Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. @Online_Sword

    I looked at the example of Pumpernickel on Execubits. It showed a blacklist with a priority whitelist and no regular whitelist. I also noticed that the commands of MemProtect are very simular to Pumpernickel, so assumed that that it also worked more or less like behavioral mode of SmartObjectBlocker. Thanks to you explanation I now understand that MemProtect works in default deny mode like Bounder does.

    Would be easier to understand the application when semantics would be the same across all programs. Could someone link to on a post or webpage where installation and use of Memprotect is explained?

    Thanks Kees
     
  2. Some time ago, he discussed this plan with me (through mail), only not making it a general purpose program, but a specific program to sandbox another program, e.g.

    Excubits Firefox Sandbox:
    - MZwriteScanner only allows Firefox to downloads its updater and executables in your windows download folder.
    - PumperNickel only allowing Firefox to change its (AppData) user folders
    - Bouncer only allows firefox to spawn the (firefox) updater.
    - PumperNickel allowing only the (Firefox)updater to chance the Firefox installation directory.
    - MemProtect to prevent any program to change Firefox allocated Memory.

    This would be a zero config setup which works in the background without hassling the user (no GUI, just logs and simple system tray icon) for pricing simular to MemProtect/MZwritescnanner general purpose drivers

    Don't know whether this plan is still viable (so place your pre-orders @WildByDesign , he is the one with an open line to Florian :) )

    Regards Kees
     
    Last edited by a moderator: Mar 3, 2016
  3. Does not work

    upload_2016-3-3_10-13-36.png
     
  4. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
  5. Ok thx, now it works
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I've just done some testing with MemProtect again using Process Hacker and just a simple portable program (SpeedyFox.exe) for testing.

    It seems that with current version of Process Hacker (PH), it can now terminate the SpeedyFox.exe process. Although Process Hacker must be started with Admin privileges though. Without Admin, PH cannot terminate the process. Several point-release versions of PH prior, PH was not able to terminate the process even with Admin privileges. So it looks like there have been some changes within PH recently.

    Although PH still cannot view and/or alter Permissions for the protected process.
     
  7. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Could this be utilized by malwares? I think maybe you could submit this case to Florain.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Online_Sword It's difficult to say for sure. I will mention it to Florian anyway, for sure. But I have a feeling that it has more to do with my rule set and something to do with the way in which Process Hacker terminates processes (Admin priv. vs. non-Admin). It could be because I have allowed Process Hacker full control over Windows directory and such, and therefore I've probably allowed Process Hacker to indirectly terminate the process likely through a Windows built-in executable. I will have to remove some of my rules, go non-lethal, and take in a bunch of detailed logging and see better how Process Hacker achieves this and with which Windows executable it utilizes.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I think that maybe there has been some confusion over how Pumpernickel project driver works (in comparison to other Excubits drivers) and how to configure it. So it looks as though Florian has put together a small introduction blog post along with an instructional video. I believe that he plans on creating more instructional videos as well.

    Link: https://excubits.com/content/en/news.html
    Video: (also embedded in above blog post) https://excubits.com/content/videos/pumpernickel.mp4
     
  10. guest

    guest Guest

    I noticed it too. Memory, Environment and some more information is blocked.
    But with earlier versions of Memprotect it was not possible to terminate the application?

    Even if i run both (PH and the application) "protected", PH can still terminate the application. Without elevation of PH.
     
  11. nezic

    nezic Registered Member

    Joined:
    Jul 7, 2013
    Posts:
    8
    Hi, I like Pumperinckel very, but how to block process access for specific user (user name)?
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Yes, although it was several point-release versions of Process Hacker, possibly 2.36 or prior. MemProtect was blocking termination with normal rights and also Admin rights. But I guess something changed with the way that PH terminates processes specifically when elevated. Now it is only terminating with Admin rights.

    I don't think that you want to run PH in protected mode, just the other application that you want to protect.

