Monday, December 16, 2019

Node Package Manager (NPM) Client hacked

NPM (originally short for Node Package Manager) is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. 

Npm (Node.js Package Manager) devs say the npm command-line interface (CLI) client is impacted by a security bug -- a combination between a file traversal and an arbitrary file (over)write issue.

The bug can be exploited by attackers to plant malicious binaries or overwrite files on a user's computer. The vulnerability can be exploited only during the installation of a booby-trapped npm package via the npm CLI.

Source (Dec 11, 2019) : https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Wednesday, December 11, 2019

CSharp : Convert a GUID to a Darwin Descriptor and back

Here's how to convert/decode a GUID into Darwin Descriptor in C-Sharp

Darwin Descriptor is an encoded string and when decoded produces a combination of the ProductCode, Feature & ComponentId(s) and generally used for Windows installer, because it provides feature resilience through a mechanism called COM Advertising.

Here's an example of a Darwin Descriptor, which you may have though was a virus entry in your registry!

"w_1^VX!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5Z"

decoded yields a GUID, feature name, and a GUID.

{91120000-0030-0000-0000-0000000ff1ce}EXCELFiles{0638c49d-bb8b-4cd1-b191-052e8f325736}


Note: A "Compressed GUID" is a intermediate format, that rearranges the GUID and is Base85 encoded (using a restricted set) and has a length of 20 characters long and used to create Darwin Descriptors. 

Those cryptic-looking strings (that looks like malware) in your registry are actually Darwin Descriptors and can be located at the following locations; 

  • HKCR\Installer\Assemblies and HKCR\Installer\Components
  • HKCR\Installer\Win32Assemblies
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\{aSID}\Products\{compressed}\Features{targetpath}











To decode Darwin Descriptors en masse, use RegtoText tool (free demo available). 

Here's the code to convert a regular GUID into Darwin Descriptor in C-Sharp and vice-versa

 
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
using System;
//#####################################################################################################################
//https://metadataconsulting.blogspot.com/2019/12/CSharp-Convert-a-GUID-to-a-Darwin-Descriptor-and-back.html
//#####################################################################################################################
public static class Program
{
 class GUID2DD
    {
        //   Conversion of this VB code to C# by http://metadataconsulting.blogspot.com/
        //   Some portions modernized, but an interesting exercise converting from a old language unexpressive to more modern lang
        //   Source Code: https://www.symantec.com/connect/articles/working-darwin-descriptors
        //
        //   Auto VB translators 
        //   1.https://www.developerfusion.com/tools/convert/vb-to-csharp/?batchId=8e249124-06d2-4955-a238-dc2914a9cd3d - not good
        //   2.https://www.carlosag.net/tools/codetranslator/ - super fast!

        
        //  'VB Code - Copyright EdT 2012
        //  'Script converts standard GUID to Darwin Descriptor and vice versa
        //  'A standard GUID requires 38 characters and contains 5 groups of hexadecimal characters separated by dashes.
        //  'The valid format for a standard GUID is:
        //  '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
        //  'where X is a hex digit (0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F).
        // 
        //  'This program can copy the result of the conversion process to the clipboard.
        //  'To do this it uses the MS Office Word automation object, so for this to work,
        //  'a version of MSOffice must be present. Unfortunately, VBScript does not have
        //  'a native method for copying variables to the clipboard.
      
        public string GetConvertedGUID(string strProductCode) {
            
            string Block1;
            string Block2;
            string Block3;
            string Block4;
            string strMungedCode = string.Empty; 
            long Dec1;
            long Dec2;
            long Dec3;
            long Dec4;
            string strPart1; 
            string strPart2; 
            string strPart3; 
            string strPart4; 
            
            const int intArraySize = 32;
            int[] arrSequence = new int[]{2, 3, 4, 5, 6, 7, 8, 9, 16, 17, 18, 19, 11, 12, 13, 14, 28, 29, 26, 27, 23, 24, 21, 22, 36, 37, 34, 35, 32, 33, 30, 31};
            
           // Generate the RegProduct Code
            for (int intIndex = 0; intIndex <= (intArraySize - 1); intIndex++) 
            {
                strMungedCode = (strMungedCode + strProductCode.Substring((arrSequence[intIndex] - 1), 1));
            }
        
            Block1 = strMungedCode.Substring(0, 8);
            Block2 = strMungedCode.Substring(8, 8);
            Block3 = strMungedCode.Substring(16, 8);
            Block4 = strMungedCode.Substring(24, 8);
            Dec1 = HextoDec(Block1);
            strPart1 = DecToBase85(Dec1);
            Dec2 = HextoDec(Block2);
            strPart2 = DecToBase85(Dec2);
            Dec3 = HextoDec(Block3);
            strPart3 = DecToBase85(Dec3);
            Dec4 = HextoDec(Block4);
            strPart4 = DecToBase85(Dec4);

            return (strPart1.ReverseString()
                        + (strPart2
                        + (strPart3 + strPart4.ReverseString())));
        }

        public long HextoDec(string strHex)
        {
 
            //string strDigit;
            //int intDigit;
            //int intValue;
            
            long lngResult = 0;

