Some examples for protecting KeePass memory by running it as a Protected Process-Light (PPL) with MemProtect and fortifying it with the Windows OS built-in process mitigations. My testing has been done with Windows 10 Pro Creators Update (64-bit).

MemProtect.ini:

```ini
[#INSTALLMODE]
[#LETHAL]
[LOGGING]
[DEFAULTALLOW]
[WHITELIST]
# Protected Process - KeePass
!*KeePass.exe>*KeePass.exe
!C:\Windows\explorer.exe>*KeePass.exe
!C:\Windows\System32\*>*KeePass.exe
!*KeePass.exe>C:\Windows\System32\*
[BLACKLIST]
# Misc. Silence Rule Examples (Blocking access to KeePass)
$*\Office1?\*>*KeePass.exe
$*\Google\*>*KeePass.exe
# Blocking Protected Process from accessing Explorer
$*KeePass.exe>C:\Windows\explorer.exe
# Protected Process - KeePass
*>*KeePass.exe
*KeePass.exe>*
[EOF]
```

KeePass MitigationOptions (via GFlagsX):

MitigationOptions (HEX): 1111000101111105

KeePass process mitigations confirmed via Process Hacker:
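The MitigationOptions value GFlagsX writes is a 64-bit number in which each 4-bit field corresponds to one process mitigation, so the hex string above can be decoded without a running process. The script below is an added example (not from this thread and not part of GFlagsX, MemProtect or Process Hacker); the field layout follows the PROCESS_CREATION_MITIGATION_POLICY_* constants in the Windows SDK header winnt.h, and the mitigation names are the header's names, not Process Hacker's display strings.

```python
"""Decode an Image File Execution Options MitigationOptions value (the 64-bit
value that tools such as GFlagsX write for an executable) into the individual
process mitigations it requests.

Added example. Field offsets follow winnt.h
(PROCESS_CREATION_MITIGATION_POLICY_*_MASK): the lowest nibble is a set of
bit flags, every other nibble is an on/off/default field.
"""

# Bit offset of each 4-bit policy field and the winnt.h name of the mitigation.
NIBBLE_POLICIES = {
    8: "FORCE_RELOCATE_IMAGES",      # mandatory ASLR
    12: "HEAP_TERMINATE",
    16: "BOTTOM_UP_ASLR",
    20: "HIGH_ENTROPY_ASLR",
    24: "STRICT_HANDLE_CHECKS",
    28: "WIN32K_SYSTEM_CALL_DISABLE",
    32: "EXTENSION_POINT_DISABLE",
    36: "PROHIBIT_DYNAMIC_CODE",     # Arbitrary Code Guard (ACG)
    40: "CONTROL_FLOW_GUARD",
    44: "BLOCK_NON_MICROSOFT_BINARIES",
    48: "FONT_DISABLE",
    52: "IMAGE_LOAD_NO_REMOTE",
    56: "IMAGE_LOAD_NO_LOW_LABEL",
    60: "IMAGE_LOAD_PREFER_SYSTEM32",
}

# Bits 0-3 are individual flags rather than a single on/off field.
LOW_NIBBLE_FLAGS = {0x1: "DEP", 0x2: "DEP_ATL_THUNK", 0x4: "SEHOP"}

# Meaning of a policy field: 1 = ALWAYS_ON, 2 = ALWAYS_OFF, 0 = leave default.
FIELD_STATES = {0: "default", 1: "always on", 2: "always off"}


def decode_mitigation_options(hex_value: str) -> dict:
    """Return {mitigation name: state} for a MitigationOptions hex string."""
    value = int(hex_value, 16)
    if value >> 64:
        raise ValueError("MitigationOptions is a 64-bit value")
    result = {}
    low = value & 0xF
    for bit, name in LOW_NIBBLE_FLAGS.items():
        result[name] = "always on" if low & bit else "default"
    for shift, name in NIBBLE_POLICIES.items():
        field = (value >> shift) & 0xF
        # 3 is ALWAYS_ON_REQ_RELOCS for FORCE_RELOCATE_IMAGES and reserved elsewhere
        result[name] = FIELD_STATES.get(field, f"reserved ({field})")
    return result


def enabled_mitigations(hex_value: str) -> list:
    """Names of the mitigations the value forces on, sorted for stable output."""
    return sorted(n for n, s in decode_mitigation_options(hex_value).items()
                  if s == "always on")


if __name__ == "__main__":
    # The value posted for KeePass in this thread.
    for name, state in decode_mitigation_options("1111000101111105").items():
        print(f"{name:32} {state}")
```

Running it on the posted value shows twelve mitigations forced on, including IMAGE_LOAD_PREFER_SYSTEM32 (the "Prefer system32 images" entry discussed later in the thread), while WIN32K_SYSTEM_CALL_DISABLE and PROHIBIT_DYNAMIC_CODE are left at their defaults, which is consistent with a GUI application that still needs dynamic code.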
@ExtremeGamerBR @EASTER You're welcome. So essentially this is a memory sandbox for KeePass with additional process mitigations to protect the KeePass executable from any kind of DLL injection or unwanted memory access, to better protect the integrity of your password database. This still allows the Ctrl+Alt+A global Auto-Type to work correctly, which is great. There is also zero overhead with all of this additional protection. Windows Internals 7th Edition on Protected Process-Light: This quote is referring to anti-malware software services, of course. But the same could certainly be applied to the running KeePass process or any other process of value which could benefit from additional protection mechanisms.
I tested GFlagsX with 1111000101111105 and everything worked fine. This is my MemProtect .ini for KeePass:

```ini
[#INSTALLMODE]
[LETHAL]
[LOGGING]
[DEFAULTALLOW]
[WHITELIST]
!*KeePass.exe>*KeePass.exe
!C:\Windows\explorer.exe>*KeePass.exe
!C:\Windows\System32\*>*KeePass.exe
!*KeePass.exe>C:\Windows\System32\*
[BLACKLIST]
$*\VMware\*>*KeePass.exe
$*\Steam\*>*KeePass.exe
$*\Office1?\*>*KeePass.exe
$*\Chromium\*>*KeePass.exe
$*\Windows Defender\*>*KeePass.exe
$*\Process Lasso\*>*KeePass.exe
$*\Process Explorer\*>*KeePass.exe
$*\Process Hacker\*>*KeePass.exe
$*KeePass.exe>C:\Windows\explorer.exe
# Protected Process - KeePass
*>*KeePass.exe
*KeePass.exe>*
[EOF]
```

Then I tested what I can do with FIDES, so:

```ini
[#INSTALLMODE]
[LETHAL]
[LOGGING]
[WHITELISTMODIFY]
# [KeePass]
!D:\Programas\Keepass\KeePass.exe>X:\Documentos\Senhas
!D:\Programas\Keepass\KeePass.exe>D:\Programas\Keepass\*
# [Veracrypt]
!C:\Program Files\VeraCrypt\*>*
[BLACKLISTMODIFY]
# [KeePass]
*>D:\Programas\Keepass
*>X:\Documentos\Senhas
[WHITELISTREAD]
*>*
[BLACKLISTREAD]
[EOF]
```

This way, my KeePass database and program files stay absolutely protected against external changes. @WildByDesign, thank you again!

EDIT: Mine is not showing "Prefer system32 images", is this normal?
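Before loading a rule set like the MemProtect .ini above into a driver that runs in [LETHAL] mode, it helps to check on paper which source-to-target pairs it will allow or block. The script below is an added example, not MemProtect, FIDES or anything from the posts: it parses the `[WHITELIST]`/`[BLACKLIST]` sections of a MemProtect-style file and answers "may process A touch process B?" for a given pair. Its semantics are assumptions drawn from how the posted rules are used (whitelist consulted before blacklist, since `*>*KeePass.exe` is blacklisted while explorer.exe is whitelisted and Auto-Type still works; `*` and `?` as wildcards; case-insensitive paths; `$` marks a silent rule that blocks without logging; `[DEFAULTALLOW]` allows anything unmatched; `[#...]` is a commented-out directive). The FIDES sections (`[WHITELISTMODIFY]` and so on) are not modelled. The embedded rule set is a constructed subset of the one posted.

```python
"""Offline evaluator for MemProtect-style 'source>target' rules.

Added example; not the driver's own matching code. Precedence (whitelist
before blacklist), wildcard handling and the meaning of the '!' and '$'
prefixes are assumptions, labelled in the comments below.
"""
import re

# Constructed subset of the rules posted in this thread.
RULES_INI = r"""
[#INSTALLMODE]
[LETHAL]
[LOGGING]
[DEFAULTALLOW]
[WHITELIST]
!*KeePass.exe>*KeePass.exe
!C:\Windows\explorer.exe>*KeePass.exe
!C:\Windows\System32\*>*KeePass.exe
!*KeePass.exe>C:\Windows\System32\*
[BLACKLIST]
$*\Process Hacker\*>*KeePass.exe
$*KeePass.exe>C:\Windows\explorer.exe
# Protected Process - KeePass
*>*KeePass.exe
*KeePass.exe>*
[EOF]
"""


def parse_rules(text: str):
    """Return ({'WHITELIST': [...], 'BLACKLIST': [...]}, set_of_flags)."""
    sections = {"WHITELIST": [], "BLACKLIST": []}
    flags = set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            tag = line[1:-1]
            if tag == "EOF":
                break
            if tag.startswith("#"):                 # [#INSTALLMODE] = disabled directive
                continue
            if tag in sections:
                current = tag
            else:
                flags.add(tag)                      # LETHAL, LOGGING, DEFAULTALLOW, ...
            continue
        if current is None or ">" not in line:
            raise ValueError(f"malformed or misplaced rule: {line!r}")
        silent = line.startswith("$")               # assumption: '$' = block without logging
        src, dst = line.lstrip("!$").split(">", 1)  # assumption: '!' is only a rule marker
        sections[current].append((src, dst, silent))
    return sections, flags


def _glob(pattern: str, path: str) -> bool:
    """Case-insensitive match where '*' is any run and '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, path, re.IGNORECASE) is not None


def evaluate(sections, flags, source: str, target: str):
    """Return (decision, matching rule). Whitelist is checked first (assumption)."""
    for src, dst, _ in sections["WHITELIST"]:
        if _glob(src, source) and _glob(dst, target):
            return "allow", f"{src}>{dst}"
    for src, dst, silent in sections["BLACKLIST"]:
        if _glob(src, source) and _glob(dst, target):
            return ("block-silent" if silent else "block"), f"{src}>{dst}"
    return ("allow" if "DEFAULTALLOW" in flags else "block"), "default"


def decide(source: str, target: str, ini: str = RULES_INI):
    sections, flags = parse_rules(ini)
    return evaluate(sections, flags, source, target)


if __name__ == "__main__":
    keepass = r"C:\Program Files\KeePass\KeePass.exe"
    for src in (r"C:\Windows\explorer.exe",
                r"C:\Program Files\Process Hacker\ProcessHacker.exe",
                r"C:\Users\me\Downloads\unknown.exe"):
        print(f"{src} -> KeePass: {decide(src, keepass)}")
```

Running it shows explorer.exe allowed by the whitelist (so Auto-Type keeps working), Process Hacker blocked silently, and an unlisted program blocked with a log entry by the catch-all `*>*KeePass.exe` rule; it also makes visible that KeePass itself is confined to System32 targets by `*KeePass.exe>*`, which is worth knowing before enabling [LETHAL].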
Process Hacker isn't showing "Prefer system32 images"; it's a "Process Hacker thing": I'm not sure what version of Process Hacker you are using, but new mitigation strings were added in Oct. 2016. If you are using an older version, it isn't displaying "Prefer system32 images" because the mitigation string doesn't even exist in the source code.

```c
if (ShortDescription)
    *ShortDescription = PhCreateString(L"Prefer system32 images");
if (LongDescription)
    *LongDescription = PhCreateString(L"Forces images to load from the System32 folder in which Windows is installed first, then from the application directory before the standard DLL search order.\r\n");
```
Your version is "too old" (v2.39.124 = March 2016) and it doesn't contain the new mitigation string, which was added in Oct. 2016. @WildByDesign is probably using the nightly build of Process Hacker, which contains the latest changes/mitigation strings.
Now I see. Using version 3.0.687 (https://wj32.org/processhacker/nightly.php) and everything is working as expected.
I have been reading some more documentation from Microsoft regarding Process Mitigations, and more recent Microsoft documentation suggests that Arbitrary Code Guard (ACG) is a better and more powerful mitigation in comparison to all of the EMET ROP mitigations (PayloadRestrictions.dll). Essentially, ACG supersedes the PayloadRestrictions mitigations. Now, you cannot enable ACG and any of the PayloadRestrictions mitigations together, because ACG blocks them all, since the PayloadRestrictions mitigations involve injecting the EMET module (PayloadRestrictions.dll) into any process that has any of those mitigations enabled. (see: https://github.com/deroko/payloadrestrictions) So naturally, I have been doing a trial of switching as many of my apps over from PayloadRestrictions mitigations to ACG whenever possible. The performance is much better as well. Anyway, I was not able to enable ACG for KeePass 2.x because it involves dynamic code changes as normal operation. So ACG crashes 2.x builds. However, KeePass 1.x builds are a great candidate for enabling ACG, and so far my testing has been quite successful.