Copy protection defeating

mmmmmmmmmmm

Sometimes, indeed often, there are obstacles. Or learn to ride or learn to jump over obstacles


CD-Cops
-------
If your CD is protected with CD-Cops, when executing the main .exe file, a window appears with the words CD and Cops in the title. Also, the following files will be present in the installation directory:

?
?
Eerrrmm, forgot to add these ^_^


CDCOPS.DLL
----------
Files with The .GZ_ and .W_X extentions.
To defeat this you can use the 'CD-Cops decrypter' - which should work on some CD's.


Copylok
-------
No details yet known.


Copy-Protected CD & The Bongle
------------------------------
At present there is no generic patch available, so it likely you will need to find specific patches for each CD (i.e. look for a CD crack).


DiscGuard
---------
A CD protected with DiscGuard will have the following files on the CD or in the installation directory:

IOSLINK.VXD
IOSLINK.SYS

At present there is no generic patch available, so it likely you will need to find specific patches for each CD (i.e. look for a CD crack).


LaserLock
---------
A LaserLock protected CD will have a hidden directory called "Laserlok" on it. This directory can be seen if you tell windows to "show all files". The folder was designed to contain files with unreadable errors so that the CD could not be copied correctly.
At present there is no generic patch available, so it likely you will need to find specific patches for each CD (i.e. look for a CD crack). Sometimes this kind of protection can be got round using the 'Ignore Read Error' setting that a few good CD copiers have (CDRWin, Nero, DiskJuggler).


LockBlocks
----------
A LockBlocks protected CD will have 2 circles (5 mm and 3 mm), which cause a CD-R to lockup when being read.
At present there is no generic patch available, so it likely you will need to find specific patches for each CD (i.e. look for a CD crack).


SafeCast
--------
Detection on this is unknown at this moment in time.


SafeDisc
--------
A CD protected with SafeDisk will have the following files on the CD:

00000001.TMP
CLCD16.DLL
CLCD32.DLL
CLOKSPL.EXE.
GAME.EXE
GAME.ICD

To defeat this you need to Create a 1:1 copy of the CD and then use the "Generic SafeDisc Patch" (available from http://www.cdrsoft.com" to allow you to play the copy. Another method is to look for a patched game.exe file (do a search in a good search engine) and then do the following:
Create an image of the CD on your hard drive, but use the patched game.exe instead of the one actually on the CD. It is often better to use the CD-R drive to get the image file because the CD-R drive is more likely to avoid read errors.
Write the image file onto a blank CD-R at 1x (this will help to avoid errors).


SecuROM
-------
If a CD uses the SecuROM protection scheme, one of the following files will exist in the installed directory OR in the root of the CD:

CMS16.DLL
CMS_95.DLL
CMS_NT.DLL

To defeat this you can use a generic patch:
SecuROM R1: Get Generic SecuROM R2
SecuROM R2: Get Generic SecuROM R3
SecuROM R3: Get Generic SecuROM R4 v1.1
SecuROM R4: Get Generic SecuROM R5 v5.1
SecuROM R5: Get Generic SecuROM R5 v6.0


Here are some other techniques that are frequently used to protect CD's

Dummy Files
-----------
This can be detected by looking for large dummy files, mostly over 600 Mb, in the root of the CD (usually with a .AFP extension).

If the original CD is smaller than 659 Mb, you can do a CD copy which will re-create the exact Dummy Files on the copied CD. If the original CD is over 659 Mb then OverSize a 74 Minutes CD-R or just use an 80 Minutes CD-R to make an exact backup.

Illegal Table Of Contents (TOC) file
------------------------------------
This can be found by examining the tracks of the source CD. Usually there will seem to be a second data track (which is not allowed). Commonly, this track will appear after some audio tracks.

You can now bypass the illegal TOC files deliberately put on CD's as a form of protection by using a program such as 'Nero' or 'CDRWIN'. These programs have an option to ignore an illegal TOC file.


Protection Info

OverBurning CD's
----------------
To detect this, use a 74 minute writable CD and choose to do a test before writing - if the source CD has been overburned then the CD copier will come up with an error and tell you that your CD is not big enough (even if the source and destination CD's are both 74 mins!!).

To defeat this you can use a program such as 'Nero' or 'CDRWIN' to OverSize the CD-R using a capable CD-Writer . However, this can be dangerous if your CD writer does not support overburning - but there is another way! Simply get hold of an 80 minute writable and copy the source CD onto that!

The games 'Half Life', 'Kingpin', and 'Commandos' all use this method of protection.


Physical Errors
---------------
The CD is damaged on purpose. Most CD-Readers are not able to "copy" these kind of errors and will stop reading the CD. Few CD-Readers are able to copy these errors. The program 'BlindRead' can be very handy copying this protection.


PlayStation CD's
----------------
During the boot, the PSX chipset checks for an unknown sector on the CDS. This unknown sector is outside the mechanical range of the CD-Reader pickup. Therefore it is NOT possible to copy this track onto a CD-R.

To defeat this, install a modified Boot Chip (ModChip) inside the Playstation. This will trick the PlayStation so it thinks the inserted CD contains the right Country-Code & Bad Blocks.


Sega DreamCast CD's
-------------------
The Dreamcast actually uses GD-ROMs, which hold a maximum of 1Gb of Data instead of the standard 650-700 Mb. This provides a good level of copy protection as they cannot be reproduced using a standard CD-Writer.

A GD-ROM consists of 2 DATA tracks. The first is usually between 10 & 50 Mb and can be read by a normal CD-Reader. The second track is written in a high density format which is NOT accessible by a normal CD-Reader.

At the moment, there doesn't appear to be a perfect way of copying these CD's.
What are the different CD copying protections and how can I defeat them?

Here are most of the CD protections used to protect games and applications from people trying to copy them with their CD-R's. Most of the files and programs I mention here can be downloaded from http://www.cdrsoft.com .

ASTALAVISTA

Dll Injection Part TWO English

ADVERTISE by Guardian Angel: This article is not 'designed for idiots who do play the sorcerer's apprentice. This article 'aimed at those who love knowledge.
A call to friends in Italy that deal with information technology: Internet, 16 June 2009 Presidents of Parliamentary Groups Senate ROME
Dear President,
the 1415A ddl approved in the House of Deputies on 11 June us has, in many quarters, raised many doubts and misgivings as to its constitutional legitimacy and, more generally, the appropriateness of regulatory interventions that, through it, be carried out.
There is, however, a profile, so far, remained in the shade and little in-depth discussions of these days: the contents of paragraph 28. 1, whose unfortunate wording - also admitted that this was not the actual will of the extensor - is likely to determine an unacceptable restriction of freedom of expression that push online, quickly, to Italy in a position more rearward than it currently occupies (it's Forty-fourth) in the international ranking on freedom of information.


I urge you to sign the petition found at this address: http://www.firmiamo.it/norettifica otherwise of those articles, in Italy will only be a pale memory.



(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

Dll Injection Part II


Welcome back...

Last time i explained to you what DLL Injection is.
"Injecting a dll into a running process, is inserting a dll into the process's address space..
as you all -should- know is that when you load a dll, it goes to your address space, which means that,
your variables/memory in general, are all accessible with normal pointers by the dll itself."


I also explained that you need to have a knowlege of the following things:

1) Memory management...You need to know how windows manages it's memory

2) PE Headers <--the most important thing if you're doin this in win9x/ME --

3) Basic debbuging APIs...These are some apis that allow you do debug a certain app

4) enough knowlege of asm...and OPCODES of instructions I also said that my tutorial is compatible with all versions of windows.

So don't go posting me saying 'CreateRemoteThread() will do all of what you have just done'...I told you that i'm doing this tutorial for everyone. And if it would make you happy, i will add some information about the functions you can use in higher versions than WinME/9x And I'm doing the same thing I did last time. I am "NOT" pasting full code in this tutorial either. No one is stupid enough like me to even think of posting such brief article about something that is hard to learn if you had no documentation. So, therefore, it is hard to accept distributing it to the public. Programmers all think that they got tired for searching all this. They're not going to let their sweat go to waste.

So they keep telling you "GO RESEARCH ON YOUR OWN",, and probably kick you off their chat rooms. So, i'm probably doing the same thing ::D::D::D::D -- Ok you should have made that dll file that i told you about last time.

I'll assume the dll is in C:\\NazSoft\\DLLINJ32.dll (Dll to inject) Remember also, that i asked you to make an exe project, that puts the dll into its address space using LoadLibrary() Now, we're going to do something else. FORCE an app to load the dll into its address space. That's what i did to mirc.exe. But first, i need you to create the exe file! Make an exe file, that has a dialog box with a button. If the button was clicked, this happens: MessageBox( 0, "Let's see whether this function gets intercepted or not?!!", "Hello world!", MB_OK ); I'll assume you named the exe file, C:\\NazSoft\\MYMSGBOX.exe (Target process) OK, For the first section of this part, we'll inject DLLINJ32.dll into MYMSGBOX.exe in 2 different ways, 1) Using

CreateProcess().... The injector (the program that will inject) will create a new process of that program. And simply inject using the debugging facilities. Recall from PART I: "Talking at a lower level, what my API Spy exactly does is 'debug' the chosen running process and thus suspending all of its threads. It will then use some special API functions to be able to read it's private address space...

(Read/WriteProcessMemory()) It will seek some place to inject some code into. It is ASM code ofcourse. What this ASM code does is: LoadLibrary("DLLtoINJECT.dll"); And add a breakpoint after the code. Then simply let the process run, starting with the beggining address of the injected code. When the breakpoint is reached, the threads are suspended again and the API Spy restores whatever bytes it has modified and restores all the registers and thus continuing with normal execution like if nothing happened. Kind of like hypnotising someone, slapping him, and bringing him back. He'll have no idea of what just happened. Anyway, The loaded DLL does its job normally. Simple as that." 2) Use a method to inject the dll into a thread, by knowing just it's ThreadId, ProcessId, and possibly base address of the program. This method is used to inject a dll into an ALREADY running process.

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

--However, there is one problem in both of these ways. To do all that, i use the debugging method. Which is not such a good idea. I'll explain why later, and an alternative that can be used in future versions of windows. Actually, WinME had my problem solved, and then NT3.1 made it better, then came WinXP, which made it even better than ever before!... We'll talk about it later --- Let's make the (Injector) --- #define TargetApp "C:\\NazSoft\\MYMSGBOX.exe" #define DLL "C:\\NazSoft\\DLLINJ32.dll" *** | | | | This is the CreateProcess() method: (*)(*)(*)(*)(*)(*)(*)


You use CreateProcess() to start the program, with DEBUG_ONLY_THIS_PROCESS flag set. This will let you use the windows' special debugging functions. If you read the link i gave you in part one about Basic Debugging, this should be no problem, and you must have seen that DebugActiveProcessStop() works _ONLY_ in WinXP and above...(There is no above. Maybe Longhorn? the new revolutionary version of blindows? i mean, windows?) This is one advantage of XP over other OS's...
(*)(*)(*)(*)(*)(*)(*)
So don't go saying, XP SUX XP SUX XP SUX This makes it a REAL problem, because if you are debugging a process, and terminate your own process, the debugged process will be terminated also, and there is no way to stop it from happening. Even visual studio 6's debugger can't keep an application being debuged from staying alive, upon closure of VC++, It always gives you a msgbox: "This command will stop the debugger. Do you wish to continue?"
--(*)(*)(*)(*)(*)(*)(*)
There you see the problem that debugging a process has, which XP fixed...This is why i said "...WinXP, which made it even better than ever before!..." :)... Actually, it didn't make it better than ever before, because CreateRemoteThread(), supported in NT3.1 and over, makes all of what i'm doing simpler. We'll talk about it later...
-- (*)(*)(*)(*)(*)(*)(*)
After you create the process, windows' loader will automatically set a break point, right before the process starts execution(because of the DEBUG_ONLY_THIS_PROCESS flag). So what you do is use WaitForDebugEvent(), and ContinueDebugEvent() to get notifications from windows, for a debugging event to occur in a process being debugged. One of them, is a breakpoint.
(*)(*)(*)(*)(*)(*)(*)
WaitForDebugEvent() just sits there waiting for an event, then suspends the execution of the thread, and returns.. It's your job to check it's return values and handle the events that you want. And then use ContinueDebugEvent() to let it continue execution.
(*)(*)(*)(*)(*)(*)(*)

--You need to keep waiting, until the target process exits, then you can exit. Because as i said, you can't stop debugging unless you terminate the target process(except in WinXP) When the first breakpoint occurs, you know that the process has been loaded in memory. Now, you need the Handle of the process, and the handle of the main thread (or any thread)

It's all gettable through CreateProcess's PROCESS_INFORMATION parameter(pInfo.hProcess, pInfo.hThread) Now that you have the process's handle, you can use ReadProcessMemory() and WriteProcessMemory() to read/write bytes into/out of the memory of the target process. (Ofcourse, you're not required to pause execution of the process in order to use these two functions, however in our case, you ARE required to ) "The process whose address space is read is typically, but not necessarily, being debugged. " is what MSDN had to say. I'll tell you why we need to pause execution. Now you know how you can use ReadProcessMemory(), and WriteProcessMemory(). What you should do is this. You need your knowlege of PE/COFF headers to find a writable address in the process's memory.

Once you have found it, you will have no problem in changing it's contents, whether it was required by the target process or not, because as i said before, the execution has been suspended, so the process won't find out that you have changed it's memory, until after it continues execution... but it will be too late at that time, cause you will have already restored whatever it was that you have changed. Just like hypnotising...
When you find a writable memory, you need to use your knowlege of asm, and the OPCODES of the instructions inorder to use WriteProcessMemory() to write in the asm instruction, which will call LoadLibrary() inorder to insert the DLL into it's address space. (Remember the exe program in part I? When it used LoadLibrary(), the MessageBox() function automatically got intercepted,

This is what should happen here. Ofcourse the dll that we made is not so good, because it has no function to restore the address of the import table that it changed. So it's your job to change the dll -if you like- and save the original address of the MessageBox() function, before chagning it to the entry point of the MyMsgBox() function, so that when you need to free the dll, you'd be able to restore the entry point of the MessageBox() function, from the entry point it has been set to ( MyMsgBox() in DLLINJ32.DLL) back to it's original entry point ( MessageBox() in USER32.DLL ) )
Ofcourse, this is not so required, because you might just leave the dll into the process's address space for ever. And when the process exits, no need to restore, cause IT EXITED. You haven't patched the exe. So everything will be restored back to it's original next time the program is started Ok, so you wrote in the asm instructions. Now, what they do is call LoadLibrary() and then breakpoint (INT 3h --OPCODE 0xCC) So that the debugger would recv a breakpoint event inorder to restore the bytes that were changed
--If you have enough knowlege of asm, you'll know that EIP is the address in memory of the current instruction being run. When you write the asm code in the target process, you need to change (after saving) the EIP register to the offset of the first byte of the asm instructions you have written in the memory address space of the process.

Then when break point occurs, restore the memory, and restore EIP to it's original address, so that the process would continue execution, like if nothing happened! You can use GetThreadContext() and SetThreadContext() in order to change/get the values of registers/flags of a running process. And these two functions "REQUIRE" the _thread_ "Not the process" to be suspended. The two functions take a thread handle, not a proces handle. Because a process can have more than one thread, a problem that might occur is that a thread will be suspended, but other threads are still running. This will wreck havoc in the system. But fortunatelly, The debugging functions will suspend the WHOLE process from running.
There is some other method i wanted to use, (other than debugging) which will have THIS problem. Because it doesn't suspend the process's execution, it will only suspend the execution of ONE thread.
(*)(*)(*)(*)(*)(*)(*)
That's why OpenThread() isn't supported in 9x, because Microsoft is afraid someone would get a thread handle, suspend it, and wreck havoc. But somehow, i donno why, WinME supports it, so do later versions...maybe Microsoft fixed something? or i donno...

This isn't our subject right now anyway... (I like writing confusing text..) ___ **WARNING**___**WARNING**___**WARNING**___**WARNING**___**WARNING**___**WARNING***
The following two paragraphs are irrelevant, so don't confuse your self, skip them for now.. ___ **WARNING**___**WARNING**___**WARNING**___**WARNING**___**WARNING**___**WARNING***
Anyway, i really think the debugging way is the best, if you can't use CreateRemoteThread()..
But if you found a way to suspend the whole thread, without the need of debugging, i think we can make the asm instructions give some notification to a FileMap (Shared memory between processes) that it has successfully loaded, so that the injector app would restore what it had chagned, so that the process would continue execution. You can let the dll do this for you. But then comes another problem, when code is injected, and run, and the dll gets loaded, what if, in the process, the thread continued execution, and it needed the portion of memory that we edited?? THERE!!! Now we have a problem!..This might cause a crash.. But then you might let the dll create some executable in a temp dir, and suspend execution. Then the executable will restore bytes, and exit, then the dll shuld somehow find a way to notify it self that it can resume thread execution..
IT NEVER ENDS!!!!! FIX A PROBLEM, FIND ANOTHER ONE...the BEST solution instead of using all that crap is either through debugging, or using CreateRemoteThread()...debugging can't be stopped, unless in WinXP, but what's the use? You can use CreateRemoteThread() instead of debugging, in XP... You can't use it in 9x/ME,,but ah well...what to do? this is the life...
Win98 will be soon out of the market. 2k already is i think. Atleast MS promised that they will remove it. It's been a whole year since the deadline they have given, but seems like it's still in the market. Maybe i don't read news alot. I've got too much work, anyway..
-- So now you understood the debugging method in a verbal way. I'll explain more about it, in a "codish" way..
BUT FIRST! let me tell you this, inorder to use ReadProcessMemory(), for finding some writable memory... You need to know the base address of the target process! I'll tell you how later.. and also, to find a writable memory, you shuld read the sections of the programs... Read about 'sections' in PE header... i usually get section ".data" as the writable part..maybe some other app has some other section? i dono... Actually, I DO know. There are apps that have sections with different names. for example, programs compiled with borland have different section names, than programs compiled in msVC++ (Another project to have fun with is, to open all exes of different compilers, in your machine, and save their import table and section names... The PE/COFF header specs should help...) If you notice, in asm programs you set sections like .CODE .DATA etc... It's all the same... VC++ uses .text, .idata and .data instead (.text == .CODE, ,.data == .DATA, , .idata == Import table ) .edata == export table, etc... (*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*) (*)(*)(*) (*) INJECTING A DLL INTO AN ALREADY RUNNING PROCESS (*)(*)*)(*)(*)(*)(*)(*)(*)(*)
(*)(*)(*) (*)(*)(*)
(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

And now you know all about The CreateProcess() method. The other method, injecting into an ALREADY running process,
you need to use OpenProcess() to get a process handle, from a ProcessId, then use DebugActiveProcess() to start debugging.
Read DebugActiveProcess() in msdn, you will find answers to many questions that might have been raised when i gave you
this function. I'm not going to show an example on this function. You're on your own. Sorry, wish i could help.
But i'm not giving you the butter.

Read the "Debugging a Running Process" section in Basic Debugging section in msdn.

"
To debug a process that is already running, the debugger should use DebugActiveProcess with the process
identifier retrieved by OpenProcess. DebugActiveProcess attaches the debugger to the active process.
In this case, only the active process can be ..... To detach from the process being debugged,
the debugger should use the DebugActiveProcessStop function.
"
-MSDN

DebugActiveProcessStop isn't supported in versions before WinXP......go cry baby :P

-----(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

ok, i showed you how the second method works...
Now.. the inefficient method that i was talking about... Doing all this without debugging..
You can skip this section if you want, it's for more advanced readers...
What i had in mind (I won't give code samples for this either, but this time, not because you need to reasearch on your own,
but beacuse i havn't done any code of it. And you never know, maybe this method is so inefficient, that you can't use it?)
ok here goes:

From the processes and thread section, i saw these functions:

OpenProcess, OpenThread, SuspendThread, ResumeThread

Look, get proces handle from the first function..Thread handle from the second.
Suspend the thread, use GetThreadContext/SetThreadContext and Read/WriteProcessMemory to read/write asm code
and modify/restore the registers, then Resume thread...
the asm code, can't use breakpoints, cause the app isn't debugging it, so the dll shuold somehow send some notification,
and suspend it's own execution. Then when the app recieves the notification, it will let it resume, after restoring everything.

