Nytro

Nu inteleg de ce va complicati. Nu stiti SQL, nu veti sti niciodata SQL Injection. Invatat SQL (orice, MySQL, Postgre, Oracle...), apoi va apucati de SQL Injection.

Backdoor.Win32.UltimateDefender.gtz - Reversing In this paper (Backdoor.Win32.UltimateDefender.gtz - Reversing) we analyze install.exe that presents the typical structure of an Medium Evoluted Malware, with basical Obfuscated-Dummy Code, some layer of Encryption decoded at Runtime and Custom Hash Functions used as Integrity Check. We can also see an intersting technique that retrieves API's Addresses OnDemand through a series of hardcoded values that corresponds to some API, the correspondent API Address is computated at runtime and chosen in function of the Hardcoded Value. Download: http://rootkitanalytics.com/papers/pdf/Backdoor-UltimateDefender.pdf

Kernelland Rootkits Kernel rootkits are the tools that run in the kernel, hence making it really hard to detect. The entire operating system would be altered in the process, which would help in the process of hiding the fact that the system is compromised. Kernel rootkits are of the most malicious nature -- they completely undermine a systems integrity and capacity for self-diagnosis. Essentially any tool that could be used for detecting such a rootkit is susceptible to false results due to syscall hijacking. Some tools however does not have to run in memory of the target system itself may benefit from running on a remote machine to avoid certain syscalls (i.e over NFS) -- this can be explained in more detail sometime. There are a many ways to subvert. Here are some of them: -- Directly modifying the syscall table -- Syscall jump -- IDT -- IA32 Debug Kernel - Working To understand the working of kernel rootkit, it is important to understand how a kernel works. Though we talk a lot more about Linux related samples at most cases, all kernels behave the same way. Kernel is a mediator between user apps and the hardware. Hence, kernel should interact/talk-to both the user-mode apps and the hardware. To do this in a secure way, operating systems has ensured that all processes communicate with the kernel through system libraries and the system libraries sends system calls to the kernel mode, which reaches the system call table. The system call table then interacts with the text or data segment of the kernel depending on the nature of Syscall or the function to be performed. Once that is processed in the kernel, the kernel then interacts with the hardware accordingly. The following figure shows a simple interaction diagram: Kernel Rootkit - Ring Terminology In the ring terminology, kernel rootkits run on ring0. Since, ring0 is under all the other layers, monitoring kernel rootkits is almost impossible if the monitoring software is run on the same system, except for certain detection techniques that compares the different states or interacts with kernel using different stimulus signals and compares the response. Though once again, since the kernel rootkit modifies the entire operating system properties, functions and anything and everything possible to deceive a user from noticing the compromise by completely hiding itself, detection is quite hard in case of kernelland rootkits. As said in the ring terminology section, ring0 has the highest privilege and ring3 has the least privilege. Most anti-rootkit tools that are created to detect kernel rootkits, really do not do the stuff that they were created for if the kernel rootkit does its job as it was meant to. Kernel Modification Techniques Kernelland rootkits are known for overwriting the entire operating system. They do this by modifying the kernel. Loadable Kernel Module [LKM] is used to expand the kernel for adding new hardware or Filesystem without a system reboot. LKM is used only when required and when they are used, they run in the memory and when done they are removed. In this process, an attacker/rootkit can run the infected process that would load the EVIL_LKM to modify the kernel. LKM runs in ring0 of the system as it is running on the kernel itself, which means that it is running on the highest privilege. To do this, the EVIL_PROCESS loads the EVIL_LKM. There are several ways to do this and there are several things that can be done once this is done. Syscall hijack is one way that we talk about in our other paper and also the Syscall modification too. Once this is loaded, the rootkits can alter the Syscall to EVIL_SYSCALL or intercept the good Syscall with EVIL_FUNCTION, depending on the technique that the rootkit chooses to use. Once this is done, the kernel access is obtained by running the code that the rootkit tries to access in the Text segment. Another way to subvert the kernel is to alter kernel memory. /dev/kmem is used for mapping the kernel memory at run-time in Linux. In Windows systems, Hence to change the kernel at runtime, direct memory I/O could alter kmem. Even though there are patches to protect kmem, there are other ways to override the patches for the rootkits to do what they were meant to. Directly modifying the Syscall table The syscall table is generally an array of function pointers; these function pointers can be redirected to point to functions implemented in the rootkit, often times an LKM. This type of kernel rootkit is easy to detect compared to other kernel rootkits. A hands on approach is to analyze /proc/kcore with gdb and verify the syscalls against the System.map file (A file created at kernel compilation time for debugging purposes). A simpler approach is to run a tool like ktraq, which also has the benefit of disabling this type of rootkit by resetting the syscall function pointers. Syscall jump This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first 7 bytes of the syscall are overwritten with a jump to the new code -- i.e "movl $0x0, %eax; jmp *%eax". Keep in mind the original 7 bytes are saved and copied back into the original syscall so that it may be called within the evil syscall. This type of syscall hijacking cannot be detected by tools like ktraq, however a tool like ElfStat which analyzes the text segment of the running kernel and compares it to vmlinux can detect this method. This method is also used in kernel function hijacking (Not only syscalls). Sursa: Kernelland - Linux kernel rootkit - RootkitAnalytics.com

