Every WindowsNT box has a NSA trojan called _Total.exe which is loaded by kernel itself, it can override any user functions and start spying on command.
No such thing. Come with some proof next time you want to try to troll someone with your conspiracy theories. The NT kernel is quite an open piece of code and there's not many secrets about it. You can load trojans in many ways in an NT system, but none are really installed by default. If you really want to know about a govt "trojan" in MS products, then that would be the fact that newer security features such as enforcement of signed device drivers and applications (UAC bypass) are bypassable by such agencies as MS includes various peculiar certificates in their system, however almost anyone with a few thousand dollars can get signed drivers and applications and easily add vulnerabilities in them which could then be exploited to do the same.
Name: Anonymous 2009-02-03 11:08
Every Windows library has some nops at the beginning of the functions so the NSA can redirect them somewhere else.
Name: Anonymous 2009-02-03 11:12
The NSA doesn't need such things since all of their agents are [spoiler][b][u]Microsoft Certified Systems Engineer: Security[/u][/b][/spoiler].
which takes 5 bytes, or just enough for a longjmp.
This is used because MS wants to be able to hook exported functions live when they deliver updates to system libraries.
In the case the first 5 bytes contained non-relocatable code or jumps/calls, it would be a bit trickier to hook (but still possible).
This makes everyone who likes hooking system library functions happy and it provides MS with a reliable update mechanism for production systems where you can't afford to reboot after an update.
Name: Anonymous 2009-02-03 11:14
open source software was invented by Korea, and programmed completely by Koreans
Name: Anonymous 2009-02-03 11:41
>>1
C:\Documents and Settings\Administrator>ps -A|head -n 3
PID TTY TIME COMMAND
0 - 1d06 Idle
0 - 1d06 _Total
OMIGAWD, it's tr00!
Name: Anonymous 2009-02-03 11:52
>>5
Actually it's
nop
nop
nop
nop
nop
function:
mov edi, edi
which is 5 bytes for a long jump and a 2-byte nop that can be atomically replaced with a short jump to the long jump. (Consider what would happen if another thread was at `push ebp' while you patch your jump in)
Name: Anonymous 2009-02-03 12:01
>>8
Those nops are not reliably there, they're just compiler generated alignment for modules built in Release mode. If the executable were built in Debug mode, then you'd have int3's there (or 0xCC filler) as alignment.
Your point about patching the 2 byte mov edi,edi instruction as a short jump is valid, but in practice, most third party hook libs just patch the mov edi,edi/push ebp/mov ebp,esp (and create a trampoline). There are a lot of ways to ensure that the EIP is not on the push ebp/mov ebp,esp instruction such as cleverly using page protection + exception handler or just pausing all threads and checking their context.
Name: Anonymous 2009-02-03 12:07
The Sussman was killed by the NSA in 1987 and was resurrected as a cyborg warrior programmed to discourage /prog/ from finding out about the NSA.
Name: Anonymous 2009-02-03 12:12
Now that you've read this the spirit of computer science will come to your bed tonight and hax your anus unless you repost this to five threads.
Name: Anonymous 2009-02-03 12:14
Nobody actually understands C++.
Name: Anonymous 2009-02-03 13:06
Why are you faggots talking about WinBLOWS [spoiler]/prog/[/spoiler] is a GNU/Linux community
Name: Anonymous 2009-02-03 13:14
>>9
The nops are reliably placed there by /FUNCTIONPADMIN, which is implied by /HOTPATCH (http://msdn.microsoft.com/en-us/library/ms173507.aspx). I don't care if third party crap does it wrong or if you want to break atomicity with shitty workarounds.
Name: Anonymous 2009-02-03 13:21
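The prologue layout from >>8 and the /HOTPATCH post above, turned into an integrity check: an added example written for this thread (not code from any poster), which classifies a function prologue as untouched, hotpatched the atomic two-byte way (short jmp back into the five-NOP pad, long jmp in the pad), or overwritten by a five-byte long jmp across mov edi,edi/push ebp/mov ebp,esp. The 64-byte fake module, the entry offset and the detour offset are constructed sample values.

```python
import struct

PAD_LEN = 5                 # /FUNCTIONPADMIN:5 padding before the entry
MOV_EDI_EDI = b"\x8b\xff"   # 2-byte no-op at a hotpatchable entry
JMP_REL32, JMP_REL8 = 0xE9, 0xEB

def decode_jmp(buf, off):
    """Buffer-relative target of an E9/EB jmp at off, or None if not a jmp."""
    if buf[off] == JMP_REL32:
        return off + 5 + struct.unpack_from("<i", buf, off + 1)[0]
    if buf[off] == JMP_REL8:
        return off + 2 + struct.unpack_from("<b", buf, off + 1)[0]
    return None

def classify_prologue(buf, entry):
    """Classify the bytes around a hotpatchable function entry.
    clean       - nop*5 then mov edi,edi, nothing patched
    hotpatched  - 2-byte short jmp back into the pad, pad holds a long jmp
                  (the atomic patch the thread describes)
    overwritten - first bytes of the function body replaced by a long jmp
                  (the mov edi,edi/push ebp/mov ebp,esp style)
    Returns (state, jump_target_or_None)."""
    pad_start = entry - PAD_LEN
    if buf[pad_start:entry] == b"\x90" * PAD_LEN and buf[entry:entry + 2] == MOV_EDI_EDI:
        return ("clean", None)
    if buf[entry] == JMP_REL8 and decode_jmp(buf, entry) == pad_start \
            and buf[pad_start] == JMP_REL32:
        return ("hotpatched", decode_jmp(buf, pad_start))
    if buf[entry] == JMP_REL32:
        return ("overwritten", decode_jmp(buf, entry))
    return ("unknown", None)

ENTRY, DETOUR = 16, 48   # constructed offsets inside a 64-byte fake module

def make_sample(kind):
    """Constructed prologue bytes: 'clean', 'hotpatched' or 'overwritten'."""
    buf = bytearray(64)
    buf[ENTRY - PAD_LEN:ENTRY] = b"\x90" * PAD_LEN
    buf[ENTRY:ENTRY + 6] = b"\x8b\xff\x55\x8b\xec\xc3"  # mov edi,edi; push ebp; mov ebp,esp; ret
    if kind == "hotpatched":
        # long jmp written into the pad first, then the 2-byte short jmp (EB F9 = -7) at entry
        struct.pack_into("<Bi", buf, ENTRY - PAD_LEN, JMP_REL32, DETOUR - ENTRY)
        buf[ENTRY:ENTRY + 2] = bytes([JMP_REL8, 0xF9])
    elif kind == "overwritten":
        struct.pack_into("<Bi", buf, ENTRY, JMP_REL32, DETOUR - (ENTRY + 5))
    return bytes(buf)

if __name__ == "__main__":
    for kind in ("clean", "hotpatched", "overwritten"):
        print(kind, classify_prologue(make_sample(kind), ENTRY))
```

Run over a real module the same check would compare the decoded target against the module's own image range; anything landing outside it is the line a hook inventory wants flagged.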
Every Linux box has a GNU trojan called COPYING which is enforced by kernel itself, it can override any freedom and start spreading virally.
>>5
In fact, that works pretty well for bypassing hack protection in MMOs too. Just write a dll that has those 5 bytes and a jump to the original function +5 and voila, Mr. Hackprotection won't recognize your API-call anymore.
>>26
The better anti hack protections usually have both usermode and kernelmode hooks nowadays (but they're having trouble doing this for Vista since fighting PatchGuard would mean risking BSoDing clients' PCs each time MS updates it), and in the case loads the modules directly or bypasses protection's own hooks, then the kernel mode hooks won't get signaled that that API was just called and will BSoD the system. I've seen at least one such "hacking protection".