Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Some examples:

    Test Stack Pivot (EMET)


    Immagine.jpg

    Test ROP VirtualProtect() (MBAE)

    Immagine3.jpg

    Test UrlMon (MBAE)

    Immagine4.jpg
     
  2. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
  3. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    This latest version of MBAE can be used with EMET.
    With the limits exposed.
     
  4. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137
    In my PC, MBAE can't detect anything from HMP test tool

    Tested in Win7 32bit
     
  5. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Forgive me if this has been asked before, but are there any current compatibility issues with Sandboxie?
     
  6. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    If you've not added protection manually, then that's still a thing that you should do.
    MBAE does not recognise the HMP Test Tool off the shelf for obvious reasons (No, not because it's written by a competitor)
    Furthermore, a test tool itself is not telling the entire story.
     
  7. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    I installed 1.06 and don't see anything in the log like I did in 1.05
     
  8. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    Entries in the Logs tab have been replaced with the traybar balloon notifications, which can be turned off from Settings tab. There was some feedback that after running MBAE for weeks/months the Logs tab became un-usable with hundreds or thousands of similar entries. Looking for an exploit attempt became a problem in such cases.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    There are no compatibility problems. But as you may already know, MBAE can not protect apps running inside the sandbox. At least not on Win 8.
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  12. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
  13. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I had recently made some fresh vms to test some stuff in sbie so I decided to revisit the SBIE & MBAE issues.

    I've prob said some of this before but I'll report my findings anyway.

    Used Sandboxie 4.17.2 beta and MBAE 1.06.1.1018 in all machines.
    Test apps I tried to use were Notepad and Internet Explorer.

    Windows 7 32
    Added the released MBAE template to the sandboxie.ini and ensured it was enabled.

    Code:
    [Template_MBAE]
    
    Tmpl.Title=Malwarebytes Anti-Exploit
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
    
    According to procmon, the mbae-svc doesn't even attempt to inject the mbae.dll when the program is sandboxed.

    Sandboxie has an advanced option allowing you to inject specific dlls so I added a line to the test box
    InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
    Surprisingly this worked and MBAE then reported it was guarding it! Process Explorer showed the dll loaded and active. Sandboxie's resource access monitor also showed the expected communication.

    There are a few quirks to adding this line though and I can't be sure others won't spring up as well.
    When I select 'Stop Protection' in MBAE and then load the app sandboxed it injects the dll as it should but then MBAE claims that 'cmd' is now protected and it seems to be communicating even though it's disabled? What rules is it enforcing?! I was really missing the logs right about then....

    It also randomly says it's protecting cmd.exe when protection is enabled...but that's not often.

    For anyone who wants to try this the command must be added to the sandboxie.ini directly ~ just like the template. You can add it per box or as a globalsetting. Just add it to the end of either one. Examples:

    Global
    Code:
    [GlobalSettings]
    
    Template=MBAE
    Template=OfficeLicensing
    InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
    
    [DefaultBox]
    
    per box, in this case I was using the DefaultBox
    Code:
    
    [GlobalSettings]
    
    Template=MBAE
    Template=OfficeLicensing
    
    [DefaultBox]
    
    ConfigLevel=7
    AutoRecover=y
    Template=WindowsFontCache
    Template=BlockPorts
    Template=LingerPrograms
    Template=Chrome_Phishing_DirectAccess
    Template=Firefox_Phishing_DirectAccess
    Template=AutoRecoverIgnore
    RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
    RecoverFolder=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%
    BorderColor=#00FFFF,ttl
    Enabled=y
    AutoDelete=y
    NeverDelete=n
    ForceProcess=notepad.exe
    InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
    
    [UserSettings_4BC00582]
    
    In my tests MBAE ignored those apps not added to its list so I don't foresee any issues adding it globally for the sandboxes but look for any 'new issues' just in case.


    I then tested this on Windows 7 x64 using the 64 bit dll injection instead as MBAE seems to handle the 32 apps fine by itself on this OS.
    InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
    Amazingly it worked!



    I then tested this on Windows XP SP3 and surprisingly it did NOT work. The dll was injected, the resource access monitor shows some communication but it stops and is never protected by MBAE.



    I didn't test Windows 8.1 but I think I remember people having issues with both 32 and 64 bit injection there so (if that's correct) you can add both.

    InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
    InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll

    It won't help with XP but at least Win7 (maybe Vista and 8.1?) users should be able to use them together without manually toggling the MBAE protection now.

    I could use a few people to try this on their systems and provide feedback!

    I'll likely test this more myself and as long as it doesn't end up hitting a brick wall I'll make another detailed guide (better formatted as well!) for the template and include these. I wonder if they could just be appended to the template, hmm, back to the VM!

    Update:
    Seems to work so instead of doing what I said above just replace the template with the one below.

    Code:
    [Template_MBAE]
    
    Tmpl.Title=Malwarebytes Anti-Exploit
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
    InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
    InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
    InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
    
     
    Last edited: Apr 21, 2015
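Added example, not part of syrinx's post and not code from Sandboxie or MBAE: a Python check over Sandboxie.ini text for the template settings discussed in the post above (the IPC path, the two InjectDll lines and which boxes pick the template up). The sample file, the rule that a box is any section with `Enabled=`, and the policy that injected DLLs must sit under Program Files are assumptions made for illustration.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the post's layout; the InjectDll64 path is deliberately bad.
SAMPLE_INI = r"""
[GlobalSettings]
Template=MBAE
[Template_MBAE]
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Users\Public\mbae64.dll
[DefaultBox]
Enabled=y
"""
# Assumed policy: a DLL loaded into every sandboxed process must not be user-writable.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

def parse_ini(text):
    """Sandboxie.ini repeats keys (Template=, OpenIpcPath=), so keep every value."""
    sections, current = defaultdict(lambda: defaultdict(list)), None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
        elif current and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()].append(value.strip())
    return sections

def audit_mbae(text, template="MBAE"):
    ini = parse_ini(text)
    tmpl = ini.get("Template_" + template, {})
    findings = [] if tmpl else ["missing [Template_%s]" % template]
    if not any("MBAE_IPC_PROTECTION" in p for p in tmpl.get("OpenIpcPath", [])):
        findings.append("no OpenIpcPath for MBAE_IPC_PROTECTION")
    for key, dll in (("InjectDll", "mbae.dll"), ("InjectDll64", "mbae64.dll")):
        paths = tmpl.get(key, [])
        if not paths:
            findings.append(key + " not set in template")
        for path in paths:
            if not path.lower().startswith(TRUSTED_ROOTS):
                findings.append("%s outside Program Files: %s" % (key, path))
            if not path.lower().endswith("\\" + dll):  # 32/64-bit mix-up
                findings.append("%s does not point at %s: %s" % (key, dll, path))
    # Assumption: a box is any section with Enabled=; GlobalSettings templates reach all boxes.
    everywhere = template in ini.get("GlobalSettings", {}).get("Template", [])
    boxes = sorted(name for name, keys in ini.items()
                   if "Enabled" in keys and (everywhere or template in keys.get("Template", [])))
    return {"findings": findings, "boxes": boxes}

if __name__ == "__main__":
    print(audit_mbae(SAMPLE_INI))
```

The functions take the file's text, so reading and decoding the real Sandboxie.ini is left to the caller.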
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Very nice syrinx!

    I will update the FAQ guidance while others are able to test it and provide feedback!
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    @syrinx
    Thanks a lot!
    Added those three lines to the template and it really works!
    No more stop/start MBAE protection for 64bit programs, well I was able to test Chrome only but I believe it'll work with any application.
    Tested on Win8.1.3 x64
     
    Last edited: Apr 21, 2015
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    @syrinx
    Good Work !!! :thumb:

    Disappointed that it does not work with XP.:(
    Is it possible to find a remedy?
    :)
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    @syrinx
    I have MPC-HC64 configured in its own dedicated sandbox but not protected by MBAE. When I launch the program MBAE doesn't log anything, it doesn't say now is protecting such program.
    Then for testing, I created a new shield in MBAE and when running MPC-HC64 MBAE notifies its protection, as expected. So I think MBAE is not doing anything to unlisted/unshielded programs even though procexp is showing mbae64.dll injection.
    Perhaps we need pbust's feedback on this matter no?
     
  18. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Yeah we may need to see what his tests show (or others) cause it's baffling me. Perhaps yours is working more like what I saw in the Windows 7 32 bit machine since you're on 8.1? I took a break from it for now cause I wasn't making any headway figuring it out.
     
  19. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    While trying to figure out why MBAE would not work on XP with the template in place I came across something rather odd in procmon.
    It seems that on XP Sandboxie is mounting the registry at HKLM\System\CurrentControlSet\Control\hivelist\\REGISTRY\USER\Sandbox_%user%_%sandbox%
    Code:
    NOTEPAD.EXE  3600  RegSetValue  HKLM\System\CurrentControlSet\Control\hivelist\\REGISTRY\USER\Sandbox_Admin_DefaultBox  SUCCESS
    
    That seems a bit dangerous to me, but I won't pretend to be an expert...also the double \\ after hivelist IS NOT a mistake, that's how it showed up!

    In windows 7 it's using a much more reasonable HKU\Sandbox_%user%_%sandbox%
    Code:
    notepad.exe  2408  RegSetValue  HKU\SANDBOX_ADMINISTRATOR_DEFAULTBOX\user\current\software\classes\SymbolicLinkValue  SUCCESS
    
    To find these examples I just did a search for RegSet after I first noticed it to see what the first one each sandbox mounted (I assume that's what that regset is; perhaps I should ask the almighty google?) was and used those.
    I also noticed that there were a lot of BAD IMPERSONATION results on XP with 0 on Windows 7.
    Does anyone have an idea why they are different or what the potential issues might be? It seems to my uneducated mind that the HKLM\System\CurrentControlSet\Control\ section would be more restrictive and perhaps be the cause of another issue I saw before in a sbie deletion thread when testing runas on XP along with the MBAE template not working here w SBIE (but I am by no means certain of either yet).
    I do see the BAD IMPERSONATION errors on XP w sandboxie and no MBAE as well so it doesn't seem likely but I found both differences pretty darn weird and am hoping someone who understands this stuff better than I might be able to shed some light on it.


    Update:
    All right so it looks like that was just setting the path for the sandbox as the actual string is: \Device\HarddiskVolume1\Sandbox\Admin\DefaultBox\RegHive being created/set in the HKLM\System\CurrentControlSet\Control\hivelist
    Weird that I can't see that happening in the W7 procmon logs but somehow the key shows up similarly there. So nothing to see here. From what I can tell that Bad Impersonation thing simply amounts to an app trying to access something it doesn't have the rights to. eg when it asks for Maximum Allowed this shows up a lot. Nothing to see on this reply after all, move along :p
     
    Last edited: Apr 22, 2015
  20. Nitty Kutchie

    Nitty Kutchie Registered Member

    Joined:
    Apr 10, 2015
    Posts:
    160
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    Thank you.
    Changelog is of version .1018 at the website. I copied changelog of version .1019 from the installer program:
    Malwarebytes Anti-Exploit 1.06.1.1019

    New Features:
    • Added new Layer3 mitigations for IE, Java and Office.
    • Added default protection for more popular browsers.
    • Added Chromium-based browser application family.
    • Added new alert window with exploit details.
    • Added protection traybar tooltip notification.
    • Added advanced configuration of mitigations per family.
    • Added configuration for general settings.
    • Added browse button when adding custom shields.
    • Added new mechanism to reduce known false positives.
    • Added anonymous submission of blocked exploits.
    • Added confirmation window for file-format exploit submissions.
    • Added Premium notifications in Free/Trial builds.
    • Added support for Windows 10.

    Improvements:
    • Improved upgrade process to maintain existing custom shields.
    • Improved visibility in GUI of Management Console exclusions.
    • Improved error and crash reporting.
    • Improved missing GUI notification for guest user accounts.
    • Improved managed installation to avoid Start Menu folder creation.
    • Improved settings tab by removing the need for Apply button.

    Fixes:
    • Fixed false positive with Word or Excel under certain conditions.
    • Fixed false positive with LoadLibrary exploit mitigation.
    • Fixed false positive with web-based Java applications.
    • Fixed bug with timestamp conversions.
    • Fixed bug which could cause protection to stop during startup.
    • Fixed bug whereby LUA could start/stop protection.
    • Fixed bug when trying to activate invalid license.
    • Fixed user interface bug in settings tab.
     
  22. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I guess the real changelog for v1019 should be this:

    • Added support for Windows 10.
    • Improved settings tab by removing the need for Apply button.
    • Fixed bug when trying to activate invalid license.
    • Fixed user interface bug in settings tab.
     
  23. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I've looked through several more instances and tried various workarounds for clues but I'm afraid it's time for me to give up on getting the template to work with XP. As far as I can tell there is nothing being blocked from within sandboxie. Now that the template injects the mbae.dll 'manually' it should be working. It does get injected, it starts trying to communicate with the service but the mbae-svc.exe never reacts or responds to it. This could mean that sandboxie is doing something unintended on this particular OS and it's getting lost along the way or it could be a quirk in MBAE itself. Regardless of why, it just isn't able to create an MBAE_IPC_PROTECTION channel with the service and the dll eventually gives up and unloads itself.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
  25. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427