MemProtect - Support & Discussion

Discussion in 'other anti-malware software' started by WildByDesign, Aug 21, 2016.

  1. Deckard

    Deckard Registered Member

    Joined:
    Dec 13, 2016
    Posts:
    36
    Location:
    France
    I have Pumpernickel since some days, and yes, so far, happy with it. Now, regarding the initial MemProtect .ini, this is the reason of my question about MemProtect.
     
  2. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    Try to kill process from TaskManager: go to "Details"-Tab, then select process and right-click, there select "kill process". I was also tricked, closing application in TaskManager is technically different from killing.

    Depend on what you want to defeats. @Windows_Security discussed it some times ago also. MemProtect can help to defeat againts attacks where exploit tries to inject code from, lets say browser, to another process, lets say explorer.exe. So MemProtect does not directly fight exploitable hole but what attackers do after exploting. You should also consider to use some kind of anti-exe like Bouncer, VoodooShield, NVT, AppGuard or just SRPs, too. In addition with Security Essentials / Windows Defender this all sums up to solid security boundary which should defeat many attacks. So I dont think its placebo, but you need to know what you are doing, or it is useless (and then itz placebo :) )

    You asking about efficiency: On my systems (including VMs) it runs smooth, I dont feel any lags. If I remember right some users had issues with some other security tools together with MemProtect, so you should test an see. From my experince it works fine.
     
  3. Deckard

    Deckard Registered Member

    Joined:
    Dec 13, 2016
    Posts:
    36
    Location:
    France
    Thank you for these explanations 4Shizzle !
    I'm back with VS since 3.48b, after one year on Appguard. Bouncer is certainly good but I will stick with VS.
     
  4. Deckard

    Deckard Registered Member

    Joined:
    Dec 13, 2016
    Posts:
    36
    Location:
    France
    I am wondering, when I watch some .ini files why the full path for a process is not written ?
    Ex :

    # KeePass
    !*KeePass.exe>*KeePass.exe
    !C:\Windows\explorer.exe>*KeePass.exe
    !C:\Windows\System32\svchost.exe>*KeePass.exe
    ...

    Why, for svchost, explorer, etc, the full path is given, but not for Keepass ?
    What happen if a malware has a process name as 'MalwareKeepass.exe' ?
    With a line like that (!*KeePass.exe>*KeePass.exe), we grant the access from the malware to the legitimate process.
    No ?
     
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,109
    If malware is named C:\Windows\Temp\abcKeePass.exe it has indeed access to our legitimate process KeePass.exe.
    Especially in this case it would be better to specify the full path or at least mention C:\Program Files\*KeePass.exe>*KeePass.exe
    to be sure that KeePass.exe from Program Files has access to the executable.
    Or, to harden it a little bit it might be better to replace *KeePass.exe with the full path before and after the >
    Code:
    !*KeePass.exe>*KeePass.exe
    !C:\Windows\explorer.exe>*KeePass.exe
    !C:\Windows\System32\svchost.exe>*KeePass.exe
    =
    !c:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe>c:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
    !C:\Windows\explorer.exe>c:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
    !C:\Windows\System32\svchost.exe>c:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
     
  6. Deckard

    Deckard Registered Member

    Joined:
    Dec 13, 2016
    Posts:
    36
    Location:
    France
    That's how I saw things.
    I will continue in this way. Thanks mood !
     
  7. As a rule of thumb writing allow rules can be best done with full path. For block rules it does not matter when you use wildcards. When the block rule covers the allow rule than it is also okay to use wildcards.

    I installed Mozilla Firefox not into its default library, but into Mozilla. I did the same with Chromium. This makes rule writing easy For example when you write *\Internet Explorer\* it covers both the Program Files folder and the AppData folder of IE. This and saves kilobytes. My MemProtect ini is less than 1MB (without comments).

    Code:
    [LETHAL]
    [#LOGGING]
    [WHITELIST]
    [DEFAULTALLOW]
    # allow access to own folder
    !*\Microsoft Office???\*>*\Microsoft Office???\*
    !*\Windows Media Player\*>*\Windows Media Player\*
    !*\Chromium\*>*\Chromium\*
    !*\Mozilla\*>*\Mozilla\*
    !*\PDFCreator\*>*\PDFCreator\*
    # allow printing
    !C:\Program Files\*>*splwow64.exe
    !C:\Program Files\*>*SumatraPDF.exe
    [BLACKLIST]
    #cage installation folders
    *\Microsoft Office???\*>*
    *\Windows Media Player\*>*
    #cage program files and appdata folders
    *\Chromium\*>*
    *\Mozilla\*>*
    *\PDFCreator\*>*
    *SumatraPDF.exe>*
    [EOF]
    
     
    Last edited by a moderator: Jan 17, 2017
  8. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    308
    Location:
    router
    i like instead of process being suspended will be auto terminated
    that can be done by driver itself or sign in the rule like priority and silent sign
    of course i know it may cause system instability.but for me better to auto terminated
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    Running Mozilla Firefox as a Protected Process
    Protected Process-Light Memory Sandbox

    So far I have only tested this on Windows 10 64-bit systems. Windows 7 and others may require some additional rules for printing support from Firefox. If you have security software, you may have to add rules for the security software processes to access firefox.exe memory.


    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    #    [Protected Process - Firefox - Baseline]
    !*\Mozilla Firefox\*>*\Mozilla Firefox\*
    !C:\Windows\explorer.exe>*\Mozilla Firefox\*
    !C:\Windows\System32\*>*\Mozilla Firefox\*
    [BLACKLIST]
    #    [Protected Process - Firefox]
    *>*\Mozilla Firefox\firefox.exe
    *\Mozilla Firefox\firefox.exe>*
    *>*\Mozilla Firefox\plugin-container.exe
    *\Mozilla Firefox\plugin-container.exe>*
    [EOF]
    

    MemProtect.ini (Firefox Protected Process - Extra)
    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    #    [Protected Process - Firefox - Baseline]
    !*\Mozilla Firefox\*>*\Mozilla Firefox\*
    !C:\Windows\explorer.exe>*\Mozilla Firefox\*
    !C:\Windows\System32\*>*\Mozilla Firefox\*
    #    [Protected Process - Firefox - Additional]
    !*\Adguard\AdguardSvc.exe>*\Mozilla Firefox\*
    !C:\Windows\Temp\DPTF\esif_assist_64.exe>*\Mozilla Firefox\*
    !*\CCleaner\CCleaner*.exe>*\Mozilla Firefox\*
    !*\Mozilla Thunderbird\thunderbird.exe>*\Mozilla Firefox\*
    [BLACKLIST]
    #    [Silence Rules - Blocking Protected Process from accessing Explorer]
    $*firefox.exe>C:\Windows\explorer.exe
    #    [Protected Process - Firefox]
    *>*\Mozilla Firefox\firefox.exe
    *\Mozilla Firefox\firefox.exe>*
    *>*\Mozilla Firefox\plugin-container.exe
    *\Mozilla Firefox\plugin-container.exe>*
    [EOF]
    
     
  10. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Great post!

    Have you ever made that kind of protection on Edge?

    Thanks!
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @ExtremeGamerBR Here is an Edge preliminary config which is working well in my testing. You can always choose to be more specific by making the full path rules instead. e.g. C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe instead of MicrosoftEdge.exe

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    #    [Protected Process - Microsoft Edge]
    !C:\Windows\System32\*>*\MicrosoftEdge.exe
    !C:\Windows\System32\*>*\MicrosoftEdgeCP.exe
    !C:\Windows\explorer.exe>*\MicrosoftEdge.exe
    !C:\Windows\explorer.exe>*\MicrosoftEdgeCP.exe
    !*\MicrosoftEdge.exe>C:\Windows\System32\*
    !*\MicrosoftEdgeCP.exe>C:\Windows\System32\*
    !*\MicrosoftEdge.exe>*\MicrosoftEdgeCP.exe
    !*\MicrosoftEdgeCP.exe>*\MicrosoftEdge.exe
    !*\MicrosoftEdgeCP.exe>*\MicrosoftEdgeCP.exe
    [BLACKLIST]
    #    [Protected Process - Microsoft Edge]
    *>*\MicrosoftEdge.exe
    *>*\MicrosoftEdgeCP.exe
    *\MicrosoftEdge.exe*>
    *\MicrosoftEdgeCP.exe*>
    [EOF]
    

    EDIT: I just tightened up the whitelist section below:

    Code:
    [WHITELIST]
    #    [Protected Process - Microsoft Edge]
    !C:\Windows\System32\*>C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*
    !C:\Windows\explorer.exe>C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*
    !C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*>C:\Windows\System32\*
    !C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*>C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*
     
    Last edited: Apr 2, 2017
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,109
    To optimize it a little bit, a wildcard can be used: \MicrosoftEdge*.exe, so we can remove some rules and have room for more rules (2 KB limit) :)
     
  13. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Thank you guys! I will test here.
     
