Channel: adam – Hexacorn
Browsing all 62 articles

This post is totally Iconic

Over 6 years ago I decided to pursue yet another silly idea: extract all the unique .ico files from PE resources from as many samples as I can. This exercise yielded ~450K unique .ico files. If I...

Rundll32.exe bomb

Update: Turns out @sixtyvividtails has already discovered the very same issue via a minimalist PE file back in June. Touché! Old Post: This is a silly example of a basic mistake leading to a funny...

The delayed import-table phantomDLL opportunities

Many native OS PE files still rely on delayed imports. When APIs imported this way are called for the first time, a so-called delay load helper function is executed first – it loads the actual delayed...

Dexray v2.34

I have updated the code to fix a few bugs that Роман Д. pointed out. Thank you Роман! Download the latest version here.

Rundll32 goes to hell…

Parsing command line invocations is fun, because it’s impossible to do it right (all the time). Imagine a test DLL that exports a function called foobar. We place this DLL in the c:\test directory and name...

Using Guids to guide the ID of samples’ capabilities or unique (attributable)...

A few days ago Karsten asked me what tool I used for GUID extraction. I replied that it was my own old tool written waaaay before yara’s birth. In this post I will elaborate on this bit a bit… …...

The Sweet16 – the oldbin lolbin called setup16.exe

I don’t even know how to start. I wrote about old InstallShield setup before, and today’s topic is very similar – the old, yet still present setup file residing (on Win10, 11) in the following...

advpack.dll and IEAdvpack.dll logging capability

There is a very old hack out there that enables logging for the advpack.dll and IEAdvpack.dll DLLs. Many of their functions include the logging, so enabling this may help to pick up some old-school...

Beyond good ol’ Run key, Part 143

This entry is a bit convoluted, but it’s still quite interesting. I have discovered it today only to google around and find out someone posted the info about it back in 2013. So, I will describe what...

Installing latest Ghidra w/o installing it

Today I wanted to upgrade my Ghidra setup so I downloaded its latest version. Now, I really don’t like running installers in general, because they clutter the system and the Registry, so I was nicely...

Going reverse on reversing tools…

One of the oldest and most popular reversing tools is IDA Pro (usually bundled with its multiple decompilers & plug-ins). Over the years, the creators of this tool introduced a lot of substantial...

Some notes on Windows 11 Notepad

The new Win11 version of Notepad accepts a few command line options that I have not seen documented anywhere (or only documented partially). So analyzing this key and its children may have some DFIR...

Procmonning the Win11_24H2 build

This is a bunch of random notes from running Procmon on the Win11_24H2 build. We all know about autorun.inf that the OS checks when we attach a new device to the system, but on new devices the system is...

Beating the dead horse, only to inject it some more…

The Windows shatter attack is so old that it’s time for someone to reinvent it. This someone could be me. While looking at wscadminui.exe I noticed that it expects 2 arguments: the first one is a...

The different type of relocation aka Moving between countries in practice 1/n

I originally wrote this bit in 2016 and posted it on my (now no longer existing) personal blog. Over the last 2 decades my wife and I moved quite often, pursuing a better life, adventure, and most...

Beyond good ol’ Run key, Part 144

Acrobat Reader is very popular software installed on millions of computers worldwide. Today I noticed that anytime the AcroRd32.exe program starts (tested with the latest version 24.4) it checks the...

AdobeFips – Adobe Reader Lolbin

Sometimes ‘research’ means browsing the folders of the ‘installed’ target and… just executing programs present inside these directories to see what they do. During this very engaging and fascinating...

How to debug Windows service processes in the most old-school possible way…

Debugging Service Processes on Windows is a bit tricky – the old IFO / Debugger trick doesn’t work anymore, because services run in their own session. Also, when you attempt to debug a service process...

Portability of old Windows programs…

Many people believe that native Windows programs are so deeply integrated with the OS that there is no way to move them between different OS versions. And it’s fair to say that at first this belief...

Browsing the browsers

This is a weird post; it doesn’t give many answers and it pretty much focuses on describing the results of a simple task of data hoarding… When people think of a ‘browser’ they usually think of a software...
