Windows Archives - Rahim Soft - Part 2 Apr 2026

Hardcoded in plaintext at offset 0x1A3F of the DLL. RSWATCH.EXE registers as a Windows service named “Rahim Soft Watch Service” with a description: “Monitors database integrity.”

In archival samples, we found a hardcoded backdoor credential:

The Windows Archives project continues to catalog such “abandonware with teeth.” Part 3 will examine Rahim Soft’s kernel hooking mechanisms on Windows XP SP2, and their eerie similarity to modern EDR bypass techniques. End of Part 2 deep write-up. Archive checksum (reference): SHA-256 of RAHIMDB.DLL v2.1: 7A4F2B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6 Windows Archives - Rahim soft - Part 2

This explains why modern AV flags it generically: not because it’s malicious per se, but because its behavior overlaps with known stealth patterns . RAHIMDB.DLL exports a function RS_ExecuteRaw that accepts a string parameter. Under normal conditions, it processes indexed sequential access method (ISAM) queries. However, passing a string longer than 260 bytes triggers an unusual debug print :

The file is not a true VXD but a disguised NT native API injector. Static analysis reveals a PE stub that, when loaded, calls ZwSetSystemInformation to hook interrupt 2Eh—essentially a rootkit-like persistence mechanism predating commercial rootkits by 3–4 years. Hardcoded in plaintext at offset 0x1A3F of the DLL

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers

Note: Since “Rahim Soft” is not a widely documented mainstream Microsoft project, this write-up treats it as a of a fictional or legacy software archive, focusing on system artifacts, deprecated Windows components, and reverse-engineering themes common in enterprise archival research. Windows Archives: Rahim Soft – Part 2 Unpacking the Binary Ghosts of Legacy Middleware 1. Introduction: The Archive Deepens In Part 1 of the Windows Archives investigation, we established the skeletal structure of Rahim Soft —a mid-90s to early-2000s middleware provider whose software distribution vectors lingered in corporate Windows NT 4.0, Windows 2000, and early XP builds. Part 2 shifts focus from metadata recovery to dynamic artifact reconstruction and cross-version behavioral analysis . Archive checksum (reference): SHA-256 of RAHIMDB

RS: Executing raw: [string] But crucially, the function does not sanitize input—it passes the buffer directly to an internal _system() call. This makes , provided the attacker controls the query string.

rs_backup_user / rs_admin_1999