Posts Tagged ‘windows’

Microsoft provides a client-side remote server toolset that finally hits the mark!

With the release of Windows 7, Microsoft has shipped its latest Remote Server Administration Tools for Windows 7 and, for the first time, I can imagine turning to Microsoft for remote management instead of all my favorite third-party tools.

Seriously — since I began my IT career I have been in search of tools to manage admin tasks more efficiently. Whenever I needed to manage my Windows servers or to handle administration tasks from my desktop, I have traditionally looked to third-party tools like Hyena, NETIQ, DGard Network Manager, and SPICEWORKS. Of course, Microsoft has provided admin packs to install on the desktop but they were quite lacking and often only handled a few of the administrative tasks.

When I found myself in situations where spending money or implementing open source just did not fit the plan, remote desktop connections always saved the day. And Remote Server Administration Tools for Windows 7 is looking pretty good. It allows you to manage Windows Server 2008 R2 roles and features (it also lets you manage Server Core installations remotely). The toolset provides some support for Windows Server 2008 (pre-R2) and Windows Server 2003 (it will not support a core installation of Server 2003).
Some of the management tools include:

Active Directory (all the AD management tools are included)
DHCP Manager
DNS Manager

But it goes a bit further, offering access to:
Server Manager
File Services Managements
AD certificate services
and even
Hyper-V Management

I have to say, for the first time ever, I am pretty impressed with the number of tasks that can be taken care of with the remote administrative tools pack as well as the speed at which they launched and ran (even when I had multiple tools running at once). You will need to have Windows 7 Enterprise, Professional, or Ultimate editions to install the remote server administrative tools. But if you are running in a network you need one of these versions anyway.

Not to be overlooked is the fact that the tool is free and you do not need to run in a remote session to manage your servers. Check out the Remote Server Administration Tools for Windows 7, I don’t think you’ll be disappointed!

http://www.networkworld.com/community/node/48745

Windows® 7 Launch Party is underway…

...and soon hosts will be among the first to see, use, and share Windows® 7 with their guests. Each host will be receiving a free party pack that includes a special Signature Edition of Windows® 7 Ultimate.

Right now they are setting up their parties after choosing from four party themes — PhotoPalooza, Media Mania, Setting Up With Ease, and Family Friendly Fun. Each one is an exploration of the easy and exciting new ways to have fun and get things done with your PC.

Windows® 7 is designed to make your PC simpler and the things you do every day easier. Now lucky hosts and guests are about to see it before anyone else. And become a part of Windows® 7 history.

http://www.houseparty.com/windows7

Having learned that the password details of some Windows Live Hotmail users had been obtained illegally through the fraud method known as "phishing" and had been published on a website, Microsoft took action, demanded the immediate removal of the password information from the website and launched an investigation. The investigation established that no security breach had occurred on Microsoft's servers. Access to the accounts whose password details were exposed is currently being blocked. Users are being provided with the tools needed to regain secure access to their own accounts.
Phishing, which aims to deceive users and obtain their passwords by preparing fake copies of websites, is unfortunately a widely used method today. Microsoft is committed to ensuring that its users enjoy a safe and rich online experience and takes all necessary measures to that end. Users must be extremely careful when opening attachments or links they did not request, and must update their antivirus software regularly.

Microsoft recommends the following to its users:

• Passwords and Windows Live user names should be renewed every 90 days.
• System administrators should approve the login only of users they know and whose identity details they trust.
• Because "phishing" sites can cause other problems as well, antivirus software should always be kept up to date.

Respectfully,
Microsoft Türkiye

http://www.microsoft.com/turkiye/haberler/hotmail.mspx

Wireshark is the world’s foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Wireshark has a rich feature set which includes the following:

  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text

Download

 Windows Installer (32-bit)

 Windows Installer (64-bit)

 Windows U3 (32-bit)

 Windows PortableApps (32-bit)

 OS X 10.5 (Leopard) Intel .dmg

 OS X 10.5 (Leopard) PPC .dmg

 Source Code

The 64-bit Windows installer requires the Microsoft Visual C++ 2008 SP1 Redistributable Package (x64) in order to run.

http://www.wireshark.org/

DLL injection in Windows Vista/2008 64-bit can be done with the same technique used in DLL Injection Windows Vista. The only difference is the target platform for which we compile our executable. In order to inject a library into the address space of a 64-bit process you need to compile a 64-bit version of your library (DLL). The source code along with a pre-compiled executable and library are provided.

The injector used in this article must be executed from a command line. It takes one (1) or two (2) arguments. The first argument is the pathname of your library, which must be quoted if it contains spaces, and the second is the process ID (PID) of the target program. If no PID is entered, the program injects the DLL into its own address space. ASLR does not affect the usability of the program. For more information follow the link to the DLL Injection Windows Vista article above.

Below is an example of a DLL injected into a process:

Download Source code and executable

This article provides insight into how to inject a dynamic library (DLL) into a 32-bit process in Windows Vista using remote threads, taking Address Space Layout Randomization (ASLR) into account. The sample code is written in assembly language (MASM32) using the WinAsm IDE. It should give you a better understanding of how dynamic libraries can be injected.

The concept of loading a library inside a process is simple. A programmer can load one dynamically by using the LoadLibrary function from the Windows API, for example:

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    HMODULE hlib;                          /* LoadLibraryA returns an HMODULE */
    char *lib = "E:\\mylib.dll";           /* path of the library to load */
    printf("Loading library: %s\n", lib);
    hlib = LoadLibraryA(lib);              /* NULL on failure; see GetLastError */
    printf("Handle: %p\n", (void *)hlib);  /* %p prints the full pointer, also on 64-bit */
    system("PAUSE");
    return 0;
}

Therefore we can use the CreateRemoteThread function to create a thread in the target process that executes LoadLibraryA with the library's path as its argument.

CreateRemoteThread

HANDLE WINAPI CreateRemoteThread(
__in HANDLE hProcess,
__in LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in SIZE_T dwStackSize,
__in LPTHREAD_START_ROUTINE lpStartAddress,
__in LPVOID lpParameter,
__in DWORD dwCreationFlags,
__out LPDWORD lpThreadId
);

hProcess

The handle to the remote process into which we intend to inject our library.

lpStartAddress

This is the address of the function at which our thread will start executing. In our case this should equal the address of LoadLibraryA in the remote process's address space.

lpParameter

This is the address of the parameter (the library pathname) we pass as the argument to LoadLibraryA. Note that this too must be in the address space of the remote process.

The main issues we have to take into consideration are:

* The address of LoadLibraryA is not constant (not since Microsoft implemented Address Space Layout Randomization, or ASLR)
* Our library's pathname string does not exist in the remote process's address space

Address of LoadLibraryA

LoadLibraryA resides within kernel32.dll, which is an essential library for every process that runs on our operating system. After each restart there is a probability that the base address of the kernel32 library changes due to ASLR. Fortunately the address of LoadLibraryA in our process is the same as the one in the remote process. Therefore we use GetProcAddress in combination with GetModuleHandle. The example code below does exactly this:

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    HMODULE kernel32;
    FARPROC proc;
    char *procname = "LoadLibraryA";
    char *modulename = "Kernel32";
    kernel32 = GetModuleHandleA(modulename);     /* base of kernel32 in this process */
    printf("hModule: %p\n", (void *)kernel32);
    proc = GetProcAddress(kernel32, procname);   /* same address in the remote process */
    printf("hProc: %p\n", (void *)proc);
    system("PAUSE");
    return 0;
}

Getting the pathname inside the remote process’s address space

To do this we need to allocate space in the remote process's address space using the VirtualAllocEx function and then write our pathname into it using the WriteProcessMemory function. You can look these two functions up on MSDN using the links below:

VirtualAllocEx
WriteProcessMemory

Another "hack" you are able to use is to name your library after a string inside the executable file and then copy it into the executable's folder or any other folder defined by the PATH environment variable. In the example program's hex dump below you could use ernel32.dll (at 00402229), nel32.dll (at 0040222A), 32.dll (at 0040222D) or even NameA (at 00402243) as your library's filename.

004020F0 ø .......Dialog
00402100 BoxParamA.´.EndD
00402110 ialog.ü.GetDlgIt
00402120 emTextA.±Messag
00402130 eBoxA.SetDlgIt
00402140 emTextA.user32.d
00402150 ll..R.CreateRemo
00402160 teThread..›.Exit
00402170 Process.Ì.Format
00402180 MessageA..GetC
00402190 urrentProcessId.
004021A0 (GetLastError..
004021B0 4GetModuleHandl
004021C0 eA..SGetProcAdd
004021D0 ress..OpenProc
004021E0 ess.\RtlZeroMem
004021F0 ory.ÞVirtualAll
00402200 ocEx..WritePro
00402210 cessMemory..ls
00402220 trlenA..kernel32
00402230 .dll....GetOpenF
00402240 ileNameA..comdlg
00402250 32.dll..........


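From the defender's side, the sequence above (a thread created in another process that starts at LoadLibraryA) and the suffix-named library trick both leave recognisable traces. The following is an added example, not the article's code: it runs simple detection logic over constructed Sysmon-style CreateRemoteThread (Event ID 8) records, and the flattened one-line record layout is an assumption made for this demo.

```python
"""Detection for the CreateRemoteThread -> LoadLibraryA pattern described above.
Added example, not the article's code.  Assumes Sysmon-style Event ID 8 records
flattened to one 'Field: Value|Field: Value' line each (a demo layout, not a
real Sysmon export format)."""

# Thread start functions that mean "load a library into the target process".
LOADLIB_FUNCS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Well-known DLL names whose tails could be reused as a filename (the
# "ernel32.dll" / "nel32.dll" trick shown with the hex dump above).
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll", "comdlg32.dll"}

# Constructed sample records, not captured from a real host.
SAMPLE_EVENTS = """
SourceImage: C:\\Tools\\injector.exe|SourceProcessId: 1234|TargetImage: C:\\Windows\\notepad.exe|TargetProcessId: 5678|StartModule: C:\\Windows\\System32\\kernel32.dll|StartFunction: LoadLibraryA
SourceImage: C:\\Windows\\System32\\csrss.exe|SourceProcessId: 600|TargetImage: C:\\Windows\\explorer.exe|TargetProcessId: 2000|StartModule: C:\\Windows\\System32\\ntdll.dll|StartFunction: RtlUserThreadStart
SourceImage: C:\\Tools\\injector.exe|SourceProcessId: 1234|TargetImage: C:\\Tools\\injector.exe|TargetProcessId: 1234|StartModule: C:\\Windows\\System32\\kernel32.dll|StartFunction: LoadLibraryA
"""

def parse_event(line):
    """Turn 'Field: Value|Field: Value' into a dict keyed by Sysmon field name."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")   # split at the first ':' only (paths contain ':')
        fields[key.strip()] = value.strip()
    return fields

def is_loadlibrary_injection(ev):
    """True when a different process started a thread at LoadLibrary* in the target.
    The injector's no-PID mode loads into its own process and is not cross-process."""
    cross_process = ev.get("SourceProcessId") != ev.get("TargetProcessId")
    return cross_process and ev.get("StartFunction") in LOADLIB_FUNCS

def is_suffix_spoof(filename):
    """True for names like 'ernel32.dll' that are a strict tail of a known DLL name."""
    name = filename.lower()
    return any(k != name and k.endswith(name) for k in KNOWN_DLLS)

def find_injections(text):
    """Return (source image, target image, start function) for each flagged record."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_loadlibrary_injection(ev):
            hits.append((ev["SourceImage"], ev["TargetImage"], ev["StartFunction"]))
    return hits
```

Only the first sample record is flagged: the second starts at a normal thread entry point and the third is the injector loading into itself.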
Download Source code and executable