unSafe.sh - Unsafe
Smuggling payloads and tools in, using WIM images
We often hear of attackers bringing in their payloads via virtual drive images (f.ex. vhd,vhdx)...
2024-12-31 00:20:44 | views: 15 | Hexacorn - www.hexacorn.com
Tags: wim, mounted, lowpart, totalbytes, highpart

WIMMOUNTDATA ADS
In my old post I listed a number of ‘good Alternate Data Streams (ADS)’, and one of them wa...
2024-12-28 23:32:09 | views: 18 | Hexacorn - www.hexacorn.com
Tags: dism, wim, imagefile, 3908

MoNotificationUxStub.exe lolbin
When you run MoNotificationUxStub.exe on Windows Server 2025, it will try to load the follo...
2024-12-27 00:16:22 | views: 22 | Hexacorn - www.hexacorn.com
Tags: windows, library, uus, umpdc

MLEngineStub.exe lolbin
When you run MLEngineStub.exe on Windows 2025, it will try to locate the following non-exis...
2024-12-27 00:07:47 | views: 22 | Hexacorn - www.hexacorn.com
Tags: windows, uus, mlengine, caveat

la57setup.exe & OOBEFodSetup.exe lolbin
When you run la57setup.exe or OOBEFodSetup.exe on Windows Server 2025, they will try to loa...
2024-12-26 23:44:11 | views: 13 | Hexacorn - www.hexacorn.com
Tags: windows, library, dism, la57setup

3 little secrets of netsh.exe
It is typical for many of us to discover ‘the cool thing’, and then quickly move on to research...
2024-12-25 23:15:42 | views: 16 | Hexacorn - www.hexacorn.com
Tags: netsh, scriptfile, aliasfile, lolbin, careful

Windows Server 2025 and MsMpEng.exe
2024-12-22 00:37:54 | views: 25 | Hexacorn - www.hexacorn.com
Tags: windows, defender, repeat, waaaay

Beyond good ol’ Run key, Part 146
I did consider writing about: C:\Windows\System32\WptsExtensions.dll but this phantom...
2024-12-20 13:17:09 | views: 24 | Hexacorn - www.hexacorn.com
Tags: windows, phantom, loaded

Beyond good ol’ Run key, Part 145
Windows Server 2022 launches ctfmon.exe during its start and this process’ DLL dependencies...
2024-12-20 00:46:42 | views: 19 | Hexacorn - www.hexacorn.com
Tags: windows, launches, ctfmon, phantom, library

Windows Server 2022 and MsMpEng.exe
Running Procmon in boot mode is a very powerful research tool. In this short post I want...
2024-12-20 00:28:01 | views: 23 | Hexacorn - www.hexacorn.com
Tags: defender, procmon, windows, clearly, surprised

dns.exe and its quirks
This is not a proper research yet. I just happened to stumble upon an interesting artifact...
2024-12-15 00:21:35 | views: 21 | Hexacorn - www.hexacorn.com
Tags: windows, backup, rfc5011, dnssec, artifact

Promoting a Windows 2022 server to Domain Controller and DNS Server
I asked myself what tangible artifacts present on a file system can immediately tell us tha...
2024-12-11 07:44:34 | views: 21 | Hexacorn - www.hexacorn.com
Tags: experiment, windows, slightly, edited, myself

Not installing the installers, part 4
This old series is not very exciting. Decompiling goodware installation scripts will never...
2024-12-07 08:32:10 | views: 18 | Hexacorn - www.hexacorn.com
Tags: installers, ratio, rtools44, rtools43, ifcexporter

ExecCmd64 lolbin
If you have ASRock Polychrome RGB installed on your system you may find this interesting ex...
2024-12-07 07:01:13 | views: 22 | Hexacorn - www.hexacorn.com
Tags: asrock, execcmd64, aproduct, polychrome, asrrgbled

1 little known secret of ShellExec_RunDLL
The ShellExec_RunDLL API is now exposed by both shell32.dll and windows.storage.dll. It...
2024-11-30 18:40:12 | views: 26 | Hexacorn - www.hexacorn.com
Tags: rundll, shellexec, windows, shell32, fmask

Mapping the API mapping/code redundancy
In my last post I have shown that some of the shell32.dll functions are now mapped to windo...
2024-11-30 03:23:33 | views: 22 | Hexacorn - www.hexacorn.com
Tags: windows, kernelbase, gdi32full, edgehtml, overlapping

Windows.Storage.lol
This is a bit surprising, but the recent versions of windows.storage.dll export a number of...
2024-11-29 06:28:01 | views: 17 | Hexacorn - www.hexacorn.com
Tags: windows, shell32, rundll32, rundll, shellexec

Browsing the browsers
This is a weird post; it doesn’t give many answers and it pretty much focuses on describing results...
2024-11-28 08:00:19 | views: 18 | Hexacorn - www.hexacorn.com
Tags: chrome, opera, coowon, vivaldi, msedge

Portability of old Windows programs…
Many people believe that native Windows programs are so deeply integrated with OS that there is...
2024-11-24 03:02:44 | views: 23 | Hexacorn - www.hexacorn.com
Tags: windows, calculator, revert, sfp, kinda

How to debug Windows service processes in the most old-school possible way…
Debugging Service Processes on Windows is a bit tricky – the old IFO / Debugger trick doesn’t wo...
2024-11-23 18:28:53 | views: 17 | Hexacorn - www.hexacorn.com
Tags: debugger, svc, eb, runaway