Just Let It Trickle

Plug in to CL’s Kitchen

Fri, 25 Jan 2013 16:40:00 +0000

It's well known that Visual Studio's C compiler hasn't progressed much beyond C89, save for things like variadic macros. What might not be quite as well known is that to rectify this a bit, somebody created a C99 to C89 converter. A decent tool to be sure, but it doesn't integrate well into Visual Studio. Being a seperate program means you have to fudge things to run it instead of cl.exe, or you have to set a pre-build step, save the processed output and then compile those files instead of the ones in your project. It's not terribly friendly for IDE purposes. Wouldn't it be nice if there was a way to intercept the compilation and process the source files as it goes? What isn't well known is that you can do that, with compiler plugins.

The good news about these plugins is that unlike IDE ones such as Visual AssistX, the support is directly in the compiler so you don't have to have a pay-for version to use them. You see, not only does cl.exe have the plethora of options it displays as help, it has undocumented ones too. Ones which allow you to change or add compiler passes and pass your own arguments to them.

Continue reading on Just Let It Flow...

Dropping Like Files - Zipping Without Libraries on Windows

Wed, 17 Oct 2012 20:54:00 +0000

If you haven't been living under a rock (or in a non-Windows world) you'll know that since XP, Windows has had zip file extraction and creation. You may also know that what it doesn't have, is a defined API so us normals can leverage it programmatically. But there are ways and means.

Think about it, the usual way you'd interact with zip files is through the shell. You'd highlight a bunch a files and "Send To" a Compressed Folder or drag them into an existing folder and voila. There's obviously some code behind that's actually doing those things, and since you can do them from 'Open File' dialogs and the like, it can't be code within the Explorer executable.

You can search Google all you want, but you'll only find that MSDN isn't sandbagging and there are no directly exported functions to create zips. What you may find is that shell32 and friends do have functions and interfaces to duplicate the Shell's methods of dragging, dropping and sending to, so that seems a good lead to follow...

Continue reading on Just Let It Flow

Things Up Microsoft's Sleeve - Console Graphics

Mon, 08 Oct 2012 15:05:00 +0000

CreateConsoleScreenBuffer, what a fabulous function. You ask it nicely, and it gives you as many 'console window content' buffers as you want. With the other supporting functions it's everything you need for a AAA game (ascii-art-animation natch). But backup a minute here. what's that mysteriously reserved parameter for and why is there a flags argument with a weasely worded "only supported screen buffer type"? Sounds like there's something else it can (or at least could) do.

Sure enough, there is. For the function really doesn't just have one defined buffer type, it has two. The second is the truthfully, if optimistically, named CONSOLE_GRAPHICS_BUFFER. Now doesn't that sound fancy? I mean, non-ascii graphics in the console, groovy!

The creation of this 'graphics buffer' works via the magic of that bogus 'reserved' last parameter. Forget about your regions and device contexts though, where we're going is much more low-tech.

Read the rest on Just Let It Flow

WindowWatcher is Here

Fri, 22 Jun 2012 00:23:00 +0000

Way back in the mysts o' tyme I told a tale of a little picture-in-picture / interactive zoom tool I was working on. Well, a whole year and 4 months later I got round to fixing the buggy bits and wrote some help pages. Now it's ready for public consumption as an Installer, or just a Zip.

It's simple to use. You pick an open window

And you get another window (optionally always on top) that displays th chosen windows' live client area:

From there you can interact with the source window just as you would the real one with mouseover effects, button clicks etc But that's a bit boring, and with large windows the contents are all small like, so what you can do is select an area

and be zoomed into that

Then you can resize the window to enlarge or reduce the size of the content

Finally, because it'd be rude not to, you can still interact with the now zoomed and enlarged content

If you prefer to see it in moving action, I whipped up an 'ad' on my first go round last year.

http://www.youtube.com/embed/A5k8pKAUtOg?rel=0

It requires Windows Vista, 7, or 8 and Aero to be enabled and that's about it. It weighs in at about 150K soaking wet and uses a whopping 1.5MB of memory, so if it looks useful, have a go with it.

Installer, Zip.

Native Only Apps with VS Express for Win8

Sun, 03 Jun 2012 01:40:00 +0000

Microsoft say "Visual Studio Express 2012 for Windows 8 provides tools for Metro style app development. To create desktop apps, you need to use Visual Studio Professional 2012, or higher."

