New Tool Obex Blocks DLLs, Aids Evasion Research
A new tool named Obex has been released, designed to prevent Dynamic Link Libraries (DLLs) from loading into processes. Developed by Netflix employee 'dis0rder00x', this proof-of-concept tool is available on GitHub for security researchers to explore evasion methods.
Obex works by intercepting DLL loading, hooking the function responsible, and checking against a configurable blocklist. It blocks specified DLLs both during startup and runtime, potentially hindering undetected malware or red team tools. The tool is written in C, has no external dependencies, and is lightweight and portable.
By default, Obex blocks the library for the Antimalware Scan Interface, but users can provide a custom list of DLLs to block. Security solutions widely use DLL injection for monitoring, and tools like Obex demonstrate methods to circumvent these defenses. If a DLL is on the blocklist, Obex simulates a failed load attempt, preventing the library from being injected into the process.
Obex, developed by Netflix's 'dis0rder00x', is a valuable resource for penetration testers and red teams, providing defenders with insights into evasion techniques. The tool is available on GitHub, intended for security researchers to understand and test these methods. Its ability to block DLLs during startup and runtime can help enhance security measures against undetected malware.
