Could anti-exe programs prevent applications from executing unknown dlls?

Discussion in 'other anti-malware software' started by Online_Sword, Sep 26, 2015.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Why is bypassing VoodooShield being discussed in this thread, where the OP, Online_Sword, has specifically asked about anti-exe programs?

    Couldn't the bypassing of VoodooShield be discussed in the VoodooShield thread?

    I would like to get back on topic: perhaps Online_Sword will return to continue to explore his question.

    thanks,

    ----
    rich
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yes.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    As Wilders users know, I have nothing to hide, I am an open book, so discussing anything in the open is perfectly fine with me. Hopefully no one in their right mind believes that VS uses confusion or fear to give away our free product. We simply present well-documented facts in our marketing.

    Although I can see where fear might be an effective marketing tool if used properly, I can see why a company might resort to using it. If someone drinks and smokes a lot and is in bad shape because of it, and they go to the doctor, the doctor might have to resort to fear to save their life. I have no idea about the confusion part... I have never seen that in the AV industry.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The original discussion was about DLL injection. There are two types of DLL injection: disk-based and memory-based. Most disk-based DLL injection is not malicious, although some of it is. Memory-based DLL injection is almost always malicious. Memory-based DLLs can also be hidden, i.e. not viewable using Process Explorer, for instance.

    What I gleaned from the discussion is that VoodooShield is confident it can catch disk-based DLL injection. So can most AV software, BTW. From what I have interpreted, VoodooShield is not effective against memory-based DLL injection. I would test this myself but have no desire to install VoodooShield at this time to do so.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I've tested the exe and dll that the OP sent through PM. The exe runs and at startup it looks for the dll to load and report the current date and time. If it can't find the dll in the same folder, it starts and fails with an error. I believe that this is what the OP was trying to achieve using anti-exe: the exe can run, but it can't execute correctly because it can't run the dll, even when the dll is placed in the same folder.
    I've tested SRP and couldn't configure it that way.
    I also tested Malware Defender, but it doesn't detect dll loading. It only detects .NET Framework dlls loading. If I prevent those (legitimate) dlls from loading, the program will fail. Otherwise it will run with no problem.
    I might try to run other HIPS and anti-exes to see if they could be configured to block that dll loading (without blocking .NET dlls).
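Added example (not from the thread, and not code from VoodooShield or any other product discussed in it): the distinction itman draws between disk-based and memory-based DLL injection, and Minimalist's question of whether a loader can be made to refuse a DLL sitting in the exe's own folder, can both be expressed as a policy over module-load telemetry. The script below applies a hash-and-publisher allowlist to constructed Sysmon-style records (Event ID 7 = Image loaded, Event ID 8 = CreateRemoteThread). The field names are Sysmon's; every hash, path and file name in the sample records is invented for the demo, and the allowlist contents are an assumption about what an operator would have vetted.

```python
# Added example: apply an "unknown DLL" allowlist to Sysmon-style telemetry.
# Not from the thread or any product in it. All event data is constructed;
# hashes and paths are invented.

# Hash allowlist of DLLs the operator has vetted (constructed values).
ALLOWED_SHA256 = {
    "a" * 64: "timereport.dll, vetted build",
}
# Authenticode publishers accepted without a per-file hash entry (assumption).
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}


def parse_hashes(field):
    """Split Sysmon's 'SHA256=...,MD5=...' field into {ALG: lowercase value}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().upper()] = val.strip().lower()
    return out


def decide_image_load(evt):
    """Verdict for an Event ID 7 (Image loaded) record.

    Order matters: a vetted hash wins regardless of folder, then a valid
    signature from a trusted publisher; everything else is unknown and blocked.
    """
    sha = parse_hashes(evt.get("Hashes", "")).get("SHA256")
    if sha in ALLOWED_SHA256:
        return ("allow", "hash allowlisted: " + ALLOWED_SHA256[sha])
    if (evt.get("Signed") == "true" and evt.get("SignatureStatus") == "Valid"
            and evt.get("Signature") in TRUSTED_SIGNERS):
        return ("allow", "trusted signer " + evt["Signature"])
    return ("block", "unknown module " + evt.get("ImageLoaded", "?"))


def decide_remote_thread(evt):
    """Verdict for an Event ID 8 (CreateRemoteThread) record.

    A reflective loader never goes through LoadLibrary, so the injected DLL
    produces no Event 7 at all. What remains is a remote thread whose start
    address is backed by no mapped module, which Sysmon reports as an empty
    StartModule.
    """
    if not evt.get("StartModule"):
        return ("alert", "remote thread into %s starts outside any module at %s"
                % (evt.get("TargetImage"), evt.get("StartAddress")))
    return ("info", "remote thread into %s at %s!%s"
            % (evt.get("TargetImage"), evt["StartModule"], evt.get("StartFunction")))


def triage(events):
    """Route each event to its rule; returns a list of (EventID, verdict, reason)."""
    results = []
    for evt in events:
        if evt["EventID"] == 7:
            verdict, reason = decide_image_load(evt)
        elif evt["EventID"] == 8:
            verdict, reason = decide_remote_thread(evt)
        else:
            continue
        results.append((evt["EventID"], verdict, reason))
    return results


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # 1. The vetted DLL loaded from the exe's own folder: allowed by hash.
    {"EventID": 7, "Image": r"C:\Test\timeexe.exe",
     "ImageLoaded": r"C:\Test\timereport.dll",
     "Hashes": "SHA256=" + "A" * 64, "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
    # 2. Same name, same folder, different bytes: hash mismatch, blocked.
    {"EventID": 7, "Image": r"C:\Test\timeexe.exe",
     "ImageLoaded": r"C:\Test\timereport.dll",
     "Hashes": "SHA256=" + "B" * 64, "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
    # 3. A .NET runtime DLL signed by Microsoft: allowed without a hash entry.
    {"EventID": 7, "Image": r"C:\Test\timeexe.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll",
     "Hashes": "SHA256=" + "C" * 64, "Signed": "true",
     "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
    # 4. Reflective injection: no Event 7 is ever produced for the DLL; the
    #    only trace is a remote thread with no backing module.
    {"EventID": 8, "SourceImage": r"C:\Users\xxx\Downloads\inject.x64.exe",
     "TargetImage": r"C:\Program Files\Browser\browser.exe",
     "StartAddress": "0x00007FF6A1230000", "StartModule": "", "StartFunction": ""},
]

if __name__ == "__main__":
    for eid, verdict, reason in triage(SAMPLE_EVENTS):
        print("event %d: %-5s %s" % (eid, verdict, reason))
```

Events 1 to 3 show what a hash rule does that SRP could not do in Minimalist's test: the vetted DLL is allowed wherever it sits, a modified copy under the same name in the same folder is blocked, and signed .NET runtime DLLs pass without individual entries. Event 4 is the case itman describes: a reflectively loaded DLL is never mapped by the Windows loader, so no image-load notification (and hence no Event 7) is generated, and the only visible artefact is the thread start address. Injection that creates no thread at all (APC queuing, hijacking an existing thread) leaves neither trace, so a file-based allowlist has to be paired with memory inspection for that class.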
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I do not believe that was what was decided, but I am not going to argue... it was fun for a while, but now it is kind of old.

    Do you have a memory only exploit sample? If so, I would love to see it, please send it to me in the same PM that I used to send you the NSSLabs emails earlier today. Thank you!
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    No, I don't have any exploits readily at hand. Much too dangerous to handle.

    I use the x64 inject exe and the reflective dll from here: https://github.com/stephenfewer/ReflectiveDLLInjection to do testing with. Since I assume VoodooShield would block the exe, this wouldn't be of much use to you. I use it to test my HIPS rules. You would have to allow the inject exe to run to determine if VoodooShield would allow the dll injection into a browser exe. You run it as follows:

    C:\Users\xxx\Downloads\inject.x64.exe 3948 C:\Users\xxx\Downloads\reflective_dll.x64.dll

    Note: 3948 was the target process id.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Actually, Wikipedia has a pretty good article on the various DLL injection methods malware can use: https://en.wikipedia.org/wiki/DLL_injection. I don't believe this adequately explains memory DLL injection, so refer to the links I posted in post #68.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I was thinking more along the lines of a malicious URL sample or something that would drop a memory-only payload from an exploit.... I am not sure how you would "handle" an exploit, being that they are basically the pathway for the payload, which is what could be "handled". And if you could "handle" an "exploit", why would it be more "dangerous" than a malicious executable payload?
     
    Last edited: Oct 1, 2015
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    @r41p41, I did not want to forget to ask you this, because it is vital: did you find anything in the VS 2.0 installer, GUI or service that changed UAC in any way? It sounds like you did, since you talked about it extensively, but I removed all of that long ago (unless I am forgetting something).

    Please let me know either way, because it is absolutely vital that we remove it if there are remnants from VS 1.0.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Gees, Dan. Why not just offer him or her a job? he he. :D
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I was not the one who made the claim that VS was primitive; he was. So I am simply calling him out.

    I cannot make the claim that VS is bulletproof... if I did, I would have to demonstrate that it is. I can say that no one has ever been able to bypass VS 2.0 because of a design flaw.

    So is it fair for other people to make unsupported claims about a product that I have spent almost 5 years of my life, working for free, to build, without demonstrating that they are true? And apparently the initial claim that he made was convincing enough for itman to believe... so this is an issue.

    It is perfectly fine if the claim is true... but until we have tangible proof, no one will ever know for sure. The ONLY thing we know for sure at this point is that no one has ever demonstrated a bypass of VS 2.0 based on a design flaw. And until he, or someone else, proves otherwise, it is going to remain that way.

    I am still waiting to hear his response on post 164... this alone disproves a lot of what he is saying.

    There are no remnants of UAC in VS 2.0; both he and I know that (but if he did see some, I would like to know). I am just curious why he brought up UAC, and what made him think that was the case. That is a MASSIVE hole in his story... it makes me think that he did not even try VS 2.0.

    I am not the one who claimed that VS was easy to bypass... he was. I was just trying to give him a chance to substantiate his claim... do you think people who make unsubstantiated claims, especially when they are hidden behind their computer, deserve to be rewarded if they cannot demonstrate that what they are saying is true?
     
    Last edited: Sep 30, 2015
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    ... My post was a joke, hence the big smiley grin. I'm sorry I posted it now. I will not post in this thread again.
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I know it was ;). I was just explaining why making unsubstantiated claims is not cool, and is dangerous ;).

    I have no idea if the AppCertDll can be bypassed or not. Half of the people that I have talked to say that it can, and half of the people say that it is pretty darn robust.

    I just want to know if it can be bypassed or not, and it sounds like he knows how to do it, but until he does it, no one will ever know for sure. He might even be surprised how difficult it might be once he starts to develop a bypass for it.
     
  15. hjlbx

    hjlbx Guest

    English is not his native language. He may also be using the term "primitive" in the same vein as programmatic primitives, e.g. read, write, map to memory... or just mean basic.

    Anyhow, don't kid yourself. Given enough time, scrutiny and effort, it is inevitable that any security soft can be bypassed, boinked, smashed, whatever one chooses to call it, and that includes VS.

    However, until someone provides a verifiable bypass, all of this discussion is merely speculation...
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Absolutely! I agree 100%... nothing is totally bulletproof.

    I think I just need to stick to what I specialize in... making VS and the GUI user-friendly and figuring out how to safely allow as much good stuff as possible (the user experience). I know very little about exploits, AppCertDll and KMD.

    The thing is, it would be ideal to bring these discussions to a conclusion before Vlad starts interacting with you guys. I mean, he is definitely extremely knowledgeable and has a lot of common sense so he would easily be able to defend himself... but I just do not want him to have to deal with the petty stuff.
     
    Last edited: Sep 30, 2015
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Dan

    You know there is an old forum expression about not feeding the trolls. In the years I have been using Sandboxie, there have been lots of claims of Sandboxie being bypassed. There was one that was indeed legitimate, and the person who found it didn't publicly discuss it but took it quietly to Invincea and allowed them to plug it. Oh, and he didn't ask for money. At this point, I would consider anyone claiming it can be bypassed, but who won't help you plug it and keeps repeating the same thing, to be acting like a troll, although they may be knowledgeable. I would stop responding, because as long as you do, they won't give up.

    Pete
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Great advice, thank you Pete, I appreciate that very much!
     
  19. hjlbx

    hjlbx Guest

    @VoodooShield

    I keep saying it over and over... until someone can provide verifiable proof that VS can\has been bypassed, it is mere speculation and pointless to keep discussing it.

    You might want to ask admin to lock the thread... lest it be any more of a distraction...
     
  20. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Feeding the trolls, are you serious? I was so glad to finally see someone here who really seems to know what he is talking about, and this is the welcome he gets. But thankfully he has learned his lesson, so we can keep to ourselves and our enlightening discussions, much like in a Counter-Strike or Battlefield forum where the kids are talking about who's better, Navy SEALs or Delta.

    "Hey, did you know that anti-virus isn't enough and that you should use our super duper sandbox technology?"
    "In all the time I've been using my anti-virus, I have never been infected once."
    "Yes, but research clearly shows how easily it can be bypassed."
    "Research clearly shows that your program can be bypassed as well."
    "Yes, but that is only purely theoretical."
    "From my point of view, your arguments are purely theoretical as well. Though if we are practical, I have been using our sandboxing godlike program for a while."
    "And how did you like it?"
    "Well, it never stopped a single threat, though not because it was bypassed, but rather because I've never encountered these advanced threats my anti-virus supposedly cannot stop. Yet it was really inconvenient and did give me a hell of a lot of problems, so it caused way more trouble than it's supposed to stop."
    "Perhaps we can work these issues out."
    "I didn't have any issues before using your program."
     
  21. r41p41

    r41p41 Registered Member

    Joined:
    Sep 29, 2015
    Posts:
    12
    I understand the frustration; it took me 6 months to understand compilers when I was in 7th grade. But don't beat yourself up: you don't know how Windows works and listen to what developers tell you every day. Even if you believe it's unbypassable or cannot be bypassed, that won't change the truth that without a driver your model is flawed.
    I don't blame you; I blame the testers and developers who are feeding you with false ideas that it's bulletproof.

    Do you think nobody ever demonstrated a bypass for VS 2.0 based on a design flaw? Is this because, out of 132,280 people on this forum, maybe 100 understand Windows?
    Or because no one has even heard of VS as being bulletproof as of now? Or because people have actual work to do at their office which allows them to survive?
    It's all three of the above and possibly even more.

    I quote:
    Which security products? Do you understand how those work, without jumping to conclusions? Maybe they don't filter new processes to block in kernel mode because of some reason?
    You don't mention which security product, what they do or what their primary working mode is, and you expect me to reply to that?
    Tell you what, I trust Kaspersky Proactive Defense; make sure your VS blocks the process before Proactive Defense alerts. Maybe then I might think that the 6 years of software development work and 5 years of homework that I did were useless because AppCert is a good method to block processes from execution. O_O
    Nothing disproves what I am saying; there has been no claim from your side providing any technical information on what, why or where, but only one thing:
    *POC or no bypass, and VS is bulletproof.* How does me not creating a POC prove otherwise?

    I think you misunderstand when I say your VS removes UAC. BTW, I tried 2.5:
    r41p41$ md5 Install\ VoodooShield.2.50.exe
    MD5 (Install VoodooShield.2.50.exe) = eee943bc4ff020489427bdb7d17cc367
    Dan, there is no hole in my story; there is stupidity at your end, because you don't even understand what I am trying to convey, and are getting sidelined because of your lack of technical know-how, and getting irritated because it's not making sense to you, then blaming me for being stupid and having holes in my 'story', which is just a hypothesis. Come on, man, this is not even difficult to understand:
    WINAPI calls CreateProcess, CreateProcess calls CreateProcessInternal, CreateProcessInternal calls ZwCreateProcessEx(), then after some time gives you a callback,
    then resumes the process by using ZwResumeThread or terminates it by using ZwTerminateProcess.
    How can that be tough to understand? The bloody process is already created and waiting to be resumed. All any attacker has to do is make sure you don't get the callback, or hook TerminateProcess and block it. I mean, I thought I didn't have to write this **** up because it's understood, but what the hell.

    Here is the story: I blog on EMET and MBAE. A guy comments asking how VS and AppGuard are; I say AppGuard I didn't look at, VS I took a look at and the protection is primitive (meaning not good as of now). Dan comes in and says he would love to see a bypass because he has not seen one in years and he is curious. Solving your curiosity, how does it help me? As for substantiating my claim, I did so in a polite manner, telling you the flaw so your developer can fix it. But I don't know what you guys talked about. Is there not one person with a shred of technical information on this whole forum who understands what I am saying? I told you your flaws without asking for a reward; when you asked for a bypass because of "POC or didn't happen", then I talked about hosting a bug bounty, and I'll happily participate.
    How is that me making unsubstantiated claims, hiding behind my computer and unable to demonstrate that what I am saying is t

    @Peter: Yes, I might seem to be a troll because I am just another user, but you are the one who is moderating the forum. Just because you didn't see a bypass/exploit on Sandboxie doesn't mean it's not possible. Similarly, just because you didn't see a bypass on VS doesn't mean it's not possible. And the philosophy that
    "POC or didn't happen" is for people who have been fearless because they never saw it coming. Put the protection you think is best in place, and when you have something substantial or worth the money, the attackers will get you.
    Guess what: nobody forgets their first time.

    Concluding: I don't care what you believe. Release a bug bounty and I will give you one PDF, HTML, DOC, whatever you want. Run it on a vulnerable VM and watch the colour drain from your eyes. Then prepare for your heart to crunch inside as, on top of a disappointment, you have to pay me as well. =)
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Well said ;).
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Moloch-shall-rise, you have no business commenting on trolls. Do you care for me to elaborate?
     
  24. r41p41

    r41p41 Registered Member

    Joined:
    Sep 29, 2015
    Posts:
    12
    Good to see someone from kernel mode here. I saw your signature and I think you can understand what I have been saying. Your post highlights how stupid I have been, trying to strike up a conversation.
     
  25. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    No, you don't have to. Everybody can know that I composed Moloch-shall-rise's comments on the ghacks/voodooshield article, and of course you know that because I told you personally.

    I am not a contributing member of the kernel mode forum, nor could I contribute anything meaningful there, because my knowledge level is about the same as most of the others here. I belong here.
     