RSS Security

Hexacorn Ltd

Wine tasting, again

By: adam
In my old post I have listed a number of wine functions that are exported in that environment and are not present in Windows libraries. 5 years later I decided […]

KillBit legacy – in search for ActiveX Lolbins

By: adam
ActiveX is dead. Unless used outside of the browser, locally, lolbin-ically. Back in the day companies loved to implement extra functionality for the web via their own ActiveX controls and […]

Shopping for LOLbins

By: adam
In this Twit that I posted a few weeks ago I demoed how to use older versions of Photoshop and Illustrator to execute calculator via their internal scripting engine that […]

A story about Procmon (no, not that one – its misbehaving client)

By: adam
We all love Process Monitor, but what we love even more are its undocumented features. Checking the program’s accepted command line arguments we can quickly discover that it can be called […]

Excellent Conversions (and downloads)

By: adam
This one was on a back burner for a while too. C:\Program Files*\Microsoft Office\root\Office*\excelcnv.exe is a program that helps to convert various documents to XLSX format. While playing around with […]

BYOT – Bring Your Own Telemetry

By: adam
Research is a funny business. You look at some stuff, you conclude it’s impossible, and then… you forget about it. So you think. It gets stuck in your head… somewhere… […]

Beyond good ol’ Run key, Part 134

By: adam
This one is for historical reasons, primarily. Old Adobe Photoshop/ImageReady used to have a feature called “Jump to” which is neatly described here. The feature was implemented via a simple […]

Non-debugging uses of CDB

By: adam
Catching up with another tweet from 3 months ago. VMWare Workstation installs cdb.exe debugger for you – you can play around with its features if you happen to find it […]

Debug Environment Variable are \o/

By: adam
Looking at the list of debug environment variables one can immediately spot a lot of room for abuse. One can hypothesize that setting e.g. _NT_SYMBOL_PATH, _NT_ALT_SYMBOL_PATH, _NT_SYMBOL_PROXY, SRCSRV_INI_FILE to point […]

SleepStudy logs

By: adam
Update After I posted it, Bryan linked to this article which explains how to generate SleepStudy report. Thx! Old Post A few days ago I came across ETL logs I […]

Cur\o/bin

By: adam
This post wraps up another Twitter thread I started a few days ago: If you ever get bored using “copy” to copy files you can always use … curl: curl […]

Throwing LOLBIN a tar ball

By: adam
This post summarizes some of the findings I posted on Twitter the other day. While looking at Windows version of tar.exe I discovered that it includes lots of undocumented command […]

Gup \o/ bin

By: adam
Notepad ++ comes with a built-in Updater called GUP typically located here: c:\Program Files (x86)\Notepad++\updater\GUP.exe It is a generic downloader that accepts a range of command line arguments, and while […]

FTP.EXE Lolbin v2

By: adam
@0gtweet’s tweet inspired me to look at lolbin stuff again (as it is often the case). So… everyone knows we can use ftp.exe as a lolbin and using COMSPEC trick […]

Playing CAPAeira with Yara rules

By: adam
Writing Yara rules is easy. Writing good Yara rules is … testing – both as an adjective and a verb. There is a class of Yara rules – the one […]

Yara & maldoc pics

By: adam
Update It took only a few minutes for @0xkyle to point me to Halogen project. Nice one! Old post This is a little trick that you may find handy for […]

ELF sections stats

By: adam
If you follow my blog you may know that I have dedicated a lot of time building a very comprehensive list of PE Sections. Today I realized that I never […]

Beyond good ol’ Run key, Part 133

By: adam
Java programs compiled into executable form using launch4j have a few interesting features that make them a good target for both persistence and LOLBIN-ish activities. When the executable starts it […]

Event ID 7039 – out…pid a pid

By: adam
This event is not very well explained on the internet, so I took the liberty of describing it below: The event message is as follows: A service process other than […]