Entries:
Comments:
Posts:

Loading User Information from Channel 9

Something went wrong getting user information from Channel 9

Latest Achievement:

Loading User Information from MSDN

Something went wrong getting user information from MSDN

Visual Studio Achievements

Latest Achievement:

Loading Visual Studio Achievements

Something went wrong getting the Visual Studio Achievements

Discussions

Blue Ink Blue Ink
  • Invent a better solution for a deceptively simple problem (AKA how I change de folder)

    Technically there is a way: DLL injection. Minus the DLL injection part... as it turns out, kernel32 is always loaded in every process at the same address and SetCurrentDirectory is compatible with LPTHREAD_START_ROUTINE, so you can call CreateRemoteThread without having to write a DLL.

    Here's a rough proof of concept (as in: written in a rush, tested for two minutes on exactly one machine)

    #include "stdafx.h"
    #include <Windows.h>
    #include <TlHelp32.h>
    
    DWORD GetParentProcessId () {
      DWORD processId = GetCurrentProcessId ();
      HANDLE snapshot = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, processId);
    
      if (snapshot == INVALID_HANDLE_VALUE) {
        _tprintf (_T("Cannot create shapshot.\n"));
        ExitProcess (0);
      }
    
      PROCESSENTRY32 processEntry;
      processEntry.dwSize = sizeof (PROCESSENTRY32);
      if (Process32First (snapshot, &processEntry)) {
        do {
          if (processEntry.th32ProcessID == processId) {
            return processEntry.th32ParentProcessID;
          }
        }  while (Process32Next (snapshot, &processEntry));
      }
    
      ExitProcess (0);
    }
    
    BOOL EnableDebugPrivileges () {
      HANDLE token;
      LUID sedebugnameValue;
      TOKEN_PRIVILEGES privileges;
    
      if (OpenProcessToken (GetCurrentProcess (), TOKEN_ADJUST_PRIVILEGES| TOKEN_QUERY, &token)) {
        if (LookupPrivilegeValue (NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
          privileges.PrivilegeCount = 1;
          privileges.Privileges[0].Luid = sedebugnameValue;
          privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    
          if (AdjustTokenPrivileges (token, FALSE, &privileges, sizeof (privileges), NULL, NULL)) {
            CloseHandle (token);
            return TRUE;
          }
        }
        CloseHandle (token);    
      }
    
      return FALSE;
    }
    
    int _tmain (int argc, _TCHAR* argv []) {
      DWORD processId = GetCurrentProcessId ();
      DWORD parentProcessId = GetParentProcessId ();
      _TCHAR pathname [MAX_PATH];
    
      if (argc < 2) {
        if (GetCurrentDirectory (MAX_PATH, pathname)) {
          _tprintf (_T ("%s\n"), pathname);
        }
        return 0;
      }
    
      if (_tclen (argv [1]) >= MAX_PATH) {
        _tprintf (_T ("The filename or extension is too long.\n"));
        return 0;
      }
    
      if (! SetCurrentDirectory (argv [1])) {
        _tprintf (_T ("The system cannot find the path specified.\n"));
      }
    
      //TODO: get the actual casing in the pathname
      wcscpy_s (pathname, argv [1]);
    
      if (! EnableDebugPrivileges ()) {
        _tprintf (_T ("Error: Cannot enable debug privileges."));
        return 0;
      }
    
      HANDLE target = OpenProcess (PROCESS_ALL_ACCESS, FALSE, parentProcessId);
      if (target != INVALID_HANDLE_VALUE) {
        HMODULE kernel32 = LoadLibrary (_T("kernel32.dll"));
        if (kernel32 != NULL) {
          FARPROC address = GetProcAddress (kernel32, "SetCurrentDirectoryW");
          if (address != NULL) {
            LPVOID remoteMemory = VirtualAllocEx (target, 0, sizeof (pathname), MEM_COMMIT| MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            if (remoteMemory != NULL) {
              if (WriteProcessMemory (target, remoteMemory, pathname, sizeof (pathname), NULL)) {
                HANDLE handle = CreateRemoteThread (target, NULL, 0, (LPTHREAD_START_ROUTINE) address, remoteMemory, 0, NULL);
                if (handle == NULL) {
                  _tprintf (_T ("Error: %d"), GetLastError ());
                } else {
                  WaitForSingleObject (handle, 1000);
                  CloseHandle (handle);
                }
              }
              VirtualFreeEx (target, remoteMemory, 0, MEM_RELEASE);
            }
          }
          FreeLibrary (kernel32);
        }
        CloseHandle (target);
      }
      return 0;
    }
    

    A couple of notes:

    1) Due to the assumption about kernel32, the program must match the "bitness" of the command prompt.

