Thread.Sleep (.NET) vs Sleep Function (WinAPI)


Thread.Sleep is a sign of a poorly designed program.

by Peter Ritchie.

Thread.Sleep has it’s use: simulating lengthy operations while testing/debugging on an MTA thread.  In .NET there’s no other reason to use it.

Thread.Sleep(n) means block the current thread for at least the number of timeslices (or thread quantums) that can occur within n milliseconds.  The length of a timeslice is different on different versions/types of Windows and different processors and generally ranges from 15 to 30 milliseconds.  This means the thread is almost guaranteed to block for more than n milliseconds.  The likelihood that your thread will re-awaken exactly after n milliseconds is about as impossible as impossible can be.  So, Thread.Sleep is pointless for timing.  Read the rest of this entry »

Advertisements

Purchased Rootkits | Subverting the Windows Kernel


A month ago I have bought Rootkits, Subverting the Windows Kernel by Greg Hoglund and James Butler and I find it superb.  If you are a rootkit developer or looking to be one, this is a must have book that you need to get a hold of.  It teaches you generally the stuffs you want to learn such as hiding processes, files and directories, registries and lots more.  Conquering the kernel level as well as beating up Antiviruses are one of the topics that are discussed on!  Recently I am busy with my final years so I hope I can find time to post some useful articles.

HTTP File Downloader for Linux and Windows in C | Source Code


A member in HackForums by the handle Jakash3 has posted a source code on how to download files from the Internet that can be compiled in both Linux and Windows.  Another great feature is that it supports IPv6. Read the rest of this entry »

Protecting by hooking ZwOpenProcess


Want to know how Antivirus and rootkits protect themselves from being terminated? You might have tried running Windows Task Manager and find it impossible to kill avp.exe by Kaspersky. This is because the process is being protected by a higher privilege, the kernel.  This article assume that you know how to write using Windows Driver Kit.

Article: http://unlmtd.wordpress.com/2007/07/27/protecting-by-hooking-zwopenprocess/

WLM / Firefox / No-IP / DynDNS Recovery in C | Source Code


As mentioned in one of my previous posts i will be releasing the function to retrieve passwords of WLM, Firefox, No-IP and DynDNS.

Download WLM Recovery source code.

Download Firefox Recovery source code.

Download No-IP Recovery source code.

Download DynDNS Recovery source code.

DLL Injection | What it is


In computer programming, DLL injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library.[1] DLL injection is often used by third-party developers to influence the behavior of a program in a way its authors did not anticipate or intend.[1][2][3] For example, the injected code could trap system function calls,[4][5] or read the contents of password textboxes, which cannot be done the usual way.[6]

Approaches on Microsoft Windows

There are at least four ways to force a program to load a DLL on Microsoft Windows:

  • DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process that links to User32.dll as that DLL attaches itself to the process.[5][7][8][9]
  • Process manipulation functions such as CreateRemoteThread can be used to inject a DLL into a program after it has started.[5][6][10][11][12][13]
    1. Get a handle to the target process. This can be done by spawning the process[14][15] or by keying off something created by that process that is known to exist – for instance, a window with a predictable title,[16] or by obtaining a list of running processes[17] and scanning for the target executable’s filename.[18]
    2. Allocate some memory in the target process,[19] and the name of the DLL to be injected is written to it.[10][20]
      This step can be skipped if a suitable DLL name is already available in the target process. For example, if a process links to ‘User32.dll’, ‘GDI32.dll’, ‘Kernel32.dll’ or any other library whose name ends in ‘32.dll’, it would be possible to load a library named ‘32.dll’. This technique has in the past been demonstrated to be effective against a method of guarding processes against DLL injection.[21]
    3. Create a new thread in the target process[22] with the thread’s start address set to be the address of LoadLibrary and the argument set to the address of the string just uploaded into the target.[10][23]
      Instead of writing the name of a DLL-to-load to the target and starting the new thread at LoadLibrary, one can write the code-to-be-executed to the target and start the thread at that code.[6]
    4. The operating system will now call DllMain in the injected DLL.[10][24]
    Note that without precautions, this approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module as a thread starts.[24]
  • Windows hooking calls such as SetWindowsHookEx.[2][5][6][25][26][27]
  • Use the debugging functions to pause all threads, and then hijack an existing thread in the application to execute injected code, that in turn could load a DLL.[4][28][29]

In Windows Vista, Microsoft introduced the notion of a protected process. Such processes are immune from DLL Injection.[30]

Source: Wikipedia

Approaches on Microsoft Windows

There are at least four ways to force a program to load a DLL on Microsoft Windows:

  • DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process that links to User32.dll as that DLL attaches itself to the process.[5][7][8][9]
  • Process manipulation functions such as CreateRemoteThread can be used to inject a DLL into a program after it has started.[5][6][10][11][12][13]
    1. Get a handle to the target process. This can be done by spawning the process[14][15] or by keying off something created by that process that is known to exist – for instance, a window with a predictable title,[16] or by obtaining a list of running processes[17] and scanning for the target executable’s filename.[18]
    2. Allocate some memory in the target process,[19] and the name of the DLL to be injected is written to it.[10][20]
      This step can be skipped if a suitable DLL name is already available in the target process. For example, if a process links to ‘User32.dll’, ‘GDI32.dll’, ‘Kernel32.dll’ or any other library whose name ends in ‘32.dll’, it would be possible to load a library named ‘32.dll’. This technique has in the past been demonstrated to be effective against a method of guarding processes against DLL injection.[21]
    3. Create a new thread in the target process[22] with the thread’s start address set to be the address of LoadLibrary and the argument set to the address of the string just uploaded into the target.[10][23]
      Instead of writing the name of a DLL-to-load to the target and starting the new thread at LoadLibrary, one can write the code-to-be-executed to the target and start the thread at that code.[6]
    4. The operating system will now call DllMain in the injected DLL.[10][24]
    Note that without precautions, this approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module as a thread starts.[24]
  • Windows hooking calls such as SetWindowsHookEx.[2][5][6][25][26][27]
  • Use the debugging functions to pause all threads, and then hijack an existing thread in the application to execute injected code, that in turn could load a DLL.[4][28][29]

In Windows Vista, Microsoft introduced the notion of a protected process. Such processes are immune from DLL Injection.[30]

Merry Christmas


So what did you get for Christmas?  I’m sure everyone must have enjoyed theirs!  Here’s a quick note on what i intend to do for the next few hours, days,  …years.

I will be releasing released a source code that i have compiled for some time now which helps retrieve passwords that has lost for programs such as WLM, Firefox, No-IP and DynDNS.  The source codes are coded in C language so basically it’s just a header.  In order to use it you’ll just call the function like RetrieveWLM(“recovery.txt”);.  Look forward to lots more of source codes that will be released from my personal code vault.