DEFENSEWALL TEST Part 1

Publié le par nicM and Kareldjag







                                                        Part I

                   Behaviour


1° Self-protection


Intro : Execution protection


DefenseWall doesn’t work on an execution-prevention principle. Then it won’t ever prevent Task Manager, Srip, notepad or calc.exe from being started (CreateProcessThread). It will just launch theses ‘trusted or ‘untrusted, according to the status of the parent process or folder.


a) Process termination


-Note : Tests in a) and b) are made with processes running ‘trusted -


* With Task Manager : Only the GUI (defensewall.exe) can be closed, protection is not altered.

* With APT : Only the GUI can be terminated, since Defensewall’s protection rely on a driver, so that it is not viewable as a process in APT.

* With Icesword : Here too, only the GUI can be terminated, the driver only appears as a “kernel module”, about which Icesword can’t do anything.


b) Service interruption/termination


* With CMD : The service is not in use (it is only running during the computer start), and therefore couldn't be terminated. Passed


* With Icesword : see in a). Passed

 

*With Osrloader: Passed.




c) Driver manipulation


* With Drvloader : Drvloader can’t stop/unload dwall.sys driver. Passed




* With SDTRestore : DefenseWall does prevent SDTRestore from accessing physical memory (when ‘untrusted), therefore its process is closed. Passed


 


2° Kernel protection



a) crashing


* With Bang : Bang can’t load and start its driver, as it is untrusted; then “Bang couldn’t bang!” : Passed




* With Regtest 2 : DW can’t prevent the computer from being shutdown to reboot, BUT the message window from Regtest is not showing after the reboot, meaning that Regtest couldn’t autostart/show it. Passed


* With CMD : DW doesn’t prevent the reboot. But no 'untrusted process being involved here, DefenseWall is not supposed to prevent it anyway. N/A


* With Kapimon (hooking services.exe) : Kapimon can perform the hook; however, it is running ‘trusted, then DefenseWall is not supposed to prevent it to do : Kapimon can’t load its driver if running ‘untrusted, and so couldn't hook anything. Passed


b) Physical memory access with Physmem :


Physmem is killed right when starting, because of its access to physical memory when launched ‘untrusted. Passed



c) Ring 0 injection : Ring 0 is prevented from creating/launching its service : Passed




3° Integrity protection


a) Integration of new DLLs in System32


* With BOWall : BOWall can load it’s new DLLs in System32 while beeing ‘untrusted, but all the new created DLLs are tracked by DefenseWall, and can be removed very easily with few clicks in the “Rollback” panel. Passed




* With Privbar : The DLL was manually added and registered into System32, so that this test was done with Privbar ‘trusted first. Then Privbar is successfully added to Internet Explorer.




...But may you load Privbar from the ‘untrusted zone (what happens when this is done by any ‘untrusted process, or with the folder Privbar ‘untrusted - yet loaded by a trusted process), then Privbar is not loaded in IE : Passed


      


And notice :



regsvr32 was set ‘untrusted when it tried to register the ‘untrusted DLL.

 



b) Load/unload a DLL in Internet Explorer with APM :


APM successfully adds a DLL into IE, although running ‘untrusted :




But can’t unload any DLL loaded in IE :




nb : as APM is prevented from opening all the other processes by DefenseWall (it can only see iexplore.exe, which is running for the test, and its own process, APM.exe), I couldn’t test it in this context, but if APM was able to inject a DLL into a ‘trusted process, DefenseWall would then set this process as ‘untrusted.


Since only ‘untrusted processes can be manipulated by APM, I consider the test is passed (NO 'trusted processes could be affected by APM).


c) DLL injection


* In IE with Copycat : Defense Wall does detect Copycat attempting to open processes running, then kill it. But the file “exploited”was downloaded in the meantime : Failed







* In Firefox with Kareldjagdll : DefenseWall can prevent the DLL injection, by preventing Kareldjagdll.exe to open FF. Passed






d) Hooking/Hijacking IE with Kapimon
: Kapimon can’t load its driver to perform this operation, if ‘untrusted. It can only do when running ‘trusted, but then DefenseWall protection is not involved anymore. Passed


e) Process modification via API:

With CMD and Apiguard run as untrusted, we're unable to install the protection and to modify service.exe and defensewall.exe: Passed.




