A clever and usable dll execution control

A smart dll execution control is a must for CIS to protect against some exploits. dll execution control was there in v4 but was practically useless. v5 is devoid of any such control. With the latest exploits, we really do need it. I am waiting to see how smartly Comodo developers are going to implement it, as promised by egemen.

I have made an interesting thread about malicious dll execution versus HIPS here. Please do post your thoughts. Thanks

Seems not many users are interested in the dll control thing! I wish to have some words from the developers about its implementation.

Thanks

Here Defense+ v5 blocks execution of macrcrd.dll, which Defence+ since v3.13 could not block without adding *.dll to the execution control list:
RunDLL32 can load DLLs without triggering Run an executable alerts

Strange you can’t get those blocked with v5 :(. Can you share those proofs of concept (if they are not malicious)? Maybe someone else will try them against v5, too.

Can you post a screenshot of dll loading interception by CIS 5?

Here are the POCs I mentioned.

.lnk exploit POC

Link removed

dll vulnerability exploit POC

Link removed

Mod edit : Links to damaging or potentially damaging code is not permitted on the publicly accessible boards. I have PM’d the links to the poster that requested them.

I will when I get my hands on that macrcrd.dll. Soon.

Thanks, I received the links.

I think they have added control for rundll.exe running DLLs but not DLLs in general.

In the first case MacRcrd.dll and the .ico file are placed into the temp directory. Then a special shortcut is created on the desktop by an AutoIt script:

; drop the DLL and the icon into the user's temp directory
$var = EnvGet("TEMP")
FileInstall("MacRcrd.dll", $var & "\MacRcrd.dll")
FileInstall("pig.ico", $var & "\pig.ico")
; create a desktop shortcut whose target is Rundll32.exe, with the DLL and its
; export (PlayFile) as the arguments, the Windows dir as working dir and pig.ico as icon
FileCreateShortcut("%windir%\system32\Rundll32.exe", @DesktopDir & "\Dancing Pigs.lnk", @WindowsDir, $var & "\MacRcrd.dll,PlayFile", "Funny Dancing Pigs", $var & "\pig.ico")

So when launching the .lnk (the shortcut created) it executes the following command:
%windir%\system32\Rundll32.exe \Temp\MacRcrd.dll,PlayFile

So in fact it is Rundll32.exe which executes (tries to execute) MacRcrd.dll.
The following alert was fired:

In the second case, I tried to invoke MacRcrd.dll directly from the command line: I opened cmd.exe and fed it the same command:
%windir%\system32\Rundll32.exe \Temp\MacRcrd.dll,PlayFile
The following alert was fired:

Of course, in both cases, if the alert is blocked then MacRcrd.dll fails to run. Hence dll execution control is present in v5 and I like it better than that of v4.

[attachment deleted by admin]

No. It's just rundll32.exe being treated as a special case. DLLs executed by rundll32.exe are intercepted specifically, and maybe some others as well, but otherwise dll execution control is non-existent in CIS v5.

You are right.

"Mod edit : Links to damaging or potentially damaging code is not permitted on the publicly accessible boards. I have PM'd the links to the poster that requested them."
They were just POCs, neither damaging nor potentially damaging.

But, if an unknown exe tries to invoke them, it can't due to sandbox restrictions? Or do they load and hence compromise the system?

An unknown application will be able to load dlls even sandboxed.

The biggest danger is a safe application loading an unknown dangerous DLL of the same name as one it normally uses. I believe this is not prevented and the dangerous DLL would be fully trusted.

Hi
there is no risk (in my opinion) if a safe app loads a dangerous dll; as soon as the safe app breaches D+ policy you will get alerted,

however the problem lies in the fact that once we know it is a safe application we generally allow all its actions, though unwanted in nature,

yep, risk is present unless D+ makes elaborate logging which the user reviews occasionally

regards

adi

Unless you are in paranoid mode safe applications are allowed to do things without any questions. If a safe application loads an unsafe DLL there is no protection as far as I know.

You are mistaken. CIS is not intercepting dll execution/loading except in certain cases like rundll32.exe.

Any update on this? Is there a plan to add DLL execution control to future versions of CIS?