Everything posted by Usr6

  1. Python is an amazing language with a strong and friendly community of programmers. However, there is a lack of documentation on what to learn after getting the basics of Python down your throat. Through this book I aim to solve this problem. I would give you bits of information about some interesting topics which you can further explore. The topics which are discussed in this book open up your mind towards some nice corners of Python language. This book is an outcome of my desire to have something like this when I was beginning to learn Python. If you are a beginner, intermediate or even an advanced programmer there is something for you in this book. Please note that this book is not a tutorial and does not teach you Python. The topics are not explained in depth, instead only the minimum required information is given. I am sure you are as excited as I am so let's start!

Note: This book is a continuous work in progress. If you find anything which you can further improve (I know you will find a lot of stuff) then kindly submit a pull request!

Author

I am Muhammad Yasoob Ullah Khalid. I have been programming extensively in Python for over 3 years now. I have been involved in a lot of Open Source projects. I regularly blog about interesting Python topics over at my blog. In 2014 I also spoke at EuroPython which was held in Berlin. It is the biggest Python conference in Europe. If you have an interesting Internship opportunity for me then I would definitely like to hear from you!

Table of Contents

1. *args and **kwargs
  1.1. Usage of *args
  1.2. Usage of **kwargs
  1.3. Using *args and **kwargs to call a function
  1.4. When to use them?
2. Debugging
3. Generators
  3.1. Iterable
  3.2. Iterator
  3.3. Iteration
  3.4. Generators
4. Map, Filter and Reduce
  4.1. Map
  4.2. Filter
  4.3. Reduce
5. set Data Structure
6. Ternary Operators
7. Decorators
  7.1. Everything in Python is an object
  7.2. Defining functions within functions
  7.3. Returning functions from within functions
  7.4. Giving a function as an argument to another function
  7.5. Writing your first decorator
  7.6. Decorators with Arguments
8. Global & Return
  8.1. Multiple return values
9. Mutation
10. __slots__ Magic
11. Virtual Environment
12. Collections
  12.1. defaultdict
  12.2. OrderedDict
  12.3. counter
  12.4. deque
  12.5. namedtuple
  12.6. enum.Enum (Python 3.4+)
13. Enumerate
14. Object introspection
  14.1. dir
  14.2. type and id
  14.3. inspect module
15. Comprehensions
  15.1. list comprehensions
  15.2. dict comprehensions
  15.3. set comprehensions
16. Exceptions
  16.1. Handling multiple exceptions
17. Lambdas
18. One-Liners
19. For - Else
  19.1. else clause
20. Python C extensions
  20.1. CTypes
  20.2. SWIG
  20.3. Python/C API
21. open Function
22. Targeting Python 2+3
23. Coroutines
24. Function caching
  24.1. Python 3.2+
  24.2. Python 2+
25. Context managers
  25.1. Implementing Context Manager as a Class
  25.2. Handling exceptions
  25.3. Implementing a Context Manager as a Generator

Link: http://book.pythontips.com/en/latest/index.html
  2. Photonic Side Channel Attacks Against RSA
Elad Carmon, Jean-Pierre Seifert, Avishai Wool

Abstract: This paper describes the first attack utilizing the photonic side channel against a public-key crypto-system. We evaluated three common implementations of RSA modular exponentiation, all using the Karatsuba multiplication method. We discovered that the key length had marginal impact on resilience to the attack: attacking a 2048-bit key required only 9% more decryption attempts than a 1024-bit key. We found that the most dominant parameter impacting the attacker's effort is the minimal block size at which the Karatsuba method reverts to naive multiplication: even for parameter values as low as 32 or 64 bits our attacks achieve 100% success rate with under 10,000 decryption operations. Somewhat surprisingly, we discovered that Montgomery's Ladder, commonly perceived as the most resilient of the three implementations to side-channel attacks, was actually the most susceptible: for 2048-bit keys, our attack reveals 100% of the secret key bits with as few as 4000 decryptions.

Link: https://eprint.iacr.org/2017/108.pdf
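The two building blocks the abstract names, Karatsuba multiplication with a cut-off below which it falls back to naive (schoolbook) multiplication, and RSA modular exponentiation as either plain square-and-multiply or the Montgomery ladder, as an added example in Python. This is not the paper's code and makes no claim about what the photonic channel measures; it only makes visible how the cut-off and the exponentiation method change the sequence of naive multiplications, which the abstract identifies as the parameter that dominates the attacker's effort. The counter, the function names and the `cutoff_bits` parameter are assumptions for illustration.

```python
"""Karatsuba with a naive-multiplication cut-off, plus square-and-multiply and
Montgomery-ladder exponentiation built on it.  Added example, not the paper's code."""

NAIVE_CALLS = 0  # how many times the multiplier fell back to schoolbook multiplication


def karatsuba(x, y, cutoff_bits=64):
    """Recursive Karatsuba; operands at or below cutoff_bits are multiplied naively.
    The cut-off is the 'minimal block size' the abstract refers to."""
    global NAIVE_CALLS
    if x.bit_length() <= cutoff_bits or y.bit_length() <= cutoff_bits:
        NAIVE_CALLS += 1
        return x * y  # stands in for the naive multiplication routine
    n = max(x.bit_length(), y.bit_length()) // 2
    mask = (1 << n) - 1
    x1, x0 = x >> n, x & mask
    y1, y0 = y >> n, y & mask
    z2 = karatsuba(x1, y1, cutoff_bits)
    z0 = karatsuba(x0, y0, cutoff_bits)
    z1 = karatsuba(x1 + x0, y1 + y0, cutoff_bits) - z2 - z0
    return (z2 << (2 * n)) + (z1 << n) + z0


def mulmod(a, b, mod, cutoff_bits):
    return karatsuba(a, b, cutoff_bits) % mod


def square_and_multiply(base, exp, mod, cutoff_bits=64):
    """Left-to-right binary exponentiation: every bit costs a squaring, and only
    1 bits cost an extra multiplication, so the operation count follows the key."""
    result = 1
    for bit in bin(exp)[2:]:
        result = mulmod(result, result, mod, cutoff_bits)
        if bit == "1":
            result = mulmod(result, base, mod, cutoff_bits)
    return result


def montgomery_ladder(base, exp, mod, cutoff_bits=64):
    """One multiplication and one squaring per bit whatever its value; only which
    register is squared depends on the bit.  Constant operation count, same result."""
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = mulmod(r0, r1, mod, cutoff_bits)
            r0 = mulmod(r0, r0, mod, cutoff_bits)
        else:
            r0 = mulmod(r0, r1, mod, cutoff_bits)
            r1 = mulmod(r1, r1, mod, cutoff_bits)
    return r0


def count_naive_calls(method, base, exp, mod, cutoff_bits):
    """Run one exponentiation and return (result, number of naive multiplications)."""
    global NAIVE_CALLS
    NAIVE_CALLS = 0
    result = method(base, exp, mod, cutoff_bits)
    return result, NAIVE_CALLS


if __name__ == "__main__":
    # Small, constructed RSA-like parameters so the run is instant.
    mod = (2 ** 127 - 1) * (2 ** 89 - 1)
    exp = 0xDEADBEEFCAFEBABE
    base = 0x1234567890ABCDEF
    for cutoff in (32, 64, 128):
        for method in (square_and_multiply, montgomery_ladder):
            result, calls = count_naive_calls(method, base, exp, mod, cutoff)
            assert result == pow(base, exp, mod)
            print("%-20s cutoff=%3d bits -> %d naive multiplications" % (method.__name__, cutoff, calls))
```

Lowering the cut-off multiplies the number of naive multiplications per modular operation, which is the direction the abstract reports as making the attack easier; the ladder's constant count is the property usually cited in its favour, and the abstract's point is that this property did not protect it against the photonic channel.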
  3. If you wanted an exhaustive reference for all the command line tools and utilities available in Windows, "/h" was as good as it got. Well, that was until last month, when Microsoft published a whopping big PDF with information on every single terminal command the operating system has to offer. The document, released on April 18, comes in at 4.6MB and 948 pages and covers the following platforms:

Windows Server (Semi-Annual Channel)
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2
Windows Server 2008
Windows 10
Windows 8.1

Even though Windows 7 is absent, it's fair to say a lot of the commands should work on the older OS. The reference isn't just limited to commands — it also contains tips for configuring the command prompt window, as well as changes you can make to the Registry to enable and disable features, such as filename / directory completion. Best of all, hyperlinks embedded in the file for each command jump directly to online documentation, so you can always check out the most up-to-date content. This does however raise the question: why have a gigantic reference PDF in the age of online documentation? I guess if you print it out, it makes for good toilet reading material?

Windows Commands Reference [Microsoft, via Bleeping Computer]

Source: https://www.lifehacker.com.au/2018/05/microsoft-publishes-massive-948-page-pdf-with-every-windows-terminal-command-you-could-ever-need/
  4. Syhunt Huntpad is a notepad application with features that are particularly useful to penetration testers and bug hunters - a collection of common injection string generators, hash generators, encoders and decoders, HTML and text manipulation functions, and so on, coupled with syntax highlighting for several programming languages. Huntpad borrows many features from Syhunt Sandcat's QuickInject sidebar. Like its cousin, it is focused on File Inclusion, XSS and SQL Injection and comes with the following options:

Syntax Highlighting - supporting HTML, JavaScript, CSS, XML, PHP, Ruby, SQL, Pascal, Perl, Python and VBScript.

SQL Injection functions:
- Filter Evasion - Database-Specific String Escape (CHAR & CHR). Conversion of strings to quoted strings, conversion of spaces to comment tags or new lines
- Filter Evasion (MySQL-Specific) - String Concatenation, Percent Obfuscation & Integer Representation (eg: '26' becomes 'ceil(pi()*pi())*(!!!pi()+true)+ceil(@@version)', a technique presented by Johannes Dahse).
- UNION Statement Maker
- Quick insertion of common injections covering DB2, Informix, Ingres, MySQL, MSSQL, Oracle & PostgreSQL

File Inclusion functions:
- Quick Shell Upload code generator
- PHP String Escape (chr)

Cross-Site Scripting (XSS) functions:
- Filter Evasion - JavaScript String Escape (String.fromCharCode), CSS Escape
- Various handy alert statements for testing for XSS vulnerabilities.

Hash functions:
- Hash Generators - MD5, SHA-1, SHA-2 (224, 256, 384 & 512), GOST, HAVAL (various), MD2, MD4, RIPEMD (128, 160, 256 & 320), Salsa10, Salsa20, Snefru (128 & 256), Tiger (various) & WHIRLPOOL

Encoders/Decoders:
- URL Encoder/Decoder
- Hex Encoder/Decoder - Converts a string or integer to hexadecimal or vice-versa (multiple output formats supported).
- Base64 Encoder/Decoder
- CharCode Converter - Converts a string to charcodes (eg: 'abc' becomes '97,98,99') or vice-versa.
- IP Obfuscator - Converts an IP to dword, hex or octal.
- JavaScript Encoders - Such as JJEncode by Yosuke HASEGAWA

HTML functions:
- HTML Escape/Unescape
- HTML Entity Encoder/Decoder - Decimal and hexadecimal HTML entity encoders & decoders
- JavaScript and CSS beautifiers
- JavaScript String Escape

Text Manipulation functions - Uppercase, Lowercase, Swap Case, Title Case, Reverse, Shuffle, Strip Slashes, Strip Spaces, Add Slashes, Char Separator

Other functions:
- Time-Based Blind Injection code - Covering MySQL, MSSQL, Oracle, PostgreSQL, Server-Side JavaScript & MongoDB
- CRC Calculators - CRC16, CRC32, CRC32b, and more.
- Classical Ciphers - ROT13 & ROT[N]
- Checksum Calculators - Adler-32 & Fletcher
- Buffer Overflow String Creator
- Random String & Number Generation functions
- URL Splitter
- Useful Strings - Math, character sets and more.

Download: http://www.syhunt.com/en/index.php?n=Products.SyhuntHuntpad
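Three of the helpers listed above (the IP obfuscator, the CharCode converter and the CHAR/CHR and String.fromCharCode string escapes) reimplemented from scratch in Python as an added example. This is not Syhunt's code; Huntpad's exact output formats are not described on the page, so the hex and octal spellings, the dialect names and all function names below are my own choices.

```python
"""Filter-evasion helpers of the kind Huntpad offers, written as an added example
(not Syhunt's code) using only the standard library."""


def parse_ipv4(ip):
    """Split a dotted quad into four validated octets; raise on anything else."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError("expected a.b.c.d, got %r" % ip)
    octets = [int(part, 10) for part in parts]
    if any(octet < 0 or octet > 255 for octet in octets):
        raise ValueError("octet out of range in %r" % ip)
    return octets


def ip_to_dword(ip):
    """'127.0.0.1' -> 2130706433, the address as a single integer (assumed format)."""
    a, b, c, d = parse_ipv4(ip)
    return (a << 24) | (b << 16) | (c << 8) | d


def dword_to_ip(dword):
    """2130706433 -> '127.0.0.1', to check what a dword form really points at."""
    return ".".join(str((dword >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_to_hex(ip):
    """'127.0.0.1' -> '0x7f000001', whole address as one hex literal (assumed format)."""
    return "0x%08x" % ip_to_dword(ip)


def ip_to_dotted_hex(ip):
    """'127.0.0.1' -> '0x7f.0x0.0x0.0x1', each octet in hex (assumed format)."""
    return ".".join("0x%x" % octet for octet in parse_ipv4(ip))


def ip_to_octal(ip):
    """'127.0.0.1' -> '0177.00.00.01', each octet as a leading-zero octal literal (assumed format)."""
    return ".".join("0%o" % octet for octet in parse_ipv4(ip))


def to_charcodes(text):
    """'abc' -> '97,98,99' (the page's own example)."""
    return ",".join(str(ord(ch)) for ch in text)


def from_charcodes(codes):
    """'97,98,99' -> 'abc'."""
    return "".join(chr(int(code)) for code in codes.split(",") if code.strip())


def sql_char_escape(text, dialect="mysql"):
    """Rewrite a string literal without quote characters.
    MySQL CHAR() accepts a list of codes; MSSQL CHAR() and Oracle/PostgreSQL CHR()
    take one code each, so their pieces are concatenated with + or ||."""
    codes = [ord(ch) for ch in text]
    if dialect == "mysql":
        return "CHAR(%s)" % ",".join(str(code) for code in codes)
    if dialect == "mssql":
        return "+".join("CHAR(%d)" % code for code in codes)
    return "||".join("CHR(%d)" % code for code in codes)  # oracle, postgresql


def js_fromcharcode(text):
    """'ab' -> 'String.fromCharCode(97,98)', the JavaScript string escape."""
    return "String.fromCharCode(%s)" % to_charcodes(text)


def php_chr_escape(text):
    """'ab' -> 'chr(97).chr(98)', the PHP string escape."""
    return ".".join("chr(%d)" % ord(ch) for ch in text)


if __name__ == "__main__":
    target = "127.0.0.1"  # constructed input
    for form in (ip_to_dword, ip_to_hex, ip_to_dotted_hex, ip_to_octal):
        print("%-16s %s" % (form.__name__, form(target)))
    print(sql_char_escape("admin"), sql_char_escape("admin", "oracle"))
    print(js_fromcharcode("alert(1)"))
```

Whether a given obfuscated IP form is accepted depends on the resolver on the receiving side (URL parsers and libc's inet_aton differ), so a pentester should confirm each form against the actual target rather than assume all of them work.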
  5. I'm tired of saying, "Be careful, it's speculative." Then, "Be careful, it's gambling." Then, "Be careful, it's a bubble." Okay, I'll say it: Bitcoin is a scam. In my opinion, it's a colossal pump-and-dump scheme, the likes of which the world has never seen. In a pump-and-dump game, promoters "pump" up the price of a security creating a speculative frenzy, then "dump" some of their holdings at artificially high prices. And some cryptocurrencies are pure frauds. Ernst & Young estimates that 10 percent of the money raised for initial coin offerings has been stolen. The losers are ill-informed buyers caught up in the spiral of greed. The result is a massive transfer of wealth from ordinary families to internet promoters. And "massive" is a massive understatement — 1,500 different cryptocurrencies now register over $300 billion of "value."

It helps to understand that a bitcoin has no value at all. Promoters claim cryptocurrency is valuable as (1) a means of payment, (2) a store of value and/or (3) a thing in itself. None of these claims are true.

1. Means of Payment. Bitcoins are accepted almost nowhere, and some cryptocurrencies nowhere at all. Even where accepted, a currency whose value can swing 10 percent or more in a single day is useless as a means of payment.

2. Store of Value. Extreme price volatility also makes bitcoin undesirable as a store of value. And the storehouses — the cryptocurrency trading exchanges — are far less reliable and trustworthy than ordinary banks and brokers.

3. Thing in Itself. A bitcoin has no intrinsic value. It only has value if people think other people will buy it for a higher price — the Greater Fool theory. Some cryptocurrencies, like Sweatcoin, which is redeemable for workout gear, are the equivalent of online coupons or frequent flier points — a purpose better served by simple promo codes than complex encryption.

Indeed, for the vast majority of uses, bitcoin has no role. Dollars, pounds, euros, yen and renminbi are better means of payment, stores of value and things in themselves. Cryptocurrency is best-suited for one use: Criminal activity. Because transactions can be anonymous — law enforcement cannot easily trace who buys and sells — its use is dominated by illegal endeavors. Most heavy users of bitcoin are criminals, such as Silk Road and WannaCry ransomware. Too many bitcoin exchanges have experienced spectacular heists, such as NiceHash and Coincheck, or outright fraud, such as Mt. Gox and Bitfunder. Way too many Initial Coin Offerings are scams — 418 of the 902 ICOs in 2017 have already failed. Hackers are getting into the act. It's estimated that 90 percent of all remote hacking is now focused on bitcoin theft by commandeering other people's computers to mine coins. Even ordinary buyers are flouting the law. Tax law requires that every sale of cryptocurrency be recorded as a capital gain or loss and, of course, most bitcoin sellers fail to do so. The IRS recently ordered one major exchange to produce records of every significant transaction.

And yet, a prominent Silicon Valley promoter of bitcoin proclaims that "Bitcoin is going to transform society ... Bitcoin's been very resilient. It stayed alive during a very difficult time when there was the Silk Road mess, when Mt. Gox stole all that Bitcoin ..." He argues the criminal activity shows that bitcoin is strong. I'd say it shows that bitcoin is used for criminal activity.

Bitcoin transactions are sometimes promoted as instant and nearly free, but they're often relatively slow and expensive. It takes about an hour for a bitcoin transaction to be confirmed, and the bitcoin system is limited to five transactions per second. MasterCard can process 38,000 per second. Transferring $100 from one person to another costs about $6 using a cryptocurrency exchange, and well less than $1 using an electronic check.

Bitcoin is absurdly wasteful of natural resources. Because it is so compute-intensive, it takes as much electricity to create a single bitcoin — a process called "mining" — as it does to power an average American household for two years. If bitcoin were used for a large portion of the world's commerce (which won't happen), it would consume a very large portion of the world's electricity, diverting scarce power from useful purposes.

In what rational universe could someone simply issue electronic scrip — or just announce that they intend to — and create, out of the blue, billions of dollars of value? It makes no sense. All of this would be a comic sideshow if innocent people weren't at risk. But ordinary people are investing some of their life savings in cryptocurrency. One stock brokerage is encouraging its customers to purchase bitcoin for their retirement accounts! It's the job of the SEC and other regulators to protect ordinary investors from misleading and fraudulent schemes. It's time we gave them the legislative authority to do their job.

Source: https://www.recode.net/2018/4/24/17275202/bitcoin-scam-cryptocurrency-mining-pump-dump-fraud-ico-value#
  6. As before, the CrackMe is dedicated to malware analysts and to those who want to practice becoming them. That's why it is not just a set of some abstract riddles, but an exercise that walks through selected tricks that were used in real malware. (Expect some original schemes designed just for this game, too.) Of course, all is demonstrated on harmless examples, but we still recommend you use a VM for reversing it so that it will not interfere with any antivirus protection.

Rules of the contest

There are two CrackMe contests:

Capture the flag. The first three submitted flags win. The flag should be submitted along with (minimalistic) notes about the steps taken to find it. (No detailed write-up is required.)

Best write-up. The write-up will be judged by its educational value, clarity, and accuracy. The author should show his/her method of solving the CrackMe, as well as their level of understanding of the techniques used. The write-up submission contest closes three weeks after capture the flag.

Submissions to both contests should be sent to my Twitter account: @hasherezade. Each of the four winners will get a prize: a book of his/her choice and some Malwarebytes swag. At the end of the contest, I will publish my own solution, made from the point of view of the author. All the submitted write-ups will be linked.

Asking questions

I want the contest to be fair to everyone, so I will not be answering any questions in private. However, if you are stuck, please don't hesitate to post your question in the comments section of this post, and I will answer as soon as possible. The questions can also be answered by other participants. Giving false clues or teasing beginners will result in a ban — please respect fair play.

The application

The application is a Windows executable. It was tested on Windows 7 and above. You can download it here. Have fun!

Source: https://blog.malwarebytes.com/security-world/2018/04/malwarebytes-crackme-2-another-challenge/
  7. My personal challenge for 2016 was to build a simple AI to run my home -- like Jarvis in Iron Man. My goal was to learn about the state of artificial intelligence -- where we're further along than people realize and where we're still a long ways off. These challenges always lead me to learn more than I expected, and this one also gave me a better sense of all the internal technology Facebook engineers get to use, as well as a thorough overview of home automation.

So far this year, I've built a simple AI that I can talk to on my phone and computer, that can control my home, including lights, temperature, appliances, music and security, that learns my tastes and patterns, that can learn new words and concepts, and that can even entertain Max. It uses several artificial intelligence techniques, including natural language processing, speech recognition, face recognition, and reinforcement learning, written in Python, PHP and Objective C. In this note, I'll explain what I built and what I learned along the way.

[Image: Diagram of the systems connected to build Jarvis.]

Getting Started: Connecting the Home

In some ways, this challenge was easier than I expected. In fact, my running challenge (I also set out to run 365 miles in 2016) took more total time. But one aspect that was much more complicated than I expected was simply connecting and communicating with all of the different systems in my home. Before I could build any AI, I first needed to write code to connect these systems, which all speak different languages and protocols. We use a Crestron system with our lights, thermostat and doors, a Sonos system with Spotify for music, a Samsung TV, a Nest cam for Max, and of course my work is connected to Facebook's systems. I had to reverse engineer APIs for some of these to even get to the point where I could issue a command from my computer to turn the lights on or get a song to play.

Further, most appliances aren't even connected to the internet yet. It's possible to control some of these using internet-connected power switches that let you turn the power on and off remotely. But often that isn't enough. For example, one thing I learned is it's hard to find a toaster that will let you push the bread down while it's powered off so you can automatically start toasting when the power goes on. I ended up finding an old toaster from the 1950s and rigging it up with a connected switch. Similarly, I found that connecting a food dispenser for Beast or a grey t-shirt cannon would require hardware modifications to work. For assistants like Jarvis to be able to control everything in homes for more people, we need more devices to be connected and the industry needs to develop common APIs and standards for the devices to talk to each other.

[Image: An example natural language request from the command line.]

Natural Language

Once I wrote the code so my computer could control my home, the next step was making it so I could talk to my computer and home the way I'd talk to anyone else. This was a two step process: first I made it so I could communicate using text messages, and later I added the ability to speak and have it translate my speech into text for it to read. It started simple by looking for keywords, like "bedroom", "lights", and "on" to determine I was telling it to turn the lights on in the bedroom. It quickly became clear that it needed to learn synonyms, like that "family room" and "living room" mean the same thing in our home. This meant building a way to teach it new words and concepts.

Understanding context is important for any AI. For example, when I tell it to turn the AC up in "my office", that means something completely different from when Priscilla tells it the exact same thing. That one caused some issues! Or, for example, when you ask it to make the lights dimmer or to play a song without specifying a room, it needs to know where you are or it might end up blasting music in Max's room when we really need her to take a nap. Whoops.

Music is a more interesting and complex domain for natural language because there are too many artists, songs and albums for a keyword system to handle. The range of things you can ask it is also much greater. Lights can only be turned up or down, but when you say "play X", even subtle variations can mean many different things. Consider these requests related to Adele: "play someone like you", "play someone like adele", and "play some adele". Those sound similar, but each is a completely different category of request. The first plays a specific song, the second recommends an artist, and the third creates a playlist of Adele's best songs. Through a system of positive and negative feedback, an AI can learn these differences.

The more context an AI has, the better it can handle open-ended requests. At this point, I mostly just ask Jarvis to "play me some music" and by looking at my past listening patterns, it mostly nails something I'd want to hear. If it gets the mood wrong, I can just tell it, for example, "that's not light, play something light", and it can both learn the classification for that song and adjust immediately. It also knows whether I'm talking to it or Priscilla is, so it can make recommendations based on what we each listen to. In general, I've found we use these more open-ended requests more frequently than more specific asks. No commercial products I know of do this today, and this seems like a big opportunity.

[Image: Jarvis uses face recognition to let my friends in automatically and let me know.]

Vision and Face Recognition

About one-third of the human brain is dedicated to vision, and there are many important AI problems related to understanding what is happening in images and videos. These problems include tracking (e.g. is Max awake and moving around in her crib?), object recognition (e.g. is that Beast or a rug in that room?), and face recognition (e.g. who is at the door?). Face recognition is a particularly difficult version of object recognition because most people look relatively similar compared to telling apart two random objects -- for example, a sandwich and a house. But Facebook has gotten very good at face recognition for identifying when your friends are in your photos. That expertise is also useful when your friends are at your door and your AI needs to determine whether to let them in.

To do this, I installed a few cameras at my door that can capture images from all angles. AI systems today cannot identify people from the back of their heads, so having a few angles ensures we see the person's face. I built a simple server that continuously watches the cameras and runs a two step process: first, it runs face detection to see if any person has come into view, and second, if it finds a face, then it runs face recognition to identify who the person is. Once it identifies the person, it checks a list to confirm I'm expecting that person, and if I am then it will let them in and tell me they're here.

This type of visual AI system is useful for a number of things, including knowing when Max is awake so it can start playing music or a Mandarin lesson, or solving the context problem of knowing which room in the house we're in so the AI can correctly respond to context-free requests like "turn the lights on" without providing a location. Like most aspects of this AI, vision is most useful when it informs a broader model of the world, connected with other abilities like knowing who your friends are and how to open the door when they're here. The more context the system has, the smarter it gets overall.

[Image: I can text Jarvis from anywhere using a Messenger bot.]

Messenger Bot

I programmed Jarvis on my computer, but in order to be useful I wanted to be able to communicate with it from anywhere I happened to be. That meant the communication had to happen through my phone, not a device placed in my home. I started off building a Messenger bot to communicate with Jarvis because it was so much easier than building a separate app. Messenger has a simple framework for building bots, and it automatically handles many things for you -- working across both iOS and Android, supporting text, image and audio content, reliably delivering push notifications, managing identity and permissions for different people, and more. You can learn about the bot framework at messenger.com/platform.

I can text anything to my Jarvis bot, and it will instantly be relayed to my Jarvis server and processed. I can also send audio clips and the server can translate them into text and then execute those commands. In the middle of the day, if someone arrives at my home, Jarvis can text me an image and tell me who's there, or it can text me when I need to go do something.

One thing that surprised me about my communication with Jarvis is that when I have the choice of either speaking or texting, I text much more than I would have expected. This is for a number of reasons, but mostly it feels less disturbing to people around me. If I'm doing something that relates to them, like playing music for all of us, then speaking feels fine, but most of the time text feels more appropriate. Similarly, when Jarvis communicates with me, I'd much rather receive that over text message than voice. That's because voice can be disruptive and text gives you more control of when you want to look at it. Even when I speak to Jarvis, if I'm using my phone, I often prefer it to text or display its response.

This preference for text communication over voice communication fits a pattern we're seeing with Messenger and WhatsApp overall, where the volume of text messaging around the world is growing much faster than the volume of voice communication. This suggests that future AI products cannot be solely focused on voice and will need a private messaging interface as well. Once you're enabling private messaging, it's much better to use a platform like Messenger than to build a new app from scratch. I have always been optimistic about AI bots, but my experience with Jarvis has made me even more optimistic that we'll all communicate with bots like Jarvis in the future.

[Image: Jarvis uses speech recognition in my iOS app to listen to my request for a fresh t-shirt.]

Voice and Speech Recognition

Even though I think text will be more important for communicating with AIs than people realize, I still think voice will play a very important role too. The most useful aspect of voice is that it's very fast. You don't need to take out your phone, open an app, and start typing -- you just speak. To enable voice for Jarvis, I needed to build a dedicated Jarvis app that could listen continuously to what I say. The Messenger bot is great for many things, but the friction for using speech is way too much. My dedicated Jarvis app lets me put my phone on a desk and just have it listen. I could also put a number of phones with the Jarvis app around my home so I could talk to Jarvis in any room. That seems similar to Amazon's vision with Echo, but in my experience, it's surprising how frequently I want to communicate with Jarvis when I'm not home, so having the phone be the primary interface rather than a home device seems critical.

I built the first version of the Jarvis app for iOS and I plan to build an Android version soon too. I hadn't built an iOS app since 2012 and one of my main observations is that the toolchain we've built at Facebook since then for developing these apps and for doing speech recognition is very impressive. Speech recognition systems have improved recently, but no AI system is good enough to understand conversational speech just yet. Speech recognition relies on both listening to what you say and predicting what you will say next, so structured speech is still much easier to understand than unstructured conversation.

Another interesting limitation of speech recognition systems -- and machine learning systems more generally -- is that they are more optimized for specific problems than most people realize. For example, understanding a person talking to a computer is a subtly different problem from understanding a person talking to another person. If you train a machine learning system on data from Google of people speaking to a search engine, it will perform relatively worse on Facebook at understanding people talking to real people. In the case of Jarvis, training an AI that you'll talk to at close range is also different from training a system you'll talk to from all the way across the room, like Echo. These systems are more specialized than it appears, and that implies we are further off from having general systems than it might seem.

On a psychological level, once you can speak to a system, you attribute more emotional depth to it than a computer you might interact with using text or a graphic interface. One interesting observation is that ever since I built voice into Jarvis, I've also wanted to build in more humor. Part of this is that now it can interact with Max and I want those interactions to be entertaining for her, but part of it is that it now feels like it's present with us. I've taught it fun little games like Priscilla or I can ask it who we should tickle and it will randomly tell our family to all go tickle one of us, Max or Beast. I've also had fun adding classic lines like "I'm sorry, Priscilla. I'm afraid I can't do that."

There's a lot more to explore with voice. The AI technology is just getting good enough for this to be the basis of a great product, and it will get much better in the next few years. At the same time, I think the best products like this will be ones you can bring with you anywhere and communicate with privately as well.

Facebook Engineering Environment

As the CEO of Facebook, I don't get much time to write code in our internal environment. I've never stopped coding, but these days I mostly build personal projects like Jarvis. I expected I'd learn a lot about the state of AI this year, but I didn't realize I would also learn so much about what it's like to be an engineer at Facebook. And it's impressive. My experience of ramping up in the Facebook codebase is probably pretty similar to what most new engineers here go through. I was consistently impressed by how well organized our code is, and how easy it was to find what you're looking for -- whether it's related to face recognition, speech recognition, the Messenger Bot Framework [messenger.com/platform] or iOS development.

The open source Nuclide [github.com/facebook/nuclide] packages we've built to work with GitHub's Atom make development much easier. The Buck [buckbuild.com] build system we've developed to build large projects quickly also saved me a lot of time. Our open source FastText [github.com/facebookresearch/fastText] AI text classification tool is also a good one to check out, and if you're interested in AI development, the whole Facebook Research [github.com/facebookresearch] GitHub repo is worth taking a look at.

One of our values is "move fast". That means you should be able to come here and build an app faster than you can anywhere else, including on your own. You should be able to come here and use our infra and AI tools to build things it would take you a long time to build on your own. Building internal tools that make engineering more efficient is important to any technology company, but this is something we take especially seriously. So I want to give a shout out to everyone on our infra and tools teams that make this so good.

Next Steps

Although this challenge is ending, I'm sure I'll continue improving Jarvis since I use it every day and I'm always finding new things I want to add. In the near term, the clearest next steps are building an Android app, setting up Jarvis voice terminals in more rooms around my home, and connecting more appliances. I'd love to have Jarvis control my Big Green Egg and help me cook, but that will take even more serious hacking than rigging up the t-shirt cannon. In the longer term, I'd like to explore teaching Jarvis how to learn new skills itself rather than me having to teach it how to perform specific tasks. If I spent another year on this challenge, I'd focus more on learning how learning works.

Finally, over time it would be interesting to find ways to make this available to the world. I considered open sourcing my code, but it's currently too tightly tied to my own home, appliances and network configuration. If I ever build a layer that abstracts more home automation functionality, I may release that. Or, of course, that could be a great foundation to build a new product.

Conclusions

Building Jarvis was an interesting intellectual challenge, and it gave me direct experience building AI tools in areas that are important for our future. I've previously predicted that within 5-10 years we'll have AI systems that are more accurate than people for each of our senses -- vision, hearing, touch, etc, as well as things like language. It's impressive how powerful the state of the art for these tools is becoming, and this year makes me more confident in my prediction. At the same time, we are still far off from understanding how learning works. Everything I did this year -- natural language, face recognition, speech recognition and so on -- are all variants of the same fundamental pattern recognition techniques. We know how to show a computer many examples of something so it can recognize it accurately, but we still do not know how to take an idea from one domain and apply it to something completely different.

To put that in perspective, I spent about 100 hours building Jarvis this year, and now I have a pretty good system that understands me and can do lots of things. But even if I spent 1,000 more hours, I probably wouldn't be able to build a system that could learn completely new skills on its own -- unless I made some fundamental breakthrough in the state of AI along the way. In a way, AI is both closer and farther off than we imagine. AI is closer to being able to do more powerful things than most people expect -- driving cars, curing diseases, discovering planets, understanding media. Those will each have a great impact on the world, but we're still figuring out what real intelligence is.

Overall, this was a great challenge. These challenges have a way of teaching me more than I expected at the beginning. This year I thought I'd learn about AI, and I also learned about home automation and Facebook's internal technology too. That's what's so interesting about these challenges. Thanks for following along with this challenge and I'm looking forward to sharing next year's challenge in a few weeks.

Source: https://www.facebook.com/notes/mark-zuckerberg/building-jarvis/10154361492931634/
  8. A team of academics has successfully developed and tested malware that can exfiltrate data from air-gapped computers via power lines. The team —from the Ben-Gurion University of the Negev in Israel— named their data exfiltration technique PowerHammer.

PowerHammer works by infecting an air-gapped computer with malware that intentionally alters CPU utilization levels to make the victim's computer consume more or less electrical power. By default, computers extract power from the local network in a uniform manner. A PowerHammer attack produces a variation in the amount of power a victim's PC sucks from the local electrical network. This phenomenon is known as a "conducted emission." By altering the high and low power consumption levels, PowerHammer malware can encode binary data from a victim's computer into the power consumption pattern.

There are two types of PowerHammer attacks

To retrieve this data, an attacker must tap a victim's electrical network so it can read the power consumption variation and decode the binary data hidden inside. Based on where the attacker places his tapping rig, two types of PowerHammer attacks exist, with two different exfiltration speeds.

The first is "line level power-hammering," and this occurs when the attacker manages to tap the power cable between the air-gapped computer and the electrical socket. The exfiltration speed for line level hammering is around 1,000 bits/second.

The second is "phase level power-hammering"; this version of the attack occurs when the intruder taps the power lines at the phase level, in a building's electrical panel. This version of the PowerHammer attack is more stealthy but can recover data at only 10 bits/second, mainly due to the greater amount of "noise" at the power line phase level.

Attack uses off-the-shelf electrical equipment

The tapping device isn't anything super-advanced, being a mundane split-core current transformer that can be attached to any electrical line.

"This is a non-invasive probe which is clamped around the power line and measures the amount of current passing through it (Fig. 10). The non-invasive probe behaves like an inductor which responds to the magnetic field around a current-carrying cable (Fig. 10 b). The amount of current in the coil is correlated with the amount of current flowing in the conductor. For our experiments we used SparkFun's split core current transformer ECS1030-L72."

The tapping device (probe) is also capable of sending the recorded data to a nearby computer via WiFi, making data collection easier from afar, without the attacker having to physically connect to the tapping probe.

Attack works on desktops, servers, IoT devices

Experiments revealed the attack is successful for stealing data from air-gapped desktops, laptops, servers, and even IoT devices, but the exfiltration speed is slower for the latter. Another observation is that exfiltration speed gets better the more cores a CPU possesses.

Mitigations and more details for our technically inclined users are available in the research team's paper, entitled "PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines." It also must be said that this malware is only an experiment and if ever deployed in the wild, such a tool would only be found in the arsenal of intelligence agencies and not something that normal users would see every day.

The research center from the Ben-Gurion University of the Negev who came up with this new data exfiltration technique has a long history of innovative —and sometimes weird— hacks, all listed below:

LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
SPEAKE(a)R - use headphones to record audio and spy on nearby users
9-1-1 DDoS - launch DDoS attacks that can cripple a US state's 911 emergency systems
USBee - make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
BitWhisper - exfiltrate data from non-networked computers using heat emanations
Unnamed attack - uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems
xLED - use router or switch LEDs to exfiltrate data
Shattered Trust - using backdoored replacement parts to take over smartphones
aIR-Jumper - use security camera infrared capabilities to steal data from air-gapped networks
HVACKer - use HVAC systems to control malware on air-gapped systems
MAGNETO & ODINI - steal data from Faraday cage-protected systems
MOSQUITO - steal data from PCs using speakers and headphones

Source: https://www.bleepingcomputer.com/news/security/researchers-create-malware-that-steals-data-via-power-lines/
  9. A study funded by DARPA increased the possibility of memory-enhancing brain prosthetics. The animal research done previously showed successful results, after which the study was conducted on patients at Wake Forest Baptist Medical Center. The patients there already had brain implants as a part of their epilepsy treatment. They experienced major improvements in both short-term and long-term memory.

The patients were asked to play a memory-related computer game in which they were asked to remember specific things. When the patients were trying to remember those things, the researchers recorded various patterns of neural firing in the brain's hippocampus area. The hippocampus area of the brain is responsible for memory. They also paid attention to neural patterns that resulted in the correct memory being encoded. After that, they made the patients play the game again and electrically stimulated each patient's brain by using the encoding patterns studied earlier. They were hoping to use those electrical stimulators to trigger more effective memory storage of the data which they have.

The method worked successfully and showed results that were better than what the team was expecting. The results on the short-term memory tests jumped by a huge 37% and the long-term memory tests enhanced by 35%.

Robert Hampson, the lead author of the study, said, "We showed that we could tap into a patient's own memory content, reinforce it and feed it back to the patient. Even when a person's memory is impaired, it is possible to identify the neural firing patterns that indicate correct memory formation and separate them from the patterns that are incorrect. We can then feed in the correct patterns to assist the patient's brain in accurately forming new memories, not as a replacement for innate memory function, but as a boost to it."

The research has opened the door to memory-enhancing brain implants. These implants might give a button which can be pressed when looking at something to increase the chances of remembering it later. The researchers are looking at this as a potential medical device to help patients with Alzheimer's, stroke or traumatic brain injury. The implant will help them re-start the process of forming new memories using their brain's own activity patterns. The team is also hoping that the technology might be able to assist people in keeping memories which they have encoded already.

Hampson says, "In the future, we hope to be able to help people hold onto specific memories, such as where they live or what their grandkids look like when their overall memory begins to fail."

Source: http://wonderfulengineering.com/brain-prosthetic-boost-memory-shown-impressive-results-human-trials/
  10. Fun stuff

Source of the picture and links to the Twitter discussion: https://www.reddit.com/r/sysadmin/comments/8aem4n/tmobile_plaintext_password_data_breach_thought_to/
  11. Over 80 recipes that will take your PHP 7 web development skills to the next level! This is the most up-to-date book on the market on PHP. It covers the new features of version 7.x, best practices for server-side programming, and MVC frameworks. The recipe-based approach will allow you to explore the unique capabilities that PHP offers to web programmers.

Link: https://www.packtpub.com/packt/offers/free-learning
  12. Canon has just released this new 3-minute video showing the power of its 120-megapixel CMOS sensor, which it first announced in September 2015 and then showed off at an expo in May 2016.

The sensor is called the 120MXS, and it has an ultra-high resolution of 13280×9184, or about 60 times the resolution of Full HD video. Physically, the sensor is an APS-H sensor (29.22×20.20mm), which falls between full frame (36×24 mm) and APS-C crop (22.5x15mm):

“Ultra-high-resolution is made possible by parallel signal processing, which reads signals at high speed from multiple pixels,” Canon says. “All pixel progressive reading of 9.4fps is made possible by 28 digital signal output channels. It is available in RGB or with twice the sensitivity, in monochrome.”

When shooting video of the inner workings of a watch, the sensor is able to capture significantly more detail compared to a 1080p camera:

You can shoot some ordinary footage with an ordinary lens and then reveal an extraordinary amount of detail simply by digitally zooming into the frame:

A video still frame captured with the 120MP sensor.
A tiny crop of the still frame captured by the 120MP sensor.

For another demonstration of this sensor’s abilities, Canon took it to a rugby match and pitted it against standard Full HD footage captured using the Canon 1D Mark IV. Canon pointed the cameras at a wide view of the fans in the stands:

Here’s the difference in detail between the two cameras:

Full HD
120MP sensor

“Through the further development of CMOS image sensors, Canon seeks to continue breaking new ground in the world of imaging,” Canon says.

Still no word on if or when we’ll be seeing this 120MP sensor released in a camera available to consumers. If you’d like one in the future, though, you should probably start stockpiling hard drives: RAW photos shot by the sensor weigh in at 210MB each. (via CanonUSA via CanonWatch)

Source: https://petapixel.com/2018/03/29/this-is-the-power-of-canons-120mp-camera-sensor/
  13. Sublime has highly customizable build systems that can add to your productivity if you learn how to use them to your advantage. You can define one for your project and whenever you are editing any file, you can run certain commands on the source file and see the output in the sublime console, without leaving the editor.

I mostly use IntelliJ for development but still find myself switching to sublime text from time to time, depending upon the nature of the project. I mainly use sublime when I have to write some small script or a library, and when I use it I prefer to set up the build system to make it easier to test.

In this post I am going to explain how to create one by creating an example build system for a hello-world php application. But the steps should be the same for any language. So let's get started.

The first thing that you are going to do is create a new build system. You can do that by going to the path below:

Tools > Build System > New Build System

This will open a new file named untitled.sublime-build. Update the file and put the content below in it:

```json
{
    "cmd": ["php", "$file"],
    "selector": "source.php",
    "file_regex": "php$"
}
```

Now save this file with the name php.sublime-build. To give you some details about the file content:

cmd here means the command that we need to run, with the arguments that we want to pass to it
selector is an optional string used to locate the best builder to use for the current file scope. This is only relevant if Tools > Build System > Automatic is true
file_regex specifies the file pattern that our build is going to be working with

After saving the file you can see the build system inside Tools > Build System. Now you can run any file ending with php, as specified in the snippet above. Now let's test our build system. Create a new php file and put the content below in it:

```php
<?php echo "Hello world";
```

Now let's run this file that we have created. So select php from Tools > Build System and hit CMD + B if you are on Mac, CTRL + B if you are on Windows or Linux. Once you run it, you will notice the output for the build in the console, as shown in the image below.

In case you want to cancel a stuck build, you can do that by pressing CTRL + C if you are on Mac, or Ctrl + Break if you are on Windows or Linux.

You can use the same steps to create a build system for any language. For example, here is how the contents of the build file may look for a Javascript application:

```json
{
    "cmd": ["node", "$file"],
    "selector": "source.js",
    "file_regex": "js$"
}
```

Hope you enjoyed the article. You can learn more about the build systems in the Sublime Docs. If you have any comments or feedback, leave them down below and feel free to connect with me on twitter or say hi via email.

Source: https://medium.com/tech-tajawal/build-systems-in-sublime-text-3-9706ab7f44f4
  14. Documents obtained by The Washington Post indicate that the National Security Agency is collecting billions of records a day to track the location of mobile phone users around the world. This bulk collection, performed under the NSA’s international surveillance authority, taps into the telephony links of major telecommunications providers including some here in the United States. The NSA collects this location and travel habit data to do “target development” — to find unknown associates of targets it already knows about. To accomplish this, the NSA compiles information on a vast database of devices and their locations. Most of those collected, by definition, are suspected of no wrongdoing. Officials say they do not purposely collect U.S. phone locations in bulk, but a large number are swept up “incidentally.” Using these vast location databases, the NSA applies sophisticated analytics techniques to identify what it calls co-travelers — unknown associates who might be traveling with, or meeting up with a known target.

HERE IS HOW IT WORKS: https://www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwide-snowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html?utm_term=.aacc009d53c5
  15. We tested 3 popular VPNs: Hotspot Shield, PureVPN, and Zenmate with accredited researchers to find if the VPNs could leak data. While we hoped to find zero leaks, we regretfully found that all of them leak sensitive data. On the positive side, after we contacted the VPN vendors, we saw one that was fast to respond and release a patch within days. We are still waiting to hear from the other two VPN vendors, and have decided to publish the information in the hope that they will hurry up and fix the underlying issues for the benefit of their users.

Here’s a summary of our findings

Hotspot Shield, PureVPN, and Zenmate VPN all suffer from IP leaks. The leaks allow governments, hostile organizations, or individuals to identify the actual IP address of a user, even with the use of the VPNs. Zenmate’s leak was somewhat minor compared to the two other VPNs. We believe that most other VPNs suffer from similar issues, so the fast response of Hotspot Shield is something we think is worth commending. We felt that they worked with our research team in a fast and serious manner and that they care for their users. They took our research as help for improvement rather than criticism.

Since the vulnerabilities in PureVPN and Zenmate are still not fixed, we are only sharing information about the vulnerabilities that were found and patched in HotSpot Shield. We advise users of PureVPN and Zenmate to be wary of the leaks they may face and check with their VPN providers for an immediate fix.

The research team

VpnMentor hired a team of three external ethical hackers to find vulnerabilities in three random popular VPNs. While one hacker wants to keep his identity private, the other two are known as File Descriptor and Paulos Yibelo. File Descriptor is a reputable, ethical hacker working for Cure53, the company hired by TunnelBear to identify and fix issues with their VPN applications, and one of the leading companies in security research. Paulos Yibelo, who also managed the team, is a reputable application security researcher. He has found vulnerabilities in popular VPNs and published them in the past. His work was mentioned in ZDNet, SlashDot, and other media sources.

*As part of the agreement with our research team, vpnMentor cannot directly influence the research team nor the conducted research.

Hotspot Shield’s Vulnerabilities

These are the technical details of Hotspot Shield’s vulnerabilities, which have all been fixed by the company: All the issues are related to PAC scripts and were found in the Chrome plug-in. The mobile and desktop apps were not affected by these vulnerabilities.

– 1 CVE-2018-7879: Hijack all traffic

We observed the following PAC script used in the Hotspot Shield Chrome extension:

```javascript
function FindProxyForURL(url, host) {
  if(url.indexOf('act=afProxyServerPing') != -1) {
    let parsed = url.match(/act=afProxyServerPing&server=([^&]+)/);
    if(parsed && parsed[1]) return 'https '+parsed[1]+':443; DIRECT;';
  }
```

It detects if the current URL has the query parameter act=afProxyServerPing, and if it does, it routes all traffic to the proxy hostname provided by the server parameter. This is a result of the proxy hijack. While we believe this is for internal use, it fails to validate what host is making this “call”. Therefore any URL with the aforementioned parameters will have the traffic routed to the specified proxy. The problem with this is that a malicious adversary could simply ask a victim to visit a link with those parameters, and all traffic will go to an attacker’s proxy server. It would be worse if the connection is on HTTP.

– 2 CVE-2018-7878 DNS leak

We observed the following PAC script:

```javascript
let ip = dnsResolve(host);
```

This means that dnsResolve will make a DNS request via the system DNS. This is essentially leaking DNS, as the proxy is only assigned after all those conditions.

How do we prove it? A simple check in https://www.dnsleaktest.com/ reveals your DNS server. This example shows the leak we found with HotSpot Shield.

Our leak that we found with HotSpot Shield on the Chrome extension

Notice, any site can read the DNS server the user is using (hence, leaking your country and other vital information). This site is just a tool to help you check that.

– 3 CVE-2018-7880 IP leak

We observed the following PAC script:

```javascript
let whiteList = /localhost|accounts\.google|google\-analytics\.com|chrome\-signin|freegeoip\.net|event\.shelljacket|chrome\.google|box\.anchorfree|googleapis|127\.0\.0\.1|hsselite|firebaseio|amazonaws\.com|shelljacket\.us|coloredsand\.us|ratehike\.us|pixel\.quantserve\.com|googleusercontent\.com|easylist\-downloads\.adblockplus\.org|hotspotshield|get\.betternet\.co|betternet\.co|support\.hotspotshield\.com|geo\.mydati\.com|control\.kochava\.com/;

if(isPlainHostName(host) || shExpMatch(host, '*.local') || isInNet(ip, '', '') || isInNet(ip, '', '') || isInNet(ip, '', '') || isInNet(ip, '', '') || isInNet(ip, '', '') || !url.match(/^https?/) || whiteList.test(host) || url.indexOf('type=a1fproxyspeedtest') != -1) return 'DIRECT';
```

What we found is that the whitelist for DIRECT connection is just too loose. Here are two examples we found:

Any domain with localhost will bypass the proxy, e.g. localhost.foo.bar.com
Any URL with type=a1fproxyspeedtest will bypass the proxy

How do we prove it? We went to this site with the unpatched version of Hotspot Shield, and our actual IP was leaked.

Our IP address was revealed when we tested it.

This means that when Hotspot Shield sees the parameter a1fproxyspeedtest in any URL, it routes all traffic to the proxy hostname provided by the server parameter. Therefore, if a hacker redirects someone who is using HSS to https://example.com/?act=afProxyServerPing&server=mywebsite.com, that website will get a hit from the user’s actual IP address.

We found similar vulnerabilities in Zenmate VPN and PureVPN. While Hotspot Shield already updated their service with a patch, we hope this will prompt the other VPNs to do the same.

Additional research on ZenMate and PureVPN

ZenMate’s webRTC leak

A simple check was able to determine that ZenMate’s VPN leaked our location.

PureVPN’s leak

Visiting a website using the Firefox browser revealed our IP address with PureVPN.

We will not go into detail about PureVPN’s and ZenMate’s vulnerabilities in the hope that they will soon fix them. While they are not exactly like HotSpot Shield’s vulnerabilities, they are similar.

VPNs’ responses

After fixing the vulnerabilities, Hotspot Shield contacted vpnMentor with this message.

“The researchers hired by vpnMentor did not find any vulnerabilities in the mobile or desktop versions of Hotspot Shield. The vulnerabilities they reported were present only in the free Chrome plug-in. Neither mobile nor desktop users of the Hotspot Shield app were affected by these vulnerabilities. We appreciate and commend vpnMentor’s initiative to improve the security of consumer VPN applications, and look forward to seeing more research from their side involving more VPN products in the near future.”

What does this mean to a VPN user?

VPNs are not as safe as many may think. The fact that we found leaks in all the VPNs that we tested is worrying. Our guess is that most VPNs have similar leaks and that users should take this into consideration when using VPNs. If you use Hotspot Shield, make sure you have updated your app. If you are a user of Zenmate or PureVPN, contact the support team and ask for the vulnerabilities to be fixed ASAP.

Source: https://www.vpnmentor.com/blog/vpn-leaks-found-3-major-vpns-3-tested/
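The two whitelist weaknesses described in the post above (a proxy chosen from a query parameter of the URL, and an unanchored substring regex on the host), as an added example that is not part of the original post or of Hotspot Shield's code: a loose PAC decision function beside a hardened one, evaluated on constructed sample requests. The fixed proxy address and the allowlist are assumptions.

```javascript
// Added example, not Hotspot Shield's code: the loose routing logic described in the
// post beside a hardened form. The proxy address and allowlist are assumptions.
const PROXY = 'HTTPS proxy.example.invalid:443';  // assumed: fixed proxy configured out of band

// Excerpt of the post's whitelist regex: unanchored substrings, so any host that merely
// contains one of them matches (e.g. "localhost.foo.bar.com").
const looseWhiteList = /localhost|amazonaws\.com|127\.0\.0\.1|hotspotshield/;

// Loose form: mirrors the two weaknesses quoted in the post.
function findProxyLoose(url, host) {
  // (1) The proxy is taken from a query parameter of whatever URL is being loaded.
  const parsed = url.match(/act=afProxyServerPing&server=([^&]+)/);
  if (parsed && parsed[1]) return 'HTTPS ' + parsed[1] + ':443; DIRECT';
  // (2) A substring whitelist and a magic query parameter bypass the proxy entirely.
  if (looseWhiteList.test(host) || url.indexOf('type=a1fproxyspeedtest') != -1) return 'DIRECT';
  return PROXY;
}

// Hardened form: an explicit allowlist matched on whole host labels, and nothing in the
// URL can choose the proxy or switch the request to DIRECT.
const allowedHosts = ['localhost', '127.0.0.1', 'hotspotshield.com'];  // assumed allowlist

function hostAllowed(host) {
  const h = host.toLowerCase().replace(/\.$/, '');  // normalise case and a trailing dot
  // Exact match, or a real subdomain (label boundary enforced by the leading dot).
  return allowedHosts.some(a => h === a || h.endsWith('.' + a));
}

function findProxyStrict(url, host) {
  return hostAllowed(host) ? 'DIRECT' : PROXY;
}

// Constructed sample requests exercising each weakness; none is a real site.
const samples = [
  ['https://example.com/?act=afProxyServerPing&server=other.example', 'example.com'],
  ['https://localhost.foo.bar.com/', 'localhost.foo.bar.com'],
  ['https://example.com/?type=a1fproxyspeedtest', 'example.com'],
  ['https://hotspotshield.com/', 'hotspotshield.com'],
];

// Returns, per sample, what each PAC variant would decide.
function compare() {
  return samples.map(([url, host]) => ({
    host,
    loose: findProxyLoose(url, host),
    strict: findProxyStrict(url, host),
  }));
}

for (const r of compare()) console.log(r.host, '| loose:', r.loose, '| strict:', r.strict);
```

Only the last sample (a host actually on the allowlist) goes DIRECT under the hardened form; the parameter-driven proxy choice and the substring bypasses are all routed through the fixed proxy.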
  16. In just one night a Russian crime gang stole 3.8 million slopes (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank.

Cybercriminals stole 3.8 million slopes (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank using an infected RTF document. The criminal organization led by Dmitriy Kvasov operated in Romania; the gang stole the money in just one night in 2016.

“One night Raiffeisen Bank lost control of all ATMs in Romania • Although it seems impossible, the control of ATMs across the country was taken over by a group of Russian hackers • It is one of the biggest thefts of cash money in the history of Romania, and the authorities did not blow a word” reported the website bzi.ro.

The Organized Crime and Counterterrorism Office (DIICOT) who investigated the culprits managed to arrest the leader of the criminal organization. The Russian hackers launched a spear-phishing attack against Raiffeisen Romania between August 9, 2016, and September 4, 2016; they sent email messages using a weaponized RTF document. The bait document, which appeared to be sent on behalf of the European Central Bank, contained the code to trigger a vulnerability in the target systems. In this way the attackers took control over the whole network of the bank, then they were able to control the ATMs.

“The extremely well-coordinated criminal organization, wearing sunglasses and hooded anoraks waiting for the command, waited for bags and bags in their hands before the Raiffeisen Iasi, Bucharest, Suceava, Timeshare, Constanta, Plitvice, Saxon and Crevedia automats.” states the Maszol.ru. “At the hands of their leaders, at least a few buttons, 32 cars released them all the money. If more men had been involved with the criminal organization, they could have virtually eliminated all the automatons of the bank.”

According to the report, the attackers were able to instruct the 32 ATMs to dispense the cash. The investigators highlighted that the attackers only targeted systems in Romania, but once they compromised the network of the bank they were also able to control any ATM worldwide belonging to the financial institution. The bank confirmed that hackers did not access the customers’ accounts after the security breach.

Source: http://securityaffairs.co/wordpress/70046/cyber-crime/raiffeisen-cyber-heist.html

On the same subject:
https://www.bzi.ro/exclusivitatea-anului-cutremur-fara-precedent-in-sistemul-bancar-romanesc-secret-imens-ascuns-la-diicot-iasi-toate-bancomatele-unei-celebre-banci-au-fost-compromise-643428
https://www.bzi.ro/exploziv-raport-intern-strict-secret-intrat-in-posesia-bzi-fara-precedent-toate-datele-clientilor-raiffeisen-in-pericol-cei-mai-tari-hackeri-au-controlat-calculatoarele-bancii-643514
  17. # TOR Browser 0day : JavaScript Exploit !
## Works on Firefox versions 41 - 50
### The critical vulnerability is believed to affect multiple Windows versions of the open source Firefox web browser as far back as Firefox version 41, and up to Firefox version 50.

When the exploit is opened by a Firefox or Tor Browser with Javascript enabled on a Windows computer, it leverages a memory corruption vulnerability in the background to make direct calls to kernel32.dll, which allows malicious code to be executed on computers running Windows.

Makes redirect to '/member.php' after code execution

- - -

This is a Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP. I had to break the "thecode" line in two in order to post, remove ' + ' in the middle to restore it. - SIGAINT

Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44267.zip

# 0day.today [2018-03-09] #

Source: https://0day.today/exploit/29975
  18. Let's try something else: regshot (https://sourceforge.net/projects/regshot/postdownload?source=dlp). Set scan dir to c:\, take the 1st shot, wait for it to finish, open that program, wait a few minutes, go back to regshot, take the 2nd shot, wait for it to finish and then hit compare. It should give you a list of all the files that appeared on c:\ between the two shots.
  19. So for you that program does unpack the archive, right?
- Have you looked in temp? (The extracted files have to be stored somewhere, at least temporarily.) If they're not in temp, check again from procexp: look for a file from that archive, open its properties and check the path.
- You can also try attaching IDA to the program's process after it finishes unpacking and look for the password again.
Could it be a licensed program that sends some identification data (hwid) to a server and only opens the archive if your PC is recognised?
  20. Network programming in python This is a quick guide/tutorial on socket programming in python. Socket programming python is very similar to C. To summarise the basics, sockets are the fundamental "things" behind any kind of network communications done by your computer. For example when you type www.google.com in your web browser, it opens a socket and connects to google.com to fetch the page and show it to you. Same with any chat client like gtalk or skype. Any network communication goes through a socket. In this tutorial we shall be programming tcp sockets in python. You can also program udp sockets in python. Before you begin This tutorial assumes that you already have a basic knowledge of python. So lets begin with sockets. Creating a socket This first thing to do is create a socket. The socket.socket function does this. Quick Example : 1 2 3 4 5 6 7 8 #Socket client example in python import socket #for sockets #create an AF_INET, STREAM socket (TCP) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print 'Socket Created' Function socket.socket creates a socket and returns a socket descriptor which can be used in other socket related functions The above code will create a socket with the following properties ... Address Family : AF_INET (this is IP version 4 or IPv4) Type : SOCK_STREAM (this means connection oriented TCP protocol) Error handling If any of the socket functions fail then python throws an exception called socket.error which must be caught. 1 2 3 4 5 6 7 8 9 10 11 12 13 #handling errors in python socket programs import socket #for sockets import sys #for exit try: #create an AF_INET, STREAM socket (TCP) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) except socket.error, msg: print 'Failed to create socket. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1] sys.exit(); print 'Socket Created' Ok , so you have created a socket successfully. But what next ? Next we shall try to connect to some server using this socket. 
We can connect to www.google.com

Note

Apart from the SOCK_STREAM type of sockets there is another type called SOCK_DGRAM which indicates the UDP protocol. This type of socket is a non-connection socket. In this tutorial we shall stick to SOCK_STREAM or TCP sockets.

Connect to a Server

We connect to a remote server on a certain port number. So we need 2 things, IP address and port number to connect to. So you need to know the IP address of the remote server you are connecting to. Here we used the ip address of google.com as a sample.

First get the IP address of the remote host/url

Before connecting to a remote host, its ip address is needed. In python getting the ip address is quite simple.

```python
import socket   #for sockets
import sys  #for exit

try:
    #create an AF_INET, STREAM socket (TCP)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error, msg:
    print 'Failed to create socket. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1]
    sys.exit()

print 'Socket Created'

host = 'www.google.com'

try:
    remote_ip = socket.gethostbyname( host )

except socket.gaierror:
    #could not resolve
    print 'Hostname could not be resolved. Exiting'
    sys.exit()

print 'Ip address of ' + host + ' is ' + remote_ip
```

Now that we have the ip address of the remote host/system, we can connect to the ip on a certain 'port' using the connect function.

Quick example

```python
import socket   #for sockets
import sys  #for exit

try:
    #create an AF_INET, STREAM socket (TCP)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error, msg:
    print 'Failed to create socket. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1]
    sys.exit()

print 'Socket Created'

host = 'www.google.com'
port = 80

try:
    remote_ip = socket.gethostbyname( host )

except socket.gaierror:
    #could not resolve
    print 'Hostname could not be resolved. Exiting'
    sys.exit()

print 'Ip address of ' + host + ' is ' + remote_ip

#Connect to remote server
s.connect((remote_ip , port))

print 'Socket Connected to ' + host + ' on ip ' + remote_ip
```

Run the program

$ python client.py
Socket Created
Ip address of www.google.com is
Socket Connected to www.google.com on ip

It creates a socket and then connects. Try connecting to a port different from port 80 and you should not be able to connect, which indicates that the port is not open for connection. This logic can be used to build a port scanner.

OK, so we are now connected. Let's do the next thing, sending some data to the remote server.

Free Tip

The concept of "connections" applies to SOCK_STREAM/TCP type of sockets. Connection means a reliable "stream" of data such that there can be multiple such streams each having communication of its own. Think of this as a pipe which is not interfered with by data from other pipes. Another important property of stream connections is that packets have an "order" or "sequence". Other sockets like UDP, ICMP, ARP don't have a concept of "connection". These are non-connection based communication. Which means you keep sending or receiving packets from anybody and everybody.

Sending Data

Function sendall will simply send data. Let's send some data to google.com

```python
import socket   #for sockets
import sys  #for exit

try:
    #create an AF_INET, STREAM socket (TCP)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error, msg:
    print 'Failed to create socket. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1]
    sys.exit()

print 'Socket Created'

host = 'www.google.com'
port = 80

try:
    remote_ip = socket.gethostbyname( host )

except socket.gaierror:
    #could not resolve
    print 'Hostname could not be resolved. Exiting'
    sys.exit()

print 'Ip address of ' + host + ' is ' + remote_ip

#Connect to remote server
s.connect((remote_ip , port))

print 'Socket Connected to ' + host + ' on ip ' + remote_ip

#Send some data to remote server
message = "GET / HTTP/1.1\r\n\r\n"

try :
    #Set the whole string
    s.sendall(message)
except socket.error:
    #Send failed
    print 'Send failed'
    sys.exit()

print 'Message send successfully'
```

In the above example, we first connect to an ip address and then send the string message "GET / HTTP/1.1\r\n\r\n" to it. The message is actually an "http command" to fetch the mainpage of a website. Now that we have sent some data, it's time to receive a reply from the server. So let's do it.

Receiving Data

Function recv is used to receive data on a socket. In the following example we shall send the same message as in the last example and receive a reply from the server.

```python
#Socket client example in python

import socket   #for sockets
import sys  #for exit

#create an INET, STREAMing socket
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error:
    print 'Failed to create socket'
    sys.exit()

print 'Socket Created'

host = 'www.google.com'
port = 80

try:
    remote_ip = socket.gethostbyname( host )

except socket.gaierror:
    #could not resolve
    print 'Hostname could not be resolved. Exiting'
    sys.exit()

#Connect to remote server
s.connect((remote_ip , port))

print 'Socket Connected to ' + host + ' on ip ' + remote_ip

#Send some data to remote server
message = "GET / HTTP/1.1\r\n\r\n"

try :
    #Set the whole string
    s.sendall(message)
except socket.error:
    #Send failed
    print 'Send failed'
    sys.exit()

print 'Message send successfully'

#Now receive data
reply = s.recv(4096)

print reply
```

Here is the output of the above code:

$ python client.py
Socket Created
Ip address of www.google.com is
Socket Connected to www.google.com on ip
Message send successfully
HTTP/1.1 302 Found
Location: http://www.google.co.in/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: expires=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=www.google.com
Set-Cookie: path=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=www.google.com
Set-Cookie: domain=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=www.google.com
Set-Cookie: expires=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=.www.google.com
Set-Cookie: path=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=.www.google.com
Set-Cookie: domain=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=.www.google.com
Set-Cookie: expires=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=google.com
Set-Cookie: path=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=google.com
Set-Cookie: domain=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=google.com
Set-Cookie: expires=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=.google.com
Set-Cookie: path=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=.google.com
Set-Cookie: domain=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=.google.com
Set-Cookie: PREF=ID=51f26964398d27b0:FF=0:TM=1343026094:LM=1343026094:S=pa0PqX9FCPvyhBHJ; expires=Wed, 23-Jul-2014 06:48:14 GMT; path=/; domain=.google.com

Google.com replied with the content of the page we requested. Quite simple!
Now that we have received our reply, it's time to close the socket.

Close socket

Function close is used to close the socket.

```python
s.close()
```

That's it.

Let's Revise

So in the above example we learned how to:

1. Create a socket
2. Connect to remote server
3. Send some data
4. Receive a reply

It's useful to know that your web browser also does the same thing when you open www.google.com

This kind of socket activity represents a CLIENT. A client is a system that connects to a remote system to fetch data. The other kind of socket activity is called a SERVER. A server is a system that uses sockets to receive incoming connections and provide them with data. It is just the opposite of Client. So www.google.com is a server and your web browser is a client. Or more technically www.google.com is a HTTP Server and your web browser is an HTTP client. Now it's time to do some server tasks using sockets.

Programming socket servers

OK now onto server things. Servers basically do the following:

1. Open a socket
2. Bind to an address (and port).
3. Listen for incoming connections.
4. Accept connections
5. Read/Send

We have already learnt how to open a socket. So the next thing would be to bind it.

Bind a socket

Function bind can be used to bind a socket to a particular address and port. It needs a sockaddr_in structure similar to the connect function.

Quick example

```python
import socket
import sys

HOST = ''   # Symbolic name meaning all available interfaces
PORT = 8888 # Arbitrary non-privileged port

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Socket created'

try:
    s.bind((HOST, PORT))
except socket.error , msg:
    print 'Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
    sys.exit()

print 'Socket bind complete'
```

Now that bind is done, it's time to make the socket listen to connections. We bind a socket to a particular IP address and a certain port number.
By doing this we ensure that all incoming data which is directed towards this port number is received by this application. This makes it obvious that you cannot have 2 sockets bound to the same port. There are exceptions to this rule but we shall look into that in some other article.

Listen for incoming connections

After binding a socket to a port the next thing we need to do is listen for connections. For this we need to put the socket in listening mode. Function socket_listen is used to put the socket in listening mode. Just add the following line after bind.

```python
s.listen(10)
print 'Socket now listening'
```

The parameter of the function listen is called backlog. It controls the number of incoming connections that are kept "waiting" if the program is already busy. So by specifying 10, it means that if 10 connections are already waiting to be processed, then the 11th connection request shall be rejected. This will be more clear after checking socket_accept. Now comes the main part of accepting new connections.

Accept connection

Function socket_accept is used for this.

```python
import socket
import sys

HOST = ''   # Symbolic name meaning all available interfaces
PORT = 8888 # Arbitrary non-privileged port

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Socket created'

try:
    s.bind((HOST, PORT))
except socket.error , msg:
    print 'Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
    sys.exit()

print 'Socket bind complete'

s.listen(10)
print 'Socket now listening'

#wait to accept a connection - blocking call
conn, addr = s.accept()

#display client information
print 'Connected with ' + addr[0] + ':' + str(addr[1])
```

Output

Run the program. It should show

$ python server.py
Socket created
Socket bind complete
Socket now listening

So now this program is waiting for incoming connections on port 8888. Don't close this program, keep it running. Now a client can connect to it on this port.
We shall use the telnet client for testing this. Open a terminal and type

$ telnet localhost 8888

It will immediately show

$ telnet localhost 8888
Trying
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

And the server output will show

$ python server.py
Socket created
Socket bind complete
Socket now listening
Connected with

So we can see that the client connected to the server. Try the above steps till you get it working perfectly.

We accepted an incoming connection but closed it immediately. This was not very productive. There are lots of things that can be done after an incoming connection is established. After all the connection was established for the purpose of communication. So let's reply to the client. Function sendall can be used to send something to the socket of the incoming connection and the client should see it. Here is an example:

```python
import socket
import sys

HOST = ''   # Symbolic name meaning all available interfaces
PORT = 8888 # Arbitrary non-privileged port

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Socket created'

try:
    s.bind((HOST, PORT))
except socket.error , msg:
    print 'Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
    sys.exit()

print 'Socket bind complete'

s.listen(10)
print 'Socket now listening'

#wait to accept a connection - blocking call
conn, addr = s.accept()

print 'Connected with ' + addr[0] + ':' + str(addr[1])

#now keep talking with the client
data = conn.recv(1024)
conn.sendall(data)

conn.close()
s.close()
```

Run the above code in 1 terminal. And connect to this server using telnet from another terminal and you should see this:

$ telnet localhost 8888
Trying
Connected to localhost.
Escape character is '^]'.
happy
happy
Connection closed by foreign host.

So the client (telnet) received a reply from the server.
We can see that the connection is closed immediately after that simply because the server program ends after accepting and sending the reply. A server like www.google.com is always up to accept incoming connections. It means that a server is supposed to be running all the time. After all it's a server meant to serve. So we need to keep our server RUNNING non-stop. The simplest way to do this is to put the accept in a loop so that it can receive incoming connections all the time.

Live Server

So a live server will be alive always. Let's code this up

```python
import socket
import sys

HOST = ''   # Symbolic name meaning all available interfaces
PORT = 5000 # Arbitrary non-privileged port

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Socket created'

try:
    s.bind((HOST, PORT))
except socket.error , msg:
    print 'Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
    sys.exit()

print 'Socket bind complete'

s.listen(10)
print 'Socket now listening'

#now keep talking with the client
while 1:
    #wait to accept a connection - blocking call
    conn, addr = s.accept()
    print 'Connected with ' + addr[0] + ':' + str(addr[1])

    data = conn.recv(1024)
    reply = 'OK...' + data
    if not data:
        break

    conn.sendall(reply)

conn.close()
s.close()
```

We haven't done a lot there. Just put the socket_accept in a loop. Now run the server program in 1 terminal, and open 3 other terminals. From each of the 3 terminals do a telnet to the server port. Each of the telnet terminals would show:

$ telnet localhost 5000
Trying
Connected to localhost.
Escape character is '^]'.
happy
OK .. happy
Connection closed by foreign host.

And the server terminal would show

$ python server.py
Socket created
Socket bind complete
Socket now listening
Connected with
Connected with
Connected with

So now the server is running nonstop and the telnet terminals are also connected nonstop. Now close the server program.
All telnet terminals would show "Connection closed by foreign host."

Good so far. But still there is no effective communication between the server and the client. The server program accepts connections in a loop and just sends them a reply, after that it does nothing with them. Also it is not able to handle more than 1 connection at a time. So now it's time to handle the connections, and handle multiple connections together.

Handling Connections

To handle every connection we need separate handling code to run along with the main server accepting connections. One way to achieve this is using threads. The main server program accepts a connection and creates a new thread to handle communication for the connection, and then the server goes back to accept more connections. We shall now use threads to create handlers for each connection the server accepts.

```python
import socket
import sys
from thread import *

HOST = ''   # Symbolic name meaning all available interfaces
PORT = 8888 # Arbitrary non-privileged port

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Socket created'

#Bind socket to local host and port
try:
    s.bind((HOST, PORT))
except socket.error , msg:
    print 'Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
    sys.exit()

print 'Socket bind complete'

#Start listening on socket
s.listen(10)
print 'Socket now listening'

#Function for handling connections. This will be used to create threads
def clientthread(conn):
    #Sending message to connected client
    conn.send('Welcome to the server. Type something and hit enter\n') #send only takes string

    #infinite loop so that function do not terminate and thread do not end.
    while True:

        #Receiving from client
        data = conn.recv(1024)
        reply = 'OK...' + data
        if not data:
            break

        conn.sendall(reply)

    #came out of loop
    conn.close()

#now keep talking with the client
while 1:
    #wait to accept a connection - blocking call
    conn, addr = s.accept()
    print 'Connected with ' + addr[0] + ':' + str(addr[1])

    #start new thread takes 1st argument as a function name to be run, second is the tuple of arguments to the function.
    start_new_thread(clientthread ,(conn,))

s.close()
```

Run the above server and open 3 terminals like before. Now the server will create a thread for each client connecting to it. The telnet terminals would show:

$ telnet localhost 8888
Trying
Connected to localhost.
Escape character is '^]'.
Welcome to the server. Type something and hit enter
hi
OK...hi
asd
OK...asd
cv
OK...cv

The server terminal might look like this

$ python server.py
Socket created
Socket bind complete
Socket now listening
Connected with
Connected with

The above connection handler takes some input from the client and replies back with the same. So now we have a server that's communicative. That's useful now.

Conclusion

By now you must have learned the basics of socket programming in python. You can try out some experiments like writing a chat client or something similar.

When testing the code you might face this error

Bind failed. Error Code : 98 Message Address already in use

When it comes up, simply change the port number and the server would run fine.

If you think that the tutorial needs some addons or improvements or any of the code snippets above don't work then feel free to make a comment below so that it gets fixed.

Source: https://www.binarytides.com/python-socket-programming-tutorial/
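A Python 3 rewrite of the threaded echo server and its client from the tutorial above, added here as an example and not taken from the binarytides tutorial. It keeps the same accept loop plus one thread per connection, but adds the three things the tutorial's snippets leave out: recv() is called in a loop until a newline arrives (a single recv() can return part of a message), the listening socket sets SO_REUSEADDR so a quick restart does not hit the "Address already in use" error mentioned in the conclusion, and binding to port 0 lets the OS pick a free port. The client and server both run in this one process on 127.0.0.1, so it works offline; the banner text and the "OK..." prefix are constructed to match the tutorial's output.

```python
import socket
import threading

BANNER = b"Welcome to the server. Type something and hit enter\n"


def recv_line(sock, limit=4096):
    """Read until a newline or EOF. recv() returns whatever has arrived so far,
    not necessarily a whole message, so a real protocol has to loop."""
    chunks = []
    received = 0
    while received < limit:
        chunk = sock.recv(1024)
        if not chunk:                 # peer closed the connection
            break
        chunks.append(chunk)
        received += len(chunk)
        if b"\n" in chunk:
            break
    return b"".join(chunks)


def handle_client(conn, addr):
    """Per-connection thread body: greet, then echo every line with a prefix."""
    with conn:
        conn.sendall(BANNER)
        while True:
            data = recv_line(conn)
            if not data:
                break
            conn.sendall(b"OK..." + data)


def start_server(host="127.0.0.1", port=0, backlog=10):
    """Bind, listen and accept in a background thread. port=0 lets the OS pick
    a free port; SO_REUSEADDR avoids 'Address already in use' on restarts."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(backlog)

    def accept_loop():
        while True:
            try:
                conn, addr = listener.accept()
            except OSError:           # listener was shut down: stop accepting
                return
            threading.Thread(target=handle_client, args=(conn, addr),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener                   # caller reads getsockname() for the port


def stop_server(listener):
    """Wake the blocked accept() and release the port."""
    try:
        listener.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass                          # some platforms refuse shutdown on a listener
    listener.close()


def echo_once(host, port, message, timeout=5.0):
    """Client side: connect, read the banner, send one line, read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as client:
        banner = recv_line(client)
        client.sendall(message)
        reply = recv_line(client)
    return banner, reply


if __name__ == "__main__":
    srv = start_server()
    srv_port = srv.getsockname()[1]
    print("listening on", srv.getsockname())
    print(echo_once("127.0.0.1", srv_port, b"hi\n"))
    stop_server(srv)
```

The accept thread and the handler threads are daemon threads, so the process still exits if a client never disconnects; the tutorial's `from thread import *` has no Python 3 equivalent, and `threading.Thread` is the replacement.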
21. The Process Environment Block (PEB) is a wonderful thing, and I’d be lying if I told you that I didn’t love it. It has been present in Windows since the introduction of Win2k (Windows 2000) and it has been improved through newer versions of Windows ever since. On earlier versions of Windows, it could be abused to do some nasty things like hiding loaded modules present within a process (to prevent them from being found – obviously this is not a beautiful thing though).

What is this magic so-called “Process Environment (PEB)”?

The PEB is a structure which holds data about the current process under its field values – some fields being structures themselves to hold even more data. Every process has its own PEB and the Windows Kernel will also have access to the PEB of every user-mode process so it can keep track of certain data stored within it.

Where does this sorcery come from?

The PEB structure comes from the Windows Kernel (although it is accessible in user-mode as well). The PEB comes from the Thread Environment Block (TEB) which also happens to be commonly referred to as the Thread Information Block (TIB). The TEB is responsible for holding data about the current thread – every thread has its own TEB structure.

Can the Thread Environment Block or the Process Environment Block be abused for malicious purposes?

Of course they can! In fact, they have been abused for malicious purposes in the past but Microsoft has made many changes over the recent years to help prevent this. An example would be in the past where rootkits would inject a DLL into another running process, and then access the PEB structure of the current process they had injected into (the PPEB structure is a pointer to the PEB structure) so they could locate the list of loaded modules and remove their own module from the list… Thus hiding their injected module from view when someone enumerates the loaded modules of the affected process.
This is known as memory patching because you would be modifying memory by patching the PEB. Microsoft’s mitigation for this behavior was to prevent the manual altering of the list which represents the loaded modules in user-mode – you can still access it for reading the data in user-mode though and you can still patch the memory from kernel-mode.

This article will be split up into two different sections: theory and user-mode practical.

Theoretical

We’re going to take a look at the Thread Environment Block (TEB) structure using WinDbg. Since the TEB structure is available in user-mode, and used by user-mode Windows components such as NTDLL and KERNEL32, we won’t require kernel-debugging to query the structure. Bear in mind that you will need to have your symbols correctly set up, otherwise you will fail at the upcoming steps; please see the following URL: https://msdn.microsoft.com/en-us/library/windows/desktop/ee416588(v=vs.85).aspx

We’ll start by opening up WinDbg – I’ll be opening up the 64-bit version.

[Image: WinDbg default view.]

Now we’ll open up notepad.exe. Once it is open, we can attach to notepad.exe in WinDbg by going to File -> Attach to a Process -> notepad.exe. Alternatively, you can use the default hot-key which should be F6.

[Image: Attaching to a process via WinDbg. 1/2]

[Image: Attaching to a process via WinDbg. 2/2]

After doing this, the WinDbg command window will be displayed. The command window is the work-space where we enter commands at our own discretion to get back various desired results. For example, if we wish to manipulate something, or query information about something, we can do this with a command. WinDbg has a whole wide range of commands available and you can learn more about that here: http://windbg.info/doc/1-common-cmds.html

We’ll be using the dt instruction. “dt” stands for “Display Type” and can be used to display information about a specific data-type, including structures.
In our case, it is more than appropriate because it supports structures and we need to find out information about the TEB structure. We can use the following instruction to query information about the TEB structure.

dt ntdll!_TEB

[Image: WinDbg command (dt) for the _TEB structure.]

We can see already that there are many fields in the structure, so many fields that they don’t all fit in the single image view. However, if we look towards the very top of the structure, we’ll find the Process Environment Block’s field.

[Image: Highlighting the ProcessEnvironmentBlock field of the _TEB structure.]

We can see that WinDbg is labelling the data-type for the field as “Ptr64 _PEB”. This simply means that the data-type is a pointer to the PEB structure (PPEB). Since we are debugging a 64-bit compiled program (notepad.exe, since our OS architecture is 64-bit), the addresses are 8 bytes instead of 4 bytes like on a 32-bit environment, which is why “64” is appended to the “Ptr”.

We can view the fields of the PEB structure with the following WinDbg command.

dt ntdll!_PEB

[Image: WinDbg command (dt) for the _PEB structure.]

The WinDbg output is below.
0:007> dt ntdll!_PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 BitField : UChar
+0x003 ImageUsesLargePages : Pos 0, 1 Bit
+0x003 IsProtectedProcess : Pos 1, 1 Bit
+0x003 IsImageDynamicallyRelocated : Pos 2, 1 Bit
+0x003 SkipPatchingUser32Forwarders : Pos 3, 1 Bit
+0x003 IsPackagedProcess : Pos 4, 1 Bit
+0x003 IsAppContainer : Pos 5, 1 Bit
+0x003 IsProtectedProcessLight : Pos 6, 1 Bit
+0x003 IsLongPathAwareProcess : Pos 7, 1 Bit
+0x004 Padding0 : [4] UChar
+0x008 Mutant : Ptr64 Void
+0x010 ImageBaseAddress : Ptr64 Void
+0x018 Ldr : Ptr64 _PEB_LDR_DATA
+0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS
+0x028 SubSystemData : Ptr64 Void
+0x030 ProcessHeap : Ptr64 Void
+0x038 FastPebLock : Ptr64 _RTL_CRITICAL_SECTION
+0x040 AtlThunkSListPtr : Ptr64 _SLIST_HEADER
+0x048 IFEOKey : Ptr64 Void
+0x050 CrossProcessFlags : Uint4B
+0x050 ProcessInJob : Pos 0, 1 Bit
+0x050 ProcessInitializing : Pos 1, 1 Bit
+0x050 ProcessUsingVEH : Pos 2, 1 Bit
+0x050 ProcessUsingVCH : Pos 3, 1 Bit
+0x050 ProcessUsingFTH : Pos 4, 1 Bit
+0x050 ProcessPreviouslyThrottled : Pos 5, 1 Bit
+0x050 ProcessCurrentlyThrottled : Pos 6, 1 Bit
+0x050 ReservedBits0 : Pos 7, 25 Bits
+0x054 Padding1 : [4] UChar
+0x058 KernelCallbackTable : Ptr64 Void
+0x058 UserSharedInfoPtr : Ptr64 Void
+0x060 SystemReserved : Uint4B
+0x064 AtlThunkSListPtr32 : Uint4B
+0x068 ApiSetMap : Ptr64 Void
+0x070 TlsExpansionCounter : Uint4B
+0x074 Padding2 : [4] UChar
+0x078 TlsBitmap : Ptr64 Void
+0x080 TlsBitmapBits : [2] Uint4B
+0x088 ReadOnlySharedMemoryBase : Ptr64 Void
+0x090 SharedData : Ptr64 Void
+0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void
+0x0a0 AnsiCodePageData : Ptr64 Void
+0x0a8 OemCodePageData : Ptr64 Void
+0x0b0 UnicodeCaseTableData : Ptr64 Void
+0x0b8 NumberOfProcessors : Uint4B
+0x0bc NtGlobalFlag : Uint4B
+0x0c0 CriticalSectionTimeout : _LARGE_INTEGER
+0x0c8 HeapSegmentReserve : Uint8B
+0x0d0 HeapSegmentCommit : Uint8B
+0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B
+0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B
+0x0e8 NumberOfHeaps : Uint4B
+0x0ec MaximumNumberOfHeaps : Uint4B
+0x0f0 ProcessHeaps : Ptr64 Ptr64 Void
+0x0f8 GdiSharedHandleTable : Ptr64 Void
+0x100 ProcessStarterHelper : Ptr64 Void
+0x108 GdiDCAttributeList : Uint4B
+0x10c Padding3 : [4] UChar
+0x110 LoaderLock : Ptr64 _RTL_CRITICAL_SECTION
+0x118 OSMajorVersion : Uint4B
+0x11c OSMinorVersion : Uint4B
+0x120 OSBuildNumber : Uint2B
+0x122 OSCSDVersion : Uint2B
+0x124 OSPlatformId : Uint4B
+0x128 ImageSubsystem : Uint4B
+0x12c ImageSubsystemMajorVersion : Uint4B
+0x130 ImageSubsystemMinorVersion : Uint4B
+0x134 Padding4 : [4] UChar
+0x138 ActiveProcessAffinityMask : Uint8B
+0x140 GdiHandleBuffer : [60] Uint4B
+0x230 PostProcessInitRoutine : Ptr64 void
+0x238 TlsExpansionBitmap : Ptr64 Void
+0x240 TlsExpansionBitmapBits : [32] Uint4B
+0x2c0 SessionId : Uint4B
+0x2c4 Padding5 : [4] UChar
+0x2c8 AppCompatFlags : _ULARGE_INTEGER
+0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER
+0x2d8 pShimData : Ptr64 Void
+0x2e0 AppCompatInfo : Ptr64 Void
+0x2e8 CSDVersion : _UNICODE_STRING
+0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
+0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
+0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
+0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
+0x318 MinimumStackCommit : Uint8B
+0x320 FlsCallback : Ptr64 _FLS_CALLBACK_INFO
+0x328 FlsListHead : _LIST_ENTRY
+0x338 FlsBitmap : Ptr64 Void
+0x340 FlsBitmapBits : [4] Uint4B
+0x350 FlsHighIndex : Uint4B
+0x358 WerRegistrationData : Ptr64 Void
+0x360 WerShipAssertPtr : Ptr64 Void
+0x368 pUnused : Ptr64 Void
+0x370 pImageHeaderHash : Ptr64 Void
+0x378 TracingFlags : Uint4B
+0x378 HeapTracingEnabled : Pos 0, 1 Bit
+0x378 CritSecTracingEnabled : Pos 1, 1 Bit
+0x378 LibLoaderTracingEnabled : Pos 2, 1 Bit
+0x378 SpareTracingBits : Pos 3, 29 Bits
+0x37c Padding6 : [4] UChar
+0x380 CsrServerReadOnlySharedMemoryBase : Uint8B
+0x388 TppWorkerpListLock : Uint8B
+0x390 TppWorkerpList : _LIST_ENTRY
+0x3a0 WaitOnAddressHashTable : [128] Ptr64 Void
+0x7a0 TelemetryCoverageHeader : Ptr64 Void
+0x7a8 CloudFileFlags : Uint4B

As we can see, there are a lot of fields in the PEB structure. We’ll only be focusing on a select few of them during the practical sections though.

Before we can continue, we need to briefly talk about how the Process Environment Block is actually found. It’s located at FS:[0x30] in the Thread Environment Block/Thread Information Block for 32-bit processes, and it’s located at GS:[0x60] for 64-bit processes.

To start off, the third field of the PEB structure (“BeingDebugged”) can be read to determine if the current process is attached to via a debugger – this is one vector which is commonly closed by analysts who are debugging malicious software, because malicious software tends to keep a close eye out for debuggers and other analysis tools to make things more difficult for malware analysts. There’s a routine from the Win32 API called IsDebuggerPresent (KERNEL32) and the routine works by checking the BeingDebugged field of the PEB structure. We can validate this by reverse-engineering kernel32.dll ourselves.

[Image: IDA pseudo-code for IsDebuggerPresentStub (KERNEL32 – Windows 8+).]

As we can see, kernel32.dll has a routine named IsDebuggerPresentStub which calls IsDebuggerPresent. This is because the environment I’m getting these images from is Windows 10 64-bit, and Microsoft moved to using KernelBase.dll (introduced starting Windows 8). However, for backwards-compatibility, kernel32.dll is still pushed for usage by their documentation – and if they had dropped support for it then they would have had to move more than they have across to a new module project, and there’d have been a lot of incompatible software for Windows 8+ at the time. Therefore, we need to take a look at KernelBase.dll.
[Image: Disassembly for IsDebuggerPresent (KERNEL32 / KERNELBASE).]

Perfect! KernelBase.dll has an exported routine named IsDebuggerPresent. We’re going to debunk what the above disassembly is telling us.

The address of the Process Environment Block is being moved into the RAX register. Since we’re looking at the 64-bit compiled version of KernelBase.dll, 64-bit registers are being used. The Process Environment Block is located at + 0x60 for 64-bit processes.

The value from the BeingDebugged field under the Process Environment Block is being extracted and put into the EAX register. The data-type for the BeingDebugged field is UCHAR (which is one byte), and its offset is 0x002 – the first field of the PEB structure is located at 0x000 which means the third field (which is the BeingDebugged field) is located +2 bytes from this address. Since the RAX register is holding the address of the Process Environment Block, (RAX + 2) is performed to reach the address of the BeingDebugged field.

Returning with the RETN instruction. Since the value for the BeingDebugged field of the PEB structure is held within the EAX register, the caller of the routine is going to receive the value stored within the BeingDebugged field.

A routine like IsDebuggerPresent (KERNEL32 / KERNELBASE) might be an obvious sign for a malware analyst who is taking a look at the API calls being made by a sample, therefore some malware samples will manually access the PEB structure to check – doing this is stealthier and usually less expected.

The next fields we’re going to briefly talk about are the IsProtectedProcess and IsProtectedProcessLight fields of the Process Environment Block. These fields can be used to determine if the current process is “protected” or not, hence the “ProtectedProcess” key-word in the field names. In Windows, there are multiple process protection mechanisms, although the former (non-Light variant) has been around a lot longer than the Process Protection Light (PPL) variant.
The standard process protection mechanism in Windows has been around since Windows Vista, however the PPL feature came into play starting Windows 8. Microsoft use these mechanisms to protect their own System processes from being abused by malicious software or forcefully shut down by a third-party source (because for some Windows processes this can cause the system to bug-check/improperly function). If we can access these fields within the Process Environment Block, then we can check if the current process is protected or not by Windows. All of this is enforced from kernel-mode by the Windows Kernel using the undocumented and opaque EPROCESS structure, and you cannot write to these fields in the PEB structure and have the changes take effect because it won’t update the EPROCESS structure for the current process.

The standard process protection mechanism is used by Windows system processes. This mechanism is enforced from within the Windows Kernel and it’s not supposed to be used by third-parties, and it helps prevent system processes from being exploited by attackers (or forcefully shut down – the Operating System cannot function properly without its critical user-mode components). On top of this, Windows will set the state of various system processes to “critical”, and this is flag-based and will cause the system to be forcefully crashed (via a bug-check) if the “critical” processes become terminated. There are two different implementations for the “critical” state: critical processes and critical threads. Setting a process as critical will cause the bug-check once the process has been terminated, and setting a thread as critical will cause the bug-check once the thread has been terminated. Usually, the former is more appropriate because threads come and go regularly (e.g. spawn a new thread to handle an operation simultaneously and then the thread will be terminated once it returns back its status from the operation).
Windows does not set “threads” as critical as far as I am aware, although it will set specific processes as critical (processes like csrss.exe).

We’re going to take a look at how the process protection mechanism which is built into Windows actually works, very briefly, using Interactive Disassembler and WinDbg. We can easily check using the following routines.

PsIsProtectedProcess (NTOSKRNL)
PsIsProtectedProcessLight (NTOSKRNL)

Both of the above routines are undocumented but they are still exported by the Windows Kernel.

[Image: Disassembly for PsIsProtectedProcess (NTOSKRNL).]

Looking at the disassembly of PsIsProtectedProcess, we can see that the TEST instruction is being used. The TEST instruction is used for a “bitwise operation”. However, we can also see that [RCX+6CAh] is the target. The PsIsProtectedProcess routine takes in one parameter only and it returns a BOOLEAN (UCHAR) – the parameter’s data-type should be a pointer to the EPROCESS structure for the target process being checked on. This tells us that the value stored in the RCX register will be the address of the PEPROCESS (EPROCESS*) for the target process, and it’s accessing the structure to read the value stored under an unknown field which symbolises if the process is or is not protected. The offset for where the field under the EPROCESS structure is located is 6CAh. This means that if you add 0x6CA to the base address of the EPROCESS* for a process, you will land yourself at the address at which the value being checked in this routine is located (for this environment only, because the offsets regularly shift around and will vary between environments – due to patch updates and separate OS versions).

We can check with WinDbg which field is for the 0xC6A offset.

[Image: WinDbg command (dt) for the _EPROCESS structure, showing the Protection field.]

Nice!
The field in the EPROCESS structure which holds data regarding process protection is named Protection and has a data-type of _PS_PROTECTION (which is a structure) – at-least for the standard process protection mechanism, we are yet to check on the Light variant. We can take a look at the _PS_PROTECTION structure with the dt instruction. WinDbg command (dt) for the _PS_PROTECTION structure. Now if we check the disassembly of the PsIsProtectedProcessLight routine, we can see if it uses the same mechanism to query the status. Disassembly for PsIsProtectedProcessLight (NTOSKRNL). It’s targeting the Protection field of the EPROCESS structure as well – the same field of the structure too. The only difference here is that PsIsProtectedProcess is and PsIsProtectedProcessLight are doing some different checks. In the PEB structure, there’s an entry named Ldr which has a data-type of _PEB_LDR_DATA. Within this structure, we have a field named InMemoryOrderModuleList which has a data-type of _LIST_ENTRY. Double linked lists are very common in Windows components such as in the Windows Kernel or lower-level user-mode components. There’s an instruction in WinDbg named !peb which can be used to enumerate data for the PEB of the currently debugged process. Below is an image of what the output will look like, focus only on the non-highlighted parts. WinDbg command (!peb) output. If we go through the InMemoryOrderModuleList, we can extract each entry and assign to a pointer of the LDR_DATA_TABLE_ENTRY structure using the CONTAINING_RECORD macro. Then we could view details about the current module enumerated using the linked lists… We will do this during the practical code section which is right about now. We’re going to be using the PEB for practical use in the next section. User-Mode In this section we’re going to be re-writing a few Win32 API routines in user-mode which rely on the Process Environment Block. 
GetModuleHandle – using the Ldr field of the PEB structure
GetModuleFileName – using the ProcessParameters field of the PEB structure

We need to make sure we’ve declared some structures. Depending on the header files you’re using, you may not need them. However, if you do need them…

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    WCHAR *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef const UNICODE_STRING *PCUNICODE_STRING;

typedef struct _CLIENT_ID {
    PVOID UniqueProcess;
    PVOID UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

typedef struct _RTL_USER_PROCESS_PARAMETERS {
    BYTE Reserved1[16];
    PVOID Reserved2[10];
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

typedef struct _PEB_LDR_DATA {
    BYTE Reserved1[8];
    PVOID Reserved2[3];
    LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LDR_DATA_TABLE_ENTRY {
    PVOID Reserved1[2];
    LIST_ENTRY InMemoryOrderLinks;
    PVOID Reserved2[2];
    PVOID BaseAddress;
    PVOID Reserved3[2];
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    BYTE Reserved4[8];
    PVOID Reserved5[3];
#pragma warning(push)
#pragma warning(disable: 4201) // we'll always use the Microsoft compiler
    union {
        ULONG CheckSum;
        PVOID Reserved6;
    } DUMMYUNIONNAME;
#pragma warning(pop)
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

typedef struct _PEB {
    BYTE Reserved1[2];
    BYTE BeingDebugged;
    BYTE Reserved2[1];
    PVOID Reserved3[2];
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    PVOID Reserved4[3];
    PVOID AtlThunkSListPtr;
    PVOID Reserved5;
    ULONG Reserved6;
    PVOID Reserved7;
    ULONG Reserved8;
} PEB, *PPEB;

typedef struct _TEB {
    NT_TIB NtTib;
    PVOID EnvironmentPointer;
    CLIENT_ID ClientId;
    PVOID ActiveRpcHandle;
    PVOID ThreadLocalStoragePointer;
    PPEB ProcessEnvironmentBlock;
} TEB, *PTEB;

The next thing you might want is a global definition for NtCurrentPeb().
This isn’t mandatory but it can be a bit helpful if you’d prefer to type NtCurrentPeb() instead of NtCurrentTeb()->ProcessEnvironmentBlock every time you need to gain access to the PEB. I always preferred to type NtCurrentPeb() but that’s just me.

#define NtCurrentPeb() \
    NtCurrentTeb()->ProcessEnvironmentBlock

What is NtCurrentTeb()?

NtCurrentTeb() is a function which is packed within winnt.h, and it’ll return a pointer to the TEB structure at the correct address of where the TEB is located. NtCurrentTeb() will change depending on the configuration; however, for a 32-bit compilation, it will locate the TEB by using the __readfsdword macro, targeting 0x18 as the location. This means that the target location is actually FS:[0x18]. For a 64-bit compilation, __readgsqword will be used and the target location will be different.

GetModuleHandle replacement

HMODULE GetModuleHandleWrapper(WCHAR *ModuleName)
{
    PPEB ProcessEnvironmentBlock = NtCurrentPeb();
    PPEB_LDR_DATA PebLdrData = { 0 };
    PLDR_DATA_TABLE_ENTRY LdrDataTableEntry = { 0 };
    PLIST_ENTRY ModuleList = { 0 }, ForwardLink = { 0 };

    if (ProcessEnvironmentBlock)
    {
        PebLdrData = ProcessEnvironmentBlock->Ldr;
        if (PebLdrData)
        {
            ModuleList = &PebLdrData->InMemoryOrderModuleList;
            ForwardLink = ModuleList->Flink;
            while (ModuleList != ForwardLink)
            {
                // recover the owning LDR_DATA_TABLE_ENTRY from the embedded LIST_ENTRY
                LdrDataTableEntry = CONTAINING_RECORD(ForwardLink, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
                if (LdrDataTableEntry)
                {
                    if (LdrDataTableEntry->BaseDllName.Buffer)
                    {
                        if (!_wcsicmp(LdrDataTableEntry->BaseDllName.Buffer, ModuleName))
                        {
                            return (HMODULE)LdrDataTableEntry->BaseAddress;
                        }
                    }
                }
                ForwardLink = ForwardLink->Flink;
            }
        }
    }
    return 0;
}

The above routine does the following.
Retrieves the PPEB
Checks if the PPEB could be acquired or not
Enumerates the InMemoryOrderModuleList
Retrieves a pointer to the LDR_DATA_TABLE_ENTRY structure for each entry
Returns the BaseAddress of the module if it’s a match based on module name buffer comparison with the parameter passed in

GetModuleFileName wrapper

WCHAR *GetModuleFileNameWrapper()
{
    PPEB ProcessEnvironmentBlock = NtCurrentPeb();

    if (ProcessEnvironmentBlock)
    {
        if (ProcessEnvironmentBlock->ProcessParameters)
        {
            if (ProcessEnvironmentBlock->ProcessParameters->ImagePathName.Buffer)
            {
                // ImagePathName is a UNICODE_STRING; Buffer is the wchar_t* path
                return ProcessEnvironmentBlock->ProcessParameters->ImagePathName.Buffer;
            }
        }
    }
    return NULL;
}

The above routine does the following.

Retrieves the PPEB (pointer to the PEB)
Checks if the PPEB could be acquired or not
Checks if it can access the ProcessParameters field
Returns the ImagePathName buffer (it’s a UNICODE_STRING so the Buffer field is a wchar_t*)

All of this has been known for an extremely long time now, but for those of you who have only just got into Windows Internals and started studying areas like the Process Environment Block, this could help clear things up for you quickly and put an end to some confusion.

As always, thanks for reading.

NtOpcode

Source: https://ntopcode.wordpress.com/2018/02/26/anatomy-of-the-process-environment-block-peb-windows-internals/
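The list walk from the article, as an added example that is not part of the original post or NtOpcode's code: the type definitions are portable stand-ins for the winternl.h ones (field order follows the LDR_DATA_TABLE_ENTRY layout quoted above), and the module list is constructed inside the program rather than read from a live PEB, so it compiles with any C compiler. It shows the CONTAINING_RECORD step and, as a defensive refinement, a comparison bounded by UNICODE_STRING.Length instead of _wcsicmp, because BaseDllName.Buffer is not guaranteed to be NUL-terminated; the entry names and base addresses are made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Stand-ins for the Windows types used by the loader list, declared here so
   the example builds with any C compiler (winternl.h supplies them on Windows).
   Field order follows the public LDR_DATA_TABLE_ENTRY layout quoted above. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY, *PLIST_ENTRY;

typedef struct _UNICODE_STRING {
    uint16_t Length;         /* string length in BYTES, not characters */
    uint16_t MaximumLength;  /* size of Buffer in bytes */
    wchar_t *Buffer;         /* NOT guaranteed to be NUL-terminated */
} UNICODE_STRING;

typedef struct _LDR_DATA_TABLE_ENTRY {
    void *Reserved1[2];
    LIST_ENTRY InMemoryOrderLinks;   /* InMemoryOrderModuleList is threaded through here */
    void *Reserved2[2];
    void *BaseAddress;
    void *Reserved3[2];
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

/* Same as the SDK macro: step back from the embedded LIST_ENTRY to its owner. */
#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - offsetof(type, field)))

/* Case-insensitive compare bounded by UNICODE_STRING.Length. _wcsicmp on
   BaseDllName.Buffer assumes a terminating NUL the loader does not promise;
   this version never reads past Length and rejects prefix-only matches. */
int UnicodeStringEqualsNoCase(const UNICODE_STRING *s, const wchar_t *name)
{
    size_t chars = s->Length / sizeof(wchar_t);
    for (size_t i = 0; i < chars; i++) {
        if (name[i] == L'\0' ||
            towlower((wint_t)s->Buffer[i]) != towlower((wint_t)name[i]))
            return 0;
    }
    return name[chars] == L'\0';
}

/* Walk InMemoryOrderModuleList exactly like GetModuleHandleWrapper does and
   return the BaseAddress of the first entry whose BaseDllName matches. */
void *FindModuleBase(PLIST_ENTRY head, const wchar_t *name)
{
    for (PLIST_ENTRY link = head->Flink; link != head; link = link->Flink) {
        PLDR_DATA_TABLE_ENTRY e = CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        if (e->BaseDllName.Buffer && UnicodeStringEqualsNoCase(&e->BaseDllName, name))
            return e->BaseAddress;
    }
    return NULL;
}

/* Constructed sample list (hypothetical, not read from any real process):
   three fake modules with made-up base addresses. The last name buffer carries
   junk beyond Length to show why the bounded compare matters. */
static wchar_t g_names[3][20] = { L"demo.exe", L"ntdll.dll", L"kernel32.dllJUNK" };
static const size_t g_chars[3] = { 8, 9, 12 };
static const uintptr_t g_bases[3] = { 0x00400000u, 0x77000000u, 0x76000000u };
static LDR_DATA_TABLE_ENTRY g_entries[3];
static LIST_ENTRY g_head;

PLIST_ENTRY DemoModuleList(void)
{
    static int built = 0;
    if (built)
        return &g_head;
    built = 1;
    g_head.Flink = g_head.Blink = &g_head;
    for (int i = 0; i < 3; i++) {
        PLDR_DATA_TABLE_ENTRY e = &g_entries[i];
        PLIST_ENTRY link = &e->InMemoryOrderLinks;
        e->BaseAddress = (void *)g_bases[i];
        e->BaseDllName.Buffer = g_names[i];
        e->BaseDllName.Length = e->BaseDllName.MaximumLength =
            (uint16_t)(g_chars[i] * sizeof(wchar_t));
        link->Flink = &g_head;                 /* append at the tail of the ring */
        link->Blink = g_head.Blink;
        g_head.Blink->Flink = link;
        g_head.Blink = link;
    }
    return &g_head;
}

/* Base address as an integer, 0 when the module is not in the list. */
uintptr_t DemoLookup(const wchar_t *name)
{
    return (uintptr_t)FindModuleBase(DemoModuleList(), name);
}

int main(void)
{
    const wchar_t *q[] = { L"KERNEL32.DLL", L"ntdll", L"kernel32.dllJUNK" };
    for (size_t i = 0; i < 3; i++)
        wprintf(L"%-18ls -> %#lx\n", q[i], (unsigned long)DemoLookup(q[i]));
    return 0;
}
```

On a real Windows build you would drop the stand-in typedefs and the constructed list, include winternl.h, and pass &NtCurrentPeb()->Ldr->InMemoryOrderModuleList to FindModuleBase; the walk and the bounded compare stay the same.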
22. Rename ida.exe to anything.exe; first, look through the strings for interesting things (Shift+F12).

P.S. There is a chance the password is in plain text in the file/memory:
- run the program
- open procexp, right-click your process > Properties > Strings
- choose Image and click save (this saves the strings from the file)
- choose Memory and click save (this saves the strings from memory)
- look through the 2 files for anything that could resemble a password (plain text, hex, base64)

If you think it gets the password from a server, you can look at the process's connections in procexp > TCP/IP; to see what it sends/receives, look up Wireshark.
23. This is the first in a series of articles about reverse engineering Android applications. In this series I will cover the anatomy of the APK and AAR package formats and a few tools commonly used for reverse engineering or inspecting applications: aapt, dex2jar, apktool and Androguard.

Part 1 – APK and AAR format
Part 2 – aapt
Part 3 – dex2jar
Part 4 – apktool
Part 5 – Androguard
24. You can also create an account with a normal email if you only want to participate for the challenge.