I would like to point out that this was fixed in a week. I warned them a week ago, and today they notified me of the new release with this fix.
Correct. I would only worry about this in a highly targeted attack scenario, the type where the attacker knows you use SRP/AppLocker as a...
Mark's original article (from 2005) is here:...
I believe you mean malware/unwanted programs, not exploits. There is no vulnerability in AppLocker, hence no exploits. There is no current...
I got a very interesting comment on my blogpost: http://blog.didierstevens.com/2011/01/24/circumventing-srp-and-applocker-by-design/ The...
I've seen "damage" mentioned here a couple of times, more specifically in a technical context: what are the permanent changes made to my machine?...
I've several posts and tools for mitigation in a layered security context. But I don't talk about mitigation at the SRP/AppLocker layer, simply...
No, ASLR has no impact on the execution of code inside DLLs. Unfortunately no, otherwise I would have mentioned it. Maybe an admin can reinforce...
Post is up http://blog.didierstevens.com/2011/01/24/circumventing-srp-and-applocker-by-design/
That's not what I'm saying, you read me wrong, I never wrote about 100% protection. To make informed decisions about which security software you...
That's simple, the DLL runs in the context of the process, thus it also runs with low IL.
As some of you wonder what risk this brings, let me post something from my upcoming blogpost about this:
Correct. Let's take the example of an Internet Explorer exploit. You visit a web site which hosts such an exploit. This exploit uses a...
There's a lot of malware in the wild that uses a DLL instead of an EXE. It can be very harmful. Writing a (malicious) program in the form of a DLL...
If SRP/AppLocker allows the process to start, then yes, one can use LoadLibraryEx and the DLL will load. Yeah, "as well" is a better choice....
You're welcome! As I know there are many SRP/AppLocker users here on this forum, I decided to inform you first before I post on my blog (post is...
Yes, this shellcode writes to a temporary file, so the only change to make is to use LoadLibraryEx instead of LoadLibrary, and to push 2 extra...
Token creation and assignment is done at process creation time. LoadLibrary(Ex) is used inside an existing process, and makes no new tokens...
I think some of you will find this interesting. While reading up on LoadLibraryEx, I noticed an interesting flag: LOAD_IGNORE_CODE_AUTHZ_LEVEL...
Because this is a SS thread. On my blog, you'll see that I didn't mention SS, and that I kept it generic. But the problem we are discussing here...
Update: I exchanged e-mails with SS, they might add DEP and ASLR in one of their future versions. They can't do it for the next version,...
I answered that before: http://www.wilderssecurity.com/showpost.php?p=1814351&postcount=130
No problem. It probably failed because you tried to change the flag while the DLL is in use (loaded in explorer.exe). Do the following:...
That is a question I can't answer for you. You have to ask yourself why do you use these security tools? Is it to protect your machine against...
If you don't need it, you can do that. One easy way is to change the name of the dll in the registry. Then if you want to temporarily reactivate...