Message-ID: <20050314025045.2012.qmail@www.securityfocus.com>
Date: 14 Mar 2005 02:50:45 -0000
From: Liu Die Yu <liudieyu@...rella.name>
To: bugtraq@...urityfocus.com
Subject: New Version of WinBlox is Available

Intro
=====

User-mode, WINAPI-level, open-source tool for controlling the behavior of
applications running on Windows workstations:
http://umbrella.name/upid/winblox

Tech
====

* system-wide DLL injection by CreateRemoteThread and intercepting
  CreateProcessInternalW of kernel32.dll;
* uses Detours (from MS Research) to hook the API;
* a Win9x version of CreateRemoteThread is also included for review, but is
  not implemented yet;
* simple PCRE usage;
* all source code is available:
  http://umbrella.name/computer/winblox/winblox-open-2005.03.11.tar.gz
* perhaps you need a free building environment to start research:
  http://umbrella.name/computer/winblox/free_microsoft_visual_c_building_environment

*** go to http://umbrella.name/upid/winblox if the above direct links don't work ***

WinBlox in a Nutshell
=====================

Here is one classic example: if you input "mms://google.com/" in the latest
build of win32 Mozilla, you will see a dialog like this:

/----------------------------\
An external application must be launched to handle mms: links.

requested link: mms://google.com/

If you were not expecting this request it may be an attempt to exploit a
weakness in that other program. Cancel this request unless you are sure it
is not malicious.

[Launch application] [Cancel]
\----------------------------/

It's some kind of mechanism preventing external programs from being executed -
pretty simple and valuable.

With the help of WinBlox, you can have the same type of mechanism in IE in a
matter of seconds - just add the following lines to the configuration file
named WBLIST.TXT:

/----------------------------\
Internet application is about to launch external program in a non-RPC way.
$record.confirm.^.*@...cute_program:.*\\(iexplore\.exe|mozilla\.exe) > .* ==> .*
\----------------------------/

And run CONSOLE.EXE; then it's done. You don't need admin privilege to do
this. And there is absolutely no change made to your system registry, and no
file other than one log file within the WinBlox directory will be written (of
course this means CONSOLE.EXE needs to be executed again after logoff or
reboot).

Now, input "mms://google.com/" in IE, and you will see a dialog like this:

/----------------------------\
WinBlox has detected an operation that requires your confirmation.
Press NO to cancel it.

Internet application is about to launch external program in a non-RPC way.
__________
c:\program files\internet explorer\iexplore.exe > "c:\program files\internet explorer\iexplore.exe"
__________
User Account: user
Request Type: execute_program
Parameters: c:\program files\windows media player\wmplayer.exe --> "c:\program files\windows media player\wmplayer.exe" "mms://google.com/"

[YES] [NO]
\----------------------------/

Press "NO" and Windows Media Player will not be executed.

Highlight
=========

WinBlox is an ideal tool for hardening the security of Windows systems:

* Simple: based on mature results (PCRE and Detours), the WinBlox source code
  is very small. The source code is so clear and short that you can review it
  all in less than 2 hours.
* Predictable: great simplicity means no surprises.
* Secure: simplicity and open source give you secure software.
* Flexible: normal users will find great flexibility in regular expressions,
  and developers will be able to easily change the behavior of WinBlox because
  of its simplicity, structured design, documentation, and meaningful names.
* Clean: no change to the system registry; no file other than one log file
  within the WinBlox directory will be written; no admin privilege needed.
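The rule-matching step the announcement describes, as an added example that is not WinBlox's own code: a small Python re-implementation of a WBLIST.TXT-style check, run over a constructed event mirroring the dialog above. It assumes the rule syntax visible in the post (a message line followed by a `$record.<action>.<regex>` line) and reconstructs the record string the regex is matched against from the dialog's fields; that record layout, the `ProcessEvent` class and the `execute_program` request type (taken from the dialog's "Request Type" field) are my assumptions, not a documented WinBlox format. Python is used because the point is the regex policy logic, which runs anywhere; the CreateRemoteThread injection and Detours hooking side is Win32-only and is not shown.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed rule file in the form shown in the post (a message line, then a
# "$record.<action>.<regex>" line).  "execute_program" is taken from the
# dialog's "Request Type" field; the rest of the pattern is the posted one.
WBLIST = r"""
Internet application is about to launch external program in a non-RPC way.
$record.confirm.^.*@execute_program:.*\\(iexplore\.exe|mozilla\.exe) > .* ==> .*
"""


@dataclass
class Rule:
    message: str   # text shown in the confirmation dialog
    action: str    # "confirm" in the posted example
    pattern: str   # PCRE-style regular expression matched against the record


@dataclass
class ProcessEvent:
    """Fields of an intercepted process launch, as listed in the dialog."""
    user: str
    request_type: str
    parent_image: str
    parent_cmdline: str
    child_image: str
    child_cmdline: str

    def record(self) -> str:
        # ASSUMED flattening of the event into the string the regex sees,
        # chosen so that the posted pattern's "\\iexplore.exe > " and " ==> "
        # anchors line up with the parent path and the child parameters.
        return (f"{self.user}@{self.request_type}:"
                f"{self.parent_image} > {self.parent_cmdline} ==> "
                f"{self.child_image} --> {self.child_cmdline}")


def parse_wblist(text: str) -> List[Rule]:
    """Parse WBLIST-style text: each "$record." line closes the rule whose
    message is the preceding non-empty line."""
    rules: List[Rule] = []
    message = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("$record."):
            action, _, pattern = line[len("$record."):].partition(".")
            re.compile(pattern)  # reject a malformed regex at load time
            rules.append(Rule(message, action, pattern))
            message = ""
        else:
            message = line
    return rules


def first_match(rules: List[Rule], event: ProcessEvent,
                case_insensitive: bool = False) -> Optional[Rule]:
    """Return the first rule whose regex matches the event record, if any."""
    flags = re.IGNORECASE if case_insensitive else 0
    rec = event.record()
    for rule in rules:
        if re.search(rule.pattern, rec, flags):
            return rule
    return None


def decide(event: ProcessEvent, case_insensitive: bool = False) -> str:
    """Action for the event: the matching rule's action, else "allow"."""
    hit = first_match(parse_wblist(WBLIST), event, case_insensitive)
    return hit.action if hit else "allow"


# Constructed event mirroring the dialog in the post: IE launching WMP for an mms: URL.
IE_LAUNCHES_WMP = ProcessEvent(
    user="user",
    request_type="execute_program",
    parent_image=r"c:\program files\internet explorer\iexplore.exe",
    parent_cmdline=r'"c:\program files\internet explorer\iexplore.exe"',
    child_image=r"c:\program files\windows media player\wmplayer.exe",
    child_cmdline=r'"c:\program files\windows media player\wmplayer.exe" "mms://google.com/"',
)

# Same launch, but with the parent path in a different letter case.  Windows
# paths are case-insensitive; a case-sensitive regex is not.
IE_UPPERCASE_PATH = replace(
    IE_LAUNCHES_WMP,
    parent_image=r"C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE",
)

if __name__ == "__main__":
    print(decide(IE_LAUNCHES_WMP))                           # confirm
    print(decide(IE_UPPERCASE_PATH))                         # allow
    print(decide(IE_UPPERCASE_PATH, case_insensitive=True))  # confirm
```

Two caveats the example makes concrete. First, a path-matching rule written case-sensitively is bypassed by nothing more than a differently cased image path, so rules of this kind should be matched case-insensitively (or the record should be lower-cased before matching). Second, as the announcement's own wording "in a non-RPC way" indicates, the hook lives inside the requesting process and only sees that process calling CreateProcess itself; a launch brokered by another process on the browser's behalf is attributed to the broker, not the browser, and code already running inside the hooked process can remove a user-mode hook. The mechanism is a convenience control, not a boundary.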