Malwarebytes Anti-Exploit

Some examples:

Test Stack Pivot (EMET)



Test ROP VirtualProtect() (MABE)



Test UrlMon (MBAE)

 

What is are you exactly trying to tell by posting results of the HMP Test Tool?

 

This latest version of MBAE can be used with EMET.
With the limits exposed.

 

in my pc, MBAE cant detect anything from HMP test tool

Tested in Win7 32bit

 

Forgive me if this has been asked before, but is there any current compatibility issues with Sandboxie?

 

If you've not added protection manually, then that's still I thing that you should do.
MBAE does not recognise the HMP Test Tool of the shelf for obvious reasons (No, not because it's written by a competitor)
Furthermore, a test tool itself is not telling the entire story.

 

I installed 1.06 and don't see anything in the log like i did in 1.05

 

Entries in the Logs tab have been replaced with the traybar balloon notifications, which can be turned off from Settings tab. There was some feedback that after running MBAE for weeks/months the Logs tab became un-usable with hundreds or thousands of similar entries. Looking for an exploit attempt became a problem in such cases.

 

There are no compatibility problems. But as you may already know, MBAE can not protect apps running inside the sandbox. At least not on Win 8.

 

Guidance here:
https://forums.malwarebytes.org/ind...frequently-asked-questions/page-2#entry911676

 

Must have missed this, but are there any plans to solve the problems on 64 bit systems? I still think it's a shame that MBAE can not offer this when compared to HMPA where it has been working seamlessly since day one.

 

Thank you for this, I appreciate it.

 

I had recently made some fresh vms to test some stuff in sbie so I decided to revisit the SBIE & MBAE issues.

I've prob said some of this before but I'll report my findings anyway.

Used Sandboxie 4.17.2 beta and MBAE 1.06.1.1018 in all machines.
Test apps I tried to use were Notepad and Internet Explorer.

Windows 7 32
Added the released MBAE template to the sandboxie.ini and ensured it was enabled.

Code:

[Template_MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*

According to procmon, the mbae-svc doesn't even attempt to inject the mbae.dll when the program is sandboxed.

Sandboxie has an advanced option allowing you to inject specific dlls so I added a line to the test box
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
Suprisingly this worked and MBAE then reported it was guarding it! Process Explorer showed the dll loaded and active. Sandboxies resource access monitor also showed the expected communication.

There are a few quirks to adding this line though and I can't be sure others won't spring up as well.
When I select 'Stop Protection' in MBAE and then load the app sandboxed it injects the dll as it should but then MBAE claims that 'cmd' is now protected and it seems to be communicating even though it's disabled? What rules are it enforcing?! I was really missing the logs right about then....

It also randomly says it's protecting cmd.exe when protection is enabled...but that's not often.

For anyone who wants to try this the command must be added to the sandboxie.ini directly ~ just like the template. You can add it per box or as a globalsetting. Just add it to the end of either one. Examples:

Code:

Global


[GlobalSettings]

Template=MBAE
Template=OfficeLicensing
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll

[DefaultBox]

per box, in this case I was using the DefaultBox

Code:

[GlobalSettings]

Template=MBAE
Template=OfficeLicensing

[DefaultBox]

ConfigLevel=7
AutoRecover=y
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=Chrome_Phishing_DirectAccess
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,ttl
Enabled=y
AutoDelete=y
NeverDelete=n
ForceProcess=notepad.exe
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll

[UserSettings_4BC00582]

In my tests MBAE ignored those apps not added to it's list so I don't foresee any issues adding it globally for the sandboxes but look for any 'new issues' just in case.


I then tested this on Windows 7 x64 using the 64 bit dll injection instead as MBAE seems to handle the 32 apps fine by itself on this OS.
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
Amazingly it worked!



I then tested this on Windows XP SP3 and surprisingly it did NOT work. The dll was injected, the resource access monitor shows some communication but it stops and is never protected by MBAE.



I didn't test Windows 8.1 but I think I remember people having issues with both 32 and 64 bit injection there so (if that's correct) you can add both.

InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll

It won't help with XP but at least Win7 (maybe vista and 8.1?) users should be able to use them together without manually toggling the MBAE protection now.

I could use a few people to try this on their systems and provide feedback!

I'll likely test this more myself and as long as it doesn't end up hitting a brick wall I'll make another detailed guide (better formatted as well!) for the template and include these. I wonder if they could just be appended to the template, hmm, back to the VM!

Update:
Seems to work so instead of doing what I said above just replace the template with the one below.

Code:

[Template_MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll

 

Very nice syrinx!

I will update the FAQ guidance while others are able to test it and provide feedback!

 

@syrinx
Thanks a lot!
Added those three lines to the template and it really works!
No more stop/start MBAE protection for 64bit programs, well I was able to test Chrome only but I believe it'll work with any application.
Tested on Win8.1.3 x64

 

@syrinx
Good Work !!!

Disappointed that it does not work with XP.
Is possible to find a remedy?

 

@syrinx
I have MPC-HC64 configured in its own dedicated sandbox but not protected by MBAE. When I launch the program MBAE doesn't log anything, it doesn't say now is protecting such program.
Then for testing, I created a new shield in MBAE and when running MPC-HC64 MBAE notifies its protection, as expected. So I think MBAE is not doing anything to unlisted/unshielded programs even though procexp is showing mbae64.dll injection.
Perhaps we need pbust's feedback on this matter no?

