PCFlank Leaktest part 2

Published by Kareldjag



Processes:
PID    ParentPID    User    Path    
--------------------------------------------------
272    1476    POSTE2:Administrateur    C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe    

Ports:
Port    PID    Type    Path    
--------------------------------------------------

Explorer Dlls:
DLL Path    Company Name    File Description    
--------------------------------------------------
No changes Found            

IE Dlls:
DLL Path    Company Name    File Description    
--------------------------------------------------
No changes Found            

Loaded Drivers:
Driver File    Company Name    Description    
--------------------------------------------------

Monitored RegKeys
Registry Key    Value    
--------------------------------------------------

Kernel31 Api Log
    
--------------------------------------------------
***** Installing Hooks *****    
***** Install URLDownloadToFileA hook failed...Error: Asm Length failed? 0 JMP [B71788] Unknown identifier    
***** Install URLDownloadToCacheFile hook failed...Error: Asm Length failed? 0 JMP [B7178C] Unknown identifier    
719f70df     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)    
719f7cc4     RegOpenKeyExA (Protocol_Catalog9)    
719f737e     RegOpenKeyExA (0000001A)    
719f724d     RegOpenKeyExA (Catalog_Entries)    
719f78ea     RegOpenKeyExA (000000000001)    
719f78ea     RegOpenKeyExA (000000000002)    
719f78ea     RegOpenKeyExA (000000000003)    
719f78ea     RegOpenKeyExA (000000000004)    
719f78ea     RegOpenKeyExA (000000000005)    
719f78ea     RegOpenKeyExA (000000000006)    
719f78ea     RegOpenKeyExA (000000000007)    
719f78ea     RegOpenKeyExA (000000000008)    
719f78ea     RegOpenKeyExA (000000000009)    
719f78ea     RegOpenKeyExA (000000000010)    
719f78ea     RegOpenKeyExA (000000000011)    
719f78ea     RegOpenKeyExA (000000000012)    
719f78ea     RegOpenKeyExA (000000000013)    
719f78ea     RegOpenKeyExA (000000000014)    
719f78ea     RegOpenKeyExA (000000000015)    
719f78ea     RegOpenKeyExA (000000000016)    
719f78ea     RegOpenKeyExA (000000000017)    
719f78ea     RegOpenKeyExA (000000000018)    
719f78ea     RegOpenKeyExA (000000000019)    
719f78ea     RegOpenKeyExA (000000000020)    
719f78ea     RegOpenKeyExA (000000000021)    
719f2623     WaitForSingleObject(794,0)    
719f83c6     RegOpenKeyExA (NameSpace_Catalog5)    
719f737e     RegOpenKeyExA (00000005)    
719f7f5b     RegOpenKeyExA (Catalog_Entries)    
719f80ef     RegOpenKeyExA (000000000001)    
719f80ef     RegOpenKeyExA (000000000002)    
719f80ef     RegOpenKeyExA (000000000003)    
719f80ef     RegOpenKeyExA (000000000004)    
719f2623     WaitForSingleObject(78c,0)    
719e1afa     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)    
719e1996     GlobalAlloc()    
7c80b511     ExitThread()    
40ea5e     GetCurrentProcessId()=272    
40a0e3     GetVersionExA()    
5b0aef89     GetCurrentProcessId()=272    
5b09b1ba     IsDebuggerPresent()    
58b68454     GetCurrentProcessId()=272    
77f5b4c4     LoadLibraryA(COMCTL32.dll)=58b50000    
4023a9     WaitForSingleObject(780,ffffffff)    
58b55faa     GetCurrentProcessId()=272    

DirwatchData
    
--------------------------------------------------
WatchDir Initilized OK    
Watching C:\DOCUME~1\ADMINI~1.POS\LOCALS~1\Temp    
Watching C:WINDOWS    
Watching C:Program Files    
Created: C:\DOCUME~1\ADMINI~1.POS\LOCALS~1\Temp\~DF4DCB.tmp    
Modifed: C:\DOCUME~1\ADMINI~1.POS\LOCALS~1\Temp\~DF4DCB.tmp    
File: PCFlankLeaktest.exe
Size: 180224 Bytes
MD5: 0A77B6EE7040DBED6D5E6554784340F9