About RemoteDLL RemoteDLL is the tool which makes it easy to inject the DLL or free the DLL from remote process. This tool is based on popular DLL Injection technique which has already been used in many top programs such as pwdump. Many spyware programs uses this technique to hide their presence. Many of these comes as DLL and injects themselves to legitimate windows process and operates from that process so that normal user will not suspect its presence. Using RemoteDLL you can easily remove such DLL from the process and then delete it from the system completely. How RemoteDLL works? This tool is entirely based upon the DLL Injection concept. In short DLL Injection uses CreateRemoteThread API to invoke LoadLibrary or FreeLibrary on remote process. Here is a very good article which explains this technique in detail. I suggest you to read that article to better understand working of RemoteDLL. Injecting the DLL into Remote Process Below are the steps for injecting the DLL into another process using RemoteDLL. * Select the "Load DLL" option. * Now select the process to which you want to inject the DLL. * Next specify the the DLL and press the "Load DLL" button * The specified DLL will be injected into the target process and the result of entire operation will be displayed in status window. Removing the DLL from Remote Process Follow the below mentioned steps to remove DLL from any process using RemoteDLL. Note that removing DLL from process may crash it or destabilize the entire system. So make sure you know what you are doing before using it. * Select the "Free DLL" option from the main screen. * Next select the process from which you want to remove the DLL. * Now select the DLL to be removed from the process using DLL selection dialog. It displays following information about each DLL o DLL Name o Base Address o Entry Point of DLL o Size of the DLL in memory o Load count or Reference Count of DLL o Static or dynamically loaded * Next press the "Free DLL" button to remove the DLL from process. Result will be displayed step by step in the status window. Note that only dynamically loaded DLLs can be removed from the process. Reference count : Unique feature of RemoteDLL Reference count or load count indicates how many times the DLL is loaded into the process. Each time the DLL is loaded , process increases that DLL's reference count. So when you want to remove the DLL from the process, you have to invoke the FreeLibrary function that many times to completely free it. Reference count is the unique feature of RemoteDLL which is not present in any other similar tools. This is because there is no direct way or API function to get this information. Reference count for the DLL is stored in the PEB (Process Environment Block) for that process. PEB contains the linked list of DLL Module Structure which contain complete information about that particular DLL. One can retrieve the PEB data of remote process by using ReadProcessMemory() API. For detailed information on finding reference count read the detailed article here. Download: http://securityxploded.com/getfile.php?id=7111

About ProcHeapViewer This is the tool to enumerate process heaps on windows. It uses much better technique than slower Windows heap API functions which makes it faster and efficient. You can enumerate the heaps from normal Windows processes as well as system services. Its very useful tool for anyone involved in analyzing process heaps. Vulnerability researchers can use it as a side tool for discovering heap related vulnerabilities. The new version provides support for Windows 7. It also presents the enhanced user interface with cool look & feel. Making of ProcHeapViewer Some time back I was doing password strength related research on Yahoo Messenger. It used to store the password on the heap and I wrote an sample tool using normal heap functions to locate and retrieve the password. The password was basically located on one of the heap block which was near the end of 60,000th block. So I had to traverse all the 60,000 heap blocks using Heap32Next function and it took more than 10 minutes..! I tried running the program on multiple machines but it took almost same amount of time. I was getting irritated as I had to wait for so long every time I run my program. To find a way around this timing problem, I tried looking on the internet for answers but found nothing. Then I finally resort to finding the truth myself and started reverse engineering the Windows heap functions. Finally after few hours of work, I found the reason behind the delay and wrote my own implementation which took little more than few seconds. For the complete story behind the creation of ProcHeapViewer, read the detailed article here. Download: http://securityxploded.com/getfile.php?id=7211

