FWB information and questions

This is an addition to rob311's post, with a few questions of mine; I'm hoping some of you guys can help fill in the blanks.

This is from aphex's FWBSharp example:

First there was FWB, DLL injection into a trusted application. Then the
firewall companies fought back by checking and blocking DLLs. Then we fought
back with FWB++, injection without a DLL. Now the firewall companies have
answered back by blocking CreateRemoteThread and all our little tricks.

FWB: DLL injection into some trusted application that is allowed by the firewall
(from C2k)
FWB++: it doesn't use a DLL to inject into a process; it's the code-injection FWB technique
FWB#: the same as FWB++, but unhooks user-level APIs to bypass firewalls
FWB+++ (or FWB#+): it's FWB# plus the kernel-mode API unhook (SDTRestore POC method)
(from stm, redundant with the above)
dll injection = fwb
memory/code injection = fwb++ / fwbp+
bypassing fw hooks = fwb#

An example of FWB++ can be found here: http://www.trojanfrance.com/index.ph...by%20r3L4x.zip
The source code (C++) is well documented and, btw, very small.

FWB#, from aphex's site: http://iamaphex.net/downloads/FWBSharp.zip (well-documented source with a little intro).

I'm assuming this is an example of FWB+++ as pointed out by SmokeAlot here at the forums: http://www.opensc.ws/showthread.php?t=387
and http://iamaphex.net/downloads/leaktest.zip
And a good explanation from LTT Coder in the same topic: the latest FWs like ZoneAlarm (ZA) hook important APIs that are required to inject our code into a remote process. Once they have hooked them, they can control which applications are allowed to use the hooked APIs, such as LoadLibrary, WriteVirtualMemory, AllocateVirtualMemory....
These APIs are required by our RAT servers to inject, but ZA doesn't allow them to be used by our server.

What the AFX leaktest does is simply unhook the kernel-mode hooks that ZA has placed. When they're unhooked you can try the old injection methods and it won't be detected.

And some info on the SDTRestore POC method: http://packetstorm.security-guide.de...-keong-tan.pdf
http://www.security.org.sg/code/sdtrestore.html


Some good info related to and explaining Windows hooks etc.: http://www.codeproject.com/threads/winspy.asp
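To make the "unhook" part of FWB# concrete, here is an added example that is not code from this post, from aphex's FWBSharp, the r3L4x FWB++ sample or the AFX leaktest. It models the user-mode half of the idea: an inline hook overwrites the first bytes of an API (LoadLibrary, the virtual-memory calls, etc.) with a jump into the firewall's own code, and an unhooker finds it by comparing the in-memory prologue with a clean copy, then writes the clean bytes back. The prologue bytes, the "API address" and the "hook handler address" are all constructed for the demo; in a real unhooker the clean copy comes from the DLL image on disk, and the same compare-against-the-on-disk-image idea is what SDTRestore applies to the kernel's service table. No real process memory is touched.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the post or the tools it links.
 * Detect and remove an inline (prologue-overwrite) hook on a byte buffer
 * that stands in for the first bytes of a hooked API. */

#define PROLOGUE_LEN 8

/* Constructed: a typical 32-bit API prologue
 * (mov edi,edi / push ebp / mov ebp,esp / sub esp,10h). */
static const uint8_t clean_prologue[PROLOGUE_LEN] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10
};

enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_ABS, HOOK_PUSH_RET, HOOK_OTHER };

/* Classify how the in-memory prologue differs from the clean copy. */
enum hook_kind classify_hook(const uint8_t *mem, const uint8_t *clean, size_t n)
{
    if (memcmp(mem, clean, n) == 0)
        return HOOK_NONE;
    if (mem[0] == 0xE9)                                 /* jmp rel32 */
        return HOOK_JMP_REL32;
    if (n >= 2 && mem[0] == 0xFF && mem[1] == 0x25)     /* jmp dword ptr [abs32] */
        return HOOK_JMP_ABS;
    if (n >= 6 && mem[0] == 0x68 && mem[5] == 0xC3)     /* push imm32 ; ret */
        return HOOK_PUSH_RET;
    return HOOK_OTHER;                                  /* patched, but not a recognised trampoline */
}

/* Read the little-endian rel32 after the E9 opcode and resolve it:
 * target = address of next instruction (site + 5) + rel32. */
uint32_t jmp_rel32_target(uint32_t site, const uint8_t *mem)
{
    uint32_t rel = (uint32_t)mem[1] | ((uint32_t)mem[2] << 8) |
                   ((uint32_t)mem[3] << 16) | ((uint32_t)mem[4] << 24);
    return site + 5 + rel;   /* unsigned wraparound equals signed rel32 addition */
}

/* Write a constructed 5-byte jmp rel32 hook at `site` that lands on `target`. */
void install_jmp_hook(uint8_t *mem, uint32_t site, uint32_t target)
{
    uint32_t rel = target - (site + 5);
    mem[0] = 0xE9;
    mem[1] = (uint8_t)(rel);
    mem[2] = (uint8_t)(rel >> 8);
    mem[3] = (uint8_t)(rel >> 16);
    mem[4] = (uint8_t)(rel >> 24);
}

/* Copy the clean bytes back over the hooked prologue; returns how many bytes differed. */
size_t restore_prologue(uint8_t *mem, const uint8_t *clean, size_t n)
{
    size_t differing = 0;
    for (size_t i = 0; i < n; i++)
        if (mem[i] != clean[i])
            differing++;
    memcpy(mem, clean, n);
    return differing;
}

/* Whole round trip on constructed data: clean -> hooked -> detected -> restored.
 * Returns the number of bytes restored, or a negative code for the step that failed. */
int demo_hook_roundtrip(void)
{
    const uint32_t api_va  = 0x7C801000u;   /* constructed: pretend address of the API */
    const uint32_t hook_va = 0x10001000u;   /* constructed: pretend firewall handler */
    uint8_t mem[PROLOGUE_LEN];

    memcpy(mem, clean_prologue, sizeof mem);
    if (classify_hook(mem, clean_prologue, sizeof mem) != HOOK_NONE) return -1;

    install_jmp_hook(mem, api_va, hook_va);
    if (classify_hook(mem, clean_prologue, sizeof mem) != HOOK_JMP_REL32) return -2;
    if (jmp_rel32_target(api_va, mem) != hook_va) return -3;

    size_t restored = restore_prologue(mem, clean_prologue, sizeof mem);
    if (classify_hook(mem, clean_prologue, sizeof mem) != HOOK_NONE) return -4;
    return (int)restored;
}

int main(void)
{
    int r = demo_hook_roundtrip();
    if (r < 0) {
        printf("round trip failed at step %d\n", -r);
        return 1;
    }
    printf("hook detected, resolved and removed; %d prologue bytes restored\n", r);
    return 0;
}
```

The check that matters is the byte comparison against a trusted copy, not the opcode sniffing: `classify_hook` only names the common trampoline shapes, and anything else that differs still counts as a patch. On a live process the restore step additionally needs the page made writable first and the clean bytes taken from the mapped DLL image, which this buffer-only demo leaves out.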