Aaron Adams presented this talk at HITB Phuket on the 24th August 2023. The talk
detailed how NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto was
able to exploit two different PostScript vulnerabilities in Lexmark printers.
The presentation is a good primer for those interested in further researching
the Lexmark PostScript stack, and also those interested in how PostScript
interpreter exploitation can be approached in general.

The slides for the talk can be downloaded here.

I recently came across a malware sample that included the following, mysterious string: There are a few versions of this strings out there (extracted from a few malware samples downloaded in 2023): 961c151d2e87f2686a955a9be24d316f1362bf21 2.1.1 961c151d2e87f2686a955a9be24d316f1362bf21 3.5.0 961c151d2e87f2686a955a9be24d316f1362bf21 3.6.1 961c151d2e87f2686a955a9be24d316f1362bf21 3.9.1 … Continue reading →

It may sound a bit counterintuitive, but some very known lolbins often make it to places that no one ever thought would be possible… Continuing the topic I started a few days earlier, today I will explore a few more … Continue reading →

Nearly two years ago I published a quick summary of my analysis of NSRL data. I believe I was the first one to publicly evaluate this data set, and I still stand by the harsh conclusions I reached back then, … Continue reading →

A few days ago @kernelv0id asked about an undocumented Excel format that he observed being used by one of the payloads he was analysing. He saw a malicious .xlsb file dropping a file that was being saved with a file … Continue reading →

This is probably the most unusual blog post I have ever written here… Oh, well… — TL;DR; My wife and I recently stayed at a pretty expensive hotel. I won’t name and shame, but it’s fair to say they didn’t … Continue reading →

It’s easy to say ‘we follow the Sun’ or ‘we deliver that 24/7/365 service’. The story doesn’t end there though – the delivery part of this promise has a different story to tell. The one that is rarely talked about, … Continue reading →

The moment I heard of machine code and its opcodes… I fell in love. Being able to understand machine code from just looking at the binary (okay, mostly its hexadecimal representation) felt like magic. And since many simple x86 assembly … Continue reading →

I really don’t know if this is the first post in the series, or just a one-off that is also, the last. There are many fantastic blog posts out there that deal with the most popular Linux persistence tricks, f.ex. … Continue reading →

Even in 2023 Dexray seems to be delivering value to DFIR practitioners. I am always very humbled by unsolicited additions to Dexray code, because it means the tool is still alive, despite the fact it was written in archaic (by … Continue reading →

Reading articles about criminals enjoying (I really hope they are not just flexing) drinking the emperor of all Champagnes aka Dom Pérignon, makes me feel that they are potentially missing out on so many opportunities! Not only Dom Pérignon is … Continue reading →

Nearly 2 years ago I published the first part, so it’s time for a quick update. And this time I am publishing the file as well – note that it cannot be used for commercial purposes, but hope you will … Continue reading →

Over the years I have made a lot of attempts to systematically extract Windows API information from various sources, but primarily, of course, from Microsoft help documentation available at different times, in different forms and file formats. If you need … Continue reading →

Okay, okay, yup, it is a series now. Part two is here! Browsing available Ubuntu apps one can find a lot of interesting software. One of them is kchmviewer. Its purpose is to view CHM files – outdated, but still … Continue reading →

Update After I posted it, @netspooky pinged me with some additional info. Apparently, this technique is known since at least 2019 and was demoed by @zer0pwn first. This blog post from MCG describes various offensive techniques focused on .desktop and … Continue reading →

Back in a day (90s/2000s), if you wanted an email, there were lots of (free) email providers available. With a minimum of effort one could sign up to as many free email services available at that time as possible. No … Continue reading →

There is a lot talk about whoami.exe recently, so here’s one more post about it… When we talk about whoami.exe we often think of it in ‘atomic’ terms. You run it, and you get the results. But by doing so … Continue reading →

I love exploring unexplored software paths. And not necessarily on the assembly level – and that’s because often… it’s not even necessary. They often lead me to some really weird places f.ex. discovering a software that reads a memory address … Continue reading →

Update Don’t read the old post. It’s a result of an experiment and the experiment failed 🙂 Thanks to _BradleyVX who pointed out the hallucinations that sneaked in to the below list. Don’t do AI at home, kids! If you … Continue reading →

Here’s an old-school file name-based research… it is not game changing, it won’t bring any immediate solution, but it’s still worth doing today… The software we install (focus here is on Windows, as usual) creates a loooot of files, and … Continue reading →

Inspired by Phill Moore’s new project called Ruler, I combed my collection of all old HijackThis logs (that I web scraped a long time ago) looking for paths that may be associated with security software. Unlike Phill’s, the resulting data … Continue reading →

‘Blade Runner’ – the cult classic movie – teaches us that the (non-)human traits/behaviors can be detected with a so-called Voight-Kampff test. This post is about discussing (not designing yet) a similar test for our threat hunting purposes… The key … Continue reading →

If you’ve been reading my blog for a while now you will know that I love to challenge my threat hunting game with a lot of err…. banalities. And not the banalities I can ignore, but a lot of these … Continue reading →

Over a decade ago I posted some random copyright banner stats from my (relatively small by today’s standards) malware repo. I really liked these stats back then and I still like them today. Why? These banners are great ‘low hanging … Continue reading →

Many Windows tools support commands f.ex.: We are very used to their invocations in a form of tool command but there is an alternative way to invoke them by using quotes around these commands f.ex.: This breaks many hard-coded detections. … Continue reading →

The little known secret of regsvr32.exe is… You ready? You can load multiple DLLs at the same time. Yup. And not just one extra, but many. Let’s have a look at an example: regsvr32.exe c:\WINDOWS\system32\hhctrl.ocx foo will first load c:\WINDOWS\system32\hhctrl.ocx … Continue reading →

When you execute 32-bit version of runonce.exe on a 64-bit version of Windows and pass to it the /RunOnceEx6432 argument you will make the program load iernonce.dll library and execute its RunOnceExProcess API… Since the iernonce.dll library is loaded using … Continue reading →

There is an archaic feature that regsvr32.exe leverages to autoregister libraries associated with file extensions. For this to work, it expects an AutoRegister key to be present under the file extension handler with a default value pointing to the library … Continue reading →

In the past I wrote a few times about the side-effect of having 2 binaries named the same way and residing in respective System32 and SysWOW64 directories. Regsvr32.exe is not different. If you run a 32-bit Regsvr32.exe with a command … Continue reading →