Did you know?

Playing the Git game

Git

One of the best source control systems out there is Git, it’s free and open source. It’s functionality is exposed via the command line, but most developers prefer to use a user interface to interact with it.

  • Git Extensions – integrates nicely with Windows and Visual Studio (free)
  • SourceTree – standalone client with a nice and powerful UI (free)

Direct usage of the command line git client depends on the geek and command line fanboy level exhibited by the individual. Personally, I use a combination of the two, however, when time allows, I always try to do more complicated things from the command line, rather than using some UI. 

And now I found a good way to further my git skills by playing several games.

The Git game

A simple game that tests your git command line skills. Divided in several levels, it will use your skills to resolve conflicts, blame, view and traverse commits, and other challenges. To get you started, all you have to do is:

  1. checkout the game git clone https://github.com/hgarc014/git-game.git
  2. open the README file – there you will find instructions and riddles.

The project is hosted on github at  https://github.com/hgarc014/git-game

Learn Git branching

Focuses on teaching you how git branching actually works and delves into several commands offering good visualisations.

You can play it here: http://pcottle.github.io/learnGitBranching/

Enjoy!

Removing SearchProtect32.dll malware the hard way

The days when you could install some software by just clicking the Next button like a madman are long gone. Back in the days, software programs were simple, you would download their setup, install it, and happily use it afterwards. Today, installing a piece of software is the most attention demanding thing in the world, you have to carefully read every step, make sure you opt out of all the additional programs/malware/toolbars/atomic bombs they are trying to shovel on your throat (what, you don’t believe me? try downloading and installing java, you are in for an extra toolbar in your favorite browser).

In most of the cases, even if you accidentally install one of these extra goodies, you can uninstall them via the windows uninstaller, or from the browsers extension page. However, I stumbled upon a browser extension which actively refused my efforts to make it go away.

Initial symptoms:

  • My browser start page was always http://istart.webssearches.com
  • Starting the browser in incognito mode was no longer possible
  • When trying to start the browser in incognito mode, it would always open a new tab pointing to http://istart.webssearches.com
  • Some websites started displaying obtrusive ads, sometime overlaying the content of the page

Initial countermeasures:

  • Went through the browser extension page and removed the Quick Start extension (as it was the only one I didn’t knew)
  • Went through the windows uninstaller but couldn’t find any suspicious programs (some people were able to find a program called RSHP which when uninstalled fixes the issue)
  • Went to the browser settings and reset the start page and search provider

After this first round of countermeasures, I managed to get rid of the initial http://istart.webssearches.com browser page, however opening an incognito window would still open a new tab pointed to http://istart.webssearches.com. The obtrusive ads were still showing up, thus I concluded my job was not done.

Second wave of countermeasures:

At this point I tried all the easy ways out of the problem, and it was time to dive a little bit deeper.

Started Process Monitor and pointed it to the chrome.exe processes. After scanning through the generated activity, I encountered something out of the ordinary:

Suspicious activity

Suspicious activity

SearchProtect32.dll

 SearchProtect32.dll is being loaded into memory, and since I don’t use protection when I search, I figured this is a promising lead to follow. Going to the C:\Program Files (x86)\SupTab I could find a file called RSHP.exe, now I was convinced I found the criminal.

Why does it get loaded into memory?

Started looking around the LoadImage operation to get some context, and I found a registry query for AppInit_DLLs, opening the registry value I found it contains “C:\PROGRA~2\SupTab\SEARCH~1.DLL“. This is what causes the SearchProtect32.dll to be loaded,  but, why?

After doing some reading about AppInit_DLLs everything made sense. The official Microsoft description for AppInit_DLLs states: “All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session“, wait, what have I just read? cannot comprehend…

Why would you provide such a functionality, why call it AppInit_DLLs when you can more intuitively call it MalwareWithoutBorders or PleaseInsertPathToMalware?

Relax they said, “Typically, only the Administrators group and the LocalSystem account have write access to the key that contains the AppInit_DLLs value. “, BUT, what if I told you that most installer software requires administrator privileges to run??

Cleaning up

Searched for some more documentation and found this description of the whole process.

At this point, my mind is blown and I just want to get this over with, and this is what I’ve done:

  • Disabled dll loading by setting LoadAppInit_DLLs to 0 (zero)
  • Required the potentially future loaded dlls to be signed with a digital certificate, by creating a value of type DWORD, naming it RequireSignedAppInit_DLLs and set it to 1 (one)
  • Cleared the value of AppInit_DLLs
  • I did this with a bitter taste in my mouth, as I know that any program running under admin privileges (e.g.:  malware installer) can change them as they desire, rendering my efforts futile
  • Removed the C:\Program Files (x86)\SupTab directory
  • Of course I couldn’t remove the SupTab directory as the damn dll is contained in … … probably most of the processes I have running at the moment (thanks M$), therefore I had to schedule the deletion of the file on the next boot (I used this to schedule the deletion, you can read more about removing locked files here).
  • Reboot

Who is responsible for this great peace of software you might ask, as it turns out, all the files were digitally signed and here’s a print screen of the digital signature information

Digital signature information

Digital signature information

 

If you feel like writing an email to chloezhangling@gmail.com and thank the very author of this rubbish piece of software, I won’t judge…

Raising PropertyChanged for all properties

When working with WPF (Windows Presentation Foundation) you will often face the need to update the user interface based on some changes that took place in your view model. This is most of the time achieved by implementing the INotifyPropertyChanged interface and raising the PropertyChanged event every time your data-bound properties change their value.

You are most likely to find code that looks something like this:

public class PersonViewModel : INotifyPropertyChanged
{
   public event PropertyChangedEventHandler PropertyChanged;

   private string _firstName;
   public string FirstName
   {
      get { return _firstName; }
      set
          {
            _firstName = value;

            if (PropertyChanged != null)
               PropertyChanged(this, new PropertyChangedEventArgs("FirstName"));
           }
   }
}

Note: there are nicer ways of achieving this, but they fall out of the scope of this post.

Depending on your scenario, the above pattern can become less elegant if most of the properties of your view model change at once. In this case, polluting the view model with code that raises the PropertyChanged event for each property is undesirable, and a better way to notify that all properties have changed their value is needed. This is the case when you can use a documented obscurity of WPF: raising the PropertyChanged event and supplying null or string.Empty for the propertyName constructor parameter of PropertyChangedEventArgs.

private void NotifyAllPropertiesHaveChanged()
{
   if (PropertyChanged != null)
      PropertyChanged(this, new PropertyChangedEventArgs(null));
}

The readability of the above code sample is astonishing, what on earth new PropertyChangedEventArgs(null) is supposed to mean? When code reviewing such code, my “bug-detecting” sensors would go wild (ArgumentNullException, NullReferenceException, etc), however, luckily the whole thing is wrapped around a NotifyAllPropertiesHaveChanged method, which would help calm things down a bit, but it would still fall short in convincing a non-believer that the above implementation is finished, or it is just a stub.

A nicer implementation would be to create a new class AllPropertiesChangedEventArgs  that inherits the PropertyChangedEventArgs class.

public class AllPropertiesChangedEventArgs : PropertyChangedEventArgs
{
   public AllPropertiesChangedEventArgs()
      : base(null)
   { }
}

The new class will isolate the obscure way of raising the PropertyChanged event, and will also make the code more readable and explicit.

public void NotifyAllPropertiesHaveChanged()
{
   if (PropertyChanged != null)
         PropertyChanged(this, new AllPropertiesChangedEventArgs());
}