8 avril 2006
IDS for home users screenshots
Securepoint IDS
X-Ray IDS
Easy-Guard Intrusion Alert
An example of Packet Spoofer
Publicité
Publicité
14 décembre 2005
HackerDefender Driver Tracking
Load32 Start=B63B2000 Size=03E700 MOD=IRPDRV.SYS
===============================================================================
======================== Begin Trace IRPDRV Operations ========================
===============================================================================
>> IRP_MJ_CREATE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:FFA76638, Proc:hxdef100.exe, Thr:6E4
FileObject: 80E132C0
> SecurityContext: B64BBA88
| SecurityQos: 80EBC320
| | Length: C
| | ImpersonationLevel: SecurityImpersonation
| | ContextTrackingMode: SECURITY_DYNAMIC_TRACKING
| +-------EffectiveOnly: 1
|
| AccessState: 80EBC288
| | OperationID: 0000000000084337
| | SecurityEvaluated: 0 (False)
| | GenerateAudit: 0 (False)
| | GenerateOnClose: 0 (False)
| | PrivilegesAllocated: 0 (False)
| | Flags: 1
| | RemainingDesiredAccess: 0 (0x0)
| | PreviouslyGrantedAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
| | OriginalDesiredAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
| |
| | SubjectSecurityContext: FED5EC20
| | | ClientToken: 00000000
| | | ImpersonationLevel: 00000000 (SecurityAnonymous)
| | | PrimaryToken: E1D04DE0
| | +---------ProcessAuditId: 000006BC
| | SecurityDescriptor: 00000000
| | AuxData: 80EBC33C
| | AuditPrivileges: 00000000
| | ObjectName: (NULL)
| +----------ObjectTypeName: (NULL)
| DesiredAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
+-FullCreateOptions: 60
Options: 1000060 (FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE | 0x1000000)
FileAttributes: 0 (None)
ShareAccess: 0 (Exclusive)
EaLength: 0
<< IRP_MJ_CREATE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:FFA76638- STATUS_SUCCESS (Proc:hxdef100.exe, Thr:6E4)
>> IRP_MJ_CLEANUP Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:FFA76638, Proc:hxdef100.exe, Thr:6E4
FileObject: 80E132C0
>> IRP_MJ_CREATE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:80EB86F0, Proc:hxdef100.exe, Thr:6E0
FileObject: 80EE4258
> SecurityContext: F9EE1A88
| SecurityQos: 80EBC320
| | Length: C
| | ImpersonationLevel: SecurityImpersonation
| | ContextTrackingMode: SECURITY_DYNAMIC_TRACKING
| +-------EffectiveOnly: 1
|
| AccessState: 80EBC288
| | OperationID: 0000000000084338
| | SecurityEvaluated: 0 (False)
| | GenerateAudit: 0 (False)
| | GenerateOnClose: 0 (False)
| | PrivilegesAllocated: 0 (False)
| | Flags: 1
| | RemainingDesiredAccess: 0 (0x0)
| | PreviouslyGrantedAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
| | OriginalDesiredAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
| |
| | SubjectSecurityContext: FED5DAF4
| | | ClientToken: 00000000
| | | ImpersonationLevel: 00000000 (SecurityAnonymous)
| | | PrimaryToken: E1D04DE0
| | +---------ProcessAuditId: 000006BC
| | SecurityDescriptor: 00000000
| | AuxData: 80EBC33C
| | AuditPrivileges: 00000000
| | ObjectName: (NULL)
| +----------ObjectTypeName: (NULL)
| DesiredAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
+-FullCreateOptions: 60
Options: 1000060 (FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE | 0x10000ne)
ShareAccess: 0 (Exclusive)
EaLength: 0
<< IRP_MJ_CREATE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:80EB86F0- STATUS_SUCCESS (Proc:hxdef100.exe, Thr:6E0)
>> IRP_MJ_CLEANUP Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:80EB86F0, Proc:hxdef100.exe, Thr:6E0
FileObject: 80EE4258
<< IRP_MJ_CLEANUP Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:80EB86F0- Error: STATUS_INVALID_DEVICE_REQUEST (Proc:hxdef100.exe, Thr:6E0)
>> IRP_MJ_CLOSE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:80EB86F0, Proc:hxdef100.exe, Thr:6E0
FileObject: 80EE4258
<< IRP_MJ_CLOSE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:80EB86F0- STATUS_SUCCESS (Proc:hxdef100.exe, Thr:6E0)
>> IRP_MJ_CREATE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:80EB86F0, Proc:hxdef100.exe, Thr:6E0
FileObject: 80EE4258
