Skip to content

Instantly share code, notes, and snippets.

View 0xbadfca11's full-sized avatar
💭
I may be slow to respond.

0xbadfca11

💭
I may be slow to respond.
33 followers · 0 following
View GitHub Profile
@0xbadfca11
0xbadfca11 / wslapi.def
Last active April 22, 2019 11:06
EXPORTS
WslLaunch
@0xbadfca11
0xbadfca11 / 頭の体操.md
Created July 7, 2018 05:51
母音の判定

char a = <...>;
2130466 >> a & 1;
とは

ネタ元

https://twitter.com/kumagi/status/1014953960237436928

必要前提知識

x86のシフト命令は下位5ビットしか見ない

The count operand can be an immediate value or the CL register. The count is masked to 5 bits (or 6 bits if in 64-bit mode and REX.W is used). The count range is limited to 0 to 31 (or 63 if 64-bit mode and REX.W is used).

@0xbadfca11
0xbadfca11 / .md
Created June 10, 2018 12:19
IsWow64Process2() を使わずにWowA64を検出する

TLDR IsWow64Process2()使え。

WowA64ではIsWow64Process()GetNativeSystemInfo()を使うとx86版Windowsと誤認するようになっている。 バグではなく意図的な仕様と考えられる。(理由考察は省略)

しかしそれらのAPIで得られる値やIsWow64Process2()以外のAPIでも一部の挙動がx86版Windowsと違う。

AMD64 x86 Arm64
IsWow64Process() *Wow64Process TRUE 0 0
@0xbadfca11
0xbadfca11 / Flash Player eicar.docx.uuencode
Created June 10, 2018 06:22
Microsoft セキュリティ アドバイザリの回避策は間違っている
begin 644 Flash Player eicar.docx
M4$L#!!0`!@`(````(0`EQW`>Z@$``-\#```0``@!9&]C4')O<',O87!P+GAM
M;""B!`$HH``!````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M`````````````````````````````````````````````````````)R32V[;
M,!"&]P5Z!X'[F';JO@R:0>&@R*)M#%A)UBPULHE2)$%.C+C+9-.#=-=#]#"^
M2(=2K,AI5]7JG^%P],V#XNRNL<468C+>S=ED-&8%..TKX]9S=E5^/'G'BH3*
@0xbadfca11
0xbadfca11 / CreateDirectory.cpp
Last active March 5, 2018 05:20
BOOLEAN WINAPI RtlAreLongPathsEnabled()
#include <windows.h>
#include <atlalloc.h>
#include <atlcore.h>
#include <clocale>
#include <cstdio>
int wmain(int, PWSTR argv[])
{
setlocale(LC_ALL, "");
IFDYNAMICGETCACHEDFUNCTIONTYPEDEF(L"ntdll", BOOLEAN(WINAPI*)(), "RtlAreLongPathsEnabled", RtlAreLongPathsEnabled)
@0xbadfca11
0xbadfca11 / .cpp
Created June 29, 2017 15:26
WslLaunchInteractive
#define WIN32_LEAN_AND_MEAN
#define _ATL_NO_AUTOMATIC_NAMESPACE
#include <windows.h>
#include <atlbase.h>
#include <wslapi.h>
int main()
{
if (auto WslLaunchInteractivePtr = AtlGetProcAddressFn(LoadLibraryExW(L"wslapi", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32), WslLaunchInteractive))
{
@0xbadfca11
0xbadfca11 / .md
Last active June 13, 2017 08:04
Windows exFAT bug

Summary

Windows exFAT driver crashes when making huge file.

Affect

  • Windows XP with KB955704
  • Windows Server 2003 with KB955704
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2
@0xbadfca11
0xbadfca11 / What is .PFILE file extension.ja.md
Created February 17, 2017 13:02
What is .PFILE file extension

.PFILE 拡張子とは何か

Microsoft Rights Management Services

あなたが探している情報はこちらではないね?

Windows 10 の EFS

Windows 10 の新機能の一つで FAT16/FAT32/exFAT で EFS(Encrypting File System) が使用可能になりました。 公式にはバージョン 1607 からとありますが実際には FAT16/FAT32 ではバージョン 1507 から exFAT ではバージョン 1511 から使用可能でした。 暗号化されたファイルは Windows 10 以外からはファイル名の末端に .PFILE が付きます。 Windows 10 の EFS 以外でファイル名の末端を .PFILE に変えても Windows 10 で EFS として扱われることはありません。

Windows 10 同士で共有したい

NTFS の EFS の場合と同じ方法で可能です。