
I picked up an interest in the "BackStealth" technology developed by Paolo Iorio, and have reverse-engineered his work and extended it. This web page is the home of my more or less ongoing efforts, and I hope to keep it up to date for those who care to follow the progress.

NOTE: none of this technology works on Windows 95, 98 or ME: some key operating system calls are simply not present. Don't even bother. I do all my testing on Windows NT 4.0 and Windows 2000: don't know about XP yet.

What is BackStealth?

BackStealth is a technique for using DLL Injection on Win32 platforms to take over the process space of personal firewalls to make outgoing connections that are undetected by those firewalls. Using the system-debugger interface (which requires admin privs), the infecting program locates the firewall, allocates memory inside the firewall space, copies a bit of bootstrap code, and launches a remote thread. This remote thread loads a DLL that does the real work, and the firewall process is completely unaware that this is going on.

Because the firewalls typically trust themselves, they do not detect or report these outgoing connections, so any Backstealth-enabled malware will be able to work with impunity. The firewall vendors have scrambled to deal with this in varying ways, but ultimately I believe that this will be a losing battle.
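One thing an administrator can do about a firewall that trusts itself is to check, from outside the firewall process, what modules it actually has loaded: a DLL injected the way described above shows up as a module the process never asked for. The script below is an added example (not part of the BackStealth project or of any firewall vendor's code); the process name and the list of trusted directories are placeholders to adjust for the product being checked.

```powershell
# Added example: list the modules loaded into a personal-firewall process and
# flag any that live outside the directories the product would normally load
# code from. Run from an elevated PowerShell session, since reading another
# process's module list needs sufficient privilege.
# Assumptions: "zonealarm" and the trusted-root list are placeholders.
param(
    [string]$ProcessName = "zonealarm",
    [string[]]$TrustedRoots = @(
        "$env:SystemRoot\System32",
        "$env:SystemRoot\SysWOW64",
        "$env:ProgramFiles"
    )
)

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No process named '$ProcessName' is running."
    return
}

foreach ($p in $procs) {
    Write-Host "Process $($p.ProcessName) (PID $($p.Id))"
    try {
        $modules = $p.Modules
    } catch {
        # Typically a 32-bit/64-bit mismatch or insufficient privilege.
        Write-Warning "  Cannot read module list: $($_.Exception.Message)"
        continue
    }
    foreach ($m in $modules) {
        $path = $m.FileName
        $trusted = $false
        foreach ($root in $TrustedRoots) {
            if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $trusted = $true
                break
            }
        }
        if (-not $trusted) {
            # Not proof of injection, but a module worth explaining.
            Write-Host ("  UNEXPECTED MODULE: {0}" -f $path)
        }
    }
}
```

A module path under a trusted directory is not a clean bill of health either, so treat the output as a list of things to explain rather than a verdict.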

My running analysis of Backstealth can be found in this thread at DSL Reports, and my own development efforts are found below.

Fetching and building the programs

Periodically I update the web site from my development snapshot, and the files are available individually or in a single large bundle. The bundle is built at the same time the file listing is.

All my development is done on a Windows 2000 Professional system at the command line, with Microsoft Visual C/C++. I use no GUI for either building or running any of these tools: you need a CMD window for everything. I use GNU Make for my work because Microsoft's NMAKE is so lame.

Each of the EXEs in the file listings was built by me from the sources you find there: I promise no shenanigans, though it's not clear why you should believe this promise. I run these very EXEs on my own system.

List of firewall products currently detected

This is a web-ified version of the internal table that Backstealth uses to detect personal firewalls: it runs through memory looking for windows with the given names and/or classes, and the last one found is probed for the vulnerability. Inclusion in this list does not mean the product is vulnerable! It merely means that the developers are trying to test it, and we have been adding these descriptions as we find them.

Firewalls Included with Backstealth

Firewall description              Window "class"          Window "title"
Black Ice Defender                -none-                  BlackICE PC Protection
ZoneAlarm Pro Personal Firewall   -none-                  ZoneAlarm Pro
ZoneAlarm Personal Firewall       -none-                  ZoneAlarm
Sygate Personal Firewall          #32770                  Sygate Personal Firewall
Sygate Personal Firewall Pro      #32770                  Sygate Personal Firewall Pro
McAfee Personal Firewall          McAfee_FwClientClass    McAfee_FwClientClass
Tiny Personal Firewall            #32770                  TinyPersonalFirewallMainWindow
Norton Internet Security 2002     Symantec NAMApp Class   -none-
Kerio Personal Firewall           #32770                  KerioPersonalFirewallMainWindow