Exetools

Source: https://forum.exetools.com/showthread.php?t=8174 (General Discussion)

redbull 09-20-2005 15:43

Interesting Code for Windows XP SP2 Firewall
 
Hi Guys,

I found some juicy articles on the web on bypassing or programming with Windows XP SP2 Firewall

hxxp://weblogs.asp.net/sjoshi/archive/2004/07/07/175309.aspx
hxxp://danagonistes.blogspot.com/2004/06/windows-xp-service-pack-2-and-windows.html
hxxp://www.unixwiz.net/techtips/xp-sp2.html

Enjoy

xtiaoshi 09-20-2005 15:58

Collecting and collating this material is not easy; it is laborious. Extremely good material.

sgdt 09-21-2005 05:12

Have a look at
Code:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
in the keys
Code:

AuthorizedApplications\List
and
Code:

GloballyOpenPorts\List
Using "GetModuleFileName", "RegCreateKey", "RegSetValueEx", and "RegCloseKey", you can add yourself to the approved list. Do this before creating your socket to keep your program from being suspended.

I've found that even with your application name in AuthorizedApplications, the program will still be suspended if you do UDP broadcasting; that's why I also mentioned GloballyOpenPorts.

The format of the values is (for AuthorizedApplications):
Code:

        // value name = full path of the executable; value data = "<path>:<scope>:Enabled:<display name>" ("*" = any remote address)
        int nValueLen = wsprintf( szRegValue, "%s:*:Enabled:%s", szFileName, szProgBaseName );
        // for REG_SZ the data size passed to RegSetValueEx must include the terminating NUL
        RegSetValueEx( hKey, szFileName, 0, REG_SZ, (PBYTE) szRegValue, nValueLen + 1 );

and (for GloballyOpenPorts):
Code:

        // value name = "<port>:<protocol>"; value data = "<port>:<protocol>:<scope>:Enabled:<display name>"
        const char* szEnableMe = "1234:UDP:*:Enabled:Happy Program";
        // REG_SZ data size includes the terminating NUL, hence strlen() + 1
        RegSetValueEx( hKey, "1234:UDP", 0, REG_SZ, (PBYTE) szEnableMe, strlen(szEnableMe) + 1 );

(where 1234 is the port, and "Happy Program" is the program wanting to use it).

If your program will always be at a specified location, you can even use a .REG file.
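A defender-side counterpart to the two value formats above, added here as an example and not part of sgdt's post: it parses a `reg export` of the AuthorizedApplications\List and GloballyOpenPorts\List keys and flags the enabled exceptions a self-registering program typically leaves behind. The sample export is constructed; the Temp-directory executable and the "Happy Program" entries are hypothetical.

```python
import re
from collections import namedtuple
# Constructed sample in `reg export` syntax for the two lists named above;
# the Temp-directory executable and the "Happy Program" entries are made up.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svch0st.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svch0st.exe:*:Enabled:Happy Program"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"1234:UDP"="1234:UDP:*:Enabled:Happy Program"
'''

# kind: "app" or "port"; scope: "*" (any remote address), "LocalSubNet", or an address list
FirewallException = namedtuple('FirewallException', 'kind target scope enabled name')
# path:scope:Enabled:name -- the path contains "C:", so match it lazily; scope is the colon-free field before Enabled/Disabled
APP_RE = re.compile(r'^(.+?):([^:]+):(Enabled|Disabled):(.*)$')
PORT_RE = re.compile(r'^(\d+):(TCP|UDP):([^:]+):(Enabled|Disabled):(.*)$')
REG_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def reg_unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # reg export writes \\ for \ and \" for "

def parse_reg_export(text):
    entries, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = REG_LINE_RE.match(line)
        if not m or key is None:
            continue
        value = reg_unescape(m.group(2))
        if key.endswith(r'AuthorizedApplications\List') and (a := APP_RE.match(value)):
            entries.append(FirewallException('app', a[1], a[2], a[3] == 'Enabled', a[4]))
        elif key.endswith(r'GloballyOpenPorts\List') and (p := PORT_RE.match(value)):
            entries.append(FirewallException('port', f'{p[1]}/{p[2]}', p[3], p[4] == 'Enabled', p[5]))
    return entries

TRUSTED_DIR_PREFIXES = ('c:\\program files\\', 'c:\\windows\\')

def audit(entries):
    # Flag enabled exceptions outside the usual install directories, or ports open to everyone.
    findings = []
    for e in entries:
        if e.enabled and e.kind == 'app' and not e.target.lower().startswith(TRUSTED_DIR_PREFIXES):
            findings.append((e, 'authorized executable outside Program Files / Windows'))
        elif e.enabled and e.kind == 'port' and e.scope == '*':
            findings.append((e, 'port opened to any remote address'))
    return findings
```

Feed it the output of `reg export` on the StandardProfile key (or a .REG file like the one sgdt mentions) to see which entries were added outside the normal installer path.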

aldente 09-21-2005 05:38

Nice. One more weak personal firewall - just like all personal firewalls. The good thing about the others is that no one has to use them. This one is integrated into the operating system (although it can be turned off). I don't like the way Windows develops into an operating system for stupid dumbasses, with automated updates, integrated firewall, and all that crap. A software engineer developing a network tool has to cope with these "great features", has many more service requests (because many of the super-intelligent customers deny all network access for the program - "to be safe"), and in the end pays the bill for Microsoft - just because there are so many idiots out there who continuously turn their machines into virus-spreading engines...

redbull 09-21-2005 19:13

Very nice SGDT...

Windows XP firewall is a total joke!

and with all personal firewalls, all you have to do is inject your code directly into Internet Explorer's EXE and you will bypass most of them anyway (because people ignore traffic caused by IE)

Unforgiv3N 09-21-2005 21:42

Nice Information, Thanks!

MaRKuS-DJM 09-22-2005 23:51

but you should not forget that most new firewalls catch memory written into other processes and block it.

ancev 09-23-2005 01:55

hi,

as redbull said, bypassing firewalls is very easy by injecting code into the browser process...

so, below is my code for doing that, in C

it creates the default browser as a suspended process, overwrites the entry point with code that loads all the DLLs our process will need (which can be different from the ones the browser loads), and then signals that we can continue, overwriting the whole browser memory image with our own

so, with this routine, we don't need delta or similar hacks... any program (with a smaller memory image than the browser) can run with the browser's inet permissions

vecna

ps: contrary to what MaRKuS-DJM said, I guess that some firewalls hook CreateRemoteThread(), and not memory writes... I still haven't found problems with the code below

