Addendum: BlackBox.Exe & AppLocker under Windows 7

From: null <">
Date: Thu, 10 May 2012 13:59:25 +0000

I was able to reproduce the error. I'm not sure if I can translate the German names to the correct English ones, but I'll try:

Call gpedit.msc, then go to

Console Root->Local Computer Policy
    ->Computer Configuration
        ->Windows Settings
            ->Security Settings
                ->Application Control Policies
                    ->AppLocker
                        ->Executable Rules

Right-click on Executable Rules and select "Create New Rule"

In the Wizard, on the "Before You Begin" page, click Next
then Radio Button: Allow and click Next
then Radio Button: File Hash and click Next
then browse to the BlackBox.Exe

and you immediately get a message box which says:

that it "ist keine zulässige Win32-Anwendung. (Ausnahme von HRESULT: 0x800700C1)" which I translate to
"is not a valid Win32-Application (Exception of HRESULT: 0x800700C1)"

I'm starting to dig into the "Microsoft PE and COFF Specification" http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx to find out if there is a new flag or word necessary for forcing the loader or PE-Loader to recognize a valid Win32.

Regards & thanks in advance for any hints
--
   Bernhard
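
An added example, not part of the original message: a structural check of the header fields defined in the PE/COFF specification the message refers to, for triaging a file that a tool rejects with 0x800700C1 (Win32 error 193, ERROR_BAD_EXE_FORMAT). Which of these fields the AppLocker wizard actually validates is not stated in the message; the function names and the sample image are constructed for illustration.

```python
import struct

def pe_findings(data: bytes) -> list:
    """Return structural inconsistencies in a PE image; an empty list means none found."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["no MZ DOS header"]
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # file offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return [f"e_lfanew=0x{e_lfanew:x} does not point at a PE signature"]
    # COFF file header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 2 or opt + opt_size > len(data):
        return ["optional header missing or truncated"]
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)                 # PE32 / PE32+ data-directory offset
    if dirs is None:
        return [f"optional header magic 0x{magic:x} is not PE32 or PE32+"]
    findings = []
    if opt_size < dirs:
        findings.append("SizeOfOptionalHeader shorter than the fixed fields")
    else:
        (ndirs,) = struct.unpack_from("<I", data, opt + dirs - 4)   # NumberOfRvaAndSizes
        if dirs + 8 * ndirs > opt_size:
            findings.append("data directories overrun SizeOfOptionalHeader")
    for i in range(nsect):                                    # 40-byte section headers
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            findings.append(f"section header {i} lies outside the file")
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        if raw_size and raw_ptr + raw_size > len(data):
            findings.append(f"section {name!r} raw data ends past end of file")
    return findings

def build_sample(file_pad: int = 0x200) -> bytes:
    """Constructed minimal PE32 image with one .text section (sample input only)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16) + bytes(128)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0") + bytes(file_pad)

if __name__ == "__main__":
    print(pe_findings(build_sample()))          # intact constructed sample
    print(pe_findings(build_sample(0x100)))     # same image truncated inside .text
```

To examine a real file, pass its bytes instead of the constructed sample, e.g. `pe_findings(open(path, "rb").read())`.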
Received on Thu May 10 2012 - 15:59:25 UTC

This archive was generated by hypermail 2.3.0 : Thu Sep 26 2013 - 06:30:03 UTC