tech notes of yet another programmer
Monday, January 23, 2017
Performance tests: HD Tune
Check SSD health: CrystalDiskInfo (it doesn't work if the SSD is in a RAID, as far as I can see; one server went down right after this utility was started)
Saturday, January 21, 2017
C++ snippets memo
hand-made scope_guard without boost scope_guard & other stuff:
std::shared_ptr<void> l(nullptr, [](void*){ system("pause"); });
(the deleter is invoked when the shared_ptr is destroyed even though the stored pointer is null - the standard guarantees this for the constructor that takes a deleter)
example of such a 'scope_guard' - a temp file which is guaranteed to be deleted when it goes out of scope:
std::string temp_filename = MyGetTempFilename();
std::shared_ptr<void> l(nullptr, [temp_filename](void*){
boost::filesystem::remove(temp_filename);
});
thread & lambda - for me a useful pattern, especially for unit-testing:
a thread running a lambda:
std::thread t([](){
std::this_thread::sleep_for(std::chrono::seconds(1));
system("taskkill /F /IM calc.exe");
});
t.join();
shared_ptr + placement new (the object is constructed inside a mapped shared-memory region; the deleter only runs the destructor, the region's memory is not freed here):
std::shared_ptr<boost::interprocess::interprocess_mutex>
placement_shared_ptr(
new(region.get_address()) boost::interprocess::interprocess_mutex,
[](boost::interprocess::interprocess_mutex* l)
{
l->~interprocess_mutex();
}
);
boost::thread_group replaced with a std::thread pattern:
std::vector<std::thread> my_threads;
for (size_t i = 0; i < (size_t)threads_num; ++i)
{
my_threads.push_back(std::thread(std::bind(&MyClass::RunThread, this,
parameters
)));
}
for (size_t i = 0; i < my_threads.size(); i++)
{
my_threads[i].join();
}
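An added example, not part of the memo above: a small RAII scope_guard that also supports dismiss(), plus a joiner for the std::thread vector. Two points the snippets above don't show: a cleanup that throws out of a destructor during unwinding calls std::terminate, so the guard swallows it; and if an exception is thrown between creating the threads and the join loop, the still-joinable std::thread objects are destroyed and std::terminate is called, so join them from a guard as well. All names here are mine; it builds with any C++11 compiler and needs no Boost.

```cpp
#include <atomic>
#include <functional>
#include <stdexcept>
#include <thread>
#include <utility>
#include <vector>

// RAII scope guard: the callback runs when the guard is destroyed, including
// during stack unwinding after an exception, unless dismiss() was called.
class ScopeGuard {
public:
    explicit ScopeGuard(std::function<void()> f) : f_(std::move(f)), active_(true) {}
    ScopeGuard(ScopeGuard&& other) noexcept
        : f_(std::move(other.f_)), active_(other.active_) { other.active_ = false; }
    ScopeGuard(const ScopeGuard&) = delete;
    ScopeGuard& operator=(const ScopeGuard&) = delete;
    void dismiss() noexcept { active_ = false; }
    ~ScopeGuard() {
        if (!active_) return;
        // An exception leaving a destructor during unwinding would call
        // std::terminate, so cleanup failures are swallowed here.
        try { f_(); } catch (...) {}
    }
private:
    std::function<void()> f_;
    bool active_;
};

// Joins every joinable thread on scope exit. Without this, an exception thrown
// between creating the threads and the explicit join loop destroys joinable
// std::thread objects, which calls std::terminate.
class ThreadJoiner {
public:
    explicit ThreadJoiner(std::vector<std::thread>& threads) : threads_(threads) {}
    ~ThreadJoiner() {
        for (std::thread& t : threads_) if (t.joinable()) t.join();
    }
private:
    std::vector<std::thread>& threads_;
};

// Models "create temp file, do work, delete temp file" with work that throws.
// Returns how many times the cleanup ran (expected: 1).
int CleanupRunsWhenWorkThrows() {
    int cleanups = 0;
    try {
        ScopeGuard guard([&cleanups] { ++cleanups; });
        throw std::runtime_error("work failed");      // simulated failure
    } catch (const std::runtime_error&) {
        // the guard already ran during unwinding
    }
    return cleanups;
}

// Same, but the work succeeds and the result is kept: dismiss() cancels cleanup.
// Returns how many times the cleanup ran (expected: 0).
int CleanupSkippedWhenDismissed() {
    int cleanups = 0;
    {
        ScopeGuard guard([&cleanups] { ++cleanups; });
        guard.dismiss();                               // "commit": keep the file
    }
    return cleanups;
}

// boost::thread_group replacement: threads_num workers each increment a shared
// counter per_thread times. The joiner covers the error path; the explicit join
// loop is still needed so the result is complete before it is read.
long SumWithThreads(unsigned threads_num, long per_thread) {
    std::atomic<long> total(0);
    std::vector<std::thread> my_threads;
    ThreadJoiner joiner(my_threads);
    for (unsigned i = 0; i < threads_num; ++i) {
        my_threads.emplace_back([&total, per_thread] {
            for (long k = 0; k < per_thread; ++k) total.fetch_add(1);
        });
    }
    for (std::thread& t : my_threads) t.join();
    return total.load();
}

int main() {
    return (CleanupRunsWhenWorkThrows() == 1 &&
            CleanupSkippedWhenDismissed() == 0 &&
            SumWithThreads(4, 1000) == 4000) ? 0 : 1;
}
```

The shared_ptr<void> trick from the memo does the same job in one line; the class form is what you want once a cleanup must be cancellable or must never throw.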
Thursday, November 10, 2016
boost::filesystem::remove_all, RemoveDirectory WinAPI function and 'The directory is not empty' error
Problem
Sometimes boost::filesystem::remove_all on Windows (or the RemoveDirectoryA/RemoveDirectoryW WinAPI functions, which remove_all's Windows implementation calls) returns the misleading error 'The directory is not empty'.
Solution in short
Windows has problems with long paths (longer than 260 characters, MAX_PATH); to handle such paths you have to write \\?\C:\my_long_filename instead of C:\my_long_filename.
If you have a directory C:\dir containing a file with a long name, the RemoveDirectory WinAPI function called with this path returns the error 'The directory is not empty'. But if you call it with the \\?\C:\dir parameter, it works fine.
So instead of calling boost::filesystem::remove_all directly you can use something like this:
void RemoveAll(const std::wstring & path)
{
std::wstring current_path = path;
if (current_path.substr(0, 4) != L"\\\\?\\")
{
current_path = L"\\\\?\\" + current_path;
}
boost::filesystem::remove_all(current_path);
}
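An added example (mine, not from the post) of the prefixing step done more carefully. RemoveAll above prepends \\?\ to whatever it gets, but the prefix switches off Win32 path parsing: the MAX_PATH limit goes away, but so do forward-slash conversion, relative-path resolution and '.'/'..' handling, and a UNC path needs the \\?\UNC\server\share form rather than \\?\\\server\share. The helper below (plain C++, no Windows headers, so it builds anywhere) handles those cases and refuses inputs it cannot prefix safely; on Windows you would call boost::filesystem::remove_all(ToExtendedLengthPath(path)). Function names are mine.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// True if the path already carries the \\?\ (extended-length) or \\.\ (device) prefix.
bool HasWin32Prefix(const std::wstring& p) {
    return p.size() >= 4 && p[0] == L'\\' && p[1] == L'\\' &&
           (p[2] == L'?' || p[2] == L'.') && p[3] == L'\\';
}

// Absolute in the Win32 sense: "X:\..." or a UNC path "\\server\share...".
// "C:relative" (drive-relative) and "\dir" (root-relative) are not absolute.
bool IsAbsoluteWin32Path(const std::wstring& p) {
    if (HasWin32Prefix(p)) return true;
    bool drive = p.size() >= 3 &&
                 ((p[0] >= L'A' && p[0] <= L'Z') || (p[0] >= L'a' && p[0] <= L'z')) &&
                 p[1] == L':' && p[2] == L'\\';
    bool unc = p.size() >= 3 && p[0] == L'\\' && p[1] == L'\\' && p[2] != L'\\';
    return drive || unc;
}

// Returns the extended-length form of an absolute path. Because the \\?\ prefix
// turns off Win32 path parsing, the normalisation the caller may be relying on
// is done here instead ('/' -> '\'), and inputs that cannot be prefixed safely
// (relative paths, '.' or '..' components, which would be passed through
// literally) are rejected with std::invalid_argument.
std::wstring ToExtendedLengthPath(std::wstring path) {
    if (HasWin32Prefix(path)) return path;                 // already in long form
    for (wchar_t& ch : path) if (ch == L'/') ch = L'\\';
    if (!IsAbsoluteWin32Path(path))
        throw std::invalid_argument("extended-length prefix requires an absolute path");
    std::size_t start = 0;
    while (start <= path.size()) {                         // walk the components
        std::size_t end = path.find(L'\\', start);
        if (end == std::wstring::npos) end = path.size();
        if (path.compare(start, end - start, L".") == 0 ||
            path.compare(start, end - start, L"..") == 0)
            throw std::invalid_argument("path must be canonical (no '.' or '..' components)");
        start = end + 1;
    }
    if (path[0] == L'\\')                                  // UNC: \\srv\share -> \\?\UNC\srv\share
        return L"\\\\?\\UNC\\" + path.substr(2);
    return L"\\\\?\\" + path;
}
```

If the caller only has a relative or non-canonical path, turn it into a canonical absolute one first (GetFullPathNameW does that on Windows) and then prefix it; prefixing first would make `..` a literal component name.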
Tuesday, September 13, 2016
Useful links:
Rot13 in Windows:
https://blog.didierstevens.com/2006/07/24/rot13-is-used-in-windows-you%E2%80%99re-joking/
UserAssist - a registry key which stores (ROT13-encoded) what you ran on your PC. And a useful utility for viewing it:
https://blog.didierstevens.com/programs/userassist/
'Undetectable' Windows payload generation (metasploit generates shellcode, then Python code that executes this shellcode is generated, then it is AES-encrypted and packed into a PE executable):
https://github.com/nccgroup/Winpayloads
(description of the UAC bypass it uses (IFileOperation again) - https://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html)
Masquerade-PEB powershell script (for UAC bypass):
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Masquerade-PEB.ps1
with an interesting idea (from the script's description):
Masquerade-PEB uses NtQueryInformationProcess to get a handle to powershell's
PEB. From there it replaces a number of UNICODE_STRING structs in memory to
give powershell the appearance of a different process. Specifically, the
function will overwrite powershell's "ImagePathName" & "CommandLine" in
_RTL_USER_PROCESS_PARAMETERS and the "FullDllName" & "BaseDllName" in the
_LDR_DATA_TABLE_ENTRY linked list.
This can be useful as it would fool any Windows work-flows which rely solely
on the Process Status API to check process identity. A practical example would
be the IFileOperation COM Object which can perform an elevated file copy if it
thinks powershell is really explorer.exe ;)!
one more UAC bypass:
https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC
Interesting case: running code in the context of InstallUtil.exe (.NET Framework, from the Windows directory). It can serve as an autorun, for example:
http://www.blackhillsinfosec.com/?p=4881
How to run a console program with parameters when cmd.exe is disabled:
http://www.blackhillsinfosec.com/?p=5257
an interesting tool (ETW tracing from the command line):
https://github.com/goldshtn/etrace
CVE-2016-3308 - win32k heap corruption, PoC:
https://github.com/55-AA/CVE-2016-3308
blind SQL injection framework:
http://www.darknet.org.uk/2016/09/bbqsql-blind-sql-injection-framework/
LLMNR/NBNS spoofer:
https://github.com/Kevin-Robertson/Inveigh
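Since UserAssist comes up in the links above: an added example (mine, not from the post and not from Didier Stevens' tool) of decoding one UserAssist value in C++. The value name is the ROT13 of the program path; the data layout used here (Windows 7 and later: 72 bytes, run count at offset 4, last-run FILETIME at offset 60) is an assumption taken from public descriptions of the format, and the sample value is constructed, not captured from a real machine.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// ROT13 as applied to UserAssist value names: only A-Z and a-z rotate; digits,
// punctuation and path separators pass through unchanged. ROT13 is its own inverse.
std::string Rot13(const std::string& in) {
    std::string out = in;
    for (char& c : out) {
        if (c >= 'a' && c <= 'z') c = static_cast<char>('a' + (c - 'a' + 13) % 26);
        else if (c >= 'A' && c <= 'Z') c = static_cast<char>('A' + (c - 'A' + 13) % 26);
    }
    return out;
}

// Little-endian readers: registry binary values are stored little-endian,
// and this keeps the parser independent of the host's byte order.
uint32_t ReadLE32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}
uint64_t ReadLE64(const uint8_t* p) {
    return uint64_t(ReadLE32(p)) | (uint64_t(ReadLE32(p + 4)) << 32);
}

// Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to Unix epoch seconds.
int64_t FileTimeToUnix(uint64_t filetime) {
    const uint64_t kEpochDiff = 116444736000000000ULL;  // ticks from 1601 to 1970
    if (filetime < kEpochDiff) return 0;
    return static_cast<int64_t>((filetime - kEpochDiff) / 10000000ULL);
}

struct UserAssistEntry {
    std::string program;    // decoded value name
    uint32_t run_count;
    int64_t last_run_unix;
    bool ok;                // false if the data was too short for the assumed layout
};

// Decodes one value of the UserAssist "Count" key. Layout assumed (Windows 7+):
// 72 bytes, run count at offset 4, last-run FILETIME at offset 60. This is an
// assumption of the example, taken from public descriptions of the format.
UserAssistEntry ParseUserAssistValue(const std::string& value_name,
                                     const std::vector<uint8_t>& data) {
    UserAssistEntry e{Rot13(value_name), 0, 0, false};
    if (data.size() < 68) return e;                 // need bytes 60..67
    e.run_count = ReadLE32(&data[4]);
    e.last_run_unix = FileTimeToUnix(ReadLE64(&data[60]));
    e.ok = true;
    return e;
}

// Constructed sample data (not captured from a real system): a 72-byte value
// blob with the given run count and FILETIME at the assumed offsets.
std::vector<uint8_t> MakeSampleValue(uint32_t run_count, uint64_t filetime) {
    std::vector<uint8_t> d(72, 0);
    for (int i = 0; i < 4; ++i) d[4 + i] = uint8_t(run_count >> (8 * i));
    for (int i = 0; i < 8; ++i) d[60 + i] = uint8_t(filetime >> (8 * i));
    return d;
}

int main() {
    // Constructed value name: ROT13 of C:\Windows\system32\calc.exe
    const std::string name = "P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr";
    UserAssistEntry e = ParseUserAssistValue(name, MakeSampleValue(7, 131181984000000000ULL));
    std::printf("%s run_count=%u last_run_unix=%lld\n", e.program.c_str(),
                (unsigned)e.run_count, (long long)e.last_run_unix);
    return e.ok ? 0 : 1;
}
```

On a live system the value names and data come from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count; on Windows 7 and later many names start with a known-folder GUID rather than a drive letter, and the ROT13 step is the same either way.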
Tuesday, August 9, 2016
notes of yara 3.5.0 compiling
This is an updated version of my 'notes of yara 3.4.0 compiling' post.
What's good in 3.5.0 in comparison with 3.4.0
The official description is quite short, so I looked through the commits:
- speed-up: 2.6x faster - https://twitter.com/plusvic/status/763753320381046784
- bugfixes: ~70 of them, some for crashes - I personally ran into crashes because of 2 bugs, which are fixed by now
- new stuff:
- length operator ! (don't know who will really use it)
- useful stuff in the pe module:
- imports(dll_name)
- imports(dll_name, ordinal)
- is_dll()
- is_32bit()
- is_64bit()
- 2 new functions in 'rich_signature' in the 'pe' module:
- version(version, [toolid])
- toolid(toolid, [version])
- changes in the module API (they matter if you maintain your own module, as I do):
foreach_memory_block(context, block)
became
foreach_memory_block(iterator, block)
so the iterator has to be declared beforehand, and the block data is now fetched through the block: block_data = block->fetch_data(block);
also struct _YR_MATCH changed - match->length became match->match_length, so I'd need to fix it in my module source accordingly.
tools & version:
- windows 8.1
- visual studio 2013
- yara library 3.5.0
foreword
Just notes on the yara compiling process on Windows with Visual Studio. I compile without CUCKOO support because I don't need it.
1) unpack the archive
2) go to yara-3.5.0\windows\lib and delete all the libraries there. I prefer to compile everything I need myself, and these prebuilt libraries would interfere with the ones I compile.
3) open the solution: .\yara-3.5.0\windows\vs2010\yara.sln
4) open 'utils.h' -> replace '#define YR_API EXTERNC __declspec(dllexport)' with '#define YR_API EXTERNC' (because I don't want exported symbols in my exe files, and I want to link statically)
5) choose platform & mode
6) set runtime library for all projects (yara & yarac & libyara):
properties -> c/c++ -> code generation -> runtime library -> /MTd for debug or /MT for release
(you can select several projects in time - using 'ctrl'+left_mouse_button_click)
7) add to the "Preprocessor Definitions" of the 'libyara' project
(Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions)
a rename so that its strlcat does not clash with the same symbol from other libraries (the MySQL C connector, for example):
strlcat=libyara_internal_strlcat
8) open 'strutils.c' and replace '#if !HAVE_STRLCAT && !defined(strlcat)' with '#if !HAVE_STRLCAT'; do the same in 'strutils.h'.
9) Go to libyara properties:
Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions
and delete CUCKOO from this list.
Then go to libyara properties:
Properties -> Configuration Properties -> Librarian -> General -> Additional Dependencies
and delete jansson64.lib from this list.
10) Here you must choose whether to compile with OpenSSL or without.
Why yara needs OpenSSL:
- to generate an import hash (pe.imphash()): https://www.mandiant.com/blog/tracking-malware-import-hashing/ (uses the HAVE_LIBCRYPTO define)
- the PE module can extract some info from the PE digital signature (Authenticode) certificate (uses the HAVE_LIBCRYPTO define):
#if defined(HAVE_LIBCRYPTO)
begin_struct_array("signatures");
declare_string("issuer");
declare_string("subject");
declare_integer("version");
declare_string("algorithm");
declare_string("serial");
declare_integer("not_before");
declare_integer("not_after");
declare_function("valid_on", "i", "i", valid_on);
end_struct_array("signatures");
declare_integer("number_of_signatures");
#endif
- the hash module provides cryptographic hash functions: md5, sha1, sha256, plus checksum32 (uses the HASH_MODULE define; appeared in version 3.3.0)
If you need any of this functionality, you need to build OpenSSL and add to all projects:
- the additional library directory
- the OpenSSL library file (libeay32.lib on my PC)
- HASH_MODULE to the preprocessor definitions of the libyara project
If you don't need this functionality:
- delete HAVE_LIBCRYPTO from the "Preprocessor Definitions" of libyara and add HAVE_TIMEGM instead - otherwise you get undefined type 'tm':
Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions
- delete libeay64.lib from
Properties -> Configuration Properties -> Librarian -> General -> Additional Dependencies
11) If you need to add your own module, add it to 'libyara\modules\module_list'.
After that everything compiles fine.
Wednesday, June 1, 2016
build libzippp in visual studio 2013
Here is a C++ wrapper over libzip - https://github.com/ctabin/libzippp
But it has a terrible build system:
- the Visual Studio version is hardcoded in it (well, that's fixable)
- the libzip version is hardcoded in it (hardcoded version: 1.1.2, latest version: 1.1.3 - well, that's fixable too)
- it's difficult to change the build script to adjust zlib & libzip, for example for static linking.
--------------------------------------------------------------------
To use it as a static library, go to libzippp.h, add #include <cstdint> and change:
#ifdef WIN32
typedef long long libzippp_int64;
typedef unsigned long long libzippp_uint64;
//special declarations for windows to use libzippp from a DLL
#define SHARED_LIBRARY_EXPORT __declspec(dllexport)
#define SHARED_LIBRARY_IMPORT __declspec(dllimport)
#else
//standard ISO c++ does not support long long
typedef long int libzippp_int64;
typedef unsigned long int libzippp_uint64;
#define SHARED_LIBRARY_EXPORT
#define SHARED_LIBRARY_IMPORT
#endif
to
typedef int64_t libzippp_int64;
typedef uint64_t libzippp_uint64;
#define SHARED_LIBRARY_EXPORT
#define SHARED_LIBRARY_IMPORT
--------------------------------------------------------------------
headers paths for libzippp:
D:\projects\libraries\libzip-1.1.3\lib
D:\projects\libraries\libzip-1.1.3\xcode
headers paths for tests:
D:\projects\libraries\libzippp\libzippp
lib paths for debug tests:
D:\projects\libraries\libzippp\x64\Debug
D:\projects\libraries\libzip-1.1.3\_build_x64_static_mt_mtd\lib\Debug
D:\projects\libraries\zlib-1.2.8\_libraries_debug
lib paths for release tests:
D:\projects\libraries\libzippp\x64\Release
D:\projects\libraries\libzip-1.1.3\_build_x64_static_mt_mtd\lib\Release
D:\projects\libraries\zlib-1.2.8\_libraries_release
lib files:
libzippp.lib
zipstatic.lib
zlibstat.lib
And respect to the author of libzippp - despite the bad build system, I hope the project will be useful)
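One thing to add before using libzippp (or any zip wrapper) in real code: entry names come straight from the archive and are attacker-controlled, so they must be validated before being joined to an extraction directory, otherwise '../' or absolute entries write outside it. The check below is an added example of mine, not part of libzippp, and runs over a constructed entry list; in a real extraction loop you would feed it the name of each ZipEntry before writing the file.

```cpp
#include <stdexcept>
#include <string>
#include <vector>

// Rejects entry names that could land outside the extraction directory:
// absolute paths, drive letters, '..' components and control characters.
// Zip uses '/' as separator, but hostile archives carry '\' too, so both count.
bool IsSafeEntryName(const std::string& name) {
    if (name.empty()) return false;
    if (name[0] == '/' || name[0] == '\\') return false;           // absolute
    if (name.size() >= 2 && name[1] == ':') return false;           // C:..., also "C:relative"
    for (unsigned char c : name)
        if (c < 0x20 || c == 0x7f) return false;                    // control chars, embedded NUL
    std::size_t start = 0;
    while (start <= name.size()) {                                  // walk the components
        std::size_t end = name.find_first_of("/\\", start);
        if (end == std::string::npos) end = name.size();
        if (name.compare(start, end - start, "..") == 0) return false;
        start = end + 1;
    }
    return true;
}

// Joins a validated entry name onto dest_dir, using '/' as the separator.
// Throws for unsafe names so an extraction loop cannot silently proceed.
std::string SafeJoin(const std::string& dest_dir, const std::string& entry) {
    if (!IsSafeEntryName(entry))
        throw std::invalid_argument("unsafe archive entry name: " + entry);
    std::string joined = dest_dir;
    if (joined.empty() || (joined.back() != '/' && joined.back() != '\\')) joined += '/';
    for (char c : entry) joined += (c == '\\') ? '/' : c;
    return joined;
}

// Filters a list of entry names the way an extraction loop would; returns the
// names that were rejected so the caller can log them instead of extracting.
std::vector<std::string> RejectedEntries(const std::vector<std::string>& names) {
    std::vector<std::string> bad;
    for (const std::string& n : names) if (!IsSafeEntryName(n)) bad.push_back(n);
    return bad;
}

int main() {
    // Constructed entry list, not read from a real archive.
    std::vector<std::string> entries = {
        "docs/readme.txt", "../../etc/passwd", "C:\\Windows\\win.ini", "bin\\..\\..\\x", "ok/.hidden"
    };
    return RejectedEntries(entries).size() == 3 ? 0 : 1;
}
```

Symlink entries and Windows reserved device names (CON, NUL, ...) are separate problems that this check does not cover; handle them in the extraction loop as well.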
building libzip in visual studio 2013
As always - x64, static, debug/release.
You need compiled zlib - I wrote about compiling zlib here.
Download the archive libzip-1.1.3.tar.gz from http://www.nih.at/libzip/index.html and unpack it.
md _build_x64_static_mt_mtd
cd _build_x64_static_mt_mtd
If you want to use only the static lib:
- go to 'D:\projects\libraries\libzip-1.1.3\lib\CMakeLists.txt', comment out the second-to-last block and uncomment the last one.
- go to D:\projects\libraries\libzip-1.1.3\lib\zip.h and insert at the beginning (after the include guard): #define ZIP_STATIC
- go to D:\projects\libraries\libzip-1.1.3\lib\compat.h and replace '#define ZIP_EXTERN __declspec(dllexport)' -> '#define ZIP_EXTERN'
debug: /MD -> /MTd, build
release: /MD -> /MT, build
Labels: building, libzip, visualstudio, windows, zlib