Introducing alternative strings and a tool of true tools

February 17, 2017 in Silly

Business is a world of words. Politics is a world of nuances. The very same principle applies to data analysis – strings are readable, and alternative strings are readable alternatively. Since alternative strings have never received any attention, I am introducing a new script that aims to fix this.

The alt-strings.pl script is written in Perl and is very simple to use. All you need to do is run it with the following syntax:

  • perl alt-strings.pl <filename>

The resulting output is very easy to interpret – here are two examples:

  • Running the script on its own source code shows a number of neglected blank characters:

  • Running the script on calc.exe – note the ‘frozen’ color of the window, which indicates that the next-gen AI algorithm is broadcasting bells and other weird characters to the user, making the analysis great again.

Beyond good ol’ Run key, Part 59

January 29, 2017 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

In my last post I talked about Bluetooth. I have had mixed luck testing anything related to this technology…

You see, there is one more potential persistence mechanism associated with Bluetooth which I was unable to test successfully. Despite my efforts it didn’t work, but this is probably because I don’t have a proper setup. Perhaps people owning a laptop with Windows 8 on it (and not Windows 8.1 or newer) could give it a go… It is another documented feature of Windows, so it should work.

So… there is a thing called ‘Bluetooth Software Radio Switch Function Prototypes’ described on the Microsoft page here.

Adding the entry

  • HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Radio Support\SupportDLL = Path to DLL

should allow vendors to register a DLL that will handle requests to switch the Bluetooth radio on or off.

The Microsoft page links to another page describing sample source code that shows programmers how to build their own supporting DLL. The funny thing is that the demo code uses a different key (BthServ instead of the BTHPORT service) than the previous page, and a Unicode path instead of the ANSI path given in the documentation. Searching for strings within the c:\windows directory, I could find references to BTHPORT\Parameters\Radio Support and not to BthServ\Parameters\Radio Support, so the documentation is probably okay, and the demo is not.
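As an added triage check (this is not part of the original post, nor Microsoft’s sample code), the PowerShell below reports whether a SupportDLL value is registered under either the documented BTHPORT key or the BthServ variant used by the sample, and, when the value points at a file that exists, prints that file’s SHA256, Authenticode status and last-write time. It assumes it runs in an elevated PowerShell on the live system, and the two service names are the only keys it knows about.

```powershell
# Added triage check (not from the original post): look for a SupportDLL value
# under the Bluetooth "Radio Support" key, for both the documented BTHPORT
# service key and the BthServ key used by the Microsoft sample code.
# Run from an elevated PowerShell so the whole SYSTEM hive is readable.

$services = @('BTHPORT', 'BthServ')   # documented key, then the sample-code key

foreach ($svc in $services) {
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters\Radio Support"

    if (-not (Test-Path -Path $keyPath)) {
        Write-Output "[-] $keyPath : key absent (normal on a clean system)"
        continue
    }

    $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    $dll   = $props.SupportDLL

    if (-not $dll) {
        Write-Output "[-] $keyPath : key present, but no SupportDLL value"
        continue
    }

    Write-Output "[!] $keyPath : SupportDLL = $dll"

    # Expand %SystemRoot%-style variables before looking for the file on disk
    # (Get-ItemProperty already expands REG_EXPAND_SZ; this covers REG_SZ too).
    $resolved = [Environment]::ExpandEnvironmentVariables($dll)

    if (Test-Path -Path $resolved -PathType Leaf) {
        $sig  = Get-AuthenticodeSignature -FilePath $resolved
        $hash = (Get-FileHash -Path $resolved -Algorithm SHA256).Hash
        $item = Get-Item -Path $resolved
        Write-Output "    exists    : yes"
        Write-Output "    SHA256    : $hash"
        Write-Output "    signature : $($sig.Status) $($sig.SignerCertificate.Subject)"
        Write-Output "    modified  : $($item.LastWriteTimeUtc.ToString('u'))"
    } else {
        # A dangling path is still interesting: the value may have been planted
        # before the DLL landed, or the DLL may have been removed after use.
        Write-Output "    exists    : NO (dangling path)"
    }
}
```

On a clean box both keys are normally absent, so any SupportDLL value at all deserves a look, an unsigned or recently modified DLL more so. For an offline image, load the SYSTEM hive with reg load and point $keyPath at the mounted hive (and at ControlSet001/ControlSet002 rather than CurrentControlSet, which only exists on a running system).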

Well, in any case, it should work.