Monday, December 16, 2019

Node Package Manager (NPM) Client hacked

NPM (originally short for Node Package Manager) is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. 

Npm (Node.js Package Manager) devs say the npm command-line interface (CLI) client is impacted by a security bug -- a combination between a file traversal and an arbitrary file (over)write issue.

The bug can be exploited by attackers to plant malicious binaries or overwrite files on a user's computer. The vulnerability can be exploited only during the installation of a booby-trapped npm package via the npm CLI.

Source (Dec 11, 2019) : https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Wednesday, December 11, 2019

CSharp : Convert a GUID to a Darwin Descriptor and back

Here's how to convert/decode a GUID into Darwin Descriptor in C-Sharp

Darwin Descriptor is an encoded string and when decoded produces a combination of the ProductCode, Feature & ComponentId(s) and generally used for Windows installer, because it provides feature resilience through a mechanism called COM Advertising.

Here's an example of a Darwin Descriptor, which you may have though was a virus entry in your registry!

"w_1^VX!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5Z"

decoded yields a GUID, feature name, and a GUID.

{91120000-0030-0000-0000-0000000ff1ce}EXCELFiles{0638c49d-bb8b-4cd1-b191-052e8f325736}

"Darwin Descriptor," is actually an encoded representation of a specific product, component, and feature. 

Note: A "Compressed GUID" is a intermediate format, that rearranges the GUID and is Base85 encoded (using a restricted set) and has a length of 20 characters long and used to create Darwin Descriptors. 

Those cryptic-looking strings (that looks like malware) in your registry are actually Darwin Descriptors and can be located at the following locations; 

  • HKCR\Installer\Assemblies and HKCR\Installer\Components
  • HKCR\Installer\Win32Assemblies
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\{aSID}\Products\{compressed}\Features{targetpath}











To decode Darwin Descriptors en masse, use RegtoText tool (free demo available). 

Here's the code to convert a regular GUID into Darwin Descriptor in C-Sharp and vice-versa

 
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
using System;
//#####################################################################################################################
//https://metadataconsulting.blogspot.com/2019/12/CSharp-Convert-a-GUID-to-a-Darwin-Descriptor-and-back.html
//#####################################################################################################################
public static class Program
{
 class GUID2DD
    {
        //   Conversion of this VB code to C# by http://metadataconsulting.blogspot.com/
        //   Some portions modernized, but an interesting exercise converting from a old language unexpressive to more modern lang
        //   Source Code: https://www.symantec.com/connect/articles/working-darwin-descriptors
        //
        //   Auto VB translators 
        //   1.https://www.developerfusion.com/tools/convert/vb-to-csharp/?batchId=8e249124-06d2-4955-a238-dc2914a9cd3d - not good
        //   2.https://www.carlosag.net/tools/codetranslator/ - super fast!

        
        //  'VB Code - Copyright EdT 2012
        //  'Script converts standard GUID to Darwin Descriptor and vice versa
        //  'A standard GUID requires 38 characters and contains 5 groups of hexadecimal characters separated by dashes.
        //  'The valid format for a standard GUID is:
        //  '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
        //  'where X is a hex digit (0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F).
        // 
        //  'This program can copy the result of the conversion process to the clipboard.
        //  'To do this it uses the MS Office Word automation object, so for this to work,
        //  'a version of MSOffice must be present. Unfortunately, VBScript does not have
        //  'a native method for copying variables to the clipboard.
      
        public string GetConvertedGUID(string strProductCode) {
            
            string Block1;
            string Block2;
            string Block3;
            string Block4;
            string strMungedCode = string.Empty; 
            long Dec1;
            long Dec2;
            long Dec3;
            long Dec4;
            string strPart1; 
            string strPart2; 
            string strPart3; 
            string strPart4; 
            
            const int intArraySize = 32;
            int[] arrSequence = new int[]{2, 3, 4, 5, 6, 7, 8, 9, 16, 17, 18, 19, 11, 12, 13, 14, 28, 29, 26, 27, 23, 24, 21, 22, 36, 37, 34, 35, 32, 33, 30, 31};
            
