Search found 50 matches

by 0x16/7ton
Fri Mar 18, 2016 7:21 pm
Forum: Malware
Topic: H1N1 loader (aka Win32/Zlader)
Replies: 22
Views: 52980

Re: H1N1 loader (aka Win32/Zlader)

Ironically, I found AV "bypass" functionality in that crap. Early samples have an AV name hash table (hash_table.png). Old sample hash function:

```python
for char_ in str_:
    char_int = ord(char_)
    hash_ = (rol(hash_, 3) & 0xFFFFFFFF)          # rol: 32-bit rotate left
    hash_ = (hash_ & 0xFFFFFF00) | ((hash_ & 0x000000ff) ^ char_int)
```

Malware enumerates processes...
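The hash above, carried through as a runnable example (added here; this is not the post's code nor the loader's own, and the real hash table is not on the page). It assumes an initial hash value of 0, one byte per character (ANSI names), and a constructed list of AV process names in place of the sample's table:

```python
# Added example: rotate-left-3 / XOR-low-byte process-name hash and the
# table lookup a loader would do with it. Illustration only; the seed (0),
# the one-byte-per-character encoding and the AV name list are assumptions.

def rol32(value: int, count: int) -> int:
    """Rotate a 32-bit value left by `count` bits."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def name_hash(name: str, seed: int = 0) -> int:
    """Rotate the running hash left by 3, then XOR the next character into
    the low byte only. The rotation is what spreads earlier characters
    into the upper 24 bits; each step itself touches just one byte."""
    h = seed & 0xFFFFFFFF
    for ch in name.encode("latin-1"):   # assumption: ANSI, one byte per char
        h = rol32(h, 3)
        h = (h & 0xFFFFFF00) | ((h & 0xFF) ^ ch)
    return h


# Constructed stand-in for the sample's hash table: hashes of a few common
# AV process names. The real table's contents are not on the page.
AV_PROCESS_NAMES = ("avp.exe", "ekrn.exe", "avgnt.exe", "msmpeng.exe")
AV_HASH_TABLE = {name_hash(n): n for n in AV_PROCESS_NAMES}


def find_av_processes(process_names, table=AV_HASH_TABLE):
    """Mimic the loader's check: hash each running process name and return
    the ones whose hash appears in the table. Matching on hashes keeps
    the plaintext AV names out of the binary's strings."""
    return [n for n in process_names if name_hash(n) in table]


if __name__ == "__main__":
    # Constructed process list for a demo run.
    running = ["explorer.exe", "svchost.exe", "ekrn.exe", "notepad.exe"]
    print({hex(h): n for h, n in AV_HASH_TABLE.items()})
    print(find_av_processes(running))
```

Two things worth checking when reproducing a table like this from a sample: the hash is case sensitive as written (the post does not mention lowercasing, so "EKRN.EXE" and "ekrn.exe" hash differently), and only the low byte is mixed per step, so short names leave the upper bits sparsely populated.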
by 0x16/7ton
Wed Jul 30, 2014 7:44 am
Forum: Kernel-Mode Development
Topic: How to execute code on specified CPU core?
Replies: 4
Views: 4392

Re: How to execute code on specified CPU core?

Also, if you need to execute code on each CPU, an IPI can be useful:
http://msdn.microsoft.com/en-us/library ... 85%29.aspx
by 0x16/7ton
Mon Jun 30, 2014 9:44 am
Forum: Newbie Questions
Topic: Prevent programs from running on specific folders
Replies: 4
Views: 4987

Re: Prevent programs from running on specific folders

Starting from Windows 7 (Ultimate and Enterprise) you can use AppLocker to prevent applications from executing.
http://msdn.microsoft.com/en-us/library ... 10%29.aspx
http://www.howtogeek.com/howto/6317/blo ... applocker/
by 0x16/7ton
Tue Mar 04, 2014 6:59 pm
Forum: Malware
Topic: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)
Replies: 66
Views: 243749

Re: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Exploit pseudocode:

```c
SUPCOOKIE CookieReq;
uint32_t g_u32Cookie        = CookieReq.u.Out.u32Cookie;
uint32_t g_u32SessionCookie = CookieReq.u.Out.u32SessionCookie;
uint32_t g_pSession         = CookieReq.u.Out.pSession;
void *pvImageBase;
CookieReq.Hdr.u32Cookie = SUPCOOKIE_INITIAL_COOKIE;
CookieReq.Hdr.cbIn = SUP_I...
```
by 0x16/7ton
Tue Feb 04, 2014 4:27 pm
Forum: User-Mode Development
Topic: AV SP Discussion & Bypass
Replies: 121
Views: 192957

Re: AV SP Discussion & Bypass

I decided to make the video "how I pwn KGBav with the new HIPS system" (DrWeb 9.0) with 100% stealth, without any popup windows, security alerts, etc. What I have: full admin rights; all work in user mode; AV settings are paranoid. Video of this tragedy: http://www.sendspace.com/file/8bukm5 P.S. I re...
by 0x16/7ton
Wed Sep 04, 2013 2:20 pm
Forum: Malware
Topic: ZeroAccess (alias MaxPlus, Sirefef)
Replies: 557
Views: 524138

Re: ZeroAccess (alias MaxPlus, Sirefef)

Dropper from 01.09.2013 with mini-update
01_09_2013.rar
Sirefef attempts to stop and delete two additional services: RemoteAccess, PolicyAgent.
mini_update.png
by 0x16/7ton
Fri Jul 19, 2013 8:53 pm
Forum: Malware
Topic: WinNT/Simda
Replies: 43
Views: 51370

Re: WinNT/Simda

My view of this l0lkit:
http://inresearching.blogspot.ru/2013/0 ... yload.html
Also, I attached the Simda web-redirect config and a decryption script for it.
by 0x16/7ton
Wed Jun 26, 2013 2:05 am
Forum: User-Mode Development
Topic: AV SP Discussion & Bypass
Replies: 121
Views: 192957

Re: AV SP Discussion & Bypass

Note about Eset SP bypassing, found in the leaked super elite CrapBerp source pack :ugeek: So, NOD allows opening its own processes with this access: OpenProcess(PROCESS_DUP_HANDLE|PROCESS_QUERY_INFORMATION..) After opening the process {ekrn.exe} they start enumerating its handles and duplicating them like here: Duplicat...
by 0x16/7ton
Wed Jun 26, 2013 12:16 am
Forum: Malware
Topic: Carberp source leaked
Replies: 28
Views: 41222

Re: Carberp source leaked

by 0x16/7ton
Sun Jun 23, 2013 12:58 pm
Forum: Tools/Software
Topic: AvLock Method
Replies: 19
Views: 36602

Re: AvLock Method

Finally I've made it work with Avira doing a trick. Where's the PoC, information, etc.? But I don't understand how Avira protects itself from the trick. It is a very obvious protection, working via a mini-filter driver (thus Avira support starts from XP SP3). For real-time protection watching, go to FLT_REGISTR...