Техника и философия хакерских атак

'-2004621.396.21832.884.14848 '. .: -,2004. 272.: . ().ISBN5-98003-127-8'!?621.396.21832.884.1ISBN5-98003-127-8 -,2004 ,2004,-. , . . -.,-.(),,,,,-(-. - , DVD- , - . , -, -). , , . , -,,., . , -.,!, -.: $ERRgI0 /HI-TECH, Kory Wee Key, Roman Hady, , , , , , Art D. Sere-duk, C0r, CrazyHamsters, GreY][akeR, JeskelA, neo_pegas, Patriot, Sergey R.,Stacy/Z/,StaverV.,TheSkull,tocopok,,, , , ,, , , , , , , ZZ, , (),,,,- , , , , , , - , .(EXECRK) - , -. , . -, -,...,., - : win32API , stealth- API- (, , , stealth). .-Intel++5.0.1,IntelFortran4.5,IntelC++7.0,-RecordNowAlcohol120%, UniLink,-. () - ( ). -- CD-ROM -, - Windows NT/W2K ( ! -Windows-). , - , - ( CloneCDAlcohol 120%), .4 -. ,, . , - , -. , ( ) - . -, , . , , , --(- ) .,- . .-,--. , , ! , -.-, , . , . , , . - : - ..-:, UNIXWindowsNT/W2K,(TELNET,POP3,IMAP4,NNTP,HTTP)-, -. --. 5 IDA IDAIDA. IDA-, ,! , , . -...- , ., (), , ... , . -(-,,).(, Penti-um-III, Pentium-4, Athlon SDRAM) , - -. , -.,-.,-,.,. , -,.: . ! , . ( !), -(. -,- ). , ....6 ( ) ! ( -), .-, :-, , -(/), , -., . . ., . , -! : (.). , , , - , -,.$-.,$1.,,(..-). . [email protected], [email protected]@smtp.ru. ( ). , . -, , ! ,! 7? ? , , :( ) -. , - . , . -(, -, , ). , , - , , - , /.,,, , , -. -, , : success fuck out,shitmotherfucker!..- , , ,() -. ,-.?,:-;, ... -;, - , ,., , . - , ---.: , ?-, , (, , -). -, . -, -- ! , , (, , ). --, , -. , , - . -, ., ,, CD-, . (, , -),...,!, , - . ?: , (/ -) . -, , , -,-,. 9,(). .-() , ,.,-, - , -(),-.: ( , ,); (-, , ,, -); , ,( , ---HASP, ,HASP,)., , , . , -?, . (!) , , / . , -, -, . , Internet share-ware, (!)..-,,,- , ... share-ware- - ( -, ). - . - 10 ?, CD, , - Registers...-. , , , ... ! -/, -(,,-).:- ., -. , -, , ; - , . , - , (, , -).(!)-TCP-/UDP-, -(-).-. , NETSTAT, Windows 9x/NT, TCPVIEW.-API-, , , , WINSOCS-,,,...., -. ? , -, . , ,, 11. , , -?!.,strcmp( ) ). ,,,!(,.)1.C5F11EA6h+c-:r:- `-ca`_u. +yccccua.cc+ar:`