    So I've got the main directory: C:\TESTING\

    Then I've got sub-directories:

    C:\TESTING\SpeedyFox\
    C:\TESTING\Process Hacker\
    C:\TESTING\Temp\

    Config:
    Code:
    [LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    *ProcessHacker.exe>C:\Windows\*
    *ProcessHacker.exe>C:\Program Files (x86)\*
    *ProcessHacker.exe>C:\Program Files\*
    *ProcessHacker.exe>*peview.exe
    *peview.exe>*ProcessHacker.exe
    *ProcessHacker.exe>*ProcessHacker.exe
    [BLACKLIST]
    C:\TESTING\SpeedyFox\*>*
    [EOF]
    
    So within C:\TESTING\, I am only protecting the SpeedyFox in particular. Process Hacker has been given it's typical access that it needs to Window, Program Files, etc.

    So what should come up as blockages in the MemProtect logs, is parent process ProcessHacker.exe trying to access, at least in my example, speedyfox.exe

    Try to see if you can replicate the same folder/directory structure and config and see how it works for you. I will try some more testing of MemProtect within the next few days to try some different things.
     
  13. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    I think here you mean that if there are two users A and B, you want to create a rule that only allows A to access example.txt but prevent B to access that file, correct?

    I am afraid that the current version of Pumperinckel does not have such a feature...
     
  14. Does MemProtect has priority rules also?
     
  15. guest

    guest Guest

    #937
    I tried it, and now i wasn't able to terminate the process with PH (admin rights are needed)

    I used the same Blacklist and Whitelist,
    PH 2.36 = C:\TESTING\Process Hacker\
    Speedyfox = C:\TESTING\SpeedyFox\

    Then i started Speedyfox and PH:
    C:\TESTING\Process Hacker\App\ProcessHacker\x64\ProcessHacker.exe > C:\TESTING\SpeedyFox\speedyfox.exe
     
  16. Found MemProtect giving more issues as time available for tweaking a very strict Office 2007 memory mitigation (in the example of Florian, chrome is still allowed to inject all programs in program files, also Splwow64.exe needs to be allowed to print etc) , so left that for others to play with.

    Had better luck with Pumpernickel to sandbox Chrome (strictly), although I have to find out whether Adguard updates properly.

    [LETHAL]
    [#LOGGING]
    [WHITELIST]
    !*chrome.exe>C:\Users\*\Downloads
    !*chrome.exe>C:\Users\*\Downloads\*
    !*chrome.exe>C:\Users\*\AppData\Local\Google\*
    [BLACKLIST]
    *chrome.exe>*
    [EOF]

    Note I had not disabled the 8.3 filename creation on NTFS, that is why I used * (all users) in above priority whitelist. Because it was easy to port it to my Asus Transformer and wife's laptop I kept it that way.

    Downloads\* did not allow files to download, needed to add Downloads also. Thanks to @mood :thumb:
     
    Last edited by a moderator: Mar 7, 2016
  17. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    I asked Florain that whether MemProtect supports the priority symbol "!", he said it could support. So maybe you can try the following rules (I have not tested them by myself):

    Code:
    [LETHAL]
    [LOGGING]
    [WHITELIST]
    !*chrome.exe>*chrome.exe
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    [BLACKLIST]
    *chrome.exe>*
    [EOF]
    
    The reason why I write "!*chrome.exe>*chrome.exe" and "*chrome.exe>*" is because when I use ESET HIPS, I find that the only process that chrome needs to inject into is itself. Please correct me if I make a mistake here :)
     
  18. guest

    guest Guest

    I had this problem too. You have to add the directory itself to the whitelist.

    This rule alone is preventing chrome writing files to the Downloads-folder:
    !*chrome.exe>C:\Users\*\Downloads\*

    You have 2 choices:
    The directory itself is added. Chrome can now download files to the Downloads-folder:
    !*chrome.exe>C:\Users\*\Downloads\*
    !*chrome.exe>C:\Users\*\Downloads
    Or:
    You can write it like this, so you have only 1 rule:
    !*chrome.exe>C:\Users\*\Downloads*

    I wrote to the support, and they responded that "...because of technical reasons you have to add the directory itself too"
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @mood You are correct, absolutely. The 2 choices that you presented regarding the Downloads folder (or any folder) are appropriate and good advice.

