July 4, 2012 in Forensic Riddles
Most Windows APIs that accept string parameters are documented on MSDN as FooBar, and if they come in ANSI and Unicode versions these are named FooBarA and FooBarW, e.g. CreateFile points to CreateFileA for ANSI and CreateFileW for Unicode (Wide).
Are there any functions out there that do not follow this pattern, that deviate slightly from it, or that perhaps extend it?
April 27, 2012 in Forensic Riddles
It’s been a while since I posted a riddle, so here is a new one – this should be an easy one:
Two different Windows executables have been executed on the same version of Windows and under identical (ideal) conditions. Dynamic analysis showed that each of them produces completely different artefacts on the test system, but in-depth code analysis showed that they have identical source code. What files are these?
February 15, 2012 in Forensic Riddles
This should be a trivial one, but hopefully it’s interesting nevertheless.
Question: what happened here?
February 5, 2012 in Forensic Riddles
This is the 4th and the last time, until I come up with, or find out about (send me your ideas!), other ways of doing so.
Question is the same: what happened here?
- No malware
- No Unicode
- No case-sensitive file-names
- No blank characters
February 1, 2012 in Forensic Riddles
This is the 3rd time.
Question is the same: what happened here? No malware, no Unicode, no case-sensitive file-names:
January 26, 2012 in Forensic Riddles
This is the second part of the riddle – this time there are no Unicode characters, no GUI attacks, nothing malicious.
Question: What happened here?
January 21, 2012 in Forensic Riddles
This is a riddle with multiple answers – some are super trivial, some are probably not and actually raise interesting questions about Windows. We will explore some of them one by one.
Question: What happened here?
January 13, 2012 in Forensic Riddles
Malware often uses one of these 3 APIs to launch new processes:
- ShellExecute (Ansi and Wide versions)
- CreateProcess (Ansi and Wide versions + all CreateProcess* family e.g. CreateProcessInternal, CreateProcessAsUser, etc.)
There is at least one more API function that could also be used to launch executables. What is its name?
Have a good weekend!
December 30, 2011 in Forensic Riddles
Many Microsoft articles say that modifying certain registry keys requires the computer to be restarted for the changes to take effect.
Question: Why? And why are these changes sometimes picked up immediately (i.e. without a restart)?
Have a good weekend and Happy New Year 2012!
December 23, 2011 in Forensic Riddles
Many malware authors use external .bat/.cmd files to delete the .exe dropper, because it is non-trivial to self-delete while the malware is still running. In the past it was possible to use Gary Nebbett’s famous self-deleting executable trick and it worked for Windows NT and Windows 2000. However, it doesn’t work under newer versions of Windows.
Is it possible to create a self-deleting executable for newer versions of Windows?