HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No need to take the whole beta because of that. Just turn off the credential protection and the issue is solved.
     
  2. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    No initial problems since I installed earlier today. It still shuts down Firefox whenever I visit a Flickr site (heapspray).
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Currently you can't have it both ways. We are working on a way to allow the SAM to be backed up but this basically also opens up a way to read the SAM for malicious purposes.

    I am raising the priority of this issue because it is preventing us from turning this beta into a full release.

    Could not have said it better :thumb:
     
    Last edited: Sep 21, 2017
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Last edited: Sep 21, 2017
  5. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Running fine.

    BTW: would HPMA (3.6) block the recent CCleaner malware?
     
  6. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    No problems installing build 717 beta (upgraded from build 604). So far no problems with Sandboxie 5.20 (see earlier post about build 712 and Sandboxie).

    Win10 1703 build 15063.608 x64/Norton Security v22.10.1.10
     
  7. guest

    guest Guest

    No problem so far with latest beta.
     
  8. msatter

    msatter Registered Member

    Joined:
    Jul 21, 2017
    Posts:
    6
    Location:
    home
    Using 3.70 712 for a long time and out of the blue I get this message on Firefox that is installed for a few weeks and being used all the time and HitmanPro did not find anything wrong.

    Intruder

    PID 2872
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 55.0.3

    Detour Report
    # Address Owner Disassembly
    -- ------------------ ------------------------ ------------------------
    PR_Close
    1 0x00007FF945F9E3B0 nss3.dll JMP 0x7ff900000460
    2 0x00007FF900000460 (unknown) MOV RAX, 0x1bbf5260000
    LOCK ADD DWORD [RAX+0x10], 0x1
    CMP DWORD [RAX+0x14], 0x0
    JZ 0x7ff9000004de
    JMP 0x7ff900000486
    3 0x00007FF900000486 (unknown)

    PR_Read *
    1 0x00007FF945F9E3B8 nss3.dll JMP 0x7ff900000702
    2 0x00007FF900000702 (unknown) MOV RAX, 0x1bbf5260000
    LOCK ADD DWORD [RAX+0x10], 0x1
    CMP DWORD [RAX+0x14], 0x0
    JZ 0x7ff900000780
    JMP 0x7ff90000071e
    3 0x00007FF90000071E (unknown)

    PR_Write *
    1 0x00007FF945F9E3C0 nss3.dll JMP 0x7ff9000005b1
    2 0x00007FF9000005B1 (unknown) MOV RAX, 0x1bbf5260000
    LOCK ADD DWORD [RAX+0x10], 0x1
    CMP DWORD [RAX+0x14], 0x0
    JZ 0x7ff90000062f
    JMP 0x7ff9000005cd
    3 0x00007FF9000005CD (unknown)

    SSL_SetURL
    1 0x00007FF94602F8D4 nss3.dll JMP 0x7ff9000001c2
    2 0x00007FF9000001C2 (unknown) MOV RAX, 0x1bbf5260000
    LOCK ADD DWORD [RAX+0x10], 0x1
    CMP DWORD [RAX+0x14], 0x0
    JZ 0x7ff900000240
    JMP 0x7ff9000001e3
    3 0x00007FF9000001E3 (unknown)

    CreateFileA
    1 0x00007FF960AD26E0 KernelBase.dll JMP 0x7ff900040462
    2 0x00007FF900040462 (unknown)

    CreateFileMappingNumaW
    1 0x00007FF960ABD700 KernelBase.dll JMP 0x7ff900030462
    2 0x00007FF900030462 (unknown)

    CreateFileMappingW
    1 0x00007FF960ABD6D0 KernelBase.dll JMP 0x7ff900030eeb
    2 0x00007FF900030EEB (unknown)

    CreateFileW
    1 0x00007FF960A95260 KernelBase.dll JMP 0x7ff900030c46
    2 0x00007FF900030C46 (unknown)

    CreateProcessInternalW
    1 0x00007FF960A98F70 KernelBase.dll JMP 0x7ff948940dd4
    2 0x00007FF948940DD4 (unknown)

    CreateRemoteThreadEx
    1 0x00007FF960AC5710 KernelBase.dll JMP 0x7ff900040851
    2 0x00007FF900040851 (unknown)

    HeapCreate
    1 0x00007FF960AD3630 KernelBase.dll JMP 0x7ff9000405b1
    2 0x00007FF9000405B1 (unknown)

    LoadLibraryA
    1 0x00007FF960AD1C00 KernelBase.dll JMP 0x7ff9000401c0
    2 0x00007FF9000401C0 (unknown)

    LoadLibraryExA
    1 0x00007FF960AD1C50 KernelBase.dll JMP 0x7ff900040af1
    2 0x00007FF900040AF1 (unknown)

    LoadLibraryExW
    1 0x00007FF960A946E0 KernelBase.dll JMP 0x7ff900040701
    2 0x00007FF900040701 (unknown)

    LoadLibraryW
    1 0x00007FF960ADCA80 KernelBase.dll JMP 0x7ff900030704
    2 0x00007FF900030704 (unknown)

    MapViewOfFile
    1 0x00007FF960ABD560 KernelBase.dll JMP 0x7ff900040070
    2 0x00007FF900040070 (unknown)

    MapViewOfFileEx
    1 0x00007FF960ACCF00 KernelBase.dll JMP 0x7ff9000309a2
    2 0x00007FF9000309A2 (unknown)

    VirtualAlloc
    1 0x00007FF960ABDCB0 KernelBase.dll JMP 0x7ff900030312
    2 0x00007FF900030312 (unknown)

    VirtualAllocEx
    1 0x00007FF960AD0D70 KernelBase.dll JMP 0x7ff90004030f
    2 0x00007FF90004030F (unknown)

    VirtualProtect
    1 0x00007FF960AC4D60 KernelBase.dll JMP 0x7ff900030853
    2 0x00007FF900030853 (unknown)

    VirtualProtectEx
    1 0x00007FF960B35140 KernelBase.dll JMP 0x7ff900030d9c
    2 0x00007FF900030D9C (unknown)

    WriteProcessMemory
    1 0x00007FF960AD2B90 KernelBase.dll JMP 0x7ff9000409a0
    2 0x00007FF9000409A0 (unknown)

    CreateFileMappingA
    1 0x00007FF961BCB370 kernel32.dll JMP 0x7ff900030070
    2 0x00007FF900030070 (unknown)

    CreateProcessA
    1 0x00007FF961BCB970 kernel32.dll JMP 0x7ff900020ee0
    2 0x00007FF900020EE0 (unknown)

    CreateProcessInternalA
    1 0x00007FF961BE9710 kernel32.dll JMP 0x7ff900020aef
    2 0x00007FF900020AEF (unknown)

    CreateProcessInternalW
    1 0x00007FF961BE9790 kernel32.dll JMP 0x7ff9000301c1
    2 0x00007FF9000301C1 (unknown)

    CreateProcessW
    1 0x00007FF961BCBEC0 kernel32.dll JMP 0x7ff900020c40
    2 0x00007FF900020C40 (unknown)

    SetProcessDEPPolicy
    1 0x00007FF961BD1740 kernel32.dll JMP 0x7ff90002099f
    2 0x00007FF90002099F (unknown)

    WinExec
    1 0x00007FF961C107F0 kernel32.dll JMP 0x7ff900020d91
    2 0x00007FF900020D91 (unknown)

    NdrpClientCall2
    1 0x00007FF961CD2220 rpcrt4.dll JMP 0x7ff948940d54
    2 0x00007FF948940D54 (unknown)

    GetMessageA
    1 0x00007FF963A8E8B0 USER32.dll JMP 0x7ff948940c58
    2 0x00007FF948940C58 (unknown)

    GetMessageW
    1 0x00007FF963A94840 USER32.dll JMP 0x7ff948940c14
    2 0x00007FF948940C14 (unknown)

    PeekMessageA
    1 0x00007FF963A8E300 USER32.dll JMP 0x7ff948940bd8
    2 0x00007FF948940BD8 (unknown)

    PeekMessageW
    1 0x00007FF963A8E430 USER32.dll JMP 0x7ff948940b98
    2 0x00007FF948940B98 (unknown)

    KiUserApcDispatcher
    1 0x00007FF9642F9B00 ntdll.dll JMP 0x7ff948940cd6
    2 0x00007FF948940CD6 (unknown)

    KiUserExceptionDispatcher
    1 0x00007FF9642F9C50 ntdll.dll JMP 0x7ff948940d96
    2 0x00007FF948940D96 (unknown)

    LdrFindEntryForAddress
    1 0x00007FF96426DAD0 ntdll.dll JMP 0x7ff900010d95
    2 0x00007FF900010D95 (unknown) MOV RAX, 0x1bbf5260070
    LOCK ADD DWORD [RAX+0x10], 0x1
    CMP DWORD [RAX+0x14], 0x0
    JZ 0x7ff900010e13
    JMP 0x7ff900010db6
    3 0x00007FF900010DB6 (unknown)

    LdrGetProcedureAddress
    1 0x00007FF964256EA0 ntdll.dll JMP 0x7ff90001045e
    2 0x00007FF90001045E (unknown)

    LdrGetProcedureAddressForCaller
    1 0x00007FF964296960 ntdll.dll JMP 0x7ff900010ee4
    2 0x00007FF900010EE4 (unknown)

    LdrLoadDll
    1 0x00007FF964259E70 ntdll.dll JMP 0x7ff900010c46
    2 0x00007FF900010C46 (unknown)

    LdrResolveDelayLoadedAPI
    1 0x00007FF9642965E0 ntdll.dll JMP 0x7ff900020311
    2 0x00007FF900020311 (unknown)

    NtAllocateVirtualMemory
    1 0x00007FF9642F6390 ntdll.dll JMP 0x7ff948940f16
    2 0x00007FF948940F16 (unknown)

    NtCreateFile
    1 0x00007FF9642F6B30 ntdll.dll JMP 0x7ff900020850
    2 0x00007FF900020850 (unknown)

    NtCreateKey
    1 0x00007FF9642F6430 ntdll.dll JMP 0x7ff96443000e
    2 0x00007FF96443000E (anonymous; SYSFER.DLL)

    NtCreateProcess
    1 0x00007FF9642F7660 ntdll.dll JMP 0x7ff9000105b1
    2 0x00007FF9000105B1 (unknown)

    NtCreateSection
    1 0x00007FF9642F69D0 ntdll.dll JMP 0x7ff9000201bf
    2 0x00007FF9000201BF (unknown)

    NtCreateThreadEx
    1 0x00007FF9642F7740 ntdll.dll JMP 0x7ff900010853
    2 0x00007FF900010853 (unknown)

    NtCreateUserProcess
    1 0x00007FF9642F7820 ntdll.dll JMP 0x7ff9000101bf
    2 0x00007FF9000101BF (unknown)

    NtDeleteFile
    1 0x00007FF9642F7960 ntdll.dll JMP 0x7ff96443002a
    2 0x00007FF96443002A (anonymous; SYSFER.DLL)

    NtDeleteKey
    1 0x00007FF9642F7980 ntdll.dll JMP 0x7ff96443007e
    2 0x00007FF96443007E (anonymous; SYSFER.DLL)

    NtDeleteValueKey
    1 0x00007FF9642F79E0 ntdll.dll JMP 0x7ff964430038
    2 0x00007FF964430038 (anonymous; SYSFER.DLL)

    NtFreeVirtualMemory
    1 0x00007FF9642F6450 ntdll.dll JMP 0x7ff948940ed6
    2 0x00007FF948940ED6 (unknown)

    NtMapViewOfSection
    1 0x00007FF9642F6590 ntdll.dll JMP 0x7ff9000205af
    2 0x00007FF9000205AF (unknown)

    NtOpenFile
    1 0x00007FF9642F66F0 ntdll.dll JMP 0x7ff964430054
    2 0x00007FF964430054 (anonymous; SYSFER.DLL)

    NtOpenKey
    1 0x00007FF9642F62D0 ntdll.dll JMP 0x7ff964430062
    2 0x00007FF964430062 (anonymous; SYSFER.DLL)

    NtOpenKeyEx
    1 0x00007FF9642F82A0 ntdll.dll JMP 0x7ff964430070
    2 0x00007FF964430070 (anonymous; SYSFER.DLL)

    NtProtectVirtualMemory
    1 0x00007FF9642F6A90 ntdll.dll JMP 0x7ff900020070
    2 0x00007FF900020070 (unknown)

    NtQueueApcThread
    1 0x00007FF9642F6930 ntdll.dll JMP 0x7ff948940d16
    2 0x00007FF948940D16 (unknown)

    NtReadVirtualMemory
    1 0x00007FF9642F6870 ntdll.dll JMP 0x7ff948940c96
    2 0x00007FF948940C96 (unknown)

    NtRenameKey
    1 0x00007FF9642F8C60 ntdll.dll JMP 0x7ff96443008c
    2 0x00007FF96443008C (anonymous; SYSFER.DLL)

    NtSetInformationFile
    1 0x00007FF9642F6570 ntdll.dll JMP 0x7ff96443009a
    2 0x00007FF96443009A (anonymous; SYSFER.DLL)

    NtSetInformationProcess
    1 0x00007FF9642F6410 ntdll.dll JMP 0x7ff9000206fe
    2 0x00007FF9000206FE (unknown)

    NtSetValueKey
    1 0x00007FF9642F6C80 ntdll.dll JMP 0x7ff9644300a8
    2 0x00007FF9644300A8 (anonymous; SYSFER.DLL)

    NtTerminateProcess
    1 0x00007FF9642F6610 ntdll.dll JMP 0x7ff9644300b6
    2 0x00007FF9644300B6 (anonymous; SYSFER.DLL)

    NtTerminateThread
    1 0x00007FF9642F6AF0 ntdll.dll JMP 0x7ff9644300c4
    2 0x00007FF9644300C4 (anonymous; SYSFER.DLL)

    NtUnmapViewOfSection
    1 0x00007FF9642F65D0 ntdll.dll JMP 0x7ff948940e56
    2 0x00007FF948940E56 (unknown)

    NtWaitForDebugEvent
    1 0x00007FF9642F9820 ntdll.dll JMP 0x7ff948940fd6
    2 0x00007FF948940FD6 (unknown)

    NtWriteVirtualMemory
    1 0x00007FF9642F67D0 ntdll.dll JMP 0x7ff9000109a5
    2 0x00007FF9000109A5 (unknown)

    RtlCreateHeap
    1 0x00007FF9642603E0 ntdll.dll JMP 0x7ff90001030e
    2 0x00007FF90001030E (unknown)

    RtlInstallFunctionTableCallback
    1 0x00007FF9642C1AE0 ntdll.dll JMP 0x7ff948940f98
    2 0x00007FF948940F98 (unknown)

    RtlPcToFileHeader
    1 0x00007FF96429C270 ntdll.dll JMP 0x7ff900010703
    2 0x00007FF900010703 (unknown) MOV RAX, 0x1bbf5260070
    LOCK ADD DWORD [RAX+0x10], 0x1
    CMP DWORD [RAX+0x14], 0x0
    JZ 0x7ff900010781
    JMP 0x7ff900010724
    3 0x00007FF900010724 (unknown)


    Thumbprint
    6b06cccc18c327f1c8746b60acc2db6a49115485cdc3f18e39effd7c986d8b11
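
For triaging a Detour Report like the one in the post above, this added example (not from the thread or from HitmanPro.Alert) parses the report layout and groups each hooked function by the owner and 64 KB region where its patched JMP lands, separating destinations attributed to a named module from unowned memory. The function names and the 64 KB grouping are assumptions of this example; the sample is an abridged excerpt of the posted report.

```python
import re
from collections import defaultdict

# Abridged excerpt of the Detour Report posted above, in the layout it was posted in.
SAMPLE = """\
Detour Report
# Address Owner Disassembly
PR_Read *
1 0x00007FF945F9E3B8 nss3.dll JMP 0x7ff900000702
2 0x00007FF900000702 (unknown) MOV RAX, 0x1bbf5260000
JMP 0x7ff90000071e
3 0x00007FF90000071E (unknown)

CreateProcessInternalW
1 0x00007FF960A98F70 KernelBase.dll JMP 0x7ff948940dd4
2 0x00007FF948940DD4 (unknown)

CreateProcessInternalW
1 0x00007FF961BE9790 kernel32.dll JMP 0x7ff9000301c1
2 0x00007FF9000301C1 (unknown)

NtCreateKey
1 0x00007FF9642F6430 ntdll.dll JMP 0x7ff96443000e
2 0x00007FF96443000E (anonymous; SYSFER.DLL)

NtOpenFile
1 0x00007FF9642F66F0 ntdll.dll JMP 0x7ff964430054
2 0x00007FF964430054 (anonymous; SYSFER.DLL)

Thumbprint
"""

HOP = re.compile(r"^\s*(\d+)\s+(0x[0-9A-Fa-f]{16})\s+(\([^)]*\)|\S+)")
NAME = re.compile(r"^\s*([A-Za-z_]\w*)(?:\s+\*)?\s*$")

def parse_detours(text):
    """Return [(function, [(address, owner), ...]), ...]; headers and
    disassembly continuation lines match neither pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        hop, name = HOP.match(line), NAME.match(line)
        if hop and entries:
            entries[-1][1].append((int(hop[2], 16), hop[3].strip("()")))
        elif name:
            entries.append((name[1], []))
    return [e for e in entries if e[1]]  # drops headings such as "Thumbprint"

def group_by_destination(entries):
    """Map (destination owner, 64 KB region) -> ['module!function', ...]."""
    groups = defaultdict(list)
    for fn, hops in entries:
        if len(hops) > 1:
            addr, owner = hops[1]  # hop 2 is where the patched JMP lands
            groups[(owner, hex(addr >> 16 << 16))].append(f"{hops[0][1]}!{fn}")
    return dict(groups)

if __name__ == "__main__":
    for key, fns in group_by_destination(parse_detours(SAMPLE)).items():
        print(key, fns)
```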
     
  9. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Does this happen more than once?
    What OS & Version are you running, and which other security software is installed and what add-ons are loaded in Firefox?
    (If you don't wish to post publicly please DM me the details).
     
  10. msatter

    msatter Registered Member

    Joined:
    Jul 21, 2017
    Posts:
    6
    Location:
    home
    It started today and 717 produces the same message after restart. Even if I switch off SEP14 (Symantec) the message still occurs.

    From Events:

    Code Injection
    000001F6BB222000-000001F6BB223000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [9028]
    00007FFDE6776000-00007FFDE6777000 4KB
    00007FFDE6778000-00007FFDE6779000 4KB
    1 C:\Program Files\Mozilla Firefox\firefox.exe [9028]
    2 C:\Windows\explorer.exe [2392]
    3 C:\Windows\System32\userinit.exe [2952]
    4 C:\Windows\System32\winlogon.exe [1008]
    winlogon.exe
    5 C:\Windows\System32\smss.exe [752]
    \SystemRoot\System32\smss.exe 00000158 00000080


    Microsoft Windows Pro [Version 10.0.14393]

    Version: 1607 Build: 14393.1715

    I still had Firefox 43 32-bit on the HDD and that works fine.

    Starting in Firefox Safe Mode, still the same message, so not likely a problem with an add-on.

    I also got some without smss.exe

    Code Injection
    000002595A58F000-000002595A590000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [2872]
    00007FF9642F6000-00007FF9642F7000 4KB
    00007FF9642F8000-00007FF9642F9000 4KB
    1 C:\Program Files\Mozilla Firefox\firefox.exe [2872]
    2 C:\Windows\explorer.exe [3028]
    3 C:\Windows\System32\userinit.exe [2708]
    4 C:\Windows\System32\winlogon.exe [952]
    winlogon.exe

    Thumbprint
    6b06cccc18c327f1c8746b60acc2db6a49115485cdc3f18e39effd7c986d8b11

    update: I was using SEP 14 instead of 12.
     
    Last edited: Sep 21, 2017
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Win 10 Pro x64 v1703 15063.608 - Firefox 55.0.3 - Sandboxie 5.21.2 beta - HitmanPro.Alert 3.7.0 build 717 beta

    Mitigation PrivGuard

    Platform 10.0.15063/x64 v717 06_45
    PID 18820
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 55.0.3

    Sweep

    Code Injection
    0000000000A50000-0000000000A56000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [3904]
    0000000000A60000-0000000000A61000 4KB
    00007FFBCE509000-00007FFBCE50A000 4KB

    I have disabled Local Privilege Mitigation again. This solves the problem, as it did in build 712.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    See PM

    Pete
     
  13. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    W7-x64 Prof.:
    Installed HitmanPro.Alert 3.7.0 build 717 Beta over 3.6.7 build 604. So far no issues!
    Using both Firefox 55.0.3 and Firefox Nightly 57.0a1 Beta
     
    Last edited: Sep 21, 2017
  14. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Currently having no problem with SBIE on Win10 build, gonna install on Win7 and see how it goes..
     
  15. plat1098

    plat1098 Guest

    Getting this error consistently upon startup. If Alert 717 is uninstalled, startup is clean.

    audio failure event.PNG
     
  16. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Problems opening certain pages in Firefox with build 717:

    HMPA 717 vs Firefox.png

    This problem remains unresolved from b712: see here and here, for example.
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Just a suggestion -
    If Erik, Mark, Ronny, or others need to copy the thumbprint or other details, it would probably be more convenient if you could offer the Alert details copied from Windows Event Viewer, instead of a screen capture.
     
  18. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
  19. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    I'm interested in the answer to this question too.
     
  20. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Updated 2 machines from 712 to 717, everything fine so far.
    When I try to download the installer over HTTPS, it says the cert is only valid for dl.surfright.nl and files.surfright.nl.
    Opening the HMPA interface by double-clicking the tray icon when the interface is already open will make the computer unresponsive for a short while. Noticed this with both 712 and 717. Haven't tried it on stable yet.
    When you disable Credential Theft Protection, the tile doesn't indicate it is disabled by darkening like the other tiles do when features are disabled. This is also in both 712 and 717.
     
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    I tested with stable 604, on Windows 7 x64.
    With stable 604, I cannot reproduce the issue that you reported with 712 and 717. The issue seems limited to 712 and 717 beta.
     
  22. plat1098

    plat1098 Guest

    Re: Alert 717: Yes the Credential Theft Protection tile doesn't show it's disabled. Upon first installation, BadUSB still needs to be manually enabled. However, leaving Alert interface open and then double clicking on the tray icon very briefly results in a mouse pointer with an hourglass next to it and no loss of machine responsiveness on here. Task manager stays at zero. :)
     
  23. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Mitigation PrivGuard

    Platform 10.0.15063/x64 v717 06_4e
    PID 8504
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 61

    Sweep

    Code Injection
    0000000000570000-0000000000576000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2604]
    0000000000580000-0000000000581000 4KB
    00007FFAE22B9000-00007FFAE22BA000 4KB
    000001DDBB5F4000-000001DDBB5F5000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [4540]
    00007FFAE22E5000-00007FFAE22E6000 4KB
    00007FFAE22E7000-00007FFAE22E8000 4KB
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [4540]
    2 C:\Windows\explorer.exe [432]
    3 C:\Windows\System32\userinit.exe [2092]

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [8504]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1752,4207121111317483656,3321164833810175581,131072 --service-pipe-token=6D57DF93D03DED1CCB392E4326F14ABD --lang=en-US --extension-process --enable-offline-a
    2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [4540]
    3 C:\Windows\explorer.exe [432]
    4 C:\Windows\System32\userinit.exe [2092]

    EDIT: No problem with Win7 so far.
     
    Last edited: Sep 23, 2017
  24. bigjeff22

    bigjeff22 Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    3
    Location:
    North America
    Mitigation CredGuard

    Platform 6.1.7601/x64 v717 06_2a
    PID 2368
    Application C:\Program Files (x86)\Glary Utilities 5\Integrator.exe
    Description Glary Utilities 5

    \REGISTRY\MACHINE\SAM

    Process Trace
    1 C:\Program Files (x86)\Glary Utilities 5\Integrator.exe [2368]
    "C:\Program Files (x86)\Glary Utilities 5\Integrator.exe" $(Arg0)
    2 C:\Windows\System32\taskeng.exe [10404]
    taskeng.exe {56BBA88C-FA37-4035-AF45-88FB31F77F8C} S-1-5-21-1652379323-4117330753-2859149145-1000:WORM_HOLE\Client:Interactive:Highest[1]
    3 C:\Windows\System32\svchost.exe [700]
    C:\Windows\system32\svchost.exe -k netsvcs
     
    Last edited: Sep 22, 2017
  25. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    Got a Mitigation CredGuard when scanning my system with Zemana AntiMalware portable:

     