[Template_MBAE] ~ local template

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Re: [Template_MBAE] ~ local template

Post by henryg » Fri Nov 13, 2015 5:01 am

I have been using the 'old' template for some months which seems to work fine. Should I be changing it? Windows 7 Pro x64.

And can one of you please change your posting name: bjm, btm very confusing :lol:
Henry

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: [Template_MBAE] ~ local template

Post by Syrinx » Fri Nov 13, 2015 5:18 pm

henryg wrote: And can one of you please change your posting name: bjm, btm very confusing :lol:
Done, now someone just needs to ban btm!
Goo.gl/p8qFCf

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: [Template_MBAE] ~ local template

Post by Syrinx » Sun Nov 15, 2015 4:01 pm

@henryg The original (latest version) AIO template is still ok, I mainly separated them there to illustrate how certain lines are only used on certain versions or builds (32/64) of Windows, particularly the manual DLL injection lines. Having a path to a nonexistent file may add a few ms of time but it's not likely you'd notice any difference. You should be good with the one you have unless you just want to minimize the template.

The one line I might be nervous about is OpenIpcPath=$:mbae-svc.exe which was added for XP. That one you may want to remove if you're not on XP but I have this nagging in my head that says someone told me it might also have been needed for them on some other 32-bit OSes as well. Not sure about that though...
Goo.gl/p8qFCf

btm
Posts: 160
Joined: Sat Nov 23, 2013 11:31 am

Re: [Template_MBAE] ~ local template

Post by btm » Sun Nov 15, 2015 5:34 pm

Just to confirm from the old act, I created Syrinx and will shortly be changing the password for this one to something I don't know and will be retiring btm. The delay for the posts being 'moderated' as a newb is a bit annoying but I'll get over it :P Anyone happen to remember offhand how many posts until the moderation is lifted?
This account has been abandoned. If you need to PM me, please send a message to Syrinx.

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: [Template_MBAE] ~ local template

Post by Syrinx » Fri Nov 20, 2015 8:51 pm

I'm toying with an idea of automating the Template selection by breaking it down into 3 templates. One for 32 bit systems, one for 64 bit systems and one small one in addition for XP.

People could just add the entire chunk to the ini, then the Software Compatibility tab would only show the one(s) correct for their system. Unfortunately for XP users it would require two selections but I can't think of a way around it. I'm also not sure if a system that was once XP but later upgraded to Vista 32-bit would retain the key I'm scanning for there. I don't have a 32-bit Vista disc to test it with :-/

Code:

[Template_XPMBAE]

Tmpl.Title=MBAE (XP & SBIE 3.76 ONLY)
Tmpl.Class=Security
Tmpl.Scan=s
#Scan for key in registry, *should* only be found on XP : I hope!
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ModuleCompatibility
OpenIpcPath=$:mbae-svc.exe

[Template_32MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit (x86)
Tmpl.Class=Security
Tmpl.Scan=s
#Scan for MBAE in registry, only found on 32 bit OS
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*

[Template_64MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit (x64)
Tmpl.Class=Security
Tmpl.Scan=s
#Scan for MBAE in registry, only found on 64 bit OS
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*

It makes the AIO code much larger but prevents unneeded lines from being used. Not sure how else I could pull it off.
Goo.gl/p8qFCf

Mr.X
Posts: 583
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: [Template_MBAE] ~ local template

Post by Mr.X » Fri Nov 20, 2015 9:14 pm

Thanks a lot Syrinx. One question: does it make a difference from still using the old one? I use it on either x86 or x64.

Code:

[Template_MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll

Windows 8.1 x64/x86 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: [Template_MBAE] ~ local template

Post by Syrinx » Fri Nov 20, 2015 9:36 pm

The one you have is fine, I was just trying to think of a way to remove the unneeded lines (without manual input from the user) is all.

The only line I'd really be worried about is the XP only one (OpenIpcPath=$:mbae-svc.exe) which you don't have. So maybe something like this would be better for new users and keep it from getting complex?

Code:

[Template_XPMBAE]

Tmpl.Title=MBAE (XP & SBIE 3.76 ONLY)
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ModuleCompatibility
OpenIpcPath=$:mbae-svc.exe

[Template_MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll

I wonder if a .bat file to edit the sandboxie.ini automatically based on the OS would be easier for most people? I wouldn't want to use one made by a stranger but maybe some users would prefer it?
Goo.gl/p8qFCf

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Re: [Template_MBAE] ~ local template

Post by henryg » Sun Nov 22, 2015 5:26 am

If anyone is savvy enough to use MBAE they can probably edit sandboxie.ini. Having said that, I originally made a total hash of it by not changing the file path to my location of MBAE (still makes me wince when I think about it), but a batch file would have to be pretty comprehensive to deal with all eventualities.

I had already taken out OpenIpcPath=$:mbae-svc.exe as I was on Win 7 (now on Win 10).

And you changed your name. Hadn't realised until now - how perfect can anyone be! :lol:
Henry
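
Added example (not from the thread, and not Syrinx's or Sandboxie's code): the per-system trimming discussed above, written as a Python function that drops the XP-only `OpenIpcPath` exception, `InjectDll64` on 32-bit systems, and any injection line whose DLL is not at the listed path (the non-default install location henryg mentions). The name `minimize_template`, the `exists` callback and the sample install layout are assumptions made for the example.

```python
import ntpath

# Constructed sample: the all-in-one template from the thread plus the XP-only line.
SAMPLE = r"""[Template_MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit
OpenIpcPath=$:mbae-svc.exe
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
"""

def minimize_template(text, is_xp, is_64bit, exists):
    """Return (kept_lines, dropped), where dropped is a list of (line, reason).

    exists is a callable(path) -> bool; pass os.path.exists on a real system.
    """
    kept, dropped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or line.startswith("#"):
            kept.append(line)  # section headers, comments, blank lines
        elif key == "openipcpath" and value.lower() == "$:mbae-svc.exe" and not is_xp:
            dropped.append((line, "XP-only IPC exception"))
        elif key == "injectdll64" and not is_64bit:
            dropped.append((line, "64-bit injection on 32-bit OS"))
        elif key in ("injectdll", "injectdll64") and not exists(value):
            dropped.append((line, "DLL not found at this path"))
        else:
            kept.append(line)
    return kept, dropped

def demo():
    # Assumed layout of a default install on 64-bit Windows (constructed).
    installed = {
        r"c:\program files (x86)\malwarebytes anti-exploit\mbae.dll",
        r"c:\program files (x86)\malwarebytes anti-exploit\mbae64.dll",
    }
    return minimize_template(SAMPLE, is_xp=False, is_64bit=True,
                             exists=lambda p: ntpath.normcase(p) in installed)

if __name__ == "__main__":
    kept, dropped = demo()
    print("\n".join(kept))
    for line, reason in dropped:
        print("dropped:", line, "->", reason)
```

Each dropped `OpenIpcPath` line is one less exception in the sandbox boundary, so reviewing the `dropped` list before writing anything back to sandboxie.ini is the useful part of the output.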
