Jump to content

Usr6

Active Members
 View Profile  See their activity

  • Posts

    1337

  • Joined

  • Last visited

  • Days Won

    89

 Content Type 

Everything posted by Usr6

  1. Usr6

    Ajutor umanitar

    Usr6 posted a topic in Off-topic

    Se cauta programatori dispusi sa-si sacrifice cateva minute din timpul lor pretios pentru a ajuta la scoaterea unui coleg de-al nostru ( @aelius ) de sub tirania vim-ului. Daca doriti sa contribuiti, postati codul sursa mai jos. Cerinte minime: - sa poata fi rulat/compilat pe un sistem linux/unix default, deci: c/python/ruby/perl, etc - sa poata crea un fisier/ adauga cateva linii - mai urat de atat oricum nu poate fi - se accepta doar creatii proprii Beneficii: ce poate fi mai frumos decat sa vezi un om fericit? Fara offtopic.
  2. Usr6
    Folosesti [chrome, firefox, ie, opera, etc] private browsing si crezi ca nimeni altcineva (exceptand providerul de net si serviciile) nu poate stii pe ce site-uri ai umblat? Te inseli, poate browserul tau nu tine evidenta site-urilor vizitate, dar, windows-ul o face si pentru browserul tau. Orice persoana cu acces fizic la calculator avand scriptul de mai jos iti poate zice domeniile web care au fost accesate de pe pc-ul tau, fie ele accesate clasic sau in mod private browsing. Script: python 2.7 import subprocess import re import sys print """ RST UnHide Private Browsing Usr6 (usr_6@yahoo.com) Usage: -s for saving output to 'visited.txt' """ if len(sys.argv) == 2: if sys.argv[1] == "-s": save = 1 fisier = open("visited.txt", "a") else: save = 0 try: unhide = subprocess.Popen("6970636f6e666967202f646973706c6179646e73".decode("hex"),stderr=subprocess.PIPE,stdout=subprocess.PIPE,shell=True) (stdout, stderr) = unhide.communicate() except : sys.exit(stderr) output = re.sub(" ", "", stdout) lista_output = output.split("rn") print "Ai accesat:" for i in range(0, len(lista_output)): if lista_output[i] == "-" * 40 + "r": if lista_output[i-1] != "localhostr" and lista_output[i-1] != "1.0.0.127.in-addr.arpar": if save == 1: fisier.write(lista_output[i-1].rstrip() + "n") print "t[+]" + lista_output[i-1] else: print "t[+]" + lista_output[i-1] raw_input("Press Enter to exit.") sys.exit("Exiting...") output: RST UnHide Private Browsing Usr6 (usr_6@yahoo.com) Usage: -s for saving output to 'visited.txt' Ai accesat: [+]rstforums.com ... [+]google.ro [+]site-ul_pe_care_l-ai_vizitat_cu_private_browsing_aici.com Press Enter to exit. Exiting... Desigur, exista si metode de evitare/eliminare, pentru detalii suplimentare, accesati: https://rstforums.com/forum/tutoriale.rst
  3. Usr6
    Disclaimer: This post is based upon experiences I found when sending malware via GMail (Google Mail). I'm documenting them here for others to: disprove, debate, confirm, or to downplay its importance. As a professional malware analyst and security researcher, a sizable portion of my work is spent collaborating with other researchers over attack trends and tactics. If I hit a hurdle in my analysis, it's common to just send the binary sample to another researcher with an offset location and say "What does this mean to you?" That was the case on Valentine's Day, 14 Feb 2014. While working on a malware static analysis blog post, to accompany my dynamic analysis blog post on the same sample, I reached out to a colleague to see if he had any advice on an easy way to write an IDAPython script (for IDA Pro) to decrypt a set of encrypted strings. There is a simple, yet standard, practice for doing this type of exchange. Compress the malware sample within a ZIP file and give it a password of 'infected'. We know we're sending malware samples, but need to do it in a way that: a. an ordinary person cannot obtain the file and accidentally run it; b. an automated antivirus system cannot detect the malware and prevent it from being sent. However, on that fateful day, the process stopped. Upon compressing a malware sample, password protecting it, and attaching it to an email I was stopped. GMail registered a Virus Alert on the attachment. Stunned, I try again to see the same results. My first thought was that I forgot to password-protect the file. I erased the ZIP, recreated it, and received the same results. I tried with a different password - same results. I used a 24-character password... still flagged as malicious. The instant implications of this initial test were staggering; was Google password cracking each and every ZIP file it received, and had the capability to do 24-character passwords?! No, but close. Google already opens any standard ZIP file that is attached to emails. The ZIP contents are extracted and scanned for malware, which will prevent its attachment. This is why we password protect them. However, Google is now attempting to guess the password to ZIP files, using the password of 'infected'. If it succeeds, it extracts the contents and scans them for malware. Google is attempting to unzip password-protected archives by guessing at the passwords. To what extent? We don't know. But we can try to find out. I obtained the list of the 25 most common passwords and integrated them (with 'infected') into a simple Python script below: import subprocess pws = ["123456","password","12345678","qwerty","abc123","123456789","111111","1234567","iloveyou","adobe123","123123","sunshine","1234567890","letmein","photoshop","1234","monkey","shadow","sunshine","12345","password1","princess","azerty","trustno1","000000","infected"] for pw in pws: cmdline = "7z a -p%s %s.zip malware.livebin" % (pw, pw) subprocess.call(cmdline) This script simply compressed a known malware sample (malware.livebin) into a ZIP of the same password name. I then repeated these steps to create respective 7zip archives. I then created a new email and simply attached all of the files: Of all the files created, all password protected, and each containing the exact same malware, only the ZIP file with a password of 'infected' was scanned. This suggests that Google likely isn't using a sizable word list, but it's known that they are targeting the password of 'infected'. To compensate, researchers should now move to a new password scheme, or the use of 7zip archives instead of ZIP. Further testing was performed to determine why subsequent files were flagged as malicious, even with a complex password. As soon as Google detects a malicious attachment, it will flag that attachment File Name and prevent your account from attaching any file with the same name for what appears to be five minutes. Therefore, even if I recreated infected.zip with a 50-char password, it would still be flagged. Even if I created infected.zip as an ASCII text document full of spaces, it would still be flagged. In my layman experience, this is a very scary grey area for active monitoring of malware. In the realm of spear phishing it is common to password protect an email attachment (DOC/PDF/ZIP/EXE) and provide the password in the body to bypass AV scanners. However, I've never seen any attack foolish enough to use a red flag word like "infected", which would scare any common computer user away (... unless someone made a new game called Infected? ... or a malicious leaked album set from Infected Mushroom?) Regardless of the email contents, if they are sent from one consenting adult to another, in a password-protected container, there is an expectation of privacy between the two that is violated upon attempting to guess passwords en masse. And why is such activity targeted towards the malware community, who uses this process to help build defenses against such attacks? Sursa: Ghetto Forensics: Is Google Scanning Malware Emails Attachments Between Researchers
  4. Usr6
    Silk Road 2 moderator Defcon reported in a forum post that hackers have used a transaction malleability exploit to hack the marketplace. The hackers stole over 4474.26 bitcoins worth $2,747,000, emptying the site’s escrow account. The site used a central escrow service to send bitcoins from buyers to sellers. The hackers exploited the transaction malleability bug – essentially a way users can mask transfers and ask for the same amount of BTC multiple times – to clean out this wallet. This is the same bug that forced Mt. Gox to halt all withdrawals and recent updates have made average bitcoin wallets secure against this sort of attack. According to the site, hackers used the Silk Road’s automatic transaction verification system to order from each other and then request refunds for unshipped goods. Hackers were able to use the transaction malleability bug because the Silk Road used only transaction ID to confirm the transfer of bitcoins. You can read more about the problem here. They supposedly run an automated refund system for their vendors that relies on the TXID to verify transactions. Their claim is that six vendors colluded to exploit that system by ordering from one another and then submitting circular refund requests. Defcon is calling on the hackers to return the bitcoin. “Given the right flavor of influence from our community, we can only hope that he will decide to return the coins with integrity as opposed to hiding like a coward,” the moderator wrote. The site’s users are currently attempting to track down the thief. Writes Defcon: # Attacker 1: (Responsible for 95% of theft) Suspected French, responsible for vast majority of the thefts. Used the following six vendor accounts to order from each other, to find and exploit the vulnerability aggressively. ## Usernames used: narco93 ketama riccola germancoke napolicoke smokinglife News of the theft has driven the price of BTC down by about 50 points and it’s currently hovering at 600. We’ll post more information on the hack and the exploit as we get it. Defcon, for his part, is calling for further decentralization of online markets and currency. “No marketplace is perfect. Expect any centralized market to fail at some point. This is precisely why we must unite in the decision to decentralize,” he wrote. Sursa: Silk Road 2 Hacked, Over 4,000 Bitcoin Allegedly Stolen | TechCrunch
