Wilders Security Forums  

#1  May 13th, 2012, 09:40 AM
kupo (Frequent Poster; Joined Jan 2011; Posts: 935)
Why Usermode Hooking Sucks – Bypassing Comodo Internet Security

I found this in the COMODO forums. I thought I'd share it here. -http://rce.co/why-usermode-hooking-sucks-bypassing-comodo-internet-security/
EDIT: I'll read it later and try to see if I can understand it, lol.

Last edited by kupo : May 13th, 2012 at 09:55 AM.
#2  May 13th, 2012, 10:43 AM
tomazyk (Frequent Poster; Slovenia; Joined Dec 2006; Posts: 601)

That's interesting reading.

On a 64 bit OS most HIPS software can be bypassed somehow. Patchguard prevents them from implementing the same level of protection they can on 32 bit.

However, I still believe that the protection Comodo and other HIPS developers offer on 64 bit is still better than what AVs and other blacklisting software can give you.

It would be nice if someone would test the POC provided at the end of the article and post the results.
__________________
ESET Nod32 AV • Sandboxie • EMET • OpenDNS
My security setup in detail
• Always remember you're unique, just like everyone else •

#3  May 13th, 2012, 01:58 PM
Kees1958 (Massive Poster; Joined Jul 2006; Posts: 5,857)

Yes, user mode hooking has its weaknesses, but for malware to replace the Comodo DLL injected into every process with its own, a malware executable has to run in the first place.

Windows 7 does allow the AppInit technique for backward compatibility, but it has a hardening option for when your HIPS uses this technique: allow only signed DLLs to be used as AppInit DLLs, see http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx

So if a member on Win7 x64 could check whether guard64.dll and guard32.dll are signed, then this hardening technique could be applied: use the RequireSignedAppInit_DLLs setting, see

http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx

Apply this hardening tweak only when no other program is listed in the AppInit section AND the Comodo DLLs are signed. It does not actually prevent the bypass, but it makes it harder to replace the guard DLL.

Regards Kees
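The check Kees asks for, as an added example that is not part of his post, the Comodo forum thread or the linked article: it reads the AppInit_DLLs configuration from both registry views on 64-bit Windows 7, resolves each listed DLL, runs Get-AuthenticodeSignature on it and only then says whether flipping RequireSignedAppInit_DLLs to 1 is safe for that view. The registry key and value names (AppInit_DLLs, LoadAppInit_DLLs, RequireSignedAppInit_DLLs) are the documented Windows settings; the DLL names are taken from the registry rather than hardcoded, so guard32.dll/guard64.dll only appear if Comodo registered them. It assumes Windows 7 x64 with PowerShell 2.0 or later, run from an elevated prompt, and changes nothing unless the commented Set-ItemProperty line is enabled.

```powershell
# Added example, not from the forum thread or the linked article: audits the
# AppInit_DLLs configuration on 64-bit Windows 7 and checks whether each DLL
# listed there carries a valid Authenticode signature. Read-only unless you
# uncomment the Set-ItemProperty line. Run elevated; PowerShell 2.0 and later.

# On x64 both registry views matter: the native key feeds 64-bit processes,
# the Wow6432Node key feeds 32-bit (SysWOW64) processes, which is where the
# article's bypass applies.
$views = @(
    @{ Name = 'x64 (native)'
       Key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
       SystemDir = Join-Path $env:SystemRoot 'System32' },
    @{ Name = 'x86 (WOW64)'
       Key  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
       SystemDir = Join-Path $env:SystemRoot 'SysWOW64' }
)

function Get-AppInitStatus {
    param([hashtable]$View)

    $props = Get-ItemProperty -Path $View.Key -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }

    # AppInit_DLLs is a REG_SZ: entries separated by spaces or commas, given as
    # bare file names (resolved against the system directory) or full paths.
    $entries = @(([string]$props.AppInit_DLLs) -split '[ ,;]+' | Where-Object { $_ -ne '' })

    $dlls = @(foreach ($e in $entries) {
        if ([System.IO.Path]::IsPathRooted($e)) { $path = $e } else { $path = Join-Path $View.SystemDir $e }
        $exists = Test-Path -LiteralPath $path
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            if ($sig.SignerCertificate -ne $null) { $signer = $sig.SignerCertificate.Subject } else { $signer = '' }
        } else {
            $status = 'FileNotFound'; $signer = ''
        }
        New-Object PSObject -Property @{ Entry = $e; Path = $path; Exists = $exists; SigStatus = $status; Signer = $signer }
    })

    New-Object PSObject -Property @{
        View                      = $View.Name
        LoadAppInit_DLLs          = $props.LoadAppInit_DLLs
        RequireSignedAppInit_DLLs = $props.RequireSignedAppInit_DLLs
        Dlls                      = $dlls
    }
}

foreach ($v in $views) {
    $s = Get-AppInitStatus -View $v
    if ($s -eq $null) { Write-Warning "Key not found: $($v.Key)"; continue }

    Write-Host ("`n[{0}] LoadAppInit_DLLs={1} RequireSignedAppInit_DLLs={2}" -f $s.View, $s.LoadAppInit_DLLs, $s.RequireSignedAppInit_DLLs)
    $s.Dlls | Select-Object Entry, Exists, SigStatus, Signer | Format-Table -AutoSize

    # Kees' precondition: turn RequireSignedAppInit_DLLs on only when every
    # listed DLL is present and validly signed; otherwise the unsigned ones
    # (and whatever depends on them) silently stop loading.
    $bad = @($s.Dlls | Where-Object { $_.SigStatus -ne 'Valid' })
    if ($s.Dlls.Count -eq 0) {
        Write-Host '  No AppInit DLLs registered in this view.'
    } elseif ($bad.Count -eq 0) {
        Write-Host '  All listed DLLs are validly signed; RequireSignedAppInit_DLLs=1 is safe for this view.'
        # Set-ItemProperty -Path $v.Key -Name RequireSignedAppInit_DLLs -Value 1 -Type DWord
    } else {
        $names = ($bad | ForEach-Object { $_.Entry }) -join ', '
        Write-Host "  Do NOT enable RequireSignedAppInit_DLLs here; unsigned or missing: $names"
    }
}
```

Two things worth keeping in mind when reading the output. The WOW64 view is the one that matters for the bypass quoted later in this thread, since only 32-bit processes on a 64-bit system load their AppInit DLLs from Wow6432Node. And, as Kees says, signing enforcement only stops an unsigned replacement from being loaded through AppInit_DLLs; it does nothing about a process that simply avoids the hooks once the legitimate DLL is in place.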
#4  May 13th, 2012, 02:57 PM
Hungry Man (Incredibly Massive Poster; Joined May 2011; Posts: 8,519)

The thing about patchguard is that it puts the entire responsibility of security onto the operating system but it only tries to solve a single problem - rootkits.

So while MS does a great job at protecting themselves from rootkits they now prevent any security software from supplementing their product, which really sucks because their handling of security isn't too great (this may change with 8.)

When they implemented patchguard they basically said "We're the only ones who can handle security now." Big mistake since they suck at it.

Quote:
To conclude with, we’d like to stress that we do not hate the Comodo HIPS product. The bypassing method presented in this post is rather remote and applies only on SysWoW64 ( 32bit ) applications running on a 64bit Windows version. Attached you will find a proof of concept application that automates the process of generating executable that can bypass the installation of hooks throughout the process address space. Thank you for reading.
So this only applies to 32bit applications running on 64bit Windows.
__________________

Last edited by Hungry Man : May 13th, 2012 at 03:19 PM.
#5  May 13th, 2012, 06:39 PM
Ranget (Frequent Poster; Location: Not Really Sure :/; Joined Mar 2011; Posts: 832)

I don't understand or have any idea about rootkits, but I know that the TDs rootkit was found to beat this Patchguard. Why don't security products use the same technique?

Also, I want to know if OA is the same, and also what is Comodo's response to this?
__________________
Spyshelter Premuim + MBAM Pro +Avast Free + Hardend FireFox + Secunia Update Checker
"Uncommon sense will increase your privacy; common sense will just make you common."
"The Worst Thing in the World is To look and not be able to Help "

Last edited by Ranget : May 13th, 2012 at 06:51 PM.
#6  May 13th, 2012, 08:42 PM
Brandonn2010 (Very Frequent Poster; Joined Jan 2011; Posts: 1,245)

Quote:
Originally Posted by Ranget
I don't understand or have any idea about rootkits, but I know that the TDs rootkit was found to beat this Patchguard. Why don't security products use the same technique?

Also, I want to know if OA is the same, and also what is Comodo's response to this?

Ha! I love that idea, but I'm sure MS would patch it somehow.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
#7  May 14th, 2012, 12:29 AM
blacknight (Very Frequent Poster; Europe; Joined Sep 2007; Posts: 1,625)

I'm not sure I have understood. Comodo HIPS doesn't install itself at the kernel level? As EQSecure did.
__________________
We are such stuff
As dreams are made on.
#8  May 14th, 2012, 12:41 AM
tomazyk (Frequent Poster; Slovenia; Joined Dec 2006; Posts: 601)

Quote:
Originally Posted by blacknight
I'm not sure I have understood. Comodo HIPS doesn't install itself at the kernel level? As EQSecure did.

Not on 64 bit Windows. MS does not allow it. On 32 bit it does.
__________________
ESET Nod32 AV • Sandboxie • EMET • OpenDNS
My security setup in detail
• Always remember you're unique, just like everyone else •

#9  May 14th, 2012, 12:57 AM
Hungry Man (Incredibly Massive Poster; Joined May 2011; Posts: 8,519)

Quote:
Originally Posted by Ranget
I don't understand or have any idea about rootkits, but I know that the TDs rootkit was found to beat this Patchguard. Why don't security products use the same technique?

Also, I want to know if OA is the same, and also what is Comodo's response to this?
It tried to bypass patchguard by writing to the MBR through the BIOS or some such thing.

It's generally best practice when writing a security program not to hack the operating system I would think lol
__________________
#10  May 14th, 2012, 01:11 AM
TheWindBringeth (Frequent Poster; Joined Feb 2012; Posts: 845)

For those interested in seeing the Comodo thread, this appears to be it:

http://forums.comodo.com/news-announ...-t84281.0.html
#11  May 14th, 2012, 09:16 AM
blacknight (Very Frequent Poster; Europe; Joined Sep 2007; Posts: 1,625)

Quote:
Originally Posted by tomazyk
Not on 64 bit Windows. MS does not allow it. On 32 bit it does.

Thanks. Good reason not to use 64 bit.
__________________
We are such stuff
As dreams are made on.
#12  May 14th, 2012, 09:18 AM
tomazyk (Frequent Poster; Slovenia; Joined Dec 2006; Posts: 601)

Quote:
Originally Posted by Ranget
I don't understand or have any idea about rootkits, but I know that the TDs rootkit was found to beat this Patchguard. Why don't security products use the same technique?

I believe that vendors won't risk the damage they could do by trying to "patch" the Patchguard.
Also, MS would probably sue them if they tried to hack MS's OS. It would probably break some TOS that the user agreed to when the OS was installed.
__________________
ESET Nod32 AV • Sandboxie • EMET • OpenDNS
My security setup in detail
• Always remember you're unique, just like everyone else •

#13  May 14th, 2012, 09:20 AM
tomazyk (Frequent Poster; Slovenia; Joined Dec 2006; Posts: 601)

Quote:
Originally Posted by blacknight
Thanks. Good reason not to use 64 bit.

Yes, for me, right now, it's the only reason I don't move to 64 bit.
__________________
ESET Nod32 AV • Sandboxie • EMET • OpenDNS
My security setup in detail
• Always remember you're unique, just like everyone else •

#14  May 14th, 2012, 09:28 AM
funkydude (Incredibly Massive Poster; Joined Apr 2004; Posts: 6,015)

Quote:
Originally Posted by tomazyk
Yes, for me, right now, it's the only reason I don't move to 64 bit

Then you will never move to 64bit because it will always be there. KPP ensures stability and security by preventing the fools that make these "security" products from tampering with the kernel.

I honestly can't believe people actually trust 3rd party vendors over MS to keep their system secure. We're talking about the same vendors that time and time again introduce their OWN security holes into the OS by doing dumb things like installing non-ASLR binaries. Every other month there's a thread about a security hole in a security product.

Also stability: there's a reason Win x64 is so much more stable than in the old days of Windows XP; you don't have every program under the sun modifying the kernel so that even MS themselves are afraid to push Windows updates for fear of causing system crashes. The reason it's far safer to install updates these days isn't that MS somehow got better at it, it's that they stopped all this software from patching the kernel in the first place.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#15  May 14th, 2012, 09:52 AM
tomazyk (Frequent Poster; Slovenia; Joined Dec 2006; Posts: 601)

Quote:
Originally Posted by funkydude
Then you will never move to 64bit because it will always be there. KPP ensures stability and security by preventing the fools that make these "security" products from tampering with the kernel.

I honestly can't believe people actually trust 3rd party vendors over MS to keep their system secure. We're talking about the same vendors that time and time again introduce their OWN security holes into the OS by doing dumb things like installing non-ASLR binaries. Every other month there's a thread about a security hole in a security product.

Also stability: there's a reason Win x64 is so much more stable than in the old days of Windows XP; you don't have every program under the sun modifying the kernel so that even MS themselves are afraid to push Windows updates for fear of causing system crashes. The reason it's far safer to install updates these days isn't that MS somehow got better at it, it's that they stopped all this software from patching the kernel in the first place.

I will move to 64 bit when I get some benefit from using 64 bit instead of 32. Right now there are no benefits for me.

"I honestly can't believe people actually trust 3rd party vendors over MS to keep their system secure." Well, when it comes to security, people have trusted 3rd party vendors over MS for many years and rightly so. So, should we all abandon all 3rd party AVs, firewalls and other apps, just so we don't introduce new security holes to OS? Will that make computing safer?

BTW, most security holes that I read about are introduced by OS itself, MS software or other 3rd party non security related software.
__________________
ESET Nod32 AV • Sandboxie • EMET • OpenDNS
My security setup in detail
• Always remember you're unique, just like everyone else •


Last edited by tomazyk : May 14th, 2012 at 10:20 AM.
#16  May 14th, 2012, 10:21 AM
blacknight (Very Frequent Poster; Europe; Joined Sep 2007; Posts: 1,625)

Quote:
Originally Posted by funkydude
Then you will never move to 64bit because it will always be there. KPP ensures stability and security by preventing the fools that make these "security" products from tampering with the kernel.

I honestly can't believe people actually trust 3rd party vendors over MS to keep their system secure. We're talking about the same vendors that time and time again introduce their OWN security holes into the OS by doing dumb things like installing non-ASLR binaries. Every other month there's a thread about a security hole in a security product.


Disagree. Many security products are much more reliable and trustworthy than MS, and it is much easier to find security holes and vulnerabilities in it.
__________________
We are such stuff
As dreams are made on.
#17  May 14th, 2012, 10:35 AM
kupo (Frequent Poster; Joined Jan 2011; Posts: 935)

Quote:
Originally Posted by tomazyk
..."I honestly can't believe people actually trust 3rd party vendors over MS to keep their system secure." Well, when it comes to security, people have trusted 3rd party vendors over MS for many years and rightly so. So, should we all abandon all 3rd party AVs, firewalls and other apps, just so we don't introduce new security holes to OS? Will that make computing safer?...
Your choice if you want to abandon them. But with Windows alone, you can have a secure computer.
Anti-Virus - MSE
Firewall - Windows Firewall w/ Advanced Security
Drive Encryption - Bitlocker
Default-Deny - SRP or Applocker
Combine all with a Standard User Account and UAC and you're pretty much secure without 3rd party software. Oh, I almost forgot the built-in imaging of Windows 7. System Restore has also improved in Vista and 7. You can also add EMET if you want to.

Quote:
BTW, most security holes that I read about are introduced by OS itself, MS software or other 3rd party non security related software.
It's not only security holes with 3rd party software; there is also stability.
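A read-only audit of the stack listed in the post above, as an added example that is not part of kupo's post: it checks, on Windows 7, whether UAC is on and how it prompts, whether the logged-on account sits in the local Administrators group, whether all three Windows Firewall profiles are enabled, whether SRP is in default-deny or an AppLocker Exe collection is enforced, whether the OS drive reports BitLocker protection on, and whether the MSE service is running. Registry paths, value meanings and the MsMpSvc service name are the documented Windows ones; the EMET registry key is an assumption about where EMET 3.x/4.x keeps its settings and is labelled as such in the code. It assumes PowerShell 2.0 or later and an elevated prompt (manage-bde and the policy keys need it); English-only parsing is confined to the manage-bde output.

```powershell
# Added example, not from the forum post: a read-only audit of the Windows-only
# stack kupo lists (MSE, Windows Firewall, BitLocker, SRP/AppLocker, standard
# user + UAC, EMET) on Windows 7. Run elevated; PowerShell 2.0 and later.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

$checks = @()
function Add-Check([string]$Control, [string]$Setting, $Value, [bool]$Ok) {
    $script:checks += New-Object PSObject -Property @{ Control = $Control; Setting = $Setting; Value = "$Value"; OK = $Ok }
}

# UAC: EnableLUA=1 turns it on. ConsentPromptBehaviorAdmin: 0 = never prompt,
# 2 = always prompt on the secure desktop, 5 = Win7 default (non-Windows binaries only).
$pol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua  = Get-RegValue $pol 'EnableLUA'
$cpba = Get-RegValue $pol 'ConsentPromptBehaviorAdmin'
Add-Check 'UAC' 'EnableLUA' $lua ($lua -eq 1)
Add-Check 'UAC' 'ConsentPromptBehaviorAdmin' $cpba ($cpba -ne 0)

# Standard user: the logged-on account should not be in the local Administrators group.
$admins  = @(net localgroup Administrators 2>$null)
$isAdmin = [bool]($admins | Where-Object { $_.Trim() -ieq $env:USERNAME -or $_.Trim() -ieq "$env:USERDOMAIN\$env:USERNAME" })
Add-Check 'Account' 'member of Administrators' $isAdmin (-not $isAdmin)

# Windows Firewall: EnableFirewall=1 for every profile (locale-independent, unlike netsh output).
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $on = Get-RegValue "$fwBase\$p" 'EnableFirewall'
    Add-Check 'Firewall' "$p EnableFirewall" $on ($on -eq 1)
}

# Default-deny: SRP DefaultLevel 0 = Disallowed (0x40000 = Unrestricted, the default) ...
$srp = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers' 'DefaultLevel'
Add-Check 'SRP' 'DefaultLevel' $srp ($srp -eq 0)

# ... or an AppLocker policy whose Exe rule collection is set to Enabled (enforce), with rules in it.
$alXml = $null
try { Import-Module AppLocker -ErrorAction Stop; $alXml = [string](Get-AppLockerPolicy -Effective -Xml) } catch { }
$alEnforced = ($alXml -ne $null) -and ($alXml -match 'Type="Exe"[^>]*EnforcementMode="Enabled"')
$alRules = 0
if ($alXml) { $alRules = ([regex]::Matches($alXml, '<File(Path|Publisher|Hash)Rule ')).Count }
Add-Check 'AppLocker' 'Exe collection enforced / rule count' "$alEnforced / $alRules" $alEnforced

# BitLocker on the OS drive: manage-bde prints "Protection Status: Protection On" (English output assumed).
$bdeOn = $false
if (Get-Command manage-bde -ErrorAction SilentlyContinue) {
    $bde   = @(manage-bde -status $env:SystemDrive 2>$null)
    $bdeOn = [bool]($bde | Where-Object { $_ -match 'Protection Status:\s+Protection On' })
}
Add-Check 'BitLocker' "$env:SystemDrive protection" $(if ($bdeOn) { 'On' } else { 'Off or unknown' }) $bdeOn

# MSE runs as the Microsoft Antimalware Service, service name MsMpSvc.
$mse = Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue
Add-Check 'MSE' 'MsMpSvc status' $(if ($mse) { $mse.Status } else { 'not installed' }) ($mse -ne $null -and $mse.Status -eq 'Running')

# EMET (optional in the post). Assumption: EMET 3.x/4.x keeps its settings under this key once installed.
$emet = Test-Path 'HKLM:\SOFTWARE\Microsoft\EMET'
Add-Check 'EMET' 'installed' $emet $emet

$checks | Select-Object Control, Setting, Value, OK | Format-Table -AutoSize
```

The table it prints is a posture snapshot, not a verdict: SRP and AppLocker are alternatives, so one of the two rows showing OK=False is expected, and EMET is optional in the post, so its row is informational.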
#18  May 14th, 2012, 10:47 AM
tomazyk (Frequent Poster; Slovenia; Joined Dec 2006; Posts: 601)

Quote:
Originally Posted by skudo12
Your choice if you want to abandon them. But with Windows alone, you can have a secure computer.
Anti-Virus - MSE
Firewall - Windows Firewall w/ Advanced Security
Drive Encryption - Bitlocker
Default-Deny - SRP or Applocker
Combine all with a Standard User Account and UAC and you're pretty much secure without 3rd party software. Oh, I almost forgot the built-in imaging of Windows 7. System Restore has also improved in Vista and 7. You can also add EMET if you want to.

It's not only security holes with 3rd party software; there is also stability.

Yes, I know the possibilities that Windows 7 has introduced. Those are great security tools but I still wouldn't trade the software that I use for them. I might use some of them when I move to 64 bit.

P.S.: I haven't had any stability issues with setup that I'm using.
__________________
ESET Nod32 AV • Sandboxie • EMET • OpenDNS
My security setup in detail
• Always remember you're unique, just like everyone else •

#19  May 14th, 2012, 12:34 PM
Cudni (Global Moderator; Somethingshire; Joined May 2009; Posts: 6,944)

User needs to let it run first. Nothing new. If it can execute without Comodo noticing that would be worrying.
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
#20  May 14th, 2012, 12:41 PM
funkydude (Incredibly Massive Poster; Joined Apr 2004; Posts: 6,015)

Quote:
Originally Posted by blacknight
Disagree. Many security products are much more reliable and trustworthy than MS, and it is much easier to find security holes and vulnerabilities in it.

Wow you brought up so many valid counter points I completely changed my mind!

Quote:
Originally Posted by tomazyk
BTW, most security holes that I read about are introduced by OS itself, MS software.

That's factually incorrect; since the days of Vista, 7, and now taking it further with 8, MS have hardened their software a LOT. More exploits are found in 3rd party software.

Quote:
Originally Posted by tomazyk
or other 3rd party non security related software

Oh really?
Kaspersky: https://secunia.com/advisories/product/26220/
ESET: https://secunia.com/advisories/product/29913/
Avira: https://secunia.com/advisories/product/14194/
Symantec: https://secunia.com/advisories/product/18161/
McAfee: https://secunia.com/advisories/product/5273/

Now, I'm not saying these are a lot of exploits (although if you combine each company's products together they are a lot) but it just goes to show that the software "protecting" you can just as easily do the complete opposite.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#21  May 14th, 2012, 12:48 PM
RejZoR (Polymorphic Sheep; Europe/Slovenia/Ljubljana; Joined May 2004; Posts: 5,379)

Quote:
Originally Posted by blacknight
Thanks. Good reason not to use 64 bit.

Since all my systems have 4+ GB of RAM I'm simply forced to use a 64bit OS...
__________________
RejZoR's Little Secrets
#22  May 14th, 2012, 01:26 PM
tomazyk (Frequent Poster; Slovenia; Joined Dec 2006; Posts: 601)

Quote:
Originally Posted by funkydude
Now, I'm not saying these are a lot of exploits (although if you combine each company's products together they are a lot) but it just goes to show that the software "protecting" you can just as easily do the complete opposite.

Yes, the number of exploits is small compared to the number of holes in Flash, Java, Office, IE ... Also, exploits in other 3rd party software are probably more targeted than exploits in security apps.

So, I still think that using security software is in most cases better than using none. The probability of getting hacked through a hole in, let's say, an AV is much smaller than the probability of a situation where the same AV will save you from some kind of malware.
__________________
ESET Nod32 AV • Sandboxie • EMET • OpenDNS
My security setup in detail
• Always remember you're unique, just like everyone else •

#23  May 14th, 2012, 02:07 PM
funkydude (Incredibly Massive Poster; Joined Apr 2004; Posts: 6,015)

Quote:
Originally Posted by tomazyk
So, I still think that using security software is in most cases better than using none.

I wasn't recommending using no security software, I was trying to say the idea of not upgrading to the better version of an OS whilst using security software as the sole reason for avoiding it is silly.

They may have reduced security software functionality in 64bit, but that is replaced by the improved protection mechanisms the OS itself brings, such as superior ASLR.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#24  May 16th, 2012, 01:07 PM
blacknight (Very Frequent Poster; Europe; Joined Sep 2007; Posts: 1,625)

http://forums.comodo.com/news-announ...t84281.15.html
__________________
We are such stuff
As dreams are made on.
#25  May 16th, 2012, 10:01 PM
adrenaline7 (Regular Poster; Joined Apr 2011; Posts: 128)

Quote:
Originally Posted by skudo12
Your choice if you want to abandon them. But with Windows alone, you can have a secure computer.
Anti-Virus - MSE
Firewall - Windows Firewall w/ Advanced Security
Drive Encryption - Bitlocker
Default-Deny - SRP or Applocker
Combine all with a Standard User Account and UAC and you're pretty much secure without 3rd party software. Oh, I almost forgot the built-in imaging of Windows 7. System Restore has also improved in Vista and 7. You can also add EMET if you want to.

It's not only security holes with 3rd party software; there is also stability.

You just described my setup.

Since this is an issue of not having access to the kernel, these issues would apply also to Online Armor, Defense Wall and Private Firewall?