Smart Object Blocker (Block EXE, DLL, Drivers)

Tomin2009 · Mar 19, 2017

Both filesigher and processsigner, also publishsigner don't work anymore.

novirusthanks · Mar 19, 2017

@Tomin2009

Is that happening on Windows 10 and within processes that have double code signing?

For example: https://www.digicert.com/images/dual-signing/signature-verification.png

Tomin2009 · Mar 19, 2017

novirusthanks said: ↑

@Tomin2009

Is that happening on Windows 10 and within processes that have double code signing?

For example: https://www.digicert.com/images/dual-signing/signature-verification.png
Click to expand...

Is it a bug or my rule's fault?

guest · Mar 20, 2017

Try to remove the space between % and :

Code:

[%FILESIGNER%   : Beijing Funshion Online Technologies Ltd.]
=>
[%FILESIGNER%: Beijing Funshion Online Technologies Ltd.]

Tomin2009 · Mar 20, 2017

mood said: ↑
Try to remove the space between % and :
Code:
[%FILESIGNER%   : Beijing Funshion Online Technologies Ltd.]
=>
[%FILESIGNER%: Beijing Funshion Online Technologies Ltd.]
Click to expand...
Thanks, it's my fault.

EASTER · Mar 20, 2017

Any expected release projected for the new revised SOB yet?

guest · Mar 21, 2017

EASTER said: ↑

Any expected release projected for the new revised SOB yet?
Click to expand...

Andreas want releases new ERP first , so new SoB is paused.

guest · May 21, 2017

Smart Object Blocker v1.4 Released (21 May 2017)
http://www.novirusthanks.org/products/smart-object-blocker/

[21-05-2017] v1.4.0.0

+ Added option to disable protection from tray icon menu
+ Added option to delete log files older than N days
+ By default, log files older than 30 days are deleted
+ Some minor updates
Click to expand...

guest · May 22, 2017

Nice, a new tool to play with again, waited for it. but still no GUI

Tomin2009 · May 21, 2017

mood said: ↑

Smart Object Blocker v1.4 Released (21 May 2017)
http://www.novirusthanks.org/products/smart-object-blocker/
Click to expand...

Nice tool to replace Bouncer from Excubits.

Tomin2009 · Jun 27, 2017

Latest SOB 1.4 slows down loading of Edge a lot.

pcalvert · Nov 18, 2017

Having a GUI isn't always necessary or even desirable. If a config file is intelligently laid out and well commented, editing it is fairly easy.

Here's a (simple) example from a Linux firewall called FireHOL:
Code:
#
# $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
#
# This configuration file will allow all requests originating from the
# local machine to be send through all network interfaces.
#
# No requests are allowed to come from the network. The host will be
# completely stealthed! It will not respond to anything, and it will
# not be pingable, although it will be able to originate anything
# (even pings to other hosts).
#

version 5

# Accept all client traffic on any interface
interface any world
    client all accept
That's a very simple configuration, but a more complicated ruleset can be created without much difficulty.

guest · Nov 18, 2017

GUI isn't really needed but way more convenient to implement rules. i'm a busy man , i dont have time to waste typing hundreds of lines when it can be in minutes via a GUI.

pcalvert · Nov 18, 2017

themorpethian said: ↑

I have it set up this way, the blocked process and dll using %FILEPATH% and the exceptions using %FILESIGNER%

Code:

// Processes Rules [Behavioral Mode]

// Rules:
[%CMDLINE%: *rundll32*;*eval*(*]

// Rules:
//[%PROCESS%: C:\Users\*]
[%PROCESS%: D:\*]
[%PROCESS%: E:\*]
//My DVD [%PROCESS%: G:\*]
[%PROCESS%: H:\*]
[%PROCESS%: I:\*]
[%PROCESS%: J:\*]


[%FILEPATH%: %PROFILE%\*]
//[%FILEPATH%: %LOCALAPPDATA%\*]
//[%FILEPATH%: %APPDATA%\*]
[%FILEPATH%: %COMMONAPPDATA%\*]
//[%FILEPATH%: %WINDOWS%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\*]
[%FILEPATH%: %WINDOWS%\Tasks\*]
[%FILEPATH%: %WINDOWS%\Temp\*]
[%FILEPATH%: %WINDOWS%\Registration\CRMLog\*]
[%FILEPATH%: %WINDOWS%\System32\com\dmp\*]
[%FILEPATH%: %WINDOWS%\System32\FxsTmp\*]
[%FILEPATH%: %WINDOWS%\System32\spool\PRINTERS\*]
[%FILEPATH%: %WINDOWS%\System32\spool\drivers\color\*]
[%FILEPATH%: %WINDOWS%\System32\Tasks\*]
[%FILEPATH%: %WINDOWS%\SysWOW64\com\dmp\*]
[%FILEPATH%: %WINDOWS%\SysWOW64\FxsTmp\*]
[%FILEPATH%: %WINDOWS%\SysWOW64\Tasks\*]
[%FILEPATH%: %WINDOWS%\tracing\*]
[%FILEPATH%: %ROOT%\Documents and Settings\]
[%FILEPATH%: %ROOT%\RECYCLER\*]
[%FILEPATH%: %ROOT%\System Volume Information\*]
[%FILEPATH%: %ROOT%\PerfLogs\*]
[%FILEPATH%: %RECENT%\*]
[%FILEPATH%: %WINDOWS%\Prefetch\*]
[%FILEPATH%: *\$Recycle.Bin\*]
[%FILEPATH%: *\Recycle.Bin\*]


