GFlagsX with Mitigation Options

Discussion in 'other anti-malware software' started by Mister X, Jun 21, 2017.

  1. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    252
    Location:
    united kingdom
    Thanks. In that case does it log anything to the event log, so you know malware has attempted to infect a process? If not, it's not for me and I will stick with HMP.Alert, which provides more protections and greater visibility.
     
    Last edited: Jun 22, 2017
  2. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    675
    Location:
    Europe
    Is there someone here who can make a comparison between the mitigation protection of GFlagsX and HMP.Alert?
     
  3. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,867
    The program itself is only a GUI for setting process mitigations in the registry "via IFEO registry settings". After the mitigations have been set, Windows "is taking over" and enforces them.
    (When your application starts, the OS will look for specific registry values under that reg key, and act accordingly - #)
    You have to rely on "cryptic" events from the Windows Event Viewer (if it is logged at all).
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,130
    Location:
    Toronto, Canada
    As mood said, GFlagsX essentially applies only Microsoft built-in system mitigations as a per-process configuration.


    I've been cooking up a Dark build of GFlagsX. The only remaining problem is that I still can't figure out how to either remove the tab at the top or have that tab colored in dark as well. No luck yet which is why you can see a small white box in the top left corner. Anyway, if I can resolve that issue I will upload this Dark build later on tonight.

    GFlagsX-Dark.png
     
  5. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    252
    Location:
    united kingdom
    Thanks @mood and @WildByDesign
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,130
    Location:
    Toronto, Canada
    @askmark You're welcome. But as you had mentioned, if you want more visibility and more understanding of what is occurring on your system then HMP.A is definitely the better choice. It is quite likely that HMP.A utilizes some (or many) of these mitigations already, but via an internal API in which they are able to capture more details of the process and the actions being taken. And of course, they've got many, many additional mitigations as well.

    GFlagsX is more about making OS built-in security features more easily accessible. Part of a "Living Off The Land" or "Defending Off The Land" type of strategy but certainly could also be combined with other strategies as well.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,130
    Location:
    Toronto, Canada
  8. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,880
    Location:
    Mexico
    Thank you very much.
     
  9. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    244
    Thanks again WildByDesign. Love it. :thumb:

    I've added my media player as I have it protected with MemProtect.
    I use MPC-BE with madVR and LAV filters

    mpc-be64.exe - 1111010101111105

    This works with MPC-HC and PotPlayer too. If you're using Windows Media Player you could probably turn "Block Non-Microsoft Binaries" to "Always On" as well (untested as I have it disabled).
     
    Last edited: Jun 23, 2017
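    The posts above describe the mechanism (GFlagsX writes a MitigationOptions value under the image's IFEO key and Windows applies it at process start) and give one concrete value, `1111010101111105` for mpc-be64.exe. The following decoder is an added example, not code from GFlagsX or from anyone in this thread. It assumes the nibble layout of the documented PROCESS_CREATION_MITIGATION_POLICY_* constants (bits 0-3 are the DEP/ATL-thunk/SEHOP bitfield, bits 4-7 are reserved, and each later 4-bit field holds 0 = not set, 1 = always on, 2 = always off, 3 = a mitigation-specific "always on" variant); the field names are descriptive labels chosen here, and `read_ifeo_mitigation_options` is a helper that only works on Windows.

```python
"""
Decoder for the Windows IFEO "MitigationOptions" value that GFlagsX writes
per process image.  Added example; not part of GFlagsX or the forum thread.
Field layout assumed from the PROCESS_CREATION_MITIGATION_POLICY_* constants.
"""
import sys

# Registry path under HKLM that Windows consults when an image starts.
IFEO_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# State-coded mitigations, keyed by 4-bit field index counted from the
# least-significant end.  Field 0 is the DEP/ATL/SEHOP bitfield and field 1
# is reserved, so state-coded fields begin at index 2.  (Labels chosen here.)
NIBBLE_FIELDS = {
    2: "Force Relocate Images (mandatory ASLR)",
    3: "Heap Terminate on corruption",
    4: "Bottom-Up ASLR",
    5: "High-Entropy ASLR",
    6: "Strict Handle Checks",
    7: "Win32k System Call Disable",
    8: "Extension Point Disable",
    9: "Prohibit Dynamic Code",
    10: "Control Flow Guard",
    11: "Block Non-Microsoft Binaries",
    12: "Font Disable",
    13: "Image Load: No Remote",
    14: "Image Load: No Low Mandatory Label",
    15: "Image Load: Prefer System32",
}

STATE_NAMES = {
    0: "default (not set)",
    1: "always on",
    2: "always off",
    3: "always on (mitigation-specific variant)",
}


def decode_mitigation_options(value):
    """Decode a MitigationOptions QWORD (int or hex string) into
    {mitigation name: state string}."""
    if isinstance(value, str):
        value = int(value, 16)
    if not 0 <= value < (1 << 64):
        raise ValueError("MitigationOptions must fit in 64 bits")
    result = {}
    dep = value & 0xF  # field 0 is a bitfield, not a state code
    result["DEP"] = "always on" if dep & 0x1 else "default (not set)"
    result["DEP ATL Thunk Emulation"] = "always on" if dep & 0x2 else "default (not set)"
    result["SEHOP"] = "always on" if dep & 0x4 else "default (not set)"
    for nibble, name in NIBBLE_FIELDS.items():
        state = (value >> (4 * nibble)) & 0xF
        result[name] = STATE_NAMES.get(state, "unknown (0x%x)" % state)
    return result


def with_state(value, name, state):
    """Return a new value with one state-coded field replaced, e.g.
    with_state(v, "Block Non-Microsoft Binaries", 1) for "Always On"."""
    if isinstance(value, str):
        value = int(value, 16)
    nibble = next(n for n, field in NIBBLE_FIELDS.items() if field == name)
    mask = 0xF << (4 * nibble)
    return (value & ~mask) | ((state & 0xF) << (4 * nibble))


def read_ifeo_mitigation_options(image_name):
    """Read the QWORD for an image name from HKLM IFEO (Windows only).
    Returns None if the key or value does not exist."""
    if not sys.platform.startswith("win"):
        raise OSError("IFEO lookup needs the Windows registry")
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_KEY + "\\" + image_name) as key:
            data, kind = winreg.QueryValueEx(key, "MitigationOptions")
    except FileNotFoundError:
        return None
    if kind == winreg.REG_BINARY:  # some tools store it as 8 raw bytes
        data = int.from_bytes(data, "little")
    return int(data)


# Sample value taken from the thread (mpc-be64.exe).
SAMPLE_VALUE = "1111010101111105"

if __name__ == "__main__":
    for name, state in decode_mitigation_options(SAMPLE_VALUE).items():
        print(f"{name:40} {state}")
```

    Decoding the posted value shows DEP, SEHOP, CFG, the ASLR options and the image-load restrictions set to "always on" while "Block Non-Microsoft Binaries", "Prohibit Dynamic Code" and "Win32k System Call Disable" are left at their default, which matches what the poster says about keeping the non-Microsoft-binary block disabled. Nothing here writes to the registry; pair `with_state` with whatever deployment path you already trust (GFlagsX itself, or a reviewed PowerShell/GPO step) rather than adding ad hoc writes.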
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,130
    Location:
    Toronto, Canada
    @Mister X @JimboW You're welcome. Thank you for sharing your media player details as well JimboW. I use similar settings with MPC-HC with great results as well.

    Also, the "Block Non-Microsoft Binaries" to "Always On" works fantastic for Microsoft Office apps as well which denies the injection of any non-Microsoft signed .dll modules into Word, Excel, etc.
     
  11. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,880
    Location:
    Mexico
    @WildByDesign

    Should I understand that you actually did compile the latest version, 0.21, with your dark theme?
    Btw, version 0.21 is not compiled in the author's thread @github. Previous versions are.
     
    Last edited: Jun 23, 2017
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,130
    Location:
    Toronto, Canada
    Yes, the few builds that I provided so far were all compiled by me based on version 0.21 and compiled with Visual Studio 2017. It's still driving me crazy trying to remove that small white box (tab) in the corner though. But I will have a look at the code again later tonight.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,130
    Location:
    Toronto, Canada
  14. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    675
    Location:
    Europe
    @WildByDesign
    Could you please make a comparison of the differences in mitigation protection between GFlagsX and HMP.Alert?
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,130
    Location:
    Toronto, Canada
    I am always happy to help and specifically when I've got the appropriate understanding and details. But unfortunately in this case, I have never actually installed or used HMP.Alert and therefore don't have any experience with it. HMP.A definitely has a lot more to it and GFlagsX simply allows the user to enable/disable Windows operating system built-in process mitigations. Quite likely, you may very well be able to combine both but that would not be necessary.

    At the moment on Creators Update, for example, I am running all of these process mitigations via GFlagsX combined with literally all process mitigations within EMET 5.52 until the Fall Creators Update where Microsoft will add the remaining EMET mitigations. I had given up on EMET for a few weeks but once I realized that Microsoft was taking the time to add EAF, EAF+ and those other ROP mitigations directly into the OS for Fall Creators Update, that signifies to me that there is still value in those mitigations.
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,130
    Location:
    Toronto, Canada
    Here is an updated build of GFlagsX. I've included binaries for both Light and Dark theme. Please keep in mind that the Dark theme still has a visual glitch at the top where I can't figure out how to either hide the tab or apply color to the tab without destroying the functionality. This build is also based on the source code from 0.21 and I've just cleaned up the UI. I've tried my best to align things and make it look nicer.

    GFlagsX (2017-06-25)
    Link: https://sendit.cloud/k2rp2qwakozf
     
  17. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,880
    Location:
    Mexico
    Thanks a lot @WildByDesign

    It looks really nice here...

    GFlagsX v0.21.png
     
  18. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,880
    Location:
    Mexico
    @WildByDesign

    A little request and for the sake of aesthetics :p (sorry for bugging you btw), could you add this icon to the executable?

    flag.png

    It's found in the source code package.
     
  19. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,867
    Now I see the white line too :eek:
    Nevertheless the black version looks better :thumb:
     
  20. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Thanks! It's looking great!
     
  21. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    244
    Dark theme looks great on my desktop :thumb:

    New Bitmap Image.png
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,130
    Location:
    Toronto, Canada
    The icon size bothered me as well. I've fixed it now although it may not be perfect because the way in which the developer resizes the icon dynamically in the source code makes it hard to match. Anyway, hopefully this is improved.

    GFlagsX (2017-06-25-iconfix)
    Link: https://sendit.cloud/9j17corjg0wf


    I agree, I would prefer the black version if I can figure out that line (tab) situation. I will have a look at the code again soon. :thumb:


    @ExtremeGamerBR You're welcome. Glad you are enjoying it.
     
  23. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,880
    Location:
    Mexico
    Thanks, it looks fine just like the other one.

    What I meant to say is this icon:
    iconexe.png
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,130
    Location:
    Toronto, Canada
    @Mister X OK I see what you mean. I should be able to do that with Resource Hacker. I'll let you know how it goes.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,130
    Location:
    Toronto, Canada