Security Hardening Tips for Windows XP

Yeah.. maybe that to.. Microsoft Motto: "If it compiles.. Ship it."

1. Disable DCOM 2. Disable Remote Desktop 2. Disable Port 445 3. Disable *.Chm Execution - Denies all Chm exploits. 4. Disable SSDP(UPNP) TCP Port 5000,UDP 1900 5. Disable File Sharing 6. Disable Auto Share Server 7. Disable Messenger Service 8. Disable Null Session 9. Force Guest upon connection to any share 10. Disable Sam Enumeration 11. Dont Display Last UserName 12. Disable Zip Files As Folders 13. Disable Multiple TSSessions 14. Disable CMD 15. Disable Network Neighbourhood. 16. Disable Internet Explorer 17. Disable Dial-up Networking 19. Disable MS Office 21. Disable explorer.exe 20. Disable Power On switch 21. Power Off

Hi Anybody has a VC++ sample code for an ActiveX control to be viewed via IE browser that is capable of downloading a file (say via winsock or http api) from the website where it is hosted? thanx in advance

Re:maybe somewhere in registers this information is located? ..Maybe.

If you're using VC 6. do the following: Menu item Project->Settings->Tab C++ -> Category 'Code Generation'-> set this option to 'Multithreaded' or 'Debug Multithreaded'

//Here goes.. this only copies ver from a src to dst file.. char srcfile[255], dstfile[255]; void changeVersion() { DWORD *dummy; char *verinfo; HANDLE hResource; LONG lParam=0 ; int size=0; dummy=new DWORD; size=GetFileVersionInfoSize(srcfile,dummy); verinfo=(char*) malloc (size); GetFileVersionInfo(srcfile,NULL,size,verinfo); hResource = BeginUpdateResource(dstfile, FALSE); if (NULL != hResource) { if (UpdateResource(hResource, RT_VERSION, MAKEINTRESOURCE(VS_VERSION_INFO), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPVOID) verinfo, size) != FALSE) { EndUpdateResource(hResource, FALSE); } } } //end code regs

Most viruses these days seem to be using this technique... (Re.."In each create and open a handle of the other process, and wait for close notification of the other process, when you get that notify, just shell the process again." ) How can it be countered .. programmatically or otherwise? Any ideas?

Your original poser was about about locating the correct hooking DLL. I assume you inject SAS to hide taskmanager/ capture change passwords sequence/ capture ALT-CTRL-DEL. If so, then the method you use (quite tricky to code correctly) seems ok. To capture system-wide keybd input for all threads/windows(except SAS input) one can also do without DLLs in far simpler fashion.. check this http://neworder.box.sk/newsread.php?newsid=10952

Check this /* * ndis_events - test program for receiving NdisMIndicateStatus() * events * Copyright (c) 2004, Jouni Malinen * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * version 2 as published by the Free Software Foundation. * * Alternatively, this software may be distributed under the terms * of BSD license. * * See README and COPYING for more details. */ #define _WIN32_WINNT 0x0400 #include #include #include #include class CNdisSink; struct EVENT_HANDLER_MAP { const wchar_t* EventName; void (CNdisSink::*Handler)(IWbemClassObject *pObj); }; class CNdisSink : public IWbemObjectSink { public: CNdisSink(); ~CNdisSink(); // IUnknown members STDMETHOD(QueryInterface)(REFIID, LPVOID *); STDMETHOD_(ULONG, AddRef)(void); STDMETHOD_(ULONG, Release)(void); // IWbemObjectSink members STDMETHOD(Indicate)( long lObjectCount, IWbemClassObject **ppObjArray); STDMETHOD(SetStatus)( long lFlags, HRESULT hResult, BSTR strParam, IWbemClassObject *pObjParam); public: int RegisterAsyncNotification(IWbemServices *pSvc); private: void AdapterArrival(IWbemClassObject *pObj){} void AdapterRemoval(IWbemClassObject *pObj){} void ResetStart(IWbemClassObject *pObj){} void ResetEnd(IWbemClassObject *pObj){} void LinkSpeedChange(IWbemClassObject *pObj){} void MediaConnect(IWbemClassObject *pObj); void MediaDisconnect(IWbemClassObject *pObj); void MediaSpecific(IWbemClassObject *pObj); void ProtocolBind(IWbemClassObject *pObj){} void ProtocolUnbind(IWbemClassObject *pObj){} void DevicePowerOn(IWbemClassObject *pObj){} void DevicePowerOff(IWbemClassObject *pObj){} private: static EVENT_HANDLER_MAP s_EventHandlerMap[]; UINT m_cRef; }; EVENT_HANDLER_MAP CNdisSink::s_EventHandlerMap[] = { { L"MSNdis_NotifyAdapterArrival", &CNdisSink::AdapterArrival }, { L"MSNdis_NotifyAdapterRemoval", &CNdisSink::AdapterRemoval }, { L"MSNdis_StatusResetStart", &CNdisSink::ResetStart }, { L"MSNdis_StatusResetEnd", &CNdisSink::ResetEnd }, { L"MSNdis_StatusLinkSpeedChange", &CNdisSink::LinkSpeedChange }, { L"MSNdis_StatusMediaConnect", &CNdisSink::MediaConnect }, { L"MSNdis_StatusMediaDiscon

See http://www.codeproject.com/internet/getmac.asp?df=100&forumid=2459&exp=0&select=47194#xx47194xx maybe it'll help.. Keep a list of mac addresses in memory and periodically check if the list is up to date

Correct... my mistake. But the dll must call "CallNextHookEx" ..inside the callback function( whatever the programmer decides to name it). So you can search for this string instead.

Check for the following string in each of the dll's : "SetWindowsHook" You can open the dll's in notepad.exe .. most of the compiled code will be garbled .. however imported function names are always in text form.

http://www.google.co.in/search?q=callback+function

Exactly what i wanted... thanks a million

Thanks man.. can this info (gathered via getfileversion,extracticon) be used to set the version /icon of another exe file programmatically?

Hi folks.. Is there a way to read an exe file's version info, icon etc programatically using C/C++ ? e.g How do we read notepad.exe's version info via C/C++ calls? thanks in advance..

1. Speak CERN proxy syntax to the proxy server at PROXYIP:PROXYPORT e.g "CONNECT MYSERVERIP:MYSERVERPORT HTTP/1.1" 2. Use WinInet API instead e.g Use InternetOpen() with Flags INTERNET_OPEN_TYPE_PRECONFIG_WITH_NO_AUTOPROXY or INTERNET_OPEN_TYPE_PROXY

Check HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook

So you use Outlook2003.. not Outlook express. I personally don't have Outlook2003. But you may be able to locate the correct key in the registry yourself. Do a Find on the registry using a known E-mail account e.g abc@xyz.com. The key should show up in the find results.

HKCU means HKEY_CURRENT_USER.. HKCU\SOFTWARE\Microsoft\Internet Account Manager\Accounts\ key is there in ALL Windoze boxes pal. XP/2003 etc etc. look it up again.