  5. Usr6
    Over the past four years, KrebsOnSecurity has been targeted by countless denial-of-service attacks intended to knock it offline. Earlier this week, KrebsOnSecurity was hit by easily the most massive and intense such attack yet — a nearly 200 Gpbs assault leveraging a simple attack method that industry experts say is becoming alarmingly common. At issue is a seemingly harmless feature built into many Internet servers known as the Network Time Protocol (NTP), which is used to sync the date and time between machines on a network. The problem isn’t with NTP itself, per se, but with certain outdated or hard-coded implementations of it that attackers can use to turn a relatively negligible attack into something much, much bigger. Symantec‘s writeup on this threat from December 2013 explains the problem succinctly: Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP Address. In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic. Matthew Prince, the CEO of Cloudflare — a company that helps Web sites stay online in the face of huge DDoS attacks — blogged Thursday about a nearly 400 Gbps attack that recently hit one of the company’s customers and leveraged NTP amplification. Prince said that while Cloudflare “generally [was] able to mitigate the attack, it was large enough that it caused network congestion in parts of Europe.” “Monday’s DDoS proved these attacks aren’t just theoretical. To generate approximately 400Gbps of traffic, the attacker used 4,529 NTP servers running on 1,298 different networks,” Prince wrote. “On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare’s network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests. An attacker with a 1 Gbps connection can theoretically generate more than 200Gbps of DDoS traffic.” NO TIME LIKE THE PRESENT Prince suggests a number of solutions for cleaning up the problem that permits attackers to seize control over so many ill-configured NTP servers, and this is sound advice. But what that post does not mention is the reality that a great many of today’s DDoS attacks are being launched or coordinated by the same individuals who are running DDoS-for-hire services (a.k.a “booters”) which are hiding behind Cloudflare’s own free cloud protection services. As I noted in a talk I gave last summer with Lance James at the Black Hat security conference in Las Vegas, a funny thing happens when you decide to operate a DDoS-for-hire Web service: Your service becomes the target of attacks from competing DDoS-for-hire services. Hence, a majority of these services have chosen to avail themselves of Cloudflare’s free content distribution service, which generally does a pretty good job of negating this occupational hazard for the proprietors of DDoS services. Mr. Prince took strong exception to my remarks at Black Hat, which observed that this industry probably would destroy itself without Cloudflare’s protection, and furthermore that some might perceive a credibility issue with a company that sells DDoS protection services providing safe haven to an entire cottage industry of DDoS-for-hire services. Prince has noted that while Cloudflare will respond to legal process and subpoenas from law enforcement to take sites offline, “sometimes we have court orders that order us to not take sites down.” Indeed, one such example was CarderProfit, a Cloudflare-protected carding forum that turned out to be an elaborate sting operation set up by the FBI. He said the company has a stated policy of not singling out one type of content over another, citing a fear of sliding down a slippery slope of censorship. In a phone interview today, Prince emphasized that he has seen no indication that actual malicious packets are being sent out of Cloudflare’s network from the dozens of booter service Web sites that are using the service. Rather, he said, those booter services are simply the marketing end of these operations. “The very nature of what we are trying to build is a system by which any content can be online and we can make denial-of-service attacks a thing of the past. But that means that some controversial content will end up on our network. We have an attack of over 100 Gbps almost every hour of every day. If I really thought it would solve the problem, and if our network was actually being used in these attacks, that’s a no-brainer. But I can’t get behind the idea that we should deny service to a marketing site just so that it can be attacked by these other sites, and that this will will somehow make the problem go away. I don’t think that’s right, and it starts us down a slippery slope.” As a journalist, I’m obviously extremely supportive of free speech rights. But it seems to me that most of these DDoS-for-hire services are — by definition — all about stifling speech. Worse yet, over the past few months the individuals behind these offerings have begun to latch onto NTP attacks, said Allison Nixon, a researcher for NTT Com Security who spoke about DDoS protection bypass techniques at last year’s Black Hat. “There is a growing awareness of NTP based attacks in the criminal underground in the past several months,” Nixon said. “I believe it’s because nobody realized just how many vulnerable servers are out there until recently. “The technical problem of NTP amplification has been known for a long time. Now that more and more attack lists are being traded around, the availability of DDoS services with NTP attack functionality is on the rise.” (S)KIDS JUST WANNA HAVE FUN The shocking thing about these DDoS-for-hire services is that — as I’ve reported in several previous stories — a majority of them are run by young kids who apparently can think of no better way to prove how cool and “leet” they are than by wantonly knocking Web sites offline and by launching hugely disruptive assaults. Case in point: My site appears to have been attacked this week by a 15-year-old boy from Illinois who calls himself “Mr. Booter Master” online. Prolexic Technologies, the company that has been protecting KrebsOnSecurity from DDoS attacks for the past 18 months, said the attack that hit my site this week clocked in just shy of 200 Gbps. A year or two ago, a 200 Gbps attack would have been close to the largest attack on record, but the general upswing in attack volume over the past year makes the biggest attacks timeline look a bit like a hockey stick, according to a blog post on NTP attacks posted today by Arbor Networks. Arbor’s writeup speaks volumes about the motivations and maturity of the individuals behind a majority of these NTP attacks. The NTP attack on my site was short-lived — only about 10 minutes in duration, according to Prolexic. That suggested the attack was little more than a proof-of-concept, a demonstration. Indeed, shortly after the attack subsided, I heard from a trusted source who closely monitors hacker activity in the cybercrime underground. The source wanted to know if my site had recently been the subject of a denial-of-service attack. I said yes and asked what he knew about it. The source shared some information showing that someone using the nickname “Rasbora” had very recently posted several indicators in a private forum in a bid to prove that he had just launched a large attack against my site. Apparently, Rasbora did this so that he could prove his greatness to the administrators of Darkode, a closely guarded cybercrime forum that has been profiled at length in this blog. Rasbora was anxious to show what he could contribute to the Darkode community, and his application for membership there hinged in part on whether he could be successful in taking down my site (incidentally, this is not the first time Darkode administrators have used my site as a test target for vetting prospective members who apply based on the strength of some professed DDoS prowess). Rasbora, like other young American kids involved in DDoS-for-hire services, hasn’t done a great job of separating his online self from his real life persona, and it wasn’t long before I was speaking to Rasbora’s dad. His father seemed genuinely alarmed — albeit otherwise clueless — to learn about his son’s alleged activities. Rasbora himself agreed to speak to me, but denied that he was responsible for any attack on my site. He did, however, admit to using the nickname Rasbora — and eventually — to being consumed with various projects related to DDoS activities. Rasbora maintains a healthy presence on Hackforums[dot]net, a relatively open forum that is full of young kids engaged in selling hacking services and malicious code of one kind or