Software and web application security

January 15, 2007

Second paper on subverting PatchGuard

Filed under: reverse engineering, software security — chrisweber @ 9:13 am

Uninformed is pleased to announce the release of its sixth volume. This volume includes three articles on reverse engineering and exploitation technology:

– Engineering in Reverse: Subverting PatchGuard Version 2
Author: Skywing

– Engineering in Reverse: Locreate: An Anagram for Relocate
Author: skape

– Exploitation Technology: Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
Authors: Johnny Cache, H D Moore, skape

This volume of the journal can be found at:


December 26, 2006

CSIDL – Shell constants, enumerations, and flags

Filed under: penetration testing, reverse engineering, software security — chrisweber @ 2:08 pm

I worked on an application that had two requirements:

  1. Allow users access to their local drive content within a defined scope (e.g. either the entire drive, or the My Documents folder only).
  2. Prevent users from accessing files outside of the defined scope, so they should not be able to reach network drives, USB keys, etc.

To achieve this, the application built its root folder from the CSIDL shell constants defined in the Windows SDK (for example CSIDL_PERSONAL for My Documents), not from anything the user supplied.

This worked well. After reviewing the code we ran a battery of tests to confirm it, starting with the alternative path syntaxes that Windows parses differently from an ordinary relative path:

  • \\host\share\file (UNC share)
  • \\?\folder\file (extended-length prefix, which turns off normal path normalization)
  • \\\share\file (malformed UNC)
  • \\.\folder\file (Win32 device namespace)

We then tried breaking out of the defined scope with traversal sequences:

  • ..\..\..\..\boot.ini
  • ../../../../boot.ini
  • ..%2fboot.ini (URL-encoded slash, to catch an application that decodes after it validates)

Using the CSIDL constants proved successful, and we confirmed it in the debugger: everything we entered was treated as a path relative to the folder the constant resolved to, and nothing we supplied could change that root. Note that the constant by itself only fixes the root; whether a relative path can climb back out of it depends on how the application joins and canonicalizes the two before opening the file, so the traversal tests above are the evidence, not the constant.
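A scope check of the kind these tests exercise, as an added example rather than the application code from the post. It is written in Python on top of ntpath so it runs on any platform; DOCUMENTS_ROOT is a constructed stand-in for the folder SHGetFolderPath would return for CSIDL_PERSONAL, and the single percent-decode step assumes the input arrives from a web front end (both are assumptions, not details from the post).

```python
import ntpath
from urllib.parse import unquote

# Constructed example root: in the real application this would come from
# SHGetFolderPath(CSIDL_PERSONAL). Hypothetical value, not from the post.
DOCUMENTS_ROOT = r"C:\Users\alice\Documents"


def resolve_in_scope(root, user_path):
    """Return the full path for user_path inside root, or raise ValueError.

    Assumes user_path comes from a web front end and is percent-decoded
    exactly once, before any path handling, so '..%2f' cannot be decoded
    into a traversal after the check has already passed.
    """
    decoded = unquote(user_path)
    if "\0" in decoded:
        raise ValueError("embedded NUL: %r" % user_path)
    drive, rest = ntpath.splitdrive(decoded)
    # A drive letter, UNC share (\\host\share) or device prefix (\\?\, \\.\)
    # shows up as a non-empty drive; a leading separator is a rooted path.
    # Only plain relative paths are accepted.
    if drive or rest.startswith(("\\", "/")):
        raise ValueError("absolute, UNC or device path not allowed: %r" % user_path)
    # Join under the root, collapse '.' and '..', then compare case-insensitively
    # against the canonical root with a trailing separator so that a sibling
    # folder such as C:\Users\alice\Documents2 does not pass as a prefix match.
    full = ntpath.normpath(ntpath.join(root, decoded))
    root_n = ntpath.normcase(ntpath.normpath(root))
    full_n = ntpath.normcase(full)
    if full_n != root_n and not full_n.startswith(root_n + "\\"):
        raise ValueError("path escapes scope: %r" % user_path)
    return full


def check(root, candidates):
    """Run a batch of candidate inputs; map each to its resolved path or 'rejected'."""
    results = {}
    for candidate in candidates:
        try:
            results[candidate] = resolve_in_scope(root, candidate)
        except ValueError:
            results[candidate] = "rejected"
    return results


if __name__ == "__main__":
    # Constructed inputs mirroring the test battery from the post.
    battery = [
        r"\\host\share\file", r"\\?\folder\file", r"\\\share\file",
        r"\\.\folder\file", r"..\..\..\..\boot.ini", "../../../../boot.ini",
        "..%2fboot.ini", "C:boot.ini", r"reports\q1.txt", ".",
    ]
    for candidate, outcome in check(DOCUMENTS_ROOT, battery).items():
        print("%-24s -> %s" % (candidate, outcome))
```

The order matters: decode once, reject anything that is not a plain relative path, then canonicalize the joined result and compare it against the canonical root. Doing the prefix comparison on the raw input, or decoding after the comparison, is exactly what the `..%2f` case in the battery is there to catch.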
