Discussions

androidi
  • Malware in GTA5 mod made with C# (maybe) & workstation virtualization

    There might be a way to prevent code from that byte array to at least call APIs that are not in the readable code. Those unpackers and other obfuscators tend to be super easy to spot too as their execution pattern tends to be the same: unpack and run the just unpacked stuff and make API calls that are obfuscated. If obfuscated code is easy to spot by eye, it's not impossible to spot by computer as well with the right algo.

    A lot of malware also does pretty much the same things. So you could try to stop them in the act, but the whole point here was to make easy to use isolation that the malware can't detect and that has easier maintenance than a full VM. (With 3rd party sandbox solutions it's really hard to say how secure they really are, so I'm not using them.)

    The slowness issue can be solved by doing it only once and then having some service from which you can dl the recompiled executable based on signature or the hash of the original exe and where it came from. This could be optimized by only downloading the recompiled code and then ignoring executable code in the original exe, avoiding need to transfer resources.

  • Malware in GTA5 mod made with C# (maybe) & workstation virtualization

    (the linked post mentions C# but the wording leaves it a bit open what was really used)

    Instead of talking about "trust" I'll go with my usual "trust no one" and instead think about the situation where every downloaded executable needs to be considered malicious, and how to make handling that situation as easy as possible. The key here is to make it easy to determine whether a particular download is malicious or not. If the user opts to trust anyway, well, that's their option. But those of us who choose to never trust should have our life made easier.

    Instead of "anti-virus" (which according to the gta5forum thread, none in virustotal alerted about this. anti-virus is a trust based concept - it requires me to trust the AV vendor and wait till they have analyzed everything I want to run) ...

    ... have a hook in OS that decompiles executables before running them and then compiles the decompiled code and runs that instead. This ensures that every bit of code on the system is a) moddable should you want/need to b) easier to verify with code analysis tools for malicious behavior. Then ...

    ... if the user wants to run code that didn't decompile cleanly, they need to approve that or opt to run it in some sort of "secure desktop" that is essentially a virtual machine that's super easy to use, embedded right into the Windows shell. E.g. no need to install VM software; you could just have multiple desktops and then a checkbox would turn them into a VM. Then various drives and folders could be disabled from the VM from the right click context menu. Also you could opt to set the VM desktop to be clean except for stuff that was installed (updates, apps). So after clicking that box, all apps installed on the "host" would appear in the VM clean but in a state as if the app was just installed, without user data. (Obviously any Windows updates installed in the "root desktop" would get installed also into the virtualized desktops without taking any more space on disk unless you opted out of that. So the virtualized desktops are essentially the same as the first user desktop by default, and the user then opts out of existing things instead of needing to re-install everything like in VMs today.)

    For "bonus points", everything in the VM secure desktops would be fully auditable from a "root desktop" which had tools similar to process monitor/explorer, sysmon etc and was able to monitor all the secure desktops, so malware running in the secure desktop vm's would not be able to see that any monitoring tools are even in use.

    http://gtaforums.com/topic/794383-malware-inside-angry-planes-noclip-mod/page-7#entry1067465309

  • What have you used C# stackalloc for?

    So are the pointer operations under C#'s unsafe safer than plain old C pointers in case a bug slips into a release optimized build? The reference source did not mention what kind of speed gain was had from the use of unsafe. I was simply surprised to see that there without a note of what kind of relative gain was to be had vs the non-unsafe version.

    I leave benchmark results in comments when doing optimization - sort of leaving a rationale in the comments for why is something done in a particular manner that may not be obvious later. Maybe your internal code has that and it's just not in the reference source?

    MSDN says "it is your responsibility to ensure that your code does not introduce security risks or pointer errors". If you have someone reviewing your code then that helps, so for MS code maybe this is a lesser deal (particularly if you have a verifier that can handle the unsafe code).

  • What have you used C# stackalloc for?

    I was just wondering about the gains had by doing this (I use c# so I can avoid having unsafe things in my networking stuff - didn't really expect it in something that could parse hostile input but maybe the gains justify it IDK). & No clue on what caused that one instance one slow step. It just made me look into it for sign of network code (which would've been surprising had I found any).

  • What have you used C# stackalloc for?

    I started using Uris more, so I'm using UriBuilder too. During debug there was a 1s delay when new UriBuilder("url") was made. So I went around with ILSpy to see what's up (I don't think UriBuilder goes to the network - maybe VS did look up some symbols or something).

    In http://referencesource.microsoft.com/system/net/System/URI.cs.html#577 this is actually using fixed and not stackalloc.

            // Copy the candidate scheme characters (uriString[num..num2)) into a stack buffer;
            // the decompiler rendered the element store as pointer arithmetic on short*.
            char* ptr = stackalloc char[num2 - num];
            length = 0;
            while (num < num2)
            {
                ptr[length++] = uriString[num];
                num += 1;
            }
            // Validate (and lower-case) the scheme directly in the stack buffer
            err = Uri.CheckSchemeSyntax(ptr, length, ref syntax);

    // Checks the scheme characters in place: letters are lower-cased by OR-ing with ' ' (0x20),
    // digits and "+", "-", "." are allowed after the first character, anything else is a BadScheme.
    private unsafe static ParsingError CheckSchemeSyntax(char* ptr, ushort length, ref UriParser syntax)
    {
        // The first character must be a letter
        char c = *ptr;
        if (c < 'a' || c > 'z')
        {
            if (c < 'A' || c > 'Z')
            {
                return ParsingError.BadScheme;
            }
            *ptr = (char)(c | ' ');    // upper -> lower case
        }
        for (ushort num = 1; num < length; num += 1)
        {
            char c2 = ptr[num];
            if (c2 < 'a' || c2 > 'z')
            {
                if (c2 >= 'A' && c2 <= 'Z')
                {
                    ptr[num] = (char)(c2 | ' ');    // upper -> lower case
                }
                else if ((c2 < '0' || c2 > '9') && c2 != '+' && c2 != '-' && c2 != '.')
                {
                    return ParsingError.BadScheme;
                }
            }
        }
        // Only now is a managed string built from the (already lower-cased) buffer
        string lwrCaseScheme = new string(ptr, 0, (int)length);
        syntax = UriParser.FindOrFetchAsUnknownV1Syntax(lwrCaseScheme);
        return ParsingError.None;
    }

  • Anyone with HttpClient experience and working code? edit: looks like server issue

    ... edit: I have/had a problem where HttpClient times out repeatedly while wget downloads same file quickly. But that was yesterday. Now I can't repro this... both wget and httpclient take forever (httpclient times out still with default timeout)

  • C# BCL WriteAllText and encoding. Is the default what you'd expect?

    In case it's relevant, the download started like this:

    <?xml version="1.0" encoding="UTF-8"?> ...

  • C# BCL WriteAllText and encoding. Is the default what you'd expect?

    MSDN: "This method uses UTF-8 encoding without a Byte-Order Mark (BOM), so using the GetPreamble method will return an empty byte array. If it is necessary to include a UTF-8 identifier, such as a byte order mark, at the beginning of a file, use the WriteAllText(String, String, Encoding) method overload with UTF8 encoding."

    1) How does this make sense?

    2) If the file is always overwritten with the no encoding overload, isn't it "edge case" in that scenario to not want a BOM?

    Idea: The xml summary for WriteAllText should tell you to use the overload if you want UTF8 with BOM or something else.

  • C# BCL WriteAllText and encoding. Is the default what you'd expect?

    ...Changing CultureInfo didn't do anything for the default

  • C# BCL WriteAllText and encoding. Is the default what you'd expect?

    EDIT: I was talking about html but noticed it's xml

    I'm not sure what is going on here. I suppose my Windows locale configuration might have an effect here, but how come "no encoding specified" is different from Encoding.Default.. Whut?

    xml size, download and save method:

    HttpClient...  .Content.CopyToAsync(File.OpenWrite(...));

      Size (bytes)   Encoding                       Result
      84 645         Download to stream             OK

    HttpClient...  .Content.ReadAsStringAsync();
    File.WriteAllText(...,...,[Encoding]);

      Size (bytes)   Encoding                       Result
      84 645         Encoding.GetEncoding(1252)     OK
      84 645         Encoding.Default               OK
     169 292         Encoding.Unicode               OK
      84 812         Encoding.UTF8                  OK
      84 645         Encoding.ASCII                 garbage (? symbols after links in xml)
      84 809         No encoding specified          garbage (Â symbols after links in xml)
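One explanation consistent with the "Â" symbols and the byte counts above is that the string was already mis-decoded by ReadAsStringAsync (UTF-8 bytes read as Windows-1252) before WriteAllText re-encoded it. The following constructed C# program is an added example, not code from the post; it assumes .NET Framework on a Windows-1252 system (so Encoding.Default is code page 1252) and simulates the mis-decode by decoding a small UTF-8 XML fragment with that code page.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Text;

// Added example (not from the post). Assumes .NET Framework on a Windows-1252 system, where
// Encoding.Default is code page 1252 and GetEncoding(1252) needs no provider registration.
static class WriteAllTextEncodingDemo
{
    // Constructed XML fragment: a non-breaking space (U+00A0, UTF-8 bytes C2 A0) right after a link.
    const string Xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><a href=\"http://example.invalid/\">x</a>\u00A0<b/>";

    static void Main()
    {
        byte[] wireBytes = Encoding.UTF8.GetBytes(Xml);

        // Simulated ReadAsStringAsync fallback: no charset in the response, body decoded as 1252,
        // so the byte pair C2 A0 turns into the two characters 'Â' + nbsp instead of one nbsp.
        Encoding cp1252 = Encoding.GetEncoding(1252);
        string misdecoded = cp1252.GetString(wireBytes);
        Console.WriteLine("wire: {0} bytes, mis-decoded string contains 'Â': {1}",
                          wireBytes.Length, misdecoded.Contains("\u00C2"));

        string path = Path.GetTempFileName();
        try
        {
            Report(path, misdecoded, null,           wireBytes); // UTF-8 without BOM: +2 bytes per nbsp
            Report(path, misdecoded, cp1252,         wireBytes); // undoes the mis-decode byte for byte
            Report(path, misdecoded, Encoding.UTF8,  wireBytes); // as the default plus a 3-byte BOM
            Report(path, misdecoded, Encoding.ASCII, wireBytes); // same length, but non-ASCII chars become '?'
        }
        finally { File.Delete(path); }
    }

    // Writes the text with the given encoding (null = the overload without an Encoding argument),
    // then reports size, BOM presence and whether the bytes on disk equal the original wire bytes.
    static void Report(string path, string text, Encoding enc, byte[] expected)
    {
        if (enc == null) File.WriteAllText(path, text);
        else             File.WriteAllText(path, text, enc);

        byte[] written = File.ReadAllBytes(path);
        bool bom = written.Length >= 3 && written[0] == 0xEF && written[1] == 0xBB && written[2] == 0xBF;
        Console.WriteLine("{0,-22} {1,4} bytes  BOM={2,-5}  identical to wire bytes={3}",
                          enc == null ? "no encoding given" : enc.WebName,
                          written.Length, bom, written.SequenceEqual(expected));
    }
}
```

Only the 1252 run reproduces the original bytes; writing with any Unicode encoding preserves the wrong characters, which is why the file grows and shows "Â" in a UTF-8 viewer.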