Firewall tester,
Ought to be win32 compatible.

Regards
Posted on 2003-07-30 12:26:28 by Axial
Me:
App: Check your MailBox!
(You may have mail)

Me:
Me: Mail, where?
Me:

Me:
Me: Mail, where?
Me:


Me:
Me: Mail, where?
Me:

Me: Wonders, how does this app work? (It's not working for me, what does the mail I missed look like?)

Seriously, nothing happens, no mail, no firewall even... :(
Posted on 2003-07-30 13:52:15 by scientica
Well, it is possible it does not work with your system. Rare enough though. It requires you to have an already existing email client installed (outlook, the batch whatever...).
The mail is a small test mail, nothing else... Ideally you shouldn't see it as you have a good firewall (that's the purpose of the app ;) )
Posted on 2003-07-30 14:04:24 by Axial

Well, it is possible it does not work with your system. Rare enough though. It requires you to have an already existing email client installed (outlook, the batch whatever...).
The mail is a small test mail, nothing else... Ideally you shouldn't see it as you have a good firewall (that's the purpose of the app ;) )

Then your app must be incompatible with my system (and the way I deal with mails, don't use M$ Outlook/Inlook/opendoor/whatever-they-call-it (I wonder if there's anything left of it, most of it "disappeared" after I played hide-and-seek (search-and-destroy really :)) with it))

I use Pegasus Mail. Do you utilize the email client to actually send the email, so that it's the email client that sends the app's email? (thus the app wouldn't be using anything the firewall triggers on)
Posted on 2003-07-30 16:20:15 by scientica
Exactly how does this test work? Is it just about sending mails through Outlook? If that's so, it's only natural if firewalls don't complain... unless they are still configured in "learning mode". BTW, what do the "stealth" modes represent?
Posted on 2003-07-30 17:24:56 by QvasiModo
I've just corrected a bug but still, for a reason I don't know, the app refuses to connect when it's placed into "some" directories :confused: (it may be a buffer overflow somewhere, I'll check it later)

Well, simply put it into c:\ and it would work.

QvasiModo: I'm not using MAPI but winsock, and YES the trick is based on the assumption the default mail client has the right to send mail!
I use code injection, sorta hijacking ...

None: no stealth. Trying to directly send the mail.
Advanced: Hijacking of default mail client (DMC) in order to gain the rights.
Elite: Multiple hijacking, inject code into explorer.exe which, in turn, injects code into DMC. (This makes the firewall think a user clicked on the DMC because explorer.exe launched it)
Posted on 2003-07-31 04:03:20 by Axial
Scientica: I run my own code in the context of the default mail client. It should work with ALL clients, including Pegasus. Hopefully I'll get that bug :(
Posted on 2003-07-31 04:06:58 by Axial
This has been addressed in the past with the FW vendors, but there's really absolutely nothing you can do to prevent it... Design flaw of win32...
Posted on 2003-07-31 04:33:18 by FearHQ
This is not exactly true. There are several ways in win32 to obtain the parent process ID, even without writing a driver. ZoneAlarm Pro does it (and then it catches the "advanced stealth" (simple hijacking method) but NOT the elite one).
Posted on 2003-07-31 04:48:55 by Axial
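The exchange above turns on what a personal firewall can see: a parent-process check (which the post says ZoneAlarm Pro performs) stops a mail client that was spawned by an unknown program, but passes one that explorer.exe started. The following is an added example, not code from the thread or from the tester it discusses, that models both verdicts over a constructed process snapshot and a constructed list of "thread created in another process" events (the kind of record an endpoint sensor would produce). Process names and PIDs are made up; `fwtester.exe` is a hypothetical placeholder for the tester.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str  # lower-case image file name


@dataclass(frozen=True)
class RemoteThread:
    """A thread created inside target_pid by a different process (source_pid)."""
    source_pid: int
    target_pid: int


# Ancestry an interactively launched program normally has on the desktop:
# the program itself, then explorer.exe, then userinit.exe.
INTERACTIVE_PARENTS = ("explorer.exe", "userinit.exe")


def ancestry(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """Walk parent links from pid upward; stop at unknown or already-seen PIDs."""
    chain: List[Proc] = []
    seen: Set[int] = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def parent_only_verdict(procs: Dict[int, Proc], pid: int) -> str:
    """The simple rule: allow the connection if the direct parent is explorer.exe."""
    chain = ancestry(procs, pid)
    if len(chain) >= 2 and chain[1].image == "explorer.exe":
        return "allow"
    return "block"


def injection_aware_verdict(procs: Dict[int, Proc], threads: List[RemoteThread], pid: int) -> str:
    """Stricter rule: the whole launch chain must look interactive AND no process
    outside its own image may have created a thread in any process on that chain."""
    chain = ancestry(procs, pid)
    if tuple(p.image for p in chain[1:3]) != INTERACTIVE_PARENTS:
        return "block"
    chain_pids = {p.pid for p in chain}
    for t in threads:
        if t.target_pid in chain_pids and t.source_pid != t.target_pid:
            return "block"  # code was planted in the client or one of its ancestors
    return "allow"


def build_scenarios() -> Dict[str, dict]:
    """Constructed snapshots for the three situations the thread describes."""
    base = [Proc(400, 1, "userinit.exe"), Proc(500, 400, "explorer.exe")]
    return {
        # user starts the mail client from the desktop; nothing touches it
        "legit": dict(procs=base + [Proc(600, 500, "winpm-32.exe")],
                      threads=[], pid=600),
        # tester launches the client itself and plants a thread in it
        "advanced": dict(procs=base + [Proc(700, 500, "fwtester.exe"),
                                       Proc(601, 700, "winpm-32.exe")],
                         threads=[RemoteThread(700, 601)], pid=601),
        # tester plants a thread in explorer.exe, which then launches the client
        "elite": dict(procs=base + [Proc(700, 500, "fwtester.exe"),
                                    Proc(602, 500, "winpm-32.exe")],
                      threads=[RemoteThread(700, 500), RemoteThread(500, 602)], pid=602),
    }


def evaluate_all() -> Dict[str, Dict[str, str]]:
    """Return both verdicts for every scenario, keyed by scenario name."""
    results = {}
    for name, s in build_scenarios().items():
        procs = {p.pid: p for p in s["procs"]}
        results[name] = {
            "parent_only": parent_only_verdict(procs, s["pid"]),
            "injection_aware": injection_aware_verdict(procs, s["threads"], s["pid"]),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in evaluate_all().items():
        print(f"{name:9s} parent-only={verdicts['parent_only']:5s} "
              f"injection-aware={verdicts['injection_aware']}")
```

The parent-only rule passes the "elite" chain because the mail client's parent really is explorer.exe, which is exactly the gap the post describes; the second rule closes it by treating a remote thread into any process on the chain as evidence that the chain's identity cannot be trusted.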
Donkey: what do you mean by default block? Did your firewall send you a warning? If so, it is straightforward you didn't get any mail. Have you tried the other modes?
Posted on 2003-07-31 04:55:38 by Axial
BTW if you just downloaded a firewall and didn't configure the rights of your mail client then all 3 modes will be blocked (as they need the rights of the MC...)
Posted on 2003-07-31 05:04:25 by Axial
I think it failed to get the DMC in HKEY_CLASSES_ROOT\mailto\shell\open\command.
The parser I wrote is pretty chaotic:rolleyes:
Posted on 2003-07-31 05:22:03 by Axial
Will the app work behind a proxy server or some "port (re)mapping service"? (thus the mail ports are non-standard)
When you use the DMC, do you use its port settings too or do you assume port 110 (for POP3) and 25 (SMTP)?
Posted on 2003-07-31 05:27:16 by scientica
No proxy and no pop3, I just use smtp.
I found out that the program won't work when the path is, for instance,
"C:\\INTERNET\\PMAIL\\WINPM-32.EXE -A -T %1"
instead of
"C:\INTERNET\PMAIL\WINPM-32.EXE -A -T %1"
Posted on 2003-07-31 05:33:58 by Axial
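The two posts above pin the bug on reading the default mail client from `HKEY_CLASSES_ROOT\mailto\shell\open\command` and tripping over values whose backslashes are doubled. As an added example, not the author's parser, here is a small Python parser for that command string that handles the doubled-backslash form from the post, a double-quoted path containing spaces, and an unquoted path containing spaces (joining tokens until one ends in `.exe`, which mirrors how Windows resolves such a command). The sample values are constructed; the Pegasus path is the one quoted in the thread, and the others are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class MailtoHandler:
    """Executable and argument template registered as the mailto: handler."""
    exe: str
    args: List[str] = field(default_factory=list)

    def has_url_placeholder(self) -> bool:
        # The shell substitutes the mailto: URL for %1 (or %l) when it runs the handler.
        return any(a.lower() in ("%1", "%l") for a in self.args)


def normalize_backslashes(path: str) -> str:
    """Collapse doubled backslashes (an artifact of values written through
    string-escaping code) to single ones; a UNC path keeps its leading pair."""
    if path.startswith("\\\\"):
        return "\\\\" + path[2:].replace("\\\\", "\\")
    return path.replace("\\\\", "\\")


def strip_display_quotes(command: str) -> str:
    """If the whole value is one quoted token that holds an .exe plus arguments,
    the quotes are decorative (as in the value pasted in the thread): drop them."""
    if command.startswith('"') and command.endswith('"') and command.count('"') == 2:
        inner = command[1:-1]
        if re.match(r"(?i).+?\.exe\s+\S", inner):
            return inner
    return command


def tokenize(command: str) -> List[Tuple[str, bool]]:
    """Split on whitespace, keeping double-quoted spans together; the flag says
    whether the token was quoted."""
    tokens: List[Tuple[str, bool]] = []
    for m in re.finditer(r'"([^"]*)"|(\S+)', command):
        if m.group(1) is not None:
            tokens.append((m.group(1), True))
        else:
            tokens.append((m.group(2), False))
    return tokens


def parse_mailto_command(value: str) -> MailtoHandler:
    command = strip_display_quotes(value.strip())
    tokens = tokenize(command)
    if not tokens:
        raise ValueError("empty mailto handler command")
    text, quoted = tokens[0]
    rest = tokens[1:]
    if not quoted:
        # Unquoted path with spaces: Windows tries progressively longer prefixes
        # as the program name, so keep absorbing unquoted tokens until ".exe".
        while not text.lower().endswith(".exe") and rest and not rest[0][1]:
            text = text + " " + rest.pop(0)[0]
    return MailtoHandler(exe=normalize_backslashes(text), args=[t for t, _ in rest])


# Constructed sample registry values (the first two mirror the forms in the thread).
SAMPLE_VALUES: Dict[str, str] = {
    "plain": r'"C:\INTERNET\PMAIL\WINPM-32.EXE -A -T %1"',
    "escaped": r'"C:\\INTERNET\\PMAIL\\WINPM-32.EXE -A -T %1"',
    "quoted_path": r'"C:\Program Files\Mail Client\mail.exe" "%1"',
    "unquoted_spaces": r'C:\Program Files\Mail Client\mail.exe -compose %1',
}


def parse_all() -> Dict[str, MailtoHandler]:
    return {name: parse_mailto_command(v) for name, v in SAMPLE_VALUES.items()}


if __name__ == "__main__":
    for name, handler in parse_all().items():
        print(f"{name:16s} exe={handler.exe!r} args={handler.args}")
```

On a real system the value would come from `winreg.QueryValue` on that key; it is kept as inline strings here so the parser can be exercised offline, and `has_url_placeholder()` gives a quick sanity check that the registered command actually accepts the URL.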
Why did you compress the executable with Petite? Anything to hide? :rolleyes:

Unpackable with "r!sc's petite enlarger v1.3" btw :)
Posted on 2003-07-31 06:05:42 by bazik

QvasiModo: I'm not using MAPI but winsock, and YES the trick is based on the assumption the default mail client has the right to send mail!
I use code injection, sorta hijacking ...

None: no stealth. Trying to directly send the mail.
Advanced: Hijacking of default mail client (DMC) in order to gain the rights.
Elite: Multiple hijacking, inject code into explorer.exe which, in turn, injects code into DMC. (This makes the firewall think a user clicked on the DMC because explorer.exe launched it)

Gotcha. So the firewall tester tries to fool the firewall, by masquerading as an application with permission to send mails.
I have a couple of suggestions:
1) How about reading the config of the most popular firewall apps? They usually store everything in the registry, and don't worry too much about hiding the app names (usually they encrypt the permissions data, and sometimes not even that, they just put some hash to verify that the data was not tampered). That way you can know what applications are allowed to get past the firewall.
2) How about encrypting it with Yoda's crypter (or a similar, less known utility)?
3) How about posting the source code? :grin:
Posted on 2003-07-31 09:55:31 by QvasiModo

Why did you compress the executable with Petite? Anything to hide? :rolleyes:

Yes, it's compressed with PEtite 2.1. Or at least that's what PEId reports.
Posted on 2003-07-31 09:58:22 by QvasiModo
Nothing to hide, but I wrote a couple of procs that could easily be re-used in virii or trojans. (and these are not buggy :grin: ) Anyway you're right! I'm not responsible for what "lamers" may or may not do with this code.
So here is the source:

(now the funniest part goes on: you guys can help me on debugging :grin: )
Posted on 2003-07-31 12:15:15 by Axial


Gotcha. So the firewall tester tries to fool the firewall, by masquerading as an application with permission to send mails.
I have a couple of suggestions:

1) How about reading the config of the most popular firewall apps? They usually store everything in the registry, and don't worry too much about hiding the app names (usually they encrypt the permissions data, and sometimes not even that, they just put some hash to verify that the data was not tampered). That way you can know what applications are allowed to get past the firewall.


It would be a fastidious task and finally useless because of the numerous firewalls on the market. I wanted something that works everywhere.
Posted on 2003-07-31 12:44:21 by Axial

It would be a fastidious task...

Agreed. :)
...and finally useless because of the numerous firewalls on the market. I wanted something that works everywhere.

Not quite... if your program doesn't find any known firewall installed, it should behave as it does right now. And if you do find one, you can exploit any vulnerabilities particular to that software. It would be an extra feature.
Posted on 2003-08-01 12:40:29 by QvasiModo