I just checked it. They're using the same lousy kprocesshacker.sys. I happen to use Process Hacker because it offers a more convenient networking infos than Process Explorer - which buries the networking infos on a tab buried in a sub-GUI.
Shmu26 Config in 2018
- Thread starter shmu26
- Start date
I just checked it. They're using the same lousy kprocesshacker.sys. I happen to use Process Hacker because it offers a more convenient networking infos than Process Explorer - which buries the networking infos on a tab buried in a sub-GUI.
I don't think it has been, or at-least I haven't heard of it being patched.
The technique works by getting the VirtualBox driver to patch a flag in a module named CI.dll which is a module used by NTOSKRNL. This specific flag used in this module is used by the Windows Kernel to determine if driver signature enforcement is enabled or not, so if you patch the flag... Then you can do whatever you want. On some systems and in some situations, it can cause a BSOD, but to reduce this you can re-patch the flag after getting your unsigned "driver-less" driver loaded and then no one would even know something had gone wrong to identify the patch change.
The VirtualBox driver is exploited because it can access and patch the memory for this. Other drivers out there somewhere will be exploitable to do the same task as well.
It's really ridiculous if they have not patched their driver to stop this. It's just stupid.
Microsoft are being way to lenient with vendors of kernel-mode software, I think they should just start chucking around a ban hammer and lock down rules basically saying, "Patch your insecurities or get lost".
Microsoft has known about this matter for nearly as long as it has existed. Drivers are Microsoft's domain. And that makes Kernel matters and security wholly Microsoft's responsibility. That's all there is to it. I know there are those that would debate me to death on my position, but given Microsoft policies and programs they are the Kernel Police. So Microsoft is responsible to intercede and I will leave it at that.
We're hijacking @shmu26 's config thread.
- Jul 3, 2015
- 8,153
Keep on talkin' it doesn't bother me in the least.
- Mar 13, 2016
- 1,298
I am on holiday, will answer second week of April.
- Jul 3, 2015
- 8,153
Trying out new config:
Windows Defender
Andy Ful Hard_Configurator with SRP
Andy Ful ConfigureDefender
Excubits MemProtect (demo)
Excubits Pumpernickel (demo)
The default/deny SRP policy blocks also a list of vulnerable processes, and dll protection is enabled.
The excubits tools are configured to lock down exploitable apps, such as MS Office and Chrome.
Windows Defender
Andy Ful Hard_Configurator with SRP
Andy Ful ConfigureDefender
Excubits MemProtect (demo)
Excubits Pumpernickel (demo)
The default/deny SRP policy blocks also a list of vulnerable processes, and dll protection is enabled.
The excubits tools are configured to lock down exploitable apps, such as MS Office and Chrome.
- Dec 23, 2014
- 8,513
I am impressed.
The DLL protection is demanding and not convenient for most users.
Can you print from MS Office? Are there any side effects of locking MS Office via Excubits drivers?
The DLL protection is demanding and not convenient for most users.
Can you print from MS Office? Are there any side effects of locking MS Office via Excubits drivers?
- Jul 3, 2015
- 8,153
I don't have any problem with dll protection. I whitelisted three or four appdata and programdata folders using *.dll, for the folders used by my specific apps, and that's it. It does not slow down my apps.I am impressed.
The DLL protection is demanding and not convenient for most users.
Can you print from MS Office? Are there any side effects of locking MS Office via Excubits drivers?
MS Office with Excubits allows regular printing (I have HP officejet), but I can't print to fax unless I whitelist rundll32. That's how how my printer driver works.
I can even use the email command in Word, and email message opens in Outlook. But in fact, I use Outlook only for the calendar, not for email.
There may be some advanced functions that don't work, I can only say about the functions I use regularly.
This is my memprotect demo config. Some items are not relevant to my current config. I whitelisted Outlook because it has no email account associated with it, I use it only for the calendar.
