HitmanPro.ALERT Support and Discussion Thread

deugniet · Nov 10, 2015

No problems with Flash 19.0.0.245 (Firefox only) and build 332 beta.

Windows 10 build 10240 x64/Norton Security with Backup v22.5.4.24

paulderdash · Nov 10, 2015

L10090 said: ↑

I believe the developer stated several times that HMPA will disables 'Keystroke Encryption' if it encounters an other program that is doing 'Keystroke Encryption' too.
Click to expand...

WSA 'Protects against keyloggers' - whether that is by means of keystroke encryption, I have no idea. I have looked for 'the developer stated several times' but have not been able to find those statements in this 296 page thread!
Anyhow, HMPA Keystroke Encryption is showing in 3.0 build 209, but not in 3.1 beta (on my Win 8.1 machine), so something has changed the interaction in 3.1. It may well be that HMPA Keystroke Encryption is working in 3.1, but not showing as @Victek suggested. I will need to try the HMPA Exploit Test Tool with 3.1, to verify this, but it is reassuring to see the evidence (orange flyout).

L10090 · Nov 10, 2015

erikloman said: ↑

HitmanPro.Alert 3.1 Build 332 BETA
..............................
Please let me know how this version runs on your computer
Click to expand...

W7-x64:
Installed build 332 over build 329 without problems.
After the hmpa installation reboot, NO encryption orange border showed in Firefox 43.0b1 but in IE11 the encryption orange border did show!
After a second reboot encryption is fully working in both IE11 and FF43.0b1.

EDIT: In my case this (minor) issue is repeatable:
After a clean uninstall/install of b332 the same encryption issue happens, a second reboot is required to get keystroke encryption in Firefox.

L10090 · Nov 10, 2015

paulderdash said: ↑

WSA 'Protects against keyloggers' - whether that is by means of keystroke encryption, I have no idea. I have looked for 'the developer stated several times' but have not been able to find those statements in this 296 page thread! ...........................
Click to expand...

As an example please see: https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-252#post-2502601

deugniet · Nov 10, 2015

L10090 said: ↑

EDIT: In my case this (minor) issue is repeatable:
After a clean uninstall/install of b332 the same encryption issue happens, a second reboot is required to get keystroke encryption in Firefox.
Click to expand...

After 2nd reboot it still does not show keystroke encryption in FF 42.0 and IE11. Guess its Norton-related.

Windows 10 build 10240 x64/Norton Security with Backup v22.5.4.24/Alert build 332 beta

busy · Nov 10, 2015

erikloman said: ↑

HitmanPro.Alert 3.1 Build 332 BETA

Please let me know how this version runs on your computer
Click to expand...

I'm getting black screen after the Windows Logo appears, right before the login screen. No problem with HMPA v3.0.

HMPA 3.1 + Outpost 9.2 (incompatibility with wl_hook.dll/wl_hook64.dll )

bjm_ · Nov 10, 2015

paulderdash said: ↑

I will need to try the HMPA Exploit Test Tool with 3.1, to verify this, but it is reassuring to see the evidence (orange flyout).
Click to expand...

Run tests with 3.0 first to familiarize and observe what you're expecting. Then you can play with 3.1.

maniac2003 · Nov 10, 2015

erikloman said: ↑

Looks like a conflict with an ASUS component (C:\Program Files\asustekcomputer.inc\ss2\userinterface\x64\ss2devprops.dll).
To what ASUS application does the component belong?
Click to expand...

That would be the Asus Sonic Suite 2 application. Part of the software delivered with my Asus Maximus VIII Hero motherboard.

paulderdash · Nov 10, 2015

bjm_ said: ↑

Run tests with 3.0 first to familiarize and observe what you're expecting. Then you can play with 3.1.
Click to expand...

OK. The Test Tool definitely shows the HMPA Keystroke Encryption is working in 3.0, and orange flyout works consistently.
In 3.1 build 332 beta the Test Tool also shows it is working, but orange flyout does not show consistently - though it does show occasionally.
Will revert to 3.0.
Win 8.1 64-bit. Firefox 42.

MD5 · Nov 10, 2015

Using both 3.1 beta build 329 and 332, I'm unable to use IE11.
Just after launching, browser startup is blocked by HMPA with the following details:

Code:

Mitigation   ROP

Platform     6.1.7601/x64 06_5e
PID          7096
Application  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Description  Internet Explorer 11

Callee Type  LoadLibrary

Branch Trace                      Opcode  To                             
-------------------------------- -------- --------------------------------
BaseGetProcessDllPath +0x2f           RET LoadLibraryExW +0x16a          
0x7728C260 KernelBase.dll                 0x77292C1B KernelBase.dll      

SetThreadStackGuarantee               RET BaseGetProcessDllPath +0x2e    
0x7728C229 KernelBase.dll                 0x7728C25F KernelBase.dll      

wcsncmp +0x36                         RET SetThreadStackGuarantee        
0x77A68324 ntdll.dll                      0x7728C0AE KernelBase.dll      

CheckTokenMembership                  RET SetThreadStackGuarantee        
0x7729EAA2 KernelBase.dll                 0x7728C06E KernelBase.dll      

CheckTokenMembership +0x245           RET CheckTokenMembership           
0x7729E97A KernelBase.dll                 0x7729EA65 KernelBase.dll      

