Why is keyhelp.ocx failing in my Visual Studio C++ application? - chm

Using keyhelp.ocx to display popup HtmlHelp in a modern Visual Studio C++ application fails.
I get a COM exception with no sensible error code. Looking at the debug output, there seems to be an Access Violation behind the scenes.

Your executable is build with Data Execution Prevention enabled, via /NXCOMPAT. That's the default in Visual Studio.
keyhelp.ocx is built using ATL7, which is incompatible with DEP - see http://support.microsoft.com/kb/948468
You need to disable DEP (/NXCOMPAT:NO) for your executable or find an alternative to keyhelp.ocx (I don't know of one).
(Note that's it's possible to enforce DEP system-wide - your code will still fail on such machines.)

Related

Visual Studio 2019 SSIS-Extension log4j files

Due to the recent problems with log4j I was checking all my code etc..
While doing so i discovered two files named
"slf4j-log4j12-1.7.5.jar" and "log4j-1.2.17.jar"
to find under
"...\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\SSIS\150\Extensions\Common\Jars"
Since we are also developing SSIS packages we kinda rely on this extension.
Sadly I was not able to find anything about SSIS in context with log4j. IMO it's also a bit dubious that the version of the log4j seems to be 1.x, which support ended in 2015.
Are there any known fixes/updates?
This is not a problem.
In what way those .jar file can be exploited to trig a privilege escalation or software evasion?
The fact that Visual Studio is using old libraries doesn't shock me at all. Large companies are use to rely on third party library and then they are usually forbidden in the corner during years.
EDIT:
You question was somehow interesting and I needed to dig further.
Apparently this 0-day has been around since March, so it means 9 month ago. There is no evidence of mass exploitation but that doesn't mean that it hasn't been used in the past months.
In order to use it:
[...] an attacker only needs to get the system to log a strategically
crafted string of code. From there they can load arbitrary code on the
targeted server and install malware or launch other attacks. Notably,
hackers can introduce the snippet in seemingly benign ways, like by
sending the string in an email or setting it as an account username.
This means that hypothetically you can exploit the vulnerability through SSIS in this scenario:
Create an SSIS package that ask for an input to the client user
The package must use log4j for logging
The user enter the malicious crafted string of code
...then yes in this case an SSIS package could be exploited.
I will try it out in my spare time and I will let you know.
EDIT 2:
After extensive research I can confirm you that this is not a problem because only version Log4j 2.X are impacted:
Mitigation
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.
Log4j 2.x mitigation: Implement one of the mitigation techniques
below.
Use log4j-finder developed by FOX IT to enumerate vulnerable log4j files on your machines.
Microsoft have now removed the dependency
There is a new version (3.16) of the SSIS tools for VS2019 which removes the dependency for log4j.
Here's the download link:
https://marketplace.visualstudio.com/items?itemName=SSIS.SqlServerIntegrationServicesProjects
Version 3.16 Upgrade Notes

How to open this .net project with no errors

I have this project from github, database on sales and inventory system. But when I open it, it encounters errors.
I really need help on how to open this project with no errors? What should I do to fix this project?
PS: Need a step by step explanation regarding this, I just started databases, so I'm not sure what other tools I should be needing like MS Access or SQL.
The error is self-explanatory: underlined data types cannot be found.
That's means these types are defined in assemblies, currently not available to the compiler.
So in order to build the solution you need to supply these assemblies. There are multiple options, but I'd recommend doing this through NuGet as it is fully automated(you know about it, right?).
The missing assembly is related to the Microsoft.Reporting. So install this and try to build again.

"Post build event error"

I am using Visual Studio 2008 to build my projects.
I often take existing sample code and edit it and toy around with it, as I am just learning and I'd like to advance my skill.. it's nice to have a template to work with.
That being said, I often get the build error "Post build event failed". This is often accompanied by a "could not find xxx.sbr file" or something. I do not know what an sbr file is, not a "post-build event". Re-building doesn't seem to help, and clearing all the files out before tying another build does not help either.
That being said, the executable still always gets built.
I was wondering:
What is a post build event and what are the implications/causes of its failure?
What is an sbr file? I tried researching this a bit.. a "Source Browse File"? This site seemed pretty informative: http://www.ehow.com/facts_5657521_file-extension-sbr_.html
The problem is, I don't understand why the compiler would complain about not finding this (isn't it supposed to MAKE this?) and what EXACTLY it does ("enables Microsoft Visual Studio to access your source code" - can't it do this anyway?)
Thanks!
R
post build event is just a command you can have visual studio run after it's finished - maybe to kick off tests or build an installer.
It's in properties->build events in the menu - right click on the project.
The SBR file is used by visual studio to browse sources and lookup which function is in which file. I have had problems where somehow it's internal list of dependencies gets screwed up and it always rebuilds one of them.
Try a clean and rebuild, then try quitting visual studio and deleting the .ncb file

How to sign a binary as part of post build step using sn.exe from Windows SDK?

