Driver update for "ex-coat" vulnerability

Discussion in 'LnS English Forum' started by Frederic, Dec 15, 2006.

Thread Status:
Not open for further replies.
  1. Frederic

    Frederic LnS Developer

  2. Phant0m

    Phant0m Registered Member

    This driver is for those who running under 2K/XP for those who don’t know…
  3. farmerlee

    farmerlee Registered Member

    I noticed they tested the p2 version. Is this new driver also for p3?

    I was surprised to see comodo listed there....
  4. Thomas M

    Thomas M Registered Member

    This must be a new driver, since otherwise Frederic would have posted the message in one of the above threats (like: "Sticky: 2.05p3 Package Available") o_O

    Can you please confirm, Frederic

    Thank you,
    Thomas :)
  5. Frederic

    Frederic LnS Developer


    Yes, this driver is for Win2k/XP, it can be used on top of 2.05p2 or 2.05p3.
    It can also be used under Vista (it is based on the Vista driver patch which is version 3.05v1, and this new one is 3.05v2).

    It contains also the fix for the case sensitive issue about "Unknown"/"UNKNOWN" when an application parent name is not retrieved.

  6. ubuntu

    ubuntu Registered Member

    Hi Frederic

    When will you release a special Chinese beta driver which support GBK character set translation and fix "ex-coat" vulnerability ?

  7. Phant0m

    Phant0m Registered Member

    Today I thought I'd give this driver a go, after updating the driver and restarted Windows XP Home, upon Windows loading a crash happens and system is re-booted.

    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high. This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arg1: 00000000, memory referenced
    Arg2: 00000002, IRQL
    Arg3: 00000000, value 0 = read operation, 1 = write operation
    Arg4: f57b6443, address which referenced memory

    Debugging Details:

    READ_ADDRESS: 00000000


    f57b6443 0fbe11 movsx edx,byte ptr [ecx]




    PROCESS_NAME: avast.setup

    LAST_CONTROL_TRANSFER: from f57b8591 to f57b6443

    WARNING: Stack unwind information not available. Following frames may be wrong.
    b965722c f57b8591 00000140 b9657433 829290b8 lnsfw1+0xa443
    b965727c f57b8e7a 00000000 00000140 000007b8 lnsfw1+0xc591
    b9657554 f57afa8e 00000000 829290b8 82c386e8 lnsfw1+0xce7a
    b96575b0 f57acd4c 82c06598 82929008 8292909c lnsfw1+0x3a8e
    b965760c f57ad791 82c06598 82929008 8292909c lnsfw1+0xd4c
    b965767c 804e37f7 82c064e0 82929008 82bea9f0 lnsfw1+0x1791
    b965773c 805635e7 00000000 00000001 ffdff120 nt!IopfCallDriver+0x31
    b96576f4 f76514fa 82bea9c0 82929008 829290c0 nt!ObpCaptureObjectCreateInformation+0x19c
    b9657760 f7651a57 82bea9c0 82929008 829290c0 aswTdi+0x4fa
    b96577cc 804e37f7 82bea908 82929008 82929008 aswTdi+0xa57
    b96577dc 8057069a 82c70f00 82cfce64 b9657984 nt!IopfCallDriver+0x31
    b96578bc 8056316c 82c70f18 00000000 82cfcdc0 nt!IopParseDevice+0xa58
    b9657944 8056729a 00000000 b9657984 00000240 nt!ObpLookupObjectName+0x56a
    b9657998 80570b73 00000000 00000000 c310e400 nt!ObOpenObjectByName+0xeb
    b9657a14 80570c42 82cb0d08 02000000 b9657bb8 nt!IopCreateFile+0x407
    b9657a70 f5745483 82cb0d08 02000000 b9657bb8 nt!IoCreateFile+0x8e
    b9657c24 f574c2c7 82c6cfb8 82ccdf38 b9657c58 afd!AfdBind+0x2dc
    b9657c34 804e37f7 82c77f18 82c31008 806ee2d0 afd!AfdDispatchDeviceControl+0x53
    b9657c44 8056a101 82c310e4 82ec58a8 82c31008 nt!IopfCallDriver+0x31
    b9657c58 80579a8a 82c77f18 82c31008 82ec58a8 nt!IopSynchronousServiceTail+0x60
    b9657d00 8057bfa5 00000724 00000734 00000000 nt!IopXxxControlFile+0x611
    b9657d34 804de7ec 00000724 00000734 00000000 nt!NtDeviceIoControlFile+0x2a
    b9657d34 7c90eb94 00000724 00000734 00000000 nt!KiFastCallEntry+0xf8
    0011f4cc 00000000 00000000 00000000 00000000 0x7c90eb94


