Converting an EXE to a DLL

I’ve been doing some crazy experiments on running an EXE as a DLL. Here are some parts of my research.

Case #1

Let’s take a simple example like a MessageBox.

After compiling to an EXE we have to change the characteristics under NT Header->File Header to a DLL file. I will use the value 0x2000 | 0x2| 0x100 = 0x2102.


Random Compiler Experiments on Arrays

One day a guy asked me how to print a 2d string array in C. So I coded an example for him. But just for curiosity, I examined the assembly code. In C both string[0][1] and *(*string + 1) are the same. But in reality, the compiler writes the assembly code in 2 different ways. If we use string[0][1] it will directly move the value from the stack. When we dereference a pointer *(*string + 1) it will actually dereference the address pointed inside the register. This happens only in the MinGW GCC compiler. I compiled this using the latest on Windows which is 8.2.0-3 by the time I am writing this.

The assembly code in the left is this one.

#include <stdio.h>
int main() {
    char *string[][2] = { 
    printf("%s %s\n", string[0][0], string[0][1]);

The assembly code on the right is this.

#include <stdio.h>
int main() {
    char *string[][2] = { 
    printf("%s %s\n", **string, *(*string + 1));


Analyzing an AutoHotKey Malware

I found this malware spreading through the Facebook messenger. Thanks to Rashan Hasaranga for notifying me this in the first place. It was targeting Sri Lankan people on Facebook. It was a compressed “.bz” file which was spreading via the messenger. The name had “video_” and a random number.

After I downloaded the files, I checked the file hashes. I couldn’t find any analysis done before. So, I decided to get to the bottom of this. The malicious files have the extension as “.com” instead of an exe. However, it’s a compiled exe, renaming this to “com” will still run as an exe by the Windows loader.

These are the samples I found. However, they all contain the same malware. I found 2 authors compiled this from 2 different machines. Read along 😊

Shellcode to Dump the Lsass Process

Here’s the shellcode I wrote for curiosity and ended up working nicely 🙂

This shellcode is for Windows 10 and Server 2019 x86_64.


Determining Registry Keys of Group Policy Settings

One night I was curious about how the Group Policy Manager sets the policies using registry keys. The GUI displays detailed descriptions but not the backend registry key the target policy uses.
Of course, if you Google a policy you can end up finding the target registry value or have a look at the “C:\windows\policydefinitions” folder for the admx files. But I wanted to see for myself how this works behind the scenes. So, I used the API Monitor to monitor the APIs and check the values manually.

Let’s have a look at the policy where we can disable the right click.

The process is “mmc.exe”, the Microsoft Management Console. The Local Group Policy Editor – “gpedit.msc” is just one snap-in of it.

Linux Reverse Engineering CTFs for Beginners

After a while, I decided a write a short blog post about Linux binary reversing CTFs in general. How to approach a binary and solving for beginners. I personally am not a fan of Linux reverse engineering challenges in general, since I focus more time on Windows reversing. I like windows reverse engineering challenges more. A reason me liking Windows is as a pentester daily I encounter Windows machines and it’s so rare I come across an entire network running Linux. Even when it comes to exploit development it’s pretty rare you will manually develop an exploit for a Linux software while pentesting. But this knowledge is really useful when it comes to IoT, since almost many devices are based on Linux embedded. If you want to begin reverse engineering and exploit development starting from Linux would be a good idea. I too started from Linux many years ago. Saying that since some people when they see a reverse engineering challenge they try to run away. So if you are a newbie I hope this content might be useful for you to begin with.

The ELF Format

Let’s first have a look at the ELF headers. The best way to learn more about this in detail is to check the man pages for ELF.

Here’s in more detail. The “e_shoff” member holds the offset to the section header table. The “sh_offset” member holds the address to the section’s first byte.

eCPTX Passed !

First of all, a huge thank you to eLearnSecurity for gifting me this great course last year. I am happy to say that I passed eCPTX in my first attempt. I think companies must look for this certificate when hiring for pentesters in the future. Because in the real world most of the time I pentest Windows environments, so this exam perfectly fits into the day to day job I do. The attacks were the same I had to perform in the real world.

As always their material was well documented. I’ve learned so much of new things I never knew before. There were so much of things to research.

I had no issues with the lab, but however, I do not like the fact that we have to press OK to extend the lab or else the lab will disconnect. Due to this, sometimes I had to start over again when the shells died. Apart from that, I would like to mention that it’s better to have some more labs for the material to practice with a good Active Directory environment.

This is the best exam I’ve done in pentesting, a really awesome challenge in 2 days. I started my journey with eLearnSecurity when I was 18 and now I’m 22 and within these few years I’ve learned a lot and helped me become good at what I do 🙂

For the guys who are going to take this exam you really need to focus on the following areas.

  • Advanced penetration testing processes and methodologies
  • Advanced Exploitation using Metasploit and Empire
  • Network/traffic manipulation
  • Pivoting
  • Advanced Lateral Movement (WMI, PS Remoting, DCOM, etc.)
  • Advanced Active Directory Information Gathering, Enumeration and Reconnaissance
  • Custom Attack Vector Development
  • Active Directory and Windows internals
  • Knowledge of Windows authentication weaknesses
  • Web application Manual exploitation
  • Stealthy Scanning and Profiling the target
  • Advanced Persistence / Backdooring
  • Privilege escalation


PE Sec Info – A Simple Tool to Manipulate ASLR and DEP Flags

Recently I was interested in exploring the PE headers and writing simple programs to manipulate different headers. There are thousands of applications and code to be found on this topic. I started by exploring this Windows structure called “LOADED_IMAGE”.

I fired up WinDBG and had a close a look how these look like with mapped memory addresses.


EE 4GEE Mini Local Privilege Escalation Vulnerability (CVE-2018-14327)

I brought a 4G modem from EE to browser internet when I’m outside. It’s a portable 4G WiFi mobile broadband modem as seen below.

You can find this 4G modem from these websites:

One day I had a look at my services installed on my computer for troubleshooting a problem and I saw a strange service named “Alcatel OSPREY3_MINI Modem Device Helper”. I was wondering how this was installed, and then I figured that it’s my modem service from the EE 4G WiFi modem. Then after a bit of Googling, I realized that the modem was manufactured by Alcatel. I had a look at the service installed just for curiosity and found that that there is an unquoted service path vulnerability.

C:\&gt;sc qc &quot;Alcatel OSPREY3_MINI Modem Device Helper&quot;
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Alcatel OSPREY3_MINI Modem Device Helper
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

But you can’t directly write files because of folder permissions. I first thought this issue is useless to be reported. But just to be sure I had a look at the folder permissions of the “EE40” folder and W00t! It had been set to “Everyone:(OI)(CI)(F)” which means any user can read, write, execute, create, delete do anything inside that folder and it’s subfolders. The ACL rules had OI – Object Inherit and CI – Container Inherit which means all the files in this folder and subfolders have full permissions.

Haxing Minesweeper

Recently I tweeted a screenshot where I won the Minesweeper game by looking at the mine field from the memory. I posted this for no reason, just for fun since I was happy that I finally won this game. I used to play this game back in 2002 in Windows XP and I never won this game, I never even understood how this game works until today when I read how it really works 😀

In few minutes my notifications were flooded, I didn’t expect to get this much of likes. Some people asked me a tutorial on this. I thought of writing a very quick blog post on this. Pardon me if I missed anything.