After some testing and installing NG, I decided to add another thing to NG beta 2: a learning mode.
That makes the first days of an NG installation a lot easier for the user.
I think it takes at least 1 week.
BTW, the number of beta-testers is growing a little these days, and it's really good.
Monday, August 28, 2006
Saturday, August 26, 2006
driver file modification protection
I've done the driver file modification filter, and yesterday was a new record for me: working for 13 hours.
I'm preparing the NG wizard and setup, and I will send the debug version of NG beta 2 to beta-testers in the next few days.
Friday, August 25, 2006
Direct physical memory access & driver loading
Numbers 4 and 5 from the previous post are done.
Just want to note that the protection against direct memory writing also helps defend against restoring the SDT, the method described in www.security.org.sg/code/sdtrestore.html. This method uses physical memory access too (\device\physicalmemory). So, by applying this filter, we effectively stop SDTrestore from gaining write access to physical memory.
Now, I will work on number 7, modifying driver files on disk.
That's going to be a little bit hard.
Monday, August 21, 2006
Attacking Host-based Intrusion Prevention Systems
A few days ago Thomas emailed me a document about attacking HIPS. (Thanks, Thomas.)
The document was written by Eugene Tsyrklevich from SecurityArchitects.com. It is a very interesting article and covers some interesting attack methods to bypass HIPS. Here is a list of the attacks related to my HIPS:
- Using Symbolic Links to bypass filters
NG is actually protected against this kind of attack, as it is designed to completely resolve all names before checking them against filters.
- Using Service Control Manager (SCM) to install drivers or something
NG detects all requests to SCM and checks them against the service & driver creation/modification settings/filter, and can allow or deny them.
- ZwLoadDriver()
This one is also already protected by NG.
- Using ZwSetSystemInformation's SystemLoadAndCallImage & SystemLoadImage to load drivers
I'm currently working on protecting NG's users from this kind of attack (takes some time).
- Inject code by directly modifying the kernel memory (\Device\PhysicalMemory)
NG is not protected against this attack; I will work on this one after the ZwSetSystemInformation one, it takes little time.
- If a trusted system process is still allowed to load kernel drivers, use DLL injection to inject userland code into the trusted process and then load a malicious kernel driver
NG protects processes against DLL injection.
- Modify an existing kernel driver on disk
It is also possible against NG protection; I'll work on it in the next few days.
I'll work on them and report back.
document link: http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-tsyrklevich.pdf
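The first item in the list above, the symbolic-link bypass, is worth seeing in code. The block below is an added example written for this page; it is not NG's code and not from the Tsyrklevich paper. It is portable POSIX C: a symlink and realpath() stand in for the Windows object-manager links and name resolution the post refers to, and the /tmp layout, the file names (drivers/ng.sys, evil.lnk, harmless.txt) and the two filter functions are all constructed for the demonstration. The naive filter matches the literal requested name against a protected prefix, so a link created outside that prefix but pointing into it is allowed; the resolving filter canonicalises the name first and fails closed when resolution fails.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* True when `path` is `prefix` itself or lies below it as a directory
 * (so "/x/drivers2" is not treated as inside "/x/drivers"). */
static int under_prefix(const char *path, const char *prefix) {
    size_t n = strlen(prefix);
    if (strncmp(path, prefix, n) != 0) return 0;
    return path[n] == '\0' || path[n] == '/';
}

/* Naive filter: matches the literal requested name against the protected
 * prefix. A link created outside the prefix that points inside it slips through. */
int naive_filter_allows(const char *requested, const char *protected_prefix) {
    return !under_prefix(requested, protected_prefix);
}

/* Resolving filter: canonicalise every component (symlinks, "..", repeated
 * separators) with realpath() before matching, and deny when the name cannot
 * be resolved. This is the portable analogue of "completely resolve all names
 * before checking them against filters". */
int resolving_filter_allows(const char *requested, const char *protected_prefix) {
    char resolved[PATH_MAX];
    if (realpath(requested, resolved) == NULL) return 0;   /* fail closed */
    return !under_prefix(resolved, protected_prefix);
}

static int touch(const char *path) {
    int fd = open(path, O_CREAT | O_WRONLY, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Builds the scenario in a fresh temp directory (constructed test data):
 *   <base>/drivers/ng.sys                      the protected file
 *   <base>/evil.lnk -> <base>/drivers/ng.sys   the attacker's link
 *   <base>/harmless.txt                        an unrelated file
 * Returns a bit mask: bit 0 = naive filter allowed the link (bypass),
 * bit 1 = resolving filter denied the link, bit 2 = resolving filter still
 * allows the unrelated file. All three set (7) is the expected outcome.
 * Returns -1 if setup fails. */
int run_symlink_bypass_demo(void) {
    char tmpl[] = "/tmp/hipsdemoXXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;

    /* Canonicalise the base as well, so the protected prefix itself contains no links. */
    char base[PATH_MAX];
    if (realpath(tmpl, base) == NULL) return -1;

    char protected_dir[PATH_MAX], driver[PATH_MAX], link[PATH_MAX], other[PATH_MAX];
    snprintf(protected_dir, sizeof protected_dir, "%s/drivers", base);
    snprintf(driver, sizeof driver, "%s/drivers/ng.sys", base);
    snprintf(link, sizeof link, "%s/evil.lnk", base);
    snprintf(other, sizeof other, "%s/harmless.txt", base);

    int result = -1;
    if (mkdir(protected_dir, 0700) == 0 && touch(driver) == 0 &&
        touch(other) == 0 && symlink(driver, link) == 0) {
        result = 0;
        if (naive_filter_allows(link, protected_dir))      result |= 1;
        if (!resolving_filter_allows(link, protected_dir)) result |= 2;
        if (resolving_filter_allows(other, protected_dir)) result |= 4;
    }

    unlink(link); unlink(driver); unlink(other);
    rmdir(protected_dir); rmdir(base);
    return result;
}

int main(void) {
    int r = run_symlink_bypass_demo();
    printf("naive filter bypassed by link:            %s\n", (r & 1) ? "yes" : "no");
    printf("resolving filter denied link:             %s\n", (r & 2) ? "yes" : "no");
    printf("resolving filter allows unrelated file:   %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

The same shape applies to the other name-based items in the list (SCM service paths, driver image paths): the check has to run on the fully resolved object, and a name that cannot be resolved should be denied rather than allowed through.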
Saturday, August 19, 2006
partition table protection done
Low-level disk access filter done; now all applications trying to access the hard disk directly can be detected.
The beta-testing will start next week because there are a couple of things I want to add; I will write about them in the next post.
Thursday, August 17, 2006
low-level disk access
Thanks, Krazaf.
After a new sample from Krazaf, I successfully found how this kind of attack can be detected.
It is not hard to implement and should take some hours/1 day.
I'll work on it tomorrow.
GeSwall incompatibility
While running GeSwall along with NG, a BSOD triggers at almost random times; debug analysis didn't show anything. I think I should leave it and recommend not using NG and GeSwall together.
As the BSOD triggered very rarely on my system, it's harder to debug.
So I give up on debugging this incompatibility issue.
Wednesday, August 09, 2006
everything is fine
There were just a couple of bugs.
They are OK now, but I'm still looking for bugs.
On 20 Aug, the new beta 2 is going to start its tests by the beta-testers who decided to help me debug NG b2.
Till then I will work alone on debugging.
I have enabled a couple of features which were disabled, or which I had decided to disable in beta 2. I think I have enough ideas to keep future versions interesting.
BTW, I will keep NG free. And I don't keep it free to help people protect their systems or fight against malware, but to show the power of my software to everyone and to become famous. That's all.
Tuesday, August 01, 2006
debugging
As several incompatibilities and bugs were reported while using NG along with some other firewalls, anti-viruses, etc., I have decided to run them on my computer and test them thoroughly. This is going to be the last step in NG beta 2 development.
I'll report bugs.