

Highest Reputation Content


#22864 Bypass Win8.1 UAC source + documentation

Posted by romero on 02 January 2015 - 12:17 AM

Bypass Win8.1 UAC source + documentation (translated from chinese)

The source code is a modification of the POC initially reported by a foreigner (the GUI version does not use that code directly; you can implement your own, it is not released here).
This document contains a detailed description of the POC.
The win7 UAC bypass initially released by the foreigner is at the following URL:

http://www.pretentio...n7...list2.html

The win8.1 Dll hijack has been repaired, so we now hijack another exe; several windows exes can be hijacked ...

BypassUac_Inject.cpp is the crucial source file; apart from some interprocess memory copy code, the other files are GUI-related code.

The POC program includes:

- GUI code (most of the code is UI-related; you can write a command-line version)

- Error handling / reporting code (makes diagnosing program errors easier)

- Cleanup code (after bypassing UAC, cleans up the Dll left in the system directory)

- We can choose a different target process to inject into (Explorer.exe is the most appropriate process; Calc.exe, Notepad.exe and MSPaint.exe also work)

In fact, the code is not that complicated, really.

* Note *

- For a 64-bit operating system compile a 64-bit program; for a 32-bit operating system compile a 32-bit program ...

- If you accidentally inject a 32-bit DLL into a 64-bit process, the injected program may crash, and vice versa ... so 32-bit for a 32-bit operating system, 64-bit for a 64-bit operating system ...

- The target process you choose may need ASLR (address randomization) enabled; if you turn off ASLR for the EXE, then the target process also needs ASLR turned off. Essentially, the load address of Kernel32.dll must be the same in both processes, so the two processes must handle address randomization consistently. The system processes that can be used basically all have ASLR enabled, so the compiler option defaults to it. If you find the target process crashes during injection, check the ASLR state of the Explorer process.

- The code is not multi-process / multi-thread safe (because the black DLL may also be in use, you may need to add a mutex to prevent the DLL from being deleted or detected unexpectedly)

** Details use: **

The code uses two vulnerabilities of the system. The first flaw is comparatively more of a vulnerability and also more difficult to repair. The second vulnerability, DLL hijacking, is relatively easy to fix; otherwise Microsoft would not have fixed the classic sysprep.exe dll hijacking in win8.1.

Exploit 1 (ordinary permissions can copy files to the system directory without triggering the pop-up interception):

1.1) We choose a program with a Microsoft digital signature, such as Explorer.exe.
1.2) Remote thread injection into the target process. (Are there any restrictions? We just need to choose a process in the same session as our main program; Explorer.exe is a good target process.)
1.3) The injected code creates a COM object, IFileOperation. (With the default UAC option of win7, 8, 8.1, and a target process that has Microsoft copyright and digital signature, it will not trigger the UAC prompt.)
1.4) The injected code uses the IFileOperation interface to copy our black Dll to the specified system directory.
1.5) The injected code starts a program that has a shield and is on the UAC whitelist.
1.6) The injected code waits for the program with the shield that is on the UAC whitelist to finish.
1.7) The injected code uses the IFileOperation interface to delete the black Dll.

Exploit 2 (System Dll hijacking):

BypassUacDll.dll is a very simple dynamic link library file, embedded in the main program BypassUac in the form of a resource file.

We are looking for system programs that can be Dll hijacked.

Note: if we move / rename / replace files under System32 with ordinary privileges, a prompt pops up asking for administrator privileges to perform the operation. So we need the IFileOperation object mentioned above to help us complete these operations.

How to find programs that can be Dll hijacked: monitor System32 processes and you will find that C:\Windows\sysprep.exe will load a dynamic link library called cryptbase.dll from the System32\sysprep directory by default.

And this cryptbase.dll is located under the System32 directory; currently there is no good way to replace it, but we can take advantage of the loophole above to copy a fake Dll into the sysprep directory. sysprep.exe by default loads cryptbase.dll from its current directory, and only if it cannot find it there does it look for cryptbase.dll in the System32 directory.

Since the win8.1 sysprep.exe hijacking via injection has expired, we use another program: C:\Windows\System32\migwiz\migwiz.exe.

http://bbs.pediy.com...?t=187210&pp=40

 

Source (vs2010 works directly compiled to)

Packed all together here : http://www68.zippysh...58619/file.html

 


  • 6


#22808 CodeCracker's old nickname stolen.. :)

Posted by CodeCracker on 12 December 2014 - 08:17 PM

I don't care about it!

I've changed my mind. He got a VIP promotion on the URET forum, probably due to that name.

So it is a problem.


  • 6


#21400 Microsoft .NET Native

Posted by kao on 08 April 2014 - 10:09 AM

Ooook.. After spending several hours yesterday installing all that horrid crap on that equally horrid OS, I finally managed to build something into .NETNative. That's an experience I don't want to repeat. Ever.

tl;dr - .NET-style metadata are gone. You get native exe+dll+mrt100_app.dll

How to install it.
1) You pretty much follow instructions by MS. Install VS2013 on Win8.1, install Visual Studio 2013 Update 2 RC, install .NETNative package kindly provided by JeRRy.
2) Open or create project for Windows Store app.
3) VS2013 will bug you to get Developers licence. Just hit Cancel, you don't need it for testing.
4) Right-click project and select "Enable for .NET Native"
5) Lots of magic will happen in the background, and nice MHT document will open and describe next 2 steps.
6) Select solution, in properties select correct configuration. "AnyCPU" won't do, you need either ARM or X64.
7) Then select project, and in Build properties for this configuration enable "Compile with .NET Native" toolchain.

Build process
1) Once you've set up configurations properly, run Build as usual.
2) If you've enabled .NET Native, in the log window you'll see something like this:
.NET Native Build starting: Several compilation stages will occur. Please be patient as this may take several minutes.

1>------ Rebuild All started: Project: App1, Configuration: Debug x64 ------
1>  App1 -> C:\123\App1\App1\bin\x64\Debug\App1.exe
1>  Loading 63 modules...
1>  Checking assembly C:\123\App1\App1\bin\x64\Debug\App1.exe

...

1>  Build succeeded.
1>      0 Warning(s)
1>      0 Error(s)
1>  
1>  Time Elapsed 00:02:27.26
1>  Compilation successful.
1>  
========== Rebuild All: 1 succeeded, 0 failed, 0 skipped ==========
Yes, it takes 2.5 minutes to build app that does absolutely nothing.

Result
I tested simple SplashScreenApp from official MS code samples.

.NET EXE size - 35KB. Download link for EXE file: https://www.mediafir...99csgohbvyiegab
.NET Native: EXE size - 4KB, DLL size - 3.6MB, mrt100_app.dll - 300KB. Download link for binaries+PDB file, so that you can explore it a bit: https://www.mediafir...ac3ggddv76chcv4
These are not complete application packages, you will not be able to run them! Just explore them and see how bad the future is...

EDIT 2x: Typos. Lots of them. I can't type today.
  • 6


#24735 Pwn2Own 2016: Windows, OS X, Chrome, Edge, Safari all hacked

Posted by whoknows on 21 March 2016 - 06:00 AM

http://www.ghacks.net/2016/03/20/pwn2own-2016-windows-os-x-chrome-edge-safari-hacked/

 
*bonus* - Bypassing Antivirus With Ten Lines of Code

http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html

*bonus* - How to hack a sex toy

http://www.reuters.com/article/us-germany-cyber-idUSKCN0WH1YU

  • 5


#23707 Why you shouldn't downgrade to Windows 10

Posted by Kurapica on 01 August 2015 - 12:55 PM

I won't discuss the design beauty or technical details ! I will just quote some parts of their EULA ..

 

 

“Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks. Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage.”

 

 

“We may collect information about your device and applications and use it for purposes such as determining or improving compatibility” and “use voice input features like speech-to-text, we may collect voice information and use it for purposes such as improving speech processing.”

 

 

“If you open a file, we may collect information about the file, the application used to open the file, and how long it takes any use [of] it for purposes such as improving performance, or [if you] enter text, we may collect typed characters and use them for purposes such as improving auto-complete and spell check features.”


  • 5


#23135 Wireless networking tutorial

Posted by CodeCracker on 09 March 2015 - 06:39 PM

A wireless networking tutorial; at the end it shows how to create a Peer-to-Peer Network using a UTP cable.
This is NOT a reverse engineering tutorial.
 

Attached Files


  • 5


#24904 Flash Decompiler

Posted by whoknows on 03 May 2016 - 11:49 AM

JPEXS Free Flash Decompiler
Opensource flash SWF decompiler and editor. Extract resources, convert SWF to FLA, edit ActionScript, replace images, sounds, texts or fonts. Various output formats available. Works with Java on Windows, Linux or MacOS.
 
You can find more information on homepage at: 
https://www.free-decompiler.com/flash/

source code @:

https://github.com/jindrapetrik/jpexs-decompiler

  • 4


#24322 Alternate.DLL Analyzer

Posted by whoknows on 07 January 2016 - 05:28 PM

A simple application to extract the available function names

 


http://www.alternate-tools.com/pages/c_dllanalyzer.php?lang=ENG

  • 4


#23644 Visual Studio 2015 Final

Posted by bprg on 20 July 2015 - 04:16 PM

Visual Studio 2015 Final

Community Edition

 

Enterprise Edition

 

Professional Edition


  • 4


#23010 CoreCLR is open-source!

Posted by yck1509 on 04 February 2015 - 07:11 AM

See https://github.com/dotnet/coreclr

It seems very similar to desktop version of .NET

 

Also, FYI, https://github.com/d...c/corjit.h#L398

// Note: Obfuscators that are hacking the JIT depend on this method having __stdcall calling convention.

Which explains 0xd4d's observation at https://github.com/0...crypter.cs#L125 :P

 

EDIT: From their wiki: https://github.com/d...ki/Contributing

 

 

Equally important is to understand that both CoreCLR and Desktop CLR (part of the .NET Framework) are built from the same source code and this repository contains a subset of that source code - targeted to build CoreCLR.

It seems pretty sure most of the code is identical to desktop CLR.


  • 4


#22745 Any problems with the new style ?

Posted by Kurapica on 05 December 2014 - 05:51 PM

Sorry about that ...

 

we can't disappoint kao and CodeCracker in one day ! ;)

 

I fixed the code highlighting for both styles and now you can use the old one.

 

have fun.


  • 4


#21442 Brain Food for Hackers [ A must read blog ]

Posted by Kurapica on 10 April 2014 - 08:11 PM

Don't waste your weekends on mental plagues like Facebook or WhatsApp !

 

have fun reading those topics.

 

I packed the latest topics in 3 MHTML files. To open this kind of file in Firefox you will need a small add-in, or simply browse the BLOG online!

 

you can open them in IE but I don't talk to people who use IE :D

 

All credits to the Author of this blog : Gustavo Duarte

 

http://duartes.org/gustavo/blog/

Attached Files


  • 4


#16057 Save the nature

Posted by CodeCracker on 03 December 2011 - 06:30 AM

As you may have noticed, I am retired from SnD. I have a lot of things to sort out in my life. I will do less reversing from now on.

Lately I am ready to die for the ecology!
My message will be: save the nature.
  • 4


#25282 PowerShell source

Posted by Xenocode on 21 August 2016 - 04:07 AM

 

https://github.com/P...hell/PowerShell

 


  • 3


#25026 HTTPS certificate expired

Posted by Kurapica on 10 June 2016 - 05:38 PM

Solved ...


  • 3


#24814 .NET female "hacker"

Posted by Kurapica on 11 April 2016 - 06:23 PM

I finally found one !

 

 

Just for laughs :D


  • 3


#24752 [HELP] Project with function hooking / memory patching

Posted by kao on 23 March 2016 - 12:31 PM

I have access to the executable file - I can reverse engineer it, but I cannot modify the file in any way (thus memory patching).

Care to explain why? Is it protected with some tough protector like VMProtect?

 

hook functions like NtFileCreate, but I encountered a bunch of problems. I cannot properly catch and edit the file name of the file I want to ‘redirect’.

Yuck. It's a very bad idea for multiple reasons.

Nt* functions use specific style of strings - UNICODE_STRING, to be exact. So, all your processing should take that into account.
Functions like NtFileCreate can use namespaces and other weird stuff. It gets complicated real fast: https://msdn.microso...7(v=vs.85).aspx
And don't get me even started on all possible race and re-entrancy problems.. :)

In short - don't hook NtFileCreate if you can. Try hooking CreateFileA/W or other top-level functions.
 

I also experience weird anomalies when injecting my DLL – the target executable starts permanently malfunctioning until I restart my computer (message boxes won’t show, icons will disappear, clicks refuse to work, etc.).

Sounds like a bad side effect of hooking. You're either clobbering some register values or stack, or memory.

First, try injecting DLL that does nothing. If that causes problems, your DLL or injector are flawed. Then try installing hooks that do nothing. If they work, problem is in your code. If app still behaves weird, hooks are causing the problem - try again with different hooking lib.


  • 3
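The UNICODE_STRING point kao raises above, shown as an added example (not code from the post or from the asker's project): Nt* file functions describe names with a byte Length and a Buffer that need not be NUL-terminated, so a hook that treats the name as a C string reads past the string it was handed. The struct below is a platform-neutral stand-in for the Windows definition so it builds anywhere, and the sample NT path is constructed for the demo; the naive copy, the Length-aware copy, the suffix test and the constructor are all assumptions of this example, not any library's API.

```c
/* Added example: handling the UNICODE_STRING that Nt* file functions receive. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t WCHAR;           /* 16-bit on Windows; wchar_t is 32-bit elsewhere */
typedef struct {                  /* stand-in for the ntdef.h layout (assumption) */
    uint16_t Length;              /* bytes in use, NOT characters; terminator not counted */
    uint16_t MaximumLength;       /* bytes available in Buffer */
    WCHAR   *Buffer;              /* need not be NUL-terminated */
} UNICODE_STRING;

static size_t us_chars(const UNICODE_STRING *us) {
    return us->Length / sizeof(WCHAR);
}

/* Widen ASCII into a NUL-terminated WCHAR buffer (caller frees). */
static WCHAR *ascii_to_wide(const char *s, size_t *nchars) {
    size_t n = strlen(s);
    WCHAR *w = malloc((n + 1) * sizeof(WCHAR));
    for (size_t i = 0; i < n; i++) w[i] = (WCHAR)(unsigned char)s[i];
    w[n] = 0;
    if (nchars) *nchars = n;
    return w;
}

/* WRONG: treats Buffer as a C string and runs to the first NUL, which may
 * lie beyond Length (the string is often a view into a longer path). */
static size_t copy_name_naive(const UNICODE_STRING *us, char *out, size_t cap) {
    size_t i = 0;
    while (us->Buffer[i] != 0 && i + 1 < cap) { out[i] = (char)us->Buffer[i]; i++; }
    out[i] = 0;
    return i;
}

/* RIGHT: copy exactly Length/2 characters and add our own terminator. */
static size_t copy_name_correct(const UNICODE_STRING *us, char *out, size_t cap) {
    size_t n = us_chars(us);
    if (n + 1 > cap) n = cap - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = us->Buffer[i] < 0x80 ? (char)us->Buffer[i] : '?';
    out[n] = 0;
    return n;
}

/* Suffix match that never reads past Length. */
static int us_ends_with(const UNICODE_STRING *us, const char *suffix) {
    size_t n = us_chars(us), m = strlen(suffix);
    if (m > n) return 0;
    for (size_t i = 0; i < m; i++)
        if (us->Buffer[n - m + i] != (WCHAR)(unsigned char)suffix[i]) return 0;
    return 1;
}

/* Build a well-formed UNICODE_STRING: Length excludes the terminator,
 * MaximumLength includes it (caller frees Buffer). */
static UNICODE_STRING us_from_ascii(const char *s) {
    UNICODE_STRING us;
    size_t n;
    us.Buffer = ascii_to_wide(s, &n);
    us.Length = (uint16_t)(n * sizeof(WCHAR));
    us.MaximumLength = (uint16_t)((n + 1) * sizeof(WCHAR));
    return us;
}

/* Convenience wrapper: build, test the suffix, free. */
static int path_ends_with(const char *path, const char *suffix) {
    UNICODE_STRING us = us_from_ascii(path);
    int r = us_ends_with(&us, suffix);
    free(us.Buffer);
    return r;
}

/* Constructed sample: the full NT path is NUL-terminated, but the
 * UNICODE_STRING handed to the hook covers only its directory part.
 * Returns 1 when the naive copy disagrees with the Length-aware copy. */
static int demo_view_mismatch(void) {
    size_t n;
    WCHAR *full = ascii_to_wide("\\??\\C:\\temp\\redirect.txt", &n);
    UNICODE_STRING dir;
    dir.Length = (uint16_t)(11 * sizeof(WCHAR));          /* covers "\??\C:\temp" */
    dir.MaximumLength = (uint16_t)((n + 1) * sizeof(WCHAR));
    dir.Buffer = full;
    char naive[64], correct[64];
    size_t a = copy_name_naive(&dir, naive, sizeof naive);      /* 24 chars: over-read */
    size_t b = copy_name_correct(&dir, correct, sizeof correct); /* 11 chars */
    int mismatch = (a != b) || strcmp(naive, correct) != 0;
    free(full);
    return mismatch;
}

int main(void) {
    printf("naive copy differs from Length-aware copy: %d\n", demo_view_mismatch());
    printf("ends with redirect.txt: %d\n",
           path_ends_with("\\??\\C:\\temp\\redirect.txt", "redirect.txt"));
    return 0;
}
```

The same Length discipline applies in the other direction: any replacement name a hook writes back must carry a correct Length and a MaximumLength no smaller than it, as us_from_ascii does, or the callee will read or write outside the buffer.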


#24436 Scrollers Collection For Keygens

Posted by Jasi2169 on 26 January 2016 - 04:35 PM

Scrollers Collection For Keygens

You can either use the DLL or the static libraries depending on your need. C#, Java and VB.NET developers can use the DLL to invoke the scrollers, C or C++ developers can use both as per need.

Source code for the DLL loader and loading DLL's is attached, you can easily manage to get it working with static libraries too. (If you have any issue, post it here). All scrollers are made with all possible simplicity and functionality. See the loader.exe in attached file.

Run it and move/play with the scrollers; you can also rearrange them, change their positions, change text colors, height, width, self-move, parent move, etc.

Download :-

http://www15.zippysh...LaZ8W/file.html


Password :- team-uret

  • 3


#24431 Game Hacking: Developing Autonomous Bots for Online Games

Posted by Kurapica on 25 January 2016 - 07:28 PM


 

 

Wish your favorite PC game had a more informative heads up display? What if you could instantly collect all that loot from your latest epic battle? You don't need to be a sorcerer to transform a game you like into a game you love. Just make a bot to do the grunt work for you!

If you're familiar with Windows-based development and memory management, then Game Hacking, provides all the tools and knowledge you need to become a true game hacker. Let veteran game hacker Nick Cano teach you the basics, including reverse engineering, assembly code analysis, programmatic memory manipulation, and code injection. Throughout the book, you'll hone your new skills with hands-on labs, dig into practice binaries, and learn to write your own bot.

 

 

BOOK + CODE

 

DOWNLOAD

 

 

 


  • 3


#24281 Safe Native Code

Posted by whoknows on 20 December 2015 - 03:27 PM

http://joeduffyblog.com/2015/12/19/safe-native-code/

---------------------------

 

btw donate @:

http://telethon.archive.org/

---------------------------

bonus!

https://www.udemy.com/google-hacking-and-pentesting/

  • 3