[%FILEPATH%: %TEMP%\*] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILEPATH%: %WINDOWS%\Temp\*] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILENAME%: rundll32.exe] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILENAME%: cmd.exe] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILENAME%: powershell*.exe] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILENAME%: regsvr32.exe] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILENAME%: wscript.exe] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILENAME%: cscript.exe] [%PARENTPROCESS%: *\plugin-container.exe]

[%FILEPATH%: %TEMP%\*] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILEPATH%: %WINDOWS%\Temp\*] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILENAME%: rundll32.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILENAME%: cmd.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILENAME%: powershell*.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILENAME%: regsvr32.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILENAME%: wscript.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILENAME%: cscript.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]

[%FILEPATH%: %TEMP%\*] [%PARENTPROCESS%: *\firefox.exe]
[%FILEPATH%: %WINDOWS%\Temp\*] [%PARENTPROCESS%: *\firefox.exe]
[%FILENAME%: rundll32.exe] [%PARENTPROCESS%: *\firefox.exe]
[%FILENAME%: cmd.exe] [%PARENTPROCESS%: *\firefox.exe]
[%FILENAME%: powershell*.exe] [%PARENTPROCESS%: *\firefox.exe]
[%FILENAME%: regsvr32.exe] [%PARENTPROCESS%: *\firefox.exe]
[%FILENAME%: wscript.exe] [%PARENTPROCESS%: *\firefox.exe]
[%FILENAME%: cscript.exe] [%PARENTPROCESS%: *\firefox.exe]

[%FILEPATH%: %TEMP%\*] [%PARENTPROCESS%: *\waterfox.exe]
[%FILEPATH%: %WINDOWS%\Temp\*] [%PARENTPROCESS%: *\waterfox.exe]
[%FILENAME%: rundll32.exe] [%PARENTPROCESS%: *\waterfox.exe]
[%FILENAME%: cmd.exe] [%PARENTPROCESS%: *\waterfox.exe]
[%FILENAME%: powershell*.exe] [%PARENTPROCESS%: *\waterfox.exe]
[%FILENAME%: regsvr32.exe] [%PARENTPROCESS%: *\waterfox.exe]
[%FILENAME%: wscript.exe] [%PARENTPROCESS%: *\waterfox.exe]
[%FILENAME%: cscript.exe] [%PARENTPROCESS%: *\waterfox.exe]

[%FILEPATH%: %TEMP%\*] [%PARENTPROCESS%: *\chrome.exe]
[%FILEPATH%: %WINDOWS%\Temp\*] [%PARENTPROCESS%: *\chrome.exe]
[%FILENAME%: rundll32.exe] [%PARENTPROCESS%: *\chrome.exe]
[%FILENAME%: cmd.exe] [%PARENTPROCESS%: *\chrome.exe]
[%FILENAME%: powershell*.exe] [%PARENTPROCESS%: *\chrome.exe]
[%FILENAME%: regsvr32.exe] [%PARENTPROCESS%: *\chrome.exe]
[%FILENAME%: wscript.exe] [%PARENTPROCESS%: *\chrome.exe]
[%FILENAME%: cscript.exe] [%PARENTPROCESS%: *\chrome.exe]

[%FILEPATH%: %TEMP%\*] [%PARENTPROCESS%: *\vivaldi.exe]
[%FILEPATH%: %WINDOWS%\Temp\*] [%PARENTPROCESS%: *\vivaldi.exe]
[%FILENAME%: rundll32.exe] [%PARENTPROCESS%: *\vivaldi.exe]
[%FILENAME%: cmd.exe] [%PARENTPROCESS%: *\vivaldi.exe]
[%FILENAME%: powershell*.exe] [%PARENTPROCESS%: *\vivaldi.exe]
[%FILENAME%: regsvr32.exe] [%PARENTPROCESS%: *\vivaldi.exe]
[%FILENAME%: wscript.exe] [%PARENTPROCESS%: *\vivaldi.exe]
[%FILENAME%: cscript.exe] [%PARENTPROCESS%: *\vivaldi.exe]

