Re: how to develop a firewall to monitor process and protocol Driver and NDIS Intermediate Drivers

On Wed, 2004-06-23 at 03:15, lists wrote:

> 2. How to monitor all protocol drivers in the machine??? How does Sygate firewall
> do it??
> Hook registerprotocol??

I don’t know how sygate does it, but what you suggest would work,
eventually. You could also do what NDIS does when it loads protocol
drivers - look in the registry for binding information and hook all of
the protocols that way. Similar issues to the first method.

> 3. If a trojan is an NDIS Intermediate Driver, how to block it and monitor
> its communication??

You’re in a hooking war at that point. You can either try (futilely,
really) to be the lowest IM in the stack at all times, which again you
can control using registry settings, or you can write another piece of
software that looks for any IM drivers and complains/etc. whenever it
finds one. My question would be this - how would you tell which IM
drivers are “trojans”? If you’re doing it by filename/checksum/etc.,
you could do it without any kernel code at all, just by reading the
registry and looking for the respective files. If you’re just
complaining about IM drivers in general, well, that seems like a pretty
bad practice.

I ship two IM drivers atm - I hope I don’t make your list. :)

-sd

This was the ‘Name-of-the-game’ a few years back. I was deeply involved in
it, so half of my brain circuit was damaged due to it, and the other half was
already damaged, so my suggestion would be to hack the network to find some
suggestion(s); there were articles/code snippets etc.

It is certainly a long rocky ride, but yes once you register a protocol
driver, you will get back a handle that gives the chain of protocols already
registered, so highly forbidden hooking can take place …

As a note, MS’s new NDIS (6.0?) and the new filter-manager’s minifilter are going
to make it a lot easier, and some of us will have legit branding…

-pro


Thanks for Steve Dispensa's help.

1. Today I found a personal firewall, BitGuard firewall. Its firewall
driver seems to be a miniport filter driver.

As we know, an IM driver must get data from the miniport. So how does this
method work??

2. Someone developed a firewall which uses NDIS hooking technology,
but he hooks NdisMRegisterMiniport… so he can get all packets…
How does this method work? Can it monitor IM drivers?

“Steve Dispensa” wrote in message news:xxxxx@ntdev…

Windows rootkits use driver development technology.

So later… many trojans will be drivers…

It will be a trend… then IM driver trojans will be normal. ^_*

“Steve Dispensa” wrote in message news:xxxxx@ntdev…

On Wed, 2004-06-23 at 22:31, davisneilp wrote:

> Thanks for Steve Dispensa's help.
>
> 1. Today I found a personal firewall, BitGuard firewall. Its firewall
> driver seems to be a miniport filter driver.

I’ve never looked at it; it sounds from your description like an NDIS IM
driver. They have miniport and protocol components inside one .SYS
file.

> As we know, an IM driver must get data from the miniport. So how does this
> method work??

Look up NDIS Intermediate (IM) drivers in the DDK.

> 2. Someone developed a firewall which uses NDIS hooking technology,
> but he hooks NdisMRegisterMiniport… so he can get all packets…
> How does this method work? Can it monitor IM drivers?

There’s no reason to do this; an IM driver will accomplish the same
thing. You still have the hooking war, even if you don’t use an IM
driver.

-sd

On Wed, 2004-06-23 at 22:36, davisneilp wrote:

> Windows rootkits use driver development technology.
>
> So later… many trojans will be drivers…
>
> It will be a trend… then IM driver trojans will be normal. ^_*

Regardless, that doesn’t excuse using the same dumb techniques they use
–> two wrongs don’t make a right. There is a [more] correct way of
doing what you want, which I gather is basically trojan detection, and
you may not even need a kernel component to do it. The whole thing is a
Red Queen’s Race, though.

-sd
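The user-mode check Steve describes above (walk the NDIS binding information in the registry, then verify each protocol and IM driver image by checksum and signature, with no kernel component), as an added PowerShell example that is not code from this thread. The two class GUIDs are the standard NetService and NetTrans network classes; the baseline hash table is an assumption you would populate from a known-good machine.

```powershell
# Added example (not from the thread): enumerate the NDIS NetService (IM/filter)
# and NetTrans (protocol) bindings from the registry and verify each driver image
# by SHA-256 and Authenticode signature. Runs entirely in user mode.

# ASSUMPTION: baseline of service name -> expected SHA-256, taken from a
# known-good machine. The single entry below is a constructed placeholder.
$Baseline = @{ 'Tcpip' = 'PLACEHOLDER-SHA256-FROM-KNOWN-GOOD-HOST' }

$NetworkRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network'
$Classes = @{
    '{4D36E974-E325-11CE-BFC1-08002BE10318}' = 'NetService (IM / filter drivers)'
    '{4D36E975-E325-11CE-BFC1-08002BE10318}' = 'NetTrans (protocol drivers)'
}

function Resolve-DriverPath([string]$ImagePath) {
    # Kernel-driver ImagePath values come in several forms; normalise to a full path.
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$results = foreach ($classGuid in $Classes.Keys) {
    $classKey = Join-Path $NetworkRoot $classGuid
    if (-not (Test-Path $classKey)) { continue }
    foreach ($component in Get-ChildItem $classKey) {
        # Each binding component's Ndi\Service value names the driver's service key.
        $ndiKey = "$($component.PSPath)\Ndi"
        if (-not (Test-Path $ndiKey)) { continue }
        $service = (Get-ItemProperty -Path $ndiKey -ErrorAction SilentlyContinue).Service
        if (-not $service) { continue }
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$service"
        $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath) { continue }
        $file = Resolve-DriverPath $imagePath
        if (-not (Test-Path $file)) {
            [pscustomobject]@{ Class=$Classes[$classGuid]; Service=$service; File=$file; Signature='FileMissing'; Verdict='INVESTIGATE' }
            continue
        }
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -FilePath $file).Status
        $verdict = if (-not $Baseline.ContainsKey($service)) { 'not in baseline' }
                   elseif ($hash -eq $Baseline[$service]) { 'baseline match' } else { 'HASH MISMATCH' }
        [pscustomobject]@{ Class=$Classes[$classGuid]; Service=$service; File=$file; Signature=$sig; Verdict=$verdict }
    }
}
$results | Format-Table -AutoSize
```

Any binding whose service is not in the baseline, whose image hash differs, or whose Authenticode status is not Valid is the "complain" case from the discussion; as Steve notes, this catches known files, not an arbitrary new IM driver.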

Thanks, Steve Dispensa!!!

1. Today I found a personal firewall, BitGuard firewall. Its driver is a
miniport filter driver.
How does this method work? Can it monitor IM drivers?

2. Someone uses NDIS hook technology to develop a firewall,
but the difference is that he hooks NdisMRegisterMiniport… so he can get all
packets.
How does this method work? Can it monitor IM drivers?

Thanks a lot!

“Steve Dispensa” wrote in message news:xxxxx@ntdev…