A cacophony of ramblings from my potpourri of notes

Tuesday, July 26, 2005

Wednesday, July 20, 2005
Congratulations, you've installed DasBlog!
Be sure to visit all the options under "Configuration" in the Admin Menu Bar above. There are 16 themes to choose from, and you can also create your own.
Tuesday, July 19, 2005 11:00:00 PM (Pacific Standard Time, UTC-08:00)
dasBlog

Monday, July 18, 2005
Hi! I'm Abigail Grace Michaelis
Hi Everybody,
I was born last night, July 18, at 11:23 PM. I was 7 lbs. 9 oz. and 19.5 inches long. I'm a healthy little girl with a head full of dark hair like my sister had. It's a pleasure to meet you all and I look forward to seeing you in person.
Love,
Abigail
Monday, July 18, 2005 10:33:40 PM (Pacific Standard Time, UTC-08:00)
Personal | My Family

Saturday, July 16, 2005
Data Execution Prevention crashes Live Meeting
Last week I had trouble getting Live Meeting 7 to work. It launches successfully and joins me to the meeting but then an error dialog appears behind the application with the following message:
"An error occurred while creating an error report"
Hmmm... not exactly informative. Clicking anywhere shuts down Live Meeting 7. With Live Meeting 1 I had similar problems, although the application appeared to just freeze rather than "shut down."
It turns out that the issue is with Data Execution Prevention (DEP) and the resolution is described here. The instructions also work with Windows 2003 SP1. The specific file for Live Meeting 7 in Step 6 is actually %ProgramFiles%\Microsoft Office\Live Meeting 7\Console\7.1.\PWConsole.exe.
Saturday, July 16, 2005 1:58:22 PM (Pacific Standard Time, UTC-08:00)
Computer Related | Miscellaneous

Friday, July 15, 2005
Wow! C# Is Amazing
With C# and .NET you can:
- Copy a memory address into a byte array.
- Allocate memory that Data Execution Prevention (DEP) will let you execute, i.e. a page explicitly marked executable.
- Embed assembler instructions into a byte array.
- Execute the assembler instructions.
- Dispose of the allocated memory.
Not that I realized up front that I would use all of this functionality for my is-in-VM task with managed code, but in hindsight I am amazed at the power... to think this is managed code!
In yesterday's post, I showed some C/C++ code that executed assembler instructions to determine whether the computer was a virtual machine or not. In this post, I demonstrate the same results using managed code.
using System;
using System.Runtime.InteropServices;

class Program
{
    delegate void MethodInvoker();

    // Compile with /unsafe and target x86. The stub embeds a 32-bit absolute
    // address after the SIDT opcode; a 64-bit process would truncate it, and in
    // 64-bit mode the same encoding is RIP-relative anyway.
    static int Main(string[] args)
    {
        // Assign redpill: "sidt [disp32] ; ret"
        byte[] redpill = {
            0x0f, 0x01, 0x0d,        // asm SIDT instruction
            0x00, 0x00, 0x00, 0x00,  // placeholder for the address of matrix
            0xc3 };                  // asm RET instruction
        unsafe
        {
            // matrix receives the 6-byte IDTR image: 2-byte limit, 4-byte base.
            fixed (byte* matrix = new byte[6],
                   redpillPtr = redpill)
            {
                // Store the address of matrix into the four operand bytes
                // that immediately follow the SIDT opcode.
                *(uint*)&redpillPtr[3] = (uint)&matrix[0];
                using (VirtualMemoryPtr codeBytesPtr =
                    new VirtualMemoryPtr(redpill.Length))
                {
                    // Copy redpill's bytes into the executable memory block.
                    Marshal.Copy(redpill, 0, codeBytesPtr, redpill.Length);
                    // Retrieve a delegate that points at the assembler.
                    MethodInvoker method =
                        (MethodInvoker)Marshal.GetDelegateForFunctionPointer(
                            codeBytesPtr, typeof(MethodInvoker));
                    // Execute the assembler.
                    method();
                }
                // matrix[5] is the most significant byte of the IDT base address.
                if (matrix[5] > 0xd0)
                {
                    Console.WriteLine("Inside Matrix!");
                    return 1;
                }
                else
                {
                    Console.WriteLine("Not in Matrix.");
                    return 0;
                }
            } // fixed
        } // unsafe
    }
}
The code for MemoryManager and VirtualMemoryPtr, which demonstrates power points 2 and 5, is provided in my post earlier today.
Next stop... write low level drivers in managed code.
Friday, July 15, 2005 12:56:19 AM (Pacific Standard Time, UTC-08:00)
Computer Related | .Net
Using Marshal.GetDelegateForFunctionPointer() to Execute Assembler with Managed Code
I never noticed the Marshal.GetDelegateForFunctionPointer() function in the .NET Framework 2.0 until Devin Jenson posted about using it to run native assembly code from C#. This was a wonderfully timed post for me, as I was just putting the finishing touches on the code for my post on how to detect virtual machine execution. What Marshal.GetDelegateForFunctionPointer() enables is certainly impressive.
One thing Devin pointed out in his post was the need for VirtualAllocEx() and VirtualProtectEx() calls, so that the code being executed sits in a page marked executable rather than in ordinary data memory that Data Execution Prevention (DEP) refuses to run. Since I needed to make those calls anyway to port my C/C++ code, I decided to post how to do it here:
using System;
using System.Runtime.InteropServices;

class MemoryManager
{
    const uint MEM_COMMIT = 0x1000;
    const uint MEM_RESERVE = 0x2000;
    const uint MEM_RELEASE = 0x8000;
    const uint PAGE_EXECUTE_READWRITE = 0x40;

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress,
        UIntPtr dwSize, uint dwFreeType);

    // Release the whole region that AllocExecutionBlock() reserved and committed.
    // MEM_RELEASE requires dwSize == 0 and the base address returned by
    // VirtualAllocEx; MEM_DECOMMIT with the size would only decommit the pages
    // and leave the reserved address range in place. dwSize is kept in the
    // signature for callers that track it, but is not needed for the release.
    public static bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress,
        UIntPtr dwSize)
    {
        return VirtualFreeEx(hProcess, lpAddress, UIntPtr.Zero, MEM_RELEASE);
    }

    public static bool VirtualFreeEx(IntPtr lpAddress, UIntPtr dwSize)
    {
        return VirtualFreeEx(GetCurrentProcess(), lpAddress, UIntPtr.Zero, MEM_RELEASE);
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
        UIntPtr dwSize, uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
        UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    public static IntPtr AllocExecutionBlock(int size)
    {
        return AllocExecutionBlock(size, GetCurrentProcess());
    }

    // Returns a committed block (rounded up to whole pages by the OS) that DEP
    // will allow to execute. Win32Exception carries GetLastError() on failure.
    public static IntPtr AllocExecutionBlock(int size, IntPtr hProcess)
    {
        IntPtr codeBytesPtr;
        codeBytesPtr = VirtualAllocEx(
            hProcess, IntPtr.Zero,
            (UIntPtr)size,
            MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (codeBytesPtr == IntPtr.Zero)
        {
            throw new System.ComponentModel.Win32Exception();
        }
        // Redundant after an EXECUTE_READWRITE allocation, but this is the call
        // you would use to allocate PAGE_READWRITE, copy the code in, and only
        // then switch the page to PAGE_EXECUTE_READ so it is never writable and
        // executable at the same time.
        uint lpflOldProtect;
        if (!VirtualProtectEx(
            hProcess, codeBytesPtr,
            (UIntPtr)size,
            PAGE_EXECUTE_READWRITE, out lpflOldProtect))
        {
            throw new System.ComponentModel.Win32Exception();
        }
        return codeBytesPtr;
    }
}
Updating Devin's code to use MemoryManager involves replacing his Marshal.AllocCoTaskMem() call with MemoryManager.AllocExecutionBlock() and Marshal.FreeCoTaskMem() with MemoryManager.VirtualFreeEx(). However, since this is really a resource that requires disposal, I also created a struct for the purpose.
public struct VirtualMemoryPtr : IDisposable
{
    public VirtualMemoryPtr(int memorySize)
    {
        ProcessHandle = MemoryManager.GetCurrentProcess();
        MemorySize = (UIntPtr)memorySize;
        AllocatedPointer = MemoryManager.AllocExecutionBlock(memorySize, ProcessHandle);
        Disposed = false;
    }

    public readonly IntPtr AllocatedPointer;
    readonly IntPtr ProcessHandle;
    readonly UIntPtr MemorySize;
    bool Disposed;

    // Lets the struct be passed wherever an IntPtr is expected
    // (Marshal.Copy, Marshal.GetDelegateForFunctionPointer).
    public static implicit operator IntPtr(
        VirtualMemoryPtr virtualMemoryPointer)
    {
        return virtualMemoryPointer.AllocatedPointer;
    }

    #region IDisposable Members
    // A struct has no finalizer, so there is nothing to suppress; the caller's
    // using block guarantees Dispose() runs. Because this is a value type, a
    // copy carries its own Disposed flag, so keep one instance and do not copy it
    // around, or the block can be freed twice.
    public void Dispose()
    {
        if (!Disposed)
        {
            Disposed = true;
            MemoryManager.VirtualFreeEx(ProcessHandle,
                AllocatedPointer, MemorySize);
        }
    }
    #endregion
}
One thing I haven't figured out yet is why GetDelegateForFunctionPointer() is not declared as GetDelegateForFunctionPointer<TDelegate>(IntPtr ptr), since that would avoid the cast on the return.
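As an added illustration (not code from this post, from Devin's, or from the C# redpill post above, both of which it serves), here is the same allocate, copy, protect, execute, free sequence in C on POSIX, with mmap() and mprotect() standing in for VirtualAllocEx() and VirtualProtectEx(), which are Windows-only. It differs from MemoryManager in one deliberate way: the page is mapped read-write, the bytes are copied in, and only then is it switched to read-execute, so it is never writable and executable at the same time, which is what the VirtualProtectEx() call is really there for. The machine code bytes (a function that returns 42, for x86/x86-64 and AArch64) and all function names are constructed for this example.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Machine code for a function that returns 42, constructed for this example.
 * x86/x86-64: mov eax, 42 ; ret        AArch64: mov w0, #42 ; ret           */
#if defined(__x86_64__) || defined(__i386__)
static const uint8_t kReturn42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__)
static const uint8_t kReturn42[] = { 0x40, 0x05, 0x80, 0x52,   /* mov w0, #42 */
                                     0xc0, 0x03, 0x5f, 0xd6 }; /* ret         */
#else
#define EXAMPLE_NO_CODE_BYTES 1
#endif

typedef int (*int_fn)(void);

/* Round len up to whole pages; mmap()/mprotect() work at page granularity. */
static size_t page_round(size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (len + page - 1) / page * page;
}

/* Map a writable page, copy the code in, then swap the write bit for execute.
 * This is the POSIX equivalent of VirtualAllocEx(PAGE_READWRITE) followed by
 * VirtualProtectEx(PAGE_EXECUTE_READ): DEP/NX is satisfied without ever
 * holding an RWX mapping. Returns the executable address or NULL;
 * *out_size receives the mapping size for munmap(). */
void *alloc_exec(const void *code, size_t len, size_t *out_size)
{
    size_t size = page_round(len);
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, code, len);
    if (mprotect(p, size, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, size);
        return NULL;
    }
    /* x86 keeps the instruction cache coherent with stores; ARM does not,
     * so flush explicitly (the FlushInstructionCache() of the Win32 world). */
    __builtin___clear_cache((char *)p, (char *)p + len);
    *out_size = size;
    return p;
}

/* Place the bytes in executable memory, call them, release the mapping.
 * Returns the code's return value, or -1 if mapping failed or this
 * architecture has no constructed code bytes above. */
int run_return42(void)
{
#ifdef EXAMPLE_NO_CODE_BYTES
    return -1;
#else
    size_t size;
    void *p = alloc_exec(kReturn42, sizeof kReturn42, &size);
    if (p == NULL)
        return -1;
    int_fn fn;
    memcpy(&fn, &p, sizeof fn);   /* object pointer to function pointer without a cast warning */
    int result = fn();
    munmap(p, size);              /* VirtualFreeEx(hProcess, p, 0, MEM_RELEASE) */
    return result;
#endif
}

int main(void)
{
    printf("code returned %d\n", run_return42());
    return 0;
}
```

If you want to see DEP in action, skip the mprotect() call: the page stays read-write and the call into it dies with SIGSEGV (an access violation on Windows), which is exactly what happened to the char-array version of the redpill after XP SP2.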
Friday, July 15, 2005 12:38:39 AM (Pacific Standard Time, UTC-08:00)
Computer Related | .Net

Thursday, July 14, 2005
How to detect virtual machine execution
Several months ago I came across some C code that cleverly detected whether a process was running inside a virtual machine. It uses terms like "redpill" and "matrix" to signal whether the code is executing inside a virtual machine or not. The code places the SIDT assembler instruction into a char array and then executes it; SIDT stores the interrupt descriptor table register into a buffer, and an IDT base address in the range the hypervisors of the day relocated it to (rather than the one a native Windows kernel uses) gives the "virtual machine" verdict. The problem is that the code no longer works with Windows 2003 SP1 and Windows XP SP2.
The issue is caused by the addition of Data Execution Prevention (DEP), which those service packs enable on CPUs that support the no-execute (NX) page bit. DEP is a security countermeasure against buffer overflow exploits: it refuses to execute instructions from pages that hold only data (stack, heap, a char array) and runs code only from pages explicitly marked executable. It is a pretty cool feature, and it requires both processor and OS support.
To run under DEP (rather than to circumvent it) the instructions have to be placed in memory allocated with VirtualAllocEx() and VirtualProtectEx() using PAGE_EXECUTE_READWRITE for the protection. (Allocating PAGE_READWRITE, copying the bytes, and only then switching the page to PAGE_EXECUTE_READ is the stricter variant, since the page is then never writable and executable at once; the code below keeps the original's PAGE_EXECUTE_READWRITE.) Two caveats: the disp32 operand in the stub is an absolute address only in 32-bit code, because in 64-bit mode the same encoding is RIP-relative, so this is a 32-bit x86 build; and the IDT heuristic itself is fragile, since on multi-core hosts SIDT can return a different value depending on which core the thread happens to run on, and under hardware-assisted virtualization the guest sees its own IDT. Here is the updated C/C++ code:
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <tchar.h>
#include <cstring>
#include <iostream>
using namespace std;

// Print GetLastError() as text. Streaming the pieces avoids the fixed
// 80-character buffer a wsprintf() into a local array would need.
void WriteLastError()
{
    DWORD dw = GetLastError();
    LPTSTR lpMsgBuf = NULL;
    FormatMessage(
        FORMAT_MESSAGE_ALLOCATE_BUFFER |
        FORMAT_MESSAGE_FROM_SYSTEM |
        FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL,
        dw,
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        (LPTSTR) &lpMsgBuf,
        0, NULL );
    wcout << _T("ERROR(") << dw << _T("): ")
          << (lpMsgBuf ? lpMsgBuf : _T("")) << endl;
    LocalFree(lpMsgBuf);
}

// 32-bit x86 build only: the stub patches a 32-bit absolute address into the
// SIDT operand, and in 64-bit mode the same encoding is RIP-relative.
int _tmain()
{
    unsigned char matrix[6] = { 0 };          // receives the 6-byte IDTR image
    unsigned char redpill[] =
        "\x0f\x01\x0d\x00\x00\x00\x00\xc3";   // sidt [disp32] ; ret
    const SIZE_T codeSize = sizeof(redpill) - 1;  // 8 bytes, without the NUL
    HANDLE hProcess = GetCurrentProcess();
    int result = 0;

    // Patch the address of matrix into the four operand bytes after the opcode.
    *((unsigned*)&redpill[3]) = (unsigned)(UINT_PTR)matrix;

    LPVOID lpAddress = VirtualAllocEx(hProcess, NULL,
        codeSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (lpAddress == NULL)
    {
        WriteLastError();
        return -1;
    }

    // Redundant after an EXECUTE_READWRITE allocation, but this is the call that
    // would flip a PAGE_READWRITE block to PAGE_EXECUTE_READ once the bytes are in.
    // lpflOldProtect must point at a real DWORD; passing NULL makes the call fail.
    DWORD dwOldProtect = 0;
    BOOL success = VirtualProtectEx(
        hProcess, lpAddress, codeSize, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    if (!success)
    {
        WriteLastError();
        VirtualFreeEx(hProcess, lpAddress, 0, MEM_RELEASE);
        return -1;
    }

    memcpy(lpAddress, redpill, codeSize);
    FlushInstructionCache(hProcess, lpAddress, codeSize);
    ((void(*)())lpAddress)();

    // matrix[5] is the most significant byte of the IDT base address.
    if (matrix[5] > 0xd0)
    {
        wcout << _T("Inside Matrix!\n");
        result = 1;
    }
    else
    {
        wcout << _T("Not in Matrix.\n");
        result = 0;
    }

    // MEM_RELEASE needs dwSize == 0 and the base address from VirtualAllocEx.
    // (C++ has no try/finally; plain cleanup before return does the job.)
    VirtualFreeEx(hProcess, lpAddress, 0, MEM_RELEASE);
    return result;
}
Next I hope to demonstrate the same code in C# using the new Marshal.GetDelegateForFunctionPointer() function that Devin Jenson mentions.
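Added example, not part of the original post: the two mechanical pieces of the redpill that the code above does with a pointer cast and an unexplained matrix[5], written out in C so they can be checked without a hypervisor. It patches the SIDT operand explicitly, decodes the 6-byte IDTR image a 32-bit SIDT writes (so the "> 0xd0" test is visibly a test on the top byte of the IDT base), and goes one step beyond the post by computing the RIP-relative displacement the same opcode needs in 64-bit mode, where the absolute-address patch cannot work. The function names and the sample IDTR images are constructed for this example; the 0x80/0xff/0xe8 values in the comment are the ones the original redpill write-up reported, not measurements of any current hypervisor.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the 6-byte IDTR image that a 32-bit SIDT stores:
 *   bytes 0-1: 16-bit table limit
 *   bytes 2-5: 32-bit linear base address (little-endian)
 * so matrix[5] in the posts is the most significant byte of the IDT base. */
#define REDPILL_LEN 8

/* Emit "sidt [disp32] ; ret" with the absolute address of the 6-byte buffer
 * patched in. Valid for 32-bit x86 only, where ModRM 0x0d means disp32 absolute. */
void build_redpill_abs32(uint32_t buffer_addr, uint8_t out[REDPILL_LEN])
{
    static const uint8_t stub[REDPILL_LEN] =
        { 0x0f, 0x01, 0x0d, 0, 0, 0, 0, 0xc3 };
    memcpy(out, stub, REDPILL_LEN);
    /* explicit little-endian store; the posts do this with a pointer cast */
    out[3] = (uint8_t)(buffer_addr);
    out[4] = (uint8_t)(buffer_addr >> 8);
    out[5] = (uint8_t)(buffer_addr >> 16);
    out[6] = (uint8_t)(buffer_addr >> 24);
}

/* Same bytes in 64-bit mode: ModRM 0x0d is RIP-relative, so the operand is the
 * distance from the end of the 7-byte SIDT to the buffer, which must lie within
 * +-2 GiB of the code page. Returns 0 if it does not. (In 64-bit mode SIDT also
 * stores 10 bytes, a 16-bit limit plus a 64-bit base, so the buffer grows too.) */
int build_redpill_riprel(uint64_t code_addr, uint64_t buffer_addr,
                         uint8_t out[REDPILL_LEN])
{
    int64_t disp = (int64_t)(buffer_addr - (code_addr + 7));
    if (disp > INT32_MAX || disp < INT32_MIN)
        return 0;
    build_redpill_abs32((uint32_t)(int32_t)disp, out);
    return 1;
}

/* Decode what a 32-bit SIDT wrote. */
void decode_idtr32(const uint8_t idtr[6], uint16_t *limit, uint32_t *base)
{
    *limit = (uint16_t)(idtr[0] | (idtr[1] << 8));
    *base  = (uint32_t)idtr[2] | ((uint32_t)idtr[3] << 8)
           | ((uint32_t)idtr[4] << 16) | ((uint32_t)idtr[5] << 24);
}

/* The posts' verdict: an IDT base above 0xd0xxxxxx means "inside the Matrix".
 * The threshold sits between the values the original redpill write-up reported:
 * 0x80xxxxxx on bare-metal Windows, 0xffxxxxxx under VMware, 0xe8xxxxxx under
 * Virtual PC. Returns 1 for VM, 0 for native. */
int redpill_verdict(const uint8_t idtr[6])
{
    uint16_t limit;
    uint32_t base;
    decode_idtr32(idtr, &limit, &base);
    return (base >> 24) > 0xd0;
}

int main(void)
{
    /* Constructed sample inputs, not captured from a real machine. */
    const uint8_t native_idtr[6] = { 0xff, 0x07, 0xff, 0xff, 0xff, 0x80 };
    const uint8_t vmware_idtr[6] = { 0xff, 0x07, 0x00, 0x80, 0xc1, 0xff };
    uint8_t stub[REDPILL_LEN];
    int i;

    build_redpill_abs32(0x0012ff5c, stub);
    printf("32-bit stub:");
    for (i = 0; i < REDPILL_LEN; i++) printf(" %02x", stub[i]);
    printf("\n");

    build_redpill_riprel(0x00401000, 0x00403000, stub);
    printf("64-bit stub:");
    for (i = 0; i < REDPILL_LEN; i++) printf(" %02x", stub[i]);
    printf("\n");

    printf("native sample -> %d, vmware sample -> %d\n",
           redpill_verdict(native_idtr), redpill_verdict(vmware_idtr));
    return 0;
}
```

The verdict function makes the weakness of the heuristic plain: it is a comparison against a hard-coded address range that depends on where a particular hypervisor of a particular year placed the guest's IDT, which is why the check stops meaning anything on multi-core hosts and under hardware-assisted virtualization.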
Wednesday, July 13, 2005 11:19:25 PM (Pacific Standard Time, UTC-08:00)
Computer Related | .Net

Wednesday, July 13, 2005
Productive Nanosystems: from Molecules to Superproducts
Wowzers! Sign me up for technology in this decade!
From Mark Sims' post (which I encountered via KurzweilAI.net):
"Visualizing nanosystems and molecular manufacturing is a major challenge in communicating the power of this technology. To help address this problem, a new computer-generated animated short film called "Productive Nanosystems: from Molecules to Superproducts" has been produced.
This was a collaborative project of animator and engineer, John Burch, and pioneer nanotechnologist, Dr. K. Eric Drexler. The film depicts an animated view of a nanofactory and demonstrates key steps in a process that converts simple molecules into a billion-CPU laptop computer.
To view 'Productive Nanosystems: from Molecules to Superproducts', visit the Download Area of the Nanorex site. Be patient as this animation is large (60 MB) and takes time to download."
I've heard of the idea of printing to manufacture three-dimensional widgets, but this brings an entirely new level of complexity and capability to the idea. I highly recommend this four-minute animation. Don't miss that this envisions an appliance the size of which you could keep on your kitchen counter or garage workbench.
Wednesday, July 13, 2005 12:01:30 AM (Pacific Standard Time, UTC-08:00)
Computer Related | Miscellaneous

Sunday, July 03, 2005
That's what your eyes are for
Yesterday, Benjamin was helping a neighbor plant some flowers. I stopped by to check on him and as I was leaving the neighbor bumped her head on a flower pot and commented on how she should look where she is going. Benjamin helpfully pointed out, "that's what eyes are for" accompanied by all the appropriate voice inflections that indicate how helpful a comment like that is.
Thanks Benjamin!
(If it wasn't that all the quotes are in the family category, I think I would add a new category for "Kids say the darnedest things.")
Sunday, July 03, 2005 5:50:03 AM (Pacific Standard Time, UTC-08:00)
Personal | My Family