Thursday, June 25, 2009

Opera Is The Browser to Sample Music

Ok,  i found it pretty  easy  to  combine google,  myspace and opera into the machine to try - out a new Rock Band.  

Opera has the customisable  search  feature.

Google has a nice search  and a brilliant "feeling  lucky"  feature.

Myspace has nice feature of playing  sample songs of the musician if you  are on his page.

So  let's try  to do  it  with bare hands first.

let's craft  an  URL to show us a myspace page of great  Finnish  Melodic Death Metal  band


Aha,  found one. but  to directly  navigate to  that  page  we need  to  use "feeling  lucky" feature .

No problems. Let's add  a new variable to  the URL.

It works ,  we go stright to the page and can  listening  to  music without pressing  a key.

Now,  let's  integrate the search into  Opera.

  1. Go to menu   tools/preferences/search tab . 
  2. Press "add" .
  3. Specify :
  • Name : myspace
  • Keyword : m
  • Address : 

It is done .

Now you  can  write in  addres field of Opera : m Insomnium and go  directly  to  the page .

Friday, June 5, 2009

RIP Fravia

Fravia passed away on Sunday, 3rd May 2009

thank you  , my  teacher  for everything  you've done.

I  hope your  reincarnation is underway .

Wednesday, April 29, 2009

I  am now a proud owner of Google Android - enabled HTC G1 t-mobile Gadget.

Trying to make use of it.

first  impressions : it downloaded update via GRPS and that  has put  $10 to my  mobile bill. 

Not  very  nice. Good thing it is on our company.


Thursday, April 9, 2009

setupapi problem with browsers : malware

Recently i have found IE and Opera misbehave on my system.
Ie just crashes, and opera does not download anything , crashing upon trying to download. drweb - cure-it found infected setupapi.dll in bin forlder of opera, IE & firefox. i removed them and voila- all works like a charm.

Before that i removed a rootkit driver and winlogon plugin dll.

a massive attack , must i say. Looks like a 0-day exploit.

File: 509fff07.sys 
MD5: 013baa9555f638680f8e0485d838c290

A-Squared Found Backdoor.Winnt!IK
AntiVir Found TR/Rootkit.Gen
ArcaVir Found nothing
Avast Found Win32:Rootkit-gen
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Packed.142
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found Backdoor.Winnt
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found Mal/TDSSPack-G

VirusBuster Found nothing

VBA32 Found Malware-Cryptor.Win32.General.3 (probable variant)

that  one is more famous and stupid

File: crypts.dll

Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) 
MD5: 9e1715c7898a8cd97a162711886989dc 
Packers detected: PE_PATCH.UPX, UPX

A-Squared Found Trojan-Spy.Finanz.J!IK
AntiVir Found TR/Dldr.Age.orh.1.A
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.DownLoad.33838
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Agent.bqus
Ikarus Found Trojan-Spy.Finanz.J
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.bqus
NOD32 Found Win32/TrojanDownloader.Agent.ORH
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
VBA32 Found nothing

Thursday, March 5, 2009

How to do windows logon with smartcard

If you try to implement GINA replacement that fully supports all features that native msgina.dll supports , you have to implement smart card login (PKI). And here comes the problem. The information on how to do that is very limited. There is no even correct structures defnition available. It was not documented . Now it is defined in SDK , but not for systems earlier then Vista.(eg :Windows XP ).
I am speaking of

ULONG CspDataLength;
WCHAR pinData[256];

Compare it with msdn definition :

Somewhat different , eh?

typedef struct _KERB_SMARTCARD_CSP_INFO {
DWORD dwCspInfoLen;
DWORD MessageType;
ULONG nCardNameOffset;
ULONG nReaderNameOffset;
ULONG nContainerNameOffset;
ULONG nCSPNameOffset;
TCHAR bBuffer[1024];

Once again Compare it with MSDN definition .

And now the struct that should be supplied to LsaLogonUser as AuthenticationInformation parameter.

struct FullPacket

Note : this is the most mystic thing that spoiled hours and days of debugging:

The LogonDomainName, UserName, and Password members of the MSV1_0_INTERACTIVE_LOGON structure must point to buffers in memory that are contiguous to the structure itself. The value of the AuthenticationInformationLength parameter must take into account the length of these buffers.

Yessss! And all others  , like  CardName, ReaderName,ContainerName,CSPName.

And one more thing ,  despite what  the msdn sais  about  KERB_SMARTCARD_CSP_INFO.MessageType

The type of message being passed. This member must be set to 1.

- for XP  it shold be 0.  I believe it is a version of the structure. 

That  is all  for now.  The clever one  can do the rest  ;)

Note : tested on 32bit  Windows XP & 2k3;

Wednesday, February 25, 2009

Hunting an evil Trojan bot : on viruses and antiviruses

OK , recently i have found that my computer behaves weird.
Bad browsing experience for example. Trying to reach our corporate email with no success.The email is hosted with goggle apps . is resoled to some ip address. After some researches and guesses i have found that :

is "slightly "altered.

long listing here:

# localhost
# Some shit to block
# Karl Spermsky
# danilOFF
# Symantec
# Eset NOD32
# antivir
# mcafee
# Avast
# Bitdefender
# Agnitum
# Comodo
# ClamAv
# F-Secure
# Norman
# Panda
# VBA32
# Other shit
# even more shit
# Have a nice day, motherfuckers!
Hm, it seems that the botnet has me.

