09 Feb Google Making Gmail Into a Communications Hub http://bit.ly/apWJZH
08 Feb FreeFixer v0.53 released today: http://www.freefixer.com/about/release-notes.html
07 Feb C++: A language for next generation web apps? ;) http://stevehanov.ca/blog/index.php?id=95
06 Feb freddy84.exe, new Koobface variant. 45% of the anti-virus programs detect it: http://www.freefixer.com/library/file/51500/
05 Feb Oracle rushes out patch for gaping server hole http://bit.ly/boXwLE
05 Feb Mozilla Firefox hit by malware add-ons http://bit.ly/d47gCw
05 Feb SafePcAv Scareware http://bit.ly/aUr8Hh
05 Feb Does Blippy really pose a security risk? http://bit.ly/dxNNBg
04 Feb MS Patch Tuesday heads-up: 13 bulletins, 26 vulnerabilities http://bit.ly/d2EnBY
04 Feb A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang http://bit.ly/9J9eLx
04 Feb Microsoft warns of new IE data-leakage vulnerability http://bit.ly/d44erz
03 Feb PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild http://bit.ly/aN7fJA
03 Feb Starting to build a tiny API for FreeFixer's online file library: http://www.freefixer.com/library/
03 Feb How did you do on the Webmaster Quiz? http://bit.ly/aDd0AI
03 Feb Adobe CTO Defends Flash Against Apple, HTML5 http://bit.ly/aheJAq
02 Feb Code execution holes in iPhone OS, iPod Touch http://bit.ly/ckdALv
I'm currently porting FreeFixer to the Windows 7 platform. Luckily the different flavors of Windows do not differ that much from one release to another, so most of the unit tests worked without any changes to the existing code.

There's one piece of code that needed an update though, and it's the rootkit detection plugin, which in its current state detects hidden processes. This plugin uses the Windows Native API. The Native API is incompletely documented and used internally by the Windows NT operating systems (NT, 2000, XP, Vista, Win7, etc). FreeFixer calls the Native API by putting the system call's index in the eax register and then using sysenter or int 2Eh, depending on the platform. By using this procedure, FreeFixer can bypass some of the rootkit hooking techniques that hide running processes.

There is one problem though: the system call index numbers have changed from release to release, and Windows 7 was no exception, so the code needed an update. The following lists some of the index numbers for the Windows 7 platform:

NtQuerySystemInformation = 0x106
NtQueryInformationProcess = 0xe4
NtReadVirtualMemory = 0x105
NtOpenProcess = 0xbf
Hope this helps if you are porting your Native API calls to Windows 7.
I'm currently working on getting my malware removal tool FreeFixer up and running on the Windows Vista platform. FreeFixer works by scanning the registry and the file system to find unwanted software. It also enumerates processes, their file names and their modules. This is where I ran into a minor problem. On Windows XP I had previously obtained the SeDebugPrivilege privilege (defined as SE_DEBUG_NAME) and then opened all processes with the OpenProcess system call, passing PROCESS_QUERY_INFORMATION | PROCESS_VM_READ as the requested access.

However, on Windows Vista OpenProcess failed on audiodg.exe with the ERROR_ACCESS_DENIED error code.

Windows Vista introduced a new type of process, the protected process. Protected processes are there to enhance support for digital rights management functionality in Windows Vista. [1]
A typical protected process does not allow injecting a thread into the process, accessing the virtual memory of the process, debugging the process, duplicating handles of the process, or changing the quota or working set of the process.

You cannot open a typical protected process with PROCESS_QUERY_INFORMATION nor PROCESS_VM_READ. Luckily Vista introduced PROCESS_QUERY_LIMITED_INFORMATION, which is a limited version of the PROCESS_QUERY_INFORMATION access right. This will allow you to open the process with OpenProcess and at least get the full path of the protected process. I think - please correct me if I'm wrong - that it's not possible to enumerate the modules of audiodg.exe without the help of a kernel-mode component?
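The fallback described above, as an added PowerShell example that is not FreeFixer's code: it tries OpenProcess with the XP-era rights (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ), and when that fails with ERROR_ACCESS_DENIED retries with PROCESS_QUERY_LIMITED_INFORMATION and reads the image path through QueryFullProcessImageName, which only needs the limited right. The function names Test-ProcessAccess and Get-ImagePathFromHandle are my own; the access-right and error constants are the Windows SDK values. It assumes Windows Vista or later and a PowerShell with Add-Type available.

```powershell
# Added example (not FreeFixer code): classify running processes by the
# OpenProcess access level that succeeds, falling back to the limited
# query right that protected processes such as audiodg.exe still grant.

Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageName(IntPtr hProcess, uint dwFlags,
    System.Text.StringBuilder lpExeName, ref uint lpdwSize);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Access rights and error code from the Windows SDK headers.
$PROCESS_VM_READ                   = 0x0010
$PROCESS_QUERY_INFORMATION         = 0x0400
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # introduced with Vista
$ERROR_ACCESS_DENIED               = 5

function Get-ImagePathFromHandle {
    param([IntPtr]$Handle)
    # QueryFullProcessImageName works with PROCESS_QUERY_LIMITED_INFORMATION only.
    $buf = New-Object System.Text.StringBuilder 1024
    [uint32]$len = $buf.Capacity
    if ([Win32.Proc]::QueryFullProcessImageName($Handle, 0, $buf, [ref]$len)) {
        return $buf.ToString(0, $len)
    }
    return $null
}

function Test-ProcessAccess {
    param([uint32]$ProcessId)
    $result = [ordered]@{ Pid = $ProcessId; Access = 'none'; Error = $null; Path = $null }

    # First attempt: the rights FreeFixer used on XP (query + read memory).
    $full = $PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ
    $h = [Win32.Proc]::OpenProcess($full, $false, $ProcessId)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # read immediately
    if ($h -ne [IntPtr]::Zero) {
        $result.Access = 'full'
        $result.Path = Get-ImagePathFromHandle $h
        [void][Win32.Proc]::CloseHandle($h)
        return [pscustomobject]$result
    }

    $result.Error = $err
    if ($err -ne $ERROR_ACCESS_DENIED) { return [pscustomobject]$result }

    # Access denied: retry with the limited right a protected process still allows.
    $h = [Win32.Proc]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -ne [IntPtr]::Zero) {
        $result.Access = 'limited'
        $result.Path = Get-ImagePathFromHandle $h
        [void][Win32.Proc]::CloseHandle($h)
    } else {
        $result.Error = $err
    }
    return [pscustomobject]$result
}

# Usage: list every process that refused the full rights, with whatever path
# the limited right still yields (audiodg.exe is the expected case on Vista).
Get-Process | ForEach-Object { Test-ProcessAccess -ProcessId $_.Id } |
    Where-Object { $_.Access -ne 'full' } |
    Format-Table Pid, Access, Error, Path -AutoSize
```

Run it from an elevated prompt so the token holds SeDebugPrivilege, as the post describes; without it, processes of other users also fail the first OpenProcess for ordinary ACL reasons, so an entry marked 'limited' is a candidate for a protected process, not proof of one. Nothing in the output tells you the process's modules, which matches the limitation the post raises: the limited right yields the image path and basic information only.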
Here's a code snippet that toggles the C/C++ editor's tab size between 2, 4 and 8:
' Author: Roger Karlsson
' http://rogerkarlsson.com/blogs/programming/toggle-tab-size/
Public Module ToggleTabSize
' Toggle the C/C++ editor's tab size between 2, 4 and 8.
Sub Toggle()
Dim props As EnvDTE.Properties = DTE.Properties("TextEditor", "C/C++")
Dim ts As EnvDTE.Property
Dim ins As EnvDTE.Property
ts = props.Item("TabSize")
ins = props.Item("IndentSize")
If ts.Value = 2 Then
ts.Value = 4
ins.Value = 4
ElseIf ts.Value = 4 Then
ts.Value = 8
ins.Value = 8
Else
ts.Value = 2
ins.Value = 2
End If
End Sub
End Module
In Visual C++ 6.0 you can use _Module.m_hInst to get the module handle
in an Active Template Library (ATL) DLL project. In ATL 7.0, which comes with
Visual Studio 2003 and Visual Studio 2005, "_Module" has been replaced
and you can use the m_hInst member in _AtlBaseModule:
const HMODULE hLib = _AtlBaseModule.m_hInst;