           // Generate the RegProduct Code
            for (int intIndex = 0; intIndex <= (intArraySize - 1); intIndex++) 
            {
                strMungedCode = (strMungedCode + strProductCode.Substring((arrSequence[intIndex] - 1), 1));
            }
        
            Block1 = strMungedCode.Substring(0, 8);
            Block2 = strMungedCode.Substring(8, 8);
            Block3 = strMungedCode.Substring(16, 8);
            Block4 = strMungedCode.Substring(24, 8);
            Dec1 = HextoDec(Block1);
            strPart1 = DecToBase85(Dec1);
            Dec2 = HextoDec(Block2);
            strPart2 = DecToBase85(Dec2);
            Dec3 = HextoDec(Block3);
            strPart3 = DecToBase85(Dec3);
            Dec4 = HextoDec(Block4);
            strPart4 = DecToBase85(Dec4);

            return (strPart1.ReverseString()
                        + (strPart2
                        + (strPart3 + strPart4.ReverseString())));
        }

        public long HextoDec(string strHex)
        {
 
            //string strDigit;
            //int intDigit;
            //int intValue;
            
            long lngResult = 0;

            ////for (int intIndex = strHex.Length; (intIndex <= 1); intIndex = (intIndex + -1)) 
            //for (int intIndex = strHex.Length; intIndex >= 1; intIndex--)
            //{
               
            //    strDigit = strHex.Substring((intIndex - 1), 1);
                
            //    intDigit = (("0123456789ABCDEF".IndexOf(strDigit.ToUpper()) + 1) - 1);
                
            //    if ((intDigit >= 0)) {
                    
            //        //intValue = (intDigit * (16 | (strHex.Length - intIndex)));
            //        // TODO: Warning!!! The operator should be an XOR ^ instead of an OR, but not available in CodeDOM

            //        //Mon 09-Dec-19 6:54pm metadataconsulting.ca - XOR used
            //        intValue = (intDigit * (16 ^ (strHex.Length - intIndex)));
                    
            //        lngResult = (lngResult + intValue);
            //    }
            //    else {
                    
            //        lngResult = 0;
            //        intIndex = 0;
            //        //stop the loop
            //    }
            
            //}

            lngResult = Convert.ToInt64(strHex, 16); 
            return lngResult;
    
        }
        private string DecitoHex(int ddec)
        {
            //// Must return eight hex bytes
            //decimal hex1;
            //string hex2 = ""; 
            //int hexlen;

            //while ((strDec > 15)) {

            //    hex1 = (( (strDec / 16) - (int)(strDec / 16) ) * 16);

            //    hex2 = ("0123456789ABCDEF".Substring(hex1.ToString(), 1) + hex2);
            //    strDec = int((strDec / 16));

            //    hex2 = ("0123456789ABCDEF".Substring(strDec, 1) + hex2);
            //    hexlen = hex2.Length;
            //    DecToHex = (string((8 - hexlen), "0") + hex2);
            //}

            return ddec.ToString("X8");
        }

    
        public string DecToBase85(long strDecimal) {
     
            // Multiples of 85 = 85, 7225, 614125, 52200625
            
            int strDec = (int)strDecimal;

            string Base85 = "!$%&\'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{}~";
            
            int num;
            string quint1;
            string quint2;
            string quint3;
            string quint4;
            string quint5;
            //int Offset;
            
            quint1 = "!";
            quint2 = "!";
            quint3 = "!";
            quint4 = "!";
            quint5 = "!";

            if ((strDecimal < 85))
            {
                //quint1 = Base85.Substring(strDec, 1);
                long mod = strDecimal % 85;
                num = (int)mod;
                quint1 = Base85.Substring(num, 1);
            }

            if (strDecimal > 84 && strDecimal < 7225)
            {
                //    Offset = strDec;
                //    strDec = (int)((strDec / 85));
                //    num = (((Offset / 85) 
                //                - strDec) 
                //                * 85);
                //    quint1 = Base85.Substring(num, 1);
                //    quint2 = Base85.Substring(strDec, 1);

                num = (int)(strDecimal / 85) % 85;
                quint1 = Base85.Substring(num, 1);

                long mod = strDecimal % 85;
                num = (int)mod;
                quint2 = Base85.Substring(num, 1);
                
