I'm developing the win32 version of sneak:

http://snarkles.net/scripts/sneak/sneak.php

The ASM source code is available on cyberarmy svn (for members only - free)

Check the forum for details:
http://www.cyberarmy.net/forum/sneak/messages/295244.html

This a very simple and small toolbar I wrote in my spare time.

I use the same set of tools very often and I find it very annoying to look for them in the start menu, on the desktop or in explorer.



I put this toolbar in the /run folder and don't use the start menu anymore. (it was also a way to try the excellent PNG lib by Thomas Bleeker)

You can find the file and the sources here

PS: respect the config file format or expect some funky behaviour :p

It is possible to restore infected files from the vault to the 'computer' using the option 'Restore File As'.

So I restored as 'blah.xyz' the wmf file AVG found the other day and I put it on the desktop.

My surprise was to discover that AVG restored the file as 'blah.xyz.wmf'...

Nice joke AVG, thank you.

After a couple of weeks of online inactivity, I've decided to finish coding geek reverser level 10.
Hopefully it will be live and ready by the end of the week.

I've also been developing a pseudo point-and-click type of rgp. (ie no fancy graphics and animations, just cool riddles, challenges, character development, turn-based fights...etc.)
I have good ideas, I just need to find the courage and time to finish it...

BinScan

I created this tool to quickly identify modifications in the PE, use of a TLS callback and Alternate Data Streams.

-> Some modifications done in the PE structure of an executable can prevent debuggers or other tools to open the executable.
-> A TLS callback can be used to execute code at the moment you open the executable in a debugger. (very dangerous)
-> Listing all the streams is essential when you analyse a file.

The PE and TLS functions are very basic and might not work on heavily modified executables.
For example it will crash on Delphi executables that have an unused TLS table or on optimised PE files.
Those will be fixed in future versions.

When you scan for Alternate data Streams, you will always see a record:



This is the default stream, the files itself.
The name of alternate data stream will appear between ::
For example, in the screenshot below, one alternate stream is called 1337stream3.exe

You can then open that file (stream) in notepad for example using:



Note that Alternate Data Streams will be lost if you transfer them using a non NTFS support.
(99% of mail servers)
But between you and me, it is possible to keep those streams if you compress the file with winrar :)

Click here to see a screenshot of the program.

Click here to download the program.

I'm in the process of cleaning and commenting the sources. They will be available later.

Now that the blog is online, I'll be able to share two or three tools I wrote.

The first one I'd like to share is WMF Creator. I already put a link in the comments of my article: Wmf Exploit but I thought it would look nicer here.

This tool will take care of calculating the header footer and adding some Meta functions. You just have to feed it with a binary file containing the code you want to execute. (a sample file that will open Regedit is included in the archive)

I first wanted to add more features to this tool but I will end the development to this version (1.1)

It works fine as a proof of concept and it's a good source for those who would like to see how easy it is to write in assembly for windows.

View screenshot

Download (source included)