Topic: Creating Malwarebytes 3 plugin - Development  (Read 247 times)


Creating Malwarebytes 3 plugin - Development
« on: November 07, 2017, 03:30:31 PM »

bob.omb

  • Chef
  • ***
  • Location: USA
  • Date Registered: Jul 2017
  • Posts: 159
So frustrating  :mad: ..... I ran the Malwarebytes 3.3 installer in my PE build, downloaded straight from the site, ---> it ran and installed perfectly <--- performed an update, ran a scan... Started building an Innounp plugin for everyone (which is way easier than it previously used to be because Malwarebytes now only packages dllname,1.dll and dllname,2.dll - only 32-bit and 64-bit versions, no more 5/6 different DLLs for each version of Windows. Also only 1 .sys file into sys32\drivers instead of 3-4 drivers identified as well...). Went to bed thinking I was going to share it with all of you this morning... Tried to run the installer again to grab the reg keys and  :sad: :sad: :sad: it won't run and is throwing an error... NO CHANGE IN BUILD. The only thing I was playing with were dependencies for another application from inside the same build; tried retracing ->EXACT<- steps, no luck. Driving me crazy for the past 24 hrs. Anyone able to get the installer to run to grab the reg keys from within a 10PESE build to generate the correct keys?

The error is supposedly caused by a certificate error that normally can be fixed with certmgr.msc by deleting untrusted certificates. Something similar is happening here; I have no idea how it ran before  :huh: The applications I was using were password reset applications. I'm not sure if that would reset the untrusted certificates or pave the way for installation, but I will keep testing in the meantime.
« Last Edit: November 07, 2017, 05:04:14 PM by bob.omb »

Re: Creating Malwarebytes 3 plugin - Development
« Reply #1 on: November 07, 2017, 04:33:25 PM »

RoyM

  • Apprentice
  • *
  • Date Registered: Aug 2017
  • Posts: 9
Shoot me some MWBytes_3.3 links
I need Winbuilder Version/Build/.ISO info/Arch. etc... INFO
"I'll be glad to help".
I assume you just need Regshot Unicode output.
I will also try to capture running Regshot, Regshot Unicode, and What Changed.
"It sometimes helps to have more info".
Running depends and GetDeps.au3 help immensely.

I'm not sure I get the "NO CHANGE IN BUILD" thing.
"You are booting a Win10PESE in VM:???, and then running the Installer."
It should be a blank slate...

Regards
RoyM

Re: Creating Malwarebytes 3 plugin - Development
« Reply #2 on: November 07, 2017, 04:44:26 PM »

bob.omb

It is crazy I literally was super excited to bring this to TheOven and  :huh: I cannot reproduce what allowed the installer to run...

Link for Malwarebytes:
https://www.malwarebytes.com/mwb-download/thankyou/

Not sure if the correct CLSID etc. will populate in the keys unless created during install in PE.

-I never test in VM; although they are quicker, they do not always give the same results as the real thing... which leads to :turtle: but it's worth it.

I was working on Heidoc ISO downloader and 2 password reset plugins, nothing crazy. I didn't even move anything into system32 or run any installers, I just tried to run Heidoc and use proc monitor, failed to find anything useful at first glance, used my password resets to ensure they wouldn't crash, then ran mbam3 installer, smh, I do not know... Almost like it was a bug it ran... so mad I didn't get reg keys, I missed my opportunity.

Latest Winbuilder, Win10PESE - source v1709, x64, .NET Framework full package run from CD, C redist full package (default full package) run from CD as well



« Last Edit: November 07, 2017, 06:04:27 PM by bob.omb »

Re: Creating Malwarebytes 3 plugin - Development
« Reply #3 on: November 08, 2017, 02:52:12 AM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7374

Re: Creating Malwarebytes 3 plugin - Development
« Reply #4 on: November 08, 2017, 06:19:43 AM »

bob.omb

I tried rebuilding with "run from ram" for .NET plugin and same error. Not sure if it's a .NET problem. It may only be for the installer and somehow a bug let me run it once already... I think it's a security certificate issue (trust). I extracted setup with innounp to get a copy of the certificates from {tmp} folder, to try to add them to trusted list. I can get all the dependencies for Windows cert system (almost), the cert*.dll/exe/msc from sys32, into my build and view cert mgr, but still can't import (button greyed out).

I think the only issue here is with the installer though. Once correct keys are able to be copied into plugin and file placement is correct, it should work great. Installer is the brick wall...
« Last Edit: November 08, 2017, 11:47:43 AM by bob.omb »

Re: Creating Malwarebytes 3 plugin - Development
« Reply #5 on: November 10, 2017, 07:47:39 PM »

bob.omb

 :w00t: the hardest part is done!

Still work needs to be done... plugin not complete.

In order to get the installer working in PE, ImRamdisk must be used to remove b: or the installer will not run. An error is thrown when using virtual disk for temp location. (This is only needed during install while getting plugin together.)

Temp and Tmp environment variables must be changed to something other than b: (create a folder named temp on y:)
Code:
set temp=y:\temp
set tmp=y:\temp

Then installer will run..  :thumbsup:

I may still need help with plugin creation  :embarrassed: we will see...



« Last Edit: November 11, 2017, 05:06:53 AM by bob.omb »

Re: Creating Malwarebytes 3 plugin - Development
« Reply #6 on: November 11, 2017, 06:30:16 AM »

bob.omb

I am trying to add a download option to this plugin.

When using
Code:
%FileWeb_x86%=https://downloads.malwarebytes.com/file/mb3

The file is downloaded with no extension?

The above link automatically direct downloads the latest version; wget gets the right file, it just doesn't use the correct name. The file that's downloaded can be renamed to .exe. Is this normal for the download button? Is there a way to add a name, or should I have the script rename it to latestmb3.exe? I am currently renaming the file after download and get an error that the download didn't complete correctly; however, it is working correctly... (this only happens when I rename the file though; I think there is error checking to make sure the file is downloaded and I'm renaming before it can check. I can fix this if this is the best way). Trying to make this correctly for the community.
« Last Edit: November 11, 2017, 10:11:07 AM by bob.omb »

Re: Creating Malwarebytes 3 plugin - Development
« Reply #7 on: November 11, 2017, 02:45:43 PM »

bob.omb

Also after moving everything into place in a new build I get the following error when running mbam.exe and it does not load.  Services are running but application won't open.  If I remove ramdisk and re-run the installer the application will open fine. (If I remove ramdisk and do not rerun the installer it still gives the same error, the ramdisk is not the problem for this only for install.) I am missing something..

ProgramData\MBAMService folder moved into ProgramData in wim / mbae64.sys and mbamswissarmy.sys moved into sys32\drivers folder in wim / program lives on y:\programs\malwarebytes (run from cd)

Added starting services to switchtoadmin.ini (mbamservice and mbamswissarmy), services start fine..

mbamtray loads fine if manually run..

These are the keys used (attached, too big to post), w/all files in place
* mbamregkeys4oven.txt (239.5 kB - downloaded 8 times.)

My post count is getting a little high, sorry about that, but that's everything I got on the topic, the only thing left now is final fix.

**EDIT - I finally found out how I was able to get the installer to run without using ImDisk to remove the ramdrive (b:) - During system startup, if you load the installer quickly enough (it seems before the ramdisk has time to load??), the installer will run without issue. All you need to do is quickly navigate to the mb3 installer file and select which language you would like... Once the installer GUI appears you can then wait as long as you'd like to proceed. About 10 seconds after you land on the desktop is all the time you have to do this.
« Last Edit: November 12, 2017, 07:30:43 AM by bob.omb »

 
