Bugtraq стр. 2 ftp.<country-code>.proftpd.org (example: ftp.nl.proftpd.org). Not all countries have mirrors; however, you should select one that is geographically close to you. The MD5 sums for the source tarballs are: ca6bbef30253a8af0661fdc618677e5c proftpd-1.2.7p.tar.bz2 677adebba98488fb6c232f7de898b58a proftpd-1.2.7p.tar.gz 417e41092610816bd203c3766e96f23b proftpd-1.2.8p.tar.bz2 abf8409bbd9150494bc1847ace06857a proftpd-1.2.8p.tar.gz b89c44467f85eea41f8b1df17f8a0faa proftpd-1.2.9rc1p.tar.bz2 14ab9868666d68101ed942717a1632d1 proftpd-1.2.9rc1p.tar.gz 27e3f62a5615999adbbebcefa92b4510 proftpd-1.2.9rc2p.tar.bz2 9ce26b461b2fa3d986c9822b85c94e5f proftpd-1.2.9rc2p.tar.gz NetBSD-current: 25 августа, 2003 NetBSD-1.6 branch: 28 августа, 2003 NetBSD-1.5 branch: 28 августа, 2003 Использование LVM Сергей Яремчук # parted /dev/hda mkpartfs primary linux-swap 0 256 && parted /dev/hda mkpartfs primary ext2 256 ### # find /home ( -atime +365 -o -name '*.avi') -exec rm {}\; # find /home -size 200 > trash ; cat trash | less /dev/hda1 swap swap defaults,pri=1 0 0 /dev/hdc1 swap swap defaults,pri=1 0 0 /dev/hda1 /boot ext2 noauto 1 2 # # Multi-device support (RAID and LVM) # CONFIG_MD=y # CONFIG_BLK_DEV_MD is not set # CONFIG_MD_LINEAR is not set # CONFIG_MD_RAID0 is not set # CONFIG_MD_RAID1 is not set # CONFIG_MD_RAID5 is not set # CONFIG_MD_MULTIPATH is not set CONFIG_BLK_DEV_LVM=y # /sbin/fdisk /dev/hdc Command (m for help): p Disk /dev/hdc: 3243 MB, 3243663360 bytes 128 heads, 63 sectors/track, 785 cylinders Units = cylinders of 8064 * 512 = 4128768 bytes Device Boot Start End Blocks Id System /dev/hdb1 1 20 168682+ 82 Linux swap /dev/hdb2 21 785 3165088+ b Win95 FAT32 Command (m for help): t Selected partition 2 Hex code (type L to list codes): 8e Changed system type of partition 2 to 8e (Linux LVM) Command (m for help): p Disk /dev/hdc: 3243 MB, 3243663360 bytes 128 heads, 63 sectors/track, 785 cylinders Units = cylinders of 8064 * 512 = 4128768 bytes Device Boot Start End Blocks Id System 
/dev/hdb1 1 20 168682+ 82 Linux swap /dev/hdb2 21 785 3165088+ 8e Linux LVM Command (m for help): w The partition table has been altered! Calling ioctl() to re-read partition table. WARNING: If you have created or modified any DOS 6.x partitions, please see the fdisk manual page for additional information. Syncing disks. # /sbin/pvcreate /dev/hda4 pvcreate -- physical volume "/dev/hda4" successfully created # /sbin/pvcreate /dev/hdb2 pvcreate -- physical volume "/dev/hdb2" successfully created # /sbin/vgscan vgscan -- reading all physical volumes (this may take a while...) vgscan -- "/etc/lvmtab" and "/etc/lvmtab.d" successfully created vgscan -- WARNING: This program does not do a VGDA backup of your volume group # /sbin/pvscan pvscan -- reading all physical volumes (this may take a while...) pvscan -- inactive PV "/dev/hda4" is in no VG [1.27 GB] pvscan -- inactive PV "/dev/hdb2" is in no VG [3.02 GB] pvscan -- total: 2 [4.29 GB] / in use: 0 [0] / in no VG: 2 [4.29 GB] # /sbin/vgcreate -s 32 test /dev/hda4 /dev/hdb2 vgcreate -- INFO: maximum logical volume size is 2 Terabyte vgcreate -- doing automatic backup of volume group "test" vgcreate -- volume group "my" successfully created and activated # /sbin/pvscan pvscan -- reading all physical volumes (this may take a while...) 
pvscan -- ACTIVE PV "/dev/hda4" of VG "test" [1.22 GB / 1.22 GB free] pvscan -- ACTIVE PV "/dev/hdb2" of VG "test" [2.97 GB / 2.97 GB free] pvscan -- total: 2 [4.29 GB] / in use: 2 [4.29 GB] / in no VG: 0 [0] # /sbin/lvcreate -L 1G -n lvm_usr test && /sbin/lvcreate -L 1G -n lvm_home test lvcreate -- doing automatic backup of "test" lvcreate -- logical volume "/dev/test/lvm_usr" successfully created lvcreate -- doing automatic backup of "test" lvcreate -- logical volume "/dev/test/lvm_home" successfully created # lvcreate -n stripedlv -i 2 -I 64 mygroup -L 20M # /sbin/lvscan lvscan -- ACTIVE "/dev/test/lvm_usr" [1 GB] lvscan -- ACTIVE "/dev/test/lvm_home" [1 GB] lvscan -- 2 logical volumes with 2 GB total in 1 volume group lvscan -- 2 active logical volumes # /sbin/mkfs.reiserfs /dev/test/lvm_home И монтируем в выбранное место. # mkdir /home/test # mount -t reiserfs /dev/test/lvm_home /home/test # df /dev/hda3 4032124 2789108 1038188 73% / ... /dev/test/lvm_home 1048540 32840 1015700 4% /home/test /dev/test/lvm_home /home/test reiserfs defaults 0 0 /sbin/vgscan /sbin/vgchange -ay # LVM initialization if [ -f /etc/lvmtab -a ! -e /proc/lvm ] ; then modprobe lvm-mod >/dev/null 2>&1 fi if [ -e /proc/lvm -a -x /sbin/vgchange -a -f /etc/lvmtab ]; then action $"Setting up Logical Volume Management:" /sbin/vgscan && /sbin/vgchange -ay fi /sbin/vgchange -an # /sbin/lvextend -L +1G /dev/test/lvm_home lvextend -- extending logical volume "/dev/test/lvm_home" to 2 GB lvextend -- doing automatic backup of volume group "test" lvextend -- logical volume "/dev/test/lvm_home" successfully extended # /sbin/resize_reiserfs -f /dev/test/lvm_home # df dev/hda3 4032124 2789108 1038188 73% / ... 
/dev/test/lvm_home 2097084 32840 2064244 2% /home/test # umount /dev/test/lvm_home # resize_reiserfs -s -1.5G /dev/test/lvm_home # lvreduce -L -1G /dev/test/lvm_home # resize_reiserfs -f /dev/test/lvm_home # lvcreate -L592M -s -n home_backup /dev/test/lvm_home lvcreate -- WARNING: the snapshot must be disabled if it gets full lvcreate -- INFO: using default snapshot chunk size of 64 KB for "/dev/test/home_backup " lvcreate -- doing automatic backup of "test " lvcreate -- logical volume "/dev/test/home_backup" successfully created # mkdir /mnt/snapshots # mount /dev/test/home_backup /mnt/snapshots mount: block device /dev/ops/dbbackup is write-protected, mounting read-only # umount /dev/test/home_backup # lvremove /dev/test/home_backup Установка IMAP4-сервера на базе cyrus-imapd + sendmail Денис Шергин # tar zxvf ./cyrus-sasl-2.1.15.tar.gz # cd cyrus-sasl-2.1.15 # ./configure --disable-otp --disable-krb4 --disable-gssapi --without-pam # make # make install # ln -s /usr/local/lib/sasl2 /usr/lib/sasl2 # ldconfig # saslpasswd2 -c cyradmin # chown cyrus.mail /etc/sasldb2 # tar zxvf ./cyrus-imapd-2.1.15.tar.gz # cd cyrus-imapd-2.1.15 # ./configure # make # make install local6.debug /var/log/imapd.log auth.debug /var/log/auth.log # killall -1 syslogd # touch /etc/imapd.conf configdirectory: /var/imap partition-default: /var/spool/imap sievedir: /var/spool/sieve admins: cyradmin sasl_pwcheck_method: auxprop sasl_auxprop_plugin: sasldb sasl_mech_list: CRAM-MD5 PLAIN tls_cert_file: /var/imap/server.pem tls_key_file: /var/imap/server.pem # man imapd.conf # mkdir /var/imap # chmod 750 /var/imap # mkdir /var/spool/imap # chmod 750 /var/spool/imap # mkdir /var/spool/sieve # chmod 750 /var/spool/sieve # cd cyrus-imapd-2.1.15/tools # ./mkimap # chown -R cyrus.mail /var/imap # chown -R cyrus.mail /var/spool/imap # chown -R cyrus.mail /var/spool/sieve pop3 110/tcp imap 143/tcp imsp 406/tcp acap 674/tcp imaps 993/tcp pop3s 995/tcp kpop 1109/tcp sieve 2000/tcp lmtp 2003/tcp fud 
4201/udp # cp master/conf/normal.conf /etc/cyrus.conf # /usr/cyrus/bin/master & # openssl req -new -x509 -nodes -out /var/imap/server.pem -keyout /var/imap/server.pem -days 365 # chown cyrus.mail /var/imap/server.pem # cd /usr/share/sendmail/cf/cf # cp ./linux.smtp.mc ./current.mc define(`confLOCAL_MAILER', `cyrusv2')dnl MAILER(`cyrusv2')dnl M4=`sh $BUILDTOOLS/bin/find_m4.sh` M4=/usr/bin/m4 # ./Build current.cf # cp ./current.cf /etc/mail/sendmail.cf # /usr/local/bin/imtest -m cram-md5 -a cyradmin your.hostname.domain # cp -R /usr/local/lib/perl5 /usr/lib/ # saslpasswd2 -c dummyuser # cyradm --user cyradmin --server your.hostname.domain your.hostname> cm user.dummyuser your.hostname> sq user.dummyuser 20480 # telnet your.hostname.domain sieve require ["reject","fileinto"]; # не принимаем почту и высылаем сообщение об отказе: if address :is :all "From" "annoying@badnet.domain" { reject "Достали"; } # фильтруем по subject корпоративный список рассылки: if header :contains "Subject" "corporate mailing" { fileinto "INBOX.lists.corporate"; } # еще один список рассылки: if header :is "List-Id" ї ";" { fileinto "INBOX.lists.bugtraq"; } # а это вообще странные письма - адресованы не нам: if anyof ( not address :all :contains ["To", "Cc", "Bcc"] "myname@myaddress.domain" ) { fileinto "INBOX.bad"; } # sieveshell -u cyradmin your.hostname.domain > put test.script > activate test > quit # make slx # make slx EXTRASPECIALS="SSLINCLUDE=/usr/include/openssl SSLLIB=/usr/lib" # tar zxvf ./libmcrypt-2.5.7.tar.gz # cd libmcrypt-2.5.7 # ./configure # make # make install # ldconfig # ./configure --with-imap=/usr/local/imap-2002d --with-imap-ssl=/usr/include/openssl --with-apache=./../apache_1.3.28 --with-mcrypt=/usr/local --with-iconv # make # make install # ./configure --activate-module=src/modules/php4/libphp4.a # make # make install # ./apachectl start # lynx http://your.hostname.domain/ Настраиваем ASPLinux 7.3 server edition Александр Шибенко iptables -t nat –A POSTROUTING –s 
192.168.100.0/24 –d 0/0 –j SNAT --to-source 207.46.249.27 echo 1 > /proc/sys/net/ipv4/ip_forward service iptables save path = /var/spool/samba lp|hp:\ :sd=/var/spool/samba:\ :mx#0:\ :sh:\ path = /var/spool/samba lp|hp:\ :sd=/var/spool/samba/hp:\ :mx#0:\ :sh:\ service smb restart chkconfig --add smb chkconfig --level 345 smb on chkconfig --list smb service smb restart Как бороться с баннерами в ICQ? Дмитрий Репин tcpdump -li xl0 -w - src host НАШ_IP |strings GET /client/ate/ad-handler/ad_468/0,,93169~ acl ICQban urlpath_regex /client/ate/ad-handler http_access deny ICQban (/client/ate/ad-handler) dest icq { expressionlist icq/expressions redirect http://НАШ СЕРВЕР/squidGuard/noicq.html } pass ... !icq ... STOP DA BANNERS! =))) chown -R nobody /usr/local/squid/db/squidGuard killall -HUP squid Welcome to ICQ 2000a
Welcome to ICQ 2000a
SMTP AUTH in da Postfix + ... Андрей Мозговой --- /etc/my.cnf --- ... [mysqld] … skip-networking ... --- EOF /etc/my.cnf --- CREATE TABLE users ( uid int(11) NOT NULL auto_increment, gid int(11) NOT NULL default '12', alias varchar(255) NOT NULL default '', domain varchar(255) NOT NULL default '', active enum('1','0') NOT NULL default '1', maildir varchar(255) NOT NULL default '', password varchar(255) NOT NULL default '', password-crypt varchar(255) default NULL, owner varchar(255) NOT NULL default '', create_date datetime NOT NULL default '0000-00-00 00:00:00', change_date datetime NOT NULL default '0000-00-00 00:00:00', quota varchar(255) NOT NULL default 'NOQUOTA', comment text, PRIMARY KEY (uid), UNIQUE KEY alias (alias), FULLTEXT KEY comment (comment) ) TYPE=MyISAM COMMENT='Здесь хранится информация о почтовых бюджетах'; CREATE TABLE aliases ( id int(11) NOT NULL auto_increment, alias varchar(200) NOT NULL default '', rcpt varchar(200) NOT NULL default '', create_date datetime NOT NULL default '0000-00-00 00:00:00', change_date datetime NOT NULL default '0000-00-00 00:00:00', active enum('1','0') NOT NULL default '1', PRIMARY KEY (id), UNIQUE KEY alias (alias,rcpt) ) TYPE=MyISAM COMMENT='Здесь хранится информация о синонимах'; CREATE TABLE transport ( id int(11) NOT NULL auto_increment, domain varchar(128) NOT NULL default '', transport varchar(128) NOT NULL default '', create_date datetime NOT NULL default '0000-00-00 00:00:00', change_date datetime NOT NULL default '0000-00-00 00:00:00', active tinyint(4) NOT NULL default '1', gid int(11) NOT NULL default '12', PRIMARY KEY (domain), KEY id (id) ) TYPE=MyISAM COMMENT='Здесь храниться информация об обслуживаемых доменах'; --- ./configure --enable-login --with-mysql --with-openssl make make install --- * прочтите файл doc/install.html, чтоб сделать * все необходимые линки --- make tidy make -f Makefile.init makefiles \ 'CCARGS=-DHAS_MYSQL -I/usr/include/mysql -DUSE_SASL_AUTH -I/usr/include/sasl' \ 
'AUXLIBS=-L/usr/lib/mysql -lmysqlclient -lz -lm -L/usr/lib/sasl2 -lsasl2' make ... make install --- *уточните пути до библиотек в вашей системе --- /etc/postfix/main.cf --- relay_domains = $transport_maps transport_maps = mysql:/etc/postfix/transport.cf virtual_alias_domains = $virtual_alias_maps virtual_alias_maps = mysql:/etc/postfix/aliases.cf virtual_gid_maps = mysql:/etc/postfix/gids.cf virtual_mailbox_base = / virtual_mailbox_domains = $virtual_mailbox_maps virtual_mailbox_maps = mysql:/etc/postfix/users.cf virtual_transport = virtual virtual_uid_maps = mysql:/etc/postfix/uids.cf --- EOF /etc/postfix/main.cf --- --- /etc/postfix/users.cf --- user = postfix password = PASSWORD dbname = mail table = users select_field = maildir where_field = alias additional_conditions = and active = '1' hosts = unix:/var/run/mysql/mysql.sock --- EOF /etc/postfix/users.cf --- --- /etc/postfix/gids.cf --- user = postfix password = PASSWORD dbname = mail table = users select_field = gid where_field = alias additional_conditions = and active = '1' hosts = unix:/var/run/mysql/mysql.sock --- EOF /etc/postfix/gids.cf --- --- /etc/postfix/aliases.cf --- user = postfix password = PASSWORD dbname = mail table = aliases select_field = rcpt where_field = alias additional_conditions = and active = '1' hosts = unix:/var/run/mysql/mysql.sock --- EOF /etc/postfix/aliases.cf --- --- /etc/postfix/transport.cf --- user = postfix password = PASSWORD dbname = mail table = transport select_field = transport where_field = domain additional_conditions = and active = '1' hosts = unix:/var/run/mysql/mysql.sock --- EOF /etc/postfix/transport.cf --- --- /etc/postfix/uids.cf --- user = postfix password = PASSWORD dbname = mail table = users select_field = uid where_field = alias additional_conditions = and active = '1' hosts = unix:/var/run/mysql/mysql.sock --- EOF /etc/postfix/uids.cf --- --- /usr/lib/sasl2/smtpd.conf --- pwcheck_method: auxprop mysql_user: postfix mysql_passwd: PASSWORD mysql_hostnames: 
localhost mysql_database: mail mysql_statement: select password from users where alias = '%u@%r' --- EOF /usr/lib/sasl2/smtpd.conf --- Bugtraq стр. 29 Appendix A: patch for OpenSSH 3.6.1 and earlier
Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.18
diff -u -r1.16 -r1.18
--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
+++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
@@ -23,8 +23,11 @@
 void
 buffer_init(Buffer *buffer)
 {
- buffer->alloc = 4096;
- buffer->buf = xmalloc(buffer->alloc);
+ const u_int len = 4096;
+ buffer->alloc = 0;
+ buffer->buf = xmalloc(len);
+ buffer->alloc = len;
 buffer->offset = 0;
 buffer->end = 0;
 }
@@ -34,8 +37,10 @@
 void
 buffer_free(Buffer *buffer)
 {
- memset(buffer->buf, 0, buffer->alloc);
- xfree(buffer->buf);
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
+ xfree(buffer->buf);
+ }
 }
 /*
@@ -69,6 +74,7 @@
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+ u_int newlen;
 void *p;
 if (len > 0x100000)
@@ -98,11 +104,13 @@
 goto restart;
 }
 /* Increase the size of the buffer and retry. */
- buffer->alloc += len + 32768;
- if (buffer->alloc > 0xa00000)
+
+ newlen = buffer->alloc + len + 32768;
+ if (newlen > 0xa00000)
 fatal("buffer_append_space: alloc %u not supported",
- buffer->alloc);
- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+ newlen);
+ buffer->buf = xrealloc(buffer->buf, newlen);
+ buffer->alloc = newlen;
 goto restart;
 /* NOTREACHED */
 }
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- channels.c 29 Aug 2003 10:04:36 -0000 1.194
+++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
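Review bot: buffer_free still leaves buffer->alloc holding the released size after `xfree(buffer->buf)`, so the new `alloc > 0` guard only protects a Buffer that was never allocated; should buffer_free be reached a second time on the same object, the memset and free would run on a dangling pointer with a stale length. Clearing the field inside the guard, `buffer->alloc = 0;` placed before `xfree(buffer->buf);`, makes a repeated call a no-op and mirrors what buffer_init now does by zeroing alloc before its xmalloc. The same buffer_free hunk is repeated in Appendix B (buffer.c 1.17 to 1.18), where the same change applies.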
@@ -228,12 +228,13 @@
 if (found == -1) {
 /* There are no free slots. Take last+1 slot and expand the array. */
 found = channels_alloc;
- channels_alloc += 10;
 if (channels_alloc > 10000)
 fatal("channel_new: internal error: channels_alloc %d "
 "too big.", channels_alloc);
+ channels = xrealloc(channels,
+ (channels_alloc + 10) * sizeof(Channel *));
+ channels_alloc += 10;
 debug2("channel: expanding %d", channels_alloc);
- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
 for (i = found; i < channels_alloc; i++)
 channels[i] = NULL;
 }
=================================================================== Appendix B: patch for OpenSSH 3.7
Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- buffer.c 16 Sep 2003 03:03:47 -0000 1.17
+++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
@@ -23,8 +23,11 @@
 void
 buffer_init(Buffer *buffer)
 {
- buffer->alloc = 4096;
- buffer->buf = xmalloc(buffer->alloc);
+ const u_int len = 4096;
+ buffer->alloc = 0;
+ buffer->buf = xmalloc(len);
+ buffer->alloc = len;
 buffer->offset = 0;
 buffer->end = 0;
 }
@@ -34,8 +37,10 @@
 void
 buffer_free(Buffer *buffer)
 {
- memset(buffer->buf, 0, buffer->alloc);
- xfree(buffer->buf);
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
+ xfree(buffer->buf);
+ }
 }
 /*
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- channels.c 29 Aug 2003 10:04:36 -0000 1.194
+++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
@@ -228,12 +228,13 @@
 if (found == -1) {
 /* There are no free slots. Take last+1 slot and expand the array. */
 found = channels_alloc;
- channels_alloc += 10;
 if (channels_alloc > 10000)
 fatal("channel_new: internal error: channels_alloc %d "
 "too big.", channels_alloc);
+ channels = xrealloc(channels,
+ (channels_alloc + 10) * sizeof(Channel *));
+ channels_alloc += 10;
 debug2("channel: expanding %d", channels_alloc);
- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
 for (i = found; i < channels_alloc; i++)
 channels[i] = NULL;
 }
Свой собственный модуль Денис Колисниченко Листинг 1. Файл /etc/modules.conf (Linux Red Hat 7.3) alias sound-slot-0 i810_audio post-install sound-slot-0 /bin/aumix-minimal -f /etc/.aumixrc -L >/dev/null 2>&1 pre-remove sound-slot-0 /bin/aumix-minimal -f /etc/.aumixrc -S >/dev/null 2>&1 insmod <имя_файла_модуля> Module Size Used by Not tainted autofs 12164 0 (autoclean) (unused) nls_koi8-r 4576 2 (autoclean) nls_cp866 4576 2 (autoclean) vfat 12092 2 (autoclean) fat 37400 0 (autoclean) [vfat] usb-uhci 24484 0 (unused) usbcore 73152 1 [usb-uhci] rmmod имя_модуля modinfo usbcore filename: /lib/modules/2.4.18-3/kernel/drivers/usb/usbcore.o description: author: license: "GPL" Листинг 2. Каркас модуля ядра Linux (module.c) #define MODULE #define __KERNEL__ #include int init_module() { return 0; } void cleanup_module() { return 0; } Листинг 3. Шаблон модуля с переименованием стандартных функций (module2.c) #define MODULE #define __KERNEL__ #include // для модуля #include // module_init() и module_exit() int start() { return 0; } void stop() { return 0; } module_init(start); module_exit(stop); Листинг 4. Информация о модуле (module.c) #define MODULE #define __KERNEL__ #include MODULE_AUTHOR("Denis Kolisnichenko dhsilabs@mail.ru"); MODULE_DESCRIPTION("Linux kernel module"); int init_module() { return 0; } void cleanup_module() { return 0; } Листинг 5. 
Использование функции printk() #define MODULE #define __KERNEL__ #include #include // printk MODULE_AUTHOR("Denis Kolisnichenko dhsilabs@mail.ru"); MODULE_DESCRIPTION("Linux kernel module"); int init_module() { printk(“My module: Starting...\n”); return 0; } void cleanup_module() { printk(“My module: Stopping...\n”); return 0; } Листинг 6. Makefile нашего модуля (Makefile) CC=gcc PATH=/usr/include /usr/src/linux-2.4/include MODFLAGS:= -O3 -Wall –DLINUX –D__KERNEL__ -I$(PATH) module.o: module.c $(CC) $(MODFLAGS) -c module.c gcc –O3 -DMODULE -D__KERNEL__ -I/usr/include -c module.c insmod module.o extern int register_chrdev(unsigned int, const char *, struct file_operations *); Листинг 7. Драйвер устройства /dev/device (без структуры file_operations) #define MODULE #define __KERNEL__ #include #include #include #include // регистрация устройств #include // работа с портами ввода/вывода #include // резервирование прерывания // Имя нашего устройства #define DEV_NAME "device" // Порты ввода-вывода нашего устройства #define PORT_START 0x2000 #define PORT_QTY 10 // Память нашего устройства #define MEM_START 0x20000000 #define MEM_QTY 0x20 // Номер прерывания для нашего устройства #define IRQ_NUM 9 MODULE_AUTHOR("Denis Kolisnichenko dhsilabs@mail.ru"); MODULE_DESCRIPTION("Linux kernel module"); // Старший номер файла устройства static int Major; // Структура file_operations – пока пустая, но вскоре // мы ее напишем struct file_operations FO; // Обработчик прерывания void irq_handler(int irq, void *dev_id, struct pt_regs *regs) { return; } int init_module() { // Регистрируем устройство printk("My module: starting…\n"); Major = register_chrdev(0, DEV_NAME, &FO); if (Major < 0) { // Устройство не зарегистрировано printk("My module: registration failed\n"); return Major; } printk("My module: device registered, major number = %d\n",Major); // Резервирование портов ввода-вывода printk("My module: allocating io ports\n"); if (check_region(PORT_START, PORT_QTY)) { printk("My module: 
allocation io ports failed\n"); return -EBUSY; } request_region(PORT_START, PORT_QTY, DEV_NAME); printk ("My module: io ports allocated\n"); // Резервирование памяти if (check_mem_region(MEM_START, MEM_QTY)) { printk("My module: memory allocation failed\n"); release_region(PORT_START, PORT_QTY); return -EBUSY; } request_mem_region(MEM_START, MEM_QTY, DEV_NAME); printk ("My module: memory allocated\n"); // Резервирование прерывания if (request_irq(IRQ_NUM, irq_handler, 0, DEV_NAME, NULL)) { printk("My module: IRQ allocation failed\n"); release_mem_region(MEM_START, MEM_QTY); release_region(PORT_START, PORT_QTY); return -EBUSY; } printk ("My module: IRQ allocated\n"); return 0; } void cleanup_module() { // Освобождаем порты ввода-вывода release_region(PORT_START, PORT_QTY); printk("My module: release io ports\n"); // Освобождаем память release_mem_region(MEM_START, MEM_QTY); printk("My module: release memory\n"); // Освобождаем прерывание free_irq(IRQ_NUM,NULL); printk("My module: release irq\n"); // Отменяем регистрацию устройства if (unregister_chrdev(Major, DEV_NAME) < 0){ printk("My module: cannot to unregister device\n"); } printk("My module: device unregistered\n"); return; } My module: device registered, major number = 255 mknod device c 255 0 mknod device c 255 1 // Структура для хранения состояния устройства struct device_state { // 1 – устройство открыто, 0 - закрыто int dev_open; // Количество прочитанных байт из устройства ssize_t byte_read; // Количество записанных байт ssize_t byte_write; }; // Массив для хранения информации о состоянии устройств static struct device_state state[2]; Листинг 8. 
Функция открытия устройства static int device_open(struct inode *inode, struct file *fp) { struct device_state *dev_state; printk("My module: try to open device with minor number %d\n", MINOR(inode->i_rdev)); dev_state = &state[MINOR(inode->i_rdev)]; if(dev_state->dev_open) { printk("Devise is busy\n"); return -EBUSY; } dev_state->dev_open = 1; dev_state->byte_read = 0; dev_state->byte_write = 0; MOD_INC_USE_COUNT; return 0; } Листинг 9. Функция закрытия устройства static int device_close(struct inode *inode, struct file *fp) { struct device_state *dev_state; printk("My module: try to close device with minor number %d\n", MINOR(inode->i_rdev)); dev_state = &state[MINOR(inode->i_rdev)]; if(!dev_state->dev_open) { printk("Device is not open\n"); return 0; } dev_state->dev_open=0; MOD_DEC_USE_COUNT; return 0; } struct file_operations FO = { open: device_open, release: device_close }; Листинг 10. Модуль устройства device (module.c) #define MODULE #define __KERNEL__ #include #include #include #include // регистрация устройств #include // работа с портами ввода/вывода #include // резервирование прерывания // Имя нашего устройства #define DEV_NAME "device" // Порты ввода-вывода нашего устройства #define PORT_START 0x2000 #define PORT_QTY 10 // Память нашего устройства #define MEM_START 0x20000000 #define MEM_QTY 0x20 // Номер прерывания для нашего устройства #define IRQ_NUM 9 MODULE_AUTHOR("Denis Kolisnichenko dhsilabs@mail.ru"); MODULE_DESCRIPTION("Linux kernel module"); // Старший номер файла устройства static int Major; // Структура file_operations – пока пустая, но вскоре // мы ее напишем struct file_operations FO { open: device_open, release: device_close }; // Структура для хранения состояния устройства struct device_state { // 1 – устройство открыто, 0 - закрыто int dev_open; // Количество прочитанных байтов из устройства ssize_t byte_read; // Количество записанных байтов ssize_t byte_write; }; // Массив для хранения информации о состоянии устройств static struct 
device_state state[2]; // Обработчик прерывания void irq_handler(int irq, void *dev_id, struct pt_regs *regs) { return; } int init_module() { // Регистрируем устройство printk("My module: starting…\n"); Major = register_chrdev(0, DEV_NAME, &FO); if (Major < 0) { // Устройство не зарегистрировано printk("My module: registration failed\n"); return Major; } printk("My module: device registered, major number = %d\n",Major); // Резервирование портов ввода-вывода printk("My module: allocating io ports\n"); if (check_region(PORT_START, PORT_QTY)) { printk("My module: allocation io ports failed\n"); return -EBUSY; } request_region(PORT_START, PORT_QTY, DEV_NAME); printk ("My module: io ports allocated\n"); // Резервирование памяти if (check_mem_region(MEM_START, MEM_QTY)) { printk("My module: memory allocation failed\n"); release_region(PORT_START, PORT_QTY); return -EBUSY; } request_mem_region(MEM_START, MEM_QTY, DEV_NAME); printk ("My module: memory allocated\n"); // Резервирование прерывания if (request_irq(IRQ_NUM, irq_handler, 0, DEV_NAME, NULL)) { printk("My module: IRQ allocation failed\n"); release_mem_region(MEM_START, MEM_QTY); release_region(PORT_START, PORT_QTY); return -EBUSY; } printk ("My module: IRQ allocated\n"); return 0; } void cleanup_module() { // Освобождаем порты ввода-вывода release_region(PORT_START, PORT_QTY); printk("My module: release io ports\n"); // Освобождаем память release_mem_region(MEM_START, MEM_QTY); printk("My module: release memory\n"); // Освобождаем прерывание free_irq(IRQ_NUM,NULL); printk("My module: release irq\n"); // Отменяем регистрацию устройства if (unregister_chrdev(Major, DEV_NAME) < 0){ printk("My module: cannot to unregister device\n"); } printk("My module: device unregistered\n"); return; } static int device_open(struct inode *inode, struct file *fp) { struct device_state *dev_state; printk("My module: try to open device with minor number %d\n", MINOR(inode->i_rdev)); dev_state = &state[MINOR(inode->i_rdev)]; 
if(dev_state->dev_open) { printk("Devise is busy\n"); return -EBUSY; } dev_state->dev_open = 1; dev_state->byte_read = 0; dev_state->byte_write = 0; MOD_INC_USE_COUNT; return 0; } static int device_close(struct inode *inode, struct file *fp) { struct device_state *dev_state; printk("My module: try to close device with minor number %d\n", MINOR(inode->i_rdev)); dev_state = &state[MINOR(inode->i_rdev)]; if(!dev_state->dev_open) { printk("Device is not open\n"); return 0; } dev_state->dev_open=0; MOD_DEC_USE_COUNT; return 0; } Листинг 11. Фрагмент файла /usr/src/linux-2.4/include/linux/fs.h struct file_operations { struct module *owner; loff_t (*llseek) (struct file *, loff_t, int); ssize_t (*read) (struct file *, char *, size_t, loff_t *); ssize_t (*write) (struct file *, const char *, size_t, loff_t *); int (*readdir) (struct file *, void *, filldir_t); unsigned int (*poll) (struct file *, struct poll_table_struct *); int (*ioctl) (struct inode *, struct file *, unsigned int, unsigned long); int (*mmap) (struct file *, struct vm_area_struct *); int (*open) (struct inode *, struct file *); int (*flush) (struct file *); int (*release) (struct inode *, struct file *); int (*fsync) (struct file *, struct dentry *, int datasync); int (*fasync) (int, struct file *, int); int (*lock) (struct file *, int, struct file_lock *); ssize_t (*readv) (struct file *, const struct iovec *, unsigned long, loff_t *); ssize_t (*writev) (struct file *, const struct iovec *, unsigned long, loff_t *); ssize_t (*sendpage) (struct file *, struct page *, int, size_t, loff_t *, int); unsigned long (*get_unmapped_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long); }; struct file_operations FO = { open: device_open, release: device_close read: device_read, write: device_write }; Управление сетевыми принтерами домена Иван Коробко Список доступных сетевых принтеров SET rootDSE_ = GetObject("LDAP://RootDSE") domain_ = "LDAP://" + rootDSE_.Get("defaultNamingContext") 
SELECT поле_1, поле_2, …, поле_n FROM “LDAP://dc=домен_1,dc=домен_2…,domen_n” WHERE objectClass=’тип_объекта’ Set objConnection = CreateObject("ADODB.Connection") Set objCommand = CreateObject("ADODB.Command") objConnection.CommandTimeout = 120 objConnection.Provider = "ADsDSOObject" objConnection.Open "Active Directory Provider" Set objCommand.ActiveConnection = objConnection objCommand.CommandText = "SELECT printername, printsharename FROM '"&domain_&"' WHERE objectClass='printQueue'" objCommand.properties("Timeout")=30 objCommand.properties("Cache Results")=false Set st = objCommand.Execute st.Movefirst On Error Resume Next Do Until st.EOF printer_name=St.Fields("PrinterName").Value shares_enum="" shares=St.Fields("printsharename").Value for each share in shares shares_enum=shares_enum+share next Response.write printer_name & shares_enum & chr(13) st.MoveNext Loop Set pq = GetObject("WinNT://" & server_name & "/" & shares_enum) Set st=objconnection.execute("SELECT shortservername, printsharename, FROM '" & Domain_ & " ' WHERE objectClass='printQueue'" ) Do Until st.EOF shares_enum="" shares=St.Fields("printsharename").Value for each share in shares shares_enum=shares_enum & share next server_name=St.Fields("ShortServerNAme").Value Set pq = GetObject("WinNT://" & server_name & "/" & shares_enum) st.MoveNext Loop Set pq = GetObject("WinNT://" & server_name & "/" & shares_enum) pq.name Set pq = GetObject("WinNT://" & server_name & "/" & shares_enum) pq.purge Set pq = GetObject("WinNT://" & server_name & "/" & shares_enum) For Each printJob In pq.PrintJobs status_pre=printJob.status select case status_pre case "0" status_="Нормально" case "1" status_="Пауза" case "18" status_="Ошибка" end select number_docum=number_docum summary = summary & ”Номер докумета: ” & number_docum & chr(13) & chr(13) & ”Статус: ” & status_pre & chr(13) & ”Приоритет: ” & printJob.Description & chr(13) & ”Пользователь: ” & printJob.User & chr(13) & ”Всего стр. 
” & printJob.TotalPages & chr(13) & ”Размер, (Mb) ” & round(printJob.Size/1000000,2) & chr(13) & ”Статус: ” & status_pre & chr(13) & chr(13) Next Wscript.Echo summary On Error Resume Next Set pq = GetObject("WinNT://" & server_name & "/" & shares_enum) For Each printJob In pq.PrintJobs If (number_docum=2) then printJob.remove end if number_docum=number_docum Next H4 {font-size:11; font-family:Arial;} H5 {font-size:10; font-family:Arial;} H6 {font-size:9; font-family:Arial;} < META HTTP-EQUIV ="refresh" CONTENT=10 >
http://имя_страница.asp(htm)?П1=З1&П2=З2&...Пn=Зn http://printer_adsi.asp?Search_Text=HP set s_p_r= Request.QueryString(«Search_Text») <% %>

Название < INPUT TYPE="radio" VALUE="2" NAME="radGrp">Описание < INPUT TYPE ="radio" VALUE="3" NAME="radGrp">Размещение
http://printer_adsi.asp?Search_Text=hp&radGrp=1 default.htm Принтеры издательства ПРОСВЕЩЕНИЯ style.css H4 {font-size:12; font-family:Arial;} H5 {font-size:11; font-family:Arial;} H6 {font-size:10; font-family:Arial;} printer_adsi.asp <%@ Language=VBScript CODEPAGE=1251%> Выбор порядка упорядочивания админского софта

"Принтеры"



Название Описание Размещение
<% set rootDSE_ = GetObject("LDAP://RootDSE") domain_ = "LDAP://" + rootDSE_.Get("defaultNamingContext") Set objNameSpace = GetObject("WinNT:") Set objConnection = CreateObject("ADODB.Connection") Set objCommand = CreateObject("ADODB.Command") objConnection.CommandTimeout = 120 objConnection.Provider = "ADsDSOObject" objConnection.Open "Active Directory Provider" Set objCommand.ActiveConnection = objConnection objCommand.CommandText = "SELECT servername, printername, printsharename, location, description FROM '"&domain_&"' WHERE objectClass='printQueue'" objCommand.properties("Page size")=1000 objCommand.properties("Timeout")=30 objCommand.properties("Cache Results")=false Set st = objCommand.Execute st.Movefirst set radio_=Request.QueryString("radGrp") '- what is search - can 1 - fullname ,2 - location ,3 - description set s_p_r= Request.QueryString("Search_Text") summary="
" flag=0 i=0 on error resume next dim array_1(500) i=0 Do Until st.EOF printer_name=St.Fields("PrinterName").Value shares_enum="" shares=St.Fields("printsharename").Value for each share in shares shares_enum=shares_enum+share next server_name=St.Fields("servername").Value descrits_enum="" if vartype(St.Fields("description"))=8204 then descrits=St.Fields("description") for each des in descrits descrits_enum=descrits_enum+des next end if location_name=St.Fields("location").Value Set pq = GetObject("WinNT://" & server_name & "/" & shares_enum) status_printer=pq.status select case status_printer case "0" status_P="" case "1" status_P="" case "18" status_P="" end select select case radio_ case "1" summary_where_search= shares_enum & printer_name case "2" summary_where_search= descrits_enum case "3" summary_where_search= location_name end select if instr(Lcase(summary_where_search), Lcase(s_p_r)) then array_1(i)="" i=i+1 flag=1 end if st.MoveNext Loop up_array=ubound(array_1) for j=0 to up_array for i=0 to up_array if strcomp(array_1(i),array_1(i+1),0)=1 then temp=array_1(i) array_1(i)=array_1(i+1) array_1(i+1)=temp end if next next for i=0 to up_array summary=summary&array_1(i) next result_search=summary_header & "
Название принтера
" & status_P & "
" & printer_name & "
" & summary & "
" if flag=0 then result_search="
По запросу ничего не найдено!
" end if Response.write result_search %> view_printer.asp <%@language=VBScript %> <% set printer_name_to=Request.QueryString("Printer_to") set rootDSE_ = GetObject("LDAP://RootDSE") domain_ = "LDAP://" + rootDSE_.Get("defaultNamingContext") Set objConnection = CreateObject("ADODB.Connection") objConnection.Provider = "ADsDSOObject" objConnection.Open "ADSI" set st=objconnection.execute("SELECT shortservername, printername, printsharename, location, description, driverversion, drivername, portname, printlanguage, printcolor, printmaxresolutionsupported, printmemory, whencreated, whenchanged, servername, printpagesperminute FROM '" & Domain_ & " ' WHERE objectClass='printQueue'" ) Do Until st.EOF printer_name=St.Fields("PrinterName").Value if printer_name_to=printer_name then shares_enum="" shares=St.Fields("printsharename").Value for each share in shares shares_enum=shares_enum & share next descrits_enum="" if vartype(St.Fields("description"))=8204 then descrits=St.Fields("description") for each des in descrits descrits_enum=descrits_enum+des next end if location_name=St.Fields("location").Value driver_name=St.Fields("driverName").Value driver_version=St.Fields("driverVersion").Value if vartype(St.Fields("portName"))=8204 then ports=St.Fields("portName") for each port in ports port_name=port_name+port next end if support_color=St.Fields("printColor").Value Resolution=St.Fields("PrintMaxResolutionSupported").Value print_speed=St.Fields("PrintPagesPerMinute").Value server_name=St.Fields("ShortServerNAme").Value print_memory=St.Fields("PrintMemory").Value server_name=St.Fields("servername").Value when_created=St.Fields("WhenCreated").Value when_changed=St.Fields("WhenChanged").Value language_enum="" if vartype(St.Fields("printLanguage"))=8204 then formats=St.Fields("printLanguage") for each format in formats language_enum=language_enum+format next end if Set pq = GetObject("WinNT://" & server_name & "/" & shares_enum) set 
printer_change_status=Request.QueryString("change_status") select case printer_change_status case "1" pq.pause case "2" pq.resume case "3" pq.purge case "4" number_=1 number_to_="" For Each printJob In pq.PrintJobs set number_to_=Request.QueryString("number_doc") if cint(number_to_)=number_ then printJob.pause end if number_=number_+1 next case "5" number_=1 number_to_="" For Each printJob In pq.PrintJobs set number_to_=Request.QueryString("number_doc") if cint(number_to_)=number_ then printJob.resume end if number_=number_+1 next case "6" number_=1 number_to_="" For Each printJob In pq.PrintJobs set number_to_=Request.QueryString("number_doc") if cint(number_to_)=number_ then set del_docum=pq.printJobs del_docum.Remove cstr(printJob.name) end if number_=number_+1 next end select change_status=0 status_printer=pq.status select case status_printer case "0" status_P="" case "1" status_P="" case "18" status_P="" end select sum_jobs="
" number_docum=0 For Each printJob In pq.PrintJobs status_pre=printJob.status select case status_pre case "0" status_="" case "1" status_="" case "18" status_="" end select number_docum=number_docum+1 sum_jobs=sum_jobs & "" Next s1="

" & printer_name & "


Операции
Название документа
Пользователь
Приоритет
Кол-во (стр)
Размер (Мб)
Состояние
" & printJob.Description & "
" & printJob.User & "
" & printJob.Priority &"
" & printJob.TotalPages & "
" & round(printJob.Size/1000000,2) & "
"& status_ & "
Описание:
"& descrits_enum & "
Расположение:
" & location_name & "
" s2=" Драйвер:
" & driver_name & "
Сервер:
" & server_name & "
Версия:
" & driver_version & "
Порт:
" & port_name & "
" s3=" Тип данных:
"& pq.Datatype &"
Язык:
" & language_enum & "
Поддержка цвета:
" & support_color & "
Разрешение:
" & resolution & " dpi
" s4=" Скорость:
" & print_speed & " стр./мин.
Память:
" & print_memory & " Kб
" s5=" Создан:
" & When_created & "
Статус:
"& status_P & "


" & "
" b1="Принтер:
     " b2="      " b3="
" summary=s1 & s2 & s3 & s4 & s5 & b1 & b2 & b3 & "

" end if st.MoveNext Loop Response.write summary Response.write num_docum Response.write sum_jobs %> Обнаружение телекоммуникационных атак: теория и практика, snort Павел Закляков # md5sum snort-2.0.2.tar.gz 21b14d90e2a323831d85f3d845d64b23 snort-2.0.2.tar.gz # ./configure # rpm -i libpcap-0.6.2-12.i386.rpm # make # make install alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt"; flow:to_seserver,established; content:"CEL "; nocase; content:!"|0a|"; within:100; reference: bugtraq,679; reference:cve,CVE-1999-0789; reference:arachnids,257; classtype: attempted-admin; sid:337; rev:5;) var HOME_NET 123.45.45.45 var HOME_NET [10.1.1.0/24,192.168.1.0/24] var EXTERNAL_NET any var RULE_PATH rules var RULE_PATH ../rules # /usr/local/bin/snort -o -i eth0 -d -c /etc/snort/snort.conf #!/bin/bash # # snortd Start/Stop the snort IDS daemon. # # chkconfig: 2345 79 11 # description: snort is a lightweight network intrusion # detection tool that currently detects more # than 1100 host and network vulnerabilities, # portscans, backdoors, and more. # # June 10, 2000 -- Dave Wreski # - initial version # # July 08, 2000 Dave Wreski # - added snort user/group # - support for 1.6.2 # Source function library. . /etc/rc.d/init.d/functions # Specify your network interface here INTERFACE=eth0 # See how we were called. case "$1" in start) echo -n "Starting snort: " # ifconfig eth0 up daemon /usr/local/bin/snort -o -i $INTERFACE -d -D \ -c /etc/snort/snort.conf touch /var/lock/subsys/snort sleep 3 if [ -f /var/log/snort/alert ] then rm /var/log/snort/alert fi echo ;; stop) echo -n "Stopping snort: " killproc snort rm -f /var/lock/subsys/snort echo ;; restart) $0 stop $0 start ;; status) status snort ;; *) echo "Usage: $0 {start|stop|restart|status}" exit 1 esac exit 0 # chkconfig snortd on Борьба с вирусами Опыт контртеррористических операций Крис Касперски Листинг 1. 
Пример типичного «ксорного» расшифровщика с комментариями ; CODE XREF: sub_401090+58?j .text:004010DA loc_4010DA: .text:004010DA mov dl, [esp+ecx+0Ch] ; загрузить в DL следующий байт .text:004010DE xor dl, 66h ; расшифровать по XOR 66h .text:004010E1 mov [esp+ecx+0Ch], dl ; положить на место .text:004010E5 inc ecx ; увеличить счетчик на единицу .text:004010E6 cmp ecx, eax ; еще есть что расшифровывать? .text:004010E8 jl short loc_4010DA ; …если да, то мотаем цикл ; CODE XREF: sub_401090+48?j .text:004010EA loc_4010EA: Листинг 2. Так выглядит нормальный start-up от Microsoft Visual C++ 6.0… .text:00401670 start proc near .text:00401670 push ebp .text:00401671 mov ebp, esp .text:00401673 push 0FFFFFFFFh .text:00401675 push offset stru_420218 .text:0040167A push offset __except_handler3 .text:0040167F mov eax, large fs:0 .text:00401685 push eax .text:00401686 mov large fs:0, esp ; Get current version number of Windows .text:00401696 call ds:GetVersion .text:004016EC push 0 .text:004016EE call __heap_init .text:00401704 mov [ebp+var_4], 0 .text:0040170B call __ioinit .text:00401710 call ds:GetCommandLineA .text:00401716 mov dword_424F44, eax .text:0040171B call ___crtGetEnvironmentStringsA .text:00401720 mov dword_4235C0, eax .text:00401725 call __setargv .text:0040172A call __setenvp .text:0040172F call __cinit .text:00401754 call _main .text:00401763 call _exit Листинг 3. 
…а так выглядят окрестности точки входа вируса Win2K.Inta.1676 .text:00011000 start proc near .text:00011000 mov eax, [esp+arg_0] .text:00011004 lea edx, loc_11129 .text:0001100A mov [eax+34h], edx .text:0001100D lea edx, dword_117A0 .text:00011013 lea eax, aHh ; "HH" .text:00011019 mov [edx+8], eax .text:0001101C mov [eax+4], aSystemrootSyst .text:0001101C ; "\\SystemRoot\\system32\\drivers\\inf.sys" .text:00011023 push 1200h .text:00011028 push 0 .text:0001102D call ExAllocatePool .text:00011032 or eax, eax .text:00011034 jnz short loc_1103E .text:00011036 mov eax, 0C0000001h .text:0001103B retn 8 Листинг 4. Червь I-Worm.Kilez.h имеет стандартный стартовый код .text:00408458 start proc near .text:00408458 push ebp ; sub_408458 .text:00408459 mov ebp, esp .text:0040845B push 0FFFFFFFFh .text:0040845D push offset stru_40D240 .text:00408462 push offset __except_handler3 .text:00408467 mov eax, large fs:0 .text:0040846D push eax .text:0040846E mov large fs:0, esp .text:0040847B mov [ebp+var_18], esp ; Get current version number of Windows .text:0040847E call ds:GetVersion .text:004084AF xor esi, esi .text:004084B1 push esi .text:004084B2 call __heap_init .text:004084C4 mov [ebp+var_4], esi .text:004084C7 call __ioinit .text:004084CC call ds:GetCommandLineA .text:004084D2 mov dword_494E68, eax .text:004084D7 call ___crtGetEnvironmentStringsA .text:004084DC mov dword_493920, eax .text:004084E1 call __setargv .text:004084E6 call __setenvp .text:004084EB call __cinit .text:004084F0 mov [ebp+StartupInfo.dwFlags], esi .text:004084F3 lea eax, [ebp+StartupInfo] .text:004084F6 push eax ; lpStartupInfo .text:004084F7 call ds:GetStartupInfoA .text:004084FD call __wincmdln Листинг 6. «Заглушка», представляющая собой переходник к импортируемой функции и оттягивающая все перекрестные ссылки на себя ; CODE XREF: sub_432A58+C0?p BRAT0:00648310 CreateFileA proc near ; sub_432BC0+C0?p ... 
BRAT0:00648310 BRAT0:00648310 FF 25 48 44+ jmp ds:__imp_CreateFileA BRAT0:00648310 CreateFileA endp Листинг 7. Таблица импорта исследуемого приложения: наличие «паразитной» ссылки на CreateFileA указывает на факт вирусного заражения ; DATA XREF: CreateDirectoryA?r .idata:006A4440 extrn __imp_CreateDirectoryA:dword ; DATA XREF: CreateEventA?r .idata:006A4444 extrn __imp_CreateEventA:dword ; DATA XREF: CreateFileA?r .idata:006A4448 extrn __imp_CreateFileA:dword ; DATA XREF: sub_6A4140?r .idata:006A4448 ; DATA XREF: CreateProcessA?r .idata:006A444C extrn __imp_CreateProcessA:dword ; DATA XREF: CreateThread?r .idata:006A4450 extrn __imp_CreateThread:dword Анализ защиты программ и рекомендации по её усилению Станислав Гошко bc * cmp eax, esi bpx MessageBoxA 0167:00440347 jnz 00440375 bpx MessageBoxA push 0056d737 ; Помещается в стек смещение серийного номера push 0056d350 ; Помещается в стек смещение имени call 004c37b1 ; Вызов функции, которая проверяет корректность test eax,eax ; Проверка результата функции ; !!!!!!!!!!!!! jz 004c3ce1 bpx DialogBoxParamA bc * 41f89c: 90 90 90 41f8c4: EB 18 cmp [ebx+14],0 593598: EB 77d5c13a: push 0c 77d5c13c: push 77d6e498 77d5c141: call 77d439c0 push xxxxxxxx ................ push xxxxxxxx call GetWindowTextA push xxxxxxxx ................ push xxxxxxxx push return_address push 0c jmp (GetWindowTextA+2) push xxxxxxxx ................ push xxxxxxxx push return_address push 0c push 77d6e498 jmp (GetWindowTextA+7) if (!IsDebuggerPresent()) goto no_debugger //........................................ 
no_debugger: mov eax,fs:[018h] mov eax,[eax+30h] movzx eax,byte ptr [eax+02] ret push dword ptr fs:[0] push offset SEH_Handler mov fs:[0],esp pop dword ptr fs:[0] .386p .model flat extrn ExitProcess:PROC .data Hi dd 0 .code ;--------------------------------------------------------; start: pop ebx ; Адрес для вызова исключения call setupSEH Ex_Handler: mov esp,[esp+8] ; Ошибка дает нам старый ESP ; в [ESP+8] exit: push 0 ; Кладём в стэк 0 call ExitProcess ; И завершаем программу ;--------------------------------------------------------; setupSEH: push dword ptr fs:[0] ; Push оригинальный ; обработчик SEH mov fs:[0],esp ; И помещаем новый ; (который находится ; после первого call) mov eax,012345678h ; Пытаемся писать ; в ядро (что вызовет xchg eax,[ebx] ; исключение) end start push ss pop ss int 3 mov ebp,"BCHK" push ss pop ss int 3 db blabla ; Опкод модифицирующий ключ ; декриптования mov eax,04ebh jmp $-4 next: Полиномиальная арифметика и поля Галуа или информация, воскресшая из пепла II Крис Касперски Листинг 1. Сложение, выполненное по правилам полиномиальной двоичной арифметики (слева) и сложение, выполненное по правилам обычной арифметики (справа). 1101001 (69h) 1101001 (69h) +0100111 (27h) +0100111 (27h) ––––––– ––––––– 1001110 (4Eh) 10010000 (90h) Листинг 2. Функция, реализующая сложение/вычитание в полях Галуа. // функция возвращает результат сложения (вычитания) // двух полиномов a и b по модулю 2 int gf_sum(int a, int b) { return a ^ b; } Листинг 3. Процедура генерации look-up таблицы быстрого умножения полиномов. 
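// Listing 3. Procedure that generates the look-up table for fast polynomial
// multiplication.
//
// NOTE: these single-letter macros (m, n, t, k) are kept for compatibility with
// the other listings, but they will silently rewrite any later local variable
// or parameter that happens to use one of these names.

// degree of the RS polynomial (eight, per the ECMA-130 standard)
#define m 8
// n = 2^m - 1 (code word length)
#define n 255
// number of errors we want to be able to correct
#define t 1
// k = n - 2*t (information word length)
#define k 253

// irreducible generator polynomial, per the ECMA-130 standard:
// P(x) = x^8 + x^4 + x^3 + x^2 + 1, stored as coefficients p[0] .. p[m]
int p[m + 1] = { 1, 0, 1, 1, 1, 0, 0, 0, 1 };

// powers of the primitive element: alpha_to[i] holds alpha^i in polynomial form
int alpha_to[n + 1];

// index (logarithm) table for fast multiplication: index_of[alpha^i] == i
int index_of[n + 1];

//--------------------------------------------------------
// Build the look-up tables for GF(2^m) from the irreducible generator
// polynomial P(x) given by p[0] .. p[m].
//
// look-up table:
//   index -> polynomial: alpha_to[i] holds j = alpha^i, where alpha is the
//   primitive element (normally 2) and ^ is exponentiation (not XOR!);
//   polynomial -> index: index_of[j = alpha^i] = i.
//
// index_of[0] is set to -1 because zero has no logarithm; callers (gf_mul,
// gf_div) must reject zero operands before indexing.  alpha_to[n] is never
// written: alpha^n == alpha^0, so callers reduce exponents modulo n first.
//
// (c) Simon Rockliff
//--------------------------------------------------------
void generate_gf(void)
{
    int mask = 1;

    // alpha^m follows from P(alpha) == 0: it is the XOR of alpha^i over every
    // i < m whose coefficient p[i] is set.
    alpha_to[m] = 0;
    for (int i = 0; i < m; i++) {
        alpha_to[i] = mask;            // for i < m, alpha^i is just the bit 1 << i
        index_of[alpha_to[i]] = i;
        if (p[i] != 0)
            alpha_to[m] ^= mask;
        mask <<= 1;
    }
    index_of[alpha_to[m]] = m;

    // mask now selects the top bit (1 << (m - 1)) of an m-bit polynomial
    mask >>= 1;
    for (int i = m + 1; i < n; i++) {
        // multiply alpha^(i-1) by alpha (a left shift); if that overflows m
        // bits, reduce modulo P(x) by folding alpha^m back in
        if (alpha_to[i - 1] >= mask)
            alpha_to[i] = alpha_to[m] ^ ((alpha_to[i - 1] ^ mask) << 1);
        else
            alpha_to[i] = alpha_to[i - 1] << 1;
        index_of[alpha_to[i]] = i;
    }
    index_of[0] = -1;
}

// Listing 4. Fast table-driven polynomial multiplication in a Galois field.

// Returns the product of the polynomials a and b in GF(2^m).
// a and b are expected to be field elements in 0 .. n; other values index
// outside the tables.  generate_gf() must have been called first to fill
// alpha_to[] and index_of[].
//
// NOTE: the original listing looked the operands up in a non-existent
// alpha_of[] array, reduced by an undefined GF constant and returned
// index_of[sum].  Per Listing 3 the logarithms live in index_of[] and the
// antilogs in alpha_to[], and the group order is n == 2^m - 1.
int gf_mul(int a, int b)
{
    // a little optimisation does no harm -- and since index_of[0] == -1, a
    // zero operand must never reach the table lookups
    if (a == 0 || b == 0)
        return 0;

    // add the logarithms (indices) of the two polynomials
    int sum = index_of[a] + index_of[b];

    // reduce the exponent modulo the group order n
    if (sum >= n)
        sum -= n;

    // convert the result back to polynomial form
    return alpha_to[sum];
}

// Listing 5. Fast table-driven polynomial division in a Galois field.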
// функция возвращает результат деления двух полиномов // a на b в полях Галуа, при попытке деления на ноль функция // возвращает -1 int gf_div(int a, int b) { int diff; // немного оптимизации не повредит if (a == 0) return 0; // на ноль делить нельзя! if (b == 0) return -1; // вычисляем разность индексов diff = alpha_of[a] – alpha_of[b]; // приводим разность к модулю GF if (diff < 0) diff += GF-1; // переводим результат в полиномиальную форму // и возвращаем результат return index_of[diff]; } Листинг 6. Ключевой фрагмент кодера Рида-Соломона, вырванный из прошивки IBM 3370. for (s0 = s1 = sm1 = i = 0; i < BLOCK_SIZE; ++i) { s0 = s0 ^ input[i]; s1 = GF_mult_by_alpha[ s1 ^ input[i] ]; sm1 = GF_mult_by_alpha_inverse[sm1 ^ input[i] ]; }; Листинг 7. Ключевой фрагмент декодера Рида-Соломона, вырванный из IBM 3370. // вычисляем синдром ошибки err_i = GF_log_base_alpha[ GF_divide[s1][s0] ]; // исправляем сбойный байт input[err_i] ^= s0;