Saturday, 6 December 2014

Security: Basic DDoS Internals (No-source code)


For a long time, I did not post any scripts nor source codes as a result of education. Nevertheless I am posting today regarding how DDoS works & why hackers perform them.

DDoS is a cyber-attack strategy used widely to make a machine resource or network resource unavailable to its intended users. Normally, DDoS is targeted to interrupt or suspend  services of a host connected to internet. DDoS is usually misunderstood by beginner security experts\developers, the general misunderstanding is about how to define a DDoS attack, To clarify DDoS is when two or more people, or bots try flood the target.

Lets get to the technicals of a DDoS attack, as stated DDoS is only sustained if the host is connected to the internet. This suggests that the attackers use internet packets\requests to attack the target. They do this via sending TCP\UDP\ICMP or HTTP packets to the target in order to request or upload information to cause the targets machine to focus on those requests and temporary disable all internet services. The target disables the internet services because as bandwidth is limited for all machines connected to internet, computers normally divide the bandwidth among all the services equally to ensure each service can run however computer does allow one service to request for more bandwidth, with this being said one can assume all services can ask for all the bandwidth for themselves.

This should mean if any one internet service is targeted with a lot of packets, the service would require more bandwidth to reply and process every request. This should mean as we increase the request sizes and packets sent as one time, the bandwidth consumption for the following service will increase & decrease the other internet services. As the consumption increases to a critical level, the machine does not have any more bandwidth left to share or give and this causes the machine to temporary drop off from internet until the DDoS stops.

Normally most DDoS tools tend to be multi-threaded to increase attack strength as more packets sent the more bandwidth should be consumed by the attack.

That said, now assume if the target has an bandwidth of 100 MB and let us assume there is perhaps 50 members who have a total bandwidth of 200 MB which we should deduce that on average each member has 4 MB of bandwidth. This said, since we only need 100 MB to drop the target from internet for a duration of time. The DDoS  mechanism\software\program\service will require 2 MB of bandwidth from each participant.

That in mind, using this 2 MB they will completely disable the target and drop it of the internet for a time-being therefore a successful attack has been completed.

Now, let me explain more about the after-effects both parties may face after or during the attack.

Let me discuss, pertaining what may happen during an DDoS attack. As the attackers request 2 MB from their 4 MB of average bandwidth. Their online connectivity will be half as fast as it were prior to the attack. This is practically a Newtonian law of Computing:

"Ever action has a equal and opposite reaction"

This makes complete sense, just because they used 2MB data to attack their internet also becomes 2 MB slower while making the target 2 MB slower. That in mind, its a basic equal and opposite reaction.

That said, it is quite possible for the attacker to "suicide" himself, in the process if he or she cannot overwhelm the target as the DDoS program may ask for additional bandwidth and over-time the bandwidth may completely used to take-down our target, so its always important to set an certain limit which MUST not be crossed  to avoid "net-suicide"

In that, you must understand the reason why malwares use only some percent of the internet bandwidth to avoid suspicion in case of failure of attack first to avoid being obvious due to raise in internet use which User may detect and find suspicious.

Before I conclude, let me explain about few symptoms of priori net-suicide, first most obvious symptoms is that your internet will become slow as it approaches the limit of net-suicide due to consumption of internet becoming practically maximum . Then, we would also notice processing power of computer becoming extremely high from say 2 - 3 % to 50 - 65 % which will be as a result of  computer trying to process all those requests from DDoS process. Then you will notice if you use Network sniffers such as WireShark, that the screen will be filled & filling up data which points to an DDoS taking place, These symptoms may appear on both Target and Attacker.

This will only be an introductory of what DDoS is before we use our white-hat C++ skills to develop an application for DDoS using multi-threading as well as Windows API, to show Proof-Of-Concept and for Ethical purposes & Educational purposes.

Kind Regards

Monday, 5 May 2014

Basic Simulation: Basic Gravity


Today as promised I'll be posting simulation programming basics. That being said, today I will be talking and discussing about Gravity however unlike my initial plan we will not be using any equations for simplicity purposes for the beginner audience. The simulation programming will be using OpenGL as I want the simulation programmer to be able to see an visual representation of their success rather than have few numbers shown upon screen making this topic nothing but a mere boring mathematical incorporation of physics.

That being said, this tutorial will only be using basic OpenGL function such as glTranslatef(), glRectf() and other similar function. Next, this tutorial will neither make use of a timer as it could be too complicated for the user who messaged me for this tutorial to be created. That in mind, we will not be even using gravitational constants such as 9.81 m/s^2.

To be brutally honest, this tutorial is really designed to show how easily we can create programs using BASIC OpenGL functions that a beginner can learn and apply in matter of few hours. Here is the source:

Basic OpenGL Gravity

Bare in mind that the code is not too pretty in terms of implementation and using functions such as Sleep() as an "Pixel" slower to ensure that the user can actually see the dot fall similar to that of gravity. That being said, it was designed for an newbie.

Hope you learned something new,

Wednesday, 9 April 2014

Still a alive - Update


I have not posted anything for a while, but I am going to be posting from now. I apologize for the long delay, I did not really get around to posting any interesting topics recently however I plan on also writing few blogs regarding security soon or later.

Nevertheless, I am going to be writing about physics, cosmology as well after people requested me to write few blogs pertaining about physics and space.

Anyway, in security I will be covering:

- Theories of Anti-Virus development (Heuristics)
- How DDoS works
- Theory of Network analysis
- Self-Protection mechanisms

I also have a long list of planned topics to cover in future:

- AI (Non-Game based)
- Encryptions
- Science of Sci-Fi
- Simulation Programming

That being said, stay tuned.

