HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Occasionally get these when Firefox browsing in Sandboxie (now with HMPA 593):
    Code:
    Mitigation   ROP
    
    Platform     10.0.15063/x64 v593 06_45
    PID          169868
    Application  C:\Program Files\Mozilla Firefox\firefox.exe
    Description  Firefox 53.0.3
    
    Callee Type  ProtectVirtualMemory
                 0x000003589CBFD000 (4096 bytes)
    
    Branch Trace                              Opcode  To                                     
    ---------------------------------------- -------- ----------------------------------------
    0x00007FF8DDD07800 xul.dll                   RET  0x00007FF8DDD232AD xul.dll             
    
    0x00007FF8DE09E53C xul.dll                   RET  0x00007FF8DDD23297 xul.dll             
    
    0x00007FF8DE09E588 xul.dll                   RET  0x00007FF8DE09E509 xul.dll             
    
    0x00007FF8DDD23502 xul.dll                   RET  0x00007FF8DE09E4FD xul.dll             
    
    0x00007FF8DE09E5F5 xul.dll                   RET  0x00007FF8DE09E4EA xul.dll             
    
    0x00007FF8DDDF3B39 xul.dll                   RET  0x00007FF8DDD2326D xul.dll             
    
    0x00007FF8DDEE55B2 xul.dll                 ~ RET  0x00007FF8DDD23256 xul.dll             
    
    0x00007FF8DDEE5951 xul.dll                   RET  0x00007FF8DDEE5560 xul.dll             
    
    0x00007FF8DDEE5A7E xul.dll                   RET  0x00007FF8DDEE5875 xul.dll             
    
    0x00007FF8DE4C1B26 xul.dll                   RET  0x00007FF8DDEE5A74 xul.dll             
    
    SleepEx +0x10e                             ~ RET* 0x00000000005B6B9A EventMon.dll         
    0x00007FF9294F72EE KernelBase.dll                                                         
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                        0000                     ADD          [RAX], AL
                                             (411C9A94D3A96D68)
    
    
    NtDelayExecution +0x14                     ~ RET  SleepEx +0xa7                           
    0x00007FF92CF45A34 ntdll.dll                      0x00007FF9294F7287 KernelBase.dll       
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FF929501735 KernelBase.dll           VirtualProtect +0x35
    
    2  00007FF8DE1C2981 xul.dll                 
                        85c0                     TEST         EAX, EAX
                        743d                     JZ           0x7ff8de1c29c2
                        488b0d64fb8c02           MOV          RCX, [RIP+0x28cfb64]
                        483bd9                   CMP          RBX, RCX
                        0f822a984d00             JB           0x7ff8de69c1bf
                        4881c100000040           ADD          RCX, 0x40000000
                        483bf9                   CMP          RDI, RCX
                        0f871a984d00             JA           0x7ff8de69c1bf
                        b001                     MOV          AL, 0x1
                        488b5c2438               MOV          RBX, [RSP+0x38]
                        4883c420                 ADD          RSP, 0x20
                        5f                       POP          RDI
                        c3                       RET         
    
    3  00007FF8DDCE06DA xul.dll                 
    4  00007FF8DDD232C9 xul.dll                 
    5  00007FF8DE29B4A6 xul.dll                 
    6  00007FF8DDD468E3 xul.dll                 
    7  000003589BFDC664 (anonymous; xul.dll)   
    8  00000094B89EF280 (anonymous)             
    9  000003589CBFCD7E (anonymous; xul.dll)   
    10 00000094B89EF238 (anonymous)             
    
    Code Injection
    0000000000520000-0000000000526000   24KB C:\Program Files\Sandboxie\SbieSvc.exe [3752]
    0000000000530000-0000000000531000    4KB
    00007FF92CF19000-00007FF92CF1A000    4KB
    
    Process Trace
    1  C:\Program Files\Mozilla Firefox\firefox.exe [169868]
    2  C:\Program Files\Mozilla Firefox\firefox.exe [171512]
    3  C:\Windows\explorer.exe [10432]
    4  C:\Windows\System32\userinit.exe [4092]
    5  C:\Windows\System32\winlogon.exe [1236]
    winlogon.exe
    
    Thumbprint
    fa67dde075dc862b797f76d4cb430077e285c4bd0586486e1874b55c88e2042d
    
     
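The report above is HitmanPro.Alert's mitigation output. The following is an added Python example (not HMPA's or Sophos' code) that parses a constructed excerpt in that layout and pulls out what an analyst looks at first when deciding whether an alert like this is a false positive: the modules the return chain lands in, how many rows the report marks `RET*`, and which other process injected code into the application (here Sandboxie's `SbieSvc.exe`). Field meanings are assumed from the layout shown, not taken from HMPA documentation.

```python
import re

# Constructed excerpt in the HitmanPro.Alert report layout quoted above (not the full report).
SAMPLE_REPORT = """\
Mitigation   ROP
PID          169868
Application  C:\\Program Files\\Mozilla Firefox\\firefox.exe

Branch Trace                              Opcode  To
---------------------------------------- -------- ----------------------------------------
0x00007FF8DDD07800 xul.dll                   RET  0x00007FF8DDD232AD xul.dll
SleepEx +0x10e                             ~ RET* 0x00000000005B6B9A EventMon.dll

Code Injection
0000000000520000-0000000000526000   24KB C:\\Program Files\\Sandboxie\\SbieSvc.exe [3752]
0000000000530000-0000000000531000    4KB
"""

SECTIONS = ("Branch Trace", "Stack Trace", "Code Injection", "Process Trace", "Thumbprint")
HEADER_RE = re.compile(r"^(\w[\w ]*?)\s{2,}(.+)$")                       # "Mitigation   ROP"
BRANCH_RE = re.compile(r"^(?P<src>\S.*?)\s+(?P<tilde>~\s+)?(?P<op>RET\*?)\s+(?P<dst>\S.*?)\s*$")
INJECT_RE = re.compile(r"^([0-9A-F]{16})-([0-9A-F]{16})\s+(\d+KB)(?:\s+(.+?)\s+\[(\d+)\])?$")

def module_of(cell):
    """Last token of a branch-trace cell when it names a module (e.g. xul.dll), else None."""
    tok = cell.split()[-1]
    return tok if "." in tok else None

def parse_report(text):
    """Split the report into header fields, branch-trace rows and code-injection rows."""
    out = {"header": {}, "branch_trace": [], "code_injection": []}
    section = None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(SECTIONS):                 # section title, possibly with column heads
            section = line.split("  ")[0]
        elif section is None and (m := HEADER_RE.match(line)):
            out["header"][m[1]] = m[2].strip()
        elif section == "Branch Trace" and (m := BRANCH_RE.match(line)):
            out["branch_trace"].append({"src": m["src"], "op": m["op"], "dst": m["dst"],
                                        "to_module": module_of(m["dst"])})
        elif section == "Code Injection" and (m := INJECT_RE.match(line)):
            out["code_injection"].append({"size": m[3], "source": m[4]})   # source may be None
    return out

def triage(report):
    """Summary for a first look: return-target modules, rows marked RET*, and any foreign
    process that injected code into the application (a frequent false-positive cause)."""
    return {
        "mitigation": report["header"].get("Mitigation"),
        "return_target_modules": sorted({r["to_module"] for r in report["branch_trace"] if r["to_module"]}),
        "flagged_returns": sum(r["op"] == "RET*" for r in report["branch_trace"]),
        "injectors": sorted({r["source"] for r in report["code_injection"] if r["source"]}),
    }
```

An injector such as Sandboxie's service showing up in the Code Injection section is the first thing to correlate with the alert before treating it as a real exploit.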
  2. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    Italy
    news? *puppy*
     
  3. fehmi2029

    fehmi2029 Registered Member

    Joined:
    May 8, 2017
    Posts:
    7
    Location:
    Athens Greece
    Nothing yet
     
  4. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    Italy
    i know :(...
     
  5. fehmi2029

    fehmi2029 Registered Member

    Joined:
    May 8, 2017
    Posts:
    7
    Location:
    Athens Greece
    i hope we will have news soon :)
     
  6. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.6.7 build 600 BETA

    Changelog
    • Added an Asynchronous Procedure Call (APC) mitigation which protects against the DoublePulsar code injection.
      This mitigation is part of Risk Reductions > Process Protection.
    • Added our thumbprint technology to the Load Library mitigation (reflective DLL injection protection).
    • Improved CryptoGuard.
    Notes
    • This version is co-signed by Microsoft.
    • Here's a quick demonstration video showing the new APC mitigation in action against a remote WannaCry ransomware attack that abuses the EternalBlue + DoublePulsar NSA exploits leaked by Shadow Brokers: https://www.youtube.com/watch?v=uKXYLMKq07s
      Users running HitmanPro.Alert version 2.6.5 (or newer) from April 2014 were already protected against the WannaCry ransomware as it was stopped by CryptoGuard. The attack is now ALSO stopped at the exploitation level.
      The video actually shows our upcoming CTP2 but we back-ported the technology to this build.
    Download
    http://test.hitmanpro.com/hmpalert3b600.exe

    Please let us know if this version runs on your computer :thumb:
     
    Last edited: May 22, 2017
  7. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Sounds good! :thumb:
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Mark, I saw you on Dutch TV, next time please promote HMPA a bit more LOL. BTW, could you give some more info about the DoublePulsar code injection technique? Has this Asynchronous Procedure Call (APC) method never been used before?
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Be careful. Since I had the beta on my test box I put 600 on my other box. Installed rebooted and the disk was trashed. Looked like the mbr was gone. Will do some testing after fixing the one box. Macrium is to the rescue now.

    Pete
     
  10. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    I just installed it and I noticed something curious. When I go to the Process Protection page, the only mitigation I see is DLL Hijack Mitigation. In the video, there are 5 others including the newly added APC mitigation. Please explain this disparity?
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I believe that's my biggest fear. I installed HMPA (version before 600) on a laptop, and it started to act a bit weirdly. No other security software was installed. I'm not sure if the problem was caused by HMPA, I didn't have enough time to test it. I think all of these features are cool, but I'm always a bit scared it might break something, especially when combined with other security tools.
     
  12. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,842
    Location:
    the Netherlands
    Thanks very much, Pete!
    I will be more careful than usual with testing the new build 600 beta, I will create a new current image first, before testing this build. This may not be today, probably.
     
    Last edited: May 22, 2017
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    The TV guys and gals are always reluctant to promote a product. I'm lucky that they even mention my name ;)
    The protection against DoublePulsar is actually a generic protection. I can't go into detail on it, maybe later. AFAIK HitmanPro.Alert is currently the only solution that blocks DoublePulsar at the exploitation level.
    As mentioned, the video shows a different more advanced build, 706, a CTP2 build. We are releasing it later this week. The 7xx builds include many new features, including Credential Theft Protection, a guard that helps prevent Local Privilege Escalation and several other new mitigations to thwart active adversaries.
     
    Last edited: May 22, 2017
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    LOL, I was waiting for the moment you would say: HMPA is able to stop WannaCry, go get it! I did see HMPA's GUI in the background. To clarify, I wondered if the DoublePulsar code injection was truly a new technique, and I suppose it makes sense to always auto-block it, because legitimate apps won't use this method I suppose.
     
  15. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    OK, thanks Mark. I didn't look closely at the version of HMP.A in the video and just assumed it was 3.6.7 build 600 BETA. I immediately experienced feature envy :)
     
  16. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    I saw it was incomplete, fixed it ;) More details on DoublePulsar and APC can be read here: https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/
    AtomBombing code injection also abuses APC to run code in another process.
     
  17. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    Whoa! :eek:

    In future, I'll be sure to do a system image before installing a beta (am currently on build 704 on a Windows 7 box).
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I found two issues:

    1. BadUSB is not working with build 600
    2. Keystroke Encryption is not working with build 600

    We will address this tomorrow.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Now I am in a bit of a quandary. I just installed in a VM with no major issues. Only issue is VM and my test desktop have the private beta on and so it's an uninstall and then install 600. The box that trashed was an over the top. I saw a few strange things so I can't say with total certainty exactly what happened.

    Just be careful
     
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,842
    Location:
    the Netherlands
    @erikloman,
    @markloman,

    Thanks very much.
    I'll wait for that before imaging and testing.

    A few questions:

    Was build 600 based on build 593, plus the additions and improvements mentioned in the build 600 changelog?
    If so, how can BadUSB and Keystroke Encryption be not working with build 600, if it was OK in 593?

    What do you think of the trashed system as experienced by Pete?
    What in build 600 could have been the cause of that?
     
    Last edited: May 22, 2017
  21. plat1098

    plat1098 Guest

    Yes, I just checked Keystroke Encryption, it is showing me whatever I typed in the orange bar, and very accurately at that. :oops:
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well it turns out all that happened was the mbr was trashed, not that that's good.

    But this really shows the importance of not only imaging, but test restoring the images.
     
  23. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Confirmed.
     
  24. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    +1 :thumb:
    Spot on, and seeing I test only in real world environments, I make sure to have a fresh working clone before any major install of a beta software, HMP.A included
     
  25. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Another example, while I only run tests on real hardware, not VMs
     