HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Is HMPA 3 the same thing as HMPA 2.6.5 that I have?
     
  2. guest

    guest Guest

    First of all: afaik attackers like Elderwood have only bypassed DEP and ASLR and not all the other mitigations. (Okay, I read about shellcode that bypasses EMET's EAF being used in the wild recently.)

    Based on testing I performed a method exists which is able to bypass:
    - HMP.Alert 3 hardware assisted CFI
    - EMET Caller/SimExecFlow
    - MBAE caller check
     
    Last edited by a moderator: Dec 20, 2014
  3. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,171
    Location:
    Canada
    Done, when I rebooted my computer the second icon came back, still no border on IE before and after removing the mitigations. Does this mean IE is unprotected or just not showing that it is protected?
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
  5. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Is that method based on ROP? If not, it doesn't count as a bypass - can't judge a fish on its ability to climb trees. Care to share?
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    No border, no protection. I have no clue what is going on. The iexplore.exe (32-bit) is listed under Browsers at the Applications screen? Or is it listed under Office?
     
  7. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I have a Border on IE32, Chrome, and Dragon, but not on IE64 and Maxthon Browsers.
     
  8. guest

    guest Guest

    Yes, it uses quite a complex ROP chain. Currently I'm still improving the PoC code. I want to be absolutely sure that it's not an issue created by the combination Sandy Bridge - Win7, so I'll have some development left.
     
  9. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I turned off the Browser Border and everything else in V3 except for CryptoGuard.
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    At the moment I am not in the testing HMP.A mode... have stepped into one of my other snapshots. So many betas I am involved with. I hope you understand. :)
     
  11. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    @erikloman Will we be given the chance to disable the green border? It gets really annoying when you hover to the close and minimize buttons, while you accidentally touch the very top of the screen and it shows.

    Anyway, this current release is working flawlessly. Even the keystroke encryption problems I had are now gone since build 125. Well done.

    regards.
     
  12. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,171
    Location:
    Canada
    Browsers When I look under Running Applications it shows that iexplore.exe is protected, but no border or encryption showing. It does not show IE 32 bit is protected. And now IE is not shutting down properly.
     
    Last edited: Dec 21, 2014
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Interesting, make sure you test your PoC with HMPA on a physical non-VM machine with an Intel Core i3, i5 or i7 processor. Otherwise our control-flow integrity (CFI) module is crippled as it cannot program the processor; it then has to use stack data like EMET, which you (the attacker) control for the ROP chain. Anyway, happy hunting!
     
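    The post above contrasts two ways of answering "was this function reached by a real CALL?": hardware-assisted CFI, which asks the processor, and the EMET-style caller check, which only inspects the return address sitting on the stack, data the attacker building a ROP chain already controls. The following is an added example written for this thread, not HitmanPro.Alert's, EMET's or MBAE's code: a simplified stack-only caller check that decodes the common x86/x86-64 CALL encodings ending at a return address, run over a constructed byte buffer (labelled in the comments; not taken from any real binary). It shows that a ROP return target which merely happens to follow an existing CALL instruction (a "call-preceded gadget") satisfies the check just as well as a genuine call site. SIB addressing forms and legacy prefixes are deliberately not decoded; that is a simplification of mine, not a property of any product's check.

```c
/* Added example (not HitmanPro.Alert's, EMET's or MBAE's code): a simplified
 * stack-based "caller check" and a demonstration that an attacker who
 * controls the stack can satisfy it with a call-preceded ROP gadget.
 * Opcode encodings are standard x86/x86-64; SIB forms and legacy prefixes
 * are not decoded (a simplification for this example). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of the CALL instruction that would end exactly at code[ret_off],
 * or 0 if no recognised CALL encoding precedes that offset. Only bytes
 * inside [0, len) are read. Because x86 is variable length, several
 * candidate lengths are tried, as a stack-based check has to do. */
size_t call_len_before(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off > len) return 0;

    /* E8 rel32: direct near CALL, always 5 bytes. */
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return 5;

    /* FF /2: indirect CALL; the ModRM byte decides the total length. */
    for (size_t n = 2; n <= 7; n++) {
        if (ret_off < n) break;
        size_t start = ret_off - n;
        uint8_t op = code[start];
        size_t rex = 0;
        /* Optional REX prefix (0x40-0x4F) in front of FF, e.g. 41 FF D2. */
        if ((op & 0xF0) == 0x40 && n >= 3) { rex = 1; op = code[start + 1]; }
        if (op != 0xFF) continue;
        uint8_t modrm = code[start + rex + 1];
        if (((modrm >> 3) & 7) != 2) continue;   /* reg field must be /2 */
        uint8_t mod = modrm >> 6, rm = modrm & 7;
        if (rm == 4 && mod != 3) continue;       /* SIB form: not handled */
        size_t want;
        if (mod == 3)              want = 2;     /* CALL reg                */
        else if (mod == 0 && rm == 5) want = 6;  /* CALL [rip/abs + disp32] */
        else if (mod == 0)         want = 2;     /* CALL [reg]              */
        else if (mod == 1)         want = 3;     /* CALL [reg + disp8]      */
        else                       want = 6;     /* CALL [reg + disp32]     */
        if (want + rex == n) return n;
    }
    return 0;
}

/* The stack-only mitigation: accept the return address if the bytes before
 * it look like a CALL. It proves nothing about whether a CALL executed. */
bool caller_check_passes(const uint8_t *code, size_t len, size_t ret_off)
{
    return call_len_before(code, len, ret_off) != 0;
}

/* Constructed "code section" (sample bytes for this example, not from any
 * real binary):
 *  off  0: 55              push rbp
 *  off  1: E8 10 00 00 00  call +0x10        <- legitimate call site
 *  off  6: 5F              pop rdi           <- legitimate return target
 *  off  7: C3              ret
 *  off  8: 48 89 C7        mov rdi, rax
 *  off 11: FF D0           call rax          <- unrelated indirect call
 *  off 13: 5E              pop rsi           <- call-preceded gadget: pop rsi; ret
 *  off 14: C3              ret
 *  off 15: 5A              pop rdx           <- ordinary gadget, not call-preceded
 *  off 16: C3              ret */
static const uint8_t code[] = {
    0x55,
    0xE8, 0x10, 0x00, 0x00, 0x00,
    0x5F, 0xC3,
    0x48, 0x89, 0xC7,
    0xFF, 0xD0,
    0x5E, 0xC3,
    0x5A, 0xC3,
};

/* Constructed IAT-style call: FF 15 disp32 = CALL [rip+disp32], 6 bytes. */
static const uint8_t iat_code[] = { 0xFF, 0x15, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    /* Offsets an attacker might place on the stack as ROP return targets. */
    const size_t targets[] = { 6, 13, 15, 8 };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        size_t off = targets[i];
        printf("ret_off %2zu: call_len=%zu -> caller check %s\n", off,
               call_len_before(code, sizeof code, off),
               caller_check_passes(code, sizeof code, off) ? "PASSES" : "fails");
    }
    return 0;
}
```

    Offset 6 is the only genuine call return in the buffer, yet offset 13 (the `pop rsi; ret` gadget after `call rax`) passes the same check, because the check consumes only what is on the stack. A hardware-assisted check has a different input: the page says only that the module "programs the processor", and I note as background (not something the post states) that on Intel Core parts the facility for this is the Last Branch Record, which records branches the CPU actually took rather than bytes the attacker laid out.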
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Has that happened yet? Has everyone been updated to build 130?

    Thanks.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You would know it.
     
  16. reldel

    reldel Registered Member

    Joined:
    Aug 14, 2007
    Posts:
    27
    Location:
    Felton, DE, USA
    Using build 129, immediately after installing, Windows 8.1, IE 11, 64bit, Enhanced Protective Mode, Microsoft Sculpt wireless mouse connected by USB will no longer allow me to scroll pages in IE11 using mouse wheel. Only way to scroll pages in IE 11 is to use the scroll bar on right side of web pages in browser. Needs to be addressed/fixed.
     
  17. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    You're the first reporting this. What other security software do you have installed?
    Have you tried unplugging it and plugging it in again?
     
  18. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Win 8.1 x64 | HMPAlert3 RC Build 129

    Firefox in Sandboxie is crashing when opening Printing Dialog. HMPAlert DEP warning. Outside Sandboxie all is ok.

    Warning Details
    Code:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-12-21T14:02:34.000000000Z" />
        <EventRecordID>455894</EventRecordID>
        <Channel>Application</Channel>
        <Computer>NBx230</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files (x86)\Mozilla Firefox\firefox.exe</Data>
        <Data>DEP</Data>
        <Data>Mitigation DEP Platform 6.3.9600/x64 06_3a PID 9212 Application C:\Program Files (x86)\Mozilla Firefox\firefox.exe Description Firefox 35 State = 1000, Type = 20000, Protect = 4</Data>
      </EventData>
    </Event>
     
  19. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.0.22 build 131 Release Candidate

    Changelog
    • Improved compatibility with third-party security software/hooking engines, incl. Malwarebytes Anti-Exploit.
    • Fixed issue regarding CryptoGuard detecting mass file change by Dropbox.
    Download


    @Krusty13: This version does not automatically downgrade.
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Try disabling Enhanced Protected Mode in IE11 to see if that helps.

    Note: Just to see if that is having an effect on the scrolling; I recommend keeping it enabled.
     
    Last edited: Dec 21, 2014
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Just to be clear, if you click on the large Exploit Mitigation tile in the advanced interface and then click on Applications (not Running Applications) you will see a list of protected applications under different headings; Browsers on the left and Office on the far right. The category implies which template is being applied to the application executable. Hope this is of some help.
     
  22. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,171
    Location:
    Canada
    Build 131, still not showing IE protection.
     
  23. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I can finally relax after adding a MBAE Shield for HMPA V3
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Build 131 on all machines. All is good
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    In that case you should also add MBAE to Alert in case MBAE gets attacked ;)
     