USER2SID & SID2USER


User2sid and Sid2user are two small utilities for Windows NT, created by Evgenii Rudny, that allow the administrator to query the SAM to find out the SID value for a given account name and vice versa. User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) on the local or a remote machine, and Sid2user.exe can then be used to retrieve the names of all the user accounts and more. These utilities do not exploit a bug; they simply call the Win32 functions LookupAccountName and LookupAccountSid respectively. They can be run against a remote machine without providing logon credentials beyond those needed for a null session connection, so they rely on the ability to create a null session in order to work.

Source: http://www.windowsecurity.com/whitepapers/Windows-Enumeration-USER2SID-SID2USER.html
Download: http://securityoverride.com/infusions/pro_download_panel/download.php?did=24

Recursive File Search in C | Source Code


The source code below was written by se7en from LeetCoders.  It is capable of running through the entire C drive in 8 seconds on my computer, finding more than 230,000 files.  The downside is that it consumes quite a lot of CPU during the scan.  You might try to optimize it by inserting a Sleep call or something else that reduces the CPU usage.

HTTP File Downloader for Linux and Windows in C | Source Code


A member of HackForums with the handle Jakash3 has posted source code showing how to download files from the Internet that can be compiled on both Linux and Windows.  Another great feature is that it supports IPv6.

The official way of writing a crypter in C | Source Code


mindlessdeath, a member of HackForums, has posted a thread on how to write a crypter in C!  I find this source code a very good example for people who are trying to learn to write their own crypter.  Compared to other source code posted on the Internet, the author gives very detailed information, line by line, on what each statement does.  In order to use this source code without much trouble, there are some prerequisites that were mentioned by the author himself.

Decrypt Firefox 3.5 and 3.6 stored passwords in C | Source Code | Application


If you have already decrypted passwords for Firefox 1, 2 and 3 (if you need that, it’s here), here is the source code in C that helps you decrypt Firefox stored passwords for versions 3.5 and 3.6!  This source code was written by ZeR0 from HackHound.org.  The author has released it as open source, but the terms of use are that you give credit if you use it.

Download source code here (link removed).
Download binary / application here (link removed).

Listing processes for all users in C


While I was searching online for a way to display processes for all users, I came across this source code, which was coded professionally.  The source code can be found here.  Be sure to check their homepage here too for more source code.

Creating your own driver loader in C | Driver Loader | Source Code | Rootkit


Technically, there are two ways of loading a rootkit according to Greg Hoglund in his book Rootkits: Subverting the Windows Kernel.  One is called The Quick-And-Dirty Way to Load a Driver.  This method allows you to “load a driver into the kernel without having to create any registry keys. ‘Pageable’ refers to memory that can be swapped to disk. If a driver is pageable, any part of the driver could be paged out (that is, swapped from memory to disk). Sometimes when memory is paged out, it cannot be accessed; an attempt to do so will result in the infamous Blue Screen of Death (a system crash)” by using an undocumented API call.

WLM / Firefox / No-IP / DynDNS Recovery in C | Source Code


As mentioned in one of my previous posts, I will be releasing the functions to retrieve passwords for WLM, Firefox, No-IP and DynDNS.

Download WLM Recovery source code.

Download Firefox Recovery source code.

Download No-IP Recovery source code.

Download DynDNS Recovery source code.

Analyzing network packets


Those of you who think of yourselves as hackers: do you know what a network packet looks like?  Have you ever read raw network packets, and do you know how they work?  Take a look at the TCP packet below and try to figure out what the packet is doing, as well as the source IP address and port of the sender.

00 1c f0 39 8e 45 00 1c  f0 8a a1 71 08 00 45 00
00 34 06 6e 40 00 80 06  9a 0e c0 a8 01 02 45 a2
52 fb c0 a7 00 50 a1 f6  7c bb 00 00 00 00 80 02
20 00 15 25 00 00 02 04  05 b4 01 03 03 02 01 01
04 02

Tips: Think of the packet as an Ethernet frame.
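To make that tip concrete, here is an added example (my own code, not part of the original post) that walks the hex dump above the way a human would: 14 bytes of Ethernet header, then the IPv4 header (length taken from the IHL field, not assumed), then the TCP header (length taken from the data-offset field). It carries the bytes of the frame above inline, refuses truncated or non-IPv4/non-TCP input rather than reading past the buffer, and prints the source/destination addresses, ports and flags, which is exactly what the puzzle asks for. Running it answers the question; the struct names and helper functions are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decoded view of one Ethernet/IPv4/TCP frame (names chosen for this example). */
struct tcp_summary {
    uint8_t  dst_mac[6], src_mac[6];
    uint16_t ethertype;
    uint8_t  ttl, protocol;
    uint32_t src_ip, dst_ip;      /* host byte order, e.g. 0xc0a80102 = 192.168.1.2 */
    uint16_t src_port, dst_port;
    uint32_t seq, ack;
    uint8_t  flags;               /* TCP flag byte: 0x02 = SYN, 0x10 = ACK, ... */
    size_t   payload_len;
};

/* The 66 bytes of the hex dump in the post, copied verbatim. */
static const uint8_t sample_frame[] = {
    0x00,0x1c,0xf0,0x39,0x8e,0x45, 0x00,0x1c,0xf0,0x8a,0xa1,0x71, 0x08,0x00,
    0x45,0x00,0x00,0x34,0x06,0x6e,0x40,0x00,0x80,0x06,0x9a,0x0e,
    0xc0,0xa8,0x01,0x02, 0x45,0xa2,0x52,0xfb,
    0xc0,0xa7,0x00,0x50, 0xa1,0xf6,0x7c,0xbb, 0x00,0x00,0x00,0x00,
    0x80,0x02,0x20,0x00, 0x15,0x25,0x00,0x00,
    0x02,0x04,0x05,0xb4, 0x01, 0x03,0x03,0x02, 0x01,0x01, 0x04,0x02
};

/* Network byte order is big-endian: most significant byte first. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

void ip_to_str(uint32_t ip, char out[16]) {
    snprintf(out, 16, "%u.%u.%u.%u", ip >> 24, (ip >> 16) & 0xff, (ip >> 8) & 0xff, ip & 0xff);
}

/* Returns 0 on success, a negative code on malformed/unsupported input.
 * Every offset is checked against len before it is read. */
int decode_tcp_frame(const uint8_t *buf, size_t len, struct tcp_summary *out) {
    if (len < 14) return -1;                       /* no room for Ethernet header */
    memcpy(out->dst_mac, buf, 6);
    memcpy(out->src_mac, buf + 6, 6);
    out->ethertype = rd16(buf + 12);
    if (out->ethertype != 0x0800) return -2;       /* not IPv4 */

    size_t ip_off = 14;
    if (len < ip_off + 20) return -3;
    if ((buf[ip_off] >> 4) != 4) return -4;        /* version nibble must be 4 */
    size_t ihl = (size_t)(buf[ip_off] & 0x0f) * 4; /* header length in bytes */
    uint16_t total_len = rd16(buf + ip_off + 2);   /* IP header + payload */
    if (ihl < 20 || total_len < ihl || len < ip_off + total_len) return -5;
    out->ttl      = buf[ip_off + 8];
    out->protocol = buf[ip_off + 9];
    out->src_ip   = rd32(buf + ip_off + 12);
    out->dst_ip   = rd32(buf + ip_off + 16);
    if (out->protocol != 6) return -6;             /* not TCP */

    size_t tcp_off = ip_off + ihl, seg_len = total_len - ihl;
    if (seg_len < 20) return -7;
    out->src_port = rd16(buf + tcp_off);
    out->dst_port = rd16(buf + tcp_off + 2);
    out->seq      = rd32(buf + tcp_off + 4);
    out->ack      = rd32(buf + tcp_off + 8);
    size_t doff   = (size_t)(buf[tcp_off + 12] >> 4) * 4; /* includes options */
    if (doff < 20 || doff > seg_len) return -8;
    out->flags       = buf[tcp_off + 13];
    out->payload_len = seg_len - doff;
    return 0;
}

/* Human-readable flag list, e.g. "SYN" or "SYN,ACK". */
void tcp_flag_names(uint8_t flags, char *out, size_t n) {
    static const char *names[] = { "FIN", "SYN", "RST", "PSH", "ACK", "URG" };
    out[0] = '\0';
    for (int i = 0; i < 6; i++)
        if (flags & (1 << i)) {
            if (out[0]) strncat(out, ",", n - strlen(out) - 1);
            strncat(out, names[i], n - strlen(out) - 1);
        }
}

int main(void) {
    struct tcp_summary s;
    char src[16], dst[16], fl[32];
    int rc = decode_tcp_frame(sample_frame, sizeof sample_frame, &s);
    if (rc != 0) { fprintf(stderr, "decode failed: %d\n", rc); return 1; }
    ip_to_str(s.src_ip, src); ip_to_str(s.dst_ip, dst); tcp_flag_names(s.flags, fl, sizeof fl);
    printf("%s:%u -> %s:%u  flags=%s ttl=%u payload=%zu bytes\n",
           src, s.src_port, dst, s.dst_port, fl, s.ttl, s.payload_len);
    return 0;
}
```

The length checks are the point worth copying into any real dissector: a hex dump that lies about its IHL or data offset must be rejected, not trusted, because reading past the buffer is how packet parsers themselves become the vulnerability.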

DLL Injection | What it is


In computer programming, DLL injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library.[1] DLL injection is often used by third-party developers to influence the behavior of a program in a way its authors did not anticipate or intend.[1][2][3] For example, the injected code could trap system function calls,[4][5] or read the contents of password textboxes, which cannot be done the usual way.[6]

Approaches on Microsoft Windows

There are at least four ways to force a program to load a DLL on Microsoft Windows:

  • DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process that links to User32.dll as that DLL attaches itself to the process.[5][7][8][9]
  • Process manipulation functions such as CreateRemoteThread can be used to inject a DLL into a program after it has started.[5][6][10][11][12][13]
    1. Get a handle to the target process. This can be done by spawning the process[14][15] or by keying off something created by that process that is known to exist – for instance, a window with a predictable title,[16] or by obtaining a list of running processes[17] and scanning for the target executable’s filename.[18]
    2. Allocate some memory in the target process,[19] and the name of the DLL to be injected is written to it.[10][20]
      This step can be skipped if a suitable DLL name is already available in the target process. For example, if a process links to ‘User32.dll’, ‘GDI32.dll’, ‘Kernel32.dll’ or any other library whose name ends in ‘32.dll’, it would be possible to load a library named ‘32.dll’. This technique has in the past been demonstrated to be effective against a method of guarding processes against DLL injection.[21]
    3. Create a new thread in the target process[22] with the thread’s start address set to be the address of LoadLibrary and the argument set to the address of the string just uploaded into the target.[10][23]
      Instead of writing the name of a DLL-to-load to the target and starting the new thread at LoadLibrary, one can write the code-to-be-executed to the target and start the thread at that code.[6]
    4. The operating system will now call DllMain in the injected DLL.[10][24]
    Note that without precautions, this approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module as a thread starts.[24]
  • Windows hooking calls such as SetWindowsHookEx.[2][5][6][25][26][27]
  • Use the debugging functions to pause all threads, and then hijack an existing thread in the application to execute injected code, that in turn could load a DLL.[4][28][29]

In Windows Vista, Microsoft introduced the notion of a protected process. Such processes are immune from DLL Injection.[30]

Source: Wikipedia
