HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Krusty said:
    The 'Stable' build is stable on my machines but the 'Beta' build is, well, a beta.

    Thank you, I may try it.
     
  2. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Yeah, that's a shame.

    Glad to know that at least I'm not the only one on that boat (stuck on 604).
     
  3. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    3.7.4 build 734 beta gives a CredGuard warning when opening the Nvidia settings panel from the Systray.

    Code:
    Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v734 06_5e
    PID          1220
    Application  C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
    Description  NVIDIA Container 3.0
    
    Reading LSASS (872) process memory: 0000000000000000 L1128
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFFB34865A4 KernelBase.dll           ReadProcessMemory +0x14
    2  00007FFFB350BD86 KernelBase.dll           GetModuleFileNameExA +0x2a6
    3  00007FFFB350BBD0 KernelBase.dll           GetModuleFileNameExA +0xf0
    4  00007FFFB350B954 KernelBase.dll           EnumProcessModulesEx +0x84
    
    5  00007FFFAA4D9B72 nvapi64.dll             
                        eb03                     JMP          0x7fffaa4d9b77
    
    6  00007FFFAA4F7EE8 nvapi64.dll             
    7  000000005AE5C429 nvxdapix.dll           
    8  000000005ACDD841 nvxdapix.dll           
    9  000000005ACCD2B9 nvxdapix.dll           
    10 000000005AE3713A nvxdapix.dll           
    
    Process Trace
    1  C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [1220]
    "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -f "C:\ProgramData\NVIDIA\DisplaySessionContainer%d.log" -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\Session" -r -l 3 -p 30000 -c
    2  C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [1856]
    "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\Local
    3  C:\Windows\System32\services.exe [836]
    4  C:\Windows\System32\wininit.exe [752]
    wininit.exe
    
    Thumbprint
    2f4b65d09160adda754c2bb0d737821c4f2fbc3f7eca31d8c94735b4ba9fd996
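    To help triage dumps like the one above, here is an added example (not part of the post and not HitmanPro.Alert's own code) that parses the alert's header fields and stack trace and reports whether the LSASS read was reached through documented PSAPI module-enumeration calls, and which non-system module issued it. The field layout is assumed from the quoted dump, and the sample text is a constructed, trimmed copy of it.

```python
import re

# Constructed sample: the CredGuard alert quoted above, trimmed to header and stack trace.
SAMPLE_ALERT = r"""Mitigation   CredGuard

PID          1220
Application  C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
Description  NVIDIA Container 3.0

Reading LSASS (872) process memory: 0000000000000000 L1128

Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  00007FFFB34865A4 KernelBase.dll           ReadProcessMemory +0x14
2  00007FFFB350BD86 KernelBase.dll           GetModuleFileNameExA +0x2a6
3  00007FFFB350BBD0 KernelBase.dll           GetModuleFileNameExA +0xf0
4  00007FFFB350B954 KernelBase.dll           EnumProcessModulesEx +0x84

5  00007FFFAA4D9B72 nvapi64.dll
                    eb03                     JMP          0x7fffaa4d9b77

Process Trace
1  C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [1220]
"""

HEADER_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description)\s{2,}(.+)$")
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8,16})\s+(\S+)(?:\s+(.+?))?$")
# PSAPI module-enumeration routines that legitimately read another process's memory.
PSAPI_ENUM = ("EnumProcessModules", "GetModuleFileNameEx", "GetModuleBaseName")
SYSTEM_DLLS = {"kernelbase.dll", "kernel32.dll", "ntdll.dll"}

def parse_alert(text):
    """Extract header fields, the LSASS PID and the stack-trace frames from an alert dump."""
    alert, frames, in_stack = {}, [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line in ("Process Trace", "Thumbprint"):
            break  # everything after the stack trace is out of scope here
        if in_stack:
            m = FRAME_RE.match(line)  # indented disassembly lines do not match
            if m:
                frames.append({"module": m.group(3), "location": m.group(4) or ""})
            continue
        m = HEADER_RE.match(line)
        if m:
            alert[m.group(1).lower()] = m.group(2).strip()
        elif line.startswith("Reading LSASS ("):
            alert["lsass_pid"] = int(line.split("(")[1].split(")")[0])
        elif line == "Stack Trace":
            in_stack = True
    alert["frames"] = frames
    return alert

def triage(alert):
    """Was the LSASS read reached via PSAPI enumeration, and from which non-system module?"""
    via_psapi = any(api in f["location"] for f in alert["frames"] for api in PSAPI_ENUM)
    origin = next((f["module"] for f in alert["frames"] if f["module"].lower() not in SYSTEM_DLLS), None)
    return {"via_psapi_enumeration": via_psapi, "origin_module": origin}
```

    A read that arrives through EnumProcessModulesEx/GetModuleFileNameEx is the ordinary module-enumeration pattern, which helps decide whether an alert calls for an exclusion or a closer look at the originating module.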
     
  4. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    3.7.4 build 734 beta generated a ROP mitigation for Glasswire:

    Code:
    Mitigation   ROP
    
    Platform     10.0.16299/x64 v734 06_2a
    PID          7556
    Application  C:\Program Files (x86)\GlassWire\GlassWire.exe
    Description  GlassWire 1.2
    
    Branch Trace                      Opcode  To                            
    -------------------------------- -------- --------------------------------
    GetLastError +0x9                    RET  +0x1a21a                      
    0x74740859 KernelBase.dll                 0x738CA21A hmpalert.dll        
    
    0x01D0FAC7 GlassWire.exe           ~ RET* VirtualProtect()              
                                              0x76D06930 kernel32.dll        
                8bff                     MOV          EDI, EDI
                55                       PUSH         EBP
                8bec                     MOV          EBP, ESP
                5d                       POP          EBP
                ff253012d676             JMP          DWORD [0x76d61230]
    
    
    0x01BF9337 GlassWire.exe             RET  0x01C39090 GlassWire.exe      
    
    0x01BF9337 GlassWire.exe             RET  0x01C39090 GlassWire.exe      
    
    0x01BF9337 GlassWire.exe             RET  0x01C0D9F2 GlassWire.exe      
    
    0x01C3D49A GlassWire.exe           ~ RET* 0x01C873D8 GlassWire.exe      
                89eb                     MOV          EBX, EBP
                81c378000000             ADD          EBX, 0x78
                8b13                     MOV          EDX, [EBX]
                81e201000000             AND          EDX, 0x1
                81fa00000000             CMP          EDX, 0x0
                0f840e000000             JZ           0x1c87402
                89eb                     MOV          EBX, EBP
                81c378000000             ADD          EBX, 0x78
                81032609b97e             ADD          DWORD [EBX], 0x7eb90926
                81c71c000000             ADD          EDI, 0x1c
                81c6ffff0000             ADD          ESI, 0xffff
                29fb                     SUB          EBX, EDI
                89e9                     MOV          ECX, EBP
                01cf                     ADD          EDI, ECX
                89ff                     MOV          EDI, EDI
                                     (96F423B02E959B5F)
    
    
    0x01BF9337 GlassWire.exe             RET  0x01C39090 GlassWire.exe      
    
    0x01BF9337 GlassWire.exe             RET  0x01C0D9F2 GlassWire.exe      
    
    0x01CDC604 GlassWire.exe           ~ RET* 0x01C0D86F GlassWire.exe      
                89fe                     MOV          ESI, EDI
                81e780000000             AND          EDI, 0x80
                89e8                     MOV          EAX, EBP
                09fe                     OR           ESI, EDI
                89c6                     MOV          ESI, EAX
                bf00040000               MOV          EDI, 0x400
                05af000000               ADD          EAX, 0xaf
                8b00                     MOV          EAX, [EAX]
                0508000000               ADD          EAX, 0x8
                ba00000000               MOV          EDX, 0x0
                81ef24000000             SUB          EDI, 0x24
                0fb708                   MOVZX        ECX, WORD [EAX]
                81eeffffff7f             SUB          ESI, 0x7fffffff
                81cf80000000             OR           EDI, 0x80
                89ef                     MOV          EDI, EBP
                                     (137C2CA50A85A19B)
    
    
    0x01C3D49A GlassWire.exe           ~ RET* 0x01BF0EDA GlassWire.exe      
                89ee                     MOV          ESI, EBP
                81c6af000000             ADD          ESI, 0xaf
                8b36                     MOV          ESI, [ESI]
                81c600000000             ADD          ESI, 0x0
                0fb70e                   MOVZX        ECX, WORD [ESI]
                89ea                     MOV          EDX, EBP
                81c233000000             ADD          EDX, 0x33
                2b0a                     SUB          ECX, [EDX]
                89ef                     MOV          EDI, EBP
                81c7af000000             ADD          EDI, 0xaf
                89ee                     MOV          ESI, EBP
                81c6af000000             ADD          ESI, 0xaf
                8b3f                     MOV          EDI, [EDI]
                81c708000000             ADD          EDI, 0x8
                8b36                     MOV          ESI, [ESI]
                81c600000000             ADD          ESI, 0x0
                                     (C86B83924C1B4B35)
    
    
    0x01D0BDF7 GlassWire.exe           ~ RET* 0x01C3CC48 GlassWire.exe      
                89e9                     MOV          ECX, EBP
                81c1af000000             ADD          ECX, 0xaf
                8b09                     MOV          ECX, [ECX]
                81c100000000             ADD          ECX, 0x0
                0fb739                   MOVZX        EDI, WORD [ECX]
                01ef                     ADD          EDI, EBP
                8b3f                     MOV          EDI, [EDI]
                21fa                     AND          EDX, EDI
                9c                       PUSHF      
                81f76e9c0e66             XOR          EDI, 0x660e9c6e
                b800000000               MOV          EAX, 0x0
                89ee                     MOV          ESI, EBP
                81c6af000000             ADD          ESI, 0xaf
                8b36                     MOV          ESI, [ESI]
                81c608000000             ADD          ESI, 0x8
                668b06                   MOV          AX, [ESI]
                                     (EEB0A8EEA57AC632)
    
    
    0x01CDC604 GlassWire.exe           ~ RET* 0x01BF0EDA GlassWire.exe      
                89ee                     MOV          ESI, EBP
                81c6af000000             ADD          ESI, 0xaf
                8b36                     MOV          ESI, [ESI]
                81c600000000             ADD          ESI, 0x0
                0fb70e                   MOVZX        ECX, WORD [ESI]
                89ea                     MOV          EDX, EBP
                81c233000000             ADD          EDX, 0x33
                2b0a                     SUB          ECX, [EDX]
                89ef                     MOV          EDI, EBP
                81c7af000000             ADD          EDI, 0xaf
                89ee                     MOV          ESI, EBP
                81c6af000000             ADD          ESI, 0xaf
                8b3f                     MOV          EDI, [EDI]
                81c708000000             ADD          EDI, 0x8
                8b36                     MOV          ESI, [ESI]
                81c600000000             ADD          ESI, 0x0
                                     (C86B83924C1B4B35)
    
    
    0x01C28067 GlassWire.exe           ~ RET* 0x01C8BD1C GlassWire.exe      
                89ef                     MOV          EDI, EBP
                be00000000               MOV          ESI, 0x0
                89eb                     MOV          EBX, EBP
                81c3af000000             ADD          EBX, 0xaf
                81c733000000             ADD          EDI, 0x33
                8b1b                     MOV          EBX, [EBX]
                89f8                     MOV          EAX, EDI
                81c30b000000             ADD          EBX, 0xb
                89ef                     MOV          EDI, EBP
                668b33                   MOV          SI, [EBX]
                01ee                     ADD          ESI, EBP
                ba00000000               MOV          EDX, 0x0
                89eb                     MOV          EBX, EBP
                81c3af000000             ADD          EBX, 0xaf
                81c70d000000             ADD          EDI, 0xd
                0b0f                     OR           ECX, [EDI]
                                     (A155113306A40655)
    
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  01DDC3B6 GlassWire.exe          
                51                       PUSH         ECX
                60                       PUSHA      
                0f8800000000             JS           0x1ddc3be
                57                       PUSH         EDI
                5f                       POP          EDI
                50                       PUSH         EAX
                52                       PUSH         EDX
                0f31                     RDTSC      
                5a                       POP          EDX
                58                       POP          EAX
                61                       POPA      
                60                       PUSHA      
                60                       PUSHA      
                61                       POPA      
                0f8a00000000             JP           0x1ddc3d0
                60                       PUSHA      
    
    
    Process Trace
    1  C:\Program Files (x86)\GlassWire\GlassWire.exe [7556]
    "C:\Program Files (x86)\GlassWire\GlassWire.exe" -hide
    2  C:\Windows\explorer.exe [1288]
    3  C:\Windows\System32\userinit.exe [5324]
    4  C:\Windows\System32\winlogon.exe [948]
    winlogon.exe
    5  C:\Windows\System32\smss.exe [784]
    \SystemRoot\System32\smss.exe 000000e4 00000080
    
    Thumbprint
    f86ad803fc099b13b42c23c1fe2ca6c966b1d6eae05e25d8cfcc0f8e86a30da0
     
    Last edited by a moderator: Mar 4, 2018
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Did HMPA protect Glasswire automatically or did you add it manually?
     
  6. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    Great question. I added it a while back, but only experienced the mitigation (the one time) recently.
     
  7. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
    I'm using 3.7.3.b729, but even though I've added an exception for a specific .exe, when I try to open it, it's still blocked as "Malware".

    Do I need to reboot the PC for it to become active?
     
  8. guest

    guest Guest

    The feature "Real-time Anti-Malware" is blocking it and at the moment no exclusions can be created for it.
    It was planned last year but it hasn't appeared yet in newer versions. So, before you launch a blocked application, you need to turn the Anti-Malware feature off.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    If AV is Windows Defender, is it necessary or recommended to make any exceptions in HMPA?
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I haven't.
     
  11. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    It's sad that there haven't been any new releases for us to play with in ages :(
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Not that I'm aware of, however I did turn off exploit protection in Windows Defender (in the App and Browser Control section).
     
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    That’s because we are working on two new releases, including a huge one. Stay tuned!
     
  14. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    Whoo-hoo! Looking forward to it (the huge one). Thanks for the teaser Mark.
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    1. Does HMPA work well with Windows 10 RS4 April Update?
    2. Is it compatible with the Core Isolation feature of this update?
    3. What is the latest beta version of HMPA that is relatively issue-free?
     
  16. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    3.7.6 build 739 hasn't been naughty after I upgraded to 1803 yesterday. So for me it seems that all is well.
     
  17. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    Same here!
     
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks, guys.
    Many security solutions are hampered if you enable Core isolation.
    Anyone know how it impacts HMPA?
     
  19. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    Didn't notice any problems with HMPA, but it totally killed VirtualBox for me.
     
  20. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Can you write a little more about this? What will it be like? What new features will it contain? etc., etc. About when will these versions appear? Thanks in advance for your answer.
     
  21. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    HitmanPro.Alert 3.7.7 Build 746 BETA

    Changelog (compared to build 739)

    • Improved general performance
    • Improved Credential Theft Protection, LSASS protection
    • Improved Java mitigation profile, removed obsolete protections for Java processes
    • Improved Intruder detection for trickbot
    • Improved Office & IE11 compatibility
    • Added wmic.exe to Application Lockdown to block abuse used in SquiblyTwo attack
    • Added Japanese language
    • Fixed bug in mono (.NET xPlatform lib) causing a CallerCheck
    • Fixed IE Godmode False positives
    • Fixed Potential BSOD in CryptoGuard
    • Fixed LoadLib Alert in Firefox when loading NPAPI plugin(s)
    • Fixed Windows 7 hanging on shutdown
    • Fixed WipeGuard on Hyper-V guest systems
    • Several other minor fixes and improvements
    Download (with drivers co-signed by Microsoft)
    http://test.hitmanpro.com/hmpalert3b746.exe

    Please let us know how this version runs on your machine. Thanks! :thumb:
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Very cool!

    Will install and test now.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    No problems to report so far. :thumb:
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Same here. Looks good so far.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm trying the latest beta on Windows 10 x64 Version 1703 Educational Edition with all updates in VirtualBox. The first time I launched Firefox, HMPA notified me that FF was being protected. I've closed and launched FF several times since, and HMPA is no longer notifying me that the browser is being protected. I verified that HMPA is still injecting into FF using Process Explorer, so I think it's still protected. Should HMPA notify the user that their browser is being protected each time they launch their browser again?

    Edited 5/25/18 @ 11:39
    I can see the border showing Safe Browsing, Exploit Mitigation, and Keystroke Encryption now. It's a little tough to bring up due to the dimensions of my VM. I just need to know if I should get a flyout prompt each time I open my browser notifying me that the browser is being protected.
     
    Last edited: May 25, 2018