Comments on: bpmtk: How About SRP Whitelists?

By: Circumventing SRP and AppLocker, By Design « Didier Stevens

Circumventing SRP and AppLocker, By Design « Didier Stevens — Mon, 24 Jan 2011 00:04:08 +0000

[...] blogged about a spreadsheet that creates a DLL in a temporary location, and loads it inside the Excel process with LoadLibrary. [...]

By: Quickpost: Shellcode to Load a DLL From Memory « Didier Stevens

Quickpost: Shellcode to Load a DLL From Memory « Didier Stevens — Thu, 28 Jan 2010 03:09:27 +0000

[...] previous posts, I showed how to load a DLL or shellcode with VBA in Excel. This is a combination of both techniques: a VBA macro loads and [...]

By: Spiral

Spiral — Fri, 03 Apr 2009 17:53:24 +0000

Including the dlls in the white list and defining the path rules as the windows dir and program files dir blanket, coupled with running as a limited user (no write access to windows dir or program files dir etc.) would seem to be effective, but I have yet to reproduce this trick… Very interesting approach I must say. Not 100%, but surely better.

By: Didier Stevens

Didier Stevens — Thu, 12 Mar 2009 19:55:47 +0000

You forget that you would also need to do that on each used dll.
And then again …

By: localhost

localhost — Wed, 11 Mar 2009 20:19:47 +0000

use forfiles (or equivalent approach) with objdump -x and sed (or grep or findstr) to generate a list of the dlls that programs use.

By: Didier Stevens

Didier Stevens — Mon, 12 Jan 2009 09:41:01 +0000

@jonpresty Can you be more specific for the HIPS?

FYI: I’m doing this with LUA.

Sandboxie will not stop the DLL from running. It will block it from modifying the environment.

By: jonpresty

jonpresty — Fri, 09 Jan 2009 14:13:02 +0000

How about using ramdisk overlay or using enhanced write filter (EWF) or embedded windows plus sandboxie plus your favorite hips under LUA?

By: bpmtk: Bypassing SRP with DLL Restrictions « Didier Stevens

bpmtk: Bypassing SRP with DLL Restrictions « Didier Stevens — Wed, 25 Jun 2008 06:52:33 +0000

[...] with DLL Restrictions Filed under: Hacking, My Software — Didier Stevens @ 6:51 In my last bpmtk post, I argued that although whitelisting DLLs (supplementary to whitelisting EXEs) prevents my Excel [...]

By: Didier Stevens

Didier Stevens — Tue, 10 Jun 2008 17:19:46 +0000

I’ve read your post, thanks! So you avoid building an exhaustive lists of allowed DLLs by defining that all DLLs (and EXEs) in folders c:\Windows and c:\program files are allowed? Clever!

I’ll have to test this and try to bypass it

By: Cd-MaN

Cd-MaN — Tue, 10 Jun 2008 16:16:44 +0000

SRP is very good, you just have to configure it right

http://hype-free.blogspot.com/2008/04/windows-xp-high-security-configuration.html

Towards the middle of the page I describe how you change the default setting for SRP so that it applies to executables AND dlls, rather than just executables.