MemProtect - Support & Discussion

Discussion in 'other anti-malware software' started by WildByDesign, Aug 21, 2016.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ WildByDesign

    Perhaps you might have missed this post, but I was still wondering about this:

    The reason I'm asking is because I was still trying to figure out why MemProtect blocks process execution. I've read a bit about which "process access rights" are removed from a protected process, see link.

    So I'm guessing that it will simply block a monitored process from loading child processes, is this true? I'm a bit confused, because if this is the case, then Chrome wouldn't be able to run multiple browser processes.

    https://www.microsoftpressstore.com/articles/article.aspx?p=2233328&seqNum=2
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Rasheed187 Sorry about that. I'm just not a big Firefox fan, although I imagine that Firefox can benefit greatly from memory protections in general.

    I'm running some Firefox testing now following your suggestion to make Firefox a protected process. Initially, I was getting numerous blockages for plugin-container.exe (see logs below).

    Code:
    2016/09/08_13:12:32 > R:\Program Files\Mozilla Firefox\firefox.exe > R:\Program Files\Mozilla Firefox\plugin-container.exe
    2016/09/08_13:12:32 > R:\Program Files\Mozilla Firefox\firefox.exe > R:\Program Files\Mozilla Firefox\plugin-container.exe
    2016/09/08_13:12:32 > R:\Program Files\Mozilla Firefox\firefox.exe > R:\Program Files\Mozilla Firefox\plugin-container.exe
    2016/09/08_13:12:32 > R:\Program Files\Mozilla Firefox\firefox.exe > R:\Program Files\Mozilla Firefox\plugin-container.exe
    2016/09/08_13:12:32 > R:\Program Files\Mozilla Firefox\firefox.exe > R:\Program Files\Mozilla Firefox\plugin-container.exe
    2016/09/08_13:12:32 > R:\Program Files\Mozilla Firefox\firefox.exe > R:\Program Files\Mozilla Firefox\plugin-container.exe
    2016/09/08_13:12:32 > R:\Program Files\Mozilla Firefox\firefox.exe > R:\Program Files\Mozilla Firefox\plugin-container.exe
    2016/09/08_13:12:32 > R:\Program Files\Mozilla Firefox\firefox.exe > R:\Program Files\Mozilla Firefox\plugin-container.exe
    2016/09/08_13:12:32 > R:\Program Files\Mozilla Firefox\firefox.exe > R:\Program Files\Mozilla Firefox\plugin-container.exe

    Therefore I had to create some rules to specifically allow firefox.exe to run/access plugin-container.exe process memory. I suppose this could be even beneficial in certain circumstances, for example, to block the browser process from accessing Flash executables when there are known exploits in the wild. But anyway, the blockages appear to be typical parent process control over child process.

    If you want me to test anything else specifically, please feel free to let me know. I'm happy to help. :thumb:
     
  3. Rasheed187

    Thanks for testing. So I think we can conclude that MemProtect blocks process creation in a different way than AE, but the end result is the same. It basically removes "access rights" which will block a monitored (or protected) process from launching child processes.

    So it's not the restricting of reading and writing to memory of other processes which is doing the blocking. I'm not exactly sure if this conclusion is right though. But basically, when it comes to purely blocking process execution, Bouncer will already do the job. You don't need MemProtect specifically to block payloads/exploits from running.
     
  4. Returning from a holiday in Myanmar and having a few hours to kill at Dubai Airport, I decided to fight the sleep by ordering an extra strong coffee and enjoy the free Wifi to update my post on "using two free programs of Execubits to run vulnerable programs in containers".

    What is the idea of running programs in containers?
    Containers and sandboxes are often mixed terminologies in access control and virtualisation. In a container a program is blocked access to (critical) parts of the system. By containing file access (PumperNickel) and memory access (MemProtect) of vulnerable programs, you mitigate the impact of infections by malware (including exploits). Those vulnerable programs are only allowed to mess with their own (installation) folders and processes.

    Although this looks like a loose mitigation it is very effective, because it reduces the operating space of intrusions and exploits without the need for micro management rules configuration (hence easier to use and set and forget). Since the ini files are limited in size in the free versions, needing less rules is a nice bonus.

    Containing Chrome as an example
    In the example below Chrome is only allowed by Pumpernickel (Fides) to mess with its own installation folder and is only allowed by MemProtect to mess with the memory of its own processes (including starting other processes). The five question marks wildcard after Program Files is used to apply these rules for both 32 and 64 bits.

    1. Pumpernickel ini file rules
    Note: Temp and Caches are general whitelist rules (allowed write access by unelevated process)
    Code:
    [LETHAL]
    [#LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files?????\*>C:\Windows\Temp\*
    !C:\Program Files?????\*>C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\*
    
    !C:\Program Files?????\Google\Chrome\*>C:\Program Files?????\Google\Chrome\*
    
    [BLACKLISTMODIFY]
    C:\Program Files?????\Google\Chrome\*>C:\Windows\*
    C:\Program Files?????\Google\Chrome\*>C:\Program Files?????\*
    
    [WHITELISTREAD]
    [BLACKLISTREAD]
    [EOF]
    
    2. MemProtect ini file rules
    Note: TabTip and splwow64.exe are general whitelist rules (for touch screen keyboard and printing).
    Code:
    [LETHAL]
    [#LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    !C:\Program Files?????\*>C:\Windows\splwow64.exe
    !C:\Program Files?????\*>C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    
    !C:\Program Files?????\Google\Chrome\*>C:\Program Files?????\Google\Chrome\*
    
    [BLACKLIST]
    C:\Program Files?????\Google\Chrome\*>*
    
    [EOF]
    


    Adding other vulnerable processes

    Add the installation folder for every vulnerable program you wish to contain. In this example below I added Office. I use question marks in Office to make them applicable for all Office versions. You only need a few extra rules to add an additional vulnerable program to be 'contained' by Pumpernickel (file access) and MemProtect (memory access).

    1. Pumpernickel ini file rules
    Note: the extra rules for Office are just below Chrome rules.
    Code:
    [LETHAL]
    [#LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files?????\*>C:\Windows\Temp\*
    !C:\Program Files?????\*>C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\*
    
    !C:\Program Files?????\Google\Chrome\*>C:\Program Files?????\Google\Chrome\*
    !C:\Program Files?????\Office????\*>C:\Program Files?????\Office????\*
    
    [BLACKLISTMODIFY]
    C:\Program Files?????\Google\Chrome\*>C:\Windows\*
    C:\Program Files?????\Office????\*>C:\Windows\*
    
    C:\Program Files?????\Google\Chrome\*>C:\Program Files?????\*
    C:\Program Files?????\Office????\*>C:\Program Files?????\*
    
    [WHITELISTREAD]
    [BLACKLISTREAD]
    [EOF]
    
    2. MemProtect ini file rules
    Note: the extra rules for Office are just below Chrome rules.
    Code:
    [LETHAL]
    [#LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    !C:\Program Files?????\*>C:\Windows\splwow64.exe
    !C:\Program Files?????\*>C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    
    !C:\Program Files?????\Google\Chrome\*>C:\Program Files?????\Google\Chrome\*
    !C:\Program Files?????\Office????\*>C:\Program Files?????\Office????\*
    
    [BLACKLIST]
    C:\Program Files?????\Google\Chrome\*>*
    C:\Program Files?????\Office????\*>*
    
    [EOF]

    Important: try out these rules with [#LETHAL] and [LOGGING]

     
    Last edited by a moderator: Sep 10, 2016
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Wow! Now I'm jealous :D
    Btw thanks for sharing great knowledge.
     
  6. @Mister X

    When I was 16, I went with four friends to a fortune teller. She told one of us he would die at age 17, she also told me I would die at 34. My friend had an accident when he was 17 and his liver was torn and he died. So I was convinced I would die at age 34. I slept only 4 to 5 hours per night because I wanted to make the most of my (short) life and made a bucket list of things I wanted to see.
    1. Europe: Pantheneon and Colosseum
    2. Middle East: Pyramids and Petra
    3. Americas: Chichen Itza and Machu Picchu
    4. Asia: Angkor Wat and Borobudur
    By accident I entered IT and with luck I was assigned to new technology jobs so I was able to work as freelance and was so lucky to realize my bucket list before I became 33. I had a heavy motor bike accident at 34, but survived, so the fortune teller was wrong. In 2011 I became aware of Bagan and wanted to visit this amazing temple complex. Because my wife had other holiday priorities I took some time to visit Myanmar.

    Myanmar is as beautiful as travelling through Mexico (I have been there three times, once two months touring Mexico in a Mexican-built Volkswagen Beetle). I am now 58 and recently made a new bucket list with my wife. Hope to stay around for a few years ;) and share setups at this forum and Malware Tips.
     
    Last edited by a moderator: Sep 11, 2016
  7. Mr.X

    Lesson learned. Now we know certain future events can't be/are impossible to predict for the Universe's too complex, in general terms. We know this thanks to Science. Now that I'm 48 I teach my children to not believe in pseudoscience and protect from charlatans and many other types of quacks.

    At least you got some good from your "quacked" beliefs: forcing yourself to visit those "magical" places before you died. L0L

    I hope that as well. I really like your insights to this complex matter, computer security.


    @ all: I apologize for the off-topic
     
  8. WildByDesign

    Sandbox for Firefox with control over plugin-container and FlashPlayerPlugin under x64 and x86. This was just a project to follow through with an idea. I am not an avid Firefox user, therefore I don't know if/when I will update this config but I will work on it more if there is any interest in it.

    Unfortunately this is over the 2kb limit of the demo version, but many of these entries and comments can be removed to reduce size.

    Code:
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    #    Firefox - Sandbox Permissions
    !C:\Program Files*>*firefox.exe
    !*firefox.exe>*plugin-container.exe
    !*plugin-container.exe>*firefox.exe
    !C:\Windows\System32\*>*plugin-container.exe
    !C:\Windows\System32\*>*firefox.exe
    !*plugin-container.exe>*\Macromed\Flash\FlashPlayerPlugin_??_?_?_???.exe
    !*\Macromed\Flash\FlashPlayerPlugin_??_?_?_???.exe>*plugin-container.exe
    !*firefox.exe>*\Macromed\Flash\FlashPlayerPlugin_??_?_?_???.exe
    !C:\Windows\System32\*>*FlashPlayerPlugin_??_?_?_???.exe
    !*FlashPlayerPlugin_??_?_?_???.exe>*FlashPlayerPlugin_??_?_?_???.exe
    #    Firefox - Explorer - Remove # below if crashes occur
    !C:\Windows\explorer.exe>*firefox.exe
    #!*firefox.exe>C:\Windows\explorer.exe
    #!*plugin-container.exe>C:\Windows\explorer.exe
    #!C:\Windows\explorer.exe>*plugin-container.exe
    #!*FlashPlayerPlugin_??_?_?_???.exe>C:\Windows\explorer.exe
    #    Firefox - Printing
    !*firefox.exe>C:\Windows\splwow64.exe
    !C:\Windows\splwow64.exe>*firefox.exe
    #    Firefox - Specific to my system
    !*FirefoxPortable.exe>*firefox.exe
    !C:\Windows\Temp\DPTF\esif_assist_64.exe>*firefox.exe
    !*AdguardSvc.exe>*plugin-container.exe
    !*AdguardSvc.exe>*firefox.exe
    [BLACKLIST]
    #    Firefox - Explorer - Remove # below to silence explorer.exe in logs
    #$*firefox.exe>C:\Windows\explorer.exe
    #$*plugin-container.exe>C:\Windows\explorer.exe
    #$C:\Windows\explorer.exe>*plugin-container.exe
    #$*FlashPlayerPlugin_??_?_?_???.exe>C:\Windows\explorer.exe
    #    Firefox - Sandbox Restrictions
    *>*firefox.exe
    *firefox.exe>*
    *>*plugin-container.exe
    *plugin-container.exe>*
    *>*FlashPlayerPlugin_??_?_?_???.exe
    *FlashPlayerPlugin_??_?_?_???.exe>*
    [EOF]
    
     
  9. Container approach to sandbox firefox with MemProtect and Pumpernickel

    The idea of containers is pretty simple: allow processes to mess around with their own folders/processes, but prevent them from accessing UAC protected folders/processes. Isolate (sandbox) only a few vulnerable processes running rich content.

    In the rules below all processes of Mozilla and Macromedia run in a limited user container and firefox and plugin-container are sandboxed. This reduces the number of rules to create and maintain (and as a result the size of ini-files).

    1. Pumpernickel ini file (1 KB in size)
    Code:
    [LETHAL]
    [#LOGGING]
    [WHITELISTMODIFY]
    #default allow write access to Windows temp and cache folders (which are protected by UAC on win 8.1 and 10)
    !C:\Program Files?????\*>C:\Windows\Temp\*
    !C:\Program Files?????\*>C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\*
    
    #allow Mozilla to change Mozilla folders
    !C:\Program Files?????\Mozilla*\*>C:\Program Files?????\Mozilla*\*
    
    #allow Macromedia to change Macromedia folders
    !C:\Windows\System32\Macromed\*>C:\Windows\System32\Macromed\*
    
    [BLACKLISTMODIFY]
    #deny Mozilla to infect admin space (limited user container)
    C:\Program Files?????\Mozilla*\*>C:\Windows\*
    C:\Program Files?????\Mozilla*\*>C:\Program Files?????\*
    
    #deny Macromedia to infect admin space (limited user container)
    C:\Windows\System32\Macromed\*>C:\Windows\*
    C:\Windows\System32\Macromed\*>C:\Program Files?????\*
    
    [WHITELISTREAD]
    [BLACKLISTREAD]
    [EOF]
    

    2. MemProtect ini file (1 KB in size)
    Code:
    [LETHAL]
    [#LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    #default allow rules for printing and touch screen keyboard
    !C:\Program Files?????\*>*splwow64.exe
    !C:\Program Files?????\*>*TabTip.exe
    
    #allow Mozilla access to other Mozilla processes
    !C:\Program Files?????\Mozilla*\*>C:\Program Files?????\Mozilla*\*
    
    #allow Mozilla access to Macromedia processes
    !C:\Program Files?????\Mozilla*>C:\Windows\System32\Macromed\*
    
    #allow Macromedia access to other Macromedia processes
    !C:\Windows\System32\Macromed\*>C:\Windows\System32\Macromed\*
    
    [BLACKLIST]
    #deny firefox and plugin-container to infect/modify all (other) processes (sandbox)
    *\firefox.exe>*
    *\plugin-container.exe>*
    
    #deny Mozilla to infect admin space (limited user container)
    C:\Program Files?????\Mozilla*\*>C:\Windows\*
    C:\Program Files?????\Mozilla*\*>C:\Program Files?????\*
    
    #deny Macromedia to infect admin space (limited user container)
    C:\Windows\System32\Macromed\*>C:\Windows\*
    C:\Windows\System32\Macromed\*>C:\Program Files?????\*
    
    [EOF]
     
    Last edited by a moderator: Sep 14, 2016
  10. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    I suppose we should have known, kees1958 !!
     
  11. @WildByDesign Any news on final releases of MemProtect and PumperNickel (I really have had no issues ever with the betas)?

    Thx for your work as linking pin to the developer
     
  12. WildByDesign

    The last time I had discussions with Florian it was specifically about MemProtect/Pumpernickel going stable release. I think that it would be especially important for MemProtect to follow the momentum and potential that it has going for it. Myself as well, I've experienced zero issues with both for quite some time now. So without a doubt, they've got a proven stability track record. I haven't heard from Florian now for about 3-4 weeks. Typically when Florian goes "dark" like that in the past it means that he is coding away like a maniac. I mean that in a positive way, of course. But what I mean is that usually when he doesn't communicate for a number of weeks like that it usually comes with big surprises in the end which I am usually not even expecting. Actually, one of the last things that I left off with my last conversation with him was regarding AppContainer control via kernel-level filtering. So I may very well have sent him off on a wild goose chase, so to speak. He is the kind of person who is extremely persistent and when he comes across a road block of some sort, he will study/research/code until he achieves satisfaction with his goals and generally does not give up. He was also studying some of Chromium's recent code base to see any tricks in which Google devs use for their AppContainer sandboxing for Windows 8.x and Windows 10. So it is difficult to say what he has been plugging away (coding) at over these past few weeks.

    The MemProtect/Pumpernickel drivers are stable. He's got EV cert in his possession and that EV cert signing has been working great in testing, as I've got a build of Bouncer which has EV cert on Windows 10 and allows me to run without disabling Secure Boot. In my last discussions with Florian, he stated that the main things holding him back from pushing as stable is documentation, in particular a manual and also the coding/documentation for individual pages on his web site. He just doesn't like to release as stable without solid documentation. The problem is that if he puts many hours into documentation, it takes away from coding time and vice versa. I have offered to help him with English documentation and also suggested to create some sort of Wiki type of community site/portal where users can contribute documentation, share rule sets, etc.

    So not only do I agree and think that releasing as stable would be good so that the momentum can continue to flow, but I also think that a very simple/basic GUI for MemProtect would really be beneficial for adoption as well. I don't think that the GUI would be nearly as complicated as it would be for Bouncer, since MemProtect config is really quite simple. If somebody had the coding skills to help with GUI creation, I would be more than happy to assist with UI design mockups, documentation, and so on.
     
  13. WildByDesign

    I've got something special to share today. I have been working on a solid MemProtect for Chromium/Chrome for well over a month now. The idea was to get right down to the specific Windows system components that were allowed access and nothing beyond that. I usually work with a Windows 10 x64 system as my daily driver, however, I created a Windows 7 x64 and Windows 7 x86 virtual machines to ensure that my rule set had coverage for Windows 7 users (x64 and x86) as well. The idea here is that Windows built-in components are quite often used for exploits and such, and therefore sandboxes Chromium's memory space significantly with this config.

    The first rule set below is my daily working MemProtect config which contains comments and different sections for Windows 7, etc. I've got a copy of MemProtect which is not restricted to the 2KB limit and therefore allows me to do more testing to share with the community. Other testers/paid users who have unlimited MemProtect can certainly feel free to use this config or anyone can feel free to remove sections which they do not need (such as extra programs, Windows 7, printing support, etc.)

    Code:
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    #    Chromium - Base Rules (Windows 10 x64)
    !*chrome.exe>*chrome.exe
    !C:\Windows\explorer.exe>*chrome.exe
    !*chrome.exe>C:\Windows\explorer.exe
    !C:\Windows\System32\csrss.exe>*chrome.exe
    !C:\Windows\System32\svchost.exe>*chrome.exe
    !C:\Windows\System32\spoolsv.exe>*chrome.exe
    !C:\Windows\System32\sihost.exe>*chrome.exe
    !C:\Windows\System32\lsass.exe>*chrome.exe
    !C:\Windows\System32\audiodg.exe>*chrome.exe
    #    Chromium - Google Specific - Updating - Etc
    !*chrome.exe>*software_reporter_tool.exe
    !*GoogleCrashHandler*.exe>*chrome.exe
    !*GoogleUpdate*.exe>*chrome.exe
    #    Chromium - Printing Support
    !*chrome.exe>C:\Windows\System32\spool\drivers\*
    !*chrome.exe>C:\Windows\splwow64.exe
    !C:\Windows\splwow64.exe>*chrome.exe
    #    Chromium - Windows 7 Specific (need to confirm)
    !C:\Windows\System32\wbem\WmiPrvSE.exe>*chrome.exe
    !C:\Windows\System32\services.exe>*chrome
    !*chrome.exe>C:\Windows\System32\taskhost.exe
    !*chrome.exe>C:\Windows\System32\dwm.exe
    !*chrome.exe>C:\Windows\System32\dllhost.exe
    #    Chromium - Additional Programs
    !C:\Windows\Temp\DPTF\esif_assist_64.exe>*chrome.exe
    !*\Mozilla Thunderbird\thunderbird.exe>*chrome.exe
    !*chrome.exe>*\Mozilla Thunderbird\thunderbird.exe
    !*\CCleaner\CCleaner*.exe>*chrome.exe
    !*\Adguard\AdguardSvc.exe>*chrome.exe
    !*\Office1?\*.EXE>*chrome.exe
    !*EMET_GUI.exe>*chrome.exe
    [BLACKLIST]
    #    Chromium - Block Process Hacker and Process Explorer
    $*procexp*.exe>*chrome.exe
    $*ProcessHacker.exe>*chrome.exe
    *chrome.exe>*procexp*.exe
    *chrome.exe>*ProcessHacker.exe
    #    Block memory access to/from Chromium
    *>*chrome.exe
    *chrome.exe>*
    [EOF]
    

    The second rule set below is the same config but has commented lines removed, a more simplified Program Files rule, and still contains printing support and Windows 7 support.

    Code:
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    !*chrome.exe>*chrome.exe
    !C:\Windows\explorer.exe>*chrome.exe
    !C:\Windows\System32\csrss.exe>*chrome.exe
    !C:\Windows\System32\svchost.exe>*chrome.exe
    !C:\Windows\System32\spoolsv.exe>*chrome.exe
    !C:\Windows\System32\sihost.exe>*chrome.exe
    !C:\Windows\System32\lsass.exe>*chrome.exe
    !C:\Windows\System32\audiodg.exe>*chrome.exe
    !C:\Program Files*\Google\Update\*>*chrome.exe
    !*chrome.exe>C:\Windows\System32\spool\drivers\*
    !*chrome.exe>C:\Windows\splwow64.exe
    !C:\Windows\splwow64.exe>*chrome.exe
    !C:\Windows\System32\wbem\WmiPrvSE.exe>*chrome.exe
    !C:\Windows\System32\services.exe>*chrome
    !*chrome.exe>C:\Windows\System32\taskhost.exe
    !*chrome.exe>C:\Windows\System32\dwm.exe
    !*chrome.exe>C:\Windows\System32\dllhost.exe
    !C:\Program Files*>C:\Program Files*
    [BLACKLIST]
    $*chrome.exe>C:\Windows\explorer.exe
    $*procexp*.exe>*chrome.exe
    $*ProcessHacker.exe>*chrome.exe
    *>*chrome.exe
    *chrome.exe>*
    [EOF]
    

    Regarding blacklist rule $*chrome.exe>C:\Windows\explorer.exe: I have tested this many times on Windows 10 and it has never caused crashes or issues and therefore I simply used the silent symbol $ to stop logging for that rule line. If any users have immediate crashing issues with Chromium (particularly Windows 7) because of this blacklist $*chrome.exe>C:\Windows\explorer.exe rule, I would suggest to remove that line from the blacklist and place !*chrome.exe>C:\Windows\explorer.exe at the top of your whitelist section to fix the issue. Although I do not think that will be necessary.
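
A dry-run aid for the workflow discussed in this thread (test with [#LETHAL] and [LOGGING], then tighten the rules), added here as an example and not Excubits or forum-member code: it re-evaluates logged source>target pairs against a candidate rule set so you can see which blocks a new whitelist entry resolves. The matching model (whitelist checked before blacklist, `*` any run of characters, `?` one character, case-insensitive) and all function names are assumptions, not MemProtect's documented behaviour; the rules and log lines are constructed in the formats shown above.

```python
import re
from collections import Counter

# Constructed rule set in the thread's ini syntax: "!" whitelist entry,
# "$" silent blacklist entry, "#" comment, SOURCE>TARGET process paths.
RULES_INI = r"""
[#LETHAL]
[LOGGING]
[DEFAULTALLOW]
[WHITELIST]
!*chrome.exe>*chrome.exe
!C:\Windows\explorer.exe>*chrome.exe
!*chrome.exe>C:\Windows\splwow64.exe
[BLACKLIST]
$*procexp*.exe>*chrome.exe
*>*chrome.exe
*chrome.exe>*
[EOF]
"""

# Constructed log lines in the "timestamp > source > target" layout.
CHROME = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
LOG = "\n".join([
    "2016/11/06_10:00:01 > " + CHROME + r" > C:\Windows\System32\cmd.exe",
    "2016/11/06_10:00:02 > " + CHROME + r" > C:\Windows\System32\cmd.exe",
    r"2016/11/06_10:00:05 > C:\Tools\ProcessHacker.exe > " + CHROME,
    "2016/11/06_10:00:09 > " + CHROME + r" > C:\Windows\splwow64.exe",
])

def compile_glob(pattern):
    # Assumed semantics: whole-path match, case-insensitive like Windows paths.
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts), re.IGNORECASE)

def parse_rules(text):
    rules = {"flags": set(), "whitelist": [], "blacklist": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out rule
        if line.startswith("["):
            name = line.strip("[]")
            if name == "EOF":
                break
            if name in ("WHITELIST", "BLACKLIST"):
                section = name.lower()
            elif not name.startswith("#"):
                rules["flags"].add(name)  # [#NAME] means the flag is off
            continue
        if section:
            src, _, dst = line.lstrip("!$").partition(">")
            silent = line.startswith("$")
            rules[section].append((compile_glob(src), compile_glob(dst), silent, line))
    return rules

def decide(rules, src, dst):
    # Assumption: a whitelist hit overrides any blacklist hit.
    for kind, verdict in (("whitelist", "allow"), ("blacklist", "block")):
        for src_re, dst_re, _silent, raw in rules[kind]:
            if src_re.fullmatch(src) and dst_re.fullmatch(dst):
                return verdict, raw
    return ("allow" if "DEFAULTALLOW" in rules["flags"] else "block"), None

def parse_log(text):
    hits = Counter()
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(" > ", 2)]
        if len(fields) == 3:
            hits[(fields[1], fields[2])] += 1
    return hits

def review(rules_text, log_text):
    """Return (count, verdict, matching rule, source, target), busiest pair first."""
    rules = parse_rules(rules_text)
    rows = []
    for (src, dst), count in parse_log(log_text).most_common():
        verdict, rule = decide(rules, src, dst)
        rows.append((count, verdict, rule, src, dst))
    return rows

if __name__ == "__main__":
    for count, verdict, rule, src, dst in review(RULES_INI, LOG):
        print(f"{count:3d}x {verdict:5s} by {rule or 'default'}: {src} > {dst}")
```

Pairs that still come back as "block" after a rule change are the ones to inspect before switching the config to [LETHAL].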
     
  14. Mr.X

    I received an email from Excubits:

    All drivers are signed on November 5, 2016 except Bouncer which is October 30, 2016.
    :cool:

    http://excubits.com/content/en/home.html
     
  15. guest

    guest Guest

    And the website was updated, all tools are now available via "Products"-menu.
    A Buy-Button (PayPal) and the price is now listed on every Product-page.
     
  16. Mr.X

    The only thing I don't like is the products' lack of a recognizable versioning scheme... :cautious:
     
  17. Rasheed187

    Interesting, any news on a more user friendly GUI for all of these tools?
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Has anyone tried the latest MemProtect with Appguard? I assume there will be a conflict, but it would be awesome if they could be used together.

    I'm still waiting for the day that Bouncer, MemProtect, and Pumpernickel are rolled into one product.
     
  19. Cutting_Edgetech

    Could someone tell me what the limitations are for the Demo version of MemProtect?
     
  20. WildByDesign

    @Cutting_Edgetech From ini file:
     
  21. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    84
    Deleted.
     
    Last edited: Nov 6, 2016
  22. Cutting_Edgetech

    Thank you! I had the last beta version of MemProtect that was released, but deleted it by mistake a moment ago. It's ok though, I may purchase the full version of MemProtect if I find it works with my setup.
     
  23. guest

    guest Guest

    There is a small tray-utility with the following options:
    * open/clear logfile
    * open/exchange config-file
    * start/stop/restart MemProtect
    * Install Mode On/Off

    but rules have still to be made with "notepad"
     
  24. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Awesome program, bought a license immediately.

    Just out of curiosity, I tried to find out what removing *>* in [whitelist] would do. Suffice to say, it was not a good idea :'(:argh:
     
  25. WildByDesign

    @FleischmannTV Also there is quite a big difference between [DEFAULTALLOW] and [#DEFAULTALLOW]. [#DEFAULTALLOW] would block everything that is not specifically allowed, therefore would require quite a bit more rules to configure and possibly more granular control. Whereas [DEFAULTALLOW] would be a more targeted approach with less rules that need to be applied. Myself personally, I've been really intrigued by MemProtect over the past few months and enjoying it. At the moment I am trying to create a bunch of different configs to share.
     