Notes from a humble computer user...

Application Whitelisting Bypass using Firefox?

2017-05-20T20:45:00.001+08:00

Recently, thanks to a friend who bring my attention to the Javascript capability of the Firefox chrome code (this is the code in Firefox, not Chrome or Chromium browser), I have learnt new ways to launch cmd.exe, this time from Firefox.

Unlike MS Edge or IE, when one enters something like "file:///C/Windows/System32/cmd.exe" or "file:///C/Windows/System32/notepad.exe" in Firefox's address bar, it does not usually execute cmd.exe. Instead it is what it looks like this:

Opening notepad.exe from Firefox address bar

However, if we perform the following steps:

Open Firefox, enter "about.config" in address bar.
Set "devtools.chrome.enabled" to "true".
Ctrl-Shift-J to launch the web console, go to JS tab and enter the below:
var file=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsIFile);file.initWithPath("C:\\windows\\system32\\cmd.exe");file.launch();

The result looks like the following screenshot, where cmd.exe is successfully launched.

Launching cmd.exe from Firefox

While I find this interesting, it would be even more fun if:

There is a more direct way of executing cmd.exe, say from the address bar.
We can perform more things with the Javascript chrome code.

Admittedly I am not so familiar with the internals of Firefox, if you know any of the above, do educate me.

Anyway, since Firefox is such a common application on many Windows workstation, could this be useful as a application white listing bypass technique? :-)

Note: The method described here is not new, and I am not the first one to discover them. It is (along with a few other methods) already documented here. I merely carry out the experiment and note down the steps.

Update: As soon as I posted this, I realised there is simpler way to launch cmd.exe from Firefox, assuming Windows Explorer is not locked down, which is to click on cmd.exe, download it and use the "Open Containing Folder" icon (as shown in the following screenshot) to launch Windows Explorer from there. The rest is history... :-)

Open Containing Folder

Simulating Privileges Patching using Windows Kernel Debugger

2017-05-10T20:21:00.000+08:00

The following is an experiment to simulate a Windows privilege escalation using privileges patching in access token. The experiment uses two windbg instances, one running within the target machine as user mode debugger and another running on the host machine as kernel debugger.

Firstly, we launch the user mode windbg in the target machine as ordinary non admin user. Using this windbg, we attempt to attach to a the spoolsv.exe process, which is the Spooler service running as SYSTEM privilege. We can see that windbg fail to attach to the spoolsv.exe process.

User mode windbg fail to attach to spoolsv.exe

Next, we use the kernel mode windbg from the host machine to break into the target machine. We then locate the user mode windbg process and its corresponding access token address.

Locate access token within process structure

Locate privileges structure within access token

From there we can locate the address of the _SEP_TOKEN_PRIVILEGES structure, where we first examine its original value.

_SEP_TOKEN_PRIVILEGES original value

We then update the value to contain 0xffffffffffffffff for all the three members in the structure.

Update _SEP_TOKEN_PRIVILEGES members

Finally, we resume the target machine and use our user mode windbg to attach to the spoolsv.exe process again. This time, windbg is able to break into the spoolsv.exe process.

Application Whitelisting Bypass using Windbg

2017-05-07T18:45:00.001+08:00

Casey Smith has thought us many cool application white listing bypass techniques. They can be found here.

While learning those techniques, it occurs to me that anything officially signed by Microsoft that has the capability to load dll could be potentially useful. So maybe I can also add windbg to the list?

The steps are very simple. It uses windbg and cmd.dll (or any dll of your choice).

Launch windbg.
Click File -> Attach to a Process..
Select any target process. In my case, I select the cmd.exe that was blocked. :-)
After windbg break into the process, type .load \\path\to\cmd.dll

The result can be seen in the following screenshot. The yellow box highlights the original cmd.exe which was blocked by the policy, the red box highlights the windbg command and the green box highlights the new cmd.dll built from ReactOS source.

CreateProcess from C++ to C# to Powershell

2017-04-17T20:38:00.002+08:00

I was trying to get myself familiar with how to invoke native calls such as Windows API from Powershell, which leads me to look into P/Invoke etc.
To get started, I just try to call CreateProcess (without worrying too much about clean up or good coding etc) starting with C++, then C# and finally Powershell.

First, C++

#include int main() { STARTUPINFO si = { 0 }; si.cb = sizeof(si); PROCESS_INFORMATION pi = { 0 }; TCHAR szCommandLine[] = TEXT("C:\\Windows\\System32\\notepad.exe"); BOOL bResult = CreateProcess( NULL, //_In_opt_ LPCTSTR lpApplicationName, szCommandLine, //_Inout_opt_ LPTSTR lpCommandLine, NULL, //_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, NULL, //_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, FALSE, //_In_ BOOL bInheritHandles, 0, //_In_ DWORD dwCreationFlags, NULL, //_In_opt_ LPVOID lpEnvironment, NULL, //_In_opt_ LPCTSTR lpCurrentDirectory, &si, //_In_ LPSTARTUPINFO lpStartupInfo, &pi //_Out_ LPPROCESS_INFORMATION lpProcessInformation ); return 0; }

Next, C#
The details are taken from http://www.pinvoke.net/. There is possible a simpler/shorter way to write this, but I just want to get it to work for now.

using System; using System.Runtime.InteropServices; [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] struct STARTUPINFO { public Int32 cb; public string lpReserved; public string lpDesktop; public string lpTitle; public Int32 dwX; public Int32 dwY; public Int32 dwXSize; public Int32 dwYSize; public Int32 dwXCountChars; public Int32 dwYCountChars; public Int32 dwFillAttribute; public Int32 dwFlags; public Int16 wShowWindow; public Int16 cbReserved2; public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError; } [StructLayout(LayoutKind.Sequential)] struct PROCESS_INFORMATION { public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId; } [StructLayout(LayoutKind.Sequential)] struct SECURITY_ATTRIBUTES { public int nLength; public IntPtr lpSecurityDescriptor; public int bInheritHandle; } public class Kernel32 { [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] static extern bool CreateProcess( string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation); public static void Main(string[] args) { STARTUPINFO si = new STARTUPINFO(); PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES(); CreateProcess( null, //string lpApplicationName, "C:\\Windows\\System32\\notepad.exe", //string lpCommandLine, ref sa, //ref SECURITY_ATTRIBUTES lpProcessAttributes, ref sa, //ref SECURITY_ATTRIBUTES lpThreadAttributes, false, //bool bInheritHandles, 0, //uint dwCreationFlags, IntPtr.Zero, //IntPtr lpEnvironment, null, //string lpCurrentDirectory, ref si, //[In] ref STARTUPINFO lpStartupInfo, out pi //out PROCESS_INFORMATION lpProcessInformation) ); Console.ReadLine(); } }

Finally, Powershell
Note that when using Powershell, the lpApplicationName cannot be $null and lpCurrentDirectory needs to be populated.