    2) The program doesn't require elevation, but I wouldn't be surprised if it didn't work for a restricted user.

    EDIT: fixed a bad typo in VirtualFreeEx

  • IE9 copy & paste removes line returns

    @androidi: It doesn't seem to be Google's fault this time: the minimum repro I could find is:

    <div style="display: table">
      <div>
        This text cannot be selected
      </div>
    </div>

    If you remove the "display: table" directive, or remove the inner nested div, the problem disappears. Weird...

  • Happy birthday, Linux!

    Hey, I thought nobody was supposed to comment on Windows 8 until build.

    //TODO: find an appropriate smiley

  • Channel 9 show idea

    ,cbae wrote

    *snip*

    That's why I think they shouldn't call the new version Windows 8. They should call it Windows 7 R2. How long as Apple's OS been stuck on "version" 10?

    Maybe Apple feared back compatibility. Lots of programmers have written incredibly bad code when checking for version numbers, maybe because they don't think their application will stay around long enough, or because they don't think they will still be around when the excrement hits the ventilation system. Or something... but historically, bumping up the major version number has proved to be a big source of headaches.

  • Toshiba Mango, waterproof.

    @JoshRoss: I don't think that alone would suffice: repelling water is great, but it doesn't take a very large droplet to short a USB connector. I just hope they didn't overuse the ugly silicone plug covers.

  • Select Case behavior

    ,evildictait​or wrote

    *snip*

    Every time you write your own hash function a cryptographer somewhere cries.

     

    @Blue Ink: If you're writing hardware code that is timing sensitive and writing it in something other than C or assembly, then you're doing it wrong.

    Obviously. And using C would still expose you to the subtle difference between eager and short-circuit operators... unfortunately mine wasn't an academic example.

    As for the other comment, I think the hash function has little to do with what blowdart was referring to. If you use a method that fails early (such as short-circuit evaluation, or even just memcmp) when comparing some secret value with another submitted by the attacker, you may be giving away how much of the submitted value is correct. It's the same as making a combination lock that emits a louder tick whenever you hit on a partial result.

    In the end, someone may cry, but it won't necessarily be a cryptographer.

  • Worthless Hardware Latency ​Qualificati​on

    @exoteric: It's a minefield. WHQL may be imperfect, but there are two things that keep everybody reasonably happy: it's perceived as a level field and failures are not publicly disclosed. Neither condition would ever be possible with a public beta and things would get ugly real quick.

  • Worthless Hardware Latency ​Qualificati​on

    @androidi: no, it's the job of Nvidia to write a driver that performs as it should. What WHQL is all about is making sure that a bad driver doesn't cause a blue screen. Performance is none of their concerns.

    And even if it were, they may not get their job done: hardware manufacturer will go to extreme lengths to beat the competition while passing WHQL with flying colors... there's an old post by Raymond Chen on the subject. Recommended read.

  • Realtime 3D scanning and ​reconstruct​ion with Kinect

    ,kettch wrote

    @W3bbo: Why does it have to be done with only RGB cameras?

    [snip]

    Probably because we have overwhelming evidence that it can be done, at least using some biological substitutes of an RGB camera.

  • Select Case behavior

    ,Adam​Speight2008 wrote

    *snip*

    The boolean value could be result of a side effecting function. Or the evaluate of each takes a while. Why even evaluate the second argument if you don't need to?

    That was my point exactly. By using & instead of &&, either you are wasting time, or your code relies on obscure side-effects. Neither is desirable, unless you are dealing with...

    ,blowdart wrote

    *snip*

    Timing attacks on security functions Smiley Some functions should never exit early on failure - comparing hash values for example.

    This is a legitimate case where short-circuiting is undesirable, and that can also happen elsewhere (for instance, time sensitive code in firmware). Yet, in these cases I prefer not to rely on a subtle difference and express my intent more clearly. Maintenance happens.