Interesting HIPS leak test

Discussion in 'other anti-malware software' started by aigle, Jan 3, 2009.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    The utility is here( first post).

    http://bbs.kafan.cn/thread-201741-1-5.html

    Or direct download from here.

    ht tp://rapidshare.com/files/179482638/Project1.exe

    How to use: Drag the button from this utility to any application,s window, press Enter SPACE and the GUI/ window of other application will disappear( become invisible) although the application is still running in the task manager.

    Not sure what can be practical implication of this but I am told that same method can used to kill an application/ process. I am unable to read the Chineese forum, so one can correct me if i am wrong.

    I tried:

    GesWall - - - - - - -- - - - failed
    Comodo Defence Plus - - - - failed

    Try ur HIPS, guys! Let,s have a fun. :D :D

    Thanks a lot to xiaolin for his help and sending me the file.
     
    Last edited by a moderator: Jan 3, 2009
  2. wat0114

    wat0114 Guest

    Is there something else that needs to be done such as set the parent or type something in the Edit fields? All that happens here is the utility itself disappears - not the app's window - with no alerts from MD.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmm.... i don,t know really. It,s Chineese all.

    MD is supposed to defend against this I think. BTW can u explain how did u use it? I wrote a bit wrong, Press SPACE instead of Enter. I edited my post. Sorry

    Thanks
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I dont get it either.o_O
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    man it is in korean:D ,dont get ito_O
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    @djohn
    @jmonge

    Did u try to run it in the way i posted? Results?
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    OK

    I'll bite....but this is full of mystery

    Anyone taken on some training with this one yet o_O
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    i did the direct download second choice and run it from there and processguard got it and block it,it alerted me and aplied block,now i will apply allow and see what happens:thumb:
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    i did press space bottom and the gui and nothing happenso_O
     
  10. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Do I drag to the gui of comodo and hit space and the Gui is suppose to disapear am I correct.Is nothing happens maybe I am doing something wrong.
     
  11. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    This is one weird test... I ran it sandboxed. It deleted even my tray icons when i dragged it to the systray! :argh: On the other hand, it took it 3 tries to delete fastone screencapture and while it disappeared from the working space, it was still running in the task manager.

    Threatfire didn't notice anything. This thing is like a GUI eraser. I also used it against Nero CD Speed. The GUI disappeared, but the process was still running. So it doesn't KILL the process, it "erases" the GUI...
     
  12. wat0114

    wat0114 Guest

    okay I got it to work using your initial instructions (hitting Enter) aigle, but it was on Foxit reader. MD alerted me (attempt to manipulate window of another process), but foxit still minimized even though I chose Deny?? Further attempts, however, resulted in nothing happening, other than the utility minimizing. So MD detected it at first but did not stop the utility from minimizing Foxit app's window on Deny selection. The results don't seem conclusive to me yet.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes but I am told that same techinique can be used to kill a process but one will need to write such a utility.
     
  14. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I am not an expert to be able to give a good answer to the feasibility of this, but IMHO, really KILLING the process, may be a tad different and may trigger a classical hips like Comodo. I would be very curious to see such a kill test in action, if someone decides to write it. I can't beleive easily that a classical hips will allow termination of a process without blinking.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for that nfo

    I certainly expect some results now.

    Plus i didn't untill now read that MD's developer fashioned it.

    EASTER
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Here is how I tested it.
     

    Attached Files:

  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Great screenshot.

    This will help those who might get lost in how to test this POC.

    Thanks from Easter on behalf of everyone else.

    EASTER
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Last edited by a moderator: Jan 3, 2009
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ah... I thought i posted wrong link.
     
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    no that was ok;)
     
  22. BrendanK.

    BrendanK. Guest

    Wait no sorry. OA fails :(
     
  23. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    What if you check some of the protection options in the advanced options?

    Edit: The settings can be found in the Programs section and then right-click the program/exe and click Advanced Options. The protection options include settings such as "Protect from Termination".
     
    Last edited: Jan 4, 2009
  24. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Not sure how this app can be classified as malicious ...

    And oh, its Chinese

     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    ooopppss:D chinnese:cool:
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.