Wednesday, February 25, 2009

csrcs.exe Virus Manual Removal Steps

csrcs.exe

Don't confuse csrcs.exe with csrss.exe: csrss.exe is a legitimate Windows service, whereas csrcs.exe is a Trojan or a virus. It resides in the C:\Windows\System32\ folder.

To remove csrcs.exe and all its effects, first open regedit (Start > Run: regedit). Then search for the string "csrcs.exe" and remove every occurrence of it from the values. If a value holds a path such as "C:\Windows\System32\csrcs.exe", delete the entire value from the registry.

Next, delete the file from C:\Windows\System32.
If you do not find it, first show all hidden files. You may have to fix a registry setting before hidden files can be shown; this was covered in an earlier post. Once that is done, delete the exe file.

Restart.
Hope that does it.
If not, do comment,
I will get back to you ....

Wednesday, February 18, 2009

Edge Detection on Images

Intro
The following images show the result of applying various edge detection kernels to the original image below. Each kernel is listed next to its name.

Original Image


  1. Prewitt

    -1 -1 -1
    0 0 0
    1 1 1

  2. Sobel

    -1 -2 -1
    0 0 0
    1 2 1

  3. Laplacian 1

    -1 -1 -1
    -1 8 -1
    -1 -1 -1

  4. Laplacian 2

    0 -1 0
    -1 4 -1
    0 -1 0

  5. Stochastic

    0.802 0.836 0 -0.836 -0.802
    0.845 0.897 0 -0.897 -0.845
    0.870 1.000 0 -1.000 -0.870
    0.845 0.897 0 -0.897 -0.845
    0.802 0.836 0 -0.836 -0.802


Thursday, February 12, 2009

ARP Spoofing or IP Masquerade

What is IP Masquerade or ARP Spoofing?

To understand what IP Masquerading or ARP Spoofing is, we need to look at how Ethernet works. Ethernet is a Data Link Layer protocol that uses the MAC addresses embedded in network interface cards (NICs) to communicate between devices. The network layer and the layers above it, however, communicate using IP addresses. So for communication to work there must be a mechanism that maps IP addresses at the network layer to MAC addresses at the data link layer. This is accomplished by ARP (Address Resolution Protocol). When a packet needs to be sent to a destination machine, given its IP, an ARP Request is sent. This request is broadcast to all machines on the Ethernet segment. If the target machine is on the same segment, it answers with an ARP Reply carrying its MAC address. The sender caches this MAC address in its ARP table, and further packets to that IP are sent to the machine with that MAC address.

Now the inherent flaw in the protocol is that there is no mechanism to verify that the IP address really corresponds to the MAC address, and a forged ARP reply updates the ARP cache just like a genuine one. So if a forged reply arrives for an IP address and MAC pair, the ARP table gets updated. No questions asked.

Thus any machine in the network can pose as another machine and hijack all the information flowing to it. This is called ARP spoofing or IP Masquerading.
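Since a forged reply is accepted with no check, the practical defence is to watch the replies themselves. The following is an added example (not part of the original post): a small arpwatch-style monitor over constructed ARP reply records that flags the two symptoms a defender can see, an IP whose MAC changes and one MAC answering for several IPs. All addresses are made up, and the optional pinned table is an assumption of this example.

```python
# Added example: a minimal ARP reply monitor. Input records are constructed
# (time, sender IP, sender MAC) tuples as they would be parsed from ARP
# replies seen on one LAN; nothing here touches a real network.
from collections import defaultdict

# Constructed sample traffic (all addresses made up).
SAMPLE_REPLIES = [
    (1, "192.168.1.1",  "00:11:22:33:44:01"),   # gateway, legitimate
    (2, "192.168.1.10", "00:11:22:33:44:10"),
    (3, "192.168.1.1",  "00:11:22:33:44:01"),   # repeat, unchanged
    (4, "192.168.1.1",  "00:11:22:33:44:99"),   # gateway now claimed by another MAC
    (5, "192.168.1.10", "00:11:22:33:44:99"),   # same MAC also claims .10
]

# Optional pinned entries (assumed here, e.g. the known gateway MAC). A reply
# contradicting one of these is reported even if it is the first one seen.
STATIC_TABLE = {"192.168.1.1": "00:11:22:33:44:01"}

def detect_arp_anomalies(replies, static=None):
    """Return a list of alert strings; an empty list means nothing suspicious."""
    static = {ip: mac.lower() for ip, mac in (static or {}).items()}
    cache = dict(static)              # ip -> mac as this monitor believes it
    ips_per_mac = defaultdict(set)    # mac -> set of IPs it has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static:
            # Pinned entries are never overwritten; a mismatch is an alert.
            if mac != static[ip]:
                alerts.append(f"t={ts}: {ip} pinned to {static[ip]} but reply came from {mac}")
        else:
            if ip in cache and cache[ip] != mac:
                alerts.append(f"t={ts}: {ip} changed from {cache[ip]} to {mac}")
            cache[ip] = mac           # mimic the unconditional cache update
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append(f"t={ts}: {mac} now answers for {sorted(ips_per_mac[mac])}")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_anomalies(SAMPLE_REPLIES, STATIC_TABLE):
        print(line)
```

Run against the sample it reports the gateway takeover at t=4 and the second claim at t=5, which is the same trace an arpwatch-style tool would log.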

Sunday, February 1, 2009

PERL Code to change Google talk status

Code : stat.pl
The following code changes the status message of a Gmail/Google Talk user.
Requires the Net::XMPP module, with the SSL modules installed (the connection uses TLS).


#!/usr/bin/perl
# usage : perl stat.pl <status>
use strict;
use warnings;
use Net::XMPP;

## Pls fill in these here :)
my $username = "";   # Gmail user name, without @gmail.com
my $password = "";

my $hostname       = 'talk.google.com';
my $port           = 5222;
my $componentname  = 'gmail.com';
my $connectiontype = 'tcpip';
my $tls            = 1;

my $new_status = $ARGV[0];
die "usage: perl stat.pl <status>\n" unless defined $new_status;

my $Con = Net::XMPP::Client->new(debuglevel => 0);

# Connect returns undef when the TCP/TLS connection could not be made.
my $conn_status = $Con->Connect(
    hostname       => $hostname,
    port           => $port,
    componentname  => $componentname,
    connectiontype => $connectiontype,
    tls            => $tls,
    timeout        => 10);

if (!defined($conn_status)) {
    die "Could not connect to $hostname:$port\n";
}

# Google Talk workaround: authenticate against the gmail.com domain
# rather than the host name we connected to.
my $sid = $Con->{SESSION}->{id};
$Con->{STREAM}->{SIDS}->{$sid}->{hostname} = $componentname;

my @result = $Con->AuthSend(
    username => $username,
    password => $password,
    resource => "neuron");

# AuthSend returns ("ok", "") on success, otherwise (error type, message).
if ($result[0] ne "ok") {
    $Con->Disconnect();
    die "Authentication failed: $result[0] - $result[1]\n";
}

$Con->Send("<iq type='get' to='gmail.com'><query xmlns='http://jabber.org/protocol/disco#info'/></iq>");
$Con->Process();

# Fetch the current shared status so <show> and <status-list> can be sent
# back unchanged along with the new status text.
my $iq = $Con->SendAndReceiveWithID("<iq type='get' to='$username\@gmail.com'><query xmlns='google:shared-status'/></iq>");
die "No reply to the shared-status query\n" unless defined $iq;
my $xml = $iq->GetXML();

my ($old_status, $statuslist, $show) = ("", "", "");
$old_status = $1 if ($xml =~ m/<status>(.*?)<\/status>/);
$statuslist = $1 if ($xml =~ m/(<status-list(.*)<\/status-list>)/s);
$show       = $1 if ($xml =~ m/<show>(.*?)<\/show>/);

# Escape the user-supplied text so it cannot break the XML stanza.
(my $safe_status = $new_status) =~ s/&/&amp;/g;
$safe_status =~ s/</&lt;/g;
$safe_status =~ s/>/&gt;/g;

# Change status
$Con->Send("<iq type='set' to='$username\@gmail.com'><query xmlns='google:shared-status'>
<status>$safe_status</status><show>$show</show>
$statuslist
</query></iq>");
$Con->Process();
$Con->PresenceSend(type => 'unavailable');
$Con->Process();
$Con->Disconnect();
exit;


Usage
perl stat.pl "my status"


Worked? or Crap?
Lemme know....
;)