http://duartes.org/gustavo/blog/post/how-the-kernel-manages-your-memory
Monday, July 30, 2012
Sunday, July 29, 2012
CentOS cannot boot
I have had a couple of times when CentOS could not boot.
Please read my previous article about how to use the Ubuntu LiveCD and mount the CentOS volume group disk. Then you can change the grub.cfg file.
http://fengweizhang.blogspot.com/2011/02/mount-lvm-partition-from-other-disk.html
But it didn't work this time.
I crashed CentOS again by adding mem=2000 to the boot arguments in grub.cfg. Even when I used the first method, it could not find any file in the /boot directory.
This time I solved it by using the CentOS LiveCD. It has a rescue function that installs grub and configures the boot flag automatically.
Wednesday, July 25, 2012
Heap Overflow Attacks
http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html
http://heapoverflow.com/
Saturday, July 21, 2012
Linux Kernel Stack Size
From testing:
Linux kernel 2.6.24 sets the process kernel stack size to 4KB,
while kernel 2.6.32 sets it to 8KB.
Usage: calculating current from ESP by masking off the low 12 or 13 bits.
http://lxr.linux.no/linux+v2.6.32/arch/x86/include/asm/page_32_types.h#L23
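The ESP-masking trick above, as an added example that is not code from this blog or from the Linux kernel: on 32-bit x86 kernels of this era the kernel stack is THREAD_SIZE-aligned with struct thread_info at its bottom, so clearing the low 12 bits (4KB stacks) or 13 bits (8KB stacks) of ESP recovers it. PAGE_SHIFT is 12 as on x86; the 64-byte thread_info size and the sample stack pointers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the blog or from the Linux kernel. On 32-bit
 * x86 kernels of this era the kernel stack is THREAD_SIZE-aligned and
 * struct thread_info sits at its lowest address, so masking ESP with
 * ~(THREAD_SIZE - 1) recovers it (and current is thread_info->task). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define THREAD_INFO_SIZE 64u   /* assumed size, for illustration only */

/* THREAD_ORDER 0 -> 4KB stacks (as the post reports for 2.6.24),
 * THREAD_ORDER 1 -> 8KB stacks (2.6.32). */
static uint32_t thread_size(unsigned thread_order) {
    return (uint32_t)(PAGE_SIZE << thread_order);
}

/* Equivalent of the old current_thread_info(): clear the low 12 or 13 bits. */
static uint32_t thread_info_base(uint32_t esp, unsigned thread_order) {
    return esp & ~(thread_size(thread_order) - 1);
}

/* Bytes of kernel stack still free below ESP, after the thread_info block
 * that occupies the bottom of the stack. Negative means ESP has run into it. */
static int32_t stack_remaining(uint32_t esp, unsigned thread_order) {
    uint32_t used_from_bottom = esp - thread_info_base(esp, thread_order);
    return (int32_t)used_from_bottom - (int32_t)THREAD_INFO_SIZE;
}

/* The check the kernel's own stack-overflow debugging performs: a stack that
 * has grown down into thread_info has overflowed and corrupted it. */
static int stack_overflowed(uint32_t esp, unsigned thread_order) {
    return stack_remaining(esp, thread_order) < 0;
}

int main(void) {
    uint32_t esp = 0xc12355f0u;   /* constructed sample stack pointer */
    printf("esp=%#x  4KB base=%#x  8KB base=%#x\n", esp,
           thread_info_base(esp, 0), thread_info_base(esp, 1));
    printf("esp=%#x  overflowed on 4KB stack: %d, on 8KB stack: %d\n",
           0xc1235010u, stack_overflowed(0xc1235010u, 0),
           stack_overflowed(0xc1235010u, 1));
    return 0;
}
```

The same ESP value can be inside the thread_info block on a 4KB stack yet have plenty of room on an 8KB one, which is why the mask width must match the kernel build.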
Debian Kernel Downloads
Debian 3.0 Woody
Kernel: 2.4
http://www.debian.org/releases/woody/
Debian 3.1 Sarge
Kernel: 2.4
http://www.debian.org/releases/sarge/debian-installer/
Debian 4.0 Etch
Kernel: 2.6.18
http://www.debian.org/releases/etch/
Debian 5.0 Lenny
Kernel
http://www.debian.org/releases/lenny/
Debian 6.0 squeeze
Kernel: 2.6.32
http://www.debian.org/releases/squeeze/
It looks like Debian does not change the kernel much from the mainline kernel,
while CentOS changes a lot.
Thursday, July 19, 2012
Heap Exploits
BlackHat 2009
https://www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf
BlackHat 2010
http://illmatics.com/Understanding_the_LFH.pdf
Heap Overflow exploits
http://heapoverflow.com/
Wednesday, July 18, 2012
Install Custom Kernel on Ubuntu
Please read: https://help.ubuntu.com/community/Kernel/Compile/
Basically, it only supports kernels from the Ubuntu source. It doesn't support the mainline kernel from kernel.org.
The mainline kernel source could be compiled successfully, but it cannot boot.
What I experienced was an automatic restart after loading the mainline kernel.
Experiment environment:
Ubuntu 11.10 + mainline kernel 2.6.19
Traversing the Windows Process List
Method 1:
Using the PsActiveProcessList in the EPROCESS structure.
Method 2:
Using the Handle_Table structure in the EPROCESS structure, and traversing HandleTableList.
kd> dt _Handle_table 0xe1001cd0
nt!_HANDLE_TABLE
+0x000 TableCode : 0xe1002000
+0x004 QuotaProcess : (null)
+0x008 UniqueProcessId : 0x00000004
+0x00c HandleTableLock : [4] _EX_PUSH_LOCK
+0x01c HandleTableList : _LIST_ENTRY [ 0xe1023e44 - 0x8055b548 ]
+0x024 HandleContentionEvent : _EX_PUSH_LOCK
+0x028 DebugInfo : (null)
+0x02c ExtraInfoPages : 0
+0x030 FirstFree : 0x2c4
+0x034 LastFree : 0
+0x038 NextHandleNeedingPool : 0x800
+0x03c HandleCount : 252
+0x040 Flags : 0
+0x040 StrictFIFO : 0y0
Method 3:
Using the queues in the scheduler.
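Methods 1 and 2 above are what a memory-forensics tool compares against each other: a process whose HANDLE_TABLE is still on HandleTableList (the UniqueProcessId field is visible in the dt output) but whose EPROCESS is missing from the active list has been hidden by DKOM. The following is an added user-mode simulation of that cross-view check, not code from this blog or from Windows; the structures are cut down to the fields used and the pids are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not the blog's code or Microsoft's: a user-mode simulation of
 * method 1 (EPROCESS.ActiveProcessLinks) and method 2 (HANDLE_TABLE.HandleTableList)
 * used as a cross-view check. A pid whose handle table is still linked but whose
 * EPROCESS is missing from the active list is the classic sign of DKOM hiding.
 * Structures are cut down to the fields used here; offsets are not the real ones. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { LIST_ENTRY HandleTableList; uint32_t UniqueProcessId; } HANDLE_TABLE;
typedef struct { uint32_t UniqueProcessId; LIST_ENTRY ActiveProcessLinks; } EPROCESS;
#define CONTAINING_RECORD(a, T, f) ((T *)((char *)(a) - offsetof(T, f)))
static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void list_append(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void list_unlink(LIST_ENTRY *e) {   /* a DKOM hider does this to one list */
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; list_init(e);
}
/* Method 1: is pid reachable by walking from PsActiveProcessHead? */
static int pid_in_active_list(LIST_ENTRY *head, uint32_t pid) {
    for (LIST_ENTRY *l = head->Flink; l != head; l = l->Flink)
        if (CONTAINING_RECORD(l, EPROCESS, ActiveProcessLinks)->UniqueProcessId == pid)
            return 1;
    return 0;
}
/* Method 2 cross-checked against method 1: pids reachable from HandleTableListHead
 * that the active list does not show. Writes them to out[], returns the count. */
static int find_hidden_pids(LIST_ENTRY *active, LIST_ENTRY *tables, uint32_t *out, int max) {
    int n = 0;
    for (LIST_ENTRY *l = tables->Flink; l != tables; l = l->Flink) {
        uint32_t pid = CONTAINING_RECORD(l, HANDLE_TABLE, HandleTableList)->UniqueProcessId;
        if (!pid_in_active_list(active, pid) && n < max) out[n++] = pid;
    }
    return n;
}
/* Constructed scenario: pids 4 (System), 368 and 1234; 1234 is then unlinked from
 * the active list only. Returns the number of hidden pids found. */
static int demo_hidden(uint32_t *out, int max) {
    static EPROCESS p[3]; static HANDLE_TABLE t[3]; static LIST_ENTRY active, tables;
    const uint32_t pids[3] = {4, 368, 1234};
    list_init(&active); list_init(&tables);
    for (int i = 0; i < 3; i++) {
        p[i].UniqueProcessId = t[i].UniqueProcessId = pids[i];
        list_append(&active, &p[i].ActiveProcessLinks);
        list_append(&tables, &t[i].HandleTableList);
    }
    list_unlink(&p[2].ActiveProcessLinks);
    return find_hidden_pids(&active, &tables, out, max);
}
```

Method 3 (the scheduler's queues) gives a third independent view and can be compared the same way.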
Tuesday, July 17, 2012
Downgrade GCC from 4.6 to 4.4
You could install both the 4.6 and 4.4 versions:
$sudo apt-get install gcc-4.6
$sudo apt-get install gcc-4.4
$sudo apt-get install gcc
$ ls /usr/bin/gcc*
You should see 3 files: gcc, gcc-4.4, gcc-4.6,
and gcc links to gcc-4.6.
Then link gcc to gcc-4.4:
$ sudo rm /usr/bin/gcc
$ sudo ln -s /usr/bin/gcc-4.4 /usr/bin/gcc
Done!
Monday, July 16, 2012
Install Custom Kernels on CentOS
Read: http://wiki.centos.org/HowTos/Custom_Kernel
Basically, it supports kernels from the CentOS source, not the mainline kernel from kernel.org.
But I have successfully compiled kernel version 2.6.19 based on CentOS 4.5, and version 2.6.24 based on CentOS 5.5.
Steps:
$make menuconfig   # need to enable General config --> enable deprecated sysfs
$make -j4
$make modules_install
$make install
Ref:
https://www.centos.org/modules/newbb/viewtopic.php?topic_id=15198&forum=37&post_id=88760#threadbottom
Tuesday, July 10, 2012
Windows rootkits Collection
rootkits collection:
http://ping-of-death.blogspot.com/2009/07/edmunds-rootkit-collection-downloads-w.html
I was thinking of posting them individually, but I didn’t want it to be seen as “spamming”, so here’s all the rootkits I have. These are all RS downloads.
Almost all files are zipped.
Some are tar.gz and others .rar.
Happy Hacking.
Legend:
Rootkit name
Description
download link
————————————–
Vanquish Rootkit
Vanquish is a DLL injection based Romanian rootkit that hides files, folders, registry entries and logs passwords.
http://rapidshare.com/files/214735218/vanquish-0.2.1.zip
NT Rootkit
The original and first public NT ROOTKIT – has not been updated for many years but is good for ideas.
http://rapidshare.com/files/214735636/rk_044.zip
FU Rootkit
The FU rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that forensics is impossible, and even hide device drivers (NEW!). (Look, Mom, no hands!) It does all this by Direct Kernel Object Manipulation (TM); no hooking! This project has been evolving over time. It was originally conceived as a proof-of-concept. FU is a play on words from the UNIX program “su” used to elevate privilege.
http://rapidshare.com/files/214736334/FU_Rootkit.zip
WinLogonHijack Rootkit
Winlogonhijack injects a dll into winlogon.exe and hooks msgina.WlxLoggedOutSAS, logging every login in plaintext.
http://rapidshare.com/files/214736739/winlogonhijack-v0.3-src.rar
MyNetwork Rootkit
This ethernet bridge allows many subnets to connect to one another, supports a central server, and watches ARP and ethernet traffic to maintain a MAC-router table. (windows vc7++) requires winpcap
http://rapidshare.com/files/214737889/MyNetwork.zip
Vice Rootkit
VICE is a tool to find hooks.
Features include:
1. Looks for people hooking IAT’s.
2. Looks for people hooking functions in-line aka detouring.
3. Looks for hooks in the System Call Table. Thanks to Tan perhaps it will fix the table in the future.
4. Looks for detour hooks in the System Call Table functions themselves.
5. Looks for people hooking IRP_MJ table in drivers. This is configurable by driver.ini.
http://rapidshare.com/files/214738213/vice.zip
Klog Rootkit
Klog demonstrates how to use a kernel filter driver to implement a simple key logger.
http://rapidshare.com/files/214738979/Klog_1.0.zip
AFX Rootkit '05
This OPEN SOURCE Delphi rootkit uses code injection and hooks Windows native API to hide processes, modules, handles, files, ports, registry keys, etc.
http://rapidshare.com/files/214739475/AFXRootkit2005.zip
SinAR Rootkit
A Cross architecture Solaris rootkit.
http://rapidshare.com/files/214740016/SInAR-0.1.tar.gz
Shadow Walker Rootkit
Shadow Walker as seen at Black Hat and Phrack 63.
http://rapidshare.com/files/214740632/Shadow_Walker_1.0.rar
CFSD Rootkit
FUTo Rootkit
FUTo is the successor of FU. Its accompanying research paper can be found at www.uninformed.org. FUTo currently hides from Blacklight and IceSword as of the initial release.
http://rapidshare.com/files/214741940/FUTo_enhanced.zip
WMFT Rootkit
Windows Memory Forensic Toolkit (WMFT) is a collection of utilities intended for forensic use. WMFT can be used to perform forensic analysis of physical memory images acquired from Windows 2003/XP machines.
http://rapidshare.com/files/214742116/wmftv02.zip
RAIDE Rootkit remover
RAIDE stands for Rootkit Analysis Identification Elimination. RAIDE is a rootkit detection/removal tool.
http://rapidshare.com/files/214742492/RAIDE_BETA_1.zip
BootKitBasic RootKit
BOOT KIT is a project related to custom boot sector code subverting the Windows NT security model. The sample presented currently keeps on escalating cmd.exe to system privileges every 30 secs.
It has several features:
1) It's very small. The basic framework is just about 100 lines of assembly code. It supports 2000, XP, 2003.
2) It patches the kernel at runtime (no files are patched on disk).
3) BOOT KIT is PXE-compatible.
4) It can even lead to the first ever PXE virus.
5) It also enables you to load other root kits if you have physical access (normally root kits can only be loaded by the administrator).
http://rapidshare.com/files/214742926/bootkitbasic.zip
Defrag Rootkit
Windows NT/2K/XP defragmenter for FAT12/16/32/NTFS partitions.
http://rapidshare.com/files/214743554/defragger30b_src.zip
Keyboard Hook
Ps/2 Keyboard Hook with only 1-bit in the Keyboard Controller.
http://rapidshare.com/files/214744072/Ps2_Keyboard_Polling.zip
And...
For fun...
CheatEngine
Cheat Engine is a tool designed to give you the upper hand in games, but also contains other useful tools to help debugging games and even normal applications.
http://rapidshare.com/files/214744668/CheatEngine54src.rar
Just got done uploading all of these today, so there shouldn't be any broken links.
But if there is, let me know.
**THESE DO NOT CONTAIN VIRUSES**
THEY CONTAIN INACTIVE ROOTKITS
Until you activate them, that is...
Wouldn't run these on your PC.
All files should contain tutorials.
I'm not held responsible for what you do with these rootkits.
Author: indounderground n phphack
Thursday, July 5, 2012
Set up an SVN repository II
Log in to your server:
mkdir svnrepos
cd svnrepos
mkdir ProjectName
svnadmin create ProjectName
Log in to your local working machine:
svn co svn+ssh://username@servername/home/username/svnrepos/ProjectName ProjectName
cd ProjectName and do whatever you want