~ Let be letters and mnemonics your voice. ~

EOF/VirusTech zine
Contributions are welcome!



EOF/DR/RRLF zine released on: 27th July 2008
Download from: EOF-Project or VX Heavens

EOF #1 released on: 1st January 2007
Download from: EOF-Project or VX Heavens


DooM RiderZ issue #1
(Mirror)
Articles

Virtual Disks Infection  by WarGame/EOF (also in EOF-DR-RRLF)
The usage of virtualization technology is increasing more and more nowadays, mainly because of its safe test environment and its ability to run another system without the use of multi-boot. In this article we are going to speak about VirtualBox virtual disk infection.

Browse project files - Download project files


Some ideas about OpenOffice infection  by WarGame/EOF (also in EOF-DR-RRLF)
This article will try to explain a new way of infecting OpenOffice documents. Other OO virii have been written using the Basic programming language offered by OO, like Starbucks, Stardust or the multi-platform BadBunny. It is possible to infect the documents using their simple structure.

Browse project files - Download project files


A simple way to detect VirtualBox  by WarGame/EOF (also in EOF-DR-RRLF)
There are a lot of ways to detect virtualized environments; here I will show only a simple trick to detect if you are running inside VirtualBox. This trick requires that the guest additions (a component that lets you exchange files between a virtualized system and the real one) are installed on the virtualized system, because the detection is based on them.

Browse project files - Download project files


New anti debugging possibilities  by izee/EOF (also in EOF-DR-RRLF)
Nowadays there are plenty of anti-debugging tricks, some of them known, some not. However, all publicly known tricks are Win32-specific and Win64 is currently still untouched. In the first part of the article I'm going to demonstrate a few new tricks, which are coded for Win64 but can be easily ported to Win32. In the second part I'll show how to implement SEH and TLS on Win64 and also some other new Win64-specific anti-debug techniques.

Browse project files - Download project files


Controlling the process execution  by v1rusL4ir (also in EOF-DR-RRLF)
In my rootkit research I came to the conclusion that I need to have total control over the victim. Is the user about to execute some kind of AV or rootkit-hunting software? If so, I need to be aware.

See also: pControl


Stealth API based decryptor  by kaze/FAT (also in EOF-DR-RRLF)
I'll try to present here a new approach to evade AV detection. Instead of increasing the complexity of the decryptor, as most of the actual poly engines tend to, we will try to build a decryptor that looks as common as possible, hoping for the AV to cancel emulation. We will try to increase the risk of false positives during virus detection.

See also: Win32.Leon


Virtual Code  by roy g biv (also in EOF-DR-RRLF)
... my idea is to remove all code from a section, and use relocation data to restore it. Since the section is now only in virtual memory, I call it virtual code. It seems that IDA does not support multiple relocations being applied to the same location, so it cannot handle my files. :)

See also: Win32.Relock


Brutal Address Space Layout Randomisation  by roy g biv (also in EOF-DR-RRLF)

Other Address Space Layout Randomisation implementations require that a file has relocations, so that the sections can be moved to new locations in memory.

My Address Space Layout Randomisation does not require that a file has relocations. I call this "brutal" because of how it works - it makes a copy of the host process memory in a different location, and marks the old host process memory as NO_ACCESS. Then it redirects all accesses when a page fault occurs. The redirection is to a place in memory that is allocated "randomly".

What technique?
Simply that a protected process cannot be dumped using ordinary tools.


See also: Tool.BASLR


New Uses For FSAVE  by roy g biv (also in EOF-DR-RRLF)
FSAVE is an old instruction for the FPU which it seems has not been explored fully.

See also: Win32.Mimix.a


New Uses For FSAVE: Extended FSAVE (continuation)  by roy g biv (also in EOF-DR-RRLF)
Last time we talked about FPU for instruction reordering, but it is limited because we cannot use arithmetic operations. We can avoid that problem if we think about what else is stored in the FPU state: the MMX registers.

See also: Win32.Mimix.b


New Uses For FSAVE: FXSAVE (continuation)  by roy g biv (also in EOF-DR-RRLF)
Last time we talked about MMX for instruction reordering. It is great because we have 64-bit registers to use and there are no restrictions on the order of instructions or the arithmetic operations. Now we take it even further: the XMM registers.

See also: Win32.Mimix.c


Code integration on Linux: Cooking the PIE  by herm1t (also in EOF-DR-RRLF)
Since the advent of position-independent executables in Linux, the most interesting method of infection became possible: code integration, which is the matter in question in this article. The irony of it is that PIE, ASLR and ExecShield were meant to improve the security of Linux applications, and at the same time they opened new opportunities for viruses.

See also: Linux.Lacrimae


INT 0x80? No, thank you!  by herm1t (also in EOF-DR-RRLF)
After finishing the Lacrimae virus, which is able to extend any section and thus import library functions, I spent some time thinking about how an ordinary virus can use libc or any other library. There are a lot of opportunities for viruses having such a feature. Here I wish to present a method to do it, using the test virus Linux.Pilot as an example.

See also: Linux.Pilot


Reverse of a coin: A short note on segment alignment  by herm1t (also in EOF-DR-RRLF)
One of the widely used methods of ELF file infection was proposed by Silvio Cesare. To inject the virus into a file, the free space at the end of the text segment, which appears as a result of alignment, is used. Alignment is necessary to prevent the beginning of the data segment and the end of the text segment from ending up in the same page.

