CSharp Interop P/Invoke mechanism has change in .NET7 - LibraryImport replaces DLLImport

Major announcement at .NET CONF 2022 .NET7 which some of you many have missed,  replaces DLLImport() with LibraryImport(). 

Official documentation here - 
Use custom marshallers in source-generated P/Invokes | Microsoft Learn

Sampe Pseudo Code

// Import user32.dll (containing the function we need) and define
// the method corresponding to the native function.

[DllImport("user32.dll", EntryPoint = "MessageBoxW", CharSet = CharSet.Unicode, SetLastError = true)]

private static extern int MessageBoxW(IntPtr hWnd, wstring lpText, string lpCaption, uint uType);

//>>>>>>>>>>>> .NET7 New P/Invoke Method <<<<<<<<<<<<
[LibraryImport("user32.dll", EntryPoint = "MessageBoxW", SetLastError =true,
StringMarshalling = StringMarshalling.Utf16)]

internal static partial int MessageBoxW(IntPtr hWnd, string lpText, string lpCaption, uint uType);

Differences from DllImport

LibraryImportAttribute is intended to be a straightforward conversion from DllImportAttribute in most cases, but there are some intentional changes:

• CallingConvention has no equivalent on LibraryImportAttribute. UnmanagedCallConvAttribute should be used instead.
• CharSet (for CharSet) has been replaced with StringMarshalling (for StringMarshalling). ANSI has been removed and UTF-8 is now available as a first-class option.
• BestFitMapping and ThrowOnUnmappableChar have no equivalent. These were only relevant when marshalling an ANSI string on Windows. The generated code for marshalling an ANSI string will have the equivalent behaviour of BestFitMapping=false and ThrowOnUnmappableChar=false.
• ExactSpelling has no equivalent. This was a Windows-centric setting and had no effect on non-Windows. The method name or EntryPoint should be the exact spelling of the entry point name. This field has historical uses related to the A and W suffixes used in Win32 programming.
• PreserveSig has no equivalent. This was a Windows-centric setting. The generated code always directly translates the signature.

There are also differences in support for some settings on MarshalAsAttribute, default marshalling of certain types, and other interop-related attributes. For more details, see our documentation on compatibility differences.

.NET CONF 2022 Video Release

Fedex phishing email with subject Re: FEDEX

For the record, this is a Fedex phishing email attempt that is recently going around, with subject RE: Fedex

What to do?  Report them, goto bottom of page. 

From : Shipment Trackings <hetaarbetare.utskick@brandskyddsforeningen.se> Subject : RE: FEDEX

PHISHING LINKs;

1. http://investinmacedonia.shop/?xxx...

How to tell this is a Phishing email ?

1. Check email address in full, if it's not from originating company then it's phishing.
2. Hover over all links in email, if it's not from the  company's website then forget it.
3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source

1. Outlook.com->Actions->View Message Source. 
2. Gmail.com->More (down arrow to top right)->Show original.

Check for suspicious links, anything that does not originate from apple.com.

Report Phishing Email (not as Spam)

1. Outlook.com->Junk (at Top)->Phishing Scam
2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and subsequently government agencies

1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
2. Report Phishing Sites | CISA
3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

How do developers generate revenues - State of Nation Report from SlashData

How developers generate revenues

• Contracted development is the revenue model of choice across all industry verticals, used by nearly a third (31%) of professional developers.
• Less than one in ten (7%) professional developers are generating revenue from selling data.
• Usage of the advertising revenue model declines as companies grow in size.
• Developers working for large enterprises (5K+ employees) tend to use
  multiple revenue models less often than developers in smaller companies.

Below we have included a few graphs that illustrate some of the findings.

You can download the full report for free and access all data and insights within.

If you need additional information or looking to understand developer preferences’, please get in touch with us and we will dive into it together.

Full Article :  https://www.slashdata.co/blog/state-of-the-developer-nation-coding-language-popularity-chinas-developer-market-how-developers-make-revenue-and-more

Home Depot phishing email with subject FW: Exclusive Reward

For the record, this is a Home Depot phishing email attempt that is recently going around, with subject FW: Exclusive Reward!

