Comments on: bpmtk: How About SRP Whitelists?

By: bpmtk: Bypassing SRP with DLL Restrictions « Didier Stevens

bpmtk: Bypassing SRP with DLL Restrictions « Didier Stevens — Wed, 25 Jun 2008 06:52:33 +0000

[...] with DLL Restrictions Filed under: Hacking, My Software — Didier Stevens @ 6:51 In my last bpmtk post, I argued that although whitelisting DLLs (supplementary to whitelisting EXEs) prevents my Excel [...]

By: Didier Stevens

Didier Stevens — Tue, 10 Jun 2008 17:19:46 +0000

I’ve read your post, thanks! So you avoid building an exhaustive lists of allowed DLLs by defining that all DLLs (and EXEs) in folders c:\Windows and c:\program files are allowed? Clever!

I’ll have to test this and try to bypass it

By: Cd-MaN

Cd-MaN — Tue, 10 Jun 2008 16:16:44 +0000

SRP is very good, you just have to configure it right

http://hype-free.blogspot.com/2008/04/windows-xp-high-security-configuration.html

Towards the middle of the page I describe how you change the default setting for SRP so that it applies to executables AND dlls, rather than just executables.

By: Dave

Dave — Mon, 09 Jun 2008 18:33:00 +0000

Thank you. It looks like I’m going to have to get “into” Python now. It’s something which I’ve wanted to delve into and this seems an ideal opportunity!

By: Didier Stevens

Didier Stevens — Mon, 09 Jun 2008 12:01:14 +0000

@Dave

Details can be found here: http://blog.didierstevens.com/2008/06/09/quickpost-embedding-an-executable-in-a-vbscript/

By: Didier Stevens

Didier Stevens — Mon, 09 Jun 2008 11:57:18 +0000

@DF

I really think whitelisting DLLs are too difficult to manage.
The problem with AV signatures, is that they are easy to bypass. This script is likely to be used in a targeted attack.

By: Quickpost: Embedding an Executable in a VBscript « Didier Stevens

Quickpost: Embedding an Executable in a VBscript « Didier Stevens — Mon, 09 Jun 2008 11:54:13 +0000

[...] in a VBscript Filed under: My Software, Quickpost — Didier Stevens @ 11:53 My latest bpmtk post got some people to ask me for the VBscript. I’ll do better, I’m posting the Python [...]

By: Dave

Dave — Sun, 08 Jun 2008 18:29:30 +0000

That’s very interesting. I tried to reproduce what you did … but failed miserably! I have some understanding of coding and managed to compile code that you supplied in relation to your Utilman series but I think I need some help here!

If I get it right, you produce your executable (maybe a HelloWorld.exe) but compile it as a DLL. I see that Sub DumpFile1(f) has a whole load of hex values and I presume that’s where the hex values of the DLL are entered?

I’ve managed to get the Macro Code into Excel 2003 but am not sure where the LoadLibrary and FreeLibrary declarations go. I don’t have a DLL but wherever I put these declarations on the Macro code, an error is generated when I run it from the button.

Can you post the code for your “MyDLL” (in the hope that I can compile it as I have done previously!) and give an indication about the Function Declarations?

Thanks for your efforts.

By: DF

DF — Fri, 06 Jun 2008 16:45:42 +0000

Wow this is a good question and quite out of my league but has got me thinking.

The only thing that I can see would be to go with the white list option. It certainly would be a large undertaking but at least in an enterprise environment with a standard computer template it should not need to be done very often. It would need to be created once and only updated every time new software was added. First installing any new software on a computer that had a fresh install and was never connected to a network should allow you to relatively easily identify any new Dll’s that would need to be added to the white list. Should should be able to push the updated whitelist out over group policy and limit the impact on users. But this would only really work in an enterprise environment, and no one ever said security was going to be easy.

The only other possible thing I can imagine would be to get updated AV signatures that would catch files with numerous strings of bytes in the scripting. It looks like that would be necessary to pull off the exploit and I can’t think of a legitimate reason for something like that to be included in a file, but I don’t really do any scripting so maybe there is some utility there.