Fixed a bug reported by icy. It was causing crashes in executables without sections when calculating their PE size.
Qt’s GUI Thread
If you’re a Qt developer, you surely are aware of the fact that you can only display GUI elements and access them from the main thread. This limitation as far as I know is mostly bound to the limitations of X and it isn’t to exclude that multithreading support for GUIs will be added soon.
This limitation never caused me any trouble, since the signal & slots mechanism is thread-safe and communicating between threads and GUI elements can be achieved through it. However, yesterday I needed to show a messagebox in a method and, in case the code is not executing in the main thread, show a native win32 MessageBox instead of a QMessageBox (of course, only on Windows can I do that, on other platforms when I’m not in the main thread, I won’t show anything).
Anyway, here’s a simple method to establish if we’re running the GUI thread:
bool isGuiThread()
{
if (QCoreApplication::instance()->thread() == QThread::currentThread())
return true;
return false;
} As you can see this is a pointer comparision, but can we rely on the value returned by currentThread? Yes, we can since the pointer is associated with the thread itself as we can see from the code of the method:
QThread *QThread::currentThread()
{
QThreadData *data = QThreadData::current();
Q_ASSERT(data != 0);
return data->thread;
}
// thread_win.cpp
QThreadData *QThreadData::current()
{
qt_create_tls();
QThreadData *threadData = reinterpret_cast(TlsGetValue(qt_current_thread_data_tls_index));
if (!threadData) {
QThread *adopted = 0;
if (QInternal::activateCallbacks(QInternal::AdoptCurrentThread, (void **) &adopted)) {
Q_ASSERT(adopted);
threadData = QThreadData::get2(adopted);
TlsSetValue(qt_current_thread_data_tls_index, threadData);
adopted->d_func()->running = true;
adopted->d_func()->finished = false;
static_cast(adopted)->init();
} else {
threadData = new QThreadData;
// This needs to be called prior to new AdoptedThread() to
// avoid recursion.
TlsSetValue(qt_current_thread_data_tls_index, threadData);
threadData->thread = new QAdoptedThread(threadData);
threadData->deref();
}
if (!QCoreApplicationPrivate::theMainThread) {
QCoreApplicationPrivate::theMainThread = threadData->thread;
} else {
HANDLE realHandle = INVALID_HANDLE_VALUE;
#if !defined(Q_OS_WINCE) || (defined(_WIN32_WCE) && (_WIN32_WCE>=0x600))
DuplicateHandle(GetCurrentProcess(),
GetCurrentThread(),
GetCurrentProcess(),
&realHandle,
0,
FALSE,
DUPLICATE_SAME_ACCESS);
#else
realHandle = (HANDLE)GetCurrentThreadId();
#endif
qt_watch_adopted_thread(realHandle, threadData->thread);
}
}
return threadData;
} qt_create_tls just calls once for every thread TlsAlloc and if the data for the current thread hasn’t been set yet, it is set with TlsSetValue. So, we can rely on a pointer comparision.
Server Bug: Reupload
Today I received the following email from my hosting provider:
[…] Security is our highest priority and the last years we have taken dramatic measures to build the most secure hosting environment around.
Unfortunately we have however been affected by the Linux kernel vulnerability (CVE-2009-2692) for a 24 hour period. Due to our architecture this exploit did not compromise personal data and all customer records are safe.
After updating the kernel on our systems we scanned all customer accounts and found that your index was removed. Therefore we kindly ask you to check your webpage and reupload your index page if it is missing.
We sincerely apologize for this incident and will take measures to ensure to prevent such incidents in the future.
The index pages of both rcecafe and ntcore were missing in fact. For precaution I reuploaded both pages completely.
Native Blocks Pre-Alpha
Here’s a presentation of my new tool. I called it Native Blocks. It’s a re-assembler basically. Since a written presentation would take me too much time I prepared a video presentation.
Again, this is a pre-alpha. This tool will soon support other technologies such as java, actionscript and maybe even x86. Right now it only supports .NET (and even .NET support will be hugely improved, like for instance supporting the direct modification of assemblies without having to use Rebel.NET).
The development of this tool depends mainly on the interest of people.
As I can be considered a student from now on, I would like to earn some extra money by writing tools such as this one. I have still my job as consultant, but it’s a very limited partime, because I just became a student.
This tool is in my opinion pretty good, it is not only good for deobfuscation purposes but also patching and assembling on the fly.
If this tool can be sold, then the support of technologies will depend on requests. I think I’ll add Java immediately and after that maybe x86/x64. Again it depends.
Suggestions and comments are welcome.
