more simple and flexible WinBlox(GET CONTROL OF WINNT SYSTEM)
SUBJECT : more simple and flexible WinBlox(GET CONTROL OF WINNT SYSTEM)
TO : bugtraq and dm@xxxxxxxxxxxxxxxxx
FROM : Liu Die Yu
Tell me why the following message didn't get through and why there was no
notification of rejection.
***** ***** ***** ***** *****
expected readers
================
WinNT (NT/2K/XP/2K3) users who know that state-of-the-art protection (network
firewall, anti-virus, code made by MS) is far from enough.
What is WinBlox
===============
You can understand WinBlox within 15 seconds, while I have spent nearly 3
months on it:
http://umbrella.name/winblox/what_is_winblox.htm
(Requires Macromedia Flash Plugin)
Current WinBlox
===============
Open source and functional,
but not yet tested long enough for operational use.
For up-to-date information, visit:
http://umbrella.name/winblox
WinBlox 7.0 Enhancement
=======================
[1/6]USAGE : Get More Simple and Powerful Control
-------------------------------------------------[V]
The software consists of the following 4 files:
one setup program (WBD.EXE), one monitor DLL (WBM.DLL), one config
file (WBLIST.TXT) and one log file (WBLOG.TXT).
(The log file is not shipped with the installation package.)
WBD.EXE : use the start/stop/status switch to enable WinBlox, remove WinBlox or
check the current status of WinBlox.
WBLIST.TXT : defines the actions = {record, filter, confirm} to take when an
operation descriptor matches a regular expression pattern
("filter" kills the operation; "confirm" asks the user through a MessageBox).
The format is:
[action_list][regular_expression_pattern]
("[regular_expression_pattern]" must start with "^")
For example:
record.filter.^.*iexplore.*
(record and kill any operation whose descriptor contains "iexplore")
NOTE:
The "confirm" action is treated as "filter" on "COMMANDLINE:" operations,
because MessageBox does not work there.
[2/6]BUGFIX: LNK2005 Error during Compiling WBM(WinBlox Monitor)
----------------------------------------------------------------[V]
Many people reported that the monitor DLL could not be compiled because of an
LNK2005 error.
Fixed in this release.
[3/6]SPEED : Faster Regular Expression Matching
-----------------------------------------------[V]
The speed is greatly improved by compiling each regex pattern only once instead
of on every match.
[+]GREAT thanks to Oliver Lavery (olavery AT pivx DzeroT com) for suggesting
this improvement.
[QUOTE]
your program will probably be MUCH faster (maybe up to 10x)
[/QUOTE]
[4/6]SPEED : Saved Many "strlen" Calls during Initialization
------------------------------------------------------------[V]
The startup time of each monitored program is improved by making as few
"strlen" calls as possible during initialization.
[+]Thanks to David Boyce (d DzeroT boyce AT ntlworld DzeroT com) for suggesting
this improvement.
[5/6]SOURCE: Index and Count Clarification
------------------------------------------[V]
Comments such as "// 3" are replaced with "// count:3,index:2" so that a count
is never mistaken for an index.
[+]Thanks to David Boyce (d DzeroT boyce AT ntlworld DzeroT com) for suggesting
this improvement.
[6/6]USAGE : Include Username in Operation Descriptor
-----------------------------------------------------[V]
The username is added to the descriptor of the CreateFile operation, which now
has the following format:
"[Username]@CreateFile:[Full_Filename_Of_EXE] > [Commandline] ==> [AccessType]
--> [Target_File]"
[+]Thanks to "Paul Jordison" (pjordison AT tablimited DzeroT com DzeroT au)
[QUOTE]
I have a need to check all operation sources and targets from my CITRIX Servers
(for network
security)
[...]
it shows that UserA ran application B and was accessing source C?
[/QUOTE]
Features Still in Wish List
===========================
[1/1]System-wide DLL Injection on Win9x
---------------------------------------[_]
WinBlox could work on Win9x if it were possible to inject WBM.DLL into all
processes on Win9x.
But I have not figured out how yet.
"Bob Dickinson" (bob AT echeguren DzeroT com) and many others wanted this.
I don't want to turn them down.
Default Config File
===================
The default config file ("WBLIST.TXT") does the following:
#IE needs confirmation to write an EXE (unless the access is only
WRITE_ATTRIBUTES), including EXE downloads and Adodb.Stream writing to an EXE
#record any file operation whose target filename contains "\_sensitiVe_\"
#kill and record tftp, ftp and net - too many attacks involve these command-line
tools
More Strict for Higher Security
===============================
#Only an account named "WRITEEXE" can issue file operations on EXE files.
#As a side effect, no icon stored in an EXE can be displayed any more.
#kill and record tftp, ftp and net - too many attacks involve these command-line
tools
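As an added example (not WinBlox code and not part of the original post), here is a small Python model of the matching the monitor DLL performs: it parses WBLIST.TXT lines in the "[action_list][^pattern]" format, compiles each pattern once (the 7.0 speed fix), unions the actions of every matching rule, and downgrades "confirm" to "filter" on COMMANDLINE: operations. The two config texts approximate the default and the stricter policy described above, and the descriptors follow the 7.0 CreateFile layout. The rules and descriptors are constructed; the "#" comment syntax, the optional username prefix on COMMANDLINE descriptors, the all-matches-apply policy, the AccessType tokens and the regex lookahead in the strict policy are assumptions the post does not confirm.

```python
"""Toy model of WinBlox's WBLIST.TXT matching (added example, not the project's code).
Each rule is '<action>.<action>.^<regex>': the pattern starts at the first '^' and
everything before it is the dotted action list.  Patterns are compiled once at load."""
import re
from dataclasses import dataclass

ACTIONS = {"record", "filter", "confirm"}


@dataclass(frozen=True)
class Rule:
    actions: tuple
    pattern: re.Pattern  # compiled once and reused for every operation descriptor


def parse_rule(line):
    """Parse one config line; None for blank or '#' lines (comment syntax is an assumption)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    caret = line.find("^")
    if caret < 0:
        raise ValueError("pattern must start with '^': %r" % line)
    actions = tuple(a for a in line[:caret].split(".") if a)
    unknown = set(actions) - ACTIONS
    if unknown:
        raise ValueError("unknown action(s) %s in %r" % (sorted(unknown), line))
    return Rule(actions, re.compile(line[caret:]))


def load_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


# Optional "user@" prefix on COMMANDLINE descriptors is an assumption.
COMMANDLINE_OP = re.compile(r"^(?:[^@\s]+@)?COMMANDLINE:")


def evaluate(rules, descriptor):
    """Union of the actions of every matching rule (assumption: all matches apply).
    'confirm' degrades to 'filter' on COMMANDLINE: operations (no MessageBox there)."""
    actions = set()
    for rule in rules:
        if rule.pattern.search(descriptor):  # anchored by the leading '^'
            actions.update(rule.actions)
    if "confirm" in actions and COMMANDLINE_OP.match(descriptor):
        actions.discard("confirm")
        actions.add("filter")
    return actions


# Constructed config approximating the default policy described in the post.
DEFAULT_WBLIST = r"""
# IE writing an EXE needs confirmation (the WRITE_ATTRIBUTES exception is omitted here)
record.confirm.^.*\\iexplore\.exe > .* ==> .* --> .*\.exe$
# record anything whose target path contains \_sensitiVe_\
record.^.* --> .*\\_sensitiVe_\\.*
# kill and record tftp, ftp and net
record.filter.^COMMANDLINE:.*\b(tftp|ftp|net)\b.*
# confirm nc launches; on COMMANDLINE: ops this becomes filter
confirm.^COMMANDLINE:.*\bnc\b.*
"""

# Constructed stricter policy: only the WRITEEXE account may touch EXE files.
# The negative lookahead assumes WinBlox's regex library supports it; the post does not say.
STRICT_WBLIST = r"""
record.filter.^(?!WRITEEXE@)[^@]*@CreateFile:.* --> .*\.exe$
record.filter.^COMMANDLINE:.*\b(tftp|ftp|net)\b.*
"""

# Constructed descriptors in the 7.0 layout
# "[Username]@CreateFile:[EXE] > [Commandline] ==> [AccessType] --> [Target_File]";
# the AccessType tokens WRITE/READ are placeholders.
IE_WRITES_EXE = r'alice@CreateFile:C:\Program Files\Internet Explorer\iexplore.exe > "iexplore.exe" ==> WRITE --> C:\Temp\update.exe'
READS_SENSITIVE = r"bob@CreateFile:C:\Windows\notepad.exe > notepad.exe ==> READ --> C:\_sensitiVe_\plan.txt"
TFTP_FETCH = "COMMANDLINE:tftp -i 10.0.0.5 GET nc.exe"
NC_LISTENER = "COMMANDLINE:nc -l -p 4444"
WRITEEXE_COPY = r"WRITEEXE@CreateFile:C:\Windows\system32\cmd.exe > cmd.exe ==> WRITE --> C:\Tools\new.exe"


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_WBLIST), ("strict", STRICT_WBLIST)):
        rules = load_rules(cfg)
        for d in (IE_WRITES_EXE, READS_SENSITIVE, TFTP_FETCH, NC_LISTENER, WRITEEXE_COPY):
            print("%-7s %-22s %s" % (name, sorted(evaluate(rules, d)), d[:60]))
```

Under the default policy IE writing update.exe yields {record, confirm}, the notepad read of a \_sensitiVe_\ path yields {record}, the tftp fetch yields {record, filter}, and the nc listener yields {filter} only because its "confirm" was downgraded; under the strict policy alice's EXE write is killed while the WRITEEXE account's is left alone.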
Special Warning: Protect Log File
=================================
For higher security, you need to change the filename of the log file ("WBLOG.TXT").
To change the filename of the log file:
change the value of "LOG_FILEID" (specified by a "#define" macro) in the following
file:
open\wbm\detours\samples\wbm\wbm.cpp
and re-compile "WBM.DLL".
For more information on compiling, visit the official site:
http://umbrella.name/
This WBLIST.TXT file is only included in the "All Source Code and Document"
package.
===== END OF FILE =====