Hard_Configurator - Windows Hardening Configurator

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,168
DDE_Server said:
Hi @Andy Ful
i want to know if there are away to export the rules you writes as white listed for firewall hardening to some readable format Text or html format
i am carious about these rules :):)
Click to expand...
Not in H_C. But, you can export the SRP Registry key:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
 
  • Like
  • +Reputation
Reactions: shmu26, Protomartyr, Gandalf_The_Grey and 1 other person
DDE_Server

DDE_Server

Level 22
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
Andy Ful said:
Not in H_C. But, you can export the SRP Registry key:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
Click to expand...
So there is no method to export it in readable format
I want to know the rules (basic windows functionality process and required ports you allowed when you hardcoded these rules however thatnks for your reply
You created the rules by experience or have some documentation about these process 🤔🤔😃😃?? I know that the question in the know how however I am interested
 
  • Like
Reactions: shmu26, Protomartyr, Gandalf_The_Grey and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,168
security123 said:
I mean the internal PDF feature, not external plugins. In Firefox that was isolated, so i guess it's in Chromium-Edge too and even better?
Click to expand...
This internal feature can be exploited similarly to a plugin. The PDF document opened by Edge can exploit the Edge process and Edge has access to the Internet.
If you will open the PDF document in PDF Reader (AppContainer), then exploiting the app is far less probable and you can block the Internet access.
 
Last edited:
  • Like
  • +Reputation
Reactions: simmerskool, Protomartyr, ForgottenSeer 85179 and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,168
DDE_Server said:
So there is no method to export it in readable format
Click to expand...
On the contrary, it is very readable just like any txt file.
[/QUOTE]
...
You created the rules by experience or have some documentation about these process 🤔🤔😃😃??
[/QUOTE]
Both. You can read examples of using SRP rules in H_C documentation:
github.com

Hard_Configurator/Documentation/Part 3 - How do Software Restriction Policies work.pdf at master · AndyFul/Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator
github.com github.com
 
  • Like
Reactions: simmerskool, shmu26, Protomartyr and 4 others
DDE_Server

DDE_Server

Level 22
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
Andy Ful said:
On the contrary, it is very readable just like any txt file.
Click to expand...
...
You created the rules by experience or have some documentation about these process 🤔🤔😃😃??
[/QUOTE]
Both. You can read examples of using SRP rules in H_C documentation:
github.com

Hard_Configurator/Documentation/Part 3 - How do Software Restriction Policies work.pdf at master · AndyFul/Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator
github.com github.com
[/QUOTE]
Thanks a lot @Andy Ful for your patient to reply my questions i just love to learn. i am learning web development through udemy (hope i complete the whole course)
also is it opensource ?? in which language you wrote it :) :) ?
 
  • Like
Reactions: shmu26, Gandalf_The_Grey and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,168
DDE_Server said:
...
in which language you wrote it :) :) ?
Click to expand...
A few years ago H_C was intended to be a simple working GUI, so I chose AutoIt to build it. If I would know that H_C will become as complex as today, then I would choose another language.
But, in this way, I learned AutoIt which was completely new to me.:)
 
  • Like
Reactions: simmerskool, shmu26, Protomartyr and 2 others
DDE_Server

DDE_Server

Level 22
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
Andy Ful said:
A few years ago H_C was intended to be a simple working GUI, so I chose AutoIt to build it. If I would know that H_C will become as complex as today, then I would choose another language.
But, in this way, I learned AutoIt which was completely new to me.:)
Click to expand...
that the main requirement of any developer to be adaptable to learning never stuck for certain language or framework
my dream to work as a developer however i want to participate with a team
i learned many language and stuck at OOP as i lose motivation i want to build projects with a team and push code and learn version control system
i learned python C,C++ but stuck at the same point
i want to create a tool has good output. i plan to learn algorithm but it will require time. i chose web development to has an output help me step ahead
however this is difficult as i do that beside my main job (Electrical engineer)
 
  • Like
Reactions: Andy Ful and Gandalf_The_Grey
ErzCrz

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,025
Andy Ful said:
This internal feature can be exploited similarly to a plugin. The PDF document opened by Edge can exploit the Edge process and Edge has access to the Internet.
If you will open the PDF document in PDF Reader (AppContainer), then exploiting the app is far less probable and you can block the Internet access.
Click to expand...

Thanks for this. Downloaded Adobe Acrobat DC Reader. Though tempted by Foxit as well.
 
Sampei Nihira

Sampei Nihira

Level 6
Verified
Well-known
Dec 26, 2019
287
Andy Ful said:
This internal feature can be exploited similarly to a plugin. The PDF document opened by Edge can exploit the Edge process and Edge has access to the Internet.
If you will open the PDF document in PDF Reader (AppContainer), then exploiting the app is far less probable and you can block the Internet access.
Click to expand...

