Lightnews — Scholar-powered news

Hexacorn

@hexacorn.bsky.social

1.7K followers 280 following 190 posts

Red Brain, Blue Fingers Malware Analysis, Reverse Engineering, Threat Hunting, Detection Engineering, DFIR, Security Research, Programming, Curiosities, Software Archaeology, Puzzles, Bad dad jokes https://www.hexacorn.com/blog/ [email protected]

www.hexacorn.com

Posts Media Videos Starter Packs

Hexacorn @hexacorn.bsky.social · 15h

www.nist.gov/itl/ssd/soft...

www.hexacorn.com/blog/categor...

GoodWare | Hexacorn

www.hexacorn.com

Hexacorn @hexacorn.bsky.social · 2d

> DLL_PROCESS_VERIFIER_TABLE

ah, that's the one!

and yeah, that's where I saw it and got curious

thanks!

Hexacorn @hexacorn.bsky.social · 3d

@sixtyvividtails.bsky.social any idea what fdwReason=5 stands for? you can find it inside verifier.dll / AVrfpMiniLoadAttach call - lots of LdrQueryImageFileKeyOption checks

Hexacorn @hexacorn.bsky.social · 3d

ntprint.exe lolbin

www.hexacorn.com/blog/2025/10...

2 6

Reposted by Hexacorn

sixtyvividtails @sixtyvividtails.bsky.social · 4d

Close your eyes and ✨imagine:

From a low-integrity process (from LPAC even), you can inject your data anywhere you want:
privileged tasks, PPL/protected processes, the OS kernel itself, and VTL1 trustlets.

Now open your eyes. It is not hypothetical.
It is the reality. Read it on page 33.

Paged Out! @pagedout.bsky.social · 4d

pagedout.institute ← we've just released Paged Out! zine Issue #7
pagedout.institute/download/Pag... ← direct link
lulu.com/search?page=... ← prints for zine collectors
pagedout.institute/download/Pag... ← issue wallpaper
Enjoy!

Please please please share to spread the news - thank you!

5 6

Hexacorn @hexacorn.bsky.social · 4d

Using .LNK files as lolbins

www.hexacorn.com/blog/2025/10...

1 3 7

Hexacorn @hexacorn.bsky.social · 17d

sounds like you have a reverse Prisencolinensinainciusol moment :)

1 1

Hexacorn @hexacorn.bsky.social · 18d

have to keep them to myself, so can write a few more posts about it to milk this potentially fertile subject :-P

Hexacorn @hexacorn.bsky.social · 19d

RunDll Exporters

www.hexacorn.com/blog/2025/09...

1 2 8

Hexacorn @hexacorn.bsky.social · 19d

Enter Sandbox 30: Static Analysis gone wrong

www.hexacorn.com/blog/2025/09...

2 6

Hexacorn @hexacorn.bsky.social · Sep 8

Beyond good ol’ Run key, Part 151

www.hexacorn.com/blog/2025/09...

2 3

Hexacorn @hexacorn.bsky.social · Sep 3

DLL ForwardSideloading, Part 2

www.hexacorn.com/blog/2025/09...

1 2 9

Hexacorn @hexacorn.bsky.social · Aug 20

no idea :(
but it does include this:

Hexacorn @hexacorn.bsky.social · Aug 20

found one unsigned from Reaqltek

www.virustotal.com/gui/file/011...

testker -> kerberos.Spinitialize

1 2

Hexacorn @hexacorn.bsky.social · Aug 20

haha right? and I want to know, for sure!

Hexacorn @hexacorn.bsky.social · Aug 19

DLL ForwardSideloading

www.hexacorn.com/blog/2025/08...

using forwarded DLL functions for sideloading purposes

1 5 11

Hexacorn @hexacorn.bsky.social · Aug 17

Beyond good ol’ Run key, Part 150

www.hexacorn.com/blog/2025/08...

1 2 7

Hexacorn @hexacorn.bsky.social · Aug 16

very creative!

Hexacorn @hexacorn.bsky.social · Aug 14

Life of a blogger

1 1

Reposted by Hexacorn

Volexity @volexity.com · Aug 11

@volexity.com has released updates to its #opensource GoResolver project and more! This work was part of a project for one of our #summerinternship students. Read more details about Volexity’s updated GoResolver projects + other #golang tools in our special blog post!

Go Get 'Em: Updates to Volexity Golang Tooling

Volexity’s GoResolver tool was released in April 2025 to help with analysis of these samples, reducing analyst load when working with obfuscated Golang binaries. However, there are still some difficul...

www.volexity.com

1 10 10

Reposted by Hexacorn

Olaf Hartong @olafhartong.nl · Aug 6

During my #BHUSA talk I've released many ETW research tools, of which the most notable is BamboozlEDR. This tool allows you to inject events into ETW, allowing you to generate fake alerts and blind EDRs.

github.com/olafhartong/...

Slides available here:
github.com/olafhartong/...

GitHub - olafhartong/BamboozlEDR: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes.

A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. - olafhartong/BamboozlEDR

github.com

15 24

Hexacorn @hexacorn.bsky.social · Jul 24

feels like security research -- ideas, hypothesis, lots of digging in code, only to find out it's impossible due to some unforeseen conditions blocking the execution path we hoped to exploit; or gathering large data set (TBs) hoping to find something cool, only to discover it's very uninteresting

Hexacorn @hexacorn.bsky.social · Jul 19

I bert they are just throwing some nuanced Rust references at you :)

Hexacorn @hexacorn.bsky.social · Jul 14

CVE-2005-4560 and Windows Macros + all exploit packs roll in their graves when they see ClickFix and FileFix...