MBR Operations

• MBR 저장 또는 삭제


• 백업된 MBR 복구


• Wipe MBR


• 훼손된 MBR 정정


• 새로운 MBR 생성


• 디스크 Signature 수정


• 파티션 테이블 엔트리 정렬


• 섹터 복사


• 존재하는 MBR 삭제

Partition Operation

• 파티선 삭제


• 숨기기/보이기 파티션


• Bootable/Active 파티션 셋팅


• 파티션 타입 변경

추가기능

• 전체 디시크 안전하게 와이핑


• 부팅 메뉴 - 부팅 가능한 파티션 선택


• 영구적인 상태 바이트 유지


• MBR의 내용을 갖는 ini 파일 생성


• 머신 종료/재부팅

Downloads

3개의 Release 버전(Windows XP/PE/2003, DOS/Win9x, Linux)이 있으며 3개의 Beta-Version이 있다.

• Released Versions

• Pre-release, Beta Versions

Operational Command

• /List - Display the partitions listed in the MBR, their order in the MBR, partition type, size, and whether active or hidden. The Pos field indicates the order the partitions are laid out on disk, while MBRndx shows them as they're listed in the MBR.


• /Disk=# - Selects the disk to use for all operations. This switch is always processed first, verifying that all operations specified on the command line will use the disk specified here. If not specified, Disk 0 will be used by default.


• /Part=# - Selects the partition to use for all partition based operations. If not specified, partition '0' will be used by default. All operations use the physical location of the partition on the disk (the first column in /list), not the MBRndx field which simply identifies the current position of the partition entry in the MBR.   Certain commands allow the action to be performed on all partitions, in this case /Part=* (asterisk) performs this functionality.


• /Sector=# - Selects the sector to use with sector based operations. Sector 0 (MBR) will be used by default if not specified.

MBR Commands

• /Save=filename - Saves the current MBR to a file, where filename is the path+filename used to store the file.  Specifying /Sector=# on the command line will save the sector # specified rather than the MBR (Sector 0).


• /Restore=filename - Reads an MBR file from filename, where filename is an existing path+filename containing the backed up contents of the MBR sector. Optionally, specifying the /Sector=# parameter will restore the file to sector # rather than 0 (MBR).


• /Repair=# - Designed to create a new Master Boot Record on a blank disk, or fix a damaged, corrupt, or missing MBR.  Specifying an option of '1' will save a PE/XP/2003 MBR to the specifed disk. This may be expanded to other OS formats if the need exists. Note, this option will not modify the partition table.


• /Show=x - Shows the partition structure from a backed up MBR.  Available options for x are a filename, the sector number containing the backup, or the word SECTOR if the contents have been previously saved to the hidden sector.


• /Wipe=x - Selecting an option of 'mbr' will wipe the MBR clean, 'head' will wipe the first head or 63 sectors, and a range of sectors from x to y can be wiped by specifying /Wipe=x-y. This will effectively remove all information from the specified sectors of the disk.


• /Sort - It isn’t uncommon for the partition entries in the MBR to be unsorted after reinstalling Windows or restoring a Ghost or Acronis disk image.  This means that the partition order in the MBR won't match the order on disk. Normally this wasn’t a problem until Windows NT/2K/XP came along with its new boot loader, and the requirement that each partition entry in the boot.ini must point to the actual partition number. This option will sort the entries in the MBR to match their physical order on disk.


• /IsSorted - Queries the partition entry order in the MBR and  returns an ErrorLevel code based on the status of the partition entries: '0' = Sorted, '1' = Not Sorted


• /Signature=x - Reads or Writes a new disk signature to the MBR.  Specifying 'Zero' will clear the existing signature, otherwise an 8 digit hex entry can be entered for the signature.  For example, /Signature= Zero, or /Signature= AC87AD87. Specifying /Signature with no options will display the existing disk signature.


• /Copy=x - Copies the contents of one sector to another.  The /Sector=x command will specify the source sector, and will be copied to the sector specified by /Copy.  Please note, typically only the first 64 sectors (0-63) should be used as the destination, otherwise existing data on the hard disk may be overwritten. Selecting 0 as the target will overwrite and erase the contents of the MBR.

Partition Options

• /Hide=# - Hides or Unhides the specified partition to the operating system. An option of '1' or 'Yes' will hide the partition, while selecting '0' or 'No' will set the partition visible. If /Part=* is specified all partitions will be hidden/unhidden.


• /Active=# - Sets the specified partition status as active (bootable) or inactive. Specifying the parameter as '1' or 'Yes' will set the partition active, while an option of '0' or 'No' will set the partition non-bootable.  /Part=* can be selected to set all partitions inactive.  If setting the a hidden partition active, it will first be unhidden before being  set active. Note for older operating systems: DOS and Win9x do not properly recognize multiple visible primary partitions, make certain any remaining primary partitions are unhidden if necessary.


• /Type=# - Modifies the partition type in the MBR. Please note that this does not attempt to convert the actual partition and file system to a new type. This is generally required when a partitioning or backup/restore program modifies the partition type and it needs to be restored back to the original type. The # specified must be directly followed by either a d (decimal) or h (hexadecimal) in order to properly identify the new type.  This option must be used with /Partition in order to identify the partition being modified.


• /Del - Deletes the specified partition.  Specifying /Part=* removes all partitions on selected disk, while specifying both /Disk=* /Part=* removes all partitions on all disks.

Miscellaneous Options

• /Shutdown=# -An entry of '1' will force Windows to shutdown, '2' will force Windows to shutdown and reboot. '3' shuts down without force, and '4' reboots without force. Note, using the Force options may cause data loss if open programs contain unsaved data. NT/2K/XP/2003 version only.


• /WipeDisk=# - Wipes (overwrites) each sector on the disk in order to securely erase all data. Selecting an option of '1' write zeros to all sectors, additional methods coming. Please note, MBRwizard can not completely wipe the system disk (C: drive) when running from Windows, as the machine will blue screen once operating system files are overwritten. An alternative option is to securely wipe the disk from WinPE, which boots from CD or USB Flash Disk, and doesn't have the same limitations. This option is currently only available under the Windows version.


• /Status=x - Stores or Retrieves the status byte located at offset 0x1b2 in the MBR, which is widely recognized as an unused section of the MBR.  This option allows a single byte to be stored to this unused location of the hard disk, used mainly as a status indicator for provisioning or deployment projects. Specifying a value for 'x' will set the status byte, valid options are 0-255.  Selecting /Status with no options will return the current byte upon program exit.


• /Confirm - Any operation that performs a change to the MBR will now ask for user confirmation before making the change.  Specifying /confirm on the command line overrides this request and defaults to Yes for each operation without prompting.


• /BootMenu -This option will list the available, bootable partitions to the user, and set one active by secting from the menu


• /Msg=# - Hides the status messages shown upon program exit.  An entry of '1' indicates that no messages should be shown, '2'=No error messages, and '3'=No status messages displayed on success.


• /Ignore - Attempts to continue the specified operation if an error occurs.


• /Result - Displays the return code for visual verification of success/failure.


• /? - Show command line options

이 글은 스프링노트에서 작성되었습니다.

This section gives some of the more frequently asked questions from the forum.  If you can't find the answer you seek here then the forum should be your first port of call.

