Exetools  
#1
Old 09-20-2005, 15:43
redbull
Friend
Join Date: Mar 2004
Posts: 160
Interesting Code for Windows XP SP2 Firewall

Hi Guys,

I found some juicy articles on the web on bypassing or programming with Windows XP SP2 Firewall

hxxp://weblogs.asp.net/sjoshi/archive/2004/07/07/175309.aspx
hxxp://danagonistes.blogspot.com/2004/06/windows-xp-service-pack-2-and-windows.html
hxxp://www.unixwiz.net/techtips/xp-sp2.html

Enjoy
#2
Old 09-20-2005, 15:58
xtiaoshi
bbs.pediy.com
Join Date: Feb 2005
Location: China, Mainland
Posts: 1,057
Collecting and collating this material is not at all easy; it is laborious. Extremely good material.
  #3  
Old 09-21-2005, 05:12
sgdt
 
Posts: n/a
Have a look at
Code:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
in the keys
Code:
AuthorizedApplications\List
and
Code:
GloballyOpenPorts\List
Using "GetModuleFileName", "RegCreateKey", "RegSetValueEx", and "RegCloseKey", you can add yourself to the approved list. Do this before creating your socket to prevent your program from being suspended.

I've found that even with your application name in AuthorizedApplications, the program will still be suspended if you do UDP broadcasting; that's why I also mentioned GloballyOpenPorts.

The format of the values is (for AuthorizedApplications):
Code:
	/* value name = full path of the executable; data = "<path>:<scope>:Enabled:<display name>" */
	int nValueLen = wsprintf( szRegValue, "%s:*:Enabled:%s", szFileName, szProgBaseName );
	/* REG_SZ data size must include the terminating NUL, hence the + 1 */
	RegSetValueEx( hKey, szFileName, 0, REG_SZ, (PBYTE) szRegValue, nValueLen + 1 );
and (for GloballyOpenPorts):
Code:
	/* value name = "<port>:<protocol>"; data = "<port>:<protocol>:<scope>:Enabled:<display name>" */
	const char* szEnableMe = "1234:UDP:*:Enabled:Happy Program";
	RegSetValueEx( hKey, "1234:UDP", 0, REG_SZ, (PBYTE) szEnableMe, (DWORD) strlen(szEnableMe) + 1 );
(where 1234 is the port, and "Happy Program" is the program wanting to use it).

If your program will always be at a specified location, you can even use a .REG file.
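Because the two value formats above are plain strings, the same registry lists can be audited from the defender's side. The following is an added example (not code from this thread or from Microsoft): it parses AuthorizedApplications\List and GloballyOpenPorts\List entries, given as (value name, value data) pairs exported from the registry, and flags enabled exceptions whose value name disagrees with the data, whose executable lives outside the usual install directories, or whose port is open to any remote address. The trusted-directory list and all sample entries are assumptions constructed for the example.

```python
import re
# Formats given in the post above: AuthorizedApplications data is
# "<path>:<scope>:<Enabled|Disabled>:<name>", GloballyOpenPorts data is
# "<port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<name>". The path holds a
# drive-letter colon, so it is matched explicitly rather than split on ':'.
APP_RE = re.compile(r"^(?P<path>(?:[A-Za-z]:)?[^:]*):(?P<scope>[^:]*):"
                    r"(?P<state>Enabled|Disabled):(?P<name>.*)$")
PORT_RE = re.compile(r"^(?P<port>\d{1,5}):(?P<proto>TCP|UDP):(?P<scope>[^:]*):"
                     r"(?P<state>Enabled|Disabled):(?P<name>.*)$")
# Where an installer-deployed program is expected to live (assumption).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\", "%programfiles%\\", "%systemroot%\\")

def audit_apps(entries):
    """entries: (value name, data) pairs from AuthorizedApplications List.
    Returns (value name, reason) for enabled exceptions worth a second look."""
    findings = []
    for vname, data in entries:
        m = APP_RE.match(data)
        if m is None:
            findings.append((vname, "malformed entry"))
            continue
        rec = m.groupdict()
        if rec["state"] != "Enabled":
            continue
        # The post stores the path as both value name and data; a mismatch is suspicious.
        if vname.lower() != rec["path"].lower():
            findings.append((vname, "value name does not match executable path"))
        if not rec["path"].lower().startswith(TRUSTED_PREFIXES):
            findings.append((vname, "enabled exception for executable outside install dirs"))
    return findings

def audit_ports(entries):
    """entries: (value name, data) pairs from GloballyOpenPorts List."""
    findings = []
    for vname, data in entries:
        m = PORT_RE.match(data)
        if m is None:
            findings.append((vname, "malformed entry"))
            continue
        rec = m.groupdict()
        if rec["state"] == "Enabled" and rec["scope"] == "*":
            findings.append((vname, f"{rec['proto']} {rec['port']} open to any remote address"))
    return findings

# Constructed sample values; not read from a real machine.
SAMPLE_APPS = [(p, p + ":*:Enabled:" + n) for p, n in [
    (r"C:\Program Files\Messenger\msmsgs.exe", "Windows Messenger"),
    (r"C:\Documents and Settings\user\Local Settings\Temp\updater.exe", "Windows Update")]]
SAMPLE_APPS.append((r"C:\Program Files\Foo\foo.exe", r"C:\Program Files\Bar\bar.exe:LocalSubNet:Enabled:Bar"))
SAMPLE_PORTS = [("1234:UDP", "1234:UDP:*:Enabled:Happy Program"), ("3389:TCP", "3389:TCP:LocalSubNet:Enabled:Remote Desktop")]
```

On a live system the pairs would come from enumerating the two List keys (for example with reg.exe export); the scope field may also hold subnet lists, which the regex passes through unchanged.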
#4
Old 09-21-2005, 05:38
aldente
VIP
Join Date: Jul 2003
Posts: 266
Nice. One more weak personal firewall - just like all personal firewalls. The good thing about the others is that no one has to use them. This one is integrated into the operating system (although it can be turned off). I don't like the way Windows develops into an operating system for stupid dumbasses, with automated updates, integrated firewall, and all that crap. A software engineer developing a network tool has to cope with these "great features", has many more service requests (because many of the super-intelligent customers deny all network access for the program - "to be safe"), and in the end pays the bill for Microsoft - just because there are so many idiots out there who continuously turn their machines into virus-spreading engines...
#5
Old 09-21-2005, 19:13
redbull
Friend
Join Date: Mar 2004
Posts: 160
Very nice SGDT...

Windows XP firewall is a total joke!

And with all personal firewalls, all you have to do is inject your code directly into Internet Explorer's EXE and you will bypass most of them anyway (because people ignore traffic caused by IE).
#6
Old 09-21-2005, 21:42
Unforgiv3N
Friend
Join Date: Aug 2005
Posts: 172
Nice Information, Thanks!
#7
Old 09-22-2005, 23:51
MaRKuS-DJM
Cracker + Unpacker
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
But you should not forget that most new firewalls catch memory written into other processes and block it.
  #8  
Old 09-23-2005, 01:55
ancev
 
Posts: n/a
hi,

as redbull said, bypassing firewalls is very easy by injecting code into the browser process...

so, below is my code for doing that, in C

it creates the default browser as a suspended process, overwrites the entry point with code to load all the DLLs our process will need (which can be different from the ones the browser loads), and then signals that we can continue, overwriting the whole browser memory image with our own

so, with this routine, we don't need delta or similar hacks... any program (with a smaller memory image than the browser) can run with the browser's inet permissions

vecna

ps: differently from what MaRKuS-DJM said, i guess that some firewalls hook CreateRemoteThread(), and not memory writes... i still haven't found problems with the code below
Attached Files
File Type: rar runasbrowser.c.rar (2.2 KB, 21 views)
All times are GMT +8. The time now is 19:06.