    Also, just to clarify, the reason for having to add the folder itself specifically is because as activity (I/O file writes, deletes, etc.) is occurring within that folder, actual Properties for that folder itself are also being written/modified. Examples: It could be anything really, such as folder permissions being changed, Date Modified, Date Accessed, etc. The typical folder Properties which we see within Windows Explorer or also some additional details when we choose to add more Columns to the view within Windows Explorer. So hopefully that clarifies what is happening behind the scenes there within Windows itself when it comes to accessing/modifying files within directories.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Regarding Pumpernickel and Adguard For Windows, I have only so far needed to add one whitelist rule specific to Adguard/Pumpernickel:
    Code:
    [WHITELIST]
    C:\Program Files (x86)\Adguard\AdguardSvc.exe>C:\ProgramData\Adguard\*.db*
    I have since gone through several Adguard update cycles and have not need to create further rules in Pumpernickel.
     
  21. Thx
     
  22. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Thanks for the updates, hints on the drivers. Pumpernickel works awesome on my Windows 8.1. Its great fun and i guess there is much to discover :)
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I keep getting an error message when attempting to start Bouncer's driver. The error message states "Data Present in one of the Parameters is more than the Function can operate on." Does this mean I have exceeded the data limit in the .ini file for the free version? I removed some of my rules, and i'm still receiving the message. The [PARENTBLACKLIST] is what I made changes to before receiving this error message. I added many to the [PARENTBLACKLIST].

    Code:
    [#LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [#CMDCHECK]
    [WHITELIST]
    C:\Windows\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    C:\ProgramData\Microsoft\*
    C:\AMD\*
    C:\Users\achilles\AppData\Local\Zemana\Zemana AntiMalware\helpers\ArchiveManager.dll
    C:\ProgramData\ESET\ESET Smart Security\updfiles\nod0776.nup
    C:\Users\*\AppData\Local\Temp\ns?????.tmp\*
    ?:\*\MPSigStub.exe
    ?:\*\mrtstub.exe
    *Temp\mpam-????????.exe
    [BLACKLIST]
    ?:\$Recycle.Bin\*
    *regsvr32.exe
    *InstallUtil*
    *Regsvcs*
    *RegAsm*
    C:\Windows\ADFS\*
    C:\Windows\tracing\*
    C:\Windows\Tasks\*
    *InstallUtil.exe
    *IEExec.exe
    *DFsvc.exe
    *PresentationHost.exe
    *reg.exe
    *vssadmin.exe
    *aspnet_compiler.exe
    *csc.exe
    *ilasm.exe
    *jsc.exe
    *MSBuild.exe
    *vbc.exe
    *script.exe
    *iexplore.exe
    *journal.exe
    #*msiexec.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *bcdedit.exe
    *mstsc.exe
    *powershell.exe
    *powershell_ise.exe
    *hh.exe
    *set.exe
    *setx.exe
    [PARENTWHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\ProgramData\Microsoft\*>*
    C:\AMD\*>*
    [PARENTBLACKLIST]
    *firefox.exe>*cmd.exe
    *firefox.exe>*rundll32.exe
    *firefox.exe>*taskhost.exe
    *firefox.exe>*conhost.exe
    *firefox.exe>*taskeng.exe
    *firefox.exe>*msiexec.exe
    !*plugin-container.exe>*cmd.exe
    !*plugin-container.exe>*rundll32.exe
    !*plugin-container.exe>*taskhost.exe
    !*plugin-container.exe>*conhost.exe
    !*plugin-container.exe>*taskeng.exe
    !*plugin-container.exe>*msiexec.exe
    !*notepad.exe>*cmd.exe
    !*notepad.exe>*rundll32.exe
    !*notepad.exe>*taskhost.exe
    !*notepad.exe>*conhost.exe
    !*notepad.exe>*taskeng.exe
    !*notepad.exe>*msiexec.exe
    !*FlashPlayerApp.exe>*cmd.exe
    !*FlashPlayerApp.exe>*rundll32.exe
    !*FlashPlayerApp.exe>*taskhost.exe
    !*FlashPlayerApp.exe>*conhost.exe
    !*FlashPlayerApp.exe>*taskeng.exe
    !*FlashPlayerApp.exe>*msiexec.exe
    !*FlashPlayerPlugin.exe>*cmd.exe
    !*FlashPlayerPlugin.exe>*rundll32.exe
    !*FlashPlayerPlugin.exe>*taskhost.exe
    !*FlashPlayerPlugin.exe>*conhost.exe
    !*FlashPlayerPlugin.exe>*taskeng.exe
    !*FlashPlayerPlugin.exe>*msiexec.exe
    !*PDFXCview.exe>*cmd.exe
    !*PDFXCview.exe>*rundll32.exe
    !*PDFXCview.exe>*taskhost.exe
    !*PDFXCview.exe>*conhost.exe
    !*PDFXCview.exe>*taskeng.exe
    !*PDFXCview.exe>*msiexec.exe
    !*mpc-hc64.exe>*cmd.exe
    !*mpc-hc64.exe>*rundll32.exe
    !*mpc-hc64.exe>*taskhost.exe
    !*mpc-hc64.exe>*conhost.exe
    !*mpc-hc64.exe>*msiexec.exe
    !*WINWORD.exe>*cmd.exe
    !*WINWORD.exe>*rundll32.exe
    !*WINWORD.exe>*taskhost.exe
    !*WINWORD.exe>*conhost.exe
    !*WINWORD.exe>*taskeng.exe
    !*WINWORD.exe>*msiexec.exe
    !*EXCEL.exe>*cmd.exe
    !*EXCEL.exe>*rundll32.exe
    !*EXCEL.exe>*taskhost.exe
    !*EXCEL.exe>*conhost.exe
    !*EXCEL.exe>*taskeng.exe
    !*EXCEL.exe>*msiexec.exe
    !*POWERPNT.exe>*cmd.exe
    !*POWERPNT.exe>*rundll32.exe
    !*POWERPNT.exe>*taskhost.exe
    !*POWERPNT.exe>*conhost.exe
    !*POWERPNT.exe>*taskeng.exe
    !*POWERPNT.exe>*msiexec.exe
    [CMDWHITELIST]
    *>*
    [CMDBLACKLIST]
    *>*rundll32*cmd*/c*
    *>*rundll32*
    *>*cmd*/c*
    [EOF]
    