$csharp = @' using System; using System.Runtime.InteropServices; [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct STARTUPINFO { public Int32 cb; public string lpReserved; public string lpDesktop; public string lpTitle; public Int32 dwX; public Int32 dwY; public Int32 dwXSize; public Int32 dwYSize; public Int32 dwXCountChars; public Int32 dwYCountChars; public Int32 dwFillAttribute; public Int32 dwFlags; public Int16 wShowWindow; public Int16 cbReserved2; public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError; }; [StructLayout(LayoutKind.Sequential)] public struct PROCESS_INFORMATION { public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId; }; [StructLayout(LayoutKind.Sequential)] public struct SECURITY_ATTRIBUTES { public int nLength; public IntPtr lpSecurityDescriptor; public int bInheritHandle; }; public class Kernel32 { [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)] public static extern bool CreateProcess( string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation); } '@ Add-Type -TypeDefinition $csharp $si = New-Object STARTUPINFO $si.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($si) # $si.dwFlags = 0x1 # $si.wShowWindow = 0x1 $pi = New-Object PROCESS_INFORMATION $sa = New-Object SECURITY_ATTRIBUTES $sa.nLength = [System.Runtime.InteropServices.Marshal]::SizeOf($sa) $dir = (Get-Location).Path # [Kernel32]::CreateProcess($null, "C:\\Windows\\System32\\cmd.exe", [ref]$sa, [ref]$sa, $false, $0, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi) # Using Powershell, lpApplicationName cannot be $null and lpCurrentDirectory needs to be populated [Kernel32]::CreateProcess("C:\Windows\System32\notepad.exe", $null, [ref] $sa, [ref] $sa, $false, 0x0, [IntPtr]::Zero, $dir, [ref] $si, [ref] $pi) # [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

Building cmd.dll with CMake

2017-04-15T17:29:00.002+08:00

After reading Didier Stevens's great post on cmd.dll, I was excited to give it a try, by building cmd.dll from ReactOS source as described.
However, I soon found out that the updated ReactOS source now uses CMake instead of RBuild, as stated in ReactOS wiki.

The following are the modification to Didier's steps I needed, in order to build cmd.dll in the CMake environment.

diff --git a/reactos/base/shell/cmd/CMakeLists.txt b/reactos/base/shell/cmd/CMakeLists.txt index 37d2c09ab7..29dabe5ec9 100644 --- a/reactos/base/shell/cmd/CMakeLists.txt +++ b/reactos/base/shell/cmd/CMakeLists.txt @@ -68,9 +68,9 @@ list(APPEND SOURCE precomp.h) add_rc_deps(cmd.rc ${CMAKE_CURRENT_SOURCE_DIR}/res/terminal.ico) -add_executable(cmd ${SOURCE} cmd.rc) +add_library(cmd SHARED ${SOURCE} cmd.rc) target_link_libraries(cmd wine) -set_module_type(cmd win32cui UNICODE) +set_module_type(cmd win32dll UNICODE) add_importlibs(cmd advapi32 user32 msvcrt kernel32 ntdll) add_pch(cmd precomp.h SOURCE) add_cd_file(TARGET cmd DESTINATION reactos/system32 FOR all) diff --git a/reactos/base/shell/cmd/cmd.c b/reactos/base/shell/cmd/cmd.c index ed162bf9f6..8f680ef6bc 100644 --- a/reactos/base/shell/cmd/cmd.c +++ b/reactos/base/shell/cmd/cmd.c @@ -1816,7 +1816,7 @@ static VOID Cleanup() /* * main function */ -int _tmain(int argc, const TCHAR *argv[]) +int original_tmain(int argc, const TCHAR *argv[]) { HANDLE hConsole; TCHAR startPath[MAX_PATH]; @@ -1832,6 +1832,8 @@ int _tmain(int argc, const TCHAR *argv[]) InputCodePage = 0; OutputCodePage = 0; + AllocConsole(); + hConsole = CreateFile(_T("CONOUT$"), GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); @@ -1866,4 +1868,25 @@ int _tmain(int argc, const TCHAR *argv[]) return(nErrorLevel); } +INT WINAPI +DllMain( + IN PVOID hInstanceDll, + IN ULONG dwReason, + IN PVOID reserved) +{ + switch (dwReason) + { + case DLL_PROCESS_ATTACH: + original_tmain(0, NULL); + break; + case DLL_THREAD_ATTACH: + break; + case DLL_THREAD_DETACH: + break; + case DLL_PROCESS_DETACH: + break; + } + return TRUE; +}

Besides the above mentioned modification, the build steps are the same.

Download and install ReactOS Build Environment (consult ReactOS wiki) and source.
Run the ReactOS Build Environment.
cd reactos/reactos and run configure.cmd
cd output-MingW-i386
make cmd

Hope it helps others who are struggling to build cmd.dll.

Vulnhub FristiLeak 1 Walkthrough

2016-07-17T08:32:00.001+08:00

I have decided not to continue on Necromancer, and try out an older VM, FristiLeak instead.
Granted, there are already heaps of walkthrough since it is an old VM. But that doesn't matter to me, if I haven't pwn it, it is still good to practice.
As usual, the enumeration started with nmap, which only returns the default HTTP port.

In the browser, a page stating "KEEP CALM and DRINK FRISTI" was returned.

Enumerating for robots.txt returned 3 entries.

However, attempting to browse those 3 entries all resulted in nothing more than a meme hinting that they were dead ends.

Taking the hint that those dead ends all suggested various drinks names and the fact that the main page said drink Fristi, I tried to browse /fristi instead, which successfully landed on a admin portal login page.

Several guesses of login credentials such as "admin:admin" and "admin: fristi" didn't helped.
So, I checked out the HTML source. There was a comment written by someone named eezeepz.

Interestingly, the page encoded the "Ha Ha" image using base64. So, I gave it a more detail inspection. That paid off, I noticed there were a few separate base64 encoded image, like this one at the bottom of the source.

I decoded each of them. The first 2 images were identical to the one shown on the login page, but the last one decodes to a different image, presumably something useful, maybe a password?

So, I tried to login the admin portal using "eezeepz" found in the HTML comment together with this newly found "keKkeKKeKKeKkEkkEk" string as password.

That worked! It landed me on a page with a link to upload file. ;-)

I tried to upload a PHP webshell with .php extension but that failed, but it gave a rather useful error message.

