The historical significance of the Burgermaster drive-in restaurant
> In Windows 3.0, the data segment that recorded the locations of all the other data segments was named the BurgerMaster.
> The Burgermaster restaurant was so important that Bill Gates’s secretary kept it on speed dial. In fact, it wasn’t just on speed dial for Bill Gates’s secretary. It was a company-wide speed dial number. You could call them to order a burger, walk next door, and your order would be ready and waiting for you.
Microsoft's Chain of Fools
Hackers hit Norsk Hydro with ransomware
> The breach last March would ultimately affect all 35,000 Norsk Hydro employees across 40 countries, locking the files on thousands of servers and PCs. The financial impact would eventually approach $71 million.
> All of that damage had been set in motion three months earlier when one employee unknowingly opened an infected email from a trusted customer. That allowed hackers to invade the IT infrastructure and covertly plant their virus.
This is kinda fluffy, but somewhat interesting.
So We Don't Have A Solution For Catalina...Yet
> With the release of macOS 10.15 (Catalina), Apple has dropped support for running 32-bit executables and removed the 32-bit versions of system frameworks and libraries. Most Windows applications our users run with CrossOver are 32-bit and CrossOver uses a 32-bit Mac executable, system frameworks, and libraries to run them. This will break with Catalina.
And then comes the fun part:
> We have built a modified version of the standard C language compiler for macOS, Clang, to automate many of the changes we need to make to Wine’s behavior without pervasive changes to Wine’s source code.
> First, our version of Clang understands both 32- and 64-bit pointers. We are able to control from a broad level down to a detailed level which pointers in Wine’s source code need to be 32-bit and which 64-bit. Any code which substitutes for Windows at the interface with the Windows app has to use 32-bit pointers. On the other hand, the interfaces to the system libraries are always 64-bit.
snek - Python from PowerShell
> Snek is a cross-platform PowerShell module for integrating with Python. It uses the Python for .NET library to load the Python runtime directly into PowerShell. Using the dynamic language runtime, it can then invoke Python scripts and modules and return the result directly to PowerShell as managed .NET objects.
AddressSanitizer (ASan) for Windows with MSVC
> We are pleased to announce AddressSanitizer (ASan) support for the MSVC toolset. ASan is a fast memory error detector that can find runtime memory issues such as use-after-free and perform out of bounds checks. Support for sanitizers has been one of our more popular suggestions on Developer Community, and we can now say that we have an experience for ASan on Windows, in addition to our existing support for Linux projects.
> MSVC support for ASan is available in our second Preview release of Visual Studio 2019 version 16.4.
Why can’t I create a “Please wait” dialog from a background thread to inform the user that the main UI thread is busy?
> When the dialog box sets the main UI window as its owner, this causes the input queues to become attached, at which point their fates become linked. In particular, the dialog box cannot show itself because doing so requires it to notify the owner window that the owner has lost activation, but that owner window is not responding to messages because it’s off doing the really long operation.
Specific instance of a more general problem. Doing the wrong thing with the wrong thread leads to sadness.
How did MS-DOS decide that two seconds was the amount of time to keep the floppy disk cache valid?
Taskbar Latency and Kernel Calls
> I work quickly on my computer and I get frustrated when I am forced to wait on an operation that should be fast. A persistent nuisance on my over-powered home laptop is that closing windows on the taskbar is slow. I right-click on an entry, wait for the menu to appear, and then select “Close window”. The mouse movement should be the slow part of this but instead I find that the delay before the menu appears is the longest component.
> What this says is that, over the course of two right-mouse clicks, RuntimeBroker.exe, thread 10,252, issued 229,604 ReadFile calls, reading a total of 15,686,586 bytes. That is an average read of 68 bytes each time.
One byte used to cost a dollar
> Back in the days when software was distributed on floppy disks (remember floppy disks?), the rule of thumb for Windows was one byte costs a dollar.
> In other words, considering the cost of materials, the additional manufacturing time, the contribution to product weight, the cost of replacing materials that became defective after they left the factory (e.g., during shipping), after taking data compression into account, and so on, the incremental cost of adding another megabyte to the Windows product was around one million dollars, or about a dollar per byte.
