Hax0ring Windows security software

Posted by: James

Hax0ring Windows security software - 07/17/02 04:58 AM

Hi.
As good a place to start as any I think.
I'm looking to code apps which circumvent windows security programs.
Need ideas, links to these programs which, *maybe* some of you here have bother with..like at school and home maybe ?..
Well, don't hesitate to reply on any kind of security program that needs bypassing..etc.
you can tell i'm bored, ya?
But I am serious about this..so let me know.
Laters.
Posted by: SilentRage

Re: Hax0ring Windows security software - 07/17/02 08:10 AM

hrm, well, if you're just look for ideas on what to code, then I'm your man. I've got lots of ideas. In the area that you're looking for, it would be high advantageous to make a program which can execute another program with SYSTEM permissions on NT/2K. This may require that your program has SYSTEM permissions at boot.

A more powerful program would to make some sort of "console" where it has SYSTEM permissions when the computer boots up and you may modify/delete/anything to any file or folder no matter what permissions they have set.

good luck seņior
Posted by: James

Re: Hax0ring Windows security software - 07/17/02 09:42 AM

Well, anything is possible when your program is allowed to run whenever the system boots.
Its getting the permissions to modify the system in order to have it run when the system does that..
There are known exploits,I would not want to use known exploits because patches are available for them, and perhaps most Administrators would have service packs installed to fix those problems.
It would be cool to have our program work on not just un-patched systems,but all.

If only you discovered a flaw in both NT4/Win2k that nobody knew about,and used this to setup your program..makes sense to anyone who wants to be malicious.
I'm not a malicious person by the way.

I think that the potential to exploit LDT in NT4/Win2k is possible,getting Ring-0 access, like on Win9x.
I don't see the point in having such a program when you already have Administrator privilages.
So,perhaps an exploit would be appropriate first for that idea.

I was thinking more along the lines of Win9x/ME security programs because those systems aren't exactly secure anyway, with or without the programs.

But, I'll keep that one in mind, as NT4/Win2k i'm sure is full of holes because its closed source.
Posted by: SilentRage

Re: Hax0ring Windows security software - 07/17/02 02:49 PM

hrm, yes, good points all. I wasn't talking about maliciousness, and I WAS talking about using such a console for systems that you DON'T have administrator access to. With such a tool you could install programs and access features you wouldn't normally be able to. As for the good point about exploits, I wasn't thinking about using a flaw or bug in windows to gain system permissions, I was thinking about using some legit feature to give your program system permissions, and it would just share the love ya know?

But, ok, let's move on from that. quote: "circumvent windows security programs". Like what kind of windows security programs are you talking about? Programs which lock-down most computer features? Programs like administrative monitoring tools that spy on ya? Give me an example. It may be that I've never encountered any...
Posted by: James

Re: Hax0ring Windows security software - 07/18/02 06:38 AM

There are some legit features in the operating system that would allow you to do things you normally wouldn't with or without Administrator access.
You can use the available API's for example which run in Ring-3 mode of the x86 CPU.
Its a big operating system Win2k, I mean there are thousands of API's which I'm sure are exploitable,and they just haven't been found yet.
Process Tokens are interesting,I was reading an article last night about how to modify a process token of a process handle, to modify memory of another process you wouldn't normally have access to..that was a mouthfull.
I was experimenting a little last night with some security API's but haven't been able to create anything useful with them just yet.
Need to research a bit more,could be days,weeks even..
Or maybe I'll just give up trying to find a problem.
Also,I read a short article about the possibility of jumping to Ring-0 mode on Win2k using the API's which add LDT entries to the kernel.
The problem that the author encountered was the kernel validating the LDT entry.
But he also found out that depending on the value of the segment registers when calling the API,on some occasions,he would experience different results.
When I mentioned security programs for windows, I suppose yes, I was generally talking about software that locked down systems like Win95/98/ME because NT4/Win2k already has security features to allow you to do so.
Its a little more tricky, as you know
There is a flaw in Win2k before service pack 1+2 which allows anyone to execute commands with SYSTEM privilages.
Its a design error to do with NetDDE which is enabled by default after Win2k has been installed.
Dildog (Atstake) found this.
It would be cool to be able to circumvent win2k security features, who wouldn't want to find problems like that for a such a high profile operating system?
But it takes more work than finding these problems on Win9x..etc
Posted by: Paragon

Re: Hax0ring Windows security software - 07/18/02 09:12 AM

Interesting stuff. Where did you come across these articles?

