Addendum: BlackBox.Exe & AppLocker under Windows 7

From: null <">
Date: Thu, 10 May 2012 14:16:18 +0000


I was able to reproduce the error. I'm using a German Windows 7, so I'm in doubt whether I was able to find the correct English terms, but I tried hard:

Call gpedit.msc then go to

Console Root->Local Computer Policy
    ->Computer Configuration
        ->Windows Settings
            ->Security Settings
                ->Application Control Policies
                    ->AppLocker
                        ->Executable Rules

Right-click on Executable Rules and select "Create New Rule"

In the Wizard on the "Before You Begin" page click Next
select the radio button: "Allow" and click Next
select the radio button: "File Hash" and click Next
then browse to BlackBox.Exe
and you immediately get a message box which says:

that it "ist keine zulässige Win32-Anwendung. (Ausnahme von HRESULT: 0x800700C1)" which I translate to
"is not a valid Win32-Application (Exception of HRESULT: 0x800700C1)"

I'm starting to dig into the "Microsoft PE and COFF Specification" http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx to find out whether there is a new flag or word necessary for forcing the loader or PE loader to recognize a valid Win32.

Regards & thanks in advance for any hints
--
   Bernhard
Received on Thu May 10 2012 - 16:16:18 UTC
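
Added example, not part of the original message and not BlackBox code: HRESULT 0x800700C1 is Win32 error 193 (ERROR_BAD_EXE_FORMAT), so one way to narrow the report down is to check the file's headers against the fixed layout in the PE/COFF specification. The function name, the selection of checks and the constructed sample image are assumptions made here; the message does not say which field the wizard rejected.

```python
import struct

def pe_header_problems(data: bytes) -> list:
    """Return PE/COFF header inconsistencies found in data (empty list = none found)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["missing MZ DOS header"]
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["e_lfanew does not point at a PE signature"]
    # COFF file header: 20 bytes directly after the 4-byte signature
    _mach, nsect, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    problems = []
    if not chars & 0x0002:
        problems.append("IMAGE_FILE_EXECUTABLE_IMAGE not set in Characteristics")
    if opt + opt_size > len(data) or opt_size < 2:
        return problems + ["optional header truncated"]
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        return problems + ["optional header magic 0x%04X is neither PE32 nor PE32+" % magic]
    fixed = 96 if magic == 0x10B else 112   # bytes before the data directories
    if opt_size < fixed:
        return problems + ["SizeOfOptionalHeader smaller than the fixed fields"]
    (ndirs,) = struct.unpack_from("<I", data, opt + fixed - 4)
    if fixed + 8 * ndirs > opt_size:
        problems.append("SizeOfOptionalHeader too small for NumberOfRvaAndSizes")
    elif ndirs > 4:                         # directory 4: certificate table (a file offset)
        cert_off, cert_len = struct.unpack_from("<II", data, opt + fixed + 32)
        if cert_off + cert_len > len(data):
            problems.append("certificate table lies outside the file")
    for i in range(nsect):                  # 40-byte section headers follow the optional header
        hdr = opt + opt_size + 40 * i
        if hdr + 40 > len(data):
            problems.append("section table truncated")
            break
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_ptr + raw_size > len(data):
            problems.append("section %d raw data lies outside the file" % i)
    return problems

def build_sample(opt_magic=0x10B, characteristics=0x0102):
    """Constructed minimal PE32 image: headers, one .text section, 512 bytes of raw data."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)
    optional = struct.pack("<H", opt_magic) + bytes(90) + struct.pack("<I", 16) + bytes(128)
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", 512, 0x1000, 512, 0x200) + bytes(16)
    headers = dos + b"PE\0\0" + coff + optional + section
    return headers.ljust(0x200, b"\0") + bytes(512)
```

To check a real file, pass its bytes: `pe_header_problems(open(path, "rb").read())`.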

This archive was generated by hypermail 2.3.0 : Thu Sep 26 2013 - 06:30:03 UTC