3 Replies Latest reply on May 4, 2015 10:27 AM by c14us

    hips rule for dll injection.

    orchechik

      Hey ,

      So I have been trying for some time now to catch DLL injections using the HIPS regular rules, but it seems I need to make them using the expert rules.

      I tried making a rule using the simple rule creation, but there is no way to check for process imports using it. So I'm forced to use the expert way, but I just have no idea how.

      I tried using the Hook functionality, which doesn't seem to work and anyway is not quite what I'm looking for. So I will go over again what kind of rule I want to create:

      A rule to monitor the processes lsass.exe and svchost.exe for DLL imports that are not signed by Windows. Any DLL that is not signed and is loaded into those processes, I want to detect.

      I think I need the Program type of rule?

      Any help please?

        • 1. Re: hips rule for dll injection.
          c14us

          Hi

           

          I borrowed this on the net (PwnDizzle: Custom McAfee HIPS Rules That Actually Work).

          It logs DLL injections into IE. I like it a lot.

          You can use it as a template for other apps.

          Regards

          Claus

          Rule {
            tag browser_hook
            Class Hook
            Id 4001
            level 3
            attributes -no_trusted_apps
            Executable { Include { -path "C:\\PROGRAM FILES (X86)\\INTERNET EXPLORER\\IEXPLORE.EXE" } \
                                 { -path "C:\\PROGRAM FILES\\INTERNET EXPLORER\\IEXPLORE.EXE" } \
                                 { -path "C:\\PROGRAM FILES\\GOOGLE\\CHROME\\APPLICATION\\CHROME.EXE" } \
                                 { -path "C:\\PROGRAM FILES (X86)\\GOOGLE\\CHROME\\APPLICATION\\CHROME.EXE" } \
                                 { -path "C:\\PROGRAM FILES\\MOZILLA FIREFOX\\FIREFOX.EXE" } \
                                 { -path "C:\\PROGRAM FILES (X86)\\MOZILLA FIREFOX\\FIREFOX.EXE" }
            }
            Executable { Exclude { -path "C:\\example\\exclude" } }
            Handler_Module { Exclude { -path "C:\\WINDOWS\\SYSTEM32\\DINPUT8.DLL" } \
                                     { -path "C:\\WINDOWS\\SYSTEM32\\MSHTML.DLL" } \
                                     { -path "C:\\WINDOWS\\SYSWOW64\\MSHTML.DLL" } \
                                     { -path "C:\\WINDOWS\\SYSTEM32\\IEFRAME.DLL" } \
                                     { -path "C:\\WINDOWS\\SYSTEM32\\MSCTF.DLL" } \
                                     { -path "C:\\WINDOWS\\SYSTEM32\\EXPLORERFRAME.DLL" } \
                                     { -path "C:\\PROGRAM FILES (X86)\\INTERNET EXPLORER\\IEDVTOOL.DLL" } \
                                     { -path "C:\\WINDOWS\\SYSWOW64\\SHELL32.DLL" } \
                                     { -path "C:\\WINDOWS\\SYSTEM32\\SHELL32.DLL" } \
                                     { -path "C:\\PROGRAM FILES (X86)\\INTERNET EXPLORER\\IEXPLORE.EXE" } \
                                     { -path "C:\\PROGRAM FILES\\MICROSOFT\\INTERNET EXPLORER DEVELOPER TOOLBAR\\IEDEVTOOLBAR.DLL" } \
                                     { -path "C:\\PROGRAM FILES\\GOOGLE\\CHROME\\APPLICATION\\CHROME.EXE" } \
                                     { -path "C:\\PROGRAM FILES (X86)\\INTERNET EXPLORER\\JSDBGUI.DLL" }
            }
            user_name { Include "*" }
            directives hook:set_windows_hook
          }

          • 2. Re: hips rule for dll injection.
            orchechik

            Thanks!

            Do you know how I can edit this template to include the Handler Module signer? Can you maybe create the rule?

            • 3. Re: hips rule for dll injection.
              c14us

              Q: Do you know how I can edit this template to include the Handler Module signer?

              A: Sorry. But I would also like to know how to code it. If you figure it out, please post it.

              You could try to experiment with things like they write in the link provided above (it's a very good article):

              Rule {
                tag "look for multiple signers/certs with stars in them because we only know pieces"
                Class Program
                Id 5809
                level 3
                Executable { Include { -sdn "*OU=MPR*" } \
                                     { -sdn "*OU=MOPR*" }
                }
                directives program:open_with_wait etc...
              }

               

               

              If any signer is required, try to use -sdn "*=*"

              Regards

              Claus
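The Hook template above needs a Handler_Module exclude list of the DLLs a process legitimately loads, and the original question is about DLLs in lsass.exe and svchost.exe that are not signed by Windows. The following PowerShell check is an added example, not from the thread or the PwnDizzle article: it lists the DLLs currently loaded in those two processes whose Authenticode signature is not valid or whose signer is not Microsoft, which gives a baseline for writing the exclude list. It assumes an elevated PowerShell 5.1 session and that matching "O=Microsoft Corporation" in the signer subject is an acceptable test for a Microsoft signer.

```powershell
# Added example (not the thread's code): report DLLs loaded in lsass.exe /
# svchost.exe that are unsigned, invalidly signed, or not signed by Microsoft.
# Assumptions: elevated PowerShell 5.1; the "O=Microsoft Corporation" subject
# match is a simplification, adjust it to your own signer policy.
$targets = @('lsass', 'svchost')

function Get-NonMicrosoftModules {
    param([string[]]$ProcessNames)
    foreach ($name in $ProcessNames) {
        foreach ($proc in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            try {
                # -Module enumerates the loaded DLLs. A protected process (for example
                # lsass with RunAsPPL) or a 32-bit/64-bit mismatch refuses enumeration;
                # -ErrorAction Stop turns that into a catchable error instead of noise.
                $modules = Get-Process -Id $proc.Id -Module -ErrorAction Stop
            } catch {
                Write-Warning ("{0} (PID {1}): cannot enumerate modules: {2}" -f `
                    $name, $proc.Id, $_.Exception.Message)
                continue
            }
            foreach ($m in $modules) {
                # On PowerShell 5.1 this also honours catalog signatures, which is how
                # most Windows DLLs are signed; older hosts may report those as NotSigned,
                # so review the output rather than treating every hit as an injection.
                $sig = Get-AuthenticodeSignature -FilePath $m.FileName
                $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                $isMicrosoft = $subject -like '*O=Microsoft Corporation*'
                if ($sig.Status -ne 'Valid' -or -not $isMicrosoft) {
                    [pscustomobject]@{
                        Process = $name
                        PID     = $proc.Id
                        Module  = $m.FileName
                        Status  = $sig.Status
                        Signer  = $subject
                    }
                }
            }
        }
    }
}

# Collapse duplicates across the many svchost instances and show the review list
Get-NonMicrosoftModules -ProcessNames $targets |
    Sort-Object Process, Module -Unique |
    Format-Table -AutoSize
```

Anything that shows up here and is expected (a third-party LSA package, a service DLL from another vendor) is a candidate for the rule's Handler_Module exclude list; anything unexpected is worth investigating before the HIPS rule is deployed.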