[%FILEPATH%: %TEMP%\*] [%PARENTPROCESS%: *\soffice.bin]
[%FILEPATH%: %WINDOWS%\Temp\*] [%PARENTPROCESS%: *\soffice.bin]
[%FILENAME%: rundll32.exe] [%PARENTPROCESS%: *\soffice.bin]
[%FILENAME%: cmd.exe] [%PARENTPROCESS%: *\soffice.bin]
[%FILENAME%: powershell*.exe] [%PARENTPROCESS%: *\soffice.bin]
[%FILENAME%: regsvr32.exe] [%PARENTPROCESS%: *\soffice.bin]
[%FILENAME%: wscript.exe] [%PARENTPROCESS%: *\soffice.bin]
[%FILENAME%: cscript.exe] [%PARENTPROCESS%: *\soffice.bin]

//Prevent commonly exploited processes from executing processes
[%PARENTPROCESS%: *\javaw.exe]
[%PARENTPROCESS%: *\iexplore.exe]
[%PARENTPROCESS%: *\firefox.exe]
[%PARENTPROCESS%: *\waterfox.exe]
[%PARENTPROCESS%: *\opera.exe]
[%PARENTPROCESS%: *\AcroRd32.exe]
[%PARENTPROCESS%: *\plugin-container.exe]
[%PARENTPROCESS%: *\chrome.exe]
[%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%PARENTPROCESS%: *\MicrosoftEdgeCP.exe]
[%PARENTPROCESS%: *\winword.exe]
[%PARENTPROCESS%: *\excel.exe]
[%PARENTPROCESS%: *\wmplayer.exe]
[%PARENTPROCESS%: *\skype.exe]
[%PARENTPROCESS%: *\safari.exe]
[%PARENTPROCESS%: *\vivaldi.exe]

//Block execution of 16-bit processes
[%FILEPATH%: *:\WINDOWS\System32\NTVDM*]

//Block command-line strings used by Cryptolocker family
[%PROCESSCMDLINE%: *rundll32*Shell32.dll*Control_RunDLL*\*.exe*]
[%PROCESSCMDLINE%: *rundll32*javascript:*]
[%PROCESSCMDLINE%: *rundll32*;*eval*(*]
[%PROCESSCMDLINE%: *vssadmin*Delete*Shadows*/All*/Quiet*]
[%PROCESSCMDLINE%: *bcdedit*/set*recoveryenabled* No*]
[%PROCESSCMDLINE%: *bcdedit*/set*bootstatuspolicy*ignoreallfailures*]
[%PROCESSCMDLINE%: *bcdedit*-set*loadoptions*DDISABLE_INTEGRITY_CHECKS*]
[%PROCESSCMDLINE%: *bcdedit*/deletevalue*safeboot*/set*safebootalternateshell*false*]

And the allowed exceptions Process and dll exceptions using %FILESIGNER%

Code:

// Processes Rules [Behavioral Mode - Exclusions]

// Rules
// Software that updates itself
//Avira Free
[%FILE%: %TEMP%\*] [%FILESIGNER%: Avira Operations GmbH & Co. KG]
[%PROCESS%: %TEMP%\*] [%FILESIGNER%: Avira Operations GmbH & Co. KG]
[%FILENAME%: WixStdBA.dll] [%PROCESS%: *\avira*.exe]

//Voodoshield
[%FILENAME%: %TEMP%\*] [%FILESIGNER%: VoodooSoft, LLC]
[%PROCESS%: %TEMP%\*] [%FILESIGNER%: VoodooSoft, LLC]
[%FILENAME%: InstallVoodooShield*.tmp ] [%PARENTPROCESS%: *\InstallVoodooShield*.exe]

//Vivaldi
[%FILEPATH%: %TEMP%\*] [%FILESIGNER%: Vivaldi Technologies AS]
[%PROCESS%: %TEMP%\*] [%FILESIGNER%: Vivaldi Technologies AS]
[%FILESIGNER%: Vivaldi Technologies AS] [%PARENTPROCESS%: *\vivaldi.exe]
[%FILEPATH%: %LOCALAPPDATA%\Vivaldi\*]
[%FILEPATH%: %APPDATA%\Vivaldi\*]  [%FILESIGNER%: Vivaldi Technologies AS]
//[%FILE%:  C:\Users\Steve\AppData\Local\Vivaldi\Application\vivaldi.exe]
//[%FILENAME%: vivaldi.exe] [%PARENTPROCESS%: *\explorer.exe]
//[%FILE%: %WINDOWS%\splwow64.exe] [%PARENTPROCESS%: *\vivaldi.exe]
//[%FILENAME%: explorer.exe] [%PARENTPROCESS%: *\vivaldi.exe]


//Zemana
[%FILEPATH%: %TEMP%\*] [%FILESIGNER%: Zemana Ltd.]
[%PROCESS%: %TEMP%\*] [%FILESIGNER%: Zemana Ltd.]
[%FILESIGNER%: Zemana Ltd.] [%PARENTPROCESS%: *\Zam.exe]

