Author Topic: Safezone and Sandbox vs DllInjection  (Read 17903 times)

0 Members and 1 Guest are viewing this topic.

floste

  • Guest
Safezone and Sandbox vs DllInjection
« on: July 28, 2011, 02:17:30 PM »
I was using avast free for years and I like it, so i decided to donate some money by buying the pro version.

Then I just wondered: What is that SafeZone and how does it work?
I opened Process Explorer and noticed, that the processes run under the same user account o.O
I tried some simple dll-injection into the browser and the first attempt worked. This really made me laugh.

When I tried to save some screenshots I noticed that the file is created but empty afterwards, when I place it on the system drive. But saving to another drive was no problem at all.

Could you please tell me what this feature is supposed to prevent?

I'm curious to see whether this post will be deleted^^
« Last Edit: August 01, 2011, 10:51:08 PM by floste »

gdiloren

  • Guest
Re: Safezone vs DllInjection
« Reply #1 on: July 28, 2011, 03:36:39 PM »
From what I read and already used, SAFEZONE BROWSER is a Google browser without toolbars that can access your info. Nothing else. Nothing goes from out into but you can go from in to out,so that's why they call it safezone. What's a dll injection and how do you do it?
 ???

floste

  • Guest
Re: Safezone vs DllInjection
« Reply #2 on: July 28, 2011, 05:38:10 PM »
DllInjection is when one process adds code to another running process. The target usually does not notice, but the code is executed inside the target process and can basically do anything on the behalf of the target. The injected code could intercept any userinput, network traffic, basically everything that is handled by the target process.

Quote
Nothing goes from out into
Obviously ANY program code can go into the "SafeZone" from outside (outside=normal desktop) ^^

Quote
From what I read and already used, SAFEZONE BROWSER is a Google browser without toolbars that can access your info.
Yes, it is a browser without the usual addons and toolbars. But what is the point in having it on a seperate desktop, if that second desktop is just as secure as the regular one ???

Quote
and how do you do it
Ask google: http://lmgtfy.com/?q=dll+injection

MAG

  • Guest
Re: Safezone vs DllInjection
« Reply #3 on: July 28, 2011, 06:48:26 PM »
I'm curious to see whether this post will be deleted^^
Posts are not deleted on this forum unless spam or malicious as far as I can see.

I suspect it would help the program developer to investigate/comment if you posted full details of what you did - and any helpful screenshots.

YoKenny

  • Guest
Re: Safezone vs DllInjection
« Reply #4 on: July 28, 2011, 07:03:07 PM »
@ floste

Looks like you are German and need help using avast! "SafeZone" browser.

The built in Help is great in English for me but I am not sure what localized language you have installed but what I see
Quote
avast! SafeZone
The avast! SafeZone is an additional security feature in avast! Pro Antivirus and avast! Internet Security, which allows you to browse the web in a private, secure environment, invisible to the rest of your system. For example, if you do your banking or shopping online, or other security-sensitive transactions, you can be sure that your personal data cannot be monitored by spyware or key-logging software. Unlike the avast! Sandbox, which is intended to keep everything contained inside so that it cannot harm the rest of your system, the avast! SafeZone is designed to keep everything else out.

Please read:
How to attach a Picture or File on the forum:
http://forum.avast.com/index.php?topic=8982.0

floste

  • Guest
Re: Safezone vs DllInjection
« Reply #5 on: July 28, 2011, 07:19:47 PM »
Quote
I suspect it would help the program developer to investigate/comment if you posted full details of what you did - and any helpful screenshots.

This is a well-known and well-documented technique - every developer interested in windows security should know it. There are thousands of examples, demos and tutorials on the net, even a dedicated wikipedia article.

I think only a few details are important at all:
1. I am using Windows 7 x64 and Avast Pro 6.0.1203
2. Target I used: SafeZoneBrowser.exe, the one with the medium integrity level

Quote
need help using avast! "SafeZone" browser.
Not quite, maybe you should read the entire topic twice^^
Actually the developers of avast seem to have a problem, not I.

In deed, I see the german translation of this:
Quote
[...] cannot be monitored by spyware or key-logging software [...] the avast! SafeZone is designed to keep everything else out.
It took me 5 minutes to get code from outside to inside without doing anything inside. *giggle*
« Last Edit: July 28, 2011, 07:23:29 PM by floste »

MAG

  • Guest
Re: Safezone vs DllInjection
« Reply #6 on: July 28, 2011, 07:22:43 PM »
Yes, but can you provide the details/screenshots please.

floste

  • Guest
Re: Safezone vs DllInjection
« Reply #7 on: July 28, 2011, 08:20:49 PM »
The forum thinks the images are too large, so i use imagebanana

1. Enter SafeZone
-> Screenshot1:

2. Leave again
3. Do do dll injection
-> Screenshot2:

4. Go back and see what happend (I used a dll which starts cmd from DllMain)
-> Screenshot3



Note that it is technically NOT necessary to leave the SafeZone to do this. It should be easy to write a background program to automate this.