See also: Linux.Coin


Caveat virus  by herm1t (also in EOF-DR-RRLF)
This tutorial explains how to use small amounts of space within the Program Header Table to inject a tiny loader which will allocate memory for the main virus body, then load and execute it.

See also: Linux.Caveat


Hashin' the elves  by herm1t (also in EOF-DR-RRLF)
One day I was looking through ELF files with objdump and the .hash section caught my attention, and I thought: gee, can't we take some advantage of it? Nice section after all. Located in the code segment. Could it be shrunk or removed? In this article I want to share my findings.

See also: Linux.Hasher


How to have fun with ptrace syscall  by Cyberdude (also in EOF-DR-RRLF)
In this text I want to show you how it is possible to "hack" a process using some assembly strings and the dynamic linker.



Evolutionary Virus Propogation Technique  by saec (also in EOF-DR-RRLF)

 



Earlier articles

Vista: Surviving the restart  by Berniee/EOF
Since most processes will run in user mode by default under Vista, MS didn't want to stop legitimate processes from running correctly, so they established a virtualization trick to let processes store the information they need virtually. In this article I am trying to make use of virtualization to set up a startup runner executable.

 


Another BufferOverflow Article  by Berniee/EOF (also in EOF #1)
In this article I will introduce an explanation of how buffer overflows work by making exploitable code using the C++ strcpy() function, and then exploiting the strcpy() function to run our shellcode.

 


Infecting PE files by adding new resource  by Berniee/EOF (also in EOF #1)
A PE appender can be made in various ways: adding a new section, increasing the last section, or other ways. Here I will explain infecting a PE file by adding a new resource which will contain our code.

 


PowerShell viruses  by sk0r/ex (also in EOF #1)
In this tutorial I will teach you the basics of PowerShell coding and I will show you techniques like polymorphic variable changing...

 


Ferite virus writing guide  by WarGame/EOF (also in EOF #1)
Some time ago, browsing the net, I found a nice language called "ferite"; this tutorial will (try to) explain to you how to write self-replicating programs in that language.

 


Classic Cryptography Techniques  by Cyberdude (also in EOF #1)
The article covers the following subjects:

- Substitution Techniques
  Caesar's Cipher
  Playfair Cipher
  Hill Cipher
  Polyalphabetic Ciphers
- Transposition Techniques
- Rotor Machines.


 


Introduction to the DES algorithm  by Cyberdude (also in EOF #1)
The article covers the following subjects:

- Introduction to the DES algorithm, a simplification of DES: S-DES
- Stream ciphers and block ciphers
- Feistel block ciphers
- DES - Data Encryption Standard
- Block cipher modes of operation.


 


Solving Mathematical Problems on Computers  by Cyberdude (also in EOF #1)
The article covers the following subjects:

- The representation of numbers in a finite space
- Two problems with the addition operation
- The smallest positive number that can be considered and represented
- Binary representations of non-terminating numbers
- Solving polynomials with Horner's method
- Solving linear systems
- Gaussian elimination of unknowns to obtain an upper triangular matrix.


 


Modular arithmetic and introduction to the AES cipher  by Cyberdude (also in EOF #1)
The article covers the following subjects:

- Basic knowledge of modular arithmetic
- Euclid's greatest common divisor algorithm and an asm implementation
- Modular polynomial arithmetic in the Galois field GF(p^n)
- Introduction to the structure of the Rijndael Advanced Encryption Standard cipher
  The sub-steps of a single encryption round
  The AES key expansion procedure, from 4 to 44 words.


 


Using the .NET runtime compiler for file infection  by DiA/ex RRLF (also in EOF #1)
In this tutorial I describe how to infect executables by using the .NET runtime compiler.

 


FBSL virus writing guide  by Genetix/ex EOF (also in EOF #1)
At first FBSL looks a lot like VB. It has some common Pascal and C functions too. It's in its early stages, not YET supporting arrays... But it was fun to write this code in this language!

 


Hashes for encryption  by Second Part To Hell/ex RRLF (also in EOF #1)
If hash functions are used in viruses for encryption, antivirus programs would have to use a brute-force attack to find the real virus code. As brute force requires much time, and less scanning time is essential for antivirus programs, hash encryption might be a useful weapon against antivirus programs.

 


Compress easy  by tanMa/EOF (also in EOF #1)

This article is about compression and will be as short as possible because I don't want to bother you. I just want to advise you of some undocumented functions of Windows NT/XP and Windows Server 2003 that are used by the OS itself for internal operations during compression, and by some MS utility programs for managing files with the "compressed" attribute.

 


Wardriving uncovered  by Skvoznoy (also in EOF #1)
Everything that is required to begin the practical side of wardriving is: a notebook with a Wi-Fi card, some software, a GPS module for navigation and, of course, a comfortable backpack :) After reading this article you will learn to make maps of APs yourself, to analyze the safety of wireless networks and even to make jokes there.

Browse project files - Download project files



Copyright (c) 2006-2010 EOF-Project.net - Designed by Profit - Hosted by VX Heavens.