another. Throughout 2013, he ran a DDoS-for-hire service hidden behind Cloudflare called “Flashstresser.net,” but that service is currently unreachable. These days, Rasbora seems to be taking projects mostly by private contract. Rasbora’s most recent project just happens to be gathering, maintaining huge “top quality” lists of servers that can be used to launch amplification attacks online. Despite his insistence that he’s never launched DDoS attacks, Rasbora did eventually allow that someone reading his posts on Hackforums might conclude that he was actively involved in DDoS attacks for hire. “I don’t see what a wall of text can really tell you about what someone does in real life though,” said Rasbora, whose real-life identity is being withheld because he’s a minor. This reply came in response to my reading him several posts that he’d made on Hackforums not 24 hours earlier that strongly suggested he was still in the business of knocking Web sites offline: In a Feb. 12 post on a thread called “Hiring a hit on a Web site” that Rasbora has since deleted, he tells a fellow Hackforums user, “If all else fails and you just want it offline, PM me.” Rasbora has tried to clean up some of his more self-incriminating posts on Hackforums, but he remains defiantly steadfast in his claim that he doesn’t DDoS people. Who knows, maybe his dad will ground him and take away his Internet privileges. Sursa: The New Normal: 200-400 Gbps DDoS Attacks — Krebs on Security
  6. Usr6
    pe baza feedback-ului primit la versiunile anterioare, un nou release: 5 runde pline de adrenalina, daca le treci iti raman fisierele intacte si primesti felicitarile Welcome to Extreme Rst roulette v2 If you loose one random file will be deleted Please choose a nr from 1 to 6 (choose 7 to exit): 6 Ai avut noroc, numarul era: 2, tu ai ales 6 Please choose a nr from 1 to 5 (choose 6 to exit): 5 Ai avut noroc, numarul era: 2, tu ai ales 5 Please choose a nr from 1 to 4(choose 5 to exit): 3 Ai avut noroc, numarul era : 4, tu ai ales 3 Please choose a nr from 1 to 3(choose 4 to exit): 1 Ai avut noroc, numarul era: 3, tu ai ales 1 Please choose between 1 and 2(choose 3 to exit): 1 numarul era: 2, tu ai ales 1 Felicitari! Game Over. daca nu... iti vei dori sa nu fi jucat Welcome to Extreme Rst roulette v2 If you loose one random file will be deleted Please choose a nr from 1 to 6 (choose 7 to exit): 6 You loose, un fisier va fi sters: Fisierul C:\boot.ini a fost sters. Script (python 2.7): import random import sys import os print "Welcome to Extreme Rst roulette v2" print "If you loose one random file will be deleted" def looser(): print "You loose, un fisier va fi sters:" for root, subFolders, files in os.walk("C:\\"): for file in files: fullpath = os.path.join(root, file) noroc = random.randrange(0, 100) if noroc == 0: try: #os.remove(fullpath) print "Fisierul %s a fost sters." %(fullpath) sys.exit() except Exception, e: print "fisierul %s, nu a putut fi sters" print e else: continue nrales =0 while nrales <7: print "Please choose a nr from 1 to 6 (choose 7 to exit):" try: nrales = int(raw_input()) except: print "Am zis numar, da?" nrr = random.randrange(1,7) if nrales >=7: print "Seeya next time." sys.exit() elif nrales == nrr: looser() else : print "Ai avut noroc, numarul era: %d, tu ai ales %d \nPlease choose a nr from 1 to 5 (choose 6 to exit):" %(nrr, nrales) try: nrales = int(raw_input()) except: print "Am zis numar, da?" nrr = random.randrange(1,6) if nrales >=6: print "Seeya next time." sys.exit() elif nrales == nrr: looser() else : print "Ai avut noroc, numarul era: %d, tu ai ales %d \nPlease choose a nr from 1 to 4(choose 5 to exit):" %(nrr, nrales) try: nrales = int(raw_input()) except: print "Am zis numar, da?" nrr = random.randrange(1,5) if nrales >=5: print "Seeya next time." sys.exit() elif nrales == nrr: looser() else : print "Ai avut noroc, numarul era : %d, tu ai ales %d \nPlease choose a nr from 1 to 3(choose 4 to exit):" %(nrr, nrales) try: nrales = int(raw_input()) except: print "Am zis numar, da?" nrr = random.randrange(1,4) if nrales >=4: print "Seeya next time." sys.exit() elif nrales == nrr: looser() else : print "Ai avut noroc, numarul era: %d, tu ai ales %d \nPlease choose between 1 and 2(choose 3 to exit):" %(nrr, nrales) try: nrales = int(raw_input()) except: print "Am zis numar, da?" nrr = random.randrange(1,3) if nrales >=3: print "Seeya next time." sys.exit() elif nrales == nrr: looser() else : print "numarul era: %d, tu ai ales %d \nFelicitari!\nGame Over." %(nrr, nrales) sys.exit() Am lasat un mic 'anti noob' protection Nota: Stergerea unor fisiere de system poate duce la imposibilitatea de a porni pc-ul, aparitia BSOD-urilor, etc
  7. Usr6
    The attack campaign is highly sophisticated and bears the marks of being a state-sponsored operation, the researchers said A cyberespionage operation that used highly sophisticated multi-platform malware went undetected for more than five years and compromised computers belonging to hundreds of government and private organizations in more than 30 countries. Details about the operation were revealed Monday in a paper by security researchers from antivirus firm Kaspersky Lab who believe the attack campaign could be state sponsored. The Kaspersky researchers dubbed the whole operation "The Mask," the English translation for the Spanish word Careto, which is what the attackers called their main backdoor program. Based on other text strings found in the malware, the researchers believe its authors are probably proficient in Spanish, which is unusual for an APT (advanced persistent threat) campaign. "When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyze WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations," the Kaspersky researchers said in the research paper. "The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP [remote desktop protocol] files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools." Data found by investigating and monitoring a set of command-and-control (C&C) servers used by the attackers revealed more than 380 unique victims from 31 countries. The main targets of the operation are government institutions; embassies and other diplomatic missions; energy, oil and gas companies; research institutions; private equity firms and activists. Victims were targeted using spear-phishing emails with links leading to websites that hosted exploits for Java and Adobe Flash Player, as well as malicious extensions for Mozilla Firefox and Google Chrome. The URLs used were meant to impersonate the websites of popular newspapers, many in Spanish, but also The Guardian, The Washington Post and The Independent. Historical data collected from debug logs accessible on C&C servers showed that more than 1,000 victim IP (Internet Protocol) addresses had connected to them. The top five countries by victim IP address count were Morocco, Brazil, the U.K., Spain and France. Kaspersky was also able to redirect the domain names for some of the C&C servers to a server under its control -- an operation known as sinkholing -- in order to gather statistics and collect more accurate information about the locations of current victims. The active monitoring of connections to the sinkhole server showed a different distribution by country, but Spain, France and Morocco remained in the top 5 by both IP address count and unique victim IDs. The attackers began shutting down their command-and-control servers in January, and at this time all servers that the Kaspersky researchers knew of are offline. Even so, it's not certain that all victims have been identified, so the paper includes technical details that organizations can use to check their networks and systems for intrusions with this threat. Also, the possibility of attackers resurrecting the attack campaign cannot be ruled out, the researchers said in a blog post. In terms of sophistication, the Kaspersky researchers place The Mask campaign above other cyberespionage operations such as Duqu, Gauss, Red October and Icefog that the company has identified over the past few years. "For Careto, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on," the researchers said in their paper. "This is not very common in APT operations, putting the Mask into the 'elite' APT groups section." The malware toolset used by the attackers includes three different backdoor programs, one of which had versions for Mac OS X and Linux in addition to Windows. Some evidence possibly indicating infections on iOS and Android devices was also found on the C&C servers, but no malware samples for those platforms was recovered. The Careto backdoor program collects system information and can execute additional malicious code, the Kaspersky researchers said. It also injects some of its modules into browser processes -- it can do so in Internet Explorer, Mozilla Firefox and Google Chrome -- to communicate with command-and-control servers. Careto was often used to install a second, more complex backdoor program called SGH that has a modular architecture and can be easily extended. This second threat contains a rootkit component and has modules for intercepting system events and file operations as well as performing a large number of surveillance functions. SGH also attempts to exploit a vulnerability in older versions of Kaspersky