            ////for (int intIndex = strHex.Length; (intIndex <= 1); intIndex = (intIndex + -1)) 
            //for (int intIndex = strHex.Length; intIndex >= 1; intIndex--)
            //{
               
            //    strDigit = strHex.Substring((intIndex - 1), 1);
                
            //    intDigit = (("0123456789ABCDEF".IndexOf(strDigit.ToUpper()) + 1) - 1);
                
            //    if ((intDigit >= 0)) {
                    
            //        //intValue = (intDigit * (16 | (strHex.Length - intIndex)));
            //        // TODO: Warning!!! The operator should be an XOR ^ instead of an OR, but not available in CodeDOM

            //        //Mon 09-Dec-19 6:54pm metadataconsulting.ca - XOR used
            //        intValue = (intDigit * (16 ^ (strHex.Length - intIndex)));
                    
            //        lngResult = (lngResult + intValue);
            //    }
            //    else {
                    
            //        lngResult = 0;
            //        intIndex = 0;
            //        //stop the loop
            //    }
            
            //}

            lngResult = Convert.ToInt64(strHex, 16); 
            return lngResult;
    
        }
        private string DecitoHex(int ddec)
        {
            //// Must return eight hex bytes
            //decimal hex1;
            //string hex2 = ""; 
            //int hexlen;

            //while ((strDec > 15)) {

            //    hex1 = (( (strDec / 16) - (int)(strDec / 16) ) * 16);

            //    hex2 = ("0123456789ABCDEF".Substring(hex1.ToString(), 1) + hex2);
            //    strDec = int((strDec / 16));

            //    hex2 = ("0123456789ABCDEF".Substring(strDec, 1) + hex2);
            //    hexlen = hex2.Length;
            //    DecToHex = (string((8 - hexlen), "0") + hex2);
            //}

            return ddec.ToString("X8");
        }

    
        public string DecToBase85(long strDecimal) {
     
            // Multiples of 85 = 85, 7225, 614125, 52200625
            
            int strDec = (int)strDecimal;

            string Base85 = "!$%&\'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{}~";
            
            int num;
            string quint1;
            string quint2;
            string quint3;
            string quint4;
            string quint5;
            //int Offset;
            
            quint1 = "!";
            quint2 = "!";
            quint3 = "!";
            quint4 = "!";
            quint5 = "!";

            if ((strDecimal < 85))
            {
                //quint1 = Base85.Substring(strDec, 1);
                long mod = strDecimal % 85;
                num = (int)mod;
                quint1 = Base85.Substring(num, 1);
            }

            if (strDecimal > 84 && strDecimal < 7225)
            {
                //    Offset = strDec;
                //    strDec = (int)((strDec / 85));
                //    num = (((Offset / 85) 
                //                - strDec) 
                //                * 85);
                //    quint1 = Base85.Substring(num, 1);
                //    quint2 = Base85.Substring(strDec, 1);

                num = (int)(strDecimal / 85) % 85;
                quint1 = Base85.Substring(num, 1);

                long mod = strDecimal % 85;
                num = (int)mod;
                quint2 = Base85.Substring(num, 1);
                
            }

            if (((strDecimal > 7224) && (strDecimal < 614125)))
            {
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                //quint1 = Base85.Substring(num, 1);
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                //quint2 = Base85.Substring(num, 1);
                //quint3 = Base85.Substring(strDec, 1);

                num = (int)(strDecimal / 7225) % 85;
                quint1 = Base85.Substring(num, 1);

                num = (int)(strDecimal / 85) % 85;
                quint2 = Base85.Substring(num, 1);

                long mod = strDecimal % 85;
                num = (int)mod;
                quint3 = Base85.Substring(num, 1);

            }

            if (((strDecimal > 614124) && (strDecimal < 52200625)))
            {
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                //quint1 = Base85.Substring(num, 1);

                num = (int)(strDecimal / 614125) % 85;
                quint1 = Base85.Substring(num, 1);
                
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                //quint2 = Base85.Substring(num, 1);

                num = (int)(strDecimal / 7225) % 85;
                quint2 = Base85.Substring(num, 1);
              
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                //quint3 = Base85.Substring(num, 1);
                //quint4 = Base85.Substring(strDec, 1);

                num = (int)(strDecimal / 85) % 85;
                quint3 = Base85.Substring(num, 1);

                long mod = strDecimal % 85;
                num = (int)mod;
                quint4 = Base85.Substring(num, 1);
            }

            if ((strDecimal > 52200624))
            {
                
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                                
                num = (int)(strDecimal/52200625) % 85; 
                quint1 = Base85.Substring(num, 1);

                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);

                num = (int)(strDecimal / 614125) % 85; 
                quint2 = Base85.Substring(num, 1);
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);

                num = (int)(strDecimal / 7225) % 85;
                quint3 = Base85.Substring(num, 1);
                //Offset = strDec;
                //strDec = (int)((strDec / 85));
                //num = (((Offset / 85) 
                //            - strDec) 
                //            * 85);
                num = (int)(strDecimal / 85) % 85;
                quint4 = Base85.Substring(num, 1);

                long mod = strDecimal % 85;
                num = (int)mod; 
                quint5 = Base85.Substring(num, 1);
            }
        
            return (quint1 
                        + (quint2 
                        + (quint3 
                        + (quint4 + quint5))));
            
