Forum Replies Created
-
Posts
-
I had not sad that this is easy, but there is no other way to track the module which actually called the system service.
Luckily for the actual winsock calls the stack is easy to restore (number and types of parameters are known) up to the calling module.
Ну это то как раз очень даже понятно, адрес/порт источника/назначения зависят от направления пакета. Можно было бы сделать более сложные правила (в том числе двунаправленные), но чем проще тем быстрее работает, да и в любом случае сложное правило можно записать как композицию простых.
Ну как-то вот так:
//**************************************************************************************
// 1. Outgoing HTTP requests filter: PASS OUT TCP packets with destination IP 64.251.25.36 PORT 80 (http://www.ntkernel.com)
// Common values
pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_PASS;
pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;
// Network layer filter
in_addr address;
in_addr mask;
// IP address 64.251.25.36
address.S_un.S_un_b.s_b1 = 64;
address.S_un.S_un_b.s_b2 = 251;
address.S_un.S_un_b.s_b3 = 25;
address.S_un.S_un_b.s_b4 = 36;
// Network mask 255.255.255.255
mask.S_un.S_un_b.s_b1 = 255;
mask.S_un.S_un_b.s_b2 = 255;
mask.S_un.S_un_b.s_b3 = 255;
mask.S_un.S_un_b.s_b4 = 255;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL | IP_V4_FILTER_DEST_ADDRESS;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_AddressType = IP_SUBNET_V4_TYPE;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_IpSubnet.m_Ip = address.S_un.S_addr; // IP address
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_IpSubnet.m_IpMask = mask.S_un.S_addr; // network mask
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;
// Transport layer filter
pFilters->m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = TCPUDP;
pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DEST_PORT;
pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 80; // HTTP
pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 80;
//******************************************************************************************
// 2. Incoming HTTP responses filter: PASS IN TCP packets with source IP 64.251.25.36 PORT 80 (http://www.ntkernel.com)
// Common values
pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[1].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_PASS;
pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE;
pFilters->m_StaticFilters[1].m_NetworkFilter.m_dwUnionSelector = IPV4;
pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL | IP_V4_FILTER_SRC_ADDRESS;
pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_SrcAddress.m_AddressType = IP_SUBNET_V4_TYPE;
pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_SrcAddress.m_IpSubnet.m_Ip = address.S_un.S_addr; // IP address
pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_SrcAddress.m_IpSubnet.m_IpMask = mask.S_un.S_addr; // network mask
pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;
// Transport layer filter
pFilters->m_StaticFilters[1].m_TransportFilter.m_dwUnionSelector = TCPUDP;
pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_SRC_PORT;
pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 80; // HTTP
pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 80;
//***************************************************************************************
// 3. Drop all packets (skipped by previous filters) without processing in user mode
// Common values
pFilters->m_StaticFilters[2].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[2].m_ValidFields = 0;
pFilters->m_StaticFilters[2].m_FilterAction = FILTER_PACKET_DROP;
pFilters->m_StaticFilters[2].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE | PACKET_FLAG_ON_SEND;
Правда, при таком наборе фильтров, к ntkernel.com можно будет достучаться только по адресу http://64.251.25.36, потому что DNS пакеты буду блокироваться. Для того чтобы работала DNS нужно добавить правило разрешающее DNS пакеты. Роутер добавлять необязательно (если конечно он выполняет роль DNS сервера, то можно разрешить к нему полный доступ, и заморачиваться специфическими DNS правилами).
The task is very similar to what debugger does when it shows you the call stack. You can try to search for open source debugging tools. Also debugging relative books should be helpful. Personally I like this one http://www.amazon.com/Advanced-Debugging-Addison-Wesley-Microsoft-Technology/dp/0321374460
You can parse the user mode stack of the calling thread. On the top of the stack is usually ntdll.dll and so on.
However, if you are trying to detect Trojan module then it can be a bit complex. It is possible to work with TDI directly thus bypassing most of the user mode network modules. It is event possible to bypass ntdll.dll by replicating necessary system calls in Trojan module. In this case Trojan DLL will be on top of the stack. This makes the task of parsing the call stack quite complex.
Please refer WWWCensor sample which do filter on all available network interfaces.
