Mildly Hurtful Sarcasm

Meaningless ranting, just like everybody else.

Wednesday, November 29, 2006

Fred's demise

So Fred called the four of us (me, Pete, Josh and Justin) up, asked for our help to clean up some messy mess. We were innocently unsuspecting enough. I was just preoccupied by those serious dents he made on the cargo bed of my red Tundra I loaned him last week.

Sure enough, there was this big sheet of tin sandwiched between two pieces of ply wood propped up against the fridge. That's what he borrowed my truck to haul. The blood splatter on the board could have been a masterpiece in some fancy gallery I thought for a moment. You've got to give it to him, the dude knew his physics - the wood absorbs the kinetic energy and prevents the bullet from ricocheting while the metal sheet shields his beloved Westinghouse appliance from piercing - cheapo.

He did it kneeling down. Towels on the vinyl floor soaked up most of the blood. Plenty of red dots on those cut up shower curtains taped to the oak cabinets. The gore-filled hole on his temple reminded me of that camp night boar head roasting. He did all the roasting while the rest of us got drunk. Good times, but the dude had problems and I didn't notice.

While Justin sat sighing at the dining table and Pete stood debating himself whether to wipe the floor or call the police first, I looked around. "What's the hurry, why today I wondered." Judy's due in a month, dude didn't want his kid to lose its father - better to never have one than to lose - I figured, he was twisted.

The staircase was lined with fading photos. The five of us were in most of them; the rest were Judy's. I never knew he cared enough to hang us on his wall; I can't be blamed, the dude was private and kept to himself.

I hesitated to the bedroom door. I thought I'd find some answers there. But nah, he wanted to hide it from Judy he stowed it in the garage. Besides, I was afraid I'd find his shirt draped upon my Gap turtleneck I lost at a camping trip. I made it my policy not to peer into another dude's closet after that cowboy movie.

So me and Josh like two detectives headed for the garage for inspection. I was examining a rubber hose and a few printouts that read "Beware - Poison Gas" in bold, when Josh hollered me over to check out a waist high gas tank.

"He was going to poison himself." Josh pointed at the CO tag hanging off the knob. I noticed the red paint at the bottom matched those rubbed off my truck.

"Would have been less painful and less messy. Why didn't he do this instead?" I was puzzled, so was Josh, until we heard his calico kitty meowing at the door.

We miss Fred, he was a thoughtful guy.


Friday, November 24, 2006

Code injection at process creation

Many articles have talked about DLL injection using CreateRemoteThread() and LoadLibrary(). But this technique does not always work with newly created processes, when some system DLLs have not yet fully initialized. After some digging, I realized that the proper way to achieve this is to overwrite the entry point of the newly created process; let me lay it out here.

First, the new process is created with the CREATE_SUSPENDED flag:

CreateProcess(lpApplicationName, lpCommandLine,
              lpProcessAttributes, lpThreadAttributes,
              bInheritHandles, CREATE_SUSPENDED,
              lpEnvironment, lpCurrentDirectory,
              lpStartupInfo, lpProcessInformation);

The next step is to obtain the entry point of the process. When a process is newly created and suspended, the EAX register of its initial thread points to the entry point. To read EAX, get the suspended thread's context:

HANDLE hThread = lpProcessInformation->hThread;
CONTEXT context;
ZeroMemory(&context, sizeof(context));
context.ContextFlags = CONTEXT_FULL;
GetThreadContext(hThread, &context);

Voilà, context.Eax now holds the entry address. But before we can detour the execution flow to our code, we have to write our stub into this process' address space: allocate executable memory (or DEP will complain!) and write your stub to it, the stub that does your stuff, loads a DLL, what not:

HANDLE hProcess = lpProcessInformation->hProcess;
LPVOID pMem = VirtualAllocEx(hProcess, 0, dwStubSize,
                             MEM_COMMIT,
                             PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess, pMem, pStub,
                   dwStubSize, ...);

Now we are ready to overwrite the entry point. First, save the first few instructions that live there:

BYTE savedBuf[6];
ReadProcessMemory(hProcess, (LPCVOID)context.Eax,
                  savedBuf, sizeof(savedBuf), ...);

Then overwrite the entry point with these instructions:

__asm jmp pMemOffset
WriteProcessMemory(hProcess, (LPVOID)context.Eax, insts, sizeof(insts), ...);

where insts holds the encoded bytes of the jump instruction and pMemOffset is the offset to your stub's address (pMem), relative to the entry point.

Lastly, you want this process to execute as originally intended. For that, the stub needs to restore the saved instructions and jump back to the entry point, so it will end with something like:

WriteProcessMemory(GetCurrentProcess(), (LPVOID)context.Eax,
                   savedBuf, sizeof(savedBuf), ...);
__asm push context.Eax
__asm ret

There you have it: a piece of code that runs something before the process starts executing. Sure, your stub is still preceded by some system initialization code; this technique does not guarantee that your stub is executed absolutely before everything else, but it is reasonably simple and a good start.
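For the defender's side of the same trick, here is an added example (not code from the original post) that classifies the first instruction found at a process's entry point. It assumes the entry bytes have already been read out of the target (e.g. with ReadProcessMemory) and that the image base, image size and entry address are known from the PE headers; a relative JMP whose target lies outside the mapped image is the footprint of the patch described above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Verdict for the first instruction found at an image's entry point. */
enum ep_verdict { EP_CLEAN = 0, EP_JMP_INSIDE_IMAGE = 1, EP_JMP_OUTSIDE_IMAGE = 2 };

/* Decode a relative JMP (E9 rel32 or EB rel8) located at address ep.
   Sets *is_jmp and returns the target; returns 0 when the bytes are not a JMP. */
uint32_t decode_rel_jmp(const uint8_t *b, size_t n, uint32_t ep, int *is_jmp)
{
    *is_jmp = 0;
    if (n >= 5 && b[0] == 0xE9) {                 /* JMP rel32, 5 bytes */
        int32_t rel;
        memcpy(&rel, b + 1, sizeof rel);          /* x86 stores rel32 little-endian */
        *is_jmp = 1;
        return ep + 5 + (uint32_t)rel;            /* unsigned wraparound is intended */
    }
    if (n >= 2 && b[0] == 0xEB) {                 /* JMP rel8, 2 bytes */
        *is_jmp = 1;
        return ep + 2 + (uint32_t)(int32_t)(int8_t)b[1];
    }
    return 0;
}

/* A JMP from the entry point to memory outside [image_base, image_base + image_size)
   is the footprint of the patch above: the stub lives in VirtualAllocEx'd memory,
   never inside the mapped image. A JMP that stays inside the image (a CRT thunk)
   is normal and is reported separately so it can be whitelisted. */
enum ep_verdict check_entry_point(const uint8_t *bytes, size_t n, uint32_t ep,
                                  uint32_t image_base, uint32_t image_size)
{
    int is_jmp;
    uint32_t target = decode_rel_jmp(bytes, n, ep, &is_jmp);
    if (!is_jmp)
        return EP_CLEAN;
    if (target >= image_base && target < image_base + image_size)
        return EP_JMP_INSIDE_IMAGE;
    return EP_JMP_OUTSIDE_IMAGE;
}

/* Constructed sample (hypothetical values): image at 0x400000 (size 0x10000), entry
   at 0x401000, entry bytes patched to "jmp 0x320000" (E9 with rel32 =
   0x320000 - 0x401005 = 0xFFF1EFFB), i.e. a jump into private memory. */
enum ep_verdict demo_patched(void)
{
    static const uint8_t bytes[6] = { 0xE9, 0xFB, 0xEF, 0xF1, 0xFF, 0x90 };
    return check_entry_point(bytes, sizeof bytes, 0x401000u, 0x400000u, 0x10000u);
}
```

The check only covers the two relative JMP encodings; comparing the in-memory entry bytes against the on-disk image catches other overwrites as well.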


Sunday, November 19, 2006

My Media Player 11 and iTunes 7 face off

I am liking Windows Media Player 11. The only regret is that I don't own a player that syncs with it. I think iTunes no longer has anything on Media Player.

I started using iTunes because it synced with my iPods. And I think Apple really got the sync process right, it is so much easier than other players (like my antique Diamond Rio pmp300).

I however find iTunes' visuals plain and unappealing - perhaps besides the easy to read alternating white and light blue list view. iTunes 7 introduced album art alongside song lists, that was sort of nice.


When it comes to visual, Media Player 11 is much nicer. Its metallic toned frame can be tuned to a color theme of your choice. Buttons are aqua (Vista, not Mac) with a mystic glow. It shows an almost identical song list view (but not the 3D album cover rack, which perhaps is a bit overkill).


Some may prefer iTunes' clean interface, but check out their docked views side by side.


Media Player is not only slicker when docked, it shows song info in a fade-in/fade-out notification window, which doubles as a video screen when video files are on the playlist. In comparison, iTunes' dock view is unattractive and is missing song info.

And Media Player has more to offer - more sorting options, a better radio selection, a more comprehensive media guide. I know iTunes embeds QuickTime and must have some photo album organizer on the Mac, but Media Player has them all in one place - photos, videos, everything sorted and organized. I am liking the one stop media organization.


Photos can be sorted by rating (rarely seen feature) and searchable by keywords (I haven't tried but I assume that's EXIF) - useful.


Videos are sortable as well and offer a quick-to-show thumbnail view.

Die hard Mac fans are upset M$ stole Apple's design (and thunder!), but as a user with no stocks in either company, I am just glad to have a better player.


What would you say?

So we met up with Fred at his place as instructed - we found him lying in a pool of his own blood in the kitchen. That bastard took his own life when Judy was out of town and left us to clean up the mess.

"Tell me what he looked like." After an uneasy minute of silence and several polite sips off her gold rimmed china, Judy asked.

Stop - what are you going to say?

Tell the truth? There was blood all over the place. Ask Pete, he stepped on a piece of his skull and we've to help him scrape it off, and boy, don't even get me started with that gaping hole on his head.

Flat out lie? He looked so peaceful, like a baby sleeping.

Shy away? The important thing is, he is in a better place now.

Not my problem? Buzz. I am sorry I have to take this call, Pete, why don't you...

What would you say?



Thursday, November 09, 2006

Cheated

Some'd say I'm petty, I'd still say I feel cheated.

I liked PopSci cause I thought I was reading about the latest and greatest in science advancements - scientists talking to animals, invisible cars, the unmanned tanks that navigate themselves into the battlefields shooting the guts out of bad guys while steering clear of trenches and obstacles, you get the picture.

This November issue features an invisible warship - a design much like the F-117 nighthawk allows it to show up like a fishing boat on radar...


... and blah blah blah... so far so cool; until I was on the can the other day thumbing through last year's September issue (see, I really like it), coming across the same ship...


What? On last year's ad? So much for latest and greatest... how silly of me.

I am not picking up another issue, ever.


Sunday, November 05, 2006

Out last week

My venturing into blogging. Many people got blogs, so I'll try to come up with something interesting to say.

I've tried hanging out too, something new for me. Met Flavor Flav - OK, I didn't meet him. I barely recognized him, but he was out shopping too.


There, allegedly the one with the blue bandana. We were both hanging out, just at the different parts of the mall.
