PCFlank Leaktest

Published by Kareldjag




This is the new version of the PCFlank Leaktest.

Since there is no "allow/permit" rule for the browser (Internet Explorer in our case), we can't consider that it bypasses firewalls.
In fact this leaktest just demonstrates a classical method of spying via the browser, using legitimate components and objects.
In our case, the technique used by PCFlank is OLE Automation control of an application: the test drives the browser through its COM automation object, and it is the browser, not the test itself, that talks to the network.
Methods of this kind have been, and still are, used in deep penetration testing by many companies specialising in security audits.

The file-system trace below is consistent with that: before anything else, the COM runtime reads the COM+ catalog (CLBCATQ.DLL, COMRes.dll and the catalog file under \WINDOWS\Registration), which is what happens when a process resolves a class in order to instantiate a COM object; the test then reads its own executable.


#    Time sent    Dur.    Process    Request    IRP Flags    FsContext    Path    Status    More info   
1    16:33:31.046    31    PCFlankLeaktest.exe    IRP_MJ_READ    00000043    E14890D0    C:[-=Not In Cache=-]    STATUS_SUCCESS    Offset 00000000-00024000 ToRead 4000 Read 4000
2    16:34:02.671    0    PCFlankLeaktest.exe    FASTIO_QUERY_OPEN        00000000    C:[-=Error 0xc000000d Getting Name=-]    STATUS_OBJECT_NAME_NOT_FOUND    FILE_OPEN CreOpts: 0x00200000 Access: 0x00000080 Share: 0x00000007 Attrib: 0 Result: FILE_SUPERSEDED AllocationSize: FF55C8EC-805B3A5D EndOfFile: FF55C878-FF55C91C Attrib: 0x00F80016
3    16:34:02.671    0    PCFlankLeaktest.exe    FASTIO_QUERY_OPEN        00000000    C:[-=Error 0xc000000d Getting Name=-]    STATUS_SUCCESS    FILE_OPEN CreOpts: 0x00200000 Access: 0x00000080 Share: 0x00000007 Attrib: 0 Result: 00000038 AllocationSize: 00000000-0007A000 EndOfFile: 00000000-00079C00 Attrib: 0x00000020
4    16:34:02.671    0    PCFlankLeaktest.exe    IRP_MJ_CREATE    00000884    00000000    C:\WINDOWS\system32\CLBCATQ.DLL    STATUS_SUCCESS    FILE_OPEN CreOpts: 0x00000060 Access: 0x00100020 Share: 0x00000005 Attrib: 0 Result: FILE_OPENED
5    16:34:02.671    0    PCFlankLeaktest.exe    IRP_MJ_QUERY_INFORMATION    00001014    E19350D0    C:\WINDOWS\system32\CLBCATQ.DLL    STATUS_SUCCESS    FileNameInformation
6    16:34:02.671    0    PCFlankLeaktest.exe    IRP_MJ_CLEANUP    00000404    E19350D0    C:\WINDOWS\system32\CLBCATQ.DLL    STATUS_SUCCESS   
7    16:34:02.671    0    PCFlankLeaktest.exe    IRP_MJ_CLOSE    00000404    E19350D0    C:\WINDOWS\system32\CLBCATQ.DLL    STATUS_SUCCESS   
8    16:34:02.671    0    PCFlankLeaktest.exe    FASTIO_QUERY_OPEN        00000000    C:[-=Error 0xc000000d Getting Name=-]    STATUS_OBJECT_NAME_NOT_FOUND    FILE_OPEN CreOpts: 0x00200000 Access: 0x00000080 Share: 0x00000007 Attrib: 0 Result: FILE_SUPERSEDED AllocationSize: FF55C8EC-805B3A5D EndOfFile: FF55C878-FF55C91C Attrib: 0x00F80014
9    16:34:02.671    0    PCFlankLeaktest.exe    FASTIO_QUERY_OPEN        00000000    C:[-=Error 0xc000000d Getting Name=-]    STATUS_SUCCESS    FILE_OPEN CreOpts: 0x00200000 Access: 0x00000080 Share: 0x00000007 Attrib: 0 Result: 00000038 AllocationSize: 00000000-000D0000 EndOfFile: 00000000-000D0000 Attrib: 0x00000020
10    16:34:02.671    0    PCFlankLeaktest.exe    IRP_MJ_CREATE    00000884    00000000    C:\WINDOWS\system32\COMRes.dll    STATUS_SUCCESS    FILE_OPEN CreOpts: 0x00000060 Access: 0x00100020 Share: 0x00000005 Attrib: 0 Result: FILE_OPENED
11    16:34:02.671    0    PCFlankLeaktest.exe    IRP_MJ_QUERY_INFORMATION    00001014    E1935D90    C:\WINDOWS\system32\COMRes.dll    STATUS_SUCCESS    FileNameInformation
12    16:34:02.671    0    PCFlankLeaktest.exe    IRP_MJ_CLEANUP    00000404    E1935D90    C:\WINDOWS\system32\COMRes.dll    STATUS_SUCCESS   
13    16:34:02.671    0    PCFlankLeaktest.exe    IRP_MJ_CLOSE    00000404    E1935D90    C:\WINDOWS\system32\COMRes.dll    STATUS_SUCCESS   
14    16:34:02.671    0    PCFlankLeaktest.exe    FASTIO_QUERY_OPEN        00000000    C:[-=Error 0xc000000d Getting Name=-]    STATUS_SUCCESS    FILE_OPEN CreOpts: 0x00200000 Access: 0x00000080 Share: 0x00000007 Attrib: 0 Result: 00000038 AllocationSize: 00000000-00000000 EndOfFile: 00000000-00000000 Attrib: 0x00000010
15    16:34:02.671    0    PCFlankLeaktest.exe    IRP_MJ_CREATE    00000884    00000000    C:\WINDOWS\Registration\R000000000007.clb    STATUS_SUCCESS    FILE_OPEN CreOpts: 0x00000060 Access: 0x00120089 Share: 0x00000001 Attrib: 0 Result: FILE_OPENED
16    16:34:02.671    0    PCFlankLeaktest.exe    FASTIO_QUERY_STANDARD_INFO        E19335F8    C:\WINDOWS\Registration\R000000000007.clb    STATUS_SUCCESS    AllocationSize: 00000000-00006000 EndOfFile: 00000000-00005928 NumberOfLinks: 1 DeletePending: 0 Directory: 0
17    16:34:02.671    0    PCFlankLeaktest.exe    IRP_MJ_READ    00000900    E19335F8    C:\WINDOWS\Registration\R000000000007.clb    STATUS_SUCCESS    Offset 00000000-00000000 ToRead 5928 Read 5928
18    16:34:02.671    0    PCFlankLeaktest.exe    IRP_MJ_CLEANUP    00000404    E19335F8    C:\WINDOWS\Registration\R000000000007.clb    STATUS_SUCCESS   
19    16:34:02.687    0    PCFlankLeaktest.exe    FASTIO_QUERY_OPEN        00000000    C:[-=Error 0xc000000d Getting Name=-]    STATUS_SUCCESS    FILE_OPEN CreOpts: 0x00200000 Access: 0x00000080 Share: 0x00000007 Attrib: 0 Result: 00000038 AllocationSize: 00000000-0007C000 EndOfFile: 00000000-0007BA00 Attrib: 0x00000020
20    16:34:02.687    0    PCFlankLeaktest.exe    IRP_MJ_CREATE    00000884    00000000    C:\WINDOWS\system32\winlogon.exe    STATUS_SUCCESS    FILE_OPEN CreOpts: 0x00000060 Access: 0x00100020 Share: 0x00000005 Attrib: 0 Result: FILE_OPENED
21    16:34:02.687    0    PCFlankLeaktest.exe    FASTIO_QUERY_STANDARD_INFO        E1907A50    C:\WINDOWS\system32\winlogon.exe    STATUS_SUCCESS    AllocationSize: 00000000-0007C000 EndOfFile: 00000000-0007BA00 NumberOfLinks: 1 DeletePending: 0 Directory: 0
22    16:34:02.687    0    PCFlankLeaktest.exe    IRP_MJ_CLEANUP    00000404    E1907A50    C:\WINDOWS\system32\winlogon.exe    STATUS_SUCCESS   
23    16:34:02.687    0    PCFlankLeaktest.exe    IRP_MJ_CLOSE    00000404    E1907A50    C:\WINDOWS\system32\winlogon.exe    STATUS_SUCCESS   
24    16:34:02.687    0    PCFlankLeaktest.exe    IRP_MJ_CREATE    00000884    00000000    C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe    STATUS_SUCCESS    FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000007 Attrib: 0 Result: FILE_OPENED
25    16:34:02.687    0    PCFlankLeaktest.exe    IRP_MJ_READ    00000900    E14890D0    C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe    STATUS_SUCCESS    Offset 00000000-00000000 ToRead 200 Read 200
26    16:34:02.687    0    PCFlankLeaktest.exe    FASTIO_READ        E14890D0    C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe    STATUS_SUCCESS    Offset 00000000-00000200 ToRead 200 Read 200
27    16:34:02.687    0    PCFlankLeaktest.exe    FASTIO_READ        E14890D0    C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe    STATUS_SUCCESS    Offset 00000000-00000400 ToRead 200 Read 200
28    16:34:02.687    0    PCFlankLeaktest.exe    FASTIO_READ        E14890D0    C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe    STATUS_SUCCESS    Offset 00000000-00000600 ToRead 200 Read 200
29    16:34:02.687    0    PCFlankLeaktest.exe    FASTIO_READ        E14890D0    C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe    STATUS_SUCCESS    Offset 00000000-00000800 ToRead 200 Read 200
30    16:34:02.687    0    PCFlankLeaktest.exe    FASTIO_READ        E14890D0    C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe    STATUS_SUCCESS    Offset 00000000-00000A00 ToRead 200 Read 200
31    16:34:02.687    0    PCFlankLeaktest.exe    FASTIO_READ        E14890D0    C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe    STATUS_SUCCESS    Offset 00000000-00000C00 ToRead 200 Read 200
32    16:34:02.687    0    PCFlankLeaktest.exe    FASTIO_READ        E14890D0    C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe    STATUS_SUCCESS    Offset 00000000-00000E00 ToRead 200 Read 200
33    16:34:02.687    0    PCFlankLeaktest.exe    FASTIO_READ        E14890D0    C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe    STATUS_SUCCESS    Offset 00000000-00001000 ToRead 200 Read 200
34    16:34:02.687    0    PCFlankLeaktest.exe    FASTIO_READ        E14890D0    C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe   
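To recognise this pattern in such a trace without reading it row by row, here is an added example (my own code, not part of the original post and not PCFlank's code). It parses rows in the column layout printed above, assuming tab-separated fields with the backslashes restored, and flags any process whose first successful open of each of the three COM+ catalog files (CLBCATQ.DLL, COMRes.dll and an R*.clb under \WINDOWS\Registration) falls within a short window. The sample rows are constructed from the trace above with the "More info" column shortened; the notepad.exe row is an added control that only touches the resource DLL, and the two-second window is an assumption.

```python
"""Spot COM+ catalog initialisation in a file-monitor trace (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Files the COM runtime reads when a process resolves a class through the
# COM+ catalog: the catalog query DLL, its resource DLL and the catalog itself.
COM_CATALOG_MARKERS = (
    re.compile(r"\\system32\\clbcatq\.dll$", re.I),
    re.compile(r"\\system32\\comres\.dll$", re.I),
    re.compile(r"\\registration\\r\d+\.clb$", re.I),
)

HEADER = "#\tTime sent\tDur.\tProcess\tRequest\tIRP Flags\tFsContext\tPath\tStatus\tMore info"

# Constructed sample: a subset of the rows printed above (backslashes restored,
# "More info" shortened) plus one control row for notepad.exe that is NOT in
# the original trace (assumption: a process that only opens the resource DLL).
_ROWS = [
    ("1", "16:33:31.046", "31", "PCFlankLeaktest.exe", "IRP_MJ_READ", "00000043",
     "E14890D0", "C:[-=Not In Cache=-]", "STATUS_SUCCESS", "Offset 00000000-00024000 ToRead 4000 Read 4000"),
    ("2", "16:34:02.671", "0", "PCFlankLeaktest.exe", "FASTIO_QUERY_OPEN", "",
     "00000000", "C:[-=Error 0xc000000d Getting Name=-]", "STATUS_OBJECT_NAME_NOT_FOUND", "FILE_OPEN ..."),
    ("4", "16:34:02.671", "0", "PCFlankLeaktest.exe", "IRP_MJ_CREATE", "00000884",
     "00000000", r"C:\WINDOWS\system32\CLBCATQ.DLL", "STATUS_SUCCESS", "FILE_OPEN ... Result: FILE_OPENED"),
    ("10", "16:34:02.671", "0", "PCFlankLeaktest.exe", "IRP_MJ_CREATE", "00000884",
     "00000000", r"C:\WINDOWS\system32\COMRes.dll", "STATUS_SUCCESS", "FILE_OPEN ... Result: FILE_OPENED"),
    ("15", "16:34:02.671", "0", "PCFlankLeaktest.exe", "IRP_MJ_CREATE", "00000884",
     "00000000", r"C:\WINDOWS\Registration\R000000000007.clb", "STATUS_SUCCESS", "FILE_OPEN ... Result: FILE_OPENED"),
    ("20", "16:34:02.687", "0", "PCFlankLeaktest.exe", "IRP_MJ_CREATE", "00000884",
     "00000000", r"C:\WINDOWS\system32\winlogon.exe", "STATUS_SUCCESS", "FILE_OPEN ... Result: FILE_OPENED"),
    ("24", "16:34:02.687", "0", "PCFlankLeaktest.exe", "IRP_MJ_CREATE", "00000884", "00000000",
     r"C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe",
     "STATUS_SUCCESS", "FILE_OPEN ... Result: FILE_OPENED"),
    ("35", "16:34:05.000", "0", "notepad.exe", "IRP_MJ_CREATE", "00000884",
     "00000000", r"C:\WINDOWS\system32\COMRes.dll", "STATUS_SUCCESS", "FILE_OPEN ... Result: FILE_OPENED"),
]
SAMPLE_TRACE = "\n".join([HEADER] + ["\t".join(r) for r in _ROWS])


@dataclass
class Event:
    time: datetime
    process: str
    request: str
    path: str
    status: str


def parse_trace(text: str) -> list[Event]:
    """Parse tab-separated rows. The header and rows whose path the monitor
    could not resolve (the '[-=...=-]' placeholders) are skipped."""
    events: list[Event] = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 9 or cols[0] == "#":
            continue
        if "[-=" in cols[7]:
            continue
        events.append(Event(datetime.strptime(cols[1], "%H:%M:%S.%f"),
                            cols[3], cols[4], cols[7], cols[8]))
    return events


def find_com_catalog_init(events: list[Event],
                          window: timedelta = timedelta(seconds=2)) -> list[dict]:
    """One finding per process whose first successful open of each catalog
    file falls within `window`. A single marker is deliberately not reported:
    opening COMRes.dll alone is common and proves nothing by itself."""
    first_hit: dict[str, dict[int, Event]] = {}
    for ev in events:
        if ev.request != "IRP_MJ_CREATE" or ev.status != "STATUS_SUCCESS":
            continue
        for idx, marker in enumerate(COM_CATALOG_MARKERS):
            if marker.search(ev.path):
                first_hit.setdefault(ev.process, {}).setdefault(idx, ev)
    findings = []
    for process, hits in first_hit.items():
        if len(hits) != len(COM_CATALOG_MARKERS):
            continue
        times = [h.time for h in hits.values()]
        if max(times) - min(times) > window:
            continue
        findings.append({
            "process": process,
            "first": min(times).strftime("%H:%M:%S.%f")[:-3],
            "paths": [hits[i].path for i in sorted(hits)],
        })
    return findings


if __name__ == "__main__":
    for f in find_com_catalog_init(parse_trace(SAMPLE_TRACE)):
        print(f"{f['process']} initialised the COM+ catalog at {f['first']}:")
        for p in f["paths"]:
            print("   ", p)
```

A hit only says that the process resolved a class through the catalog, i.e. that it is instantiating a COM object, which plenty of harmless programs do; the useful signal is the correlation with what follows, here the browser starting or connecting right after a process that has no allow rule of its own.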


And the number of loaded DLLs is not the same at the beginning of the test (15) and at the end (39):







Published in METHODOLOGY
