KeePass - Protected Process & Process Mitigations

Discussion in 'other software & services' started by WildByDesign, May 28, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some examples for protecting KeePass memory by running as a Protected Process-Light (PPL) with MemProtect and fortifying with Windows OS built-in process mitigations.

    My testing has been done with Windows 10 Pro Creators Update (64-bit).

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    #    Protected Process - KeePass
    !*KeePass.exe>*KeePass.exe
    !C:\Windows\explorer.exe>*KeePass.exe
    !C:\Windows\System32\*>*KeePass.exe
    !*KeePass.exe>C:\Windows\System32\*
    [BLACKLIST]
    #    Misc. Silence Rule Examples (Blocking access to KeePass)
    $*\Office1?\*>*KeePass.exe
    $*\Google\*>*KeePass.exe
    #   Blocking Protected Process from accessing Explorer
    $*KeePass.exe>C:\Windows\explorer.exe
    #    Protected Process - KeePass
    *>*KeePass.exe
    *KeePass.exe>*
    [EOF]
    

    KeePass MitigationOptions (via GFlagsX):
    MitigationOptions (HEX): 1111000101111105


    KeePass MitigationOptions.png


    KeePass process mitigations confirmed via Process Hacker:


    KeePass MitigationOptionsPH.png
     
    Last edited: May 28, 2017
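To see what the MemProtect ruleset above actually permits, here is a small rule evaluator added as an example; it is not part of the original post or of MemProtect. It assumes that a whitelist match wins over a blacklist match, that `*` and `?` are glob wildcards matched case-insensitively, and that the `!` and `$` prefixes only affect logging, not the allow/block decision.

```python
import fnmatch

# Constructed copy of the KeePass rules from the post (comments dropped; same syntax).
RULESET = r"""[DEFAULTALLOW]
[WHITELIST]
!*KeePass.exe>*KeePass.exe
!C:\Windows\explorer.exe>*KeePass.exe
!C:\Windows\System32\*>*KeePass.exe
!*KeePass.exe>C:\Windows\System32\*
[BLACKLIST]
$*\Office1?\*>*KeePass.exe
$*\Google\*>*KeePass.exe
$*KeePass.exe>C:\Windows\explorer.exe
*>*KeePass.exe
*KeePass.exe>*
[EOF]"""


def parse_rules(text):
    """Return (default_allow, whitelist, blacklist); each rule is a (source_glob, target_glob) pair."""
    default_allow = "[DEFAULTALLOW]" in text
    section, rules = None, {"WHITELIST": [], "BLACKLIST": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank line or comment
        if line.startswith("["):
            section = line.strip("[]")                 # section header such as [WHITELIST]
        elif section in rules and ">" in line:
            # '!' / '$' prefixes control logging in MemProtect; assumed not to change the decision.
            src, dst = line.lstrip("!$").split(">", 1)
            rules[section].append((src.lower(), dst.lower()))
    return default_allow, rules["WHITELIST"], rules["BLACKLIST"]


def access_allowed(rules, source_exe, target_exe):
    """Decide whether source_exe may open target_exe. Assumption: whitelist wins over blacklist."""
    default_allow, whitelist, blacklist = rules
    src, dst = source_exe.lower(), target_exe.lower()

    def matches(rule_list):
        return any(fnmatch.fnmatchcase(src, a) and fnmatch.fnmatchcase(dst, b) for a, b in rule_list)

    if matches(whitelist):
        return True
    if matches(blacklist):
        return False
    return default_allow                               # [DEFAULTALLOW]: anything unmatched is allowed


RULES = parse_rules(RULESET)
```

Under these rules explorer.exe and the System32 binaries may open KeePass, KeePass may open System32 binaries and itself, and every other pairing involving KeePass is blocked while unrelated processes are left alone.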
  2. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Man, this is just perfect! Thank you very much!
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @ExtremeGamerBR @EASTER You're welcome. So essentially this is a memory sandbox for KeePass with additional process mitigations to protect the KeePass executable from any kind of DLL injection or unwanted memory access, to better protect the integrity of your password database. This still allows the Ctrl+Alt+A global Auto-Type to work correctly, which is great. Also, zero overhead with all of this additional protection.

    Windows Internals 7th Edition on Protected Process-Light:
    This quote is referring to anti-malware software services, of course. But the same could certainly be applied to the running KeePass process or any other process of value which could benefit from additional protection mechanisms.
     
  5. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    I tested GFlagsX with 1111000101111105 and everything worked fine.

    This is my MemProtect .ini for KeePass:

    Code:
    [#INSTALLMODE]
    [LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    !*KeePass.exe>*KeePass.exe
    !C:\Windows\explorer.exe>*KeePass.exe
    !C:\Windows\System32\*>*KeePass.exe
    !*KeePass.exe>C:\Windows\System32\*
    [BLACKLIST]
    $*\VMware\*>*KeePass.exe
    $*\Steam\*>*KeePass.exe
    $*\Office1?\*>*KeePass.exe
    $*\Chromium\*>*KeePass.exe
    $*\Windows Defender\*>*KeePass.exe
    $*\Process Lasso\*>*KeePass.exe
    $*\Process Explorer\*>*KeePass.exe
    $*\Process Hacker\*>*KeePass.exe
    $*KeePass.exe>C:\Windows\explorer.exe
    #    Protected Process - KeePass
    *>*KeePass.exe
    *KeePass.exe>*
    [EOF]
    
    Then I tested what I can do with FIDES, so:

    Code:
    [#INSTALLMODE]
    [LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    #    [KeePass]
    !D:\Programas\Keepass\KeePass.exe>X:\Documentos\Senhas
    !D:\Programas\Keepass\KeePass.exe>D:\Programas\Keepass\*
    #    [Veracrypt]
    !C:\Program Files\VeraCrypt\*>*
    [BLACKLISTMODIFY]
    #    [KeePass]
    *>D:\Programas\Keepass
    *>X:\Documentos\Senhas
    [WHITELISTREAD]
    *>*
    [BLACKLISTREAD]
    [EOF]
    
    
    This way, my KeePass database and program files stay absolutely protected against external changes.

    @WildByDesign, thank you again!

    EDIT:

    Sem título.jpg

    Mine is not showing "Prefer system32 images", is this normal?
     
    Last edited: May 29, 2017
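A decoder for the MitigationOptions value used in this thread (1111000101111105), added as an example; it is not part of the original posts or of GFlagsX/Process Hacker. It assumes the IFEO MitigationOptions QWORD uses the same two-bit-per-mitigation layout as the PROCESS_CREATION_MITIGATION_POLICY_* constants in winbase.h (bits 0-2 are the DEP/SEHOP flags); the display names are constructed for readability.

```python
# Bit offset of each two-bit mitigation field (layout of PROCESS_CREATION_MITIGATION_POLICY_*).
FIELDS = {
    8: "Force relocate images (mandatory ASLR)",
    12: "Heap terminate on corruption",
    16: "Bottom-up ASLR",
    20: "High-entropy ASLR",
    24: "Strict handle checks",
    28: "Win32k system call disable",
    32: "Extension point disable",
    36: "Prohibit dynamic code (ACG)",
    40: "Control Flow Guard",
    44: "Block non-Microsoft binaries",
    48: "Font disable",
    52: "Image load: no remote images",
    56: "Image load: no low-integrity-label images",
    60: "Prefer system32 images",
}
# Meaning of a two-bit field value; 3 is used for variant settings such as "always on, require relocs".
STATE = {0: "not set", 1: "always on", 2: "always off", 3: "special/reserved"}


def decode_mitigation_options(value):
    """Map a MitigationOptions QWORD to {mitigation name: state}."""
    result = {
        "DEP": "on" if value & 0x1 else "not set",                 # bit 0
        "DEP ATL thunk emulation": "on" if value & 0x2 else "not set",  # bit 1
        "SEHOP": "on" if value & 0x4 else "not set",               # bit 2
    }
    for shift, name in FIELDS.items():
        result[name] = STATE[(value >> shift) & 0x3]
    return result


def enabled(value):
    """Names of the mitigations that are on or always on for this value."""
    return [name for name, state in decode_mitigation_options(value).items() if state in ("on", "always on")]


if __name__ == "__main__":
    # Value from the first post of the thread (set on KeePass.exe via GFlagsX).
    for name, state in decode_mitigation_options(0x1111000101111105).items():
        print(f"{name:45} {state}")
```

For this value the decoder reports "Prefer system32 images" as always on (the string an older Process Hacker cannot display) and leaves ACG, CFG and the Win32k filter unset.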
  6. guest

    guest Guest

    Process Hacker isn't showing "Prefer system32 images"; it's a "Process Hacker thing":

    I'm not sure what version of Process Hacker you are using, but new mitigation strings were added in Oct. 2016.
    If you are using an older version, it isn't displaying "Prefer system32 images" because the mitigation string doesn't even exist in the source code.
    PHP:
    if (ShortDescription)
        *ShortDescription = PhCreateString(L"Prefer system32 images");

    if (LongDescription)
        *LongDescription = PhCreateString(L"Forces images to load from the System32 folder in which Windows is installed first, then from the application directory before the standard DLL search order.\r\n");
     
  7. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Strange, I'm using:

     
  8. guest

    guest Guest

    Your version is "too old" (v2.39.124 = March 2016) and it doesn't contain the new mitigation string, which was added in Oct. 2016.
    @WildByDesign is probably using the nightly build of Process Hacker, which contains the latest changes/mitigation strings.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I am also. Try again with the nightly latest.
     
  10. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Now I see. Using version 3.0.687 (https://wj32.org/processhacker/nightly.php) and everything is working as expected.
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I have been reading some more documentation from Microsoft regarding Process Mitigations, and more recent Microsoft documentation suggests that Arbitrary Code Guard (ACG) is a better and more powerful mitigation in comparison to all of the EMET ROP mitigations (PayloadRestrictions.dll). Essentially, ACG supersedes the PayloadRestrictions mitigations.

    Now, you cannot enable ACG and any of the PayloadRestrictions mitigations because ACG blocks them all, since the PayloadRestrictions mitigations involve injecting the EMET module (PayloadRestrictions.dll) into any process that has any of those mitigations enabled. (see: https://github.com/deroko/payloadrestrictions)

    So naturally, I have been doing a trial of switching as many of my apps over from PayloadRestrictions mitigations to ACG whenever possible. The performance is much better as well.

    Anyway, I was not able to enable ACG for KeePass 2.x because it involves dynamic code changes as normal operation. So ACG crashes 2.x builds. However, KeePass 1.x builds are a great candidate for enabling ACG, and so far my testing has been quite successful.
     