There is more to it than just that...but you need to use your own imaginations

----(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

Somefunctions for you to look at, (interesting functions)

DebugBreak, DebugBreakProcess, DebugSetProcessKillOnExit, IsDebuggerPresent, GetStartupInfo, Sleep, SleepEx, SwitchToThread
ThreadProc, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue

There are some issues i haven't talked about here. You might encounter them ___MIGHT___
so if you did, read about TLS,,,Thread Local Storage..it shuold help you through for process's with more than one thread
(TlsAlloc, TlsFree, TlsGetValue, TlsSetValue)

----(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

You're probably mad at me like hell, and not voting for me, because i asked you to reasearch on your own.
Too bad :PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP

kidding..i'm sorry dude, but i'm serious. These are issues that need work from the programmer him/her self.
You can't just let it away like that :( I'm sorry once again. Maybe if you email me(on my yahoo account)
I might help you more on this, or else, i'm sorry. Besides, i didn't have that much time to write all the code
in here..i'm truly sorry...and i applogize for any inconvenience this did.

Once again, i'm sorry

----(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

Let's see what the asm code that needs to be injected shuold look like.
There are many different ways to code it's asm code..but this is my way.
and i like it like that.

{
mov eax, 0h ; change 0h to address to LoadLibrary()
mov ebx, 0h ; change 0h to offset to dll name (almost always at the end of this code comes the dll name)
; so it can be, offset of beggining of this code + the total size of the asm code. This points you
; to whatever that's after it. Which is, the dll name

push ebx ; Push parameter of LoadLibrary() into stack (dll name)
call eax ; call LoadLibrary()
pop ebx ; Pop ebx which was pushed -- if you don't do this, you'll get a funny scary error
; If you read about opcodeVOID's NakedFunctions,, and saw the asm instructions before and after
; high level functions,, there are the code(within them) that will check for whether you have restored what you have pushed into the stack
; so basically it's required, opcodeVOID :D :D :D But, he's still right, if you are an advanced programmer
; and know what you're doing, then you have no problem
;;; and also note that where you're writing this code, it is at it's lowest level, and there aren't
;;; code to check for this..a whole program destruction might occur without you knowing
; it's kind of like when you are sick, and probably have aids, and are dying, but don't have
; a nervous system to feel it. So, you won't feel pain, this might cause you to suddenly collapse and die :D

int 3h ; break point
; Immediately after this, comes the dll's whole path "C:\NazSoft\DLLINJ32.DLL" and don't forget the null character
}

These are the OPCODES:
{
char CodePage[4096] =

{ 0xB8, 00, 00, 00, 00, // mov EAX, 0h | Pointer to LoadLibraryA() (DWORD)
0xBB, 00, 00, 00, 00, // mov EBX, 0h | DLLName to inject (DWORD)
0x53, // push EBX
0xFF, 0xD0, // call EAX
0x5b, // pop EBX
0xcc // INT 3h
};

DWORD nob=15; //Number of bytes ^^^^^^
//comes right after this, the dll name...so just do this, strcpy(CodePage[nob], Dllname) to append the dll name..
the total size is (nob + strlen(Dllname) + 1) -- strlen retreives the string, without NULL character.
So you do +1, do also add the null character
------You might ask why i declared 4096 chars? well, a codePage is 4K,,,So i just did it,,,for,,,um,,,
no reason... :D :D

}

I'll give you some OPCODE lists with this tutorial for you to have use of..
You'll have fun reading it
--by the way, go to EFnet#C++ or #asm or #win32asm and ask for a full ebook of asm..
They shuld give you a free ebook called, "The art of assembly"
--

I suddenly changed my mind and added some tutorials with the .zip file :p
I even added some unneccessary stuff :P

--(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

Here show you the code of CreateProcess() method:

--(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

declare these global vars:

CONTEXT OriginalContext; //Get/SetThreadContext's parameter
char OriginalCodePage[4096];
DWORD sizeofCP=0;
VOID* mySec; //my section...Offset of CodePage in the target process's memory, not this app's memory

BOOL InjectDLL_CreateProcess( char *TargetAPP, char *DLLTOINJECT )
{
BOOL B=FALSE, BREAK1=FALSE, BREAK2=FALSE;
STARTUPINFO sInfo;
PROCESS_INFORMATION pInfo;
DEBUG_EVENT dEvent;
DWORD ret;

ZeroMemory((VOID*)&sInfo, sizeof(sInfo));

B = CreateProcess(Filename, 0, 0, 0, FALSE, DEBUG_ONLY_THIS_PROCESS, 0, 0, &sInfo, &pInfo);
if(!B) return FALSE;

//-----
///
////
///// We need 3 things, ProcessHandle, ThreadHandle, and BaseOfImage (base address of executable file in memory)
////
///
//-----


HANDLE PHandle=pInfo.hProcess, THandle=pInfo.hThread; // Processhandle, Thread handle
VOID * BaseOfImage;
char DLLTOINJECT[] = "d:\\VCPrj\\MSNInject\\DLL\\Release\\DLL.dll";

while(1)
{
if( !(B = WaitForDebugEvent(&dEvent, INFINITE)) ) //Remember? -- dEvent is a structure that recv'es return of fucntion
return -1;

if(dEvent.dwDebugEventCode==CREATE_PROCESS_DEBUG_EVENT) //If the debug event was "Process has just been created"
{
BaseOfImage = dEvent.u.CreateProcessInfo.lpBaseOfImage; //Ok, now we have the base address of the exectable file in memory (remember before, when i said that i'll show you how to get it?)
}

if(dEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT) //if process terminated, then break the loop, so that you would exit function
break;

if(dEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT)//Check for breakpoint
{
if(dEvent.u.Exception.ExceptionRecord.ExceptionCode==EXCEPTION_BREAKPOINT)
{//It is a break point;
if(BREAK1==FALSE)
{//First Breakpoint occured
B = InjectDLL( pInfo.hProcess, pInfo.hThread, BaseOfImage,
DLLTOINJECT); //The magical function, comes after this function

BREAK1 = TRUE;
if(!B)
return FALSE;
}else if(BREAK2==FALSE)
{//Second breakpoint occured (asm instructions have been all done, and int 3h was reached
ret = RestoreOriginalCodePage( PHandle, THandle, 0); //another function to restore
if(ret==0) return FALSE; //uhoh!!! Big big big big error...you need to restore what you have written, but couldn't,,,,i'll leave it to you, cause i, my self donno what to do, other than terminate the target process :P
BREAK2=TRUE;
}
}else
{ //if an Exception occured, and it wasn't a break point, then say DBG_EXCEPTION_NOT_HANDLED
//Because you haven't handled the exception, so let lindows,,i mean, windows handle it..
ContinueDebugEvent( dEvent.dwProcessId, dEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED);
continue;
}

}//end if

ContinueDebugEvent( dEvent.dwProcessId, dEvent.dwThreadId, DBG_CONTINUE);
//you don't need to handle event,,let it pass

}//end while()
}//end function

////////////////////

next function:

BOOL InjectDLL(HANDLE hProcess, HANDLE hThread, VOID* hModuleBase, char *DllName)
{//You must have debug access to hProcess (required for ReadProcessMemory() & WriteProcessMemory)

FARPROC LoadLibProc = GetProcAddress(GetModuleHandle("KERNEL32.dll"), "LoadLibraryA");
if(!LoadLibProc) return FALSE;

//This is the entry point addr of LoadLibrary()...It's usually, always the same for any process that loads kernel32.dll
//So unless there is some other explanation, i don't know
//But i personally found that this works all of the time


////////////////////////////////

char CodePage[4096] =

{ 0xB8, 00, 00, 00, 00, // mov EAX, 0h | Pointer to LoadLibraryA() (DWORD)
0xBB, 00, 00, 00, 00, // mov EBX, 0h | DLLName to inject (DWORD)
0x53, // push EBX
0xFF, 0xD0, // call EAX
0x5b, // pop EBX
0xcc // INT 3h
}; //i could have used structS instead, but unfortunatelly, because of many compilers' stupid padding, i didn't >:(
int nob=15; //no of bytes

char *DLLName; //DllName
DWORD *EAX, *EBX; //Look at codepage

DLLName = (char*)((DWORD)CodePage + nob); //Set the pointers
EAX = (DWORD*)( CodePage + 1); //
EBX = (DWORD*) ( CodePage + 6); //

strcpy( DLLName, DllName ); //copy dll name
*EAX = (DWORD)LoadLibProc; //EAX==LoadLibProc
*EBX = nob; // need to do this: *EBX = *EBX + (offset of CodePage)
////////////////////////////
sizeofCP = strlen(DllName) + nob +1; //remember this? --


//Here comes the complicated part, you can use CreateRemoteThread() instead of all this, actually, but unfortunatelly
//it isn't supported in all versions of windows...but i'll tell you how to use it after this code..
//I have an example code that i found from google groups

IMAGE_DOS_HEADER DOShdr;
IMAGE_NT_HEADERS *pNThdr, NThdr;
IMAGE_SECTION_HEADER SecHdr, *pSecHdr;
IMAGE_DATA_DIRECTORY DataDir, *pDataDir; //@@@@@@@@
DWORD dwD, dwD2, read, written;
CONTEXT Context; //GetThreadContext's parameter &&
BOOL B;

Context.ContextFlags = CONTEXT_CONTROL; //look at WINNT.h header file for more information
OriginalContext.ContextFlags = CONTEXT_CONTROL;
if(!GetThreadContext( hThread, &OriginalContext)) //Save original context -- remember that currently the process is totally suspended
{
dwD = GetLastError();
return FALSE;
}

// Check to see if we have valid Headers:
//
/////////Get DOS hdr
B = ReadProcessMemory(hProcess, hModuleBase, &DOShdr, sizeof(DOShdr), &read);
if( (!B) || (read!=sizeof(DOShdr)) ) return FALSE;
if( DOShdr.e_magic != IMAGE_DOS_SIGNATURE ) //Check for `MZ
return FALSE;

//Get NT header
B = ReadProcessMemory( hProcess,
(VOID*)((DWORD)hModuleBase + (DWORD)DOShdr.e_lfanew), &NThdr, sizeof(NThdr), &read);
if( (!B) || (read!=sizeof(NThdr)) ) return FALSE;
if( NThdr.Signature != IMAGE_NT_SIGNATURE ) //Check for `PE\0\0
return 0;

// Valid EXE header!
// Look for a usable writable code page: -- this is where you seek the sections for a usable section
//

/////
//
if( (dwD=NThdr.FileHeader.NumberOfSections) < psechdr =" (IMAGE_SECTION_HEADER*)" b="FALSE;" dwd2="0" iterate="" sections="" for="" part="" which="" shouldn="" modified="" whatsoever="" because="" nazsoft="" sez="" bit="" long="" super="" novel="" give="" information="" u="" know="" confused="" listen="" when="" say="" points="" addr="" info="" from="" as="" see="" base="" addresses="" dll="" file="" functions="" are="" same="" programs="" psechdr="" isn="" true="" just="" easier="" way="" don="" use="" casting="" opers="" want="" do="" make="" sure="" correct="" amount="" was="" characteristics="" writable="" section="" const="" idata="" import="" strcmpi="" ignore="" cases="" small="" t="" find="" usable="" code="" found="" virtualaddress="" mysec="(VOID*)(SecHdr.VirtualAddress" global="" where="" asm="" instructions="" shuold="" ebx="*EBX" also="" remember="" top="" of="" stuff="" can="" read="" will="" already="" saved="" re="" going="" thread="" we="" them="" now="" starts="" mega="" occurs="" god="" knows="" uh="" system="" crash="" occur="" try="" save="" memory="" might="" injected="" must="" call="" upon="" following="" context="" b="TRUE;" change="" eip="(DWORD)mySec;" would="" be="" funny="" get="" an="" error="" all="" that="" goes="" and="" ever="" ist="" hat="" chagned="" s="" ok="" go="" back="" second="" break="" point="" another="" function="" ret="RestoreOriginalCodePage(" big="" need="" restore="" you="" but="" couldn="" ll="" leave="" it="" cause="" my="" self="" donno="" what="" to="" other="" than="" terminate="" target="" process="" break2="TRUE;" so="" lets="" have="" look="" at="" notepad="" is="" giving="" me="" a="" headache="" right="" keeps="" saying="" not="" enough="" m="" typing="" the="" rest="" in="" com="" program="" i="" love="" this="" thing="" p="" return="" if="" 0=""> successful
// if -1 -> (0xFFFFFFFF) WriteProcessMemory returned FALSE
// else -> Amount of bytes written + 1
// (to get exact amount of bytes written, you must decrement return value by one!)
//

DWORD RestoreOriginalCodePage( HANDLE hProcess, HANDLE hThread, DWORD *outSize )
{
BOOL B;
DWORD written;
CONTEXT Context;

if(outSize) *outSize = sizeofCP; //Just for user's info

Context.ContextFlags = CONTEXT_FULL; //look at winnt.h
GetThreadContext( hThread, &Context); //Get current thread context
//This isn't required, it's just for you to check the return
//value of LoadLibrary()
////It is in the EAX register (Context.Eax)

B = WriteProcessMemory( hProcess, mySec, OriginalCodePage, sizeofCP, &written );
//Restore original codepage

if(!B) return -1;

if(written!=sizeofCP)
return written+1;

//Restore context (EIP)
B=SetThreadContext( hThread, (CONST CONTEXT*)&OriginalContext);
if(!B) return -1;

return 0;
}





OK ATLAST!!!!!1

so now we're done!
You've seen how to do all this,,,now let me tell you how CreateRemoteThread() works...
You can skip this if you want...



CreateRemoteThread:

The CreateRemoteThread function creates a thread that runs in the virtual address space of another process

HANDLE CreateRemoteThread(
HANDLE hProcess, // handle to process
LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD
SIZE_T dwStackSize, // initial stack size
LPTHREAD_START_ROUTINE lpStartAddress, // thread function
LPVOID lpParameter, // thread argument
DWORD dwCreationFlags, // creation option
LPDWORD lpThreadId // thread identifier
);

Parameters:

hProcess
[in] Handle to the process in which the thread is to be created. The handle must have the PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE, and PROCESS_VM_READ access rights. For more information, see Process Security and Access Rights.
lpThreadAttributes
[in] Pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new thread and determines whether child processes can inherit the returned handle. If lpThreadAttributes is NULL, the thread gets a default security descriptor and the handle cannot be inherited.
dwStackSize
[in] Specifies the initial size of the stack, in bytes. The system rounds this value to the nearest page. If this parameter is zero, the new thread uses the default size for the executable. For more information, see Thread Stack Size.
lpStartAddress
[in] Pointer to the application-defined function of type LPTHREAD_START_ROUTINE to be executed by the thread and represents the starting address of the thread in the remote process. The function must exist in the remote process. For more information on the thread function, see ThreadProc.
lpParameter
[in] Specifies a single value passed to the thread function.
dwCreationFlags
[in] Specifies additional flags that control the creation of the thread. If the CREATE_SUSPENDED flag is specified, the thread is created in a suspended state and will not run until the ResumeThread function is called. If this value is zero, the thread runs immediately after creation.
Windows XP: If the STACK_SIZE_PARAM_IS_A_RESERVATION flag is specified, the dwStackSize parameter specifies the initial reserve size of the stack. Otherwise, dwStackSize specifies the commit size.
lpThreadId
[out] Pointer to a variable that receives the thread identifier.
If this parameter is NULL, the thread identifier is not returned.


------

Return Values:

If the function succeeds, the return value is a handle to the new thread.

If the function fails, the return value is NULL. To get extended error information, call GetLastError.

Note that CreateRemoteThread may succeed even if lpStartAddress points to data, code, or is not accessible.
If the start address is invalid when the thread runs, an exception occurs, and the thread terminates.
Thread termination due to a invalid start address is handled as an error exit for the thread's process.
This behavior is similar to the asynchronous nature of CreateProcess,
where the process is created even if it refers to invalid or missing dynamic-link libraries (DLLs).


-----

Remarks
The CreateRemoteThread function causes a new thread of execution to begin in the address space of the specified process. The thread has access to all objects opened by the process.

The new thread handle is created with full access to the new thread. If a security descriptor is not provided, the handle may be used in any function that requires a thread object handle. When a security descriptor is provided, an access check is performed on all subsequent uses of the handle before access is granted. If the access check denies access, the requesting process cannot use the handle to gain access to the thread.

The thread is created with a thread priority of THREAD_PRIORITY_NORMAL. Use the GetThreadPriority and SetThreadPriority functions to get and set the priority value of a thread.

When a thread terminates, the thread object attains a signaled state, satisfying any threads that were waiting for the object.

The thread object remains in the system until the thread has terminated and all handles to it have been closed through a call to CloseHandle.

The ExitProcess, ExitThread, CreateThread, CreateRemoteThread functions, and a process that is starting (as the result of a CreateProcess call) are serialized between each other within a process. Only one of these events can happen in an address space at a time. This means the following restrictions hold:

1) During process startup and DLL initialization routines, new threads can be created, but they do not begin execution until DLL initialization is done for the process.
2) Only one thread in a process can be in a DLL initialization or detach routine at a time.
3) ExitProcess does not return until no threads are in their DLL initialization or detach routines.



Terminal Services: Terminal Services isolates each terminal session by design. Therefore, CreateRemoteThread fails if the target process is in a different session than the calling process.





Windows NT/2000/XP: Included in Windows NT 3.1 and later.
Windows 95/98/Me: Unsupported.
Header: Declared in Winbase.h; include Windows.h.
Library: Use Kernel32.lib.


--------------------

ok i copied it from msdn to here :P

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&threadm=cl8L4.162599%24bm.706013%40news1.alsv1.occa.home.com&rnum=2&prev=/groups%3Fq%3DLLProc%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26safe%3Doff%26selm%3Dcl8L4.162599%2524bm.706013%2540news1.alsv1.occa.home.com%26rnum%3D2

Have a look at that site
It's an example of CreateRemoteThread() somone wrote...
I hope it's explanable from there?

plz post, and tell me if there shuold be part III
to fulfill something i haven't said right now
i will be glad to
if i had time


thats it for now
my eyes are draining

ok, thank you for reading PART II of my tutorial on how to inject a dll...

quiz:

What is dll injecting? And are its uses? And how do you do it? please elaborate :D :D

cya
-NRR TGA (aka NazSoft)
-CrankHank|EFNet#C++

Write to:
the-legions@mail.ru

DLL Injection - Part ONE - English

Article in english, this a short preamble by Guardian Angel

In questo momento, che io definisco "particolare", credo che tutti quelli che si occupano di informatica o hanno a che fare con il web, non sanno piu di che cosa parlare per non essere eventualmente fatti oggetto di segnalazioni o minacce. Qualsiasi cosa comunque, potrebbe essere usata contro di te, a meno che non parli della collezione di farfalle o delle tette della strafica di turno.
Io non ho una collezione di farfalle.
Non mi piace la gomma da masticare o manipolare chili di silicone.
Non mi piacciono le strafiche, mi piacciono le donne vere, in particolare una, da sempre, e prima o poi (anzi molto presto) credo che sara' l'unica.
Sono all'antica su certe cose, quindi come sempre controcorrente. Questo blog e' controcorrente.
Noi siamo per la libera circolazione delle idee e delle conoscenze. Noi siamo per il rispetto di tutti gli esseri umani che sono uguali, nella loro diversita'.
Ricordatevi che se mando articoli come questo, non e' che voglio incitare a fare i lamer da strapazzo, perche' questo e' il modo migliore per farsi beccare e ritrovarsi in un orto di cetrioli, se diffondo articoli cosi, e' perhe' vorrei che tutti siano in grado di conoscere determinate tecniche, non a scopo lesivo per altri, bensi per sapere come evitare perlappunto di trovarsi a vendere cetrioli.

E' in inglese, ed e' destinato a quelli che sono la parte "tecnica" dei lettori, con questo intendo dire appassionati non migliori. Chiunque puo fare determinate cose, basta soltanto cominciare.

