        }



        
        //Function DDtoHex(darwin) renamed from VB
        public string DDtoGUID(string darwin) {
            string quad1;
            string quad2;
            string quad3;
            string quad4;
            string mungedStr;
            quad1 = darwin.Substring(0, 5);
            quad1 = QuadtoHex(quad1);
            quad2 = darwin.Substring(5, 5);
            quad2 = QuadtoHex(quad2);
            quad3 = darwin.Substring(10, 5);
            quad3 = QuadtoHex(quad3);
            quad4 = darwin.Substring(15, 5);
            quad4 = QuadtoHex(quad4);
            mungedStr = (quad1 
                        + (quad2 
                        + (quad3 + quad4)));
            return ReconstructProductCode(mungedStr);
        }
    
        public string QuadtoHex(string quad) {
            
            char chr;
            string Base85;
            int b85;
            int ddec;
            Base85 = "!$%&\'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{}~";
            ddec = 0;
            for (int i = 5; i >= 1; i--)
            {
                //chr = (char)quad.Substring((i - 1), 1);
                chr = quad[(i-1)];  
                b85 = ((Base85.IndexOf(chr) + 1) - 1);
                ddec = (ddec + b85);
                if ((i > 1)) {
                    ddec = (ddec * 85);
                }
            
            }

            return DecitoHex(ddec);
        }


    
        public string ReconstructProductCode(string munged) {
            
            string strProductCode;
            const int intArraySize = 32;
            strProductCode = "{";
            
            int[] arrSequence = new int[]{1, 2, 3, 4, 5, 6, 7, 8, 13, 14, 15, 16, 9, 10, 11, 12, 23, 24, 21, 22, 19, 20, 17, 18, 31, 32, 29, 30, 27, 28, 25, 26};
            // // Generate the Product Code
            for (int intIndex = 0; (intIndex 
                        <= (intArraySize - 1)); intIndex++) {
                strProductCode = (strProductCode + munged.Substring((arrSequence[intIndex] - 1), 1));
                if (((intIndex == 7) 
                            || ((intIndex == 11) 
                            || ((intIndex == 15) 
                            || (intIndex == 19))))) {
                    strProductCode = (strProductCode + "-");
                }
            
            }
        
            return (strProductCode + "}");
        }
    }
 
 public static string ReverseString(this string s)
 {
  if (string.IsNullOrEmpty(s))
   return s; 

  char[] array = new char[s.Length];
  int forward = 0;
  for (int i = s.Length - 1; i >= 0; i--)
  {
   array[forward++] = s[i];
  }
  return new string(array);
 }

 
 public static void Main()
 {
   GUID2DD conv = new GUID2DD();

  string code = "w_1^VX!!!!!!!!!MKKSk"; 
  //string code = "{91120000-0030-0000-0000-0000000ff1ce}"; //expect from above
  string result = string.Empty;

  // check if this is a GUID
  if ((code.Length == 38))
  {

   if ((code.Substring(0, 1) == "{"))
    result = conv.GetConvertedGUID(code);

  }
  else if ((code.Length == 20))
  {

   result = conv.DDtoGUID(code);
  }
  else
  {

   result = "Format of string submitted does not match that of a regular GUID or a Darwin Descriptor. Entries must" +
    " be of the form {xxxxxxxx-xxxx-xxxx-xxxx-Xxxxxxxxxxxx} or xxxxxxxxxxxxxxxxxxxx (len=20)";
  }

  Console.WriteLine(code+"  => " + result);

 }
}

Saturday, November 16, 2019

Super Fast Base64 Encode Decode Tool/Editor for Windows

Free Hex Editor

Free Hex Editor is a tool that can open any file in their raw format, examining the bytes (hexadecimal values) that make up the file. The tool is written in C++ make it super fast to open large files. 

You can edit inspect system files, disks, disk images, memory, and log files; patch errors, and examine disk structures. Be cautious with this tool! Changes are irreversible. 


With new Version 1.7.3.+ supports Base64 encoding and decoding - Get it here.  

Need lightning fast Base64 encoding and decoding feature with MIME image support in an actual downloadable Windows executable?  

With this tool you can Base64 encode and decode any file. However, Image files with extensions (.BMP, .GIF, .ICO, .JPEG, .JPG, .PNG, .SVG., .TIF, .TIFF, .WEBP) will included the proper Multi-Purpose Internet Mail Extension (MIME) type for those supported images. So supported  images will be Base64 encoded with following prefix in the file export.

Take for example a Base64 encoded .PNG will look like; 


data:image/png;base64, iVBORw0KGgoAAAA ...

Other of image types examples are image/jpeg, image/png, and image/svg+xml.


For the uninitiated, MIME is type of Internet standard originally developed to allow the exchange of different types of data files through e-mail messages, and used to set "Content-Type:" as well.  Some refer to this as a 'media type' or MIME type is a standard that indicates the nature and format of a document, file, or assortment of bytes. It is defined and standardized in IETF's RFC 6838.






