            }

            if (((strDecimal > 7224) && (strDecimal < 614125)))
            {
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                //quint1 = Base85.Substring(num, 1);
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                //quint2 = Base85.Substring(num, 1);
                //quint3 = Base85.Substring(strDec, 1);

                num = (int)(strDecimal / 7225) % 85;
                quint1 = Base85.Substring(num, 1);

                num = (int)(strDecimal / 85) % 85;
                quint2 = Base85.Substring(num, 1);

                long mod = strDecimal % 85;
                num = (int)mod;
                quint3 = Base85.Substring(num, 1);

            }

            if (((strDecimal > 614124) && (strDecimal < 52200625)))
            {
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                //quint1 = Base85.Substring(num, 1);

                num = (int)(strDecimal / 614125) % 85;
                quint1 = Base85.Substring(num, 1);
                
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                //quint2 = Base85.Substring(num, 1);

                num = (int)(strDecimal / 7225) % 85;
                quint2 = Base85.Substring(num, 1);
              
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                //quint3 = Base85.Substring(num, 1);
                //quint4 = Base85.Substring(strDec, 1);

                num = (int)(strDecimal / 85) % 85;
                quint3 = Base85.Substring(num, 1);

                long mod = strDecimal % 85;
                num = (int)mod;
                quint4 = Base85.Substring(num, 1);
            }

            if ((strDecimal > 52200624))
            {
                
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                                
                num = (int)(strDecimal/52200625) % 85; 
                quint1 = Base85.Substring(num, 1);

                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);

                num = (int)(strDecimal / 614125) % 85; 
                quint2 = Base85.Substring(num, 1);
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);

                num = (int)(strDecimal / 7225) % 85;
                quint3 = Base85.Substring(num, 1);
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                num = (int)(strDecimal / 85) % 85;
                quint4 = Base85.Substring(num, 1);

                long mod = strDecimal % 85;
                num = (int)mod; 
                quint5 = Base85.Substring(num, 1);
            }
        
            return (quint1 
                        + (quint2 
                        + (quint3 
                        + (quint4 + quint5))));
            
        }



        
        //Function DDtoHex(darwin) renamed from VB
        public string DDtoGUID(string darwin) {
            string quad1;
            string quad2;
            string quad3;
            string quad4;
            string mungedStr;
            quad1 = darwin.Substring(0, 5);
            quad1 = QuadtoHex(quad1);
            quad2 = darwin.Substring(5, 5);
            quad2 = QuadtoHex(quad2);
            quad3 = darwin.Substring(10, 5);
            quad3 = QuadtoHex(quad3);
            quad4 = darwin.Substring(15, 5);
            quad4 = QuadtoHex(quad4);
            mungedStr = (quad1 
                        + (quad2 
                        + (quad3 + quad4)));
            return ReconstructProductCode(mungedStr);
        }
    
        public string QuadtoHex(string quad) {
            
            char chr;
            string Base85;
            int b85;
            int ddec;
            Base85 = "!$%&\'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{}~";
            ddec = 0;
            for (int i = 5; i >= 1; i--)
            {
                //chr = (char)quad.Substring((i - 1), 1);
                chr = quad[(i-1)];  
                b85 = ((Base85.IndexOf(chr) + 1) - 1);
                ddec = (ddec + b85);
                if ((i > 1)) {
                    ddec = (ddec * 85);
                }
            
