Writing a custom dash docset for Powershell docs

Powershell has become the default shell since the Windows 10 Creator’s Update and it’s starting to become more than just a framework for malware deployment (not my words). Apart from the language itself, which feels alien to me (is it a shell? a scripting language? a programming language? a duck?), my biggest gripe with Powershell is the lack of documentation accessible from an offline network (or simply without direct access to the Internet). For a shell that has been created for sysadmins, you would imagine MS would have thought of shipping Powershell with “batteries included”. I cannot count the number of times I needed to do a powershell-related search on my smartphone while operating on a detached network.

Secondly, until recently there was no easy way to query help for a specific API (for example Get-ChildItem). There is evidently the Get-Help cmdlet which shows the “manpage” associated with the specific cmdlet, but that too grabs the documentation from the Internet! At least since Powershell 3.0 there is also the Save-Help cmdlet which can do a bulk download of the manpages of every posh module installed on a system, and Update-Help to update them on a separate machine.

Look Ma! It's like on a Unix system!

However I’m not a haxx0r elite programmer and for the life of me I can’t spend my time in a text-based console world. I grew up with click-based interfaces and browsers (not necessarily web browsers), therefore I’m way more at ease searching for information in an environment where a “mistype” cannot do serious damage to the system. I also like to click-click on colored boxes and purple links :smile:

Maybe to alleviate my silent issue (I’m surely not the only one bothered by this), the people from microsoft.docs.com recently launched a Powershell modules browser in which you can do full-text search for Powershell cmdlets:

This is a great improvement, but unfortunately it’s still online only. However, the docs structure is simple and well structured enough to be packaged in a dash docset for offline viewing. What follows in this blog post is how I proceeded to build the docset, as well as some “tips” for more advanced/obscure topics such as package navigation links and theme support.

TLDR: the generation script is here https://github.com/lucasg/powershell-docset but is subject to regular changes and breakages. It is better to download only the generated docsets: https://github.com/lucasg/powershell-docset/releases

Porting an historic Python2 module into Python3

Python 3 is almost 10 years old. Although its adoption has been long and arduous, it is now recognized that Python 3 will end up supplanting Python 2.7. However, while most of the popular libraries are already Python 3 ready, that’s not the case for the rest of the long tail.

While there is a trove of fantastic RE tools written in Python, most of them are written for Python 2.7. This is partially explained by the fact that the reverse engineering community has a significant “old guard” that still insists on using Hiew, SoftIce and VC6 when reversing code (along with software “jocks” activating every experimental security bell and whistle for fun and profit). I also hold HexRays partially responsible for this situation since they keep on shipping IDA without any Python3 support (maybe in v7, who knows?).

pdbparse is a really useful Python module/script for parsing PDB files (debug symbol files on Windows), especially on a Linux host. It’s pretty much the historical go-to solution across the RE board. The problem, though, is that it’s becoming deprecated (the project is 5 years old) and there is only a Python 2.7 build available. What follows is my adventure into attempting to “resuscitate” a Python2 legacy project, and hopefully a tutorial for others.

NB: This cheatsheet from the future people is awesome when dealing with Python2/3 compatibility issues.

Introducing Dependencies

Recently I wanted to study the way C# can interop with native code, notably via the use of enlightened C++ dlls (C++/CLI as Microsoft calls it).

The best way to learn about a subject is by making stuff, so I decided to write a C# application embedding native code. Since I don’t know much about C#, I chose to reimplement an existing piece of software: the venerable Dependency Walker, which is used by pretty much every Windows dev over 40 I’ve known to troubleshoot their dll load dependency issues.

I ended up writing a full-fledged GUI application that partially mimics the features of depends.exe, and I learned a lot about WPF and the dying art of desktop GUI development in the process.

You can get it here: https://lucasg.github.io/Dependencies/.

Listing KnownDlls

KnownDlls is a nifty little trick used by Windows to speed up the loading of “default” system shared libraries, using a COW (copy-on-write) mechanism for fast mapping in memory.

