unSafe.sh - Unsafe
Using Guids to guide the ID of samples’ capabilities or unique (attributable) properties…
A few days ago Karsten asked me what tool did I use for GUID extraction. I replied that it was m...
2024-10-03 07:08:05 | Reads: 4 | Hexacorn - www.hexacorn.com
Tags: guids, cwindows, csecurity, windows
Rundll32 goes to hell…
Parsing command line invocations is fun, because it’s impossible to do it right (all the ti...
2024-09-22 06:43:06 | Reads: 20 | Hexacorn - www.hexacorn.com
Tags: rundll32, invocations, foobar, regexes, 666
Dexray v2.34
I have updated the code to fix a few bugs that Роман Д. pointed out. Thank you Роман! Do...
2024-09-21 05:21:42 | Reads: 4 | Hexacorn - www.hexacorn.com
Tags: Роман, pointed, download
The delayed import-table phantomDLL opportunities
Many native OS PE files still rely on delayed imports. When APIs imported this way are called fo...
2024-09-15 05:31:05 | Reads: 7 | Hexacorn - www.hexacorn.com
Tags: delayed, 89ab, imports
Rundll32.exe bomb
This is a silly example of a basic mistake leading to a funny discovery…When I was expe...
2024-09-12 06:08:46 | Reads: 8 | Hexacorn - www.hexacorn.com
Tags: rundll32, uxlib, syswow64, wdsutil, phantom
This post is totally Iconic
Over 6 years ago I decided to pursue yet another silly idea: extract all the unique .ico fi...
2024-09-08 06:32:22 | Reads: 12 | Hexacorn - www.hexacorn.com
Tags: iconic, 667, square, sad, pursue
The art of underDLLoading
In my previous post I created a posh artisan .exe file ornamented with a large number of intrica...
2024-09-07 06:46:24 | Reads: 7 | Hexacorn - www.hexacorn.com
Tags: windows, fondue, directplay, dialog
The art of overDLLoading
Some time ago I came up with a silly idea: I’d like to build an executable that statically...
2024-09-06 07:05:25 | Reads: 20 | Hexacorn - www.hexacorn.com
Tags: windows, python, fasm, sensical, caveat
Technical debt of C:\Windows\System path
Thanks to @sixtyvividtails who corrected a mistake I made in the earlier version of the pos...
2024-09-06 05:09:13 | Reads: 12 | Hexacorn - www.hexacorn.com
Tags: windows, searched, maintains, procmon, loaded
Rundll32 and Phantom DLL lolbins, 32-bit version
As I have shown in the last post, there exists a class of DLLs on Windows OS that load othe...
2024-09-05 05:00:46 | Reads: 9 | Hexacorn - www.hexacorn.com
Tags: windows, 22h2, imports, payload, essence
Rundll32 and Phantom DLL lolbins
This may be a new, kinda ephemeral addition to the lolbin world (not sure if anyone covere...
2024-09-04 05:23:10 | Reads: 20 | Hexacorn - www.hexacorn.com
Tags: windows, rundll32, updateapi, tssrvlic, ducsps
Enter Sandbox 29: The subtle art of reversing persuasion – pushing samples to run…
Every once in a while you will run into samples that themselves do not run. Some use anti- te...
2024-08-14 07:15:15 | Reads: 15 | Hexacorn - www.hexacorn.com
Tags: library, ordinal, windows, rsrc, comctl32
Counting the API arguments…
Today Matt posted a half-joking twit about the acceptable number of arguments that can be p...
2024-08-08 05:59:28 | Reads: 9 | Hexacorn - www.hexacorn.com
Tags: candidate, descending, acceptable, microsoft, merging
The value-proposition of building and maintaining an internal Threat Hunting team…
The IT/cyber Buy vs. Build discussions often focus on, and present the issue at hand as a zerosu...
2024-08-03 07:10:38 | Reads: 4 | Hexacorn - www.hexacorn.com
Tags: roi, asset, security, processes, feeds
High Fidelity detections are Low Fidelity detections, until proven otherwise, Part 2
In my last post I looked at ‘good’ file names. Today I will look at them again. Sort of…...
2024-08-02 06:29:34 | Reads: 4 | Hexacorn - www.hexacorn.com
Tags: windows, winload, dirty, evan, crime
High Fidelity detections are Low Fidelity detections, until proven otherwise
A few days ago Nas kicked off an interesting discussion on Xitter about detections’ quality. I l...
2024-07-14 08:08:16 | Reads: 9 | Hexacorn - www.hexacorn.com
Tags: kicked, decompiled, software, illustrate, stupid
Writing a Frida-based VBS API monitor, Take two
In my previous post I introduced a simple VBS API Monitor developed using Frida framework....
2024-07-08 02:34:33 | Reads: 11 | Hexacorn - www.hexacorn.com
Tags: windows, realized, naive, memory, pointed
Writing a Frida-based VBS API monitor
I love experimenting with Frida and I have presented a few different API Monitoring prototypes b...
2024-07-07 08:04:13 | Reads: 6 | Hexacorn - www.hexacorn.com
Tags: msgbox, vbscript, cscript, windows, dispatcher
Enter Sandbox 28: Automated access primitives extraction
In my previous post about TI I hinted that malware sample sandboxing (f.ex. extracting configs,...
2024-06-23 07:25:53 | Reads: 12 | Hexacorn - www.hexacorn.com
Tags: intercepted, sandboxing, hardcoded, families, sitting
Couple of Splunk/SPL Gotchas, Part 2
It’s been nearly 5 years since I dropped this old post about Splunk Gotchas. Okay, in fairness,...
2024-06-16 07:47:59 | Reads: 11 | Hexacorn - www.hexacorn.com
Tags: gotcha, spl, indexes, invocations, octets