General protection options

[gkweb]

In the "protection" menu, there is "General protection options" features, but i didn't find in the help any information about them, in particular about "Block DLL files from being added to APPINIT_DLLs registry key".

what does it do ? why a trojan/malicious program would want to use this registry area ?

thanks.

[spy1]

Method: DLL/Code Injection
Description: The attacking process 'injects' a DLL or code into the memory space of another process, allowing the attacking process to remain alive in the context of an existing process. This stealthy trick is starting to be used more frequently by remote access trojans, and can also be used to alter the behaviour of programs. Injected code can also easily terminate its host process, providing another option for process termination. Firewall leaktests often use this technique to bypass firewalls, usually by injecting a DLL into an application that's generally trusted by firewalls (such as Internet Explorer).

(That's from the "Help'/"Miscellaneous Attacks" ). Pete

[gkweb]

I know what is DLL injection, but i didn't know this feature was DLL injection protection.

thanks you.

[spy1]

It's DLL injection protection against that particular method of delivery. I've seen it talked about before, I just can't remember where at the moment. Pete

[Andreas1]

Quote:

quoting: gkweb link=board=40;threadid=16950;start=0#msg104882 date=1070028402]
"Block DLL files from being added to APPINIT_DLLs registry key".

what does it do ? why a trojan/malicious program would want to use this registry area ?

If i understand this right, this key can contain a list of dlls to be loaded by the OS into every 16-bit program that is being launched...

Andreas

[gkweb]

which would be more dangerous than a single DLL injection against one aimed program if your right

happy to have such protection now.

[Gavin - DiamondCS]

Well actually trojans use "WriteProcessMemory" which is what WRITE blocks. And then they create a remote thread and write their code into that processes space, as if the target program was always running it. Its very clean and stealthy and why trojans have developed this way.

So block that access to things you have in your firewall ruleset, and you have a REAL firewall back ? hope that helps

[Gavin - DiamondCS]

APP_Init DLLs are loaded into every process which also loads USER32.DLL.. nearly all processes. So an attack could be to write a DLL which attacks Process Guard (or other processes) once its loaded.

This attack was mentioned but is it ever used ? no.. if it is though, Process Guard doesnt care. You can block them from ever being used, most systems will not ever load DLLs in that way anyway. If a program has put one there thats ok. If a new program is being installed that you know needs to add an entry here (doubtful), you could remove protection temporarily. Trusted software is fine, as long as the user has this control over attacks.

[Jason_DiamondCS]

Yes it isn't loaded by 16bit applications directly (since they are handled by ntvdm usually) but by user32.dll which Gavin noted. User32.dll is in 99% of windows programs and hence it gets loaded into most programs, it is a "microsoft documented" method of DLL injection we block. Not many legit programs use this, but some malicious programs do.

-Jason-