antivirus products in order to evade detection, which is what attracted the researchers' attention in the first place and prompted the investigation. However, that vulnerability was patched back in 2008 and only affects versions of Kaspersky Workstation older than 6.0.4. and Kaspersky Anti-Virus and Kaspersky Internet Security 8.0 installations that haven't been properly updated, the researchers said. The third backdoor program is based on an open-source project called SBD, short for Shadowinteger's Backdoor, which is itself based on the netcat networking utility. The Kaspersky researchers found customized SBD variants for Windows, Mac OS X and Linux associated with The Mask operation, but the Linux variant was damaged and couldn't be analyzed. Different variants of the backdoor programs used in The Mask over the years have been identified, the oldest of which appears to have been compiled in 2007. Most samples were digitally signed with valid certificates issued to a company called TecSystem Ltd. from Bulgaria, but it's not clear if this company is real. One certificate was valid between June 28, 2011 and June 28, 2013. The other was supposed to be valid from April 18, 2013 to July 18, 2016, but has since been revoked by VeriSign. "Nation-state-level cyber-offensive operations can lurk in the dark for many years before being discovered and fully analyzed," said Igor Soumenkov, principal security researcher at Kaspersky Lab, via email. "Sometimes, samples are detected, but the researchers lack the data to make a 'big picture' out of it. With Careto, we tried not just to analyze the attack against Kaspersky products, but to understand what is the big picture." Soumenkov believes the use of the Spanish language and the compilation date of the oldest sample suggest that state-sponsored attackers from countries other than China, Russia or the U.S. have been running cyberespionage attacks longer than previously thought. Sursa: Cyberespionage operation 'The Mask' compromised organizations in 30-plus countries | ITworld pe acelasi subiect: http://arstechnica.com/security/2014/02/meet-mask-posssibly-the-most-sophisticated-malware-campaign-ever-seen/ http://www.darkreading.com/attacks-breaches/researchers-uncover-the-mask-global-cybe/240166043 http://www.securelist.com/en/blog/208216078/The_Careto_Mask_APT_Frequently_Asked_Questions Ceva interesant: The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story. This was the first exploit to break the Chrome sandbox and was used to win the CanSecWest Pwn2Own contest in 2012. The exploit caused a bit of a controversy because the VUPEN team refused to reveal how they escaped the sandbox, claiming they were planning to sell the exploit to their customers. It is possible that the Careto threat actor purchased this exploit from VUPEN.(See story by Ryan Naraine) Analiza completa: http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf
  8. Usr6
    About the Course Cryptography is an indispensable tool for protecting information in computer systems. This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption and basic key-exchange. Throughout the course students will be exposed to many exciting open problems in the field. The course will include written homeworks and programming labs. The course is self-contained, however it will be helpful to have a basic understanding of discrete probability theory. Syllabus week 1 Background and overview. One-time encryption using stream ciphers. Semantic security. week 2 Block ciphers and pseudorandom functions. Chosen plaintext security and modes of operation. The DES and AES block ciphers. week 3 Message integrity. CBC-MAC, HMAC, PMAC, and CW-MAC. Collision resistant hashing. week 4 Authenticated encryption. CCM, GCM, TLS, and IPsec. Key derivation functions. Odds and ends: deterministic encryption, non-expanding encryption, and format preserving encryption. week 5 Basic key exchange: Diffie-Hellman, RSA, and Merkle puzzles. A crash course in computational number theory. Number theoretic hardness assumptions. week 6 Public key encryption. Trapdoor permutations and RSA. The ElGamal system and variants. Online video: https://class.coursera.org/crypto-preview/lecture Torrent: Download Coursera / Stanford University - Cryptography Torrent - KickassTorrents
  9. Usr6
    Vorbiti de spartul bitilor de parca ar fi vorba de semintele de pe stadion. In lumea reala un sistem de criptare pe 128 biti(daca nu ma insel minim e chiar mult mai mic: 80 sau 90 biti) e considerat relativ sigur pentru a putea fi utilizat in securizarea informatiilor. Chiar si cu aparitia calculatoarelor cuantice, un algoritm de criptare pe 256 biti ar trebui sa fie sigur. (un curs pentru cei interesati de: https://www.coursera.org/course/crypto) Pana in prezent, DES(64 bit) cred ca e singurul algoritm de criptare oficial care e considerat nesigur. MD5 tot e considerat nesigur de cativa ani, desi inca n-am vazut 2 siruri de caractere care sa aiba acelasi hash(daca aveti va rog sa postati). Totusi exista exemple pentru file collision. Referitor la specialistii care fac si dreg, acu cativa ani se zicea ca specialistii pot recupera un procent foarte ridicat din datele care au fost sterse de pe un hdd: biti reali:01001000 = H recup :01001100 = L 7 biti din 8 au fost recuperati, adica ~90% din date au fost recuperate, statistic este exceptional de bine, practic informatiile recuperate sunt inutile Pentru paranoici: https://rstforums.com/forum/81034-talking-safe-using-rsa-pycrypto-python.rst
  10. Usr6
    Editie speciala pentru iubitorii de adrenalina, va sterge un fisier random import random import sys import os print "Welcome to Extreme Rst roulette" print "random file will be deleted" print "press 7 to exit" nrales =0 while nrales <7: print "Please choose a nr from 1 to 6:" try: nrales = int(raw_input()) except: print "Am zis numar, da?" nrr = random.randrange(1,6) if nrales >=7: print "Seeya next time." sys.exit() elif nrales == nrr: try: print "You loose, un fisier va fi sters:" for root, subFolders, files in os.walk("C:\\"): for file in files: fullpath = os.path.join(root, file) noroc = random.randrange(0, 100) if noroc == 0: try: #os.remove(fullpath) print "Fisierul %s a fost sters." %(fullpath) sys.exit() except Exception, e: print "fisierul %s, nu a putut fi sters" %(fullpath) print e else: continue except Exception, e: print "Ai avut noroc de ", e sys.exit() else : print "Ai avut noroc, numarul era : %d, tu ai ales %d" %(nrr, nrales) Am avut "noroc" )) Welcome to Extreme Rst roulette random file will be deleted press 7 to exit Please choose a nr from 1 to 6: 1 You loose, un fisier va fi sters: Fisierul C:\IO.SYS a fost sters. Am lasat un mic 'anti noob' protection Nota: Stergerea unor fisiere de system poate duce la imposibilitatea de a porni pc-ul, aparitia BSOD-urilor, etc
  11. Usr6
    import random import sys import os print "Welcome to Rst roulette" print "Exit nr >7" nrales =0 while nrales <7: print "Please choose a nr from 1 to 6:" nrales = int(raw_input()) nrr = random.randrange(1,6) if nrales >=7: print "Seeya next time." sys.exit() elif nrales == nrr: try: os.system('shutdown -r -t 10 -c "You loose"') except Exception, e: print "Ai avut noroc de", Exception, sys.exit() else : print "Ai avut noroc, numarul era : %d, tu ai ales %d" %(nrr, nrales) Trebuie sa alegeti un nr intre 1 si 6, daca ghiciti nr ales aleator primiti ca premiu un restart al calculatorului daca alegeti un nr mai mare sau egal cu 7 iesiti din joc
  12. Usr6
    Somewhat similar to HashTag – Password Hash Type Identification (Identify Hashes) – which we posted about a while back, here we have hash-identifier or Hash ID. Once again this is a Python script created to identify types of hashes used to encrypt data and especially passwords. It supports a whole bunch of hashes such as (but not limited to): ADLER-32 CRC-32 CRC-32B CRC-16 CRC-16-CCITT DES(Unix) FCS-16 GHash-32-3 GHash-32-5 GOST R 34.11-94 Haval-160 Haval-192 110080 ,Haval-224 114080 ,Haval-256 Lineage II C4 Domain Cached Credentials XOR-32 MD5(Half) MD5(Middle) MySQL MD5(phpBB3) MD5(Unix) MD5(WordPress) MD5(APR) Haval-128 MD2 MD4 MD5 MD5(HMAC(WordPress)) NTLM RAdmin v2.x RipeMD-128 SNEFRU-128 Tiger-128 MySQL5 – SHA-1(SHA-1($pass)) MySQL 160bit – SHA-1(SHA-1($pass)) RipeMD-160 SHA-1 SHA-1(MaNGOS) Tiger-160 Tiger-192 md5($pass.$salt) – Joomla SHA-1(Django) SHA-224 RipeMD-256 SNEFRU-256 md5($pass.$salt) – Joomla SAM – (LM_hash:NT_hash) SHA-256(Django) RipeMD-320 SHA-384 SHA-256 SHA-384(Django) SHA-512 Whirlpool You can download Hash ID v1.1 here: Hash_ID_v1.1.py Or read more here. Sursa: hash-identifier - Identify Types Of Hashes Used To Encrypt Passwords - Darknet - The Darkside
  13. Usr6
