Wilders Security Forums  

#1
March 29th, 2007, 10:21 PM
sunrise (Regular Poster)
Join Date: Mar 2007
Posts: 75
Which program for dll load/inject virtualization??

Hi,

Please help, I need a security program that is able to cater for:

1. Run a program. This program potentially will access a dll (called dll loading?), then modify the dll (dll injection?). The resulting modified dll seems to be camouflaged as indicdll.dll (keyboard lang shell hook extension, able to record inputs), injected into iexporer.exe for connection to the internet.

2. Can't block the dll loading or maybe modification, else the program won't function.

3. But need to block the dll from internet connection.

4. After closing the program, detect that malware and clean it, or go back to the original state; either the cleaning is OK or the actual modification of the dll was prevented from taking place initially at all. (virtualization?)

5. Allow me to view the process, as in a log, what has taken place, instead of total silence, as I will not know if it's really effective or not.

I have tried using ZoneAlarm Pro with SAS.
-> SAS didn't detect in real time. ZoneAlarm Pro blocked the program from running in component monitor. Once I allowed ZoneAlarm to let the program run, it was infected but SAS can't start, sort of freezes, don't know why yet, maybe due to other reasons.

Tried Comodo + SpybotSD
-> Program ran, Comodo alerted me of indicdll as a possible keylogger and allowed me to block it from the internet. Closed the program and ran Spybot but it didn't detect. But I don't know if the indicdll is a camouflaged one, or if it is the Windows original dll which has been modified. So I can't or do not know how to go back to the original state.

Tried Comodo + Sandboxie
-> Program ran, Comodo alerted me of indicdll as a possible keylogger and allowed me to block it from the internet. Closed the program and ran Spybot but it didn't detect. So I can't or do not know how to go back to the original state.

Some have advised me to try Cyberhawk/GeSWall/DefenseWall.
I want to know which one really can do the above, as every time I tried once and it didn't work, I had to clean my whole hdd and reinstall everything, but luckily I am using an image.
__________________
Windows Vista Home Premium 32 Bit
Kaspersky Internet Security 7 | Mozilla Firefox 2 + NoScript | RoboForm | FirstDefense-ISR
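
The open question in the post above, whether the flagged indicdll.dll is the Windows original changed in place or a same-named copy dropped somewhere else, can be settled by hashing DLLs before the program runs and again after it exits. This is an added example, not part of the original thread; the folder names and file contents in `demo()` are constructed, and on a real system `snapshot()` would be pointed at the directories to watch.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every .dll under root (relative path, lower-cased) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".dll"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                # Windows paths are case-insensitive, so normalise the key.
                hashes[os.path.relpath(full, root).lower()] = digest
    return hashes

def compare(before, after):
    """Return (kind, path) tuples describing what changed between snapshots."""
    known_names = {os.path.basename(p) for p in before}
    report = []
    for path in sorted(after):
        if path not in before:
            # Same file name as a baseline DLL, but in a different folder.
            lookalike = os.path.basename(path) in known_names
            report.append(("LOOKALIKE" if lookalike else "NEW", path))
        elif after[path] != before[path]:
            report.append(("MODIFIED", path))
    report += [("DELETED", p) for p in sorted(before) if p not in after]
    return report

def demo():
    """Constructed sample tree: folder names and file contents are made up."""
    with tempfile.TemporaryDirectory() as root:
        for folder in ("system32", "app"):
            os.makedirs(os.path.join(root, folder))
        def write(rel, data):
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        write("system32/indicdll.dll", b"original")
        write("system32/other.dll", b"original")
        before = snapshot(root)                   # taken before the program runs
        write("system32/other.dll", b"patched")   # file changed in place
        write("app/indicdll.dll", b"copy")        # same name, new location
        write("app/helper.dll", b"new")
        return compare(before, snapshot(root))    # taken after it exits

if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:10} {path}")
```

A MODIFIED entry means the baseline file itself was altered and has to be restored from a known-good copy or image; a LOOKALIKE entry means the original is intact and the same-named file in the other folder is the one to examine.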
#2
March 29th, 2007, 10:30 PM
dah145 (Frequent Poster)
Join Date: Jul 2006
Location: n/a
Posts: 262
Re: Which program for dll load/inject virtualization??

Quote:
Originally Posted by sunrise
Hi,

Please help, I need a security program that is able to cater for:

1. Run a program. This program potentially will access a dll (called dll loading?), then modify the dll (dll injection?). The resulting modified dll seems to be camouflaged as indicdll.dll (keyboard lang shell hook extension, able to record inputs), injected into iexporer.exe for connection to the internet.

2. Can't block the dll loading or maybe modification, else the program won't function.

3. But need to block the dll from internet connection.

4. After closing the program, detect that malware and clean it, or go back to the original state; either the cleaning is OK or the actual modification of the dll was prevented from taking place initially at all. (virtualization?)

5. Allow me to view the process, as in a log, what has taken place, instead of total silence, as I will not know if it's really effective or not.

I have tried using ZoneAlarm Pro with SAS.
-> SAS didn't detect in real time. ZoneAlarm Pro blocked the program from running in component monitor. Once I allowed ZoneAlarm to let the program run, it was infected but SAS can't start, sort of freezes, don't know why yet, maybe due to other reasons.

Tried Comodo + SpybotSD
-> Program ran, Comodo alerted me of indicdll as a possible keylogger and allowed me to block it from the internet. Closed the program and ran Spybot but it didn't detect. But I don't know if the indicdll is a camouflaged one, or if it is the Windows original dll which has been modified. So I can't or do not know how to go back to the original state.

Tried Comodo + Sandboxie
-> Program ran, Comodo alerted me of indicdll as a possible keylogger and allowed me to block it from the internet. Closed the program and ran Spybot but it didn't detect. So I can't or do not know how to go back to the original state.

Some have advised me to try Cyberhawk/GeSWall/DefenseWall.
I want to know which one really can do the above, as every time I tried once and it didn't work, I had to clean my whole hdd and reinstall everything, but luckily I am using an image.


KAV or KIS PDM could help you
__________________
Using: KIS 7 and Sandboxie
#3
March 29th, 2007, 10:39 PM
sunrise (Regular Poster)
Join Date: Mar 2007
Posts: 75
Re: Which program for dll load/inject virtualization??

Hi,

KAV/KIS for this scenario, it can prevent or allow the dll loading/modification/injection. But I do not think one can go back to the original state once you allowed it. Means it can't do scenario 4, and not 5 as well if I'm not wrong. Same as ZoneAlarm Pro.
__________________
Windows Vista Home Premium 32 Bit
Kaspersky Internet Security 7 | Mozilla Firefox 2 + NoScript | RoboForm | FirstDefense-ISR
 

All times are GMT -4.