MemProtect - Support & Discussion

What does that mean? You select the app when you install with 'Install Mode' on and that gets it protected?

 

Thanks

But I already have programs installed so the 'Install Mode' don't work or does it only work when you install a new program?

Also, how about Windows processes? Are they available for user to select and protect? Or are they protected by default?

 

I have wanted to do this for quite some time, but unfortunately time has been very limited. I've finally had a chance to do some preliminary LSASS.EXE memory protection testing with MemProtect. It took some time to do the logging necessary to create some rules. I would advise to be super careful with lsass.exe because incorrect rules could cause system stability issues for sure.

These are just preliminary rules that I will expand on later. There is some basic whitelist rules along with the blacklist rules to run lsass.exe as a protected process. Then some silence blocking ($) rules as well. I still have to mess around with some module whitelist and module blacklist stuff later to see which DLLs should and should not be allowed.

Code:

[WHITELIST]
#   LSASS (lsass.exe) Protection
!C:\Windows\System32\services.exe>C:\Windows\System32\lsass.exe
!C:\Windows\System32\svchost.exe>C:\Windows\System32\lsass.exe
!C:\Windows\System32\csrss.exe>C:\Windows\System32\lsass.exe
!C:\Windows\System32\lsass.exe>C:\Windows\System32\*
[BLACKLIST]
#   LSASS (lsass.exe) Protection
$C:\Windows\System32\lsass.exe>C:\Windows\SystemApps\*
$C:\Windows\System32\lsass.exe>C:\Windows\explorer.exe
$C:\Windows\System32\lsass.exe>C:\Program Files*
*>*lsass.exe
*lsass.exe>*

 

BTW, I haven't really followed all of this stuff, but isn't this the same?

https://www.petri.com/enable-lsa-protection-windows-8-1-server-2012-r2

 

Why not, isn't the goal to make lsass.exe a protected process, or does MemProtect do more?

 

As far as the end goal is concerned, both solutions end up running lsass.exe with the memory restrictions of protected process-light. So yes, a similar end goal. But as Pete mentioned, the route to getting to that end goal is slightly different. The built-in PPL by MS ensures that any non-signed, non-trusted DLL modules are blocked from any kind of memory access to/from lsass.exe process. Therefore blocking many credential stealing methods such as mimikatz and I believe also the EternalBlue exploit since those types of attacks involve memory manipulation of lsass.exe process.

MemProtect would have the same end goal, however, it also gives you the opportunity to control any DLL module activity to/from lsass.exe process. Therefore, same end goal, just more granular control over the entire memory protection mechanisms. I'm actually using built-in PPL by MS to protect lsass.exe combined with MemProtect right now for testing purposes. So far the testing is going well, but it completely blew my mind how much access lsass.exe needs to nearly every aspect of the running Windows OS. Therefore the rules can be quite complex in the end. Being in the "drivers seat", so to speak, is what I appreciate most about MemProtect. I've got the final say and the overall control which is quite nice.

Although, in the wrong hands, I would not want to imagine what it would be like if malware utilized this to create somewhat of a memory sandbox to protect the malware itself. That would be some significant power but that would indeed need some sort of kernel level exploit to achieve in the end.

 

OK so with MemProtect you get a little more control. I wouldn't want to mess around with it, so the built-in setting in Windows is good enough for me.

 

I can see licenses prices from Excubits products at their official site. Also I read the ToS, found nothing about lifetime licenses. Are they available?
Lifetime + lifetime upgrades/updates.

 

Well I think I didn't dig enough. Found in FAQ myself that:

 

And you probably get a discount after one year, so you don't have to pay the full price.
The post is from 2016, maybe things have changed in the meantime:

 

Thank you.

 

I have a couple of questions about Memprotect:

1. I get loads of entries logged from many different programs accessing explorer such as
2017/12/28_20:01:54 > MEMORY > C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe > C:\Windows\explorer.exe
What is happening here? These are logged as blocked but it does not appear to stop anything from working.

2. Memprotect appears to stop program A running program B. Is this a duplication of Bouncers parent rules or is this different? If Bouncer does this better it would be nice to turn just this off in Memprotect so only bouncer controls execution and Memprotect can be configured to block everything else.

 

1. For some reaons applications want to access the memory of explorer.exe.
If the functionality of the Thunderbird is not affected (by blocking the access to explorer.exe) you can use a silent rule for this (which must be added on the top of the blacklist or at least above other rules for Thunderbird)

Code:

$C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe>C:\Windows\explorer.exe

2. This is how MemProtect works. If you block for example Firefox from accessing C:\Windows\*, Firefox can't access the memory of applications in C:\Windows\* and Firefox can't launch applications in C:\Windows\*

For example: *\firefox.exe>C:\Windows\*
If Firefox is not allowed to access C:\Windows\* and if Firefox is launching C:\Windows\cmd.exe, MemProtect is blocking it (in Process Hacker C:\Windows\cmd.exe can be seen as a suspended Process and it hasn't launched fully).
[In #1 access rights are listed which MemProtect is blocking, one of them is: (The following specific access rights are not allowed from a process to a protected process: "PROCESS_CREATE_PROCESS")]

In relation to the rule above:
a) C:\Windows\cmd.exe = a protected process (at least for firefox.exe it is a protected process)
b) Firefox is launching C:\Windows\cmd.exe = "specific access rights are not allowed from a process to a protected process" (see #1)
= MemProtect has blocked the execution of C:\Windows\cmd.exe because it has blocked needed access rights to create the process.

