Friday, November 28, 2008

string/message resource dumpers

i'm currently working in the software testing field with a focus on localization. i'm under the product maintenance department and responsible for delivering hotfixes and rollups (service packs) for Japanese, Spanish, French and German. in our testing process, i have to check the resource strings and message tables of the localized modules, and have to avoid regressions such as strings getting reverted to english due to integration or build issues. formerly, we checked the resource strings manually using Visual Studio or Resource Hacker. however, this became time-consuming and required a great amount of effort from the tester, who had to open and check all modules one by one. this is where the search for alternative tools started.

my requirement was a command-line (console) program to which i can pass the binary path and which prints all the string and message table resources inside it, if there are any. i was able to find one, but it only dumps the string resources and not the message table. i gave up later on and started creating the tool on my own. i called it smrdump - string & message resource dumper.

details:
smrdump.exe is a command-line program which uses Win32 APIs for enumerating the resource libraries. since our company's products are only available in English, Spanish, German, French and Japanese, these are the languages currently supported by the tool. if the optional language parameter char is not specified, the default language will also be dumped. the default language depends on the system where you are running the program. i will post a separate version which is language-independent and will dump all resources in all available languages.

download location:
you can get the smrdump binary here: SMRDump.exe

usage:
$>smrdump [binaryFilePath] [optionalLanguageParameter: E,J,S,G,F]

example:
here's an example dump i took using one of the Citrix binaries.

dumping resources for all languages:
$>smrdump "C:\Program Files\Citrix\System32\resource\ja\ctxsbxmsgUI.dll"

***********************************************************************
* [module]: C:\Program Files\Citrix\System32\resource\ja\ctxsbxmsgUI.dll
************************************************************************
-----------------------------------------------------------------------------
[language]: 0
-----------------------------------------------------------------------------
[message block:1 size:1520]
1 分離環境レジストリ イベント
2 分離環境ファイル イベント
3 分離環境オブジェクト イベント
4 Windows インストーラの試行
-2147450879 分離環境 %1 のアプリケーションがサービス %2 をインストールしようとしました。このサービスは使用可能になりません。
-----------------------------------------------------------------------------
[language]: 1033
-----------------------------------------------------------------------------
[message block:1 size:2516]
1 Isolation Environment Registry Event
2 Isolation Environment File Event
3 Isolation Environment Object Event
4 Windows Installer Attempt
-2147450879 An isolated application in isolation environment %1 attempted to install service %2. The service will not be available.
-----------------------------------------------------------------------------
[language]: 1041
-----------------------------------------------------------------------------
[message block:1 size:1520]
1 分離環境レジストリ イベント
2 分離環境ファイル イベント
3 分離環境オブジェクト イベント
4 Windows インストーラの試行
-2147450879 分離環境 %1 のアプリケーションがサービス %2 をインストールしようとしました。このサービスは使用可能になりません。
-----------------------------------------------------------------------------
[language]: 1031
-----------------------------------------------------------------------------
[message block:1 size:3004]
1 Isolierte Umgebung - Registrierungsereignis
2 Isolierte Umgebung - Dateiereignis
3 Isolierte Umgebung - Objektereignis
4 Windows Installer-Versuch
-2147450879 Eine isolierte Anwendung in der isolierten Umgebung '%1' versuchte, den Dienst '%2' zu installieren. Der Dienst steht nicht zur Verfugung.
-----------------------------------------------------------------------------
[language]: 1036
-----------------------------------------------------------------------------
[message block:1 size:2808]
1 Evenement de registre d'environnement d'isolation
2 Evenement de fichier d'environnement d'isolation
3 Evenement d'objet d'environnement d'isolation
4 Tentative Windows Installer
-2147450879 Une application isolee dans l'environnement %1 a essaye d'installer le service %2. Le service ne sera pas disponible.
-----------------------------------------------------------------------------
[language]: 1034
-----------------------------------------------------------------------------
[message block:1 size:2812]
1 Suceso del registro del entorno de aislamiento
2 Suceso de archivo del entorno de aislamiento
3 Suceso de objeto del entorno de aislamiento
4 Intento de Windows Installer
-2147450879 Una aplicacion aislada en el entorno de aislamiento %1 trato de instalar el servicio %2. El servicio no se encontrara disponible.
-----------------------------------------------------------------------------


dumping resources for specific language:
$>smrdump "C:\Program Files\Citrix\System32\resource\ja\ctxsbxmsgUI.dll" J

***********************************************************************
* [module]: C:\Program Files\Citrix\System32\resource\ja\ctxsbxmsgUI.dll
************************************************************************
-----------------------------------------------------------------------------
[language]: 1041
-----------------------------------------------------------------------------
[message block:1 size:1520]
1 分離環境レジストリ イベント
2 分離環境ファイル イベント
3 分離環境オブジェクト イベント
4 Windows インストーラの試行
-2147450879 分離環境 %1 のアプリケーションがサービス %2 をインストールしようとしました。このサービスは使用可能になりません。
-----------------------------------------------------------------------------
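
the regression check described at the top of this post (strings reverted to english) can be run directly over the dump text. the sketch below is an added example, not part of smrdump or of the original post; the function names are hypothetical and it assumes the console output format shown above, with one message per line.

```python
import re

LANG_RE = re.compile(r"^\[language\]:\s*(\d+)\s*$")
ENTRY_RE = re.compile(r"^(-?\d+)\s+(.*\S)\s*$")   # "<message id> <text>"

def parse_dump(text):
    """Return {language_id: {message_id: text}} from smrdump console output."""
    tables, current = {}, None
    for line in text.splitlines():
        m = LANG_RE.match(line)
        if m:
            current = tables.setdefault(int(m.group(1)), {})
        elif current is not None and (m := ENTRY_RE.match(line)):
            current[int(m.group(1))] = m.group(2)
    return tables

def find_regressions(tables, base=1033):
    """Flag ids that are missing from, or identical to English in, other languages."""
    findings = []
    english = tables.get(base, {})
    for lang in sorted(tables):
        if lang == base:
            continue
        for msg_id in sorted(english):
            if msg_id not in tables[lang]:
                findings.append((lang, msg_id, "missing"))
            elif tables[lang][msg_id] == english[msg_id]:
                findings.append((lang, msg_id, "same as English"))
    return findings

# Constructed sample in the dump format above: id 2 reverted, one id missing in 1041.
SAMPLE = """\
[language]: 1033
-----------------------------------------------------------------------------
[message block:1 size:2516]
1 Isolation Environment Registry Event
2 Isolation Environment File Event
-2147450879 An isolated application in isolation environment %1 attempted to install service %2. The service will not be available.
-----------------------------------------------------------------------------
[language]: 1041
-----------------------------------------------------------------------------
[message block:1 size:1520]
1 分離環境レジストリ イベント
2 Isolation Environment File Event
"""

if __name__ == "__main__":
    print(*find_regressions(parse_dump(SAMPLE)), sep="\n")
```

strings that are legitimately identical in every language (product names, for instance) will also be flagged, so the result is a review list rather than a verdict.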


caveat:
there are some modules which might load other modules at runtime. sometimes, if these kinds of modules cannot find and load the necessary binaries, smrdump won't be able to handle errors like invalid access.

for questions and suggestions:
if you have any questions or any suggestions, just add a comment on this post.

Wednesday, November 26, 2008

removing aikelyu virus

i would like to start up this blog site again with something useful. :)

my brother's laptop got infected by a virus called aikelyu, which is basically a vbs-based script that executes and spreads itself through autorun when a usb memory stick is plugged into the computer. once the laptop gets infected, it infects all writable drives including removable ones and creates an autorun.inf file targeting the same vbs script copied onto those drives for auto-execution. i was able to get a copy of that script and created the removal script below.

how to use:

  1. create an empty text file.
  2. paste the code below and save it as remscript.vbs
  3. if you have an infected usb memory stick, plug it into your computer
  4. run or double-click the created script file

you can also get the file here if you don't like creating one.
please find the removal vbscript code listing below. and if you have questions or any suggestions, feel free to add any comments.

'Aikelyu removal script starts here:
'jo.gel.santiago[at]gmail.com

Option Explicit
'bootstrap to check if this script is run via WScript
'this script will re-run itself on cscript to avoid the taskkill process
Const tN = "wscript.exe"
Dim oShl: Set oShl = CreateObject("WScript.Shell")
If IsWSEnv Then
RunInCS
WScript.Quit 0
End If

'core code starts here
Const xN = "\DEADLY-c.vbs"
Const xE = "Explorer.exe"
Const pA = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Aikelyu"
Const pS = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
Dim oFso, oLog, oL, x
oL = WScript.ScriptFullName & ".log"
x = Array( xN, _
"\system32\kernel.dll.vbs", _
"\system32\GroupPolicy\Machine\Scripts\Startup" & xN, _
"\system32\tonton.html", _
"\system32\GroupPolicy\Machine\Scripts\scripts.ini" , _
"\system32\GroupPolicy\User\Scripts\scripts.ini" , _
"\Debug" & xN)

Set oFso = CreateObject("Scripting.FileSystemObject")
'CreateTextFile(filename, overwrite, unicode): overwrite any old log, write as Unicode
Set oLog = oFso.CreateTextFile(oL, True, True)

'call the main process
CleanSystem
WriteLog "" 'blank separator line
oLog.Close
OpenLog oL

'cleanup
Set oLog = Nothing
Set oShl = Nothing
Set oFso = Nothing

Sub CleanSystem
On Error Resume Next
KillTask tN
Dim z, oRot
Set oRot = oFso.GetSpecialFolder(0)
For Each z In x
DeleteFile oRot & z
Next
DeleteReg pA
ChangeReg pS, xE
CleanDrives
End Sub

Sub CleanDrives
Dim d
For Each d In oFso.Drives
If (d.DriveType=1 Or d.DriveType = 2) And d.Path <> "A:" Then
WriteLog "" 'blank separator line
DeleteFile d.Path & xN
DeleteFile d.Path & "\autorun.inf"
End If
Next
End Sub

Sub DeleteFile(path)
WriteLog "" 'blank separator line
If oFso.FileExists(path) Then
Dim f: Set f = oFso.GetFile(path)
f.Attributes = 32
f.Delete True
WriteLog "FileDeleted: " & path
Else
WriteLog "FileNotFound: " & path
End If
End Sub

Sub DeleteReg(path)
WriteLog "" 'blank separator line
WriteLog "Path: " & path
oShl.RegDelete path
End Sub

Sub ChangeReg(path, value)
WriteLog "" 'blank separator line
WriteLog "Path: " & path
WriteLog "Before: " & oShl.RegRead(path)
oShl.RegWrite path, value
WriteLog "After: " & oShl.RegRead(path)
End Sub

Sub WriteLog(str)
oLog.WriteLine str
End Sub

Sub RunCmd(cmd, bWait)
On Error Resume Next
oShl.Run cmd, 0, bWait
End Sub

Sub KillTask(exName)
WriteLog "" 'blank separator line
Dim c: c = "taskkill /f /im " & exName & " /t"
RunCmd c, True
WriteLog "Cmd: " & c
End Sub

Sub OpenLog(path)
If Not oFso.FileExists(path) Then Exit Sub
'quote the path so a log location containing spaces still opens
RunCmd "%comspec% /c notepad """ & path & """", False
End Sub

Sub RunInCS
RunCmd "%comspec% /c cscript.exe //nologo " & """" & WScript.ScriptFullName & """", False
End Sub

Function IsWSEnv
IsWSEnv = (InStr(1, WScript.FullName,tN,1) > 1 )
End Function
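
the two persistence points the removal script cleans up (an autorun.inf that launches the copied vbs, and a changed Winlogon Shell value) can also be checked without deleting anything. the sketch below is an added example, not part of the original removal script; the function names, the list of script extensions and the sample autorun.inf contents are assumptions, constructed for illustration around the DEADLY-c.vbs name used above.

```python
import re

# autorun.inf keys that start a program when the drive is opened
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# script types run by the Windows script host or cmd (assumed list)
SCRIPT_REF = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd)\b", re.I)

def autorun_findings(text):
    """Return (key, command) pairs in [autorun] that launch a script file."""
    findings, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # skip blanks and comments
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if LAUNCH_KEY.match(key) and SCRIPT_REF.search(value):
            findings.append((key.lower(), value))
    return findings

def shell_value_ok(value, expected="Explorer.exe"):
    """True when the Winlogon Shell value is exactly the stock shell."""
    return value.strip().lower() == expected.lower()

# Constructed samples: an autorun.inf of the kind described, and a benign one.
INFECTED = r"""[autorun]
open=wscript.exe DEADLY-c.vbs
shell\open\command=wscript.exe DEADLY-c.vbs
icon=setup.ico
"""
BENIGN = "[autorun]\nopen=setup.exe\nicon=setup.ico\n"

if __name__ == "__main__":
    print(autorun_findings(INFECTED))
    print(autorun_findings(BENIGN))
    print(shell_value_ok("Explorer.exe"))
```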