Bugtraq mailing list archives
RE: Bypassing Personal Firewalls
From: "Oliver Lavery" <oliver.lavery () sympatico ca>
Date: Fri, 21 Feb 2003 18:22:59 -0500
> (Sidenote: a number of previous apps used to test PFWs or Application
> Firewalls -- http://www.pcflank.com/art21.htm )

Yes, these are great tests. Most PFWs block them all now.
> There are a number of ways to do this, you use the more popular method of
> OpenProcess and WriteProcessMemory. However, there is a limit to the number
> of API calls which implement this.
>
> Ultimately, this kind of code needs to be blocked, first, at the NT API
> level... Such blocking should use the same method as blocking the network
> calls, i.e., "Do you want to allow this application to ..."

Yes. Before we go prompting users every time someone calls CreateFile, though, there are much simpler measures. One of them would make OpenProcess require a privilege of some sort (see below).
> Most commonly, this would be used with WriteProcessMemory. CreateRemoteThread
> would need to be blocked in this manner. PostRemoteThreadMessage and
> PostThreadMessage are some of the more dangerous calls in this context.

You'll notice that all of these calls require a handle returned by OpenProcess (hProcess in my code).
> After that, you are probably talking about having to do some sort of
> signature analysis at the binary level.

MD5 of the binary memory image! This is probably feasible, but good god, it would be resource intensive.
> OpenProcess does require SeDebugPrivilege, I believe.

No, and this is very much the point. According to MS docs:

  SeDebugPrivilege: Determines which users can attach a debugger to any process. This privilege provides powerful access to sensitive and critical operating system components.

This only prevents users from using OpenProcess on system processes (winlogon.exe etc.). There need to be tighter restrictions on the use of OpenProcess.

Cheers,
~ol
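As an added, read-only audit of the point made in this mail (example code, not from the thread or any PFW vendor): it reports whether the current token holds SeDebugPrivilege and which running processes that token can nonetheless open with full access. It is Windows-only and assumes that .NET's Process.Handle getter requests PROCESS_ALL_ACCESS when it calls OpenProcess.

```powershell
# Added example, not from the thread. Read-only audit of the exposure
# described above: which running processes can the current token open
# with full access, and is SeDebugPrivilege enabled at all?
# Assumption: .NET's Process.Handle requests PROCESS_ALL_ACCESS, which
# includes the PROCESS_VM_WRITE / PROCESS_CREATE_THREAD rights that
# WriteProcessMemory and CreateRemoteThread need on the target handle.

function Test-SeDebugPrivilege {
    # whoami /priv prints one line per privilege: name, description, state.
    $lines = whoami /priv
    return [bool]($lines | Where-Object {
        $_ -match '^SeDebugPrivilege\s' -and $_ -match '\sEnabled\s*$'
    })
}

function Get-OpenableProcessAudit {
    foreach ($p in Get-Process) {
        $opened = $false
        $reason = ''
        try {
            # The property getter calls OpenProcess under the hood; it throws
            # when the token is denied the requested access (typically other
            # users' or SYSTEM processes when SeDebugPrivilege is not held).
            $null = $p.Handle
            $opened = $true
        } catch {
            $reason = $_.Exception.GetBaseException().Message
        }
        [PSCustomObject]@{
            Id       = $p.Id
            Name     = $p.ProcessName
            Openable = $opened
            Reason   = $reason
        }
    }
}

$audit = @(Get-OpenableProcessAudit)
"SeDebugPrivilege enabled: $(Test-SeDebugPrivilege)"
"Processes this token can open with full access: " +
    "$(@($audit | Where-Object Openable).Count) of $($audit.Count)"
# Only the denied ones are listed; everything else is reachable without
# any privilege, which is the attack surface the mail is talking about.
$audit | Where-Object { -not $_.Openable } |
    Format-Table Id, Name, Reason -AutoSize
```

Run it as an ordinary user and then from an elevated shell to see how much of the difference is explained by SeDebugPrivilege alone.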