  14. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    Beside Edge protection: Does anybody knows how to general protect "ModernApps". As far as I understand they also gets protected by runtime sandobx (is this RuntimeBroker.exe?). For example the build in pdf-reader. how to protect this applications, or does it make no sense to put them on MemProtect list?
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    You could protect RuntimeBroker with MemProtect as well but I would be very careful and run [#LETHAL] non-lethal for a few days. RuntimeBroker along with all of the various modern apps are already well protected with individual AppContainer sandboxes. But if you want AppContainer sandbox protection + Protected Processes, here you go:

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    #    [Protected Process - RuntimeBroker]
    !C:\Windows\System32\RuntimeBroker.exe>C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    !C:\Windows\System32\RuntimeBroker.exe>C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    !C:\Windows\System32\RuntimeBroker.exe>*\WindowsApps\Microsoft.WindowsStore_?????.????.??.?_x??__8wekyb3d8bbwe\*
    !C:\Windows\System32\*>C:\Windows\System32\RuntimeBroker.exe
    !C:\Windows\System32\RuntimeBroker.exe>C:\Windows\System32\*
    !C:\Windows\System32\RuntimeBroker.exe>C:\Windows\explorer.exe
    !C:\Windows\explorer.exe>C:\Windows\System32\RuntimeBroker.exe
    #    [Protected Process - Microsoft Edge]
    !C:\Windows\System32\*>C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*
    !C:\Windows\explorer.exe>C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*
    !C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*>C:\Windows\System32\*
    !*\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*>*\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*
    [BLACKLIST]
    #   [RuntimeBroker]
    C:\Windows\System32\RuntimeBroker.exe>*
    *>C:\Windows\System32\RuntimeBroker.exe
    [EOF]
    


    If you use more modern apps then you will need to create similar rules to add more from the SystemApps and/or WindowsApps directories. Or you could create a wider whitelist rule to allow all modern apps such as:
    Code:
    !C:\Windows\System32\RuntimeBroker.exe>C:\Windows\SystemApps\*
    !C:\Windows\System32\RuntimeBroker.exe>C:\Program Files\WindowsApps\*
    

    Anyway, this setup above is working well on my system (Creators Update) through several reboots now and zero issues. I would still recommend going non-lethal for a day or so to make sure.

    EDIT: Added Microsoft.WindowsStore to ruleset and changed to ? wildcards for version number.
     
    Last edited: Apr 6, 2017
  16. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
  17. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    After a finally take Memprotect serious, this is my config:

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    #    [Chromium - Base Rules]
    !*chrome.exe>*chrome.exe
    !C:\Windows\explorer.exe>*chrome.exe
    !*chrome.exe>C:\Windows\explorer.exe
    !C:\Windows\System32\csrss.exe>*chrome.exe
    !C:\Windows\System32\svchost.exe>*chrome.exe
    !C:\Windows\System32\spoolsv.exe>*chrome.exe
    !C:\Windows\System32\sihost.exe>*chrome.exe
    !C:\Windows\System32\lsass.exe>*chrome.exe
    !C:\Windows\System32\audiodg.exe>*chrome.exe
    !C:\Windows\System32\wbem\WmiPrvSE.exe>*chrome.exe
    #    [Chromium - Security]
    !C:\Program Files\Windows Defender\MsMpEng.exe>*chrome.exe
    !*chrome.exe>*C:\Program Files\Windows Defender\MsMpEng.exe
    !C:\Windows\System32\smartscreen.exe>*chrome.exe
    #    [Chromium - Printing Support]
    !*chrome.exe>C:\Windows\System32\spool\drivers\*
    !*chrome.exe>C:\Windows\splwow64.exe
    !C:\Windows\splwow64.exe>*chrome.exe
    #    [Chromium - Additional Programs]
    !C:\Program Files\Process Lasso\ProcessLasso.exe>*chrome.exe
    !C:\Program Files\Process Lasso\ProcessGovernor.exe>*chrome.exe
    !C:\Windows\System32\Taskmgr.exe>*chrome.exe
    !D:\Programas\Process Explorer\Process Explorer.exe>*chrome.exe
    [BLACKLIST]
    #    [Block memory access to/from Chromium]
    $*\Steam\Steam.exe*>*chrome.exe
    $*\VMware Player\vmware-authd.exe>*chrome.exe
    *>*chrome.exe
    *chrome.exe>*
    [EOF]
    

    If anyone has any idea how to make this config more tight, let me know, please.

