c++ / delphi package - dll injection and api hooking
zonelink
Posts: 1 Joined: Wed Mar 11, 2009 10:19 am
by zonelink » Wed Mar 11, 2009 10:27 am
Some of our customers are experiencing problems with Norton Internet Security during injection into svchost.exe.
NIS claims that "Generic Host Process for Win32 Services" is trying to access the internet with the help of one or more unknown modules:
Program: svchost.exe
Modul : themedll.dll
Remote Address: 239.255.255.250:1900
Local Address: 127.0.0.1:1031
Protocol: UDP
themedll.dll is our injection library, which hooks some system API calls but does not contain any internet access methods.
This sounds like interprocess communication that is detected by NIS.
What could this be? And how to avoid it?
Davita
Posts: 163 Joined: Tue Sep 13, 2005 7:31 pm
by Davita » Wed Mar 11, 2009 7:56 pm
Probably you should report your DLL to Norton for analysis, I think.
iconic
Site Admin
Posts: 1066 Joined: Wed Jun 08, 2005 5:08 am
by iconic » Thu Mar 12, 2009 1:37 am
Are you doing any socket work in your injected DLL, like bind to loopback on UDP port 1031?
--Iconic
Nico Bendlin
Posts: 46 Joined: Fri Apr 28, 2006 1:17 pm
by Nico Bendlin » Thu Mar 12, 2009 9:27 am
Looks like one of the hosted services broadcasts/sends UPnP messages (search for "Simple Service Discovery Protocol" (SSDP)) and the stack walk includes your (not white-listed) module...
...there is not much you can do here, besides telling the user that your module can be trusted.
(You might digitally sign your library (class 3 certificate) and ask Norton to add your modules to the white list.)
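To see for yourself whether the injected DLL really sits on the call stack of the intercepted network call, as Nico describes, here is an added diagnostic in Delphi (it is not code from this thread or from the hooking package). It captures the current stack and maps each return address to its owning module, which is the same attribution idea a host firewall applies when it reports "unknown modules"; it assumes Windows XP SP1 / Server 2003 or later, and declares the two kernel32 imports itself because older Delphi versions do not.

```delphi
unit StackModules;

interface

uses
  Windows, SysUtils;

// Returns one line per captured frame: "<return address> <module path>".
// Call it from inside a hook callback and write the result to a log file.
function DescribeCallStack(FramesToSkip: Integer = 0): string;

implementation

const
  GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT = $00000002;
  GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS       = $00000004;

// Assumption: both exports exist on the target OS (XP SP1 / 2003 and later).
function RtlCaptureStackBackTrace(FramesToSkip, FramesToCapture: ULONG;
  BackTrace: Pointer; BackTraceHash: PULONG): Word; stdcall;
  external kernel32 name 'RtlCaptureStackBackTrace';

function GetModuleHandleExW(dwFlags: DWORD; lpModuleName: PWideChar;
  var phModule: HMODULE): BOOL; stdcall;
  external kernel32 name 'GetModuleHandleExW';

// Maps a code address to the full path of the module that contains it.
function ModuleForAddress(Addr: Pointer): string;
var
  hMod: HMODULE;
  Buf: array[0..MAX_PATH] of WideChar;
begin
  Result := '<unknown>';
  // FROM_ADDRESS makes lpModuleName an address inside the module;
  // UNCHANGED_REFCOUNT avoids bumping the DLL's load count.
  if GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS or
       GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, PWideChar(Addr), hMod) then
    if GetModuleFileNameW(hMod, Buf, Length(Buf)) > 0 then
      Result := WideCharToString(Buf);
end;

function DescribeCallStack(FramesToSkip: Integer): string;
var
  Frames: array[0..31] of Pointer;  // XP/2003: FramesToSkip + FramesToCapture < 63
  Count, i: Integer;
begin
  Result := '';
  Count := RtlCaptureStackBackTrace(FramesToSkip, Length(Frames), @Frames, nil);
  for i := 0 to Count - 1 do
    Result := Result + Format('%p %s'#13#10, [Frames[i], ModuleForAddress(Frames[i])]);
end;

end.
```

If your DLL's path appears in the output for a sendto/WSASendTo hook, that is exactly what the firewall's stack walk sees, and signing plus white-listing, as suggested above, is the practical remedy.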