            }

            return DecitoHex(ddec);
        }


    
        public string ReconstructProductCode(string munged) {
            
            string strProductCode;
            const int intArraySize = 32;
            strProductCode = "{";
            
            int[] arrSequence = new int[]{1, 2, 3, 4, 5, 6, 7, 8, 13, 14, 15, 16, 9, 10, 11, 12, 23, 24, 21, 22, 19, 20, 17, 18, 31, 32, 29, 30, 27, 28, 25, 26};
            // // Generate the Product Code
            for (int intIndex = 0; (intIndex 
                        <= (intArraySize - 1)); intIndex++) {
                strProductCode = (strProductCode + munged.Substring((arrSequence[intIndex] - 1), 1));
                if (((intIndex == 7) 
                            || ((intIndex == 11) 
                            || ((intIndex == 15) 
                            || (intIndex == 19))))) {
                    strProductCode = (strProductCode + "-");
                }
            
            }
        
            return (strProductCode + "}");
        }
    }
 
 public static string ReverseString(this string s)
 {
  if (string.IsNullOrEmpty(s))
   return s; 

  char[] array = new char[s.Length];
  int forward = 0;
  for (int i = s.Length - 1; i >= 0; i--)
  {
   array[forward++] = s[i];
  }
  return new string(array);
 }

 
 public static void Main()
 {
   GUID2DD conv = new GUID2DD();

  string code = "w_1^VX!!!!!!!!!MKKSk"; 
  //string code = "{91120000-0030-0000-0000-0000000ff1ce}"; //expect from above
  string result = string.Empty;

  // check if this is a GUID
  if ((code.Length == 38))
  {

   if ((code.Substring(0, 1) == "{"))
    result = conv.GetConvertedGUID(code);

  }
  else if ((code.Length == 20))
  {

   result = conv.DDtoGUID(code);
  }
  else
  {

   result = "Format of string submitted does not match that of a regular GUID or a Darwin Descriptor. Entries must" +
    " be of the form {xxxxxxxx-xxxx-xxxx-xxxx-Xxxxxxxxxxxx} or xxxxxxxxxxxxxxxxxxxx (len=20)";
  }

  Console.WriteLine(code+"  => " + result);

 }
}

Saturday, November 16, 2019

Super Fast Base64 Encode Decode Tool/Editor for Windows

Free Hex Editor

Free Hex Editor is a tool that can open any file in their raw format, examining the bytes (hexadecimal values) that make up the file. The tool is written in C++ make it super fast to open large files. 

You can edit inspect system files, disks, disk images, memory, and log files; patch errors, and examine disk structures. Be cautious with this tool! Changes are irreversible. 


With new Version 1.7.3.+ supports Base64 encoding and decoding - Get it here.  

Need lightning fast Base64 encoding and decoding feature with MIME image support in an actual downloadable Windows executable?  

With this tool you can Base64 encode and decode any file. However, Image files with extensions (.BMP, .GIF, .ICO, .JPEG, .JPG, .PNG, .SVG., .TIF, .TIFF, .WEBP) will included the proper Multi-Purpose Internet Mail Extension (MIME) type for those supported images. So supported  images will be Base64 encoded with following prefix in the file export.

Take for example a Base64 encoded .PNG will look like; 


data:image/png;base64, iVBORw0KGgoAAAA ...

Other of image types examples are image/jpeg, image/png, and image/svg+xml.


For the uninitiated, MIME is type of Internet standard originally developed to allow the exchange of different types of data files through e-mail messages, and used to set "Content-Type:" as well.  Some refer to this as a 'media type' or MIME type is a standard that indicates the nature and format of a document, file, or assortment of bytes. It is defined and standardized in IETF's RFC 6838.






























The above will export a 10-tooth-black-gear.b64. Opening the file in Frhed you get MIME type with base64 encoded file.












Importing the MIME encoded file, Frhed will convert the file into proper image extension







Thursday, November 14, 2019

77% of sites use at least one vulnerable jQuery library

A Snyk study reports that 77% of sites use at least one vulnerable JavaScript library and pointed out jQuery was detected in 79% of the top 5,000 URLs from Alexa.

