Tag: Computers

Self-Viewing Data Files

Synetech Leave a comment

This article shows one way of creating self-viewing data files. Examples of such things include self-extracting archives and self-playing videos. Self-viewing data files are executable files that put the data and the viewing program together in a nice neat little packa-ge.

This will require two programs, the player and the creator. The player will be embedded as a resource inside the creator. The creator extracts the player (aka the “stub”) and saves it as the target file, then embeds the data file in that as a resource. The player, when run will read the data file from it’s resources and display it.

To accomplish this, there will need to be a few functions that access or manipulate resources. Here are the ones required and who the onus falls on:

StepFunctionResponsible
1Insert  viewing program as   resource into creator program   You, programmer
2Extract viewing program from resource and save to file       Creator program
3Insert  data file       as   resource into viewing program   Creator program
4Extract data file       from resource and save to file/displayViewing program

The obvious way to do this is to use the native resource functions. Unfortunately, the functions for updating resources is not available for Win9x systems, only the ones for reading them are. There is a way to add the missing support by using the MSLU but that adds to the size and requires including a DLL with the program. An easy alternative is to manually handle the “resources” by injecting them in and extracting them from the stub. This is the method used in this article. We’ll break down the work into the separate programs. First the player.

The Player (stub.exe)

Step 4
The viewing application (the stub) will need to be able to extract the data from itself. The data will be located at the end of the executable, followed by the size of the data (so that we know how much data there is), and finally a signature. Here is some (surprisingly) simple code—sans error checking—to read a chunk of plain text:

void ReadResource() {
    CFile  f;
    DWORD  sig =0;
    LONGLONG size =0;
    CString t =_T("");
    //open itself for reading
    if (f.Open(__argv[0], CFile::modeRead)) {
        //read the last 4 bytes of the file and check if it is the signature
        f.Seek(-((LONGLONG)sizeof(sig)), f.end);
        f.Read(&sig;, sizeof(sig));
        if (sig==0x12344321) {
            //read the size
            f.Seek(-((LONGLONG)(sizeof(size)+sizeof(sig))), f.end);
            f.Read(&size;, sizeof(size));
            if (size) {
                //seek to the start of the data
                f.Seek(-((LONGLONG)(size+sizeof(size)+sizeof(sig))), f.end);
                //allocate a buffer for the data and read it
                f.Read(t.GetBufferSetLength((UINT)size), (UINT)size);
                //display the read data in the edit control
                GetDlgItem(IDC_EDIT1)->SetWindowText(t);
            }
        }
        f.Close();
    }
}

Other types of data can be read in the same manner.

The Creator (create.exe)

Step 2
We can use the same technique as above to read the stub from the end of the creator program, but here is a way to do it with the normal method of using resources (which is supported):

//search for and locate the stub resource
HRSRC shstub=FindResource(NULL, MAKEINTRESOURCE(IDR_STUB), _T("BIN"));
if (shstub) {
    //verify the size of the stub
    DWORD rs=SizeofResource(NULL, shstub);
    if (rs) {
        //load the stub resource
        HGLOBAL hstub=LoadResource(NULL, shstub);
        if (hstub) {
            //lock the stub resource to get a pointer to it's first byte
            BYTE* stub=(BYTE*)LockResource(hstub);
            if (stub) {
                //create an executable file
                CFile stubf;
                if (stubf.Open("stub.exe", CFile::modeCreate|CFile::modeWrite)) {
                    //copy the stub to the file
                    stubf.Write(stub, rs);
                    stubf.Close();
                }
                UnlockResource(hstub);
            }
        }
    }
}

Step 3
The stub is now written to the disk but is just a viewer. We have to inject the data file for it to display:

//get the data to be injected (simple edit box in this case)
UpdateData();
CString  t =::GetWindowText(GetDlgItem(IDC_EDIT1));

CFile    f;
LONGLONG size=0;
DWORD    sig =0;

//open the player file
if (f.Open("myfile.exe", CFile::modeReadWrite)) {
    //we need to check if there's already something there
    //read the last 4 bytes from the player file and check if it's a signature
    f.Seek(-((LONGLONG)sizeof(sig)), f.end);
    f.Read(&sig;, sizeof(sig));
    if (sig
==0x12344321) {
        //there's already a resource there, so we'll have to replace it
        //read the size of the existing resource
        f.Seek(-((LONGLONG)(sizeof(size)+sizeof(sig))), f.end);
        f.Read(&size;, sizeof(size));
        if (size) {
            //add the size of the size and signature
            size+=sizeof(size)+sizeof(sig);
            //truncate the file, leaving just the stub
            f.SetLength(f.GetLength()-size);
        }
    }

    //seek to the end of the file
    f.Seek(0, f.end);
    size=t.GetLength();
    //write the data file to the stub
    f.Write(t.GetBuffer(), (UINT)size);
    //write the size of the data
    f.Write(&size;, sizeof(size));
    //write the signature
    sig=0x12344321;
    f.Write(&sig;, sizeof(sig));

    f.Close();
}

Step 1
Finally, we need to insert the stub into the creator program. If you are using the resource method, then it can be added as any other resource, making sure to use type BIN and using stub.exe as the source. If you are using the manual method, then you will need to manually append stub.exe to creator.exe, add the size of stub.exe, then the signature.

