In my last bpmtk post, I argued that although whitelisting DLLs (supplementary to whitelisting EXEs) prevents my Excel macro from loading the embedded DLL, it would be far too difficult to build and maintain such a whitelist of DLLs. However, Cd-MaN commented with a technique to add DLL restrictions to the Software Restriction Policies without building an exhaustive DLL whitelist, the details are in his excellent blogpost (step 3).
In a nutshell, Cd-MaN configures SRP to restrict allowed DLLs to those found in the Windows and Programs Files directories (a restricted user is not allowed to write to these directories).
To bypass this SRP configuration with my Excel macro, I had to update it so that it would perform the process manipulation directly, in stead of doing this manipulation from within the embedded DLL. And here his how I did it:
The trick is to call WriteProcessMemory directly from within the script to disable SRP. Because I didn’t want to recode my search-and-write function from C to VBscript, I hardcoded the addresses to write to (this will only work for the specified version of advapi32.dll). The effect of these 2 WriteProcessMemory calls is to patch advapi32.dll inside the Excel process, thereby disabling SRP so that the embedded DLL is allowed to load (of course, now that SRP is disabled for Excel, I can also just start another program).
A new version of my bpmtk utility (with the DLL version of bpmtk.exe) will be posted soon.
Didier Stevens 