Renaming the webshell extension from .php to .php.png worked.

After some enumeration, I found a file named notes.txt under /home/eezeepz.

So, I tried out the helpful suggestion by writing "id" into /tmp/runthis file to see if it resulted in /tmp/cronresult as claimed.

It did, a /tmp/cronresult file was created.

However, the content was not what I had hoped for. But once again, the error message was helpful.

As suggested, I used the chmod command in /home/admin directory, this time to modify the permission of the /home/admin itself.

That worked. Now, I can access the entire /home/admin simply as the apache process. I noticed that there was a file owned by fristigod, so maybe it has something to do with the user fristigod.

Without wasting anytime, I checked out all the files deemed interesting in that directory, staring with cryptedpass.txt.

Next came the file cryptpass.py

This is followed by the file cronjob.py

And finally, the all interesting whoisyourgodnow.txt

After inspecting the source of cryptpass.py, I modified it to reverse the process of encoding to decode the downloaded text.

The content of the file whoisyourgodnow.txt decodes to "LetThereBeFristi!", which looks curiously like the password for the user fristigod, maybe?
It is time to try out SU, which needed a TTY session. However, I was a little upset to find that netcat was not installed on the target VM. So, I searched the web for one and uploaded it there.
After establishing a netcat reverse shell, I switch to the user fristigod with the password "LetThereBeFristi!".

Checking out sudo, I noticed there was a hidden suid binary called doCom.

Executing doCom via sudo gave me root permission! The rest is just about sitting back and enjoy a bottle of Fristi? :-)

Vulnhub The Necromancer 1 Walkthrough (flag2)

2016-07-12T19:13:00.000+08:00

Pondering on the hint from flag1, "Chant the string of flag1 - u666", I thought maybe it was UDP port 666.
But before that, I tried to decode flag1. Turns out that it was an MD5 hash.

MD5 of opensesame was flag1

So, I tried sending "opensesame" to UDP port 666 using hping3.

Sending flag1 using hping3

Maybe I did some mistake in my initial attempt, the response I received was "You gasp for air! Time is running out!".

Initial attempt failed

So, I tried sending in the original MD5 hash instead. However, that gave me a different error message. This time it was "Chant is too long! You gasp for air!".

Chant too long

That made me retry with "opensesame" again.

Resending "opensesame"

This time, it worked!

flag2 in wireshark

Copied from wireshark to a text editor, the returned message looked like this

flag2 in text editor

Vulnhub The Necromancer 1 Walkthrough (flag1)

2016-07-11T18:33:00.000+08:00

Trying out The Necromancer 1 VM. Here is the walkthrough for the 1st flag.

I started with the usual nmap full TCP scan, but to my surprise, none of 65535 TCP ports were open. So, I tried to capture the traffic with Wireshark and see if I could find anything.

Then, I noticed this:

Incoming connection from The Necromancer VM to me

It seemed that the VM was trying to connect to me on port 4444!
So, I tried to listen to TCP port 4444 with netcat and as expected an incoming TCP connection was established. I received some random looking text.

Incoming random looking text

After removing the "..." (3 dots) at the beginning and the end of the text, I was able to base64 decode the text into something comprehensible.

Base64 decoded text with flag1

There was the 1st flag. :-)

Vulnhub Violator 1 Walkthrough (partial)

2016-07-09T17:17:00.000+08:00

Just tried another VM in Vulnhub, this time it is Violator 1.
As usual, the journey starts with nmap, which brings up 2 TCP ports, FTP (21) and HTTP (80).

nmap shows port 21 and port 80

The default web page in HTTP port gives a hint that I should be trying out the FTP port instead.

The hint says I'm barking up the wrong tree.

Furthermore, I at the bottom of the page, it also provides another hint about a Wikipedia page that may be useful for me.

Hint about Wikipedia page

So, I took the hint and checked out the FTP server. It appeared to run ProFTPd 1.3.5. So, I try to search ExploitDB to see if anything comes up. I was lucky to find this:

ExploitDB entry for ProFTPd 1.3.5

So, I tried the exploit suggested by the page to see if it works. It did.

Copy /etc/passwd by exploiting ProFTPd vulnerability

I was able to view the passwd file content.

/etc/passwd file content

However, when I tried to upload my PHP web shell as suggested, I met some challenges (which later I found out the reason but it is irrelevant by then).
So, being lazy, I searched Metasploit for exploit that are readily available for ProFTPd 1.3.5. Again, I was lucky

Metasploit exploit for ProFTPd 1.3.5

The exploit spawned a shell with the privilege of the web server (www-data). I was delighted. But after that I was stuck with the www-data shell for sometime.

Furthermore, on another somewhat unrelated event, my VM environment was unstable and I had to reboot both my Kali and Violator VM. Which is why, in all the screenshots below, you will notice that the IP address for Violator VM changed from the original 192.168.56.101 to 192.168.56.103.

After enumerating the box for sometime, I still didn't get much improvement, but I did notice the 4 users from /etc/passwd file (and from their /home directory), namely af, aw, dg and mg.
I tried to switch user to these account but I needed their passwords.

Remembering the Wikipedia hint at the bottom of the Violator main web page, I paid Wikipedia a visit and manually copied (I tried CeWL but my VM ran out of memory) all the strings that I felt is relevant to create a wordlist.

Wordlist scraped from Wikipedia page.

Next, I created a password list out of the wordlist using John the Ripper

Using John the Ripper to generate password list.

Using the generated password list, I used Hydra to brute force the FTP server again to discover the password of the users.

Hydra brute force FTP for passwords.

I was lucky again. Hydra presented me with the passwords for all 4 of the users.
Trying out "sudo -l" on each one of them, I noticed that the user bd is allowed to execute the ProFTPd binary in the subdirectory of his home directory using sudo.
I thought to myself, isn't that almost as good as a setuid? :-)
So, I searched the etc subdirectory for the configuration file and downloaded it to my Kali VM for customization before uploading it back.

Difference between customized and the original proftpd.conf.

Looking back, maybe not all of the customization is necessary. But well, it doesn't matter now.
Next, I use sudo to execute the ProFTPd binary under bd user's home directory and checked that it binds to port 2100. (The other instance that binded to port 2121 was due to an earlier mistake I made by not changing the DefaultAddress. Let's ignore that for now).

ProFTPd listening to port 2100

I then tried to connect the ProFTPd server listening to port 2100. I was surprised to find that it was a different version of ProFTPd, namely version 1.3.3c.

ProFTPd version 1.3.3c

So, I searched Metasploit for existing exploits and was glad to find one.

ProFTPd 1.3.3c exploit in Metasploit

Executing the exploit gave me a root shell.

