Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Online_Sword Some of this command line scanning stuff and also .NET related functionality is beyond my expertise. However, I do have this command line scanning environment set up and I am happy to run some tests through it for you. Hopefully this information will be beneficial to you. If you want me to try anything else specific, please feel free to let me know.

    Code:
    *** excubits.com beta ***: 2016/02/02_13:25:21 > LSTCHECK > C:\Windows\System32\cmd.exe > D:\TestDLL\CSharp\CallDll.exe
    *** excubits.com beta ***: 2016/02/02_13:25:21 > LSTCHECK > D:\TestDLL\CSharp\CallDll.exe > C:\Windows\SysWOW64\mscoree.dll
    *** excubits.com beta ***: 2016/02/02_13:25:21 > LSTCHECK > D:\TestDLL\CSharp\CallDll.exe > C:\Windows\SysWOW64\apphelp.dll
    *** excubits.com beta ***: 2016/02/02_13:25:21 > LSTCHECK > D:\TestDLL\CSharp\CallDll.exe > C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
    *** excubits.com beta ***: 2016/02/02_13:25:21 > LSTCHECK > D:\TestDLL\CSharp\CallDll.exe > C:\Windows\SysWOW64\version.dll
    *** excubits.com beta ***: 2016/02/02_13:25:21 > LSTCHECK > D:\TestDLL\CSharp\CallDll.exe > C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
    *** excubits.com beta ***: 2016/02/02_13:25:21 > LSTCHECK > D:\TestDLL\CSharp\CallDll.exe > C:\Windows\SysWOW64\msvcr120_clr0400.dll
    *** excubits.com beta ***: 2016/02/02_13:25:21 > LSTCHECK > D:\TestDLL\CSharp\CallDll.exe > C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7861e52ba2d943b167d29bdb87ff9d05\mscorlib.ni.dll
    *** excubits.com beta ***: 2016/02/02_13:25:21 > LSTCHECK > D:\TestDLL\CSharp\CallDll.exe > C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
    *** excubits.com beta ***: 2016/02/02_13:26:21 > LSTCHECK > D:\TestDLL\CSharp\CallDll.exe > C:\Windows\SysWOW64\urlmon.dll
    *** excubits.com beta ***: 2016/02/02_13:26:21 > LSTCHECK > D:\TestDLL\CSharp\CallDll.exe > C:\Windows\SysWOW64\iertutil.dll
    That is the logging output after running your CSharp executable and call to the corresponding DLL just to capture as much logging as possible. The "LSTCHECK" part is interesting because I have never seen that before, but also I do not know what it means. Please let me know if there is anything else you would like me to test.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Online_Sword Here are the logging results for your CPlusPlus executable and DLL:

    Code:
    *** excubits.com beta ***: 2016/02/02_13:43:35 > LSTCHECK > C:\Windows\System32\cmd.exe > D:\TestDLL\CPlusPlus\CallDll.exe
    *** excubits.com beta ***: 2016/02/02_13:43:35 > LSTCHECK > D:\TestDLL\CPlusPlus\CallDll.exe > C:\Windows\SysWOW64\apphelp.dll
    For that case, the CallDll.exe crashed.
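The two log dumps above share one line format. As an added example (not from this thread and not Excubits' code), here is a small Python parser for it, with the field layout assumed from the lines shown, plus a helper that pulls out the events whose child path lies outside the usual system roots, which is what you would review first when building a whitelist from [#LETHAL] logs. The sample lines are a subset copied from the output posted above; the `LSTCHECK` event name is kept as an opaque string because the thread does not say what it means.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: six lines copied from the LSTCHECK output posted above
# (the full output is in the post; this subset is enough to exercise the parser).
SAMPLE_LOG = r"""
*** excubits.com beta ***: 2016/02/02_13:25:21 > LSTCHECK > C:\Windows\System32\cmd.exe > D:\TestDLL\CSharp\CallDll.exe
*** excubits.com beta ***: 2016/02/02_13:25:21 > LSTCHECK > D:\TestDLL\CSharp\CallDll.exe > C:\Windows\SysWOW64\mscoree.dll
*** excubits.com beta ***: 2016/02/02_13:25:21 > LSTCHECK > D:\TestDLL\CSharp\CallDll.exe > C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
*** excubits.com beta ***: 2016/02/02_13:26:21 > LSTCHECK > D:\TestDLL\CSharp\CallDll.exe > C:\Windows\SysWOW64\urlmon.dll
*** excubits.com beta ***: 2016/02/02_13:43:35 > LSTCHECK > C:\Windows\System32\cmd.exe > D:\TestDLL\CPlusPlus\CallDll.exe
*** excubits.com beta ***: 2016/02/02_13:43:35 > LSTCHECK > D:\TestDLL\CPlusPlus\CallDll.exe > C:\Windows\SysWOW64\apphelp.dll
"""

# Assumed field layout: "<banner>: <timestamp> > <event> > <parent> > <child>".
# Windows paths never contain " > ", so that separator is unambiguous.
LINE_RE = re.compile(
    r"^\*\*\* excubits\.com beta \*\*\*: (?P<ts>\S+) > (?P<event>[A-Z]+) > (?P<parent>.+?) > (?P<child>.+)$"
)


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str     # e.g. LSTCHECK (meaning not stated on the page)
    parent: str   # process that performed the action
    child: str    # executable started or module loaded


def parse_log(text: str) -> list:
    """Turn raw log text into Event records; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            when=datetime.strptime(m["ts"], "%Y/%m/%d_%H:%M:%S"),
            kind=m["event"],
            parent=m["parent"],
            child=m["child"],
        ))
    return events


def children_of(events: list) -> dict:
    """Group distinct child paths by parent process, keeping first-seen order."""
    groups = defaultdict(list)
    for e in events:
        if e.child not in groups[e.parent]:
            groups[e.parent].append(e.child)
    return dict(groups)


# Roots that the whitelists in this thread cover with C:\Windows\* and C:\Program Files\*.
TRUSTED_ROOTS = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")


def outside_roots(events: list, trusted_roots: tuple = TRUSTED_ROOTS) -> list:
    """Events whose child lies outside the trusted roots: the entries a [#LETHAL]
    log review should look at first, since a system-roots-only whitelist would not cover them."""
    roots = tuple(r.lower() for r in trusted_roots)
    return [e for e in events if not e.child.lower().startswith(roots)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for parent, kids in children_of(evs).items():
        print(f"{parent} loaded/started {len(kids)} distinct targets")
    for e in outside_roots(evs):
        print("outside trusted roots:", e.parent, "->", e.child)
```

Running it on the sample lists `cmd.exe` starting the two `CallDll.exe` builds under `D:\TestDLL` as the only events outside the trusted roots; every module the C# build pulled in came from `C:\Windows`, which a `C:\Windows\*>*` whitelist line already covers.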
     
  3. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
  4. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Great news. The beta works great on here.

    @Online_Sword: I think what Florian means with .NET are attacks he posted on his blog where attackers used .NET to compile C# or VB applications, or if you start PowerShell by using the command line. You are correct, .NET executables themselves are like executables, so they should be blocked. As far as I understand there is also an option to start .NET apps (exe) through other applications with a command line option; in such a case the cmdScanner in Bouncer can help to prevent this if you only allow using such cmd parameters from trusted locations (as far as I understand, I am not a developer and also not a pro in this area).
     
  5. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    Thanks.:D
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I have been testing MemProtect more recently, particularly since Florian had released updated builds for all Beta Camp projects. But also because I finally have a better understanding of how it works and how to create rules correctly.

    In my testing, I am using MemProtect to protect a pretty basic process, which in my testing I am using speedyfox.exe. So that process is entirely protected by MemProtect. Then, I am using the latest versions of Process Explorer and Process Hacker. Both have full system access and are both started as Administrator to ensure full power/permissions in this testing.

    Process Explorer and Process Hacker (both run as Admin) were not able to: terminate/kill the protected speedyfox.exe process, were not able to view Job Objects, were not able to view ASLR details, also were not able to either view or edit process Permissions whatsoever. Surely there were other limitations as well, but those are my initial observations thus far.

    Needless to say, now that I understand how MemProtect works and how to better create rules, I can see tremendous potential here if/when this is integrated into Bouncer.
     
  7. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    @WildByDesign
    Please help me, how do I install MemProtect?
    And is the built-in rule enough to prevent locking myself out?
    Thanks
     
  8. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    ok installed with Driver Signature Enforcement Overrider
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Absolutely, I am happy to help.

    First, if you are running a 64-bit version of Windows, you will more than likely need to run Windows in Test Mode because at the moment, MemProtect and other Beta Camp drivers are not digitally signed. But for testing purposes, I will give you the steps that you can follow. When the Stable releases come out, they will be signed.

    Test Mode:
    Open an elevated Command Prompt

    Copy and paste the following, pressing Enter after each:
    Code:
    bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
    Code:
    bcdedit -set TESTSIGNING ON
    Now you must Restart Windows and you will always remain in Test Mode, which generally will show a Test Mode watermark on your lower right corner of your desktop to indicate that. Every time you start Windows, it will be in Test Mode.

    For future reference, I will give you the steps to get out of Test Mode. This is for if/when you decide to stop testing MemProtect. After you are out of Test Mode, the unsigned MemProtect driver will not load anymore. Enter the following commands from an elevated Command Prompt, pressing Enter after each line, then restarting Windows. You will then be out of Test Mode.
    Code:
    bcdedit -set loadoptions ENABLE_INTEGRITY_CHECKS
    bcdedit -set TESTSIGNING OFF

    The next step is that you need to "test sign" the driver. Microsoft provides free tools to do this, but it is beyond my abilities. I will provide you with a quick and easy method.

    There is a free, portable tool called Driver Signature Enforcement Overrider 1.3b which is quite handy. The file downloaded is dseo13b.exe

    VirusTotal Info: By the rules of this forum, I cannot post links to VirusTotal. I will just provide you with the SHA256 (39036a8f2ca0430fd57d86563bc783e0f1ad3144540b87cf2ec2dde9abb3b8cd), which you can look up at VT if you wish. You will notice some false positives over there due to the nature of what this program does.
    • Run dseo13b.exe
    • Choose the option "Sign a System File", click Next.
    • Now copy and paste the location of where you have extracted MemProtect
    • Example: D:\Tools\memprotect_beta\x64\MemProtect.sys
    • Ensure that you use the 32-bit or 64-bit driver, depending on your system.
    • Press OK, and that file will now have a test signature and will only work within Test Mode.

    Now you can install and configure MemProtect. Now, as with any of Florian's drivers, it is always best to use [#LETHAL] first so that there is no blocking, but keep [LOGGING] enabled so that you can obtain detailed logs to assist with creating rules based on your system and your usage patterns.

    Florian provides a MemProtect.ini config file to get started with. So you can edit that with something like Notepad++ to get started. Or you could make a copy of the file. The most important thing is that the config file is in Unicode encoding, which that file is by default.

    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\Program Files (x86)\Google\*>C:\Program Files (x86)\Google\*
    C:\Program Files\Google\*>C:\Program Files\Google\*
    [BLACKLIST]
    C:\Users\Magnum\*>*
    [EOF]
    

    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\Program Files (x86)\Google\*>C:\Program Files (x86)\Google\*
    C:\Program Files\Google\*>C:\Program Files\Google\*
    *ProcessHacker.exe>C:\Windows\*
    *ProcessHacker.exe>C:\Program Files (x86)\*
    *ProcessHacker.exe>C:\Program Files\*
    *ProcessHacker.exe>*peview.exe
    *peview.exe>*ProcessHacker.exe
    *procexp.exe>C:\Windows\*
    *procexp.exe>C:\Program Files (x86)\*
    *procexp.exe>C:\Program Files\*
    *procexp64.exe>C:\Windows\*
    *procexp64.exe>C:\Program Files (x86)\*
    *procexp64.exe>C:\Program Files\*
    *procexp.exe>*procexp64.exe
    *procexp64.exe>*procexp.exe
    C:\ProgramData\Adguard\Temp\?.?.???.???\setup-?.?.???.???.exe>C:\ProgramData\Adguard\Temp\?.?.???.???\setup-?.?.???.???.exe
    C:\ProgramData\Adguard\Temp\?.?.???.???\setup-?.?.???.???.exe>C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe>C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe>C:\ProgramData\Adguard\Temp\?.?.???.???\setup-?.?.???.???.exe
    D:\PortableApps\*>*
    D:\Tools\*>*
    [BLACKLIST]
    D:\Tools-Protected\*>*
    *CallDll.exe>*HelloDll.dll
    [EOF]
    

    Hopefully that gives you some ideas to work with. It's a great driver and it has been absolutely stable and efficient so far in my testing.

    EDIT: I see that you have already got it working now, that's great. I will still post the reply anyway just in case the info is relevant to other users.

    As you probably already know, the controls for MemProtect are pretty basic from an elevated command prompt:
    Code:
    net start memprotect
    net stop memprotect
    sc query memprotect
    Good luck, have fun, and enjoy! :thumb:
     
  10. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Thank you very much for the very detailed information.

    Now let's say I have the default rule enabled.

    Now if I run for example ProcessHacker from "C:\tool", it must not be able to inject any DLL/EXE into the blacklist only?
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    First, it's important to ensure that MemProtect is working appropriately on your system before enabling the [LETHAL] blocking feature. By that, I mean you are able to start Windows, restart, and do your normal stuff without any significant logging/reported blockages from MemProtect.

    So let's assume that you are at that point now, running smoothly.

    From my test config:
    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\Program Files (x86)\Google\*>C:\Program Files (x86)\Google\*
    C:\Program Files\Google\*>C:\Program Files\Google\*
    *ProcessHacker.exe>C:\Windows\*
    *ProcessHacker.exe>C:\Program Files (x86)\*
    *ProcessHacker.exe>C:\Program Files\*
    *ProcessHacker.exe>*peview.exe
    *peview.exe>*ProcessHacker.exe
    *procexp.exe>C:\Windows\*
    *procexp.exe>C:\Program Files (x86)\*
    *procexp.exe>C:\Program Files\*
    *procexp64.exe>C:\Windows\*
    *procexp64.exe>C:\Program Files (x86)\*
    *procexp64.exe>C:\Program Files\*
    *procexp.exe>*procexp64.exe
    *procexp64.exe>*procexp.exe
    C:\ProgramData\Adguard\Temp\?.?.???.???\setup-?.?.???.???.exe>C:\ProgramData\Adguard\Temp\?.?.???.???\setup-?.?.???.???.exe
    C:\ProgramData\Adguard\Temp\?.?.???.???\setup-?.?.???.???.exe>C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe>C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe>C:\ProgramData\Adguard\Temp\?.?.???.???\setup-?.?.???.???.exe
    D:\PortableApps\*>*
    D:\Tools\*>*
    [BLACKLIST]
    D:\Tools-Protected\*>*
    *CallDll.exe>*HelloDll.dll
    [EOF]
    

    In my blacklist section, from within D:\Tools-Protected\, that is where I was running SpeedyFox.exe (portable, unzipped) from within that blacklisted directory. So that is how MemProtect configures the sandboxing from the blacklisted section. And as far as Process Hacker and also Process Explorer go, those were fully allowed within my whitelist section to access the typical Windows system locations that it needs to access.

    So, let's assume that you go full blocking mode now, [LETHAL] and restart the driver. Process Hacker and/or Process Explorer will be able to access the normal directories that they are supposed to. Then you can start up SpeedyFox.exe from the blacklisted/protected folder (or any executable you want for testing, really) and Process Hacker / PE will be trying to obtain memory information for that particular process, but since that process is sandboxed and configured within the blacklist section, PH/PE will now be denied access to that memory process/info and you will receive blockages/logging for PH/PE trying to access SpeedyFox.exe memory info.

    Then from within PH/PE, you can try to access permissions for SpeedyFox.exe memory process, try to terminate it, etc. and it will be denied.

    Anyway, I hope that I explained it well enough. Please feel free to ask any questions anytime.
     
  12. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    OK, thank you.
    This is what I am doing.
    I created this folder Tools-Protected and, using your config file, put some exe files in the "Tools-Protected" folder, then I ran ProcessHacker from the desktop (I first stopped the service, then after updating the config started the service again).
    But this is what happens: I can do anything with an exe file executed from the "Tools-Protected" folder.
    Also I am running Windows 7.


    Here is the service status:
    SERVICE_NAME: MemProtect
    TYPE : 2 FILE_SYSTEM_DRIVER
    STATE : 4 RUNNING
    (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0
    Also about the installation, I re-read your #859 post. I used dseo13b.exe to go into test mode, then restarted. Then I installed MemProtect, then signed the file with dseo13b.exe, then restarted. So maybe the problem is from the installation?
    Also I am running [LETHAL].
    Thank you
     
    Last edited: Feb 10, 2016
  13. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    OK, I found one more mistake I made.

    Your config:
    D:\Tools-Protected\*>*

    For me it is:
    C:\Tools-Protected\*>*

    I updated the rule, but I still can do anything with a process running from that folder.
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @co22 Just to confirm, you have enabled [LETHAL] mode, correct?

    I will give MemProtect a try in a Windows 7 virtual machine tomorrow and check it out and will let you know how it goes.
     
  15. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Yes, I deleted the # inside [#LETHAL].
    Also my ProcessHacker version is 2.36.
    Edit: also sent an email to Florian so he can look into it.
    Updated the rule with the built-in rule, still the same result.

    Code:
    [LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\Program Files (x86)\Google\*>C:\Program Files (x86)\Google\*
    C:\Program Files\Google\*>C:\Program Files\Google\*
    [BLACKLIST]
    C:\Users\Magnum\*>*
    C:\Tools-Protected\*>*
    [EOF]
    


    Edit 2:
    Just found that inject DLL... and detach from debugger in ProcessHacker give me
    access denied.
    But I can kill/terminate the process, and I can see the ASLR and DEP state.
     
    Last edited: Feb 10, 2016
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @co22 Confirmed. I just gave MemProtect a spin on a physical Windows 7 32-bit machine, and I was able to confirm what you had experienced. It almost seems as though the Blacklist section is not being enforced on Windows 7. Thank you for bringing the details forward. I will pass this info along to Florian regarding Win7 and get him to test it out, provide a fix and whatever details come out of it. I will update you when I find out more.
     
  17. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    @WildByDesign
    Thank you very much for confirming. Here is the response from Florian:
    Thanks for the report, I will install a fresh Windows 7 and try to
    reproduce the issue here. If I have an update I let you know.

    Cheers
    Florian



    And I also sent him this question regarding Pumpernickel, so I repost it here:


    It seems I have issues with Pumpernickel also in Windows 7, or maybe I think wrong,
    since I don't know how it works exactly.
    I created the folder "Dummy" on the desktop, then went to [LETHAL] mode and restarted the driver.
    Instead of notepad.exe I use Notepad2.exe;

    Now I tested and I can create a file with Notepad2.exe in the Dummy folder, since there is a rule to allow it in the Dummy folder.

    But the problem is I can drag and drop a file from the desktop into the Dummy folder; I think it should be prevented since this folder is protected.

    And if there is a file inside the Dummy folder, then the Dummy folder cannot be deleted, but if it is empty then it can be deleted. So since it is protected,
    it should not be deleted (empty or not empty).

    Also there is a rule *Notepad2.exe>*~~*, so if I create any file with Notepad2.exe that doesn't have ~~ in its path/file name,
    it should be denied. But I can create any file without ~~ in its file name in any location.

    Also, what about read and write protection at the same time? Will it be added?


    Notepad2 adds some registry entries in that location so Windows Notepad won't launch:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    https://github.com/XhmikosR/notepad2-mod/releases

    Code:
    [LETHAL]
    [LOGGING]
    [WHITELIST]
    # this rule allows Notepad2.exe to write only on files having ~~ in their path/file name..
    *Notepad2.exe>*~~*
    *Notepad2.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\iconcache_*.db
    *Notepad2.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db
    *Notepad2.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
    *Notepad2.exe>C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
    # some test rules for google chrome. works well in Windows 8.1 (32-bit)
    *chrome.exe>C:\Users\*\AppData\Local\Google\Chrome\User Data\*
    *chrome.exe>C:\Users\*\AppData\Local\Temp\etilqs_*
    *chrome.exe>C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\*
    *chrome.exe>C:\Users\*\AppData\Local\Google\Chrome\User Data
    *chrome.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\iconcache_*.db
    *chrome.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db
    *chrome.exe>C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
    *chrome.exe>C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\counters.dat
    # this rule allows notepad2 to write into any file located in any folder somewhere in C:\Users\*\Dummy\*
    !*Notepad2.exe>C:\Users\*\Dummy\*
    [BLACKLIST]
    # this rule blocks any attempts to write into any file located in any folder somewhere in C:\Users\*\Dummy\*
    *>C:\Users\*\Dummy\*
    [EOF]
    
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @co22 Your testing of Pumpernickel has got me curious again as well. My initial testing (and still ongoing testing) of Pumpernickel has only been of the initial feature, which was write protection. That was before Pumpernickel got features for Blacklist, and also blocking rename, delete, etc.

    So you got me curious.

    I tested several portable Explorer-like programs, but found that they still use explorer.exe underlying to achieve their operations.

    So, from my testing, if you want to block that Dummy folder from files being moved, deleted, renamed, etc., try this in blacklist section:

    Code:
    [BLACKLIST]
    *explorer.exe>C:\Users\*\Dummy\*
    
    Also, your priority rule in your whitelist for notepad2.exe looks great. That should take priority over the blacklist rule and only allow notepad2.exe to alter anything within that Dummy folder.

    EDIT:

    Ok this is rather exciting!

    Here is what I came up with. This is just using regular notepad.exe though, so you would have to change according to your protected folder and notepad2.exe

    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    !*notepad.exe>D:\Tools-Protected\Test\*
    [BLACKLIST]
    *explorer.exe>D:\Tools-Protected\Test\*
    [EOF]
    
    This worked wonderfully. notepad.exe was able to do anything it needed to do within that folder, while using explorer.exe to delete, rename, move, etc. was denied. Excellent! Thank you for inspiring me to do some additional testing with Pumpernickel as well. It is far more powerful than I had initially imagined.
     
    Last edited: Feb 13, 2016
  19. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router

    If you mean the config should look like this, the folder can still be deleted when it is empty.

    Code:
    [LETHAL]
    [LOGGING]
    [WHITELIST]
    !*Notepad2.exe>C:\Tools-Protected\Test\*
    !*Notepad2.exe>C:\Users\*\Dummy\*
    [BLACKLIST]
    *explorer.exe>C:\Tools-Protected\Test\*
    *explorer.exe>C:\Users\*\Dummy\*
    *dllhost.exe>C:\Users\*\Dummy\*
    *dllhost.exe>C:\Tools-Protected\Test\*
    [EOF]
    
    Here is the response from Florian:
    And it seems bouncer_beta won't work in Windows 7, at least.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    OK, I see what you mean now. I was able to replicate as well, it blocked when there were items in the folder, but did not block when the folder was empty.

    Solution:

    Code:
    [WHITELIST]
    !*notepad.exe>D:\Tools-Protected\Test\*
    [BLACKLIST]
    *explorer.exe>D:\Tools-Protected\Test\*
    *explorer.exe>D:\Tools-Protected\Test
    Test\* refers to contents within the directory.
    Test as is (ensure no backslash at end) refers to the folder itself, whether it changes permissions, rename, delete, etc.

    This method works now for what you were trying to achieve there.

    EDIT:

    Technically, you could also do the following to get it done in one line:

    Code:
    [BLACKLIST]
    *explorer.exe>D:\Tools-Protected\Test*
     
    Last edited: Feb 13, 2016
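The contents-versus-folder distinction in this reply, the `!` priority whitelist line in the Pumpernickel config posted a few replies up, and the [#LETHAL] log-only switch from the MemProtect walkthrough all come down to how `process>target` lines are matched. As an added example that is neither Excubits' code nor from this thread, the Python below models that matching so a rule set can be checked offline before [LETHAL] is switched on. The precedence (priority whitelist, then blacklist, then plain whitelist, then a caller-chosen default) and the `*`/`?` wildcard meaning are assumptions drawn from the rules on this page, not documented driver behaviour; the three configs are constructed from the variants in this reply, and the `Testing` path is a constructed sibling folder used to show a side effect of the one-line form.

```python
import re
from dataclasses import dataclass, field
from functools import lru_cache


@dataclass
class Rule:
    process: str    # left of '>': glob over the acting process path
    target: str     # right of '>': glob over the path being accessed
    section: str    # "WHITELIST" or "BLACKLIST"
    priority: bool  # '!' prefix on a whitelist line: wins over the blacklist


@dataclass
class Policy:
    lethal: bool = False
    logging: bool = False
    rules: list = field(default_factory=list)


@lru_cache(maxsize=None)
def glob_to_regex(pattern: str) -> re.Pattern:
    """'*' matches any run of characters, '?' exactly one; everything else is literal.
    Matching is case-insensitive, as NTFS paths are (assumption)."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    return glob_to_regex(pattern).match(path) is not None


def parse_policy(text: str) -> Policy:
    """Read the ini-style rule file: flag sections, '#' comment lines, 'proc>target' rules."""
    policy, section = Policy(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "LETHAL":
                policy.lethal = True
            elif name == "#LETHAL":          # commented-out flag: log only, never block
                policy.lethal = False
            elif name == "LOGGING":
                policy.logging = True
            elif name == "EOF":
                break
            elif name in ("WHITELIST", "BLACKLIST"):
                section = name
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if section is None or ">" not in line:
            raise ValueError(f"rule outside a list section or missing '>': {raw!r}")
        left, right = line.lstrip("!").split(">", 1)
        policy.rules.append(Rule(left, right, section, line.startswith("!") and section == "WHITELIST"))
    return policy


def decide(policy: Policy, process: str, target: str, default: str = "ALLOW") -> str:
    """Assumed precedence: '!' whitelist > blacklist > plain whitelist > default.
    Returns "ALLOW", "BLOCK", or "LOG" (a block that [#LETHAL] turns into a log entry)."""
    hits = [r for r in policy.rules if matches(r.process, process) and matches(r.target, target)]
    if any(r.priority for r in hits):
        verdict = "ALLOW"
    elif any(r.section == "BLACKLIST" for r in hits):
        verdict = "BLOCK"
    elif hits:
        verdict = "ALLOW"
    else:
        verdict = default
    return "LOG" if verdict == "BLOCK" and not policy.lethal else verdict


# Constructed from this reply: only the folder *contents* are covered.
CONTENTS_ONLY = r"""
[LETHAL]
[LOGGING]
[WHITELIST]
!*notepad.exe>D:\Tools-Protected\Test\*
[BLACKLIST]
*explorer.exe>D:\Tools-Protected\Test\*
[EOF]
"""
# The fix from this reply: a second line naming the folder itself (no trailing backslash).
FOLDER_AND_CONTENTS = CONTENTS_ONLY.replace("[EOF]", "*explorer.exe>D:\\Tools-Protected\\Test\n[EOF]")
# The one-line variant: 'Test*' covers folder and contents, and anything else starting with Test.
ONE_LINE = CONTENTS_ONLY.replace(r"*explorer.exe>D:\Tools-Protected\Test\*",
                                 r"*explorer.exe>D:\Tools-Protected\Test*")

if __name__ == "__main__":
    explorer = r"C:\Windows\explorer.exe"
    for name, cfg in (("contents-only", CONTENTS_ONLY), ("folder+contents", FOLDER_AND_CONTENTS),
                      ("one-line", ONE_LINE)):
        pol = parse_policy(cfg)
        print(name, "file:", decide(pol, explorer, r"D:\Tools-Protected\Test\a.txt"),
              "folder:", decide(pol, explorer, r"D:\Tools-Protected\Test"))
```

Under this model the contents-only config reproduces the empty-folder gap (the folder path itself matches neither line), the two-line fix closes it, and the `Test*` one-liner closes it too but also catches a sibling such as `D:\Tools-Protected\Testing\`, which is worth knowing before using the shorter form.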
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    What is the issue that you are experiencing with bouncer_beta build (I assume latest Beta Camp build) on Windows 7?

    If you let me know what is happening, then I am happy to try to reproduce the issue on my end and pass along the details to Florian as well. I have a physical Windows 7 machine laying around now for testing and also a few virtual machines to test.
     
  22. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    I have a problem with bouncer_beta.
    I stopped the driver (current demo version), then uninstalled with uninstall_driver.cmd, then restarted the PC.
    Then I signed the latest bouncer_beta driver, then installed it, then replaced the config file (# was removed) inside bouncer_beta, then restarted the PC.
    Now I see bouncer_beta won't block or log anything.

    Thank you, this is what I want; it works very well.

    Edit: it can still be deleted, but now only after giving it admin permission will it be deleted.
    Edit 2: adding the line below will prevent deletion.
    Code:
    *>C:\Tools-Protected\Test
     
    Last edited: Feb 13, 2016
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    If you don't mind, would you be willing to copy your current Bouncer.ini config file here (within CODE tags) so that I can check it out? You could also send by PM if you don't want it public.
    You're welcome. I'm glad that you've got it figured out and working well now. I see a lot of potential in that Pumpernickel driver, particularly if/when it is integrated into Bouncer.
     
  24. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Tested Pumpernickel with LockHunter (delete on next restart feature), and Pumpernickel won't let it be done. That's very good.

    Here, this is what I use for the beta:
    Code:
    [LETHAL]
    [LOGGING]
    [SHA256]
    [PARENTCHECK]
    [CMDCHECK]
    [WHITELIST]
    C:\Windows\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    C:\ProgramData\Microsoft\*
    C:\New folder (2)\*
    E:\Utility\*
    C:\Users\Default\NTUSER.DAT.LOG2
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\Dism*
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\OSProvider.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\LogProvider.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\CbsProvider.dll
    C:\Sandbox\*
    C:\KMPlayer\*
    *Admin Tool.exe
    *BouncerTray.exe
    [PARENTWHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\ProgramData\Microsoft\*>*
    [PARENTBLACKLIST]
    [CMDWHITELIST]
    !C:\Program Files\Excubits\Tuersteher\Tools\TuersteherTray.exe>*cmd.exe /c * Tuersteher
    !C:\Program Files\Excubits\Tuersteher\Tools\Admin Tool.exe>C:\Windows\system32\cmd.exe /c * Tuersteher
    !C:\Program Files (x86)\Excubits\Tuersteher\Tools\TuersteherTray.exe>*cmd.exe /c * Tuersteher
    !C:\Program Files (x86)\Excubits\Tuersteher\Tools\Admin Tool.exe>C:\Windows\system32\cmd.exe /c * Tuersteher
    !C:\Windows\*svchost.exe>C:\Windows\*rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {*} -Embedding
    !C:\Windows\*svchost.exe>C:\*rundll32.exe C:\Windows\system32\invagent.dll,RunUpdate
    !C:\Windows\*svchost.exe>C:\*rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
    !C:\Windows\*svchost.exe>*rundll32.exe WSClient.dll,WSpTLR licensing
    !C:\Windows\*wermgr.exe>"*runDll32.exe" "C:\Windows\system32\WerConCpl.dll", LaunchErcApp -responsepester
    !C:\Windows\*svchost.exe>*rundll32.exe /d acproxy.dll,PerformAutochkOperations
    *>*
    [CMDBLACKLIST]
    *>*rundll32*
    *>*cmd*/c*
    [EOF]
    
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @co22 I am still analyzing your config and I will respond in more detail in the morning.

    However, I did notice one missing section right away. You are missing the [BLACKLIST] section, should be right above [PARENTWHITELIST].

    As follows in config in spoiler:
    Code:
    [LETHAL]
    [LOGGING]
    [SHA256]
    [PARENTCHECK]
    [CMDCHECK]
    [WHITELIST]
    C:\Windows\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    C:\ProgramData\Microsoft\*
    C:\New folder (2)\*
    E:\Utility\*
    C:\Users\Default\NTUSER.DAT.LOG2
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\Dism*
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\OSProvider.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\LogProvider.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\CbsProvider.dll
    C:\Sandbox\*
    C:\KMPlayer\*
    *Admin Tool.exe
    *BouncerTray.exe
    [BLACKLIST]
    [PARENTWHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\ProgramData\Microsoft\*>*
    [PARENTBLACKLIST]
    [CMDWHITELIST]
    !C:\Program Files\Excubits\Tuersteher\Tools\TuersteherTray.exe>*cmd.exe /c * Tuersteher
    !C:\Program Files\Excubits\Tuersteher\Tools\Admin Tool.exe>C:\Windows\system32\cmd.exe /c * Tuersteher
    !C:\Program Files (x86)\Excubits\Tuersteher\Tools\TuersteherTray.exe>*cmd.exe /c * Tuersteher
    !C:\Program Files (x86)\Excubits\Tuersteher\Tools\Admin Tool.exe>C:\Windows\system32\cmd.exe /c * Tuersteher
    !C:\Windows\*svchost.exe>C:\Windows\*rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {*} -Embedding
    !C:\Windows\*svchost.exe>C:\*rundll32.exe C:\Windows\system32\invagent.dll,RunUpdate
    !C:\Windows\*svchost.exe>C:\*rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
    !C:\Windows\*svchost.exe>*rundll32.exe WSClient.dll,WSpTLR licensing
    !C:\Windows\*wermgr.exe>"*runDll32.exe" "C:\Windows\system32\WerConCpl.dll", LaunchErcApp -responsepester
    !C:\Windows\*svchost.exe>*rundll32.exe /d acproxy.dll,PerformAutochkOperations
    *>*
    [CMDBLACKLIST]
    *>*rundll32*
    *>*cmd*/c*
    [EOF]
    
    I will go over in more detail tomorrow if I find anything else.
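As an added example (not from this thread and not Excubits' code), here is a short Python check that catches the kind of omission pointed out in this reply: it reads the section headers of a Bouncer config and reports any that are missing, out of order, or that have rule lines sitting under a flag section or after [EOF]. The section order is taken from the config shown in this reply and assumed to be the one the driver expects; the sample config is a trimmed copy of the one posted above, with the same missing section.

```python
# Section order as shown in the Bouncer beta config in the reply above; assumed to be
# the layout the driver expects (the page shows it, the driver's own docs are not quoted).
BOUNCER_LAYOUT = ["LETHAL", "LOGGING", "SHA256", "PARENTCHECK", "CMDCHECK", "WHITELIST",
                  "BLACKLIST", "PARENTWHITELIST", "PARENTBLACKLIST", "CMDWHITELIST",
                  "CMDBLACKLIST", "EOF"]
# Sections that carry rule lines; the others are on/off flags.
LIST_SECTIONS = {"WHITELIST", "BLACKLIST", "PARENTWHITELIST", "PARENTBLACKLIST",
                 "CMDWHITELIST", "CMDBLACKLIST"}


def section_headers(text: str) -> list:
    """Headers in file order. A '#' inside the brackets (e.g. [#LETHAL]) is a disabled
    flag, not a comment, so it still counts as that section."""
    return [line.strip()[1:-1].lstrip("#") for line in text.splitlines()
            if line.strip().startswith("[") and line.strip().endswith("]")]


def check_layout(text: str, layout: list = BOUNCER_LAYOUT) -> list:
    """Return a list of human-readable problems; an empty list means the layout is fine."""
    problems = []
    headers = section_headers(text)
    for i, name in enumerate(layout):
        if name not in headers:
            hint = f" (expected before [{layout[i + 1]}])" if i + 1 < len(layout) else ""
            problems.append(f"missing [{name}]{hint}")
    for h in headers:
        if h not in layout:
            problems.append(f"unknown section [{h}]")
    present = [h for h in headers if h in layout]
    if present != sorted(present, key=layout.index):
        problems.append("sections out of order: " + ", ".join(present))
    # Rule lines must sit under a list section, and nothing may follow [EOF].
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("#")
            continue
        if current == "EOF":
            problems.append(f"content after [EOF]: {line}")
        elif current not in LIST_SECTIONS:
            problems.append(f"rule under non-list section [{current}]: {line}")
    return problems


# Trimmed copy of the config posted above: still has no [BLACKLIST] section.
POSTED = r"""
[LETHAL]
[LOGGING]
[SHA256]
[PARENTCHECK]
[CMDCHECK]
[WHITELIST]
C:\Windows\*
*BouncerTray.exe
[PARENTWHITELIST]
C:\Windows\*>*
[PARENTBLACKLIST]
[CMDWHITELIST]
!C:\Windows\*svchost.exe>*rundll32.exe WSClient.dll,WSpTLR licensing
*>*
[CMDBLACKLIST]
*>*rundll32*
*>*cmd*/c*
[EOF]
"""
# The corrected version: an (empty) [BLACKLIST] inserted right above [PARENTWHITELIST].
FIXED = POSTED.replace("[PARENTWHITELIST]", "[BLACKLIST]\n[PARENTWHITELIST]")

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, check_layout(cfg) or "OK")
```

The empty `[BLACKLIST]` in the corrected file is fine: the check only cares that each section exists in the right place, not that it has entries.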
     