Interesting HIPS test: restore SSDT hooks


a256886572008
April 12th, 2008, 11:19 PM
http://bbs.kafan.cn/viewthread.php?tid=233954

You can download this program from the following URL.

http://www.divshare.com/download/4237917-764

Threedog
April 12th, 2008, 11:32 PM
Defensewall wouldn't let it run. ;D

EASTER
April 12th, 2008, 11:47 PM
Another piece of crap BSOD generator. Didn't dislodge a single driver from the table.

Script Kiddie wannabe garbage.

Running Comodo D+ with EQS 4.0 Beta 2

Sorry no cigar, try again later.

QQ2595
April 12th, 2008, 11:56 PM
Oh, Mj0011 is a famous Chinese hacker. ;D

EASTER
April 13th, 2008, 12:00 AM
I dunno who compiled this funny MFC file but the only thing it does is generate a BSOD.

Certainly no hacker with any real skills would have conceived this junk file.

nick s
April 13th, 2008, 01:09 AM
Needs some work. Just crashes here according to Dr. Watson after giving xx.exe permission to Simulate Keyboard/Mouse via ProSecurity 1.42. No PS hooks are removed. Tested on XP SP2, with and without the Microsoft Security Bulletin MS08-025 (KB941693) (http://www.microsoft.com/technet/security/Bulletin/MS08-025.mspx) patch applied.

Nick

EASTER
April 13th, 2008, 01:28 AM
I highly doubt a compiled MFC file is going to have any muscle to dislodge simple HIPS hooking, as it requires some choice MS core mathematics to pull off such a feat of opening \Device\PhysicalMemory where there's a table sys in place to detect it.

It would take more than this piece of kiddie mud to force a displacement that extreme.

solcroft
April 13th, 2008, 02:08 AM
This MJ011 character is a famous one, I can vouch for that. Unfortunately, it appears that his/her credentials are more amusing than they are impressive. ;D

fax
April 13th, 2008, 04:03 AM
-{ Quote: "http://bbs.kafan.cn/viewthread.php?tid=233954

You can download this program from the following URL.

http://www.divshare.com/download/4237917-764" }-

Uuuhm.. How does this bypass HIPS?
Run it... ZA OS firewall warned about and killed it...:blink:
No BSOD

Missing something?

Cheers,
Fax

Huberti
April 13th, 2008, 04:19 AM
Yez ! This iz da bomB ! It will bypass **** HiPS !!! Ya Men !

C.S.J
April 13th, 2008, 04:34 AM
hmm,

The program crashes with DefenseWall, or at least it does on my machine.

Is this what is supposed to happen, stop that program from running?

At least I don't get the BSOD.

TerryWood
April 13th, 2008, 06:55 AM
Hi YankinNCrankin

Interested in your post comments.

I did not know that Returnil had a HIPS. Is it a separate product, or is it included in the Virtual System software?

If it's the latter, is it included in the free version?

Thanks for your help

TerryWood

alex_s
April 13th, 2008, 07:20 AM
OA 127, default mode



First alert - block (we don't want this nasty to tamper with csrss.exe)
Second - block (just in case of an attempt to infect the entry point)

Then xx crashed. No BSOD

Ilya Rabinovich
April 13th, 2008, 07:26 AM
-{ Quote: "The program crashes with DefenseWall, or at least it does on my machine." }-
On mine too.

-{ Quote: "Is this what is supposed to happen, stop that program from running?" }-
DW just stopped this program from SSDT unhooking; this caused a GPF.

-{ Quote: "At least I don't get the BSOD." }-
Yep, me too.

alex_s
April 13th, 2008, 08:14 AM
-{ Quote: "Another piece of crap BSOD generator." }-
It should be stopped before the BSOD. A BSOD does mean it touched the SSDT, which is a fail.

MaB69
April 13th, 2008, 08:30 AM
Hi,

Could someone explain to me what the goal of this test is: interception of the unhook attempt, or testing whether a driver still hooks after this attack?

Thank you for your answer

regards,

MaB

EraserHW
April 13th, 2008, 08:52 AM
Preamble: I write without having had a look at this PoC yet.

Ok, this software should be able to restore SSDT. And what with it?

It's obvious it could. It makes use of a Win32k.sys vulnerability to execute code in kernel mode.

-{ Quote: "
MS08-025 addresses several vulnerabilities in win32k.sys where you can execute arbitrary code in kernel mode. These bugs can only be exploited locally and there is no remote vector we are aware of.
" }-

I mean, a previous test was done to show some poor implementations of HIPS software that, under specified events, weren't blocking driver loading. And this is OK, how to bypass HIPS software.

This one makes use of a Windows vulnerability (already patched, btw).

What does this test want to prove?

alex_s
April 13th, 2008, 08:54 AM
-{ Quote: "Hi,

Could someone explain to me what the goal of this test is: interception of the unhook attempt, or testing whether a driver still hooks after this attack?

Thank you for your answer

regards,

MaB" }-
I think this test is about the ability to prevent unhooking. Once unhooking has happened no technique can guarantee stability. Any code that has access to the SSDT can modify it and cannot prevent others from modifying it. And once unhooking has happened the unhooker knows the real addresses of the functions and can use them without the SSDT. So even in case the HIPS restores the SSDT it is bypassed by malicious code.
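
As an added illustration of the check behind this discussion (not code from the thread or from any of the tools named in it): a user-mode model of how an SSDT viewer classifies each service-table entry by the module it points into and diffs the table against an earlier snapshot. The module ranges, table contents and the names ntoskrnl.exe and hips.sys are constructed sample values, not addresses read from a live kernel.

```c
/* Added example, not from the thread: a user-mode model of the check an SSDT
 * viewer performs. Module ranges and table contents are constructed sample
 * values; nothing here reads a live kernel. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;
    uintptr_t   base;
    uintptr_t   size;
} Module;

#define SSDT_LEN 6

/* Constructed module map: the kernel image plus a HIPS driver. */
static const Module modules[] = {
    { "ntoskrnl.exe", 0x80400000u, 0x00200000u },
    { "hips.sys",     0xF8A10000u, 0x00010000u },
};

/* Constructed clean table: every service points into ntoskrnl.exe. */
static const uintptr_t clean[SSDT_LEN] = {
    0x80501000u, 0x80502000u, 0x80503000u, 0x80504000u, 0x80505000u, 0x80506000u
};

/* Constructed table after the HIPS installed hooks on services 1 and 3. */
static const uintptr_t hooked[SSDT_LEN] = {
    0x80501000u, 0xF8A12000u, 0x80503000u, 0xF8A13000u, 0x80505000u, 0x80506000u
};

/* Name of the module containing addr, or "unknown" if it lies outside every
 * known image (the case a table viewer flags as suspicious). */
const char *module_for(uintptr_t addr)
{
    size_t i;
    for (i = 0; i < sizeof modules / sizeof modules[0]; i++) {
        if (addr >= modules[i].base && addr < modules[i].base + modules[i].size)
            return modules[i].name;
    }
    return "unknown";
}

/* Number of entries that do not point into the kernel image, i.e. the hooks
 * currently present in the table, whoever installed them. */
int count_hooked(const uintptr_t *table, size_t n)
{
    size_t i;
    int hooks = 0;
    for (i = 0; i < n; i++)
        if (strcmp(module_for(table[i]), "ntoskrnl.exe") != 0)
            hooks++;
    return hooks;
}

/* Compare a live table against an earlier snapshot; returns the number of
 * entries that changed and stores their indexes in changed[] (capacity n). */
int diff_tables(const uintptr_t *snapshot, const uintptr_t *live, size_t n,
                size_t *changed)
{
    size_t i;
    int count = 0;
    for (i = 0; i < n; i++)
        if (snapshot[i] != live[i])
            changed[count++] = i;
    return count;
}

int main(void)
{
    size_t idx[SSDT_LEN];
    int i, n;

    printf("clean table: %d hooks, hooked table: %d hooks\n",
           count_hooked(clean, SSDT_LEN), count_hooked(hooked, SSDT_LEN));

    /* Snapshot taken while the HIPS hooks were in place, compared with the
     * clean table standing in for "the table after an unhook attempt". */
    n = diff_tables(hooked, clean, SSDT_LEN, idx);
    for (i = 0; i < n; i++)
        printf("service %zu moved from %s to %s\n", idx[i],
               module_for(hooked[idx[i]]), module_for(clean[idx[i]]));
    /* n == 0 is what "hooks remained unmoved" looks like; n > 0 means the
     * table changed underneath the HIPS, which is what this test measures. */
    return 0;
}
```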

EASTER
April 13th, 2008, 10:43 AM
It's definitely a joke file, come on and be real.

Oh, BTW, since I research on a regular basis far worse system file modifiers, it doesn't matter if it sneaks in a remote thread or handle here or there.

The main premise is that IT FAILED! Period! Although I will admit nothing alerted at the time (at least not Comodo D+) because at the time I had been fine tuning SuRun and was not even really sure EQS was active when this gunker came up in the post, but I tried it just for the giggles I knew it would be.

So to refute, it DID NOT dislodge either of Comodo D+'s or EQS's table hooks, if that ever was the intention in the first place.

It just immediately BSODed and the SSDT hooks remained unmoved. I checked with RKU and other table viewers. LoL

SDTRestore for one is a true coded unhooker, as are a number of other foul unhookers I keep samples of, and none of them blue screen but quietly either displace hooks or return them to defaults.

So this only reminds me of an old April Fool's joke.

And so solcroft is spot on because he's right, it's more amusing than anything else.

SystemJunkie
April 13th, 2008, 12:12 PM
-{ Quote: "oh, Mj0011 is a famous chinese hacker." }-
Never heard of this guy; his fame seems to be pretty limited. ;D

alex_s
April 13th, 2008, 01:18 PM
-{ Quote: "It's definitely a joke file, come on and be real.

Oh, BTW, since I research on a regular basis far worse system file modifiers, it doesn't matter if it sneaks in a remote thread or handle here or there.

The main premise is that IT FAILED! Period!" }-

OK, you may regard it this way. But actually a BSOD does mean that code was injected and the SSDT was modified. The BSOD is a result of wrong code either in xx or in the HIPS. But a HIPS that allows a usermode program to cause a BSOD is not a HIPS actually, in case it is "by design" behaviour. In any case and under any criteria this is at least a definite DoS. And you could see that other HIPS prevented xx from touching the SSDT, so this is possible and not too difficult.

EASTER
April 13th, 2008, 01:43 PM
-{ Quote: "OK, you may regard it this way. But actually a BSOD does mean that code was injected and the SSDT was modified. The BSOD is a result of wrong code either in xx or in the HIPS. But a HIPS that allows a usermode program to cause a BSOD is not a HIPS actually, in case it is "by design" behaviour. In any case and under any criteria this is at least a definite DoS. And you could see that other HIPS prevented xx from touching the SSDT, so this is possible and not too difficult." }-

Code was not injected, my friend, but REJECTED! Hence Windows' purpose of the fatal exception error, or BSOD.

To put it mildly, when it touched the sys driver in the table that interaction was immediately interpreted by, I assume, Windows itself, so while a case might be made that the HIPS didn't force the exception, certainly Windows did, and rightly so.

To inject or insert directly would mean to REPLACE or DISPLACE the item, or even add to the sys file already in position, even the default Windows ntoskrnl.exe.

Neither happened as it was immediately reflected on attempt = BSOD = Safe!

alex_s
April 13th, 2008, 02:00 PM
-{ Quote: "Code was not injected, my friend, but REJECTED! Hence Windows' purpose of the fatal exception error, or BSOD." }-

Seems you do not understand some basic things. Usermode code (ring 3) cannot produce a BSOD by definition. Only kernel code (ring 0) can. This example was able to modify the data or inject code that affected either the SSDT or was executed in ring 0. In both cases this is a fail of the HIPS (and also the OS, but HIPS are there to fix OS holes).

As for BSOD == Safe. I strongly deny this idea. A BSOD has unpredictable results; it may corrupt the whole system.

yankinNcrankin
April 13th, 2008, 04:24 PM
Allowed the 1st alert and got the 2nd alert, which I blocked, and nothing got loaded. Returnil V 2.1.0.5826 passes. Returnil's HIPS is pretty cool, nice and simple.

Allowing the program to run completely without blocking results in a BSOD for me; I guess that would be the intended result.
I have yet to come across a test that can bypass a HIPS alert silently, mainly the 1st stage, which is obviously execution allowed.

Firebytes
April 13th, 2008, 04:40 PM
Returnil has HIPS???

EASTER
April 13th, 2008, 05:43 PM
-{ Quote: "Seems you do not understand some basic things. Usermode code (ring 3) cannot produce a BSOD by definition. Only kernel code (ring 0) can. This example was able to modify the data or inject code that affected either the SSDT or was executed in ring 0. In both cases this is a fail of the HIPS (and also the OS, but HIPS are there to fix OS holes).

As for BSOD == Safe. I strongly deny this idea. A BSOD has unpredictable results; it may corrupt the whole system." }-

There's no sense arguing the point so I'll pass the benefit of the doubt in your favor.

All I'm saying from experience of testing this file by letting it run uninhibited, as yankinandcrankin confirms, is that it is by design nothing more than a BSOD generator on face value.

The purpose (again) of a fatal exception is to alert the user that a mismatch of sorts is being attempted where it doesn't line up with normal operating patterns, and my PC is set to reboot on these occurrences, and I might add with no ill effects.

I throw caution to the wind with POCs because of my extra drives, so nothing ventured is nothing learned, but there's nothing gained either in this POC to unhook HIPS from the table.

I can verify nothing ill occurred, including to the file system, because I'm using the same PC I ran this on last evening and everything is as it was before.

Heck, I've deliberately BSOD'd my unit several times before with various test files with no lingering evidence of corruption or other strange effects.

lucas1985
April 13th, 2008, 05:49 PM
AFAIK (http://en.wikipedia.org/wiki/Blue_Screen_of_Death#Windows_NT), a BSOD only occurs when some kernel code causes a crash. So, if you see a BSOD, it means that some code executing at ring0 caused a system crash.

EASTER
April 13th, 2008, 05:54 PM
-{ Quote: "AFAIK, a BSOD only occurs when some kernel code causes a crash. So, if you see a BSOD, it means that some code executing at ring0 caused a system crash." }-

I totally agree, it was a kernel mode entry attempt but it was repelled nonetheless.

Not sure but it's been said userland can force kernel disruption too.

lucas1985
April 13th, 2008, 06:02 PM
-{ Quote: "I totally agree, it was a kernel mode entry attempt but it was repelled nonetheless." }-
Or it crashed the EQS drivers.

EASTER
April 13th, 2008, 06:11 PM
-{ Quote: "Or it crashed the EQS drivers." }-

Let's assume that was the case; at any rate they were reinstalled on reboot and set right back in place again, as is the case with HIPS that program their positions in the SSDT instruction table.

Fact still remains, the POC or whatever junk it was did nothing at all to disrupt normal operations except to simply reboot the machine right back to previous working order again, including the HIPS.

I could have done that myself by rebooting with the reset button.

alex_s
April 13th, 2008, 06:19 PM
-{ Quote: "There's no sense arguing the point so I'll pass the benefit of the doubt in your favor.

All I'm saying from experience of testing this file by letting it run uninhibited, as yankinandcrankin confirms, is that it is by design nothing more than a BSOD generator on face value." }-
Ok. Let me guess. You are a Comodo user? If yes, then yes, there is no sense in arguing.

One of the Comodo users told me one brilliant piece of wisdom: "the tests Comodo fails are not proper tests". Now I see that the malware Comodo fails is just not proper malware. You are a winner, at this point I quit :)

EASTER
April 13th, 2008, 06:25 PM
Sorry, there's no winner here at all.

This test is really no HIPS test at all because it was obviously rushed together without much thought or testing on different platforms as well as service packs, so with that in mind it was a pretty effective publicity stunt IMO.

EASTER
April 13th, 2008, 07:19 PM
xx.exe : Not detected by Sandbox (Signature: NO_VIRUS)


[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS
* Compressed: NO
* TLS hooks: NO
* Executable type: Application
* Executable file structure: OK

[ General information ]
* Application uses MFC.DLL.
* File length: 24576 bytes.
* MD5 hash: e18c84112c05db73f00a767946b75310.



(C) 2004-2006 Norman ASA. All Rights Reserved.

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File: xx.exe
Status: OK
MD5: e18c84112c05db73f00a767946b75310
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 13 Apr 2008 23:16:17 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

alex_s
April 13th, 2008, 07:54 PM
-{ Quote: " Not detected by Sandbox (Signature: NO_VIRUS)" }-
Oh, dear. This list is very impressive, of course. But the whole joke was not about this list; it was rather about approach. As for the lists: be sure, a thing that causes a BSOD will be in those lists very fast. Much less dangerous tests are there. Another option: this test causes a BSOD only with Comodo, then it will not be in the lists, of course.

Pedro
April 13th, 2008, 08:27 PM
At some point these tests have to come with a storyline to convince us how it would execute.
-{ Quote: "You are Comodo user ? If yes, then yes, there is no sense in arguing. " }-
Nice....

controler
April 13th, 2008, 10:31 PM
I guess MJ is a woman, but I have only seen her posting at Sysinternals in the past and on some Chinese sites.

Easter, this woman is posting a lot of crappy code lately for some reason.
But I guess the stuff posted over at Sysinternals was debunked in a hurry by EP ;) using, as everybody says, an outdated RKU.
Then again, if it wasn't EP debunking MJ, who will it be, since he wants nothing to do anymore with her challenges.

QQ2595
April 14th, 2008, 02:44 AM
Just checked the original thread in Chinese; MJ0011 lists some notices:

1: this tool may cause a BSOD on 2-core CPUs.
2: the GDT address obtained by sgdt in VMware is incorrect and may cause a BSOD; please test it on a real OS.

http://www.debugman.com/read.php?tid=1144

EASTER
April 14th, 2008, 02:49 AM
-{ Quote: "Just checked the original thread in Chinese; MJ0011 lists some notices:

1: this tool may cause a BSOD on 2-core CPUs.
2: the GDT address obtained by sgdt in VMware is incorrect and may cause a BSOD; please test it on a real OS.

http://www.debugman.com/read.php?tid=1144" }-

Pffft, better check that; I only run single core and it choked up, also no VM here either.

It would go much better for her to just scrap that silly MFC project permanently to avoid any further embarrassment and comedy.

It was good enough for a chuckle though ;D

alex_s
April 14th, 2008, 05:21 AM
-{ Quote: "At some point these tests have to come with a storyline to convince us how it would execute.

Nice...." }-

This test tampers with csrss.exe before the BSOD. If your HIPS prevents it from tampering with the system process, no BSOD occurs. This is plain simple.

Pedro
April 14th, 2008, 05:56 AM
I said execution, this test is an executable right...

ErikAlbert
April 14th, 2008, 06:28 AM
xx.exe is an unauthorized executable and will be killed by Anti-Executable in nanoseconds. Case closed.
Why write malware that already has an antidote? What a waste of time.

alex_s
April 14th, 2008, 07:05 AM
8) -{ Quote: "I said execution, this test is an executable right..." }-
To tell the truth I didn't dig deep enough to second or disclaim this :)

But the fact it causes a BSOD shows that even in case it was not designed specially to BSOD, the implementation is not correct enough to avoid it in all cases.

alex_s
April 14th, 2008, 07:18 AM
-{ Quote: "I totally agree, it was a kernel mode entry attempt but it was repelled nonetheless.

Not sure but it's been said userland can force kernel disruption too." }-

It can, in case the HIPS is poorly implemented or absent. There are undocumented hacks to get into kernel address space from usermode. A HIPS for one should prevent it.

Einsturzende
April 14th, 2008, 09:34 AM
My first post here :)
CFP 3.0.21.329 on XPSP2
xx.exe did not crash if it is blocked by CFP (see screenshots); however if CFP is closed it "creates" a BSOD (crashes the system)

alex_s
April 14th, 2008, 09:55 AM
-{ Quote: "My first post here :)
CFP 3.0.21.329 on XPSP2
xx.exe did not crash if it is blocked by CFP (see screenshots); however if CFP is closed it "creates" a BSOD (crashes the system)" }-

Great. We have finally got a correct person here, who can w/o extra words just post correct info :)

aigle
April 14th, 2008, 11:13 AM
-{ Quote: "My first post here :)
CFP 3.0.21.329 on XPSP2
xx.exe did not crash if it is blocked by CFP (see screenshots); however if CFP is closed it "creates" a BSOD (crashes the system)" }-
If you deny the first popup, no BSOD.

aigle
April 14th, 2008, 11:14 AM
I am not sure. I understand from this test that if there is no BSOD, test is pass. If I am correct then:

CFP- Passed
GesWall- Passed

controler
April 14th, 2008, 12:07 PM
It is best to just look at the thread on Sysinternals on this program.
Mj posts there.
Program meant for non-patched OS too.

Claims people posting here are all idiots. Isn't that funny, because some of us here were going to rootkit dot com when she was still in diapers ;D

So what if we don't know Chinese and go to the GREAT Chinese forums where all the world's greatest programmers are. Most are like a family here, those that have been around a long time that is. ;)

LoneWolf
April 14th, 2008, 12:32 PM
-{ Quote: "It is best to just look at the thread on Sysinternals on this program.
Mj posts there.
Program meant for non-patched OS too.

Claims people posting here are all idiots. Isn't that funny, because some of us here were going to rootkit dot com when she was still in diapers ;D

So what if we don't know Chinese and go to the GREAT Chinese forums where all the world's greatest programmers are. Most are like a family here, those that have been around a long time that is. ;)" }-


Yes, an interesting read over at the Sysinternals forums.
Seems members at Wilders are well liked over there. ::)
Most of what they post is over my head, but I got the gist of it.

Ilya Rabinovich
April 14th, 2008, 12:49 PM
-{ Quote: "So what if we don't know Chinese and go to the GREAT Chinese forums where all the world's greatest programmers are." }-
I'm not really sure that all the world-greatest programmers are there :)

controler
April 14th, 2008, 12:51 PM
Lonewolf

yes, the super elite hackers from SI think all AVs, ATs, HIPS & FWs are just a bunch of crap, and of course Windows LOL
but with the new and improved Windows 7 coming out soon to a theater near you, I am sure they will have to start a new game. I wonder if 7 will have a multi kernel?

Anybody here doing any testing with it yet?

alex_s
April 14th, 2008, 01:05 PM
-{ Quote: "It is best to just look at the thread on Sysinternals on this program.
Mj posts there.
Program meant for non-patched OS too.

Claims people posting here are all idiots. Isn't that funny, because some of us here were going to rootkit dot com when she was still in diapers ;D

So what if we don't know Chinese and go to the GREAT Chinese forums where all the world's greatest programmers are. Most are like a family here, those that have been around a long time that is. ;)" }-

Hm, it may be they are the best programmers. I just wonder why they don't produce the best software? What I see is, all the "cool hackers" are young enough people. Then, after they stop being "cool hackers" they go to work in software companies to resist new "cool hackers"..

Einsturzende
April 14th, 2008, 01:12 PM
-{ Quote: "...I understand from this test that if there is no BSOD, test is pass..." }-
I think you understand well ;D

QQ2595
April 14th, 2008, 01:32 PM
-{ Quote: "Hm, it may be they are the best programmers. I just wonder why they don't produce the best software? What I see is, all the "cool hackers" are young enough people. Then, after they stop being "cool hackers" they go to work in software companies to resist new "cool hackers".." }-

These boys are good at using decompiler tools to "research" anything they are interested in. Some of them like to "copy the code" from the decompiler and build it under a new name, then make a website and sell their products. ;D

SystemJunkie
April 14th, 2008, 01:36 PM
Comodo is aware of the trick so the program has no chance.

http://i25.tinypic.com/s24e20.png

@controler: the problem is especially the Windows subsystem, for compatibility reasons.
Not sure if Windows 7 will change that; they simply make too much money to make drastic changes,
but exactly that predicts them a critical future. Check Windows Collapses (http://www.heise.de/newsticker/IT-Analysten-Windows-kollabiert--/meldung/106358) (in German)

controler
April 14th, 2008, 03:45 PM
Yes, I knew the young great hackers would go to work for the bigger companies and even start their own security web sites, and that is a nice gesture indeed. Moving from the true dark side to the light side is always good for whatever reason, unless it is for money >:(

I don't know much about Windows 7 but do think it will be completely rewritten.
Not using the old windows kernel. This is why Vista will be short lived.
I guess we will see.

Mj mentions Komodo is crap but I know she isn't talking about Kevin.

If I was a betting man I would bet on Kevin above Mj. I would probably even bet on him over EP in knowledge about rootkits. As you know, while he had his own business and had Gov contracts, he could not touch the kernel and did a great job of it until it could not be done that way anymore. He was not allowed to touch the kernel even from ring3. Most can see why not; a BSOD
on GOV machines is not a nice thing.

Now does NSA use Windows, Linux or their own OS? How many other governments should design their own OS?

I think they can afford it, instead of spending trillions dominating the world.

OOPS, did I make a political statement, not allowed here?

Back to sysinternals I go then. ;D

fax
April 14th, 2008, 04:09 PM
-{ Quote: "I am not sure. I understand from this test that if there is no BSOD, test is pass. If I am correct then:

CFP- Passed
GesWall- Passed" }-

Probably it would be faster to list HIPS that do not pass it ;D
None?

Fax

SystemJunkie
April 14th, 2008, 07:26 PM
-{ Quote: "I'm not really sure that all the world's greatest programmers are there " }- Unfortunately we have few statements from Chinese people; it would be interesting what they think.

-{ Quote: "If I was a betting man I would bet on Kevin above Mj. I would probably even bet on him over EP in knowledge about rootkits. As you know, while he had his own business and had Gov contracts, he could not touch the kernel and did a great job of it until it could not be done that way anymore. He was not allowed to touch the kernel even from ring3. Most can see why not; a BSOD
on GOV machines is not a nice thing." }- So this Kevin you are talking about is the producer of Comodo? Sounds cool, the Gov story.
-{ Quote: "Back to sysinternals I go then. " }-
Actually Sysinternals is abandoned.

controler
April 15th, 2008, 11:19 AM
SystemJunkie

Kevin didn't produce Comodo but sold his wife's business to them. I am not sure what part he has in Comodo's HIPS, if any. He mainly works on Comodo BoClean and maybe with their AV people. He has been bitching about Microsoft for years ;) I haven't spent much time over at the Comodo forums
but now that I have some free time, I might try to check it out.

I don't know if the government here has changed their minds about touching the kernel or not, but maybe that is why they counted on companies that used hardware with its own OS before the main machines to find rootkits.
MS's latest buy.
I am still interested to see if anyone is testing any part of Windows 7 at this time.

lucas1985
April 15th, 2008, 02:46 PM
-{ Quote: "Why write malware that already has an antidote? What a waste of time." }-
Because that antidote is used by few people.

EASTER
April 16th, 2008, 03:37 AM
Why write a BSOD generator when you can use the MyFault test app or anything like that.

This has got to be the silliest so-called HIPS test I've ever seen; it was absolutely baseless and as useless as a 2-day-old popsicle on a 90 degree day.

It proved nothing. It even has the appearance of some script kiddie pieced-together garage project.

Ok, let's compare it to SSS that was released some time back, a GUI that at least had some substance to match.

I still don't get it.

LUSHER
April 16th, 2008, 10:36 AM
-{ Quote: "Claims people posting here are all idiots. Isn't that funny, because some of us here were going to rootkit dot com when she was still in diapers ;D" }-

Not such a great observation when you realize that despite visiting the great "rootkit dot com" when they were in diapers, one still knows less than 1/10 of what these kids do now... :P

controler
April 16th, 2008, 01:39 PM
Lusher

are you referring to the Windows OS, or programming in general?
That's what I am guessing you are referring to.

You probably are right about the 1/10th if looking only at what I asked above.


I know I was shunned here some years back for talking about rootkits becoming a problem in the future.

The only thing now that will stop the criminals is if the mobo, other hardware & BIOS manufacturers get it right together & Microsoft works with them.
We know Joanna R is working with Phoenix.
Anywho, whatever.

EASTER
April 17th, 2008, 02:23 AM
-{ Quote: "Lonewolf

yes, the super elite hackers from SI think all AVs, ATs, HIPS & FWs are just a bunch of crap, and of course Windows LOL
but with the new and improved Windows 7 coming out soon to a theater near you, I am sure they will have to start a new game. I wonder if 7 will have a multi kernel?

Anybody here doing any testing with it yet?" }-

Hi controler

You probably read them and know they don't think much of Wilders' discussions, but I really think they, the super so-called hackers, are pinned against the wall and that's why they lash out. I made a comment that they should offer a better improvement to HIPS than just running them down and our confidence in them, or at least piece something together more useful to improve on HIPS instead of just running them down and calling us sh*t for our support of them.

I post at both but I do not pull punches or take sides; security is #1, and if a POC is productive I'm all for that, but if they can't offer a better alternative then it's useless garble just to nitpick at HIPS supporters and their respective choice. I think these hackers are simply jealous because they can't completely climb the wall so they have nothing left but to lash out in frustration.

The latest so-called bypass sh*t HIPS is the biggest joke I've seen yet, but a good BSOD generator; but then anyone can fashion a BSOD file, that's lame stuff.