Everything posted by Nytro
-
[h=3]A Brief, Incomplete, and Mostly Wrong History of Programming Languages[/h]
[h=2]Thursday, May 7, 2009[/h]

1801 - Joseph Marie Jacquard uses punch cards to instruct a loom to weave "hello, world" into a tapestry. Redditers of the time are not impressed due to the lack of tail call recursion, concurrency, or proper capitalization.

1842 - Ada Lovelace writes the first program. She is hampered in her efforts by the minor inconvenience that she doesn't have any actual computers to run her code. Enterprise architects will later relearn her techniques in order to program in UML.

1936 - Alan Turing invents every programming language that will ever be but is shanghaied by British Intelligence to be 007 before he can patent them.

1936 - Alonzo Church also invents every language that will ever be but does it better. His lambda calculus is ignored because it is insufficiently C-like. This criticism occurs in spite of the fact that C has not yet been invented.

1940s - Various "computers" are "programmed" using direct wiring and switches. Engineers do this in order to avoid the tabs vs spaces debate.

1957 - John Backus and IBM create FORTRAN. There's nothing funny about IBM or FORTRAN. It is a syntax error to write FORTRAN while not wearing a blue tie.

1958 - John McCarthy and Paul Graham invent LISP. Due to high costs caused by a post-war depletion of the strategic parentheses reserve LISP never becomes popular[1]. In spite of its lack of popularity, LISP (now "Lisp" or sometimes "Arc") remains an influential language in "key algorithmic techniques such as recursion and condescension"[2].

1959 - After losing a bet with L. Ron Hubbard, Grace Hopper and several other sadists invent the Capitalization Of Boilerplate Oriented Language (COBOL). Years later, in a misguided and sexist retaliation against Adm. Hopper's COBOL work, Ruby conferences frequently feature misogynistic material.

1964 - John Kemeny and Thomas Kurtz create BASIC, an unstructured programming language for non-computer scientists.

1965 - Kemeny and Kurtz go to 1964.

1970 - Guy Steele and Gerald Sussman create Scheme. Their work leads to a series of "Lambda the Ultimate" papers culminating in "Lambda the Ultimate Kitchen Utensil." This paper becomes the basis for a long running, but ultimately unsuccessful run of late night infomercials. Lambdas are relegated to relative obscurity until Java makes them popular by not having them.

1970 - Niklaus Wirth creates Pascal, a procedural language. Critics immediately denounce Pascal because it uses "x := x + y" syntax instead of the more familiar C-like "x = x + y". This criticism happens in spite of the fact that C has not yet been invented.

1972 - Dennis Ritchie invents a powerful gun that shoots both forward and backward simultaneously. Not satisfied with the number of deaths and permanent maimings from that invention he invents C and Unix.

1972 - Alain Colmerauer designs the logic language Prolog. His goal is to create a language with the intelligence of a two year old. He proves he has reached his goal by showing a Prolog session that says "No." to every query.

1973 - Robin Milner creates ML, a language based on the M&M type theory. ML begets SML which has a formally specified semantics. When asked for a formal semantics of the formal semantics Milner's head explodes. Other well known languages in the ML family include OCaml, F#, and Visual Basic.

1980 - Alan Kay creates Smalltalk and invents the term "object oriented." When asked what that means he replies, "Smalltalk programs are just objects." When asked what objects are made of he replies, "objects." When asked again he says "look, it's all objects all the way down. Until you reach turtles."

1983 - In honor of Ada Lovelace's ability to create programs that never ran, Jean Ichbiah and the US Department of Defense create the Ada programming language. In spite of the lack of evidence that any significant Ada program is ever completed historians believe Ada to be a successful public works project that keeps several thousand roving defense contractors out of gangs.

1983 - Bjarne Stroustrup bolts everything he's ever heard of onto C to create C++. The resulting language is so complex that programs must be sent to the future to be compiled by the Skynet artificial intelligence. Build times suffer. Skynet's motives for performing the service remain unclear but spokespeople from the future say "there is nothing to be concerned about, baby," in an Austrian accented monotone. There is some speculation that Skynet is nothing more than a pretentious buffer overrun.

1986 - Brad Cox and Tom Love create Objective-C, announcing "this language has all the memory safety of C combined with all the blazing speed of Smalltalk." Modern historians suspect the two were dyslexic.

1987 - Larry Wall falls asleep and hits Larry Wall's forehead on the keyboard. Upon waking Larry Wall decides that the string of characters on Larry Wall's monitor isn't random but an example program in a programming language that God wants His prophet, Larry Wall, to design. Perl is born.

1990 - A committee formed by Simon Peyton-Jones, Paul Hudak, Philip Wadler, Ashton Kutcher, and People for the Ethical Treatment of Animals creates Haskell, a pure, non-strict, functional language. Haskell gets some resistance due to the complexity of using monads to control side effects. Wadler tries to appease critics by explaining that "a monad is a monoid in the category of endofunctors, what's the problem?"

1991 - Dutch programmer Guido van Rossum travels to Argentina for a mysterious operation. He returns with a large cranial scar, invents Python, is declared Dictator for Life by legions of followers, and announces to the world that "There Is Only One Way to Do It." Poland becomes nervous.

1995 - At a neighborhood Italian restaurant Rasmus Lerdorf realizes that his plate of spaghetti is an excellent model for understanding the World Wide Web and that web applications should mimic their medium. On the back of his napkin he designs Programmable Hyperlinked Pasta (PHP). PHP documentation remains on that napkin to this day.

1995 - Yukihiro "Mad Matz" Matsumoto creates Ruby to avert some vaguely unspecified apocalypse that will leave Australia a desert run by mohawked warriors and Tina Turner. The language is later renamed Ruby on Rails by its real inventor, David Heinemeier Hansson. [The bit about Matsumoto inventing a language called Ruby never happened and better be removed in the next revision of this article - DHH].

1995 - Brendan Eich reads up on every mistake ever made in designing a programming language, invents a few more, and creates LiveScript. Later, in an effort to cash in on the popularity of Java the language is renamed JavaScript. Later still, in an effort to cash in on the popularity of skin diseases the language is renamed ECMAScript.

1996 - James Gosling invents Java. Java is a relatively verbose, garbage collected, class based, statically typed, single dispatch, object oriented language with single implementation inheritance and multiple interface inheritance. Sun loudly heralds Java's novelty.

2001 - Anders Hejlsberg invents C#. C# is a relatively verbose, garbage collected, class based, statically typed, single dispatch, object oriented language with single implementation inheritance and multiple interface inheritance. Microsoft loudly heralds C#'s novelty.

2003 - A drunken Martin Odersky sees a Reese's Peanut Butter Cup ad featuring somebody's peanut butter getting on somebody else's chocolate and has an idea. He creates Scala, a language that unifies constructs from both object oriented and functional languages. This pisses off both groups and each promptly declares jihad.

[h=4]Footnotes[/h]
[1] Fortunately for computer science the supply of curly braces and angle brackets remains high.
[2] Catch as catch can - Verity Stob

Sursa: One Div Zero: A Brief, Incomplete, and Mostly Wrong History of Programming Languages
-
[h=1]Drive-by-download Attack Exploits Critical Vulnerability in Windows Media Player[/h]
By Lucian Constantin, IDG News
Jan 27, 2012 12:01 pm

Security researchers from antivirus vendor Trend Micro have come across a Web-based attack that exploits a known vulnerability in Windows Media Player.

"Earlier today, we encountered a malware that exploits a recently (and publicly) disclosed vulnerability, the MIDI Remote Code Execution Vulnerability (CVE-2012-0003)," Trend Micro threat response engineer Roland Dela Paz said in a blog post on Thursday.

The security flaw can be exploited by tricking the victim into opening a specially crafted MIDI (Musical Instrument Digital Interface) file in Windows Media Player. Microsoft released a security fix for it on January 10, as part of its monthly patch cycle. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," the company said at the time.

The so-called drive-by-download attack identified by Trend Micro researchers uses a malicious HTML page to load the malformed MIDI file as an embedded object for the Windows Media Player browser plug-in. If successful, the exploit downloads and executes a computer Trojan on the targeted system, which Trend Micro detects as TROJ_DLOAD.QYUA.

"We're still conducting further analysis on TROJ_DLOAD.QYUA, but so far we've been seeing some serious payload, including rootkit capabilities," Dela Paz said.

It's not yet clear how victims are being tricked into visiting the malicious page, but the attack doesn't appear to target a particular organization or group of people, said David Sancho, a senior antivirus researcher at Trend Micro. According to the researcher, the attack is not widespread at the moment, but it is possible that other attackers will start exploiting the same vulnerability in the near future. "As mentioned, this is a publicly disclosed vulnerability so we can expect similar attacks in the future," Sancho said.

Trend Micro advises users to install the security patches described by Microsoft in its MS12-004 security bulletin. The vulnerability affects Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, but not Windows 7 or Windows Server 2008 R2.

As a general rule, users should always keep their operating systems and other software installed on their computers up to date in order to avoid becoming victims of drive-by-download attacks. Running an antivirus program capable of scanning Web content at all times is also recommended.

Sursa: Drive-by-download Attack Exploits Critical Vulnerability in Windows Media Player | PCWorld
-
[h=4]Windows Registry Forensics[/h]
[h=3]Thursday, January 26. 2012[/h]
Document created by Yakov Goldberg, UBSERC TEAM
Our website: UBERsec - When efficiency & smart cyber security collaborates together.
Follow Us on Twitter: Twitter

Windows Registry Forensics

BACKGROUND

Most Windows Operating Systems (OS) contain a database called the Windows registry. The Windows registry consists of Windows data files that contain imperative information about the Windows Operating System (OS), software applications that are installed in Windows, hardware information and various system components. The registry is designed with folders called keys and values that contain specific information about the keys which they represent. By browsing through the keys and reading the values, users can find information about applications that have been installed in the system, files that were used recently and applications and services that are running throughout the Windows start-up process.

The information in this article will present some interesting locations within the Windows registry. That information can be viewed by all users and help them to learn and understand the registry and also realize what is getting logged by Windows inside the registry. Likewise, the information in this article can help users to perform some simple forensics analysis of their Windows registry for learning purposes or for troubleshooting purposes as needed.

THE REGISTRY HIVES

To load the Windows registry editor, click on the START button, then click on RUN, and then type regedt32. Now you should see the following. As you can see, the registry shows five different registry hives. Keep in mind however, that Windows Vista and Windows 7 also include additional registry hive files besides those that are loaded by the registry editor.

- HKEY_CLASSES_ROOT (HKCR): this hive contains configuration information that specifies which applications are used to open each file format within the system.

- HKEY_CURRENT_USER (HKCU): this hive contains information about the user that is currently logged on to the system and information about the current user profile of that user as well. The HKCU folder actually corresponds to the NTUSER.dat file located in the following location on your hard drive:
  For Windows XP users: C:\Documents and Settings\username\NTUSER.dat
  For Windows Vista and 7 users: C:\Users\username\NTUSER.dat
  Note that there are some open-source tools on the Internet that allow you to view the information within the NTUSER.dat file without having to log on as each user and then access that registry hive. However, if you are a professional forensics analyst, logging in to an OS that is used as evidence in a criminal investigation under the criminal's Windows profile only to collect artifacts from the registry pertaining to the crime is NOT a GOOD idea, because you will contaminate the timelines stored within the NTUSER.dat file (or HKCU) and the evidence will not be admissible in court. The information within that NTUSER.dat must only be viewed by booting up an external OS (such as Linux) from a CD or USB, then mounting the local drive and then viewing the information in each file. The Backtrack distribution contains some great tools that can help users with this task. In addition, you may choose to download a demo of AccessData Registry Viewer and/or purchase that application to help you collect information from other users' NTUSER.dat files without having to worry about contaminating the integrity of the evidence.

- HKEY_LOCAL_MACHINE (HKLM): this hive by far contains a lot of information regarding the OS configuration state and the hardware and software settings as well. Upon expanding the HKLM tree, you should see the following sub-folders. These folders actually correspond to data files that are located in the following location on your hard drive:
  %WINDIR%\system32\config
  Note that there are some open-source tools on the Internet that let you view the information within each file without having to use the registry editor. However, since these files are protected by the OS once the OS is loaded on the system, the information within each file can only be viewed by booting up an external OS (such as Linux) from a CD or USB, then mounting the local drive and then viewing the information in each file. The Backtrack distribution contains some great tools that can help users with this task.

- HKEY_USERS (HKU): this hive contains information about the settings that apply to all the users that have logged on to the system. In addition, it contains the default profile configuration for new user profiles.

- HKEY_CURRENT_CONFIG (HKCC): this hive contains information about the hardware profile the OS uses throughout the start-up process.

WARNING

Before attempting to view the registry or change any values in any of the hives, it is a good idea to back up the registry to your local drive. Often people change values and keys within the registry, which results in their OS crashing, Windows failing to boot and so on. To back up the registry to a file you can use the export option located in the File tab within the registry editor. Once you click on export, save the file to your local C: drive root folder. If after changes to the registry you have realized that you need to restore the registry to a state prior to the changes that you have made, you can always import that file back into your registry.

INSTRUCTIONS

First let's start with keys and values that exist in the HKEY_LOCAL_MACHINE (HKLM) location.

Listing applications that are launched throughout the OS boot process:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
That location in the HKLM:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
And that location in the HKCU:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

The following location specifies all the services that are loaded into the Windows OS system:
HKLM\System\CurrentControlSet\Services
Alternatively, to see all services NOT using the registry, click on the START button, then click on RUN, and then type services.msc. Then you should see the following. Under the Services key, you should see more sub-folders corresponding to each service that is loaded into the Windows system. Upon clicking on the desired key, you should see the values pertaining to the key in the right pane of your registry screen. One of these values is the Start value. Look below. If that Start value is set to 0x02 it means that the particular service starts once the Windows OS is booting up.

In the following location you can find the computer's name:
HKLM\CurrentControlSet\Control\ComputerName\ActiveComputerName

In the following location you will find the OS Product-ID, Product-Name, System Root, etc.:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

In the following location you can find the time and date at which the OS was last shut down:
HKLM\System\CurrentControlSet\Control\Windows
After clicking on the Windows key, you should see the value ShutdownTime in the right pane. However, you cannot read this information unless you know how to convert a REG_BINARY key to a readable value. Yet, you can download the LastShutDown.vbs script below and run it on the system.
root@ubersec$ sudo wget http://www.ubersec.com/downloads/LastShutDown.vbs
The results should look like the following.

In the following location you can find information about the system such as the BIOS and product information. The information includes the BIOS version and release date:
HKLM\HARDWARE\DESCRIPTION\System\BIOS

In the following location you can find a list of applications registered with Windows:
HKLM\SOFTWARE\RegisteredApplications

In the following location you can find time-zone information about the system:
HKLM\System\CurrentControlSet\Control\TimeZoneInformation

In the following location you can find information about the system's network cards. Once you expand the NetworkCards tree you should see a key for each corresponding network card in the system:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

In the following location you can find information about all the Internet Protocol (IP) addresses that were assigned or are assigned to the network interface:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetAuth

In the following location you can find information about all the printer drivers that currently exist in the system. Forensics analysts can find information such as a Model value that indicates the printer name and driver that was installed and the InstallDate value which represents the date on which the printer driver was installed:
HKLM\SYSTEM\ControlSet001\Control\Print\Printers

In the following location you can find out whether the TimeStamp feature for NTFS is disabled or enabled. The TimeStamp feature is a time log that tells the user when a folder was last accessed:
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
Now look for the value NtfsDisableLastAccessUpdate. If the value is set to 0 then this feature is disabled. However, you can choose to set the value to 1 and then the feature will be enabled.
0 = NTFS updates the last-accessed timestamp of a file whenever that file is opened.
1 = NTFS does not update the last-access timestamp of a file when that file is opened.
The results should look like the following. For more information about this feature, check out the NtfsDisableLastAccessUpdate article at Technet.

Sursa: Windows Registry Forensics - UBERsec - When efficiency & smart cyber security collaborates together.
-
Evading network-level emulation
Piotr Bania, bania.piotr @ gmail.com, April 2009

Abstract
Recently more and more attention has been paid to intrusion detection systems (IDS) which don't rely on a signature-based detection approach. Such solutions try to increase their defense level by using heuristic detection methods like network-level emulation. This technique allows the intrusion detection systems to stop unknown threats, which normally couldn't be stopped by standard signature detection techniques. In this article the author will describe the general concepts of the network-level emulation technique, including its advantages and disadvantages (weak sides), together with potential countermeasures against this type of detection method.

Download: http://piotrbania.com/all/articles/pbania-evading-nemu2009.pdf
-
URI use and abuse
Presentation from Blackhat Europe 2008.
Download: http://www.blackhat.com/presentations/bh-europe-08/McFeters-Rios-Carter/Whitepaper/bh-eu-08-mcfeters-rios-carter-WP.pdf
-
Anti-debugging with RDTSC

-------------------------------------------------
Playing with RDTSC
-------------------------------------------------
by Piotr Bania <bania.piotr @ gmail.com>
[: www.piotrbania.com :]
All rights reserved!

Disclaimer
----------
The author takes no responsibility for any actions taken with the provided information or code. The copyright for any material created by the author is reserved. Any duplication of code or text provided here in electronic or printed publications is not permitted without the author's agreement.

Introduction
------------
In this short "article" I will present some anti-debugging tricks done with the usage of the RDTSC instruction. This article is mainly a bunch of my sick ideas, written at a very fast tempo, so sorry for the lack of references or language mistakes. So here we start with a bunch of facts:

Code: 0F 31
Mnemonic: RDTSC
Description: Loads the current value of the processor's time-stamp counter into the EDX:EAX registers. The time-stamp counter is contained in a 64-bit MSR. The high-order 32 bits of the MSR are loaded into the EDX register, and the low-order 32 bits are loaded into the EAX register. The processor increments the time-stamp counter MSR every clock cycle and resets it to 0 whenever the processor is reset. The time stamp disable (TSD) flag in register CR4 restricts the use of the RDTSC instruction. When the TSD flag is clear, the RDTSC instruction can be executed at any privilege level; when the flag is set, the instruction can only be executed at privilege level 0. The time-stamp counter can also be read with the RDMSR instruction, when executing at privilege level 0. The RDTSC instruction is not a serializing instruction. Thus, it does not necessarily wait until all previous instructions have been executed before reading the counter. Similarly, subsequent instructions may begin execution before the read operation is performed. This instruction was introduced into the Intel Architecture in the Pentium processor.

Most known example
------------------
The following code tries to prevent the application from being single stepped. It executes RDTSC twice, then calculates the difference between the low-order values and checks it with a cmp condition. If the difference lies below 0FFFh no debugger is found; if it is above or equal, the application is being debugged (single stepped etc.).

;------------------ SNIP -----------------------------------------
    rdtsc                       ; first read, low 32 bits in EAX
    mov ecx,eax
    rdtsc                       ; second read
    sub eax,ecx                 ; EAX = cycles elapsed between the two reads
    cmp eax,0FFFh
    jae found_debugger_action
;------------------ SNIP -----------------------------------------

Some crazy ideas
----------------
The following tests were done under my Windows XP SP1 on an Intel Celeron 2,8GHz - pretty overloaded. Check the following program:

;------------------ SNIP -----------------------------------------
#include <stdio.h>
#include <conio.h>
#include <windows.h>

/* MSVC inline asm: read the time-stamp counter into x (EAX) and y (EDX) */
#define RDTSC(x,y) __asm rdtsc \
                   __asm mov x,eax \
                   __asm mov y,edx

int main()
{
    DWORD a1,b1,a2,b2;
    int i;

    for (i=0; i<20; i++)
    {
        RDTSC(a1,b1);
        _lopen("././RANDOM",OF_READ);   /* the API call being timed */
        RDTSC(a2,b2);
        printf("[%.02d] cycle: EAX2-EAX1 = %.08x * EDX2-EDX1 = %.08x\n",i,(a2-a1),(b2-b1));
    }

    getch();
    return 0;
}
;------------------ SNIP -----------------------------------------

What does this program do? It simply calculates the difference of the RDTSC values around the _lopen API execution. Now check the following output:

Non traced (clear run):
----------------------
[00] cycle: EAX2-EAX1 = 000d9860 * EDX2-EDX1 = 00000000
[01] cycle: EAX2-EAX1 = 0009d768 * EDX2-EDX1 = 00000000
[02] cycle: EAX2-EAX1 = 00098bb8 * EDX2-EDX1 = 00000000
[03] cycle: EAX2-EAX1 = 00086d7c * EDX2-EDX1 = 00000000
[04] cycle: EAX2-EAX1 = 00086270 * EDX2-EDX1 = 00000000
[05] cycle: EAX2-EAX1 = 0008890c * EDX2-EDX1 = 00000000
[06] cycle: EAX2-EAX1 = 00085f98 * EDX2-EDX1 = 00000000
[07] cycle: EAX2-EAX1 = 00086fac * EDX2-EDX1 = 00000000
[08] cycle: EAX2-EAX1 = 0008771c * EDX2-EDX1 = 00000000
[09] cycle: EAX2-EAX1 = 000861ac * EDX2-EDX1 = 00000000
[10] cycle: EAX2-EAX1 = 00086cb8 * EDX2-EDX1 = 00000000
[11] cycle: EAX2-EAX1 = 000887a0 * EDX2-EDX1 = 00000000
[12] cycle: EAX2-EAX1 = 00088714 * EDX2-EDX1 = 00000000
[13] cycle: EAX2-EAX1 = 000873d4 * EDX2-EDX1 = 00000000
[14] cycle: EAX2-EAX1 = 000876ac * EDX2-EDX1 = 00000000
[15] cycle: EAX2-EAX1 = 00086484 * EDX2-EDX1 = 00000000
[16] cycle: EAX2-EAX1 = 00087e8c * EDX2-EDX1 = 00000000
[17] cycle: EAX2-EAX1 = 00088ff0 * EDX2-EDX1 = 00000000
[18] cycle: EAX2-EAX1 = 000868e4 * EDX2-EDX1 = 00000000
[19] cycle: EAX2-EAX1 = 00087f50 * EDX2-EDX1 = 00000000

Olly Trace into:
---------------
[00] cycle: EAX2-EAX1 = 00f98b50 * EDX2-EDX1 = 00000000
[01] cycle: EAX2-EAX1 = 00f23440 * EDX2-EDX1 = 00000000
[02] cycle: EAX2-EAX1 = 010a786e * EDX2-EDX1 = 00000000
[03] cycle: EAX2-EAX1 = 012233e0 * EDX2-EDX1 = 00000000
[04] cycle: EAX2-EAX1 = 00c8ed4c * EDX2-EDX1 = 00000000
[05] cycle: EAX2-EAX1 = 01014bea * EDX2-EDX1 = 00000000
[06] cycle: EAX2-EAX1 = 00d9c25c * EDX2-EDX1 = 00000000
[07] cycle: EAX2-EAX1 = 00d9d34c * EDX2-EDX1 = 00000000
[08] cycle: EAX2-EAX1 = 01f2a304 * EDX2-EDX1 = 00000001
[09] cycle: EAX2-EAX1 = 00da6e4c * EDX2-EDX1 = 00000000
[10] cycle: EAX2-EAX1 = 01593a9e * EDX2-EDX1 = 00000000
[11] cycle: EAX2-EAX1 = 01dc7ab8 * EDX2-EDX1 = 00000000
[12] cycle: EAX2-EAX1 = 00f0d75a * EDX2-EDX1 = 00000000
[13] cycle: EAX2-EAX1 = 0113998c * EDX2-EDX1 = 00000000
[14] cycle: EAX2-EAX1 = 01c7dfc8 * EDX2-EDX1 = 00000000
[15] cycle: EAX2-EAX1 = 00ddedc0 * EDX2-EDX1 = 00000000
[16] cycle: EAX2-EAX1 = 00cc2308 * EDX2-EDX1 = 00000000
[17] cycle: EAX2-EAX1 = 02318eb8 * EDX2-EDX1 = 00000000
[18] cycle: EAX2-EAX1 = 00c83ec0 * EDX2-EDX1 = 00000000
[19] cycle: EAX2-EAX1 = 02f7e078 * EDX2-EDX1 = 00000000

Olly Trace over:
---------------
[00] cycle: EAX2-EAX1 = 00683da4 * EDX2-EDX1 = 00000000
[01] cycle: EAX2-EAX1 = 0063666c * EDX2-EDX1 = 00000000
[02] cycle: EAX2-EAX1 = 006f1778 * EDX2-EDX1 = 00000000
[03] cycle: EAX2-EAX1 = 006d7618 * EDX2-EDX1 = 00000000
[04] cycle: EAX2-EAX1 = 0062c1d0 * EDX2-EDX1 = 00000000
[05] cycle: EAX2-EAX1 = 0062cca4 * EDX2-EDX1 = 00000000
[06] cycle: EAX2-EAX1 = 00787178 * EDX2-EDX1 = 00000000
[07] cycle: EAX2-EAX1 = 00628d34 * EDX2-EDX1 = 00000000
[08] cycle: EAX2-EAX1 = 00e6ab20 * EDX2-EDX1 = 00000000
[09] cycle: EAX2-EAX1 = 006daab4 * EDX2-EDX1 = 00000000
[10] cycle: EAX2-EAX1 = 00647750 * EDX2-EDX1 = 00000000
[11] cycle: EAX2-EAX1 = 008b898c * EDX2-EDX1 = 00000000
[12] cycle: EAX2-EAX1 = 006e00e4 * EDX2-EDX1 = 00000000
[13] cycle: EAX2-EAX1 = 009bc054 * EDX2-EDX1 = 00000000
[14] cycle: EAX2-EAX1 = 00634200 * EDX2-EDX1 = 00000000
[15] cycle: EAX2-EAX1 = 0074e0d8 * EDX2-EDX1 = 00000000
[16] cycle: EAX2-EAX1 = 0062f19c * EDX2-EDX1 = 00000000
[17] cycle: EAX2-EAX1 = 006404cc * EDX2-EDX1 = 00000000
[18] cycle: EAX2-EAX1 = 009db384 * EDX2-EDX1 = 00000000
[19] cycle: EAX2-EAX1 = 00629824 * EDX2-EDX1 = 00000000

Conclusions for tracing
-----------------------
As you can see the EAX2-EAX1 difference is much bigger when the program is traced than when it is run cleanly - well, it's logical. We will use this fact for coding some examples (code below). Now let's check single stepping mode:

Some single stepping:
--------------------
[00] cycle: EAX2-EAX1 = c387c6c0 * EDX2-EDX1 = 00000001
[01] cycle: EAX2-EAX1 = 43d8444c * EDX2-EDX1 = 00000000
[02] cycle: EAX2-EAX1 = 465f9ffc * EDX2-EDX1 = 00000000
[03] cycle: EAX2-EAX1 = 478f50d8 * EDX2-EDX1 = 00000000
[04] cycle: EAX2-EAX1 = 46068f98 * EDX2-EDX1 = 00000000
[05] cycle: EAX2-EAX1 = 46767aac * EDX2-EDX1 = 00000000
[06] cycle: EAX2-EAX1 = 4f2e79dc * EDX2-EDX1 = 00000001
[07] cycle: EAX2-EAX1 = 4b0fc400 * EDX2-EDX1 = 00000001
[08] cycle: EAX2-EAX1 = 42835c20 * EDX2-EDX1 = 00000001
[09] cycle: EAX2-EAX1 = 47285570 * EDX2-EDX1 = 00000000
[10] cycle: EAX2-EAX1 = 45cb4330 * EDX2-EDX1 = 00000000
[11] cycle: EAX2-EAX1 = 49d9c1b8 * EDX2-EDX1 = 00000000
[12] cycle: EAX2-EAX1 = 47b0c5e0 * EDX2-EDX1 = 00000000
[13] cycle: EAX2-EAX1 = 45ccf9ac * EDX2-EDX1 = 00000000
[14] cycle: EAX2-EAX1 = 3bb0d8b4 * EDX2-EDX1 = 00000000
[15] cycle: EAX2-EAX1 = 406d1abc * EDX2-EDX1 = 00000000
[16] cycle: EAX2-EAX1 = 4b1ab80c * EDX2-EDX1 = 00000001
[17] cycle: EAX2-EAX1 = 4111b198 * EDX2-EDX1 = 00000001
[18] cycle: EAX2-EAX1 = 462c9e94 * EDX2-EDX1 = 00000001
[19] cycle: EAX2-EAX1 = 48844964 * EDX2-EDX1 = 00000000

Conclusions for single stepping
-------------------------------
- the EAX2-EAX1 difference is very high (look at the trace output to compare)
- also notice the fact that EDX2-EDX1 is sometimes 1, so this is a very good proof of a single stepping player around.

Some crazy examples
-------------------
Try to play with the debugger and with breakpoints on _lopen. MAX_EAX_TIMING was calculated from the C program output some lines before this code + some extra range.

EXAMPLE 1
---------
;------------------ SNIP -----------------------------------------
MAX_EAX_TIMING equ 000eeeeeh

    rdtsc
    push eax                    ; save first reading: [esp+4] = EAX1
    push edx                    ;                     [esp]   = EDX1
    push OF_READ
    @pushsz "\.\\RANDOM"
    @callx _lopen
    rdtsc
    sub edx,dword ptr [esp]     ; EDX2 - EDX1
    test edx,edx
    jnz found_single_step       ; or very slow processor
    sub eax,dword ptr [esp+4]   ; EAX2 - EAX1
    cmp eax,MAX_EAX_TIMING
    jge found_debugger_action

exit:
    push 0
    @callx ExitProcess

found_single_step:
    @debug "Single step action was found",0
    jmp exit

found_debugger_action:
    @debug "Debugger action was found",0
    jmp exit
;------------------ SNIP -----------------------------------------

EXAMPLE 2
---------
And here is the second example, which calculates the clock time of the first _lopen execution and then executes the next _lopen and calculates the same thing. Then it compares both results (including some extra range of 0aaaaaah - just to cover some special EAX2-EAX1 cases in clear mode - look at the tables above). If the final difference is larger than 0 we've got some bad guy on us.

;------------------ SNIP -----------------------------------------
    rdtsc
    push eax
    push edx
    push OF_READ
    @pushsz "\.\\RANDOM"
    @callx _lopen
    rdtsc
    sub edx,dword ptr [esp]
    test edx,edx
    jnz found_single_step       ; or very slow processor
    sub eax,dword ptr [esp+4]
    xchg ebx,eax                ; EBX = timing of the first _lopen
    rdtsc
    push eax
    push OF_READ
    @pushsz "\.\\RANDOM"
    @callx _lopen               ; ---> break on this call
    rdtsc
    sub eax,dword ptr [esp]     ; timing of the second _lopen
    add eax,0aaaaah             ; some extra value
    sub ebx,eax
    cmp ebx,0
    jle exit
    jmp found_debugger_action

exit:
    push 0
    @callx ExitProcess

found_single_step:
    @debug "Single step action was found",0
    jmp exit

found_debugger_action:
    @debug "Debugger action was found",0
    jmp exit
;------------------ SNIP -----------------------------------------

Sursa: http://piotrbania.com/all/articles/playing_with_rdtsc.txt
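An analyst reading a check like Example 1 wants to know which readings land in which branch. As an added example (my code, not from Bania's article), the following C re-expresses the decision of Example 1 as a pure function over the two EDX:EAX readings, so the verdicts can be checked against the tables above, and places a 64-bit variant beside it that does not report single stepping merely because EAX wrapped between the two reads (the case behind the article's "or very slow processor" comment). The thresholds are the article's; the optional live measurement assumes the GCC/Clang __rdtsc() intrinsic from <x86intrin.h>.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc(): GCC/Clang intrinsic for the RDTSC instruction */
#endif

/* Threshold from the article's Example 1 (MAX_EAX_TIMING equ 000eeeeeh). */
#define MAX_EAX_TIMING 0x000eeeeeu

enum verdict { VERDICT_CLEAN = 0, VERDICT_DEBUGGER = 1, VERDICT_SINGLE_STEP = 2 };

/* Decision logic of Example 1 on the raw 32-bit halves of two RDTSC reads: any
 * change in EDX is reported as single stepping; otherwise the EAX difference,
 * taken modulo 2^32 exactly as `sub eax,[esp+4]` does, is compared with the
 * threshold. The article's `jge` is a signed compare; the unsigned compare
 * here avoids reading deltas above 0x7fffffff as negative. */
enum verdict classify_raw(uint32_t eax1, uint32_t edx1, uint32_t eax2, uint32_t edx2)
{
    if ((uint32_t)(edx2 - edx1) != 0)
        return VERDICT_SINGLE_STEP;
    if ((uint32_t)(eax2 - eax1) >= MAX_EAX_TIMING)
        return VERDICT_DEBUGGER;
    return VERDICT_CLEAN;
}

/* Same decision on the full 64-bit counter. EDX increments once every 2^32
 * cycles (about 1.5 s at 2.8 GHz), so a clean run that straddles such a boundary
 * makes classify_raw() report single stepping although only a few hundred cycles
 * elapsed; the 64-bit delta does not have that problem. */
enum verdict classify_64(uint64_t t1, uint64_t t2)
{
    uint64_t delta = t2 - t1;
    if (delta >= ((uint64_t)1 << 32))
        return VERDICT_SINGLE_STEP;
    if (delta >= MAX_EAX_TIMING)
        return VERDICT_DEBUGGER;
    return VERDICT_CLEAN;
}

#if defined(__x86_64__) || defined(__i386__)
/* Live measurement on x86: a short busy loop stands in for the article's _lopen call. */
enum verdict measure_once(void)
{
    volatile uint32_t sink = 0;
    uint64_t t1 = __rdtsc();
    for (uint32_t i = 0; i < 1000; i++)
        sink += i;
    uint64_t t2 = __rdtsc();
    return classify_64(t1, t2);
}
#endif

static const char *verdict_name(enum verdict v)
{
    return v == VERDICT_CLEAN ? "clean" : v == VERDICT_DEBUGGER ? "debugger" : "single step";
}

int main(void)
{
    /* Readings taken from the article's tables: clear run, Olly trace into, single step. */
    printf("clear run  : %s\n", verdict_name(classify_raw(0, 0, 0x000d9860u, 0)));
    printf("trace into : %s\n", verdict_name(classify_raw(0, 0, 0x00f98b50u, 0)));
    printf("single step: %s\n", verdict_name(classify_raw(0, 0, 0xc387c6c0u, 1)));
    /* Wrap case: EAX rolls over, EDX ticks, but only 0x200 cycles elapsed. */
    printf("wrap, raw  : %s\n", verdict_name(classify_raw(0xffffff00u, 0, 0x00000100u, 1)));
    printf("wrap, 64bit: %s\n", verdict_name(classify_64(0xffffff00ull, 0x100000100ull)));
#if defined(__x86_64__) || defined(__i386__)
    printf("live       : %s\n", verdict_name(measure_once()));
#endif
    return 0;
}
```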
-
[h=1]HTML in XMLHttpRequest[/h] The W3C XMLHttpRequest specification adds HTML parsing support to XMLHttpRequest, which originally supported only XML parsing. This feature allows Web apps to obtain an HTML resource as a parsed DOM using XMLHttpRequest. [h=3]Limitations[/h] To discourage the synchronous use of XMLHttpRequest, HTML support is not available in the synchronous mode. Also, HTML support is only available if the responseType property has been set to "document". This limitation avoids wasting time parsing HTML uselessly when legacy code uses XMLHttpRequest in the default mode to retrieve responseText for text/html resources. Also, this limitation avoids problems with legacy code that assumes that responseXML is null for HTTP error pages (which often have a text/html response body). [h=3]Usage[/h] Retrieving an HTML resource as a DOM using XMLHttpRequest works just like retrieving an XML resource as a DOM using XMLHttpRequest, except you can't use the synchronous mode and you have to explicitly request a document by assigning the string "document" to the responseType property of the XMLHttpRequest object after calling open() but before calling send(). var xhr = new XMLHttpRequest(); xhr.onload = function() { alert(this.responseXML.title); } xhr.open("GET", "file.html"); xhr.responseType = "document"; xhr.send(); [h=3]Feature Detection[/h] There are two challenges to detecting if a browser supports HTML parsing in XMLHttpRequest. First, the detection result is obtained asynchronously, because HTML support is only available in the asynchronous mode. Second, you have to actually fetch a test document over HTTP, because testing with a data: URL would end up testing data: URL support instead. Thus, to detect HTML support, a test HTML file is needed on the server. 
This test file is small and is not well-formed XML:

<title>&&<</title>

If the file is named detect.html, the following function can be used for detecting HTML parsing support:

function detectHtmlInXhr(callback) {
    if (!window.XMLHttpRequest) {
        window.setTimeout(function() { callback(false); }, 0);
        return;
    }
    var done = false;
    var xhr = new window.XMLHttpRequest();
    xhr.onreadystatechange = function() {
        if (this.readyState == 4 && !done) {
            done = true;
            callback(!!(this.responseXML && this.responseXML.title && this.responseXML.title == "&&<"));
        }
    }
    xhr.onabort = xhr.onerror = function() {
        if (!done) {
            done = true;
            callback(false);
        }
    }
    try {
        xhr.open("GET", "detect.html");
        xhr.responseType = "document";
        xhr.send();
    } catch (e) {
        window.setTimeout(function() {
            if (!done) {
                done = true;
                callback(false);
            }
        }, 0);
    }
}

The argument callback is a function that will be called asynchronously with true as the only argument if HTML parsing is supported and false as the only argument if HTML parsing is not supported.

[h=3]Character Encoding[/h]
If the character encoding is declared in the HTTP Content-Type header, that character encoding is used. Failing that, if there is a byte order mark, the encoding indicated by the byte order mark is used. Failing that, if there is a meta tag that declares the encoding within the first 1024 bytes of the file, that encoding is used. Otherwise, the file is decoded as UTF-8.

Source: https://developer.mozilla.org/en/HTML_in_XMLHttpRequest
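The encoding decision order from the "Character Encoding" section above, implemented over raw response bytes as an added example (this is not code from the MDN page): Content-Type charset first, then a byte order mark, then a meta declaration found within the first 1024 bytes, otherwise UTF-8. The helper names and the byte samples are constructed for this example; the point is to see which rule wins, since a server header that disagrees with the document's own meta tag, or a meta tag pushed past the 1024-byte window, changes how the bytes are decoded.

```javascript
// Rule 1: charset parameter of the HTTP Content-Type header.
function charsetFromContentType(contentType) {
  if (!contentType) return null;
  const m = /;\s*charset\s*=\s*"?([A-Za-z0-9._:-]+)"?/i.exec(contentType);
  return m ? m[1].toLowerCase() : null;
}

// Rule 2: byte order mark at the very start of the body.
function charsetFromBom(bytes) {
  if (bytes.length >= 3 && bytes[0] === 0xef && bytes[1] === 0xbb && bytes[2] === 0xbf) return "utf-8";
  if (bytes.length >= 2 && bytes[0] === 0xfe && bytes[1] === 0xff) return "utf-16be";
  if (bytes.length >= 2 && bytes[0] === 0xff && bytes[1] === 0xfe) return "utf-16le";
  return null;
}

// Rule 3: a <meta> declaration, but only inside the first 1024 bytes. The prefix
// is read byte-for-byte (Latin-1 style) so the scan does not depend on the
// encoding that is still being decided.
function charsetFromMeta(bytes) {
  const head = String.fromCharCode(...bytes.subarray(0, 1024));
  let m = /<meta\s[^>]*charset\s*=\s*["']?\s*([A-Za-z0-9._:-]+)/i.exec(head);
  if (m) return m[1].toLowerCase();
  m = /<meta\s[^>]*http-equiv\s*=\s*["']?content-type["']?[^>]*content\s*=\s*["']([^"']*)["']/i.exec(head);
  if (m) return charsetFromContentType(m[1]);
  return null;
}

// Returns the label the document would be decoded with and which rule chose it.
function sniffHtmlEncoding(contentType, bytes) {
  let label = charsetFromContentType(contentType);
  if (label) return { label: label, source: "content-type" };
  label = charsetFromBom(bytes);
  if (label) return { label: label, source: "bom" };
  label = charsetFromMeta(bytes);
  if (label) return { label: label, source: "meta" };
  return { label: "utf-8", source: "default" };
}

// Helper to build constructed sample bodies from ASCII text.
function ascii(s) {
  return Uint8Array.from(s, function (c) { return c.charCodeAt(0); });
}

// Constructed samples: a header/meta conflict and a meta tag pushed past 1024 bytes.
const conflict = ascii('<meta charset="windows-1252"><title>x</title>');
const late = ascii('<!--' + 'x'.repeat(1100) + '--><meta charset="koi8-r">');
console.log(sniffHtmlEncoding('text/html; charset=ISO-8859-1', conflict));
console.log(sniffHtmlEncoding('text/html', late));
```

Real browsers apply further normalisation (label aliases, treating utf-16 labels as utf-8 in some contexts), so treat this as the decision order rather than a full implementation of the Encoding Standard.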
-
UniOFuzz 0.1.2-beta - Universal fuzzing tool Released
UniOFuzz version 0.1.2-beta, the universal fuzzing tool for browsers, web services, files, programs and network services/ports, has been released by the nullsecurity team. Video: pigtail23, developer of UniOFuzz, demonstrates the tool in the video above. Download UniOFuzz
Source: UniOFuzz 0.1.2-beta - Universal fuzzing tool Released | The Hacker News (THN)
-
[h=1]Virus infects worm by mistake[/h]
24 January 2012
New malware morphs into different shapes unattended by humans. Ten years ago, there was a clear-cut distinction between Trojans, viruses and worms. They all had their own features specific to one family of malware only. As more people connected to the internet, cyber-criminals started mixing ingredients to maximize impact. And here I'm thinking of Trojans with worm capabilities or viruses with Trojan features, and so on. Now, another "practice" has silently emerged: the file infector that accidentally parasitizes another e-threat. A virus infects executable files; and a worm is an executable file. If the virus reaches a PC already compromised by a worm, the virus will infect the exe files on that PC - including the worm. When the worm spreads, it will carry the virus with it. Although this happens unintentionally, the combined features from both pieces of malware will inflict a lot more damage than the creators of either piece of malware intended. While most file infectors have inbuilt spreading mechanisms, just like Trojans and worms (spreading routines for RDP, USB, P2P, chat applications, or social networks), some cannot replicate or spread between computers. And it seems a great idea to "outsource" the transportation mechanism to a different piece of malware (i.e. by piggybacking a worm). Most likely these Frankenmalware, or "malware sandwiches," take place spontaneously. The virus actually infects by mistake another piece of malware and ends up using its capabilities to spread. Bitdefender's Antimalware Lab identified no less than 40,000 such malware symbioses out of a sample pool of 10 million files. One such case is the Virtob file infector, whose malicious code has been found infecting worms like OnlineGames, the ancient Mydoom or the more advanced Bifrose backdoor Trojan. From the numerous samples of worms infected by viruses, we picked out the Win32.Worm.Rimecud - Win32.Virtob pair.
A few words about Win32.Worm.Rimecud
Win32.Worm.Rimecud is your typical worm with a state-of-the-art spreading apparatus. For propagation it uses file-sharing applications (Ares P2P, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, LimeWire), USB devices, Microsoft MSN Messenger (sends all contacts links to sites that host malware) and network drives mapped locally. Once on the system, Rimecud injects its code into explorer.exe and steals passwords pertaining to e-banking, on-line shopping, social networking or e-mail accounts from Mozilla Firefox and Internet Explorer. In the meantime its backdoor component enables it to connect to the C&C servers and fetch commands such as flood, download and execute further malware on the compromised PC. On top of that, the worm looks for a VNC server (remote control software) that would allow the attacker remote access and control of the compromised PC.
And certain details about Win32.Virtob
Bitdefender labs have recently seen a file infector, Win32.Virtob, attached to the above-mentioned worm. This virus is known to infect executable files with .exe or .scr extensions by affixing a piece of malicious code to those files. The worm is an executable file, so chances are it also gets infected by the virus if it's on the same computer. Virtob then instructs the compromised executable files to firstly run the viral code (by changing the entry point) and only afterwards gives control back to the original file. Certainly this also applies to the worm - its code will be executed only after the virus code has been launched. When its code is successfully loaded into memory, Virtob connects to two IRC servers that are in fact C&C servers, and with the help of its backdoor component, the virus is ready to receive commands from a remote attacker via the Internet.
By injecting its code into winlogon.exe and then adding this process to the firewall exception list, the virus makes sure it is granted complete Internet access and ensures its persistence - Winlogon is a critical process that, if terminated, will crash the computer. Afterwards, it infects HTML, HTM, PHP, ASP files by injecting IFrames that might silently load content from malware-laden pages. Now, imagine these two pieces of malware working together - willingly or not - from and on the same compromised system. That PC faces a twofold malware with twice as many command and control servers to query for instructions; moreover, there are two backdoors open, two attack techniques active and various spreading methods put in place. Where one fails, the other succeeds.
Multiple Frankenware infections possible: If, by utter bad luck, the computer has more than one worm that matches the virus's specifications, the virus could infect more than one worm on the system. However, the virus might as well only infect the executable files in certain system locations, or of a certain length. Other viruses look for certain strings that pertain to other pieces of malware, which will remain uninfected if found on the compromised system. So, one worm can be infected while others on the same system are not. If one of the two (whether the virus or the worm) is caught by the AV, the other might pass undetected. Perhaps if we think of an infected file (possibly the virus) that needs to be analyzed separately and a piece of code is taken out and looked at, maybe then someone also discovers the worm. If the worm is detected based on a signature, the worm is simply wiped out from the compromised system, without any further analysis. This would make it easier for the virus to pass unseen. There's no rule.
And two hypothetical scenarios:
Hypothetical scenario No. 1: Imagine a worm like Downadup, which has been spreading constantly around the world for three years now (70,000 infected systems in the last six months alone), being infected with a virus. On the one hand, Downadup prevents the system from updating the OS and the locally installed AV solution; and on the other hand the virus may have rootkit capabilities and open a backdoor. Downadup spreads around the world constantly, which makes it a great propagation tool; not to mention that it took AVs more than half a year, and almost a million infections, to discover it. If this had carried along a virus, all those users would have suffered greater damage. And disinfection would be more complicated.
Hypothetical scenario No. 2: Imagine that a worm is infected by a file infector (virus). And an AV detects the file infector first and tries to disinfect the files, which include the worm. In some rare cases disinfecting compromised files leaves behind clean files that are at the same time altered (not identical to the original anymore). They maintain their functionality but are slightly different in form. As most files are detected according to signatures and not based on their behavior (heuristically), an altered worm (disinfected along with other files that have been compromised by a file infector and disinfected by an antivirus) may not be caught anymore by the signature applied to the original file (which has been modified by the disinfection). Disinfection might this way lead to a mutation that can actually help the worm.
This article is based on the technical information provided courtesy of Doina Cosovan & Răzvan Benchea, Bitdefender Virus Analysts. All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
Source: Virus infects worm by mistake - MalwareCity : Computer Security Blog
-
[h=1]Android.Counterclank Found in Official Android Market[/h]
by Irfan Asrar
Symantec has identified multiple publisher IDs on the Android Market that are being used to push out Android.Counterclank. This is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device. For each of these malicious applications, the malicious code has been grafted on to the main application in a package called "apperhand". When the package is executed, a service with the same name may be seen running on a compromised device. Another sign of an infection is the presence of the Search icon above on the home screen. The combined download figures of all the malicious apps indicate that Android.Counterclank has the highest distribution of any malware identified so far this year.

Publisher      Malicious App Title            Category
iApps7 Inc     Counter Elite Force            Arcade & Action
iApps7 Inc     Counter Strike Ground Force    Arcade & Action
iApps7 Inc     CounterStrike Hit Enemy        Arcade & Action
iApps7 Inc     Heart Live Wallpaper           Entertainment
iApps7 Inc     Hit Counter Terrorist          Arcade & Action
iApps7 Inc     Stripper Touch girl            Entertainment
Ogre Games     Balloon Game                   Sports Games
Ogre Games     Deal & Be Millionaire          Sports Games
Ogre Games     Wild Man                       Arcade & Action
redmicapps     Pretty women lingerie puzzle   Photography
redmicapps     Sexy Girls Photo Game          Lifestyle
redmicapps     Sexy Girls Puzzle              Brain & Puzzle
redmicapps     Sexy Women Puzzle              Brain & Puzzle

Symantec is continuing with further investigation and we will post more information as we discover it.
Source: Android.Counterclank Found in Official Android Market | Communauté Symantec Connect
-
Acunetix Web Vulnerability Scanner
By MaxiSoler on 28 January 2012 in Tools with No Comments
Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable hacking vulnerabilities. Automated scans may be supplemented and cross-checked with the variety of manual tools to allow for comprehensive web site and web application penetration testing.

Improvements:
The accuracy of Script Checks has been increased. The Acunetix development team is dedicated to continuously improving scan detection of security checks.
The Graphical User Interface (GUI) has been enhanced in order to make menu navigation and usage easier and more effective than ever before.
The SSL security audit script is launched automatically when scanning an HTTPS website, regardless of whether port scanning is enabled or not.
Added a number of new SQL Injection variant checks.

Bug Fixes:
HPP detection security script failed when testing input scheme with excluded variants
Apply settings button not showing up in specific cases
Fixed several issues related to pausing and resuming of crawler
Fixed several issues when running multiple instances of the reporter
Two backup files were being generated because of filename case insensitivity
Filtering of wildcards from robots.txt

This release candidate of Acunetix Web Vulnerability Scanner Version 8 is considered complete, stable, and suitable for testing.
More Information: Acunetix v8 Manual
Download Acunetix Web Vulnerability Scanner v8 RC
Source: IT Vulnerability & ToolsWatch | Acunetix Web Vulnerability Scanner v8 Released Candidate Released
-
[h=2]Mozilla releases Rust 0.1, the language that will eventually usurp Firefox's C++[/h]
By Sebastian Anthony on January 24, 2012 at 6:52 am
After more than five years in the pipeline, Mozilla Labs and the Rust community have released the first alpha - version 0.1 - of the Rust programming language compiler. The Rust language emphasizes concurrency and memory safety, and - if everything goes to plan - is ultimately being groomed to replace C++ as Mozilla's compiled language of choice. Browser prototypes programmed in Rust will eventually emerge, and then one day Firefox - or parts of Firefox - might be re-written in Rust. A bit more about the language itself: Rust is a compiled, statically-typed, object-oriented programming language (and objects are immutable by default). The compiler is supported on Windows, Linux, and Mac. Feature-wise, Rust intentionally avoids any novel ideas, and instead builds upon existing, known features that are present in other languages. Syntax-wise, Rust uses curly braces {} like C, C++, or JavaScript, but as you can see in the code block below, the syntax is actually quite funky.

use std;
fn main(args: [str]) {
    std::io::println("hello world from '" + args[0] + "'!");
}

At this point we have to compare Rust to Go, Google's new language. The Rust community explicitly says that it was not inspired by Go - development of Rust began before Go - but that other languages made by Rob Pike such as Newsqueak, Alef, and Limbo were influential. Feature-wise, the languages are quite similar, but Rust seems to be more security- and safety-oriented. Where Go has global garbage collection, null pointers, and shared mutable states, Rust GC is optional and per-task, null pointers are not allowed, and objects are immutable by default. As far as the state of the language is concerned, most of its features work but are incomplete. Standard library APIs are subject to change.
Performance isn't yet up to scratch (eventually it should be as fast as C++). In other words, you can dive in and play with Rust, but future versions of the compiler will break your code. To get started, hit up the Rust language website - or read the Rust 0.1 release notes
Source: Mozilla releases Rust 0.1, the language that will eventually usurp Firefox's C++ | ExtremeTech
-
MediaFire: "We are an American company and we comply with American laws." (something along those lines) They will continue to offer hosting services.
-
Go work, don't hold your hand out. None of this crap here, you'll remain thieves your whole life. I hope you rot in prison. Permanent ban.
-
28C3: How governments have tried to block Tor (en)
Nytro replied to Nytro's topic in Video tutorials
Ah, I knew it had been posted before, but I thought it was the German-language version, which is why I posted it. -
Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
Nytro replied to The_Arhitect's topic in Exploits
See this: [h=1]Linux Local Privilege Escalation via SUID /proc/pid/mem Write[/h] -
Along the same line:
[h=2]Anti-Debug trick[/h]

defs.h

#include <windows.h>
#include <winternl.h>   /* NTSTATUS, NTAPI, NTSYSAPI, OBJECT_ATTRIBUTES */

NTSYSAPI NTSTATUS NTAPI NtCreateEventPair(
    OUT PHANDLE            EventPairHandle,
    IN  ACCESS_MASK        DesiredAccess,
    IN  POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
);

/* The two structures below are kernel-side debug-port types (KEVENT, PEPROCESS,
   PORT_MESSAGE, DBGKM_* are not in user-mode headers); they are kept here as
   reference only, as in the original post, and are not used by detect.c. Note
   that winbase.h already defines a user-mode DEBUG_EVENT with a different layout. */
typedef struct _DEBUG_EVENT {
    LIST_ENTRY EventList;
    KEVENT     ContinueEvent;
    CLIENT_ID  ClientId;
    PEPROCESS  Process;
    PETHREAD   Thread;
    NTSTATUS   Status;
    ULONG      Flags;
    PETHREAD   BackoutThread;
    DBGKM_MSG  ApiMsg;
} DEBUG_EVENT, *PDEBUG_EVENT;

typedef struct _DBGKM_MSG {
    PORT_MESSAGE    h;
    DBGKM_APINUMBER ApiNumber;
    ULONG           ReturnedStatus;
    union {
        DBGKM_EXCEPTION      Exception;
        DBGKM_CREATE_THREAD  CreateThread;
        DBGKM_CREATE_PROCESS CreateProcess;
        DBGKM_EXIT_THREAD    ExitThread;
        DBGKM_EXIT_PROCESS   ExitProcess;
        DBGKM_LOAD_DLL       LoadDll;
        DBGKM_UNLOAD_DLL     UnloadDll;
    };
} DBGKM_MSG, *PDBGKM_MSG;

/* Added so that detect.c actually builds: the buffer returned by
   RtlCreateQueryDebugBuffer is undocumented; this layout follows the public
   NT internals references and should be treated as an assumption. */
typedef struct _DEBUG_BUFFER {
    HANDLE SectionHandle;
    PVOID  SectionBase;
    PVOID  RemoteSectionBase;
    ULONG  SectionBaseDelta;
    HANDLE EventPairHandle;
    ULONG  Unknown[2];
    HANDLE RemoteThreadHandle;
    ULONG  InfoClassMask;
    ULONG  SizeOfInfo;
    ULONG  AllocatedSize;
    ULONG  SectionSize;
    PVOID  ModuleInformation;
    PVOID  BackTraceInformation;
    PVOID  HeapInformation;
    PVOID  LockInformation;
    PVOID  Reserved[8];
} DEBUG_BUFFER, *PDEBUG_BUFFER;

NTSYSAPI PDEBUG_BUFFER NTAPI RtlCreateQueryDebugBuffer(IN ULONG Size, IN BOOLEAN EventPair);
NTSYSAPI NTSTATUS      NTAPI RtlQueryProcessHeapInformation(IN OUT PDEBUG_BUFFER Buffer);
NTSYSAPI NTSTATUS      NTAPI RtlDestroyQueryDebugBuffer(IN PDEBUG_BUFFER Buffer);

detect.c

#define WIN32_LEAN_AND_MEAN
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include "defs.h"

#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"psapi.lib")

void QueryProcessHeapMethod(void)
{
    PDEBUG_BUFFER buffer;

    buffer = RtlCreateQueryDebugBuffer(0, FALSE);
    if (buffer == NULL)     /* added: the call can fail */
        return;
    RtlQueryProcessHeapInformation(buffer);

    /* The two magic values are what the original author observed in a debugged
       process; they are not documented constants and may differ elsewhere. */
    if (buffer->RemoteSectionBase == (PVOID)0x50000062)
        MessageBoxA(NULL, "Debugged", "Warning", MB_OK);
    else
        MessageBoxA(NULL, "Not Debugged", "Warning", MB_OK);

    if (buffer->EventPairHandle == (PVOID)0x00002b98)
        MessageBoxA(NULL, "Debugged", "Warning", MB_OK);
    else
        MessageBoxA(NULL, "Not Debugged", "Warning", MB_OK);

    printf("EventPairHandle= %x", (int)(ULONG_PTR)buffer->EventPairHandle);

    RtlDestroyQueryDebugBuffer(buffer);   /* added: release the buffer */
}

int main()
{
    QueryProcessHeapMethod();
    return 0;
}

Source (with other useful information): Anti-Debug trick
-
Finally, someone who posts extremely useful and interesting things. Of course, for those who are interested.
-
[h=1][C#] Digitally Sign App & Steal Signature[/h]
This is a quick draft of stealing a signature from a signed app, and signing your own app w/ the signature.
Author: Exidous
Download (x86 and x64):
http://www.hackhound.org/forum/index.php?app=core&module=attach&section=attach&attach_id=12100
http://www.hackhound.org/forum/index.php?app=core&module=attach&section=attach&attach_id=12110
Make yourselves an account: http://www.hackhound.org/forum/topic/42544-c-digitally-sign-app-steal-signature/
-
[h=1][C++] Anti-VMWare[/h]
Author: _Carb0n_

// 32-bit MSVC only: the inline assembly and SEH filters used here do not build as x64.
#include "../Headers/includes.h"
#include "../Headers/functions.h"

#ifndef NO_ANTIVM

DWORD __forceinline IsInsideVPC_exceptionFilter(LPEXCEPTION_POINTERS ep)
{
    PCONTEXT ctx = ep->ContextRecord;
    ctx->Ebx = -1;      // Not running VPC
    ctx->Eip += 4;      // skip past the "call VPC" opcodes
    return EXCEPTION_CONTINUE_EXECUTION;
}

bool DetectVPC()
{
    bool bVPCIsPresent = FALSE;
    __try
    {
        _asm push ebx
        _asm mov ebx, 0     // It will stay ZERO if VPC is running
        _asm mov eax, 1     // VPC function number
        _asm __emit 0Fh
        _asm __emit 3Fh
        _asm __emit 07h
        _asm __emit 0Bh
        _asm test ebx, ebx
        _asm setz [bVPCIsPresent]
        _asm pop ebx
    }
    __except(IsInsideVPC_exceptionFilter(GetExceptionInformation()))
    {
        // outside VPC the emitted bytes are an illegal instruction; the filter
        // sets EBX to -1 and resumes after them
    }
#ifdef DEBUG
    if (bVPCIsPresent == TRUE)
        DebugMsg("Bot is under VPC !");
    else
        DebugMsg("Bot is not running under VPC !");
#endif
    return bVPCIsPresent;
}

bool DetectVMWare()
{
    bool bVMWareIsPresent = TRUE;
    __try
    {
        __asm
        {
            push edx
            push ecx
            push ebx
            mov eax, 'VMXh'
            mov ebx, 0          // any value but not the MAGIC VALUE
            mov ecx, 10         // get VMWare version
            mov edx, 'VX'       // port number
            in eax, dx          // read port; on return EAX returns the VERSION
            cmp ebx, 'VMXh'     // is it a reply from VMWare?
            setz [bVMWareIsPresent]   // set return value
            pop ebx
            pop ecx
            pop edx
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        // outside VMware the privileged IN instruction raises an exception
        bVMWareIsPresent = FALSE;
    }
#ifdef DEBUG
    if (bVMWareIsPresent == TRUE)
        DebugMsg("Bot is under VMWare !");
    else
        DebugMsg("Bot is not running under VMWare !");
#endif
    return bVMWareIsPresent;
}

bool DetectAnubis()
{
    char szBotFile[MAX_PATH] = { 0 };
    bool bAnubisIsPresent = FALSE;

    // Fix: the original never filled szBotFile before searching it.
    GetModuleFileNameA(NULL, szBotFile, MAX_PATH);
    // The Anubis sandbox ran samples from C:\InsideTm\; the backslash in the
    // original literal was most likely lost when the post was copied (assumption).
    if (strstr(szBotFile, "C:\\InsideTm"))
        bAnubisIsPresent = TRUE;
#ifdef DEBUG
    if (bAnubisIsPresent == TRUE)
        DebugMsg("Bot is running under Anubis !");
    else
        DebugMsg("Bot is not running under Anubis !");
#endif
    return bAnubisIsPresent;
}

bool IsProcessRunningUnderVM()
{
    bool bVMWare;
    bool bVPC;
    bool bAnubis;

    bVMWare = DetectVMWare();
    bVPC    = DetectVPC();
    bAnubis = DetectAnubis();

    if (bVPC == TRUE || bVMWare == TRUE || bAnubis == TRUE)
        return TRUE;
    return FALSE;
}

#endif

Source: http://www.hackhound.org/forum/topic/893-c-anti-vmware/
-
[C] Dynamic API calling
Author:

/*
Calling Windows API without using any API. 32bit version. Tested on Win7 x64.
by January, 2012.

This is how I've been doing my API calling for years. I believe I first started doing it with the Ju u stealer.
Using an array of function pointers and an array of hashes for each library, I find it much easier to gather all of
the necessary API pointers than doing 1 function call for each API I want to use. Or doing a function call every
time I want to use an API.

get_k32base() has been changed from what it used to be because I found it was no longer working on my win7.
I do not guarantee it's effectiveness on other OS's.

#trinity OG production. Fuck your crew.
*/
#include <windows.h>

//I didn't have the header for these two structs so that's why they're here...
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _LDR_MODULE {
    LIST_ENTRY     InLoadOrderModuleList;
    LIST_ENTRY     InMemoryOrderModuleList;
    LIST_ENTRY     InInitializationOrderModuleList;
    PVOID          BaseAddress;
    PVOID          EntryPoint;
    ULONG          SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG          Flags;
    SHORT          LoadCount;
    SHORT          TlsIndex;
    LIST_ENTRY     HashTableEntry;
    ULONG          TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;

//definitions for API we are importing.
typedef HMODULE (WINAPI *LoadLibraryW_)(LPCWSTR lpLibFileName);
typedef int (WINAPI *MessageBoxW_)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);
typedef int (WINAPI *MessageBoxA_)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

//hashes for API we are importing.
#define dwLoadLibraryW 0x5FBFF111
#define dwMessageBoxW  0x384F14CA
#define dwMessageBoxA  0x384F14B4

//function pointers for API we are importing.
static LoadLibraryW_ LLW;
static MessageBoxW_  MBW;
static MessageBoxA_  MBA;

//Arrays for API we are importing.
//Must have a corresponding array of hashes and array of function pointers for each library.

//Kernel32
//Yes, I know it's dumb to have an array of 1 element...but that's just how the function works.
//This could be redone so that you don't need the Kernel32Hashes array but it's in here for uniformity.
static const DWORD Kernel32Hashes[] = { dwLoadLibraryW };
static LPVOID*     Kernel32Ptrs[]   = { (LPVOID*)&LLW };

//User32
//MessageBoxW AND MessageBoxA?!? Yeah... I didn't have any better ideas for a simple example.
static const DWORD User32Hashes[] = { dwMessageBoxW, dwMessageBoxA };
static LPVOID*     User32Ptrs[]   = { (LPVOID*)&MBW, (LPVOID*)&MBA };

//code..
int _lstrcmpW_(LPCWSTR str1, LPCWSTR str2)
/*
lstrcmpW replacement function so that there is no unnecessary imports in the IAT.
this doesn't behave exactly as lstrcmpW but I don't need it to
I just needed it to tell if two strings are the same, I don't care what the numerical difference is.
It would be advisable to turn this into something that compares the hash of the two strings but its whatevs.

inputs: two null terminated, wide character strings.
outputs: 0 if strings are the same, else -1.
*/
{
    if (*str1 == 0 || *str2 == 0)
        return -1;
    while (*str1 && *str2)
    {
        WCHAR a = *str1, b = *str2;
        //ASCII case fold added: the loader lists "KERNEL32.DLL" (upper case) on
        //Windows 8 and later, so an exact compare against "kernel32.dll" fails there.
        if (a >= L'A' && a <= L'Z') a = (WCHAR)(a + 32);
        if (b >= L'A' && b <= L'Z') b = (WCHAR)(b + 32);
        if (a != b)
            return -1;
        str1++;
        str2++;
    }
    if (*str1 || *str2)
        return -1;
    return 0;
}

DWORD DJBHash(LPCSTR str)
/*
not by me. old, simple hashing function, don't know the real author.
modified to specifically hash null terminated ASCII strings.

inputs: null terminated string.
outputs: 32-bit hash of input null terminated string.
*/
{
    DWORD hash = 5381;
    for (; *str; str++)
    {
        hash = ((hash << 5) + hash) + (*str);
    }
    return hash;
}

LPVOID GetAPI_FROM_DJB(const LPVOID library, const DWORD APIHASH)
/*
GetProcAddress replacement. Uses hashes of api names instead of strings.

inputs:
    library = handle or base address to library (DLL) currently loaded in memory.
    APIHASH = hash of API name we are searching for.
outputs:
    on success: pointer to library function that can be called from a function pointer.
    on error: NULL.
*/
{
    PIMAGE_EXPORT_DIRECTORY lExport;
    DWORD x;

    if (library)
    {
        lExport = (PIMAGE_EXPORT_DIRECTORY)((DWORD)library +
                  ((PIMAGE_NT_HEADERS)((DWORD)library + ((PIMAGE_DOS_HEADER)library)->e_lfanew))
                      ->OptionalHeader.DataDirectory[0].VirtualAddress);

        DWORD *Names     = (DWORD*)((DWORD)library + lExport->AddressOfNames);
        WORD  *Ordinals  = (WORD*) ((DWORD)library + lExport->AddressOfNameOrdinals);
        DWORD *Functions = (DWORD*)((DWORD)library + lExport->AddressOfFunctions);

        for (x = 0; x < lExport->NumberOfNames; x++)
        {
            if (DJBHash((char*)(Names[x] + (DWORD)library)) == APIHASH)
                return (LPVOID)(Functions[Ordinals[x]] + (DWORD)library);
        }
    }
    return NULL;
}

LPVOID get_k32base()
/*
The assembly code is not mine, just modified from an old source by drn. I believe it was originally by Vecna or somebody.

inputs: none, obviously.
outputs: base address of kernel32.dll
    (if you are using windows2000 this will fail if kernel32 is not already linked in the import table,
    due to bug in win2k.)
*/
{
    LPVOID k32base = NULL;
    PLDR_MODULE lm, lol;

    __asm
    {
        pushad
        xor eax, eax
        mov eax, fs:[eax+30h]   // PEB
        mov eax, [eax+0ch]      // PEB->Ldr
        mov esi, [eax+0ch]      // Ldr->InLoadOrderModuleList.Flink
        lodsd
        mov [lm], eax
        popad
    }

    lol = lm;
    while (true)
    {
        if (!lm->BaseDllName.Buffer)
            break;
        if (_lstrcmpW_(L"kernel32.dll", lm->BaseDllName.Buffer) == 0)
        {
            k32base = lm->BaseAddress;
            break;
        }
        lm = (PLDR_MODULE)lm->InLoadOrderModuleList.Flink;
        if (lm == lol || !lm)
            //don't wanna loop infinitely if user is on win2k or some future Windows that doesn't explicitly link kernel32.
            break;
    }
    return k32base;
}

void fillAPIPtrs(const LPVOID DllBase, const DWORD dwNumFuncs, const DWORD *HashArray, LPVOID **PtrArray)
/*
Will fill an array of pointers to API from within a given library.

inputs:
    DllBase:    Base address of library we are searching.
    dwNumFuncs: Number of members in HashArray and PtrArray. Basically the number of API we are searching for in the library.
    HashArray:  Array of DWORDS that are corresponding hashes for pointers to be filled in PtrArray. Must be same size as PtrArray.
    PtrArray:   Array of function pointers to be filled. Must be same size as HashArray.
outputs: none, fills PtrArray with (hopefully) valid pointers to desired API.
*/
{
    DWORD i;
    for (i = 0; i < dwNumFuncs; i++)
        *PtrArray[i] = GetAPI_FROM_DJB(DllBase, HashArray[i]);
}

int main()
{
    LPVOID k32;
    LPVOID user32;

    k32 = get_k32base();
    fillAPIPtrs(k32, sizeof(Kernel32Hashes) / sizeof(DWORD), Kernel32Hashes, Kernel32Ptrs);
    if (LLW)
    {
        user32 = LLW(L"user32");
        if (user32)
        {
            fillAPIPtrs(user32, sizeof(User32Hashes) / sizeof(DWORD), User32Hashes, User32Ptrs);
            if (MBW && MBA)
            {
                if (MBW(NULL, L":D", L"Hello World!", MB_YESNO) == IDYES)
                    MBA(NULL, "Party All the Time", "\\o/", MB_OK);
                else
                    MBA(NULL, "y u gay?", "D:", MB_OK);
            }
        }
    }
    return 0;
}

Source: http://www.hackhound.org/forum/topic/43503-dynamic-api-calling/
-
[h=1]28C3: How governments have tried to block Tor (en)[/h]
For more information visit: 28C3: speakers
To download the video visit: Documentation - 28C3 public wiki
Playlist 28C3: 28C3: Behind Enemy Lines - YouTube
Speakers: Jacob Appelbaum | Roger Dingledine
Iran blocked Tor handshakes using Deep Packet Inspection (DPI) in January 2011 and September 2011. Bluecoat tested out a Tor handshake filter in Syria in June 2011. China has been harvesting and blocking IP addresses for both public Tor relays and private Tor bridges for years. Roger Dingledine and Jacob Appelbaum will talk about how exactly these governments are doing the blocking, both in terms of what signatures they filter in Tor (and how we've gotten around the blocking in each case), and what technologies they use to deploy the filters -- including the use of Western technology to operate the surveillance and censorship infrastructure in Tunisia (Smartfilter), Syria (Bluecoat), and other countries. We'll cover what we've learned about the mindset of the censor operators (who in many cases don't want to block Tor because they use it!), and how we can measure and track the wide-scale censorship in these countries. Last, we'll explain Tor's development plans to get ahead of the address harvesting and handshake DPI arms races.
Link:
I just watched it; it is something that has to be seen. What happened in Iran, China, Syria, Tunisia and Egypt can happen here too, and it's good to know what is going on and what can be done to monitor traffic.
-
You need hosting? You have no money from the private, unique, clever stuff you have, probably found by you? Let's be serious, the idea is rubbish.
-
Hackers who know how to download LOIC and click once. Professionals.
-
It's scanf, it reads. It returns 0 on error, which is probably what happens here too, or the number of items read. Here, it reads "%d" + 2. That "%d" is in memory as % d NULL, so in practice it's a: scanf(NULL); i.e. it returns 0. Nothing is printed anyway, but that's how it works.