The most popular open source JavaScript frameworks, Angular and React, and three other frontend JavaScript ecosystem projects - Vue.js, Bootstrap and jQuery all suffer from highly severity XSS vulnerabilities. 


Below is slide 36 of the Snyk  "The state of JavaScript frameworks security report 2019". report  listing jQuery libraries vulnerability severty status.



Source

Tuesday, November 12, 2019

CSharp : Convert a GUID to a Compressed Packed GUID


Here's how to compress and decompress Packed GUIDs or some people refer to them as Compressed GUIDs in C-Sharp


Input GUID         {12345678-ABCD-EFAB-1234-ABCDEFABCDEF}
Packed GUID is 87654321DCBABAFE2143BADCFEBADCFE

A Packed GUID format is loosely defined  as having a length of 32 characters, where the GUID is rearranged and the braces '{' and dashes '-' are removed.


Note: A "Compressed GUID" is a intermediate format, that rearranges the GUID and is Base85 encoded (using a restricted set) and has a length of 21 characters long and used to create Darwin Descriptors.  
A Darwin Descriptor is an encoded string and when decoded produces a combination of the ProductCode, Feature & ComponentId(s) and generally used for Windows installer, because it provides feature resilience through a mechanism called COM Advertising
Here's an example of a Darwin Descriptor, which you may have though was a virus entry in your registry!
"w_1^VX!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5Z" 
decoded yields a GUID, feature name, and a GUID.
{91120000-0030-0000-0000-0000000ff1ce}EXCELFiles{0638c49d-bb8b-4cd1-b191-052e8f325736}


To decode Darwin Descriptors that are in the registry, use RegtoText tool to decode all values en masse (free demo available). 


In example code below, I use "compressed GUID" to describe Packed GUID. 


using System;
using System.Collections.Generic; 

//
public class Program
{
 public static bool IsHex(IEnumerable<char> chars)
 {
  bool isHex; 
  foreach(var c in chars)
  {
   isHex = ((c >= '0' && c <= '9') || 
      (c >= 'a' && c <= 'f') || 
      (c >= 'A' && c <= 'F'));

   if(!isHex)
    return false;
  }
  return true;
    }
 public static void Main()
 {
     //Source - http://www.hanselman.com/blog/BATCHFILEVOODOODetermineIfMultipleAndWhichVersionsOfAnMSIinstalledProductAreInstalledUsingUpgradeCode.aspx
     //like to but to bulky - https://docs.microsoft.com/en-us/dotnet/standard/base-types/how-to-define-and-use-custom-numeric-format-providers
     //https://installpac.wordpress.com/2008/03/31/packed-guids-darwin-descriptors-and-windows-installer-reference-counting/
   
        //PROTO    
     //{12345678-ABCD-WXYZ-1234-ABCDEFGHIJKL}
     //should be-> 87654321DCBAZYXW2134BADCFEHGJILK
     //string inStrGUID = "{12345678-ABCD-WXYZ-1234-ABCDEFGHIJKL}"; //cannot use this contrived GUID has hex values above > (A-F) 
     
     string inStrGUID = "{12345678-ABCD-EFAB-1234-ABCDEFABCDEF}"; 
     string expectedCompressedGUID = "87654321DCBABAFE2143BADCFEBADCFE";
     //https://docs.microsoft.com/en-us/dotnet/api/system.guid.parse?view=netframework-4.7.2 - N has no dashes
     string outputFormat = "N"; //outputFormat can be N, D, B, P - N has no dashes
     string outCompressedGuid = ""; 
     string outDecompressedGuid = ""; 
     
     Guid inGuid = new Guid();
     Guid outGuid = new Guid(); 
     Guid outDCGuid = new Guid(); 
  
     bool isValidGuid = Guid.TryParse(inStrGUID, out inGuid); 
  
