Sunday, December 29, 2013

Web-Safe Colors

In the past, when computer displays showed 256 colors, 216 of those colors were the same on Mac and DOS PC.  These 216 colors are known as web-safe because the viewer will see a similar color on either system.

Each web-safe color has RGB components that are multiples of 51, including 0.  For example, 51 (#33), 102 (#66), 153 (#99) etc.

HTML Color Names

HTML 3.2 and 4.0 defined a set of 16 standard colors which can be referenced by name (e.g. black, white, silver, yellow, blue etc).  These color names continue to be included in the CSS standards.

Example of usage:


which is the same as

or

Saturday, December 14, 2013

NTFS Boot Sectors and MFT

The first 16 sectors of an NTFS volume are allocated to the boot code.  Only half of them contain code; the other half contains null bytes.  Windows will refuse to mount the volume if these null bytes contain a non-null value.

After the boot sectors comes the Master File Table (MFT).  The MFT contains metadata on files.  It consists of a series of records.  Each file and directory has at least 1 record in the MFT.  An MFT record is 1K in size.

The first 16 records in the MFT describe special system files created together with the NTFS volume.  They are hidden files.  These files implement the file system and its metadata.

Rec 0 - $Mft - the MFT itself
Rec 1 - $MftMirr - partial mirror of the MFT's first 4 records
Rec 2 - $LogFile - transaction log
Rec 3 - $Volume - volume metadata such as label and creation time
Rec 4 - $AttrDef - metadata on NTFS attributes
Rec 5 - . - root directory folder
Rec 6 - $Bitmap - allocation status of clusters (groups of adjacent sectors)
Rec 7 - $Boot - code and data used to bootstrap the system
Rec 8 - $BadClus - bad clusters
Rec 9 - $Secure - contains the security descriptors for all files
Rec 10 - $Upcase - contains the upper case table used to convert lower case characters to upper case Unicode characters
Rec 11 - $Extend - used for NTFS extensions such as quotas and object IDs
Rec 12-15 - reserved

Friday, December 13, 2013

__declspec(naked)

This specifies a storage-class attribute that causes the compiler not to add a prolog or epilog to the function's code.

Call Gate

A call gate is a type of GDT descriptor.  It is 8 bytes long.  A call gate is used to allow code running at a lower privilege level to invoke a routine running at a higher privilege level.

Thursday, December 12, 2013

Portable Executable (PE) and IAT

The first 40 bytes contain the MS-DOS header, defined by the IMAGE_DOS_HEADER structure.  Following the header is a stub program which displays the "This program cannot be run in DOS mode" message.  The MS-DOS header contains the magic number "MZ" in its first 2 bytes.  MZ are the initials of Mark Zbikowski, who developed the DOS executable format.  The last field of the header contains the RVA (relative virtual address) of the PE file header.

An RVA signifies the offset from the base address of the PE module, which is returned by GetModuleHandle().  The PE header is defined by the IMAGE_NT_HEADERS structure:

typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;  // magic number "PE\0\0"
    IMAGE_FILE_HEADER FileHeader;  // number of sections, timestamp, Characteristics
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;  // entry point, image base, data directories
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

IMAGE_FILE_HEADER stores a number of file attributes such as the number of sections, a date/time stamp, and Characteristics, whose 14th bit indicates whether this is a DLL (1) or an EXE (0).

IMAGE_OPTIONAL_HEADER32 contains an array of 16 IMAGE_DATA_DIRECTORY structures.  The 16 entries can be referenced individually using integer macros:

IMAGE_DIRECTORY_ENTRY_EXPORT = 0
IMAGE_DIRECTORY_ENTRY_IMPORT = 1, which corresponds to the IAT
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2

typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;  // RVA of the data
    DWORD Size;  // size in bytes
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

For the IMPORT directory, the RVA points to the start of an array of IMAGE_IMPORT_DESCRIPTOR structures, one for each DLL imported by the module.

typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD Characteristics;  // 0 for the last descriptor
        DWORD OriginalFirstThunk;  // RVA of the Import Lookup Table (ILT)
    };
    DWORD TimeDateStamp;  // 0 until the image is bound
    DWORD ForwarderChain;  // -1 if no forwarders
    DWORD Name;  // RVA of the DLL name, terminated by \0
    DWORD FirstThunk;  // RVA of the IAT
} IMAGE_IMPORT_DESCRIPTOR;

Both FirstThunk and OriginalFirstThunk point to an array of IMAGE_THUNK_DATA structures:

typedef struct _IMAGE_THUNK_DATA32 {
    union {
        PBYTE ForwarderString;  // RVA of a forwarder string
        PDWORD Function;  // address of the imported routine, stored in the IAT
        DWORD Ordinal;  // ordinal number, when the high bit is set
        PIMAGE_IMPORT_BY_NAME AddressOfData;  // hint and string name of the imported routine, stored in the ILT
    } u1;
} IMAGE_THUNK_DATA32;

The Ordinal field indicates whether the function is imported by name or by its ordinal number.

In summary, the structures are linked as follows:

IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS {IMAGE_OPTIONAL_HEADER32} -> IMAGE_DATA_DIRECTORY -> IMAGE_IMPORT_DESCRIPTOR -> ILT and IAT
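As an added example (not code from the original post), the walk along this chain over a constructed in-memory PE32 image, without <windows.h>: the byte offsets come from the structures listed above, and it assumes RVA == buffer offset, i.e. it skips the section-table translation a real parser must do on a file loaded from disk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Byte offsets derived from the structures in the post (no <windows.h> needed). */
#define DOS_E_LFANEW     0x3C        /* IMAGE_DOS_HEADER.e_lfanew -> "PE\0\0" */
#define NT_OPTIONAL_HDR  24          /* Signature(4) + IMAGE_FILE_HEADER(20) */
#define OPT32_DATADIR    96          /* DataDirectory[] inside IMAGE_OPTIONAL_HEADER32 */
#define DIRECTORY_IMPORT 1           /* IMAGE_DIRECTORY_ENTRY_IMPORT */
#define IMPORT_DESC_SIZE 20          /* sizeof(IMAGE_IMPORT_DESCRIPTOR) */
#define ORDINAL_FLAG32   0x80000000u /* IMAGE_ORDINAL_FLAG32 in a thunk */

static uint32_t rd32(const uint8_t *p, size_t off) { uint32_t v; memcpy(&v, p + off, 4); return v; }
static void wr32(uint8_t *p, size_t off, uint32_t v) { memcpy(p + off, &v, 4); }
static int zstr(const uint8_t *p, size_t off, size_t len) { return off < len && memchr(p + off, 0, len - off) != NULL; }

/* DOS header -> NT headers -> DataDirectory[1] -> IMAGE_IMPORT_DESCRIPTOR[] -> ILT.  Fills out[] with
   "DLL!name" or "DLL!#ordinal"; returns the count, or -1 if malformed.  Assumption: RVA == buffer offset. */
int list_imports(const uint8_t *img, size_t len, char out[][64], int max)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt = rd32(img, DOS_E_LFANEW), dir = nt + NT_OPTIONAL_HDR + OPT32_DATADIR;
    if (nt > len - 4 || memcmp(img + nt, "PE\0\0", 4) || dir + 8 * (DIRECTORY_IMPORT + 1) > len) return -1;
    int n = 0;
    for (uint32_t d = rd32(img, dir + 8 * DIRECTORY_IMPORT); d + IMPORT_DESC_SIZE <= len; d += IMPORT_DESC_SIZE) {
        uint32_t ilt = rd32(img, d), name = rd32(img, d + 12);
        if (name == 0) break;                  /* all-zero descriptor terminates the array */
        if (ilt == 0) ilt = rd32(img, d + 16); /* no ILT: fall back to FirstThunk (the IAT) */
        if (!zstr(img, name, len)) return -1;  /* DLL name must be NUL-terminated inside the image */
        for (uint32_t t; ilt + 4 <= len && (t = rd32(img, ilt)) != 0; ilt += 4, n++) {
            if (n == max) return n;
            if (t & ORDINAL_FLAG32) snprintf(out[n], 64, "%s!#%u", (const char *)img + name, t & 0xFFFFu);
            else if (zstr(img, t + 2, len)) snprintf(out[n], 64, "%s!%s", (const char *)img + name, (const char *)img + t + 2); /* +2 skips Hint */
            else return -1;
        }
    }
    return n;
}

/* Constructed sample PE32 image (not a real binary): one DLL, one import by name, one by ordinal. */
size_t build_sample(uint8_t *img /* at least 0x300 bytes */)
{
    memset(img, 0, 0x300);
    img[0] = 'M'; img[1] = 'Z'; wr32(img, DOS_E_LFANEW, 0x40); memcpy(img + 0x40, "PE\0\0", 4);
    wr32(img, 0x40 + NT_OPTIONAL_HDR + OPT32_DATADIR + 8 * DIRECTORY_IMPORT, 0x200); /* import dir RVA */
    wr32(img, 0x200, 0x240); wr32(img, 0x20C, 0x260); wr32(img, 0x210, 0x280); /* OriginalFirstThunk, Name, FirstThunk */
    strcpy((char *)img + 0x260, "KERNEL32.dll");
    wr32(img, 0x240, 0x270); wr32(img, 0x244, ORDINAL_FLAG32 | 17); /* thunk 0 by name (Hint WORD at 0x270), thunk 1 ordinal 17 */
    strcpy((char *)img + 0x272, "LoadLibraryA");
    return 0x300;
}
```

Every offset read is bounds-checked against the buffer length, which is the part that matters when the same walk is run over untrusted files.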

Wednesday, December 11, 2013

SetWindowsHookEx()

This API allows one to execute a DLL routine when specific events are triggered.  The list of events is documented in winuser.h.  Some examples are

WH_KEYBOARD = 2
WH_MOUSE = 7
WH_SHELL = 10

The API accepts 4 parameters:

int hooktype - event to be hooked
HOOKPROC procPtr - exported DLL routine to call
HINSTANCE dllHandle - handle to the DLL containing the hook routine
DWORD dwThreadId - the specific thread, or all threads (set to 0), that trigger this event

It returns a pointer to the hooked routine, or NULL if the call fails.

To release the hooked event, use UnhookWindowsHookEx().

The calling program first calls LoadLibrary() to load the DLL.  Then it uses GetProcAddress() to get the address of the specific routine to use in the hook.  Finally, it calls SetWindowsHookEx() to hook the event.

The hook routine should call CallNextHookEx() to propagate the event to the next hook, passing along the parameters.


AppInit_DLLs

AppInit_DLLs is a REG_SZ value that stores a space-delimited list of DLLs with fully qualified paths.  This registry entry is stored under

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows

This feature is enabled by setting LoadAppInit_DLLs (REG_DWORD) to 0x00000001.

When user32.dll is loaded by a new process (DLL_PROCESS_ATTACH event), user32.dll calls LoadLibrary() to load every DLL specified in AppInit_DLLs.  user32.dll is included in most applications.

Import Address Table (IAT)

The IAT is a call table (an array of routine addresses) in user-mode modules.  Most executables have one or more IATs used to store the addresses of the library routines that the module imports from DLLs.

When the module is compiled with the load-time dynamic linking option, the linker takes the address of each exported routine and places it into an IAT specific to each DLL.  When the application is loaded, the system maps the DLL into the address space and calls the DLL entry point (DllMain with the DLL_PROCESS_ATTACH argument).

Run-time dynamic linking does not rely on the IAT.  The module specifies the DLL and routine name at run time using the LoadLibrary() and GetProcAddress() calls.  One advantage of run-time dynamic linking is that the module can recover if the DLL is not found.


Deferred Procedure Call (DPC)

An ISR needs to finish its processing as quickly as possible, since the normal processing of the system is suspended while it runs.  To expedite processing, an ISR may defer work that is not time sensitive to a later time.  This deferred work is done by scheduling a DPC.  DPCs execute at IRQL DISPATCH_LEVEL.  A DPC can be scheduled to run on a specific CPU.

Interrupt Request Level (IRQL)

Each interrupt is mapped to an IRQL representing its priority relative to other interrupts.  When an interrupt happens, the system looks up the ISR via the IDT and assigns it to a processor.  If the IRQL of the CPU is lower than the IRQL of the interrupt, the running thread is pre-empted, the IRQL of the CPU is raised to that of the ISR, and the ISR is executed.  When the ISR completes, the IRQL of the CPU is lowered to its previous value and the pre-empted code resumes.

If the IRQL of the CPU is the same as the ISR's, the ISR must wait until the current ISR completes.  Similarly, if the IRQL of the CPU is higher than the ISR's, the ISR waits too.

Each IRQL is assigned a number.  PASSIVE_LEVEL is 0, the lowest.  All user-mode programs run at PASSIVE_LEVEL, as do common kernel-mode driver routines such as DriverEntry(), Unload, and the IRP dispatch routines.

APC_LEVEL is 1.  DISPATCH_LEVEL, at which the scheduler runs, is 2.  A thread running above DISPATCH_LEVEL will not be pre-empted, as the scheduler will not run.  This means the code and data pages used by such a thread must be pinned in memory and cannot be paged out.

PROFILE_LEVEL is used by the profiling timer and is set to 27.  The levels between 2 and 27 are the hardware device IRQLs, known as DIRQL.

Sunday, December 1, 2013

Mobile Network

1G - Uses analog signals based on the Advanced Mobile Phone System (AMPS) standard, operating in the range of 824MHz to 894MHz (also dubbed the 800MHz band)

2G - Converted to digital signals to cram more calls into the available frequency.  There are 2 competing standards - CDMA (Code Division Multiple Access), which operates in the same 800MHz band, and GSM (Global System for Mobile Communication), which operates at 1900MHz.  These 2 standards are not interoperable.  2G allows transmission of data in the form of SMS (Short Message Service) and MMS (Multimedia Message Service).  Transfer speed is around 144Kbps.

3G - For smartphones, with transfer speeds of up to around 2Mbps.  Standards include CDMA2000, which evolved from CDMA, and UMTS (Universal Mobile Telecommunication System), which evolved from GSM.

4G - Transmission speed exceeds 1Gbps.  Competing standards are:
(1) LTE (Long Term Evolution) with download rates up to 300Mbps
(2) HSPA+ (Evolved High Speed Packet Access) with download rates up to 168Mbps.  Current rate is around 42Mbps
(3) WiMax (Worldwide Interoperability for Microwave Access) with download rates of 128Mbps