0xBAADF00D

Where good things happen to bad code…

Mar 28, 2012

console

One of my first posts to this blog involved modifying the Windows command line to make it a bit more friendly to work with. Well it has been a long time since that post and I’ve decided to revisit the topic because I’ve since refined my command line experience.

Some people who need to do a lot of command line work in Windows choose to run Cygwin and bash, but that unfortunately is not an option for me, so I’ve thrown together a bunch of open-source and freeware utilities to make the environment a bit more pleasant to work with.

Here are the goods:

Console, which is a Windows console replacement that hides the actual cmd console window and pipes all input/output into a multi-tabbed interface that supports things like copy on select and Ctrl+C/Ctrl+V copy and paste, among other things. Trust me, if you spend a lot of time in the Windows console you want this.

If you are going to be using Console, then I highly recommend getting a decent font for it. I personally prefer DejaVu Sans Mono 9pt, which you can get here.

I also prefer Linux-style font smoothing over the Windows default and have been using MacType to change the Windows font rasterizer; you can find more information here.

The last thing is a control code interpreter for cmd.exe, like we used to have in the old days with ANSI.SYS. ANSICON is a great little application that does just that. Without it (or another ANSI-aware console) cmd.exe prints the $E sequences below as garbage instead of interpreting them.

So now what…:

I still like the content of my command prompt with the line separated path info and input line, but it would be nice to have a visible separator between command inputs so I can quickly tell what the output was from the last command run. I decided on a clean blue line that stretches across the screen with green text. I tried a lot of color combinations and this one seemed the easiest on the eyes.

$E[s$E[K$E[44m$E[5C.$E[K$E[u$E[44m$E[1m$E[32m[$T$H$H$H$H$H$H]$E[44m:$M:$E[44m[$P]$E[40m$E[33m$_:$E[37m

Ok lets break this down…

$E represents the escape character (ESC), which introduces an ANSI control sequence, so every time you see $E you know a control code is next. Everything else is an ordinary PROMPT code or a literal character.

$E[s   Save the cursor position
$E[K   Clear from the cursor to the end of the line
$E[44m Set the background color to blue
$E[5C  Move the cursor forward 5 columns
.      Type a '.' character
$E[K   Clear from the cursor to the end of the line; the cleared cells take the current (blue) background, which is what paints the bar across the screen
$E[u   Restore the saved cursor position, so the prompt text is written over the bar
$E[44m Blue background (asserted again)
$E[1m  High intensity (bright) for the text that follows
$E[32m Green text (bright, because of the $E[1m above)
[      Type a '[' character
$T     Insert the time (HH:MM:SS.cc)
$H     Backspace: delete the previous character
$H     Delete character
$H     Delete character
$H     Delete character
$H     Delete character
$H     Delete character (six in all, removing the ':SS.cc' part of the time)
]      Type a ']' character
$E[44m Blue background
:      Type the ':' character
$M     Insert the remote name of the current drive if it is a mapped network drive (nothing for a local drive)
:      Type the ':' character
$E[44m Blue background
[      Type the '[' character
$P     Insert the current drive and path
]      Type the ']' character
$E[40m Black background
$E[33m Yellow text (still bright, since intensity was never reset)
$_     Insert a line break
:      Type the ':' character, which is the input prompt
$E[37m White text, so what you type shows up in white

So that is all there is to it. There is a lot more you can do with ANSI control codes; experiment and see what works for you.

Jan 31, 2011

I understand trying to protect your IP, I really do, but that understanding stops when it comes to making your users’ lives miserable. This is what Pinnacle Studio did to me for about half a day. Half a day I’ll never get back, and let me tell you, half a day at this point in my life is easily like a week of time from my 20s.

So the story goes like this… I got a bizarre series of questions from one of my good friends over IM. I went back and forth a few times and just kind of dismissed it. Two days later I had the exact same exchange and the bot filter in my head got tripped. This was definitely some kind of bot I was talking to. So I alerted him that his account may have been compromised and helped him scan his box to make sure nothing got past the no-pest strip. All was good. Then I decided to give my own system a shakedown just for good measure. It found the regular host of false-positive baddies that I have lying around for recovering passwords and the like, NirSoft and Sysinternals stuff.

The thing that got my attention was an apparent rootkit that was reported as critical and was known to spoof browser logins and steal passwords. Now I’m seriously paranoid about the security of my system and watch every process like a hawk, and I don’t really engage in any dangerous activities anyway, but since I’m paranoid I understand every system has its weakness and mine is no exception.

So I got out my trusty copy of Rootkit Revealer and let it chew on the system for a while, and wouldn’t you know it, it turned up the same set of registry keys as suspicious. The keys contained ‘embedded nulls’. From the Rootkit Revealer page:

Key name contains embedded nulls.
The Windows API treats key names as null-terminated strings, whereas the kernel treats them as counted strings. Thus, it is possible to create Registry keys that are visible to the operating system, yet only partially visible to Registry tools like Regedit. The RegHide sample code at Sysinternals demonstrates this technique, which is used by both malware and rootkits to hide Registry data. Use the Sysinternals RegDelNull utility to delete keys with embedded nulls.
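The check quoted above works by comparing two views of the same registry key. As an added illustration (not code from this post or from Sysinternals), here is a small offline model of that cross-view comparison in Python: the kernel enumerates key names as counted strings, a NUL-terminated API consumer such as Regedit truncates each name at its first embedded NUL, and a hooking rootkit can drop names from the API view entirely. The key names, the LicenseData suffix and the simulate_api_view helper are constructed for the example; nothing here reads a real registry.

```python
"""Cross-view registry diff, RootkitRevealer style, as an offline model.
Nothing here touches a real registry; KERNEL_VIEW is constructed sample data."""


def api_visible_name(kernel_name):
    """The Win32 registry API hands key names to callers as NUL-terminated
    strings, so a tool like Regedit sees only what precedes the first NUL."""
    nul = kernel_name.find("\0")
    return kernel_name if nul < 0 else kernel_name[:nul]


def simulate_api_view(kernel_names, hidden_by_hook=()):
    """Stand-in for enumerating the same parent key through RegEnumKeyEx:
    every name is truncated at its first NUL, and anything a hooking rootkit
    filters out (hidden_by_hook, an assumption for the example) never appears."""
    return [api_visible_name(n) for n in kernel_names if n not in hidden_by_hook]


def compare_views(kernel_names, api_names):
    """Report every kernel-visible key the API view truncates or omits.
    Returns a list of (kernel_name, reason) in kernel enumeration order."""
    findings = []
    api_set = set(api_names)
    for name in kernel_names:
        if "\0" in name:
            shown = api_visible_name(name)
            findings.append((name, f"embedded null; API tools show only {shown!r}"))
        elif name not in api_set:
            findings.append((name, "present in kernel view, missing from API view"))
    return findings


# Constructed sample: CLSID subkeys as the kernel would enumerate them. The
# GUIDs are placeholders, not the keys listed in the post.
KERNEL_VIEW = [
    "{00000000-0000-0000-0000-000000000001}",
    "{00000000-0000-0000-0000-000000000002}\0LicenseData",   # embedded NUL
    "{00000000-0000-0000-0000-000000000003}",
]
# The API view of the same parent, with the third key filtered by a (simulated) hook.
API_VIEW = simulate_api_view(KERNEL_VIEW,
                             hidden_by_hook={"{00000000-0000-0000-0000-000000000003}"})

if __name__ == "__main__":
    for name, reason in compare_views(KERNEL_VIEW, API_VIEW):
        print(f"{name!r}: {reason}")
```

The same idea generalises to any two views of one object (raw hive file versus live API, kernel file-system enumeration versus FindFirstFile); what makes the embedded-null case special is that the hidden key is not absent from the API view but truncated, so a naive set difference of names misses it.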

Here are the keys:

Details: HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}
Details: HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}
Details: HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}
Details: HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}
Details: HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}
Details: HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}
Details: HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}
Details: HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}
Details: HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}
Details: HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}
Details: HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}
Details: HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}

At this point a slowly burning panic set in, because like I said before, I have a healthy dose of paranoia. A single false positive is one thing, but two starts to give the reported incursion some weight..

Searching around the net just deepened the paranoia as more and more people reported all kinds of horrible things with the same registry keys. I still wasn’t 100% convinced this was a legitimate hit, something told me we could all have the same application installed, because the reports were so different in every case it seemed like the registry keys were the only thing that was the same. Then I stumbled on a forum post in the Spybot Search & Destroy forum. They found that Pinnacle Studio 9 was hiding registration/licensing information using those keys. So basically they were using rootkit methods for general use.

While some people might say that it is up to the detection software to filter out legitimate software from malicious software, I just don’t agree. This approach was a decision by Pinnacle, and not a decision that affected the quality of their software or contributed to a novel feature that gave me more return for my investment. All it did was make it easier for them to do something at the expense of my system. I just think there is something unethical about that behavior, and I’m not going to start some kind of online campaign. I’m just going to not give Pinnacle any more of my money and look for a competing product that does not muck about in my system’s internals to solve a problem they are having.

Jan 3, 2010

Recently I started having problems burning DVDs, specifically DVD-Rs at my burner’s max speed in Nero Burning ROM 6.6. The exact error I was getting was:

“Power calibration error”

I didn’t change my burning process, or the type of stuff I was backing up, and I didn’t change the media I normally use. So I just thought my burner was dirty, or was failing. It was going on somewhere near 5 years old and I use it a lot. Having it fail was a distinct possibility. So I started searching around the net and reading in forums to try to understand what could be causing the problem. It was looking more and more like hardware failure.

Then by chance I used ImgBurn, and I saw the following warning in the log:

“SPTD can have a detrimental effect on drive performance.”

So I decided to do some more digging and found out that SPTD stands for SCSI Pass-Through Direct, which is a device driver developed by Duplex Secure Ltd that provides a new method of access to storage devices. It is something used by Daemon Tools, which I had installed not too long ago to do some work with ISO images, and then promptly forgot about.

So I uninstalled Daemon Tools and tried to burn another disc. I was surprised to find that the burn failed again with the same error. I took a look in my registry, in the drivers section to see that SPTD was still installed and there was no clear way to remove it.

So it was back to searching through forums. I found a few posts that described messy manual ways of removing the driver from the system. The best way I found was to download the driver installer from: www.duplexsecure.com and then when prompted, click the ‘uninstall’ button.

After a reboot, no more problems burning DVDs at any speed or media format. What a long and painful road…

Nov 12, 2009

So I pretty much live on the command line in Windows ( cmd.exe ); call me old fashioned, but I like the power and flexibility. One thing that irritated me is that, by default, my input prompt keeps shifting right with the length of my directory tree and I have less and less room to enter my commands. What I really want is something that looks like this:

[9:46]::[C:\temp]
:

Where the colon ‘:’ is my input prompt and takes up very little room.

This can easily be accomplished with the PROMPT command in the command shell:

PROMPT [$T$H$H$H$H$H$H]:$M:[$P]$_:

What the above example says is: create a prompt that starts with the time, which looks like this:

11:19:15.24

Then $H, which is a backspace, is used six times to delete the last 6 characters, so we are left with:

11:19

The $M is just a nice-to-have feature that inserts the remote (UNC) name associated with the current drive when it is a mapped network drive, and nothing when the drive is local; the $P lists the current drive and path.

The last thing is the $_, which adds a carriage return and line feed, giving you the clean line to type your input on.

That’s all there is to it, you can use this page to add your own tweaks..
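Getting a PROMPT string right usually takes a few rounds of setting it and staring at the result, especially once the $E escapes from the March 2012 post above are mixed in. As an added example (not part of either post, and not a tool the posts mention), the following Python script models what cmd.exe writes for a PROMPT string and how an ANSI-aware console such as ANSICON would render it, so a prompt can be previewed offline. Everything about the screen model is an assumption: a fixed 40-column width, $H erasing the cell it backs over, and CSI K erasing with the current background colour. Only the $-codes and the CSI commands the two prompts use are modelled; the output shows both the plain prompt from this post and the blue-bar prompt from the later post.

```python
"""Model of how cmd.exe, with an ANSI-aware console such as ANSICON, renders a
PROMPT string, so a prompt can be previewed before it is set. Assumptions not
taken from the posts: the screen is `width` columns wide, $H erases the cell
it backs over, and CSI K erases with the current background colour. Only the
$-codes and CSI commands the two prompts use are modelled."""
import re
from datetime import datetime

ESC = "\x1b"
CSI_RE = re.compile(r"\x1b\[([0-9;]*)([A-Za-z])")


def expand_prompt(prompt, path=r"C:\temp", remote="", time_text=None):
    """Expand PROMPT $-codes into the raw character stream cmd.exe writes:
    $T -> HH:MM:SS.cc, $P -> drive and path, $M -> remote name of a network
    drive (empty for a local drive), $_ -> newline, $H -> backspace,
    $E -> ESC so the console's ANSI interpreter acts on what follows."""
    if time_text is None:
        now = datetime.now()
        time_text = now.strftime("%H:%M:%S.") + f"{now.microsecond // 10000:02d}"
    codes = {"T": time_text, "P": path, "N": path[:1], "M": remote,
             "_": "\n", "H": "\b", "E": ESC, "G": ">", "L": "<", "B": "|",
             "Q": "=", "A": "&", "C": "(", "F": ")", "S": " ", "$": "$"}
    out, i = [], 0
    while i < len(prompt):
        if prompt[i] == "$" and i + 1 < len(prompt):
            out.append(codes.get(prompt[i + 1].upper(), ""))  # unknown code: dropped
            i += 2
        else:
            out.append(prompt[i])
            i += 1
    return "".join(out)


def render(stream, width=40):
    """Replay the stream against a tiny screen model. Returns (text, bgs):
    the visible text of each line, and per cell the background colour digit
    (0 black ... 7 white) so the blue bar can be checked as well."""
    def blank():
        return [(" ", 0)] * width
    lines, row, col, bg, saved, i = [blank()], 0, 0, 0, (0, 0), 0
    while i < len(stream):
        m = CSI_RE.match(stream, i)
        if m:
            params, cmd = m.groups()
            nums = [int(p) for p in params.split(";") if p]
            if cmd == "s":                      # save cursor position
                saved = (row, col)
            elif cmd == "u":                    # restore cursor position
                row, col = saved
            elif cmd == "K":                    # erase to end of line with current bg
                for c in range(col, width):
                    lines[row][c] = (" ", bg)
            elif cmd == "C":                    # cursor forward n columns
                col = min(width - 1, col + (nums[0] if nums else 1))
            elif cmd == "m":                    # SGR: only the background is tracked
                for n in nums or [0]:
                    if n == 0:
                        bg = 0
                    elif 40 <= n <= 47:
                        bg = n - 40
            i = m.end()
            continue
        ch, i = stream[i], i + 1
        if ch == "\b":                          # $H: back up one cell and erase it
            if col > 0:
                col -= 1
                lines[row][col] = (" ", bg)
        elif ch == "\n":                        # $_: start a fresh line
            lines.append(blank())
            row, col = len(lines) - 1, 0
        else:
            if col >= width:                    # wrap when the path is long
                lines.append(blank())
                row, col = len(lines) - 1, 0
            lines[row][col] = (ch, bg)
            col += 1
    text = ["".join(c for c, _ in ln).rstrip() for ln in lines]
    bgs = ["".join(str(b) for _, b in ln) for ln in lines]
    return text, bgs


if __name__ == "__main__":
    plain = "[$T$H$H$H$H$H$H]:$M:[$P]$_:"
    ansi = ("$E[s$E[K$E[44m$E[5C.$E[K$E[u$E[44m$E[1m$E[32m[$T$H$H$H$H$H$H]"
            "$E[44m:$M:$E[44m[$P]$E[40m$E[33m$_:$E[37m")
    for p in (plain, ansi):
        text, bgs = render(expand_prompt(p, time_text="11:19:15.24"))
        print("\n".join(text), "\nline 1 backgrounds:", bgs[0])
```

Both prompts render the same visible text; the difference the model exposes is that in the blue-bar version every cell of the first line, including the cells past the path, carries background 4 (blue), while the input line is back to black. That is exactly the effect the later post describes, and it depends on the console's erase-to-end-of-line filling with the current background, which is why the same string prints as garbage in a console without an ANSI interpreter.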


Nov 4, 2009

While cleaning up my command line tools package DSToolBox I ran across a bug while upgrading to the latest release of TCLAP, which is a header-only template library for command line parsing.

One of the cooler aspects of the library is that it can handle all kinds of type conversions for you so you don’t have to worry about casting them yourself.

This feature is what caused the problem when compiling with the /Zc:wchar_t- compiler switch in VC8.

The switch sets the ‘Treat wchar_t as Built-In type’ option to ‘No’.

This is all well and good until we have two templates that resemble the example below:

// Explicit specialization for wchar_t...
template<>
struct ArgTraits<wchar_t> {
    typedef ValueLike ValueCategory;
};

// ...and another for unsigned short. With /Zc:wchar_t- these name the same type.
template<>
struct ArgTraits<unsigned short> {
    typedef ValueLike ValueCategory;
};

Since wchar_t is no longer treated as a built in type by the compiler, it falls back ( basically ) to:

typedef unsigned short wchar_t;

This causes the compiler to complain with:

error C2766: explicit specialization; 'ArgTraits<unsigned short>' has already been defined

Since we want the library to support both types when wchar_t really is a distinct type, we can use a built-in compiler define to #ifdef the wchar_t specialization out: MSVC defines _NATIVE_WCHAR_T_DEFINED only when wchar_t is treated as a native type (/Zc:wchar_t), so its absence tells us wchar_t is just a typedef for unsigned short:

// On MSVC, _NATIVE_WCHAR_T_DEFINED is present only with /Zc:wchar_t (native wchar_t).
// Without it, wchar_t is a typedef for unsigned short and the two specializations collide.
#ifdef _MSC_VER
    #ifndef _NATIVE_WCHAR_T_DEFINED
        #define TCLAP_DONT_DECLARE_WCHAR_T_ARGTRAITS
    #endif
#endif

#ifndef TCLAP_DONT_DECLARE_WCHAR_T_ARGTRAITS

// Only declared when wchar_t is a real, distinct type.
template<>
struct ArgTraits<wchar_t> {
    typedef ValueLike ValueCategory;
};

#endif

This way if wchar_t is a built in type we get both template specializations, but if it isn’t we only get one.

Nov 3, 2009

A few years ago I did some work adding text-to-speech capabilities to the WinFrotz2002 Inform interpreter by David Kinder, called, simply enough, WinFrotzTTS 2002. The visually impaired gaming community took an interest and I was suddenly in the position of doing support. So I thought the best thing to do was quickly put together a web site to manage all the support stuff, so people could share information and I could advertise a bit about the project.

Back then PHP-Nuke was the CMS to use, so that is what I installed, along with Gallery for screenshots and phpBB for forums.

Time passed and activity on the site dropped way off, to the point where the only thing really being used was the downloads.

I pretty much forgot about it, until the bots found the site and defeated the captcha. All of a sudden there were hundreds of new accounts along with thousands of comments and posts.

So I shut down registration and began my clean up.

Cleaning up the bogus accounts and forum posts was easy. It was a simple SQL statement in phpMyAdmin, and poof, they were all gone.

But the Gallery was a completely different story, and this is where the fun starts..

Gallery stores album info in flat files in your albums directory. In my case the file I was interested in was photos.dat. This contained all the comments for the 7 images I had posted. I could have deleted them with the admin interface, but there were close to 25k comments. Unfortunately the file was just the output of a PHP object serialization. I suppose I could have taken the time to do this elegantly with PHP, but I had about an hour to get it done and didn’t want to invest much to save a gallery with 7 images; I wanted a quick fix.

So here is what I did.

I brought the photos.dat file into the EditPlus editor and added new lines before and after every ‘{‘ and every ‘}’, otherwise it is next to impossible to read.

Next I looked for the start of a comments block:

s:8:"comments";

Then it is followed by the comments array:

a:1:{i:0;O:7:"Comment":5:{s:11:"commentText";s:31:"Just testing the comment system";s:10:"datePosted";i:1257276467;s:8:"IPNumber";s:14:"179.42.278.176";s:4:"name";s:9:" (user)";s:3:"UID";s:14:"none";}}

the a:1 says that the comment block is an array with one element, if there were 50 comments it would say a:50.

So the next thing I did was remove everything inside the array and set its size to 0. The empty array must keep the colon after the count, or PHP’s unserialize() will reject the file:

a:0:{}

Then I went to the next comment block in the file and did the same exact thing.

I then went back and removed the new lines from before and after the ‘{‘ and the ‘}’ so the text was all in one long line.

I copied the file back up to the server and presto, no more comments.

Hope that helps anyone in a similar situation.
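The hand edit above works because the file is PHP’s serialize() output, where every string carries its own byte length and every array and object carries its element count, so the only invariant you have to preserve is that each count matches what follows. As an added example (not code from this post or from Gallery), here is the “elegant” version the post skipped: a small Python parser and re-serializer for the value types a Gallery 1 .dat file uses, which empties every comments array wherever it sits and reports how many comments it removed. The file is handled as latin-1 so Python’s len() equals PHP’s byte length. SAMPLE_PHOTOS_DAT, the AlbumItem class name and the image property are constructed to resemble the post’s data and are not a real Gallery file.

```python
"""Parse a Gallery 1 photos.dat (PHP serialize() output), empty every
'comments' array and write it back out. Handles N, b, i, d, s, a and O.
Read and write the file as latin-1 so len() matches PHP's byte lengths.
SAMPLE_PHOTOS_DAT is constructed sample data, not a real Gallery file."""


class PHPArray:
    def __init__(self, items):
        self.items = items            # ordered list of (key, value)


class PHPObject:
    def __init__(self, cls, items):
        self.cls, self.items = cls, items   # class name, ordered (property, value)


def _parse(s, i):
    """Parse one value starting at s[i]; return (value, index just past it)."""
    t = s[i]
    if t == "N":                                          # N;
        return None, i + 2
    if t in "bid":                                        # b:1;  i:42;  d:1.5;
        end = s.index(";", i)
        raw = s[i + 2:end]
        return {"b": lambda r: r == "1", "i": int, "d": float}[t](raw), end + 1
    if t == "s":                                          # s:len:"bytes";
        colon = s.index(":", i + 2)
        n = int(s[i + 2:colon])
        start = colon + 2                                 # skip :"
        if s[start + n:start + n + 2] != '";':
            raise ValueError(f"string length mismatch at offset {i}")
        return s[start:start + n], start + n + 2          # skip ";
    if t in "aO":                                         # a:n:{...}  O:len:"Cls":n:{...}
        colon = s.index(":", i + 2)
        n = int(s[i + 2:colon])
        cls = None
        if t == "O":
            cls = s[colon + 2:colon + 2 + n]
            i = colon + 2 + n + 2                         # skip ":
            colon = s.index(":", i)
            n = int(s[i:colon])                           # property count
        i = colon + 2                                     # skip :{
        items = []
        for _ in range(n):
            k, i = _parse(s, i)
            v, i = _parse(s, i)
            items.append((k, v))
        if s[i] != "}":
            raise ValueError(f"expected '}}' at offset {i}")
        return (PHPArray(items) if cls is None else PHPObject(cls, items)), i + 1
    raise ValueError(f"unsupported type {t!r} at offset {i}")


def loads(text):
    value, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after serialized value")
    return value


def dumps(v):
    """Inverse of loads(). Floats use Python's repr, which can differ from
    PHP's serialize_precision output; Gallery's counters and dates are ints."""
    if v is None:
        return "N;"
    if isinstance(v, bool):
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, float):
        return f"d:{v!r};"
    if isinstance(v, str):
        return f's:{len(v)}:"{v}";'
    body = "".join(dumps(k) + dumps(x) for k, x in v.items)
    if isinstance(v, PHPArray):
        return f"a:{len(v.items)}:{{{body}}}"
    return f'O:{len(v.cls)}:"{v.cls}":{len(v.items)}:{{{body}}}'


def strip_comments(value):
    """Replace every 'comments' entry, at any depth, with an empty array
    (a:0:{}) and return the number of comments removed."""
    removed = 0
    if isinstance(value, (PHPArray, PHPObject)):
        for idx, (k, v) in enumerate(value.items):
            if k == "comments" and isinstance(v, PHPArray):
                removed += len(v.items)
                value.items[idx] = (k, PHPArray([]))
            else:
                removed += strip_comments(v)
    return removed


def clean_photos_dat(text):
    """Return (cleaned_text, comments_removed) for one photos.dat body."""
    value = loads(text)
    removed = strip_comments(value)
    return dumps(value), removed


# Constructed sample in the shape the post shows: one item carrying one comment.
SAMPLE_PHOTOS_DAT = (
    'a:1:{i:0;O:9:"AlbumItem":2:{s:5:"image";s:9:"photo.jpg";s:8:"comments";'
    'a:1:{i:0;O:7:"Comment":5:{s:11:"commentText";s:31:"Just testing the comment system";'
    's:10:"datePosted";i:1257276467;s:8:"IPNumber";s:9:"10.0.0.42";'
    's:4:"name";s:6:"(user)";s:3:"UID";s:4:"none";}}}}'
)

if __name__ == "__main__":
    cleaned, n = clean_photos_dat(SAMPLE_PHOTOS_DAT)
    print(cleaned)
    print(f"removed {n} comment(s)")
```

To run it against a real file, read photos.dat with encoding="latin-1", pass the text to clean_photos_dat(), and write the result back with the same encoding; the round trip dumps(loads(text)) == text is a cheap check that the parser understood the file before you overwrite anything.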
