Practical O2 Platform Tools
Practical O2 Platform Tools
Dinis Cruz
Buy on Leanpub

Table of Contents


This book contains the blog posts written by Dinis Cruz on OWASP (and other philosophical ideas)

This section has the following chapters:

Table of Contents

Change log:

Here are the changes made (per version):

v0.10 (07 April)
* First release of book with raw import from blogger posts (no formatting or editing done) * Added cover to eBook version * Created GitHub repo (and added all previous DropBox content to that repo) * Renamed all posts (to make it easier to read what they are about); set their extension to .md (for Markdown); mapped them to the following sections: ‘Java’, ‘.Net’, ‘Web Automation’, ‘Windows Hijacking’, ‘Misc Utils’, ‘TeamMentor’, ‘IBM AppScan’

Table of Contents

1 Java and J2EE

This section has the following chapters:

Table of Contents

1.1 O2 tools to view and script J2EE, Struts and Tiles xml config files

If you are reviewing Java/J2EE applications, here are a number of mini O2 tools that will help you to understand what is going on:

Bellow are these Tools in action (using the demo apps from )

Util - View Struts Mappings v.1.0
**Drop in the TreeView (white space) the WEB-INF folder

This control will load up the web.xml, struts-config.xml, tiles-def.xml and validation.xml config files, and create a mapping view of that data

The reason this exe is 4Mbs is because it includes the C# REPL script environment

Which can be used to access/script the StrutsMappings object created (and visualized in the TreeView shown above)

The code sample menu item, shows how to easily access the the mapped Struts data:

The REPL Form menu item, provides access the _Form _object which (for example) can be used to make all child controls pink :)

Util - View struts-config.xml mappings v1.0.exe

Drop the struts-config.xml file to see its mappings:

****Util - View tiles-def.xml mappings v1.0.exe**

Drop the tiles-defs.xml file to see its mappings:

****Util - View validation.xml mappings v1.0.exe**
Drop the validation.xml file to see its mappings:

****Util - View Web.Xml mappings v1.0**
**Drop the web.xml file to see its mappings:

If you like this (and are reviewing Java Apps with lots of interfaces) you should also check out the Util - O2 Java Tools (IKVM Based) v1.0

1.2 Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe

I just had a request for the O2’s Spring MVC module (developed ages ago), and It was was a good opportunity to test the latest version of the ‘_O2 Standalone tool builde_r’, since it now supports the embedding of the tools installed via an O2 Script (usually stored in the _ToolsOrApis folder).

You can download the Tool - O2 Cmd SpringMVC v1.0.exe (or build it using O2) which is the stand alone exe of the old O2_Cmd_SpringMvc.msi tool (See at the end of this post for details on how this exe was created)

When you open this tool, you will get a GUI that looks like this:

Then if you drop a jar (or the zip of *.classes like the one you will find in the jPetClinic – O2 Demo that you get from the Packaged Spring MVC Security Test Apps: JPetStore and PetClinc ), a series of conversions will occur (Jython is used to parse the java byte code) :

Which when finished will look like this:

For a detailed explanation of how this module works (including the VERY important /*O2Helper:MVCAutoBindListObject: hack) take a look at this blog post:
Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)

How the Tool - O2 Cmd SpringMVC v1.0.exe was created

It was quite easy to package the O2_Cmd_SpringMvc.msi tool (note-to-self: do this for the other really powerful old O2 tools that are gathering dust in the O2 archives)

Step 1: Create an installer that downloads and extracts the msi:

Step 2: In an O2 C# REPL script create the_ Tool - O2 Cmd SpringMVC.h2_ file

Which will consume the installers (shown above) and will trigger the extraction (when executed for the first time as a standalone exe)

Step 3: Open the context menu and chose the item to package the current script

And that’s it!

The package tool (which is a script it self) should be open with the created exe:

It’s quite powerful the fact that it took me longer to write this blog post than to package that old O2 tool :)

1.3 Util - Java Decompiler (JAD based) v1.0.exe

If you want to take a quick look at the Java code inside a Jar file, here is a simple Java/Jar Decompiler (based on the JAD tool)

You can download the tool from: Util - Java Decompiler (JAD based) v1.0.exe (stand-alone O2 Platform script)

This is what it looks like when you open it:

And this is what happens after a *.jar file is dropped in the left-hand-side TreeView:

You can drop multiple jar files:

Apart the initial delay (caused by the unziping of the dropped jar file into a temp folder), the decompilation should be quite quick.