c|a .-_u.[000_.cc. cac+- 00|:-:- ua.c. cr: .-_u..if (strcmp(legal_psw, user_psw))cc. .c:c ua.cc:.-`-cc. ua.cc c:|-``c. `-ca` .-!:.-.: 0.` crackme.C5F11EA6h.cpp .,.-, - , ? -, , ! , , .,-, -.,- ( , -,).hex-(, -HIEW), dumpbin, Win-dows-.(). :MS-DOS--,,- ( Borland).12 ( -)--. ?-, , , : , (, . . , ). -,- . , , -, ASCII-, -, , , ,.---(. etc), -., , -:2.>>00000||`|au8r:cw00000||||2c``000080c`cac+- 00|0000800/-:- ua.c0000800+yccccua.cc0000808.c:c ua.cc0000800ùa.cc c000080/|-``c. `-ca` .-!000080`2`/vrc0000800`/vr-a+00008|0|`/vr-a+_.r|arc:00008||`/vc-a+00008||`/vc-a+_.r|arc:00008|08`/v-a+|.:00008|`/v:r`-|.:00008|/0`/vyu-_r::c . my.good.password, 807Dh. , ? ( ) .(80AFh)-.,? 133.-. cac+- `c||/0|-x--:- ua.c+yccccua.ccua.cc chello, legal user! , . ,., . (, , -)-. ,, , .,....EXECRK, IDAPro. -.,crackme.C5F11EA6h . , . SOURCER. (, -). , : -?,-... ? ?, - . ,. , -?,?,!,-, ASCII- , , , - . , , - , , --., .data. (DOS. , TurboPascal -.)14 IDAViewSegmentsdata. , , :4.caa00080c0 aàc+-00|:- c| `cac+- 00|`.0/| . DATA XREF: sub_401000+Docaa00080c0 c| `-:- ua.c`.0caa000800/ a`rc: caa000800` a|y_cccc_ua.c c| `+yccccua.cc`.0 . DATA XREF: sub_401000+2Aocaa000800 a`rc: caa0008080 awc:c|a.cc c| `.c:c ua.cc`.0/|.0 . DATA XREF: sub_401000+62ocaa0008000 a|a.cc0|-`` c| ùa.cc c`.0/| . DATA XREF: sub_401000+7Aocaa0008000 c| `|-``c. `-ca` .-!`.0/|.0caa00080|0 cc c::- c::_0|/0,IDA (. . , ) (-). DATAXREF: sub_40100+62- [X References] [DATA], - , 0x62 sub_40100. sub_401000+62SRB_BufLen // , . // , , , // ! SRB_BufLen// , SendASPI32Command // // r: :=:cu-:_|/|. .``

// :.r-|8||_x-c8`81`+c` 8|`8||_|.:|cr:-.|.|8||_x-c8`81`+c` 8|`8||_|.:-:. :`.:c`c-:`.`// "" , , // |-ac-|--u0`. 8--:|-:`.,,``+ar:r: acc. c|a --ac`

crc -u. r: |.:_`-:. `1|_0|` = 000. 129r: accc`

:ur::c-.|8/0:|/w`0|/0 acau-_rc. -ac_rc. 8a8-cc. :_-c:`. -.: 0.`// // : 64 // ,// GetASPI32Buffer|.:_`-: = |/`|`_|-acàc[_`. u = +a``cc|.:_`-:`.// r: |-: = `-a--:||./8./8.||`` == ||` -.: |.// CD|/0_|/w_8``0|_|0|_`0acàc[|_`. acàc[2_`.u.|.:_`-:.acàc[_`. acàc[_`.w|/`8_|/0`.// warc8r:c`-0||-c|-:. `1|_0|``.-.: 0.` , , Windows 9x, Windows NT ! , , , , , , ASPI- , - , . MBR/boot-? ! - ! , - , ASPI32- ( - ASPI.SYS WINNT\System32\Drivers). -,NT,Win-dows 9x .SCSI-(.SPTI),-(SCSIIDE)-SCSI-.,(CD-ROM)- .,,CDROM.SYS--SCSI-. SCSI--, -SCSI- .130 , , , - -- . - CreateFile \\.\SCSI0:, -,SCSI-( ). IOCTL-SCSI-, . ! SCSI-()-(), - SCSI--, , , SCSI-(. SCSI--)., IOCTL- SCSI-, , . - : IOCTL_SCSI_GET_INQUIRY_DATA (. -NTDDK|`00|ccac-càur), , ( PHILIPSCDRW2412A), , -. NTDDKc||cr-x-, , , -. , CreateFile, -0c0-rc-,-, , - MS-DOS, WindowsNT.win32-Win-dowsNT, CreateFile(, C:\MYDIR\myfi-le.txt),win32\DosDevices\,-, -.-Native-NT,-.,:Native-NT \Device\HarddiskVolume1, myfile.txt : \Device\HarddiskVolume1\MYDIR\myfile.txt. CreateFile , -,., \DosDevices\win32WindowsNT.,, , native- SCSI. objdir \Dos\Devices(objdir\DosDe-vices|MORE), -(DDK-Soft-Ice,- c||cr `` ! , 131 \DosDevices , \??,,):91.SCSI-native-NT-8cr0 8y+|c`rcr:0-rc-1c-1c-|c08cr| 8y+|c`rcr:0-rc-1c-1c-|c|8cr2 8y+|c`rcr:0-rc-8craxar|, SCSI0: SCSI1: IDE- 0 1 .,IdePort0IdePort1IDE- . SCSI-, ATAPI.SYS . -\DosDevices\SCSI0:\DosDevices\SCSI1:,- \Device\ScsiPort0 \Device\ScsiPort1, win32, . , ATAPI.SYS-, , - .SCSI2:-, SCSI-- CD-ROM, Alcohol 120%, , - AXSAKI.SYS! ( CDROM.SYS), , , , , , ,. . SCSI- , , ,. WindowsNT-!, Alcohol 120%. , -:92.AXSAKI.SYS-x00020` a0:0|_+u c| `c:0|+u`.0-x00020 a08`x_2c0 c| `+08`x2c0`.0-x0002/0| a08`x_0|0 c| `+08`x0|0`.0-x0002/0| a0a:cc:r|a:r-_ c| ` !_8-v-cc_1:2|0`.0-x0002/2 a0x02x0x02x0x02 c| `0x+02. 0x+02. 0x+02. `.0-x0002/ aa.:c|r:c|cc. c| à.:c|r:c |cc.c`.0-x0002/c0 a8/:|`1...2|2 c| `+ a:|`.r...2|20x++a+++`.0 SCSI- STPI-, SCSI-, . ,- ! -132 .-SCSI-,. SRB- SCSI- ..?93.SCSI-,, .cy~a- n-cu..cu 8`81.cua|`0 = `-a-r`- 8`81|. 0||1`_w|1`+0||1`_|/0.1_8|/|_|/0+1_8|/|_w|1`.0.0||_18`1|0.0.0`.,, +0||||1| 8||oc

