Thanks to visit codestin.com
Credit goes to github.com

Skip to content
/ obex Public
forked from dis0rder0x00/obex

Obex – Blocking unwanted DLLs in user mode

License

BSD-3-Clause license
0 stars 34 forks Branches Tags Activity
Star

marcostolosa/obex

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
images
images
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
obex.c
obex.c
 
 

Repository files navigation

Obex - DLL Blocking

Obex is a PoC tool/technique that can be used to prevent unwanted modules (e.g., EDR or monitoring libraries) from being loaded into a newly started process during process initialization or at runtime.

Features

  • Spawns any process with arguments under debug control.
  • Blocks a configurable list of DLLs by name.
  • Works both for startup DLLs and dynamically loaded DLLs (LoadLibrary*).
  • Written in plain C with no external dependencies.

Usage

obex.exe "<command with args>" [dll1.dll,dll2.dll,...]
  • If no DLL list is provided, a default blocklist is used (at the time of writing just amsi.dll).
  • DLL names are case-insensitive.

How Does It Work?

Besides parsing cli arguments the PoC does the following (in a rough overview):

For deeper understanding check code (obviously) or contact me on discord or twitter.

Screenshot

The screenshot shows obex spawning powershell.exe with the default blocklist (only amsi.dll). Additionally you can see the spawned process’s module list to verify that amsi.dll was not loaded.

About

Obex – Blocking unwanted DLLs in user mode

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 100.0%