NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Last edited by a moderator: Jan 11, 2018
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Yes, intentional check.
    I did not install test 22 (first setup file).
     
    Last edited: Jan 11, 2018
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Good, thanks for the info.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    OSArmor is turning out so powerful. Nation State Players may decide they don't like OSArmor lol. Using it in combination with other tools will definitely make it very hard to bypass.
     
  5. Mbae-test just bypassed the 'osarmor_setup_1.4_test23' version hahaha. Also very good options for the basic OSArmor 1.3.0.0 and the advanced osarmor_setup_1.4_test23, but it failed my security pentests. I have that many security tests! I gave up when the 'Google Chrome' process was bypassed: game over, firewall access! I'm installing EMET 5.5 Software with Privatefirewall 7.0 Software, much better security with HIPS Protection! You must block all Zer0-day exploits from executing code! I only had to test one code injection method called 'CreateRemoteThread', the basic technique.

    :eek:

    Log:
    Date/Time: 12/01/2018 01:26:02
    Process: [1584]C:\Users\BlackBox\Desktop\test.pif
    Parent: [1684]C:\Windows\explorer.exe
    Rule: BlockPIFExt
    Rule Name: Block execution of processes with .pif extension
    Command Line: "C:\Users\BlackBox\Desktop\test.pif"
    Signer:
    Parent Signer:

    Date/Time: 12/01/2018 01:26:12
    Process: [2288]C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.00f\Perl_Exploit\bin\perl.exe
    Parent: [1780]C:\Users\BlackBox\Desktop\exploit.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.00f\Perl_Exploit\bin\perl.exe" C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.00f\Perl_Exploit\bin\update.pl
    Signer:
    Parent Signer:



    DLL Operation Report
    produced by RemoteDLL

    (For latest version visit http://SecurityXploded.com/remotedll.php)


    Username: BlackBox


    Detailed DLL Operation Report
    ***********************************************************************************


    Starting the 'Inject DLL' Operation...
    Process = Chrome.exe
    Inject DLL = C:\Users\BlackBox\Desktop\poc.dll
    Injection Method = CreateRemoteThread


    Step 1 => Opening target process [3860 - Chrome.exe] for DLL Injection
    Success


    Step 2 => Writing the DLL Path Name [C:\Users\BlackBox\Desktop\poc.dll] into target process
    Success


    Step 3 => [Defeat ASLR] Calculating the LoadLibrary function address on target process
    Successfully got the address of Kernel32.dll on target process
    Address of Kernel32.dll [Target Process] = 0x77DC0000
    Address of LoadLibrary [Target Process] = 0x77E0DE85


    Step 4 => Injecting the DLL into target process using the method 'CreateRemoteThread'
    Waiting for Remote Thread to Terminate...
    Address of Injected DLL [C:\Users\BlackBox\Desktop\poc.dll] in target process = 0x64DC0000


    Successfully Injected the DLL into target process !!!

    ***********************************************************************************
     
    Last edited by a moderator: Jan 11, 2018
  6. Osarmor_setup_1.4_test23 tries to block some UAC exploits, but fails: the process can still load into memory, plus it can cause damage to your computer system when exploits can't finish code! And there are command line UAC tools that can bypass UAC as well!

    :eek:

    Log:
    Date/Time: 12/01/2018 01:26:02
    Process: [1584]C:\Users\BlackBox\Desktop\test.pif
    Parent: [1684]C:\Windows\explorer.exe
    Rule: BlockPIFExt
    Rule Name: Block execution of processes with .pif extension
    Command Line: "C:\Users\BlackBox\Desktop\test.pif"
    Signer:
    Parent Signer:

    Date/Time: 12/01/2018 01:26:12
    Process: [2288]C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.00f\Perl_Exploit\bin\perl.exe
    Parent: [1780]C:\Users\BlackBox\Desktop\exploit.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.00f\Perl_Exploit\bin\perl.exe" C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.00f\Perl_Exploit\bin\update.pl
    Signer:
    Parent Signer:

    Date/Time: 12/01/2018 02:10:49
    Process: [860]C:\Windows\System32\cmd.exe
    Parent: [2884]C:\Windows\System32\eventvwr.exe
    Rule: AntiExploitMicrosoftEventViewer
    Rule Name: (Anti-Exploit) Protect Microsoft Event Viewer
    Command Line: "cmd.exe" /cC:\Users\BlackBox\Desktop\installer.exe
    Signer:
    Parent Signer:
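    The OSArmor log entries quoted in the two posts above have a regular, line-oriented shape (one `Key: value` line per field, records separated by a blank line), which makes them easy to parse for triage. The following is an added example written for this page, not code from OSArmor or NoVirusThanks; it assumes only the field names visible in the quoted logs, and the sample text is a constructed re-typing of those three entries. The two triage helpers (unsigned binaries blocked under a user profile, and a console spawned by a Windows utility other than Explorer) are illustrative review filters, not OSArmor rules.

    ```python
    import re
    from collections import Counter
    from dataclasses import dataclass

    # Constructed sample: the three OSArmor block entries quoted in the posts above,
    # re-typed here so the parser can run offline.
    SAMPLE_LOG = r"""
    Log:
    Date/Time: 12/01/2018 01:26:02
    Process: [1584]C:\Users\BlackBox\Desktop\test.pif
    Parent: [1684]C:\Windows\explorer.exe
    Rule: BlockPIFExt
    Rule Name: Block execution of processes with .pif extension
    Command Line: "C:\Users\BlackBox\Desktop\test.pif"
    Signer:
    Parent Signer:

    Date/Time: 12/01/2018 01:26:12
    Process: [2288]C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.00f\Perl_Exploit\bin\perl.exe
    Parent: [1780]C:\Users\BlackBox\Desktop\exploit.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.00f\Perl_Exploit\bin\perl.exe" C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.00f\Perl_Exploit\bin\update.pl
    Signer:
    Parent Signer:

    Date/Time: 12/01/2018 02:10:49
    Process: [860]C:\Windows\System32\cmd.exe
    Parent: [2884]C:\Windows\System32\eventvwr.exe
    Rule: AntiExploitMicrosoftEventViewer
    Rule Name: (Anti-Exploit) Protect Microsoft Event Viewer
    Command Line: "cmd.exe" /cC:\Users\BlackBox\Desktop\installer.exe
    Signer:
    Parent Signer:
    """

    # "[1584]C:\path\to\binary.exe" -> pid and path
    PROC_RE = re.compile(r"^\[(\d+)\](.*)$")


    @dataclass
    class BlockEvent:
        timestamp: str
        pid: int
        process: str
        parent_pid: int
        parent: str
        rule: str
        rule_name: str
        command_line: str
        signer: str
        parent_signer: str


    def _split_proc(field):
        m = PROC_RE.match(field)
        if not m:
            raise ValueError(f"unexpected process field: {field!r}")
        return int(m.group(1)), m.group(2)


    def _to_event(fields):
        pid, proc = _split_proc(fields["Process"])
        ppid, parent = _split_proc(fields["Parent"])
        return BlockEvent(fields["Date/Time"], pid, proc, ppid, parent,
                          fields["Rule"], fields["Rule Name"], fields["Command Line"],
                          fields.get("Signer", ""), fields.get("Parent Signer", ""))


    def parse_osarmor_log(text):
        """Split the log into blank-line-separated records. Lines without a ':' and
        stray headings such as 'Log:' are tolerated; a record counts only if it has a Rule."""
        events, fields = [], {}
        for raw in text.splitlines() + [""]:
            line = raw.strip()
            if not line:
                if "Rule" in fields:
                    events.append(_to_event(fields))
                fields = {}
                continue
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        return events


    def basename(path):
        return path.rsplit("\\", 1)[-1].lower()


    def rule_counts(events):
        """How often each OSArmor rule fired: the first thing to look at before excluding anything."""
        return Counter(e.rule for e in events)


    def unsigned_from_user_profile(events):
        """Blocked binaries with no signer that live under C:\\Users, the usual shape of a
        dropped payload; review these before adding an exclusion for them."""
        return [e for e in events
                if not e.signer and e.process.lower().startswith("c:\\users\\")]


    def console_from_system_utility(events):
        """cmd.exe spawned by a binary under C:\\Windows other than Explorer, which is the
        eventvwr.exe -> cmd.exe chain OSArmor's anti-exploit rule reported above."""
        return [e for e in events
                if basename(e.process) == "cmd.exe"
                and basename(e.parent) != "explorer.exe"
                and e.parent.lower().startswith("c:\\windows\\")]


    if __name__ == "__main__":
        evs = parse_osarmor_log(SAMPLE_LOG)
        print(rule_counts(evs))
        print([e.process for e in unsigned_from_user_profile(evs)])
        print([(e.parent, e.process) for e in console_from_system_utility(evs)])
    ```

    Both filters are deliberately narrow: they only rank entries that OSArmor has already blocked, so a match is a reason to look closer at the parent chain and command line, not a verdict on its own.
    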
     
  7. Well, firewalls can still be bypassed without exploit protection, even Privatefirewall 7.0, and Windows Firewall still needs EMET 5.5 for code injection rules for web browser processes such as 'Google Chrome' and 'Internet Explorer' Software. Windows 10 already has Microsoft Edge and EMET is already built into the Operating System! :thumb: While OSArmor Software fails protection I will have to say "NOTHANKS!" to NoVirusThanks, my little joke! :argh:
     
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Good grief, look what dropped by! :confused: :cautious:
     
  9. guest

    guest Guest

    @BlackBox Hacker Dll monitoring isn't implemented yet. I requested it a few days ago.

    Testing dll injections on a product unable to monitor them is like testing a trojan on an adblocker...

    If you want to test dlls, use Smart Object Blocker, which monitors dlls and drivers, unlike OSA or ERP.
     
  10. Thanks for letting me know about the missing security module, I already have Smart Object Blocker. :thumb: But what about blocking the file extension 'MMC', which doesn't work when blocking UAC exploits on the system, when your HIPS Protection does a much better job!
     
  11. Just had some more fun like bypassing Applocker Software. I just installed Smart Object Blocker and started exploiting the system and these are my logs!

    // Processes Rules [Behavioral Mode]

    // Rules:
    //Prevent commonly exploited processes from executing processes
    [%PARENTPROCESS%: *\javaw.exe]
    [%PARENTPROCESS%: *\iexplore.exe]
    [%PARENTPROCESS%: *\firefox.exe]
    [%PARENTPROCESS%: *\waterfox.exe]
    [%PARENTPROCESS%: *\iexplore.exe]
    [%PARENTPROCESS%: *\opera.exe]
    [%PARENTPROCESS%: *\AcroRd32.exe]
    [%PARENTPROCESS%: *\plugin-container.exe]
    [%PARENTPROCESS%: *\chrome.exe]
    [%PARENTPROCESS%: *\MicrosoftEdge.exe]
    [%PARENTPROCESS%: *\MicrosoftEdgeCP.exe]
    [%PARENTPROCESS%: *\winword.exe]
    [%PARENTPROCESS%: *\excel.exe]
    [%PARENTPROCESS%: *\wmplayer.exe]
    [%PARENTPROCESS%: *\skype.exe]
    [%PARENTPROCESS%: *\safari.exe]

    [12/01/2018 11:29:48] Blocked Process: C:\Program Files\Internet Explorer\iexplore.exe
    Rule: [%PARENTPROCESS%: *\iexplore.exe]
    Command Line: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4280 CREDAT:267521 /prefetch:2
    Process Id: 648
    Parent Process Id: 4280
    Parent Process: C:\Program Files\Internet Explorer\iexplore.exe


    Now I test the system directories using calc test!

    Path: C:\Windows\system32\calc.exe

    DLL Operation Report
    produced by RemoteDLL

    (For latest version visit http://SecurityXploded.com/remotedll.php)


    Username: BlackBox


    Detailed DLL Operation Report
    ***********************************************************************************


    Starting the 'Inject DLL' Operation...
    Process = Calc.exe
    Inject DLL = C:\Users\BlackBox\Desktop\poc.dll
    Injection Method = CreateRemoteThread


    Step 1 => Opening target process [4136 - Calc.exe] for DLL Injection
    Success


    Step 2 => Writing the DLL Path Name [C:\Users\BlackBox\Desktop\poc.dll] into target process
    Success


    Step 3 => [Defeat ASLR] Calculating the LoadLibrary function address on target process
    Successfully got the address of Kernel32.dll on target process
    Address of Kernel32.dll [Target Process] = 0x76DC0000
    Address of LoadLibrary [Target Process] = 0x76E0DE85


    Step 4 => Injecting the DLL into target process using the method 'CreateRemoteThread'
    Waiting for Remote Thread to Terminate...
    Address of Injected DLL [C:\Users\BlackBox\Desktop\poc.dll] in target process = 0x64DC0000


    Successfully Injected the DLL into target process !!!

    ***********************************************************************************


    DLL Operation Report
    produced by RemoteDLL

    (For latest version visit http://SecurityXploded.com/remotedll.php)


    Username: BlackBox


    Detailed DLL Operation Report
    ***********************************************************************************


    Starting the 'Inject DLL' Operation...
    Process = Ftp.exe
    Inject DLL = C:\Users\BlackBox\Desktop\poc.dll
    Injection Method = CreateRemoteThread


    Step 1 => Opening target process [1008 - Ftp.exe] for DLL Injection
    Success


    Step 2 => Writing the DLL Path Name [C:\Users\BlackBox\Desktop\poc.dll] into target process
    Success


    Step 3 => [Defeat ASLR] Calculating the LoadLibrary function address on target process
    Successfully got the address of Kernel32.dll on target process
    Address of Kernel32.dll [Target Process] = 0x76DC0000
    Address of LoadLibrary [Target Process] = 0x76E0DE85


    Step 4 => Injecting the DLL into target process using the method 'CreateRemoteThread'
    Waiting for Remote Thread to Terminate...
    Address of Injected DLL [C:\Users\BlackBox\Desktop\poc.dll] in target process = 0x64DC0000


    Successfully Injected the DLL into target process !!!

    ***********************************************************************************


    DLL Operation Report
    produced by RemoteDLL

    (For latest version visit http://SecurityXploded.com/remotedll.php)


    Username: BlackBox


    Detailed DLL Operation Report
    ***********************************************************************************


    Starting the 'Inject DLL' Operation...
    Process = Chrome.exe
    Inject DLL = C:\Users\BlackBox\Desktop\poc.dll
    Injection Method = CreateRemoteThread


    Step 1 => Opening target process [2280 - Chrome.exe] for DLL Injection
    Success


    Step 2 => Writing the DLL Path Name [C:\Users\BlackBox\Desktop\poc.dll] into target process
    Success


    Step 3 => [Defeat ASLR] Calculating the LoadLibrary function address on target process
    Successfully got the address of Kernel32.dll on target process
    Address of Kernel32.dll [Target Process] = 0x76DC0000
    Address of LoadLibrary [Target Process] = 0x76E0DE85


    Step 4 => Injecting the DLL into target process using the method 'CreateRemoteThread'
    Waiting for Remote Thread to Terminate...
    Address of Injected DLL [C:\Users\BlackBox\Desktop\poc.dll] in target process = 0x64DC0000


    Successfully Injected the DLL into target process !!!

    ***********************************************************************************

    Why block the process 'iexplore.exe' when I need to inject into process memory like this for a pentest? All this does is block some of the web browsers from loading into memory! I'm also using the default mode. OK, still game over, firewall access, when blocking rule '%PARENTPROCESS%: *\chrome.exe'; this is very bad. This means, just like Applocker, you can bypass the path rules in the security policies, enjoy! For you to block dll injection exploits, block path 'C:\Users\<Username>\AppData\Local\Temp' etc. But say the attacker uses the desktop path for the exploit, well, it didn't protect the user well. EMET "chrome" rules protect the process better when injecting from any path. Now I'm back installing EMET Version 5.5 on my system and this works well with PrivateFirewall 7.0 Software HIPS Protection, which can also patch the UAC security as well!

    Screenshot: http://blackbox.uphero.com/POC.png
     
    Last edited by a moderator: Jan 12, 2018
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    I don't think you tested SOB correctly :)

    With SOB you need to write your own custom rules.

    Here is my rule (DLL.db) to block loading of DLLs on Desktop:

    Code:
    // Block loading of DLLs located on Desktop
    [%FILE%: C:\Users\Dev\Desktop\*]
    
    And here is SOB that blocked the loading of poc.dll file:

    sob.png

    SOB is for experienced users who can write their own custom processes\dlls\drivers rules to block or allow what they want.

    It comes with just a few sample rules to show how they are created, but they need to be tweaked as per needed.

    However, for SOB-related questions please post on SOB thread :)

    Also please use [ code ] when posting codes or logs.
     
  13. Yep, very good! But would a basic user use this Software, while EMET 5.5 Software is much easier to use? SOB :'( lol. A log file is not code to me, not like C++ code etc. But if you put it like this you can use it as code! But as I said before, default deny works better and that comes with EMET Software! Why does the user have to specify the rules to fix the programming?

    Code:
    // Block loading of DLLs located on Desktop
    [%FILE%: C:\Users\Dev\Desktop\*]
    
    It's all about [ code ] [ code ] [ code ] really!
     
    Last edited by a moderator: Jan 12, 2018
  14. guest

    guest Guest

    @BlackBox Hacker SOB is an anti-exe for advanced users with dll & drivers monitoring, EMET is an anti-exploit; they can't be compared.

    If you want to compare EMET with something, do it with HitmanPro Alert or Malwarebytes' Anti-Exploit.
     
  15. Yep, I only use Anti-Exploit Security Software! :thumb: I like DLL Injectors as well for testing security. Do you mean 'anti-exe' for DLL load? You are right about that, it blocked command line dll injectors on my tests years back now, but I really like showing weakness in security!
     
    Last edited by a moderator: Jan 12, 2018
  16. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,110
    Location:
    UK
    Please note this thread is for discussions about NoVirusThanks OSArmor only.
     
  17. NoVirusThanks OSArmor works a bit; if you like it, use it. But I don't like it that much; my opinion matters only to me! :isay:
     
  18. Very good point, but I would use a rule like this:
    Code:
    // Block loading of DLLs located on Desktop
    [%FILE%: C:\Users\*]
    
    That should fix the security issues here, but what if the hacker creates the folder 'C:\User' path, would this still be a security problem? And I don't think you can block the whole drive, for example the 'C:\*' path? That would be very bad, because none of your DLL files would load into system memory! This isn't the first time that I have tested novirusthanks products and they didn't work well. Well, at least it's some protection against cyber criminals.
     
    Last edited by a moderator: Jan 12, 2018
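    The DLL rule quoted by novirusthanks in post 12 (`[%FILE%: C:\Users\Dev\Desktop\*]`) and the `C:\Users\*` / `C:\*` variants discussed in post 18 differ only in how broad their path glob is, and the right way to judge such a rule is to run it against a few representative paths before deploying it. The following is an added example written for this page, not SOB's own rule engine: it is my reading of the bracketed `%VARIABLE%: glob` syntax as quoted in the thread (first matching rule wins, `*` matches any run of characters, comparison is case-insensitive like Windows paths), and SOB's real precedence and matching semantics may differ. The rule texts are the ones quoted above; the sample DLL paths are constructed.

    ```python
    import fnmatch
    import re

    # A rule line looks like "[%FILE%: C:\Users\Dev\Desktop\*]" or "[%PARENTPROCESS%: *\chrome.exe]".
    # Assumption: this regex is my reading of the syntax quoted in the thread, not SOB's parser.
    RULE_RE = re.compile(r"^\[%([A-Z]+)%:\s*(.+?)\]$")


    def parse_rules(text):
        """Return (variable, glob) pairs; '//' comment lines and blank lines are skipped."""
        rules = []
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("//"):
                continue
            m = RULE_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised rule line: {line!r}")
            rules.append((m.group(1), m.group(2)))
        return rules


    def glob_match(pattern, value):
        """Case-insensitive glob match. fnmatch only treats * ? [ ] specially, so the
        backslashes in Windows paths are matched literally."""
        return fnmatch.fnmatchcase(value.lower(), pattern.lower())


    def first_blocking_rule(rules, context):
        """context maps variable names (FILE, PARENTPROCESS, ...) to the value under
        evaluation. Returns the text of the first rule that fires, or None."""
        for var, pattern in rules:
            value = context.get(var)
            if value is not None and glob_match(pattern, value):
                return f"[%{var}%: {pattern}]"
        return None


    def coverage(rules, var, paths):
        """Map each sample path to the rule that would block it (or None). A rule that
        misses the path you care about is too narrow; one that hits system DLLs is too broad."""
        return {p: first_blocking_rule(rules, {var: p}) for p in paths}


    # The three DLL rule variants discussed in the thread, plus two of the parent-process rules.
    DLL_RULES_DEV = r"""
    // Block loading of DLLs located on Desktop
    [%FILE%: C:\Users\Dev\Desktop\*]
    """
    DLL_RULES_USERS = r"[%FILE%: C:\Users\*]"
    DLL_RULES_DRIVE = r"[%FILE%: C:\*]"
    PROCESS_RULES = r"""
    // Prevent commonly exploited processes from executing processes
    [%PARENTPROCESS%: *\iexplore.exe]
    [%PARENTPROCESS%: *\chrome.exe]
    """

    # Constructed sample paths: the test DLL path from the logs above, the same file under
    # the profile the rule was written for, and a system DLL every process must be able to load.
    SAMPLE_DLLS = [
        r"C:\Users\BlackBox\Desktop\poc.dll",
        r"C:\Users\Dev\Desktop\poc.dll",
        r"C:\Windows\System32\kernel32.dll",
    ]


    if __name__ == "__main__":
        for name, text in [("Dev desktop only", DLL_RULES_DEV),
                           ("all user profiles", DLL_RULES_USERS),
                           ("whole drive", DLL_RULES_DRIVE)]:
            print(name, coverage(parse_rules(text), "FILE", SAMPLE_DLLS))
    ```

    Running it shows the three outcomes the thread argues about: the Desktop rule written against the `Dev` profile does not fire for a DLL under `BlackBox`, so a rule copied from someone else's machine has to be adapted to the local user names (or widened to `C:\Users\*`); the `C:\Users\*` rule covers every profile while still leaving `C:\Windows\System32` alone; and the `C:\*` rule would also block `kernel32.dll`, which is why blocking the whole drive is not an option.
    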
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    BlackBox Hacker, please heed Stapp's statement. This thread is not about SOB and further remarks about it may be removed.
     
  20. Can't find the thread for SOB, can anybody help?
     
  21. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Tested the new version (test 23).
    It is possible to verify 3 types of Anti-Exploit interventions.

    With the HPA3 test and also installed MBAE (Custom Setting):

    a) Tests where MBAE blocks excluding the intervention of OSA.

    Example Stack Pivot 1 and all the others minus the ones written below.

    b) Tests with the Error reporting pop-up.
    The Exploit Test Tool is closed.
    No logs in MBAE.
    The intervention of OSA is caused by rundll32.exe (DEP + ROP System() in msvcrt + URL Mon + URL Mon 2 + URL Mon 3)

    c) Tests failed by MBAE (ROP Win Exec() via Anti-Detour + Heap Spray 3)
    The intervention of OSA is caused by calc.exe.


    For now everything is OK.:thumb:

    "Run Windows Calculator" is not an exploit - the intervention of OSA is not correct. :thumbd::);)

    Same concept for the MBAE Test.
    See video below:

    http://sendvid.com/uoqh31si
     
    Last edited by a moderator: Jan 12, 2018
  23. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    Fortunately, you can untick protection if you need to run something that's blocked.

    Would be better to add an exclusion list so that legitimate software can run despite the rules while still allowing malicious malware to be blocked.
     
  24. guest

    guest Guest

    It already has an exclusion list, and: "+ Added a basic GUI app to create exclusions" #413
     