Other O2 Platform Java-based tools:

More details on how this tool was created:

1.4 Util - Jni4Net - Java BeanShell REPL v1.0.exe

Using the technique shown in the Invoking Java BeanShell from .Net CLR post, here is REPL that allows the quick execution of Java BeanShell command in a C# GUI

You can download this stand-alone O2 tool from: Util - Jni4Net - Java BeanShell REPL v1.0.exe

And this is what the default GUI looks like:


If you expand the Console Out panel, you can see the Jni4Net initialization messages:


There are a number of code samples included:


Which will be auto executed on selection:


This one for example:


will create a Java button:


which of course can be modified and executed:


Also included is a REPL menu


That allows the scripting of the current Form:


like for example: changing its title and making all controls pink


or inject a WebBrowser (on the left) with the Jni4Net website:

The other REPL menu item:


Allows the scripting and visualization of the Jni4Net object:

For reference here is the script (also available at O2.Platform.Scripts\3rdPartyJni4NetUtil - Jni4Net - Java BeanShell REPL.h2) that created this GUI (a bit messy and in need for a good dose of refactoring)):

  1 O2Setup.extractEmbededConfigZips();
  3 //Set value of Bridge.homeDir  
  4 var jni4NetDir = PublicDI.config.ToolsOrApis.pathCombine(@"Jni4Net\lib");  
  5 var fieldInfo = (FieldInfo)typeof(Bridge).field("homeDir");  
  6 PublicDI.reflection.setField(fieldInfo, jni4NetDir);  
  7 //return typeof(Bridge).fieldValue("homeDir");
  9 "jni4net.j- location: {0}".info(Bridge.FindJar());
 11 //stand-alone tool not working (not finding the "jni4net.j-");
 13 //"jni4net.n- is at: {0}".info("jni4net.n-".assembly_Location());  
 14 var topPanel = "Util - JavaBean REPL - {0}".format(clr.details()).popupWindow(800,400)   
 15 .insert_LogViewer();   
 16 //var topPanel = panel.clear().add_Panel(); 
 18 Action execute =null;
 20 var replGui = topPanel.add_REPL_Gui();   
 21 replGui.On_ExecuteCode = ()=> execute();
 23 replGui.Output_Panel.insert_Below("Console Out").add_ConsoleOut();
 25 "test console out".console_WriteLine();
 27 var codeText = replGui.Code_Panel.add_SourceCodeViewer();  
 28 var toolStrip = topPanel.insert_Above_ToolStrip()  
 29 .add_Button("Run", "btExecuteSelectedMethod_Image".formImage(),()=> execute())  
 30 .toolStrip();  
 31 var samplesMenu = toolStrip.add_DropDown("Java BeanShell Code Samples", "help_browser".for\
 32 mImage());   
 33 var beanShellJar = "".uri().download(false);   
 34 //configure Jni4Net bridge and BeanShell  
 35 "Configuring Jnu4Net".info();  
 36 var jni4Net = new API_Jni4Net();  
 37 jni4Net.setUpBride();  
 38 "Default Jni4Net bridge setup ".info();
 40 var interpreterClass = beanShellJar.java_Jar_Class("bsh.Interpreter");  
 41 if(interpreterClass.isNull() && clr.x86()) // most likely means it couldn't find a compati\
 42 ble   
 43 {  
 44 var javaHomeLocation = @"C:\Program Files (x86)\Java\jre7";  
 45 "interpretreClass was null, and this is a 32bit process, so to set-up bridge with JavaHome\
 46 : {0}".error(javaHomeLocation);  
 47 var bridgeSetup = new BridgeSetup() { JavaHome = javaHomeLocation};  
 48 jni4Net.setUpBride(bridgeSetup);  
 49 interpreterClass = beanShellJar.java_Jar_Class("bsh.Interpreter");  
 50 }  
 51 var interpreter = interpreterClass.ctor();
 53 if (interpreter.isNull())  
 54 {  
 55 "Failed to create interpreter instance".error();  
 56 }
 58 java.lang.System.@out.println("Hello Java world!");
 60 //set execute method  
 61 execute =   
 62 ()=>{   
 63 var code = codeText.get_Text().java_String();  
 64 try  
 65 {  
 66 var result = interpreter.java_Invoke_UsingSignature("eval","(Ljava/lang/String;)Ljava/lang\
 67 /Object;",code);   
 68 replGui.showOutput(result.str());   
 69 }  
 70 catch(System.Exception ex)  
 71 {  
 72 ex.log("Execution error");  
 73 replGui.showErrorMessage(ex.Message);  
 74 }   
 75 };   
 76 Action<string,string> addCodeSample =   
 77 (title, codeSample)=> samplesMenu.add_Button(title,   
 78 ()=>{  
 79 codeText.set_Text(codeSample);  
 80 execute();  
 81 });  
 82 Func<string> getJni4NetReplCode =  
 83 ()=>{  
 84 return "return jni4Net.bridgeSetup;".line().line() +   
 85 "//O2Ref:jni4net.n-".line() +   
 86 "//O2Ref:{0}".format(jni4Net.type().Assembly.ManifestModule.str());  
 87 };
 90 toolStrip.add_DropDown("REPL", "text_x_script".formImage())  
 91 .add_Button("REPL Form" , ()=>topPanel.parentForm().script_Me("form"))  
 92 .add_Button("REPL Jni4Net" , ()=>jni4Net.script_Me("jni4Net").set_Code(getJni4NetReplCode(\
 93 )))  
 94 .add_Button("REPL Jni4Net Assembly" , ()=>jni4Net.type().Assembly.script_Me("assembly"));
 96 toolStrip.add_Button("Open BeanSheel website", "internet_web_browser".formImage(), ()=>"ht\
 97 tp://".startProcess())  
 98 .add_Button("View Jni4Net O2 Blog posts", "internet_web_browser".formImage(), ()=>"http://\
101 //Code samples
103 addCodeSample("Hello World", "return \"Hello World (from java bean)\";");  
104 addCodeSample("Java Properties", "return java.lang.System.getProperties();");
106 addCodeSample("Int sums",   
107 @"int a = 12;  
108 return a + 30;");
110 addCodeSample("Hashtable and date",   
111 @"Hashtable hashtable = new Hashtable();  
112 Date date = new Date();  
113 hashtable.put( ""today"", date );  
114 return hashtable.get(""today"");");
117 addCodeSample("Create java button",  
118 @"button = new JButton( ""My Button"" );  
119 frame = new JFrame( ""My Frame"" );  
120 frame.getContentPane().add( button, ""Center"" );  
121 frame.pack();  
122 frame.setVisible(true);
124 return ""You should have a Java button"" +   
125 ""somewhere on your screen"";");
128 addCodeSample("System.out.println (not working)",  
129 @"java.lang.System.out.println(""Hello Java world!"");  
130 return ""done"";");
132 samplesMenu.items().first()  
133 .PerformClick();
136 replGui.Output_Panel.splitterDistance(50);
138 return "done";
141 //using System.Reflection  
142 //using net.sf.jni4net  
143 //using net.sf.jni4net.jni;  
144 //using java.lang;  
145 //using;  
146 //O2File:API_Jni4Net.cs  
147 //O2Ref:Jni4Net\lib\jni4net.n-  
148 //O2Embed:java.ico  
149 //O2EmbedTool:Jni4Net  

