Hexacorn Ltd

Beyond good ol’ Run key, Part 130

19 October 2020 at 21:58
By: adam
Yet another short one, courtesy of @tiraniddo who pointed me to this Microsoft article describing the SERVICE_FAILURE_ACTIONSW structure. In essence, you use it to tell the service controller what to do when […]
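The structure named above is what the SCM persists under each service's registry key, so a defender can enumerate which services would run a command on failure. The following is an added example for this feed entry, not code from the Hexacorn post: it reads the FailureActions (REG_BINARY) and FailureCommand (REG_SZ) values under HKLM\SYSTEM\CurrentControlSet\Services. The binary layout it parses (five DWORDs followed by an array of {Type, Delay} pairs, with type 3 meaning "run a command") is assumed from the documented SERVICE_FAILURE_ACTIONS fields and from how the value appears on typical systems; the function name Get-FailureRunCommands is this example's own.

```powershell
# Added example (not Hexacorn's code): list services whose failure actions
# include "run a command". Run elevated so every service key is readable.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-FailureRunCommands {
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p) { continue }

        $runsCommand = $false
        $fa = $p.FailureActions   # REG_BINARY, only present once failure actions were set
        if ($fa -and $fa.Length -ge 20) {
            # Assumed layout, mirroring SERVICE_FAILURE_ACTIONS: DWORD reset period,
            # DWORD reboot-message offset, DWORD command offset, DWORD action count,
            # DWORD offset of the action array; then cActions pairs of DWORD {Type, Delay}.
            # Type 3 = SC_ACTION_RUN_COMMAND.
            $count  = [BitConverter]::ToUInt32($fa, 12)
            $offset = [BitConverter]::ToUInt32($fa, 16)
            for ($i = 0; $i -lt $count; $i++) {
                $pos = $offset + 8 * $i
                if ($pos + 4 -gt $fa.Length) { break }   # malformed or truncated value
                if ([BitConverter]::ToUInt32($fa, $pos) -eq 3) { $runsCommand = $true }
            }
        }

        # Report if any action is "run command" or a FailureCommand string is set at all.
        if ($runsCommand -or $p.FailureCommand) {
            [pscustomobject]@{
                Service        = $key.PSChildName
                FailureCommand = $p.FailureCommand
                ImagePath      = $p.ImagePath
            }
        }
    }
}

Get-FailureRunCommands | Format-Table -AutoSize
```

Cross-check any hit against the SCM's own view with `sc.exe qfailure <ServiceName>`; a FailureCommand pointing at an unexpected binary or script on a service that an attacker can deliberately crash is the case worth investigating.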

manifest comclass curiosity

22 October 2020 at 22:02
By: adam
At the time I looked at certutil I spotted one interesting bit – its manifest included a reference to ‘certadm.dll’ and ‘comClass’. Once I spotted it I immediately jumped hoping […]

The Alexiou Principle

29 October 2020 at 23:49
By: adam
I very rarely republish content of other blogs, but today, for many reasons really, I feel obliged to republish one of the most relevant DFIR posts ever: The Alexiou Principle […]

Memory buffers for… initiated

4 November 2020 at 23:28
By: adam
Early Visual Basic program crackers knew that if you put a breakpoint in the right place, you can intercept strings entered into a text/input box. Once you do that, finding […]

DeXRAY 2.23 update

10 November 2020 at 23:20
By: adam
I got bored again and as a result added support for G-Data Q files that start with a \xCA\xFE\xBA\xBE magic. The decrypted files (apart from the main sample) use extensions […]

Memory buffers for… initiated, part 2 – Frida(y) edition

12 November 2020 at 22:44
By: adam
In my last post I boasted about my tool that could dump memory blocks that included plain vanilla perl, or .bat code obfuscated using a number of ‘2exe’ converters. Boasting […]

Where all the Cyber Tooth Fairies go?

13 November 2020 at 23:31
By: adam
One of my favorite TV Series is Dexter. Early seasons were so-so, focused on a cheap thrill, lame TV that you can see all over the place. As the series […]

Memory buffers for… initiated, part 3 – Frida(y) edition

14 November 2020 at 00:06
By: adam
Okay, we can dump heap buffers. What’s next? What about a sandbox-like, IOC generator & payload dumper? In its most basic version we will run a sample and our handlers […]

When good URLs are bad for business

15 November 2020 at 17:54
By: adam
Analyzing memory dumps comes with a price – ‘good’ information overload. One that annoys me a lot is running URL/domain extraction tools over the memdump and finding tons of legitimate […]

DeXRAY 2.24 update

16 November 2020 at 22:54
By: adam
Added yet another file type to the list – K7 <md5>.qtn. The latest version of DeXRAY can be downloaded here. DeXRAY supports: AhnLab (V3B) Amiti (IFC) ASquared (EQF) Avast ([email protected]=’-chest- […]

DeXRAY 2.25 update

17 November 2020 at 19:05
By: adam
I recently learned there are a lot of new (to me) AV companies that I never heard of. As such, it became an opportunity to update DeXRAY with additional decryption […]

Re-sauce, Part 2

18 November 2020 at 23:19
By: adam
In part 1 I covered the most frequently used resource names. Today I will cover an obscure type of resources instead. Some developers like to use strings to name […]

Commander Minority Report

21 November 2020 at 00:55
By: adam
This is an idea I have not tested in practice, but it emerged in response to a simple question: What if sysmon, 4688, EDR command line logging couldn’t catch a […]

Updated appid_calc.pl & dexray.pl

26 November 2020 at 22:56
By: adam
Stuart pinged me about an issue with appid_calc.pl, so I updated the tool to fix the bug. You can download appid_calc from here. And Brian did another run over dexray […]

Re-sauce, Part 3

27 November 2020 at 22:36
By: adam
I like extracting data from many samples because this way I often discover new things. Combing through a set of manifest files I have extracted from a large sampleset of […]

TestHooks, take 2

2 December 2020 at 23:20
By: adam
In my older post I mentioned TestHooks in the context of Windows Update. Studying Windows 10 binaries brings more interesting findings. A few days ago I stumbled upon the Test_TestHookIndex string inside […]

csrss.exe and its manifests

5 December 2020 at 23:23
By: adam
This is yet another odd behavior I spotted using Procmon. I was curious what .manifest files may be missing on my test Windows 10 system. The idea was that if […]

FaaS for noobs

6 December 2020 at 00:53
By: adam
This is the first version of this article. Due to nuances, and things I forgot while writing its first version I will come back to it to fix stuff I […]

Propagate, Ribbonate

22 December 2020 at 00:09
By: adam
I thought the Propagate technique was a dead horse. Described, implemented, used in malware. But. There is perhaps one more possibility, or four. When you open Windows Explorer and Ribbons are […]