Personal Firewalls


This topic contains 7 replies, has 2 voices, and was last updated by  Vadim Smirnov 12 years, 9 months ago.

  • #4905

    blackd0t
    Participant

    Hi!

    I am very curious how popular personal firewalls like ZoneAlarm work. When they discover outgoing packets, how do they know which program is sending them? Do all such firewalls work similarly?

    I was wondering whether a malware application could fake the returned command line so the firewall would think it is another process. Is that possible?

    Regards,
    Black Dot.

    #5695

    Vadim Smirnov
    Moderator

    I am very curious how popular personal firewalls like ZoneAlarm work. When they discover outgoing packets, how do they know which program is sending them?

    Usually they use an NDIS-level filter and a TDI one.

    Do all such firewalls work similarly?

    From a general point of view the answer is YES, but the concrete implementation and feature set can be very different.

    I was wondering whether a malware application could fake the returned command line so the firewall would think it is another process. Is that possible?

    Yes, this is possible.

    #5696

    blackd0t
    Participant

    Thanks for the reply!

    You mean that it's possible to hook the GetCommandLine() API in the malware program to make the firewall think it's looking at something else? How does the firewall know which packet belongs to which process?

    If such a thing can be done, why was the only published method of bypassing personal firewalls to inject malware code into another "privileged" process?

    #5697

    Vadim Smirnov
    Moderator

    You can do about anything if the malware includes a kernel-mode component. The majority of users are usually logged on as a user with Administrator rights, which has the privilege to install and load drivers. So there is no real problem for the malware to install such a component (it can even be the primary component of the malware).

    Such a kernel-mode component can bypass the firewall in many different ways, such as:

    1) Execution in the context of a privileged process (even simply creating a thread in the context of the System process).
    2) Blocking/cheating firewall components.
    3) Using its own protocol module and working with the network directly.
    4) Working with the TCPIP.SYS devices directly, bypassing any possible upper-level TDI filters.
    5) and so on…

    #5698

    blackd0t
    Participant

    Hmm…

    I have always used system-wide DLL injection, but is there really any reason to do it when you have such privileges on the machine? I see that things can be done more easily by hijacking APIs in kernel mode. (I'm still a n00b in that matter.)

    #5699

    Vadim Smirnov
    Moderator

    I have always used system-wide DLL injection, but is there really any reason to do it when you have such privileges on the machine? I see that things can be done more easily by hijacking APIs in kernel mode. (I'm still a n00b in that matter.)

    It's great luck for us that the majority of malware authors are not familiar with kernel-mode programming. Otherwise, numerous kernel-mode trojans… Terrific… 😯

    AV companies predict such a future, but I always hope for the better 🙄 😉

    #5700

    blackd0t
    Participant

    SerpentFly, can you think of any way personal firewalls know which process sent a packet when they detect a network transfer?

    #5701

    Vadim Smirnov
    Moderator

    A TDI filter (a filter driver for the MSTCP devices \Device\Tcp, \Device\Udp, \Device\Ip, \Device\RawIp, \Device\MULTICAST) detects the network operation running in the context of the calling thread/process. The same is true for an LSP DLL (another, weaker approach for application-level firewalls).
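The reply above is the key point: an in-line TDI filter or LSP does not have to work out the process at all, because the request arrives on a thread that already belongs to that process. A tool that is not in line (netstat -b on Windows, or ss -p on Linux) has to do the attribution after the fact by mapping the socket to whichever process holds its handle. The following is an added example, not code from this thread or from ZoneAlarm; it shows that after-the-fact mapping on Linux via /proc, since that can be run offline, using a constructed /proc/net/tcp snapshot (SAMPLE_PROC_NET_TCP, invented for the example) and then a live check against the example's own listening socket. Function names are the author's choice. The caveat is the same one discussed earlier in the thread: both the in-line and the after-the-fact approaches credit the socket to the process that owns it, so code running inside a trusted process (an injected thread, for instance) is attributed to that process, and nothing about a reported command line enters into it.

```python
import os
import socket

# Constructed sample of /proc/net/tcp as it appears on Linux (not captured from a
# real host): one LISTEN socket on 127.0.0.1:8080 (0100007F:1F90) with inode 12345.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt"
    "   uid  timeout inode\n"
    "   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000"
    "  1000        0 12345 1 0000000000000000 100 0 0 10 0\n"
)

TCP_LISTEN = 0x0A  # socket state code used by the kernel in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp (or tcp6) text into (local_port, state, inode) tuples.

    Ports and states are hex fields; the inode (column 10) is what links the
    connection table to a process's file descriptors.
    """
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        _addr_hex, port_hex = fields[1].rsplit(":", 1)
        rows.append((int(port_hex, 16), int(fields[3], 16), int(fields[9])))
    return rows


def inode_for_local_port(port, text):
    """Return the inode of the LISTEN socket bound to local `port`, or None."""
    for local_port, state, inode in parse_proc_net_tcp(text):
        if local_port == port and state == TCP_LISTEN:
            return inode
    return None


def pids_holding_socket(inode):
    """Walk /proc/<pid>/fd and return every PID holding a descriptor for the socket.

    This is the attribution step: ownership comes from who holds the handle,
    not from any name or command line the process reports about itself.
    """
    target = "socket:[%d]" % inode
    owners = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        fd_dir = "/proc/%s/fd" % pid
        try:
            fds = os.listdir(fd_dir)
        except OSError:                         # process exited or not ours to inspect
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    owners.append(int(pid))
                    break
            except OSError:
                continue
    return owners


def attribute_own_listener():
    """Open a listening socket and attribute it back to this process via /proc.

    Returns True if the lookup lands on our own PID, None if /proc/net/tcp is
    not available (non-Linux host), False if attribution failed.
    """
    if not os.path.exists("/proc/net/tcp"):
        return None
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))                # kernel picks an ephemeral port
        s.listen(1)
        port = s.getsockname()[1]
        with open("/proc/net/tcp") as f:
            inode = inode_for_local_port(port, f.read())
        # fstat on a socket descriptor yields the same inode /proc/net/tcp shows
        if inode is None or inode != os.fstat(s.fileno()).st_ino:
            return False
        return os.getpid() in pids_holding_socket(inode)


if __name__ == "__main__":
    print(attribute_own_listener())
```

Run it as a normal user on Linux and it prints True: the socket is traced to the current PID purely through the kernel's own bookkeeping. Note that pids_holding_socket silently skips processes whose /proc/<pid>/fd it cannot read, so an unprivileged run only sees sockets of the same user; a firewall sitting in the kernel (the TDI filter of the reply above) has no such blind spot, which is one reason the in-line approach is preferred over post-hoc lookup.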
