General protection options

Discussion in 'ProcessGuard' started by gkweb, Nov 28, 2003.

Thread Status:
Not open for further replies.
  1. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    In the "protection" menu, there are "General protection options" features, but I didn't find any information about them in the help, in particular about "Block DLL files from being added to APPINIT_DLLs registry key".

    What does it do? Why would a trojan/malicious program want to use this registry area?

    thanks.
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Method: DLL/Code Injection
    Description: The attacking process 'injects' a DLL or code into the memory space of another process, allowing the attacking process to remain alive in the context of an existing process. This stealthy trick is starting to be used more frequently by remote access trojans, and can also be used to alter the behaviour of programs. Injected code can also easily terminate its host process, providing another option for process termination. Firewall leaktests often use this technique to bypass firewalls, usually by injecting a DLL into an application that's generally trusted by firewalls (such as Internet Explorer).

    (That's from the "Help"/"Miscellaneous Attacks".) Pete
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I know what DLL injection is, but I didn't know this feature was DLL injection protection.

    Thank you.
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    It's DLL injection protection against that particular method of delivery. I've seen it talked about before, I just can't remember where at the moment. Pete
     
  5. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    If I understand this right, this key can contain a list of DLLs to be loaded by the OS into every 16-bit program that is being launched...

    Andreas
     
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    :eek:

    which would be more dangerous than a single DLL injection against one aimed program, if you're right :eek:

    happy to have such protection now.
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Well actually trojans use "WriteProcessMemory", which is what WRITE blocks. And then they create a remote thread and write their code into that process's space, as if the target program was always running it. It's very clean and stealthy, and that's why trojans have developed this way.

    So block that access to things you have in your firewall ruleset, and you have a REAL firewall back? Hope that helps :)
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    APP_Init DLLs are loaded into every process which also loads USER32.DLL.. nearly all processes. So an attack could be to write a DLL which attacks Process Guard (or other processes) once it's loaded.

    This attack was mentioned, but is it ever used? No.. if it is, though, Process Guard doesn't care. You can block them from ever being used; most systems will not ever load DLLs in that way anyway. If a program has put one there, that's ok. If a new program is being installed that you know needs to add an entry here (doubtful), you could remove protection temporarily. Trusted software is fine, as long as the user has this control over attacks.
     
  9. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Yes, it isn't loaded by 16-bit applications directly (since they are handled by ntvdm usually) but by user32.dll, which Gavin noted. User32.dll is in 99% of Windows programs and hence it gets loaded into most programs; it is a "Microsoft documented" method of DLL injection we block. Not many legit programs use this, but some malicious programs do.

    -Jason-
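The mechanism Gavin and Jason describe above can be audited from the defender's side. The following read-only PowerShell script is an added example, not code from the thread or from DiamondCS: it lists whatever is currently in the AppInit_DLLs value (both the native and the Wow6432Node views on 64-bit Windows), checks whether each listed file exists and is Authenticode-signed, and shows the LoadAppInit_DLLs / RequireSignedAppInit_DLLs switches that later Windows versions added (they are absent on XP-era systems, where the list is always honoured). The key path and value names are the documented Windows ones; the report layout is my own.

```powershell
# Added example (not from the thread): audit the AppInit_DLLs mechanism that the
# ProcessGuard option guards. Read-only; it reports and changes nothing.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',             # native view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on x64
)

function Get-AppInitDllReport {
    param([string[]]$KeyPaths = $AppInitKeys)

    foreach ($key in $KeyPaths) {
        if (-not (Test-Path -Path $key)) { continue }
        $props   = Get-ItemProperty -Path $key
        $enabled = $props.LoadAppInit_DLLs           # $null on systems without this switch (always on there)
        $signed  = $props.RequireSignedAppInit_DLLs  # $null likewise

        # AppInit_DLLs is a space- or comma-separated list of DLL names or paths.
        $dlls = @([string]$props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ -ne '' })

        if ($dlls.Count -eq 0) {
            [pscustomobject]@{ Key = $key; Dll = '<none>'; Exists = $null; Signature = $null
                               LoadEnabled = $enabled; RequireSigned = $signed }
            continue
        }

        foreach ($dll in $dlls) {
            $resolved = [Environment]::ExpandEnvironmentVariables($dll)
            if ($resolved -notmatch '\\') {
                # A bare name is resolved by the loader's DLL search order, so the
                # file cannot be located from here; flag it for manual review.
                $exists = $null; $sig = 'BareName-ResolveManually'
            } else {
                $exists = Test-Path -LiteralPath $resolved
                $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'FileMissing' }
            }
            [pscustomobject]@{ Key = $key; Dll = $dll; Exists = $exists; Signature = $sig
                               LoadEnabled = $enabled; RequireSigned = $signed }
        }
    }
}

Get-AppInitDllReport | Format-Table -AutoSize
```

Any entry at all deserves a second look on a typical system, since, as the thread notes, very few legitimate programs use this key; an unsigned or missing file in the list is the first thing to investigate.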
     