Valid HTML 4.01 Transitional Valid CSS Valid SVG 1.0

Me, myself & IT

Table of Contents

English Pages

Acknowledgements, Bounties, Citations, Credits, Kudos, References, Rewards and Thanks
Advisories, (some) Comments and Disclosures posted on Security Mailing Lists
Application Verifier Provider
Assorted Bookmarks of MSDN, MSKB and TechNet Articles and Pages
Bugs in Module Loader of Windows® 10 and LINK.EXE Version 14.*
Bugs in NTDLL.dll of non-english Editions of Windows® Embedded POSReady 2009 alias Windows® XP
Command Line Logger
Contact
CPUID Enumerator and Decoder
cURL Binary Executables for Windows® NT
Custom AutoPlay Handler
CVE Identifiers
Deficiencies in GCC’s Code Generator and Optimiser
Demonstration of Drive-by Downloads
(Diversions in) Saturating Integer Arithmetic
DLL Minesweeper – not just a Game only for Software Developers, (Penetration) Testers and Administrators
Donald Knuth’s Algorithm D, its Implementation in Hacker’s Delight, and Elsewhere
EICAR Standard Anti-Virus Test File
Executable Installers Considered Harmful
Exploits for MS15-132
Fast(est) Double-Word Integer Division
Generate (Self-issued and Self-signed) X.509 Certificates with CertReq.exe
Gimmick of the Day (or Week, Month, Year, …)
Directory Identifiers
MSDM Product Key Reader
WPBT Command Line Reader
Environment Viewer
Easter Date Calculator
Guardian for CWE-428
HTML4 Entities, plus many Special Characters
Idiosyncrasies – Odd, Surprising, Un(der)documented or Weird (Mis)behaviour of Microsoft® Windows NT
Imperfect Forward Secrecy
Installation of Microsoft® Windows® 7 SP1 with Slipstreamed Update Packages
Internet Component Download
mailto: URL Protocol Handler for GMail
Mal(icious Soft)ware Evading Detection
Meltdown, Spectre, Spectre-NG and Foreshadow Update Check Utility
Microsoft® Visual C Compiler Helper Routines: Poor and Stupid Implementation
Microsoft®’s Excellence in Desinformation and Incompetence
Minimalist Runtime Library for Microsoft® C Compiler
Mitigate some Exploits for Windows’® User Account Control
Named HTML Colors
NoScript (and NoFlash) for Microsoft® Internet Explorer (and Microsoft Office)
Not Quite so Optimising (and Buggy) Microsoft® Visual C Compiler
Notification and Disclosure Policy
Odds and Ends for Microsoft® Windows® NT
P(h)un Intended: Phamous Quotes, Phunny Spaces, Phancy Backslashes, plus Phorged Environment Variables, for a Phabulous Backlash
Prevent Bypass of AppLocker and SAFER alias Software Restriction Policies
Protection Against Exploitation of CWE-428
Skype – or Redmond, You’ve got a Problem!
SMBIOS Decoder
Stop Malware with Software Restriction Policies alias SAFER
Tempest in the ‘TEMP’ Directory
Terms and Conditions
Tidbits – Tiny Console Applications plus some Scripts
Group Policy Scripts
Client Registration Demonstration
Privileged Process Launcher
Interactive SYSTEM Process Launcher
Privilege Twiddler
Really Known SIDs Enumerator
Security Descriptor Definition Language Decoder
Security Descriptor Inspector
8.3 File and Directory Name Changer
Directory Change Notifier
Debug String Monitor
Non-interactive Symbolic Debugger
Product Key Validator
Shim Database Decoder
Registry Policy Reader
Registry INF Dumper
Offline Registry Reader
Portable Executable Version Information Reader
Portable Executable Resource Enumerator
Portable Executable Metadata Reader
UU Encoder
Base64 Encoder
MSVC Helper Library
True Lies – or What LLVM Claims, but Fails to Deliver
Unicode Homoglyphs – or .ΒΑΤ out of Hell
Unknown DLLs, API Sets and Forwarded Exports: when Compatibility means Vulnerability
Vulnerabilities Introduced by Windows Defender
Vulnerability and Exploit Detector
Windows Calendar and Windows Mail for Microsoft® Windows® 7

German Page

Kleinigkeiten (für Windows)
Note: the german HTML page is quite (out)dated and only kept to preserve history!

Embedded Sources

The (i386 and AMD64 assembly) sources of several well-known (builtin, intrinsic and regular) compiler runtime functions of GCC, LLVM’s Clang and Microsoft’s Visual C embedded within some of the HTML pages listed above are for use with either the GNU assembler, as, or the Microsoft Macro Assembler, ML.EXE respectively ML64.EXE; they are generally (up to an order of magnitude) faster and smaller than the functions provided in the runtime libraries shipped with the compilers.
as Sources
absdi2.s
absvdi2.s
addvdi3.s
ashldi3.s
ashrdi3.s
divdi3.s
divmoddi4.s
gcddi3.s
lshldi3.s
moddi3.s
muldi3.s
mulodi4.s
mulvdi3.s
negdi2.s
negvdi2.s
subvdi3.s
udivdi3.s
umoddi3.s
udivmoddi4.s
absti2.s
absvti2.s
addvti3.s
ashlti3.s
ashrti3.s
cmpti2.s
divmodti4.s
divti3.s
gcdti3.s
lshlti3.s
modti3.s
multi3.s
muloti4.s
mulvti3.s
negti2.s
negvti2.s
parityti2.s
subvti3.s
ucmpti2.s
udivmodti4.s
udivmodti4.s
ML.EXE Sources
alldiv.asm
alldvrm.asm
allmul.asm
allrem.asm
allshl.asm
allshr.asm
aulldiv.asm
aulldvrm.asm
aullrem.asm
aullshr.asm
divdi3.asm
moddi3.asm
muldi3.asm
udivdi3.asm
umoddi3.asm
udivmoddi4.asm
ML64.EXE Sources
udivmodti4.asm
udivmodti4.asm
divmodti4.asm
udivmoddi4.asm