//Opera
[%FILEPATH%: %TEMP%\*] [%FILESIGNER%: Opera Software ASA]
[%PROCESS%: %TEMP%\*] [%FILESIGNER%: Opera Software ASA]
[%FILESIGNER%: Opera Software ASA] [%PARENTPROCESS%: *\opera.exe]

//Auslogics
[%FILE%PATH: %TEMP%\*] [%FILESIGNER%: Auslogics Labs Pty Ltd]
[%PROCESS%: %TEMP%\*] [%FILESIGNER%: Auslogics Labs Pty Ltd]

//google
[%FILEPATH%: %TEMP%\*] [%FILESIGNER%: Google Inc]
[%PROCESS%: %TEMP%\*] [%FILESIGNER%: Google Inc]
[%FILESIGNER%: Google Inc] [%PARENTPROCESS%: *\chrome.exe]
[%FILEPATH%: %LOCALAPPDATA%\Google\*] [%SIGNER%: Google Inc]
[%FILE%:  %LOCALAPPDATA%\Google\Chrome SxS\Application\chrome.exe]
//[%FILE%: %WINDOWS%\splwow64.exe] [%PARENTPROCESS%: *\chrome.exe]
//[%FILENAME%: explorer.exe] [%PARENTPROCESS%: *\chrome.exe]
[%FILEPATH%: %LOCALAPPDATA%\Google\*]
//[%FILEPATH%: %LOCALAPPDATA%\Chromium\*]

//Microsoft
[%FILEPATH%: %TEMP%\*] [%FILESIGNER%: Microsoft Corporation]
[%PROCESS%: %TEMP%\*] [%FILESIGNER%: Microsoft Corporation]
[%FILEPATH%: %WINDOWS%\Temp\*] [%FILESIGNER%: Microsoft Corporation]

//Piriform Ltd Disk Defrag
[%FILE%PATH%: %TEMP%\*] [%FILESIGNER%: Piriform Ltd]
[%PROCESS%: %TEMP%\*] [%FILESIGNER%: Piriform Ltd]
[%FILESIGNER%: Piriform Ltd] [%PROCESS%: *\CCleaner64.exe]

//Malwarebytes
[%FILEPATH%: %TEMP%\*] [%FILESIGNER%: Malwarebytes Corporation]
[%PROCESS%: %TEMP%\*] [%FILESIGNER%: Malwarebytes Corporation]
[%PARENTPROCESS%: C:\ProgramData\Malwarebytes\Malwarebytes Anti-malware\mbam-setup.exe]
[%FILENAME%: mbam-setup.tmp] [%PARENTPROCESS%: *\mbam-setup.exe]
[%FILESIGNER%: Malwarebytes Corporation] [%PROCESS%: *\mbam.exe]

//Firefox
[%FILE%PATH%: %TEMP%\*] [%FILESIGNER%: Mozilla Corporation]
[%PROCESS%: %TEMP%\*] [%FILESIGNER%: Mozilla Corporation]
[%FILESIGNER%: Mozilla Corporation] [%PARENTPROCESS%: *\firefox.exe]
[%FILEPATH%: %LOCALAPPDATA%\Mozilla\*] [%SIGNER%: Mozilla Corporation]
[%FILEPATH%: %APPDATA%\Mozilla\*] [%SIGNER%: Mozilla Corporation]
//[%FILE%: %WINDOWS%\splwow64.exe] [%PARENTPROCESS%: *\firefox.exe]
//[%FILENAME%: helper.exe] [%PARENTPROCESS%: *\firefox.exe]

//Waterfox
[%FILEPATH%: %TEMP%\*] [%FILESIGNER%: Waterfox Ltd.]
[%PROCESS%: %TEMP%\*] [%FILESIGNER%: Waterfox Ltd.]
[%FILEPATH%: %LOCALAPPDATA%\Mozilla\*] [%SIGNER%: Waterfox Ltd.]
[%FILEPATH%: %APPDATA%\Mozilla\*] [%SIGNER%: Waterfox Ltd.]
[%FILESIGNER%: Waterfox Ltd.] [%PARENTPROCESS%: *\waterfox.exe]
//[%FILE%: %WINDOWS%\splwow64.exe] [%PARENTPROCESS%: *\waterfox.exe]
//[%FILENAME%: helper.exe] [%PARENTPROCESS%: *\waterfox.exe]

