rundll.exe

Discussion in 'ProcessGuard' started by Rmus, May 30, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I notice that many users of PG give rundll.exe permission to run once. Why is this?

    Thanks,

    -rich
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Rich, There is a risk. RunDLL32.exe is in itself harmless, as it is a system file. Malware/badly coded programs/etc. can use RunDLL32 to open popups, run keyloggers, etc., and some types of malware could use rundll32 for installing malware if it is given "permit always".
    If you get an unexpected request from an unknown program, either ask here or google for further information on the unknown program.

    HTH Pilli.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, thanks. I posted a few questions in another thread when I was looking for information on various anti-exe programs, but didn't see anything specific to this.

    Since most of these types of programs create a white list, I don't understand why you would worry about rundll.exe opening any malware, because no malware could ever install since it wasn't on the white list. At least that was my understanding of how PG works, but I may be wrong.

    regards,

    -rich
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes Rich, Processguard does check all .exe start ups and also any changes but I suppose there is a chance that one could inadvertently allow an .exe to install malware that may install another process or form of injection that is invoked by rundll32 say after a reboot. Hopefully DCS or a malware expert can describe a mechanism better than I. :)

    Pilli
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, Pilli. I think this is one good reason to have a lockdown program as the last line of defense, such as ShadowUser or Deep Freeze: upon reboot, any inadvertent installation would be removed.

    As a matter of fact, since you bring up injection, I did write another company, and I'll share his response, if you'll accept it just in the interest of adding to the discussion, since it's a different company.

    My question was about Alternate Data Streams injection, but it can really apply to all types of injection where a file is altered:

    -----------------------------
    Answer = Yes, when installing Anti-Executable or by turning it on, we build a hash key of every executable including dlls installed at that point. If an executable is used by ADS to inject anything into another file, Anti-Executable will stop it. If by any means, it does get through, then since the data in the whitelist is not the same, it will recognize it as an unauthorized executable and not run.
    -----------------------------

    I just assumed PG did the same thing, so that once your whitelist is created, you don't really have to worry about it.

    When giving permission to install something, of course, this is a different scenario.

    regards,

    -rich
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, PG does create an MD5 hash for every .exe that is on its list.
    With the four General protection tabs enabled you also effectively:
    Protect Physical Memory
    Block Global Hooks
    Block Rootkit/Driver/Service Installation
    Block Registry DLL Injection

    Regarding Add-Streams this link may help: http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams.

    Pilli
     
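The two points raised above, the per-file hash whitelist that Pilli describes for PG and the Anti-Executable reply quoted earlier (hash every exe and DLL at install time, refuse anything whose hash no longer matches), can be illustrated in a few lines. The following is an added example written for this thread, not code from ProcessGuard, DiamondCS or Faronics; it builds a whitelist by hashing the files in a constructed temporary directory, then decides whether a `rundll32.exe <dll>,<entry>` command line should run. The twist that answers the original question is that it checks the DLL named on the command line as well as the host executable: rundll32 itself is always on the whitelist, so a rule that looks only at the host would let a freshly dropped or altered DLL through. The file contents, directory layout and entry-point names are all constructed stand-ins, and MD5 is used only because that is what the thread mentions; `hashlib.new("sha256")` is the same call with a stronger digest.

```python
"""Hash-based executable whitelist with a rundll32 payload check.

Added example for this thread; it is not ProcessGuard's or Anti-Executable's
own code. All files and paths below are constructed stand-ins.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path


def file_hash(path, algo="md5"):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(root, suffixes=(".exe", ".dll"), algo="md5"):
    """Snapshot every exe/dll under root: {hash: path}, taken at 'install time'."""
    whitelist = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            whitelist[file_hash(p, algo)] = str(p)
    return whitelist


def is_whitelisted(path, whitelist, algo="md5"):
    """A file is trusted only if its current hash is in the snapshot.
    Any later alteration (injection, ADS tricks, patching) changes the hash."""
    return os.path.isfile(path) and file_hash(path, algo) in whitelist


def rundll32_payload(cmdline):
    """Return the DLL path from 'rundll32.exe <dll>,<entry> [args]', else None.
    Splits on both slash styles so Windows paths parse on any host."""
    tokens = cmdline.split()  # assumption: no spaces inside the paths
    if len(tokens) < 2:
        return None
    host_name = re.split(r"[\\/]", tokens[0])[-1].lower()
    if host_name != "rundll32.exe":
        return None
    return tokens[1].split(",", 1)[0]


def decide(cmdline, whitelist, algo="md5"):
    """Return (allowed, reason) for a command line about to execute."""
    host = cmdline.split()[0]
    if not is_whitelisted(host, whitelist, algo):
        return False, f"host {host} is not in the whitelist"
    dll = rundll32_payload(cmdline)
    if dll is None:
        return True, f"host {host} is whitelisted"
    # rundll32 is a trusted host, so the real question is the DLL it loads.
    if not is_whitelisted(dll, whitelist, algo):
        return False, f"rundll32 is whitelisted but payload {dll} is not"
    return True, f"host and payload {dll} are both whitelisted"


def demo():
    """Constructed scenario: whitelist built, then a DLL dropped and one altered."""
    root = tempfile.mkdtemp(prefix="pg_demo_")
    sys32 = Path(root, "system32")
    sys32.mkdir()
    host = sys32 / "rundll32.exe"
    good = sys32 / "shell32.dll"
    host.write_bytes(b"MZ constructed stand-in for rundll32.exe")
    good.write_bytes(b"MZ constructed stand-in for shell32.dll")
    whitelist = build_whitelist(root)

    # Written after the snapshot: this is the 'permit always' risk from the thread.
    dropped = Path(root, "dropped.dll")
    dropped.write_bytes(b"MZ constructed stand-in for a DLL dropped later")

    results = {
        "legit": decide(f"{host} {good},Control_RunDLL", whitelist)[0],
        "dropped": decide(f"{host} {dropped},Start", whitelist)[0],
    }
    # Alter a whitelisted DLL in place: its hash no longer matches the snapshot.
    good.write_bytes(b"MZ constructed stand-in for shell32.dll, now altered")
    results["altered"] = decide(f"{host} {good},Control_RunDLL", whitelist)[0]
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:8s} -> {'allow' if allowed else 'block'}")
```

Running it prints `allow` for the untouched DLL and `block` for both the dropped and the altered one, which is the behaviour the Anti-Executable reply describes; a checker that stopped at the host name would have printed `allow` three times.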
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for the clarification, and the link - very informative.

    -rich

     