> SecurityContext: F9EE1A88
| SecurityQos: 80EBC320
| | Length: C
| | ImpersonationLevel: SecurityImpersonation
| | ContextTrackingMode: SECURITY_DYNAMIC_TRACKING
| +-------EffectiveOnly: 1
|
| AccessState: 80EBC288
| | OperationID: 0000000000084339
| | SecurityEvaluated: 0 (False)
| | GenerateAudit: 0 (False)
| | GenerateOnClose: 0 (False)
| | PrivilegesAllocated: 0 (False)
| | Flags: 1
| | RemainingDesiredAccess: 0 (0x0)
| | PreviouslyGrantedAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
| | OriginalDesiredAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
| |
| | SubjectSecurityContext: FED5DCClientToken: 00000000
| | | ImpersonationLevel: 00000000 (SecurityAnonymous)
| | | PrimaryToken: E1D04DE0
| | +---------ProcessAuditId: 000006BC
| | SecurityDescriptor: 00000000
| | AuxData: 80EBC33C
| | AuditPrivileges: 00000000
| | ObjectName: (NULL)
| +----------ObjectTypeName: (NULL)
| DesiredAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
+-FullCreateOptions: 60
Options: 1000060 (FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE | 0x1000000)
FileAttributes: 0 (None)
ShareAccess: 0 (Exclusive)
EaLength: 0
<< IRP_MJ_CREATE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:80EB86F0- STATUS_SUCCESS (Proc:hxdef100.exe, Thr:6E0)
>> IRP_MJ_CLEANUP Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:80EB86F0, Proc:hxdef100.exe, Thr:6E0
FileObject: 80EE4258
<< IRP_MJ_CLEANUP Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:80EB86F0- Error: STATUS_INVALID_DEVICE_REQUEST (Proc:hxdef100.exe, Thr:6E0)
>> IRP_MJ_CLOSE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:80EB86F0, Proc:hxdef100.exe, Thr:6E0
FileObject: 80EE4258
<< IRP_MJ_CLOSE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:80EB86F0- STATUS_SUCCESS (Proc:hxdef100.exe, Thr:6E0)
<< IRP_MJ_CLEANUP Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:FFA76638- Error: STATUS_INVALID_DEVICE_REQUEST (Proc:hxdef100.exe, Thr:6E4)
>> IRP_MJ_CLOSE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:FFA76638, Proc:hxdef100.exe, Thr:6E4
FileObject: 80E132C0
<< IRP_MJ_CLOSE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:FFA76638- STATUS_SUCCESS (Proc:hxdef100.exe, Thr:6E4)
Load32 Start=B63B2000 Size=03E700 MOD=IRPDRV.SYS
===============================================================================
======================== Begin Trace IRPDRV Operations ========================
===============================================================================
>> IRP_MJ_CREATE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380, Proc:hxdef100.exe, Thr:C0
FileObject: 80F08B58
> SecurityContext: B64ABA88
| SecurityQos: 8174E0A0
| | Length: C
| | ImpersonationLevel: SecurityImpersonation
| | ContextTrackingMode: SECURITY_DYNAMIC_TRACKING
| +-------EffectiveOnly: 1
|
| AccessState: 8174E008
| | OperationID: 00000000000A6EAA
| | SecurityEvaluated: 0 (False)
| | GenerateAudit: 0 (False)
| | GenerateOnClose: 0 (False)
| | PrivilegesAllocated: 0 (False)
| | Flags: 1
| | RemainingDesiredAccess: 0 (0x0)
| | PreviouslyGrantedAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
| | OriginalDesiredAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
| |
| | SubjectSecurityContext: FE9B8C20
| | | ClientToken: 00000000
| | | ImpersonationLevel: 00000000 (SecurityAnonymous)
| | | PrimaryToken: E1263268
| | +---------ProcessAuditId: 00000140
| | SecurityDescriptor: 00000000
| | AuxData: 8174E0BC
| | AuditPrivileges: 00000000
| | ObjectName: (NULL)
| +----------ObjectTypeName: (NULL)
| DesiredAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
+-FullCreateOptions:60 (FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE | 0x1000000)
FileAttributes: 0 (None)
ShareAccess: 0 (Exclusive)
EaLength: 0
<< IRP_MJ_CREATE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380- STATUS_SUCCESS (Proc:hxdef100.exe, Thr:C0)
>> IRP_MJ_CLEANUP Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380, Proc:hxdef100.exe, Thr:C0
FileObject: 80F08B58
<< IRP_MJ_CLEANUP Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380- Error: STATUS_INVALID_DEVICE_REQUEST (Proc:hxdef100.exe, Thr:C0)
