
December 31, 2005

Windows WMF Metafile Vulnerability HotFix

This week a new vulnerability was found in Windows:

http://www.microsoft.com/technet/security/advisory/912840.mspx

Browsing the web was not safe anymore, regardless of the browser. Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix - I badly needed it.

The fix does not remove any functionality from the system, all pictures will continue to be visible. You can download it here:

http://www.hexblog.com/security/files/wmffix_hexblog14.exe

It should work for Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003.

Technical details: this is a DLL which gets injected to all processes loading user32.dll.
It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore.

I can imagine situations when this sequence is useful. My patch completely disables this escape sequence, so please be careful. However, with the fix installed, I can browse files, print them and do other things.
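As an added example (not part of the hotfix, whose own source is in the download): a file-level complement to the Escape() patch, written in C, that walks the records of a WMF file and counts META_ESCAPE records whose escape function is SETABORTPROC, the sequence the hotfix refuses. Record layout and constants follow the WMF format (META_ESCAPE = 0x0626, SETABORTPROC = 9); the sample file is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>

/* WMF constants (WMF specification / wingdi.h). */
#define WMF_PLACEABLE_KEY 0x9AC6CDD7u   /* optional 22-byte placeable header */
#define WMF_HEADER_BYTES  18            /* standard METAHEADER: 9 words */
#define META_ESCAPE       0x0626
#define META_EOF          0x0000
#define SETABORTPROC      9             /* the escape the hotfix refuses */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk the record list and count META_ESCAPE records whose escape function is
 * SETABORTPROC. Returns the count, or -1 if the file is malformed or truncated
 * (no META_EOF reached), which a scanner should also treat as suspicious. */
int count_setabortproc(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int hits = 0;
    if (len >= 22 && rd32(buf) == WMF_PLACEABLE_KEY) off = 22;
    if (len < off + WMF_HEADER_BYTES) return -1;
    if (rd16(buf + off + 2) != 9) return -1;          /* HeaderSize is always 9 words */
    off += WMF_HEADER_BYTES;
    while (off + 6 <= len) {
        uint32_t size_words = rd32(buf + off);        /* record size in 16-bit words */
        uint16_t func = rd16(buf + off + 4);
        if (size_words < 3 || size_words > (len - off) / 2) return -1;  /* runs past buffer */
        if (func == META_EOF) return hits;
        if (func == META_ESCAPE && size_words >= 4 && rd16(buf + off + 6) == SETABORTPROC)
            hits++;
        off += (size_t)size_words * 2;
    }
    return -1;
}

/* Constructed sample: header, optionally one empty SETABORTPROC escape record, then EOF. */
static uint8_t g_wmf[64];
static size_t put16(size_t off, uint16_t v) { g_wmf[off] = v & 0xFF; g_wmf[off + 1] = v >> 8; return off + 2; }
static size_t put32(size_t off, uint32_t v) { put16(off, v & 0xFFFF); return put16(off + 2, v >> 16); }

size_t build_sample(int with_abortproc) {
    size_t o = 0;
    o = put16(o, 1); o = put16(o, 9); o = put16(o, 0x0300);               /* Type, HeaderSize, Version */
    o = put32(o, 0); o = put16(o, 0); o = put32(o, 5); o = put16(o, 0);   /* Size, Objects, MaxRecord, Members */
    if (with_abortproc) {                 /* META_ESCAPE, 5 words, SETABORTPROC, 0 data bytes */
        o = put32(o, 5); o = put16(o, META_ESCAPE); o = put16(o, SETABORTPROC); o = put16(o, 0);
    }
    o = put32(o, 3); o = put16(o, META_EOF);    /* EOF record */
    put32(6, (uint32_t)(o / 2));                /* patch the Size field (file size in words) */
    return o;
}
```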

If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as "Windows WMF Metafile Vulnerability HotFix". I'd like to know which programs are crippled by the fix, so please tell me.

I recommend that you uninstall this fix and use the official patch from Microsoft as soon as it is available.

The fix can be applied in the automatic mode using the following command line:

wmffix_hexblog14.exe /VERYSILENT /SUPPRESSMSGBOXES

These switches do not suppress dialog boxes about installation errors.
The /LOG="file" switch can be added to the command line to create a log file.

The usual software disclaimer applies...

File: wmffix_hexblog14.exe (the source code is included)

UPD: more error checking
UPD: Version 1.1 with Win2000 support
UPD: Version 1.2: if the hotfix has already been applied to the system, inform the user at the second installation attempt.
UPD: Version 1.3: added support for Windows 2000 SP4
UPD: added information about silent mode
UPD: comments are turned off; a discussion forum is available here
UPD: Version 1.4: completely silent mode, suitable for use in scripts (see this entry for more details)

There is no need to reinstall anything!
Old hotfixes are perfectly ok.

December 21, 2005

The longest arithmetic operation

So far this is the absolute record for the binary size of one division/remainder/multiplication operation:

35 instructions, 87 bytes of code just to calculate a remainder of division by 2:

long long smod(long long x) { return x % 2; }

(compiled by gcc 3.4.4)
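To see what those 35 instructions have to implement, here is an added example (not from the post): the same signed remainder written with only 32-bit pieces, as a 32-bit build has to compute it, checked against the compiler's own result.

```c
#include <limits.h>
#include <stdint.h>

/* The post's one-liner, unchanged. */
long long smod(long long x) { return x % 2; }

/* The same remainder using only 32-bit pieces. C truncates toward zero, so the
 * result must be -1 for negative odd values, not 1: that sign fix-up, plus
 * assembling a 64-bit result from two registers, is what the compiler spells out. */
long long smod_split(long long x) {
    uint32_t lo = (uint32_t)x;          /* low half holds the parity bit */
    int negative = (x < 0);             /* sign lives in the high half */
    long long r = (long long)(lo & 1);
    return (negative && r) ? -1 : r;
}

/* Unsigned needs no fix-up at all: it really is a single AND. */
unsigned long long umod(unsigned long long x) { return x & 1; }

/* 1 if the hand-written version agrees with the compiler on every sample value. */
int smod_split_matches(void) {
    const long long samples[] = { 0, 1, -1, 2, -2, 3, -3, LLONG_MAX, LLONG_MIN, -0x100000001LL };
    for (int i = 0; i < (int)(sizeof samples / sizeof samples[0]); i++)
        if (smod(samples[i]) != smod_split(samples[i])) return 0;
    return 1;
}
```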

Anyone to come up with a longer single arithmetic operation?

December 20, 2005

Tracing exception handlers

Suppose our goal is to dissect a new program. The ultimate method of analysis is single stepping the program of interest. Each executed instruction must be single stepped at least once so we won't miss anything important.

Single stepping is generally easy, but if the program uses SEH exceptions to hide its logic, it becomes more difficult. It is not obvious from the listing where the exception handler resides and what it will do. All we get when an exception happens is its name and some additional information like the current EIP. Luckily the debugger gets the exception notifications before the application, and we can pass the exception to the application or mask it at will.

Since we do not want to disturb the program behavior we will pass all exceptions to the application:

Do NOT press Yes if you want to single step the exception handler. We will need to set an additional breakpoint at the beginning of the exception handler and get control as soon as the system executes it. For that we will start with the Task Information Block. It has a dedicated segment (press Ctrl-S to open this window, see TIB in the segment name):

Let's convert the first dword of this segment to an offset (press O):

and follow it by pressing Enter. We will find another dword at the target address. It contains another offset in its turn. This sequence of dwords is part of the exception handler chain. After each dword there is a pointer to an exception handler. We will pick the first exception handler since it will get control:

We found the exception handler and can put a breakpoint at it. After that we can press F9, pass the exception to the application, and continue single stepping at the handler:

That's how we get into an exception handler. Now let's consider the problem of returning to the 'normal' application execution from it.

If we single step through the whole exception handler and it finishes its work, we will find ourselves in ntdll.dll. We do not want to single step the system kernel; it is much faster to skip it and continue in our program. The NtContinue() function is used to resume the execution. It looks like this:

Single stepping this function would not work and we would lose control! The call gate would let the program run at full speed.

We need to find out the EIP which will be assigned to the program by the system and put a breakpoint there.

The NtContinue() function takes one parameter - the process context structure. This structure contains the values of all processor registers to be used after the exception. The EIP register is also present in this structure.

Let's open the structures window (Ctrl-F9) and insert (Ins) a new structure called CONTEXT:

IDA knows about this structure and will complete the definition for us.

The next step is to apply the context structure to the address pointed to by the parameter of NtContinue():

Now the new EIP is visible and clearly commented. We only need to put a breakpoint at it and press F9 to return to our application from the exception handler.

This is how we return from an exception handler.

We learned how to get into an exception handler and return from it. By the way, when we return, we could check the processor registers and if the application has thrashed some of them (thrashed hardware debug registers?) we could restore them. Also, when we enter the exception handler, we could erase the debug register values so that the application can not check them to detect the debugger.

Ah yes, almost forgot to tell you: these actions can be automated and hooked to a hotkey.... Nice plugin idea, isn't it? :)
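The chain walk and the CONTEXT lookup above, written out as an added C example (not from the post and not IDA plugin code): it runs over a constructed in-memory image whose addresses are all made up, using the real layout of an SEH registration record ({next, handler}, chain terminated by -1) and of the x86 CONTEXT structure (Eip at 0xB8, debug registers at 0x04..0x18), so the same logic is what a plugin would automate.

```c
#include <stdint.h>
#include <string.h>

/* Constructed flat "process memory" image for the walk described above; offsets stand in
 * for 32-bit virtual addresses and every value in it is made up. 0x000 holds the TIB
 * (first dword = head of the SEH chain, fs:[0]), 0x100 and 0x200 hold two {next, handler}
 * records, and 0x300 holds the CONTEXT structure passed to NtContinue(). */
#define MEM_SIZE      0x400
#define SEH_CHAIN_END 0xFFFFFFFFu   /* next-pointer of the last record in the chain */
#define CTX_DR0       0x04          /* x86 CONTEXT: Dr0,Dr1,Dr2,Dr3,Dr6,Dr7 at 0x04..0x18 */
#define CTX_DR7       0x18
#define CTX_EIP       0xB8          /* x86 CONTEXT.Eip */

static uint8_t  g_mem[MEM_SIZE];
static uint32_t g_handlers[8];
static uint32_t rd32(uint32_t a) {          /* little-endian dword read */
    return g_mem[a] | g_mem[a + 1] << 8 | g_mem[a + 2] << 16 | (uint32_t)g_mem[a + 3] << 24;
}
static void wr32(uint32_t a, uint32_t v) { for (int i = 0; i < 4; i++) g_mem[a + i] = (uint8_t)(v >> 8 * i); }

/* Follow TIB+0 -> record -> next ... as done by hand in the post. Each record is {next,
 * handler}. Returns the number of handlers collected, or -1 on a link outside memory. */
int walk_seh_chain(uint32_t tib, uint32_t *out, int max) {
    int n = 0;
    uint32_t rec = rd32(tib);
    while (rec != SEH_CHAIN_END && n < max) {
        if (rec > MEM_SIZE - 8) return -1;
        out[n++] = rd32(rec + 4);            /* handler sits right after the link */
        rec = rd32(rec);
    }
    return n;
}

/* The EIP that NtContinue() will load, i.e. where the "return" breakpoint goes. */
uint32_t context_eip(uint32_t ctx) { return rd32(ctx + CTX_EIP); }

/* 1 if the saved context still carries hardware breakpoints in Dr0-Dr3, Dr6 or Dr7. */
int context_debug_regs_armed(uint32_t ctx) {
    for (uint32_t a = CTX_DR0; a <= CTX_DR7; a += 4)
        if (rd32(ctx + a) != 0) return 1;
    return 0;
}

void build_sample(void) {
    memset(g_mem, 0, sizeof g_mem);
    wr32(0x000, 0x100);                                  /* fs:[0] -> first record */
    wr32(0x100, 0x200);         wr32(0x104, 0x00401000); /* record 1: next, handler */
    wr32(0x200, SEH_CHAIN_END); wr32(0x204, 0x00402000); /* record 2: last in chain */
    wr32(0x300 + CTX_EIP, 0x00401234);                   /* resume address after NtContinue */
    wr32(0x300 + CTX_DR7, 0x00000001);                   /* one hw breakpoint still enabled */
}
```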

December 11, 2005

The unispector

How do you spell "I love you" in Greek?...

In IDA Pro you can create unicode strings. They are displayed nicely in the listing as long as they use the Latin script:

But for any unicode string with Kanji characters, Cyrillic, or any other non-trivial script, the listing looks like gibberish:

This is not much better than a hexadecimal dump. Alas, IDA can not display non-Latin unicode characters in the listing.

I created a sample program to illustrate the point. It displays "I love you" in many languages. Please note that the language selection is somewhat arbitrary :) Some of the phrases were found in forums. Many phrases were copied from this great site.

Here is how the program looks on the screen:

(please tell me if you find any errors in the text)

What our plugin will do: it will retrieve the current unicode string from the database and display it on the screen. Very simple, isn't it? Since the IDA API cannot be used for this, we will have to create our own window with an edit control and display the string there. We will use regular Windows functions like CreateWindow and SetWindowText to display the string. The plugin and its source code can be downloaded here.

Here is the result of the plugin:

When we move the cursor from one string to another, the window contents are refreshed:

In the ideal world the string contents would be displayed right in the listing and our plugin would not be necessary. This is a possible future improvement for IDA but it is quite laborious to add true unicode support (please do not hold your breath).


The same idea can be used for many other things. A plugin could display, for example, PE files resources and render bitmaps or dialog boxes in a dedicated window. We could also use a window to display graphs or charts of any type. Or we could open a window and display the result of our own analysis, say, in the spectral form :)

While this plugin uses bare Windows API, I'm sure that the MFC library as well as .Net (or Java based interface) can be used too. There are so many things one can do with a plugin!

Here are the source files and binaries:
Sample file
Unispector plugin