Block a DLL (created in Visual Studio) with AppLocker

  • Question

  • Hi all,

    In my organization we want to implement AppLocker to block unauthorized DLLs. So far, I've created a very simple test: I've created an exe file that loads a function stored in a DLL. I created the program using Visual Studio and C#.

    After configuring AppLocker to deny access to the DLLs of my test, to my surprise this doesn't stop my program from loading the function in the DLL. Is there a way to achieve this using AppLocker?

    OS: Windows Server 2012 R2

    My question is similar to this one, which never got a reply:

    https://social.technet.microsoft.com/Forums/en-US/3dbca178-22f1-475f-af2b-44f2473e2454/windows-7-applocker-and-net-dlls?forum=w7itprosecurity

    Update: I've tried to block DLLs for Notepad++ using the same method, and when I start Notepad++ I get a message that says "Can't load the dynamic library". So in fact it's working! I'm guessing that in the first test my code somehow bypasses the AppLocker rules. Can someone explain what to do in the case of .NET developments?

    Regards

    Oliver


    Thursday, April 25, 2019 6:17 PM

All replies

  • Is AppLocker not more of a solution that works with the Windows O/S starting with Win 7? Maybe you should post to a Windows forum concerning the usage of AppLocker.
    Thursday, April 25, 2019 6:56 PM
  • I suggest taking a look at this article:

    http://leastprivilege.blogspot.com/2013/04/bypass-applocker-by-loading-dlls-from.html#!/2013/04/bypass-applocker-by-loading-dlls-from.html

    From its content, apparently AppLocker is only blocking the libraries that are invoked using LoadLibrary. The article explains one of the ways to load a library into memory and then execute it from there, and this bypasses AppLocker.

    In the case of the .NET libraries created in Visual Studio, they do not contain "real" executable code. Instead they contain an intermediate code called MSIL that is converted into executable code at runtime by the JIT compiler, which is a part of the .NET Framework. Therefore, the .NET DLL is not actually loaded by the executable that calls it. Instead, it is treated as data by the JIT compiler, which leaves the results in memory for the caller to invoke. As we saw from the article above, such invocation in memory is not "caught" by AppLocker, and therefore the DLL runs without being blocked.

    Friday, April 26, 2019 7:36 AM
    Moderator
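
A diagnostic for the situation discussed in this thread, as an added example that is not part of any post above: it checks whether the DLL rule collection is actually enforced, what the effective policy decides for one DLL, and whether AppLocker logged an evaluation of that DLL at run time. The path `C:\Test\MyLibrary.dll` and the user `Everyone` are placeholders chosen for illustration.

```powershell
# Added example. $DllPath is a hypothetical placeholder: point it at the DLL
# your deny rule is supposed to cover.
$DllPath = 'C:\Test\MyLibrary.dll'
$User    = 'Everyone'

# 1. AppLocker rules are only applied while the Application Identity service runs.
Get-Service -Name AppIDSvc | Format-List Name, Status, StartType

# 2. Is there a DLL rule collection in the effective policy, and is it enforced?
#    EnforcementMode is one of: NotConfigured, AuditOnly, Enabled.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$dllRules = $policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Dll' }
if (-not $dllRules) {
    Write-Warning 'The effective policy contains no DLL rule collection.'
} else {
    "DLL rule collection enforcement mode: $($dllRules.EnforcementMode)"
}

# 3. What does the effective policy decide for this file and this user?
#    PolicyDecision shows Allowed, Denied or DeniedByDefault; MatchingRule
#    names the rule that produced the decision.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $DllPath -User $User |
    Format-List FilePath, PolicyDecision, MatchingRule

# 4. Did AppLocker evaluate a load of this DLL at run time?
#    8002 = allowed, 8003 = would have been blocked (audit only), 8004 = blocked.
$name = [IO.Path]::GetFileName($DllPath)
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8002, 8003, 8004
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$name*" } |
    Select-Object -First 20 -Property TimeCreated, Id, Message |
    Format-List
```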