New ruby gem to access @haveibeenpwned.

So, I decided to figure out how to create a ruby gem and decided to start with a simple gem that checks an email address against


gem install PwnedCheck


require 'pwnedcheck'

# The 3 cases.
# is a valid address on the site
# is a valid address, but not on the site
# is an invalid format
addresses = ['', '', '']

addresses.each do |address|
    sites = PwnedCheck::check(address)
    if sites.length == 0
      puts "#{address} --> Not found on"
      sites.each do |site|
        puts "#{address} --> #{site}"
  rescue PwnedCheck::InvalidEmail => e
    puts "#{address} --> #{e.message}"

The code is available at and the gem page is

Let me know what you think!

#ruby code to access the @haveibeenpwned api.

This is just some ruby I whipped up really quickly to access the API of which is a cool new site by Troy Hunt that aggregates password dump information from breaches and allows you to search for your email address.

I think the code is pretty self-explanatory, but comment or send me a line if you have questions/suggestions/criticism/etc!

require 'mechanize'
require 'addressable/uri'

agent ='addresses.txt').each do |line|
  line = line.chomp
    target = "{line}"
    page = agent.get Addressable::URI.parse(target)
  rescue Mechanize::ResponseCodeError  => e
    case e.response_code
      when '404'
        puts "#{line} => Not Found"
      when '400'
        puts "#{line} => Bad Request"
        puts "#{line} => #{e.message}"
    puts "#{line} => #{page.content}"

Fun with C++ - Placement New

So, for some reason in the last few days I’ve been thinking about the old days of when I was a developer and really into C/C++. One of the things that I found interesting was placement new. In a nutshell it’s a way that you can instantiate a new object, but specify where in memory it will go. There are some interesting cases where it’s necessary such as cases where you might try to optimize by pre-allocating a bunch of memory and then re-using it. Kind of managing your own memory space. Anyway, this example shows how it’s done.

#include "stdafx.h"

class Foo
  Foo() { strncpy(message, "Hello, World", 12);}
  void * operator new (size_t, void * p) throw() { return p ; }
  void operator delete (void *, void *) throw() { }
  void printMessage() { printf("message is - %s\n", message); }
  char message[13];

int _tmain(int argc, _TCHAR* argv[])
  char buf[sizeof(Foo)];
  memset(buf, 0, sizeof(buf));
  Foo *f = new((void *)buf) Foo();
  printf("address of buf - %x\n", buf);
  printf("address of f - %x\n", f);
  printf("contents of buf - %s\n", buf);
  buf[0] = 'h';
  return 0;

Line 8 defines the constructor that placement new uses.

Line 9 defines the destructor.

Line 17 creates a buffer that is the size of a Foo object.

Line 19 instantiates a Foo object, but uses the buffer as the address of where the object will be instantiated.

Lines 20 and 21 print the addresses of the buffer and of f (the new object). They are the same.

Line 22 prints the contents of the buf, which is “Hello, World”. This is the value of the message variable in the object.

Line 23 prints the message.

Line 24 changes the first character in buf to be ‘h’. This should change it within f as well.

Line 25 shows that it changed.

Line 26 explicitly calls the destructor. That needs to be done when using placement new.

That’s about it! The example created a buffer, created an object in that buffer, changed the buffer, and showed that the object changed. Fun stuff!

Running it on my machine show-

address of buf - 31fbe0
address of f - 31fbe0
contents of buf - Hello, World
message is - Hello, World
message is - hello, World

What is X-Frame-Options?

X-Frame-Options is an HTTP response header that serves as a directive to a browser regarding if or how the current response would like itself to be framed. Framing and window positioning/layering tricks are used quite often in an attack called clickjacking in which a user is tricked into inadvertently clicking on something unintended. For more information see

There are 3 options for X-Frame-Options-

  • DENY. This tells the browser that the page should never be framed.
  • SAMEORIGIN. This tells the browser that the page can be framed within a page that is from the same origin.
  • ALLOW-FROM uri. This tells the browser that the page can be framed on the specified origin.