Now, just compile stub.exe, then creator.exe. Run the creator program and create some data. Click the export player button, and select the filename to save. The creator will read the stub, save it to disk, and inject the data. Now run the self-contained data/viewer file. It will extract the data from itself and display it.

Note: there are a couple of drawbacks to using this method. First, while it works, it is not part of the PE format standard. Future revisions of the PE format may break this, especially with the crackdown on code execution. Another potential problem is that some virus scanners may detect the modification of an executable as suspicious activity and thus have a bad reaction, causing itchy, watery eyes and a runny nose. The virus scanner can be circumvented however, by writing the stub to a non-executable file (say myfile.bin), then renaming it after the data has been injected.

Quieter, Smoother Computer

Synetech Leave a comment

Most computers come with fans to keep them running cool enough to avoid problems. Unfortunately, fans have moving parts, move fast, and stir air. All this results in quite a bit of noise which can cause headaches, not to mention being down right annoying. It also causes a lot of vibration which further adds to the noise, headaches, and annoyance. Some people get rid of their fans and use alternative cooling methods, however most of these are just too expensive for the regular computer user, and worse, too complicated. Good computer cases will come with rubber feet instead of the hard plastic ones that cheaper cases have. The rubber feet will absorb the vibrations instead of passing them to the desk, floor, or whatever surface the computer rests on. If your case does not have rubber feet, then you can add them if you are comfortable/able to open the case. If not (or even if your case does have rubber feet), there is a quick, easy, and cheap trick that can help to reduce vibration which will result in less noise and provide quieter, smoother computing environment.

Simply place a couple of foam-rubber mouse-pads beneath the computer. You’ve probably got a few lying around somewhere, or can easily buy a couple for under a dollar. The design does not matter, so you can get generic ones for less. The thick, foam-rubber kind work best, although even the thin rubber kinds are better than nothing. In either case, you just slip in under the computer to cushion it from the desk, making sure that the rubber side faces the computer. Even better, fold it in half (rubber side out), and you’ve got a vibration damping, noise canceling, double-cushioned, non-slip shim between the computer and the desk.

*UPDATE*
Here is a blog entry which says pretty much the same thing and includes pictures.

Tip: Smooth Mouse Scroll Wheel

Synetech Leave a comment

Here’s a tip for those with scroll mice. Take the clicker out of the wheel. Scroll mice usually accomplish the clicking of the scroll wheel by means of a spring or metal stick that press inside the wheel. Take this out, the wheel will turn nice and smooth. It may take a little getting used to, but it will soon feel great.

Of course you should realize that the clicking serves a function: to limit the movement of the wheel. If the scroll wheel is too loose, it may spin out of control without it, but normally it won’t. In fact, in some mice, the clicker may cause unwanted scrolling, so removing the clicker will eliminated that.

(The little metal stick inside my mouse broke recently, and I panicked because it was a fairly new, expensive mouse, but before I knew it I was hooked—pun intended. I never want to use a clicker again.)

Outlook Express Folder Compaction Error

Synetech Leave a comment

If you get the following message for FOLDERS.DBX when trying to “compact all folders” in Outlook Express

The folder is currently in use by Outlook Express or by another application.

there is a simple solution. The error message is deceptive since the actual cause has nothing to do with being in use. The problem occurs when you try to compact all folders and not all folders are actually present on disk. This can happen if a .DBX file got deleted somehow (for example if you decided to save some space by deleting the .DBX files of empty folders.) When OE tries to compact, it checks the folders.dbx file to see what .DBX files to expect, and when it can’t find one, it complains with the inaccurate message above.

The fix is simple, just replace or recreate the files. The easiest way to do this is to simply open the missing folders in OE because it will automatically create a .DBX file if one does not exist.

If you do not know which ones are missing, you can click on “Local Folders”, press the * key on the keypad to expand all branches, then click on each and every folder—you could also use the Down key instead of clicking, but then you have to wait a second on each folder for OE to open them, clicking opens them instantaneously.

