Level 7

SolidCore DLL unauthorized modification issue


I am able to modify a solidified dll using Notepad on a Windows XP system.

The version of SolidCore deployed is

Solidcore log when a dll is modified is shown below.

<FILE_MODIFIED  file_name="C:\Program Files\TF\ltif.dll" pid="2952" process_name="C:\WINDOWS\system32\notepad.exe" ppid="4924" parent_process_name="C:\WINDOWS\system32\rundll32.exe"  file_type="Unknown" is_system_file="false" user_name="Appox" workflow_id="PKGC_DEFAULT_ALLOW_UNINSTALL:  rundll32.exe" />

a) I took a backup of the dll before modifying.

b) I deleted the content of the original dll by opening it in Notepad and saved it.

c) The application depending on this dll crashed when executed.

d) When I tried to replace this modified dll with the backup one, an access denied message was displayed.

Why is modification of the dll allowed, but overwriting it blocked?

2 Replies
Level 7

Re: SolidCore DLL unauthorized modification issue

Certainly could be a bug, but it sounds more like the difference between rights and rules for the two executables notepad.exe and explorer.exe.

Level 12

Re: SolidCore DLL unauthorized modification issue

SecurityGeek, how did you invoke notepad.exe from rundll32.exe?
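
For triaging events like the FILE_MODIFIED line in the original post, the following is an added example, not part of the thread and not vendor code. It parses such event lines and flags binary modifications where the writing process is not the process named in `workflow_id` but its parent is. The attribute layout is taken from that one log line; reading the text after the colon in `workflow_id` as a process name, and the extension list, are assumptions.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Event line copied from the original post; the only sample the thread provides.
SAMPLE_LOG = r'''<FILE_MODIFIED  file_name="C:\Program Files\TF\ltif.dll" pid="2952" process_name="C:\WINDOWS\system32\notepad.exe" ppid="4924" parent_process_name="C:\WINDOWS\system32\rundll32.exe"  file_type="Unknown" is_system_file="false" user_name="Appox" workflow_id="PKGC_DEFAULT_ALLOW_UNINSTALL:  rundll32.exe" />'''

EVENT_RE = re.compile(r'<(?P<event>[A-Z_]+)\s+(?P<attrs>.*?)/>')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
BINARY_EXTS = ('.dll', '.exe', '.sys', '.ocx')  # assumed extensions of interest


def parse_events(text):
    """Yield one dict of attributes per event element found in text."""
    for match in EVENT_RE.finditer(text):
        fields = dict(ATTR_RE.findall(match.group('attrs')))
        fields['event'] = match.group('event')
        yield fields


def triage(fields):
    """Summarise a FILE_MODIFIED event on a binary, or return None."""
    target = fields.get('file_name', '')
    if fields.get('event') != 'FILE_MODIFIED':
        return None
    if not target.lower().endswith(BINARY_EXTS):
        return None
    writer = basename(fields.get('process_name', '')).lower()
    parent = basename(fields.get('parent_process_name', '')).lower()
    # Assumption: "<rule>: <process>" layout, inferred from the sample line.
    rule, _, rule_proc = fields.get('workflow_id', '').partition(':')
    rule_proc = rule_proc.strip().lower()
    return {
        'file': target,
        'writer': writer,
        'parent': parent,
        'user': fields.get('user_name', ''),
        'rule': rule.strip(),
        # True when the write is attributed to the parent's workflow,
        # not to the process that actually touched the file.
        'attributed_to_parent': bool(rule_proc) and rule_proc == parent
                                and rule_proc != writer,
    }


if __name__ == '__main__':
    for event in parse_events(SAMPLE_LOG):
        print(triage(event))
```

For the posted event this reports notepad.exe as the writer with the change attributed to the rundll32.exe workflow, which is the process relationship the last reply asks about.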