The simplest thing that came to mind mind is to download antivirus and run it.
Here comes the bride: dr web free scanning tool.
It finds nothing importnt thow .
ok, hands on.
First i downloaded gmer. and it shows a number of hooked APIs in different User mode Apps.
trying to hunt the hooker with the debugger gives me nothing , but hey , we have more tools.
I downloaded sysinternal's rootkit revealer that  was able to  locate
hidden files.

The most interesting was %SystemRoot%\system32\twex.exe.

Registry editor located the start of this malware under userinit.
If you try to remove the value - it gets restored immediately .
So we need to remove the file. as it is hidden from API we cannot kill it .
Yet again sysinternals saves our day.
using Move files utility we can schedule the rename of the file during boot.

That is all.

Also i found this tool to be quqite handy: HookShark -userland rootkit revealer.

Friday, February 13, 2009

Using .Net in GINA . WebServices, remoting, XML etc.,

Microsoft states:

Do not use high level languages, libraries, frameworks, virtual machines or runtimes in core operating system processes

We recommend that you only use C languages and Win32 APIs for any add-in components that are loaded by core operating system processes. Two examples of core operating system processes are Winlogon.exe and Lsass.exe. 

The behavior of any high-level language, framework, or runtime in the components that are loaded by core operating system processes is undefined. For example, the Microsoft .NET Framework and the common language runtime were not designed to run in the context of core operating system processes. The following is a partial list of high-level languages, frameworks, and runtimes where the behavior is undefined in the context of core operating system processes: 

.NET Framework languages
Visual Basic .NET
Managed Extensions for C++
common language runtime
Microsoft Component Object Model (COM)
Microsoft COM+
Microsoft Distributed Component Object Model (DCOM) 
Microsoft Foundation Classes (MFC)
Microsoft ActiveX Template Library (ATL) framework

Well, we discovered several glitches with .NET usage inside winlogon process.

The most annoying  thing was  "Configuration system failed to initialize" exception ,  when using anything XML-related.

The exact reason for this error  is not quote clear as there is  no reasonable CLR debugger to  debug CLR code . But  what  is clear is the fact that .Net cannot find config files inside winlogon process. No wonders here as we are under System account which does not have interactive profile created. 

After  some research  using Reflector -  (a brilliant tool ,  btw ) and searching the web we have found the solution to this problem . Altho  applied to ASP,  it was suitable to  our case as well.

After  some modifications we have made it like this:

I used code formatting for the web to present the code.

using System;
using System.Configuration;
using System.Configuration.Internal;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Windows.Forms;
using Utils;

namespace CfgReplace

public class ReplacementConfigSystem : IInternalConfigSystem
public static void InstallHook()
ReplacementConfigSystem rcs = new ReplacementConfigSystem();

private Configuration _base;
private IInternalConfigSystem _original;
private readonly string _appPath;
private Configuration _WSEConfiguration;

/// <summary>
/// Create an object that wraps a Configuration object and can plug into
/// ConfigurationManager.
/// </summary>
public ReplacementConfigSystem()

_base = ConfigurationManager.OpenMachineConfiguration();
_appPath = Help.GetAppPath() + "xxx.dll";
_WSEConfiguration = ConfigurationManager.OpenExeConfiguration(_appPath);

public void InstallUsingInternalMethod()

const BindingFlags flags = BindingFlags.Static | BindingFlags.NonPublic;
Type configManType = typeof(ConfigurationManager);
configManType.InvokeMember("s_initState", flags | BindingFlags.SetField, null, null, new object[] { 0 });
configManType.InvokeMember("SetConfigurationSystem", flags | BindingFlags.InvokeMethod, null, null, new object[] { this, true });


#region IInternalConfigSystem Members
/// <summary>
/// Return the requested Section from the Configuration object.
/// Sections are handled differently by ConfigurationManager, so
/// this method reconstructs the Section in an appropriate manner.
/// </summary>
/// <param name="configKey">Key name</param>
/// <returns></returns>
public object GetSection(string configKey)

ConfigurationSection section = //get the section from what ever place you want
return section;


public void RefreshConfig(string sectionName)

_base = ConfigurationManager.OpenExeConfiguration(_appPath);

public bool SupportsUserConfig


return false;

Hi . This is  my  first  post here.

I am going  to write this and that  about research  results and interesting findings .

It' been a while.

I am going to publish  things about .NET, Windows,  hacks, reverse engineering, software processes and stuff. And i do not  expect to write here much  about politics and personal stuff. 

Here i grant everyone the right  to  use my  code ,  published here in their own works of any kind.

Give me the credit , if you  wish ,  for example - give  a link to this blog.

I can  be reached via skype : Sergey.Rogachov