HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, obviously HMPA is protecting against certain code injection techniques like process hollowing and APC code injection, but it does not block all types of techniques. So here is a technical question which has never become clear to me: is it possible to block so-called API hooking even after code injection has already been performed by some malicious process?

    To clarify, I'm not talking about anti-exploit techniques, but purely about malware that tries to directly inject code into some legit process like explorer.exe or firefox.exe, for example. And isn't it true that in order to perform API hooking like most banking trojans do, you first need to perform DLL injection, or are there other methods?

    https://www.elastic.co/blog/ten-pro...-technical-survey-common-and-trending-process
    https://nagareshwar.securityxploded.com/2014/03/20/code-injection-and-api-hooking-techniques/
    https://www.apriorit.com/dev-blog/679-windows-dll-injection-for-api-hooks

    https://attack.mitre.org/techniques/T1055/
    https://attack.mitre.org/techniques/T1055/004/
    https://attack.mitre.org/techniques/T1055/012/
     
  2. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    version 907 installed without problems
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Now that I think of it, most security tools like AVs will probably try to protect their hooks, so I guess you guys will need to make some kind of whitelist.

    As I already explained before, after installing some Windows update, it broke certain parts of my system at least partially. It seems to be mostly related to UWP apps. My question is, does HMPA perhaps interact in some weird kind of way with the Windows taskbar? Because I just noticed that I can't get the taskbar context menu to pop up anymore when I right click on it. And it's very weird that HMPA's tray-icon doesn't seem to respond to any commands.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    My bad, I just saw that you can disable the keystroke encryption notification under the Safety Notifications settings, but why hide it? Also, it should be made easier to disable or remove apps from the exploit mitigations; now you have to do it one by one.

    And I already noticed that the only way to add apps to exploit mitigations is to first run some app that HMPA supports. Come on guys, this really needs to become better. You should be able to add any app in an easy way, perhaps even via the right-click context menu. Good idea or not?
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I've done some more testing and it seems like the "Local Privilege Mitigation" is not compatible with Sandboxie 5.49.8. When I open Vivaldi I get an alert from PrivGuard, but strangely enough it doesn't terminate Vivaldi; it continues to run normally. So can Sandboxie be whitelisted somehow?
     
  6. guest

    guest Guest

    Disable "Local Privilege Mitigation":
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes that's what I've done. So if I understood correctly, there is no way to whitelist this stuff. Perhaps Ronny can tell me what malware abuses the Local Privilege Mitigation. And yes, Sandboxie might be overkill, but it also provides virtualization.

    BTW Ronny, something I noticed is that HMPA automatically applies exploit mitigation to certain apps, I believe you should be able to turn this off. All in all, HMPA is a pretty good product except for these minor annoyances and the problem with the taskbar and tray-icon should be fixed of course.

    I must say that exploit mitigations are not that important to me, to me the Safe Browsing, Process Protection and CryptoGuard features are the most important. That being said, can you explain to me what the "Application Lockdown" exploit mitigation exactly does?
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Something weird happened. I installed Toddler Keys and all of a sudden HMPA automatically added apps to the safe browsing and exploit mitigation protections, I got to see tons of fly-outs without actually running these apps. These were the apps that I had removed from being protected. But anyway, it would also be nice to get tooltips to see which apps have been added via the small app icons, without having to go to Exploit Mitigations ---> Applications.

    https://toddler-keys.informer.com/0.9/

    Actually, I forgot to mention Credential Theft protection; this is another must-have feature. But I haven't got a clue why there is no mention of it protecting cookies and browser credentials. It only states that it "protects your credentials against password dumping", whatever this means. Come on guys, it's all about the details; this stuff should be made more clear, you guys need to be on top of things. :thumb:
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm afraid that HMPA and Sandboxie don't work smoothly together. I just launched Edge sandboxed and HMPA gave me a CookieGuard warning about the Sandboxie service SbieSvc.exe trying to read protected Edge data. Come on guys, HMPA should really implement a whitelist; it shouldn't keep warning about Sandboxie, which is a trusted tool.

    Not to forget that Sandboxie was owned by Sophos and Sophos Intercept X was partially based on Invincea X, which was partially based on Sandboxie. But I believe Sophos Intercept X has dropped the sandboxing feature that Invincea once used. I would actually bring it back, but that's just me. :p
     
  10. Mr Humphries

    Mr Humphries Registered Member

    Joined:
    Dec 3, 2016
    Posts:
    15
    Location:
    Australia
    No problem so far with 907 on 22449.rs_prerelease.210827-1350.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  12. Mr Humphries

    Mr Humphries Registered Member

    Joined:
    Dec 3, 2016
    Posts:
    15
    Location:
    Australia
    I didn't know what TK was until I just searched for it. I don't have any complaint about
     
  13. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    Where is the CookieGuard option?
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, my bad, I should have pointed you to the post with the download link. I download it from here and I use it to clean my mouse. It's a tool that will install a so-called global hook and I suspect this somehow triggered HMPA to show certain weird behavior.

    https://toddler-keys.informer.com/0.9/

    Yes, I had the same reaction, apparently it's included in the Credential Theft protection option, but it's not mentioned anywhere for some reason. Seems like they simply forgot about it.
     
  15. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.8.15 Build 911 Release Candidate

    Changelog (compared to build 907)
    • Added LockdownLoadImage mitigation to applications under the Office protection category; mitigates e.g. CVE-2021-40444
    • Added extended information in alert when CookieGuard detects cookie grab by untrusted code in a web browser, e.g., hashes of remote owner process and owner module
    • Fixed compatibility of Enforce DEP with Norton Security
    • Fixed small memory leak that occurred when switching CryptoGuard modes
    • Improved HollowProcess (Main Thread Hijack; MTH) mitigation to detect Cobalt Strike Beacon installing over SMB
    • Improved CookieGuard, fixed some small issues
    Download
    https://dl.surfright.nl/hmpalert3b911.exe

    Please let us know how this version runs on your machine :thumb:
     
    Last edited: Sep 10, 2021
  16. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    Here the program is running smoothly.
     
  17. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    Hitmanpro.Alert can detect and stop MITM attacks?
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I'm getting this error on two machines when downloading with Firefox 92. I have never seen such an error before.

    HMP.A RC Download Error in Firefox 92.PNG

    Downloaded OK in Brave browser.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Is this Hitmanpro.Alert compatible with Windows 8.1?
     
  20. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Could it be the new httpS-setting (Firefox 91/92)? Download is from a http-server…
     
  21. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
  22. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Yes, HitmanPro.Alert is compatible with Windows 8.1.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thank You!
     
  24. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    Mark,
    Program is still broken. Booting Virtual Box does not run on Win7 32-bit when HMPA is installed. Reported this once before and verified by your group, but not fixed. Is this at the bottom of the priority list?

    Time to uninstall (again). I'm not using a license, so I can't disable anything as a work-around. :thumbd:
    2021-09-10_221610.png
     
    Last edited: Sep 10, 2021
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Yes, that was it.

    Thanks guys. :thumb:
     