All Blog Entries

  1. PE Validator Script

    Checking the validity of a PE file is a very difficult task, but checking a .NET assembly is even more complicated, since you have to check the tables' integrity, the code integrity, the stack integrity etc. Ok, there's already a tool that does that, provided by the .NET framework. However, that tool isn't perfect either and doesn't check some other problems. When I wrote my .NET compiler I spent literally days figuring out what was wrong, one time or another, in the format I produced, and the MS tools didn't help. But let's not go OT, I just wanted to say that a topic on the woodmann forum triggered my interest because it was a good opportunity to test the CFF Explorer's scripting capabilities. So, yesterday I took two hours and wrote a little script (called PE Validator Script) which checks for some of the most common problems in a PE. Since it's a script (thus open source) it can be expanded easily.

    You can find it in the extensions repository:

    Here are the current checks:

    -- check CRC32 (useful for drivers)
    -- check number of rva and sizes
    -- check image size
    -- check sections
    -- check that EP is valid
    -- check that EP is in code
    -- check that the EP section is executable
    -- check data directories RVAs
    -- check whether the API IsDebuggerPresent is imported

    Don't be too serious about it, it's just a thing I did for fun.
  2. KeGetCurrentIrql can't return HIGH_LEVEL

    I was playing with IRQL and spotted one interesting thing. If IRQL is raised to HIGH_LEVEL, then KeGetCurrentIrql will return wrong info about IRQL:

    .text:800123B8 ; __fastcall KfRaiseIrql(x)
    .text:800123B8                 public @KfRaiseIrql@4
    .text:800123B8 @KfRaiseIrql@4  proc near     
    .text:800123B8                 movzx   edx, cl
    .text:800123BB                 movzx   ecx, ds:_HalpIRQLtoTPR[edx]
    .text:800123C2                 mov     eax, ds:0FFFE0080h
    .text:800123C7                 mov     ds:0FFFE0080h, ecx
    .text:800123CD                 shr     eax, 4
    .text:800123D0                 movzx   eax, ds:_HalpVectorToIRQL[eax]
    .text:800123D7                 retn
    .text:800123D7 @KfRaiseIrql@4  endp
    Decode IRQL to Task Priority Register [APIC_base+0x80]

    .text:80012398 _HalpIRQLtoTPR  db   0h  <--- PASSIVE_LEVEL (0)
    .text:80012399                 db  3Dh  <--- APC_LEVEL  (1)
    .text:8001239A                 db  41h  <--- DISPATCH_LEVEL (2)
    .text:8001239B                 db  41h  
    .text:8001239C                 db  51h  
    .text:8001239D                 db  61h  <--- CMCI_LEVEL (5)
    .text:8001239E                 db  71h
    .text:8001239F                 db  81h 
    .text:800123A0                 db  91h
    .text:800123A1                 db 0A1h
    .text:800123A2                 db 0B1h 
    .text:800123A3                 db 0B1h 
    .text:800123A4                 db 0B1h 
    .text:800123A5                 db 0B1h 
    .text:800123A6                 db 0B1h
    .text:800123A7                 db 0B1h 
    .text:800123A8                 db 0B1h
    .text:800123A9                 db 0B1h 
    .text:800123AA                 db 0B1h
    .text:800123AB                 db 0B1h 
    .text:800123AC                 db 0B1h
    .text:800123AD                 db 0B1h 
    .text:800123AE                 db 0B1h
    .text:800123AF                 db 0B1h 
    .text:800123B0                 db 0B1h
    .text:800123B1                 db 0B1h 
    .text:800123B2                 db 0B1h
    .text:800123B3                 db 0C1h  <--- PROFILE_LEVEL (27)
    .text:800123B4                 db 0D1h  <--- CLOCK1/2_LEVEL (28)
    .text:800123B5                 db 0E1h  <--- IPI_LEVEL  (29)
    .text:800123B6                 db 0EFh  <--- POWER_LEVEL(30)
    .text:800123B7                 db 0FFh  <--- HIGH_LEVEL (31)
    Also there is an array used to decode the Task Priority Register to IRQL:

    .data:8001D218 _HalpVectorToIRQL db   0h        <--- PASSIVE_IRQL                                       
    .data:8001D219                   db 0FFh
    .data:8001D21A                   db 0FFh
    .data:8001D21B                   db    1        <--- APC_LEVEL
    .data:8001D21C                   db    2        <--- DISPATCH_LEVEL
    .data:8001D21D                   db 0FFh
    .data:8001D21E                   db 0FFh
    .data:8001D21F                   db 0FFh
    .data:8001D220                   db 0FFh
    .data:8001D221                   db 0FFh
    .data:8001D222                   db 0FFh
    .data:8001D223                   db 0FFh
    .data:8001D224                   db  1Bh        <--- PROFILE_LEVEL
    .data:8001D225                   db  1Ch        <--- CLOCK1/2_LEVEL
    .data:8001D226                   db  1Dh        <--- IPI_LEVEL and POWER LEVEL
                                                         are different in Task priority sub-class
                                                         (lower 8bits of Task Priority Register)
    .data:8001D227                   db  1Eh        <--- POWER_LEVEL
    Basically if we are running at HIGH_LEVEL, KeGetCurrentIrql will always return POWER_LEVEL. The calculation is simple here: it uses the Task Priority, the upper 8 bits of the TPR (Task Priority Register), as an index into _HalpVectorToIRQL (a better name for this 2nd array would be _HalpTPRtoIRQL).

    So are you sure that you are running at HIGH_IRQL? or POWER_LEVEL?
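    The two tables above, replayed in Python, as an added example that is not part of the original post: it mirrors KfRaiseIrql, and assumes KeGetCurrentIrql decodes the TPR the same way KfRaiseIrql's tail does (TPR >> 4 as index into _HalpVectorToIRQL). It goes one step beyond the text and checks every named level, not only HIGH_LEVEL.

```python
PASSIVE_LEVEL, APC_LEVEL, DISPATCH_LEVEL = 0, 1, 2
PROFILE_LEVEL, CLOCK_LEVEL, IPI_LEVEL, POWER_LEVEL, HIGH_LEVEL = 27, 28, 29, 30, 31

# _HalpIRQLtoTPR as listed above: 32 bytes, index = IRQL, value = TPR to program.
HALP_IRQL_TO_TPR = (
    [0x00, 0x3D, 0x41, 0x41, 0x51, 0x61, 0x71, 0x81, 0x91, 0xA1]
    + [0xB1] * 17
    + [0xC1, 0xD1, 0xE1, 0xEF, 0xFF]
)
# _HalpVectorToIRQL as listed above: 16 bytes, index = TPR >> 4; 0xFF marks
# slots the dumped table maps to no IRQL.
HALP_VECTOR_TO_IRQL = [0x00, 0xFF, 0xFF, 0x01, 0x02] + [0xFF] * 7 + [0x1B, 0x1C, 0x1D, 0x1E]
assert len(HALP_IRQL_TO_TPR) == 32 and len(HALP_VECTOR_TO_IRQL) == 16

NAMED_LEVELS = [PASSIVE_LEVEL, APC_LEVEL, DISPATCH_LEVEL, PROFILE_LEVEL,
                CLOCK_LEVEL, IPI_LEVEL, POWER_LEVEL, HIGH_LEVEL]


def decode_tpr(tpr: int) -> int:
    """Tail of KfRaiseIrql: shr eax, 4 ; movzx eax, _HalpVectorToIRQL[eax].
    The mask only keeps this toy in bounds for TPR values above 0xFF."""
    return HALP_VECTOR_TO_IRQL[(tpr >> 4) & 0xF]


class ApicSim:
    """Stand-in for the local APIC Task Priority Register at APIC_base + 0x80."""

    def __init__(self) -> None:
        self.tpr = HALP_IRQL_TO_TPR[PASSIVE_LEVEL]

    def kf_raise_irql(self, new_irql: int) -> int:
        """Mirror of @KfRaiseIrql@4: program the new TPR, return the old IRQL."""
        old_tpr = self.tpr
        self.tpr = HALP_IRQL_TO_TPR[new_irql]
        return decode_tpr(old_tpr)

    def ke_get_current_irql(self) -> int:
        """Assumption: decodes the TPR exactly as KfRaiseIrql does."""
        return decode_tpr(self.tpr)


def round_trip(irql: int) -> int:
    """IRQL that KeGetCurrentIrql reports right after KfRaiseIrql(irql)."""
    return decode_tpr(HALP_IRQL_TO_TPR[irql])


def mismatched_named_levels() -> dict:
    """Named levels whose encode/decode round trip lands on another level."""
    return {irql: round_trip(irql) for irql in NAMED_LEVELS if round_trip(irql) != irql}


if __name__ == "__main__":
    sim = ApicSim()
    sim.kf_raise_irql(HIGH_LEVEL)
    print("after KfRaiseIrql(HIGH_LEVEL), KeGetCurrentIrql() ->", sim.ke_get_current_irql())
    print("levels that do not survive the round trip:", mismatched_named_levels())
```

Besides HIGH_LEVEL decoding as POWER_LEVEL, the same two tables map POWER_LEVEL (TPR 0xEF) to IPI_LEVEL, since both 0xE1 and 0xEF share the index 14 entry.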
  3. aMSN Input Validation Error

    Risk: Low
    Type: Input Validation Error

    Affected: all aMSN versions, both on Windows and Linux platforms.

    Like Microsoft MSN, aMSN has a nice feature for exporting and importing your list of
    contacts.

    This list is dumped into an XML file (file extension .ctt) with this structure:

    <?xml version="1.0"?>
    <service name=".NET Messenger Service">
    <contact> your_contact@xxxx.yy</contact>

    aMSN does not validate the contacts you insert correctly; precisely, it does not parse
    the format of this file, and suddenly when you import a malformed contact list it

    Here is an example of a malformed input list:

    <?xml version="1.0"?>
    <service name=".NET Messenger Service">


    Or another possibility:

    <?xml version="1.0"?>
    <service name=".NET Messenger Service">

    This will cause aMSN to freeze.

    If you use the same "trick" with MS Messenger, a MessageBox will advise you of the malformed

    See you at the next post
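    A strict loader for the .ctt structure shown above, as an added example that is not aMSN's code: it rejects anything that is not well-formed XML with the expected root, service name and contact entries, so a malformed list ends in an error message instead of an unparsed import. The size limits, the address pattern and the sample documents are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

SERVICE_NAME = ".NET Messenger Service"
# Conservative shape check for a contact address (assumption, not aMSN's rule).
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$")
MAX_CONTACTS = 1000
MAX_BYTES = 256 * 1024


class ContactListError(ValueError):
    pass


def load_contact_list(data: bytes) -> list:
    """Parse a .ctt file and return its addresses, or raise ContactListError."""
    if len(data) > MAX_BYTES:
        raise ContactListError("file too large")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ContactListError(f"not well-formed XML: {exc}") from exc
    if root.tag != "service" or root.get("name") != SERVICE_NAME:
        raise ContactListError("unexpected root element or service name")
    contacts = []
    for child in root:
        # only flat <contact>text</contact> entries are allowed
        if child.tag != "contact" or len(child):
            raise ContactListError(f"unexpected element <{child.tag}>")
        address = (child.text or "").strip()
        if not ADDRESS_RE.fullmatch(address):
            raise ContactListError(f"malformed contact entry: {address!r}")
        contacts.append(address)
        if len(contacts) > MAX_CONTACTS:
            raise ContactListError("too many contacts")
    return contacts


def import_result(data: bytes) -> tuple:
    """(ok, payload): a GUI can show the message instead of freezing on bad input."""
    try:
        return True, load_contact_list(data)
    except ContactListError as exc:
        return False, str(exc)


# Constructed samples: a valid list, a truncated file and an entry that is no address.
GOOD_CTT = b"""<?xml version="1.0"?>
<service name=".NET Messenger Service">
<contact> your_contact@xxxx.yy</contact>
</service>"""
TRUNCATED_CTT = b"""<?xml version="1.0"?>
<service name=".NET Messenger Service">
<contact>"""
BAD_ENTRY_CTT = b"""<?xml version="1.0"?>
<service name=".NET Messenger Service">
<contact>not an address</contact>
</service>"""

if __name__ == "__main__":
    for sample in (GOOD_CTT, TRUNCATED_CTT, BAD_ENTRY_CTT):
        print(import_result(sample))
```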
  4. .NET unpackme

    Hey guys, check out my .NET unpackme over at

    I first want to give people time to have fun with it. Afterwards, I'll explain its inner workings so that you may all understand what's really going on in .NET.

    In the sad case that no one unpacks it, I'll post a solution anyway. I'll give it a couple of weeks... in the meantime, I've got some new, previously unseen JIT hooks in the works. You'll love 'em.
  5. softice nmi hook

    NMI (int 0x02) is by default set up as a Task Gate, which means that it points to a TSS descriptor that stores the TSS needed to transfer execution to r0 when an NMI occurs.

    sice not running:

    00000002	0.00003269	TaskGate: 02 [58:00000000] DPL=0 P	
    00000003	0.00004917	 + TSS at 80872568 - cs:eip = [08:8086698C]
    sice running:
    00000002	0.00004665	IdtGate : 02 [08:B45AE617] DPL=0 P
    No practical RCE use, but still a funny thing.
  6. HP printer and cpu at 100%

    I'll be in New York City from Thursday. I have too many things to prepare right now, and I don't have time to end this story. Anyway, I thought it might be interesting to write something about this strange behaviour. It's only a sort of preview; I hope to complete it in the near future.

    I have a new printer, it's an hp c4380. Don't know if it's good or not, I don't print too much. It was really easy to install and it works fine for me; I had nothing to complain about until some days ago when I noticed something strange. When the system starts, I sometimes happen to see the cpu at 100%:

    As you can see it happens when the system starts. It's one of the starting processes for sure. I opened Process Explorer just to have an idea about what's going on:

    Svchost is used to load one or more services; there's a specific list of services to load inside the registry. The problem doesn't reside in the svchost process, but inside the specific loaded service. How to find it? Process Explorer is a great tool, it gives out a lot of information. Just click on the process item and you will have all the necessary information about the process. I'm interested in the command line section which is: "C:\WINDOWS\system32\svchost.exe -k HPService". Ok, the problem should be inside HPService. To locate the name of the dll you can browse through the process properties; you'll easily find out the dll: HPSLPSVC32.DLL

    This service belongs to the hp printer and it's used to check hp's peripherals connected through the net. The service is automatically started (have a look at the services.msc utility). I made some tries, discovering that the problem arises when one or more computers connected to the lan are offline. I'm pretty sure there's an error inside the dll, but how to find out where the problem is located? In cases like that, when the cpu works at 100%, the problem resides inside a loop. The process is waiting for something that won't be received; it's impossible to quit from it due to a programming error. It could be an error on a variable initialization/update but there are many possibilities, there's no general explanation.

    What I did is to attach a debugger to the right svchost process instance. It's pretty easy to locate the guilty loop; you only have to break on dll access. Here's a snippet taken from the loop I was talking about before:
    10025D00  mov    eax, dword_100AC550
    10025D05  mov    ecx, [edi+4]
    10025D08  push   eax ; dwMilliseconds: 1000 ms
    10025D09  push   ecx ; hHandle
    10025D0A  call   ebx ; WaitForSingleObject
    10025D0C  mov    edx, [edi+10h]
    10025D0F  push   edx ; hEvent = 0
    10025D10  mov    esi, eax ; eax = WAIT_FAILED
    10025D12  call   ebp ; SetEvent
    10025D14  cmp    esi, WAIT_TIMEOUT
    10025D1A  jnz    short loc_10025D27
    10025D1C  mov    eax, [edi]
    10025D1E  mov    edx, [eax+24h]
    10025D21  mov    ecx, edi
    10025D23  call   edx ; call sub_100255E0
    10025D25  jmp    short loc_10025D00
    10025D27  cmp    esi, WAIT_FAILED
    10025D2A  jnz    short loc_10025D3A
    10025D2C  mov    eax, dword_100AC550
    10025D31  push   eax ; dwMilliseconds
    10025D32  call   ds:Sleep
    10025D38  jmp    short loc_10025D00
    Well, as you can see from the comments there are two problems:
    1. WaitForSingleObject returns WAIT_FAILED
    2. SetEvent's parameter is 0

    I tried to call GetLastError after the two calls and the result was an ERROR_INVALID_HANDLE system error code. Pretty obvious eh!
    I don't know where to look for now; an error on CreateEvent's return value could be an answer. After a quick glance everything seems to be ok, but I need to check carefully.

    The problem occurs to many people out there. It was reported on the HP support forum in March 2007, but the problem still exists. To solve it (momentarily) is pretty easy: just set the service from automatic to manual. Anyway, it could be interesting to find out where the problem resides; I'll try to check when my trip ends.
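    The loop above rewritten as structured code, as an added example that is not HP's code: the fake kernel hands back WAIT_FAILED with ERROR_INVALID_HANDLE for any handle it does not know, which shows why the original control flow (Sleep, then retry the same handle) never leaves the loop, next to a version that stops on a failed wait. Handle values and the kernel model are constructed.

```python
WAIT_OBJECT_0 = 0x00000000
WAIT_TIMEOUT = 0x00000102
WAIT_FAILED = 0xFFFFFFFF
ERROR_INVALID_HANDLE = 6


class FakeKernel:
    """Just enough of the Win32 wait/event API to drive the loop offline."""

    def __init__(self, valid_handles):
        self.valid = set(valid_handles)
        self.signaled = set()
        self.last_error = 0
        self.sleeps = 0

    def WaitForSingleObject(self, handle, timeout_ms):
        if handle not in self.valid:
            self.last_error = ERROR_INVALID_HANDLE
            return WAIT_FAILED
        return WAIT_OBJECT_0 if handle in self.signaled else WAIT_TIMEOUT

    def SetEvent(self, handle):
        if handle not in self.valid:
            self.last_error = ERROR_INVALID_HANDLE
            return False
        self.signaled.add(handle)
        return True

    def Sleep(self, ms):
        self.sleeps += 1


def original_loop(k, h_handle, h_event, timeout_ms, work, max_iterations=50):
    """Control flow of 10025D00..10025D38: only a wait result that is neither
    WAIT_TIMEOUT nor WAIT_FAILED leaves the loop."""
    rc = None
    for i in range(1, max_iterations + 1):
        rc = k.WaitForSingleObject(h_handle, timeout_ms)
        k.SetEvent(h_event)                 # return value ignored, as in the binary
        if rc == WAIT_TIMEOUT:
            work()                          # call [eax+24h] (sub_100255E0)
            continue
        if rc == WAIT_FAILED:
            k.Sleep(timeout_ms)             # then retry with the same bad handle
            continue
        return "exited", rc, i
    return "still looping", rc, max_iterations


def hardened_loop(k, h_handle, h_event, timeout_ms, work, max_iterations=50):
    """Same loop, but a failed wait or SetEvent ends it with the last error."""
    rc = None
    for i in range(1, max_iterations + 1):
        rc = k.WaitForSingleObject(h_handle, timeout_ms)
        if rc == WAIT_FAILED or not k.SetEvent(h_event):
            return "error", k.last_error, i
        if rc == WAIT_TIMEOUT:
            work()
            continue
        return "exited", rc, i
    return "still looping", rc, max_iterations


if __name__ == "__main__":
    # constructed: only handle 0x1C exists, the service passes 0 for both handles
    kernel = FakeKernel(valid_handles={0x1C})
    print(original_loop(kernel, 0, 0, 1000, lambda: None), "sleeps:", kernel.sleeps)
    print(hardened_loop(FakeKernel({0x1C}), 0, 0, 1000, lambda: None))
```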
  7. Explorer Suite III (CFF Explorer VII)

    Scripting documentation:


    - Fixed a lot of bugs
    - Fixed a minor bug in the MetaData tables
    - Fixed minor resizing bug on Vista
    - General improvements
    - Significantly improved the interface
    - Improved Resource Editor
    - Improved Rebuilder (added checksum update and strip debug directory)
    - Improved Data Directories viewer
    - Improved Hex Editor
    - Improved Sections Dialog (added section's hex view)
    - Improved MetaData Tables
    - Extended the SDK
    - Added a very powerful scripting language
    - Added documentation for the scripting language
    - Added security features for the scripting language
    - Added support for generic files
    - Added Name Unmangler
    - Added Debug Directory
    - Added Dependency Walker
    - Added Quick Disassembler (x86, x64)

    Hope you like it..
  8. Reversity Speech and Logs Available

    Hi there,

    It is possible to download the PDF and logs of the First Reversity Session on Crypto and Reverse Engineering here:

    Have a nice day,
  9. Control Flow Deobfuscation Part 1

    Control Flow Obfuscation is one of the biggest protection mechanisms used in commercial protections for intermediate languages like IL (.NET) and Java bytecode. It is also used a bit in some native protectors, mostly to hide their own code, but I won't go into that. I'll use pseudocode for the examples.

    The basic idea behind control flow obfuscation is that spaghetti code is hard to read. So the protectors transform normal code into spaghetti code, with lots of spurious branches. You can repair this by hand, but as functions get bigger this becomes a huge PITA. So we must write a program to do it for us.

    I'll assume we have access to the bytecode in the program. Also we'll make use of some primitive operations on this bytecode. These problems are straightforward to tackle; all you need is the documentation and some (much) time.

    To reorganize the function we will use a two-step approach:
    1. Make a Control Flow Graph from the bytecode.
    2. Make bytecode from the CFG.

    You might think "That doesn't do anything!", but the trick is that we read in bytecode that is obfuscated and write out bytecode that is simple to read. Both form the same control flow graph, so the meaning is not changed.

    English example:
    • Obfuscated: "The bike, that is owned by John, who has blue eyes, needs to be repaired."
    • Graph:
    • Simplified: "John has blue eyes. His bike needs to be repaired."

    Of course this isn't a perfect analogy but I hope you see what I mean.

    Building the CFG
    Let's see what we want from the CFG:
    • Have vertices with some amount of bytecode
    • Have edges that show the connection between vertices.
      • E.g. if vertex 1 branches to vertex 2 we want an edge from 1 to 2. Note that this edge has a direction: it doesn't go from 2 to 1.
      • We need a label on the edge that shows the type of connection. For instance if vertex 1 branches to vertex 2 if some condition is true, and to vertex 3 if it is false, we would have this graph:
    • Every vertex has one entry point and one exit point.

    (if this is all gibberish for you, please read up on graphs before continuing)

    The last point ensures our CFG is a proper Directed Graph.
    In practice you'll want to keep the edge information with the vertex it comes from, but this changes nothing to the basic ideas.

    With this info, we can make a simple recursive function to construct the CFG:
    already_done_vertices = empty
    cfg_of_function = makecfg(entry_point_of_function)

    function makecfg(current_instruction):
        vertex myvertex
        if current_instruction is in already_done_vertices
            myvertex = the appropriate vertex in already_done_vertices
        else
            myvertex.bytecode   = bytecode of current_instruction
            myvertex.branchtype = branch type of current_instruction
            myvertex.edges      = empty
            add myvertex to already_done_vertices   (before recursing, so loops terminate)
            for each target of current_instruction
                add makecfg(target) to myvertex.edges
        return myvertex
    Note that the bytecode of a branch is nothing: its only significance is in the branchtype and the targets. Most instructions have a branch type of "always" with a target that is the next instruction. The branch type relates to the targets, f.i. "top_of_stack != 0" may go to the first target if true, or to the second target if false.

    Of course in a real implementation you want to keep the number of vertices and edges low, so you lump together as many instructions as you can without breaking the rules, splitting them when necessary.

    Well, that's it for now, in part 2 (and maybe 3) I'll show how to make bytecode from the CFG.
  10. Dvd movie and easter egg

    I like to go to the cinema, I adore movies. I have a lot of dvd movies at home. Special features included in almost all dvd are something I like particularly. What I dislike are the easter eggs included in the disc. There are often small and stupid clips behind easter eggs. They are nowadays documented everywhere around the net, but the question is: how did they find them?

    The common way is trying to push every button on your remote control, hoping to see something strange around the dvd menu. This is the easiest way; you only have to spend some time with a remote control in your hand. Otherwise, you can try inspecting the files stored inside the dvd. I don't have any experience with this kind of thing so I did some searches on the net. From all the programs I tried I was impressed by one: PgcEdit. As stated in the documentation, PgcEdit offers an easy to understand view of the DVD's programming. It allows you to edit, via easy to use GUIs, all the DVD's commands with their legal values, without any limitations except those imposed by the DVD standard.
    There's a little problem: I have no idea about the dvd standard. Anyway, I gave it a try.

    When you open a disc PgcEdit extracts all the necessary information, filling two edit boxes. The image below represents a snippet taken from one of the two boxes.

    Don't know what you think, but these are only some meaningless items for me. When you click on an item the other box is filled with some other information which is much more understandable. Here are some of them:

    I'm not able to fully understand the instructions above, but I can get the general meaning of each line. It's like a dead list produced by a disassembler, a series of commands.

    Reading through the help I've found something interesting: PgcEdit has a debugger inside; it lets you see what happens when a dvd is launched. I don't know the meaning of the information retrieved by PgcEdit, but I do know how to use a debugger, and this one seems to be really simple. I'll try to find an easter egg using PgcEdit's debugger. I only spent some time on this debugger and I don't know anything about the dvd standard; anyway I'll try to explain my adventure using the right words.

    The dvd film I'm going to inspect is titled Big Fish, a Tim Burton movie. An easter egg could be anywhere inside the dvd; I'll try to find something inside the main menu title which is shown in the next image:

    It's an animated menu and you can navigate through the 6 options, from "Play movie" to "Trailers"; it seems you can't move the cursor outside these items.

    To start a debugging session you have to select "Trace mode" from one of PgcEdit's menu items (using Ctrl-T is much easier). The debugger is really simple but it has almost everything. It's possible to set a breakpoint on GPRM (Global Parameter Registers), on SPRM (System Parameter Registers), pre/post PGC (Program Chain), all menus and all titles. It's possible to watch all the registers and log almost everything. It's the only dvd debugger I have tried so far, but it seems to be quite complete.

    When you are in Trace mode the debugger is stopped at the first instruction:
    1 (JumpSS) Jump to VMGM PGC 1
    which is inside the "VMG, First Play PGC" item. VMGM stands for Video Manager Menu.
    The dvd video structure is divided into some levels; I'm at the first one and it's used to play an introductory video or some preliminary information. After that the main menu appears. In this case there is nothing before the main menu and the instruction (it's clearly a jump instruction to "VMGM PGC 1") will bring me to the dvd main menu.

    LU should be Language Unit and I think the number inside brackets represents the item's length, 14 seconds.

    How to proceed? I tried stepping some commands but it's not so interesting, so it's better if you use some clever breakpoints. Right click on an item from the left box and a popup menu will appear. From this popup menu it's possible to set a breakpoint on the selected item. When the program flow reaches the item the debugger should break. There are many items inside the box; they are divided into 3 groups:
    - VMGM
    - VTSM
    - VTST
    How to identify the right item? The main menu's length is 52 seconds so I did a scan over the items trying to locate the one with length equal to 52. There are some items with the same length (52 seconds); I'm not totally sure about the meaning of the 0:52 value so I decided to take another way. Spying through the debugger's menu I found an interesting option: "Break at all menus". When you set this option the debugger will break every time it encounters a menu. I had 3 breaks and then a new box appeared (it doesn't mean that there are 3 menus to be shown). The box contains the information about the main menu. The breaks occurred on these items:

    - VMGM LU 1 (en), 1 (0:14)
    - VTSM 4, LU 1 (en), 1 (dummy) RootM
    - VTSM 4, LU 1 (en), 6 (0:52) 16b.

    VTSM stands for Video Title Set Menu and it contains all the information about a specific menu. This one seems to be the menu I was looking for and now I'm pretty sure that 52 is the length (in seconds) of the animated menu. When the time reaches 52 the animated menu starts again, like an infinite loop. So, I'm interested in the last entry; if you click on this item you'll see the commands inside the dead list box. There are some pre and post commands; pre commands are executed before the reproduction (post commands are executed after):

    "gprm(i)" refers to a register; there are 16 Global Parameter Registers and they can contain a value in the 0/65535 range. From what I have seen they are often filled with SPRM values; there are 24 System Parameter Registers and they contain the current player settings. That's why gprm registers get information from sprm registers: the dvd's internal programming code needs to know what it is running on.
    The words inside brackets (mov, and, or) define the operation. I.e.: instruction number 2 is used to store 0 into register 8, pretty simple. Ok, back to the box now:

    This is the box that is shown; it's the main menu (I edited the image adding the text). As you can see it shows the *gui* without pictures, of course. It's pretty easy to identify the buttons at the bottom of the image; they represent the 6 options. There are two more buttons (7 and 8) at the top of the picture, btw. You can navigate through the buttons using the keyboard or mouse; the highlighted button is the currently selected one. When you switch from a button to another, PgcEdit's debugger is able to show what kind of commands will be executed: you can see the next instruction that will be performed. After some tries I understood how to reach button number 8: just press the keyboard's up key from button 5. When you switch to button number 8 nothing is shown; some commands are executed but I had the impression that it's only a check routine used to see which kind of button has been pressed. Button 7 is another story, because when you press it the current post commands are executed. Anyway, without looking at the post commands it's obvious that there's something behind button number 7, which is our easter egg for sure!
    Why did they (the dvd's authors) use button number 8? As far as I know there aren't dvd players with a mouse control; if you want to move through the menu you can only use your remote control. With a remote control you have 4 direction buttons and you can move the pointer from one voice to another using them. Button number 8 is a bridge from button number 5 to 7. I think it's used because they wanted to hide the easter egg a little bit more.

    It's time to see the hidden feature: load the film with your preferred player. Move the pointer over the hat and a red star magically appears. Click and enjoy the clip (nothing special btw).

    My dvd adventure ends here; it was a nice, unusual debugging session. Is there another way to discover an easter egg? Don't know and I don't care about it; I think I'll check for easter eggs browsing the net in the future haha!
  11. Collaborative RCE Tool Library contents so far

    This should hopefully both give you all a picture of the usefulness of the Collaborative RCE Tool Library, and also get Google kick-started on indexing it in a good way.

    Tools so far are, in alphabetical order: ...
  12. - dr6 saving

    Recently I wrote a little driver to test this feature with my softice. I didn't really need it, but who knows when it will become useful.

    The whole concept consists of setting dr7.GD to 1 and waiting for a mov drX, reg or mov reg, drX to occur. Here is a little quote from the IA32 manual:

    GD (general detect enable) flag (bit 13)
    Enables (when set) debug-register protection, which causes a debug exception
    to be generated prior to any MOV instruction that accesses a debug register.
    When such a condition is detected, the BD flag in debug status register DR6 is
    set prior to generating the exception. This condition is provided to support in-circuit
    emulators. (When the emulator needs to access the debug registers,
    emulator software can set the GD flag to prevent interference from the program
    currently executing on the processor.) The processor clears the GD flag upon
    entering to the debug exception handler, to allow the handler access to the
    debug registers.
    Basically what this means is that GD is cleared each time an int 1 exception occurs. This is done so the handler can examine dr6 for BS (indicates single stepping) or other flags like BT, BD and B0-B1. If GD weren't cleared in dr7 on the int 1 exception, the handler would fall into an infinite loop trying to access dr6, no matter what caused the int 1, as GD would constantly cause int 1 to be raised. This simply tells us that we have to set dr7.GD every time an int 1 is generated, no matter if we handle the exception or pass it lower in the chain. Neat

    Now we come to the dr6 issue when softice is active (well, when mov reg, dr6 occurs, but without sice I have no idea why this would be useful; syser maybe???). If we watch and log the activity of softice when a step-over occurs we may see this:

    0xB43517FE : mov dr3, esi
    dr updated : 0xBA642A93        <------ step over instruction
    0xB4351801 : mov dr7, ebx
    dr updated : 0x00FF07C0        <------ set dr7 and wait
    0xBA328683 : mov eax, dr6
    dr value moved : 0xFFFF0FF8    <------ dr6 properly updated :)
    0xB42BE589 : mov eax, dr6
    dr value moved : 0xFFFF0FF8
    0xB42BE596 : mov dr6, eax
    dr updated : 0xFFFF0FF0
    Now you may see that dr6.B3 is set, but this is done because I save dr6 and update it properly. Well, it's still a workaround for saving, as I don't know any better way to save it. Now let's describe this problem, and why and how it happens:

    When we enter int 1h (dr3 was hit), dr6 will have the value shown above, 0xFFFF0FF8. As we don't handle this exception, we have to set dr7.GD again and pass it to the lower handler. The lower handler in the chain will access dr6, causing dr6 to look like this: 0xFFFF2FF0 (BD set). Now if we emulate mov reg, dr6 with the value 0xFFFF0FF0 (we clear the BD flag from dr6), the handler will not know that dr3 was actually hit, which will lead to an unhandled exception in kernel mode:

    BugCheck 1000008E, {80000004, ba5e6c7b, b5cb0194, 0}

    Followup: MachineOwner

    kd> !analyze -v
    * *
    * Bugcheck Analysis *
    * *

    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003. This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG. This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG. This will let us see why this breakpoint is
    Arg1: 80000004, The exception code that was not handled
    Arg2: ba5e6c7b, The address that the exception occurred at
    Arg3: b5cb0194, Trap Frame
    Arg4: 00000000
    Now let's take a little look into IA32 manual to see what really happens (older one):

    Note that the contents of the DR6 register are never cleared by the processor. To avoid any
    confusion in identifying debug exceptions, the debug handler should clear the register before
    returning to the interrupted program or task.
    But is this really true? Now if we take a look into the newer one:

    Certain debug exceptions may clear bits 0-3. The remaining contents of the DR6
    register are never cleared by the processor. To avoid confusion in identifying debug exceptions,
    debug handlers should clear the register before returning to the interrupted
    We may see that certain debug exceptions may clear B0-B3, but they don't say which ones. Obviously the BD debug exception is the one. So my workaround was to follow this logic in the int1 handler:

    1. when int1 occurs I save dr6 always
    2. when dr6 update occurs I save it (mov dr6, reg)
    3. when I detect mov reg, dr6, I update dr6 with proper value which was saved.

    Hope this will be useful to someone. Actually our friendly neighbour yates wrote similar code a long time ago: but it has this little flaw in it.
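    A model of the int 1 chain described above, as an added example that is not the author's driver: a first-in-chain handler that re-arms dr7.GD and a lower handler that reads dr6 to recognise its dr3 hit, run once with the naive "just hide BD" emulation and once with the three-step save/restore workaround. Bit positions are the IA-32 ones; register values are those from the trace in the post; the handler objects are constructed.

```python
DR6_B3 = 1 << 3            # B3: breakpoint condition 3 (dr3) detected
DR6_BD = 1 << 13           # BD: debug register access detected
DR7_GD = 1 << 13           # GD: general detect enable
DR6_RESERVED = 0xFFFF0FF0  # reserved bits read as 1, as in the trace above


class Cpu:
    """Holds dr6/dr7 and delivers int 1 to the first handler in the chain."""

    def __init__(self, first, lower):
        self.dr6, self.dr7 = DR6_RESERVED, DR7_GD
        self.first, self.lower = first, lower

    def int1(self, reason, value=None):
        self.dr7 &= ~DR7_GD                      # processor clears GD on entry
        return self.first.on_int1(self, reason, value)

    def hit_breakpoint3(self):
        self.dr6 |= DR6_B3
        return self.int1("breakpoint")

    def read_dr6(self):
        """mov reg, dr6 executed by the lower handler while GD is armed."""
        if self.dr7 & DR7_GD:
            self.dr6 = (self.dr6 & ~0xF) | DR6_BD   # BD set, B0-B3 cleared
            return self.int1("read")                 # first handler emulates the mov
        return self.dr6

    def write_dr6(self, value):
        """mov dr6, reg executed by the lower handler while GD is armed."""
        if self.dr7 & DR7_GD:
            self.dr6 = (self.dr6 & ~0xF) | DR6_BD
            self.int1("write", value)
        else:
            self.dr6 = value


class FirstHandler:
    """Our hook, first in the chain: saves dr6, re-arms GD, passes real hits down."""

    def __init__(self, restore_saved):
        self.restore_saved = restore_saved
        self.saved_dr6 = None

    def on_int1(self, cpu, reason, value):
        if reason == "breakpoint":
            self.saved_dr6 = cpu.dr6              # step 1: save dr6 on every int 1
            cpu.dr7 |= DR7_GD                     # re-arm before passing it down
            return cpu.lower.on_int1(cpu)
        cpu.dr7 |= DR7_GD                         # re-arm after the GD trap too
        if reason == "write":
            cpu.dr6 = self.saved_dr6 = value      # step 2: remember what was written
            return None
        if self.restore_saved:
            return self.saved_dr6                 # step 3: hand back the saved value
        return cpu.dr6 & ~DR6_BD                  # naive emulation: B3 is already gone


class LowerHandler:
    """Next debugger in the chain: owns dr3 and looks for B3 in dr6."""

    def __init__(self):
        self.seen_dr6 = None

    def on_int1(self, cpu):
        self.seen_dr6 = cpu.read_dr6()
        if self.seen_dr6 & DR6_B3:
            cpu.write_dr6(self.seen_dr6 & ~0xF)   # clear B0-B3 before returning
            return "handled"
        return "unhandled exception"              # the 1000008E bugcheck quoted above


def simulate(restore_saved):
    """Returns (dr6 as seen by the lower handler, outcome, final dr6, saved dr6)."""
    first, lower = FirstHandler(restore_saved), LowerHandler()
    cpu = Cpu(first, lower)
    outcome = cpu.hit_breakpoint3()
    return lower.seen_dr6, outcome, cpu.dr6, first.saved_dr6


if __name__ == "__main__":
    for restore in (False, True):
        seen, outcome, final, saved = simulate(restore)
        print(f"restore_saved={restore}: lower handler saw {seen:#x} -> {outcome}")
```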

    ps. I really like how ms describes unhandled_exception :

    This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    but ... shit happens

  13. The Windows Vista Issue

    Windows XP brought a lot of enthusiasm to most programmers, and common users loved it too. XP officially introduced the NT kernel for everyone, not just for servers. It was a great step forward, and most people who earlier disliked Windows now had trouble criticizing it from a technical point of view.

    Windows Vista, unfortunately, wasn't going to satisfy everybody. There's got to be a reason (even more than one) if PC World wrote that Vista is the biggest tech disappointment of the year 2007. Not that PC World's opinion is 100% reliable and in the article it mostly criticizes Vista for the wrong reasons. However, one fact remains: many users decided not to upgrade to Vista and some even downgraded to XP.

    Microsoft is a big company whose interest is making money, like all companies; that's pretty clear, but in the process Microsoft shouldn't leave behind all the people who made Windows what it is now. Windows is so important because of three factors:

    a) the quality of the operating system
    b) the number of people who use it
    c) the number of applications developed for it

    The c) factor is really important, because it's sort of the backbone of Microsoft's success. I don't want to imply that Microsoft is going to lose millions of dollars, because the current Mark Russinovich will use another OS instead of Windows (would be a little hard for him, since he's employed by Microsoft now), but maybe the next Pietrek / Russinovich won't be a Windows expert. If Microsoft leaves behind the developers community it'll reflect directly upon the users community. In my opinion Microsoft is taking chances for no good reason.

    In my opinion it's better to make less money in the long term than to make a lot of money in just one year and lose a lot of customers in the process.

    I tried to make a list of all the things which would have made Vista the best product of 2007. Ok, let's not exaggerate, but surely it wouldn't have been the worst one. Keep in mind that the points in the list are not ordered by relevance, but, if not casual, by logical connection.

    What Microsoft should change:

    1) Let's start from the silliest thing: Windows Vista's Aero is not available in the Vista Home Basic edition. Aero is described as an "Elegant Windows Aero desktop experience" feature. But that's just silly; it can't be a feature for which the user pays extra money. The Vista Home Basic retail edition costs 250 euros (367 USD)! For that price, I think, it's highly immoral to exclude such a silly feature as Aero. Microsoft can't make money from Aero; it's just unprofessional and the company loses credibility. And this brings us right to the next point.

    2) Only Vista Business and Vista Ultimate can be virtualized (run on VMWare, VirtualPC etc.). Microsoft applied license restrictions to Vista Home (both Basic and Premium) making it impossible to virtualize, at least legally, these two editions. Again, that's unprofessional and, from a technical point of view, horrible. This point is very important. Microsoft should just offer more tools/services (e.g. Bitlocker) in its more expensive editions. It's just wrong to put use restrictions in its less expensive editions.

    3) It should be possible to disable driver verification permanently at boot time (this means without forcing the user to press F8 on every boot). A way of replying to this point is to say that many hardware manufacturers would force the user to disable driver verification in order to use their drivers, but that's nonsense! No serious manufacturer would do that. Let's take for example TrueCrypt. It's top quality free software and, of course, works through a file system driver. Why should the author/company pay $500 (or less) for a 1-year certificate to sign their driver? Ok, it's not a problem for TrueCrypt, since this product was famous a long time before Vista came along. Its community surely will cover all the expenses, I suppose. But what about a new project which might start now? Should the developer invest $500 for something which might not even cover his expenses? Oh, sure, $500 isn't that much, and he can pay this amount without selling his computer, but the questions are: is it right? Will he? And why shouldn't the user himself be able to run his driver if he absolutely wants to, without being bothered by the terrible F8 or by installing a test certificate? Again, this is a very serious credibility issue, which shouldn't easily be dismissed. I'm not even sure if this policy was introduced only for security reasons or also because driver signatures are expensive and TrueSign (owned by Microsoft) is making good money out of this. Anyway, if Microsoft wants to make money out of driver developers, it should sell documentation or compilers. Libraries and header files should be given for free (as they currently are). I can't emphasize this enough: trying to make money out of everything can be very counterproductive.

    4) Lower the prices! Microsoft can't be offering an operating system which can't be virtualized and doesn't have Aero for 250 euros (367 USD) (retail edition price). To have these luxuries you have to pay at least 300 euros (440 USD).

    5) .NET is a great thing, no doubt about it. But it will never totally replace native C/C++ programs. So, PLEASE, keep the MSDN up to date, fix the broken links and enrich the contents! I'm a huge fan of the .NET technology, but it's just a fact that developers love C/C++ (not that managed C++ thing) and they'll never give up developing with it. And that's right, because .NET can't be a replacement for everything (and never will be). I'm sure the community would really appreciate this point.

    6) Microsoft's strength on the market comes from its kernel, its libraries and, last but not least, its hardware support. If there were a freeware (or sold at, let's say, ten bucks) open source system with an NT-like kernel (NTFS support included) and with the same hardware support, it could run a modified WINE (like ReactOS) to support Win32; and that would be part of the end of Microsoft's dominance, since most users would migrate to it (and even most of Microsoft's products would run on it). Thus, Microsoft shouldn't push too hard with Windows prices, because all the Aeros, UACs, Defenders and BitLockers can't compete with a free/cheap system.

    7) Microsoft is running too fast. Many directions are right, but developers won't follow blindly. What's with Win32? It's old, ok, but does Microsoft really think that .NET and WinFX will completely replace it? If Microsoft thinks that the future is going to be something like "kernel in C/C++ and all GUI applications in .NET (WPF, Forms, WinFX etc.)", then it's betting wrong. Ok, the native C++ code could be contained in external dlls, but even that won't happen. I learned C# pretty early in my life, but even I would never give up writing native code, so it's impossible to expect that from people who are much older than me. Maybe in 30 years if Microsoft maintains its leadership...
    Also, why should a new Windows edition come out every X years? An edition should come out when it's ready, not when it's supposed to and Vista wasn't ready to come out (let's think about all the things which were cut out of that version because of time issues). But I don't expect this to happen: marketing rules.

    8) Just abandon the DRM "technology". DRM is just wrong and lame. Windows is becoming more and more a closed box where nobody can look inside or change something. Degrading / preventing audio/video output on purpose is, again, unprofessional. I call this sort of thing "dirty programming". These kinds of checks in the code are just garbage which pollutes the beauty of the code itself. Every piece of software is, in my opinion, a piece of art. Dirty programming is like writing the market price with a black marker over one of Monet's paintings.

    9) Offer a way to permanently disable PatchGuard. This isn't, of course, something for common users, but for experts who need total control of their systems. Again, this point is about Microsoft's credibility in the eyes of the developer community. Trying to prevent developers and reversers from messing with the system is not good, because experts lose interest in a closed box which cannot be played with. If Symantec is allowed to modify the kernel, then there's no excuse for preventing others from doing the same. It's just unfair and in this case lame (Symantec: bleah!).

    10) XP was a very good operating system. I'm still running XP SP2 on my laptop and it works perfectly. There's got to be a reason if XP support was extended to the year 2014, whereas Vista support ends in 2012. Ok, they might change their mind and extend Vista's support, but the fact remains. So, don't ruin XP through updates with Vista-like features.

    11) Ok, UAC is necessary, but limit the number of dialog boxes which annoy the user to important things only. Create a light version of UAC which allows modifying system objects which aren't critical for the system (at least not for the common user). Need an example? Changing the system time/date is not critical for most people! Make it possible to run some Microsoft applications like regedit or administrative tools without a UAC confirmation dialog. How? There are plenty of ways, like signing those applications with a special Microsoft signature. I don't want to say throw away the existing UAC, just create an alternative!

    I don't think Microsoft will ever follow any of these points, but who knows...

    As for me, it's not like I discovered Vista yesterday. In fact, I was one of the first users of Vista x64 and one ...
  14. Windbg "dt" output converter

    How many times did you create a structure starting from Windbg's dt command output? It happens sometimes, especially if you use IDA or if you need to code something. It's something that makes me feel unhappy. It's a boring job for sure, particularly when you have to deal with big structures (e.g. _ETHREAD). There are some ready-made definitions online, but there's no standard definition for a single structure. Most of the time it depends on the OS you are running on.

    All I want to do is to convert dt's output into a struct definition. The output to convert is something like this (obtained in Windbg with the "dt _list_entry" command):
    +0x000 Flink            : Ptr32 _LIST_ENTRY
    +0x004 Blink            : Ptr32 _LIST_ENTRY
    And this is what I want to generate:
    typedef struct _LIST_ENTRY {
        struct _LIST_ENTRY* Flink;    // 0x000
        struct _LIST_ENTRY* Blink;    // 0x004
    } LIST_ENTRY, *PLIST_ENTRY;
    I'm not a Windbg guru and I don't know if there is a quicker way, so the idea is to write something able to perform (almost all of) the conversion.

    The GUI is pretty simple: it contains two edit boxes and two buttons, nothing more. The conversion process starts by pressing the "Convert" button; the program converts the data stored inside the clipboard. The left box will be filled with the clipboard's contents while the other box will contain the converted structure. What to store inside the clipboard? Look at the picture below:

    The selected text is what you have to store in the clipboard; everything starts from the '+' character. Once you have saved the text you can convert the structure. Here's the result:

    The edit box is editable; it's necessary because most of the time it's hard to predict the right type to display. I don't know if it's possible to perform a perfect conversion; the aim of this tool is to speed up the conversion process. With some minor changes you should be able to obtain a perfect conversion.

    This tool is not totally complete, I have some more things to add. As usual I didn't test it too much because I prefer to fix it when a bug occurs. Anyway, it seems to work fine and you can contact me for comments/criticism/suggestions/etc.

    ps. HAPPY NEW YEAR!!!
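    The conversion described in this post, written out as an added example that is not the author's tool: a small Python converter that parses the "+0x... Name : Type" lines of dt output and emits a C typedef. It goes a little beyond the _LIST_ENTRY case by also handling arrays ("[3] UChar"), bitfields ("Pos 2, 1 Bit") and Ptr32/Ptr64 members; the scalar-name table, the regular expressions and both sample inputs are my own assumptions and constructions (the mixed sample is made up, not a real Windbg dump), and anything the table does not know is emitted as a comment for manual cleanup, which is exactly the "editable output" case the post mentions.

```python
import re

# One dt member line, e.g. "   +0x000 Flink            : Ptr32 _LIST_ENTRY"
LINE_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")
HEADER_RE = re.compile(r"^\s*\w+!(_\w+)\s*$")            # e.g. "nt!_LIST_ENTRY"
BITFIELD_RE = re.compile(r"^Pos\s+(\d+),\s+(\d+)\s+Bits?$")
ARRAY_RE = re.compile(r"^\[(\d+)\]\s+(.+)$")
PTR_RE = re.compile(r"^Ptr(?:32|64)\s+(.+)$")

# Assumed mapping of dt scalar names to C types (sizes as the Windows headers use them).
SCALARS = {
    "Char": "char", "UChar": "unsigned char", "Wchar": "wchar_t",
    "Int2B": "short", "Uint2B": "unsigned short",
    "Int4B": "long", "Uint4B": "unsigned long",
    "Int8B": "long long", "Uint8B": "unsigned long long",
    "Void": "void", "void": "void", "Bool": "unsigned char",
}


def c_type(dt_type):
    """Translate one dt type expression into (C base type, array suffix)."""
    m = ARRAY_RE.match(dt_type)
    if m:                                   # "[N] T" -> T name[N]
        base, suffix = c_type(m.group(2))
        return base, "[%s]%s" % (m.group(1), suffix)
    m = PTR_RE.match(dt_type)
    if m:                                   # "Ptr32 T" / "Ptr64 T" -> T*
        base, suffix = c_type(m.group(1).strip())
        return base + "*", suffix
    if dt_type in SCALARS:
        return SCALARS[dt_type], ""
    if dt_type.startswith("_"):             # nested structure / union
        return "struct " + dt_type, ""
    # Function signatures, enums, etc.: keep the dt text as a comment for manual cleanup.
    return "void /* %s */" % dt_type, ""


def convert(dt_output, struct_name=None):
    """Turn the text of a Windbg 'dt' command into a C typedef (as a string).

    A leading "module!_NAME" header line names the struct when present;
    otherwise pass struct_name. Lines that are not member lines are skipped.
    """
    fields = []
    for line in dt_output.splitlines():
        h = HEADER_RE.match(line)
        if h and struct_name is None:
            struct_name = h.group(1)
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        offset, field, dt_type = int(m.group(1), 16), m.group(2), m.group(3)
        bf = BITFIELD_RE.match(dt_type)
        if bf:                              # "Pos P, N Bits" -> bitfield member
            fields.append("    unsigned long %s : %s;    // 0x%03x, bit %s"
                          % (field, bf.group(2), offset, bf.group(1)))
            continue
        base, suffix = c_type(dt_type)
        fields.append("    %s %s%s;    // 0x%03x" % (base, field, suffix, offset))
    struct_name = struct_name or "_UNNAMED"
    short = struct_name.lstrip("_")
    return "typedef struct %s {\n%s\n} %s, *P%s;" % (struct_name, "\n".join(fields), short, short)


# Constructed sample inputs in dt's output format.
SAMPLE_LIST_ENTRY = """nt!_LIST_ENTRY
   +0x000 Flink            : Ptr32 _LIST_ENTRY
   +0x004 Blink            : Ptr32 _LIST_ENTRY
"""

SAMPLE_MIXED = """   +0x000 Type             : UChar
   +0x001 Pad1             : [3] UChar
   +0x004 Flags            : Pos 0, 2 Bits
   +0x004 Locked           : Pos 2, 1 Bit
   +0x008 Next             : Ptr64 Void
"""

if __name__ == "__main__":
    print(convert(SAMPLE_LIST_ENTRY))
    print(convert(SAMPLE_MIXED, "_DEMO_HEADER"))
```

    Because every member is annotated with its dt offset, a wrong guess in the scalar table shows up as a mismatch between the comment and the size of the preceding member, which is the first thing to check before using the generated header.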
  15. MmGetSystemRoutineAddress : forwards on vista

    It's very frustrating when you find out that this export can't resolve forwarded APIs. Here is one example from Vista:

    .edata:8002F485 ; Exported entry   1. ExAcquireFastMutex
    .edata:8002F485                 public ExAcquireFastMutex
    .edata:8002F485 ExAcquireFastMutex db 'ntoskrnl.ExiAcquireFastMutex',0
    .edata:8002F4A2 aExreleasefastm db 'ExReleaseFastMutex',0
    .edata:8002F4B5 ; Exported entry   2. ExReleaseFastMutex
    .edata:8002F4B5                 public ExReleaseFastMutex
    .edata:8002F4B5 ExReleaseFastMutex db 'ntoskrnl.ExiReleaseFastMutex',0
    .edata:8002F4D2 aExtrytoacquire db 'ExTryToAcquireFastMutex',0
    .edata:8002F4EA ; Exported entry   3. ExTryToAcquireFastMutex
    .edata:8002F4EA                 public ExTryToAcquireFastMutex
    .edata:8002F4EA ExTryToAcquireFastMutex db 'ntoskrnl.ExiTryToAcquireFastMutex',0
    When you use MmGetSystemRoutineAddress on one of these, it will return the address of the forwarder string to you. It won't resolve the forwarded API properly.

    The best way is to use your own MmGetSystemRoutineAddress instead of the one provided by the Windows kernel...
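    To show what "resolve forwarded APIs properly" means, here is an added example, not code from this post, written in Python rather than as a kernel routine: it builds a constructed, flat (RVA == offset) image containing a fake export directory in which ExAcquireFastMutex and ExReleaseFastMutex are forwarders to ntoskrnl, as in the listing above, and then looks names up the way a correct resolver must. The rule it applies is the PE one: an export whose RVA falls inside the export directory's own range is not code but a "Module.Function" string. The module name "hal.dll", the third export and its RVA 0x2345 are constructed values; a resolver that skips the range check is the behaviour the post describes, returning the string's address as if it were a function.

```python
import struct

# IMAGE_EXPORT_DIRECTORY layout (40 bytes, little-endian):
#   Characteristics, TimeDateStamp, MajorVersion, MinorVersion, Name, Base,
#   NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames,
#   AddressOfNameOrdinals
EXPORT_DIR_FMT = "<IIHHIIIIIII"

# Constructed: RVA at which the fake export directory is placed in the image.
EXPORT_DIR_RVA = 0x1000


def build_sample_image():
    """Return (image, export_dir_rva, export_dir_size) for a constructed image.

    Two exports are forwarders: their "address" is the RVA of a
    "module.Function" string stored inside the export directory, exactly how
    the Vista ntoskrnl forwarders in the listing are encoded. One export is an
    ordinary code RVA.
    """
    exports = [  # names are kept sorted, as a real export table requires
        ("ExAcquireFastMutex", "ntoskrnl.ExiAcquireFastMutex"),  # forwarder
        ("ExAllocatePool", 0x2345),                               # constructed code RVA
        ("ExReleaseFastMutex", "ntoskrnl.ExiReleaseFastMutex"),  # forwarder
    ]
    n = len(exports)
    funcs_off = struct.calcsize(EXPORT_DIR_FMT)
    names_off = funcs_off + 4 * n
    ords_off = names_off + 4 * n
    strings_off = ords_off + 2 * n

    strings = bytearray()
    func_rvas, name_rvas = [], []

    def add_string(s):
        rva = EXPORT_DIR_RVA + strings_off + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    dll_name_rva = add_string("hal.dll")  # constructed module name
    for name, target in exports:
        name_rvas.append(add_string(name))
        # A forwarder is an RVA that lands inside the export directory itself.
        func_rvas.append(add_string(target) if isinstance(target, str) else target)

    blob = bytearray(struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, dll_name_rva, 1, n, n,
                                 EXPORT_DIR_RVA + funcs_off,
                                 EXPORT_DIR_RVA + names_off,
                                 EXPORT_DIR_RVA + ords_off))
    blob += b"".join(struct.pack("<I", r) for r in func_rvas)
    blob += b"".join(struct.pack("<I", r) for r in name_rvas)
    blob += b"".join(struct.pack("<H", i) for i in range(n))  # name i -> functions[i]
    blob += strings

    image = bytes(EXPORT_DIR_RVA) + bytes(blob) + bytes(0x2000)
    return image, EXPORT_DIR_RVA, len(blob)


def _cstring(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def resolve_export(image, export_dir_rva, export_dir_size, wanted):
    """Look up `wanted` by name in the export directory.

    Returns ("code", rva) for a real function, ("forwarder", "Module.Function")
    when the entry is a forwarder, or None if the name is not exported. The
    range check is the step a forwarder-unaware resolver omits; without it the
    RVA of the forwarder string would be handed back as if it were code.
    """
    hdr = struct.unpack_from(EXPORT_DIR_FMT, image, export_dir_rva)
    nfuncs, nnames, funcs_rva, names_rva, ords_rva = hdr[6], hdr[7], hdr[8], hdr[9], hdr[10]
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", image, names_rva + 4 * i)[0]
        if _cstring(image, name_rva) != wanted:
            continue
        ordinal = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
        if ordinal >= nfuncs:
            raise ValueError("corrupt export table: ordinal out of range")
        func_rva = struct.unpack_from("<I", image, funcs_rva + 4 * ordinal)[0]
        if export_dir_rva <= func_rva < export_dir_rva + export_dir_size:
            return ("forwarder", _cstring(image, func_rva))
        return ("code", func_rva)
    return None


if __name__ == "__main__":
    img, rva, size = build_sample_image()
    for name in ("ExAcquireFastMutex", "ExAllocatePool", "ExReleaseFastMutex"):
        print(name, "->", resolve_export(img, rva, size, name))
```

    A "forwarder" result is not usable as a call target: the caller has to split it at the dot, locate the named module and look the function up there, which is the extra step a hand-written resolver performs and the kernel's routine, as described above, does not.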