The above will export a 10-tooth-black-gear.b64. Opening the file in Frhed you get MIME type with base64 encoded file.












Importing the MIME encoded file, Frhed will convert the file into proper image extension







Thursday, November 14, 2019

77% of sites use at least one vulnerable jQuery library

A Snyk study reports that 77% of sites use at least one vulnerable JavaScript library and pointed out jQuery was detected in 79% of the top 5,000 URLs from Alexa.

The most popular open source JavaScript frameworks, Angular and React, and three other frontend JavaScript ecosystem projects - Vue.js, Bootstrap and jQuery all suffer from highly severity XSS vulnerabilities. 


Below is slide 36 of the Snyk  "The state of JavaScript frameworks security report 2019". report  listing jQuery libraries vulnerability severty status.



Source

Tuesday, November 12, 2019

CSharp : Convert a GUID to a Compressed GUID

Here's how to compress and decompress Packed GUIDs or some people refer to them as Compressed GUIDs in C-Sharp

Input GUID         {12345678-ABCD-EFAB-1234-ABCDEFABCDEF}
Packed GUID is 87654321DCBABAFE2143BADCFEBADCFE

A Packed GUID format is loosely defined  as having a length of 32 characters, where the GUID is rearranged and the braces '{' and dashes '-' are removed.


Note: A "Compressed GUID" is a intermediate format, that rearranges the GUID and is Base85 encoded (using a restricted set) and has a length of 21 characters long and used to create Darwin Descriptors.  
A Darwin Descriptor is an encoded string and when decoded produces a combination of the ProductCode, Feature & ComponentId(s) and generally used for Windows installer, because it provides feature resilience through a mechanism called COM Advertising
Here's an example of a Darwin Descriptor, which you may have though was a virus entry in your registry!
"w_1^VX!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5Z" 
decoded yields a GUID, feature name, and a GUID.
{91120000-0030-0000-0000-0000000ff1ce}EXCELFiles{0638c49d-bb8b-4cd1-b191-052e8f325736}


To decode Darwin Descriptors that are in the registry, use RegtoText tool to decode all values en masse (free demo available). 


In example code below, I use "compressed GUID" to describe Packed GUID. 


using System;
using System.Collections.Generic; 

//
public class Program
{
 public static bool IsHex(IEnumerable<char> chars)
 {
  bool isHex; 
  foreach(var c in chars)
  {
   isHex = ((c >= '0' && c <= '9') || 
      (c >= 'a' && c <= 'f') || 
      (c >= 'A' && c <= 'F'));

   if(!isHex)
    return false;
  }
  return true;
    }
 public static void Main()
 {
     //Source - http://www.hanselman.com/blog/BATCHFILEVOODOODetermineIfMultipleAndWhichVersionsOfAnMSIinstalledProductAreInstalledUsingUpgradeCode.aspx
     //like to but to bulky - https://docs.microsoft.com/en-us/dotnet/standard/base-types/how-to-define-and-use-custom-numeric-format-providers
     //https://installpac.wordpress.com/2008/03/31/packed-guids-darwin-descriptors-and-windows-installer-reference-counting/
   
        //PROTO    
     //{12345678-ABCD-WXYZ-1234-ABCDEFGHIJKL}
     //should be-> 87654321DCBAZYXW2134BADCFEHGJILK
     //string inStrGUID = "{12345678-ABCD-WXYZ-1234-ABCDEFGHIJKL}"; //cannot use this contrived GUID has hex values above > (A-F) 
     
     string inStrGUID = "{12345678-ABCD-EFAB-1234-ABCDEFABCDEF}"; 
     string expectedCompressedGUID = "87654321DCBABAFE2143BADCFEBADCFE";
     //https://docs.microsoft.com/en-us/dotnet/api/system.guid.parse?view=netframework-4.7.2 - N has no dashes
     string outputFormat = "N"; //outputFormat can be N, D, B, P - N has no dashes
     string outCompressedGuid = ""; 
     string outDecompressedGuid = ""; 
     
     Guid inGuid = new Guid();
     Guid outGuid = new Guid(); 
     Guid outDCGuid = new Guid(); 
  
     bool isValidGuid = Guid.TryParse(inStrGUID, out inGuid); 
  
     Console.WriteLine("Input GUID " + inStrGUID+ " is valid? "+isValidGuid); 
        
     if (isValidGuid) {
      
      string raw = inGuid.ToString("N"); //N for no dashes
      char[] aRaw = raw.ToCharArray();
      //compressed format reverses 11 byte sequences of the original guid
      int[] revs
       = new int[]{8, 4, 4, 2, 2, 2, 2, 2, 2, 2, 2};
      int pos = 0;
      for (int i = 0; i < revs.Length; i++)
      {
       Array.Reverse(aRaw, pos, revs[i]);
       pos += revs[i];
      }
      string newstrGuid = new string(aRaw);
      
      bool isoutValidGuid = Guid.TryParse(newstrGuid, out outGuid); 
      
      if ( isoutValidGuid ) {
       
      //GUID in registry are all caps.
      outCompressedGuid = outGuid.ToString(outputFormat).ToUpper(); 
      
