
                              Looking inside your Windows 98
                Finding a hidden incredible database inside your computer
                                          by TWD

             (11 October 98, slightly edited by Fravia; html edited by Flavio)

  ------------------------------------------------------------------------
Courtesy of Fravia's page of reverse engineering. Check out HackPalace.com's Links section
                                    for his newest URL.

 Great stuff... I couldn't check any of this, because I (of course) have NOT installed
  windows'98 (I'm running Linux and I'm seriously thinking about "downgrading" my windoze
 machine to win 3.11 :-), yet I trust TWD enough to publish this text and I sincerely hope
 that this 'rolling snowball' will grow and grow -running downweb- and finally splash with
 a great "bum!" in the silly face of Micro$oft! Note that TWD has produced his own tool in
                    order to study these curious concealed activities...
  ------------------------------------------------------------------------

                                       Introduction

There is not much to say about the introduction. Some time ago I was searching for some
remains of a program on my computer. I used the built-in search program that comes with
Win98. It didn't only find the program, but also a file with a .lgc extension. It was
located in the Win98/applog directory. I had a deeper look inside, and I found some
interesting things.

                                      Tools required

No SoftICE today, guys. I'm sorry
No IDA 3.74 today (sorry again)

Any good Hex Editor (I prefer UltraEdit 5.X)
FileMon
Any programming environment (VC++ or Delphi or something else) (not really needed)
And - last but not least - a lot of brain...

                                           Essay

After having read the introduction, you know how I found the applog directory (I had
never before looked inside it). Inside the directory there are a lot of files, mainly
with extensions like this --> *.lg*
And there is also a file called applog.ind (sounds interesting, doesn't it ??)

The lg* files are all plain text, but the applog.ind is much more difficult.
After some time of analyzing, I discovered the most important parts of it.

The Header (Part I)
~~~~~~~~~~~~~~~~~~~
It starts with a ten byte long string, named "APPLOG1.1" followed by six bytes with
unknown contents. Then there is the number of entries in this file, a four byte integer.

The rest of the 64 byte large header is still unknown to me, but there are some dates in it.
I know, because they change every time a program is run and they look similar to the normal
dates stored in your computer (FILETIME or SYSTEMTIME (look inside win32.hlp)).

The Header (Part ][)
~~~~~~~~~~~~~~~~~~~~

Then there is a second part, I call it the second header. Its size is about 344 bytes or
86 4-byte integers. I don't know what this part is for, but I guess it is for sorting or
something like this, because the values of the integers are increasing from top to bottom.

The Data
~~~~~~~~

After the two headers, the data entries follow. The number is defined in the first header.

The data entry structure looks like this :

      the name of the exe file                  (8 bytes)
      the offset to the path                    (4 byte integer)   <<-- explained later
      the number of runs since the last defrag  (4 byte integer)
      the total number of runs                  (4 byte integer)
      the file date/time of the file            (FILETIME struct, 8 bytes)
      the file size                             (4 byte integer)
      some flags ???? unknown                   (4 byte integer)


The only thing that still needs explaining is the second entry (offset to path).

Did any of you ever mess around with the fuckin' PE-FILE structure ???
I did, and that's the only reason why I figured out how this value works.
There this kind of fuck is done all the time.

This value describes the distance from the end of the headers to the first char
of the path belonging to the application.

Let me explain in a bit more detail:
The total size of the headers is 408 (344 + 64), and if we have a value of 1234 for
example, then the offset to the path is 1234 + 408 = 1642. Set the file pointer to
1642 and read till the next #0.

You wanna know how I figured out all this shit, why I know the sizes of the header
and all this fuck ???

No problem, I used the good old FileMon to see when the explorer writes into the
file (yes, it's the explorer). The explorer writes four times into the file: the
first time it writes 64 bytes, then 344 bytes, then the data entries and last but
not least the paths.
Knowing these basic values, it's no problem to get the size of every entry by
looking at the distance between two strings, and so on.
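A reader for this structure, as an added example (not TWD's tool and not code from the essay): it packs a constructed applog.ind image with the sizes given above (64 + 344 byte headers, 36-byte entries, path offsets relative to byte 408) and parses it back. The signature is checked on its nine visible characters; writing the tenth byte of the string as zero in the constructed sample is an assumption, as are the sample's names, dates and run counts.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout as measured in the essay with FileMon: 64-byte header, 344-byte second header,
# then fixed-size entries, then the NUL-terminated paths.
HDR1_SIZE, HDR2_SIZE = 64, 344
HDR_TOTAL = HDR1_SIZE + HDR2_SIZE        # 408: path offsets are relative to this point
ENTRY_FMT = "<8sIIIQII"                  # name, path offset, runs since defrag, total runs,
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # FILETIME, file size, flags -> 36 bytes, little-endian
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_iso(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; render as ISO-8601 text."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()

def iso_to_filetime(iso):
    return int((datetime.fromisoformat(iso) - FILETIME_EPOCH).total_seconds()) * 10_000_000

def parse_applog_ind(data):
    """Return one dict per data entry of an applog.ind image (bytes)."""
    if data[:9] != b"APPLOG1.1":          # the essay's ten-byte signature string
        raise ValueError("missing APPLOG1.1 signature")
    (count,) = struct.unpack_from("<I", data, 16)   # entry count follows 10 + 6 bytes
    entries = []
    for i in range(count):
        name, path_off, since_defrag, total, ft, size, flags = struct.unpack_from(
            ENTRY_FMT, data, HDR_TOTAL + i * ENTRY_SIZE)
        start = HDR_TOTAL + path_off      # e.g. 1234 + 408 = 1642, as in the essay
        path = data[start:data.index(b"\x00", start)].decode("ascii")
        entries.append({"name": name.rstrip(b"\x00").decode("ascii"), "path": path,
                        "runs_since_defrag": since_defrag, "total_runs": total,
                        "modified": filetime_to_iso(ft), "size": size, "flags": flags})
    return entries

def build_sample(records):
    """Assemble a synthetic applog.ind from (name, path, since, total, iso_time, size)
    tuples. Constructed test data, not a file taken from a real Win98 machine."""
    hdr1 = (b"APPLOG1.1\x00" + b"\x00" * 6 + struct.pack("<I", len(records))).ljust(HDR1_SIZE, b"\x00")
    entries, paths = b"", b""
    for name, path, since, total, iso, size in records:
        path_off = len(records) * ENTRY_SIZE + len(paths)   # paths follow the entry table
        entries += struct.pack(ENTRY_FMT, name.encode("ascii").ljust(8, b"\x00"), path_off,
                               since, total, iso_to_filetime(iso), size, 0)
        paths += path.encode("ascii") + b"\x00"
    return hdr1 + b"\x00" * HDR2_SIZE + entries + paths

SAMPLE = build_sample([
    ("EXPLORER", r"C:\WIN98\EXPLORER.EXE", 12, 250, "1998-05-11T20:01:00+00:00", 0x2C000),
    ("NOTEPAD", r"C:\WIN98\NOTEPAD.EXE", 3, 47, "1998-05-11T20:01:00+00:00", 0x8000),
])
```

Running `parse_applog_ind(SAMPLE)` yields one dict per program, which is the kind of last-modified/run-count record a forensic timeline of a Win98 box would be built from.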

After having explained the structure of the applog.ind file, I will explain the
other (*.lg*) files.
Basically they look like this (explorer.lgc) :

{
o c1507870 2c000 "C:\WIN98\EXPLORER.EXE"
R c1507870 0 40
R c1507870 80 f8
R c1507870 80 198
R c1507870 16000 1000
r c1507870 13000 1000
o c1505fb0 1665 "C:\WIN98\WIN.INI"
R c1505fb0 0 1665
C c1505fb0
r c1507870 3000 1000

The remaining 680 lines are on your own computer (if you own win98) so I don't have to
put them here.

Again I used FileMon to look at what the explorer does while starting. That's why I know
how this file is structured.
First there is a command character. That's very simple,

            o   -->>  open
            r   -->>  read (the file pointer was moved to the left)
            R   -->>  read (the file pointer was moved to the right)
            c   -->>  close


The open command is structured as follows (the command character, the handle,
a hex value and the quoted filename) :

o <handle> <hex value> "<filename>"

example :
o c1507870 2c000 "C:\WIN98\EXPLORER.EXE"

The handle is used throughout the file, so a read command only names the handle
and two hex values, and a close command names just the handle :

r <handle> <hex value> <hex value>
c <handle>

example :
R c1507870 80 f8
C c1505fb0

These few commands are enough to keep track of all file accesses of the program.
Something like FileMon but already implemented in your OS.
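As an added example (not from the essay or TWD's tool), the following replays an .lg* file of the shape shown above: it resolves handles to paths, counts reads per file and separates the lowercase 'r' (pointer moved left) from 'R'. Treating the value after the handle on 'o' as the file size and the two values on 'r'/'R' as offset and length is an assumption, as is accepting both 'c' and 'C' as close; the sample log is constructed from the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape the essay shows for explorer.lgc; not a real capture.
SAMPLE_LGC = r'''{
o c1507870 2c000 "C:\WIN98\EXPLORER.EXE"
R c1507870 0 40
R c1507870 80 f8
R c1507870 80 198
R c1507870 16000 1000
r c1507870 13000 1000
o c1505fb0 1665 "C:\WIN98\WIN.INI"
R c1505fb0 0 1665
C c1505fb0
r c1507870 3000 1000
'''

# Beyond the command character and handle, field meanings are assumptions: the hex value
# after the handle on 'o' is read as file size, the pair on 'r'/'R' as offset and length.
OPEN_RE = re.compile(r'^o ([0-9a-f]+) ([0-9a-f]+) "(.*)"$')
READ_RE = re.compile(r'^([rR]) ([0-9a-f]+) ([0-9a-f]+) ([0-9a-f]+)$')
CLOSE_RE = re.compile(r'^[cC] ([0-9a-f]+)$')   # essay lists 'c'; its sample shows 'C'

def parse_lgc(text):
    """Replay an .lg* log: resolve handles to paths and total the reads per file.
    Returns (per-path stats, paths still open at end of log, lines not understood)."""
    open_handles = {}                                      # handle -> path
    stats = defaultdict(lambda: {"size": 0, "reads": 0, "bytes_read": 0, "backward_seeks": 0})
    unparsed = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "{":                        # leading brace is just a marker
            continue
        if m := OPEN_RE.match(line):
            handle, size, path = m.groups()
            open_handles[handle] = path
            stats[path]["size"] = int(size, 16)
        elif (m := READ_RE.match(line)) and m.group(2) in open_handles:
            kind, handle, _offset, length = m.groups()
            rec = stats[open_handles[handle]]
            rec["reads"] += 1
            rec["bytes_read"] += int(length, 16)
            rec["backward_seeks"] += int(kind == "r")      # lowercase r: pointer moved left
        elif (m := CLOSE_RE.match(line)) and m.group(1) in open_handles:
            del open_handles[m.group(1)]
        else:
            unparsed.append(line)                          # includes ops on unknown handles
    return dict(stats), sorted(open_handles.values()), unparsed
```

Reads or closes on a handle that was never opened end up in the third return value instead of being silently dropped, which is how a truncated or tampered log shows itself.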

That's all,

bye till next time...

            TWD


P.S.: Comments, suggestions, bug reports are always welcome. Send them to

twd(dot)rulez(at)gmx(dot)net

                                        Final Notes

Some of you will ask why evil Bill Gates hides such nice proggies in your OS (yeah, the
directory has the hidden attribute). Why doesn't he improve the performance of his fuckin'
OS instead of spying on what the users do ???

There is one simple answer (maybe there are more) : This pile of information is used
by defrag to sort the files according to their use.

It is NOT sent to Microsoft via the Internet when you are connected (I think so, I
checked it, but not 100 percent). But any evil hacker can use BO or any other
utility like BO to access your computer and get this information.

This is only the first version of this essay. It's growing like the program I wrote.
At the moment, the applog.ind file is read and processed and a beautiful tree is
created, where you can browse and look for the information you want to know.
But it is not ready, I'm still working on it, so be patient and come back and look
whether it has been enhanced once more.

  ------------------------------------------------------------------------

                 Download the tool created by TWD: twdapplo.zip, 151 Kb.
