

jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
kudos:1

New 'Leaktest': Firewall Termination!

EvilMFC.zip 147,173 bytes  
Ok, if you've followed this thread:»[In the process of a new leaktest...] Firewalls...
you would know that I'm trying out a new leaktest that attempts to terminate firewall products before running a leak....

The attachment is a ZIP archive, because the program consists of two files...

1) EL_FirewallList.txt: This is a text file containing a list of processes to terminate. If you find that your firewall's process isn't in there, add it for a fair test. The file is NOT case sensitive. Each process goes on its own line. You may also start a comment (at the beginning of a line) with the '@' symbol.

2) EvilLeaker.exe: The main program .EXE

This program was created with Borland CBuilder, and I'm not too familiar with CB. If there are any problems, let me know. I'd be happy to fix them.

--

Attention Windows NT, 2000, and XP users:

If you get a bunch of 'Permission failed' messages, then try my Services Version here: »New 'Leaktest': Firewall Termination! (just a little below, if you like scrolling)

This one executes as a service... more powerful!

--


Edit: Re-uploaded EvilLeak, this time with the missing BPL inside the .ZIP.... Stupid Borland packages!
Edit 2: Finally got everything right! I promise!


Edit 3: Re-wrote the entire program with Visual C++ / MFC. From 5MB of nonsense .BPL's down to 280KB... this is much much better...
--
Word of advice: Never trust a doctor whose office plants have died...

P.S.: Thank you, Optimized, for making me premium!

[text was edited by author 2003-07-08 14:40:09]

[text was edited by author 2003-07-08 16:33:19]

[text was edited by author 2003-07-08 21:19:00]

[text was edited by author 2003-07-08 21:44:22]


jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
kudos:1

Norton's Results.......SUCCESS!

As far as results:

NIS/NPF (2003) PASSED, the program could not terminate the firewall services ('permission denied'), but it was able to terminate the tray icons...

Once the tray icons were down, new apps were automatically blocked from internet, but trusted apps still could access the internet! Great job, Norton!
--
Word of advice: Never trust a doctor whose office plants have died...

P.S.: Thank you, Optimized, for making me premium!

[text was edited by author 2003-07-08 14:41:30]


anonyie

@covad.net

reply to jdong

Re: New 'Leaktest': Firewall Termination!

Missing a .dll file, VCL60.bpl.

Shoddy Work, Mate.


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

reply to jdong

Re: Norton's Results.......SUCCESS!

C'mon, let's get with the program! Was it NIS or NPF? What release (and with what updates installed)? What OS? What settings? (Specifically, what about component control and application launch control, if you're testing NIS/NPF 2003?)

If you don't provide this kind of information, you're going to get ad nauseam comments about "It doesn't pass for me!"
--
Regards, Joseph V. Morris


MattUK
Premium
join:2003-03-23
UK

reply to jdong

Re: New 'Leaktest': Firewall Termination!

It's not shoddy work. Let's see yours then.

Fool.
Great one jdong!
--
Music is Spiritual. The music business is not


jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
kudos:1

reply to anonyie

said by anonyie:
Missing a .dll file, VCL60.bpl.

Shoddy Work, Mate.
I'll get that incorporated into the ZIP right now...

Sorry about that. As I said before, I'm not too familiar with Borland's VCL.
--
Word of advice: Never trust a doctor whose office plants have died... P.S.: Thank you, Optimized, for making me premium!


jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
kudos:1

reply to jdong
If that doesn't work, download the following libs:

»www.prokon.com/win/VCL60.ZIP

This should be the full VCL libs... Either stick that in your Windows\System32 folder OR stick it in the EvilLeak folder.
--
Word of advice: Never trust a doctor whose office plants have died... P.S.: Thank you, Optimized, for making me premium!



Lucif4
Premium
join:2000-12-12

"A required .DLL file, BCBIE60.BPL, was not found."
--
Aim low, shoot high.



jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
kudos:1

reply to jdong
Ok, I got my VM back up, and tested it there. Found lots of DLLs and BPLs that I needed. So, I finally got everything working! Edited attachments for this to work. Now in SFX RAR format to squeeze that size...

THUMBS DOWN BORLAND

Deploying an MFC program took no more than a single (optional) DLL...

To everyone who had to go through the trouble of downloading the non-functioning test, I deeply apologize. This will be OFFICIALLY the last time I use a Borland product.
--
Word of advice: Never trust a doctor whose office plants have died...

P.S.: Thank you, Optimized, for making me premium!

[text was edited by author 2003-07-08 16:35:25]



MattUK
Premium
join:2003-03-23
UK

reply to jdong
Dev C++ from bloodshed, freeware and a great IDE > www.bloodshed.net
--
Music is Spiritual. The music business is not



jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
kudos:1

said by MattUK:
Dev C++ from bloodshed, freeware and a great IDE > www.bloodshed.net

Yes, I've used it. I personally like VS.NET 2003 Ent Arch better... Good old MSDN universal...

I just decided to go creative and test an IDE I haven't used in ages... borland sucks.
--
Word of advice: Never trust a doctor whose office plants have died... P.S.: Thank you, Optimized, for making me premium!

LowWaterMark
Premium
join:2002-05-16
Wallingford, CT

reply to jdong

 
 
This was interesting to try out because I haven't tested ZAP's (or ZA+'s) client and fail/closed protection for the past few versions of the product, so this gave me an excuse to see how it's working now.

Running on Windows XP and with ZA+ 4.0 in its default installation settings, neither the vsmon.exe nor zaplus.exe (I had to add this name to the list) were killed by the EvilLeaker program. See first two images. Just to make sure the program was able to kill processes, I added notepad.exe to the list and confirmed it killed that without difficulty (image 3).

Then I wondered just what was protecting the zaplus.exe process and retested it after disabling in zaplus its "Protect the ZoneAlarm Plus client" setting (image 4). This indeed allowed EvilLeaker to then kill the zaplus.exe client. At this point, the vsmon firewall component was still running and still blocking the leaktest from getting out on to the Internet.

It's good to know that the client protection setting in the new ZAP actually does something. How it does it, I don't know, but it does somehow protect the client from being killed. As for vsmon.exe, I don't know why that isn't being killed. It does run as a service on XP, perhaps that is why.
--
Use the most powerful combo Firewall/AV/AT package available - "Common Sense" - It can be upgraded daily!
[text was edited by author 2003-07-08 18:50:19]


jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
kudos:1

reply to jdong
Yes, no services may be killed by a user-launched program... (taskmanager seems to be a strange exception...)

I'm experimenting with NT Services, if I can install my program as a service, then I have system-account privs

Meanwhile, it would be interesting to hear from some win9x/me users.
--
Word of advice: Never trust a doctor whose office plants have died... P.S.: Thank you, Optimized, for making me premium!


Tablet
Premium
join:2003-01-15
Czech

A very good test I must admit. The test failed with NIS 2003 on WinXP Pro with exactly the same symptoms as Jdong described in his case. Frankly I was quite surprised that NIS survived this test, as it does not mention anywhere that it is protected against turning off.



jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
kudos:1

reply to jdong
Thank everyone for their support. I'm currently cut-and-pasting my Borland code into Visual C++ 2003... I'm officially an MFC guy...



jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
kudos:1

reply to jdong
This program has been rewritten with MFC now. I've updated the ZIP file (yes, back to a ZIP file) and the screenshot to reflect that.

Note that unzipped, the old version was about 6MB with the BPL's. The MFC one, natively running under Windows, was only 280KB. Wow!
--
Word of advice: Never trust a doctor whose office plants have died... P.S.: Thank you, Optimized, for making me premium!



n0mad
Let Go Of My Ears, I Know What I'M Doing
Premium
join:2002-12-10
Pearl, MS

reply to jdong
Ok, ran the leaktest. First, SMC.exe would not let itself be shut down. I believe, however, that the POP3 proxy for email was shut down by your program. At least I got a message saying it was shut down. Nothing else of note except when your program tried to access those 6 yahoo sites Sygate asked if this was allowed and I of course denied permission.

I use Sygate Pro 5.1 build 1615s

PC-cillin 2003 Program version 10.03 Build 1072
Engine Version 6.51
Pattern Version 585
RealScan Loaded

XP Home Edition version 5.1.2600
SP1, build 2600

I also have Pestpatrol Standard
version:06/23/2003 4.2.0.40
Memory Scan not loaded

TDS-3 V3.2.0 Execution protection Installed

Interesting Test JDong and I hope this information will help you in your experiments.


--
“Cry ‘HAVOC’ and let slip the dogs of war!”



jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
kudos:1

reply to jdong

EvilLeaker.zip 164,390 bytes
Ok, here's the Services version of Evil Leaker (runs under NT/2k/XP ONLY! of course!)
It runs under the local System Account, and can terminate Any process that Service Manager can! To use:

1) Unzip contents of file to C:\EvilLeaker\. You must use this path, or prepare to do some BAT and INI editing! LOL

2) Run "Install EvilLeaker As A Service.bat". The batch file registers a service called 'ELS' (a TLA: Evil Leaker Service) under Windows, then runs it.

3) Watch your firewall get assassinated!

4) When you're done, run the Uninstall batch file. It will stop the service and remove it. It may require a reboot to fully remove (it didn't for me on XP though...)

Norton Internet Security 'failed' this test. All of its services were terminated. But it did block ALL internet access!, so that's good.
--
Word of advice: Never trust a doctor whose office plants have died... P.S.: Thank you, Optimized, for making me premium!
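
Added example (not part of the thread and not any poster's code): a defender-side check for the sequence described in the post above, where a newly installed service is followed by security processes exiting. The watchlist reuses the list format described in the first post; the event records, their field layout and the 60-second window are constructed assumptions, not a real Windows log format.

```python
from datetime import datetime, timedelta

# Constructed watchlist in the list format described in the thread:
# one process per line, case-insensitive, '@' at line start is a comment.
WATCHLIST_TEXT = """@ security processes named in this thread
vsmon.exe
ZAPLUS.EXE
smc.exe
"""

# Constructed, simplified event records (time, kind, name, account),
# assumed to be sorted by time. Not a real Windows event log format.
EVENTS = [
    ("2003-07-08 21:00:05", "process_exit", "notepad.exe", "user"),
    ("2003-07-08 21:10:00", "service_install", "ELS", "LocalSystem"),
    ("2003-07-08 21:10:02", "process_exit", "zaplus.exe", "LocalSystem"),
    ("2003-07-08 21:10:03", "process_exit", "VSMON.EXE", "LocalSystem"),
    ("2003-07-08 23:30:00", "process_exit", "smc.exe", "user"),
]

def parse_watchlist(text):
    """Return the lower-cased process names, skipping '@' comments and blanks."""
    names = set()
    for line in text.splitlines():
        if line.startswith("@"):
            continue
        line = line.strip()
        if line:
            names.add(line.lower())
    return names

def find_alerts(events, watchlist, window=timedelta(seconds=60)):
    """Flag exits of watched processes; 'high' if a service was installed
    within `window` before the exit, otherwise 'medium'."""
    alerts = []
    last_install = None  # (time, service name) of the most recent install
    for stamp, kind, name, _account in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if kind == "service_install":
            last_install = (when, name)
        elif kind == "process_exit" and name.lower() in watchlist:
            suspect = None
            if last_install and when - last_install[0] <= window:
                suspect = last_install[1]
            alerts.append((name.lower(), "high" if suspect else "medium", suspect))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS, parse_watchlist(WATCHLIST_TEXT)):
        print(alert)
```
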


Vampirefo
Premium,MVM
join:2000-12-11
Huntington, WV
kudos:1

reply to jdong

test.zip 106,340 bytes
(test.exe)
Why not just use the net stop cmd? Then kill the process; here is a small example. I don't know all the services, nor the processes run by each firewall.
--
TrojanHunter Stands For Privacy!!!!!!!


[text was edited by author 2003-07-08 22:21:14]

kontendr

join:2003-05-22

reply to jdong
Well, I tried your new Leaktest program and it failed to load on my system consisting of...

WinXPPro (all updates installed)
Kerio v3 b6

The program did not load as your screen shot illustrates. Nothing happened.

Should I download and try the newest link to the file you have posted?

© 1999-2012 dslreports.com.