Define security-related limits for an executable and embed them into the application. EDR/AV products are responsible for retrieving the data at execution time and limiting the application's behavior based on those limits.
The tool aims to limit exploit capabilities.
whoami: @_qaz_qaz
Run `AppSecurityLimits.exe` with an executable path and the location of the JSON file.
The tool creates an `.appsec` section in the executable and inserts the JSON config file into the section.
If an executable contains an `.appsec` section and the magic string is `.appseclimits_`, then extract the JSON content from the section and control the application behavior accordingly.
For example, if the JSON content contains the following field:
{ ... "remote_process_access" : false, ... }
then an EDR/AV product should deny calls like `WriteRemoteProcess`, since according to the application developer it is not intended to be used.
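
How an EDR/AV agent might read these limits back, as an added example that is not code from the AppSecurityLimits project: it walks the PE section table using only the Python standard library. It assumes the magic string sits at the start of the `.appsec` section with the JSON directly after it, NUL-padded; `read_limits`, `is_denied` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import json
import struct

MAGIC = b".appseclimits_"   # magic string named in the README
SECTION = b".appsec"        # section name named in the README

def read_limits(pe: bytes):
    """Return the embedded limits as a dict, or None if none can be read."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    nsect, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size
    for i in range(nsect):
        off = table + 40 * i            # each section header is 40 bytes
        if off + 40 > len(pe):
            break                       # truncated section table
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        if pe[off:off + 8].rstrip(b"\0") != SECTION:
            continue
        data = pe[raw_ptr:raw_ptr + raw_size]
        if not data.startswith(MAGIC):  # assumed layout: magic, then JSON
            return None
        try:
            limits = json.loads(data[len(MAGIC):].rstrip(b"\0"))
        except ValueError:              # malformed JSON or invalid UTF-8
            return None
        return limits if isinstance(limits, dict) else None
    return None

def is_denied(limits, capability: str) -> bool:
    # Assumption: only an explicit `false` denies; absent keys impose no limit.
    return limits is not None and limits.get(capability) is False

def build_sample(payload: bytes) -> bytes:
    """Constructed PE-like image: DOS header, COFF header, one section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)
    raw = payload.ljust(0x200, b"\0")
    sect = SECTION.ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(raw), 0x40 + 24 + 40, 0, 0, 0, 0, 0x40000040)
    return dos + coff + sect + raw

if __name__ == "__main__":
    pe = build_sample(MAGIC + b'{"remote_process_access": false}')
    print(is_denied(read_limits(pe), "remote_process_access"))
```
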
- LIEF (Apache License 2.0)
- nlohmann/json (MIT License)