,, 0`||/|'-| 8||oc |-.ccu-nce-||c |a 8`81.cua. = 0-rc-1c`c:c`|`0. 10``_8`81_|/88_`||0|0|_01|``. .|.r.-c:8`81_|/88_`||0|0|`. .|. 0. .-.:-c. /8`.,,().- DDK (, , , -).,,9.2SCSIPortI/OControlCodes:Ifaclassdriverforthetargettypeofdeviceexists, therequ-estmustbesenttothatclassdriver.Thus,anapplicationcansendthisrequestdirectlytothesystemport driver for atarget logical unit onlyif thereisnoclass driver for the type of device connected to that LU11( -, --, . ,-, -, LU, ). , -,-., - , -SCSI-(-!).CD-ROM, , !-, - SCSI-,., SCSI- ? , ! SCSI-, 13311. Q137247MSDNIOCTL_SCSI_MINIPORTandIOCTL_SCSI_PASS_THROUGHLimitations.SCSI--. -??! -!SCSI--SCSI--, -. --,,SCSI----. 134 .21./WindowsNT, .-(-), -(IDE/PCI/SCSI), SCSI-. -- - , -HBA(Host BusAdapter), / , . --ScsiPortXXX, , -(DLL), , . SCSI- ,SCSI-\Devi-ce\ScsiPortx, , SCSI-. ATAPI.SYS, CD-ROM- ATAPI-, DISK.SYS, ,-. - IOCTL-, DeviceIoControl NTDDSCSI.HIOCTL_SCSI_MINIPORT. NTDKK, : 0x4D008. , - DeviceIoControl, SCSI- CreateFile.,,:94.SCSI--.:SCSIx:,ScsiPortx,,| = `-a-r`-8`81|.0||1`_|/0+0||1`_w|1`.1_8|/|_|/0 +1_8|/|_w|1`. ||.0||_18`1|0. 0. ||`., , SCSI-, , ,IDE,,SecondaryIDE- ( CD-ROM ).- IOCTL-IOCTL_SCSI_GET_INQUIRY_DATA, --, (.NTDDK\SRC\STORAGE\CLASS\SPTI). - , SCSI-! - . SRB- - -SRB_IO_CONTROL,: 13595.SRB_IO_CONTROL,-yu-c-: .c _8||_10_`0|`|0

