Do you ... analyze a lot of malware? Dynamically, too? Or do you just want to launch suspended processes? Well either way, although this is really easy to do, my intense web research did not yield satisfactory results. So here you go, this will just take the entire command line that is passed to it and execute it as a new, suspended process:
#include <windows .h>
#include <shlwapi .h>

BOOL ChrIsWhiteSpace(WCHAR x) {
    return x == 32 || (x >= 9 && x < = 13);
}

int WinMainCRTStartup() {
    int ArgCount = 0;
    WCHAR* CommandLine = GetCommandLineW();
    WCHAR** ArgList = CommandLineToArgvW(CommandLine, &ArgCount);
    if (ArgList && ArgCount > 1) {
        WCHAR* PtrRest = StrStrW(CommandLine, ArgList[1]);
        if (PtrRest) {
            STARTUPINFOW StartupInfo;
            PROCESS_INFORMATION ProcessInfo;

            while (!ChrIsWhiteSpace(*PtrRest))
                PtrRest--;

            GetStartupInfoW(&StartupInfo);

            CreateProcessW(
                NULL,
              ++PtrRest,
                NULL,
                NULL,
                FALSE,
                CREATE_SUSPENDED | INHERIT_PARENT_AFFINITY | DETACHED_PROCESS | CREATE_DEFAULT_ERROR_MODE,
                NULL,
                NULL,
                &StartupInfo,
                &ProcessInfo
            );
            CloseHandle(ProcessInfo.hProcess);
            CloseHandle(ProcessInfo.hThread);
        }
        LocalFree(ArgList);
    }
    ExitProcess(0);
}
Do you want the Base64 encoded binary?


a.k.a. "My Bank does not support CSVs". When I asked my bank for "machine readable" versions of my bank statements, they where like: WAT! Their website has a CSV-export function. But only data from the last three months can be exported. Of course, it would have been smart to have performed this export every two months or so, but let's talk about something else. Sure!


When I open up a file in IDA Pro, I usually want the HexRays decompiler panel to the right of the disassembly. It just so happens that I open up a lot of files in IDA Pro and I have to rearrange the panels every time. Now I finally sat down and wrote a little Python plugin that will rearrange the panels just the way I like them. You may have similar problems and may find it useful. You should be able (with only a small amount of pain) to modify the script according to your own preferred layout:
import idaapi

def runonce(function):
    """
    A decorator which makes a function run only once.
    """
    function._first_run = True
    def wrapper(*args, **kwargs):
        if function._first_run:
            function._first_run = False
            return function(*args, **kwargs)
    return wrapper

@runonce
def position_pseudocode():
    idaapi.set_dock_pos('Pseudocode-A', None, idaapi.DP_RIGHT)
    idaapi.set_dock_pos('Graph overview', 'Output window', idaapi.DP_TAB)
    idaapi.set_dock_pos('Functions window', 'Output window', idaapi.DP_TAB)

class PseudoCodeTabRight(idaapi.plugin_t):
    flags = idaapi.PLUGIN_HIDE
    comment = 'Opens the PseudoCode tab in a spearate pane to the right.'
    help = 'The plugin triggers automatically when the decompiler is engaged for the first time.'
    wanted_name = 'PseudoCodeTabRight'
    wanted_hotkey = ''

    def init(self):
        def hexrays_event_callback(event, *args):
            if event == idaapi.hxe_open_pseudocode:
                position_pseudocode()
            return 0
        if not idaapi.install_hexrays_callback(hexrays_event_callback):
            return idaapi.PLUGIN_SKIP
        return idaapi.PLUGIN_KEEP

    def run(self, arg=0):
        pass

    def term(self):
        pass

def PLUGIN_ENTRY():
    return PseudoCodeTabRight()


I have finally solved an annoying problem with my Windows 10 setup which was sortof hard to Google, so I am sharing. For quite some time, the computer had refused to go to sleep when it was not running on battery. Instead of going to sleep when instructed to, it would simply turn off the screen and mute the volume while continuing to *actually not sleep*. Moving the mouse a tiny bit would swiftly end the charade. In a recent fit of rage I decided to inspect the event log, and behold, there were some Kernel Power events that said: > _The system is entering Away Mode._ Which is entirely _not_ what I wanted when I told it to go to sleep. However, there was no option _anywhere_ in the power settings to be found that turned off this _"Away Mode"_. Well, the option actually does exist, but for some reason it is not visible unless you set the Attributes value to 2 in the following, easily memorable registry key:
HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\25DFA149-5DD1-4736-B5AB-E8A37B5B8187
Armed with this registry tweak, you can go back to the _"advanced"_ power settings, aka:
rundll32 shell32.dll,Control_RunDLL PowerCfg.cpl @0,/editplan:
Navigate to Sleep and there should be an option that says Allow Away Mode Policy or something similar. And that policy should be set to no, not even when plugged in, never, just sleep, for crying out loud, why does this even exist.


