Table of Contents
English Pages
- Acknowledgements, Bounties, Citations, Credits, Kudos, References, Rewards and Thanks
- Advisories, (some) Comments and Disclosures posted on Security Mailing Lists
- Application Verifier Provider
- Assorted Bookmarks of MSDN, MSKB and TechNet Articles and Pages
- Blunder – Microsoft®’s Excellence in Disinformation and Incompetence
- Bugs in Module Loader of Windows™ 10 and LINK.EXE Version 14.*
- Bugs in NTDLL.dll of non-English Editions of Windows™ Embedded POSReady 2009 alias Windows™ XP
- Bugs, Faults, Quirks and Vulnerabilities in the Command Shell of Windows NT™
- Command Line Logger
- Contact and Feedback
- CPUID Enumerator and Decoder
- cURL Binary Executables for Windows™ NT
- Custom AutoPlay Handler
- CVE Identifiers
- Deficiencies in GCC’s Code Generator and Optimiser
- Demonstration of Drive-by Downloads
- (Diversions in) Saturating Integer Arithmetic
- DLL Minesweeper – not just a Game only for Software Developers, (Penetration) Testers and Administrators
- Donald Knuth’s Algorithm D, its Implementation in Hacker’s Delight, and Elsewhere
- EICAR Standard Anti-Virus Test File
- Error Page
- Executable Installers Considered Harmful
- Exploits for MS15-132
- Fast(est) Double-Word Integer Division
- Generate (Self-issued and Self-signed) X.509 Certificates with CertReq.exe
- Gimmick of the Day (or Week, Month, Year, …)
  - Directory Identifiers
  - MSDM Product Key Reader
  - WPBT Command Line Reader
  - Environment Viewer
  - Easter Date Calculator
- Guardian for CWE-428
- Homepage
- HTML4 Entities, plus many Special Characters
- Idiosyncrasies – Inconsistent, Odd, Surprising, Un(der)documented or Weird (Mis)behaviour of Microsoft® Windows NT
- Imperfect Forward Secrecy
- Installation of Microsoft® Windows™ 7 SP1 with Slipstreamed Update Packages
- Internet Component Download
- mailto: URL Protocol Handler for GMail
- Mal(icious Soft)ware Evading Detection
- Meltdown, Spectre, Spectre-NG and Foreshadow Update Check Utility
- Microsoft® Visual C Compiler Helper Routines: Poor and Stupid Implementation
- Minimalist Runtime Library for Microsoft® C Compiler
- Mitigate some Exploits for Windows’™ User Account Control
- MIME content types
- Named HTML Colors
- NoScript (and NoFlash) for Microsoft® Internet Explorer (and Microsoft Office)
- Not Quite so Optimising (and Buggy) Microsoft® Visual C Compiler
- Notification and Disclosure Policy
- Odds and Ends for Microsoft® Windows™ NT
- P(h)un Intended: Phamous Quotes, Phunny Spaces, Phancy Backslashes, plus Phorged Environment Variables, for a Phabulous Backlash
- Prevent Bypass of AppLocker and SAFER alias Software Restriction Policies
- Protection Against Exploitation of CWE-428
- Shell Namespace: Shell Instance Objects and Shell Links
- Skype – or Redmond, You’ve got a Problem!