    Marile companii, printre care Google ?i Facebook, investesc sume uria?e în dezvoltarea inteligen?ei artificiale. Exist? deja computere care pot parca o ma?in?, pot identifica anumite obiecte sau pot traduce din diferite limbi str?ine. O companie din domeniul tehnologiei a împins îns? lucrurile ?i mai departe, pentru a face un calculator s? gândeasc? asemeni unui om. Vicarious FPC Inc., companie care are sprijinul Facebook ?i Google, a pus bazele unei tehnologii de ultim? or?, care folose?te pentru computere bi?i de cod asem?n?tori creierului uman. Practic, calculatorul care folose?te aceast? tehnologie va ajunge s? gândeasc? la fel ca un om. Proiectul este coordonat de Yann LeCun, profesor la Universitatea din New York, considerat unul din cei mai mari exper?i în domeniul inteligen?ei artificiale. Una din tehnologiile deja cunoscute care este folosit? la proiect este un software care se poate înv??a singur s? clasifice obiectele în obiecte animate sau neanimate. Compania Vicarious a strâns aproximativ 16 milioane de dolari, îns? activitatea ei este înc? secret?. Se ?tie îns? c? principalul domeniu de cercetare este rolul pe care îl are vederea în dezvoltarea creierului ?i cum poate o ma?in?rie s? ajung? la o performan?? similar?. De exemplu, s? poat? reconstitui forma unui animal, chiar dac? acesta nu este vizibil în totalitate. La fel ca un bebelu?, calculatorul înva?? întâi sa recunoasc? forme simple, apoi textura ?i lumina. La final, ma?in?ria va putea s? fac? leg?tura între cauz? ?i efect. Iat? cum a reu?it acest calculator s?-?i imagineze c? arat? o vac?, dup? ce a v?zut o singur? imagine cu acest animal. Rezultatul este îns? pixelat, neclar. Vacile au fost pozi?ionate de soft în diferite pozi?ii, îns? propor?iile nu au fost mereu respectate - la un moment dat apare un animal care are gâtul prea lung. Exist?, deci, o problem? legat? de percep?ia corect?. Vicarious a recunoscut c? abia peste 5-10 ani vor putea fi rezolvate aceste probleme. Sursa: Calculatorul care încearc? s? gândeasc? la fel ca un om. Cum î?i imagineaz? o inteligen?? artificial? c? arat? o vac?
  14. Usr6
    Criptografia asimetric? este un tip de criptografie care utilizeaza o pereche de chei: o cheie public? ?i o cheie privat?. Un utilizator care de?ine o astfel de pereche î?i public? cheia public? astfel încat oricine dore?te s? o poata folosi pentru a îi transmite un mesaj criptat. Numai de?in?torul cheii secrete (private) este cel care poate decripta mesajul astfel criptat. Matematic, cele dou? chei sunt legate, îns? cheia privat? nu poate fi ob?inut? din cheia public?. In caz contrar, orcine ar putea decripta mesajele destinate unui alt utilizator, fiindc? oricine are acces la cheia public? a acestuia. O analogie foarte potrivit? pentru proces este folosirea cutiei po?tale. Oricine poate pune în cutia po?tal? a cuiva un plic, dar la plic nu are acces decât posesorul cheii de la cutia po?tal?. [wikipedia: Criptografie asimetric? - Wikipedia ] 1.0 Generarea cheilor publice si private: Pentru a putea comunica in secret Ion si Maria trebuie sa-si genereze cheile de criptare folosind scriptul de mai jos. from Crypto.PublicKey import RSA from Crypto import Random print "Generating keys\nplease wait..." # generare key pub/priv random_generator = Random.new().read key = RSA.generate(1024, random_generator) public_key = key.publickey().exportKey("PEM") private_key = key.exportKey("PEM") keyfile = open("key.txt", "a") keyfile.write(public_key) keyfile.write("\n") keyfile.write(private_key) keyfile.close() print "done." Dupa rularea scriptului, Ion va gasi in fisierul key.txt : -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjH4ZhGcvrs1iDF8Mk4rin90vB kQyklff9gVItswpNpMzw7OhpMqOXk0BgQS4ROh3uEgp/fpi4ZhHJfYY9RBMTPdNc IXUVv6TzcqSsarhiRUwmkZiBqPYGiqXG0ODSk0ROVo+0DhA/Lf5KPGGo0MREjqLE WWahtz7gDUXI9rRnXwIDAQAB -----END PUBLIC KEY----- -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQCjH4ZhGcvrs1iDF8Mk4rin90vBkQyklff9gVItswpNpMzw7Ohp MqOXk0BgQS4ROh3uEgp/fpi4ZhHJfYY9RBMTPdNcIXUVv6TzcqSsarhiRUwmkZiB qPYGiqXG0ODSk0ROVo+0DhA/Lf5KPGGo0MREjqLEWWahtz7gDUXI9rRnXwIDAQAB AoGAHUGILl4cDrfpxgk6/KCVEbruoVbMd7BV++d3v65+yJIoF4XF4Sgt4v+L6jeG dZyAxbQCof8okNntkr+qlc5hxSXu1GB6paeqOLdLFbedjZg/8LEcKGm/+pB0gnxy hxklalWGUFBxj18yl7+zKZNf+7zts9edv7CIMYcltp+2WwECQQC251e+xARhijgA tgtKUHkgaZQnhZBK+TBRIJOMs0a4quHCmewGicf9cVRUtG+o1ZyvM5B1De+NnS6I wOslBq+fAkEA5FB1ezysbuCornDZyEz26cjlEVMSsTi5d0O1qbymTTyybVolcsWW Z8j3EyEbkTm6c/D+XzyzxKm1BEvDyGwwQQJAMzki98gJug9tk7VoAA39fjhTR6Y+ POEAyReoevUST1F8HHXjBgm8Opxsk7RcuRnp4Z89S6r1deGZUK9Gq33t3QJAA83j Zz5HkUFlDiMLPe8qXhLe3j8IHLPZQ0d5i259RuQwBOpvnU31h50toL/4eZ8AoFXv px6X0DsTrRKmHHzRAQJBAJy+updgLPUB/0A0LXllj3j7+nDtaslFABgQemh2slhE tlEreUPI4ofSbCZ6rduZaWnt3FMvGAFES3jXcEdcd/U= -----END RSA PRIVATE KEY----- iar Maria: -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD8PJicyokgOT6MBYJVv+yLeMIy JDQ2u3+2OynogXGJ/BTLfrYlOXDBlTVLKMjQ8kXr+6p1nH7gc+KVbzOr9kwqzxOl ENYQrzgLahLh+Q/JXZ+9IYZ8kWm49T285nBsnyLnJYShznFDXwUO1G6OckJvuIBi PZTMG8DWF+uKiJbpBQIDAQAB -----END PUBLIC KEY----- -----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQD8PJicyokgOT6MBYJVv+yLeMIyJDQ2u3+2OynogXGJ/BTLfrYl OXDBlTVLKMjQ8kXr+6p1nH7gc+KVbzOr9kwqzxOlENYQrzgLahLh+Q/JXZ+9IYZ8 kWm49T285nBsnyLnJYShznFDXwUO1G6OckJvuIBiPZTMG8DWF+uKiJbpBQIDAQAB AoGBAMV688kd0QpHhy69SXO1VY9EtlXnfnGzjqOv4nnEjo4HrIg95oFyXVNSbG0x uzfL1u6RFL4MDlHQqP9yFrR1mt8DZdDLpn8hXM97oRq/VNqJkc5Runq6g3R9fhAp fGYt0aMI1foAGtN5cqv6O3TiNu/jt9e6k4lHD3myHxgUYxcpAkEA/UQNvrUdo2xp //bABk/5UsoWvbL78Hx7kqJ2I0TjClRLQuJ5yV/CRw8BjInP3gLqxvIE2NdtGdZw 1F2iZcs2uwJBAP71ssEp6AAhe1qj45maUFrC2dTt356cW8j+akdA5KocuhFthnTd MuFZBamldv6ZvCbVPswSR4jxFmAZWy5swz8CQCMJCQW6tFDpLHi2P7Yf1hO31RGE 8wk/jzCnvMQAQZAqPQcRoVtUHeIKl2JDpjfGG4hN7pG4q2UJny4hjdebFwUCQQC6 0yGsZ9/IEMDKN2O1D52oFDX40GHXYO3lB4CrO8MTYD98O8yV3+zDsi7zE/txLwfv UL1WXmKq1za1Ln9hMnOTAkEA8MOb/ABJ0WiFahyHcbOId1XNULt/DX4FM6tkwBK7 ilAHA64wSPPw7krhvhDGicHuB2dYRuCwhMjLRdajdMZnig== -----END RSA PRIVATE KEY----- 1.1 Key exchange: Ion trebuie sa ii dea Mariei cheia lui publica si Maria trebuie sa-i dea lui Ion cheia ei publica Ion: Marioooooooooooooooooooo, ia de aici cheia mea sa-mi poti scrie : -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjH4ZhGcvrs1iDF8Mk4rin90vB kQyklff9gVItswpNpMzw7OhpMqOXk0BgQS4ROh3uEgp/fpi4ZhHJfYY9RBMTPdNc IXUVv6TzcqSsarhiRUwmkZiBqPYGiqXG0ODSk0ROVo+0DhA/Lf5KPGGo0MREjqLE WWahtz7gDUXI9rRnXwIDAQAB -----END PUBLIC KEY----- Maria: Multumesc Ioane, iti dau si eu cheitza mea: -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD8PJicyokgOT6MBYJVv+yLeMIy JDQ2u3+2OynogXGJ/BTLfrYlOXDBlTVLKMjQ8kXr+6p1nH7gc+KVbzOr9kwqzxOl ENYQrzgLahLh+Q/JXZ+9IYZ8kWm49T285nBsnyLnJYShznFDXwUO1G6OckJvuIBi PZTMG8DWF+uKiJbpBQIDAQAB -----END PUBLIC KEY----- 1.2 Encrypting message: from Crypto.PublicKey import RSA from Crypto.Cipher import PKCS1_OAEP mesaj = "Draga Ion, cei de pe http://rstforums.com au cheia mai lunga o au de 4096." pub_key ="""-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjH4ZhGcvrs1iDF8Mk4rin90vB kQyklff9gVItswpNpMzw7OhpMqOXk0BgQS4ROh3uEgp/fpi4ZhHJfYY9RBMTPdNc IXUVv6TzcqSsarhiRUwmkZiBqPYGiqXG0ODSk0ROVo+0DhA/Lf5KPGGo0MREjqLE WWahtz7gDUXI9rRnXwIDAQAB -----END PUBLIC KEY-----""" rsakey = RSA.importKey(pub_key) rsakey = PKCS1_OAEP.new(rsakey) encrypted = rsakey.encrypt(mesaj) mesaj_criptat = encrypted.encode('base64') print mesaj_criptat 1.2.1 Sending encrypted message Maria: OctEHiY1wkK6My4YeogpXFH/Q+p/CdjuWxDljcgDS8EGVB0OpUHMjC91OntWUjgW0kph529CDAU/ Hg1I1kPVmOuV1AR3MNZ9exibIJPOcsKXl5j1WH/YhNNGRUOwzGJ2PxVNzoV2KibmMjRiLVYFw/OX swUhIlCai08KQuFUgzA= Ion: decrypting... 1.3 Decrypting message: from Crypto.PublicKey import RSA from Crypto.Cipher import PKCS1_OAEP from base64 import b64decode mesaj_criptat = """OctEHiY1wkK6My4YeogpXFH/Q+p/CdjuWxDljcgDS8EGVB0OpUHMjC91OntWUjgW0kph529CDAU/ Hg1I1kPVmOuV1AR3MNZ9exibIJPOcsKXl5j1WH/YhNNGRUOwzGJ2PxVNzoV2KibmMjRiLVYFw/OX swUhIlCai08KQuFUgzA=""" priv_key = """-----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQCjH4ZhGcvrs1iDF8Mk4rin90vBkQyklff9gVItswpNpMzw7Ohp MqOXk0BgQS4ROh3uEgp/fpi4ZhHJfYY9RBMTPdNcIXUVv6TzcqSsarhiRUwmkZiB qPYGiqXG0ODSk0ROVo+0DhA/Lf5KPGGo0MREjqLEWWahtz7gDUXI9rRnXwIDAQAB AoGAHUGILl4cDrfpxgk6/KCVEbruoVbMd7BV++d3v65+yJIoF4XF4Sgt4v+L6jeG dZyAxbQCof8okNntkr+qlc5hxSXu1GB6paeqOLdLFbedjZg/8LEcKGm/+pB0gnxy hxklalWGUFBxj18yl7+zKZNf+7zts9edv7CIMYcltp+2WwECQQC251e+xARhijgA tgtKUHkgaZQnhZBK+TBRIJOMs0a4quHCmewGicf9cVRUtG+o1ZyvM5B1De+NnS6I wOslBq+fAkEA5FB1ezysbuCornDZyEz26cjlEVMSsTi5d0O1qbymTTyybVolcsWW Z8j3EyEbkTm6c/D+XzyzxKm1BEvDyGwwQQJAMzki98gJug9tk7VoAA39fjhTR6Y+ POEAyReoevUST1F8HHXjBgm8Opxsk7RcuRnp4Z89S6r1deGZUK9Gq33t3QJAA83j Zz5HkUFlDiMLPe8qXhLe3j8IHLPZQ0d5i259RuQwBOpvnU31h50toL/4eZ8AoFXv px6X0DsTrRKmHHzRAQJBAJy+updgLPUB/0A0LXllj3j7+nDtaslFABgQemh2slhE tlEreUPI4ofSbCZ6rduZaWnt3FMvGAFES3jXcEdcd/U= -----END RSA PRIVATE KEY-----""" rsakey = RSA.importKey(priv_key) rsakey = PKCS1_OAEP.new(rsakey) decrypted = rsakey.decrypt(b64decode(mesaj_criptat)) print decrypted print "press any key to exit..." raw_input() 1.4 Concluzie: Nu folositi chei scurte si mesaje lungi. Later on that day... Ion: urs eshti? Ion: scuze, usr Usr_6: nu Ion: frate, zi shi mie cum sa-mi lungesc cheia? Usr_6: prinzi un capat in menghina si cu patentu tragi de celalalt, dc? Ion: nu cheia de la usa frate.. aia de la RSA, din tutorialul postat de tine pe RST Usr_6: schimbi "key = RSA.generate(1024, random_generator)" cu "key = RSA.generate(2048, random_generator)" sau cat o vrei tu de lunga In alte roluri: Python 2.7.6 Release https://www.dlitz.net/software/pycrypto/ Python and cryptography with pycrypto | Laurent Luce's Blog https://launchkey.com/docs/api/encryption
  15. Usr6
    CyberGhost VPN 5 includes a 1-Device, 1-Year license CyberGhost VPN 5 Note : create an account (if you already have an account use this), login, request a code..... Yhis offer is for Computeractive members only (UK)....Offer expires in about 28 days pentru a putea beneficia de promotie este necesar ip de uk Sursa
  16. Usr6

