Smart Object Blocker (Block EXE, DLL, Drivers)

Discussion in 'other anti-malware software' started by novirusthanks, Jul 29, 2015.

  1. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    EASTER

    you still use ink pens? :D

    I thought that was only for old people that can't remember things anymore like me.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,545
    Location:
    U.S.A. (South)
    Yes, and just like in elementary school days am anxiously waiting to graduate up to Fountain Pens one day. :p
     
  3. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    87
    Both filesigner and processsigner, and also publishsigner, don't work anymore.
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    829
    Location:
    Italy
  5. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    87
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,431
    Try to remove the space between % and :
    Code:
    [%FILESIGNER%   : Beijing Funshion Online Technologies Ltd.]
    =>
    [%FILESIGNER%: Beijing Funshion Online Technologies Ltd.]
    
     
  7. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    87
    Thanks, it's my fault.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,545
    Location:
    U.S.A. (South)
    Any expected release projected for the new revised SOB yet?
     
  9. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,129
    Location:
    Europe then Asia
    Andreas wants to release the new ERP first, so the new SOB is paused.
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,431
    Smart Object Blocker v1.4 Released (21 May 2017)
    http://www.novirusthanks.org/products/smart-object-blocker/
     
  11. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,129
    Location:
    Europe then Asia
    Nice, a new tool to play with again; I waited for it. But still no GUI :D
     
    Last edited: May 22, 2017
  12. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    87
  13. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    87
    Latest SOB 1.4 slows down loading of Edge a lot.
     
  14. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    219
    Having a GUI isn't always necessary or even desirable. If a config file is intelligently laid out and well commented, editing it is fairly easy.

    Here's a (simple) example from a Linux firewall called FireHOL:
    Code:
    #
    # $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
    #
    # This configuration file will allow all requests originating from the
    # local machine to be send through all network interfaces.
    #
    # No requests are allowed to come from the network. The host will be
    # completely stealthed! It will not respond to anything, and it will
    # not be pingable, although it will be able to originate anything
    # (even pings to other hosts).
    #
    
    version 5
    
    # Accept all client traffic on any interface
    interface any world
        client all accept
    
    That's a very simple configuration, but a more complicated ruleset can be created without much difficulty.
     
  15. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,129
    Location:
    Europe then Asia
    A GUI isn't really needed, but it is way more convenient for implementing rules. I'm a busy man, I don't have time to waste typing hundreds of lines when it can be done in minutes via a GUI.
     
  16. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    219

    I like what you've done with this. Are you still using SOB and, if so, have you made any further refinements to your configuration?

    Phil
     
  17. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    35
    Pcalvert,
    Sorry, just seen your post. Basically no, I had a lot of problems with it on the Creators Update.
    Just going back to Simple Software Restriction Policy with Controlled Folder Access and some Exploit Guard protections.
    If you want, after I've tested these I'll give SOB another go!
     
  18. BlackBox Hacker

    BlackBox Hacker Registered Member

    Joined:
    Dec 18, 2017
    Posts:
    95
    Location:
    UK
    Very good point, but I would use a rule like this:
    Code:
    // Block loading of DLLs located on User Accounts
    [%FILE%: C:\Users\*]
    
    That should fix the security issues here, but what if the hacker creates the folder 'C:\User' path; would this still be a security problem? And I don't think you can block the whole drive, for example the 'C:\*' path? That would be very bad, because none of your DLL files would load into system memory! Well, at least it's some protection against cyber criminals. I also forgot that DLL exploits will load into memory using the path 'C:\Windows' as well.

    Log:
    Code:
    [12/01/2018 14:44:13] Blocked DLL: C:\Users\BlackBox\Desktop\poc.dll
    Rule: [%FILE%: C:\Users\*]
    ImageBase: 0x64DC0000
    EntryPoint: 0x64DC1000
    SizeOfImage: 0x8000
    Process: C:\Program Files\Google\Chrome\Application\chrome.exe
    Parent: C:\Program Files\Google\Chrome\Application\chrome.exe
    ProcessId: 340
    ThreadId: 2792
    
    
    [12/01/2018 14:44:23] Blocked DLL: C:\Users\BlackBox\Desktop\poc.dll
    Rule: [%FILE%: C:\Users\*]
    ImageBase: 0x64DC0000
    EntryPoint: 0x64DC1000
    SizeOfImage: 0x8000
    Process: C:\Program Files\Google\Chrome\Application\chrome.exe
    Parent: C:\Program Files\Google\Chrome\Application\chrome.exe
    ProcessId: 340
    ThreadId: 2456
    
    
    [12/01/2018 14:46:17] Blocked DLL: C:\Windows\System32\igfxpph.dll
    Rule: [%FILE%: C:\Windows\*]
    ImageBase: 0x3BB0000
    EntryPoint: 0x3BC5028
    SizeOfImage: 0x36000
    Process: C:\Windows\explorer.exe
    Parent:
    ProcessId: 1628
    ThreadId: 3740
    
    
    [12/01/2018 14:46:17] Blocked DLL: C:\Windows\System32\hccutils.dll
    Rule: [%FILE%: C:\Windows\*]
    ImageBase: 0x35D0000
    EntryPoint: 0x35D9A8F
    SizeOfImage: 0x1A000
    Process: C:\Windows\explorer.exe
    Parent:
    ProcessId: 1628
    ThreadId: 3740
    
    
    [12/01/2018 14:52:45] Blocked DLL: C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23721_none_5c052bcda00f9399\GdiPlus.dll
    Rule: [%FILE%: C:\Windows\*]
    ImageBase: 0x74060000
    EntryPoint: 0x740FD453
    SizeOfImage: 0x191000
    Process: C:\Windows\System32\consent.exe
    Parent: C:\Windows\System32\svchost.exe
    ProcessId: 2928
    ThreadId: 3864
    
    
    [12/01/2018 14:55:02] Blocked DLL: C:\Windows\WINDOWS\poc.dll
    Rule: [%FILE%: C:\Windows\*]
    ImageBase: 0x64DC0000
    EntryPoint: 0x64DC1000
    SizeOfImage: 0x8000
    Process: C:\Program Files\Google\Chrome\Application\chrome.exe
    Parent: C:\Program Files\Google\Chrome\Application\chrome.exe
    ProcessId: 340
    ThreadId: 452
    
    This is also blocking system folder drivers; is there any way to fix this?

    I don't need this part:
    Code:
    //Prevent commonly exploited processes from executing processes
    [%PARENTPROCESS%: *\javaw.exe]
    [%PARENTPROCESS%: *\iexplore.exe]
    [%PARENTPROCESS%: *\firefox.exe]
    [%PARENTPROCESS%: *\waterfox.exe]
    [%PARENTPROCESS%: *\opera.exe]
    [%PARENTPROCESS%: *\AcroRd32.exe]
    [%PARENTPROCESS%: *\plugin-container.exe]
    [%PARENTPROCESS%: *\chrome.exe]
    [%PARENTPROCESS%: *\MicrosoftEdge.exe]
    [%PARENTPROCESS%: *\MicrosoftEdgeCP.exe]
    [%PARENTPROCESS%: *\winword.exe]
    [%PARENTPROCESS%: *\excel.exe]
    [%PARENTPROCESS%: *\wmplayer.exe]
    [%PARENTPROCESS%: *\skype.exe]
    [%PARENTPROCESS%: *\safari.exe]
    
     
    Last edited: Jan 12, 2018
  19. BlackBox Hacker

    BlackBox Hacker Registered Member

    Joined:
    Dec 18, 2017
    Posts:
    95
    Location:
    UK
    (SOB) Smart Object Blocker hacked!

    Code:
    
                                              DLL Operation Report
                                                      produced by RemoteDLL
    
                   (For latest version visit http://SecurityXploded.com/remotedll.php)
    
    
     Username: BlackBox
    
    
     Detailed DLL Operation Report
     ***********************************************************************************
    
    
     Starting the 'Inject DLL' Operation...
         Process = Calc.exe
         Inject DLL = C:\poc.dll
         Injection Method = CreateRemoteThread
    
    
     Step 1 => Opening target process [3280 - Calc.exe] for DLL Injection
         Success
    
    
     Step 2 => Writing the DLL Path Name [C:\poc.dll] into target process
         Success
    
    
     Step 3 => [Defeat ASLR] Calculating the LoadLibrary function address on target process
         Successfully got the address of Kernel32.dll on target process
         Address of Kernel32.dll [Target Process] = 0x76470000
         Address of LoadLibrary [Target Process] = 0x764BDE85
    
    
     Step 4 => Injecting the DLL into target process using the method 'CreateRemoteThread'
         Waiting for Remote Thread to Terminate...
         Address of Injected DLL [C:\poc.dll] in target process = 0x64DC0000
    
    
     Successfully Injected the DLL into target process !!!
    
     ***********************************************************************************
    
    There is no way that you can block this attack. You can also inject into web browsers as well; this would bypass your firewall rules, nice! Try injecting into your ftp process as well?

    Code:
            DLL Operation Report
                                                      produced by RemoteDLL
    
                   (For latest version visit http://SecurityXploded.com/remotedll.php)
    
    
     Username: BlackBox
    
    
     Detailed DLL Operation Report
     ***********************************************************************************
    
    
     Starting the 'Inject DLL' Operation...
         Process = Ftp.exe
         Inject DLL = C:\poc.dll
         Injection Method = CreateRemoteThread
    
    
     Step 1 => Opening target process [2732 - Ftp.exe] for DLL Injection
         Success
    
    
     Step 2 => Writing the DLL Path Name [C:\poc.dll] into target process
         Success
    
    
     Step 3 => [Defeat ASLR] Calculating the LoadLibrary function address on target process
         Successfully got the address of Kernel32.dll on target process
         Address of Kernel32.dll [Target Process] = 0x76470000
         Address of LoadLibrary [Target Process] = 0x764BDE85
    
    
     Step 4 => Injecting the DLL into target process using the method 'CreateRemoteThread'
         Waiting for Remote Thread to Terminate...
         Address of Injected DLL [C:\poc.dll] in target process = 0x64DC0000
    
    
     Successfully Injected the DLL into target process !!!
    
     ***********************************************************************************
    
     
    Last edited: Jan 12, 2018
  20. BlackBox Hacker

    BlackBox Hacker Registered Member

    Joined:
    Dec 18, 2017
    Posts:
    95
    Location:
    UK
    Last logs; now this security is not for me!

    Code:
    
                                              DLL Operation Report
                                                      produced by RemoteDLL
    
                   (For latest version visit http://SecurityXploded.com/remotedll.php)
    
    
     Username: BlackBox
    
    
     Detailed DLL Operation Report
     ***********************************************************************************
    
    
     Starting the 'Inject DLL' Operation...
         Process = Chrome.exe
         Inject DLL = C:\poc.dll
         Injection Method = CreateRemoteThread
    
    
     Step 1 => Opening target process [3384 - Chrome.exe] for DLL Injection
         Success
    
    
     Step 2 => Writing the DLL Path Name [C:\poc.dll] into target process
         Success
    
    
     Step 3 => [Defeat ASLR] Calculating the LoadLibrary function address on target process
         Successfully got the address of Kernel32.dll on target process
         Address of Kernel32.dll [Target Process] = 0x76470000
         Address of LoadLibrary [Target Process] = 0x764BDE85
    
    
     Step 4 => Injecting the DLL into target process using the method 'CreateRemoteThread'
         Waiting for Remote Thread to Terminate...
         Address of Injected DLL [C:\poc.dll] in target process = 0x64DC0000
    
    
     Successfully Injected the DLL into target process !!!
    
     ***********************************************************************************
    
    
    
     DLL Operation Report
                                                      produced by RemoteDLL
    
                   (For latest version visit http://SecurityXploded.com/remotedll.php)
    
    
     Username: BlackBox
    
    
     Detailed DLL Operation Report
     ***********************************************************************************
    
    
     Starting the 'Inject DLL' Operation...
         Process = Chrome.exe
         Inject DLL = C:\Windows\poc.dll
         Injection Method = CreateRemoteThread
    
    
     Step 1 => Opening target process [2468 - Chrome.exe] for DLL Injection
         Success
    
    
     Step 2 => Writing the DLL Path Name [C:\Windows\poc.dll] into target process
         Success
    
    
     Step 3 => [Defeat ASLR] Calculating the LoadLibrary function address on target process
         Successfully got the address of Kernel32.dll on target process
         Address of Kernel32.dll [Target Process] = 0x76470000
         Address of LoadLibrary [Target Process] = 0x764BDE85
    
    
     Step 4 => Injecting the DLL into target process using the method 'CreateRemoteThread'
         Waiting for Remote Thread to Terminate...
         Address of Injected DLL [C:\Windows\poc.dll] in target process = 0x64DC0000
    
    
     Successfully Injected the DLL into target process !!!
    
     ***********************************************************************************
    
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,431
    First, your program (RemoteDLL) must be executed, and how will it reach the system?
    The user is visiting a malicious website, RemoteDLL is being downloaded and it will be executed?
    With proper rules the browser or other vulnerable applications (it depends on the configuration) can be prevented from executing any files (for example with [%PARENTPROCESS%]).
    And in Lockdown any unknown file/DLL/driver will be blocked from executing.

    SOB isn't monitoring the memory of processes, and it is not an anti-exploit.
    SOB monitors all processes, DLLs and drivers loaded in the system.

    Normally files are dropped into the directory of the user or to \AppData\*.
    Now, after switching to Lockdown (unknown files/DLLs/drivers are blocked) and proper %PARENTPROCESS% rules, dropped files are most likely blocked.
    Files might be dropped to C:\Windows\, but administrator privileges are needed.
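    The rule syntax from post #6, the path rules and log records from post #18, and the %PARENTPROCESS% argument in the post above all come down to how a bracketed rule is matched against a load event. The script below is an added example written for this thread, not SOB's own code. It assumes a rule is "[%VAR%: pattern]" with '*' as the only wildcard and the colon directly after the closing '%', that every rule is a block rule, that matching is case-insensitive like NTFS paths, and that %PARENTPROCESS% applies to process starts rather than to DLL loads. The two log records are copied from post #18; the events for C:\User\poc.dll, C:\poc.dll (the path RemoteDLL injected in post #19) and a hypothetical C:\Tools\RemoteDLL.exe launched by chrome.exe are constructed.

```python
"""
Toy evaluator for Smart Object Blocker style rules (added example, not
SOB's code).  It parses the bracketed rule lines quoted in this thread,
re-plays two "Blocked DLL" records from SOB's log, and answers two
questions raised above: does "C:\Users\*" cover "C:\User\", and would a
%PARENTPROCESS% rule stop an injector launched from the browser?
"""
import fnmatch
import re
from typing import Dict, List, Optional

# ASSUMPTION about SOB's syntax: "[%VAR%: pattern]" with '*' as the only
# wildcard and the colon directly after the closing '%' (post #6); "//"
# starts a comment; every rule is a block rule.
RULE_RE = re.compile(r"^\[%([A-Z]+)%:\s*(.+?)\s*\]$")
LOG_HEAD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Blocked DLL: (?P<file>.+)$")


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Parse rule lines; lines that do not fit the syntax are kept as errors."""
    rules: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"var": m.group(1), "pattern": m.group(2), "raw": line})
        else:
            rules.append({"error": line})
    return rules


def glob_match(pattern: str, value: str) -> bool:
    """Case-insensitive glob: NTFS paths are case-insensitive (assumed for SOB too)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def first_blocking_rule(event: Dict[str, str], rules: List[Dict[str, str]]) -> Optional[str]:
    """Return the first rule whose variable the event carries and whose pattern matches, else None."""
    for r in rules:
        if "error" in r:
            continue
        value = event.get(r["var"])
        if value is not None and glob_match(r["pattern"], value):
            return r["raw"]
    return None


def parse_sob_log(text: str) -> List[Dict[str, str]]:
    """Turn SOB's multi-line 'Blocked DLL' records into event dicts (FILE, PROCESS, logged_rule)."""
    events: List[Dict[str, str]] = []
    cur: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOG_HEAD_RE.match(line)
        if m:
            cur = {"kind": "dll", "FILE": m.group("file")}
            events.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            if key.strip() == "Rule":
                cur["logged_rule"] = val.strip()
            elif key.strip() == "Process":
                cur["PROCESS"] = val.strip()
    return events


RULES = r"""
// Block loading of DLLs located on User Accounts
[%FILE%: C:\Users\*]
[%FILE%: C:\Windows\*]
// Prevent commonly exploited processes from executing processes
[%PARENTPROCESS%: *\chrome.exe]
// Malformed on purpose: the space before ':' breaks the syntax (post #6)
[%FILESIGNER%   : Beijing Funshion Online Technologies Ltd.]
"""

# Two records copied from the log in post #18 (constructed sample input).
SAMPLE_LOG = r"""[12/01/2018 14:44:13] Blocked DLL: C:\Users\BlackBox\Desktop\poc.dll
Rule: [%FILE%: C:\Users\*]
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent: C:\Program Files\Google\Chrome\Application\chrome.exe
ProcessId: 340

[12/01/2018 14:46:17] Blocked DLL: C:\Windows\System32\igfxpph.dll
Rule: [%FILE%: C:\Windows\*]
Process: C:\Windows\explorer.exe
Parent:
ProcessId: 1628
"""

# Hypothetical events: BlackBox's "C:\User" question, the C:\poc.dll path
# RemoteDLL injected in post #19, and an injector started by the browser.
# A DLL-load event carries FILE/PROCESS; a process-start event carries
# FILE/PARENTPROCESS (assumption: %PARENTPROCESS% applies to process starts).
EXTRA_EVENTS = [
    {"kind": "dll", "FILE": r"C:\User\poc.dll", "PROCESS": r"C:\Windows\System32\calc.exe"},
    {"kind": "dll", "FILE": r"C:\poc.dll", "PROCESS": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"kind": "process", "FILE": r"C:\Tools\RemoteDLL.exe",
     "PARENTPROCESS": r"C:\Program Files\Google\Chrome\Application\Chrome.exe"},
]


def run_check() -> Dict[str, object]:
    """Evaluate the rules against the log records and the extra events."""
    rules = parse_rules(RULES)
    result: Dict[str, object] = {
        "malformed": [r["error"] for r in rules if "error" in r],
        # does our evaluator pick the same rule SOB wrote into its log?
        "log_agrees": all(first_blocking_rule(e, rules) == e["logged_rule"]
                          for e in parse_sob_log(SAMPLE_LOG)),
    }
    for e in EXTRA_EVENTS:
        result[e["FILE"]] = first_blocking_rule(e, rules)
    return result


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")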
     
  22. BlackBox Hacker

    BlackBox Hacker Registered Member

    Joined:
    Dec 18, 2017
    Posts:
    95
    Location:
    UK
    Yes, I have all kinds of UAC exploits for all versions of Windows; this also includes Linux as well!

    Link:~ Removed VirusTotal Results as per Policy ~

    Download link: https://blackboxhcker.blogspot.co.uk/2017/06/bypassuac-hacking-tool-new-malware-zer0.html :)

    If you like SOB, use it; don't let me explain any more about this, it's pointless really. The facts are there in the logs, and my own mind is already made up, and so is yours.
     
    Last edited by a moderator: Jan 12, 2018