[BLACKBOX] Addendum: BlackBox.Exe & AppLocker under Windows 7

From: [at]} <Treutwein>
Date: Thu, 10 May 2012 16:16:18 +0200


I was able to reproduce the error. I'm using a German Windows 7, so I'm in
doubt whether I found the correct English names, but I tried hard:

Call gpedit.msc then go to

Console Root->Local Computer Policy
->Computer Configuration
        ->Windows Settings
             ->Security settings
                 ->Application Control Policies
                     ->Applocker
                        ->Executable Rules

Right Click on Executable Rules and select "Create New Rule"

In the Wizard on the "Before You Begin" page click Next
select the radio button: "Allow" and click Next
select the radio button: "File Hash" and click Next
then browse to BlackBox.Exe
and you immediately get a message box which says

that it "ist keine zulässige Win32-Anwendung. (Ausnahme von HRESULT:
0x800700C1)" which I translate to
"is not a valid Win32-Application (Exception of HRESULT: 0x800700C1)"

I'm starting to dig into the "Microsoft PE and COFF Specification"
http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx to find out
if there is a new flag or word necessary for forcing the loader or PE-Loader
to recognize a valid Win32 application.

Regards & thanks in advance for any hints
--
   Bernhard
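Since the post ends on the PE/COFF question, here is a small added example (my own code, not Bernhard's and not part of the BlackBox project) that performs the header sanity checks the Windows loader makes before it accepts a file as a Win32 image, and that decodes the HRESULT: 0x800700C1 is HRESULT_FROM_WIN32(193), i.e. ERROR_BAD_EXE_FORMAT, the same condition behind the "is not a valid Win32 application" message. It is the kind of triage a defender runs when an allow-listing tool such as AppLocker refuses to hash a binary. The PE header it checks is constructed inline by the `build_sample_pe` helper (an assumption of this example, not a real BlackBox.Exe); the layout constants come from the PE/COFF specification.

```python
import struct
import sys

# Layout constants from the Microsoft PE/COFF specification.
IMAGE_DOS_SIGNATURE = 0x5A4D          # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550       # 'PE\0\0'
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # set only on linked images, never on .obj files
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64", 0x01C0: "ARM", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEM_NAMES = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
ERROR_BAD_EXE_FORMAT = 193            # 0xC1: "%1 is not a valid Win32 application"


def hresult_to_win32(hresult):
    """Unpack a FACILITY_WIN32 HRESULT (0x8007xxxx) into its Win32 error code."""
    if hresult & 0x80000000 and ((hresult >> 16) & 0x7FF) == 7:
        return hresult & 0xFFFF
    return None  # not a wrapped Win32 error


def inspect_pe(data):
    """Check the headers the loader validates before treating a file as a Win32 image.
    Returns (ok, findings); ok is False on any problem that makes the file unloadable."""
    findings = []
    if len(data) < 0x40:
        return False, ["shorter than IMAGE_DOS_HEADER (64 bytes)"]
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return False, ["no 'MZ' signature: not a DOS/PE executable at all"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        return False, [f"e_lfanew=0x{e_lfanew:X} points past end of file"]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return False, [f"no 'PE\\0\\0' at e_lfanew=0x{e_lfanew:X}: DOS-only or NE/LE image"]
    # IMAGE_FILE_HEADER: 20 bytes right after the signature.
    machine, nsections, _ts, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    ok = True
    findings.append(f"machine=0x{machine:X} ({MACHINE_NAMES.get(machine, 'unknown')})")
    if machine not in MACHINE_NAMES:
        ok = False
        findings.append("unknown machine type")
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        ok = False
        findings.append("IMAGE_FILE_EXECUTABLE_IMAGE not set: object or unlinked file")
    if characteristics & IMAGE_FILE_DLL:
        findings.append("IMAGE_FILE_DLL set: this is a DLL, not an .exe")
    if nsections == 0:
        ok = False
        findings.append("zero sections")
    opt = e_lfanew + 24
    if opt_size < 2 or opt + opt_size > len(data):
        return False, findings + ["optional header missing or truncated"]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in OPTIONAL_MAGIC:
        return False, findings + [f"optional header magic 0x{magic:X} is neither PE32 nor PE32+"]
    findings.append(OPTIONAL_MAGIC[magic])
    if opt_size >= 70:  # Subsystem sits at offset 68 in both PE32 and PE32+
        subsystem = struct.unpack_from("<H", data, opt + 68)[0]
        findings.append(f"subsystem={subsystem} ({SUBSYSTEM_NAMES.get(subsystem, 'other')})")
    return ok, findings


def build_sample_pe(machine=0x014C, magic=0x10B, subsystem=3,
                    characteristics=IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100, nsections=1):
    """Constructed minimal PE header (headers only, no code) used as sample input."""
    opt_size = 224 if magic == 0x10B else 240
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Usage: python pecheck.py <file.exe>; without an argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    ok, findings = inspect_pe(data)
    print("OK" if ok else "NOT A VALID WIN32 IMAGE")
    for line in findings:
        print("  -", line)
    print("0x800700C1 ->", hresult_to_win32(0x800700C1), "(ERROR_BAD_EXE_FORMAT)")
```

Run it against the executable the wizard rejects: a missing PE signature, an optional-header magic other than 0x10B/0x20B, or a cleared IMAGE_FILE_EXECUTABLE_IMAGE bit are the header faults that produce ERROR_BAD_EXE_FORMAT, and any one of them is a reason an allow-listing tool should decline to hash the file.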
Received on Thu May 10 2012 - 16:16:18 UTC

This archive was generated by hypermail 2.3.0 : Thu Sep 26 2013 - 06:30:03 UTC