- SMBIOS Decoder
- Stop Malware with Software Restriction Policies alias SAFER
- Tempest in the ‘TEMP’ Directory
- Terms and Conditions
- Tidbits – Tiny Console Applications plus some Scripts
  - Group Policy Scripts
  - Client Registration Demonstration
  - Privileged Process Launcher
  - Interactive SYSTEM Process Launcher
  - Privilege Twiddler
  - Really Known SIDs Enumerator
  - Security Descriptor Definition Language Decoder
  - Security Descriptor Inspector
  - 8.3 File and Directory Name Changer
  - Directory Change Notifier
  - Hardlink Enumerator
  - Debug String Monitor
  - Non-interactive Symbolic Debugger
  - Product Key Validator
  - Shim Database Decoder
  - Registry Policy Reader
  - Registry INF Dumper
  - Offline Registry Reader
  - Portable Executable Version Information Reader
  - Portable Executable Resource Enumerator
  - Portable Executable Metadata Reader
  - Language Enumerator
  - Locale Enumerator
  - Network Enumerator
  - SLIC ACPI Table & XrML Digital License Decoder
  - UU Encoder
  - Base64 Encoder
  - MSVC Helper Library
  - MSVC Helper Library
- True Lies – or What LLVM Claims, but Fails to Deliver
- Unattended (Hardened) Installation of Microsoft® Windows™ 7
- Unicode Homoglyphs – or .ΒΑΤ out of Hell
- Unknown DLLs, API Sets and Forwarded Exports: when Compatibility means Vulnerability
- Vulnerabilities Introduced by Windows Defender
- Vulnerability and Exploit Detector
- Windows Calendar and Windows Mail for Microsoft® Windows™ 7
German Page
- Kleinigkeiten (für Windows)
Note: the German HTML page is quite (out)dated and only kept to preserve history!
Embedded Sources
The (i386 and AMD64 assembly) sources of several well-known (builtin, intrinsic and regular) compiler runtime functions of GCC, LLVM’s Clang and Microsoft’s Visual C embedded within some of the HTML pages listed above are for use with either the GNU assembler, as, or the Microsoft Macro Assembler, ML.EXE and ML64.EXE respectively; they are generally (up to an order of magnitude) faster and smaller than the functions provided in the runtime libraries shipped with the compilers.
as Sources
absdi2.s
absvdi2.s
addvdi3.s
ashldi3.s
ashrdi3.s
divdi3.s
divdi3.s
divmoddi4.s
gcddi3.s
lshrdi3.s
moddi3.s
moddi3.s
muldi3.s
mulodi4.s
mulvdi3.s
negdi2.s
negvdi2.s
subvdi3.s
udivdi3.s
udivdi3.s
umoddi3.s
umoddi3.s
udivmoddi4.s
udivmoddi4.s
udivmoddi4.s
absti2.s
absvti2.s
addvti3.s
ashlti3.s
ashrti3.s
cmpti2.s
divmodti4.s
divti3.s
gcdti3.s
lshrti3.s
modti3.s
multi3.s
muloti4.s
mulvti3.s
negti2.s
negvti2.s
parityti2.s
subvti3.s
ucmpti2.s
udivmodti4.s
udivmodti4.s
udivmodti4.s
udivmodti4.s
ML.EXE Sources
alldiv.asm
alldvrm.asm
allmul.asm
allrem.asm
allshl.asm
allshr.asm
aulldiv.asm
aulldvrm.asm
aullrem.asm
aullshr.asm
divdi3.asm
moddi3.asm
muldi3.asm
udivdi3.asm
umoddi3.asm
udivmoddi4.asm
ML64.EXE Sources
*ti?.asm
udivmodti4.asm
udivmodti4.asm
divmodti4.asm
udivmoddi4.asm
Files
- Cabinet Files
FORWARD.CAB
FORWARDX.CAB
TIDBITS.CAB
- Policy Files
REGISTRY.POL
S-1-5-20.POL
- X.509 Certificates
  - CER (base-64) encoded
KANTHAK.CER
ROOT.CER
  - DER (binary) encoded
KANTHAK.DER
ROOT.DER
Makefiles and Source Files
NMAKE Reference
Most of the makefiles (for Microsoft’s NMAKE.EXE) and source files (for Microsoft’s Visual C compilers) listed below are documented or referenced in the HTML pages listed above.
Note: the makefiles contain source code as inline files; some also refer to additional (binary) files which have to be downloaded separately!
- Makefiles
ASM_DEMO.MAK
BTI_RDCL.MAK
DETOUR.MAK
DLLDUMMY.MAK
EICAR.MAK
FUBAR.MAK
GIMMICK.MAK
INTEGER.MAK
LDR_DEMO.MAK
MSC_DEMO.MAK
NOMSVCRT.MAK
NOMSVCRT.MAK
OFFENDER.MAK
QUIRKS.MAK
SENTINEL.MAK
SHA1.MAK
SHA2-256.MAK
SHA2-512.MAK
SNAFU.MAK
TEMPEST.MAK
TIDBITS.MAK
TLS_DEMO.MAK
WPBT.MAK
- Source Files
FUBAR.C
NOMSVCRT.C
NOMSVCRT.H
NOMSVCRT.H
SNAFU.C
Scripts
Almost all scripts listed below are documented or referenced in the HTML pages listed above.