After you’ve ensured that all .DBX files exist, you can successfully compact all folders.

Registry Cleaners/Repairers: Caveat Usurpator

Synetech Leave a comment

The registry is where Windows keeps most of it’s settings. It is also where most programs keep their settings. Ever since it was introduced in Windows 95, it has been a mysterious place where some people have dared to venture in the hopes of finding computing treasure. There are all kinds of articles on how and where to make modifications and tweaks to improve system performance, increase stability, add new features, and other enhancements to the OS.

One aspect of the registry that has been popular is the concept of cleaning or repairing it. The idea that it can get cluttered with traces of old, uninstalled programs, invalid file references, corruption, and manipulation by nasty programs, and that cleaning these out and repairing them, will help a system run better. There is of course truth in this, and making sure that the registry is free of debris is certainly a good thing. Unfortunately, doing so requires some skill and more patience than even the best of us have. It is now a vast storage with more entries than there are stars in the sky. A proper audit would take far too long. As a result, numerous programs have been written to help automate this process. They scan the registry for what they consider to be problems and list them for the user, eager to delete them. Unfortunately, few if any such programs does the job adequately or even properly. Most of them do little more than look for references to files that do not exist. Some will check other components as well, but searching for missing files tends to be the most popular function of these programs.

Modifying the registry is not always as hazardous as some would have you believe. There are plenty of changes that can be done or undone safely. Of course there are some which can make it extremely difficult to fix and can potentially require reinstalling the OS. Making changes to entries without noting what the previous value was, or deleting entries altogether, is an irreparable operation and so must be done carefully. The better cleaner/repair tools will allow you to back up the entries they modify before altering them, but some do not; be vary wary of these.

Another thing to look out for when using a registry cleaner/repair utility is whether or not it provides detailed explanations of the entries it deems problematic. If all it gives is a one-line reason (eg: missing file/invalid entry/etc) or says nothing at all, then you should be extremely careful. A proper utility will give you the option of viewing a thorough explanation of why they flagged an entry as being bad, and what it means. That way you can examine it and determine if it really is a problem or not.

The vast majority of these registry fixing applications return more false positives than they do genuine items to fix. There are numerous reasons why they can report a false positive:

MRUsA lot of apps keep track of files that have been opened with them and often the file no longer exists because they were temporary, moved, renamed, etc. So when the cleaner checks the MRU, it sees a file reference but the file is not there, so it complains.
Variables in filenamesMost of these types of apps are not capable of handling filenames that have variables in their path. For example while %systemroot%\explorer.exe is an existing file, the cleaner will nag that it can’t find it.
Other types of unsupported file pathThese apps usually only support simple filepahts (eg: c:\folder\file.exe) so they choke on other types of filenames like network paths (eg: “\\somecomputer\folder\file.exe”). Services often use this format: “\??\c:\myservice\service.sys” which they can’t read. URLs are another that can’t be checked by them. Some may, but most don’t support relative paths: “system32\blah.exe”.
Empty keysWhen some cleaners find an empty key(s) they figure that it’s just residue from an uninstalled program, and thus obsolete. This may be the case but no necessarily. It could just be that the app has not yet been run since installation, that the app hasn’t had reason to write to it yet, or that it uses the key itself as data: perhaps keeping a version number in the keyname, or using the fact that the key exists at all to indicate that the app is installed. Obviously removing it even though it’s empty, would mess things up.
Hidden/system files/folderSome of these apps are unable to determine if a file or folder exists if it is a hidden or system file/folder even if it does.
Special formatSome programs have entries that are in their own special format (eg: “something”=”c:\blah|The Blah Game|3|always”). These apps won’t be able to parse the value and identify just the file/folder part. (They should not be messing around with things they can’t handle anyway.)
Temp filesThere are often traces of temporary files, Internet caches, etc. left behind for a while. For example a browser may keep a list of it’s temporary files. When the user clears them out, they are still listed until the browser overwrites them with new entries, so the cleaner nags. Of course if the use cleared them through the browser, it should have wiped them from the registry as well, but the user may have manually cleared them or use another tool. In this case it’s perfectly fine since they are temp files, but the registry entries are still there. And, since the cleaner can’t tell the difference between an important file and a temp file, it complains about all.
Icon indexesPlain icon files (icon.ico) have a single icon while DLLs, ICLs, EXEs, and such may have more than one. In this case the specific icon inside is indicated in this manner: “c:\folder\icons.dll,32”. This means that the target is the 32nd icon in the file icons.dll. Almost all of these cleaners are unable to handle this and can’t find the file.

