Creating Malwarebytes 3 plugin - Development

So frustrating  ..... I ran the Malwarebytes 3.3 installer in my PE build, downloaded straight from the site, ---> it ran and installed perfectly <--- performed an update, ran a scan... Started building an Innounp plugin for everyone (Which is way easier than it previously used to be because Malwarebytes now only packages dllname,1.dll and dllname,2.dll - only 32bit and 64bit versions, no more 5/6 diff DLL's for each ver of windows.. Also only 1 .sys file into sys32\drivers instead of 3-4 drivers identified as well...) Went to bed thinking I was going to share it with all of you this morning... Tried to run the installer again to grab the reg keys and  It won't run and is throwing an error...NO CHANGE IN BUILD. The only thing I was playing with were dependencies for another application from inside the same build, tried retracing ->EXACT<- steps no luck. Driving me crazy for the past 24hrs.  Anyone able to get the installer to run to grab the reg keys from within a 10PESE build to generate the correct keys?



The error is supposedly caused by a certificate error that normally can be fixed with certmgr.msc by deleting untrusted certificates.  Something similar is happening here I have no idea how it ran before  The applications I was using were password reset applications im not sure if that would reset the untrusted certificates or pave way for installation but I will keep testing in the meantime.

Shoot me some MWBytes_3.3 links
I Need Winbuilder Version/Build/.ISO info/Arch. etc... INFO
"I'll be glad to help".
I assume you just need Regshot Unicode output.
I will also try to capture running Regshot, Regshot Unicode, and What Changed.
"It sometimes helps to have more info".
Running depends and GetDeps.au3 help immensely.

I'm not sure I get the "NO CHANGE IN BUILD" thing.
"You are booting a Win10PESE in VM:???, and then running the Installer.
It should be a blank slate...

Regards
RoyM

It is crazy I literally was super excited to bring this to TheOven and  I cannot reproduce what allowed the installer to run...

Link for Malwarebytes:
https://www.malwarebytes.com/mwb-download/thankyou/

Not sure if the correct CLSID etc will populate in the keys unless created during install in PE

-I Never test in VM, although they are quicker they do not always give the same results as the real thing.. which leads to but its worth it.

I was working on Heidoc iso downloader and 2 password reset plugins, nothing crazy I didn't even move anything into system32 or run any installers, I just tried to run heidoc and use proc monitor, failed to find anything useful at first glance, used my password resets to ensure they wouldnt crash, then ran mbam3 installer smh I do not know...Almost like it was a bug it ran...so mad I didn't get reg keys I missed my opportunity

Latest winbuilder, win10PESE -  source v1709, x64, net framework full package run from cd, c redist full package(default full package) run from cd as well

net framework full package run from cd,

Run from Ram 

Reply 5
http://theoven.org/index.php?topic=2260.msg24422#msg24422

I tried rebuilding with "run from ram" for .NET plugin and same error.  Not sure if its a .NET problem.  It may only be for the installer and somehow a bug let me run it once already... I think its a security certificate issue(trust), I extracted setup with innounp to get a copy of the certificates from {tmp} folder, to try to add them to trusted list.  I can get all the dependencies for windows cert system (almost) the cert*.dll/exe/msc from sys32 into my build, and view cert mgr but still cant import(button greyed out).

I think the only issue here is with the installer though.  Once correct keys are able to be copied into plugin and file placement is correct should work great.  Installer is the brick wall..

  the hardest part is done!

Still work needs to be done...plugin not complete

In order to get installer working in PE ImRamdisk must used to remove b: or installer will not run.  An error is thrown when using virtual disk for temp location. (This is only needed during install while getting plugin together)

Temp and Tmp environment variables must be changed to something other than b: (create a folder named temp on y:)

Code: [Select]

set temp=y:\temp
set tmp=y:\temp

Then installer will run.. 



I may still need help with plugin creation  we will see...

I am trying to add a download option to this plugin.

When using

Code: [Select]

%FileWeb_x86%=https://downloads.malwarebytes.com/file/mb3

The file is downloaded with no extension?

The above link automatically direct downloads the latest version, wget gets the right file it just doesn't use the correct name, the file thats downloaded can be renamed to .exe  Is this normal for download button? Is there a way to add a name or should I have the script rename it to latestmb3.exe? I currently am renaming the file after download get an error that the download didn't complete correctly however it is working correctly...(this only happens when i rename the file though, i think there is error checking to make sure file is downloaded and im renaming before it can check, i can fix this if this is the best way) Trying to make this correctly for community.

Also after moving everything into place in a new build I get the following error when running mbam.exe and it does not load.  Services are running but application won't open.  If I remove ramdisk and re-run the installer the application will open fine. (If I remove ramdisk and do not rerun the installer it still gives the same error, the ramdisk is not the problem for this only for install.) I am missing something..

ProgramData\MBAMService folder moved into ProgramData in wim / mbae64.sys and mbamswissarmy.sys moved moved into sys32\drivers folder in wim / program lives on y:\programs\malwarebytes (run from cd)

Added starting services to switchtoadmin.ini (mbamservice and mbamswissarmy), services start fine..

mbamtray loads fine if manually run..

These are the keys used(attached, too big to post), w/all files in place
 mbamregkeys4oven.txt (239.5 kB - downloaded 289 times.)

My post count is getting a little high, sorry about that, but that's everything I got on the topic, the only thing left now is final fix.

