Leaktest information
Website : http://www.firewallleaktester.com
Author : Guillaume Kaddouch
Dates : March 2006 (v1.0)
Categories : launcher, DLL injection, Registry 'injection'
Download : Jumper.exe (View EULA)
MD5 : 2F615D1007B5A1E1FFF6E5CB5041DFBF
SHA-1 : 4972154DB17A97533B5BBA173E2A7AE6F2F2DD26
Operating System : 2000/XP


Leaktest description
The usual firewall bypass methods, such as DLL injection and thread injection, are now within the scope of personal firewalls, and some of them provide generic protection against such activity.

Instead of writing into the target process's memory directly, Jumper makes the target load the foreign DLL by itself. It writes its DLL name to the 'AppInit_DLLs' registry value (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, a list that user32.dll loads into every process it is mapped into), then kills explorer.exe, which Windows restarts automatically. The new explorer.exe therefore loads Jumper's DLL at startup, and no cross-process memory write ever happens.

Once inside explorer.exe, the DLL cannot simply start IE with the data on its command line, because launching IE with command-line parameters is watched. Instead it writes everything it wants to transmit (in our case the URL plus the string 'CouldHaveBeenPersonalInformation') into IE's start page registry entry (HKCU\Software\Microsoft\Internet Explorer\Main, value 'Start Page') and then launches IE with no arguments; IE fetches its start page and carries the data out.

At the end, IE's parent process is Windows Explorer, as expected (it is the parent of everything you launch manually), and the final target process, Internet Explorer, has not been modified or attacked in any way.



Meaning
If the test succeeds, your firewall is not monitoring the critical registry entries: nothing stopped the AppInit_DLLs value or IE's start page from being rewritten.

Arguably this is not a firewall's job, and dedicated kernel-level registry protectors exist for it, but data can still be sent out this way. Interestingly, ZoneAlarm Pro already monitors IE's start page registry entry, so the idea of a firewall watching network-related registry entries has already occurred to firewall vendors.
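The two registry locations described above can be checked by hand. The following PowerShell script is an added example, not part of the Jumper leaktest or of firewallleaktester.com: it lists the AppInit_DLLs value (both the native and the Wow6432Node copy on 64-bit hosts), checks whether each listed DLL exists and is Authenticode-signed, reads IE's 'Start Page', and flags a start page that carries a query string, which is how Jumper smuggles its payload. The key and value names are the documented Windows ones; the 'suspicious' heuristics and the optional -Harden switch are this example's own choice. LoadAppInit_DLLs and RequireSignedAppInit_DLLs did not exist on 2000/XP (they appeared in Vista and Windows 7 respectively), so on the operating systems the test targets they simply print as empty.

```powershell
<#
  Audit the registry entries the Jumper leaktest abuses.
  Added example (not the leaktest's own code). Key and value names are the
  documented Windows ones; the heuristics and the -Harden switch are mine.
  Run from an elevated PowerShell prompt: HKLM writes need administrator rights.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Harden)

# AppInit_DLLs lives under the per-bitness "Windows" key; 64-bit hosts have both.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
) | Where-Object { Test-Path $_ }

# IE start page: the entry Jumper's DLL rewrites to carry data out.
$ieMainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

foreach ($key in $appInitKeys) {
    $p = Get-ItemProperty -Path $key
    Write-Host "== $key"
    Write-Host ("  AppInit_DLLs              : '{0}'" -f $p.AppInit_DLLs)
    Write-Host ("  LoadAppInit_DLLs          : {0}" -f $p.LoadAppInit_DLLs)          # Vista+: 1 = loading enabled
    Write-Host ("  RequireSignedAppInit_DLLs : {0}" -f $p.RequireSignedAppInit_DLLs)  # Win7+: 1 = signed DLLs only

    # The value is a space- or comma-separated list of DLL names or paths.
    $dlls = ($p.AppInit_DLLs -split '[ ,]+') | Where-Object { $_ }
    foreach ($dll in $dlls) {
        # A bare name is resolved where LoadLibrary would look first: System32.
        $path = if (Test-Path $dll) { (Resolve-Path $dll).Path }
                else { Join-Path $env:SystemRoot "System32\$dll" }
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            Write-Warning ("AppInit DLL present: {0} (signature: {1}, signer: {2})" -f
                $path, $sig.Status, $sig.SignerCertificate.Subject)
        } else {
            Write-Warning "AppInit DLL listed but not found on disk: $dll"
        }
    }

    # Hardening (Vista/Win7+ only): stop loading AppInit DLLs, and require
    # signatures if loading is ever re-enabled.
    if ($Harden -and $PSCmdlet.ShouldProcess($key, 'Disable AppInit_DLLs loading')) {
        Set-ItemProperty -Path $key -Name LoadAppInit_DLLs          -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name RequireSignedAppInit_DLLs -Value 1 -Type DWord
    }
}

# Start page: a URL with a query string is how Jumper transmits its payload.
$start = (Get-ItemProperty -Path $ieMainKey -ErrorAction SilentlyContinue).'Start Page'
Write-Host "== $ieMainKey"
Write-Host "  Start Page: '$start'"
if ($start -match '\?') {
    Write-Warning "Start Page carries a query string; inspect it for exfiltrated data: $start"
}
```

Run it as `.\Audit-Jumper.ps1` to report, and `.\Audit-Jumper.ps1 -Harden -WhatIf` to preview the writes before applying them. This is a point-in-time check; the continuous form of the same idea, which the Meaning section says a firewall may or may not provide, is a registry-monitoring tool (a kernel registry protector, or Sysmon's RegistryEvent logging) watching writes to the AppInit_DLLs value and to IE's 'Start Page'.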
