Journals

CodeBreakers Journal
Assembly Programming Journal

Journal Issues

Vol.5, No.1, 2008
Vol.4, No.2, 2007
Vol.4, No.1, 2007
Vol.3, No.2, 2006
RECON2006 Conf. Proc.
Vol.3, No.1, 2006
RECON2005 Conf. Proc.
Vol.2, No.1, 2005
Vol.1, No.2, 2004
Vol.1, No.1, 2004

Statistics

Members: 1925
News: 292
Web Links: 1
Visitors: 3680420

Who's Online

We have 1 guest online
Damn Vulnerable LinuxDamn Vulnerable Linux (DVL) is a Linux-based (modified Damn Small Linux) tool for IT-Security & IT-Anti- Security and Attack & Defense. [CLICK HERE FOR MORE INFOS! ]

Featured Conference Video

T16-Recon2006-Joe_Stewart-OllyBonE.gif OllyBone - Semi-Automatic Unpacking on IA-32. View the conference video here!
Home arrow About/Disclaimer
Unpacking bird's eye view
User Rating: / 0
PoorBest 
Written by Ero Carrera   
Side Story
The Dark Side of Winsock

The Winsock SPI, or Service Provider Interface, has been a part of Winsock since the advent of version 2.0. It enables providers to extend the Winsock API transparently, by installing their own hooks and chains to application API calls. However, its formidable capabilities are not put to widespread use... aside from spyware.

This lecture begins with a brief overview of the Windows TCP/IP Stack - reviewing the terminology, From NDIS to Winsock 2. We then delve further to explore Winsock, recapping the standard (Berkeley-Derived) API calls and their semantics.

Going "Under the Hood" of Winsock, we next explore the Service Provider Interface, and its potent use to extend (or spy on) the Winsock calls. We next show the unbearable lightness of intercepting DNS lookups and UDP/TCP based communication by a hidden DLL.

Finally, we conclude by trying to discuss countermeasures to this insidious channel.
Read More >>



Download: http://www.secure-software-engineering.com/downloads/recon2006/recon2006_Carrera_Unpacking.pdf