Hi Jeff, > I don't believe a PE/PE+ executable needs a DLL extension to > be loaded by LoadLibrary and friends.
True, any file can be loaded this way, but our pretty extensive experimenting showed extremely few cases where legitimate applications (in this case mostly installers) loaded anything other than <something>.dll. The operating assumption here is that the initial executable (installer) is friendly but whatever it loads with LoadLibrary* can be potentially malicious. The attacker can therefore not choose which file the initial executable will load with LoadLibrary* but must plant a file that the executable is already set to load. > Perhaps a scanning/cleansing tool would be helpful. Certainly. In the mean time, "del Downloads\*" is a free and efficient superset of that ;-) Cheers, Mitja _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
