Thursday, June 6, 2019

Ply is awesome

https://github.com/iovisor/ply

You can do kernel tracing and stuff.
Specify a kprobe by symbol or by address, and you can also get register and stack information.

Monday, October 29, 2018

Solving a more-than-a-decade-old internet problem

I saw the website was down and thought it was wrong that you couldn't arrange icons in that configuration.
There's a lot wrong in the world today, but we can make things right for at least someone.


// how to add to desktop right click menu - https://www.howtogeek.com/howto/windows-vista/add-any-application-to-the-desktop-right-click-menu-in-vista/
// add key to HKEY_CLASSES_ROOT\Directory\Background\shell\<your menu name>\command
// value is the program that you want to run

#include "stdafx.h"
// UNICODE/_UNICODE only take effect if they are defined before <windows.h> is
// first included; with a precompiled stdafx.h that already pulls in Windows
// headers, set them in the project's preprocessor definitions instead.
#define UNICODE
#define _UNICODE
#include <windows.h>
#include <shlobj.h>
#include <exdisp.h>
#include <shlwapi.h>
#include <atlbase.h>
#include <atlstr.h>
#include <atlalloc.h>
#include <stdio.h>
#include <Lmcons.h>
#include <string>
#include <iostream>
#include <fstream>

using namespace std;

// Walks ShellWindows -> desktop window -> top-level browser -> active view and
// hands back the requested interface (IFolderView here). Every COM step is
// checked so a failure surfaces as an HRESULT instead of a null dereference.
HRESULT FindDesktopFolderView(REFIID riid, void **ppv)
{
 CComPtr<IShellWindows> spShellWindows;
 HRESULT hr = spShellWindows.CoCreateInstance(CLSID_ShellWindows);
 if (FAILED(hr)) return hr;

 CComVariant vtLoc(CSIDL_DESKTOP);
 CComVariant vtEmpty;
 long lhwnd;
 CComPtr<IDispatch> spdisp;
 hr = spShellWindows->FindWindowSW(
  &vtLoc, &vtEmpty,
  SWC_DESKTOP, &lhwnd, SWFO_NEEDDISPATCH, &spdisp);
 // FindWindowSW returns S_FALSE with a null dispatch when no desktop window exists
 if (FAILED(hr)) return hr;
 if (!spdisp) return E_FAIL;

 CComQIPtr<IServiceProvider> spsp(spdisp);
 if (!spsp) return E_NOINTERFACE;
 CComPtr<IShellBrowser> spBrowser;
 hr = spsp->QueryService(SID_STopLevelBrowser, IID_PPV_ARGS(&spBrowser));
 if (FAILED(hr)) return hr;

 CComPtr<IShellView> spView;
 hr = spBrowser->QueryActiveShellView(&spView);
 if (FAILED(hr)) return hr;

 return spView->QueryInterface(riid, ppv);
}

// RAII wrapper so CoUninitialize runs on every return path
class CCoInitialize {
public:
 CCoInitialize() : m_hr(CoInitialize(NULL)) { }
 ~CCoInitialize() { if (SUCCEEDED(m_hr)) CoUninitialize(); }
 operator HRESULT() const { return m_hr; }
 HRESULT m_hr;
};

int __cdecl wmain(int argc, wchar_t **argv)
{
 TCHAR username[UNLEN + 1];
 DWORD size = UNLEN + 1;
 GetUserName(username, &size);

 // A character buffer, not an array of pointers: the original declared
 // LPWSTR szPath[MAX_PATH] and passed *szPath, i.e. a NULL pointer, as the
 // output buffer.
 TCHAR szPath[MAX_PATH] = { 0 };
 SHGetSpecialFolderPath(NULL, szPath, CSIDL_DESKTOPDIRECTORY, FALSE);

 ofstream write;

 // Stack buffer; the original new[]'d this and never freed it.
 WCHAR DES_folder[MAX_PATH] = { 0 };
 HRESULT hr = SHGetFolderPathW(0, CSIDL_DESKTOP, 0, 0, DES_folder);
 if (SUCCEEDED(hr)) {
  // Keep the path wide: narrowing it byte-by-byte (as the original did)
  // corrupts any non-ASCII characters in the user's profile path.
  std::wstring desktopfoldername = DES_folder;
  desktopfoldername += L"\\fukU";
  // Create 200 empty files on the desktop; each one becomes an icon that is
  // positioned below. MSVC's ofstream accepts wide paths.
  for (int i = 1; i <= 200; ++i) {
   std::wstring newfilename = desktopfoldername + to_wstring(i) + L".txt";
   write.open(newfilename, ios::out | ios::binary);
   write.close();
  }
 }

 // Give the shell a moment to notice the new files before we enumerate the view
 Sleep(3000);

 CCoInitialize init;
 if (FAILED(init)) return 1;
 CComPtr<IFolderView> spView;
 hr = FindDesktopFolderView(IID_PPV_ARGS(&spView));
 if (FAILED(hr)) return 1;

 // Target coordinates, one (x, y) pair per icon. Icons beyond the 117th all
 // land on the last point.
 int counter = 0;
 int x[117] = { 394,394,394,394,396,400,399,406,400,449,486,513,448,486,512,637,641,639,639,655,707,745,769,777,777,774,775,892,902,903,906,908,911,1023,994,962,960,1004,1033,1065,493,498,509,507,518,535,564,589,622,655,673,683,694,686,823,825,825,823,825,822,1289,1275,1261,1248,1255,1227,1227,1242,1245,1259,1231,1254,1250,1239,1219,1186,1157,1154,1111,1098,1113,1120,1092,1133,1180,1214,1204,1258,1271,1310,1318,1318,1370,1384,1381,1423,1465,1513,1540,1544,1507,1467,1435,1414,1419,1370,1380,1363,1367,1366,1351,1319,1365,1366,1345,1311,1287 };
 int y[117] = { 192,214,243,256,287,357,424,501,508,188,204,203,357,359,376,202,268,334,380,454,509,471,432,376,319,278,217,137,205,273,341,408,465,165,200,230,331,386,427,461,613,688,760,831,881,907,936,902,877,833,774,726,693,636,601,659,697,762,824,943,120,139,149,161,178,210,260,318,382,416,435,474,534,592,612,599,620,654,631,678,696,751,779,801,844,834,727,809,857,810,765,708,801,813,853,858,863,820,778,704,658,638,671,650,615,586,543,509,428,362,313,296,270,226,177,140,122 };

 CComPtr<IEnumIDList> spEnum;
 hr = spView->Items(SVGIO_ALLVIEW, IID_PPV_ARGS(&spEnum));
 if (FAILED(hr)) return 1;
 for (CComHeapPtr<ITEMID_CHILD> spidl;
  spEnum->Next(1, &spidl, nullptr) == S_OK;
  spidl.Free()) {
  // The current position is irrelevant; we overwrite it with the next target
  POINT pt;
  pt.x = x[counter];
  pt.y = y[counter];
  if (counter != 116)
   counter += 1;

  PCITEMID_CHILD apidl[1] = { spidl };
  spView->SelectAndPositionItems(
   1, apidl, &pt, SVSI_POSITIONITEM);
 }
 return 0;
}
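The right-click menu entry the comment at the top of the program describes can be created, and later audited, from PowerShell. This is an added example, not code from the post; the menu name "Arrange icons" and the path C:\Tools\arrange.exe are placeholders. Writing under HKEY_CLASSES_ROOT needs an elevated prompt. The listing half is worth keeping around on its own: every command under this key runs in the user's context whenever that menu item is clicked, so it is one of the places to check when something unexpected shows up in a desktop context menu.

```powershell
# Added example (not from the post): register a program as a desktop
# right-click menu item, then list everything registered under that key.
# Menu name and executable path are placeholders.
$shellKey = 'Registry::HKEY_CLASSES_ROOT\Directory\Background\shell'
$menuName = 'Arrange icons'
$exePath  = 'C:\Tools\arrange.exe'

# Create <menu name>\command and set its (default) value to the program.
# Needs an elevated prompt: a new HKCR key is written to the machine-wide
# HKLM\Software\Classes hive.
$cmdKey = "$shellKey\$menuName\command"
New-Item -Path $cmdKey -Force | Out-Null
Set-ItemProperty -Path $cmdKey -Name '(default)' -Value "`"$exePath`""

# Audit: each entry here is a command the shell will launch for the current
# user; review anything you did not put there yourself.
Get-ChildItem -Path $shellKey | ForEach-Object {
    $cmd = Get-ItemProperty -Path "Registry::$($_.Name)\command" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MenuEntry = $_.PSChildName
        Command   = $cmd.'(default)'
    }
} | Format-Table -AutoSize
```

Entries without a command subkey show an empty Command column; the Windows-supplied verbs (Display settings, Personalize and so on) normally live in the same key alongside anything you add, so the list is never empty.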

Wednesday, August 29, 2018

Tuesday, May 22, 2018

Ignorance .gdbinit

I hate looking up how to translate windbg commands to gdb commands.
Sometimes the gdb on a system doesn't have the python support.
So, here's a gdbinit to lay into my ignorance.

============BEGIN===============
# windbg-style aliases for gdb. Note that p, r, t, k and u shadow gdb's own
# abbreviations (print, run, thread, kill, until); use the full gdb command
# names when you need those.
set disassembly-flavor intel
# TUI layouts; these only work when gdb was built with TUI support
layout asm
layout regs

define kv
bt
end

define k
bt
end

define g
c
end

define t
stepi
end

define p
nexti
end

define lm
info sharedlibrary
end

define lmvm
info files
end

# bp <location>
define bp
break $arg0
end

# ba <expr>: windbg's break-on-access; gdb's equivalent is an access
# watchpoint, not a code breakpoint
define ba
awatch $arg0
end

define bl
info breakpoints
end

# bd/be/bc take the breakpoint number from "bl"
define bd
disable $arg0
end

define be
enable $arg0
end

# windbg's bc clears by number; gdb's "clear" takes a location, "delete" a number
define bc
delete $arg0
end

define r
info registers
end

# u <address>: unassemble a run of instructions rather than a single one
define u
x/10i $arg0
end
============END===============

Wednesday, January 4, 2017

Building Webkit on Windows

https://webkit.org/webkit-on-windows/#installing-developer-tools

Follow this. But make sure you install all the dependent tools at the root of C: with no spaces in the path. For whatever reason the build fails hard if there are spaces in the path. WTH!!! Pay attention during your installs to make sure they don't install to "Program Files". Doing this will enable you to curse much less than normal and will give you some source to audit for a browser that normally runs on iOS or macOS. Unholy I know. :)

Tuesday, December 29, 2015

windbg - Dumping a dll from a debugged process to disk

http://stackoverflow.com/a/1644723
http://blogs.msdn.com/b/debuggingtoolbox/archive/2009/09/23/special-command-saving-modules-using-writemem.aspx

I found this useful when looking at an application that didn't have the dll on the file system for some reason. This was for the newest build of an application I was taking apart, and I found it weird, so I had to resort to the debugger.

Worst case, if you wanna just IDA, just do a memory snapshot with IDA when attached to the app you're working with.

Hope this helps someone.

Friday, December 25, 2015

Commands for clones and snapshots with free ESXi

http://blog-lrivallain.rhcloud.com/2015/02/26/play-vm-snapshots-esxi-command-line-tools/

It's been a while. But I now have 2 ESXi boxes at the house. This is useful for those folks that want to clone and linked clone on the free version.