GASPAR Hooker Test

Publié le par Kareldjag



Result of online scans: the original file is detected by none AV on Virustotal, and the next image is related to the recompiled file as an .exe:





This file is a Proof of Concept trojan designed to illustrate some firewall evasion methods: it hooks via OpenProcess, VirtualAllocExe, WiteProcessMemory and CreateRemoteThread) of running applications and tries to bypass the firewall via wininet.dll (of allowed application like Internet Explorer).










And with Jetico firewall:




And we get a spate of popup alerts of Windows Data Execution Protection (DEP, more info here and here) in relation to all running and modifed application:





























Publié dans METHODOLOGY

Pour être informé des derniers articles, inscrivez vous :
Vous aimerez aussi :
Rootkit test 3
Rootkit test 3
METHODOLOGY Part 2
METHODOLOGY Part 2
Why some tests are done with HIPS disabled
Why some tests are done with HIPS disabled
METHODOLGY Part 3
METHODOLGY Part 3
PRESENTATION Part 2
ROOTKIT Test 2
Commenter cet article