dll injection

Discussion in 'privacy general' started by iceni60, Aug 27, 2004.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Am I right in thinking that a DLL injection can only be written for one particular program? E.g. while downloading or browsing the internet with Firefox, if a DLL injector was written for IE the DLL injection can't take place?
    Also, is there a program which will record which DLLs are used by each program, so if an injection takes place the added DLL will be flagged? I'm hoping that TDS, Kerio 2.1.5 or a hash calculator does something along these lines. Thank you :)
     
  2. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Any ideas? Or any good reading on the subject?
    Thanks :)
     
  3. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Don't know for certain, but I think the answer is yes, it is program specific.

    Haven't read about a program that keeps track of .dll's in the way you're asking about.

    There are firewalls, two that I have experience with, ZAP and Sygate (free), that have the option to intercept .dll injection and ask for permission/denial. I suppose if I keep the appropriate firewall logs for a longer period of time, then that would constitute a record of .dll changes in the specific programs, or copy them to a separate log of my own, making a permanent record.

    After SP2 install, I became very busy giving permissions.

    Regards - Charles
     
    Last edited: Aug 30, 2004
  4. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Thanks for answering, Charles. I think it's program specific too. I have Kerio 2.1.5 which has an internet application MD5 checker. Do you know what it checks? (.exe, .dll?) Thanks
     
  5. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    You have different apps against DLL, code and handler injections.

    My favorite is SystemSafetyMonitor

    There are too: Abtrusion Protector
    PC Internet Patrol
    Prevx

    and probably some others.

    Regards,
     
  6. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Yes, SSM kept me very busy as well after SP2.

    Regards - Charles
     
  7. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    DLL injection isn't the only attack of its kind that you should be concerned about, for example if there's not much code that needs to be loaded into the target process then the attacker might just use WriteProcessMemory. CreateRemoteThread doesn't even need to be called if the new code is written into an area of existing code that will definitely be executed.

    Process Guard is arguably the most advanced system available for blocking all of these sorts of attacks:
    http://www.diamondcs.com.au/processguard/index.php?page=attack-misc

    (Also note that the attacks page will be updated to include even more attacks when we release PG v3 in a week or two)
     
  8. 1234

    1234 Guest

    Yes, but there is a newer free version of SSM, that will shortly be released, that may be able to match Process Guard.
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Yes, the author has contacted us.

    Not quite, but you know what they say about imitation and flattery ... :)
     
  10. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    THAT'S GREAT NEWS GUYS, IN A WEEK OR TWO??

    CANNOT WAIT ANY LONGER, but it seems it was finished till I read about the vulnerability. You guys rock. Really, adequate.

    my compliments.
     
  11. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Yes, our beta team are already testing the new v3 with promising results so far. Actually it was the discovery of the vulnerability that prompted us to create this new version, but as to the vulnerability itself, it's not much of a worry - it's an advanced attack that very few programmers will be able to pull off, and because of technical issues it's even harder to get it to work on multiple operating systems - the vulnerability demo only works under Windows 2000, as an example, and I'd be extremely surprised if a working exploit was ever created. Even if a working exploit was created it would be rendered useless within a week or two with the release of the new version of Process Guard anyway.

    The vulnerability itself is not Process Guard specific because the vulnerability (based on using \device\physicalmemory) can essentially be used to attack any process. It was only considered a Process Guard vulnerability because PG is the sort of program that should protect against that type of attack (even though nothing else does), so we've now developed a solution that's already built into the new version, which will make Process Guard the first and only program available that will allow you to add protection to other processes against this attack.

    We're also about to release a new version of Port Explorer, so you'll see both of these new versions in the coming weeks. Process Guard even has a new user interface - easier to use (yet still gives you that feeling of total control), and there are many enhancements to the driver that should also improve stability and fix issues that some people encountered with PG v2.
     
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Thanx, really.

    Will not bother you further with questions.
     
  13. -------

    ------- Guest

    I also look forward to PG3. It's a nice program.

    As regards flattery and imitation: Tiny Personal Firewall and the 100% free System Safety Monitor are the second generation of Windows system firewalls (if you agree to call Secure4U, eSafe etc. the first generation). Process Guard came thereafter and it did many things better (easier to use and more focused than TPF, better protection than SSM due to kernel-mode driver). Now the developer of SSM tries to strike back by offering a driver-based SSM which continues to support several features (e.g., the customizable registry guard) still not included into PG. And the developers of the all-embracing TPF try to improve its GUI so that the application is easier to use and more focused on frequently-used & dangerous attacks like dynamic DLL injections.

    In light of the above, it seems to me that, in the future, there may be several good choices for the user (which is truly bad news for malicious people trying to hack your computer ;-).
     
  14. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    And don't forget Prevx. I really am beginning to like that program because there is not a big learning curve with it.


    Starrob :D
     
  15. ------

    ------ Guest

    I am not so sure about PrevX. What kind of benefits does it really offer?

    (Unfortunately, I was not able to install it on my machine due to compatibility issues.)
     
  16. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Currently Prevx offers the following protections:

    1) Application modification protection
    2) Batch and script file modification protection
    3) Buffer overflow protection
    4) Control panel applet modification protection
    5) DLL modification protection
    6) Driver related file modification protection
    7) Protect Internet Explorer BHO's, Extensions, Main settings, Searching, Toolbars
    8) Registry Run protection
    9) Registry Shell Command Hooking protection
    10) Screen Saver modification protection
    11) Vulnerable file protection.


    Prevx works real well with Process Guard. That is a very tough combination for malware to get by.



    Starrob
     
  17. As regards the different types of "modification protections": is this just a file integrity checker or is it something more sophisticated? How does it work?
     
  18. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Thanks for all the replies :) There's a lot to be learned. However, does anyone know the answer to the above question? I don't think it has been answered; if it has, sorry for missing it. If I'd known the answer I wouldn't have had to start this thread. If anyone can answer I'd be very happy :D. Thanks.
     
  19. -----

    ----- Guest

    Answer is a clear "no". CreateRemoteThread works for (almost) every program. An injector can simply search for any running programs and inject the DLL into each of them. Some trojans actually do this.

    As regards "recording DLLs". Have a look at Sygate PFW. But it's a nightmare...you will be bugged all the time.
     
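Added example covering both halves of the reply above and the original question in post 1 (editor-supplied code, not a program from the thread and not Sygate's or Kerio's feature): a baseline snapshot of the modules loaded in every running process, followed by a diff that reports modules a process gained after the baseline, which is what a DLL injected into an already running program looks like. Assumed, and not stated in the thread: the function names Get-LoadedModuleInventory and Compare-LoadedModuleInventory, a 30-second observation window, an elevated PowerShell so most processes can be enumerated, and that the PowerShell host is the same bitness as the processes of interest (a 64-bit host cannot list the modules of 32-bit processes; the code skips those rather than reporting them).

```powershell
# Added example, not from the original post. Returns @{ "<pid>:<name>" = @(lower-cased module paths) }.
function Get-LoadedModuleInventory {
    $inventory = @{}
    foreach ($proc in Get-Process) {
        try   { $modules = $proc.Modules }   # throws for protected or other-bitness processes
        catch { continue }                   # skipped, so absence here is not evidence of anything
        if (-not $modules) { continue }
        $paths = foreach ($m in $modules) { if ($m.FileName) { $m.FileName.ToLowerInvariant() } }
        $inventory["$($proc.Id):$($proc.ProcessName)"] = @($paths)
    }
    return $inventory
}

# Hypothetical helper (assumption): lists modules present in $Current but absent from $Baseline
# for processes that existed at both points in time.
function Compare-LoadedModuleInventory {
    param([Parameter(Mandatory)][hashtable]$Baseline,
          [Parameter(Mandatory)][hashtable]$Current)
    foreach ($key in $Current.Keys) {
        # a process that was not running at baseline time is a new process, not an injection
        if (-not $Baseline.ContainsKey($key)) { continue }
        $added = $Current[$key] | Where-Object { $Baseline[$key] -notcontains $_ }
        foreach ($path in $added) {
            # an injected DLL is often deleted right after loading, so treat a missing file as its own signal
            $status = 'FileMissing'
            if (Test-Path -LiteralPath $path) {
                $status = (Get-AuthenticodeSignature -FilePath $path).Status
            }
            [pscustomobject]@{
                Process   = $key
                NewModule = $path
                Signature = $status
                # unsigned (or vanished) modules outside the Windows directory deserve a closer look;
                # signed system DLLs that load late are usually COM servers, shell extensions or plugins
                Suspect   = ($status -ne 'Valid') -and ($path -notlike "$env:SystemRoot\*")
            }
        }
    }
}

$baseline = Get-LoadedModuleInventory
Start-Sleep -Seconds 30          # observation window (assumed); an injection, or a normal plugin load, may happen here
$current  = Get-LoadedModuleInventory
Compare-LoadedModuleInventory -Baseline $baseline -Current $current |
    Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, this is a polling check, so it sees only what is still mapped at snapshot time; the WriteProcessMemory-only attack discussed earlier in the thread adds no module at all and is invisible to it, which is the gap the driver-based tools in this thread fill by hooking the OpenProcess/WriteProcessMemory/CreateRemoteThread path instead. Second, the noise the reply warns about is real: Windows programs load COM servers, shell extensions and browser plugins on demand, so the Signature and path heuristics in the Suspect column are there to rank the output, not to replace looking at it. The process key includes the PID, so a PID reused within the window would be compared against the wrong baseline; with a 30-second window that is unlikely but not impossible.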
  20. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Thanks for making it clear for me, ----- :)
     