Research Archive
Full Index
Sort the full archive by date or title, filter it by tag, and keep the broader shape of the work in view while you search for a specific note.
Sorted by latest first. Showing 1-9 of 47.
Process Anatomy
windows processes
An in-depth look at Fondue.EXE, CLI options, the "rude app" checks, the handoff to APPWIZ.CPL and a bit of DLL side-loading.
Field Notes
other
An RE deep dive into why Microsoft Defender can create an svchost.exe process without the usual service-host command-line flags.
A deep dive into dllhost.exe and how it works.
Living off the Land
lolbins
A look at how DISM's sandbox path can be combined with the provider loader to redirect provider DLL loading from a copied DISM directory.
Notes from reversing DismHost.exe, the out-of-process COM host used by DISM image sessions.
Source code analysis of the Windows Terminal delegation chain and how the per-user DelegationConsole and DelegationTerminal values can be abused to start a custom console through the normal default terminal handoff flow.
Exploring the SensorLogonTask.exe utility, its functionality, and how it can be used as some sort of Living off the Land Binary (LOLBin), if you can call it that.
An exploration of the `calc.exe` binary, its relationship with `Win32Calc.exe` and `CalculatorApp.exe`, and how it serves as a launcher for the modern Calculator app on Windows.
A list of commonly abused COM objects that can be instantiated and manipulated using PowerShell for malicious purposes, along with examples of how they can be used in attack scenarios.