InterlockedCompareExchange +0x10      RET CheckTokenMembership +0x236    
0x77286AAC KernelBase.dll                 0x7729E96B KernelBase.dll      

CheckTokenMembership +0x210           RET CheckTokenMembership           
0x7729E945 KernelBase.dll                 0x7729EA5D KernelBase.dll      

SetThreadStackGuarantee +0x1b3        RET BaseGetProcessDllPath +0x12    
0x7728BA3A KernelBase.dll                 0x7728C243 KernelBase.dll      

RegisterWaitForSingleObjectEx +0xac      RET SetThreadStackGuarantee +0x1a5 
0x7728B2AC KernelBase.dll                 0x7728BA2C KernelBase.dll      

wcsrchr +0x2d                         RET RegisterWaitForSingleObjectEx +0x9e
0x77A6828F ntdll.dll                      0x7728B29E KernelBase.dll      

wcschr +0x25                          RET RegisterWaitForSingleObjectEx +0x8e
0x77A682BA ntdll.dll                      0x7728B28E KernelBase.dll      

RtlInitUnicodeStringEx +0x4b          RET LoadLibraryExW +0x5d           
0x77A68049 ntdll.dll                      0x77292B0E KernelBase.dll      

0x735694B9 SS2DevProps.dll            RET GetHotPatchInfo                
                                          0x7356BDDE SS2DevProps.dll     

0x735698AC SS2DevProps.dll            RET 0x735694B6 SS2DevProps.dll     

GetConsoleMode +0x46                  RET GetHotPatchInfo                
0x75E4136E kernel32.dll                   0x7356BD74 SS2DevProps.dll     

GetHotPatchInfo                       RET GetHotPatchInfo                
0x7356CDD0 SS2DevProps.dll                0x7356BCF1 SS2DevProps.dll     

GetHotPatchInfo                       RET GetHotPatchInfo                
0x7356CDD0 SS2DevProps.dll                0x7356BC6D SS2DevProps.dll     

LoadLibraryW +0x5                   * RET GetHotPatchInfo                
0x75E448E8 kernel32.dll                   0x7356B5A0 SS2DevProps.dll     
            55                       PUSH         EBP
            8bec                     MOV          EBP, ESP
            83e4f8                   AND          ESP, -0x8
            6aff                     PUSH         -0x1
            68feb95773               PUSH         DWORD 0x7357b9fe
            64a100000000             MOV          EAX, [FS:0x0]
            50                       PUSH         EAX
            64892500000000           MOV          [FS:0x0], ESP
            51                       PUSH         ECX
            a19ced5873               MOV          EAX, [0x7358ed9c]
            a801                     TEST         AL, 0x1
            752c                     JNZ          0x7356b5f1
            83c801                   OR           EAX, 0x1
            a39ced5873               MOV          [0x7358ed9c], EAX
            6a00                     PUSH         0x0
            c744241000000000         MOV          DWORD [ESP+0x10], 0x0
                                 (54CFC3DFAD8EE718)


CreateUri                             RET CreateFormatEnumerator         
0x75FF4B50 urlmon.dll                     0x76038211 urlmon.dll          

memset +0x68                          RET CreateUri                      
0x771D97F8 msvcrt.dll                     0x75FF4B49 urlmon.dll          

CoTaskMemAlloc +0x14                  RET CreateUri                      
0x7544EA60 ole32.dll                      0x75FF4B38 urlmon.dll          

CoFreeUnusedLibrariesEx               RET CoTaskMemAlloc +0x13           
0x7544EA44 ole32.dll                      0x7544EA5F ole32.dll           

RtlAllocateHeap +0xe6                 RET CoFreeUnusedLibrariesEx        
0x77A5E11C ntdll.dll                      0x7544EA43 ole32.dll           

RtlInitUnicodeString +0x164           RET RtlAllocateHeap +0xac          
0x77A5E394 ntdll.dll                      0x77A5E0E2 ntdll.dll           

memcpy                                RET RtlInitUnicodeString +0x164    
0x77A5DF2C ntdll.dll                      0x77A5E394 ntdll.dll           

memcpy                                RET RtlInitUnicodeString +0x4d     
0x77A5DF18 ntdll.dll                      0x77A5E27D ntdll.dll           

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  77292CA8 KernelBase.dll           LoadLibraryExW +0x1f7
2  75E448F4 kernel32.dll             LoadLibraryW +0x11

3  7356BDF4 SS2DevProps.dll          GetHotPatchInfo
            8bf0                     MOV          ESI, EAX
            ff1588c05773             CALL         DWORD [0x7357c088]
            8d8fe4000000             LEA          ECX, [EDI+0xe4]
            51                       PUSH         ECX
            8be8                     MOV          EBP, EAX
            ff15e0c05773             CALL         DWORD [0x7357c0e0]
            85c0                     TEST         EAX, EAX
            740d                     JZ           0x7356be1c
            8b0f                     MOV          ECX, [EDI]
            8b4904                   MOV          ECX, [ECX+0x4]
            c1e907                   SHR          ECX, 0x7
            f6c101                   TEST         CL, 0x1
            740d                     JZ           0x7356be29
            85f6                     TEST         ESI, ESI
            7409                     JZ           0x7356be29
            6a02                     PUSH         0x2


Process Trace
1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [7096]
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6084 CREDAT:275457 /prefetch:2
2  C:\Program Files\Internet Explorer\iexplore.exe [6084]
3  C:\Windows\explorer.exe [4528]
4  C:\Windows\System32\userinit.exe [1664]

Any help really appreciated.