Note: some scripts need additional files, be sure to download them all!
Note: the Unix® shell scripts contain source code as here documents.
- Batch Scripts
AUTOPLAY.CMD
CWE-428.CMD
ELEVATE.CMD
FUBAR.CMD
GUARDIAN.CMD
HIJACK.CMD
IOAV.CMD
MANIFEST.CMD
NETPLWIZ.CMD
OFFENDER.CMD
PRINTUI.CMD
PROGRAM.CMD
SAFER.CMD
SENTINEL.CMD
SLOPPY.CMD
SLOPPY7D.CMD
SLOPPY7X.CMD
- Registry Scripts
APPDATA.REG
AUTOPLAY.REG
CALENDAR.REG
CommonAppData.reg
COMPUTER.REG
CONTACTS.REG
DESKTOP.REG
HOME.REG
IE_SAFER.REG
INTERNET.REG
LIBRARY.REG
LocalAppData.reg
MAIL.REG
MEDIA.REG
MESSENGER.REG
NEWS.REG
OE_STALE.REG
PROFILE.REG
S-1-5-20.REG
SENTINEL.REG
WUAU.REG
- Scheduler Task Definition
SRP_TASK.XML
- Setup Scripts
APPCERT.INF
APPINIT.INF
AUTOPLAY.INF
BOOTSECT.INF
CLIENTS.INF
DECORATE.INF
DIRID.INF
DISKMGMT.INF
EICAR.INF
GMAIL.INF
HOTMAIL.INF
LDID.INF
MALWARE.INF
MEIUDF.INF
MORRO.INF
MOTW.INF
MSDN.INF
MSICD.INF
MSKB.INF
NETTFTPD.INF
NT6_PFS.INF
NT6_SAFER.INF
NT6_SUPER.INF
NT60_PFS.INF
NTX_SAFER.INF
POWELIKS.INF
REGEDIT.INF
SCRIPTS.INF
SDDL.INF
SENTINEL.INF
SUBMENUS.INF
TECHNET.INF
TINYPDF.INF
UACAMOLE.INF
UACSEVEN.INF
UNICODE.INF
VRFKNTHK.INF
WAB.INF
WINCAL.INF
WINMAIL.INF
XP_FIXIT.INF
XP_SAFER.INF
XP_SHELL.INF
XP_SUPER.INF
- Unix® Shell Scripts
128-bit.sh
clmul.sh
fpu-math.sh
integer.sh
memory.sh
sse-math.sh
string.sh
- Visual Basic Scripts
APPDATA.VBS
AUTOPLAY.VBS
DIGITALID.VBS
HOLIDAY.VBS
HOME.VBS
PRODUCTID.VBS
PROFILE.VBS
TEMPEST.VBS
TRACKER.VBS
UNICODE.VBS
UNIQUE.VBS
VIRTUAL.VBS
- Windows Script Host Scripts
ELEVATE.WSF
HIJACK.WSF
MANIFEST.WSF
Links
- What every Windows administrator or developer must absolutely and definitively know about DLL (pre)loading … at least:
  - How the NT Loader works
  - The NT DLL Loader: basic operation
  - The NT DLL loader: dynamic unloads
  - The NT DLL Loader: DLL callouts (DllMain) – DLL_PROCESS_ATTACH deadlocks
  - The NT DLL Loader: reentrancy – play along at home!