 

Thank you for the explanation.

In Procmon I find many calls to QueryNameInformationFile with C:\Windows\Explorer.exe as target. I wonder if this is causing these entries.

I am using silent rules to keep the entries out of the logs but it would be nice to know what I am blocking.

 

Blocking memory access will also block execution as well. But I believe what brought MemProtect functionality closer (similar) to that of Bouncer was the addition of the [MODULEFILTER] DLL filtering. This was done very similar to Bouncer's internal rules engine. Bouncer, no doubt, is far more powerful when it comes to execution control especially with module filtering and command line filtering.

Therefore, you could disable MemProtect's module filtering if you wanted to since it does overlap similarly to Bouncer since you are using both drivers. Just switch [MODULEFILTER] to [#MODULEFILTER] to disable MemProtect's DLL/module filtering and then you will be back to just memory access protections entirely.

 

Killing Protected Processes

After some brief testing with PPLKiller (https://github.com/Mattiwatti/PPLKiller) and mimikatz (https://github.com/gentilkiwi/mimikatz) which have methods to forcefully remove the Protected Process Light (PPL) memory protection status from protected processes in Windows, I have determined that they both have no negative effect on MemProtect.

MemProtect protected processes' memory space remains fully protected since it applies PPL memory sandbox restrictions on-the-fly within kernel-mode.


Blacklisting Potentially Dangerous Modules/Executables

* keep in mind this blocks .exe as well, not just .dll modules, therefore effective at blocking/mitigating.
* if you already implemented this blacklist in Bouncer, no need to do this in MemProtect really
* always run non-lethal [#LETHAL] when testing major config changes such as this

On a side note, ever since the development of module filtering (DLL blocking) in MemProtect, I have been implementing Florian's Blacklist.txt rules in [MODULEBLACKLIST] section. I had to convert the blacklist to parent blacklist rules first with *> before each line. Please keep in mind that there may be some legitimate use cases for some of these blacklist items and therefore you can easily add whitelist overrides for legitimate use cases to the [MODULEWHITELIST] section.

Spoiler: MemProtect Module Blacklist Example

Code:

[MODULEBLACKLIST]
# Excubits Blacklist - Source: https://excubits.com/content/files/blacklist.txt
# Last Updated: 2018/02/03
#
*>*\AppData\Local\Temp\*.bat
*>*\AppData\Local\Temp\*.cmd
*>*\AppData\Local\Temp\*.com
*>*\AppData\Local\Temp\*.exe
*>*\AppData\Local\Temp\*.scr
*>*\AppData\Local\Temp\*.sys
*>*\AppData\Roaming\*.bat
*>*\AppData\Roaming\*.cmd
*>*\AppData\Roaming\*.com
*>*\AppData\Roaming\*.exe
*>*\AppData\Roaming\*.scr
*>*\AppData\Roaming\*.sys
*>*\at.exe
*>*\Temp\*.zip\*.exe
*>*\Temp\*7z*\*.exe
*>*\Temp\*rar*\*.exe
*>*\Temp\*sfx\*.exe
*>*\Temp\*wz*\*.exe
*>*\Temp\*zip*\*.exe
*>*\Temp\7z*\*.exe
*>*\Temp\rar*\*.exe
*>*\Temp\wz*\*.exe
*>*aspnet_compiler.exe
*>*attrib.exe
*>*auditpol.exe
*>*bash.exe
*>*bcdboot.exe
*>*bcdedit.exe
*>*bginfo.exe
*>*bitsadmin*
*>*bootcfg.exe
*>*bootim.exe
*>*bootsect.exe
*>*ByteCodeGenerator.exe
*>*cacls.exe
*>*cdb.exe
*>*csc.exe
*>*csi.exe
*>*dbghost.exe
*>*dbgsvc.exe
*>*debug.exe
*>*DFsvc.exe
*>*diskpart.exe
*>*dnx.exe
*>*eventvwr.exe
*>*fsi.exe
*>*fsiAnyCpu.exe
*>*hh.exe
*>*IEExec.exe
*>*iexplore.exe
*>*iexpress.exe
*>*ilasm.exe
*>*infdefaultinstall.exe
*>*InstallUtil*
*>*InstallUtil.exe
*>*journal.exe
*>*jsc.exe
*>*kd.exe
*>*lpkinstall*
*>*LxssManager.dll
*>*mmc.exe
*>*msra.exe
*>*MSBuild.exe
*>*mshta.exe
*>*msiexec.exe
*>*mstsc.exe
*>*netsh.exe
*>*netstat.exe
*>*ntkd.exe
*>*ntsd.exe
*>*odbcconf.exe
*>*powershell.exe
*>*powershell_ise.exe
*>*PresentationHost.exe
*>*quser.exe
*>*rcsi.exe
*>*reg.exe
*>*RegAsm*
*>*regini.exe
*>*Regsvcs*
*>*regsvr32.exe
*>*RunLegacyCPLElevated.exe
*>*runonce.exe
*>*runscripthelper.exe
*>*schtasks.exe
*>*scrcons.exe
*>*script.exe
*>*sdbinst.exe
*>*sdclt.exe
*>*set.exe
*>*setx.exe
*>*Stash*
*>*syskey.exe
*>*system.management.automation.dll
*>*systemreset.exe
*>*takeown.exe
*>*taskkill.exe
*>*UserAccountControlSettings.exe
*>*utilman.exe
*>*vbc.exe
*>*visualuiaverifynative.exe
*>*vssadmin.exe
*>*wbemtest.exe
*>*windbg.exe
*>*wmic.exe
*>*xcacls.exe
*>?:\$Recycle.Bin\*
*>C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\*
*>C:\Users\Public\*
*>C:\Windows\$FORENSICS\*
*>C:\Windows\ADFS\*
*>C:\Windows\debug\WIA\*
*>C:\Windows\Fonts\*
*>C:\Windows\PLA\Reports\*
*>C:\Windows\PLA\Reports\de-DE\*
*>C:\Windows\PLA\Rules\*
*>C:\Windows\PLA\Rules\de-DE\*
*>C:\Windows\PLA\Templates\*
*>C:\Windows\Registration\CRMLog\*
*>C:\Windows\servicing\Packages\*
*>C:\Windows\servicing\Sessions\*
*>C:\Windows\System32\Com\dmp\*
*>C:\Windows\System32\FxsTmp\*
*>C:\Windows\System32\LogFiles\WMI\*
*>C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*
*>C:\Windows\System32\spool\drivers\color\*
*>C:\Windows\System32\spool\PRINTERS\*
*>C:\Windows\System32\spool\SERVERS\*
*>C:\Windows\System32\Tasks\*
*>C:\Windows\System32\Tasks_Migrated\*
*>C:\Windows\SysWOW64\Com\dmp\*
*>C:\Windows\SysWOW64\FxsTmp\*
*>C:\Windows\SysWOW64\Tasks\*
*>C:\Windows\Tasks\*
*>C:\Windows\Temp\*
*>C:\Windows\tracing\*

Some override/exclusion rules (below) to prevent legitimate use case blockages. You would likely have to add some more rules regarding *>C:\Windows\Temp\* rule because lots of programs (Chrome, etc.) use that when they have updates. You can always run in non-lethal mode [#LETHAL] when there are updates so that you can capture some logging to create specific override/exclusion rules.

Spoiler: Example Overrides

Code:

[MODULEWHITELIST]
#   Blacklist Override
!C:\Program Files\Microsoft VS Code\Code.exe>C:\Windows\System32\reg.exe
!C:\Program Files (x86)\Stardock\Fences\Fences.exe>C:\Windows\System32\icacls.exe
!C:\Program Files\Intel\WiFi\bin\iWrap.exe>C:\Windows\System32\cacls.exe
!C:\Program Files (x86)\Microsoft Visual Studio\2017\*>*
#    Blacklist Override - Hyper-V Manager, Event Viewer, etc.
!C:\Windows\explorer.exe>C:\Windows\System32\mmc.exe
!C:\Windows\System32\svchost.exe>C:\Windows\System32\mmc.exe
#    Blacklist Override - DISM
!??*\Temp\????????-????-????-????-????????????\DismHost.exe>??*\Temp\????????-????-????-????-????????????\*.dll
!??*\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
!C:\Windows\System32\*>??*\Temp\????????-????-????-????-????????????\DismHost.exe

 

It is working as expected and launching of files is denied
Now MemProtect is an Anti-Executable

Code:

Launching of files in C:\portable\test\ is denied:
[MODULEBLACKLIST]
*>C:\portable\test\*

*** excubits.com demo ***: 2018/02/06_00:40 > MODULE > C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\portable\test\AppCrashView.exe
*** excubits.com demo ***: 2018/02/06_00:42 > MODULE > C:\Windows\explorer.exe > C:\portable\test\AppCrashView.exe

One more example:

Only Explorer is allowed to launch files in the directory C:\portable\test:
[MODULEWHITELIST]
!C:\Windows\explorer.exe>C:\portable\test\*
[MODULEBLACKLIST]
*>C:\portable\test\*

 

I'd like to try one of them but are Excubits actual setup compatible with XP or do I need to ask the developer for a specific one ?

Thanks

 

At least Windows 7 is required, but you can ask them via email if they have a "special version" for Windows XP.

 

Thanks @mood

I will do as advised by you