As you can see, the results from these apps are not very reliably and you should be wary of what they report. Not all of the entries they flag will be problems so you should examine them before making any changes. You should be aware that even if you run these programs immediately after a fresh installation of Windows, they will find quite a lot of things to complain about.

That’s not to say that you should not use these programs at all; they definitely have their use, just be careful. The best advice is to limit yourself to items you know for sure are incorrect, such as those for a program you have uninstalled, or for a file you deleted. If you are unsure about something, leave it be at least until after you have looked it up, and always make a backup (export a .REG file) so that you can recover from any mistakes.

Easy Rootkit Detection

Synetech Leave a comment

An easy way to detect most rootkits is to use an old technology: DOS.

Most (read, pretty much all) rootkits require some sort of file component. In fact all malware requires some sort of file to be loaded to perform it’s malfeasance. This is because malware is just software that does bad things and software means files. Even worms and other memory-resident applications require files at some point. This is why rootkits hijack directory listing commands to hide themselves.

So, how do you find files when they are being hidden? One way is to check the drive at a low-level, viewing the disk directly instead of using a file listing command. You can look at the disk and see if the entries in the cluster match up with the directory listing. This is a common method but has it’s drawbacks. For one thing, a decent rootkit would be able to hijack sector-level disk access and hide it’s entries just as it does with a directory listing command. Another problem is that it is difficult to use and can be unreliable.

Another easy to use method is to get a directory listing from within Windows, then boot into DOS mode and get another one, then compare the two. There are few if any DOS rootkits, but more importantly DOS is a lightweight, easy to control environment that can fit on a single floppy. This is important, because it means that you can ensure the integrity of a DOS boot disk because a minimal system needs just four files taking no more than 200KB. Make sure that the boot disk is reliable by making it from a secure system and then write-protecting it. Another option is to use a CD, for example a Windows 95/98 CD which allow you to boot to DOS.

To check for a Windows rootkit:

  1. Open a command prompt with the cmd command.

  2. Get a directory listing with dir c:\/s/a/o>d:\windir.txt.

  3. Reboot into pure DOS mode (do this ASAP after the previous step.)

  4. Get another directory listing with dir c:\/s/a/o>d:\dosdir.txt.

  5. Compare the two files (eg: WinDiff d:\dosdir.txt d:\windir.txt).

Obviously there will be some differences, since files are normally created, changed, and deleted while shutting down Windows. You’ll have to use your best judgement and possibly a reference or the Internet to determine which files that are different are malicious. To minimize the noise, make sure to clean up any temporary files and such before getting the listing.

If there is no rootkit, then the two listings should be more or less the same. If there is a rootkit present, then the DOS listing will reveal the hidden rootkit files.

One drawback to this method is that the built-in DIR command returns the directory listings in different formats in Windows and DOS. As a result, it will be difficult to do a straight comparison of the two listing files. For example this is a listing made in Windows:


 Volume in drive C is C-Windows
 Volume Serial Number is 0123-4567

 Directory of C:
Mar.03.03  03:03am           233,632 ntldr
Mar.03.03  03:03am            47,580 ntdetect.com
Mar.03.03  03:03am               193 boot.ini
Mar.03.03  03:03am              Windows
Mar.03.03  03:03am              Program Files
Mar.03.03  03:03am              Documents and Settings
               3 File(s)         48,638 bytes
               3 Dir(s)     123,456,789 bytes free

and the same in DOS (with DOSLFN for long file names on the right):


 Volume in drive C is C-WINDOWS  
 Volume Serial Number is 0123-4567
 Directory of C:
NTLDR              233,632  03-03-2003  03:03 ntldr
NTDETECT COM           502  03-03-2003  03:03 ntdetect.com
BOOT     INI           502  03-03-2003  03:03 boot.ini
WINDOWS                03-03-2003  03:03 Windows
PROGRA~1               03-03-2003  03:03 Program Files
DOCUME~1               03-03-2003  03:03 Documents and Settings
         3 file(s)         48,638 bytes
         3 dir(s)     123,456,789 bytes free

The formats are quite different and will require some reworking to make a comparison easy. One solution is to use a third party directory listing program instead of the built-in dir. A third party dir would give the listing in the same format in both Windows and DOS, just make sure that it can list anything, and everything (including hidden files, system files, volumes, etc.)

All software is limited and hackable, and malware is no different. With a little thought and the right tools, even a rootkit can be ferreted out.

Clean and Oil Those Fans

Synetech Leave a comment

Computers are not invulnerable to dust. They have a tendancy to get clogged up with plenty of dust which at best causes overheating. It is a good idea to regularly clean out all the dust in a system to keep it as cool as possible since dust is an insulator. Removing the dust will allow better airflow, especially through fins on heatsinks and lighten fan blades, allowing them to turn faster.