       Console.WriteLine("out  CGUID "+   outGuid.ToString("B").ToUpper()+" before full compression (removal of dashes) here for readability"); //for readability
      
       Console.WriteLine("\nCompressed guid is "+ outCompressedGuid );
         
       
       if (outCompressedGuid == expectedCompressedGUID) 
        Console.WriteLine("Matched expectations."); 
      else
       Console.WriteLine("Did not met expectations.");   
       
       
      } else
       Console.WriteLine("Failed to compress GUID."); 
     }
     
     Console.WriteLine("\nInput Compressed GUID " + outCompressedGuid); 
  
   
   char[] chrArrCGUID = outCompressedGuid.ToCharArray();
     
     //Here's a typical GUID Compressed in a Registry Key       
     //what if ? S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxx - split on new char[] {' ','-'} check any that are length 32 
  
     //Expand/Decompress/Decrypt Compressed GUID
     if (outCompressedGuid.Length == 32 && Program.IsHex(chrArrCGUID)==true){ //validate potential Compressed GUID
         
      int[] reversalidxs= new int[]{8, 4, 4, 2, 2, 2, 2, 2, 2, 2, 2};
       
      int pos = 0;
      for (int i = 0; i < reversalidxs.Length; i++)
      {
       Array.Reverse(chrArrCGUID, pos, reversalidxs[i]);
       pos += reversalidxs[i];
      }
      string newstrGuid = new string(chrArrCGUID);
      
      bool isoutValidDCGuid = Guid.TryParse(newstrGuid, out outDCGuid );
      
      if ( isoutValidDCGuid ) {
       
       //GUID in registry are all caps.
       outDecompressedGuid = outDCGuid.ToString("B").ToUpper(); 

       //Console.WriteLine("\nInput Compressed GUID "+   outDCGuid.ToString("B").ToUpper()+" this line for comparison only"); //for readability
       Console.WriteLine("Output Decomprsd GUID "+   outDCGuid.ToString("N").ToUpper()+" this line for comparison only"); //for readability

       Console.WriteLine("\nDecompressed compressed guid is "+ outDecompressedGuid );
     }
     
     }
     else 
     Console.WriteLine("Failed to decompressed CGUID.");  
  
 }
 
}

Sunday, November 10, 2019

Why are malware viruses so widespread?

This is the perennial question, that will not die. Here's one major reason why.

Microsoft security engineer Matt Miller from Microsoft Security Response Center
 gave a recent presentation at a security conference tracking malware attacks across Microsoft software for the last 12 years. In slide 10 of the presentation, he states around 70 percent of all Microsoft patches were fixes for memory safety bugs

The reason for this high percentage is because Windows operating system has been written mostly in C and C++. These "memory-unsafe" programming languages that allow developers fine-grained control of the memory addresses where their code can be executed, but also can leave gaping holes. 

Like Windows, Apple Macintosh operating system and Iphone OS (which is a variant of Unix, a Linux predecessor) and Linux variants are all written in "memory-unsafe" C or C++, primarily for speed. Kernels have been traditionally written in C. C's philosophy was to trust the programmer.

It would require a tremendous effort to re-write, the OS into a memory safe language.

Specifically, as of 26 September 2018, using then-current 20,088,609 LOC (lines of code) for the Linux kernel version 4.14.14  and the current US National average programmer salary of $75,506 show it would cost approximately $14 Billion dollars to rewrite the existing GPL-2.0 code that existing contributors still have claimed to if they decided to rescind the grant of license to the kernel source.  Source: https://en.wikipedia.org/wiki/Linux_kernel

What is a Memory-unsafe bug?

Memory-unsafe bugs happen when software, accidentally or intentionally, accesses system memory in a way that exceeds its allocated size and memory addresses, accessing other parts of the system to gain elevated privileges or impregnate custom malware code into that adjacent memory space.

Memory-unsafe bugs have similar terms such as buffer overflow, race condition, page fault, null pointer, stack exhaustion, heap exhaustion/corruption, use after free, or double free --all describe memory safety vulnerabilities. 










































There is a tension for whom the responsibility resides with, the language/compiler or the operating system. 

The C philosophy is always trust the programmer. And also not checking bounds allows a C program to run faster. The problem is that C/C++ doesn't actually do any boundary checking with regards to arrays. It depends on the OS to ensure that you are accessing valid memory.

There is only one solution and that is to re-write the entire Windows Operating system in a memory-safe language like Rust. That is starting to be addressed

Here's a brief review of one unsafe memory bug, stack overflow.




































Source Slides : https://github.com/Microsoft/MSRC-Security-Research/blob/master/presentations/2019_02_BlueHatIL/2019_01%20-%20BlueHatIL%20-%20Trends%2C%20challenge%2C%20and%20shifts%20in%20software%20vulnerability%20mitigation.pdf

Stack Overflow Attack Source Slides
https://www.slideshare.net/gumption/buffer-overflow-attacks-7024353


Friday, November 8, 2019

Around 70 percent of all Microsoft patches were fixes for memory safety bugs over the last 12 years

Why are malware viruses so wide spread?