>> IRP_MJ_CLOSE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380, Proc:hxdef100.exe, Thr:C0
FileObject: 80F08B58
<< IRP_MJ_CLOSE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380- STATUS_SUCCESS (Proc:hxdef100.exe, Thr:C0)
>> IRP_MJ_CREATE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380, Proc:hxdef100.exe, Thr:144
FileObject: 80EE97D8
> SecurityContext: B64BFA88
| SecurityQos: 8174E0A0
| | Length: C
| | ImpersonationLevel: SecurityImpersonation
| | ContextTrackingMode: SECURITY_DYNAMIC_TRACKING
| +-------EffectiveOnly: 1
|
| AccessState: 8174E008
| | OperationID: 00000000000A6EB9
| | SecurityEvaluated: 0 (False)
| | GenerateAudit: 0 (False)
| | GenerateOnClose: 0 (False)
| | PrivilegesAllocated: 0 (False)
| | Flags: 1
| | RemainingDesiredAccess: 0 (0x0)
| | PreviouslyGrantedAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
| | OriginalDesiredAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | F | |
| | SubjectSecurityContext: FE9B8B8C
| | | ClientToken: 00000000
| | | ImpersonationLevel: 00000000 (SecurityAnonymous)
| | | PrimaryToken: E1263268
| | +---------ProcessAuditId: 00000140
| | SecurityDescriptor: 00000000
| | AuxData: 8174E0BC
| | AuditPrivileges: 00000000
| | ObjectName: (NULL)
| +----------ObjectTypeName: (NULL)
| DesiredAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
+-FullCreateOptions: 60
Options: 1000060 (FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE | 0x1000000)
FileAttributes: 0 (None)
ShareAccess: 0 (Exclusive)
EaLength: 0
<< IRP_MJ_CREATE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380- STATUS_SUCCESS (Proc:hxdef100.exe, Thr:144)
>> IRP_MJ_CLEANUP Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380, Proc:hxdef100.exe, Thr:144
FileObject: 80EE97D8
<< IRP_MJ_CLEANUP Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380- Error: STATUS_INVALID_DEVICE_REQUEST (Proc:hxdef100.exe, Thr:144)
>> IRP_MJ_CLOSE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380, Proc:hxdef100.exe, Thr:144
FileObject: 80EE97D8
<< IRP_MJ_CLOSE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380- STATUS_SUCCESS (Proc:hxdef100.exe, Thr:144)
>> IRP_MJ_CREATE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380, Proc:hxdef100.exe, Thr:144
FileObject: 80EE97D8
> SecurityContext: B64BFA88
| SecurityQos: 8174E0A0
| | Length: C
| | ImpersonationLevel: SecurityImpersonation
| | ContextTrackingMode: SECURITY_DYNAMIC_TRACKING
| +-------EffectiveessState: 8174E008
| | OperationID: 00000000000A6EBA
| | SecurityEvaluated: 0 (False)
| | GenerateAudit: 0 (False)
| | GenerateOnClose: 0 (False)
| | PrivilegesAllocated: 0 (False)
| | Flags: 1
| | RemainingDesiredAccess: 0 (0x0)
| | PreviouslyGrantedAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
| | OriginalDesiredAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
| |
| | SubjectSecurityContext: FE9BD150
| | | ClientToken: 00000000
| | | ImpersonationLevel: 00000000 (SecurityAnonymous)
| | | PrimaryToken: E1263268
| | +---------ProcessAuditId: 00000140
| | SecurityDescriptor: 00000000
| | AuxData: 8174E0BC
| | AuditPrivileges: 00000000
| | ObjectName: (NULL)
| +----------ObjectTypeName: (NULL)
| DesiredAccess: 1F01FF (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | 0x58)
+-FullCreateOptions: 60
Options: 1000060 (FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE | 0x1000000)
FileAttributes: 0 (None)
ShareAccess: 0 (Exclusive)
EaLength: 0
<< IRP_MJ_CREATE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380- STATUS_SUCCESS (Proc:hxdef100.exe, Thr:144)
>> IRP_MJ_CLEANUP Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380, Proc:hxdef100.exe, Thr:144
FileNUP Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380- Error: STATUS_INVALID_DEVICE_REQUEST (Proc:hxdef100.exe, Thr:144)
>> IRP_MJ_CLOSE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380, Proc:hxdef100.exe, Thr:144
FileObject: 80EE97D8
<< IRP_MJ_CLOSE Drv:HackerDefenderDrv100, Dev:HxDefDriver, IRP:81739380- STATUS_SUCCESS (Proc:hxdef100.exe, Thr:144)
Publicité
Publicité