Nytro
Administrators
Posts: 18734
Days Won: 710

Everything posted by Nytro

  1. Yes, I'm a policeman and I'm tailing this gicu guy because he's a big criminal, he's part of the online mafia, he's dangerous. What the hell, if you only used what's posted here you could find out a lot about me...
  2. ESET NOD32 Antivirus 4 for Linux desktop
     Most Linux users may claim that they can never fall prey to viruses, Trojans, worms, spyware, phishing and other Internet attacks; however, the reality is different. Linux is no harder to break into than a Microsoft Windows operating system. Even though the Linux platform may not be targeted directly, it can act as a malware carrier and cause serious damage to Windows-based systems in the network. Therefore it is vitally important that every single endpoint user within a network uses an antivirus solution providing this multiplatform protection. ESET NOD32 Antivirus 4 for Linux fulfils this task. ESET's solution for the Linux desktop employs the award-winning ThreatSense® scanning engine. Utilizing advanced heuristic techniques, ThreatSense® provides industry-leading protection against yet unknown threats. Additionally, the sophisticated generic detection method resembling that of DNA profiling is applied to intercept mutations of already existing infiltrations across all platforms.
     Source: http://www.eset.eu/products/nod32-for-linux
     Download: http://www.eset.eu/download/registered
  3. I'll be taking part in Tech Talks too.
  4. Linux exploit development
     Author: sickness
     The articles are written by a Romanian, though I haven't seen him around here for a while.
     Linux exploit development part 1 - Stack overflow http://www.exploit-db.com/download_pdf/17008
     Linux Exploit Writing Tutorial Pt 2 - Stack Overflow ASLR bypass Using ret2reg http://www.exploit-db.com/download_pdf/17049
     Linux exploit development part 3 - ret2libc http://www.exploit-db.com/download_pdf/17131
     Linux Exploit Development Pt 2 (rev 2) - Real App Demo (part 2) http://www.exploit-db.com/download_pdf/17154
  5. Nytro

    Test

    azazazazazazazazazazazaza az azazaza za z fhty u tyu inyu iyu imyioiuoiuoiumo uioiuonnnnnnnnn uioiuonuiuibukytftr rtrevhewch
  7. Nytro

    Test

    aaaaaaaaaaaaaaaaaaaaaaaaaaaa
  8. Nytro

    Test

    zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
  9. Nytro

    Test

    fdgdgdfgdfghdfnhfgjghj
  10. Nytro

    Test

    Doing some tests...
  11. Nytro

    j1c0 admin?

    The idea is to stop treating RST as a joke, because you'll disappear, one by one... And you could think about your future too. There are plenty who want a future in IT, but don't make any effort at all. They won't make it that way.
  12. I don't think you have any reason to worry about whether I'm a policeman or not. I don't see what criminal activities you've carried out. I'll just tell you this: relax.
  13. Nytro

    j1c0 admin?

    At first it amused me, but when I think about it more seriously it's sad, very sad. We've reached the point where, on top of a proposal from a clown (see the topics and posts he created), who has contributed nothing useful to the forum, to become administrator, there are many who would agree with this idea. What would he do as administrator? Nothing. You post something, ten people show up to insult your relatives, and nothing happens. You ask a question, and twenty wankers come and make fun instead of bringing an answer to your question. And what happens to these people? Nothing, maybe their reputation even grows and maybe they become administrators too. Lately there are many who take everything as a joke, who use RST as a place "to have fun, to laugh, to mess around", which is not good at all. Yes, there has to be some joking around too, but not only joking. I look at the latest topics posted. Nothing interesting, nothing technical, just: "A granny unhappy with her rapist" and a pile of other crap like on OTV. And those topics get a pile of replies too, of course, just as intelligent as the first post. I know many of you don't feel targeted, but go look at your profile and check "Find all threads started by" and "Find all posts by". And you can look at mine under "Find all threads started by" and at jic0's, and you'll notice some differences. If the question comes up of what to do in the future, you all come with solutions, you're all fit for a private category, you're all big and mighty. I don't deny your qualities, but they're hidden by hypocrisy, laziness and life's joking around. I was also looking at the topic with the ages. I feel bad seeing that the age level is high, yet a pile of members behave as if they were 12, getting involved in pathetic discussions and nothing else. You're supposedly here to learn about hacking, security, programming. Think about it: what have you learned lately, over a long period of time? How many tutorials, or anything that brings you new technical information, have you read?
    If I ask you about "Romanii au talent" or other crap you'll be up to date with all the news; about something practical I don't think it's even a question. There would be a lot to say, but I think I'm tiring myself for nothing. I am curious about something, though: are there more members who want jic0 to be administrator than those who want him to be banned? I keep thinking there are too many who are here to mess around, and those who voted in favour of this pathetic initiative, uselessly, are some of them. When I have more free time, I'll do the following: take member "x", and check his posts and the topics he created. Are most of them stupid, jokes and useless? - No - he gets a moral plus from me, which means I'll take care not to give him a warning at the slightest slip; I do such things. That is, I tolerate mistakes from the competent ones, those who aren't surplus. - Yes - he gets a ban for a period of time, on the idea that maybe he'll learn his lesson. Then, at every slip, even a small one, if I see a "suck my dick" in any category other than Offtopic, he gets a warning, and it ends in a ban. We'll see what happens with time.
  15. It's my business who I am, what I do now and what I want to do in the future. Anyway jic0, I don't understand why you're getting so worked up; you probably think you're some big mobster, you probably think your online activity is a threat to national security, I don't know... Actually it's not really like that. I just did my job as administrator, namely I made sure to give warnings and bans to those who just comment nonsense, swear, butt in for no reason, in other words: those who are surplus, who bring no benefit to the forum. You're not the only one who got warnings and a ban from me, but I don't think I give bans and warnings without a reason. Admittedly, I can't see all the "bad" posts, but I do what I can. I looked at your posts on the forum, most of them are in Offtopic. Also, 16 of your 26 created topics are in Offtopic. And you have a few posts in Ajutor and 2-3 in other categories. What have you contributed to the forum? Nothing. The only reason I'm not banning you right now is that I want to see what else you have to say, what other nonsense you come up with.
  16. Secrete C++ - Constantin Galatan
  17. parazitul29, wildchild, Patrunjel - a 5-day ban each so you calm down.
  18. It leads to this (don't download it): http://webwasher-antispyware.co.cc/fast-scan/download.php The idea is old.
  19. Is anyone from here going? I'd like to go too. To the presentations.
  20. Twofish: A 128-Bit Block Cipher
     Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson
     15 June 1998
     Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
     Download: http://www.thc.org/root/docs/cryptography/twofish-paper.pdf
  21. THC-Hydra 6.2
     THC-Hydra
     A very fast network logon cracker which supports many different services. Have a look at the feature sets and services coverage page - including a speed comparison against ncrack and medusa!
     Last update 2011-04-06

     [0x00] News and Changelog
     Hydra is now over 10 years old! Yeah!
     Good news: hydra is now co-maintained by David Maciejak @ gmail (dot) com, thanks a lot!
     Hydra is made available under GPLv3 with a special OpenSSL license expansion.
     No more windows .exe cygwin port. Too many clueless people hassled me why hydra.exe does not work for them when they double-click on it ... duh
     Check out the feature sets and services coverage page - including a speed comparison against ncrack and medusa (yes, we win)
     It was tested to work on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1 and OSX.

     CHANGELOG for 6.2
     =================
     * Added a patch by Jan Dlabal which adds password generation bruteforcing (no more password files)
     * New module: XMPP with TLS negotiation and LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1 support
     * New module: IRC is not dead! use to find general server password and /oper credential
     * Added man pages from debian maintainers
     * Add support for new syntax: ://[:][/]
     * Add TLS support for SIP
     * Add SCRAM-SHA1 auth to IMAP module
     * Add module usage help (-U)
     * Add support for RFC 4013: Internationalized Strings in SASL ("SASLPrep")
     * Add SASL + TLS support for NNTP
     * Add support for CRAM-MD5 and DIGEST-MD5 auth to ldap module
     * Add support for SCRAM-SHA1 (RFC 5802), first auth cracker to support it, yeah
     * Add TLS negotiation support for smtp-auth, pop3, imap, ftp and ldap
     * Rename smtpauth module to smtp
     * Forgot to rename ssh2 to ssh in xhydra, fixed
     * Fix SASL PLAIN auth method issue
     * Bugfix SASL DIGEST-MD5, response could be wrong on 64bits systems
     * Bugfix rlogin and rsh module, some auth failure could not be detected accurately
     * Add SSL support for VMware Authentication Daemon module
     * Bugfix CVS module, working now
     * Bugfix for Telnet module when line mode is not available
     Details: http://www.thc.org/thc-hydra/
     Download: http://www.thc.org/download.php?t=r&f=hydra-6.2-src.tar.gz
  22. Very nicely explained, idiot-proof. It's made mostly for my classmates who aren't exactly passionate about this sort of thing. But there's one thing I didn't quite get ... when you overload an operator .. e.g. = and do a = b; shouldn't it be exactly like a.operator=(b), and the function header should be void operator=(MyClass obj) and the assignment should be done member by member (for the data ... usually the private ones) or something like *this = b; ?
     When you have Obiect a, b; and want to copy like this: a = b? I think that's what you mean. It's simple. If you don't define the copy constructor Obiect(Obiect &operand) yourself and don't overload the = operator for a parameter of object type, i.e. Obiect& Obiect::operator = (Obiect &), which does roughly the same thing, the former being called when the object is initialised, in the declaration, then the default ones will be defined and a bitwise copy will be made from "b" into "a". The problem appears when you work with pointers. Let's say you store a character string in a class: char *p_sir; On the bitwise assignment, the pointer in "a" will point to the same address as the pointer in "b". That is, the pointer's address gets copied and both objects will effectively have the same string. If in the meantime you destroy object "b" and free the memory occupied by the string, it can no longer be used in "a" either, because it's the same string. The solution is that in the copy constructor and in the overload of = with a parameter that is an object of the current class (passed by reference) you allocate space for the string in "a" and copy the string from "b" into it, so that you have 2 distinct strings. Now let's move on to what interests you. Although it seems strange, the = operator returns a value. If it didn't return one you couldn't use expressions like: a = b = c;, several chained expressions.
     In this expression, since the = operator is evaluated right to left, first b takes the value of c, then the expression b = c returns b, which is then copied into a. To be able to do this with objects, the overload of = must return a reference to the current object. That is: Obiect& Obiect::operator = (Obiect &operand_2) { /* Copy, in which you put the desired values into the current object, which you then return, so it can be used further */ return *this; } That is, the current object, given by *this, is the first operand, and the second operand is the parameter. You copy from the parameter into *this what you need and return *this. In short, a = b returns a.
     And one last question I have ... I didn't quite understand why in the case of some virtual functions a const or some data type is added after the header when they're defined.
     Const is used, in this case, to define constant member functions. The idea with them is simple: modifying the object's state from within these functions will not be allowed. They're defined to guarantee this, by adding a "const" after the ()s with the function's parameters. But I think you're referring to pure virtual functions, which have an "= 0;" at the end and aren't defined. Of course, that = 0 can be, and often preferably is, preceded by a "const". That's a different matter. They're used to define an abstract class, a class that cannot be instantiated, and which forces the classes that inherit it to implement those functions. I think that's what you wanted to know; post if you have questions.
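The answer above in working code, as an added example (it is not code from the forum post): a class that owns a heap buffer like the `char *p_sir` case, with the deep-copying copy constructor and `operator=` that returns `*this` so `a = b = c` chains, plus a `const` member function and a pure virtual function on an abstract class. The class names `Obiect` and `p_sir` are taken from the post; everything else (`Forma`, `Patrat`, the `demo_*` functions) is made up for this example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// A class owning a heap buffer. The compiler-generated copy would duplicate
// the pointer, so both objects would share one buffer and the second
// destructor would free it twice; the user-defined copy constructor and
// operator= allocate a fresh buffer instead (the "rule of three").
class Obiect {
    std::size_t len;   // declared before p_sir: members initialise in declaration order
    char* p_sir;       // owned, NUL-terminated string
public:
    explicit Obiect(const char* s = "")
        : len(std::strlen(s)), p_sir(new char[len + 1]) {
        std::memcpy(p_sir, s, len + 1);
    }
    // Copy constructor: used at initialisation, e.g. Obiect a = b; or Obiect a(b);
    Obiect(const Obiect& other)
        : len(other.len), p_sir(new char[other.len + 1]) {
        std::memcpy(p_sir, other.p_sir, len + 1);   // deep copy: two distinct strings
    }
    // Assignment: used for a = b; on already-constructed objects.
    // Returns a reference to *this so that a = b = c evaluates right to left.
    Obiect& operator=(const Obiect& other) {
        if (this != &other) {                         // a = a must not free the buffer it reads
            char* fresh = new char[other.len + 1];    // allocate before freeing the old buffer
            std::memcpy(fresh, other.p_sir, other.len + 1);
            delete[] p_sir;
            p_sir = fresh;
            len = other.len;
        }
        return *this;
    }
    ~Obiect() { delete[] p_sir; }

    // const member functions: the compiler rejects any write to len or p_sir here.
    const char* c_str() const { return p_sir; }
    std::size_t size() const { return len; }
};

// Pure virtual function (= 0): Forma is abstract and cannot be instantiated;
// every concrete subclass must implement aria().
class Forma {
public:
    virtual double aria() const = 0;
    virtual ~Forma() {}
};

class Patrat : public Forma {
    double latura;
public:
    explicit Patrat(double l) : latura(l) {}
    double aria() const override { return latura * latura; }
};

// Chained assignment; the source is then changed and destroyed, and the
// copies survive because each owns its own buffer.
std::string demo_chain() {
    Obiect a, b;
    {
        Obiect c("original");
        a = b = c;                  // parsed as a = (b = c); b = c returns b
        c = Obiect("changed");      // c gets a new buffer; a and b are untouched
    }                               // c destroyed here, freeing only its own buffer
    return std::string(a.c_str()) + "|" + b.c_str();
}

// Self-assignment must leave the object intact (the this != &other check).
bool demo_self_assign() {
    Obiect t("test");
    Obiect& alias = t;
    t = alias;
    return std::strcmp(t.c_str(), "test") == 0 && t.size() == 4;
}

// Use the concrete class through the abstract interface.
double demo_abstract() {
    Patrat p(3.0);
    const Forma& f = p;
    return f.aria();
}
```

Without the user-defined copy operations, `demo_chain` would end with `a` and `b` holding dangling pointers once `c` is destroyed; with them, each object frees exactly the buffer it allocated.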
  23. Simple PE Cryptor
     Demonstrates how to encrypt the code and data sections of any PE file. Full source code included. This is a very rough beta.

     include w32.inc
     include console.inc
     include message.inc
     include imghdr.inc
     extrn GetSystemTime:proc
     extrn VirtualAlloc:proc
     extrn VirtualFree:proc

     .DATA
     file_hnd      dd 0                      ; handle to opened file
     mem_offset    dd 0                      ; address of allocated memory
     obj_offset    dd 0                      ; address of object (section) table
     peh_offset    dd 0                      ; address of pe header
     curr_disp     dd 0                      ; displacement
     rsrc_count    dd 0                      ; number of resource types
     num_rsrc      dd 0                      ; total number of resources
     rsrc_head     dd 0                      ; size of resource header
     sys_time      SYSTEMTIME <0>            ; used in getsystime
     pe_h          IMAGE_NT_HEADERS <0>      ; pe header struc
     obj_table     IMAGE_SECTION_HEADER 0Fh dup (<0>) ; section table struc
     header_len    equ size pe_h + size obj_table     ; length of header
     decryptor_len equ decryptor_end - decryptor_start ; length of decryptor
     it_len        equ it_end - k32_original ; length of import table inside decryptor
     crypt_flag    db 00,10,13               ; for stat display
     new_section:
     obj_name      db '.hayras',0            ; section name
     virt_size     dd 0                      ; virtual size
     virt_addr     dd 0                      ; rva
     raw_size      dd 0                      ; size of file
     raw_offset    dd 0                      ; offset in file
     unused        dd 0,0,0                  ; others
     obj_flags     dd 0E0000020h             ; flag (r/w/c/x)

     .CODE
     start:
     ; ----- show intro ------------------------------------------------------------
         call init_console                   ; initialize console
         push logo_l                         ; show this message
         push offset logo                    ;
         call write_console                  ; write to screen
     ; ----- get command line ------------------------------------------------------
         call GetCommandLineA
         mov edi, eax                        ; address of name
         mov ecx, -1                         ; counter
         mov al, 0                           ; search byte
         push edi                            ; save for later
         repnz scasb                         ; search for end of name
         not ecx                             ; number of bytes read
         pop edi                             ; address of name
         mov al, 20h                         ; search byte
         repnz scasb                         ; get length of file name
         dec ecx                             ; skip extra space
         test ecx, ecx                       ; something there
         jnz open_file
     no_commandline:
         push no_cmd_l
         push offset no_cmd
         call write_console
         jmp quit
     ; ----- open file -------------------------------------------------------------
     open_file:
         push 0                              ; hTemplateFile
         push FILE_ATTRIBUTE_NORMAL          ; dwFlagsAndAttribute
         push OPEN_EXISTING                  ; dwCreationDistribution
         push 0                              ; lpSecurityAttributes
         push 0                              ; dwShareMode
         push GENERIC_READ + GENERIC_WRITE   ; dwDesiredAccess
         push edi                            ; lpFileName
         call CreateFile
         cmp eax, INVALID_HANDLE_VALUE       ; returned file handle
         jz file_not_found
         mov file_hnd, eax                   ; save file handle
     ; ----- get offset of pe header -----------------------------------------------
         push FILE_BEGIN                     ; start of file
         push 0                              ; lpDistanceToMoveHigh
         push 3Ch                            ; number of bytes to move (location of offset to pe header)
         push file_hnd                       ; handle of file
         call SetFilePointer
         push 0                              ; lpOverlapped
         push offset bytes_read              ; address of number of bytes read
         push 4                              ; number of bytes to read
         push offset peh_offset              ; address to store bytes read (offset to pe header)
         push file_hnd                       ; handle of file
         call ReadFile
     ; ----- read header to pe struc -----------------------------------------------
         push 0
         push 0
         push peh_offset
         push file_hnd
         call SetFilePointer
         push 0
         push offset bytes_read
         push header_len
         push offset pe_h
         push file_hnd
         call ReadFile
     ; ----- check pe signature ----------------------------------------------------
         cmp [pe_h.Signature], IMAGE_NT_SIGNATURE ; check for 'PE'
         jnz not_valid_pe
         call show_some_info                 ; display some stats
     ; ----- get offset to object table --------------------------------------------
         movzx eax, [pe_h.SizeOfOptionalHeader] ; size of optional header
         add eax, 18h                        ; offset to object table
         mov obj_offset, eax
     ; ----- check for space in object table ---------------------------------------
         movzx eax, [pe_h.NumberOfSections]  ; number of sections
         inc eax                             ; add 1 for new section
         mov ecx, 28h                        ; size of section
         mul ecx                             ; num sections * 28h
         add eax, obj_offset                 ; offset of object table
         add eax, peh_offset                 ; offset to pe header
         cmp eax, [pe_h.SizeOfHeaders]
         jg no_space
     ; ----- store rva of import section -------------------------------------------
         mov eax, [pe_h.DataDirectory.(8).VirtualAddress]
         mov it_address, eax
     ; ----- generate encryption key -----------------------------------------------
         push offset sys_time                ; SYSTEMTIME struc
         call GetSystemTime
         movzx eax, [sys_time.st_wMilliseconds] ; get millisecond (word)
         mov key, al                         ; save low byte as encryption key
     ; ----- encrypt objects -------------------------------------------------------
         push sec_label_l                    ; header for section display
         push offset sec_label
         call write_console
         mov esi, offset obj_table           ; start of section table
         movzx ecx, [pe_h.NumberOfSections]  ; number of sections as counter
     next_obj:
         call encrypt_objects                ; encrypt each section
         call show_stats                     ; display some stats
         add esi, 28h                        ; next section in table
         loop next_obj
     ; ----- locate/add decryptor object in table ----------------------------------
         mov esi, offset obj_table           ; start of section table
         movzx eax, [pe_h.NumberOfSections]  ; number of sections
         mov ecx, 28h                        ; size of section header
         mul ecx                             ; number of sections * 28h
         add esi, eax                        ; end of section header
         inc [pe_h.NumberOfSections]         ; add our section
         mov edi, offset new_section
         xchg edi, esi
     ; ----- calculate rva (aligned) -----------------------------------------------
         mov eax, [edi-28h+8]                ; (rva+size)/align
         add eax, [edi-28h+0Ch]
         mov ecx, [pe_h.SectionAlignment]
         cdq
         div ecx
         test edx, edx
         jz section_aligned
         inc eax
     section_aligned:
         mul ecx
         mov virt_addr, eax
         mov decr_rva, eax
     ; ----- calculate raw data size (aligned) -------------------------------------
         mov eax, decryptor_len
         mov ecx, [pe_h.FileAlignment]
         div ecx
         test edx, edx
         jz file_aligned
         inc eax
     file_aligned:
         mul ecx
         mov [raw_size], eax
     ; ----- calculate virtual size (aligned) --------------------------------------
         mov eax, decryptor_len
         mov ecx, [pe_h.SectionAlignment]
         div ecx
         test edx, edx
         jz sect_aligned
         inc eax
     sect_aligned:
         mul ecx
         mov virt_size, eax
     ; ----- calculate file offset -------------------------------------------------
         mov eax, [edi-28h+14h]
         add eax, [edi-28h+10h]
         mov raw_offset, eax
     ; ----- calculate rva/size of import section ----------------------------------
         mov eax, k32_original-decryptor_start
         add eax, decr_rva                   ; add rva of decryptor
         mov [pe_h.DataDirectory.(8).VirtualAddress], eax ; it rva in data dir
         mov [pe_h.DataDirectory.(8).Size], it_len        ; it size
         add dword ptr k32_original, eax     ; convert to rva
         add dword ptr k32_dll, eax          ;
         add dword ptr k32_first, eax        ;
         add dword ptr func_k32, eax         ;
         add dword ptr [func_k32+4], eax     ;
         add dword ptr [func_k32+8], eax     ;
         add dword ptr [func_k32+0Ch], eax   ;
         add dword ptr getproc, eax          ;
         add dword ptr getmod, eax           ;
         add dword ptr loadlib, eax          ;
         add dword ptr u32_original, eax     ;
         add dword ptr u32_dll, eax          ;
         add dword ptr u32_first, eax        ;
         add dword ptr func_u32, eax         ;
         add dword ptr msgbox, eax           ;
         add dword ptr cap_addr, eax         ;
         add dword ptr msg_addr, eax         ;
     ; ----- adjust size of image (aligned) ----------------------------------------
         mov eax, virt_size
         add eax, [pe_h.SizeOfImage]
         mov ecx, [pe_h.SectionAlignment]
         div ecx
         test edx, edx
         jz image_aligned
         inc eax
     image_aligned:
         mul ecx
         mov [pe_h.SizeOfImage], eax
     ; ----- copy data to decryptor section ----------------------------------------
         mov ecx, 28h
         rep movsb
     ; ----- store new entry point rva ---------------------------------------------
         mov eax, dword ptr virt_addr
         mov ebx, dword ptr [pe_h.AddressOfEntryPoint]
         mov [pe_h.AddressOfEntryPoint], eax
         mov original_erva, ebx
     ; ----- rewrite header --------------------------------------------------------
         push 0
         push 0
         push peh_offset
         push file_hnd
         call SetFilePointer
         push 0
         push offset bytes_read
         push header_len
         push offset pe_h file_hnd
         call WriteFile
     ; ----- write decryptor -------------------------------------------------------
         push 0
         push 0
         push raw_offset
         push file_hnd
         call SetFilePointer
         push 0
         push offset bytes_read
         push raw_size
         push offset decryptor_start
         push file_hnd
         call WriteFile
         push done_l
         push offset done
         call write_console
         jmp close_hnd
     ; ----- some error messages ---------------------------------------------------
     no_space:
         push no_o_space_l
         push offset no_o_space
         call write_console
         jmp close_hnd
     not_valid_pe:
         push not_pe_l
         push offset not_pe
         call write_console
         jmp close_hnd
     file_not_found:
         push file_nf_l
         push offset file_nf
         call write_console
         jmp quit
     ; ----- finished, lets close --------------------------------------------------
     close_hnd:
         push file_hnd                       ; handle of file
         call CloseHandle
     quit:
         push 0
         call ExitProcess

     ;------------------------------------------------------------------------------
     show_some_info proc
     ;------------------------------------------------------------------------------
         mov eax, [pe_h.SizeOfCode]
         push eax eax
         movzx eax, [pe_h.NumberOfSections]
         push eax offset num_secs
         call write_hex
         mov eax, [pe_h.SizeOfInitializedData]
         push eax eax
         mov eax, [pe_h.ImageBase]
         push eax offset img_base
         call write_hex
         mov eax, [pe_h.SizeOfUninitializedData]
         push eax eax
         mov eax, [pe_h.AddressOfEntryPoint]
         push eax offset ep_rva
         call write_hex
         mov eax, [pe_h.SectionAlignment]
         push eax eax
         mov eax, [pe_h.SizeOfImage]
         push eax offset size_img
         call write_hex
         mov eax, [pe_h.FileAlignment]
         push eax eax
         mov eax, [pe_h.SizeOfHeaders]
         push eax offset size_head
         call write_hex
         movzx eax, [pe_h.MinorLinkerVersion]
         push eax
         movzx eax, [pe_h.MajorLinkerVersion]
         push eax
         mov eax, [pe_h.BaseOfCode]
         push eax offset base_code
         call write_hex
         movzx eax, [pe_h.DllCharacteristics]
         push eax eax
         mov eax, [pe_h.BaseOfData]
         push eax offset base_data
         call write_hex
         ret
     endp

     ;------------------------------------------------------------------------------
     show_stats proc
     ;------------------------------------------------------------------------------
         push 8 esi
         call write_console
         push dword ptr [esi.SVirtualSize]
         push dword ptr [esi.SVirtualAddress]
         push dword ptr [esi.SizeOfRawData]
         push dword ptr [esi.PointerToRawData]
         push dword ptr [esi.SFlags]
         push offset sec_status
         call write_stat
         push 3 offset crypt_flag
         call write_console
         ret
     endp

     ;------------------------------------------------------------------------------
     encrypt_objects proc
     ;------------------------------------------------------------------------------
         pusha
         cmp [esi], 'adr.'                   ; skip .rdata
         jz set_flag
         cmp [esi], 'ade.'                   ; skip .edata
         jz set_flag
         cmp [esi], 'ler.'                   ; skip .reloc
         jz set_flag
         cmp [esi], 'slt.'                   ; skip .tls
         jz set_flag
         cmp dword ptr [esi.SizeOfRawData], 0
         jz set_flag
         jmp proceed
     set_flag:
         mov crypt_flag, ' '
         jmp no_encrypt
     ; ----- allocate memory -------------------------------------------------------
     proceed:
         push PAGE_READWRITE
         push MEM_COMMIT
         push [esi.SizeOfRawData]
         push 0
         call VirtualAlloc
         mov mem_offset, eax
     ; ----- read section to encrypt -----------------------------------------------
         push 0
         push 0
         push [esi.PointerToRawData]
         push file_hnd
         call SetFilePointer
         push 0
         push offset bytes_read
         push [esi.SizeOfRawData]
         push mem_offset
         push file_hnd
         call ReadFile
         cmp [esi], 'rsr.'
         jnz not_rsrc
     ; ----- resource routine ------------------------------------------------------
         mov edi, mem_offset                 ; start of rsrc buffer
         mov edx, mem_offset
         movzx ecx, word ptr [edi.IRD_NumberOfNamedEntries] ; rsrc with names
         add cx, [edi.IRD_NumberOfIdEntries] ; rsrc with id
         mov rsrc_count, ecx                 ; number of rsrc types
         add edx, 10h                        ; skip root
     next_resource:                          ; num rsrc types as counter
         mov eax, [edx+4]                    ; offset to subdir
         and eax, 0FFFFFFFh                  ; mask offset
         add eax, edi                        ; address of subdir
         movzx ebx, word ptr [eax.IRD_NumberOfNamedEntries]
         add bx, [eax.IRD_NumberOfIdEntries]
         add num_rsrc, ebx
         cmp [eax.IRD_NumberOfNamedEntries], 0
         jz not_named
         push ecx eax
         movzx ecx, [eax.IRD_NumberOfNamedEntries]
         add eax, 10h
     next_entry:
         movzx ebx, word ptr [eax]
         add ebx, edi
         movzx ebx, word ptr [ebx]
         imul ebx, 2
         add ebx, 2
         add rsrc_head, ebx
         add eax, 8
         loop next_entry
         pop eax ecx
     not_named:
         add edx, 8                          ; next resource type
         loop next_resource
         mov ecx, 30h
         mov eax, num_rsrc                   ; total number of resources
         mul ecx                             ; 30h * num of res
         add rsrc_head, eax
         mov ecx, 18h
         mov eax, rsrc_count                 ; 18h * number of res types
         mul ecx
         add rsrc_head, eax                  ; add em both
         add rsrc_head, 10h                  ; add size of main struc
         mov eax, rsrc_head                  ; length of resource header
         add mem_offset, eax                 ; skip the res header
         mov edi, mem_offset
         mov ecx, [esi.SizeOfRawData]        ; size as counter
         sub ecx, [rsrc_head]
         mov al, key
     res_encrypt:
         sub byte ptr [edi], al              ; encrypt
         inc al
         inc edi                             ; next byte
         loop res_encrypt
         mov eax, [esi.PointerToRawData]     ; get file offset
         add eax, rsrc_head                  ; skip resource header
         push 0
         push 0
         push eax
         push file_hnd
         call SetFilePointer
         mov eax, [esi.SizeOfRawData]
         sub eax, rsrc_head                  ; skip resource header
         push 0
         push offset bytes_read
         push eax
         push mem_offset
         push file_hnd
         call WriteFile                      ; write it
         mov edi, [curr_disp]
         mov eax, [esi+SVirtualAddress]
         add eax, rsrc_head                  ; skip resource header
         mov [object_rva+edi], eax           ; save rva to decryptor
         mov eax, [esi.SizeOfRawData]
         sub eax, rsrc_head                  ; don't include rsrc header
         mov [object_size+edi], eax          ; save size to decryptor
         jmp release_mem
     ; ----- store rva/size to decryptor -------------------------------------------
     not_rsrc:
         mov edi, [curr_disp]
         mov eax, [esi+SVirtualAddress]
         mov [object_rva+edi], eax           ; save rva to decryptor
         mov eax, [esi.SizeOfRawData]
         mov [object_size+edi], eax          ; save size to decryptor
         mov edi, mem_offset                 ; start of buffer
         mov ecx, [esi.SizeOfRawData]        ; size as counter
         mov al, key                         ; get key
     encrypt:
         sub byte ptr [edi], al              ; encrypt
         inc al
         inc edi                             ; next byte
         loop encrypt
     ; ----- write encrypted section -----------------------------------------------
         push 0
         push 0
         push [esi.PointerToRawData]         ; point to
         push file_hnd
         call SetFilePointer
         push 0
         push offset bytes_read
         push [esi.SizeOfRawData]            ; size
         push mem_offset                     ; start here
         push file_hnd
         call WriteFile
     ; ----- deallocate memory -----------------------------------------------------
     release_mem:
         push MEM_DECOMMIT                   ; fdwFreeType
         push [esi.SizeOfRawData]            ; cbSize
         push mem_offset                     ; lpvAddress
         call VirtualFree
     ;----- update flags/number of objects -----------------------------------------
         add [curr_disp], 8                  ; update displacement
         inc byte ptr num_objects            ; update counter
         or [esi.SFlags], 80000000h          ; enable write bit
         mov crypt_flag, 0FBh                ; for stat display
     no_encrypt:
         popa
         ret
     encrypt_objects endp

     .DATA
     ;------------------------------------------------------------------------------
     decryptor_start:
         db '[SPEC]'
         call delta                          ; get delta offset
     delta:
         pop ebp
         mov eax, ebp                        ; save for imagebase calculation
         sub ebp, offset delta               ; ebp = delta offset
         sub eax, [decr_rva+ebp]             ; decryptor rva
         sub eax, offset delta-decryptor_start ; calculate current imagebase
         mov [image_base+ebp], eax           ; store for later
         movzx esi, [num_objects+ebp]        ; number of sections (use as counter)
         mov edi, ebp                        ; save delta
     next_object:
         mov ebx, [image_base+ebp]           ; imagebase
         mov eax, [object_rva+edi]           ; rva of encrypted section
         add ebx, eax                        ; imagebase+rva=address of section
         mov ecx, [object_size+edi]          ; size of section (use as counter)
         mov al, [key+ebp]
     decrypt:
         add byte ptr [ebx], al              ; decrypt
         inc al
         inc ebx                             ; next byte
         loop decrypt
         add edi, 8                          ; next section
         dec esi                             ; dec section count
         jnz next_object                     ; until no more sections
     ; ----- fix import section ----------------------------------------------------
         mov edx, [image_base+ebp]           ; get image base
         mov esi, [it_address+ebp]           ; rva of original import table
         add esi, edx                        ; address of import table
     next_dll:
         mov eax, [esi+0Ch]                  ; rva of dll name
         or eax, eax                         ; dll name present?
         jz dll_end
         add eax, edx                        ; address of dll name
         mov ebx, eax                        ; save for loadlibrary
         push eax                            ; push dll name
         call [getmod+ebp]                   ; call GetModuleHandleA
         or eax, eax                         ; loaded?
         jnz dll_loaded
         push ebx                            ; push dll name
         call [loadlib+ebp]                  ; call LoadLibrary
         or eax, eax                         ; success?
         jnz dll_loaded
     exit_loader:
         mov edx, [image_base+ebp]           ; get imagebase
         add [cap_addr+ebp], edx             ; add to offset
         add [msg_addr+ebp], edx
         push 0                              ; null
         push [cap_addr+ebp]                 ; caption
         push [msg_addr+ebp]                 ; message
         push 0                              ; mb ok
         call [msgbox+ebp]                   ; call MessageBoxA
         push 0
         call [exitproc+ebp]                 ; call ExitProcess
     dll_loaded:
         mov [dll_hnd+ebp], eax              ; save handle
         mov [func_disp+ebp], 0              ; initialize displacement
     next_function:
         mov edx, [ebp+image_base]           ; imagebase
         mov eax, [esi]                      ; original first thunk (rva)
         or eax, eax                         ; is it there?
         jnz hint_ok
         mov eax, [esi+10h]                  ; no, then check out first thunk
     hint_ok:
         add eax, edx                        ; offset to function name
         add eax, [func_disp+ebp]            ; displacement (first thunk)
         mov ebx, [eax]                      ; rva to function name
         mov edi, [esi+10h]                  ; first thunk (iat)
         add edi, edx                        ; address of iat
         add edi, [func_disp+ebp]            ; displacement (iat)
         test ebx, ebx                       ; function present?
         jz function_end
         test ebx, 80000000h                 ; test for ordinal bit
         jnz func_ordinal                    ; if present, then function is ordinal only
         add ebx, edx                        ; address of function name
         add ebx, 2                          ; skip ordinal
     func_ordinal:
         and ebx, 0FFFFFFFh
         push ebx                            ; offset of function name or ordinal
         push dword ptr [ebp+dll_hnd]        ; handle of dll
         call [getproc+ebp]                  ; call GetProcAddress
         or eax, eax
         jz exit_loader
         mov [edi], eax                      ; store address to iat
         add [func_disp+ebp], 4              ; update displacement
         jmp next_function
     function_end:
         add esi, 14h                        ; next import descriptor
         mov edx, [image_base+ebp]           ; image base again
         jmp next_dll
     dll_end:
         mov eax, [original_erva+ebp]        ; original entry point rva
         add eax, [image_base+ebp]           ; add imagebase
         jmp eax                             ; jump to original entry point
     ;------------------------------------------------------------------------------
     align 4
     k32_original  dd func_k32-k32_original  ; original first thunk
                   dd 0,0                    ; time/date, forwarder
     k32_dll       dd k32-k32_original       ; rva to dll name
     k32_first     dd getproc-k32_original   ; first thunk
     u32_original  dd func_u32-k32_original  ; same as above, for user32
                   dd 0,0
     u32_dll       dd u32-k32_original
     u32_first     dd msgbox-k32_original
                   dd 5 dup (0)              ; terminate import descriptor
     k32           db 'KERNEL32.DLL',0       ; dll to load
     func_k32      dd function1-k32_original ; rva's to function names
                   dd function2-k32_original
                   dd function3-k32_original
                   dd function4-k32_original,0
     u32           db 'USER32.DLL',0
     func_u32      dd function5-k32_original,0
     getproc       dd 0                      ; the iat
     getmod        dd 0                      ; the loader patches
     loadlib       dd 0                      ; this area
     exitproc      dd 0                      ;
     msgbox        dd 0
                   dd 0                      ; terminator
     function1     db 0,0,'GetProcAddress',0 ; function names
     function2     db 0,0,'GetModuleHandleA',0
     function3     db 0,0,'LoadLibraryA',0
     function4     db 0,0,'ExitProcess',0
     function5     db 0,0,'MessageBoxA',0
     align 4
     it_end:
     cap_addr      dd caption-k32_original   ; offset to caption
     msg_addr      dd message-k32_original   ; offset to message
     caption       db 'error',0              ; generic message
     message       db 'loader failed', 0
     key           db 0
     dll_hnd       dd 0                      ; handle to loaded dll
     func_disp     dd 0                      ; displacement in function name & iat
     it_address    dd 0                      ; rva of original import section
     decr_rva      dd 0                      ; rva of the decryptor
     image_base    dd 0                      ; image base
     num_objects   db 0                      ; number of encrypted sections
     original_erva dd 0                      ; entry point rva
     object_rva    dd 0                      ; rva/size of encrypted sections
     object_size   dd 0
                   dd 20h dup (0)
     decryptor_end:
     ;------------------------------------------------------------------------------
     end start

     Download: http://win32assembly.online.fr/files/spec.zip
  24. Get kernel ImageBase This is a small example of how to get the ImageBase of Kernel32.dll and how to get addresses of the kernel's LoadLibrary and GetProcAddress functions without any APIs ! I tested this code on Win98SE and Win2k. For any comments or bugreports trop a line to yoda_f2f@gmx.net. HAppy New Year ! yoda .386 .model flat,stdcall option casemap:none INCLUDE \masm32\include\windows.inc INCLUDE \masm32\include\comdlg32.inc INCLUDELIB \masm32\lib\comdlg32.lib ; ------ STRUCTS ------ sSEH STRUCT OrgEsp DD ? OrgEbp DD ? SaveEip DD ? sSEH ENDS ; ------ EQU'S ------ MIN_KERNEL_SEARCH_BASE EQU 070000000h MAX_API_STRING_LENGTH EQU 150 ; ------ CONST ------ .CONST szLoadLibrary DB "LoadLibraryA",0 szGetProcAddress DB "GetProcAddress",0 szExitProcess DB "ExitProcess",0 szUser32 DB "user32",0 szMessageBox DB "MessageBoxA",0 szwsprintf DB "wsprintfA",0 szInfoCap DB "- Kernel -",0 szInfoText DB "The following information were obtained",13,10 DB "without the help of an Import Table !",13,10 DB 13,10 DB "Kernel32.dll ImageBase: 0x%08lX",13,10 DB "User32.dll ImageBase: 0x%08lX",13,10 DB 13,10 DB "API Addresses:",13,10 DB "LoadLibraryA: 0x%08lX",13,10 DB "GetProcAddress: 0x%08lX",13,10 DB "ExitProcess: 0x%08lX",13,10 DB 13,10 DB "MessageBoxA: 0x%08lX",13,10 DB "wsprintfA: 0x%08lX",0 ; ------ DATA ------ .DATA _LoadLibrary DD 0 _GetProcAddress DD 0 _ExitProcess DD 0 _MessageBox DD 0 _wsprintf DD 0 cBuff DB 200 DUP (0) SEH sSEH <0> dwKernelBase DD 0 dwUserBase DD 0 ; ------ CODE ------ .CODE main: ASSUME FS : NOTHING ;INT 3 ;---- GET ImageBase of kernel32.dll ---- PUSH [ESP] CALL GetKernelBase OR EAX, EAX JZ QUIT MOV dwKernelBase, EAX ;---- GET SOME KERNEL API ADDRESSES ---- ;-> LoadLibraryA PUSH OFFSET szLoadLibrary PUSH dwKernelBase CALL GetProcAddr OR EAX, EAX JZ QUIT MOV _LoadLibrary, EAX ;-> GetProcAddress PUSH OFFSET szGetProcAddress PUSH dwKernelBase CALL GetProcAddr OR EAX, EAX JZ QUIT MOV _GetProcAddress, EAX ;-> ExitProcess PUSH OFFSET szExitProcess PUSH 
dwKernelBase CALL GetProcAddr OR EAX, EAX JZ QUIT MOV _ExitProcess, EAX ;---- LOAD USER32.DLL ---- PUSH OFFSET szUser32 CALL _LoadLibrary OR EAX, EAX JZ QUIT MOV dwUserBase, EAX ;---- GET SOME USER API ADDRESSES ---- ;-> MessageBoxA PUSH OFFSET szMessageBox PUSH dwUserBase CALL GetProcAddr OR EAX, EAX JZ QUIT MOV _MessageBox, EAX ;-> wsprintfA PUSH OFFSET szwsprintf PUSH dwUserBase CALL GetProcAddr OR EAX, EAX JZ QUIT MOV _wsprintf, EAX ;---- BUILD AND SHOW THE INFORMATION MSG ---- PUSH _wsprintf PUSH _MessageBox PUSH _ExitProcess PUSH _GetProcAddress PUSH _LoadLibrary PUSH dwUserBase PUSH dwKernelBase PUSH OFFSET szInfoText PUSH OFFSET cBuff CALL _wsprintf ADD ESP, (9 * SIZEOF(DWORD)) PUSH MB_ICONINFORMATION OR MB_SYSTEMMODAL PUSH OFFSET szInfoCap PUSH OFFSET cBuff PUSH 0 CALL _MessageBox ;---- EXIT ---- CALL _ExitProcess QUIT: RET ; exit to OS ;---- AN UNUSED IMPORT ---- ; The Win32 Loader of Win2k (maybe also of WinNT) won't call the EntryPoint of files which don't ; have an Import Table ; So here's an unused Import to make MASM compile an Import Table. PUSH NULL CALL GetOpenFileName ; ------ ROUTINES ------ ; returns NULL in the case of an error GetKernelBase PROC USES EDI ESI, dwTopStack : DWORD ; install SEH frame PUSH OFFSET SehHandler PUSH FS:[0] MOV SEH.OrgEsp, ESP MOV SEH.OrgEbp, EBP MOV SEH.SaveEip, OFFSET ExceptCont MOV FS:[0], ESP ; start the search MOV EDI, dwTopStack AND EDI, 0FFFF0000h ; wipe the LOWORD ! 
.WHILE TRUE .IF WORD PTR [EDI] == IMAGE_DOS_SIGNATURE MOV ESI, EDI ADD ESI, [ESI+03Ch] .IF DWORD PTR [ESI] == IMAGE_NT_SIGNATURE .BREAK .ENDIF .ENDIF ExceptCont: SUB EDI, 010000h .IF EDI < MIN_KERNEL_SEARCH_BASE MOV EDI, 0BFF70000h .BREAK .ENDIF .ENDW XCHG EAX, EDI ; shutdown SEH frame POP FS:[0] ADD ESP, 4 RET GetKernelBase ENDP ; returns address or NULL in the case of an error GetProcAddr PROC USES ESI EDI ECX EBX EDX, dwDllBase : DWORD, szApi : LPSTR ; install SEH frame PUSH OFFSET SehHandler PUSH FS:[0] MOV SEH.OrgEsp, ESP MOV SEH.OrgEbp, EBP MOV SEH.SaveEip, OFFSET @@BadExit MOV FS:[0], ESP ; check PE Signarue MOV ESI, dwDllBase CMP WORD PTR [ESI], IMAGE_DOS_SIGNATURE JNZ @@BadExit ADD ESI, [ESI+03Ch] CMP DWORD PTR [ESI], IMAGE_NT_SIGNATURE JNZ @@BadExit ; get the string length of the target Api MOV EDI, szApi MOV ECX, MAX_API_STRING_LENGTH XOR AL, AL REPNZ SCASB MOV ECX, EDI SUB ECX, szApi ; ECX -> Api string length ; trace the export table MOV EDX, [ESI+078h] ; EDX -> Export table ADD EDX, dwDllBase ASSUME EDX : PTR IMAGE_EXPORT_DIRECTORY MOV EBX, [EDX].AddressOfNames ; EBX -> AddressOfNames array pointer ADD EBX, dwDllBase XOR EAX, EAX ; EAX AddressOfNames Index .REPEAT MOV EDI, [EBX] ADD EDI, dwDllBase MOV ESI, szApi PUSH ECX ; save the api string length REPZ CMPSB .IF ZERO? ADD ESP, 4 .BREAK .ENDIF POP ECX ADD EBX, 4 INC EAX .UNTIL EAX == [EDX].NumberOfNames ; did we found sth ? 
.IF EAX == [EDX].NumberOfNames JMP @@BadExit .ENDIF ; find the corresponding Ordinal MOV ESI, [EDX].AddressOfNameOrdinals ADD ESI, dwDllBase PUSH EDX ; save the export table pointer MOV EBX, 2 XOR EDX, EDX MUL EBX POP EDX ADD EAX, ESI XOR ECX, ECX MOV WORD PTR CX, [EAX] ; ECX -> Api Ordinal ; get the address of the api MOV EDI, [EDX].AddressOfFunctions XOR EDX, EDX MOV EBX, 4 MOV EAX, ECX MUL EBX ADD EAX, dwDllBase ADD EAX, EDI MOV EAX, [EAX] ADD EAX, dwDllBase JMP @@ExitProc ASSUME EDX : NOTHING @@BadExit: XOR EAX, EAX @@ExitProc: ; shutdown SEH frame POP FS:[0] ADD ESP, 4 RET GetProcAddr ENDP SehHandler PROC C pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD MOV EAX, pContext ASSUME EAX : PTR CONTEXT PUSH SEH.SaveEip POP [EAX].regEip PUSH SEH.OrgEsp POP [EAX].regEsp PUSH SEH.OrgEbp POP [EAX].regEbp MOV EAX, ExceptionContinueExecution RET SehHandler ENDP end main Demonstrate how to search for and obtain the module base address of kernel32.dll and the addresses of the functions in it without using any API function. Tested on both Win98 and Win2k Download: http://win32assembly.online.fr/files/kernel.zip
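The export-table walk that GetProcAddr above performs (DOS header, e_lfanew, export directory at NT+0x78, AddressOfNames, AddressOfNameOrdinals, AddressOfFunctions) is the same walk an analyst does when checking what a loader resolves without an import table; here it is in Python as an added example, not yoda's code. It runs against a constructed minimal in-memory PE image whose internal offsets (0x80, 0x200, 0x300 and so on) are chosen for the example, while the export directory field offsets are those of IMAGE_EXPORT_DIRECTORY.

```python
import struct


def resolve_export(image: bytes, name: str):
    """Mirror of the post's GetProcAddr: returns the function RVA or None."""
    u32 = lambda off: struct.unpack_from("<I", image, off)[0]
    u16 = lambda off: struct.unpack_from("<H", image, off)[0]
    if image[:2] != b"MZ":                 # IMAGE_DOS_SIGNATURE check
        return None
    nt = u32(0x3C)                         # e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":      # IMAGE_NT_SIGNATURE check
        return None
    exp = u32(nt + 0x78)                   # DataDirectory[0] RVA, as [ESI+078h]
    if exp == 0:
        return None
    n_names = u32(exp + 24)                # IMAGE_EXPORT_DIRECTORY.NumberOfNames
    funcs, names, ords = u32(exp + 28), u32(exp + 32), u32(exp + 36)
    target = name.encode() + b"\0"         # compare including the terminator, as REPZ CMPSB does
    for i in range(n_names):
        s = u32(names + 4 * i)
        if image[s:s + len(target)] == target:
            ordinal = u16(ords + 2 * i)    # unbiased index into AddressOfFunctions
            return u32(funcs + 4 * ordinal)  # RVA; add the image base to get the VA
    return None


def build_image(exports):
    """Constructed minimal PE image (RVA == offset) carrying only an export table."""
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew -> NT headers at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<II", img, 0x80 + 0x78, 0x200, 40)  # export directory RVA/size
    funcs, names, ords, strs = 0x300, 0x340, 0x380, 0x400
    for i, (nm, ordinal, rva) in enumerate(exports):
        struct.pack_into("<I", img, names + 4 * i, strs)
        img[strs:strs + len(nm) + 1] = nm.encode() + b"\0"
        strs += len(nm) + 1
        struct.pack_into("<H", img, ords + 2 * i, ordinal)
        struct.pack_into("<I", img, funcs + 4 * ordinal, rva)
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIIII", img, 0x200 + 20, len(exports), len(exports), funcs, names, ords)
    return bytes(img)


# Constructed sample: ordinals deliberately differ from name order, so a correct
# walk must go through AddressOfNameOrdinals rather than reuse the name index.
SAMPLE = build_image([("ExitProcess", 2, 0x1300),
                      ("GetProcAddress", 0, 0x1100),
                      ("LoadLibraryA", 1, 0x1200)])
```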