[#INSTALLMODE]
[LETHAL]
[LOGGING]
[#INSTALLMODE]
[DEFAULTALLOW]
[MODULEFILTER]
[WHITELIST]
!*software_reporter_tool.exe>*
!*chrome*>*chrome*
!*chrome.exe>C:\*\System32\rundll32.exe
!*OUTLOOK.EXE>*
!*Office1?\*>*Office1?\*
!*Office1?\*>*MsMpEng.exe
!*chrome*>*MsMpEng.exe
!*TogglDesktop.exe>*TogglDesktop\*
!*tixati.exe>*tixati\*
!*tixati.exe>*Downloads\*
!*WinSCP.exe>*WinSCP\*
!*WinSCP.exe>*Desktop\*
!*MsMpEng.exe>*
!*AppGuard\*>*
!*Blue Ridge Networks\*>*
[BLACKLIST]
$*Chrome\*>*
$*Office1?\*>*
$*TogglDesktop.exe>*
$*\tixati.exe>*
$*WinSCP.exe>*
[MODULEWHITELIST]
*>*
[MODULEBLACKLIST]
*EXCEL.EXE>*flash*.ocx
*EXCEL.EXE>*packager.dll
*EXCEL.EXE>*vbs.dll
*WINWORD.EXE>*flash*.ocx
*WINWORD.EXE>*packager.dll
*WINWORD.EXE>*vbs.dll
*>*system.management.automation.dll
*>*LxssManager.dll
[EOF]
- Dec 23, 2014
- 8,513
This entry will not work. The above is .NET DLL, and such DLLs are not covered by Excubits drivers (also ignored by SRP) . You can easily test it by running powershell.exe .
When system.management.automation.dll is blocked then powershell.exe cannot be executed.
- Apr 1, 2017
- 1,782
You can do the same with Eset hips(or other tools)t!why did you pay for this tool?if tis smth like a DLP system you can do it with any hips!or even windows inbuild stuff.
- Feb 24, 2017
- 1,661
- Dec 23, 2014
- 8,513
He uses a functional demo version that protects only a few entries.
- Jul 3, 2015
- 8,153
They are right, I use the free demo version.
With a different tool, it is not so easy to configure it like I did.
I have different exploitable apps set up with different rules, depending on what areas they need to read and write to.
For instance, Word needs read/write access to my Dropbox folder, because that is where my docs are. But Chrome does not need this access.
- Jul 3, 2015
- 8,153
Thanks. I didn't know that. So here is a case where Appguard has an advantage. And OSArmor has protection for it, too.
Any other way you know to block a dll like this?
Last edited:
- Dec 23, 2014
- 8,513
I think, that OSArmor in actual version is not prepared to block custom DLLs (by name or path). I suggested this feature to Andreas some time ago and he answered that it is possible. Maybe he will add this in the future. The problem with .NET DLLs is that they are compiled on the fly as opposed to the normal DLLs which are already compiled.
I do not know if there is a free application that can block .NET DLLs.
Last edited:
- Jul 3, 2015
- 8,153
Right, but over at Wilders, me and Peter kept bugging Andreas about it, until he wrote a specific rule for arguments containing system.management.automation.dll. Actually, I am not sure exactly how he did it, but he says he did it.
NoVirusThanks OSArmor: An Additional Layer of Defense
NoVirusThanks OSArmor: An Additional Layer of Defense
But in general, it does not block dlls.
- Jul 3, 2015
- 8,153
I brought up your point over at Wilders, and they claim that memprotect can block .NET DLLs. Someone posted me a screenshot from Process Hacker, to demonstrate that it was blocked. MemProtect - Support & Discussion
- Dec 23, 2014
- 8,513
It does not work. I ticked all options in OSArmor except 'Block execution of unsigned processes on user space'. Next, I copied powershell.exe to another location and renamed it, then I was able to execute renamed executable.
Last edited:
- Dec 23, 2014
- 8,513
I added your DLL rule to MemProtect MODULEBLACKLIST and still could run powershell.exe. When I added powershell.exe to the BLACKLIST, it was blocked.
Similar threads
