Skip to main content

Posts

Showing posts from April, 2013

Deep Dive to Windows, Part 4

Launched a process sample_Hello through WinDbg and observed following events: ModLoad: 00400000 0041c000    Sample_Hello.exe ModLoad: 77980000 77b00000    ntdll.dll ModLoad: 76b10000 76c20000    C:\Windows\syswow64\kernel32.dll ModLoad: 76d20000 76d67000    C:\Windows\syswow64\KERNELBASE.dll ModLoad: 67fd0000 680ce000    C:\Windows\WinSxS\x86_microsoft.vc80.debugcrt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_e4a70117006762dd\MSVCP80D.dll ModLoad: 670e0000 67201000    C:\Windows\WinSxS\x86_microsoft.vc80.debugcrt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_e4a70117006762dd\MSVCR80D.dll ModLoad: 77050000 770fc000    C:\Windows\syswow64\msvcrt.dll (3c0.1324): Break instruction exception - code 80000003 (first chance) eax=00000000 ebx=00000000 ecx=fb480000 edx=0008e3c8 esi=fffffffe edi=00000000 eip=77a20fab esp=0018fb08 ebp=0018fb34 iopl=0          nv up ei pl zr na pe...

Detect Antivirus installed on Windows 7

In this article, I've tried to show how we can detect antivirus product installed on a Windows system. The code is written is specifically for Windows 7. The basic idea here is to use WMI from C++. Here are the steps: 1. To Setup WMI consumer, set up COM by calling CoInitializeEx . 2. Initialized COM process security by calling CoInitializeSecurity . 3. Obtained the initial locator to WMI by calling CoCreateInstance. 4. Obtained a pointer to IWbemServices for the root\cimv2 namespace on the local computer by calling IWbemLocator::ConnectServer . 5. Set IWbemServices proxy security so the WMI service can impersonate the client by calling CoSetProxyBlanket . 6.Used the IWbemServices pointer to make requests of WMI. This executes a WQL query for the antivirus product installed by calling IWbemServices::ExecQuery . The following WQL query is one of the method arguments. SELECT * FROM AntiVirusProduct The result of this query is stored in an IEnumWbemClassO...

About Windows Executable File Size

This post is basically an effort to know what happens when we compile a simple Hello World program on Windows. In this case, I've used Visual Studio 2005. First I've written a small usual Hello World program with all default settings provided by Visual Studio 2005. The program looks like below: int main(void) {     printf("Hello World build on VS 2005--Default\n");     return 0; } The program compiled against the default C-runtime library. No changes have been done in any settings. I've built it in Debug as well as in release mode. In Debug build, the program size is  40 KB . In release build: Its size is 6 KB . Now I've written another Hello World Program but switched off the default C-Runtime library. Rather, I've used the standard Windows library and provided definitions of functions like printf as well as the CRT start-up function. I've also switched off Buffer Security Check and Basic Runtime checks set to Default. The last two setti...

HDD enumeration and info retreive - another way

In this part I tried to enumerate all physical hard disk drive (HDD) attached to the system and tried to query to those attached physical drive to get the disk information like Vendor ID, Product ID, Product Revision, Serial number etc. In my last blog, I've tried to get physical hard disk drive count through volume map, but in this post, I tried get it through "SetupDiGetClassDevs" API. All the SetupDiXXX APIs are very powerful APIs. These APIs along with DeviceIoControl API helps to retrieve very useful information regarding devices. So, I'm not going to talk much on this rather let MSDN to speak about this APIs. Let's see what are other information that we can get on HDD attached to the system through the usage of this API: void printStorageDeviceProperty(UCHAR *outBuf, const DWORD returnedLength) {     PSTORAGE_DEVICE_DESCRIPTOR            devDesc;     PUCHAR       ...