Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - ReX

Pages: [1]
1
Hacking and Security / Re: SSH Keys problem?
« on: June 11, 2014, 02:41:56 am »
Hi lucid,
Forgot to refresh my page to see your reply, But never the less.


I've posted you a private message on the IRC server, hopefully one of those methods will help you with your problem, If any of them work, Let me know and ill post it up here or you can.


Atleast if anybody else suffers from the same problem, The fix is there :)


ReX

2
Hacking and Security / Re: SSH Keys problem?
« on: June 11, 2014, 02:18:29 am »

Hmm, is it possible to see the banlist? Maybe your server/shell as banned your ip/isp range,
I know on some servers/shells after a few times trying to get on with pw or ssh keys, The firewall automaticly does the clever business.


Hopefully its a firewall issue, As i see nothing wrong with your settings.


ReX

3
Projects and Discussion / Re: Self replecation
« on: June 10, 2014, 03:45:09 pm »
Sorry did not read the topic properly. Must of been super tired. But thats no excuse eh :)

And yes your correct, And your answer is true,
I could of just shown him how to do it using simple random letters/numbers so the file each time its run will generate a defined file limit and what not,
But wanted to keep it simple Like your first reply was, :)

Hopefully though the small snippet will give him an idea of what he wants/needs to do.
This will not work with certain windows versions i believe, as you need administration rights and i dont want to go into detail on elevation when yeah.. lol
Afterall its like you said :D
Quote
That doesn't mean that i will just guess what icon needs exactly,now will i spoonfeed what icon can find out by himself (or herself)]/quote]

-Rex

4
Projects and Discussion / Re: Self replecation
« on: June 10, 2014, 10:47:04 am »

He's after a none 'malware' related method,
And an example is what one wanted.


So the link i posted should be perfect if he knows the language,
If it was malware type methods he was after, I Would of gave him a simple exe infect,
Where the 'malware' would infect every exe which is accessible..
Never the less, ive posted below a small snippet which will copy the running pe file
too the windows & system directory, Nice and basic, and the method is used in most
Malware today




Code: [Select]
int replicate(){
    char Buffer[260],Windows[260],System32[MAX_PATH];   
    GetWindowsDirectory(Windows,sizeof(Windows));   
    GetModuleFileName(NULL,Buffer,MAX_PATH);   
    strcat(Windows,"\\");   
    strcat(Windows,"FileName.exe");     
    GetSystemDirectory(System32, sizeof(System32)); 
    strcat(System32,"\\");   
    strcat(System32, "FileName.exe");   
    return 0; 
}


5
Projects and Discussion / Re: Self replecation
« on: June 10, 2014, 12:09:39 am »
Not sure what it is your exactly looking for,
BUT!
Maybe [size=78%]http://hackthedark.blogspot.com/2012/06/create-self-replicating-virus-in-c.html[/size] this can be of assistance. And: http://stackoverflow.com/questions/12879612/self-replicating-self-compiling-code-c


Knowledge of c/c++ will be needed by the way. These are just examples and i dont encourage you to use the code which is on there, as the first one is for use with a virus.





A nice read :)


-ReX

6
C - C++ / [C++]HTTP Client(Unfinished)
« on: June 09, 2014, 10:01:53 pm »
Heres another example of using wininet in your own (projects)

Two source files http.c & Http.h:

Note there is no (main function) on this project,
Current functions:


Http_init()
http_release()
http_get()
http_write_mem()
http_download_mem()
http_download_file();

If you need more of an explanation on what each function does, Please respond and ill be more then happy to give a tutorial on what they do & how to do it.