About WinSniff WinSniff is the basic network packets sniffer for Windows developed using Winpcap library. It displays all the packets that are transmitted on the local network and gives detailed information about each header in the packet. In order to keep it simple, I am not dealing with application level protocols. If you are interested, you can add features to support various application level protocols such as SMTP, FTP, NETBIOS etc. Working of WinSniff When your machine is on the network, packets with different destinations arrive. By default (i.e., when the network adapter is in normal mode) these packets are rejected by the network adapter since they are intended to different hosts. But if you want, you can receive these packets by putting the network adapter in promiscuous mode. In this mode, it will accept all the packets irrespective of the destination address. Hence you can analyze the packets transmitted on your network. This trick is used for network management to determine the network traffic... etc. However, there is one problem here...!!! You will receive the packets with different destinations if you are using HUB. Since, HUB uses broadcasting technique for transmitting packets to all the hosts attached to it. However, if you are using SWITCH (an intelligent device), then you won't receive any packet sent to other hosts on the network. Best place to install this application is on the gateway where you can keep track of incoming and outgoing packets Implementation This part is meant for developers who are interested in coding their own sniffer. You may wants read to understand the internals of WinSniff. To start with, first step is to find out the right network interface and and then open it in promiscuous mode. While opening the device, you can also specify the size of the packet and time out value. //Get all devices for capturing the packet pcap_findalldevs(&devlist,err); //Open device in promiscous mode hdev=pcap_open_live( devname[index], //name of the device 65536, //size ->Capture whole packet 1, //promiscous mode 1000, //read timeout err ); Once you have opened the device, you will receive all packets. If you are interested in a particular packet, for example, only QUAKE packets (port 27960), ARP packets (ARP) etc., then you can specify the filter expression. For more details on filter expression, you can refer WinPcap documentation. // compile the filter pcap_compile(hdev,&fcode,filter,1,netmask); // now set the filter pcap_setfilter(hdev,&fcode); Once you have opened the device and set the filter, now you are ready to receive the packets. Once the packet is received, header contains the length, time and other information about the packet. Structure pkt_data contains the exact contents of the packet starting from Ethernet header. while(true) { pcap_next_ex(hdev,&header,&pkt_data); /* play with the captured packet */ } In order to analyze the packet contents, you must be familiar with various header formats. Mainly, you must know the format of the following headers... ETHERNET, ARP, IP, TCP, UDP, ICMP and IGMP. I have included the file 'protocol.h' which contains the format information about all these headers. If you want more details, you can refer RFCs for respective protocols. Once you have done the job, it's time to safely close the device. //close the device... pcap_close(hdev); Requirements 1) Developers can find all the header files and libraries in 'Winpcap developer pack' 3.0 or higher version. Don't forget to specify the include and lib files within the project settings. 2) Before running this application you need to install Winpcap version 3.0 or higher. Download: http://securityxploded.com/getfile.php?id=9121 Source code: http://securityxploded.com/getfile.php?id=9155

AdvancedWinServiceManager About AdvancedWinServiceManager 'Windows Service' is a program designed to perform specific service which is started automatically when Windows boots and runs as long as System is up and running. Services normally run with 'System' privilege thus enabling them to execute higher privilege operations which otherwise cannot be performed by normal processes. Due to these advantages, often malware applications use services to monitor and control the target system. In this direction, AdvancedWinServiceManager makes it easy to eliminate such malicious services by separating out third party services from Windows services. By default it shows only third party services along with more details such as Company Name, Description, Install Date, File Path etc at one place which helps in quickly differentiating between legitimate and malicious services. It comes with rich features such as detecting hidden rootkit services, exporting the service list to html based log file, displaying only third party services etc. All these unique things make it stand apart when compared to 'Windows Service Management Console'. Features of AdvancedWinServiceManager Here is the complete feature list of AdvancedWinServiceManager * Detection of hidden Rootkit services It can detect the services hidden by malicious Rootkit applications using bypass hook method. Such hidden services will be shown in red color to differentiate it from normal services. * Enhanced user interface with dynamic resize functionality. It comes with really cool GUI interface with catchy banner. Also it has dynamic resizing capability which makes it to adjust the screen according to the user needs. * Arrange the services based on various parameters It comes with sorting functionality to arrange the services based on service name, description, status, user account, company name, binary path, file size etc. This helps in quick searching of the service. * Easier detection of malicious service By default only third party services are displayed along with detailed information which makes it easy to differentiate between legitimate and malicious services. * Export the services list to standard html format 'Export to File' option provides easy way to save the displayed service list to html based log file for offline analysis. * Show services based on status and vendor. User can view the services based on its status. For example one can view only third party services or all running services. * Smooth and quick management of services It provides option to start, stop, enable or disable services with just a click. * Displays detailed information for each service For each service following information is shown, o Service Name o Description o Company Name o Service Status o User account o File version o File Size o Install Date o Full Binary Path Download: http://securityxploded.com/getfile.php?id=8275

