0-Days Not As Big of a Threat as You Think

Discussion in 'other security issues & news' started by dw426, Oct 13, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Do HIPS often intercept those particular calls?

    I mean, like I said, it's possible for a particularly noisy HIPS to stop it, but there are a lot of factors that make it a bit unreliable.
     
  2. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    In terms of firewall outbound protections, some won't. Some can. But for those without, an attack would not gain a foothold in the first place. Or one can combine with a firewall having HIPS capability/application control for the outbound protection for those without. The user can then fine-tune his ruleset or policy sandbox for a lockdown protection. With those HIPS with outbound firewall capability, or a standalone firewall with HIPS, a user, for example, can block the phoning home of svchost.exe or explorer.exe or service.exe or any other core system process compromised by the shellcode, or block it from using other trusted processes. That's why HIPS/firewalls have those kernel hooks to block such low-level calls. It is possible for a determined attacker to have a shellcode disable those hooks. Certain HIPS have self-protections to resist such attacks or a way of knowing their kernel hooks have been disabled.
     

    Last edited: Dec 10, 2011
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I wouldn't think they would; it's such common behavior. I guess some might, or maybe a paranoid mode.

    Still, I wouldn't rely on a HIPS. Though I guess that's all there is to rely on - preventative measures.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Perhaps this will give you an idea of what HIPS can intercept. This is an RKU report taken from an XP unit in 2007, protected by the free version of SSM (2.0.8.583).
    Code:
    > SSDT State
    NtAccessCheck
    Actual Address 0xF86357AA
    Hooked by: safemon.sys
    NtAccessCheckAndAuditAlarm
    Actual Address 0xF86357B4
    Hooked by: safemon.sys
    NtAccessCheckByType
    Actual Address 0xF86357BE
    Hooked by: safemon.sys
    NtAccessCheckByTypeAndAuditAlarm
    Actual Address 0xF86357C8
    Hooked by: safemon.sys
    NtAccessCheckByTypeResultList
    Actual Address 0xF86357D2
    Hooked by: safemon.sys
    NtAccessCheckByTypeResultListAndAuditAlarm
    Actual Address 0xF86357DC
    Hooked by: safemon.sys
    NtAccessCheckByTypeResultListAndAuditAlarmByHandle
    Actual Address 0xF86357E6
    Hooked by: safemon.sys
    NtAddBootEntry
    Actual Address 0xF86357FA
    Hooked by: safemon.sys
    NtAdjustGroupsToken
    Actual Address 0xF8635804
    Hooked by: safemon.sys
    NtAdjustPrivilegesToken
    Actual Address 0xF863580E
    Hooked by: safemon.sys
    NtAlertResumeThread
    Actual Address 0xF8635818
    Hooked by: safemon.sys
    NtAlertThread
    Actual Address 0xF8635822
    Hooked by: safemon.sys
    NtAllocateLocallyUniqueId
    Actual Address 0xF863582C
    Hooked by: safemon.sys
    NtAllocateUserPhysicalPages
    Actual Address 0xF8635836
    Hooked by: safemon.sys
    NtAllocateUuids
    Actual Address 0xF8635840
    Hooked by: safemon.sys
    NtAllocateVirtualMemory
    Actual Address 0xF863584A
    Hooked by: safemon.sys
    NtAreMappedFilesTheSame
    Actual Address 0xF8635854
    Hooked by: safemon.sys
    NtAssignProcessToJobObject
    Actual Address 0xF863585E
    Hooked by: safemon.sys
    NtCallbackReturn
    Actual Address 0xF8635868
    Hooked by: safemon.sys
    NtCancelDeviceWakeupRequest
    Actual Address 0xF8635872
    Hooked by: safemon.sys
    NtCancelIoFile
    Actual Address 0xF863587C
    Hooked by: safemon.sys
    NtCancelTimer
    Actual Address 0xF8635886
    Hooked by: safemon.sys
    NtClearEvent
    Actual Address 0xF8635890
    Hooked by: safemon.sys
    NtClose
    Actual Address 0xF2CFDD1E
    Hooked by: C:\WINDOWS\system32\Drivers\fwdrv.sys
    NtCloseObjectAuditAlarm
    Actual Address 0xF86358A4
    Hooked by: safemon.sys
    NtCompactKeys
    Actual Address 0xF86358AE
    Hooked by: safemon.sys
    NtCompareTokens
    Actual Address 0xF86358B8
    Hooked by: safemon.sys
    NtCompleteConnectPort
    Actual Address 0xF86358C2
    Hooked by: safemon.sys
    NtCompressKey
    Actual Address 0xF86358CC
    Hooked by: safemon.sys
    NtConnectPort
    Actual Address 0xF86358D6
    Hooked by: safemon.sys
    NtContinue
    Actual Address 0xF86358E0
    Hooked by: safemon.sys
    NtCreateDebugObject
    Actual Address 0xF86358EA
    Hooked by: safemon.sys
    NtCreateDirectoryObject
    Actual Address 0xF86358F4
    Hooked by: safemon.sys
    NtCreateEvent
    Actual Address 0xF86358FE
    Hooked by: safemon.sys
    NtCreateEventPair
    Actual Address 0xF8635908
    Hooked by: safemon.sys
    NtCreateFile
    Actual Address 0xF2CFD62B
    Hooked by: C:\WINDOWS\system32\Drivers\fwdrv.sys
    NtCreateIoCompletion
    Actual Address 0xF863591C
    Hooked by: safemon.sys
    NtCreateJobObject
    Actual Address 0xF8635926
    Hooked by: safemon.sys
    NtCreateJobSet
    Actual Address 0xF8635930
    Hooked by: safemon.sys
    NtCreateKey
    Actual Address 0xF863593A
    Hooked by: safemon.sys
    NtCreateMailslotFile
    Actual Address 0xF8635944
    Hooked by: safemon.sys
    NtCreateMutant
    Actual Address 0xF863594E
    Hooked by: safemon.sys
    NtCreateNamedPipeFile
    Actual Address 0xF8635958
    Hooked by: safemon.sys
    NtCreatePagingFile
    Actual Address 0xF8635962
    Hooked by: safemon.sys
    NtCreatePort
    Actual Address 0xF863596C
    Hooked by: safemon.sys
    NtCreateProcess
    Actual Address 0xF2CFDC92
    Hooked by: C:\WINDOWS\system32\Drivers\fwdrv.sys
    NtCreateProcessEx
    Actual Address 0xF2CFDC17
    Hooked by: C:\WINDOWS\system32\Drivers\fwdrv.sys
    NtCreateProfile
    Actual Address 0xF863598A
    Hooked by: safemon.sys
    NtCreateSection
    Actual Address 0xF2CFD713
    Hooked by: C:\WINDOWS\system32\Drivers\fwdrv.sys
    NtCreateSemaphore
    Actual Address 0xF863599E
    Hooked by: safemon.sys
    NtCreateSymbolicLinkObject
    Actual Address 0xF86359A8
    Hooked by: safemon.sys
    NtCreateThread
    Actual Address 0xF86359B2
    Hooked by: safemon.sys
    NtCreateTimer
    Actual Address 0xF86359BC
    Hooked by: safemon.sys
    NtCreateToken
    Actual Address 0xF86359C6
    Hooked by: safemon.sys
    NtCreateWaitablePort
    Actual Address 0xF86359D0
    Hooked by: safemon.sys
    NtDebugActiveProcess
    Actual Address 0xF86359DA
    Hooked by: safemon.sys
    NtDebugContinue
    Actual Address 0xF86359E4
    Hooked by: safemon.sys
    NtDelayExecution
    Actual Address 0xF86359EE
    Hooked by: safemon.sys
    NtDeleteAtom
    Actual Address 0xF86359F8
    Hooked by: safemon.sys
    NtDeleteBootEntry
    Actual Address 0xF8635A02
    Hooked by: safemon.sys
    NtDeleteFile
    Actual Address 0xF8635A0C
    Hooked by: safemon.sys
    NtDeleteKey
    Actual Address 0xF8635A16
    Hooked by: safemon.sys
    NtDeleteObjectAuditAlarm
    Actual Address 0xF8635A20
    Hooked by: safemon.sys
    NtDeleteValueKey
    Actual Address 0xF8635A2A
    Hooked by: safemon.sys
    NtDisplayString
    Actual Address 0xF8635A3E
    Hooked by: safemon.sys
    NtDuplicateObject
    Actual Address 0xF8635A48
    Hooked by: safemon.sys
    NtDuplicateToken
    Actual Address 0xF8635A52
    Hooked by: safemon.sys
    NtEnumerateBootEntries
    Actual Address 0xF8635A5C
    Hooked by: safemon.sys
    NtEnumerateKey
    Actual Address 0xF8635A66
    Hooked by: safemon.sys
    NtEnumerateSystemEnvironmentValuesEx
    Actual Address 0xF8635A70
    Hooked by: safemon.sys
    NtEnumerateValueKey
    Actual Address 0xF8635A7A
    Hooked by: safemon.sys
    NtExtendSection
    Actual Address 0xF8635A84
    Hooked by: safemon.sys
    NtFilterToken
    Actual Address 0xF8635A8E
    Hooked by: safemon.sys
    NtFindAtom
    Actual Address 0xF8635A98
    Hooked by: safemon.sys
    NtFlushBuffersFile
    Actual Address 0xF8635AA2
    Hooked by: safemon.sys
    NtFlushInstructionCache
    Actual Address 0xF8635AAC
    Hooked by: safemon.sys
    NtFlushKey
    Actual Address 0xF8635AB6
    Hooked by: safemon.sys
    NtFlushVirtualMemory
    Actual Address 0xF8635AC0
    Hooked by: safemon.sys
    NtFlushWriteBuffer
    Actual Address 0xF8635ACA
    Hooked by: safemon.sys
    NtFreeUserPhysicalPages
    Actual Address 0xF8635AD4
    Hooked by: safemon.sys
    NtFreeVirtualMemory
    Actual Address 0xF8635ADE
    Hooked by: safemon.sys
    NtFsControlFile
    Actual Address 0xF8635AE8
    Hooked by: safemon.sys
    NtGetContextThread
    Actual Address 0xF8635AF2
    Hooked by: safemon.sys
    NtGetDevicePowerState
    Actual Address 0xF8635AFC
    Hooked by: safemon.sys
    NtGetPlugPlayEvent
    Actual Address 0xF8635B06
    Hooked by: safemon.sys
    NtGetWriteWatch
    Actual Address 0xF8635B10
    Hooked by: safemon.sys
    NtImpersonateAnonymousToken
    Actual Address 0xF8635B1A
    Hooked by: safemon.sys
    NtImpersonateClientOfPort
    Actual Address 0xF8635B24
    Hooked by: safemon.sys
    NtImpersonateThread
    Actual Address 0xF8635B2E
    Hooked by: safemon.sys
    NtInitializeRegistry
    Actual Address 0xF8635B38
    Hooked by: safemon.sys
    NtInitiatePowerAction
    Actual Address 0xF8635B42
    Hooked by: safemon.sys
    NtIsProcessInJob
    Actual Address 0xF8635B4C
    Hooked by: safemon.sys
    NtIsSystemResumeAutomatic
    Actual Address 0xF8635B56
    Hooked by: safemon.sys
    NtListenPort
    Actual Address 0xF8635B60
    Hooked by: safemon.sys
    NtLoadDriver
    Actual Address 0xF8635B6A
    Hooked by: safemon.sys
    NtLoadKey
    Actual Address 0xF8635B74
    Hooked by: safemon.sys
    NtLoadKey2
    Actual Address 0xF8635B7E
    Hooked by: safemon.sys
    NtLockFile
    Actual Address 0xF8635B88
    Hooked by: safemon.sys
    NtLockProductActivationKeys
    Actual Address 0xF8635B92
    Hooked by: safemon.sys
    NtLockRegistryKey
    Actual Address 0xF8635B9C
    Hooked by: safemon.sys
    NtLockVirtualMemory
    Actual Address 0xF8635BA6
    Hooked by: safemon.sys
    NtMakePermanentObject
    Actual Address 0xF8635BB0
    Hooked by: safemon.sys
    NtMakeTemporaryObject
    Actual Address 0xF8635BBA
    Hooked by: safemon.sys
    NtMapUserPhysicalPages
    Actual Address 0xF8635BC4
    Hooked by: safemon.sys
    NtMapUserPhysicalPagesScatter
    Actual Address 0xF8635BCE
    Hooked by: safemon.sys
    NtMapViewOfSection
    Actual Address 0xF8635BD8
    Hooked by: safemon.sys
    NtModifyBootEntry
    Actual Address 0xF8635BE2
    Hooked by: safemon.sys
    NtNotifyChangeDirectoryFile
    Actual Address 0xF8635BEC
    Hooked by: safemon.sys
    NtNotifyChangeKey
    Actual Address 0xF8635BF6
    Hooked by: safemon.sys
    NtNotifyChangeMultipleKeys
    Actual Address 0xF8635C00
    Hooked by: safemon.sys
    NtOpenDirectoryObject
    Actual Address 0xF8635C0A
    Hooked by: safemon.sys
    NtOpenEvent
    Actual Address 0xF8635C14
    Hooked by: safemon.sys
    NtOpenEventPair
    Actual Address 0xF8635C1E
    Hooked by: safemon.sys
    NtOpenFile
    Actual Address 0xF8635C28
    Hooked by: safemon.sys
    NtOpenIoCompletion
    Actual Address 0xF8635C32
    Hooked by: safemon.sys
    NtOpenJobObject
    Actual Address 0xF8635C3C
    Hooked by: safemon.sys
    NtOpenKey
    Actual Address 0xF8635C46
    Hooked by: safemon.sys
    NtOpenMutant
    Actual Address 0xF8635C50
    Hooked by: safemon.sys
    NtOpenObjectAuditAlarm
    Actual Address 0xF8635C5A
    Hooked by: safemon.sys
    NtOpenProcess
    Actual Address 0xF8635C64
    Hooked by: safemon.sys
    NtOpenProcessToken
    Actual Address 0xF8635C6E
    Hooked by: safemon.sys
    NtOpenProcessTokenEx
    Actual Address 0xF8635C78
    Hooked by: safemon.sys
    NtOpenSection
    Actual Address 0xF8635C82
    Hooked by: safemon.sys
    NtOpenSemaphore
    Actual Address 0xF8635C8C
    Hooked by: safemon.sys
    NtOpenSymbolicLinkObject
    Actual Address 0xF8635C96
    Hooked by: safemon.sys
    NtOpenThread
    Actual Address 0xF8635CA0
    Hooked by: safemon.sys
    NtOpenThreadToken
    Actual Address 0xF8635CAA
    Hooked by: safemon.sys
    NtOpenThreadTokenEx
    Actual Address 0xF8635CB4
    Hooked by: safemon.sys
    NtOpenTimer
    Actual Address 0xF8635CBE
    Hooked by: safemon.sys
    NtPlugPlayControl
    Actual Address 0xF8635CC8
    Hooked by: safemon.sys
    NtPowerInformation
    Actual Address 0xF8635CD2
    Hooked by: safemon.sys
    NtPrivilegeCheck
    Actual Address 0xF8635CDC
    Hooked by: safemon.sys
    NtPrivilegeObjectAuditAlarm
    Actual Address 0xF8635CE6
    Hooked by: safemon.sys
    NtPrivilegedServiceAuditAlarm
    Actual Address 0xF8635CF0
    Hooked by: safemon.sys
    NtProtectVirtualMemory
    Actual Address 0xF8635CFA
    Hooked by: safemon.sys
    NtPulseEvent
    Actual Address 0xF8635D04
    Hooked by: safemon.sys
    NtQueryAttributesFile
    Actual Address 0xF8635D0E
    Hooked by: safemon.sys
    NtQueryBootEntryOrder
    Actual Address 0xF8635D18
    Hooked by: safemon.sys
    NtQueryBootOptions
    Actual Address 0xF8635D22
    Hooked by: safemon.sys
    NtQueryDebugFilterState
    Actual Address 0xF8635D2C
    Hooked by: safemon.sys
    NtQueryDefaultLocale
    Actual Address 0xF8635D36
    Hooked by: safemon.sys
    NtQueryDefaultUILanguage
    Actual Address 0xF8635D40
    Hooked by: safemon.sys
    NtQueryDirectoryFile
    Actual Address 0xF8635D4A
    Hooked by: safemon.sys
    NtQueryDirectoryObject
    Actual Address 0xF8635D54
    Hooked by: safemon.sys
    NtQueryEaFile
    Actual Address 0xF8635D5E
    Hooked by: safemon.sys
    NtQueryEvent
    Actual Address 0xF8635D68
    Hooked by: safemon.sys
    NtQueryFullAttributesFile
    Actual Address 0xF8635D72
    Hooked by: safemon.sys
    NtQueryInformationAtom
    Actual Address 0xF8635D7C
    Hooked by: safemon.sys
    NtQueryInformationFile
    Actual Address 0xF8635D86
    Hooked by: safemon.sys
    NtQueryInformationJobObject
    Actual Address 0xF8635D90
    Hooked by: safemon.sys
    NtQueryInformationPort
    Actual Address 0xF8635D9A
    Hooked by: safemon.sys
    NtQueryInformationProcess
    Actual Address 0xF8635DA4
    Hooked by: safemon.sys
    NtQueryInformationThread
    Actual Address 0xF8635DAE
    Hooked by: safemon.sys
    NtQueryInformationToken
    Actual Address 0xF8635DB8
    Hooked by: safemon.sys
    NtQueryInstallUILanguage
    Actual Address 0xF8635DC2
    Hooked by: safemon.sys
    NtQueryIntervalProfile
    Actual Address 0xF8635DCC
    Hooked by: safemon.sys
    NtQueryIoCompletion
    Actual Address 0xF8635DD6
    Hooked by: safemon.sys
    NtQueryKey
    Actual Address 0xF8635DE0
    Hooked by: safemon.sys
    NtQueryMultipleValueKey
    Actual Address 0xF8635DEA
    Hooked by: safemon.sys
    NtQueryMutant
    Actual Address 0xF8635DF4
    Hooked by: safemon.sys
    NtQueryObject
    Actual Address 0xF8635DFE
    Hooked by: safemon.sys
    NtQueryOpenSubKeys
    Actual Address 0xF8635E08
    Hooked by: safemon.sys
    NtQueryPerformanceCounter
    Actual Address 0xF8635E12
    Hooked by: safemon.sys
    NtQueryQuotaInformationFile
    Actual Address 0xF8635E1C
    Hooked by: safemon.sys
    NtQuerySection
    Actual Address 0xF8635E26
    Hooked by: safemon.sys
    NtQuerySecurityObject
    Actual Address 0xF8635E30
    Hooked by: safemon.sys
    NtQuerySemaphore
    Actual Address 0xF8635E3A
    Hooked by: safemon.sys
    NtQuerySymbolicLinkObject
    Actual Address 0xF8635E44
    Hooked by: safemon.sys
    NtQuerySystemEnvironmentValue
    Actual Address 0xF8635E4E
    Hooked by: safemon.sys
    NtQuerySystemEnvironmentValueEx
    Actual Address 0xF8635E58
    Hooked by: safemon.sys
    NtQuerySystemInformation
    Actual Address 0xF8635E62
    Hooked by: safemon.sys
    NtQuerySystemTime
    Actual Address 0xF8635E6C
    Hooked by: safemon.sys
    NtQueryTimer
    Actual Address 0xF8635E76
    Hooked by: safemon.sys
    NtQueryTimerResolution
    Actual Address 0xF8635E80
    Hooked by: safemon.sys
    NtQueryValueKey
    Actual Address 0xF8635E8A
    Hooked by: safemon.sys
    NtQueryVirtualMemory
    Actual Address 0xF8635E94
    Hooked by: safemon.sys
    NtQueryVolumeInformationFile
    Actual Address 0xF8635E9E
    Hooked by: safemon.sys
    NtQueueApcThread
    Actual Address 0xF8635EA8
    Hooked by: safemon.sys
    NtRaiseException
    Actual Address 0xF8635EB2
    Hooked by: safemon.sys
    NtRaiseHardError
    Actual Address 0xF8635EBC
    Hooked by: safemon.sys
    NtReadFile
    Actual Address 0xF8635EC6
    Hooked by: safemon.sys
    NtReadFileScatter
    Actual Address 0xF8635ED0
    Hooked by: safemon.sys
    NtReadRequestData
    Actual Address 0xF8635EDA
    Hooked by: safemon.sys
    NtReadVirtualMemory
    Actual Address 0xF8635EE4
    Hooked by: safemon.sys
    NtRegisterThreadTerminatePort
    Actual Address 0xF8635EEE
    Hooked by: safemon.sys
    NtReleaseMutant
    Actual Address 0xF8635EF8
    Hooked by: safemon.sys
    NtReleaseSemaphore
    Actual Address 0xF8635F02
    Hooked by: safemon.sys
    NtRemoveIoCompletion
    Actual Address 0xF8635F0C
    Hooked by: safemon.sys
    NtRemoveProcessDebug
    Actual Address 0xF8635F16
    Hooked by: safemon.sys
    NtRenameKey
    Actual Address 0xF8635F20
    Hooked by: safemon.sys
    NtReplaceKey
    Actual Address 0xF8635F2A
    Hooked by: safemon.sys
    NtReplyPort
    Actual Address 0xF8635F34
    Hooked by: safemon.sys
    NtReplyWaitReceivePort
    Actual Address 0xF8635F3E
    Hooked by: safemon.sys
    NtReplyWaitReceivePortEx
    Actual Address 0xF8635F48
    Hooked by: safemon.sys
    NtReplyWaitReplyPort
    Actual Address 0xF8635F52
    Hooked by: safemon.sys
    NtRequestDeviceWakeup
    Actual Address 0xF8635F5C
    Hooked by: safemon.sys
    NtRequestPort
    Actual Address 0xF8635F66
    Hooked by: safemon.sys
    NtRequestWaitReplyPort
    Actual Address 0xF8635F70
    Hooked by: safemon.sys
    NtRequestWakeupLatency
    Actual Address 0xF8635F7A
    Hooked by: safemon.sys
    NtResetEvent
    Actual Address 0xF8635F84
    Hooked by: safemon.sys
    NtResetWriteWatch
    Actual Address 0xF8635F8E
    Hooked by: safemon.sys
    NtRestoreKey
    Actual Address 0xF8635F98
    Hooked by: safemon.sys
    NtResumeProcess
    Actual Address 0xF8635FA2
    Hooked by: safemon.sys
    NtResumeThread
    Actual Address 0xF8635FAC
    Hooked by: safemon.sys
    NtSaveKey
    Actual Address 0xF8635FB6
    Hooked by: safemon.sys
    NtSaveKeyEx
    Actual Address 0xF8635FC0
    Hooked by: safemon.sys
    NtSaveMergedKeys
    Actual Address 0xF8635FCA
    Hooked by: safemon.sys
    NtSecureConnectPort
    Actual Address 0xF8635FD4
    Hooked by: safemon.sys
    NtSetBootEntryOrder
    Actual Address 0xF8635FDE
    Hooked by: safemon.sys
    NtSetBootOptions
    Actual Address 0xF8635FE8
    Hooked by: safemon.sys
    NtSetContextThread
    Actual Address 0xF8635FF2
    Hooked by: safemon.sys
    NtSetDebugFilterState
    Actual Address 0xF8635FFC
    Hooked by: safemon.sys
    NtSetDefaultHardErrorPort
    Actual Address 0xF8636006
    Hooked by: safemon.sys
    NtSetDefaultLocale
    Actual Address 0xF8636010
    Hooked by: safemon.sys
    NtSetDefaultUILanguage
    Actual Address 0xF863601A
    Hooked by: safemon.sys
    NtSetEaFile
    Actual Address 0xF8636024
    Hooked by: safemon.sys
    NtSetEvent
    Actual Address 0xF863602E
    Hooked by: safemon.sys
    NtSetEventBoostPriority
    Actual Address 0xF8636038
    Hooked by: safemon.sys
    NtSetHighEventPair
    Actual Address 0xF8636042
    Hooked by: safemon.sys
    NtSetHighWaitLowEventPair
    Actual Address 0xF863604C
    Hooked by: safemon.sys
    NtSetInformationDebugObject
    Actual Address 0xF8636056
    Hooked by: safemon.sys
    NtSetInformationFile
    Actual Address 0xF8636060
    Hooked by: safemon.sys
    NtSetInformationJobObject
    Actual Address 0xF863606A
    Hooked by: safemon.sys
    NtSetInformationKey
    Actual Address 0xF8636074
    Hooked by: safemon.sys
    NtSetInformationObject
    Actual Address 0xF863607E
    Hooked by: safemon.sys
    NtSetInformationProcess
    Actual Address 0xF8636088
    Hooked by: safemon.sys
    NtSetInformationThread
    Actual Address 0xF8636092
    Hooked by: safemon.sys
    NtSetInformationToken
    Actual Address 0xF863609C
    Hooked by: safemon.sys
    NtSetIntervalProfile
    Actual Address 0xF86360A6
    Hooked by: safemon.sys
    NtSetIoCompletion
    Actual Address 0xF86360B0
    Hooked by: safemon.sys
    NtSetLdtEntries
    Actual Address 0xF86360BA
    Hooked by: safemon.sys
    NtSetLowEventPair
    Actual Address 0xF86360C4
    Hooked by: safemon.sys
    NtSetLowWaitHighEventPair
    Actual Address 0xF86360CE
    Hooked by: safemon.sys
    NtSetQuotaInformationFile
    Actual Address 0xF86360D8
    Hooked by: safemon.sys
    NtSetSecurityObject
    Actual Address 0xF86360E2
    Hooked by: safemon.sys
    NtSetSystemEnvironmentValue
    Actual Address 0xF86360EC
    Hooked by: safemon.sys
    NtSetSystemEnvironmentValueEx
    Actual Address 0xF86360F6
    Hooked by: safemon.sys
    NtSetSystemInformation
    Actual Address 0xF8636100
    Hooked by: safemon.sys
    NtSetSystemPowerState
    Actual Address 0xF863610A
    Hooked by: safemon.sys
    NtSetSystemTime
    Actual Address 0xF8636114
    Hooked by: safemon.sys
    NtSetThreadExecutionState
    Actual Address 0xF863611E
    Hooked by: safemon.sys
    NtSetTimer
    Actual Address 0xF8636128
    Hooked by: safemon.sys
    NtSetTimerResolution
    Actual Address 0xF8636132
    Hooked by: safemon.sys
    NtSetUuidSeed
    Actual Address 0xF863613C
    Hooked by: safemon.sys
    NtSetValueKey
    Actual Address 0xF8636146
    Hooked by: safemon.sys
    NtSetVolumeInformationFile
    Actual Address 0xF8636150
    Hooked by: safemon.sys
    NtShutdownSystem
    Actual Address 0xF863615A
    Hooked by: safemon.sys
    NtSignalAndWaitForSingleObject
    Actual Address 0xF8636164
    Hooked by: safemon.sys
    NtStartProfile
    Actual Address 0xF863616E
    Hooked by: safemon.sys
    NtStopProfile
    Actual Address 0xF8636178
    Hooked by: safemon.sys
    NtSuspendProcess
    Actual Address 0xF8636182
    Hooked by: safemon.sys
    NtSuspendThread
    Actual Address 0xF863618C
    Hooked by: safemon.sys
    NtSystemDebugControl
    Actual Address 0xF8636196
    Hooked by: safemon.sys
    NtTerminateJobObject
    Actual Address 0xF86361A0
    Hooked by: safemon.sys
    NtTerminateProcess
    Actual Address 0xF86361AA
    Hooked by: safemon.sys
    NtTerminateThread
    Actual Address 0xF86361B4
    Hooked by: safemon.sys
    NtTestAlert
    Actual Address 0xF86361BE
    Hooked by: safemon.sys
    NtTraceEvent
    Actual Address 0xF86361C8
    Hooked by: safemon.sys
    NtTranslateFilePath
    Actual Address 0xF86361D2
    Hooked by: safemon.sys
    NtUnloadDriver
    Actual Address 0xF86361DC
    Hooked by: safemon.sys
    NtUnloadKey
    Actual Address 0xF86361E6
    Hooked by: safemon.sys
    NtUnloadKeyEx
    Actual Address 0xF86361F0
    Hooked by: safemon.sys
    NtUnlockFile
    Actual Address 0xF86361FA
    Hooked by: safemon.sys
    NtUnlockVirtualMemory
    Actual Address 0xF8636204
    Hooked by: safemon.sys
    NtUnmapViewOfSection
    Actual Address 0xF863620E
    Hooked by: safemon.sys
    NtVdmControl
    Actual Address 0xF8636218
    Hooked by: safemon.sys
    NtWaitForDebugEvent
    Actual Address 0xF8636222
    Hooked by: safemon.sys
    NtWaitForMultipleObjects
    Actual Address 0xF863622C
    Hooked by: safemon.sys
    NtWaitForSingleObject
    Actual Address 0xF8636236
    Hooked by: safemon.sys
    NtWaitHighEventPair
    Actual Address 0xF8636240
    Hooked by: safemon.sys
    NtWaitLowEventPair
    Actual Address 0xF863624A
    Hooked by: safemon.sys
    NtWriteFile
    Actual Address 0xF8636254
    Hooked by: safemon.sys
    NtWriteFileGather
    Actual Address 0xF863625E
    Hooked by: safemon.sys
    NtWriteRequestData
    Actual Address 0xF8636268
    Hooked by: safemon.sys
    NtWriteVirtualMemory
    Actual Address 0xF8636272
    Hooked by: safemon.sys
    NtYieldExecution
    Actual Address 0xF863627C
    Hooked by: safemon.sys
    NtCreateKeyedEvent
    Actual Address 0xF8636286
    Hooked by: safemon.sys
    NtOpenKeyedEvent
    Actual Address 0xF8636290
    Hooked by: safemon.sys
    NtReleaseKeyedEvent
    Actual Address 0xF863629A
    Hooked by: safemon.sys
    NtWaitForKeyedEvent
    Actual Address 0xF86362A4
    Hooked by: safemon.sys
    NtQueryPortInformationProcess
    Actual Address 0xF86362AE
    Hooked by: safemon.sys
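
Added here as an example (not code from the post, from RKU or from SSM): a parser for the report layout shown above that groups hooked services by the driver owning the hook, flags hooks by a driver that is not one of the installed security products, and reports whether the memory and process services shellcode relies on are covered. The excerpt in the block is constructed in RKU's layout; its `unknown.sys` entry and the expected-driver set are assumptions standing in for a real machine's inventory.

```python
"""Parse the '> SSDT State' section of a Rootkit Unhooker (RKU) report and
summarise which driver has hooked which Nt* system service.

Added example, not code from the post, from RKU or from SSM. The entry layout
(function name, 'Actual Address', 'Hooked by:') follows the report above; the
excerpt below is constructed in that layout, and its last SSDT entry (a hook
by 'unknown.sys') is invented to exercise the unexpected-driver check.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
> SSDT State
NtAllocateVirtualMemory
Actual Address 0xF863584A
Hooked by: safemon.sys
NtClose
Actual Address 0xF2CFDD1E
Hooked by: C:\\WINDOWS\\system32\\Drivers\\fwdrv.sys
NtCreateProcessEx
Actual Address 0xF2CFDC17
Hooked by: C:\\WINDOWS\\system32\\Drivers\\fwdrv.sys
NtWriteVirtualMemory
Actual Address 0xF8636272
Hooked by: safemon.sys
NtLoadDriver
Actual Address 0xF8635B6A
Hooked by: C:\\WINDOWS\\system32\\Drivers\\unknown.sys
> Shadow SSDT State
NtUserSetWindowsHookEx
Actual Address 0xF8636300
Hooked by: safemon.sys
"""

# One SSDT entry: service name, its current (hooked) address, the hooking module.
ENTRY_RE = re.compile(
    r"^(?P<name>Nt\w+)\n"
    r"Actual Address (?P<addr>0x[0-9A-Fa-f]+)\n"
    r"Hooked by: (?P<driver>.+?)[ \t]*$",
    re.MULTILINE,
)

def ssdt_section(report):
    """Return the lines of the '> SSDT State' section only (the report carries
    further sections, each introduced by a '>' header)."""
    kept, inside = [], False
    for line in report.splitlines():
        if line.startswith(">"):
            inside = line.strip() == "> SSDT State"
            continue
        if inside:
            kept.append(line)
    return "\n".join(kept) + "\n"

def parse_ssdt_hooks(report):
    """Return [(service, address, driver basename)] for every hooked entry."""
    hooks = []
    for m in ENTRY_RE.finditer(ssdt_section(report)):
        # Some hooks are printed as a bare module name, others as a full path.
        driver = m.group("driver").replace("\\", "/").rsplit("/", 1)[-1].lower()
        hooks.append((m.group("name"), int(m.group("addr"), 16), driver))
    return hooks

def hooks_by_driver(hooks):
    """Group hooked services by the module that hooked them."""
    grouped = defaultdict(list)
    for name, _addr, driver in hooks:
        grouped[driver].append(name)
    return dict(grouped)

def unexpected_hooks(hooks, expected_drivers):
    """Hooks owned by a module that is not one of the installed security
    products' drivers: the first thing to look at when triaging a report."""
    return [(name, driver) for name, _addr, driver in hooks
            if driver not in expected_drivers]

# Services the thread is concerned with: the ones shellcode and injected code
# use to allocate, write and execute memory or to start processes and drivers.
SENSITIVE_SERVICES = (
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
    "NtCreateProcessEx", "NtCreateThread", "NtLoadDriver", "NtSetContextThread",
)

def sensitive_coverage(hooks, services=SENSITIVE_SERVICES):
    """Map each sensitive service to the driver hooking it, or None if unhooked."""
    owner = {name: driver for name, _addr, driver in hooks}
    return {svc: owner.get(svc) for svc in services}

if __name__ == "__main__":
    hooks = parse_ssdt_hooks(SAMPLE_REPORT)
    for driver, names in hooks_by_driver(hooks).items():
        print(f"{driver}: {len(names)} hooks -> {', '.join(names)}")
    print("unexpected:", unexpected_hooks(hooks, {"safemon.sys", "fwdrv.sys"}))
    print("coverage:", sensitive_coverage(hooks))
```

Feeding the full report from the post into `parse_ssdt_hooks` gives the per-driver split between safemon.sys and fwdrv.sys directly.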
    
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well they can intercept whatever they like. I'm just curious if many HIPS will monitor such common calls.

    I do see a lot of calls that would be helpful.
     
  6. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I see that you have ample free time, like the time you spent here in Wilders, for example, and since you are such a doubting Thomas, why not see for yourself and try any HIPS?

    On your test machines/VMs, with RKU (Rootkit Unhooker) or Rootkit Hook Analyzer, check those kernel hooks of any particular HIPS you are trying to investigate.

    While you're at it, check some shellcodes here... http://shell-storm.org/shellcode/shellcode-windows.php

    Choose an exploit for an unpatched vanilla Windows or a vulnerable application and do some local code execution. You can use HD Moore's Metasploit Framework with the Armitage interface to make it easier.

    See how HIPS or application firewalls fare against those exploits and their payloads.

    You can also try some non-chatty HIPS like Ilya's DefenseWall, which also has some network/firewall monitors. Or check GeSWall.

    Then you can code your ubershellcode and see how you can bypass HIPS/firewall, or see how HIPS/firewall block your shell.

    There are also firewall leaktests you can try.
     
    Last edited: Dec 7, 2011
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Who's doubting?

    If I'm not feeling lazy I'll test some out.
     
  8. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    A demonstration of how a HIPS (policy sandbox) can mitigate exploits, even zero-day kernel exploits (elevation of privilege), to protect in this case a server... http://www.gentlesecurity.com/protectnetwork.html


    It can block, for example, the payload of a shellcode, which is to spawn the command shell tunnelling via ftp.exe, if you perform this demo test.
     
    Last edited: Dec 10, 2011
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Thanks for the link.

    I can definitely see it working.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi,

    Can you explain these statements from your link:

    Also,

    • In these exploits, what is the payload that actually gains control of the server host? A script? A binary executable?

    • Any URLs in the wild with this type of scenario?

    thanks,


    ----
    rich
     
  11. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    For successful intrusions, an attacker or a malware requires some EXPLOITS, either REMOTE OR LOCAL, to gain LOCAL ACCESS, either on a vulnerability of a browser/plugins, on Windows services, PDF and Office applications, media players, or Windows core system files like the kernel win32k.sys for the most recent zero-day kernel exploit (TrueType font, Duqu) or win32k.sys/gdi32.dll-shimgvw.dll for the WMF vulnerability.

    A hacker needs to gain a command shell in order to GAIN some info for the succeeding attacks, upload/download some files, execute commands like starting a vulnerable service via sc.exe, or execute uploaded rootkits/trojans depending on the privileges gained. Or a hacker will use a simple shellcode to download and execute backdoors, rootkits or trojans. Having executables installed gives PERSISTENCE for succeeding attacks.

    An attacker then uses network sniffers or password crackers to gain a further foothold on a network, to steal confidential files, etc.


    Shellcode usually either spawns the command shell (native cmd.exe tunneling through ws2_32.dll, ftp.exe/tftp.exe or telnet.exe, etc.) or downloads the so-called PAYLOADs like the trojan executables (dll, exe) serving as the command shell server program, or the BACKDOOR which opens a listening port, for example.

    Browser exploits for the most part use scripts to spawn a shellcode. Shellcodes, on the other hand, are scripts coded in machine language.

    Here are shellcode examples that spawn a command shell...
    http://shell-storm.org/shellcode/files/shellcode-173.php
    http://shell-storm.org/shellcode/files/shellcode-484.php

    Some hackers used the downloaded trojan/RAT or PuTTY or netcat, which is far better than the native telnet.exe, as the command shell server program. In the past, hackers used IRC executables as trojans. If no executables (dll or exe) are dropped to return a command shell, native Windows executables are used, like the command shell (cmd.exe) tunneling through raw sockets and open listening ports or through ftp.exe/tftp.exe. Scripts are needed to automate such tasks in that demo test.

    Metasploit Framework's Meterpreter/VNC shell needs a meterpreter/VNC DLL payload (loaded from memory and not written to disk). This is very difficult to detect, as the DLL is not registered and as such can bypass AV or a default-configured HIPS or AE. But fortunately for us, it requires an initial remote or local code execution attack to gain local access.

    URL? I think you need your neighborhood friendly hacker to host a webpage for the demo. Befriend some whitehat pentesters like HD Moore, or some greyhats or even the blackhats.

    Or do some PENTESTING yourself on networked VMs.

    http://www.ericvb.com/archives/metasploit-hacking
    http://www.fastandeasyhacking.com/manual
     
    Last edited: Dec 12, 2011
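
Added here as an example (not code from the thread or from any HIPS product it names): a toy model of the application-control and outbound-control policy the posts above describe, applied to a constructed stream of process-creation and connection events. It tracks process lineage so that a shell or ftp.exe started several hops below a browser is still attributed to it, and it denies core system processes phoning home except on allowlisted ports; the event format, PIDs, addresses and policy sets are assumptions, while the process names are the ones the posts mention.

```python
"""Toy model of the application-control and outbound-control policy described
in the posts above: a HIPS that challenges command shells and file-transfer
tools started under a user-facing application, and blocks core system
processes from phoning home.

Added example, not code from the thread or from any HIPS named in it. The
event format, PIDs, addresses and the policy sets are constructed for
illustration; the process names are the ones the posts mention.
"""
from dataclasses import dataclass

# Tools shellcode reaches for to get a shell or move files (per the posts).
SHELL_OR_TRANSFER = {"cmd.exe", "ftp.exe", "tftp.exe", "telnet.exe"}
# Exploit-exposed applications: a shell descending from one of these is suspect.
USER_FACING = {"iexplore.exe", "firefox.exe", "acrord32.exe", "winword.exe"}
# Core processes that should not open outbound connections unless allowlisted.
NO_OUTBOUND = {"svchost.exe", "explorer.exe", "services.exe"}
# (image, remote port) pairs a core process is still permitted to use.
OUTBOUND_ALLOW = {("svchost.exe", 53), ("svchost.exe", 80), ("svchost.exe", 443)}

# Constructed event stream: process creations and outbound connection attempts.
SAMPLE_EVENTS = [
    "PROC pid=900 ppid=600 image=explorer.exe",
    "PROC pid=1200 ppid=900 image=iexplore.exe",
    "PROC pid=1300 ppid=1200 image=cmd.exe",          # shell under the browser
    "PROC pid=1310 ppid=1300 image=ftp.exe",          # ftp.exe via that shell
    "NET pid=1310 image=ftp.exe dst=198.51.100.7 port=21",
    "NET pid=880 image=svchost.exe dst=198.51.100.7 port=4444",
    "PROC pid=1400 ppid=900 image=cmd.exe",           # user-opened console
    "NET pid=1500 image=firefox.exe dst=203.0.113.9 port=443",
    "NET pid=880 image=svchost.exe dst=203.0.113.9 port=53",
]

@dataclass
class Verdict:
    event: str
    action: str  # "allow" or "deny"
    reason: str

def parse_event(line):
    """'KIND k=v k=v ...' -> (KIND, {k: v})."""
    kind, *fields = line.split()
    return kind, dict(f.split("=", 1) for f in fields)

class HipsPolicy:
    def __init__(self):
        self.tree = {}  # pid -> (image, ppid), built from PROC events

    def lineage(self, pid):
        """Yield image names from pid up through its recorded ancestors."""
        seen = set()
        while pid in self.tree and pid not in seen:
            seen.add(pid)
            image, pid = self.tree[pid]
            yield image

    def exposed_ancestor(self, pid):
        """First user-facing application in pid's lineage, else None."""
        return next((img for img in self.lineage(pid) if img in USER_FACING), None)

    def evaluate(self, line):
        kind, kv = parse_event(line)
        image, pid = kv["image"].lower(), int(kv["pid"])
        if kind == "PROC":
            ppid = int(kv["ppid"])
            self.tree[pid] = (image, ppid)
            origin = self.exposed_ancestor(ppid)
            if image in SHELL_OR_TRANSFER and origin:
                return Verdict(line, "deny", f"{image} spawned under {origin}")
            return Verdict(line, "allow", "process creation within policy")
        if kind == "NET":
            port = int(kv["port"])
            origin = self.exposed_ancestor(pid)
            if image in SHELL_OR_TRANSFER and origin:
                return Verdict(line, "deny", f"{image} under {origin} connecting out")
            if image in NO_OUTBOUND and (image, port) not in OUTBOUND_ALLOW:
                return Verdict(line, "deny", f"{image} not allowed out on port {port}")
            return Verdict(line, "allow", "connection within policy")
        raise ValueError(f"unknown event kind: {kind}")

def run_policy(lines):
    """Evaluate an event stream in order; returns one Verdict per event."""
    policy = HipsPolicy()
    return [policy.evaluate(line) for line in lines]

if __name__ == "__main__":
    for v in run_policy(SAMPLE_EVENTS):
        print(f"{v.action:5} {v.reason:45} <- {v.event}")
```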
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for the detailed reply.

    Well, I'll pass on that and wait to find one in the wild!

    regards,

    -rich
     