ReX
 
Code: [Select]

#include "http.h"

static HINTERNET http_handle = NULL;

bool http_init()
{
    return (http_handle = InternetOpen(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0));
}

bool http_release()
{
    return http_handle != NULL ? InternetCloseHandle(http_handle) : true;
}

bool http_get(const char *url, HTTP_CALLBACK cb, void *context)
{
    DWORD size = sizeof(DWORD);
    DWORD zero = 0;
    unsigned int file_pos = 0;
    unsigned int file_size = 0;
    unsigned int http_code = 0;
    HINTERNET req;
    char buf[BUFSIZ];

    if (http_handle == NULL)
    {
        return false;
    }

    req = InternetOpenUrl(http_handle, url, NULL, 0, INTERNET_FLAG_NO_COOKIES|INTERNET_FLAG_NO_CACHE_WRITE|INTERNET_FLAG_RELOAD, 0 /* context */);

    if (req == NULL)
    {
        return false;
    }

    zero = 0;
    HttpQueryInfo(req, HTTP_QUERY_CONTENT_LENGTH|HTTP_QUERY_FLAG_NUMBER, &file_size, &size, &zero);

    zero = 0;
    HttpQueryInfo(req, HTTP_QUERY_STATUS_CODE|HTTP_QUERY_FLAG_NUMBER, &http_code, &size, &zero);

    if (http_code == 200)
    {
        while (InternetReadFile(req, buf, sizeof(buf), &size))
        {
            if (size == 0)
            {
                break;
            }

            file_pos += size;

            if (cb)
            {
                if (cb((void *)buf, size, file_pos, file_size, context) == false)
                {
                    break;
                }
            }
        }
    }

    InternetCloseHandle(req);
    return (http_code == 200);
}

bool http_write_mem(void *buf, size_t size, size_t file_pos, size_t file_size, download *dl)
{
    if (file_size > dl->bufsiz || dl->bufpos + size > dl->bufsiz)
    {
        return false;
    }

    memcpy((char *)dl->buf + dl->bufpos, buf, size);
    dl->bufpos += size;
    return true;
}

int http_download_mem(const char *url, void *buf, size_t bufsiz)
{
    static download dl;
    dl.buf = buf;
    dl.bufpos = 0;
    dl.bufsiz = bufsiz;
    return http_get(url, (HTTP_CALLBACK)http_write_mem, &dl);
}

bool http_write_file(void *buf, size_t size, size_t file_pos, size_t file_size, FILE *fh)
{
    return fwrite(buf, size, 1, fh) == 1;
}

int http_download_file(const char *url, const char *path)
{
    FILE *fh = fopen(path, "wb");
    bool success = false;

    if (fh)
    {
        success = http_get(url, (HTTP_CALLBACK)http_write_file, fh);
        fclose(fh);
    }

    return success;
}

Http.h
Code: [Select]
#ifndef _HTTP_H_
#define _HTTP_H_

#include <windows.h>
#include <stdbool.h>
#include <stdio.h>
#include <wininet.h>

typedef struct
{
    void *buf;
    size_t bufpos;
    size_t bufsiz;
} download;

typedef bool (*HTTP_CALLBACK)(void *buf, size_t len, size_t file_pos, size_t file_size, void *context);

bool http_init();
bool http_release();
bool http_get(const char *url, HTTP_CALLBACK cb, void *context);
bool http_write_mem(void *buf, size_t size, size_t file_pos, size_t file_size, download *dl);
int http_download_mem(const char *url, void *buf, size_t bufsiz);
int http_download_file(const char *url, const char *path);

#endif

7
C - C++ / [C++]Remote_Thread(PE_Execute)
« on: June 09, 2014, 09:49:13 pm »

Hello all thought my second post would be a code release.


Basicly will this little bit of code will allow you to run an executable via Remote threads.