|0|0 |-ac--:c|. ,, r.-c:8||_10_`0|`|0`|`|/| 8rc:a.-[8_. ,, c.|ayua .|.nuaue-ua|0|0 `r+-c.. ,, ac eu-~ c-.na|.~ e|.c|-|.~ .a.ucca e c-|0|0 `c:c``cc-. ,, cn ca|n||0|0 |-.:`cc-. ,, .n-c |a e-u|y cayc .ae-u-|.~|0|0 -:c|. ,, n.|a ec-c .-u-naea-cc oy1-ua u-.c` 8||_10_`0|`|0. -|8||_10_`0|`|0.,HeaderLength,-?! , - , .-, , Signature SRB_IO_CONTROL. - , : SRB_STATUS_INVALID_REQUEST (,, ). , -ATA-PI.SYSDISK.SYS,-, . , SCSIDISK, - - Alcohol 120% Alcoholx (, ).. , , MSDN, , , : ...thisspecificationdescribestheAPI foranapplicationtoissueSMART commands to an IDE drive under Microsoft Windows 95 and Windows NT.Under Windows 95, theAPI is implementedinaVendor SpecificDriver (VSD),Smartvsd.vxd. SMARTfunctionalityis implementedas apass through mecha-nismwherebytheapplicationsetsuptheIDEregistersinastructureandpassesittothedriverthroughtheDeviceIoControl API(...-API , SMART-IDE-MicrosoftWindows95WindowsNT.Windows95API , (VSDVendorSpecificDriver)Smartvsd.vxd. SMART--passthrough-,-IDE-, -, Devi-ceIoControl).! IDE--, -! ! SMART-- (. MSDNSpecifications Platforms 136 SMARTIOCTLAPI Specification), , - Windows NT. , NT VxD , . , SMARTAPI ... - , , - SMART NT ! , -?SDK, DDK-,NTDDK-! , scsi.h-:96.SMARTWindowsNT,-ControlCodeSRB_IO_CONTROL,,,, 8|/|` .uuc r: aaur,,+c-:r:- 10``_8`81_|1|1|0|`_8|/|`_v|810| 1_0v1`_8`81|0`+0x0c00`+c-:r:- 10``_8`81_|1|1|0|`_10|`1 1_0v1`_8`81|0`+0x0c0|`+c-:r:- 10``_8`81_|1|1|0|`_|/0_8|/|`_/``|1|8 1_0v1`_8`81|0`+0x0c02`+c-:r:- 10``_8`81_|1|1|0|`_|/0_8|/|`_`||8|008 1_0v1`_8`81|0`+0x0c0`+c-:r:- 10``_8`81_|1|1|0|`_|/|_8|/|` 1_0v1`_8`81|0`+0x0c0`+c-:r:- 10``_8`81_|1|1|0|`_018/|_8|/|` 1_0v1`_8`81|0`+0x0c0c`+c-:r:- 10``_8`81_|1|1|0|`_|`|||_8`/`|8 1_0v1`_8`81|0`+0x0c00`+c-:r:- 10``_8`81_|1|1|0|`_|/|_018/|_/|`08/v 1_0v1`_8`81|0`+0x0c0`+c-:r:- 10``_8`81_|1|1|0|`_8/v_/``|1||`_v/|8 1_0v1`_8`81|0`+0x0c08`+c-:r:- 10``_8`81_|1|1|0|`_`|`_01|_01/08 1_0v1`_8`81|0`+0x0c00`+c-:r:- 10``_8`81_|1|1|0|`_|/|_018/|_/|`0_01| 1_0v1`_8`81|0`+0x0c0a, WindowsNTSMART--!ATAPI.SYS- ! Microsoft, . -IOCTL-,?!,-, -. , , SMARTIOCTLAPI Specification, , --WindowsNTControlCodeSRB_IO_CONT-ROL. ,,IOCTL_SCSI_MINIPORT_IDENTIFY. SRB_IO_CONTROL -SENDCMDINPARAMS,:97.SENDCMDINPARAMS,IDE-yu-c-: .c _8|0`|01||/|/|8

0w0|0 c|.::-8r.-. ,, ua.-u oy1-ua e oauax .. |y10|08 r0r-|-c. ,, cuyyua. ccn-u-ara~ .|a~-|.- 10u-.cuce 137|` |0r-|.+|-. ,, 1...~-c.u |c-u n.ca. c~.a~ c |y~|` ||---c[_. ,, .au-.-ue.ucea|c0w0|0 c.|---c[_. ,, .au-.-ue.ucea|c|` ||.::-[|_. ,, ccna |a~.|a-c~ excn|cu oy1-u` 8|0`|01||/|/|8. -|8|0`|01||/|/|8. -|8|0`|01||/|/|8.DeviceIoControl: cBufferSize, bBuffer'a, . IDREGS , (, -,):98.IDEREGS,IDE-yu-c-: .c _10|08

