Getting acquainted with ARM Cortex-M


Today we'll discuss 32-bit microcontrollers with ARM Cortex-M cores and, in particular, STMicroelectronics (aka ST) controllers. This post will describe how to develop for these controllers, which development environments available, and how to use some popular libraries. If you are interested in Arduino development, but 8-bit AVR is no longer enough for you, and you want something more, then this post is for you.

Continue reading "Getting acquainted with ARM Cortex-M"

Follow-up: filled NTFS partition cleanup

In the previous post Filling up NTFS partition forever without admin privileges I described the method to fill all free space on an NTFS partition without administrator privileges and without creating any large suspicious files. However, "forever" in the title was too strong a word, so I continued to search for solutions to cleanup the clogged $Secure file. Finally, I found this can be done quite simply: you need to use the standard Windows CHKDSK utility! I would've never thought that it had such a feature. Apparently, it was added in around 2009 in the KB919241 update.

Continue reading "Follow-up: filled NTFS partition cleanup"

Filling up NTFS partition forever without admin privileges

NTFS logo

NTFS is an advanced file system that is one of the main parts of all modern Windows operating system versions. This file system supports logging, it has the ability to recover data, advanced security, file streams and many other features. However, sometimes with rich features you get problems that were absent in older file systems like FAT32.

Continue reading "Filling up NTFS partition forever without admin privileges"

Writing macros with GUI for Microsoft Word like a PRO [Part 2, final]

Final word macro form view

Yes, this is a macro for MS Word!

Let's dive deeper into the topic of macros in Microsoft Word. We will add the user interface for our macro, which replaces two or more consecutive line breaks with a single one. Why would you ever need some kind of interface for a macro? Well, for example, you want to remove extra line breaks on all pages of the document, except for some specific ones. The interface would allow you to specify the page numbers that you want to skip during processing (or vice versa, only process specified pages). This is the functionality we will implement.

Continue reading "Writing macros with GUI for Microsoft Word like a PRO [Part 2, final]"

Writing Macros for Microsoft Word like a PRO [Part 1]

Angry word helper

You may have the feeling that the Word macros are quite useless. Who needs them anyway? Well, sometimes they are used in malware... Moreover, they are written in a long forgotten VBA (Visual Basic for Applications, which is somehow limited Visual Basic 6 in an interpreted form), eeww!

But in fact, after all, many people may sometimes need to write a report in Word, or issue a paper, or write a CV before sending it to their dream company... For some people, their job is working in Word itself. Often, various documentation systems can export pages to doc or docx formats that your customers ask for. And it often happens that exported documents look awful, you have to fix them manually every time after export.

Working in Word often involves performing some repetitive actions, which can be sometimes (but not always!) solved by correctly setting and applying styles, as well as using templates. How do you automate everything else? This is where these very macros come to our aid.

Continue reading "Writing Macros for Microsoft Word like a PRO [Part 1]"

Writing simple Nessus plugin

One of the key aspects of penetration testing is the automation of routine actions. Someone writes standalone programs for this, but now there are many products that allow you to extend their functionality with the help of additional modules. An example of a free vulnerability scanner with custom modules support is OpenVAS, but this article is about Nessus, which isn't free, but in my humble opinion, finds more and generates fewer false positives (although OpenVAS started as a fork of Nessus, but that was a long time ago). Let's get started.
Continue reading "Writing simple Nessus plugin"

Pentest 101: Content bruteforcing lists

When it comes to black-box testing of web applications, one of the main things is to search through possible web paths to find new entry points and “forgotten” data. That is, any list of popular directory names (like /uploads/) and files (data.txt, file.php, etc.) is taken and a sequential search of valid paths is performed. The technique is well-known, old, there are many utilities to exploit it, many public lists of such paths. Among the most popular are the following utilities:

Lots of them...
Personally I prefer wfuzz (pretty fast, convenient filtering of web server responses by several criteria), or Burp Suite.
Continue reading "Pentest 101: Content bruteforcing lists"

Skype Preview – Skype link preview plugin


Once upon a time I chatted in one cozy Skype conference and suddenly one of the members got a rather interesting idea: to develop a Skype plugin, which allows to view content of links thrown into chat without opening them. "Why not?", - I thought. It is possible to open pictures in reduced size, if the link points to the image (including animated ones). If the link leads to usual HTML page, it is possible to display its title. Running ahead, I'll show you the result:


Continue reading "Skype Preview – Skype link preview plugin"

Developing PE file packer step-by-step. Step 12 – bugfixes


Thanks to the guy from commentaries in previous posts about the packer, one amazing bug in the code was discovered, which I tried to fix quickly. The commentator, without analyzing the packer operation in detail, stated that the code packed with it will not be able to work with SEH if DEP is turned on. Under such conditions the code worked well (because all unpacked code in memory is located within one single PE file section marked as executable. UPX has same operation logic.). However, suddenly the following bug was discovered: if the program is built in MSVC++, uses SEH and has relocations, it will likely crash on first exception (more precisely, if the file was loaded to the address other than base). DEP, of course, has nothing to do with this. The thing is in disastrous IMAGE_LOAD_CONFIG_DIRECTORY directory. It is created by Visual Studio linker. Of useful information it contains the address table (RVA) of SE handlers and a pointer to CRT internal variable __security_cookie. As it turned out, this directory is necessary not only for CRT internals (although it, as it seems, actually doesn't care about this structure), but also for the system loader (at least, in Win7. WinXP, it seems, ignores this directory too). The packer, which I developed, moves this directory to other section (see here). Thus the issue can be fixed by adding several records to relocations table, which is created by the packer. These records will fix the addresses pointing to security cookie and SE handlers table, to let it read necessary information from this directory at loading stage.

Except correcting this bug I updated the packer code to make it buildable with latest version (1.0.0) of PE library (PE Bliss). It is always available to download here.

By the way, about PE Bliss library. Currently in my free time I develop new version, which will have the following features (the list is exemplary and can be changed):
- high-level work with additional types of PE file resources;
- detailed .NET binaries parsing (metadata, signatures, resources);
- library wrapper in C++/CLI, which allows .NET developers to use library functionality comfortably in C# or Visual Basic .NET software.

Download packer sources: packer source
Download binary: packer binary

PS. In Windows 8 and 8.1 image load configuraton directory has been exanded (to support Control Flow Guard), so the packer will be unable to pack newest binaries from that operation systems, if IMAGE_LOAD_CONFIG_DIRECTORY is present.

UPDATE 24.05.2016: relocations generation has been updated. In some rare cases (when TLS data was big enough, and load config directory was present, relocation table addresses could overflow, which resulted in corrupted packed binary).

Developing PE file packer step-by-step. Step 11. Command line interface. Final version

Previous step is here.


At this step we will develop nice command line interface for our packer.

Continue reading "Developing PE file packer step-by-step. Step 11. Command line interface. Final version"