Jump to content




IMPORTANT
We are happy to let you know that SIRUMIUM (ex crimeclub) is back online.
If you are old vendor here you will have one month bonus on your advertise and free banner in rotation.

ADVERTISE

All Activity

This stream auto-updates     

  1. Past hour
  2. Today
  3. Yesterday
  4. Last week
  5. Earlier
  6. ETHICAL HACKING WITH GO PROGRAMMING LANGUAGE: BUILD TOOLS -What is Hacking? -How to Use go language for Hacking -How to Change MAC address using golang. -How to create a TCP network Scanner -How to Perform Man in the Middle attack using golang -Perform Packet capturing and interception -Create your own malware -Running Commands remotely on victim. -Navigating File system on victim machine. -Stealing Files and Folders from victim machine. -Uploading Viruses on victim Machine. -Creating your own keylogger. -How to Package your malware into a trojan. https://mega.nz/file/HkhQibBB#cJZ-AWEblc6gOTWCNORWzKL1ykvvnL9Y4yfa7Pp0j3Q #ethical #hacking #security #video https://t.co/UEkPddSKpX 70 videos on how to hack guides. (NOT FORCED) donations goes to a foundation who help people from asia, africa and cambodia. thanks! BTC address: 32rUautm1SzUs5a1uefdN7iSQukpqC3UYV
  7. https://yadi.sk/d/3-tWgf_ZM6xMog there is this link but you need paid yandex disk to download if anyone has, can you download and re-upload the database somewhere else?
  8. "The file you are trying to download is no longer available." Another link?
  9. access to a big ipcamera vendor is for sale now, vendor is listed in top 5 type:ftp contents: firmware, brochures, etc domain: main website price : 0.07btc dm me for details
  10. Interesting, but there are less amount of people around here i'd like to contribute
  11. This URL not opening HTTPS://MAJOR.MS
  12. jordan all population info for sale db including more than 9M records full name, national number, sex, birthday, state,city, job,.... price: 1btc dm me
  13. 1- Maze: http://xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion 2- Corporate Leaks: http://hxt254aygrsziejn.onion 3- Suncrypt: http://nbzzb6sa6xuura2z.onion 4- Dopple Leaks: http://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion 5- Netwalker: http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion/blog 6- REvil - Happy Blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion 7- CLOP: http://ekbgzchl6x2ias37.onion 8- Ragnar Locker: http://p6o7m73ujalhgkiv.onion 9- Sekhmet Leaks: https://sekhmetleaks.top 10- Avaddon Info: http://avaddongun7rngel.onion 11- Darkside: http://darksidedxcftmqa.onion 12- Mount Locker: http://mountnewsokhwilx.onion 13- Egregor: http://egregoranrmzapcv.onion 14- Conti News: http://fylszpcqfel7joif.onion/news
  14. Contact me for your Bank Logs, Dumps Fulls Paypals, Western Union Transfer / Bank Transfer service CONTACT ME ON: lCQ Nickname: @Freshyfresh ICQ UIN: 688 919 335 TELEGRAM: @realbest101
  15. https://mega.nz/file/Z58CXSID#17wkvMg5W-gzSqSxf8oIAXvwLPVeYXMeN7a83IjNO3M Password: xss.is
  16. Using Syscalls to Inject Shellcode on Windows After learning how to write shellcode injectors in C via the Sektor7 Malware Development Essentials course, I wanted to learn how to do the same thing in C#. Writing a simple injector that is similar to the Sektor7 one, using P/Invoke to run similar Win32 API calls, turns out to be pretty easy. The biggest difference I noticed was that there was not a directly equivalent way to obfuscate API calls. After some research and some questions on the BloodHound Slack channel (thanks @TheWover and @NotoriousRebel!), I found there are two main options I could look into. One is using native Windows system calls (AKA syscalls), or using Dynamic Invocation. Each have their pros and cons, and in this case the biggest pro for syscalls was the excellent work explaining and demonstrating them by Jack Halon (here and here) and badBounty. Most of this post and POC is drawn from their fantastic work on the subject. I know TheWover and Ruben Boonen are doing some work on D/Invoke, and I plan on digging into that next. I want to mention that a main goal of this post is to serve as documentation for this proof of concept and to clarify my own understanding. So while I’ve done my best to ensure the information here is accurate, it’s not guaranteed to be 100%. But hey, at least the code works. Said working code is available here Native APIs and Win32 