|` |-a.-|-c. ,, 10 -a.-u-.cu|` |8-cc`c.:|-c. ,, 10 8-cc`c.:u-.cu|` |8-cc|.+|-|-c. ,, 10 8-cc|.+|-u-.cu|` |`y`c.|-c. ,, 10 `y`c.|-cu-.cu|` |`y`|rc||-c. ,, 10 `y`|rc||-cu-.cu|` |0r-|-ac|-c. ,, 10 0r-|-acu-.cu|` |`c++a:c|-c. ,, ca|n||u u-.cu|` ||---c. ,, .au-.-ue.ucea|c` 10|08. -|10|08. -|10|08.,ATA/ATPI-IDE, -Command,Drive/Head,CylinderHigh,CylinderLow, Sector Number, Sector Count Features, , IDEREGS - , ., ,., .,--! , - SENDCMDINPARAMS, -:bDriveNumber,,-138 .22.DeviceIoControl-Windows9x/NT13(,?).! , - SMART, , -IDEREGS-IDE-. -0xEC, Microsoft: TherearethreeIDEcommandssupportedinthisdriver, ID(0xEC), ATAPI ID(0xA1), andSMART(0xB0). Thesubcommandsof theSMARTcommands(featuresregistervalues)arelimitedtothecurrentlydefinedvalues(0xD0through0xD6, 0xD8through0xEF). SMARTsubcommand0xD7, writethresholdvalue, isnot allowed. Anyother commandorSMARTsubcommandwill result inanerror beingreturnedfromthedriver. AnySMARTcommandthatisnotcurrentlyimplementedonthetargetdrivewill resultinanABORTerrorfromtheIDEinterface(IDE-- : ID( 0xEC), ATAPI ID(0xA1) SMART(0xB0).SMART(featu-re-), : 0xD0 0xD6 0xD8 0xEF. 0xD7, SMART, -. . SMART-,, -ABORT-)., , ! ! ATAPI.SYS-,.99.ATAPI.SYS,IDE--x000|| a8crcr c| `SCSIDISK`.0 . 0/`/ | 8`81_|1|1|0|`+``c. ec c|a |aa c.|ayua .-x000|0-x000|0 `cc_|0 . `00 | 8`81_|1|1|0|`+|c|-x000|0 +c [-cr_. -|x-x000|| +c -ax. [-|x+|8|_-x000| u.| 8 . n.|a cuae|.ea-cu cuc.-x000|0 acc -ax. -x000|0 u.| c::- a8crcr .ac||a~ c.|ayua-x000| u.| -ax . c.|ayua. .-u-na||a~ .u.c--|.--x000| ca`` c|``c+ua-|-+cy. c.|ayu| cce.ana`-x000|c c+u -ax. 8-x000|8 |:. `cc_|808 . |-. |- cce.ana. cea.ea- ccna-x000|8-x000| +c -r.[-|x+|8|_ 13913!,.-x000|80| +c -ax.[-r+|0|_ . ..e-a- `c:c``cc--x000|80 c+u -ax. ||0c00| . IOCTL_SCSI_MINIPORT_SMART_VERSION-x000|800 |. `cc_|80 . couaoca 8|/|`_v|810|-x000|80 +c -cx. ||0c0|| . IOCTL_SCSI_MINIPORT_IDENTIFY-x000|8| c+u -ax. -cx .-x000|8|0 |. |c `cc_|820 . couaoca 10|`1-x000|8|8 ||- |c `cc_|808 . 1 `c:c``cc- 10|`1 `|| |a e|xcn-x000|8|/ c+u -ax. ||0c0/| . 10``_8`81_|1|1|0|`_|/|_018/|-x000|8| |a |c `cc_|808 . 1 `c:c``cc- |/|_018/| |a e|xcn-x000|82| u.| -|x .-x000|822 u.| -cr .-x000|82 ca`` .|_|2|2 . couaoa|ea- cca||- 8|/|`ca|n|-x000|828 |+u `cc_|0-x000|820 . -x000|2|2 .|_|2|2 ucc :-a . `00 | 8`81_|1|1|0|`+|00u

