In my last bpmtk post, I argued that although whitelisting DLLs (supplementary to whitelisting EXEs) prevents my Excel macro from loading the embedded DLL, it would be far too difficult to build and maintain such a whitelist of DLLs. However, Cd-MaN commented with a technique to add DLL restrictions to the Software Restriction Policies without building an exhaustive DLL whitelist, the details are in his excellent blogpost (step 3).
In a nutshell, Cd-MaN configures SRP to restrict allowed DLLs to those found in the Windows and Programs Files directories (a restricted user is not allowed to write to these directories).
To bypass this SRP configuration with my Excel macro, I had to update it so that it would perform the process manipulation directly, in stead of doing this manipulation from within the embedded DLL. And here his how I did it:
The trick is to call WriteProcessMemory directly from within the script to disable SRP. Because I didn’t want to recode my search-and-write function from C to VBscript, I hardcoded the addresses to write to (this will only work for the specified version of advapi32.dll). The effect of these 2 WriteProcessMemory calls is to patch advapi32.dll inside the Excel process, thereby disabling SRP so that the embedded DLL is allowed to load (of course, now that SRP is disabled for Excel, I can also just start another program).
A new version of my bpmtk utility (with the DLL version of bpmtk.exe) will be posted soon.
Didier Stevens 
[…] Filed under: Hacking — Didier Stevens @ 10:34 I developed another variant of my “Excel macro injects embedded DLL” […]
Pingback by Excel Exercises in Style « Didier Stevens — Thursday 23 October 2008 @ 10:35
Very interesting…
Comment by Spiral — Friday 3 April 2009 @ 18:03
Any updates of the bpmtk utility?
It realy helps since last year until yesterday..
Maybe the company has updated advapi32.dll and the version i have wont work anymore..
Thanks! More power!
Comment by rusmore — Friday 3 July 2009 @ 5:33
[…] the code of the previous post, the DLL appears in the list of loaded […]
Pingback by Quickpost: Shellcode to Load a DLL From Memory « Didier Stevens — Thursday 28 January 2010 @ 3:09