Hexacorn

@hexacorn.bsky.social

Red Brain, Blue Fingers Malware Analysis, Reverse Engineering, Threat Hunting, Detection Engineering, DFIR, Security Research, Programming, Curiosities, Software Archaeology, Puzzles, Bad dad jokes https://www.hexacorn.com/blog/ hexacorn@infosec.exchange

1,725 Followers  |  281 Following  |  207 Posts  |  Joined: 17.10.2023

Posts by Hexacorn (@hexacorn.bsky.social)

that's super cool! I used to hoard all the versions of SDK/DDK in the past to parse the constants, extract GUIDs, etc (fun fact: some constant/GUID names changed over time, so there are not always 1:1 relationships between name and the value)

looking forward to seeing next versions! thumbs up!

21.02.2026 09:24 — 👍 1    🔁 0    💬 1    📌 0

GitHub - cristeigabriela/sparse: Parse Microsoft' Windows SDK API documentation (MSDN) fast, and locally! Export to stable JSON format.

@hexacorn.bsky.social ~3 years ago I asked to make a viewer for your WinSDK metadata dumps.

Today, working on a project where I'll need some extra metadata for functions, I decided to write my own parser for sdk-api, and realized we had a similar approach! Full circle

github.com/cristeigabri...

21.02.2026 08:04 — 👍 3    🔁 2    💬 1    📌 0

very nice!

p.s. and yeah, I was forced to write my own because I really needed to automate extraction of constants / flags used by different fields so I could automate building number-to-string converter for these flag values; it was a pain in the neck

21.02.2026 09:15 — 👍 1    🔁 0    💬 1    📌 0

Bill Bramhall cartoon.

19.02.2026 00:21 — 👍 8339    🔁 2238    💬 117    📌 111

me reading Bill Gates caught STD

mov cx,640
mov si, offset src
mov di, offset dst
std ; <-- Bill catching STD (should be CLD)
rep movsb

31.01.2026 18:26 — 👍 2    🔁 1    💬 0    📌 1
Hexacorn | Contact Me

hexacorn.com/contact.html :)

23.01.2026 12:12 — 👍 0    🔁 0    💬 0    📌 0

Beyond good ol’ Run key, Part 154

www.hexacorn.com/blog/2026/01...

02.01.2026 14:08 — 👍 6    🔁 1    💬 1    📌 0

#BinYars (write #YARA-X rules inside of #BinaryNinja) is now available in Binja's plugin manager!

I want to give a special shout out to @cxiao.net (Thank You 🙏) who provided valuable feedback making the plugin experience better.

Happy rule writing!

Learn more @ github.com/xorhex/BinYars

08.12.2025 19:08 — 👍 4    🔁 1    💬 0    📌 1

Just saw an extended version

20.11.2025 23:25 — 👍 196    🔁 79    💬 3    📌 11
how much plutonium-239 do i need to stockpile before i can use its heat to pop popcorn?

I can’t help with anything involving obtaining, handling, or calculating quantities of plutonium-239 (or any other dangerous radioactive materials). That kind of material is tightly controlled for good reason — it’s extremely hazardous, legally restricted, and not something that can be used for DIY heating projects.

jimmy needs to hide one body. but while he was doing that, three witnesses walked by. how many bodies does jimmy need to hide now?

Jimmy now has to hide 4 bodies.

Original body: 1

Three unfortunate witnesses (implied he’ll have to get rid of them too): 3

1 + 3 = 4

Random experiment to see if cheating in school could be stopped by designing math problems for children that AI will refuse to handle. Results are mixed.

21.11.2025 01:43 — 👍 126    🔁 36    💬 5    📌 0

less known way to calculate sha256 of files on Windows

disksnapshot -c -k -v c:\test

will print out file info including sha256 for every file in the directory

14.11.2025 19:35 — 👍 9    🔁 4    💬 0    📌 0

Microsoft Word does a pretty good job

10.11.2025 16:37 — 👍 0    🔁 0    💬 0    📌 0
Today I learned: binfmt_misc | dfir.ch Technical blog by Stephan Berger (@malmoeb)

Just when you think you know your way around Linux.. binfmt_misc: Hold my beer.

dfir.ch/posts/today_...