This is the perennial question, that will not die. Here's one major reason why.

Microsoft security engineer Matt Miller from Microsoft Security Response Center
 gave a presentation at security conference stated it very succinctly in his slides, that over the last 12 years, around 70 percent of all Microsoft patches were fixes for memory safety bugs (see slide 10). 

The reason for this high percentage is because Windows has been written mostly in C and C++, two "memory-unsafe" programming languages that allow developers fine-grained control of the memory addresses where their code can be executed. 

Memory-unsafe bugs happen when software, accidentally or intentionally, accesses system memory in a way that exceeds its allocated size and memory addresses, accessing other parts of the system to gain elevated privileges or impregnate custom malware code into that adjacent memory space.


Memory-unsafe bugs have similar terms such as buffer overflow, race condition, page fault, null pointer, stack exhaustion, heap exhaustion/corruption, use after free, or double free --all describe memory safety vulnerabilities. 











































There is a tension for whom the responsibility resides with, the language/compiler or the operating system. 

The C philosophy is always trust the programmer. And also not checking bounds allows a C program to run faster. The problem is that C/C++ doesn't actually do any boundary checking with regards to arrays. It depends on the OS to ensure that you are accessing valid memory.

There is only one solution and that is to re-write the entire Windows Operating system in a memory-safe language like Rust. That is starting to be addressed

Here's a brief review of one unsafe memory bug, stack overflow.




































Source Slides : https://github.com/Microsoft/MSRC-Security-Research/blob/master/presentations/2019_02_BlueHatIL/2019_01%20-%20BlueHatIL%20-%20Trends%2C%20challenge%2C%20and%20shifts%20in%20software%20vulnerability%20mitigation.pdf

Stack Overflow Attack Source Slides
https://www.slideshare.net/gumption/buffer-overflow-attacks-7024353


Wednesday, November 6, 2019

What files to clean for Windows 10 1809 Disk Cleanup Categories

Here's a list of files to clean-up your Windows 10 Version 1809 (October 2018 Update) using Disk Cleanup. Disk Cleanup has many new file deletion categories, such as Windows Defender files, see below.

However, Microsoft has a Metro version of Disk Cleanup up called Storage Sense which is a simplified interface of Disk Cleanup. It amalgamates some of the categories below, but retains many.

Storage Sense



  1. Open Settings -> Click on System -> Click on Storage
  2. Under "Storage Sense" click the Free up space now option, to list same categories as below.

How to Use

Disk Cleanup wizard detects outdated files that can be delete, so if the category appears you can select those files to be deleted. By category, I mean potential files to be deleted under the "Files to delete:" heading in the bordered box below. 

These potential files to be deleted 
will be enumerated each time you run Disk Cleanup, so the categories will change each time you run it and and be different on other computers.




Click "View Files" button to examine the files that are to be deleted in each category.

Click "Clean up system files" button to to analyze the selected drive and display what Windows system can be cleaned up. A progress bar is shown during this process. Wait for this to finish.




When done, Disk Cleanup shows the total amount of space that can be freed up. Then, in the 'Files to delete' section you see different types of files that can be deleted. 

This will include categories such as 
'Downloaded Program Files''Recycle Bin''System error' files, 'Temporary files' and others. For each category of items, you see how much space they occupy at the moment. 





Extra : Click 'Clean up system files' button (to save allot of gigs of space) - see below.

Detailed Explanation of all 'Files to Delete' Categories:


Category Description

Compress System Disk



 
WARNING : THIS COMPRESSES YOUR DISK, it does not clean intermediate compressed files. THIS SLOWS YOUR FILE SYSTEM DOWN. Consult with an admin before using or extensively research this option before using. Turning this off has caused issues before. It's a one way street generally.

Save storage space by allowing Windows to compress the  contents of your drive . You will be able to access your files as normal , and the compression will be automatic and transparent to you . Depending on how much into is on your drive, compression  may take a while. If you need to decompress the drive or any  Folders at a later date you can do so with Windows File Explorer.

@C:\Program Files\rempl\strgsnsaddons.dll,-1009

BranchCache
 
Files created by BranchCache service for caching data.
 

BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in some editions of the Windows Server 2012 and Windows 8 operating systems, as well as in some editions of Windows Server 2008 R2 and Windows 7. To optimize WAN bandwidth when users access content on remote servers, BranchCache copies content from your main office or hosted cloud content servers and caches the content at branch office locations, allowing client computers at branch offices to access the content locally rather than over the WAN. 
File History Files  File History saves copies of your files so you can get them back if they're lost or damaged. It automatically backs up files in the background and lets you restore them from a simple, time-based interface.
DirectX Shader Cache Clean up files created by the graphics system which can speed up application load time and improve responsiveness. They will be re-generated as needed.
Diagnostic Data Viewer In 2018 Microsoft released the Diagnostic Data Viewer (DDV) which is a tool that lets you review the raw diagnostic data Windows is sending to Microsoft. Now you can also view Office diagnostic data using the same viewer.
Downloads Warning: These are files in your personal Downloads folder.

