Hexacorn Ltd

Not installing the installers, part 2

By: adam
In the last post I described how we can pull some interesting metadata from decompiled installers. Today I want to discuss one practical example of how this data can enrich […]

Not installing the installers

By: adam
Looking at installers of goodware is quite boring. They do the right thing, at least most of the time, and there is not much to see there. However, if you […]

Hijacking HijackThis

By: adam
Long before endpoint event logging became the norm it was incredibly difficult to collect information about popular processes, services, paths, CLSIDs, etc. Antivirus companies, and later sandbox companies, had tons […]

Infosec Salaries – the myth and the reality

By: adam
Update 3 If you want to know more about salaries at FAANG and all over the world look at the following resources: levels.fyi h1bdata.info https://docs.google.com/spreadsheets/d/1TWvPQalmwl1sIS3n2eOU4KST4oJwcxtSfT8lMo9IgVM/edit https://twitter.com/LadyCyberRosie/status/1490695657249816583 Update 2 tl; dr; […]

The Anti-VM trick that is kinda… personal

By: adam
I have written a lot about anti-VM tricks, and while this topic is so worn out that it almost feels like kicking a dead horse, I felt there is still a […]

Good file… (What is it good for) Part 3

By: adam
We have our sampleset. We have our metadata. What’s next? You can very quickly script searches that will look for specific files, or their properties. I mentioned section names, PDB […]

Good file… (What is it good for) Part 2

By: adam
This series talks about ‘good’ files. That is, files (samples) produced by reputable vendors, often signed, and hopefully not compromised by stolen certificates, vulnerabilities, supply-chain attacks or bothered by other […]

Good file… (What is it good for) Part 1

By: adam
Most (anti-)malware researchers focus on malware samples, because… it’s only natural in this line of work. For a while now I have been trying to focus on the opposite – […]

Delphi API monitoring with Frida, Part 3

By: adam
In part 1 and part 2 we looked at individual APIs and I hinted we can automate generation of handlers. Today we will do exactly that. The attached python code […]

Delphi API monitoring with Frida, Part 2

By: adam
In my previous post I demoed a simple example of a Frida-based Delphi API monitor. Let’s look at one more example — this time the strings are stored in a […]

Analysing NSRL data set for fun and because… curious, Part 2

By: adam
This is the second post discussing what we can find inside the NSRL data set. At this stage we know it’s not only file hashes, but also sections of executables […]

Analysing NSRL data set for fun and because… curious

By: adam
Last year I took a very quick look at the NSRL hash set. Being the de facto gold standard of good hashes, I was curious what sort of data is actually included […]

Delphi API monitoring with Frida

By: adam
This is just a simple proof of concept that can be extended to build a full-blown Delphi API Monitor. Delphi lives in its own API ecosystem. Reversing Delphi applications requires […]

Dexray v2.32

By: adam
I was recently contacted by Oskar who had a problem decrypting Defender for Mac Quarantine files. After quick investigations we discovered that the encrypted file doesn’t really conform to any […]

Beyond good ol’ Run key, Part 138

By: adam
This is a post that should have appeared here at least 10 years ago. There is an enigmatic Registry entry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension\PeerdistDllName=peerdist.dll that I came across many times before. The […]

Beyond good ol’ Run key, Part 137

By: adam
This is a neat persistence trick you can use… if you got access to TrustedInstaller… The wininet.dll library in Windows 10+ extends the functionality of InternetErrorDlg function to reach out […]

Yara Carpet Bomber, Part 2

By: adam
Steve asked about the use cases for the Yara Carpet Bomber approach, and in this Twitter convo I provided 2 examples of quick & dirty Yara rules that help to find […]

Beyond good ol’ Run key, Part 136

By: adam
I love Office-based persistence mechanisms, because there is always… one more to discover 🙂 Take your Winword.exe from Office 2021 or Office 365. When it loads, it checks if the […]

Yara Carpet Bomber

By: adam
A lot of people are sharing their Yara creations (look for the #100DaysofYARA tag on Twitter), so I thought I would share a bit too. This is a very unusual way […]