APIs To begin, I want to cover why we would want to use syscalls in the first place. The answer is API hooking, performed by AV/EDR products. This is a technique defensive products use to inspect Win32 API calls before they are executed, determine if they are suspicious/malicious, and either block or allow the call to proceed. This is done by slightly the changing the assembly of commonly abused API calls to jump to AV/EDR controlled code, where it is then inspected, and assuming the call is allowed, jumping back to the code of the original API call. For example, the CreateThread and CreateRemoteThread Win32 APIs are often used when injecting shellcode into a local or remote process. In fact I will use CreateThread shortly in a demo of injection using strictly Win32 APIs. These APIs are defined in Windows DLL files, in this case MSDN tells us in Kernel32.dll. These are user-mode DLLs, which mean they are accessible to running user applications, and they do not actually interact directly with the operating system or CPU. Win32 APIs are essentially a layer of abstraction over the Windows native API. This API is considered kernel-mode, in that these APIs are closer to the operating system and underlying hardware. There are technically lower levels than this that actually perform kernel-mode functionality, but these are not exposed directly. The native API is the lowest level that is still exposed and accessible by user applications, and it functions as a kind of bridge or glue layer between user code and the operating system. Here’s a good diagram of how it looks: You can see how Kernell32.dll, despite the misleading name, sits at a higher level than ntdll.dll, which is right at the boundary between user-mode and kernel-mode. So why does the Win32 API exist? A big reason it exists is to call native APIs. When you call a Win32 API, it in turn calls a native API function, which then crosses the boundary into kernel-mode. User-mode code never directly touches hardware or the operating system. So the way it is able to access lower-level functionality is through native PIs. But if the native APIs still have to call yet lower level APIs, why not got straight to native APIs and cut out an extra step? One answer is so that Microsoft can make changes to the native APIs with out affecting user-mode application code. In fact, the specific functions in the native API often do change between Windows versions, yet the changes don’t affect user-mode code because the Win32 APIs remain the same. So why do all these layers and levels and APIs matter to us if we just want to inject some shellcode? The main difference for our purposes between Win32 APIs and native APIs is that AV/EDR products can hook Win32 calls, but not native ones. This is because native calls are considered kernel-mode, and user code can’t make changes to it. There are some exceptions to this, like drivers, but they aren’t applicable for this post. The big takeaway is defenders can’t hook native API calls, while we are still allowed to call them ourselves. This way we can achieve the same functionality without the same visibility by defensive products. This is the fundamental value of system calls. System Calls Another name for native API calls is system calls. Similar to Linux, each system call has a specific number that represents it. This number represents an entry in the System Service Dispatch Table (SSDT), which is a table in the kernel that holds various references to various kernel-level functions. Each named native API has a matching syscall number, which has a corresponding SSDT entry. In order to make use of a syscall, it’s not enough to know the name of the API, such as NtCreateThread. We have to know its syscall number as well. We also need to know which version of Windows our code will run on, as the syscall numbers can and likely will change between versions. There are two ways to find these numbers, one easy, and one involving the dreaded debugger. The first and easist way is to use the handy Windows system call table created by Mateusz “j00ru” Jurczyk. This makes it dead simple to find the syscall number you’re looking for, assuming you already know which API you’re looking for (more on that later). WinDbg The second method of finding syscall numbers is to look them up directly at the source: ntdll.dll. The first syscall we need for our injector