
Nytro

Everything posted by Nytro

  1. My opinion: another black hole for public money.
  2. Draft law on the cyber security of Romania
     Senate registration number: L580/2014
     Quick-access link to the legislative document: Senatul României - Fișă senator
     Address: plx263/2014
     First chamber: Chamber of Deputies
     Type of initiative: Draft law
     Initiators: Government of Romania
     Number of articles: 33
     Legislative Council opinion: 513/05.05.2014
     Urgent procedure: No
     Status: in progress, at the Senate's standing committees
     Nature of the law: Organic
     Opinions of interested persons on legislative proposals under public consultation: Opinions sent
     Course of the legislative procedure (date / action):
     16-09-2014 adopted by the Chamber of Deputies
     19-09-2014 registered at the Senate for debate under no. b513 (address no. plx263/16/09/2014)
     22-09-2014 under no. L580, presented to the Standing Bureau; the Senate is the decision-making chamber
     22-09-2014 sent for report to the Committee for Defence, Public Order and National Security (DEADLINE: 24/09/2014)
     - cover letter submitting the legislative initiative for debate
     - initiator's version
     - explanatory memorandum to the legislative initiative
     - Legislative Council opinion
     - Government decision
     - letter by which the legislative initiative is sent to the other chamber for debate
     - version adopted by the Chamber of Deputies
     Adopted by the Chamber of Deputies: http://www.senat.ro/legis/PDF%5C2014%5C14L580FC.pdf
     Source: Senatul României - Fișă senator
  3. And who is going to implement something like that?
  4. https://www.techdirt.com/articles/20130723/12395923907/even-powering-down-cell-phone-cant-keep-nsa-tracking-its-location.shtml FBI taps cell phone mic as eavesdropping tool - CNET News
  5. The main focus of this course is to teach you the following skills:
     - Gather Information Intelligence
     - Find Web Application and System Security Vulnerabilities
     - Scan Your Target Stealthily
     - Exploit Web Application and System Vulnerabilities
     - Conduct Real World Client Side Attacks
     - Conduct Tactical Post Exploitation on Windows and Linux Systems
     - Develop Windows Exploits
     The Course
     The course covers 8 modules:
     Module 1: Solid Introduction to Penetration Testing
     Module 2: Real World Information Intelligence Techniques
     Module 3: Scanning and Vulnerability Assessment
     Module 4: Network Attacking Techniques
     Module 5: Windows – Unix Attacking Techniques
     Module 6: Windows – Unix Post-exploitation Techniques
     Module 7: Web Exploitation Techniques
     Module 8: Windows Exploit Development
     Found it here: CODENAME: Samurai Skills - Real World Penetration Testing Training - Darknet - The Darkside
     Looks interesting.
  6. For those interested: OpenBTS | Open Source Cellular Infrastructure
  7. https://stuk.github.io/jszip/
     https://gildas-lormeau.github.io/zip.js/
     https://github.com/43081j/rar.js/
     https://github.com/beatgammit/gzip-js
     https://github.com/abraidwood/minilzo-js
     https://github.com/nmrugg/LZMA-JS
  8. Phone tapping has become a national sport in Romania. No "serious" case file exists without kilometres of transcripts. But this is only the visible, legal part of the phenomenon, with interceptions authorised by a judge and carried out from the exchange. Phones are also listened to and located directly, without the GSM operator knowing or consenting, by institutions, by secret services, by businessmen or by jealous spouses. Practically anyone can buy, on the black market, equipment or software applications that can be used for this purpose. Buying some of them is not even illegal. There are also methods of countering call interception, more or less effective, each with its own advantages and disadvantages. What matters, though, is to know the methods by which our privacy can be violated in the area of mobile communications.

     The interceptor: a fake GSM relay
     A GSM operator's network can be likened to a wire mesh. The "nodes" are the BTSs, or in plainer terms the GSM antennas or relays. The phone connects to the BTS within whose range it finds itself. If it receives several relays, it connects to the one with the strongest signal. This is exactly what call-interception devices exploit. The interceptor is in fact a fake BTS. It is brought close, within a few hundred metres of the place where the phone to be intercepted is located. Newer interceptors also use a technique called BCCH manipulation, by which they advertise that the signal level they emit is very high, tens of times stronger than in reality. That is enough to "fool" the phones into believing this is the BTS with the best signal in the area. Obviously, as they have been "taught", they will connect to it. The interceptor naturally also has a link to a real relay of the GSM operator. Only that, from this moment on, all calls will first pass through here, where they can be listened to or recorded.

     Disabling encryption
     Normally, data transmission from the phone to the BTS is coded by means of an encryption algorithm. GSM operators, although they have constantly announced that they are improving their security level, have not progressed very much in this area. In any case, the encryption mode is set by the BTS, not by the phone. Once the phone is connected to the network through the filter of an interceptor, the latter asks it not to encrypt the transmission, or to use a somewhat older protocol that is much easier to decode. Normally, phones should display a warning when the standard encryption function is not being used. This function, however, is disabled by the telephone operators. The reason, obviously unofficial, is that this protects the actions of the authorities and the secret services and avoids exposing them. The problem arises, however, when a phone is used on the 3G network, where decryption is extremely laborious, if not impossible. Manufacturers of interception equipment have found solutions to this problem too. An extremely powerful jamming signal is emitted on the 3G frequencies. If the phone is set to 3G only, it will be left without signal and can no longer be used. If it is set to dual mode, 2G/3G, as is usually the case, the phone will think it has no 3G signal and will automatically switch to 2G. At the interceptor's command, the icon on the device's screen will still indicate 3G reception, so as not to alert its owner.

     Categories of interceptors
     Interceptors can be grouped into three broad categories: active, semi-active and passive. Active ones behave identically to BTSs, the only difference being the removal of encryption. They permanently identify the phones that enter their range. When the interceptor is switched on, all phones in the area will automatically connect to it. It is known, however, that every phone has a unique fingerprint by which it can be identified: the IMEI (International Mobile Station Equipment Identity), a unique 15-digit code. Based on this code, the interceptor's operator can filter calls so as to concentrate only on the targeted phone. For those who carry out such operations illegally, these are also the riskiest. They can be detected both by the GSM operator, which may notice a disturbance of communications traffic in the area, and by experienced users, especially those who use anti-interception equipment. Semi-active devices transmit only until they identify the phone, locate it and compute the encryption key, after which they switch to receive mode so as not to be detected. There are also passive interceptors, which, their manufacturers claim, are almost impossible to detect. Only that these can be used in a limited way, for phones that do not change position, and the link can be lost for other reasons too, such as overloading of the nearest BTSs.

     Spy Interceptor
     The cheapest interception solution, and at the same time the one within anyone's reach, remains installing a piece of software on the target phone. Such programs are sold freely on the internet, at prices ranging from a few tens of euros to a few thousand. Some are, in theory, for controlling the handset in case it is stolen, others for backup. They run in the background, are undetectable and allow full remote control of the phone from another phone with a predefined number. Software of this kind, costing under 500 euros, can intercept calls, perform ambient interception, locate the target phone by GPS or by the GSM networks in the area, capture SMS messages or take photographs. Even topping up the prepaid card can be done remotely, without the phone's owner being notified in any way. This procedure is used especially by private individuals who want to monitor their spouses, but also by some companies that want total control over their employees and give them company phones "prepared" in this way. The licence for software of this kind is usually unlimited in time.

     "Silent" calls and SMS messages
     Interceptors make very heavy use of the phone's functions, but without the owner knowing it. The main function of a "silent call" is ambient interception. In other words, using the target phone's microphone to listen to what is happening around it. It is as if someone called that number and somebody answered. In fact, that is exactly what happens, only it is the phone itself that answers. Invisible SMS messages work the same way. They are used by the intercepting operator to send various commands to the phone. Also known as Flash SMS, these invisible messages were initially used by GSM operators to test their networks or to check whether certain phones were switched on and connected, without disturbing the subscribers. Later, the method was taken up by the Police and the secret services to locate a phone in real time. There is even a debate that has reached no conclusion, because certain institutions maintain that the use of these SMS messages for location does not need a judge's approval, since it does not breach the secrecy of communications. The secret services use invisible SMS messages in several ways: a large number of messages sent to a phone can block its signal or drain its battery at an accelerated rate.

     Anti-interception tools
     A series of devices have been put on the market which, according to those selling them, make interception impossible. Some have some results, others are pure marketing.
     The phone with dynamic IMEI. This is the safest method, say those in the field. Automatically or manually, the phone can change its IMEI, so that the interceptor registers its disappearance and the appearance of another phone on the network. On top of that, the phone has a series of indicators that it displays when it detects that something is not right and that it may be intercepted. Other useful functions would be detection of location pings, detection of silent calls (ambient interception calls), protection against electronic search, automatic deletion of call and SMS history, or automatic recording of the audio content of phone calls as possible counter-evidence in case the audio evidence is falsified or altered, say the manufacturers.
     Encrypted phones. This is a communication solution between two handsets that have hard-to-break encryption keys installed. As a rule, however, using such devices only attracts attention, and the intelligence services have plenty of ways to block their operation so that the interception is done by other methods.
     GSM box. These are devices that detect silent calls or SMS messages and warn the owner. They can be used against ambient interception attempts. But they cannot prevent the interception of calls, as those who sell them falsely claim.
     Anti-interception cases. They can be useful, in the sense that they block any signal to or from the phone. Only that the phone cannot be used in any way during this time.
     That leaves removing the battery from the phone. But not even this method is safe. The specialist literature shows that the phone does not even need power in order to be listened to. By bombarding it with microwaves of a certain frequency, the microphone will resonate, including with the voice modulations it picks up. The method seems to have been discovered by a Russian and used, at one point, it is said, for listening to the American ambassador in Moscow. Consequently, phone and privacy seem to be two terms that cannot be put together.
     Source: Cine și cum ne interceptează telefoanele | Lupul Dacic
  9. And that's how Facebook's decline begins. Finally.
  10. http://img-9gag-lol.9cache.com/photo/aBQWRVQ_460sa_v1.gif
  11. CipherShed is free (as in free-of-charge and free-speech) encryption software for keeping your data secure and private. It started as a fork of the now-discontinued TrueCrypt Project. Learn more about how CipherShed works and the project behind it. CipherShed is cross-platform; it will be available for Windows, Mac OS and GNU/Linux. The CipherShed project is open-source, meaning the program source code is available for anyone to view. We encourage everyone to examine and audit our code, as well as encourage new ideas and improvements. We have several methods of communication for anyone to ask questions, get support, and become involved in the project. For more detailed information about the project, including contributing code and building from source, please visit our technical wiki.
      Source: https://ciphershed.org/
  12. IGPR website hacked by Anonymous România, which displayed the message "Salutări din partea ciumpalacilor"
      by Andrei Dumitrescu - Mediafax

      The Romanian Police website was hacked by a group of hackers calling themselves "Anonymous România", which posted, in the news section, a message entitled "Salutări din partea ciumpalacilor" ("Greetings from the ciumpalaci").

      On the front page of the website of the General Inspectorate of the Romanian Police (IGPR), in the news section, a message was posted on Friday whose author would be "Anonymous România". "We salute you, gentlemen. We are Anonymous. We are Legion. We are the ROMANIAN PEOPLE, or of course the ciumpalaci. Romania, wake up!"

      In February 2012, the website FMI.ro of the International Monetary Fund office in Romania was attacked by hackers presenting themselves as representing the Anonymous movement and the Antisec group, two days after a similar attack on ANRE.ro. The site was largely functional, except for the home page, which had been replaced with the same one-minute YouTube video displayed on the website of the National Energy Regulatory Authority (ANRE), accompanied by the message "Hacked by Anonymous". Anonymous had then posted on the ANRE website a one-minute video clip in which, over music, the words We Are Anonymous, Antisec appear, ending with the message "Expect us".

      At the end of May 2012, DIICOT announced that it had taken down the Anonymous group that was illegally accessing the databases of several institutions. Investigators then searched the homes of 12 people in Bucharest, Iași, Alba-Iulia, Piatra Neamț, Cluj-Napoca, Drobeta-Turnu Severin, Arad, Craiova, Reșița and Târgu Mureș. DIICOT stated that the criminal group consisted of 14 people and was known under the name Anonymous România. The group's leader was identified as Gabriel Bălăneasa, then aged 24, from the city of Piatra Neamț, known online under the nicknames "lulzcart, anonsboat, anonsweb, cartman". He, together with Fábián Gábor and Picoș Mihai Emil, allegedly founded the group, which other people later joined, involved in acts of cyber terrorism under the name Anonymous România.

      According to DIICOT, Anonymous România carried out extensive criminal activity specific to computer crime, consisting of illegally accessing computer systems, stealing confidential or non-public data, and publishing the exfiltrated data online. The confidential or classified databases targeted were administered by public institutions and legal entities, both in Romania and abroad. From a technical point of view and in terms of the concrete mode of operation, the attacks launched against the target servers and web pages were of the SQL Injection type, using various software tools, namely Havij, SQL Map etc. In most cases, after compromising and obtaining unauthorised access to the targeted sites, the group's members altered the data, carrying out "Deface" attacks, consisting of inserting a web page in place of the site's main page, a change which generally consisted of posting certain messages, links and images claiming the attack and promoting the Anonymous România hacker group, DIICOT stated at the time. The attacks were launched in order to obtain computer data, which were, as the case may be, copied or transferred without right and later published online on various sites, as proof of the hacking activity. The group's members thus launched computer attacks against 29 sites, the unauthorised intrusion into those information infrastructures being achieved by breaching the security measures implemented on the servers hosting the target websites. The criminal activity led to the total or partial compromise of the targeted web pages and internet domains, generating significant costs for data recovery and the implementation of new security measures, DIICOT further stated.

      The Anonymous group is made up of people who describe themselves as fighters for Internet freedom and have in the past attacked several websites, including those of the Church of Scientology, Amazon, Mastercard and other companies, as well as those of some governments. NATO considers the Anonymous group a threat to the military alliance.

      Source: Site-ul IGPR, spart de Anonymous România, care a afișat mesajul "Salutări din partea ciumpalacilor" - Mediafax
  13. Has anyone tested it? What could practically be done with it: cookie stealing.
  14. Interesting. I think. I don't know how useful the new features are... This looks dodgy:
      auto match_name = [&name](const record& r) -> bool { return r.name == name; };
  15. Microsoft Windows 8.1 Kernel Patch Protection Analysis & Attack Vectors

      Kernel Patch Protection (also known as "patchguard") is a Windows mechanism designed to control the integrity of vital code and data structures used by the operating system. It was introduced in Windows 2003 x64 and has been constantly improved in later Windows versions. In this article we present a descriptive analysis of patchguard for the latest Windows 8.1 x64 OS, and focus primarily on patchguard initialization and the attack vectors related to it. It is natural that kernel patch protection is developed incrementally, so the initialization process is common to all versions of Windows that have patchguard. There are many papers published about kernel patch protection on Windows which describe its initialization process, so you may use the references at the end of this article to obtain details.

      Initialization sources

      As is widely known, the main component of patchguard is initialized in a misleadingly named function, "KiFilterFiberContext". It will be the starting point of our investigation. Looking for cross-references doesn't help us much in pointing out its call site, but several articles help us by stating that patchguard initialization is called indirectly from the function "KeInitAmd64SpecificState". By indirectly we mean here not just an indirect call, but the use of exception handlers. It is a very common trick, often found in patchguard-related functions, as we'll see further on. So, we have an initialization function call stack:

          ... --(call)--> Phase1InitializationDiscard --(call)--> KeInitAmd64SpecificState --(exception)--> KiFilterFiberContext

      This type of initialization is described in more detail in [1]. By the way, this one is always called on the last CPU core, if it matters. However, it is not the only way the kernel uses to initialize patchguard. With a 4% probability the patchguard context can also be initialized from a function also misleadingly named "ExpLicenseWatchInitWorker":

          ... --> Phase1InitializationDiscard --> sub_14071815C (obviously with a stripped symbol, because this one processes the Windows license type for the current PC) --> ExpLicenseWatchInitWorker

      The pseudocode of this function looks like this:

          VOID ExpLicenseWatchInitWorker()
          {
              PVOID KiFilterParam;
              NTSTATUS (*KiFilterFiberContext)(PVOID pFilterparam);
              BOOLEAN ForgetAboutPG;

              // KiServiceTablesLocked == KiFilterParam
              KiFilterParam = KiInitialPcr.Prcb.HalReserved[1];
              KiInitialPcr.Prcb.HalReserved[1] = NULL;

              KiFilterFiberContext = KiInitialPcr.Prcb.HalReserved[0];
              KiInitialPcr.Prcb.HalReserved[0] = NULL;

              ForgetAboutPG = (InitSafeBootMode != 0) | (KUSER_SHARED_DATA.KdDebuggerEnabled >> 1);

              // 96% of cases will fail
              if ( __rdtsc() % 100 > 3 )
                  ForgetAboutPG |= 1;

              if ( !ForgetAboutPG && KiFilterFiberContext(KiFilterParam) != 1 )
                  KeBugCheckEx(SYSTEM_LICENSE_VIOLATION, 0x42424242, 0xC000026A, 0, 0);
          }

      As you may notice, there is a small "present" in the "HalReserved" processor control block field, left for this initialization case. Tracing down the guy who left it leads us to the very beginning of system startup:

          ... --> KiSystemStartup --> KiInitializeKernel --> KeCompactServiceTable --> KiLockServiceTable --> ??????

      We have to pause here, because there is no code that puts data into the HalReserved fields directly. Instead, it is done using the exception handler. And it is done in a different way from "KeInitAmd64SpecificState", because it doesn't trigger any exceptions. What it does instead is directly look up the current instruction pointer, find the corresponding function and its exception handler manually, and then call it. The exception handler of the "KiLockServiceTable" function is an unnamed stub to "KiFatalExceptionFilter".

          ?????? ---> KiFatalExceptionFilter

      "KiFatalExceptionFilter" in turn looks up an exception handler for the "KiServiceTablesLocked" function. And surprisingly, it is "KiFilterFiberContext"! Also, the parameter that is passed to "KiFilterFiberContext" is located right after the "KiServiceTablesLocked" function. It is a small structure:

          typedef struct _KI_FILTER_FIBER_PARAM
          {
              NTSTATUS (*PsCreateSystemThread)();     // a pointer to the PsCreateSystemThread function
              KSTART_ROUTINE sub_140235C44;           // unnamed checker subroutine
              KDPC KiBalanceSetManagerPeriodicDpc;    // global DPC struct
          } KI_FILTER_FIBER_PARAM, *PKI_FILTER_FIBER_PARAM;

      "KiFatalExceptionFilter" stores these pointers in the "HalReserved" fields.

      Creating the patchguard context

      Let's get back to the "KiFilterFiberContext" function. Its pseudocode is given below:

          BOOLEAN KiFilterFiberContext(PVOID pKiFilterParam)
          {
              BOOLEAN Result = TRUE;
              DWORD64 dwDpcIdx1 = __rdtsc() % 13;
              DWORD64 dwRand2   = __rdtsc() % 10;
              DWORD64 dwMethod1 = __rdtsc() % 6;

              AntiDebug();

              // Let's call sub_1406D6F78 KiInitializePatchGuardContext, since it does initialize the patchguard context
              Result = KiInitializePatchGuardContext(dwDpcIdx1, dwMethod1, (dwRand2 < 6) + 1, pKiFilterParam, TRUE);

              // A 50% chance to create two patchguard contexts
              if (dwRand2 < 6)
              {
                  DWORD64 dwDpcIdx2 = __rdtsc() % 13;
                  DWORD64 dwMethod2 = __rdtsc() % 6;

                  do
                  {
                      dwMethod2 = __rdtsc() % 6;
                  } while ((dwMethod1 != 0) && (dwMethod1 == dwMethod2));

                  Result = KiInitializePatchGuardContext(dwDpcIdx2, dwMethod2, 2, pKiFilterParam, FALSE);
              }

              AntiDebug();
              return Result;
          }

      It is rather clear, and with the provided code we can assume that up to 4 patchguard contexts can be active on a running system simultaneously. Remember this one, because wherever it is called we can be 100% sure that a new patchguard context is being initialized. The function that creates and initializes the patchguard context is the so-called "KiInitializePatchGuardContext". It is a huge obfuscated function. I guess it is suitable to reference Alex Ionescu's tweet about it: "I love the new #Windows 8 Patch Guard. Fixes so many of the obvious holes in downlevel, and the new hyper-inlined obfuscation makes me cry." You bet! IDA Pro's decompiler works on it for ~20 min on a 3770 Core i7 CPU and spews out 26K lines of code. It is not worth dealing with it as a single unit. Luckily, you can bite out small pieces of information that give you a clue about the methods the new patchguard uses. That's why we did not reverse engineer it entirely; instead we took and analyzed several parts of it. Feel free to explore this function yourself, and you may discover new wonderful things!

      It takes 5 parameters on Windows 8.1:

      1. Index of the DPC routine to be called from a created patchguard DPC for checking the patchguard context. It may be one of these:

          // These ones don't use exception handlers to fire checks
          KiTimerDispatch                     (copied to a random pool allocation)
          KiDpcDispatch                       (copied into the patchguard context)

          // These use exception handlers to fire patchguard checks
          ExpTimerDpcRoutine
          IopTimerDispatch
          IopIrpStackProfilerTimer
          PopThermalZoneDpc
          CmpEnableLazyFlushDpcRoutine
          CmpLazyFlushDpcRoutine
          KiBalanceSetManagerDeferredRoutine
          ExpTimeRefreshDpcRoutine
          ExpTimeZoneDpcRoutine
          ExpCenturyDpcRoutine

      Also, those 10 DPCs are regular system DPCs with a useful payload, but when they encounter a DeferredContext which has a non-canonical address, they fire the corresponding KiCustomAccessRoutine function. These functions are only called when an appropriate scheduling method is used (0, 1, 2, 5).

      2. Scheduling method. These are the methods that are used to fire the patchguard DPC object that is created inside the "KiInitializePatchGuardContext" function.
         KeSetCoalescableTimer (0). A timer object is created with a random fire period between 2 minutes and 2 minutes 10 seconds.
         Prcb.AcpiReserved (1). In this case a patchguard DPC is fired when a certain ACPI event occurs, e.g. transitioning to idle state. In this case "HalpTimerDPCRoutine" checks whether 2 minutes have passed since the last DPC it queued, and queues another one, taken from the Prcb.AcpiReserved field.
         Prcb.HalReserved (2). Here a patchguard DPC is queued when a HAL timer clock interrupt occurs, in "HalpMcaQueueDpc". It is also done with a period of at least 2 minutes. The queued patchguard DPC is taken from the Prcb.HalReserved field.
         PsCreateSystemThread (3). In this case the patchguard DPC routine is not used; instead a system thread is created. The thread procedure is taken from the KI_FILTER_FIBER_PARAM structure. The patchguard DPC in turn is used just as a container for the address of the newly created patchguard context.
         KeInsertQueueApc (4). This time a regular kernel APC is queued to one of the system threads with the "KiDispatchCallout" APC procedure. No patchguard DPC is fired either. The system thread is chosen based on its start address, i.e. it must be equal to either PopIrpWorkerControl or CcQueueLazyWriteScanThread.
         KiBalanceSetManagerPeriodicDpc (5). The patchguard DPC is stored in a global variable named "KiBalanceSetManagerPeriodicDpc". It is queued in the "KiUpdateTimeAssist" function and the "KeClockInterruptNotify" function every "KiBalanceSetManagerPeriod" ticks.

      3. This parameter can be either 1 or 2. We are not sure how it affects the "KiInitializePatchGuardContext" function, but it is somehow connected to the number of checks done while the patchguard context verification routine executes.

      4. A pointer to the KI_FILTER_FIBER_PARAM structure. It is noticeable that the method chosen inside "KiInitializePatchGuardContext" is selected based on the presence of this parameter. If it is present, a method bit mask is tested against 0x29 (101001b), which allows methods 0, 3 and 5. Otherwise methods 0, 1, 2 and 4 are available. That makes sense, because methods 3 and 5 require a valid KI_FILTER_FIBER_PARAM structure.

      5. Boolean parameter which tells whether the NT kernel function checksums have to be recalculated.

      As you might guess, the only scheduling method that can be initialized twice is 0, so "KiFilterFiberContext" takes this fact into account when choosing a method for the second call of "KiInitializePatchGuardContext".

      Firing a patchguard check

      Methods that fire the patchguard DPC

      The main principle of the patchguard check routine is to launch a patchguard context verification routine at DPC level, and then queue a work item that will check vital system structures at passive level, followed by context recreation and rescheduling. The verification work item uses a copy of the "FsRtlUninitializeSmallMcb" function. You can check this one out if you want to figure out how the check works. For the methods which use DPC activation there is common code inside the 10 listed DPC routines which checks "DeferredContext" for being a non-canonical address. If it is OK, the DPC just executes its payload. Otherwise one of the 10 "KiCustomAccessRoutineX" functions is called. When "KiCustomAccessRoutineX" is called, (last 2 bits + 1) of "DeferredContext" are taken and used to roll along "KiCustomRecurseRoutineX". These recursive routines are cycled, incrementing the X value. When the roll is over, "KiCustomRecurseRoutineX" tries to dereference the DeferredContext value as a pointer, which inevitably generates a #GP exception, since this address is non-canonical.

          // Inside DPC routine
          // Signed shift: a canonical address gives 0 or -1 here, so this branch is
          // taken only when DeferredContext is non-canonical
          if ( (DeferredContext >> 47) < 0xFFFFFFFFFFFFFFFFui64 && DeferredContext >> 47 != 0 )
          {
              ...
              KiCustomAccessRoutineX(DeferredContext);
              ...
          }

          void KiCustomAccessRoutine9(DWORD64 DeferredContext)
          {
              KiCustomRecurseRoutine9((DeferredContext & 3) + 1, DeferredContext);
          }

          void KiCustomRecurseRoutine9(DWORD dwRoll, DWORD64 DeferredContext)
          {
              DWORD dwNextRoll;
              DWORD64 go_go_GP;

              dwNextRoll = dwRoll - 1;
              if ( dwNextRoll )
                  KiCustomRecurseRoutine0(dwNextRoll, DeferredContext);

              go_go_GP = *(PDWORD64)DeferredContext; // #GP
          }

          // DPC routine call sequence
          ExpTimerDpcRoutine                 -> KiCustomAccessRoutine0 -> KiCustomRecurseRoutine0 ... KiCustomRecurseRoutineN
          IopTimerDispatch                   -> KiCustomAccessRoutine1 -> KiCustomRecurseRoutine1 ... KiCustomRecurseRoutineN
          IopIrpStackProfilerTimer           -> KiCustomAccessRoutine2 -> KiCustomRecurseRoutine2 ... KiCustomRecurseRoutineN
          PopThermalZoneDpc                  -> KiCustomAccessRoutine3 -> KiCustomRecurseRoutine3 ... KiCustomRecurseRoutineN
          CmpEnableLazyFlushDpcRoutine       -> KiCustomAccessRoutine4 -> KiCustomRecurseRoutine4 ... KiCustomRecurseRoutineN
          CmpLazyFlushDpcRoutine             -> KiCustomAccessRoutine5 -> KiCustomRecurseRoutine5 ... KiCustomRecurseRoutineN
          KiBalanceSetManagerDeferredRoutine -> KiCustomAccessRoutine6 -> KiCustomRecurseRoutine6 ... KiCustomRecurseRoutineN
          ExpTimeRefreshDpcRoutine           -> KiCustomAccessRoutine7 -> KiCustomRecurseRoutine7 ... KiCustomRecurseRoutineN
          ExpTimeZoneDpcRoutine              -> KiCustomAccessRoutine8 -> KiCustomRecurseRoutine8 ... KiCustomRecurseRoutineN
          ExpCenturyDpcRoutine               -> KiCustomAccessRoutine9 -> KiCustomRecurseRoutine9 ... KiCustomRecurseRoutineN

      Here comes vectored exception handling again. If you look up all the exception handlers for these DPC routines, you'll discover that there are several nested __try\__except and __try\__finally blocks. For example, "ExpTimerDpcRoutine" looks something like this:

          ...
          __try
          {
              __try
              {
                  __try
                  {
                      __try
                      {
                          KiCustomAccessRoutine0(DeferredContext);
                      }
                      __finally
                      {
                          FinalSub1();
                      }
                  }
                  __except (FilterSub1()) // patchguard context decryption occurs here
                  {
                      // Nothing
                  }
              }
              __finally
              {
                  FinalSub2();
              }
          }
          __except (FilterSub2())
          {
              // Nothing
          }
          ...

          ExpCenturyDpcRoutine, ExpTimeZoneDpcRoutine, ExpTimeRefreshDpcRoutine, KiBalanceSetManagerDeferredRoutine,
          CmpLazyFlushDpcRoutine, CmpEnableLazyFlushDpcRoutine, PopThermalZoneDpc, ExpTimerDpcRoutine ... -> _C_specific_handler
          IopIrpStackProfilerTimer, IopTimerDispatch ... -> _GSHandlerCheck_SEH (GS check + _C_specific_handler)

      Depending on the DPC routine, the decryption routine (based on the KiWaitAlways and KiWaitNever variables) may reside in one of the exception filters, exception handlers or termination handlers. Further patchguard context verification also occurs inside the decryption routine, right after the decryption. As for the "KiTimerDispatch" and "KiDpcDispatch" DPC routines, they call patchguard context verification directly. Also, depending on the DPC routine, a different type of patchguard context encryption is used (or none at all).

      Other methods

      Method 3 creates a system thread. The system thread procedure sleeps between 2 minutes and 2 minutes 10 seconds using "KeDelayExecutionThread" or "KeWaitForSingleObject" on a kernel object which is never signaled. After the wait times out, it decrypts the patchguard context and executes the verification routine.

      Method 4 inserts an APC with the "KiDispatchCallout" function as the kernel routine and "EmpCheckErrataList" as the normal routine. Patchguard context decryption and validation occurs upon APC delivery to the target waiting thread, which happens almost immediately. In this method, the 2-minute wait is located inside the verifier work item routine.

      One more piece of the puzzle

      That would be it about patchguard initialization, but looking for cross-references to KUSER_SHARED_DATA.KdDebuggerEnabled led me to a suspicious function named "CcInitializeBcbProfiler". It is full of bit rotations and magic numbers, which forced me to check whether it is related to the patchguard mechanism.

          ... --> Phase1InitializationDiscard --> CcInitializeCacheManager --> CcInitializeBcbProfiler

      It seems to have the same roots! With a 50% chance it queues a DPC with the "CcBcbProfiler" routine or a work item with an unnamed work item routine (which is almost identical to the "CcBcbProfiler" routine). This mechanism picks one random function from the NT kernel module and checks its consistency every 2 minutes. It is interesting that all of the patchguard-related functions are located nearby, one after another, starting from "FsRtlMdlReadCompleteDevEx". This tells us that they are likely located in a single compilation unit. This fact gives us hope that all of the patchguard initialization paths have been covered in this article.

      Attacks

      Now that we have covered patchguard initialization, we know which wires of the patchguard bomb can be cut to defuse it! However, there are several ways, depending on the patchguard DPC scheduling method. Since we cover a specific version of patchguard, i.e. Windows 8.1, we are going to use precomputed offsets for accessing the private kernel structures' fields. The common defusing principle is first to check whether the verification routine is in progress, and wait a bit if so. Then do the following:
         KeSetCoalescableTimer (0). Scan through the Prcb timer table and disable the one with the suitable DPC object.
         AcpiReserved field (1). Zero this field out, so the DPC won't be fired again.
         HalReserved field (2). Same here.
         PspCreateSystemThread (3). Enumerate all threads in the system and unwind their stacks. Then check whether the start routine from the "KiServiceTablesLocked" structure is present in a call stack. If it is there, it's a patchguard thread. Disable it while it is in a wait state by setting the wait time to infinite.
         APC (4). Take the current Prcb NUMA node and its worker thread pool.
Scan through its sleeping worker threads unwinding the stacks until "ExpWorkerThread" function. If there are functions that are not to be found in NT image runtime function data, try to unwind them sequentially with runtime data for "FsRtlMdlReadCompleteDevEx" and "FsRtlUninitializeSmallMcb". If succeeded, than it is a patchguard worker. Disable it setting the wait time to infinity. KiBalanceSetManagerPeriodicDpc (5). Zero this struct out. By disabling a timer we mean setting its due time to infinity, so it never fires. And by suitable DPC object we mean a DPC object with a deferred context set to a non-canonical address. Furthermore, you can additionally check this pointer to be valid after XORing its value with a quad-word following right after KDPC struct and ANDing it with 0xFFFF800000000000. As for the "CcBcbProfiler" piece, we consider it not to be relevant since there is a small chance that it will check exactly the needed function. Summary A quality of Windows 8.1 kernel patch protection mechanism is extremely high. There are a lot of interesting anti-debugging tricks used again dynamic analysis, f.e. resetting IDT before accessing debug registers (which leads you to hanging if you set break on debug registers access), overall obfuscation like using macroses for generating pseudo-random values, loop unrolling etc. It is also extremely difficult to do a static analysis since a lot of indirect function calls are used including the usage of exception handlers. It is a really nice tool to keep the system safe. Therefore we hope that as a developer you won't face situations when you need to disable this cool mechanism! Authors: Mark Ermolov, Artem Shishkin, Positive Research Sursa: Positive Research Center: Microsoft Windows 8.1 Kernel Patch Protection Analysis & Attack Vectors
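The DeferredContext check and the roll through the KiCustomRecurseRoutineX functions, modelled in Python as an added example (not code from the Positive Research article or from the Windows kernel). The 47-bit split, the "(last 2 bits + 1)" roll and the modulo-10 wrap of X follow the text above; the function names and the exception class are my own, and `sar47` makes explicit the sign-extending shift the decompiled condition relies on.

```python
# Added example: a model of the patchguard DPC prologue described above.
# Not kernel code; it only reproduces the control flow the article explains.

MASK64 = (1 << 64) - 1


def sar47(value):
    """Arithmetic (sign-extending) shift right by 47 of a 64-bit value,
    returned as an unsigned 64-bit number, as the decompiled check does."""
    value &= MASK64
    signed = value - (1 << 64) if value & (1 << 63) else value
    return (signed >> 47) & MASK64


def is_non_canonical(deferred_context):
    """Replicates the DPC routine condition: bits 63..47 of a canonical x64
    address are all ones (kernel half) or all zeros (user half); anything
    else is non-canonical and selects the patchguard path."""
    top = sar47(deferred_context)
    return top < 0xFFFFFFFFFFFFFFFF and top != 0


class GeneralProtectionFault(Exception):
    """Stands in for the #GP the CPU raises on a non-canonical dereference."""


def custom_recurse_routine(x, roll, deferred_context, trace):
    """Model of KiCustomRecurseRoutineX: recurse roll-1 more times with X
    incremented modulo 10, then dereference DeferredContext. The address is
    non-canonical, so the dereference faults; the model raises instead."""
    trace.append(x)
    next_roll = roll - 1
    if next_roll:
        custom_recurse_routine((x + 1) % 10, next_roll, deferred_context, trace)
    raise GeneralProtectionFault(hex(deferred_context))


def dpc_routine(x, deferred_context):
    """Model of the common prologue shared by the ten DPC routines.
    Returns (path, routines_entered): ('payload', []) for a canonical
    context, or ('patchguard', [X, X+1, ...]) when KiCustomAccessRoutineX
    rolled through the recurse routines and the fault was caught by the
    DPC routine's exception handlers (where the context decryption happens)."""
    if not is_non_canonical(deferred_context):
        return ("payload", [])
    trace = []
    roll = (deferred_context & 3) + 1   # KiCustomAccessRoutineX: (last 2 bits + 1)
    try:
        custom_recurse_routine(x, roll, deferred_context, trace)
    except GeneralProtectionFault:
        return ("patchguard", trace)
    return ("unreachable", trace)


if __name__ == "__main__":
    # Constructed sample contexts: kernel-half, user-half, non-canonical.
    for ctx in (0xFFFFF80012345678, 0x00007FF812345678, 0x0000800000000002):
        print(hex(ctx), dpc_routine(9, ctx))
```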
  16. Minimum 50 posts for "Market".
  17. These are pink. I don't like them.
  18. Supposedly he is the administrator of indetectables.net.
  19. Rpcsniffer

    RPCSniffer sniffs WINDOWS RPC messages in a given RPC server process.

    General Information

    With RPCSniffer you can explore the RPC messages present on a Microsoft system. The data given for each RPC message contains the following details:

    - Type (Async/Sync, Request/Response)
    - Process number
    - Thread number
    - Procedure number
    - Transfer Info
      - GUID
      - RPC minor version
      - RPC major version
    - Interface Info
      - GUID
      - Dispatch table pointer
      - Dispatch table size
      - Dispatch table function pointer
    - Midl Info
      - Dispatch pointer
      - Server function address
    - RPC Flags
    - RPC Data

    Sursa: Rpcsniffer by AdiKo
  20. Nytro

    tinfoleak

    tinfoleak – Get detailed information about a Twitter user activity

    The latest official version is 1.2 (03/02/2014). Download tinfoleak-1.2.tar.gz here.

    Some examples showing user tweets in Google Earth:

    tinfoleak is a simple Python script that allows you to obtain:

    - basic information about a Twitter user (name, picture, location, followers, etc.)
    - devices and operating systems used by the Twitter user
    - applications and social networks used by the Twitter user
    - place and geolocation coordinates to generate a tracking map of locations visited
    - show user tweets in Google Earth!
    - download all pics from a Twitter user
    - hashtags used by the Twitter user and when they are used (date and time)
    - user mentions by the Twitter user and when they occurred (date and time)
    - topics used by the Twitter user

    You can filter all the information by:

    - start date / time
    - end date / time
    - keywords

    Screenshots: Usage, Basic information, Client applications, Geolocation information, Hashtags, User mentions, Find keywords

    Sursa: » Tools Vicente Aguilera Diaz
  21. SecurePHPWebAppCoding - SQL Injection - what is it and how to stop it?

    Abani Kumar Meher, 14 Sep 2014

    Introduction

    In this article I have tried to cover some basic info about SQL injection: how we write code while developing a web application which results in an SQL injection vulnerability, how an attacker uses this flaw to gain unauthorized access, and how we can change the code a little bit to overcome our mistakes and prevent attackers from using SQL injection in the web application, which makes our application more secure. This article uses PHP and MySQL to show the examples, but other languages also have similar functions to prevent SQL injection. So let's see what SQL injection is.

    What is SQL Injection?

    SQL injection is a type of web application vulnerability using which an attacker can manipulate and submit an SQL command to retrieve unauthorized information from the database. This type of attack mostly occurs when a web application executes data provided by the user without validating or escaping it. SQL injection can give the attacker access to sensitive information such as financial data, credit card information or users' personal information, and allows the attacker to manipulate data stored in the database. It is not a database or web application server issue but a web application programming issue, and most developers are not aware of this.

    What can an attacker achieve using SQL injection?

    Based on the application and how user data is handled by the application, an SQL injection attack is used for the following. There are other scenarios also.

    - Unauthorized login: An attacker can use SQL injection to get unauthorized access to a user's account and perform any action they want on that account.
    - Privilege escalation: A user with fewer privileges can use SQL injection to log in to an account with more privileges than his account and add more privileges to his account, so that the attacker can access more data/features of that application.
    - Tamper with database data: An attacker can update database data to change other profile details or change the password, which will result in problems for the other user.
    - Dumping the database: An attacker can use SQL injection to dump all data from the database and expose it, with sensitive information like logins, credit card information etc. of users.
    - Deletion/destruction of data: SQL injection can be used to delete data from the database, making the website lose all records of users and all their details.
    - Read files of the web server: An attacker can use SQL injection to load files present on the web server and read the application code, configuration files etc.
    - Damage the company's reputation: SQL injection can be used to dump all data and make it available publicly. No user likes their personal/sensitive data leaked.

    How can we prevent SQL injection?

    - Never trust user input and client side validation. Always validate user input on the server end for the specific data type, or convert the data to the specific data type before using it in a query.
    - For string data, escape single quotes and double quotes or convert the string to HTML entities (this will increase the length of the string, so depending upon the field type/length, use it).
    - Try to avoid creating queries using string concatenation. It is one of the main reasons which makes a web application vulnerable to SQL injection, but most developers use this approach to generate queries because they find it easy, without thinking or knowing about the mistake they are making.
    - Use prepared statements and parameter binding.
    - Whenever possible, replace potentially dangerous characters for the database in user input data.

      Special Database Characters | Function in database
      ;                           | Query delimiter
      '                           | Character data string delimiter
      --                          | Single line comment
      /* */                       | Multiline comment

      NOTE: Special database characters may vary from database to database.

    - Use an account with fewer permissions for the web application to execute queries.

    Now let's do some real work. Let's see how we write code which allows a hacker to use SQL injection in a website, and with that we will see how we can write a few more lines of code to prevent SQL injection in the website. We will see it using PHP, but the same thing can be done to/using applications written in other programming languages. So let's begin. Let's see the classic example first, which everyone mentions when you ask about SQL injection.

    Articol: SecurePHPWebAppCoding - SQL Injection - what is it and how to stop it? - CodeProject
  22. Defence - Beating Keyloggers to protect Domain Admin Creds - Windows

    Hi All,

    This post is a little different to what I normally do, and I think it is a long time coming in general. Nowadays the bloggers in the IT security community are all focusing on the hacks, exploits and ways to break in. I thought I would show you a way to improve the overall security of your network. This can be implemented quite easily and is a control mandated in the Internet Security Manual. For anyone not in Australia or not aware of the ISM, here is the blurb from ASD.

    “The Australian Signals Directorate (ASD) produces the Australian Government Information Security Manual (ISM). The manual is the standard which governs the security of government ICT systems”

    Link: http://www.asd.gov.au/publications/Information_Security_Manual_2014_Controls.pdf

    I want to state that this is not the only way to design your network, and this example is specifically for handling keylogging to protect your domain admin accounts. From what I am seeing there are two types of networks around these days.

    - Flat networks: hosts, admin hosts and servers in the same subnet
    - Layered networks: hosts in one subnet, admin in another subnet and servers in another subnet

    In a flat network any normal host / admin host can RDP into any server. In a layered network normal hosts cannot RDP into the server subnet but admin hosts can. What does this mean for keyloggers?

    Flat Network

    In a flat network your domain admins / server admins are able to log on to any server they want with their admin credentials. If this is the same as their workstation credentials, email associated, this is a bad thing in general. For this example we will assume the following:

    - The workstation credentials are different to the admin credentials.
    - The workstation credential will be named BobSmith
    - The admin credentials will be named BobAdmin.

    Layered Network

    Now expand on this: Bob is in a separate subnet to the rest of the environment and he can RDP to any server he chooses to. Bob has a keylogger that he doesn’t know about. When Bob decides to log on to Server A he uses his BobAdmin account. Here is what it looks like.

    Attack #1

    Bob logs in to the RDP server. Meterpreter dumps out the password that is typed and admin credentials are presented. Dammit! Isn’t defense in layers supposed to be better? Well yes. So you are now asking how do you protect the domain admin credentials? Easy… Set up a management server. Here is a picture of how it works. I dummied up some IP ranges to give you an example.

    Management Server: You can handle this one of two ways.

    1. Bob Smith needs a separate account that is allowed to RDP onto the management server but has no admin privileges on the management server. For example an account named bobRDP. bobRDP can only RDP to the management server and nowhere else.
    2. Bob Smith uses ‘BobSmith’ to RDP to the server and again has no admin privileges on the management server.

    Option 1 allows a little more separation of accounts and adds an administrative burden. Option 2 is a quick fix. It is important that BobSmith is only allowed to log on to the management server and nowhere else. Essentially the admin subnet is only allowed TCP 3389 / RDP to the management server, NOWHERE ELSE! No other ports. For this example I am using option 2 because I’m lazy and it allows me to bang out this post quickly.

    Attack #2

    - Permissions on the jump server for bobsmith
    - Pre-meterpreter dump on Bob's workstation. Nothing showed.
    - Bob RDPs to the management server
    - Runs mstsc and RDPs to the domain controller server.
    - Open command prompt on the jump server
    - Open command prompt on the nested RDP - domain controller
    - Dump of meterpreter keylogger after

    As you can see there are no remnants of bobAdmin's password or of him typing in the management server. Keylogging problem solved!

    Now people may look at this post and find so many ways around this design with other attack vectors. But this post was specifically for one issue, and that is to beat keyloggers, nothing else. Hopefully this post has been helpful to you.

    Posted by Mickey Perre at 20:07

    Sursa: Mickeys Security Blogspot: Defence - Beating Keyloggers to protect Domain Admin Creds - Windows
  23. FLARE IDA Pro Script Series: MSDN Annotations IDA Pro for Malware Analysis

    September 11, 2014 | By Moritz Raabe

    The FireEye Labs Advanced Reverse Engineering (FLARE) Team continues to share knowledge and tools with the community. We started this blog series with a script for Automatic Recovery of Constructed Strings in Malware. As always, you can download these scripts at the following location: https://github.com/fireeye/flare-ida. We hope you find all these scripts as useful as we do.

    Motivation

    During my summer internship with the FLARE team, my goal was to develop IDAPython plug-ins that speed up the reverse engineering workflow in IDA Pro. While analyzing malware samples with the team, I realized that a lot of time is spent looking up information about functions, arguments, and constants at the Microsoft Developer Network (MSDN) website. Frequently switching to the developer documentation can interrupt the reverse engineering process, so we thought about ways to integrate MSDN information into IDA Pro automatically. In this blog post we will release a script that does just that, and we will show you how to use it.

    Introduction

    The MSDN Annotations plug-in integrates information about functions, arguments and return values into IDA Pro’s disassembly listing in the form of IDA comments. This allows the information to be integrated as seamlessly as possible. Additionally, the plug-in is able to automatically rename constants, which further speeds up the analyst workflow. The plug-in relies on an offline XML database file, which is generated from Microsoft’s documentation and IDA type library files.

    Features

    Table 1 shows what benefit the plug-in provides to an analyst. On the left you can see IDA Pro’s standard disassembly: seven arguments get pushed onto the stack and then the CreateFileA function is called. Normally an analyst would have to look up function, argument and possibly constant descriptions in the documentation to understand what this code snippet is trying to accomplish. To obtain readable constant values, an analyst would be required to research the respective argument, import the corresponding standard enumeration into IDA and then manually rename each value. The right side of Table 1 shows the result of executing our plug-in, showing the support it offers to an analyst. The most obvious change is that constants are renamed automatically. In this example, 40000000h was automatically converted to GENERIC_WRITE. Additionally, each function argument is renamed to a unique name, so the corresponding description can be added to the disassembly.

    Table 1: Automatic labelling of standard symbolic constants

    In Figure 1 you can see how the plug-in enables you to display function, argument, and constant information right within the disassembly. The top image shows how hovering over the CreateFileA function displays a short description and the return value. In the middle image, hovering over the hTemplateFile argument displays the corresponding description. And in the bottom image, you can see how hovering over dwShareMode, the automatically renamed constant, displays descriptive information.

    Figure 1: Hovering function names, arguments and constants displays the respective descriptions

    How it works

    Before the plug-in makes any changes to the disassembly, it creates a backup of the current IDA database file (IDB). This file gets stored in the same directory as the current database and can be used to revert to the previous markup in case you do not like the changes or something goes wrong. The plug-in is designed to run once on a sample before you start your analysis. It relies on an offline database generated from the MSDN documentation and IDA Pro type library (TIL) files.

    For every function reference in the import table, the plug-in annotates the function’s description and return value, adds argument descriptions, and renames constants. An example of an annotated import table is depicted in Figure 2. It shows how a descriptive comment is added to each API function call. In order to identify addresses of instructions that position arguments prior to a function call, the plug-in relies on IDA Pro’s markup.

    Figure 2: Annotated import table

    Figure 3 shows the additional .msdn segment the plug-in creates in order to store argument descriptions. This only impacts the IDA database file and does not modify the original binary.

    Figure 3: The additional segment added to the IDA database

    The .msdn segment stores the argument descriptions as shown in Figure 4. The unique argument names and their descriptive comments are sequentially added to the segment.

    Figure 4: Names and comments inserted for argument descriptions

    To allow the user to see constant descriptions by hovering over constants in the disassembly, the plug-in imports IDA Pro’s relevant standard enumeration and adds descriptive comments to the enumeration members. Figure 5 shows this for the MACRO_CREATE enumeration, which stores constants passed as dwCreationDisposition to CreateFileA.

    Figure 5: Descriptions added to the constant enumeration members

    Preparing the MSDN database file

    The plug-in’s graphical interface requires you to have the QT framework and Python scripting installed. This is included with the IDA Pro 6.6 release. You can also set it up for IDA 6.5 as described here (Precompiled PySide binaries for IDA Pro | Hex Blog).

    As mentioned earlier, the plug-in requires an XML database file storing the MSDN documentation. We cannot distribute the database file with the plug-in because Microsoft holds the copyright for it. However, we provide a script to generate the database file. It can be cloned from the git repository at https://github.com/fireeye/flare-ida together with the annotation plug-in. You can take the following steps to set up the database file. You only have to do this once.

    1. Download and install an offline version of the MSDN documentation. You can download the Microsoft Windows SDK MSDN documentation. The standalone installer can be downloaded from Download Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1 (ISO) from Official Microsoft Download Center. Although it is not the newest SDK version, it includes all the needed information and data extraction is straight-forward. As shown in Figure 6, you can select to only install the help files. By default they are located in C:\Program Files\Microsoft SDKs\Windows\v7.0\Help\1033.

       Figure 6: Installing a local copy of the MSDN documentation

    2. Extract the files with an archive manager like 7-zip to a directory of your choice.

    3. Download and extract tilib.exe from Hex-Rays’ download page at https://www.hex-rays.com/products/ida/support/download.shtml. To allow the plug-in to rename constants, it needs to know which enumerations to import. IDA Pro stores this information in TIL files located in %IDADIR%/til/. Hex-Rays provides a tool (tilib) to show TIL file contents via their download page for registered users. Download the tilib archive and extract the binary into %IDADIR%. If you run tilib without any arguments and it displays its help message, the program is running correctly.

    4. Run MSDN_crawler/msdn_crawler.py <path to extracted MSDN documentation> <path to tilib.exe> <path to til files>. With these prerequisites fulfilled, you can run the MSDN_crawler.py script, located in the MSDN_crawler directory. It expects the path to the TIL files you want to extract (normally %IDADIR%/til/pc/) and the path to the extracted MSDN documentation. After the script finishes execution the final XML database file should be located in the MSDN_data directory.

    You can now run our plug-in to annotate your disassembly in IDA.

    Running the MSDN annotations plug-in

    In IDA, use File – Script file… (ALT + F7) to open the script named annotate_IDB_MSDN.py. This will display the dialog box shown in Figure 7 that allows you to configure the modifications the plug-in performs. By default, the plug-in annotates functions and arguments and renames constants. If you change the settings and execute the plug-in by clicking OK, your settings get stored in a configuration file in the plug-in’s directory. This allows you to quickly run the plug-in on other samples using your preferred settings. If you do not choose to annotate functions and/or arguments, you will not be able to see the respective descriptions by hovering over the element.

    Figure 7: The plug-in’s configuration window showing the default settings

    When you choose to use repeatable comments for function name annotations, the description is visible in the disassembly listing, as shown in Figure 8.

    Figure 8: The plug-in’s preview of function annotations with repeatable comments

    Similar Tools and Known Limitations

    Parts of our solution were inspired by existing IDA Pro plug-ins, such as IDAScope and IDAAPIHelp. A special thank you goes out to Zynamics for their MSDN crawler and the IDA importer, which greatly supported our development.

    Our plug-in has mainly been tested on IDA Pro for Windows, though it should work on all platforms. Due to the structure of the MSDN documentation and limitations of the MSDN crawler, not all constants can be parsed automatically. When you encounter missing information you can extend the annotation database by placing files with supplemental information into the MSDN_data directory. In order to be processed correctly, they have to be valid XML following the schema given in the main database file (msdn_data.xml). However, if you want to extend partly existing function information, you only have to add the additional fields. Name tags are mandatory for this, as they get used to identify the respective element. For example, if the parser did not recognize a commonly used constant, we could add the information manually. For the CreateFileA function’s dwDesiredAccess argument the additional information could look similar to Listing 1.

        <?xml version="1.0" encoding="ISO-8859-1"?>
        <msdn>
          <functions>
            <function>
              <name>CreateFileA</name>
              <arguments>
                <argument>
                  <name>dwDesiredAccess</name>
                  <constants enums="MACRO_GENERIC">
                    <constant>
                      <name>GENERIC_ALL</name>
                      <value>0x10000000</value>
                      <description>All possible access rights</description>
                    </constant>
                    <constant>
                      <name>GENERIC_EXECUTE</name>
                      <value>0x20000000</value>
                      <description>Execute access</description>
                    </constant>
                    <constant>
                      <name>GENERIC_WRITE</name>
                      <value>0x40000000</value>
                      <description>Write access</description>
                    </constant>
                    <constant>
                      <name>GENERIC_READ</name>
                      <value>0x80000000</value>
                      <description>Read access</description>
                    </constant>
                  </constants>
                </argument>
              </arguments>
            </function>
          </functions>
        </msdn>

    Listing 1: Additional information enhancing the dwDesiredAccess argument for the CreateFileA function

    Conclusion

    In this post, we showed how you can generate an MSDN database file used by our plug-in to automatically annotate information about functions, arguments and constants into IDA Pro’s disassembly. Furthermore, we talked about how the plug-in works, and how you can configure and customize it. We hope this speeds up your analysis process! Stay tuned for the FLARE Team’s next post where we will release solutions for the FLARE On Challenge (www.flare-on.com).

    Sursa: FLARE IDA Pro Script Series: MSDN Annotations IDA Pro for Malware Analysis | FireEye Blog
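A parser for a supplemental file in the shape of Listing 1, written here as an added example (not the plug-in's own code; the element names follow the listing, and it is assumed that the msdn_data.xml schema matches it). It builds the value-to-name table the plug-in needs to relabel an immediate such as 40000000h as GENERIC_WRITE and, going beyond the listing, also names OR-ed combinations of the flags.

```python
# Added example: turn Listing 1 style constant data into symbolic operand names.
import xml.etree.ElementTree as ET

# Constructed input reproducing Listing 1 (GENERIC_* values as documented there).
SUPPLEMENT_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<msdn>
  <functions>
    <function>
      <name>CreateFileA</name>
      <arguments>
        <argument>
          <name>dwDesiredAccess</name>
          <constants enums="MACRO_GENERIC">
            <constant><name>GENERIC_ALL</name><value>0x10000000</value><description>All possible access rights</description></constant>
            <constant><name>GENERIC_EXECUTE</name><value>0x20000000</value><description>Execute access</description></constant>
            <constant><name>GENERIC_WRITE</name><value>0x40000000</value><description>Write access</description></constant>
            <constant><name>GENERIC_READ</name><value>0x80000000</value><description>Read access</description></constant>
          </constants>
        </argument>
      </arguments>
    </function>
  </functions>
</msdn>
"""


def load_constants(xml_text):
    """Returns {(function, argument): {value: (name, description)}}.
    The <name> tags are the lookup keys, as the post says they must be present."""
    root = ET.fromstring(xml_text.encode("latin-1"))   # bytes so the declared encoding applies
    table = {}
    for func in root.iter("function"):
        fname = func.findtext("name")
        for arg in func.iter("argument"):
            aname = arg.findtext("name")
            entries = {}
            for const in arg.iter("constant"):
                value = int(const.findtext("value"), 16)
                entries[value] = (const.findtext("name"), const.findtext("description"))
            table[(fname, aname)] = entries
    return table


def symbolic(table, function, argument, value):
    """Name for an immediate operand: an exact match first, otherwise a '|' of
    the flag constants that cover it; leftover bits no constant explains are
    kept as hex so nothing is silently dropped from the disassembly."""
    entries = table.get((function, argument), {})
    if value in entries:
        return entries[value][0]
    parts, remaining = [], value
    for bit_value, (name, _description) in sorted(entries.items()):
        if bit_value and remaining & bit_value == bit_value:
            parts.append(name)
            remaining &= ~bit_value
    if remaining:
        parts.append(hex(remaining))
    return " | ".join(parts) if parts else hex(value)


def describe(table, function, argument, value):
    """Comment text for a hover: name plus the description of each matched flag."""
    entries = table.get((function, argument), {})
    names = symbolic(table, function, argument, value).split(" | ")
    by_name = {name: desc for name, desc in entries.values()}
    return "; ".join(f"{n}: {by_name[n]}" if n in by_name else n for n in names)


if __name__ == "__main__":
    t = load_constants(SUPPLEMENT_XML)
    for imm in (0x40000000, 0xC0000000, 0x40000001):
        print(hex(imm), "->", describe(t, "CreateFileA", "dwDesiredAccess", imm))
```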
  24. Nytro

    iLoot

    Using this CLI tool you can download backups of devices assigned to your AppleID. Based on the iphone-dataprotection script, so copyrights belong to the respective owners. Offset operations added and other minor bugs fixed. This tool is for educational purposes only. Before you start, make sure it's not illegal in your country.

    Follow us on twitter @hackappcom and facebook Hackapp blog Mobile Applications Scanner hackapp.com

    Example

        python iloot.py <appleID> <password>

    Sursa: https://github.com/hackappcom/iloot
  25. Xenotix provides Zero False Positive XSS Detection by performing the scan within the browser engines where, in the real world, payloads get reflected. The Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of the Xenotix API to make the tool work like you wanted it to. See What's new!

    Feature Additions

    - Intelli Fuzzer
    - Context Based Fuzzer
    - Blind Fuzzer
    - HTA Network Configuration
    - HTA Drive-By
    - HTA Drive-By Reverse Shell
    - JSFuck 6 Char Encoder
    - jjencode Encoder
    - aaencode Encoder
    - IP to Location
    - IP to GeoLocation
    - IP Hinting
    - Download Spoofer
    - HTML5 Geolocation API
    - Reverse TCP Shell Addon (Linux)
    - OAuth 1.0a Request Scanner
    - 4800+ Payloads
    - SSL Error Fixed

    Download OWASP Xenotix XSS Exploit Framework or https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework

    Regards,
    Ajin | @ajinabraham

    Sursa: WebApp Sec: OWASP Xenotix XSS Exploit Framework v6 Released