What do you mean by LDT? Local Descriptor Tables?
Posted by: James

Re: Hax0ring Windows security software - 07/18/02 09:36 AM

I don't have a link to the article on Process tokens..and I don't have it here on this computer at the moment so I can't upload it.
However, the article about LDT entries can be found here http://z0mbie.host.sk/ldt2k.txt
Posted by: Paragon

Re: Hax0ring Windows security software - 07/18/02 09:38 AM

Damn, forbidden.
Could you maybe PM me the article?

EDIT: Never mind, I got it anyway. But PM me the other article when you can though. Thanks.
Posted by: dashocker

Re: Hax0ring Windows security software - 07/18/02 10:55 AM

damn, that was way to ej33t for me. Maybe we have finally found another as smart as SR. No, its not possible, cant... be...falling..pain..in..chest...aggggggggghh...
Posted by: SilentRage

Re: Hax0ring Windows security software - 07/18/02 02:45 PM

to get around the forbidden message you need to enter the URL and hit enter. The site won't let you link to it. An easy workaround.

hey james, while we're talking about process memory and all that hardcore good shit: I suppose you'd know how to run a program in another processes' address space? I've read about that technique for hiding the original running process from task monitors. Also, are you familiar with running net enabled applications without using sockets so that programs like "netstat" won't detect them? These two techniques have fascinated me.

Also, and now I've got a question. I hope you have experience with this cause it seems everybody else I ever ask never knows... I'm assuming your a programmer ya... Have you used SetWindowsHookEx to make global hooks? I've tried so very hard to do this, and read all about it, but I only end up with a local hook.
Posted by: Mornse

Re: Hax0ring Windows security software - 07/19/02 12:36 AM

I don't know if this is relavent, but it's a program I've tried to make unsucessfully and never found anywhere, maybe you could make it? I want a remote DOS prompt. That would be sweet. So it would be like you had the DOS prompt of another computer on ur desktop and could do whatever on that computer. I made one but it's HORRIBLE. The problem was I couldn't get VB to send data both ways. I had it so I would send a command to my program on the other computer and then it would execute that command using the Shell() command on the remote computer, but the only way I could figure out how to get the returned data was to send to a text file and then read the text file and send back to the original user. There are SO many bugs in this, the major one being my program would try to read the text file before everything was written to it and all this other junk. So if you could pull this off, that would be dope.
Posted by: Paragon

Re: Hax0ring Windows security software - 07/19/02 08:44 AM

What they're talking about is a little more advanced than that. They're talking about the good stuff! At least, SR is.
Quote:
Originally posted by SilentRage:
to get around the forbidden message you need to enter the URL and hit enter. The site won't let you link to it. An easy workaround.
That doesn't work. At least it doesn't for that site. I just clicked a button I have the google toolbar, so I just clicked the cached page button.
Quote:
I suppose you'd know how to run a program in another processes' address space? I've read about that technique for hiding the original running process from task monitors.
That's something I've been looking into. I want to know about this too. I was told it's been done, but I don't know how yet.
Quote:
Also, are you familiar with running net enabled applications without using sockets so that programs like "netstat" won't detect them? These two techniques have fascinated me.
I never thought of that! I think I'll look into that.
Where did you read about these things? I haven't come across anything, I've only talked about it with people.
Posted by: SilentRage

Re: Hax0ring Windows security software - 07/19/02 02:20 PM

well, supposedly, both techniques are employed in BackOrifice 2000. I remember back in the day when I was looking for a trojan to use, I chose BackOrifice. That was the first and last time I tried to use a trojan (which I hadn't made myself anyway...). I remember trying to get it to work and installing it on several machines. I'd execute it and try to connect to it on another computer on the same LAN and could never get it to work. I was trying to verify that the program was even running in the first place. On some machines I could see it in the WinNT tasklist, on others I couldn't. And I couldn't ever tell that it was listening on a port.

