Personal Firewalls

#4905
blackd0t
Participant

Hi!

I am very curious how popular personal firewalls like ZoneAlarm work. When they discover outgoing packets, how do they know what program is sending them? Do all such firewalls work similarly?

I was wondering whether any malware application could fake the returned command line so the firewall would think it’s the other process. Is it possible?

Regards,
Black Dot.

#5695
Vadim Smirnov
Keymaster

    I am very curious how popular personal firewalls like ZoneAlarm work. When they discover outgoing packets, how do they know what program is sending them?

Usually they utilize an NDIS-level filter and a TDI one.

    Do all such firewalls work similarly?

From the general point of view the answer is YES, but the concrete realization and set of features can be very different.

    I was wondering whether any malware application could fake the returned command line so the firewall would think it’s the other process. Is it possible?

Yes, this is possible.

#5696
blackd0t
Participant

Thanks for the reply!

You mean that it’s possible to hook the GetCommandLine() API in the malware program to make the firewall think it’s looking at something else? How does the firewall know which packet belongs to which process?

If such a thing can be done, why was the only published method to bypass personal firewalls to inject malware code into another “privileged” process?

#5697
Vadim Smirnov
Keymaster

You can do about anything if the malware includes a kernel-mode component. The majority of users are usually logged on as a user with Administrator rights, which has the privilege to install and load drivers. So there is no actual problem for the malware to install such a component (it can even be the primary component of the malware).

Such a kernel-mode component can bypass the firewall in many different ways, such as:

1) Execution in the context of a privileged process (even simply creating a thread in the context of the System process).
2) Blocking/cheating firewall components.
3) Using its own protocol module and working with the network directly.
4) Working with TCPIP.SYS devices directly, bypassing any possible upper-level TDI filters.
5) and so on…

#5698
blackd0t
Participant

Hmm…

I have always used system-wide DLL injection, but is there really any reason to do it when you have such privileges on the machine? I see that things can be done more easily by hijacking APIs in kernel mode. (I’m still a n00b in that matter.)

#5699
Vadim Smirnov
Keymaster

    I have always used system-wide DLL injection, but is there really any reason to do it when you have such privileges on the machine? I see that things can be done more easily by hijacking APIs in kernel mode. (I’m still a n00b in that matter.)

It’s great luck for us that the majority of malware authors are not familiar with kernel-mode programming. Otherwise, numerous kernel-mode trojans… Terrific… 😯

AV companies predict such a future, but I always hope for the better 🙄 😉

#5700
blackd0t
Participant

SerpentFly, can you think of any idea how personal firewalls know which process sent a packet when they detect a network transfer?

#5701
Vadim Smirnov
Keymaster

A TDI filter (a filter driver for the MSTCP devices \Device\Tcp, \Device\Udp, \Device\Ip, \Device\RawIp, \Device\MULTICAST) detects the network operation running in the context of the calling thread/process. The same is true for an LSP DLL (another, weaker approach for application-level firewalls).
