Hexacorn
@hexacorn.bsky.social
Red Brain, Blue Fingers

Malware Analysis, Reverse Engineering, Threat Hunting, Detection Engineering, DFIR, Security Research, Programming, Curiosities, Software Archaeology, Puzzles, Bad dad jokes

https://www.hexacorn.com/blog/
Reposted by Hexacorn
Just saw an extended version
November 20, 2025 at 11:26 PM
Reposted by Hexacorn
Random experiment to see if cheating in school could be stopped by designing math problems for children that AI will refuse to handle. Results are mixed.
November 21, 2025 at 1:43 AM
less known way to calculate sha256 of files on Windows

disksnapshot -c -k -v c:\test

will print out file info including sha256 for every file in the directory
November 14, 2025 at 7:35 PM
Reposted by Hexacorn
Just when you think you know your way around Linux... binfmt_misc: Hold my beer.

dfir.ch/posts/today_...
Today I learned: binfmt_misc | dfir.ch
Technical blog by Stephan Berger (@malmoeb)
dfir.ch
October 30, 2025 at 11:43 AM
'One Battle After Another' and 'Frankenstein' brought my wife and me back to the cinema in recent weeks, and it was totally worth it. Nothing beats the experience of a full immersion that only cinema can deliver. It helps that both movies are long.
November 1, 2025 at 8:01 PM
China Domain Name Scammers target Hexacorn

www.hexacorn.com/blog/2025/10...
October 20, 2025 at 9:40 PM
1 little known secret of help.exe

www.hexacorn.com/blog/2025/10...
October 19, 2025 at 1:13 AM
1 little known secret of nslookup.exe, part 2

www.hexacorn.com/blog/2025/10...
October 19, 2025 at 12:43 AM
1 little known secret of wsreset.exe

www.hexacorn.com/blog/2025/10...
October 18, 2025 at 11:58 PM
October 17, 2025 at 10:12 PM
@sixtyvividtails.bsky.social any idea what fdwReason=5 stands for? You can find it inside verifier.dll / AVrfpMiniLoadAttach call - lots of LdrQueryImageFileKeyOption checks.
October 6, 2025 at 12:32 AM
October 6, 2025 at 12:25 AM
Reposted by Hexacorn
Close your eyes and ✨imagine:

From a low-integrity process (from LPAC even), you can inject your data anywhere you want:
privileged tasks, PPL/protected processes, the OS kernel itself, and VTL1 trustlets.

Now open your eyes. It is not hypothetical.
It is the reality. Read it on page 33.
pagedout.institute ← we've just released Paged Out! zine Issue #7
pagedout.institute/download/Pag... ← direct link
lulu.com/search?page=... ← prints for zine collectors
pagedout.institute/download/Pag... ← issue wallpaper
Enjoy!

Please please please share to spread the news - thank you!
October 5, 2025 at 12:14 AM
Using .LNK files as lolbins

www.hexacorn.com/blog/2025/10...
October 4, 2025 at 9:00 PM
September 19, 2025 at 11:14 PM
Enter Sandbox 30: Static Analysis gone wrong

www.hexacorn.com/blog/2025/09...
September 19, 2025 at 10:19 PM
Beyond good ol’ Run key, Part 151

www.hexacorn.com/blog/2025/09...
September 8, 2025 at 11:46 PM
DLL ForwardSideloading, Part 2

www.hexacorn.com/blog/2025/09...
September 3, 2025 at 11:36 PM
DLL ForwardSideloading

www.hexacorn.com/blog/2025/08...

using forwarded DLL functions for sideloading purposes
August 19, 2025 at 10:32 PM
Beyond good ol’ Run key, Part 150

www.hexacorn.com/blog/2025/08...
August 17, 2025 at 12:09 AM
Life of a blogger
August 14, 2025 at 1:50 PM
Reposted by Hexacorn
@volexity.com has released updates to its #opensource GoResolver project and more! This work was part of a project for one of our #summerinternship students. Read more details about Volexity’s updated GoResolver projects + other #golang tools in our special blog post!
Go Get 'Em: Updates to Volexity Golang Tooling
Volexity’s GoResolver tool was released in April 2025 to help with analysis of these samples, reducing analyst load when working with obfuscated Golang binaries. However, there are still some difficul...
www.volexity.com
August 11, 2025 at 7:05 PM
Reposted by Hexacorn
During my #BHUSA talk I've released many ETW research tools, of which the most notable is BamboozlEDR. This tool allows you to inject events into ETW, allowing you to generate fake alerts and blind EDRs.

github.com/olafhartong/...

Slides available here:
github.com/olafhartong/...
GitHub - olafhartong/BamboozlEDR: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes.
A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. - olafhartong/BamboozlEDR
github.com
August 6, 2025 at 8:49 PM
CVE-2005-4560 and Windows Macros + all exploit packs roll in their graves when they see ClickFix and FileFix...
July 14, 2025 at 7:35 PM