Showing results for tags 'system'.
  1. Have you been wondering how to speed up your computer? Cacheman (short for Cache-manager), the award-winning Windows optimizer, offers you a multitude of ways to speed up your computer. Cacheman has been developed with novice, intermediate, and expert users in mind. Immediately after installation, Cacheman examines your computer and automatically tweaks a vast number of cache settings, Registry values, system service options, and PC memory parameters. But this is only the start. Cacheman then continues to work quietly in the background, in order to speed up your computer even more by managing computer memory (RAM), program processes and system services. Cacheman makes sure that the active application gets the maximum possible processing power and available system memory. Cacheman also includes a special optimization for computer games, to prevent slowdowns, lag, and stuttering caused by system tools like anti-virus programs. This giveaway has no free updates or free tech support and is for home/personal use only. Get Cacheman with free lifetime upgrades to get free updates, free tech support, and business or home use.
     Sale ends in 1 day 19 hrs 58 mins
     Link: Free Cacheman (100% discount)
  2. Recently I got the idea to play around with bypassing bootkit disk filters from an email I received, which highlighted that my MBR spoofing code was able to get underneath the driver of a popular forensics tool, preventing it from reading the real disk sectors. Although I believe disk forensics should not be done on a live system (instead the disk should be mounted on a clean system and examined from there), I thought it would be fun to write a tool for bypassing various bootkit drivers and then post my research. Another email I received requested that I show how one would detect the presence of such filters from WinDbg, so I will try to cover both.

     Disk Filtering - Old and New Driver Model

     As I've shown in a previous article, disk filtering is usually done by hooking the IRP_MJ_SCSI field of the miniport driver's object. Another common method is hooking DriverStartIo; however, this field is only used in the old-style driver model and is set to NULL on most Vista+ systems. The drivers used depend on whether you use SCSI or ATA based hardware, but because all drivers follow the same model, I will simply use an ATA system in my examples.

     Old Driver Model

     Pre-Vista disk drivers would have a single ATA channel driver known as atapi.sys, which would provide the functionality of both a port and miniport. If a disk required a custom miniport, the vendor would have to write their own miniport + port driver, which is no small task. When a device receives a request such as IRP_MJ_SCSI, it queues it to the disk via IoStartPacket, which eventually calls the address held by the DriverStartIo field of the driver's object; thus hooking DriverStartIo would intercept any disk I/O requests, not just IRP_MJ_SCSI.

     New Driver Model

     The new driver model provides a Microsoft supplied port driver (ataport.sys) and miniport driver (atapi.sys), which work together to make up the channel interface. The port driver provides basic functionality, whilst the miniport provides hardware specific functionality; so, if a vendor needs a custom miniport driver, they could simply write their own miniport to interface with the Microsoft supplied port driver. With the new model the IRP_MJ_SCSI field of atapi's driver object points to a function within ataport.sys (IdePortDispatch), which handles and queues requests using an internal mechanism instead of IoStartPacket, meaning bootkits hooking only IRP_MJ_SCSI and DriverStartIo can be bypassed using passthrough operations (even from usermode).

     TDL Warning

     Although TDL is no longer active, I should mention that it hijacks kdcom.dll (the COM debugger extension) in such a way that it prevents it from starting. If you attempt to enable kernel debugging via COM on a TDL infected system, it will be completely bricked following reboot (even safe mode won't load).

     Detecting Major Function Hooks with WinDbg

     First things first, you need to find which disk is your boot disk (it's up to you how you do this), but in most cases it will be \Device\Harddisk0\DR0. Once you've made sure WinDbg has the correct symbols loaded, use !devstack to display the device stack and find the bottom-most device (the miniport). Here is a normal output:

     In the case of some TDL4 infections, the miniport driver object (\driver\atapi) will appear to be invalid (it's not), but it prevents the !devobj and !drvobj commands from working, so we'll have to get the driver object associated with the miniport by using dt _DEVICE_OBJECT on the lowest device's object. Now we can examine the driver object (specifically the dispatch table) for major function pointer hooks. On a clean system all the dispatch routines should have addresses which resolve to symbols in either the miniport, port or ntoskrnl. On TDL4 infected systems the !drvobj command won't work, so you'll have to use dds (I've shown how to use both below).

     Major functions on a clean system shown with !drvobj
     Major functions on a clean system shown with dds

     On an infected system (TDL4) we will see something similar to the below. Note: all the dispatch routines point to the same address, which resides in pool memory (not normal).

     In an attempt to trick AV tools, Rovnix redirects the pointers to jumps it wrote to unused space at the end of atapi.sys, hence the addresses don't resolve to a function, only a module.

     If the driver dispatch table appears to be clean, the next thing to do is disassemble the address pointed to by IRP_MJ_SCSI (IRP_MJ_INTERNAL_DEVICE_CONTROL), as this is the dispatch routine which handles disk read/write requests and could be inline hooked. In my case IRP_MJ_SCSI points to ataport!IdePortDispatch.

     An example of a clean IRP_MJ_SCSI handler

     It may be difficult to detect inline hooks, especially if existing jumps/calls are modified. One should compare the module in memory against its disk image, accounting for relocation and imports (the best way to do this would be to have a driver map the disk image into memory and relocate it to point to the original module, allowing you to simply compare the two).

     Coming Soon

     Part 2: Detecting DriverStartIo hooks and driver object spoofing.

     Source
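A small triage script for the dispatch-table check described in the post above, added here as an example and not part of the original post or its author's tools. It reads text in the shape of WinDbg `lm` and `dds` output (the module ranges and dump lines below are constructed) and flags pointers that resolve to no loaded module, to a module other than the miniport, port driver or ntoskrnl, or that all share one target, the TDL4 pattern the post describes.

```python
import re

# Constructed module ranges in the shape of WinDbg `lm` output: start end name.
MODULES_TXT = """\
fffff800`02a00000 fffff800`02fe7000 nt
fffff880`00ffd000 fffff880`01027000 ataport
fffff880`01027000 fffff880`01052000 atapi
"""

# Constructed `dds` dumps of a driver object's MajorFunction array; a handful
# of the 28 IRP_MJ_* slots is enough to show the checks.
DDS_CLEAN = """\
fffffa80`0373c0e0  fffff880`0100a010 ataport!IdePortDispatchCreateClose
fffffa80`0373c0e8  fffff800`02c6b1e0 nt!IopInvalidDeviceRequest
fffffa80`0373c0f0  fffff880`0100a010 ataport!IdePortDispatchCreateClose
fffffa80`0373c158  fffff880`01008a30 ataport!IdePortDispatch
fffffa80`0373c160  fffff880`0100bd20 ataport!IdePortDispatchPower
"""
# TDL4-style table: every slot points at the same address in pool memory.
DDS_TDL4 = """\
fffffa80`0373c0e0  fffffa80`0402b000
fffffa80`0373c0e8  fffffa80`0402b000
fffffa80`0373c0f0  fffffa80`0402b000
fffffa80`0373c158  fffffa80`0402b000
fffffa80`0373c160  fffffa80`0402b000
"""

ADDR = r"([0-9a-f]{8})`([0-9a-f]{8})"  # WinDbg 64-bit address with backtick


def to_int(hi, lo):
    return int(hi + lo, 16)


def parse_modules(text):
    """Return (start, end, name) triples from `lm`-style lines."""
    return [(to_int(m[1], m[2]), to_int(m[3], m[4]), m[5])
            for m in re.finditer(ADDR + r"\s+" + ADDR + r"\s+(\S+)", text)]


def parse_dds(text):
    """Return the pointer column (second address) of each dds line."""
    return [to_int(m[3], m[4]) for m in re.finditer(ADDR + r"\s+" + ADDR, text)]


def resolve(addr, modules):
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None


def check_dispatch_table(dds_text, modules_text, expected=("nt", "ataport", "atapi")):
    """Flag dispatch pointers outside the expected modules and the 'all slots
    share one target' pattern. Jumps placed inside a module's own image (the
    Rovnix case) are not visible from ranges alone; that needs the disk-image
    comparison the post describes."""
    modules = parse_modules(modules_text)
    ptrs = parse_dds(dds_text)
    findings = set()
    for p in ptrs:
        owner = resolve(p, modules)
        if owner is None:
            findings.add("0x%016x resolves to no loaded module (pool/unknown memory)" % p)
        elif owner not in expected:
            findings.add("0x%016x resolves to unexpected module %s" % (p, owner))
    if len(ptrs) > 1 and len(set(ptrs)) == 1:
        findings.add("all %d dispatch slots share one target 0x%016x" % (len(ptrs), ptrs[0]))
    return sorted(findings)


if __name__ == "__main__":
    print(check_dispatch_table(DDS_CLEAN, MODULES_TXT))  # []
    for finding in check_dispatch_table(DDS_TDL4, MODULES_TXT):
        print(finding)
```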
  3. I receive crash dumps containing pirated antiviruses all the time; however, I felt the need to blog about it for once because it's actually so often and just comical to me at this point. I also haven't blogged in a little while. I'm not really here to discuss the pros & cons of antivirus software, it's obvious. What I will say however is it's also obvious that for any software you install, regardless of its intended job, you're increasing your attack surface. Given the fact that most antiviruses are granted complete come/go access to the kernel, have the highest privileges, have various kernel-mode drivers, etc., your surface is increased just that much more. Let's take a look at this crash dump (unfortunately only a Small Memory dump...):

     2: kd> .bugcheck
     Bugcheck code 00000024
     Arguments 00000000`001904fb fffff880`085866a8 fffff880`08585f00 fffff880`016b1d82

     Right, so we have our bug check - NTFS_FILE_SYSTEM (0x24). Big hint: if you see this bug check on a crash dump from a user, chances are it's 50/60% (or more) the fault of either the one security application they have installed (whatever the actual problem with the application is), or user error as far as installing more than one security application goes. It's generally a bad idea to pigeonhole a bug check with a single problem (because it's ridiculous to do so), but I'd personally say over the years 0x24 has been much more of a security software issue than anything else.

     2: kd> .exr fffff880`085866a8
     ExceptionAddress: fffff880016b1d82 (Ntfs!NtfsRemoveHashEntry+0x00000000000000c2)
     ExceptionCode: c0000005 (Access violation)
     ExceptionFlags: 00000000
     NumberParameters: 2
     Parameter[0]: 0000000000000000
     Parameter[1]: ffffffffffffffff
     Attempt to read from address ffffffffffffffff

     By taking a look at the exception record structure, we can see the direct reason for the exception being thrown that caused the actual crash was an access violation occurring in Ntfs!NtfsRemoveHashEntry.

     Now that we know why, let's take a look at the context record using the address from our 3rd parameter in the .bugcheck output.

     2: kd> .cxr fffff880`08585f00
     rax=0000000000000000 rbx=fffff8a00224e050 rcx=0001000000000000
     rdx=0000000000000000 rsi=000000001fdefdd9 rdi=fffffa80049be358
     rip=fffff880016b1d82 rsp=fffff880085868e0 rbp=00000000000001d9
     r8=00000000000003b2 r9=0000000000000000 r10=00000000000003b2
     r11=fffff88008586910 r12=0000000000000001 r13=0000000000000000
     r14=0000000000000001 r15=fffff8a003533ed0
     iopl=0 nv up ei pl nz na po nc
     cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
     Ntfs!NtfsRemoveHashEntry+0xc2:
     fffff880`016b1d82 397110 cmp dword ptr [rcx+10h],esi ds:002b:00010000`00000010=????????

     On the instruction regarding Ntfs!NtfsRemoveHashEntry, we can see it was comparing the esi register to the memory at address rcx+10. rcx looks pretty bogus, and just to confirm:

     2: kd> !pte 0001000000000000 // Or !pte rcx
     VA 0001000000000000
     PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00000 PDE at FFFFF6FB40000000 PTE at FFFFF68000000000
     Unable to get PXE FFFFF6FB7DBED000
     WARNING: noncanonical VA, accesses will fault !

     So here's the reason why the exception was thrown: it was noncanonical.

     Now that we've also instructed the debugger to use the context record as the register context, we can run a k (kb, knL, whatever) to get a more detailed stack in our case - even with a Small Memory dump:

     2: kd> k
     *** Stack trace for last set context - .thread/.cxr resets it
     Child-SP RetAddr Call Site
     fffff880`085868e0 fffff880`016b224f Ntfs!NtfsRemoveHashEntry+0xc2
     fffff880`08586970 fffff880`016b0a24 Ntfs!NtfsDeleteNormalizedName+0x7f
     fffff880`085869a0 fffff880`016b4cdb Ntfs!NtfsDeleteScb+0x1f4
     fffff880`085869e0 fffff880`0162e343 Ntfs!NtfsRemoveScb+0x5b
     fffff880`08586a20 fffff880`016b2a3c Ntfs!NtfsPrepareFcbForRemoval+0x53
     fffff880`08586a50 fffff880`01635a52 Ntfs!NtfsTeardownStructures+0xdc
     fffff880`08586ad0 fffff880`016c22d3 Ntfs!NtfsDecrementCloseCounts+0xa2
     fffff880`08586b10 fffff880`01714d32 Ntfs!NtfsCommonClose+0x353
     fffff880`08586be0 fffff800`02ae1561 Ntfs!NtfsFspCloseInternal+0x186
     fffff880`08586cb0 fffff800`02d740ca nt!ExpWorkerThread+0x111
     fffff880`08586d40 fffff800`02ac8be6 nt!PspSystemThreadStartup+0x5a
     fffff880`08586d80 00000000`00000000 nt!KxStartSystemThread+0x16

     Not going to put comments, but rather just talk about it. We were starting a system thread which turned out to be a worker thread (as we can see from the ExpWorkerThread function), and from then on go throughout various NT file system calls. Given the fact that it's a worker thread dealing with NTFS tells us we're likely dealing with a driver requiring delayed processing, etc. As we're going through various NTFS calls, we can see we're preparing the File Control Block (FCB) and Stream Control Block (SCB) for removal and deletion. This also tells us, if anything, it's a driver working actively with/for the file system. Looking at the loaded modules list for any drivers actively working with the file system, what do we find?

     Hint: A lot of Symantec/Norton kernel-mode drivers

     2: kd> lmvm SRTSP64
     start end module name
     fffff880`082d4000 fffff880`08394000 SRTSP64 (deferred)
     Image path: SRTSP64.SYS
     Image name: SRTSP64.SYS
     Timestamp: Tue Mar 29 22:46:12 2011

     Here is Symantec's x64 Real Time Storage Protection (SRTSP) driver. This driver is used by Symantec's Auto-Protect feature, which is what scans files under various conditions. You can expect to find this kernel-mode driver on any system with NIS installed, so what's the big deal? The timestamp/date on the driver itself is from March 29th 2011. The time of the bug check is:

     Debug session time: Tue Feb 3 23:57:58.466 2015 (UTC - 5:00)

     Okay, so we have a kernel-mode driver from/for Norton that's approximately, as of this blog post, 3.8 years old. That's.... bad. To give the user the absolute ultimate benefit of the doubt, I for a split second thought that perhaps maybe Symantec really has a kernel-mode driver regarding RTP that's 3.8 years old. Surely there may be hundreds of vulnerabilities, but it's possible.. right? Wrong.

     2: kd> vertarget
     Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
     Product: WinNt, suite: TerminalServer SingleUserTS Personal
     Built by: 7601.18700.amd64fre.win7sp1_gdr.141211-1742

     It's a Windows 7 x64 system, so let's create a test environment really quick and install the latest trial version of NIS. Ah, that's much better. Unfortunately, that wasn't the only out-of-date kernel-mode driver regarding Symantec loaded on this particular system. Let's keep comparing:

     2: kd> lmvm SYMDS64
     start end module name
     fffff880`01279000 fffff880`012ea000 SYMDS64 (deferred)
     Image path: SYMDS64.SYS
     Image name: SYMDS64.SYS
     Timestamp: Tue Dec 07 19:16:58 2010

     Symantec's x64 Data Store (SymDS) driver.

     2: kd> lmvm SYMEFA64
     start end module name
     fffff880`014f4000 fffff880`015d8000 SYMEFA64 (deferred)
     Image path: SYMEFA64.SYS
     Image name: SYMEFA64.SYS
     Timestamp: Sun Mar 13 23:20:58 2011

     Symantec's x64 Extended File Attributes driver.

     2: kd> lmvm SYMEVENT64x86
     start end module name
     fffff880`01dbf000 fffff880`01df5000 SYMEVENT64x86 (deferred)
     Image path: SYMEVENT64x86.SYS
     Image name: SYMEVENT64x86.SYS
     Timestamp: Thu Mar 24 19:02:36 2011

     Symantec's x64 SymEvent driver.

     2: kd> lmvm SRTSPX64
     start end module name
     fffff880`01c2d000 fffff880`01c43000 SRTSPX64 (deferred)
     Image path: SRTSPX64.SYS
     Image name: SRTSPX64.SYS
     Timestamp: Tue Mar 29 22:46:18 2011

     Symantec's x64 Real Time Storage Protection (SRTSP - PEL) driver.

     2: kd> lmvm SYMNETS
     start end module name
     fffff880`01d58000 fffff880`01dbf000 SYMNETS (deferred)
     Image path: SYMNETS.SYS
     Image name: SYMNETS.SYS
     Timestamp: Tue Apr 19 18:33:31 2011

     Symantec's Network Security WFP driver.

     Overall, we can see that all of these Symantec/Norton kernel-mode drivers are not their latest versions. Given the fact that the user's system bug checked Feb 2015 and many of its kernel-mode drivers are 3.8 years old (or older), we know it's pirated. Remove pirated Norton, crashes stop. Surprise surprise. Moral of the story: If you really are going to pirate an antivirus, be sure it's actually as up to date as it would be if you paid for it. If you're running an antivirus with kernel-mode drivers from 3.8> years old, the amount of vulnerabilities you're vulnerable to that were patched years ago is pretty high. You're also opening yourself up to becoming infected with old malware that was invalidated if not further developed if it relied on certain EOP (or other) exploits to get around active protection. Also, as you can see here, chances are you'll bug check considering you're also subject to ~3.8> year old driver bugs that have since been patched. You could alternatively just buy the antivirus. Crazy, I know.

     source
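A helper for the driver-age check that the post above performs by hand, added here as an example and not the post author's code. It parses the `Debug session time` line and the `Image name` / `Timestamp` lines of `lmvm` output; the sample input reuses two driver records quoted in the post plus EXAMPLEFRESH.SYS, a constructed placeholder name for a recently built driver, and lists drivers older than a threshold relative to the crash time.

```python
import re
from datetime import datetime

# Constructed triage input: the `Debug session time` line and two `lmvm`
# records as quoted in the post, plus EXAMPLEFRESH.SYS, a placeholder name
# for a recently built driver (not a real Symantec module).
SAMPLE = """\
Debug session time: Tue Feb 3 23:57:58.466 2015 (UTC - 5:00)
2: kd> lmvm SRTSP64
start end module name
fffff880`082d4000 fffff880`08394000 SRTSP64 (deferred)
Image path: SRTSP64.SYS
Image name: SRTSP64.SYS
Timestamp: Tue Mar 29 22:46:12 2011
2: kd> lmvm SYMDS64
Image path: SYMDS64.SYS
Image name: SYMDS64.SYS
Timestamp: Tue Dec 07 19:16:58 2010
2: kd> lmvm EXAMPLEFRESH
Image path: EXAMPLEFRESH.SYS
Image name: EXAMPLEFRESH.SYS
Timestamp: Thu Dec 11 17:42:00 2014
"""

# Weekday, month, day and clock time as WinDbg prints them; the year follows
# (after optional fractional seconds in the session-time line).
DATE = r"(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
FMT = "%a %b %d %H:%M:%S %Y"


def parse_session_time(text):
    m = re.search(r"Debug session time:\s+" + DATE + r"(?:\.\d+)?\s+(\d{4})", text)
    if not m:
        raise ValueError("no 'Debug session time' line found")
    return datetime.strptime(f"{m[1]} {m[2]}", FMT)


def parse_driver_timestamps(text):
    """Pair each 'Image name:' with the 'Timestamp:' line that follows it."""
    out, name = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Image name:\s+(\S+)", line)
        if m:
            name = m[1]
            continue
        m = re.match(r"\s*Timestamp:\s+" + DATE + r"\s+(\d{4})", line)
        if m and name:
            out.append((name, datetime.strptime(f"{m[1]} {m[2]}", FMT)))
            name = None
    return out


def stale_drivers(text, max_age_days=365):
    """Drivers whose PE timestamp predates the debug session by more than
    max_age_days, oldest first, as (image name, age in days)."""
    session = parse_session_time(text)
    ages = [(name, (session - built).days) for name, built in parse_driver_timestamps(text)]
    return sorted([a for a in ages if a[1] > max_age_days], key=lambda a: -a[1])


if __name__ == "__main__":
    for name, age in stale_drivers(SAMPLE):
        print(f"{name}: {age} days ({age / 365.25:.1f} years) before the crash")
```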
  4. Description: Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST." The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue. Qualys security researchers discovered this bug and worked closely with Linux distribution vendors. As a result of that, we are releasing this advisory today as a coordinated effort, and patches for all distributions are available January 27, 2015.
     Read more: http://dl.packetstormsecurity.net/papers/general/securing-ghost.pdf
  5. Hi, I bought a 3220 stereo amplifier, an old model; I got it from an acquaintance. I'd like to hook it up to my PC, and I also have 2x speakers. I need a "sketch" of the cables needed for the hookup. :) ELECTRONICS Stereo Amplifier 3220:
  6. Premier System X5 15.0.962 Multilanguage ISO-rG | 1.2 GB
     An advanced and complete economic software (original Windows application) whose unique graphic design and ergonomic environment offer a wide number of options to suit the program to individual needs and requirements of the client.
     Advantages and Distinctions of the Software
     Complexity: The wide assortment of modules allows covering all areas of the company management in any industry (see Reference).
     Large font: The unusually large letter font provides the user with a well-visible and ergonomic graphic environment easy for orientation.
     Interaction: The navigation through the program is based on interactive nesting so the user does not get confused by a large number of functional keys and icons on the screen at once.
     Modularity: The user can choose modules or packages that meet own needs and specific requirements. Below is the list of separate program modules that are further comprised of submodules, e.g. Customers (Billing, Due Notices, Penalization, Deposit Bills, Partners Directory, Invoice Patterns, Receivable Overview, etc.).
     Flexibility: The way the program has been designed allows the user to perform almost any modification required to meet the user's needs in a relatively short time. This applies as well for the area of legislative continuity.
     Interface: english, german, czech, slovak
     Home Page - http://www.premier.cz/
     DOWNLOAD LINKS: