ZeroVulnerabilityLabs ExploitShield

Discussion in 'other anti-malware software' started by sbwhiteman, Sep 28, 2012.

Thread Status:
Not open for further replies.
  1. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    Problem solved; now only the startup problem remains: it does not start during boot. I have to start it manually.
    http://i.imgur.com/kUssY.png

    I am logged in as God
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Do you have plans to protect the built-in PDF app of Windows 8?
     
  3. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Today, I came across this blog post by Andrew Ruef on ExploitShield; link

    -It is my belief that when ExploitShield uses the term ‘exploit’, they really mean ‘payload’.
    -ExploitShield is great if the attacker doesn’t know it’s there, and, isn’t globally represented enough to be a problem in the large for an attacker. If the attacker knows it’s there, and cares, they can bypass it trivially.
    -ExploitShield uses unnecessarily dangerous programming practices to achieve effects possible by using legitimate system services, possibly betraying a lack of understanding of the platform they aim to protect.


    What's ZV Labs take on this piece and some of the claims and statements made?
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Thanks for that link. A most interesting read.:thumb:
     
  5. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    We want to clarify some parts of the Trail of Bits post which are technically incorrect, with two examples. It is not our intention to get into any prolonged discussion, but we do want to defend our work, especially when it is being misinterpreted and misrepresented.

    1) Are the page permissions of the address RX (read-execute)?
    This is not true. The following is the actual ExploitShield code where the comparison takes place:

    VirtualQuery((LPVOID)dwMemory, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
    if (mbi.AllocationProtect == PAGE_READWRITE)   // PAGE_READWRITE is 0x04, not 0x40 (PAGE_EXECUTE_READWRITE)

    In the case of Trail of Bits while reversing the ExploitShield.dll library they probably found this:
    (screenshot: exploitshield.png)

    The comparison is done against the value 0x4 (CMP DWORD PTR SS:[EBP-18], 4), and that's why their conclusion is totally incorrect: this value belongs to PAGE_READWRITE (http://msdn.microsoft.com/en-us/library/windows/desktop/aa366786(v=vs.85).aspx).

    It is possible that Trail of Bits has mistaken it for 0x40, which does equal the PAGE_EXECUTE_READWRITE value mentioned in their article, but that has nothing to do with our analysis and even less to do with our detection logic.

    As you well know, there are exploits that do not use ROP and which mainly affect XP machines where, unfortunately, the attacked program does not have DEP activated. Under these circumstances, for the programs we protect, evaluating whether the page that called a certain function comes from a PAGE_READWRITE memory area is a completely valid behavioral detection.

    2) Is the address located within the bounds of a loaded module?
    This logic as explained in their post is also incorrect, since that is not the objective of ExploitShield. Rather, we look for which loaded module the call comes from. With this explanation anybody can now probably get a good idea of the logic used in the ExploitShield analysis and the behavior of certain payloads.

    “If either of these two tests fail, ExploitShield reports that it has discovered an exploit!”
    Now I understand this comment. Initially we didn't understand it, because in addition to the checks mentioned above there are more things being considered in the equation. But I understand how, based on a misunderstanding of how ExploitShield really works, Trail of Bits arrived at this wrong conclusion.

    -- David Sanchez Lavado, ZVL CTO
     
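    As an added illustration of the two checks the post describes (the PAGE_READWRITE comparison and "which loaded module the call comes from"), written from a defender's side; this is not ExploitShield's code. The real VirtualQuery path is compiled only on Windows, and resolving the owning module with GetModuleHandleEx is my assumption of one way to do it; off Windows the genuine Win32 constant values are defined locally so the classification logic can be exercised on constructed inputs.

```c
/* Added example, not ExploitShield's code. Classifies a call site from the
 * page attributes VirtualQuery reports, separating 0x04 (PAGE_READWRITE)
 * from 0x40 (PAGE_EXECUTE_READWRITE), the value the thread says was confused. */
#ifdef _WIN32
#include <windows.h>
#else
/* Genuine Win32 values, reproduced so the logic compiles off Windows. */
typedef unsigned long DWORD;
#define PAGE_READWRITE          0x04
#define PAGE_EXECUTE_READWRITE  0x40
#define MEM_IMAGE               0x1000000
#define MEM_PRIVATE             0x20000
#endif

enum caller_kind { CALLER_IMAGE = 0, CALLER_RW_NONIMAGE = 1, CALLER_OTHER = 2 };

/* Decide what kind of memory the calling address lives in.
 * A call into a protected API from a read-write, non-image page (heap,
 * stack) is the behaviour the post describes flagging on non-DEP systems. */
enum caller_kind classify_caller(DWORD alloc_protect, DWORD mem_type)
{
    if (mem_type == MEM_IMAGE)
        return CALLER_IMAGE;          /* backed by a loaded module (PE image) */
    if (alloc_protect == PAGE_READWRITE)
        return CALLER_RW_NONIMAGE;    /* RW page, not a module: suspicious */
    return CALLER_OTHER;              /* e.g. 0x40, RWX: handled by other logic */
}

#ifdef _WIN32
/* Windows-only: query the page and, as an assumed technique, resolve the
 * module owning the address (what "which loaded module the call comes
 * from" could map to). module[] receives the path or an empty string. */
enum caller_kind classify_address(const void *addr, char *module, DWORD len)
{
    MEMORY_BASIC_INFORMATION mbi;
    HMODULE hmod = NULL;
    module[0] = '\0';
    if (VirtualQuery(addr, &mbi, sizeof mbi) == 0)
        return CALLER_OTHER;          /* unmapped address: nothing to classify */
    if (GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
                           GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                           (LPCSTR)addr, &hmod))
        GetModuleFileNameA(hmod, module, len);
    return classify_caller(mbi.AllocationProtect, mbi.Type);
}
#endif
```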
  7. BrandiCandi

    BrandiCandi Guest

    You've inspired me to test it out in my VM lab! I'll post my results and we can compare :)
     
  8. BrandiCandi

    BrandiCandi Guest

    I've been testing ExploitShield. I threw a known exploit at it but I got no alerts. Can you tell me where in the process of an exploit your program will send an alert?

    Should I get an alert when ExploitShield recognizes certain behavior during an exploit as malicious? For instance, this exploit used pcttunnell protocol, pushed non-http traffic over http protocol, and the malicious server launched a nessus scan on my victim.

    Should I get an alert from ExploitShield after an exploit has successfully executed? After I rebooted the victim post-exploit, I saw traffic outbound to an unknown new domain.

    Before I say that ExploitShield didn't work for me, I'd like to make sure I'm actually testing what it is you say it's supposed to do. What could have gone wrong in my test?
     
  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Protection against these types of exploit payloads (reverse shells, meterpreter, tcp tunnels, etc.) is being developed for ExploitShield Corporate Edition. More info about the differences between Browser Edition and Corporate Edition at:
    http://www.zerovulnerabilitylabs.com/home/exploitshield/

    As you can see in the above URL ExploitShield Browser Edition is designed to block drive-by downloads by exploit kits. What you are testing is a different type of exploit.
     
  10. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I see that it works with Chrome.
    What about other Chromium based browsers (Dragon, Iron, CoolNovo....)?
     
  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    We have not tested those, but it might work with them.
     
  12. BrandiCandi

    BrandiCandi Guest

    OK, so it only stops drive-by exploits via the browser. I'll modify my test.
     
    Last edited by a moderator: Nov 7, 2012
  13. guest

    guest Guest

    Will corporate edition only be available to be bought by companies, or will it be available for anybody?
    Will it be free for personal use?
    When can we expect the v0.8? I guess that the tray icon issue will be fixed.
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    ExploitShield Corp Edition will not be free for everybody. We might create an intermediate PRO version between the free Browser Edition and Corp Edition but that's still undecided.

    Before end of 2012. We only have one more feature to finish. Yes it will have the tray icon and non-admin user accounts issues fixed.
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Yes it will have the tray icon and non-admin :thumb:
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Drop the management and reporting options in a retail Pro for-pay version at a reasonable price and I believe you will end up with a cash cow:isay:
     
  17. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    815
    Location:
    A Non-Sh*thole State
    Absolutely. I, for one, would buy the Pro version in a heart-beat. :thumb:
     
  18. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Make it 20$ lifetime licence and I'm in too...
     
  19. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    Same here.
     
  20. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello Pedro,

    Bump... (Just wondering...?)
     
  21. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
    count me in too
     
  22. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    109
    Me too, me too! :rolleyes:
     
  23. jdsandbe

    jdsandbe Registered Member

    Joined:
    Feb 13, 2011
    Posts:
    13
    A strange thing happened to me today with ExploitShield. When I double-click in Windows Explorer on some music or audio books on my computer and it opens in Windows Media Player corporate skin, I get an exploit prevention notification. I do not get that notification if I open the same file with WMP compact skin. Also, I thought that this version of ExShield only protects you while browsing the web. Apart from this, I really like this software.

    JDS
     
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Can you PM me the contents of your exploitshield.log please?
     
  25. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    With Firefox (Win XP SP3), I've had two or three attempted Exploits blocked while accessing what I would consider "reputable" sites. The identified payload is always the same: NTDLL.DLL

    Any significance to this?
     