среда, 26 сентября 2012 г.

EmProviderRegister/EmpProviderRegister callbacks

This two exported functions were introduces in vista and totally undocumented. I`ll show how to dump all installed Emp callbacks here.

Check first how they used - for example in apci.sys:

    push offset _AcpiEmProviderHandle
    push 2 ; arg4
    push offset _CallbackReg ; arg3
    push 2 ; arg2
    push offset _EntryReg ; arg1
    push [ebp+arg_0]
    call _EmProviderRegister


Clear enough - arg1 is pointer to some EmpEntries, arg2 is size of EmpEntries, arg3 is pointer to EmpCallbacks and arg4 is size of EmpCallbacks. Last arg returns registered HANDLE. Lets check how EmpEntries & EmpCallbacks look:

вторник, 25 сентября 2012 г.

wincheck rc8.25

Download mirror
Changelog:
  • add some initial support of windows server 2012 rtm
  • add -wnf option to show WNF notifiers
  • some bugs was fixed

Common Lisp: A Gentle Introduction to Symbolic Computation

I finished reading this old (1989 !) but still cool book today. It is not so funny as "Land of Lisp" but it  has code to play tic-tac-toe ! And I am really impressed bcs "classical" recursive factorial function was introduced only in the middle of books at page 237

I am not crazy enough to use emacs so for all code samples and exercises I used LispIDE and ecl. It seems that this combination is not officially supported but it works fine - you just need to choose right ecl2.exe in Settings->Set Lisp path menu. The only drawback is that DOCUMENTATION function doesn`t work in my ecl version

суббота, 22 сентября 2012 г.

IDA loader of .dcu files from XE3

Download mirror
It seems that xe3 has only minor changes - when I just add correct signatures I got only 352 badly parsed .dcu files from total 1521 !
x64 debug versions are not supported
Also it would be cool if next version of delphi has version ΧΞΣ, he-he

среда, 19 сентября 2012 г.

C++ Programming Language (4th Edition) - wtf ?

March 25, 2013
 Extensively rewritten to present the C++11 language
1040 pages. prooflink.
Previous edition also had 1040 pages. I just cannot imagine how it is possibly.

bug in "The Algorithm Design Manual", Second Edition ?

Сitation from subchapter 8.7.2 When are Dynamic Programming Algorithms Efficient? on page 315:
Let LP' [i, j, S] denote the longest simple path from i to j, where the intermediate vertices on this path are exactly those in the subset S. Thus, if S = {a, b, c}, there are exactly six paths
consistent with S: iabcj, iacbj, ibacj, ibcaj, icabj, and icbaj. This state space is at most 2**n, and thus smaller than enumerating the paths
Wait, if this is exponent we must have 2 ** 3 = 8 paths. But actually this is factorial ! Why Skiena claims that this is exponent ?

пятница, 14 сентября 2012 г.

WNF notifiers

It seems that windows 8 has some new (undocumented as usually) mechanism to call user-mode code from kernel - WNF
There are several new exported functions in ntdll.dll related to it:
  • RtlAllocateWnfSerializationGroup
  • RtlEqualWnfChangeStamps
  • RtlPublishWnfStateData
  • RtlQueryWnfMetaNotification
  • RtlQueryWnfStateData
  • RtlQueryWnfStateDataWithExplicitScope
  • RtlRegisterForWnfMetaNotification
  • RtlSubscribeWnfStateChangeNotification
  • RtlTestAndPublishWnfStateData
  • RtlUnsubscribeWnfNotificationWaitForCompletion
  • RtlUnsubscribeWnfNotificationWithCompletionCallback
  • RtlUnsubscribeWnfStateChangeNotification
  • RtlWaitForWnfMetaNotification
  • RtlWnfCompareChangeStamp
  • RtlWnfDllUnloadCallback
  • RtlpWnfNotificationThread - this one really called from kernel mode
Also several new functions in SSDT:
  • NtWaitForWnfNotifications
  • NtUnsubscribeWnfStateChange
  • NtUpdateWnfStateData
  • NtSubscribeWnfStateChange
  • NtQueryWnfStateData
  • NtQueryWnfStateNameInformation 
  • NtDeleteWnfStateName
  • NtDeleteWnfStateData
  • NtCreateWnfStateName
I`ll describe here only user-mode structure which holds pointers to notifiers

понедельник, 10 сентября 2012 г.

wincheck rc8.24

Download
Changelog:
  • update udis86 with lots of new intructions
  • -k option now able to correctly kill "critical processes" (there are too many smarties around who use RtlSetProcessIsCritical)
  • add dumping of debug port for each process
  • add dumping of ntdll!g_dwLastErrorToBreakOn
  • some bugs was fixed

суббота, 8 сентября 2012 г.

AVX structure

It seems that AVX has crazy structure. Obvious first step is order on opcode byte. Then for each opcode we need yet 4 tables for pp. Next for 66 prefix we need yet 3 tables for 0f, 0f38 & 0f3a. And anyway we have ambiguity:
  • for W field: vmovd - 128.W0 vs vmovq - 128.W1
  • for vvvv field: vmovss - NDS.LIG.WIG vs vmovss - LIG.WIG
  • for L field: vzeroall - 256.WIG vs vzeroupper - 128.WIG
Wrote simple perl script for instructions parsing and simple ordering

среда, 5 сентября 2012 г.

Gray Hat Python

I have finished reading of this slim book and I am really disappointed:
  • python sucks. The only reasons why I am still using it are NetworkX and PyKd
  • CreateRemoteThread doesn`t work since vista times and I am sure this was known in 2009. Actually whole book is full of such little irritating things which just don`t work
  • Immunity debugger & idapython were described very laconically
  • PyEmu is sooooo sloooooow...
[sarcasm mode on]
Why we still don`t have excellent books like "gray hat assembler", "bloody and dirty perl" or "haskell quantum physics lean and mean for dummies in 24 hours" ?
[sarcasm mode off]

    вторник, 4 сентября 2012 г.

    udis86 update

    I added today support for tzcnt + new code page for 0f 7a opcodes from sse5a:
    • frczps
    • frczpd
    • frczss
    • frczsd
    • cvtph2ps
    • cvtps2ph
    • phaddbw
    • phaddbd
    • phaddbq
    • phaddwd
    • phaddwq
    • phadddq
    • phaddubw
    • phaddubd
    • phaddubq
    • phadduwd
    • phadduwq
    • phaddudq
    • phsubbw
    • phsubwd
    • phsubdq
    New version can be downloaded here