MemProtect - Support & Discussion

Discussion in 'other anti-malware software' started by WildByDesign, Aug 21, 2016.

  1. guest

    guest Guest

    At your service ;)

    Let's see if MemProtect really works.
    a) We will prevent Chrome from opening any application (except its own executable)
    After downloading a picture and clicking it in Chrome, launching of the picture viewer is prevented and the tray-icon of MemProtect (if running) should change its color and the event can be seen in the logfile (C:\Windows\Memprotect.log)
    Code:
    [WHITELIST]
    !C:\Users\*\AppData\Local\Google\Chrome\*>C:\Users\*\AppData\Local\Google\Chrome\Application\chrome.exe
    [BLACKLIST]
    C:\Users\*\AppData\Local\Google\Chrome\*>*
    
    Log:
    2018/03/10_17:09 > MEMORY > C:\Users\XXX\AppData\Local\Google\Chrome\Application\chrome.exe > C:\Program Files\IrfanView\i_view64.exe
    
    In Processhacker we can see that the process (i_view64.exe) is in a suspended state (grey color) and cannot start:
    MemProtect_chrome_launching_prevented.png

    b) We can deny the access to the memory of applications.
    In this example Processhacker isn't allowed to access the memory of "Notepad2.exe":
    Code:
    [BLACKLIST]
    c:\Program Files\Process Hacker\ProcessHacker.exe>c:\Program Files\Notepad2\Notepad2.exe
    
    Log:
    2018/03/10_17:57 > MEMORY > C:\Program Files\Process Hacker\ProcessHacker.exe > C:\Program Files\Notepad2\Notepad2.exe
    
    Reading of the memory is now denied:
    Processhacker_read-memory.png
    Querying of module information is also denied:
    Processhacker_list_modules.png
    Processhacker_list_modules_2.png

    c) Blacklisting of modules
We prevent the file manager "Total Commander" from loading the 7-Zip module:
    Code:
    [MODULEBLACKLIST]
    *\TOTALCMD64.EXE>c:\Program Files\7-Zip\7-zip*.dll
    
    Log:
    2018/03/10_18:24 > MODULE > C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\Program Files\7-Zip\7-zip.dll
    
    Before:
    Processhacker_injected.png
    After blocking it (and relaunching of the filemanager) the file isn't loaded anymore ("7-Zip" in the rightclick menu is also gone):
    Processhacker_not_injected.png
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hey Mood

Many thanks. Now I just have to digest what you did and translate it to other processes. I don't use Chrome.
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I am trying out demo version.
    I want to keep Chrome and MS Office 2016 out of mischief.
    I am on Windows 10.
    Two questions:
1. How do I set MemProtect and the tray icon to autostart with Windows?
2. Is this config good for what I want?
    If yes, I will remove the pound sign from LETHAL...

    [#LETHAL]
    [LOGGING]
    [#INSTALLMODE]
    [DEFAULTALLOW]
    [#MODULEFILTER]
    [WHITELIST]
    C:\*\Chrome\*>C:\*\Chrome\*
    C:\*\Office??\*>C:\*\Office??\*
    [BLACKLIST]
    C:\*\Chrome\*>*
    C:\*\Office??\*>*
    [MODULEWHITELIST]
    [MODULEBLACKLIST]
    [EOF]
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    To get the tray stuff to start automatically I create a shortcut to the tray.exe in the memprotect folder. Then put the shortcut in your windows start folder.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks. Did it.

    I have a problem with Chrome, it seems to need more permissions. It doesn't start up all the way, as I configured it. Any ideas?

    And what is the admin tool? Can't find an explanation in the PDF. When I click on it, nothing happens.
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I put ! in front of the whitelist entries, and now chrome works.
    I don't understand what ! means, but if it works, it works...
    Okay, I get it now. ! means a priority rule, so it overrides the blacklist.
     
  7. guest

    guest Guest

It cannot be started on its own, it will be launched by Tray.exe:
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks guys for all your help. I am up and running now.
     
  9. guest

    guest Guest

To override a blacklist rule, "!" must be put in front of a whitelist rule, otherwise this whitelist rule has no effect.
    If you want to override a priority whitelist rule, you can create a priority blacklist rule.

    Priority (1=Highest)
    1. Priority Blacklist rule
    2. Priority Whitelist rule
    3. Blacklist rule
    4. Whitelist rule
    And to "silence" certain blacklist rules (if you don't want to see logged events for a rule), "$" can be put in front of the rule.
    Or if you want to silence a certain logged event, create a rule for it and put it to the front of the blacklist.
    Code:
    Logfile:
    C:\Program Files\Mozilla Firefox\firefox.exe > C:\Windows\explorer.exe
    
    Created silence rule to get rid of the logged event above (it has to be put above other similar blacklist rules):
    [BLACKLIST]
    $C:\Program Files\Mozilla Firefox\firefox.exe>C:\Windows\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe>*
    
    = Now the "...\firefox.exe>C:\Windows\explorer.exe" event is not logged anymore.
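As an added illustration (not MemProtect's own code, and not posted by anyone in this thread), a small Python model of the precedence and silencing described in this post, together with the "!" fix from post 6. The config is constructed from the examples above; treating "nothing matched" as allowed (like [DEFAULTALLOW]) is an assumption.

```python
import fnmatch

# Illustrative re-implementation (not MemProtect's code) of the thread's rule semantics.
SECTIONS = {"MEMORY": ("WHITELIST", "BLACKLIST"),
            "MODULE": ("MODULEWHITELIST", "MODULEBLACKLIST")}
# Constructed sample config: the '!' whitelist from post 6 plus the '$' rule from post 9.
SAMPLE_CONFIG = r"""[WHITELIST]
!C:\*\Chrome\*>C:\*\Chrome\*
[BLACKLIST]
$C:\Program Files\Mozilla Firefox\firefox.exe>C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe>*
C:\*\Chrome\*>*
[MODULEBLACKLIST]
*rundll32.exe>*System.Management.Automation*.dll
"""

def parse_rules(config_text):
    """Parse list sections into (source, target, priority, silent) tuples."""
    rules = {name: [] for pair in SECTIONS.values() for name in pair}
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        if section in rules and ">" in line:
            src, dst = line.lstrip("!$").split(">", 1)
            rules[section].append((src.lower(), dst.lower(),
                                   line.startswith("!"), line.startswith("$")))
    return rules

def _matches(rule, source, target):  # case-insensitive glob; '*' and '?' wildcards
    return all(fnmatch.fnmatchcase(v.lower(), p) for v, p in zip((source, target), rule[:2]))

def evaluate(rules, source, target, kind="MEMORY", default_allow=True):
    """Return (allowed, logged) for source touching target (a process or a DLL)."""
    wl_name, bl_name = SECTIONS[kind]
    wl = [r for r in rules[wl_name] if _matches(r, source, target)]
    bl = [r for r in rules[bl_name] if _matches(r, source, target)]
    # Precedence per post 9, lowest first (a later hit overrides): whitelist < blacklist < !whitelist < !blacklist
    allowed = default_allow  # assumed to mirror [DEFAULTALLOW] when nothing matches
    for hit, verdict in ((wl, True), (bl, False),
                         ([r for r in wl if r[2]], True), ([r for r in bl if r[2]], False)):
        if hit:
            allowed = verdict
    # A blocked event is logged unless the first matching blacklist rule is a '$' rule.
    logged = not allowed and bool(bl) and not bl[0][3]
    return allowed, logged
```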
     
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I tried to print to fax in Chrome, while Chrome was blocked from everything except
    !C:\*\chrome\*>C:\*\google\*
    The spooling failed. (My printer is HP Officejet)
    But with AppGuard, it works fine, even though AppGuard puts Chrome in memory guard.
    Does anyone know why the difference?
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    The log said
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > C:\Windows\System32\rundll32.exe

    So I made whitelist rule
    !C:\*\chrome.exe>C:\Windows\System32\rundll32.exe

    Now it works.
     
    Last edited: Mar 20, 2018
  12. guest

    guest Guest

    Try to remove the space before and after ">"
    Code:
    !C:\*\chrome.exe>C:\Windows\System32\rundll32.exe
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks!
    Now it works, I edited my post.
    Moral of the story: you can't just copy and paste from the log...
     
  14. guest

    guest Guest

    You're welcome :)

    Btw.: I have seen that you have blocked "System.Management.Automation.dll" with Bouncer #1785
With MemProtect you can do something similar and prevent applications from loading certain DLLs.
    Example:
    Code:
    [MODULEWHITELIST]
    *>*
    [MODULEBLACKLIST]
    #   Blocking rundll32 from loading PowerShell
    *rundll32.exe>*System.Management.Automation*.dll
    
Many more examples can be found there: #151
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Now that's cool.
    To make the rule a little wider, I suppose the last line could be like this:
    *.exe>*System.Management.Automation*.dll
    Or maybe that's not necessary? If rundll32 is the only way to load it.
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    When a running process calls an interpreter, such as cmd or rundll32, and tells it what to do, is this a memory event?
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Any kind of process memory to process memory communication would trigger blockage with MemProtect. So if a process calls upon another process, it would be blocked. Previously, if a DLL module interpreter was loaded into a MemProtect protected process, it would not be blocked with older versions of MemProtect. But since current versions of MemProtect have the [MODULEFILTER] feature now, we've got the ability to whitelist and blacklist specific modules loading into specific processes which helps a lot in this regard to prevent interpreters which are loaded as modules.

    However if you want better control over scripting/interpreters, the [CMDCHECK] feature in Bouncer is more powerful in that regard since you have full control over command lines.
     
  18. guest

    guest Guest

If you block an application from accessing C:\Windows\* then the application is also prevented from launching, for example, C:\Windows\cmd.exe or C:\Windows\system32\rundll32.exe.
Access to the memory of applications in C:\Windows\* is blocked, but so is launching them.

You should take this into account while writing rules.
Some applications might sometimes need access to certain system files (printing of files: Chrome -> rundll32.exe), but you will see it in the logfile (or tray icon) if it happens.
     
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks @WildByDesign and @mood
    I didn't realize that even launching of applications is blocked.
    This morning I tried to initiate a Chrome update, but it didn't work, and the log said Chrome > cmd.exe, so I whitelisted that. So I see that memprotect is best accompanied by Bouncer or another program that gives you finer control over command lines.
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    How can I test whether memprotect is working?
    I already know that the execution prevention is working. I don't need to test that.
    I want to test the reading of and injecting into memory.
     
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Earlier I suggested to expand the MODULEBLACKLIST rule for System.Management.Automation*.dll
    so that it will apply to *.exe, instead of limiting it to rundll32.

    Now I know why this is not a good idea. My log says:

    *** excubits.com demo ***: 2018/03/21_12:21 > MODULE > C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe > C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7f06bbe7908fb8d914459155ec6219e7\System.Management.Automation.ni.dll
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This is what I currently use:
    Link: https://www.wilderssecurity.com/thr...ods-test-apps-discussion.400434/#post-2736643

These are command line apps though, but I find that they are easier to work with when testing MemProtect. You will have to modify those commands to match the directory structure of your testing setup.

    You can test injection apps that have a GUI as well but it is tricky because MemProtect blocks the PID (process ID) lookup initially. So in my testing, the command line apps are better for testing in that regard.
     
  23. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks. I understand that you have put memprotect to the test, and it passed. Looks like an interesting tool, though.
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @shmu26 You're welcome. Yeah, so far MemProtect has passed every test that I have thrown at it. :thumb:
     
  25. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Is there any conflict between MemProtect (with rules for MS Office) and Windows Defender Exploit Guard?
     