13N

  • Guest
Re: Safezone vs DllInjection
« Reply #8 on: July 28, 2011, 09:31:56 PM »
Process hacker has kernel level access, from which it can do anything to any process/file/hook/etc, likely including dll injection into application level.
The point is to prevent unknown 3rd party programs from gaining kernel level access, not to try to defend against them after the fact. Sure, you can add certain mechanisms to counter specific kernel program functions, but they can be easily bypassed and can add performance overhead and software incompatibilities.

No protection feature can protect you from a rootkited host.

floste

  • Guest
Re: Safezone vs DllInjection
« Reply #9 on: July 28, 2011, 10:18:58 PM »
I know it has the ability dude, I am not silly, BUT IT HAD NO KERNELMODE ACCESS when I used it:
1.) I explicitly disabled the kernelmode access in the options.
2.) I did not start it with admin rights, so it had no chance to load the driver
3.) It FAILS against AvastUI.exe

One can easily see whether it has kernelmode acces at the time:
If there are blank fields in "User Name" and "Integrity" columns then the driver is not loaded.
It there are no blank fields, it is likely to have kernelmode access.


Check it out yourself if you do not belive me!

Here are my loaded drivers, sorted by name (You won't find kprocesshacker.sys)


Well, at least you have some technical understanding^^
« Last Edit: July 28, 2011, 10:21:15 PM by floste »

13N

  • Guest
Re: Safezone vs DllInjection
« Reply #10 on: July 28, 2011, 10:58:12 PM »
I can confirm your findings (XP SP3, no kernel access from PH). Could you try to inject the dll in SafeBrowser child processes, instead of the parent one?(if you haven't tried already)
I found that it's not possible to inject in child processes, only in the parent one. I could be mistaken, but Chrome is probably built so that child processes are the ones dealing with web content/information sending/processing, so it's being protected from dll injection (or sniffing from parent) so there's no direct danger from information sniffing that way. But that still leaves that it's possible to "remotely" (tentative name, since it's not really a "remote") execute code in SafeZone from host PC (which is infected) which could sniff out info... in some alternate manner.
Would be nice to hear from devs about this.
« Last Edit: July 28, 2011, 10:59:51 PM by 13N »

MAG

  • Guest
Re: Safezone vs DllInjection
« Reply #11 on: July 28, 2011, 11:13:24 PM »
Would be nice to hear from devs about this.

I agree - it would be good if pk (the developer) could chip in.

It's interesting info. I don't have the level of understanding you guys have, but I have been pondering for a while whether the safezone virtual isolated desktop approach or the trusteer rapport block browser mods/logging/capture approach is actually the more secure against malware on the machine.

floste

  • Guest
Re: Safezone vs DllInjection
« Reply #12 on: July 28, 2011, 11:16:59 PM »
Quote
Could you try to inject the dll in SafeBrowser child processes, instead of the parent one?(if you haven't tried already)

Strange: It does not give an error, but no dll is loaded. However: One can read and write the process memory of the child processes from remote, so it is definitively possible to execute code. But I do not have the patience to turn on my compiler today, besides I normally charge people for writing that kind of code.

Quote
"remotely" (tentative name, since it's not really a "remote") execute
These kind are my speciality *haha*

Quote
It's interesting info. I don't have the level of understanding you guys have, but I have been pondering for a while whether the safezone virtual isolated desktop approach or the trusteer rapport block browser mods/logging/capture approach is actually the more secure against malware on the machine.

Well, such approaches are usually secure... as long as malware writers do not take em into consideration when writing their code. If the malware has admin rights (remember: UAC on standard level in Windows 7 is still broken by design) the machine is lost. If the malware has "only" user rights, a Secured desktop approach could really help, but only if it runs under a different user account! And avast makes the mistake that the secured browser is running under the same user account! That is the root cause of this flaw.
« Last Edit: July 28, 2011, 11:25:07 PM by floste »

MAG

  • Guest
Re: Safezone vs DllInjection
« Reply #13 on: July 29, 2011, 04:04:15 PM »
I believe browsers are set up to allow dll injection at some level by default (avast behaviour shield employs dll injection on browsers to monitor behaviour - and every time it does trusteer rapport blocks it on my system).

I can't see why the safezone browser should be set up this way though - it doesn't want to let anything else in.

And of course, rapport doesn't run in safezone.

Do any other AIS users find this thread a bit disconcerting - or is this in reality something that malware would struggle to replicate (ie an attack that is really only possible with more or less full control of the host machine)


Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3739
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: Safezone vs DllInjection
« Reply #14 on: July 29, 2011, 05:01:03 PM »
it would be good if pk (the developer) could chip in.

I have send Petr an email with a link to this topic :)

Greetz, Red.
OS: Win 10 / iOS 17 / Debian 12 / Tails 5
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )