|
Finding an hidden incredible database inside your computer Version 1.0 |
Our tools | |
 |
by fravia+ |
|
| fra_00xx 981014 TWD 0100 OT P9 | Note that TWD has produced his own tool in order to study these curious concealed activities... |
M$_Bashing |
|
We're the ones who knew everything / still we did nothing harvested everything, / planted nothing But still we can't feed the strange hunger inside greedy, restless and unsatisfied | ||
There is not much to say about the introduction. Some time ago I was searching for some remains of a program on my computer. I used the in build search program coming with Win98. But it didn't only found the program, but also a file with a .lgc extension. It was located in the Win98/applog directory. I had a deeper look inside, and I found some interesting things.
After having read the introduction, you know how I found the applog directory (I had
never before looked inside it). Inside the directory there are a lot of files, mainly
with extensions like this --> *.lg*
And there is also a file called applog.ind (sounds interesting, doesn't it ??)
The lg* files are all plain text, but the applog.ind is much more difficult.
After some time of analyzing, I discovered the most important parts of it.
The Header (Part I)
~~~~~~~~~~~~~~~~~~~
It starts with a ten byte long string, named "APPLOG1.1" followed by six bytes with
unknown contents. Then there is the number of entries in this file, a four byte integer.
The rest of the 64 byte large header is still unknown to me, but there a some dates in it,
I know, because the change every time a program is run and the look similar to the normal
dates stored in your computer (FILETIME or SYSTEMTIME (look inside win32.hlp)).
The Header (Part ][)
~~~~~~~~~~~~~~~~~~~~
Then there is a second part, I call it the second header. It's size is about 344 bytes or
86 4-byte integers. I don't know what for this part is, but I guess it is for sorting or
something like this, because the values of the integers are increasing from to to bottom.
The Data
~~~~~~~~
After the two headers, the data entries follow. The number is defined in the first header.
The data entry structure looks like this :
the name of the exe file (8 bytes)
the offset to the path (4 byte integer) <<-- explained later
the number of runs since the last defrag (4 byte integer)
the total number of runs (4 byte integer)
the fileDataTme of the file (FILETIME - STRUC 8 bytes)
the file size (4 byte integer)
some flags ???? unknown (4 byte integer)
The only thing which is to be explained is the second entry (offset to path).
Did ever anyone of you messed around with the fuckin' PE-FILE structure ???
I did it and that's the only reason why I figured out how this value works.
There these kind of fuck is done all the time.
This value describes the distance from the end of the headers to the first char
of the path, related to the application.
Let me explain a bit more detailed:
The total size of the headers is 408 (344 + 64), and if we have a value of 1234 for
example, then the offset to the path is 1234 + 408 = 1642. Set the File Pointer to
1642 and read till the next #0.
You wanna know how I figured out all this shit, why I know the sizes of the header
and all this fuck ???
No problem, I used the good old FileMon to see when the explorer writes into the
file (yes, it's the explorer). The explorer writes four times into the file, the
first time he writes 64 bytes, then 344 bytes and then the data entries and last but
not least the paths.
When knowing these basic values, it's now problem the get the size of every entry by
looking of the distance between two strings, and so on.
After having explained the structure of the applog.ind file, I will explain the
other (*.lg*) files.
Basically the look like this (explorer.lgc) :
{
o c1507870 2c000 "C:\WIN98\EXPLORER.EXE"
R c1507870 0 40
R c1507870 80 f8
R c1507870 80 198
R c1507870 16000 1000
r c1507870 13000 1000
o c1505fb0 1665 "C:\WIN98\WIN.INI"
R c1505fb0 0 1665
C c1505fb0
r c1507870 3000 1000
The remaining 680 lines are on your own computer (if you own win98) so I don't have to
put them here.
Again I used FileMon to look what the explorer does while starting. That's why I know how
this file is structured.
First there is a character. That's very simple,
o -->> open
r -->> read (the file pointer was moved to the left)
R -->> read (the file pointer was moved to the right)
c -->> close
The open command is structured as follows :
o <"filename">
example :
o c1507870 2c000 "C:\WIN98\EXPLORER.EXE"
The handle is used throughout the file, so if a read command is done it
looks like this :
r
example :
C c1505fb0
These few commands are enough to keep track of all file accesses of the program.
Something like FileMon but already implemented in your OS.
That's all,
bye till next time...
TWD
P.S.: Comments, suggestions, bug reports are always welcomed. Send them to
twd(dot)rulez(at)gmx(dot)net
Some of you will ask why evil Bill Gates hides such nice proggies in your OS (yeah, the directory has the hidden attribute). Why doesn't he improve the performance of his fuckin' OS instead if spying what the users do ??? There is one simple answer (maybe there are more) : This pile of information is used by defrag to sort the files according to their use. It is NOT send to Microsoft via the Internet when you are connected (I think so, I checked it, but not for 1oo percent). But any evil hacker can use BO or any other utility like BO to access you computer and get these information. This is only the first version of this essay. It's growing like the program I wrote. In the moment, the applog.ind file is read and processed and a beautifull tree is created, where you can browse and look for the information you wnat to know. But it is not ready, I'm still working on it, so be patient and come back and look if it was enhanced once more.
homepage
links
search_forms
+ORC
students' essays
academy database
reality cracking
how to search
javascript wars
tools
anonymity academy
cocktails
antismut CGI-scripts
mail_fravia+
Is reverse engineering legal?