**EDIT - I finally found out how I was able to get the installer to run without using ImDisk to remove the ramdrive(b:) - During system startup if you load the installer quickly enough (it seems before the ramdisk has time to load??) the installer will run without issue, all you need to do is quickly navigate to the mb3 installer file and select which language you would like...  once the installer GUI appears you can then wait as long as you'd like to proceed, about 10 seconds after you land on the desktop is all the time you have to do this)

More work has been done. - A plugin which leads us to the final hurdle has been created.  *EDIT

Hopefully this makes it easier for others interested in this plugin to contribute to it.  And also to easier to identify what if anything we are missing.

95% working Plugin attached (Program won't run yet, same error as above post.. this is the last obstacle to overcome for working plugin.)

To get to this point took a decent amount of effort, but we are here at this point because of the value of this tool, I hope others see the value as well and will take a look at this one with us.

BTW - In current state this is hardcoded for "Run from Ram" in a few minor ways.

When i try to run the Plugin then it doesn't work.

it actually says this:
CopyOrExpand - Failed to copy [%BaseDir%\Temp\Win10PESE\TempExtractFolder\Malwarebytes Anti-Malware\Malwarebytes Anti-Malware\mbamext,2.dl_] to: [%BaseDir%\Temp\Win10PESE\TempExtractFolder\Malwarebytes Anti-Malware\Malwarebytes Anti-Malware\mbamext.dll]: Das System kann die angegebene Datei nicht finden.

"Das System kann die angegebene Datei nicht finden."
The translation means: The system can't find the file.

can anyone help me?


I've already tried to rename the path as bob.omb told me:

Change this line inside of your plugin:

%ProgramFolder%=Malwarebytes Anti-Malware

==>

%ProgramFolder%=Malwarebytes

He then told me to post my problem in this thread.

Will re-check and reupload plugin tonight so you can at least get to the error we are stuck on and not something else...then we can figure it out together

Cannot reproduce the problem on my end.  The plugin executes successfully...



The plugin gets the setup file from this location: https://data-cdn.mbamupdates.com/web/mb3-setup-consumer/mb3-setup-consumer-3.3.1.2183.exe

Make sure you're not being blocked from accessing it, try to go there with a web browser and see if it serves you the file.  If it does not start a download, you're being blocked.

Anyone else having issues with plugin?

Can you post your log please?

I could download the File without any problems. And i got the same problem with another PC from a buddy. This one is my own PC.

I got the log in the Attachment if it helps. I got it in a Zip file because html isn't allowed here to upload.

Hi Bob.omb

I think there might be some confusion about plugin versions , as mbamext,2.dl (file that's failing in CopyR) isn't listed in your plugin as far as i can see, at least not in the last one of yours i tried
regards
APT

DaPuffer,

    If you are trying to help finish this plugin that we are developing for ---> Malwarebytes 3 <--- you have to download the plugin attached to replys in this thread,  it is not on the project server because it is not finished. We have to make it work first..

From your log I can see that you are using the OLD Malwarebytes plugin for Malwarebytes 2 - from the project Downloads>AppsY>Security>Anti-Virus>Malwarebytes_Anti-Malware_L plugin. (Try the packed version for MB2 - Thanks APT for testing)

Download the attached file FROM THIS THREAD, which is not fully completed, but will bring you to the error we are stuck on...

Re-Attached Plugin below:

 Malwarebytes Anti-Malware 3 (Bob.Omb).plugin.7z (138.85 kB - downloaded 100 times.)

Hi bob.omb,

sorry for late response.

updated old plugin (Download version) on server, so plugin not usable by new users anymore.
Also added current topic link.

(
+ That is the reason I do not like "Download" plugins for Complex or Frequent Updated applications.
+ That is the reason PC Packed have "FileContainer + Provide File + Download" options to work together.
      (APT might remember on another topic -> If required to be posted on another topic  )
)

DaPuffer,

    If you are trying to help finish this plugin that we are developing for ---> Malwarebytes 3 <--- you have to download the plugin attached to replys in this thread,  it is not on the project server because it is not finished. We have to make it work first..

From your log I can see that you are using the OLD Malwarebytes plugin for Malwarebytes 2 - from the project Downloads>AppsY>Security>Anti-Virus>Malwarebytes_Anti-Malware_L plugin. (Try the packed version for MB2 - Thanks APT for testing)

Download the attached file FROM THIS THREAD, which is not fully completed, but will bring you to the error we are stuck on...

Re-Attached Plugin below:

(Attachment Link)

No I used the download plugin wich gives me the newest version. from Yomi, the Malwarebytes Anti-Malware (L) (DL).
Because i wanted the newest version of MBAM.

Hi bob.omb,

sorry for late response.

updated old plugin (Download version) on server, so plugin not usable by new users anymore.
Also added current topic link.

(
+ That is the reason I do not like "Download" plugins for Complex or Frequent Updated applications.
+ That is the reason PC Packed have "FileContainer + Provide File + Download" options to work together.
      (APT might remember on another topic -> If required to be posted on another topic  )
)

Now i get it. I Thought the Download Plugin would be the newest 
Then i will try the "new" new one.

Updated plugin with help... Still stuck on memory error. 

Run from RAM for testing...

 Malwarebytes Anti-Malware 3 (Bob.Omb) - Test 2.plugin.7z (138.76 kB - downloaded 159 times.)

Hello,

I've really been trying to find or make a portable version of MalwareBytes 3.x for a while now without much success. This may be the closest thing to actually have something that works. I will test and see if I can help in any way. If you've made any progress since you last posted, please let me know.

Thanks!