New Beta Driver addressing additional vulnerabilities/Leaktests.

Discussion in 'LnS English Forum' started by Frederic, Nov 12, 2004.

Thread Status:
Not open for further replies.
  1. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Hi Frederic,

    I'm on WinXP SP2 + all available updates.
    I tweaked the running services (as per Blackviper's site, "Safe list"), so there could be a problem there. I was planning on a reinstall this weekend, so I'm going to do a normal install and report back here.
    No reinstall possible at the moment, so if it's possible let's work from this setup.
     
    Last edited: Mar 6, 2005
  2. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Hi Frederic,

    Still interested in my FO4_KO1 problem? I am! :D

    System:
    WinXP SP2 Pro En + all updates
    LnS 2.05p2 + beta-drivers and registry settings.
     
  3. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Frederic, if you think this "problem" can't be solved, please let me know.

    If you want to know more about my system, let me know.

    If you are working on it PLEASE let me know.

    I REALLY like to get a reply here.
     
  4. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    SSK,

    Have you tried sending an E-Mail to Frederic? Usually this is the fastest way of getting support....

    Thomas :)
     
  5. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Hi Thomas,

    No I didn't. But will do. He replied to a couple of my posts before to get some info; after that it went silent.

    Thanks for your reply!
     
  6. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi SSK,

    This problem is related to the wininet.dll system file.
    So, send me this file (zipped format) at looknstop@soft4ever.com and I will try to see if there is something special with it.

    Regards,

    Frederic
     
  7. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Will do, thanks.

    Edit: file sent.
     
  8. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    Thanks for the file, I reproduced this issue with this particular version of wininet.dll (6.0.2900.2598); with another version (6.0.2900.2577) the problem doesn't appear. I don't know yet how to fix that.
    This is part of the uncertainty I had in my initial post :doubt: ("Please note this is an experimental driver, no guarantee it will work (even though it was successfully tested on different computers), not sure that the way of detection will be the final one, and not sure it will work with future updates of Windows.").

    Frederic
     
  9. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Hi Frederic, thanks for your quick work!
    What is your advice: leave the driver on my system (maybe remove the reg dword that sets this detection) or remove the driver completely (maybe you have seen other problems during testing?).
     
  10. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi SSK,

    Yes you can leave the driver on your system.
    When the driver detects the problem it automatically deactivates this feature.

    Frederic
     
  11. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    OK, thnx! (smart little program, by the way :D )
     
  12. ernstblaauw

    ernstblaauw Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    21
    I installed LnS 2.05p2. If I activate "Watch thread injection", my computer crashes with a BSOD and restarts.
    So I installed both new drivers (LNSFW1-d2 and LNSFW). But still, my computer crashes if I enable "watch thread injection". This happens if I start pcaudit2.
    The computer first loses the theme, and then a BSOD appears. I think the computer does not crash as fast as with the "stable" driver, but I'm not sure.
    I have an Athlon64 3000+ and Windows XP SP2 Dutch.

    BTW, it is a great program, despite this bug on my machine.

    edit:
    I enabled it again (and enabled DLL detection). Now it does not crash. In the console I have only the following message, after pressing driver logs:
    FW:
    FW1:

    edit2:
    It has nothing to do with DLL detection. If I enable thread injection, the computer crashes if I start pcaudit2. But not directly: first my taskbar disappears. After a couple of minutes, the computer shows a BSOD.
    After that, I set ActivatedSoon to 0. Now, if I enable thread injection, the computer crashes directly after starting pcaudit2.
    What's wrong with my setup?
     
    Last edited: Mar 17, 2005
  13. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Ernst,

    Could you confirm the problem appears only if you activate this option?
    If yes, could you send me several minidump files that have been created when the BSOD occurs?

    Thanks,

    Frederic
     
  14. ernstblaauw

    ernstblaauw Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    21
    I have no time now to tell you about my test (I will do that tomorrow), but I found out that LnS can't handle the NX-bit. It crashes because of that. If I disable that feature, LnS does not crash (but does also not stop pcaudit2).
     
  15. ernstblaauw

    ernstblaauw Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    21
    All those problems I describe below occur only if Watch Thread Injection is enabled. If I disable that function, the program never causes a BSOD.

    The tests I did:

    1:
    Settings:
    ActivatedSoon 1
    Watch Thread Injection: Enabled

    As soon as I started pcaudit2 (and WTI is being triggered), I get the message that Explorer was closed because of prevention of data execution (all the system messages are translated into English by me, because I have a Dutch WinXP SP2). Directly after that, I got a BSOD:
    'The system process Windows Logon Process has been terminated unexpectedly.'
    No minidump was created.

    2:
    Settings:
    ActivatedSoon 0
    Watch Thread Injection: Enabled
    If I start pcaudit2, I get the same message as above: Explorer was closed because of prevention of data execution, and at the same time my theme disappears. My Windows looks like Windows Classic. Then my taskbar disappears, and after a minute or so, I get a BSOD with the message:

    Error: c0000145
    Cannot initialize program.


    This time a minidump is created. I attached it with this message (I renamed it to .log).

    3:
    Settings:
    ActivatedSoon 1
    Watch Thread Injection: Enabled
    Then, I realized that the message of the termination of Explorer is caused by the 'NX-bit' (No eXecution-bit). This bit is included in the Athlon64, which I have. Also the latest Pentium 4s have an equivalent bit. Maybe that bit was the cause of the crashes caused by LnS. So I edited my boot.ini: I removed '/noexecute=optin'.
    I restarted my computer, and now: LnS did not cause a BSOD at the moment I use pcaudit2! So my conclusion: LnS is incompatible with the NX-bit.
    (BTW, pcaudit2 was not blocked by LnS :( )

    I hope I helped you with my 'tests' and I hope you can solve this problem!

    With regards,
    Ernst
     

  16. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Ernst,

    Thanks for the tests you did.

    I didn't test it myself, but from what you are saying here, yes, this set of features ("Watch Thread injection" and all the new ones in the beta driver) is probably not compatible with the NX bit :(
    I don't know yet if there will be a solution to have this compatible with the way of detection we are using.

    About PCAudit2 (when the NX Bit is disabled), could you confirm you activated the DLL detection? This is required for PCAudit2 (which will create a DLL with a name similar to a system one, for instance gdi32_.dll).
    If it is still not working, then the Driver logs from the console will be required to verify if the features were correctly activated or not (you can look at the previous post about FOx_Ok and FOx_KO information).

    Frederic
     
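The DLL-detection idea Frederic mentions (a dropped library named like a system one, e.g. gdi32_.dll) can be checked with a simple heuristic. The block below is an added example, not Look 'n' Stop code: it flags a module whose file name is within one edit of a known system DLL name, or equals one after stripping punctuation, or carries a genuine system DLL name but is loaded from outside the system directory. The `SYSTEM_DLLS` set, the `SYSTEM_DIR` path and the `SAMPLE_MODULES` list are constructed sample data, not a real process listing.

```python
"""Flag loaded DLLs whose file name imitates a system DLL (added example, not LnS code)."""
import ntpath  # Windows path rules even when run on another OS
from typing import List, Optional, Tuple

# Constructed reference set of genuine system DLL names (lower-case, no extension).
SYSTEM_DLLS = {"kernel32", "gdi32", "user32", "wininet", "ntdll", "advapi32"}

# Constructed: where the genuine copies are expected to live.
SYSTEM_DIR = r"c:\windows\system32"

# Constructed sample module list, as a process might report it; not from a real machine.
SAMPLE_MODULES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\gdi32.dll",
    r"C:\Documents and Settings\user\Local Settings\Temp\gdi32_.dll",  # lookalike name
    r"C:\Program Files\MyApp\myapp.dll",
    r"C:\WINDOWS\system32\wininet.dll",
    r"C:\Temp\kernel32.dll",  # genuine name, wrong directory
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (classic DP; fine for DLL names)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_module(path: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, imitated_system_name).

    verdict is one of:
      "system"    - a known system DLL loaded from SYSTEM_DIR
      "lookalike" - name is one edit away from a system DLL (or becomes one
                    after stripping punctuation), or a genuine system DLL
                    name loaded from somewhere other than SYSTEM_DIR
      "other"     - anything else
    """
    directory, filename = ntpath.split(path.lower())
    stem, ext = ntpath.splitext(filename)
    if ext != ".dll":
        return ("other", None)
    if stem in SYSTEM_DLLS:
        if directory == SYSTEM_DIR:
            return ("system", stem)
        return ("lookalike", stem)  # right name, wrong place
    stripped = "".join(ch for ch in stem if ch.isalnum())
    for sysname in sorted(SYSTEM_DLLS):  # sorted for deterministic matching
        if stripped == sysname or levenshtein(stem, sysname) <= 1:
            return ("lookalike", sysname)
    return ("other", None)


def find_lookalikes(paths: List[str]) -> List[Tuple[str, str]]:
    """Return [(path, imitated_system_dll)] for every module flagged as a lookalike."""
    hits = []
    for p in paths:
        verdict, matched = classify_module(p)
        if verdict == "lookalike":
            hits.append((p, matched))
    return hits


if __name__ == "__main__":
    for path, imitated in find_lookalikes(SAMPLE_MODULES):
        print(f"lookalike of {imitated}: {path}")
```

The edit-distance rule is deliberately tight (distance 1) so that unrelated short names such as myapp.dll are not flagged; a real deployment would also compare the file's hash or signature against the genuine system copy rather than trusting the name alone.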
  17. ernstblaauw

    ernstblaauw Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    21
    I restarted my computer, and now it successfully blocks PCAudit2. So I suppose it is ok now!
    By the way, if I click on 'driver logs', I only see:
    FW:
    FW1:
    Sometimes NCF or CFull is added, but never FOx. Is this ok?
     
  18. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Ernst,

    If you activated one of the new features with the new beta driver, e.g. "Watch Dns Call" or "Watch thread injection", you should see either some FOx_Ok or FOx_KO.
    But perhaps because of the NX bit you didn't activate these features.

    Frederic
     
  19. ernstblaauw

    ernstblaauw Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    21
    I enabled 'Watch Thread Injection' (and disabled the NX-bit), but I do not see anything like FOx_Ok or FOx_KO. But, PCAudit2 is blocked for example. Same situation if I enabled 'Watch DNS calls'. I think the console is not logging well.
     
  20. Micky

    Micky Guest

    Works great, stops all 3 tests, running on Windows XP SP2 with all the latest
    updates.

    Could you tell me when there will be another beta out o_O
     
  21. ernstblaauw

    ernstblaauw Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    21
    With more and more CPUs available (and running) with the NX (AMD) or XD (Intel) bit available, I think it is wise to add support for this kind of protection:
    - The NX-bit adds a nice protection to the computer, like WTI does. Both enabled is the most ideal solution.
    - New users who activate WTI will directly suffer a BSOD.

    So I think you need to rewrite this part of the program. Why is it incompatible? I mean, LnS doesn't create a buffer overflow, does it?

    Thanks,
    Ernst
     
  22. RetupmocSoft

    RetupmocSoft Registered Member

    Joined:
    May 8, 2005
    Posts:
    29
    Hi Frederic,

    Here is my FO4_KO1 problem report:

    LNS 2.05p3 + reg + reboot

    Both Windows XP SP2 are using EVID4226 patch to increase halfopen connections from 10 to 1000.

    Windows XP SP2 without any update (WinInet.dll - 6.0.2900.2180) --> FO4_OK

    Windows XP SP2 with latest update (WinInet.dll - 6.0.2900.2713) --> FO4_KO1
     
  23. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi RetupmocSoft,

    Thanks for your report.

    So it seems if the version is <= 6.0.2900.2577 it is ok, and if the version is >= 6.0.2900.2598 the problem appears.

    Frederic
     
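Frederic's summary gives two thresholds for wininet.dll: at or below 6.0.2900.2577 the FO4 check works, at or above 6.0.2900.2598 it fails. The block below is an added example, not Look 'n' Stop code, that turns those reports into a checker a user could run against the version they read from the file's properties. It parses the four dotted fields as integers (plain string comparison would misorder a future build such as 6.0.2900.10000) and reports versions between the two thresholds as unknown, since nothing in the thread covers them.

```python
"""Classify a wininet.dll file version against the thresholds reported in this thread
(added example, not LnS code)."""
from typing import Tuple

Version = Tuple[int, ...]

# Thresholds as stated in the thread; builds strictly between them were not reported.
LAST_KNOWN_OK: Version = (6, 0, 2900, 2577)
FIRST_KNOWN_KO: Version = (6, 0, 2900, 2598)


def parse_version(text: str) -> Version:
    """'6.0.2900.2598' -> (6, 0, 2900, 2598); rejects anything that is not 4 numeric fields."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def classify_wininet(version_text: str) -> str:
    """Return 'ok' (FO4_OK expected), 'ko' (FO4_KO1 expected) or 'unknown'."""
    v = parse_version(version_text)
    if v <= LAST_KNOWN_OK:
        return "ok"
    if v >= FIRST_KNOWN_KO:
        return "ko"
    return "unknown"


# Constructed table of the versions mentioned in the thread, for a self-check.
REPORTED = {
    "6.0.2900.2180": "ok",   # RetupmocSoft, XP SP2 without updates
    "6.0.2900.2577": "ok",   # Frederic's working version
    "6.0.2900.2598": "ko",   # SSK's failing version
    "6.0.2900.2713": "ko",   # RetupmocSoft, XP SP2 fully updated
}


def reports_match_thresholds() -> bool:
    """True if every reported version is classified the way the thread observed it."""
    return all(classify_wininet(ver) == seen for ver, seen in REPORTED.items())


if __name__ == "__main__":
    for ver in list(REPORTED) + ["6.0.2900.2590", "6.0.2900.10000"]:
        print(ver, "->", classify_wininet(ver))
    print("thread reports consistent:", reports_match_thresholds())
```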
  24. amano

    amano Guest

    Hmm. For me, just

    FO2_OK
    FO2_2_OK
    FO3_OK

    show up (LnS 2.05p3 installed, beta.reg applied, phantom ruleset v6 loaded, all advanced settings ticked but "RAW log" and "Watch DNS calls")

    This machine is XP SP2 and it is patched to the latest patches (wininet.dll as well).

    So for me FO4 and FO5 don't show up at all?? No xKO, nothing!

    What does KO5 refer to?

    Any help highly appreciated.
     
  25. amano

    amano Guest

    I referred to FO5 actually!
     