Archive for the ‘Notes on Guide to Windows Security’ Category

Reading Notebook: 16-September-09

Wednesday, September 16th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

InitOnceExecuteOnce API, synchronous (p. 197) - new in Vista and W2K8, http://msdn.microsoft.com/en-us/library/ms683493(VS.85).aspx

InitOnceBeginInitialize / InitOnceComplete API, asynchronous (p. 197) - code examples for one-time initialization: http://msdn.microsoft.com/en-us/library/ms686934(VS.85).aspx

Dynamic worker threads (pp. 199 - 200)

ALPC (pp. 202 - 206) - ALPC is used extensively in terminal services environments. Here is the sample output from WinDbg to mine for ALPC wait chains in frozen systems and blocked services: 

1: kd> !process 0 ff

[...]

THREAD fffffa8006ef7060  Cid 0350.279c  Teb: 000007fffffa4000 Win32Thread: fffff900c22904f0 WAIT: (WrLpcReply) UserMode Non-Alertable
    fffffa8006ef73f0  Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff880104eecf0 : queued at port fffffa80060d4c80 : owned by process fffffa8004c39040
IRP List:
    fffffa8006d21c60: (0006,03a0) Flags: 00060030  Mdl: 00000000
    fffffa8005f876c0: (0006,03a0) Flags: 00060030  Mdl: 00000000
Not impersonating
DeviceMap                 fffff88000007450
Owning Process            fffffa80057844d0       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      10908131       Ticks: 18864 (0:00:04:54.750)
Context Switch Count      12660                 LargeStack
UserTime                  00:00:00.671
KernelTime                00:00:00.578
Win32 Start Address 0x000007fefe51fdec
Stack Init fffffa6006249db0 Current fffffa6006249670
Base fffffa600624a000 Limit fffffa6006243000 Call 0
Priority 13 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffffa60`062496b0 fffff800`016a36fa nt!KiSwapContext+0x7f
fffffa60`062497f0 fffff800`0169835b nt!KiSwapThread+0x13a
fffffa60`06249860 fffff800`016cd4e2 nt!KeWaitForSingleObject+0x2cb
fffffa60`062498f0 fffff800`01916d14 nt!AlpcpSignalAndWait+0x92
fffffa60`06249980 fffff800`019137a6 nt!AlpcpReceiveSynchronousReply+0x44
fffffa60`062499e0 fffff800`0190330f nt!AlpcpProcessSynchronousRequest+0x24f
fffffa60`06249b00 fffff800`016a0ef3 nt!NtAlpcSendWaitReceivePort+0x19f
fffffa60`06249bb0 00000000`774d756a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`06249c20)
00000000`029decd8 00000000`00000000 0x774d756a

1: kd> !alpc /m fffff880104eecf0

Message @ fffff880104eecf0
  MessageID             : 0x053C (1340)
  CallbackID            : 0xC26264 (12739172)
  SequenceNumber        : 0x0000031F (799)
  Type                  : LPC_REQUEST
  DataLength            : 0x0048 (72)
  TotalLength           : 0x0070 (112)
  Canceled              : No
  Release               : No
  ReplyWaitReply        : No
  Continuation          : Yes
  OwnerPort             : fffffa800a7804d0 [ALPC_CLIENT_COMMUNICATION_PORT]
  WaitingThread         : fffffa8006ef7060
  QueueType             : ALPC_MSGQUEUE_PENDING
  QueuePort             : fffffa80060d4c80 [ALPC_CONNECTION_PORT]
  QueuePortOwnerProcess : fffffa8004c39040 (svchost.exe)
  ServerThread          : fffffa800aa8c700
  QuotaCharged          : No
  CancelQueuePort       : 0000000000000000
  CancelSequencePort    : 0000000000000000
  CancelSequenceNumber  : 0x00000000 (0)
  ClientContext         : 0000000004e87390
  ServerContext         : 0000000000000000
  PortContext           : 0000000005615340
  CancelPortContext     : 0000000000000000
  SecurityData          : 0000000000000000
  View                  : 0000000000000000

1: kd> !alpc /p fffffa80060d4c80
Port @ fffffa80060d4c80
  Type                      : ALPC_CONNECTION_PORT
  CommunicationInfo         : fffff88007f66ba0
    ConnectionPort          : fffffa80060d4c80
    ClientCommunicationPort : 0000000000000000
    ServerCommunicationPort : 0000000000000000
  OwnerProcess              : fffffa8004c39040 (svchost.exe)
  SequenceNo                : 0x00000000 (0)
  CompletionPort            : fffffa80057d8040
  CompletionList            : 0000000000000000
  MessageZone               : 0000000000000000
  ConnectionPending         : No
  ConnectionRefused         : No
  Disconnected              : No
  Closed                    : No
  FlushOnClose              : Yes
  ReturnExtendedInfo        : No
  Waitable                  : No
  Security                  : Static
  Wow64CompletionList       : No

  Main queue is empty.

  Large message queue is empty.

  Pending queue has 192 message(s)

    fffff88012c7e030 0000201c 0000000000013f88:00000000000154fc 0000000000000000 fffffa8008573a30 LPC_CANCELED
    fffff88009a98cf0 0000221c 0000000000000b04:00000000000109b4 fffffa800b533bb0 fffffa8008ee7bb0 LPC_REQUEST
    fffff880129b9cf0 00001ffc 00000000000067d8:000000000000a85c fffffa800a032060 fffffa800a408060 LPC_REQUEST
    fffff8800ed62cf0 00001ea4 0000000000012c1c:0000000000013238 fffffa800afbcbb0 fffffa800bbf1060 LPC_REQUEST
    fffff88011fa7cf0 000014ec 0000000000000b04:0000000000013a38 fffffa80072c6bb0 fffffa800b4d2700 LPC_REQUEST
    fffff8801001e980 0000159c 000000000000b25c:0000000000003004 fffffa8006ebcbb0 fffffa8009c25060 LPC_REQUEST
    fffff88009a56cf0 00001f94 0000000000012940:0000000000015478 fffffa800a75d700 fffffa800b4b8060 LPC_REQUEST
[...]
    fffff880129aa640 000018f0 000000000000d31c:00000000000147c0 fffffa800ab9bbb0 fffffa8006ffb560 LPC_REQUEST
    fffff88008b29ac0 0000152c 000000000000fa5c:000000000000faa4 0000000000000000 fffffa800abadbb0 LPC_CANCELED
    fffff88009eaa460 000005dc 000000000000e13c:000000000000e3d4 fffffa800921b630 fffffa800a191060 LPC_REQUEST

  Canceled queue is empty.
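The wait chain mined from this output (client thread, the ALPC message it waits on, the port and the server process that owns it) can be extracted automatically. The following Python is an added example, not from the book or the post; it parses a constructed "!process 0 ff" excerpt (the first thread reuses the values above, the other two threads are made up) and reports which server process is holding up client threads and for how long:

```python
import re
from collections import Counter

# Constructed "!process 0 ff" excerpt: first thread reuses the values above, the rest are made up.
SAMPLE = """\
THREAD fffffa8006ef7060  Cid 0350.279c  Teb: 000007fffffa4000 Win32Thread: fffff900c22904f0 WAIT: (WrLpcReply) UserMode Non-Alertable
Waiting for reply to ALPC Message fffff880104eecf0 : queued at port fffffa80060d4c80 : owned by process fffffa8004c39040
Owning Process            fffffa80057844d0       Image:         svchost.exe
Wait Start TickCount      10908131       Ticks: 18864 (0:00:04:54.750)
THREAD fffffa8007000001  Cid 0350.1234  Teb: 000007fffffa2000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
Waiting for reply to ALPC Message fffff880104ee001 : queued at port fffffa80060d4c80 : owned by process fffffa8004c39040
Owning Process            fffffa80057844d0       Image:         svchost.exe
Wait Start TickCount      10927000       Ticks: 120 (0:00:00:01.875)
THREAD fffffa8007000002  Cid 0444.0abc  Teb: 000007fffffa1000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
Owning Process            fffffa8005000000       Image:         lsass.exe
Wait Start TickCount      10927010       Ticks: 30 (0:00:00:00.468)
"""

THREAD_RE = re.compile(r"^THREAD (?P<thread>[0-9a-f]+)\s+Cid (?P<cid>[0-9a-f.]+).*WAIT: \((?P<reason>\w+)\)")
ALPC_RE = re.compile(r"Waiting for reply to ALPC Message (?P<msg>[0-9a-f]+) : queued at port "
                     r"(?P<port>[0-9a-f]+) : owned by process (?P<server>[0-9a-f]+)")
OWNER_RE = re.compile(r"^Owning Process\s+(?P<client>[0-9a-f]+)\s+Image:\s+(?P<image>\S+)")
TICKS_RE = re.compile(r"Ticks: (?P<ticks>\d+) \((?P<elapsed>[\d:.]+)\)")

def parse_alpc_waits(text):
    """One record per thread blocked in WrLpcReply waiting for an ALPC reply."""
    records, cur = [], None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:  # new THREAD block: keep the previous one only if it was an ALPC wait
            if cur and "msg" in cur:
                records.append(cur)
            cur = m.groupdict()
        elif cur is not None:
            for rx in (ALPC_RE, OWNER_RE, TICKS_RE):
                m = rx.search(line)
                if m:
                    cur.update(m.groupdict())
    if cur and "msg" in cur:
        records.append(cur)
    return records

def blocked_by_server(records):
    """How many client threads each server process (the port owner) is holding up."""
    return Counter(r["server"] for r in records)

def long_waits(records, min_ticks):
    """Waits at or above min_ticks: candidates for the head of a frozen wait chain."""
    return [r for r in records if int(r.get("ticks", 0)) >= min_ticks]
```

On a real dump, feed the whole "!process 0 ff" output to parse_alpc_waits and then look at the server process with the highest count via "!alpc /p" on its port, as done above.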

The .NET Developer’s Guide to Windows Security by M. Brown:

Developing code in non-privileged way: two logons (p. 35)

whoami command (p. 37) - whoami /all

netsh command (p. 37)

runas /netonly (p. 39)

Nested runas commands (p. 40)

Debugger Users group (p. 41) 

Run - install assumption (p. 46) - Got an idea for a bugtation: “You must assume that your program will be” coded “by one person and” debugged “by another!”

Least privilege for installer design (p. 46)

Software Requirements & Specifications by M. Jackson:

Indicative mood of formalizations (p. 9)

Application domain vs. generic domain and app. domain vs. environment (p. 9)

Structured Analysis of DeMarco / Gane / Sarson - the danger of thinking in terms of a machine when looking at the existing system (p. 10)

Construction of difficulty from simplicity in software development, shorter vs. longer problem description spans (pp. 12 - 14) - lesson: create one structural UML diagram that covers all possible problem spans

Different views on the origin of software development disasters (pp. 14 - 15) - the view from a memory dump analysis engineer: study crash dump analysis patterns (by applying bijectionism) and learn from them. Software artifacts are memory dumps. Software development is memory change.

Software technology as technology of description (p. 17) 

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 08-September-09

Tuesday, September 8th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

The .NET Developer’s Guide to Windows Security by M. Brown:

The principle of least privilege as software construction mindset (pp. 17 - 18)

Close a resource as you finish to avoid security intra-context leaks (p. 18)

Always think about failure (p. 23)

Multifactor authentication (p. 25) - Useful mnemonic HKM (Have, Know, Made of) 

Default modes in Kerberos and SSL: client to prove identity and server to prove identity (p. 26)

Did you complete identity proof by checking GUI details? (p. 26)

The luring attack (p. 27)

“Security Is a Process, Not a Product” by B. Schneier (p. 32) - Thinking analogically, regarding supportability, software engineers need to write maintainable code with a support engineer in mind.

Software Requirements & Specifications by M. Jackson:

Need to read this book to refresh my past software design and architecture knowledge

Software development as logic and math, as socio-ethical challenge, as labour employment relations, as problem in manufacturing control, as engineering (p. 1) - I see it as memory changes 

Distinction between machine and app domain: how and what (p. 1) - Modeling?

Requirements are in app domain (p. 2)

The importance of explicit and precise domain descriptions (p. 2)

Modeling is always incomplete, coincidental similarity of many OO descriptions to the real world (p. 3)

Specification as interface description between machine and app domain (p. 3)

Scope vs. Span: classes vs. areas (pp. 3 - 4)

Partial descriptions as separating concerns (p. 4)

Moods in description: optative (what we want) and indicative (is) (p. 4)

The importance of problem frames and multi-frame problems (pp. 4 - 5)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 07-September-09

Monday, September 7th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Queued spinlocks - spinning on a per-processor flag and FIFO ordering (p. 175) - Basic algorithm is described in this paper (section 2.1): Scalable Queue-Based Spin Locks with Timeout http://www.cs.rice.edu/~wns1/papers/2001-PPoPP-QBLTO.pdf

Executive resource is not a dispatcher object (p. 179) - Indeed it doesn’t start with _DISPATCHER_HEADER:

0: kd> dt _ERESOURCE
nt!_ERESOURCE
   +0x000 SystemResourcesList : _LIST_ENTRY
   +0x010 OwnerTable       : Ptr64 _OWNER_ENTRY
   +0x018 ActiveCount      : Int2B
   +0x01a Flag             : Uint2B
   +0x020 SharedWaiters    : Ptr64 _KSEMAPHORE
   +0x028 ExclusiveWaiters : Ptr64 _KEVENT
   +0x030 OwnerEntry       : _OWNER_ENTRY
   +0x040 ActiveEntries    : Uint4B
   +0x044 ContentionCount  : Uint4B
   +0x048 NumberOfSharedWaiters : Uint4B
   +0x04c NumberOfExclusiveWaiters : Uint4B
   +0x050 Reserved2        : Ptr64 Void
   +0x058 Address          : Ptr64 Void
   +0x058 CreatorBackTraceIndex : Uint8B
   +0x060 SpinLock         : Uint8B

0: kd> dt _KSEMAPHORE
nt!_KSEMAPHORE
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 Limit            : Int4B
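The "does it start with _DISPATCHER_HEADER" check can be applied to any dt listing. The following Python is an added example, not from the book or the post; it parses a constructed excerpt of the structure dumps from this entry (_ERESOURCE trimmed to a few fields) to decide which types are dispatcher objects, and also reports fields that overlay each other at the same offset:

```python
import re

# Constructed sample: dt listings from this entry (_ERESOURCE trimmed to a few fields),
# embedded so the check runs offline without a debugger attached.
DT_SAMPLE = """\
nt!_ERESOURCE
   +0x000 SystemResourcesList : _LIST_ENTRY
   +0x010 OwnerTable       : Ptr64 _OWNER_ENTRY
   +0x018 ActiveCount      : Int2B
   +0x058 Address          : Ptr64 Void
   +0x058 CreatorBackTraceIndex : Uint8B
nt!_KSEMAPHORE
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 Limit            : Int4B
nt!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 CycleTime        : 0x55dc0a75
"""

TYPE_RE = re.compile(r"^\w+!(_\w+)\s*$")
FIELD_RE = re.compile(r"^\s+\+0x([0-9a-f]+)\s+(\w+)\s+:\s+(.+?)\s*$")

def parse_dt(text):
    """Map type name -> list of (offset, field name, type or value) from dt output."""
    types, cur = {}, None
    for line in text.splitlines():
        m = TYPE_RE.match(line)
        if m:
            cur = types.setdefault(m.group(1), [])
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return types

def is_dispatcher_object(fields):
    """Waitable kernel objects embed _DISPATCHER_HEADER as their very first field."""
    return any(off == 0 and ftype == "_DISPATCHER_HEADER" for off, _, ftype in fields)

def union_members(fields):
    """Fields that share an offset overlay each other (a union in the C declaration)."""
    by_off = {}
    for off, name, _ in fields:
        by_off.setdefault(off, []).append(name)
    return {off: names for off, names in by_off.items() if len(names) > 1}
```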

Difference between a mutex in kernel and user (exported) modes (p. 181)

Some values in _DISPATCHER_HEADER can be ignored (depends on Type) (p. 185)

Meaning of _DISPATCHER_HEADER flags, table (p. 185)

_KOBJECTS, _DISPATCHER_HEADER.Type (pp. 185 - 186)

Looking at wait queues manually (pp. 184 - 186) - I mistakenly subjected WinDbg to the !list command, passing the address of the thread's _KWAIT_BLOCK to it:

THREAD fffffa8003c0e8f0  Cid 0004.0070  Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrVirtualMemory) UserMode Non-Alertable
   fffff800019d97a0  Semaphore Limit 0x7fffffff
   fffff800019d9860  NotificationEvent
   fffff800019d9980  NotificationEvent
   fffff800019c8840  NotificationEvent
   fffff800019c8860  SynchronizationEvent
Not impersonating
DeviceMap                 fffff88000007400
Owning Process            fffffa8003bcd0b0       Image:         System
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34801717       Ticks: 1683 (0:00:00:26.254)
Context Switch Count      12886
UserTime                  00:00:00.000
KernelTime                00:00:00.702
Win32 Start Address nt!MiDereferenceSegmentThread (0xfffff8000193caa0)
Stack Init fffffa6001947db0 Current fffffa6001947a60
Base fffffa6001948000 Limit fffffa6001942000 Call 0
Priority 18 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffffa60`01947aa0 fffff800`0186d28a nt!KiSwapContext+0x7f
fffffa60`01947be0 fffff800`0186c896 nt!KiSwapThread+0x2fa
fffffa60`01947c50 fffff800`0193cb36 nt!KeWaitForMultipleObjects+0x2d6
fffffa60`01947cd0 fffff800`01a8bfd3 nt!MiDereferenceSegmentThread+0x96
fffffa60`01947d50 fffff800`018a1816 nt!PspSystemThreadStartup+0x57
fffffa60`01947d80 00000000`00000000 nt!KiStartSystemThread+0x16

0: kd> dt _KTHREAD fffffa8003c0e8f0
nt!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 CycleTime        : 0x55dc0a75
   +0x020 QuantumTarget    : 0x69dfdff1
   +0x028 InitialStack     : 0xfffffa60`01947db0
   +0x030 StackLimit       : 0xfffffa60`01942000
   +0x038 KernelStack      : 0xfffffa60`01947a60
   +0x040 ThreadLock       : 0
   +0x048 ApcState         : _KAPC_STATE
   +0x048 ApcStateFill     : [43]  "8???"
   +0x073 Priority         : 18 ''
   +0x074 NextProcessor    : 0
   +0x076 DeferredProcessor : 1
   +0x078 ApcQueueLock     : 0
   +0x080 WaitStatus       : 0
   +0x088 WaitBlockList    : 0xfffff800`0198cfd0 _KWAIT_BLOCK
[…]

and it entered an endless loop, becoming unresponsive. CPU was spiking at 50% (2-processor machine). I forced a crash dump in Task Manager (Spiking Thread pattern, http://www.dumpanalysis.org/blog/index.php/2007/05/11/crash-dump-analysis-patterns-part-14/):

0:000> kL
Child-SP          RetAddr           Call Site
00000000`0024bee8 000007fe`f507f0dd msftedit!CFormatRunPtr::GetFormat+0xa
00000000`0024bef0 000007fe`f507f54c msftedit!CTxtRange::SpanSubstring+0x101
00000000`0024bf50 000007fe`f5087d90 msftedit!CTxtRange::ItemizeRuns+0x2d8
00000000`0024c2c0 000007fe`f507dd0b msftedit!CRchTxtPtr::ItemizeReplaceRange+0x14c
00000000`0024c3c0 000007fe`f509d28f msftedit!CTxtRange::SetCharFormat+0xc77
00000000`0024c630 000007fe`f504f568 msftedit!CTxtSelection::SetCharFormat+0x23f
00000000`0024c770 000007fe`f50a3f84 msftedit!CTxtEdit::OnSetCharFormat+0x110
00000000`0024c910 000007fe`f50585b2 msftedit!CTxtEdit::TxSendMessage+0x23b0
00000000`0024cbb0 00000000`7769d53e msftedit!RichEditWndProc+0xcca
00000000`0024d5b0 00000000`7769b5b5 user32!UserCallWinProcCheckWow+0x1ad
00000000`0024d670 00000000`7769b649 user32!SendMessageWorker+0x64a
00000000`0024d700 00000001`3f9b3f9e user32!SendMessageW+0x5b
00000000`0024d750 00000001`3f9b41a0 windbg!RichEditAddRawText+0x13e
00000000`0024d7a0 00000001`3f9b47ef windbg!RichEditAddText+0x1b0
00000000`0024d840 00000001`3f977629 windbg!RichEditAddTextBuffer+0x13f
00000000`0024d9a0 00000001`3f9c8728 windbg!WinCommand::AddTextBuffer+0xb9
00000000`0024da10 00000001`3f9d3739 windbg!wmain+0x4b8
00000000`0024fad0 00000000`7776be3d windbg!_CxxFrameHandler3+0x291
00000000`0024fb10 00000000`778a6a51 kernel32!BaseThreadInitThunk+0xd
00000000`0024fb40 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:000> r
rax=0000000000000000 rbx=000000000008d64a rcx=000000000024bf10
rdx=0000000002603a00 rsi=0000000000000001 rdi=0000000000048b33
rip=000007fef50566f6 rsp=000000000024bee8 rbp=0000000000000000
 r8=000000000002b6e6  r9=0000000000000000 r10=000000000024bf90
r11=000000000024bf20 r12=00000000025e17d0 r13=000000000024bfd0
r14=0000000011461b46 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
msftedit!CFormatRunPtr::GetFormat+0xa:
000007fe`f50566f6 394208          cmp     dword ptr [rdx+8],eax ds:00000000`02603a08=00042d7a

0:000> !runaway
 User Mode Time
  Thread       Time
   0:d64       0 days 0:01:12.899
   1:f38       0 days 0:00:25.880
   3:c58       0 days 0:00:01.669
   6:12e4      0 days 0:00:00.000
   5:a84       0 days 0:00:00.000
   4:e88       0 days 0:00:00.000
   2:f80       0 days 0:00:00.000

The .NET Developer’s Guide to Windows Security by M. Brown:

Reading this book to refresh my knowledge of Windows security needed for my work on the next generation troubleshooting tools. I read the previous “Programming Windows Security” book more than 6 years ago.

Data channel vs. control channel (p. 4)

Countermeasures in protection, detection and reaction (pp. 7 - 8) - Troubleshooting tools: Supportability (code), Detection (monitoring) and Reaction (reporting, alerts)

Threat model (p. 12) - “Supportability model” in the sense of predicting issues and their servicing

Unqualifiability of “My System is Secure” () - “My System is Supportable”. An idea for a bugtation: “[…] it’s impossible to” support “a system that you don’t understand”. What about crash dump analysis then?

STRIDE (Howard, LeBlanc) (p. 13)

Repudiation as denial of an attack by an attacker (p. 13)

Complexity as a security enemy (p. 16) - An idea for another bugtation: “complexity is the number-one enemy of” debugging. When I was thinking about prioritizing supportability features, the idea of supportlets came to my mind.

- Dmitry Vostokov @ SoftwareGeneralist.com -