OS = W7 64bit
Antivirus = NOD32 64 bit 9.0.x

Victek · Nov 10, 2015

paulderdash said: ↑

OK. The Test Tool definitely shows the HMPA Keystroke Encryption is working in 3.0, and orange flyout works consistently.
In 3.1 build 332 beta the Test Tool also shows it is working, but orange flyout does not show consistently - though it does show occasionally.
Will revert to 3.0.
Win 8.1 64-bit. Firefox 42.
Click to expand...

Thanks for testing and confirming it works in 3.1 build 332 Beta even when the colored indicator doesn't show

erikloman · Nov 10, 2015

MD5 said: ↑

Using both 3.1 beta build 329 and 332, I'm unable to use IE11.
Just after launching, browser startup is blocked by HMPA with the following details:

Code:

Mitigation   ROP

Platform     6.1.7601/x64 06_5e
PID          7096
Application  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Description  Internet Explorer 11

Callee Type  LoadLibrary

Branch Trace                      Opcode  To                            
-------------------------------- -------- --------------------------------
BaseGetProcessDllPath +0x2f           RET LoadLibraryExW +0x16a         
0x7728C260 KernelBase.dll                 0x77292C1B KernelBase.dll     

SetThreadStackGuarantee               RET BaseGetProcessDllPath +0x2e   
0x7728C229 KernelBase.dll                 0x7728C25F KernelBase.dll     

wcsncmp +0x36                         RET SetThreadStackGuarantee       
0x77A68324 ntdll.dll                      0x7728C0AE KernelBase.dll     

CheckTokenMembership                  RET SetThreadStackGuarantee       
0x7729EAA2 KernelBase.dll                 0x7728C06E KernelBase.dll     

CheckTokenMembership +0x245           RET CheckTokenMembership          
0x7729E97A KernelBase.dll                 0x7729EA65 KernelBase.dll     

InterlockedCompareExchange +0x10      RET CheckTokenMembership +0x236   
0x77286AAC KernelBase.dll                 0x7729E96B KernelBase.dll     

CheckTokenMembership +0x210           RET CheckTokenMembership          
0x7729E945 KernelBase.dll                 0x7729EA5D KernelBase.dll     

SetThreadStackGuarantee +0x1b3        RET BaseGetProcessDllPath +0x12   
0x7728BA3A KernelBase.dll                 0x7728C243 KernelBase.dll     

RegisterWaitForSingleObjectEx +0xac      RET SetThreadStackGuarantee +0x1a5
0x7728B2AC KernelBase.dll                 0x7728BA2C KernelBase.dll     

wcsrchr +0x2d                         RET RegisterWaitForSingleObjectEx +0x9e
0x77A6828F ntdll.dll                      0x7728B29E KernelBase.dll     

wcschr +0x25                          RET RegisterWaitForSingleObjectEx +0x8e
0x77A682BA ntdll.dll                      0x7728B28E KernelBase.dll     

RtlInitUnicodeStringEx +0x4b          RET LoadLibraryExW +0x5d          
0x77A68049 ntdll.dll                      0x77292B0E KernelBase.dll     

0x735694B9 SS2DevProps.dll            RET GetHotPatchInfo               
                                          0x7356BDDE SS2DevProps.dll    

0x735698AC SS2DevProps.dll            RET 0x735694B6 SS2DevProps.dll    

GetConsoleMode +0x46                  RET GetHotPatchInfo               
0x75E4136E kernel32.dll                   0x7356BD74 SS2DevProps.dll    

GetHotPatchInfo                       RET GetHotPatchInfo               
0x7356CDD0 SS2DevProps.dll                0x7356BCF1 SS2DevProps.dll    

GetHotPatchInfo                       RET GetHotPatchInfo               
0x7356CDD0 SS2DevProps.dll                0x7356BC6D SS2DevProps.dll    

LoadLibraryW +0x5                   * RET GetHotPatchInfo               
0x75E448E8 kernel32.dll                   0x7356B5A0 SS2DevProps.dll    
            55                       PUSH         EBP
            8bec                     MOV          EBP, ESP
            83e4f8                   AND          ESP, -0x8
            6aff                     PUSH         -0x1
            68feb95773               PUSH         DWORD 0x7357b9fe
            64a100000000             MOV          EAX, [FS:0x0]
            50                       PUSH         EAX
            64892500000000           MOV          [FS:0x0], ESP
            51                       PUSH         ECX
            a19ced5873               MOV          EAX, [0x7358ed9c]
            a801                     TEST         AL, 0x1
            752c                     JNZ          0x7356b5f1
            83c801                   OR           EAX, 0x1
            a39ced5873               MOV          [0x7358ed9c], EAX
            6a00                     PUSH         0x0
            c744241000000000         MOV          DWORD [ESP+0x10], 0x0
                                 (54CFC3DFAD8EE718)