4° Registry protection


* With Scoundrel simulator : All registry modifications are blocked by DefenseWall. Passed








* With Regtest 1 : All registry modifications are blocked here too by DefenseWall. Passed




* With RegHide : Although Reghide is launched ‘untrusted, it does successfully add the key and its value. The key is tracked by DefenseWall though. 1/2 (unable to delete it).





5° Message hook protection


* With Executehook : DefenseWall does block the attempt to install a global Windows hook (a WH_GETMESSAGE hook is installed when the test is done with Executehook ‘trusted). But Executehook can still open notepad. Passed




* With Hookdump : Ntvdm.exe is launched 'untrusted, then the global hook is blocked by DefenseWall, and keyboard strokes are not logged : Passed

 








* With Keylog : DefenseWall does block the global hook, so that Keylog doesn’t work. It’s unable to record keystrokes. Passed







6° Malware simulation with HookDemo and DFKThreat simulator


a) HookDemo


HookDemo fails to install and start its driver/service, and the autostart registry keys are prevented :Passed.


 

 

 




b) DFKThreat simulator


All DFKthreat Sim’ processes are launched ‘untrusted, and all its files are set ‘untrusted, including every files of the payload. The process swfactive.exe is prevented to open all other processes running, however it does disable successfully the antivirus (Antivir 7 during this test) – and keeps disabling its service as soon as you re-enable it :



However the firewall wasn’t affected at all (Jetico), like swfactive was supposed to do.


The event log viewer’s logs are cleared too.


The securityfocus.com html file was successfully downloaded, meaning that Thermite leaktest was able to inject thread into other processes :




Now, every other tricks were prevented by DefenseWall :


- The spyware was unable to install its service (Win32s_vanquish), therefore it couldn’t start at all :



- The rootkit (Vanquish.exe and Vanquish.dll) was unable to install, Allowing the user to see the “Vanquish Media Group” folder in Program Files :






- The Keylogger (Win32k.exe) was unable to record keyboard strokes, as it is only able to log names and messages from the programs opened (I did type text in notepad during the test, but as you can see, nothing is showing in the log, except that notepad was opened) :



- The spyware (Win32s.exe) was unable to start.


- the two registry changes (the one about Security center and the one to autostart, in HK_C_U/Software/Microsoft/Windows/CurrentVersion/Policies/Explorer) didn’t happen :



So the only processes staying loaded are swfactive.exe, Win32K.exe and iexplore.exe (its window is hidden). Theses are killed very easily by DefenseWall, and all files/folders and registry keys were deleted successfully – except the file not seen by DefenseWall during the test : the html file downloaded by Thermite. 0wn3d.exe and Win32V.com didn’t start, so they’re not in the rollback list either (it looks like DefenseWall does only track executables files which were executed – plus registry changes and folders), but as they’re inside the Vanquish Media Group folder anyway, they’re gone too when the folder is deleted).





Result : the computer is clean after that ‘untrusted processes are killed, and ‘untrusted files are ‘rolled back (let’s call it a “cleaning”), or after a reboot. If DefenseWall didn’t prevent everything during the “infection”, all is clean after the “cleaning”, or the reboot : Passed


nb : the events were sometimes hard to track, as DefenseWall Event viewer’s logs are size- limited. During this test, eg, only swfactive.exe-related events were viewable, as this process was constantly trying to shut down Av/FW. Then all other interesting event log entries were deleted before I could see it.



                                                 Part II
















 

Publié dans HIPS TESTS

Commenter cet article

Online Shopping Stores 29/01/2010 22:13


Thank you for this great blog information!I'm finding this whole blogging world a great resource for any topic, and really inspirational.


Online Shopping Stores 29/01/2010 22:08


Thank you for this great blog information!I'm finding this whole blogging world a great resource for any topic, and really inspirational.