What to do?  Report them, goto bottom of page. 

From : Home Depot Survey <noreply@storypark.com> via ibm591.wtrbs.heathfly.com Subject :  FW: Exclusive Reward

PHISHING LINKs;

1. http://ourloveplace.info/?xxxx...

How to tell this is a Phishing email ?

1. Check email address in full, if it's not from originating company then it's phishing.
2. Hover over all links in email, if it's not from the  company's website then forget it.
3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source

1. Outlook.com->Actions->View Message Source. 
2. Gmail.com->More (down arrow to top right)->Show original.

Check for suspicious links, anything that does not originate from apple.com.

Report Phishing Email (not as Spam)

1. Outlook.com->Junk (at Top)->Phishing Scam
2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and subsequently government agencies

1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
2. Report Phishing Sites | CISA
3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Walgreens phishing email with subject Confirmation-xxxxxxxxxx

For the record, this is a Costco phishing email attempt that is recently going around, with subject Confirmation-xxxxxxxxxxxxx.

What to do?  Report them, goto bottom of page. 

From : Walgreens <info@news.qdcjfwnajqu.com.net> via ibm591.wtrbs.heathfly.com Subject :  Confirmation-xxxxxxxxxxxxx                            Re: 2nd Attempt for {your email}

PHISHING LINKs;

1. https://ci3.googleusercontent.com/proxy/xxxxxxxxxxxxxxxxxxxxxxxxxxxx#https://s3.amazonaws.com/chirrirXaXir/chirrirXaXir.png

How to tell this is a Phishing email ?

1. Check email address in full, if it's not from originating company then it's phishing.
2. Hover over all links in email, if it's not from the  company's website then forget it.
3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source

1. Outlook.com->Actions->View Message Source. 
2. Gmail.com->More (down arrow to top right)->Show original.

Check for suspicious links, anything that does not originate from apple.com.

Report Phishing Email (not as Spam)

1. Outlook.com->Junk (at Top)->Phishing Scam
2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and subsequently government agencies

1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
2. Report Phishing Sites | CISA
3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Costco phishing email with subject FW: Notice: Costco Survey Offer expiring soon!

For the record, this is a Costco phishing email attempt that is recently going around, with subject FW: Notice: Costco Survey Offer expiring soon! and enticement of $90 Promo offer.

What to do?  Report them, goto bottom of page. 

From : Thank-you <no-reply@nl.francetv.fr> Subject :  FW: Notice: Costco Survey Offer expiring soon!

PHISHING LINKs;

1. http://coinbore.makeup/?xxx

How to tell this is a Phishing email ?

1. Check email address in full, if it's not from originating company then it's phishing.
2. Hover over all links in email, if it's not from the  company's website then forget it.
3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source

1. Outlook.com->Actions->View Message Source. 
2. Gmail.com->More (down arrow to top right)->Show original.

Check for suspicious links, anything that does not originate from apple.com.

Report Phishing Email (not as Spam)

1. Outlook.com->Junk (at Top)->Phishing Scam
2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and subsequently government agencies

1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
2. Report Phishing Sites | CISA
3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Geek Squad phishing email with subject We are processing your order 1-415-424-4760

For the record, this is a Best Buy's Geek Squad phishing email attempt that is recently going around, with subject "  We are processing your order

What to do?  Report them, goto bottom of page. 

From : Angel | Support Dept <xxxx@gmail.com> Subject :  We are processing your order

PHISHING LINKs;

1. 415 424-4780

How to tell this is a Phishing email ?

1. Check email address in full, if it's not from originating company then it's phishing.
2. Hover over all links in email, if it's not from the  company's website then forget it.
3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source

1. Outlook.com->Actions->View Message Source. 
2. Gmail.com->More (down arrow to top right)->Show original.

Check for suspicious links, anything that does not originate from apple.com.

Report Phishing Email (not as Spam)

1. Outlook.com->Junk (at Top)->Phishing Scam
2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and subsequently government agencies

1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
2. Report Phishing Sites | CISA
3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Transform Clipboard Contents Between Copy and Paste with tool

Clipboard PlainText PowerTool (CPPT) has advanced clipboard transformations, which have been accumulated since 2014.