//
// Get system installed network interfaces
//
api.GetTcpipBoundAdaptersInfo ( &AdList );
//
// Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)
//
ADAPTER_MODE Mode;
Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;
//
// Create notification events and initialize the driver to pass packets thru us
//
for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
{
hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);
if (!hEvent[dwAdIndex])
{
printf("Failed to create notification event for network interface n");
return 0;
}
Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];
//
// Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
//
api.SetAdapterMode(&Mode);
//
// Set packet notification event for the network interface
//
api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
}
// Initialize common part of ETH_REQUEST
ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
Request.EthPacket.Buffer = &PacketBuffer;
//
// Go into the endless loop (this is just a sample application)
//
while (TRUE)
{
//
// Wait before any of the interfaces is ready to indicate the packet
//
dwAdIndex = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE ) - WAIT_OBJECT_0;
//
// Complete initialization of ETH_REQUEST
//
Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];
//
// Read packet from the interface until there are any
//
while(api.ReadPacket(&Request))
{
//
// Get Ethernet header
//
pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;
//
// Check if Ethernet frame contains IP packet
//
if(ntohs(pEthHeader->h_proto) == ETH_P_IP)
{
//
// Get IP header
//
pIpHeader = (iphdr_ptr)(pEthHeader + 1);
//
// Check if IP packet contains TCP packet
//
if (pIpHeader->ip_p == IPPROTO_TCP)
{
//
// Get TCP header pointer
//
pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + pIpHeader->ip_hl*4);
//
// Check if this HTTP packet (destined to remote system port 80, or received from it)
//
if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
{
//
// Get data size in the packet and pointer to the data
//
DWORD dwDataLength = PacketBuffer.m_Length - (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
PCHAR pData = (PCHAR)pEthHeader + (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
// If packet contains any data - process it
if (dwDataLength)
{
//
// Copy packet payload into the temporary string, replace all 0 bytes with 0x20, convert string to upper case and place � at the end
//
memcpy (szTempString, pData, dwDataLength);
for (unsigned t = 0; t < dwDataLength; ++t)
{
if (szTempString[t] == 0)
szTempString[t] = 0x20;
if (isalpha((UCHAR)szTempString[t]))
szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
}
szTempString[dwDataLength] = 0;
//
// Check if this packet payload contains user supplied pattern in ASCII code
//
if (strstr ( szTempString, szPattern ))
bDrop = TRUE;
}
}
}
}
if(bDrop)
{
printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped n",
pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
bDrop = FALSE;
}
else
if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
{
// Place packet on the network interface
api.SendPacketToAdapter(&Request);
}
else
{
// Indicate packet to MSTCP
api.SendPacketToMstcp(&Request);
}
}
//
// Reset signalled event
//
ResetEvent(hEvent[dwAdIndex]);
}
VirtNet is easy to build for x64, but I had not yet time to update INF file to allow installation on x64 systems. I will add x64 version when have got some spare time.
Since the dissassembler can’t locate the functions in the dissassembly, please suggest some other way of reversing the dll ?
The DLL can be packed and disassembler can’t decode it without additional effort. However, many things depends from the disassembler you use and particular BHO.
Any further info on this method of attack, that is, how can someone remotely inject BHOs(browser helper objects) into my browser ?
BHO is an in-process COM object and it should be registered as any normal COM object plus it has to create several registry entries specific to BHO. So if the particular BHO was not installed by you, then someone has managed to remotely execute installation code on your system.
Hmm, you mean that HL server reports its IP addresses to master server? If so then probably VirtNet adapter with assigned external IP address is a solution. In any case you will also need the correct port mapping on NAT device.
The problem may appear if HL server reports only one IP address (from which it communicate to master server).
– Must i set MAC address identical to physical network card ? i think yes
I think no, MAC address for VirtNet does not really makes sense because this adapter never really sends/receives packets.
– How frames are routed/dispatch between the 2 addresses
If you have got configured port mapping on NAT device you will receive packets to 192.168.2.200 and you don’t really need to care about routing.
– Is the Virtual IP is knowne from router. In this case have i to forward incoming frames to Virtual IP rather than 192.168.2.200
Don’t understand what you mean.
– Have i set new routes on server and/or router
I have already mentioned port mapping required on NAT device.
And the wwwcensor.exe doesn’t works in my computer to block a url. It doens’t stop the navigate.
It worked fine for me and not only for me. Do other samples work fine on your system? How do you actually use use it?
Could you send me a sample how to do this?
wwwcensor demonstrates URL/content filtering for HTTP protocol. It blocks any HTTP packets containing the command line specified keyword. An example, to block access to yahoo.com it should be used as below:
D:…dsntkvpnsamplesMSVCbinamd64>wwwcensor.exe
Command line syntax:
wwwcensor.exe pattern
pattern – phrase or word to block HTTP packets with.D:…dsntkvpnsamplesMSVCbinamd64>wwwcensor.exe yahoo
TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped
TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped
TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped
TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet droppedNote, that it also blocks any packet containing “yahoo” word, not only packets to/from yahoo.com.
If ONLY URL filtering is required then you have two options:
1) Block DNS requests for the forbidden sites (this does not allow your system to figure out the IP address and access the site).
2) Parse HTTP packets for GET request and block packet if it requests the forbidden URL.An example, every registered COM DLL have a relative registry entry. It may happen that the COM DLL is removed from disk but the registry entry still exists. So you take the registry entry and check if it points to the existing DLL, if not then this registry entry is invalid.
Probably you are right and the mentioned tool monitors the process behavior and imported/used Win32 API. An example, not every normal process uses CreateRemoteThread.
Hmm, you can bypass Win32 and use native API. You can even rewrite some Winn32 APIs through another ones. However, there is no way for user mode application to do anything without somehow calling the kernel.
Though you don’t really need to import ntdll.dll functions, but use INT 2E (SYSCALL/SYSENTER) directly to call kernel services. Probably this is what mentioned in the quote you posted.
If the file was opened in non shared mode then you won’t be able to access it from another process using Win32 API. However, you still can open the volume device in raw mode (bypassing the filesystem) and read sectors containing file data.
