Friday, April 14, 2017

What is the programmatic difference of Powershell x86 vs x64?

There are a number of explanations as to why people think you should use PowerShell (PS) x86 vs x64, typically things like larger address space, blah de blah, but real programmatic issues are never mentioned.

The #1 reason to use PowerShell x86 vs x64 is to get access to the proper Windows Registry hive, either x86 or x64. So if you have an x86 OS, use PS x86; on an x64 OS, use x64.

Let's take for example getting the Windows install date from the registry. The path is
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion and we read the InstallDate value from there.

This run on 32-bit Windows failed; the install date is wrong:

Windows Registry Install Date using Powershell (32 bit)
Wednesday, December 31, 1969 7:00:00 PM

This run on 64-bit Windows worked:

Windows Registry Install Date using Powershell (64 bit)
Tuesday, February 16, 2010 1:09:20 AM

This is the PowerShell for the above; the registry install date test is the last part of the script, from line 90 on.

#requires -version 2.0

# -----------------------------------------------------------------------------
# Script: Get-PowershellInfo+Architecture.ps1
# Version: 1.2017.04.13
# Author: Mark Pahulje
# URL   : metadataconsulting.ca
# Date: 13-Apr-2017
# Keywords: Powershell Architecture, PS Info
# Comments:
#
# "Those who forget to script are doomed to repeat their work."
#
#  ****************************************************************
#  * DO NOT USE IN A PRODUCTION ENVIRONMENT UNTIL YOU HAVE TESTED *
#  * THOROUGHLY IN A LAB ENVIRONMENT. USE AT YOUR OWN RISK.  IF   *
#  * YOU DO NOT UNDERSTAND WHAT THIS SCRIPT DOES OR HOW IT WORKS, *
#  * DO NOT USE IT OUTSIDE OF A SECURE, TEST SETTING.             *
#  ****************************************************************
# -----------------------------------------------------------------------------
 
Function Get-PowershellInfo+Architecture {
 
<#
.SYNOPSIS
Write out an improved pseudo psversiontable of PS Version, CLR & Build version, and Architecture (32 or 64 bit)
.DESCRIPTION
Write out an improved pseudo psversiontable of PS Version, CLR & Build version, and Architecture (32 or 64 bit)
.MUNCHIES
 This script also shows a test for the Windows Install Date using the Registry, to prove that when it runs under the
 wrong architecture (32 or 64 bit) it will fail on the unsupported CPU architecture type
.EXAMPLE
PS C:\> Get-PowershellInfo+Architecture 
 
Name            : Version
----            : -------
PS Version      : 3.0
PS Architecture : 32 bit
CLR Version     : 4.0.30319.42000
Build Version   : 6.2.9200.16481

Return registry usage information for the local host.

.NOTES
NAME        :  Get-PowershellInfo+Architecture
VERSION     :  1.2017.04.13  
LAST UPDATED:  13-Apr-2017
AUTHOR      :  MDC
.LINK
http://metadataconsulting.blogspot.ca/2017/04/How-to-get-the-most-accurate-Windows-Install-Date-time-zone-adjusted.html
.LINK
Get-WindowsInstallDateTMZAdjusted
.INPUTS
String
.OUTPUTS
A formatted table
#>

#Function Start 
process {

cls
$psinfo = $psversiontable

if ([intPtr]::size -eq 4){
    $xarch = "32 bit"
}  
if ([intPtr]::size -eq 8){
    $xarch = "64 bit"
}

$psinfo | Select-Object -Property @{Name="Name";Expression={"Version"}},
    @{Name="----";Expression={"-------"}},
    @{Name="PS Version";Expression={$_.PSVersion}},
    @{Name="PS Architecture";Expression={$xarch}}, 
    @{Name="CLR Version ";Expression={ $_.CLRVersion }},
    @{Name="Build Version ";Expression={ $_.BuildVersion }}
}        

}

Get-PowershellInfo+Architecture


#What's the diff between running cmds in x86 and x64 Powershell? 

#this will fail on the unsupported processor type
#This also shows a test for the Windows Install Date using the Registry, to prove that when it runs under the
#wrong architecture (32 or 64 bit) it will fail on the unsupported CPU architecture type

$psinfo = $psversiontable

if ([intPtr]::size -eq 4){
    $xarch = "32 bit"
}  
if ([intPtr]::size -eq 8){
    $xarch = "64 bit"
}


$windowsinstalldate = [TimeZone]::CurrentTimeZone.ToLocalTime([DateTime]'1.1.1970').AddSeconds(
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallDate       )

write-host ""
write-host "Windows Registry Install Date using Powershell ($xarch)"
$windowsinstalldate.DateTime
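As an added example (my code, not the script above and not the author's), the following reads InstallDate through an explicit registry view with the .NET RegistryKey.OpenBaseKey API, so the answer no longer depends on whether a 32-bit or 64-bit PowerShell is running. That is the caveat a practitioner wants here: a 32-bit process on 64-bit Windows sees HKLM:\SOFTWARE through the WOW64 redirection, and the 1969 date printed above is simply the Unix epoch in local time, which is what AddSeconds produces when the value comes back empty. The function names are assumptions; the APIs are standard .NET 4.0 and later.

```powershell
# Added example: read the Windows InstallDate from an explicit registry view.
# Not the original script; function names are assumptions. Needs .NET 4.0+.

function Get-ProcessBitness {
    # [IntPtr]::Size is 4 in a 32-bit process and 8 in a 64-bit process
    if ([IntPtr]::Size -eq 8) { '64 bit' } else { '32 bit' }
}

function Get-InstallDateFromView {
    param(
        [Parameter(Mandatory = $true)]
        [Microsoft.Win32.RegistryView]$View   # Registry32 or Registry64
    )
    # OpenBaseKey with an explicit view bypasses WOW64 redirection, so a
    # 32-bit process can still read the native 64-bit hive (and vice versa).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        if ($null -eq $key) { return $null }
        try {
            $raw = $key.GetValue('InstallDate')   # REG_DWORD: seconds since the Unix epoch (UTC)
            if ($null -eq $raw) { return $null }  # value absent in this view
            $epoch = New-Object -TypeName DateTime -ArgumentList 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
            return $epoch.AddSeconds([double]$raw).ToLocalTime()
        } finally { $key.Close() }
    } finally { $hklm.Close() }
}

"PowerShell process  : $(Get-ProcessBitness)"
"Running under WOW64 : $([bool]$env:PROCESSOR_ARCHITEW6432)"   # set only for 32-bit processes on 64-bit Windows
"64-bit OS           : $([Environment]::Is64BitOperatingSystem)"

foreach ($view in @([Microsoft.Win32.RegistryView]::Registry32,
                    [Microsoft.Win32.RegistryView]::Registry64)) {
    $d = Get-InstallDateFromView -View $view
    if ($null -eq $d) { "$view view : InstallDate not present in this view" }
    else              { "$view view : $($d.ToString('F'))" }
}
```

Running this from both PowerShell bitnesses on the same 64-bit machine shows the same Registry64 date, which is the point: pick the view deliberately instead of relying on which PowerShell happened to launch. On a 32-bit OS the Registry64 view is ignored and both lines report the single hive. Note also that on Windows 10 the value is rewritten by feature updates, so it reflects the last upgrade rather than the original installation.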

Thursday, April 13, 2017

7-Zip Portable not 7-Zip hacked by CIA

Everyone's favorite freebie zip application has been compromised and targeted by your friendly neighborhood CIA agent, as revealed in the latest WikiLeaks leak, code-named "Vault 7".

Just to be clear, "7-Zip Portable" was mentioned, and there's a lot of confusion about the difference between "7-Zip Portable" and "7-Zip". This post will clear that up.

Firstly, 7-Zip is safe!


I spoke with Igor Pavlov, the owner of 7-Zip, and he has no idea about "7-Zip Portable".

I asked him if there are any issues with the CIA hack using his open source code base, and he affirmed that "7-Zip Portable" was the problem code.

The recent CIA WikiLeaks release mentions a "7-Zip Portable" hack for spying on users, under the section called "Fine Dining Tool Module Lists" at https://wikileaks.org/ciav7p1/cms/page_20251107.html

For the uninitiated, the WikiLeaks "Vault 7" release lists a host of CIA exploits for common everyday free and paid applications. The "Fine Dining Tool Module Lists" section lists applications whose libraries (the dynamically loaded libraries, or DLLs, that are loaded to run the program) have been compromised and replaced. This is known as a "DLL Hijack" in the document. A hijacked DLL enables practically anything to be done by the remote collectors: it can collect keystrokes, take screenshots, record the microphone, snoop on your mail, and, the dreaded scenario, give complete control over your computer using a remote administration tool (RAT).

This "7-Zip Portable" entry appears on 2 lines of the "Vault 7" leak, so it can be a little confusing. The row reads:

Technique: DLL Hijack
Application: 7-Zip Portable
Categories: User, Compression, Backup
Scenario: Operator performs backup, encrypted storage while collection is occurring
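From the defender's side, a hijacked DLL is a changed or extra file in the application folder, and a file baseline catches exactly that: hash every DLL and EXE after a clean install, keep the list, and compare later. The following is an added example written for this post (my code, not from the post, from PortableApps.com or from 7-Zip); the folder and baseline paths are assumptions and the functions need PowerShell 4 or later for Get-FileHash. A NotSigned status on its own is not a finding, since not every vendor signs its binaries, so the hash comparison is the real check.

```powershell
# Added example: baseline and re-check the binaries of an application folder.
# Not from the post, PortableApps.com or 7-Zip; paths are assumptions. PowerShell 4+.

function Get-BinaryInventory {
    param([Parameter(Mandatory = $true)][string]$Folder)
    $root = (Resolve-Path -Path $Folder).Path.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -Include *.dll, *.exe | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($root.Length + 1)                        # relative to the folder
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signed = (Get-AuthenticodeSignature -FilePath $_.FullName).Status       # Valid, NotSigned, HashMismatch, ...
        }
    }
}

function New-BinaryBaseline {
    # Run once on a known-good install; keep the CSV somewhere the application cannot write to.
    param([string]$Folder, [string]$BaselinePath)
    Get-BinaryInventory -Folder $Folder | Export-Csv -Path $BaselinePath -NoTypeInformation
}

function Test-BinaryBaseline {
    # Emits one object per deviation; no output means the folder matches the baseline.
    param([string]$Folder, [string]$BaselinePath)
    $baseline = @{}
    Import-Csv -Path $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_ }
    $seen = @{}
    foreach ($item in Get-BinaryInventory -Folder $Folder) {
        $seen[$item.Path] = $true
        if (-not $baseline.ContainsKey($item.Path)) {
            # an extra DLL dropped next to the EXE is the classic hijack pattern
            [pscustomobject]@{ File = $item.Path; Finding = 'NEW: not in baseline' }
        } elseif ($baseline[$item.Path].Sha256 -ne $item.Sha256) {
            [pscustomobject]@{ File = $item.Path; Finding = "MODIFIED: hash differs (signature now $($item.Signed))" }
        }
    }
    foreach ($rel in $baseline.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            [pscustomobject]@{ File = $rel; Finding = 'MISSING: in baseline but not on disk' }
        }
    }
}

# Usage (assumed paths): build the baseline right after a clean install, re-check on a schedule.
# New-BinaryBaseline  -Folder 'C:\PortableApps\7-ZipPortable' -BaselinePath 'C:\baselines\7zip.csv'
# Test-BinaryBaseline -Folder 'C:\PortableApps\7-ZipPortable' -BaselinePath 'C:\baselines\7zip.csv'
```

The baseline must come from an install you trust, so take it from a fresh download whose archive hash you verified against the publisher, not from a copy that has already been sitting on a USB stick; a baseline taken from a hijacked folder just blesses the hijack.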

So what is "7-Zip Portable"? How does it differ from 7-Zip?

"7-Zip Portable" is exactly the same as 7-Zip; it has just been consumed by PortableApps.com because the project is open source. PortableApps.com removed the installer, repackaged it as their own, and even used the same logo.


PortableApps.com is the world's most popular portable software solution allowing you to take your favorite software with you. A fully open source and free platform, it works on any portable storage device (USB flash drive, memory card, portable hard drive, etc), cloud drive (DropBox, Google Drive, etc), or installed locally. 

The confusing part is that it has the same logo, comes from the same open source repository host, SourceForge (different projects, however), and even lists the 7-Zip developers as part of their development effort:

Publisher: PortableApps.com (John T. Haller) and the 7-Zip developers

So, there you are, you have been warned.

A further note: it seems many of the apps from PortableApps.com have been infiltrated. Probably the same installer used by PortableApps.com has been compromised.

For further explanation, a good article is here:
http://www.filmsforaction.org/articles/wikileaks-cia/