     Console.WriteLine("Input GUID " + inStrGUID+ " is valid? "+isValidGuid); 
        
     if (isValidGuid) {
      
      string raw = inGuid.ToString("N"); //N for no dashes
      char[] aRaw = raw.ToCharArray();
      //compressed format reverses 11 byte sequences of the original guid
      int[] revs
       = new int[]{8, 4, 4, 2, 2, 2, 2, 2, 2, 2, 2};
      int pos = 0;
      for (int i = 0; i < revs.Length; i++)
      {
       Array.Reverse(aRaw, pos, revs[i]);
       pos += revs[i];
      }
      string newstrGuid = new string(aRaw);
      
      bool isoutValidGuid = Guid.TryParse(newstrGuid, out outGuid); 
      
      if ( isoutValidGuid ) {
       
      //GUID in registry are all caps.
      outCompressedGuid = outGuid.ToString(outputFormat).ToUpper(); 
      
       Console.WriteLine("out  CGUID "+   outGuid.ToString("B").ToUpper()+" before full compression (removal of dashes) here for readability"); //for readability
      
       Console.WriteLine("\nCompressed guid is "+ outCompressedGuid );
         
       
       if (outCompressedGuid == expectedCompressedGUID) 
        Console.WriteLine("Matched expectations."); 
      else
       Console.WriteLine("Did not met expectations.");   
       
       
      } else
       Console.WriteLine("Failed to compress GUID."); 
     }
     
     Console.WriteLine("\nInput Compressed GUID " + outCompressedGuid); 
  
   
   char[] chrArrCGUID = outCompressedGuid.ToCharArray();
     
     //Here's a typical GUID Compressed in a Registry Key       
     //what if ? S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxx - split on new char[] {' ','-'} check any that are length 32 
  
     //Expand/Decompress/Decrypt Compressed GUID
     if (outCompressedGuid.Length == 32 && Program.IsHex(chrArrCGUID)==true){ //validate potential Compressed GUID
         
      int[] reversalidxs= new int[]{8, 4, 4, 2, 2, 2, 2, 2, 2, 2, 2};
       
      int pos = 0;
      for (int i = 0; i < reversalidxs.Length; i++)
      {
       Array.Reverse(chrArrCGUID, pos, reversalidxs[i]);
       pos += reversalidxs[i];
      }
      string newstrGuid = new string(chrArrCGUID);
      
      bool isoutValidDCGuid = Guid.TryParse(newstrGuid, out outDCGuid );
      
      if ( isoutValidDCGuid ) {
       
       //GUID in registry are all caps.
       outDecompressedGuid = outDCGuid.ToString("B").ToUpper(); 

       //Console.WriteLine("\nInput Compressed GUID "+   outDCGuid.ToString("B").ToUpper()+" this line for comparison only"); //for readability
       Console.WriteLine("Output Decomprsd GUID "+   outDCGuid.ToString("N").ToUpper()+" this line for comparison only"); //for readability

       Console.WriteLine("\nDecompressed compressed guid is "+ outDecompressedGuid );
     }
     
     }
     else 
     Console.WriteLine("Failed to decompressed CGUID.");  
  
 }
 
}

Sunday, November 10, 2019

Why are malware viruses so widespread?

This is the perennial question, that will not die. Here's one major reason why.

Microsoft security engineer Matt Miller from Microsoft Security Response Center
 gave a recent presentation at a security conference tracking malware attacks across Microsoft software for the last 12 years. In slide 10 of the presentation, he states around 70 percent of all Microsoft patches were fixes for memory safety bugs

The reason for this high percentage is because Windows operating system has been written mostly in C and C++. These "memory-unsafe" programming languages that allow developers fine-grained control of the memory addresses where their code can be executed, but also can leave gaping holes. 

Like Windows, Apple Macintosh operating system and Iphone OS (which is a variant of Unix, a Linux predecessor) and Linux variants are all written in "memory-unsafe" C or C++, primarily for speed. Kernels have been traditionally written in C. C's philosophy was to trust the programmer.