  - The NT DLL Loader: DLL_PROCESS_ATTACH reentrancy – step 1 – LoadLibrary()
  - The NT DLL Loader: DLL_PROCESS_ATTACH reentrancy – step 2 – GetProcAddress()
  - The NT DLL Loader: DLL_PROCESS_ATTACH reentrancy – step 3 – quality requirements
  - The NT DLL Loader: DLL_PROCESS_ATTACH reentrancy – step 4 – ramifications of questionable quality
  - The NT DLL Loader: DLL_PROCESS_ATTACH reentrancy – wrap up
  - The NT DLL Loader: FreeLibrary()
  - DLL Preloading Attacks
  - MS09-014: Addressing the Safari Carpet Bomb vulnerability
  - More information about the DLL Preloading remote attack vector
  - An update on the DLL-preloading remote attack vector
  - MS14-019 – Fixing a binary hijacking via .cmd or .bat file
  - Load Library Safely
  - Triaging a DLL planting vulnerability
  - Downloads Folder: A Binary Planting Minefield
  - Carpet Bombing and Directory Poisoning
  - Bypassing Application Whitelisting
  - Dynamic-Link Library Security
  - Dynamic-Link Library Search Order
  - Insecure Library Loading Could Allow Remote Code Execution
  - Secure loading of libraries to prevent DLL preloading attacks
  - Microsoft Security Advisory: Insecure library loading could allow remote code execution
Contact and Feedback
If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tips, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!
Use the X.509 certificate to send S/MIME encrypted mail.
Note: email in weird format and without a proper sender name is likely to be discarded!
I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text. I also expect to see your full (real) name as sender, not your nickname. I abhor top posts and expect inline quotes in replies.
Terms and Conditions
By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!
- The software and the documentation on this site are provided as is without any warranty, neither express nor implied. In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
- Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes. An individual’s use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
- Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
- Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.
Notification and Disclosure Policy
I detect bugs, weaknesses and (security) vulnerabilities in software quite often and (try to) report them to developers and vendors.
- If you are a software developer or vendor but failed to provide an email address for reporting bugs, weaknesses and/or (security) vulnerabilities within your software and its documentation or failed to publish an email address on your web site, I usually disclose the bugs, weaknesses and/or (security) vulnerabilities immediately.
- If the email address provided within your software and its documentation or published on your web site is invalid or reports sent to this mailbox bounce, I usually disclose the bugs, weaknesses and/or (security) vulnerabilities immediately.
- If you receive a bug, weakness and/or (security) vulnerability report, I expect at least an (immediate) acknowledgement of receipt and a qualified reply in the course of one week.
- If you don’t acknowledge the receipt or don’t reply within one week, I usually resend the notification once, eventually with Cc: to CERT/CC.
- If you again don’t acknowledge the receipt or don’t reply within another week, I usually disclose the bugs, weaknesses and/or (security) vulnerabilities then without further notice.
- If you consider a bug, weakness and/or (security) vulnerability I reported to you not as (security) vulnerability, I usually disclose it immediately.
- If you decline to fix a bug, weakness and/or (security) vulnerability I reported to you, I usually disclose it immediately.
- I expect that you assign or request a CVE® identifier for every security vulnerability I report to you and notify me when done.
- I usually set a disclosure date 45 days after the initial bug, weakness and/or (security) vulnerability report.
- If you can’t meet this initial deadline and need more time to provide a fix or inform your customers, I will grant an extension of the initial deadline if you provide convincing arguments to me.
- If the set deadline expires, I usually disclose the bugs, weaknesses and/or (security) vulnerabilities then without further notice.
- I expect regular progress and/or status updates every other week, especially if you can’t meet the (initial or extended) deadline.
- If you don’t send progress and/or status updates on your own, I will eventually request them from you.
- If you don’t reply to a progress and/or status update request within one week, I usually disclose the bugs, weaknesses and/or (security) vulnerabilities then without further notice.
- I usually disclose the bugs, weaknesses and/or (security) vulnerabilities once you provide a fix or publish a (security) advisory or bulletin.
Data Protection Declaration
This web page records no (personal) data and stores no cookies in the web browser.
The web service is operated and provided by
Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<hosting@telekom.de>
+49 800 5252033
The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):
- the (pseudonymised) IP address;
- the date and time of the request;
- the URL of the requested web page or file;
- the Referer and User-Agent HTTP headers sent by the web browser;
- the result (success or failure) of the request;
- the amount of data received and sent.
Copyright © 1995–2024 • Stefan Kanthak • <stefan.kanthak@nexgo.de>