CreateUri                             RET CreateFormatEnumerator        
0x75FF4B50 urlmon.dll                     0x76038211 urlmon.dll         

memset +0x68                          RET CreateUri                     
0x771D97F8 msvcrt.dll                     0x75FF4B49 urlmon.dll         

CoTaskMemAlloc +0x14                  RET CreateUri                     
0x7544EA60 ole32.dll                      0x75FF4B38 urlmon.dll         

CoFreeUnusedLibrariesEx               RET CoTaskMemAlloc +0x13          
0x7544EA44 ole32.dll                      0x7544EA5F ole32.dll          

RtlAllocateHeap +0xe6                 RET CoFreeUnusedLibrariesEx       
0x77A5E11C ntdll.dll                      0x7544EA43 ole32.dll          

RtlInitUnicodeString +0x164           RET RtlAllocateHeap +0xac         
0x77A5E394 ntdll.dll                      0x77A5E0E2 ntdll.dll          

memcpy                                RET RtlInitUnicodeString +0x164   
0x77A5DF2C ntdll.dll                      0x77A5E394 ntdll.dll          

memcpy                                RET RtlInitUnicodeString +0x4d    
0x77A5DF18 ntdll.dll                      0x77A5E27D ntdll.dll          

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  77292CA8 KernelBase.dll           LoadLibraryExW +0x1f7
2  75E448F4 kernel32.dll             LoadLibraryW +0x11

3  7356BDF4 SS2DevProps.dll          GetHotPatchInfo
            8bf0                     MOV          ESI, EAX
            ff1588c05773             CALL         DWORD [0x7357c088]
            8d8fe4000000             LEA          ECX, [EDI+0xe4]
            51                       PUSH         ECX
            8be8                     MOV          EBP, EAX
            ff15e0c05773             CALL         DWORD [0x7357c0e0]
            85c0                     TEST         EAX, EAX
            740d                     JZ           0x7356be1c
            8b0f                     MOV          ECX, [EDI]
            8b4904                   MOV          ECX, [ECX+0x4]
            c1e907                   SHR          ECX, 0x7
            f6c101                   TEST         CL, 0x1
            740d                     JZ           0x7356be29
            85f6                     TEST         ESI, ESI
            7409                     JZ           0x7356be29
            6a02                     PUSH         0x2


Process Trace
1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [7096]
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6084 CREDAT:275457 /prefetch:2
2  C:\Program Files\Internet Explorer\iexplore.exe [6084]
3  C:\Windows\explorer.exe [4528]
4  C:\Windows\System32\userinit.exe [1664]

Any help really appreciated.

OS = W7 64bit
Antivirus = NOD32 64 bit 9.0.x

Click to expand...

Will be addressed in the new build.

jmonge · Nov 10, 2015

love this program

erikloman · Nov 10, 2015

Blog: Mitigating Wow64 Exploit Attacks
https://hitmanpro.wordpress.com/2015/11/10/mitigating-wow64-exploit-attacks/

A new Exploit Test Tool has been released to trigger the Wow64 bypass safely.
http://dl.surfright.nl/hmpalert-test.exe

jmonge · Nov 10, 2015

nice,its my faborite

test · Nov 10, 2015

erikloman said: ↑

Blog: Mitigating Wow64 Exploit Attacks
https://hitmanpro.wordpress.com/2015/11/10/mitigating-wow64-exploit-attacks/
Click to expand...

You guys deserve my money!

Krusty · Nov 10, 2015

deugniet said: ↑

After 2nd reboot it still does not show keystroke encryption in FF 42.0 and IE11. Guess its Norton-related.

Windows 10 build 10240 x64/Norton Security with Backup v22.5.4.24/Alert build 332 beta
Click to expand...

Nope, not Norton related. I have Keystroke Encryption in all browsers.

Check you have that setting enabled.

Click on Safety Notification and check you have it set to Application Start, then click on Colored window border and check you have Show live Keystroke Encryption in colorerd window border enabled.

SanyaIV · Nov 10, 2015

Have Intruder Alert for Internet Explorer (Whichever is installed with Windows 10) and Microsoft Edge with HMPA 332 beta in combination with Comodo Firewall. (Haven't tested earlier versions of HMPA, assuming this happened then as well, I just never used these browsers before)

Seems to only happen when the "Detect shellcode injection" option is enabled in the HIPS settings in Comodo Firewall.

To be honest I'm not sure something is wrong here, perhaps this is expected results?

Intruder

PID 9908
Application C:\Program Files\Internet Explorer\iexplore.exe
Description Internet Explorer 11

Detour Report
# Address Owner Disassembly
-- ------------------ ------------------------ ------------------------
AlphaBlend
1 0x00007FFEF9B91090 MSIMG32.dll JMP 0x7ffefd2b1418
2 0x00007FFEFD2B1418 (unknown)

TransparentBlt
1 0x00007FFEF9B91630 MSIMG32.dll JMP 0x7ffefd2b13e0
2 0x00007FFEFD2B13E0 (unknown)

EncryptMessage
1 0x00007FFEFCCE5510 SspiCli.dll JMP 0x7ffefd2b13a8
2 0x00007FFEFD2B13A8 (unknown)

FilterConnectCommunicationPort
1 0x00007FFEFCF220A0 fltLib.dll JMP 0x7ffefd2b0180
2 0x00007FFEFD2B0180 (unknown)

FilterSendMessage
1 0x00007FFEFCF222C0 fltLib.dll JMP 0x7ffefd2b01b8
2 0x00007FFEFD2B01B8 (unknown)

CopyFile2
1 0x00007FFEFD32E7A0 KernelBase.dll JMP 0x7ffefd2b0378
2 0x00007FFEFD2B0378 (unknown)

CopyFileExW
1 0x00007FFEFD2EB260 KernelBase.dll JMP 0x7ffefd2b03b0
2 0x00007FFEFD2B03B0 (unknown)

CreateProcessInternalW
1 0x00007FFEFD2E6750 KernelBase.dll JMP 0x7ffefd4f000e
2 0x00007FFEFD4F000E (anonymous)

MoveFileWithProgressTransactedW
1 0x00007FFEFD31A220 KernelBase.dll JMP 0x7ffefd2b0340
2 0x00007FFEFD2B0340 (unknown)

SetProcessShutdownParameters
1 0x00007FFEFD32BDD0 KernelBase.dll JMP 0x7ffefd2b01f0
2 0x00007FFEFD2B01F0 (unknown)

BlockInput
1 0x00007FFEFE063080 user32.dll JMP 0x7ffefd2b0ca8
2 0x00007FFEFD2B0CA8 (unknown)

EnableWindow
1 0x00007FFEFE056130 user32.dll JMP 0x7ffefd2b0dc0
2 0x00007FFEFD2B0DC0 (unknown)

EndTask
1 0x00007FFEFE087960 user32.dll JMP 0x7ffefd2b0228
2 0x00007FFEFD2B0228 (unknown)

ExitWindowsEx
1 0x00007FFEFE05E6B0 user32.dll JMP 0x7ffefd2b0df8
2 0x00007FFEFD2B0DF8 (unknown)

GetAsyncKeyState
1 0x00007FFEFE051C60 user32.dll JMP 0x7ffefd2b0b90
2 0x00007FFEFD2B0B90 (unknown)

GetClipboardData
1 0x00007FFEFE05ABA0 user32.dll JMP 0x7ffefd2b0ce0
2 0x00007FFEFD2B0CE0 (unknown)

GetKeyboardState
1 0x00007FFEFE0603C0 user32.dll JMP 0x7ffefd2b0b20
2 0x00007FFEFD2B0B20 (unknown)

GetKeyState
1 0x00007FFEFE04FA50 user32.dll JMP 0x7ffefd2b0b58
2 0x00007FFEFD2B0B58 (unknown)

GetMessageA
1 0x00007FFEFE04AA50 user32.dll JMP 0x7ffef2540d4e
2 0x00007FFEF2540D4E (unknown)

GetMessageW
1 0x00007FFEFE04F8C0 user32.dll JMP 0x7ffef2540d0e
2 0x00007FFEF2540D0E (unknown)

IsDialogMessage
1 0x00007FFEFE08A7D0 user32.dll JMP 0x7ffefd2b0650
2 0x00007FFEFD2B0650 (unknown)

IsDialogMessageW
1 0x00007FFEFE042020 user32.dll JMP 0x7ffefd2b0688
2 0x00007FFEFD2B0688 (unknown)

keybd_event
1 0x00007FFEFE0AB5E0 user32.dll JMP 0x7ffefd2b04c8
2 0x00007FFEFD2B04C8 (unknown)

mouse_event
1 0x00007FFEFE056B40 user32.dll JMP 0x7ffefd2b0500
2 0x00007FFEFD2B0500 (unknown)

MoveWindow
1 0x00007FFEFE060220 user32.dll JMP 0x7ffefd2b0c38
2 0x00007FFEFD2B0C38 (unknown)

PeekMessageA
1 0x00007FFEFE04A4C0 user32.dll JMP 0x7ffef2540cce
2 0x00007FFEF2540CCE (unknown)

PeekMessageW
1 0x00007FFEFE04A5F0 user32.dll JMP 0x7ffef2540c8e
2 0x00007FFEF2540C8E (unknown)

PostMessageA
1 0x00007FFEFE054900 user32.dll JMP 0x7ffefd2b07d8
2 0x00007FFEFD2B07D8 (unknown)

PostMessageW
1 0x00007FFEFE0470A0 user32.dll JMP 0x7ffefd2b0810
2 0x00007FFEFD2B0810 (unknown)

PostThreadMessageA
1 0x00007FFEFE054880 user32.dll JMP 0x7ffefd2b0848
2 0x00007FFEFD2B0848 (unknown)

PostThreadMessageW
1 0x00007FFEFE052B00 user32.dll JMP 0x7ffefd2b0880
2 0x00007FFEFD2B0880 (unknown)

RegisterHotKey
1 0x00007FFEFE063C30 user32.dll JMP 0x7ffefd2b0d18
2 0x00007FFEFD2B0D18 (unknown)

RegisterRawInputDevices
1 0x00007FFEFE063C70 user32.dll JMP 0x7ffefd2b0bc8
2 0x00007FFEFD2B0BC8 (unknown)

SendDlgItemMessageA
1 0x00007FFEFE0B3050 user32.dll JMP 0x7ffefd2b0a78
2 0x00007FFEFD2B0A78 (unknown)

SendDlgItemMessageW
1 0x00007FFEFE031A90 user32.dll JMP 0x7ffefd2b0ab0
2 0x00007FFEFD2B0AB0 (unknown)