****************************
**
** BY: NRR - TGA
** Subject: DLL Injection - Part ONE
**
** -You'll probably steal this, and change my name to your name
** Then distribute like you want
** It's not like i can do anything about it, i'm just a poor lad
** who wishes the best for everyone...that's all
** --
** The original one is in this site all the time anyway, so don't waste your time :D :D
**
** The first revision is in www.planetsourcecode.com
**
** I have made some changes on this revision, and posted it to some other sites...
**
** Revision 2
**
****************************


It's time to rock! Time to have fun...
I'll tell you what DLL Injection is...
All explained simply, as if you're a dull, dumb donkey.

"Injecting a dll into a running process, is inserting the dll into the running process's address space.."
What you all -should- know is that when a process loads a DLL, whether statically or dynamically, it gets loaded into
the process's address space. Which means that, the process's/DLL's variables/memory in general, are all accessible
with normal C++ pointers by the DLL or the Process itself.

I'll explain how it works on win95/98/ME/XP/2k/NT everywhere :D --i did it all on VC++6... so i prefer
this compiler... Should work on .NET , probably on earlier versions too, I donno :P

One good use of DLL Injection would be to program an "API Spy" for example.
I called it like so and so have many other programmers. What such similar program would do is, according to some
specifications the user has provided, "Inject" a DLL into the chosen running process which monitors certain functions
of certain loaded DLLs and saves a log file of what function arguments were passed to that particular function.

Remember that when a DLL is loaded by a process, its image is loaded into the process's address space,
thus allowing both to access each other's variables simply using c++ pointers. Very interesting ;)...

Talking at a lower level, what my API Spy exactly does is 'debug' the chosen running process and thus suspending all of its threads.
It will then use some special API functions to be able to read it's private address space...(Read/WriteProcessMemory())
It will seek some place to inject some code into. It is ASM code ofcourse. What this ASM code does is: LoadLibrary("DLLtoINJECT.dll");
And add a breakpoint after the code. Then simply let the process run, starting with the beggining address of the injected code.
When the breakpoint is reached, the threads are suspended again and the API Spy restores whatever bytes it has modified and restores
all the registers and thus continuing with normal execution like if nothing happened. Kind of like hypnotising someone, slapping him, and bringing him back.
He'll have no idea of what just happened. Anyway, The loaded DLL does its job normally. Simple as that.

I told you what I shouldn't have... Don't think about all this now... PART II Explains the debugging part...

Some of you, so called 'experts', or probably arrogantly think they are experts, might tell people about CreateRemoteThread()...
Let me tell you this my friends...

"...it works on win95/98/ME/XP/2k/NT everywhere..."
-Above

Yes, also on win3.x and win32s, provided you do some small modifications...

I made a WSOCK32.DLL spy for mirc.exe... (mIRC chat client)
MAN !!! i had fun! I posted the log file with the tute...

Basically, DLL Inection gives you FULL control over an app.
Some of you script kiddies might think it's good for hacking, but once you get the hang of it, you'll have so much fun, that you'll drop hacking.
Hacking is bad. STAY AWAY FROM HACKERS

There are things you need to know before you read this article (Sorry couldn't just show 'em all, they're too much)

http://msdn.microsoft.com can be used to learn "ALL" of them

1) Memory management...You need to know how windows manages it's memory

2) PE/COFF Headers specifications <--the most important thing if you're doin this in win9x/ME -- 3) Basic debbuging APIs...Those are some APIs that help you to debug certain apps. 4) enough knowlege of asm...and OPCODES of instructions hmmm I think, if you read the WHOLE section of "Base Services" in The MSDN library, you should be able to learn all them steps(including PE/COFF SPECS) :P :P :P,, don't worry, i'll help you enough to find the articles that you need. Except ASM ofcourse, need to get some small "asm tutorial", then learn some "32bit asm" (API) Also read about Windows' calling conventions. ASM will help. First, let me tell you, i hate lazy people. You want to learn dll injection? atleast be glad that i posted some info in here, it took me a whole week to prepare an article like this. I'm not just giving you the butter, you need to research on your own...i'm just giving you a starter, and enough info to search on your own. If you don't like researching, then this article isn't for you. i'm sorry... ---Oh, forgot to mention, I love you "Matt Pietrek" I love you. You are Number one! I hope you read this! You can count me as one of your favorite students :P :P :P lol --- OK... How do i start? I told you what DLL Injection is... Well i'll talk more about it... Check the following links to learn what you need to learn: (I'll leave the asm part to you..search for it :D) *) Don't read it, i just found it interesting :P http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsetup/html/dlldanger1.asp Base services section in msdn library is here: msdn.microsoft.com/library section: Windows Development->Windows Base Services

1) DLLs, Processes, and threads : read the dll section ( just learn to make a small dll that exports a function),
So basically, look at DllMain() dll callback function in msdn, it should be like a crash course on Dlls.
Processes, and thread, are really not necessary to read, but it's recommended to. Look at the reference instead.
Just have an overview on the function names, and what they do.. Just helps to give you some inspirations when needed :).
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/dynamic_link_library_creation.asp


2) Debugging: (Read the basic debugging section only. It's easy BELEIVE ME)
(For PE Headers: read the Image Help Library, or look at step 3 instead)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/dynamic_link_library_creation.asp

3) Download the PE/COFF Format specifications file... It's a bit hard, but as i said, i'll help you through...
Just have a small peek at the Image Help Library section... Don't screw your self up :)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/dynamic_link_library_creation.asp

--- All of what i said, won't be REALLY neccessary if you are following me right.

Alright, let's start... What i'm doing is programming an API Spy. What this program does is, when the DLL I made becomes loaded into the address space of
the selected app, it monitors the MessageBoxA() function (if it was in the app's import table) and prepends "Nassoooor sez: " to every
MessageBox shown by the program. This is were knowledge of PE/COFF Format specs. is required.
(Note that i got my inspiration from Matt Pietrek's MEGA book, Windows 95 programming secrets - god bless you)

I'll start in a reverse way...
I'll make the DLL file first...
--
I'll put 3 functions in the DLL, which write the information to the log files (do them on your own :P)

HANDLE OpenLog( char *FileName );
BOOL AppendLog( HANDLE hLog, char *buffer, DWORD bufSize );
BOOL CloseLog( HANDLE hLog );
--
Read CreateFile() in msdn, it will help you make those 3 functions
OpenLog basically just does this:
return CreateFile( FileName, GENERIC_WRITE|GENERIC_READ, FILE_SHARE_READ, OPEN_ALWAYS, 0, 0 );
GENERIC_*: open file for read/write||
FILE_SHARE_READ: apps can read file while handle to it is opened
OPEN_ALWAYS: Open file, or create it if it does exist

AppendLog(...):
use SetFilePointer( hLog, 0, 0, FILE_END ) to set pointer to end of file
Then WriteFile() to write buffer to file :D

CloseLog(..):
CloseHandle( hLog );

that's it

--
Dude, if you haven't been able to understand all that, then believe me, this tutorial is not for you. Go out and play. Have fun, do your job. Just leave this tutorial alone.
--

First you need to make a dll, here is what it should do:

Put the 3 logfile functions in the dll...
When the dll is loaded ( in DllMain() ), and fdwReason is equal to DLL_PROCESS_ATTACH, do this:
Create the log file (OpenLog)
Append: "******************\r\nDLL_PROCESS_ATTACH\r\n"; (\r == CR, \n == LF -- in windows, atleast)
Then, Call the function that will "HOOK" MessageBox from the calling process.
........

The function that will "HOOK" MessageBox():

To hook MessageBox(), you must create a function that will be called INSTEAD of it.
Therefore, the function's definition must be exactly like the one of MessageBox:

int MessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType); //This is how it's declared in msdn

int WINAPI MyMsgBox(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype); //This is how you declare it

//WINAPI is a calling convention, Search "CALLING CONVENTIONS" on msdn, it means push the parameters of the function
into the stack from Right-To-Left, instead of Left-To-Right (aha! Did you read an asm tutorial? tsk tsk tsk)

--Just always add WINAPI when it's an API function :P

Ok, and now you need to create a function type:

typedef int(WINAPI *MyMsgBoxProc)
(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype); //I hope you know what this means?

************************************
* Always remember that IRC chat rooms will help you alot in your programming.
* download mIRC if you're using windows..mIRC is a chatting client...www.mirc.com
* Enter "EFNet" server -- Channel: #C++,,, I'm CrankHank....or ask the operators for help,they're more preferable
***********************************

Okay, Did you read about PE headers??
Here is the code of the DLL:

// Hook proc.cpp
//

#include
#include
#include
#include

using namespace std; //Don't tell me you don't know what standard C++ is??

#define LogFile "d:\\logs\\LOG.txt"
#define Append(text) AppendLog(hLogFile, text, strlen(text))
//hLogFile is the global variable defined below:

HINSTANCE g_hInst=0;
HANDLE hLogFile=0;

BOOL DoHookProcs();
PROC WINAPI HookImportedFunction(HMODULE,PSTR,PSTR,PROC); //inspiration from Matt Pietrek

BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID _Reserved)
{
switch(dwReason)
{
case DLL_PROCESS_ATTACH:
g_hInst = hInstance; //Remember dll instance

hLogFile = OpenLog( LogFile );
Append("\r\n************************\r\nDLL_PROCESS_ATTACH\r\n"); //(look at the #defines above
//The handle is a global variable in my case, so didn't need put it

DoHookProcs(); //<--main function return true; //if you return false, then the process that called LoadLibrary() will return 0 break; case DLL_THREAD_ATTACH: Append("DLL_THREAD_ATTACH\r\n"); //Remember that a program can have more than one thread break; //So you need to handle them in here, and in the next case,,,but, This is just a fast program //for processes with one thread,,works for them with multiple threads, but not all the time case DLL_THREAD_DETACH: Append("DLL_THREAD_DETACH\r\n"); // break; case DLL_PROCESS_DETACH: Append("DLL_PROCESS_DETACH\r\n********************\r\n\r\n"); //append (look at the #define) CloseLog(); //ummmmmmmmmmmmmm, guess what this does? return true; break; }//end switch(dwReason) return true; } //////// OK i hope you understood this, UNTIL NOW... Now all we have left is DoHookProcs(), then HookImportedFunction() If you haven't.. Then I think nothing from now on shall be understood.. //////////////////// /* Now, we need to "hook" MessageBoxA() If you learned PE/COFF header specs, then this should be easy What you need to know is look for the Import Table of the module loaded in memory(Running process). //You can get the module's base address by doing this: GetModuleHandle(0); (in the dll, HMODULE == BaseAddress of module) ...yeah, if you look at that address, you'll see the first bytes as the signature of a DOS MZ file!!! (READ THE PE/COFF SPECS THAT I INSTRUCTED YOU TO) ----------- After you find the import table, you iterate(enumerate) the functions imported in the dll (Note that a function will not be in the import table if it was loaded at run-time, not statically!) Look for the function that you want to hook, in our case, it's: DLLFile= USER32.DLL FUNCTION= MessageBoxA Remember that case is sensitive, and the 'A' at the end of MessageBox is also important. It's just declared like that in the DLL file, and vc++ (windows.h) does a #define MessageBox MessageBoxA Therefore MessageBox() is not a real function in the DLL, but MessageBoxA() is. ----------------- OKAY! - According to the PE/COFF specs that i told you to read.. In the .exe file, you'll find the function name in the import table, but when the image is in memory You WON'T... Only the entry point of the funcion (MessageBoxA()) will be in memory... You want the entry point. So ofcourse, you must look at the image in memory. You are already doing that. You need to get the entry point of "MessageBoxA" (in the HookImportedFunction() proc) using this: GetProcAddress(GetModuleHandle("USER32.DLL"), "MessageBoxA"); //Note that i used GetModuleHandle... because USER32.dll is "SUPPOSED" to be already loaded, because the app calls //MessageBoxA from USER32.dll, right? So it must load the dll file in it's address space in order to do it! hehe // // So, you did GetProcAddress() to get the procaddr of MessageBoxA().... --------- Like I said, read The MSDN Library if you found an ununderstood function... and now, So you found the function in the import table... now what you need to do, is just save that value(entry point) --incase you wanted to restore it-- and replace it with your new entry point...Which will be your MyMsgBox()'s entry point.. Cool huh?? So whenever the program calls MessageBoxA()... MyMsgBox() gets called instead... In the function MyMsgBox(), you can do what ever it is that you want... And after you're done, you can either call the original MessageBoxA() function to let the program work normally as if no change has occured. BUTTTTTTTTTTTTT, not through just simply calling the function MessageBox(), doing that will be like recursively calling the MyMsgBox() function. What you must do is call the addr returned from GetProcAddres() that i told you to call, above^^ So, if you did this: OriginalMessageBoxProc = (MyMsgBoxProc)GetProcAddress(GetModuleHandle("USER32.DLL"), "MessageBoxA"); What you then must do is this: OriginalMessageBoxProc( hWnd, lpText, lpCaption, uType ); //simple :D :D :D :D ^ |<--------------------------------\ | ok, you got that?????? now let's get to the code: | //Lets declare some things: |__________________________________________________________________ | typedef int(WINAPI *MyMsgBoxProc)(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype);//remember this? | MyMsgBoxProc OriginalMessageBoxProc; //<--------------This is where we store the original MessageBox()--/ // Macro for adding pointers/DWORDs together without C arithmetic interfering -- I got it from Matt Pietrek's book // Thought it'd be great to use.. #define MakePtr( cast, ptr, addValue ) (cast)( (DWORD)(ptr)+(DWORD)(addValue)) //This code is very similar to Matt Pietrek's, except that it is written according to my understanding... //And Matt Pietrek's also handles Win32s --(Because they have some sort of a problem, or something) PROC WINAPI HookImportedFunction(HMODULE hModule, //Module to intercept calls from PSTR FunctionModule, //The dll file that contains the function you want to hook PSTR FunctionName, //The function that you want to hook ("MessageBoxA" in our case) PROC pfnNewProc) //New function, this gets called instead { PROC pfnOriginalProc; //Read up MSDN for these IMAGE_DOS_HEADER *pDosHeader; IMAGE_NT_HEADERS *pNTHeader; IMAGE_IMPORT_DESCRIPTOR *pImportDesc; IMAGE_THUNK_DATA *pThunk; if ( IsBadCodePtr(pfnNewProc) ) return 0; // Verify that a valid pfn was passed --look at msdn-- pfnOriginalProc = GetProcAddress(GetModuleHandle(FunctionModule), FunctionName); //remember this? if(!pfnOriginalProc) return 0; pDosHeader = (PIMAGE_DOS_HEADER)hModule; //Look at ImgHelp function reference in the Image Help Library section in msdn ////////////////// To do this in an easier way, according to your imaginations ////////////////// I'm doing it this way, so you'd learn exactly what's happening //hModule is the Process's Base address, remember? (GetModuleHandle(0)) <-- even if called in the dll, it still // gets the hModule of the calling process //---That's why i saved hInstance of DLL, g_hInst, in DllMain(), because it's the only way to get it(i think) // Tests to make sure we're looking at a module image (the 'MZ' header) if ( IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)) ) return 0; if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE ) //Image_DOS_SIGNATURE is a WORD (2bytes, 'M', 'Z' 's values)
return 0;


// The MZ header has a pointer to the PE header
pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew); //it's like doing pDosHeader + pDosHeader->e_lfanew
// e_lfanew contains a RVA to the 'PE\0\0' Header...An rva means, offset, relative to the BaseAddress of module
// (Or file offset)----pDosHeader is the base address..and e_lfanew is the RVA,,, so summing them, will give you the
// Virtual Address..


// More tests to make sure we're looking at a "PE" image
if ( IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)) )
return 0;
if ( pNTHeader->Signature != IMAGE_NT_SIGNATURE ) //IMAGE_NT_SIGNATURE is a DWORD (4bytes, 'P', 'E', '\0', '\0' 's values)
return 0;

// We now have a valid pointer to the module's PE header. Now get a pointer to its imports section
// This is where action and adventure starts
pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDosHeader, //IMAGE_IMPORT_DESCRIPTOR *pImportDesc;
pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

//What i just did was get the imports section by getting the RVA of it(like i did above), then adding the base addr
//to it
//////////// pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
//////////// IMAGE_DIRECTORY_ENTRY_IMPORT==1 -- Look at that PE documentation i gave you in the links section
//////////// They are the only good ones i found in the internet,,,Also Pietrek's articles in MSJ and MSDN Magazine will
//////////// Be real helpful!


//Go out if imports table doesn't exist
if ( pImportDesc == (PIMAGE_IMPORT_DESCRIPTOR)pNTHeader )
return 0; //pImportDesc will ==pNTHeader,, if the RVA==0,,, cause pNTHeader+0==pNTHeader -> stored in pImportDesc
//Therefore, pImportDesc==pNTHeader

// Iterate through the array of imported module descriptors, looking
// for the module whose name matches the FunctionModule parameter
while ( pImportDesc->Name ) //Name is a DWORD (RVA, to a DLL name)
{
PSTR pszModName = MakePtr(PSTR, pDosHeader, pImportDesc->Name);

if ( stricmp(pszModName, FunctionModule) == 0 ) //str"i"cmp,,, you should ignore cases when comparing, in our case
break; //or strcmpi() in some compilers

pImportDesc++; // Advance to next imported module descriptor
}

// Get out if we didn't find the Dll name.
// pImportDesc->Name will be non-zero if we found it.
if ( pImportDesc->Name == 0 )
return 0;

// Get a pointer to the found module's import address table (IAT) =====IMAGE_THUNK_DATA *pThunk;
pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk);
//This is what i was talkin about earlier...
//In pThunk, if it was image loaded in memory, you'll get the address to entry point of functions
//but in a disk file, It's a function name

// Look through the table of import addresses, of the found DLL, looking for the function's entry point
// that matches the address we got back from GetProcAddress above. (remember?)

while ( pThunk->u1.Function )
{
if ( (DWORD)pThunk->u1.Function == (DWORD)pfnOriginalProc )
{
// We found it! Overwrite the original address with the
// address of the interception function. Return the original
// address to the caller so that they can chain on to it.
pThunk->u1.Function = (PDWORD)pfnNewProc; // pfnNewProc is in the parameters of the function
//pfnOriginalProc = (PROC)(DWORD)pdw1;
return pfnOriginalProc;
}

pThunk++; // Advance to next imported function address
}

return 0; //function not found!!!!!
}
-------------------------------------------------------

THAT"S IT!!!!!!!
Ok, i'm glad we finished this function :P

remember the declarations?
{

//Lets declare some things:

typedef int(WINAPI *MyMsgBoxProc)(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype);//remember this?