One question though: is it possible to list all the dlls under KnownDlls?

The sad state of PE parsing

The title of this blog post might be clickbaity, but here is the executive summary: there is no gold-standard open source library for PE parsing and feature extraction in “native” (i.e. unmanaged) code. Moreover, all widely-used PE parsing libraries contain subtle flaws.

Downloading dash docsets

Dash docsets and the compatible viewers (Dash on OSX, Velocity on Windows and Zeal on Linux/X-Plat) are a godsend for whoever works/develops offline (or on limited bandwidth). They also have the benefit of being a one-stop shop for documentation (no need to have multiple tabs open for $ProgrammingLanguage; $BuildPipelineTechno; $VersionControlSoftware; etc.).

However, I recently wanted to set up Velocity on a truly disconnected computer and unfortunately the application desperately wants to download the official dash docsets. I had to find another way to get them.

How Control Flow Integrity is implemented in Windows 10

This blog post summarizes a month of work analyzing how Windows has implemented Control Flow Integrity in Win10 builds 14393 and 14986.

A lot has been said about CFG, Windows’s version of control flow integrity. It was first released in Windows 8.1 Update 3 (KB3000850) in 2014 and has been improved upon since. The Windows 10 Anniversary Update (i.e. build 14393) recently brought several new features like longjmp hardening.

Running Jekyll on WSL (Windows Subsystem for Linux)

Since Windows is my daily driver at home, I’m genuinely interested in the arrival of WSL (Windows Subsystem for Linux) with build 14393 last year. For me, the main use of WSL will be to run webservers locally (dns, apache, nodejs, etc.) without having to set up a whole VM (and configure its network) to run them.

I start by converting my local Jekyll setup, which I run on my PC in order to “debug” my posts before pushing them to github.

Renaming a Win32 executable to main.exe launches the Xbox DVR popup

Recently I’ve stumbled upon the following question on Stack Overflow: windows-10-naming-programs-main-exe-cause-them-to-show-pop-up. The user Ether Frog has noticed that renaming any executable to main.exe triggers the Xbox Game DVR recorder when launching the executable on Windows 10.

I’ve done some digging over the weekend and I have found over 2000 special exe names which will trigger the same behaviour, not just main.exe.

This post contains most of my answer on the SO platform, but I also explain my reverse engineering process.

How to create and debug a process automatically on Windows

Recently I had to write a custom loader which would dynamically retrieve a bunch of information (loaded module list, imports, etc.) for several hundred executables. The first way involves launching every exe with cdb and crying when it comes to writing windbg scripts in order to export the needed information (I’m frankly not excited about their new shiny Javascript scripting engine built for windbg). The other way is to write a lightweight debugger using specific Windows APIs.

Guess which way I went ?

Enable non-signed drivers to be loaded and run under Windows

“Recent” Windows versions (from XP up to 10) by default require drivers to be signed (e.g. by Verisign) in order to be launched. This behavior, which has greatly reduced the attack surface for malware creators, can be a hindrance when you want to develop custom drivers. Here’s how to disable it.

Eudyptula Challenge

A few months ago I started the Eudyptula challenge, which is a series of coding tests designed to show a newcomer like myself how to hack on and contribute to the Linux kernel.

HACKVent 2014 - Day 21 writeup

I’ve signed up for the Hackvent event made by the guys from www.hacking-lab.com, which is an advent-like hacking competition. Every day a new challenge is posted at midnight, which ideally has to be solved the same day, the challenges becoming increasingly difficult with every week completed. The aim of every puzzle is to find either a QR-encoded x-mas ball which leads to the validation code, or a secret human-readable string which gives you the former ball when fed into a validator (the “Ball-O-Matic”).

Here’s the write-up for the challenge at day 21, in which we will learn how to get banned from casinos and bingo parties.

