BOWall
Buffer Overflow
How to use
At the beginning you should choose a working directory (by default %systemroot%\system32),
then start the search by pressing "Find DLLs". As a result two lists are generated:
'Vulnerable DLL to protect' and 'DLL to block calls'. The first list corresponds to the first
protection method (monitoring of vulnerable functions). The second list is for the method that
prevents execution of dynamic library functions.

At this stage you may choose which DLLs should be patched by setting check boxes in the
"Protect DLLs" and "Block DLL calls" tabs, then start the patching via 'Protection/Protect DLLs'.
The progress is indicated in "Protecting Result".
Upon completion of the patch an appropriate message is shown.
During the patch the original DLLs are not changed; updated copies are created instead.
Patched DLLs are placed in the same directory and get the following names:
new_[original_name].
To replace the original DLL with the patched DLL follow these steps:
1) Make a backup copy of the original DLL by renaming it,
e.g.: ren [original_name] orig_[original_name]
2) Rename the patched DLL: ren new_[original_name] [original_name]
3) Reboot the system
The BOWall package contains a sample to test the protection of the first method:
botest.exe <big_string>
big_string - a string which causes a buffer overflow via a call to MSVCRT.DLL!strcpy.
With an input string of up to 15 symbols the frame base pointer saved next to the
local variable is not overwritten and botest prints: "without overflow".
With an input string longer than 15 symbols the frame base pointer is
overwritten. The BOWall patch detects the overflow and terminates the affected process.
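A guarded strcpy of the kind the first protection method enforces, written in C as an added illustration (this is not code from the BOWall package); the 16-byte buffer size is an assumption derived from the 15-symbol threshold quoted above, and botest_check only models the sample's decision, not its crash.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer the sample copies into: 15 characters
   plus the terminating NUL fit; a 16th character would spill into the
   adjacent stack data (the saved frame pointer in the README's sample). */
#define BOTEST_BUF 16

/* Guarded replacement for strcpy: copies and returns 0 only when src and
   its NUL fit in dst_size bytes; otherwise returns -1 and writes nothing.
   This is the check a function-monitoring patch performs before it lets
   the real strcpy run. src is scanned at most dst_size bytes, so an
   unterminated source never causes an over-read here. */
int guarded_strcpy(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)      /* no room left for the NUL: would overflow */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Mirrors the sample's decision: returns 1 when the copy is safe
   ("without overflow"), 0 when strcpy would have overrun the buffer.
   A real monitor would terminate the process in the 0 case. */
int botest_check(const char *input)
{
    char local[BOTEST_BUF];
    if (guarded_strcpy(local, sizeof local, input) != 0) {
        fprintf(stderr, "overflow detected: input exceeds %d bytes\n",
                BOTEST_BUF - 1);
        return 0;
    }
    printf("without overflow (%s)\n", local);
    return 1;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "";
    return botest_check(arg) ? 0 : 1;
}
```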

Note that any DLL can be successfully patched, including KERNEL32.DLL, NTDLL.DLL, etc.,
but you have to disable Windows File Protection first (see Microsoft KB222473).