Forensic Riddle #12

July 4, 2012 in Forensic Riddles

Most Windows APIs that accept strings as parameters are documented on MSDN under a generic name such as FooBar, and if they have ANSI and Unicode versions the documentation refers to FooBarA and FooBarW, e.g. CreateFile points to CreateFileA for ANSI and CreateFileW for Unicode (Wide).

Are there any functions out there that do not follow this pattern, deviate slightly from it, or perhaps extend it?

Answer here

Forensic Riddle #11

April 27, 2012 in Forensic Riddles

It’s been a while since I posted a riddle, so here is a new one – this should be an easy one:

Two different Windows executables have been executed on the same version of Windows and under identical (ideal) conditions. Dynamic analysis showed that each of them produces completely different artefacts on a test system, but in-depth code analysis showed that they have identical source code. What files are these?

Answer here

Forensic Riddle #10

February 15, 2012 in Forensic Riddles

This should be a trivial one, but hopefully it’s interesting nevertheless.
Question: what happened here?

Answer here

Forensic Riddle #9d

February 5, 2012 in Forensic Riddles

This is the 4th and the last time :) . Until I come up with, or find out about (send me your ideas!), other ways of doing so.

Question is the same: what happened here?

  • No malware
  • No Unicode
  • No case-sensitive file-names
  • No blank characters

Answer here

Forensic Riddle #9c

February 1, 2012 in Forensic Riddles

This is the 3rd time :-)

Question is the same: what happened here? No malware, no Unicode, no case-sensitive file-names:

Answer here

Forensic Riddle #9b

January 26, 2012 in Forensic Riddles

This is the second part of the riddle – this time there are no Unicode characters, no GUI attacks, nothing malicious.

Question: What happened here?

Answer here

Forensic Riddle #9a

January 21, 2012 in Forensic Riddles

This is a riddle with multiple answers – some are super trivial, some are probably not and actually raise interesting questions about Windows. We will explore some of them one by one.

Question: What happened here?

Answer here

Forensic Riddle #8

January 13, 2012 in Forensic Riddles

Malware often uses one of these three APIs to launch new processes:

  • WinExec
  • ShellExecute (Ansi and Wide versions)
  • CreateProcess (Ansi and Wide versions + all CreateProcess* family e.g. CreateProcessInternal, CreateProcessAsUser, etc.)

Question:

There is at least one more API function that could also be used to launch executables. What is its name?

Have a good weekend!

Answer here

Forensic Riddle #7

December 30, 2011 in Forensic Riddles

Many Microsoft articles say that modifying certain registry keys requires the computer to be restarted for the changes to take effect.

Question: Why? And why are these changes sometimes taken into account immediately (i.e. without a restart)?

Have a good weekend and Happy New Year 2012!

Answer here

Forensic Riddle #6

December 23, 2011 in Forensic Riddles

Many malware authors use external .bat/.cmd files to delete the .exe dropper, because it is non-trivial to self-delete while the malware is still running. In the past it was possible to use Gary Nebbett’s famous self-deleting executable trick and it worked for Windows NT and Windows 2000. However, it doesn’t work under newer versions of Windows.

Question:

Is it possible to create a self-deleting executable for newer versions of Windows?

Answer here