-x000|2 c+u [-|u+a_|_. 0|0| . 8|/|`cc++a:ctext:00012437 jnz loc_12633 ; SMART, -x000|2 . ccna |a~.|ac~ .uce-u.-x000|20 +c.x -ax. [-|u+a_|`_-x000|2| +c -ax. [-|x+-ax-+0|0|_ . .auy-a- 0r-,|-acu-.cu e /-x000|28 - a`. | . cuae|.ea- an.u o. / c -n.|.u-u-x000|2/ |. `cc_|202 . -c. an.u o. uae-| |y. e|xcn.-x000|2c0 - a`. 2 . cuae|.ea- c-nyr.u o. / c -n.|.u-u-x000|2c2 |:. `cc_|202 . -c. c| |- uae-| |y. c e|xcn.-x000|2c8 +c a`. [-|u+a_2_ . .auy-a- -a.-u-.cu e /-x000|2c| c+u a`. 000| . c 8|/|` |/0 0/`/`-x000|2c0 +c [-|x+0``|_. a`-x000|20 |. `cc_|2c2 . -c. na. c .-u-xcn. -c couaoc--x000|200 c+u a`. 00|| . c 0|c`--`-x000|20| |. `cc_|2c2 . -c. na. c .-u-xcn. -c couaoc--x000|2| c+u a`. 008| . c 8|/|` |/| 0||/`10|8`-x000|2 |. |c `cc_|20| . -c. na. c .-u-xcn. -c couaoc--x000|2c c+u a`. 000| . c 8|/|` 018/| 0||/`10|8`-x000|2 |. |c `cc_|20| . -c. na. c .-u-xcn. -c couaoc--x000|20 c+u a`. 00/ . c 8|/|` |`||| 8`/`|8`-x000|2| |. |c `cc_|20| . -c. na. c .-u-xcn. -c couaoc--x000|20 c+u a`. 002| . c 8|/|` ||,08| /``|1||` /|`08/v`-x000|20 c+u a`. 002| . .ucu-cccu. | |- c.oc~. e |ayu-`!-x000|2 |. |c `cc_|20| . -c. na. c .-u-xcn. -c couaoc--x000|28| c+u a`. 00| . c 8|/|` `|` 01| 1||01/``-x000|28 |. |c `cc_|20| . -c. na. c .-u-xcn. -c couaoc--x000|28c c+u a`. 00| . c 8|/|` 8/v /``|1||` v/|8`-x000|28 |. |c `cc_|20| . -c. na. c .-u-xcn. -c couaoc--x000|280 c+u a`. 00|| . c 8|/|` |/| 0||/`10|8`-x000|28| |:. `cc_|20 . -c. |-. c cea.ea--x000|20|-x000|20| `cc_|20| . `00 | .|_|2|2+0||-x000|20| . ccna |a~.|a-c~ couaoca ca|n-x000|20| .-x000|20| u.| |140 -x000|20 ucu -ax-x000|20 c+u c0002`0|. -ax-x000|20/ |:. |c `cc_|2/c-x000|20` c+u c.cc u [-|x+_. 00|-x000|2/ |. |c `cc_|2/-x000|2/c-x000|2/c `cc_|2/c . `00 | .|_|2|2+88|-x000|2/c xc -ax. -ax-x000|2/-x000|2/ `cc_|2/ . `00 | .|_|2|2+0||-x000|2/ . ccna |a~.|a-c~ .a..c e .cu!-x000|2/ .-x000|2/ +c -r. cWRITE_PORT_UCHAR-x000|2/0 - a`. a`-x000|2/ |. |c `cc_|2`0-x000|2|| +c a`. [-|u+a_|`_-x000|2| | a`. |-x000|2|0 a:c a`. |-x000|2|8 u.| -ax-x000|2|0 u.| 2|-x000|2| ca`` -r . WRITE_PORT_UCHAR, IDE- , 12437h(),- , 12491h.-, , , EDITBIN.EXE,MicrosoftVisualStudio,WindowsNT-., -,,- ! ATAPI.SYS Microsoft . -ATAPI.SYS-,,- (, , -)., -, , - . --, , -,,,., , ATA-IDE--. 141100.,SCSI--r: /`/|1_|1|1|0|`_0|0crc`

r: a.|/|0|.c|a -|.:.r: | = 0.0w0|0 -.:-c.r: cc:c``-.c|a 8cr|c [|0_.c|a |.::- [r.-c: 8||_10_`0|`|0` + 8|010|0`|_.8||_10_`0|`|0 -u = 8||_10_`0|`|0 -` |.::-.8|0`|01||/|/|8 -ur: = 8|0`|01||/|/|8 -` |.::- + r.-c: 8||_10_`0|`|0``.// IDE- :c cc:c``- = 0. cc:c``- 2. cc:c``-++`

