|
Understand Common Virus Attacks Before They Strike to Better Protect Your Apps
by Jason Fisher
The web address of this article is :
http://msdn.microsoft.com/msdnmag/issues/03/05/VirusHunting/default.aspx
This article presents information on some of the techniques viruses use to launch themselves and get into your system.
|
|
|
|
|
1. User A accesses the Web Application.
1.1 The Web Application Starts up (System.Web.HttpAplication.Application_Start() event is fired).
1.2 A new Session is started (System.Web.HttpAplication.Session_Start() event is fired).
2. User B accesses the Web Application.
2.1 The web application is already started up.
2.2 A new Session is started (System.Web.HttpAplication.Session_Start() event is fired).
3. The web application will only end after both User A and User B sessions end.
3.1 When a session ends, System.Web.HttpAplication.Session_End() event is fired.
3.2 When a web application ends, System.Web.HttpAplication.Application_End() event is fired.
|
|
|
|
|
The Global.asax file captures the start and end of both application and user sessions.
1. Application - when the internet application is first run by a user. Happens only once during an entire APPLICATION session.
2. Session - when a user requests for a page within an application. This happens everytime a new user accesses web pages of an application.
Definition of Session State :
The current value of all the controls and variables for the current user in the current session.
Note : values stored in Session variables are unique for each user session.
|
|
|
|
|
Microsoft ASP.NET solves the HTTP Stateless and CGI Performance Problems through :
1. Application Management.
2. Session Management.
3. Viewstate.
4. Model View Controller (Code behind) Architecture.
5. Automatic Memory Allocation System (Garbage Collection).
|
|
|
|
|
Microsoft Classic ASP solves the HTTP Statelessness Problem through :
1. Application Management.
2. Session Management.
|
|
|
|
|
1. HTTP : lack of session management (due to statelessness).
1.1 HTTP is usch that web applications are not able to "remember" a user's past status and operations.
1.2 It does not provide any means for a web app to clearly mark the start and end of a client user's engagement.
1.3 It does not provide any means for a web app to clearly mark the start and end of the entire application.
2. CGI : low in performance.
2.1 CGI does not operate in Multi-tasking and multi-threading environment.
2.2 It is difficult to support the programming of reusable codes.
|
|
|
|
|
This can be done by setting the "AutoPostBack" property of a Web Server Control to TRUE.
This is known as POSTBACK.
|
|
|
|
|
1. Use a button of type "submit". Embed this button inside a <form></form> tag in the web page's HTML.
2. Call the submit() function inside javascript, e.g. :
function SubmitForm
{
this.Form.submit;
}
|
|
|
|
|
Also note that the form tag must have the appropriate action attribute, e.g. :
<form name="MyForm" action="www.somesite.com/somepage.asp">
...
</form>
|
|
|
|
|
WebServiceObject wso = new WebServiceObject();
AsyncCallback cb = new AsyncCallback(MethodCallback);
try
{
wso.BegindoAsyncFunction
(
some_param_1,
some_param_2,
cb, // 2nd last parameter is always the AsuncCallback object.
(object)wso // This object (whatever it is)
); // is returned in IAsyncResult.AsyncState in
// callback function.
}
catch(SoapException se)
{
...
}
private void MethodCallback(IAsyncResult ar)
{
WebServiceObject wso = (WebServiceObject)ar.AsyncState;
string strRetVal = wso.EnddoAsyncFunction(ar);
...
}
|
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
|
|
|
|
C# Code :
byte[] byImageBytes = GetImageBytesFromSomewhere();
MemoryStream ms = new MemoryStream(byImageBytes);
pictureBox_Image.Image = Image.FromStream(ms);
|
|
|
|
|
<html>
<body>
<form action="http://localhost/MyWebService/MyWebService.asmx/MyMethod" method="POST">
<input name="a"></input>
<input name="b"></input>
<input type="submit" value="Enter"> </input>
</form>
</body>
</html>
|
|
|
|
|
1. To provide a common way of packaging message data.
2. To define encoding rules for serialization and deserialization of data transmission.
3. To provide a model that can be used to implement RPC operations using SOAP.
|
|
|
|
|
Misconception #1 - SOAP is nothing more than a protocol for RPC over HTTP.
* No, this is just one implementation of SOAP.
Misconception #2 - SOAP specification requires the use of HTTP.
* No, SOAP can be used with any protocol.
