Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Why would you want to use two programs which provide similar protection?

    As an example: do you think that the EAF of HPMA3 is really different from the EAF protection in EMET?
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    I agree, it might be very counterproductive.
     
  3. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Did you read my question? That's why I asked whether disabling the redundant (similar) mitigations would help improve the compatibility between the two.
     
  4. Yes I did read your question. I did not intend to ridicule your question. It is like using two anti-keyloggers, two HIPS or two AVs: it will always increase the chance of programs biting into each other's tail.

    MBAE free works with EMET, because both MBAE and EMET only inject their DLL into the programs they protect. So when you mutually exclude them, there is a fair chance of preventing incompatibility problems. HPMA injects a DLL into every process, therefore it will always cause some interference with similar programs, because they are looking (and hooking) at the same internal mechanisms.
     
    Last edited by a moderator: Mar 23, 2015
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Are you sure HMPA injects into every process? The last time I checked with Process Explorer I could have sworn I found that HMPA was injecting into many processes, but not all of them. Do you mean HMPA injects into every newly spawned process, or all of the processes running on one's machine? I can check this again the next time I beta test another build. I ran into a huge conflict with HMPA and Online Armor when testing build 166, so I decided to hold off on testing for a while since the developer never responded to my post. I think it was build 166 anyway. Online Armor injects into almost every process, so there is a greater chance of conflict between OA and HMPA than with some other security products.
     
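Since the question above is how to verify which running processes actually have a product's DLL loaded, here is an added PowerShell check (not from the thread, and not any vendor's tooling); the DLL name is a placeholder to replace with the module name seen in Process Explorer.

```powershell
# Added example: classify running processes by whether a given DLL is loaded.
# Caveats this script handles explicitly:
#  - Protected or higher-integrity processes cannot be opened, so their
#    module list is unknown; they are reported as "unreadable", not "not injected".
#  - A 64-bit PowerShell only sees the 64-bit modules of a 32-bit (WOW64)
#    process, and a 32-bit PowerShell cannot read 64-bit processes at all.
#    Run from an elevated PowerShell of the same bitness as the processes you care about.
param(
    [string]$ModuleName = 'example_hook.dll'   # placeholder, not a real product DLL name
)

$loaded     = @()
$notFound   = @()
$unreadable = @()

foreach ($p in Get-Process) {
    try {
        # -Module enumerates loaded modules; -ErrorAction Stop turns the
        # non-terminating "access denied" / bitness errors into catchable ones.
        $mods = Get-Process -Id $p.Id -Module -ErrorAction Stop |
                ForEach-Object { $_.ModuleName }
        if ($mods -contains $ModuleName) { $loaded += $p } else { $notFound += $p }
    } catch {
        $unreadable += $p
    }
}

"Processes with $ModuleName loaded: $($loaded.Count)"
$loaded     | Select-Object Id, ProcessName | Format-Table -AutoSize
"Processes without it: $($notFound.Count)"
$notFound   | Select-Object Id, ProcessName | Format-Table -AutoSize
"Processes whose module list could not be read: $($unreadable.Count)"
$unreadable | Select-Object Id, ProcessName | Format-Table -AutoSize
```

Comparing the three lists before and after starting a new program answers the "every process versus every newly spawned process" question directly, since a newly launched process will move between lists.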
  6. You can find the answer in the HPMA thread, post #4112, let's keep this a MBAE thread.
     
  7. 142395

    142395 Guest

    Has anyone read This blog yet? (same guy as Sampei's link)
    MBAE being bypassed is not my concern. My concern is here.
    Definitely it's not a good sign. I remember when HMPA appeared, Pedro said having many features is good but what is important is its logic. This will apply to MBAE itself. Having behavior protection is good, but if its memory protection is not built on solid logic, it spoils the value of the overall product.

    I hope to hear Pedro's reply about this.
     
    Last edited by a moderator: Mar 24, 2015
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,841
    Location:
    the Netherlands
    I'm sorry, I could not find that quote at EFF.org as you suggested.
    But I could find it at casual-scrutiny.
     
  9. 142395

    142395 Guest

    Whoops, I wrongly pasted a different link. Corrected.
     
  10. 142395

    142395 Guest

    Yup, the blog was interesting and showed me another way to bypass SP other than unpivoting before critical function.
    But what I cared about is the copy-and-pasting of the ROP guard's code. Not about the legal issue, but without proper adjustment, according to the author.

    BTW, fewer gadgets will be better if they have the same expressive power, but even when it is quite long, provided those gadgets can most probably be found in a common library, it's not much of a matter I think, is it?
     
  11. Yep, leaving a useless 16-bit check in the code, allowing for a condition-drop-through error. Would be nice if someone from MBAE responded to this.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That was my biggest take-away from that article as well. I read it the other day and it was interesting. But the copy-paste concerned me. I know that the MBAE team has some very talented developers. So it would be interesting to hear more on this.
     
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Very interesting.
    Good Luck
    .:thumb:
     
  14. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137
    Some posts of regenpijb have been removed :'( !!!!

    Waiting for an explanation :-*
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    It looks like he left the board :doubt:
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Oops... I thought I was in the HMPA thread. I must have had too many tabs open in my browser, and accidentally posted in the wrong thread. Thanks for letting me know!
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    The blog post refers to a way to disable MBAE due to some limitations of the hooking framework. That has since been fixed.

    Btw we didn't copy the ROP code from ROPGuard. This is absolutely not true. Our code is based on the Intel documentation. It is interesting that being a good researcher capable of finding the bypass he would make such an error in judgement about the ROP code.
     
  18. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    It is present in the latest stable (v1.05.1.1016)
    Btw, why use a disarm when two ROP gadgets are enough for a bypass?
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Is this your new account regenpijb?

    Yes you are correct, the disarm was fixed with 1.06. As for your PoC, eagerly waiting to check it out. Sounds promising.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    Thank you for improving your magnificent program...
     
  21. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    New clean start, has its reasons.
    Less 'random' stuff, more substantiated stuff this time.

    EMET 5.2 is also possible using 2 gadgets.
     
  22. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Using MBAE 1.06.1.102 on Windows 7 Professional SP1 x64. Twice now I have noticed that when I check the Advanced Settings, nothing was checked in the four tabs (all boxes were unchecked). I clicked Restore Defaults and it re-enabled them, but I am wondering why/how they became disabled. The tray icon was showing that protection was active.
     
  23. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,982
    Also here (MBAE 1.06.1.1012 on Windows 8.1U3 Pro x32).
     
  24. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,157
    Location:
    Canada
    Same thing happened to me a few days ago. I posted this on the MBAE forum and sent them some logs; Pedro replied that he thinks he found the problem, so I'm sure this will be corrected asap.
     
  25. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Okay, thanks d.c.
     