0xbadfca11

@0xbadfca11
0xbadfca11 / .cpp
Last active Nov 3, 2019
Rename alternate data stream
View .cpp
#define WIN32_LEAN_AND_MEAN
#define STRICT_GS_ENABLED
#include <windows.h>
#include <cstdio>
#include <cstdlib>
int main()
{
#define file L"file"
#define stream1 L":stream"
@0xbadfca11
0xbadfca11 / .md
Created Dec 21, 2018
Windows ReFS bug
View .md

Summary

The Windows Server 2016 ReFS driver crashes when trying to mount a ReFS 3.4 volume disguised as ReFS 3.1.

Affected

  • Windows Server 2016
    Tested with KB4483229 applied

Not affected

  • Windows 10 v1809
  • Windows Server 2019

How to crash

  1. Boot from the install media of Windows 10 v1809.
View 頭の体操.md

char a = <...>;
2130466 >> a & 1;
What is this?

Source

https://twitter.com/kumagi/status/1014953960237436928

Required background knowledge

x86 shift instructions only look at the low 5 bits of the count

The count operand can be an immediate value or the CL register. The count is masked to 5 bits (or 6 bits if in 64-bit mode and REX.W is used). The count range is limited to 0 to 31 (or 63 if 64-bit mode and REX.W is used).

@0xbadfca11
0xbadfca11 / .md
Created Jun 10, 2018
Detecting WowA64 without using IsWow64Process2()
View .md

TL;DR: Use IsWow64Process2().

On WowA64, using IsWow64Process() or GetNativeSystemInfo() makes the system appear to be x86 Windows. This is believed to be intentional design rather than a bug. (Discussion of the reasons is omitted.)

However, the values returned by those APIs, and some behaviour of APIs other than IsWow64Process2(), differ from x86 Windows.

                                AMD64   x86   Arm64
IsWow64Process() *Wow64Process  TRUE    0     0
@0xbadfca11
0xbadfca11 / Flash Player eicar.docx.uuencode
Created Jun 10, 2018
The workaround in the Microsoft Security Advisory is wrong
View Flash Player eicar.docx.uuencode
View make_case_sensitive_directory.cpp
#define WIN32_LEAN_AND_MEAN
#define _ATL_NO_AUTOMATIC_NAMESPACE
#include <windows.h>
#include <atlbase.h>
#include <winternl.h>
#include <cstdio>
#include <cstdlib>
#pragma comment(lib, "ntdll")
#ifndef FILE_CS_FLAG_CASE_SENSITIVE_DIR
@0xbadfca11
0xbadfca11 / .cpp
Last active Aug 26, 2017
_fto132proc bug
View .cpp
#include <fenv.h>
#include <stdint.h>
#include <stdio.h>
extern "C" int64_t fto132proc(/* Passing by ST(0) */);
int main()
{
double f = UINT32_MAX + 0.9;
uint32_t h, l;
@0xbadfca11
0xbadfca11 / .cpp
Created Jun 29, 2017
WslLaunchInteractive
View .cpp
#define WIN32_LEAN_AND_MEAN
#define _ATL_NO_AUTOMATIC_NAMESPACE
#include <windows.h>
#include <atlbase.h>
#include <wslapi.h>
int main()
{
if (auto WslLaunchInteractivePtr = AtlGetProcAddressFn(LoadLibraryExW(L"wslapi", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32), WslLaunchInteractive))
{
@0xbadfca11
0xbadfca11 / .md
Last active Jul 4, 2017
Windows ReFS bug
View .md

Summary

The Windows ReFS driver crashes when enabling integrity streams on a large file.

Affected

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016 (with ReFS 1.2)
  • Windows 10 v1703 (with ReFS 1.2)

Not affected

  • Windows Server 2016 (with ReFS 3.1)