1.5 Util - O2 Java Tools (IKVM Based) v1.0

For the Java users, here are a couple O2 Tools that expose GUIs to view java class files and programatically analyze them.

These tools leverage the amazing IKVM project to parse the Java class files into C# classes.

You can download the exe from Util - O2 Java Tools - IKVM Based v1.0.exe (its 20Mb since it includes the latest version of IKVM)

When you start this exe, you will see this menu:

Which is a launcher for the following 4 tools (included as *.h2 scripts which will be compiled on first run):

Util - Java Methods CallTo and IsCalledBy Mappings.h2

Util - View Java Mappings.h2


Util - Jar or Class Browser.h2




Util - View Jar File Entries.h2

Included REPL Script environment

And as with most O2 tools, what is really powerful is the fact that these APIs and GUIs are all easily scripted using the provided REPL C# Script environment (via REPL menu):

2 .Net

This section has the following chapters:

Table of Contents

2.1 Tool - View .NET Assembly References Mappings.exe

Here is a ‘simple’ .Net mini-tool that shows two TreeViews with .Net assemblies reference’s dependencies (I used it today to figure out how many dependencies a particular dll had).

You can download this O2 Platform tool from: Tool - View .NET Assembly References Mappings.exe (5Mb)

Here is what it looks when executed for the first time:


On the left you have the original assembly (in this can the actual Tool - View .NET Assembly References Mappings.exe) and the dlls it depends on.

On the right you have the XRef mappings of each assembly loaded on the right:


Where this gets interesting is if you drop a folder into the left-hand-side TreeView:


All dlls are loaded (on the left) and the XRefs (on the right) show more mappings:


The loading and mapping of dlls is very quick, for example it took about 2 seconds to load and map 81 assemblies:


The ‘REPL Selected Assembly’_ ToolStrip Button**, will open a C# REPL for the assembly selected (on the left **_TreeView)

For example here is the AWSSDK.dll assembly:


Once we have a dll loaded, we can (for example) list it classes using reflection:


**Note 1: **you probably noticed that I used and packaged ILSpy (in order to use Mono.Cecil) as one of the dependencies, so a cool improvement of this script would be to fire up ILSpy from here, or even better to show its main decompilation GUI (TreeView and decompiled code).

**Note 2: **The script that created this tools is at GitHub: Tool - View .NET Assembly References Mappings.h2

2.2 WinDbg, Cdb, Sun-Of-Strike and Util - Start SoSNet (O2 Version).exe

If you are want to manipulate or analyze a .Net in real time, one of the best options is to use the .Net debugging API, and the best way to do that is to use the cdb.exe utility (downloadable from here) with the SoS (Sun-Of-Strike) managed debugger extension

A while back I found the SoSNet project (which was a gui on top of Sos) from which I then forked into in order to allow it to compile under Roslyn (and add a couple other changes/fixes)

If you want to give this tool a test drive here is an stand-alone exe: Util - Start SoSNet (O2 Version) v1.0.exe (created from the _Util - Start SoSNet (O2 Version).h2 _script), which you can see in action at the end of this post.