MyMsgBoxProc OriginalMessageBoxProc; //<--------------This is where we store the original MessageBox() } This is how you call the above function,, OriginalMessageBoxProc = (MyMsgBoxProc)HookImportedFunction( GetModuleHandle(0), "USER32.DLL", "MessageBoxA", (PROC)MyMsgBox) ^^^^Insert this in the DoHookProcs() function... ok,,,,,,so this is the finished off dll: BOOL WINAPI DllMain(...) { . case DLL_PROCESS_ATTACH: g_hInst = hInstance; //Remember dll instance hLogFile = OpenLog( LogFile ); Append("\r\n************************\r\nDLL_PROCESS_ATTACH\r\n"); //(look at the #defines above //The handle is a global variable in my case, so didn't need put it DoHookProcs(); //<--main function return true; //if you return false, then the process that called LoadLibrary() will return 0 break; . . } and: BOOL DoHookProcs() { OriginalMessageBoxProc = (MyMsgBoxProc) HookImportedFunction( GetModuleHandle(0), "USER32.DLL", "MessageBoxA", (PROC)MyMsgBox); //check if no error occured, return false, if error, true if no error if(!OriginalMessageBoxProc) return false; return true; } okkkkkkkkk So the function MyMsgBox gets called instead of MessageBox()... Let's see how the funciton looks like,, this should be simple: int WINAPI MyMsgBox(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype) { int ret; //need to save ret value ofcourse char bufText[1024], bufCaption; strcpy(bufText, "Nassoooooor sez: "); strcat(bufText, lptext); strcat(bufText, "\n\n\n SAVED TO LOG FILE!!"); strcpy(bufCaption, "Caption=="); strcat(bufCaption, lpcaption); /////Do whatever crap that you want ret = OriginalMessageBoxProc( hWnd, bufText, bufCaption, utype ); //If you call MessageBox( instead,,, // one of 2 might happen: // 1) Get redirected back to this function, so it becomes like an infinite recursion function, until crash // 2) MessageBox() of the dll will be called. It has nothing to do with the process... // --Think, which of these 2 will happeN? if you did as i told you, and read the links that i gave you, and understood // all this, then you shuld have no problem in asnwering this quesion :D :D :D // Maybe do some stuff here Append("MessageBoxA Called!\r\n\tText=\"") Append(lptext); Append("\"\r\n\tCaption=\""); Append(lpcation); Append("\"\r\n\treturn value=...); . . ................. return ret; } that's it, we're done!! okay,,, when you put these functions in the dll, make this new program: win32app: in: WinMain(..) { HMODULE hModule; MessageBox(0, "Function not intercepted!", "NazSoft INFO BOX", 0); if(! (hModule=LoadLibrary("MyDll.dll")) ) MessageBox(0, "Function could not be intercepted!", "NazSoft INFO BOX", 0); else MessageBox(0, "Function intercepted!", "NazSoft INFO BOX", 0); FreeLibrary(hModule); MessageBox(0, "Function called after freeing library,,, A program crash will occur here, because we didn't restore the import table as it was :D :D", "NazSoft INFO BOX", 0); return 0; } MyDll.dll is that compiled dll above ------------------- That's it for PART ONE... You injected a dll into a process.. but it's not what we want, cause you need source code, recompilation, etc... In part two, i'll teach you how to do this in processes not yours... Just start a program like mirc.exe,, without modifying the source code,, and intercept the winsock fucntions,,, it's gonna be fun... So until then,,,.... cyaaaaaaa then, i'm posting part 2... It's ready already ;) so hurry up
lol cya

the-legions@mail.ruNon fare esperimenti se non sai che cosa stai facendo. Soprattutto usa il cervello e non pensare di essere furbo. Ci sara' sempre qualcuno che e' piu furbo di te. Se qualcuno avesse intenzione di usare quanto sopra a scopi non chiari, e' vivamente pregato di non contribuire con un operato non in linea con i principi esposti nella premessa, a rendere solo piu potenti i Grandi Censori della Rete.

ASTALAVISTA

Viva il presidente stallone - Silvio difeso dai Papi Boys-ITALIA CHE COSA STAI FACENDO?

Dopo i risultati del voto, dopo queste notizie, ho voglia di dire una sola frase:

ITALIA CHE COSA STAI FACENDO?

Continua la disfatta dello Stato Italiano, su quasi tutti i fronti, e vorrei essere ottimista usando il condizionale, ma non lo sono affatto.

Tengo a precisare che io personalmente non ho nessuna intenzione di farmi rappresentare al Parlamento Europeo da un Borghezio o da uno "Stallone" degni di un film- commedia della peggiore saga ital-deficente.

Come cittadino italiano, critico apertamente e profondamente tutti gli italiani che, con quale coraggio non lo so ancora, continuano a NON VOLER CAPIRE che non siamo in una telenovela, o forse Mediaset e' una droga cosi potente che ha rammollito il cervello di molte persone, oppure se e' vero quel detto che "gli uomini ad una certa eta diventano maiali" ebbene, questo e' il risultato.

Come uomo e come cittadino italiano (se continua cosi rinuncio alla cittadinanza italiana e lascio quella statunitense) mi dissocio apertamente da tutto questo che io definisco "schifezza" roba che fa impallidire i giornaletti porno.

Guardian Angel e' di sinistra. Questo blog e' di sinistra. Guardian Angel sono io, lo stallone e' un a figura che potrbbe andare o in una scuderia o tra le lenzuola, dipende dai gusti, io in questo momento direi che e' una figura da DARSI ALL'IPPICA con tutti i rincoglioniti Papy Boys che pensano che una dose di Viagra sia la soluzione alle loro porcal-voglie.

No, io non sono un santo, non faccio sesso-astinenza, sono un uomo anch'io, ma non penso che la virilita' sia qualcosa che vada ostentata o peggio, debba diventare un mezzo per fare adepti. E poi ci si lamenta delle donne che vengono violentate, ci si stupisce se la tua amica ha paura a tornare a casa con l'autobus, adesso non mi stupisco piu, anzi, e' da un bel po di tempo che non mi stupisco piu di niente, da quando ho visto che pure nel mezzo di un terremoto ci sono i "Boys". E adesso lo dico.

Molte donne qui (L'AQUILA SI ABRUZZO TERREMOTO) hanno rischiato di essere infastidite, ma la parola e' un'altra, non la posso dire ma e' facile da immaginare.

Mi vergogno di tutto questo, non ho parole per esprimere il mio disappunto e la mia insoddisfazione, ce l'ho apertamente con tutti quelli che non si stanno rendendo conto che stiamo precipitando in un baratro che porta la nostra Nazione indietro di un secolo minimo, come modo di pensare e come tutto il resto.

Passo alla notizia, questa e' stata diffusa via web, purtroppo, e' una delle poche volte che avrei voluto non diffondere un bel cazzo di niente.

Silvio difeso dai Papi Boys

Notizia del 8 giugno 2009 - 09:00

Al grido di "Viva il presidente stallone", interi gruppi di lettori di Libero.it prendono le parti del Premier sostenendo che tiene alta nel mondo l'immagine dell'italiano stallone. Davvero?

di Giorgia Camandona

Chi pensava che certe foto di ragazze sdraiate a bordo piscina avrebbero fatto scalpore si sbagliava di grosso. Altro che opinione pubblica sconvolta e scioccata. Altro che indignazione. Qua nessuno è più capace di storcere il naso. Tra i lettori di Libero.it sono in tanti a difendere Berlusconi, lo osannano addirittura, per le sue (presunte) doti di latin lover, per l'immagine da macho italiano che esporta (ma non stavamo esportando grandi figuracce?). Chiamateli pure Papi Boys.

Viva il Papi che brinda al compleanno di Noemi. Viva il Papi lui sì che sa organizzare le feste. Viva il Papi che ha una bella villa in Sardegna. Viva il Papi che è ricco e famoso e tutte le donne lo vogliono. Il senso è questo. Più o meno come quando i ragazzini impazzivano sotto il balcone di Corona appena scarcerato e questo gli lanciava le mutande con il suo nome sopra. Lo stesso genere di ammirazione, per chi finisce sui giornali (non importa per quale ragione), per chi ha denaro e belle donne. Sono questi i valori dell'italiano medio.

Manu706 la butta sul che ce ne importa, mica sono affari nostri: «Non posso credere che il quotidiano spagnolo non avesse di meglio da pubblicare! Ma chi se ne frega di cosa fa Berlusconi a casa sua? Chi se ne frega di cosa fanno i suoi ospiti? Chi se ne frega se va alla festa di una ragazzina?». Lallapiro sostiene che tutte le donne vorrebbero essere al posto di quelle ritratte nelle foto, a bordo piscina: «L'invidia fa parlare.... quante vorebbero stare al posto delle veline?». Poi c'è chi tira fuori Sircana: «Penso che sia meglio avere la casa piena di belle donne ( come quelle nelle foto e tutte maggiorenni) che andare in cerca di travestiti o squillo, per strada e negli alberghi». Alvin non fa giri di parole: «Beato lui (Silvio, ndr.) che può». Qualcuno fa notare che Noemi all'epoca delle foto era minorenne e Caspiterinz ha subito la risposta pronta: «Adesso siamo al ridicolo, allora io che ospito un amico di mio figlio che ha 17 anni e mezzo sono una pedofila??????» con tanti punti interrogativi.

E infine il grande classico: è tutta invidia. Iaietta82 chiosa: «Perché è proibito stare nudi in casa o invitare qualcuno nel proprio giardino! Vabbè che siete pieni di invidia e di odio ma francamente fate davvero ridere!».

Sì, facciamo davvero ridere, ma per motivi diversi

Notizia del 5 giugno 2009 - 12:00

Sequestrate in Italia, le pubblica stamattina "El Pais". Sono cinque: tanga e topless, Berlusconi in nero, un uomo nudo e gente che prende il sole. Il premier: «Non ho nessuna paura ma questa è una violazione del privato e una aggressione scandalosa»

"Las fotos vetadas por Berlusconi", il concetto in spagnolo suona così. Alla fine è stato El Pais a pubblicare "una selezione delle fotografie delle feste del Cavaliere". I famosi scatti di Antonello Zappadu (già denunciato dal premier per violazione della privacy e tentativo di truffa) a Villa Certosa nel maggio 2008, quelli sequestrati dalla Procura di Roma. Il fotografo sardo ieri aveva buttato il sasso: le ho vendute all'estero. E oggi abbiamo scoperto a chi. El Pais ne pubblica 5: ragazze in tanga e topless, un ospite maschile nudo, Berlusconi in nero, gente varia che prende il sole sui lettini. Niente di più niente di meno.

Le facce sono oscurate, tutte tranne quella del padrone di casa. C'è da dire che i toni degli articoli che accompagnano le immagini sono piuttosto duri. Tanto che certi titoli di casa nostra sono carezze al confronto. «Le foto - si legge nell'editoriale - non violano la privacy del primo ministro ma svelano la sua deriva autoritaria. Se finora le sue uscite erano state prese come uno scherzo, oggi esistono nuovi e gravi motivi per avvertire che il premier sta mettendo a rischio il futuro dell'Italia come Stato di diritto». Stangata finale: «Un'Italia che scivola lungo la china verso la quale la sta trascinando Berlusconi non è un motivo di preoccupazione solo per gli italiani, ma per tutti gli europei».

Giornali esteri amici e complici della sinistra italiana? Manco tanto visto che su El Pais, tra i tanti sul Noemigate, c'è un titolo che recita così: "Dónde está la izquierda italiana?"

Le foto di Villa Certosa pubblicate da El Pais

La lettera di Silvio Berlusconi al Garante della Privacy dove il Premier chiede di inibire la pubblicazione delle foto che lo riguardano

Scoop di l'Espresso che racconta delle feste di capodanno del Cavaliere tra donne, gioielli, shopping, balli e bagni in piscina. Nella foto: Camilla Ferranti

Ricordate Imma, la concorrente del reality "Un due tre... Stalla!" di Mediaset? Ebene, c'era anche lei secondo l'Espresso

Insieme a Marianna e Emanuela, gemelline sexy già meteorine di Emilio Fede

Peter Gomez e Marco Lillo hanno scovato una gola profonda, una partecipante al capodanno sexy in Sardegna del Cavaliere

Quello a cui sono state invitate anche Noemi e la sua amica Roberta (all'epoca ancora 17enni), per intenderci

Colpisce, tra le varie storie riportare da l'Espresso a base di feste e donne, il racconto su Sabina Began e sul suo tatuaggio: una farfalla circondata dalla frase "L'incontro che ha cambiato la mia vita: S. B." Ecco questa si e' data all'ippica come si vede alle sue spalle

Non è la prima volta che Silvio accoglie a casa sua giovani ragazze. Il settimanale "Oggi" pubblicò alcune foto, anche in copertina, dedicate a Silvio Berlusconi e alle sue giovani ospiti

Silvio non ha gradito la pubblicazione di queste immagini e ha minacciato querele contro il settimanale

Una delle misteriose ragazze che tiene per mano Berlusconi è Angela Sozio, ex concorrente del Grande Fratello "Stasera vado a giocare a bocce"

Le Silvio's girls (Belle bocce pero')

Si proprio belle bocce Bel gioco, altro che palestra............



Adesso, mando i risultati delle bocce, cioe' delle elezioni, qui tra bocce ed elezioni SONO RIMASTO SENZA PAROLE
Comunque, quello che fa Berlusconi nella vita privata sono cavoli suoi, io ce l'ho con quelli che lo votano.

Verso Strasburgo ladrona

L'Europa svolta a destra e da noi stravince la Lega. Frena il Pdl e a sinistra cala anche il Pd. Soddisfatto? Moltissimo Grazie. Libero chiaamati solo Infostrada e' meglio per te dammi retta (G.A.)

di Daniele Passanante Evidentemente ha pagato fare proseliti sul tema dei clandestini e la Lega ha vinto ancora. In Veneto alle Provinciali si è sfiorato addirittura il testa a testa tra Carroccio e Pdl, anche se alla fine il sorpasso non c'è stato. Persino Silvio Berlusconi che in campagna elettorale si è guadagnato la tessera virtuale della Lega (era il 10 maggio quando Roberto Calderoli aveva commentato il "no" del presidente del Consiglio alla società multietnica) ha cavalcato la tigre del clandestino e Ignazio La Russa a cose fatte l'ha accusato di avere fatto propaganda a Bossi. Risultato: il Popolo della Libertà ha perso qualche consenso, complice l'astensionismo galoppante (ha votato il 67% degli aventi diritto, il 6% in meno delle ultime Europee) e forse il caso Noemi. Ma il centrodestra nel suo complesso può stare tranquillo con il 45 per cento abbondante e l'Umberto può esultare. E infatti quel 10% raggiunto a livello nazionale era al di là di ogni aspettativa: «Se ci arrivassimo - aveva detto dopo aver votato in un seggio della sua Gemonio - sarei contento, molto contento». Situazione simile anche nel centrosinistra dove cala anche il Partito democratico, fermo al 26% (alle politiche aveva ottenuto il 33,2%). I sondaggi però davano il partito guidato da Dario Franceschini al 22% solo qualche mese fa e in fondo il Pd non ha perso moltissimo, mentre l'Italia dei Valori è salita all'8%. Insieme raggiungono il 34%, in totale 3 punti circa in meno rispetto alle Politiche dell'anno scorso. Ancora una débacle per la sinistra radicale che si è presentata divisa tra Prc-Pdci da una parte e Sinistra e Libertà, dall'altra. Potevano farcela se si fossero presentati insieme: la somma dei due partitini rosso-verdi raggiunge infatti il 6,5%. E invece distinti restano a casa e ottengono l'uno il 3,4% e l'altro il 3.1% senza raggiungere la quota di sbarramento del 4%. Un risultato che sommato a quello di Pd e Idv avrebbe portato il centrosinistra al 40.5%. Senza contare i Radicali, sconfitti anche loro con il 2.4%. Passa invece col 6.5% l'Udc di Pierferdinando Casini, partito che Massimo D'Alema ha provato a portare dalla sua parte senza risultato. Se il baffo della sinistra ci fosse riuscito, l'Italia sarebbe stata spaccata esattamente in due.

Signori Signore e Indecisi "Vado a vivere in campagna"


ASTALAVISTA
Oggi siamo in lutto, per cui abbiamo a cena tutta la Santa Inquisizione.
C'e' pure Frate Pomicione.
Tanto per stare al passo coi tempi.
E Sorella Luna.
Vestita di pelle.
UMANA

HELP REQUEST FOR THE ITALIAN FRIEND: ENRICO FORTI Sentenced to life in the USA (The final indictment of Public Prosecutor)

From:


The-Legions Pages on Facebook (USA)

To "\ALL/" USA Friends

HELP REQUEST FOR THE ITALIAN FRIEND: ENRICO FORTI Sentenced to life in the USA (The final indictment of Public Prosecutor)

Yesterday at 4:49am | The-Legions US

Beyond any reasonable doubt...

These the groups on Facebook for help Enrico Forti:

Andrea Casari pro Chico Forti

Chico Forti: un innocente condannato all'ergastolo!!

An absurd story! My friend Chico Forti, a former windsurfing champion, a producer of short films, was in Miami at the murder of fashion designer Versace and Cunanan suicide-----read more

To "\ALL/" The People who Still ^W A N T - T O - B E L I E V E^

The story of Enrico Forti (nicknamed Chico)
Sentenced to life without parole in the USA after an unfair trial with no way out
"The State does not have to prove that he is the shooter in order to prove that he is guilty…"
(From the final indictment of the Public Prosecutor)

Enrico Forti (known as Chico), Italian citizen from Trento and US resident in Miami (Florida) for several years, where he carried out entrepreneurial activities, has been accused by American judges to have killed an Australian called Pike, who was the son of an Australian entrepreneur with whom Forti had signed a contract to purchase a hotel complex in Ibiza (Spain). Forti refers to having defined the contract with Pike's father, who had asked to take his son with him to work in the hotel in order to get the boy used to a new way of life, seeing that his previous lifestyle was not accepted by his father. Forti specifies that the father had therefore requested that the three of them meet in Miami. Forti had organized the arrival of Pike jr. in Miami, to be followed a few days later by his father. Forti picked Pike jr. up from the airport and left him at a car park, where the latter told him that he was going to be picked up by friends where he would stay for a few days. Forti went to the other airport in Miami to meet his father-in-law who had long planned a visit to his daughter and son-in-law.

The morning after, the corpse of Pike jr. was found on a beach some distance from the place where Forti had dropped him off the night before.

Chico was arrested and then let off with two accusations a few days later. The first accusation was of murder, and the second was for fraud in relation to the purchase of the hotel complex with Pike. The second accusation was soon dropped, but the first accusation of murder remained.

Forti was arrested on bail again in October/November 1999, near to the date of his trial, after a year that he had lived a normal life, except for the fact that he was not allowed to leave the U.S. He was sentenced to life imprisonment in June 2000 for the murder of Pike jr. This sentence foresees no possible sanctioning, which means that if Forti is not absolved or reprieved, he will only leave the prison as a dead man.

As evidence shows and according to Forti's solicitors, the accusation is exclusively based upon a lie made on behalf of Forti, during the first hours of his arrest, when he denied knowing Pike jr. and was further led to believe that the father was also dead. A few hours after, the first version was changed, informing the authorities that Forti himself had actually gone to the airport to meet Pike jr. for the first time and collect him from the airport, confirming also that he had paid the airfare and that he would meet the father there a few days later. The board of inquiry also believe obvious that Forti could not have physically carried out the murder himself, but could have been the instigator. It is difficult to understand the motivation, as the deal with the father had concluded and the law in Anglo-Saxon countries is different to that in Italy where possessions are automatically passed onto the next of kin, as everyone is free to leave their possessions to whoever they desire.

In this specific case, there is no reason to believe that if the sale had not gone ahead, Pike jr. would have reaped any advantage, as relations between father and son had not been good for a while, and the son led an independent life away from his father with no particular ties.

The only element that sustains the accusation, and therefore determines Forti's condemnation to life imprisonment, is the lie voiced by Forti in the first hours of his arrest, that denying knowing Pike jr, because police of Miami say also lies to him, when saw to him that also Pike senior was not to be found. This is the voice of Enrico Forti during a little documentary by italian tv across 2004. [Chico Forti http://www.chicoforti.com] say that him denying knowing Pike jr, because after come back to Miami after listen the notice of the death of Pike jr, when the police saw to him the fake notice that also Pike senior was not to be found, him have take fear and saw a lie.

Enrico Forti don't had problems with justice before this fact.

