Creating Malwarebytes 3 plugin - Development

In the scheme of things overall - a few KB- not a big matter..

Bob you have a lot of time invested to get this one...
But You never gave up...
Great Job...
 

Couldn't have done it without you 

Hi Galapo,

Thanks for updates, all relevant plugins updated.
I hope this is the last time we update hiderun and broadcastenvchange.

ps:
I do not see your attachments when I login. 
To download your attachments, I log out. 

*
About Hiderun x86, original version not seen by virus anymore at VirusTotal.
I silently revert back to original hiderun-x86 long time ago seeing VirusTotal reports.
 (maybe a year or more ago which did not cause trouble)

ps: Good side, Gena uses small hiderun the way you like. 

but hiderun-x64 found by AV ..... which is the reason of AV posts about hiderun around.
I feel "Original File name" on compile causing this (same feeling for AutoIT 3381)
We will see. 





@Bob.Omb

"Autorun.cmd at Root of USB" plugin
on your hands to update BroadCastEnvChange 

The Major Change I see is the ServiceConfig.json file...
Although not sure if files "Newly Created by you" ?? - But would assume if existed they would have pointed to C:\\

Sure, here you go. I'd personally use the original version, which I simply cannot match in getting mine to compile as small. 

Hi Galapo,

When writing other topic I remember:
 

Junc.exe from Olof L

http://www.ltr-data.se/opencode.html
Junc.zip - 7.7 KB (32 bit) / junc64.zip - 8.2 KB (64 bit) / junc.zip - 11.0 KB (ARM)
compiled 2018-05-13

Maybe you can get info from Olof L sourcecodes or directly from him via email.

I found the external drive where I had a virtual machine with Visual Studio installed. The resulting executables are slightly smaller.

Regards,
Galapo.

I have this MB3 plugin working on 2 out of 3 of my test machines. Bugs reported elsewhere about this plugin..

Anyone else having issues with this?

 

I may be missing something (this one has my head hurting  )

Maybe importing certificate info? I did not notice this as my two primary machines I have been testing on both work fine...  Until I was notified and then I tested on a third..

I cant seem to pinpoint where the failure is occurring... (Maybe with secureboot or patched winload.exe?)

It looks like the hash at the top of the ServiceConfig.json file does not match something and the self protection mechanism is kicking in and reassigning the paths for data (needed files) to default on the c:\

Code: [Select]

B191577A8A02F3CA15F219FE18AD5C3B5C89075CBC2263D276C51F1C798B7D12
{
   "affiliateId" : "",
   "affiliateName" : "consumer",
   "checkConfig" : true,
   "dataPath" : "X:\\ProgramData\\Malwarebytes\\MBAMService",
   "delayInterval" : 15000,
   "delayStart" : false,
   "installPath" : "Y:\\Programs\\Malwarebytes 3",
   "logFileBackups" : 10,
   "logFilePath" : "X:\\ProgramData\\Malwarebytes\\MBAMService\\logs\\mbamservice.log",
   "logFileSize" : 10485760,
   "maxLogLevel" : "info",
   "productBuild" : "consumer",
   "productCode" : "MBAM-C",
   "productVersion" : "3.6.1.2711"
}

It is a shame too because control of these paths would make it possible to completely make the application portable.. (except the services)

This means if your testing on a machine with Malwarebytes 3 installed on the host the plugin will work when running it from your USB.  If you do not have MB3 on the host the plugin will fail when running it from your USB..

- Back to the drawing board..

What a pain in the rear end this software is to make portable 

Instead, for the sake of usability now, I caved into James's method, and am using the installer file as a base.  I created a simple launcher with AutoIT3 that checks to see if the program is already installed at the default /VerySilent path, if it is it only opens the gui and completes(This way you don't reinstall every time you click the shortcut for the launcher), if not it silently installs MB3, removes the public desktop icon after install, then opens the gui.. (This needs to be done because silent install opens the software to tray and does not present the GUI)

It is compiled to MB3Launcher.exe but below is the au3 source

Code: [Select]

#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Icon=mb3_MAINICON.ico
#AutoIt3Wrapper_Res_Description=Malwarebytes 3
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
Local $sFilePath = "X:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
Local $iFileExists = FileExists($sFilePath)
If $iFileExists Then
    Run('X:\Program Files\Malwarebytes\Anti-Malware\mbam.exe')
Else
    RunWait('MB3.EXE /VerySilent', @ScriptDir)
    FileDelete ('X:\Users\Public\Desktop\Malwarebytes.lnk')
    Run('X:\Program Files\Malwarebytes\Anti-Malware\mbam.exe')
EndIf
Exit

Res_Description=Malwarebytes 3 - is necessary so that pinned shortcut name displays correctly (as Malwarebytes 3) otherwise the EXE name is used for the pinned item.

The same process of downloading the latest version to the file container is still used in this version.

SE Plugin:  MB3_Consumer_SetupwithLauncher_Plugin.7z (458.8 kB - downloaded 90 times.)