Code i believe MAY already be public, It was given to me as a portfolio by a certain friend who wished to work on a project i was working on.
Unknown to him, I  came across this code somewhere else before hand, So he was -Demoted-  by the boss's hand :)


First file is the memory.cpp second is the main.cpp - Enjoy
Rex
Code: [Select]
#include <windows.h>
#include <tchar.h>
#include <detours.h>
#include <stdio.h>
#include <tchar.h>
 
 
#define NTSIGNATURE(ptr) ((LPVOID)((BYTE *)(ptr) + ((PIMAGE_DOS_HEADER)(ptr))->e_lfanew))
#define SIZE_OF_NT_SIGNATURE (sizeof(DWORD))
#define PEFHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE))
#define OPTHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE+sizeof(IMAGE_FILE_HEADER)))
#define SECHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE+sizeof(IMAGE_FILE_HEADER)+sizeof(IMAGE_OPTIONAL_HEADER)))
#define RVATOVA(base,offset) ((LPVOID)((DWORD)(base)+(DWORD)(offset)))
#define VATORVA(base,offset) ((LPVOID)((DWORD)(offset)-(DWORD)(base)))
 
 
typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;
 
typedef DWORD (WINAPI *PFN_NtMapViewOfSection)( HANDLE SectionHandle,
                                                                                                HANDLE ProcessHandle,
                                                                                                PVOID *BaseAddress,
                                                                                                ULONG ZeroBits,
                                                                                                ULONG CommitSize,
                                                                                                PLARGE_INTEGER SectionOffset,
                                                                                                PULONG ViewSize,
                                                                                                SECTION_INHERIT InheritDisposition,
                                                                                                ULONG AllocationType,
                                                                                                ULONG Protect
                                                                                        );
 
 
CRITICAL_SECTION _cs;
UINT _nInitCount = 0;
BOOL _fModified;
WORD _OriginalCharacteristics;
BYTE _abTrampolineNtMapViewOfSection[DETOUR_TRAMPOLINE_SIZE];
BYTE _abTrampolineDllMain[DETOUR_TRAMPOLINE_SIZE];
 
static BOOL APIENTRY PseudoDllMain( HMODULE hModule, DWORD  dwReason, LPVOID lpReserved ){
        if( dwReason == DLL_PROCESS_ATTACH )
                ::DisableThreadLibraryCalls( hModule );
        return TRUE;
}
 
static BOOL SetImageCharacteristics( PVOID hModule, WORD dwAdded, WORD dwRemoved, WORD* OldCharacteristics ){
        PIMAGE_FILE_HEADER pfh;
        PIMAGE_OPTIONAL_HEADER poh;
        pfh = (PIMAGE_FILE_HEADER)PEFHDROFFSET(hModule);
        poh=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(hModule);
        WORD newCharacteristics = pfh->Characteristics;
        if( OldCharacteristics != NULL )
                *OldCharacteristics = newCharacteristics;
        newCharacteristics |= dwAdded;
        newCharacteristics &= ~dwRemoved;
        DWORD newProtect, oldProtect;
        newProtect = PAGE_EXECUTE_WRITECOPY;
        VirtualProtect(hModule,poh->SizeOfHeaders,newProtect,&oldProtect);
        pfh->Characteristics = newCharacteristics;
        VirtualProtect(hModule,poh->SizeOfHeaders,oldProtect,&newProtect);
        return TRUE;
}
 
static DWORD WINAPI Mine_NtMapViewOfSection(
    HANDLE SectionHandle,
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    ULONG ZeroBits,
    ULONG CommitSize,
    PLARGE_INTEGER SectionOffset,
    PULONG ViewSize,
    SECTION_INHERIT InheritDisposition,
    ULONG AllocationType,
    ULONG Protect
    )
{
        PFN_NtMapViewOfSection fnNtMapViewOfSection =(PFN_NtMapViewOfSection)&_abTrampolineNtMapViewOfSection[0];
        DWORD retval = fnNtMapViewOfSection( SectionHandle,
                                                                        ProcessHandle,
                                                                        BaseAddress,
                                                                        ZeroBits,
                                                                        CommitSize,
                                                                        SectionOffset,
                                                                        ViewSize,
                                                                        InheritDisposition,
                                                                        AllocationType,
                                                                        Protect
                                                                );
 
        if( _fModified )
                return retval;
        _fModified = TRUE;
        PVOID hImage = *BaseAddress;
        SetImageCharacteristics( hImage, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, &_OriginalCharacteristics );
        PIMAGE_OPTIONAL_HEADER poh;
        poh=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(hImage);
        DetourFunctionWithEmptyTrampoline( _abTrampolineDllMain,(PBYTE)((DWORD)hImage+poh->AddressOfEntryPoint),(PBYTE)PseudoDllMain);
        return retval;
}
 