Questions

1. Why doesn't my old AutoIt v2.64 script run in v3?

2. Isn't v3 much more difficult than previous versions?

3. How can I convert my v2.64 scripts to v3?

4. Where is the "goto" command?

5. How can I run a DOS program from within AutoIt?

6. Why can I only use Run() to execute .exe and .com files?  What about .msi / .txt and others?

7. Why do I get errors when I try and use double quotes (") ?

8. What do the window "title" and "text" parameters mean?

9. Why can't I print a variable using "My var is $variable"?

10. When I use Send() to send a variable odd things happen?

11. What is the difference between the return value and @error?

12. How can I exit my script with a hot-key?

13. How can I use a custom icon when compiling my scripts?

14. How can I make sure only one copy of my script is run?

15. What are the current technical limits of AutoIt v3?

16. I get a missing picture symbol in the Help file under the Examples.

1. Why doesn't my old AutoIt v2.64 script run in v3?

v3 has a different language structure to v2.64.

Previous versions of AutoIt were fine for what they were designed for - writing simple scripts to help with software installations.  Over time people began using it for general and complicated scripting tasks.  The old syntax and structure made this possible but very very difficult and cumbersome.  The decision was made to make AutoIt more suitable for general automation tasks and to achieve that a more standard and basic-like language was made.  This also means that if you already know a scripting language you will pick AutoIt v3 up easily.

Back To Top

2. Isn't v3 much more difficult than previous versions?

No.  In fact in many instances it's much easier than previous versions as you don't have to try and force the language to do something it was never designed to do.  It also uses a familiar BASIC-like language, and BASIC is known for being...well...basic :)

The vast majority of old AutoIt scripts were focused around software installation and clicking "Next" a lot in dialog boxes.  Most of these scripts can be converted to v3 simply by adding a couple of brackets here and there.  Here is an example of such a script in v2 and v3 (simulating a software installation with a few dialogs that have a Next button and a Finish button)

; v2.64 Script

WinWaitActive, Welcome, Welcome to the XSoft installation

Send, !n

WinWaitActive, Choose Destination, Please choose the

Send, !n

WinWaitActive, Ready to install, Click Next to install

Send, !n

WinWaitActive, Installation Complete, Click Finish to exit

Send, !f

WinWaitClose, Installation Complete



; v3 Script

WinWaitActive("Welcome", "Welcome to the XSoft installation")

Send("!n")

WinWaitActive("Choose Destination", "Please choose the")

Send("!n")

WinWaitActive("Ready to install", "Click Next to install")

Send("!n")

WinWaitActive("Installation Complete", "Click Finish to exit")

Send("!f")

WinWaitClose("Installation Complete")

Now, that wasn't so bad! :)  As all "strings" are enclosed in quotes you no longer have to wrestle with problems caused by leading and trailing spaces in text.  There is also fantastic support for many text editors so that when you are writing v3 scripts you can have syntax highlighting which makes everything much easier.

Back To Top

3. How can I convert my v2.64 scripts to v3?

The first thing you should ask yourself is "Do I need to convert my script?".  v2.64 will continue to be downloadable and supported so don't update all your scripts just for the sake of it - well not unless you want to :)

There is a section in the Help file that shows how the commands in v2 and v3 are related - click here to see the page.

One of the AutoIt v3 authors has written a utility to automatically convert v2 scripts to v3.  Conversion is pretty good unless your code is a rats-nest of gotos :)  You can find the converter in the "Extras" directory (Start \ AutoIt v3 \ Extras - or look in the directory that you installed AutoIt v3).

Back To Top

4. Where is the "goto" command?

Gone.  It's evil.  No, you can't ask why - it just is.  It's like that lump of rock they find in the microwave at the end of the film Time Bandits :)

AutoIt v3 features most of the common "loops" in use today and with these Goto is no longer required.  Look up While, Do, For, ExitLoop, ContinueLoop and Functions for the modern way of doing things :)  And while you are looking at help file sections check out these on loops, conditional statements and functions.  I promise you, once you have got the hang of such things you will be able to script in virtually any other language within a couple of minutes.

Just to get you started, the most basic use of Goto in version 2.64 was an infinite loop like:

:mylabel

...do something...

...and something else...

goto, mylabel

A simple v3 version of that is a While loop that is always "true".

While 1 = 1

   ...do something...

   ...do something else...

Wend

Back To Top

5. How can I run a DOS program from within AutoIt?

If you wanted to run something like a DOS "Dir" command then you must run it though the command interpreter (command.com or cmd.exe depending on your OS).  The @Comspec macro contains the correct location of this file.  You should use the RunWait() function as it waits for the DOS program to finish before continuing with the next line of the script.  Here is an example of running the DOS Dir command on the C: drive: (effectively running the command command.com /c Dir C:\ )

    RunWait(@COMSPEC & " /c Dir C:\")

Back To Top

6. Why can I only use Run() to execute .exe files?  What about .msi / .txt and others?

Only a few file extensions are usually "runable" - these are .exe, .bat, .com, .pif.  Other file types like .txt and .msi are actually executed with another program.  When you double click on a "myfile.msi" file what actually happens in the background is that "msiexec.exe myfile.msi" is executed.  So to run a .msi file from AutoIt you would do:

    RunWait("msiexec myfile.msi")

Or, run the command "start" which will automatically work out how to execute the file for you:

    RunWait(@COMSPEC & " /c Start myfile.msi")

Or, use the ShellExecuteWait function which will automatically work out how to execute the file for you:

    ShellExecuteWait("myfile.msi")

Back To Top

7. Why do I get errors when I try and use double quotes (") ?

If you want to use double-quotes inside a string then you must "double them up".  So for every one quote you want you should use two.  For example if you wanted to set a variable to the string: A word in "this" sentence has quotes around it!  You would do:

    $var = "A word in ""this"" sentence has quotes around it!"

or use single quotes instead:

    $var = 'A word in "this" sentence has quotes around it!'

Back To Top

8. What do the window "title" and "text" parameters mean?

There is a detailed description here.

Back To Top

9. Why can't I print a variable using "My var is $variable"?

If you have a variable called $msg and you want to print in inside a MsgBox then this will NOT work:

    MsgBox(0, "Example", "My variable is $msg")

It will actually print  My variable is $msg . What you need to do is tell AutoIt to join the string and the variable together using the & operator:

    MsgBox(0, "Example", "My variable is " & $msg)

Advanced: If you have many variables to add into a string then you may find the StringFormat() function useful.  For example, if I wanted to insert $var1 to $var5 into a string then it may be easier to do:

     $msg = StringFormat("Var1 is %s, Var2 is %s, Var3 is %s, Var4 is %s, Var5 is %s", $var1, $var2, $var3, $var4, $var5)

     MsgBox(0, "Example", $msg)

Back To Top

10. When I use Send() to send a variable odd things happen?

If you are sending the contents of a variable then be mindful that if it contains special send characters like ! ^ + {SPACE} then these will be translated into special keystrokes - rarely what is wanted.  To overcome this use the RAW mode of Send() that does not translate special keys:

    Send($myvar, 1)

Back To Top

11. What is the difference between the return value and @error?

Generally a return value is used to indicate the success of a function.  But, if a function is already returning something ( like WinGetText() ) then we need to have a way of working out if the function was successful, so we set @error instead.

Back To Top

12. How can I exit my script with a hot-key?

Ah, an easy one.  If you want to make your script exit when you press a certain key combination then use the HotKeySet() function to make a user function run when the desired key is pressed.  This user function should just contain the Exit keyword.

Here some code that will cause the script to exit when CTRL+ALT+x is pressed:

HotKeySet("^!x", "MyExit")

...

...

; Rest of Script

...

...

Func MyExit()

    Exit

EndFunc

Back To Top

13. How can I use a custom icon when compiling my scripts?

You need to run the full compiler program (rather than just right-clicking a script and selecting compile).  This page describes the compiler in detail.

Back To Top

14. How can I make sure only one copy of my script is run?

Use the _Singleton() function. See the User Defined Functions documentation for more information on _Singleton() and how to use it.

Back To Top

15. What are the current technical limits of AutoIt v3?

Here are details of the current technical limits of AutoIt. Please note that some of the limits are theoretical and you may run into performance or memory related problems before you reach the actual limit.

Maximum length of a single script line: 4,095

Maximum string length: 2,147,483,647 characters

Number range (floating point): 1.7E–308 to 1.7E+308 with 15-digit precision

Number range (integers): 64-bit signed integer

Hexadecimal numbers: 32-bit signed integer (0x80000000 to 0x7FFFFFFF)

Arrays: A maximum of 64 dimensions and/or a total of 16 million elements

Maximum depth of recursive function calls: 5100 levels

Maximum number of variables in use at one time: No limit

Maximum number of user defined functions: No limit

Maximum number of GUI windows: No limit

Maximum number of GUI controls: 65532

Back To Top

16. I get a missing picture symbol in the Help file under the Examples.

This should be the Open button that enable you to open the Examples in the Help file.

This issue is that the hhctrl.ocx isn't properly registered or corrupted.

Try registering it by doing "regsvr32 hhctrl.ocx" from the command prompt or check if the file is still valid.

Back To Top

이 글은 스프링노트에서 작성되었습니다.

OnEvent 모드에서는 GUI가 사용자의 스크립트를 멈추도록 만드는 어떤 것을이 일어났는지 알기 위해 GUI를 항상 Polling하는 대신에 이벤트를 처리하기 위해 사용자가 미리 정의한 함수를 호출한다. 예를들어, 사용자가 Button1을 클릭하면 GUI는 사용자의 메인 스크립트를 중지시키고 Button1과 연관된 미리 사용자가 정의한 함수를 호출한다. 미리 정의된 함수의 호출이 끝나고 나면 메인 스크립트가 재시작된다. 이 모드는 Visual Basic forms metohd와 유사하다.

GUI가 실행될 때, 사용자의 메인 스크립트는 임의의 스크립트를 실행시킬 수 있다.

Default 모드는 MessageLoop 모드이므로 OnEvent 모드를 사용하기 전에 Opt("GUIOnEventMode", 1)을 호출해야 한다.

기본적인 OnEvent 형식

일반적인 OnEvent 코드의 형태는 다음과 같다.

1. While 1


2. 
   

   Sleep(1000)   ; Just idle around

   
   


3. WEnd


4. Func Event1()


5. 
   

   ; Code to handle event goes here

   
   


6. EndFunc


7. Func Event2()


8. 
   

   ; Code to handle event goes here

   
   


9. EndFunc

GUI 이멘트

OnEvent 모드에서 사용자 GUI는 다음과 같은 이벤트들을 생성할 수 있다.

컨트롤 이벤트

시스템 이벤트

GUI에 대해서는 GUISetOnEvent 또는 컨트롤에 대해서는 GUICtrlSetOnEvent가 정의되어 있고 둘중 하나의 이벤트가 발생하면 사용자가 미리 정의한 함수를 호출한다. 이벤트에 대해 미리 정의된 함수가 없다면, 그 이벤트는 무시된다. When inside this called function various macros will be set to values to help process the event.

Note : 다양한 이벤트에 대한 같은 함수를 사용하는 것은 가능하다. 이러한 경우 사용자가 필요한 것은 @GUI_CTRLID를 기반으로 한 액션을 처리하는 것이다. 예를 들어, 사용자는 모든 시스템 이벤트에 대해 동일한 함수를 등록할 수 있다.

컨트롤 이벤트

컨트롤이 클릭되거나 변화되면 컨트롤 이벤트가 발생한다. CUICtrlSetEvent를 통해 정의된 함수에 이벤트가 전달된다. 내부적으로 사용자가 정의한 함수에서 @GUI_CTRLID은 GUICtrlCreate...를 통해 컨트롤을 만들때 리턴된 controlID이 정의된다.

시스템 이벤트

GUI를 닫는 것과 같은 시스템 이벤트는 컨트롤 이벤트와 유사하게 전달되지만 컨트롤 이벤트는 @GUI_CTRLID에 의해 정의된다. 이벤트는 GUISetOnEvent에 의해 정의된 함수에 전달된다. 가능한 시스템 이벤트는 값은 다음과 같다.

• $GUI_EVENT_CLOSE


• $GUI_EVENT_MINIMIZE


• $GUI_EVENT_RESTORE


• $GUI_EVENT_MAXIMIZE


• $GUI_EVENT_PRIMARYDOWN


• $GUI_EVENT_PRIMARYUP


• $GUI_EVENT_SECONDARYDOWN


• $GUI_EVENT_SECONDARYUP


• $GUI_EVENT_MOUSEMOVE


• $GUI_EVENT_RESIZED


• $GUI_EVENT_DROPPED
  

GUI 예제

사용자는 위에서 언급한 이벤트 메시지중 몇몇와 OnEvent를 사용하여 코드를 끝낼 수 있다.

1. #include <GUIConstantsEx.au3>


2. Opt("GUIOnEventMode", 1)
   
   $mainwindow = GUICreate("Hello World", 200, 100)
   
   GUISetOnEvent($GUI_EVENT_CLOSE, "CLOSEClicked")
   
   GUICtrlCreateLabel("Hello world! How are you?", 30, 10)
   
   $okbutton = GUICtrlCreateButton("OK", 70, 50, 60)
   
   GUICtrlSetOnEvent($okbutton, "OKButton")
   
   GUISetState(@SW_SHOW)


3. While 1
   
      Sleep(1000)
   
   WEnd


4. Func OKButton()
   
      ;Note : at this point @GUI_CTRLID would equal $GUI_EVENT_CLOSE,
   
      ; and @GUI_WINHANDLE would equal $mainwindow
   
      MsgBox(0, "GUI Event", "You pressed OK!")
   
   Exit
   
   EndFunc


5. Func CLOSEClicked()
   
      ;Note: at this point @GUI_CTRLID would equal $GUI_EVENT_CLOSE
   
      ; and @GUI_WinHandle would equal $mainwindow
   
      MsgBox(0, "GUI Event", "You clicked CLOSE! Exiting...")
   
      Exit
   
   EndFunc
   

발전된 오퍼레이션과 다수의 윈도우

다수의 윈도우에서도 ControlID는 유일하다. 그러나 사용자는 어떻게 다수의 윈도우를 처리할 수 있을까?

여기 다른 Dummy 윈도우와 함께 처리하는 유사한 예제가 있다.

1. #include <GUIConstantsEx.au3>


2. Opt("GUIOnEventMode", 1)
   
   $mainwindow = GUICreate("Hello World", 200, 100)
   
   GUISetOnEvent($GUI_EVENT_CLOSE, "CLOSEClicked")
   
   GUICtrlCreateLabel("Hello world! How are you?", 30, 10)
   
   $okbutton = GUICtrlCreateButton("OK", 70, 50, 60)
   
   GUICtrlSetOnEvent($okbutton, "OKButton")


3. $dummywindow = GUICreate("Dummy window for testing ", 200, 100)
   
   GUISetOnEvent($GUI_EVENT_CLOSE, "CLOSEClicked")


4. GUISwitch($mainwindow)
   
   GUISetState(@SW_SHOW)


5. While 1
   
      Sleep(1000)
   
   WEnd


6. Func OKButton()
   
      ;Note : at this point @GUI_CTRLID would equal $GUI_EVENT_CLOSE,
   
      ; and @GUI_WINHANDLE would equal $mainwindow
   
      MsgBox(0, "GUI Event", "You pressed OK!")
   
