pbust

How to verify that MBAE is working correctly

1 post in this topic

ID: 1   Posted (edited)

There are two ways to verify that Malwarebytes Anti-Exploit (MBAE) is installed and running correctly.

 

1- MBAE Exploit Test - For regular users

The attached mbae-test.exe utility was developed by Malwarebytes to simulate an exploit behavior in order to verify that MBAE is installed and working correctly. The utility only has two buttons labeled Normal and Exploit. The Normal button will open the Windows Calculator (calc.exe) using normal system calls which are typically used when users are trying to open the Calculator. The Exploit button will attempt to open the Windows Calculator using system calls which are typically used by exploits to launch their payloads (i.e. malware). Keep in mind that mbae-test.exe is NOT malicious. Even if you don't have MBAE install and click the "Exploit" button, the only thing that will happen is that the Windows Calculator will open. However if you have MBAE installed and running correctly, you will see an alert popup window from MBAE.

 

2- DLL Injection Verification - For techie users

Techies might prefer to verify that MBAE is working correctly with a more direct approach. The way MBAE works is by injecting its DLLs into protected applications. It does so by injecting mbae.dll for 32bit processes and mbae64.dll for 64bit processes. To verify that MBAE is working simply run Process Explorer or any other similar advanced task management utility, and use the Find (Ctrl+F) function to search for "mbae.dll" or "mbae64.dll". You should see mbae.dll listed under the process space of running and MBAE-protected applications. Remember to run Process Explorer as admin or click on "File -> Show Details for All Processes" to view all details.

mbae-test.zip

Edited by celee
updated zip file

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.