A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #26339  by wayitech
 Wed Jul 22, 2015 9:47 am
Virmon firewall network monitor

2015-06 network communication monitor, TCP protocol prohibit process based.
Online TCP, UDP port etc.

32bit download address: http://www.virmon.cn/?download=virmonfw32
64bit download address: http://www.virmon.cn/?download=virmonfw64

WFP driver based firewall, any suggestions will be appreciated.
Anyway, I have a question. Is there another vulnerable driver like vboxdrv.sys that can pass DSE? Thanks.
 #26345  by Vrtule
 Wed Jul 22, 2015 12:22 pm
Hello,

IIRC Windows 8 introduced an ability to monitor at link layer. Are you planning to add this feature? Of course, I may be wrong but they added several WFP layers that suggest this ability.

Do you need the DSE-bypass exploit in order to avoid purchasing a Class 3 certificate for driver signing?
 #26347  by wayitech
 Wed Jul 22, 2015 12:46 pm
I do not have a Windows 8 system environment; right now I use Windows 7 Home Edition 64-bit.
I think there is no process ID information in the link layer, but I am not sure. If MS does some work on the WFP layer, that can be very useful.

I really want some DSE-bypass exploit. I know DSEFIX, but I want to study vulnerability knowledge by myself.
 #26350  by Vrtule
 Wed Jul 22, 2015 8:28 pm
think there is no processid information in link layer.
That's AFAIK true. My point was that prior to Windows 8, it was not possible to monitor/modify at link layer for WFP-based drivers, which IIRC has changed in Windows 8.