Posts: 1259
Days Won: 86
Everything posted by gigiRoman
-
Source: https://github.com/enkomio/shed/blob/master/README.md

Shed is an application that allows you to inspect the .NET runtime of a program in order to extract useful information. It can be used to inspect malicious applications in order to get a first general overview of which information is stored once the malware is executed. Shed is able to:
- Inject a .NET Assembly in a remote process (both managed and un-managed)
- Extract all objects stored in the managed heap
- Print strings stored in memory
- Save the snapshot of the heap in a JSON format for post-processing
- Dump all modules that are loaded in memory

Download Source code / Download binary

Using Shed
Shed is a command line tool. To display all available options run:
shed.exe --help

Inspecting an already running application
In order to inspect an already running process you have to pass the pid to Shed. Example:
Shed.exe --pid 2356

Inspecting a binary
In order to inspect a binary, Shed needs to execute it and attach to it in order to inspect the runtime. Example:
Shed.exe --exe malware.exe
You can also specify the amount of time (in milliseconds) to wait before suspending the process. This will allow the program to have the time to initialize its properties. Example:
Shed.exe --timeout 2000 --exe malware.exe

Injecting an Assembly in a remote process
With Shed it is possible to inject a .NET Assembly in a remote process thanks to the ManagedInjector Library. In order to do so, it is necessary to specify the pid of the process and the exe to inject. Once the Assembly is injected it is possible to activate it by invoking a specific method. The rules to identify the method are inherited from the ManagedInjector project and are the following:
- You must specify the full method name to invoke (eg. this.is.my.namespace.class.method)
- You can inject an executable that defines an EntryPoint method to execute (like a Console project)
- You can define a method with the following signature: <public|private> static void Inject()
For example, to inject the Assembly InjectedAssembly into the process with pid 1234, you have to run Shed with the following command:
shed.exe --pid 1234 --exe InjectedAssembly.dll --inject
With the --method option you can specify a method from InjectedAssembly.exe to invoke. Find below an example of execution:

Dumping options
By default Shed dumps both the heap and the modules. If you want only one of them, specify the --dump-heap option to dump only the objects in the heap or --dump-modules to dump only the modules. Dumping the heap can produce a lot of information which is not strictly useful for the analysis. You can filter it by using two files:
- blacklist.txt: this file contains the type name prefixes that must not be logged
- whitelist.txt: this file contains the type name prefixes that must be logged even if blacklisted
For example, if you want to filter all the System.IO namespace but you are interested in logging System.IO.MemoryStream, you can add the first value to blacklist.txt and the second one to whitelist.txt.

Examples
In the Examples folder you will find three different projects that you can use in order to test Shed. Example:
Shed.exe --exe ..\Examples\ConfigurationSample\ConfigurationSample.exe
When the analysis is completed, Shed will print where you can find the result, as shown below:
[+] Result saved to C:\Shed\Result\7800

Build Shed
If you have installed Visual Studio, just run the build.bat batch file; it will create a zip file inside the build folder.

License information
Copyright (C) 2017 Antonio Parata - @s4tan
License: GNU General Public License, version 2 or later; see LICENSE included in this archive for details.
-
- 4
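The blacklist/whitelist rule from the Shed README above (a type is dropped when a blacklist prefix matches it, unless a whitelist prefix also matches) is easy to reproduce when post-processing the JSON heap snapshot that Shed saves. The following is an added example written for this post, not code from the Shed project: it assumes a snapshot shaped as a JSON list of objects with "Type" and "Value" keys (Shed's actual JSON layout is not described on the page), constructs a small snapshot and the two filter files inline, and applies the same precedence the README documents.

```python
"""
Prefix-based heap filter in the style of Shed's blacklist.txt / whitelist.txt.

Assumptions (not taken from the Shed project): the heap snapshot is a JSON
list of objects with "Type" and "Value" keys, and each filter file holds one
type-name prefix per line, with blank lines and '#' comments ignored.
"""
import json

# Constructed stand-in for blacklist.txt
BLACKLIST_TXT = """
# drop the whole System.IO namespace and reflection noise ...
System.IO
System.Reflection
"""

# Constructed stand-in for whitelist.txt
WHITELIST_TXT = """
# ... except memory streams, which often hold decoded payloads
System.IO.MemoryStream
"""

# Constructed heap snapshot; a real one would come from `shed.exe --dump-heap`
HEAP_JSON = json.dumps([
    {"Type": "System.String", "Value": "http://example.invalid/gate.php"},
    {"Type": "System.IO.FileStream", "Value": "C:\\Users\\victim\\notes.txt"},
    {"Type": "System.IO.MemoryStream", "Value": "4d5a90000300000004000000ffff0000"},
    {"Type": "System.Reflection.Assembly", "Value": "StagerModule"},
    {"Type": "MyMalware.Config", "Value": "{\"sleep\": 3000}"},
])


def load_prefixes(text):
    """Parse one prefix per line; skip blank lines and '#' comments."""
    prefixes = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            prefixes.append(line)
    return prefixes


def is_logged(type_name, blacklist, whitelist):
    """Whitelist wins over blacklist, as the README describes: a type is kept
    if any whitelist prefix matches, otherwise it is kept only when no
    blacklist prefix matches."""
    if any(type_name.startswith(p) for p in whitelist):
        return True
    return not any(type_name.startswith(p) for p in blacklist)


def filter_heap(heap_json, blacklist_txt, whitelist_txt):
    """Return the snapshot objects that survive the two filter files."""
    objects = json.loads(heap_json)
    blacklist = load_prefixes(blacklist_txt)
    whitelist = load_prefixes(whitelist_txt)
    return [obj for obj in objects if is_logged(obj["Type"], blacklist, whitelist)]


if __name__ == "__main__":
    for obj in filter_heap(HEAP_JSON, BLACKLIST_TXT, WHITELIST_TXT):
        print(f'{obj["Type"]:32} {obj["Value"]}')
```

Matching is on the raw string prefix, so an entry such as System.IO also hides any type whose name merely starts with those characters; writing the entry as System.IO. (with the trailing dot) restricts it to that namespace, which is usually what an analyst wants.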
-
Former PSD deputy Cristian Rizea, definitively sentenced to 4 years and eight months in prison for influence peddling and money laundering, has published a book, "Spovedania lui Rizea", in which he accuses several businessmen, politicians, journalists and intelligence officers of being organized in criminal groups that "plundered Romania". https://easyupload.io/uvswun Password: RstForums2020
-
Source: https://b-ok.cc/book/5215463/a31b5c in Mastering Malware Analysis

Mastering Malware Analysis
Alexey Kleymenov, Amr Thabet
Categories: Computers\\Security
Year: 2019
Language: english
Pages: 868
ISBN 13: 9781789610789
Series: 9781789610789
File: PDF, 25.02 MB

Product Description
Master malware analysis to protect your systems from getting infected

Key Features
- Set up and model solutions, investigate malware, and prevent it from occurring in future
- Learn core concepts of dynamic malware analysis, memory forensics, decryption, and much more
- A practical guide to developing innovative solutions to numerous malware incidents

Book Description
With the ever-growing proliferation of technology, the risk of encountering malicious code or malware has also increased. Malware analysis has become one of the most trending topics in businesses in recent years due to multiple prominent ransomware attacks. Mastering Malware Analysis explains the universal patterns behind different malicious software types and how to analyze them using a variety of approaches. You will learn how to examine malware code and determine the damage it can possibly cause to your systems to ensure that it won't propagate any further. Moving forward, you will cover all aspects of malware analysis for the Windows platform in detail. Next, you will get to grips with obfuscation and anti-disassembly, anti-debugging, as well as anti-virtual machine techniques. This book will help you deal with modern cross-platform malware. Throughout the course of this book, you will explore real-world examples of static and dynamic malware analysis, unpacking and decrypting, and rootkit detection. Finally, this book will help you strengthen your defenses and prevent malware breaches for IoT devices and mobile platforms. By the end of this book, you will have learned to effectively analyze, investigate, and build innovative solutions to handle any malware incidents.

What you will learn
- Explore widely used assembly languages to strengthen your reverse-engineering skills
- Master different executable file formats, programming languages, and relevant APIs used by attackers
- Perform static and dynamic analysis for multiple platforms and file types
- Get to grips with handling sophisticated malware cases
- Understand real advanced attacks, covering all stages from infiltration to hacking the system
- Learn to bypass anti-reverse engineering techniques

Who this book is for
If you are an IT security administrator, forensic analyst, or malware researcher looking to secure against malicious software or investigate malicious code, this book is for you. Prior programming experience and a fair understanding of malware attacks and investigation is expected.

Table of Contents
- A Crash Course in CISC & RISC Assembly and Basics of Computer Programming
- Basic Static and Dynamic Analysis for x86/x64
- Unpacking, Decryption and Deobfuscation
- Inspecting Process Injection & API Hooking
- Bypassing Anti-Reverse Engineering Techniques
- Understanding Kernel-Mode & Rootkits
- Handling Exploits & Shellcode
- Reversing Bytecode Languages: DotNet, Java and More
- Scripts & Macros: Reversing, Deobfuscation and Debugging
- Dissecting Linux and IoT Malware
- Intro to MacOS and iOS Threats
- Analyzing Android Malware Samples

About the Author
Alexey Kleymenov started working in the information security industry in his second year at university, and now has more than 10 years of practical experience at three international antivirus companies. He is an IT engineer with a strong security background and is passionate about reverse engineering, prototyping, process automation, and research. Alexey has taken part in numerous e-crime and targeted attack-related investigations, has worked on several projects that involved building machine learning classifiers to detect various types of attacks, and has developed several applications that extend the visibility of modern threats in the IoT domain. Alexey is also a member of the (ISC)² organization and holds the CISSP certification.

Amr Thabet is a former malware researcher at Symantec and the founder of MalTrak. Amr has spoken at top security conferences all around the world, including DEFCON and VB Conference. He was also featured in Christian Science Monitor for his work on Stuxnet. Prior to that, he struggled to get into the field as he was a mechanical engineering graduate. He didn't have the budget to afford expensive certificates to prove his skills. And because of that, after his successes, he decided to be the inspiring voice to all enthusiasts starting in malware analysis. He helps students all around the world to build their expertise and, most importantly, their irresistible resume to land their next malware analysis job.
-
- 3
-
Reverse engineering workshops
gigiRoman replied to Nytro's topic in Reverse engineering & exploit development
I just came across it in a Google search and thought I'd search the forum before posting. Did you make it, @Nytro? -
Source: https://decoder.cloud/2020/05/04/from-network-service-to-system/amp/?__twitter_impression=true

Decoder's Blog
From NETWORK SERVICE to SYSTEM
Decoder, 1 day ago

In the last period, there have been several researches on how to escalate privileges by abusing generic impersonation privileges usually assigned to SERVICE accounts. Needless to say, a SERVICE account is required in order to abuse the privileges. The last one, in order of time, “Printer Spoofer”, is probably the most dangerous/useful because it only relies on the “Spooler” service, which is enabled by default on all Windows versions. In Windows 10 and Windows Server where WinRM is not enabled, you can use our “Rogue WinRM listener” in order to capture a SYSTEM token. And of course, in Windows Server 2016 and Windows 10 up to 1803, our Rotten/Juicy Potato is still kicking!

In this post I’m going to show you how it is possible to get SYSTEM privileges from the Network Service account, as described in Forshaw’s post “Sharing a Logon Session a Little Too Much“. I suggest you read it first if you haven't already, as I won’t detail the internal mechanism.

In short, if you can trick the “Network Service” account into writing to a named pipe over the “network” and are able to impersonate the pipe, you can access the tokens stored in the RPCSS service (which is running as Network Service and contains a pile of treasures) and “steal” a SYSTEM token. This is possible because of some “weird” checks/assignments in the token’s Authentication ID. The token of the caller (coming from the RPCSS service) will have the Authentication ID of the service assigned, and if you impersonate this token you will have complete access to the RPCSS process, including its tokens (because the impersonated token belongs to the group “NT Service\RpcSs“).

Side note: here you can find some other “strange” behaviors based on AuthID.

Given that the local loopback interface (127.0.0.1) is considered a network logon/access, it’s possible to exploit this (mis)behavior locally with an all-in-one tool. The easiest way is a compromised “Network Service” account with shell access, and this will be our starting point. In this situation, we can directly write via the loopback interface to the named pipe, impersonate and access RPCSS process tokens.

Note: For testing purposes, you can impersonate the “Network Service” account using psexec from an admin shell:
psexec64 -i -u “NT AUTHORITY\Network Service” cmd.exe

There are many ways to accomplish this task, for example with Forshaw’s NTOBJECTMANAGER library in Powershell (keep in mind that the latest MS Defender updates mark this library as malicious!??). But my goal was to create a standalone executable in old plain vanilla style and, given that I’m very lazy, I found most of the functions needed in the old but always good incognito2 project. The source code is very useful and educational; it’s worth the study. I reused the most relevant parts of the code and did some minor changes in order to adapt it to my needs and also to evade AVs.

Basically this is what it does:
- start a Named Pipe Server listening on a “random” pipe
- start a Pipe Client thread, connect to the random pipe via “localhost” and write some data
- in the pipe server, once the client connects, impersonate the client (coming from “RPCSS”)
- list tokens of all processes: if a SYSTEM token is available, impersonate it and execute your shell or whatever you prefer

The “adapted” source code for my POC can be found here: https://github.com/decoder-it/NetworkServiceExploit

That’s all 😉
-
- 1
-
Intrebare "bypass" multi account protection
gigiRoman replied to kelookizz's topic in Discutii incepatori
Set up a proxy (Fiddler or Burp) and look there at what data it sends to the server. You'll figure it out easily from that. -
Even if he had been a man, in Transylvania Romanian names were Hungarianized. See the former CFR Cluj footballer Adrian Anca. Source: https://www.google.com/amp/s/adevarul.ro/locale/alba-iulia/cum-fost-maghiarizate-numele-romanilor-ardeal-sfarsitul-anilor-1800-avram-iancu-devenit--iank-abraham-1_53db32e20d133766a8eab98f/index.amphtml Quote: "The archive documents researched by professor Ilie Furduiu for the study „Momente din lupta românilor împotriva maghiarizării înainte de 1918“ help us learn how the names of Romanians in Transylvania were Hungarianized. Today we encounter both the Romanian name and the Hungarianized one: Ancău – Anca, Ardeleanu – Ardelean, Albu – Alb, Abrudeanu – Abrudean, Aiudeanu – Aiudean, Aronu – Aron, Adamoviciu – Adamovici, Baicu – Baic, Balosu – Balos, Barbu – Barb, Beldeanu – Beldean, Beleiu – Belei, Berindeiu – Berindei, Bârluţiu – Bârluţ, Bârzu – Bârz, Boariu – Boar, Bolunduţiu – Bolunduţ ..."
-
I didn't know it's on capital.ro https://www.paginademedia.ro/2019/01/site-ul-capitalro-fenomenul-anului-2018-a-crescut-de-14-ori-si-a-depasit-adevarul
-
Do you have your phone number posted publicly?
-
I had a look too: https://defuse.ca/softwaresecurity.htm
-
You mentioned a bug bounty program at some point...
-
Worth remembering. I know I'd seen another demo in which the command/file/binary was found in other registry keys.
-
I used Android Studio because I haven't used Frida. And, like, I launch the output that comes out of apktool, i.e. I run it on the remote machine. There's another thing in the latest Android versions: android:isSplitRequired="true" It allows the application not to be complete at install time, and modules are downloaded at runtime. So far I haven't seen any progress in this direction from apktool on GitHub.
-
I know there was a DefCamp presentation about fileless attacks. It was more interesting. https://www.google.com/url?sa=t&source=web&rct=j&url=https://m.youtube.com/watch%3Fv%3Dtoo1jVTLSIg&ved=2ahUKEwijr4ustezoAhUIVBUIHfJpBPMQwqsBMAB6BAgHEAQ&usg=AOvVaw2jMgdca27hBIPBizqENwez Is this the one?
-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is where it's set to start a cmd.
-
It's not enough. The secret nobody tells you is to set the application on the phone under "select app to be debugged" and then start a debug session from Android Studio.
-
It's actually a wrapper over System.Net and so on...
-
Bypassing Xamarin Certificate Pinning on Android
gigiRoman replied to Nytro's topic in Mobile security
Or:
var httpClient = new HttpClient(new HttpLoggingHandler(/*new NativeMessageHandler()*/)){ BaseAddress = new Uri(baseUrl)};
And you take the HttpLoggingHandler class from here: https://gist.github.com/dbacinski/5bd2793e33b0377ecfbcd980d6841f1e Tested half a year ago and it's okay.
-
- 1
-
Yes. Pay attention. You have two components. A client, which you make a Windows service, and the server, which is whatever you want. The client grinds away and periodically looks for connected devices, like here: https://stackoverflow.com/questions/3331043/get-list-of-connected-usb-devices Or it subscribes, like here: https://stackoverflow.com/questions/620144/detecting-usb-drive-insertion-and-removal-using-windows-service-and-c-sharp It's easy to implement in C#. If you can't manage, I can guide you. If you want me to do it for you, it's for a fee.
-
Anything. Just don't sit idle.