Notebook

In this, I've tried to lock a physical disk using a small Windows C++ program. The steps to follow to achieve this are: 1. Get the Physical Drive and volume mapping. Say, the computer is attached with three physical drives, and we're interested to lock the Physical Drive 1 ("\\\\.\\PhysicalDrive1"). Then we need to figure out how many volumes are there on that physical disk. 2. Then Lock that volume one by one using control code FSCTL_LOCK_VOLUME . 3. Do the stuff we'd like to perform on the disk and then unlock each volume using control code  FSCTL_UNLOCK_VOLUME . 4. Close disk and volume handle(s). Few things to remember here. As per Microsoft documentation, a. The NTFS file system treats a locked volume as a dismounted volume. b. Lock volume call will fail with Access Code 5 (Access Denied) if the volume is in use. If we're not sure who's using the volume, just unmount it once. c. The FSCTL_DISMOUNT_VOLUME control code functions similarl

I've decided to spend some more time on a few areas which I've learned during my association with my gurus in the software industry. There are few people in the United States and also in India who have helped me to shape myself. Predominantly I'm not an outspoken person, but those seniors understood that I had little hunger for knowledge and provided me that information and helped me to come to this stage. Windows Media Stack, when I started working on it, I was the most nervous person because very soon I realized this is not going to be easy stuff to handle. Indeed, it's the most complex programming world I've ever faced or challenged before. I started my journey on Media Stack for Windows with the help of James Dailey. I can remember those days when he came from the US and delivered his series of lectures. It was amazing. This was an entry towards a world where programming, troubleshooting, debugging, etc isn't an easy task at all but also full of great lear

Launched a process sample_Hello through WinDbg and observed following events: ModLoad: 00400000 0041c000    Sample_Hello.exe ModLoad: 77980000 77b00000    ntdll.dll ModLoad: 76b10000 76c20000    C:\Windows\syswow64\kernel32.dll ModLoad: 76d20000 76d67000    C:\Windows\syswow64\KERNELBASE.dll ModLoad: 67fd0000 680ce000    C:\Windows\WinSxS\x86_microsoft.vc80.debugcrt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_e4a70117006762dd\MSVCP80D.dll ModLoad: 670e0000 67201000    C:\Windows\WinSxS\x86_microsoft.vc80.debugcrt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_e4a70117006762dd\MSVCR80D.dll ModLoad: 77050000 770fc000    C:\Windows\syswow64\msvcrt.dll (3c0.1324): Break instruction exception - code 80000003 (first chance) eax=00000000 ebx=00000000 ecx=fb480000 edx=0008e3c8 esi=fffffffe edi=00000000 eip=77a20fab esp=0018fb08 ebp=0018fb34 iopl=0          nv up ei pl zr na pe nc cs=0023   ss=002b   ds=002b   es=002b   fs=0053   gs=002b              efl=00000246 ntdll!LdrpDoDebug

In this article, I've tried to show how we can detect antivirus product installed on a Windows system. The code is written is specifically for Windows 7. The basic idea here is to use WMI from C++. Here are the steps: 1. To Setup WMI consumer, set up COM by calling CoInitializeEx . 2. Initialized COM process security by calling CoInitializeSecurity . 3. Obtained the initial locator to WMI by calling CoCreateInstance. 4. Obtained a pointer to IWbemServices for the root\cimv2 namespace on the local computer by calling IWbemLocator::ConnectServer . 5. Set IWbemServices proxy security so the WMI service can impersonate the client by calling CoSetProxyBlanket . 6.Used the IWbemServices pointer to make requests of WMI. This executes a WQL query for the antivirus product installed by calling IWbemServices::ExecQuery . The following WQL query is one of the method arguments. SELECT * FROM AntiVirusProduct The result of this query is stored in an IEnumWbemClassObject poi

This post is basically an effort to know what happens when we compile a simple Hello World program on Windows. In this case, I've used Visual Studio 2005. First I've written a small usual Hello World program with all default settings provided by Visual Studio 2005. The program looks like below: int main(void) {     printf("Hello World build on VS 2005--Default\n");     return 0; } The program compiled against the default C-runtime library. No changes have been done in any settings. I've built it in Debug as well as in release mode. In Debug build, the program size is  40 KB . In release build: Its size is 6 KB . Now I've written another Hello World Program but switched off the default C-Runtime library. Rather, I've used the standard Windows library and provided definitions of functions like printf as well as the CRT start-up function. I've also switched off Buffer Security Check and Basic Runtime checks set to Default. The last two setti

In this part I tried to enumerate all physical hard disk drive (HDD) attached to the system and tried to query to those attached physical drive to get the disk information like Vendor ID, Product ID, Product Revision, Serial number etc. In my last blog, I've tried to get physical hard disk drive count through volume map, but in this post, I tried get it through "SetupDiGetClassDevs" API. All the SetupDiXXX APIs are very powerful APIs. These APIs along with DeviceIoControl API helps to retrieve very useful information regarding devices. So, I'm not going to talk much on this rather let MSDN to speak about this APIs. Let's see what are other information that we can get on HDD attached to the system through the usage of this API: void printStorageDeviceProperty(UCHAR *outBuf, const DWORD returnedLength) {     PSTORAGE_DEVICE_DESCRIPTOR            devDesc;     PUCHAR                              pUbuffer;     devDesc = (PSTORAGE_DEVICE_DESCRIPTOR) outBuf;       

In my previous post, I tried to build a command line app to show Physical Hard drives and volume(s) mapping for each HDD present/attached to a system. Now I've extended the program to read and display the properties of the storage adapter for each physical hard drive. To achieve this I've used the very popular Win32 API, CreateFile(), and IOCTL_STORAGE_QUERY_PROPERTY control code. The previous program has been extended and now I'm showing only the part I've added on top of my previous program released under the title "PhysicalDisk and Volume Mapping information". Here goes the rest of the code to get the storage adapter's information: void PrintBusTypeName(BYTE iBusType) {     switch(iBusType)     {     case BusTypeUnknown:         wprintf(L"BusType: Unknown\n");         break;     case BusTypeScsi:         wprintf(L"BusType: SCSI\n");         break;     case BusTypeAtapi:         wprintf(L"BusType: ATAPI\n");         br