      Exit
   
   EndFunc


7. Func CLOSEClicked()
   
      ;Note: at this point @GUI_CTRLID would equal $GUI_EVENT_CLOSE
   
      ; and @GUI_WinHandle would equal $mainwindow
   
      If @GUI_WinHandle = $mainwindow Then
   
         MsgBox(0, "GUI Event", "You clicked CLOSE! Exiting...")
   
         Exit
   
      EndIf
   
   EndFunc
   

첫번째 변화는 GUISwitch 함수의 호출이다. 새로운 윈도우가 만들어지면 추후에 발생하는 GUI 오퍼레이션이 Default 윈도우가 된다.(컨트롤 생성을 포함해서) 이와 같은 예제의 경우, "Hello World" 윈도우를 통해 작업해야 한다. 그래서 Switch가 필요하다. 몇몇 GUI 함수는 호출하는 그 자체로 사용자가 윈도우 핸들의 사용하는 것을 허용한다. 이러한 함수들은 윈도우를 자동으로 스위치한다. 그러기 위해서는 다음과 같이 함수를 호출한다.

1. GUISetState(@SW_SHOW, $mainwindow)

위의 코드에서는 두 개의 윈도우에 대해 버튼을 "Close"하는 이벤트를 처리하기 위해 같은 OnEvent 함수를 사용했고 어떤 윈도우가 메시지를 전전달했는지 알기 위해 @GUI_WINHANDLE를 사용했다.(사용자가 Close 버튼을 클릭했을 때, 메시지는 메인 윈도우로부터 전달된 된다.) 사용자가 희망한다면 각각의 윈도우에 대해 함수들을 분리할 수 있다.

이 글은 스프링노트에서 작성되었습니다.

Message-loop 모드에서 사용자 스크립트는 tight-loop에서 대부분의 시간을 보낸다. 이 루프는 GUIGetMsg 함수를 사용하여 GUI를 Pool한다. 이벤트가 발생할 때, GUIGetMsg 함수의 리턴 값은 이벤트에 대한 자세한 사항을 나타낸다. MessageLoop 모드는 AutoIt GUI에 대한 기본 메시지 모드이며 다른 가능한 모드는 OnEvent 모드가 있다.

In the MessageLoop mode you will only receive events while you are actively polling the GUIGetMsg function so you must ensure that you call it many times a second otherwise your GUI will be unresponsive.

기본 MessageLoop 형태

MessageLoop 코드의 일반적인 형태

1. Whilw 1


2. 
   

   $msg = GUIGetMsg()

   
   


3. 
   

   ...

   
   


4. 
   

   ...

   
   


5. WEnd

Usually a tight loop like the one shown would send the CPU to 100% - fortunately the GUIGetMsg function automatically idles the CPU when there are no events waiting. Do not put a manual sleep in the loop for fear of stressing the CPU - this will only cause the GUI to become unresponsive.

GUI Events

GUIGetMsg가 리턴하는 이벤트 메시지는 세가지가 있다.

• 이벤트 없음(No Event)


• 컨트롤 이벤트(Control Event)


• 시스템 이벤트(System Event)

이벤트 없음(No Event)

이벤트가 없을 때, GUIGetMsg가 리턴하는 0을 처리하는 것을 기다린다.

컨트롤 이벤트(Control Event)

사용자가 컨트롤을 클릭하거나 변경하여 이벤트가 전달되면, 이 이벤트는 GUICtrlCreate... 함수들에 의해 컨트롤을 만들었을때 생성된 controlID에 해당하는 양수 값이다.

시스템 이벤트(System Event)

시스템 이벤트는 GUI를 닫는 것과 같은 음수 값이다. 다른 이벤트들은 아래와 같으며, GUIConstantEx.au3에 정의되어 있다.

• $GUI_EVENT_CLOSE


• $GUI_EVENT_MINIMIZE


• $GUI_EVENT_RESTORE


• $GUI_EVENT_MAXIMIZE


• $GUI_EVENT_PRIMARYDOWN


• $GUI_EVENT_PRIMARYUP


• $GUI_EVENT_SECONDARYDOWN


• $GUI_EVENT_SECONDARYUP


• $GUI_EVENT_MOUSEMOVE


• $GUI_EVENT_RESIZED


• $GUI_EVENT_DROPPED

예제 GUI

GUI Referance page에서 아래에 있는 Hello World 예제를 보았다.

#include <GUIConstantsEx.au3>

GUICreate("Hello World", 200, 100)

GUICtrlCreateLabel("Hello world! How are you?", 30, 10)

GUICtrlCreateButton("OK", 70, 50, 60)

GUISetState(@SW_SHOW)

Sleep(2000)

자, 우리는 MessageLoop를 사용한 코드를 끝낼 것이며 몇몇 이벤트 메시지들을 위에서 설명했다.

1. #include <GUIConstantsEx.au3>


2. GUICreate("Hello Word", 200, 100)


3. GUICtrlCreateLabel("Hello World! How are you?", 30, 10)


4. $okbutton = GUICtrlCreateButton("OK", 70, 50, 60)


5. GUISetState(@SW_SHOW)


6. While 1


7. 
   

   $msg = GUIGetMsg()

   
   


8. 
   

   Select

   
   


9. 
   

   Case $msg = $okbutton

   
   


10. 
    

    MsgBox(0, "GUI Event", "You pressed OK!")

    
    


11. 
    

    Case $msg = $GUI_EVENT_CLOSE

    
    


12. 
    

    MsgBox(0, "GUI Event", "You clicked CLOSE! Exiting...")

    
    


13. 
    

    ExitLoop

    
    


14. 
    

    EndSelect

    
    


15. WEnd

발전된 GUIGetMsg와 다수의 윈도우

사용자가 다수의 윈도우들을 가지고 있더라고 Control_ID들은 유일하기 때문에, 위의 코드는 다수의 윈도우와 컨트롤이 있다 하더라도 잘 동작한다. 그러나 $GUI_EVENT_CLOSE 또는 $GUI_MOUSEMOVE와 같은 이벤트들을 처리할 때, 어떤 윈도위가 이벤트를 발생시켰는지 알아야 할 필요가 있다. 이것을 하기 위해서 사용자는 GUIGetMsg를 다음과 같이 호출해야 한다.

1. $msg = GUIGetMsg(1)

사용자가 파라미터 1을 가지고 호출하면 이벤트 값을 리턴하는 대신 배열을 리턴한다. 이 배열은 $array[0]에 이벤트 값을 저장하고 있고 윈도우 핸들($array[1]과 같은 남은 정보들을 저장한다. 이전 예제에서 두 개의 윈도우가 만들어졌다면, 코드를 다음과 같이 작성해야 한다.

1. #include <GUIConstantsEx.au3>


2. $mainwindow = GUICreate("Hello World", 200, 100)
   
   GUICtrlCreateLabel("Hello World! How are you?", 30, 10)
   
   $okbutton = GUICtrlCreateButton("OK", 70, 50, 60)
   
   $dummywindows = GUICreate("Dummy window for testing ", 200, 100)


3. GUISwitch($mainwindow)
   
   GUISetState(@SW_SHOW)


4. While 1
   
      $msg = GUIGetMsg(1)
   
    
   
       Select
   
         Case $msg[0] = $okbutton
   
            MsgBox(0, "GUI Event", "You pressed OK!")
   
     
   
         Case $msg[0] = $GUI_EVENT_CLOSE and $msg[1] = $mainwindow
   
            MsgBox(0, "GUI Event", "You clicked CLOSE on the main window! Exiting...")
   
