Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Cutting_Edgetech I use a program called Driver Signature Enforcement Overrider (dseo13b.exe) from http://www.ngohq.com/?page=dseo to sign the .sys files quickly and go into testsigning mode. It's a portable app too.

    I think you will like current state of MZWriteScanner now, working wonders so far.

    Can you test MemProtect driver? That is one that I am personally not as knowledgeable about since I've never put much thought into that aspect yet.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Supported OSes
    * Windows Vista 32-bit
    * Windows Vista 64-bit
    * Windows Server 2008 32-bit
    * Windows Server 2008 64-bit
    * Windows 7 32-bit
    * Windows 7 64-bit


    Guess I can't test it since that app doesn't include Windows 8. Really hope Florian gets around to signing at least the final versions of these.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I am using that driver signing program (dseo13b.exe) on Windows 10 and works well. I believe they just haven't updated it (or supported OS text on site) for a while now. But I'm certain it will work on 8.x as well.

    All final/public releases will be signed.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Yes, I installed that application recently on my test machine. I have not tried using it yet though. I don't have a DVI cable for the monitor I'm using on my test machine right now. I loaned the one I had to my parents. I hope I have time to go buy a new one tomorrow. I've been wanting to for over a week now, but just have not had the time.

    I know what the memory protection should be able to do in theory, but I will have to get creative in order to test that it is working. I don't have the right malware samples for doing that. I will try to think of another way. I don't think the type of exploit test tools used to test applications like HitmanPro Alert are designed to test the type of memory protection being developed by Florian.
     
    Last edited: Aug 13, 2015
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Cutting_Edgetech I am not entirely sure how to test MemProtect driver personally since I am not very familiar with injecting DLLs and so on. I suppose maybe one method to try could be using Process Hacker to try and inject a DLL. Not my area of expertise, that's for sure.

    Anyway, on my test VM, I am running Bouncer, MZWriteScanner and MemProtect and they seem to be running extremely well and efficiently together. Each one seems to fill in any possible gaps that the other may have, so quite a tight solution when combined. I suppose a user could also add the CommandLineScanner driver as well for even tighter security. This is all within the kernel, so quite impressive. I suppose any one of these drivers might be fine just on their own as well. I'm using EMET as well in this test setup. The one catching my interest the most at the moment is MZWriteScanner because I see a lot of potential there with a creative configuration, it could do wonders. I just don't understand MemProtect enough at the moment though.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I have not used the latest mzwritescanner in-house beta yet, but I do have it. I'm not sure I fully understand the description of how it works. I will go back and read it again. I may have some questions about it. My main interest at the moment is Bouncer with its memory protection, and the commandlinescanner. I want to see them combined in the kernel. I think the combination of those 3 will stop most exploits from being able to do any harm. I will look around the next few days to see if I can find the tools I need, and also some exploits. Finding the right exploits will be difficult I think. I have not been doing any malware testing for quite some time, and I have fallen out of the loop. I used to have a list of sources I used, but the list was small. I only did testing with actual malware maybe once out of every 2 months. I do remember having a hard time finding exploits. They were harder to get than the cryptomalware.

    I went to Walmart today to get a DVI cable for my monitor so I could start using my test machine again, and they did not have any. The closest store in this area that I know has DVI cables is 2 hours away so I will have to order one online. ~ Removed off Topic Remarks ~ Luckily I use a PO Box at the Post Office for my mail, or the mailman may never find my physical address with my DVI cable LOL
     
    Last edited by a moderator: Aug 15, 2015
  7. hjlbx

    hjlbx Guest

    @Cutting_Edgetech

    ~ Removed off Topic Remarks ~

    Anyhow, I think perhaps the command line scanner might be nothing more than a parser... but, then again, it could be a whole lot more.
     
    Last edited by a moderator: Aug 15, 2015
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I'm not a developer so I don't understand the command line scanner kernel driver from a technical perspective very well, but I dug up a bit of info from the latest readme file for it.
    If any of us wanted a more technical explanation of how it works under the hood, I'm sure that the developer would be happy to answer in more detail.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Cutting_Edgetech MZWriteScanner essentially tracks any executables that are written to disk, obtains their SHA256 hash and keeps a log within the kernel, and when/if the user tries to run that executable it will be blocked based on SHA256 hash. So think of MZWriteScanner as giving extra protection to User profile directories, for example, or Windows\Temp and so on. You can also whitelist and blacklist based on directories and SHA256 hash as well. MZWriteScanner in particular can create a really secure environment while browsing and can be used for malware analysis, determining drive-by-download sites and so on. You could use it just when browsing or all the time.

    Once it goes public, it's just a matter of time for someone with a creative mind like @Windows_Security or others to use that as one piece of the puzzle in a multi-layer setup. MZWriteScanner intends to stay free as far as I know right now.
     
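    A user-mode model of the MZWriteScanner behaviour described in the post above, added here as an illustration; it is not the driver's code. The sample files, the class and function names, and the assumption that the [BLACKLIST] paths select which locations are monitored (which is what the external-drive discussion later in the thread suggests) are all constructed.

```python
import fnmatch
import hashlib

# Constructed sample files (path -> bytes). Contents beginning with "MZ" stand
# in for PE executables; they are fake and only need a recognisable header.
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\setup.exe": b"MZ" + b"\x90" * 62 + b"PE\x00\x00",
    r"C:\Users\alice\Downloads\notes.txt": b"just a text file",
    r"E:\dropped.exe": b"MZ" + bytes(range(64)),
    r"C:\Windows\System32\notepad.exe": b"MZ" + b"\x00" * 64,
}


class MZWriteScannerModel:
    """Hash every executable written under a monitored location and block its
    later execution by SHA-256. Assumption: the [BLACKLIST] patterns are the
    monitored locations; [LETHAL] decides between blocking and logging only."""

    def __init__(self, blacklist, whitelist_paths=(), whitelist_hashes=(),
                 lethal=True):
        self.blacklist = [p.lower() for p in blacklist]
        self.whitelist_paths = [p.lower() for p in whitelist_paths]
        self.whitelist_hashes = set(h.lower() for h in whitelist_hashes)
        self.lethal = lethal          # [LETHAL]: block rather than only log
        self.written = {}             # the in-kernel log: sha256 -> path
        self.tray = "green"           # t_green / t_red tray icon state

    @staticmethod
    def is_executable(data):
        # A DOS/PE image starts with the "MZ" magic regardless of extension.
        return data[:2] == b"MZ"

    @staticmethod
    def _matches(path, patterns):
        return any(fnmatch.fnmatchcase(path.lower(), p) for p in patterns)

    def on_write(self, path, data):
        """Write event: returns the logged digest, or None if not tracked."""
        if not self.is_executable(data):
            return None
        if not self._matches(path, self.blacklist):
            return None               # e.g. no E:\* rule -> external drive ignored
        digest = hashlib.sha256(data).hexdigest()
        self.written[digest] = path
        self.tray = "red"
        return digest

    def on_execute(self, path, data):
        """Execute event: 'allow', 'block' or 'log-only' (non-lethal mode)."""
        digest = hashlib.sha256(data).hexdigest()
        if self._matches(path, self.whitelist_paths) or digest in self.whitelist_hashes:
            return "allow"
        if digest in self.written:
            return "block" if self.lethal else "log-only"
        return "allow"


def demo():
    """Replays the thread's scenario: a download into the user profile is
    hashed and blocked, while the same kind of file dropped on drive E: is
    missed because E:\\* is not in the blacklist."""
    scanner = MZWriteScannerModel(blacklist=[r"C:\Users\*", r"D:\*"])
    results = {}
    for path, data in SAMPLE_FILES.items():
        scanner.on_write(path, data)
        results[path] = scanner.on_execute(path, data)
    results["tray"] = scanner.tray
    return results
```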
  10. hjlbx

    hjlbx Guest

    From the description of the scanner, it parses the command line code and identifies the executable... that is what a command line parser does... it analyzes the code sent to the CLI. That's how it works in NVT ERP, VS, etc.
     
  11. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    @hjlbx

    No, it is not just a parser. The description says:

    "CommandLineScanner is also able to block executables by their filename or command line parameters using a classic white- and blacklist approach. With appropriate rules you are able to fully control applications and the command line options they are started with."

    You can do a lot more than just parsing the command line and its executable calling it with the command line. It is a very handy and powerful tool. It is a great tool to analyze malware actions. I have used it to track down what a specific threat is executing. A lot of malware threats currently use cmd.exe and/or powershell/vbscript for its actions, so it can be very helpful to see what and who is calling something. Florian said he is successfully using lots of his drivers in a malware analysis framework that detects or generates early warnings for (new) malware campaigns. I think this is where his drivers can be very useful.
     
    Last edited: Aug 15, 2015
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I just downloaded an executable to an external drive. Mzwritescanner recorded it in the log, but the shield did not change to red. Is that expected behavior?
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Ensure that [LETHAL] is set and also [SHA256]. Try placing the external drive letters in the blacklist section like this:

    Code:
    [BLACKLIST]
    C:\Users\*
    D:\*
    E:\*
    F:\*
    Restart the driver and see if that makes the difference. The system tray icon should change to red with the executable written to disk and then when you go to execute that file it should be blocked.

    EDIT: Just realized this now, icon files t_green and t_red accidentally contain an underscore after the file name (e.g. t_green_.ico). Remove the underscore after the color; that is a mistake in that package and would result in the tray icon not showing properly.
     
    Last edited: Aug 15, 2015
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Indeed, he developed these drivers initially for use within his own malware analysis framework. The drivers are now being used by other security researchers and also for education purposes through US CERT. These drivers were never really intended for consumer use as they are quite powerful, but many of us enthusiasts have shown interest and therefore got Florian considering consumer use a bit more these days.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I'm not using the latest internal release of mzwritescanner on this machine so there is no SHA256. I'm just waiting for my DVI cable to come in from Newegg for my beta test machine right now. I hope building a whitelist is not really time consuming.
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I have some SHA256 hashing scripts that I am happy to share with you if/when you would like. It takes about 5 minutes to hash the entire system to create an initial hash list. But you can still use path rules, if you wish, and MZWriteScanner will still SHA256 hash any new executables written to disk to block execution.

    The new MemProtect driver (with protected processes feature) is proving to be interesting. Even Process Explorer's own low level kernel driver is unable to manipulate or access certain info for these protected processes. I am still learning and trying to understand more about how to configure MemProtect though.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I will let you know when my test machine is ready. I keep giving away, and loaning out my hardware to family (computers, peripherals, etc.). I'm also very limited on space so testing has proven difficult lately.
     
  18. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    MemProtect works also nice on my system: Windows 8.1, x86, fully patched. I just use MS Defender and Tuersteher (sometimes EMET, too), no interferences until now.

    First configuration was a bit confusing to me, but now everything is stunning. I tried some dll injectors - all of them failed to inject dlls into protected processes.

    Next steps: direct code injection (I expect it to fail too, because dll injection and code injection are at the same level to my understanding). Maybe I will try some Flash or Adobe-Reader exploits on a VM with metasploit, just to see if MemProtect catches them. If you follow Florian's recommendation to blacklist a browser and adobe reader from injecting code into other processes I guess this will do a very good job for most in-memory attacks (but it is just a guess, time will show).

    Some quick questions on the sha256 thing (Bouncer/Tuersteher BETA):

    Have you guys encountered some performance issues with the sha256 and parent checking on?

    Could you name tools to generate the values?

    Do you hash all files or do you distinguish between executables and non-executables (MZ/PE-header files)? Any tools you recommend?

    Well, I guess hashing costs too much time & space. I would only hash portable executables on ext. FAT/CDFS drives that are not protected by NTFS access rights. What are your experiences? What would you suggest?

    Why does he use sha256? Most impl. I see use just MD5/SHA1 (okay, maybe MD5 is weak, but why not SHA-1? sha256 is slow and hash values need more space)

    What are the use cases for parent checking? I do not see the BIG advantage in the new option. Maybe some examples will help to understand what this feature is good for. Let's say Florian's example on blocking cmd.exe/vbscript.exe/powershell.exe from word.exe/firefox.exe/iexplore.exe etc. makes sense somehow, but what else and why?

    Thanks & Cheers.
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Yes, using SHA-256 is going to come with a certain performance hit, more of a hit compared to MD5 and so on. I don't believe that the parent process checking is affecting it though, I think it is specifically regarding the SHA-256 hashing.

    If you wanted to hash only individual files something like HashTab (http://implbits.com/products/hashtab/) is great. Or also HashMyFiles (http://www.nirsoft.net/utils/hash_my_files.html) for hashing a directory worth of files or so. Or for smarter hashing of an entire system, you can use scripts for free hashing programs such as OpenSSL or also Sigcheck (https://technet.microsoft.com/en-ca/sysinternals/bb897441.aspx) by Sysinternals. Sigcheck, in particular, has a flag (-e) to Scan executable images only (regardless of their extension).

    I believe Florian chose SHA-256 because it has not been broken. His priority is always strict security. For some users, giving away some security for performance is a fair trade off, while some users they would rather take the performance hit in favor of a more secure system. Personally, I am glad that we are able to make the choice whether or not to use these different features.

    I don't understand parent checking well enough to explain, but I do know that some users swear by it. Hopefully somebody else can explain this better so that we can all understand parent checking.
     
  20. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Thanks a lot. I will try these and give some feedback.

    Well, I will ask Florian. Maybe he has some good examples to share.
     
  21. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Generating of hash works fine. Takes some time but is awesome :)

    On parent checking: I asked the developer, now think I understood what it is good for. I try to explain:

    With parent checking you can block and stop most initial steps of malware (mitigate early infection steps). For example: a lot of Microsoft Office document (doc, xls, ppt) threats contain a malicious macro (script) that spawns a scripting host like wscript.exe, powershell or cmd.exe with a .bat/.cmd file. The scripting hosts then download and start up malware on the system (the developer said: in most cases they download an exe file into %temp%, then make it persistent in (registry-)autostart, then start this exe). With parent checking on you can avoid the initial step, and then there is for example no scripting host allowed to execute from Word, Excel or PowerPoint to download and run an exe, dll or sys. Maybe some users need to start them, but the developer said most users do not need such functionality, so you can blacklist -> block.

    Example from developer: stop winword.exe as parent from starting scripting host (*script.exe, *powershell*, *cmd.exe, *bitsadmin.exe, *schtasks.exe, *csc.exe, *vbc.exe, *msiexec.exe, *reg.exe, *regedit.exe), so you are able to limit impact of exploration from infected doc threats. Sounds meaningful I think.

    Another example: you can also ensure that browser exe (firefox.exe,iexplore.exe,chrome.exe) can't do the same for the exe from 1st example, to make sure a browser can't be used as vehicle for infections steps.

    Developer said: It will for sure not block all and everything, but nothing will be 100% - so it is okay.

    In addition to parent checking: white- and blacklist will also mitigate, because if you block exe/dll/sys from %temp% and other critical locations, it can't be started either - with or without parent checking. So parent checking is an add-on feature. I think parent checking is indeed a very powerful option we should have an eye on. It looks to be an additional protection level. Hopefully the final version will be released soon. If used together with the new excubits memory protection driver, the system is well secured (but you should still use Firewall and AV - e.g. Windows Firewall and Defender, I would not go for other major AV crapware, it slows down the system, strikes nerves with popups and stupid messages, and I do not trust what this major AV crap sends home for forensic issues).

    Ok then, if we find reliable rules we could share them here, so other users can maybe benefit from a solid set of rules from other forum users here.
     
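    The parent-checking rule from the developer's example in the post above, worked through as an added Python illustration; this is not the driver's code. The rule table, the wildcard semantics (patterns matched against the full lower-cased image path), the Office and browser parent names, and the sample process-creation events are constructed assumptions.

```python
import fnmatch

# Scripting hosts and other tools from the developer's example, as wildcard
# patterns matched against the full, lower-cased image path of the child.
SCRIPT_HOSTS = ["*script.exe", "*powershell*", "*cmd.exe", "*bitsadmin.exe",
                "*schtasks.exe", "*csc.exe", "*vbc.exe", "*msiexec.exe",
                "*reg.exe", "*regedit.exe"]

# Constructed rule table: parent pattern -> child patterns that parent may not
# start. The Office and browser entries follow the two examples in the post.
PARENT_RULES = {
    r"*\winword.exe": SCRIPT_HOSTS,
    r"*\excel.exe": SCRIPT_HOSTS,
    r"*\powerpnt.exe": SCRIPT_HOSTS,
    r"*\firefox.exe": SCRIPT_HOSTS,
    r"*\iexplore.exe": SCRIPT_HOSTS,
    r"*\chrome.exe": SCRIPT_HOSTS,
}


def _match(path, pattern):
    # fnmatch treats a backslash as a literal, so Windows paths work unchanged.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def parent_check(parent, child, rules=PARENT_RULES):
    """Decide one process-creation event. Returns ('block', parent_pattern,
    child_pattern) for the first matching rule, else ('allow', None, None)."""
    for parent_pat, blocked_children in rules.items():
        if not _match(parent, parent_pat):
            continue
        for child_pat in blocked_children:
            if _match(child, child_pat):
                return ("block", parent_pat, child_pat)
    return ("allow", None, None)


# Constructed process-creation events (parent image, child image), modelled on
# the macro -> scripting host chain described in the post.
EVENTS = [
    (r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     r"C:\Windows\System32\wscript.exe"),
    (r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r"C:\Windows\System32\cmd.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    (r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     r"C:\Windows\System32\spoolsv.exe"),
]


def evaluate(events, rules=PARENT_RULES):
    """Run every event through parent_check; returns the decisions in order."""
    return [parent_check(p, c, rules)[0] for p, c in events]
```

    The last event (Word starting a child outside the scripting-host list) is allowed, which shows the point made in the post: parent checking only covers the enumerated children, and path white-/blacklists for %temp% and similar locations cover the rest.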
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I think that is a great idea for users to share rules here, absolutely. Parent checking can be another excellent layer for security and can be very strong as long as the rules created are strong to begin with. But I think that, in order to create these type of rules, we often have to look at many examples of malware to understand the method of infection used, then we can create specific rules based on that. I guess we need to know specifically what we want to protect and how we want to limit the potential steps. I know that I personally have quite a bit to learn with regard to parent checking. But as we come up with some solid rules with solid understanding/purpose behind those rules, I think that this would be a great place to share rules to help others as a community.
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some users (myself included) have been wondering more about the parent process checking feature, what it can prevent and so on. The developer, Florian, has answered that question for us. I believe the answer likely went out to the internal testers already but I figured I would quote the answer for users here as well.

     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    The obvious questions for non-expert people like me are: are SOB and Bouncer alike? Are they competition to each other? If not alike, what's the difference?
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I believe that SOB follows Bouncer in a similar type of simplistic/efficient approach. I think that both SOB and Bouncer could be somewhat difficult for non-expert users. Any non-expert users that find both programs difficult to understand could always use tools such as VoodooShield, NVT ERP, etc.

    I would say that Andreas (developer of SOB, ERP, etc.) has more experience in the consumer market and has a good skill for making a nice GUI along with good usability. Bouncer (and related drivers) are more for security researchers (forensic analysis), educational purposes, kiosk systems and also for some of the hardcore security enthusiasts like many members here at Wilders.

    Both SOB and Bouncer run similar kernel-mode drivers. I don't think that SOB runs at system startup yet, although I assume that feature will come to SOB at some point and could also be done manually now anyway. I believe that Bouncer runs at a lower level and therefore seems to block execution before the other tools out there at the moment. But that does not mean anything negative as far as security goes with regard to other programs. SOB has much more customization for rules, environment variables and so on.

    Bouncer used to be one single kernel-mode driver, but now there are several components:
    • Bouncer (with path-based, SHA-256 hash-based, parent process, wildcards, etc.)
    • CommandLineScanner (filtering of command lines, interpreters like Powershell, Python, Java, etc.)
    • MZWriteScanner (monitors all executables written to disk, hashes and blocks based on SHA-256)
    • MemProtect (prevents .DLL injection, prevent communication between processes, configure any process as Microsoft Protected Processes)
    Any of these are sufficient on their own, yet could be configured to be a killer combination of any sort. The sky is kind of the limit and would really be based on one's own knowledge and creativity. At the moment, they are four separate kernel-mode drivers. But it is possible at some point in the future that some of that functionality could be combined, I just don't know. I don't know what makes sense from a development point of view as far as maintaining them goes, whether separate is better or combined, not sure. But I do hope that at some point soon the drivers will be able to all be configured within the same Admin Tool used for Bouncer.

    Hopefully that explained things a bit better. I am not always good at explaining things.
     