Press "Enter" to skip to content

Posts published in April 2017

A simple c# Trojan Horse example

Sina Karvandi 0

A simple c# Trojan Horse example There were times when I started to learn C# just for creating trojans and this kind of stuffs. It was 4 years ago when I built this Trojan horse to use it for educational purposes but soon I understood that this kind of trojan horse that is written in such a high level programming languages like C# is not good enough because they are (almost) easily reversible and new Trojan horses should be written…

Import Address Table (IAT) in action

Sina Karvandi 4

Did you ever think about how different dll files with different versions and obviously with different addresses of functions work perfectly together ? The answer is Import Address Table (IAT). In the previous post I describe about how to get SSDT. IAT is somehow a User-Mode version of SSDT and in this post I’m gonna write about what I read and experience about IAT in action. Why IAT is important ? It is important because it gives PE executer a…

Lack of rechecking permissions in Android

Sina Karvandi 0

Yesterday me and one of my friends were working on an Android Penetration testing project. After testing some kinds of exploit then we somehow get root privilege with some kinds of limitations. In the case of this exploit we can just write to any file we want and we cannot do anything more because ASLR was preventing us to do. So we just think how we could do something to violate privacy of this Android device then as we know…

Bind9 chroot on debian 8

Shahriar 0

From Wikipedia: BIND, or named, is the most widely used Domain Name System (DNS) software on the Internet. On Unix-like operating systems it is the de facto standard. As you know chrooting a process is very beneficial for security as any compromise cannot have effect on the whole system. But be aware escaping from chroot is not impossible. and therefore should not be used as your only security measure on a production DNS resolver. Chrooting Bind is simple, however there…

Change User-Mode application’s virtual address through Kernel Debugging

Sina Karvandi 1

Well, it’s somehow an odd topic but sometimes it could be really helpful in some situations. So what are the situations? Imagine sometimes you need to access windows stuffs that aren’t available from user-mode debuggers like ollydbg or through user-mode debugging (e.g memory after 0x7fffffff). In my experience I see some conditions that protectors make a sophisticated check for finding any debugger in memory and then change their approach to stop reverser from reversing the rest of the code. In…