is NtAllocateVirtualMemory. So we can fire up WinDbg and look for the NtAllocateVirtualMemory function in ntdll.dll. This is much easier than it sounds. First I open a target process to debug. It doesn’t matter which process, as basically all processes will map ntdll.dll. In this case I used good old notepad. We attach to the notepad process and in the command prompt enter x ntdll!NtAllocateVirtualMemory. This lets us examine the NtAllocateVirtualMemory function within the ntdll.dll DLL. It returns a memory location for the function, which we examine, or unassemble, with the u command: Now we can see the exact assembly language instructions for calling NtAllocateVirtualMemory. Calling syscalls in assembly tends to follow a pattern, in that some arguments are setup on the stack, seen with the mov r10,rcx statement, followed by moving the syscall number into the eax register, shown here as mov eax,18h. eax is the register the syscall instruction uses for every syscall. So now we know the syscall number of NtAllocateVirtualMemory is 18 in hex, which happens to be the same value listed on in Mateusz’s table! So far so good. We repeat this two more times, once for NtCreateThreadEx and once for NtWaitForSingleObject. Where are you getting these native functions? So far the process of finding the syscall numbers for our native API calls has been pretty easy. But there’s a key piece of information I’ve left out thus far: how do I know which syscalls I need? The way I did this was to take a basic functioning shellcode injector in C# that uses Win32 API calls (named Win32Injector, included in the Github repository for this post) and found the corresponding syscalls for each Win32 API call. Here is the code for Win32Injector: As you can see from the code, the three main Win32 API calls used via P/Invoke are VirtualAlloc, CreateThread, and WaitForSingleObject, which allocate memory for our shellcode, create a thread that points to our shellcode, and start the thread, respectively. As these are normal Win32 APIs, they each have comprehensive documentation on MSDN. But as native APIs are considered undocumented, we may have to look elsewhere. There is no one source of truth for API documentation that I could find, but with some searching I was able to find everything I needed. In the case of VirtualAlloc, some simple searching showed that the underlying native API was NtAllocateVirtualMemory, which was in fact documented on MSDN. One down, two to go. Unfortunately, there was no MSDN documentation for NtCreateThreadEx, which is the native API for CreateThread. Luckily, badBounty’s directInjectorPOC has the function definition available, and already in C# as well. This project was a huge help, so kudos to badBounty! Lastly, I needed to find documentation for NtWaitForSingleObject, which as you might guess, is the native API called by WaitForSingleObject. You’ll notice a theme where many native API calls are prefaced with “Nt”, which makes mapping them from Win32 calls easier. You may also see the prefix “Zw”, which is also a native API call, but normally called from the kernel. These are sometimes identical, which you will see if you do x ntdll!ZwWaitForSingleObject and x ntdll!NtWaitForSingleObject in WinDbg. Again we get lucky with this API, as ZwWaitForSingleObject is documented on MSDN. I want to point out a few other good sources of information for mapping Win32 to native API calls. First is the source code for ReactOS, which is an open source reimplementation of Windows. The Github mirror of their codebase has lots of syscalls you can search for. Next is SysWhispers, by jthuraisamy. It’s a project designed to help you find and implement syscalls. Really good stuff here. Lastly, the tool API Monitor. You can run a process and watch what APIs are called, their arguments, and a whole lot more. I didn’t use this a ton, as I only needed 3 syscalls and it was faster to find existing documentation, but I can see how useful this tool would be in larger projects. I believe ProcMon from Sysinternals has similar functionality, but I didn’t test it out much. Ok, so we have our Win32 APIs mapped to our syscalls. Let’s write some C#! But these docs are all for C/C++! And isn’t that assembly over there… Wait a minute, these docs all have C/C++ implementations. How do we translate them into C#? The answer is marshaling. This is the essence