23 April 2009

Porting Native API calls to Windows 7

I'm currently porting FreeFixer to the Windows 7 platform. Luckily the different flavors of Windows do not differ that much from one release to the next, so most of the unit tests worked without any changes to the existing code.

There's one piece of code that needed an update though, and it's the rootkit detection plugin, which in its current state detects hidden processes. This plugin uses the Windows Native API. The Native API is incompletely documented and is used internally by the Windows NT family of operating systems (NT, 2000, XP, Vista, Win7, etc). FreeFixer calls the Native API by placing the system call index in the eax register and then issuing sysenter or int 2Eh, depending on the platform. By using this procedure, FreeFixer can bypass some of the rootkit hooking techniques that hide running processes.

There is one problem though: the system call index numbers change from release to release, and Windows 7 was no exception, so the code needed an update. Here are some of the index numbers for the Windows 7 platform:

NtQuerySystemInformation  = 0x106
NtQueryInformationProcess = 0xe4
NtReadVirtualMemory       = 0x105
NtOpenProcess             = 0xbf

Hope this helps if you are porting your Native API calls to Windows 7.
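The hard-coded table above has to be maintained for every Windows build, and a direct syscall only gets you past hooks placed in user mode (a patched ntdll export or import table); a hook inside the kernel still sees the call. The following is an added example, not FreeFixer's code: it keeps the post's Windows 7 numbers in a table, but also recovers the index from the first bytes of the ntdll export stub, which on 32-bit XP/Vista/7 begins with mov eax, imm32 (opcode B8). A stub that no longer starts with B8 has been altered, typically by an inline hook that overwrote it with a jmp, and a rootkit scanner wants to know that rather than silently trust either source. The two sample stubs are constructed by hand to look like a clean and a patched NtQuerySystemInformation entry; they were not dumped from a real ntdll. Function and enum names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SYSCALL_UNKNOWN (-1)   /* "could not determine the index" */

/* Windows 7 x86 indices quoted in the post; other builds need their own rows. */
struct syscall_entry { const char *name; int index; };

static const struct syscall_entry win7_x86[] = {
    { "NtQuerySystemInformation",  0x106 },
    { "NtQueryInformationProcess", 0xe4  },
    { "NtReadVirtualMemory",       0x105 },
    { "NtOpenProcess",             0xbf  },
};

/* Hard-coded lookup, the approach the post takes. */
int syscall_index_from_table(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof win7_x86 / sizeof win7_x86[0]; i++)
        if (strcmp(win7_x86[i].name, name) == 0)
            return win7_x86[i].index;
    return SYSCALL_UNKNOWN;
}

/* Read the index out of a 32-bit ntdll Nt* export stub. On XP/Vista/7 x86 the
 * stub starts with "mov eax, imm32" (B8 + little-endian index). Anything else
 * means the stub has been modified, so refuse to trust it. */
int syscall_index_from_stub(const uint8_t *stub, size_t len)
{
    uint32_t imm;
    if (stub == NULL || len < 5 || stub[0] != 0xB8)
        return SYSCALL_UNKNOWN;
    imm = (uint32_t)stub[1] | ((uint32_t)stub[2] << 8)
        | ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
    if (imm > 0x0FFF)              /* real indices are a few hundred at most */
        return SYSCALL_UNKNOWN;
    return (int)imm;
}

enum resolve_status {
    RESOLVE_OK,             /* live stub and table agree */
    RESOLVE_STUB_TAMPERED,  /* stub is not a plain mov eax; table value returned */
    RESOLVE_MISMATCH,       /* stub parsed but disagrees with table: unknown build or patched */
    RESOLVE_FAILED          /* neither source gave an index */
};

/* Cross-check the live stub against the table. Disagreement is itself a finding
 * for a scanner: either user-mode code was patched or this build is unknown. */
int resolve_syscall_index(const char *name, const uint8_t *stub, size_t len,
                          enum resolve_status *status)
{
    int from_table = syscall_index_from_table(name);
    int from_stub = syscall_index_from_stub(stub, len);

    if (from_stub == SYSCALL_UNKNOWN && from_table == SYSCALL_UNKNOWN) {
        *status = RESOLVE_FAILED;
        return SYSCALL_UNKNOWN;
    }
    if (from_stub == SYSCALL_UNKNOWN) {
        *status = RESOLVE_STUB_TAMPERED;
        return from_table;
    }
    if (from_table != SYSCALL_UNKNOWN && from_table != from_stub) {
        *status = RESOLVE_MISMATCH;
        return SYSCALL_UNKNOWN;
    }
    *status = RESOLVE_OK;
    return from_stub;
}

/* Constructed samples (not dumped from a real ntdll). The first is laid out like
 * a clean Win7 x86 NtQuerySystemInformation stub: mov eax,106h / mov edx,7FFE0300h
 * / call [edx] / ret 10h. The second has its first five bytes replaced by jmp rel32. */
static const uint8_t sample_clean_stub[] = {
    0xB8, 0x06, 0x01, 0x00, 0x00, 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12, 0xC2, 0x10, 0x00
};
static const uint8_t sample_hooked_stub[] = {
    0xE9, 0x00, 0x10, 0x00, 0x00, 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12, 0xC2, 0x10, 0x00
};

int main(void)
{
    enum resolve_status st;
    int idx = resolve_syscall_index("NtQuerySystemInformation",
                                    sample_clean_stub, sizeof sample_clean_stub, &st);
    printf("clean stub:  index 0x%x, status %d\n", idx, (int)st);
    idx = resolve_syscall_index("NtQuerySystemInformation",
                                sample_hooked_stub, sizeof sample_hooked_stub, &st);
    printf("hooked stub: index 0x%x, status %d\n", idx, (int)st);
    return 0;
}
```

On a real system the stub bytes would come from the address GetProcAddress returns for the export in ntdll; the parser above is deliberately strict so that a stub rewritten by a hook is reported instead of decoded.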


20 February 2009

OpenProcess and Audiodg.exe

I'm currently working on getting my malware removal tool FreeFixer up and running on the Windows Vista platform. FreeFixer works by scanning the registry and the file system to find unwanted software. It also enumerates processes, their file names and their modules. This is where I ran into a minor problem. On Windows XP I had previously obtained the SeDebugPrivilege privilege (defined as SE_DEBUG_NAME) and then opened all processes with the OpenProcess system call, passing PROCESS_QUERY_INFORMATION | PROCESS_VM_READ as the requested access. However, on Windows Vista OpenProcess failed on Audiodg.exe with the ERROR_ACCESS_DENIED error code.

Audiodg.exe - a protected process

Windows Vista introduced a new type of process, the protected process. Protected processes are there to enhance support for digital rights management functionality in Windows Vista. [1]

A typical protected process does not allow injecting a thread into the process, accessing the virtual memory of the process, debugging the process, duplicating handles of the process, or changing the quota or working set of the process. You cannot open a typical protected process with PROCESS_QUERY_INFORMATION or PROCESS_VM_READ. Luckily Vista introduced PROCESS_QUERY_LIMITED_INFORMATION, which is a limited version of the PROCESS_QUERY_INFORMATION access right. This will allow you to open the process with OpenProcess and at least get the full path of the protected process. I think - please correct me if I'm wrong - that it's not possible to enumerate the modules of audiodg.exe without the help of a kernel-mode component?
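As an added example (not FreeFixer's code), here is the open-with-fallback sequence the post describes: enable SeDebugPrivilege, try OpenProcess with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, and on ERROR_ACCESS_DENIED retry with PROCESS_QUERY_LIMITED_INFORMATION, which is enough for QueryFullProcessImageName to return the image path. The caller is told which rights it actually got, because EnumProcessModules needs PROCESS_QUERY_INFORMATION and PROCESS_VM_READ and so cannot be used on a handle that only has the limited right. The fallback decision is kept in its own function, and the access-right constants are reproduced from the SDK so that function compiles and can be tested on a non-Windows host; the Win32 part only builds on Windows. Function names are mine.

```c
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600   /* Vista: needed for QueryFullProcessImageName */
#endif
#include <windows.h>
#else
/* Values copied from the Windows SDK so the decision logic builds elsewhere. */
typedef unsigned long DWORD;
#define PROCESS_QUERY_INFORMATION          0x0400
#define PROCESS_VM_READ                    0x0010
#define PROCESS_QUERY_LIMITED_INFORMATION  0x1000
#define ERROR_ACCESS_DENIED                5L
#endif
#include <stdio.h>
#include <stdlib.h>

/* What to retry with after OpenProcess(requested) failed with `error`.
 * Returns 0 when nothing sensible is left: the failure was not an access
 * problem, or we already asked for the limited right and a protected process
 * will not grant more from user mode. */
DWORD fallback_access(DWORD requested, DWORD error)
{
    if (error != ERROR_ACCESS_DENIED)
        return 0;
    if (requested & (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ))
        return PROCESS_QUERY_LIMITED_INFORMATION;
    return 0;
}

#ifdef _WIN32
/* Enable SeDebugPrivilege (SE_DEBUG_NAME) for this process, as the post does on XP. */
static int enable_debug_privilege(void)
{
    HANDLE tok;
    TOKEN_PRIVILEGES tp;
    int ok;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tok))
        return 0;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValueA(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        CloseHandle(tok);
        return 0;
    }
    AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL);
    /* AdjustTokenPrivileges returns TRUE even when the privilege was not assigned. */
    ok = (GetLastError() == ERROR_SUCCESS);
    CloseHandle(tok);
    return ok;
}

/* Open `pid` with the fullest rights it will grant and fetch its image path.
 * *granted reports the rights obtained so the caller knows whether module
 * enumeration is worth attempting at all. */
HANDLE open_for_scan(DWORD pid, DWORD *granted, char *path, DWORD pathlen)
{
    DWORD access = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ;
    HANDLE h = NULL;
    while (access != 0) {
        h = OpenProcess(access, FALSE, pid);
        if (h != NULL)
            break;
        access = fallback_access(access, GetLastError());
    }
    *granted = access;
    if (h != NULL && !QueryFullProcessImageNameA(h, 0, path, &pathlen))
        path[0] = '\0';
    return h;
}

int main(int argc, char **argv)
{
    DWORD pid, granted;
    char path[MAX_PATH];
    HANDLE h;
    if (argc < 2) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        return 1;
    }
    pid = (DWORD)strtoul(argv[1], NULL, 10);
    if (!enable_debug_privilege())
        fprintf(stderr, "warning: SeDebugPrivilege not enabled\n");
    h = open_for_scan(pid, &granted, path, sizeof path);
    if (h == NULL) {
        fprintf(stderr, "OpenProcess(%lu) failed: %lu\n", pid, GetLastError());
        return 1;
    }
    printf("pid %lu: %s (access 0x%lx)%s\n", pid, path, granted,
           granted == PROCESS_QUERY_LIMITED_INFORMATION ? " [limited only: protected process?]" : "");
    CloseHandle(h);
    return 0;
}
#endif
```

Run it against the PID of audiodg.exe on Vista or later and the access reported should be 0x1000 with the path still filled in; against an ordinary process the first OpenProcess succeeds and the full rights are reported.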


How to toggle tab size in Visual Studio using a macro

Here's a code snippet that toggles the C/C++ editor's tab size between 2, 4 and 8:

' Author: Roger Karlsson
' http://rogerkarlsson.com/blogs/programming/toggle-tab-size/
Public Module ToggleTabSize

    ' Toggle the C/C++ editor's tab size between 2, 4 and 8.
    Sub Toggle()
        Dim props As EnvDTE.Properties = DTE.Properties("TextEditor", "C/C++")
        Dim ts As EnvDTE.Property
        Dim ins As EnvDTE.Property

        ts = props.Item("TabSize")
        ins = props.Item("IndentSize")

        If ts.Value = 2 Then
            ts.Value = 4
            ins.Value = 4
        ElseIf ts.Value = 4 Then
            ts.Value = 8
            ins.Value = 8
        Else
            ts.Value = 2
            ins.Value = 2
        End If
    End Sub

End Module


How to get the module handle in an ATL DLL

In Visual C++ 6.0 you can use _Module.m_hInst to get the module handle in an Active Template Library (ATL) DLL project. In ATL 7.0, which comes with Visual Studio 2003 and Visual Studio 2005, "_Module" has been replaced, and you can use the m_hInst member of _AtlBaseModule instead:

const HMODULE hLib = _AtlBaseModule.m_hInst;

