MemProtect - Support & Discussion

Discussion in 'other anti-malware software' started by WildByDesign, Aug 21, 2016.

  1. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Can you post the default ini for time saving purposes?
     
  2. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    [LETHAL]
    [LOGGING]
    [#INSTALLMODE]
    [#DEFAULTALLOW]
    [#MODULEFILTER]
    [WHITELIST]
    *>*
    [BLACKLIST]
    *TaskMgr.exe>C:\Windows\notepad.exe
    c:\windows\system32\dnsapi.dll>*
    c:\windows\system32\w32time.dll>*
    *explorer.exe>C:\Windows\notepad.exe
    [MODULEWHITELIST]
    [MODULEBLACKLIST]
    [EOF]

    I was trying to test if memprotect is working, so I moved the explorer>notepad line from the whitelist to the blacklist; it did prevent me from starting that notepad. But task manager can still kill notepad.
     
  3. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    First of all, if you're using #defaultallow and *>* in whitelist, change it to defaultallow and remove the *>* line. More lines = slower performance, the main reason why my current config uses defaultallow with only 42 lines including [EOF] and the empty line after it. The other reason being that a default-deny config would take too much time to tweak in memprotect as I use new software regularly.

    Regarding your problem, I just opened a .txt file on my desktop by double-clicking it. In task manager, I right-click notepad.exe and click open file location, which leads me to C:\Windows\System32\notepad.exe, not C:\Windows\notepad.exe

    After changing that line to *Taskmgr.exe>C:\Windows\System32\notepad.exe, I could not kill notepad.exe with task manager.
     
  4. guest

    guest Guest

    The main job of Memprotect is to protect the memory of a process.
    If you see that a program can't open/read/write/modify the memory of a protected process (or inject code into it) then you know that MemProtect is working.
     
  5. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Is the developer of Memprotect here in this forum ?
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Apparently not, unfortunately :).
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    The dev does not participate in the forum, but there are some very advanced users who do, and if there is an issue, they know how to contact the dev.
     
  8. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Well, with the ini file given above, I can terminate c:\windows\notepad.exe, and I did start that particular notepad in \windows from explorer. This is Win 10 Home v1809.
     
  9. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    You say it as if contacting the dev is like some magic ritual that only wizards can cast... Any1 can contact the dev from https://excubits.com/content/en/company_contact.html

    Can't replicate. With this .ini file
    [#INSTALLMODE]
    [LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [#MODULEFILTER]
    [WHITELIST]
    [BLACKLIST]
    *TaskMgr.exe>C:\Windows\notepad.exe
    [MODULEWHITELIST]
    [MODULEBLACKLIST]
    [EOF]
    Make sure to leave another empty line after [EOF]. I go to C:\Windows\notepad.exe, I open it, go to task manager, right-click that notepad.exe, click End Task, and I get "The operation could not be completed. Access is denied." and logs in memprotect.
     
  10. guest

    guest Guest

    Creating unkillable processes is out of the scope of MemProtect.
    But nevertheless, it depends how the process is terminated.

    Examples:
    ProcessHacker will always be able to terminate protected processes, if it is utilizing the kernel driver.
    If the kernel driver is not being used and if Processhacker is running with normal user privileges, it will not be able to terminate a protected process.
    If the kernel driver is not being used and if Processhacker is running with administrator privileges, it will be able to terminate a protected process.

    taskkill.exe launched with normal user privileges will be able to terminate a protected process without issues.
    Third-party-application: NoVirusthanks Process Lister will not be able to terminate a protected process.

    We can assume that if an application is able to launch taskkill or is even able to install a kernel driver, protected processes might be terminated.
    For example: The user is visiting a website, it drops a malicious executable, it launches taskkill.exe, etc.

    But if we protect all "vulnerable applications" (web browser, pdf reader, media player, etc.) we have secured the "main entry point" of malicious executables, dropped applications cannot even be launched and further damage is prevented.

    Even if protected processes could be terminated in some way, MemProtect still poses a good protection and is doing its job as advertised (reading/writing/modifying of the memory of processes or injecting of code into them will be prevented).
    It is also "kind of" an Anti-Executable. If we protect a PDF reader, for example SumatraPDF "*SumatraPDF.exe>*", SumatraPDF.exe cannot launch any other executable.

    In #1 a list of access rights can be found which MemProtect is protecting (PROCESS_CREATE_PROCESS, PROCESS_VM_WRITE, etc.)
     
  11. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Uhmm, no it's not

    With *taskmgr.exe>*notepad.exe rule in the blacklist, taskmgr can't kill notepad. With the same rule in the module blacklist, taskmgr can kill notepad.exe

    For taskkill.exe, things are a bit weirder

    taskkill /im notepad.exe shows me these 3 lines
    ERROR: The process "notepad.exe" with PID 9764 could not be terminated.
    Reason: This process can only be terminated forcefully (with /F option).
    SUCCESS: Sent termination signal to the process "notepad.exe" with PID 15288.

    And I get these logs in memprotect, I have a *>*notepad.exe rule in the blacklist that I changed after I opened notepad.exe, I don't have any other rules in this test .ini
    *** excubits.com demo ***: 2018/11/13_22:12 > MEMORY > C:\Windows\explorer.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:12 > MEMORY > C:\Windows\explorer.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:12 > MEMORY > C:\Program Files\NoVirusThanks\EXERadarPro\RadarPro.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:12 > MEMORY > C:\Program Files\NoVirusThanks\EXERadarPro\RadarPro.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:12 > MEMORY > C:\Windows\System32\wbem\WmiPrvSE.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:12 > MEMORY > C:\Windows\System32\wbem\WmiPrvSE.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:12 > MEMORY > C:\Windows\System32\taskkill.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:12 > MEMORY > C:\Windows\System32\taskkill.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:12 > MEMORY > C:\Windows\explorer.exe > C:\Windows\System32\notepad.exe

    And notepad.exe does indeed close. However, when I add the /f switch, notepad.exe doesn't close, and I get these lines
    ERROR: The process "notepad.exe" with PID 9764 could not be terminated.
    Reason: Access is denied.

    And these logs in memprotect
    1st try:
    *** excubits.com demo ***: 2018/11/13_22:12 > MEMORY > C:\Program Files\NoVirusThanks\EXERadarPro\RadarPro.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:14 > MEMORY > C:\Program Files\NoVirusThanks\EXERadarPro\RadarPro.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:14 > MEMORY > C:\Program Files\NoVirusThanks\EXERadarPro\RadarPro.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:14 > MEMORY > C:\Program Files\NoVirusThanks\EXERadarPro\RadarPro.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:14 > MEMORY > C:\Windows\System32\wbem\WmiPrvSE.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:14 > MEMORY > C:\Windows\System32\taskkill.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:14 > MEMORY > C:\Windows\System32\taskkill.exe > C:\Windows\System32\notepad.exe
    2nd try:
    *** excubits.com demo ***: 2018/11/13_22:18 > MEMORY > C:\Windows\explorer.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:18 > MEMORY > C:\Program Files\NoVirusThanks\EXERadarPro\RadarPro.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:18 > MEMORY > C:\Program Files\NoVirusThanks\EXERadarPro\RadarPro.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:18 > MEMORY > C:\Windows\System32\wbem\WmiPrvSE.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:18 > MEMORY > C:\Windows\System32\wbem\WmiPrvSE.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:18 > MEMORY > C:\Windows\System32\taskkill.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:18 > MEMORY > C:\Windows\System32\taskkill.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:18 > MEMORY > C:\Windows\System32\taskkill.exe > C:\Windows\System32\notepad.exe
    *** excubits.com demo ***: 2018/11/13_22:18 > MEMORY > C:\Windows\System32\taskkill.exe > C:\Windows\System32\notepad.exe

    So, seems like taskkill.exe without the /f command is like "hey dude, u better close urself or I will come and close u", so notepad.exe decides to close itself, however, when using the /f switch, NOW taskkill.exe is ******* and then he's like "well, if you won't listen to my non /f command, I will beat u up personally", but then memprotect blocks the beating. Essentially, a process is allowed to close itself. Even with *>*notepad.exe rule, I can close notepad.exe when clicking the X on the notepad.exe window. Which is (supposedly) notepad.exe closing itself. And same thing happens when using the non /f switch, taskkill tells notepad to close itself, and notepad.exe does so. Whereas with the /f switch, taskkill realizes notepad.exe is a stubborn dude and won't close itself (at least that's the supposed use of the /f switch is) and decides to close notepad himself, but because of the *>*notepad.exe rule, taskkill can't close notepad itself, because of the rule only notepad can close itself, close and kill are synonyms here. When using the /f switch with Memprotect Off, I get the message "SUCCESS: The process "notepad.exe" with PID 15300 has been terminated.", whereas without the /f switch, I get "SUCCESS: Sent termination signal to the process "notepad.exe" with PID 13300.", further confirming my theory that without the /f switch taskkill just nicely tells notepad to close itself, whereas with the /f switch taskkill decides to beat and close notepad personally, thus "has been terminated" and no "signal"

    However, the fact that I get these 3 lines
    ERROR: The process "notepad.exe" with PID 9764 could not be terminated.
    Reason: This process can only be terminated forcefully (with /F option).
    SUCCESS: Sent termination signal to the process "notepad.exe" with PID 15288.

    when I try to kill notepad.exe without the /f command while memprotect is on, means that, essentially, taskkill first tries to kill notepad by paying some weird dude he saw on the street (the dude has no /f switch), however the dude fails, and then taskkill decides to nicely tell notepad to close itself. Whereas with the /f switch, taskkill comes personally, not sending a random dude. Essentially this likely means taskkill has higher permissions for killing a process when using /f switch. But even without /f switch, it still tries to use its lower permissions first to kill it, and only then tells it nicely to close itself. Weirdly however, when memprotect is off, I don't get the terminated message without the /f switch, just the signal message. So when memprotect is off, taskkill skips the random dude on the street and just directly tells notepad, straightforward guy. But when memprotect is on, he first tries the dude on the street, and only then tells notepad. However, I did a few more tries without the /f switch with memprotect on, and I only got the signal message, not the error message and the try /f message, so who knows how I got them the 1st time.

    So, when a process is the only one that can kill itself, thus the only one that can access its memory, that means that yes, memprotect does stop a process from killing another one, unless the process is taskkill who's telling nicely the other process to close, since that apparently doesn't access that other process' memory. However, that ONLY works if the other process that taskill is trying to kill respects the nice message. I did a test with LeagueClient.exe, which is the client of the game League of Legends. Again, a *>*leagueclient.exe rule in the blacklist, with no other rules. This time, I only got
    ERROR: The process "LeagueClient.exe" with PID 11540 could not be terminated.
    Reason: This process can only be terminated forcefully (with /F option)
    messages, and the process didn't close itself. So, it seems like only some processes, likely those made by microsoft, respect the "pls kill urself, I'm asking nicely" message by taskkill, since leagueclient.exe did not respect this message and did not close/kill itself. I then repeated this 10 times, without any success. And when using the /f switch, I again got the access denied message.

    So, yes, memprotect stops a process from killing another one, unless the process sends a nice message to the other process telling it to kill itself, and the other process respects it

    Enough fun with the normal blacklist, now let's see what happens when using the moduleblacklist

    Once again, a process can access its own memory (or should I say, "module") and kill itself
    Taskkill succeeds in closing notepad.exe without the /f switch, no logs here in memprotect
    Taskkill also succeeds in closing notepad.exe with the /f switch, no logs here either in memprotect
    Taskkill fails to close leagueclient.exe without the /f switch, no logs here, which means taskkill normally fails regardless of memprotect, leagueclient.exe refuses to kill itself and also runs elevated, while taskkill without /f switch does not seem to run elevated, which is supposedly why taskkill can normally only kill leagueclient.exe with the /f switch, elevation beats another elevation
    Taskkill successfully kills leagueclient.exe with the /f switch, no logs here either

    So, this confirms that moduleblacklist does not impact a process' ability to kill another process. At least, if the former accesses the latter by memory, and not by "module". Explorer.exe uses both memory and module access, and you can't open a process if there's a *>*notepad.exe rule in either the blacklist (memory) or moduleblacklist (module)

    In order to open a process, you need both explorer.exe and csrss.exe to have access to it in the whitelist, and you also need explorer.exe to have access to it in the modulewhitelist. If any of the 3 conditions is not fulfilled, you'll only partly open it, as evidenced by the loading cursor left over in the explorer window (doesn't happen if you get the message below)

    Also, when explorer is blocked in the moduleblacklist, you get "contact your system administrator" message (haven't tested if that also appears when blocked in the normal blacklist in combination with the module one), but this message does not appear when either explorer or csrss.exe or both are blocked in memory but explorer.exe is not blocked in moduleblacklist
     
    Last edited: Nov 13, 2018
  12. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    is it worth buying now considering the last binary update was 2017 (take into consideration the latest 1903)? also, how does the trial work, is it limited to 30 days (standard)? is the 12 euro license for 1 pc or 1 user? best
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    AFAIK the demo version limits the size of the config file, and after a year, you need to reinstall the driver. Reinstalling the driver is not a big deal. I would not want to do it every day, but once a year is no sweat.

    As for the lack of updates, I doubt that anything has changed so fundamentally in Windows that MemProtect would be affected. The driver is co-signed by Microsoft, that's all you need.
     
  14. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    thanks, so it seems there is no reason not to use it. is there any hard incompatibility issue with other software like novirusthanks products or antimalware, or light virtualization software (deep freeze, shadow defender, time freeze)? I guess I will have to tweak around to make this compatible with some whitelisting (or does it work with mostly everything out of the box?). I am also thinking that if I use this, I should ditch malwarebytes anti exploit
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I do not know of any hard incompatibilities.
    I have heard people say that you should make exceptions for your AV and security softs in all the memory "cages", because the application you are caging might need to call back to the AV to verify if something is malware or not.
     
  16. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    cages? ok I guess when I try it I will know what u mean, hopefully there are some examples available here or on other forums on how to make it compatible with AV via whitelisting
    I need settings for zemana AM, eset, kaspersky and avast
     
    Last edited: Aug 21, 2019
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    "Cage" is the term used for MemProtect, the idea is that the process or folder you are protecting is in a memory "cage", so to speak. The idea is that it cannot break out of the cage. If I put chrome.exe on the blacklist, it is in a "cage".

    To whitelist your security softs, you just put their appropriate paths on the whitelist with ! at the beginning of the rule. ! means that this rule should override a contradicting blacklist rule.
     
  18. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    so instead of default deny is there a way to allow everything (default allow) and just set some mitigation options, like hardening with "cages" the lsass.exe
    or explorer.exe processes
    (I have not tried the software yet)
    I do a lot of install/uninstall on the fly, while the pc is almost completely clean of programmes, so the default deny could possibly be a pain in this scenario (I want some mitigations from the soft and not the full spectrum)
     
    Last edited: Aug 25, 2019
  19. guest

    guest Guest

  20. guest

    guest Guest

    New blog entry:

    2020/01/22
    Mitigate against IE Scripting vulnerability
    Microsoft Internet Explorer Scripting Engine memory corruption vulnerability

    https://excubits.com/content/en/news.html
    Code:
    *>C:\Windows\*jscript.dll
    
     
  21. Durew

    Durew Registered Member

    Joined:
    Jan 5, 2019
    Posts:
    2
    Location:
    Netherlands
    Hi all,

    I've started trying to configure memprotect. Sadly my attempt to add exceptions to the blacklist (i.e. write a specific whitelist rule that overrules a more general blacklist rule). Eventually I tried to make a configuration that should not block/log anything at all. See below.
    Code:
    [#LETHAL]
    [LOGGING]
    [#INSTALLMODE]
    [DEFAULTALLOW]
    [#MODULEFILTER]
    [WHITELIST]
    *explorer.exe>C:\Windows\notepad.exe
    *>*
    !C:\Program Files\Mozilla Firefox\*>C:\Program Files\Mozilla Firefox\*
    
    [BLACKLIST]
    C:\Program Files\Mozilla Firefox\*>C:\Program Files\Mozilla Firefox\*
    [MODULEWHITELIST]
    [MODULEBLACKLIST]
    [EOF]
    
    Somehow it does block firefox. A few lines of the log show this:
    Code:
    2020/05/03_21:59:52 > MEMORY > C:\Program Files\Mozilla Firefox\firefox.exe > C:\Program Files\Mozilla Firefox\firefox.exe
    2020/05/03_21:59:52 > MEMORY > C:\Program Files\Mozilla Firefox\firefox.exe > C:\Program Files\Mozilla Firefox\firefox.exe
    2020/05/03_21:59:52 > MEMORY > C:\Program Files\Mozilla Firefox\firefox.exe > C:\Program Files\Mozilla Firefox\firefox.exe
    I'm at a loss about how this is possible. I would really appreciate it if someone could help me with this.

    Kind regards,
    Durew
     
  22. guest

    guest Guest

    A priority rule needs to be on top.
     
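    A small model of the source>target rule evaluation discussed in this thread, added here as an example; it is not part of the original posts and not Excubits' driver code. Its precedence (only the leading `!` lines of [WHITELIST] beat the blacklist, then blacklist, then default allow) is an assumption reconstructed from posts #17 and #22, and the sample configs are taken from Durew's and Floyd 57's posts.

```python
# Model of MemProtect's "source>target" rule evaluation, reconstructed from this thread.
import itertools
import re
from types import SimpleNamespace

def _glob(pattern):
    # Only '*' is a wildcard; Windows paths compare case-insensitively.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)

def parse_rule(line):
    """'!src>dst' -> (is_priority, src_regex, dst_regex)."""
    src, dst = line.lstrip("!").split(">", 1)
    return line.startswith("!"), _glob(src), _glob(dst)

def parse_ini(text):
    """Collect [WHITELIST]/[BLACKLIST] rules; '[#NAME]' is a disabled section."""
    cfg, section = SimpleNamespace(default_allow=False, whitelist=[], blacklist=[]), None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line == "[EOF]":
            break
        if line.startswith("["):
            section = line[1:-1]
            cfg.default_allow |= section == "DEFAULTALLOW"
        elif section == "WHITELIST":
            cfg.whitelist.append(parse_rule(line))
        elif section == "BLACKLIST":
            cfg.blacklist.append(parse_rule(line))
    return cfg

def decide(cfg, src, dst):
    """Verdict for process src opening the memory of process dst."""
    def hit(rules):
        return any(s.fullmatch(src) and d.fullmatch(dst) for _, s, d in rules)
    # Assumption from post #22: only '!' lines at the very top of [WHITELIST]
    # override the blacklist; a '!' line placed lower is treated as ordinary.
    if hit(itertools.takewhile(lambda r: r[0], cfg.whitelist)):
        return "ALLOW", "priority whitelist rule"
    if hit(cfg.blacklist):
        return "BLOCK", "blacklist rule"
    if cfg.default_allow or hit(cfg.whitelist):
        return "ALLOW", "default allow" if cfg.default_allow else "whitelist rule"
    return "BLOCK", "default deny"

def hoist_priority_rules(ini):
    """Rewrite .ini text so each section's '!' rules come first (the fix from post #22)."""
    out, top = [], 0
    for line in ini.splitlines():
        if line.startswith("!"):
            out.insert(top, line)
            top += 1
        else:
            out.append(line)
            if line.startswith("["):
                top = len(out)
    return "\n".join(out)

# Durew's config as posted (trimmed): the '!' line sits below '*>*', so the blacklist still wins.
DUREW_INI = r"""
[DEFAULTALLOW]
[WHITELIST]
*explorer.exe>C:\Windows\notepad.exe
*>*
!C:\Program Files\Mozilla Firefox\*>C:\Program Files\Mozilla Firefox\*
[BLACKLIST]
C:\Program Files\Mozilla Firefox\*>C:\Program Files\Mozilla Firefox\*
[EOF]
"""
# Floyd 57's test config: the rule names C:\Windows\notepad.exe, not the System32 copy.
FLOYD_INI = "[DEFAULTALLOW]\n[WHITELIST]\n[BLACKLIST]\n*TaskMgr.exe>C:\\Windows\\notepad.exe\n[EOF]\n"
```

    Calling `decide(parse_ini(DUREW_INI), ff, ff)` for the Firefox path returns a blacklist block, while the same call on `hoist_priority_rules(DUREW_INI)` returns the priority allow that Durew was after; the Floyd config shows why a rule written for C:\Windows\notepad.exe does not cover the System32 copy.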
  23. Durew

    Durew Registered Member

    Joined:
    Jan 5, 2019
    Posts:
    2
    Location:
    Netherlands
    Thank you! It all seems to be working now.
     
  24. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,955
    Location:
    The Pond - USA
    Just to let you folks know, EXCUBITS is no longer available on the net and the Company is undergoing what the developer calls a "strategic realignment." I don't know how ominous this is but the product(s) Developer remains available at <info@excubits.com> to assist anyone with fully licensed application issues.
     