ProcNetMonitor About ProcNetMonitor ProcNetMonitor is the free tool to monitor the network activity of all running process in the system. It displays all open network ports (TCP/UDP) and active network connections for each process. It has advanced color based auto analysis system to make it easy to distinguish network oriented processes from others with just one glance at the list. It also presents unique 'Port Finder' feature to easily search for particular port in all running processes with just one click. It also comes with export feature to save the entire process-port list to standard HTML file for offline analysis. All these features combined together make it very effective tool in combating the Trojans and Spywares installed on the system which continuously send keyboard strokes, online account data and other sensitive information to remote server. In the newer version by default only network oriented processes are displayed. As a result user don't have to spend time in figuring out the network processes from the big process list. ProcNetMonitor works on all Windows platforms starting from XP to latest Windows 7 version. Features of ProcNetMonitor Here is the highlight of ProcNetMonitor's features. * Informative running process list with TCP/UDP/connection count displayed per process. * Unique 'Port Finder' feature to search for network port in all running processes. * Advanced color based auto analysis system makes it easy to separate out network based process from others with just one glance. * AutoRefresh feature to automatically update the process network parameters on selection. * Faster remote host name resolution using multi thread based approach. * Display open network ports (TCP/UDP) and active network connections for selected process. * Sort the process list based on various parameters such as process name, process id, TCP count, UDP count, connection count etc. * Shows detailed properties of process on double click. * Option to terminate the selected process. * Export feature to save the entire displayed list to standard HTML file for offline analysis. * Refresh option to manually refresh the process and network port/connections list. Download: http://securityxploded.com/getfile.php?id=7255

Sunteti cativa pe aici care dezbateti aceasta problema punand trup si suflet, dar sunt sigur ca la 2 zile dupa uitarea acestui topic (ultimul post) o sa va faceti veacul tot pe la Offtopic. Incercam mai de mult un proiect: Traducerea tutorialelor din engleza in romana. Nu a fost tradus nici macar un singur tutorial, desi ar fi fost multi dispusi sa o faca. Si eu sunt unul dintre ei! Asadar, fapte, nu vorbe.

Sunt multi baieti isteti, foarte isteti. Dar, fie lucreaza la diverse companii pentru bani, fie sunt imprastiati peste tot, ceea ce nu ii avantajeaza. Da, incepe si mie sa imi displaca din ce in ce mai mult aceasta foame de bani, sa ceri bani pentru orice, chiar daca e vorba de un rahat de 2 lei, si de 10 linii de cod, pe care apropo, sunt zeci de mii de oameni care il pot scrie. Dar din acei zeci de mii de oameni, 90% ar cere bani pentru cele 10 linii de cod. Nu e de vina lipsa de cunostinte, ci mentalitatea asta fomista de bani.

Mie imi place filelist. Chiar am vorbit cu God (care nu e orice pusti de 12 ani care nu stie ce e ala PHP, se pricepe) mai de mult, facusem scriptul sa se poata aranja torrentele in functie de seeds, peers... Dar a facut niste modificari tehnice la cautare, si nu stiu daca se mai poate.

Numiti flood porcaria asta de udp.pl? Pfff...

Orice sugestie BUNA si utila e binevenita.

Nu cred ca a facut nimic pe VM, cred ca doar a detectat ca e pe VM si s-a inchis. Nu stau sa il verific in detalii, nu are rost.

Nu a rulat in Sandbox, iar pe masina virtuala s-a inchis singur. Asta e al dracu de suspect. In plus, continea mai multe fisiere (executabile). Din moment ce l-am rulat, a facut ceva (verific acum ce) si s-a inchis singur, e clar, e cine stie ce porcarie. Deci ban.

Pff, no comment, un articol de nota 10. Al dracu de interesant si de bine scris. Ia puneti mana si cititi ba, mai ales cei care vreti schimbari pe aici. Eu pana acum gandeam ca baietii de la Offensive Security (cei care au "facut" Backtrack) sunt hackeri. Dar cand ma gandesc ce preturi exorbitante cer pentru cursurile lor... Un hacker face totul din placere, nu pentru bani. Ideea asta s-a pierdut in timp, si foamea de bani a adus aceste modificari absurde in lumea hackingului.

De unde sti ca e Fake? Si un scan nu te ajuta cu nimic, poate fi falsificat. Insa un screenshot nu ar strica. PS: Sa uploadeze cineva altundeva, urasc jegul de rapidshare.

