MemProtect - Support & Discussion

Discussion in 'other anti-malware software' started by WildByDesign, Aug 21, 2016.

  1. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    500
    Location:
    Far East
    What does that mean? You select the app when you install with 'Install Mode' on and that gets it protected?
     
    Last edited: Aug 5, 2017
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,011
    That's one approach. With MZWriteScanner, which has to be off for any software install, you have two options. One is the install mode; the other is on the program selection, where you have 3 options: Start, Stop and Reset (which does a stop and start). Usually for most things I just use Stop. If you need to edit the config file then you restart.
     
  3. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    500
    Location:
    Far East
    Thanks

    But I already have programs installed, so the 'Install Mode' doesn't work, or does it only work when you install a new program?

    Also, how about Windows processes? Are they available for user to select and protect? Or are they protected by default?
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,011
    Hi NiteRanger

    At this point I would suggest reading through the whole thread.

    All install mode does is turn off the protection. Has the same effect as the stop except if you use stop it turns back on after a reboot.

    As to Windows processes, that's where going through the thread will help. Some users have posted their ini files. The last part is where you are missing how these drivers work.
    There is no "selecting" or "default". If you want to have it protected you have to put it in the ini file or it isn't there.

    The only caution is the structure of those files is exact. Putting spaces in where they shouldn't be will result in the rule you entered being ignored.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,547
    Location:
    Toronto, Canada
    I have wanted to do this for quite some time, but unfortunately time has been very limited. I've finally had a chance to do some preliminary LSASS.EXE memory protection testing with MemProtect. It took some time to do the logging necessary to create some rules. I would advise to be super careful with lsass.exe because incorrect rules could cause system stability issues for sure.

    These are just preliminary rules that I will expand on later. There are some basic whitelist rules along with the blacklist rules to run lsass.exe as a protected process. Then some silent blocking ($) rules as well. I still have to mess around with some module whitelist and module blacklist stuff later to see which DLLs should and should not be allowed.

    Code:
    [WHITELIST]
    #   LSASS (lsass.exe) Protection
    !C:\Windows\System32\services.exe>C:\Windows\System32\lsass.exe
    !C:\Windows\System32\svchost.exe>C:\Windows\System32\lsass.exe
    !C:\Windows\System32\csrss.exe>C:\Windows\System32\lsass.exe
    !C:\Windows\System32\lsass.exe>C:\Windows\System32\*
    [BLACKLIST]
    #   LSASS (lsass.exe) Protection
    $C:\Windows\System32\lsass.exe>C:\Windows\SystemApps\*
    $C:\Windows\System32\lsass.exe>C:\Windows\explorer.exe
    $C:\Windows\System32\lsass.exe>C:\Program Files*
    *>*lsass.exe
    *lsass.exe>*
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,902
    Location:
    The Netherlands
    BTW, I haven't really followed all of this stuff, but isn't this the same?

    https://www.petri.com/enable-lsa-protection-windows-8-1-server-2012-r2
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,011
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,902
    Location:
    The Netherlands
    Why not, isn't the goal to make lsass.exe a protected process, or does MemProtect do more?
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,011
    That's like saying my goal is to get from Washington DC to Florida, so if I drive or if I walk isn't it the same? Nope, it isn't.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,547
    Location:
    Toronto, Canada
    As far as the end goal is concerned, both solutions end up running lsass.exe with the memory restrictions of protected process-light. So yes, a similar end goal. But as Pete mentioned, the route to getting to that end goal is slightly different. The built-in PPL by MS ensures that any non-signed, non-trusted DLL modules are blocked from any kind of memory access to/from lsass.exe process. Therefore blocking many credential stealing methods such as mimikatz and I believe also the EternalBlue exploit since those types of attacks involve memory manipulation of lsass.exe process.

    MemProtect would have the same end goal; however, it also gives you the opportunity to control any DLL module activity to/from the lsass.exe process. Therefore, same end goal, just more granular control over the entire memory protection mechanisms. I'm actually using the built-in PPL by MS to protect lsass.exe combined with MemProtect right now for testing purposes. So far the testing is going well, but it completely blew my mind how much access lsass.exe needs to nearly every aspect of the running Windows OS. Therefore the rules can be quite complex in the end. Being in the "driver's seat", so to speak, is what I appreciate most about MemProtect. I've got the final say and the overall control, which is quite nice.

    Although, in the wrong hands, I would not want to imagine what it would be like if malware utilized this to create somewhat of a memory sandbox to protect the malware itself. That would be some significant power but that would indeed need some sort of kernel level exploit to achieve in the end.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,902
    Location:
    The Netherlands
    OK so with MemProtect you get a little more control. I wouldn't want to mess around with it, so the built-in setting in Windows is good enough for me.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,354
    Location:
    Mexico
    I can see license prices for Excubits products at their official site. I also read the ToS and found nothing about lifetime licenses. Are they available?
    Lifetime + lifetime upgrades/updates.
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,354
    Location:
    Mexico
    Well I think I didn't dig enough. Found in FAQ myself that:
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,772
    And you probably get a discount after one year, so you don't have to pay the full price.
    The post is from 2016, maybe things have changed in the meantime:
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,354
    Location:
    Mexico
    Thank you.
     
  16. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    75
    I have a couple of questions about Memprotect:

    1. I get loads of entries logged from many different programs accessing explorer such as
    2017/12/28_20:01:54 > MEMORY > C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe > C:\Windows\explorer.exe
    What is happening here? These are logged as blocked but it does not appear to stop anything from working.

    2. Memprotect appears to stop program A running program B. Is this a duplication of Bouncers parent rules or is this different? If Bouncer does this better it would be nice to turn just this off in Memprotect so only bouncer controls execution and Memprotect can be configured to block everything else.
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,772
    1. For some reason applications want to access the memory of explorer.exe.
    If the functionality of Thunderbird is not affected (by blocking the access to explorer.exe) you can use a silent rule for this (which must be added at the top of the blacklist, or at least above other rules for Thunderbird).
    Code:
    $C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe>C:\Windows\explorer.exe
    2. This is how MemProtect works. If you block, for example, Firefox from accessing C:\Windows\*, Firefox can't access the memory of applications in C:\Windows\* and Firefox can't launch applications in C:\Windows\*.

    For example: *\firefox.exe>C:\Windows\*
    If Firefox is not allowed to access C:\Windows\* and if Firefox is launching C:\Windows\cmd.exe, MemProtect is blocking it (in Process Hacker C:\Windows\cmd.exe can be seen as a suspended Process and it hasn't launched fully).
    [In #1 access rights are listed which MemProtect is blocking, one of them is: (The following specific access rights are not allowed from a process to a protected process: "PROCESS_CREATE_PROCESS")]

    In relation to the rule above:
    a) C:\Windows\cmd.exe = a protected process (at least for firefox.exe it is a protected process)
    b) Firefox is launching C:\Windows\cmd.exe = "specific access rights are not allowed from a process to a protected process" (see #1)
    = MemProtect has blocked the execution of C:\Windows\cmd.exe because it has blocked needed access rights to create the process.
     
  18. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    75
    Thank you for the explanation.

    In Procmon I find many calls to QueryNameInformationFile with C:\Windows\Explorer.exe as target. I wonder if this is causing these entries.

    I am using silent rules to keep the entries out of the logs but it would be nice to know what I am blocking.
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,547
    Location:
    Toronto, Canada
    Blocking memory access also blocks execution. But I believe what brought MemProtect functionality closer (similar) to that of Bouncer was the addition of the [MODULEFILTER] DLL filtering. This was done very similarly to Bouncer's internal rules engine. Bouncer, no doubt, is far more powerful when it comes to execution control, especially with module filtering and command line filtering.

    Therefore, you could disable MemProtect's module filtering if you wanted to, since it overlaps with Bouncer when you are using both drivers. Just switch [MODULEFILTER] to [#MODULEFILTER] to disable MemProtect's DLL/module filtering and then you will be back to just memory access protections entirely.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,547
    Location:
    Toronto, Canada
    Killing Protected Processes

    After some brief testing with PPLKiller (https://github.com/Mattiwatti/PPLKiller) and mimikatz (https://github.com/gentilkiwi/mimikatz) which have methods to forcefully remove the Protected Process Light (PPL) memory protection status from protected processes in Windows, I have determined that they both have no negative effect on MemProtect.

    MemProtect protected processes' memory space remains fully protected since it applies PPL memory sandbox restrictions on-the-fly within kernel-mode. :thumb:


    Blacklisting Potentially Dangerous Modules/Executables

    * Keep in mind this blocks .exe as well, not just .dll modules, and is therefore effective at blocking/mitigating.
    * If you already implemented this blacklist in Bouncer, there is no need to do this in MemProtect really.
    * Always run non-lethal [#LETHAL] when testing major config changes such as this.


    On a side note, ever since the development of module filtering (DLL blocking) in MemProtect, I have been implementing Florian's Blacklist.txt rules in [MODULEBLACKLIST] section. I had to convert the blacklist to parent blacklist rules first with *> before each line. Please keep in mind that there may be some legitimate use cases for some of these blacklist items and therefore you can easily add whitelist overrides for legitimate use cases to the [MODULEWHITELIST] section.

    Code:
    [MODULEBLACKLIST]
    # Excubits Blacklist - Source: https://excubits.com/content/files/blacklist.txt
    # Last Updated: 2018/02/03
    #
    *>*\AppData\Local\Temp\*.bat
    *>*\AppData\Local\Temp\*.cmd
    *>*\AppData\Local\Temp\*.com
    *>*\AppData\Local\Temp\*.exe
    *>*\AppData\Local\Temp\*.scr
    *>*\AppData\Local\Temp\*.sys
    *>*\AppData\Roaming\*.bat
    *>*\AppData\Roaming\*.cmd
    *>*\AppData\Roaming\*.com
    *>*\AppData\Roaming\*.exe
    *>*\AppData\Roaming\*.scr
    *>*\AppData\Roaming\*.sys
    *>*\at.exe
    *>*\Temp\*.zip\*.exe
    *>*\Temp\*7z*\*.exe
    *>*\Temp\*rar*\*.exe
    *>*\Temp\*sfx\*.exe
    *>*\Temp\*wz*\*.exe
    *>*\Temp\*zip*\*.exe
    *>*\Temp\7z*\*.exe
    *>*\Temp\rar*\*.exe
    *>*\Temp\wz*\*.exe
    *>*aspnet_compiler.exe
    *>*attrib.exe
    *>*auditpol.exe
    *>*bash.exe
    *>*bcdboot.exe
    *>*bcdedit.exe
    *>*bginfo.exe
    *>*bitsadmin*
    *>*bootcfg.exe
    *>*bootim.exe
    *>*bootsect.exe
    *>*ByteCodeGenerator.exe
    *>*cacls.exe
    *>*cdb.exe
    *>*csc.exe
    *>*csi.exe
    *>*dbghost.exe
    *>*dbgsvc.exe
    *>*debug.exe
    *>*DFsvc.exe
    *>*diskpart.exe
    *>*dnx.exe
    *>*eventvwr.exe
    *>*fsi.exe
    *>*fsiAnyCpu.exe
    *>*hh.exe
    *>*IEExec.exe
    *>*iexplore.exe
    *>*iexpress.exe
    *>*ilasm.exe
    *>*infdefaultinstall.exe
    *>*InstallUtil*
    *>*InstallUtil.exe
    *>*journal.exe
    *>*jsc.exe
    *>*kd.exe
    *>*lpkinstall*
    *>*LxssManager.dll
    *>*mmc.exe
    *>*msra.exe
    *>*MSBuild.exe
    *>*mshta.exe
    *>*msiexec.exe
    *>*mstsc.exe
    *>*netsh.exe
    *>*netstat.exe
    *>*ntkd.exe
    *>*ntsd.exe
    *>*odbcconf.exe
    *>*powershell.exe
    *>*powershell_ise.exe
    *>*PresentationHost.exe
    *>*quser.exe
    *>*rcsi.exe
    *>*reg.exe
    *>*RegAsm*
    *>*regini.exe
    *>*Regsvcs*
    *>*regsvr32.exe
    *>*RunLegacyCPLElevated.exe
    *>*runonce.exe
    *>*runscripthelper.exe
    *>*schtasks.exe
    *>*scrcons.exe
    *>*script.exe
    *>*sdbinst.exe
    *>*sdclt.exe
    *>*set.exe
    *>*setx.exe
    *>*Stash*
    *>*syskey.exe
    *>*system.management.automation.dll
    *>*systemreset.exe
    *>*takeown.exe
    *>*taskkill.exe
    *>*UserAccountControlSettings.exe
    *>*utilman.exe
    *>*vbc.exe
    *>*visualuiaverifynative.exe
    *>*vssadmin.exe
    *>*wbemtest.exe
    *>*windbg.exe
    *>*wmic.exe
    *>*xcacls.exe
    *>?:\$Recycle.Bin\*
    *>C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\*
    *>C:\Users\Public\*
    *>C:\Windows\$FORENSICS\*
    *>C:\Windows\ADFS\*
    *>C:\Windows\debug\WIA\*
    *>C:\Windows\Fonts\*
    *>C:\Windows\PLA\Reports\*
    *>C:\Windows\PLA\Reports\de-DE\*
    *>C:\Windows\PLA\Rules\*
    *>C:\Windows\PLA\Rules\de-DE\*
    *>C:\Windows\PLA\Templates\*
    *>C:\Windows\Registration\CRMLog\*
    *>C:\Windows\servicing\Packages\*
    *>C:\Windows\servicing\Sessions\*
    *>C:\Windows\System32\Com\dmp\*
    *>C:\Windows\System32\FxsTmp\*
    *>C:\Windows\System32\LogFiles\WMI\*
    *>C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*
    *>C:\Windows\System32\spool\drivers\color\*
    *>C:\Windows\System32\spool\PRINTERS\*
    *>C:\Windows\System32\spool\SERVERS\*
    *>C:\Windows\System32\Tasks\*
    *>C:\Windows\System32\Tasks_Migrated\*
    *>C:\Windows\SysWOW64\Com\dmp\*
    *>C:\Windows\SysWOW64\FxsTmp\*
    *>C:\Windows\SysWOW64\Tasks\*
    *>C:\Windows\Tasks\*
    *>C:\Windows\Temp\*
    *>C:\Windows\tracing\*

    Some override/exclusion rules (below) to prevent legitimate use case blockages. You would likely have to add some more rules regarding the *>C:\Windows\Temp\* rule, because lots of programs (Chrome, etc.) use that directory when they have updates. You can always run in non-lethal mode [#LETHAL] when there are updates so that you can capture some logging to create specific override/exclusion rules.

    Code:
    [MODULEWHITELIST]
    #   Blacklist Override
    !C:\Program Files\Microsoft VS Code\Code.exe>C:\Windows\System32\reg.exe
    !C:\Program Files (x86)\Stardock\Fences\Fences.exe>C:\Windows\System32\icacls.exe
    !C:\Program Files\Intel\WiFi\bin\iWrap.exe>C:\Windows\System32\cacls.exe
    !C:\Program Files (x86)\Microsoft Visual Studio\2017\*>*
    #    Blacklist Override - Hyper-V Manager, Event Viewer, etc.
    !C:\Windows\explorer.exe>C:\Windows\System32\mmc.exe
    !C:\Windows\System32\svchost.exe>C:\Windows\System32\mmc.exe
    #    Blacklist Override - DISM
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe>??*\Temp\????????-????-????-????-????????????\*.dll
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    !C:\Windows\System32\*>??*\Temp\????????-????-????-????-????????????\DismHost.exe
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,772
    It is working as expected and launching of files is denied :)
    Now MemProtect is an Anti-Executable :geek:
    Code:
    Launching of files in C:\portable\test\ is denied:
    [MODULEBLACKLIST]
    *>C:\portable\test\*
    
    *** excubits.com demo ***: 2018/02/06_00:40 > MODULE > C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\portable\test\AppCrashView.exe
    *** excubits.com demo ***: 2018/02/06_00:42 > MODULE > C:\Windows\explorer.exe > C:\portable\test\AppCrashView.exe
    
    One more example:
    
    Only Explorer is allowed to launch files in the directory C:\portable\test:
    [MODULEWHITELIST]
    !C:\Windows\explorer.exe>C:\portable\test\*
    [MODULEBLACKLIST]
    *>C:\portable\test\*
    
     
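    The rule semantics spelled out in this thread (parent>child entries, * and ? wildcards, a ! whitelist that overrides the blacklist, $ silent rules that must sit above other blacklist rules, [#SECTION] to disable a section, the "2017/12/28_20:01:54 > MEMORY > source > target" log format, and the *> prefix used to turn Blacklist.txt into [MODULEBLACKLIST] rules) are easy to get wrong by hand. The following is an added example, not Excubits code and not from any poster: an offline simulator that parses a MemProtect-style ini, replays log lines against it and reports which rule would decide each access. The precedence and matching behaviour it implements (whitelist before blacklist, first blacklist match wins, case-insensitive paths, a rule line with leading or trailing spaces being ignored) are my assumptions drawn from the explanations above, and the ini and log lines are constructed for the example.

```python
"""Offline simulator for MemProtect-style rule files (added example, not Excubits code).

Assumed semantics (taken from the explanations in this thread, not verified
against the driver):
  * [WHITELIST]/[BLACKLIST] govern memory access and therefore process creation;
    [MODULEWHITELIST]/[MODULEBLACKLIST] govern DLL/EXE module loading.
  * A rule reads  parent>child ; '*' matches any run of characters, '?' one
    character; paths compare case-insensitively.
  * A whitelist entry starts with '!' and overrides the blacklist.
  * A blacklist entry starting with '$' blocks silently; the first matching
    blacklist rule wins, which is why silent rules go on top.
  * A header written as [#NAME] disables that section.
  * A rule line with leading/trailing whitespace is ignored and reported.
"""
import re
from dataclasses import dataclass, field

SECTIONS = {"MEMORY": ("WHITELIST", "BLACKLIST"),
            "MODULE": ("MODULEWHITELIST", "MODULEBLACKLIST")}


def _glob_to_regex(pattern):
    """Translate MemProtect wildcards into a compiled, case-insensitive regex."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass
class Rule:
    text: str                # rule exactly as written in the ini
    parent: "re.Pattern"
    child: "re.Pattern"
    silent: bool = False     # '$' rule: blocked but not logged

    def matches(self, source, target):
        return bool(self.parent.match(source) and self.child.match(target))


@dataclass
class RuleSet:
    sections: dict = field(default_factory=dict)  # section name -> [Rule]
    ignored: list = field(default_factory=list)   # (line number, raw text)


@dataclass
class Decision:
    action: str          # "allow" or "block"
    rule: str = ""       # rule text that decided it ("" if no rule matched)
    logged: bool = False  # True only for a non-silent block


def parse_ini(text):
    rs, current = RuleSet(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = None if name.startswith("#") else name.upper()  # [#NAME] disables
            if current is not None:
                rs.sections.setdefault(current, [])
            continue
        if current is None:
            continue
        if raw != line or ">" not in line:      # assumption: stray whitespace => rule ignored
            rs.ignored.append((lineno, raw))
            continue
        body = line[1:] if line[0] in "!$" else line
        parent, child = body.split(">", 1)
        rs.sections[current].append(
            Rule(line, _glob_to_regex(parent), _glob_to_regex(child), silent=line.startswith("$")))
    return rs


def evaluate(rs, kind, source, target):
    """Decide one MEMORY or MODULE access from `source` to `target`."""
    white, black = SECTIONS[kind]
    for rule in rs.sections.get(white, []):
        if rule.matches(source, target):
            return Decision("allow", rule.text)
    for rule in rs.sections.get(black, []):
        if rule.matches(source, target):
            return Decision("block", rule.text, logged=not rule.silent)
    return Decision("allow")


# Log format seen in this thread, with the optional '*** excubits.com demo ***: ' prefix.
LOG_RE = re.compile(r"^(?:\*\*\* .*? \*\*\*: )?(\S+) > (MEMORY|MODULE) > (.+?) > (.+)$")


def replay_log_line(rs, line):
    """Re-evaluate a logged access against the rule set."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a MemProtect log line: " + line)
    _stamp, kind, source, target = m.groups()
    return evaluate(rs, kind, source, target)


def to_parent_rules(blacklist_txt):
    """Prefix each Blacklist.txt pattern with '*>' for use in [MODULEBLACKLIST]."""
    lines = (l.strip() for l in blacklist_txt.splitlines())
    return ["*>" + l for l in lines if l and not l.startswith("#")]


# Constructed ini modelled on the rules posted in this thread (' *>*calc.exe' is
# deliberately mis-indented to show the whitespace check).
SAMPLE_INI = r"""
[WHITELIST]
!C:\Windows\System32\services.exe>C:\Windows\System32\lsass.exe
[BLACKLIST]
$C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe>C:\Windows\explorer.exe
*\firefox.exe>C:\Windows\*
*>*lsass.exe
 *>*calc.exe
[MODULEWHITELIST]
!C:\Windows\explorer.exe>C:\portable\test\*
[MODULEBLACKLIST]
*>C:\portable\test\*
*>*powershell.exe
[#MODULEFILTER]
*>*disabled.dll
"""

# Constructed log lines in the format shown in this thread.
SAMPLE_LOG = [
    r"2017/12/28_20:01:54 > MEMORY > C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe > C:\Windows\explorer.exe",
    r"2018/02/06_00:40 > MEMORY > C:\Program Files\Mozilla Firefox\firefox.exe > C:\Windows\System32\cmd.exe",
    r"2018/02/06_00:41 > MEMORY > C:\Windows\System32\services.exe > C:\Windows\System32\lsass.exe",
    r"*** excubits.com demo ***: 2018/02/06_00:42 > MODULE > C:\Windows\explorer.exe > C:\portable\test\AppCrashView.exe",
    r"*** excubits.com demo ***: 2018/02/06_00:43 > MODULE > C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\portable\test\AppCrashView.exe",
]

if __name__ == "__main__":
    rs = parse_ini(SAMPLE_INI)
    for entry in SAMPLE_LOG:
        d = replay_log_line(rs, entry)
        print(f"{d.action:5} logged={str(d.logged):5} {d.rule or '(no rule)'}  <- {entry}")
    for lineno, raw in rs.ignored:
        print(f"ignored ini line {lineno}: {raw!r}")
```

    Running it stand-alone prints the decision and deciding rule for each constructed log line: the Thunderbird access is blocked silently by the $ rule, the Firefox launch of cmd.exe is blocked and logged by *\firefox.exe>C:\Windows\*, services.exe reaching lsass.exe is allowed by the whitelist, and only explorer.exe may start files under C:\portable\test\. The mis-indented calc.exe rule is reported as ignored, which is the kind of mistake that is otherwise invisible until the rule silently fails to fire.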
  22. JDackNo

    JDackNo Registered Member

    Joined:
    Oct 27, 2014
    Posts:
    13
    Location:
    FRANCE
    I'd like to try one of them, but is Excubits' actual setup compatible with XP, or do I need to ask the developer for a specific one?

    Thanks:)
     
  23. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,772
    At least Windows 7 is required, but you can ask them via email if they have a "special version" for Windows XP.
     
  24. JDackNo

    JDackNo Registered Member

    Joined:
    Oct 27, 2014
    Posts:
    13
    Location:
    FRANCE
    Thanks @mood

    I will do as advised by you:thumb:
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,011
    Okay guys and gals, a question. How do you test to be sure MemProtect is doing its job?
     