What are the Antimalware Protected Process Light (AM-PPL) dll loading requirements?

Time:02-16

According to https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services- "any non-Windows DLLs that get loaded into the protected process must be signed with an appropriate certificate."

What are the conditions for a DLL to be considered "non-Windows"? In other words, what is a "Windows" DLL?

I know for a fact that msmpeng.exe, an AM-PPL process, will load C:\Windows\System32\slc.dll, an unsigned DLL. Why is that permitted?

Any information is appreciated.

Thanks!

CodePudding user response:

A Windows DLL is a DLL shipped with Windows and signed by a chain that Microsoft defines as Windows. The leaf certificate is typically named something along the lines of "Microsoft Windows". This is different from a file shipped with MS Office etc. I can't rule out there being a file list involved somehow as well. I believe some Windows components like rundll32.exe and other host components are not fully trusted in all scenarios because they load external code.

slc.dll, like 99.999% of PE files shipped with Windows today, is signed. It is catalog signed, not with an embedded certificate. Use SigCheck to verify.
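As an added example (this is not code from the original question or answer), the following PowerShell script performs the check the answer describes: for each file it reports whether the signature is embedded (Authenticode), catalog-based, or absent, and prints the leaf and root certificate subjects so you can see whether the chain is the "Microsoft Windows" one the answer refers to. It assumes Windows 8 or later (where Get-AuthenticodeSignature consults the catalog database) and, for the optional cross-check, that the Sysinternals sigcheck.exe is on PATH; the file list is illustrative.

```powershell
# Added example: classify how a DLL is signed and show its certificate chain.
# Not part of the original page. Assumptions: Windows 8+ for catalog lookups,
# and sigcheck.exe (Sysinternals) on PATH for the optional cross-check.

$files = @(
    "$env:SystemRoot\System32\slc.dll",      # the DLL from the question
    "$env:SystemRoot\System32\kernel32.dll"  # a second Windows DLL for comparison
)

function Get-SigningInfo {
    param([string]$Path)

    # Get-AuthenticodeSignature checks the embedded signature first and then
    # falls back to the catalog database, so catalog-signed files do not show
    # up as unsigned here (unlike a plain look at the PE's certificate table).
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $leaf = $null; $root = $null
    if ($sig.SignerCertificate) {
        $leaf = $sig.SignerCertificate.Subject

        # Build the chain to find the root the leaf actually chains to.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chain.Build($sig.SignerCertificate)
        $last = $chain.ChainElements.Count - 1
        $root = $chain.ChainElements[$last].Certificate.Subject
    }

    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        SignatureType = $sig.SignatureType   # Authenticode (embedded), Catalog, or None
        Leaf          = $leaf
        Root          = $root
    }
}

foreach ($f in $files) {
    Get-SigningInfo -Path $f | Format-List

    # Optional cross-check with Sysinternals sigcheck: -i prints the catalog
    # file the signature was found in and the full signing chain.
    if (Get-Command sigcheck.exe -ErrorAction SilentlyContinue) {
        & sigcheck.exe -nobanner -i $f
    }
}
```

For slc.dll the expected result on a stock install is Status "Valid" with SignatureType "Catalog", which is why a tool that only inspects the PE's embedded certificate table reports it as unsigned. Comparing the Leaf subject across the two files is the quickest way to see which ones carry the Microsoft Windows production signer rather than, say, an Office or third-party code-signing certificate.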