// Allow system files
[%FILEPATH%: %WINDOWS%\*]
[%FILEPATH%: %PROGRAMFILES%\*\*]
[%FILEPATH%: %PROGRAMFILESX86%\*\*]
//[%FILE%: %WINDIR%\system32\WerFault.exe]
//[%FILEPATH%: %WINDIR%\Temp\??_?????.tmp\setup.exe
//[%FILEPATH%: %WINDIR%\Temp\????????-????-????-????-????????????\*
//[%FILEPATH%: %WINDIR%\Temp\{????????-????-????-????-????????????}\*
//[%FILEPATH%: %WINDIR%\Temp\DPTF\*
//[%FILEPATH%: %WINDIR%\AppPatch\*
//[%FILEPATH%: %WINDIR%\assembly\*
//[%FILEPATH%: %WINDIR%\Branding\*
//[%FILEPATH%: %WINDIR%\ImmersiveControlPanel\*
//[%FILEPATH%: %WINDIR%\Installer\*
//[%FILEPATH%: %WINDIR%\Microsoft.NET\*
//[%FILEPATH%: %WINDIR%\servicing\*
//[%FILEPATH%: %WINDIR%\SoftwareDistribution\*
//[%FILEPATH%: %WINDIR%\System32\*
//[%FILEPATH%: %WINDIR%\SystemApps\*
//[%FILEPATH%: %WINDIR%\SysWOW64\*
//[%FILEPATH%: %WINDIR%\twain_32\*
//[%FILEPATH%: %WINDIR%\WinStore\*
//[%FILEPATH%: %WINDIR%\WinSxS\*
[%FILE%: %WINDIR%\explorer.exe]
[%FILE%: %WINDIR%\notepad.exe]
[%FILE%: %WINDIR%\splwow64.exe]
[%FILE%: %WINDIR%\Temp\MPGEAR.DLL]
[%FILE%: %WINDIR%\Temp\MPENGINE.DLL]
[%FILE%: %WINDIR%\Temp\???????.tmp\*]



[%FILEPATH%: %PROFILE%\Downloads\*]
[%FILEPATH%: %DESKTOPDIRECTORY%\My Space\*]
[%FILEPATH%: %LOCALAPPDATA%\Microsoft\OneDrive\*]
[%FILEPATH%: %COMMONAPPDATA%\Malwarebytes\*]
[%FILEPATH%: %COMMONAPPDATA%\Macrium\*]
[%FILEPATH%: %ROOT%\AMD\*
[%FILEPATH%: %COMMONAPPDATA%\EPSON\*]


[%PROCESS%: *:\WINDOWS\*]
[%PROCESS%: %PROGRAMFILES%\*]
[%PROCESS%: %PROGRAMFILESX86%\*]
[%PROCESS%: %WINDIR%\Temp\??_?????.tmp\setup.exe
[%PROCESS%: %WINDIR%\Temp\????????-????-????-????-????????????\*
[%PROCESS%: %WINDIR%\Temp\{????????-????-????-????-????????????}\*
[%PROCESS%: %WINDIR%\Temp\DPTF\*
[%PROCESS%: %WINDIR%\AppPatch\*
[%PROCESS%: %WINDIR%\assembly\*
[%PROCESS%: %WINDIR%\Branding\*
[%PROCESS%: %WINDIR%\ImmersiveControlPanel\*
[%PROCESS%: %WINDIR%\Installer\*
[%PROCESS%: %WINDIR%\Microsoft.NET\*
[%PROCESS%: %WINDIR%\servicing\*
[%PROCESS%: %WINDIR%\SoftwareDistribution\*
[%PROCESS%: %WINDIR%\System32\*
[%PROCESS%: %WINDIR%\SystemApps\*
[%PROCESS%: %WINDIR%\SysWOW64\*
[%PROCESS%: %WINDIR%\twain_32\*
[%PROCESS%: %WINDIR%\WinStore\*
[%PROCESS%: %WINDIR%\WinSxS\*
[%PROCESS%: %WINDIR%\explorer.exe
[%PROCESS%: %WINDIR%\notepad.exe
[%PROCESS%: %WINDIR%\splwow64.exe
[%PROCESS%: %WINDIR%\Temp\MPGEAR.DLL
[%PROCESS%: %WINDIR%\Temp\MPENGINE.DLL
[%PROCESS%: %WINDIR%\Temp\???????.tmp\*
//[%PROCESS%: %PROFILE%\steve\downloads\*


//Allow commonly exploited processes to execute processes signed by the same vendor
[%FILESIGNER%: Skype Software Sarl] [%PARENTPROCESS%: *\Skype.exe]
[%FILESIGNER%: Oracle America] [%PARENTPROCESS%: *\javaw.exe]
[%FILESIGNER%: Adobe Systems] [%PARENTPROCESS%: *\AcroRd32.exe]
[%FILESIGNER%: Apple Inc.] [%PARENTPROCESS%: *\safari.exe]

Basically %FILEPATH% used to block as with bouncer ,SSRP etc:, but using %FILESIGNER% to allow the publisher to install and update the own software.

Needs cleaned up but I rem out lines and keep trying different scenarios.

I will gladly put the Block and Behavioral Exceptions folders on my onedrive so all you have to do is replace them in your SOB folder.

Click to expand...