            ExitLoop
   
      EndSelect
   
   WEnd

첫번째 주요 변화는 GUISwitch 함수의 호출이다. 하나의 새로운 윈도우가 만들어지면 향후 GUI 작업을 위한 기본 윈도우가 된다.(컨트롤의 생성도 포함된다.) 사용자는 테스트 윈도우가 아닌 메인 "Hellow World" 윈도우를 가지고 작업하기를 원한다.몇몇  GUI 함수는 사용자가 함수 스스로 윈도우 핸들을 사용하도록 허락한다. 사용자는 다음 함수를 사용하여 사용될 윈도우 핸들에 대해 자동으로 전환할 수 있다.

1. GUISetState(@SW_SHOW, $mainwindow)

 다음 변화는 GUIGetMsg 함수가 호출되는 방법과 이벤트들이 어떻게 확인되는지($msg[0]과 $msg[1]을 사용하여)에 대한 것이다. 이 스크립트는 Close 이벤트가 메인 윈도우로부터 발생하면 종료된다.

이 글은 스프링노트에서 작성되었습니다.

AutoIt은 GUI를 구성하는 윈도우와 컨트롤을 쉽게 만들 수 있다.

GUI Concepts

GUI는 하나 이상의 윈도우를 가지고 있으며 윈도우는 하나 이상의 컨트롤들을 가지고 있다. GUI는 "Event Driven"으로 사용자가 버튼을 클릭하는 것과 같은 이벤트를 발생시킨다는 것을 의미한다. 사용자는 어떤 이벤트가 발생하기를 기다리는데 많은 시간을 소비한다. 이점이 다른 스크립트와 다른 점이다. 물론 GUI가 활성화 될 때까지 다른 일을 하도록 할 수 있다.

GUI 컨트롤

사용자가 윈도우에서 클릭할 수 있는 임의의 것들이 모두 컨트롤이다. AutoIt이 만들 수 있는 컨트롤은 다음과 같다.

• Label - A plain piece of text.


• Button - A simple button.


• Input - A single line control that you can enter text into.


• Edit - A multi-line control that you can enter text into.


• Checkbox - A box that can be "checked" or "unchecked".


• Radio - A set of circular buttons - only one can be active at once.


• Combo - A list with a dropdown box.


• List - A list.


• Date - A date picker.


• Pic - A picture.


• Icon - An icon.


• Progress - A progress bar.


• Tab - A group of controls that are contained in tabs.


• UpDown - A control that can be added to input controls.


• Avi - Display an AVI format clip.


• Menu - A menu across the top of the window.


• ContextMenu - A menu that appears when you right click inside the window.


• TreeView - A control similar to the windows file-explorer.


• Slider - A control similar to the windows sound volume control.


• ListView - A control displaying columns information.


• ListViewItem - A control displaying item in a listview control.


• Graphic - A control displaying graphics drawn with GUICtrlSetGraphic.


• Dummy - A dummy user control

컨트롤은 GUICtrlCreate...와 같은 함수들의 집합으로 만들 수 있다. 컨트롤이 만들어지면 Control ID를 리턴한다.

• Control ID는 양수이다.


• 각각의 Control ID는 유일하다.


• Control ID는 AutoIt Window Info Tool에서 보여주는 Control ID와 같은 값이다.

GUI 기초 함수

GUI와 연관된 기초적인 상수를 사용하기 위해 #include <GUIConstantsEx.au3>가 필요하다.

먼저 "Hello World"를 호출하는 윈도우를 만들어보자. 윈도우를 새로 만들면 Hidden 상태이므로 만드시 "show"해야 한다.

1. #include <GUIConstantsEx.au3>


2. GUICreate("Hello World", 200, 100)


3. GUISetState(@SW_SHOW)


4. Sleep(2000)

위에서 만든 윈도우에 텍스트와 OK 버튼을 추가하자.

텍스트는 30, 10 위치에 추가하고 버튼은 70, 50 위치에 폭 60픽셀로 추가한다.

1. #include <GUIConstantsEx.au3>


2. GUICreate("Hello World", 200, 100)
   
   GUICtrlCreateLabel("Hello world! How are you?", 30, 10)
   
   GUICtrlCreateButton("OK", 70, 50, 60)
   
   GUISetState(@SW_SHOW)
   
   Sleep(2000)

이제 OK 버튼을 클릭하여 어떻게 동작하게 해야 할까? 이와 같은 것을 하기위해서는 MessageLoop 또는 OnEvent 함수들을 통해 이벤트를 처리해야 한다. 기본값은 MessageLoop 모드이고 OnEvent 모드로 전환하기 위해서 Opt("GUIOnEventMode", 1)을 호출한다.

Message-loop Mode (default)

Message-loop 모드에서 사용자 스크립트는 tight-loop에서 대부분의 시간을 보낸다. 이 루프는 GUIGetMsg 함수를 사용하여 GUI를 Pool한다. When an event has occurred the return value of the GUIGetMsg function will show the details (a button is clicked, the GUI has been closed, etc.).

In this mode you will only receive events while you are actively polling the GUIGetMsg function so you must ensure that you call it many times a second otherwise your GUI will be unresponsive.

This mode is best for GUIs where the GUI is "king" and all you care about is waiting for user events.

See this page for a more detailed explanation of the MessageLoop mode.

OnEvent Mode

In the OnEvent mode instead of constantly polling the GUI to find out if anything has happened you make the GUI temporarily pause your script and call a pre-defined function to handle the event. For example, if the user clicks Button1 the GUI halts your main script and calls a previously defined user function that deals with Button1. When the function call is completed the main script is resumed. This mode is similar to the Visual Basic forms method.

This mode is best for GUIs where the GUI is of secondary importance and your script has other tasks to perform in addition to looking after the GUI.

See this page for a more detailed explanation of the OnEvent mode.

이 글은 스프링노트에서 작성되었습니다.

다음 예제는 메모장을 자동으로 열고 임의의 문자를 자동으로 추가하고 메모장을 닫는 것을 보여준다.

우선 npad.au3라 불리는 빈 스크립트 파일을 만들고 파일을 수정한다.

메모장을 실행하기 위해서 AutoIt은 Run 함수를 사용한다. 이 함수는 간단하게 주어진 실행가능한 응용프로그램을 실행한다.

1. Run("notepad.exe")
   
   WinWaitActive("제목 없음 - 메모장")
   
   Send("This is some text.")
   
   WinClose("제목 없음 - 메모장")
   
   WinWaitActive("메모장", "변경된 내용을 저장하시겠습니까?")
   
   Send("!n")

• Run("notepad.exe") - 메모장 실행


• WinWaitActive("제목 없음 - 메모장") - 메모장(제목 없음 - 메모장 이라는 제목을 갖고 있는)이 활성화 되는 것을 확인


• Send("This is some text.") - 메모장에 This is some text. 입력


• WinClose("제목 없음 - 메모장") - 메모장(제목 없음 - 메모장 이라는 제목을 갖고 있는)을 종료


• WinWaitActive("메모장", "변경된 내용을 저장하시겠습니까?") - 제목이 "메모장"인 대화상자에 "변경된 내용을 저장하시겠습니까?"라는 문자열을 포함하고 있는 창이 활성화 되는 것을 확인


• Send("!n") - 키보드 "ALT + n"을 입력

이 글은 스프링노트에서 작성되었습니다.

Tutorial은 AutoIt 스크립트를 만들고 실행하는 기초를 설명한다. Tutorial은 이미 AutoIt V3가 Full Version으로 설치되어 있다가 가정한다.

• 스크립트를 만들 폴더에서 마우스 오른쪽 버튼을 클릭한 뒤, "새로만들기" -> "AutoIt v3 Script"를 선택한다.


• 만들어진 스크립트 파일의 이름을 "helloworld"로 수정한다.


