August 8th, 2004, 12:39 PM
Process Authentication + Process Injection
Hello people, this is my first post, so please be as harsh as you can (yes, flame me if I am writing bull). I have exhausted the resources available to me (Google, a couple of books) but still haven't come up with an answer.
Here are my questions and my assumptions (Please correct assumptions or give answers when possible):
I have encountered something called a fingerprint of a program (usually an executable file, although other files have fingerprints as well), which is used by firewalls in order to verify that a program is what it poses as. I also understand a checksum can be used for the same purpose. Are fingerprint and checksum the same? If yes, then what exactly is the checksum of a program? How do we get it, produce it? I understand that this can later be encrypted so it will not be easy to spoof. If I feed the firewall with the encryption output of that program, then won't I be able to fool the firewall? How exactly does this entire process authentication take place? Is there another way for the firewall to authenticate a process (besides name and the target folder it runs from)?
My drive for asking these questions is that I fell upon something called a process injection attack. Can a process injection attack be stopped by a firewall? How does process injection work exactly (what I know is that the leak process injects itself into the address space of a legal process)?
Thank you in advance
P.S Should I have started two threads (process authentication, process injection)?
August 8th, 2004, 01:39 PM
Well I guess a fingerprint in this case is how the application is supposed to behave.
A checksum is for example md5 (commonly used today):
On linux/unix there should be a tool installed by default which generates md5 hashes.
[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.
In essence, MD5 is a way to verify data integrity.
For windows, they are free to download, just google.
How does process injection work exactly (what I know is that the leak process injects itself into the address space of a legal process)
Current firewalls cannot block such activity. Note that this is for bypassing outbound detection.
The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post's content
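The checksum-based program verification the reply above describes, as an added example that is not part of this thread: a hypothetical firewall rule table (the class, the paths and the secret bytes are all constructed for the demo) records a keyed fingerprint when a program is allowed and recomputes it from the bytes on disk on every later check, so a modified binary or a copy run from another folder no longer matches.

```python
import hashlib
import hmac

# Constructed stand-ins for an executable's bytes (not a real binary).
ORIGINAL_PROGRAM = b"MZ\x90\x00 constructed demo executable, build 1\n"
TROJANED_PROGRAM = b"MZ\x90\x00 constructed demo executable, build 1?\n"  # one byte changed
FIREWALL_SECRET = b"constructed secret held by the firewall, never given to programs"


def checksum(data: bytes, algorithm: str = "sha256") -> str:
    """Unkeyed fingerprint: a digest over the whole file image.
    The reply names md5; sha256 is the default here because md5 collisions are practical today."""
    return hashlib.new(algorithm, data).hexdigest()


def keyed_fingerprint(data: bytes, key: bytes) -> str:
    """Keyed fingerprint (HMAC): producing a matching value requires the
    firewall's key, so a program cannot simply hand one over."""
    return hmac.new(key, data, "sha256").hexdigest()


class ProgramRuleTable:
    """Hypothetical firewall rule store: program path -> fingerprint recorded
    when the user first allowed that program."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._rules = {}

    def allow(self, path: str, image: bytes) -> None:
        self._rules[path] = keyed_fingerprint(image, self._key)

    def is_allowed(self, path: str, image_on_disk: bytes) -> bool:
        # The firewall recomputes the fingerprint from the bytes on disk; it never
        # accepts a digest supplied by the process, so a spoofed value is useless.
        expected = self._rules.get(path)
        if expected is None:
            return False  # unknown program, or a known program run from another folder
        actual = keyed_fingerprint(image_on_disk, self._key)
        return hmac.compare_digest(expected, actual)


def demo() -> dict:
    table = ProgramRuleTable(FIREWALL_SECRET)
    table.allow("C:/Program Files/Demo/demo.exe", ORIGINAL_PROGRAM)
    return {
        "same program, same path": table.is_allowed("C:/Program Files/Demo/demo.exe", ORIGINAL_PROGRAM),
        "modified binary, same path": table.is_allowed("C:/Program Files/Demo/demo.exe", TROJANED_PROGRAM),
        "same program, moved": table.is_allowed("C:/Temp/demo.exe", ORIGINAL_PROGRAM),
        "plain checksum differs": checksum(ORIGINAL_PROGRAM) != checksum(TROJANED_PROGRAM),
    }
```

This check only ever sees the file image, so code injected into the memory of an already-allowed process leaves nothing for it to notice, which is the gap the reply points at.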
August 13th, 2004, 05:25 PM
Thanks for the help el-half, the link does not work but I managed to find the article
in Phrack issue 62 (good thing that they use URLs with logical coherence). Excellent link containing everything on process injection. If you come up with any idea about my other queries please post here or PM me.