 

Yeah we may need to see what his tests show (or others) cause it's baffling me. Perhaps yours is working more like what I saw in the Windows 7 32 bit machine since you're on 8.1? I took a break from it for now cause I wasn't making any head way figuring it out.

 

While trying to figure out why MBAE would not work on XP with the template in place I came across something rather odd in procmon.
It seems that on XP Sandboxie is mounting the registry at HKLM\System\CurrentControlSet\Control\hivelist\\REGISTRY\USER\Sandbox_%user%_%sandbox%

Code:

NOTEPAD.EXE  3600  RegSetValue  HKLM\System\CurrentControlSet\Control\hivelist\\REGISTRY\USER\Sandbox_Admin_DefaultBox  SUCCESS

That seems a bit dangerous to me, but I won't pretend to be an expert...also the double \\ after hivelist IS NOT a mistake, that's how it showed up!

In windows 7 it's using a much more reasonable HKU\Sandbox_%user%_%sandbox%

Code:

notepad.exe  2408  RegSetValue  HKU\SANDBOX_ADMINISTRATOR_DEFAULTBOX\user\current\software\classes\SymbolicLinkValue  SUCCESS

To find these examples I just did a search for RegSet after I first noticed it to see what the first one each sandbox mounted (I assume thats what that regset is; perhaps I should ask the almighty google?) was and used those.
I also noticed that there were alot of BAD IMPERSONATION results on XP with 0 on Windows 7
Does anyone have an idea why they are different or what the potential issues might be? It seems to my uneducated mind that the HKLM\System\CurrentControlSet\Control\ section would be more restrictive and perhaps be the cause of another issue I saw before in a sbie deletion thread when testing runas on XP along with the MBAE template not working here w SBIE (but I am by no means certain of either yet).
I do see the BAD IMPERSONATION errors on XP w sandboxie and no MBAE as well so it doesn't seem likely but I found both differences pretty darn weird and am hoping someone who understands this stuff better than I might be able to shed some light on it.

Update:
All right so it looks like that was just setting the path for the sandbox as the actual string is: \Device\HarddiskVolume1\Sandbox\Admin\DefaultBox\RegHive being created/set in the HKLM\System\CurrentControlSet\Control\hivelist
Wierd that I can't see that happening in the W7 procmon logs but somehow the key shows up similarly there. So nothing to see here. From what I can tell that Bad Impersonation thing simply amounts to an app trying to access something it doesn't have the rights to. eg when it asks for Maximum Allowed this shows up a lot. Nothing to see on this reply after all, move along

 

Malwarebytes Anti-Exploit 1.06.1.1019:
Changelogs: https://www.malwarebytes.org/support/releasehistory/#antiexploit

https://www.malwarebytes.org/downloads/

 

Thank you.
Changelog is of version .1018 at the website. I copied changelog of version .1019 from the installer program:

Spoiler: Changelog

Malwarebytes Anti-Exploit 1.06.1.1019

New Features:
• Added new Layer3 mitigations for IE, Java and Office.
• Added default protection for more popular browsers.
• Added Chromium-based browser application family.
• Added new alert window with exploit details.
• Added protection traybar tooltip notification.
• Added advanced configuration of mitigations per family.
• Added configuration for general settings.
• Added browse button when adding custom shields.
• Added new mechanism to reduce known false positives.
• Added anonymous submission of blocked exploits.
• Added confirmation window for file-format exploit submissions.
• Added Premium notifications in Free/Trial builds.
• Added support for Windows 10.

Improvements:
• Improved upgrade process to maintain existing custom shields.
• Improved visibility in GUI of Management Console exclusions.
• Improved error and crash reporting.
• Improved missing GUI notification for guest user accounts.
• Improved managed installation to avoid Start Menu folder creation.
• Improved settings tab by removing the need for Apply button.

Fixes:
• Fixed false positive with Word or Excel under certain conditions.
• Fixed false positive with LoadLibrary exploit mitigation.
• Fixed false positive with web-based Java applications.
• Fixed bug with timestamp conversions.
• Fixed bug which could cause protection to stop during startup.
• Fixed bug whereby LUA could start/stop protection.
• Fixed bug when trying to activate invalid license.
• Fixed user interface bug in settings tab.

 

I guess the real changelog for v1019 should be this:

• Added support for Windows 10.
• Improved settings tab by removing the need for Apply button.
• Fixed bug when trying to activate invalid license.
• Fixed user interface bug in settings tab.

 

I've looked through several more instances and tried various workarounds for clues but I'm afraid it's time for me to give up on getting the template to work with xp. As far as I can tell there is nothing being blocked from within sandboxie. Now that the template injects the mbae.dll 'manually' it should be working. It does get injected, it starts trying to communicate with the service but the mbae-svc.exe never reacts or respond to it. This could mean that sandboxie is doing something unintended on this particular OS and it's getting lost along the way or it could be a quirk in MBAE itself. Regardless of why, it just isn't able to create an MBAE_IPC_PROTECTION channel with the service and the dll eventually gives up and unloads itself.

 

bump lol
http://forums.sandboxie.com/phpBB3/viewtopic.php?f=17&t=19132&start=15#p108784
https://www.wilderssecurity.com/threads/malwarebytes-anti-exploit.354641/page-80#post-2484076

Hopefully ZeroVulnLabs shed some light on this...

 

He's traveling atm so it may take some time before he is free to test it himself. =(