Since malware works fast and quietly, there is demand to analyze, track and block such scrap at some central point. There is nothing as central as the kernel of an operating system. This white paper describes how to monitor and protect your Windows-based system by using a minifilter driver intercepting IRP_MJ functions in its PreOperation callback. The white paper also discusses some basic analyzing and protection drivers I have written in the past. By following Microsoft's recommendations and guidelines for multiplatform-compatible driver development, the resulting drivers, called kernel minifilter drivers, are reliable and compatible with all modern versions of Microsoft Windows (2000, XP, Vista, Server, 7 and 8) – including their 64 bit versions. Minifilter drivers are powerful tools to track and mitigate many kinds of malware out there. Once you have built up your own minifilter drivers they are like a Swiss Army Knife. I highly encourage everyone in the Windows-based security scene to have a deep look into the powerful stuff one can achieve with minifilter drivers.
Kernel-based monitoring on Windows (32/64 bit)
Fentanyl 0.1
Fentanyl is an IDAPython script that makes patching significantly easier. Fentanyl lets you patch from IDA Pro or Demo easily. Most patches can be done without touching a hex editor but if you must edit raw bytes you can simply use IDA's hex view. You can also undo and redo changes to the idb.
Fentanyl supersedes other tools for binary patching by being able to assemble with IDA's built-in assemblers, which can support more than x86 and x86_64. Fentanyl also automates commonly performed patches. One of Fentanyl's best features is that it supports Undo/Redo. We can see changes to the graph live and undo them if they aren't to our liking.
PinMe! 0.4
I wanted to be able to view and access all windows from the click of the tray icon and be able to set their
window state to either TopMost or NotTopMost quickly and in a discreet manner. PinMe! was primarily useful
for me whilst debugging applications where I wanted to maintain the view of the debugger or debuggee.
PinMe! allows you to set the window state even if it's not currently in view. There is no need to drag icons
on to the window you want to set as TopMost or bring your windows to view first and then select them as is
usually done by other similar applications.
How To Install PinMe!
*********************
Simply unarchive (extract) the files to a folder and run. No installation is required.
If you would like PinMe! to appear at every start simply drag the "PinMe!.exe" file from the folder where
you have it saved to the "Startup" folder in your start menu.
Alternatively right click on the file and select either:
Pin to Taskbar
Pin to Start Menu
How To Use PinMe!...
********************
PinMe! lists all opened windows in Z-Order from the click of its tray icon.
Selecting a window positions that window to TopMost (always on top) - now the highest in Z-Order.
If you select a window that has already been given TopMost it will set it to NotTopMost (normal).
When selecting more than one window to TopMost, the TopMost windows will take priority in the order which
you selected them (first TopMost window selected at the bottom and newest at the top).
TopMost windows will show up with a locked icon next to them. Normal windows show their default icons.
PinMe! starts a watcher thread (on multi-core machines) that constantly monitors the window state and will
ensure it remains TopMost even if it gets minimised, sent to the tray or another program attempts to set it
back to NotTopMost. If PinMe! is unable to change the window state it will not attempt to start a watcher
thread.
PinMe! Restrictions...
**********************
There are some programs and applications which monitor their own window state(s) and will not allow PinMe!
to change them. It's possible to force this behaviour but it's out of the scope and purpose of PinMe! and
often these programs already allow you to set their window states internally.
If the window is inactive, the process of the window is being debugged or currently in a paused state it
will not be possible to change the window state to TopMost or NotTopMost. This is not a limitation of
PinMe!, these windows are unable to receive messages whilst suspended or hung.
PinMe! does not support setting TopMost of child windows or tabs.
PinMe! Supported OS's...
************************
PinMe! has been tested as working on Windows XP to Windows 8.1.
PinMe! Version History...
*************************
v0.1 - Internal release
v0.2 - Internal release
v0.3 - Public release
- Monitors selected TopMost windows
- Internal code improvements
v0.4 - Improved application icon recovery, much faster method(s)
- Added support for windows protected with process security and access rights (mainly evident on
Windows 8.x)
- Fixed all GDI handle leaks
- Added check for taskbar restarted message, if taskbar crashes and restarts icons will show up again
- Minor code improvements
- Now includes a higher quality multi-layered application icon. It adds an extra (weighty) 422KB but
looks much better in the taskbar, desktop and start menus. Hope you like pink!
- Much lower memory footprint
ScyllaHide 0.1b
ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use TitanHide.
Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList
- NtUserFindWindowEx
- NtUserQueryWindow
- NtClose
- GetTickCount
- BlockInput
- OutputDebugStringA
Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)
Usage standalone (debugger-independent):
InjectorCLI.exe
For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll
Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\
(can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory
- for OllyDbg v2.01: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory
ToDo:
- x64 compatibility support
- x64 Exception Support
- Better (stealth) hooks
NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll or the following hooks will not work: NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx
Info about NtApiCollection.ini:
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get the function addresses from another source. The other source is the PDB file. The addresses can be resolved with this tool:
https://bitbucket.org/NtQuery/pdb-getprocaddress
It will download the PDB file from the Microsoft server to resolve the missing function addresses.
Binaries: NtApiTool.rar
PE Runtime Data Structures 1.0
This is a diagram of PE runtime data structures. I used OmniGraffle. I will post the OmniGraffle files when I get ahold of them again. They are on another computer.
I was inspired by Ero Carrera's [1] diagrams and Corkami [2]. I made this diagram because I was teaching myself Windows data structures and was unsatisfied with what was out there. The information for these structures was obtained from "Windows Internals 6" by Russinovich, Solomon, and Ionescu [3].
It is not finished, but I figured I should just upload it now instead of whenever I get around to finishing it. Hopefully I haven't made any mistakes. It will probably go through many iterations, maybe end up being interactive.
PE Injection Explained
This is not another article on DLL injection or shellcode injection (a lot is already available online). The method described here allows injecting the complete image of the running process module into the memory of another process; basically this means having two different codes running in the same process (or having one PE hidden inside another).
This technique is more powerful than the classic code injection technique because it does not require any shellcoding knowledge: the program code can be written in regular C++ and relies on well documented Windows System and Runtime APIs. Compared to DLL injection, the main asset of PE injection is that you don't need several files; the main exe self-injects into another process and calls itself there. I don't know who invented this method (official researchers or underground?). The thing is, the technique is not very widespread on the Internet and generally the source code lacks some explanation. Here I provide a complete explanation of the technique and implementation source code at the end of the article.
OD2-ExPlug 201.10
+ Main Menu +
- Breakpoint Manager
. Import Breakpoints
. Export Breakpoints
- MAP File Master
. Import Labels
. Import Comments
. Import MAP To Library
. Clear All Labels
. Clear All Comments
- Open Label Table
- Plugin Debug Break
. DoMyJob
. Support..
- Option
- About...
+ Disasm Menu +
- Data Copy
. ANSI (str) (Copy ANSI string to clipboard) (Ctrl + Alt + A)
. WIDE (str) (Copy wide string to clipboard) (Ctrl + Alt + W)
. BYTE (Copy 1 BYTE)
. WORD (Copy 2 BYTE)
. DWORD (Copy 4 Byte)
. Address (Copy selected address) (Alt + Insert)
- Breakpoint Manager
. Import Breakpoints
. Export Breakpoints
. Delete All INT3 BPs (Delete all INT3 Breakpoints)
. Delete All Hard BPs (Delete all Hardware Breakpoints)
. Delete All Mem BPs (Delete all Memory Breakpoints)
- Tools
. Notepad
. Calculator
. TaskMgr
. HashTool
. Configuration
- Label Master
. Add New Label (Ctrl + Shift + E)
. Open Label Table (Ctrl + Shift + T/L)
. Follow In Dump (Ctrl + D)
. Search By Google (Ctrl + Shift + G)
- ASM2Clipboard (Ctrl + Shift + A)
- ASCII Hint
- ByteCounter
- Go EIP (Shortcut Only: Esc)
+ Dump Menu +
- Data Copy
. ANSI (str) (Copy ANSI string to clipboard) (Ctrl + Alt + A)
. WIDE (str) (Copy wide string to clipboard) (Ctrl + Alt + W)
. BYTE (Copy 1 BYTE)
. WORD (Copy 2 BYTE)
. DWORD (Copy 4 Byte)
. Address (Copy selected address)(Alt + Insert)
- Follow In Dump (Ctrl + D)
- Follow In Disassembler (Ctrl + Alt + D)
- Create DumpWindow (Ctrl + Alt + C)
- ReverseHex (Ctrl + Z)
- MiNiHash (Ctrl + Alt + Z)
+ Info Bar +
- Add selected count(er)
+ Register Menu +
- Hardware Breakpoint [ESP]
+ INT3Breakpoint Menu +
- Breakpoint->
. Set a few breakpoints
+ HotKey +
1. PRESS and HOLD the "H" key for 0.5s to Register/Unregister Hotkeys
2. You must PRESS and HOLD the hotkey for 0.1s for it to work
. "Esc" : go EIP(current origin) (Allow on any MDIWindows)
. "," : Copy BYTE
. "." : Copy WORD
. "/" : Copy DWORD
. "`" : Copy Address
. "[" : Go to start of function (You must analyse the code before using it)
. "]" : Go to end (RET) of function
. "Gray *" : Set "Malware Analysis" breakpoint group
. "Gray /" : Set "NET" breakpoint group
. NOTE: THE HOTKEYS MAY NOT WORK WITH THE MODDED OLLYDBG (SnD v2.2)
(Use the OllyDbg2FixeR plugin to fix the bug in SnD v2.2)
Jumper 0.04
I always use the Olly Expression window to enter many addresses and APIs, but Olly does not save them all, so I have to enter the same addresses again and again, which sucks. Now I have a better and faster solution to handle this problem: Jumper.
AddSym 0.1
Analysing unknown binaries especially malware drivers without symbols is a very tedious affair.
This WinDBG extension is an effort to reduce the tediousness by transferring the names IDA generated to WinDBG.
Run the IDC script to dump names to a sym file and use the extension in WinDBG to resolve the symbols from that file. The IDC script is tested in IDA Free 5 only (and its hacks are for IDA Free 5).
It loads the input file and gets IMAGE_NT_HEADERS->OptionalHeader->BaseOfCode and creates a variable to subtract, which is the difference between the IDC function FirstSeg() and BaseOfCode (namely ImageBase). Then it enumerates Names from FirstSeg() to MaxEA() and dumps the bare offsets (RVA - IMAGEBASE) and names to a file c:\\idasym\\GetInputFile().idasym in a format compatible with strtoul & sprintf(), like:
00000300,DriverEntry
00017ce5,SomeCrapFunction()
00100000,aURLhttp://malwarebasedotcom/malware/foo.exe
Bare offsets are dumped because they don't require rebasing in IDA and you wouldn't have to worry about ASLR in WinDBG. Also, bare offsets can help in naming virtually allocated blocks: manually create an idasym file with offset,name pairs, point it at an address in WinDBG, and all offsets relative to that address will be named appropriately.
Simply analyse with IDA and MakeName (visible in names window | publics), run the IDC script in IDA to overwrite an existing idasym file or create a new one, and do !addsym in WinDBG for an updated disassembly.
Exeinfo PE 0.0.3.5
Packer, compressor detector / unpack info / internal executable tools
Detects : Symbian / Android / Linux / Mac OS - files
IDA Pro Translator 0.1
The IDA Pro translator is a plugin for IDA Pro that assists in decoding arbitrary character sets in an IDA Pro database into Unicode, then automatically invoking a web-based translation service (currently Google Translate) to translate that foreign text into English. While newer versions of IDA Pro include support for Unicode, this support is limited to text encoded in UTF-8 and UTF-16, and the font support for display is limited.
Java Bytecode Reversing
I decided to make a Java bytecode reversing / jar patching tutorial; I learned a lot from it and wanted to share. A tutorial for complete beginners...
Jumper 0.05
I always use the Olly Expression window to enter many addresses and APIs, but Olly does not save them all, so I have to enter the same addresses again and again, which sucks. Now I have a better and faster solution to handle this problem: Jumper.
OllyDbg2 PDK Delphi v0.1
OllyDbg2_PDK_4_Delphi (plugin2.pas) is ported from the C++ header (plugin.h).
You can use "plugin2.pas" to develop any plugin in Delphi, the same as with VC/C++ Builder/GCC.
OllyDbg2 PDK FASM v0.1
FASM plugin template for OllyDbg 2.
Purebasic - A Beginner’s Guide To Computer Programming
This book provides a quick introduction to the PureBasic programming language. PureBasic's popularity has increased significantly in the past few years, being used for many purposes such as rapid software prototyping, creation of commercial applications and games, Internet CGI applications, while some people just use it for small utilities. This book has been written with the complete novice in mind. We all need to start somewhere and I believe PureBasic is a fantastic first leap into the programming world. With PureBasic becoming more and more widely used, many people are starting out and finding they need the occasional push in the right direction or need an explanation of a certain feature or oddity. This book is to guide novices through their first steps and to give the seasoned programmer a quick overview of the language.
Although this book covers the essentials of the PureBasic language, I’ve kept this book’s scope quite narrow to make sure it’s not information overload for new users. Sometimes this text will refer to concepts and syntax in a simplistic way to be used as a stepping stone to more advanced texts or as a complement to the existing PureBasic helpfile.
For example, I won't talk much about how easy it is to use DirectX or OpenGL directly in PureBasic, otherwise this book would be triple in size, and although topics such as pointers, threads and the Win32 API are talked about later in this book, don't expect too many fancy examples as I've only given an overview of such advanced topics.
PureBasic raises the bar to not only what a Basic language should be but also what all languages should be. Clean, uncluttered syntax, small compiled executable files and a fantastically active community of programmers. Hopefully this book will give you a clear understanding of the core features of PureBasic and the design goals and philosophies behind its creation and hopefully make you want to learn more.
Despite this book's limited scope, I think you will find this a great first book on PureBasic, which will also give you a solid grounding in programming in general if you were to migrate to other languages. You will learn everything you need to start writing useful standalone programs. By the time you've finished this book, you will have learned not only the essentials of the language itself, but also how to apply that knowledge to day-to-day tasks. You will also be better equipped to tackle more advanced topics as they come your way.
PureBasic - Reference Manual
PureBasic is a "high-level" programming language based on established "BASIC" rules. It is mostly compatible with any other "BASIC" compiler, whether it's for the Amiga or PC format. Learning PureBasic is very easy! PureBasic has been created for beginners and experts alike. Compilation time is extremely fast. This software has been developed for the Windows operating system. We have put a lot of effort into its realization to produce a fast, reliable and system-friendly language.
The syntax is easy and the possibilities are huge with the "advanced" functions that have been added to this language like pointers, structures, procedures, dynamic linked-lists and much more. For the experienced coder, there are no problems gaining access to any of the legal OS structures or Windows API objects.
PureBasic is a portable programming language which currently works on AmigaOS, Linux, MacOS X and Windows computer systems. This means that the same code can be compiled natively for the OS and use the full power of each. There are no bottlenecks like a virtual machine or a code translator, the generated code produces an optimized executable.
The main features of PureBasic
- x86, x64, 680x0 and PowerPC support
- Built-in arrays, dynamic linked-lists, complex structures, pointers and variable definitions
- Supported types: Byte (8-bit), Word (16-bit), Long (32-bit), Quad (64-bit), Float (32-bit), Double (64-bit) and Characters
- User defined types (structures)
- Built-in string types (characters), including ascii and unicode
- Powerful macro support
- Constants, binary and hexadecimal numbers supported
- Expression reducer by grouping constants and numeric numbers together
- Standard arithmetic support respecting sign priority and parentheses: +, -, /, *, and, or, <<, >>
- Extremely fast compilation
- Procedure support for structured programming with local and global variables
- All Standard BASIC keywords: If-Else-EndIf, Repeat-Until, etc
- Specialized libraries to manipulate BMP pictures, windows, gadgets, DirectX, etc
- Specialized libraries are very optimized for maximum speed and compactness
- The Win32 API is fully supported as if they were BASIC keywords
- Inline Assembler
- Precompiled structures with constants files for extra-fast compilation
- Configurable CLI compiler
- Very high productivity, comprehensive keywords, online help
- System friendly, easy to install and easy to use
PureBasic - Survival Guide
The PureBasic Survival Guide is a non-official set of pages to help newcomers and converts starting with PureBasic.
↧
Themida + WinLicense 2.x (Ultra Unpacker v1.2)
So you already know my older script, which is no longer up to date and mostly failed to unpack newer protected files. Now, after working a long time on a new script to handle Themida and WinLicense targets, it is finished so far. The script will unpack your files completely and you don't need to dump or fix anything!
All you have to do now is to follow each video I made before you start testing the script, as they also contain some information which you need to know. Okay, so let's start!
↧
TitanHide 0.011
TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT hooks) and modifies the return values of the original functions.
To hide a process, you pass a simple structure containing a ProcessID and the hiding option(s) to enable to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.
Features:
- ProcessDebugFlags (NtQueryInformationProcess)
- ProcessDebugPort (NtQueryInformationProcess)
- ProcessDebugObjectHandle (NtQueryInformationProcess)
- DebugObject (NtQueryObject)
- SystemKernelDebuggerInformation (NtQuerySystemInformation)
- NtClose (STATUS_INVALID_HANDLE exception)
- ThreadHideFromDebugger (NtSetInformationThread)
- Protect DRx (HW BPs) (NtSetContextThread)
Test environments:
- Windows 7 x64 & x86 (SP1)
- Windows XP x86 (SP3)
- Windows XP x64 (SP1)
Installation:
1) Copy TitanHide.sys to %systemroot%\system32\drivers
2) Start 'ServiceManager.exe' (available on the download page)
3) Delete the old service (when present)
4) Install a new service (specify the full path to TitanHide.sys)
5) Start the service you just created
6) Use 'TitanHideGUI.exe' to set hide options for a PID
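Steps 1 to 5 above, scripted with the built-in sc.exe instead of ServiceManager.exe. This is an added example and not part of the TitanHide download; the service name "TitanHide", the assumption that TitanHide.sys sits in the current directory, and the demand start type are my choices, and the machine must already accept loading the unsigned driver (see the note on x64 below). Step 6 still goes through TitanHideGUI.exe, since the page does not document the driver's control interface.

```powershell
# Added example, not part of the TitanHide download: installation steps 1-5
# scripted with the built-in sc.exe instead of ServiceManager.exe.
# Assumptions (mine): the service is called "TitanHide", TitanHide.sys sits in
# the current directory, and the machine already accepts the unsigned driver.
# Run from an elevated PowerShell prompt.

$ServiceName = 'TitanHide'
$Source      = Join-Path $PWD 'TitanHide.sys'
$Target      = Join-Path $env:SystemRoot 'System32\drivers\TitanHide.sys'

if (-not (Test-Path $Source)) { throw "TitanHide.sys not found in $PWD" }

# Step 3: delete the old service when present. Get-Service does not list kernel
# drivers, so ask the service control manager directly; "sc query" exits with
# 1060 (ERROR_SERVICE_DOES_NOT_EXIST) when there is no such service.
sc.exe query $ServiceName | Out-Null
if ($LASTEXITCODE -ne 1060) {
    sc.exe stop   $ServiceName | Out-Null   # may fail if already stopped; that is fine
    sc.exe delete $ServiceName | Out-Null
}

# Step 1: copy the driver into the drivers directory.
Copy-Item -Path $Source -Destination $Target -Force

# Step 4: create a kernel-mode service (type= kernel) with the full driver path.
# sc.exe requires the space after every "key=".
sc.exe create $ServiceName type= kernel start= demand binPath= $Target | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc create failed with exit code $LASTEXITCODE" }

# Step 5: start the service and show its state (expect STATE : 4 RUNNING).
sc.exe start $ServiceName | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "sc start failed with exit code $LASTEXITCODE (driver signing enforcement still on?)"
}
sc.exe query $ServiceName
```

A failing start with a non-zero exit code on x64 usually means the driver was rejected by signature enforcement, which is exactly the situation NOTE1 below refers to.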
NOTE1: When on x64, you have to disable PatchGuard and driver signature enforcement yourself. Google is your friend :)
NOTE2: When using x64_dbg, you can use the TitanHide plugin (available on the download page).
NOTE3: When using ESET NOD32 AV, disable "Realtime File Protection" to prevent a BSOD when starting TitanHide. You can re-enable it right afterwards.
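To check that the hooks actually take effect for a hidden PID, the following added example (my own code, not part of TitanHide) queries four of the indicators listed under Features from user mode: ProcessDebugPort, ProcessDebugFlags and ProcessDebugObjectHandle through NtQueryInformationProcess, and SystemKernelDebuggerInformation through NtQuerySystemInformation. Run it in a PowerShell started under a debugger, first with its PID not hidden and then after enabling the matching options in TitanHideGUI.exe, and compare the two results. The Windows-only P/Invoke declarations and the class name DebugProbe are mine; the information-class numbers are the documented Nt* values. NtClose, ThreadHideFromDebugger, the DebugObject type count and DRx protection are not probed here.

```powershell
# Added example, not part of TitanHide: user-mode probes for four of the
# indicators the driver's SSDT hooks rewrite. Windows only (ntdll P/Invoke).
$probeSource = @'
using System;
using System.Runtime.InteropServices;

public static class DebugProbe
{
    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(IntPtr process, int infoClass,
        ref IntPtr info, int infoLength, out int returned);

    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(IntPtr process, int infoClass,
        ref uint info, int infoLength, out int returned);

    [DllImport("ntdll.dll")]
    static extern int NtQuerySystemInformation(int infoClass,
        ref KernelDebuggerInfo info, int infoLength, out int returned);

    [DllImport("ntdll.dll")]
    static extern int NtClose(IntPtr handle);

    [StructLayout(LayoutKind.Sequential)]
    public struct KernelDebuggerInfo
    {
        public byte KernelDebuggerEnabled;
        public byte KernelDebuggerNotPresent;
    }

    const int ProcessDebugPort               = 7;
    const int ProcessDebugObjectHandle       = 30;   // 0x1E
    const int ProcessDebugFlags              = 31;   // 0x1F
    const int SystemKernelDebuggerInformation = 35;  // 0x23
    static readonly IntPtr CurrentProcess = new IntPtr(-1);  // pseudo-handle for "self"

    // ProcessDebugPort: non-zero while a user-mode debugger is attached.
    public static bool DebugPortSet()
    {
        IntPtr port = IntPtr.Zero; int n;
        return NtQueryInformationProcess(CurrentProcess, ProcessDebugPort,
                   ref port, IntPtr.Size, out n) == 0 && port != IntPtr.Zero;
    }

    // ProcessDebugFlags: 0 is the value anti-debug checks treat as "debugged",
    // 1 as clean. Whether it flips depends on how the debugger attached.
    public static bool DebugFlagsCleared()
    {
        uint flags = 0; int n;
        return NtQueryInformationProcess(CurrentProcess, ProcessDebugFlags,
                   ref flags, 4, out n) == 0 && flags == 0;
    }

    // ProcessDebugObjectHandle: a handle comes back only while debugged;
    // otherwise the call fails with STATUS_PORT_NOT_SET (0xC0000353).
    public static bool DebugObjectHandleReturned()
    {
        IntPtr h = IntPtr.Zero; int n;
        int status = NtQueryInformationProcess(CurrentProcess, ProcessDebugObjectHandle,
                         ref h, IntPtr.Size, out n);
        if (status == 0 && h != IntPtr.Zero) { NtClose(h); return true; }
        return false;
    }

    // SystemKernelDebuggerInformation: reports an attached kernel debugger.
    public static bool KernelDebuggerEnabled()
    {
        KernelDebuggerInfo info = new KernelDebuggerInfo(); int n;
        return NtQuerySystemInformation(SystemKernelDebuggerInformation,
                   ref info, 2, out n) == 0
               && info.KernelDebuggerEnabled != 0 && info.KernelDebuggerNotPresent == 0;
    }
}
'@
Add-Type -TypeDefinition $probeSource

# One row per indicator; run twice (PID visible, then hidden) and diff the output.
[PSCustomObject]@{
    PID                      = $PID
    ProcessDebugPort         = [DebugProbe]::DebugPortSet()
    ProcessDebugFlags        = [DebugProbe]::DebugFlagsCleared()
    ProcessDebugObjectHandle = [DebugProbe]::DebugObjectHandleReturned()
    KernelDebugger           = [DebugProbe]::KernelDebuggerEnabled()
}
```

With no debugger attached every field should read False. With a user-mode debugger attached and nothing hidden, ProcessDebugPort and ProcessDebugObjectHandle read True (ProcessDebugFlags depends on how the debugger attached); once the PID is hidden with the corresponding options, those fields should return to False even though the debugger is still attached, which is the behaviour the SSDT hooks are there to produce.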
↧