FWB information and questions
Source: Internet  Publisher: Shenzhen Wanhu Network  Editor: Programmer Blog Network  Time: 2024/06/05 00:16
This is an addition to rob311's post with a few questions of mine; I'm hoping some of you guys can help fill in the blanks.
This is from aphex's FWBSharp example:
First there was FWB, DLL injection into a trusted application. Then the
firewall companies fought back by checking and blocking DLLs. Then we fought
back with FWB++, injection without a DLL. Now the firewall companies have
answered back by blocking CreateRemoteThread and all our little tricks.
FWB: DLL injection into some trusted application that is allowed by the firewall
from C2k
FWB++: it doesn't use a DLL to inject into a process; it's the code-inject FWB technique
FWB#: the same as FWB++, but unhooks user-level APIs to bypass firewalls
FWB+++ (or FWB#+): it's FWB# plus the kernel-mode API unhook (SDTRestore POC method)
from stm (redundant)
DLL injection = FWB
memory/code injection = FWB++ / FWBP+
bypassing FW hooks = FWB#
An example of FWB++ can be found here: http://www.trojanfrance.com/index.ph...by%20r3L4x.zip
The source code is well documented (C++); btw, it's very small.
FWB# from aphex's site: http://iamaphex.net/downloads/FWBSharp.zip, well-documented source with a little intro.
I'm assuming this is an example of FWB+++, as pointed out by SmokeAlot here at the forums: http://www.opensc.ws/showthread.php?t=387
and http://iamaphex.net/downloads/leaktest.zip
And a good explanation from LTT Coder from the same topic: Latest FWs like ZoneAlarm (ZA) hook important APIs that are required to inject our code into a remote process. And when they have hooked them, they can control which applications are allowed to use the hooked APIs, such as LoadLibrary, WriteVirtualMemory, AllocateVirtualMemory....
These APIs are required by our RAT servers to inject, but ZA doesn't allow them to be used by our server.
What AFX leaktest does is just unhook the kernel-mode hooks that are placed by ZA. When they're unhooked, you can try the old injection methods and it won't be detected.
And some info on the SDTRestore POC method: http://packetstorm.security-guide.de...-keong-tan.pdf
http://www.security.org.sg/code/sdtrestore.html
Some good info related to and explaining Windows hooks etc.: http://www.codeproject.com/threads/winspy.asp