Saturday, June 22, 2013

How to build cURL static library with SSL support on Windows

This is a short note about building cURL with SSL support on Windows.

Tools required:
  1. cURL source: Download latest cURL source from here.
  2. Microsoft Visual C++ 2008 or 2010 Express Edition: It looks like 2008 Express Edition is no longer available, but 2010 Express Edition can be downloaded from here.
  3. Win32 OpenSSL:
    1. Download Win32 OpenSSL installer and Visual Studio redistributable from here - these are Win32 OpenSSL v1.0.1e and Visual C++ 2008 Redistributables at the time of this writing.
    2. Install Win32 OpenSSL; by default it installs to C:\OpenSSL-Win32.
    3. Install Visual C++ 2008 redistributable.

Building cURL:
  1. Run Visual Studio 2008 Command Prompt from Start Menu > All Programs > Microsoft Visual C++ 2008 Express Edition > Visual Studio Tools. Or, Visual Studio 2010 Command Prompt if you're using Visual C++ 2010.
  2. Navigate to winbuild sub-directory in cURL source directory, and issue following command:
nmake /f Makefile.vc mode=static WITH_SSL=static WITH_DEVEL=C:\OpenSSL-Win32 VC=X ENABLE_SSPI=no ENABLE_IDN=no ENABLE_WINSSL=no DEBUG=no MACHINE=x86 GEN_PDB=no ENABLE_IPV6=yes

Note: In VC=X, replace X with 9 for Visual C++ 2008 or 10 for Visual C++ 2010.

Once build is complete, cURL static libraries would be copied to builds sub-directory in cURL source directory.

Sunday, October 31, 2010

FLVTube - rogue video player

FLVTube is supposedly a video player that downloads and plays YouTube videos. Only a few anti-viruses categorize FLVTube as an adware, and most of the antivirus software do not have any detection for it. FLVTube uses the familiar fake codec download techniques to trick PC users in downloading their software: You chance upon a video clip on a random website and to view it you need to download FLVTube! If FLVTube is really a genuine video player, then I wonder why they are using such misleading installation strategies.


During installation, FLVTube gives options to install following affiliate products of questionable reputation:
  • Emoticons Toolbar by SweetIM
  • WhiteSmoke Grammar software
  • Uniblue RegistryBooster

And, it installs following mandatory components:
  • FLVTube Player
  • FLVTube Toolbar
  • QueryBrowser Search Assistant

FLVTube Toolbar and QueryBrowser Search Assistant hijack browser homepage and search provider to http://flvtubesearch.co and www.querybrowser.com (however, this is mentioned in terms and conditions during installation).


VirusTotal scan results of installer and browser plugins can be found here, here and here. Stay clear of this rogue video player! Malwarebytes Anti-Malware can be used to remove FLVTube Player.

Saturday, October 23, 2010

ThinkPoint rogue antivirus

ThinkPoint is a new addition to the long list of rogue antivirus programs. ThinkPoint uses fake codec download tricks for its distribution. Once installed, it shows a fake "Microsoft Security Essentials Alert" popup box showing a non-existent threat.


ThinkPoint adds a Winlogon Shell registry entry, so that ThinkPoint starts up instead of Windows Explorer during Windows startup. ThinkPoint hijacks the startup/login screen.


At this point, follow these steps to get back the standard Windows desktop:
  • Start Task Manager by pressing CTRL+ALT+DEL and kill the process named hotfix.exe.
  • Go to File Menu > New Task (Run) in Task Manager and type explorer.exe to spawn Windows Explorer.

In case you don't find hotfix.exe process in Task Manager, it could mean that the rogue program is using a different filename. Interestingly, there's a workaround built into this rogue program to get to desktop:
  • Click "Safe Startup" button and allow it to finish its fake scanning (duh!). After it completes scanning and shows scan results, click "Continue Unprotected".
  • Now, click "Settings" and select the option "Allow unprotected startup".
  • Close ThinkPoint rogue program's window by clicking the close button on top-right corner. This should take you to the standard Windows desktop.

VirusTotal scan results for ThinkPoint installer can be found here. Malwarebytes' Anti-Malware can be used to remove ThinkPoint rogue antivirus program completely.

Monday, September 13, 2010

OAuth support for twitCurl

The twitCurl twitter API library now supports OAuth authorization methods for twitter! Check out project wiki page for more information on twitCurl OAuth flow:

Labels: , , ,

Wednesday, September 01, 2010

ARKit updates

Few updates on ARKit library! Following functionalities have been added to the library:
  • VAD tree traversal to find images loaded by a process
  • SSDT hook restoration
  • Kernel inline hook restoration
  • Process detection by scanning Handle Table
  • Process termination using NtTerminateProcess and NtTerminateThread
Get the source code here.

Sunday, July 25, 2010

ARKit - An open-source rootkit detection library for Windows

ARKit is an open-source rootkit detection library for Microsoft Windows. ARKit has two components:
  1. ARKitLib - A Win32/C++ static library that exposes various methods to scan system and detect rootkits
  2. ARKitDrv - A device driver that actually implements methods to scan and detect rootkits
Currently, ARKit has following features:
  1. Process scanning – Detect all running processes (hidden and visible)
  2. DLL scanning – Detect DLLs loaded in a process
  3. Driver scanning – Detect all loaded drivers (hidden and visible)
  4. SSDT hook detection
  5. Sysenter hook detection
  6. Kernel inline hook detection
ARKit works on 32-bit flavors of Windows 2000, XP, 2003 and Vista. It has not been tested on Windows 2008 and Windows 7 yet.

For more information on ARKit project, please visit:

Tuesday, April 06, 2010

yelpcurl - C++ Yelp API library

yelpcurl is an open-source, pure C++ wrapper for Yelp's RESTful APIs. The library currently supports all the APIs provided by Yelp. yelpcurl uses cURL and is written in a similar way as that of twitcurl. Building applications using yelpcurl is quite easy:
  • Compile yelpcurl source files (yelpcurl.h and yelpcurl.cpp) and link with cURL library (libcurl.lib) to build static library yelpcurl.lib.
  • Include yelpcurl.h and cURL headers (present in /include/curl/ directory in cURL source) in your Yelp based application and link to yelpcurl.lib and also libcurl.lib/libcurl.dll.
  • Instantiate an object of yelpCurl class and use the Yelp API wrappers that are exposed as public methods.
yelpcurl works on all OS (Windows, Linux, Mac etc.) as it is written completely in C++ and the only dependency is cURL (which works on all OSes mentioned earlier).

More info about the yelpcurl library can be found here: