Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 931 through 945 (of 1,496 total)
  • Author
    Posts
  • in reply to: Detecting of application component name #6638
    Vadim Smirnov
    Keymaster

      I had not sad that this is easy, but there is no other way to track the module which actually called the system service.

      Luckily for the actual winsock calls the stack is easy to restore (number and types of parameters are known) up to the calling module.

      in reply to: WinpkFilter static filters #6641
      Vadim Smirnov
      Keymaster

        Ну это то как раз очень даже понятно, адрес/порт источника/назначения зависят от направления пакета. Можно было бы сделать более сложные правила (в том числе двунаправленные), но чем проще тем быстрее работает, да и в любом случае сложное правило можно записать как композицию простых.

        in reply to: WinpkFilter static filters #6639
        Vadim Smirnov
        Keymaster

          Ну как-то вот так:


          //**************************************************************************************
          // 1. Outgoing HTTP requests filter: PASS OUT TCP packets with destination IP 64.251.25.36 PORT 80 (http://www.ntkernel.com)
          // Common values
          pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
          pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
          pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_PASS;
          pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;

          // Network layer filter
          in_addr address;
          in_addr mask;

          // IP address 64.251.25.36
          address.S_un.S_un_b.s_b1 = 64;
          address.S_un.S_un_b.s_b2 = 251;
          address.S_un.S_un_b.s_b3 = 25;
          address.S_un.S_un_b.s_b4 = 36;

          // Network mask 255.255.255.255
          mask.S_un.S_un_b.s_b1 = 255;
          mask.S_un.S_un_b.s_b2 = 255;
          mask.S_un.S_un_b.s_b3 = 255;
          mask.S_un.S_un_b.s_b4 = 255;

          pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
          pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL | IP_V4_FILTER_DEST_ADDRESS;
          pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_AddressType = IP_SUBNET_V4_TYPE;
          pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_IpSubnet.m_Ip = address.S_un.S_addr; // IP address
          pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_IpSubnet.m_IpMask = mask.S_un.S_addr; // network mask
          pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;

          // Transport layer filter
          pFilters->m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = TCPUDP;
          pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DEST_PORT;
          pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 80; // HTTP
          pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 80;

          //******************************************************************************************
          // 2. Incoming HTTP responses filter: PASS IN TCP packets with source IP 64.251.25.36 PORT 80 (http://www.ntkernel.com)
          // Common values
          pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
          pFilters->m_StaticFilters[1].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
          pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_PASS;
          pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE;

          pFilters->m_StaticFilters[1].m_NetworkFilter.m_dwUnionSelector = IPV4;
          pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL | IP_V4_FILTER_SRC_ADDRESS;
          pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_SrcAddress.m_AddressType = IP_SUBNET_V4_TYPE;
          pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_SrcAddress.m_IpSubnet.m_Ip = address.S_un.S_addr; // IP address
          pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_SrcAddress.m_IpSubnet.m_IpMask = mask.S_un.S_addr; // network mask
          pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;

          // Transport layer filter
          pFilters->m_StaticFilters[1].m_TransportFilter.m_dwUnionSelector = TCPUDP;
          pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_SRC_PORT;
          pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 80; // HTTP
          pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 80;

          //***************************************************************************************
          // 3. Drop all packets (skipped by previous filters) without processing in user mode
          // Common values
          pFilters->m_StaticFilters[2].m_Adapter.QuadPart = 0; // applied to all adapters
          pFilters->m_StaticFilters[2].m_ValidFields = 0;
          pFilters->m_StaticFilters[2].m_FilterAction = FILTER_PACKET_DROP;
          pFilters->m_StaticFilters[2].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE | PACKET_FLAG_ON_SEND;

          Правда, при таком наборе фильтров, к ntkernel.com можно будет достучаться только по адресу http://64.251.25.36, потому что DNS пакеты буду блокироваться. Для того чтобы работала DNS нужно добавить правило разрешающее DNS пакеты. Роутер добавлять необязательно (если конечно он выполняет роль DNS сервера, то можно разрешить к нему полный доступ, и заморачиваться специфическими DNS правилами).

          in reply to: Detecting of application component name #6636
          Vadim Smirnov
          Keymaster

            The task is very similar to what debugger does when it shows you the call stack. You can try to search for open source debugging tools. Also debugging relative books should be helpful. Personally I like this one http://www.amazon.com/Advanced-Debugging-Addison-Wesley-Microsoft-Technology/dp/0321374460

            in reply to: Detecting of application component name #6634
            Vadim Smirnov
            Keymaster

              You can parse the user mode stack of the calling thread. On the top of the stack is usually ntdll.dll and so on.

              However, if you are trying to detect Trojan module then it can be a bit complex. It is possible to work with TDI directly thus bypassing most of the user mode network modules. It is event possible to bypass ntdll.dll by replicating necessary system calls in Trojan module. In this case Trojan DLL will be on top of the stack. This makes the task of parsing the call stack quite complex.

              in reply to: how to capture packets of all adapters #6632
              Vadim Smirnov
              Keymaster

                Please refer WWWCensor sample which do filter on all available network interfaces.

                //
                // Get system installed network interfaces
                //
                api.GetTcpipBoundAdaptersInfo ( &AdList );

                //
                // Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)
                //
                ADAPTER_MODE Mode;
                Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;

                //
                // Create notification events and initialize the driver to pass packets thru us
                //
                for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
                {
                hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);

                if (!hEvent[dwAdIndex])
                {
                printf("Failed to create notification event for network interface n");
                return 0;
                }

                Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

                //
                // Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
                //
                api.SetAdapterMode(&Mode);

                //
                // Set packet notification event for the network interface
                //
                api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
                }


                // Initialize common part of ETH_REQUEST
                ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
                ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
                Request.EthPacket.Buffer = &PacketBuffer;

                //
                // Go into the endless loop (this is just a sample application)
                //
                while (TRUE)
                {
                //
                // Wait before any of the interfaces is ready to indicate the packet
                //
                dwAdIndex = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE ) - WAIT_OBJECT_0;

                //
                // Complete initialization of ETH_REQUEST
                //

                Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

                //
                // Read packet from the interface until there are any
                //
                while(api.ReadPacket(&Request))
                {
                //
                // Get Ethernet header
                //
                pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;

                //
                // Check if Ethernet frame contains IP packet
                //
                if(ntohs(pEthHeader->h_proto) == ETH_P_IP)
                {
                //
                // Get IP header
                //
                pIpHeader = (iphdr_ptr)(pEthHeader + 1);

                //
                // Check if IP packet contains TCP packet
                //
                if (pIpHeader->ip_p == IPPROTO_TCP)
                {
                //
                // Get TCP header pointer
                //
                pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + pIpHeader->ip_hl*4);

                //
                // Check if this HTTP packet (destined to remote system port 80, or received from it)
                //

                if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
                ((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
                {
                //
                // Get data size in the packet and pointer to the data
                //

                DWORD dwDataLength = PacketBuffer.m_Length - (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
                PCHAR pData = (PCHAR)pEthHeader + (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);

                // If packet contains any data - process it
                if (dwDataLength)
                {
                //
                // Copy packet payload into the temporary string, replace all 0 bytes with 0x20, convert string to upper case and place at the end
                //
                memcpy (szTempString, pData, dwDataLength);
                for (unsigned t = 0; t < dwDataLength; ++t)
                {
                if (szTempString[t] == 0)
                szTempString[t] = 0x20;

                if (isalpha((UCHAR)szTempString[t]))
                szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
                }
                szTempString[dwDataLength] = 0;

                //
                // Check if this packet payload contains user supplied pattern in ASCII code
                //

                if (strstr ( szTempString, szPattern ))
                bDrop = TRUE;
                }
                }

                }
                }

                if(bDrop)
                {
                printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped n",
                pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
                pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
                bDrop = FALSE;
                }
                else
                if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
                {
                // Place packet on the network interface
                api.SendPacketToAdapter(&Request);
                }
                else
                {
                // Indicate packet to MSTCP
                api.SendPacketToMstcp(&Request);
                }
                }

                //
                // Reset signalled event
                //
                ResetEvent(hEvent[dwAdIndex]);

                }
                in reply to: VirtNet on WXP x64 #6623
                Vadim Smirnov
                Keymaster

                  VirtNet is easy to build for x64, but I had not yet time to update INF file to allow installation on x64 systems. I will add x64 version when have got some spare time.

                  in reply to: Injecting Browser Helper Objects Remotely ==? #6622
                  Vadim Smirnov
                  Keymaster

                    Since the dissassembler can’t locate the functions in the dissassembly, please suggest some other way of reversing the dll ?

                    The DLL can be packed and disassembler can’t decode it without additional effort. However, many things depends from the disassembler you use and particular BHO.

                    Any further info on this method of attack, that is, how can someone remotely inject BHOs(browser helper objects) into my browser ?

                    BHO is an in-process COM object and it should be registered as any normal COM object plus it has to create several registry entries specific to BHO. So if the particular BHO was not installed by you, then someone has managed to remotely execute installation code on your system.

                    in reply to: Using VirtNet HELP !!! #6618
                    Vadim Smirnov
                    Keymaster

                      Hmm, you mean that HL server reports its IP addresses to master server? If so then probably VirtNet adapter with assigned external IP address is a solution. In any case you will also need the correct port mapping on NAT device.

                      The problem may appear if HL server reports only one IP address (from which it communicate to master server).

                      – Must i set MAC address identical to physical network card ? i think yes

                      I think no, MAC address for VirtNet does not really makes sense because this adapter never really sends/receives packets.

                      – How frames are routed/dispatch between the 2 addresses

                      If you have got configured port mapping on NAT device you will receive packets to 192.168.2.200 and you don’t really need to care about routing.

                      – Is the Virtual IP is knowne from router. In this case have i to forward incoming frames to Virtual IP rather than 192.168.2.200

                      Don’t understand what you mean.

                      – Have i set new routes on server and/or router

                      I have already mentioned port mapping required on NAT device.

                      in reply to: WinpkFilter sample in Visual Basic 6.0 #6617
                      Vadim Smirnov
                      Keymaster

                        And the wwwcensor.exe doesn’t works in my computer to block a url. It doens’t stop the navigate.

                        It worked fine for me and not only for me. Do other samples work fine on your system? How do you actually use use it?

                        Could you send me a sample how to do this?

                        wwwcensor demonstrates URL/content filtering for HTTP protocol. It blocks any HTTP packets containing the command line specified keyword. An example, to block access to yahoo.com it should be used as below:

                        D:…dsntkvpnsamplesMSVCbinamd64>wwwcensor.exe
                        Command line syntax:
                        wwwcensor.exe pattern
                        pattern – phrase or word to block HTTP packets with.

                        D:…dsntkvpnsamplesMSVCbinamd64>wwwcensor.exe yahoo
                        TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped
                        TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped
                        TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped
                        TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped

                        Note, that it also blocks any packet containing “yahoo” word, not only packets to/from yahoo.com.

                        If ONLY URL filtering is required then you have two options:
                        1) Block DNS requests for the forbidden sites (this does not allow your system to figure out the IP address and access the site).
                        2) Parse HTTP packets for GET request and block packet if it requests the forbidden URL.

                        in reply to: Problem In Programming Registry #6611
                        Vadim Smirnov
                        Keymaster

                          An example, every registered COM DLL have a relative registry entry. It may happen that the COM DLL is removed from disk but the registry entry still exists. So you take the registry entry and check if it points to the existing DLL, if not then this registry entry is invalid.

                          in reply to: More Info Needed In Process Enumeration #6610
                          Vadim Smirnov
                          Keymaster

                            Probably you are right and the mentioned tool monitors the process behavior and imported/used Win32 API. An example, not every normal process uses CreateRemoteThread.

                            in reply to: creating win32 api == ? #6612
                            Vadim Smirnov
                            Keymaster

                              Hmm, you can bypass Win32 and use native API. You can even rewrite some Winn32 APIs through another ones. However, there is no way for user mode application to do anything without somehow calling the kernel.

                              Though you don’t really need to import ntdll.dll functions, but use INT 2E (SYSCALL/SYSENTER) directly to call kernel services. Probably this is what mentioned in the quote you posted.

                              in reply to: Accessing "in Use" Files == ? #6613
                              Vadim Smirnov
                              Keymaster

                                If the file was opened in non shared mode then you won’t be able to access it from another process using Win32 API. However, you still can open the volume device in raw mode (bypassing the filesystem) and read sectors containing file data.

                                in reply to: custom message on deletion of file… #6614
                                Vadim Smirnov
                                Keymaster

                                  You can use file system filter driver to monitor all file operations. However, in case of Windows message you have mentioned – it rather implemented in the Windows Explorer and you will be able to remove those files through the command line or another file manager.

                                Viewing 15 posts - 931 through 945 (of 1,496 total)