Would PG prevent socket bypass?

Discussion in 'ProcessGuard' started by Notok, Oct 2, 2004.

Thread Status:
Not open for further replies.
  1. ?Dingo

    ?Dingo Guest

    What if the above is a feature, not a bug? o_O :D

    I mean, where have I heard that before? o_O
     
  2. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Now that's funny dude!

    Haha, good one! :eek:

    l8ter
    Jazzie
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Unless it was registered before PG was installed.. PG wouldn't block something from using a driver that the OS already recognizes. Hmm, times like this I wish I had a test machine. I'll have to keep looking around, but I found this rant about SP2 by googling last night, see if it makes any sense to you:
    http://www.codecomments.com/MSDN/message257012.html

    He's talking specifically about raw sockets, but it includes other things discussed here:
     
  4. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    From the looks of it, npf.sys was loaded (most likely as automatic or manual) sometime before you installed ProcessGuard. If you uninstall WinPcap and reinstall it, you should get an alert.

    If there are vulnerabilities for drivers you have allowed on your system, then it is the risk you'll have to take. :)
     
  5. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    So, PG should actually alert on it. Now I suppose it's a matter of verifying (both on our and on DCS's part) that it does, provided that both winpcap and mbtest are not installed prior to PG.
    Correct?
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    I would say that is correct Andreas. :)
     
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    I did not install WinPcap prior to installing PG, but I have executed MBtest many times before. Does executing MBtest install the driver?
    How can I manually uninstall it to be sure I have removed it?

    Thanks.

    regards,

    gkweb.
     
  8. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    And the other question is whether that type of attack actually requires a driver, or whether that's just one way?
     
  9. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    I'm not sure if MBtest uses a driver or not, gkweb; it probably doesn't, now that I've re-read everything in this thread and done some searching.

    ProcessGuard doesn't block LSP modifications (it might in the future) which is another way to sort of divert traffic from applications. Firewalls and other similar programs however will see the LSP changes, so NOD might not be affected by that one.
     
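    As an added example (not code from the thread or from DiamondCS), here is a PowerShell check for the two routes discussed above: a packet driver such as npf.sys that was registered before ProcessGuard could alert on it, and Winsock LSP entries that PG does not watch. It assumes the driver's service name is `NPF` and that you fill in your own ProcessGuard install date.

```powershell
# Added example, not from the thread or from DiamondCS: a defender's check for
# the two bypass routes discussed above, a packet driver (npf.sys) registered
# before ProcessGuard could alert on it, and Winsock LSP entries PG does not
# watch. Assumptions: the driver's service name is 'NPF' (the usual WinPcap
# registration) and $pgInstalledOn is your own ProcessGuard install date.
# Run from an elevated PowerShell prompt.

$serviceName   = 'NPF'                                   # assumed service name
$driverFile    = "$env:SystemRoot\System32\drivers\npf.sys"
$pgInstalledOn = Get-Date '2004-10-01'                   # placeholder: your PG install date
$startModes    = @{ 0='Boot'; 1='System'; 2='Automatic'; 3='Manual'; 4='Disabled' }

# 1. Is the driver registered as a service, and how does it start?
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if (Test-Path $key) {
    $p = Get-ItemProperty -Path $key
    "$serviceName registered: Start=$($startModes[[int]$p.Start]) ImagePath=$($p.ImagePath)"
} else {
    "$serviceName is not registered as a service"
}

# 2. Was npf.sys placed on disk before PG was installed? If so, PG never saw
#    the install and would not have asked about it.
if (Test-Path $driverFile) {
    $created = (Get-Item $driverFile).CreationTime
    if ($created -lt $pgInstalledOn) {
        "npf.sys created $created, before PG install ($pgInstalledOn): PG would not have alerted"
    } else {
        "npf.sys created $created, after PG install: PG should have alerted on this driver"
    }
}

# 3. Is the driver loaded right now? (Win32_SystemDriver covers kernel drivers.)
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$serviceName'"
if ($drv) { "$serviceName state=$($drv.State) startMode=$($drv.StartMode)" }

# 4. Winsock LSP catalog: list every provider DLL and flag any outside System32,
#    where an inserted LSP is most likely to live.
$catalog = netsh winsock show catalog
$paths = foreach ($line in $catalog) {
    if ($line -match '^\s*Provider Path:\s*(.+)$') { $Matches[1].Trim() }
}
"Winsock catalog has $(@($paths).Count) provider entries"
$paths | Sort-Object -Unique | ForEach-Object {
    $expanded = [Environment]::ExpandEnvironmentVariables($_)
    $flag = if ($expanded -notlike "$env:SystemRoot\system32\*") { '  <-- outside System32, inspect' } else { '' }
    "  $expanded$flag"
}
```

    If step 2 reports the driver as older than PG, Jason's advice above (uninstall and reinstall WinPcap) is how to get PG to see the driver install and prompt for it.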
  10. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    For now it is not as if it were a critical issue, since there are firewalls blocking MBtest (I won't disclose my future results now, but when I update the test page on my site you'll see that at least 3 detect and block MBtest); we just wanted to understand what was going on while using MBtest with the "npf.sys".

    If you want to have a deeper look at MBtest, go get its source code here:
    http://www.firewallleaktester.com/leaks/mbtest.zip

    EDIT: the original author's comments when he released MBtest:

    regards,

    gkweb.

    EDIT2: I have asked the MBtest author to reply here, let's see.
     
  11. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    I looked at the source briefly and could find no code at all which has anything to do with drivers/services, so I must assume that this program assumes it is already loaded.

    So I guess "only takes a few lines of code" is where the driver is loaded in this situation, by the trojan or whatever.
     
  12. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Don't suppose you'd consider testing X-Wall, too? :)
     