I don't know if I was just too newbie - but I thought for sure I knew what I was doing - still do. The same guy who told me about all this had made a program which would "scan" all the local ports by trying to listen on each one, so that it could detect trojans using that technique. Apparently, if there is a program listening on port 123 but does not show up in netstat - you still can't have another application listen on the same port.
Posted by: Paragon

Re: Hax0ring Windows security software - 07/22/02 07:54 AM

You can't have 2 apps listening on the same port?
Why not?
You can have one app listen on multiple ports right?
Posted by: SilentRage

Re: Hax0ring Windows security software - 07/22/02 08:14 AM

Well, it IS possible to sniff/filter/send data on a port with as many programs as you want - but within the socket restrictions, you may not. You will get a "in use" error if you try to listen on a port that another application is already listening on.

Yes, a single application can listen on as many ports as the OS will support (up to a absolute max of 65535 due to the restrictions as imposed by the IP layer). FTP servers for example may listen on many many ports - one for the main service, and one for each incoming data connection from a client.
Posted by: Paragon

Re: Hax0ring Windows security software - 07/22/02 08:33 AM

What do you mean, "within socket restrictions?"
Posted by: James

Re: Hax0ring Windows security software - 07/22/02 10:11 AM

For a few hours last night,I was trying to give my process more privileges to see if I could in fact write to other processes in memory.
I realised today that I would probably have to use VirtualProtectEx to un-protect atleast 2 pages of protected memory in most of the processes.
However,while I was trying to open some system process using OpenProcess for PROCESS_VM_OPERATION,it failed.
Using OpenProcessToken and adjusting the privileges didn't seem to make a difference.
But it is said to work on others..maybe this was an earlier build of win2k than mine.
I don't know how to run code in another process,but yes, its possible to run Threads if you have enough access to the process,you allocate memory using VirtualAlloc on the process you want to use,copy your code to that allocated memory and use CreateRemoteThread.
There is a way on Windows 9x to hide any process not only from the Task Manager using RegisterServiceProcess but from the system itself by hooking Process32First/Process32Next API's
I don't know how to do the latter,but a coder called Vecna demonstrates it in a program he wrote,I haven't been able to test it.
Vecnas site is down at the moment,so I can't provide a link.
I was playing with SetWindowsHookEx yesterday to do a global keyboard hook and log to a file.
I didn't get it to work yet,I'm still playing with it.
There are ways to hide listening sockets from netstat probably on Win9x in the same way you would hiding processes,I haven't really looked into that.
I did see an easy way to get files from other computers over the network,like from a www/ftp server using API's from WININET.DLL
Disassemble it,or any DLL file for that matter,and you'll see loads of API's
Then go to http://msdn.microsoft.com/ and search for them,you might find out how they work,alot easier than using BSD sockets,it you only require www/ftp connection.
Posted by: SilentRage

Re: Hax0ring Windows security software - 07/22/02 10:40 AM

"There is a way on Windows 9x to hide any process not only from the Task Manager using RegisterServiceProcess but from the system itself by hooking Process32First/Process32Next API's
I don't know how to do the latter,but a coder called Vecna demonstrates it in a program he wrote,I haven't been able to test it."


Ah, man, what an awesome idea. I also have no idea how they hooked the API... *pauses a moment to think*... Well, you could simply rename the dll the API is stored in, and insert your own dll which acts as a redirect to the real dll - making sure the process you wish to hide doesn't get returned. I've seen this technique employed with a wsock32.dll clone. What a deceptively simple idea!

"I was playing with SetWindowsHookEx yesterday to do a global keyboard hook and log to a file.
I didn't get it to work yet,I'm still playing with it."


Man, hook me up if you get it working. I have made a dll in ANSI-C which does that... everything works if all I wanted was a local hook... *sigh*

"I did see an easy way to get files from other computers over the network,like from a www/ftp server using API's from WININET.DLL"

yep, I've used that before.