* Microsoft and others have implemented SOAP messages over SMTP.
Misconception #3 - SOAP works on HTTP request/response conversation.
* No, that supports the transmission of XML data from sender to receiver.
|
|
|
|
|
SAO - Activator.GetObject().
CAO - Activator.CreateInstance().
Config File - new
|
|
|
|
|
Windows applications in VS.NET use the name app.config by default for the configuration file. This will not be automatically created when you create a Windows application. If you need a configuration file for your application, open your project in VS.NET, go to the 'Solution Explorer' and right click on the project name. Choose Add > Add new item from the menu and select 'Application Configuration file' from the list of choices. This will create an app.config file for you in the application root.
When you compile your application, VS.NET will automatically create a file called <your application name>.exe.config in your bin\debug folder. The contents of the app.config will be automatically copied to this new config file when you compile the application. When you deliver the application to the end user, you have to deliver the exe and this new config file called <your application name>.exe.config and NOT the app.config. Users can modify the data in <your application name>.exe.config file and application will read the data from the config file, when restarted.
|
|
|
|
|
Remember that the config file -must- be named app.config and nothing else !
|
|
|
|
|
1. Make sure your depencency DLL is compiled with a strong name. This is because you will need to reference the Public Key Token in the client application's config file.
2. Create a file directory in your local hard disk in which to store your DLL (e.g. c:\MyLib). Store your dependency DLL there, e.g. c:\MyLib\MyLib.dll
3. Web Shard this folder. This will cause IIS to register a Virtual Directory for your Web Shared folder.
4. In your client application config file, supply a config file with at least the following data :
<configuration>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity
name="MyLib"
publicKeyToken="f165dd82fa9f2434"
culture="neutral"
/>
<codeBase version="1.0.0.0"
href="http://localhost/MyLib/MyLib.dll" />
</dependentAssembly>
</assemblyBinding>
</runtime>
</configuration>
5. Go to the .NET Configuration Tool and create a new Code Group. For this new Code Group, under Membership Condition, select "URL" for the condition type.
6. For the URL, type in the web path to your dependency assembly : e.g. :
"http://localhost/MyLib/MyLib.dll" or "http://localhost/MyLib/*"
7. If you happen to change anything (especially method signatures) in your dependency DLL, be sure to refresh the local cache of used assemblies by deleting the appropriate insance of your DLL in the following directory :
<documents and settings folder>\<user id>\local settings\application data\assembly\dl2.
Otherwise, your old dependency DLL will still be cached and used.
|
|
|
|
|
In addition, by including the use of the FileIOPermissionAttribute class, we can ensure that subsequent code will read ONLY specified file(s) and will write to ONLY specified file(s), e.g. :
[FileIOPermissionAttribute(SecurityAction.PermitOnly, Read="C:\\security.txt", Write="C:\\security.out.txt")]
private void buttonReadFile_Click(object sender, System.EventArgs e)
{
SecureFileReader sfr = new SecureFileReader();
byte[] byDataIn = sfr.ReadFile("c:\\security.txt");
Stream fs_out = new FileStream("c:\\security.out.txt", FileMode.Create,
FileAccess.Write);
fs_out.Write(byDataIn, 0, byDataIn.Length);
fs_out.Close();
}
The desired effect is achieved even if unrestricted FileIOPermission to the file system has been granted for the assembly.
|
|
|
|
|
byte[] byData = SomeFunctionThatReturnsAByteArray();
string MyString = System.Text.UnicodeEncoding.Unicode.GetString(byData);
|
|
|
|
|
At the .NET Command Line Prompt, type :
"mscorcfg.msc"
|
|
|
|
|
byte[] byData = System.Text.UnicodeEncoding.Unicode.GetBytes(strMyString);
|
|
|
|
|
If you need to open a file (for reading only) in IIS for your ASP.NET application, be sure to use the FileAccess.Read flag in your FileStream constructor, e.g. :
FileStream fs = new FileStream
(
m_strServerPath + sbBinFileName.ToString(),
FileMode.Open,
FileAccess.Read // <-- important.
);
Otherwise, the file access attempt may fail.
|
|
|
|
|
If you use a StringBuilder object over and over again, you may need to reset its values before attempting to re-assign values to it via AppendFormat :
In this case, use the Remove() method, e.g. :
sb_string.Remove(0, sb_string.Length);
sb_string.AppendFormat(@"...", ...);
|
|
|
|