VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Well, it is hard to say what the status is... Alex is doing most of the web stuff, as I am terrible with web stuff.

    BTW, the Windows 10 RDP Cuckoo Sandbox issue is finally fixed, so it is working now. It turned out to be an easy fix... all I had to do was upgrade VirtualBox on the Linux Cuckoo server... there was a bug. Go figure.
     
  2. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    :geek: :thumb: :D
     
  3. RobbieMacG

    RobbieMacG Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    3
    Location:
    Brisbane
Would appreciate anyone's spare 2 cents for this query please
     
  4. guest

    guest Guest

my 2 cents is that with VS and Sandboxie, BDTS is not needed, especially on Win10.
    If you use BD because of the Firewall, you can use Binisoft Windows Firewall Control (paid version) for lifetime with a small donation.
     
  5. RobbieMacG

    RobbieMacG Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    3
    Location:
    Brisbane
    Good to know, thanks guest
     
  6. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    Wow, that patent of yours is verbose Dan! I reckon your lawyers must have been paid by the word! :D
     
  7. mWave

    mWave Guest

    If you do not use ObRegisterCallbacks (the best documented and supported method by Microsoft for process protection, since doing any better would require you to exploit the Windows Kernel to change the pointer addresses in the System Service Dispatch Table without triggering BugCheck BSOD due to PatchGuard (Kernel Patch Protection feature) on x64 systems) then I am pretty sure bypassing the self protection you have in mind would be quite straight forward.

    You have a few options:
    1. Process to regularly check if the other processes are running, this can be defeated relatively easily.
    2. Injecting into every running process on the system to force the other programs to execute your own code which can be used to detour specific APIs like NtOpenProcess, this can be defeated relatively easily.
    3. Using DACL protection... Can be defeated straight forward if you have admin privileges or can exploit a trusted elevated process (e.g. DLL hijacking).
    4. I'm sure you'll think of more methods but if it's from user-mode then... straight forward.

    Of course to bypass your self-protection you would need to gain code execution, and since VDS is an Anti-Exe then you are already in a good situation. I am not focusing on that, I am just explaining self-protection.

    The way ObRegisterCallbacks works is similar to the effect of hooking functions like NtOpenProcess; when a handle is being requested for a process, your callback routine is invoked and this allows you to check the access rights and remove them -> the caller gets STATUS_ACCESS_DENIED returned.

    There is a reason as to why top AV vendors like Avast, AVG, Kaspersky, ESET, Avira, Bitdefender, Comodo, Trend-Micro and pretty much any other successful and well-known AV vendor use the documented kernel-mode callbacks... It doesn't involve patching the Windows Kernel (which can be done easily on x86) since that can cause big performance problems and mess a lot up (and MS do not like it), and it's secure since if it's implemented properly it won't be bypassed from user-mode without a Windows exploit, just like with PsSetCreateProcessNotifyRoutineEx.

    That being said, for GUI processes (processes with user32.dll loaded), SetWindowsHookEx will successfully inject code for remote code execution regardless of protected processes; the only fix for this is patching win32k.sys or using the hypervisor (like Kaspersky) so you can use kernel-mode hooking without worrying about PatchGuard on x64 systems also. ;)

    But ok you can do whatever you want but at least I did try to set you in the smart direction.
     
    Last edited by a moderator: Mar 11, 2017
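A user-mode probe in PowerShell, added here as an example and not VoodooShield's or mWave's code, for checking whether a self-protection mechanism of the kind described in the post above actually holds: it requests individual process rights through OpenProcess and then reads the access mask the Object Manager really granted. The process name 'VoodooShieldService' is taken from a later post in this thread and is an assumption about the image name; substitute whatever the protected process is actually called. One caveat a tester should know: a pre-operation callback that only clears bits in DesiredAccess does not make OpenProcess fail; the open succeeds with a reduced mask, so the probe queries GrantedAccess with NtQueryObject instead of trusting the OpenProcess return value alone. A DACL-based protection, by contrast, shows up as the open itself failing with ERROR_ACCESS_DENIED (5).

```powershell
# Added example (not VoodooShield's or mWave's code): probe, from user mode,
# which process access rights a caller can actually obtain on a target.
# Run it once from a standard prompt and once elevated and compare the output;
# a kernel-callback protection should leave TERMINATE / VM_WRITE / CREATE_THREAD
# ungranted in both cases, while a DACL alone usually gives way to an admin.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);

// ObjectBasicInformation (class 0) fills OBJECT_BASIC_INFORMATION (56 bytes);
// its second ULONG is GrantedAccess.
[DllImport("ntdll.dll")]
public static extern int NtQueryObject(IntPtr Handle, int ObjectInformationClass,
    IntPtr ObjectInformation, int ObjectInformationLength, out int ReturnLength);
'@

# Process access rights from winnt.h
$Rights = [ordered]@{
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    PROCESS_VM_READ                   = 0x0010
    PROCESS_VM_WRITE                  = 0x0020
    PROCESS_VM_OPERATION              = 0x0008
    PROCESS_CREATE_THREAD             = 0x0002
    PROCESS_SUSPEND_RESUME            = 0x0800
    PROCESS_TERMINATE                 = 0x0001
}

function Get-GrantedAccess {
    param([IntPtr]$Handle)
    $size = 56   # sizeof(OBJECT_BASIC_INFORMATION)
    $buf  = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
    try {
        $ret = 0
        $status = [Win32.Native]::NtQueryObject($Handle, 0, $buf, $size, [ref]$ret)
        if ($status -ne 0) { throw ("NtQueryObject failed: 0x{0:X8}" -f $status) }
        return [Runtime.InteropServices.Marshal]::ReadInt32($buf, 4)   # GrantedAccess
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

function Test-ProcessAccess {
    param([Parameter(Mandatory)][string]$ProcessName)

    $targets = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $targets) { throw "No running process named '$ProcessName'" }

    foreach ($p in $targets) {
        foreach ($entry in $Rights.GetEnumerator()) {
            $h   = [Win32.Native]::OpenProcess([uint32]$entry.Value, $false, [uint32]$p.Id)
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            $granted = $false
            $openErr = $err
            if ($h -ne [IntPtr]::Zero) {
                $openErr = 0
                # The right is only usable if it survived into the handle's mask;
                # an ObRegisterCallbacks pre-op callback may have stripped it silently.
                $granted = [bool]((Get-GrantedAccess $h) -band $entry.Value)
                [void][Win32.Native]::CloseHandle($h)
            }
            [pscustomobject]@{
                Pid       = $p.Id
                Right     = $entry.Key
                Granted   = $granted
                OpenError = $openErr   # 5 = ERROR_ACCESS_DENIED: the open itself was refused
            }
        }
    }
}

# Usage: 'VoodooShieldService' is an assumed image name; replace it with the real one.
# Test-ProcessAccess -ProcessName 'VoodooShieldService' | Format-Table -AutoSize
```

Rows with Granted = True for PROCESS_TERMINATE or PROCESS_VM_WRITE from an elevated prompt mean a user-mode attacker with admin rights can kill or inject into the process without any kernel exploit, which is exactly the situation the post above warns about.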
  8. mWave

    mWave Guest

    Avast, AVG, Kaspersky and other vendors have managed it fine so I'm sure you will. If the callback they have set up is beaten (e.g. kernel-mode code execution for termination) then they resort to process restarting with a watchdog process.
     
  9. plat1098

    plat1098 Guest

    I was kind of looking around at Themes and seeing what happens there and under High Contrast, I get this:
    Screenshot (22).png
    I tried clicking in the area that would "allow" whatever command line was trying to run and nothing happened. Then I got stuck in a Theme wasteland for a little while. VS interface doesn't seem to be functional in this scenario? Or do the fields work, they're just not visible?
     
  10. guest

    guest Guest

    Some visual glitches :cautious:
    Try to logout/login after switching the theme. Do you see the same "white VS-prompt" again?
     
  11. plat1098

    plat1098 Guest

    Hi mood: That was the problem, you couldn't change Themes or log out because the cursor became a system-busy circle for a couple of minutes. I was literally stuck. Also, VS didn't seem to respond to clicks although it rightfully blocked a command line and an exe. Maybe that's why it stuck there until I got the cursor back and was able to remove the yuck from my desktop. The sfc /scannow and check for hardware errors were negative. Bottom line: I just won't DO that anymore. I was surprised to see VS interface was apparently not functioning in this scenario, but thankfully the blocking capabilities were working.
     
  12. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    158
    Location:
    West Oz
    Yes, it was not easy to guess just where the X was to quit the GUI. My personal desktop is WinClassic with Classic Start Menu, but other family members have variations of Aero. Admin runs WinClassic but no wallpaper.

    But I had no problems trialling new desktop schemes. VS wasn't really happy until I quit my browser, but once that happened it was OK. I was never going to confirm a desktop change...

    I don't like Aero. Old-school is Classic!

    Mind you, Dan's not the only dev to fall for UI colour-non-matching :eek: How many users have been caught with Windows-mandated "white" fonts in a light/pale Aero theme? :blink:
     
  13. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I had just booted up, and the tray icons were loading, when I got the flashing VS icon. I opened the VS log, and I could tell from the last entries that a Windows update was underway. After allowing for the restart, it was successful, i.e. available updates installed.

    Windows Updates_VS flashing icon_01.JPG Windows Updates_after reboot_ successfully completed_01.JPG
     
  14. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    This may not be VS related, but how would one stop a Metasploit command prompt shell?
     
  15. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    406
    this software is grooooooovy baby...
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    It has been a rough few days, so I will have to respond to the posts and pm’s I missed asap.

    There were a lot of changes, and there is a small chance that something could go wrong… so if you are running a mission critical machine, I would wait a day or two before installing this version, to see how it does for the people who are risky enough to try it ;). I really think it is fine, but something could go wrong.

    3.54 Changelog

    Boot time protection… VS will start in Always ON mode, then toggle to your previous mode after 10 seconds. If we need to make this longer, please let me know.

    Gui starts much quicker and with the service

    Switch User / Multiple users issues should be fixed

    Self-Protection

    About the self-protection…

    I looked into several different methods for self-protection, and found that they all had at least one issue or another, and all could be bypassed, so I tried to do something else instead… here is what I did.

    In the highly unlikely event that malware tries to specifically target VS to kill or bypass it, the VoodooShieldService will kick in and completely lock down the system, and block all new process creation until the computer is restarted… the user is notified of this as well. Basically, if malware is trying to disable your security software, there is no reason to take a chance to see if it is able to do so… so why not just lock the whole system down until reboot, just to be sure? That is… let's say that your self-protection fails, and you have to restart your security software… well, that might give the malware a chance to do its thing.
    Keep in mind, VS will protect itself 99.99% of the time by blocking processes and scripts before they are ever allowed to start. It is only very special targeted attacks, like the one Adam created, where an already allowed process that was running as a network service asked VS to exit.

    If VS continues to grow as it is, then I would guess in a year or two, malware authors might start to target VS. But once they realize that the second they start messing with VS it simply locks the entire system down until it is rebooted, hopefully that in and of itself will be a deterrent.

    I might have forgotten something, but let’s see if Adam can bypass VS now ;).

    www.voodooshield.com/Download/beta3/InstallVoodooShield354beta.exe

    Thank you guys! Talk to you soon!
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Awesome. This is high tech at disposal of average user. Can't wait to test it. Thank you so much. :)
     
  18. plat1098

    plat1098 Guest

    Well, I threw this 3.54 version on here forthwith and it toggles as advertised. Toggle, baby, toggle!
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    BSOD on one machine. :(
     

    Attached: BSOD.PNG
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, that's not cool, thank you for letting me know though. When did it happen... right after installing VS or after reboot?
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Right after installing VS and before I had a chance to restart.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I was afraid something like that might happen... although I tested it on 4 different computers and did not have any issues.

    Please try this version and let me know, it should be fixed, thank you!

    www.voodooshield.com/Download/beta3/InstallVoodooShield354beta.exe
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Yes Sir, I'm on it. :)

    Same version number, Dan?
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you! Yeah, same version number ;).
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    So far so good!

    Installed over the previous 3.54 without a BSOD. Nice work, Dan! :thumb:
     