Would PG prevent socket bypass?

Discussion in 'ProcessGuard' started by Notok, Oct 2, 2004.

Thread Status:
Not open for further replies.
  1. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I've been playing around w/ X-Wall firewall which has support for NOD32 integration. Although NOD32 scans incoming traffic at the socket level, X-Wall promotes the idea of added security by making it scan traffic at the TCP level, potentially catching something that might try to slip past NOD's normal method of scanning. I was trying to get it to work right when it occurred to me that PG might block the access needed to perform such a task. Am I correct in thinking this, or would it be worth it to research other areas of interest before reaching a conclusion?

    My very elementary guess here is that if something could gain direct access to the TCP/IP stack (or use its own stack), it could open a raw socket to avoid detection... although I have yet to read much of anything about raw sockets. My thought here is that either of these methods would probably require low level access that would be prevented by PG. Am I even in the right ballpark here? Do you have any search terms that might lead me in the right direction to understand these things?
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    To make a TCP connection, there must be an application listening and this application has to be allowed to run by Process Guard. Hope this helps.
    Dolf
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    PG is in no way a firewall, so don't expect it to block network traffic, even simple Winsock.
    However as mentioned, you can deny the malware to launch.

    regards,

    gkweb.
     
  4. Notok

    Notok Registered Member

    I am aware that PG is in no way a firewall. What I'm wondering about is malware attempting to subvert NOD32's HTTP scanning. NOD32 scans at the socket level rather than the TCP level, which my firewall offers to remedy.

    I don't know what exactly is required to bypass winsock, but my suspicion is that it would either have to manipulate an existing driver, drop its own driver, or perform/manipulate some other low level system function that would be covered by PG. If that's the case, something like X-Wall's antivirus integration would be unnecessary for someone that owns PG. Be it on my machine or someone else's that I'm helping. Does that make sense?
     
    Last edited: Oct 2, 2004
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Notok. To answer part of your question - if the malware needed to install a driver or service then Process Guard would stop it dead. However, as described in other threads, services.exe should not be given the Allow Services / driver install flag,
    as this is a route that malware might take to install itself, but it would still need to run a .exe to initiate a driver / service install, thus checksumming would also be activated.

    DCS may be able to give a more authoritative answer to your whole question :)

    Cheers. Pilli
     
  6. gkweb

    gkweb Expert Firewall Tester

    Hi,

    no driver needs to be "installed"; for instance you can use two files of WinPcap, packet.dll and npf.sys, and just copy them into the right folders, no need to install a driver.
    Now you can go under Winsock, but firewalls monitoring from Winsock to the NDIS layer (the lowest) won't be affected.

    regards,

    gkweb.
     
    Last edited: Oct 3, 2004
  7. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    I think I disagree.
    Maybe there are other ways to get past Windows' sockets, but WinPCap, the most common way to do it, uses a driver - npf.sys, that's a driver. The application that would try using it would have to install it and would be blocked by PG (if that is correctly configured and the app wouldn't do it via services.exe and so on...)

    Andreas
     
  8. gkweb

    gkweb Expert Firewall Tester

    I have had a successful bypass only with packet.dll, I think.
    Anyway, I am using the MBtest leaktest, and I DO NOT install the files, just put them in the folders, so maybe MBtest is just using packet.dll.

    EDIT : I have just done the test on a box where PG is not installed, and I do not install anything, I do not even reboot, MBtest uses the files like this; any idea ?

    regards,

    gkweb.
     
  9. Notok

    Notok Registered Member

    Thanks, I think I'm starting to make sense of it now. Theoretically a program could drop its own socket file to gain access to the TCP/IP stack. Any traffic generated by that should be picked up by any decent firewall. I think to get any more sophisticated would either involve tricking your firewall (which would depend on your particular firewall, and is a whole different discussion) or trying to go under it, which is something that would probably be covered by PG.
     
  10. gkweb

    gkweb Expert Firewall Tester

    We'll need to wait for Andreas' input for such a conclusion, but it seems to me that it is the case. Now, if like Andreas said it is not possible (that the driver has to be installed and used) then he will have to explain how a firewall can be bypassed, whereas it perfectly monitors the Winsock layer, by using WinPcap without installing a driver o_O

    Let's say we are between the 1 and the 0, waiting for a conclusion ;)

    regards,

    gkweb.

    EDIT : just tested, MBtest does not use npf.sys but only packet.dll.
    If I remove npf.sys it still works, but if I remove packet.dll it gives me an error.
     
  11. Andreas1

    Andreas1 Security Expert

    okay, seems to be possible. Notok's explanation sounds logical. Maybe there are two approaches then, one involving a driver and one that doesn't. I only remember that every time I was making use of WinPcap, RegRun alerted me that the list of installed drivers (or services? doesn't matter, PG should block installation of services as well) had changed. But it seems that depended on a specific use I (or the resp. app) was making of it.
    Can anyone check out the list of installed and running drivers and services (with RegRun, TDS-3 or whatever) while using the leaktest, ethereal or something that makes use of winpcap? If I get to it, I will try, but that'll still be a while.

    CU,
    Andreas

    gk, is that 0 or 1? ;)
     
  12. Notok

    Notok Registered Member

    That was pretty much my thought as well. At this point I'm thinking it really depends a lot on the OS. I'd still be interested in hearing what DCS has to say; Googling around a little, I'm seeing a variety of different ways ranging from copying a couple of files to installing a rootkit. I think I've got my basic question answered as far as my machine goes, but I'll still need more info before really being able to make decisions regarding other people's machines.

    Sysinternals' Process Explorer dynamically drops a driver file, as well, without needing to install or reboot. PG will block this behavior... so I guess I'm back to square one, lol, does it require a driver to be installed to create its own socket?
     
  13. gkweb

    gkweb Expert Firewall Tester

    I think I am the most ready to answer you :)

    MBtest is just an executable that you download, let's say, to C:\.
    Then, you manually copy packet.dll into your /system32/ folder, and that's all; there are just two files, no setup, no reboot, no batch file.

    With just the executable the leaktest won't work, it needs the DLL.
    With the DLL, it bypasses any firewall monitoring only the Winsock layer.

    If you have more information about this you are welcome, but in the meanwhile, it seems to be more a 1 than a 0 ^^

    regards,

    gkweb.
     
    Last edited: Oct 3, 2004
  14. gkweb

    gkweb Expert Firewall Tester

    deleted by me : see below
     
    Last edited: Oct 3, 2004
  15. Notok

    Notok Registered Member

    Cool, thanks for that. I had visited the site in your sig earlier today and couldn't get MBtest to work at all. I still wonder if that isn't a restriction of the OS. I wish there was a leaktest to see if a firewall is capable of handling something that uses its own TCP/IP stack, although I'm now wondering if the other file in MBtest isn't just that. In theory an application cannot, at any time, gain direct access to hardware in an NT based system... it has to go through the kernel, hence the need for a driver.
     
  16. gkweb

    gkweb Expert Firewall Tester

    Yes, it's right: even RAW sockets still rely on Winsock if I am not wrong; you just forge the packets as you like, but it is still the same Windows API you are using (sendto(), recv(), setsockopt(), etc...).
    So using WinPcap requires (now I am sure ;)) a driver.
    The simplest way to test for MBtest-like network issues would be to install some software using WinPcap, such as SNORT for Windows (www.snort.org) as it relies on it to sniff the network.

    regards,

    gkweb.

    EDIT : direct link is http://www.snort.org/dl/binaries/win32/
    Nmap for Windows also relies on WinPcap : http://www.insecure.org/nmap/nmap_download.html
     
  17. Notok

    Notok Registered Member

    lol

    Still left with the question of raw sockets, though. I'm not sure if something would have to install a driver to do that or not. It's using the existing TCP/IP stack, but I'm not sure of the restrictions around what needs to happen for something to gain that kind of access. I also know the rules have changed a little with SP2. I know that you need at least admin privileges to get raw sockets, but considering XP sets the user's acct as admin by default, that's not necessarily a big issue for the cracker right now.
     
  18. Notok

    Notok Registered Member

    LOL, wow, I knew I should have hit reload before writing that...
     
  19. gkweb

    gkweb Expert Firewall Tester

    About RAW sockets, all that I can say is that prior to starting to code your sockets, you must call the Winsock initialization API WSAStartup(); that's why I think that it is not an issue for the firewalls, it is just very annoying while a DDoS occurs to have untraceable spoofed packets.

    regards,

    gkweb.

    EDIT : we should chat on MSN :D
     
  20. Andreas1

    Andreas1 Security Expert

    Ehm. GK, would it be too much to ask you to just try it out? Making sure the driver is not loaded, then starting (and once allowing) mbtest (without having it allowed to install driver/services in PG) and see if we get a PG alert...?

    Can't say anything about raw sockets, I'm afraid.

    Andreas
     
  21. gkweb

    gkweb Expert Firewall Tester

    To "just try it out" is equal for me to installing PG on my very old and slow laptop
    and I don't know how it will go... just doing it currently.
     
  22. gkweb

    gkweb Expert Firewall Tester

    Hm this time I'm lost.

    I have installed PG, disabled learning mode, enabled all global protection, and removed any allow "install driver" from the protection list.
    When I start cmd and then MBtest, PG asks me, but when MBtest does its work,
    I have no driver warning, although MBtest is not on the protection list (just allowed to run) and no app on the list has the right to install a driver (so services.exe and csrss.exe do not).

    To sum it up, packets are sent (viewable on my remote sniffer) and no driver installation caught, so : WinPcap, driver or not ?

    Any idea o_O

    regards,

    gkweb.
     
  23. Andreas1

    Andreas1 Security Expert

    JASON!
    Help!
    ;)
     
  24. Andreas1

    Andreas1 Security Expert

    GK,
    do you have any tool at hand to list active services and drivers on your old, slow laptop? (I have to work on one of them all the time ;) )

    Andreas
     
  25. gkweb

    gkweb Expert Firewall Tester

    When I install a firewall on this laptop, it takes ages to load ;)

    More tests about MBtest :
    - npf.sys renamed, reboot (to ensure the driver is not loaded), launch MBtest, get the following error :

    Warning : PAcketGetNetInfoEx failed for adaptater 0
    Error : Couldn't find the appropriate adaptater

    - I rename npf.sys back correctly; this time no error, PG tells nothing (I don't blame it, that's just a fact ;)) and packets are sent out.

    So MBtest needs and uses npf.sys, but not by loading the driver ?
    Is it really a driver ?

    I have nothing to list what is installed, but it is not a work or personal PC, nothing in particular has been installed, it's just a good Win XP + SP2 with PG and NOD32 and recently Outpost, and that's all.

    Any WinPcap experts lurking around ? :D

    regards,

    gkweb.
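Andreas asks twice (posts 11 and 24) for someone to list the installed and running drivers while a WinPcap-based tool is in use, and gkweb's "driver or not?" in post 25 is exactly the question such a listing answers. The script below is an added example, not code from the thread, from ProcessGuard or from WinPcap. It parses the text that `sc query type= driver state= all` prints on Windows and reports whether a kernel driver is registered with the Service Control Manager and whether it is running. It assumes the WinPcap driver is registered under the service name `npf` (the file being npf.sys); the `SAMPLE_SC_OUTPUT` block is constructed in the shape of `sc query` output so the parser can be exercised offline, and `query_live()` is the only part that touches the real machine.

```python
"""Report whether a kernel driver (by default WinPcap's "npf") is registered
with the Windows Service Control Manager and whether it is running.

Added example, not code from the thread or from WinPcap/ProcessGuard. Parses
`sc query type= driver state= all` output; SAMPLE_SC_OUTPUT is constructed."""
import re
import subprocess

# Constructed sample in the shape of `sc query` output (not captured from a real box).
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: NPF
DISPLAY_NAME: NetGroup Packet Filter Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Tcpip
DISPLAY_NAME: TCP/IP Protocol Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Beep
DISPLAY_NAME: Beep
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

SERVICE_RE = re.compile(r"^SERVICE_NAME:\s*(\S+)")
FIELD_RE = re.compile(r"^(DISPLAY_NAME|TYPE|STATE)\s*:\s*(.*)$")


def parse_sc_query(text):
    """Return {service_name_lower: {"display_name": ..., "type": ..., "state": ...}}."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1).lower()
            services[current] = {}
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # exit codes, checkpoints and flag lines are not needed here
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("type", "state"):
            # "4  RUNNING" -> "running": keep the symbolic word, drop the number
            value = value.split()[-1].lower()
        services[current][key] = value
    return services


def driver_status(services, name="npf"):
    """'not registered' when the SCM has no such service, otherwise its state
    ('running', 'stopped', ...). A driver file merely copied to disk, with no
    service entry, shows up as 'not registered'."""
    entry = services.get(name.lower())
    if entry is None:
        return "not registered"
    return entry.get("state", "unknown")


def running_kernel_drivers(services):
    """Sorted names of KERNEL_DRIVER services that are currently running."""
    return sorted(name for name, entry in services.items()
                  if entry.get("type") == "kernel_driver"
                  and entry.get("state") == "running")


def query_live():
    """Run sc.exe on a Windows host and parse its output (not used offline)."""
    out = subprocess.run(["sc", "query", "type=", "driver", "state=", "all"],
                         capture_output=True, text=True, check=True).stdout
    return parse_sc_query(out)


if __name__ == "__main__":
    svc = parse_sc_query(SAMPLE_SC_OUTPUT)
    print("npf:", driver_status(svc))
    print("running kernel drivers:", running_kernel_drivers(svc))
```

Run it once before starting the WinPcap-based tool and once while it is running, and compare the two `running_kernel_drivers()` lists: a driver that appears only in the second run was loaded by the tool itself, which is the event a process-control product would be expected to alert on. The distinction the thread circles around is visible in `driver_status()`: npf.sys sitting in the drivers folder is invisible to `sc`, whereas a loaded driver always has a service entry in the `running` state.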
     