You will not find in another tool or text editor, with these transformations features . Each of the power tools have been customized and are unique apps, you'll not find anywhere else. 

CPPT Version 5.1 - 138 productivity functions - 23 Major Power Tools/Apps

CPPT features 1st of its kind, on-the-fly media file metadata extraction

If you copy or move a any file type, CPPT will extract metadata for that file. For media files,  CPPT extracts enhanced metadata automatically and puts onto the clipboard history. Click it, to to copy it to system clipboard.

On-the-fly metadata information pulled from a .DOCX, .MP3 and .MPG file; 

Copied/Moved 
DOCX "Standard Release Form.docx"  2pgs 42.6KB Title:"Microsoft Word - Standard Release Form.doc" Author:"aaggarwa" Company:"John Wiley and Sons, Inc." Mon 04-Jan-21  11:30AM "H:\Downloads2021\Standard Release Form.docx"
	MP3 "01 Genesis.mp3"  5,512KB ‎44kHz 00:03:55 Title:"Genesis" Album:"Justice" Artist:"Justice" Year:2007 Sat 08-Mar-14  9:43PM "C:\Users\Markus\Music\iTunes\iTunes Media\Music\Justice\Justice\01 Genesis.mp3" - EXIF metadata detected MPG "ghost.MPG"  6.34Mb 00:00:18 [640wX480h] MPEG-PS(video/mpeg) 2.829Mbps 25.000FPS MPEG Video 8-bits(256bpp) MPEG Audio 1ch-32000kHz-64kbps Sun 28-Oct-12  1:22PM "C:\Users\Markus\Videos\ghost.MPG"
	3 items in 136ms 270µs 400ns with enhanced metadata extracted, if available. Enhanced metadata extraction set at <= 20 items.

Here's an example use of clipboard transformation 

Check it out Clipboard Plaintext PowerTool  - the most advanced clipboard tool on the market today!

UPS phishing email with subject You have (1) package awaiting information

For the record, this is a UPS phishing email attempt that is recently going around, with subject " Re: You’ve Been selected!" that made it through spam filters.

What to do?  Report them, goto bottom of page. 

From : UPSDelivrey.com <7-eleven@mail.7-eleven.com> Subject : You have (1) package awaiting information

PHISHING LINKs;

1. http://julianol.com/xxx...

How to tell this is a Phishing email ?

1. Check email address in full, if it's not from originating company then it's phishing.
2. Hover over all links in email, if it's not from the  company's website then forget it.
3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source

1. Outlook.com->Actions->View Message Source. 
2. Gmail.com->More (down arrow to top right)->Show original.

Check for suspicious links, anything that does not originate from apple.com.

Report Phishing Email (not as Spam)

1. Outlook.com->Junk (at Top)->Phishing Scam
2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and subsequently government agencies

1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
2. Report Phishing Sites | CISA
3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Camp Lejeune exposed to contaminated water phishing email with subject Re: Confirmation_Receipt_306

For the record, this is a Camp Lejeune exposed to contaminated water phishing email attempt that is recently going around, with subject "Confirmation_Receipt_306". 

What to do?  Report them, goto bottom of page. 

From : Lejeune Lawsuits <info@botlibre.com> Subject :  Confirmation_Receipt_306

PHISHING LINKs;

1. https://xxxxx.s3.us-east-2.amazonaws.com/xxxxx.HTM#qs=xxxxx

How to tell this is a Phishing email ?

1. Check email address in full, if it's not from originating company then it's phishing.
2. Hover over all links in email, if it's not from the  company's website then forget it.
3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source

1. Outlook.com->Actions->View Message Source. 
2. Gmail.com->More (down arrow to top right)->Show original.

Check for suspicious links, anything that does not originate from apple.com.

Report Phishing Email (not as Spam)

1. Outlook.com->Junk (at Top)->Phishing Scam
2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and subsequently government agencies

1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
2. Report Phishing Sites | CISA
3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Sams Club phishing email with subject Re: You’ve Been selected!