That isn't quite true. In fact, there's no quite about it. In the current RC version on MSDN, it's downright wrong, and simple to achieve too.

So how do you do it?

Before starting the IDE, navigate to
%programfiles%\msbuild\Microsoft.cpp\v4.0\v110\1033
Open general_appcontainer.xml and find the line that contains
Open the IDE and create a Visual C++->Blank App (XAML) project

When created, you can delete almost all things it puts in there. The xaml files, the appxmanifest, the assets and common folders and if you don't need or want precompiled headers you can delete both pch files too.

Now, right click the project file and change these values:

Configuration Properties->General and switch Metro Style App to false.

And there you go! You can compile and debug native, WinRT-less apps using the old guard of WNDCLASSEX and GetModuleHandle type stuff from when men were men and women even moreso. You'll need to readd UNICODE, _UNICODE, _DEBUG/NDEBUG to the preprocessor directives if you need them, and re-enable pdb-generation and the subsystem type in the linker settings.

The only major downside is that the Win32 SDK that comes with this version is severely lacking many major things such as bits for the common controls and GDI32.lib etc. If you have an older SDK you can point it at though, it's isn't that bad. if you don't, you'll also have to remove the entries that aren't kernel32.lib and user32.lib in Linker->Input or generate lib files from the dlls using link.exe.

What does turning the Metro switch off do?

Unsets C/C++->General->Consume Windows Runtime Extensions (No)
This removes the dependency on vscorlib110.dll

Unsets the WINAPI_FAMILY define, which winapifamily.h defaults to WINAPI_FAMILY_DESKTOP_APP
This enables the functions marked in the SDK as being for desktop apps only (basically all the ones you're familiar with from Win32).

Unsets Linker->Windows Metadata->Generate Windows Metadata
Stops the generation of winmd files which have no purpose for non WinRT apps

Removes the non IDE Linker setting: /AppContainer
This turns off the new for Windows 8 IMAGE_DLLCHARACTERISTICS_APPCONTAINER flag in the Optional PE Header, and lowers the OS and Subsystem version of the generated exe down to 6.0 (Vista) levels (the default is 6.2 (Win 8))

And that's about it as important stuff goes. Deleting one character and changing three others has turned Microsoft from paragons of virtue, into rotten stinking liars.

If you're only interested in the updated C++ 11 toolchain, it's probably just easier to copy the VC\bin, VC\include and VC\lib directories and use them side by side with your current install of VS. The compiler binaries run on Vista+ as long as msvcr110.dll is in the path somewhere.

No Hooks Please, We're British - Thread Creation Notification

Sat, 26 May 2012 02:31:00 +0000

If what you're writing already requires a dll, or you can augment an existing one, then you're already set and can use the fact that DllMain gets called when threads are created and destructed to your advantage. If you're not, or can't then you're pretty much stuck for an answer. Conventional wisdom on the web seems to revolve around hooking CreateThread or even use the kernel based notification scheme. However making a whole driver is overkill and with several methods of creating threads called at various levels of Windows, hooking isn't always sufficient either, especially if you want to execute code in the thread context. WMI is also a technical possibility, but with its '10,000 lines of code where 10 will do' philosophy, that's where its staying.

Dll thread_attach notifications work because when threads are created and torn down, ntdll loops around the internal structures corresponding to each module loaded in the process and calls their entry point if they meet certain criteria. The structure for the exe is included in the enumeration but as it doesn't identify as a dll, its entry point isn't called. The thing to do then, is modify the structure to a) look like a dll and b) make it think our entry point is a DllMain...

Continue reading on Just Let It Flow

Leveraging Windows' Built In Disassembler

Wed, 25 Apr 2012 15:33:00 +0000

Wait, there's a disassembler built into Windows? Well, only in the sense that a supermarket that has the ingredients to build a cake. There's no ready made pastry hidden away in the depths of system32, unlike there is for file hashing .

What there is though, is an aisle full of ingredients going by the name of DbgEng.dll. This fellow forms part of the debugging tools triumverate with its more illustrious counterpart dbghelp.dll and the mysterious symsrv.dll. DbgEng contains the interfaces which make up WinDbg's core functionality, a portion of such is disassembling. So, being the sort of chef who would appear on a Gordon Ramsay show in quite short order, I rustled up a quick messily coded bun.