More U can read:
HERE (Facebook Causes)
HERE (Facebook Causes 2)
HERE (EN-ITA Albaria Site)
HERE (Seve Home-ONE CHANCE FOR CHICO)
HERE (EN Wikipedia org)
HERE (Sailing Sardinia it)
EN Chicoforti com (Official Site)
HERE (EN ITA Chicoforti com Official Site)
HERE (IT La Soria di Chico Blog RAI it)
HERE (Indopedia)

CHICO HAS WRITTEN FROM PRISON READ THE LETTER

Into the jail but still I hope ` 26/05/2009 17:40 L'Adige According to the proverb "He who finds a friend finds a treasure" for some time I became rich, I discovered thousands of new and old friends through Facebook. It is true that "it is never too late '... now when I thought people had forgotten about me, here is the pleasant surprise. There are no words to express my gratitude and my emotions: you have revived the flame of my hope. It was said that in times of difficulty are not the words of the evil enemies that more injured, but the silence of friends ... I must say that, dear friends, have done a hell of noise, a noise that is also in this postaccio. Postaccio because it is! One day there is a soap, there's one day, one day the water is warm, the next day is cold, one day you require to walk in single file within the yellow stripes, two days after all ' outside. So total disorganization, so you need to suspect that the administration is of Italian origin! As you can see I certainly do not lack the proper mood. I like the joke to commiseration. My body was locked up physically, but my mind gallops continuously. Traveling to the memories of the past, the good old days with friends. The American justice system is bankrupt, I have no longer any doubt, is mainly based on physical and mental punishment, with little attention to rehabilitation. Consequently, the recidivism is enormous. People enter and exit from this place comes as a supermarket. Lack the motivation, the foundation for change for the better, to live in a society with basic rules. In the process, when the judges roam, retract hate, hate to admit having made a mistake and cover their backs each other, making common barrier. It takes a tsunami to open the doors. God willing, you are the tsunami of time! Maybe Obama decides to assimilate some point the law Latin, rather than become moldy with the Anglo-Saxon. The few rehabilitation programs are rarely useful. The people here have nothing to do. Television is queen. At 9 am, Sunday, transmit cartoons of Japanese Ninja (originally created for the age group 8-12 years). Hall, in front of the television, there is a seat free. All there between the magnets of Dr Gobbels, as Bonviva in its Sturmstruppen! Few know the sanctuary of meditation, and those that are lost in reminiscences of the past, recall the countless acts of violence. They have grown from the children, with violence as the only form of communication. Zombies are now, without past, without future and without a basis of human values. I try to help as I can, that small group that is thirsty to learn, understand and improve their standard of living. Almost everyone here knows who I am. The 'tam tam' of these places, the news spreads at the speed of sound. Part of their esteem and respect me, I look the part with circumspection, and part is totally indifferent. Thanks to my knowledge of languages can help centrosud-Americans and Haitians with Spanish and French in their tasks of school. Many have asked me to recount my adventures in the seven continents, it seems impossible that they could have lived so intensely in such a short time. A phrase that is often addressed, both by 'brown' than by 'blue' is: 'You do not belong here! "Translated:" You do not belong to this place. " And if it is true that a criminal knows recognize another criminal, I'm glad that an 'expert' judge me innocent. Perhaps one of the prosecutor or a judge of my case should spend some days in this place to "indoctrinated in the laboratory. This is the eighth continent. The no man's land where the only law that applies is the one of the strongest. Or are you predator, and live with predators, prey or six, and still live with the predators. The 'prey' are the worker ants to work more useful. The predatory class there are various "ethnic caste, perhaps better known as ghenghe, which are constantly in the fight against each other. The reasons are many, often trivial: one wrong word, given a soup lyophilized and not returned, change the channel, turn on the phone. The consequences are almost always catastrophic, in fact, these disputes often end with a handshake. There is always the desire, repressed or not, of revenge, revenge. In litigation there are no restrictions or rules of honor. But the conclusion is always the same: the inevitable severe punishment of the guards. Unfortunately, the meet has become an indispensable element for the survival of individuals when you lack of respect, uncontested open doors to other "bullies" to do the same ... and become prey. Io sono un po 'a white fly, in the middle of precarious balance. Being the only Italian I have a reference to ethnic group, let alone a gang. Teach, when I can, to those who require it and need it. Step dall'aiutare the illiterate to read and write, to explain where is the geographical position of Sicily. Many link the fact of being Italian with the association to a certain type of family (I only had the police in Miami that gave him for granted!). Unfortunately, most deny and stronger the conviction. Someone is calling me 'Don Chico' and when I try to explain to them that I never took the vows clergy responded, impassive, but no, not the don, the other, the one irrefutable proposals ... tightening at the same time the eye (if you have one to make!) to ensure their silence. I still remember the words of Mario Puzo (the soul's peace): "Dear Chico, the negative experiences have been the essence of my success." Perhaps this need for hope. I realize now how easy it is in ignorance and chaos, turning the people into a group of dangerous fanatics lobotomizzati. Just that you offer them something in which to believe. I am here every day I have the opportunity to wash, I get three meals a day and once every so often, a chicken thigh. More often a piece of liver (even if cooked to Charlie Chaplin) and, for the Celebration of American Independence July 4 2003, I received a slice of watermelon. I try to find positivism in darkness and also reflect the fact that there are two billion people who are worse than me. Who do not have to dress or a sheltered place to sleep, which does not have three meals a day, who do not know what the hot shower and, a fortiori, the watermelon. In the universal context I could find myself in a situation even more terrible. Yet, in a second, give up these 'convenience' for a night under the stars with my three children, told on a sailing boat in the roll of the ocean. Jenna Bleu, the light of my life, who with his face on my chest, fixing the eyes, told me: 'Dad, I know that one of those stars is for us. " When we talk on the phone Jenna Bleu often tells me to keep your eyes peeled for the rainbows, because it is certain that we shall meet at the base of the arch. Jenna Bleu spirit is always here with me in my heart, as you are old and new friends, you are helping the heart, which have much to give, to fly regularly! A hug to everyone. Even if virtual. Chico Forti
Italiano—Rileva lingua—AlbaneseAraboBulgaroCatalanoCecoCineseCoreanoCroatoDaneseEbraicoEstoneFinlandeseFranceseGalicianGiapponeseGrecoHindiIndonesianoIngleseItalianoLettoneLituanoMalteseNorvegeseOlandesePolaccoPortogheseRumenoRussoSerboSlovaccoSlovenoSpagnoloSvedeseTagalogTailandeseTedescoTurcoUcrainoUnghereseVietnamita > Inglese—AlbaneseAraboBulgaroCatalanoCecoCinese (semplificato)Cinese (tradizionale)CoreanoCroatoDaneseEbraicoEstoneFinlandeseFranceseGalicianGiapponeseGrecoHindiIndonesianoIngleseItalianoLettoneLituanoMalteseNorvegeseOlandesePolaccoPortogheseRumenoRussoSerboSlovaccoSlovenoSpagnoloSvedeseTagalogTailandeseTedescoTurcoUcrainoUnghereseVietnamita inverti

Senato della Repubblica Italiana: Caso Enrico Forti, detto "Chico"

From:


The-Legions Pages on Facebook

Legislatura 16º - Aula - Resoconto stenografico della seduta n. 170 del 11/03/2009

SANTINI, DIVINA, GIARETTA, MORRA, IZZO, DEL VECCHIO, D'AMBROSIO LETTIERI, TOMASSINI, MOLINARI - Al Presidente del Consiglio dei ministri e ai Ministri degli affari esteri e della giustizia - Premesso che:

al termine di un processo durato 24 giorni, il 15 giugno 2000 una giuria popolare della Dade County di Miami ha ritenuto colpevole di omicidio un italiano di Trento, Enrico Forti, condannandolo all'ergastolo, "per aver personalmente e/o con altra persona o persone allo Stato ancora ignote, agendo come istigatore e in compartecipazione, ciascuno per la propria condotta partecipata, e/o in esecuzione di un comune progetto delittuoso, provocato, dolosamente e preordinatamene, la morte di Dale Pike". Il delitto risale al 1998;

questa sentenza ha lasciato esterrefatti i presenti al processo e quanti avevano seguito il dibattimento processuale, increduli che una giuria abbia potuto emettere "oltre ogni ragionevole dubbio" un verdetto di colpevolezza sulla base di flebili e confuse prove circostanziali;

a seguito di attente verifiche e valutazioni sulla fondatezza di queste "prove circostanziali", si sono prodotti una tale quantità di dubbi che il sospetto che i fatti siano andati in modo completamente diverso da come sono stati presentati dall'accusa è divenuto quasi certezza;

si avverte la necessità di un'istanza per la riapertura del procedimento giudiziario per riformulare un verdetto, alla luce dei nuovi fatti accertati e delle inedite prove documentali;

la giustizia statunitense continua a negare questa possibilità, in base alla norma che non consente di giudicare due volte un cittadino per lo stesso reato. Inutilmente si cerca di fare capire che il reato potrebbe non sussistere;

da quasi nove anni Enrico Forti, detto "Chico", è rinchiuso in un carcere di massima sicurezza sito nelle paludi delle Everglades. L'accusa è di omicidio di primo grado ai danni di Dale Pike, figlio di un albergatore di Ibiza, Spagna, Anthony John Pike;

ex campione di windsurf ed eccellente documentarista, specializzato nei filmati sugli sport estremi, Chico Forti si trasferì da Trento in America, in cerca di fortuna, sfruttando la sua intelligenza eclettica ed il suo estro artistico e sportivo. Si stabilì in Florida, il Sunshine State. Sposò una californiana dalla quale ha avuto tre figli. La famiglia di Enrico Forti risiedeva a Williams Island, un quartiere esclusivo di Miami;

a dichiararlo colpevole è stata una sua bugia, detta nel Paese sbagliato, nel momento sbagliato ed alle persone sbagliate. In America, terra di forti contraddizioni, la menzogna privata o pubblica, è un delitto grave;

Dale Pike fu trovato morto in spiaggia, ucciso da ignoti. La polizia indicò il colpevole in Enrico Forti il quale aveva avviato rapporti d'affari con la vittima ed il padre;

Forti era entrato in pesante contrasto con la polizia, in relazione alle nebulose vicende che avevano portato alla morte dello stilista italiano Versace e, successivamente, del suo presunto assassino. Forti, anche in servizi televisivi, definì la polizia "corrotta", insinuando che essa avrebbe confuso le acque per salvaguardare i veri colpevoli. Da quel momento la sua vita fu sconvolta e si trovò nel mirino della polizia locale, fino all'incriminazione;

movente per l'omicidio era, secondo l'accusa, una presunta tentata truffa collegata all'acquisto di un albergo, per la quale Forti era stato assolto, precedentemente al processo per l'omicidio stesso;

ciò nonostante, il movente fu usato ugualmente in limine nella requisitoria finale dell'accusa dopo la quale non c'era più possibilità di replica da parte della difesa a causa della sua stessa decisione di non richiedere la testimonianza diretta di Forti durante il dibattimento. Questa grave negligenza dei difensori ha privato gli stessi di poter rettificare l'estrema scorretta iniziativa dell'accusa;

quando fu accusato dell'omicidio, con la mente annebbiata dalla paura e senza alcun supporto legale, Enrico Forti mentì alla polizia di Miami, dicendo di non avere incontrato la vittima. A nulla sono valsi gli sforzi suoi e dei suoi difensori per dimostrare la sua estraneità all'omicidio. Misteriosamente saltarono fuori prove imprevedibili e testimonianze di comodo, senza alcun sostegno probatorio;

Enrico Forti fu condannato al carcere a vita;

da quel momento incominciò una forte azione popolare per sostenere la richiesta di Forti di aprire un nuovo processo, alla luce delle nuove prove che lo scagionerebbero;

a Trento, sua città natale, è sorto un comitato che ha raccolto anche dei fondi per garantirgli il sostegno di bravi avvocati americani;

ad Enrico Forti è stato negato il diritto allo speed trial (processo veloce entro 20 giorni dall'arresto) per avvenuta scadenza dei termini di legge (6 mesi) dalla prima accusa all'arresto (20 mesi);

il diritto allo speed trial gli è stato negato perché applicata la regola Williams, cioè l'esistenza di una diretta connessione tra l'ottenimento di un illecito guadagno (truffa) e la consumazione dell'omicidio. Questa regola avrebbe dovuto essere revocata perché Enrico Forti era già stato assolto dall'accusa di frode in un precedente processo;

la deposizione rilasciata da Enrico Forti come testimone, durante la quale ha detto la bugia sul suo incontro con Dale Pike, avrebbe dovuto essere annullata perché coperta dai diritti Miranda che prevedono l'assistenza di un legale durante qualsiasi deposizione rilasciata da una persona ufficialmente accusata di un crimine;

questi diritti gli furono negati anche se, al momento di questa deposizione, era già il principale indiziato per l'omicidio;

a giudizio degli interroganti gli avvocati della difesa sono stati colti di sorpresa dall'accusa quando ha usato il movente della truffa per avvalorare la tesi dell'omicidio nell'arringa finale alla quale la difesa non aveva più diritto di replica. L'accusatore ha scorrettamente ignorato un accordo pre-processuale tra le parti, detto in limine, secondo il quale la truffa non avrebbe dovuto essere usata come movente, poiché da questa accusa Enrico Forti era già stato assolto. La giuria così non è mai stata informata di questo fatto ed è stata fuorviata nel suo giudizio finale; in questo modo si è violata la regola double Jeopardy secondo la quale, se un imputato è già stato assolto da un'accusa in un precedente processo, la stessa accusa non può essere usata in un altro processo;

in questi ultimi nove anni ripetutamente si è richiesta la riapertura del processo per addurre nuovi indizi probanti emersi a discarico dell'imputato e che le autorità preposte all'autorizzazione di tale riapertura non hanno ritenuto di dover accettare le motivazioni addotte;

un irrigidimento in tale posizione si è registrata al momento del trasferimento in Italia della detenuta terrorista Baraldini, poi scarcerata, con reazione indignata dell'opinione pubblica e delle autorità americane,

si chiede di sapere se il Governo abbia intenzione di attivarsi intervenendo presso le autorità degli Stati Uniti d'America per sostenere il ricorso alla Corte federale, presentato dai legali di Enrico Forti, come estrema possibilità per riaprire il caso e portare i molti elementi a discarico emersi in questi anni, utili a dimostrare la sua estraneità al delitto.

(3-00611)

Scarica il Documento Completo
Documento File PDF

Senato della Repubblica:Legislatura 16º - Aula - Resoconto stenografico della seduta n. 170 del 11/03/2009:
Riferimento

Seguito della discussione congiunta del disegno di legge n. 1078 - Legge comunitaria 2008 - e del Documento LXXXVII, n. 1
# PRESIDENTE
# BOLDI, relatrice.
# LICASTRO SCARDINO, relatrice
# RONCHI, ministro
# PRESIDENTE
+ Fai click per espandere questa voceSaluto ad una rappresentanza di studenti
# PRESIDENTE
+ Fai click per espandere questa voceRipresa della discussione congiunta del disegno di legge n. 1078 - Legge comunitaria 2008 - e del Documento LXXXVII, n. 1
# PRESIDENTE
# BAIO, segretario
# INCOSTANTE (PD)
# Fai click per espandere questa voceESAME DEGLI ARTICOLI
* PRESIDENTE
+ Fai click per espandere questa voceSaluto ad una rappresentanza di studenti
# PRESIDENTE
+ Fai click per espandere questa voceRipresa della discussione congiunta del disegno di legge n. 1078 - Legge comunitaria 2008 - e del Documento LXXXVII, n. 1
# GERMONTANI (PdL)
+ Fai click per espandere questa voceSaluto ad una rappresentanza di studenti
# PRESIDENTE
+ Ripresa della discussione congiunta del disegno di legge n. 1078 - Legge comunitaria 2008 - e del Documento LXXXVII, n. 1
+ Fai click per espandere questa voceSui lavori del Senato Commissioni permanenti, autorizzazione alla convocazione
# PRESIDENTE
+ Fai click per espandere questa voceRipresa della discussione congiunta del disegno di legge n. 1078 - Legge comunitaria 2008 - e del Documento LXXXVII, n. 1
# PRESIDENTE
+ Fai click per espandere questa voceSulla protesta messa in atto dai radicali contro il sistema dell'informazione
# PORETTI (PD)
o Fai click per espandere questa voceRESOCONTO STENOGRAFICO
+ PRESIDENTE
+ Fai click per espandere questa voceComunicazioni della Presidenza
# PRESIDENTE
+ Fai click per espandere questa vocePreannunzio di votazioni mediante procedimento elettronico
# PRESIDENTE
+ Fai click per espandere questa voceSeguito della discussione congiunta del disegno di legge n. 1078 - Legge comunitaria 2008 - e del Documento LXXXVII, n. 1
# PRESIDENTE
# BOLDI, relatrice
# LICASTRO SCARDINO, relatrice
# RONCHI, ministro
# PRESIDENTE
# BAIO, segretario
+ Fai click per espandere questa voceSaluto ad una rappresentanza di studenti
# PRESIDENTE
+ Fai click per espandere questa voceRipresa della discussione congiunta del disegno di legge n. 1078 - Legge comunitaria 2008 - e del Documento LXXXVII, n. 1
# INCOSTANTE (PD)
# PRESIDENTE
# Fai click per espandere questa voceESAME DEGLI ARTICOLI
* MARINARO (PD)
* BOLDI, relatrice
* RONCHI, ministro
* PRESIDENTE
* ADAMO (PD)
* PRESIDENTE
* ADAMO (PD)
* BOLDI, relatrice
* RONCHI, ministro
* PRESIDENTE
* BOLDI, relatrice
* RONCHI, ministro
* PRESIDENTE
* ADAMO (PD)
* BOLDI, relatrice
* RONCHI, ministro
* PRESIDENTE
* ADAMO (PD)
* PRESIDENTE
* BOLDI, relatrice
* RONCHI, ministro
* PRESIDENTE
* VICARI (PdL)
* FIORONI (PD)
* VICARI (PdL)
* PRESIDENTE
* BOLDI, relatrice
* RONCHI, ministro
* PRESIDENTE
* BOLDI, relatrice
* RONCHI, ministro
* PRESIDENTE
* MARINARO (PD)
* PEDICA (IdV)
* GHEDINI (PD)
+ Fai click per espandere questa voceSaluto ad una rappresentanza di studenti
# PRESIDENTE
+ Fai click per espandere questa voceRipresa della discussione congiunta del disegno di legge n. 1078 - Legge comunitaria 2008 - e del Documento LXXXVII, n. 1
# PRESIDENTE
# GERMONTANI (PdL)
# PORETTI (PD)
# D'ALIA (UDC-SVP-Aut)
# PETERLINI (UDC-SVP-Aut)
# BOLDI, relatrice
# BUGNANO (IdV)
# PRESIDENTE
# BUGNANO (IdV)
# PRESIDENTE
# BUGNANO (IdV)
# VICARI (PdL)
# GALLONE (PdL)
# BOLDI, relatrice
# RONCHI, ministro
# PRESIDENTE
# PEDICA (IdV)
# PRESIDENTE
# DE SENA (PD)
# PRESIDENTE
# FRANCO VITTORIA (PD)
# ANTEZZA (PD)
# PRESIDENTE
# PORETTI (PD)
# PRESIDENTE
# BONFRISCO (PdL)
# PRESIDENTE
# PETERLINI (UDC-SVP-Aut)
# PRESIDENTE
# PEDICA (IdV)
# BUONFIGLIO, sottosegretario
# PRESIDENTE
+ Fai click per espandere questa voceSaluto ad una rappresentanza di studenti
# PRESIDENTE
+ Fai click per espandere questa voceRipresa della discussione congiunta del disegno di legge n. 1078 - Legge comunitaria 2008 - e del Documento LXXXVII, n. 1
# PRESIDENTE
# DI NARDO (IdV)
# BOLDI, relatrice
# BOLDI, relatrice
# BUONFIGLIO, sottosegretario
# LUSI (PD)
# BUONFIGLIO, sottosegretario
# PRESIDENTE
# LANNUTTI (IdV)
# GERMONTANI (PdL)
# BARBOLINI (PD)
# BOLDI, relatrice
# RONCHI, ministro
# BOLDI, relatrice
# RONCHI, ministro
# PRESIDENTE
# MUSI (PD)
# INCOSTANTE (PD)
# PRESIDENTE
# LEGNINI (PD)
# FERRARA (PdL)
# PRESIDENTE
+ Fai click per espandere questa voceSui lavori del Senato Commissioni permanenti, autorizzazione alla convocazione
# PRESIDENTE
+ Fai click per espandere questa voceRipresa della discussione congiunta del disegno di legge n. 1078 - Legge comunitaria 2008 - e del Documento LXXXVII, n. 1
# PRESIDENTE
# PEDICA (IdV)
# VITA (PD)
# DI GIOVAN PAOLO (PD)
# GARAVAGLIA MARIAPIA (PD)
# PRESIDENTE
+ Fai click per espandere questa voceSulla protesta messa in atto dai radicali contro il sistema dell'informazione
# PORETTI (PD)
# PRESIDENTE
+ Fai click per espandere questa voceMozioni e interrogazioni, annunzio
# PRESIDENTE
+ Fai click per espandere questa voceOrdine del giorno per le sedute di giovedì 12 marzo 2008
# PRESIDENTE
o Fai click per espandere questa voceALLEGATO A
+ DISEGNO DI LEGGE 1078
+ Fai click per espandere questa voceDOCUMENTO Doc. LXXXVII, n. 1
# ARTICOLI, EMENDAMENTI E ORDINI DEL GIORNO RIFERITI AL DISEGNO DI LEGGE N. 1078
# Fai click per espandere questa voceARTICOLO 1 E ALLEGATI A E B NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTI
# Fai click per espandere questa voceARTICOLI 2 E 3 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTO
# Fai click per espandere questa voceARTICOLI 4 E 5 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTO
# Fai click per espandere questa voceARTICOLO 6 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTO TENDENTE AD INSERIRE UN ARTICOLO AGGIUNTIVO DOPO L'ARTICOLO 6
# Fai click per espandere questa voceARTICOLI 7 E 8 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTO TENDENTE AD INSERIRE UN ARTICOLO AGGIUNTIVO DOPO L'ARTICOLO 8
# Fai click per espandere questa voceARTICOLO 9 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTI
* EMENDAMENTO TENDENTE AD INSERIRE UN ARTICOLO AGGIUNTIVO DOPO L'ARTICOLO 9
# Fai click per espandere questa voceARTICOLO 10 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTI
# Fai click per espandere questa voceARTICOLO 11 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTI
* ORDINI DEL GIORNO
# Fai click per espandere questa voceARTICOLI 12, 13, 14 E 15 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTI
# Fai click per espandere questa voceARTICOLI 16, 17, 18, 19 E 20 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTO TENDENTE AD INSERIRE UN ARTICOLO AGGIUNTIVO DOPO L'ARTICOLO 20
# Fai click per espandere questa voceARTICOLI 21, 22, 23 E 24 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTI
* ORDINE DEL GIORNO
* EMENDAMENTO TENDENTE AD INSERIRE UN ARTICOLO AGGIUNTIVO DOPO L'ARTICOLO 24
# Fai click per espandere questa voceARTICOLO 25 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTI
* EMENDAMENTO TENDENTE AD INSERIRE UN ARTICOLO AGGIUNTIVO DOPO L'ARTICOLO 25
# Fai click per espandere questa voceARTICOLI 26, 27, 28 E 29 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTO TENDENTE AD INSERIRE UN ARTICOLO AGGIUNTIVO DOPO L'ARTICOLO 29
# Fai click per espandere questa voceARTICOLO 30 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTI
# Fai click per espandere questa voceARTICOLO 31 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTO
# Fai click per espandere questa voceARTICOLO 32 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTI
# Fai click per espandere questa voceARTICOLO 33, 34, 35 E 36 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTI
# Fai click per espandere questa voceARTICOLI 37, 38 E 39 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTI
# Fai click per espandere questa voceARTICOLI 40 E 41 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTI
* ORDINE DEL GIORNO
# Fai click per espandere questa voceARTICOLI 42 E 43 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTO
# Fai click per espandere questa voceARTICOLO 44 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTO
# Fai click per espandere questa voceARTICOLI 45 E 46 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTO
* ORDINE DEL GIORNO
# Fai click per espandere questa voceARTICOLO 47 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTO
# Fai click per espandere questa voceARTICOLO 48 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTO
# Fai click per espandere questa voceARTICOLO 49 NEL TESTO PROPOSTO DALLA COMMISSIONE
* EMENDAMENTI
+ PROPOSTE DI RISOLUZIONE AL DOCUMENTO LXXXVII, N. 1 6-00012 e 6-00013
o Fai click per chiudere questa voceALLEGATO B
+ Intervento del senatore Pedica in sede di illustrazione dell'emendamento 25.200 riferito all'articolo 25 del disegno d[...]
+ VOTAZIONI QUALIFICATE EFFETTUATE NEL CORSO DELLA SEDUTA
+ Congedi e missioni
+ Richieste di autorizzazione all'utilizzo di intercettazioni di conversazioni cui ha preso parte un senatore, deferimen[...]
+ Disegni di legge, trasmissione dalla Camera dei deputati
+ Disegni di legge, annunzio di presentazione
+ Autorità garante della concorrenza e del mercato, trasmissione di atti
+ Petizioni, annunzio
+ Fai click per espandere questa voceMozioni
# 1-00099
# 1-00100
# 1-00101
+ Fai click per chiudere questa voceInterrogazioni
# 3-00610
# 3-00611
# 3-00612
+ Fai click per espandere questa voceInterrogazioni con richiesta di risposta scritta
# 4-01250
# 4-01251
# 4-01252
# 4-01253
+ Interrogazioni, da svolgere in Commissione

