HitmanPro.ALERT Support and Discussion Thread

This is normal for the CTPs as there are no updates, don't worry about it.

 

CTP3 still crashes Cyberfox 31(32 bit AMD version) with LoadLibrary, even if I uncheck Load Library migitation. Win7x86, other sec software: EMET 5 TP3, WSA 8.0.4.123, Defensewall 3.24

Code:

Mitigation  ROP
PID  1200
Application  C:\Program Files\Cyberfox\Cyberfox.exe
Description  Cyberfox 31
Callee Type  LoadLibrary
Stack Trace
#  Address  Module  Location
-- -------- ------------------------ ----------------------------------------
1  375B1593 (anonymous; EMET.dll)  
2  0057005C (anonymous)  
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL
  0000  ADD  [EAX], AL

 

CPT3 isn't compatible with EMET5, i was having major problems with IE11 when i had EMET5 & CPT3 installed together, uninstalling EMET5 fixed it for me.

 

Indeed, as mentioned in the release notes: https://www.wilderssecurity.com/thre...discussion-thread.324841/page-87#post-2405362

 

I recently found out that EMET can very well block the VirtualProtect via CALL gadget test if Simulate execution flow is increased to a higher count say 25, forgive my ignorance but I didn't think blocking this test is possible without hardware support, is this known to you?

 

I think the SimExecFlow detection by EMET is not on the actual exploit but its tripping over an EMET-incompatible hooking engine. What other security tools are you running? Perhaps MBAE?

 

Ah, unchecking EAF in EMET fixed the Cyberfox crash. I thought Alert was only incompatible with 5.0 final release, not the TP's.

 

No other security software only EMET.

 

@ erikloman and markloman

About the "Hollow Process Blocker", is this a different technique compared to standard "code injection"? I think you explained the purpose of this module earlier in the thread, but I can not find it anymore.

http://blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html

 

In computer programming, code injection generally means that an attacker introduces its own code into a running legitimate application to alter the course of code execution, not intended by the software vendor. Typically, code injection also happens during an exploit attack, where only small parts of a running application is altered to gain control over the computer for arbitrary code execution.

Even though it seems similar, a hollow process involves code _unmapping_ of an application's process. The attacker starts a legitimate application but immediately after it was loaded in memory, the entire code of the legitimate process is unmapped and the attacker maps his malicious program in its place. After this, the legitimate process is now running a totally different program. In the Windows Task Manager the process is visible under the initially started application (process name) - with all the properties of the legitimate application - but the running contents are completely different. Not on disk, only in memory. So the legitimate process serves solely as a container to run hostile code. And to be able to do this the attacker already has a foothold on the computer.
This technique is often used by Remote Access Trojans (RAT) to hide itself for the user and many antivirus products.

Without using virus signatures, HitmanPro.Alert 3 will block any malware or attacks that rely on this technique. So Hollow Process is another layer of defense to stop attackers.
Our Exploit Test Tool can perform a hollow process attack, see paragraph 3.16 of the Exploit Test Tool Manual.

 

The Exploit Test Tool and Manual are included in the HitmanPro.Alert 3 CTP3 download: http://test.hitmanpro.com/hmpalert3ctp3.zip
If you have any questions, be sure to consult the Manual first. It offers a lot of details and other useful information.

 

No problems CTP3 and Firefox 32.0.1/Sandboxie beta 4.13.4 (W7 64 bits).

 

No problems on Windows 7 Ultimate with Chrome 37.0.2062.120 m (64-bit).

 

2) Yes, you get both programs for the cost of Hitman Pro. Whenever HMP.A encounters an exploit, it will ask the user to run Hitman Pro. You can also use Hitman Pro as an on-demand scanner as usual without going via HMP.A.

 

Yes,you can add other applications.For example,i have added 'ccleaner64.exe' to HMPA using 'Other Mitigations' Template

Run the application you want to protected by HMPA.

Then go to Exploit mitigations>Running applications>NOT PROTECTED

Click that application,choose the Template which applies to the application like Media Player for SMPlayer.

Click Restart that application.

Now the application would be protected by HMPA.

Spoiler: Screenshots

 

Now you can see CCleaner in PROTECTED APPS,added to Exploit mitigations

Spoiler: Screenshots

 

Any thoughts about which apps to add that are not automatically included?

 

Media Players, IMs.

 

Any internet facing apps like Browsers,Download Managers,Email-clients,etc

 

You are welcome.

 

OK thanks, so in fact it is a bit different compared to standard "code injection". I do know that a lot of legitimate tools inject code, so it's a bit tricky to protect (non-expert users) against this without breaking stuff. I will try to test if other HIPS can spot this attack.