Content Preview: rss
310 days ago
Something about virus loading limitation
========================================

1. This virus checks for a VM by using some instructions unique to VMware or VPC, so it cannot be run in VMware or VPC unless hardware-level virtualization has been enabled.

2. On the victim computer the virus is started as "rundll32.exe <virus dll>,<random parameter>" or as "rundll32.exe <virus rename>".
   1) For the first form, the random parameter is calculated by hashing the Computer Name of the victim machine, so if the hash is incorrect the virus fails to load.
   2) For the second form, no parameter is needed, but the renamed file must NOT keep the .dll extension, otherwise the virus fails to load.

Something about Hiding Tricks for Conficker.B
=============================================

Conficker is far ...
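The two loading gates described above, modelled in Python as an added example (this is not code from the original post or from the sample itself). The post does not give the hash algorithm applied to the Computer Name, so `name_hash()` is a labelled stand-in (FNV-1a); the command-line parsing is simplified, and the module path, computer name and `.dat` rename are constructed inputs.

```python
"""Model of the two rundll32 loading gates described in the post (added example).

The post states that the sample starts either as
    rundll32.exe <virus dll>,<random parameter>
where <random parameter> must equal a hash of the victim's Computer Name, or as
    rundll32.exe <virus rename>
where the renamed copy must not keep the .dll extension.  The post does not
give the real hash algorithm, so name_hash() below is a stand-in (32-bit FNV-1a
over the upper-cased name) used only to make the example runnable; everything
else models the rules exactly as the post states them.
"""


def name_hash(computer_name):
    """Placeholder for the sample's Computer Name hash (NOT the real algorithm)."""
    h = 0x811C9DC5
    for b in computer_name.upper().encode("ascii"):
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def parse_rundll32(cmdline):
    """Split 'rundll32.exe <module>,<entry> [args]' into (module, entry).

    Simplified: the program name is the first whitespace-separated token, the
    module is everything up to the first comma, and any trailing arguments
    after the entry point are ignored.
    """
    prog, _, rest = cmdline.strip().partition(" ")
    if prog.lower().rsplit("\\", 1)[-1] != "rundll32.exe":
        raise ValueError("not a rundll32 command line: %r" % cmdline)
    module, sep, entry = rest.strip().partition(",")
    module = module.strip().strip('"')
    entry = entry.strip().split(" ", 1)[0] if sep else None
    return module, entry or None


def would_load(cmdline, computer_name):
    """Apply both gates from the post; returns (loads, reason)."""
    module, param = parse_rundll32(cmdline)
    if param is not None:
        # First form: the parameter must be the hash of the Computer Name.
        try:
            given = int(param, 0)
        except ValueError:
            return False, "parameter is not numeric"
        if given != name_hash(computer_name):
            return False, "parameter does not match the Computer Name hash"
        return True, "parameter matches the Computer Name hash"
    # Second form: no parameter, but the file must not be named *.dll.
    if module.lower().endswith(".dll"):
        return False, "no parameter and the file still has a .dll extension"
    return True, "renamed copy without .dll extension"


def sandbox_cmdlines(module_path, computer_name):
    """Both command lines an analyst would try so the sample actually loads."""
    base, _, _ = module_path.rpartition(".")
    return [
        "rundll32.exe %s,%d" % (module_path, name_hash(computer_name)),
        "rundll32.exe %s" % (base + ".dat"),  # any non-.dll name works per the post
    ]


if __name__ == "__main__":
    # Constructed sample path and computer name.
    for cmd in sandbox_cmdlines(r"C:\Windows\system32\sample.dll", "VICTIM-PC"):
        print(cmd, "->", would_load(cmd, "VICTIM-PC"))
```

When replaying the sample in a sandbox, the practical consequence is that the Computer Name of the analysis box has to match the one the parameter was derived from, or the file has to be renamed away from `.dll`; otherwise the DLL entry point returns without doing anything and the run looks benign.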
486 days ago
If you have read Dan Kaminsky's research over the past few years, you probably know that Dan knows many DNS tricks. One of these is the CNAME trick that Dan mentioned in the Wired interview <http://blog.wired.com/27bstroke6/2008/07/kaminsky-on-how.html>. He had already talked about this trick back in 2007 <http://www.doxpara.com/slides/DMK_BO2K7_Web.ppt>, as below:

1. CNAME Records: DNS Aliases
   - Instead of returning an address, return what the "Canonical", or Official, Name was, and then the address of that Canonical Name
   - If you are allowed to be the resolver for that canonical name, your additional record overrides whatever's already in the cache, even if the TTL hasn't expired yet
     * It's not a bug.
     * Works against most, but not actually all, name servers

2. Demo
   $ dig 1.foo.notmallory.com
   ;; ANSWER SECTION:
   1.foo.notmallory.com.    120  IN  CNAME  bar.foo.notmallory.com
   bar.foo.notmallory.com.  120  IN  A      10.0.0.0
   $ dig ...
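A small resolver-cache model of the override behaviour the slides describe, added here as an example (it is not Kaminsky's code and not any real resolver). The constructed first response mirrors the dig output quoted above; the second response, the zone name used for the bailiwick check, and the `www.example.com` record are assumptions made for the demonstration.

```python
"""Model of the CNAME cache-override behaviour from the slides (added example).

A resolver asks the server authoritative for ZONE about one name and gets back
a CNAME plus an A record for the canonical name.  Records whose owner name lies
inside that server's zone ("in bailiwick") are accepted and replace whatever is
already cached, even if the cached entry's TTL has not expired; records outside
the zone are dropped.  The resolver modelled here is an assumption, not any
specific implementation.
"""

ZONE = "foo.notmallory.com"  # zone the answering server is authoritative for


def in_bailiwick(name, zone):
    """True if `name` is `zone` or a subdomain of it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Cache:
    def __init__(self):
        self.entries = {}  # (name, rtype) -> (rdata, expires_at)

    def get(self, name, rtype, now):
        hit = self.entries.get((name.lower(), rtype))
        if hit is None or hit[1] <= now:
            return None
        return hit[0]

    def ingest(self, records, zone, now):
        """Accept the records of a response from `zone`'s server.

        Returns the (name, rtype) keys that were overwritten while still fresh,
        which is exactly the override effect the slides describe.
        """
        overridden = []
        for name, ttl, rtype, rdata in records:
            if not in_bailiwick(name, zone):
                continue  # out-of-bailiwick data is ignored
            key = (name.lower(), rtype)
            if self.get(name, rtype, now) is not None:
                overridden.append(key)
            self.entries[key] = (rdata, now + ttl)
        return overridden

    def resolve(self, name, now, max_chain=8):
        """Follow CNAMEs from the cache; return the A record or None."""
        for _ in range(max_chain):
            a = self.get(name, "A", now)
            if a is not None:
                return a
            cname = self.get(name, "CNAME", now)
            if cname is None:
                return None
            name = cname
        return None


# Constructed response, mirroring the dig output quoted in the post.
RESPONSE_1 = [
    ("1.foo.notmallory.com", 120, "CNAME", "bar.foo.notmallory.com"),
    ("bar.foo.notmallory.com", 120, "A", "10.0.0.0"),
]
# Constructed second response: the same zone owner attaches a different A
# record for the canonical name, plus an out-of-bailiwick record that must be
# dropped.
RESPONSE_2 = [
    ("2.foo.notmallory.com", 120, "CNAME", "bar.foo.notmallory.com"),
    ("bar.foo.notmallory.com", 120, "A", "10.0.0.99"),
    ("www.example.com", 120, "A", "10.0.0.99"),  # not under ZONE
]


def demo(now=1000):
    cache = Cache()
    cache.ingest(RESPONSE_1, ZONE, now)
    first = cache.resolve("1.foo.notmallory.com", now)
    # Ten seconds later bar.* still has 110 s of TTL left, yet it is replaced.
    overridden = cache.ingest(RESPONSE_2, ZONE, now + 10)
    second = cache.resolve("1.foo.notmallory.com", now + 10)
    leaked = cache.get("www.example.com", "A", now + 10)
    return first, second, overridden, leaked


if __name__ == "__main__":
    print(demo())
```

The point of the model is the asymmetry: the owner of `notmallory.com` can refresh or replace any record under its own zone at will, TTL or not, but the bailiwick check stops the same response from planting a record for a name it does not own.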
566 days ago
It's a famous IIS vulnerability whose exploit is known as "Code Red". Because of its great reputation, I did a simple analysis of the buggy code (between the lines):

idq!CVariableSet::AddExtensionControlBlock:
6e90065c mov     eax,0x6e906af8
6e900661 call    idq!_EH_prolog (6e905c30)
6e900666 sub     esp,0x1d0
6e90066c push    ebx
6e90066d xor     eax,eax
6e90066f push    esi
6e900670 push    edi
6e900671 mov     [ebp-0x24],ecx
6e900674 mov     [ebp-0x2c],eax
6e900677 mov     [ebp-0x28],eax
6e90067a mov     [ebp-0x4],eax
6e90067d mov     eax,[ebp+0x8]        ; the parameter "EXTENSION_CONTROL_BLOCK"
. . .
6e9006b7 mov     esi,[eax+0x64]       ; offset of "lpszQueryString" in the ECB
6e9006ba or      ecx,0xffffffff
6e9006bd mov     edi,esi
. . .
6e9007b7 push    0x3d                 ; ascii '='
6e9007b9 push    edi
6e9007ba mov     [ebp-0x18],edi
6e9007bd call    dword ptr [idq!_imp__strchr (6e8f111c)]
6e9007c3 mov     esi,eax
6e9007c5 pop     ecx
6e9007c6 test    esi,esi
6e9007c8 pop     ecx
6e9007c9 je      6e9008d2             ; no '=' in the query string
6e9007cf sub     eax,edi              ; length of the name before '='
6e9007d1 push    0x26                 ; ascii '&'
6e9007d3 push    edi
6e9007d4 ...
624 days ago
For my graduation project, today I wrote a template for writing WDM drivers under VS2008. It is implemented mainly through the custom wizard project that VS provides, by editing a wizard .htm file and the related .js files.

It still has the following defects: first, it does not support C++, so the powerful object-oriented design ideas cannot be applied for now; second, an environment variable pointing to the DDK path has to be set manually in advance.

Now I can finally create driver projects in VS. Compared with writing driver code in Notepad before, it looks much more comfortable in VS. Friends who are interested can contact me privately for the details.

In the next stage I plan to study the details of the graduation project. After all, such opportunities are rare; this may well be the only one in my life, and I may never touch the research field again afterwards, so I should cherish it. The code name of this graduation project is tentatively "Zion". The software development part will be done in cooperation with an MSRA intern, 老BOSS. The current plan is: first complete the low-level Rootkit functional modules together, then I do the attack tool and he does the detection tool.

Finally, I wish myself all the best.
661 days ago
Knuth is truly erudite. When introducing the harmonic number, he defines it like this:

Hn is a harmonic number, so called because the kth harmonic produced by a violin string is the fundamental tone produced by a string that is 1/k times as long.

I never could understand this passage, but one thing was certain: harmonic numbers must have something to do with the violin. After googling it, everything suddenly became clear:

"Violin harmonics are produced by bowing while a finger rests on the string without pressing it down to the fingerboard (the black board under the strings). Usually, bowing with a finger resting on the string but not pressing it to the fingerboard produces hardly any sound, but if the finger rests at 1/2, 1/3, 1/4, etc. of the string length, measured from the player's end, it produces a fairly clear, flute-like tone, higher in pitch than the open string; at the 1/2 point it is an octave above the open string. The sounds produced at these positions are called natural harmonics. (There are also artificial harmonics, which I have never tried myself, so I won't discuss them.) Have you noticed the positions of these harmonics? Taking the open string as 1/1, the harmonic positions 1/2, 1/3, 1/4 correspond exactly to the terms of Hn."

I've learned something new; so that's where it comes from...