    The base rules I pratically copied from @WildByDesign in this post.

    I tested Edge with the settings of this post and everything worked fine too.

    Thanks guys!
     
  18. mWave

    mWave Guest

    Is this product just based on ObRegisterCallbacks?
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    I don't know because I am not a developer. But what I do know is that MemProtect (along with the other drivers) fully support writing kernel level events to viewed with DbgView or similar kernel debuggers. So that may show deeper into the kernel level functions used.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    I received some exciting news from Florian today regarding MemProtect. Similar to EMET's ASR feature in which you can block specific .DLL modules from loading into specific processes, I had strongly suggested to add .DLL filtering to MemProtect. Florian has got this figured out now from a development perspective. This will be kernel level memory protection allowing the blockage of individual .DLL modules from loading into specific processes.

    With modern exploits and specific bypasses utilizing built-in Windows binaries and injecting malicious .DLL modules, etc., this will be a much needed feature. Anyway, I should have an internal test version of MemProtect in a few weeks followed by public beta shortly after. Therefore this may still be a month or two away from reaching stable MemProtect release, but knowing the fact that Florian has figured this out from a development perspective is quite exciting.

    Protected Processes with granular .DLL module filtering/blocking control. :thumb:
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,238
    Location:
    USA
    I thought MemProtect already supported this. Will this stop remote code execution, or will this strengthen containment? I'm not sure I understand.
     
  22. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    Good questions.
    I thinks MemProtect currently blocks attempt to inject code from one executable (exploited one or malware) into other process. Example: browser was attacked then attacker (=his exploits code) tries to in most cases drop excutable (exe or DLL) and start it. Some exploits not just drop exe/dll and start, they inject code (or exe/dll) in other process. The last part of my sentence can already be blocked by MemProtect in my understanding. But it also often the case that attacker directly spawned another process or tries to load a dll into the attacked process itself. Example: browser was exploited and attacker tries do load a malicious dll into it doing more dirty stuff. Or attacker manages that other applications load dll, this not always appears to happen with code injection but also with direct loading like OS is loading dlls in processes. Arent there registry keys where you can define dlls which load into every new process automatically? Then a dll can be part of application although it is not intended to be by "nature" of a specific application.

    This sounds like you can create sets of dlls for a process and here limit what dll can load. Is this what you (@WildByDesign ) suggested to Florian? For most windows executbles this will not be so dynamic, so can one exactly define the amount of dlls loaded, for example, for word, firefox etc. But I dont have experience with this, can also be a hassle to define I thinks - needs some training... :eek:
     
  23. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,109
    You can block specific .dll's from being loaded in the address space of the protected process.
    It will strengthen it.
    With the current version of MemProtect it is not possible.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,238
    Location:
    USA
    That sounds like a time consuming headache having to whitelist all the .dlls that already run within the process, and there is the possibility of additional .dlls that could crop up at any time as the developer releases updates.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    Some interesting developments...
    Code:
    [LETHAL]
    [LOGGING]
    [MODULEFILTER]
    [WHITELIST]
    [BLACKLIST]
    [MODULEWHITELIST]
    [MODULEBLACKLIST]
    [EOF]
    
    So this is from a fully functional internal testing build. Hopefully if this internal testing goes well, this can reach Beta soon enough. But one thing that I have noticed so far with initial testing is that this upcoming version of MemProtect has some exciting potential for blocking (kernel level memory based) various .DLL injections and much more. :thumb:


    EDIT: Example logging based on blocking EMET shim/dll injection:
    Code:
    2017/06/04_18:41:47 > MODULE > C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe > C:\Windows\AppPatch\apppatch64\EMET64.dll
    
     
    Last edited: Jun 4, 2017