// ScsiPort ur:: 8cr|c. 8cr+c. cc:c``-`.// ScsiPort|= `-a-r`- 8cr|c.0||1`_|/0 + 0||1`_w|1`.1_8|/|_|/0 + 1_8|/|_w|1`. ||. 0||_18`1|0. 0.0`.r: | == 1|v/10_|/|0_v/|`// - ur::|||:a|`- c cu-: 8cr|c+c:.cc:c``-`.-.: |.`// IDE-:c | = 0. | 2. |++`

// +-+- |.::-. 0. r.-c: |.::-``.// SRB_IO_CONTROL// -u `r+-c. = |0000. // u -:c| = 8|010|0`|. // . u |-ac--:c| = r.-c: 8||_10_`0|`|0`. // u `c:c``cc- = 10``_8`81_|1|1|0|`_10|`1.// ^^^ , // . ATAPI.SYS "SCSIDISK":cuy c|a -` u 8rc:a.-. 8`81018|. 8`.// SENDCMDINPARAMS// ATA-, IDE-ur: |0r-|.+|- = |.ur: r0r-|-c|`c++a:c|-c = 10_/`/_10|`1.// -r: 0-rc-1c`c:c` |. 10``_8`81_|1|1|0|`. |.::-.r.-c: 8||_10_`0|`|0` + r.-c: 8|0`|01||/|/|8`|.|.::-. r.-c: 8||_10_`0|`|0` + 8|010|0`|. .-.:-c. 0``142 r: |.::-[08_!=0`// // IDE-, :c a = 08. a |0. a+=2 ùr::+c+c.|.::-[a+|_.|.::-[a_`.ur:::`.````c-|a:c`- |`. // SCSI--`-.: 0.`/WindowsNT/. . , ,-.--,(.SCSI--).-, -,,,. ! SPTI/ASPI! - ! , , ASPI-. boot-- ! , /-!Windows 9x -, MS-DOS-, win32--,,.--. : ) --,-IOCTL) --(I/OPermissionMapIOPM), -,... 143 NT DDK PORTIO, - IOCTL--, (, -, : |`00|cc-:-aùcrc). , , , / , , -,., -.,,,, . -genport.c, /:101.,,.,r: :|c = u01|c`c.: ++:|c + 0aa|.::-8r.-` u01|c`c.: ++|0|0_|`|ù01|c|a- + :|c` . 0aa|.::-8r.-|`` != 0`

-.: 8`/`|8_/``88_v10/`10|. ,, 1``-ca` uc :.+|-`, ,,, . -:102.ca- 10``_0|0_|/0_|0|`_|`|/|-||`|/|ù10|.::-=|/0_|0|`_|`|/|||`|/|`(ULONG_PTR)pLDI->PortBase+:|c``.|-a., , , , , ! Windows9x,--. , , , -, , .144 , -/-, --. , ,CD-ROM-. , - , - , ,., ASPI -, . -. DeviceIoControl(!), , -(-). DeviceIoControl ,,Break-Point, . MS-DOS,INOUT,-, ,,., WindowsNT,-,.(-,/-,),-...,IN/OUT-, , -Intel 80386+. ,, . InstructionSetReference, OUT. ,:103.OUTr: | == |` .. `| 10|` ++ v| == |```

/* Protected mode with CPL > IOPL or virtual-8086 mode */r: Any I/O Permission Bit for I/O port being accessed == 1`+0|0`. /* I/O operation is not allowed */-`-08` 8|`. /* Writes to selected I/O port */` 145-`-

