CSA figuring out a system function call from a buffer

Patrick Laidlaw
Level 4

Hello,

I have an event in which system functions are executed from a buffer. I would like to figure out if there is a way to match just that pattern for that function that the software calls or not.

Atypical System Behavior Checks

Access system functions from code executing in data or stack space

Included patterns: ?

Here is the event:

Event Text TESTMODE: The process 'C:\Program Files\Land Desktop 2005\acad.exe' (as user SomeCompany\SomeUser) attempted to access a resource which would have resulted in the user being asked the following question. 'The process C:\Program Files\Land Desktop 2005\acad.exe is attempting to invoke a system function from a buffer. Do you wish to allow this?'

Event Time 2/9/2006 9:26:05 AM

Code ACL_QUERY_RSP_TESTMODE

PInt 407306247

PInt2 178

PString C:\Program Files\Land Desktop 2005\acad.exe

PString2 UID=SomeCompany\SomeUser>QID=424>HID=C:\Program Files\Land Desktop 2005\acad.exe

PString3 The process C:\Program Files\Land Desktop 2005\acad.exe is attempting to invoke a system function from a buffer. Do you wish to allow this?

args(6) LoadLibraryA

time 4761.1 (seconds since boot)

type APICALL

ProcessId 2592

ApiOperation BufferOverflowDetected

Credentials os=win32,T=SomeCompany\SomeUser,t=0105000000000005150000006750B36C5763DF0A3E753C37F1030000,G=SomeCompany\Domain Users,g=0105000000000005150000006750B36C5763DF0A3E753C3701020000

ApiPInt1 1635214387

ApiPString1 10005356 577471ff 7508ff15 40817f61

8bf885ff 7462688c 9e806157 ff156880

ApiPString2 LoadLibraryA

ApiPInt2 1244276

ApiPString3 90fc1200 33647761 10252b01 582bd004

502bd004 10502b01 10502b01 b4fc1200

b25b7761 10252b01 00000000 582bd004

bcfc1200 20262b01 10252b01 51000000

args(4) C:\DOCUME~1\SomeUser\LOCALS~1\Temp\AdskCleanup.0001.dir.0001\~de7039.tmp

ApiPInt3 1635214371

argi(4) 3

FlattenedForm (t-1139509565 n-141048400 z--32400 sm-152 sc-13 dm-1 dc-7 cd-834 p*(i-407306247 i-178 w-C:\Program%20Files\Land%20Desktop%202005\acad.exe w-UID=SomeCompany\SomeUser>QID=424>HID=C:\Program%20Files\Land%20Desktop%202005\acad.exe w-The%20process%20C:\Program%20Files\Land%20Desktop%202005\acad.exe%20is%20attempting%20to%20invoke% 20a%20system%20function%20from%20a%20buffer.%20Do%20you%20wish%20to%20allow%20this? a- a- a-LoadLibraryA a- r*(type-17 time-47611 pnd-83914536 rapi*(pid-2592 op-8 p*(i-1635214387 d-qaWuwDfDX9FDi8Ffaf4FHTi-f-pDIHgJEcyyx9FfObi a-LoadLibraryA i-1244276 d-qYVeamdz3fgeLSsayTc0ea1kqtaeqTsaqa1kbql*saGSBDxyquYkbaaaaaawRanb8YVeaaIjReaeLSsarbaaaa a-C:\DOCUME~1\SomeUser\LOCALS~1\Temp\AdskCleanup.0001.dir.0001\~de7039.tmp i-1635214371 i-3 ) cr-Owin32%00TSomeCompany\SomeUser%00t0105000000000005150000006750B36C5763DF0A3E753C37F1030000%00GSomeCompany\Domain% 20Users%00g0105000000000005150000006750B36C5763DF0A3E753C3701020000%00 ) ) ) )

Thank you to anyone that helps; all posts will be rated regardless of useful content.

Patrick

3 Replies

tsteger1
Level 8

AutoCAD has been notorious for setting off CSA alarms. There was a bug fix published either last year or the year before for AutoCAD Lite because of its behavior, and we had to create exceptions for the network licensing application.

My solution was to add the acad.exe and aclt.exe executables to an application class that is allowed to write into memory owned by other processes and allowed to invoke system functions from code executing in data or stack space as long as the executable resides within the proper directory structure.

This seemed to be the least risky and most comprehensive exception because the patterns varied too much to make specific exceptions.

Hope this helps.

Tom S

Tom,

Thank you for your reply. With a little playing around I created a system API rule that would allow acad.exe to execute system functions from a buffer.

Atypical System Behavior Checks

Access system functions from code executing in data or stack space

Included patterns: *\LoadLibraryA\*

*\VirtualProtect\*

Patrick
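The event in the original post and the two exceptions discussed in the replies (Tom's "trusted only while it lives in its install directory" application class, and Patrick's LoadLibraryA/VirtualProtect patterns) can be turned into a small triage script. The example below is added here; it is not part of the thread and not Cisco or CSA code. It assumes the event is a series of "key value" lines in which the wrapped hex dumps of the ApiPString fields continue the previous field, that PString2 is a list of `name=value` items separated by `>` as in the post, and that the install-directory glob and the allowed function set are the ones the replies describe (adjust both for your own install).

```python
import re
from fnmatch import fnmatchcase

# Constructed sample, trimmed from the CSA event quoted in the post above
# (hex dumps shortened; the two-line ApiPString1 keeps its continuation line).
SAMPLE_EVENT = r"""Code ACL_QUERY_RSP_TESTMODE
PString C:\Program Files\Land Desktop 2005\acad.exe
PString2 UID=SomeCompany\SomeUser>QID=424>HID=C:\Program Files\Land Desktop 2005\acad.exe
args(6) LoadLibraryA
type APICALL
ProcessId 2592
ApiOperation BufferOverflowDetected
ApiPString1 10005356 577471ff 7508ff15 40817f61
8bf885ff 7462688c 9e806157 ff156880
ApiPString2 LoadLibraryA
args(4) C:\DOCUME~1\SomeUser\LOCALS~1\Temp\AdskCleanup.0001.dir.0001\~de7039.tmp
"""

# A line starts a new field when it begins with a CSA-style key: "Event Text",
# an indexed argument such as args(4)/argi(4), or a word such as ApiPString2.
_KEY_RE = re.compile(r"^(Event (?:Text|Time)|arg[is]\(\d+\)|[A-Za-z]+\d?)\s+(.*)$")
# Guard against a hex word that happens to look like a key (e.g. "deadbeef").
_HEX_WORD = re.compile(r"^[0-9a-f]{8}$")


def parse_csa_event(text):
    """Parse the key/value lines of a CSA event into a dict.

    Lines without a leading key (the wrapped hex dumps) are appended to the
    previously seen field.
    """
    fields = {}
    last_key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m and not _HEX_WORD.match(m.group(1)):
            last_key, value = m.group(1), m.group(2).strip()
            fields[last_key] = value
        elif last_key is not None:
            fields[last_key] += " " + line
    return fields


def parse_pstring2(value):
    """Split 'UID=...>QID=...>HID=...' into a dict (assumed '>' separator)."""
    out = {}
    for part in value.split(">"):
        if "=" in part:
            name, val = part.split("=", 1)
            out[name] = val
    return out


# Exception modelled on Tom's reply: the executable only counts as trusted while
# it resides in its install directory (assumed location; '*' also matches
# subdirectories, so tighten the glob if that matters to you).
TRUSTED_EXE_GLOBS = [r"c:\program files\land desktop 2005\*.exe"]
# Functions named in Patrick's "Included patterns".
ALLOWED_FUNCTIONS = {"LoadLibraryA", "VirtualProtect"}


def triage(event):
    """Decide whether a 'system function from a buffer' event fits the exception."""
    process = event.get("PString", "")
    function = event.get("ApiPString2") or event.get("args(6)", "")
    ids = parse_pstring2(event.get("PString2", ""))
    # Windows paths are case-insensitive, so compare lower-cased.
    trusted_path = any(fnmatchcase(process.lower(), g) for g in TRUSTED_EXE_GLOBS)
    allowed_function = function in ALLOWED_FUNCTIONS
    if trusted_path and allowed_function:
        suppressed, reason = True, "trusted executable invoking an allowed function"
    elif not trusted_path:
        suppressed, reason = False, "process outside the trusted directory"
    else:
        suppressed, reason = False, "function not covered by the exception"
    return {
        "process": process,
        "user": ids.get("UID", ""),
        "operation": event.get("ApiOperation", ""),
        "function": function,
        "argument": event.get("args(4)", ""),  # for LoadLibraryA, the module being loaded
        "suppressed": suppressed,
        "reason": reason,
    }


if __name__ == "__main__":
    for key, value in sorted(triage(parse_csa_event(SAMPLE_EVENT)).items()):
        print(f"{key:10} {value}")
```

The `argument` field is worth keeping in whatever you log even for suppressed events: in the posted event it is a temporary file under the user's profile that acad.exe loads with LoadLibraryA, which is exactly the detail you want on record if the same exception ever covers something that is not an AutoCAD cleanup step.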
