New Version of WinBlox is Available
Intro
=====
A user-mode, WinAPI-level, open-source tool for controlling the behavior of
applications running on Windows workstations.
http://umbrella.name/upid/winblox
Tech
====
* system-wide DLL injection via CreateRemoteThread, intercepting
CreateProcessInternalW in kernel32.dll;
* API hooking with Detours from Microsoft Research;
* a Win9x version of CreateRemoteThread is also included for review, but is
not implemented yet;
* simple PCRE usage;
* all source code is available:
http://umbrella.name/computer/winblox/winblox-open-2005.03.11.tar.gz
* if you need a free build environment to start your own research:
http://umbrella.name/computer/winblox/free_microsoft_visual_c_building_environment
*** go to http://umbrella.name/upid/winblox if the above direct links don't
work ***
WinBlox in a Nutshell
=====================
Here is one classic example:
If you enter "mms://google.com/" in the latest build of win32 Mozilla, you will
see a dialog like this:
/----------------------------\
An external application must be launched to handle mms: links. requested link:
mms://google.com/
If you were not expecting this request it may be an attempt to exploit a
weakness in that other program. Cancel this request unless you are sure it is
not malicious.
[Launch application] [Cancel]
\----------------------------/
This is a mechanism that prevents external programs from being launched without
the user's consent - pretty simple and valuable. With the help of WinBlox, you
can have the same kind of mechanism in IE in a matter of seconds - just add the
following entry to the configuration file named WBLIST.TXT:
/----------------------------\
Internet application is about to launch external program in a non-RPC way.
$record.confirm.^.*@execute_program:.*\\(iexplore\.exe|mozilla\.exe) > .* ==> .*
\----------------------------/
Then run CONSOLE.EXE, and you are done. You don't need admin privileges for
this, absolutely no change is made to your system registry, and no file other
than one log file in the WinBlox directory is written (which of course means
CONSOLE.EXE has to be run again after a logoff or reboot). Now enter
"mms://google.com/" in IE, and you will see a dialog like this:
/----------------------------\
WinBlox has detected an operation that requires your confirmation. Press NO to
cancel it.
Internet application is about to launch external program in a non-RPC way.
__________
c:\program files\internet explorer\iexplore.exe > "c:\program files\internet
explorer\iexplore.exe"
__________
User Account: user
Request Type: execute_program
Parameters: c:\program files\windows media player\wmplayer.exe --> "c:\program
files\windows media player\wmplayer.exe" "mms://google.com/"
[YES] [NO]
\----------------------------/
Press "NO" and Windows Media Player will not be executed.
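As an added illustration (not code from WinBlox itself), here is a small Python model of how a WBLIST.TXT rule like the one above is applied to an event record. The `$record.<action>.<regex>` rule syntax is taken from the entry above; the layout of the record string the regex is matched against (`user@execute_program:<process> > "<cmdline>" ==> <parameters>`) is an assumption reconstructed from the fields of the dialog, and Python's `re` stands in for PCRE.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed WBLIST.TXT contents, in the layout shown in the announcement:
# a description line followed by a "$record.<action>.<pcre>" rule line.
# (Assumed layout; the real WinBlox parser may differ.)
WBLIST = r"""
Internet application is about to launch external program in a non-RPC way.
$record.confirm.^.*@execute_program:.*\\(iexplore\.exe|mozilla\.exe) > .* ==> .*
"""

@dataclass
class Rule:
    description: str   # text shown in the confirmation dialog
    action: str        # e.g. "confirm"
    pattern: re.Pattern

def parse_wblist(text: str) -> List[Rule]:
    """Parse "$record.<action>.<regex>" lines; the preceding non-empty line is
    taken as the description that WinBlox displays in its dialog."""
    rules, description = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("$record."):
            _, action, regex = line.split(".", 2)
            rules.append(Rule(description, action, re.compile(regex)))
            description = ""
        else:
            description = line
    return rules

def build_record(user: str, request: str, process: str, cmdline: str,
                 params: str) -> str:
    """Assumed record layout, reconstructed from the fields of the dialog:
    <user>@<request type>:<process> > "<cmdline>" ==> <parameters>"""
    return f'{user}@{request}:{process} > "{cmdline}" ==> {params}'

def first_matching_rule(rules: List[Rule], record: str) -> Optional[Rule]:
    """Return the first rule whose PCRE-style pattern matches the record."""
    for rule in rules:
        if rule.pattern.match(record):
            return rule
    return None
```

Note that `\\(iexplore\.exe|mozilla\.exe)` in the rule requires a backslash immediately before the browser executable name, so a launch from any other parent process (explorer.exe, say) matches no rule and triggers no confirmation.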
Highlight
=========
WinBlox is an ideal tool for hardening the security of Windows systems:
* Simple: Built on mature components (PCRE and Detours), the WinBlox source
code is very small, and it is clear and short enough that you can review all
of it in less than 2 hours.
* Predictable: Great simplicity means no surprise.
* Secure: Simplicity and open source give you secure software.
* Flexible: Ordinary users get great flexibility from regular expressions,
and developers can easily change the behavior of WinBlox thanks to its
simplicity, structured design, documentation, and meaningful names.
* Clean: no change to the system registry; no file other than one log file in
the WinBlox directory is written; no admin privilege needed.