Saturday, April 24, 2010

[DOC] Inline Hook NtQueryDirectoryFile

Inline Hook NtQueryDirectoryFile

Hola!

There are a lot of sample source codes available on the Internet about hooking NtQueryDirectoryFile/ZwQueryDirectoryFile to achieve file hiding on Windows, but most of them do it from a driver.


It is nothing new anymore; it has been discussed throughout the Internet, and even the algorithm has been around for a few years. One of my favourite articles, Holy Father's "Invisibility on NT boxes, How to become unseen on Windows NT", digs deeply into a few stealth techniques on Windows. One of these stealth techniques is file hiding.

A short demo video:


The source code can be downloaded here.

Update: [10/05/2010]

Alternative download link: http://www.4shared.com/file/7jaxJs2K/inline_hooks_ntquerydirectoryf.html

Please note that the program does not work under Vista/Windows 7. To hide files on Vista or a later OS, you have to handle the FileIdBothDirectoryInformation value of FileInformationClass.
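A defender-side check for this technique, added here as an example and not code from this post: it compares the first bytes of an ntdll export such as NtQueryDirectoryFile as seen in a running process with the clean bytes of the module on disk, and decodes the JMP rel32 an inline hook plants so the analyst knows where the detour lands. The stub bytes, syscall number and addresses are constructed for the demo; reading the live and on-disk bytes is left to the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of comparing a live export prologue against its clean on-disk copy. */
typedef struct {
    int      patched;     /* 1 if the live bytes differ from the clean bytes   */
    int      jmp_rel32;   /* 1 if the live prologue starts with E9 (JMP rel32) */
    uint32_t jmp_target;  /* absolute target of that JMP (valid if jmp_rel32)  */
} hook_report;

/* live:  bytes read at the export's entry point inside the running process
 * clean: the same bytes taken from the module's on-disk image at the same RVA
 * va:    virtual address of the export in the process (resolves the rel32) */
hook_report check_inline_hook(const uint8_t *live, const uint8_t *clean,
                              size_t n, uint32_t va)
{
    hook_report r = {0, 0, 0};
    if (n < 5) return r;
    r.patched = memcmp(live, clean, n) != 0;
    if (live[0] == 0xE9) {                    /* JMP rel32: E9 <imm32, LE> */
        uint32_t rel = (uint32_t)live[1] | (uint32_t)live[2] << 8 |
                       (uint32_t)live[3] << 16 | (uint32_t)live[4] << 24;
        r.jmp_rel32  = 1;
        r.jmp_target = va + 5 + rel;          /* wraps mod 2^32 like the CPU */
    }
    return r;
}

/* Constructed sample: an XP-style 32-bit ntdll syscall stub
 * (mov eax, <number>; mov edx, 7FFE0300h; call [edx]; ret 2Ch).
 * The syscall number and the addresses below are made up for this demo. */
static const uint8_t clean_stub[15] = {
    0xB8, 0x91, 0x00, 0x00, 0x00, 0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12, 0xC2, 0x2C, 0x00 };
/* Same stub after an inline hook: first 5 bytes replaced by JMP 0x00401000 */
static const uint8_t hooked_stub[15] = {
    0xE9, 0xAB, 0x38, 0xAF, 0x83, 0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12, 0xC2, 0x2C, 0x00 };
#define STUB_VA 0x7C90D750u  /* constructed address of the export in memory */
hook_report demo_clean(void)  { return check_inline_hook(clean_stub,  clean_stub, 15, STUB_VA); }
hook_report demo_hooked(void) { return check_inline_hook(hooked_stub, clean_stub, 15, STUB_VA); }

int main(void)
{
    hook_report r = demo_hooked();
    printf("patched=%d jmp_rel32=%d target=%08X\n", r.patched, r.jmp_rel32, r.jmp_target);
    return 0;
}
```

The same comparison applied to every export of ntdll (or to the whole .text section) is how anti-rootkit scanners surface user-mode inline hooks.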

Signing off.
@x9090

Sunday, March 14, 2010

[TUTORIAL] Exploit Writing Tutorial From Basic To Intermediate

Exploit Writing Tutorial From Basic To Advanced


There is an increasing number of bloggers who like to share their knowledge of exploits, especially on how to create and write your own exploit.

In this post, I would like to collect the exploit tutorials that I have come across. This is not a comprehensive collection, but at least it is a good starting point for exploit beginners.

BASIC

David Hoelzer's tutorial from the SANS Institute is intended for application/software developers. The overall presentation explains the basic concept of a buffer overflow, how it occurs, how to exploit it manually and with automation, and how to create the exploit with Metasploit to automate the exploitation process.

The source code of the vulnerable server can be found on his blog.

The video tutorials can be downloaded here.

-- Reference: http://www.enclaveforensics.com/Blog/files/e6fb7327cb615688f90fc07656a3880d-28.html


INTERMEDIATE

I consider this intermediate, as it focuses more on real application exploits. Lupin from The Grey Corner explains exploitation from basic to intermediate level with step-by-step debugging. Here is the summary:
  1. Stack Based Windows Buffer Overflow Tutorial - http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html
  2. SEH Stack Based Windows Buffer Overflow Tutorial - http://grey-corner.blogspot.com/2010/01/seh-stack-based-windows-buffer-overflow.html
  3. Windows Buffer Overflow Tutorial: Dealing with Character Translation - http://grey-corner.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html 
  4. Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability - http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html
  5. Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump - http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html
 
-- Reference: http://grey-corner.blogspot.com


ADVANCED

Peter Van Eeckhoutte is the one who started this series of exploit tutorials (at least, he is the first I have ever seen who has provided the most comprehensive guides on exploit development and keeps updating them from time to time).

Peter Van Eeckhoutte

  1. Exploit writing tutorial part 1: Stack Based Overflows - http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
  2. Exploit writing tutorial part 2: Stack Based Overflows - jumping to shellcode - http://www.corelan.be:8800/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/
  3. Exploit writing tutorial part 3: SEH Based Exploits - http://www.corelan.be:8800/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
  4. Exploit writing tutorial part 3b: SEH Based Exploits - just another example - http://www.corelan.be:8800/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
  5. Exploit writing tutorial part 4: From Exploit to Metasploit - The basics - http://www.corelan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/
  6. Exploit writing tutorial part 5: How debugger modules & plugins can speed up basic exploit development - http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
  7. Exploit writing tutorial part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR - http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
  8. Exploit writing tutorial part 7: Unicode - from 0x00410041 to calc - http://www.corelan.be:8800/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
  9. Exploit writing tutorial part 8: Win32 Egg Hunting - http://www.corelan.be:8800/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
  10. Exploit writing tutorial part 9: Introduction to Win32 shellcoding - http://www.corelan.be:8800/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/

-- Reference: http://www.corelan.be:8800


If you have any nice exploit tutorials, please feel free to leave a comment here to share with others :)

Thanks!

Update:
- Part 5 from grey-corner [24/04/2010]

Sunday, January 17, 2010

CVE-2010-0249 - Internet Explorer 6 mshtml.dll Remote Code Execution

Remote Code Execution in mshtml.dll in Internet Explorer 6


CVE-2010-0249 is the vulnerability used in the targeted attack on Google; it exploits one of the IE 6 DLL components, mshtml.dll.

This post demonstrates the recently released Metasploit "Aurora" module that implements this exploit.

I am not able to post the exploit code here; it was probably blocked by Google's blog service because the shellcode or the JavaScript code is detected by them.

The shellcode is obfuscated; I deobfuscated it using HIEW:

Obviously, the shellcode payload downloads an additional file from this URL: http://demo1.ftpaccess.cc/demo/ad.jpg and performs further malicious activity.

References

[1] http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js -- Wepawet analysis
[2] http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb -- ie_aurora.rb Metasploit Aurora Exploit Module