am i right in thinking that a dll injection can only be written for one particular program e.g. while DLing or browsing the internet with firefox, if a dll injector was written for IE the dll injection cant take place? also, is there a program which will record which dlls are used by each program, so if an injection takes place the added dll will be flaged? im hoping that TDS, kerio 2.1.5 or a hash calculater does something along these lines. thank you
Don't know for certain, but I think the answer is yes, it is program specific. Haven't read about a program that keeps track of .dll's in the way you're asking about. There are Firewalls - two that I have experience with, ZAP and Sygate (free), that have the option to intercept .dll injection and ask for permission/denial. I suppose if I keep for a longer period of time the appropriate firewall logs, than that would constitute a record of .dll changes in the specific programs, or copy them to a seperate log of my own making a permanent record. After SP2 install, I became very busy giving permissions. Regards - Charles
thanks for answering, Charles. i think its program specific too. i have kerio 2.1.5 which has an internet application MD5 checker. do you know what it checks? (exe. dll.) thanks
Hello, You have different app against dll, code and handler injections. My favorite is SystemSafetyMonitor there are too : abstrusion Protector PC Internet Patrol Prevx and probably some others. Regards,
DLL injection isnt the only attack of its kind that you should be concerned about, for example if there's not much code that needs to be loaded into the target process then the attacker might just use WriteProcessMemory. CreateRemoteThread doesn't even need to be called if the new code is written into an area of existing code that will definately be executed. Process Guard is arguably the most advanced system available for blocking all of these sorts of attacks: http://www.diamondcs.com.au/processguard/index.php?page=attack-misc (Also note that the attacks page will be updated to include even more attacks when we release PG v3 in a week or two)
Yes, but there is a newer free version of SSM, that will shortly be released, that may be able to match Process Guard.
Yes, the author has contacted us. Not quite, but you know what they say about imitation and flattery ...
THAT'S GREAT NEWS GUYS, IN A WEEK OR TWO?? CANNOT WAIT ANY LONGER, but it seems it was finished till I read it about the vulnerability. You guys rock. really, adequate. my compliments.
Yes, our beta team are already testing the new v3 with promising results so far. Actually it was the discovery of the vulnerability that prompted us to create this new version, but as to the vulnerability itself, it's not much of a worry - it's an advanced attack that very few programmers will be able to pull off, and because of technical issues it's even harder to get it to work on multiple operating systems - the vulnerability demo only works under Windows 2000, as an example, and I'd be extremely surprised if a working exploit was ever created. Even if a working exploit was created it would be rendered useless within a week or two with the release of the new version of Process Guard anyway. The vulnerability itself is not Process Guard specific because the vulnerability (based on using \device\physicalmemory) can essentially be used to attack any process. It was only considered a Process Guard vulnerability because PG is the sort of program that should protect against that type of attack (even though nothing else does), so we've now developed a solution that's already built into the new version, which will make Process Guard the first and only program available that will allow you to add protection to other processes against this attack. We're also about to release a new version of Port Explorer, so you'll see both of these new versions in the coming weeks. Process Guard even has a new user interface - easier to use (yet still gives you that feeling of total control), and there are many enhancements to the driver that should also improve stability and fix issues that some people encountered with PG v2.
I also look forward to PG3. It's a nice program. As regards flattery and imitation: Tiny Personal Firewall and the 100% free System Safety Monitor are the second generation of Windows system firewalls (if you agree to call Secure4U, eSafe etc. the first generation). Process Guard came thereafter and it did many things better (easier to use and more focused than TPF, better protection than SSM due to kernel-mode driver). Now the developer of SSM tries to strike back by offering a driver-based SSM which continues to support several features (e.g., the customizable registry guard) still not included into PG. And the developers of the all-embracing TPF try to improve its GUI so that the application is easier to use and more focused on frequently-used & dangerous attacks like dynamic DLL injections. In light of the above, it seems to me that, in the future, there may be several good choices for the user (which is truly bad news for malicious people trying to hack your computer ;-).
And don't forget Prevx. I really am beginning to like that program because there is not a big learning curve with it. Starrob
I am not so sure about PrevX. What kind of benefits does it really offer? (Unfortunately, I was not able to install it on my machine due to compatibility issues.)
Currently Prevx offers the following protections: 1) Application modification protection 2) Batch and script file modification protection 3) Buffer overflow protection 4) Control panel applet modification protection 5) DLL modification protection 6) Driver related file modification protection 7) Protect Internet Explorer BHO's, Extensions, Main settings, Searching, Toolbars Registry Run protection 9) Registry Shell Command Hooking protection 10) Screen Saver modification protection 11) Vunerable file protection. Prevx works real well with Process Guard. That is a very tough combination for malware to get by. Starrob
As regards the different types of "modification protections": is this just a file integrity checker or is it something more sophisticated? How does it work?
thanks for all the replies theres alot to be learned. however, does anyone know the answer to the above question?. i dont think it has been answered, if it has, sorry for missing it. if id known the answer i wouldnt have had to start this thread if anyone can answer id be very happy . thanks.
Answer is a clear "no". CreateRemoteThread works for (almost) every program. An injector can simply search for any running programs and inject the DLL into each of them. Some trojans actually do this. As regards "recording DLLs". Have a look at Sygate PFW. But it's a nightmare...you will be bugged all the time.
