Can I Pull the Plug Now…?
- Mick Walsh, Special Agent, Miami Electronic Crimes Task Force
- 29 pages
- October 21, 2009
THE U.S. SECRET SERVICE
Investigates . . .
Counterfeit currency
Fraud involving U.S. financial obligations and securities
Crimes affecting other federally insured financial institutions
Threats against the President & other government officials
Telecommunications fraud
Access Device fraud
Identity fraud
Computer fraud
…
3 Levels of Training in the Secret Service
– Computer forensic examiners
– Network intrusion investigators
– Other agents who’ve taken a basic course in computer crime investigations
SOFTWARE
This is what we need…
1. Image RAM
2. Detect encryption
3. Detect networked data storage
This is what we want…
– Fewest number of tools possible to cover every situation
– Reliable
– Easy to use
– Small “footprint”
– Only trusted files are executed
– Can be run from different types of media
Lots of RAM imaging tools available…
My forensic lab uses FastDump Pro by HBGary, Inc.
– Supports all versions of Windows, all service packs, 32 & 64 bit
– Images up to 64 GB of RAM
– Relatively easy to use
– Small “footprint” in memory
– Also acquires the pagefile
– Loads its own trusted drivers & services
– Low cost for Pro version
– “Community Edition” is less capable, but it’s free
CryptHunter by the CERT Software Engineering Institute at Carnegie Mellon University detects whole disk encryption, as well as encrypted volumes and encrypted virtual disks.
– Works on Windows NT, 2000, XP, 2003 and Vista
– Relatively easy to use
– Easy to understand output
– Small “footprint”
– Creates a detailed log of files “touched” by CryptHunter
– It’s free for use by law enforcement!
Nmap is an open source utility for network mapping & security auditing. It shows hosts available on the network, what services the hosts are offering, operating systems, open ports, devices, etc.
– Runs on Windows NT, ME, 2000, XP, 2003 and Vista
– Not exactly easy to use, but the basics can be learned fairly quickly
– Straightforward output
– Small “footprint”
– Downside – free version must install WinPcap & MS Visual C++
– Can buy a version that runs directly from CD or USB
…
MASM is maintained by Microsoft and is an x86 assembler that consumes Windows and Intel syntax to produce a COFF executable. It supports both 16-bit and 32-bit sources. Fortunately, Microsoft’s Visual Studio IDE supports MASM programming with just a couple of project property changes. The prime objective of this article is to introduce the power of assembly code in terms of speed and full control over programs, which is typically not available in other programming languages. Even though there are numerous standalone editors and tools for this task, aspiring system or security programmers who have so far been limited to the .NET IDE can enter the real world of system programming using none other than the Visual Studio IDE.
Prerequisite
In this article, we will learn how to create both an EXE and a DLL using MASM with Visual Studio. Newcomers should have a basic knowledge of these technologies:
- MASM (Microsoft Macro Assembler) SDK Library
- VC++
Developing EXE using MASM
We shall demonstrate assembly programming by creating a simple Windows executable which shows “Hello World!” in a message box the moment it is started. This is a little tricky because the Visual Studio 2010 IDE doesn’t offer an explicit template for writing assembly code the way it does for C#, VC++ and VB.NET, although it does have a built-in option to compile and run assembly programs.
Opening New Project
We shall have to create a VC++ project solution to which an assembly code file is later added. Hence, open Visual Studio and choose an Empty Project of VC++ template type. There is no need to create a sub-directory for this empty solution, so uncheck the corresponding check box as follows:
Once the test_masm solution of VC++ type is created, go to the Solution Explorer, right-click the project and choose the Build Customizations option as follows:
The Build Customizations dialog lists the MASM compiler option, which is unchecked by default. This is the key option that must be enabled in order to edit and compile a native assembly code file.
Assembly Coding
As we have stated earlier, VS 2010 doesn’t provide assembly file templates, so instead select the project in the Solution Explorer, right-click to add a text file, and give it a *.ASM extension as follows:
Now, a blank text.asm file is added to our test_masm solution. Open it and paste the following assembly code, which is responsible for displaying a message box, as follows:
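The article’s own listing did not survive extraction, so the following is an added example (not the author’s code) of the kind of MASM32-style program the steps above build. It assumes the MASM32 SDK is installed at C:\masm32 on the same drive as the solution, so the `\masm32\include` and `\masm32\lib` paths resolve, and it uses the label `start` that the later entry-point setting refers to.

```asm
; Added example, not the article's listing. Assumes the MASM32 SDK is installed
; at C:\masm32 (its default), so \masm32\include and \masm32\lib resolve from the
; drive the solution lives on.
.386
.model flat, stdcall          ; 32-bit flat memory model, Win32 stdcall convention
option casemap:none           ; symbols are case-sensitive, as the .inc files expect

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
    szCaption db "test_masm", 0        ; message box title, NUL-terminated
    szText    db "Hello World!", 0     ; message box body, NUL-terminated

.code
start:                                  ; the label named under Linker > Advanced > Entry Point
    invoke MessageBox, NULL, addr szText, addr szCaption, MB_OK
    invoke ExitProcess, 0               ; no C runtime is linked, so exit explicitly
end start
```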
The assembly code file is written, but be patient: it is not yet ready to compile or execute, because some important project settings still remain.
Mandatory Project Configurations
Successful execution of an assembly code file with the Visual Studio IDE depends on an external library file that comes with the MASM SDK. Hence, choose project Properties by right-clicking the project in the Solution Explorer. Here, expand Linker, choose General, and in Additional Library Directories insert the paths of the include, lib and macros directories as follows:
Next, go to the Input section under Linker and add a reference to the masm32.lib file under Additional Dependencies:
It is not necessary to generate a manifest file for this kind of program, so disable it as follows:
Now go to System under Linker and set the SubSystem to Windows as follows:
Finally, set the entry point to start from the Advanced option under Linker; this determines where code execution begins. The entry point of the ASM file is the label in its .code section.
Now go to the Microsoft Macro Assembler section of the project properties, which appears only once an assembly file has been added to the solution directory and is otherwise hidden. Here, set the directory where the MASM SDK was installed earlier as follows:
Finally, everything is ready and the solution can be compiled. If the whole configuration is correct, a test_masm.exe file is created in the Debug folder of the solution.
Testing and Debugging
It is time to test the executable. When the exe is run, a “Hello World!” message box appears as follows:
We can even debug the assembly code by inserting a breakpoint at a specific location, and through the Registers window in the Debug menu we can observe all the CPU registers with their corresponding flags as follows:
We shall cover advanced debugging of an application in later articles. The following image shows the assembly code in debug mode, which helps us understand what is happening behind the scenes.
Although not strictly relevant to this article, it is worth knowing that we can disassemble any C++ file into its corresponding ASM code. The Visual Studio IDE has a built-in Disassembly option, which is very helpful for detecting a run-time bug such as a buffer overflow by viewing the compiled source as assembly code, as follows:
Developing DLL using MASM
In the previous section, we saw how to create an EXE file using MASM with VS 2010. We can also develop a library (DLL) using MASM programming, much like other technologies such as C#, VB and C++, and the methods in that DLL can then be used from a client application. The procedure for generating a DLL is almost the same as for an EXE but requires some subtle configuration changes. First of all, we have to set the Configuration Type to DLL in the General section, because now we are dealing with a DLL. This change is made from the project properties as follows:
And as we all know, DLL files are libraries that contain method definitions; an entry point is typically absent in a DLL file. Hence we have to change this setting as follows:
Finally, add a text file named masmlib with the ASM extension to the solution as before, and place in it the following code, which contains a test method and shows an alert during the load and unload of the DLL in the client program, as follows:
Finally, compile this program; the test_masm_dll DLL file is created in the Debug folder and can be referenced from a C++ program or from a MASM client program.
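The masmlib listing is likewise missing from the page, so here is an added example (not the author’s code) of a DLL skeleton matching the description above: a `DllMain` that raises an alert on load and unload plus one callable test method. It makes the same C:\masm32 path assumption as the EXE example, and the names `DllMain` and `TestMethod` are my own choices.

```asm
; Added example, not the article's listing. Assumes the MASM32 SDK at C:\masm32.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
    szCaption db "test_masm_dll", 0
    szLoad    db "DLL loaded into the client process", 0
    szUnload  db "DLL unloaded from the client process", 0
    szTest    db "TestMethod called", 0

.code
; The loader calls DllMain on process attach/detach. "end DllMain" below marks
; it as the module entry point, which is why the Linker entry-point setting
; must be left blank as described above.
DllMain proc hInstance:HINSTANCE, reason:DWORD, reserved:DWORD
    .if reason == DLL_PROCESS_ATTACH
        invoke MessageBox, NULL, addr szLoad, addr szCaption, MB_OK
    .elseif reason == DLL_PROCESS_DETACH
        invoke MessageBox, NULL, addr szUnload, addr szCaption, MB_OK
    .endif
    mov eax, TRUE                   ; non-zero tells the loader the attach succeeded
    ret
DllMain endp

; Test method a client can call after LoadLibrary/GetProcAddress.
TestMethod proc
    invoke MessageBox, NULL, addr szTest, addr szCaption, MB_OK
    ret
TestMethod endp

end DllMain
```

Exports are not automatic: list TestMethod in a module-definition (.def) file set under Linker > Input > Module Definition File, or pass /EXPORT:TestMethod on the linker command line. Calling MessageBox from DllMain runs user32 code under the loader lock, which Microsoft’s DllMain rules advise against, so keep the alert for this demonstration only and do real work in exported functions.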
Final Note
So, we have seen how to create both EXE and DLL files using the MASM programming language together with the Visual Studio IDE. In fact, such a task could be achieved with the bare MASM SDK, but .NET programmers typically fear assembly programming because of its unfamiliar syntax and platforms. Assembly language programming opens a new horizon of advanced coding in terms of faster code execution, exploit writing and shellcoding. Programmers are often comfortable with Visual Studio because of its numerous built-in features and functionality. Hence, this article is dedicated to those professionals who are planning to move towards system programming without leaving the .NET framework.