    Fun stuff

    Usr6 replied to Wisa's topic in Discutii non-IT

  17. Usr6
    da, cand voi avea un txt cu api + utilizare le va incarca direct din fisier, momentan knowledge e populat doar pt a testa cum functioneaza pentru a utiliza un db extern (knowledge.txt) inlocuiesti : knowledge = {"TerminateProcess": "exact", "GetTickCount":"Sleep / check if debug", "IsDebuggerPresent":"check debugger", "CheckRemoteDebuggerPresent":" check debugger", "etc": "etc" } cu : knowledge = {} try: temp = open("knowledge.txt", "r") except Exception, e: print e sys.exit() for line in temp: line = line.strip("\n").split(":") if line[0] not in knowledge.keys(): knowledge[line[0]]= line[1]
  18. Usr6
    Update printre altele: - ofera o mica descriere a functiilor api importate, pentru cele care nu exista in dictionarul local se ofera un link de cautare pe msdn - tipareste output-ul si intr-un fisier txt (numelefisierului analizat + txt) Output: RST PE-Analyzer Usr6 rstforums.com firefox.exe Size: 275568 bytes EXE: Yes Machine: 0x14c(0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 ) OEP: 0x2478 Compile time: 2013-12-05 19:22:27 Digital Signature: Yes c:\Python27\firefox.exe: Verified: Signed Signing date: 9:34 PM 12/5/2013 Publisher: Mozilla Corporation Description: Firefox Product: Firefox Prod version: 26.0 File version: 26.0 MachineType: 32-bit Binary Version: 26.0.0.5087 Original Name: firefox.exe Internal Name: Firefox Copyright: ©Firefox and Mozilla Developers; available under the MPL 2 license. Comments: MD5: 1EEA6C1B35191DC177EA83672B9C3FC0 SHA1: AC69FA1DF07CEEC14178428F6416B27CF57CEA26 PESHA1: 17FF37178BE1A4F6240D84BD54E27C74F3F95B29 SHA256: 0C722B9AAF4F2EE3265F92F1498C6B64FFFBB3E37D2136FAE8584DCD7D23C06D VT detection: 0/50 VT link: https://www.virustotal.com/file/0c722b9aaf4f2ee3265f92f1498c6b64fffbb3e37d2136fae8584dcd7d23c06d/analysis/ Packed: Yes (Entropy score decision) PEiD Signature: No Sections: .text 0x1000 0x1a7a 7168 .rdata 0x3000 0xfb4 4096 .data 0x4000 0x4bc 512 .rsrc 0x5000 0x3d9c8 252416 .reloc 0x43000 0x644 2048 Imported: KERNEL32.dll 0x403000 SetEnvironmentVariableW --- http://social.msdn.microsoft.com/Search/en-US?query=SetEnvironmentVariableW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403004 ExpandEnvironmentStringsW --- http://social.msdn.microsoft.com/Search/en-US?query=ExpandEnvironmentStringsW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403008 GetEnvironmentVariableW --- http://social.msdn.microsoft.com/Search/en-US?query=GetEnvironmentVariableW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x40300c GetModuleFileNameW --- http://social.msdn.microsoft.com/Search/en-US?query=GetModuleFileNameW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403010 MultiByteToWideChar --- http://social.msdn.microsoft.com/Search/en-US?query=MultiByteToWideChar&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403014 GetTickCount --- Sleep / check if debug 0x403018 GetProcAddress --- http://social.msdn.microsoft.com/Search/en-US?query=GetProcAddress&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x40301c GetModuleHandleW --- http://social.msdn.microsoft.com/Search/en-US?query=GetModuleHandleW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403020 QueryPerformanceFrequency --- http://social.msdn.microsoft.com/Search/en-US?query=QueryPerformanceFrequency&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403024 GetFileAttributesW --- http://social.msdn.microsoft.com/Search/en-US?query=GetFileAttributesW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403028 WideCharToMultiByte --- http://social.msdn.microsoft.com/Search/en-US?query=WideCharToMultiByte&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x40302c GetProcessIoCounters --- http://social.msdn.microsoft.com/Search/en-US?query=GetProcessIoCounters&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403030 GetCurrentProcess --- http://social.msdn.microsoft.com/Search/en-US?query=GetCurrentProcess&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403034 SetDllDirectoryW --- http://social.msdn.microsoft.com/Search/en-US?query=SetDllDirectoryW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403038 UnhandledExceptionFilter --- http://social.msdn.microsoft.com/Search/en-US?query=UnhandledExceptionFilter&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x40303c TerminateProcess --- exact 0x403040 GetCurrentProcessId --- http://social.msdn.microsoft.com/Search/en-US?query=GetCurrentProcessId&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403044 GetCurrentThreadId --- http://social.msdn.microsoft.com/Search/en-US?query=GetCurrentThreadId&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403048 QueryPerformanceCounter --- http://social.msdn.microsoft.com/Search/en-US?query=QueryPerformanceCounter&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x40304c DecodePointer --- http://social.msdn.microsoft.com/Search/en-US?query=DecodePointer&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403050 SetUnhandledExceptionFilter --- http://social.msdn.microsoft.com/Search/en-US?query=SetUnhandledExceptionFilter&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403054 EncodePointer --- http://social.msdn.microsoft.com/Search/en-US?query=EncodePointer&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403058 HeapSetInformation --- http://social.msdn.microsoft.com/Search/en-US?query=HeapSetInformation&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x40305c InterlockedCompareExchange --- http://social.msdn.microsoft.com/Search/en-US?query=InterlockedCompareExchange&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403060 Sleep --- http://social.msdn.microsoft.com/Search/en-US?query=Sleep&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403064 InterlockedExchange --- http://social.msdn.microsoft.com/Search/en-US?query=InterlockedExchange&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403068 IsDebuggerPresent --- check debugger 0x40306c CreateFileW --- http://social.msdn.microsoft.com/Search/en-US?query=CreateFileW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403070 CloseHandle --- http://social.msdn.microsoft.com/Search/en-US?query=CloseHandle&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403074 SetFilePointerEx --- http://social.msdn.microsoft.com/Search/en-US?query=SetFilePointerEx&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403078 ReadFile --- http://social.msdn.microsoft.com/Search/en-US?query=ReadFile&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x40307c FreeLibrary --- http://social.msdn.microsoft.com/Search/en-US?query=FreeLibrary&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403080 LoadLibraryExW --- http://social.msdn.microsoft.com/Search/en-US?query=LoadLibraryExW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403084 GetLastError --- http://social.msdn.microsoft.com/Search/en-US?query=GetLastError&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403088 GetSystemTimeAsFileTime --- http://social.msdn.microsoft.com/Search/en-US?query=GetSystemTimeAsFileTime&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false USER32.dll 0x403138 MessageBoxW --- http://social.msdn.microsoft.com/Search/en-US?query=MessageBoxW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false MSVCR100.dll 0x403090 __wgetmainargs --- http://social.msdn.microsoft.com/Search/en-US?query=__wgetmainargs&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403094 _cexit --- http://social.msdn.microsoft.com/Search/en-US?query=_cexit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403098 _exit --- http://social.msdn.microsoft.com/Search/en-US?query=_exit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x40309c _XcptFilter --- http://social.msdn.microsoft.com/Search/en-US?query=_XcptFilter&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030a0 _amsg_exit --- http://social.msdn.microsoft.com/Search/en-US?query=_amsg_exit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030a4 __winitenv --- http://social.msdn.microsoft.com/Search/en-US?query=__winitenv&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030a8 _initterm --- http://social.msdn.microsoft.com/Search/en-US?query=_initterm&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030ac _initterm_e --- http://social.msdn.microsoft.com/Search/en-US?query=_initterm_e&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030b0 _configthreadlocale --- http://social.msdn.microsoft.com/Search/en-US?query=_configthreadlocale&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030b4 __setusermatherr --- http://social.msdn.microsoft.com/Search/en-US?query=__setusermatherr&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030b8 _commode --- http://social.msdn.microsoft.com/Search/en-US?query=_commode&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030bc _fmode --- http://social.msdn.microsoft.com/Search/en-US?query=_fmode&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030c0 __set_app_type --- http://social.msdn.microsoft.com/Search/en-US?query=__set_app_type&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030c4 _vsnprintf_s --- http://social.msdn.microsoft.com/Search/en-US?query=_vsnprintf_s&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030c8 ?terminate@@YAXXZ --- http://social.msdn.microsoft.com/Search/en-US?query=?terminate@@YAXXZ&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030cc _unlock --- http://social.msdn.microsoft.com/Search/en-US?query=_unlock&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030d0 __dllonexit --- http://social.msdn.microsoft.com/Search/en-US?query=__dllonexit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030d4 _lock --- http://social.msdn.microsoft.com/Search/en-US?query=_lock&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030d8 _onexit --- http://social.msdn.microsoft.com/Search/en-US?query=_onexit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030dc _except_handler4_common --- http://social.msdn.microsoft.com/Search/en-US?query=_except_handler4_common&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030e0 _invoke_watson --- http://social.msdn.microsoft.com/Search/en-US?query=_invoke_watson&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030e4 _controlfp_s --- http://social.msdn.microsoft.com/Search/en-US?query=_controlfp_s&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030e8 _crt_debugger_hook --- http://social.msdn.microsoft.com/Search/en-US?query=_crt_debugger_hook&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030ec memset --- http://social.msdn.microsoft.com/Search/en-US?query=memset&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030f0 memcpy --- http://social.msdn.microsoft.com/Search/en-US?query=memcpy&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030f4 strcat --- http://social.msdn.microsoft.com/Search/en-US?query=strcat&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030f8 fgets --- http://social.msdn.microsoft.com/Search/en-US?query=fgets&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x4030fc strlen --- http://social.msdn.microsoft.com/Search/en-US?query=strlen&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403100 ??3@YAXPAX@Z --- http://social.msdn.microsoft.com/Search/en-US?query=??3@YAXPAX@Z&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403104 fclose --- http://social.msdn.microsoft.com/Search/en-US?query=fclose&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403108 _wfopen --- http://social.msdn.microsoft.com/Search/en-US?query=_wfopen&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x40310c ??2@YAPAXI@Z --- http://social.msdn.microsoft.com/Search/en-US?query=??2@YAPAXI@Z&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403110 strcpy --- http://social.msdn.microsoft.com/Search/en-US?query=strcpy&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403114 getenv --- http://social.msdn.microsoft.com/Search/en-US?query=getenv&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403118 _snprintf --- http://social.msdn.microsoft.com/Search/en-US?query=_snprintf&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x40311c _stricmp --- http://social.msdn.microsoft.com/Search/en-US?query=_stricmp&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403120 wcslen --- http://social.msdn.microsoft.com/Search/en-US?query=wcslen&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403124 ??_V@YAXPAX@Z --- http://social.msdn.microsoft.com/Search/en-US?query=??_V@YAXPAX@Z&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403128 strrchr --- http://social.msdn.microsoft.com/Search/en-US?query=strrchr&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x40312c exit --- http://social.msdn.microsoft.com/Search/en-US?query=exit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false 0x403130 _putenv --- http://social.msdn.microsoft.com/Search/en-US?query=_putenv&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false Exported: Source code: import sys import os import hashlib import re import subprocess import time import pefile import peutils try: signatures = peutils.SignatureDatabase('UserDB.TXT') except: print "Lipseste fisierul cu semnaturi: UserDB.TXT" sys.exit() if len(sys.argv) != 2: print "Utilizare: python Script.py PEfile" sys.exit() else: try: filename = str(sys.argv[1]) pe = pefile.PE(filename) except Exception, e: print e knowledge = {"TerminateProcess": "exact", "GetTickCount":"Sleep / check if debug", "IsDebuggerPresent":"check debugger", "CheckRemoteDebuggerPresent":" check debugger", "etc": "etc" } msdna = 'http://social.msdn.microsoft.com/Search/en-US?query=' msdnb = '&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false' def prnt(text_to_print): if text_to_print != "None": file_to_print = str(filename) + ".txt" file_to_print = open(file_to_print, "a") print text_to_print file_to_print.write(str(text_to_print) + "\n") file_to_print.close() prnt("\tRST PE-Analyzer \n\t\tUsr6 \n\trstforums.com") prnt(filename) prnt("Size: " + str(os.path.getsize(filename)) + " bytes") prnt("DLL: " + "Yes" if pe.is_dll() else "None") prnt("EXE: " + "Yes" if pe.is_exe() else "None") prnt("Driver: " + "Yes" if pe.is_driver() else "None") prnt("Machine: " + str(hex(pe.FILE_HEADER.Machine)) + "(0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 )") prnt("OEP: " + str(hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint))) epoch = pe.FILE_HEADER.TimeDateStamp prnt("Compile time: " +str(time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(epoch)))) ds = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress ds = "No" if ds == 0 else "Yes" prnt("Digital Signature: " + ds) try: cmnd = os.getcwd() + "\\" + "sigcheck.exe -q -a -h -vt -vn " + filename p = subprocess.Popen(cmnd,stderr=subprocess.PIPE,stdout=subprocess.PIPE,shell=True) (stdout, stderr) = p.communicate() prnt(re.sub(r"\r\n", r"\n", stdout)) #print stderr except Exception, e: print e packed = "Yes" if peutils.is_probably_packed(pe) else "No" prnt("Packed: " + packed + "\t(Entropy score decision)") matches = "Yes" if signatures.match_all(pe, ep_only = True) else "No" prnt("PEiD Signature: " + matches) prnt("Sections: ") for section in pe.sections: prnt("\t" + str(section.Name.strip("\x00")) + " " + str(hex(section.VirtualAddress)) + " " + str(hex(section.Misc_VirtualSize)) + " " + str(section.SizeOfRawData)) prnt("Imported: ") pe.parse_data_directories() for entry in pe.DIRECTORY_ENTRY_IMPORT: prnt("\t" + str(entry.dll)) for imp in entry.imports: if imp.name in knowledge.keys(): prnt('\t\t' + str(hex(imp.address)) +" "+ str(imp.name) + str('\t\t --- ') + str(knowledge[imp.name])) else : print '\t\t', hex(imp.address), imp.name file_to_print = str(filename) + ".txt" file_to_print = open(file_to_print, "a") file_to_print.write('\t\t'+str(hex(imp.address)) +" "+ str(imp.name) + str('\t\t --- ') + msdna + str(imp.name) + msdnb + "\n") file_to_print.close() prnt("Exported: ") try: for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols: prnt("\t" + str(hex(pe.OPTIONAL_HEADER.ImageBase + exp.address)) +" "+ str(exp.name) +" "+ str(exp.ordinal)) except Exception, e: print "\t", e Se ofera cineva voluntar sa faca un "mini db" txt cu functii api si o scurta descriere? ex: IsDebuggerPresent:check debugger
  19. Usr6
    Ati luat amandoi(pica + SickSpawn) kick. Din moment ce recunoasteti amandoi ca ati facut schimb de injuraturi, unde-i abuzul?
  20. Usr6
    Newspapers, commentators and bloggers have lately been asking whether digital currencies, such as Bitcoin, are “the new gold”. Digital currencies are valuable and so attackers take interest in them just like they do payment card numbers. Just today, we witnessed firsthand a heist of 10,000 Litecoins. Similar to Bitcoin, Litecoin is a peer-to-peer internet currency and is considered to be the second leading digital currency after Bitcoin. In order to extract crypto coins such as Litecoin, the common method is using mining pools. A mining pool is basically a service (a website) that people register with in order to combine work force in the task of mining coins. According to the managers of one of the largest Litecoin mining pools, Give Me Coins, a security flaw in the website was abused by an as yet unnamed team or person to steal 10,000 Litecoins. At the time of this writing, a sum of 10,000 Litecoins would be valued at approximately $230,000 USD. Following is a screenshot from Litecoinpool.org that shows relative distribution of the hashing power across the major pools in the Litecoin network. You will notice that "GiveMeCoins" is rated third in terms of its hash power. Many users noticed unauthorized transactions sent to various wallet addresses: The pool owners disabled the transfer of coins outside of the website in response to numerous complaints from users about the fraudulent transactions. The pool manager’s quick response managed to prevent the attackers from stealing an additional 20,000 Litecoins (valued at roughly $460,000 USD at the time of this writing). We have found several transactions initiated by the attackers that sent the stolen Litecoins from the Give Me Coins wallets (the coins are kept in the website’s wallets until a user requests that coins be transferred to their personal wallet) to the wallets of the attacker or attackers. Following is a screenshot of a user complaining about a fraud case: Here’s a documentation of the transaction in the Litecoin transaction network: At this point the exact vulnerability that lead to this breach remains unknown. According to the site manager, the most likely vector was SQL Injection. Unlike the recent heist of 96,000 Bitcoins from the “Sheep Marketplace” that led the operators of the website to close the website, Give Me Coins promised to refund affected users. Distributing those credits to many of the affected users may already be complete. The website is still working in a stealth mode until they will manage to identify the security breach and fully patch it. Source: 10,000 Litecoins Worth $230,000 USD were stolen! - SpiderLabs Anterior
