Yet another short one, courtesy of @tiraniddo who pointed me to this Microsoft article describing SERVICE_FAILURE_ACTIONSW structure. In essence, you use it to tell service controller what to do when […]

At the time I looked at certutil I spotted one interesting bit – its manifest included a reference to ‘certadm.dll’ and ‘comClass’. Once I spotted it I immediately jumped hoping […]

I very rarely republish content of other blogs, but today, for many reasons really, I feel obliged to republish one of the most relevant DFIR posts ever: The Alexiou Principle […]

Early Visual Basic program crackers knew that if you put a breakpoint in a right place, you can intercept strings entered into a text/input box. Once you do that, finding […]

I got bored again and as a result added support for G-Data Q files that start with a \xCA\xFE\xBA\xBE magic. The decrypted files (apart from the main sample) use extensions […]

In my last post I boasted about my tool that could dump memory blocks that included plain vanilla perl, or .bat code obfuscated using a number of ‘2exe’ converters. Boasting […]

One of my favorite TV Series is Dexter. Early seasons were so-so, focused on a cheap thrill, lame TV that you can see all over the place. As the series […]

Okay, we can dump heap buffers. What’s next? What about a sandbox-like, IOC generator & payload dumper? In its most basic version we will run a sample and our handlers […]

Analyzing memory dumps comes with a price – ‘good’ information overload. One that annoys me a lot is running URl/domain extraction tools over the memdump and finding tones of legitimate […]

Added yet another file type to the list – K7 <md5>.qtn. The latest version of DeXRAY can be downloaded here. DeXRAY supports: AhnLab (V3B) Amiti (IFC) ASquared (EQF) Avast ([email protected]=’-chest- […]

I recently learned there is a lot of new (to me) AV companies that I never heard of. As such, it became an opportunity to update DeXRAY with additional decryption […]

In the part 1 I covered the most frequently used resource names. Today I will cover an obscure type of resources instead. Some developers like to use strings to name […]

This is an idea I have not tested in practice, but it emerged in response to a simple question: What if sysmon, 4688, EDR command line logging couldn’t catch a […]

Stuart pinged me about an issue with appid_calc.pl, so I updated the tool to fix the bug. You can download appid_calc from here. And Brian did another run over dexray […]

I like extracting data from many samples because this way I often discover new things. Combing through a set of manifest files I have extracted from a large sampleset of […]

In my older post I mentioned TestHooks in a context of Windows Update. Studying Windows 10 binaries brings more interesting findings. Few days ago I stumbled upon Test_TestHookIndex string inside […]

This is yet another odd behavior I spotted using Procmon. I was curious what .manifest files may be missing on my test Windows 10 system. The idea was that if […]

This is the first version of this article. Due to nuances, and things I forgot while writing its first version I will come back to it to fix stuff I […]

I thought Propagate technique is a dead horse. Described, implemented, used in malware. But. There is perhaps one more possibility, or four. When you open Windows Explorer and Ribbons are […]