of what P/Invoke does. Marshaling is a way of making use of unmanaged code, e.g. C/C++, and using in a managed context, that is, in C#. This is easily done for Win32 APIs via P/Invoke. Just import the DLL, specify the function definition with the help of pinvoke.net, and you’re off to the races. You can see this in the demo code of Win32Injector. But since syscalls are undocumented, Microsoft does not provide such an easy way to interface with them. But it is indeed possible, through the magic of delegates. Jack Halon covers delegates really well here and here, so I won’t go too in depth in this post. I would suggest reading those posts to get a good handle on them, and the process of using syscalls in general. But for completeness, delegates are essentially function pointers, which allow us to pass functions as parameters to other functions. The way we use them here is to define a delegate whose return type and function signature matches that of the syscall we want to use. We use marshaling to make sure the C/C++ data types are compatible with C#, define a function that implements the syscall, including all of its parameters and return type, and there you have it! Not quite. We can’t actually call a native API, since the only implementation of it we have is in assembly! We know its function definition and parameters, but we can’t actually call it directly the same way we do a Win32 API. The assembly will work just fine for us though. Once again, it’s rather simple to execute assembly in C/C++, but C# is a little harder. Luckily we have a way to do it, and we already have the assembly from our WinDbg adventures. And don’t worry, you don’t really need to know assembly to make use of syscalls. Here is the assembly for the NtAllocateVirtualMemory syscall: As you can see from the comments, we’re setting up some arguments on the stack, moving our syscall number into the eax register, and using the magic syscall operator. At a low enough level, this is just a function call. And remember how delegates are just function pointers? Hopefully it’s starting to make sense how this is fitting together. We need to get a function pointer that points to this assembly, along with some arguments in a C/C++ compatible format, in order to call a native API. Putting it all together So we’re almost done now. We have our syscalls, their numbers, the assembly to call them, and a way to call them in delegates. Let’s see how it actually looks in C#: Starting from the top, we can see the C/C++ definition of NtAllocateVirtualMemory, as well as the assembly for the syscall itself. Starting at line 38, we have the C# definition of NtAllocateVirtualMemory. Note that it can take some trial and error to get each type in C# to match up with the unmanaged type. We create a pointer to our assembly inside an unsafe block. This allows us to perform operations in C#, like operate on raw memory, that are normally not safe in managed code. We also use the fixed keyword to make sure the C# garbage collector does not inadvertently move our memory around and change our pointers. Once we have a raw pointer to the memory location of our shellcode, we need to change its memory protection to executable so it can be run directly, as it will be a function pointer and not just data. Note that I am using the Win32 API VirtualProtectEx to change the memory protection. I’m not aware of a way to do this via syscall, as it’s kind of a chicken and the egg problem of getting the memory executable in order to run a syscall. If anyone knows how to do this in C#, please reach out! Another thing to note here is that setting memory to RWX is generally somewhat suspicious, but as this is a POC, I’m not too worried about that at this point. We’re concerned with hooking right now, not memory scanning! Now comes the magic. This is the struct where our delegates are declared: Note that a delegate definition is just a function signature and return type. The implementation is up to us, as long as it matches the delegate definition, and it’s what we’re implementing here in the C# NtAllocateVirtualMemory function. At line 65 above, we create a delegate named assembledFunction, which takes advantage of the special marshaling function Marshal.GetDelegateForFunctionPointer. This method allows us to get a delegate from a function pointer. In this case, our function pointer is the pointer