@EvanMcBroom
EvanMcBroom / arnold.md
Last active March 24, 2025 12:49
IllBeBack - An Undocumented Function

Microsoft purchased the software Softricity SoftGrid in 2006 and renamed it to Microsoft Application Virtualization, or App-V for short. Windows shipped with several libraries in System32 and SysWOW64 to support App-V.

AppVTerminator.dll

One App-V library stands out from all the rest because it only has one exported function named IllBeBack... That's right! A library signed by Microsoft, with Terminator in the name, that only has a single callable function named IllBeBack.

@EvanMcBroom
EvanMcBroom / pic-and-string-literals.md
Last active March 6, 2025 07:34
Position Independent Code and String Literals

A common programming idiom when writing position independent code (PIC) is to expand a string literal into its individual characters when instantiating a local variable.

void f() {
    // Example 1: A normal instantiation with a string literal
    char a[]{ "a long string" };

    // Example 2: The PIC idiom for instantiating a string: the literal is
    // expanded into its individual characters so the bytes are built on the
    // stack instead of being referenced from a read-only data section
    char b[]{ 'a', ' ', 'l', 'o', 'n', 'g', ' ', 's', 't', 'r', 'i', 'n', 'g', '\0' };
}
@EvanMcBroom
EvanMcBroom / switch-statements-with-full-strings.md
Last active November 8, 2024 15:51
Switch Statements with Full Strings

C++11 introduced the constexpr keyword for defining a constant expression. A constant expression is a variable or function that may be evaluated at compile time. This has many uses, including extending a switch statement to support full strings.

Constant Expression Hash Functions

C++ only supports using an integer as the condition in a switch statement and an integer that is known at compile time in a case statement. You can define a hash function and use it to convert a string to an integer to use in a switch statement. If you define that hash function as a constexpr you can use it to convert a string literal to an integer to use in a case statement as well.

@EvanMcBroom
EvanMcBroom / fireeye-tools.md
Last active October 13, 2023 08:16
FireEye Red Team Tools - Notes

These are my notes on FireEye's YARA rules for its red team's tools.

These are the public projects that I could identify to be directly associated with a tool:

Project Source
AndrewSpecial https://github.com/hoangprod/AndrewSpecial
BloodHound https://github.com/BloodHoundAD/BloodHound