This document discusses binary planting techniques such as DLL hijacking. It provides examples of binary planting issues found in Real Player and Opera on Windows XP, where they load unexpected DLLs and EXEs during execution. It warns that downloading files can leave computers vulnerable if installers load DLLs from the Downloads folder, allowing for "persistent mines" to be planted months later when applications are launched. It provides guidelines for researchers and developers to prevent binary planting issues in their own software.
Mathieu Letourneau, Andrei Saygo, Eoin Ward, Microsoft
This talk will present our research project on .Net file clustering based on their respective basic blocks and the parallel that can be made with DNA sequence variation analysis. We implemented a system that extracts the basic blocks on each file and creates clusters based on them. We also developed an IDA plugin to make use of that data and speed up our analysis of .Net files.
Andrei Saygo, Eoin Ward and Mathieu Letourneau all work as Anti-Malware Security Engineers in the AM Scan team of Microsoft’s Product Release & Security Services group in Dublin, Ireland.
Mathieu Letourneau, Andrei Saygo, Eoin Ward, Microsoft
This talk will present our research project on .Net file clustering based on their respective basic blocks and the parallel that can be made with DNA sequence variation analysis. We implemented a system that extracts the basic blocks on each file and creates clusters based on them. We also developed an IDA plugin to make use of that data and speed up our analysis of .Net files.
Andrei Saygo, Eoin Ward and Mathieu Letourneau all work as Anti-Malware Security Engineers in the AM Scan team of Microsoft’s Product Release & Security Services group in Dublin, Ireland.
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
.NET malware is well-known by security analysts, but even existing many tools such as dnSpy,.NET Reflector, de4dot and so on to make the analysis easier, most professionals have used them as a black box tool, without concerning to .NET internals, structures, MSIL coding and details. In critical cases, it is necessary have enough knowledge about internal mechanisms and to debug these .NET threats using WinDbg.
Unfortunately, .NET malware samples have become very challenger because it is so complicated to deobfuscated associated resources, as unpacking and dumping them from memory. Furthermore, most GUI debugging tools does an inside view of mechanisms such as CRL Loader, Managed Heap, Synchronization issues and Garbage Collection.
In the other side, .NET malware threats are incredibly interesting when analyzed from the MSIL instruction code, which allows to see code injections using .MSIL and attempts to compromise .NET Runtime keep being a real concern.
The purpose of this presentation is to help professionals to understand .NET malware threats and techniques by explaining concepts about .NET internals, mechanisms and few reversing techniques.
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)DynamicInfraDays
Slides from Borja Burgos' talk "Docker For the Developer" at ContainerDays Boston 2016: http://dynamicinfradays.org/events/2016-boston/programme.html#dockerdev
El objetivo de esta conferencia es la de dar a conocer uno de los ataques más empleados para ganar privilegios de administrador en sistemas Windows 7, 8 y 10, los "bypass UAC attacks", así como la de mostrar un nuevo método basado en uno ya conocido para realizar este tipo de ataques en sistemas Windows 8 y 10.
https://www.youtube.com/watch?v=2B5lB0uJxTE&t=4840s
Presentation from my conference in Lublin. Details, photos and video could be found there http://tryshchenko.com/events/ . Feel free to ask any questions.
You’ve heard about Docker, maybe you use it already as a development environment for virtualising your project on your local machine. But running your application or website with Docker in production is a whole different deal. In this session you’ll get a deeper insight into working with Docker in practice. Starting with the 101 of concepts we’ll go through a practical scenario for hosting, automatically deploying and monitoring an application in production with recommendations for a variety of tools and services.
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts: The Underrated Web-Danger
Testing and Exploiting Backup-File Artifacts with BFAC
BFAC Homepage: https://github.com/mazen160
Blog Post: http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html
Matt Johansen, White Hat - Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
Stephen Doherty, Symantec - iBanking is a relative newcomer to the mobile malware scene whose use was first identified in August of 2013. The Trojan targets Android devices and can be remotely controlled over SMS and HTTP. iBanking began life as a simple SMS stealer and call redirector, but has undergone significant development since then. iBanking is available for purchase on a private underground forum for between $4k - $5k, with the next release expected to include a 0-day exploit for the Android operating system. This presentation will discuss iBanking - it's capabilities and the reasons for targeting mobile devices.
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
.NET malware is well-known by security analysts, but even existing many tools such as dnSpy,.NET Reflector, de4dot and so on to make the analysis easier, most professionals have used them as a black box tool, without concerning to .NET internals, structures, MSIL coding and details. In critical cases, it is necessary have enough knowledge about internal mechanisms and to debug these .NET threats using WinDbg.
Unfortunately, .NET malware samples have become very challenger because it is so complicated to deobfuscated associated resources, as unpacking and dumping them from memory. Furthermore, most GUI debugging tools does an inside view of mechanisms such as CRL Loader, Managed Heap, Synchronization issues and Garbage Collection.
In the other side, .NET malware threats are incredibly interesting when analyzed from the MSIL instruction code, which allows to see code injections using .MSIL and attempts to compromise .NET Runtime keep being a real concern.
