Didier Stevens

Wednesday 16 January 2008

XORSearch V1.3.0

Filed under: My Software — Didier Stevens @ 7:57

Maarten Van Horenbeeck’s post gave me the idea for a new feature for my XORSearch tool: searching for a list of strings. This is achieved with the -f option, like this:

XORSearch -f urls malware.exe

urls is a text file containing a list of URLs to search for.

You’ll still have to use a script if you want to search in more than one file.
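The list search that -f performs, as an added Python illustration (not the XORSearch source): each string from the list file is tried under every single-byte XOR key, and a hit reports the key and offset so the surrounding bytes can be decoded for inspection. The URL list and the buffer are constructed sample data.

```python
def _xor(buf, key):
    """XOR every byte of buf with the single-byte key."""
    return bytes(b ^ key for b in buf)

def parse_needle_list(text):
    """Turn the contents of the -f list file into byte strings, one per non-blank line."""
    return [line.strip().encode() for line in text.splitlines() if line.strip()]

def xor_search(data, needles, keys=range(256)):
    """Return (key, offset, needle) for every needle found under any single-byte XOR key.

    The needle is encoded instead of the whole file, so each (key, needle) pair costs
    one bytes.find() pass over data. Key 0 reports plaintext hits.
    """
    hits = []
    for key in keys:
        for needle in needles:
            encoded = _xor(needle, key)
            pos = data.find(encoded)
            while pos != -1:
                hits.append((key, pos, needle))
                pos = data.find(encoded, pos + 1)
    return hits

def decode_around(data, key, offset, length=32):
    """Decode a window starting at a hit with the same key, to read the context."""
    return _xor(data[offset:offset + length], key)

# Constructed list file: a blank line in the middle is skipped, like an empty line in 'urls'.
URLS = "http://example.com/update\n\nhttp://example.net/c2\n"

def sample_buffer():
    """Constructed buffer: a fake header, one URL XOR'ed with 0x42, another with 0x7F."""
    return (b"MZ\x90\x00" + b"\x00" * 12
            + _xor(b"http://example.com/update", 0x42) + b"\x42" * 4
            + _xor(b"http://example.net/c2", 0x7F))

if __name__ == "__main__":
    for key, off, needle in xor_search(sample_buffer(), parse_needle_list(URLS)):
        print(f"key 0x{key:02X} offset {off}: {needle.decode()}")
```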

And there is something new about the XORSearch.exe in the ZIP file. First one to post a comment with the correct answer gets an honorable mention 😉

Monday 14 January 2008

Quickpost: GUI vs. CUI

Filed under: Quickpost — Didier Stevens @ 9:47

Sometimes I read the following programmer’s question:

When I launch my program from the command line, I get a new prompt immediately. What API should I call to let my program display a new prompt only when it is done?

This is often related to scripting: calling this kind of program from a BAT file is a problem, because the BAT file will continue executing while the program is still running.

In fact, this behavior is not defined through coding in the program itself, but by a setting in the header of the program. For WIN32 applications, the value of the SUBSYSTEM parameter is 2 (IMAGE_SUBSYSTEM_WINDOWS_GUI) for a GUI application and 3 (IMAGE_SUBSYSTEM_WINDOWS_CUI) for a console application. A programmer can change this setting by selecting the appropriate option for his compiler. And if one can’t recompile the program, just use a binary editor or a PE file editor. It’s important to understand that console applications are not limited to console interaction, and GUI applications are not limited to GUI interaction. A console application can create windows and a GUI application can create consoles.

It is the shell (cmd.exe) that decides if it waits for the end of the launched program or not, based on the value of the SUBSYSTEM parameter. Take a look at the source code of cmd.exe for ReactOS (this is Open Source):

[image: reactos-cmd.png]

After your program is successfully started (CreateProcess), the shell will check if the new process is a console or GUI application (IsConsoleProcess). If it’s a console application, the shell will wait for the program to terminate (WaitForSingleObject), and then it will set the ErrorLevel to the return code. But if it’s a GUI application, it will not wait and it will set the ErrorLevel immediately to 0. That is why you immediately get a new command prompt when you launch a GUI application from the shell: it’s the shell itself that decides not to wait.

So if a programmer wants cmd.exe to wait for the end of its program, he has to declare it as a console application, even if it uses a GUI. There is a drawback however, because when this program is launched from explorer.exe (and not cmd.exe), a console will be automatically created by Windows. The only trick I found to avoid this is to hide the console programmatically (but it will still appear briefly when your program is started).

You can try the following experiment to better understand the SUBSYSTEM parameter without resorting to programming:

  • take a copy of notepad.exe
  • change the SUBSYSTEM parameter of this copy from 2 to 3
  • launch the copy from Windows Explorer
  • launch the copy from cmd.exe
  • launch the copy from a BAT file

Quickpost info


Friday 11 January 2008

The Case of the Missing Digital Signatures Tab

Filed under: Encryption — Didier Stevens @ 9:07

The title of this post is inspired by Mark Russinovich‘s posts. I explain why there is a category of executables with a digital signature that don’t show a “Digital Signatures” tab in the properties dialog, and I release a tool to manipulate digital signatures.

Executables (PE files) can have a digital signature; Microsoft calls this signature AuthentiCode. There are 2 different ways to sign a PE file: by adding a digital signature to the PE file (embedded digital signature) or by adding a hash of the PE file to a security catalog file (filetype .CAT).

The Properties dialog of a file hosts a Digital Signatures tab when the PE file has an embedded digital signature, like this Windows patch from Microsoft:

[image: patch-properties.png]

But when a file is signed via a security catalog file, the Digital Signatures tab is not displayed. Notepad is a good example:

[image: notepad-properties.png]

To check the digital signature of this category of files, one uses Microsoft’s signtool or Mark’s sigcheck utility:

[image: notepad-signcheck.png]

These tools will calculate the hash of the file, look it up in the appropriate security catalog file and check the signature of the security catalog file. One can find security catalog files in directory C:\windows\system32\catroot:

[image: sp2-cat-tab1.png]

[image: sp2-cat-tab2.png]

For an embedded digital signature, the location of the signature is at the end of the signed file. Look for DATA_DIR Security in IMAGE_DATA_DIRECTORIES of the optional PE header. It has a pointer (4 bytes) to the signature and the length (4 bytes) of the signature. The pointer is just the offset in the binary file. When these bytes are all zero (0x00), the PE file has no embedded digital signature.
Here is the PE header of another Windows patch:

[image: pe_header.png]

In this patch, the signature entry can be found at offset 0xF4E00 in the file and is 0x2428 bytes long:

[image: der-signature.png]

The first 4 bytes of the signature entry are the size, the following 4 bytes are a constant (0x00020200), and the rest is the PKCS7 signature. This signature can be extracted with a binary editor and parsed with openssl:

[image: openssl.png]

Finally, I wrote a small Python program to manipulate embedded digital signatures. Features of disitool:

  • delete a signature: disitool.py delete signed-file unsigned-file
  • copy a signature: disitool.py copy signed-source-file unsigned-file signed-file
  • extract a signature: disitool.py extract signed-file signature
  • add a signature: disitool.py add signature unsigned-file signed-file
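The header walk described in this post and in the GUI vs. CUI quickpost above, as an added Python example (not disitool itself and not Microsoft's code): it locates the Subsystem field of the optional header, reads the DATA_DIR Security entry, and returns the PKCS7 blob that follows the 8-byte size/constant header. The PE it builds for demonstration is a constructed stub, not a real signed binary.

```python
import struct

SUBSYSTEM_GUI, SUBSYSTEM_CUI = 2, 3       # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of DATA_DIR Security
def _optional_header(data):
    """Return (offset of the optional header, True if PE32+), via e_lfanew at 0x3C."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe + 4 + 20                      # skip 'PE\0\0' and the 20-byte COFF header
    return opt, struct.unpack_from("<H", data, opt)[0] == 0x20B

def get_subsystem(data):
    opt, _ = _optional_header(data)
    return struct.unpack_from("<H", data, opt + 68)[0]   # Subsystem field

def set_subsystem(data, value):
    """Return a copy with the Subsystem field patched (what the notepad experiment does)."""
    opt, _ = _optional_header(data)
    buf = bytearray(data)
    struct.pack_into("<H", buf, opt + 68, value)
    return bytes(buf)

def security_directory(data):
    """Return (file offset, size) of the DATA_DIR Security entry; (0, 0) means unsigned."""
    opt, plus = _optional_header(data)
    dirs = opt + (112 if plus else 96)     # start of IMAGE_DATA_DIRECTORIES
    return struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

def extract_signature(data):
    """Return the PKCS7 blob behind the 8-byte WIN_CERTIFICATE header, or None if unsigned."""
    off, size = security_directory(data)
    if off == 0 and size == 0:
        return None
    length, rev, ctype = struct.unpack_from("<IHH", data, off)
    if rev != 0x0200 or ctype != 0x0002:   # the 0x00020200 constant seen in the hex dump
        raise ValueError("unexpected WIN_CERTIFICATE header")
    return data[off + 8:off + length]

def build_sample_pe(pkcs7):
    """Constructed minimal PE32 stub (GUI subsystem) with an appended signature entry."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<H", opt, 68, SUBSYSTEM_GUI)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
    sig_off = len(dos) + 4 + len(coff) + len(opt)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sig_off, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert
```

Running extract_signature on a real file and piping the result to openssl reproduces the parse shown in the screenshot; patching the Subsystem value with set_subsystem leaves the signature bytes in place but, like any other header edit, invalidates the hash it covers.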

Tuesday 8 January 2008

Quickpost: Windows Server 2008 UserAssist Keys

Filed under: Forensics,My Software,Quickpost — Didier Stevens @ 21:18

My first post for 2008 has to be about Windows Server 2008.

It looks like the UserAssist entries for Windows Server 2008 have the same format as for Windows Vista; my UserAssist tool can also extract the data from Windows Server 2008:

[image: windows-2008-userassist.png]

Like Vista, the Windows Server 2008 browserui.dll file (version 6.0.6001.17051) contains only 5 UEME strings:

UEME_RUNPATH
UEME_CTLCUACount:ctor
UEME_CTLSESSION
UEME_RUNPIDL
UEME_RUN
Monday 31 December 2007

How Can I Trust the BeID Runtime?

Filed under: Encryption — Didier Stevens @ 10:57

As a Belgian citizen, I was issued an electronic ID (eID) by the federal government. It’s essentially a smart card with personal data, my picture (jpeg) and a couple of X.509 certificates for authentication and digital signing.

One of its applications is authentication on web sites. And this is already possible now, provided I have a smart card reader and I install the necessary software provided by the federal government.

Now take a look at the properties of the Windows setup file for the eID client software:

[image: beid-properties.png]

Now I expect to see something here, but it’s missing. Do you miss it too? Here’s a hint:

[image: beid-properties-authenticode.png]

That’s right, the installation program is not digitally signed (AuthentiCode). Neither are any of the executables installed by the installation program.

I’m surprised that the government invests in a PKI to issue IDs to all its citizens, yet it doesn’t deem it necessary to invest in a delivery mechanism that certifies the origin and integrity of the client software.

Tuesday 25 December 2007

Building the Pocket EICAR Test File Server

Filed under: Hardware — Didier Stevens @ 9:11

As I promised last week, here are the technical details of the Pocket EICAR Test File Server.

I bought a mini AVR web server from Tuxgraphics; it’s an AVR microcontroller with an Ethernet controller on a small PCB. The goal is to integrate some sensors (like temperature) and actuators (central heating) into my home network, but my first project was to learn to program it and develop a small web server framework.

The board is ready for operation; I just had to solder 2 wires to provide power and a programming connector. You’ll need an AVR In-System Programmer to upload your compiled C program to the microcontroller. Tuxgraphics sells one that plugs into a USB port, and it has the big advantage for me that it comes with a Linux Live-CD with all the programming tools on it. This way, I didn’t have to spend time building my own development environment. First I tested the web server, programmer and LiveCD on a real computer with an example from Tuxgraphics. After being satisfied that it worked, I created a virtual machine, booted from the LiveCD, configured networking and sshd, and now I develop on that VM. But because it’s a LiveCD and settings are not persisted, I have to take a snapshot before shutting down the VM.

The board has an Ethernet controller, which means that you have to implement the IP functions you need in software on the AVR microcontroller. For example, to get a ping reply from the pocket server, you have to write code to identify the ICMP request, build the reply and transmit it, like this:

[image: petfs-ping.png]

Likewise, you have to write code to handle ARP requests, which are essential for IP operation.

And for HTTP web serving, you have to implement TCP connections (e.g. SYN SYN-ACK ACK), parse the HTTP requests and send the corresponding replies. Building on Tuxgraphics’ example, I developed a simple framework to serve static and dynamic HTML pages. All is in the website array that is initialized in the InitWebsite function:

[image: petfs-website.png]

Use one entry per web page. The first pointer of each entry points to the URL you want to serve, like /info.html. The second pointer is the content type, like HTML or plain text. And the third pointer points to the static content you want to serve. Set this pointer to NULL for dynamic content.

So if you just want to serve static pages for HTTP GET requests, modifying the code doesn’t require real programming skills. In the source code, just change the MAC address and IP address, redimension the website array and populate it with your pages.

But for dynamic pages, you’ll have to write a function that generates the dynamic content, and call that function when the dynamic page is requested:

[image: petfs-http-handling.png]

In this example, we check if the index of the requested page (iHTTPURL) equals the index of the status.html page (URL_STATUS). If it does, we call the MakeStatusResponse function that will generate the web page displaying a counter.

You have to realize that this is a very basic HTTP server. It doesn’t keep state for the connections and it’s not multithreaded. If you need a more robust embedded web server, there are solutions like the FOX Board, it runs the BOA web server under Linux.

Download:

eicar.tar.gz (https)

MD5: A8D42CA6628A699C4C76A8412639CEDF

SHA256: 20760F7085830C73BBAE4C1D962D625429920079EFD9A5F38372953B1B5C7896

Untar and make. To program the mini AVR web server: make load_eicar

Sunday 23 December 2007

Quickpost: Retrieving an SSL Certificate

Filed under: Encryption,Quickpost — Didier Stevens @ 9:37

I recently had to inspect the SSL certificate of an e-mail provider (secure POP connection). Here is a quick HOWTO using the Google Mail website as an example.

Issue this command on a box with openssl:

openssl s_client -connect mail.google.com:443 > google

Then cancel the command with CTRL-C.

A base64 representation of the web site’s certificate will be included in the output you redirected to the google file:

[image: 20071223-openssl-output.png]

To inspect the certificate with openssl, use this command:

openssl x509 -in google -text

[image: 20071223-openssl-text.png]

Or convert it to a certificate in DER format and open it on a Windows box:

openssl x509 -in google -outform DER -out google.der

[image: 20071223-certificate.png]

Tuesday 18 December 2007

Pocket EICAR Test File Server

Filed under: Entertainment,Hardware,Malware — Didier Stevens @ 7:36

Like last year, I produced an anti-virus related Season’s Greetings movie.

The movie is hosted here on YouTube, and you can find a hires version (XviD) here.

Next week, you’ll get the technical details of this pocket web server.

Happy New Year!

Sunday 9 December 2007

Quickpost: Restoring Safe Mode with a .REG File for Windows 2000 SP4 Professional

Filed under: Uncategorized — Didier Stevens @ 11:00

I added the SafeBoot registry keys for Windows 2000 SP4 Professional to the zip file and updated the post.
Monday 3 December 2007

Looking for N800 Beta Testers, No Voyeurs Please ;-)

Filed under: My Software,N800 — Didier Stevens @ 9:06

I’ve developed a new application for my N800, psurveil (Photo Surveillance). It automatically takes pictures with the N800’s built-in camera at regular intervals and stores them as jpeg files.

[image: screenshot-2007-12-02-21-02-09.png]

You can find the installation package here (unzip and copy the deb package to your N800) and the source code here. And be careful, it’s beta. On my N800, it takes about 30 seconds to start, and it doesn’t run as root.

So if you’ve got a baby and are looking for an excuse to get an N800, this turns your N800 into a baby monitor, kinda.

From the source code:

psurveil (Photo Surveillance) is a program for the Nokia N800.
It automatically takes pictures with the N800’s built-in camera at regular intervals
and stores them as jpeg files.

usage:
– Pop out the camera, and close all programs using the camera.
– Start psurveil. On my N800, it takes very long to start, sometimes a half minute.
– Use the menu to review the settings.
– Interval is the number of minutes between pictures.
– Repeats is the number of pictures to take, minus 1.
– Folder is the directory to store the pictures. The directory must exist.
Settings are stored with GConf, and there is no input validation.
– Click on the “Start surveillance” buttons to start the surveillance. A first picture
is immediately saved, and another picture every Interval minutes, and this Repeats times.
The filename of the jpeg is composed with the date & time when the picture was taken.
There is no monitoring of free diskspace.

Example:
The settings for this example are:
– Interval=1
– Repeats=3
– folder=/home/user/MyDocs/.images
These settings will take 4 pictures over a period of 4 minutes, starting when the button is clicked.
Pictures are stored in the Images folder:
20071127-194647.jpeg
20071127-194747.jpeg
20071127-194847.jpeg
20071127-194947.jpeg

I developed this program by merging the example_camera.c and example_alarm.c Maemo example programs.
There are some quirks in the real-time video display, they originate from the example_camera.c program.
If you know how to fix this, let me know.
I’m not an experienced Maemo developer (neither GTK developer), this is my first program for the N800,
so use this program at your own risk, and respect the privacy of others.

I put my code for this program in the Public Domain. For the code copy-pasted from the examples,
read the copyright below.

Todo (no guarantee that these ever get done):
– Input validation
– Folder creation
– Toggle to flip the picture

History:
22/11/2007 example_camera and example_alarm merged
23/11/2007 jpeg filename is current date & time
25/11/2007 0.1.3 added menu & menu functions
26/11/2007 coded settings dialog
27/11/2007 0.2.0 code review
28/11/2007 0.2.1 input validation for numbers in settings dialog