• 스크립트 파일에서 오른쪽 버튼을 클릭하여 "Edit Script"를 선택한다.

• 다음 코드를 입력한다.

1. MsgBox(0, "Tutorial", "Hello World!")

• MsgBox는 다음 파라미터(flag, title, message)들을 인자로 받는다.

• 스크립트를 저장하고 에디터를 닫는 후, 스크립트 파일을 더블클릭하여 실행시킨다.

MsgBox의 flag 파라미터를 살펴보면, flag의 값은 0부터 64의 값을 가질 수 있으며 각각의 flag 값은 메시지 박스의 종류를 나탄낸다.

1. MsgBox(64, "Tutorial", "Hello World!")

이 글은 스프링노트에서 작성되었습니다.

v3.2.12.0

©1999-2008 Jonathan Bennett & AutoIt Team

AutoIt v3 Homepage

Introduction

AutoIt v3 is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g. VBScript and SendKeys). AutoIt is also very small, self-contained and will run on all versions of Windows out-of-the-box with no annoying "runtimes" required!



AutoIt was initially designed for PC "roll out" situations to reliably automate and configure thousands of PCs. Over time it has become a powerful language that supports complex expressions, user functions, loops and everything else that veteran scripters would expect.

Features:

• Easy to learn BASIC-like syntax


• Simulate keystrokes and mouse movements


• Manipulate windows and processes


• Interact with all standard windows controls


• Scripts can be compiled into standalone executables


• Create Graphical User Interfaces (GUIs)


• COM support


• Regular expressions


• Directly call external DLL and Windows API functions


• Scriptable RunAs functions


• Detailed helpfile and large community-based support forums


• Compatible with Windows 95 / 98 / ME / NT4 / 2000 / XP / 2003 / Vista / 2008


• Unicode and x64 support


• Digitally signed for peace of mind


• Works with Windows Vista's User Account Control (UAC)

AutoIt has been designed to be as small as possible and stand-alone with no external .dll files or registry entries required making it safe to use on Servers. Scripts can be compiled into stand-alone executables with Aut2Exe.

Also supplied is a combined COM and DLL version of AutoIt called AutoItX that allows you to add the unique features of AutoIt to your own favourite scripting or programming languages!

Best of all, AutoIt continues to be FREE - but if you want to support the time, money and effort spent on the project and web hosting then you may donate at the AutoIt homepage.

Features in Detail

Basic-like Syntax and Rich Function Set

AutoIt has a BASIC-like syntax which means that most people who have ever written a script or used a high-level language should be able to pick it up easily.

Although it started life as a simple automation tool, AutoIt now has functions and features that allow it to be used as a general purpose scripting language (with awesome automation as well of course!). Language features include:

• The usual high-level elements for functions, loops and expression parsing


• A staggering amount of string handling functions and a Perl compatible regular expression engine (using the PCRE library).


• COM support


• Call Win32 and third-party DLL APIs

Built-in Editor with Syntax Highlighting

AutoIt comes with a customised "lite" version of SciTe that makes editing scripts easy. Users can also download a complete version of SciTe that includes additional tools to make things even easier.

Standalone and Small

AutoIt is a very small and standalone application with no reliance on massive runtimes like .NET or VB. All you need to run AutoIt scripts are the main AutoIt executable (AutoIt3.exe) and the script. Scripts can also be encoded into standalone executables with the built-in script compiler Aut2Exe.

International and 64-bit Support

AutoIt is fully Unicode aware and also includes x64 versions of all the main components! How many other free scripting languages can you say that about?

Key and Mouse Simulation

Much time has been spent optimizing the keystroke and mouse simulation functions to be as accurate as possible on all versions of Windows. All the mouse and keyboard routines are highly configurable both in terms of simulation "speed" and functionality.

Window Management

You can expect to move, hide, show, resize, activate, close and pretty much do what you want with windows. Windows can be referenced by title, text on the window, size, position, class and even internal Win32 API handles.

Controls

Directly get information on and interact with edit boxes, check boxes, list boxes, combos, buttons, status bars without the risk of keystrokes getting lost.  Even work with controls in windows that aren't active!

Graphical User Interfaces (GUIs)

AutoIt v3 will also allow you to create some complex GUIs - just like those below!

And much, much more...

이 글은 스프링노트에서 작성되었습니다.

Cross-Site Request Forgeries(CSRF, pronounced "sea surf")

I hope you don't mind if I expand on this a bit. You've come across the tip, in my opinion, of a rather large iceberg. It's another Web/trust-relationship problem. Many Web applications are fairly good at identifying users and understanding requests, but terrible at verifying origins and intent.(Web 응용프로그램은 Request를 보내오는 근원지와 의도 파악이 어렵다.)

The problem isn't the IMG tag on the message board, it's the backend app you seek to attack via the IMG tag. And I suspect lots of Web apps are vulnerable. Lots. I've been to training on highly-regarded, widely-used, expensive Web app development frameworks, and none of the classes taught how to avoid the problems I will attempt to describe. In fact, they all seem to teach the "easy way" of handling what look like user requests, which is, of course, the vulnerable way.

Anyway, let's look at how your post relates to what I call CSRF.

On Wed, Jun 13, 2001 at 07:33:04PM +0100, John Percival wrote:

> This exploit shows how almost any script that uses cookie session/login data

> to validate CGI forms can be exploited if the users can post images.

> What is the problem? Well, by using an [img] (or HTML <img> or <iframe> or

> <script src="">) tag, the user is having anyone who views the thread access

> that image - that is perform an HTTP GET on the URL specified for the image.

> Even if its not an image, it still can be accessed, but will display a

> broken image.(HTTP GET method가 실행된다. img 테그에 이미지에 대한 URL이 없더라도 GET method가 실행된다.)

Depending on what's allowed, height/width and CSS/visibility tags can be used to hide the broken image icon.(width=0 height=0)

> This means that the user can put a CGI script inside [img]

> tags.

** Learning from Randal's purple dinosaur?

The problem you describe is not uploading images, it's allowing users to post code that's inserted in an appropriate HTML tag attribute. This is something of a variation on Randal Schwartz's purple dinosaur hack,[2] but much more interesting and dangerous than even what you describe.

> This script will be called by whoever views that thread. When used

> maliciously, it could force the user to: unknowingly update their profile,

> respond to polls in a certain way, post new messages or threads, email a

> user with whatever text they want, the list goes on. This would be

> particularly worrying for a 'worm' to spread through a forum, filling it

> with rubbish posts.

** The difference between XSS and CSRF

Right. There's something much larger going on here. Darnit, I wanted to make a nice formal paper out of this, but you're forcing my hand. :-) The problem is what I call CSRF (Cross-Site Request Forgeries, pronounced "sea surf"). Any time you can get a user to open an HTML document, you can use things like IMG tags to forge requests, with that user's credentials, to any Web site you want -- the one the HTML document is on, or any other.

This looks somewhat similar to Cross-Site Scripting (XSS), but is not the same. XSS aimed at inserting active code in an HTML document to either abuse client-side active scripting holes, or to send privileged information(XSS는 client-side에 위치한 스크립트 취약점을 악용하거나 권한이 부여되어야 볼 수 있는 정보(sessionid, cookie)를 전달하기 위해 HTML 문서에 active code를 삽입하는것) (e.g., authentication/session cookies) to a previously unknown evil collection site. CSRF does not in any way rely on client-side active scripting, and its aim is to take unwanted, unapproved actions on a site where the victim has some prior relationship and authority.(CSRF는 원치안고 검증되는 안은 action을 목적으로 함)

Where XSS sought to steal your online trading cookies so an attacker could manipulate your portfolio, CSRF seeks to use your cookies to force you to execute a trade without your knowledge or consent(XSS는 사용자의 cookie 값을 훔치는 것이고 CSRF는 사용자의 cookie 값을 사용자도 모르는 사이에 공격자가 사용하는 것) (or, in many cases, the attacker's knowledge, for that matter). [Just an extreme example there; I do not have any idea if any trading sites are vulnerable. I have not tested *any* applications or sites that I don't have some personal involvement in the design and maintenance of. Don't ask me to.]