It would require a tremendous effort to re-write, the OS into a memory safe language.

Specifically, as of 26 September 2018, using then-current 20,088,609 LOC (lines of code) for the Linux kernel version 4.14.14  and the current US National average programmer salary of $75,506 show it would cost approximately $14 Billion dollars to rewrite the existing GPL-2.0 code that existing contributors still have claimed to if they decided to rescind the grant of license to the kernel source.  Source: https://en.wikipedia.org/wiki/Linux_kernel

What is a Memory-unsafe bug?

Memory-unsafe bugs happen when software, accidentally or intentionally, accesses system memory in a way that exceeds its allocated size and memory addresses, accessing other parts of the system to gain elevated privileges or impregnate custom malware code into that adjacent memory space.

Memory-unsafe bugs have similar terms such as buffer overflow, race condition, page fault, null pointer, stack exhaustion, heap exhaustion/corruption, use after free, or double free --all describe memory safety vulnerabilities. 










































There is a tension for whom the responsibility resides with, the language/compiler or the operating system. 

The C philosophy is always trust the programmer. And also not checking bounds allows a C program to run faster. The problem is that C/C++ doesn't actually do any boundary checking with regards to arrays. It depends on the OS to ensure that you are accessing valid memory.

There is only one solution and that is to re-write the entire Windows Operating system in a memory-safe language like Rust. That is starting to be addressed

Here's a brief review of one unsafe memory bug, stack overflow.




































Source Slides : https://github.com/Microsoft/MSRC-Security-Research/blob/master/presentations/2019_02_BlueHatIL/2019_01%20-%20BlueHatIL%20-%20Trends%2C%20challenge%2C%20and%20shifts%20in%20software%20vulnerability%20mitigation.pdf

Stack Overflow Attack Source Slides
https://www.slideshare.net/gumption/buffer-overflow-attacks-7024353


Friday, November 8, 2019

Around 70 percent of all Microsoft patches were fixes for memory safety bugs over the last 12 years

Why are malware viruses so wide spread?

This is the perennial question, that will not die. Here's one major reason why.

Microsoft security engineer Matt Miller from Microsoft Security Response Center
 gave a presentation at security conference stated it very succinctly in his slides, that over the last 12 years, around 70 percent of all Microsoft patches were fixes for memory safety bugs (see slide 10). 

The reason for this high percentage is because Windows has been written mostly in C and C++, two "memory-unsafe" programming languages that allow developers fine-grained control of the memory addresses where their code can be executed. 

Memory-unsafe bugs happen when software, accidentally or intentionally, accesses system memory in a way that exceeds its allocated size and memory addresses, accessing other parts of the system to gain elevated privileges or impregnate custom malware code into that adjacent memory space.


Memory-unsafe bugs have similar terms such as buffer overflow, race condition, page fault, null pointer, stack exhaustion, heap exhaustion/corruption, use after free, or double free --all describe memory safety vulnerabilities. 











































There is a tension for whom the responsibility resides with, the language/compiler or the operating system. 

The C philosophy is always trust the programmer. And also not checking bounds allows a C program to run faster. The problem is that C/C++ doesn't actually do any boundary checking with regards to arrays. It depends on the OS to ensure that you are accessing valid memory.

There is only one solution and that is to re-write the entire Windows Operating system in a memory-safe language like Rust. That is starting to be addressed

Here's a brief review of one unsafe memory bug,  image courtesy of stack overflow.




































Source Slides : https://github.com/Microsoft/MSRC-Security-Research/blob/master/presentations/2019_02_BlueHatIL/2019_01%20-%20BlueHatIL%20-%20Trends%2C%20challenge%2C%20and%20shifts%20in%20software%20vulnerability%20mitigation.pdf

Stack Overflow Attack Source Slides
https://www.slideshare.net/gumption/buffer-overflow-attacks-7024353