Files

X.509 Certificates

CER (base-64) encoded
KANTHAK.CER
ROOT.CER

Makefiles and Source Files

Most of the makefiles (for Microsoft’s NMAKE.EXE) and source files (for Microsoft’s Visual C compilers) listed below are documented or referenced in the HTML pages listed above.
Note: the makefiles contain source code as inline files; some also refer to additional (binary) files which have to be downloaded separately!
Makefiles
BTI_RDCL.MAK
DETOUR.MAK
DLLDUMMY.MAK
EICAR.MAK
FUBAR.MAK
GIMMICK.MAK
INTEGER.MAK
NOMSVCRT.MAK
OFFENDER.MAK
QUIRKS.MAK
SENTINEL.MAK
SNAFU.MAK
TEMPEST.MAK
TIDBITS.MAK
WPBT.MAK
Source Files
FUBAR.C
NOMSVCRT.C
NOMSVCRT.H
SNAFU.C

Scripts

Almost all scripts listed below are documented or referenced in the HTML pages listed above.
Note: some scripts need additional files, be sure to download them all!
Batch Scripts
AUTOPLAY.CMD
CWE-428.CMD
ELEVATE.CMD
GUARDIAN.CMD
HIJACK.CMD
IOAV.CMD
MANIFEST.CMD
NETPLWIZ.CMD
OFFENDER.CMD
PRINTUI.CMD
PROGRAM.CMD
SAFER.CMD
SENTINEL.CMD
SLOPPY.CMD
SLOPPY7D.CMD
SLOPPY7X.CMD
Registry Scripts
APPDATA.REG
AUTOPLAY.REG
CALENDAR.REG
CommonAppData.reg
COMPUTER.REG
CONTACTS.REG
DESKTOP.REG
HOME.REG
IE_SAFER.REG
INTERNET.REG
LIBRARY.REG
LocalAppData.reg
MAIL.REG
MEDIA.REG
MESSENGER.REG
NEWS.REG
OE_STALE.REG
PROFILE.REG
S-1-5-20.REG
SENTINEL.REG
WUAU.REG
Scheduler Task Definition
SRP_TASK.XML
Setup Scripts
APPCERT.INF
APPINIT.INF
AUTOPLAY.INF
BOOTSECT.INF
CLIENTS.INF
DECORATE.INF
DIRID.INF
DISKMGMT.INF
EICAR.INF
GMAIL.INF
HOTMAIL.INF
LDID.INF
MALWARE.INF
MEIUDF.INF
MOTW.INF
MSDN.INF
MSICD.INF
MSKB.INF
NETTFTPD.INF
NT6_PFS.INF
NT6_SAFER.INF
NT6_SUPER.INF
NT60_PFS.INF
NTX_SAFER.INF
POWELIKS.INF
REGEDIT.INF
SCRIPTS.INF
SDDL.INF
SENTINEL.INF
SUBMENUS.INF
TECHNET.INF
TINYPDF.INF
UACAMOLE.INF
UACSEVEN.INF
UNICODE.INF
VRFKNTHK.INF
WINCAL.INF
WINMAIL.INF
XP_FIXIT.INF
XP_SAFER.INF
XP_SHELL.INF
XP_SUPER.INF
Visual Basic Scripts
APPDATA.VBS
AUTOPLAY.VBS
HOLIDAY.VBS
HOME.VBS
PROFILE.VBS
TRACKER.VBS
UNICODE.VBS
Windows Script Host Scripts
ELEVATE.WSF
HIJACK.WSF
MANIFEST.WSF
What every Windows administrator or developer should must absolutely and definitively know about DLL (pre)loading … at least:
How the NT Loader works
The NT DLL Loader: basic operation
The NT DLL loader: dynamic unloads
The NT DLL Loader: DLL callouts (DllMain) – DLL_PROCESS_ATTACH deadlocks
The NT DLL Loader: reentrancy – play along at home!
The NT DLL Loader: DLL_PROCESS_ATTACH reentrancy – step 1 – LoadLibrary()
The NT DLL Loader: DLL_PROCESS_ATTACH reentrancy – step 2 – GetProcAddress()
The NT DLL Loader: DLL_PROCESS_ATTACH reentrancy – step 3 – quality requirements
The NT DLL Loader: DLL_PROCESS_ATTACH reentrancy – step 4 – ramifications of questionable quality
The NT DLL Loader: DLL_PROCESS_ATTACH reentrancy – wrap up
The NT DLL Loader: FreeLibrary()
DLL Preloading Attacks
MS09-014: Addressing the Safari Carpet Bomb vulnerability
More information about the DLL Preloading remote attack vector
An update on the DLL-preloading remote attack vector
MS14-019 – Fixing a binary hijacking via .cmd or .bat file
Load Library Safely
Triaging a DLL planting vulnerability
Downloads Folder: A Binary Planting Minefield
Carpet Bombing and Directory Poisoning
Bypassing Application Whitelisting
Dynamic-Link Library Security
Dynamic-Link Library Search Order
Insecure Library Loading Could Allow Remote Code Execution
Secure loading of libraries to prevent DLL preloading attacks
Microsoft Security Advisory: Insecure library loading could allow remote code execution

Contact

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

Notification and Disclosure Policy

I detect bugs, weaknesses and (security) vulnerabilities in software quite often and (try to) report them to developers and vendors.

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):


Copyright © 1995–2024 • Stefan Kanthak • <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>