Forwarded from Заметки Хакер
Hook IAT inside process example
#include <Windows.h>
#include <stdio.h>
#define VA(imageBase, RVA) ((ULONG)imageBase + (ULONG)RVA)
void printAddr() {
LPVOID addr1 = MessageBoxA;
LPVOID addr2 = GetProcAddress(GetModuleHandleA("user32.dll"), "MessageBoxA");
printf("%s 0x%08x, %s 0x%08x\n", "MB from IAT", addr1, "MB from EAT", addr2);
}
void Hook_IAT_MB(LPVOID originalFunc, LPVOID newFunc) {
PIMAGE_DOS_HEADER currentDosHeader = (PIMAGE_DOS_HEADER)GetModuleHandle(NULL);
PIMAGE_NT_HEADERS currentNtHeader = (PIMAGE_NT_HEADERS)((ULONG)currentDosHeader + currentDosHeader->e_lfanew);
PIMAGE_DATA_DIRECTORY dataDir = (PIMAGE_DATA_DIRECTORY)(currentNtHeader + currentNtHeader->FileHeader.SizeOfOptionalHeader);
PIMAGE_IMPORT_DESCRIPTOR iat = (PIMAGE_IMPORT_DESCRIPTOR)((VA(currentDosHeader, currentNtHeader->OptionalHeader.DataDirectory[1].VirtualAddress)));
while (iat->OriginalFirstThunk) {
LPSTR funcName = (LPSTR)VA(currentDosHeader, iat->Name);
printf("%s\n", funcName);
if (strcmp(funcName, "USER32.dll") == 0 ) {
PIMAGE_THUNK_DATA thunk = (PIMAGE_THUNK_DATA)VA(currentDosHeader, iat->FirstThunk);
while (thunk->u1.Function) {
if (thunk->u1.Function == (DWORD)originalFunc) {
DWORD oldPermissions;
DWORD status = VirtualProtect((LPVOID)thunk, 1, PAGE_EXECUTE_READWRITE, &oldPermissions);
thunk->u1.Function = (DWORD)newFunc;
status = VirtualProtect((LPVOID)thunk, 1, oldPermissions, &oldPermissions);
return;
}
thunk++;
}
}
iat++;
}
}
int main() {
printAddr();
Hook_IAT_MB(MessageBoxA, (LPVOID)0x11223344);
printAddr();
MessageBoxA(GetForegroundWindow(), "Text", "Caption", 0);
system("pause");
return 0;
}
Forwarded from Hacker News
Where the top of the stack is on x86 (2011) (Score: 100+ in 1 day)
Link: https://readhacker.news/s/4LciX
Comments: https://readhacker.news/c/4LciX
Link: https://readhacker.news/s/4LciX
Comments: https://readhacker.news/c/4LciX
#include <Windows.h>Довольно тупо(хз), но!
typedef int(WINAPI* ShellAboutProc)(HWND, LPCSTR, LPCSTR, HICON);
typedef int(WINAPI* MessageBoxProc)(HWND, LPCSTR, LPCSTR, UINT);
int main() {
HMODULE hModule1 = LoadLibrary(TEXT("Shell32.dll"));
HMODULE hModule2 = LoadLibrary(TEXT("User32.dll"));
ShellAboutProc shellAboutF = (ShellAboutProc)GetProcAddress(hModule1, "ShellAboutA");
MessageBoxProc MessageBoxF = (MessageBoxProc)GetProcAddress(hModule2, "MessageBoxA");
shellAboutF(NULL, "hello", "world", NULL);
MessageBoxF(NULL, (LPCSTR)"hello", (LPCSTR)"world", MB_OK);
FreeLibrary(hModule1);
//FreeLibrary(hModule2);
}
User32.dll= юзер
Shell32.dll= шел
Если мы подгружаем либу шел, которая импортирует в том числе юзера
И подгружаем юзера отдельно, то в конце, когда мы выгрузим шел (шел при выгрузке выгрузит только себя, всё, что она импортировала, останется), мы не сможем выгрузить юзера
После
FreeLibrary(hModule2);просто ничего не произойдёт и она останется в памяти
Reverse Dungeon
Alternative Data Streams echo ORDINARY_DATA > example.txt echo SECRETDATA > example.txt:ADS dir /r - show all files with ADS's more < example.txt:ADS
Deep Instinct
The Abuse of Alternate data stream hasn't disappeared
Abuses of Alternate Data Streams has for a long time occured the wild, however more recently it is being used to hide a malicious payload in the file system
Forwarded from Order of Six Angles
Lokibot - популярный стилер, одной из характерных черт которого является api hashing
Очень подробное описание того, что такое api hashing, на примере как раз Lokibot
https://neil-fox.github.io/Anti-analysis-using-api-hashing/
Образцы Lokibot можно найти тут
https://bazaar.abuse.ch/browse/tag/Lokibot/
Очень подробное описание того, что такое api hashing, на примере как раз Lokibot
https://neil-fox.github.io/Anti-analysis-using-api-hashing/
Образцы Lokibot можно найти тут
https://bazaar.abuse.ch/browse/tag/Lokibot/
PEB - Process Environment Block
TIB - Thread Information Block
The PEB contains information about the currently running processes including the list of DLL’s that have been loaded or mapped into the processes memory.
The FS register contains the address of the data structure called TIB and a pointer to the PEB can be found in the TIB at the offset value of 0x30. Based on this information a pointer to the PEB can always be found at FS:[30].
TIB - Thread Information Block
The PEB contains information about the currently running processes including the list of DLL’s that have been loaded or mapped into the processes memory.
The FS register contains the address of the data structure called TIB and a pointer to the PEB can be found in the TIB at the offset value of 0x30. Based on this information a pointer to the PEB can always be found at FS:[30].
Forwarded from vx-underground
Forwarded from infosecurity
Most Important Security Tools and Resources For Security Researchers and Malware Analyst
https://gbhackers.com/most-important-tools/
https://gbhackers.com/most-important-tools/
GBHackers Security | #1 Globally Trusted Cyber Security News Platform
100+ Best Malware Analysis Tools & Resources - 2026
Best Malware Analysis Tools - 11.IDA Pro 2.YARA 3. Wireshark 4.WINdbg 5.ImmunityDebugger 6.Cuckoo Sandbox 7.Virustotal 8. Resource Hacker
Reverse Dungeon
http://pferrie.epizy.com/papers/
Unpackers_Notes.zip
3.1 MB
All unpackers' pdf from here
Forwarded from Security Harvester
A CTF-style walkthrough of the recent Exiftool arbitrary code execution vuln (CVE-2021-22204) - https://blog.bricked.tech/posts/exiftool/
Forwarded from RedBlueTM Hit (Gateway)
#Exclusive 🔥
BlackHat Conference 2021 Presentation
Download: hide01.ir/downloads/blackhat-2021
@RedBlueHit 💀👀
@RedBlueTM 🔒
BlackHat Conference 2021 Presentation
Download: hide01.ir/downloads/blackhat-2021
@RedBlueHit 💀👀
@RedBlueTM 🔒