Rooted!

That's it folks. I stopped there after getting root access.
Notice that the title of this post says partial? That's because in the description of this challenge in Vulnhub, it says "The challenge isn't over with root. The flag is something special."
It could have something to do with the Enigma machine emulator but I didn't take the time to figure that out.

Vulnhub Stapler 1 Walkthrough

2016-06-18T18:11:00.000+08:00

Today I tried out Stapler VM in Vulnhub and here is the walkthrough. (Note, I did not attend the BSide or anything, this is perform on the VM from Vulnhub, so this is likely something that others already have walkthrough).

As usual, I start the scan using nmap, and found that port 22 and 139 was open.

So I ran enum4linux, which provided me with a list of enumerated user name.

Using John the ripper, I created a password list out of the username list.

I then attempted to brute force the ssh login using the generated password list and username list and discovered that the user SHayslett was using the same string for both username and password.

After logging in as SHayslett via ssh, I try to enumerate the system.

While enumerating cron.d directory, I found that logrotate was using a custom script that was world writeable.

By uploading a netcat and appending custom command to the custom logrotate script, I was able to launch a reverse netcat shell with root privilege.

Using the reverse netcat shell, the flag was obtained.

:-)

user mode process debugging from windbg kernel debugger via ntsd

2016-06-12T10:30:00.000+08:00

When used together, ntsd and windbg can let us switch between kernel debugging and specific user mode process debugging.

First, ensure that the usual kernel mode debugging session is properly setup and working.
In the target machine, identify the user mode process id. This can be done using tasklist command. Then launch ntsd against the selected process id.
attach ntsd against pid 2728 (calc.exe)
As a result, the windbg kernel debugger will break in and wait for input.
windbg kernel debugger breaks in
From that point onwards, we can proceed to use the kernel debugger to inspect the user mode process in more detail.
pid is hex aa8 which is decimal 2728

KGDB Linux kernel debugging in Windows host using 2 Linux virtualbox guest

2016-06-11T09:52:00.002+08:00

For those who needs to perform Linux kgdb debugging on Windows host like I do, below are the steps. (As a side note, these steps have been described in detail in a virtualbox forum discussion before. For details, refer to the comment I posted below. For the rest of you who prefer a blog post with screenshots, read on :-)

Create 2 Linux guest, one as the debugger running GDB and the other as the debugee kernel. Both these VM should use the same Windows named pipe path for the serial ports settings. But for the debugger VM, check the "Connect to existing pipe/socket" box, while for the debugee, keep it uncheck.
Windows named pipe as virtual serial port
I chose to build my own debugee kernel (using the default Fedora kernel config for make oldconfig) and remove KDB from the compilation. I did this because if I include it in compilation (as how the default Fedora kernel config does), the GDB remote target handshake fails with some "qStatus#49" error.
CONFIG_KGDB_KDB is not set
After finish building the new kernel and install it in the debugee system, copy its vmlinux (note, NOT vmlinuz) image to the debugger machine.
Start the debugee VM first, follow by the debugger VM. Optionally, we can use the "pipelist" utility from Sysinternals Suite to make sure that the shared named pipe is created.
pipelist shows that dbgpipe is created
In the debugee VM, make sure to append "kgdboc=ttyS0,115200n8 kgdbwait" kernel boot parameter in the grub screen, if not already done so in grub.cfg earlier.
kgdboc and kgdbwait boot parameters
Boot the debugee kernel, it should appear to hang at KGDB and wait for connection.
debugee kernel waiting for remote gdb connection
Run "gdb vmlinux" in the debugger VM. After GDB has started, optionally run "set serial baud 115200", then run "target remote /dev/ttyS0". Wait for the connection to be established, and you are ready to go! (Here, I execute "bt" to see the backtrace).
gdb remote target

In addition to the steps described above, we can optionally enable GDB script as described in https://www.kernel.org/doc/Documentation/gdb-kernel-debugging.txt.

enable gdb script

We then copy the build tree over to the debugger machine (maybe we just need the scripts/gdb/ directory but I have not verify that, I just copy the entire build directory). The scripts let us perform some convenient steps like "ps" as shown here.

lx-ps

Note that I need to make changes to the gdb scripts for the specific kernel version source that I build, which I did not describe the steps in this post.

GDB TUI

2016-06-05T21:04:00.000+08:00

Recently watched this "CppCon 2015: Greg Law " Give me 15 minutes & I'll change your view of GDB" video.
https://www.youtube.com/watch?v=PorfLSr3DDI

It discusses about some simple but useful trick in GDB TUI mode.
However, when I try them out, some of the Ctrl-X key combination does not always work on my machine.
After some googling, I found this: https://sourceware.org/gdb/onlinedocs/gdb/TUI-Commands.html#TUI-Commands

For those who are reluctant to read the document, use "layout split" to split your screen, "layout reg" to list the register.

I hope these can be useful for other GDB users who wish to use TUI mode.

msfelfscan to find jmp esp

2016-06-05T20:56:00.000+08:00

It has been sooooooooooo long (again) that I have not post anything. Oh well, busy with things, as usual.
But today I have just pick up a new trick in Metasploit (more specifically msfelfscan) that might worth reminding myself, so here goes.
So, some of us find it quite convenient to use debugger like Immunity Debugger, OllyDbg and EDB to find "JMP ESP" instruction, for example.
But what if we have no access to those?
First, use the msfelfscan tool in Metasploit to scan for the binary. This should give you a list of offsets.

msfelfscan -j esp ./libc.so.6

Then, we can run the program that uses that library, for example can check the base address in /proc/<pid>/maps to search for the base address.
When combined, should give us the "JMP ESP" address we are looking for.

Ubuntu 14.04 and Android MTP

2014-08-30T21:56:00.003+08:00

I'm not sure is it just me, or are there some other Ubuntu users who are unable to access the files and directories in their Android smartphone.
Anyway, I found that the below step/package works:

apt-get install jmtpfs

vim to ubuntu 14.04: youcompleteme :-)

2014-06-01T16:20:00.001+08:00

I just found out that "youcompleteme" was added as a package in Ubuntu 14.04 LTS.
Now, vim fans like me can have the amazing IDE-like experience by simply doing the few easy steps below:

apt-get install vim apt-get install vim-youcompleteme apt-get install vim-addon-manager vam install youcompleteme

The screen shots (C++ and Python) below work out of the box!

Enjoy!

Value Semantics, Concepts Based Polymorphism and Composite Pattern

2014-02-24T21:26:00.001+08:00

Not long ago, I watched Sean Parent's Value Semantics and Concepts Based Polymorphism.

In the presentation, Sean showed a sample code that manipulates "document type".

