
Leaderboard

Popular Content

Showing content with the highest reputation on 06/11/20 in Posts

  1. You're looking for a good Python programmer... and like everyone else, they'll be looking for good people who know how to do something, not to pay someone else to do it. I'll never understand why you spend 3/4 years at university only to buy your thesis at the end... Can't you do your own thesis? No shame in it, it's not the end of the world, but at least be aware that you don't deserve the diploma either.
    2 points
  2. Hmm... you could rely on offline vulnerability databases and build the thesis so that you present particular examples of software that can be tested with something like that. It's impossible, though, not to have a margin of error in that calculation, which you'll have to mention or even detail. I'll do it for you, but we start talking from 4000 LEI upwards, with a deposit. If you're ok with that, send me a message.
    1 point
  3. I'll pass, but thanks for the mention. It takes quite a while to build something like that and unfortunately I don't have the time.
    1 point
  4. Here's the source code, you can modify it as you like and according to your requirements: The Robot, or you can use it as an example to write something similar...
    1 point
  5. In certain investigations, it may arise that you need to find the following: What process was using the camera or microphone? When was the last session? How long was that session?

     Using the contents of the following reg keys, you can determine when and how long a process had access to privacy protected resources. These resources include the microphone, webcam, bluetooth, location, contacts and more. For this blog, I will focus on the microphone and webcam as an example.

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\

     Below is an example of the typical entries in the webcam directory. There are several entries including Microsoft and non-Microsoft applications. Microsoft applications are stored as child keys but non-Microsoft applications (which are of the most interest) are stored in the NonPackaged child key. Within the NonPackaged directory, you can see that the names of the keys are the full path of an executable with # replacing \. Each entry has two values, LastUsedTimeStart and LastUsedTimeStop, with the timestamps in FILETIME format.

     From the example above, you are able to determine that Zoom.exe had access to my webcam for 27.2 minutes (between 2020/06/01 04:30:52 UTC and 2020/06/01 04:58:04 UTC). Whether you are looking at what processes had access to a webcam or even trying to prove how long a user's conversation may have been, this is a great source of information.

     Testing RAT-like behaviour

     I needed to test if this also applied to more malicious methods of accessing the microphone. I used a meterpreter post-exploit module to record audio from a Windows VM. As soon as I ran the recording command, a new entry was populated from where my meterpreter shell was executed. Pretty cool!

     Monitoring

     If we wanted to track all sessions (not just the last), it is easy with Sysmon. If you are running something like the Swift on Security configuration, you will need to add an inclusion line for event IDs 12, 13 and 14 (Registry modification):

     <TargetObject condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\</TargetObject> <!-- When a process accesses bluetooth, location, webcam, microphone etc, the timestamps of last access are updated here. HKLM and HKCU -->

     After updating your configuration, a Sysmon event will now be created when the registry keys are created or updated. Below is the LastUsedTime key being updated for Skype.exe accessing my microphone in the Sysmon event log. The timestamps in the log are still in hex, which need to be converted to decimal and then to a human-readable timestamp; however, the timestamp of the event itself is also very accurate.

     Conclusion

     What spurred this off is when I came across this page in the settings, and it got me thinking about where this data is stored. It will be interesting if there are other places that track historical sessions without the use of monitoring. This would be more valuable to forensic analysts that don't always have nice logs. Further research also could be done to identify which device the process is accessing (front camera, USB camera etc). I would also like to explore if this method catches more covert RAT malware.

     Thanks for reading,
     Zach

     Source
    1 point
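The post above leaves two conversions to the reader: turning the FILETIME values under ConsentStore\...\NonPackaged into timestamps and a session length, and decoding the hex that Sysmon event 13 writes for those same values. The following script is an added example, not code from the post or from Zach; it runs offline on a constructed snapshot of the registry values and on constructed Sysmon records. Assumptions are labelled: the executable paths and timestamps are made up (they reproduce the 27.2 minute Zoom session the post describes), the "QWORD (0xHIGH-0xLOW)" rendering is how Sysmon is assumed to format 64-bit registry data, and a LastUsedTimeStop of 0 is treated here as a session that was still open when the snapshot was taken.

```python
import re
from datetime import datetime, timedelta, timezone

# Registry path from the post; the per-device subkeys are "webcam", "microphone", etc.
CONSENT_STORE = r"SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore"

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME integer to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def subkey_to_path(subkey):
    """NonPackaged subkey names hold the executable path with '#' substituted for '\\'."""
    return subkey.replace("#", "\\")


# Assumption: Sysmon renders REG_QWORD data as two 32-bit hex halves, high then low.
_QWORD_RE = re.compile(r"QWORD \(0x([0-9A-Fa-f]{8})-0x([0-9A-Fa-f]{8})\)")


def parse_sysmon_qword(details):
    """Rebuild the 64-bit integer from the 'QWORD (0xHIGH-0xLOW)' text in a Sysmon Details field."""
    m = _QWORD_RE.fullmatch(details.strip())
    if not m:
        raise ValueError(f"unrecognised QWORD rendering: {details!r}")
    high, low = (int(part, 16) for part in m.groups())
    return (high << 32) | low


def sessions_from_snapshot(snapshot):
    """snapshot maps device -> NonPackaged subkey -> {'LastUsedTimeStart': int, 'LastUsedTimeStop': int}.
    Returns (device, exe_path, start, stop, minutes). stop/minutes are None while the session is
    still open (assumed here to be a Stop value of 0, or one earlier than Start)."""
    rows = []
    for device, entries in snapshot.items():
        for subkey, values in entries.items():
            start_ft = values["LastUsedTimeStart"]
            stop_ft = values.get("LastUsedTimeStop", 0)
            start = filetime_to_datetime(start_ft)
            if stop_ft == 0 or stop_ft < start_ft:
                rows.append((device, subkey_to_path(subkey), start, None, None))
                continue
            stop = filetime_to_datetime(stop_ft)
            rows.append((device, subkey_to_path(subkey), start, stop,
                         round((stop - start).total_seconds() / 60, 1)))
    return rows


# Matches the TargetObject of a Sysmon event that touches a NonPackaged LastUsedTime* value.
_TARGET_RE = re.compile(
    r"^HKLM\\" + re.escape(CONSENT_STORE)
    + r"\\(?P<device>[^\\]+)\\NonPackaged\\(?P<subkey>[^\\]+)\\(?P<value>LastUsedTimeStart|LastUsedTimeStop)$")


def access_events(events):
    """Keep only event-13 records for ConsentStore values and decode the FILETIME each one carries."""
    out = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = _TARGET_RE.match(ev["TargetObject"])
        if not m:
            continue
        when = filetime_to_datetime(parse_sysmon_qword(ev["Details"]))
        out.append((m["device"], subkey_to_path(m["subkey"]), m["value"], when))
    return out


# Constructed registry snapshot: paths and values are made up for this example.
SAMPLE_SNAPSHOT = {
    "webcam": {
        "C:#Users#analyst#AppData#Roaming#Zoom#bin#Zoom.exe": {
            "LastUsedTimeStart": 132354594520000000,  # 2020-06-01 04:30:52 UTC
            "LastUsedTimeStop": 132354610840000000,   # 2020-06-01 04:58:04 UTC
        },
    },
    "microphone": {
        "C:#Users#analyst#Downloads#update.exe": {
            "LastUsedTimeStart": 132354610840000000,
            "LastUsedTimeStop": 0,  # constructed: still recording at snapshot time
        },
    },
}

# Constructed Sysmon event-13 records (field names as exported from the Sysmon channel).
SAMPLE_SYSMON_EVENTS = [
    {"EventID": 13, "UtcTime": "2020-06-01 04:30:52.104", "EventType": "SetValue",
     "TargetObject": "HKLM\\" + CONSENT_STORE
     + r"\microphone\NonPackaged\C:#Program Files (x86)#Microsoft#Skype for Desktop#Skype.exe\LastUsedTimeStart",
     "Details": "QWORD (0x01D637CD-0x6EC16600)"},
    {"EventID": 13, "UtcTime": "2020-06-01 04:58:04.221", "EventType": "SetValue",
     "TargetObject": "HKLM\\" + CONSENT_STORE
     + r"\microphone\NonPackaged\C:#Program Files (x86)#Microsoft#Skype for Desktop#Skype.exe\LastUsedTimeStop",
     "Details": "QWORD (0x01D637D1-0x3B80D600)"},
    {"EventID": 13, "UtcTime": "2020-06-01 04:59:00.000", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Example\Unrelated", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for device, exe, start, stop, minutes in sessions_from_snapshot(SAMPLE_SNAPSHOT):
        state = f"{minutes} min, until {stop:%Y-%m-%d %H:%M:%S} UTC" if stop else "session still open"
        print(f"registry {device:<10} {exe} started {start:%Y-%m-%d %H:%M:%S} UTC ({state})")
    for device, exe, value, when in access_events(SAMPLE_SYSMON_EVENTS):
        print(f"sysmon   {device:<10} {exe} {value} -> {when:%Y-%m-%d %H:%M:%S} UTC")
```

On a live system the snapshot would come from winreg or an offline SOFTWARE hive rather than the dictionary above, and the Sysmon records from the Microsoft-Windows-Sysmon/Operational channel; the decoding is the same either way. Note that the event's own UtcTime and the decoded FILETIME should agree to within a second, which is a cheap consistency check when the hive and the log are being correlated.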
  6. There's a better chance of getting run over by a BMW driven by an unemployed, uneducated Gypsy with a licence obtained by dodgy means. Criminals have guns anyway. And not with rubber bullets. @unic, welcome. At least buy yourself a Fort 17R. Otherwise, the market only has popguns.
    1 point
This leaderboard is set to Bucharest/GMT+02:00