If you don’t know (or have used) SoS, you are missing a massive trick!!! You will get FULL access to the CLR, and there is no .Net object that you can’t access (or manipulate). It is spectacularly powerful, and you will never do .Net debugging the same way again. And with the O2 modules/tools and the SunOfStrikeAPI.cs , it can now be scripted in a REPL environment :)

See the Scripting SoS (Sun-of-Strike) .Net managed extension using O2 post for detailed examples on how to script SoS in a real-time REPL environment (you might also like the Scripting MDbg and DbgHostLib post).

For more on SoS see:

A related technique is the one show in the Video: Injecting C# DLLs into Managed (C#) and Unmanaged (C++) processes (where .Net assemblies are injected into another .NET process)

Screenshots of Util - Start SoSNet (O2 Version) v1.0.exe in action:
**Default Gui (note the extra O2 Menu and REPL script below)

Listing current processes and selecting an .Net process to attach

Once attached you can see a list of AppDomains (which you can select one)

Here is the list of loaded assemblies

Here are the current types in the selected AppDomain

If you chose a type you get to see its instances

Here is what is happening under the hood (i.e. the cdb.exe output)

Type !help (in the textbox at the bottom) to see the list of available commands:

Settings page with links to download the latest version of Cdb/WinDbg


3 Web Automation

This section has the following chapters:

Table of Contents

3.1 Packaging an O2 Platform Script as a stand alone tool (in this case the WatiN based ‘IE Script’ tool)

If you grab the latest version of the O2 Platform and try to run the _**IE Script **_tool


you might get a bunch of compilation errors, like the ones Arnaud described in this How to get a “full” version of o2 mailing list thread.

The best way to deal with this is to run this O2 Script as a ‘packaged script’, i.e. from a stand-alone exe that contains all dependencies required to run it.

The rest of this post shows how to create such stand-alone exe for the IE Script tool.

Open the Package O2 Script tool/script


which looks like this:


Then click on Find an O2 Script:


Search for IE Automation

And Drag-n-drop the IE Automation (Simple mode).h2 into the Drop Zone

The button should go green to represent an active build/package process


And look like this when completed (the button goes red if there are compilation or packaging errors)


That 3.084kb exe file is now our packaged script :)

You can run this executable directly from here:


or copy it to another vm with .NET 4.0 installed


and run it from there:


In some cases (like this one), there will be two new folders created in the executable folder.

The O2.Platform.Scripts (containing the scripts dynamically compiled by the REPL)


And the O2.Temp (which will contain all temp files (including the O2 assemblies that were embedded in the stand-alone exe and extracted to facilitate the compilation))


Going back into the tool that created the stand alone script, the logs provide really good info on what happened:


and if you open the __BuildFiles_ you can see the VisualStudio project that was programmatically created and compiled


In fact, you can open that IE Automation (Simple mode).csproj file in VisualStudio


And run the tool (or a customized version of it) from there:


Note: I just uploaded the IE Automation (Simple mode) v1.0.exe tool to the O2 Platform downloads at Google Code, so you can also grab it from there:


3.2 Writing an IE Automation script to login into UK’s Wifi (using O2 Platform’s WatiN ExtensionMethods)

Here is an example of how to write an O2 Platform IE Automation script that will login a user into a wifi connection that needs a username and password.

Open the IE Script tool which you can get from this stand-alone version (see Packaging an O2 Platform Script as a stand alone tool (in this case the WatiN based ‘IE Script’ tool) )

Or from the main O2 Platform gui:


When opened it, should look like this:


Leave the first line and open the default wifi connection page (see at the end of this post for the scripts created in a format you can copy and paste):


Take a look at the HTML links of this page (I commented out the since the browser session is persisted on multiple executions):


Here is how to get a specific link (note the multiple variations caused by the fact that the Get Online link has no ID and a new line in its text:


Next step is to click on the link:


Next get the links for this page and look at the details of the link we want to click next:


Which has the same issue of a new line at the beginning and no ID


Let’s click on that Link:


And look at the fields in this page:


In there find the password one


Note that we can edit this field and see its changes in real-time:

image image

We can now get the reference to the password field:


and change its value programmatically:


Now the email field is going to be a little more complicated since it wasn’t picked up by the _fields WatiN _Extension Method.

So take a look at the **.elements() **:


And get a programmatic reference to it:


Get its outerHtml (at this stage I’m trying to figure out the most efficient way to populate it)


Here are the element attributes:


Btw: taking a look at the parent’s element outerHtml we can see that this input element is not properly terminated:


Ok, here is one way to populate the Email field (by directly changing/replacing the outerHtml)


And since they are using jQuery on this site, we can use also use jQuery to populate that field:


Top tip: you can also get javascript objects into your C# script. For example here is how to get the value of the email we just populated:


The document.location object


The window.screen object


A jQuery selector:


The body html (as seen by jQuery)


ok, moving back to our login page….

Now that we can populate data into both input fields, we need to find the button:


and click on it:


Now that its working let’s package the whole script into a lamdba method:


**Note: **since we have jQuery, we could use it to add an attribute to the link, and then get that link from the C# REPL (instead of doing that lamda search):


Next step is to ask the user for the account details and use it to login:


Now, when you click execute you will get a popup you can use to enter the email and password:


And if all goes good you will be logged in, and google should open up:


Finally, we can make this into a stand alone script:


which will open the IE/WatiN control in a popup window:

image and image

and even package it as a stand-alone exe:


which can then be executed directly:


(note that in this case there are no extra folders since the embedded dlls are extracted directly into memory and there are no scripts to dynamically compile)

****Scripts used in this blog:**

Open web page

 1 var ie = "ie_aenoN".o2Cache<WatiN_IE>(()=> panel.clear().add_IE()).silent(false);  // ie r\
 2 andom value for o2cache makes this object to unique amongst multiple instances of this con\
 3 trol  
 6 return "done";
 8 //O2File:WatiN_IE_ExtensionMethods.cs   
 9 //O2Ref:WatiN.Core.1x.dll  
10 //O2Tag_DontAddExtraO2Files;  

Multiple ways to get the GetOnline link:

 1 var ie = "ie_aenoN".o2Cache<WatiN_IE>(()=> panel.clear().add_IE()).silent(false);   
 2 //"");  
 3 var getOnlineLink ="  
 4 Get Online");  
 5 return getOnlineLink.text();
 7 //these also work;  
 8 return ie.links()[2].text();  
 9 return ie.links().third().text();  
10 return ie.links().where((link)=> link.text().contains("Get Online")).first();
13 //O2File:WatiN_IE_ExtensionMethods.cs   
14 //O2Ref:WatiN.Core.1x.dll  
15 //O2Tag_DontAddExtraO2Files;   

Populating the email field using jQuery:

 1 var ie = "ie_aenoN".o2Cache<WatiN_IE>(()=> panel.clear().add_IE()).silent(false);   
 2 //"");  
 3 //var getOnlineLink = ie.links().where((link)=> link.text().contains("Get Online")).first(\
 4 );  
 5 //;  
 6 //"  
 7 //Free Cloud WiFi").click();  
 8 ie.eval("$('#username').val('')");  
 9 return ie.getJsVariable("$('#username').val()");  
10 return "done";
12 //O2File:WatiN_IE_ExtensionMethods.cs   
13 //O2Ref:WatiN.Core.1x.dll  
14 //O2Tag_DontAddExtraO2Files;   

Login script as Lambda method

 1 var ie = "ie_aenoN".o2Cache<WatiN_IE>(()=> panel.clear().add_IE()).silent(false);
 3 Action<string,string> loginIntoTheCloud =   
 4 (email, password)=>  
 5 {   
 7 ie.links()  
 8 .where((link)=> link.text().contains("Get Online")).first().click();  
 9 ie.links()  
10 .where((link)=> link.text().contains("Free Cloud WiFi")).first().click();  
13 ie.eval("$('#username').val('{0}')".format(email));  
14 ie.field("password").value(password);  
15 ie.buttons().first().click();  
16 };
18 loginIntoTheCloud("", "password");  
19 return "done";  
20 //O2File:WatiN_IE_ExtensionMethods.cs   
21 //O2Ref:WatiN.Core.1x.dll  
22 //O2Tag_DontAddExtraO2Files;   

Adding an ID to an element using jQuery:

 1 var ie = "ie_aenoN".o2Cache<WatiN_IE>(()=> panel.clear().add_IE()).silent(false);
 4 ie.eval("$(\"a :contains('Online')\").first().parent().attr('id','myLink')");  
 5 return"myLink");  
 6 **Full script with login and redirect to google:**  
 9     var ie = "ie_aenoN".o2Cache<WatiN_IE>(()=> panel.clear().add_IE()).silent(false);
11 Action<string,string> loginIntoTheCloud =   
12 (email, password)=>  
13 {   
15 ie.links()  
16 .where((link)=> link.text().contains("Get Online")).first().click();  
17 ie.links()  
18 .where((link)=> link.text().contains("Free Cloud WiFi")).first().click();  
21 ie.eval("$('#username').val('{0}')".format(email));  
22 ie.field("password").value(password);  
23 ie.buttons().first().click();  
24 };
26 var credentials = ie.askUserForUsernameAndPassword();
28 loginIntoTheCloud(credentials.UserName, credentials.Password);  
29 ie.waitForComplete();  
32 //O2File:WatiN_IE_ExtensionMethods.cs   
33 //O2Ref:WatiN.Core.1x.dll  
34 //O2Tag_DontAddExtraO2Files;   