For the record, this is a Sam's Club phishing email attempt that is recently going around, with subject " Re: You’ve Been selected!" that made it through spam filters.

What to do?  Report them, goto bottom of page. 

From : samsClubstores <info@qiita.com> Subject : Re: You’ve Been selected!

PHISHING LINKs;

1. https://ifqifiqsfiqsif.s3.us-east-2.amazonaws.com/vlds.html#Xxxxxx...

How to tell this is a Phishing email ?

1. Check email address in full, if it's not from originating company then it's phishing.
2. Hover over all links in email, if it's not from the  company's website then forget it.
3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source

1. Outlook.com->Actions->View Message Source. 
2. Gmail.com->More (down arrow to top right)->Show original.

Check for suspicious links, anything that does not originate from apple.com.

Report Phishing Email (not as Spam)

1. Outlook.com->Junk (at Top)->Phishing Scam
2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and subsequently government agencies

1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
2. Report Phishing Sites | CISA
3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Fake Rogers Text Message Phishing Scam

For the record, this is a fake Rogers text message that has been going around, since the massive outage in Canada that started July 7th. 

From : 306-501-8123

Report SPAM

1. What to do if I get mobile spam? (bell.ca)
2. Report a spam message | TELUS Support

UЅPS phishing email with subject UЅPS® Іssue Your Delivery оn June 27, 2022 arriving by 6:00pm

For the record, this is an UЅPS phishing email attempt that is recently going around, with subject "UЅPS® Іssue Your Delivery оn June 27, 2022 arriving by 6:00pm"

What to do?  Report them, goto bottom of page. 

From : Ρostal UЅPS <Office365@messaging.microsoft.com> Subject : UЅPS® Іssue Your Delivery оn June 27, 2022 arriving by 6:00pm

PHISHING LINKs;

1. What's encryption?

How to tell this is a Phishing email ?

1. Check email address in full, if it's not from originating company then it's phishing.
2. Hover over all links in email, if it's not from the  company's website then forget it.
3. The best way is to 

How to examine Email Message Source ?

Now lets look at message source

1. Outlook.com->Actions->View Message Source. 
2. Gmail.com->More (down arrow to top right)->Show original.

Check for suspicious links, anything that does not originate from apple.com.

Report Phishing Email (not as Spam)

1. Outlook.com->Junk (at Top)->Phishing Scam
2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take it further at 

1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and subsequently government agencies

1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx
2. Report Phishing Sites | CISA
3. Home - Canada's Anti-Spam Legislation (fightspam.gc.ca)

Right-to-Left Override RTLO Removal Tool for filenames #Windows #malware

Malware writers can trick you in 2 ways into thinking your file is a "PDF looking" file using the Right-to-Left Override (RTLO) technique.

“Right-to-Left Override” RTLO example

Firstly, a maliciously constructed “.exe” can be built to display an PDF icon, so it looks like PDF default reader will open this file. If the filename is really long then, you can't see the extension (see image below). 

2ndly and may not be so obvious, malicious PDF filename is constructed as with a right-to-left override character is such a way that the file ends ".pdf" extension, but really is an ".exe".  


So in example below, the 2nd file looks like a ".txt" file, but is really a ".docx" file (the 1st file). The 1st file has been cleansed of the RTL Unicode character, and ends in ".docx". 

The PDF file is actually an ".exe" file, but looks like it will open with default PDF reader. 

Download RTLExample.7z ( it includes the above files with PDF ".exe" example. The files contain no viruses or malware. The PDF is safe ".exe", and just opens this page in Chrome). The "PDF" is safe ".exe", and just opens this page in Chrome. But GDrive marks these examples "Sorry, this file is infected with a virus", which good because they are detecting the RTL character and exe. But it a false positive, since there is no virus in the files. You can create you own examples by inserting the RTL character into the filename, see this video https://youtu.be/n2kV3Q2eTCY). 

Here's the same files as viewed from the command (cmd.exe) line. The box character represents the RTL character.

Note: Detection of malicious file is never done by a filename alone, so a good antivirus will flag the contents of this file, for known signatures. BUT you can remove the annoying RTL character with the free tool below! 

