RE: Bypassing Personal Firewalls

["Oliver Lavery" <oliver.lavery () sympatico ca>]

> (Sidenote: a number of previous apps used to test PFWs or Application
Firewalls -- 
> http://www.pcflank.com/art21.htm )

        Yes, these are great tests. Most PFWs block them all now.

> There are a number of ways to do this, you use the more popular method of
openprocess and 
> writeprocess memory. However, there is a limit to the number of api calls
which implement this. 
> Ultimately, this kind of code needs to be blocked, first, at the NT API
level... Such blocking 
> should use the same method as blocking the network calls, ie, "Do you want
to allow this 
> application to ..." 

        Yes. Before we go prompting users ever time someone calls
CreateFile, though, there are much simpler measures. One of them would make
OpenProcess require a priviledge of some sort (see below).

> Most commonly, this would be used with writeprocess memory.
> Createremotethread would need to be blocked in this manner.
Postremotethreadmessage. 
> PostThreadMessage. Are some of the more dangerous calls, in this context.

        You'll notice that all of these calls require a handle returned by
OpenProcess (hProcess in my code).

> After that, you are probably talking about having to do somesort of
signature analysis at the 
> binary level.

        MD5 of the binary memory image! This is probably feasible, but good
god it would resource intensive.

> OpenProcess does require seDebugPrivileges, I believe.

        No, and this is very much the point. According to MS docs:
SeDebugPrivilege:
Determines which users can attach a debugger to any process. This privilege
provides powerful access to sensitive and critical operating system
components.

        This only prevents users from using OpenProcess on system processes
(winlogon.exe etc.). There need to be tighter restrictions on the use of
OpenProcess.

Cheers,
~ol