IRAQ: WHY? WARNING: Article exclusively to adult readers

Technorati ProfileWe don't forgive, For those who can not forget. For my friend Samer
We don't forgive - We don't forget

Samer, forgive me for publishing these photos. I know that you are not a wound that never heals. But everyone should know the truth. To avoid repeating the mistakes of the past. In order not to forget. Dude, I told you that I would have brought in your story. And you still harbor in my heart

From: The-Legions Pages on Facebook (Italian Version)

The-Legions's Notes

Back to The-Legions

View: Full | Compact

• The-Legions's Notes

Iraq::::::> The pictures that Obama does not want to publish
. .:: Warning::. IMAGES ARE NOT SUITABLE FOR CHILDREN

Go back to The-Legions Pages on Facebook

yesterday at 7:01 am

General Taguba, who retired in 2007, has stated its support for the decision of President Obama to stop, contrary to what had been decided in the first instance, the publication of photos.
"These photos show torture, abuse, rapes, and every kind of indecency, but I'm not sure that their publication order legal aid, and consequently put at risk our troops, the only protectors of our foreign policy," he said. "The only description of these photos is pretty horrible, trust my word," added the retired general.

::::::> ::::::> ::::::> ::::::> just a cock <::::::: <:::::: <:::::: <::::::

WARNING: IMAGES ARE NOT SUITABLE TO CHILDREN



WARNING: IMAGES ARE NOT SUITABLE TO CHILDREN

WARNING: IMAGES ARE NOT SUITABLE TO CHILDREN


WARNING: IMAGES ARE NOT SUITABLE TO CHILDREN

WARNING: IMAGES ARE NOT SUITABLE TO CHILDREN

WARNING: IMAGES ARE NOT SUITABLE TO CHILDREN

WARNING: IMAGES ARE NOT SUITABLE TO CHILDREN

WARNING: IMAGES ARE NOT SUITABLE TO CHILDREN

WARNING: IMAGES ARE NOT SUITABLE TO CHILDREN

WARNING: IMAGES ARE NOT SUITABLE TO CHILDREN


WARNING: IMAGES ARE NOT SUITABLE TO CHILDREN


WARNING: IMAGES ARE NOT SUITABLE TO CHILDREN

WARNING: IMAGES ARE NOT SUITABLE TO CHILDREN

ÛÛÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßÛÛÛ

ÛÛ²²²²²²²²²²²²²²²²²²²²²²²²±±²²²²²²²²²²²²²²²²²²²²²²²²ÛÛ
Come in a "\hell/" L I K E T H I S
ÛÛ²²²²²²²²²²²²²²²²²²²²²²²²±±²²²²²²²²²²²²²²²²²²²²²²²²ÛÛ
ÛÛÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßÛÛÛ


A NOTE: If these photos, despite the iron curtain of silence 'and silence have transpired, I can imagine what else there' and not 'never been disclosed.

Obama why? Obama who? A large frame?

We mount as I Fuck well , to all and to all the powerful heads fucking, doers, torturers, dictators, hungry for money and power, which in the neutral ideal of greatness at the expense of anyone who might (mal) happen on your street you killed , tortured, enslaved.


::::::>FUCK IT, everyone, of all ages and in all "\ HISTORY /"

This is the Iraqi flag BEFORE SOMEONE HAD DECIDED TO CHANGE

This is the real IRAQ National song
BEFORE SOMEONE HAD DECIDED TO CHANGE

The-Legions Pages on Facebook :::::> The-Legions

The-Legions's Notes

Iraq::::::> Le foto che Obama non vuole pubblicare.
.:ATTENZIONE:.
LE IMMAGINI NON SONO ADATTE AI MINORI

ASTALAVISTA

Wndows: qualche giochino sul sistema (English)

Microsoft, che teme molto che la gente capisca davvero che cosa significa usare un computer si guarda bene dal divulgare notizie o informazioni che possano portare ad una vera conoscenz. Le cose piu ridicole che ho letto provengono proprio dalla knpwledge bade di Micro: sfido chiunque a dire che nei momenti di bisogno ha trovato la soluzione del problema li. E non e' casuale, come molte altre cose del resto.
Per sfruttare pienamente le lamerate e i trucchetti che ogni tanto mi diverto ancora a "leggere" e ' necessario avere una buona conoscenza del registro di sistema, pena una

pulizia di Pasqua anticipata. Leggi: format
come del resto, tutte le modifiche e i suggerimenti che coinvolgono il registro.
Per cui:
Se qualcuno si ritrovasse con il pc inutilizzabile, non resti sorpreso. Io lo avevo detto.
Ed inoltre devo ance aggiungere ce queste cose non e' ce devono esere fatte ovvero messe in pratica con lo scopo di ledere l'altrui bene: questo e' una vigliaccata e una cosa che sta proprio fuori dal mio modo di pensare.

Conoscere vuol dire essere responsabili non essere stronzi, quella e' una cosa da lamer e basta.

Inoltre, PRIMA di apportare qualsiasi modifica fare un backup del registro. Se qualcuno non ha mai esportato un file di conf. dal registro di sistema questa e' la volta buona per farlo
.
**************************************************
************************************************************

Exiting Windows the Cool and Quick Way
--------------------------------------
Normally it takes a hell lot of time just Shutting down Windows, you have to
move your mouse to the Start Button, click on it, move it again over Shut Down,
click, then move it over the necessary option and click, then move the cursor
over the OK button and once again (you guessed it) click.This whole process can
be shortened by creating shortcuts on the Desktop which will shut down Windows
at the click of a button.

1}- Start by creating a new shortcut (right click and select New> Shortcut).
2}- Then in the command line box, type :-
C:\windows\rundll.exe user.exe,exitwindowsexec

This Shortcut on clicking will restart Windows immediately without any Warning.

To create a Shortcut to Restart Windows, use the following in the Command
Line box:

C:\windows\rundll.exe user.exe,exitwindows
This Shortcut on clicking will shut down Windows immediately without any
Warning.
************************************************************

Ban Shutdowns : A trick to Play on Lamers
-----------------------------------------
This is a neat trick you can play on that lamer that has a huge ego, in this
section I teach you, how to disable the Shut Down option in the Shut Down Dialog
Box. This trick involves editing the registry, so please make backups.

1}- Launch regedit.exe and go to : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
In the right pane look for the NoClose Key.
2}- If it is not already there then create it by right clicking in the right pane and selecting New > String Value.(Name it NoCloseKey )
3}- Now once you see the NoCloseKey in the right pane, right click on it and select Modify.
4}- Then Type 1 in the Value Data Box.

Doing the above on a Win98 system disables the Shut Down option in the Shut Down
Dialog Box. But on a Win95 machine if the value of NoCloseKey is set to 1 then
click on the Start > Shut Down button displays the following error message:
This operation has been cancelled due to restrictions in effect on this
computer. Please contact your system administrator.
You can enable the shut down option by changing the value of NoCloseKey to 0 or
simply deleting the particular entry i.e. deleting NoCloseKey.
Instead of performing the above difficult to remember process, simply save the
following with an extension of .reg and add it's contents to the registry by
double clicking on it.
******************
REGEDIT4
*****************
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose"="1"
Disabling Display of Drives in My Computer
This is yet another trick you can play on your geek friend. To disable the
display of local or networked drives when you click My Computer go to :
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Now in the right pane create a new DWORD item and name it NoDrives. Now modify
it's value and set it to 3FFFFFF (Hexadecimal) Now press F5 to refresh. When you
click on My Computer, no drives will be shown. To enable display of drives in My
Computer, simply delete this DWORD item. It's .reg file is as follows:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:03ffffff
Take Over the Screen Saver
To activate and deactivate the screen saver whenever you want, goto the
following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ScreenSavers
Now add a new string value and name it Mouse Corners. Edit this new value to
-Y-N. Press F5 to refresh the registry. Voila! Now you can activate your
screensaver by simply placing the mouse cursor at the top right corner of the
screen and if you take the mouse to the bottom left corner of the screen, the
screensaver will deactivate.
Pop a banner each time Windows Boots
To pop a banner which can contain any message you want to display just before a
user is going to log on, go to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinLogon
Now create a new string Value in the right pane named LegalNoticeCaption and
enter the value that you want to see in the Menu Bar. Now create yet another new
string value and name it: LegalNoticeText. Modify it and insert the message you
want to display each time Windows boots. This can be effectively used to display
the company's private policy each time the user logs on to his NT box. It's .reg
file would be:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon]
"LegalNoticeCaption"="Caption here."
Delete the Tips of the Day to save 5KB
Windows 95 had these tips of the day which appeared on a system running a newly
installed Windows OS. These tips of the day are stored in the Windows Registry
and consume 5K of space. For those of you who are really concerned about how
much free space your hard disk has, I have the perfect trick.
To save 5K go to the following key in Regedit:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Tips
Now simply delete these tricks by selecting and pressing the DEL key.
Change the Default Locations
To change the default drive or path where Windows will look for it's
installation files, go to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath
Now you can edit as you wish.
Secure your Desktop Icons and Settings
You can save your desktop settings and secure it from your nerdy friend by
playing with the registry. Simply launch the Registry Editor go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
In the right pane create a new DWORD Value named NoSaveSettings and modify it's
value to 1. Refresh and restart for the settings to get saved.
CLSID Folders Explained
Don't you just hate those stubborn stupid icons that refuse to leave the
desktop, like the Network Neighborhood icon. I am sure you want to know how you
can delete them. You may say, that is really simple, simply right click on the
concerned icon and select Delete. Well not exactly, you see when you right click
on these special folders( see entire list below)neither the rename nor the
delete option does not appear. To delete these folders, there are two methods,
the first one is using the System Policy Editor(Poledit in the Windows
installation CD)and the second is using the Registry.
Before we go on, you need to understand what CLSID values are. These folders,
like the Control Panel, Inbox, The Microsoft Network, Dial Up Networking etc are
system folders. Each system folder has a unique CLSID key or the Class ID which
is a 16-byte value which identifies an individual object that points to a
corresponding key in the registry.
To delete these system Folders from the desktop simply go to the following
registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\Namespace{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
To delete an icon simply delete the 16 byte CLSID value within "NameSpace". The
following are the CLSID values of the most commonly used icons:
My Briefcase:{85BBD920-42AO-1069-A2E4-08002B30309D}
Desktop: {00021400-0000-0000-C000-0000000000046}
Control Panel:{21EC2020-3AEA-1069-A2DD-08002B30309D}
Dial-Up-Networking:{992CFFA0-F557-101A-88EC-00DD01CCC48}
Fonts: {BD84B380-8CA2-1069-AB1D-08000948534}
Inbox :{00020D76-0000-0000-C000-000000000046}
My Computer :{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Network Neighborhood:{208D2C60-3AEA-1069-A2D7-O8002B30309D}
Printers :{2227A280-3AEA-1069-A2DE-O8002B30309D}
Recycle Bin :{645FF040-5081-101B-9F08-00AA002F954E}
The Microsoft Network:{00028B00-0000-0000-C000-000000000046}
History: {FF393560-C2A7-11CF-BFF4-444553540000}
Winzip :{E0D79300-84BE-11CE-9641-444553540000}
For example, to delete the Recycle Bin, first note down it's CLSID value, which
is: 645FF040-5081-101B-9F08-00AA002F954E. Now go to the Namespace key in the
registry and delete the corresponding key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}
Similarly to delete the History folder, delete the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\{FBF23B42-E3F0-101B-8488-00AA003E56F8}
Sometimes, you may need to play a trick on your brother or friend, well this one
teaches you how to hide all icons from the Desktop. Go to the following registry
key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
In the right pane create a new DWORD value by the name: NoDesktop and set its
value to: 1. Reboot and you will find no icons on the desktop.
Till now you simply learnt how to delete the special system folders by deleting
a registry key, but the hack would have been better if there was a way of adding
the DELETE and RENAME option to the right click context menus of these special
folders. You can actually change the right click context menu of any system
folder and add any of the following options: RENAME, DELETE, CUT, COPY, PASTE
and lots more.
This hack too requires you to know the CLSID value of the system folder whose
menu you want to customize. In this section, I have taken up Recycle Bin as the
folder whose context menu I am going to edit.
Firstly launch the registry editor and open the following registry key:

HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder.
In Case you want to edit some other folder like say the FONTS folder, then you
will open the following key:

HKEY_CLASSES_ROOT\CLSID\{CLSID VALUE HERE}\ShellFolder.
In the right pane there will be a DWORD value names attributes. Now consider the
following options:
To add the Rename option to the menu, change the value of Attributes to
50 01 00 20
To add the Delete option to the menu, change the value of Attributes to
60 01 00 20
3. To add both the Rename & Delete options to the menu, change the value of
Attributes to 70,01,00,20
4. Add Copy to the menu, change Attributes to 41 01 00 20
5. Add Cut to the menu, change Attributes to 42 01 00 20
6. Add Copy & Cut to the menu, change Attributes to 43 01 00 20
7. Add Paste to the menu, change Attributes to 44 01 00 20
8. Add Copy & Paste to the menu, change Attributes to 45 01 00 20
9. Add Cut & Paste to the menu, change Attributes to 46 01 00 20
10.Add all Cut, Copy & Paste to the menu, change Attributes to 47 01 00 20
We want to add only the Rename option to the right click context menu of the
Recycle Bin, so change the value of attributes to: 50 01 00 20. Press F5 to
refresh and then after rebooting you will find that when you right click on the
Recycle Bin a RENAME option pops up too.
To reset the default Windows options change the value of Attributes back to
40 01 00 20
The Registry File which one can create for the above process would be something
like the below:

REGEDIT4
[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell-Folder]
"Attributes"=hex:50,01,00,20
To access say the Modem Properties in the Control Panel Folder, the normal
procedure is: Click on Start, Click on Settings> Control Panel and then wait for
the Control Panel window to pop up and then ultimately click on the Modems icon.
Wouldn't it be lovely if you could shorten the process to: Click on Start>
Control Panel>Modems. Yes you can add the Control Panel and also all other
Special System Folders directly to the first level Start Menu. Firstly collect
the CLSID value of the folder you want to add to the start menu. I want to add
Control Panel hence the CLSID value is: 21EC2020-3AEA-1069-A2DD-08002B30309D
Now right click on the Start Button and select Open. Now create a new folder and
name it: Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}
NOTE: Do not forget the period after the 'l' in Panel. Similarly all system
folders can be added to the Start Menu.(accept My Briefcase, I think)
Deleting System Options from the Start menu
You can actually remove the Find and Run options from the start menu by
performing a simple registry hack. Again like always Launch the registry editor
and scroll down to the below key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Right-click on the right pane and select New, DWORD Value. Name it NoFind.(To
remove the RUN option name it NoRun). Double-click the newly create DWORD to
edit it's value and enter 1 as its value. This will disable the FIND option of
the Start Menu and will also disable the default Shortcut key(F3 for Find.)
To restore the Run or find command modify the value of the DWORD to 0 or simply
Delete the DWORD value.
Fed Up of the boring Old Yellow Folder Icons?[Drive Icons Included]
NOTE: This trick hasn't been tried on Win98.
You can easily change the boring yellow folder icons to your own personalized
icons. Simply create a text file and copy the following lines into it:
[.ShellClassInfo]
ICONFILE=Drive:\Path\Icon_name.extension
Save this text file by the name, desktop.ini in the folder, whose icon you want
to change. Now to prevent this file from getting deleted change it's attributes
to Hidden and Read Only by using the ATTRIB command.
To change the icon of a drive, create a text file containing the following
lines:
[Autorun]
ICON=Drive:\Path\Icon_name.extension
Save this file in the root of the drive whose icon you want to change and name
it autorun.inf For Example, if you want to change the icon of a floppy, SAVE THE
icon in a:\icon_name.ico One can also create a kewl icon for the Hard Disk and
create a text file [autorun.inf] and store it in "c:\".
Securing NT
By default, NT 4.0 displays the last person who logged onto the system. This can
be considered to be a security threat, especially in the case of those who
choose their password to be same as their Username. To disable this bug which
actually is a feature, go to the following key in the registry editor:

