Is your firewall reliable?


Under the "suppression" of firewalls and anti-virus software, rogue software and Trojans have begun to "retreat" into the kernel. The traditional method of checking which local ports belong to which processes no longer catches illegal network access, and a personal firewall has become essential software. Current mainstream personal firewalls are built on the Windows kernel, but Windows kernel network drivers are layered, and the layer at which a firewall works largely determines its effectiveness: a firewall working at the TDI layer knows nothing about the data sent and received at the NDIS layer, because in the kernel the TDI driver layer sits above the NDIS driver layer. Trojans of the past (before the 1990s) were ordinary programs built on the Windows application layer, and a firewall working at the TDI layer could easily detect and block their illegal network access. Relying solely on the TDI layer to intercept Trojans and rogue software that have moved into the kernel, however, is far from enough. A kernel Trojan does not depend on a socket handle or on a bound port; it can work at the TDI layer or even at the NDIS layer. Therefore, a truly reliable firewall should establish a line of defense at the NDIS layer.

Although a truly reliable firewall should work at the NDIS layer, a personal firewall and a server firewall differ. A server firewall only needs to decide whether to forward or discard a packet based on protocol, address and port; a more advanced one can also analyze packet content and, using a preset expert system, decide whether a packet is normal traffic or part of an attack. Such a firewall can even be implemented in hardware. A personal firewall, however, must interact with the user. Most user traffic is IP-based, and users neither care about protocol details nor, in most cases, understand them. So in addition to filtering by IP-layer protocol, the main job of a personal firewall is to allow or block a particular process (program) from accessing the network according to the user's wishes; that granularity is easy for users to understand and control. Here the TDI-layer firewall has the advantage: when network access occurs it can identify the process that initiated it and prompt the user with its name. A firewall working at the NDIS layer cannot easily do this. When data is sent, the upper-layer driver submits the packet to the NDIS send queue and returns; by the time the packet is actually delivered it is impossible to tell which program (process) sent it. For received data, the owning program could only be determined from the port number, but the mapping between port and process is unknown at the NDIS layer. So in neither direction can the NDIS layer reliably attribute traffic to a process, and without that, filtering only by address, port and protocol is unfriendly for most users.
Therefore, the best personal firewall (not necessarily the safest) should use TDI + NDIS "double insurance": the TDI layer filters process-level access, and the NDIS layer filters by address, port and protocol.
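An added user-mode model of the TDI + NDIS split described above (illustration only, not code from this post or from any product it discusses; the rule tables, image names and the 203.0.113.0/24 range are constructed). It shows why a sender living below TDI escapes a per-process check yet is still subject to the address/port/protocol rules at the lower layer:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added user-mode model (not code from the original post) of TDI + NDIS "double
 * insurance": a per-process verdict at TDI, an address/port/protocol verdict at NDIS. */
#define PROTO_ANY 0
#define PROTO_TCP 6
typedef struct { const char *image; bool allow; } tdi_rule_t;
typedef struct { uint32_t net; int prefix; uint16_t port_lo, port_hi; int proto; bool allow; } ndis_rule_t;
typedef enum { ORIGIN_USER_PROCESS, ORIGIN_KERNEL_BELOW_TDI } origin_t;

/* Constructed policy: only firefox.exe is allowed per process, and only TCP 80/443
 * to the 203.0.113.0/24 documentation range is allowed per packet. */
static const tdi_rule_t g_tdi_rules[] = { { "firefox.exe", true }, { "iexplore.exe", false } };
static const ndis_rule_t g_ndis_rules[] = {
    { 0xCB007100u /* 203.0.113.0 */, 24, 80, 80, PROTO_TCP, true },
    { 0xCB007100u /* 203.0.113.0 */, 24, 443, 443, PROTO_TCP, true },
};

static bool cidr_match(uint32_t addr, uint32_t net, int prefix) {
    uint32_t mask = prefix <= 0 ? 0u : (prefix >= 32 ? 0xFFFFFFFFu : 0xFFFFFFFFu << (32 - prefix));
    return (addr & mask) == (net & mask);
}

/* TDI layer: decide by the image of the process that opened the endpoint; unknown
 * images are denied (a real product would prompt the user here). */
static bool tdi_allow(const char *image) {
    for (size_t i = 0; i < sizeof g_tdi_rules / sizeof g_tdi_rules[0]; i++)
        if (strcmp(g_tdi_rules[i].image, image) == 0) return g_tdi_rules[i].allow;
    return false;
}

/* NDIS layer: first matching address/port/protocol rule wins; default deny. */
static bool ndis_allow(uint32_t dst, uint16_t port, int proto) {
    for (size_t i = 0; i < sizeof g_ndis_rules / sizeof g_ndis_rules[0]; i++) {
        const ndis_rule_t *r = &g_ndis_rules[i];
        if (cidr_match(dst, r->net, r->prefix) && port >= r->port_lo && port <= r->port_hi &&
            (r->proto == PROTO_ANY || r->proto == proto)) return r->allow;
    }
    return false;
}

/* Dual-layer verdict: a sender below TDI never passes the TDI filter (a TDI-only
 * firewall would not even see it), but the NDIS rules apply to every packet. */
static bool firewall_allows(origin_t origin, const char *image, uint32_t dst, uint16_t port, int proto) {
    if (origin == ORIGIN_USER_PROCESS && !tdi_allow(image)) return false;
    return ndis_allow(dst, port, proto);
}
```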

A few days ago a friend asked me to recommend a good firewall. To be honest, I didn't know which one is better, because I had never compared them; without investigation there is no right to speak, and answering casually is not my style. Besides, I have recently been verifying the feasibility of building a TCP/IP stack in the kernel to bypass the firewall, so I needed to understand the capabilities of the current mainstream firewalls. So I studied all the popular ones, and it turned out to be an eye-opener: I had no idea until I looked, and then I was shocked. I first searched the Internet for personal firewalls and found so many kinds that I had no time to test them all, so I started with the ones with the most users: "SkyNet Firewall Personal Edition" and "Kingsoft Network Firewall". Several of these products provide not only network firewall functions but also file access control and process creation protection; this article, however, compares only their network protection functions.

The first is SkyNet Firewall, my favorite firewall when I was at school: simple and easy to use. This time I used SkyNet Firewall Personal Edition (trial_release_v3.0_build1213), but the result was disappointing. SkyNet is a pure TDI firewall. The device drivers loaded after SkyNet starts:

Figure 1 SkyNet firewall device driver loading

A TDI-layer firewall can work in two ways. One is to attach a filter driver to the devices of the TCP/IP protocol driver; simply put, a request sent to the TCP/IP driver is first delivered to the filter. The other is to hook the TCP/IP driver's dispatch functions directly. Of the two, the first is easier to bypass: when a driver-level Trojan or rogue program locates the TCP/IP driver and sends its requests there directly, the attached filter driver never sees them. SkyNet's driver is an attach-type filter driver, so besides sending requests directly to the TCP/IP driver there is another way to make SkyNet completely ineffective: detach the mounted filter driver. Look at the following code:

    VOID BypassAttachDevice(PDEVICE_OBJECT DeviceObject)
    {
        /* Walk every device object owned by the protocol driver */
        PDEVICE_OBJECT CurrentObj = DeviceObject;

        while (CurrentObj != NULL)
        {
            /* Clearing AttachedDevice unlinks whatever filter was stacked on top */
            CurrentObj->AttachedDevice = NULL;
            CurrentObj = CurrentObj->NextDevice;
        }
    }

As long as a Trojan running at driver level calls BypassAttachDevice() on the TCP/IP device driver, SkyNet, and every firewall using this technique, is reduced to a mere formality. I wrote a driver to verify this. First, I disabled Internet Explorer's network access in SkyNet's settings; in this state, Internet Explorer's access is blocked:
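As an added illustration from the defender's side (not the post's driver; every name here is hypothetical), a user-mode model of the device chain the bypass walks, with the integrity check a firewall could run to notice that its filter has been unlinked instead of silently reporting no traffic:

```c
#include <stdbool.h>
#include <stddef.h>
/* Added user-mode model (not the post's driver code) of the device-object chain an
 * attach-type TDI filter sits on. Only the two DEVICE_OBJECT fields the bypass above
 * touches are modelled; every name here is hypothetical. */
typedef struct device_object {
    const char *name;                       /* e.g. "\\Device\\Tcp" (constructed) */
    struct device_object *attached_device;  /* filter stacked on top, NULL if none */
    struct device_object *next_device;      /* next device created by the same driver */
} device_object_t;

#define MAX_ATTACH 8
typedef struct {
    device_object_t *target[MAX_ATTACH];    /* protocol device the firewall attached to */
    device_object_t *filter[MAX_ATTACH];    /* the filter device it placed on top */
    size_t n;
} attach_record_t;

/* Attach one filter to every device in the protocol driver's chain and remember each
 * pairing, as a firewall would at install time. */
static void attach_to_chain(attach_record_t *rec, device_object_t *first, device_object_t *filters) {
    size_t i = 0;
    for (device_object_t *d = first; d != NULL && i < MAX_ATTACH; d = d->next_device, i++) {
        d->attached_device = &filters[i];
        rec->target[i] = d;
        rec->filter[i] = &filters[i];
    }
    rec->n = i;
}

/* Periodic self-check: count devices whose AttachedDevice no longer points at the
 * recorded filter. Non-zero means the filter was unlinked and the firewall should alarm. */
static size_t count_detached_filters(const attach_record_t *rec) {
    size_t detached = 0;
    for (size_t i = 0; i < rec->n; i++)
        if (rec->target[i]->attached_device != rec->filter[i]) detached++;
    return detached;
}

/* Constructed chain in tcpip.sys style: Tcp -> Udp -> RawIp, plus three filter devices. */
static device_object_t g_rawip = { "\\Device\\RawIp", NULL, NULL };
static device_object_t g_udp   = { "\\Device\\Udp",   NULL, &g_rawip };
static device_object_t g_tcp   = { "\\Device\\Tcp",   NULL, &g_udp };
static device_object_t g_filters[3] = { { "FwFilter0", NULL, NULL }, { "FwFilter1", NULL, NULL }, { "FwFilter2", NULL, NULL } };
static attach_record_t g_rec;

/* Install the filters and run the first check; returns 0 on a healthy stack. */
static size_t install_and_check(void) {
    attach_to_chain(&g_rec, &g_tcp, g_filters);
    return count_detached_filters(&g_rec);
}
```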

Figure 2 SkyNet firewall blocks IE from accessing the network

Then I used the driver loading test tool to load the driver I compiled (the loading tool, the driver and instructions for use are attached, so you can test whether your own firewall is secure); suppose this is a Trojan or rogue program running in the kernel:


Figure 3 load the bypass driver

After it runs, the firewall no longer takes effect. Check whether IE can access the network: not only IE, but every prohibited program can now access the network:


Figure 4 network firewall failure

Conclusion: I'm really disappointed.

Next, let's look at Kingsoft Network Firewall. This is what my friends like to use, and they have always said it is easy to use. This time I used the version included in Kingsoft Security Suite 2008. Let's look at its driver loading:


Figure 5 Kingsoft Network Firewall driver loading

This is also a TDI filter driver that does not work at the NDIS layer, so the previous tool bypasses it just as easily.

Next is Rising Personal Firewall, version 2008. At the TDI layer, Rising's driver uses a TDI hook rather than an attached filter, and it also hooks at the NDIS layer. Let's first look at the situation at the TDI layer:


Figure 6 TDI hook of the Rising driver

Let's look at the hook situation at the NDIS layer:

Figure 7 NDIS hook of the Rising driver

From the driver's perspective, Rising's firewall is much better than the first two. I tried to manually restore the hooked functions; after restoring them the prompt "XX program wants to access the network" was no longer displayed, but the program still could not access the network. If you are interested, you can study it further.

Now Kaspersky. This time Kaspersky Internet Security 6.0 was used. From the driver perspective, Kaspersky uses a TDI filter driver + NDIS hook:


Figure 8 Kaspersky driver loading

However, Kaspersky's NDIS hook may only be used to analyze the data passing through, or may exist for other functions. In short, this program bypasses Kaspersky's firewall function.

Next, Ice Shield. Ice Shield is a server firewall; this time Ice Shield 8.1 build 60214 was used. Judging from the driver loading, Ice Shield uses an NDIS intermediate driver without hooks and handles nothing at the TDI layer. After all, it is not a personal firewall, so there is no need to work at the TDI layer (this is my opinion). The advantage of working at the NDIS layer is that it can detect rootkit Trojans working at the TDI layer. However, for personal computer users Ice Shield's design is not very useful (or rather hard to understand, compared with other firewall software), and an intermediate driver is also easily hooked: a rootkit Trojan can hook its processing functions, for example pointing them at an empty function, which paralyzes the intermediate driver.

The last one is Cloud Firewall, which I found on the Internet and had never heard of before. Official version v1.26 was used. Besides the firewall function, this software has many additional functions, such as file access monitoring and registry access monitoring. However, its network firewall uses the same approach as Kaspersky and can be bypassed in the same way.

According to these results, these firewalls have no problem controlling application-level access, but they have many problems with Trojans and rogue software that also work at the kernel level; only Rising's firewall does better. The other products are quite disappointing, especially SkyNet. Finally, it should be emphasized that even Rising's TDI hook + NDIS hook approach is not necessarily secure, because application-level network access control is still too coarse-grained: if a rootkit injects a Trojan into a process the firewall allows to access the network, the Trojan can access the network right under the firewall's nose, as some IE BHO plug-ins do.

Driver Loading Test Tool and bypass driver download


Appendix: How to Use the driver Loading Test Tool and bypass driver

First, copy hook_test.sys to the Windows system driver directory (on Windows XP this is usually C:\Windows\system32\drivers). Then run drv_test.exe, enter the complete path of the driver file hook_test.sys in the "driver file location" field, and enter a driver name in the "driver name" field. This is important because the driver name is needed later to start, stop and uninstall the driver, but it does not have to be "hook_test"; any display name will do. After entering the information, click "Install driver". If there is no error, click "Start driver" to start it. Now you can test your firewall software. The test is very simple: run a program that accesses the network. If the firewall is working, a message asks whether to block the program from accessing the network; if the firewall has failed, no prompt appears. To uninstall the driver, click "Stop driver" and then "Uninstall driver".