to the syscall assembly called memoryAddress. assembledFunction is now a function pointer to an assembly language function, which means we’re now able to execute our syscall! We can call assembledFunction delegate like any normal function, complete with arguments, and we will get the results of the NtAllocateVirtualMemory syscall. So in our return statement we call assembledFunction with the arguments that were passed in and return the result. Let’s look at where we actually call this function in Program.cs: Here you can see we make a call to NtAllocateMemory instead of the Win32 API VirtualAlloc that Win32Injector uses. We setup the function call with all the needed arguments (lines 43-48) and make the call to NtAllocateMemory. This returns a block of memory for our shellcode, just like VirtualAlloc would! The remaining steps are similar: We copy our shellcode into our newly-allocated memory, and then create a thread within our current process pointing to that memory via another syscall, NtCreateThreadEx, in place of CreateThread. Finally, we start the thread with a call to the syscall NtWaitForSingleObject, instead of WaitForSingleObject. Here’s the final result: Hello world via syscall! Assuming this was some sort of payload running on a system with API hooking enabled, we would have bypassed it and successfully run our payload. A note on native code Some key parts of this puzzle I’ve not mentioned yet are all of the native structs, enumerations, and definitions needed for the syscalls to function properly. If you look at the screenshots above, you will see types that don’t have implementations in C#, like the NTSTATUS return type for all the syscalls, or the AllocationType and ACCESS_MASK bitmasks. These types are normally declared in various Windows headers and DLLs, but to use syscalls we need to implement them ourselves. The process I followed to find them was to look for any non-simple type and try to find a definition for it. Pinvoke.net was massively helpful for this task. Between it and other resources like MSDN and the ReactOS source code, I was able to find and add everything I needed. You can find that code in the Native.cs class of the solution here. Wrapup Syscalls are fun! It’s not every day you get to combine 3 different languages, managed and unmanaged code, and several levels of Windows APIs in one small program. That said, there are some clear difficulties with syscalls. They require a fair bit of boilerplate code to use, and that boilerplate is scattered all around for you to find like a little undocumented treasure hunt. Debugging can also be tricky with the transition between managed and unmanaged code. Finally, syscall numbers change frequently and have to be customized for the platform you’re targeting. D/Invoke seems to handle several of these issues rather elegantly, so I’m excited to dig into those more soon. Source: https://www.solomonsklash.io/syscalls-for-shellcode-injection.html
  17. any news on unicc new domain?
  18. Hello everyone !i'm selling last verison of dumps/ccv shop scriptfeatures: 1 - BTC API AUTO BALANCE ADD 2 - DUMPS / CCV CHECKER FOR 2 SITES like ( luxchecker - try2check ) 3 - section for dumps - section for ccv 4 - support ticket system5 - resellers sections with seller name and validty rate 6 - News - updates page on front webpage 7- easy admin control panel 8 - easy installation to ur site ..ESCROW IS VERY WELCOME !! price : 900$ ICQ : 635079947 JABBER : [email protected]
  19. This script can be used for multiple purposes but is focus in registering hosting and domains and or send fake invoices to anyone email. If you are using this script to scare someone with fake invoices be sure to use a VPN. The only thing that is required is fill the purchase forms with fake data and include the target email as the registrant. Download: http://nitroflare.com/view/DBB789A029C7660/WHMCS_Fake_Invoice.zip https://uploadrar.com/hiaqdb9pshep https://ddownload.com/v0u2e65yv0fa https://youdbox.com/zg7iphi8ndlj/WHMCS_Fake_Invoice.zip.html Virus Scan: The file is in plain text
  20. this is my group. all about just everything ^^
    https://t.me/joinchat/PnAV_xl7b-FzC7R_cKpI_Q
     