Final version of the script:

 1 //var ie = "ie_aenoN".o2Cache<WatiN_IE>(()=> panel.clear().add_IE()).silent(false);   
 2 var ie = "Util - Login into the cloud Wifi".popupWindow()  
 3                                            .add_IE();
 5 Action<string,string> loginIntoTheCloud =   
 6 (email, password)=>  
 7 {   
 9 ie.links()  
10 .where((link)=> link.text().contains("Get Online")).first().click();  
11 ie.links()  
12 .where((link)=> link.text().contains("Free Cloud WiFi")).first().click();  
15 ie.eval("$('#username').val('{0}')".format(email));  
16 ie.field("password").value(password);  
17 ie.buttons().first().click();  
18 };
20 var credentials = ie.askUserForUsernameAndPassword();
22 loginIntoTheCloud(credentials.UserName, credentials.Password);  
23 ie.waitForComplete();  
26 //O2File:WatiN_IE_ExtensionMethods.cs   
27 //O2Ref:WatiN.Core.1x.dll  
28 //O2Tag_DontAddExtraO2Files;  

4 Windows Hijacking

This section has the following chapters:

Table of Contents

4.1 Showing Chrome, Eclipse, IBM AppScan Standard and VisualStudio in the same Process/Window

**UPDATE (Jan/13): **See PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2 post for another powerful example of consuming Chrome (and IE and Firefox) window in another process

Using the control shown in Util - Win32 Window Handle Hijack (4x host panels) I was able to create a process that has windows from:

  • **Chrome **(top left)
  • **Eclipse **(top right)
  • IBM AppScan Standard (bottom left)
  • **VisualStudio **(bottom right)

Chrome inside Eclipse

We can also ‘push’ windows into other controls.

For example, here is a Chrome Browser window running inside Eclipse (note that the TeamMentor window on the top-right is being executed by Chrome’s process (not eclipse))

Chrome inside IBM AppScan Standard:
**In the example below, TeamMentor is also hosted by Chrome, while being shown natively on AppScan’s GUI:

4.2 Util - Win32 Window Handle Hijack (4x host panels) v1.0.exe

Using the exact same control used in Util - Win32 Window Handle Hijack (simple) v1.0 here is a 4x Panel version of it (i.e. using 2 rows and 2 columns)

This allows for the _hijack _of a multiple Windows into a common (external) process/GUI

You can download this 1Mb tool from Util - Win32 Window Handle Hijack (4x host panels) v1.0.exe

When you start the tool you will see 4 _Target _Icons, which represent the 4 _Hijack areas _available:

Next step is to chose a number of Windows/Controls from other processes.

For example, the image below shows controls from:

  • Chrome Browser (top left)
  • Windows Explorer (top right)
  • **ILSpy **(bottom left)
  • .Net TreeView (bottom right)

4.3 Util - Windows Handles - View Handle Screenshot v1.0.exe

Following from Util - Windows Handles Viewer (Simple GUI with REPL) here is nice utility that takes a screenshot of the target handle’s window (when the target process doesn’t use the the Win32 Windows controls, you will get a screenshot of the main Window)

You can download the 868 Kb tool from: Util - Windows Handles - View Handle Screenshot v1.0.exe

Here is the tool taking a screenshot of itself :)

Here is the source code that creates tool:

And here is the PDF with the ‘how the script was created’ step-by-step guide:

4.4 Util - Windows Handles Viewer (Simple Gui) v1.0.exe

Following my research into Win32 Messaging APIs that allowed me to put both IBM AppScan Source and Standard working side by side and to connect TeamMentor with AppScan Source, here is a pretty sweet **Windows Handles Viewer **which allows the easy discovery (and in some cases modification) of the Window’s Handle of a particular Win32’s Button, TextBox, Menu, Window, etc…

You can download this (857kb) .NET 4.0 app from Util - Windows Handles Viewer (Simple Gui) v1.0.exe

And this is what it looks like:

To find a handle, just drag the Target icon _**around and you will see the values in the **_Handle, **Window _**and _Handle Text change.

In the image below, the Target _**icon **_was hovering on top of this tools’s top bar:

The _Handle Text _TextBox can also be used to edit the value (which if applicable will be changed on the target Handle):

We can also view and edit other process (like Notepad)

And even Chrome:

In the example below, note how the the URL was changed, but the loaded website is still the same (

NOTE: These ‘handle detection’ and ‘set text’ techniques don’t work with all visible controls:

  • more complex Windows controls, like TreeViews, DataGridViews, RichTextBoxes, ListViews, etc… require more complex Windows Messages
  • a number of applications, like for example WPF applications or WebBrowsers, have their own rendering engine (i.e. not using Win32/user32.dll )
    • in this case we will only see a handle for the window hosting those rendering engines

**Script this tool: **If you want to run or modify this tool (using the O2 Platform) here is the script used to create it: Util - Windows Messages Handle Viewer (Simple Gui).h2

Credits: this tools re-uses code from the tool

4.5 Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe

Based on the Util - Windows Handles Viewer (Simple Gui) v1.0.exe tool, here is a bigger version (5Mbs) which contains a C# REPL Script editor (with the detected handle provided as a parameter).

You can get this version from Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe

And this is what the default GUI looks like:

To try out the C# REPL , drag the _Target Icon _into the TextBox below (shown in red below)

Then un-comment the line below Task #1 and click on Execute (note how the TextBox value was changed)

To see how you can also change the text of a Handle whose value you discovered, use the Handle value (in this case 657236) in the code (replacing 12345 as mentioned in the Task #2 instructions) and click execute:

And as shown in Util - Windows Handles Viewer (Simple Gui) v1.0.exe , this will work on other windows and processes :)

4.6 Util - Windows Handles Viewer (with Child Windows) v1.0.exe

Following from the tool shown in Util - Windows Handles - View Handle Screenshot v1.0, the next step was to create a tool that shows (for the selected Win32 Window) the handle’s children structure (i.e. what ‘child windows’ exists for the selected window/control)

You can download the 1 Mb tool from Util - Windows Handles Viewer (with Child Windows) v1.0.exe

Here is what the tool looks like (with the ‘target icon’ used to select the control):

Here is the Pdf with the ‘how the script was created’ step-by-step guide:

5 Misc Utils

This section has the following chapters:

Table of Contents

5.1 Util - Quick Hex File Viewer.exe

When I was creating the Generating Fuzzing Images and trying them on WebBrowser (IE) and Install Debugging Tools for Windows as a Standalone Component scripts I needed a simple and fast HEX viewer.

Since I didn’t had one at hand, I quickly wrote an O2 Script that uses a C# ListView to show binary data (see source code below)

Here is the link to the Stand-Alone tool: Util - Quick Hex File Viewer v1.0.exe

Which looks like this when executed:


… like this after a binary file is dropped inside it:


… and like this after a text file is dropped inside it:


Here is the script that creates this tool:
(also included in the O2.Platform.Scripts repository as Util - Quick Hex File Viewer v1.0.h2)

Finally here is the moment I uploaded the packaged stand-alone exe to dropbox (which is the location of the direct link to this tool)


5.2 Util - Current Font Families.exe

Today I needed to quickly see a list of available fonts in my current VM, so I quickly wrote this script:

 1 var topPanel = "Util - Current Font Families".popupWindow(700,400)  
 2                                              .insert_LogViewer();  
 3 //var topPanel = panel.clear().add_Panel();
 5 var fonts = System.Drawing.FontFamily.Families.toList();  
 6 if (fonts.first().Name == "Aharoni")  
 7 fonts.remove(0); //remove font Aharoni which was throwing errors  
 8 var fontsList = topPanel.title("Font Names").add_TreeView();  
 9 var fontsList_InStyle = fontsList.parent().insert_Below("Fonts names in Font Style").add_T\
10 reeView();  
11 var textBox = topPanel.insert_Right("Selected Font: TextArea").add_TextArea()  
12 .set_Text("this is some text\nin the selected font");  
13 var treeView = textBox.insert_Below("Selected Font: TreeView").add_TreeView()  
14 .add_Nodes(new [] {"a node", "In a treeview"})  
15 .add_Node("parent node").add_Node("Child Node")  
16 .treeView();  
17 //textBox.font(font.Name);  
18 Action<FontFamily> setFont =   
19 (font)=>{   
20 "Showing font: {0}".info(font.Name);  
21 treeView.font(font.Name);  
22 textBox.font(font.Name);  
23 };
25 fontsList.afterSelect<FontFamily>(setFont);   
26 fontsList_InStyle.afterSelect<FontFamily>(setFont);   
27 fontsList.add_Nodes(fonts,  
28 (font)=>font.Name,  
29 (font)=>font,  
30 (font)=>false)   
31 .selectFirst()  
32 .add_ContextMenu()  
33 .add_MenuItem("copy to clipboard", ()=> fontsList.selected().get_Text().clipboardText_Set(\
34 ));
37 fonts.toList().forEach<FontFamily>(  
38 (font)=>{   
39 fontsList_InStyle.add_Node(font.Name, font)  
40 .font(font.Name.font());  
41 });  

Packaged as a stand-alone exe:


which you can download from: Util - Current Font Families v1.0.exe

and looks like this:


you can select a font name (on either TreeViews on the left), and see what that font looks like on a TextArea or TreeView


5.3 Util - View CheatSheets at v1.0.exe

Here is a little mini-tool (that I used today) which provides a nice GUI for viewing the CheatSheets at

The stand-alone exe is only 1Mb and you can download it from: Util - View CheatSheets at v1.0.exe

The O2 Script is called _Util - View CheatSheets at _ and this is what it looks like:

5.4 REPL GUI for Clojure-CLR (C# port of Lisp’s Clojure)

Here is a script/tool I wrote a while back (when I wanted to see what Lisp was all about), where I created a REPL Gui based on the amazing Clojure-clr project (which is CLR port of Clojure)

You can download this O2 Platform tool from: Util - Clojure-clr REPL (Lisp) v.2.0.exe

This is a 9Mb standalone exe (only requirement is the .NET Framework 4.0 running on a Windows box):


which looks like this when executed:


As with all the other O2 Platform based REPLs, this is a real time execution and compilation environment:


Since you (like me) are most likely new to LISP, I included in this tool a Samples drop-down menu containing a number of LISP code snippets:


Note: these code examples were based on the great online tutorial:


For reference, here are the LISP Code Snippets in action:




Multiple sums
****Our first function**

An anonymous function
****Named function**
****A map**

6 TeamMentor

This section has the following chapters:

Table of Contents

6.1 TM - Library Manager (with REPL) v1.2.4.exe

Here is a (still quite raw) Library Manager for TeamMentor with REPL support (packaged as an O2 Platform stand-alone exe).

You can download this version from: TM - Library Manager (with REPL) v1.2.4.exe

If you want to run the scripts directly from O2 (or modify them), fork the UnitTests repository and take a look in this Library Management folder).

Here are some screenshots of this tool in action:
**Default screen (which tries to connect to a local TM instance which in this case there wasn’t one)

Connecting to the server

Connecting to the server (which needs a valid login to see the content)

Using the built in REPL script editor to directly invoke the TM webservices

Here is a video of an older version of this tool

The Gui has changed a bit, but the drag-and-drop operation works the same way (note how you open two instances of this tool to copy articles between TM servers)

****Features requests**
**This version is due a refresh (since there were a couple features added to the TM WebServices that will make it much faster and more efficient), so if you have ideas on what should be added, please use this Issue Tracking to register them

6.2 Util - Browse TeamMentor Libraries.h2

Here is another simple tool that allows for a quick browse of TeamMentor Articles (download exe from: Util - Browse TeamMentor Libraries v1.0.exe )

The objective of this tool is to show how to mass consume TeamMentor Articles (if you look at the code you will notice that all metadata will be downloaded locally so that after an initial delay, all navigation happens in real time (with the articles being downloaded on demand).

Note that that there is a more advanced version of this tool (called Library Manager), but for local access and quick views of TeamMentor Libraries, this is quite a nice tool:

This is what the tools looks like:


There is a right-mouse-click context menu (on the Server TextBox) that allows you to change servers


And a ‘Reload Libraries’ context menu on the Library tree that will clear the local cache and reload the TeamMentor GuiObjects.


The object viewer on the right shows the Metadata available on each TeamMentor article:


For best results use a local instance of TeamMentor, and if you get an error like this, it means the account you tried to use failed to login:


The packaged script has 2.5Mb


… and can be downloaded from Util - Browse TeamMentor Libraries v1.0.exe

… and looks like this when executed for the first time:


Finally see this gist for the source code of this script:

7 IBM AppScan

This section has the following chapters:

Table of Contents

7.1 AppScan Source Findings in Ozasmt files (and O2 tools to View, Filter, Join, Stitch and Script them)

If you are using AppScan Source (previously called OunceLabs) you will find these O2 Tools really useful:

Note that these modules are some of the oldest ones in O2 (created during really hard-core security review engagements during my OunceLabs time), and the APIs that support these modules are REALLY powerful (and allow the analysis of thousands or millions of Findings/Traces)

Most of the code that creates these tools is now on the O2.Platform.Scripts folder (see Findings_Filtering at GitHub)



Util - Simple Findings Viewer v1.0.exe

Supports the viewing of AppScan Source 8.x, 7.x and 6x *.ozasmt files (all the way back to the OunceLabs releases)

The C# REPL script environment can be used to view, edit, manipulate, join, stitch, delete or move Findings/Traces:

Util - Filter Findings by Source and Sink (RegEx) v1.0.exe


Easy way to script custom source-to-sink mappings:



PoC - Join Traces (on Attributes) - very basic version v1.0.exe
**Example of how to join/stitch Attributes, HashMaps and Getters/Setters (for example setAttributes with getAttributes)

7.2 Util - Cir Viewer (with C# DLL converter) v1.0

Here is an oldie one by still really effective.

I just rebuilt the O2’s CirViewer (CIR = Common Intermediate Representation (from the OunceLabs days)) as an easy to consume stand-alone tool which you can get from: Util - Cir Viewer (with C# DLL converter) v1.0.exe

There are a number of uses for this module, but one you can use to get a feel for it to to drop an .Net assembly (dll or exe) add take a look (you can also drop a folder)

Default view:

Showing all APIs used:

Viewing the ‘Who calls Who’ trees: