Sandboxie 3.76 & Malwarebytes Anti-Exploit

Discussion in 'sandboxing & virtualization' started by syrinx, Aug 6, 2014.

Thread Status:
Not open for further replies.
  1. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    Ever since Malwarebytes Anti-Exploit (MBAE) was in beta I was always curious to try it. However according to all reports it was incompatible with sandboxie. The threads on the sandboxie forum beta section say that one of the next 4.x revisions will support it. The thing is I'm stuck on 3.76 due to a few issues in the 4.x line that still haven't been resolved and rather than run the affected apps unsandboxed, I've stuck with the older version.

    When I finally did test MBAE myself I quickly uninstalled it as the dll was not getting injected into the sandboxed apps, many of which also happen to be the ones I want protected with MBAE. Yesterday I took another look at it and tried to do some troubleshooting of my own hoping that 3.76 might play more nicely with MBAE than the 4.x line and not require any changes to the code/exe.

    My first attempt seemed promising but quickly proved to be a failure. (this can be found on the SBIE forum :p)
    Today I took another look at it and came up with a much more extensive template. The only hitch I ran into was that an addon I use for sandboxie, "sandboxie extra", does seem to cause issues with MBAE and certain applications. Removing that from the equation fixed my issues and thus far has been rock solid.

    While I'm sure some extra tweaking will be on its way as I explore it more or add different apps to MBAE and sandboxie I thought other 3.76 users may want to try it as well. So far my tests have been limited to Sandboxie 3.76 on Windows 7 32bit.
    _____________________________________________________________________________________
    [Template_MBAE]

    Tmpl.Title=MBAE
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
    ______________________________________________________________________________________
    That block can be pasted into the sandboxie.ini and, after reloading the configuration file, activated by running the Software Compatibility option under the configure menu assuming MBAE is already installed.

    The dll can now be injected and (hopefully) do its job.

    I ran the MBAE exploit test in the sandbox and got an alert that it was blocked. It seems to be functioning but I sure could use more input from fellow 3.76 users who may want to use MBAE for 3.x sandboxed apps.
     
  2. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Thanks for this info., as I'll likely be trying to run SBIE v3.76 along with MBAE too in the future. I'm waiting for it to mature a bit still, but maybe I'll have something to add later, and hopefully others will too. I'm on XP Pro SP3 though so my info. may not be relevant.
     
  3. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    Neat idea if compatibility can be achieved without punching holes in Sandboxie. Just about had it with EMET at the moment and I wouldn't mind paying for a paid version of anti-exploit that protects more than the browser. Just can't figure out if I would actually put it to use. I don't use adobe reader (using built-in PDF reader in browser), adobe flash player (except when HTML5 isn't supported), or any of the other crapware: Silverlight, QuickTime, Windows Media Player, Real-time, etc.
     
  4. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    Posting a few updates I made elsewhere over the few days.

    update:
    Been using this setup for over a day now so I figured I'd post a small update. I managed to get the sbiextra addon aka "Block Process Access" sort of working with it again. I found that it was the NtOpenProcess blocking that was causing the crashes with MBAE enabled. The rest seem to be working fine, so I feel slightly better though I intend to look into this more when I have lots of free time.

    Even without the addon I randomly encounter a crash but it is a rare occurrence and I haven't yet caught it with the Resource Access Manager to see what may be different to add a rule for (if anything). This crash is not the actual app but appears to be the mbae.dll itself which then closes the app after pressing ok. This can occur at launch or exit of the sandboxed/MBAE protected app. Has yet to occur for me in mid-use.

    update2:
    A day later and I switched to the experimental build of MBAE. Good news is I haven't experienced a single crash on launch since. One crash on exit so far but it certainly reinforces my theory that it was MBAE and not a conflict with 3.76 sandboxie.

    update3:
    A few days later...
    I decided to revert one of my rules to an earlier state as the one posted above was just 'too' broad for my tastes. This is effectively the same exact stuff with one minor difference in the named buffer and another in the title. Still no conflicts found, or changes required, for functionality with MBAE. (Using MBAE experimental version 1.04.1.1007) No crashes since (except for) the first day of using it (beta version that is), even on exit!

    Code:
    [Template_Malwarebytes Anti-Exploit]
    
    Tmpl.Title=Malwarebytes Anti-Exploit
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*mAH*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*mix*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*mAH*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
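
As an added example (not code from the thread or from Sandboxie/Malwarebytes), a small Python helper that parses a Sandboxie [Template_*] block and compares the first NamedBuffer rule against the narrower one from update3. It assumes a simplified Sandboxie matcher (`*` as the only wildcard, case-insensitive) and uses constructed object names, so it shows why the original rule was "too broad" without relying on real MBAE internals.

```python
import re
from typing import Dict, List

def parse_template(ini_text: str) -> Dict[str, List[str]]:
    """Parse one [Template_*] block into its settings, keeping repeated keys as lists."""
    settings: Dict[str, List[str]] = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def ipc_pattern_matches(pattern: str, object_name: str) -> bool:
    """Simplified Sandboxie-style match (assumption): '*' is the only wildcard,
    and object names compare case-insensitively over the full name."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, object_name, re.IGNORECASE) is not None

def audit_ipc_rules(ini_text: str, object_names: List[str]) -> Dict[str, List[str]]:
    """Map each OpenIpcPath rule of a template to the object names it would open."""
    rules = parse_template(ini_text).get("OpenIpcPath", [])
    return {rule: [n for n in object_names if ipc_pattern_matches(rule, n)]
            for rule in rules}

def rule_is_overly_broad(rule: str, expected: List[str], unrelated: List[str]) -> bool:
    """A rule is too broad when it opens every expected object AND at least one
    object from an unrelated product (i.e. it punches a wider hole than needed)."""
    return (all(ipc_pattern_matches(rule, n) for n in expected)
            and any(ipc_pattern_matches(rule, n) for n in unrelated))

# Constructed sample object names: one MBAE-looking buffer, one from an unrelated product.
MBAE_LIKE_OBJECT = r"\Sessions\1\BaseNamedObjects\NamedBuffer_mAH_Process_API_1234"
UNRELATED_OBJECT = r"\Sessions\1\BaseNamedObjects\NamedBuffer_Other_Process_API_5678"

BROAD_RULE = r"*\BaseNamedObjects*\NamedBuffer*Process*API*"       # first template posted
NARROW_RULE = r"*\BaseNamedObjects*\NamedBuffer*mAH*Process*API*"  # rule from update3

if __name__ == "__main__":
    for rule in (BROAD_RULE, NARROW_RULE):
        broad = rule_is_overly_broad(rule, [MBAE_LIKE_OBJECT], [UNRELATED_OBJECT])
        print(f"{rule}\n  overly broad: {broad}")
```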
    
     