  21. might wanna check this out! https://doc.lagout.org/CloudStack/ https://doc.lagout.org/LPI/ https://doc.lagout.org/Others/ https://doc.lagout.org/distribution/ https://doc.lagout.org/dsp/ https://doc.lagout.org/electronics/ https://doc.lagout.org/network/ https://doc.lagout.org/operating system / https://doc.lagout.org/programmation/ https://doc.lagout.org/science/ https://doc.lagout.org/security/ https://doc.lagout.org/Alfred V. Aho - Data Structures and Algorithms.pdf https://doc.lagout.org/Computer Architechture.pdf https://doc.lagout.org/Computer Hardware Main Components.pdf https://doc.lagout.org/Computer Organisation %26 Fundementals.pdf https://doc.lagout.org/Embedded Hardware.pdf https://doc.lagout.org/Halte Aux Hackeurs - Stuart McClure - Eyrolles (4ème Ed.) - 2003.pdf https://doc.lagout.org/Mobile Communciations by Jochen Schiller.pdf https://doc.lagout.org/Operatin System Internals and Design Principles.pdf https://doc.lagout.org/Operating System Concepts.pdf https://doc.lagout.org/The Indispensable PC Hardware Book - Third Edition.pdf https://doc.lagout.org/config-fail2ban.tar.gz https://doc.lagout.org/readme.txt https://doc.lagout.org/rtfm-red-team-field-manual.pdf https://doc.lagout.org/tree.txt for ethical hacking ^^
  22. 4 spotify premium accounts for sale 3 of them are family accounts family = 10 USD single = 5 USD dm me
  23. 10 surfshark premium accounts for sale each account 20 USD payments will be in BTC DM me
  24. Multiply the number of connections to a site up to 50x. For single multi-thread denial of service use the old version (1.0) as it connects and disconnects 1 connection at the time in a continous mode. - Increase up to 50 users by typing the address - Works better with internet radios 50x - Works with any port (For example :8080) - Able to keep connection alive - Easy to use - Always run in a dedicated windows instalation (As it can take a lot of system resources) Download: https://www.file-upload.com/fh58xm7u39z8 Virus Scan: (8/60 - Lots of detections) https://www.virustotal.com/gui/file/371e6ae8265964ca2722ceb41db83b286f7026f698e699b3ff4b169798570b94/detection
  25. In 20 of May 2020, the hacking forum Nulled.ch was breached and the data published to a rival hacking forum. Over 43k records were compromised and included IP and email addresses, usernames and passwords stored as salted MD5 hashes alongside the private message history of the website's admin. Compromised data: Usernames, Email Addresses, Passwords, IP Addresses, Dates of Birth, Website Activity, Administrator Private Messages Note: My data is leaked in this database and it is a match. With the combination of the password hash and salt is possible to crack the password. Download 1: http://q.gs/19214853/nulledch-database http://gestyy.com/e0Zslj https://oke.io/4k5i Download 2: http://ddl.to/d/VLO6 https://uploadcenter.com/h255eujtdsx9.html http://hulkload.com/5wtipah0h22k https://mega4up.com/mqz90f5t6yuv https://userupload.in/hph5irhmepuc https://www.gulf-up.com/q30ooxdevxt9 http://spicyfile.com/h6mx70kq1o6s http://uploadhive.com/m9n1ybvbxitx.htm http://myfiles.onl/afcw8kh6d0mx https://www.xfileloads.com/9fjanfx1nx2y https://filezip.cc/i91c8chdongi https://uploadrar.com/u57l97njbxr9 https://dl1.indishare.in/wuy4dx3kvjy7 https://dropapk.to/4xjb45iqqrdv https://www.uploadship.com/bbdd1b6074f2a703 https://userscloud.com/djv7qduwpsxr https://clicknupload.co/rdrcyxryvdra https://www.file-upload.com/226nedt8umpl http://cornfile.com/vxybzta0ali2 https://nitroflare.com/view/327B1F87E6C8048/nulledch-database-leaked-20-of-may-2020.rar https://wupfile.com/3kn3euuznoe9/nulledch-database-leaked-20-of-may-2020.rar.html http://hexupload.net/4x9zno5rpt5s/nulledch-database-leaked-20-of-may-2020.rar.html http://uploadb.me/gq6aqs353nrj/nulledch-database-leaked-20-of-may-2020.rar.html https://youdbox.com/w7m17vkgpokf/nulledch-database-leaked-20-of-may-2020.rar.html https://hugesharing.net/1z9nv1zf4fp3/nulledch-database-leaked-20-of-may-2020.rar http://katfile.com/p3y2ompahozh/nulledch-database-leaked-20-of-may-2020.rar.html https://rapidgator.net/file/f7cdd973b1ff8aedf228f9533eb0f5ae/nulledch-database-leaked-20-of-may-2020.rar.html
  26. Exploit Kit for Websites... Free adb.html Paid More devices Download: https://www.file-upload.com/8n0zfs1jfdxn More about this exploit kit The paid product isn't available to anyone as it includes years of computer hacking and security expertize. The kit is the most complete archive to work with any internet computer and a web hosting account. Contact: [email protected]
  1. Load more activity
×