Personal Firewalls
This topic has 7 replies, 2 voices, and was last updated 19 years, 9 months ago by Vadim Smirnov.
February 28, 2005 at 3:02 pm #4905
Hi!
I am very curious how popular personal firewalls like ZoneAlarm work. When they discover outgoing packets, how do they know which program is sending them? Do all such firewalls work similarly?
I was wondering whether a malware application could fake the returned command line so that the firewall would think it is a different process. Is it possible?
Regards,
Black Dot.

February 28, 2005 at 10:54 pm #5695
> I am very curious how popular personal firewalls like ZoneAlarm work. When they discover outgoing packets, how do they know which program is sending them?
Usually they utilize an NDIS-level filter and a TDI one.
> Do all such firewalls work similarly?
From the general point of view the answer is YES, but the concrete realization and set of features can be very different.
> I was wondering whether a malware application could fake the returned command line so that the firewall would think it is a different process. Is it possible?
Yes, this is possible.
March 1, 2005 at 9:13 am #5696
Thanks for the reply!
You mean that it's possible to hook the GetCommandLine() API in a malware program to make the firewall think it's looking at something else? How does the firewall know which packet belongs to which process?
If such a thing can be done, why was the only published method to bypass personal firewalls to inject malware code into another "privileged" process?
March 1, 2005 at 12:43 pm #5697
You can do just about anything if the malware includes a kernel-mode component. The majority of users are usually logged on as a user with Administrator rights, which has the privilege to install and load drivers. So there is no actual problem for the malware to install such a component (it can even be the primary component of the malware).
Such a kernel-mode component can bypass the firewall in many different ways, such as:
1) Execution in the context of a privileged process (even simply creating a thread in the context of the System process).
2) Blocking/cheating firewall components.
3) Using its own protocol module and working with the network directly.
4) Working with TCPIP.SYS devices directly, bypassing any possible upper-level TDI filters.
5) and so on…

March 1, 2005 at 11:31 pm #5698
Hmm…
I have always used system-wide DLL injection, but is there really any reason to do it when you have such privileges on the machine? I see that things can be done more easily by hijacking APIs in kernel mode. (I'm still a n00b in that matter.)
March 2, 2005 at 8:55 am #5699
> I have always used system-wide DLL injection, but is there really any reason to do it when you have such privileges on the machine? I see that things can be done more easily by hijacking APIs in kernel mode. (I'm still a n00b in that matter.)
It's great luck for us that the majority of malware authors are not familiar with kernel-mode programming. Otherwise, numerous kernel-mode trojans… Terrific… 😯
AV companies forecast such a future, but I always hope for the better 🙄 😉
March 2, 2005 at 7:32 pm #5700
SerpentFly, can you think of any idea how personal firewalls know which process sent a packet when they detect a network transfer?
March 2, 2005 at 8:40 pm #5701
A TDI filter (a filter driver for the MSTCP devices \Device\Tcp, \Device\Udp, \Device\Ip, \Device\RawIp, \Device\MULTICAST) detects the network operation running in the context of the calling thread/process. The same is true for an LSP DLL (another, weaker approach for application-level firewalls).
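The last reply explains that a kernel-level filter learns the owning process for free because the network call runs in the caller's context. As an added example (not from this thread or any product named in it), here is the after-the-fact user-mode alternative on Linux: joining /proc/net/tcp against the socket inodes in /proc/<pid>/fd, with constructed sample rows, a constructed inode-to-process table, and made-up PIDs and paths. It also shows why an owner should be keyed on /proc/<pid>/exe rather than the command line the first post asks about, and where the user-mode approach races.

```python
# Added example (not from the thread): attribute TCP sockets to processes from user mode on Linux.
import glob
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}
# Constructed /proc/net/tcp excerpt: one listener (inode 12345) and one client connection (inode 67890).
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C0B2 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""
# Constructed stand-in for a /proc scan: inode -> (pid, exe). PIDs and paths are made up.
SAMPLE_FD_INDEX = {12345: (4242, "/usr/sbin/nginx"), 67890: (5151, "/usr/bin/curl")}

def decode_addr(hex_addr):
    """'0100007F:0050' -> ('127.0.0.1', 80); /proc stores IPv4 in host (little-endian) order."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into rows with endpoints, state, uid and socket inode."""
    rows = []
    for line in text.splitlines()[1:]:              # line 0 is the column header
        f = line.split()
        if len(f) >= 10:
            rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                         "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]),
                         "inode": int(f[9])})
    return rows

def build_fd_index(proc_root="/proc"):
    """inode -> (pid, exe) from /proc/<pid>/fd symlinks (Linux only; empty elsewhere). The owner
    is identified by /proc/<pid>/exe, which a process cannot rewrite, not by its command line."""
    index = {}
    for link in glob.glob(f"{proc_root}/[0-9]*/fd/*"):
        try:
            target = os.readlink(link)
            if target.startswith("socket:["):
                pid = link.split(os.sep)[-3]
                index[int(target[8:-1])] = (int(pid), os.readlink(f"{proc_root}/{pid}/exe"))
        except OSError:                             # fd closed or process exited mid-scan, or no permission
            continue
    return index

def attribute(rows, fd_index):
    """Join rows to owners. owner None means the process already exited (or lives in another
    namespace): the race an in-context kernel filter never has to deal with."""
    return [dict(row, owner=fd_index.get(row["inode"])) for row in rows]
```

On a real Linux host, `attribute(parse_proc_net_tcp(open("/proc/net/tcp").read()), build_fd_index())` performs the same join against live data; sockets owned by other users show up unattributed unless the scan runs as root.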