This site, for example, is set to SAMEORIGIN. So in effect, a page on this origin could be framed by another page in this origin.

This is supported by most newer browsers. Should a site attempt to frame a site and it violates the site policy, it will either display about:blank in the frame or perhaps an error. If a browser doesn’t support the header, it will simply ignore it.

Another mechanism you might see as a clickjacking mitigation that tries to achieve the same goal is “frame-busting JavaScript”. This is JavaScript code that detects if the page is the top-level window (not framed). If it detects that it isn’t, it makes itself the top-level window. Since this is code that is run client-side, it does have several weaknesses such as JavaScript not being enabled, the response being modified to remove it, etc.

How to do dynamic loading on Windows

So, after hitting DerbyCon a few weeks ago and going to some of the malware talks, I was reminded of my Windows programming days and decided to shake the rust off and do some examples. Today’s example is of how to load a dll dynamically in Windows.

The following is an example function that I created and put in a DLL called DynamicLoadedDLL.dll. The actual creation of the project and how to build is beyond the scope of this post. But, basically I created an empty solution and added a Win32 Project called DynamicLoadedDLL and specified the type DLL.

The code for the DLL in DynamicLoadedDLL.cpp is-

#include "stdafx.h"

extern "C" 
	__declspec( dllexport ) int AddTwo(int a, int b)
		return a + b;

Basically what that does is define a function called AddTwo that takes two integers and returns their sum. __declspec( dllexport ) tells the compiler to add the function to the Export Address Table so that it is exposed as a function in the DLL. The “extern “C”” block on line 3 tells the compiler to expose it without the C++ name mangling. This makes it callable by many different languages. If you want to see the difference of having it vs. not, first open a developer command prompt and go to the output directory. Run the command “dumpbin /exports DynamicLoadedDLL.dll” and see what it shows. Then remove the “extern “C”” block, build, and repeat.

Then I created a Win32 Console app in the same solution called DynamicLoader and it’s code is-

#include "stdafx.h"

typedef int (*AddTwo)(int, int);

int _tmain(int argc, _TCHAR* argv[])
	HMODULE hLib = LoadLibrary(TEXT("DynamicLoadedDLL.dll"));
	printf("\r\nDynamicLoadedDLL.dll loaded into memory at 0x%x\r\n", hLib);

	AddTwo AT = (AddTwo) GetProcAddress(hLib, "AddTwo");
	printf("AddTwo method loaded into memory at 0x%x\r\n", AT);
	printf("6 + 5 = %d\r\n", AT(6,5));
	return 0;

Line 3 defines the function pointer. It says create a type called AddTwo that is a pointer to a function that takes 2 integers as a parameter and returns an integer. If you were statically linking to a library, you would have the header file and the lib file and wouldn’t need to do this. Line 7 is how we load the library into memory. It looks in the standard Windows search path for the library. If it can load the library the hLib parameter actually points to where the library is loaded in the memory space of the process as demonstrated by line 8. Line 10 gets the address of the “AddTwo” function from the library and creates a function called AT that points to it. Line 11 shows the address of the function in memory. Line 12 calls the function and prints the result. Line 13 closes the handle to the library. Error checking has been left out for brevity.

The output is-

DynamicLoadedDLL.dll loaded into memory at 0x585c0000
AddTwo method loaded into memory at 0x585c1010
6 + 5 = 11

If you run “dumpbin /imports” on DynamicLoader.exe you won’t see any reference to DynamicLoadedDLL.dll at all.

That’s pretty much it!

1st Goal Achieved!

Well, I achieved my first technical goal of 2013- contribute to an open source application. I just submitted a plugin for the OWASP Zed Attack Proxy (ZAP) project. The plugin adds a context menu to the tree of sites that allows you to recursively expand/collapse the node based on it’s current state. I originally talked about doing it last summer, so I’m only a little late. 🙂