 
BOOL init(){
        if( _nInitCount++ == 0 )
                ::InitializeCriticalSection( &_cs );
        return TRUE;
}
 
BOOL Uninit(){
        if( --_nInitCount == 0 )
                ::DeleteCriticalSection( &_cs );
        return TRUE;
}
 
HMODULE WINAPI wLoadEW( LPCWSTR lpszExePath ){
        ::EnterCriticalSection( &_cs );
        FARPROC NtMapViewOfSection = ::GetProcAddress( GetModuleHandleW( L"NTDLL.DLL" ), "NtMapViewOfSection" );
        memset( _abTrampolineNtMapViewOfSection, 0x90, sizeof(_abTrampolineNtMapViewOfSection) );
        memset( _abTrampolineDllMain, 0x90, sizeof(_abTrampolineDllMain) );
        DetourFunctionWithEmptyTrampoline( _abTrampolineNtMapViewOfSection,(PBYTE)NtMapViewOfSection,(PBYTE)Mine_NtMapViewOfSection );
        _fModified = FALSE;
        HMODULE h = LoadLibraryW(lpszExePath);
        _fModified = TRUE;
        DetourRemove( _abTrampolineDllMain, (PBYTE)PseudoDllMain );
        DetourRemove( _abTrampolineNtMapViewOfSection, (PBYTE)Mine_NtMapViewOfSection );
        if( h != NULL )
                SetImageCharacteristics( h, _OriginalCharacteristics, IMAGE_FILE_DLL, NULL );
        ::LeaveCriticalSection( &_cs );
        return h;
}
 
HMODULE WINAPI wLoadEA( LPCSTR lpszExePath ){
        WCHAR szPath[MAX_PATH];
        ::MultiByteToWideChar( CP_ACP, 0,
                lpszExePath, -1,
                szPath, sizeof(szPath) );
        return wLoadEW(szPath);
}
 
 
BOOL WINAPI wFreebin( HMODULE hModule ){
        ::EnterCriticalSection( &_cs );
        memset( _abTrampolineDllMain, 0x90, sizeof(_abTrampolineDllMain) );
        PIMAGE_OPTIONAL_HEADER poh;
        poh=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(hModule);
        DetourFunctionWithEmptyTrampoline( _abTrampolineDllMain,(PBYTE)((DWORD)hModule+poh->AddressOfEntryPoint),(PBYTE)PseudoDllMain);
        FreeLibrary( hModule );
        ::LeaveCriticalSection( &_cs );
        return TRUE;
}
 





Main.cpp
Code: [Select]

#include <Windows.h>
 
 
// Non Member Functions
NtOpenSectionPtr NtOpenSection = NULL;
NtClosePtr NtClose = NULL;
NtMapViewOfSectionPtr NtMapViewOfSection = NULL;
NtUnmapViewOfSectionPtr NtUnmapViewOfSection = NULL;
RtlInitUnicodeStringPtr RtlInitUnicodeString = NULL;
ZwSystemDebugControlPtr ZwSystemDebugControl = NULL;
 
EnumSystemFirmwareTablesPtr EnumSystemFirmwareTables = NULL;
GetSystemFirmwareTablePtr GetSystemFirmwareTable = NULL;
u8 * CBlockBuffer = NULL;
u8 * EBlockBuffer = NULL;
 
