orchechik
Level 7

hips rule for dll injection.

Hey ,

So I have been trying for some time now to catch DLL injections using the regular HIPS rules, but it seems I need to use the expert rules.

I tried making a rule using the simple rule builder, but there is no way to check for process imports with it, so I'm forced to use the expert way, and I just have no idea how.

I tried using the Hook functionality, which doesn't seem to work and anyway isn't quite what I'm looking for, so I will go over again what kind of rule I want to create:

A rule to monitor the processes lsass.exe and svchost.exe for DLL imports that are not signed by Windows. Any DLL that is not signed and gets loaded into those processes, I want to detect it.

I think I need the Program type of rule?

any help please?

3 Replies
c14us
Level 7

Re: hips rule for dll injection.

Hi

I borrowed this from the net (PwnDizzle: Custom McAfee HIPS Rules That Actually Work).

It logs DLL injections into IE. I like it a lot.

You can use it as a template for other apps.

Regards

Claus

Rule {
  tag browser_hook
  Class Hook
  Id 4001
  level 3
  attributes -no_trusted_apps
  Executable {
    Include { -path "C:\\PROGRAM FILES (X86)\\INTERNET EXPLORER\\IEXPLORE.EXE" }
            { -path "C:\\PROGRAM FILES\\INTERNET EXPLORER\\IEXPLORE.EXE" }
            { -path "C:\\PROGRAM FILES\\GOOGLE\\CHROME\\APPLICATION\\CHROME.EXE" }
            { -path "C:\\PROGRAM FILES (X86)\\GOOGLE\\CHROME\\APPLICATION\\CHROME.EXE" }
            { -path "C:\\PROGRAM FILES\\MOZILLA FIREFOX\\FIREFOX.EXE" }
            { -path "C:\\PROGRAM FILES (X86)\\MOZILLA FIREFOX\\FIREFOX.EXE" }
  }
  Executable { Exclude { -path "C:\\example\\exclude" } }
  Handler_Module {
    Exclude { -path "C:\\WINDOWS\\SYSTEM32\\DINPUT8.DLL" }
            { -path "C:\\WINDOWS\\SYSTEM32\\MSHTML.DLL" }
            { -path "C:\\WINDOWS\\SYSWOW64\\MSHTML.DLL" }
            { -path "C:\\WINDOWS\\SYSTEM32\\IEFRAME.DLL" }
            { -path "C:\\WINDOWS\\SYSTEM32\\MSCTF.DLL" }
            { -path "C:\\WINDOWS\\SYSTEM32\\EXPLORERFRAME.DLL" }
            { -path "C:\\PROGRAM FILES (X86)\\INTERNET EXPLORER\\IEDVTOOL.DLL" }
            { -path "C:\\WINDOWS\\SYSWOW64\\SHELL32.DLL" }
            { -path "C:\\WINDOWS\\SYSTEM32\\SHELL32.DLL" }
            { -path "C:\\PROGRAM FILES (X86)\\INTERNET EXPLORER\\IEXPLORE.EXE" }
            { -path "C:\\PROGRAM FILES\\MICROSOFT\\INTERNET EXPLORER DEVELOPER TOOLBAR\\IEDEVTOOLBAR.DLL" }
            { -path "C:\\PROGRAM FILES\\GOOGLE\\CHROME\\APPLICATION\\CHROME.EXE" }
            { -path "C:\\PROGRAM FILES (X86)\\INTERNET EXPLORER\\JSDBGUI.DLL" }
  }
  user_name { Include "*" }
  directives hook:set_windows_hook
}

orchechik
Level 7

Re: hips rule for dll injection.

Thanks!

Do you know how I can edit this template to include the Handler Module signer? Can you maybe create the rule?

c14us
Level 7

Re: hips rule for dll injection.

Q: Do you know how I can edit this template to include the Handler Module signer?

A: Sorry, but I would also like to know how to code it. If you figure it out, please post it.

You could try experimenting with things like what they write in the link provided above (it's a very good article):

Rule {
  tag "look for multiple signers/certs with stars in them because we only know pieces"
  Class Program
  Id 5809
  level 3
  Executable { Include { -sdn "*OU=MPR*" } \
                       { -sdn "*OU=MOPR*" }
  }
  directives program:open_with_wait etc...
}

If any signer is required, try to use -sdn "*=*".

Regards

Claus

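While the HIPS signer-based rule is being worked out, the condition the original poster wants to catch (a module loaded into lsass.exe or svchost.exe whose signature is missing, invalid, or not Microsoft's) can be checked directly on a host with PowerShell. This is an added example written for this page, not code from the thread, from McAfee, or from the PwnDizzle article. It assumes an elevated session and that LSA Protection (RunAsPPL) is not enabled; with PPL on, module enumeration of lsass.exe is denied and the script reports that instead. The "O=Microsoft Corporation" subject match used to decide "signed by Windows" is an assumption about the signer subject and should be adjusted to local policy.

```powershell
# Added example (not from the original thread): list DLLs currently loaded into
# lsass.exe and svchost.exe whose Authenticode signature is not Valid or whose
# signer subject is not Microsoft's. Run from an elevated PowerShell.
# Assumption: RunAsPPL is off; if lsass.exe is a protected process, reading its
# module list throws "Access is denied" and an EnumerationFailed row is emitted.

$targetProcesses = @('lsass', 'svchost')
# Assumed subject fragment for "signed by Windows"; tune to your environment.
$trustedSignerPattern = 'O=Microsoft Corporation'

function Get-UntrustedLoadedModule {
    param(
        [string[]] $ProcessNames,
        [string]   $TrustedPattern
    )
    foreach ($name in $ProcessNames) {
        foreach ($proc in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            try {
                # Throws Win32Exception (access denied) for protected processes.
                $modules = $proc.Modules
            } catch {
                [pscustomobject]@{
                    Process   = $proc.ProcessName
                    ProcessId = $proc.Id
                    Module    = $null
                    Status    = 'EnumerationFailed'
                    Signer    = $_.Exception.Message
                }
                continue
            }
            foreach ($mod in $modules) {
                # Get-AuthenticodeSignature also resolves catalog signatures,
                # which is how most Windows system DLLs are signed.
                $sig    = Get-AuthenticodeSignature -FilePath $mod.FileName
                $signer = ''
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                $isTrusted = ($sig.Status -eq 'Valid') -and ($signer -match $TrustedPattern)
                if (-not $isTrusted) {
                    [pscustomobject]@{
                        Process   = $proc.ProcessName
                        ProcessId = $proc.Id
                        Module    = $mod.FileName
                        Status    = $sig.Status
                        Signer    = $signer
                    }
                }
            }
        }
    }
}

$findings = Get-UntrustedLoadedModule -ProcessNames $targetProcesses -TrustedPattern $trustedSignerPattern
if ($findings) {
    $findings | Sort-Object Process, ProcessId, Module | Format-Table -AutoSize
} else {
    Write-Host 'No unsigned or non-Microsoft modules found in the target processes.'
}
```

Anything this reports with Status other than Valid, or with a non-Microsoft signer, is a candidate for the exclusion list (if it is an expected third-party component such as a credential provider or a security agent) or for investigation. Running it periodically is a useful cross-check against whatever HIPS rule is eventually written, since the HIPS rule only sees loads that happen while it is active, whereas this snapshot covers modules that were already loaded.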