The purpose of this presentation is to help professionals to understand .NET malware threats and techniques by explaining concepts about .NET internals, mechanisms and few reversing techniques.
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)DynamicInfraDays
Slides from Borja Burgos' talk "Docker For the Developer" at ContainerDays Boston 2016: http://dynamicinfradays.org/events/2016-boston/programme.html#dockerdev
El objetivo de esta conferencia es la de dar a conocer uno de los ataques más empleados para ganar privilegios de administrador en sistemas Windows 7, 8 y 10, los "bypass UAC attacks", así como la de mostrar un nuevo método basado en uno ya conocido para realizar este tipo de ataques en sistemas Windows 8 y 10.
https://www.youtube.com/watch?v=2B5lB0uJxTE&t=4840s
Presentation from my conference in Lublin. Details, photos and video could be found there http://tryshchenko.com/events/ . Feel free to ask any questions.
You’ve heard about Docker, maybe you use it already as a development environment for virtualising your project on your local machine. But running your application or website with Docker in production is a whole different deal. In this session you’ll get a deeper insight into working with Docker in practice. Starting with the 101 of concepts we’ll go through a practical scenario for hosting, automatically deploying and monitoring an application in production with recommendations for a variety of tools and services.
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts: The Underrated Web-Danger
Testing and Exploiting Backup-File Artifacts with BFAC
BFAC Homepage: https://github.com/mazen160
Blog Post: http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html
Matt Johansen, White Hat - Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
Stephen Doherty, Symantec - iBanking is a relative newcomer to the mobile malware scene whose use was first identified in August of 2013. The Trojan targets Android devices and can be remotely controlled over SMS and HTTP. iBanking began life as a simple SMS stealer and call redirector, but has undergone significant development since then. iBanking is available for purchase on a private underground forum for between $4k - $5k, with the next release expected to include a 0-day exploit for the Android operating system. This presentation will discuss iBanking - it's capabilities and the reasons for targeting mobile devices.
Matt Summers, NCC Group - Web technology has changed a lot in the last 25 years but the underlying transport mechanism has stayed the same. The web we have today was not designed for the plethora of new device types and communication methods but things are changing and you probably don’t even know it. You probably don’t even notice the problem because it is so ingrained. In this presentation we are going to delve into the problems with the web and how we use it today. We will also take an in depth look at the proposed solutions for the next generation web and the implications that come with it.
Brian Honan, IRISSCERT
Social media networks provide individuals and businesses with exciting opportunities to communicate and collaborate with others throughout the world. But with these opportunities come a number of security challenges and risks. This talk will outline how social media networks can pose various threats to businesses, from information leakage, reputational damage, to social engineering profiling, and vectors for enabling compromise of corporate systems. Social media networks also enable the rapid dissemination of news which in the event of an information security breach could either save or destroy an organisations reputation. Understanding and dealing with these challenges will enable companies to like and favourite social media networks in a secure way.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland's first CERT. He is a Special Advisor to Europol's Cybercrime Centre (EC3), an adjunct lecturer on Information Security in University College Dublin. He is the author of the book "ISO 27001 in a Windows Environment" and co-author of "The Cloud Security Rules", and regularly speaks at major industry conferences. In 2013 Brian was awarded SC Magazine's Information Security Person of the year for his contribution to the computer security industry.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
2. ACROS PUBLIC Page 2 SOURCE Barcelona 2011
BINARY PLANTING
QUICK SUMMARY
(DLL hijacking, DLL preloading,
Unsafe library loading...)
3. ACROS PUBLIC Page 3 SOURCE Barcelona 2011
DLL, EXE
you
bad guy
4. ACROS PUBLIC Page 4 SOURCE Barcelona 2011
DLL Search Order
LoadLibrary(“SomeLib.dll”)
1. The directory from which the application loaded
2. C:WindowsSystem32
3. C:WindowsSystem
4. C:Windows
5. Current Working Directory (CWD)
6. PATH
5. ACROS PUBLIC Page 5 SOURCE Barcelona 2011
EXE Search Order
CreateProcess(“SomeApp.exe”)
1. The directory from which the application loaded
2. Current Working Directory (CWD)
3. C:WindowsSystem32
4. C:WindowsSystem
5. C:Windows
6. PATH
6. ACROS PUBLIC Page 6 SOURCE Barcelona 2011
EXE Search Order
ShellExecute(“SomeApp.exe”)
1. Current Working Directory (CWD)
2. C:WindowsSystem32
3. C:WindowsSystem
4. C:Windows
5. PATH
7. ACROS PUBLIC Page 7 SOURCE Barcelona 2011
Our Past Research
• Extended scope: Launching EXEs
• Improved attack vector: WebDAV
• We looked at 200+ leading Windows apps
• Found 500+ binary planting bugs (120+ EXE, 400+ DLL)
• Guidelines for developers
http://www.binaryplanting.com/guidelinesDevelopers.htm
• Guidelines for administrators
http://www.binaryplanting.com/guidelinesAdministrators.htm
• Free Online Binary Planting Exposure Test
http://www.binaryplanting.com/test.htm
• Advanced binary planting (COM-Servers)
• Executing code through IE8 on Windows XP – two clicks only
• Executing code through IE9 on Windows 7 – right click, add to archive
9. ACROS PUBLIC Page 9 SOURCE Barcelona 2011
PERSISTENCE
#1 - PERSISTENCE IN SOFTWARE
#2 – PERSISTENCE ON COMPUTER
10. ACROS PUBLIC Page 10 SOURCE Barcelona 2011
#1 - PERSISTENCE IN SOFTWARE
(Everywhere You Look)
11. ACROS PUBLIC Page 11 SOURCE Barcelona 2011
Microsoft (Sysinternals) Process Monitor
1. Filter: Path Contains <our-path>
2. Launch Application
3. Exclude irrelevant entries
4. Look for DLL and EXE accesses
5. Plant DLL/EXE
6. Re-launch Application
7. If successful, see call stack
12. ACROS PUBLIC Page 12 SOURCE Barcelona 2011
Example: Real Player
I used to load
rio500.dll from CWD.
