again

10 July 2021 at 16:51
By: adam
In my old post I have listed a number of wine functions that are exported in that environment and are not present in Windows libraries. 5 years later I decided […]

Trololololobin and other lolololocoasters

9 October 2021 at 06:44
By: adam
In my older tweet I gave an example of a surgical way to inject process into a chain of executed programs and launch them at a predetermined position in a […]

Dexray v2.31

11 November 2021 at 22:17
By: adam
With the help of @simpo13 Dexray now supports Defender for Mac quarantine files. Thanks @simpo13! Download it here.

Mapping Chrome extension IDs to their names

24 December 2021 at 23:35
By: adam
It’s been a long time since I did any forensic research, so today is the day. There is no old phrase coined yet — your forensic investigations’ results are as […]

Putting .inf files and NSRL database to a better use

25 December 2021 at 23:08
By: adam
When you look at a large repository of clean files there is always an opportunity to find something interesting. For instance, a list of precursors to forensic artifacts that one can […]

Beyond good ol’ Run key, Part 135

16 January 2022 at 09:50
By: adam
These days I post most of the new stuff on Twitter as no one reads blogs anymore, right? 🙂 Still, good to document some of it in a more permanent […]

Windows Installation animation

16 January 2022 at 10:04
By: adam
While looking at \Windows\system32\oobe\ files I had a quick check what FirstLogonAnim.exe does and discovered that on top of accepting the following command line arguments: /zdp (for Zero Day Package) […]

ms-cxh and ms-cxh-full handlers

16 January 2022 at 10:46
By: adam
Another 2 bits I posted to Twitter — noticed that there is a built-in "ms-cxh" handler that was unknown to me (CXH stands for Cloud Experience Host) and there is […]

Yara Carpet Bomber

16 January 2022 at 15:50
By: adam
A lot of people are sharing their Yara creations (look for the #100DaysofYARA tag on Twitter), so I thought I would share a bit too. This is a very unusual way […]