Friday, August 28, 2020

How to fix new MS Edge (Chromium) downloads that take forever (a long time) to download files

I usually do not recommend downgrading security, but when using Microsoft's new Edge browser to download a file, it's super slow on Windows 7 (which does not have a native MS Defender built in). Edge therefore invokes your installed antivirus to scan the download, and this is super slow, which makes the feature unusable. I can't wait a few minutes for a PDF to download that I need to read now.

A good antivirus will scan any file that hits the disk regardless, so I think this is overkill. The blocking of bad sites is also provided by some AVs. By "good antivirus" I mean Kaspersky, Bitdefender or Malwarebytes; all other providers are insufficient. Kaspersky has a browser plugin that does exactly the same thing as SmartScreen.

What is SmartScreen ? 

SmartScreen works by sending information about every application you download and run to Microsoft’s servers. If the application is something legitimate and fairly popular, like Google Chrome or Apple iTunes, Windows will allow it to run. If it’s something Microsoft knows is harmful, Windows will prevent it from running.

If the application is something SmartScreen isn't familiar with, you'll see a warning message saying that Windows prevented an unrecognized app from starting. You can choose to bypass this message at your own risk, if you're confident the application is safe.

Then, when you try to run it, Windows SmartScreen will check if the application is safe. If that’s all good, Windows Defender or whatever other antivirus you have installed will check whether the application is dangerous. SmartScreen is just another layer of protection.

The operating system level protection of antivirus works no matter where the application or file comes from.

Search result match: Microsoft Defender SmartScreen

Search result match: Help protect me from malicious sites and downloads with Microsoft Defender SmartScreen.

How to turn off Microsoft Defender SmartScreen

In Edge settings, search for "smartscreen" and disable it.


Tuesday, August 25, 2020

Phishing Email - DermaCorrect with subject Re: Naturally Remove Skin Tags Without Pain

For the record, this is a DermaCorrect phishing email attempt that is recently going around, with body title "Blog: the Best Natural Skin Tag Removal to Try Today". What to do? Report them; go to the bottom of the page.


From : Thank You-DermaCorrect <community@evergreen.ca>

Subject : Re: Naturally Remove Skin Tags Without Pain

PHISHING LINKS:

1. http://jassinossmedia.shop/r.php?t=c&d=xxxxx&l=xxxxx&c=xxx
2. http://jassinossmedia.shop/opt.php?d=xxx&l=xxx&c=xxx&em=xxx

How to tell this is a phishing email?

  1. Check the email address in full; if it's not from the originating company then it's phishing.
  2. Hover over all links in the email; if a link is not to the company's website then forget it.
  3. The best way is to 

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email, take further 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Wednesday, August 19, 2020

Phishing Email - Shoppers Drug Mart (Open Immediately) with subject Re: Please Respond

For the record, this is a Shoppers Drug Mart phishing email attempt that is recently going around, with body "We have a surprise for Shoppers Drug Mart Customers!" What to do? Report them; go to the bottom of the page.


From : Shoppers Drug Mart <sdgfpinfo@state.sd.us>

Subject : Re: Please Respond

PHISHING LINKS:

1. http://jassinooption.shop/r.php?t=c&d=xxxxx&l=xxxx&c=xxxxxx
2. http://jassinooption.shop/opt.php?d=xxxxx&l=xxxx&c=xxxxx&em=xxxxxxxxxxxxxx

How to tell this is a phishing email?

  1. Check the email address in full; if it's not from the originating company then it's phishing.
  2. Hover over all links in the email; if a link is not to the company's website then forget it.
  3. The best way is to 

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email, take further 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Sunday, August 16, 2020

Phishing Email - London Drugs with subject Re: All natural Keto diet

For the record, this is a London Drugs phishing email attempt that is recently going around. What to do? Report them; go to the bottom of the page. Particularly concerning is that the sender address has been spoofed in the email to show londondrugs.ca.


From : Bye bye fat <newsletter@londondrugs.ca>

Subject : Re: All natural Keto diet

PHISHING LINKS:

1. http://polidamente.me/opt.php?d=xxxxx&l=xxxx&c=xxx&em=xxxxxxxxxxx

How to tell this is a phishing email?

  1. Check the email address in full; if it's not from the originating company then it's phishing.
  2. Hover over all links in the email; if a link is not to the company's website then forget it.
  3. The best way is to 

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email, take further 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
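The two checks from the three posts above (sender domain, then every link's host) can be run over a saved message source. This is an added example, not code from the original posts; the message sources are constructed here, modelled on the London Drugs case where the From domain is spoofed to match the brand and only the link check catches it (link parameters masked as in the post).

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed message source: spoofed From domain, link to the unrelated host
# quoted in the London Drugs post above (parameter values masked as in the post).
SPOOFED = """\
From: Bye bye fat <newsletter@londondrugs.ca>
Subject: Re: All natural Keto diet
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://polidamente.me/opt.php?d=xxxxx&l=xxxx&c=xxx&em=xxxxxxxxxxx">
Claim your surprise</a></body></html>
"""

# Constructed benign counterpart: sender and every link stay on the brand's domain.
LEGIT = """\
From: London Drugs <newsletter@londondrugs.ca>
Subject: Weekly flyer
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.londondrugs.ca/flyer">This week's flyer</a></body></html>
"""

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)

def brand_domain(host):
    """Crude registrable domain: last two labels (enough for .ca/.com/.me here)."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_findings(raw_source, expected_domain):
    """Apply checks 1 and 2 from the post to a raw message source:
    1. the sender domain must be the company's; 2. every link host must be too.
    Returns human-readable findings; an empty list means both checks passed."""
    msg = email.message_from_string(raw_source, policy=policy.default)
    sender = msg["From"].addresses[0]          # parsed From header (stdlib)
    findings = []
    if brand_domain(sender.domain) != expected_domain:
        findings.append(f"sender {sender.addr_spec} is not on {expected_domain}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for url in HREF_RE.findall(body):
        host = urlparse(url).hostname or ""
        if brand_domain(host) != expected_domain:
            findings.append(f"link host {host} is not on {expected_domain}")
    return findings
```

Because a From header can be forged, as in the London Drugs case, an empty sender finding on its own proves nothing; the link check is what separates the two samples.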

Friday, August 14, 2020

C# .NET How to create a custom clipboard format to copy and paste

The following console application is fully functional working code to demonstrate how to create a custom clipboard format, for when the standard formats will not suffice.

In the example source code below specifically, we are creating a custom class InfoPic to place on the clipboard.

Result: 

When you copy an image from a browser, and paste into MSPaint, you'll get the expected image.
When you paste into Notepad, you'll get a text message. 

See it in action with my tool - https://clipboardplaintextpowertool.blogspot.com/. When you copy an image, you also get metadata for images like this:

Clip iss063e070805.jpg [1041w✕585h] "NASA Image of the Day | NASA - Microsoft Edge", img src="https://www.nasa.gov/sites/default/files/styles/full_width_feature/public/thumbnails/image/iss063e070805.jpg"

using System;
using System.Collections.Generic;
using System.Data;
using System.Text;
using System.Windows.Forms;
using System.Drawing.Imaging;
using System.Drawing;
using System.Diagnostics;

namespace ClipboardCustomFormatEx
{
    class InfoPic
    {
        public System.Drawing.Image imgctnr { get; set; } //image container
        public string info { get; set; } //image caption
    }

    class Program
    {
        [STAThread] //TIP! Set this to get clipboard handle from a console app
        public static void Main(string[] args)
        {

            Console.WriteLine("Right-click COPY an image from your open browser. Press any key to start...");
            Console.ReadKey();

            //Let's grab the clipboard - do we have access and is there data?
            System.Windows.Forms.IDataObject iData = Clipboard.GetDataObject();

            if (iData == null)
                return;

            //check if we have the standard Bitmap format available
            if (!iData.GetDataPresent(DataFormats.Bitmap))
                return;

            Bitmap clipBMP = iData.GetData(DataFormats.Bitmap) as Bitmap;

            if (clipBMP == null)
                return;

            string imgInfo = "This image is a Bitmap " + clipBMP.PixelFormat.ToString();

            //Create our custom object to place on the clipboard.
            InfoPic obj = new InfoPic();

            //Load object 
            obj.imgctnr = clipBMP;
            obj.info = imgInfo;

            //Some suggest we should serialize the object before placing it onto the clipboard, but that is not required
            //within this process: the clipboard hands the same object back. Only another process reading this format would
            //need InfoPic marked [Serializable].

            //Set and use a custom format name that represents our object on the clipboard. It can be any name; "AssemblyName.ClassName" is used here. There is no need to "register" the format ahead of time any longer, as in C with RegisterClipboardFormatA.
            string myCustomFormat = "ClipboardCustomFormatEx.InfoPic";
            Clipboard.SetData(myCustomFormat, obj);

            Console.WriteLine("Success. ClipboardCustomFormatEx.InfoPic is pasted on clipboard. Press any key to continue...");
            Console.ReadKey();
            Console.WriteLine("Okay. Let's get grab the ClipboardCustomFormatEx.InfoPic object from the clipboard.");
            
            //Let's get the data object again to check that the clipboard is accessible and initialize our copy
            IDataObject clipobj = Clipboard.GetDataObject();
            if (clipobj == null) //bug fix: test the object we just fetched, not the earlier iData
                return;

            //Does custom format live on clipboard 
            if (Clipboard.ContainsData(myCustomFormat) == false)
                return;

            InfoPic myPaste = clipobj.GetData(myCustomFormat) as InfoPic; //safe: ContainsData confirmed the format, and we are in the same process

            Console.WriteLine("ClipboardCustomFormatEx.info = " + myPaste.info);
            Console.WriteLine("ClipboardCustomFormatEx.imgctnr size = " + myPaste.imgctnr.Size);
            Console.WriteLine("Success. Got ClipboardCustomFormatEx.InfoPic. Press any key to repaste to overload regular formats.");
            Console.ReadKey();

            Clipboard.Clear();

            //re-paste to test using standard formats acceptable to most programs
            System.Windows.Forms.IDataObject objFormatstoPaste = new DataObject();
            objFormatstoPaste.SetData(DataFormats.Text, "Repasted Image");
            Bitmap repasteBMP = (Bitmap)myPaste.imgctnr;
            repasteBMP.RotateFlip(RotateFlipType.RotateNoneFlipY); //upside down

            objFormatstoPaste.SetData(DataFormats.Bitmap, repasteBMP);

            Clipboard.SetDataObject(objFormatstoPaste, true);

            Console.WriteLine("Success. ClipboardCustomFormatEx.InfoPic is pasted on clipboard.");
            Console.WriteLine("Open Notepad and paste (CTRL-V), you'll get text. Open MSPaint and you'll paste the image!");
            Console.ReadKey();
        }
    }
}

Wednesday, August 12, 2020

C# .NET How to overload clipboard to handle multiple formats simultaneously

The following console application is fully functional working code to demonstrate how to overload the Windows system clipboard with multiple formats.

In the example source code below specifically, we are overloading an image copy to append a caption.

Result: 

When you copy an image from a browser, and paste into MSPaint, you'll get the expected image.
When you paste into Notepad, you'll get a text message.

This is the overload in action, an additional text format has been added. 

Aside: See it in action with my tool - https://clipboardplaintextpowertool.blogspot.com/ which overloads images with the following text metadata:

Clip iss063e070805.jpg [1041w✕585h] "NASA Image of the Day | NASA - Microsoft Edge", img src="https://www.nasa.gov/sites/default/files/styles/full_width_feature/public/thumbnails/image/iss063e070805.jpg"

Update - Simplified further Aug 13, 2020.

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Text;
using System.Windows.Forms;
using System.Drawing.Imaging;
using System.Drawing;

namespace ClipboardOverloadExample
{
    class Program
    {
        [STAThread] //TIP! Set this to get clipboard handle from a console app
        public static void Main(string[] args)
        {
            Console.WriteLine("Right-click COPY an image from your open browser. Press any key to start...");
            Console.ReadKey();

            //Let's grab clipboard, do we have access and does it contain data?
            System.Windows.Forms.IDataObject iData = Clipboard.GetDataObject();

            if (iData == null)
                return;
            
            //check if we have a standard Bitmap format on the clipboard
            //images are saved on the clipboard as a raw bitmap ("Memory Bitmap"), but transparency may be lost.
            if (!iData.GetDataPresent(DataFormats.Bitmap))
                return;

            //we have Bitmap format and thus we can perform cast safely
            Bitmap clipBMP = iData.GetData(DataFormats.Bitmap) as Bitmap;

            if (clipBMP == null)
                return;

            string imgInfo = "This image is a Bitmap " + clipBMP.PixelFormat.ToString();

            //Create an object that will contain multiple formats to paste - overload
            System.Windows.Forms.IDataObject objFormatstoPaste = new DataObject();

            //add formats to put on clipboard
            objFormatstoPaste.SetData(DataFormats.Text, imgInfo);
            objFormatstoPaste.SetData(DataFormats.Bitmap, clipBMP);

            //Copy to the clipboard, and the 2nd parameter indicates that the clipboard is not cleared when the program exits
            Clipboard.SetDataObject(objFormatstoPaste, true);
            
            Console.WriteLine("Success. You can exit program, but to test overload of clipboard, do the following:");
            Console.WriteLine("Open Notepad and paste (CTRL-V), you'll get text. Open MSPaint and you'll paste the image!");
            Console.ReadKey();

        }
    }
}

Tuesday, August 4, 2020

Recent Reverse Engineering open source tools for Windows exe and dlls for malware/virus analysis

Let's back up a bit: what is an exe?

.Exe is a common filename extension denoting an executable file (the main execution point of a computer program) for Microsoft Windows. The Portable Executable (PE) format is a file format for executables (exe), object code, DLLs and others used in 32-bit and 64-bit versions of Windows operating systems.

How is an exe created?

Compilers take C/C++/C#/Python code and compile it into the PE format, which is not very human friendly to read. 

Why infect it? 

A computer virus is software usually hidden within another seemingly innocuous program that can produce copies of itself and insert them into other programs or files, and that usually performs a harmful action (such as destroying data). An example of this is a PE infection, a technique, usually used to spread malware, that inserts extra data or executable code into PE files. 

The PE Format Specification

The Portable Executable (PE) format is a specification that describes the structure of executable (exe) files and object files under the Windows family of operating systems. These files are referred to as Portable Executable (PE) and Common Object File Format (COFF) files, respectively.

[Image omitted] Source : http://dandylife.net/blog/archives/date/2015/02/page/2


An Exe opened in a Hex Editor

[Image omitted]
How to reverse engineer exe? 

Some recent PE reverse engineering tools of note:

  • PE-bear is a freeware reversing tool for PE files. Its objective was to deliver a fast and flexible "first view" tool for malware analysts, stable and capable of handling malformed PE files. PE-bear's parser is open source: https://github.com/hasherezade/bearparser (works for Windows and Linux). It comes with a command-line tool (bearcommander). On Windows it requires the Microsoft Visual C++ 2010 Redistributable Package.

  • BlackBerry's PE Tree: https://github.com/blackberry/pe_tree, but it requires Python to run.
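To make the PE layout described above concrete (MZ header, e_lfanew, PE signature, COFF header, section table), here is an added example of the kind of "first view" check the tools listed above perform; it is not code from PE-bear or PE Tree. The sample PE images are constructed in the block from the spec's header formats and are not real programs; the anomaly checks (section raw data running past end of file, sections that are both writable and executable) are common malformed-PE and packer indicators.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section Characteristics bits (PE/COFF spec)
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"         # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"                # IMAGE_FILE_HEADER, 20 bytes

def parse_sections(data):
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    off = e_lfanew + 24 + opt_size   # skip signature, COFF header and optional header
    sections = []
    for _ in range(nsec):
        name, _, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size, chars))
        off += 40
    return machine, sections

def suspicious_sections(data):
    """First-look checks: raw data past end of file (malformed PE) and W+X sections."""
    findings = []
    for name, raw_ptr, raw_size, chars in parse_sections(data)[1]:
        if raw_ptr + raw_size > len(data):
            findings.append(f"{name}: raw data runs past end of file")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: writable and executable")
    return findings

def build_sample_pe(sections, file_size):
    """Constructed minimal PE (not runnable): DOS header with e_lfanew=0x40, x64 COFF header
    with no optional header, then the section table, zero-padded to file_size."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack(COFF_FMT, 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table = b"".join(struct.pack(SECTION_FMT, n, rs, va, rs, rp, 0, 0, 0, 0, c)
                     for n, va, rp, rs, c in sections)   # (name, VA, raw ptr, raw size, flags)
    hdr = dos + coff + table
    return hdr + b"\0" * (file_size - len(hdr))

TEXT = 0x60000020   # CNT_CODE | MEM_EXECUTE | MEM_READ
DATA = 0xC0000040   # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
CLEAN_PE = build_sample_pe([(b".text", 0x1000, 0x200, 0x200, TEXT),
                            (b".data", 0x2000, 0x400, 0x200, DATA)], 0x600)
# Same layout, but the second section claims 64 KiB of raw data and is W+X.
BAD_PE = build_sample_pe([(b".text", 0x1000, 0x200, 0x200, TEXT),
                          (b".x", 0x3000, 0x400, 0x10000, TEXT | IMAGE_SCN_MEM_WRITE)], 0x600)
```

Running suspicious_sections over a real file read in binary mode gives the same two kinds of findings; a hex editor view of the first 0x100 bytes shows exactly the fields the parser walks.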