Thursday, December 31, 2009

Syntax highlighting for code blocks.

My blog used to have ugly display of source code, and I've always been a bit jealous of sites with pretty syntax highlighting for their source code. Well, jealous no longer: I've now started using SyntaxHighlighter in my blog. You can find howto directions here. Here's a small sample:



C Sharp:



Python:





If there is demand I'll go through some of the old posts and re-highlight them.

Tuesday, December 29, 2009

Using wireshark to trace localhost traffic on windows.

(If you don’t care why this works and just need a recipe, switch to this post)

Capturing network packets on localhost doesn't work on windows. The reason is windows doesn't send loopback traffic far enough down the networking stack for wireshark to see it. To make sniffing work on localhost you can route your ip traffic to your default gateway. I'll walk you through this, and along the way you'll see:

  • netcat - telnet on steroids (nc.exe)
  • tshark - command line network sniffer from the wireshark package.
  • powershell jobs - background jobs from the shell!

Step 1 - launch the server as a background job (Woohoo powershell)

PS C:\Users\igord> $server = start-job { \bin_drop\nc -L -p 8082 } 

Step 2 - Make client connection:

PS C:\Users\igord> \bin_drop\nc.exe 127.0.0.1 8082
Hello
You can see me

Step 3: See if we can see anything in tshark on port 8082.

C:\Program Files (x86)\Wireshark>tshark -i 4 -R "tcp.port == 8082"
Capturing on Microsoft

Step 4: Point netcat at our ip address that's external:

PS C:\Users\igord> ipconfig
Windows IP Configuration
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . : hsd1.state.comcast.net
Link-local IPv6 Address . . . . . : fe80::49a:2ea6:7757:db5%14
IPv4 Address. . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

PS C:\Users\igord> \bin_drop\nc.exe 192.168.1.100 8082
Hello can you see me in tshark?


(Still nothing in tshark)



Step 5: Add a route for our local address to the router:



PS C:\Users\igord> route add 192.168.1.100 192.168.1.1
OK!

Step 6: Run netcat again - and check tshark:

PS C:\Users\igord> \bin_drop\nc.exe 192.168.1.100 8082
Hello Do you see me

Now we get our packets in tshark!

C:\Program Files (x86)\Wireshark>tshark -i 4 -R "tcp.port == 8082"
Capturing on Microsoft
107.838518 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [SYN] Seq=0 Win=8192 Len=0 MSS=1460
107.840456 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [SYN] Seq=0 Win=8192 Len=0 MSS=1460
107.841013 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
107.841988 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
107.842291 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [ACK] Seq=1 Ack=1 Win=64240 Len=0
107.844181 192.168.1.100 -> 192.168.1.100 TCP [TCP Dup ACK 449#1] 60080 > us-cli [ACK] Seq=1 Ack=1 Win=64240 Len=0
110.528557 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=20
110.530030 192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
110.530139 192.168.1.100 -> 192.168.1.100 TCP [TCP Out-Of-Order] 60080 > us-cli [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=20
110.730222 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [ACK] Seq=1 Ack=21 Win=64240 Len=0
110.731258 192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
110.731797 192.168.1.100 -> 192.168.1.100 TCP [TCP Dup ACK 480#1] us-cli > 60080 [ACK] Seq=1 Ack=21 Win=64240 Len=0
116.982412 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [RST, ACK] Seq=21 Ack=1 Win=0 Len=0
116.984259 192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
116.984390 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [RST, ACK] Seq=21 Ack=1 Win=0 Len=0


For bonus points, why do you see 2 of each packet?



Step 7: Cleanup



PS C:\Users\igord> route delete 192.168.1.100
OK!
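
Steps 5 through 7 as one function, so the temporary route cannot be left behind. This is an added example, not code from the original post; the function name is hypothetical, and it assumes an elevated prompt, tshark at the path shown above, and the address, gateway and interface index replaced with your own.

```powershell
# Added example (not from the original post): steps 5-7 as one function, so the
# temporary host route is removed even if the capture is interrupted.
# Assumed: elevated PowerShell, tshark installed at the path shown in the post,
# and the address, gateway and interface index replaced with your own.
function Invoke-LoopbackCapture {          # hypothetical name
    param(
        [string]$LocalAddress = '192.168.1.100',   # IPv4 address from ipconfig
        [string]$Gateway      = '192.168.1.1',     # default gateway from ipconfig
        [int]   $Port         = 8082,              # port netcat listens on
        [int]   $Interface    = 4,                 # index as listed by tshark -D
        [int]   $Seconds      = 60,                # capture window
        [string]$TShark       = 'C:\Program Files (x86)\Wireshark\tshark.exe'
    )

    # route add/delete change the routing table and need an elevated prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $admin     = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($admin)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }
    if (-not (Test-Path -LiteralPath $TShark)) {
        throw "tshark not found at $TShark"
    }

    # Step 5: route our own address via the gateway so the packets reach the NIC.
    & route.exe add $LocalAddress $Gateway | Out-Null
    try {
        # Step 6: capture for a fixed time. -f is a capture filter, so only the
        # port under test is captured; -a stops tshark after $Seconds.
        & $TShark -i $Interface -a "duration:$Seconds" -f "tcp port $Port"
    }
    finally {
        # Step 7: always remove the route, including after Ctrl+C.
        & route.exe delete $LocalAddress | Out-Null
    }
}

# While this runs, start the netcat listener and client in other windows,
# e.g.:  Invoke-LoopbackCapture -Seconds 30
```

While the route is in place the test traffic really does leave the host and cross the LAN to the gateway (the ICMP Redirect lines in the capture above come from the router), so keep the window short and don't push secrets through the connection.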

Sunday, December 27, 2009

That's fast

Geeks born before the 80's had wet dreams about getting a T1 line. A T1 was 1.5 Mbps ~ 0.19 MB/s. Here's a picture of a large download on my home wireless network which connects to the world via cable:


Gotta love technology. How long before 1 MB/s is slow?

Friday, December 25, 2009

Why twitter can be awesome

If you were born before the 80's (heck maybe before the 90's) you have some idea what twitter is but can't understand what it is for.   Well, I've been thinking about twitter and I have a few ideas.



A tweet (a message on twitter) is a short (140 char max) thought you broadcast to the world. Now the 'magic' of twitter is this: people can decide to listen to your message, only if they want to. If you think a tweet is stupid, it is because it isn't written for you; instead of complaining about the tweet, you ignore it. This should sound familiar: it is how broadcast works in Ethernet networks, and even how conversations work on public transit.



Since tweets are public, and arguably represent what people are thinking/doing, you can do something you could never do before: see what the world is thinking.  From that starting point, you can join a conversation, or simply learn something interesting.



That said, as I look at twitter, I'm not finding any conversations I'm interested in joining, or even overhearing. Oh well, I'll keep my eye on it.

Thursday, December 17, 2009

Pretty Printing XML on Windows.

It happens to the best of us, we get some ugly XML string with no formatting, and we need to view it, ideally in a formatted fashion. XMLLint is the answer. Ugly XML is the input, nicely formatted XML is the output. Finding a version of XMLLint for windows was a challenge till I found this project: http://code.google.com/p/xmllint. Unfortunately this xmllint requires an xml filename as input, and I wanted a version that takes xml on stdin, and produces pretty xml on stdout(*). Luckily this project had source code available and the pretty printing is trivial, here's the full code listing for 'my version' of XMLLint:



Example Usage(+):









NOTES:

(*) StdIn -> Filter -> StdOut is a common trick for VI folks. The syntax is: :%!

(+) Any guesses why I needed a screen shot for example usage?

Tuesday, November 17, 2009

Using Vim and Ctags to edit Powershell

To use vim with a new language you need a few things. First: indent, syntax and file type plugins. These can be found here.



Next, you need ctags support (this is how vim implements 'goto function'). Ctags doesn't natively support powershell yet, but luckily ctags supports adding languages dynamically. From the command line you can add powershell support to ctags via:



c:\> ctags.exe --langdef=powershell --langmap=powershell:.ps1 --regex-powershell="/^function[\t ]*([a-zA-Z0-9_-]+)/\1/d,definition/" --regex-powershell="/^filter[\t ]*([a-zA-Z0-9_-]+)/\1/d,definition/" *


Alternatively you can pass this information into your ctags configuration file. Note that on the command line regexps are in quotes.



C:\> type %USERPROFILE%\ctags.cnf
--langdef=powershell
--langmap=powershell:.ps1.psm1
--regex-powershell=/^function[\t ]*([a-zA-Z0-9_-]+)/\1/d,definition/
--regex-powershell=/^filter[\t ]*([a-zA-Z0-9_-]+)/\1/d,definition/




Happy PS1Viming.

Saturday, November 14, 2009

The Performance of Everyday Things

I've spent much time fixing code optimizations that added no business value (with often matching performance value). Please do not try to make your code faster unless you need to. The way I handle performance issues on my projects:

  1. Define acceptable performance.
  2. Write my code as simply as possible.
  3. Measure performance: against definition, if performance > acceptable - goto DONE.
  4. /*Performance not acceptable*/ Profile; Fix as simply as possible; goto Measure.
  5. DONE

To be explicit: I'm comfortable using slower patterns if they are clear and simple. As soon as I've hit my acceptable performance bar - I'm done.

With that out of the way, let me discuss a performance riddle I hit this week. I was wandering through some powershell code that processed slews of objects (over 200K of 'em):

$interestingObjects = @()
foreach ($object in $inputObjects)
{
    if ($object.IsInteresting)
    {
        $interestingObjects += $object
    }
}

$interestingObjects



I'm a real fan of succinct code so I replaced the code with the following and it was much faster:




$inputObjects| where {$_.IsInteresting}



I prefer the succinct version of the code, but why is this one liner so much faster? The answer lies in the type of $interestingObjects:




PS C:\Users\igord> $interestingObjects.GetType()

IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True True Object[] System.Array



$interestingObjects is an array, so when we add an item, we could end up doing an expensive operation - for example:




$array + $item :=
    $newArray = new Object[$array.Length + 1]
    $array.CopyTo($newArray, 0) # O(N) copy - nasty for large datasets.
    $newArray[$array.Length] = $item
    return $newArray



BTW - in .NET List is implemented via an ArrayList. ArrayList is an Array with the helpful property that Add is mostly O(1):








  • If Count already equals Capacity, the capacity of the list is doubled by automatically reallocating the internal array and copying the existing elements to the new array before the new element is added.


  • If Count is less than Capacity, this method is an O(1) operation. If the capacity needs to be increased to accommodate the new element, this method becomes an O(n) operation, where n is Count.

Friday, October 23, 2009

Do your certificate management in Powershell

I do a lot of security work, and that means lots of time poking at certificates. Tooling for certificates was never something I was happy with until I stumbled upon powershell. Let me give you a demo:

PS C:\> cd cert:

PS cert:\> cd .\LocalMachine\My
PS cert:\LocalMachine\My> dir

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My


Thumbprint Subject
---------- -------
4EE3FDE4FFF422935CAA0CA2783EF2CA601D6DE5 CN=NonSecretGlobalEncryptKey
272BDAC53C26CC5A8067FE6076D2F74797F69AF7 CN=igordm1, OU=Workstations, OU=Machines, DC=redmond, DC=corp, DC=microsof...


PS cert:\LocalMachine\My> cd\
PS cert:> cd .\CurrentUser\Root
PS cert:\CurrentUser\Root> dir | where {$_.Subject -like "*Veri*"}


Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\Root


Thumbprint Subject
---------- -------
18F7C1FCC3090203FD5BAA2F861A754976C8DD25 OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign Time Stampin...
85371CA6E550143DCE2803471BDE3A09E8F8770F OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized us...
742C3192E607E424EB4549542BE1BBC53E6174E2 OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
4F65566336DB6598581D584A596C87934D5F2AB4 OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2...
24A40A1F573643A67F0A4B0749F6A22BF28ABB6B OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet


PS cert:\CurrentUser\Root> $cert = gi 24A40A1F573643A67F0A4B0749F6A22BF28ABB6B

PS cert:\CurrentUser\Root> $cert.ToString()
[Subject]
OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet

[Issuer]
OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet

[Serial Number]
03C78F37DB9228DF3CBB1AAD82FA6710

[Not Before]
4/8/1996 5:00:00 PM

[Not After]
1/7/2004 3:59:59 PM

[Thumbprint]
24A40A1F573643A67F0A4B0749F6A22BF28ABB6B

PS cert:\CurrentUser\Root>
Does the output of $cert.ToString() look familiar? It's actually the ToString() on X509Certificate2. This means as well as having a great certificate store browser, you also get to access the CLR certificate classes interactively - Yeehaw!
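
Because every item on the cert: drive is an X509Certificate2, a store can be audited with ordinary object filtering; the VeriSign certificate shown above, for instance, expired in 2004. This is an added example, not code from the original post: the function name, the 30-day window and the choice of flagged algorithms are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): audit a certificate store using
# the X509Certificate2 objects that the cert: drive returns.
function Get-CertificateFinding {          # hypothetical name
    param(
        [string]$StorePath = 'Cert:\CurrentUser\Root',
        [int]   $WarnDays  = 30            # assumed warning window
    )

    # Signature algorithm OIDs that use a broken or deprecated hash.
    $weakOids = @{
        '1.2.840.113549.1.1.2' = 'md2RSA'
        '1.2.840.113549.1.1.4' = 'md5RSA'
        '1.2.840.113549.1.1.5' = 'sha1RSA'
    }
    $now = Get-Date

    Get-ChildItem -Path $StorePath |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $issues = New-Object 'System.Collections.Generic.List[string]'

            if ($_.NotAfter -lt $now) {
                $issues.Add('expired')
            }
            elseif ($_.NotAfter -lt $now.AddDays($WarnDays)) {
                $issues.Add("expires within $WarnDays days")
            }
            if ($_.NotBefore -gt $now) {
                $issues.Add('not yet valid')
            }

            $oid = $_.SignatureAlgorithm.Value
            if ($oid -and $weakOids.ContainsKey($oid)) {
                $issues.Add("signed with $($weakOids[$oid])")
            }

            if ($issues.Count -gt 0) {
                [pscustomobject]@{
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    # For a self-signed root the signature hash is informational:
                    # trust comes from the certificate being in the store.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    Issues     = ($issues -join '; ')
                    Subject    = $_.Subject
                }
            }
        }
}

# Example: Get-CertificateFinding -StorePath Cert:\LocalMachine\My | Format-List
```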

Wednesday, October 21, 2009

Need another monitor? Try a USB Video Card.





I use 3 monitors at work and it is awesome. My laptop only drives two monitors, so for the 3rd monitor I picked up a USB video card, the EVGA 100-US-UV16A1. This thing works (*). The device installs drivers automatically and works like a charm on Windows 7. It only supports up to 1600x1200. Also, I don't play games so I can't tell you how well that works, but for reading email and viewing OneNote I can't tell this is a USB video card.



(*) If you're not impressed this thing works, you should be. A back of the envelope bandwidth analysis:



Required Bandwidth:



= 1600pixels x 1200pixels x 24 bits per pixel x 30 frames/second

= 1.38 Gbps



Actual USB 2.0 bandwidth:

= 480Mbps

Saturday, October 17, 2009

Using TShark

Today I realized this blog lost its google analytics (GA) tracking. Ooops, I accidentally erased the javascript that talks to Google Analytics in my blog template. I fixed the template on my blog, and wanted to verify my browser was sending data to GA. It takes the GA UI a while to show you data is coming in, so I decided to use tshark to see if my tracker code is working.

Tshark is the command line version of Wireshark, an Ethernet level packet sniffer. Let's see what HTTP GETs occur when I connect to one of my posts:


C:\Program Files\Wireshark>tshark.exe | findstr GET
Capturing on Microsoft
1) 67.936320 192.168.1.100 -> 64.233.169.191 HTTP GET /2009/07/finding-clr-exceptions-with-visual.html HTTP/1.1
2) 68.211983 192.168.1.100 -> 64.233.169.191 HTTP GET /dyn-css/authorization.css?targetBlogID=7821316&zx=defa99ec-5585-4463-a42d-a32bf4868482 HTTP/1.1
3) 68.393167 192.168.1.100 -> 64.233.169.139 HTTP GET /__utm.gif?utmwv=4.5.8&utmn=1895005015&utmhn=ig2600.blogspot.com&utmcs=UTF-8&utmsr=1600x1200&utmsc=32-bit&ut
mul=en-us&utmje=1&utmfl=10.0%20r32&utmdt=Igor%27s%20Computer%20Blog%3A%20Finding%20CLR%20exceptions%20without%20visual%20studio&utmhid=396081822&utmr=0&utmp=%2F
2009%2F07%2Ffinding-clr-exceptions-with-visual.html&utmac=UA-6806517-1&utmcc=__utma%3D91978370.809539203.1241314101.1255744665.1255763228.10%3B%2B__utmz%3D91978
370.1255744665.9.3.utmcsr%3Dblogger.com%7Cutmccn%3D(referral)%7Cutmcmd%3Dreferral%7Cutmcct%3D%2Fhtml%3B HTTP/1.1

4) 68.393325 192.168.1.100 -> 64.233.169.191 HTTP GET /navbar.g?targetBlogID=7821316&blogName=Igor%27s+Computer+Blog&publishMode=PUBLISH_MODE_BLOGSPOT&navbarType=
BLUE&layoutType=LAYOUTS&searchRoot=http%3A%2F%2Fig2600.blogspot.com%2Fsearch&blogLocale=en_US&homepageUrl=http%3A%2F%2Fig2600.blogspot.com%2F&targetPostID=61412
67244510925043 HTTP/1.1
5) 68.517559 192.168.1.100 -> 64.233.169.191 HTTP GET /2009/07/finding-clr-exceptions-with-visual.html?action=backlinks&widgetId=Blog1&widgetType=Blog&responseTyp
e=js&postID=6141267244510925043 HTTP/1.1
6) 68.601057 192.168.1.100 -> 64.233.169.118 HTTP GET /gadgets/ifr?url=http%3A%2F%2Fwww.google.com%2Ffriendconnect%2Fgadgets%2Fmembers.xml&container=peoplesense&p
arent=http%3A%2F%2Fig2600.blogspot.com%2F&mid=0&view=profile&libs=opensocial-0.8%3Askins%3Adynamic-height%3Agoogle.blog&v=0.463.3&lang=en&country=US&communityId
=02722510552710003866&caller=http%3A%2F%2Fig2600.blogspot.com%2F2009%2F07%2Ffinding-clr-exceptions-with-visual.html HTTP/1.1
7) 68.807944 192.168.1.100 -> 64.233.169.118 HTTP GET /gadgets/deps.js HTTP/1.1


What is that __utm.gif we GET in frame 3? How strange that it includes my screen resolution. A quick bing search finds this is indeed the connection to GA. So, my tracking code is good, and you should go learn how to use tshark.
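
To see everything a beacon like the one in frame 3 hands to the tracker, decode its query string into name/value pairs. This is an added example, not code from the original post; the function name is hypothetical, the sample line is an abridged copy of frame 3, and it needs PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): split a captured GET line into
# its decoded query-string parameters so the disclosed values are readable.
function ConvertFrom-BeaconRequest {       # hypothetical name
    param([Parameter(Mandatory = $true)][string]$Line)

    # The request target sits between the method and the protocol version.
    if ($Line -notmatch 'GET\s+(\S+)\s+HTTP/\d') {
        throw 'No HTTP GET request found in the line.'
    }
    $path, $query = $Matches[1] -split '\?', 2
    if (-not $query) { return }            # nothing sent in the query string

    foreach ($pair in ($query -split '&')) {
        if (-not $pair) { continue }       # skip empty segments such as "a&&b"
        $name, $value = $pair -split '=', 2
        [pscustomobject]@{
            Name  = $name
            Value = [uri]::UnescapeDataString([string]$value)
        }
    }
}

# Sample input: frame 3 from the capture above, abridged to fit on one line.
$sample = '68.393167 192.168.1.100 -> 64.233.169.139 HTTP GET ' +
          '/__utm.gif?utmwv=4.5.8&utmhn=ig2600.blogspot.com&utmcs=UTF-8' +
          '&utmsr=1600x1200&utmsc=32-bit&utmul=en-us' +
          '&utmp=%2F2009%2F07%2Ffinding-clr-exceptions-with-visual.html' +
          '&utmac=UA-6806517-1 HTTP/1.1'

ConvertFrom-BeaconRequest -Line $sample | Format-Table -AutoSize
```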

Wednesday, September 30, 2009

Query the windows event logs via the command line

Today someone told me "You can find if bibblebob happened by looking in the event viewer". I automate things so I went hunting for a CLI tool to accomplish this task. wevtutil is its name-o.

The query language for wevtutil is confusing. I recommend using the eventvwr.exe GUI to build a custom query, and then pass that query to wevtutil.

Here's an example of finding all the times DHCP started:


C:\Windows\System32>wevtutil qe System /rd:true /f:text /q:"*[System[(EventID=50036)]]" |more
Event[0]:
Log Name: System
Source: Microsoft-Windows-Dhcp-Client
Date: 2009-09-22T17:42:54.667
Event ID: 50036
Task: Service State Event
Level: Information
Opcode: ServiceStart
Keyword: N/A
User: S-1-5-19
User Name: NT AUTHORITY\LOCAL SERVICE
Computer: igordm1.redmond.corp.microsoft.com
Description:
DHCPv4 client service is started

Event[1]:
Log Name: System
Source: Microsoft-Windows-Dhcp-Client
Date: 2009-09-17T20:46:36.179
Event ID: 50036
Task: Service State Event
Level: Information
Opcode: ServiceStart
Keyword: N/A
User: S-1-5-19
User Name: NT AUTHORITY\LOCAL SERVICE
Computer: igordm1.redmond.corp.microsoft.com
Description:
DHCPv4 client service is started


Good Hunting!

Friday, September 25, 2009

Use cdb to see what files your application is opening.

In this post I'll show you how to use CDB to intercept CreateFile and see what files your application is opening. For this problem, Process Monitor is often a better tool, but the techniques I demonstrate work for any API, so you should learn them.

This won't take much time, so if you've never done this before I recommend you follow along.

First Load CDB against cmd:
 

C:\Program Files\Debugging Tools for Windows (x64)>cdb.exe cmd.exe

Microsoft (R) Windows Debugger Version 6.12.0000.526 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: cmd.exe
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00000000`49fc0000 00000000`4a018000 cmd.exe
ModLoad: 00000000`77c10000 00000000`77db8000 ntdll.dll
ModLoad: 00000000`779f0000 00000000`77b0e000 C:\Windows\system32\kernel32.dll
ModLoad: 000007fe`fde90000 000007fe`fdef9000 C:\Windows\system32\KERNELBASE.dll
ModLoad: 000007fe`febd0000 000007fe`fec6f000 C:\Windows\system32\msvcrt.dll
ModLoad: 000007fe`fc850000 000007fe`fc858000 C:\Windows\system32\WINBRAND.dll
ModLoad: 00000000`77b10000 00000000`77c0b000 C:\Windows\system32\USER32.dll
ModLoad: 000007fe`fee70000 000007fe`feed7000 C:\Windows\system32\GDI32.dll
ModLoad: 000007fe`febc0000 000007fe`febce000 C:\Windows\system32\LPK.dll
ModLoad: 000007fe`fe2b0000 000007fe`fe37a000 C:\Windows\system32\USP10.dll
(1268.1dfc): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
ntdll!CsrSetPriorityClass+0x40:
00000000`77cbb790 cc int 3
0:000> g
ModLoad: 000007fe`fe640000 000007fe`fe66e000 C:\Windows\system32\IMM32.DLL
ModLoad: 000007fe`fe530000 000007fe`fe639000 C:\Windows\system32\MSCTF.dll
Microsoft Windows [Version 6.1.7110]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Program Files\Debugging Tools for Windows (x64)>
(1268.1c1c): Control-C exception - code 40010005 (first chance)
First chance exceptions are reported before any exception handling.

Next find something like CreateFile to breakpoint:
 
0:001> x *!*CreateFile*
00000000`779fd6a0 kernel32!CreateFileMappingA ()
00000000`779ffb30 kernel32!CreateFileMappingW ()
00000000`77a02740 kernel32!CreateFileW ()
00000000`77a124b0 kernel32!CreateFileA ()
00000000`77a3b980 kernel32!CreateFileMappingNumaW ()
00000000`77a54d50 kernel32!CreateFileMappingNumaA ()
00000000`77a63740 kernel32!LZCreateFileW ()
00000000`77a66450 kernel32!CreateFileTransactedW ()
00000000`77a665f0 kernel32!CreateFileTransactedA ()
00000000`77c5ea20 ntdll!NtCreateFile ()
00000000`77c5ea20 ntdll!ZwCreateFile ()
000007fe`fde94990 KERNELBASE!CreateFileW ()
000007fe`fde96270 KERNELBASE!CreateFileMappingNumaW ()
000007fe`fdea3120 KERNELBASE!CreateFileMappingW ()
000007fe`fdec9cc0 KERNELBASE!CreateFileA ()

Set the breakpoint on Kernel32!CreateFileW (You can figure that out by looking on MSDN)
 
0:001> bm kernel32!CreateFileW
breakpoint 1 redefined
1: 00000000`77a02740 @!"kernel32!CreateFileW"

Let's open a file and make sure our function is called!
 
0:002> g

C:\Program Files\Debugging Tools for Windows (x64)>type c:\foo.txt
Breakpoint 1 hit
kernel32!CreateFileW:
00000000`77a02740 48895c2408 mov qword ptr [rsp+8],rbx ss:00000000`0024e180=000000000031df00
0:000>


Our breakpoint is hit. Let's figure out the filename being opened. To do this, we look up the parameter list of CreateFile on MSDN. Filename is the first parameter. Next we look up the calling convention. On AMD64, the first parameter lives in rcx. Let's dump rcx as a unicode string:
 
0:000> du rcx
00000000`0031a310 "c:\foo.txt"
0:000>

Awesome - it worked. Let's make our breakpoint automatically print and continue execution, so it's non-intrusive.
 
0:000> bm kernel32!CreateFileW "du @rcx;g"
breakpoint 1 redefined
1: 00000000`77a02740 @!"kernel32!CreateFileW"
0:000> g

C:\Program Files\Debugging Tools for Windows (x64)>type c:\fo2.txt
00000000`0031a310 "c:\fo2.txt"
The system cannot find the file specified.

C:\Program Files\Debugging Tools for Windows (x64)>type c:\IgorOpenedThisFile.txt
00000000`0031b9e0 "c:\IgorOpenedThisFile.txt"
The system cannot find the file specified.

C:\Program Files\Debugging Tools for Windows (x64)>

Notice the debugger spew interspersed with cmd output. Any time we open a file we'll see it in the spew! Use this approach to debug all sorts of "I wonder what's going on" problems.

Tuesday, September 8, 2009

Copying files across parallel directory structures.

It happens to all of us, you've made a change in branch2, now you need to copy it to branch1. Here's a trick I use to accomplish this task:

C:\src\branch1\mydir\mydir2\mydir3\mydir4>xcopy %cd:branch1=branch2%\foo*
Overwrite C:\src\branch1\mydir\mydir2\mydir3\mydir4\foo.txt (Yes/No/All)? y
C:\src\branch2\mydir\mydir2\mydir3\mydir4\foo.txt
1 File(s) copied


How'd that work? Use echo to find out what happened:

C:\src\branch1\mydir\mydir2\mydir3\mydir4>echo %cd:branch1=branch2%
C:\src\branch2\mydir\mydir2\mydir3\mydir4

For more information run help set.

Thursday, July 30, 2009

Finding CLR exceptions without visual studio

(If you want to understand what exception code 0xe0434352 is, read this post)



Often exceptions are thrown and caught and you don't see them. You probably know how to debug this in Visual Studio, so let me show you how to do it in cdb.

Sample Code:





using System;
using System.Linq;
using System.Threading;

class Program
{
    static void Main(string[] args)
    {
        foreach (var x in Enumerable.Range(0, 2000))
        {
            Thread.Sleep(TimeSpan.FromSeconds(1));
            Console.WriteLine("Hello World");
            ThrowAndCatchException();
        }
    }

    // Throws and swallows an exception, so nothing shows up in the output.
    private static void ThrowAndCatchException()
    {
        try
        {
            throw new NotImplementedException();
        }
        catch (Exception)
        {
        }
    }
}
Output of the application:

Hello World
Hello World
Hello World
Nothing about an exception, but you're sure it's happening behind the covers -- fire up cdb:

C:\Program Files\Debugging Tools for Windows (x64)>cdb -pn consoleapplication3.exe

<SNIP>

ModLoad: 000007fe`f7e90000 000007fe`f7eb4000 C:\Windows\Microsoft.NET\Framework64\v4.0.20506\culture.dll
(ff8.17a8): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
ntdll!DbgBreakPoint:
00000000`77b7d7b0 cc int 3
Continue debugging:

0:004> g
Exceptions - lots of them:

(ff8.16dc): CLR exception - code e0434352 (first chance)
(ff8.16dc): CLR exception - code e0434352 (first chance)
(ff8.16dc): CLR exception - code e0434352 (first chance)
(ff8.16dc): CLR exception - code e0434352 (first chance)
(ff8.16dc): CLR exception - code e0434352 (first chance)
(ff8.16dc): CLR exception - code e0434352 (first chance)
(ff8.1860): Break instruction exception - code 80000003 (first chance)
Break on CLR exceptions:

0:004> sxe clr
0:004> g

(ff8.16dc): CLR exception - code e0434352 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll -
KERNELBASE!RaiseException+0x3d:
000007fe`fdb8bb5d 4881c4c8000000 add rsp,0C8h
Load sos (in .NET 2/3 use !loadby sos mscorwks):

0:000> !loadby sos clr
View Stack:

0:000> !CLRStack
PDB symbol for clr.dll not loaded
OS Thread Id: 0x16dc (0)
Child SP IP Call Site
000000000096e6a8 000007fefdb8bb5d [HelperMethodFrame: 000000000096e6a8]
000000000096e7c0 000007ff00170360 ConsoleApplication3.Program.ThrowAndCatchException()
000000000096e810 000007ff001701fb ConsoleApplication3.Program.Main(System.String[])
000000000096ec90 000007feef474ca4 [GCFrame: 000000000096ec90]
View Exception:

0:000> !PrintException
Exception object: 0000000002c88c18
Exception type: System.NotImplementedException
Message: The method or operation is not implemented.
InnerException: <none>
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80004001
0:000>
Pretty neat - eh?

Saturday, July 18, 2009

Why write programs that don't modify variables?

Slews of bugs happen because variables have values you aren't expecting. To minimize this class of bugs I use a technique a lot of people find surprising. I try to only assign and never modify variables. In C++, I make almost all my variables const.

C++ people are now saying -- Um if all your values are const how do you write a for loop?

In C++ I can't help myself, I'm stuck with a variable modification eg:

for (size_t x=0;x<6;x++) printf("%zu",x);
In python the for loop naturally iterates over a sequence so you don't need to modify a value:
for x in range(6): print(x)
In C#, you can use either the C++ syntax or a more python-like syntax via foreach:
for (int x=0;x<6;x++) Console.WriteLine(x);
or
foreach (var x in Enumerable.Range(0,6)) Console.WriteLine(x);

I use the foreach syntax, which people initially find confusing. But its value starts to shine when using non-zero starting values. Assume I need to generate 113 numbers starting at 27. Which statement do you find expresses it better?
for (int x=27;x<=139;x++) Console.WriteLine(x);

or
foreach (var x in Enumerable.Range(27,113)) Console.WriteLine(x);

Saturday, July 4, 2009

How to attach to an already running debugger target using cdb.

For the last year, when I wanted to attach to a process using cdb, I'd attach by PID. This meant I'd need to do the following dance:
    C:\Program Files\Debugging Tools for Windows (x64)>tlist |findstr firefox
9128 cmd.exe findstr firefox
276 firefox.exe Restore Session - Vimperator

C:\Program Files\Debugging Tools for Windows (x64)>cdb -p 276
It turns out you can just do:

C:\Program Files\Debugging Tools for Windows (x64)>cdb -pn firefox.exe

Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


If there are multiple instances of your process, you'll still need to use tlist
to find the PID you're interested in.