 
 
int wsFuncLoad(void){
        HMODULE hNtdll;
        HMODULE hKerneldll;
        hNtdll = GetModuleHandle(L"ntdll.dll");
        hKerneldll = GetModuleHandle( L"kernel32.dll" );
        if (!(hNtdll && hKerneldll))
                return FALSE;
        NtOpenSection        = (NtOpenSectionPtr) GetProcAddress(hNtdll, "NtOpenSection");
        NtClose              = (NtClosePtr) GetProcAddress(hNtdll, "NtClose");
        NtMapViewOfSection   = (NtMapViewOfSectionPtr) GetProcAddress(hNtdll, "NtMapViewOfSection");
        NtUnmapViewOfSection = (NtUnmapViewOfSectionPtr) GetProcAddress(hNtdll, "NtUnmapViewOfSection");
        RtlInitUnicodeString = (RtlInitUnicodeStringPtr) GetProcAddress(hNtdll, "RtlInitUnicodeString");
        ZwSystemDebugControl = (ZwSystemDebugControlPtr) GetProcAddress(hNtdll, "ZwSystemDebugControl");
        EnumSystemFirmwareTables = (EnumSystemFirmwareTablesPtr) GetProcAddress(hKerneldll, "EnumSystemFirmwareTables");
        GetSystemFirmwareTable = (GetSystemFirmwareTablePtr) GetProcAddress(hKerneldll, "GetSystemFirmwareTable");
 
        return TRUE;
}
 
HANDLE OpenMemAccess(void){
        UNICODE_STRING usDevmem;
        OBJECT_ATTRIBUTES oaAttrs;
        NTSTATUS status;
        HANDLE hPhysMem = NULL;
        RtlInitUnicodeString(&usDevmem, L"\\device\\physicalmemory");
        InitializeObjectAttributes(&oaAttrs, &usDevmem, OBJ_CASE_INSENSITIVE, NULL, NULL);
        status = NtOpenSection(&hPhysMem, SECTION_MAP_READ, &oaAttrs);
        if (!NT_SUCCESS(status)){
                hPhysMem = NULL;
        }
 
        return hPhysMem;
}
 
int CloseMemAccess(HANDLE hPhysMem){
        NTSTATUS status;
        status = NtClose(hPhysMem);
        if (!NT_SUCCESS(status)){
                return FALSE;
        }
 
        return TRUE;
}
 
int MapMem(HANDLE hPhysMem, PVOID pBaseAddr, PDWORD pPhysAddr, PDWORD pSize){
        NTSTATUS status;
        PHYSICAL_ADDRESS paAddr;
 
        * (DWORD *) pBaseAddr = (DWORD) NULL;
        paAddr.HighPart = 0;
        paAddr.LowPart = *pPhysAddr;
        00119         status = NtMapViewOfSection(hPhysMem, NtCurrentProcess(), (PVOID *) pBaseAddr, 0L,
                *pSize, &paAddr, pSize, ViewShare, 0, PAGE_READONLY);
 
        if (!NT_SUCCESS(status))
        {
                hPhysMem = NULL;
                return FALSE;
        }
 
        *pPhysAddr = paAddr.LowPart;
        return TRUE;
}
 
int UnMapMem(PVOID pBaseAddr){
        NTSTATUS status;
        status = NtUnmapViewOfSection(NtCurrentProcess(), pBaseAddr);
        if (!NT_SUCCESS(status)){
                return FALSE;
        }
 
        return TRUE;
}
 
static BOOL setPrivilege(LPCTSTR privilegeName, BOOL enable){
        HANDLE              hToken;
        HANDLE              hCurrentProcess;
        DWORD               err;
        TOKEN_PRIVILEGES    tkprivs;
        hCurrentProcess = GetCurrentProcess();
        if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)){
                LookupPrivilegeValue(NULL, privilegeName, &tkprivs.Privileges[0].Luid);
                tkprivs.PrivilegeCount = 1;  // one privilege to set
                tkprivs.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;
                AdjustTokenPrivileges(hToken, FALSE, &tkprivs, 0, (PTOKEN_PRIVILEGES)NULL, NULL);
        }
        err = GetLastError();
        return err == ERROR_SUCCESS;
}

Pages: [1]