Avant Browser

For a little over a month now, I've been using "Avant Browser" - a "wrapper" of sorts around Internet Explorer. I saw it, got curious, and tried it. I suppose Firefox can do much of the same (or more, depending on extensions), but I just like the way Avant Browser does things. One thing I really find useful is the "Groups" function - take a bunch of websites, throw them in a Group, and then you can open one or all of the sites in the group. It's a bit like "Favorites, evolved". I used to set up batch files that would spawn 20-30 web pages each in its own instance of iexplore.exe. That was slow and tedious to maintain. Avant Browser makes it easy. There are plenty of other features as well, but I'm sure it's been covered in depth elsewhere. It works, and that's all there is to it.


Rootkits in 2005

James Butler and Sherri Sparks have some articles on SecurityFocus.com about Windows Rootkits...

Windows rootkits in 2005, part one

Windows rootkits in 2005, part two


Wrong file, ASP.NET. Thanks anyways.

The other day, on a test server, ASP.NET was giving the following message:

Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.

Compiler Error Message: CS0016: Could not write to output file 'c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\somepath\10d62725\cb6c7d34\k_kdx1bc.dll' -- 'Access is denied. '

Of course, it wasn't quite that simple. There was no problem accessing that folder, as FILEMON from Sysinternals verified when I set the filter to "Temporary ASP.NET Files". So I then set the filter to CSC.EXE, and noted that it was failing with ACCESS DENIED on C:\Windows\Temp\RES6.TMP running under NT AUTHORITY\NETWORK SERVICE. In the C:\Windows folder, there was a TEMP folder, and a TEMP.DELETETHIS folder. The ACL on the TEMP.DELETETHIS folder had an ACE for NETWORK SERVICE, but the ACL on the TEMP folder did not. The creation date of the new TEMP folder was roughly 1 week ago. So it appears that the installation of ASP.NET added an ACE on the original TEMP folder that would allow ASP.NET / NETWORK SERVICE to do what it needed to do. However, when someone decided they wanted a new TEMP folder on the server, the new TEMP folder inherited the permissions from WINDOWS and as such an ACE for NETWORK SERVICE was not placed on the new folder. Renaming TEMP to TEMP.HOLD and renaming TEMP.DELETETHIS back to TEMP solved the problem. Definitely an argument for better change control on the servers, as well as potentially further restricting access. But much of that is beyond my control...
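The ACL comparison described above, as an added example that is not code from the original post: it reports what each folder's ACL grants NT AUTHORITY\NETWORK SERVICE, so the two TEMP folders can be compared without a FILEMON trace. The folder names are the ones from the post, and the script assumes it is run in an elevated PowerShell session on the affected server.

```powershell
# Added example (not from the original post): summarise the ACEs a folder grants
# to NT AUTHORITY\NETWORK SERVICE, the account csc.exe runs under for ASP.NET 1.1.
function Get-NetworkServiceAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SID of NETWORK SERVICE; comparing SIDs avoids display-name differences.
    $networkService = [System.Security.Principal.SecurityIdentifier]'S-1-5-20'
    $acl = Get-Acl -LiteralPath $Path

    $aces = @($acl.Access | Where-Object {
        try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $networkService }
        catch { $false }
    })
    $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })

    # CreateFiles (WriteData) is the right needed to drop RES*.TMP into the folder.
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $canCreate = @($allow | Where-Object { ([int]$_.FileSystemRights -band $createFiles) -ne 0 }).Count -gt 0

    [pscustomobject]@{
        Path           = $Path
        AllowAces      = $allow.Count
        ExplicitAces   = @($allow | Where-Object { -not $_.IsInherited }).Count
        CanCreateFiles = $canCreate
        Rights         = ($allow | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; '
    }
}

# The "good" folder is the one that still carries the ACE the ASP.NET installer added;
# the freshly created Temp folder only inherited what WINDOWS grants.
$folders = "$env:windir\TEMP.DELETETHIS", "$env:windir\Temp"
$folders |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-NetworkServiceAccess -Path $_ } |
    Format-Table -AutoSize
```

A folder showing CanCreateFiles = False for NETWORK SERVICE is the one that will produce the CS0016 "Access is denied" error when csc.exe tries to write its temporary resource file there.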

At any rate... the first hit in a google for CS0016 takes you to the MSKB which almost nails it on the head, but in this case winds up kind of bending the nail so you have to take the hammer and try to pound the nail upright again, and then... er... nevermind.


An Assembly is a Page?

I spent the better part of the day chasing down what was ultimately a check-box in Internet Explorer's Advanced options. Blech.

The problem was that IE was failing to load a user control, and not being very helpful in determining why the control wouldn't load.

The control would load properly using HTTP, but would fail under HTTPS. Sysinternals' Filemon and Regmon showed no anomalous behavior. Debugging with cordbg wasn't particularly useful - the information wasn't really pointing me anywhere. The IEHOST log file (http://support.microsoft.com/?kbid=313892) didn't provide much more than the fusion log, which contained:

*** Assembly Binder Log Entry (xx/yy/zzzz @ aa:bb:cc QM) ***

The operation failed.Bind result: hr = 0x80070002. The system cannot find the file specified.

Assembly manager loaded from: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\fusion.dll
Running under executable C:\Program Files\Internet Explorer\iexplore.exe
--- A detailed error log follows.

=== Pre-bind state information ===
LOG: Where-ref bind. Location = https://localhost/path/assemblyname.dll
LOG: Appbase = https://localhost
LOG: Initial PrivatePath = bin
LOG: Dynamic Base = NULL
LOG: Cache Base = NULL
LOG: AppName = NULL
Calling assembly : (Unknown).

LOG: Processing DEVPATH.
LOG: Policy not being applied to reference at this time (private, custom, partial, or location-based assembly bind).
LOG: Attempting download of new URL https://localhost/path/assemblyname.dll
LOG: All probing URLs attempted and failed.

And yet the IIS log was showing that the assembly was being requested and returned successfully to the client.

Eventually, I encountered the following KB article: "How to run a user control assembly that is hosted on Internet Information Services (IIS) in Internet Explorer", which states:

"To successfully download a user control under these conditions, the client setting for the Do not save encrypted pages to disk setting must be cleared."

Simply clearing that check box allowed IE to download and instantiate the control.



Linksys - Linksux?

Linksys won't replace my BEFCMU10 cable modem even though Tech Support led me on with talk of a 1-time replacement (out of warranty replacement). The modem is nearly 3 years old, but why even mention the 1-time replacement deal if it's only something they do for 30 days after the one-year warranty expires? Linksys seemed very disorganized - like customer service didn't know what tech support was doing, and vice versa. Not impressed. Also not impressed when I asked the best way to dispose of the modem. Though she later admitted she didn't know what was in the modem, she suggested that I should just put it out with the garbage.


Hmmm... Cisco. Doesn't Cisco own Linksys?
"Ultimate disposal of this product should be handled according to all national laws and regulations"

From Motorola SB5100 manual:
"Recycling your Motorola Equipment
Please do not dispose of this product with your residential or commercial waste. Some countries or regions, such as the European Union, have set up systems to collect and recycle electrical and electronic waste items. Contact your local authorities for information about practices established for your region. If collection systems are not available, call Motorola Customer Service for assistance."

Apparently, Linksys makes cable modems that are environmentally friendly.

Yeah, right.


Free Visual Studio Express until Nov. 7, 2006

Microsoft has made the Visual Studio 2005 Express editions free for one year!
The above link offers the following for download:
Visual Web Developer 2005 Express
Visual Basic 2005 Express
Visual C# 2005 Express
Visual C++ 2005 Express
Visual J# 2005 Express
SQL Server Express

Download them before November 7, 2006, and they're free to use forever.


Very Bad Things...

Whoa... Ran across this a while ago, and again just this AM. But the first time I saw it was too late.
"When you restart a computer that is running Windows Server 2003 or Windows 2000 Server, the computer stops responding, or the "Applying computer settings" screen appears for longer than you expect"

Ran into a system where we could not install a service using the Win32 API CreateService (the API would hang). We were also unable to delete a service using DeleteService. Tried various techniques to troubleshoot the problem, but the system wasn't even able to shut down gracefully. Thought there might be a virus so we had the admin of the system run a scan. Nothing turned up. Wound up trying INSTSRV from the Resource Kit. That too would hang. But I used Dr. Watson to get a memory dump of the process and analyzed it in WinDBG to verify that it, too, was hanging in CreateService. We thought that perhaps there was something installed on the system that was causing some sort of a conflict, so we tried to stop a number of services on the system. Amazingly, none of the services would stop - they would get into a state of "Stopping", and stay there. Customer said they had other problems with the system, too, and were considering replacing it. So we didn't do anything more with the system. But one of the services I noted on the system that would have problems from time to time was "APCPBEAgent" (referenced in the above KB article) - it would sometimes remain in a state of "Starting" for 5+ minutes. I suspect that the problems with the system were a direct result of the issue outlined in the KB article.

This problem occurs because of a problem with version 6.x of APC PowerChute Business Edition Software. APC has issued the following official statement about this issue:

The APC 6.x software uses Sun Microsystems Java Cryptography Extension (JCE) 1.2.1 Package. The digital certificate that was used to sign the JCE 1.2.1 jar files expired on July 27, 2005. Because of this, the system causes the above detailed symptoms.





Interesting story on a potential "alternative" use of computer worms for "good" rather than evil.

"He [Dave Aitel] said nematodes can be automatically created from available vulnerability information and even showed off a new programming language to create the worms."

Not sure this is the way of the future, but...


Sony in a DRM pickle?

Looks like Mark Russinovich (Sysinternals) has found a DRM protection scheme that hides itself using techniques commonly exhibited by rootkits. There are a number of interesting issues raised around this matter...


Unexpected behavior with FindFirstFile...

Recently, a developer was experiencing some odd behavior with MFC's CFileFind class. It seems that it was returning files that didn't match the wildcard pattern specified. The code was something like:
CFileFind finder;
BOOL bWorking = finder.FindFile( "0011????????.xxx" );
while( bWorking )
{
        // FindNextFile advances to the next match and returns FALSE after the last one;
        // only after this call do GetFileName() etc. describe the current file.
        bWorking = finder.FindNextFile();
        // ... use finder.GetFileName(), finder.GetFilePath(), etc.
}

CFileFind uses the Win32 functions FindFirstFile and FindNextFile. After working with various variations on filenames that (to some extent) match the specified pattern, I was able to determine that files with a name of 00117777.xxx were being matched. OK... the MSDN doc for FindFirstFile states:
The search includes the long and short file names.

This gave me an idea. I created about 1000 files in the same directory, with a name generated from a format string like 4454%08x, and tested with my sample program. I got some hits in the search for 0011????????.xxx! Turns out, Windows was creating 8.3 filenames for these files, and the generated 8.3 filenames were like 0011d4~1.xxx. The "false positives" were files which had short file names that matched the desired pattern.

The developer is unable to rely solely on the results of the FindNextFile call, and he has to do a sanity check to make sure that every file that CFileFind indicates is a match is truly what he's looking for.
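The sanity check described above, as an added example that is not code from the original post: each hit from the file-system search is re-tested with a strict pattern in which every ? must match exactly one character, and the 8.3 alias of each hit is shown so you can see where a false positive came from. Get-ChildItem -Filter is handed to the file system search, where the Win32 wildcard rules apply (a ? may also match nothing just before the dot), while -like is PowerShell's own strict matcher. The file names are constructed for this example and are created in a temporary folder that is removed at the end.

```powershell
# Added example (not from the original post): reproduce the lenient match and
# apply the strict check the developer needed before trusting a CFileFind hit.
$pattern = '0011????????.xxx'
$dir = Join-Path $env:TEMP ('findtest_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
$fso = New-Object -ComObject Scripting.FileSystemObject   # exposes the 8.3 ShortName

try {
    # Constructed names: a genuine 12-character match, and the 8-character name
    # from the post that the lenient search also returns.
    foreach ($name in '001177777777.xxx', '00117777.xxx') {
        New-Item -ItemType File -Path (Join-Path $dir $name) | Out-Null
    }

    # Same wildcard handling as FindFirstFile: both files come back.
    $hits = Get-ChildItem -LiteralPath $dir -Filter $pattern -File

    foreach ($f in $hits) {
        # -like: ? matches exactly one character, so this is the check to apply to
        # CFileFind::GetFileName() (the long name) before accepting the hit.
        [pscustomobject]@{
            Name      = $f.Name
            ShortName = $fso.GetFile($f.FullName).ShortName
            StrictHit = ($f.Name -like $pattern)
        }
    }
}
finally {
    Remove-Item -LiteralPath $dir -Recurse -Force
}
```

Only 001177777777.xxx should show StrictHit = True; any other row is a hit the application must discard.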


Run more than one instance of REGEDIT

On Windows XP and Server 2003, REGEDIT takes a command line parameter that indicates a new instance should be opened up if an existing instance is already running.

REGEDIT -m (or /m) does the trick...

I assume the 'm' is for "multiple"...


Bart's Preinstalled Environment

This one's been around a bit I'm sure, but it looks pretty cool:
Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD
"It will give you a complete Win32 environment with network support, a graphical user interface (800x600) and FAT/NTFS/CDFS filesystem support. Very handy for burn-in testing systems with no OS, rescuing files to a network share, virus scan and so on."

Haven't had a chance to try it yet. That could be a good thing, or a bad thing... :)



http://www.win.tue.nl/sequoiaview/ has a cool program called SequoiaView, but it hasn't been updated since November of 2002. It shows which files and folders from a specified base folder take up the most space using "squarified cushion treemaps".


Image File Execution Options: Good, Evil, Fun.

I like the Image File Execution Options section of the registry. Many developers I've encountered aren't familiar with it, though. It's under-used, and that's a shame. (For some background on IFEO, check out http://blogs.msdn.com/junfeng/archive/2004/04/28/121871.aspx and http://blogs.msdn.com/greggm/archive/2005/02/21/377663.aspx.) So far, I've been able to use it for many things, including perhaps some things that it wasn't intended for. The most common value to set for a particular application is the "Debugger" REG_SZ value. This sets up another program to run as a debugger for the desired program. So, for example, if you set a "Debugger" value in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe to something like "devenv /debugexe", VS.NET would open up (provided DevEnv.exe is in the path), ready for you to begin a debugging session for Windows' Calculator program.

Now, depending on how you look at it, this can be good or it can be bad. Windows doesn't verify that the "debugger" is truly a debugger - it just spawns the application in the debugger value. This means that you can put "notepad.exe" in the debugger value under calc.exe, and every time you try to run "calculator", notepad will run instead. Mark Russinovich and Bryce Cogswell use this technique to implement the "Replace Task Manager" feature of their AWESOME Process Explorer utility (check out http://www.sysinternals.com/ for a LOAD of Really Useful utilities as well as other great info). Get Process Explorer, enable the option in the "Options" menu, and check HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe - the debugger value points to procexp.exe.

I've used IFEO to halt multi-part viruses and malware that continuously spawn multiple programs, where each component is responsible for, among other things, keeping other components alive. If the executables are predictably named, you can set a debugger entry for that executable to run a "singleton" application (like regedit.exe, which allows only one instance of itself to be run under most conditions). Then you can kill the process and watch regedit open up. Do the same thing for the other bad program, and you can go about cleaning the system. Of course, this doesn't help in cases where the malware is fully contained in DLLs, but that's beyond the scope of this.

The other side of the above is that before too long, if it's not happening already, the malware authors will use IFEO to run their own junk. They could set a debugger value in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe, and that process would launch and then spawn Explorer. Or it could spawn BadProgram2.exe, then Explorer.exe, and then exit. This would be difficult to trace for a few reasons, one of which is how unknown the IFEO section of the registry is. I see that the most recent version of Sysinternals' AutoRuns (also by Mark Russinovich and Bryce Cogswell) - version 8.11 as I write this - adds detection of "image file hijacks", which I take to mean the very idea presented above. This is a good thing, but I hope it was added to be PROactive rather than REactive.
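An audit of the "Debugger" values under Image File Execution Options, the kind of check AutoRuns performs for "image file hijacks", as an added example that is not code from the original post. The list of expected debugger executables is an assumption for this example (it contains the tools named in this post plus a few common debuggers); extend it for your own environment. The WOW6432Node path is included for 64-bit systems and is skipped if absent.

```powershell
# Added example (not from the original post): list every IFEO "Debugger" value
# and flag the ones that do not point at a known debugger.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# Assumed allow-list for this example; procexp.exe is what "Replace Task Manager" installs.
$knownDebuggers = 'procexp.exe', 'procexp64.exe', 'devenv.exe', 'windbg.exe',
                  'depends.exe', 'vsjitdebugger.exe'

function Get-IfeoDebugger {
    foreach ($root in $ifeoPaths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $debugger = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger `
                         -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            # The first token (quoted or not) is the program Windows will actually start.
            $exe = if ($debugger.StartsWith('"')) { $debugger.Split('"')[1] }
                   else { $debugger.Split(' ')[0] }
            $exeName = [System.IO.Path]::GetFileName($exe)

            # A full path is checked directly; a bare name is resolved through PATH,
            # which is also how Windows would find it when the image is launched.
            $resolves = if ([System.IO.Path]::IsPathRooted($exe)) { Test-Path -LiteralPath $exe }
                        else { $null -ne (Get-Command $exe -ErrorAction SilentlyContinue) }

            [pscustomobject]@{
                Image      = $key.PSChildName
                Debugger   = $debugger
                Resolves   = $resolves
                Suspicious = ($knownDebuggers -notcontains $exeName)
                Hive       = $root
            }
        }
    }
}

Get-IfeoDebugger | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Any row with Suspicious = True, or a Debugger value attached to a system image such as Explorer.exe, is worth explaining before assuming it is benign.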

Another way I've used the "debugger" value for an executable in IFEO is to debug processes that run on other desktops. Inetinfo.exe (IIS), DLLHOST.EXE (COM+ apps), W3Wp.exe (IIS 6 World Wide Web Worker Process), and a slew of other programs can be "debugged" this way, even on production systems. Let's face it - how many times does the customer let you install a debugger on their system? :) . Even if you could install a debugger on a customer's system, if you set the debugger value in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3Wp.exe to "devenv.exe /debugexe" and did something to kick off an instance of the World Wide Web Worker Process, VS.NET would start, but you probably wouldn't see it - the devenv.exe process would be running, but there would be no way to interact with it. Sometimes, you don't need to interactively debug the application to determine what the problem is. Enter Dependency Walker from http://www.dependencywalker.com/ . If you're able to get this relatively small (compared to debugger packages!) program on the system, just set up the debugger value of the desired process to something like:

"c:\path to\depends.exe" /c /pb /od:c:\temp\whatever.dwi

(run depends /? for a full description of available command line options)

This will cause Dependency Walker to be invoked when the desired process is to be started. "/c" tells Dependency Walker to run in "console mode", "/pb" tells it to profile the target application automatically, and "/od:" specifies that Dependency Walker should create a "DWI" (the native file format for Dependency Walker) file at c:\temp after the target application terminates. This is key - you need to wait for the application to terminate. So, for W3Wp.exe, you could unload the application from IIS Manager. At that point, the specified DWI file will be created, and it can be loaded into Dependency Walker (just run the program) via drag & drop, or File Open. You can control some of the information captured by using the other "/p?" options, or you can run Dependency Walker, profile a dummy app (like calc.exe) and select all of the options you want for the next round - the help for Dependency Walker's "/p?" options states that "If this option is not specified, then the setting from the last time you ran Dependency Walker will be used". At any rate, you can do this if you need more info. I've used this technique to launch Dependency Walker to profile an app to determine what DLLs were missing or unreachable (path-wise) by the target process, or if the wrong version of the DLL was being picked up by the target process, or why a process was crashing.

Anyone else use these (or similar) tools/utilities? Anyone else use Image File Execution Options? Anyone know specifically how to interpret the ApplicationGoo REG_BINARY value of an entry in Image File Execution Options? It's related to "Application Compatibility", but...


Microsoft is giving away...

... free electronic versions of the following books:

Introducing Visual Basic 2005 for Developers
Get all 8 chapters separately, or as one download.

Upgrading Microsoft Visual Basic 6.0 to Microsoft Visual Basic .NET
Get all 21 chapters separately, or as one download.


OutputDebugString: The Untold Story

Found an interesting dissection of OutputDebugString today... http://www.unixwiz.net/techtips/outputdebugstring.html


Real blogging?

Just opened an account up at Blogger.com; I intend to migrate my existing blog (which was kind of an experiment) to this blog, but I want to play around here a bit first. I anticipate this will be a bit more "natural" than the previous blogging service I was using. That's about it for now - I want to see what things look like and poke around a bit.