How to allow use of SetWindowsHookEx() and WriteProcessMemory() to inject DLLs into an application?

On a commercial cloud server, I want to use two methods in my application to inject two DLLs into the address space of a second application.

The two methods are C++ calls to SetWindowsHookEx() and WriteProcessMemory() in my application.

What instructions do I give tech support at the cloud vendor, to set up Sophos, so that my DLL injections are not blocked by Sophos?

Thanks, Pete 



  • Do you know what mitigation this is alerted as? LoadLibrary? Have you confirmed there is a "detection" for this? If you create a trial of Sophos Central, install to a computer, run your app, if you get a detection, the details will be in the Application event log (event ID 911) and the same details will be shown in Central in the details view. From there you can authorize it in various ways.
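    A quick way to pull the event ID 911 entries the reply points to, so the detection details can be read off the endpoint before deciding on an exclusion. This is an added PowerShell example, not code from the thread or from Sophos documentation; it assumes only the log name and event ID stated above and deliberately does not filter on a provider name, since the thread does not give one.

    ```powershell
    # Added example (not from the thread): list recent event ID 911 entries from the
    # Windows Application log, where the reply above says Sophos exploit-mitigation
    # detection details are written. Provider name is not filtered because the
    # thread does not state it; inspect ProviderName in the output instead.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 911 } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Host 'No event ID 911 entries found in the Application log.'
        return
    }

    $events | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Provider = $_.ProviderName
            # Message carries the detection details that the reply says also appear in Central
            Message  = $_.Message
        }
    } | Format-List
    ```

    Run it in an elevated PowerShell session on the test machine after exercising the application; the Message field is what you compare against the details view in Central when choosing between a thumbprint exclusion and a path-based one.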

  • Thanks for your input.

    I assume that Sophos is blocking the injection of DLLs, attempted by any of the three common Windows methods.

    Please describe the method(s) of authorization, so that I can pass instructions to the tech staff at the cloud vendor.

  • You're probably better off testing this yourself end to end to see the workflows as it really depends on if and how the application is detected. There is a chance the different load module mitigations may fire differently if it's LoadLibrary calls, reflective DLL injection, etc.

    It only takes a minute to create a Central account which is fully featured for 30 days at central.sophos.com. To protect a computer takes about 10 minutes. So in 15 mins you should be able to run your application and see what is detected and how you may want to document how your customer should exclude it.

    For example, you can create a global exclusion:
    https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/tasks/ScanningExclusions.html

    • Detected Exploits (Windows and Mac)

    This method sends down a thumbprint to the endpoint to whitelist the detection based on the client making the detection.

    There is also file path as per:
    https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/tasks/ExploitExclusions.html

    for more pro-active exclusions but then this excludes the process from all mitigations which may be more than you would want to recommend as the thumbprint is more specific.

    It's a little more involved than say typical process/file exclusions for on-access/demand AV scanning where an exclusion is more generic.

    I think it's worth seeing how your application behaves when exploit mitigation is running as different types of applications have different mitigations applied to them. So depending on the process being injected into you might get different mitigation alerts.

    Hope it helps.

    Regards,
    Jak
