DNSshell -- Injection

Discussion in 'ProcessGuard' started by chameleon3, Mar 26, 2004.

Thread Status:
Not open for further replies.
  1. chameleon3

    chameleon3 Guest

    @Jason

    You have said in another forum ...

    "Also seems Process Guard v2.000 is the first to properly block this method of DLL injection. [links] "

    [ I have omitted the links because I am afraid that Paul will delete my post. This has happened too many times before and I do not want it to happen again ... :-( ]

    1.
    I would like to know how PG will block this injection technique. Will it specifically prevent the start of svchost.exe with flag CREATE_SUSPENDED? Or will it block the start of svchost.exe in general?

    2.
    Does this DNS demo really bypass a personal firewall which has been properly configured and uses a rule which merely allows svchost to establish an outgoing connection via port 53 to the dns servers of the internet provider (and not to any other internet addresses)?

    TIA.
     
  2. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    1. Well, I don't really want to delve into how Process Guard specifically protects against it, but it does it in a way which works all the time. It does not block applications from creating SVCHOST or any other process; it just fixes the vulnerability regarding the access that PARENT processes have over their children.

    2. I would say that in that particular case the firewall would most probably block it (DNSShell, that is), but last time I checked not many firewalls only added the respective address; they just added the port. I know you can easily set this up manually in most firewalls, but how many firewalls automatically do this? Plus, this issue does not only extend to SVCHOST, but I will also not delve too far into what else is possible so as to stop possible misuse of this information.

    chameleon3, what will it take for you to register a user account at Wilders. :)

    -Jason-
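The "properly configured" rule chameleon3 asks about, written out as an added example for the modern Windows Firewall (NetSecurity cmdlets, Windows 8 / Server 2012 and later); this is not code from the thread or from Process Guard. It pins svchost.exe to port 53 on the provider's resolvers only, and the resolver addresses are placeholders.

```powershell
# Added example, not from the thread: restrict svchost.exe to DNS (port 53) on the
# ISP's resolvers only, which is the rule chameleon3 describes.
# The resolver addresses are placeholders; replace them with your provider's servers.
$DnsServers = @('192.0.2.53', '192.0.2.54')
$Svchost    = "$env:SystemRoot\System32\svchost.exe"

# Caveat a practitioner needs: Windows evaluates explicit Block rules before Allow
# rules, so the intuitive pair "block svchost to any" + "allow svchost to DNS" would
# block everything. The workable shape is a Block default for outbound traffic plus
# narrow Allow rules. Note the default affects every program, not just svchost.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "svchost DNS ($proto) to ISP resolvers only" `
        -Direction Outbound -Action Allow -Program $Svchost `
        -Protocol $proto -RemotePort 53 -RemoteAddress $DnsServers
}

# Verify the Allow rules carry the address restriction, not just the port
# (Jason's point: most firewalls only record the port automatically).
Get-NetFirewallRule -DisplayName 'svchost DNS*' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

With this in place, a process that gets svchost.exe to send traffic anywhere other than the listed resolvers on port 53 is dropped, which is the outcome chameleon3's second question is about.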
     
  3. chameleon3

    chameleon3 Guest

    1.
    Thanks! That was helpful. I can also imagine other ways of abusing this trick. I assume that PG will cover them, too?

    2.
    I have already registered at least two nicknames but cannot remember the passwords. Moreover, if I register myself I can be banned which is even more terrible than deleting my posts ;-) I also hate any registration procedures in general (as well as regsofts privacy policy). Last but not least you will probably know who I am. If not I can still send you an e-mail.

    Cheers.
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It will cover quite a lot without any changes - for example, look at the "special new method" of AV killing in "TechKiller"; I'm sure some know this AV killer. It was very popular when released and is actually quite efficient. Completely blocked by Process Guard without even adding the target processes to the protection list. The trojan infects explorer.exe to kill processes :rolleyes:

    If anything serious comes up we will get emails :) For now everyone enjoy the protection available against many threats
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Please drop me an email, and we will settle that one

    We do have 11,000+ registered members over here - at most 3 have been banned. And since you actually did register before, looks to me you have nothing to worry about, Mr. N ;)

    You did before on several occasions over here, didn't you? ;)

    We do indeed. So why not revive your most common and registered user name?

    Goes without saying ;)

    regards.

    paul
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    chameleon3 - I don't have any problems with what you've posted thus far, per se (certainly haven't seen you post anything that would even come close to getting you banned, for Heaven's sake) - but I'd like to give you my own personal take on what registration means.

    Registration means that you're a real person, first of all. By that I mean that you're (a) willing to stand behind everything you post in your own real "name" and (b) that you're approachable - whether through IM, email or PM.

    Even if everyone throws a fit about it, I'm going to state what I feel to be the obvious fact about "un-registered" and/or "anonymous" posters - you can't trust what they post.

    I could take your nic - right now - and post something totally off-the-wall, un-truthful, insulting, illegal - whatever - and it would take intervention and time by the management of this or any other site to get it straightened out.

    Not making yourself readily identifiable (with one identity) on the Internet just doesn't give anyone any reason to give credence to anything you say - indeed, IMO, the complete opposite holds true.

    If you're saying, or asking, something that's true - why wouldn't you want to stand behind it with a real identity? What would you be afraid of? The webmasters/admins of a site can track down the origin of your posts, anyway, should they so desire - so what's the point of not registering if you want to be taken seriously? If you want to be trusted when you give answers or advice?

    BRB. Pete
     
  7. chameleon3

    chameleon3 Guest

    Pete- What a wonderful response! Your wisdom is beyond compare and I will gladly donate my entire income to your bank-account for the next ten years! Thank you for showing me the error of my ways!
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Do you get my point NOW? :D (I posted that, using his nic, in case anyone's wondering). Protect your "identity" via registration! Pete
     
  9. chameleon3

    chameleon3 Guest

    @Gavin

    Cool. PG is getting better and better.


    OFF TOPIC
    ________
    @Spy

    "Not making yourself readily identifiable (with one identity) on the Internet just doesn't give anyone any reason to give credence to anything you say."

    I am sorry but you have not convinced me. I do NOT want people to believe me because I have a reputation. I do NOT want people to be biased because of my positive or negative standing. I am NOT looking for fame. I do NOT care if someone impersonates me. I do NOT want to make internet friends or foes. I do NOT want to have a name, a gender or anything else.

    Just read my posts and make up your own mind.


    __

    Btw.: "The webmasters/admins of a site can track down the origin of your posts, anyway, should they so desire "

    They cannot unless you do not use a proxy.

    _____________

    @Paul

    "You did before on several occasions over here, didn't you?"

    I believe that I used a disposable e-mail address ;-)
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    That's beside the point - and you know it ;).

    Anyway, I for one am not forcing you or anyone to use his/her registered user name. And according to our TOS, we will never reveal known info concerning a (registered) member, except under the exceptions formulated in our TOS. It's up to you in the end: going public (once more) or using all sorts of different guest names.

    regards,

    paul
     