lowleveldesign's comments

lowleveldesign | 8 months ago | on: .NET 10 Preview 6 brings JIT improvements, one-shot tool execution

Interestingly, the Rust windows crate is generated from an MSIL assembly. And the same metadata might be used to generate C# bindings thanks to the cswin32 [1] project. The meta-assembly generation (Win32 metadata project) is based on clangsharp, and it's fairly straightforward to generate interop code for native Windows libraries. Some time ago I described this process on my blog for the detours library [2].

[1] https://github.com/microsoft/CsWin32

[2] https://lowleveldesign.org/2023/11/23/generating-c-bindings-...

lowleveldesign | 9 months ago | on: I deleted my second brain

I understand the burden that too many notes may place on you. I am a software troubleshooter and I used to keep raw notes of all the interesting cases I encountered. However, with time, this set became hard to navigate. Additionally, when I was rereading my notes, they seemed chaotic and hard to follow. I now prefer to create a succinct summary of a closed case, explaining the steps taken, my thinking, and the solution, so that my future self can understand it :)

lowleveldesign | 11 months ago | on: AI Meets WinDBG

I do a lot of Windows troubleshooting and am still thinking about incorporating AI into my work. The posted project looks interesting and it's impressive how fast it was created. Since it's using MCP it should be possible to bind it with local models. I wonder how performant and effective it would be. When working in the debugger, you should be careful with what you send to external servers (for example, Copilot). Process memory may contain unencrypted passwords, usernames, domain configuration, IP addresses, etc. Also, I don't think that vibe-debugging will work without knowing what the eax register is or how to navigate the stack/heap. It will solve some obvious problems, such as most exceptions, but for anything more demanding (bugs in application logic, race conditions, etc.), you will still need to get your hands dirty.

I am actually more interested in improving the debugger interface. For example, an AI assistant could help me create breakpoint commands that nicely print function parameters when I only partly know the function signature and do not have symbols. I used Claude/Gemini for such tasks and they were pretty good at it.

As a side note, I recall Kevin Gosse also implemented a WinDbg extension [1][2] which used OpenAI API to interpret the debugger command output.

[1] https://x.com/KooKiz/status/1641565024765214720

[2] https://github.com/kevingosse/windbg-extensions

lowleveldesign | 1 year ago | on: A comparison of Rust’s borrow checker to the one in C#

I feel that nowadays Rust is the language to go to when you are doing systems programming, but C# is not a bad choice either. With .NET 9 being released in a few weeks we will get NativeAOT (compilation to a native single binary) for x86 (x64 and ARM64 are already available). At work, I'm writing patches for legacy apps and needed to use C++ for most of my tasks. Nowadays, I'm doing more and more stuff in C# and enjoying it. For WinAPI there is a fantastic cswin32 [1] project that generates FFI signatures on the fly. And it's fairly simple to extend it for other Windows libraries (I did it for detours [2], for example). And using pointers or working with native memory blocks is straightforward and intuitive for people with a C/C++ background.

[1] https://github.com/microsoft/CsWin32

[2] https://lowleveldesign.wordpress.com/2024/07/11/implementing...
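As an added illustration of the two points above (the Win32 metadata/CsWin32 comment and the "pointers and native memory in C#" comment), here is an example that is not the commenter's code and not part of CsWin32: a hand-written P/Invoke layer for `VirtualQuery`, `VirtualAlloc` and `VirtualFree`, and an unsafe walk over the current process's address space that reports every committed region that is both writable and executable (the footprint a shellcode loader or a JIT without W^X leaves behind). CsWin32 would generate equivalent declarations from a `NativeMethods.txt` listing those three names; the struct layout and constants below are the ones from `winnt.h`/`memoryapi.h`. Build with `<AllowUnsafeBlocks>true</AllowUnsafeBlocks>` on Windows, .NET 6 or later.

```csharp
// Added example, not code from the comment or from CsWin32.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

static unsafe class RwxScanner
{
    // Matches MEMORY_BASIC_INFORMATION on x86 and x64: on x64 the 2-byte PartitionId
    // that follows AllocationProtect is covered by the alignment padding before RegionSize.
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public void* BaseAddress;
        public void* AllocationBase;
        public uint AllocationProtect;
        public nuint RegionSize;
        public uint State;
        public uint Protect;
        public uint Type;
    }

    const uint MEM_COMMIT = 0x1000;
    const uint MEM_RESERVE = 0x2000;
    const uint MEM_RELEASE = 0x8000;
    const uint PAGE_EXECUTE_READWRITE = 0x40;
    const uint PAGE_EXECUTE_WRITECOPY = 0x80;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern nuint VirtualQuery(void* lpAddress, MEMORY_BASIC_INFORMATION* lpBuffer, nuint dwLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern void* VirtualAlloc(void* lpAddress, nuint dwSize, uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool VirtualFree(void* lpAddress, nuint dwSize, uint dwFreeType);

    // Walks the address space region by region and returns (base, size) of every
    // committed region whose current protection allows both write and execute.
    public static List<(nuint Base, nuint Size)> FindRwxRegions()
    {
        var hits = new List<(nuint, nuint)>();
        MEMORY_BASIC_INFORMATION mbi;
        byte* addr = null;
        while (VirtualQuery(addr, &mbi, (nuint)sizeof(MEMORY_BASIC_INFORMATION)) != 0)
        {
            bool rwx = mbi.State == MEM_COMMIT &&
                       (mbi.Protect & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
            if (rwx) hits.Add(((nuint)mbi.BaseAddress, mbi.RegionSize));

            byte* next = (byte*)mbi.BaseAddress + (ulong)mbi.RegionSize;
            if (next <= addr) break; // wrapped past the top of the address space
            addr = next;
        }
        return hits; // VirtualQuery fails (returns 0) once we leave the user address range
    }

    static void Main()
    {
        Console.WriteLine($"RWX regions before planting one: {FindRwxRegions().Count}");

        // Plant a single RWX page and confirm the scan picks it up.
        void* page = VirtualAlloc(null, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (page == null)
            throw new InvalidOperationException($"VirtualAlloc failed: {Marshal.GetLastWin32Error()}");
        try
        {
            foreach (var (b, s) in FindRwxRegions())
                Console.WriteLine($"RWX region at 0x{(ulong)b:X} size 0x{(ulong)s:X}" +
                                  (b == (nuint)page ? "  <- the page we just allocated" : ""));
        }
        finally
        {
            VirtualFree(page, 0, MEM_RELEASE);
        }
    }
}
```

The same walk works on a remote process by swapping `VirtualQuery` for `VirtualQueryEx` with a handle opened with `PROCESS_QUERY_INFORMATION`; the struct and constants stay the same.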

lowleveldesign | 1 year ago | on: VBScript deprecation: Timelines and next steps

I haven't considered the execution policy such a blocker since you may change it on the powershell.exe command line (for example, run "powershell.exe -ExecutionPolicy RemoteSigned -File script.ps1" from a bat file). Also, the default execution policies changed between PowerShell 5.x, shipped with Windows, and modern PowerShell 7.x, which you need to install separately. In 7.x RemoteSigned is the default in the server environment.

lowleveldesign | 2 years ago | on: RIP Microsoft WordPad

AFAIR the WordPad source code was available in older Windows SDKs and it was the most comprehensive sample of using OLE embedding.

lowleveldesign | 2 years ago | on: Native AOT Overview

NativeAOT is an excellent way to expose .NET code to native apps. One big feature I am missing is support for x86. If you have a 32-bit app in which you want to inject your .NET library, NativeAOT won't help.
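An added example of the technique the comment refers to (exposing .NET code to native apps through NativeAOT); it is not the commenter's code. The library exports one C-callable function that hashes a caller-supplied buffer with .NET's `SHA256`. The rules that matter at the boundary are visible in the code: `UnmanagedCallersOnly` methods take only blittable parameters (raw pointers and integers, no strings or arrays), and no exception may escape, because there is no managed frame above the export to catch it, so failures are reported as return codes instead. The project file needs `<PublishAot>true</PublishAot>` and `<AllowUnsafeBlocks>true</AllowUnsafeBlocks>`; the export name `compute_sha256` is my choice.

```csharp
// Added example, not the post's own code. Publish with:
//   dotnet publish -c Release -r win-x64 /p:NativeLib=Shared
// which yields a native DLL exporting "compute_sha256" (x64 and ARM64 only,
// which is exactly the x86 gap the comment points out).
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

public static unsafe class Exports
{
    // Native signature: int compute_sha256(const uint8_t* data, int length,
    //                                      uint8_t* digest, int digestLength);
    // Returns 0 on success, -1 on bad arguments, -2 if hashing threw.
    [UnmanagedCallersOnly(EntryPoint = "compute_sha256")]
    public static int ComputeSha256(byte* data, int length, byte* digest, int digestLength)
    {
        // Validate everything the native caller hands us; a null data pointer is only
        // acceptable for an empty input, and the output must hold a full 32-byte digest.
        if (length < 0 || (data == null && length != 0) || digest == null || digestLength < 32)
            return -1;
        try
        {
            // Spans over caller-owned memory: no copies, no GC-visible allocations.
            SHA256.HashData(new ReadOnlySpan<byte>(data, length), new Span<byte>(digest, 32));
            return 0;
        }
        catch (Exception)
        {
            // Never let a managed exception unwind into native frames.
            return -2;
        }
    }
}
```

From C the caller resolves the export with `GetProcAddress(LoadLibraryW(L"..."), "compute_sha256")` and calls it through a `int (*)(const unsigned char*, int, unsigned char*, int)` pointer; no .NET runtime needs to be installed or hosted on the calling side.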

lowleveldesign | 3 years ago | on: My bad habit of hoarding information

Information hoarding was my big problem as well. To fight it, a few years ago, I stopped using any bookmark services, and I started to keep a list of links in a markdown text file with a limited number of tags. I split the links by month and often add a short description and a tag to a saved link. All IT tags are textual, but I use emojis for other link categories, such as music or books. Example content:

### 2022/12

- {musical note emoji} [Mendelssohn - Complete Piano Works](https://www.amazon.pl/Complete-Piano-Works-Prosseda/dp/B084D...)

- [Checked C](https://github.com/microsoft/checkedc) - extensions to make C safer #cpp

- [SQLite Internals: How The World's Most Used Database Works](https://www.compileralchemy.com/books/sqlite-internals/)

- {book emoji} [Ask HN: Best books read in 2022?](https://news.ycombinator.com/item?id=33849267) - some interesting pieces here

### 2022/11

- [The Linux Kernel Module Programming Guide](https://sysprog21.github.io/lkmpg/), [repo](https://github.com/sysprog21/lkmpg) #linux

...

And so on. I know it's simplistic, but it helped me a lot to keep the number of links under a reasonable limit, and it is effortless to search through.

lowleveldesign | 4 years ago | on: Implementing Global Injection and Hooking in Windows

If you need to hook methods in a remote process (and also inject a payload), you may also consider the Detours library [1]. It has a straightforward API and its repository contains many interesting samples. One thing I was missing in the library was a function to inject code into a running process. So I wrote takedetour [2], which I use as a template for my other projects. Maybe you will find it useful as well.

[1] https://github.com/microsoft/Detours

[2] https://github.com/lowleveldesign/takedetour
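An added example of the Detours API the comment describes, driven from C# rather than C++; it is not code from the comment, from takedetour or from the Detours repository. It hooks `kernel32!Sleep` in the current process so that every call passes through a managed detour that counts it before forwarding to the original. The Detours signatures are those of `detours.h`; the assumption is that Detours has been built as a DLL named `detours.dll` sitting next to the executable (the repository builds a static library by default). Build with `<AllowUnsafeBlocks>true</AllowUnsafeBlocks>`, .NET 6 or later, on Windows.

```csharp
// Added example, not the comment's own code. Assumes detours.dll (a DLL build of
// Microsoft Detours) next to the executable.
using System;
using System.Runtime.InteropServices;

static unsafe class SleepHook
{
    // Detours API as declared in detours.h: LONG return codes, 0 == NO_ERROR.
    [DllImport("detours.dll")] static extern int DetourTransactionBegin();
    [DllImport("detours.dll")] static extern int DetourUpdateThread(IntPtr hThread);
    [DllImport("detours.dll")] static extern int DetourAttach(void** ppPointer, void* pDetour);
    [DllImport("detours.dll")] static extern int DetourDetach(void** ppPointer, void* pDetour);
    [DllImport("detours.dll")] static extern int DetourTransactionCommit();

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentThread();
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode)] static extern IntPtr GetModuleHandleW(string lpModuleName);
    [DllImport("kernel32.dll")] static extern void* GetProcAddress(IntPtr hModule, string lpProcName);
    [DllImport("kernel32.dll")] static extern void Sleep(uint dwMilliseconds);

    // Native slot that holds the address Detours patches. After DetourAttach it contains
    // the trampoline, so calling through it reaches the original Sleep without recursion.
    static readonly void** s_trueSleep = (void**)NativeMemory.Alloc((nuint)sizeof(void*));
    static int s_calls;
    public static int Calls => s_calls;

    // The detour: Detours jumps here from native code, so it must be UnmanagedCallersOnly
    // (native calling convention, blittable parameters only).
    [UnmanagedCallersOnly]
    static void SleepDetour(uint dwMilliseconds)
    {
        s_calls++;
        ((delegate* unmanaged<uint, void>)(*s_trueSleep))(dwMilliseconds);
    }

    static void Check(int rc, string call)
    {
        if (rc != 0) throw new InvalidOperationException($"{call} failed with error {rc}");
    }

    public static void Attach()
    {
        *s_trueSleep = GetProcAddress(GetModuleHandleW("kernel32.dll"), "Sleep");
        if (*s_trueSleep == null) throw new InvalidOperationException("kernel32!Sleep not found");

        Check(DetourTransactionBegin(), nameof(DetourTransactionBegin));
        Check(DetourUpdateThread(GetCurrentThread()), nameof(DetourUpdateThread));
        Check(DetourAttach(s_trueSleep, (void*)(delegate* unmanaged<uint, void>)&SleepDetour), nameof(DetourAttach));
        Check(DetourTransactionCommit(), nameof(DetourTransactionCommit));
    }

    public static void Detach()
    {
        Check(DetourTransactionBegin(), nameof(DetourTransactionBegin));
        Check(DetourUpdateThread(GetCurrentThread()), nameof(DetourUpdateThread));
        Check(DetourDetach(s_trueSleep, (void*)(delegate* unmanaged<uint, void>)&SleepDetour), nameof(DetourDetach));
        Check(DetourTransactionCommit(), nameof(DetourTransactionCommit));
    }

    static void Main()
    {
        Sleep(1);   // straight to kernel32!Sleep, not counted
        Attach();
        Sleep(1);   // now lands in SleepDetour first
        Sleep(1);
        Detach();
        Sleep(1);   // original prologue restored, not counted
        Console.WriteLine($"Sleep intercepted {Calls} times (2 expected; more only if another runtime thread called Sleep meanwhile)");
    }
}
```

The P/Invoke call to `Sleep` is intercepted because Detours rewrites the first instructions of `kernel32!Sleep` itself, not an import table entry, so every caller in the process, managed or native, goes through the detour. Hooking a remote process additionally needs the injection step the comment talks about: getting a DLL that runs this `Attach` loaded into the target.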

lowleveldesign | 4 years ago | on: Sysmon for Linux 1.0.0 Released

Sysmon [1] is a popular monitoring tool on Windows. It is based on ETW and its custom driver and provides great details on what is happening in the system. To make the logs relevant, we need to configure it (SwiftOnSecurity created a good base config file [2]).

Yesterday, MS released the first version of Sysmon for Linux and made it open-source (MIT license) [3]. It is based on eBPF. In [4] they show how they use it in Azure to collect events from Linux VMs.

- [1] https://docs.microsoft.com/en-us/sysinternals/downloads/sysm...

- [2] https://github.com/SwiftOnSecurity/sysmon-config

- [3] https://github.com/Sysinternals/SysmonForLinux

- [4] https://techcommunity.microsoft.com/t5/azure-sentinel/automa...
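To show what the "great details" the comment mentions look like once Sysmon is configured, here is an added example that is not code from the comment, from Sysmon or from the sysmon-config repository: a few constructed Sysmon ProcessCreate (Event ID 1) records in the Windows event XML format, a parser for the `EventData` fields, and a small rule that flags PowerShell launched with an execution-policy override or an encoded command. The events, users and paths are made up for the demo; the element and `Data Name` values follow the Sysmon event schema. Runs on .NET 6 or later.

```csharp
// Added example; the events below are constructed, not captured from a real host.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml.Linq;

static class SysmonProcessCreate
{
    static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";

    public sealed record Proc(string Image, string CommandLine, string ParentImage, string User);

    // Extracts the fields this rule needs from one Sysmon event; null for other event IDs.
    public static Proc Parse(string eventXml)
    {
        XElement ev = XElement.Parse(eventXml);
        if ((string)ev.Element(Ns + "System")?.Element(Ns + "EventID") != "1") return null;
        Dictionary<string, string> data = ev.Element(Ns + "EventData").Elements(Ns + "Data")
            .ToDictionary(d => (string)d.Attribute("Name"), d => d.Value);
        return new Proc(data["Image"], data["CommandLine"], data["ParentImage"], data["User"]);
    }

    // Flags powershell.exe/pwsh.exe started with "-ExecutionPolicy Bypass" (or the -ep/-exec
    // short forms) or with an encoded command; the parent image is kept for triage context.
    public static bool IsSuspicious(Proc p)
    {
        string image = Path.GetFileName(p.Image).ToLowerInvariant();
        if (image != "powershell.exe" && image != "pwsh.exe") return false;

        string cl = " " + p.CommandLine.ToLowerInvariant() + " ";
        bool policyOverride = cl.Contains("-executionpolicy bypass") || cl.Contains("-ep bypass") || cl.Contains("-exec bypass");
        bool encoded = cl.Contains("-encodedcommand ") || cl.Contains(" -enc ") || cl.Contains(" -ec ");
        return policyOverride || encoded;
    }

    // Constructed sample events. The encoded payload is "Write-Host hi" in UTF-16LE base64.
    static readonly string[] SampleEvents =
    {
@"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID></System>
  <EventData>
    <Data Name='Image'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name='CommandLine'>powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA=</Data>
    <Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data>
    <Data Name='User'>CORP\jdoe</Data>
  </EventData>
</Event>",
@"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID></System>
  <EventData>
    <Data Name='Image'>C:\Program Files\PowerShell\7\pwsh.exe</Data>
    <Data Name='CommandLine'>pwsh.exe -File C:\Scripts\backup.ps1</Data>
    <Data Name='ParentImage'>C:\Windows\System32\svchost.exe</Data>
    <Data Name='User'>NT AUTHORITY\SYSTEM</Data>
  </EventData>
</Event>",
@"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>3</EventID></System>
  <EventData><Data Name='Image'>C:\Windows\System32\curl.exe</Data></EventData>
</Event>"
    };

    static void Main()
    {
        foreach (string xml in SampleEvents)
        {
            Proc p = Parse(xml);
            if (p == null) { Console.WriteLine("skipped: not a ProcessCreate event"); continue; }
            Console.WriteLine($"{(IsSuspicious(p) ? "ALERT " : "ok    ")} {p.User} {p.Image} <- {p.ParentImage}");
            if (IsSuspicious(p)) Console.WriteLine($"       cmdline: {p.CommandLine}");
        }
    }
}
```

On a live host the same `Parse`/`IsSuspicious` pair can be fed from `System.Diagnostics.Eventing.Reader.EventLogReader` over the `Microsoft-Windows-Sysmon/Operational` channel, which is where the ProcessCreate events land once the configuration includes a `ProcessCreate` rule.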