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
Click and select the ReportBookOK item and create a new string value called
DontDisplayLastUserName. Modify it and set it's value to 1.
As a system administrator, you can ensure that the passwords chosen by the users
are not too lame or too easy to guess. NT has this lovely utility called the
User Manager which allows the administrator to set the age limit of the password
which forces the users to change the password after a certain number of days.
You can also set the minimum length of passwords and prevent users to use
passwords which already have been used earlier and also enable account lockouts
which will deactivate an account after a specified number of failed login
attempts.
When you log on to Win NT, you should disable Password Caching, this ensures
Single NT Domain login and also prevents secondary Windows Logon screen.
Simply copy the following lines to a plain text ASCII editor like: Notepad and
save it with an extension, .reg


----------------DISABLE.reg-----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001
----------------DISABLE.reg-----------------
To Enable Password Caching use the following .reg file:
--------------Enable.reg-----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000000
--------------Enable.reg-----------------

Cleaning Recent Docs Menu and the RUN MRU
The Recent Docs menu can be easily disabled by editing the Registry. To do this
go to the following Key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Now in the right pane, create a new DWORD value by the name: NoRecentDocsMenu
and set it's value to 1. Restart Explorer to save the changes.
You can also clear the RUN MRU history. All the listings are stored in the key:

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
You can delete individual listings or the entire listing. To delete History of
Find listings go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find
Spec MRU
and delete.
Customizing the Right Click Context Menu of the Start Menu
When you right click on the start menu, only 3 options pop up: Open, Explore,
and Find. You can add your own programs to this pop up menu( which comes up when
we right click on it.) Open Regedit and go to the following registry key:

HKEY_CLASSES_ROOT\Directory\Shell
Right click on the shell and create a new Sub Key (You can create a new SubKey
by right clicking on the Shell Key and selecting New > Key.). Type in the name
of the application you want to add to the start menu. I want to add Notepad to
the Start Menu and hence I name this new sub key, Notepad. Now right click on
the new registry key that you just created and create yet another new key named
Command. Enter the full path of the application, in this case Notepad in the
default value of Command in the right
pane. So I Modify the value of the default string value and enter the full
pathname of Notepad:
c:\wndows\notepad.exe.
Now press F5 to refresh. Now if you right click on the Start Button you will
find a new addition to the Pop Up Menu called Notepad. Clicking on it will
launch Notepad.
We can not only add but also remove the existing options in this pop up box.
To delete the Find option, go to the following registry key:

HKEY_CLASSES_ROOT\Directory\Shell\Find
Delete Find. DO NOT delete Open else you will not be able to open any folders in
the Start Menu like Programs, Accessories etc.
BMP Thumbnail As Icon
You can actually change the default BMP icon to a thumbnail version of the
actual BMP file. To do this simply go to HKCU\Paint.Picture\Default. In the
right pane change the value of default to %1. Please note however that this will
slow down the display rate in explorer if there are too many BMP thumbnails to
display. You can use other icons too, simply enter the pathname.To restore back
to the normal change the vale of default back to:
C:\Progra~1\Access~1\MSPAINT.EXE,1.
Customizing The Shortcut Arrow
All shortcuts have a tiny black arrow attached to it's icon to distinguish from
normal files. This arrow can sometimes be pretty annoying and as a Hacker should
know how to change each and everything, here goes another trick. Launch the
Registry Editor and go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Shell
Icons.
Now, on the right pane is a list of icons ( we found out that on some systems,
Windows 98 especially, the right pane is blank. Don't worry, just add the value
as required ). Find the value 29. If it isn't there, just add it. The value of
this string should be C:\Windows\system\shell32.dll, 29 ( which means the 30th
icon in shell32.dll - the first one begins with 0 ). Now, we need blank icon to
do this. Just create one with white as the whole icon. Go here to learn how to
create an icon. Once done just change the value to C:\xxx.ico, 0 where "xxx" is
the full path of the icon file and "0" is the icon in it.
Now for some fun. If the blank icon is a bit boring, change it again. You will
find that under shell32.dll there is a gear icon, a shared folder ( the hand )
and much more. Experiment for yourself!
Use Perl to Get List or Services Running on your NT box
Use the following Perl Script to get a list of Services running on your NT
system


--------------script.pl-----------------
#!c:\per\bin\perl.exe
use Win32::Service;
my ($key, %service, %status, $part);
Win32::Service::GetServices(' ',\%services);
foreach $key (sort keys %services) {
print "Print Name\t: $key, $services{$key}\n";
Win32::Service::GetStatus( ' ',$services{$key};
\%status);
foreach $part (keys %status) {
print "\t$part : $status{$part}\n" if($part eq "CurrentState");
}
}
-------------script.pl-------------------


Internet Explorer Tricks and Tips
Resizable Full Screen Toolbar
The Full Screen option increases the viewable area and makes surfing more
enjoyable but sometimes we need the Toolbar but also need to have extra viewing
area. Now this hack teaches you how to change the size of the Internet Explorer
toolbar. This registry hack is a bit complicated as it involves Binary values,
so to make it simple, I have included the following registry file which will
enable the resizable option of the Internet Explorer toolbar which was present
in the beta version of IE.

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
"Theater"=hex:0c,00,00,00,4c,00,00,00,74,00,00,00,18,00,00,00,1b,00,00,00,5c,\
00,00,00,01,00,00,00,e0,00,00,00,a0,0f,00,00,05,00,00,00,22,00,00,00,26,00,\
00,00,02,00,00,00,21,00,00,00,a0,0f,00,00,04,00,00,00,01,00,00,00,a0,0f,00,\
00,03,00,00,00,08,00,00,00,00,00,00,00
*******************
HACKING TRUTH: Internet Explorer 5 displays the friendly version of HTTP errors
like NOT FOUND etc . They are aimed at making things easier for newbies. If you
would rather prefer to see the proper error pages for the web server you're
using, go to Tools, Internet Options and select the Advanced tab. Then scroll
down and uncheck the Show friendly http errors box.
*******************
Making the Internet Explorer & the Explorer Toolbars Fancy
The Internet Explorer toolbar looks pretty simple. Want to make it fancy and
kewl? Why not add a background image to it. To do this kewl hack launch the
Windows Registry Editor and go to the following key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\ Internet Explorer\Toolbar\.
Now in the right pane create a new String Value and name it BackBitmap and
modify it's value to the path of the Bitmap you want to dress it up with by
rightclicking on it and choosing Modify. When you reboot the Internet Explorer
and the Windows Explorer toolbars will have a new look.
Change Internet Explorer's Caption
Don't like the caption of Internet Explorer caption? Want to change it? Open the
registry editor and go to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main.
In the right pane create a new String Value names Window Title (Note the space
between Window and Title). Right click on this newly created String Value and
select Modify. Type in the new caption you want to be displayed. Restart for the
settings to take place.
Now let's move on to some Outlook Express Tricks.
Colorful Background
Don't like the boring background colors of Outlook Express? To change it launch
the Windows Registry Editor and scroll down to the

HKEY_CURRENT_USER\Software\Microsoft\Internet Mail And News key.
On the left pane, click on ColorCycle or select Edit and Modify in the menu. Now
change the value to 1. Close and restart. Now, launch Outlook Express and
whenever you open up a New Message, hold down ctrl-shift and tap the z key to
scroll to change the background color. Repeat the keystroke to cycle through the
colors.
Internet Explorer 5 Hidden Features

Microsoft Internet Explorer 5 has several hidden features which can be
controlled using the Windows Registry. Open your registry and scroll down to the
following key:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
Create a new DWORD value named x(See complete list of values of x below) and
modify it's value to 1 to enable it and to 0 to disable it.
NoBrowserClose : Disable the option of closing Internet Explorer.
NoBrowserContextMenu : Disable right-click context menu.
NoBrowserOptions : Disable the Tools / Internet Options menu.
NoBrowserSaveAs : Disable the ability to Save As.
NoFavorites : Disable the Favorites.
NoFileNew : Disable the File / New command.
NoFileOpen : Disable the File / Open command.
NoFindFiles : Disable the Find Files command.
NoSelectDownloadDir : Disable the option of selecting a download directory.
NoTheaterMode : Disable the Full Screen view option.
Hacking Secrets
Almost all system administrators make certain changes and make the system
restricted. System Administrators can hide the RUN option, the FIND command, the
entire Control Panel, drives in My Computer like D: A: etc. They can even
restrict activities of a hacker my disabling or hiding, even the tiniest options
or tools.
Most commonly these restrictions are imposed locally and are controlled by the
Windows Registry. But sometimes the smart system administrators control the
activities of the hacker by imposing restrictions remotely through the main
server.
Poledit or Policy Editor is a small kewl tool which is being commonly used by
system administrators to alter the settings of a system. This utility is not
installed by default by Windows. You need to install in manually from the
Windows 98 Installation Kit from the Resource Kit folder. user.dat file that we
saw earlier.
The Policy Editor tool imposes restrictions on the user's system by editing the
user.dat file which in turn means that it edits the Windows Registry to change
the settings. It can be used to control or restrict access to each and every
folder and option you could ever think of. It has the power to even restrict
access to individual folders, files, the Control Panel, MS DOS, the drives
available etc. Sometimes this software does make life really hard for a Hacker.
So how can we remove the restrictions imposed by the Policy Editor? Well read
ahead to learn more.
You see the Policy Editor is not the only way to restrict a user's activities.
As we already know that the Policy Editor edits the Windows Registry(user.dat)
file to impose such restrictions. So this in turn would mean that we can
directly make changes to the Windows Registry using a .reg file or directly to
remove or add restrictions.
Launch Regedit and go to the following Registry Key:

HKEY_CURRENT_USER/Software/Microsoft/CurrentVersion/Policies
Under this key, there will definitely be a key named explorer. Now under this
explorer key we can create new DWORD values and modify it's value to 1 in order
to impose the restriction. If you want to remove the Restriction, then you can
simply delete the respective DWORD values or instead change their values to 0.
The following is a list of DWORD values that can be created under the Explorer
Key-:
NoDeletePrinter: Disables Deletion of already installed Printers
NoAddPrinter: Disables Addition of new Printers
NoRun : Disables or hides the Run Command
NoSetFolders: Removes Folders from the Settings option on Start Menu (Control
Panel, Printers, Taskbar)
NoSetTaskbar: Removes Taskbar system folder from the Settings option on Start
Menu
NoFind: Removes the Find Tool (Start >Find)
NoDrives: Hides and does not display any Drives in My Computer
NoNetHood: Hides or removes the Network Neighborhood icon from the desktop
NoDesktop: Hides all items including, file, folders and system folders from the
Desktop
NoClose: Disables Shutdown and prevents the user from normally shutting down
Windows.
NoSaveSettings: Means to say, 'Don't save settings on exit'
DisableRegistryTools: Disable Registry Editing Tools (If you disable this
option, the Windows Registry Editor(regedit.exe) too
will not work.)
NoRecentDocsHistory: Removes Recent Document system folder from the Start Menu
(IE 4 and above)
ClearRecentDocsOnExit: Clears the Recent Documents system folder on Exit.
Nolnternetlcon: Removes the Internet (system folder) icon from the Desktop

Under the same key: HKEY_CURRENT_USER/Software/Microsoft/CurrentVersion/Policies
you can create new subkeys other than the already existing Explorer key. Now
create a new key and name it System. Under this new key, system we can create
the following new DWORD values(1 for enabling the particular option and 0 for
disabling the particular option):
NODispCPL: Hides Control Panel
NoDispBackgroundPage: Hides Background page.
NoDispScrsavPage: Hides Screen Saver Page
NoDispAppearancePage: Hides Appearance Page
NoDispSettingsPage: Hides Settings Page
NoSecCPL: Disables Password Control Panel
NoPwdPage: Hides Password Change Page
NoAdminPaqe: Hides Remote Administration Page
NoProfilePage: Hides User Profiles Page
NoDevMgrPage: Hides Device Manager Page
NoConfigPage: Hides Hardware Profiles Page
NoFileSysPage: Hides File System Button
NoVirtMemPage: Hides Virtual Memory Button
Similarly, if we create a new subkey named Network, we can add the following
DWORD values under it(1 for enabling the particular option and 0 for disabling
the particular option):
NoNetSetupSecurityPage: Hides Network Security Page
NoNelSetup: Hides or disables the Network option in the Control Panel
NoNetSetupIDPage: Hides the Identification Page
NoNetSetupSecurityPage: Hides the Access Control Page
NoFileSharingControl: Disables File Sharing Controls
NoPrintSharing: Disables Print Sharing Controls
Similarly, if we create a new subkey named WinOldApp, we can add the following
DWORD values under it(1 for enabling the particular option and 0 for disabling
the particular option):

Disabled: Disable MS-DOS Prompt

NoRealMode: Disable Single-Mode MS-DOS.

So you see if you have access to the Windows Registry, then you can easily
create new DWORD values and set heir value to 1 for enabling the particular
option and 0 for disabling the particular option. But Sometimes, access to the
Windows Registry is blocked. So what do you do? Go to the Windows Directory and
delete either user.dat or system.dat (These 2 files constitute the Windows
Registry.) and reboot. As soon as Windows logs in, it will display a Warning
Message informing you about an error in the Windows Registry. Simply ignore this
Warning Message and Press CTRL+DEL+ALT to get out of this warning message.(Do
not press OK) You will find that all restrictions have been removed.
The most kind of restriction found quite commonly is the Specific Folder
Restriction, in which users are not allowed access to specific folders, the most
common being the Windows folder, or sometimes even access to My Computer is
blocked. In effect, you simply cannot seem to access the important kewl files
which are needed by you to do remove restrictions. What do you? Well use the RUN
command. (START >RUN). But unfortunately a system administrator who is
intelligent enough to block access to specific folder, would definitely have
blocked access to the RUN command. Again we are stuck.

Windows is supposed to be the most User Friendly Operating System on earth. (At
least Microsoft Says so.)
It gives the User an option to do the same thing in various ways. You see the
RUN command is only the most convenient option of launching applications, but
not the only way. In Windows you can create shortcuts to almost anything from a
file, folder to a Web URL. So say your system administrator has blocked access
to the c:\windows\system folder and you need to access it. What do you do?
Simply create a Shortcut to it. To do this right click anywhere on the desktop
and select New > Shortcut. A new window titled Create Shortcut pops up. Type in
the path of the restricted folder you wish to access, in this case
c:\windows\system. Click Next, Enter the friendly name of the Shortcut and then
click Finish. Now you can access the restricted folder by simply double clicking
on the shortcut icon. Well that shows how protected and secure *ahem Windows
*ahem is.

****************
HACKING TRUTH: Sometimes when you try to delete a file or a folder, Windows
displays an error message saying that the file is protected. This simply means
that the file is write protected, or in other words the R option is +. Get it?
Anyway, you can stop Windows from displaying this error message and straightaway
delete this file by changing its attributes to Non Read Only. This can be done
by Right Clicking on the file, selecting Properties and then
unselecting the Read Only Option.

***************
There is yet another way of accessing restricted folders. Use see, DOS has a
lovely command known as START. Its general syntax is:
START application_path
It does do what it seems to do, start applications. So in you have access to DOS
then you can type in the START command to get access to the restricted folder.
Now mostly access to DOS too would be blocked. So again you can use the shortcut
trick to launch, c:\command.com or c:\windows\command.com. (Command.com is the
file which launches MS DOS).

Accessing Restricted Drives.
The problem with most system administrators is that they think that the users or
Hackers too are stupid. Almost all system administrators use the Registry Trick
(Explained Earlier) to hide all drives in My Computer. So in order to unhide or
display all drives, simply delete that particular key.(Refer to beginning of
Untold Secrets Section.)
Some systems have the floppy disk disabled through the BIOS. On those systems if
the BIOS is protected, you may need to crack the BIOS password. (For that Refer
to the Windows Hacking Chapter). Sometimes making drives readable (Removing R +)
and then creating Shortcuts to them also helps us to get access to them.
Further Changing your Operating System's Looks by editing .htt files

If you have installed Windows Desktop Update and have the view as Web Page
option enabled, you can customise the way the folder looks by selecting View >
Customise this folder. Here you can change the background and other things about
that particular folder. Well that is pretty lame, right? We hackers already know
things as lame as that. Read on for some kewl stuff.
Well, you could also change the default that is stored in a Hidden HTML Template
file (I think so..) which is nothing but a HTML document with a .htt extension.
This .htt file is found at: %systemroot%\web\folder.htt.
The %systemroot% stands for the drive in which Windows is Installed, which is
normally C:
You can edit these .htt files almost just like you edit normal .HTM or .HTML
files. Simply open them in an ASCII editor like Notepad. The following is a list
of .htt files on your system which control various folders and which can be
edited to customise the way various folders look.
controlp.htt Control Panel
printers.htt Printers
mycomp.htt My Computer
safemode.htt Safe Mode
All these files are found in the web folder in %systemfolder%. The folder.htt
file has a line:
'Here's a good place to add a few lines of your own"
which is the place where you can add your own A HREF links. These links would
then appear in the folder whose folder.htt file you edited. All this might sound
really easy and simple, but you see these .htt files do not contain normal HTML
code, instead they contain a mixture of HTML and web bots. Hence they can be
difficult for newbies to understand.
Well that's it for now, more tricks later, till then goodbye.

ASTALAVISTA

the-legions@mail.ru
ankit@bol.net.in
programmingforhackers-subscribe@egroups.com

Practical attacks against WEP and WPA

Da molte parti ho letto svariate metodologie su come "forzare" l'apertura di accesso ad una qualsiasi rete wireless. Piu o meno fantasiose. Diciamo che non solo e' possibile aprire anche il protocollo WPA, fino a un po di tempo fa considerato inattaccabile, e questo mi fa venire in mente le discussioni con i vari guru che sostenevano appunto la inattaccabilita di tale encription, ma il tempo, da ragione ai temerari :-)

Questo e' stato il materiale che abbiamo circa un anno fa mi pare, trovato piu interessante per approfondire la cosa.
Vorrei aggiungere, che non e' che per forza si deve craccare una rete wifi, si puo benissimo "bypassare", ma questo lo spieghero in un altro post, se potro' in italiano, questa volta posto in inglese, anche perche mi e' piu facile, strano ma vero, ed anche perche dal 9 aprile, come ho precedentemente annunciato, questo blog si avvale della collaborazione di autori che italiani non sono, e per mettere daccordo tutti, una lingua bisogna usarla e dobbiamo spesso usare l'inglese per rendere gli scritti comprensibili a tutti.

Comunque per eventuali problemi o altro c'e' la pagina dei commenti chiedete li oppure, l'indirizzo email del blog e':

the-legions@mail.ru

oppure ci trovate su Facebook a questo indirizzo:

http://www.facebook.com/pages/Gadara-Jordan/The-Legions/91257612473

I want describe to all two attacks on IEEE 802.11 based wireless LANs. The first attack is an improved key recovery attack on WEP,
which reduces the average number of packets an attacker has to intercept to recover the secret key. The second attack is (according to our know- ledge) the rst practical attack on WPA secured wireless networks, besides launching a dictionary attack when a weak pre shared key (PSK) is used.
The attack works if the network is using TKIP to encrypt the traffic. An attacker, who has about 12-15 minutes access to the network is then able to decrypt an ARP request or response and send 7 packets with custom content to network.

IEEE 802.11[2] is a standard family for wireless networks. Such networks can be found
in home, office, and enterprise environments and are quite popular today. If sensitive
informations are transmitted over a wireless network, privacy and integrity is a concern
and must be taken care of.
The rst version of the IEEE 802.11 standard supported a basic mechanism for
protecting such networks named Wired Equivalent Privacy (WEP). WEP requires all
clients and access points in the network to share up to four dierent secret symmetric
keys, which is clearly not optimal for a larger installation where users change frequently.
Most installations just use a single secret key named root key. WEP has some major
design
aws and was completely broken in 2001 by Fluhrer, Mantin, and Shamir.
They showed that an attacker can recover the secret key of the network with an average
consumer laptop in 1-2 hours.
More advanced attacks were published in the last years
making it possible to recover the secret key of the network in less than 60 seconds.
To x the problems of WEP, a new standard named Wi-Fi Protected Access (WPA)
was released in 2003, now part of the IEEE 802.11 specications.
The structure of this paper is as follows: In Section 2, we give an introduction to the
technical details of WEP and WPA and introduce the notation used in the rest of this
paper. In Section 3, we give an overview over a selected number of attacks on WEP.
In Section 4, we present a new attack on WEP, which reduces the number of packets
an attacker needs to intercept to recover the secret root key compared to previous
attacks. In Section 5, we present a new attack on WPA, which allows an attacker,
who has about 12-15 minutes access to a WPA protected network to send 7 packets to
the network with chosen payload and decrypt a single ARP packet. According to
our knowledge, this is the rst practical attack on WPA protected networks, besides
launching a dictionary attack against a weakly chosen pre shared key.

