Hi,
I am able to modify a solidified dll using Notepad on a Windows XP system.
The version of SolidCore deployed is 6.1.3.392.
The Solidcore log when a dll is modified is shown below.
<FILE_MODIFIED file_name="C:\Program Files\TF\ltif.dll" pid="2952" process_name="C:\WINDOWS\system32\notepad.exe" ppid="4924" parent_process_name="C:\WINDOWS\system32\rundll32.exe" file_type="Unknown" is_system_file="false" user_name="Appox" workflow_id="PKGC_DEFAULT_ALLOW_UNINSTALL: rundll32.exe" />
a) I took a backup of the dll before modifying.
b) I deleted the content of the original dll by opening it in Notepad and saving it.
c) The application depending on this dll crashed when executed.
d) When I tried to replace this modified dll with the backup one, an access denied message was displayed.
Why is modification of the dll allowed, but overwriting it blocked?
Certainly could be a bug, but it sounds more like the difference between rights and rules for the two executables notepad.exe and explorer.exe.
SecurityGeek, how did you invoke notepad.exe from rundll32.exe?