Leaderboard

Popular Content

Showing content with the highest reputation on 08/14/12 in all areas

  1. About the Pagefile Attack

     The pagefile attack uses the fact that Windows swaps memory out into the pagefile. The attack is based on modification of the pagefile, and so indirectly of the physical memory. The idea is to find specific memory in the pagefile, modify it, and let Windows reload it without any verification.

     But there are a few limitations to consider; the most important one is that you cannot directly access the pagefile. The file "C:\pagefile.sys" is locked for access; you cannot open it with CreateFile. The system process has an open handle without any shared access flag set, so any access to pagefile.sys will consequently fail.

     How to access the pagefile under Windows

     So how to access the pagefile? By bypassing the Windows File overhead. This can be done by not using the CreateFile/WriteFile functions but direct driver communication. Direct driver communication can be done in two ways (and the first is the Windows File Management again):

       • CreateFile with a valid DOS device name or device name (i.e. "\\.\PhysicalDrive0")
       • DeviceIoControl

     With the first you can open handles which can be used to send and receive (ReadFile, WriteFile) data to and from drivers. A driver can register a device name, and if you open a handle to the device you open a handle to the driver. Once opened, you can communicate with the driver; in the example you would directly do read/write operations on the hard disk (compare with Raw Sector Access). There was also an attack on physical memory, because the physical memory object "\Device\PhysicalMemory" was writable as non-Administrator in Windows XP (fixed in Service Pack 2).

     You can use the DeviceIoControl function to directly send control codes (IOCTLs, I/O Control Codes) to the driver. Control codes tell the driver what to do. For the function you also need an open handle, but in contrast to file-mapped driver communication you can open a handle with the correct, undocumented flags. After you have opened a handle to the driver using CreateFile, you can send IOCTLs using DeviceIoControl.

     I'm glad to say that Microsoft started documenting the IOCTLs in late 2008, so there are now many documented IOCTLs in connection with their next operating system, Windows 7. They want people to NOT write drivers but use existing API functions. This is also a result of the fact that Windows Vista and newer only allow signed drivers to be loaded, which means having a company and paying for signing, registering, etc.

     So how is the magic done to access the pagefile? By using the correct IOCTLs and flags:

       • Open a handle to the NTFS file system driver of the volume via CreateFile by specifying "\\.\C:\" as file name and FILE_READ_ATTRIBUTES as desired access flag
       • Receive the cluster list by calling DeviceIoControl with the FSCTL_GET_RETRIEVAL_POINTERS IOCTL
       • Calculate start sector and count from LCN (Logical Cluster Number), data run and NTFS volume info (Sectors per Cluster, Clusters per Record)
       • Read the data runs directly using raw sector access

     Be sure to specify the correct device name "\\.\[Drive Letter]:\" with the ending backslash, otherwise you would open a handle to the logical drive. The undocumented FILE_READ_ATTRIBUTES flag for the desired access allows you to send IOCTLs to the driver (but still forbids read/write IO). And this is exactly what we need, and what was done in the Pagefile Attack.

     You need to know about the internal NTFS file structure and how clusters are stored. There is a concept used called "Data Runs" (also appearing in the FAT file system), which means that multiple clusters are stored and remembered in a list as one single data run. All runs together make the file. The list of the data runs is received by the IOCTL FSCTL_GET_RETRIEVAL_POINTERS, and each element consists of next VCN and LCN. Next VCN tells you the starting virtual cluster number (starting from zero) inside the file, and LCN the logical cluster number on the drive. This concept, receiving the cluster list with the IOCTL, works for both FAT and NTFS.

     I don't want to explain the full NTFS file system here, but be aware of sparse data (= clusters which are fully zero, alpha compression), because they are not stored on NTFS but assigned as LCN -1. And do not forget compression, encryption and resident data. Take a look at the NTFS documentation.

     Limitations

     As described in my Hibernation File Attack, the Pagefile Attack also has its limitations. First, you need elevated Administrator rights for the driver communication. Second, the Pagefile Attack works only up to Windows XP; Microsoft fixed the vulnerability in Windows Vista Release Candidate in response to the public presentation of the pagefile attack. Furthermore, it's important to say that it takes a relatively high effort to find and replace specific memory in the pagefile, so it is only of limited suitability for real exploits used by malware.

     References

       • Vista RC2 vs. pagefile attack (and some thoughts about Patch Guard), Joanna Rutkowska in her blog "invisiblethings"
       • Subverting Vista Kernel For Fun And Profit - presentation at Black Hat USA 2006
       • Rutkowska's profile on Black Hat USA 2006

     Source: Pagefile Attack - Peter Kleissner
    1 point
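
The cluster-to-sector calculation described in the post above, as an added example that is not part of the original post or Peter Kleissner's code: it parses a buffer in the documented RETRIEVAL_POINTERS_BUFFER layout and turns each data run into a volume-relative sector range, marking LCN -1 runs as sparse. The buffer contents and the value of 8 sectors per cluster are constructed sample values for an NTFS volume; the code opens no disk, volume or pagefile.

```python
import struct
from typing import List, NamedTuple, Optional

# Documented RETRIEVAL_POINTERS_BUFFER layout: DWORD ExtentCount, 4 bytes of
# alignment padding, LARGE_INTEGER StartingVcn, then ExtentCount pairs of
# LARGE_INTEGER NextVcn / LARGE_INTEGER Lcn (little-endian, signed 64-bit).
HEADER = struct.Struct("<I4xq")
EXTENT = struct.Struct("<qq")


class Run(NamedTuple):
    vcn: int                      # first virtual cluster of the run in the file
    clusters: int                 # run length in clusters
    first_sector: Optional[int]   # volume-relative sector, None for sparse runs
    sectors: int                  # run length in sectors


def parse_retrieval_pointers(buf: bytes, sectors_per_cluster: int) -> List[Run]:
    """Convert the extent list into volume-relative sector ranges."""
    if len(buf) < HEADER.size:
        raise ValueError("buffer shorter than the fixed header")
    count, vcn = HEADER.unpack_from(buf, 0)
    if len(buf) < HEADER.size + count * EXTENT.size:
        raise ValueError("extent array is truncated")
    runs = []
    for i in range(count):
        next_vcn, lcn = EXTENT.unpack_from(buf, HEADER.size + i * EXTENT.size)
        length = next_vcn - vcn   # NextVcn is where the following run starts
        if length <= 0:
            raise ValueError("NextVcn must increase from run to run")
        # LCN -1 marks a sparse/compressed hole: nothing is stored on disk.
        first = None if lcn == -1 else lcn * sectors_per_cluster
        runs.append(Run(vcn, length, first, length * sectors_per_cluster))
        vcn = next_vcn
    return runs


# Constructed sample: three runs, the middle one sparse (not from a real volume).
SAMPLE = HEADER.pack(3, 0) + b"".join(
    EXTENT.pack(n, l) for n, l in [(1000, 786432), (1016, -1), (3016, 2000000)]
)

if __name__ == "__main__":
    for run in parse_retrieval_pointers(SAMPLE, sectors_per_cluster=8):
        print(run)
```

The sector numbers are relative to the start of the volume; locating them on the physical disk additionally requires the partition's starting offset.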
  2. Abstract

     In my third paper I want to talk about "The Magic of Bootkits". Boot software has occupied me for years of my life. I wrote an operating system, a boot management solution and, lastly, a "Forensic Lockdown Software" which boots before Windows does. I have seen many things there, and so I want to discuss a few points about bootkits: whether they become useless or not, whether they will rule the world or not. I am writing this article because I read Pandalabs Security's article about "Rootkits in the MBR, a dangerous reality" and I have analyzed the development work of vbootkit, which I will discuss later.

     Enjoy reading! - Peter Kleissner, Software Engineer (September 2008)

     The danger of Bootkits

     Bootkits are loaded before the main operating system is. The term 'Bootkit' refers to a Rootkit installed in any Boot Record (Master Boot Record, Partition Boot Record, Bootloader). Modern Bootkits are able to hook and bypass operating system routines and initialization (processor mode switch) as well as security checks (integrity, code-signed, etc.). They are not only acting on startup, but also during execution of the host operating system.

     Because Bootkits are loaded before the OS is, they can do what they want (at least what the programmer is capable of letting them do). Normally they not only hook operating system kernel functions but also give themselves kernel rights and do various other things.

     How to consider Bootkits

     Bootkits differ in their code from common viruses; they are assigned, like any other system software, directly to machine code the processor executes. Simplified, but like Windows, they have to support the hardware with their own code; they need their own drivers for graphics, reading from disk, etc.

     An important aspect of system software is the hardware platform and architecture. Boot viruses must be written for a specific architecture (for "normal" computers this is the Intel Architecture and the classical PC Architecture), so there is a hardware dependency normal software doesn't have. Problems for boot viruses are not only the architecture, but also the lack of documentation for it. For example, the boot process is very undocumented, which makes it difficult to get boot software working on nearly any machine. Different computers will support different important features which are required or not.

     You can consider bootkits to be applications requiring a high rate of change. Unstandardized hardware is one problem, but new standards for previous architecture parts are another. We have, for example, the new GUID Partition Table which replaces the old one, or the BIOS that is to be replaced by EFI. For the new Extensible Firmware Interface, you can throw away any previous boot software and write new software.

     Another problem besides hardware dependency is target operating system dependency: the bootkit has to hook the operating system's kernel functions and bypass the operating system's security functions. Current bootkits are targeted at specific operating system versions such as Windows XP, Windows Vista or some Linux kernel. It's also tricky with 32- and 64-bit operating system versions. It would be possible, but is currently not done, to include binary code for both operating system versions.

     How to detect a Bootkit

     For bootkit detection, I've already worked out a concept for detecting malicious boot software, described in my article Writing a Boot Scan Engine. It is about scanning for patterns, using a black and whitelist, a database, reports and other heuristic methods.

     When examining an infected system for a bootkit, it is important to know that the bootkit is able to hook functions that are used for detection. An example would be the commonly hooked function ReadFile, which would, in that case, return different data than the real data. Of course the computer can be scanned from a live system, but this would be user-unfriendly crap. A solution would be a scanner which is loaded before the main operating system parts are loaded; a place for the scanner would be (Windows specific) in the Windows Bootloader or the Winloader.exe.

     The problem of Bootkits in the future with EFI

     A big change for boot viruses lies in the change from the old-fashioned BIOS to the new Extensible Firmware Interface (EFI). It makes the old BIOS and bootstrap obsolete and defines new standards for booting operating systems.

     First, old boot viruses will no longer work and cannot be "translated" to the new boot system. Second, we will have many more boot viruses in the future, within the next 10 years. With new versions of Microsoft's operating systems they will explode, because they have the ability to.

     EFI makes it very easy to develop boot loading software, or to develop a boot virus or bootkit. EFI brings better and more standardized support for hardware and supports features like the Portable Executable format that is used in Windows for executables. It's just a matter of time until we have easy-to-use compilers like Visual Studio for developing EFI applications. When we have this, it will be very easy to copy & paste malicious boot software source code. I think the explosion will come in 2-3 years, once EFI is established and people begin to use its possibilities.

     Conclusion

     We see a current change in bootkits and in the development of them in the near future. It's incredible to see the effort people are putting in to write a fully functional bootkit. The good thing about previous bootkits is that only experts are capable of writing them, so modern malicious bootkits (the non-proof-of-concept ones) are simply not available at this time. In 2-3 years we will see a change in bootkits when EFI is established, but until EFI applications are nearly like Windows applications, they can be easily found by anti-virus software.

     See you in 2-3 years, Peter Kleissner.

     Source: The Magic of Bootkits - Peter Kleissner
    1 point
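
One way to apply the black- and whitelist idea from the post above to a Master Boot Record, as an added example that is not Peter Kleissner's scan engine: it hashes only the bootstrap code area, so the per-machine disk signature and partition table do not affect the verdict. All sector contents, list entries and the build_sector helper are constructed for illustration, and the sector is assumed to have been read from a trusted environment, since the post notes that a bootkit can hook the read functions.

```python
import hashlib
from typing import Dict

SECTOR_SIZE = 512
CODE_END = 440                 # bytes 0-439: bootstrap code
# bytes 440-445: disk signature, bytes 446-509: partition table
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511


def code_digest(sector: bytes) -> str:
    """SHA-256 over the bootstrap code only, so per-machine fields
    (disk signature, partition table) do not change the result."""
    return hashlib.sha256(sector[:CODE_END]).hexdigest()


def classify_mbr(sector: bytes, whitelist: Dict[str, str],
                 blacklist: Dict[str, bytes]) -> str:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        return "invalid: missing 55 AA boot signature"
    code = sector[:CODE_END]
    for name, pattern in blacklist.items():      # pattern scan comes first
        if pattern in code:
            return "blacklisted: " + name
    label = whitelist.get(code_digest(sector))
    return "whitelisted: " + label if label else "unknown: report for review"


def build_sector(code: bytes, disk_sig: bytes, table: bytes) -> bytes:
    """Assemble a constructed test sector (hypothetical helper)."""
    return (code.ljust(CODE_END, b"\x00") + disk_sig.ljust(6, b"\x00")
            + table.ljust(64, b"\x00") + BOOT_SIGNATURE)


# Constructed sample data: placeholder bytes, not real boot code or signatures.
REFERENCE_CODE = b"\xfa\x33\xc0" + b"REFERENCE-LOADER"
REFERENCE = build_sector(REFERENCE_CODE, b"\x11" * 4, b"\x80")
WHITELIST = {code_digest(REFERENCE): "reference loader (constructed)"}
BLACKLIST = {"sample-marker (constructed)": b"CONSTRUCTED-BAD-MARKER"}

if __name__ == "__main__":
    other_disk = build_sector(REFERENCE_CODE, b"\x22" * 4, b"\x00\x01")
    print(classify_mbr(other_disk, WHITELIST, BLACKLIST))
```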
  3. How to calculate a subnet mask address and find out your new IP address range. FOR BEGINNERS.
    1 point
  4. There is online SEO and offline SEO... the two are treated differently... For online SEO there are certain tags and concepts that you have to apply in the page and in the content in order to raise that page for certain keywords. The best example would be one of the product pages from emag; their pages are very well optimized on the online SEO side.

     What you need to know is as follows (I list them in order of importance):

     1) the domain name should contain the keywords (separated by - or +)
     2) keywords in the URL -> between site.ro/cuvant-cheie/ and site.ro/index.php?page=cuvant-cheie the first has priority (although Google copes with both variants)
     3) the page title (the title tag in the header) should contain the keywords of that page
     4) the page description must contain the keywords of that page (but must not be identical to the title) (the description tag in the header)
     5) the keywords (the keywords tag in the header) should be separated by commas
     6) the titles and subtitles in the page should be wrapped, according to their importance, in the h1, h2 etc. tags (they are considered keywords)
     7) text that contains the keywords should be wrapped in the <strong> tag
     8) the density of the keywords in the page should be between 3 and 5%
     9) a page must be optimized for only one keyword (or one phrase); do not optimize the page for several words or phrases, because its importance drops
     10) the links in the site that lead to that page must contain the attribute title="cuvintele cheie sau fraza cheie pentru pagina din acel link"
     11) the images in the page must have a file name that matches the image (when searching Google for images containing that word, you will see that images with that word in the file name come first)
     12) images must have both the alt attribute and the title attribute set, and both must contain the keywords for that image
     13) videos must have the title attribute set, containing the keywords or key phrase for that video
     14) pages must have the language meta tag set appropriately (details on Wikipedia under the language meta tag)
     15) pages must have the canonical meta tag set, pointing to the address of the real page (so that, in the case of duplicated pages, the duplicates can be identified as actually being the same page as the link specified in canonical) (details on Wikipedia under canonical)
     16) pages must have unique content (Google penalizes duplicates that exist on other sites, while those on the same site are excluded if they have the correct canonical tag)
     17) the site must be hosted in the country for which the language is set (this has little importance, but it contributes to how results are displayed; results from sites in the same country as the searcher have priority)
     18) pages must be optimized (HTML code without errors, CSS and JS code compressed so that it uses as little traffic as possible) (Google also takes page display speed into account; the fastest pages are shown first in the results) (a cache system can be implemented on the site to increase the display speed of the pages)

     Off-site optimization

     1) as many links as possible on external sites that lead to the page you want to promote. Attention! I said page, not site, so if you want to promote only the front page, you put backlinks only to the front page. Backlinks on other sites must not have the rel="nofollow" attribute, because then that link is placed for nothing. Backlinks should be placed on pages with as high a PR as possible and with as few external links as possible (the fewer links there are on a page, the better for the page you want to advertise). Backlinks must contain the attribute title="cuvintele sau fraza cheie pentru pagina promovata" -> these are of great importance.
     2) check the reports in webmaster tools and apply the recommendations from there.
     3) link exchanges and web directories have very little importance, because those are link farms and Google usually no longer gives them importance (or gives them very little importance)

     Besides that, you should also read the following articles: Woorank - automatically creates a review of your website (it tells you many useful things that you still have to do on your site for it to grow), and Reduce the Bounce Rate in 15 steps (this is important for on-site optimization), and Speed Tracer: New applications for a faster web (I mentioned page speed above), and Useful Google Chrome extensions for web programmers (there are many extensions related to SEO that help you), and Google Webmaster tools and improving performance (what I said above about webmaster tools, but note that there are also Bing webmaster tools and Yahoo webmaster tools, not just Google), and How do you check your website's loading time?

     If you still have questions, post them here and I will try to answer.
    1 point