Sunday, 5 January 2014

Global Remote Detour: KiFastSystemCall


I am not planning on explaining my code too much but rather give code, which is more or less straightforward in terms of the functions used and the simple logic.

Unlike the previous remote detour given I am not really creating a running thread as that will just be too slow and unneeded work.

There are 2 functions needed for the global injection: Provider(void) & Injector(DWORD Pid)
The function Provider(void) is responsible for providing each process's PID to the Injector function, then the Injector function will:

  1. Open the PID via a call to OpenProcess
  2. Using the handle it will suspend the process, ready for injection
  3. It will then write the callback into the process memory space
  4. Then will create a char array of machine code (JMP ---) then will annotate the remote callback address on to the char array.
  5. The char array will be then written on KiFastSystemCall address, 
We have detoured KiFastSystemCall, the uses of such detours are endless:

  • Self-Protection
  • Proactive AV scanning
  • Complete Control over system
  • Helpful Debugging Information
The Code Metrics:

Line Count:  105 Lines
Size: 3.05 KB (3,125 bytes)

Stay Tuned,

Saturday, 30 November 2013

Detoruing x64 System Call Stub: X86SwitchTo64BitMode


It's been a while since I posted anything, anyway now that I am here I am going to be giving a detour for: X86SwitchTo64BitMode.

X86SwthTo64BitMode is the deepest call before everything switches into 64 bit mode and other inaccessible DLL files. Additionally X86SwitchTo64BitMode can be detoured fairly easily unlike KiFastSystemCall, a usual JMP would do the job especially because we don't care if we overwrite instructions because we are not jumping back to the original instruction.

The Code is more or less pretty straightforward for any Windows savvy users.

Link: X86SwitchTo64BitMode.cpp

As said before, this code can be easily incorporated into a Global detour, additionally you may find this suitable to incorporate into your projects with credits to - Code Empire.


Wednesday, 13 November 2013

Security: Process Injection & detouring


I will be posting on how to inject into foreign processes then place a detour on specific API's, our example being MessageBoxA however this technique can be adapted to any API detour with slight change. Some useful API calls to detour would be:
- NtOpenProcess
- NtTerminateProcess
- NtQueryDirectoryFile
- NtQuerySystemInformation 

more exotic API's include:

- TurboDispatchJumpAddressStart
- KiFastSystemCall
- X86SwitchTo64BitMode
- Wow64SystemServiceEx
- CpuSimulate

As you may guess, there is again both malicious and positive purposes. It is always beneficial to understand these things, especially in case these task raise up.

The injection is modified slightly from the Mozilla Firefox post which was posted last month. I could have placed a detour directly on the API address using few easy workarounds however I simply created a entire thread which places the detour, just to show it as a Proof-Of-Concept code to newbie security analysts & security developers.

The code follows:

  • Open the process with flag set to PROCESS_ALL_ACCESS however this can be reduced to bare minimum
  • Create and fill a _CODE structure ready to be added as a parameter to our injected thread
  • Then allocate all the space needed for the processes which include - Thread, Parameter
  • Create the remote thread
The explanation above shows the procedure to inject code into foreign process but the thread performs something more or less the most important part of the program:
  • Use the _CODE structure then store the appropriate members in specific typedefs to be called
  • Calls MessageBoxA with parameters being set to those given from the _CODE structure
  • Finally patches MessageBoxA to redirect the control to a callback 
  • Additionally the thread also patches the callback to ensure the callback returns the control back to original 
Now I will elaborate on the job of the callback:
  • The callback reinstates the lost bytes of the original instructions 
  • Jumps back to original MessageBoxA  
  • Returns 
You would get a good idea on how it works, however for those who still have no clue here is the download:

Until Next Time,

Thursday, 31 October 2013

Security: Social Engineering using UAC


Today, we will be exploiting the UAC Architecture - for developers wanting to become savvy on Windows, UAC is a abbreviation for User Account Control it is designed to allow individual processes to run in various Account Levels, additionally it protects the host from malicious software from gaining higher privileges without consent.
However Microsoft while developing UAC, and perform bug checks they forgot to notice Windows Command Preprocessor, functionality which defeats the purpose of Command Prompt.

As you know Windows Command Preprocessor has extremely rich parameter usage, which can be exploited in order to run a different program but UAC shows that the program is trusted:

*** The Username is blurred out, for obvious reasons ***

 The above UAC is the default UAC which pops up, this UAC is also set to the highest level to show it works effectively on the most harshest\secure PC's.
While this look completely trustable, you can see the real-trick when we click on the "Show details" expander control located bottom-left.
Once we click that the true identity is shown:

As you may observed, only when we press "Show details" expander control located bottom-left we can see the true identity of this UAC alert, however majority of the time 80-90% of the Users tend to never click on show details especially if the UAC has a trusted software wanting elevation.

To show even more, if we press publishers, it shows Certificate is OK, many may think this is about the Malware but the certificate is CMD.exe's therefore we have performed Social Engineering Attack.
We can easily perform this via a simple call to ShellExecuteExA\W, with the lpVerb set to - "runas" and lpFile set to - location of Cmd.exe however to start our Malware as well we can use lpParameters to elevate our Malware like so - /c start %Malware Path%.
This technique will not only reduce huge amount of code and effort but is useful when deploying untrusted applications in the sense that it does not contain any digital signatures.
Source code:

As you may see I have not included entire source file such as headers as those can be added upon easily.


UAC is pretty secure itself such as prevents buffer overflows (to a certain extent of course) and such similar attacks however, it need more stricter settings by maybe show a label suggesting a parameter is added or showing additional details by default rather than giving user a choice.

As for the current UAC, it can still be "hacked" via a code injection into UAC when it pops up to hide the "show details" tab  therefore evading prying eyes even further.

Stay Tuned,