SSM: folders, scripts-to-memory payloads

Discussion in 'other software & services' started by act8192, Apr 17, 2014.

Thread Status:
Not open for further replies.
  1. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    SSM puzzle: Twice recently, a perfectly good rule which was in the Normal group, moved itself over to the Blocked group.
    I only remember the last instance - A few minutes ago I noticed that Opera is in the wrong group. Looking over the log, yesterday MediaMonkey wanted to start Opera and I blocked it. I've used Opera several times since with no issues even though it sat in the wrong place. (I just moved it and made explorer the parent, of course).
    noone_particular, Have you ever seen such a thing happen?

    Me too. I wish there was something like SSM for Win7.
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    When you were prompted regarding MediaMonkey wanting to launch Opera, did you select make permanent rule, then click deny? If so, that moved Opera to the blocked category. SSM pro doesn't have the option to set parent-child permissions from the prompts. On the free version, that option was on the drop down menu, IMO a much better and more intuitive arrangement. On the pro version, parent-child permissions are best set from the rules interface, advanced properties for either the parent or child process.
     
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Thank you so much! Yes, I most likely made a permanent block rule from prompt. Darn, that free vs paid confusion :( I keep forgetting to do things right.
    I doubt Opera ran when it was in the block group. I probably used SeaMonkey. Anything in that group is access denied.

    Re:RKU posts 19-20
    Any idea whether there's some option someplace to make it show multiple hooks/function? I haven't found it.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I have the same problem. I'm used to the free version. The pro version doesn't run on my host/primary system. The only time I use the pro version is on virtual XP and 2K, which isn't that often. The prompts for the free version have an option that will open the application rule interface to the rule for the parent process, making it very easy to edit or customize the new rule. The pro version is more powerful, but IMO the interface and prompt designs were better before they changed them.

    Regarding RKU, if there is such an option I haven't found it. I don't know if there's another utility that does better without adding a lot of other bloat.
     
  5. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    In the pro version it confuses me. Perfect example: a few minutes ago I wanted to run Wireshark, which this last install of SSM hasn't seen.
    I allowed explorer to run it, then Wireshark to run dumpcap with some command stuff, then services loaded two drivers and finally dumpcap with another command.
    Parent-child rules were built properly and also the specific drivers allowed to load by services. And all that from prompt.
    So perhaps just denying works differently.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm assuming that you're running in the "block everything" mode. If I'm reading your post right, you were prompted about explorer running wireshark and about wireshark running dumpcap, but you weren't prompted about the drivers?

    Go to the advanced properties>drivers tab for each of the above executables and for the rule groups each are contained in. What is listed in the default action drop box at the bottom? It needs to say "ask user" for the rule group and "inherited (ask user)" for the individual executables.
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Not yet. Still too scared of that to use generally. For local stuff I'm under Green icon - it has to ask. I turn off UI when I go on the web, then "Block process creation" is in control.
    I was prompted for services installing npf.sys and nmnt.sys drivers. And they now have checks in services.
    It is "Ask user" for the Normal Group drivers, and it is "Inherited (Checked)" for both applications.

    We started this chapter because of MediaMonkey where SSM moved Opera to Block group 'cause I didn't allow and made permanent. It really looks to me like when Allow is used, parent-child are made. Your thoughts?
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That will depend on the default settings for the containing rule group. If its default parent-child setting is "ask", that will be the basis for the individual rules in that group. Later tonight, I'll fire up the virtual XP to make certain.
     
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    It's still the same way. Parent-child rules are being made when Allow.

    Changing the subject back to hooks:
    For about a month I've been running without avast. Just firewall and SSM. Yes, I do images.
    Long ago, in posts#13,18,19 we discussed hooks. I reported that Avast has 57/280 hooks when SSM was installed last, avast being active at that time.
    So before totally getting rid of AV, an experiment:
    I uninstalled Avast and SSM leaving just the firewall. Reinstalled SSM.
    Then I installed Avast, so SSM was first. The same 57/280 avast hooks came in. All the rest hooked by SSM. And things were stable.
    What the deep meaning of this is I'm not qualified to say, but I thought I'd tell you what I saw anyway.

    Edit: fixed counts.
     
    Last edited: Jun 13, 2014
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Regarding the hooks, I'm still suspecting that RKU is not displaying everything when there's more than one hook. There might be a way to find out. Look under "computer management", the device manager tab. On the view menu, you'll probably have to select "show hidden devices" in order to see it/them. The driver for SSM appears under non-plug and play drivers and loads at boot. The specific driver(s) for Avast, when do they load?
    Regarding parent-child on SSM pro, I got distracted with other things and forgot all about this. I won't be able to check until after this weekend. Sorry.
     
  11. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    I can't look at hidden devices since I did clean uninstallation of avast. Safemon.sys still there and the firewall stuff.
    But I have a few screen shots and some logs so this post is a summary from LoadOrder in sequence of appearance.
    And counts confirmed from RKU list.
    During boot phase:
    SSM comes in, then aswRvt.sys (revert?), then aswVmm.sys (VM monitor). No hooks set by avast here.
    During system:
    aswSP.sys (filter activity), sets 3 avast hooks
    (firewall driver SbFw.sys comes in here and sets 8 hooks)
    aswTDI.sys, aswRdr.sys around system PNP_TDI phase, set no avast hooks
    aswSnx.sys (filter virtualization) sets remaining 54 avast hooks

    215/280 belong to SSM, and an additional 4 belong to Windows. Total 284 functions in the RKU list. Done with accounting :)
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm curious if SSM is loading its driver earlier and hooks the API first as a result. One could probably find out by changing when the SSM driver loads, setting it to load after Avast, then seeing if RKU reports differently.
    These are for the driver of SSM free from a friend's XP-SP2 system, all I have access to ATM. How do the settings for the Avast driver (the one setting the hooks) compare?
    [Attachments: SSM driver.gif, SSM driver 2.gif]
     
  13. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    How can I tell when API actually gets hooked? that's well beyond my skills. I assumed it's when a driver loads.
    For your experiment, clearly, I have to install avast again. Let it do its updates, settle, and at some point run SSM from explorer (I don't know if it's possible to change boot order). Look at hidden devices, and also LoadOrder and RKU and make sense of new logs. Is this what you have in mind? I just need to be sure. This is interesting.
    (Installing avast is a bit of a pain because I have to be sooooo careful to not install Chrome. All blocking rules are in place in the firewall, still I have to watch'm like a hawk)
    Actually it's 2 avast drivers setting hooks.
    I can show hidden devices after I get avast back in, but that's alphabetical list here as well. IMO, it won't tell the sequence or anything about API.
    Reminders: XPpro-SP3, Sunbelt Fw not Kerio, SSM 2.4.266.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I thought you still had Avast installed. If you do, just take a look for its drivers in the device manager and check what their startup settings are. Instead of reinstalling or changing Avast, it might be much easier to change the setting for SSM's driver so it loads later. Then compare the old and new RKU reports. If loading the driver for SSM later in the process causes RKU to display more hooks for it and fewer for Avast, that would confirm that it's reading only the last hook in the chain.
     
  15. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    No, I don't have avast - I guess you missed it in post#36
    If the main goal of this exercise is to see if RKU reports last hook in the chain, then I have an idea. Firewall hooks 8 functions. I could delay SSM boot and compare which firewall hooks get dropped.
    But how do I delay it? Delay it to Automatic, since the firewall hooks during System time?
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This PC is SP2, is using SSM free 2.0.8.583, and Kerio 2.1.5. Kerio 2.1.5 appears to set 5 hooks.
    NtClose, NtCreateFile, NtCreateProcess, NtCreateProcessEx, NtCreateSection

    After setting SSM not to start automatically, I tried setting the SSM driver loading to system, demand, and disabled, then rebooted after each time. With the SSM driver loading later, RKU showed the 5 listed above as hooked by SSM. It said nothing about the hooks set by Kerio. I'm convinced that when there's more than one hook on a function, RKU only shows the last one set. I'd imagine that you'll see very similar results.
     
  17. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    My computer did not like this simple experiment at all. It's XP-SP3, SunbeltFw 4.7.4.0, SSM 2.4.0.622
    Summary of my adventures trying to do start type=Automatic and start type=System.
    - safemon.sys startup type MUST be = BOOT.
    - the checkmark inside the GUI for starting automatically or not is not relevant.
    - SSM dislikes not loading at boot and required reinstallation/repair due to missing its own driver safemon.sys.
    - So when I try to start it from Explorer I get "Driver not found, please reinstall SSM, Error 0" from SSM.
    - After repair and reboot I saw device gets yellow "?" and that Windows, with no interference from me reset the start type in hidden devices to Boot.
    - At one point starting SSM by Explorer failed due to missing driver, second reboot, missing still, and this reboot caused BSOD stop error 7E. Event log reported safemon didn't load.
    - Since all the repairing and fixing didn't work, I uninstalled and reinstalled SSM. All is well now. Wheeew!

    RKU is always the same: 15 firewall hooks, 4 ntoskrnl, rest all hooked by SSM when things are ok,
    or 15 firewall hooks, all the rest hooked by ntoskrnl when SSM fails, at which point LoadOrder shows no safemon.sys in Boot section, System section, Automatic section.
    So I can't answer a thing about RKU behavior, other than from how it behaved with avast, your conclusion makes most sense - shows the last hook.
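
    The experiments in the two posts above (changing when the SSM driver loads and watching which driver RKU credits with the hooks) come down to how hooks on one dispatch-table entry chain together. The following is an added user-mode simulation written for this page, not code from SSM, RKU or anyone in the thread: two hypothetical drivers ("hips.sys" standing in for safemon.sys, "fw.sys" standing in for the firewall or Avast driver) each hook the same slot in a one-entry table by saving the pointer they find and forwarding to it. A scanner that only resolves the pointer currently in the slot, which is the attribution behaviour the posters inferred for RKU, names the last installer; the earlier hook is still in the call chain but invisible to that scanner. Swapping the install order swaps the reported owner, which is what the Kerio/SSM test above showed.

```c
/*
 * Added illustration (not from the original thread): how two hooks on one
 * SSDT-style slot chain together, and why a scanner that only resolves the
 * pointer currently in the slot reports just the last hook installed.
 * Module names are made up; "hips.sys" stands in for safemon.sys and
 * "fw.sys" for the firewall/Avast driver discussed in the thread.
 */
#include <stdio.h>
#include <string.h>

typedef long (*svc_fn)(long arg);

/* One-entry dispatch table, playing the role of a single SSDT slot. */
static svc_fn table[1];

/* Original kernel service: returns its argument unchanged. */
static long original_service(long arg) { return arg; }

/* Each hooking "driver" saves the pointer it found and forwards to it,
 * the way a well-behaved SSDT hook does. The saved pointer lives in the
 * driver's private data, so nothing in the table itself points at it. */
static svc_fn hips_saved;
static svc_fn fw_saved;
static int hips_calls, fw_calls;

static long hips_hook(long arg) { hips_calls++; return hips_saved(arg); }
static long fw_hook(long arg)   { fw_calls++;   return fw_saved(arg); }

/* Scanner: attribute whatever is in the slot to the module owning that
 * address. It never sees hips_saved/fw_saved, only the outermost pointer. */
static const char *owner_of(svc_fn fn) {
    if (fn == original_service) return "ntoskrnl";
    if (fn == hips_hook)        return "hips.sys";
    if (fn == fw_hook)          return "fw.sys";
    return "unknown";
}

static void reset(void) {
    table[0] = original_service;
    hips_calls = fw_calls = 0;
}
static void install_hips(void) { hips_saved = table[0]; table[0] = hips_hook; }
static void install_fw(void)   { fw_saved   = table[0]; table[0] = fw_hook;   }

/* Install both hooks in the given order and return what the scanner reports. */
const char *report_after(int hips_first) {
    reset();
    if (hips_first) { install_hips(); install_fw(); }
    else            { install_fw();   install_hips(); }
    return owner_of(table[0]);
}

/* Make one call through the slot and count how many hooks it traversed.
 * Returns -1 if the chain is broken (the original service was not reached). */
int hooks_in_chain(int hips_first) {
    report_after(hips_first);
    if (table[0](42) != 42) return -1;
    return hips_calls + fw_calls;
}

int main(void) {
    /* HIPS driver at Boot start, firewall later: scanner credits the firewall. */
    printf("hips.sys loads first: scanner reports %s, call traverses %d hooks\n",
           report_after(1), hooks_in_chain(1));
    /* HIPS driver delayed (System/Demand start): scanner now credits hips.sys. */
    printf("hips.sys loads later: scanner reports %s, call traverses %d hooks\n",
           report_after(0), hooks_in_chain(0));
    return 0;
}
```

    In both orders the call still passes through two hooks and reaches the original service, so the hidden hook is fully functional; only the attribution changes. That is why moving safemon.sys from Boot start to a later start type made RKU credit SSM with the five functions the firewall had appeared to own.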
     