I like what you've done with this. Are you still using SOB and, if so, have you made any further refinements to your configuration?

Phil

themorpethian · Nov 24, 2017

pcalvert said: ↑

I like what you've done with this. Are you still using SOB and, if so, have you made any further refinements to your configuration?

Phil
Click to expand...

Pcalvert,
Sorry just seen your post. Basically no, had a lot of problems with it on the creators update.
Just going back to Simple Software Restriction Policy with Controlled Folder Access and some Exploit Guard protections.
If you want, after Ive tested these I'll give SOB another go!

BlackBox Hacker · Jan 12, 2018

novirusthanks said: ↑
I don't think you tested SOB correctly

With SOB you need to write your own custom rules.

Here is my rule (DLL.db) to block loading of DLLs on Desktop:
Code:
// Block loading of DLLs located on Desktop
[%FILE%: C:\Users\Dev\Desktop\*]
And here is SOB that blocked the loading of poc.dll file:

View attachment 259807

SOB is for experienced users who can write their own custom processes\dlls\drivers rules to block or allow what they want.

It comes with just a few sample rules to show how they are created, but they need to be tweaked as per needed.

However, for SOB-related questions please post on SOB thread

Also please use [ code ] when posting codes or logs.
Click to expand...
Very good point, but I would use a rule like this:
Code:
// Block loading of DLLs located on User Accounts
[%FILE%: C:\Users\*]
That should fix the security issues here, but what if the hacker creates the folder 'C:\User' path would this still be a security problem? And I don't think you can block the whole drive for example: 'C:\*' path? That would be very bad, because none of your DLL files will load into system memory! Well at least it's some protection against Cyber criminals. I also forgot that DLL exploits will load into memory using path: 'C:\Windows' as well.

Log:
Code:
[12/01/2018 14:44:13] Blocked DLL: C:\Users\BlackBox\Desktop\poc.dll
Rule: [%FILE%: C:\Users\*]
ImageBase: 0x64DC0000
EntryPoint: 0x64DC1000
SizeOfImage: 0x8000
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent: C:\Program Files\Google\Chrome\Application\chrome.exe
ProcessId: 340
ThreadId: 2792


[12/01/2018 14:44:23] Blocked DLL: C:\Users\BlackBox\Desktop\poc.dll
Rule: [%FILE%: C:\Users\*]
ImageBase: 0x64DC0000
EntryPoint: 0x64DC1000
SizeOfImage: 0x8000
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent: C:\Program Files\Google\Chrome\Application\chrome.exe
ProcessId: 340
ThreadId: 2456


[12/01/2018 14:46:17] Blocked DLL: C:\Windows\System32\igfxpph.dll
Rule: [%FILE%: C:\Windows\*]
ImageBase: 0x3BB0000
EntryPoint: 0x3BC5028
SizeOfImage: 0x36000
Process: C:\Windows\explorer.exe
Parent:
ProcessId: 1628
ThreadId: 3740


[12/01/2018 14:46:17] Blocked DLL: C:\Windows\System32\hccutils.dll
Rule: [%FILE%: C:\Windows\*]
ImageBase: 0x35D0000
EntryPoint: 0x35D9A8F
SizeOfImage: 0x1A000
Process: C:\Windows\explorer.exe
Parent:
ProcessId: 1628
ThreadId: 3740


[12/01/2018 14:52:45] Blocked DLL: C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23721_none_5c052bcda00f9399\GdiPlus.dll
Rule: [%FILE%: C:\Windows\*]
ImageBase: 0x74060000
EntryPoint: 0x740FD453
SizeOfImage: 0x191000
Process: C:\Windows\System32\consent.exe
Parent: C:\Windows\System32\svchost.exe
ProcessId: 2928
ThreadId: 3864


[12/01/2018 14:55:02] Blocked DLL: C:\Windows\WINDOWS\poc.dll
Rule: [%FILE%: C:\Windows\*]
ImageBase: 0x64DC0000
EntryPoint: 0x64DC1000
SizeOfImage: 0x8000
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent: C:\Program Files\Google\Chrome\Application\chrome.exe
ProcessId: 340
ThreadId: 452
This is also blocking system folder drivers is there anyway to fix this?

I don't need this part:
Code:
//Prevent commonly exploited processes from executing processes
[%PARENTPROCESS%: *\javaw.exe]
[%PARENTPROCESS%: *\iexplore.exe]
[%PARENTPROCESS%: *\firefox.exe]
[%PARENTPROCESS%: *\waterfox.exe]
[%PARENTPROCESS%: *\opera.exe]
[%PARENTPROCESS%: *\AcroRd32.exe]
[%PARENTPROCESS%: *\plugin-container.exe]
[%PARENTPROCESS%: *\chrome.exe]
[%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%PARENTPROCESS%: *\MicrosoftEdgeCP.exe]
[%PARENTPROCESS%: *\winword.exe]
[%PARENTPROCESS%: *\excel.exe]
[%PARENTPROCESS%: *\wmplayer.exe]
[%PARENTPROCESS%: *\skype.exe]
[%PARENTPROCESS%: *\safari.exe]

BlackBox Hacker · Jan 12, 2018

(SOB) Smart Object Blocker hacked!