It's important to understand that the "Downloads" option is unchecked by default and it's a helpful feature to those that use downloads folder for temporary files. On the other hand, if you use it as a place to store needed files, make sure the option is unchecked or you will lose the content stored in the folder.

Folder:C:\Users\{UserName}\Downloads
File List:*.*
@C:\WINDOWS\System32\DATACLEN.DLL, -1045
Hello Face Remove Warning: Using this option seems to disable Windows Hello
https://h30434.www3.hp.com/t5/Notebook-Operating-System-and-Recovery/Hello-Face-stopped-working-after-a-disk-cleanup/td-p/7028729


When you uninstall the optional Windows Hello Face component. Signing in to Windows using facial recognition might not work. You'll still be able to log in with your Windows Hello PIN or a username and password combination. To tum this back on in the  future, go to Settings, search for Add an optional feature, select  Add a feature, and then select Windows Hello Face.


@C:\Program Files\rempl\strgsnsaddons.dll,-1029
Language Pack Files Remove unused language resource files, including keyboards, speech inputs, etc.
Mixed Reality  Removes Mixed Reality viewer files.

@C:\Program Files\rempl\strgsnsaddons.dll,-1023
OneDrive File Remove 
Removes temporary Onedrive offline files in Onedrive folders marked as "online-only" to free up disk space.

Note: You can always explicitly set a folder as 'Always keep offline' (even if you haven't used those files in a long time) and it won't affect those folders.
@C:\Program Files\rempl\strgsnsaddons.dll,-1013
Downloaded Files  Duplicate of Downloads option
@C:\Program Files\rempl\strgsnsaddons.dll,-101
Delete all System Restore Points This will deleting all previous restore points. Restore points allow you to go back to a previous install state. It can be risky to remove all restore points. If you feel confident, and need the space. Then after option, create a restore point afterwards immediately.

Note: You can also save space by deleting all previous restore points except for the last one. To do that, run Disk Cleanup and after it scans your drive, select the More Options tab. Then under the System Restore and Shadow Copies section click Clean up and then the verification message
Language Pack Remove unused language resource files, including keyboards, speech inputs, etc.
Old ChkDsk Files Check Disk (chkdsk) is a command line that you use to recover files from your hard disk, generally caused by surface errors due to aging, bumping and smoke, that cause bad sectors (lost data) to appear. Chkdsk recovers what it can of these sectors in files which was written over the bad sector into files ending in .CHK.

You can open and read the contents using Notepad or even better Notepad++. Often the contents are not worth keeping but they can be. Chkdsk files are indicative that a drive is starting to fail. If new bad sectors continue to appear you should replace the drive or you risk losing all your files.


"FileList"="*.CHK"
"Folder"="?:\\FOUND.000|?:\\
FOUND.001|?:\\FOUND.002|?:\\FOUND.003|?:\\FOUND.004|?:\\FOUND.005| ?:\\FOUND.006|?:\\FOUND.007|?:\\FOUND.008|?:\\FOUND.009"
Delivery Optimization Files Delivery optimization files are files that were previously downloaded to your computer and can be deleted if currently unused by the Delivery Optimization service.

Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft. This can help you get updates and apps more quickly if you have a limited or unreliable Internet connection. And if you own more than one PC, it can reduce the amount of Internet bandwidth needed to keep all of your PCs up-to-date. Delivery Optimization also sends updates and apps from your PC to other PCs on your local network or PCs on the Internet.

@C:\WINDOWS\system32\domgmt.dll
Content Indexer Cleaner The Windows search indexer is constantly running in the background to make file searches as quick as possible.

"Folder"="?:\\Catalog.wci"
File List:*.* 
Temporary Setup Files These files should no longer be needed. They were originally created by a setup program that is no longer running.
Located in directory C:\\Windows\\msdownld.tmp|?:\\msdownld.tmp
"FileList"="*.tmp"

@C:\WINDOWS\system32\setupcln.dll, -1001
Download Program Files Downloaded Program Files are ActiveX controls and Java applets downloaded automatically from the Internet with you view certain pages. They are temporarily stored in the Downloaded Program Files folder on your hard disk.

@C:\Windows\System32\occache.dll,- 1071
Temporary Internet Files The Temporary Internet Files folder contains webpages stored on your hard disk for quick viewing. Your personalized settings for webpages will be left intact.
Offline Web Pages Offline pages are webpages that are stored on your computer so you can view them without being connected to the Internet. If you delete these pages now, you can still view your favorites offline later by synchronizing then. Your personalized settings for webpages will be left intact.
Debug Dump Files Files created by Windows.
RetailDemo Offline Content Windows 10 includes a Retail Demo experience mode. This feature basically is useful for and meant for retail store staff who want to demo Windows 10 to customers.
Recycle Bin The Recycle Bin contains files you have deleted from your computer. 
Setup Log Files Files created by Windows.

