Archive for the ‘Windows’ Category


April 16, 2013 Leave a comment

Welcome to CrossFPC, a free toolkit to integrate the FreePascal compiler, targeting various OS and hardware platforms, as a cross-compiler into the Embarcadero Delphi IDE.

Using an integrated toolchain, CrossFPC enables you to cross-compile your Windows® Delphi® applications to 32 bit native Linux applications for both X86 and ARM without ever leaving the IDE. In addition you can compile 64 Bit Windows applications.

This is pretty cool. You can basically stay within Delphi on Windows and compile console applications (via FreePascal) for:

  • 32/64 bit Windows (useful for 64-bit compilation if you are not on XE2 or newer)
  • 32/64 bit x86 Linux
  • ARM

Apparently it integrates best with Delphi 7, which I downloaded from Embarcadero’s website since they provide licensed old IDEs for free if you have a current license:



Categories: Delphi, Programming, Windows

Remotely perform a network capture without installing anything

April 16, 2013 Leave a comment

If you need to capture a network trace of a client or server without installing Wireshark or Netmon this might be helpful for you. (This feature works on Windows 7/2008 R2 and above).

The short version:

1. Open an elevated command prompt and run: "netsh trace start persistent=yes capture=yes tracefile=c:\temp\nettrace-boot.etl" (make sure you have a \temp directory or choose another location).

2. Reproduce the issue or do a reboot if you are tracing a slow boot scenario.

3. Open an elevated command prompt and run: "netsh trace stop"

Your trace will be stored in c:\temp\nettrace-boot.etl or wherever you saved it. You can view the trace on another machine using Netmon.

Categories: Network, Tech, Windows

Capturing credentials from ‘Encrypted RunAs’ software

March 20, 2013 24 comments

UPDATED: 5/30/2013 to cover the same flaw in EnSc.exe.

There is a reason that the RunAs program doesn’t accept credentials on the command line…because people would embed passwords. Microsoft developer Raymond Chen writes:

If this offends you and you want to be insecure and pass the password on the command line anyway (for everyone to see in the command window title bar), you can write your own program that calls the CreateProcessWithLogonW function.

Enter the many products that offer a way to “securely” embed credentials in a shortcut or file in order to launch an executable as an administrator.

Wingnut Software offers their commercial ‘Encrypted RunAs’ application as a way for administrators to create encrypted shortcut commands that will launch applications with Administrative credentials. The selling point is that these credentials (which an administrator would provide when creating the shortcut) are protected in an encrypted command.

So I thought I’d download it and take a look at how it protects against the username and password being monitored and captured by a user with only standard USER rights. Note that I am *not* testing how well ERunAs encrypts the command…it appears to encrypt the command and credentials as strongly as advertised. However, I’m looking to see what happens after ERunAs decrypts everything and has to pass data to the operating system (and if I can capture that).

Spoiler: as a standard user I could monitor the parameters passed by ERunAs to the CreateProcessWithLogonW API and see the administrator’s username and password that were encrypted in the shortcut:


Encrypted RunAs is a small utility that is designed to make the job of Administrators a little easier, it can be used to run applications or software installations with access rights a standard user does not have.


I created an encrypted shortcut to run “notepad.exe” as the local administrator named “ALincoln” with a password of “Fubard123”.

Using the free API Monitor application, I was able to run it as a standard user (see below, I’m demonstrating I’m a standard user and that API Monitor is not elevated, but running with limited user rights), and I set a filter within API Monitor on the CreateProcessWithLogonW API.


From there I called ERunAs.exe, supplying the “Notepad.eras” file as its parameter (just like the shortcut that Encrypted RunAs creates does):


And seconds after clicking OK, I can see that the CreateProcessWithLogonW API was called by ERunAs.exe and I can see the parameters passed in clear text:


This means that if a standard user can access ERunAs.exe and the command it uses, the user can capture the administrative credentials used.

Now, I’ve been picking on one product so far, but I’ve confirmed this same method works to capture credentials from JoeWare’s CPAU and Quimeras’ TqcRunas. I would expect this to work with any application that passes credentials to the CreateProcessWithLogonW API.


Based on feedback from a commenter, I also looked at EnSc (Encrypted Shortcut Creator). I found that using the same method as above, I can still capture the administrator’s credentials at the time the process is called. This can be done by a user without administrative rights…meaning any user that runs an EnSc-created shortcut, or has access to the shortcut and the “ensc.db” file created by the program on first run (when the master password is set).



Categories: OS Internals, Tech, Windows

Extract an Embedded EXE or DLL using FileInsight

December 30, 2012 2 comments

FileInsight is a handy integrated tool environment for web site and file analysis. Hex editing, syntax highlighting, and it comes with several built-in decoders, built-in calculator, a disassembler, JavaScript scripting support, a Python-based plugin system and many more.

I use FileInsight on a regular basis when analyzing malware, and have found that its greatest asset to me is the Python based plugin system. One developer has already posted some very useful plugins for malware analysis on GitHub.

Drawing inspiration from those plugins, I decided to write a FileInsight plugin to aid in extracting embedded binaries. While this technique is popular with malware ‘droppers’, it is used by legitimate applications as well. I plan to walk through an example using the free (and legitimate) tool PsExec (from Microsoft SysInternals) to extract the embedded Windows service from it.

Let’s begin

NOTE: This requires that you have the Python interpreter installed. I install Python 2.7.x from

First install my “Extract Embedded EXE” plugin by grabbing it from the GitHub repository:

Please follow the instructions included in the README.txt to install it.

Next, download PsExec here:

Ok, we are ready to begin. Start FileInsight and open “psexec.exe”:


Search for the Embedded EXE / DLL

NOTE: Some EXEs may have multiple embedded binaries, so you may want to repeat this process several times to get all the binaries extracted.

Now we need to search for an EXE embedded within this PsExec.exe. Click on the Search tab at the top of the screen and click Find. I suggest searching for “This program” (the start of the DOS stub message) and checking the Match Case checkbox. Searching for “MZ” will work as well, but you might have to step over more false positive results in your search for the embedded EXE.


Run the Embedded EXE Extract plugin script

Once you have found it, you must highlight the M in the MZ header. With M still selected, click the Plugins tab and select the “Embedded EXE Extract” plugin.


After the script runs, a new tab will be opened containing the newly carved binary and in the Scripting window you will see some information about the size of the PE file, which was calculated by the script.


To save this new file, click on the Home tab and select Save File:
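As an added, stand-alone illustration (not the plugin from the GitHub repository and not FileInsight’s own scripting API), the following Python reproduces the size calculation the walkthrough relies on: follow e_lfanew to the PE header, walk the section table, and take the furthest end of any section’s raw data as the carve length. The sample “dropper” bytes, the stray “MZ” false positive and the embedded PE are all constructed inline.

```python
import struct

def pe_size(buf, off):
    # On-disk size of the PE whose "MZ" is at buf[off]; None if the headers are malformed
    # (a false-positive "MZ" hit) or the image would run past the end of the buffer.
    try:
        if buf[off:off + 2] != b"MZ":
            return None
        pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]       # e_lfanew
        if buf[pe:pe + 4] != b"PE\0\0":
            return None
        nsect, = struct.unpack_from("<H", buf, pe + 6)                  # NumberOfSections
        size_opt, = struct.unpack_from("<H", buf, pe + 20)              # SizeOfOptionalHeader
        end, = struct.unpack_from("<I", buf, pe + 24 + 60)              # SizeOfHeaders (PE32/PE32+)
        sect = pe + 24 + size_opt                                       # first 40-byte section header
        for i in range(nsect):
            raw_size, raw_ptr = struct.unpack_from("<II", buf, sect + i * 40 + 16)
            end = max(end, raw_ptr + raw_size)                          # furthest raw-data end
    except struct.error:                                                # field past end of buffer
        return None
    return end if off + end <= len(buf) else None

def find_embedded(buf, start=1):
    # First offset >= start that begins a structurally valid PE (default skips the
    # container's own header at 0); bare "MZ" hits with no PE signature are passed over.
    pos = buf.find(b"MZ", start)
    while pos != -1 and pe_size(buf, pos) is None:
        pos = buf.find(b"MZ", pos + 1)
    return pos

def build_fake_pe(sections):
    # Constructed test data: a minimal, non-runnable PE32 with (name, bytes) sections.
    size_opt, e_lfanew = 224, 0x40
    hdr_len = (e_lfanew + 24 + size_opt + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 60, hdr_len)                            # SizeOfHeaders
    table, body, ptr = b"", b"", hdr_len
    for name, data in sections:
        raw = (len(data) + 0x1FF) & ~0x1FF                              # FileAlignment 512
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0, raw, ptr, 0, 0, 0, 0, 0)
        body += data.ljust(raw, b"\0")
        ptr += raw
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_len, b"\0") + body
# Constructed sample: a stub with a stray "MZ" (false positive), the embedded PE, then junk.
EMBEDDED = build_fake_pe([(b".text", b"\xC3" * 100),
                          (b".rdata", b"This program cannot be run in DOS mode" * 12)])
SAMPLE = b"DROPPER-STUB " + b"MZ" + b"\0" * 6 + b"not a pe" + EMBEDDED + b"TRAILING JUNK" * 4
```

The carved length stops at the last section, so an embedded image that carries an Authenticode certificate table or overlay data after its sections will be truncated by this method; compare the result against the size reported in the Scripting window before trusting it.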


Categories: Disassembly, Tech, Windows

inception — unlock any machine via firewire and then defeat BitLocker, TrueCrypt, FileVault, etc

December 23, 2012 1 comment

Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost any machine you have physical access to.

Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks in order to unlock live computers using FireWire SBP-2 DMA. It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other (and better) ways to hack a machine that doesn’t pack encryption.

The tool works over any interface that expands and can master the PCIe bus. This includes FireWire, Thunderbolt, ExpressCard and PCMCIA (PC-Card).

More importantly, this works on Windows 8/7/Vista/XP, Mac OSX 10.5 -> 10.8, Ubuntu 11.04+, and Linux Mint 12+.

How it works

Inception’s main mode works as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE 1394 FireWire interface, the victim operating system thinks that an SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim. Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s password authentication modules. Once found, the tool short circuits the code that is triggered if an incorrect password is entered.

An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the nerdy equivalent of a memory inception.

This will certainly add a new dimension to penetration tests that I perform…

Excellent OllyDbg tutorials

December 11, 2012 4 comments

If you are interested in learning how to use OllyDbg to reverse engineer or modify executables, DLLs, etc., the tutorials at The Legend of Random are very well done.

Currently there are over 25 tutorials that are progressively more difficult:

  1. What is reverse engineering?
  2. Introducing OllyDBG
  3. Using OllyDBG, Part 1
  4. Using OllyDBG, Part 2
  5. Our First (Sort Of) Crack
  6. Our First (True) Crack
  7. More Crackmes
  8. Frame Of Reference
  9. No Strings Attached
  10. The Levels of Patching
  11. Breaking In Our Noob Skills
  12. A Tougher NOOBy Example
  13. Cracking a Real Program
  14. How to remove nag screens
  15. Using the Call Stack.
  16. Dealing with Windows Messages.
  17. Self Modifying Code.
  18. Bruteforcing.
  19. Working with Delphi Binaries.
  20. Time Trials and Hardware Breakpoints.
  21. Creating patchers.
  22. Dealing with Visual Basic Binaries, Part 1.
  23. Dealing with Visual Basic Binaries, Part 2.
  24. Anti-Debugging Techniques.
  25. Code Caves and PE Sections.
  26. TLS Callbacks.


Also, I recommend using their custom packaged version of OllyDbg which includes many useful plugins already bundled in.


Categories: Disassembly, Tech, Windows

vdebug: cross platform debugger

August 11, 2012 Leave a comment

vdebug google code site and more info here:

Essentially, vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it!

winexe: a psexec-like client for accessing Windows from Linux

August 9, 2012 2 comments

winexe remotely executes commands on Windows NT/2000/XP/2003 systems from GNU/Linux (probably also other Unices capable of compiling Samba4).

For example, here is how to obtain a remote shell using winexe from a BackTrack Linux system (this requires the admin credentials of the remote system):

winexe --user Administrator --password=P@ssw0rd // cmd.exe

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


Categories: Linux, Tech, Windows

Automated Generic Function Naming in IDA

August 9, 2012 Leave a comment

Great IDA Python script for automatically renaming functions based on the Windows API call(s). This helps to quickly identify certain functions and to organize them by their likely purpose.

The author has a nice write-up with screenshots.

You can grab the IDA Python script here [].

Categories: Disassembly, Tech, Windows

XCA: Cross platform GUI for creating SSL certs with OpenSSL

August 9, 2012 Leave a comment

There are some of you that know your way around OpenSSL’s options in your sleep, but for me, I found this tool to be very helpful in learning the available options *and* creating SSL certificates for testing purposes with those options.

Works on Linux, Windows, BSD, and OS X.


  • Start your own PKI and create all kinds of certificates, requests or CRLs
  • Manage your Smart-Cards via PKCS#11 interface
  • Export certificates and requests to a OpenSSL config file
  • Create name and/or extension templates to ease issuing similar certs
  • Convert existing certificates or requests to templates
  • Supports v3 extensions as flexible as OpenSSL but user friendlier

Categories: Apple, Linux, Network, Tech, Windows