Code:


                                          DLL Operation Report
                                                  produced by RemoteDLL

               (For latest version visit http://SecurityXploded.com/remotedll.php)


 Username: BlackBox


 Detailed DLL Operation Report
 ***********************************************************************************


 Starting the 'Inject DLL' Operation...
     Process = Calc.exe
     Inject DLL = C:\poc.dll
     Injection Method = CreateRemoteThread


 Step 1 => Opening target process [3280 - Calc.exe] for DLL Injection
     Success


 Step 2 => Writing the DLL Path Name [C:\poc.dll] into target process
     Success


 Step 3 => [Defeat ASLR] Calculating the LoadLibrary function address on target process
     Successfully got the address of Kernel32.dll on target process
     Address of Kernel32.dll [Target Process] = 0x76470000
     Address of LoadLibrary [Target Process] = 0x764BDE85


 Step 4 => Injecting the DLL into target process using the method 'CreateRemoteThread'
     Waiting for Remote Thread to Terminate...
     Address of Injected DLL [C:\poc.dll] in target process = 0x64DC0000


 Successfully Injected the DLL into target process !!!

 ***********************************************************************************

There is no way that you can block this attack. You can also inject Web Browsers as well, this would bypass your firewall rules nice! Try injecting into your ftp process as well?

Code:

        DLL Operation Report
                                                  produced by RemoteDLL

               (For latest version visit http://SecurityXploded.com/remotedll.php)


 Username: BlackBox


 Detailed DLL Operation Report
 ***********************************************************************************


 Starting the 'Inject DLL' Operation...
     Process = Ftp.exe
     Inject DLL = C:\poc.dll
     Injection Method = CreateRemoteThread


 Step 1 => Opening target process [2732 - Ftp.exe] for DLL Injection
     Success


 Step 2 => Writing the DLL Path Name [C:\poc.dll] into target process
     Success


 Step 3 => [Defeat ASLR] Calculating the LoadLibrary function address on target process
     Successfully got the address of Kernel32.dll on target process
     Address of Kernel32.dll [Target Process] = 0x76470000
     Address of LoadLibrary [Target Process] = 0x764BDE85


 Step 4 => Injecting the DLL into target process using the method 'CreateRemoteThread'
     Waiting for Remote Thread to Terminate...
     Address of Injected DLL [C:\poc.dll] in target process = 0x64DC0000


 Successfully Injected the DLL into target process !!!

 ***********************************************************************************

BlackBox Hacker · Jan 12, 2018

Last logs now this Security is not for me!

Code:


                                          DLL Operation Report
                                                  produced by RemoteDLL

               (For latest version visit http://SecurityXploded.com/remotedll.php)


 Username: BlackBox


 Detailed DLL Operation Report
 ***********************************************************************************


 Starting the 'Inject DLL' Operation...
     Process = Chrome.exe
     Inject DLL = C:\poc.dll
     Injection Method = CreateRemoteThread


 Step 1 => Opening target process [3384 - Chrome.exe] for DLL Injection
     Success


 Step 2 => Writing the DLL Path Name [C:\poc.dll] into target process
     Success


 Step 3 => [Defeat ASLR] Calculating the LoadLibrary function address on target process
     Successfully got the address of Kernel32.dll on target process
     Address of Kernel32.dll [Target Process] = 0x76470000
     Address of LoadLibrary [Target Process] = 0x764BDE85


 Step 4 => Injecting the DLL into target process using the method 'CreateRemoteThread'
     Waiting for Remote Thread to Terminate...
     Address of Injected DLL [C:\poc.dll] in target process = 0x64DC0000


 Successfully Injected the DLL into target process !!!

 ***********************************************************************************



 DLL Operation Report
                                                  produced by RemoteDLL

               (For latest version visit http://SecurityXploded.com/remotedll.php)


 Username: BlackBox


 Detailed DLL Operation Report
 ***********************************************************************************


 Starting the 'Inject DLL' Operation...
     Process = Chrome.exe
     Inject DLL = C:\Windows\poc.dll
     Injection Method = CreateRemoteThread


 Step 1 => Opening target process [2468 - Chrome.exe] for DLL Injection
     Success


 Step 2 => Writing the DLL Path Name [C:\Windows\poc.dll] into target process
     Success


 Step 3 => [Defeat ASLR] Calculating the LoadLibrary function address on target process
     Successfully got the address of Kernel32.dll on target process
     Address of Kernel32.dll [Target Process] = 0x76470000
     Address of LoadLibrary [Target Process] = 0x764BDE85


 Step 4 => Injecting the DLL into target process using the method 'CreateRemoteThread'
     Waiting for Remote Thread to Terminate...
     Address of Injected DLL [C:\Windows\poc.dll] in target process = 0x64DC0000


 Successfully Injected the DLL into target process !!!