Yesterday, while flipping over an old book on my book shelf, Pattern Hatching: Design Patterns Applied, by John Vlissides, I came across his example of using the Composite Pattern to illustrate a simplified file system structure with class Node, class File and class Directory. There it uses the classical way of inheritance.

I couldn't help but notice the similarity between the simplified file system recursive structure of the Composite Pattern with Sean's example of the document inside document.

So, I just play around with concepts based polymorphism a bit.

Note that the code may not be optimize or anything, as it is a quick copy-and-modify.

Here is node.h:

#ifndef NODE_H #define NODE_H #include #include #include #include class node_t { struct concept_t { virtual ~concept_t() = default; virtual size_t total_size() const = 0; virtual void print(std::ostream& out) = 0; virtual concept_t* copy() = 0; }; struct file_model_t : concept_t { file_model_t(size_t x) : total_size_(x) {} size_t total_size() const { return total_size_; } void print(std::ostream& out) { out << total_size_; } concept_t* copy() { return new file_model_t(*this); } size_t total_size_; }; struct dir_model_t : concept_t { dir_model_t(std::initializer_list l) : children_(l) {} size_t total_size() const { size_t total_size = 0; for (const auto& c : children_) total_size += c.total_size(); return total_size; } virtual void print(std::ostream& out) { out << "("; auto i = children_.begin(); out << *i; ++i; while (i != children_.end()) { out << ","; out << *i; ++i; } out << ")"; } concept_t* copy() { return new dir_model_t(*this); } std::vector children_; }; std::unique_ptr p_; public: node_t(size_t value) : p_(new file_model_t(value)) { /*std::cout << "ctor file" << std::endl;*/ } node_t(std::initializer_list l) : p_(new dir_model_t(l)) { /*std::cout << "ctor dir" << std::endl;*/ } node_t(const node_t& x) : p_(x.p_->copy()) { /*std::cout << "copy" << std::endl;*/ } node_t& operator=(node_t x) { //std::cout << "assign" << std::endl; p_ = std::move(x.p_); return *this; } size_t total_size() const { return p_->total_size(); } friend std::ostream& operator<<(std::ostream& out, const node_t& n) { n.p_->print(out); return out; } }; using file_t = node_t; using directory_t = node_t; #endif //NODE_H

And here is the client code:

#include #include #include "node.h" int main() { file_t f1 ( 10 ); std::cout << "f1: " << f1.total_size() << std::endl; file_t f2 ( 20 ); std::cout << "f2: " << f2.total_size() << std::endl; directory_t d1 { f1, f2 }; std::cout << "d1: " << d1.total_size() << std::endl; file_t f3 ( 30 ); std::cout << "f3: " << f3.total_size() << std::endl; directory_t d2 { f3, d1 }; std::cout << "d2: " << d2.total_size() << std::endl; std::cout << d2 << std::endl; }

And this is the output:

f1: 10 f2: 20 d1: 30 f3: 30 d2: 60 (30,(10,20))

Note how the directory nests the subdirectory.
More importantly, the value semantics of the client code, polymorphism without reference or pointer, cool!

Admittedly, I'm quite new to this concepts-based polymorphism technique, and may also not be paying too much attention to other aspect of the C++ code in general. If you find any mistake, feedback and advice are appreciated.

Discrete Fourier Transform and Nested For Loops

2013-12-31T23:50:00.000+08:00

This will be my last post for this year, 2013. Hehe, what a way to spend my new year countdown.
A while ago, Discrete Fourier Transform gave me a feeling of "I understand the intuition but the equation...".
So, I spent some time understanding the math behind.
After some reading, I kinda think that it would be easier for programmer to understand it if we spell it out as nested for loops, instead of equation that Capital Sigma notation. So, here is a post that I try to code it out in Python (originally to convince myself, but hopefully it can help others too).
First, we import NumPy and Matplotlib, so that we can plot the output to help with the understanding.

import numpy import matplotlib.pyplot

Next, we create a couple sine, cosine, with different (multiple) frequencies.

N = 44 time = numpy.arange(N) sine = numpy.sin(2 * numpy.pi * (1.0/N) * time) cosine = numpy.cos(2 * numpy.pi * (1.0/N) * time) legend_sine_real, = matplotlib.pyplot.plot(sine.real, marker='o') legend_sine_imag, = matplotlib.pyplot.plot(sine.imag, marker='o') matplotlib.pyplot.legend([legend_sine_real, legend_sine_imag], ["sine real", "sine imag"]) matplotlib.pyplot.title("time domain sine") matplotlib.pyplot.savefig("time_domain_sine.png") matplotlib.pyplot.clf() # matplotlib.pyplot.show() # sine2a and sine2b should be equivalent sine2a = numpy.sin(2 * numpy.pi * (2.0/N) * time) sine2b = numpy.array([sine[n*2 % N] for n in time]) legend_sine2b_real, = matplotlib.pyplot.plot(sine2b.real, marker='o') legend_sine2b_imag, = matplotlib.pyplot.plot(sine2b.imag, marker='o') matplotlib.pyplot.legend([legend_sine2b_real, legend_sine2b_imag], ["sine2b real", "sine2b imag"]) matplotlib.pyplot.title("time domain sine2b") matplotlib.pyplot.savefig("time_domain_sine2b.png") matplotlib.pyplot.clf() # matplotlib.pyplot.show() sine4 = numpy.sin(2 * numpy.pi * (4.0/N) * time) legend_sine4_real, = matplotlib.pyplot.plot(sine4.real, marker='o') legend_sine4_imag, = matplotlib.pyplot.plot(sine4.imag, marker='o') matplotlib.pyplot.legend([legend_sine4_real, legend_sine4_imag], ["sine4 real", "sine4 imag"]) matplotlib.pyplot.title("time domain sine4") matplotlib.pyplot.savefig("time_domain_sine4.png") matplotlib.pyplot.clf() # matplotlib.pyplot.show()

The wave forms we get are like:
Then, we add up the wave forms with different frequencies to create our time domain data

data = sine + sine2b + sine4 legend_data_real, = matplotlib.pyplot.plot(data.real, marker='o') legend_data_imag, = matplotlib.pyplot.plot(data.imag, marker='o') matplotlib.pyplot.legend([legend_data_real, legend_data_imag], ["data real", "data imag"]) matplotlib.pyplot.title("time domain data") matplotlib.pyplot.savefig("time_domain_data.png") matplotlib.pyplot.clf() # matplotlib.pyplot.show()

This should give us:
After that, we create the "scary" coefficient array (the one that usually appears as complex exponential of 'e')

coff = numpy.arange(N, dtype=numpy.complex) coff.real = cosine coff.imag = sine * -1.0

Finally, we perform the DFT using nested for loops.