"FileList"="setup*.log|setup*.
old|setuplog.txt|winnt32.log"
"Folder"="%WINDIR%"
System Error Memory Dump Files Remove system error memory dump files.
System Error Minidump Files Remove system error minidump files.
Temporary Files Programs sometimes stores temporary information in the TEMP folder. Before a program closes, it usually deleted this information. You can safely delete temporary files that have not been modified in over a week.

Folder:C:\Users\Markus\AppData \Local\Temp|C:\WINDOWS\Temp|C:\WINDOWS\Logs|C:\WINDOWS\System32\LogFiles
File List:*.*
Temporary Sync Files Remove Windows Media Sync files.
You can use Windows Media Player to copy music, videos, and pictures from your Player Library to a portable device, such as a compatible MP3 player. This process is called syncing. These are temp files in caches create in this process which are delete
Thumbnails Windows keeps a copy of all your picture, video, and document thumbnails so they can be displayed quickly when you open a folder. If you delete these thumbnails, they will be automatically recreated as needed.
User File Versions Windows stores file versions temporarily on this disk before copying them to the designated File History disk. If you delete these files, you will lose some file history.

File History is Windows 10’s main backup tool, originally introduced in Windows 8. Despite the name, File History isn’t just a way to restore previous versions of files–it’s a fully-featured backup tool, it's suppose to be a clone of Apple Time Machine.
Windows Error Report Files (4 types) Files used for Windows Error Reporting (WER). These are logs of errors (program crashes mostly) that were reported to Microsoft by the Windows Error Reporting service.

'
Clean up system files' button you see the following dialog box




This will include categories such as'Windows ESD Installation Files''Windows Defender'and others. 

Windows Update Cleanup only appears in the list when the Disk Cleanup wizard detects Windows updates that you don't need on your system.  This category will generally save you the greatest amount of space. All of these are okay to delete, that is the purpose of this wizard. 

Recommendation:  Carefully select categories to delete all the files, but review the categories below for further details, some have irreversible effects.

Detailed Explanation of 'Clean up system files' categories

Category
Description
Windows ESD installation Files
(since Win 10)
You will need these files to Reset or Refresh your PC.
Windows ESD Files was introduced to upgrade to Windows 10, behind the scenes.
Windows ESD Files are files used for a upgrade to a new version of Windows. ESD stands for Electronic Software Delivery and delivers files in an encypted (.esd) format. This then contains a .wim file. A Windows IMage (.wim) file contains one or more compressed Windows images. Each Windows image in a .wim file contains a list of all of the components, settings, and packages available with that Windows image. Install.wim file in its turn contains everything needed for a complete Windows installation.

You can convert the Windows 10 .esd file to make your own ISO disk to upgrade any PC later!
Temporary Windows installation files
Installation files used by Windows setup. These files are left over from the installation process and can be safely deleted.
Previous Windows installation(s)
Files from a previous Windows installation. Files and folders that may conflict with the installation of Windows have been moved to folders named Windows.old. You can access data from the previous Windows installations in this folder.

@C:\WINDOWS\system32\setupcln.dll,-1002
Update package Backup Files
Windows saves old versions of files that have been updated by an Update package. If you delete the files, you won't be able to uninstall the Update package later.
Windows Update Cleanup
Windows keeps copies of all installed updates from Windows Update, even after installing newer versions of updates that are no longer needed and taking up space. (You might need to restart your computer.)

@C:\WINDOWS\system32\scavengeui.dll,-1002
Device driver packages
Windows keeps copies of all previously installed device driver packages    from Windows Update and other sources even after installing newer versions of drivers. This task will remove older versions of drivers that are no longer needed. The most current version of each driver package will be kept.

@C:\WINDOWS\system32\pnpclean.dll, -102
Windows Defender Antivirus
Non critical files used by Windows Defender Antivirus
All files in these locations will be deleted
Folder:C:\ProgramData\Microsoft\Windows Defender\LocalCopy|C:\ProgramData\Microsoft\Windows Defender\Support
File List:*.*@C:\Program Files\WindowsDefender\MpAsDesc.dll,-380
Files Discarded by Windows Upgrade
Files from a previous Windows installation. As a precaution, Windows upgrade keeps a copy of any files that were not moved to the new version of Windows and were not identified as Windows system files. If you are sure that no user's personal files are missing after the upgrade, you can delete these files.

@C:\WINDOWS\system32\setupcln.dll, -1005 Setup Directories:$WINDOWS.~Q;$INPLACE.~TR;$Windows.~LS
Windows Upgrade Log Files
Windows upgrade log files contain information that can help identify and    troubleshoot problems that occur during Windows installation, upgrade, or servicing. Deleting these files can make it difficult to troubleshoot installation issues.

@C:\WINDOWS\System32\DATACLEN.DLL,-1010Folder:C:\WINDOWS
File List:setup*.log|setup*.old|setuplog.txt|winnt32.log
Service Pack Backup Files
Windows saves old versions of files that have been updated by a service pack. If you delete the files, you won't be able to uninstall the service pack later.

@C:\WINDOWS\system32\scavengeui.dll,-1000

When you click OK, Disk Cleanup will prompt you to confirm that you want to permanently delete the selected files. 

If you have never done, you'll be surprised at the Gigs of space freed up.