Monitoring ALPC Messages

Sunday, February 12, 2017

Advanced Local Procedure Call (ALPC; the "A" is sometimes expanded as Asynchronous) is the internal inter-process communication (IPC) mechanism Windows components use to exchange messages. It is similar in principle to Remote Procedure Call (RPC), with client and server ports, but it does not involve any networking and is optimized for different message sizes. ALPC messages can reveal communication between processes that is otherwise almost invisible. Hooking ALPC messages is possible in principle, but not easy. First, both the user-mode and kernel-mode APIs are undocumented. Second, hooking would likely involve all processes for which...

NTFS Alternate Streams

Thursday, October 13, 2016

A little-known feature of the NTFS file system is the ability to add "streams", which are much like files but are hidden within a "normal" file. This can serve as a way to attach custom metadata to a file without most standard tools noticing: the file size reported by standard APIs (the size of the unnamed, primary data stream) does not change, even though the added streams consume disk space. This is also a technique malware can use to hide literally "in plain sight", since streams can be added to any file (PE or not) without anything looking suspicious in most standard tools. To create...
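The behaviour described above, as an added PowerShell example that is not code from the original post: it creates a named stream inside an ordinary text file, shows that the reported file size is unchanged, enumerates the streams the file actually carries, and runs a small sweep for files that hide named streams. The temporary file path and the stream name `payload` are arbitrary choices made for this example; it assumes a writable NTFS volume, since FAT and exFAT have no streams.

```powershell
# Added example, not part of the original post. Requires an NTFS volume.
$base = Join-Path $env:TEMP 'ads-demo.txt'   # arbitrary temp file for the demo
Set-Content -Path $base -Value 'visible content' -NoNewline

# Write a second, named stream ("payload" is an arbitrary name) into the same file.
Set-Content -Path $base -Stream 'payload' -Value 'hidden content most tools never show' -NoNewline

# The size standard APIs report is the size of the unnamed (primary) stream only,
# so it is the same before and after the stream was added.
(Get-Item $base).Length

# Enumerate every stream the file carries. ':$DATA' is the unnamed primary stream.
Get-Item -Path $base -Stream * | Select-Object Stream, Length

# Read the hidden stream back; a plain Get-Content only shows 'visible content'.
Get-Content -Path $base -Stream 'payload'

# Detection sweep: files under $Root that carry a named stream other than the
# Zone.Identifier "mark of the web" that browsers attach to downloads.
function Find-NamedStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
        } |
        Select-Object FileName, Stream, Length
}
Find-NamedStreams -Root $env:TEMP

# Remove only the hidden stream; the primary content is untouched.
Remove-Item -Path $base -Stream 'payload'
```

Two caveats worth knowing before relying on streams as "hidden": `dir /R` in cmd.exe and the Sysinternals `streams` tool list them, so the concealment only holds against tools that look at the primary stream alone, and copying a file to a non-NTFS volume (or sending it over most protocols) silently drops every named stream.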

BgInfo – WPF Style

Sunday, August 28, 2016

The well-known BgInfo Sysinternals tool displays a configurable set of information items about the system on the desktop, such as physical memory size, CPU type, machine name, domain, volumes, network information and much more. BgInfo draws its output by replacing the wallpaper with a custom one, which can simply be a layer over the user-selected wallpaper, or can be configured with a solid color or image. Once BgInfo sets the wallpaper, it exits. Just for fun, I wanted to create a similar tool that takes a different approach. Changing the wallpaper is a cool approach,...

PE Explorer (Work in progress)

Saturday, July 16, 2016

The other day I wanted to take a look at a DLL file and see its imports, exports, resources and other interesting information. There are several tools out there that show part of this information, some of which are not free, so I thought: why not create a Portable Executable (PE) viewer myself? If nothing else, I would gain a better understanding of the PE format. The format is called "Portable" because it is not inherently tied to Windows and can represent executable files on any OS. The format has evolved over the years but still retains its backwards...
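As an added example (not code from the post or from the PE Explorer project it describes), the following PowerShell function reads the parts of the PE format a viewer starts with: the DOS header's `e_lfanew` pointer, the `PE\0\0` signature, `IMAGE_FILE_HEADER`, the start of `IMAGE_OPTIONAL_HEADER` and the section table. It also pulls out the fields a security reviewer checks first (ASLR/DEP flags and sections that are both writable and executable). The offsets and flag values are those of the documented PE format; the function name and the `kernel32.dll` usage path are this example's own choices.

```powershell
# Added example, not part of the original post or of PE Explorer.
function Get-PeSummary {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) {
        throw "Not an MZ file: $Path"
    }
    # e_lfanew (DOS header offset 0x3C) points at the "PE\0\0" signature.
    $pe = [BitConverter]::ToInt32($b, 0x3C)
    if ($pe -le 0 -or $pe + 24 -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {
        throw "PE signature not found at e_lfanew: $Path"
    }

    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature.
    $fh              = $pe + 4
    $machine         = [BitConverter]::ToUInt16($b, $fh)        # 0x014C x86, 0x8664 x64, 0xAA64 ARM64
    $sectionCount    = [BitConverter]::ToUInt16($b, $fh + 2)
    $timestamp       = [BitConverter]::ToUInt32($b, $fh + 4)    # recent MS builds store a hash here, not a date
    $optSize         = [BitConverter]::ToUInt16($b, $fh + 16)
    $characteristics = [BitConverter]::ToUInt16($b, $fh + 18)

    # IMAGE_OPTIONAL_HEADER: magic 0x10B = PE32, 0x20B = PE32+ (64-bit).
    $oh         = $fh + 20
    $magic      = [BitConverter]::ToUInt16($b, $oh)
    $is64       = ($magic -eq 0x20B)
    $entryPoint = [BitConverter]::ToUInt32($b, $oh + 16)
    $imageBase  = if ($is64) { [BitConverter]::ToUInt64($b, $oh + 24) } else { [BitConverter]::ToUInt32($b, $oh + 28) }
    $dllChars   = [BitConverter]::ToUInt16($b, $oh + 70)        # same offset in PE32 and PE32+

    # Section headers are 40 bytes each and start right after the optional header.
    $sectTable = $oh + $optSize
    if ($sectTable + 40 * $sectionCount -gt $b.Length) { throw "Section table runs past end of file: $Path" }
    $IMAGE_SCN_MEM_EXECUTE = 536870912    # 0x20000000
    $IMAGE_SCN_MEM_WRITE   = 2147483648   # 0x80000000 (decimal literal keeps it a positive Int64)
    $sections = for ($i = 0; $i -lt $sectionCount; $i++) {
        $s     = $sectTable + 40 * $i
        $flags = [BitConverter]::ToUInt32($b, $s + 36)
        [pscustomobject]@{
            Name        = ([System.Text.Encoding]::ASCII.GetString($b, $s, 8)).TrimEnd([char]0)
            VirtualSize = [BitConverter]::ToUInt32($b, $s + 8)
            VirtualAddr = [BitConverter]::ToUInt32($b, $s + 12)
            RawSize     = [BitConverter]::ToUInt32($b, $s + 16)
            RawOffset   = [BitConverter]::ToUInt32($b, $s + 20)
            Execute     = [bool]($flags -band $IMAGE_SCN_MEM_EXECUTE)
            Write       = [bool]($flags -band $IMAGE_SCN_MEM_WRITE)
        }
    }

    [pscustomobject]@{
        Path          = $Path
        Machine       = ('0x{0:X4}' -f $machine)
        Is64Bit       = $is64
        IsDll         = [bool]($characteristics -band 0x2000)   # IMAGE_FILE_DLL
        TimeDateStamp = [DateTimeOffset]::FromUnixTimeSeconds($timestamp).UtcDateTime
        ImageBase     = ('0x{0:X}' -f $imageBase)
        EntryPointRva = ('0x{0:X}' -f $entryPoint)
        DynamicBase   = [bool]($dllChars -band 0x0040)          # ASLR opt-in
        NxCompat      = [bool]($dllChars -band 0x0100)          # DEP opt-in
        Sections      = $sections
        # A section that is both writable and executable is a classic packer or
        # self-modifying-code tell and should not appear in a normal compiler build.
        RwxSections   = @($sections | Where-Object { $_.Execute -and $_.Write } | ForEach-Object Name)
    }
}

# Usage (path is an example):
$info = Get-PeSummary -Path "$env:SystemRoot\System32\kernel32.dll"
$info | Format-List
$info.Sections | Format-Table -AutoSize
```

The import and export directories the post goes on to mention live in the data directory array right after the optional header fields shown here (index 0 is exports, index 1 imports); their entries are relative virtual addresses, so resolving them means mapping each RVA through the section table this function already builds. That mapping is also where a malformed file bites a naive viewer, which is why every offset above is bounds-checked before it is read.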

WPF Tip – Limiting the number of items in an ItemsControl

Sunday, May 29, 2016

This sounds simple: how do we limit the number of items in an ItemsControl or one of its derivatives, such as a DataGrid? The complication is that the DataGrid can be sorted, and perhaps filtered, through an ICollectionView. Let's say we have a DataGrid that shows a list of Process objects with some of their properties. Sorting comes practically for free: we just set the SortMemberPath of a DataGridColumn and the DataGrid takes care of the rest. Let's further assume we have a TextBox that allows filtering process objects by...

QSlice – WPF Style

Saturday, May 21, 2016

Old timers may be familiar with the Windows NT/2000 Resource Kit tool named QSlice, which shows the relative CPU consumption of processes graphically. QSlice can still be found floating around the web (the original post includes a screenshot). It still works on Windows 10 version 1511 ("Threshold 2"), but fails to launch properly on the latest builds of "Redstone 1" (the "Anniversary Update"). Regardless, I thought it was high time to create a modern sequel to QSlice, given that the original has a poor user interface: no sorting or filtering (it is always sorted by process ID). I created a WPF version of QSlice, complete with sorting...

How should the Next WPF Version Look Like?

Friday, June 26, 2015

Microsoft has announced the next WPF version as part of the new .NET 4.6. Hearing that WPF is back in development made me pretty happy; it was about time! A few months back, Microsoft started talking about what to expect in this update. Unfortunately, I was disappointed to see that there's really nothing new. The feature list is mostly performance enhancements (which should have been done a long time ago), interop with Direct3D 11/12 instead of Direct3D 9 (this was overdue as well), some improvements to the default control templates and...

Build 2015 Impressions

Saturday, May 2, 2015

The Build 2015 conference just ended. It was one of the most important Build/PDC conferences since those events began. Most (if not all) sessions are available on Channel 9, and even those who attended Build (myself included) saw only a fraction of the sessions, since there were about 10 of them in each time slot. For a good overview of the various announcements, with links to the important downloads, head to this post on the Visual Studio blog. What follows are my own impressions and opinions on some of what I experienced at this year's...

Data Binding for a WPF TreeView

Saturday, July 12, 2014

Although the Windows Runtime (WinRT) gets all the hype these days (in the Microsoft world at least), WPF is still in heavy use in the "desktop apps" space. To me, WPF is the inspiration for everything XAML-based that came after it, mainly Silverlight and WinRT. WinRT (and Silverlight before it) still plays catch-up to WPF's features (although WinRT has some nice features not present in the current version of WPF); there's even a "user voice" request asking to bring some of WPF's features to WinRT, such as multi-bindings, binding in style setters, data-typed...