Windows Timer Resolution: The Great Rule Change
The behavior of the Windows scheduler changed significantly in Windows 10 2004, in a way that will break a few applications, and there appears to have been no announcement, and the documentation has not been updated. This isn’t the first time this has happened, but this change seems bigger than last time.
The short version is that calls to timeBeginPeriod from one process now affect other processes less than they used to, but there is still an effect.
How can CharUpper and CharLower guarantee that the uppercase version of a string is the same length as the lowercase version?
Blaming the operating system for allowing people to create files with unusual characters in their names
What we have here is a case of creating an insecure system and then being surprised that the system is insecure.
This is all too common, but the fix is equally shortsighted. Always too much focus on a narrow aspect of the problem.
They claimed that the issue could be fixed by simply adding the ampersand to the list of illegal file name characters. They forgot about the percent sign (for injecting environment variables), the caret (for escaping), and possibly even the apostrophe.
Ray Tracing In Notepad.exe At 30 FPS
A few months back, there was a post on Reddit (link), which described a game that used an open source clone of Notepad to handle all its input and rendering. While reading about it, I had the thought that it would be really cool to see something similar that worked with stock Windows Notepad. Then I spent way too much of my free time doing exactly that.
I ended up making a Snake game and a small ray tracer that use stock Notepad for all input and rendering tasks, and got to learn about DLL Injection, API Hooking and Memory Scanning along the way. It seemed like writing up the stuff I learned might make for an interesting read, and give me a chance to show off the dumb stuff I built at the same time, so that’s what these next couple blog posts will be about.
Avast Antivirus Is Shutting Down Its Data Collection Arm
Avast will no longer collect or sell its users’ internet browsing data
...after getting caught.
Somewhat old, but deserves a spot in the archive of malfeasance.
In Praise of AutoHotKey
People think it’s weird that I do all my development on a Windows machine. It’s definitely a second-class citizen experience in the wider development world, and Windows has a lot of really frustrating issues, but it’s still my favorite operating system. This is for exactly one reason: AutoHotKey.
AHK is an engine for mapping keystrokes to scripts. I wouldn’t call it particularly elegant, and it’s filled with tons of redundancy and quirks. Even its fans admit how nasty the language can be. But it hooks into the whole Windows system and makes it easy to augment my workflow. It’s given me a far greater degree of control over my computer than I ever managed to achieve with another OS.
What Outranks Thread Priority?
This investigation started, as so many of mine do, with me minding my own business, not looking for trouble. In this case all I was doing was opening my laptop lid and trying to log on. The first few times that this resulted in a twenty-second delay I ignored the problem, hoping that it would go away. The next few times I thought about investigating, but performance problems that occur before you have even logged on are trickier to solve, and I was feeling lazy. When I noticed that I was avoiding closing my laptop because I dreaded the all-too-frequent delays when opening it I realized it was time to get serious.
A lot of effort for a rather unsatisfactory conclusion, but I won’t spoil the surprise.
Pulling sleight of hand tricks in a security vulnerability report, or maybe it was a prank
So you tell me: Was this somebody carrying out an elaborate prank or somebody who simply didn’t understand what they were doing?
Whether it was intended as such or not, this ended up being an effective denial-of-service attack against me personally, since I ended up spending quite a bit of time watching the videos closely, then reverse-engineering what the finder believed the vulnerability to be, and then studying the videos again to find out where they went wrong.
I was feeling frustrated just reading the story.
Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage. Any vulnerabilities in this process are critical, and easily accessible to remote attackers.
The historical significance of the Burgermaster drive-in restaurant
In Windows 3.0, the data segment that recorded the locations of all the other data segments was named the BurgerMaster.
The Burgermaster restaurant was so important that Bill Gates’s secretary kept it on speed dial. In fact, it wasn’t just on speed dial for Bill Gates’s secretary. It was a company-wide speed dial number. You could call them to order a burger, walk next door, and your order would be ready and waiting for you.
Microsoft's Chain of Fools
Hackers hit Norsk Hydro with ransomware
The breach last March would ultimately affect all 35,000 Norsk Hydro employees across 40 countries, locking the files on thousands of servers and PCs. The financial impact would eventually approach $71 million.
All of that damage had been set in motion three months earlier when one employee unknowingly opened an infected email from a trusted customer. That allowed hackers to invade the IT infrastructure and covertly plant their virus.
This is kinda fluffy, but somewhat interesting.
So We Don't Have A Solution For Catalina...Yet
With the release of macOS 10.15 (Catalina), Apple has dropped support for running 32-bit executables and removed the 32-bit versions of system frameworks and libraries. Most Windows applications our users run with CrossOver are 32-bit and CrossOver uses a 32-bit Mac executable, system frameworks, and libraries to run them. This will break with Catalina.
And then comes the fun part:
We have built a modified version of the standard C language compiler for macOS, Clang, to automate many of the changes we need to make to Wine’s behavior without pervasive changes to Wine’s source code.
First, our version of Clang understands both 32- and 64-bit pointers. We are able to control from a broad level down to a detailed level which pointers in Wine’s source code need to be 32-bit and which 64-bit. Any code which substitutes for Windows at the interface with the Windows app has to use 32-bit pointers. On the other hand, the interfaces to the system libraries are always 64-bit.
snek - Python from PowerShell
Snek is a cross-platform PowerShell module for integrating with Python. It uses the Python for .NET library to load the Python runtime directly into PowerShell. Using the dynamic language runtime, it can then invoke Python scripts and modules and return the result directly to PowerShell as managed .NET objects.
AddressSanitizer (ASan) for Windows with MSVC
We are pleased to announce AddressSanitizer (ASan) support for the MSVC toolset. ASan is a fast memory error detector that can find runtime memory issues such as use-after-free and perform out of bounds checks. Support for sanitizers has been one of our more popular suggestions on Developer Community, and we can now say that we have an experience for ASan on Windows, in addition to our existing support for Linux projects.
MSVC support for ASan is available in our second Preview release of Visual Studio 2019 version 16.4.
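A small program, added here as an example (it is not code from the Microsoft announcement), showing the two bug classes the post names, a heap out-of-bounds write and a use-after-free, next to a bounds-checked copy that does not trip the sanitizer. The build line assumes the released MSVC toolset, where the switch is `/fsanitize=address`; the 16.4 preview the post describes had its own build instructions, so follow those for that version. The input string and buffer size are constructed for the demonstration.

```c
/* asan_demo.c -- added example, not code from the Microsoft announcement.
 * Two bug classes ASan reports (heap-buffer-overflow, heap-use-after-free)
 * next to a bounds-checked copy that triggers neither.
 *
 * Build and run (assumed: released MSVC, where the switch is /fsanitize=address):
 *     cl /fsanitize=address /Zi asan_demo.c
 *     asan_demo.exe
 *
 * Both bugs are reached only from main(); the *_checked functions are safe.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* BUG: copies into a cap-byte heap buffer with no length check.
 * When strlen(src) >= cap the strcpy writes past the allocation;
 * ASan reports this as heap-buffer-overflow. */
char *copy_unchecked(const char *src, size_t cap)
{
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;
    strcpy(buf, src);
    return buf;
}

/* FIX: rejects input that does not fit (terminator included) and copies
 * an exact byte count, so the write can never leave the buffer. */
char *copy_checked(const char *src, size_t cap)
{
    size_t len = strlen(src);
    if (cap == 0 || len > cap - 1)
        return NULL;
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, len + 1);
    return buf;
}

/* Safe entry point: returns 1 if copy_checked accepted src and the copy
 * matches it, 0 if src was rejected because it does not fit in cap bytes. */
int checked_roundtrip(const char *src, size_t cap)
{
    char *buf = copy_checked(src, cap);
    if (buf == NULL)
        return 0;
    int ok = strcmp(buf, src) == 0;
    free(buf);
    return ok;
}

int main(void)
{
    /* Constructed input: 20 'A's into a 16-byte buffer. Under ASan this is
     * reported at the strcpy; without ASan it silently corrupts the heap. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAA";
    char *p = copy_unchecked(too_long, 16);
    printf("unchecked copy: %s\n", p ? p : "(null)");

    /* Second bug class: reading the buffer after it was freed.
     * ASan reports heap-use-after-free on the p[0] read. */
    free(p);
    if (p != NULL)
        printf("first byte after free: %c\n", p[0]);

    /* The hardened path: the oversized input is rejected, not overflowed. */
    printf("checked copy accepted (too long): %d\n", checked_roundtrip(too_long, 16));
    printf("checked copy accepted (fits):     %d\n", checked_roundtrip("short", 16));
    return 0;
}
```

Run the binary once with and once without the sanitizer switch: without it the overflow and the stale read usually pass unnoticed, which is exactly why a test suite that never runs under ASan can look clean while shipping both bugs.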
Why can’t I create a “Please wait” dialog from a background thread to inform the user that the main UI thread is busy?
When the dialog box sets the main UI window as its owner, this causes the input queues to become attached, at which point their fates become linked. In particular, the dialog box cannot show itself because doing so requires it to notify the owner window that the owner has lost activation, but that owner window is not responding to messages because it’s off doing the really long operation.
Specific instance of a more general problem. Doing the wrong thing with the wrong thread leads to sadness.
How did MS-DOS decide that two seconds was the amount of time to keep the floppy disk cache valid?
Taskbar Latency and Kernel Calls
I work quickly on my computer and I get frustrated when I am forced to wait on an operation that should be fast. A persistent nuisance on my over-powered home laptop is that closing windows on the taskbar is slow. I right-click on an entry, wait for the menu to appear, and then select “Close window”. The mouse movement should be the slow part of this but instead I find that the delay before the menu appears is the longest component.
What this says is that, over the course of two right-mouse clicks, RuntimeBroker.exe, thread 10,252, issued 229,604 ReadFile calls, reading a total of 15,686,586 bytes. That is an average read of 68 bytes each time.
One byte used to cost a dollar
Back in the days when software was distributed on floppy disks (remember floppy disks?), the rule of thumb for Windows was one byte costs a dollar.
In other words, considering the cost of materials, the additional manufacturing time, the contribution to product weight, the cost of replacing materials that became defective after they left the factory (e.g., during shipping), after taking data compression into account, and so on, the incremental cost of adding another megabyte to the Windows product was around one million dollars, or about a dollar per byte.
Down the Rabbit-Hole...
I often find it valuable to write simple test cases confirming things work the way I think they do. Sometimes I can’t explain the results, and getting to the bottom of those discrepancies can reveal new research opportunities. This is the story of one of those discrepancies; and the security rabbit-hole it led me down.
Any application, any user - even sandboxed processes - can connect to any CTF session. Clients are expected to report their thread id, process id and HWND, but there is no authentication involved and you can simply lie. Secondly, there is nothing stopping you pretending to be a CTF service and getting other applications - even privileged applications - to connect to you.
Even without bugs, the CTF protocol allows applications to exchange input and read each other’s content. However, there are a lot of protocol bugs that allow taking complete control of almost any other application.
Regarding disclosure: https://bugs.chromium.org/p/project-zero/issues/detail?id=1859#c10