.NET MetaData Tables Reports
I updated the scripting language of the old CFF Explorer which now provides a function to automatically create reports of .NET metadata tables. The function is called LogPrintStruct and is to be used along with the logging functions the scripting provides. Here’s a small script you can find in the “Scripts” directory of the CFF Explorer which creates a report of all .NET tables contained in an assembly:
[cc lang=”lua”]– this script generates a report of a PE’s .NET metadata tables.
filename = GetOpenFile(“Open…”, “All\n*.*\nexe\n*.exe\ndll\n*.dll\n”)
if filename == null then
return
end
hPE = OpenFile(filename)
if hPE == null then
return
end
if GetOffset(hPE, PE_DotNETDirectory) == null then
MsgBox(“The current is not a valid .NET assembly.”, “Error”, MB_ICONEXCLAMATION)
end
repname = GetSaveFile(“Save Report As..”, “Text File\n*.txt\n”)
if repname == null then
return
end
hReport = CreateLog(repname)
if hReport == null then
return
end
fieldsToLog = {
PE_MetaDataTable_Module,
PE_MetaDataTable_TypeRef,
PE_MetaDataTable_TypeDef,
PE_MetaDataTable_Field,
PE_MetaDataTable_Method,
PE_MetaDataTable_Param,
PE_MetaDataTable_InterfaceImpl,
PE_MetaDataTable_MemberRef,
PE_MetaDataTable_Constant,
PE_MetaDataTable_CustomAttribute,
PE_MetaDataTable_FieldMarshal,
PE_MetaDataTable_DeclSecurity,
PE_MetaDataTable_ClassLayout,
PE_MetaDataTable_FieldLayout,
PE_MetaDataTable_StandAloneSig,
PE_MetaDataTable_EventMap,
PE_MetaDataTable_Event,
PE_MetaDataTable_PropertyMap,
PE_MetaDataTable_Property,
PE_MetaDataTable_MethodSemantics,
PE_MetaDataTable_MethodImpl,
PE_MetaDataTable_ModuleRef,
PE_MetaDataTable_TypeSpec,
PE_MetaDataTable_ImplMap,
PE_MetaDataTable_FieldRVA,
PE_MetaDataTable_Assembly,
PE_MetaDataTable_AssemblyProcessor,
PE_MetaDataTable_AssemblyOS,
PE_MetaDataTable_AssemblyRef,
PE_MetaDataTable_AssemblyRefProcessor,
PE_MetaDataTable_AssemblyRefOS,
PE_MetaDataTable_File,
PE_MetaDataTable_ExportedType,
PE_MetaDataTable_ManifestResource,
PE_MetaDataTable_NestedClass,
PE_MetaDataTable_GenericParam,
PE_MetaDataTable_MethodSpec,
PE_MetaDataTable_GenericParamConstraint
}
fieldNames = {
“Module”,
“TypeRef”,
“TypeDef”,
“Field”,
“Method”,
“Param”,
“InterfaceImpl”,
“MemberRef”,
“Constant”,
“CustomAttribute”,
“FieldMarshal”,
“DeclSecurity”,
“ClassLayout”,
“FieldLayout”,
“StandAloneSig”,
“EventMap”,
“Event”,
“PropertyMap”,
“Property”,
“MethodSemantics”,
“MethodImpl”,
“ModuleRef”,
“TypeSpec”,
“ImplMap”,
“FieldRVA”,
“Assembly”,
“AssemblyProcessor”,
“AssemblyOS”,
“AssemblyRef”,
“AssemblyRefProcessor”,
“AssemblyRefOS”,
“File”,
“ExportedType”,
“ManifestResource”,
“NestedClass”,
“GenericParam”,
“MethodSpec”,
“GenericParamConstraint”
}
LogPrint(hReport, “.NET metadata tables report for \”” .. filename .. “\”\n\n”)
loggedTables = 0
for i = 0, #fieldsToLog – 1 do
if GetOffset(hPE, fieldsToLog[i]) != null then
if loggedTables > 0 then
LogPrint(hReport, “\n\n\n”)
end
LogPrint(hReport, fieldNames[i] .. ” Table\n”)
LogPrint(hReport, “———————————————\n\n”)
LogPrintStruct(hPE, hReport, fieldsToLog[i])
loggedTables = loggedTables + 1
end
end
— Open the report?
CloseLog(hReport)
nRet = MsgBox(“Open report file?”, “.NET Tables Report”, MB_ICONQUESTION | MB_YESNO)
if nRet == IDYES then
ExecuteAppAndWait(@”C:\Windows\System32\notepad.exe”, GetShortPathName(repname))
end[/cc]
A generated report file looks like this:
[cc lang=”asm”].NET metadata tables report for “K:\Explorer Suite\Setup\Signature Explorer.exe”
Module Table
———————————————
1.
Generation: 0
Name: 1 (Signature Explorer.exe)
Mvid: 1
EncId: 0
EncBaseId: 0
TypeRef Table
———————————————
1.
ResolutionScope: 6
Name: 18 (Control)
Namespace: 20 (System.Windows.Forms)
2.
ResolutionScope: A
Name: 35 (Enum)
Namespace: 3A (System)
3.
ResolutionScope: 6
Name: 41 (Button)
Namespace: 20 (System.Windows.Forms)
4.
ResolutionScope: 6
Name: 48 (Form)
Namespace: 20 (System.Windows.Forms)
5.
ResolutionScope: A
Name: 4D (Object)
Namespace: 3A (System)
6.
ResolutionScope: A
Name: 54 (ValueType)
Namespace: 3A (System)
etc.[/cc]
I included this new feature because many developers asked me to. Reading the generated report files is much easier than manually reading the raw .NET format. The current scripting system won’t be implemented in the newer CFF Explorer, I only inserted this new feature because it will take me much more time to release the newer CFF Explorer.
Thanks to CodeRipper for signalling a corrupted .NET assembly which caused the CFF Explorer to crash when opening it. I improved the integrity checks.