Wait... I still do.
Publicly reported in February 2010
by Taeho Kwon and Zhendong Su
http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
20. ACROS PUBLIC Page 20 SOURCE Barcelona 2011
Real Player on Windows XP (mpeg)
21. ACROS PUBLIC Page 21 SOURCE Barcelona 2011
Real Player on Windows XP (avi)
22. ACROS PUBLIC Page 22 SOURCE Barcelona 2011
Example: Opera
I fixed a DLL hijacking
bug but what
the heck is this
“EXE planting”?
Windows XP: dwmapi.dll (fixed in 10.62)
24. ACROS PUBLIC Page 24 SOURCE Barcelona 2011
Binary Planting Issues Found
Real Player
• WinXP: RealPlay.exe loading planted rapi.dll upon startup
• Win7: RealPlay.exe loading planted SHDOCLC.DLL upon startup
• RealPlay.exe loading planted rio500.dll upon exit
• RealPlay.exe loading planted rio300.dll upon exit
• RealShare.exe loading planted pnrs3260.dll upon startup
Opera
• WinXP: Opera.exe loading planted rundll32.exe upon opening a
downloaded ZIP
25. ACROS PUBLIC Page 25 SOURCE Barcelona 2011
#2 - PERSISTENCE ON COMPUTER
(Turning Downloads Folder
Into a Minefield)
26. ACROS PUBLIC Page 26 SOURCE Barcelona 2011
DLL Search Order
LoadLibrary(“SomeLib.dll”)
1. The directory from which the application loaded
2. C:WindowsSystem32
3. C:WindowsSystem
4. C:Windows
5. Current Working Directory (CWD)
6. PATH
32. ACROS PUBLIC Page 32 SOURCE Barcelona 2011
Downloads folder “mine field” problem
Why is it cool?
Persistent – “download today, exploit months later”
Installers usually get elevated privileges
Whose fault is it?
Installers loading DLLs from their neighborhood is expected behavior
Browsers keep downloads on disk until manually deleted
Chrome download dialog is clickjackable
Chrome trusts EXE files from already visited sites
InstallShield calls “msiexec.exe” without full path
How could it be fixed?
All downloaded executables should have modified names:
Cryptbase(0).dll, msiexec(0).exe
33. ACROS PUBLIC Page 33 SOURCE Barcelona 2011
Binary Planting: Guidelines For Researchers
Stay current
Make sure you’re working with the latest version of the product
Make sure your O/S is up to date
Try different O/S versions
Different DLLs, different drivers, codecs etc.
Try different data files
Different formats (file extensions), different content
Try it from remote
ShellExecute will issue a security warning when launching from a share
Locate the culprit
Check the call stack to find which module is responsible for the bug, then
check the module’s details to find the author
34. ACROS PUBLIC Page 34 SOURCE Barcelona 2011
Binary Planting: Guidelines For Developers
Use only absolute paths
LoadLibrary(“relative.dll”) - FAIL
CreateProcess(“notepad.exe”) – FAIL
ShellExecute(“cmd.exe”) - FAIL
CWD use
Set CWD to a safe location, quickly
Call SetDllDirectory(“”)
Observe file system operations on all supported O/S versions
Different DLLs, different drivers, codecs etc.
Maximize code coverage
Different formats (file extensions), different content
35. ACROS PUBLIC Page 35 SOURCE Barcelona 2011
Resources
Tools
Process Monitor: http://technet.microsoft.com/en us/sysinternals/bb896645
Symbols: http://msdn.microsoft.com/en-us/windows/hardware/gg463028
Files
“Malicious” DLL
www.binaryplanting.com/demo/windows_address_book/wab32res.dll
www.binaryplanting.com/demo/windows_address_book_64/wab32res.dll
“Malicious” EXE: C:WindowsSystem32calc.exe (what else?)
Knowledge
www.binaryplanting.com
blog.acrossecurity.com
36. ACROS PUBLIC Page 36 SOURCE Barcelona 2011
Pregunt(e|a)s
Mitja Kolsek
ACROS d.o.o.
www.acrossecurity.com
mitja.kolsek@acrossecurity.com
Twitter: @acrossecurity