Category Archives: Windows

Windows API Hash List 2

ModuleName= C:\Windows\SysWOW64\ntdll.dll (0xDF956BA6)
Export: A_SHAFinal(0x736DA974)
Export: A_SHAInit(0xBFC6BCC1)
Export: A_SHAUpdate(0xCF06FD70)
Export: AlpcAdjustCompletionListConcurrencyCount(0x23B53BE8)
Export: AlpcFreeCompletionListMessage(0x02E14901)
Export: AlpcGetCompletionListLastMessageInformation(0x9254AE4E)
Export: AlpcGetCompletionListMessageAttributes(0x1B542730)
Export: AlpcGetHeaderSize(0x5C9A17B2)
Export: AlpcGetMessageAttribute(0x4F2DB942)
Export: AlpcGetMessageFromCompletionList(0xE0E08C02)
Export: AlpcGetOutstandingCompletionListMessageCount(0x199B910D)
Export: AlpcInitializeMessageAttribute(0x65D95C89)
Export: AlpcMaxAllowedMessageLength(0xF650E8D2)
Export: AlpcRegisterCompletionList(0xBD8E2C03)
Export: AlpcRegisterCompletionListWorkerThread(0x8D3B647D)
Export: AlpcRundownCompletionList(0xC366721E)
Export: AlpcUnregisterCompletionList(0x7B09D25B)
Export: AlpcUnregisterCompletionListWorkerThread(0x64F5C9F9)
…

Posted in Malware, Malware Analyzer, Windows

Windows API Hash List 1

ModuleName= C:\Windows\SysWOW64\ntdll.dll (0x4414F3EA)
Export: A_SHAFinal(0xB52E8E6D)
Export: A_SHAInit(0xD79837F8)
Export: A_SHAUpdate(0xDFAE19E0)
Export: AlpcAdjustCompletionListConcurrencyCount(0xA77D0476)
Export: AlpcFreeCompletionListMessage(0x2920205C)
Export: AlpcGetCompletionListLastMessageInformation(0x95C9D24A)
Export: AlpcGetCompletionListMessageAttributes(0x84E6036A)
Export: AlpcGetHeaderSize(0x42F64B93)
Export: AlpcGetMessageAttribute(0xB72849E5)
Export: AlpcGetMessageFromCompletionList(0x11805C1C)
Export: AlpcGetOutstandingCompletionListMessageCount(0x7221A333)
Export: AlpcInitializeMessageAttribute(0x2B912CBB)
Export: AlpcMaxAllowedMessageLength(0x1D1A5ECA)
Export: AlpcRegisterCompletionList(0xC58077B1)
Export: AlpcRegisterCompletionListWorkerThread(0x6C8FB1A7)
Export: AlpcRundownCompletionList(0xCE43D86C)
Export: AlpcUnregisterCompletionList(0x3A4B6F61)
Export: AlpcUnregisterCompletionListWorkerThread(0xB93F2C9E)
Export: …

Posted in Malware, Malware Analyzer, Windows

MITM Gmail SMTP STARTTLS Traffic in LAB machines

During an audit we may face the challenge of MITM-ing Gmail SMTP STARTTLS traffic to retrieve the email content or credentials. Most .Net programs do NOT allow connecting to a secure server that presents a self-signed certificate. I used starttls-mitm (https://github.com/ipopov/starttls-mitm) …

Posted in .Net, Google, Malware Analyzer, Tools, Windows

pcap2file using Suricata in windows/linux

There is no easy way to automatically extract files from a PCAP (not PCAP-NG). We can use Suricata to extract the files (at least the files transferred over HTTP). Here are the steps to configure Suricata and extract the files from the …

Posted in Tools, Web, Windows

Python and DDK

There is no easy way to call DDK functions from Python. In the end, we need to create a Python extension and use that to call these functions. I have used ActivePython for that. Here is a simple Python …

Posted in python, Windows, Windows VC++

Visual Studio linking error with .lib files

Recently, when I was developing a small Python extension, I faced a linking error. I looked into the functions and other things. Everything was looking good. In the end, I noticed that the library I was including is for …

Posted in python, Windows, Windows VC++

List of registry keys involved in reboot pending decision

1)  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\UpdateExeVolatile => != 0
2)  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations => Any value
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations2
    Locate all entries with a status of “Pending.”
3)  HKEY_LOCAL_MACHINE\SYSTEM\CurrentSetXXX\Control\Session Manager\
4)  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
5)  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\
6)  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory
7)  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting
8)  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DVDRebootSignal
9)  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending
10) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootInProgress
11) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\CurrentRebootAttempts

Posted in Windows

tcpreplay for windows (using scapy-python)

Running tcpreplay on Windows is a tedious job. As far as I have searched, I couldn’t find any tcpreplay binary that runs on (newer) Windows, or an alternative. We need to compile the tcpreplay source code using Cygwin and …

Posted in Pentest, Tools, Windows

Assembly language programming using visual studio 2010

Recently we faced the issue of including assembly code in a project. After a lot of Googling we found the following links, which we are sharing here:
http://stackoverflow.com/questions/2839710/how-to-inline-assembler-in-c-under-visual-studio-2010
http://msdn.microsoft.com/en-us/library/26td21ds%28v=VS.80%29.aspx
http://www.deconflations.com/2011/masm-assembly-in-visual-studio-2010/
http://oradim.blogspot.in/2009/03/jmp-around-win64-with-ml64exe-and.html
http://msdn.microsoft.com/en-us/magazine/cc300794.aspx
http://blogs.msdn.com/b/oldnewthing/archive/2004/01/14/58579.aspx

Posted in C/C++, Reversing, Windows, Windows VC++

Microsoft Attack Surface Analyzer Command line option

Microsoft Attack Surface Analyzer is a nice tool for analyzing the modifications a product makes to a system. Many times we may need to automate this, and Microsoft provides command line options for that purpose.
Usage: Attack Surface Analyzer.exe [arguments]
  /Baseline <file>     …

Posted in Code review experience, SDLC, Windows