Another tip to keeping a computer running in peak condition is to oil fans. Anything that moves should be well lubricated to allow it to do so smoothly and fans are no exception. Every once in a while (at least once a year, depending on how dusty your environment is) you should remove the fans in your system, take them apart, and oil them.

To oil a fan, you need to disassemble it. This is the tricky part. To disassemble a fan, you need to remove any stickers that cover the capstan. Next, remove the washer that holds the capstan. You will need a pointy knife or something to do this. Usually they will be made of plastic, but sometimes metal. They will almost always be a small flat disc with a hole in the middle and have a cut (think of a “C” where the ends meet but do not attach). Once this is off, you can remove the fan blade assembly. Before oiling it, you should thouroughly clean it. All kinds of grime and grit can get in there and cause it to make noise, as well as slow it down and create friction heat. Once you’ve cleaned it, then you can oil it. The type of oil does not matter too much depending on the fan. Most fans are cheap anyway so you do not need to shell out for top of the line lubricant. Even vegitable oil is better than nothing in a pinch. Synthetic teflon lubricant can be found in any bicycle shop and works great. You should oil the parts that touch and move. This includes the capstan, and the hole in which it goes. You will also want to oil the joint where the capstan attaches to the blade hub and where the blade hub rests on the washer. Do not over-oil since that will just make a mess with no extra benefit. In fact you should probably clean up any excess before putting it back. Put the blade assembly back into the fan and give it a test spin. Make sure that it is running smoothly. Now place the holding washer back on the end of the capstan and finally the sticker. Put the fan back, plug it in, power it up, and watch it spin. You may want to consider comparing fan rotation speeds before and after. Also, make sure to notice the noise level after oiling.

Windows Themes Dialog

Synetech Leave a comment

The Display Properties dialog in Windows has a Themes tab which allows you to easily change the theme used. This allows you to quickly change color schemes, wallpaper, visual styles, icons, sounds, and more. The drop down lists available themes as well as an option to browse for a theme and another that allows you to find some themes online.

Using the scroll wheel makes it easy to change the selected option in a combo box but the one in the themes dialog is problematic because every time that the online option is selected, Windows immediately freezes while it tries to open a browser window and navigate to a web page where you can download new themes. Also, the browse option is annoying because as soon as you hit it, Windows opens a file browsing dialog. These two options make scrolling through the options very inconvenient. Worse still, the web page that you are taken to is completely useless. Instead of allowing you to download free themes, it is merely a page that offers you the option of buying theme software.

Fortunately the online selection can be altered or removed completely. You can change the URL of the site that you are taken to when you select the online option by changing this registry entry:


REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\DownloadSites\100]
"DisplayName"="@themeui.dll,-2015"
"URL"="http://localhost/"

Copy the code into a text file and give it a .REG extension then run it. When prompted to merge, say yes. The default code above will set the URL of the page to the local machine. If you are running a webserver you can create your own page and change the URL as necessary. Alternately you can set the URL to your favorite theme related web page where you normally download themes from.

You can change the text that is displayed in the combo box from the default of “More Themes Online…” to whatever you want by replacing the “@themeui.dll,-20154” in the above code.

To completely remove the “More Themes Online…” entry, just delete the whole DownloadSites key:


REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\DownloadSites]

I have not yet found a way to remove the Browse option but will post it as soon as I do.

Another problem with the Themes dialog is the way in which the Theme combo box is populated. There is no (known) way to set a directory where Windows should look for themes to list in this dialog. Windows fills the list by searching through each and every top level directory in the My Documents folder for .THEME files. What this means is that the dialog will go to the folder that “My Documents” is set to and check each folder in there for any .THEME files then add those to the list. It will not however check any deeper. For example, if you have:


"My Documents\doc"
"My Documents\mp3s"
"My Documents\mp3s\audiobooks"
"My Documents\styles"
"My Documents\styles\colorschemes"
"My Documents\styles\themes"
"My Documents\styles\wallpaper"
"My Documents\text"

Then the dialog will look in the following folder for .THEME files:


"My Documents\doc"
"My Documents\mp3s"
"My Documents\styles"
"My Documents\text"

In other words, it will look for theme files in many directories in which it has no business looking, and will miss some where it should be looking. If you have many folders in your “My Documents” folder, then it will take longer as it searches each one.

There is currently no known way to disable this behavior and set one or more specific directories for it to look in.

The worst part of all is that these actions occur every time that the Display Properties dialog is opened since the Themes tab is always the first one displayed.