maggotboy
11-22-2002, 10:39 AM
Variety is the spice of life, and the more sniffers there are, and the broader the techniques, the better off we'll all be.
Using the demo code from the Microsoft Platform SDK, I'm working on a Winsock Layered Service Provider sniffing method. It'll sit in the provider chain in Winsock, and in between certain calls to Winsock functions by EQ, the service provider will sniff the key. The layered service provider approach is also a resident DLL method, but it won't require SetWindowsHookEx(), so EQ will have to invoke an entirely different detection method to find it. I really like this idea, because firewall programs and other security programs use this method to intercept, block or otherwise sit on top of the TCP/IP stack, and Verant can't easily decide for itself which LSPs are rogue sniffers.
I've actually got 3 more approaches (including the one I just mentioned).
1. Injecting a DLL into EXPLORER.EXE which spawns a worker thread to read the key cross-process. I have a couple of tricks up my sleeve which may eliminate the need to enable debug privs for this.
2. Alter the V1 codebase to use a waitable timer which queues an APC callback (Asynchronous Procedure Call) into the linked DLL in EQ's address space. This requires an entirely different detection approach than the hooking method. I am not sure if this can be done for the V2 codebase just yet.
3. For Win9x users, inject a DLL into Explorer.exe which uses the undocumented ring-3 to ring-0 VxDCall method to read EQ's memory at the ring-0 level. Not sure if I have the skills to do this, and it may require some assembly.
Now, ideally the best approach is to write a WDM (Windows Driver Model) ring-0 driver to do all this...but unfortunately I *do* have real work to do and can't really afford to spend my waking moments doing all this research :)
Maggotboy
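As an added example, not code from maggotboy's post: the defensive check his LSP idea is betting against is a walk over the Winsock provider catalog, which is where any LSP (a firewall's or a sniffer's) has to be registered. The script below lists the catalog via `netsh winsock show catalog`, resolves each provider DLL, and flags layered entries whose DLL is missing or not carrying a valid Microsoft Authenticode signature. The function names `Get-WinsockCatalogEntry` and `Find-SuspectWinsockProvider` are my own, and the parser assumes netsh's block layout ("Winsock Catalog Provider Entry" headers followed by "Key: value" lines); on a box where that layout differs, adjust the two regexes.

```powershell
# Added example (not from the original post). Enumerates the Winsock catalog
# and triages Layered Service Providers by the signature on their DLL.
# Assumes Windows with netsh and Get-AuthenticodeSignature available; run
# elevated so every provider path is readable.

function Get-WinsockCatalogEntry {
    # Parse 'netsh winsock show catalog' into one object per catalog entry.
    $entries = @()
    $current = $null
    foreach ($line in (netsh winsock show catalog)) {
        # Assumption: each entry starts with a header ending in 'Provider Entry'
        # (protocol entries and name-space entries both use this form).
        if ($line -match 'Provider Entry\s*$') {
            if ($null -ne $current) { $entries += [pscustomobject]$current }
            $current = [ordered]@{ 'Header' = $line.Trim() }
            continue
        }
        # 'Key:   value' lines belong to the entry currently being read.
        if ($null -ne $current -and $line -match '^\s*([^:]+?):\s+(.*?)\s*$') {
            $current[$matches[1]] = $matches[2]
        }
    }
    if ($null -ne $current) { $entries += [pscustomobject]$current }
    return $entries
}

function Find-SuspectWinsockProvider {
    # Only protocol entries carry a 'Provider Path'; name-space entries do not.
    Get-WinsockCatalogEntry |
        Where-Object { $_.PSObject.Properties['Provider Path'] } |
        ForEach-Object {
            $path = [Environment]::ExpandEnvironmentVariables($_.'Provider Path')
            $exists = Test-Path -LiteralPath $path
            $sig = $null
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            }
            $signer = ''
            if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $status = 'Unknown'
            if ($sig) { $status = $sig.Status }

            $isLayered  = $_.'Entry Type' -match 'Layered'
            $msSigned   = ($status -eq 'Valid') -and ($signer -match 'Microsoft')
            # Flag: a layered provider that is missing, unsigned, or signed by
            # someone other than Microsoft. Third-party firewalls and AV will
            # show up here too; this is triage input, not a verdict.
            $suspect = $isLayered -and ((-not $exists) -or (-not $msSigned))

            [pscustomobject]@{
                EntryType   = $_.'Entry Type'
                Description = $_.'Description'
                CatalogId   = $_.'Catalog Entry ID'
                Path        = $path
                Exists      = $exists
                SigStatus   = $status
                Signer      = $signer
                Suspect     = $suspect
            }
        }
}

# Usage: show every provider, suspects first.
Find-SuspectWinsockProvider |
    Sort-Object -Property Suspect -Descending |
    Format-Table EntryType, Description, SigStatus, Signer, Path, Suspect -AutoSize
```

Two caveats a practitioner would want here. First, the signature check is a heuristic: a legitimate third-party LSP fails the "Microsoft-signed" test, and a sniffer that steals or buys a code-signing certificate passes it, so the flagged list is a starting point for looking at what the DLL actually does inside WSPSend/WSPRecv, not an answer. Second, LSPs were deprecated in Windows 8 in favour of the Windows Filtering Platform, so on a modern system an unexpected layered entry is more noteworthy, not less, than it was when this post was written.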