/* Real Mode or Protected Mode with CPL >16h,|0v |y- u [8| + 00_. 0|...!-, , [beta] (EXPIRED)(, -,.|`|`|0v 0.8|).... ! ,[beta](EXPIRED)., 41CFE4h , EXPIRED.,[/+08_, [|00|_ . , ! , , .||0|,|0|(-),...?! 44B030h (|u+|00) -....266 219.,00||00000 `/ 000/8`00||000000 |0v [00|00_./001B:0040366E CALL 004151F000||0000 `/ [|||2!0-/`|_! 44B030h .|_0/8`|. .|_0/8`|?.0/8`:220.00||000/8` /00 8|.0800||000/8 ||8| 8|00||000/00 CALL [KERNEL32!GetSystemTimeAsFileTime]00||000/00 |0v /.[8|_, , [|00|_ , [/ +08_, , . - , (/+08) 4001A0h, -... ! 4001A0h, (IDA)401000h,,PE-.PE-?! , ! - . , 4001A0h (c. PE- MicrosoftPortableExecutableandCommonObjectFileFormatSpecifi-cation,MSDN).,,,PE-(,, TimeStamp). , -!-,,-,,-,TimeStamp. , DataStamp!:0x00000000,0xFFFFFFFF, , , !/DataStamp( -)., 1A0h 3Eh 9Bh 1Ah 19h (, , )UniLink... 267221.|:rr: |0 [|-a_ |.r`c ||0` ! !!! TRIALEXPIRED! ! ! -, , ! !!!, , , ()!,,- . ,...268 . . . . . . . . . . . . 3 . . . . . . . . . . . . . . . . . . . . . . . . . . 3 . . . . . . . . . . . . . . . . . . . . . . . 4 . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . 6 . . . . . . . . . . . . . . . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . 7 . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . 8 . . . . . . . . . . . 9 . . . . . . . . . . 11 . EXE CRK . . . . . . . . . . . . . . . . . . . 14 . . . . . . . . . . . . . . . 27 WM_GETTEXT. . . . . . . . . . . . . . . . . . . . . 55WIN32API . . . . . . . . . . . . . . . . . . 58, . . . . . . . . . . . . . . . . . . . . . . . . . 59 API-. . . . . . . . . . . . . . . . . . 60 API- . . . . . . . . . . . . . 74 API- . . . . . . . . . . . . . . . . 77 . . . . . . . . . . . . . . . . . . . . 79 . . . . . . . . . . . . . . . . . . . . 80 . . . . . . . . . . . . . . . . . . . . . 82 . . . . . . . . . . . . . . . . . . . . . . . . . 88 ? . . . . . . . . . . . . . . . . . . . . . . . . . 90 ( ) . . . . . . . . . . . . . . . 98 . . . . . . . . . . . . . . . . . . 100 CDFS- . . . . . . . . . . . . . . . . . . . 101 cooked- ( ) . . . . . . . . 104 SPTI . . . . . . . . . . . . . . . . . . . . . . . 107 ASPI . . . . . . . . . . . . . . . . . . . . . . . 122 SCSI- . . . . . . . . . . . . . . . . . . . . . 130 SCSI-- . . . . . . . . . . . . . . . . . . 134 / . . . . . . . . . . . . 143 MSCDEX- . . . . . . . . . . . . . . . . . 152 . . . . . . . . . . . . 155 . . . . . . 156 . . . . . . . . . . . 157 . . . . . . . . . . . . 159, . . . . . . . . . . . . . . . . . . . . . . 163 TOC' . . . . . . . . . . . . . . . 163 . . . . . . . . . . . . . . . 165.. . . . . . . . . . . . 165. . . . . . . . . 165270 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165. . . . . . . . . . . . . . . . . . . . . . 171.. . . . . . . . . . 171. . . . 174 . . . . 176-? . . . . . . . . . . . 182 . . . . . . . . 183 . . . . . . . . . . . . . . 187Intel ++ 5.0.1 compiler . . . . . . . . . . . . . . . . . . . . . 187Intel Fortran 4.5. . . . . . . . . . . . . . . . . . . . . . . . . 193Intel C++ 7.0 compiler . . . . . . . . . . . . . . . . . . . . . . 198Record Now . . . . . . . . . . . . . . . . . . . . . . . . . . 203Alcohol 120% . . . . . . . . . . . . . . . . . . . . . . . . . . 206UniLink v1.03 . . . . . . . . . . . . . . . . . . 218UniLinkv1.03II, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236EntryPoint . . . . . . . . . . . . . . . . . . . 236 . . . . . . . . 238. . . . . . . . . . . . . . . . . . . . . . . 244stealthAPI-,HaronLoadLibrary . . . . . . . . . . . . . . . . . . . . . . . . 248stealthAPI-(II),HaronGetProcAddress . . . . . . . . . . . . . . 250IsDebuggerPresent . . . . . . . . . . . . . . 258USER32.DLLADVAAPI32.DLL . . . . . . . . 259,trial,expired . . . . . . . . . 262 271'...-123242,.,/20:(095)254-44-10,(095)252-36-96,(095)252-25-21E-mail:[email protected],.,..,.6,.1(.)70100/16.17..????-,.,46

Техника и философия хакерских атак

Documents

docaa00080c0 c

7aocaa0008000 c

0caa000800 cc c

x00022 a0x02x0x02x0x02

native scsi

srb scsi

ioctl scsi

scsi stpi