HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    So the automatic updater is still not enabled, or so it seems? Even as it is now about 11 days since HMP.A 3.1.11.374 was released?
    That is not as Erik mentioned it should be, I guess.
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I've always thought the purpose of HMPA keystroke encryption was to protect user credentials when logging into websites, so it makes sense for it to be in the browser template. Of course there are anti-keylogging apps that protect system-wide, such as KeyScrambler Premium.
     
  3. guest

    guest Guest

    For the browser I agree, the need is obvious, but why don't office apps get it when it is available? Maybe there is a complex reason I'm not aware of.
     
  4. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I uninstall HMPA now before installing the new update. This works better than installing over the top for me sometimes. I had a few problems in the past installing over the top, so now I always uninstall first.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don't get it, if HMPA stopped the exploit, then the malware shouldn't even be able to run. Or was the malware already running before you installed HMPA?
     
  6. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    I finally decided to bite the bullet and upgrade from Windows 7 to 10 (64-bit) before the deadline at the end of next month. About a week prior to doing the upgrade, I upgraded HMP.A from build 373 to 374. I just wanted to report that I have not had any issues with build 374 under either Windows 7 or 10.
     
  7. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Rasheed- I extracted the InfoStealer and ran it. Excellent timing of your post as I'll be throwing out a video on this when I get home tonight (tomorrow morning, actually).
     
  8. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    195
    Location:
    Poland
    PowerDVD 16

    Code:
    Mitigation   IAF
    
    Platform     6.1.7601/x64 06_3a
    PID          2480
    Application  C:\Program Files (x86)\CyberLink\PowerDVD16\PowerDVD.exe
    Description  PowerDVD 16
    
    Violation    60F4FCF6 is calling kernel32.dll IAT funcptr KernelBase.dll!GetProcAddress
    
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  60F4FCF6 CLDShowX.dll            
                ff15b4110461             CALL         DWORD [0x610411b4]
                85c0                     TEST         EAX, EAX
                0f84e6020000             JZ           0x60f4ffea
                8d8de0fbffff             LEA          ECX, [EBP-0x420]
                51                       PUSH         ECX
                ffd0                     CALL         EAX
                83c404                   ADD          ESP, 0x4
                83bde0fbffff00           CMP          DWORD [EBP-0x420], 0x0
                0f84cd020000             JZ           0x60f4ffea
                c785dcfbffff00000000     MOV          DWORD [EBP-0x424], 0x0
                8d85dcfbffff             LEA          EAX, [EBP-0x424]
                50                       PUSH         EAX
                8b85ecfbffff             MOV          EAX, [EBP-0x414]
    
    2  60F4F839 CLDShowX.dll            
    3  60F1BF44 CLDShowX.dll            
    4  740D2329 _PyBDRegioner.pyd      
    5  740D2D8B _PyBDRegioner.pyd      
    6  740D5766 _PyBDRegioner.pyd      
    7  03091006 python27.dll             PyCFunction_Call +0x46
    8  030D6D43 python27.dll            
    9  030D4945 python27.dll            
    10 030D245D python27.dll            
    
    Process Trace
    1  C:\Program Files (x86)\CyberLink\PowerDVD16\PowerDVD.exe [2480]
    PowerDVD.exe /launchmode classic noolreg
    2  C:\Program Files (x86)\CyberLink\PowerDVD16\PowerDVD.exe [1428]
    PowerDVD.exe noolreg 
    3  C:\Program Files (x86)\CyberLink\PowerDVD16\PowerDVD.exe [7376]
    4  C:\Program Files (x86)\CyberLink\PowerDVD16\Activate.exe [8136]
    "C:\Program Files (x86)\CyberLink\PowerDVD16\Activate.exe" /Type OEM_FIRST_ACTIVATE /LaunchProgram "C:\Program Files (x86)\CyberLink\PowerDVD16\PowerDVD.exe"
    5  C:\Program Files (x86)\CyberLink\PowerDVD16\PowerDVD.exe [3964]
    6  C:\Program Files (x86)\CyberLink\PowerDVD16\PDVDLP.exe [7144]
    7  C:\Windows\explorer.exe [3620]
    8  C:\Windows\System32\userinit.exe [2924]
    
    Code:
    Mitigation   ROP
    
    Platform     6.1.7601/x64 06_3a
    PID          5264
    Application  C:\Program Files (x86)\CyberLink\PowerDVD16\PowerDVD.exe
    Description  PowerDVD 16
    
    Branch Trace                      Opcode  To                              
    -------------------------------- -------- --------------------------------
    RtlEnterCriticalSection +0x37        RET  0x5A4C553F msmpeg2adec.dll      
    0x771F2C47 ntdll.dll                                                      
    
    RtlEnterCriticalSection +0x37        RET  0x5A4C6162 msmpeg2adec.dll      
    0x771F2C47 ntdll.dll                                                      
    
    0x5A4D1164 msmpeg2adec.dll         ~ RET* 0x5A4E6180 msmpeg2adec.dll      
                c3                       RET        
    
    
    0x5A45E5FB msmpeg2adec.dll           RET  0x5A4F66C6 msmpeg2adec.dll      
    
    0x5A4630D9 msmpeg2adec.dll           RET  0x5A45E5F8 msmpeg2adec.dll      
    
    0x5A45E5FB msmpeg2adec.dll           RET  0x5A4DF166 msmpeg2adec.dll      
    
    0x5A4630D9 msmpeg2adec.dll           RET  0x5A45E5F8 msmpeg2adec.dll      
    
    SLGetWindowsInformationDWORD +0x49   ~ RET* 0x5A5212F6 msmpeg2adec.dll      
    0x732921A4 slc.dll                                                        
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0000                     ADD          [EAX], AL
                0001                     ADD          [ECX], AL
                                     (3BCEA60DE3C9C0BC)
    
    
    0x73291AB2 slc.dll                   RET  SLGetWindowsInformationDWORD +0x44
                                              0x7329219F slc.dll              
    
    GlobalFree +0x13e                    RET  0x73291AAE slc.dll              
    0x76875099 KernelBase.dll                                                
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  5A4C5566 msmpeg2adec.dll        
                85c0                     TEST         EAX, EAX
                8b8544ffffff             MOV          EAX, [EBP-0xbc]
                0f840c090000             JZ           0x5a4c5e80
                c78554ffffff01000000     MOV          DWORD [EBP-0xac], 0x1
                85f6                     TEST         ESI, ESI
                0f84fa080000             JZ           0x5a4c5e80
                f70300000020             TEST         DWORD [EBX], 0x20000000
                0f8561080000             JNZ          0x5a4c5df3
                8b9d20ffffff             MOV          EBX, [EBP-0xe0]
                83c304                   ADD          EBX, 0x4
                c645ab00                 MOV          BYTE [EBP-0x55], 0x0
                89bd34ffffff             MOV          [EBP-0xcc], EDI
    
    2  5A4C616C msmpeg2adec.dll        
    3  5A514AA2 msmpeg2adec.dll        
    4  05DCFF27 InstantAud.ax          
    5  05F28E19 InstantAud.ax          
    6  05DBC88D InstantAud.ax          
    7  60592512 quartz.dll              
    8  605927F0 quartz.dll              
    9  61C816EF InstantX.dll            
    10 61C1D050 InstantX.dll            
    
    Process Trace
    1  C:\Program Files (x86)\CyberLink\PowerDVD16\PowerDVD.exe [5264]
    "C:\Program Files (x86)\CyberLink\PowerDVD16\PowerDVD.exe" "\\NAS[...].MP4"
    2  C:\Windows\explorer.exe [2592]
    3  C:\Windows\System32\userinit.exe [3968]
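Reports like the two above are worth parsing rather than eyeballing when a noisy application such as PowerDVD produces them repeatedly: grouping by (mitigation, executable, module owning the faulting frame) shows at a glance whether every IAF hit comes from the same vendor DLL, and for a ROP report which return branches HMPA actually flagged. The following is an added example and not SurfRight's tooling; the field layout is inferred from the two reports posted above, and the two embedded samples are abridged copies of them.

```python
"""Parse HitmanPro.Alert mitigation reports into records for triage.
Added example, not SurfRight/Sophos code: the layout is inferred from the
IAF and ROP reports posted in this thread and the helpers assume it."""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^([A-Z][A-Za-z]+)\s{2,}(\S.*?)\s*$")           # "PID          2480"
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s*(.*?)\s*$")  # "7  03091006 python27.dll  PyCFunction_Call +0x46"
PROC_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]\s*$")                  # "1  C:\...\PowerDVD.exe [2480]"
SECTIONS = ("Stack Trace", "Process Trace", "Branch Trace")

@dataclass
class Frame:
    index: int; address: int; module: str; location: str
    disasm: list = field(default_factory=list)       # indented disassembly lines under the frame

@dataclass
class Proc:
    index: int; path: str; pid: int
    cmdline: str = ""                                # unnumbered line following the entry, if any

@dataclass
class Report:
    fields: dict = field(default_factory=dict)       # Mitigation, Platform, PID, Application, Violation, ...
    stack: list = field(default_factory=list)
    procs: list = field(default_factory=list)
    branch_trace: list = field(default_factory=list) # ROP reports only, kept verbatim

def parse_report(text):
    rep, section = Report(), "header"
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.rstrip()
        if not line[0].isspace() and line.startswith(SECTIONS):
            section = next(s for s in SECTIONS if line.startswith(s))
            continue
        if section == "header":
            if m := HEADER_RE.match(line):
                rep.fields[m[1]] = m[2]
        elif section == "Stack Trace":
            if line[0].isspace():                    # disassembly belongs to the previous frame
                if rep.stack:
                    rep.stack[-1].disasm.append(line.strip())
            elif m := FRAME_RE.match(line):          # the "#  Address ..." and "-- ---" rows do not match
                rep.stack.append(Frame(int(m[1]), int(m[2], 16), m[3], m[4]))
        elif section == "Process Trace":
            if m := PROC_RE.match(line):
                rep.procs.append(Proc(int(m[1]), m[2], int(m[3])))
            elif rep.procs:
                rep.procs[-1].cmdline = line.strip()
        else:
            rep.branch_trace.append(line)
    return rep

def basename(path):
    return path.rsplit("\\", 1)[-1]

def alert_key(rep):
    """Grouping key for whitelisting decisions: (mitigation, exe, module owning the faulting frame)."""
    top = rep.stack[0].module if rep.stack else "?"
    return (rep.fields.get("Mitigation", "?"), basename(rep.fields.get("Application", "")), top)

def call_chain(rep):
    """Modules on the stack, innermost first, consecutive duplicates collapsed."""
    chain = []
    for f in rep.stack:
        if not chain or chain[-1] != f.module:
            chain.append(f.module)
    return chain

def flagged_branches(rep):
    """Branch-trace rows HMPA marked '~ RET*', i.e. the returns it considered suspicious."""
    return [b for b in rep.branch_trace if "RET*" in b]

# Abridged copies of the two reports posted in the thread.
IAF_REPORT = r"""
Mitigation   IAF
PID          2480
Application  C:\Program Files (x86)\CyberLink\PowerDVD16\PowerDVD.exe
Violation    60F4FCF6 is calling kernel32.dll IAT funcptr KernelBase.dll!GetProcAddress
Stack Trace
#  Address  Module                   Location
1  60F4FCF6 CLDShowX.dll
            ff15b4110461             CALL         DWORD [0x610411b4]
2  60F4F839 CLDShowX.dll
4  740D2329 _PyBDRegioner.pyd
7  03091006 python27.dll             PyCFunction_Call +0x46
Process Trace
1  C:\Program Files (x86)\CyberLink\PowerDVD16\PowerDVD.exe [2480]
PowerDVD.exe /launchmode classic noolreg
8  C:\Windows\System32\userinit.exe [2924]
"""

ROP_REPORT = r"""
Mitigation   ROP
PID          5264
Application  C:\Program Files (x86)\CyberLink\PowerDVD16\PowerDVD.exe
Branch Trace                      Opcode  To
RtlEnterCriticalSection +0x37        RET  0x5A4C553F msmpeg2adec.dll
0x771F2C47 ntdll.dll
0x5A4D1164 msmpeg2adec.dll         ~ RET* 0x5A4E6180 msmpeg2adec.dll
Stack Trace
1  5A4C5566 msmpeg2adec.dll
4  05DCFF27 InstantAud.ax
"""
```

Running `alert_key` and `call_chain` over the IAF sample shows the caller is CLDShowX.dll reached through PowerDVD's own bundled Python runtime, and `flagged_branches` over the ROP sample shows the single flagged return stays inside msmpeg2adec.dll; that is the information a whitelisting decision like the one Peter2150 describes below rests on, and the same key lets you count how many distinct reports a single DLL is responsible for before excluding the application.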
    
     
  9. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Any news?
     
    Last edited: Jul 4, 2016
  10. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Angler is dead
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi SpaceGhost

    I've seen the same thing with PowerDVD. I took it out of HMPA, as I really don't see an exploit threat.

    @erik

    I'll be home Wednesday, and if you want any testing help with this PM me.
     
  12. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    So we are shielded against this threat... just because Angler passed away :D or (because) Alert (IAT?) is able to catch it before it exhibits its malicious behaviour?? :ninja: (the technique involved in this particular exploit could be borrowed by other exploit families :shifty:)...
     
    Last edited: Jul 4, 2016
  13. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Exploits perform more operations than only function enumeration, so the EAT/IAT lookup is not the only stage in which an exploit can be blocked.
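One of those later stages is visible in Space Ghost's ROP report above, where two return branches are marked `~ RET*`. A branch trace of that kind is what a hardware-assisted ROP mitigation gets from the CPU's branch records, and one check it can apply to every recorded RET is whether the return target is call-preceded: a genuine return lands immediately after the CALL that created the frame, while a gadget address chained from the stack usually does not. The following is an added example, not HMPA's code; whether HMPA applies exactly this test is an assumption, the memory image is constructed (only the first byte sequence is copied from the IAF report's disassembly, the gadget bytes are made up), and only 32-bit encodings without legacy prefixes are handled.

```python
"""Call-preceded check on RET targets, the heuristic behind "~ RET*" style
flags in a ROP branch trace.  Added example, not HMPA code: whether HMPA uses
exactly this test is an assumption, and the memory contents below are
constructed (only the first byte sequence comes from the IAF report)."""

def call_insn_len(buf):
    """Length of an x86-32 CALL (E8 rel32 or FF /2) encoded at buf[0], else 0.
    Legacy prefixes (e.g. 66) are not handled."""
    if not buf:
        return 0
    if buf[0] == 0xE8:                      # CALL rel32
        return 5 if len(buf) >= 5 else 0
    if buf[0] != 0xFF or len(buf) < 2:
        return 0
    modrm = buf[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 2:                            # FF /2 is CALL r/m32; other /digits are INC, JMP, PUSH ...
        return 0
    if mod == 3:                            # CALL reg
        return 2
    length = 2
    if rm == 4:                             # SIB byte follows
        if len(buf) < 3:
            return 0
        length += 1
        if mod == 0 and (buf[2] & 7) == 5:  # SIB with no base register: disp32
            length += 4
    elif mod == 0 and rm == 5:              # [disp32], e.g. FF 15 xx xx xx xx for an IAT call
        length += 4
    length += {0: 0, 1: 1, 2: 4}[mod]       # disp8 / disp32 after ModRM (and SIB)
    return length if len(buf) >= length else 0

class Memory:
    """Constructed stand-in for reading a process's memory: {base: bytes}."""
    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, n):
        for base, data in self.regions.items():
            if base <= addr and addr + n <= base + len(data):
                return data[addr - base:addr - base + n]
        return None                         # unmapped: treated as not call-preceded

def is_call_preceded(mem, ret_target):
    """True if some CALL encoding ends exactly at ret_target, i.e. it is a real return site."""
    for n in range(2, 8):                   # CALL encodings are 2..7 bytes long
        chunk = mem.read(ret_target - n, n)
        if chunk is not None and call_insn_len(chunk) == n:
            return True
    return False

def check_ret_targets(mem, targets):
    """Map each RET target taken from a branch trace to whether it is call-preceded."""
    return {t: is_call_preceded(mem, t) for t in targets}

MEM = Memory({
    # 60F4FCF6: CALL DWORD [0x610411b4]; TEST EAX,EAX; JZ ...  (from the IAF report's disassembly)
    0x60F4FCF6: bytes.fromhex("ff15b4110461" "85c0" "0f84e6020000"),
    # constructed gadget ending at 5A4E6180: mov eax,[ebp-4]; xor eax,eax; pop ebp; ret; nop
    0x5A4E617A: bytes.fromhex("8b45fc" "33c0" "5d" "c3" "90"),
})

if __name__ == "__main__":
    # 60F4FCFC is where GetProcAddress returns to in the IAF report; 5A4E6180 is the flagged ROP target.
    for target, ok in check_ret_targets(MEM, [0x60F4FCFC, 0x5A4E6180]).items():
        print(f"{target:08X} {'RET' if ok else '~ RET*'}")
```

The check is deliberately only one stage: an attacker can pick gadgets that happen to sit right after a CALL, and sequences of zero bytes like the `0000 ADD [EAX], AL` run in the report decode as nothing useful either way, so a mitigation that relied on this alone would be bypassable. That is the practical reading of the point above that the EAT/IAT lookup, like the return check, is one of several places where a chain can be caught.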
     
  14. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    @erikloman
    @markloman
    It's now about two weeks since HMP.A 3.1.11.374 was released.
    A friend told me 3.1.11.374 still wasn't offered by automatic update.
    The automatic updater is still not enabled, or so it seems?
    At Tweakers.net Erik mentioned that automatic update would be offered a week after the new build was released.
    Why is this still not the case?
    Has SurfRight forgotten to enable the automatic updater, or was it decided to wait, and if so, then why?
     
  15. agch

    agch Registered Member

    Joined:
    Oct 21, 2015
    Posts:
    5
    FYI 3.1.11.374 is offered today as an automatic update to 373 installed version.

    I have a question, how to add only keylogging protection to a specific app?
     
  16. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Just updated, all is working as expected here (Win10 TH2)
     
  17. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Start the application, open exploit mitigations, browse to running applications, add the process to the category "other" and disable all mitigations. After that you can test it with the alert test tool.
     
    Last edited: Jul 6, 2016
  18. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    I just started to follow this forum. When you say "start the application", what application are you referring to? Is it HitmanPro.Alert? If so, I cannot see how to accomplish that.
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Start the specific application that you want to add only keylogging protection to. That way it will appear as a running app in the HMPA list. You can then select it, etc., as FleischmannTV described.
     
  20. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

    When is 64 bit HMP.A Exploit Test Utility coming back to SurfRight website ?

    It has been gone for quite a while now...
     
  21. Bowhunter26

    Bowhunter26 Registered Member

    Joined:
    Jun 22, 2016
    Posts:
    39
    Location:
    Arkansas, USA
  22. hjlbx

    hjlbx Guest

    32-bit only... download the file and inspect it. The icon and properties clearly indicate 32-bit only.

    64 bit version was removed months ago and has never made it back...
     
  23. Bowhunter26

    Bowhunter26 Registered Member

    Joined:
    Jun 22, 2016
    Posts:
    39
    Location:
    Arkansas, USA
    I see that now after downloading, I was just going by what the description said on the website. :)
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @hjlbx 64-bit is still there on the server, it just has not been updated in about a year or something like that.
    Link: http://dl.surfright.nl/hmpalert64-test.exe

    I still utilize that older 64-bit version for testing various things.
     
  25. hjlbx

    hjlbx Guest

    Why did Sophos remove the link ? Outdated ?
     