"Disassemble it,or any DLL file for that matter,and you'll see loads of API's"

Actually, why disassemble it? Do you have Visual Studio? Use their utility called "Depends". It is really sweet. You can see what API's is exported from a dll and much more.

Reply to Paragon:

BSD sockets (and winsock which was based off of it) was designed as a interface between the network and the application. The operating system managed the sockets, and the application calls API's to make use of those sockets. One of the rules the developer required is that two applications may not listen on the same port.
Posted by: James

Re: Hax0ring Windows security software - 07/23/02 07:32 AM

I don't have Visual Studio, and my Win32 API documentation is for Win3.1/Win95/NT4.
So,yeah,I know you don't have to disassemble any DLL files if you have updated docs.
Somtimes though,you will find undocumented API's inside these files,that you won't or can't get information for on say..the MSDN library CD-ROM's or microsofts site that i mentioned.When I get the the keyboard hook program to work properly,i'll let you know.
I have a Visual C++ keyboard hook example,also a mouse hook example for MASM32 if those are any good to you?
Posted by: SilentRage

Re: Hax0ring Windows security software - 07/23/02 08:15 AM

nah, I've seen keyboard hook code in VC++ as well - but for some reason my ANSI-C code doesn't. It's quite perplexing. I've learned and seen all I can learn and see about global hooks - it just doesn't work! aaaaaaaaaaaaaaargh!

And I wouldn't touch VC++ with a 10 foot ****, well, especially not with a 10 foot ****... heh... It annoys me.

Another global hook I'd like to make is a message hook. You can do some serious app hacking with that baby.
Posted by: dashocker

Re: Hax0ring Windows security software - 07/23/02 05:59 PM

just curious, what are these global hooks?
Posted by: SilentRage

Re: Hax0ring Windows security software - 07/23/02 06:31 PM

magic

Ask Jeeves
Posted by: dashocker

Re: Hax0ring Windows security software - 07/23/02 06:33 PM

lol
fuck you
Posted by: Paragon

Re: Hax0ring Windows security software - 07/24/02 07:23 PM

Correct me if I'm wrong, but hooks are essentially the parts where the OS interfaces with the hardware right? If you can intercept the hooks you can control the OS.
Posted by: infected9x

Re: Hax0ring Windows security software - 07/30/02 09:24 AM

you can make security plugins for all windows boxes go to http://www.download.com and download this program called x-setup its a great program for fixing windows crap and security probs and you can also download the plugin maker for it above the download [Machine] [Bust a Cap] <
Posted by: SilentRage

Re: Hax0ring Windows security software - 07/30/02 09:31 AM

actually, not quite. A hook is where you intercept interchange between the system and the hardware or between any one thing and another. Hooks are created by programs.
Posted by: SilentRage

Re: Hax0ring Windows security software - 08/06/02 05:22 PM

James. pergesu showed me this link. With this info you can give any application system permissions on any windows platform. I read it through and understand it completely. I think you will to.

http://security.tombom.co.uk/shatter.html
Posted by: Paragon

Re: Hax0ring Windows security software - 08/14/02 01:08 PM

Thanks for the link! Great reading, I'm learning all kinds of interesting stuff. Got any more?
Posted by: Satori

Re: Hax0ring Windows security software - 10/13/02 12:26 AM

Yeah, the problem comes when two apps attempt to grab the same port. One app can listen on one port and then filter the incoming data to different worker threads so that it has numerous functions being handled by one port (webservers and name-based hosting come to mind).

As for the question about remote DOS windows - no need to write your own, mate. RCMD has been around since NT 3.51, and is free for download from MS as part of the publically available resource kit. Not too hard to slip it into something else, too, as it's small and lightweight...

I can tell I've got alot to learn from you guys. I've been fending off hackers for years, without ever programming. I know alot about the tools and processes you guys utilize, and about the exploits that your custom code exploits, but I'm just now taking my first baby steps into writing my own stuff. Keep on posting good information! I'm learnign alot.

-Satori