Hi.
As good a place to start as any I think.
I'm looking to code apps which circumvent windows security programs.
Need ideas, links to these programs which, *maybe* some of you here have bother with..like at school and home maybe ?..
Well, don't hesitate to reply on any kind of security program that needs bypassing..etc.
you can tell i'm bored, ya?
But I am serious about this..so let me know.
Laters.

hrm, well, if you're just look for ideas on what to code, then I'm your man. I've got lots of ideas. In the area that you're looking for, it would be high advantageous to make a program which can execute another program with SYSTEM permissions on NT/2K. This may require that your program has SYSTEM permissions at boot.

A more powerful program would to make some sort of "console" where it has SYSTEM permissions when the computer boots up and you may modify/delete/anything to any file or folder no matter what permissions they have set.

good luck señior

Well, anything is possible when your program is allowed to run whenever the system boots.
Its getting the permissions to modify the system in order to have it run when the system does that..
There are known exploits,I would not want to use known exploits because patches are available for them, and perhaps most Administrators would have service packs installed to fix those problems.
It would be cool to have our program work on not just un-patched systems,but all.

If only you discovered a flaw in both NT4/Win2k that nobody knew about,and used this to setup your program..makes sense to anyone who wants to be malicious.
I'm not a malicious person by the way.

I think that the potential to exploit LDT in NT4/Win2k is possible,getting Ring-0 access, like on Win9x.
I don't see the point in having such a program when you already have Administrator privilages.
So,perhaps an exploit would be appropriate first for that idea.

I was thinking more along the lines of Win9x/ME security programs because those systems aren't exactly secure anyway, with or without the programs.

But, I'll keep that one in mind, as NT4/Win2k i'm sure is full of holes because its closed source.

hrm, yes, good points all. I wasn't talking about maliciousness, and I WAS talking about using such a console for systems that you DON'T have administrator access to. With such a tool you could install programs and access features you wouldn't normally be able to. As for the good point about exploits, I wasn't thinking about using a flaw or bug in windows to gain system permissions, I was thinking about using some legit feature to give your program system permissions, and it would just share the love ya know?

But, ok, let's move on from that. quote: "circumvent windows security programs". Like what kind of windows security programs are you talking about? Programs which lock-down most computer features? Programs like administrative monitoring tools that spy on ya? Give me an example. It may be that I've never encountered any...

There are some legit features in the operating system that would allow you to do things you normally wouldn't with or without Administrator access.
You can use the available API's for example which run in Ring-3 mode of the x86 CPU.
Its a big operating system Win2k, I mean there are thousands of API's which I'm sure are exploitable,and they just haven't been found yet.
Process Tokens are interesting,I was reading an article last night about how to modify a process token of a process handle, to modify memory of another process you wouldn't normally have access to..that was a mouthfull.
I was experimenting a little last night with some security API's but haven't been able to create anything useful with them just yet.
Need to research a bit more,could be days,weeks even..
Or maybe I'll just give up trying to find a problem.
Also,I read a short article about the possibility of jumping to Ring-0 mode on Win2k using the API's which add LDT entries to the kernel.
The problem that the author encountered was the kernel validating the LDT entry.
But he also found out that depending on the value of the segment registers when calling the API,on some occasions,he would experience different results.
When I mentioned security programs for windows, I suppose yes, I was generally talking about software that locked down systems like Win95/98/ME because NT4/Win2k already has security features to allow you to do so.
Its a little more tricky, as you know
There is a flaw in Win2k before service pack 1+2 which allows anyone to execute commands with SYSTEM privilages.
Its a design error to do with NetDDE which is enabled by default after Win2k has been installed.
Dildog (Atstake) found this.
It would be cool to be able to circumvent win2k security features, who wouldn't want to find problems like that for a such a high profile operating system?
But it takes more work than finding these problems on Win9x..etc

Interesting stuff. Where did you come across these articles?

What do you mean by LDT? Local Descriptor Tables?

I don't have a link to the article on Process tokens..and I don't have it here on this computer at the moment so I can't upload it.
However, the article about LDT entries can be found here http://z0mbie.host.sk/ldt2k.txt

Damn, forbidden.
Could you maybe PM me the article?

EDIT: Never mind, I got it anyway. But PM me the other article when you can though. Thanks.

damn, that was way to ej33t for me. Maybe we have finally found another as smart as SR. No, its not possible, cant... be...falling..pain..in..chest...aggggggggghh...

to get around the forbidden message you need to enter the URL and hit enter. The site won't let you link to it. An easy workaround.

hey james, while we're talking about process memory and all that hardcore good shit: I suppose you'd know how to run a program in another processes' address space? I've read about that technique for hiding the original running process from task monitors. Also, are you familiar with running net enabled applications without using sockets so that programs like "netstat" won't detect them? These two techniques have fascinated me.

Also, and now I've got a question. I hope you have experience with this cause it seems everybody else I ever ask never knows... I'm assuming your a programmer ya... Have you used SetWindowsHookEx to make global hooks? I've tried so very hard to do this, and read all about it, but I only end up with a local hook.

I don't know if this is relavent, but it's a program I've tried to make unsucessfully and never found anywhere, maybe you could make it? I want a remote DOS prompt. That would be sweet. So it would be like you had the DOS prompt of another computer on ur desktop and could do whatever on that computer. I made one but it's HORRIBLE. The problem was I couldn't get VB to send data both ways. I had it so I would send a command to my program on the other computer and then it would execute that command using the Shell() command on the remote computer, but the only way I could figure out how to get the returned data was to send to a text file and then read the text file and send back to the original user. There are SO many bugs in this, the major one being my program would try to read the text file before everything was written to it and all this other junk. So if you could pull this off, that would be dope.

What they're talking about is a little more advanced than that. They're talking about the good stuff! At least, SR is. That doesn't work. At least it doesn't for that site. I just clicked a button I have the google toolbar, so I just clicked the cached page button.
That's something I've been looking into. I want to know about this too. I was told it's been done, but I don't know how yet.
I never thought of that! I think I'll look into that.
Where did you read about these things? I haven't come across anything, I've only talked about it with people.

well, supposedly, both techniques are employed in BackOrifice 2000. I remember back in the day when I was looking for a trojan to use, I chose BackOrifice. That was the first and last time I tried to use a trojan (which I hadn't made myself anyway...). I remember trying to get it to work and installing it on several machines. I'd execute it and try to connect to it on another computer on the same LAN and could never get it to work. I was trying to verify that the program was even running in the first place. On some machines I could see it in the WinNT tasklist, on others I couldn't. And I couldn't ever tell that it was listening on a port.

I don't know if I was just too newbie - but I thought for sure I knew what I was doing - still do. The same guy who told me about all this had made a program which would "scan" all the local ports by trying to listen on each one, so that it could detect trojans using that technique. Apparently, if there is a program listening on port 123 but does not show up in netstat - you still can't have another application listen on the same port.

You can't have 2 apps listening on the same port?
Why not?
You can have one app listen on multiple ports right?

Well, it IS possible to sniff/filter/send data on a port with as many programs as you want - but within the socket restrictions, you may not. You will get a "in use" error if you try to listen on a port that another application is already listening on.

Yes, a single application can listen on as many ports as the OS will support (up to a absolute max of 65535 due to the restrictions as imposed by the IP layer). FTP servers for example may listen on many many ports - one for the main service, and one for each incoming data connection from a client.