 ***********************************************************************************

guest · Jan 12, 2018

Starting the 'Inject DLL' Operation...
Process = Calc.exe
[...]
Click to expand...

First your program (RemoteDLL) must be executed and how will it reach the system?
The user is visiting a malicious website, RemoteDLL is being downloaded and it will be executed?
With proper rules the browser or other vulnerable applications (it depends on the configuration) can be prevented from executing any files (for example with [%PARENTPROCESS%])
And In Lockdown any unknown file/dll/driver will be blocked from executing.

SOB isn't monitoring the memory of processes, and it is no anti-exploit.
SOB monitors all processes, dll's and drivers loaded in the system.

Normally files are dropped into the directory of the user or to \AppData\*
Now, after switching to Lockdown (unknown files/dll's/drivers are blocked) and proper %PARENTPROCESS%-rules, dropped files are most likely blocked.
Files might be dropped to C:\Windows\ but administrator privileges are needed.

BlackBox Hacker · Jan 12, 2018

mood said: ↑

First your program (RemoteDLL) must be executed and how will it reach the system?
The user is visiting a malicious website, RemoteDLL is being downloaded and it will be executed?
With proper rules the browser or other vulnerable applications (it depends on the configuration) can be prevented from executing any files (for example with [%PARENTPROCESS%])
And In Lockdown any unknown file/dll/driver will be blocked from executing.

SOB isn't monitoring the memory of processes, and it is no anti-exploit.
SOB monitors all processes, dll's and drivers loaded in the system.

Normally files are dropped into the directory of the user or to \AppData\*
Now, after switching to Lockdown (unknown files/dll's/drivers are blocked) and proper %PARENTPROCESS%-rules, dropped files are most likely blocked.
Files might be dropped to C:\Windows\ but administrator privileges are needed.
Click to expand...

Yes, I have all kinds of UAC exploits for all versions of Windows this also includes Linux as well!

Link:~ Removed VirusTotal Results as per Policy ~

Download link: https://blackboxhcker.blogspot.co.uk/2017/06/bypassuac-hacking-tool-new-malware-zer0.html

If you like SOB use it don't let me explain any more about this it's pointless really? The facts are there in logs and in my own mind are already made up and so is yours.

guest · Apr 20, 2018

@novirusthanks Any ETA for a new build? one that will be updated for Win10 Spring (not asking new features).

EASTER · Apr 20, 2018

guest said: ↑

@novirusthanks Any ETA for a new build? one that will be updated for Win10 Spring (not asking new features).
Click to expand...

Good question. Would like to learn this too.

This is actually the first time that I've gave serious attention to SOB and it's a sweet piece of cake.

However I think I will ask for a new feature. A corner screen toast pop up would be a PLUS!

novirusthanks · Apr 20, 2018

Yes, we should update the drivers (co-signed by MS) on the next week.

EASTER · Apr 20, 2018

On second thought, and operation, Nix that request.

The tray alert balloon is super rapid enough!

A really fine fashioned monitor driver. I'm sure that was intended from the beginning.

guest · Apr 21, 2018

novirusthanks said: ↑

Yes, we should update the drivers (co-signed by MS) on the next week.
Click to expand...

Awesome

Log in or Sign up

Smart Object Blocker (Block EXE, DLL, Drivers)

Tomin2009 Registered Member

novirusthanks Developer

Tomin2009 Registered Member

guest Guest

Tomin2009 Registered Member

EASTER Registered Member

guest Guest

guest Guest

guest Guest

Tomin2009 Registered Member

Tomin2009 Registered Member

pcalvert Registered Member

guest Guest

pcalvert Registered Member

themorpethian Registered Member

BlackBox Hacker Guest

BlackBox Hacker Guest

BlackBox Hacker Guest

guest Guest

BlackBox Hacker Guest

guest Guest

EASTER Registered Member

novirusthanks Developer

EASTER Registered Member

guest Guest

Log in or Sign up

Smart Object Blocker (Block EXE, DLL, Drivers)

Tomin2009 Registered Member

novirusthanks Developer

Tomin2009 Registered Member

guest Guest

Tomin2009 Registered Member

EASTER Registered Member

guest Guest

guest Guest

guest Guest

Tomin2009 Registered Member

Tomin2009 Registered Member

pcalvert Registered Member

guest Guest

pcalvert Registered Member

themorpethian Registered Member

BlackBox Hacker Guest

BlackBox Hacker Guest

BlackBox Hacker Guest

guest Guest

BlackBox Hacker Guest

guest Guest

EASTER Registered Member

novirusthanks Developer

EASTER Registered Member

guest Guest

Useful Searches