SendInput
1 0x00007FFEFE060460 user32.dll JMP 0x7ffefd2b0ae8
2 0x00007FFEFD2B0AE8 (unknown)

SendMessageA
1 0x00007FFEFE0449C0 user32.dll JMP 0x7ffefd2b08b8
2 0x00007FFEFD2B08B8 (unknown)

SendMessageCallbackA
1 0x00007FFEFE0B39D0 user32.dll JMP 0x7ffefd2b0998
2 0x00007FFEFD2B0998 (unknown)

SendMessageCallbackW
1 0x00007FFEFE04F970 user32.dll JMP 0x7ffefd2b09d0
2 0x00007FFEFD2B09D0 (unknown)

SendMessageTimeoutA
1 0x00007FFEFE054130 user32.dll JMP 0x7ffefd2b0928
2 0x00007FFEFD2B0928 (unknown)

SendMessageTimeoutW
1 0x00007FFEFE04CBC0 user32.dll JMP 0x7ffefd2b0960
2 0x00007FFEFD2B0960 (unknown)

SendMessageW
1 0x00007FFEFE03F4B0 user32.dll JMP 0x7ffefd2b08f0
2 0x00007FFEFD2B08F0 (unknown)

SendNotifyMessageA
1 0x00007FFEFE059A50 user32.dll JMP 0x7ffefd2b0a08
2 0x00007FFEFD2B0A08 (unknown)

SendNotifyMessageW
1 0x00007FFEFE045F30 user32.dll JMP 0x7ffefd2b0a40
2 0x00007FFEFD2B0A40 (unknown)

SetClipboardViewer
1 0x00007FFEFE060DE0 user32.dll JMP 0x7ffefd2b0c70
2 0x00007FFEFD2B0C70 (unknown)

SetParent
1 0x00007FFEFE0603B0 user32.dll JMP 0x7ffefd2b0c00
2 0x00007FFEFD2B0C00 (unknown)

SetWindowLongA
1 0x00007FFEFE056CD0 user32.dll JMP 0x7ffefd2b0768
2 0x00007FFEFD2B0768 (unknown)

SetWindowLongW
1 0x00007FFEFE040F30 user32.dll JMP 0x7ffefd2b07a0
2 0x00007FFEFD2B07A0 (unknown)

SetWindowsHookExA
1 0x00007FFEFE0327A0 user32.dll JMP 0x7ffefd2b06c0
2 0x00007FFEFD2B06C0 (unknown)

SetWindowsHookExW
1 0x00007FFEFE053610 user32.dll JMP 0x7ffefd2b06f8
2 0x00007FFEFD2B06F8 (unknown)

SetWinEventHook
1 0x00007FFEFE053F80 user32.dll JMP 0x7ffefd2b0730
2 0x00007FFEFD2B0730 (unknown)

SystemParametersInfoA
1 0x00007FFEFE0408A0 user32.dll JMP 0x7ffefd2b0d50
2 0x00007FFEFD2B0D50 (unknown)

SystemParametersInfoW
1 0x00007FFEFE04E1A0 user32.dll JMP 0x7ffefd2b0d88
2 0x00007FFEFD2B0D88 (unknown)

TranslateMessage
1 0x00007FFEFE0436A0 user32.dll JMP 0x7ffefd2b0618
2 0x00007FFEFD2B0618 (unknown)

BitBlt
1 0x00007FFF001FF3F0 gdi32.dll JMP 0x7ffefd2b03e8
2 0x00007FFEFD2B03E8 (unknown)

CreateDCA
1 0x00007FFF00200380 gdi32.dll JMP 0x7ffefd2b0260
2 0x00007FFEFD2B0260 (unknown)

CreateDCW
1 0x00007FFF00200240 gdi32.dll JMP 0x7ffefd2b0298
2 0x00007FFEFD2B0298 (unknown)

DeleteDC
1 0x00007FFF001D8500 gdi32.dll JMP 0x7ffefd2b0308
2 0x00007FFEFD2B0308 (unknown)

GetPixel
1 0x00007FFF001FD740 gdi32.dll JMP 0x7ffefd2b02d0
2 0x00007FFEFD2B02D0 (unknown)

MaskBlt
1 0x00007FFF00202700 gdi32.dll JMP 0x7ffefd2b0420
2 0x00007FFEFD2B0420 (unknown)

PlgBlt
1 0x00007FFF00247AC0 gdi32.dll JMP 0x7ffefd2b0458
2 0x00007FFEFD2B0458 (unknown)

StretchBlt
1 0x00007FFF001FFD90 gdi32.dll JMP 0x7ffefd2b0490
2 0x00007FFEFD2B0490 (unknown)

KiUserExceptionDispatcher
1 0x00007FFF00825410 ntdll.dll JMP 0x7ffef2540d96
2 0x00007FFEF2540D96 (unknown)

LdrLoadDll
1 0x00007FFF007AAEF0 ntdll.dll JMP 0x7ffef2540e13
2 0x00007FFEF2540E13 (unknown)

LdrUnloadDll
1 0x00007FFF007C80D0 ntdll.dll JMP 0x7ffefd2b0148
2 0x00007FFEFD2B0148 (unknown)

