I’m sure you’ve seen the following warning before:
But have you ever wondered where the Windows Security Center gets its info? (BTW, Microsoft renamed it Windows Action Center in Windows 7).
It gets the information from the Windows Management Instrumentation (WMI) interface, more precisely from the WMI namespaces \root\SecurityCenter and \root\SecurityCenter2. I wrote a small script to display this info:
You can download the script here.
It’s also possible to modify this WMI information. Say you’ve uninstalled an antivirus program, but it still shows up in the Windows Security Center. Then you can delete the WMI information with the utility wbemtest.exe.
Start wbemtest (if you’re on Windows Vista or 7, you need to elevate wbemtest) and click on connect.
Type the namespace you want to change: \root\SecurityCenter or \root\SecurityCenter2 (SecurityCenter2 is a recent addition). And then click Connect.
Click on Enum Classes…
Then click OK
Then double-click the type of information you want to change. Here we change AntiVirusProduct:
Then click Instances
And now you can change the information. Here we delete it:
Just like EMET, HeapLocker can allocate a page at address 0 (null or 0x00000000) to mitigate null pointer dereferencing.
I actually implemented this code in HeapLocker because I wanted to find out how one can allocate a page at address 0. You see, when you call VirtualAlloc with address 0, VirtualAlloc will allocate a page at an address chosen by VirtualAlloc, and not at address 0. So I would think that the trick is to call VirtualAlloc with address 1, and that VirtualAlloc will allocate a page that contains address 1, and that this page must start at boundary 0.
But the problem is that you get an error when you try to allocate a page at address 1 with VirtualAlloc. Ivanlef0u explains this in his blog post (French): VirtualAlloc rejects addresses below 0x1000, so one must use NtAllocateVirtualMemory to successfully allocate the page containing address 1.
I wrote another script for my 010 Editor.
Like its name implies, DumpStrings will dump all the strings (ASCII and UNICODE) found in a file, or a selection in a file, to the output tab.
Strings must be at least 5 characters long (defined with a #define statement in the script).
UNICODE support is very simple for the moment: 7-bit values in a 16-bit character (MSB or LSB).
Take into account that this is not designed for large files: it will take too long. But it’s easy to analyze partial files without having to save the selection for analysis with another strings tool.
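The scan DumpStrings performs, reimplemented here in Python as an added example (this is not the 010 Editor script itself): runs of printable ASCII, and UNICODE runs of 16-bit characters holding a 7-bit value with the zero byte either after (LSB first) or before (MSB first) the ASCII byte, both with the same minimum length of 5 and reported with their file offset. The sample buffer is constructed for the example.

```python
MIN_LENGTH = 5                          # same role as the #define in the original 010 Editor script
PRINTABLE = set(range(0x20, 0x7F))      # 7-bit printable ASCII, used for both ASCII and UNICODE runs

def find_ascii_strings(data, min_length=MIN_LENGTH):
    """Return [(offset, text)] for runs of at least min_length printable ASCII bytes."""
    results, start = [], None
    for i in range(len(data) + 1):
        if i < len(data) and data[i] in PRINTABLE:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_length:
                results.append((start, data[start:i].decode('ascii')))
            start = None
    return results

def find_unicode_strings(data, min_length=MIN_LENGTH):
    """Return [(offset, 'LE'|'BE', text)] for runs of 16-bit chars holding a 7-bit printable
    value: ASCII byte then 0x00 (LSB first) or 0x00 then ASCII byte (MSB first)."""
    candidates = []
    for order, zero in (('LE', 1), ('BE', 0)):  # position of the 0x00 byte inside each char
        for parity in (0, 1):                   # strings need not start on a 2-byte boundary
            start, i = None, parity
            while i <= len(data):
                ok = i + 1 < len(data) and data[i + zero] == 0 and data[i + 1 - zero] in PRINTABLE
                if ok:
                    start = i if start is None else start
                else:
                    if start is not None and (i - start) // 2 >= min_length:
                        candidates.append((start, i, order, data[start + 1 - zero:i:2].decode('ascii')))
                    start = None
                i += 2
    # An LE run also reads as a one-char-shorter BE run shifted by one byte (and vice versa):
    # keep only the longest run covering any byte range.
    kept = []
    for c in sorted(candidates, key=lambda c: c[0] - c[1]):
        if not any(k[0] <= c[0] and c[1] <= k[1] for k in kept):
            kept.append(c)
    return sorted((start, order, text) for start, _, order, text in kept)

def dump_strings(data):
    # Merge both scans into [(offset, kind, text)] ordered by offset, like the script's output tab
    found = [(o, 'ASCII', t) for o, t in find_ascii_strings(data)]
    found += [(o, 'UNICODE-' + order, t) for o, order, t in find_unicode_strings(data)]
    return sorted(found)

# Constructed sample: a too-short ASCII fragment, an ASCII, a UTF-16LE and a UTF-16BE string, and a 4-char run below MIN_LENGTH
SAMPLE = (b'\x00\x01MZ\x90\x00' + b'Hello, World!' + b'\x00\xff'
          + 'DumpStrings'.encode('utf-16-le') + b'\x00'
          + 'reversed'.encode('utf-16-be') + b'\x01abcd\x02')
```

A run that is immediately preceded by a 0x00 byte is genuinely ambiguous between LSB-first and MSB-first, and such a run is reported in both orders.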
My TaskManager.xls spreadsheet is very popular, so here’s a new version.
I’ve added a couple of columns with info I need (the Filename, the process Creation time and a 32/64 bit indicator).
And this new version also enables the debug privilege to display info for processes of other users. Of course, you need the debug privilege in the first place for this to work. So you have to be a local admin, and if you use an OS with UAC, you have to elevate the Excel application (run as administrator).
TaskManager.xls works on 64-bit Windows, provided you use 32-bit Excel. It doesn’t work on 64-bit Excel yet; I’ll release a new version that does later.