  21. Usr6
  22. Usr6
    Celebrul hacker Guccifer, care i-a spart contul de e-mail ?efului SRI, George Maior, a fost identificat. Este acela?i care, sub pseudonimul Micul Fum, a spart conturile de e-mail ale mai multor vedete autohtone. Marcel Laz?r Lehel a fost deja condamnat la trei ani de închisoare cu suspendare. Procurorii DIICOT l-au prins din nou. Miercuri diminea??, poli?i?tii ?i jandarmii au descins la casa hackerului din Arad. Acum, la viitoarea condamnare se vor ad?uga ?i cei trei ani. Ancheta DIICOT a avut la baz? informa?iile furnizate de structurile specializate din SUA. De altfel, hackerul este cel care a spart contul de e-mail al fostului secretar de stat american Colin Powell, unde a descoperit discu?ii intime ale acestuia cu europarlamentarul PSD Corina Cre?u. Conform site-ului thesmokinggun.com, lista „victimelor” lui Guccifer cuprinde, pe lâng? Colin Powell ?i George Maior, unii membri ai familiilor Bush ?i Rockefeller, dar ?i ale unor oficiali ai Administra?iei Obama. Pe list? se aflp persoane din industria de entertainment, oameni de afaceri, academicieni, diploma?i, oficiali militari ?i guvernamentali, precum ?i jurnali?ti - actorul american Steve Martin, John Dean, fost consilier al pre?edintelui Richard Nixon, actri?a Mariel Hemingway, trei membri ai Camerei Lorzilor din Marea Britanie, Laura Manning Johnson, fost analist CIA, George Roche, fost secretar al For?elor Aeriene. Sursa: Guccifer, hackerul care i-a spart e-mailul ?efului SRI, a fost prins
  23. Usr6
    pai, au pornit astia o conspiratie impotriva mea. DOVEZI CLARE aici: https://rstforums.com/forum/326-fun-stuff-319.rst#post516048 cum un Administrator al acestui forum zice rele de mine Multumesc
  24. Usr6
    Output: RST PE-Analyzer firefox.exe Size: 275568 bytes MD5: 93e28799430480cce0ab3d961e5312ad DLL: False EXE: True Driver: False Machine: 0x14c (0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 ) OEP: 0x2478 Compile time: 2013-12-05 19:22:27 Digital Signature: Yes C:\Python27\firefox.exe: Verified: Signed Signing date: 9:34 PM 12/5/2013 Publisher: Mozilla Corporation Description: Firefox Product: Firefox Prod version: 26.0 File version: 26.0 MachineType: 32-bit Binary Version: 26.0.0.5087 Original Name: firefox.exe Internal Name: Firefox Copyright: ©Firefox and Mozilla Developers; available under the MPL 2 license. Comments: VT detection: 0/48 VT link: https://www.virustotal.com/file/0c722b9aaf4f2ee3265f92f1498c6b64fffbb3e37d2136fae8584dcd7d23c06d/analysis/ Sigcheck v2.01 - File version and signature viewer Copyright (C) 2004-2013 Mark Russinovich Sysinternals - www.sysinternals.com Packed: True (Entropy score decision) PEiD Signature: None Sections: .text 0x1000 0x1a7a 7168 .rdata 0x3000 0xfb4 4096 .data 0x4000 0x4bc 512 .rsrc 0x5000 0x3d9c8 252416 .reloc 0x43000 0x644 2048 Imported: KERNEL32.dll 0x403000 SetEnvironmentVariableW 0x403004 ExpandEnvironmentStringsW 0x403008 GetEnvironmentVariableW 0x40300c GetModuleFileNameW 0x403010 MultiByteToWideChar 0x403014 GetTickCount 0x403018 GetProcAddress 0x40301c GetModuleHandleW 0x403020 QueryPerformanceFrequency 0x403024 GetFileAttributesW 0x403028 WideCharToMultiByte 0x40302c GetProcessIoCounters 0x403030 GetCurrentProcess 0x403034 SetDllDirectoryW 0x403038 UnhandledExceptionFilter 0x40303c TerminateProcess 0x403040 GetCurrentProcessId 0x403044 GetCurrentThreadId 0x403048 QueryPerformanceCounter 0x40304c DecodePointer 0x403050 SetUnhandledExceptionFilter 0x403054 EncodePointer 0x403058 HeapSetInformation 0x40305c InterlockedCompareExchange 0x403060 Sleep 0x403064 InterlockedExchange 0x403068 IsDebuggerPresent 0x40306c CreateFileW 0x403070 CloseHandle 0x403074 SetFilePointerEx 0x403078 ReadFile 0x40307c FreeLibrary 0x403080 LoadLibraryExW 0x403084 GetLastError 0x403088 GetSystemTimeAsFileTime USER32.dll 0x403138 MessageBoxW MSVCR100.dll 0x403090 __wgetmainargs 0x403094 _cexit 0x403098 _exit 0x40309c _XcptFilter 0x4030a0 _amsg_exit 0x4030a4 __winitenv 0x4030a8 _initterm 0x4030ac _initterm_e 0x4030b0 _configthreadlocale 0x4030b4 __setusermatherr 0x4030b8 _commode 0x4030bc _fmode 0x4030c0 __set_app_type 0x4030c4 _vsnprintf_s 0x4030c8 ?terminate@@YAXXZ 0x4030cc _unlock 0x4030d0 __dllonexit 0x4030d4 _lock 0x4030d8 _onexit 0x4030dc _except_handler4_common 0x4030e0 _invoke_watson 0x4030e4 _controlfp_s 0x4030e8 _crt_debugger_hook 0x4030ec memset 0x4030f0 memcpy 0x4030f4 strcat 0x4030f8 fgets 0x4030fc strlen 0x403100 ??3@YAXPAX@Z 0x403104 fclose 0x403108 _wfopen 0x40310c ??2@YAPAXI@Z 0x403110 strcpy 0x403114 getenv 0x403118 _snprintf 0x40311c _stricmp 0x403120 wcslen 0x403124 ??_V@YAXPAX@Z 0x403128 strrchr 0x40312c exit 0x403130 _putenv Exported: PE instance has no attribute 'DIRECTORY_ENTRY_EXPORT' Cerinte minime: 1. python 2.7 2. pefile pefile - pefile is a Python module to read and work with PE (Portable Executable) files - Google Project Hosting 3. UserDB.TXT https://code.google.com/p/reverse-engineering-scripts/downloads/detail?name=UserDB.TXT 4. sigcheck.exe Sigcheck 5. conexiune la internet pentru a verifica hash-ul pe virustotal # fisierele UserDB.TXT, sigcheck.exe trebuie puse in acelasi director cu scriptul Pentru salvarea outputului intr-un fisier: python Script.py PEfile >save.txt Source Code: import sys import os import hashlib import re import subprocess import time import pefile import peutils print "\tRST PE-Analyzer https://rstforums.com" try: signatures = peutils.SignatureDatabase('UserDB.TXT') except: print "Lipseste fisierul cu semnaturi: UserDB.TXT" sys.exit() if len(sys.argv) != 2: print """ Utilizare: python Script.py executabil""" sys.exit() else: try: pe = pefile.PE(sys.argv[1]) except Exception, e: print e def hashfile(afile, blocksize=65536): handle = open(afile, "rb") temp = hashlib.md5() while True: data = handle.read(blocksize) if not data: break temp.update(data) return temp.hexdigest() print str(sys.argv[1]) print "Size: ", os.path.getsize(sys.argv[1]), "bytes" print "MD5: ", hashfile(sys.argv[1]) print "DLL: ", pe.is_dll() print "EXE: ", pe.is_exe() print "Driver: ", pe.is_driver() print "Machine: ", hex(pe.FILE_HEADER.Machine) , "(0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 )" print "OEP: ", hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint) epoch = pe.FILE_HEADER.TimeDateStamp print "Compile time: ", time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(epoch)) ds = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress print "Digital Signature: ", "No" if ds == 0 else "Yes" if ds == ds : # ds!= 0 to use sigcheck only file is signed try: cmnd = os.getcwd() + "\\" + "sigcheck.exe -a -vt " + str(sys.argv[1]) p = subprocess.Popen(cmnd,stderr=subprocess.PIPE,stdout=subprocess.PIPE,shell=True) (stdout, stderr) = p.communicate() print stdout print stderr except Exception, e: print e print "Packed: ", peutils.is_probably_packed(pe), " (Entropy score decision)" matches = signatures.match_all(pe, ep_only = True) print "PEiD Signature: ", matches print "Sections: " for section in pe.sections: print "\t", section.Name.strip("\x00"), hex(section.VirtualAddress), hex(section.Misc_VirtualSize), section.SizeOfRawData print "Imported: " pe.parse_data_directories() for entry in pe.DIRECTORY_ENTRY_IMPORT: print "\t", entry.dll for imp in entry.imports: print '\t\t', hex(imp.address), imp.name print "Exported: " try: for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols: print "\t", hex(pe.OPTIONAL_HEADER.ImageBase + exp.address), exp.name, exp.ordinal except Exception, e: print "\t", e Scriptul de mai sus contine si bucati de cod copiate din alte parti: UsageExamples - pefile - Usage examples of pefile - pefile is a Python module to read and work with PE (Portable Executable) files - Google Project Hosting PEiDSignatures - pefile - Using PEiD signatures - pefile is a Python module to read and work with PE (Portable Executable) files - Google Project Hosting
  25. Usr6

    Fun stuff

    Usr6 replied to Wisa's topic in Discutii non-IT

×
×
  • Create New...