<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Archive</title>
	<atom:link href="http://skilinium.com/blog/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://skilinium.com/blog</link>
	<description>Just another shitty programming blog</description>
	<lastBuildDate>Fri, 22 Oct 2010 13:38:37 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.4</generator>
		<item>
		<title>C++ Detour Trampoline (send/recv)</title>
		<link>http://skilinium.com/blog/?p=742</link>
		<comments>http://skilinium.com/blog/?p=742#comments</comments>
		<pubDate>Fri, 22 Oct 2010 13:38:37 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[C++]]></category>
		<category><![CDATA[Programming]]></category>

		<guid isPermaLink="false">http://skilinium.com/blog/?p=742</guid>
		<description><![CDATA[It&#8217;s time for a new code-snippet to be posted. It&#8217;s about detouring! Let&#8217;s see what Wikipedia has to say about detouring. Source: Wikipedia In computer programming, the term detouring covers a range of techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s time for a new code-snippet to be posted. It&#8217;s about detouring!</p>
<p><img class="alignnone" src="http://skilinium.com/blog/downloads/Win32DetourSocket.PNG" alt="" width="578" height="454" /></p>
<p>Let&#8217;s see what Wikipedia has to say about detouring.</p>
<blockquote><p><strong>Source:</strong> Wikipedia<br />
In computer programming, the term detouring covers a range of techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a &#8220;detour&#8221;.</p>
<p>Detouring is used for many purposes, including debugging and extending functionality. Examples might include intercepting keyboard or mouse event messages before they reach an application, or intercepting operating system calls in order to monitor behavior or modify the function of an application or other component.</p>
<p>Detouring can also be used by malicious code. For example, rootkits, pieces of software that try to make themselves invisible by faking the output of API calls that would otherwise reveal their existence, often use detouring techniques. A wallhack is another example of malicious behavior that can stem from detouring techniques. It is done by intercepting function calls in a computer game and altering what is shown to the player to allow them to gain an unfair advantage over other players.</p></blockquote>
<p>In this example the Winsock functions &#8216;send&#8217; and &#8216;recv&#8217; are hooked. Let&#8217;s see what MSDN has to say about them.</p>
<blockquote><p>The send function sends data on a connected socket.<br />
int send(<br />
__in  SOCKET s,<br />
__in  const char *buf,<br />
__in  int len,<br />
__in  int flags<br />
);</p></blockquote>
<blockquote><p>The recv function receives data from a connected socket or a bound connectionless socket.<br />
int recv(<br />
__in   SOCKET s,<br />
__out  char *buf,<br />
__in   int len,<br />
__in   int flags<br />
);</p></blockquote>
<p>The &#8216;detour trampoline&#8217; routine in the source is meant for hooking functions you can name (here &#8216;send&#8217; and &#8216;recv&#8217;); if you want to hook an arbitrary address, &#8216;DetourAttach()&#8217; from Microsoft Detours is the better option. The source and a compiled DLL are linked at the bottom of this post. Currently the hook shows a MessageBox with the contents of the function&#8217;s buffer, then calls the original function and returns its result, so the program continues as if nothing happened. Mind the direction of the buffers in the prototypes above: for send, buf is an input and can be read before the call is forwarded; for recv, buf is an output, so the hook has to call the original recv first and may only look at the number of bytes it actually returned. You can modify the source to filter or replace specific data, or to write everything to a file instead of showing a MessageBox.</p>
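<p>As an added example (this is not the post&#8217;s Win32DetourSocket.CPP and uses no Detours API), the following C++ shows what an inline detour and its trampoline actually are at the byte level, plus the hook-body pattern described above. It is kept free of Windows headers so it builds anywhere; the addresses, the <code>hooked_send</code>/<code>fake_send</code> names and the HTTP payload are made up for the demonstration, and <code>fake_send</code> stands in for ws2_32&#8217;s send so the code runs offline. A real hook would additionally have to make the target page writable, place the trampoline in executable memory and flush the instruction cache.</p>

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Added example, not the post's code. Demonstrates the arithmetic behind a
// 5-byte inline detour (E9 rel32) and the trampoline that preserves the
// original function. Addresses are made up for the demo.
constexpr std::size_t   kJmpSize    = 5;            // E9 + 4-byte displacement
constexpr std::uint64_t kTarget     = 0x10000000;   // pretend: ws2_32!send
constexpr std::uint64_t kHook       = 0x20000000;   // pretend: our hooked_send
constexpr std::uint64_t kTrampoline = 0x30000000;   // pretend: executable scratch page

// rel32 is measured from the end of the JMP instruction (from + 5).
static std::int64_t jmp_delta(std::uint64_t from, std::uint64_t to) {
    return static_cast<std::int64_t>(to) - static_cast<std::int64_t>(from + kJmpSize);
}

// A near JMP only reaches +/-2 GiB; on x64 a farther detour needs an absolute
// jump (e.g. FF 25 [rip+0] followed by an 8-byte address) instead.
bool rel32_fits(std::uint64_t from, std::uint64_t to) {
    const std::int64_t d = jmp_delta(from, to);
    return d >= INT32_MIN && d <= INT32_MAX;
}

// Encode "JMP to" as if placed at address "from".
std::array<std::uint8_t, kJmpSize> make_jmp(std::uint64_t from, std::uint64_t to) {
    const std::int32_t rel = static_cast<std::int32_t>(jmp_delta(from, to));
    std::array<std::uint8_t, kJmpSize> code{};
    code[0] = 0xE9;
    std::memcpy(&code[1], &rel, sizeof rel);   // little-endian host assumed (x86)
    return code;
}

// The trampoline: the stolen prologue bytes (whole instructions; a real hooking
// library uses a length disassembler to find the boundary) followed by a JMP
// back into the target just past the overwritten bytes. Calling the trampoline
// is calling the original, un-hooked function.
std::vector<std::uint8_t> make_trampoline(std::uint64_t target, const std::uint8_t* prologue,
                                          std::size_t stolen_len, std::uint64_t trampoline_addr) {
    std::vector<std::uint8_t> t(prologue, prologue + stolen_len);
    const auto back = make_jmp(trampoline_addr + stolen_len, target + stolen_len);
    t.insert(t.end(), back.begin(), back.end());
    return t;
}

std::vector<std::uint8_t> demo_trampoline() {
    // Classic hot-patchable Win32 API prologue: mov edi,edi / push ebp / mov ebp,esp
    static const std::uint8_t prologue[] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    return make_trampoline(kTarget, prologue, sizeof prologue, kTrampoline);
}

// The hook-body pattern from the post: inspect buf, then forward the call through
// the trampoline pointer and return its result unchanged.
using send_fn = int (*)(int s, const char* buf, int len, int flags);
static send_fn     g_real_send = nullptr;   // in a real hook: address of the trampoline
static std::string g_captured;              // stands in for the MessageBox

// Stand-in for ws2_32!send so the example runs offline: pretends all bytes were sent.
static int fake_send(int, const char*, int len, int) { return len; }

int hooked_send(int s, const char* buf, int len, int flags) {
    if (buf != nullptr && len > 0) g_captured.append(buf, static_cast<std::size_t>(len));
    return g_real_send(s, buf, len, flags);
}

// Wire the hook to the stand-in and push one constructed request through it.
int demo_hook() {
    g_real_send = fake_send;
    g_captured.clear();
    const char req[] = "GET / HTTP/1.0\r\n\r\n";   // constructed sample payload
    return hooked_send(3, req, static_cast<int>(sizeof req - 1), 0);
}

int main() {
    for (std::uint8_t b : make_jmp(kTarget, kHook)) std::printf("%02X ", b);
    std::printf(" <- written over the first 5 bytes of send()\n");
    for (std::uint8_t b : demo_trampoline()) std::printf("%02X ", b);
    std::printf(" <- trampoline: stolen prologue + JMP back to send()+5\n");
    std::printf("hooked_send returned %d, captured %zu bytes\n", demo_hook(), g_captured.size());
    return 0;
}
```

<p>Note how <code>hooked_send</code> never touches the return value: if the hook swallowed or altered it, the application would misbehave and the detour would be noticed. For recv the capture would move after the forwarded call and be limited to the returned byte count.</p>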
<p>Source: <a href="http://skilinium.com/blog/downloads/Win32DetourSocket.CPP" target="_blank">http://skilinium.com/blog/downloads/Win32DetourSocket.CPP</a><br />
Binary: <a href="http://skilinium.com/blog/downloads/Win32DetourSocket.dll" target="_blank">http://skilinium.com/blog/downloads/Win32DetourSocket.dll</a></p>
]]></content:encoded>
			<wfw:commentRss>http://skilinium.com/blog/?feed=rss2&#038;p=742</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>(Video Tutorial) Analyze .NET assemblies</title>
		<link>http://skilinium.com/blog/?p=739</link>
		<comments>http://skilinium.com/blog/?p=739#comments</comments>
		<pubDate>Thu, 21 Oct 2010 13:26:51 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Video Tutorials]]></category>

		<guid isPermaLink="false">http://skilinium.com/blog/?p=739</guid>
		<description><![CDATA[Another video tutorial for my blog. This one will be about analyzing .NET assemblies. This method of &#8216;reversal&#8217;, also referred to as decompiling allows you to view the source-code of the executable. Unless the executable is either packed or obfuscated, then you would have to unpack or de-obfuscate the program. Source: Wikipedia The CIL code [...]]]></description>
			<content:encoded><![CDATA[<p>Another video tutorial for my blog. This one is about analyzing .NET assemblies.<br />
This method of &#8216;reversal&#8217;, also referred to as decompiling, lets you view a close approximation of the executable&#8217;s source code, because a .NET assembly ships as CIL plus metadata rather than as native code.</p>
<p>That only works directly if the executable is neither packed nor obfuscated; otherwise you first have to unpack or de-obfuscate it.</p>
<p><img class="alignnone" src="http://skilinium.com/blog/downloads/_NET Reversal/_NET Reversal.jpg" alt="" width="246" height="158" /></p>
<blockquote><p><strong>Source: </strong>Wikipedia<br />
The CIL code is housed in .NET assemblies. As mandated by specification, assemblies are stored in the Portable Executable (PE) format, common on the Windows platform for all DLL and EXE files. The assembly consists of one or more files, one of which must contain the manifest, which has the metadata for the assembly. The complete name of an assembly (not to be confused with the filename on disk) contains its simple text name, version number, culture, and public key token. The public key token is a unique hash generated when the assembly is compiled, thus two assemblies with the same public key token are guaranteed to be identical from the point of view of the framework.[dubious – discuss] A private key can also be specified known only to the creator of the assembly and can be used for strong naming and to guarantee that the assembly is from the same author when a new version of the assembly is compiled (required to add an assembly to the Global Assembly Cache).</p></blockquote>
<p>The tool &#8216;.NET Reflector&#8217; has been used in this tutorial, let&#8217;s see what information Wikipedia gives us.</p>
<blockquote><p><strong>Source: </strong>Wikipedia<br />
.NET Reflector is a free software utility for Microsoft .NET combining class browsing, static analysis and decompilation, originally written by Lutz Roeder. MSDN Magazine named it as one of the Ten Must-Have utilities for developers, and Scott Hanselman listed it as part of his &#8220;Big Ten Life and Work-Changing Utilities&#8221;.</p>
<p>.NET Reflector was the first .NET assembly browser. It can be used to inspect, navigate, search, analyze, and browse the contents of a .NET component such as an assembly and translates the binary information to a human-readable form. By default Reflector allows decompilation of .NET assemblies into C#, Visual Basic .NET and Common Intermediate Language. Reflector also includes a &#8220;Call Tree&#8221;, that can be used to drill down into IL methods to see what other methods they call. It will show the metadata, resources and XML documentation. .NET Reflector can be used by .NET developers to understand the inner workings of code libraries, to show the differences between two versions of the same assembly, and how the various parts of a .NET application interact with each other. There are a large number of addins for Reflector.</p></blockquote>
<p>And that&#8217;s pretty much all the information you will need.</p>
<p>Video: <a href="http://skilinium.com/blog/downloads/_NET%20Reversal/_NET%20Reversal.html" target="_blank">http://skilinium.com/blog/downloads/_NET%20Reversal/_NET%20Reversal.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://skilinium.com/blog/?feed=rss2&#038;p=739</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>(Video Tutorial) Removing Major Defense Kit</title>
		<link>http://skilinium.com/blog/?p=723</link>
		<comments>http://skilinium.com/blog/?p=723#comments</comments>
		<pubDate>Sun, 10 Oct 2010 22:01:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Video Tutorials]]></category>

		<guid isPermaLink="false">http://skilinium.com/blog/?p=723</guid>
		<description><![CDATA[And another video tutorial on removing a slightly different variant of the &#8216;AntiSpy Safeguard&#8217;, this time it&#8217;s called &#8216;Major Defense Kit&#8217;. Simple description about what the program is and does. Source: 2-spyware Major Defense Kit is a fake antivirus program that is promoted through misleading advertisements on infected websites or through the use of Trojan [...]]]></description>
			<content:encoded><![CDATA[<p>And another video tutorial on removing a slightly different variant of the &#8216;AntiSpy Safeguard&#8217;, this time it&#8217;s called &#8216;Major Defense Kit&#8217;.</p>
<p><a href="http://skilinium.com/blog/downloads/Major Defense Kit/FirstFrame.png" target="_blank"><img class="alignnone" src="http://skilinium.com/blog/downloads/Major Defense Kit/FirstFrame.png" alt="" width="614" height="461" /></a></p>
<p>A short description of what the program is and does.</p>
<blockquote><p><strong>Source:</strong> 2-spyware<br />
Major Defense Kit is a fake antivirus program that is promoted through misleading advertisements on infected websites or through the use of Trojan downloaders and other malware. Once installed, the program will be set to run when you start your computer. While running, Major Defense Kit will pretend to scan your PC and then display numerous infections, such as spyware, adware and Trojans. It will prompt you to pay for a full version of the program to remove the infections. In reality, though, it won&#8217;t remove any infections even if you purchase it. That&#8217;s because MajorDefenseKit is a virus itself and it reports non-existent infections on your computer. It goes without saying that you should remove Major Defense Kit from the computer as soon as possible. Please follow the removal instructions below.</p></blockquote>
<p><strong>Video:</strong> <a href="http://skilinium.com/blog/downloads/Major Defense Kit/Major Defense Kit.html" target="_blank">http://skilinium.com/blog/downloads/Major Defense Kit/Major Defense Kit.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://skilinium.com/blog/?feed=rss2&#038;p=723</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>(Video Tutorial) Removing AntiSpy Safeguard</title>
		<link>http://skilinium.com/blog/?p=716</link>
		<comments>http://skilinium.com/blog/?p=716#comments</comments>
		<pubDate>Sun, 10 Oct 2010 21:01:02 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Video Tutorials]]></category>

		<guid isPermaLink="false">http://skilinium.com/blog/?p=716</guid>
		<description><![CDATA[First a bit of information about the program called &#8216;AntiSpy Safeguard&#8217;. Source: 2-spyware AntiSpy Safeguard is a fake anti-spyware program that display false scan results as a tactic to scare you into thinking that your computer is infected with viruses. This fake program is advertised through websites that pretend to be online malware scanners that [...]]]></description>
			<content:encoded><![CDATA[<p>First a bit of information about the program called &#8216;AntiSpy Safeguard&#8217;.</p>
<p><a href="http://skilinium.com/blog/downloads/AntiSpy Safeguard/AntiSpy Safeguard.PNG" target="_blank"><img class="alignnone" src="http://skilinium.com/blog/downloads/AntiSpy Safeguard/AntiSpy Safeguard.PNG" alt="" width="573" height="431" /></a></p>
<blockquote><p><strong>Source: </strong>2-spyware<br />
AntiSpy Safeguard is a fake anti-spyware program that displays false scan results as a tactic to scare you into thinking that your computer is infected with viruses. This fake program is advertised through websites that pretend to be online malware scanners that find infections on your computer, usually some Trojans, worms and other malicious software. Of course, the rogue program may come bundled with other malware onto your computer without your knowledge and pop up on your computer screen like from nowhere. Also, malware authors distribute their bogus products using social engineering. Once installed, AntiSpy Safeguard will supposedly run a quick system scan and find a variety of files that it states are malware. These files, though, cannot be removed unless you first purchase the software. However, don&#8217;t purchase it. The scan results are false, so you may safely ignore them. Besides, AntiSpy Safeguard won&#8217;t remove any infections anyway because they simply don&#8217;t exist on your computer.</p></blockquote>
<p>The video-tutorial is aimed at the removal of the &#8216;AntiSpy Safeguard&#8217; program.</p>
<p><strong>Video:</strong> <a href="http://skilinium.com/blog/downloads/AntiSpy Safeguard/AntiSpy Safeguard.html" target="_blank">http://skilinium.com/blog/downloads/AntiSpy Safeguard/AntiSpy Safeguard.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://skilinium.com/blog/?feed=rss2&#038;p=716</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Kasens KS-G5000</title>
		<link>http://skilinium.com/blog/?p=699</link>
		<comments>http://skilinium.com/blog/?p=699#comments</comments>
		<pubDate>Wed, 29 Sep 2010 22:28:02 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Real Life]]></category>

		<guid isPermaLink="false">http://skilinium.com/blog/?p=699</guid>
		<description><![CDATA[Just took a look at a new product the Kasens KS G5000. It supports the following network types: - IEEE 802.11a (54 Mbit/s) - IEEE 802.11b (11 Mbit/s) - IEEE 802.11g (54 Mbit/s) Source: Wikipedia IEEE 802.11 is a set of standards carrying out wireless local area network (WLAN) computer communication in [...]]]></description>
			<content:encoded><![CDATA[<p>Just took a look at a new product the Kasens KS G5000.</p>
<p><a href="http://skilinium.com/blog/downloads/G5000/G5001.JPG" target="_blank"><img class="alignnone" src="http://skilinium.com/blog/downloads/G5000/G5001.JPG" alt="" width="605" height="454" /></a></p>
<p>It supports the following network types:<br />
- IEEE 802.11a (54 Mbit/s)<br />
- IEEE 802.11b (11 Mbit/s)<br />
- IEEE 802.11g (54 Mbit/s)</p>
<blockquote><p><strong>Source:</strong> Wikipedia<br />
IEEE 802.11 is a set of standards carrying out wireless local area network (WLAN) computer communication in the 2.4, 3.6 and 5 GHz frequency bands. They are created and maintained by the IEEE LAN/MAN Standards Committee (IEEE 802). The base current version of the standard is IEEE 802.11-2007.</p></blockquote>
<p><a href="http://skilinium.com/blog/downloads/G5000/G5002.JPG" target="_blank"><img class="alignnone" src="http://skilinium.com/blog/downloads/G5000/G5002.JPG" alt="" width="605" height="454" /></a></p>
<p>The contents of the package:<br />
- 1x Kasens KS-G5000 (2W (2000 mW) amplifier).<br />
- 1x 10 dBi antenna.<br />
- 1x USB connector.<br />
- 1x Driver CD.<br />
- 1x BackTrack 3 &amp; 4<br />
- 1x English Manual</p>
<p>The manual includes information on how to find and crack wireless networks.</p>
<p><a href="http://skilinium.com/blog/downloads/G5000/G5003.JPG" target="_blank"><img class="alignnone" src="http://skilinium.com/blog/downloads/G5000/G5003.JPG" alt="" width="605" height="454" /></a></p>
<p>The operating systems (OS) that the device supports:<br />
- Windows 98SE<br />
- Windows ME<br />
- Windows 2000<br />
- Windows XP<br />
- Windows Vista<br />
- Windows 7<br />
- Apple<br />
- Mac 10.4<br />
- Linux 2.6<br />
- BackTrack 3 (Linux)<br />
- BackTrack 4 (Linux)</p>
<p><a href="http://skilinium.com/blog/downloads/G5000/G5004.JPG" target="_blank"><img class="alignnone" src="http://skilinium.com/blog/downloads/G5000/G5004.JPG" alt="" width="605" height="454" /></a></p>
<p>The antenna and the device together are nearly 50 cm long.</p>
<p><a href="http://skilinium.com/blog/downloads/G5000/G5005.JPG" target="_blank"><img class="alignnone" src="http://skilinium.com/blog/downloads/G5000/G5005.JPG" alt="" width="605" height="454" /></a></p>
<p>Personal opinion.</p>
<blockquote><p><strong>Pros: </strong><br />
The device only shows the networks it can actually receive, unlike other products that list every network they can detect (even if they can&#8217;t establish an actual connection).</p>
<p><strong>Cons: </strong><br />
The device is so compact that it has to lie down instead of standing up (otherwise it just tumbles over).</p></blockquote>
<p>If you think I forgot to add something or if any information is incorrect, feel free to post a comment about it.</p>
]]></content:encoded>
			<wfw:commentRss>http://skilinium.com/blog/?feed=rss2&#038;p=699</wfw:commentRss>
		<slash:comments>48</slash:comments>
		</item>
		<item>
		<title>Rootkits &#8211; Subverting the Windows Kernel</title>
		<link>http://skilinium.com/blog/?p=701</link>
		<comments>http://skilinium.com/blog/?p=701#comments</comments>
		<pubDate>Sat, 04 Sep 2010 15:47:10 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Real Life]]></category>

		<guid isPermaLink="false">http://skilinium.com/blog/?p=701</guid>
		<description><![CDATA[Well, I&#8217;ve finally received the book I ordered. Looks like this will be a very interesting book, like the back cover says: &#8220;Rootkits will be of interest to any Windows security researcher or security programmer&#8221;. Here is the information that is written on the Back Cover. &#8220;It&#8217;s imperative that everybody working in the field of [...]]]></description>
			<content:encoded><![CDATA[<p>Well, I&#8217;ve finally received the book I ordered. Looks like this will be a very interesting book, like the back cover says: &#8220;Rootkits will be of interest to any Windows security researcher or security programmer&#8221;.</p>
<p><a href="http://skilinium.com/blog/downloads/ROOTKITS1.JPG" target="_blank"><img class="alignnone" src="http://skilinium.com/blog/downloads/ROOTKITS1.JPG" alt="" width="480" height="360" /></a></p>
<p>Here is the information that is written on the Back Cover.</p>
<blockquote><p>&#8220;It&#8217;s imperative that everybody working in the field of cyber-security read this book to understand the growing threat of rootkits.&#8221;<br />
&#8211;Mark Russinovich, editor, Windows IT Pro / Windows &amp; .NET Magazine</p>
<p>&#8220;This material is not only up-to-date, it defines up-to-date. It is truly cutting-edge. As the only book on the subject, Rootkits will be of interest to any Windows security researcher or security programmer. It&#8217;s detailed, well researched and the technical information is excellent. The level of technical detail, research, and time invested in developing relevant examples is impressive. In one word: Outstanding.&#8221;<br />
&#8211;Tony Bautts, Security Consultant; CEO, Xtivix, Inc.</p>
<p>&#8220;This book is an essential read for anyone responsible for Windows security. Security professionals, Windows system administrators, and programmers in general will want to understand the techniques used by rootkit authors. At a time when many IT and security professionals are still worrying about the latest e-mail virus or how to get all of this month&#8217;s security patches installed, Mr. Hoglund and Mr. Butler open your eyes to some of the most stealthy and significant threats to the Windows operating system. Only by understanding these offensive techniques can you properly defend the networks and systems for which you are responsible.&#8221;<br />
&#8211;Jennifer Kolde, Security Consultant, Author, and Instructor</p>
<p>&#8220;What&#8217;s worse than being owned? Not knowing it. Find out what it means to be owned by reading Hoglund and Butler&#8217;s first-of-a-kind book on rootkits. At the apex of the malicious hacker toolset&#8211;which includes decompilers, disassemblers, fault-injection engines, kernel debuggers, payload collections, coverage tools, and flow analysis tools&#8211;is the rootkit. Beginning where Exploiting Software left off, this book shows how attackers hide in plain sight.</p>
<p>&#8220;Rootkits are extremely powerful and are the next wave of attack technology. Like other types of malicious code, rootkits thrive on stealthiness. They hide away from standard system observers, employing hooks, trampolines, and patches to get their work done. Sophisticated rootkits run in such a way that other programs that usually monitor machine behavior can&#8217;t easily detect them. A rootkit thus provides insider access only to people who know that it is running and available to accept commands. Kernel rootkits can hide files and running processes to provide a backdoor into the target machine.</p>
<p>&#8220;Understanding the ultimate attacker&#8217;s tool provides an important motivator for those of us trying to defend systems. No authors are better suited to give you a detailed hands-on understanding of rootkits than Hoglund and Butler. Better to own this book than to be owned.&#8221;<br />
&#8211;Gary McGraw, Ph.D., CTO, Cigital, coauthor of Exploiting Software (2004) and Building Secure Software (2002), both from Addison-Wesley</p>
<p>&#8220;Greg and Jamie are unquestionably the go-to experts when it comes to subverting the Windows API and creating rootkits. These two masters come together to pierce the veil of mystery surrounding rootkits, bringing this information out of the shadows. Anyone even remotely interested in security for Windows systems, including forensic analysis, should include this book very high on their must-read list.&#8221;<br />
&#8211;Harlan Carvey, author of Windows Forensics and Incident Recovery (Addison-Wesley, 2005)</p>
<p>Rootkits are the ultimate backdoor, giving hackers ongoing and virtually undetectable access to the systems they exploit. Now, two of the world&#8217;s leading experts have written the first comprehensive guide to rootkits: what they are, how they work, how to build them, and how to detect them. Rootkit.com&#8217;s Greg Hoglund and James Butler created and teach Black Hat&#8217;s legendary course in rootkits. In this book, they reveal never-before-told offensive aspects of rootkit technology&#8211;learn how attackers can get in and stay in for years, without detection.</p>
<p>Hoglund and Butler show exactly how to subvert the Windows XP and Windows 2000 kernels, teaching concepts that are easily applied to virtually any modern operating system, from Windows Server 2003 to Linux and UNIX. Using extensive downloadable examples, they teach rootkit programming techniques that can be used for a wide range of software, from white hat security tools to operating system drivers and debuggers.</p>
<p>After reading this book, readers will be able to</p>
<p>* Understand the role of rootkits in remote command/control and software eavesdropping<br />
* Build kernel rootkits that can make processes, files, and directories invisible<br />
* Master key rootkit programming techniques, including hooking, runtime patching, and directly manipulating kernel objects<br />
* Work with layered drivers to implement keyboard sniffers and file filters<br />
* Detect rootkits and build host-based intrusion prevention software that resists rootkit attacks</p>
<p>Visit rootkit.com for code and programs from this book. The site also contains enhancements to the book&#8217;s text, such as up-to-the-minute information on rootkits available nowhere else.</p></blockquote>
<p><a href="http://skilinium.com/blog/downloads/ROOTKITS2.JPG" target="_blank"><img class="alignnone" src="http://skilinium.com/blog/downloads/ROOTKITS2.JPG" alt="" width="464" height="617" /></a></p>
<p>I haven&#8217;t been able to update my blog because I am quite busy lately. But I will post something real soon. I might post something about the new hardware I acquired.</p>
]]></content:encoded>
			<wfw:commentRss>http://skilinium.com/blog/?feed=rss2&#038;p=701</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Java &#8211; Drive-by download (DBD)</title>
		<link>http://skilinium.com/blog/?p=665</link>
		<comments>http://skilinium.com/blog/?p=665#comments</comments>
		<pubDate>Sun, 29 Aug 2010 14:34:05 +0000</pubDate>
		<dc:creator>Bleak</dc:creator>
				<category><![CDATA[Java]]></category>
		<category><![CDATA[Programming]]></category>

		<guid isPermaLink="false">http://skilinium.com/blog/?p=665</guid>
		<description><![CDATA[Hello, my name is Dan and my programming knowledge lies with Java. I will be posting a few examples of Java snippets/applets here occasionally. Java is useful because it is a light-weight and easy-to-learn language; in the near future I shall post some easier examples of code. Here is a simple Java drive-by download, [...]]]></description>
			<content:encoded><![CDATA[<p>Hello, my name is Dan and my programming knowledge lies with Java. I will be posting a few examples of Java snippets/applets here occasionally. Java is useful because it is a light-weight and easy-to-learn language; in the near future I shall post some easier examples of code.</p>
<p><a href="http://skilinium.com/blog/downloads/JAVADBD/DBD.jpg" target="_blank"><img class="alignnone" src="http://skilinium.com/blog/downloads/JAVADBD/DBD.jpg" alt="" width="400" height="438" /></a></p>
<p>Here is a simple Java drive-by download. It uses the JDK&#8217;s jar signing to get past the file-creation errors an unsigned applet runs into (lack of permissions): a signed applet whose certificate the user accepts runs outside the applet sandbox. At the bottom of this post is a link to everything you need to make one, including the HTML page, the Java source files, a pre-made .keystore and manifest, batch tools for quick and easy creation, and a short guide to getting it working; right-click each link and save the files together in one directory on your PC.</p>
<blockquote><p><strong>Wikipedia</strong><br />
The expression drive-by download is used in three increasingly strict meanings:</p>
<p>1. Downloads which the user indirectly authorized but without understanding the consequences.<br />
2. Any download that happens without knowledge of the user.<br />
3. Download of spyware, a computer virus or malware that happens without knowledge of the user.</p>
<p>Drive-by downloads may happen by visiting a website, viewing an e-mail message or by clicking on a deceptive popup window: the user clicks on the window in the mistaken belief that, for instance, an error report from the PC itself is being acknowledged, or that an innocuous advertisement popup is being dismissed; in such cases, the &#8220;supplier&#8221; may claim that the user &#8220;consented&#8221; to the download although actually unaware of having initiated an unwanted or malicious software download.</p></blockquote>
<p>Source file: <a href="http://skilinium.com/blog/downloads/JAVADBD/game.java" target="_blank">http://skilinium.com/blog/downloads/JAVADBD/game.java</a><br />
All files: <a href="http://www.skilinium.com/blog/downloads/JAVADBD/" target="_blank">http://www.skilinium.com/blog/downloads/JAVADBD/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://skilinium.com/blog/?feed=rss2&#038;p=665</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Logitech M500</title>
		<link>http://skilinium.com/blog/?p=672</link>
		<comments>http://skilinium.com/blog/?p=672#comments</comments>
		<pubDate>Wed, 25 Aug 2010 18:11:47 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Real Life]]></category>

		<guid isPermaLink="false">http://skilinium.com/blog/?p=672</guid>
		<description><![CDATA[As usual, I post every new computer-related product on my blog. Today I broke my old mouse, a &#8216;Logitech RX250&#8217;, because the scroll wheel didn&#8217;t work properly, so I decided to throw it against the wall. That meant I had an even bigger problem: I couldn&#8217;t do anything anymore, so I decided to buy a new [...]]]></description>
			<content:encoded><![CDATA[<p>As usual, I post every new computer-related product on my blog. Today I broke my old mouse, a &#8216;Logitech RX250&#8217;, because the scroll wheel didn&#8217;t work properly, so I decided to throw it against the wall.</p>
<p>That meant I had an even bigger problem: I couldn&#8217;t do anything anymore, so I decided to buy a new mouse, the &#8216;Logitech M500&#8217;.</p>
<p><a href="http://skilinium.com/blog/downloads/MOUSE/MOUSE1.JPG" target="_blank"><img class="alignnone" src="http://skilinium.com/blog/downloads/MOUSE/MOUSE1.JPG" alt="" width="622" height="466" /></a></p>
<p>I&#8217;ve used it for approximately 2 hours, and I absolutely love the scrolling feature.</p>
<p>This is what Logitech has to say about the scroll feature.</p>
<blockquote><p><img class="alignleft" src="http://www.logitech.com/assets/14155/14155.png" alt="" width="96" height="112" /></p>
<p style="text-align: left;">Scroll with it</p>
<p>Hyper-fast scrolling—one spin and you may never go back to an ordinary scroll wheel.</p>
</blockquote>
<p style="text-align: left;">
I&#8217;m still looking for another monitor support arm that fits my requirements, but you will notice it when I&#8217;ve found one. Anyway, keep checking every once in a while and I will probably add a Java section for all you cross-platform lovers. (Torsen will probably be offended because of this.)</p>
<p style="text-align: left;">- Skilinium</p>
]]></content:encoded>
			<wfw:commentRss>http://skilinium.com/blog/?feed=rss2&#038;p=672</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>(Video Tutorial) Removing Security Tool 2010</title>
		<link>http://skilinium.com/blog/?p=656</link>
		<comments>http://skilinium.com/blog/?p=656#comments</comments>
		<pubDate>Wed, 25 Aug 2010 00:08:17 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Video Tutorials]]></category>

		<guid isPermaLink="false">http://skilinium.com/blog/?p=656</guid>
		<description><![CDATA[This is about the pesky program called &#8216;Security Tool 2010&#8242;. Let&#8217;s see what information we can find about it. Wikipedia Security Tool is a rogue antivirus  program that displays false scan reports intended to convince the user that his or her computer is infected with various forms of malware. This misleading software will tell the [...]]]></description>
			<content:encoded><![CDATA[<p>This is about the pesky program called &#8216;Security Tool 2010&#8217;.</p>
<p><a href="http://skilinium.com/blog/downloads/Security Tool Removal/Security Tool Removal.PNG" target="_blank"><img class="alignnone" src="http://skilinium.com/blog/downloads/Security Tool Removal/Security Tool Removal.PNG" alt="" width="482" height="358" /></a></p>
<p>Let&#8217;s see what information we can find about it.</p>
<blockquote><p><strong>Wikipedia</strong></p>
<p>Security Tool is a rogue antivirus program that displays false scan reports intended to convince the user that his or her computer is infected with various forms of malware. This misleading software will tell the user that he or she needs to purchase the full version of the software to remove these threats. These so-called infections do not actually exist, however, as they are only attempts to frighten the user to purchase the full version of the software. This rogue is designed to scam the operator into giving the fake purchase panel their credit card number and information.</p>
<p>Methods of infection/variants</p>
<p>This fraudulent program is promoted through dangerous Trojans and hijacked browsers. It is fairly easy to determine the presence of the virus, as warning pop-ups continuously appear. Security Tool is a clone of Total Security 2009.</p>
<p>Another method of infection is that the user is directed to go to fake video websites. When the user clicks on the &#8220;video&#8221;, a box will pop up with what appears to be a flash player update. It is actually the installation file for the Security Tool program. If the user clicks on it, then it will claim that there was an error in the update, and the &#8220;video&#8221; will not play. However, the Security Tool virus will not appear until the computer is restarted.</p>
<p>Also, a user might be redirected to a site titled &#8220;My Computer Online Scan&#8221;. This site appears like the &#8220;My Computer&#8221; Window in Windows XP and will look like an online scan. However, the scan is essentially the same thing as the Security Tool scan and after the scan, a normal-looking OS prompt will appear with the only options being to choose &#8220;Yes&#8221;, or &#8220;No&#8221;. Either button will install Security Tool onto the victim&#8217;s computer immediately and will begin its first fraudulent scan. This happens usually due to a browser hijacker being present in a user&#8217;s system. Installation through a hijacker can vary from including both the site and the OS prompt or just the OS prompt on its own.</p>
<p>It has also been known to mimic the Mozilla Firefox update screen, informing the user to update flash player.</p></blockquote>
<p>Looks like the program does some pretty evil things, which is probably why they call it malware.</p>
<blockquote><p><strong>Symptoms of infection</strong></p>
<p>Security Tool gives unrealistic warnings from the Windows Security Center when downloaded onto the computer so that the user believes that the software is real and that their computer is legitimately infected with malware. It can lead to the worsening of the state of the computer system; and can also dramatically delay the speed of the computer. Security Tool also hijacks the web browser, essentially blocking the use of the browser. Every time the user attempts to run any program or any .exe file, it states that Security Tool has blocked it and prompts the purchase of Security Tool, which is supposedly required to delete malware. Messages that Security Tool tells the user can include:</p>
<p>&#8220;Your Computer is Infected!&#8221; and &#8220;Warning! 55 Infections Found!&#8221; With the next message being a prompt to upgrade to &#8220;full protection&#8221;. The number of infections is randomly generated, making it extremely obvious when the numbers are inconsistent between scans; or that there are more files you aren&#8217;t allowed to open than the number shown in the scan.</p>
<p>&#8220;Spyware.IEMonster activity detected. This is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs. Click here to remove it immediately with SecurityTool.&#8221;</p>
<p>&#8220;Security Tool Warning Some critical system files of your computer were modified by malicious program. It may cause system instability and data loss. Click here to block unauthorized modification by removing threats (Recommended)&#8221;</p>
<p>&#8220;Malware LSAS.Blaster.Worm is trying to use ____.exe to steal credit card numbers and send them to a hidden PC&#8221;</p>
<p>An occasional symptom of Security Tool is the computer failing to acknowledge that a flash drive has been inserted into the USB slot.</p>
<p>Another symptom is that the computer&#8217;s default desktop becomes an empty black or yellow screen with no icons, shortcuts, etc. displayed.</p>
<p>Depending on the severity of the infection, the computer may instantly shut down upon reaching the Windows login window as well as possibly disabling safe mode (by means of a BSOD upon entering it).</p></blockquote>
<p>This removal will probably only work for &#8216;Security Tool 2010&#8217;, not the 2009 variant, and the malware will most likely update itself over time. The reason I posted this on my blog is that in the last month I had to remove five of these from customers&#8217; computers, and then a light bulb popped up above my head.</p>
<p>Video: <a href="http://skilinium.com/blog/downloads/Security Tool Removal/Security Tool Removal.html" target="_blank">http://skilinium.com/blog/downloads/Security Tool Removal/Security Tool Removal.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://skilinium.com/blog/?feed=rss2&#038;p=656</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>C++ GetUserName &amp; GetComputerName</title>
		<link>http://skilinium.com/blog/?p=644</link>
		<comments>http://skilinium.com/blog/?p=644#comments</comments>
		<pubDate>Mon, 23 Aug 2010 17:20:06 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[C++]]></category>
		<category><![CDATA[Programming]]></category>

		<guid isPermaLink="false">http://skilinium.com/blog/?p=644</guid>
		<description><![CDATA[I just stumbled upon a old source while looking inside my old programming folder. It has quite some interesting stuff that I might share here! Let&#8217;s look on MSDN for some information about the function &#8216;GetUsername&#8217;. GetUsername BOOL WINAPI GetUserName( &#8230;__out    LPTSTR lpBuffer, &#8230;__inout  LPDWORD lpnSize ); lpBuffer [out] A pointer to the buffer to [...]]]></description>
			<content:encoded><![CDATA[<p>I just stumbled upon an old source file while looking inside my old programming folder. It has quite some interesting stuff that I might share here!</p>
<p>Let&#8217;s look on MSDN for some information about the function &#8216;GetUserName&#8217;.</p>
<blockquote><p><strong>GetUserName</strong></p>
<pre>BOOL WINAPI GetUserName(
    __out    LPTSTR lpBuffer,
    __inout  LPDWORD lpnSize
);</pre></blockquote>
<blockquote><p><strong>lpBuffer [out]</strong><br />
A pointer to the buffer to receive the user&#8217;s logon name. If this buffer is not large enough to contain the entire user name, the function fails. A buffer size of (UNLEN + 1) characters will hold the maximum length user name including the terminating null character. UNLEN is defined in Lmcons.h.</p>
<p><strong>lpnSize [in, out]</strong><br />
On input, this variable specifies the size of the lpBuffer buffer, in TCHARs. On output, the variable receives the number of TCHARs copied to the buffer, including the terminating null character. If lpBuffer is too small, the function fails and GetLastError returns ERROR_INSUFFICIENT_BUFFER. This parameter receives the required buffer size, including the terminating null character. If this parameter is greater than 32767, the function fails and GetLastError returns ERROR_INSUFFICIENT_BUFFER.</p></blockquote>
<p>A short explanation of these parameters.<br />
<strong>lpBuffer</strong> &#8211; The buffer where the user-name will be stored.<br />
<strong>lpnSize</strong> &#8211; On input, the size of that buffer in TCHARs; on output, the number of TCHARs written, including the terminating null. If the buffer is too small the call fails with ERROR_INSUFFICIENT_BUFFER and lpnSize then holds the size you actually need, so never treat a FALSE return as &#8220;no name&#8221; without checking GetLastError.</p>
<blockquote><p><strong>Example:</strong></p>
<pre>#include &lt;windows.h&gt;
#include &lt;lmcons.h&gt;   /* UNLEN */
#include &lt;stdio.h&gt;

char lpszUsername[UNLEN + 1];            /* room for the longest name plus the NUL */
DWORD dUsername = sizeof(lpszUsername);  /* in: buffer size, out: chars copied incl. NUL */

/* ANSI variant, because the buffer is char: in a UNICODE build plain GetUserName
   expects wchar_t and sizeof() would count bytes, not TCHARs */
if(GetUserNameA(lpszUsername, &amp;dUsername)){
    printf("Username: %s\n", lpszUsername);
}</pre></blockquote>
<p>And now it&#8217;s time to look on MSDN for the next function that&#8217;s called &#8216;GetComputerName&#8217;.</p>
<blockquote><p><strong>GetComputerName</strong></p>
<pre>BOOL WINAPI GetComputerName(
    __out    LPTSTR lpBuffer,
    __inout  LPDWORD lpnSize
);</pre></blockquote>
<blockquote><p><strong>lpBuffer [out]</strong><br />
A pointer to a buffer that receives the computer name or the cluster virtual server name. The buffer size should be large enough to contain MAX_COMPUTERNAME_LENGTH + 1 characters.</p>
<p><strong>lpnSize [in, out]</strong><br />
On input, specifies the size of the buffer, in TCHARs. On output, the number of TCHARs copied to the destination buffer, not including the terminating null character. If the buffer is too small, the function fails and GetLastError returns ERROR_BUFFER_OVERFLOW. The lpnSize parameter specifies the size of the buffer required, including the terminating null character.</p></blockquote>
<p>The parameters are pretty much the same, so let&#8217;s do a quick summary again.<br />
<strong>lpBuffer</strong> &#8211; The buffer where the computer-name will be stored.<br />
<strong>lpnSize</strong> &#8211; On input, the size of that buffer in TCHARs; on output, the number of TCHARs copied, this time not counting the terminating null. If the buffer is too small the call fails with ERROR_BUFFER_OVERFLOW (not ERROR_INSUFFICIENT_BUFFER as for GetUserName) and lpnSize holds the size you need.</p>
<p>And now the example for GetComputerName:</p>
<blockquote><p><strong>Example:</strong></p>
<pre>#include &lt;windows.h&gt;  /* MAX_COMPUTERNAME_LENGTH */
#include &lt;stdio.h&gt;

char lpszComputer[MAX_COMPUTERNAME_LENGTH + 1];  /* longest NetBIOS name plus the NUL */
DWORD dComputer = sizeof(lpszComputer);          /* in: buffer size, out: chars copied excl. NUL */

/* ANSI variant, because the buffer is char (sizeof counts bytes, not TCHARs) */
if(GetComputerNameA(lpszComputer, &amp;dComputer)){
    printf("Computername: %s\n", lpszComputer);
}</pre></blockquote>
<p>As I said, it&#8217;s an old snippet I found and I can see that it can be improved. But I leave that up to you!</p>
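<p>As an added example (not code from the original post), here is the same pair of calls done the way the MSDN text above actually asks for: query the required size first, allocate exactly that, and honour the fact that GetUserName reports the copied count with the terminating null while GetComputerName reports it without. On Windows it calls the wide-character variants GetUserNameW and GetComputerNameW; on any other platform a constructed stand-in defined inside the block models only their documented in/out behaviour and returns made-up names, so the wrapper can be compiled and run offline. The names QueryName, SmallBufferReportsRequiredSize and UserAtHost are this example&#8217;s own.</p>

```cpp
// Added example (not from the original post): a buffer-size-safe wrapper around
// GetUserNameW / GetComputerNameW that follows the MSDN contract quoted above.
// On Windows the real Win32 functions are called. On other platforms the
// constructed stand-in below models only their documented in/out behaviour so
// the same wrapper compiles and runs offline; the names it returns are fake.
#include <cstdio>
#include <cwchar>
#include <string>

#ifdef _WIN32
#  include <windows.h>
#else
// ---- constructed stand-in for the two Win32 calls (not real Win32) ----
#  define WINAPI
typedef int BOOL;
typedef unsigned long DWORD;
typedef wchar_t *LPWSTR;
typedef DWORD *LPDWORD;
static const DWORD ERROR_INSUFFICIENT_BUFFER = 122;
static const DWORD ERROR_BUFFER_OVERFLOW = 111;
static DWORD g_lastError = 0;
static DWORD GetLastError() { return g_lastError; }
static const wchar_t kFakeUser[] = L"alice";          // constructed sample
static const wchar_t kFakeHost[] = L"WORKSTATION01";  // constructed sample

// Models GetUserNameW: on failure *lpnSize = required size incl. NUL and
// ERROR_INSUFFICIENT_BUFFER; on success *lpnSize = chars copied incl. NUL.
static BOOL GetUserNameW(LPWSTR buf, LPDWORD lpnSize) {
    const DWORD needed = (DWORD)(std::wcslen(kFakeUser) + 1);
    if (*lpnSize < needed) {
        *lpnSize = needed; g_lastError = ERROR_INSUFFICIENT_BUFFER; return 0;
    }
    std::wcscpy(buf, kFakeUser); *lpnSize = needed; return 1;
}
// Models GetComputerNameW: on failure *lpnSize = required size incl. NUL and
// ERROR_BUFFER_OVERFLOW; on success *lpnSize = chars copied EXCLUDING NUL.
static BOOL GetComputerNameW(LPWSTR buf, LPDWORD lpnSize) {
    const DWORD needed = (DWORD)(std::wcslen(kFakeHost) + 1);
    if (*lpnSize < needed) {
        *lpnSize = needed; g_lastError = ERROR_BUFFER_OVERFLOW; return 0;
    }
    std::wcscpy(buf, kFakeHost); *lpnSize = needed - 1; return 1;
}
#endif

typedef BOOL (WINAPI *NameFn)(LPWSTR, LPDWORD);

// Two-pass query: ask with a zero-sized buffer to learn the required size
// (including the terminating NUL), allocate exactly that, then call again.
// countIncludesNul reflects the documented difference between the two APIs:
// GetUserName reports the copied count including the NUL, GetComputerName
// without it. Returns the name without NUL, or an empty string on failure.
static std::wstring QueryName(NameFn fn, bool countIncludesNul) {
    DWORD size = 0;
    if (fn(nullptr, &size)) return L"";   // a zero-sized buffer can never succeed
    const DWORD err = GetLastError();
    if (err != ERROR_INSUFFICIENT_BUFFER && err != ERROR_BUFFER_OVERFLOW) return L"";
    std::wstring buf(size, L'\0');        // size already includes the NUL
    if (!fn(&buf[0], &size)) return L"";
    buf.resize(countIncludesNul ? size - 1 : size);
    return buf;
}

// The failure mode the fixed buffers above silently rely on never happening:
// a 1-char buffer fails and lpnSize comes back holding the size that is needed.
static bool SmallBufferReportsRequiredSize() {
    wchar_t tiny[1];
    DWORD size = 1;
    if (GetUserNameW(tiny, &size)) return false;
    return GetLastError() == ERROR_INSUFFICIENT_BUFFER && size > 1;
}

static std::wstring UserAtHost() {
    return QueryName(GetUserNameW, true) + L"@" + QueryName(GetComputerNameW, false);
}

int main() {
    std::wprintf(L"%ls\n", UserAtHost().c_str());
    return 0;
}
```

<p>On Windows this builds with any C++11 compiler and links against advapi32 (where GetUserNameW lives; MSVC links it by default). Elsewhere the same file builds with g++ and exercises the wrapper against the stand-in, which is enough to check the retry path and the off-by-one between the two size conventions.</p>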
]]></content:encoded>
			<wfw:commentRss>http://skilinium.com/blog/?feed=rss2&#038;p=644</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>

<!-- Dynamic page generated in 0.370 seconds. -->
<!-- Cached page generated by WP-Super-Cache on 2012-05-20 12:01:25 -->

