Packinging Apps into Single Files

Tuesday, May 9, 2017

One of the hallmarks of easy-to-use tools is simple installation, preferably no installation at all. The classic example is the Sysinternals tools. Each tool is a single executable, self contained, and can be run from anywhere, including network shares and web locations. These tools have no dependencies (except for built-in Windows DLLs), or so it seems. One canonical example is Process Explorer that hides within it two binaries. The first is a kernel driver, used to extract information from the system that cannot be done from user mode (such as reading values of kernel variables), and the other is a 64...
tags: , , , ,
no comments

Enhanced GFlags Tool

Monday, April 3, 2017

The well-known GFlags tool, part of the Debugging tools for Windows package allows manipulating a 32-bit flags value maintained by the kernel and per-process. Strictly speaking, Gflags allows changing more than just these flags, such as adding the Debugger value to an image file entry that indicates which executable should be activated whenever the original image is executed. GFlags has a crude user interface that has not been updated for ages. The first annoyance with its UI is the lack of a minimize button. Here's a screenshot: The tool provides a way to change flags for three...
no comments

Monitoring ALPC Messages

Sunday, February 12, 2017

The Advanced (or Asynchronous if you prefer) Local Procedure Calls (ALPC) is the internal communication mechanism Windows components use as an inter-process communication (IPC) mechanism for message exchange. Conceptually, it's similar in principle to Remote Procedure Calls (RPC), with client and server ports, but does not use any networking, and is optimized for different message sizes. ALPC messages can reveal the hidden communication between various processes that are almost invisible otherwise. Conceptually, hooking ALPC messages is possible but not easy. First, the user mode and kernel mode APIs are undocumented. Second, hooking would likely involve all processes for which...
no comments

MEF Tip: Initializing Objects

Monday, December 5, 2016

I like MEF. Maybe it's because of the default way MEF binds – using custom attributes; I like the declarative nature of attributes. Anyway, MEF exports declare their dependencies through the Import attribute. Here is a simple class export that has some imports:class AppManager {         ILogger _logger;         IFileService _fileService;     public AppManager() {        _logger.LogMessage("AppManager created");    }     public void DoWork() {        var filename = _fileService.GetFileForOpen();        if (filename == null)            return;         _logger.LogMessage("Opening file...");         var lines = File.ReadAllLines(filename);        _logger.LogMessage("Reading done.");         Console.WriteLine($"Read {lines.Length} lines of text.");    }} The AppManager class has two dependencies – an ILogger implementation and...
no comments

NTFS Alternate Streams

Thursday, October 13, 2016

A little known feature of the NTFS file system is the ability to add “streams”, which are much like files, but hidden within a “normal” file. This can serve as a way to add custom metadata to a file without any standard tool noticing – the file size reported by standard APIs does not change, even though the added streams consume disk space. This is also a possible technique for malware to hide literally “in plain sight”, as these streams can be added to any file (PE or not), without anything looking suspicious with most standard tools. To create...
no comments

BgInfo – WPF Style

Sunday, August 28, 2016

The well-known BgInfo Sysinternals tool can be used to display on the desktop a configurable set of information items regarding the system, such as physical memory size, CPU type, machine name, domain, volumes, network information and much more. BgInfo writes "its thing" on the desktop by replacing the wallpaper with a custom one that can be simply a layering over the user selected one, or configured with some color or image, etc. Once BgInfo sets the wallpaper, it exits. Just for fun, I wanted to create a similar tool, but take a different approach. Changing the wallpaper is a cool approach,...

PE Explorer (Work in progress)

Saturday, July 16, 2016

The other day I wanted to take a look at a DLL file and see its imports, exports, resources and other interesting information. There are several tools out there that show part of this information, some of which are not free, so I thought why not create a Portable Executable (PE) Viewer for myself? If nothing else, at least to gain a better understanding of the PE format. The PE format is called "Portable" because it's not essentially tied to Windows and can represent files on any OS. The format has evolved over the years but still retains its backwards...
no comments

Tip for using static in C# 6

Friday, January 1, 2016

One of the new features introduced in C# 6 is the "using static" keyword that is aimed at simplifying repeated access to static members of a particular class. A classic example is using Console.WriteLine a lot. In this case it can be simplified. Instead of: class Program {    static void Main(string args) {        Console.WriteLine("Hello, world!");        Console.WriteLine("This is C# 6 in action!");    }}  We can write: using static System.Console; class Program {    static void Main(string args) {        WriteLine("Hello, world!");        WriteLine("This is C# 6 in action!");    }}  Another common example might be using a lot of math calculations with the static methods of the System.Math class. Here's some method calculating points along the circumference of a circle: static IEnumerable<Point> CalcPoints(double radius, int count) {    for(int i = 0; i < count; i++) {        var x = radius * Math.Cos(2 * Math.PI * i / count);        var y = radius * Math.Sin(2 * Math.PI * i / count);        yield return new Point(x, y);    }}  All that Math stuff can be simplified like so: using static System.Math; … static IEnumerable<Point> CalcPoints(double radius, int count) {    for(int i = 0; i < count; i++) {        var x = radius * Cos(2 * PI * i / count);        var y = radius * Sin(2 * PI * i / count);        yield return new Point(x, y);    }}  Certainly convenient. One feature that is still missing, in my humble opinion, is allowing "using static"...
one comment

The many ways of getting process information

Sunday, November 29, 2015

Processes are one of the most fundamental building blocks in Windows (and most other operating systems for that matter, even if the term is differently named). These are management objects, managing various resources such as memory and handles, to be used by actual executing threads within that process. Various tools, such as Task Manager and Process Explorer show information about processes, but how can we get that information programmatically? At first, it seems rather easy. If we’re working in .NET, then all we have to do is call the static Process.GetProcesses method and receive back an array of...
no comments

Launching Windows Store Apps Programmatically

Saturday, October 24, 2015

Windows Apps (a.k.a. Store apps or Metro apps) run in a dedicated sandbox, providing “extra protection” from outside apps and OS as opposed to classic Windows applications. One consequence of this is that launching a Windows App using a classic CreateProcess call will generally fail. For example, if we run the Weather app that comes with Windows and look at the command line that was used to start the process (e.g. using Task Manager or Process Explorer), this is what we see: "C:\Program Files\WindowsApps\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe"      -ServerName:App.AppX2m6wj6jceb8yq7ppx1b3drf7yy51ha6f.mca Clearly, there...