DNSshell -- Injection

@Jason

You have said in another forum ...

"Also seems Process Guard v2.000 is the first to properly block this method of DLL injection. [links] "

[ I have omitted the links because I am afraid that Paul will delete my post. This has happened too many times before and I do not want it to happen again ... :-( ]

1.
I would like to know how PG will block this injection technique. Will it specifically prevent the start of svchost.exe with flag CREATE_SUPSPENDED? Or will it block the start of svchost.exe in general?

2.
Does this DNS demo really bypass a personal firewall which has been properly configured and uses a rule which merely allows svchost to establish an outgoing connection via port 53 to the dns servers of the internet provider (and not to any other internet addresses)?

TIA.

 

1. Well I don't really want to delve into how Process Guard specifically protects it, but it does it in a way which works all the time, it does not block applications from creating SVCHOST or any other process, it just fixes the vulnerability regarding access that PARENT process's have over their children.

2. I would say that in that particular case the firewall would most probably block it (DNSShell that is), but last time I checked not many firewalls only added the respective address, they just added the port. I know you can easily set this up manually in most firewalls, but how many firewalls automatically do this? Plus.. this issue does not only extend to SVCHOST, but I will also not delve too far into what else is possible as to stop possible misuse of this information.

chameleon3, what will it take for you to register a user account at Wilders.



-Jason-

 

1.
Thanks! That was helpful. I can also imagine other ways of abusing this trick. I assume that PG will cover them, too?

2.
I have already registered at least two nicknames but cannot remember the passwords. Moreover, if I register myself I can be banned which is even more terrible than deleting my posts ;-) I also hate any registration procedures in general (as well as regsofts privacy policy). Last but not least you will probably know who I am. If not I can still send you an e-mail.

Cheers.

 

It will cover quite a lot without any changes - for example look at the "special new method" of AV Killing in "TechKiller" im sure some know this AV Killer. Was very popular when released and is actually quite efficient. Completely blocked by Process Guard without even adding the target processes to the protection list. The trojan infects explorer.exe to kill processes

If anything serious comes up we will get emails For now everyone enjoy the protection available against many threats

 

chameleon3 - I don't have any problems with what you've posted thus far, per se (certainly haven't seen you post anything that would even come close to getting you banned, for Heaven's sake) - but I'd like to give you my own personal take on what registration means.

Registration means that you're a real person, first of all. By that I mean that you're (a) willing to stand behind everything you post in your own real "name" and (b) that you're approachable - whether through IM, email or PM.

Even if everyone throws a fit about it, I'm going to state what I feel to be the obvious fact about "un-registered" and/or 'anonymous" posters - you can't trust what they post.

I could take your nic - right now - and post something totally off-the-wall, un-truthful, insulting, illegal - whatever - and it would take intervention and time by the management of this or any other site to get it straightened out.

Not making yourself readily identifiable (with one identity) on the Internet just doesn't give anyone any reason to give credence to anything you say - indeed, IMO, the complete opposite holds true.

If you're saying, or asking, something that's true - why
wouldn't you want to stand behind it with a real identity? What would you be afraid of? The webmasters/admins of a site can track down the origin of your posts, anyway, should they so desire - so what's the point of not registering if you want to be taken seriously? If you want to be trusted when you give answers or advice?

BRB. Pete

 

Pete- What a wonderful response! Your wisdom is beyond compare and I will gladly donate my entire income to your bank-account for the next ten years! Thank you for showing me the error of my ways!

 

Do you get my point NOW? (I posted that, using his nic, in case anyone's wondering). Protect your "identity" via registration! Pete

 

@Gavin

Cool. PG is getting better and better.


OFF TOPIC
________
@Spy

"Not making yourself readily identifiable (with one identity) on the Internet just doesn't give anyone any reason to give credence to anything you say."

I am sorry but you have not convinced me. I do NOT want people to believe me because I have a reputation. I do NOT want people to be biased because of my positive or negative standing. I am NOT looking for fame. I do NOT care if someone impersonates me. I do NOT want to make internet friends or foes. I do NOT want to have a name, a gender or anything else.

Just read my posts and make up your own mind.


__

Btw.: "The webmasters/admins of a site can track down the origin of your posts, anyway, should they so desire "

They cannot unless you do not use a proxy.

_____________

@Paul

" You did before on several ocassions over here, didn't you? "

I believe that I used a disposable e-mail address ;-)