Full list of exploit mitigations


regenpijp

Dear Malwarebytes,

 

I was wondering if you could provide a full list of exploit mitigations that MBAE employs in order to stop certain types of attacks.

Currently I'm not able to fully compare MBAE with EMET. (Ease of use is not an issue)

 

For more IT involved people the list provided at: https://forums.malwarebytes.org/index.php?/topic/136424-frequently-asked-questions/?p=846361 might be a bit short.

 

I hope it's possible to answer this question.

 

Best regards,

Regenpijp


  • 1 month later...

In the past month I did some research on the exploit mitigations present in Malwarebytes Anti-Exploit based on behavior and log analysis. Below you will find a list of my findings.

NB: It is very likely that this list is incomplete due to undocumented mitigations.

 

Generic mitigations:

 

- DEP / ASLR

        Ensures that OS mitigations are enabled on protected processes.

 

- Stack pivot mitigation

        Triggers when a critical function (like VirtualProtect) is being called from an address outside of the current stack boundaries. This address could have been pivoted into ESP to create a fake stack.

        Will often be the first mitigation to block exploits relying on memory corruption vulnerabilities used in the wild against web browsers / Flash Player.

 

- Stack Execution Prevention

        Triggers when critical functions (like WinExec) are being called from executable memory on, for example, the stack or the heap.

        Prevents the execution of shellcode.

 

- Caller check

        Triggers when certain functions / ROP gadgets want to return to 'unusual' parts of memory.

        Prevents the execution of certain critical functions from user controlled memory.

 

- TEB integrity check

        Triggers when an entry of the TEB has been overwritten with for example 0x7fffffff.

 

- Heap spray mitigation

        Behavior witnessed: Prevents allocation of heap chunks in multiple areas on the heap.

        Prevents jumps to large ranges of heap memory commonly used by exploits.

        Will also break a large amount of exploits present in Exploit Kits which would rely on memory leaks to bypass ASLR.

 

- Java specific mitigations

        Triggers when an executable has been downloaded through Java and is being executed locally.

        Triggers when critical processes (like cmd.exe) are being executed.

        Prevents the execution of malicious code/commands through Java applets.

 

All in all I am impressed by the capacity of MBAE to block exploits used in the wild. An exploit targeting Flash Player or Internet Explorer could for example be blocked by at least four/five different mitigations.

Keep it going, pbust!  :)

 

Best regards,

Regenpijp

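The stack pivot check and the stack execution prevention / caller check described in the post above both reduce to the same question asked inside a hook on a critical function: where does the stack pointer point, and what kind of memory is the return address in? The C program below is an added example written for this page; it is not MBAE's or Malwarebytes' code and does not show how MBAE implements these checks. It models the two decisions on Linux, using /proc/self/maps as a stand-in for VirtualQuery and the "[stack]" mapping of the main thread as a stand-in for the StackBase/StackLimit fields of the Windows TEB (the real thing would be a hook on VirtualProtect/WinExec reading ESP and the return address; here the caller passes those values in). The names lookup_region, stack_pivot_detected and caller_check_failed are this example's own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* One entry of /proc/self/maps: address range, permissions, whether the
 * mapping is backed by a file on disk (inode != 0) and its pathname, if any. */
typedef struct {
    uintptr_t start, end;
    int exec;          /* mapping is executable (perms[2] == 'x')       */
    int file_backed;   /* inode != 0: an executable or library image    */
    char path[256];    /* "/usr/lib/...", "[stack]", "[heap]" or ""     */
} region_t;

/* Find the mapping that contains addr. Returns 1 if found, 0 otherwise.
 * Linux stand-in for VirtualQuery(); re-reading the maps file on every
 * call is fine for a demonstration but far too slow for a real hook. */
static int lookup_region(uintptr_t addr, region_t *out)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    int found = 0;
    while (!found && fgets(line, sizeof line, f)) {
        unsigned long s, e, off, inode;
        char perms[8], dev[16], path[256] = "";
        int n = sscanf(line, "%lx-%lx %7s %lx %15s %lu %255s",
                       &s, &e, perms, &off, dev, &inode, path);
        if (n < 6 || addr < s || addr >= e) continue;
        out->start = s;
        out->end = e;
        out->exec = perms[2] == 'x';
        out->file_backed = inode != 0;
        strncpy(out->path, n == 7 ? path : "", sizeof out->path - 1);
        out->path[sizeof out->path - 1] = '\0';
        found = 1;
    }
    fclose(f);
    return found;
}

/* Stack pivot check: the stack pointer observed at a hooked critical function
 * must lie inside the thread's real stack. On Windows this would be the range
 * [StackLimit, StackBase) from the TEB; here it is the "[stack]" mapping of the
 * main thread (assumption: we are running on the main thread). Returns 1 if
 * the stack pointer has been pivoted somewhere else. */
static int stack_pivot_detected(uintptr_t sp)
{
    region_t r;
    if (!lookup_region(sp, &r)) return 1;         /* unmapped: certainly bogus */
    return strcmp(r.path, "[stack]") != 0;
}

/* Stack execution prevention / caller check: the return address of a hooked
 * critical function must point into executable memory that is backed by a
 * loaded image. Executable but anonymous memory (stack, heap, an RWX page
 * obtained from VirtualAlloc or mmap) is where shellcode lives. Returns 1 if
 * the call should be blocked. */
static int caller_check_failed(uintptr_t ret_addr)
{
    region_t r;
    if (!lookup_region(ret_addr, &r)) return 1;
    return !(r.exec && r.file_backed);
}

/* Legitimate call: the stack pointer is the address of a local variable. */
int demo_genuine_stack(void)
{
    volatile int local = 0;
    return stack_pivot_detected((uintptr_t)&local);        /* 0: no pivot */
}

/* Pivoted stack: ESP/RSP points into a heap buffer that holds a fake stack. */
int demo_heap_fake_stack(void)
{
    uint8_t *fake = malloc(0x1000);
    if (!fake) return -1;
    int pivoted = stack_pivot_detected((uintptr_t)(fake + 0x800));
    free(fake);
    return pivoted;                                        /* 1: flagged */
}

/* Legitimate caller: a code address inside this executable's own image. */
int demo_caller_in_image(void)
{
    return caller_check_failed((uintptr_t)&lookup_region); /* 0: allowed */
}

/* Shellcode-style caller: an anonymous page, RWX where the kernel allows it
 * (falls back to RW on kernels that refuse anonymous executable memory; the
 * check still flags it because the page is not image-backed). */
int demo_caller_in_anon_page(void)
{
    size_t len = 0x1000;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    int flagged = caller_check_failed((uintptr_t)p + 0x10);
    munmap(p, len);
    return flagged;                                        /* 1: flagged */
}

int main(void)
{
    printf("genuine stack pivoted?     %d\n", demo_genuine_stack());
    printf("heap fake stack pivoted?   %d\n", demo_heap_fake_stack());
    printf("caller in image blocked?   %d\n", demo_caller_in_image());
    printf("caller in anon page blocked? %d\n", demo_caller_in_anon_page());
    return 0;
}
```

Two caveats a practitioner would want: the stack check must use the limits of the thread that made the call (a secondary thread's stack is not the "[stack]" mapping, and on Windows each thread has its own TEB), and the caller check is only as good as the definition of "image-backed executable memory", which is why JIT engines and legitimately self-modifying code need exclusions from this kind of mitigation.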
