BOWall Functioning Description
At the beginning of work it is offered to enter the working directory (Search directory), in which are DLLs. By default %systemroot%\system32 gets out. Further it is necessary to choose "Find DLLs" then the search and analysis DLL in the specified directory will be made. As a result of the given operation two lists will be generated: Vulnerable DLL to protect and DLL to block calls. The first list corresponds to protection by the first method (vulnerable functions monitoring). The second list is for method of an obstacle of dynamic libraries functions execution.
At this stage the opportunity is given to choose what DLL should be modified. After that on "Protect DLLs" or "Block DLL calls" the updating specified DLL is carried out. The results of this process, as well as all others, are displayed in a window "Protecting Result".
Upon termination of updating the appropriate message will be showed. Under updating original DLL do not change, but is created their updated copy. Modified DLLs get the following names:new _ [original _ name] in the sane directory.
For replacement original DLL to updated DLL it is necessary to execute the following:
1) Make a backup copy original DLL and rename them
for example: ren [original _ name] orig _ [original _ name]
2) Rename modified DLL: ren new _ [original _ name] [original _ name]
3) Reboot system
To test protection of the first method start the program which is included in the given archive:
Botest.exe < big _ string >
big _ string - string which causes buffer overflow by a call strcpy from MSVCRT.DLL.
With input of a string about up to 15 symbols the local variable frame base pointer isn't rewritten and botest gives out: "without overflow". With input of a string by the size more than 15 symbols there is a change of frame base pointer and the protection detects overflow. It termite a process by call of the privileged instruction, what shows a system error window:
Note, that anyone DLL can be successfully updated, including system: KERNEL32. DLL, NTDLL.DLL etc.
Cases of failures and incorrect work as a result of testing is not occurred. Only for protection with an obstacle of execution of dynamic libraries functions don't work self modified program that however isn't a error but follows from base of functioning of the given protection method.
Now there is a work above the following version where is implemented an opportunity to modify not only exported functions DLL but also statically linked vulnerable functions of standard Windows NT compilers libraries.
I'll be grateful for any comments to protection work and offers to improvements. It's planned to be distributed freely. I'll publish detailed algorithms description and sources at near future.