Tag Archives: Source Code Auditing Experience

Source Code Auditing – Candidate Point analysis – List of Regular Expression patterns

When we are tasked with manual code audit of a big source code base, we will get a quick result if we start with candidate point analysis. We can use regular expression patterns to find those quick issues initially. List … Continue reading

Posted in ASP.Net, C/C++, Code review experiance, Web | Tagged , , , , , | Leave a comment

Random notes from other researchers….

@krsec If you’re performing a #sourcecodereview for an app that uses #log4j, look for an included config file (*.xml, *.prop, *.properties, etc.)

Posted in Code review experiance | Tagged , | Leave a comment

Good language materials for source code auditors

Good C/C++ materials: http://www.slideshare.net/olvemaudal/solid-c-by-example http://www.slideshare.net/olvemaudal/cpp-idioms-byexamplenov2008 http://www.slideshare.net/olvemaudal/deep-c http://blog.llvm.org/2011/05/what-every-c-programmer-should-know.html http://blog.llvm.org/2011/05/what-every-c-programmer-should-know_14.html http://blog.llvm.org/2011/05/what-every-c-programmer-should-know_21.html

Posted in C/C++ | Tagged , , | Leave a comment

What’s wrong with this code – Learn source code auditing…

  Read each and every article that is titled “What’s wrong with this code – Part X”. It is very good. http://blogs.msdn.com/search/searchresults.aspx?q=What%27s+wrong+with+this+code   I will update this thread with other links that interests me. Links: http://blog.llvm.org/2010/04/whats-wrong-with-this-code.html

Posted in Code review experiance | Tagged , | Leave a comment

Compiler injected code and multi-thread safeness

Got a chance to read gynvael’s (http://gynvael.coldwind.pl) old article on multithread issue in dynamic initialization of static variable. You can read his article here http://gynvael.coldwind.pl/?id=406. Recently i was working in a project that uses Microsoft “Unified Event Model”. You can … Continue reading

Posted in C/C++, Windows VC++ | Tagged , | Leave a comment


Tools i use: 1.  Source Navigator 2.  Understand C++ 3.  Astyle 4.  Axman 5.  My own tool to keep track the audit information. 6.  Microsoft Visual Studio 2010 Documentation 7.  Doxygen 8.  PVS Studio 9.  IDA Pro 10. CodeLite

Posted in Tools | Tagged , | Leave a comment

Understanding __event, __hook(), __unhook(), event_source(), event_receiver()

I was auditing a code that had lot of __hook() and __unhook(). So i wanted to understand how this code is working internally. Google search didn’t turn any good information. So i decided to do some test. In summary, what … Continue reading

Posted in Windows VC++ | Tagged , , , | Leave a comment