10 Oct 2010 @ 4:02 PM 

A few days ago one of my friends was bragging about OOPS concepts and how they protect private variables and sensitive data from the outside world. I tried to explain that once it is loaded into memory, we can access and change whatever we want with a suitable debugger. As the saying goes, “people won’t believe until they see”, so I had to write a little bit of code to show that it is fairly easy to use reflection and there is no need for good old WinDbg for this simple thing :).

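using System;
using System.Reflection;      // FieldInfo, BindingFlags
using System.Windows.Forms;   // MessageBox

class MySecretClass
{
	private string mySecretinfo;
	public MySecretClass()
	{
		mySecretinfo = "dead-c0de";
	}

	public string GetMySecretInfo()
	{
		return mySecretinfo;
	}
}

// The two methods below are button click handlers on a Windows Forms form.

// Normal access: the private field is reachable only through the public getter.
private void btnNormal_Click(object sender, EventArgs e)
{
	MySecretClass mySecretClass = new MySecretClass();
	MessageBox.Show(mySecretClass.GetMySecretInfo());
}

// Reflection: look up the private instance field by name and overwrite it.
private void btnReflection_Click(object sender, EventArgs e)
{
	MySecretClass mySecretClass = new MySecretClass();

	// NonPublic | Instance is required to find a private instance field.
	FieldInfo fi = typeof(MySecretClass).GetField("mySecretinfo", BindingFlags.NonPublic | BindingFlags.Instance);
	fi.SetValue(mySecretClass, "You are dead!");
	// The public getter now returns the overwritten value.
	MessageBox.Show(mySecretClass.GetMySecretInfo());
}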
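
Going beyond the single field write above, the following added example (not code from the original post) shows that the same reflection calls also read a private value, overwrite a readonly instance field and invoke a private method. The Vault class and all of its members are hypothetical names made up for the illustration, and the key string is a constructed sample.

```csharp
using System;
using System.Reflection;

// Hypothetical class for this added example; not from the original post.
sealed class Vault
{
    // Constructed sample value; "readonly" only restricts normal C# code.
    private readonly string apiKey = "constructed-sample-key";

    private bool IsAuthorized(string user)
    {
        return user == "admin";
    }

    public string Describe()
    {
        return "key=" + apiKey;
    }
}

static class Program
{
    // Flags needed to find non-public instance members.
    const BindingFlags Hidden = BindingFlags.NonPublic | BindingFlags.Instance;

    static void Main()
    {
        Vault vault = new Vault();

        // 1. Read a private field without going through any public accessor.
        FieldInfo key = typeof(Vault).GetField("apiKey", Hidden);
        Console.WriteLine("read private field:  " + key.GetValue(vault));

        // 2. Overwrite it even though it is declared readonly.
        key.SetValue(vault, "overwritten");
        Console.WriteLine("after SetValue:      " + vault.Describe());

        // 3. Call a private method directly and observe its result.
        MethodInfo check = typeof(Vault).GetMethod("IsAuthorized", Hidden);
        object result = check.Invoke(vault, new object[] { "guest" });
        Console.WriteLine("private method call: " + result);
    }
}
```

None of these calls is blocked for fully trusted code, so access modifiers are a design aid and not a protection for secrets held in process memory.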

Posted By: Dan
Last Edit: 10 Oct 2010 @ 04:14 PM

Categories: C#

 03 Oct 2010 @ 12:08 AM 

Executing batch files on UAC-enabled Windows Vista/7 is a pain when the batch file is going to make changes to restricted folders such as windows or system32. UAC will block any attempt to create or modify files in the protected folders. Fortunately, there is an option to execute it with admin privileges by right-clicking the bat file and selecting “Run as administrator”. This creates a little trouble with the current path. If the bat file is executed normally, its current path is the folder where the bat file resides, but if it is “Run as administrator”, the current path becomes \windows\system32. This becomes a problem if we are trying to access a file that resides in the same folder as the bat file. The problem can be resolved pretty easily by enabling command extensions and setting the current path using %~dp0, which expands to the drive and path of the running batch file.

@setlocal enableextensions
@cd /d "%~dp0"

Posted By: Dan
Last Edit: 05 Oct 2010 @ 05:24 PM

Categories: Batch File, UAC

 27 Sep 2010 @ 11:37 AM 

We have seen dynamic IL compilation in a managed environment and shellcode execution in an unmanaged environment like C. What I present here is shellcode execution from C#. This particular trick uses CallWindowProc, which earlier VB6 programmers used for inlining ASM into their code, or used together with LoadLibrary/GetModuleHandle for dynamic method invocation. There are a couple of extra steps to make it work in a managed environment, mainly due to the garbage collector and the *managed* nature.

using System;
using System.Runtime.InteropServices;

namespace Shell
{
    class x86Shell
    {
        [DllImport("user32")]
        private static extern int CallWindowProc
            (IntPtr lpPrevWndFunc, int hWnd, int Msg, int wParam, int lParam);

        public unsafe int Add(int a, int b)
        {
            // 8B45 0C         MOV EAX,DWORD PTR SS:[EBP+C]
            // 8B5D 10         MOV EBX,DWORD PTR SS:[EBP+10]
            // 03C3            ADD EAX,EBX
            // C2 1000         RET 10

            // 4 parameters can be passed to CallWindowProc and can be addressed from 0x0C, 0x10, 0x14 and 0x18
            byte[] shellCode = { 0x8B, 0x45, 0x0C, 0x8B, 0x5D, 0x10, 0x03, 0xC3, 0xC2, 0x10, 0x00 };
            fixed (byte* bytePointer = shellCode)
            {
                IntPtr pointer = (IntPtr)bytePointer;
                return CallWindowProc(pointer, a, b, 0, 0);
            }

        }
    }
}

Compile with /unsafe enabled. Well, the question remains… What is the use of these kinds of techniques? Maybe some malware writers will use it (if malware is coded in a managed language 😛), or some .NET obfuscators/protectors can use it to make reverse engineering a little harder (though they have to have both x86 and x64 versions of the code).

Posted By: Dan
Last Edit: 27 Sep 2010 @ 11:46 AM

Categories: C#, Shellcode

 17 Sep 2010 @ 6:19 PM 

Well, this is the first post here and it's kind of off-topic for me too. Anyway, we were doing some random stuff and a requirement popped up to make an internet connection from a GSM module and send a GET request to a particular website which hosts the particular page that does the post-processing of the information. I am listing the commands that were used to connect to GPRS and send TCP packets to the web server. This can also be used for accessing FTP and other services hosted by different providers.

This is the GSM module we used for testing it.

We tested with an Airtel SIM and it works well 🙂

AT+CGATT=1
AT+CGDCONT=1,"IP","airtelgprs.com"
AT+CDNSCFG="202.56.231.117"
AT+CSTT="airtelgprs.com","",""
AT+CIICR
AT+CIFSR
AT+CIPSTATUS
AT+CIPHEAD=1
AT+CDNSORIP=1
AT+CIPSTART="TCP","www.google.com","80"
AT+CIPSEND
>GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us

Just use any compatible terminal software and make sure you end the GET request with 2 CR LF sequences.

Posted By: Dan
Last Edit: 05 Oct 2010 @ 05:26 PM

Categories: Hardware




