I want to build the Tor browser with a new name and identity for the Windows OS. The goal is to avoid detection by network admins and applications such as antiviruses which I assume will search for application names and identities. I wanted to know if anyone has any experience in that regard and or any suggestions for me.
Why doesn't the official Tor Browser work? Because the network manager has banned Tor software. Therefore I can not start any Tor session. They use Kaspersky security for this and I suspect that Kaspersky uses the software credentials (i.e. name or some kind of ID) to detect and prohibit the software execution. On the other hand, Tor is a known anti-censorship tool and in some countries such as mine it will be problematic to use such a powerful anti-censorship tool. Having a program with the same functionality yet with a different name and looks may help people like me.
I have limited information in that regard. Yet I know that any software that does not require installation (i.e. portable software) works fine. Having said that, I don't know how the Windows trust center works, and I want to experiment with that and learn. Maybe if I learn something from it I could use the same procedure for other banned software and social media such as Telegram.
I don't want to distribute the software to others. I want it for my own personal use. If the tool proves to be useful I can share my experience with other people. Either they reproduce their own version or the community will figure it out. At this stage I am the sole user of this product.
I'm betting Kaspersky et al use some sort of hash and/or behaviour to ID a piece of software, so you could name yours beer.exe and it would ring a bell somewhere.
Yet I know that any software that does not require installation (i.e. portable software) works fine.
OK understood, I assume we are talking here about a work environment. If portable software works in your target environment, might Tails on a memory stick be the solution? Tails includes Tor Browser and thus you won't need to actually install it on your network. A quick online search suggests you can use Telegram with Tails too. Good luck.
I'm betting Kaspersky et al use some sort of hash and/or behaviour to ID a piece of software, so you could name yours beer.exe and it would ring a bell somewhere.
But keep on trying
Ok. If Kaspersky uses hashes to identify programs, changing a program's name in the source code (not renaming the executable) would result in a new hash, therefore avoiding detection. I am to some degree sure that these kinds of limitations are imposed by simply looking at the executable credentials. Why? Because I can compile my executable and run it without any problem as long as the credentials are not on the blocked program list.
Please be careful with your advances. Most likely there are also written policies or rules which prohibit the use of software not approved by the company IT.
So if the TBB or tor is detected on hardware which is used by you, you might get into trouble. Please check this first in your own interest and do not game the system if you are not absolutely sure…
If you are on a company network there are also ways to detect/block tor by monitoring the traffic.
In case there is a web-proxy on your network to access the internet you will face other difficulties, if you do not have SOCKS5 or authentication is needed: My internet connection requires an HTTP or SOCKS Proxy | Tor Project | Support
By the way, I totally understand your network manager: In a corporate environment you do not want unknown software running, especially not software which interacts with the internet. In this case signatures of tor might be especially dangerous, because ransomware use(s)/(d) tor for C&C and data exfiltration.
If you have a proper reason for "clear" internet and/or usage of software which is in some way related to your job, talking to your manager and the IT might help to get the tools and access you need for work.
OK understood, I assume we are talking here about a work environment. If portable software works in your target environment, might Tails on a memory stick be the solution? Tails includes Tor Browser and thus you won't need to actually install it on your network. A quick online search suggests you can use Telegram with Tails too. Good luck.
Thank you for your suggestion. I will look into "Tails". However, the possibility of having a custom build for individuals who have enough computer skills to compile and build a custom and stealth bundle for themselves to avoid detection is of interest.
Especially in countries such as mine where the government sometimes spies and forces you to remove some apps. For example, using one of your necessary apps (such as a banking app, etc.) they scan for the presence of other apps and give you a message to uninstall that app. Or worse, they don't tell you but put you on a watch list.
I already saw this capability in one of the Android apps (Lucky Patcher) where the Google Play Store removes the app with its original identity. There is an option to install the Lucky Patcher with a random identity. And I thought is it possible to do that with Tor or other open source apps.
I understand this part and I'm sure it is not a simple MD5 or SHA256 of the whole executable. Changing just 1 bit is enough to create a new hash. It is probably little snippets of the executable which make the ID.
I also mentioned program behavior which @atari addressed well.
You would have to do what the malware people do: Compile and test against major AV programs.
As for Tails: since you are under extreme restrictions you may be blocked from booting from a USB stick, but give it a try… and Tails is really a pain in the tail to use but better than nothing.
Ditto on what atari said:
In such a restrictive environment I can only imagine the penalties… like being forced to listen to Barry Manilow for 3 or 4 days in a row.
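The point about whole-file hashes above, worked through as an added example (my code, not anything posted by the forum members or shipped by Kaspersky, whose actual signature format is not known from this thread): a blocklist keyed on the SHA256 of the entire file misses a copy with a single flipped bit, while a blocklist of per-chunk hashes still matches most of the file. The "executable" is a constructed byte string from a seeded PRNG, the 512-byte chunk size and the 50 % match threshold are assumptions chosen for illustration.

```python
import hashlib
import random

# Constructed stand-in for a 4 KiB executable image (seeded PRNG, not a real binary).
ORIGINAL = random.Random(42).randbytes(4096)

# The same image with one bit flipped at offset 1000 (constructed variant).
_modified = bytearray(ORIGINAL)
_modified[1000] ^= 0x01
MODIFIED = bytes(_modified)

CHUNK_SIZE = 512  # assumed chunk size for the fragment blocklist


def whole_file_sha256(data: bytes) -> str:
    """Whole-file hash: any change at all yields an unrelated digest."""
    return hashlib.sha256(data).hexdigest()


def chunk_hashes(data: bytes, chunk_size: int = CHUNK_SIZE) -> set[str]:
    """Hash the file in fixed-size chunks; small edits only disturb the chunk they land in."""
    return {
        hashlib.sha256(data[i:i + chunk_size]).hexdigest()
        for i in range(0, len(data), chunk_size)
    }


def matched_fraction(known: bytes, sample: bytes, chunk_size: int = CHUNK_SIZE) -> float:
    """Fraction of the known file's chunk hashes that also appear in the sample."""
    known_chunks = chunk_hashes(known, chunk_size)
    sample_chunks = chunk_hashes(sample, chunk_size)
    return len(known_chunks & sample_chunks) / len(known_chunks)


def flagged_by_whole_hash(known: bytes, sample: bytes) -> bool:
    return whole_file_sha256(known) == whole_file_sha256(sample)


def flagged_by_chunks(known: bytes, sample: bytes, threshold: float = 0.5) -> bool:
    """Fragment-based rule: flag when at least `threshold` of the known chunks are present."""
    return matched_fraction(known, sample) >= threshold


if __name__ == "__main__":
    print("whole-file hash matches:", flagged_by_whole_hash(ORIGINAL, MODIFIED))   # False
    print("chunks still matching:  ", matched_fraction(ORIGINAL, MODIFIED))        # 0.875
    print("chunk rule flags it:    ", flagged_by_chunks(ORIGINAL, MODIFIED))       # True
```

The one-bit change lands in the second of eight chunks, so seven chunks (87.5 %) still match and the fragment rule fires while the whole-file rule does not. Real engines layer further signals on top (signer identity, imports, behaviour), which is why the thread's advice to treat a rename as insufficient holds.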
Thank you for your advice. As for my job, I submitted a formal request and got approval for using Tor and some other applications I needed. So I will not be in danger. Yet, the question remains in my mind. Restrictions are powerful incentives for me to learn.
So from now on it is just my curiosity which I believe will lead to a better understanding of how these systems work. I will read the provided links and sources.
I am familiar with programming, but scientific programming, not application development. I was wondering how Windows programs identify themselves. For example, Android apps identify themselves with a reversed web address; you may have seen something similar to "com.myWebsite.myAppName" in the source code of Android applications. In my mind, I thought maybe Windows apps do it similarly.
Sometimes antiviruses do things in dumb ways. For example, with Kaspersky, if you make a script that makes copies of a file with different extensions on a shared directory, which I do in my scripts before messing with any files to avoid disasters, the antivirus marks your code as a trojan. For example:
You can avoid this detection simply by using known format extensions such as .sldprt, .stt, or even .exe.
So I will give it a shot and say maybe changing credentials, whatever they are help avoiding detection and policies. This was the reason for my question in the first place.
Where are the places that Tor has Identified itself and how can we change it to make new identities?
Sorry for the long response, and thank you for your insights and help.
For the behavior, I consulted with our IT guy. Some behaviors will raise red flags. For example, he said that when I see a constant connection to a server that exchanges a considerable amount of data, it is either a streaming service or a VPN, proxy, …
Having said that, it doesn't hurt to compile a program with a new identity and run it against major AV programs and see the results.
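The network-side heuristic the IT person described (a long-lived connection moving a lot of data reads as either streaming or a tunnel), as an added example from the monitoring side; this is my code, not the IT person's tooling or anything on the page. The flow records are constructed, using documentation address ranges, and the 10-minute / 50 MB thresholds and the inbound-to-outbound ratio used to separate "streaming-like" from "two-way" traffic are assumptions for illustration.

```python
from dataclasses import dataclass

MIN_DURATION_S = 600          # assumed: flows shorter than 10 minutes are ignored
MIN_TOTAL_BYTES = 50_000_000  # assumed: flows moving less than 50 MB are ignored
STREAMING_RATIO = 0.1         # assumed: out/in below this looks like a download or stream


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    duration_s: int
    bytes_out: int  # client -> server
    bytes_in: int   # server -> client


# Constructed sample flow records (not real traffic; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 45, 12_000, 340_000),
    Flow("10.0.0.5", "203.0.113.77", 443, 5_400, 2_400_000, 180_000_000),
    Flow("10.0.0.9", "198.51.100.4", 8443, 7_200, 90_000_000, 95_000_000),
    Flow("10.0.0.9", "198.51.100.8", 53, 1, 80, 200),
]


def is_long_lived_bulk(flow: Flow) -> bool:
    """The red-flag condition from the post: constant connection plus considerable volume."""
    return (flow.duration_s >= MIN_DURATION_S
            and flow.bytes_out + flow.bytes_in >= MIN_TOTAL_BYTES)


def describe(flow: Flow) -> str:
    """Split the hits the way the IT person did: one-way bulk (stream) vs two-way (tunnel/proxy)."""
    ratio = flow.bytes_out / max(flow.bytes_in, 1)
    if ratio < STREAMING_RATIO:
        return "mostly inbound (streaming-like)"
    return "two-way (tunnel/proxy-like)"


def review_flows(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return the flows that meet the rule, each paired with its description."""
    return [(f, describe(f)) for f in flows if is_long_lived_bulk(f)]


if __name__ == "__main__":
    for flow, note in review_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port} "
              f"{flow.duration_s}s {flow.bytes_out + flow.bytes_in} bytes: {note}")
```

Run on the sample, the short web session and the DNS lookup drop out; the two long, heavy flows are reported, one as streaming-like and one as two-way. The second kind is what an admin would look at more closely, and it is visible regardless of what the client binary is called.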
All in all, can you explain to me what are the Tor Browser repositories? I reckon there is a browser part, a Tor part, Snowflake, etc. I read that the Tor Browser repo is the modified firefox, and the tor-browser-build contains the build instructions for Tor and it downloads the necessary packages.
All in all, can you explain to me what are the Tor Browser repositories?
For a full build of Tor Browser you'll need this repo. This builds the whole Tor Browser Bundle (TBB - i.e. everything in the tor-browser dir in the download) including little-t tor and all other dependencies. Every component is compiled from scratch using something called RBM (Reproducible Build Manager - itself built by the Tor Project). The first build can take many hours, but subsequent builds will reuse the binaries already built if you are not patching them. The build wiki is here. This describes all the build dependencies (covered in the above repo's README too), the process you'll need to follow to create patches & make a Windows distribution of your app & troubleshooting/debugging info too.
The tor-browser repo is for the Firefox component of the TBB and just builds the browser itself - i.e. the firefox binary (which includes Tor Project's patches on FF). This can be built stand-alone, so long as you don't need to make any changes to the rest of the bundle. The little-t tor part of the bundle has its own repo too.
From personal experience I found it all pretty easy to follow (I build a patched Tor Browser with each new release for my Selenium project).