I am a totally unfamiliar in this C# Visual Studio programming environment but I am required to finish a task.
I am sorry if my question seems silly. But I really could not understand what other posts on this site or other site on the net explaining. I need a step by step guide to do this final step to accomplish my task.
I have been given an application called MCC written using Visual Studio 2008. However, this application could not run properly in Window Vista due to the issue of DEP. MCC has a function to display video from an IP camera. This required the ActiveX control of AxGif89aLite. However, DEP in Vista is by default enabled. The flag IMAGE_DLLCHARACTERISTICS_NX_COMPAT in PE header do not allow this control to be used. Several tests have been run and identified this is the problem.
From an article online,
http://blog.dyadica.net/archives/data-execution-prevention-workaround, they suggest I need to add the below to MCC post build event.
call $(DevEnvDir).. \tools\vsvars32.bat
editbin.exe /NXCOMPAT:NO $(C:\Program Files\Aerocut\MCC\MCC2.exe)
So, I add this and rebuild the MCC solution file. Then, I cannot get what this last step required me to do.
Please note that if you sign the binary in Visual Studio, flipping the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag in the post build step after the binary has been signed will result in an assembly that will fail strong name validation. To work around this sign your binary as part of the post build steps.
To do this, use SN.EXE from the Windows SDK.
I am really confused what is this signing binary.
From information that I googled, signing an application is getting a certificate for the program so that it is more secured, am I right here?
I got the SN.EXE in my computer. But, how do I sign my binary as post build step? The binary should be my compiled execution file right?
I reinstalled the MCC with the rebuilt setup file. It still give me the following error:
Unable to get the window handler for the 'AxGif89aLite' control. Windowless ActiveX controls are not supported.
Help is very much appreciated. I would like to express thank you in advance here first.
If you're not signing the executable already as part of the compilation then you don't need to worry about it.

ActiveX dependencies in Access

I'm using the Crystal Reports Viewer 11 ActiveX control in an Access form (version 2007, 2003 format). Everything works well on my development machine, where I have CRXI installed. I copied the referenced DLL to the client's machine, but when I try to register it, it says "Can't find module" (I double- and triple-checked my spelling) and when I try to open the form it tells me "ActiveX component can't create object" when the code tries to create a new instance of the report object. I suspect there are more dependency files required by the DLL, but I'm a little at a loss as to what ones and how I go about finding out. Although I'm using the CR control, I assume this would apply to any ActiveX control throwing this error. Thanks.
There should be a runtime distribution document in your Crystal Help files - from past experience (Crystal 8.5) there are multiple files that you have to distribute and register.
I'm answering my own question in case someone finds this via a search in the future. I don't have the Access Package & Deploy wizard David mentioned above (okay, I probably have it but couldn't find it readily) but I image it would probably do what I needed, so I recommend anyone try that first. Instead, I was able to create a setup to install tghe needed files using the Visual Studio Installer and the Crystal merge modules; note that while it wasn't difficult, nor was it pleasant.
I downloaded and installed Visual Studio Installer 1.1 from MSDN. This creates a new project type in Visual Studio 6.0 (in particular, I used InterDev 6.0) that creates a Windows Installer (*.msi) setup file. Because one of the Crystal merge modules requires the Crystal license key and VSI doesn't support merge module parameters, I also had to use Orca, a merge module editor, available from the Microsoft Windows SDK (also available on the Microsoft download site). I recommend reading through the SDK and Orca pages on MSDN for more info. Using Orca, I was able to put my key code and recompile the merge module, so I don't have to deploy my key to my users, and my users don't have to enter one.
Again, the Package & Deployment Wizard is probably a better option, but when faced with using merge modules, as with Crystal, this method will get the job done.