    f57b6443 0fbe11 movsx edx,byte ptr [ecx]


    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: lnsfw1

    IMAGE_NAME: lnsfw1.sys


    SYMBOL_NAME: lnsfw1+a443

    FAILURE_BUCKET_ID: 0xD1_lnsfw1+a443

    BUCKET_ID: 0xD1_lnsfw1+a443

    Followup: MachineOwner
  8. Frederic

    Frederic LnS Developer

    Here is the driver update for the Chinese version of the driver: chinese

    Thanks Ubuntu for the tests (which have revealed an issue).


  9. Frederic

    Frederic LnS Developer

    We actually encountered the same issue with Ubuntu on the chinese version of the driver.

    After investigation, it appears the issue is applicable to the first version (non-chinese), as experienced by Phant0m.
    So, an update of this driver fixing the issue (thanks Phant0m for the test) is available here:


  10. Phant0m

    Phant0m Registered Member

    Frederic always quick to fixing bugs and issues; thanks Fred. :ninja:
  11. Enig123

    Enig123 Registered Member

    There's a problem after upgrade to patch v3, which is that LnS now stops to check executable file CRC changes.

    BTW, I'm under win2k3 standard 32-bit English version.
  12. Phant0m

    Phant0m Registered Member

    You absolutely right :thumb: , no warnings for application changes
  13. Thomas M

    Thomas M Registered Member

    Yes, exactely: I updated to the latest Firefox & Thunderbird, and LnS did not alert me about the updated *.exe. Even more, I could not connect to anything with the updated Firefox.
    So I went back to the old driver....

    Thomas :)
  14. Frederic

    Frederic LnS Developer


    Yes, I confirm this issue.
    Working on it...

  15. Frederic

    Frederic LnS Developer

  16. halcyon

    halcyon Registered Member

    Frederic, to confirm:

    3.05v4 fixes the issue when "LnS did not alert me about the updated *.exe" ?

    I can't find a changelog...
  17. Frederic

    Frederic LnS Developer

    Yes, this last update is supposed to fix that.

    3.05v1 => First driver for vista (based on 3.05 from 2.05p3)
    3.05v2 => First try for ex-coat detection
    3.05v3 => Fixing the crash reported by Phant0m
    3.05v4 => Fixing the problem for exe change no longer detected

  18. Phant0m

    Phant0m Registered Member

    I had some spare time to waste; I decided to perform some runs with some of these leaktests available… Here they are a limited few;

    • Copycat - Passes
    • WallBreaker - Passes [3/4]
    • PCAudit2 - Passes
    • BreakOut v1 - NOT-TESTED
    • BreakOut v3 - Passes
    • Jumper - Passes
    • PCFlank - Passes
    • CPILSuite v1.0.0.1 - Passes
    • CPIL Passes
    • DNSTesters - fails
    • pcAudit v3.0.0.9 - fails
    • pcAudit v6.3 – fails
    • osfwbypass-demo - fails

    Passes = Breached security, fails = Failure to breach security

    Was the LNSFW1-3.05v4 enhanced (other than the ex-coat support, and some minor bug fixes introduced with the ex-coat support…) any differently from the 2.05p3 pre-bundled LNSFW1.sys driver that would reflects some other leaktests? Reason I ask because different firewall leaktests ratings are showing Look ‘n’ Stop v2.05p3 even with its highest settings failing some like… DNSTesters, PCAudit2, osfwbypass-demo while my thorough tests show just the opposite…

    Little more information can be found available by visiting
Thread Status:
Not open for further replies.