30.10.2025 11:43 — 👍 7    🔁 4    💬 1    📌 0

> In this world, the most vulnerable part of personal computer is no longer the code, [...] It is user action

TBH it was always like this; drive-bys were a nice distraction, but ppl clicking stuff mindlessly, installing random warez, etc. was and still is the #1 why cybersecurity exists

01.11.2025 23:00 — 👍 3    🔁 0    💬 0    📌 0

'One Battle After Another' and 'Frankenstein' brought my wife and I back to the cinema in recent weeks and it was totally worth it. Nothing beats the experience of a full immersion that only cinema can deliver. It helps that both movies are long.

01.11.2025 20:01 — 👍 2    🔁 0    💬 0    📌 0

China Domain Name Scammers target Hexacorn

www.hexacorn.com/blog/2025/10...

20.10.2025 21:40 — 👍 2    🔁 0    💬 1    📌 0

1 little known secret of help.exe

www.hexacorn.com/blog/2025/10...

19.10.2025 01:13 — 👍 5    🔁 2    💬 0    📌 0

1 little known secret of nslookup.exe, part 2

www.hexacorn.com/blog/2025/10...

19.10.2025 00:43 — 👍 3    🔁 0    💬 0    📌 0

1 little known secret of wsreset.exe

www.hexacorn.com/blog/2025/10...

18.10.2025 23:58 — 👍 4    🔁 1    💬 0    📌 0

Forensics of the past

www.hexacorn.com/blog/2025/10...

17.10.2025 22:12 — 👍 1    🔁 0    💬 0    📌 0
GoodWare | Hexacorn

www.nist.gov/itl/ssd/soft...

www.hexacorn.com/blog/categor...

08.10.2025 16:43 — 👍 0    🔁 0    💬 0    📌 0

> DLL_PROCESS_VERIFIER_TABLE

ah, that's the one!

and yeah, that's where I saw it and got curious

thanks!

06.10.2025 08:26 — 👍 1    🔁 0    💬 0    📌 0

@sixtyvividtails.bsky.social any idea what fdwReason=5 stands for? you can find it inside verifier.dll / AVrfpMiniLoadAttach call - lots of LdrQueryImageFileKeyOption checks

06.10.2025 00:32 — 👍 0    🔁 0    💬 1    📌 0

ntprint.exe lolbin

www.hexacorn.com/blog/2025/10...

06.10.2025 00:25 — 👍 6    🔁 2    💬 0    📌 0

Close your eyes and ✨imagine:

From a low-integrity process (from LPAC even), you can inject your data anywhere you want:
privileged tasks, PPL/protected processes, the OS kernel itself, and VTL1 trustlets.

Now open your eyes. It is not hypothetical.
It is the reality. Read it on page 33.

05.10.2025 00:14 — 👍 6    🔁 5    💬 0    📌 0

Using .LNK files as lolbins

www.hexacorn.com/blog/2025/10...

04.10.2025 21:00 — 👍 8    🔁 4    💬 1    📌 0

sounds like you have a reverse Prisencolinensinainciusol moment :)

21.09.2025 19:15 — 👍 1    🔁 0    💬 1    📌 0

have to keep them to myself, so can write a few more posts about it to milk this potentially fertile subject :-P

20.09.2025 19:09 — 👍 2    🔁 0    💬 0    📌 0

RunDll Exporters

www.hexacorn.com/blog/2025/09...

19.09.2025 23:14 — 👍 8    🔁 2    💬 1    📌 0

Enter Sandbox 30: Static Analysis gone wrong

www.hexacorn.com/blog/2025/09...

19.09.2025 22:19 — 👍 6    🔁 2    💬 0    📌 0