Windows Error Reporting – Local crash dump collection – Graphical tool

According to Microsoft, the Windows Error Reporting feature is defined as follows:

The error reporting feature enables users to notify Microsoft of application faults, kernel faults, unresponsive applications, and other application specific problems. Microsoft can use the error reporting feature to provide customers with troubleshooting information, solutions, or updates for their specific problems. Developers can use this infrastructure to receive information that can be used to improve their applications.

When a program crashes in Windows, if it did not have built-in exception handling and crash dump generation, the Windows Error Reporting tool usually creates a crash dump and then queues it for upload to Microsoft.

The Windows Error Reporting tool can be configured in such a way to collect the crashes locally instead of queuing them for upload. The following document explains how.

In short, you have to add the follow registry values:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\<program_name>.exe]
"DumpFolder"=hex(2):43,00,3a,00,5c,00,74,00,65,00,6d,00,70,00,00,00
"DumpCount"=dword:00000100
"DumpType"=dword:00000002

Tweaking the registry manually is often not the best thing to do, therefore I wrote a simple open-source graphical utility that does the registry modification on your behalf.

WerFault GUI Tool

The graphical tool is very simple, but let me explain a few things.

WerFault supports three crash dump types: custom, mini or full memory dumps. Only when the custom dump is selected you can specify additional custom dump flags to WerFault. The custom flags are for advanced users.

In most cases it is advised to select the “Full dump” option because it captures lots of information needed for debugging. And finally, the dump count option lets you specify how many crash dumps to keep around.

There are two blue buttons that allows you to add or update an entry and to delete an entry. That’s it!

In the downloaded package, there’s an executable called crash.exe that you can use for testing. Continue reading “Windows Error Reporting – Local crash dump collection – Graphical tool”

Detect executable format using Python

In this article, I am sharing with you a small Python script that lets you detect if a file is an executable file and what platform the executable is targeting.

The following formats for 32 bits and 64bits processors are supported:

  • Mach-O files: both regular and universal formats
  • Windows PE files
  • Linux ELF files

The script

#---------------------------------------------------------------------
EXEFLAG_NONE        = 0x0000
EXEFLAG_LINUX       = 0x0001
EXEFLAG_WINDOWS     = 0x0002
EXEFLAG_MACOS       = 0x0004
EXEFLAG_MACOS_FAT   = 0x0008
EXEFLAG_32BITS      = 0x0010
EXEFLAG_64BITS      = 0x0020

# Keep signatures sorted by size
_EXE_SIGNATURES = (
    ("\x4D\x5A", EXEFLAG_WINDOWS),
    ("\xCE\xFA\xED\xFE", EXEFLAG_MACOS | EXEFLAG_32BITS),
    ("\xCF\xFA\xED\xFE", EXEFLAG_MACOS | EXEFLAG_64BITS),
    ("\xBE\xBA\xFE\xCA", EXEFLAG_MACOS | EXEFLAG_32BITS | EXEFLAG_MACOS_FAT),
    ("\xBF\xBA\xFE\xCA", EXEFLAG_MACOS | EXEFLAG_64BITS | EXEFLAG_MACOS_FAT),
    ("\x7F\x45\x4C\x46\x01", EXEFLAG_LINUX | EXEFLAG_32BITS),
    ("\x7F\x45\x4C\x46\x02", EXEFLAG_LINUX | EXEFLAG_64BITS)
)

def get_exeflags(filepath):
    try:
        with open(filepath, "rb") as f:
            buf = ""
            buf_len = 0
            for sig, flags in _EXE_SIGNATURES:
                sig_len = len(sig)
                if buf_len < sig_len:
                    buf += f.read(sig_len - buf_len)
                    buf_len = sig_len

                if buf == sig:
                    return flags
    except:
        pass

    return EXEFLAG_NONE

Continue reading “Detect executable format using Python”

7 DLL injection techniques in Microsoft Windows

In this article, I am going to list half a dozen DLL injection techniques that can be used by a user mode process running on MS Windows. There could be more techniques but I am sharing with you the techniques that I had first hand experience with.

1. AppInit_DLLs

People used to rely on the AppInit_DLLs registry key. The OS loader queries this value and loads the DLLs specified there when a process is created. I have not used this technique in a long while (last time I used it was on Windows XP) and I heard it is now restricted or discontinued because it was widely used by malware.

2. SetWindowsHookEx API

The SetWindowsHookEx API installs an application-defined hook procedure into a given hook chain. There are various supported hook chains (CBT, Journal, Window messages, keyboard, mouse, etc).

When using the SetWindowsHookEx API, you are instructing the operating system to inject your custom hook DLL into other process where it is relevant. The Windows hooks work when the other processes import / use functionality from USER32.dll.

Continue reading “7 DLL injection techniques in Microsoft Windows”

Batchography: Changing the MAC address on Windows – A free Batch script

batchography-good-resIn a previous post entitled “How to get unlimited free Internet at Airports“, I showed you how to circumvent the time limit imposed by the “free” Wi-Fi connections in certain airports.

For that trick to work, you were required to update the MAC address of your computer each time the free time is over.

In this blog post, I am going to share with you the ChangeMACAddressBatch script that I wrote with the help and instructions from the excellent Batchography book.

The script makes use of various recipes illustrated in the Batchography book (in Chapter 4) and uses the various Batch scripting language syntax (Chapters 1 and 2) and methodologies (Chapter 3). Therefore, I will not be explaining the script’s contents or how it works because it will become evident if you read the Batchography book.

flower separator

Get the book from Amazon:

  • Paperback editionbtn-buy-on-amazon
  • E-book editionbtn-buy-on-amazon

flower separator

How to use the script interactively

To begin with, you need to run the script with administrative privileges.

Running the script as an administrator


On Windows 8 and above, just press Win+X and choose “Command Prompt (Admin)” like this:

chg-mac-run-elevated-command-prompt

Otherwise, if you are using the Windows Explorer window, then right-click on your script and choose “Run as Administrator”:

chg-mac-run-as-admin

Starting the script

When you first run the script, you will be presented with the main menu that will show you a list of all the adapters you have on your system.

On my laptop for instance, I have 4 adapters:

  • An Ethernet adapter
  • 2 x VMWare virtual adapters
  • A Wi-Fi adapter

Using the keyboard, type the adapter number that you want to inspect and/or change its MAC address:

chg-mac-main-menu

Let’s press “4” in this case and go inside that adapter’s information screen. Continue reading “Batchography: Changing the MAC address on Windows – A free Batch script”