Execution Interception Doubt

First of all, I am not even sure if my query is related to the quote above. Well, at least, this is what put the question into my head. What I want to ask is, can CIS’s execution interception be bypassed in any way? What I understand from Egemen’s explanation is that it is possible to execute a .dll file if it was embedded(?) into an .exe file? Which means that although you will get an alert for the launch of the .exe file, the .dll file will run unnoticed? But he explains in the 2nd paragraph that by adding “*.dll” to the list of executables in “Image Execution Control” it is possible to get an alert for this too. In this case, I should be getting two alerts, one for the launch of the .exe file and the other for the .exe file trying to execute the .dll file, right?

If my interpretation is completely off the mark and has nothing to do with what the discussion was about, then just a simple yes or no to the main question (is it possible to bypass CIS’s execution interception?) will suffice. If my interpretation was at least half-right, then I would like a baseline explanation, so that I can understand the subject at least at the base.

Think about what a DLL is: a file containing code plus some support data to be able to load it properly (imports, exports, relocations, etc.). Nothing will stop a program from implementing its own DLL loader and performing the work of LdrLoadDll itself. Loading a DLL is not dangerous at all because the code runs in the security context and address space of the program. Think of a DLL as a shortcut for doing something. If a programmer wants to read a file, they use ReadFile in kernel32.dll. But nothing stops them from calling the kernel directly using the sysenter instruction. However, it’s easier (and more portable) to use ReadFile, so that’s what they use.

It’s (almost) impossible to bypass execution control. Here’s how you create a process:

  1. Open the EXE file.
  2. Create a section object from it (a section maps a file into memory among other things).
  3. Tell the kernel to create the process from the section object. The kernel sets up the process with the EXE.

CIS intercepts programs at step 2. It’s technically possible to fork the current process using NtCreateProcess and then do some black magic to put an EXE into the process, but it would be very difficult. I’m sure CIS has some sort of safeguard against this anyway.
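As an added example (not part of either post above, and not Comodo's or Windows' own code), the following Python constructs a minimal PE32+ DLL image inline and then does by hand the work the answer attributes to LdrLoadDll: it lays the sections out at their virtual addresses, applies the base relocations for the chosen load address, and resolves the export table. Nothing here asks the kernel for an image section, which is the step the answer says CIS hooks; the "loader" is just memory copies and arithmetic in the calling program's own address space. The constants, the function names (`build_sample_dll`, `manual_map`, `demo`) and the sample image are assumptions for illustration only; the image is not a real Windows binary, imports are left out because the sample has none, and the mapped code is never executed.

```python
import struct

# Layout constants for the constructed sample image (assumptions for this example only).
IMAGE_BASE = 0x10000000          # preferred load address written in the header
SECTION_RVA = 0x1000             # RVA of the single .text section
SECTION_FILE_OFF = 0x200         # file offset of that section
IMAGE_REL_BASED_DIR64 = 10       # relocation type: add the load delta to a 64-bit address


def build_sample_dll() -> bytes:
    """Construct a tiny PE32+ DLL: a code stub, an export table and one relocation block.
    The stub is `mov rax, <absolute address of data>; ret`, so its imm64 (section offset 2)
    must be rebased whenever the image is not loaded at IMAGE_BASE."""
    sec = bytearray(0xD0)
    sec[0x00:0x0B] = b"\x48\xB8" + struct.pack("<Q", IMAGE_BASE + SECTION_RVA + 0x20) + b"\xC3"
    sec[0x20:0x25] = b"hello"                                  # data the stub points at
    # IMAGE_EXPORT_DIRECTORY at 0x40: one named export, "GetData", pointing at the stub.
    sec[0x40:0x68] = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, SECTION_RVA + 0xA0, 1, 1, 1,
                                 SECTION_RVA + 0x70, SECTION_RVA + 0x80, SECTION_RVA + 0x90)
    sec[0x70:0x74] = struct.pack("<I", SECTION_RVA)            # AddressOfFunctions[0]
    sec[0x80:0x84] = struct.pack("<I", SECTION_RVA + 0xB0)     # AddressOfNames[0]
    sec[0x90:0x92] = struct.pack("<H", 0)                      # AddressOfNameOrdinals[0]
    sec[0xA0:0xAB] = b"sample.dll\0"
    sec[0xB0:0xB8] = b"GetData\0"
    # IMAGE_BASE_RELOCATION block at 0xC0: page 0x1000, one DIR64 entry at offset 2,
    # padded to 4 bytes with an ABSOLUTE (type 0) entry the way linkers emit it.
    sec[0xC0:0xCC] = struct.pack("<IIHH", SECTION_RVA, 12, (IMAGE_REL_BASED_DIR64 << 12) | 2, 0)
    sec += b"\0" * (0x200 - len(sec))                          # pad to FileAlignment

    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<Q", opt, 24, IMAGE_BASE)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)            # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 0 * 8, SECTION_RVA + 0x40, 0x28)  # export directory
    struct.pack_into("<II", opt, 112 + 5 * 8, SECTION_RVA + 0xC0, 12)    # basereloc directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0xD0, SECTION_RVA, 0x200, SECTION_FILE_OFF,
                          0, 0, 0, 0, 0x60000020)              # code | execute | read
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    return headers + b"\0" * (SECTION_FILE_OFF - len(headers)) + bytes(sec)


def manual_map(image: bytes, new_base: int):
    """Do LdrLoadDll's work on a byte buffer: lay out sections at their RVAs, apply base
    relocations for `new_base`, parse the exports. Returns (mapped, {name: address})."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt = e_lfanew + 24                                        # start of the optional header
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", image, opt + 56)
    dirs = [struct.unpack_from("<II", image, opt + 112 + i * 8) for i in range(16)]

    # 1. Copy headers and sections to their virtual addresses with plain memory writes
    #    (the view an image section object would provide, without creating one).
    mapped = bytearray(size_of_image)
    mapped[:size_of_headers] = image[:size_of_headers]
    for i in range(n_sections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, opt + opt_size + i * 40 + 8)
        n = min(vsize, rawsize)
        mapped[va:va + n] = image[rawptr:rawptr + n]

    # 2. Base relocations: every DIR64 entry is an absolute address that receives the delta.
    delta = new_base - image_base
    rva, size = dirs[5]
    end = rva + size
    while delta and rva < end:
        page_rva, block_size = struct.unpack_from("<II", mapped, rva)
        for off in range(rva + 8, rva + block_size, 2):
            entry = struct.unpack_from("<H", mapped, off)[0]
            kind, at = entry >> 12, page_rva + (entry & 0xFFF)
            if kind == IMAGE_REL_BASED_DIR64:
                value = struct.unpack_from("<Q", mapped, at)[0]
                struct.pack_into("<Q", mapped, at, (value + delta) & 0xFFFFFFFFFFFFFFFF)
            elif kind != 0:                                    # type 0 is alignment padding
                raise ValueError(f"unhandled relocation type {kind}")
        rva += block_size

    # 3. Export table: name -> absolute address, the lookup GetProcAddress performs.
    exports = {}
    rva, size = dirs[0]
    if size:
        _, n_names, funcs, names, ords = struct.unpack_from("<IIIII", mapped, rva + 20)
        for i in range(n_names):
            name_rva = struct.unpack_from("<I", mapped, names + i * 4)[0]
            name = mapped[name_rva:mapped.index(b"\0", name_rva)].decode()
            ordinal = struct.unpack_from("<H", mapped, ords + i * 2)[0]
            exports[name] = new_base + struct.unpack_from("<I", mapped, funcs + ordinal * 4)[0]
    return mapped, exports


def demo(new_base: int = 0x7FF600000000) -> dict:
    """Map the sample DLL at `new_base` and report what the hand-rolled loader produced."""
    mapped, exports = manual_map(build_sample_dll(), new_base)
    data_ptr = struct.unpack_from("<Q", mapped, SECTION_RVA + 2)[0]   # the rebased imm64
    return {"GetData": exports["GetData"], "data_ptr": data_ptr,
            "data": bytes(mapped[data_ptr - new_base:data_ptr - new_base + 5])}
```

Running `demo()` maps the image far from its preferred base and shows the stub's immediate now pointing at the relocated `"hello"`, exactly the fix-up the real loader would have applied. A real manual mapper would additionally walk the import directory and call `VirtualAlloc`/`VirtualProtect` so the copied bytes are executable, but the point stands: none of this involves the section object that a loader-level hook watches for, which is why the original answer treats DLL loading as something the program can always do for itself.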