
What are the Antimalware Protected Process Light (AM-PPL) dll loading requirements?

According to https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services- "any non-Windows DLLs that get loaded into the protected process must be signed with an appropriate certificate."

What are the conditions for a DLL to be considered "non-Windows"? In other words, what is a "Windows" DLL?

I know for a fact that msmpeng.exe, an AM-PPL process will load C:\Windows\System32\slc.dll, an unsigned dll. Why is that permitted?

Any information is appreciated.

Thanks!

A Windows DLL is a DLL shipped with Windows and signed by a chain that Microsoft defines as Windows. The leaf certificate is typically named something along the lines of "Microsoft Windows". This is different from a file shipped with MS Office etc. I can't rule out there being a file list involved somehow as well. I believe some Windows components like rundll32.exe and other host components are not fully trusted in all scenarios because they load external code.

slc.dll, like 99.999% of PE files shipped with Windows today, is signed. It is catalog signed, not with an embedded certificate. Use SigCheck to verify.
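The distinction the answer draws (embedded Authenticode signature vs. catalog signature, and "Windows" vs. other Microsoft chains) can be checked from PowerShell without SigCheck. The following is an added example, not code from the question or the answer above: it assumes Windows PowerShell 5.1 or later, where `Get-AuthenticodeSignature` resolves catalog-signed files and the returned `Signature` object exposes the `SignatureType` and `IsOSBinary` properties. The function name `Get-PeSignatureInfo` is my own.

```powershell
# Added example: report how a PE file is signed and whether it chains to the
# Windows signing chain. Assumes PowerShell 5.1+ (SignatureType / IsOSBinary
# on System.Management.Automation.Signature).
function Get-PeSignatureInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            # Get-AuthenticodeSignature looks the file hash up in the installed
            # catalogs, so a catalog-signed DLL with no embedded certificate
            # still reports Status = Valid and SignatureType = Catalog.
            $sig = Get-AuthenticodeSignature -FilePath $p

            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            [pscustomobject]@{
                Path          = $p
                Status        = $sig.Status          # Valid / NotSigned / HashMismatch / ...
                SignatureType = $sig.SignatureType   # Authenticode (embedded) / Catalog / None
                IsOSBinary    = $sig.IsOSBinary      # $true when the chain is the Windows chain
                Signer        = $subject             # e.g. CN=Microsoft Windows, ... for OS binaries
            }
        }
    }
}

# Usage: the DLL from the question. Expect Status = Valid, SignatureType = Catalog
# and IsOSBinary = $true on a stock Windows install; a third-party DLL dropped into
# the same directory would show SignatureType = None and IsOSBinary = $false.
'C:\Windows\System32\slc.dll' | Get-PeSignatureInfo | Format-List
```

`IsOSBinary` is the property that most directly answers the "what is a Windows DLL" question from the tooling side: it is true only when the file's signature (embedded or catalog) chains to the Windows production chain, not merely to any Microsoft-issued certificate. For the same check with SigCheck, `sigcheck64.exe -i <file>` prints the catalog file the hash was found in together with the full signing chain, which is the quickest way to confirm that an apparently "unsigned" system DLL is in fact catalog signed.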
