Monday, 20 September 2021

Surface Pro 4 display issues: clear registry cache

From this article - to clear the display cache:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Connectivity]


Saturday, 4 September 2021

HP EliteBook 840 G2 - WiFi keeps turning off

After a reinstall of Windows 10 on my HP EliteBook 840 G2, I found that I could not get the WiFi to work. 

The hardware WiFi button in the top right corner of the laptop was showing white. Whenever I disconnected the Ethernet cable, the globe symbol appeared in the system tray. If you turned WiFi on from this pop-up, you would see the list of SSIDs and then they would disappear one second later and the WiFi would show disconnected. The fact they appeared showed the adapter was physically working.

The machine dual-booted to Linux and there were no problems there, so this was clearly a Windows [driver] problem.

Nothing was visible in the Event Log.

I ran the network troubleshooter and it said:

Result of diagnosis: Problem found

Root cause:
Wireless capability is turned off

Detailed root cause:
Radio is off (SW switch)

Repair option:
Turn on wireless capability

The correct drivers had been installed.

I had unchecked the "Allow the computer to turn off this device to save power" option.


I uninstalled the drivers.

I installed the HP Wireless Button Driver.

The WiFi/LAN switching was turned off in the BIOS.

None of this worked.


In the end this post found the problem.

My list of network adapters included a TAP-Windows Adapter. This is deemed to be an Ethernet connection. Although you disconnect the physical Ethernet connection ("Ethernet" in my list), the Ethernet2 adapter remains virtually "connected". And Windows will not allow both an Ethernet and a WiFi connection to remain active simultaneously, so it turns off your WiFi again. Disabling this allowed the WiFi to work continuously.



Examining the TAP adapter, I could see it was installed by a VPN provider.

Clicking the properties, I could see a setting "Media Status". It defaulted to Always Connected. Setting this to "Application Controlled" meant that the adapter would only be active when the VPN demanded it, so it would be disabled at other times. This meant that if the physical Ethernet was disconnected and the VPN was not active, the TAP adapter would be disabled and WiFi would resume. Voila!





Wednesday, 25 August 2021

Visual Studio function address different in watch window from code

In my code I had:

#include <iostream>

void function2()
{
    std::cout << "Malware payload that should never be run!\n";
}

and

void (*pFun)() = &function2;

When I inspect pFun it returns the address 

0x0092141f {BufferOverrunExample.exe!function2(void)}

But in the watch window it is



Why the difference?

If we inspect 0x0092141f in the disassembly window:


You can see it simply jumps to the same address as shown in the watch window. This is a jump table entry.

Why?

This explains incremental linking:
c++ - Why doesn't VS2015 debugger show the function address correctly in the watch window? - Stack Overflow

"This behavior seems to be because of incremental linking. When it is enabled, the function is assembled in one memory address and another address contains a jump table entry with one jump instruction to the 'real' address. The function is always called by calling the jump table. If you disable incremental linking, the 'detour' via the jump table goes away and also your example case shows just one address.

Everything else seems to show the address to the jump table, but the 'printStuff' and '&printStuff' watch expressions show the actual address where the function code is located."
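The "jump table" entry is a single JMP rel32 (opcode E9), so following it to the real body is a five-byte decode. The following is an added example, not code from the post: the thunk bytes are constructed (a hypothetical ILT entry at the post's address 0x0092141f pointing at a made-up body at 0x00921cd0), and the function names are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a 32-bit x86 near relative jump (opcode E9 rel32), the single
 * instruction an incremental-link table (ILT) entry consists of.
 * thunk_addr is the address of the 5-byte entry; on success the target,
 * thunk_addr + 5 + rel32, is written to *target. */
bool decode_jmp_rel32(const uint8_t *code, uint32_t thunk_addr, uint32_t *target)
{
    if (code[0] != 0xE9)
        return false;
    /* rel32 is little-endian and signed; unsigned wraparound gives the
     * right answer for backward jumps too. */
    uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                   (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    *target = thunk_addr + 5 + rel;
    return true;
}

/* Constructed sample (not from the post's binary): an ILT entry at the
 * post's address 0x0092141f jumping to a hypothetical function body at
 * 0x00921cd0, i.e. rel32 = 0x00921cd0 - (0x0092141f + 5) = 0x8ac. */
static const uint8_t sample_thunk[5] = { 0xE9, 0xAC, 0x08, 0x00, 0x00 };
/* Constructed start of a function body: push ebp; mov ebp,esp; sub esp,... */
static const uint8_t sample_body[5]  = { 0x55, 0x8B, 0xEC, 0x83, 0xEC };

/* Follow the thunk if there is one; otherwise the address is already the body.
 * Useful when comparing a function pointer against an expected address in a
 * build that uses incremental linking. */
uint32_t resolve_function_address(const uint8_t *code, uint32_t addr)
{
    uint32_t target;
    return decode_jmp_rel32(code, addr, &target) ? target : addr;
}

int main(void)
{
    printf("thunk 0x%08x -> body 0x%08x\n", 0x0092141fu,
           resolve_function_address(sample_thunk, 0x0092141fu));
    printf("body  0x%08x -> body 0x%08x\n", 0x00921cd0u,
           resolve_function_address(sample_body, 0x00921cd0u));
    return 0;
}
```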



Linkers & Jump tables

Canary bytes, prologues and epilogues

Stack Guard

Address layout randomisation

CC bytes

Mitigate threats by using Windows 10 security features (Windows 10) - Windows security | Microsoft Docs



Friday, 6 August 2021

Terraform fails to import App Service Plan: ID was missing the `serverfarms` element

When importing an Azure App Service Plan using the resource ID copied from Azure Resource Explorer:

terraform import azurerm_app_service_plan.app "/subscriptions<mysubscriptionId>/resourceGroups<myresourcegroup>/providers/Microsoft.Web/serverFarms/<myAppServicePlan>"

I got the error:

Error: parsing Resource ID "XXX": ID was missing the `serverfarms` element

Note serverfarms is case sensitive and should be all lower case, whereas Azure Resource Explorer shows it in camelCase.

Monday, 2 August 2021

Friday, 30 July 2021

Can't upload files to GoDaddy Managed WordPress - 0 byte files and disconnects

I spent a couple of hours trying to work out why I could not upload files to GoDaddy's Managed WordPress.

I was using FileZilla on Windows 10, and connected via SFTP to the Managed Wordpress instance as detailed in GoDaddy's control panel.

Whenever I uploaded media to wp-content/uploads, it would error with 0-byte files and server disconnects.


The solution?

Bizarrely, disable and re-enable your NIC. Yes, I did say that.

https://uk.godaddy.com/community/Managed-WordPress-Hosting/Solution-SFTP-Upload-Issue-with-Managed-WordPress/td-p/15961

It's the first time I've ever experienced a software problem get fixed by disabling a NIC. What's the relationship between GoDaddy's SFTP server and your NIC? Maybe when it goes to sleep it doesn't fully restore in a way that allows SFTP to be negotiated correctly?

Monday, 26 July 2021

Touchpad jumps on Ubuntu on HP Elitebook 840 G2

The cursor would jump around when typing on an HP Elitebook 840 G2, running Ubuntu.

In the end the following settings worked:


Natural scrolling off

Tap to click off

Two finger scrolling on

Edge scrolling off



Help from here:

https://askubuntu.com/questions/894679/ubuntu-touchpad-issues-mouse-pointer-jumps-around


Saturday, 24 July 2021

Linux virtual machine emulator - for assembly programming

http://3zanders.co.uk/2017/10/13/writing-a-bootloader/

Uses NASM and QEMU to write a bootloader.



https://qemu-project.gitlab.io/qemu/system/gdb.html

https://www.bitdegree.org/learn/gdb-debugger#running-the-program-slowly

To use QEMU with GDB, use -s and -S. This sets it listening on port 1234 and halts the VM until gdb connects.

qemu-system-i386 -s -S -drive file=./boot.bin,cache=none,format=raw

In GDB, connect to QEMU:

target remote localhost:1234

  1. Use info reg to display all the CPU registers.
  2. Use x/10i $eip to display the code at the PC position.
  3. Use set architecture i8086 to dump 16 bit code. 
  4. set tdesc filename target.xml
  5. x/10i $cs*16+$eip to dump the next 10 lines of code at the PC position
  6. stepi

https://visualgdb.com/gdbreference/commands/x

To see the disassembled line

(gdb) show disassemble-next-line
Debugger's willingness to use disassemble-next-line is off.
(gdb) set disassemble-next-line on

then si



Machine boots:

info reg - show registers

cs = 0xf000
ip = 0xfff0

pc = (cs * 16) + ip
   = 0xF0000 + 0xFFF0
   = 0xFFFF0 (1048560)

This is 16 bytes from the top of the BIOS (at 1048575 or 0xFFFFF).

https://www.programmersought.com/article/33296090366/



Inspecting the program at 0xFFFF0:

x/16b 0xffff0

0xffff0: 0xea 0x5b 0xe0 0x00 0xf0 0x30 0x36 0x2f
0xffff8: 0x32 0x33 0x2f 0x39 0x39 0x00 0xfc 0x00

or looking at the instructions:

x/2i 0xffff0
0xffff0: ljmp   $0x3630,$0xf000e05b

which shows that opcode 0xEA is a (far) JMP
https://www.felixcloutier.com/x86/jmp

However this interpretation is a bug: the VM is running in real mode and GDB does not handle 16-bit code properly, even though we set architecture i8086.
https://stackoverflow.com/questions/59078290/memory-addressing-in-x86-real-mode?noredirect=1&lq=1

So we must download the target description file (target.xml) and load it:

set tdesc filename target.xml

Now running it again gives:

   0xffff0:  ljmp   $0xf000,$0xe05b
   0xffff5:  xor    %dh,0x322f
   0xffff9:  xor    (%bx),%bp
   0xffffb:  cmp    %di,(%bx,%di)
   0xffffd:  add    %bh,%ah
   0xfffff:  add    %al,(%bx,%si)
   0x100001: add    %al,(%bx,%si)
   0x100003: add    %al,(%bx,%si)
   0x100005: add    %al,(%bx,%si)
   0x100007: add    %al,(%bx,%si)

which gives us:

(0xf000 x 16) + 0xe05b = 0xF0000 + 0xE05B = 0xFE05B (1040475)

This jumps us to 0xFE05B.
This is 0x1FA4 (8100) bytes from the top of the BIOS (at 1048575 or 0xFFFFF).
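The two readings of the reset vector above differ only in how the operand bytes after 0xEA are grouped: ptr16:16 in 16-bit real mode, ptr16:32 when GDB assumes 32-bit code. This added example (not from the post) decodes the bytes dumped at 0xffff0 both ways and computes the real-mode linear address; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Real-mode physical address: 16-bit segment * 16 + 16-bit offset. */
uint32_t real_mode_linear(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + off;
}

/* The first 8 bytes the post dumps with x/16b 0xffff0. */
static const uint8_t reset_vector[8] =
    { 0xea, 0x5b, 0xe0, 0x00, 0xf0, 0x30, 0x36, 0x2f };

/* EA as the CPU executes it in 16-bit real mode: ljmp ptr16:16,
 * two-byte offset first, then two-byte segment. Returns 0 if not EA. */
int decode_ljmp16(const uint8_t *c, uint16_t *seg, uint16_t *off)
{
    if (c[0] != 0xEA) return 0;
    *off = (uint16_t)(c[1] | c[2] << 8);
    *seg = (uint16_t)(c[3] | c[4] << 8);
    return 1;
}

/* EA as GDB decoded it before the i8086 target description was loaded:
 * ljmp ptr16:32, a four-byte offset followed by a two-byte segment. */
int decode_ljmp32(const uint8_t *c, uint16_t *seg, uint32_t *off)
{
    if (c[0] != 0xEA) return 0;
    *off = (uint32_t)c[1] | (uint32_t)c[2] << 8 |
           (uint32_t)c[3] << 16 | (uint32_t)c[4] << 24;
    *seg = (uint16_t)(c[5] | c[6] << 8);
    return 1;
}

/* Where execution really goes after the reset vector: 0xfe05b. */
uint32_t reset_jump_target(void)
{
    uint16_t seg, off;
    if (!decode_ljmp16(reset_vector, &seg, &off)) return 0;
    return real_mode_linear(seg, off);
}

/* The bogus 32-bit offset GDB showed (ljmp $0x3630,$0xf000e05b). */
uint32_t reset_jump_misread_offset(void)
{
    uint16_t seg; uint32_t off;
    if (!decode_ljmp32(reset_vector, &seg, &off)) return 0;
    return off;
}
```

real_mode_linear(0xf000, 0xfff0) reproduces the 0xffff0 computed from the registers above, and reset_jump_target() gives 0xfe05b.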

Run stepi (execute one instruction):

   0xfe05b: cmpl   $0x0,%cs:0x62c8
   0xfe062: jne    0xfd0b0
   0xfe066: xor    %dx,%dx
   0xfe068: mov    %dx,%ss
   0xfe06a: mov    $0x7000,%esp
   0xfe070: mov    $0xf07c4,%edx
   0xfe076: jmp    0xfcf24
   0xfe079: push   %ebp
   0xfe07b: push   %edi
   0xfe07d: push   %esi




Reference for x86-32 (386):

http://ref.x86asm.net/coder32.html

Visual chart on the Opcodes: https://i.stack.imgur.com/VTxd0.jpg


Good Reference to the opcodes




Saturday, 17 July 2021

Wordpress infection

I inherited a WordPress site for a company. That company submitted adverts to Google which referenced the Website.

Infrequently, Google would reject the advert, saying the website had malicious code on it, and would reference URLs such as:

https://[pianistrefutationgoose.com]/sfp.js
https://[regulationprivilegescan.top]/advertisers.js
https://[coatsanguine.com]/pixel/pure

The site was submitted to various scanners but I could not find the problem.

Eventually the problem was found because the site encountered an issue and a Wordpress email described the problem.

Since WordPress 5.2 there is a built-in feature that detects when a plugin or theme causes a fatal error on your site, and notifies you with this automated email.

In this case, WordPress caught an error with one of your plugins, Monetization Code plugin.

WordPress version 5.7.2
Current theme: H-Code Child (version 1.1)
Current plugin: Monetization Code plugin (version 1.0)
PHP version 7.3.12

An error of type E_PARSE was caused in line 89 of the file /var/www/wp-content/plugins/mplugin.php. Error message: syntax error, unexpected end of file

The last part indicated the file in question, mplugin.php.

You also need to check the database.

https://acinonyxweb.agency/cybersecurity/your-website-is-probably-infected-without-your-knowing-it-how-to-detect-and-clean-viruses-from-wordpress/

SELECT * FROM `wp_options` WHERE (CONVERT(`option_name` USING utf8mb4) LIKE '%ad_code%' OR CONVERT(`option_value` USING utf8mb4) LIKE '%ad_code%' OR CONVERT(`autoload` USING utf8mb4) LIKE '%ad_code%') LIMIT 50

The wp-content\plugins\admin_ips.txt file contains a list of administrator IPs; when the website is accessed from these IPs the ad code is hidden, to stop you discovering it.