Mathematical gamester no more

Posted on May 24, 2010. Filed under: Uncategorized

The amazing mathematical gamester Martin Gardner passed away. May his soul rest in puzzles.

FRAVIA Passed Away

Posted on June 24, 2009. Filed under: Uncategorized

Overview on rootkits

Posted on May 20, 2009. Filed under: Uncategorized

An interesting overview article on rootkits can be found at SecurityFocus.

WinDbg 6.11.1.402 released

Posted on February 8, 2009. Filed under: Uncategorized

Get it from WHDC, or see www.windbg.org for quick links.

Getting NETMassDownloader to work behind proxy

Posted on February 11, 2008. Filed under: Uncategorized

After struggling for a few minutes, I added code to NETMassDownloader to provide proxy credentials.

Steps:

Download NETMassDownloader source from CodePlex. Open the solution in Visual Studio.

In the DownloadLibrary project, open PDBWebClient.cs. In the constructor, add the following code:

  public PDBWebClient()
  {
      //...
      //...
      // Route all downloads through the proxy and supply the credentials it expects.
      base.Proxy = new System.Net.WebProxy(new Uri("webproxyUri"));
      base.Proxy.Credentials = new System.Net.NetworkCredential("username", "password", "domain");
  }

Build the solution and run it. It should work without hitches.

Updated (18-2-2008): Kerem has made v1.2 available, which takes the proxy details as a parameter. You can download it here. Thanks Kerem.

DELL OptiPlex 755 XP SP2 installation BSOD

Posted on January 25, 2008. Filed under: Debugging, Uncategorized

Just got a DELL OptiPlex 755 (with an STMicro TPM chip). It comes with Vista Ultimate.

When we tried to install XP SP2 from boot, just as Windows starts after loading the setup drivers, we ended up with a BSOD crash with stop code 0x0000007B. Naturally, this stop code points to some issue with the IDE controllers.

I looked into the BIOS and saw that we have a SATA hard disk. Fine. The next step was to look at which controller it is using. In this case it is set to AHCI (Advanced Host Controller Interface) by default. I had my suspicions about this, changed it to ATA and tried to install XP SP2. Voila! It worked!

Sidenote: I also draw debugging cartoons and other gags at my website: http://www.simianart.com. For debugging cartoons, visit the Dump Analysis site.

Have fun.

Vista lmCompatibilityLevel setting

Posted on December 27, 2007. Filed under: Uncategorized

Finally, after struggling to get applications to communicate correctly with the proxy server on Windows Vista, I found that setting lmCompatibilityLevel to 2 makes all of them work, including Windows Vista Update, which was always giving error 0x80072eef.
See this article: http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/

OllyDbg: Break on access

Posted on November 26, 2007. Filed under: Uncategorized

I’m not able to set Break on access (memory breakpoint) in OllyDbg. There is no visual indication that this breakpoint is set 😦 (the Breakpoints list does not show it either).

ObjRef moniker issue: how to release?

Posted on August 20, 2007. Filed under: Uncategorized

We were using an ObjRef moniker to represent an instance of an object in our product. The idea is to get monikers for two instances and pass them into a function. After this function returns, we get the objects represented by the monikers and call Release() on them. To get the objref moniker we use the API CreateObjRefMoniker() and finally call the IMoniker::GetDisplayName() interface method. GetDisplayName() increments the ref-count and returns; we finally release it with an obj->Release() call, as said above.

Our product was crashing when we retrieved monikers, used them and Release()d them during the second operation. One operation consists of retrieving two monikers for two instances, using them and calling Release() on them. The second operation is similar, with two new instances and two monikers: use them and call Release() on them.

When I debugged, I saw the following pattern (addresses are fake, just for example; this is the first operation):

Obj1 – this pointer – 0x00aaaaaa – ref_count = 1

Get the IUnknown and IMoniker pointers (not considering the increments in ref_count here, for simplicity; anyway, the autoptr releases them before the function returns).

Call GetDisplayName() on these objects. Immediately after calling GetDisplayName() we have:

Obj1 – this pointer – 0x00aaaaaa – ref_count = 2

Call Release() on the created instance (we have the moniker string anyway, and the object stays alive):

Obj1 – this pointer – 0x00aaaaaa – ref_count = 1

Same steps as above for object 2:

Obj2 – this pointer – 0x00bbbbbb – ref_count = 1

Obj2 – this pointer – 0x00bbbbbb – ref_count = 2

Obj2 – this pointer – 0x00bbbbbb – ref_count = 1

Use the moniker strings and finally call Release() on the objects represented by the monikers:

MonikerObj1->Release() – 0x00aaaaaa – ref_count = 0

MonikerObj2->Release() – 0x00bbbbbb – ref_count = 0

Both objects are destroyed. Everything is OK.

During the second operation, when we create a new object, COM creates it at the same location as the first time (perhaps reusing the memory location?):

Second_Obj1 – this pointer – 0x00aaaaaa – ref_count = 1

Get the IUnknown and IMoniker pointers (again not considering the increments in ref_count here; the autoptr releases them before the function returns).

Call GetDisplayName() on these objects. Immediately after calling GetDisplayName() we have:

Obj1 – this pointer – 0x00aaaaaa – ref_count = 1 [HERE IS THE DIFFERENCE: GetDisplayName() did not increment the ref_count.]

Call Release() on the created instance. We assumed the moniker string is present and the object will stay alive:

Obj1->Release() – 0x00aaaaaa – ref_count = 0 [OBJECT IS DESTROYED. THE MONIKER STRING WE HAVE POINTS TO A NON-LIVING OBJECT.]

Now we create another instance. Since the previous one is destroyed, COM yet again creates the new instance at the same location!

Obj2 – this pointer – 0x00aaaaaa – ref_count = 1

Call GetDisplayName(). This time too it does not increment. So during the second operation we end up with moniker strings representing non-living objects, and during the final Release() we crash.

So, what is causing GetDisplayName() not to increment the ref_count during the second operation? I searched the net and couldn’t find an answer, so I decided to disassemble Ole32.dll and analyze it.

I’ll skip the details. Here is the crux: internally, the this pointer gets marshaled, and Ole32 maintains some kind of PIDTable. Some kind of hash is performed and the “this” pointer gets cached. During GetDisplayName(), a lookup is performed with the “this” pointer. If it is not found, a new CIDObject() is created, the ref_count is incremented on the “this” pointer, and the entry is cached. Next time, if the same “this” pointer comes along, GetDisplayName() simply returns from the cache. I believe this is the default implementation, to speed things up. In that case the “this” ref_count is NOT incremented.

To solve this issue, we need to somehow clear this cache. I set an access breakpoint on this table with WinDbg and saw that during CoUninitialize() the IMarshal::DisconnectObject() method is called, which calls Release on the cached “this” pointer and clears the cache. Gotcha! All I needed now was to know whether Ole32 exposes any method which internally calls IMarshal::DisconnectObject(). A simple MSDN search gave me the promising API ::CoDisconnectObject(). Still, the documentation is not clear on whether it clears the cache I’m looking at. Fire up PEBrowsePro, disassemble Ole32!CoDisconnectObject(). Preliminary analysis showed that a lookup is performed on the PIDTable. Due to virtual method calls, it is not clear from the disassembly what exactly happens.

Anyway, to test it out, I called ::CoDisconnectObject( &monikerobj1, 0); and followed it in WinDbg. I saw that the cache is indeed cleared and the object is correctly destroyed.

So, this is what I learned: to release an ObjRef moniker correctly, one must call ::CoDisconnectObject() instead of calling Release() on it.
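To make the ref-count pattern above reproducible without a COM runtime, here is an added Python model (not code from the post, and not Ole32): a tiny allocator that hands freed addresses back to the next allocation (the post saw the new object land at 0x00aaaaaa both times), an object with COM-style AddRef/Release, and a cache keyed on the `this` pointer that stands in for the PIDTable found by disassembly. The class and function names (`Heap`, `PIDTable`, `release_via_moniker`, `simulate`) are this model's own. Running `simulate(False)` reproduces the 1, 2, 1 then 1, 1, 0 traces and the use-after-free on the final release; `simulate(True)` replaces that release with the CoDisconnectObject-style cache disconnect and completes cleanly.

```python
"""Constructed model of the ObjRef-moniker ref-count pattern in the post above:
an allocator that reuses freed addresses, COM-style AddRef/Release, and a cache
keyed on the `this` pointer standing in for the PIDTable. Not Ole32 code."""


class UseAfterFree(Exception):
    """A moniker string resolved to an address with no live object."""


class Heap:
    """Allocator that reuses the lowest freed address first (as the post saw)."""

    def __init__(self):
        self.next_addr = 0x00AAAAAA
        self.free = set()
        self.live = {}  # address -> ComObject

    def alloc(self, obj):
        if self.free:
            addr = min(self.free)
            self.free.remove(addr)
        else:
            addr, self.next_addr = self.next_addr, self.next_addr + 0x111111
        self.live[addr] = obj
        return addr

    def destroy(self, addr):
        del self.live[addr]
        self.free.add(addr)


class ComObject:
    """COM-style reference counting; reaching 0 frees the address."""

    def __init__(self, heap):
        self.heap = heap
        self.ref_count = 1
        self.this = heap.alloc(self)

    def add_ref(self):
        self.ref_count += 1
        return self.ref_count

    def release(self):
        self.ref_count -= 1
        if self.ref_count == 0:
            self.heap.destroy(self.this)
        return self.ref_count


class PIDTable:
    """Cache keyed on the `this` pointer, as the post describes."""

    def __init__(self):
        self.entries = {}

    def get_display_name(self, obj):
        # First sight of this pointer: AddRef and cache it. A later object at
        # the same address is treated as already known and gets no AddRef.
        if obj.this not in self.entries:
            obj.add_ref()
            self.entries[obj.this] = obj
        return f"objref:{obj.this:08x}"

    def disconnect(self, addr):
        # CoDisconnectObject stand-in: drop the entry, release the cached ref.
        cached = self.entries.pop(addr, None)
        return cached.release() if cached is not None else None


def addr_of(name):
    return int(name.split(":")[1], 16)


def release_via_moniker(heap, name):
    """What the crashing code did: Release() on whatever lives at the address."""
    obj = heap.live.get(addr_of(name))
    if obj is None:
        raise UseAfterFree(f"{name} points to a destroyed object")
    return obj.release()


def operation(heap, table, use_codisconnect, trace):
    """One operation from the post; appends ref_count after each step to trace."""
    names = []
    for _ in range(2):
        obj = ComObject(heap)
        trace.append(obj.ref_count)              # 1 after creation
        names.append(table.get_display_name(obj))
        trace.append(obj.ref_count)              # 2 first time, 1 when cached
        trace.append(obj.release())              # instance released
    for name in names:                           # monikers used; now free them
        if use_codisconnect:
            table.disconnect(addr_of(name))
        else:
            release_via_moniker(heap, name)


def simulate(use_codisconnect):
    """Run both operations; report traces, whether it crashed, live objects left."""
    heap, table, traces, crashed = Heap(), PIDTable(), [], False
    try:
        for _ in range(2):
            traces.append([])
            operation(heap, table, use_codisconnect, traces[-1])
    except UseAfterFree:
        crashed = True
    return {"traces": traces, "crashed": crashed, "live": len(heap.live)}
```

The point the model makes visible is that a cache keyed on a raw address survives the object it was created for; once the address is recycled, the cache hands out a stale entry with no new reference, and the caller's Release() frees the object out from under its own moniker string. Disconnecting the cache entry (the CoDisconnectObject route) is what both drops the stale key and releases the reference the cache held.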

Stupid Sify Broadband client

Posted on August 20, 2007. Filed under: Uncategorized

Yet another issue with the Sify BBClient. It doesn’t recognize the BitDefender antivirus software installed on the system. It always asks me to install an anti-virus first and then connect to the net. Effectively, no connection until I install an AV it recognizes!

Fired up OllyDbg and debugged the app. When it connects to the Sify gateway, it gets an XML document listing the recognized AV products, something like:

<Tool Desc="McAfee ManagedVirusScan" key="HKEY_LOCAL_MACHINE\Software\McAfee\ManagedServices" action="RS"/>
<Tool Desc="TrendMicro" key="HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin" action="RS"/>

So all this stupid app does is check whether the registry key is present. If it is, then you have it. So what I did was simply add the PC-cillin registry entry, and voila! It thinks my system has what it expects and allows me to connect to the net.

To,

The Manager,

SIFY Broadband dept.

Hire some decent programmers to write your apps, not those losers passing out of private engineering colleges. Do you at least have design documents, or was it ad-hoc development? How the hell can you allow only McAfee, Norton and Trend products in your recognized AV list? Ignorance or stupidity?