# freq = numpy.fft.fft(data) # equivalently, we can implement DFT (which is not as efficient as FFT, since it is O(n^2)), but for learning purpose freq = numpy.arange(N, dtype=numpy.complex) for p in time: freq[p] = numpy.complex(real=0.0, imag=0.0) for q in time: freq[p] += data[q] * coff[p*q % N] legend_freq_real, = matplotlib.pyplot.plot(freq.real, marker='o') legend_freq_imag, = matplotlib.pyplot.plot(freq.imag, marker='o') matplotlib.pyplot.legend([legend_freq_real, legend_freq_imag], ["freq real", "freq imag"]) matplotlib.pyplot.title("freq domain spectrum") matplotlib.pyplot.savefig("freq_domain_spectrum.png") matplotlib.pyplot.clf() # matplotlib.pyplot.show()

And here is the plot for the DFT (you can enable the line that uses numpy.fft.fft to verify and see if the result is identical):
Yeah, I know, it is probably too lame for those who already understand it. But hopefully, for some who find it easier to read source code (and loops) compare to mathematical symbol, this can be helpful. By the way, if you find that I have coded/explained something inaccurately, feel free to let me know, I will appreciate it and update it accordingly. Happy New Year 2014! :)

Python, COM and Windows UIAutomation

2013-11-25T17:34:00.001+08:00

Occasionally, we need to automate some of the GUI application. For Windows desktop application, we can use UIAutomation API.
There are quite a number of tutorial how that can be done, in say, C# (.NET) or even C++ (COM). There are even PowerShell wrapper.
When it comes to Python, there are of course existing library like PyWinAuto. But what if we want to use UIAutomation API just like the rest of the languages. Since COM should be able to get consumed by any languages, and Python, as usual, should be able to do wonderful things, why not give it a try. However, I have yet to find a tutorial on that. At least I haven't found one. Hence, this tutorial (or rather, sample code):

import subprocess import time import comtypes from comtypes import * from comtypes.client import * import win32gui, win32api, win32con, ctypes comtypes.client.GetModule('UIAutomationCore.dll') from comtypes.gen.UIAutomationClient import * if __name__ == "__main__": # launch calculator executable subprocess.Popen('calc.exe') time.sleep(1) # initialize COM for UIAutomation iuia = CoCreateInstance(CUIAutomation._reg_clsid_, interface=IUIAutomation, clsctx=CLSCTX_INPROC_SERVER) # get desktop root element root_elem = iuia.GetRootElement() time.sleep(1) # get calculator window cond_calc = iuia.CreatePropertyCondition(UIA_NamePropertyId, "Calculator") calc = root_elem.FindFirst(scope=TreeScope_Descendants, condition=cond_calc) time.sleep(1) print(calc) print(calc.CurrentName) # button '6' cond_6 = iuia.CreatePropertyCondition(UIA_NamePropertyId, str(6)) print(cond_6) time.sleep(1) cond_btn = iuia.CreatePropertyCondition(UIA_ControlTypePropertyId, UIA_ButtonControlTypeId) print(cond_btn) time.sleep(1) cond_and = iuia.CreateAndCondition(cond_6, cond_btn) print(cond_and) time.sleep(1) button_6 = calc.FindFirst(scope=TreeScope_Descendants, condition=cond_and) time.sleep(1) # click button '6' print(button_6) print(button_6.CurrentName) patt_click = button_6.GetCurrentPattern(UIA_InvokePatternId) iinvoke = patt_click.QueryInterface(IUIAutomationInvokePattern) iinvoke.Invoke()

This should launch calc.exe and click button '6'. At the moment, I haven't master all the skill and internal details, and all the inelegant time.sleep etc are still there. Do educate me if you more. Otherwise, I might update this when I know more.

Building LLVM/Clang, YouCompleteMe etc in Windows using VS2008.

2013-11-02T12:22:00.001+08:00

First of all, these steps are more or less described nicely in their respective websites:
http://llvm.org/releases/3.3/docs/CMake.html
http://clang.llvm.org/get_started.html
https://github.com/Valloric/YouCompleteMe/wiki/Windows-Installation-Guide

Here I just add in the specific tried and true steps for myself.
Why VS2008? Why not VS2013? Well, just trying, since I build the rest of my stuff, especially Python 2.6 extensions in VS2008. I might retry in VS2013 later.

Install GnuPG from http://gpg4win.org/.
Download LLVM 3.3 source tarballs from http://www.llvm.org/releases/download.html#3.3, and verify their integrity using GnuPG after obtaining GPG key.

gpg2 --keyserver pgp.mit.edu --recv-key E95C63DC gpg2 --verify llvm-3.3.src.tar.gz.sig llvm-3.3.src.tar.gz gpg2 --verify cfe-3.3.src.tar.gz.sig cfe-3.3.src.tar.gz

Unzip llvm-3.3.src.tar.gz to a directory, say, C:\llvm-3.3.src\.
Unzip cfe-3.3.src\ portion of cfe-3.3.src.tar.gz (the file also include other directories, such as Driver\, Modules\, test\ etc) to a subdirectory of LLVM source, namely C:\llvm-3.3.src\tools\. Then, rename the result subdirectory from C:\llvm-3.3.src\tools\cfe-3.3.src\ to C:\llvm-3.3.src\tools\clang\.
Install CMake from http://www.cmake.org/.
Install GnuWin32 so that tools like grep is available.
Open a Visual Studio 2008 Command Prompt.
Create a build directory, C:\llvm_build\ and change to that directory and run CMake to create a VS2008 (MSVC 9.0) solution file.

C:\llvm_build>cmake -DLLVM_TARGETS_TO_BUILD="X86" -DLLVM_LIT_TOOLS_DIR=C:\GnuWin32\bin -DCMAKE_INSTALL_PREFIX=C:\llvm-3.3.bin -DLLVM_INCLUDE_TESTS=OFF -G"Visual Studio 9 2008" . C:\llvm-3.3.src

C:\llvm_build>msbuild LLVM.sln /t:ALL_BUILD /p:configuration=Release /fl /flp:logfile=MsBuildLLVM.log;verbosity=diagnostic

Install the binary to destination directory (C:\llvm-3.3.bin) upon completing compilation

C:\llvm_build>msbuild INSTALL.vcproj /fl /flp:logfile=MsBuildLLVM.log;verbosity=diagnostic /p:configuration=Release

Build YouCompleteMe, similarly using CMake and MSBuild (on VS2008). First create and change to directory C:\ycm_clang_build

C:\ycm_clang_build>cmake -G "Visual Studio 9 2008" -DPATH_TO_LLVM_ROOT=c:\llvm-3.3.bin . c:\Users\MyLoginName\vimfiles\bundle\YouCompleteMe\cpp

C:\ycm_clang_build>msbuild YouCompleteMe.sln /t:ycm_core /p:configuration=Release /fl /flp:logfile=MsBuildYcmClang.log;verbosity=diagnostic C:\ycm_clang_build>msbuild YouCompleteMe.sln /t:ycm_client_support /p:configuration=Release /fl /flp:logfile=MsBuildYcmClang.log;verbosity=diagnostic

Upon completion, copy ycm_core.pyd and ycm_client_support.pyd from C:\ycm_build\ycm\Release, and libclang.dll from C:\llvm-3.3.bin\bin to C:Users\MyLoginName\vimfiles\bundle\YouCompleteMe\python\

Voila! Done! And this is what I discover it is capable of. :-)

Boost.Python to integrate Python and C++, without bjam.