 <img src="https://trading.example.com/xfer?from=MSFT&to=RHAT&confirm=Y">

 <img src="https://books.example.com/clickbuy?book=ISBNhere&quantity=100">

** Ubiquity of attack channels

Since HTML documents are popping up everywhere (even in corporate email systems!!!), and it's impossible to discern what IMG or HREF values might be direct CSRF attacks, or redirect users to unwittingly do dangerous things via CSRF redirects, the fix has to be in the applications that do the

interesting things.

> For example, if a user posted something along these lines:

> [img]http://your.forums/forums/newreply.cgi?action=newthread&subject=aaa&bod

> y=some+naughty+words&submit=go[/img]

> Then the post would go through, under the name of whoever viewed the image.

> This is of particular danger when an administrator views an image, which

> then calls a page in an online control panel - thus granting the user access

> to the control panel.

** Impossible to filter content

Right, and as I say, the site you act against can be somewhere else entirely. Here's what a CSRF attack might look like:

 <img src="http://example.net/logo.gif" height=0 width=0 alt="">

That's it. When your client requests /logo.gif -- exposing no cookies -- the example.net server redirects you to a URL like the one you show, above. So the end result us the same as if the attacker had embedded the more obvious URL inside the IMG tag.

If an attacker wants, he can also use a simple, innocent looking hyperlink and hope the victim clicks on it (http://example.net/kyotoanalysis.htm). You don't allow hyperlinks? Well, someone might copy/paste the link, and be stung that way. They'd notice? Maybe not -- the URL could be a mostly useful page, with a tiny frameset sliver that loads your attack URL.

> How can it be fixed? Well, there are a couple of ways to stop it, but the

> easiest (in PHP at least) seems to be to have most of the variables used by

> scripts be used through $HTTP_POST_VARS. So instead of checking for $action

> in a script, $HTTP_POST_VARS['action'] would be checked. This forces the

> user to use a POST request, not a GET.

which means the attacker reverts to using Javascript, or entices the victim to click on an image that's acting as a submit control in a <form>. Requiring POST raises the bar, but doesn't really fix the problem.

> Alternatively, the sessionid could be

> required to come with the GET/POST request variables, rather than by cookie.

...thereby exposing an important piece of authentication information to history files and proxy servers; I really don't like URL mangling for authentication purposes, especially in non-SSL systems. A combination of cookie + URL mangling might not be bad, though in the message board case, a CSRF attacker could use an intermediate redirect (as described earlier) to get the URL mangling (from the Referer), and redirect back to the

messageboard with the proper mangling as well as all cookies that might be expected/needed. So in your example case, URL mangling would buy nothing. :-(

> Finally, in the specific case of [img] tags, the use of ? or & in the img

> URL can be disabled by some regexes.

Not at all adequate. Browsers follow redirects on IMG tags, so I redirect you to http://example.net/logo.gif which in turn redirects you to the final URL, as described earlier.

> If the software that you run is not secure, we recommend that you disable

> HTML and/or [img] tags, until the fixes have been implemented.(해결책이 나오기 전까지는

It's much worse than that. Please see the following URLs for an introduction to the dangers of CSRF, and some discussion of countermeasure strategies.

 http://www.astray.com/pipermail/acmemail/2001-June/000803.html

 http://www.astray.com/pipermail/acmemail/2001-June/000808.html

 http://www.astray.com/pipermail/acmemail/2001-June/000804.html

** Server-Side Countermeasures

The fix MUST be implemented on the backend that's being attacked. In your example, newreply.cgi needs to be intelligent enough to detect and stop CSRF attacks.

We've talked about how an attacker can post a message to the messageboard with innocent looking URLs. But an attacker can also simply send the victim a piece of HTML email including the full attack IMG URL. No amount of IMG tag filtering in your messageboard posting system can stop that.

** Three-phase tests before acting

When it comes to generic CSRF attacks, any application that uses a two-phase approach to action approval is vulnerable (the two phases being [1] do you possess authentication information and [2] are all the required arguments present). What's needed is a third test: is the user really using a proper application form to generate the request?

** The 90% solution: Referer tests

For many sites, you can achieve a high level of protection by checking the HTTP Referer header.(HTTP Referer Header를 확인하여 Referer의 값이 다르면 공격이라고 판단한다.) This would prevent things like attacks via email. But it would also mean locking out any user whose requests did not contain Referer information.(그러나 Referer 정보를 포함하지 않는 Request를 보내는 사용자는 lock out된다.)[1] As long as the values in the allowed Referer list are all coded with XSS and CSRF in mind, this could be adequate. Referer checks should be as specific as possible, e.g. you might require the Referer to begin with "https://example.com/admin/admin.cgi" or "https://example.com/admin/" instead of simply "https://example.com/".(보다 확실한 대책을 세우기 위해서는 Referer 정보 중, 단순한 도메인만을 확인하는 것이 아니라 도메인 하위의 경로까지 확인한다.)

** The more difficult cases

Some other applications are more difficult to secure. Consider webmail apps. So webmail.example.com decides only "message delete" requests from webmail.example.com pages will be accepted: well, if the attacker sends a CSRF message to your webmail account, then when you read it via webmail, the Referer in the CSRF image request (your client thinks it's an image request) says it's indeed from the proper webmail server (even in the case of an intermediate redirect; check the bugtraq archives for past discussion of anonymizing hyperlinks, redirects vs. client-pull, etc.), so the request gets through.(웹 메일을 통해 CSRF 메시지가 전달되고 웹 메일 사이트를 통해 CSRF 메시지가 포함된 메일을 읽는 경우는 Referer 정보를 확인하더라고 문제가 된다.) Basically, any application that allows posting of URLs needs more sophisticated protection than Referer checks. This would also include messageboards and discussion sites like Slashdot.

> Known Vulnerable: Infopop's UBB 6.04e (probably the whole 6.xx series),

> ezboard 6.2, WWW Threads PHP 5.4, vBulletin 2.0.0 Release Candidate 2 and

> before (later versions are safe). Probably many more bulletin boards and CGI

> scripts out there, but those are the main ones that we have been tested

> positive.

** One-time authorization codes

The URLs I list above outline a server-side one-use-token approach to closing the hole. For instance, the page that users are expected to use for drafting messages (in your newreply.cgi example) would create a one-time use token, good for a limited time.(서버측에서 메시지를 작성할 만한 페이지에서는 one-time token을 발급). The newreply.cgi processing script would require this value be present, correct, and in time. So while the attacker knows that action, subject, body, and authcode values are required, the attacker does not know, and cannot ascertain, the proper value needed for the authcode argument.[0] These tactics tend to introduce certain inconveniences (e.g., preventing use of the "back" button) so you may wish to analyze the various actions your application can take and provide varying levels of protection. For example, in a webmail system sending and deleting messages need more protection than displaying messages.

** Unpredicatable argument names?(서버측에서 argument name을 정하는 argument map table를 만들어 argument의 이름을 알기 어렵게 한다.)

Other tactics may be possible. For instance, consider "action=newthread&subject=aaa&body=some+naughty+words&submit=go". On the server side, you could have an "argument map table" for each session, e.g. pick random surrogates for the normal argument names. For one user, the system might look for "876575665" as an argument name instead of the predictable "action", "9876dafd987" for "body", etc. There may be some tricks vis-a-vis anonymizing referers if the labels are constant throughout a session, but it might be possible to do something like this to make it more difficult to construct a valid URL for a CSRF malicious action.

