Windows SuperFetch file format – partial specification

According to ForensicWiki (

SuperFetch is a performance enhancement introduced in Microsoft Windows Vista to reduce the time necessary to launch applications (…)
Data for SuperFetch is gathered by the %SystemRoot%\System32\Sysmain.dll, part of the Service Host process, %SystemRoot%\System32\Svchost.exe, and stored in a series of files in the %SystemRoot%\Prefetch directory. These files appear to start with the prefix Ag and have a .db extension. The format of these files is not known…

When I read above statement I just couldn’t resist and I’ve decided to take up a challenge. Below you can read what I’ve found, as a bonus I’ve also prepared simple dumper for SuperFetch .db files (attached at the end of this post).
Continue reading →

Mixing x86 with x64 code

Few months ago I was doing some small research about possibility of running native x64 code in 32-bits processes under the WoW64 layer. I was also checking it the other way round: run native x86 code inside 64-bits processes. Both things are possible and as far as I googled some people used it already:

Unfortunately I wasn’t aware of any of above results when I was doing my research, so I’ll just present my independent insights ;)

Continue reading →

UPX “accidentally” increments LoadCount for DLLs

When I was preparing last dirtyJOE update I’ve noticed that under some circumstances python DLLs are not freed from memory. What was even more interesting, this behaviour was occurring only in ready to release version of application. I’ve tested few scenarios and I figured out that the problem lays in UPX loader.

I’ll try to explain what exactly happens.

Continue reading →

Using Python scripts in dirtyJOE

Python scripting in dirtyJOE can be used to modify CONSTANT_Utf8 objects from Constant Pool. One of the main use is decryption of CONSTANT_Utf8 objects in obfuscated .class files. Decrypted objects are useful in forensic analysis, they can be also used to translate obfuscated java application.


I’ll show how to use python scripting on sample obfuscated java malware called Boonana. Mentioned malware appeared in october 2010 and was obfuscated with Zelix KlassMaster 5.3.3E (according to entry in constant pool “ZKM5.3.3E”).

Continue reading →

dirtyJOE v1.4

New version of dirtyJOE is available for download from

Short change-log:

  • Python scripting for Utf8 objects
  • drag’n’drop support
  • ability to copy disassembly to clipboard
  • ability to change font in disassembly windows
  • update check on startup

I’ll publish short tutorial about python scripting in the next blog post (it is already available as a part of help file)

dirtyJOE – Java Overall Editor

Post moved from OpenRCE, original date: Saturday, September 18 2010

dirtyJOE – Java Overall Editor is a complex editor and viewer for compiled java binaries (.class files). Current version still have some limitations, but hopefully those will be removed within the next releases.

dirtyJOE is free for non-commercial use.

dirtyJOE is entirely written in C++, no third party libraries were used.

Main features:

  • Viewer for: constant pool, methods, fields, attributes
  • Editor for: constant pool, bytecode

You can download it from

When memory management goes bad…

Post moved from OpenRCE, original date: Thursday, March 4 2010

Few months ago I’ve encountered a strange behavior in cmd.exe when I wanted to list some big collection of files and execute some command on every single file. I used for this task ‘for’ command similar to this:

for /R c:\ %c in (*.*) do echo %c >> cmd_ptc.log

After few hours of processing I get a very disturbing message:

"Not enough storage is available to process this command."

Actually cmd.exe can eat all memory available for the process. I decided to check why it needs such amount of memory and if it will be possible fix it. Below you can find link to the full article and package with the fixed binaries (from Windows Vista SP2, password: and binaries

Happy reading !

Hacker Challenge 2008

Post moved from OpenRCE, original date: Wednesday, April 15 2009

My reports from Hacker Challenge 2008 are already available online:

(zip archives contains original challenge, cracked binary and report)

Phase 1:

Phase 3 (third place in “quality of report” category):

Old dbghelp and an old exploit…

Post moved from OpenRCE, original date: Friday, January 30 2009

Recently I’ve came across some “strange” problems during loading some executables into OllyDbg. After loading the file, OllyDbg just crashed without any error. During a quick research I’ve figured out that the problem lays in the extension of the loaded file. In fact, the problem laid in the old version of dbghelp.dll (5.1.3590.0). Continue reading →