Down the Rabbit-Hole...
> I often find it valuable to write simple test cases confirming things work the way I think they do. Sometimes I can’t explain the results, and getting to the bottom of those discrepancies can reveal new research opportunities. This is the story of one of those discrepancies; and the security rabbit-hole it led me down.
> Any application, any user - even sandboxed processes - can connect to any CTF session. Clients are expected to report their thread id, process id and HWND, but there is no authentication involved and you can simply lie. Secondly, there is nothing stopping you pretending to be a CTF service and getting other applications - even privileged applications - to connect to you.
> Even without bugs, the CTF protocol allows applications to exchange input and read each other’s content. However, there are a lot of protocol bugs that allow taking complete control of almost any other application.
Regarding disclosure: https://bugs.chromium.org/p/project-zero/issues/detail?id=1859#c10
When it absolutely, positively has to be there for the product demo overnight
> The person responsible for getting the fancy computer to Hawaii talked with the shipping company about the situation. At the time, they were Microsoft’s exclusive provider of overnight delivery services, and from how this story unfolds, it’s clear that they were serious about maintaining that status.
Adventures in application compatibility: Calling an internal function
> Of course, searching memory for a function to call is not exactly something documented and supported. Windows made some changes to how these functions operate, and that threw off their code that grovels the binary, and they ended up calling the wrong function.
Why was Windows for Workgroups pejoratively nicknamed Windows for Warehouses?
> Windows for Workgroups came with a network card, instructions for installing it, and even a screwdriver to assist with the installation. Now, there were two network cable standards at the time: BNC and 10Base-T. The network card that came with Windows for Workgroups 3.10 used BNC, which turned out to be the loser in the standards battle.
GeoWorks GEOS History - The Other Windows
> Back in the early ’90s, it wasn’t a sure thing that Microsoft Windows was going to take over the market, even though they had a clear lead over many of their competitors, thanks to MS-DOS. In fact, one of the iconic GUI-based experiences of the era, AOL, hedged its bets for a while, creating and maintaining a DOS version of its iconic pseudo-internet software using a GUI platform few were familiar with: GeoWorks. It was an operating system for an era when it wasn’t even a sure thing we’d have a modem. Today, we do a dive into the world of GEOS. It’s a pretty fascinating place.
What is WofCompressedData?
> The documentation for wofapi.h says merely “This header is used by Data Access and Storage.” For more information, it refers you to another web page that contains no additional information. WOF stands for Windows Overlay Filter, which is a nice name that doesn’t really tell you much about what it does or what it’s for.
> Changing the native NTFS file compression would be a disk format breaking change, which is not something taken lightly. Doing it as a filter provides much more flexibility. The downside is that if you mount the volume on a system that doesn’t support the Windows Overlay Filter, all you see is an empty file. Fortunately, WOF is used only for system-installed files, and if you are mounting the volume onto another system, it’s probably for data recovery purposes, so you’re interested in user data, not system files.
What should you do if somebody passes a null pointer for a parameter that should never be null? What if it’s a Windows Runtime class?
> If you put the cases of in-process and out-of-process callers together, you see that the conclusion is “Go ahead and dereference those pointers.” If the caller is in-process, then it’s okay to crash because you are crashing the caller’s process (which happens to be the same process that you are in). If the caller is out-of-process, then the RPC layer will prevent invalid null pointers from getting through.
> There’s an additional wrinkle to this general principle, however, for the case where you are implementing a Windows Runtime class.
The Resource Compiler defaults to CP_ACP, even in the face of subtle hints that the file is UTF-8
> Text editors nowadays will happily “help” you out by silently converting to UTF-8, but I don’t know of any that silently convert to Windows-1252.
Analysis of CVE-2019-0708 (BlueKeep)
> As always, I started with a BinDiff of the binaries modified by the patch (in this case there is only one: TermDD.sys). Below we can see the results.
If each thread’s TEB is referenced by the fs selector, does that mean that the 80386 is limited to 1024 threads?
> No, it doesn’t, because nobody said that the distinct values had to be different simultaneously.