New experimental driver for beta features and DEP

Discussion in 'LnS English Forum' started by Frederic, Feb 12, 2006.

  1. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi All,

    Here is a modified driver for the crash when the beta/adv features and DEP are both enabled:
    http://looknstop.soft4ever.com/Beta/lnsfw1/LNSFW1-3.05p1.zip

    At this time this is only for the "Watch Thread Injection" feature. If the test is positive for this one, the same will be tried for the other beta features.
    So, don't try to activate the other beta features (through the registry) yet.

    Not sure at all it will work. If you don't like crashes, you should not test it ;)
    Only persons having issues with DEP protection should try it at this time. However, it should work the same on computers/systems without DEP.

    Thanks in advance for any report.

    Frederic

    Procedure is as usual:
    - rename c:\windows\system32\drivers\lnsfw1.sys to lnsfw1.old
    - put the new driver in c:\windows\system32\drivers
    - reboot
    - if the new driver is worse than before, revert to the .old file
     
  2. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Hey
    I have got all beta features enabled without a problem - only Thread Injection is crashing my system. Want me to try this driver too??

    Ruben
     
  3. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Does the naming of the new driver (3.05p1) hint at a new LnS version?

    What does this mean for the current line (2.05p3)?
     
  4. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    With the new driver, no crashes anymore. All beta features enabled.

    Where can I test if it's functioning as the old one??

    Ruben
     
  5. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    New driver, all beta features enabled, NON hardware DEP system (just testing the driver on standard machine):

    After installing Kaspersky AV personal 5, reboot, computer freezes at login (select user name, enter password, freeze).

    Solved by removing new driver while in safe mode, put the old driver back and problem gone :)
     
    Last edited: Feb 13, 2006
  6. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I too tested it on a non-DEP-enabled system with all features enabled and so far everything's fine.
     
  7. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Ruben,

    Thanks for testing the new driver.
    You need to run Thermite leaktest to verify that the "Watch thread injection" feature is working.

    You must not activate all the other beta features (the one with the registry settings) because nothing was done for these features. If you get a crash with the other beta features enabled, we won't know if it is normal or not.

    Regards,

    Frederic
     
  8. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi SSK,

    Ok, thanks for testing and for the information.
    Maybe there is a compatibility issue with Kaspersky :(

    To answer your first post: the current driver version of the 2.05p3 is 3.05. This new driver is 3.05p1. Version numbering between the exe and the drivers is independent.

    Regards,

    Frederic
     
  9. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Thanks for the information! :). I'm going to check the new driver with KAV 6 beta as well, see if there are problems.

    EDIT: the problem is there as well with KAV 6.
     
    Last edited: Feb 13, 2006
  10. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Cried too early - got a bad crash sequence even with the new driver - I had all beta stuff enabled - yesterday after installing it and testing it worked great, but today:

    1. I killed the exe of LnS with one of Phantom's tools, started the program again, everything looked fine
    2. I updated wmplayer to version 10 - and restarted - lsass.exe made a system crash, explorer will shut down ... the whole story - help

    Ruben
     
  11. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I just got the beta driver onto my Athlon 64 comp with no problems, however I don't know how to run the leaktest. It first says I have to have IE running, and if I run IE then Thermite, I get the following:

    http://img126.imageshack.us/img126/9632/thermite8pm.jpg

    and "securityfocus.html" on my desktop. did i fail the test?
     
  12. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Hello Ruben :)
    What do you mean by "... killed the exe of LnS..."? Are you using a modified file of LooknStop.exe??

    Thomas :)

    Not tested the beta driver yet. First I will create images of my harddrives, and I want to install all new Windows Updates (tomorrow is another huge MS patch-day :cool: )! And then I will test the new driver...
     
  13. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    No, no modified version of LnS - Phantom in its early days made two little apps: "kill lns" and lns "shutdownprotection" - I used the latter on my old notebook and wanted to set it again - but I mixed up the files so I hit "kill lns". It just shuts LnS down, but when I restarted it all was fine till I restarted my machine - then everything went berserk. I don't know if that was the culprit, cause after updating the wmplayer LnS asked for permission for lsass, and some other system apps - and thereafter I got my crashes.

    Ruben
     
  14. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Yes, the test is failed.
    Look 'n' Stop should display a popup saying Thermite is trying to connect.

    Frederic
     
  15. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Ruben,

    Don't forget only the "Watch Thread injection" should be enabled, not all the beta features.

    Thanks,

    Frederic
     
  16. fengyuanni

    fengyuanni Registered Member

    Joined:
    Feb 5, 2005
    Posts:
    1
    According to the advice of Frederic, I did not activate the reg file. But I got a crash with the new beta drv after reboot. There was still the DEP crash.

    The brand of my computer is IBM THINKPAD T43. OS is WinXP SP2.
     
  17. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    How do I go back?? I already had the beta features enabled, but with the reg file that comes in the package

    Ruben
     
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lnsfw1]
    "ActivatedSoon"=dword:00000000
    "CheckDNSQ"=dword:00000000
    "CheckHSRE"=dword:00000000
    "CheckVAEUDTF"=dword:00000000
    "IPFragActive"=dword:00000000
     
  19. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Replacing the driver alone will not reset these beta settings, you must manually undo, after undoing, re-boot Windows.
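    The rollback that posts 1 and 19 describe, written out as an added PowerShell script (not from Look 'n' Stop or from anyone in this thread): it restores lnsfw1.old over the test driver, zeroes the five beta values from Phant0m's .reg file, and reports the DEP policy so a tester can say which configuration crashed. Assumed: Windows PowerShell on an elevated console, the driver path and value names exactly as posted, and, if the driver is loaded, running it from Safe Mode as posts 23 and 24 do; the DEP query relies on Win32_OperatingSystem's DataExecutionPrevention_* properties.

```powershell
# Added example: roll back the 3.05p1 test driver and the beta registry
# switches in one step (the thread's procedure, not LnS's own tooling).
# Run elevated; LnS still needs "Watch Thread Injection" unticked and a reboot.
$driverDir  = Join-Path $env:SystemRoot 'system32\drivers'
$driver     = Join-Path $driverDir 'lnsfw1.sys'
$backup     = Join-Path $driverDir 'lnsfw1.old'          # made in post 1's step 1
$svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\lnsfw1'
# Beta switches named in Phant0m's .reg file; 0 = feature off.
$betaValues = 'ActivatedSoon','CheckDNSQ','CheckHSRE','CheckVAEUDTF','IPFragActive'

function Get-DepPolicy {
    # SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut (matches boot.ini /noexecute)
    $os    = Get-WmiObject Win32_OperatingSystem
    $names = @{0='AlwaysOff'; 1='AlwaysOn'; 2='OptIn'; 3='OptOut'}
    [pscustomobject]@{
        HardwareDep = [bool]$os.DataExecutionPrevention_Available
        Policy      = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Restore-LnsDriver {
    if (-not (Test-Path -LiteralPath $backup)) {
        throw "No $backup found; nothing to roll back to."
    }
    # Keep the test driver next to the report instead of deleting it.
    $kept = Join-Path $driverDir ('lnsfw1.305p1.' + (Get-Date -Format 'yyyyMMddHHmm'))
    Move-Item -LiteralPath $driver -Destination $kept -Force
    Copy-Item -LiteralPath $backup -Destination $driver
    Write-Host "Restored $driver from $backup (test driver kept as $kept)"
}

function Reset-LnsBetaSwitches {
    # Swapping the driver alone leaves these set (post 19): zero them explicitly.
    foreach ($name in $betaValues) {
        Set-ItemProperty -Path $svcKey -Name $name -Value 0 -Type DWord
    }
    Get-ItemProperty -Path $svcKey | Select-Object $betaValues
}

$dep = Get-DepPolicy
Write-Host "DEP: hardware=$($dep.HardwareDep) policy=$($dep.Policy)"
Restore-LnsDriver
Reset-LnsBetaSwitches
Write-Host 'Now untick "Watch Thread Injection" in the LnS GUI and reboot.'
```

    Quote the DEP line together with the crash details when reporting; post 25 shows why the optout/alwayson distinction matters for reproducing the bug.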
     
  20. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Thanks, you are the man

    Ruben
     
  21. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Here is my test report:

    Brandnew DELL Notebook, 32bit-processor, WinXP-SP2, Software DEP only (No hardware DEP, I think :doubt: ) , LnS 2.05p3

    So far I had all beta features enabled, and I got system crashes, when either "Watch DNS calls" or "Watch Thread Injection", or both were enabled.

    This morning I Installed the new LNSFW1.SYS, rebooted and activated "Watch Thread Injection".

    Well, so far (after 8 hours of heavy work ;) ) no crashes !!

    Thx,
    Frederic :)
     
  22. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Thomas,

    Thanks for your report.

    Could you try Thermite to verify the Watch Thread Injection is enabled and working ?
    Look 'n' Stop should prompt you that Thermite is trying to connect.

    (before testing that, close & save any important files that could be open, in case of a crash).

    Thanks,

    Frederic
     
  23. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Frederic,

    Like tosbsas I also was too optimistic: This morning my machine produced 2 logon screens at startup (somehow over each other), and I was not able to login as any user at all.

    After one reboot I started in "Safe mode" and renamed the new "LNSFW1.SYS" back to run the original one :cool: Unfortunately, I did not unmark the option "Watch Thread injection" :blink: :gack: :oops: :ninja: o_O
    Well, with my next regular reboot I did not make it even up to the login screen :( :

    A wonderful blue screen appeared stating:
    STOP: c000021a {fatal system crash}
    The Windows logon Process System process terminated unexpectedly with a status of 0xc0000005 (0x00000000). 0x00000000
    The system has been shut down


    GREAT :mad:

    So, after one more reboot (now again in "Safe Mode") I could manually load LNS and deactivate the "Watch Thread Injection" option.

    With the next reboot everything is working as normal :) No surprise, since now I am running LNS without the new LNSFW1.SYS driver and without "Watch Thread Injection".

    Yes, in my case all beta features of LNS 2.05p3 were (are) still enabled. I fear that was the mistake on my side :doubt:

    Thomas :)
     
  24. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Share your feelings - exactly the same thing. Safe mode was something I didn't think about

    Ruben
     
  25. RetupmocSoft

    RetupmocSoft Registered Member

    Joined:
    May 8, 2005
    Posts:
    29
    Here is my test

    All tests inside VMware Workstation 5.5.1 @ 19175
    Real computer is:
    CPU: AMD Athlon64 with hardware-DEP
    RAM: 2048 MB
    OS: Windows XP (32bit), set to the "optout" DEP option by modifying boot.ini.
    LNS: turn off Watch Thread Injection.
    LNS ver: 2.05p3 + 3.05 (old driver)

    Inside vmware's computer is:
    CPU: (the same as real computer.)
    OS: Windows XP (32bit), set to the "alwayson" DEP option by modifying boot.ini.
    RAM: 512MB
    LNS: turn on Watch Thread Injection. (only)
    LNS ver: 2.05p3 + 3.05p1 (beta driver)

    Thermite seems to be captured by LNS 2.05p3 + 3.05p1 beta driver.
    No crash, but I haven't installed any antivirus inside VMware's computer yet.
     