Injecting DLL in process before the executables.

Hi, I'm using Windows 7 64-bit without UAC,
and I have discovered something like an "exploit/fail".

Okay, so, the application is a reverse engine; it injects a mana.dll into war3.exe.

The steps:
1. Run manabars.exe
2. Run Warcraft III 1.24e patch
3. And it is injected without any alerts!

With sandbox or not… If a developer wants to take contact, I'll give the executables and the .dll, but the game… I can't give :open_mouth:. And for more information:

A little movie: http://www.dailymotion.com/video/xd5o9r_comodo-bypassed_tech
Before, I run the game without any reverse engine,
and the second time I open manabars.exe (reverse engine) and
I relaunch war3.exe to see the differences
(the difference is that it adds blue bars under the green bar).
With sandbox, it gives an alert "want to run as admin"; I say yes, it's useless to say block… at this alert.
And I retested it without sandbox, and it gives the same results: no alerts.
Proactive mode by default and trusted applications for Defense+.

At 1:20 you receive an elevated alert popup. You choose to allow it. I doubt very much the results would have been the same if you had chosen to block this.

I’m not sure I understand your logic about how it’s useless to choose Deny.

Could you please try to add manabars.exe to your pending files and see if it allows you? It may be that it is already a safe file. Also, what applications did you make trusted?

Also check and make sure manabars.exe hasn’t somehow been added to your safe files list.

It's not added to safe files…
And "an elevated alert" where? "Do you want to run as admin" if it goes to sandbox; this alert is poor.
BTW, with or without sandbox, it injects manas.dll into war3.exe.
If you don't trust me, I can remake a video with proof of safe files, etc., and without sandbox.

Can you please upload manabars.exe to your post so I can check this out myself?

Also, are you telling me that you set the configuration to ‘proactive security’ and then disabled the sandbox and it was still able to inject itself? Did you change any other settings?

Is this a test application? If not, it should not be uploaded to the public forums. Uploading it to the Malware Research Group board (which is not public - you need to be a member) would be OK.

I was under the impression that this was not malicious. Am I wrong?

Sorry, I didn’t mean to imply it was malicious or not. I didn’t know, that’s why I was asking. :slight_smile:

I also didn’t want malicious programs posted on this board. I thought it was some sort of patch, but maybe I’m wrong. I think we’re on the same page here. :wink: I wasn’t even considering that it was malicious until you posted that.

On another note does anyone know how an application like this could bypass Defense+ (if it does) with the sandbox disabled and the file not trusted or in a safe list. I don’t have World of Warcraft, so I can’t actually test this on my own. That’s one of the main reasons I wanted it uploaded to the forum.

No problem. :slight_smile: As you said, our concerns are the same.

The only thing is with Defense+, it's not just a matter of getting past it once. Being a HIPS application, it would have to continuously avoid it.

About malware-research:
"The topic or board you are looking for appears to be either missing or off limits to you."

About malware or not:

Of course it is not malware; it's a reverse engine, a 'hack' for a game.
And apparently the latest CIS does not prevent against this code.
Of course I tested if Comodo can detect another .dll injection, and the result is… yes, it prevents it with the same game!
But not vs. these files.

You have to be a member of the Malware Research Group to access it.

As its not malware can you please attach it to your next post? If you don’t want to do this can you please upload it to rapidshare, or a similar site, and PM me the download link.

It’s for this reason I would like to know your exact CIS configuration. Can you please walk us through exactly how you configured CIS? Can you please follow the steps for How to Submit Bug Reports.

Thank you.

Yes, I will PM you,
and I will report it in bug reports,
and the config is proactive + trusted apps in Def+.

"World of Warcraft"
It's not World of Warcraft; Warcraft 3 is a different game.

https://forums.comodo.com/bug-report-cis/injection-dll-t56134.0.html;msg395006

VisualBasic

OK, thanks for the confirmation. As long as it can do harm to any user that might accidentally run it, I’m happy. :slight_smile:

Yes, as I said, you need to be a member of the group. You might have noticed users with the Malware Research Group title? They’re members of that group and, as such, have access to this non-public board. If you’re interested in doing Malware research yourself, then send Melih a PM and ask to join.