D. Hazelton wrote:
> Someone mentioned that regedit might be a piece of code which is the only one
> to use a function call... All modern Windows releases ship with two versions
> of regedit, regedit.exe and regedt32.exe - and there have been several
> third-party replacements for regedit released.
Win XP and above ship with a new regedit.
Regedit.exe (Win98 derivative) and regedt32.exe (crippled version for 2K) have
both been dropped.
Ged
************************************************************************
The information contained in this message or any of its
attachments is confidential and is intended for the exclusive
use of the addressee. The information may also be legally
privileged. The views expressed may not be company policy,
but the personal views of the originator. If you are not the
addressee, any disclosure, reproduction, distribution or other
dissemination or use of this communication is strictly prohibited.
If you have received this message in error, please contact
postmaster(a)exideuk.co.uk
<mailto:postmaster@exideuk.co.uk> and then delete this message.
Exide Technologies is an industrial and transportation battery
producer and recycler with operations in 89 countries.
Further information can be found at www.exide.com
Don't be silly, all of you; such an audit will take at least half a year, and reimplementing everything will just destroy the project. Use your heads, you are programmers, and you fear there is leaked code; if there is any, its assembly should be similar to the Windows one, so be easy: compile ReactOS, disassemble it. Then disassemble Windows. Write a tool that compares disassembled code. And you have ONLY (and it is still lots of work) to compare where there are enough coincidences between ReactOS assembly and Windows assembly. Once you get to those spots you only have to check if there is a logical conclusion of a sole way of doing something (like clearing a stack) or copied code.
Why hope for reactos,
Lucio Diaz.
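The comparison proposed in the message above, sketched as an added example (not code from the thread or from the ReactOS project). The listings are constructed, and the function names, the operand-class normalization, the 3-instruction window and both thresholds are assumptions chosen for illustration.

```python
import re

# Constructed listings for illustration; not real ReactOS or Windows code.
OURS = {
    "copy_name": "push ebp; mov ebp, esp; mov esi, [ebp+8]; mov edi, [ebp+12]; "
                 "mov eax, [esi]; mov [edi], eax; xor eax, eax; pop ebp; ret",
    "tiny": "xor eax, eax; ret",
}
THEIRS = {
    "sub_401000": "push ebp; mov ebp, esp; push esi; mov esi, [ebp+8]; "
                  "mov edi, [ebp+16]; mov eax, [esi]; mov [edi], eax; "
                  "xor eax, eax; pop ebp; ret",
    "sub_401100": "push ebp; mov ebp, esp; call 0x402000; test eax, eax; "
                  "jz 0x401120; mov eax, 1; pop ebp; ret",
    "sub_401200": "xor eax, eax; ret",
}
REG = re.compile(r"^(e?[abcd]x|e?[sd]i|e?[sb]p|[abcd][lh])$")

def normalize(instr):
    """Keep the mnemonic, replace operands by class so addresses,
    offsets and register allocation do not hide or fake a match."""
    mnemonic, _, rest = instr.strip().partition(" ")
    classes = []
    for op in (o.strip() for o in rest.split(",") if o.strip()):
        classes.append("MEM" if "[" in op else "REG" if REG.match(op) else "IMM")
    return (mnemonic + " " + ",".join(classes)).strip()

def shingles(body, k=3):
    """Instruction count and the set of k consecutive normalized instructions."""
    seq = [normalize(i) for i in body.split(";")]
    return len(seq), {tuple(seq[i:i + k]) for i in range(len(seq) - k + 1)}

def candidates(ours, theirs, threshold=0.5, min_len=6):
    """Return (our_func, their_func, Jaccard score) pairs worth a human look.
    Functions shorter than min_len are skipped: trivial stubs match everywhere."""
    hits = []
    for n1, b1 in ours.items():
        len1, s1 = shingles(b1)
        for n2, b2 in theirs.items():
            len2, s2 = shingles(b2)
            union = s1 | s2
            if min(len1, len2) < min_len or not union:
                continue
            score = len(s1 & s2) / len(union)
            if score >= threshold:
                hits.append((n1, n2, round(score, 2)))
    return sorted(hits, key=lambda h: -h[2])

if __name__ == "__main__":
    for hit in candidates(OURS, THEIRS):
        print(hit)
```

A hit only marks a spot for manual review; whether the overlap is the one natural way to write the routine or a copy is still a human judgement.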
M Bealby wrote:
> Hey all,
Hi Martin
> I have finished my security audit of one of the pieces of code in the
> new svn repository! (/base/services/tcpsvcs/)
>
> In my audit notes I have listed the problems by simple filename:line,
> flaw, description. They are also dated. Is this the same sort of
> documentation you would like in svn and bugzilla too?
I think the best place for this would be bugzilla.
You can group the full audit in one bug.
> On that note, what is happening with bugzilla? I seem to remember
> someone mentioning that someone was going to go through all the bug
> reports and close any that affected non-audited code. Is this
> correct?
I don't know what is happening with bugzilla at the moment. We've lost
WaxDragon now :(
He used to take care of bugzilla, and all other things related to testing.
You don't want the job, do you?? ;)
> Should I submit my bug report anyway? I'll write something
> noticeable in the summary field so it is obvious it is to do with the
> security audit.
When you submit it, I'll try to get it fixed straight away.
I expect there to be quite a few fixes as I just threw this code together
quickly to give us something to test with. ;)
> Are we going to implement something like Peter's /documentation/ patch?
> If so I will put my security auditing notes in there too.
I don't see any reason to store information which is going to be fixed.
Bugzilla and SVN will take care of the history for us. However, if there is
general audit information in there, then I think it should be treated in the
same manner as the rest and stored in the respective directory accordingly.
Regards,
Ged.
Hey guys,
At first I was shocked when I read that you want to audit all code and
will have to rewrite a lot of the old code, but then I realised that
this is a great chance for making improvements.
Here's one of my ideas:
We could create a completely new setup that will have a GUI (not really
a new idea...).
But the second thing would be to create something similar to Debian's apt
and debconf.
My idea was to create a new setup that installs ReactOS in packets
that would look a bit like this:
A compressed archive (maybe bzip) that contains a folder with all the
files that need to be installed, one file that contains information
like e.g. where to put the files (%SYSTEMROOT% or %WINDIR%...) and one
script file that looks a bit like a batch file. Maybe we could add a
file that contains some questions and hints that can be interpreted by
different configuration utilities.
That is what is IN these archives; in addition to this, the header of
the file would contain uncompressed information about the dependencies,
so that they are easier to read.
All this would give us some big advantages.
For example we would be able to create different distributions and
repositories.
Companies would be able to have a mirror of our repository and could
additionally have their own repositories, whose files depend on ours.
This would ease deployment in big companies and would be a big advantage
compared to Microsoft, as everything happens completely unattended,
even if you upgrade from ReactOS 1.0 to 3.0.
I'm looking forward to reading what you think about my idea.
Greets,
David Hinz
I've made a start with the audit of NTOSKRNL. The page
http://www.reactos.org/wiki/index.php/Ntoskrnl_audit contains a list of all
the public (either exported or syscall) routines of our ntoskrnl.exe, with a
template to fill in the audit metrics which were proposed. I already checked
the documentation status of all routines.
GvG
Hey all,
I have finished my security audit of one of the pieces of code in the
new svn repository! (/base/services/tcpsvcs/)
In my audit notes I have listed the problems by simple filename:line,
flaw, description. They are also dated. Is this the same sort of
documentation you would like in svn and bugzilla too?
On that note, what is happening with bugzilla? I seem to remember
someone mentioning that someone was going to go through all the bug
reports and close any that affected non-audited code. Is this
correct? Should I submit my bug report anyway? I'll write something
noticeable in the summary field so it is obvious it is to do with the
security audit.
Are we going to implement something like Peter's /documentation/ patch?
If so I will put my security auditing notes in there too.
Cheers,
Martin
Index: documentation/README
===================================================================
--- documentation/README (revision 0)
+++ documentation/README (revision 0)
@@ -0,0 +1,11 @@
+This is the documentation directory for the ReactOS project.
+
+
+Directory Layout:
+
+api\ : Documentation for various APIs.
+articles\ : Howto's, Articles and related documentation.
+audit\ : Documentation about and gathered by the audit.
+reverse.engineering\ : Clean-Room effort documentation.
+ : _Only_ human language and pseudo-code documentation is allowed here.
+
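Review bot: The "_Only_ human language and pseudo-code documentation is allowed here." line at the end of the layout list has no directory name in front of it, so it is ambiguous whether the restriction covers reverse.engineering\ alone or the whole documentation tree. Since this is the one rule in the README that matters for the clean-room effort, attach it explicitly, for example "reverse.engineering\ : Clean-Room effort documentation (human language and pseudo-code only)", and say in the same place what a contributor should do with material that does not qualify. Two smaller points in the same list: the entries use backslash separators although the file header in this diff shows the path as documentation/README, so forward slashes would match the repository; and "Howto's" should be "Howtos".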