As I [have hinted at before](/2017/09/20/just-some-friendly-advice/), the [PyCrypto library](https://www.dlitz.net/software/pycrypto/) [seems to be dead](https://github.com/dlitz/pycrypto/issues/173). The [PyCryptodome](https://www.pycryptodome.org/en/latest/) library is a fork that is promising because it is maintained and works in Python 3, but they have a bit of a finger-wagging attitude which sometimes means that you have to fight the library a bit:
>>> from Crypto.Cipher import ARC4
>>> cipher = ARC4.new(B'funk')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Python37\lib\site-packages\Crypto\Cipher\ARC4.py", line 132, in new
    return ARC4Cipher(key, *args, **kwargs)
  File "C:\Python37\lib\site-packages\Crypto\Cipher\ARC4.py", line 57, in __init__
    len(key))
ValueError: Incorrect ARC4 key length (4 bytes)
>>> ARC4.key_size = range(1,257)
>>> ARC4.new(B'funk').decrypt( ARC4.new(B'funk').encrypt( B'Hello World' ))
b'Hello World'
They certainly mean well, but the library is no place to impose security standards, in my opinion. In malware research for example, we often have to verbatim copy the appalling use of certain ciphers, like ARC4 with a 4-byte key. It happens all the time! I have been particularly struggling with [the removal of the XOR cipher](https://pycryptodome.readthedocs.io/en/latest/src/vs_pycrypto.html). The XOR implementation of PyCrypto was very fast, and in this article I will both benchmark how fast exactly it was and give you a drop-in replacement which degrades gracefully based on your options. Do you want to know more?


I started to play around with ArangoDB and used Python to get some data into my first database. Long story short: if you want to set your own key for the documents, do it on the document, not on the initialization data. EDIT: this is only true for the most recent version 1.3.1 release on pypi by the time of writing[1]. Read the longer story!
  1. See conversation on github for details [back]


This post will be probably be very boring for everyone who doesn't have this problem. But since it cost me some time to figure out a solution, I think it is worth sharing. I care. You share. Read on!


To reduce the size of some of my virtual machines, I often run the Windows cleanup tool to get rid of update artifacts and temporary files. While the cleanmgr command has some undocumented options such as /setup, /autoclean and /verylowdisk, I could not achive what I wanted with any combination of these: I wanted to have one command that simply cleans _everything_ without interaction. TL;DR: Put this in a batch file:
@echo off
set rootkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches
for /f "tokens=*" %%K in ('reg query %rootkey%') do >NUL REG add "%%K" /v StateFlags0000 /t REG_DWORD /d 2 /f
cleanmgr /sagerun:0
Essentially, this script manually creates the registry keys that would be created by a call to cleanmgr /sageset:0 and checking all the boxes. It then runs cleanmgr /sagerun:0 which non-interactively calls cleanmgr performing every cleanup task available. Remember to run this as an administrator to remove Windows update artifacts. Would you like to have that as PowerShell?


I recently wanted to buy a new Harddisk. I did not want one that uses "shingled magnetic recording" because thats awfully slow. Instead I looked for a "perpendicular magnetic recording" HDD, but I learned thats not a thing anymore. Instead I could buy CMR disks. For those getting here by google looking for a quick answer: CMR=PMR. For those who want to know why PMR was renamed to CMR and why SMR disks are slow: read on


In an attempt to piggyback on the people's vague fear of random lawsuits in Germany, I'll blog on how to remove the last octet of an IP in NGINX log files. Do you want to know more or get sued?


I recently dropped my Sony Z5 Compact and the glass on its back splintered. So I bought a new phone. Sony A Z5 Compact for the horrendous amount of 70€. When I bought my last phone everything had to go quick, Cyanogen mod was just announced dead and LineageOS was not ready yet. So I just installed the stock rom and lived with it. This time I wanted to go with a custom Rom and without any Google Apps on it. Here is what i did:


Recently I once again stumbled upon a detail of the HTTP specification involving the POST verb and "enforced" https. I'll document it here in an attempt to save other people the time (hopefully also future-me). Do you want to know more?


Flask pretty-prints response generated by the flask.json.jsonify function. Avoiding this on a per request basis doesn't seem to be intended: There is a configuration variable for the whole application: JSONIFY_PRETTYPRINT_REGULAR. But setting that to False minifies every JSON responses. And, in general, I enjoyed the pretty printed output. So implementing X-PrettyPrint - which seems to be a quasi-standard - also sounded like a the wrong way because it means replacing the call to jsonify by a custom implementation. This short story has a happy end though: Flask does not pretty-print the response if it receives an AJAX request. So one can just send the appropriate header:
curl -H 'X-Requested-With: XMLHttpRequest' "https://exmaple.com/api/endpoint.json";