Monday, January 23, 2017

hdd memo

Make performance tests: HD Tune
Check SSD health: CrystalDiskInfo (as far as I can see it doesn't work if the SSD is in a RAID; one server went down right after starting this utility)

Saturday, January 21, 2017

C++ snippets memo

hand-made scope_guard without Boost's scope guard or other helpers: a shared_ptr<void> that owns nothing but carries a deleter, and the deleter runs when the pointer goes out of scope, null or not:

#include <cstdlib>
#include <memory>
// the deleter is called at scope exit even though the pointer itself is nullptr
std::shared_ptr<void> l(nullptr, [](void*){ system("pause"); });

example of such a 'scope_guard': a temp file which is guaranteed to be deleted when going out of scope. Use the non-throwing error_code overload of remove: a deleter that throws from inside ~shared_ptr ends in std::terminate.

std::string temp_filename = MyGetTempFilename();
std::shared_ptr<void> l(nullptr, [temp_filename](void*){
    boost::system::error_code ec;                   // deleters must not throw
    boost::filesystem::remove(temp_filename, ec);   // a failed delete is reported in ec, not thrown
});


thread & lambda - for me a useful pattern, especially for unit testing (e.g. killing a GUI process the test launched, after a delay):

#include <chrono>
#include <cstdlib>
#include <thread>
std::thread t([](){
    std::this_thread::sleep_for(std::chrono::seconds(1));
    system("taskkill /F /IM calc.exe");   // kill the process the test started
});
t.join();   // never let a joinable std::thread be destroyed: that calls std::terminate


shared_ptr + placement new: construct an object inside a shared memory region and let the shared_ptr run only the destructor, since the memory belongs to the mapped region (which must outlive the shared_ptr), not to us:

std::shared_ptr<boost::interprocess::interprocess_mutex>
    placement_shared_ptr(
        new(region.get_address()) boost::interprocess::interprocess_mutex,
        [](boost::interprocess::interprocess_mutex* l)
        {
            l->~interprocess_mutex();   // destroy only; the region frees the memory
        }
    );


boost::thread_group replaced by a std::thread pattern (note: if an exception escapes between starting the threads and joining them, the joinable std::thread objects are destroyed and std::terminate is called):

std::vector<std::thread> my_threads;
for (size_t i = 0; i < (size_t)threads_num; ++i)
{
    my_threads.emplace_back(std::bind(&MyClass::RunThread, this,
        parameters
        ));
}
for (std::thread& t : my_threads)
{
    t.join();
}
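An added example of my own, not code from the post, combining the two patterns above: a small dismissable scope_guard class and a join-all guard for a std::vector<std::thread>, showing that the cleanup runs and every thread is joined even when an exception is thrown while the workers are running, which the bare loop above does not guarantee. The run_workers and rollbacks_for functions are invented for the demonstration.

```cpp
#include <atomic>
#include <cstdio>
#include <functional>
#include <stdexcept>
#include <thread>
#include <utility>
#include <vector>

// Dismissable scope guard in the spirit of the shared_ptr<void> trick above.
// The destructor is noexcept and swallows whatever the cleanup throws: a
// deleter that throws while the stack unwinds ends in std::terminate.
class scope_guard {
public:
    explicit scope_guard(std::function<void()> fn) : fn_(std::move(fn)), active_(true) {}
    scope_guard(const scope_guard&) = delete;
    scope_guard& operator=(const scope_guard&) = delete;
    ~scope_guard() noexcept {
        if (!active_) return;
        try { fn_(); } catch (...) { /* cleanup errors must not escape a destructor */ }
    }
    // Cancel the cleanup, e.g. keep the temp file once the caller takes ownership.
    void dismiss() noexcept { active_ = false; }
private:
    std::function<void()> fn_;
    bool active_;
};

// Joins every thread of a std::vector<std::thread> on scope exit. Without it an
// exception thrown after the threads were started destroys joinable
// std::thread objects, and that calls std::terminate.
class join_all {
public:
    explicit join_all(std::vector<std::thread>& threads) : threads_(threads) {}
    join_all(const join_all&) = delete;
    join_all& operator=(const join_all&) = delete;
    ~join_all() {
        for (std::thread& t : threads_)
            if (t.joinable()) t.join();
    }
private:
    std::vector<std::thread>& threads_;
};

struct run_result {
    int cleanups;      // how many times the scope_guard fired (expect exactly 1)
    int worker_calls;  // how many workers ran to completion (expect threads_num)
    bool threw;        // whether the simulated failure propagated to the caller
};

// Starts threads_num workers, optionally fails while they are running, and
// reports whether the cleanup and the joins still happened. (Invented helper.)
run_result run_workers(int threads_num, bool throw_midway)
{
    run_result r{0, 0, false};
    std::atomic<int> worker_calls{0};
    try {
        scope_guard cleanup([&r] { ++r.cleanups; });   // e.g. remove a temp directory
        std::vector<std::thread> workers;
        join_all joiner(workers);   // declared after the vector, so it is destroyed before it
        for (int i = 0; i < threads_num; ++i)
            workers.emplace_back([&worker_calls] { ++worker_calls; });
        if (throw_midway)
            throw std::runtime_error("something failed while the workers were running");
    } catch (const std::exception&) {
        r.threw = true;   // joiner and cleanup have already run by the time we get here
    }
    r.worker_calls = worker_calls.load();
    return r;
}

// dismiss(): roll back only on failure, keep the result on success. (Invented helper.)
int rollbacks_for(bool succeeded)
{
    int rollbacks = 0;
    {
        scope_guard rollback([&rollbacks] { ++rollbacks; });
        if (succeeded) rollback.dismiss();
    }
    return rollbacks;
}

int main()
{
    run_result ok = run_workers(4, false);
    run_result failed = run_workers(4, true);
    std::printf("normal exit: cleanups=%d workers=%d threw=%d\n", ok.cleanups, ok.worker_calls, (int)ok.threw);
    std::printf("exception:   cleanups=%d workers=%d threw=%d\n", failed.cleanups, failed.worker_calls, (int)failed.threw);
    std::printf("rollbacks: success=%d failure=%d\n", rollbacks_for(true), rollbacks_for(false));
    return 0;
}
```

The declaration order inside the try block is the whole point: destructors run in reverse order, so the joiner waits for the workers before the vector is destroyed, and the cleanup guard, declared first, runs last.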



Thursday, November 10, 2016

boost::filesystem::remove_all, RemoveDirectory WinAPI function and 'The directory is not empty' error

Problem

Sometimes boost::filesystem::remove_all on Windows (or the RemoveDirectoryA/RemoveDirectoryW WinAPI functions, which its Windows implementation calls) fails with the confusing error 'The directory is not empty'.

Problem solving in short

Windows has trouble with long paths (longer than MAX_PATH, i.e. 260 characters including the terminating null). To handle such paths you have to pass the extended-length form: \\?\C:\my_long_filename instead of C:\my_long_filename.
If you have a directory C:\dir containing a file whose full path is that long, RemoveDirectory called with C:\dir returns 'The directory is not empty'. The error is accurate: the long-named file could not be removed through the unprefixed path, so the directory really is still non-empty. Called with \\?\C:\dir it works fine.
Two caveats: the prefix only works with the wide-character (W) functions and with absolute paths, and it switches off path normalisation, so '..' components and forward slashes are no longer interpreted.
So instead of plain boost::filesystem::remove_all you can use something like this:

void RemoveAll(const std::wstring & path)
{
    std::wstring current_path = path;

    if (current_path.substr(0, 4) != L"\\\\?\\")
    {
        current_path = L"\\\\?\\" + current_path;
    }

    boost::filesystem::remove_all(current_path);
}
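An added example, not the post's code, that does the prefixing more carefully than the RemoveAll wrapper above: it normalises separators, avoids a double prefix, handles UNC shares (which need \\?\UNC\server\share), and refuses relative paths instead of producing a name that points nowhere. It assumes the caller has already made the path absolute (boost::filesystem::absolute or GetFullPathNameW) and that the result is only handed to Win32 calls; since it is pure string work it compiles and runs on any platform.

```cpp
#include <algorithm>
#include <stdexcept>
#include <string>

// Turn an absolute Windows path into its extended-length (\\?\) form, which is
// what RemoveDirectoryW and friends need for paths longer than MAX_PATH.
std::wstring ToExtendedLengthPath(std::wstring path)
{
    // The prefix switches path normalisation off, so normalise separators here.
    std::replace(path.begin(), path.end(), L'/', L'\\');

    // Already in extended-length form: leave it alone (no double prefix).
    if (path.compare(0, 4, L"\\\\?\\") == 0)
        return path;

    // UNC share \\server\share\dir becomes \\?\UNC\server\share\dir
    if (path.compare(0, 2, L"\\\\") == 0)
        return L"\\\\?\\UNC\\" + path.substr(2);

    // Drive-absolute path C:\dir becomes \\?\C:\dir
    const bool drive_absolute =
        path.size() >= 3 &&
        ((path[0] >= L'A' && path[0] <= L'Z') || (path[0] >= L'a' && path[0] <= L'z')) &&
        path[1] == L':' && path[2] == L'\\';
    if (drive_absolute)
        return L"\\\\?\\" + path;

    // Relative ("dir\sub") and drive-relative ("C:dir") paths cannot take the
    // prefix; refusing is safer than producing a path that names nothing.
    throw std::invalid_argument("ToExtendedLengthPath: path must be absolute");
}
```

The RemoveAll wrapper above can call boost::filesystem::remove_all(ToExtendedLengthPath(path)) instead of blindly prepending the prefix.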

Tuesday, September 13, 2016

Useful links:

Rot13 in Windows:
https://blog.didierstevens.com/2006/07/24/rot13-is-used-in-windows-you%E2%80%99re-joking/

UserAssist: registry keys which store (ROT13-encoded) what you ran on your PC, and a useful utility for viewing them:
https://blog.didierstevens.com/programs/userassist/
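An added example, my own code rather than the linked tool's, showing what such a viewer does with one UserAssist value: the value name is ROT13 (GUID hex letters included), and the binary value on Windows 7 and later is 72 bytes with the run counter at offset 4 and the last-execution FILETIME at offset 60, the layout documented in Didier Stevens' write-ups (the other fields are ignored here). The sample value is constructed, not real registry data.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// ROT13 touches ASCII letters only; digits, braces, dashes and backslashes in
// the GUID-prefixed names pass through unchanged. Applying it twice is identity.
std::string UserAssistRot13(const std::string& name)
{
    std::string out = name;
    for (char& c : out) {
        if (c >= 'a' && c <= 'z') c = static_cast<char>('a' + (c - 'a' + 13) % 26);
        else if (c >= 'A' && c <= 'Z') c = static_cast<char>('A' + (c - 'A' + 13) % 26);
    }
    return out;
}

struct UserAssistEntry {
    std::string program;    // decoded value name, e.g. {known-folder GUID}\calc.exe
    uint32_t run_count;     // number of launches
    int64_t last_run_unix;  // last execution as seconds since 1970-01-01 UTC, 0 if unset
};

static uint64_t ReadLE(const uint8_t* p, int bytes)
{
    uint64_t v = 0;
    for (int i = bytes - 1; i >= 0; --i) v = (v << 8) | p[i];
    return v;
}

// FILETIME is 100 ns ticks since 1601-01-01; shift it to the Unix epoch.
int64_t FileTimeToUnix(uint64_t filetime)
{
    const uint64_t kEpochDiff = 116444736000000000ULL;  // 1601-01-01 -> 1970-01-01
    if (filetime < kEpochDiff) return 0;
    return static_cast<int64_t>((filetime - kEpochDiff) / 10000000ULL);
}

bool ParseUserAssistEntry(const std::string& value_name,
                          const std::vector<uint8_t>& data,
                          UserAssistEntry& out)
{
    if (data.size() < 72) return false;  // the older 16-byte XP layout is not handled
    out.program = UserAssistRot13(value_name);
    out.run_count = static_cast<uint32_t>(ReadLE(&data[4], 4));
    out.last_run_unix = FileTimeToUnix(ReadLE(&data[60], 8));
    return true;
}

// Constructed sample (not real registry data): the System32 known-folder GUID
// plus calc.exe, ROT13-encoded as Windows stores it, launched 7 times, last at
// 2017-01-01 00:00:00 UTC.
const char* const kSampleName = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pnyp.rkr";

std::vector<uint8_t> SampleUserAssistValue()
{
    std::vector<uint8_t> v(72, 0);
    const uint32_t runs = 7;
    const uint64_t ft = 131277024000000000ULL;  // FILETIME of 2017-01-01T00:00:00Z
    for (int i = 0; i < 4; ++i) v[4 + i] = static_cast<uint8_t>(runs >> (8 * i));
    for (int i = 0; i < 8; ++i) v[60 + i] = static_cast<uint8_t>(ft >> (8 * i));
    return v;
}

int main()
{
    UserAssistEntry e;
    if (!ParseUserAssistEntry(kSampleName, SampleUserAssistValue(), e)) return 1;
    std::printf("%s  runs=%u  last_run_unix=%lld\n", e.program.c_str(),
                static_cast<unsigned>(e.run_count), static_cast<long long>(e.last_run_unix));
    return 0;
}
```

On a real system the names come from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count; the GUID prefix in each decoded name is a known-folder id, so a viewer still has to map it to a directory.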

Undetectable Windows payload generation (metasploit generates the shellcode, then Python code that executes this shellcode is generated, AES-encrypted and packed into an MZ/PE executable):
https://github.com/nccgroup/Winpayloads
(description of the UAC bypass this tool uses (IFileOperation again): https://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html)

Masquerade-PEB PowerShell script (for UAC bypass):
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Masquerade-PEB.ps1
with an interesting idea (from the script's own description):

Masquerade-PEB uses NtQueryInformationProcess to get a handle to powershell's
PEB. From there it replaces a number of UNICODE_STRING structs in memory to
give powershell the appearance of a different process. Specifically, the
function will overwrite powershell's "ImagePathName" & "CommandLine" in
_RTL_USER_PROCESS_PARAMETERS and the "FullDllName" & "BaseDllName" in the
_LDR_DATA_TABLE_ENTRY linked list.

This can be useful as it would fool any Windows work-flows which rely solely
on the Process Status API to check process identity. A practical example would
be the IFileOperation COM Object which can perform an elevated file copy if it
thinks powershell is really explorer.exe ;)!

One more UAC bypass:
https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC


Interesting case: how to run your code in the context of InstallUtil.exe from the Windows directory. It can serve as an autorun, for example:
http://www.blackhillsinfosec.com/?p=4881

How to run a console program with parameters when cmd.exe is disabled:
http://www.blackhillsinfosec.com/?p=5257

Some interesting tool (command-line ETW tracing):
https://github.com/goldshtn/etrace

CVE-2016-3308 - heap corruption in win32k:
https://github.com/55-AA/CVE-2016-3308

Blind SQL injection framework:
http://www.darknet.org.uk/2016/09/bbqsql-blind-sql-injection-framework/

LLMNR/NBNS spoofer:
https://github.com/Kevin-Robertson/Inveigh


Tuesday, August 9, 2016

notes of yara 3.5.0 compiling

It's a modified version of my 'notes of yara 3.4.0 compiling' post.


What's good in 3.5.0 in comparison with 3.4.0


The official description is quite short, so I looked at the commits:
  • speed-up of up to 2.6x! - https://twitter.com/plusvic/status/763753320381046784
  • bugfixes: ~70 of them, some of which led to crashes - I personally hit crashes caused by 2 bugs, which are fixed by now
  • new stuff:
    • length operator ! (don't know who will really use it)
    • useful stuff in the pe module:
      • imports(dll_name)
      • imports(dll_name, ordinal)
      • is_dll()
      • is_32bit()
      • is_64bit()
      • 2 new functions in 'rich_signature' in the 'pe' module:
        • version(version, [toolid])
        • toolid(toolid, [version])
Also in my yara module I will need to change code like:
    foreach_memory_block(context, block)
to
    foreach_memory_block(iterator, block)
declare this iterator beforehand, and change the way the block data is read - now it is something like 'block_data = block->fetch_data(block);'

Also struct _YR_MATCH changed: match->length became match->match_length, so I need to fix my module source accordingly.

tools & version:

  • windows 8.1
  • visual studio 2013
  • yara library 3.5.0

foreword

Just notes on the yara compile process on Windows with Visual Studio. I compile without CUCKOO support, because I don't need it.


action


1) unpack archive

2) go to yara-3.5.0\windows\lib and delete all the prebuilt libraries there. I prefer to compile everything I need myself, and these libraries would interfere with the ones I compile.

3) open solution: .\yara-3.5.0\windows\vs2010\yara.sln

4) open 'utils.h' -> replace '#define YR_API EXTERNC __declspec(dllexport)' with '#define YR_API EXTERNC' (because I don't want exported symbols in my exe files, and I want to link statically)

5) choose platform & mode

6) set the runtime library for all projects (yara & yarac & libyara):
    properties -> c/c++ -> code generation -> runtime library -> /MTd for debug or /MT for release
    (you can select several projects at once with ctrl + left mouse click)

7) add to "Preprocessor Definitions" of the 'libyara' project
    (Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions)
    a line to avoid conflicts with the MySQL C connector, for example:
strlcat=libyara_internal_strlcat

8) open 'strutils.c' and replace '#if !HAVE_STRLCAT && !defined(strlcat)' with '#if !HAVE_STRLCAT'; open 'strutils.h' and do the same.

9) Go to libyara properties:
    Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions
    and delete CUCKOO from this list.
Then go to libyara properties:
    Properties -> Configuration Properties -> Librarian -> General -> Additional Dependencies
    and delete jansson64.lib from this list.

10) Here you must choose whether to compile with OpenSSL or without.
Why yara needs OpenSSL:
    - to generate an import hash (imphash): https://www.mandiant.com/blog/tracking-malware-import-hashing/ (guarded by the HAVE_LIBCRYPTO define)
    - the PE module can extract some info from the PE digital signature certificate (guarded by HAVE_LIBCRYPTO):
#if defined(HAVE_LIBCRYPTO)
begin_struct_array("signatures");
  declare_string("issuer");
  declare_string("subject");
  declare_integer("version");
  declare_string("algorithm");
  declare_string("serial");
  declare_integer("not_before");
  declare_integer("not_after");
  declare_function("valid_on", "i", "i", valid_on);
  end_struct_array("signatures");
declare_integer("number_of_signatures");
#endif   

    - the HASH module provides cryptographic hash functions: md5, sha1, sha256, checksum32 (guarded by the HASH_MODULE define, appeared in version 3.3.0)

If you need any of this functionality, build OpenSSL and add to all projects:
    - the additional library directory
    - the OpenSSL library file (libeay32.lib on my PC)
    - HASH_MODULE to the preprocessor definitions of the libyara project

If you don't need this functionality:
    - delete HAVE_LIBCRYPTO from "Preprocessor Definitions" of libyara, and insert a HAVE_TIMEGM line - otherwise you get undefined type 'tm'.
        Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions
    - delete libeay64.lib from
        Properties -> Configuration Properties -> Librarian -> General -> Additional Dependencies
11) If you need to add your own module, add it to 'libyara\modules\module_list'

After that everything compiles fine.

Wednesday, June 1, 2016

build libzippp in visual studio 2013

Here is a C++ wrapper over libzip - https://github.com/ctabin/libzippp
But it has a terrible build system:
  • the Visual Studio version is hardcoded (well, that's fixable)
  • the libzip version is hardcoded (hardcoded version: 1.1.2, latest version: 1.1.3 - well, that's fixable too)
  • it's difficult to change the build script to adjust zlib & libzip, for example for static linking.
So it's much easier to create an empty project (thankfully the project has one .cpp & one .h file (and one more .cpp for tests - the author has tests, which is really cool)). So just create a solution with 2 projects, libzippp & tests. Adjust headers, header paths, lib files, lib paths, change /MD to /MT & /MTd accordingly and build. Check that the tests pass. Done)

--------------------------------------------------------------------
and to use it as a static library, go to libzippp.h, add #include <cstdint> and change:

#ifdef WIN32
        typedef long long libzippp_int64;
        typedef unsigned long long libzippp_uint64;
       
        //special declarations for windows to use libzippp from a DLL
        #define SHARED_LIBRARY_EXPORT __declspec(dllexport)
        #define SHARED_LIBRARY_IMPORT __declspec(dllimport)
#else
        //standard ISO c++ does not support long long
        typedef long int libzippp_int64;
        typedef unsigned long int libzippp_uint64;
       
        #define SHARED_LIBRARY_EXPORT
        #define SHARED_LIBRARY_IMPORT
#endif


to

typedef int64_t libzippp_int64;
typedef uint64_t libzippp_uint64;

#define SHARED_LIBRARY_EXPORT
#define SHARED_LIBRARY_IMPORT

--------------------------------------------------------------------


headers paths for libzippp:
D:\projects\libraries\libzip-1.1.3\lib
D:\projects\libraries\libzip-1.1.3\xcode


headers paths for tests:
D:\projects\libraries\libzippp\libzippp

lib paths for debug tests:
D:\projects\libraries\libzippp\x64\Debug
D:\projects\libraries\libzip-1.1.3\_build_x64_static_mt_mtd\lib\Debug
D:\projects\libraries\zlib-1.2.8\_libraries_debug


lib paths for release tests:
D:\projects\libraries\libzippp\x64\Release
D:\projects\libraries\libzip-1.1.3\_build_x64_static_mt_mtd\lib\Release
D:\projects\libraries\zlib-1.2.8\_libraries_release


lib files:
libzippp.lib
zipstatic.lib
zlibstat.lib


And respect to the author of libzippp - despite the bad build system, I hope the project will be useful)
 

building libzip in visual studio 2013

As always: x64, static, debug/release.
You need compiled zlib - I wrote about compiling zlib here
Download the archive libzip-1.1.3.tar.gz from http://www.nih.at/libzip/index.html and unpack it.

md _build_x64_static_mt_mtd
cd _build_x64_static_mt_mtd
if you want to use only the static lib:
  • go to 'D:\projects\libraries\libzip-1.1.3\lib\CMakeLists.txt' & comment out the second-to-last block & uncomment the last block.
  • go to D:\projects\libraries\libzip-1.1.3\lib\zip.h and insert at the beginning (after the include guard): #define ZIP_STATIC
  • go to D:\projects\libraries\libzip-1.1.3\lib\compat.h and replace '#define ZIP_EXTERN __declspec(dllexport)' -> '#define ZIP_EXTERN'
cmake .. -G "Visual Studio 12 2013 Win64" -DZLIB_LIBRARY:FILEPATH="D:/projects/libraries/zlib-1.2.8/_libraries_debug/zlib.lib" -DZLIB_INCLUDE_DIR:PATH="D:/projects/libraries/zlib-1.2.8"
debug: /MD -> /MTd, build
release: /MD -> /MT, build