Thanks for correcting me - I've never actually used it, however since it contains a HIPS module I assumed it would've included something like this.
thanks.Thanks for correcting me - I've never actually used it, however since it contains a HIPS module I assumed it would've included something like this.
Regardless, Emsisoft Anti-Malware/Internet Security definitely has protection against DLL injection.
If you're referring to the prevention of DLLs being loaded if they are malicious then it will depend on if the DLL is detected by the real-time scanner (so when DLLs are being loaded by programs they should be scanned by the product and if they are found to be classified as malicious then the module will be blocked from being loaded into the memory of the target process attempting to load the DLL).
I must admit that I lack a proper understanding of DLL attacks, but I have read about attacks that utilize a script or a exploit to download malicious DLLs. If they are new, the antivirus won't detect them.If you're referring to the prevention of DLLs being loaded if they are malicious then it will depend on if the DLL is detected by the real-time scanner (so when DLLs are being loaded by programs they should be scanned by the product and if they are found to be classified as malicious then the module will be blocked from being loaded into the memory of the target process attempting to load the DLL).
However, if you're referring to preventing a DLL being loaded which has been hijacked (e.g. system DLL which is vulnerable and thus malware has successfully patched it so it executes malicious code when it's loaded by a process and then jumps to the original code), it really depends on the situation and the product - and I am unaware on specific software which support mechanisms for attempting to detect this behaviour.
Without that being said, Emsisoft Anti-Malware does support protecting against "patching" of other programs. Although, I am unaware if this feature supports protection against DLL hijacking attempts (e.g. replacing a DLL with another one with the same file-name to trick software into loading the rogue copy and executing the malicious code). The chances that it does include protection against DLL hijacking to an extent are high though.
Hopefully I didn't misunderstand you again...
The AV will usually be aware of the DLL being loaded by a program into it's address space (memory) however depending on various factors it may not be able to identify the DLL as being malicious (containing malicious code).
I noticed that Kaspersky, when you enable TAM, seems to apply a sort of whitelisting approach to DLLs. I am not sure exactly how the system works, but it sure blocks a lot of DLLs for me, when the app is not on the KSN whitelist.The AV will usually be aware of the DLL being loaded by a program into it's address space (memory) however depending on various factors it may not be able to identify the DLL as being malicious (containing malicious code).
Most AV products will be alerted of programs loading a DLL through a kernel-mode callback known as PsSetLoadImageNotifyRoutine: PsSetLoadImageNotifyRoutine routine (Windows Drivers) - they get a notification (the callback function becomes invoked) when an image is loaded/mapped into memory (therefore including DLLs being loaded by processes).
The security product will (or should) be alerted that a DLL is being loaded/mapped into memory. Afterwards, it will utilise it's detection methods against the DLL file - if the DLL is detected to be malicious then it'll be cleaned off the system. Of course, no security product can detect 100% malware and therefore if the checksum detection/heuristics (or any other detection methods it may incorporate) don't pick-up a detection for the DLL, then it'll bypass the detection and will be loaded to execute it's malicious code.
Without that being said, if your AV product supports behavioural zero-day components such as dynamic heuristics/BB/HIPS modules, they should still remain active for any code being executed by the newly loaded DLL - unless the code being executed uses a trick/method to bypass the AV monitoring (preventing the AV from restricting access/controlling execution flow for specific actions).
Not sure if I misunderstood you again but hopefully not!
and what is done with the payload dll? Is a legit program forced to load it?
Malware can load the payload dll into the same process, and then without “spawning” (slang, it means to be born again in an area after having died!) another process, which is very useful to avoid Whitelist of security applications, to bypass some HIPS and some antivirus that support, in bad way, the memory scan, especially if the process is authorized, signed, and only in a second time the dll is loaded inside it.
does the payload dll get placed in a suspicious location, so that a good BB will block it from being loaded?
Everything is possible, but if the malware uses specific evasion techniques such as I said above, it is unlikely.
Often the dll downloaded isn't seen as dll : the script deobfuscate it before, once saved on the HD, and rundll32.exe is used to run the dll, with as parameter the function to call
so it sounds like dll attacks can be pretty tricky.