NtAdjustPrivilegesToken
1 0x00007FFF00823900 ntdll.dll JMP 0x7ffefd2b1258
2 0x00007FFEFD2B1258 (unknown)

NtAllocateVirtualMemory
1 0x00007FFF00823670 ntdll.dll JMP 0x7fff00a0000e
2 0x00007FFF00A0000E (anonymous)

NtAlpcConnectPort
1 0x00007FFF00823C40 ntdll.dll JMP 0x7ffefd2b1370
2 0x00007FFEFD2B1370 (unknown)

NtAlpcCreatePort
1 0x00007FFF00823C60 ntdll.dll JMP 0x7ffefd2b0e68
2 0x00007FFEFD2B0E68 (unknown)

NtAlpcSendWaitReceivePort
1 0x00007FFF00823D70 ntdll.dll JMP 0x7ffefd2b0e30
2 0x00007FFEFD2B0E30 (unknown)

NtClose
1 0x00007FFF008235E0 ntdll.dll JMP 0x7ffefd2b0110
2 0x00007FFEFD2B0110 (unknown)

NtConnectPort
1 0x00007FFF00823E80 ntdll.dll JMP 0x7ffefd2b10d0
2 0x00007FFEFD2B10D0 (unknown)

NtCreateEvent
1 0x00007FFF00823970 ntdll.dll JMP 0x7ffefd2b0ed8
2 0x00007FFEFD2B0ED8 (unknown)

NtCreateEventPair
1 0x00007FFF00823ED0 ntdll.dll JMP 0x7ffefd2b0f10
2 0x00007FFEFD2B0F10 (unknown)

NtCreateFile
1 0x00007FFF00823A40 ntdll.dll JMP 0x7ffefd2b11e8
2 0x00007FFEFD2B11E8 (unknown)

NtCreateMutant
1 0x00007FFF00823F60 ntdll.dll JMP 0x7ffefd2b0ea0
2 0x00007FFEFD2B0EA0 (unknown)

NtCreatePort
1 0x00007FFF00823FA0 ntdll.dll JMP 0x7ffefd2b0f80
2 0x00007FFEFD2B0F80 (unknown)

NtCreateSection
1 0x00007FFF00823990 ntdll.dll JMP 0x7ffefd2b1178
2 0x00007FFEFD2B1178 (unknown)

NtCreateSemaphore
1 0x00007FFF00824000 ntdll.dll JMP 0x7ffefd2b0f48
2 0x00007FFEFD2B0F48 (unknown)

NtCreateSymbolicLinkObject
1 0x00007FFF00824010 ntdll.dll JMP 0x7ffefd2b1290
2 0x00007FFEFD2B1290 (unknown)

NtCreateThread
1 0x00007FFF008239D0 ntdll.dll JMP 0x7ffefd2b0fb8
2 0x00007FFEFD2B0FB8 (unknown)

NtCreateThreadEx
1 0x00007FFF00824020 ntdll.dll JMP 0x7ffefd2b1338
2 0x00007FFEFD2B1338 (unknown)

NtFreeVirtualMemory
1 0x00007FFF008236D0 ntdll.dll JMP 0x7ffef2540f16
2 0x00007FFEF2540F16 (unknown)

NtLoadDriver
1 0x00007FFF00824440 ntdll.dll JMP 0x7ffefd2b1108
2 0x00007FFEFD2B1108 (unknown)

NtMakeTemporaryObject
1 0x00007FFF008244D0 ntdll.dll JMP 0x7ffefd2b12c8
2 0x00007FFEFD2B12C8 (unknown)

NtMapViewOfSection
1 0x00007FFF00823770 ntdll.dll JMP 0x7ffef2540e96
2 0x00007FFEF2540E96 (unknown)

NtOpenFile
1 0x00007FFF00823820 ntdll.dll JMP 0x7ffefd2b1220
2 0x00007FFEFD2B1220 (unknown)

NtOpenSection
1 0x00007FFF00823860 ntdll.dll JMP 0x7ffefd2b11b0
2 0x00007FFEFD2B11B0 (unknown)

NtProtectVirtualMemory
1 0x00007FFF008239F0 ntdll.dll JMP 0x7ffef2540ed6
2 0x00007FFEF2540ED6 (unknown)

NtSetInformationProcess
1 0x00007FFF008236B0 ntdll.dll JMP 0x7ffefd2b1300
2 0x00007FFEFD2B1300 (unknown)

NtSetSystemInformation
1 0x00007FFF00824DD0 ntdll.dll JMP 0x7ffefd2b1140
2 0x00007FFEFD2B1140 (unknown)

NtShutdownSystem
1 0x00007FFF00824E70 ntdll.dll JMP 0x7ffefd2b1028
2 0x00007FFEFD2B1028 (unknown)

NtSystemDebugControl
1 0x00007FFF00824F00 ntdll.dll JMP 0x7ffefd2b1060
2 0x00007FFEFD2B1060 (unknown)

NtTerminateProcess
1 0x00007FFF008237B0 ntdll.dll JMP 0x7ffefd2b1098
2 0x00007FFEFD2B1098 (unknown)

NtTerminateThread
1 0x00007FFF00823A20 ntdll.dll JMP 0x7ffefd2b0ff0
2 0x00007FFEFD2B0FF0 (unknown)