If the malicious PDF opens the browser, it still gets internet access.
Two old analyzes of Didier Stevens regarding PDFs:

blog.didierstevens.com

PDF, Let Me Count the Ways…

In this post, I show how basic features of the PDF language can be used to generate polymorphic variants of (malicious) PDF documents. If you code a PDF parser, write signatures (AV, IDS, …) …
blog.didierstevens.com blog.didierstevens.com

blog.didierstevens.com

Quickpost: /JBIG2Decode Trigger Trio

Sometimes a piece of malware can execute without even opening the file. As this is the case with the /JBIG2Decode vulnerability in PDF documents, I took the time to produce a short video showing 3 …
blog.didierstevens.com blog.didierstevens.com

Although the Shell Extensions problem will be obsolete today I have to admit that it has stayed with me.
I think it is interesting for young MT users to read.;)

Good night my friend.
 
  • Like
Reactions: Andy Ful, Protomartyr and DDE_Server
F

ForgottenSeer 85179

Sampei Nihira said:
If the malicious PDF opens the browser, it still gets internet access.
Two old analyzes of Didier Stevens regarding PDFs:

blog.didierstevens.com

PDF, Let Me Count the Ways…

In this post, I show how basic features of the PDF language can be used to generate polymorphic variants of (malicious) PDF documents. If you code a PDF parser, write signatures (AV, IDS, …) …
blog.didierstevens.com blog.didierstevens.com

blog.didierstevens.com

Quickpost: /JBIG2Decode Trigger Trio

Sometimes a piece of malware can execute without even opening the file. As this is the case with the /JBIG2Decode vulnerability in PDF documents, I took the time to produce a short video showing 3 …
blog.didierstevens.com blog.didierstevens.com

Although the Shell Extensions problem will be obsolete today I have to admit that it has stayed with me.
I think it is interesting for young MT users to read.;)

Good night my friend.
Click to expand...
These posts are from 2008/ 2009.
Don't think that this work nowadays with restrictions like AppContainer
 
  • Like
Reactions: Protomartyr and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,168
Sampei Nihira said:
If the malicious PDF opens the browser, it still gets internet access.
...
Click to expand...
If the malicious PDF can exploit the reader and run something, then there are several ways to get Internet access. You do not need the web browser for that.
If one does not want to open URLs embedded in the document and the Reader does not alert opening the URLs, then Exploit Protection can be used to block child processes.
 
Last edited:
  • Like
Reactions: simmerskool, harlan4096, ForgottenSeer 85179 and 1 other person
DDE_Server

DDE_Server

Level 22
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
Andy Ful said:
If the malicious PDF can exploit the reader and run something, then there are several ways to get Internet access. You do not need the web browser for that.
Click to expand...

it could abuse legit process for example one of the reader services which request internet access for example update services or crashing reporting services
 
  • Like
Reactions: Protomartyr and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,168
DDE_Server said:
it could abuse legit process for example one of the reader services which request internet access for example update services or crashing reporting services
Click to expand...
This is possible but would require high privileges. It is much easier to use a simple script to download/execute something malicious with standard rights. Obtaining high privileges by an exploit is not so common.
 
  • Like
Reactions: simmerskool, harlan4096, Protomartyr and 2 others
DDE_Server

DDE_Server

Level 22
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
Andy Ful said:
This is possible but would require high privileges. It is much easier to use a simple script to download/execute something malicious with standard rights. Obtaining high privileges by an exploit is not so common.
Click to expand...
but if the abused process has administrative privilege woud not that be possible ? almost all software require administrative right during installation and this give their services the same rights (which include firewall modifying rules ) ??
 
  • Like
Reactions: Protomartyr and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,168
DDE_Server said:
but if the abused process has administrative privilege woud not that be possible ? almost all software require administrative right during installation and this give their services the same rights (which include firewall modifying rules ) ??
Click to expand...
Usually, the exploit can run something with standard privileges. The process running with standard privileges cannot abuse something running with high privileges, except when another exploit is used to elevate the malicious process. Abusing the services is often used to hide the malicious process which already could do malicious actions.
 
  • Like
  • Thanks
  • +Reputation
Reactions: ForgottenSeer 85179, Protomartyr, oldschool and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,168
ErzCrz said:
Thanks for this. Downloaded Adobe Acrobat DC Reader. Though tempted by Foxit as well.
Click to expand...
I am not sure if Adobe Reader DC (it is not the UWP app in AppContainer) can be safer than Foxit Reader. The first has the Attack Surface much bigger even if you use the AppContainer setting for Adobe Reader DC. Did you try Foxit MobilePDF?
 
  • Like
  • +Reputation
Reactions: ForgottenSeer 85179, Protomartyr, oldschool and 2 others

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
257
Views
18,196
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
22,320
Hard_Configurator Tools
South Park
South Park
SpyNetGirl
    • Like
    • Applause
    • Thanks
Serious Discussion Why do you use obsolete security technologies such as SRP?
Replies
7
Views
535
General Security Discussions
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top