GFlagsX with Mitigation Options

Discussion in 'other anti-malware software' started by Mister X, Jun 21, 2017.

  1. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,688
    Location:
    Mexico
    Here is an open-source UI which can access/view/create/modify all of these Windows 10 process mitigations via IFEO registry settings. This tool is portable and does not require the use of the ProcessMitigations PowerShell module.

    This portable app allows you to set per-process mitigations. Therefore any process that starts, as long as it is set up here, will have the selected process mitigations enforced within the process without the need for the individual developers of other software having to set certain flags (DEP, for example) during binary compilation.

    The program itself is only a GUI for setting process mitigations in the registry "via IFEO registry settings". After mitigations have been set, Windows "is taking over" and enforcing them.
    (When your application starts, the OS will look for specific registry values under that reg key, and act accordingly.)
    You have to rely on "cryptic" events from the Windows Event Viewer (if it is logged at all).

    GFlagsX is more about making OS built-in security features more easily accessible. Part of a "Living Off The Land" or "Defending Off The Land" type of strategy.

    GFlagsX-mini-but-powerful.png

    Source (w/ screenshot): https://twitter.com/zodiacon/status/861238433687228417
    Link: https://github.com/zodiacon/GflagsX/releases

    Warning: Under certain unknown conditions and settings, some might experience BSODs in your systems. Take a snapshot or make a system image prior to making use of GFlagsX please. Use it at your own risk.

    Note by @WildByDesign :
    We should note that this would still likely work with Windows 8 and whatever other versions of Windows that utilize the IFEO MitigationOptions keys (https://theryuu.github.io/ifeo-mitigationoptions.txt). Those are the most informative details I've ever found with regard to the IFEO mitigation options. It also explains in detail what each mitigation does and the possible options.

    Although some of that is getting outdated, it is still good info. For example, dev Pavel for GFlagsX does different numbers for SEHOP, combining it with DEP and such in the same bit number. I thought he was wrong at first, but then I realized he is the main author of the Windows Internals books and that I have no reason to question him. But then I checked the ProcessMitigations PowerShell tool and it applies the same way. So GFlagsX is entirely correct with the numbers even though I thought it was wrong initially. But apparently both methods work. I believe that more mitigation options bit numbers will be created for when RS3 is released for the EAF, EAF+, IAT, ROP, etc. mitigations coming over from EMET. They ran out of bit number space within Windows so they created a new key somewhere. But anyway, Pavel will add it too as it gets closer.



    Credits for supplying info to create this first post:
    @WildByDesign For finding the source code and creating compilations accordingly.
    @mood for his always invaluable input.
     
    Last edited: Jun 26, 2017
  2. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,688
    Location:
    Mexico
    Release v0.21

    • Based on version 0.21
    • Removed additional tabs
    • Kept just the Process Mitigations

    Download: https://sendit.cloud/4is892s1tnn0
    VirusTotal: ~ Removed VirusTotal Results as per Policy ~
     
    Last edited by a moderator: Jun 21, 2017
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,067
    Location:
    Toronto, Canada
    One thing that I wanted to note as well (before I forget, because I am good at forgetting) is that we can all share the MitigationOptions (Hex) key with each other if anyone wants to share mitigation settings for specific programs. The regular Ctrl+C and Ctrl+V is a bit finicky in this program. But if you highlight the number(s) within the Hex box in GFlagsX, you can then use right-click to copy and/or paste that way. So for example if you created a new image (new IFEO MitigationOptions entry), it starts with a number of 0. You would need to highlight that number, right-click and choose Paste after grabbing a shared Hex key here or elsewhere.
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,067
    Location:
    Toronto, Canada
    @Trooper Just pulling your question over from the other thread. Indeed, yes, these IFEO MitigationOptions via GFlagsX are per-process.
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,474
    Is this just for Chrome and IE at present?
     
  6. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,639
    Ok that is cool. Admittedly, some of this stuff is over my head. Can I base the settings you posted for Chrome into other apps? I assume those settings for Chrome are good to go? Thanks!
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,067
    Location:
    Toronto, Canada
    This is independent of browsers. This portable app allows you to set per-process mitigations. Therefore any process that starts, as long as it is set up here, will have the selected process mitigations enforced within the process without the need for the individual developers of other software having to set certain flags (DEP, for example) during binary compilation.

    @Mister X We should note that this would still likely work with Windows 8 and whatever other versions of Windows that utilize the IFEO MitigationOptions keys (https://theryuu.github.io/ifeo-mitigationoptions.txt).

    But what I am curious about is what the program does if a certain mitigation is not supported on a certain version of Windows. I don't know that yet. But I do know that for Windows 10, Anniversary Update and Creators Update have more mitigation options in comparison to the initial Windows 10 RTM release, just as the upcoming Fall Creators Update will add some more process mitigations from EMET (EAF, EAF+, IAT, ROP, etc.).

    EDIT: Apparently Windows 7 also makes use of IFEO MitigationOptions keys as well. Although Windows 7 does not have as many mitigations, you could still use this tool.
     
    Last edited: Jun 21, 2017
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,474
    Ok, installed it in VB and when I click the executables drop-down it shows two browsers, Chrome and IE; that is why I was asking. Looks complicated.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,067
    Location:
    Toronto, Canada
    You're welcome. Absolutely, yes. And similar to EMET, if a process mitigation causes a program to crash, you follow the process of elimination by unchecking one mitigation at a time until you find the culprit.

    Here are some baselines to try:

    chrome.exe 1110010101111105
    KeePass.exe 1110010101111105
    thunderbird.exe 1110010101111105
    WINWORD.EXE 1110110100111105
    EXCEL.EXE 1110110100111105

    EDIT: Adding some more from Bouncer, MemProtect, etc.
    BouncerTray.exe 1110110101111105
    Tray.exe 1110110101111105
     
    Last edited: Jun 21, 2017
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,067
    Location:
    Toronto, Canada
    I assume that your Windows install within VB just does not have very many processes within MitigationOptions applied yet.

    But for example if you wanted to protect KeePass. Within GFlagsX, press the New Image button. Within the box you put: KeePass.exe
    By default it starts with 0 for the MitigationOptions Hex. So you would select the 0 (or whatever number in that box) entirely so it is highlighted, right-click, and choose Paste to enter the Hex number shared here. Then hit Apply Settings at the bottom and it will fill out the mitigation boxes entirely for you.
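    The baselines shared above and the "paste the Hex number" step both revolve around one 64-bit MitigationOptions value per executable. As an added, self-contained example (not code from GFlagsX, from zodiacon, or from any poster in this thread), the Python below decodes those hex strings into per-mitigation states, rebuilds a value from a chosen list of mitigations, and diffs two baselines so you can see exactly which flags differ between, say, the Chrome and Word values. The nibble layout is taken from the PROCESS_CREATION_MITIGATION_POLICY_* constants in winbase.h; the policy names used as dictionary keys are labels chosen here, not official names, and the registry path helper only returns a string and never touches the registry.

```python
"""Decode, build and compare IFEO MitigationOptions values (added example).

The value is a 64-bit QWORD stored under
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\<exe>
as "MitigationOptions". Layout per winbase.h PROCESS_CREATION_MITIGATION_POLICY_*:
the lowest hex digit is a bitmask (DEP 0x1, DEP ATL thunk 0x2, SEHOP 0x4), which is
why GFlagsX shows DEP and SEHOP in the same digit; every later policy owns one hex
digit (4 bits) whose value is 0 = defer (not set), 1 = always on, 2 = always off.
"""
from __future__ import annotations

IFEO_PATH = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Hex digit index (counted from the right) -> policy label (labels chosen here).
NIBBLE_POLICIES = {
    2: "ForceRelocateImages", 3: "HeapTerminate", 4: "BottomUpASLR",
    5: "HighEntropyASLR", 6: "StrictHandleChecks", 7: "Win32kSystemCallDisable",
    8: "ExtensionPointDisable", 9: "ProhibitDynamicCode", 10: "ControlFlowGuard",
    11: "BlockNonMicrosoftBinaries", 12: "FontDisable", 13: "ImageLoadNoRemote",
    14: "ImageLoadNoLowLabel", 15: "ImageLoadPreferSystem32",
}
LOW_NIBBLE_FLAGS = {0x1: "DEP", 0x2: "DEPATLThunk", 0x4: "SEHOP"}
STATE_NAMES = {0: "defer", 1: "on", 2: "off", 3: "reserved"}

# Baselines exactly as posted in the thread.
BASELINES = {
    "chrome.exe": "1110010101111105", "KeePass.exe": "1110010101111105",
    "thunderbird.exe": "1110010101111105", "WINWORD.EXE": "1110110100111105",
    "EXCEL.EXE": "1110110100111105", "BouncerTray.exe": "1110110101111105",
    "Tray.exe": "1110110101111105",
}


def ifeo_value_path(exe_name: str) -> str:
    """Where GFlagsX writes the value for a given image name (string only)."""
    return rf"{IFEO_PATH}\{exe_name}\MitigationOptions"


def decode(hex_value: str) -> dict[str, str]:
    """Return {policy: state} for a MitigationOptions hex string."""
    value = int(hex_value, 16)
    if value >> 64:
        raise ValueError("MitigationOptions is a 64-bit value")
    result: dict[str, str] = {}
    low = value & 0xF
    for bit, name in LOW_NIBBLE_FLAGS.items():   # bitmask digit: set = on
        result[name] = "on" if low & bit else "defer"
    for nibble, name in NIBBLE_POLICIES.items():  # one digit per policy
        result[name] = STATE_NAMES[(value >> (4 * nibble)) & 0xF]
    return result


def encode(on=(), off=()) -> str:
    """Build a 16-digit hex string from lists of policies to force on / off."""
    by_name = {v: k for k, v in NIBBLE_POLICIES.items()}
    low_by_name = {v: k for k, v in LOW_NIBBLE_FLAGS.items()}
    value = 0
    for name in on:
        if name in low_by_name:
            value |= low_by_name[name]
        elif name in by_name:
            value |= 1 << (4 * by_name[name])
        else:
            raise ValueError(f"unknown policy {name!r}")
    for name in off:
        if name in by_name:
            value |= 2 << (4 * by_name[name])
        else:  # DEP/SEHOP flags have no "always off" encoding in this digit
            raise ValueError(f"cannot force {name!r} off")
    return f"{value:016X}"


def diff(hex_a: str, hex_b: str) -> dict[str, tuple[str, str]]:
    """Policies whose state differs between two values, as {policy: (a, b)}."""
    a, b = decode(hex_a), decode(hex_b)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for exe, hex_value in BASELINES.items():
        print(exe, ifeo_value_path(exe))
        for policy, state in decode(hex_value).items():
            print(f"  {policy:<28}{state}")
    print("chrome.exe vs WINWORD.EXE:", diff(BASELINES["chrome.exe"], BASELINES["WINWORD.EXE"]))
```

    Running it shows why Trooper's question about reusing the Chrome value elsewhere deserves a look at the decoded flags rather than a blind paste: the Chrome and Word baselines differ only in StrictHandleChecks and BlockNonMicrosoftBinaries, and both leave ProhibitDynamicCode and FontDisable on defer, which is what you would expect for a JIT-using browser and the font note later in the thread. When a program crashes after a paste, decoding the value gives you the list of candidate flags to uncheck one at a time.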
     
  11. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,688
    Location:
    Mexico
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,474
    Ok, that sounds good, but I don't have Chrome installed in VB and it still added it to the executables.
    It does show a bunch of others like explorer.exe and dllhost, a bunch of script stuff etc.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,067
    Location:
    Toronto, Canada
    @boredog I can't say for certain why there would be something there already for chrome.exe, especially since you had not installed it. But regarding script binaries and other system binaries, quite often Microsoft has already applied certain mitigations and other settings within those IFEO keys. Quite often they just have SEHOP done via another key. But anyway, be very careful with system processes, of course. MS has already tested and applied settings that they deem reliable and protected already. So don't alter or delete those. For these mitigations, I would apply these more to any kind of internet-facing apps, similar to EMET and other anti-exploit tools. Or just apps that you want to have extra process protection such as KeePass.
     
  14. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Wow! This is great! Thanks.

    You changed your KeePass and Chrome settings (https://www.wilderssecurity.com/threads/keepass-protected-process-process-mitigations.394343/) (https://www.wilderssecurity.com/thr...on-management-tool.393096/reply?quote=2676060). Any particular reason?
     
    Last edited: Jun 21, 2017
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,452
    Location:
    U.S.A. (South)
    Looking Perfecto!

    And working like a charm :thumb:
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,067
    Location:
    Toronto, Canada
    Good question. Sometimes I change settings very gradually and they generally get better and better as the days go by testing with various things. Going just by what I can remember, I believe that the main thing changed was likely adding Control Flow Guard for those and all of my other mitigation settings. Although I don't know for certain whether it is enforced with KeePass or not. Oh, and I think I may have switched to Defer now for the Blocking Non-System Fonts since MS has since released a blog post suggesting not to use that mitigation anymore.
     
  17. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Perfect. Thanks, all settings seem to be working VERY well.
     
  18. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,474
    Can you add other browsers manually? I normally use Edge. The VM image I am using is part of an MS trial for 90 days, Windows 10 Enterprise, and so I don't know if they had something for that before I installed it for Chrome or not.
     
  19. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    251
    Location:
    united kingdom
    If you protect a process with these mitigations, what does Windows do if malware triggers them? Does it simply block the attack or does it halt the OS to prevent further damage?
     
  20. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,549
    It should be simply blocked. There is no pop up message or something similar.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,452
    Location:
    U.S.A. (South)
    Exactly @WildByDesign and again many thanks for throwing yourself headlong into this and sharing useful benefits that come out of it.

    It's an interesting little program and through some trial and error for non-system 64-bit apps I use, it's simple to see what works and what will not.

    Process of elimination.
     
  22. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,639
    I tried those settings for Chrome and got a BSOD. More testing for moi. :)
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,452
    Location:
    U.S.A. (South)
    I had a couple of local apps, after applying some mitigations, pop up and simply close :)

    Pulled back a couple of flags and it relieved the pressure.
     
  24. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,639
    For me, I applied the Chrome settings as @WildByDesign posted. Was away from my computer for hours but Chrome was left open. Came back to a BSOD lol. I put everything back to defer for now.
     
  25. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,688
    Location:
    Mexico
    Warning: Under certain unknown conditions and settings, some might experience BSODs in your systems. Take a snapshot or make a system image prior to making use of GFlagsX please. Use it at your own risk.

    Sorry for any inconvenience.
     