HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. 142395

    142395 Guest

    Thanks, wow, so many papers to read for me. lol (don't worry!)
    So attacker can disable DEP after successful StackPivoting, then if I understand it correctly EMET's MemProt should prevent overriding the access permission by VirtualProtect in theory (not to mention it can be easily circumvented). Or if attacker tried ROP following StackPivot, Caller check comes into play unless this ROP is CALL-preceded.
    I can't find MemProt or its equivalent in HMPA, maybe I missed sth?

    I still appreciate all your posts, it's always nice to be educated by more knowledgeable people like Roman browsers and you!:)
     
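As an added illustration of the two checks this post refers to (not HitmanPro.Alert or EMET code), here is a simplified C version of the StackPivot check and the CALL-preceded caller check, evaluated on constructed stack bounds and byte sequences rather than a live thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not HitmanPro.Alert or EMET code. Simplified forms of two
 * mitigation checks discussed above, evaluated on constructed data rather than
 * a live thread: a StackPivot check on the stack pointer, and the EMET-style
 * "caller check" that a critical API was reached via CALL, not via RET from a
 * ROP gadget. Stack bounds and code bytes used here are made-up values. */

/* StackPivot check: sp must lie inside the thread's real stack [limit, base).
 * (On Windows these bounds come from the TEB; here they are parameters.) */
bool stack_pivoted(uintptr_t sp, uintptr_t stack_limit, uintptr_t stack_base) {
    return sp < stack_limit || sp >= stack_base;
}

/* Length of a "FF /2" (CALL r/m32) instruction starting at p, or 0 if the
 * bytes are not one. Handles ModRM, SIB, disp8 and disp32 forms. */
static size_t call_rm_len(const uint8_t *p, size_t avail) {
    if (avail < 2 || p[0] != 0xFF) return 0;
    uint8_t modrm = p[1];
    if (((modrm >> 3) & 7) != 2) return 0;              /* reg field /2 = CALL */
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    size_t n = 2;
    if (mod == 3) return n;                              /* CALL reg */
    if (rm == 4) {                                       /* SIB byte follows */
        if (avail < 3) return 0;
        n += 1;
        if (mod == 0 && (p[2] & 7) == 5) n += 4;         /* base=101, mod=00: disp32 */
    }
    if (mod == 1) n += 1;                                /* disp8 */
    else if (mod == 2 || (mod == 0 && rm == 5)) n += 4;  /* disp32 */
    return n <= avail ? n : 0;
}

/* Caller check: true if the instruction ending at code[ret_off] is a CALL
 * (E8 rel32 or FF /2). A return address pushed by a RET-driven ROP chain
 * normally fails this. Limitation, as with the real mitigation: an E8 or FF
 * byte that is really an operand of an earlier instruction can still match. */
bool call_preceded(const uint8_t *code, size_t len, size_t ret_off) {
    if (ret_off > len) return false;
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return true;   /* E8 rel32 */
    for (size_t n = 2; n <= 7 && n <= ret_off; n++)               /* FF /2 */
        if (call_rm_len(code + ret_off - n, n) == n) return true;
    return false;
}
```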
  2. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    There will also be a nice presentation about bypassing EMET 5.1 at the Chaos Communication Congress this year:

    https://events.ccc.de/congress/2014/Fahrplan/events/6161.html

    They always have a free live stream and usually provide VODs of most talks within 2 or 3 days of the talk, so if you are interested you may want to check it out. I know I will :).
     
  3. 142395

    142395 Guest

    Whoops, it seems Chrome can't validate your first link's certificate as CA Cert Signing Authority is not in my root CA. Same for Firefox.
    Also the second link doesn't give me any content; is this because it's not within 2 or 3 days of the next talk?
     
  4. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Which is to be expected. CACert is a community driven certificate authority. I don't think they are included by default in any major browser.

    The Chaos Communication Congress hasn't started yet. It is scheduled for December 27th to 30th every year. So naturally there can't be VODs of it yet. The link is for the page where the VODs will show up once they are available.
     
  5. guest

    guest Guest

    He isn't actually bypassing EAF+. If EAF+ had been enabled his info leak would become useless.
    EAF+ is very strong: It basically severely mangles all headers of protected DLLs. But it causes a significant loss of performance (Sorry Microsoft). Besides that, the amount of gadgets that he's using can be reduced quite a bit.

    Link: https://prezi.com/kyiaii0izrt4/deepsec-2014-emet-51-armor-or-curtain/
     
  6. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Slide 115 contains a demo video of the exploit. EAF+ is clearly enabled during that demo. Unless you want EAF+ blacklisting enabled for additional (all?) modules.
     
  7. guest

    guest Guest

    For EAF+ you have to supply modules you want to protect. By default these are mshtml.dll, jscript.dll, vbscript.dll, vgx.dll, Flash*.ocx iirc

    I would like to refer you to slides 111 and 116 of https://prezi.com/kyiaii0izrt4/deepsec-2014-emet-51-armor-or-curtain/
    In Slide 111 he mentions that EMET 5.1 contains more mitigations and the mitigations listed on this slide are never covered in his main presentation.
    Furthermore he didn't mention "Finding bypass for EAF+" under "Migrating EMET 4.1 bypass to 5.0" on slide 116.

    So I think it's plausible to assume that EAF+ was never protecting any DLLs.
     
  8. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Which was the case in the video demo. Namely: mozjs.dll and xul.dll. The former being the module that is exploited.

    The video demo suggests otherwise.
     
  9. guest

    guest Guest

    Okay, you're right. I didn't notice the demonstration video.
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Any update on this and Prey compatibility?
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    No update yet. Sorry.
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Thanks.

    I had a look but couldn't find anything relating to HMP.A except looking for updates failing. I opened HMP.A today and it is showing 0 alerts now. Very odd!
     
  13. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I've had the mouse plugged in for as long as I've been using HMP.Alert all the way back to version 2.0
     
  14. 142395

    142395 Guest

    Okay, I installed the root CA in sandbox and could visit the site w/out overriding warnings.

    I got it, thanks for explanation!;)
     
  15. BBss

    BBss Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    23
    Found another bug, Spotify keeps crashing and doesn't even start up with HMP Alert installed. Same as with the Call of Duty AW crash bug which was fixed. Renaming the HMP .dll files fixes the problem.
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Spotify performs an actual ROP in its startup. Disable CFI for Spotify.
     
  17. BBss

    BBss Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    23
    Why would I disable it for Spotify if I already disabled exploit mitigation and all other protections of HMP Alert and it still keeps crashing? Or where do I even disable it? Spotify is not even in the applications list in HMP Alert.
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Odd. I run Spotify as well. Can you run AppCrashView and send me the info?
     
  19. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Post #3317 redux: I'm using an AMD processor, would it be a good idea to add a security program to compensate for not having the part of HMP.A that's Intel-based? If so, any suggestions?

    I'm having a problem with the Taskbar not sliding open on mouse-over at the edge of the screen when Chrome is full-screen. The Taskbar doesn't open whenever the green border shows for a few seconds, and often even when the border isn't showing. Then I have to re-size the Chrome window down to get to the Taskbar.
     
    Last edited: Dec 25, 2014
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The hardware-assisted feature is for Intel CPUs only. AMD currently has nothing comparable that can offer the same performance.

    We will see if we can reproduce and come up with a fix. In the final you can disable the border. Though stuff should work despite the border.
     
  21. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    OK, thanks. Maybe I'll use an Intel processor in my next build.
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    I have now even had IE11 not open after clicking the Task Bar icon, and opening Task Manager showed IE11 was running, so I have done as suggested and uninstalled MBAE. Since I still have a current license for HMP.A 3 RC (thanks again to Erik) I have activated HMP.A 3 RC Build 131.

    Opening Windows Media Player still creates a ROP Attack Mitigation alert. Disabling Control-Flow Integrity allows WMP to open and function as normal.

    Thank you.
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you send me the details of the ROP? It should be in the Windows Event Log.
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Erik,
    I've sent you a PM. Please check if that is the information you require.

    Thanks,
    Dave
     
  25. 142395

    142395 Guest

    I'm testing build 131, so far it works fine with Norton 2014 even w/out reboot.

    Some findings & suggestions:
    -currently I have to run an application to add exploit protection for custom programs, but can you add an explorer-like browsing function, or at least an option where I can directly input path & name for custom protection, so that I don't need to launch every program I want to protect in order to add them?

    -I disabled CryptoGuard, not because it is useless, but because I have data & system backed up regularly & redundantly, so even if I was infected by such malware, at most (even when my local backups are locked too, though there's not much chance) I'd lose several hours. I personally want to keep as few programs/functions running/enabled as possible. So I'd personally very much appreciate it if you could add an "Uninstall component" option rather than just disabling. This would also be helpful to address new conflicts until they are fixed.

    -All protection works well, though keystroke encryption doesn't work if I switch to Japanese input mode (expected).

    -The URLMon test for 64-bit doesn't show any message even for "This application". Some exploit tests for Firefox (ROP-VirtualProtect and some of the URLMon tests for 32-bit) sometimes allow it to launch in the same mode, but maybe that is okay?

    -Oh, and I see there's obviously an EMET MemProt-like exploit mitigation.
     