2013-10-26T10:39:00.001+08:00

First of all, I would like to say, yes I heard, there are other solutions, such as Cython, Pyd or even using plain Python.h.
But this is a post about my hello world trial on Boost.Python. In future, I might try out other C++ compiler, Python version, on other OSes, and also Cython etc.
But for the moment, I just pick the below combination:

OS: Windows 7 (64 bit)
Python: Python 2.6.6 (32 bit)
Visual Studio 2008 Express Edition (a.k.a MSVC 9.0): because it was used to compile Python 2.6 and 2.7, so must the Python extension, or so I heard.
Boost 1.54.0 prebuilt binary (boost_1_54_0-msvc-9.0-32).

So, let's get on with it.

First, copy the code from here:
http://www.boost.org/doc/libs/1_54_0/libs/python/doc/tutorial/doc/html/index.html#python.quickstart

To prevent the below error:

C:\boost_1_54_0-msvc-9.0-32\boost/config/auto_link.hpp(355) : fatal error C1189:#error : "Mixing a dll boost library with a static runtime is a really bad idea..."

Prepend this to the file

#define BOOST_PYTHON_STATIC_LIB

To save you some trouble, here is the code:

#define BOOST_PYTHON_STATIC_LIB #include <boost/python.hpp> char const* greet() { return "hello, world"; } BOOST_PYTHON_MODULE(hello_ext) { using namespace boost::python; def("greet", greet); }

Save the file as hello_ext.cpp And compile it using this command line (from VS2008 command prompt, not plain cmd.exe):

cl /LD /EHsc /I "C:\boost_1_54_0-msvc-9.0-32" /I "C:\Python26\include" hello_ext.cpp /link /LIBPATH:"C:\boost_1_54_0-msvc-9.0-32\lib32-msvc-9.0" /LIBPATH:"C:\Python26\libs" /out:hello_ext.pyd

Finally, run your Python interpreter and import the resulting library:

>>> import hello_ext >>> hello_ext.greet() 'hello, world'

2013-07-26T08:58:00.000+08:00

I was trying to inspect a URB in WinDBG. From the help file, it says:

!urb The !urb extension command is obsolete. Use the dt URB command instead.

However, when I try dt URB or even dt _URB, this was the result:

kd> dt URB ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: URB *** *** *** ************************************************************************* Symbol URB not found.

I checked and was quite sure the symbol was correctly loaded. After trying a to quality the symbol with a few modules names that appear to be more relevant to USB like usbehci etc, I gave up. Luckily the below trick saved the day:

kd> !for_each_module dt ${@#ModuleName}!_URB

It automatically iterate through all the modules checking for _URB and finally found the below:

kd> dt _URB Wdf01000!_URB +0x000 UrbHeader : _URB_HEADER +0x000 UrbSelectInterface : _URB_SELECT_INTERFACE +0x000 UrbSelectConfiguration : _URB_SELECT_CONFIGURATION +0x000 UrbPipeRequest : _URB_PIPE_REQUEST +0x000 UrbFrameLengthControl : _URB_FRAME_LENGTH_CONTROL +0x000 UrbGetFrameLength : _URB_GET_FRAME_LENGTH +0x000 UrbSetFrameLength : _URB_SET_FRAME_LENGTH +0x000 UrbGetCurrentFrameNumber : _URB_GET_CURRENT_FRAME_NUMBER +0x000 UrbControlTransfer : _URB_CONTROL_TRANSFER +0x000 UrbControlTransferEx : _URB_CONTROL_TRANSFER_EX +0x000 UrbBulkOrInterruptTransfer : _URB_BULK_OR_INTERRUPT_TRANSFER +0x000 UrbIsochronousTransfer : _URB_ISOCH_TRANSFER +0x000 UrbControlDescriptorRequest : _URB_CONTROL_DESCRIPTOR_REQUEST +0x000 UrbControlGetStatusRequest : _URB_CONTROL_GET_STATUS_REQUEST +0x000 UrbControlFeatureRequest : _URB_CONTROL_FEATURE_REQUEST +0x000 UrbControlVendorClassRequest : _URB_CONTROL_VENDOR_OR_CLASS_REQUEST +0x000 UrbControlGetInterfaceRequest : _URB_CONTROL_GET_INTERFACE_REQUEST +0x000 UrbControlGetConfigurationRequest : _URB_CONTROL_GET_CONFIGURATION_REQUEST +0x000 UrbOSFeatureDescriptorRequest : _URB_OS_FEATURE_DESCRIPTOR_REQUEST +0x000 UrbOpenStaticStreams : _URB_OPEN_STATIC_STREAMS
I know this could be a n00b trick, but hopefully, this trick will safe some of you some hard work the next time you need check something on all the modules.

Relating IRPs to Processes in WinDBG

2013-07-25T16:13:00.000+08:00

I wouldn't have imagine myself posting on Windows OS internals or WinDBG. But I have to admit that lately, playing around a bit on WinDBG and I kinda like it. Usually, the example in books uses !irp and !process. But lately I came across this one that is quite useful when we need to relate one to another:

1: kd> !processirps 0x899b4600 0x3 **** PROCESS 899b4600 (Image: csrss.exe) **** Checking threads for IRPs. Thread 840b83c0: IRP 840f0580 - Owned by \Driver\kbdclass for device KeyboardClass0 (899776c8) Thread 840ba040: IRP 97810e28 - Owned by \Driver\mouclass for device PointerClass1 (84109550) IRP 8989bb40 - Owned by \Driver\mouclass for device PointerClass0 (89968d88) Checking file objects for IRPs.