NtUnmapViewOfSection
1 0x00007FFF00823790 ntdll.dll JMP 0x7ffef2540e56
2 0x00007FFEF2540E56 (unknown)

NtWaitForDebugEvent
1 0x00007FFF00825030 ntdll.dll JMP 0x7ffef2540fd6
2 0x00007FFEF2540FD6 (unknown)

RtlInstallFunctionTableCallback
1 0x00007FFF008086C0 ntdll.dll JMP 0x7ffef2540f93
2 0x00007FFEF2540F93 (unknown)

Intruder

PID 9524
Application C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Description Microsoft Edge 11

Detour Report
# Address Owner Disassembly
-- ------------------ ------------------------ ------------------------
EncryptMessage
1 0x00007FFEFCCE5510 SspiCli.dll JMP 0x7ffefd2b13a8
2 0x00007FFEFD2B13A8 (unknown)

deugniet · Nov 10, 2015

Krusty13 said: ↑

Nope, not Norton related. I have Keystroke Encryption in all browsers.

Check you have that setting enabled.

Click on Safety Notification and check you have it set to Application Start, then click on Colored window border and check you have Show live Keystroke Encryption in colorerd window border enabled.
Click to expand...

Solved, not Norton-releated. Nice one Krusty. Didnt know this setting existed.

bjm_ · Nov 10, 2015

paulderdash said: ↑

OK. The Test Tool definitely shows the HMPA Keystroke Encryption is working in 3.0, and orange flyout works consistently.
In 3.1 build 332 beta the Test Tool also shows it is working, but orange flyout does not show consistently - though it does show occasionally.
Will revert to 3.0.
Win 8.1 64-bit. Firefox 42.
Click to expand...

FWIW ~ 3.1 by Test Tool with Identity Protection On showed random reference to keystroke if and when random orange flyout.
My money is on orange flyout. No orange flyout no crypt. For all I know the whole thing is smoke and mirrors.
Smoke and mirrors presents confidence by 3.0. 3.1...not convinced. YMMV M2C

bjm_ · Nov 10, 2015

Victek said: ↑

Thanks for testing and confirming it works in 3.1 build 332 Beta even when the colored indicator doesn't show
Click to expand...

What does your testing show with Identity Shield On n' Off.

malware1 · Nov 10, 2015

How is that possible? I reinstalled Windows 7 on my PC and HMP.Alert is still activated (It was activated on the previous installation).

erikloman · Nov 10, 2015

Victek said: ↑

Thanks for testing and confirming it works in 3.1 build 332 Beta even when the colored indicator doesn't show
Click to expand...

If the keystroke indicator isn't displayed, try moving the window and then type something. Does it work then?

Azure Phoenix · Nov 10, 2015

paulderdash said: ↑

OK. The Test Tool definitely shows the HMPA Keystroke Encryption is working in 3.0, and orange flyout works consistently.
In 3.1 build 332 beta the Test Tool also shows it is working, but orange flyout does not show consistently - though it does show occasionally.
Will revert to 3.0.
Win 8.1 64-bit. Firefox 42.
Click to expand...

So, it seem my previous assumption was correct. Thanks for confirming.

Rasheed187 · Nov 10, 2015

L10090 said: ↑

What do you mean (based on what) that HMP.alert is causing so much false positives? In our environment there are 3 desktops and 2 laptops all running the same basic AV/Security SW (see my signature) and in total we had 2 false positives in the last 6 months!
Click to expand...

erikloman said: ↑

When you say Alert has "so many false positives". Please quantify your assumption? Which false positives are you referring to?
Click to expand...

Thanks for thee feedback. It's just that I'm a bit frustrated, I would love to use HMPA, but the last couple of times, it caused SBIE to malfunction, and on top of that I see quite a lot of people posting issues about for example ROP alerts. So I'm a bit hesitant to try it again.

Log in or Sign up

HitmanPro.ALERT Support and Discussion Thread

deugniet Registered Member

paulderdash Registered Member

L10090 Registered Member

L10090 Registered Member

deugniet Registered Member

busy Registered Member

bjm_ Registered Member

maniac2003 Registered Member

paulderdash Registered Member

MD5 Registered Member

Victek Registered Member

erikloman Developer

jmonge Registered Member

erikloman Developer

jmonge Registered Member

test Registered Member

Krusty Registered Member

SanyaIV Registered Member

deugniet Registered Member

bjm_ Registered Member

bjm_ Registered Member

malware1 Registered Member

erikloman Developer

Azure Phoenix Registered Member

Rasheed187 Registered Member

Log in or Sign up

HitmanPro.ALERT Support and Discussion Thread

deugniet Registered Member

paulderdash Registered Member

L10090 Registered Member

L10090 Registered Member

deugniet Registered Member

busy Registered Member

bjm_ Registered Member

maniac2003 Registered Member

paulderdash Registered Member

MD5 Registered Member

Victek Registered Member

erikloman Developer

jmonge Registered Member

erikloman Developer

jmonge Registered Member

test Registered Member

Krusty Registered Member

SanyaIV Registered Member

deugniet Registered Member

bjm_ Registered Member

bjm_ Registered Member

malware1 Registered Member

erikloman Developer

Azure Phoenix Registered Member

Rasheed187 Registered Member

Useful Searches