    Edited 3/8 @ 6:29
     

    Attached Files:

    Last edited: Mar 8, 2016
  24. guest

    guest Guest

    Today Pumpernickel blocked writing to a "MS-DOS 8.3-Path", after starting Firefox Portable.
    O:\PORTAB~1\FIREFO~1\Data\profile\cert8.db o_O

    *** excubits.com beta ***: 2016/03/08_01:49 > O:\portable-software\FirefoxPortable\App\Firefox64\firefox.exe > O:\PORTAB~1\FIREFO~1\Data\profile\cert8.db

    I had to add an additional rule:
    [WHITELIST]
    !*>o:\portable-software*
    !*>O:\PORTAB~1*
    [BLACKLIST]
    *>o:\*

    Thunderbird, Fossamail, Firefox and Palemoon have this problem.
    Pumpernickel_8.3-Filename.png

    If you're using these programs and you have a "long filename" for these programs on the whitelist, better add a short one too.
    So that the cert8.db (and key3.db) in the Profiles-directory can be saved correctly.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Hopefully I can help you with this one. I assume that this is the latest Beta Camp driver. I actually experienced this very same error initially as well. Also, just like you, my first assumption was that it had something to do with the file size limitation and therefore tried removing some lines from my config but yet the error still continued. In my case, it turns out that I was working hard to maintain and cleanup my Bouncer.ini config file and ensuring that it was indeed placed within C:\Windows\. However, I then realized that the latest Beta Camp release is actually looking for Tuersteher.ini. Subsequently, the driver, once started, will also create a Tuersteher.log file as well. So my suggestion would be to make a copy of your Bouncer.ini for safe keeping, and create a copy and rename that copy to Tuersteher.ini and place in C:\Windows\ and try to start the driver now. This is what happened when I experienced that error anyway, so I hope that is helpful to you. Let me know how it goes and we can always troubleshoot further if the problem persists.

    EDIT: Very nice configuration, by the way. You've got some nice creative rules in there. Thank you for sharing.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.