Notation
Numbers are always written in the decimal notation, for example 12 is the number
twelve. The signs + and · are addition and multiplication. (Z=nZ)+ is the additive
group of the numbers 0 to n-1, where all additions are done mod n. When operations
are done in (Z=nZ)+, we write a + b as a short form of a + b mod n. For arrays, we
use the [·] notation as used in many programming languages like C or Java. The
rst element in the array S is S[0]. Permutations are written as arrays too. If S is
a permutation, S-1 is the inverse permutation. For example, if S[i] = j holds, then
S-1[j] = i holds. When two arrays A and B are concatenated to a new array C, we
write C = AjjB. F2 is the nite eld with just the two elements 0 and 1. F2[X] is
the ring of polynomials over F2. When specifying estimations for a success probability
or similar things, we use the ≈ sign to note that a formula or a value is only a good
approximation, but not absolutely accurate.
Because WEP is mostly based on the RC4 stream cipher, we need to introduce
a notation for analyzing the RC4 stream cipher. RC4 consists of two algorithms, the
RC4-KSA, which transforms a key of length 1 to 256 bytes into an initial permutation
S of the numbers 0 to 255. The internal state of RC4 consists of this permutation S
and two numbers i and j used as pointers to elements of S. The RC4-PRGA generates
a single byte of keystream from such a state and then updates the state.
To analyze the cipher, we will write Sk and jk for the state of S and j, after exactly
k rounds of the loop starting in line 5 in Listing 1 have been executed. To make the
paper more readable, we write n for the constant value 256. Accordingly, we write
Sk+n and jk+n for the state of S and j, after the state was initialized by the algorithm
in Listing 1 and exactly k bytes of output have been produced by the algorithm in
Listing 2. When a key K is used for RC4 and a keystream X of arbitrary length is
produced, we write X = RC4(K). Please note that an attacker who knows the rst k
bytes of an RC4 key K also knows Sk and jk.
In a WEP protected network, all stations usually share a single symmetric key Rk
named root key. A single packet can easily be lost in an IEEE 802.11 network due to a
transmission error, so WEP needs to encrypt all packets independently. Because RC4
does not support an initialization vector by itself, WEP generates a per packet keyfor every packet. A three byte initialization vector IV is chosen and prepended to the
root key Rk which results in the per packet key K = IVjjRk. A keystream X = RC4(K)
is generated from K. To protect the integrity of the transmitted data, a 32 bit long
CRC32 checksum named ICV is appended to the data. The resulting plaintext is
then encrypted by XORing the plaintext (including the CRC32 checksum) with the
generated keystream. The ciphertext together with the corresponding unencrypted
initialization vector IV is then send over the air.
WEP originally only specied a 40 bit secret key Rk, but most vendors implemented
an additional mode where Rk had a length of 104 bits. The length of the corresponding
per packet keys K where 64 or 128 bit, and these variants were mostly marketed as 64
or 128 bit WEP. We restrict ourselves to the 104 bit variant, but our attacks can easily
be adopted for networks with dierent key lengths with only minor modications.

The FMS attack
Fluhrer, Mantin and Shamir published[4, 13] the rst key recovery attack on WEP in
2001. Their attack is based on the following ideas: An attacker who listens passively to
the traffc of a WEP protected network can record a lot of encrypted packets including
the initialization vectors used for these packets. Because the rst bytes of the plaintext
of most packets are easily predictable, the attacker is able to recover the rst bytes of
the keystreams used to encrypt these packets. The initialization vector is transmitted
unprotected with the packets, so the attacker initially also knows the rst 3 bytes of
the per packet key for all packets. All following bytes of the per packet key are the
same for all packets, but are initially unknown to the attacker.

A full key recovery attack on WEP can be built using this correlation. An at-
tacker captures packets from a WEP protected network and recovers the rst byte of
keystream used to encrypt these packets by guessing the rst byte of plaintext. There
are also various active techniques to generate traffc on a WEP protected network
even without the key, which allow the recovery of more than the rst 1000 bytes of
keystream per packet[1]. He selects the packets where the resolved condition holds
and calculates Ffms for these packets. Each result of Ffms can be seen as a vote for
the value of Rk[0]. After enough packets have been captured, the attacker makes a
decision for the value of Rk[0] based on the number of votes geberated by Ffms. If the
decision was correct, the attacker knows the rst l = 4 bytes of all per packet keys and
can continue with Rk[1]. Please note that all packets need to be reevaluated wether the
resolved condition holds, because this check depends on the value of Rk[0]. After all
bytes of Rk have been determined, the attacker checks the resulting key for correctness
using a number of trial decryptions. If the key is correct, the attacker has succeeded.
If the resulting key is incorrect, the attacker looks for a decision for Rk[i], were an
alternative value for Rk[i] was also very likely. The attacker corrects the decision in
the decision tree at depth i and continues the attack with the alternate decision.
Although the 5% success probability of Ffms looks impressive, the attack needs
4,000,000 to 6,000,000 packets to succeed with a success probability of at least 50%,
depending on the exact environment and implementation[14, 13]. The reason for this
is that the resolved condition holds only for a small amount of randomly chosen ini-
tialization vectors.

The KoreK attack
In 2004, a person under the pseudonym KoreK posted an implementation of
an advanced WEP cracking tool in an internet forum. KoreK used 16 additional
correlations between the rst l bytes of an RC4 key, the rst two bytes of the generated
keystream, and the next keybyte K[l]. Most of these correlations have been found by
KoreK him self, a few had been discussed[5] in public before. KoreK assigned names
like A u15 or A s13 to these attacks, the original FMS attack is called A s5 1 here.
Nearly all correlations found by KoreK use the approach that the rst or second
byte of the keystream reveals the value of jl+1 under some conditions, if 2-4 values
in S have a special constellation and are not changed during the remaining RC4-KSA
after step l + 1. An interesting exception is the A neg correlation, which doesn't vote
for a certain value of K[l]. Instead a value can be excluded from the list of possible
candidates for K[l], which can be seen as a negative vote for K[l].
The overall attack structure is the same decision tree based approach as for the
FMS attack. The number of captured packets is reduced to about 700,000 for 50%
success probability[14]. Again, the exact numbers depend on the exact environment
and the implementation and parameters used for the attack. One important factor is if
the initialization vectors are generated by a PRNG algorithm or if they are generated
sequentially by a counter.


The PTW attack
In 2007, a new generation of WEP attacks was published[15, 14] by Tews, Weinmann,
and Pyshkin. Their attack introduced two new concepts:
1. All previous correlations used required 2-4 values in S not to change during the
remaining RC4-KSA. They also had a lot of preconditions which need to hold to
use the correlation. Therefore, only a small number of packets could be used to
vote for a certain keybyte.

The PTW attack now works as follows: First an attacker captures packets and

recovers their keystreams as for the FMS and KoreK attack. The attacker knows
the rst l = 3 bytes of all per packets keys.
He now evalues Fptwm for every packet and every m Є { f1, ..., 13} and gets votes for Ó0 ... Ó12. After all packets
have been processed, the resulting root key is calculated using Rk[0] = Ó0 and
Rk[i] = Ói - Ói_1. If the key is correct, an alternative decision is made for one
of the values Ói and the key is updated using just 12 single subtractions without
the need to reevaluate all packets.
The attack needs just about 35,000 to 40,000 packets for 50% success prob-
ability, which can be collected in less than 60 seconds on a fast network. Only a few
seconds of CPU time is needed to execute the attack.
Some modications of the PTW attack have been proposed[16, 10] which reduce the
number of packets needed or allow the usage of the PTW attack in some special cases
where the recovery of full key streams is difficult.

The Chopchop attack

The chopchop attack allows an attacker to interactively decrypt the last m bytes
of plaintext of an encrypted packet by sending m•128 packets in average to the network.
The attack does not reveal the root key and is not based on any special properties of
the RC4 stream cipher.
We can summarize the chopchop attack as follows: Before encryption, a four byte
CRC32 checksum named ICV is appended to the data of the packet. The packet
with the trailing checksum P can be represented as an element of the polynomial ring
F2[X]. If the checksum is correct, P mod PCRC = PONE holds, where PONE is a
known polynomial and PCRC is a known polynomial too, which is irreducible. We can
write P as QX8 + R. Here R is the last byte of P and Q are all remaining bytes.
When the (encrypted) packet is truncated by one byte, Q will most probably have an
incorrect checksum.
Assume that the attacker knows R. Adding PONE + (X8)ֿ1(PONE + R) to Q
corrects the checksum again. If R was incorrect here, the resulting packet will have an
incorrect checksum. This addition can also be done on the encrypted packet.
Most access points can be used to distinguish between encrypted packets with correct
and incorrect checksum. For example if a client is not authenticated, and an access
point receives a packet from this client, the access point will generate an error message.
Packets with an incorrect checksum are silently discarded.
An attacker can use this to interactively decrypt packets. The attacker selects a
captured packet for decryption. He truncates the packet by one byte, guesses R,
corrects the checksum and sends the packet to the access point to nd out if his guess
for R was correct. If the guess for R was correct, the attacker now knows the last byte
of plaintext and can continue with the second last byte. If the guess war incorrect,
he makes another dierent guess for R. After at most 256 guesses and in average 128
guesses, he has guessed the correct value of R.


An improved attack on WEP
Unfortunately, after the release of the PTW attack, only little attention was drawn
towards the old KoreK attack. Compared to the PTW attack, the KoreK attack has
the advantage that it only needs the rst two bytes of the keystreams of all captured
packets. Usually, the recovery of the rst two bytes of keystream is much easier than
recovering the rst 15 or 31 bytes. A pleasant exception is the work done by Vaudenay
and Vuagnoux[16], who showed that the correlation used in the FMS attack can also
be rewritten to vote for ợi instead of Rk[i]. This correlation is one of the 17 correlations
used in the KoreK attack.

correlation used in the PTW attack can easily be modied to vote for the value of
ợ12 + ợi, even when the value of ợ12 is unknown at this moment. After the attacker
has decided on the value of ợ12, he can get additional votes for each ợi, by subtracting
the value of ợ12 from these votes. To use these additional correlations, an attacker
needs the keystream bytes X[15] to X[30], which can sometimes be recovered too.
Using all these ideas, we modied an implementation of the PTW attack1 resulting
in a new WEP cracking tool, which clearly needs fewer packets than previous imple-
mentations of the PTW attack. We decided to use the same key ranking strategy as
used for the original PTW attack. We limited the number of keys the implementation
tests before failing to 220. The same limit has been used by previous publications
about WEP attacks, so that it should be easier to compare our attack to previous
attacks.
Figure 1 shows the success rate of our implementation. For a 50% success rate, the
attack only needs about 24,200 packets, compared to 32,700 for the VX attack[16] and
35,000 to 40,000 for various implementations of the PTW attack.


Breaking WPA

Our second contribution is an attack on WPA[2]. WPA standardizes two modes how
payload can be protected during transmission, Temporal Key Integrity Protocol (TKIP)
and (AES-)CCMP. For this paper, we will concentrate on TKIP. TKIP is a slightly
modied version of WEP. TKIP implements a more sophisticated key mixing function
for mixing a session key with an initialization vector for each packet. This prevents all
currently known related key attacks because every byte of the per packet key depends
on every byte of the session key and the initialization vector. Additionally, a 64
bit Message Integrity Check (MIC) named MICHAEL[2] is included in every packet
to prevent attacks on the weak CRC32 integrity protection mechanism known from
WEP. To prevent simple replay attacks, a sequence counter (TSC) is used which allows
packets only to arrive in order at the receiver.
TKIP was designed so that legacy hardware only supporting WEP should be rmware
or driver upgradeable to TKIP. Therefore, the RC4 stream cipher is still used and the
ICV is still included in every packet.
We will now show that it is still possible to decrypt trac in a chopchop like manner
and to send packets with a custom content: Assume that the following conditions are
met: The network being attacked is using TKIP for client to access point communi-
cation. The IPv4 protocol is used with an IP range where most bytes of the addresses
are known to the attacker (for example 192.168.0.X). A long re-keying interval is used
for TKIP, for example 3600 seconds. The network supports the IEEE 802.11e Quality
of Service features[2] which allow 8 dierent channels (named TID - trac identier)
for dierent data
ows and a station is currently connected to the network.
These assumptions are quite realistic for most networks currently deployed in the
wild. To attack such a network, an attacker rst captures traffc, until he has found an
encrypted ARP request[11] or response. Such packets can easily be detected because
of the characteristic length. Additionally, the source and destination ethernet address
is not protected by WEP and TKIP and requests are always sent to the broadcast
address of the network. Most of the plaintext of this packet is known to the attacker,
except the last byte of the source and destination IP addresses, the 8 byte MICHAEL
MIC and the 4 byte ICV checksum. MIC and ICV form the last 12 bytes of the
plaintext.
An attacker can now launch a modied chochop attack as against a WEP network
to decrypt the unknown plaintext bytes. TKIP mainly contains two countermeasures
against chopchop like attacks:

*If a packet with an incorrect ICV value is received by a client, a transmission
error is assumed and the resulting packet is silently discarded. If the ICV value
is correct, but the MIC verication fails, an attack is assumed and the access
point is notied by sending a MIC failure report frame. If more than 2 MIC
verication failures occur in less than 60 seconds, the communication is shut
down, and all keys are renegotiated after a 60 second penalty period.
* When a packet has been received correctly, the TSC counter for the channel
it was received on is updated. If a packet with a lower value than the current
counter is received (the packet is received out of order), the packet is discarded.
Nevertheless, it is still possible to execute a chopchop attack. An attacker needs to
execute the attack on a dierent QoS channel than the packet was originally received
on. Usually, there will be a channel with no or low traffic where the TSC counter is
still lower. If the guess for the last byte during the chopchop attack was incorrect, the
packet is still dropped silently. If the guess was correct, a MIC failure report frame
is sent by the client, but the TSC counter is not increased. The attacker needs to
wait for at least 60 seconds after triggering a MIC failure report frame to prevent the
client from engaging countermeasures. Within a little bit more than 12 minutes, the
attacker can decrypt the last 12 bytes of plaintext (MIC and ICV). To determine the
remaining unknown bytes (exact sender and receiver IP addresses), the attacker can
guess the values and verify them against the decrypted ICV.
After the MIC and the plaintext of the packet is known, an attacker can simply re-
verse the MICHAEL algorithm and recover the MIC key used to protect packets being
send from the access point to the client. The MICHAEL algorithm is not designed
to be a one-way function and reversing the algorithm is as effcient as calculating the
algorithm forward.
At this point, the attacker has recovered the MIC key and knows a keystream for
access point to client communication. He is now able to send a custom packet to the
client on every QoS channel, where the TSC counter is still lower than the value used
for the captured packet. In most networks in the wild, all traffic is just transmitted
on channel 0, so that the attacker is now able to send 7 custom packets to the client.
After the attack has been successfully executed, an attacker can recover an additional
keystream within 4-5 minutes, because he just needs to decrypt the 4 byte ICV using
chopchop. The ip address bytes can be guessed, the MIC can then be calculated using
the known MIC key and then be veried against the ICV.
To cause damage, the attacker could for example send messages triggering IDS
systems which work on the IP layer. Alternatively, traffic could be rerouted using
fake ARP responses. The attacker could try to establish a bidirectional channel to
the client, if the client is connected to the internet using a rewall blocking incoming
traffic, but allowing outgoing traffic. The responses of the client cannot be read over
the air by the attacker, but could be routed back over the internet.
We created a proof of concept implementation of this attack2 to verify that the attack
actually works. We managed to attack hardware from various vendors, conrming that
this attack is really applicable against real world networks.

Conclusion:
WEP is known to be insecure since 2001, however we think that key recovery attacks
against WEP are still of interest. On the one hand, WEP is still used in the wild
and on the other, some companies are selling hardware using modied versions of the
WEP protocol, they claim to be secure. Secondly, the TKIP protocol used by WPA
is not much dierent from WEP, so that attacks on WEP can aect the security of
networks using TKIP, as seen in the paper.
Our attack on TKIP in Section 5 shows that even WPA with a strong password is
not 100% secure and can be attacked in a real world scenario. Although this attack
is not a complete key recovery attack, we suggest that vendors should implement
countermeasures against this attack. Because the problem can be xed in a high level
part of the protocol, we think that updates can easily be developed and deployed with
new drivers.



[1] Andrea Bittau, Mark Handley, and Joshua Lackey. The nal nail in WEP's coffin.
In IEEE Symposium on Security and Privacy, pages 386{400. IEEE Computer
Society, 2006.
[2] IEEE-SA Standards Board. Wireless LAN Medium Access Control (MAC) and
Physical Layer (PHY) Specications. Communications Magazine, IEEE, 2007.
[3] Rak Chaabouni. Break wep faster with statistical analysis. Technical report,
EPFL, LASEC, June 2006.
[4] Scott R. Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the key scheduling

algorithm of RC4. In Serge Vaudenay and Amr M. Youssef, editors, Selected Areas
in Cryptography 2001, volume 2259 of Lecture Notes in Computer Science, pages
1{24. Springer, 2001.
[5] David Hulton. Practical exploitation of RC4 weakness in WEP environments,
2002. presented at HiverCon 2002.
[6] Robert J. Jenkins. Isaac and rc4. [http://burtleburtle.net/bob/rand/isaac.
html, 1996.
[7] A. Klein. Attacks on the RC4 stream cipher. Designs, Codes and Cryptography,
48(3):269{286, 2008.
[8] KoreK. chopchop (experimental WEP attacks). http://www.netstumbler.org/
showthread.php?t=12489, 2004.
[9] KoreK. Next generation of WEP attacks? http://www.netstumbler.org/
showpost.php?p=93942&postcount=35, 2004.
[10] Yuko Ozasa, Yoshiaki Fujikawa, Toshihiro Ohigashi, Hidenori Kuwakado, and
Masakatu Morii. A study on the Tews, Weinmann, Pyshkin attack against WEP.
In IEICE Tech. Rep., volume 107 of ISEC2007-47, pages 17{21, Hokkaido, July
2007. Thu, Jul 19, 2007 - Fri, Jul 20 : Future University-Hakodate (ISEC, SITE,
IPSJ-CSEC).
[11] D. C. Plummer. RFC 826: Ethernet Address Resolution Protocol: Or convert-
ing network protocol addresses to 48.bit Ethernet address for transmission on
Ethernet hardware, November 1982.
[12] David Sterndark. Rc4 algorithm revealed. Usenet posting, Message-ID:
, Sep 1994.
[13] Adam Stubbleeld, John Ioannidis, and Aviel D. Rubin. A key recovery attack
on the 802.11b wired equivalent privacy protocol (WEP). ACM Transactions on
Information and System Security, 7(2):319{332, May 2004.
[14] Erik Tews. Attacks on the wep protocol. Cryptology ePrint Archive, Report
2007/471, 2007. http://eprint.iacr.org/.
[15] Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. Breaking 104 bit wep
in less than 60 seconds. In Sehun Kim, Moti Yung, and Hyung-Woo Lee, edi-
tors, WISA, volume 4867 of Lecture Notes in Computer Science, pages 188{202.
Springer, 2007.
[16] Serge Vaudenay and Martin Vuagnoux. Passive-only key recovery attacks on
RC4. In Selected Areas in Cryptography 2007, Lecture Notes in Computer Science.
Springer, 2007.

ASTALAVISTA


----m-------m----
.....| |(o o)| |
.......||(~)||:::::::::::::::::::::::::::::::::(((:>>Il Link non e' ancora attivo ma lo sara' presto...Nel frattempo toccare lo sponsor porta bene