
New Version of WinBlox is Available




Intro
=====
WinBlox is an open-source, user-mode tool that works at the Win32 API level to 
control the behavior of applications running on Windows workstations.

http://umbrella.name/upid/winblox

Tech
====
* system-wide DLL injection via CreateRemoteThread, intercepting 
CreateProcessInternalW in kernel32.dll so that child processes are covered too;
* API hooking done with Microsoft Research's Detours library;
* a Win9x version of CreateRemoteThread is included for review but is not 
implemented yet;
* rules are matched with PCRE (a simple, small use of the library);
* all source code is available: 
http://umbrella.name/computer/winblox/winblox-open-2005.03.11.tar.gz
* if you need a free build environment to start your own research, see: 
http://umbrella.name/computer/winblox/free_microsoft_visual_c_building_environment

*** go to http://umbrella.name/upid/winblox if the above direct links don't 
work ***

WinBlox in a Nutshell
=====================
Here is one classic example:

If you enter "mms://google.com/" in the latest win32 build of Mozilla, you will 
see a dialog like this:
/----------------------------\
An external application must be launched to handle mms: links. requested link:
mms://google.com/
If you were not expecting this request it may be an attempt to exploit a 
weakness in that other program. Cancel this request unless you are sure it is 
not malicious.
[Launch application] [Cancel]
\----------------------------/

This is a simple and valuable safeguard against a link launching an external 
program. With WinBlox you can have the same kind of safeguard in IE in a matter 
of seconds: add the following two lines (a description line, then the rule that 
it labels) to the configuration file named WBLIST.TXT:
/----------------------------\
Internet application is about to launch external program in a non-RPC way. 
$record.confirm.^.*@execute_program:.*\\(iexplore\.exe|mozilla\.exe) > .* ==> .*
\----------------------------/

Then run CONSOLE.EXE and you are done. You do not need admin privilege for this, 
no change is made to the system registry, and no file other than one log file 
in the WinBlox directory is written. (This also means CONSOLE.EXE has to be run 
again after every logoff or reboot, since nothing is persisted.) Now enter 
"mms://google.com/" in IE, and you will see a dialog like this:
/----------------------------\
WinBlox has detected an operation that requires your confirmation. Press NO to 
cancel it.
Internet application is about to launch external program in a non-RPC way.
__________
c:\program files\internet explorer\iexplore.exe > "c:\program files\internet 
explorer\iexplore.exe"
__________
User Account: user
Request Type: execute_program
Parameters: c:\program files\windows media player\wmplayer.exe --> "c:\program 
files\windows media player\wmplayer.exe" "mms://google.com/"
[YES] [NO]
\----------------------------/

Press "NO" and Windows Media Player will not be executed. Note that the rule, 
like the hook behind it, only covers process creation that the hooked 
application performs itself through CreateProcessInternalW (the "non-RPC way" 
of the description); a launch brokered by another process is not intercepted.
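To make the rule above concrete, here is an added example (not WinBlox's own code) that re-implements the WBLIST.TXT decision logic in Python and runs the quoted rule against constructed records offline. Everything about the file and record layout beyond the two lines shown in the text is an assumption: that a rule file is a description line followed by `$record.<action>.<pcre>`, that a record matched by no rule is allowed, and that the record WinBlox matches is laid out as `<user>@<request_type>:<parent exe> > <parent cmdline> ==> <child exe> --> <child cmdline>` (reconstructed from the fields of the dialog). Python's `re` stands in for PCRE for the syntax used here. The example also shows why case sensitivity matters for Windows paths.

```python
# Added example, not WinBlox's own code: a small re-implementation of the
# WBLIST.TXT decision logic so the rule quoted above can be exercised offline.
#
# Assumptions (not stated on the page):
#  * a rule file is a description line followed by "$record.<action>.<pcre>";
#    "confirm" is the only action shown on the page, and a record matched by
#    no rule is treated here as allowed;
#  * the record string WinBlox matches is reconstructed from the dialog as
#    "<user>@<request_type>:<parent exe> > <parent cmdline> ==> <child exe> --> <child cmdline>";
#    the real layout may differ;
#  * Python's re module stands in for PCRE for the syntax used here.
from __future__ import annotations

import re
from dataclasses import dataclass

RULE_PREFIX = "$record."


@dataclass
class Rule:
    description: str   # the line preceding the rule; shown in the confirmation dialog
    action: str        # e.g. "confirm"
    pattern: re.Pattern


def parse_wblist(text: str, caseless: bool = True) -> list[Rule]:
    """Parse WBLIST.TXT text into rules.

    caseless=True compiles patterns case-insensitively, which is what you want
    for Windows paths: whether WinBlox itself uses PCRE_CASELESS is not stated
    on the page, and a case-sensitive iexplore\\.exe silently misses IEXPLORE.EXE.
    """
    rules: list[Rule] = []
    pending_desc = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(RULE_PREFIX):
            action, _, pcre = line[len(RULE_PREFIX):].partition(".")
            flags = re.IGNORECASE if caseless else 0
            rules.append(Rule(pending_desc, action, re.compile(pcre, flags)))
            pending_desc = ""
        else:
            pending_desc = line   # description for the next rule
    return rules


def build_record(user: str, request_type: str, parent_exe: str, parent_cmdline: str,
                 child_exe: str, child_cmdline: str) -> str:
    """Assumed record layout, reconstructed from the fields of the dialog."""
    return (f"{user}@{request_type}:{parent_exe} > {parent_cmdline}"
            f" ==> {child_exe} --> {child_cmdline}")


def decide(rules: list[Rule], record: str) -> tuple[str, str]:
    """Return (action, description) of the first matching rule, or ("allow", "")."""
    for rule in rules:
        # PCRE-style unanchored search; the rule anchors itself with ^ where it wants to.
        if rule.pattern.search(record):
            return rule.action, rule.description
    return "allow", ""


# Constructed input: the two lines from the text, as they would sit in WBLIST.TXT.
WBLIST_TEXT = r"""
Internet application is about to launch external program in a non-RPC way.
$record.confirm.^.*@execute_program:.*\\(iexplore\.exe|mozilla\.exe) > .* ==> .*
"""

# Constructed record reproducing the dialog in the text.
IE_LAUNCHES_WMP = build_record(
    "user", "execute_program",
    r"c:\program files\internet explorer\iexplore.exe",
    r'"c:\program files\internet explorer\iexplore.exe"',
    r"c:\program files\windows media player\wmplayer.exe",
    r'"c:\program files\windows media player\wmplayer.exe" "mms://google.com/"',
)

# Constructed record the rule should leave alone: the shell starting Notepad.
EXPLORER_LAUNCHES_NOTEPAD = build_record(
    "user", "execute_program",
    r"c:\windows\explorer.exe", r'"c:\windows\explorer.exe"',
    r"c:\windows\notepad.exe", r'"c:\windows\notepad.exe"',
)

if __name__ == "__main__":
    rules = parse_wblist(WBLIST_TEXT)
    for rec in (IE_LAUNCHES_WMP, EXPLORER_LAUNCHES_NOTEPAD):
        action, desc = decide(rules, rec)
        print(f"{action:8} {desc}\n         {rec}")
```

Run it directly to see the IE record classified as `confirm` with the description line attached, and the Explorer record left alone. The `caseless` switch is the part worth keeping in mind when writing real rules: with case-sensitive matching, a parent spelled `IEXPLORE.EXE` would sail past the pattern.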

Highlight
=========
WinBlox is an ideal tool for hardening the security of Windows systems:

    * Simple: built on mature components (PCRE and Detours), the WinBlox 
source code is very small, and clear enough that you can review all of it in 
less than two hours.
    * Predictable: great simplicity means no surprises.
    * Secure: simplicity and open source let you verify the software instead of 
trusting it.
    * Flexible: regular expressions give ordinary users great flexibility, and 
the simple, structured design, documentation, and meaningful names let 
developers change the behavior of WinBlox easily.
    * Clean: no change to the system registry; no file other than one log file 
in the WinBlox directory is written; no admin privilege needed.