View process address space mapping and searching for string using GDB

2013-07-21T12:26:00.000+08:00

Came across this useful trick to search for strings in memory using GDB, here in StackOverflow
Tried it out myself, it is useful for me. :)

(gdb) info proc mappings process 5340 Mapped address spaces: Start Addr End Addr Size Offset objfile 0x400000 0x401000 0x1000 0x0 /tmp/mainloop.x 0x600000 0x601000 0x1000 0x0 /tmp/mainloop.x 0x601000 0x602000 0x1000 0x1000 /tmp/mainloop.x 0x7ffff7a1b000 0x7ffff7bd0000 0x1b5000 0x0 /lib/x86_64-linux-gnu/libc-2.15.so 0x7ffff7bd0000 0x7ffff7dcf000 0x1ff000 0x1b5000 /lib/x86_64-linux-gnu/libc-2.15.so 0x7ffff7dcf000 0x7ffff7dd3000 0x4000 0x1b4000 /lib/x86_64-linux-gnu/libc-2.15.so 0x7ffff7dd3000 0x7ffff7dd5000 0x2000 0x1b8000 /lib/x86_64-linux-gnu/libc-2.15.so 0x7ffff7dd5000 0x7ffff7dda000 0x5000 0x0 0x7ffff7dda000 0x7ffff7dfc000 0x22000 0x0 /lib/x86_64-linux-gnu/ld-2.15.so 0x7ffff7fdd000 0x7ffff7fe0000 0x3000 0x0 0x7ffff7ff9000 0x7ffff7ffb000 0x2000 0x0 0x7ffff7ffb000 0x7ffff7ffc000 0x1000 0x0 [vdso] 0x7ffff7ffc000 0x7ffff7ffd000 0x1000 0x22000 /lib/x86_64-linux-gnu/ld-2.15.so 0x7ffff7ffd000 0x7ffff7fff000 0x2000 0x23000 /lib/x86_64-linux-gnu/ld-2.15.so 0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]

(gdb) maintenance info sections Exec file: `/tmp/mainloop.x', file type elf64-x86-64. 0x00400238->0x00400254 at 0x00000238: .interp ALLOC LOAD READONLY DATA HAS_CONTENTS 0x00400254->0x00400274 at 0x00000254: .note.ABI-tag ALLOC LOAD READONLY DATA HAS_CONTENTS 0x00400274->0x00400298 at 0x00000274: .note.gnu.build-id ALLOC LOAD READONLY DATA HAS_CONTENTS 0x00400298->0x004002b4 at 0x00000298: .gnu.hash ALLOC LOAD READONLY DATA HAS_CONTENTS 0x004002b8->0x00400300 at 0x000002b8: .dynsym ALLOC LOAD READONLY DATA HAS_CONTENTS 0x00400300->0x00400338 at 0x00000300: .dynstr ALLOC LOAD READONLY DATA HAS_CONTENTS 0x00400338->0x0040033e at 0x00000338: .gnu.version ALLOC LOAD READONLY DATA HAS_CONTENTS 0x00400340->0x00400360 at 0x00000340: .gnu.version_r ALLOC LOAD READONLY DATA HAS_CONTENTS 0x00400360->0x00400378 at 0x00000360: .rela.dyn ALLOC LOAD READONLY DATA HAS_CONTENTS 0x00400378->0x00400390 at 0x00000378: .rela.plt ALLOC LOAD READONLY DATA HAS_CONTENTS 0x00400390->0x0040039e at 0x00000390: .init ALLOC LOAD READONLY CODE HAS_CONTENTS 0x004003a0->0x004003c0 at 0x000003a0: .plt ALLOC LOAD READONLY CODE HAS_CONTENTS 0x004003c0->0x00400574 at 0x000003c0: .text ALLOC LOAD READONLY CODE HAS_CONTENTS 0x00400574->0x0040057d at 0x00000574: .fini ALLOC LOAD READONLY CODE HAS_CONTENTS 0x00400580->0x00400584 at 0x00000580: .rodata ALLOC LOAD READONLY DATA HAS_CONTENTS 0x00400584->0x004005b0 at 0x00000584: .eh_frame_hdr ALLOC LOAD READONLY DATA HAS_CONTENTS 0x004005b0->0x00400654 at 0x000005b0: .eh_frame ALLOC LOAD READONLY DATA HAS_CONTENTS 0x00600e10->0x00600e18 at 0x00000e10: .init_array ALLOC LOAD DATA HAS_CONTENTS 0x00600e18->0x00600e20 at 0x00000e18: .fini_array ALLOC LOAD DATA HAS_CONTENTS 0x00600e20->0x00600e28 at 0x00000e20: .jcr ALLOC LOAD DATA HAS_CONTENTS 0x00600e28->0x00600ff8 at 0x00000e28: .dynamic ALLOC LOAD DATA HAS_CONTENTS 0x00600ff8->0x00601000 at 0x00000ff8: .got ALLOC LOAD DATA HAS_CONTENTS 0x00601000->0x00601020 at 0x00001000: .got.plt ALLOC LOAD DATA HAS_CONTENTS 0x00601020->0x00601030 at 0x00001020: .data ALLOC LOAD DATA HAS_CONTENTS 0x00601030->0x00601038 at 0x00001030: .bss ALLOC 0x00000000->0x0000006b at 0x00001030: .comment READONLY HAS_CONTENTS

(gdb) find /b 0x601020, 0x60103c, 'H','E','L','L','O' 0x601030 1 pattern found. (gdb) x /1sb 0x601030 0x601030 : "HELLO_WORLD"

Do, Re, Mi, Fa, So...with Python and Numpy

2013-06-30T22:57:00.001+08:00

It has been ages I have not post anything. Same lame excuse, busy with bla...bla...bla... :) Lately, I'm playing a bit with Python to play with sound. And here is a simple code to generate a simple Do..Re...Mi...Fa...So... I'm sure there are already tons of such example on the Net, which this will just be yet another example. Oh, well. :)

import numpy import scipy.io.wavfile import matplotlib.pyplot doremi = [523.0, 587.0, 659.0, 698.0, 784.0] # C,D,E,F,G or Do,Re,Mi,Fa,So amplitude = 65536.0/4.0 sampling_rate = 44100.0 # sampling rate duration = 0.5 # 0.5 seconds sample = sampling_rate * duration t = numpy.arange(sample) t = t/sample # scale each element for normalization song = numpy.array([]) for freq in doremi: wav = numpy.sin(2*numpy.pi*freq*t)*amplitude song = numpy.concatenate([song, wav]) scipy.io.wavfile.write('doremi.wav', sampling_rate, song.astype(numpy.int16)) matplotlib.pyplot.specgram(song) # generate spectogram matplotlib.pyplot.savefig('doremi.png')