HACKVent 2014 - Day 20 writeup

Here’s the write-up for the twentieth challenge, in which we will constantly be called a “hobo”.

HACKVent 2014 - Day 19 writeup

HACKVent 2014 - Day 17 writeup

Here’s the write-up for the challenge at day 17, in which we will crush a handshake.

HACKVent 2014 - Day 16 writeup

Here’s the write-up for the challenge at day 16, in which we will unroll snakes.

HACKVent 2014 - Day 15 writeup

Here’s the write-up for the challenge at day 15, in which we will learn about a useful trick for black hats.

HACKVent 2014 - Day 14 writeup

Here’s the write-up for the challenge at day 14, in which we will rediscover social inequalities through cracking.

HACKVent 2014 - Day 13 writeup

Here’s the write-up for the challenge at day 13, in which we will talk to extraterrestrial beings.

HACKVent 2014 - Day 12 writeup

Here’s the write-up for the mid-point challenge at day 12, concerning reverse engineering SQL scripts.

HACKVent 2014 - Day 11 writeup

HERE_S_THE_WRITE-UP_FOR_THE_ELEVENTH_CHALLENGE__IN_WHICH_WE_WILL~1.

HACKVent 2014 - Day 10 writeup

Here’s the write-up for the tenth challenge, in which I debug SQL queries without knowing a thing about SQL.

HACKVent 2014 - Day 09 writeup

Here’s the write-up for the ninth challenge, in which we will learn how to spy on our girlfriend by reading her text messages.

HACKVent 2014 - Day 08 writeup

Here’s the write-up for the first “medium” challenge at day 8, which consists of running potentially malicious arbitrary code on your machine.

HACKVent 2014 - Day 07 writeup

This challenge turned out to be one of the hardest I cracked, mainly because I had a lot of difficulty identifying the encryption mechanism and was misled several times. Since I was away from home the day it went live, I also only solved it the day after.

Here’s the write-up for the seventh challenge, which will put a considerable strain on your eyesight.

HACKVent 2014 - Day 06 writeup

Here’s the write-up for the sixth challenge, which has been solved during a hangover.

HACKVent 2014 - Day 05 writeup

Here’s the write-up for the fifth challenge, in which we will compare apples and oranges.

HACKVent 2014 - Day 04 writeup

Here’s the write-up for the fourth challenge, which has nothing to do with dominoes.

HACKVent 2014 - Day 03 writeup

Here’s the write-up for the third challenge, which will refresh your historical knowledge of the Antiquity Era.

HACKVent 2014 - Day 02 writeup

Here’s the write-up for the second challenge, which is focused on base64 encoding and internet time machines.

HACKVent 2014 - Day 01 writeup

Here’s the write-up for the first challenge, which revolves around url shorteners.

Foxit PDF Creator can fuck your software up

I stumbled across a curious bug at work today. I’m currently updating some old bits of code managing the printing of a report (the software’s current configuration and whatnot); the files had not been modified for almost ten years. At one point my XPS output crashed (it couldn’t handle the "\r\n" chars), so I decided to take a look at the PDF version.

Misheard lyrics

I’m currently listening to the Decade Mix made by Flight Facilities on SoundCloud - which is by the way a great 4-hour session of songs recounting 40 years of (western) music - when I stumbled upon an old song I didn’t know the name of. Having a pre-Shazam mentality, I tend to focus on the lyrics and type them into the google search bar to hopefully retrieve the name.

Cryptopals - Set [1] - Detect single-character XOR

Not long ago, I started getting into the Cryptopals Matasano challenges. Knowing little about cryptography, I thought it was a good idea to learn a thing or two about encryption, as well as brushing up my C skills (I’m currently a C++ guy).

Building Libreoffice from source

Being clearly annoyed by pivot tables not being supported by LibreOffice Calc (well, it’s actually the xlsx export which is broken), I decided to build the libreoffice core from source on my Mint VM. It wasn’t simple.