It's not IDA or Hiew, it's not meant to be. But for an 'objdump -d' like, quick and dirty tool that handles the 3 most common Windows architectures (as well as ARM and Alpha!) and doesn't require a toolchain to be installed, it's perfectly acceptable for my uses. It may be for others too, so have at it if you should so desire.

Download it here

AMD64 output with symbols.

ARM output from files compiled by eMbedded VC.

The code was to be part of a larger project which never was and so, is in a terrible state mixed with this library and that. In scant consolation, below are the basic steps to how it works, and how you can do it yourself if you're suitably deranged. The help for these interfaces and functions is on MSDN (obviously) and also the debugger.chm help file that comes with the Debugging Tools For Windows package which also houses the up to date headers, libs, and other helpful little programs.

Pseudocode steps

- The lesser known tool is certutil.exe, the command line to hash files is
certutil -hashfile
Hash name can be SHA1, SHA256, SHA384, SHA512, MD2, MD4, MD5, must be uppercase

Chroot-ing in Windows - As Easy As A:, B:, C:

Tue, 17 Jan 2012 00:22:00 +0000

Linux people who have to work in Windows are sometimes found lamenting about the basic tools it has which are absent from Microsoft's product. While recent developments of Windows have implemented variously featured versions of whoami, ln, cat, grep, ps and chmod, one app that's so far evaded the conversion is chroot.

Whatever the reason may be for its absence, it is definitely not because there's is no support mechanism for it. Just like in Linux, it's a single function call.

NtSetInformationProcess(hProcess, ProcessDeviceMap, &hObjectDirectory, sizeof(hObjectDirectory));

Ok, so it's technically one function call, but there needs to be a bit of setup beforehand...

Continue reading on Just Let it Flow

Bagging Some Property - Getting A Windows User's Picture Tile

Tue, 03 Jan 2012 18:18:00 +0000

It doesn't sound like it should be so hard. I mean, the shell has managed to produce it every time you've logged on since Windows XP. MSDN has a page dedicated to user profiles that includes a section on where it is and how its treated. It details that a users picture lives in their temp directory, except for most times when it doesn't. It's not wrong in its description. The picture will turn up if you open the User Account control panel, but if you're trying to grab it programatically, asking the user to open Control Panel and all that or even worse, opening it from your own code and killing the window just as quick aren't fantastic solutions.

If you’ve searched for this before or being otherwise snooping through the shell’s exported functions, you may have seen something called SHGetUserPicturePath or its ex version SHGetUserPicturePathEx. Just the sound of their names elicit sounds of joy, a joy that the long search is over. And it should be, except that it isn't. For one thing, up until a few weeks ago there was no public record of how to use them or what they do, at least not one picked up by Google. Now that’s been rectified (with the docs above) and given the MSDN page, 2+2 would suggest these are the functions called upon opening the control panel.

Continue reading on Just Let It Flow

Detailing the Hookers – Underneath the Sheets

Mon, 18 Jul 2011 06:13:00 +0000

We all need ideas. Whether you've just finished something, or are getting a little bit bored with your current project you can't help but let your mind drift to the next cool thing you'll create. Sometimes the ideas come thick and fast, other times they're like gold dust. When I'm in the second camp, and reading the various boards I read, I will quite happily steal other peoples.

One such board is Sysinternals'. They do winternals, I do winternals, they have a suggestion section and I want ideas. It's a perfect fit. On a previous visit, one of the suggestions I found was for a program that could list active hooks. Given my previous excursions into user/win32k territory, it didn't seem like it'd be too hard. And apart from the digging around assembly listings for the structure offsets, it wasn't, and that was more time-intensive than difficult. At any rate, I am now the owner of 14 versions of win32k.sys' symbols. I don't even have 14 games on my computer!

Rather than just dumping a download link and saying what it does (like I semi-did last time), I thought I'd deconstruct the hows and why's of the kernel side of the query. Needless to say, much of what follows is discussion of undocumented things. I am aware this makes Raymond Chen cry. Sorry fella.

Continue reading on Just Let It Flow

Apologies to BenS1, I didn't notice the comment on the previous blog entry. Looks like I went and did what you were after anyway