Monday, August 28, 2006

learning-mode

After some testing and installing NG, I decided to add another thing to NG beta 2: a learning mode.

That makes the first days after NG installation a lot easier for the user.

I think it takes at least one week.

BTW, the number of beta-testers is getting a little bit higher these days, and that's really good.

Saturday, August 26, 2006

driver file modification protection

I've finished the driver file modification filter, and yesterday was a new record for me: working for 13 hours.

I'm preparing the NG wizard and setup, and I will send the debug version of NG beta 2 to beta-testers in the next few days.

Friday, August 25, 2006

Direct physical memory access & driver loading

Numbers 4 and 5 from the previous post are done.

Just want to note that the protection against direct physical memory writing also helps defend against SDT restoring, the method described at www.security.org.sg/code/sdtrestore.html. That method uses physical memory access too (\Device\PhysicalMemory), so by applying this filter we effectively stop SDTrestore from gaining write access to physical memory.

Now I will work on number 7, modifying driver files on disk.
That's going to be a little bit hard.

Monday, August 21, 2006

Attacking Host-based Intrusion Prevention Systems

A few days ago Thomas emailed me a document about attacking HIPS (thanks Thomas).
The document was written by Eugene Tsyrklevich from SecurityArchitects.com. It is a very interesting article and covers some interesting attack methods for bypassing HIPS. Here is a list of the attacks related to my HIPS:

  1. Using symbolic links to bypass filters
    NG is actually protected against this kind of attack, as it is designed to completely resolve all names before checking them against filters.

  2. Using the Service Control Manager (SCM) to install drivers or something similar
    NG detects all requests to the SCM, checks them against the service & driver creation/modification settings/filter, and can allow or deny them.

  3. ZwLoadDriver()
    This one is also already protected by NG.

  4. Using ZwSetSystemInformation's SystemLoadAndCallImage & SystemLoadImage to load drivers
    I'm currently working on protecting NG's users from this kind of attack (it takes some time).

  5. Injecting code by directly modifying kernel memory (\Device\PhysicalMemory)
    NG is not protected against this attack. I will work on this one after the ZwSetSystemInformation one; it takes little time.

  6. If a trusted system process is still allowed to load kernel drivers, use DLL injection to inject userland code into the trusted process and then load a malicious kernel driver
    NG protects processes against DLL injection.

  7. Modifying an existing kernel driver on disk
    This is also possible against NG's protection. I'll work on it in the next few days.
I think that's enough description of the attacks.
I'll work on them and report back.

document link: http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-tsyrklevich.pdf
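The point behind item 1 (and the reason item 5 and the SDTrestore note in the Aug 25 post above are really the same problem) is that a filter must compare the fully resolved name. The object manager follows \?? aliases and symbolic links on its own, so a rule written against \Device\PhysicalMemory is bypassed by any alias that resolves to it unless the filter resolves first. The following is an added example, not NG's code or any real driver: its link table (including the attacker-created PHYSMEM alias and the LOOPA/LOOPB loop), its access-mask constants and its rule list are all constructed for illustration.

```c
/* Added example (not NG's code): a name filter that resolves aliases and
 * symbolic links to a canonical NT object name before matching rules, so an
 * alias of \Device\PhysicalMemory cannot slip past a rule written against
 * the device's real name.  Link table and rules are constructed here. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAXPATH      512
#define MAX_HOPS     16       /* reparse limit: a link loop must not hang the filter */
#define ACCESS_READ  1u
#define ACCESS_WRITE 2u

struct link { const char *name; const char *target; };
struct rule { const char *prefix; unsigned denied; };

/* Hypothetical symbolic links; real ones live in the \?? object directory. */
static const struct link links[] = {
    { "\\??\\C:",             "\\Device\\HarddiskVolume1" },
    { "\\??\\PhysicalDrive0", "\\Device\\Harddisk0\\DR0" },
    { "\\??\\PHYSMEM",        "\\Device\\PhysicalMemory" },   /* attacker-created alias */
    { "\\SystemRoot",         "\\Device\\HarddiskVolume1\\WINDOWS" },
    { "\\??\\LOOPA",          "\\??\\LOOPB" },                 /* deliberate loop */
    { "\\??\\LOOPB",          "\\??\\LOOPA" },
};

/* Rules are written only against canonical names. */
static const struct rule rules[] = {
    { "\\Device\\PhysicalMemory", ACCESS_WRITE },
    { "\\Device\\Harddisk0\\DR0",  ACCESS_WRITE },
};

/* Case-insensitive prefix test that only matches at a path-component boundary. */
static int prefix_match(const char *name, const char *prefix)
{
    size_t n = strlen(prefix);
    return strncasecmp(name, prefix, n) == 0 && (name[n] == '\0' || name[n] == '\\');
}

/* Rewrite aliases, then follow links until the name stops changing.
 * Returns 0 on success, -1 if the hop limit was hit. */
int canonicalize(const char *in, char *out, size_t outlen)
{
    char cur[MAXPATH], next[MAXPATH];
    int hops;

    if (isalpha((unsigned char)in[0]) && in[1] == ':')        /* "C:\..." */
        snprintf(cur, sizeof cur, "\\??\\%s", in);
    else if (strncasecmp(in, "\\DosDevices\\", 12) == 0)      /* old spelling of \?? */
        snprintf(cur, sizeof cur, "\\??\\%s", in + 12);
    else
        snprintf(cur, sizeof cur, "%s", in);

    for (hops = 0; hops < MAX_HOPS; hops++) {
        size_t i, n = sizeof links / sizeof links[0];
        for (i = 0; i < n; i++)
            if (prefix_match(cur, links[i].name))
                break;
        if (i == n) {                                         /* nothing left to resolve */
            snprintf(out, outlen, "%s", cur);
            return 0;
        }
        snprintf(next, sizeof next, "%s%s", links[i].target, cur + strlen(links[i].name));
        memcpy(cur, next, sizeof cur);
    }
    return -1;
}

/* Convenience wrapper: canonical name in a static buffer, or "" on failure. */
const char *canonical_name(const char *in)
{
    static char buf[MAXPATH];
    if (canonicalize(in, buf, sizeof buf) != 0)
        buf[0] = '\0';
    return buf;
}

/* 1 = allow, 0 = deny.  Unresolvable names are denied rather than allowed. */
int check_access(const char *requested, unsigned access)
{
    char canon[MAXPATH];
    size_t i;
    if (canonicalize(requested, canon, sizeof canon) != 0)
        return 0;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (prefix_match(canon, rules[i].prefix) && (access & rules[i].denied))
            return 0;
    return 1;
}

int main(void)
{
    static const char *names[] = {
        "\\Device\\PhysicalMemory", "\\??\\PHYSMEM", "\\DosDevices\\PHYSMEM",
        "\\??\\PhysicalDrive0", "C:\\WINDOWS\\notepad.exe", "\\??\\LOOPA",
    };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-26s -> %-44s write:%s\n", names[i], canonical_name(names[i]),
               check_access(names[i], ACCESS_WRITE) ? "allow" : "deny");
    return 0;
}
```

Two design choices matter here. Matching is done on the resolved name only, never on the string the caller supplied, so "\??\PHYSMEM", "\DosDevices\PHYSMEM" and "\Device\PhysicalMemory" all hit the same rule. And a name that cannot be resolved within the hop limit is denied, not allowed: failing open on a link loop would hand an attacker a bypass for free.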

Saturday, August 19, 2006

partition table protection done

Low-level disk access filter done; now all applications trying to access the hard disk directly can be detected.

The beta-testing will start next week because there are a couple of things I want to add; I will write about them in the next post.
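Detecting direct disk access is the easy half; deciding what a raw write would actually do to sector 0 is what turns a log entry into a partition-table alert. The following is an added example, not NG's code or any real filter driver: it models the decision only, with a constructed sample MBR and constructed write requests, and treats a byte-for-byte identical rewrite (what backup and partitioning tools legitimately do) as raw access worth logging but not as a modification.

```c
/* Added example (not NG's code): classify a raw-disk write by what it would
 * change in sector 0.  Sample MBR and requests are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
#define PT_OFFSET   446   /* four 16-byte partition entries start here */
#define PT_ENTRIES  4
#define SIG_OFFSET  510   /* 0x55 0xAA boot signature */

enum verdict { RAW_WRITE_LOGGED = 0, DENY_BOOT_CODE = 1, DENY_PARTITION_TABLE = 2 };

/* Constructed sample MBR: boot-code stand-in plus one active NTFS partition. */
void make_sample_mbr(uint8_t mbr[SECTOR_SIZE])
{
    uint8_t *e = mbr + PT_OFFSET;                 /* entry 0 */
    memset(mbr, 0, SECTOR_SIZE);
    memset(mbr, 0x90, 16);                        /* pretend boot code */
    e[0] = 0x80;                                  /* active flag */
    e[4] = 0x07;                                  /* type: NTFS */
    e[8] = 63;                                    /* start LBA 63 (little-endian) */
    e[13] = 0x10;                                 /* 0x1000 sectors */
    mbr[SIG_OFFSET] = 0x55;
    mbr[SIG_OFFSET + 1] = 0xAA;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

uint32_t sample_partition_start_lba(int idx)
{
    uint8_t mbr[SECTOR_SIZE];
    make_sample_mbr(mbr);
    return le32(mbr + PT_OFFSET + 16 * idx + 8);
}

/* Index of the first partition entry whose bytes differ, or -1 if none. */
int first_changed_entry(const uint8_t *old_mbr, const uint8_t *new_mbr)
{
    int i;
    for (i = 0; i < PT_ENTRIES; i++)
        if (memcmp(old_mbr + PT_OFFSET + 16 * i, new_mbr + PT_OFFSET + 16 * i, 16) != 0)
            return i;
    return -1;
}

/* Classify a write of `len` bytes at byte offset `off` carrying `data`, given
 * the sector 0 currently on disk.  Any direct write is at least logged; only
 * bytes that differ from the disk escalate the verdict, and a change in the
 * partition-table/signature region outranks one in the boot code. */
enum verdict classify_raw_write(const uint8_t mbr[SECTOR_SIZE],
                                uint64_t off, uint64_t len, const uint8_t *data)
{
    enum verdict v = RAW_WRITE_LOGGED;
    uint64_t i;
    for (i = 0; i < len && off + i < SECTOR_SIZE; i++) {
        uint64_t pos = off + i;
        if (data[i] == mbr[pos])
            continue;                         /* same byte: not a modification */
        if (pos >= PT_OFFSET)
            return DENY_PARTITION_TABLE;      /* entries or boot signature */
        v = DENY_BOOT_CODE;                   /* keep scanning toward the table */
    }
    return v;
}

/* Scenario helpers: patch one byte of the sample MBR and write the whole
 * sector back, or zero-fill 512 bytes starting at an arbitrary offset. */
static void patched_copy(uint8_t mbr[SECTOR_SIZE], uint8_t w[SECTOR_SIZE],
                         uint64_t pos, uint8_t value)
{
    make_sample_mbr(mbr);
    memcpy(w, mbr, SECTOR_SIZE);
    if (pos < SECTOR_SIZE) w[pos] = value;
}

enum verdict verdict_after_patch(uint64_t pos, uint8_t value)
{
    uint8_t mbr[SECTOR_SIZE], w[SECTOR_SIZE];
    patched_copy(mbr, w, pos, value);
    return classify_raw_write(mbr, 0, SECTOR_SIZE, w);
}

int changed_entry_after_patch(uint64_t pos, uint8_t value)
{
    uint8_t mbr[SECTOR_SIZE], w[SECTOR_SIZE];
    patched_copy(mbr, w, pos, value);
    return first_changed_entry(mbr, w);
}

enum verdict verdict_zero_fill_at(uint64_t off)
{
    uint8_t mbr[SECTOR_SIZE], zeros[SECTOR_SIZE] = {0};
    make_sample_mbr(mbr);
    return classify_raw_write(mbr, off, SECTOR_SIZE, zeros);
}

int main(void)
{
    static const char *names[] = { "raw write (logged)", "DENY: boot code", "DENY: partition table" };
    printf("partition 0 starts at LBA %u\n", sample_partition_start_lba(0));
    printf("rewrite identical sector : %s\n", names[verdict_after_patch(0, 0x90)]);
    printf("new boot code byte       : %s\n", names[verdict_after_patch(0, 0xEB)]);
    printf("wipe type of entry 0     : %s\n", names[verdict_after_patch(PT_OFFSET + 4, 0x00)]);
    printf("clobber boot signature   : %s\n", names[verdict_after_patch(SIG_OFFSET, 0x00)]);
    printf("zero-fill at 1 MiB       : %s\n", names[verdict_zero_fill_at(1u << 20)]);
    return 0;
}
```

In a real filter the "current sector 0" would come from a read issued (or cached) by the driver before the write is allowed through; the comparison itself is what lets the filter separate a harmless rewrite from a partition-table change and report which entry moved.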

Thursday, August 17, 2006

low-level disk access

Thanks, Krazaf.

After a new sample from Krazaf, I successfully found how this kind of attack can be detected.

It is not hard to implement and should take some hours, or one day.

I'll work on it tomorrow.

GeSwall incompatibility

While running GeSwall along with NG, a BSOD triggers at almost random times; debug analysis didn't show anything. I think I should leave it and recommend not using NG and GeSwall together.

As the BSOD triggered very rarely on my system, it's harder to debug.
So I give up on debugging this incompatibility issue.

Wednesday, August 09, 2006

everything is fine

There were just a couple of bugs.

They are OK now, but I'm still looking for bugs.

On 20 Aug, the new beta 2 is going to start its tests by the beta-testers who decided to help me debug NG b2.

Till then I will work alone on debugging.

I have enabled a couple of features which were disabled, or which I had decided to disable in beta 2. I think I have enough ideas to keep future versions interesting.

BTW, I will keep NG free. And I don't keep it free to help people protect their systems or fight against malware, but to show the power of my software to everyone and to become famous. That's all.

Tuesday, August 01, 2006

debugging

As several incompatibilities and bugs were reported while using NG along with some other firewalls, anti-viruses, etc., I have decided to run them on my computer and test them thoroughly. This is going to be the last step in NG beta 2 development.

I'll report bugs.