Postul de deasupra ilustreaza ce inseamna "Offtopic" (nu are legatura cu subiectul ci cu pax) si "Redeschidere topic" (ultimul post a fost scris acum 2-3 luni, si nu are un motiv serios pentru redeschiderea acestui subiect). Asadar, pentru cei care nu au inteles cum sa treaba cum avertismentele, puteti lua acest post drept un exemplu de "asa NU se face". PS: Abtineti-va de la comentarii inutile. Adica sa nu va vad ca scrieti ceva in legatura cu acest post, va fi offtopic. Daca aveti ceva de zis in legatura cu subiectul, da, puteti spune, nici o problema.

Te referi la forum si la comentariile de la torrente? Eu nu ma uit la asa ceva, daca descarc ceva (foarte rar) descarc si atat, restul nu ma intereseaza.

User Name: Daca se schimba username-urile, se ajunge la confuzii. FakeCN: Nu e nimic la VIP Area alexalghisi: Daca se cere un numar de posturi se ajunge la spam, posturi stupide si inutile.

Paxnwo, pe care il cunosc chiar, are ban (temporar). Si mai are si o bere de dat. Cum sa spun, si mama daca ar face offtopic ar primi warn

Se pot discuta multe lucruri interesante, dar sunt putini care ar participa la discutii. Zilele astea vreau sa mai fac mici modificari la RST, sa vedem, usor-usor, unde se ajunge

Nu poate fi inchisa aceasta categorie, e ca si cum ai merge la scoala si nu ai avea pauze. Pe langa tampeniile care se poasteaza aici, se mai posteaza si lucruri interesante (non-IT). In plus, aici se poate discuta despre orice, acesta e avantajul sectiunii. Aici razi, faci caterinca... E nevoie si de asa ceva. La celelalte categorii nu admit asa ceva. Si nu e vina mea ca majoritatea utilizatorilor intra aici pentru aceasta categorie, si nu dau cu vizita si prin altele, sa se lege ceva si de ei. Si se trezesc dupa 2-3 ani ca nu stiu mare lucru, si poate isi fac si iluzia ca o sa lucreze in domeniul IT.

"Pentru ca nu se mai posteaza articole si lucruri interesante, nimic calitativ." Eu cel putin am inceput sa postez. Sper sa ma ia si altii drept exemplu. "In care sa nu fie luat la misto un user al forumului, care sa contina o argumente cand se prezinta o idee." Nu sunt chiar atat de multe posturi fara rost cum zice lumea "Te cred, nu prea sunt membri care sa merite rang de moderator, care sa contribuie la dezvoltarea acestui forum, cat si la combaterea idiotiilor." Doar 2 membri as putea propune pentru un post de moderator, dar deocamdata nu cred ca e necesar deocamdata. "Imi pare rau, insa aici nu este vorba de tine.. ci de majoritatea userilor care le vorbesc noilor membrii foarte urat daca gresesc.." De multe ori merita asta. Vin cu intrebari penibile, nu se intereseaza in legatura cu problema lor, si iti dau in cap cate o intrebare stupida... "anul trecut situatia era mai altfel" Nu era mare diferenta. Niciodata nu a fost o mare diferenta intre ce e acum si ce "era odinioara". "acum totul se rezuma la stealere, keylogger, spam, off-topic" Fiecare cu ce ii place. Spam nu prea se face, iar offtopicul rezulta avertisment. "Invision Power Board 3.1.2, mi se pare bun.. " Cred ca vBulletin e cea mai buna solutie. Sau phpBB.

"Eu cred ca da." Cum adica "a murit"? Ca nu prea mai face lumea "chestii" marca RST? Sau ca nu se mai posteaza articole sau lucruri interesante? "Teme, hm..o sa caut." Daca tot cauti, sa faci rost si de tema, ca am gasit unele teme acceptabile, dar nu le-am gasit niciunde. "Selectiile se pot face dupa calitatea posturilor." Ar fi multe de discutat aici. Ce inseamna un post de calitate? "In unele cazuri nu se prea primeste avertisment.." Am dat peste 460 de warn-uri, dar nu stau sa iau fiecare topic la rand si sa dau warn la fiecare abatere. "Pt. ca nu vor sa se implice.." Nici eu nu ma mai implic asa de mult, fiecare cu problemele lui. "daca esti un membru nou si iti spui punctul de vedere iti sar in cap toti daca gresesti" Eu "m-am luat de tine" pentru ca vorbesti de RST-ul de odinioara, cand de fapt nu pari un membru foarte vechi al forumului. blech: Da, au murit . Mai sunt, numai ca au si ei alte treburi, au altele pe cap, mai importante ca RST desigur.