How is RTLO being abused by malware writers?

In apps that support Unicode like Window Explorer, the right-to-left override malware method uses  a RTL Unicode character, that will reverse the order of the characters that follow it. It's used mainly for Middle Eastern/Asian languages that you read right-to-left.

RTLO can be used to spoof fake extensions. To do this we need a hidden RTL Unicode character in the file name.

What is “Right-to-Left Override” RTLO?

The RTLO method is used to hide the true type of a file, so it might trick you into open text file (.txt) which really is a Word file (.docx) with malicious malware. More recently this file could hide a .wav file. Audio files such .wav file are being embedded with malware, is on the forefront of malware maliciousness. Read about that on my post here.

The method exploits a feature built into Windows Explorer. Since Microsoft Windows does a great job of supporting different languages from around the world, some of those languages that are written from right-to-left (RTL). 

Let’s say you want to use a right-to-left written language, like Hebrew or Arabic, on a site combined with a left-to-right written language like English or French. In this case, you would want bidirectional script support.

Bidirectional script support is the capability of a computer system to correctly display bi-directional text. In HTML we can use Unicode right-to-left marks and left-to-right marks to override the HTML bidirectional algorithm when it produces undesirable results:

left-to-right mark: ‎ (U+200E) Unicode character
right-to-left mark: ‏ (U+200F) Unicode character

How do you fix files that have the RTLO or other bad characters ? 

Here's a tool I built to clean up Right-to-Left Mark (and many others) and Unicode Control Characters from your files. It's super fast, small and written in native C++.

Updated Thu 21-Apr-22 - new build, fixed many recursive issues

Download touchRTL.7z (you need https://www.7-zip.org/ to unpack). For personal use only, will open this page for help. Copy into c:\windows to use from cmd.exe.

License : 

touchRTL.7z personal use only, for commercial use buy touchLTRPRO. Contact as validated today available for license request. 

touchRTLPRO.7z, has flags to remove Unicode spaces and punctuations (math symbols, currency, open closing braces, and accent marks).  

Just run this command and it will recursively rename filenames to remove those characters under the specified directory name. If directory name, contains spaces you need quotes.

touchRTL -v -R -l -y "directory name"

where

Usage: touchRTL [-aclmpRuvxy] [-r REFFILE | -d DATETIME] PATH...

UNIX touch mimic, updates files access, modification and creation times of file(s) in PATH to the current time,
If PATH argument does not exist, creates corresponding new empty file or directory (using -y), unless -c or --n
Supports directory recursion and time stamping!
Supports Right-to-Left (RTL) character removal for files.
PATH argument can represent a filename(s) or directory. Double quote if it contains spaces. eg "c:\as is.txt"

  -a, --access-time        change only the file access time
  -c, --no-create          do not create any new files - If the file exists, touch will update the access time,
  -l, --RTL                remove Unicode control & format characters (esp. infamous right-to-left) from filena
  -m, --modif-time         change only the file modification time
  -p, --pause-exit         pause on exit (non-GNU extra)
  -R, --recursive          recursively touch files in specified directory and all subdirectories (non-GNU extra
  -u, --unicntrl           remove Unicode control characters only - https://www.fileformat.info/info/unicode/ca
  -v, --verbose            output the result of every file processed (non-GNU extra)
  -x, --creation-time      change only the file creation time (non-GNU extra)
  -y, --directory          specify directory, instead of default file
  -r, --reference REFFILE  use this file's times instead of current time
  -s, --spaces (PRO edtn)  remove Unicode spaces from filename
  -!, --puncs  (PRO edtn)  remove Unicode punctuations & symbols (math & modifiers) from filename

  -d, --date DATETIME      use YYYY-MM-DDThh:mm:ss[.ms] instead of current time (non-GNU, does not parse string
                           accepted "2033-04-01T07:07:07", "2033-04-01 07:07:07"

  -h, --help               Display this help and exit.

      --version            Display version information and license information.

For personal use only. Commercial license required for business use and removes page open. See --version for al
Copyright © 2019-2022 M. Pahulje <metadataconsult@gmail.com> - https://http://metadataconsulting.blogspot.com/