File Properties: CompanyName      PCFlank.com
FileDescription  Leaktest developed by PCFlank.com
FileVersion      1.0
InternalName     PCFlankLeaktest
LegalCopyright   Copyright (C) 1999-2006 PCFlank.com
OriginalFilename PCFlankLeaktest.exe
ProductName      PCFlankLeaktest
ProductVersion   

Exploit Signatures:
---------------------------------------------------------------------------
Scanning for 19 signatures
Scan Complete: 184Kb in 0,016 seconds
Urls
--------------------------------------------------
http://www.pcflank.com/pcflankleaktest/leak1test.php?ID=
http://www.pcflank.com/pcflankleaktest_results.htm
Your firewall has blocked an attempt to send the data. This means your firewall successfully protected your computer against such techniques to bypass its protection.2http://www.pcflank.com/pcflankleaktest_results.htm

RegKeys
--------------------------------------------------
Software

ExeRefs
--------------------------------------------------
File: PCFlankLeaktest_dmp.exe_
iexplore.exe
iexplore.exe
osPCFlankLeaktest.exe
PCFlankLeaktest.exe

Raw Strings:
--------------------------------------------------
File: PCFlankLeaktest_dmp.exe_
MD5:  8082fe220e4f890e29137aaec7449210
Size: 188418

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.

An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
EncodePointer
KERNEL32.DLL
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~
bad exception
e+000
GAIsProcessorFeaturePresent
KERNEL32
InitializeCriticalSectionAndSpinCount
kernel32.dll
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
 Complete Object Locator'
 Class Hierarchy Descriptor'
 Base Class Array'
 Base Class Descriptor at (
 Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
 delete[]
 new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
 delete
 new
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
1#QNAN
1#INF
1#IND
1#SNAN
CONOUT$
('8PW
700PP
`h`hhh
xppwpp
profiler.log
InternetExplorer.Application
%02d:%02d:%02d   
%d/%02d/%02d %02d:%02d:%02d   
[-] mutex_lock::lock fault, error_code %08X
[-] mutex_lock::release fault, error_code %08X
[-] alloc_fixed_fault @%d
[+] alloc_fixed @%d ->%d
[~] free_fixed @%d ->%d
RSDS
d:\test\release\PCFlankLeaktest.pdb
WideCharToMultiByte
MultiByteToWideChar
WaitForSingleObject
ReleaseMutex
CreateMutexW
CloseHandle
GetFileAttributesW
CreateFileW
SetFilePointer
WriteFile
OutputDebugStringW
GetSystemTime
GetCurrentThreadId
FindResourceW
LoadResource
LockResource
InterlockedDecrement
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
GetLastError
FlushInstructionCache
GetCurrentProcess
VirtualProtect
GetModuleFileNameW
lstrlenA
FreeResource
VirtualAlloc
VirtualFree
KERNEL32.dll
GetMessageW
TranslateMessage
DispatchMessageW
LoadStringW
LoadImageW
GetParent
GetSysColorBrush
LoadCursorW
RegisterClassW
GetDlgItem
SendMessageW
BeginPaint
EndPaint
DefWindowProcW
GetWindowLongW
SetWindowLongW
CallWindowProcW
CreateWindowExW
GetClientRect
MapWindowPoints
GetWindow
GetDlgCtrlID
GetClassNameW
GetWindowRect
MoveWindow
SendDlgItemMessageW
SystemParametersInfoW
SetDlgItemTextW
PostMessageW
GetSysColor
SetTimer
MessageBoxW
SetWindowPos
BringWindowToTop
ShowWindow
EndDialog
IsDialogMessageW
GetDesktopWindow
DefDlgProcW
USER32.dll
DeleteObject
CreateFontIndirectW
SetBkColor
SetTextColor
GDI32.dll
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
OleInitialize
CLSIDFromString
CLSIDFromProgID
CoCreateInstance
OleRun
ole32.dll
OLEAUT32.dll
InitCommonControlsEx
PropertySheetW
COMCTL32.dll
LocalFree
HeapFree
HeapAlloc
GetVersionExA
GetProcessHeap
GetStartupInfoW
RtlUnwind
RaiseException
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapDestroy
HeapCreate
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapReAlloc
GetProcAddress
GetModuleHandleA
ExitProcess
GetStdHandle
GetModuleFileNameA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
Sleep
HeapSize
GetCPInfo
GetACP
GetOEMCP
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetConsoleCP
GetConsoleMode
InitializeCriticalSection
LoadLibraryA
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CreateFileA
FlushFileBuffers
.?AV_com_error@@
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
                          
