Memory access protection

Discussion in 'sandboxing & virtualization' started by Phyxion, Feb 17, 2012.

Thread Status:
Not open for further replies.
  1. Phyxion

    Phyxion Registered Member

    Joined:
    Sep 21, 2011
    Posts:
    11
    I'm looking for a program which features memory access protection (read/write), but it should also allow protection against ring0 drivers and/or lower-level APIs like NtReadVirtualMemory.

    I know Comodo Defense+ has memory access protection, but I couldn't find a single piece of information about what it can protect against. I asked on their forum but didn't get a reply with information...

    Other applications are fine as well, of course, so the question is: does such an application exist, and what is it called? Thanks!
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I think you can actually do this natively in Windows with certain tokens... I can't remember though.
     
  3. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    This is not exactly my area, but it sounds like EMET might offer some of what you want.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    EMET would not. What he's looking for is basically...

    you have program A and program B

    both exist in your RAM/ Memory. Their "address space" (stack, heap, libraries, executable) is their own.

    By default A can read B's memory.

    He's looking for a way to block that, which would be achieved through NtReadVirtualMemory as opposed to ReadVirtualMemory - this is what he's talking about when he says low level, he's talking about using the kernel API. Using the kernel API is preferable.

    Hopefully I'm right about what I've said. If I'm off, someone correct me.
     
  5. Phyxion

    Phyxion Registered Member

    Joined:
    Sep 21, 2011
    Posts:
    11
    Yes, that's what I meant. I want to protect a specific application from read/write of its memory. I know Comodo Defense+ has memory protection, but I couldn't find out if it also protects against ring0 drivers and low-level APIs like NtReadVirtualMemory. I went on the internet but I couldn't find anything, basically.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, ProcessGuard, which I've been using for some time now on XP, does what you require, & a lot more :)

    [screenshot: pg1.gif]

    [screenshot: pg2.gif]

    What OS do you have ?
     
  7. Phyxion

    Phyxion Registered Member

    Joined:
    Sep 21, 2011
    Posts:
    11
    Windows 7 x64, but it doesn't look like ProcessGuard supports that (not that I could find a working website of it as well :().
     
  8. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
  9. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Duh. Yeah, forgot about MD. That should do the job.
     
  10. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Since when is MD 7x64 compatible?
    Or did I miss something somewhere (I'd be very pleased if so, btw)?
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    The vendor site says 32-bit.
     
  12. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    @OP
    Try out AppGuard, it has what you want and additional stuff, plus it works on 64bit.
    There's a long thread here on WS FYI: https://www.wilderssecurity.com/showthread.php?t=294876

    (I don't know the specifics about the app as I've never used it, but you can probably find info in the linked thread)
     
  13. Phyxion

    Phyxion Registered Member

    Joined:
    Sep 21, 2011
    Posts:
    11
    But how good is the protection of AppGuard? I couldn't find if it protected against ring0 drivers and low level API's. Comodo also features memory protection, and is free (not that I would mind to pay for an application which has all my wishes).
     
  14. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    It's a good question.

    Perhaps it might be worth asking it in the AppGuard 3.x 32/64 Bit thread where you can get an answer from an official Blue Ridge Networks representative.
     
  15. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    I haven't tried AppGuard myself, but if others can't show you how good it is, then the only way to find out is to trial it yourself on your test machine/virtual machine.

    If, for example, AppGuard or Comodo Defense+ can block the loading of the kernel driver of Process Explorer, then it passed that aspect. Now, allow for a moment the loading of the kernel driver of Process Explorer so we can test whether AppGuard can prevent, in this case, Process Explorer from reading the virtual memory of other processes. If you can view the DLLs of a process you selected in the lower pane view, then AppGuard can't block Process Explorer from reading the virtual memory of the other processes enumerated.

    Regarding whether AppGuard can prevent a process from modifying (or writing to the virtual) memory of other processes, you can check it with Cheat Engine: http://www.cheatengine.org/downloads.php

    Obviously, you can check whether AppGuard or any security protection can block a process from reading the virtual memory of other processes with Cheat Engine, as the prerequisite for that application modifying the memory of another process is that it can read the virtual memory. So, if Cheat Engine can modify the memory or address space of the Plants vs Zombies game and give you infinite money, for example, then AppGuard failed in providing memory access protection.

    You can try Sandboxie too. Check whether a sandboxed Cheat Engine can read/modify the memory or address space of a process outside of the sandbox.

    It is nicer to test various leak tests yourself than just trusting with blind faith that a security product can provide this and that.
     
    Last edited: Feb 20, 2012
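    The A-reads-B scenario in Hungry Man's post and the try-it-yourself procedure trismegistos describes (read another process's memory, then write to it, and see whether the product stops you) as a scripted leak test. This is an added example, not code from the thread or from any of the products mentioned. It assumes Windows PowerShell with .NET available, a target process started by the same user at the same integrity level (otherwise OpenProcess fails on Windows' own access check, which says nothing about the product under test), and that the class name MemProbe and the two parameters are the script's own. It probes both the documented kernel32 API and ntdll!NtReadVirtualMemory underneath it, because a product that hooks only the former passes the first probe and fails the second. It cannot test the ring0 case: nothing running in user mode can stop a loaded kernel driver from reading memory, so the only thing a product can do about drivers is block them from loading.

```powershell
# Memory-access leak test (added example; not from the thread or any product).
# Opens a target process, reads the first bytes of its main module through
# kernel32!ReadProcessMemory and then directly through ntdll!NtReadVirtualMemory,
# and optionally writes the same bytes back (so the target is left unchanged)
# through WriteProcessMemory. A "BLOCKED" line means something intercepted the
# access; "NOT blocked" means the product let it through.
param(
    [Parameter(Mandatory = $true)][string]$ProcessName,   # e.g. notepad (hypothetical name)
    [switch]$TestWrite                                     # also attempt the write probe
)

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class MemProbe   // helper class defined by this example
{
    public const uint PROCESS_VM_READ           = 0x0010;
    public const uint PROCESS_VM_WRITE          = 0x0020;
    public const uint PROCESS_VM_OPERATION      = 0x0008;   // needed by WriteProcessMemory to change page protection
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, out IntPtr read);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, out IntPtr written);

    [DllImport("ntdll.dll")]
    public static extern int NtReadVirtualMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, out IntPtr read);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@

$target = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
$base   = $target.MainModule.BaseAddress     # image base of the target's EXE; starts with the 'MZ' DOS header
$size   = 64
$buf    = New-Object byte[] $size
$n      = [IntPtr]::Zero

$access = [MemProbe]::PROCESS_VM_READ -bor [MemProbe]::PROCESS_QUERY_INFORMATION
if ($TestWrite) { $access = $access -bor [MemProbe]::PROCESS_VM_WRITE -bor [MemProbe]::PROCESS_VM_OPERATION }

# Step 0: get a handle. A product can refuse here, before any read happens.
$h = [MemProbe]::OpenProcess($access, $false, $target.Id)
if ($h -eq [IntPtr]::Zero) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    "OpenProcess on $($target.ProcessName) (PID $($target.Id)) failed, Win32 error $err -> access BLOCKED at handle creation"
    return
}

# Probe 1: the documented API that most user-mode tools call.
if ([MemProbe]::ReadProcessMemory($h, $base, $buf, [IntPtr]$size, [ref]$n)) {
    $sig = [Text.Encoding]::ASCII.GetString($buf, 0, 2)
    "ReadProcessMemory: read $n bytes at 0x$($base.ToString('X')) (header '$sig') -> read NOT blocked"
} else {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    "ReadProcessMemory failed, Win32 error $err -> read BLOCKED"
}

# Probe 2: the native call underneath. A hook placed only on kernel32 is
# bypassed by calling ntdll directly, which is what the OP's question is about.
$buf2   = New-Object byte[] $size
$status = [MemProbe]::NtReadVirtualMemory($h, $base, $buf2, [IntPtr]$size, [ref]$n)
if ($status -eq 0) {
    "NtReadVirtualMemory: STATUS_SUCCESS, $n bytes -> read NOT blocked"
} else {
    "NtReadVirtualMemory: NTSTATUS 0x$($status.ToString('X8')) -> read BLOCKED"
}

# Probe 3 (optional): write the bytes just read back to the same address, so a
# successful write proves write access without altering the target.
if ($TestWrite) {
    if ([MemProbe]::WriteProcessMemory($h, $base, $buf, [IntPtr]$size, [ref]$n)) {
        "WriteProcessMemory: wrote $n bytes (unchanged content) -> write NOT blocked"
    } else {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        "WriteProcessMemory failed, Win32 error $err -> write BLOCKED"
    }
}
[void][MemProbe]::CloseHandle($h)
```

    Run it as `.\memprobe.ps1 -ProcessName notepad` (file name chosen here) from a non-elevated prompt first with the product disabled, to confirm every probe reports "NOT blocked" and the baseline is sound, then again with the product enabled and the target marked as protected. A Win32 error 5 or NTSTATUS 0xC0000022 (STATUS_ACCESS_DENIED) with the product enabled, after a clean baseline, is the product working. Running the script elevated is a different test: an administrator holding SeDebugPrivilege gets past the process DACL that Windows applies on its own, so anything still blocked at that point is the product and not the OS.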
  16. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    SpyShelter can do this... "Action Type" No. 28 and 29

    [screenshot: 120220142342_1.jpg]
     
  17. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    I think Zemana AntiLogger does it............
     
  18. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    AFAIK Online Armor Premium should also do it. Double click on any program in Programs control in the GUI or on any program name right click -> advanced options, and you get all the options to tinker with, including Physical Memory Access which you can set to Ask, Allow or Block.
     