Hi
Comodo developers have created a new set of security tests. The Comodo HIPS and Firewall Leak Test Suite contains five new tests that simulate a range of dangerous exploits – including Root Kits, Background Intelligent Transfer attacks and process injection attacks.
The suite is available for download here:
http://download.comodo.com/securitytests/CLT.zip (extract zip to local drive and open clt.exe )I've also attached the zip file to this post
Developer Notes:
Rootkit Installation 1 - Loads a driver in via ZwSetSystemInformation API. A very old, known and effective way to install a rootkit.
Rootkit Installation 2 - Loads driver by overwriting a standard driver (beep.sys) and starting it with service control manager (e.g. Trojan.Virantix.B).
DLL Injection 1 - Injects DLL into trusted process (svchost.exe) by injecting APC on LoadLibraryExA with "dll.dll" as a param. The string "dll.dll" is not written into process memory, it's from the ntdll.dll export table which has the same address in all processes. The APC is injected into second thread of the svchost.exe which is always in alertable state.
DLL Injection 2 - An old technique. The DLL is injected via remote thread creation in the trusted process, without using WriteProcessMemory.
BITS Hijack - Downloads a file from the internet using "Background Intelligent Transfer Service" which acts from the trusted process (svchost.exe)
The tests can be automatically run in sequence by selecting 'Run all Tests' or run individually. The GUI provides clear, color coded indication on whether target systems are vunerable or protected.
Please take a look at the new tests - all feedback greatly appreciated.
Paul
[attachment deleted by admin]