Question: WehnTrust


Painkiller
October 1st, 2006, 03:47 PM
Hi,

Has anyone used this software before ... any insights?

10x guys

Painkiller;D

QBgreen
January 31st, 2007, 09:53 AM
I've come across a HIPS that claims to be designed to specifically protect against buffer overflow exploitation. It's called WehnTrust, and there is a Pro and freeware version. I'm going to give the freeware version a go. If anyone wants to read about it or download it, look here: http://www.wehnus.com/products.pl

Kees1958
February 1st, 2007, 02:37 AM
Hi,

I have tried it for a while. It randomises memory space. This prevents exploits from finding images in memory/stack and accessing an offset: because the address space is not fixed anymore, the accessed offset is not used for what the malware thinks it is used for. Therefore the memory/stack hack does not have the effects the malware tries to achieve.

Sounds complex, so an example:
You can compare it with hacking the GUI of an exe file. Some people search for the text "files" within an exe file and change it to another value with Notepad. Some exploits work in the same way, only they do it in memory/stack. They search for a fixed binary value and change the address space using the fixed binary value as a starting point.

Example: find value '0A' and access the address space at offset 08. With this change they are able to change the logic of the program in memory.

The standard feature DEP (of XP) gives similar protection, by allowing executables to access only the 'variable' parts of memory. WehnTrust gives some more protection, because the attacked offset space could be a legal memory place to change (a variable).

WehnTrust is a hardening tool with HIPS-like effects, to prevent overflow attacks. It is useful when you do not use an overflow protection program or a classic HIPS like SSM (free version does protect against physical memory access, unlike ProSecurity free).

I use SSM-free plus DEP now and think this is sufficient protection.

Regards

Meriadoc
February 1st, 2007, 03:19 AM
I have also used this - the free home version, hardly knew it was there.
Address Space Layout Randomization: ASLR like for UNIX-based OSes, but for Windows. I cannot add any more than the above.
In XP, turn DEP on for all programs.