GFlagsX with Mitigation Options

Discussion in 'other anti-malware software' started by Mister X, Jun 21, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,132
    Location:
    Toronto, Canada
    Yes, I have experienced similar inconsistencies with the Ctrl+C/Ctrl+V functions in the Hex box. So I've just resorted to selecting the contents within the Hex box and utilizing the right-click copy/paste options which seem to work well.
     
  2. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
    Thanks a lot.
     
  3. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
    On Windows 8.1 32-bit this hex is working fine, i.e., no crashes so far, in some app executables:
    Code:
    10101111105
     
  4. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,473
    Does it have templates or something to know what to apply in order not to break anything?
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,132
    Location:
    Toronto, Canada
    I've finally uploaded the binaries to GitHub for a more permanent hosting solution. I still have to upload much of the source code. I have to find a better way to upload the source code and figure out how to use Git properly.

    Link: https://github.com/WildByDesign/GFlagsX/releases/tag/GFlagsX
    * same binaries as before, just new hosting solution


    @lordraiden Unfortunately no templates. So one must proceed with caution. It is very much similar to EMET, in that when a crash/conflict occurs, the best thing is to uncheck one mitigation at a time and retry until you find the conflicting mitigation. Once the mitigations are all set, you really don't need to modify settings for months unless any changes occur.
     
  6. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
    This is awesome, thanks a lot!
     
  7. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
    Is anyone here applying mitigations to those default exes in the list?

    exes.png
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,132
    Location:
    Toronto, Canada
    GFlagsX (2017-08-16)
    Dark Theme & Light Theme

    Download: https://github.com/WildByDesign/GFlagsX/releases/tag/2017-08-16
    • moderate UI updates and alignments
    • added info tooltips for all buttons in UI on mouseover
    • added detailed info tooltips for all Process Mitigations in UI on mouseover
    • renamed Disable Dynamic Code mitigation to Arbitrary Code Guard (ACG) per Win10 RS3
    • included upstream crash fix (zodiacon/GflagsX@a0b0357)
    This build/fork is specifically aimed toward managing IFEO MitigationOptions settings only. This applies advanced process mitigations on a per-process basis.

    All credits go to Pavel Yosifovich (https://github.com/zodiacon).
     
  9. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
    @WildByDesign

    Thank you so much. Going to test this weekend. :geek:
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,132
    Location:
    Toronto, Canada
    @Mister X You're welcome. Please let me know if there are any issues. :thumb:
     
  11. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,132
    Location:
    Toronto, Canada
    @ExtremeGamerBR You're welcome.


    I've updated the UI a bit more and measuring things up, pixel by pixel, with the addition of an About (?) button to hover mouse over for build date and so on. I'm quite happy with where this is at right now so this may be the last build for a little while. Hopefully as Windows 10 RS3 (Fall Creators Update) build gets closer to release, the GFlagsX developer will update the mitigations to allow the new MitigationOptions registry binary format and add the remainder of the EMET mitigations. At that point, I will combine all of those incredible mitigations into the next release. There will be something like 25+ process mitigations in total at that point, so I will likely also have to change the UI a bit to fit that amount of mitigations. I am absolutely looking forward to that release of Windows 10 Fall Creators Update and also looking forward to those updated mitigations in GFlagsX at some point. The developer told me to remind him as it gets closer to release for RS3.


    GFlagsX 2017-08-18 with source
    Dark Theme & Light Theme
    Download: https://github.com/WildByDesign/GFlagsX/releases/tag/2017-08-18

    • added an About (?) button in UI to show compiled binary date (on mouse hover) so that we know which version we are using (simply just using build dates as version at this point)
    • resized/realigned UI to look more appropriate


    This build/fork is specifically aimed toward managing IFEO MitigationOptions settings only. This applies advanced process mitigations on a per-process basis.

    All credits go to Pavel Yosifovich (https://github.com/zodiacon).
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,132
    Location:
    Toronto, Canada
    I forgot to add an updated screenshot:

    GFlagsX 2017-08-18.png
     
  14. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,524
    Location:
    The etherlands
    Can one use this pretty much 'out of the box'? If not, is there any guidance? I ask because I am having some issues with HMPA, which I was using to cover EMET (and more).

    Or is it best left well alone by non-experts? :cautious:
     
  16. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,132
    Location:
    Toronto, Canada
    @Mister X @ExtremeGamerBR You're welcome. I appreciate that. :thumb:

    @paulderdash As much as I wish that I could say that these MitigationOptions settings are easy to set up, it is not quite the case. It often requires trial and error, dealing with potential application crashes until you hit the right sweet spot. Similar to the trial and error with EMET. But once you've hit that sweet spot, it is very much "set and forget" and you don't need to do anything with it again until you install other programs, etc. But there are users here who would be happy to help you with testing certain mitigation settings. Just let us know your OS version and the applications that you would be interested in protecting. And any of us would be happy to share some MitigationOptions with you. :)
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,524
    Location:
    The etherlands
    Thanks for the offer WBD :). I have played with EMET some time ago, but it is probably easiest for me to stay with MB3 Anti-Exploit module active only, for now.

    But will check out Exploit Guard in future, and GFlagsX after that.
     
  19. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
    After this I do a reg backup for those specific entries, in case of Windows/apps reinstall.
     
  20. SHvFl

    SHvFl Registered Member

    Joined:
    May 7, 2015
    Posts:
    817
    Any suggestions for what to enable for Outlook from Office 365 (Office 2016) on Windows 10 x64 latest version so I bypass the trial and error?
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,132
    Location:
    Toronto, Canada
    I generally suggest something like this for Microsoft Office applications:
    Code:
    1110110101111105
    Within the MitigationOptions (Hex) box, use the mouse to select whatever is in the box, right-click and choose Paste to paste that code in there. Then Apply Settings for the mitigations to be applied. You would have to close and re-open Outlook for the changes to apply. For some reason the typical Ctrl+C Ctrl+V copy/paste does not work well so that is why I suggest select with the mouse then right-click for Copy/Paste options within this GFlagsX app.

    Anyway, I use that Hex code for Microsoft Word and Excel. I have not used it specifically with Outlook though, but hopefully that will give you something to start with. It is possible that certain Microsoft Office add-ins (extensions, or whatever they call them) can potentially trigger some mitigations. But baseline Microsoft Office apps should be OK with that mitigation hex code.

    This is a fantastic idea, for sure. :thumb:
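The hex strings traded in this thread (the Office value just above, and the Windows 8.1 value in post 3) are opaque unless you know which nibble is which mitigation. The following is an added example, not code from GFlagsX or from Pavel Yosifovich's upstream project: it decodes such a value into per-mitigation states, compares two values, and produces the "uncheck one mitigation at a time" variants that the troubleshooting advice earlier in the thread relies on. It assumes that the Hex box holds the 64-bit IFEO MitigationOptions value laid out as the PROCESS_CREATION_MITIGATION_POLICY_* constants in winbase.h describe it (nibble 0 = legacy DEP/SEHOP bit flags, nibbles 2 to 15 = one 2-bit policy each); the mitigation names are GFlagsX's labels from this thread with the older name in brackets, and the sample inputs are the two values posted here.

```python
# Added example (not GFlagsX or upstream code): decode, compare and troubleshoot
# the IFEO MitigationOptions value that GFlagsX shows in its MitigationOptions (Hex) box.
#
# Assumption: the Hex box is the 64-bit MitigationOptions QWORD in the winbase.h
# PROCESS_CREATION_MITIGATION_POLICY_* layout. Nibble 0 holds legacy single-bit flags;
# nibble 1 is reserved; nibbles 2..15 each hold a 2-bit policy:
#   0 = defer to the system default, 1 = always on, 2 = always off,
#   3 = reserved (for Force Relocate Images it means "always on, require relocations").

NIBBLE0_FLAGS = {
    0x1: "DEP",
    0x2: "DEP ATL thunk emulation",
    0x4: "SEHOP",
}

POLICY_NIBBLES = {
    2: "Force Relocate Images (mandatory ASLR)",
    3: "Validate Heap Integrity (Heap Terminate on Corruption)",
    4: "Bottom-Up ASLR",
    5: "High Entropy ASLR",
    6: "Validate Handle Usage (Strict Handle Checks)",
    7: "Disable Win32k System Calls",
    8: "Disable Extension Points",
    9: "Arbitrary Code Guard (Disable Dynamic Code)",
    10: "Control Flow Guard",
    11: "Code Integrity Guard (Block Non-Signed Microsoft Images)",
    12: "Disable Font Loading",
    13: "Block Remote Images",
    14: "Block Low Integrity Images",
    15: "Prefer System32 Images",
}

STATE = {0: "default", 1: "always on", 2: "always off", 3: "reserved"}


def parse_hex(hex_value: str) -> int:
    """Parse the Hex box text; leading zeros are omitted there, so '10101111105' is valid."""
    value = int(hex_value.strip(), 16)
    if value < 0 or value >> 64:
        raise ValueError("MitigationOptions must fit in 64 bits")
    return value


def decode_mitigation_options(hex_value: str) -> dict:
    """Return {mitigation name: state} for every mitigation in the layout above."""
    value = parse_hex(hex_value)
    states = {}
    nibble0 = value & 0xF
    for bit, name in NIBBLE0_FLAGS.items():
        states[name] = "always on" if nibble0 & bit else "default"
    for index, name in POLICY_NIBBLES.items():
        states[name] = STATE[(value >> (4 * index)) & 0x3]
    return states


def always_on(hex_value: str) -> list:
    """Sorted names of the mitigations a value forces on."""
    return sorted(n for n, s in decode_mitigation_options(hex_value).items() if s == "always on")


def differing(hex_a: str, hex_b: str) -> list:
    """Mitigations whose state differs between two values (e.g. two machines' settings)."""
    a, b = decode_mitigation_options(hex_a), decode_mitigation_options(hex_b)
    return sorted(n for n in a if a[n] != b[n])


def without(hex_value: str, name: str) -> str:
    """Return the value with one mitigation reset to 'default': the one-at-a-time
    elimination step used when an application crashes after applying a set."""
    value = parse_hex(hex_value)
    for bit, flag in NIBBLE0_FLAGS.items():
        if flag == name:
            return f"{value & ~bit:X}"
    for index, policy in POLICY_NIBBLES.items():
        if policy == name:
            return f"{value & ~(0xF << (4 * index)):X}"
    raise KeyError(name)


if __name__ == "__main__":
    # Sample input taken from this thread: the value suggested for Microsoft Office.
    office = "1110110101111105"
    for name, state in decode_mitigation_options(office).items():
        print(f"{name:58} {state}")
    print("without Control Flow Guard:", without(office, "Control Flow Guard"))
```

Decoding the Office value shows Disable Win32k System Calls, Arbitrary Code Guard and Disable Font Loading left at the system default, which is what one would expect for applications that run VBA and third-party add-ins; comparing it with the Windows 8.1 value from post 3 shows the difference is confined to the four image-load mitigations in the top nibbles.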
     
  22. SHvFl

    SHvFl Registered Member

    Joined:
    May 7, 2015
    Posts:
    817
    Thanks.
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,132
    Location:
    Toronto, Canada
    GFlagsX (2017-08-24) with source
    Dark Theme & Light Theme

    Download: https://github.com/WildByDesign/GFlagsX/releases/tag/2017-08-24


    • some last minute UI polishing
    • better spacing (and font sizes) within all info tooltips
    • renamed Heap Terminate on Corruption mitigation to Validate Heap Integrity
    • renamed Strict Handle Checks mitigation to Validate Handle Usage
    • renamed Block Non-Signed Microsoft Images mitigation to Code Integrity Guard
    • mitigations that were renamed have their previous (also known as) name within info tooltip
    • mitigations were renamed to conform with official MS terminology in upcoming RS3 (Fall Creators Update)
    • mitigation descriptions (info tooltips) were also changed to match Defender Exploit Guard descriptions
    • previous descriptions were too complex for within a simple UI tooltip; new descriptions are short and simple

    This build/fork is specifically aimed toward managing IFEO MitigationOptions settings only. This applies advanced process mitigations on a per-process basis.

    All credits go to Pavel Yosifovich (https://github.com/zodiacon).
     
  24. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
    Good catch! Nice.

    Thank you.

    Looks really well:

    gflagsx.png
     
    Last edited: Aug 25, 2017
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,132
    Location:
    Toronto, Canada
    Guys/Gals, I was not expecting to do another release so soon. This is a minor release, however, I finally figured out how to disable that annoying window transitioning effect that you see when you first start the app up where the content, by default, transitions from left to right (or the opposite). This also resolves the visual glitch with the Dark app where you would briefly see that small white square in the top left corner of the window when you first run the Dark version.

    I think that I am finally happy with this from a UI perspective, for now anyway. :D


    GFlagsX (2017-08-26) with source
    Dark Theme & Light Theme

    Download: https://github.com/WildByDesign/GFlagsX/releases/tag/2017-08-26


    • disabled the default window transitioning effects where the content shifts when starting app
    • this also (finally) resolves the visual glitch of that small white box when starting the Dark app

    This build/fork is specifically aimed toward managing IFEO MitigationOptions settings only. This applies advanced process mitigations on a per-process basis.

    All credits go to Pavel Yosifovich (https://github.com/zodiacon).


    @Mister X You're welcome. Thank you for your feedback as well. :thumb: