whitequark,
@whitequark@mastodon.social

opening a random .dll in WinSxS in a disassembler just to feel something

whitequark,
@whitequark@mastodon.social

ok this worked, i have felt something

i'm not sure what but it's definitely a number of things

whitequark,
@whitequark@mastodon.social

i want a tool that lets you programmatically query the analysis database of every .dll on a windows machine to find out how an API is used

whitequark, (edited)
@whitequark@mastodon.social

have you ever looked at the implementation of the COM QueryInterface method after MSVC is done with it?

sanfierro,

@whitequark What's winapi and what's the difference with win32? Are those synonymous?

whitequark,
@whitequark@mastodon.social

@sanfierro win32 is the platform name in general. winapi is the, well, API, the programming interface

most people glean what is meant from the context anyways

whitequark,
@whitequark@mastodon.social

i have also discovered that wil exists, which is apparently an open source header-only library; it's used a lot in various system components https://github.com/microsoft/wil

it's basically a lightweight Win32 API wrapper for C++. it looks super useful

it does use exceptions, which is a somewhat questionable choice, though if it's good enough for system components it's good enough for me I guess?

resuna,
@resuna@ohai.social

@whitequark Just glancing at the documentation it looks like the exceptions are optional.

whitequark,
@whitequark@mastodon.social

@resuna yea I realized it after reading closer

whitequark,
@whitequark@mastodon.social

hey what the heck, this looks like a really useful trick to debug system processes that are launched by gods know what

whitequark, (edited)
@whitequark@mastodon.social

reverse engineering idea: a script that goes over every single dll in system32, examines them for registry access, and gives you a summary of registry keys accessed by each

whitequark,
@whitequark@mastodon.social

this is slightly complicated by the amount of completely bespoke registry access wrappers that microsoft has around

like this links wil which has wil::reg but uses something totally different
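An added example, not code from the thread: a Python first pass at the "summary of registry keys per DLL" script. Because the real call is usually buried under wrappers (wil::reg, bespoke helpers, whatever kernelbase does underneath), it does not try to locate call sites at all; it harvests the two kinds of evidence that survive wrapping, key paths stored as string literals (wide or narrow) and the names of the registry APIs present in the file (imports, exports, or strings passed to GetProcAddress). The API list, the key-path shapes and the sample blob are assumptions chosen for illustration.

```python
"""Static first-pass scan of DLLs for registry references (added example)."""
import os
import re
import sys
from collections import Counter

# Registry API names worth flagging: the Win32 layer and the Nt layer under it.
# Scanning ntdll.dll itself will of course flag its own exports.
REG_APIS = (
    b"RegOpenKeyExW", b"RegOpenKeyExA", b"RegCreateKeyExW", b"RegQueryValueExW",
    b"RegGetValueW", b"RegSetValueExW", b"RegEnumKeyExW", b"RegDeleteKeyExW",
    b"NtOpenKey", b"NtOpenKeyEx", b"NtCreateKey", b"NtQueryValueKey",
    b"NtSetValueKey", b"RtlQueryRegistryValues", b"RtlQueryRegistryValuesEx",
)
_IDENT = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")

# Runs of printable characters stored as UTF-16LE (what the W APIs take) or
# as narrow ASCII (import names, RtlQueryRegistryValues tables, and so on).
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
_NARROW_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Registry path shapes: native \Registry\... paths, HKEY_ roots, and the
# hive-relative prefixes that RegOpenKeyEx(HKLM, ...) callers tend to use.
_KEY_RE = re.compile(
    r"(?:\\Registry\\(?:Machine|User)\\|HKEY_[A-Z_]+\\|SOFTWARE\\"
    r"|SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\).*",
    re.IGNORECASE,
)


def has_symbol(data: bytes, name: bytes) -> bool:
    """True if NAME occurs as a whole, NUL-terminated identifier in DATA
    (so 'MyRegOpenKeyExW' does not count as RegOpenKeyExW)."""
    start = 0
    while True:
        i = data.find(name + b"\x00", start)
        if i < 0:
            return False
        if i == 0 or data[i - 1] not in _IDENT:
            return True
        start = i + 1


def scan_bytes(data: bytes) -> dict:
    """Summarize the registry evidence in one PE image (or any byte blob)."""
    keys = set()
    for m in _WIDE_RUN.finditer(data):
        km = _KEY_RE.search(m.group(0).decode("utf-16-le"))
        if km:
            keys.add(km.group(0).rstrip())
    for m in _NARROW_RUN.finditer(data):
        km = _KEY_RE.search(m.group(0).decode("ascii"))
        if km:
            keys.add(km.group(0).rstrip())
    apis = [n.decode() for n in REG_APIS if has_symbol(data, n)]
    return {"apis": apis, "keys": sorted(keys)}


def scan_dir(directory: str) -> dict:
    """Map each *.dll in DIRECTORY to its summary; unreadable files are
    skipped, which on a live system32 is routine."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".dll"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as f:
                data = f.read()
        except OSError:
            continue
        r = scan_bytes(data)
        if r["apis"] or r["keys"]:
            results[name] = r
    return results


def key_histogram(results: dict) -> Counter:
    """How many DLLs reference each key: the 'who touches this key?' view."""
    c = Counter()
    for r in results.values():
        c.update(r["keys"])
    return c


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    res = scan_dir(root)
    for dll, r in res.items():
        print(f"{dll}: apis={r['apis']}")
        for k in r["keys"]:
            print(f"    {k}")
    print("\nmost-referenced keys:")
    for k, n in key_histogram(res).most_common(20):
        print(f"{n:4d}  {k}")
```

This is a file-level summary only: it tells you that a DLL knows about a key and which registry entry points it names, not which function opens it or whether the literal is ever used. Getting from "this DLL" to "this function" is exactly the part the wrapper layers make hard, and is where a disassembler database query would take over.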

whitequark,
@whitequark@mastodon.social

it goes through an unbelievable amount of wrapping

three functions in i hit an external call to... whatever this is

this function has literally 5 google search results

whitequark,
@whitequark@mastodon.social

one of these results is https://w.pedump.me/function/GetPersistedRegistryLocationW which looks like a legitimately useful resource

let's open kernelbase.dll and look at what carnage is hiding inside

whitequark,
@whitequark@mastodon.social

hardware brain damage and software brain damage are currently fighting over my brain deciding that "Rtl" is supposed to mean "Realtek" or "runtime library [ntdll]"

whitequark,
@whitequark@mastodon.social

what the fuck is GetProcAddressForCaller

whitequark, (edited)
@whitequark@mastodon.social

it... looks like GetProcAddress can return different DLLs for the same HMODULE depending on which function is calling it? this is absolutely wild what the fuck

whitequark,
@whitequark@mastodon.social

this code is doing something completely unhinged

why does it rotate the callback address by a variable amount specified in a global variable

what is it hiding

whitequark,
@whitequark@mastodon.social

wait... CsrClientConnectToServer uses LdrGetProcAddressForCaller to vary the behavior depending on who's calling it?

whitequark,
@whitequark@mastodon.social

the internals of the DLL loader are absolutely wild, this is one of the most interesting things about the OS

whitequark,
@whitequark@mastodon.social

oh, so THIS is how application manifests actually work!!

Rairii,
@Rairii@fedi.nano.lgbt

@whitequark i think this technique is an old security thing, like xpsp2-era or something like that?

whitequark,
@whitequark@mastodon.social

@Rairii but it's just a fixed address

this seems completely pointless

Rairii,
@Rairii@fedi.nano.lgbt

@whitequark it's in kuser_shared_data, it's the same address used for Encode/DecodeSystemPointer and probably an inlined implementation of that

i was correct though, xpsp2 is exactly when that structure element was added
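An added example, not from the thread and not Windows source: a Python model of the Encode/DecodeSystemPointer scheme the posts above are circling, written to show why the rotation count comes from a global and what the trick does and does not buy. It assumes the commonly documented x64 form, encode(p) = ror64(p ^ Cookie, Cookie & 0x3f) and decode(e) = rol64(e, Cookie & 0x3f) ^ Cookie, with Cookie being the 32-bit KUSER_SHARED_DATA.Cookie field at the fixed user-mode address 0x7FFE0000 + 0x330; the cookie and address values in the block are constructed samples.

```python
"""Model of the EncodeSystemPointer / DecodeSystemPointer scheme (added example).

Assumed layout (not copied from Windows):
    encode(p) = ror64(p ^ Cookie, Cookie & 0x3f)
    decode(e) = rol64(e, Cookie & 0x3f) ^ Cookie
Cookie is SharedUserData->Cookie, a ULONG at 0x7FFE0000 + 0x330 that every
process can read. The rotate count is the "variable amount specified in a
global variable" that shows up in the disassembly.
"""
MASK64 = (1 << 64) - 1


def ror64(x: int, n: int) -> int:
    n &= 63
    return ((x >> n) | (x << (64 - n))) & MASK64


def rol64(x: int, n: int) -> int:
    n &= 63
    return ((x << n) | (x >> (64 - n))) & MASK64


def encode_system_pointer(ptr: int, cookie: int) -> int:
    """What gets written into the callback slot."""
    return ror64((ptr ^ cookie) & MASK64, cookie & 0x3F)


def decode_system_pointer(enc: int, cookie: int) -> int:
    """What the caller recovers from the slot before calling through it."""
    return (rol64(enc, cookie & 0x3F) ^ cookie) & MASK64


def blind_overwrite_hits(target: int, cookie: int) -> bool:
    """Attacker with a write primitive but no read: TARGET goes into the slot
    raw, the decoder un-rotates and un-XORs it, and control lands on
    rol64(TARGET, n) ^ Cookie instead of on TARGET."""
    return decode_system_pointer(target, cookie) == target


def informed_overwrite_hits(target: int, leaked_cookie: int, cookie: int) -> bool:
    """Attacker who also has a read primitive: fetch the cookie from the fixed
    KUSER_SHARED_DATA address, pre-encode TARGET, and the scheme adds nothing.
    With a wrong guess for the cookie the overwrite still misses."""
    enc = encode_system_pointer(target, leaked_cookie)
    return decode_system_pointer(enc, cookie) == target


if __name__ == "__main__":
    COOKIE = 0x9A3B6E5D             # constructed sample of SharedUserData->Cookie
    CALLBACK = 0x00007FF6A1B2C3D4   # constructed sample callback address
    TARGET = 0x00007FF6DEADBEEF     # constructed attacker-chosen address
    enc = encode_system_pointer(CALLBACK, COOKIE)
    print(f"rotate count = Cookie & 0x3f = {COOKIE & 0x3F}")
    print(f"stored  = {enc:#018x}")
    print(f"decoded = {decode_system_pointer(enc, COOKIE):#018x}")
    print(f"blind overwrite reaches target:    {blind_overwrite_hits(TARGET, COOKIE)}")
    print(f"informed overwrite reaches target: {informed_overwrite_hits(TARGET, COOKIE, COOKIE)}")
```

The defensive value is narrow: a raw overwrite of a stored callback (a stray write, a partial overwrite, a write-what-where with no read) decodes to garbage instead of to the attacker's address. Against anyone who can read process memory the fixed cookie address is a one-instruction leak, which is the "seems completely pointless" reaction above put precisely.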

jevinskie,
@jevinskie@mastodon.social

@whitequark I’m doing this for hidden superpower Quartus ini settings… I need to get back and finish it.

There are some great ones like:
gregg_is_the_greatest_toy_master = 1

https://github.com/jevinskie/quartus-config-finder

bk1e,
@bk1e@mastodon.social

@whitequark Alignment: lawful DWORD