a
Software
EnableAWINLog
http://www.pcflank.com/pcflankleaktest/leak1test.php?ID=
http://www.pcflank.com/pcflankleaktest_results.htm
iexplore.exe
button
iexplore.exe
open
defwindowclass
C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vid
osPCFlankLeaktest.exe
Js2P
ssPP
bsJP2
1s%P
Js2P
ssPP
bsJP2
1s%P
PCFlank Leaktest - Launching IE
MS Shell Dlg
static
Start Internet Explorer
Static
PCFlank Leaktest - Entering custom "test" data
MS Shell Dlg
Enter the test data
Static
Static
PCFlank Leaktest - Viewing test results
MS Shell Dlg
Test Complete
&Open Browser..
You can see the test results here:
Static
Result
PCFlank Leaktest - Introduction
MS Shell Dlg
Static
PCFlank Leaktest
Static
PCFlank Leaktest!Your firewall has passed the test!Your firewall has failed the test
There is no running instance of Internet Explorer detected on your system. Please launch the browser using the following instructions.
The test attempts to avoid firewall detection when uploading custom data to PC Flank's server. Although this test is only a simulation of a possible attack and doesn't transmit any confidential data from your PC nor cause any damage, a real attack using such elaborate techniques to compromise firewall protection stands a good chance of getting through.
Therefore, you should stay alert and be prudent in the protection you ultimately choose. If your firewall fails, your safety could very likely be threatened in real-life situations.
This is where the real test of your firewall begins. Enter the string that will be sent to the Internet similar to what a malicious application would try to do in order to leak your personal data to the bad guys.
Enter any arbitrary text sting that will be sent to the Internet to simulate a possible data theft at
tempt. If after pressing the "Next" button your firewall doesn't ask for your permission for PCFlank Leaktest to connect to the Internet, your firewall is unable to prevent this type of activity.
Launch Internet Explorer as you normally do or click the "Start Internet Explorer" button for PCFlank Leaktest to start the browser.
Please note that if you click the "Start Internet Explorer" button some firewalls may intervene and ask for your permission, but since this is normal and the test has not yet started, your firewall is not being tested at this moment.
Nevertheless, we recommend that you manually start the Internet Explorer, just as you normally do, in order to eliminate false positives.
Your firewall is leaky - the data was successfully sent to the Internet. This means your firewall cannot reliably protect your computer on the Internet!
Your firewall has blocked an attempt to send the data. This means your firewall successfully protected your computer against such techniques to bypass its protection.2http://www.pcflank.com/pcflankleaktest_results.htm
(Either copy-paste the link into your web browser's address bar or click the "Open Browser" for the PCFlank Leaktest to open up the test results webpage for you. If, again, your firewall has intervened at this stage and asked for your permission to launch the Internet Explorer with the test results page, the test has already completed and your "allow" choice will not affect your protection status (you can see it for yourself by copy/pasteing the provided link into any of your browsers).TThis test demonstrates how your existing firewall protection can be easily bypassed.
Close
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
PCFlank.com
FileDescription
Leaktest developed by PCFlank.com
FileVersion
InternalName
PCFlankLeaktest
LegalCopyright
Copyright (C) 1999-2006 PCFlank.com
LegalTrademarks
OriginalFilename
PCFlankLeaktest.exe
ProductName
PCFlankLeaktest
ProductVersion
VarFileInfo
Translation

Here are the message hooks observed when starting IE before the test (with IceSword):

And here are the hidden windows (OLE objects are used):

And the message hooks when opening the browser:

Some examples of packet captures taken with a protocol analyzer:

And the final result of the test:

Published in METHODOLOGY
