Bugtraq mailing list archives

RE: security enforcement - new monitor for winnt

From: "Oliver Lavery" <olavery () pivx com>
Date: Fri, 9 Aug 2002 01:35:20 -0400


        Liu Die Yu, are you sure you don't want to be calling _snprintf
here? ;) And since CreateFileW can be called with a 32,767 byte file name,
I'm not sure what'll happen when you stuff it into a 200 byte buffer when
it's converted to multi-byte... Call me crazy, but I'd be a little hesitant
to run this in a production environment (even though it's at version 6.0)

        Microsoft doesn't have a monopoly on buggy code with B0fs in it. ;)

        This is a good idea though, hooking is neat. I'm not so sure I'd say
it's unprecedented. Using AppInit_DLLs to load a hook DLL is a pretty common
trick. Still, a nice hack.

.text:10001AEB ; int __stdcall My_CreateFileW(LPCWSTR
lpWideCharStr,int,int,int,int,int,int)
.text:10001AEB                 public My_CreateFileW
.text:10001AEB My_CreateFileW  proc near               ; DATA XREF:
DllMain(x,x,x)+47o
.text:10001AEB                                         ; DllMain(x,x,x)+75o
.text:10001AEB 
.text:10001AEB var_CD0         = byte ptr -0CD0h
.text:10001AEB var_8D0         = dword ptr -8D0h
.text:10001AEB var_8CC         = dword ptr -8CCh
.text:10001AEB MultiByteStr    = byte ptr -8C8h
.text:10001AEB Text            = byte ptr -800h
.text:10001AEB lpWideCharStr   = dword ptr  8
.text:10001AEB arg_4           = dword ptr  0Ch
.text:10001AEB arg_8           = dword ptr  10h
.text:10001AEB arg_C           = dword ptr  14h
.text:10001AEB arg_10          = dword ptr  18h
.text:10001AEB arg_14          = dword ptr  1Ch
.text:10001AEB arg_18          = dword ptr  20h
.text:10001AEB 
.text:10001AEB                 push    ebp
.text:10001AEC                 mov     ebp, esp
.text:10001AEE                 sub     esp, 0CD0h
.text:10001AF4                 mov     [ebp+var_8D0], 0
.text:10001AFE                 call    sub_100012EF    ; _reg
.text:10001B03                 test    eax, eax
.text:10001B05                 jnz     loc_10001C42
.text:10001B0B                 lea     eax, [ebp+var_CD0]
.text:10001B11                 push    eax
.text:10001B12                 mov     ecx, [ebp+arg_4]
.text:10001B15                 push    ecx
.text:10001B16                 call    sub_10001383
.text:10001B1B                 push    0               ; lpUsedDefaultChar
.text:10001B1D                 push    0               ; lpDefaultChar
.text:10001B1F                 push    0C8h            ; cchMultiByte
.text:10001B24                 lea     edx, [ebp+MultiByteStr]
.text:10001B2A                 push    edx             ; lpMultiByteStr
.text:10001B2B                 push    0FFFFFFFFh      ; cchWideChar
.text:10001B2D                 mov     eax, [ebp+lpWideCharStr]
.text:10001B30                 push    eax             ; lpWideCharStr
.text:10001B31                 push    0               ; dwFlags
.text:10001B33                 push    0               ; CodePage
.text:10001B35                 call    ds:WideCharToMultiByte
.text:10001B3B                 mov     [ebp+Text], 0
.text:10001B42                 lea     ecx, [ebp+MultiByteStr]
.text:10001B48                 push    ecx
.text:10001B49                 lea     edx, [ebp+var_CD0]
.text:10001B4F                 push    edx
.text:10001B50                 call    ds:GetCommandLineA
.text:10001B56                 push    eax
.text:10001B57                 call    sub_100010C9
.text:10001B5C                 push    eax
.text:10001B5D                 push    offset aCreatefileSSSS ;
"CreateFile:%s > %s ==> %s --> %s"
.text:10001B62                 lea     eax, [ebp+Text]
.text:10001B68                 push    eax
.text:10001B69                 call    _sprintf
.text:10001B6E                 add     esp, 18h
.text:10001B71                 mov     [ebp+var_8D0], 0
.text:10001B7B                 jmp     short loc_10001B8C

Cheers,
~x

-----Original Message-----
From: Liu Die Yu [mailto:liudieyuinchina () yahoo com cn] 
Sent: March 29, 2004 11:35 PM
To: bugtraq () securityfocus com
Subject: security enforcement - new monitor for winnt

i want to stop ie:

writing EXE/CAB/LNK ... files,

calling MSHTA.EXE to parse remote web pages,

accessing files outside "favorites" and cache("content.ie5").

i want to stop WSCRIPT.EXE from parsing files inside TEMP and cache.

i want to stop the system running executable files located in 
TEMP and cache.

afaik, i can stop ie 0day exploits by doing these things.

so, i made this:

http://umbrella.name/winblox/

of course, free. and you can define your own rules easily(assuming you guys
know a bit about regular expression).



it's totally a new idea(afaik). so, not for operational uses. 

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004

Current thread:

security enforcement - new monitor for winnt Liu Die Yu (Mar 30)
- Re: security enforcement - new monitor for winnt Amir Mohammadkhani-Aminabadi (Mar 30)
  - Re: security enforcement - new monitor for winnt Liu Die Yu (Mar 31)
- RE: security enforcement - new monitor for winnt Oliver Lavery (Mar 31)
  - RE: security enforcement - new monitor for winnt Liu Die Yu (Mar 31)
- <Possible follow-ups>
- Re: security enforcement - new monitor for winnt http-equiv () excite com (Mar 30)