** Attacking sites behind corporate firewalls

Want more fun? CSRF tactics can be used to attack servers behind corporate firewalls. It's not just your public Web apps that are at risk. <img src="http://intranet/admin/purgedatabase?rowslike=%2A&confirm=yes"> If the attacker knows enough to make a URL and can get you to open a message, that's all it takes. Here we see that HTTP Referer headers can be a double-edged sword. Earlier we described how Referer tests can add security to many apps relatively easily. But Referer headers can also leak information about "private" sites if those sites use non-anonymized hyperlinks and external document references.

I'm afraid CSRF is going to be a mess to deal with in many cases.

Like trying to tame the seas.

** Workarounds

Most of us probably depend on applications that won't be fixed anytime soon. So what can you do to prevent a CSRF attack from making your browser request something without your approval?

 - Do not use an email client that renders HTML

 - Do not use a newsgroup client tied to your Web browser

 - Do not allow your browser to save usernames/passwords

 - Do not ask Web sites you care about to "remember" your login

 - Be sure to "log off" before and after using any authenticated

Web site that's important to you [or your employer ;-)], even if that means exiting your Web browser completely

 - Consider using something like Windows 2000's "Run As" shortcut feature or my "runxas" shell script (available at the tux.org URL listed below) to run a Web browser for casual use

My apologies for the somewhat rambling nature of this post; I may yet clean this up and put it in a proper paper, and do some real editing...

but I hope even in this rough form it makes some sense, and helps folks design better, safer applications.

-Peter

http://www.tux.org/~peterw/

[0] Not unless the page that included the authcode is readable, e.g. if the composition page had XSS bugs that would facilitate construction of a URL for a CSRF attack.

[1] As discussed earlier (http://www.securityfocus.com/archive/1/41653), client-pull pages usually result in no Referer information being sent by the client. So if your application allows a request with no Referer, an attacker need only direct the victim to an HTML document that uses a client-pull META tag to send the victim to the CSRF attack URL. This might be tricker to pull off, but remains feasible. So if you want to use Referer checks, you really ought to go all the way and deny every request that lacks a Referer header.

[2] http://www.stonehenge.com/merlyn/ [3]

[3] fellow cornfed users: the horror! footnotes referenced in reverse order!

이 글은 스프링노트에서 작성되었습니다.

Using the Cryptography Configuration Features of CNG

CNG API는 등록된 공급자에 대한 정보를 수집하고 얻기 위한 함수들을 제공한다.

Enumerating Providers

Getting Provider Registration Information

Enumerating Providers

사용자는 등록된 공급자 정보를 수집하기 위해 BCryptEnumRegisteredProviders 함수를 사용한다. BCryptEnumRegisteredProviders 함수는 다음 두가지 방법중 한가지 방법으로 호출될 수 있다.

첫번째, 메모리를 할당하는 BCryptEnumRegisteredProviders 함수 실행한다. 이것은 ppBuffer 인자에 대해 NULL 포인터의 주소를 전달하여 실행된다. 이 코드는 CRYPT_PROVIDERS 구조체와 관련된 스트링을 위해 요구되는 메모리를 할당할 것이다. 이와 같은 방법으로 BCryptEnumRegisteredProviders가 호출되었을 때, ppBuffer가 더 이상 필요가 없다면 그 변수를 BCryptFreeBuffer에 인자로 전달하여 사용자는 반드시 그 메모리를 free해야 한다.

1. #ifndef NT_SUCCESS
   
   #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
   
   #endif
   
   
   
   void EnumProviders1()
   
   {
   
       NTSTATUS status;
   
       ULONG cbBuffer = 0;
   
       PCRYPT_PROVIDERS pBuffer = NULL;
   
   
   
       /*
   
       Get the providers, letting the BCryptEnumRegisteredProviders
   
       function allocate the memory.
   
       */
   
       status = BCryptEnumRegisteredProviders(&cbBuffer, &pBuffer);
   
   
   
       if (NT_SUCCESS(status))
   
       {
   
           if (pBuffer != NULL)
   
           {
   
               // Enumerate the providers.
   
               for (ULONG i = 0; i < pBuffer->cProviders; i++)
   
               {
   
                   printf("%S\n", pBuffer->rgpszProviders[i]);
   
               }
   
           }
   
       }
   
       else
   
       {
   
           printf("BCryptEnumRegisteredProviders failed with error "
   
               "code 0x%08x\n", status);
   
       }
   
   
   
       if (NULL != pBuffer)
   
       {
   
           /*
   
           Free the memory allocated by the
   
           BCryptEnumRegisteredProviders function.
   
           */
   
           BCryptFreeBuffer(pBuffer);
   
       }
   
   }

두번째, 사용자 스스로 메모리를 할당하는 것이다. This is accomplished by calling the BCryptEnumRegisteredProviders function with NULL for the ppBuffer parameter. The BCryptEnumRegisteredProviders function will place in the value pointed to by the pcbBuffer parameter, the required size, in bytes, of the CRYPT_PROVIDERS structure and all strings. 그러면 사용자는 요구되는 메모리를 할당하고 ppBuffer에 대한 buffer 포인터의 주소를 BCryptEnumRegistredProviders 함수가 두번째 호출될 때, 두번째 인지로 넘겨준다.

1. #ifndef NT_SUCCESS
   
   #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
   
   #endif
   
   
   
   void EnumProviders2()
   
   {
   
       NTSTATUS status;
   
       ULONG cbBuffer = 0;
   
   
   
       // Get the required size of the buffer.
   
       status = BCryptEnumRegisteredProviders(&cbBuffer, NULL);
   
   
   
       if (STATUS_BUFFER_TOO_SMALL == status)
   
       {
   
           // Allocate the buffer.
   
           PCRYPT_PROVIDERS pBuffer =
   
               (PCRYPT_PROVIDERS)LocalAlloc(LPTR, cbBuffer);
   
           if (NULL != pBuffer)
   
           {
   
               // Get the providers in the buffer that was allocated.
   
               status = BCryptEnumRegisteredProviders(
   
                   &cbBuffer,
   
                   &pBuffer);
   
               if (NT_SUCCESS(status))
   
               {
   
                   for (ULONG i = 0; i < pBuffer->cProviders; i++)
   
                   {
   
                       // Enumerate the providers.
   
                       printf("%S\n", pBuffer->rgpszProviders[i]);
   
                   }
   
               }
   
   
   
               // Free the memory that was allocated.
   
               LocalFree(pBuffer);
   
           }
   
       }
   
   }

Getting Provider Registration Information

BCryptQueryProviderRegistration 함수는 공급자에 대한 추가적이고 등록과정에서 명시된 정보를 얻기 위해 사용된다. 이 함수는 사용자가 얻기 원하는 정보에 대한 공급자의 이름을 인자로 한다. 예를 들어 Microsoft Primitive Provider에 대한 암호 인터페이스의 사용자 모드 등록정보를 얻기 위해서, 사용자는 다음과 유사한 방법을 사용한다.

1. BCryptQueryProviderRegistration(
   
       MS_PRIMITIVE_PROVIDER,
   
       CRYPT_UM,
   
       BCRYPT_CIPHER_INTERFACE
   
       ...
   
       );

Like the BCryptEnumRegisteredProviders function, the BCryptQueryProviderRegistration function can either allocate memory for you or you can allocate the memory yourself. The process is the same for the two functions.

이 글은 스프링노트에서 작성되었습니다.