Detection of hiding a process by HIPS

Discussion in 'other anti-malware software' started by aigle, Jul 18, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, you are right. The test is not a PASS if there is no such detection by the HIPS.
     
  2. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    NAB is silent...

    OA did not watch this kind of behaviour.

    GMER of course reports the hidden process.

    Regards,

    MaB
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I do believe, now that I think of it, SSM's process monitor shows the hidden process in grey. Not sure.
     
  4. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    When run "untrusted", DefenseWall doesn't let it do its hiding stuff by stopping the load of its driver HideProcDrv.sys. HideProc opens but it is just not "seeing" any active process other than itself. No alert given.

    If run "trusted", SSM Pro asks if I want to allow Services.exe to load this driver, but when I say yes I instantly receive a BSOD (tried 3 times).
     
  5. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    I confirm: SSM Pro gives two alerts, and does not detect the hiding of notepad. :(
     
  6. Remouald

    Remouald Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    99
    Can't test it with ProSecurity; I got a BSOD when the driver loads...
     
  7. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    Bumping this post with more results

    Mamutu did not detect the hidden process.
    AVZ catches it (on-demand scan).
    F-Secure BlackLight, TM RootkitBuster and AVG Anti-Rootkit found the hidden process.

    Regards,

    MaB
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    EQS 4.0 Beta catches every approach of this test app instantly, including the attempt to load the driver.

    Sorry, but I don't understand this test. I've used real rootkits that the EQS HIPS intercepts, and this one is so very simple.

    Am I missing something? Or is it just that those other apps are blind to this driver loading?

    Thanks EASTER
     
  9. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    Easter, no offense, but you did not understand the main goal of aigle's test: detection of a hidden/cloaked process by security apps.

    Regards,

    MaB
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I understand, and none taken.

    Perhaps I just don't see the logic in it ATM. If you drop your guard, yes, a "hidden" may very well go undetected upon re-enabling, if that's what was purposed. In that case, deep analysis tools would come into play to disengage such an invasive intrusion, and the HIPS, having been off-line so to speak, might very well disregard it entirely.

    In that case, an AV/AS would need to be implemented to scan for these types of hiddens.

    But I see the point: if nothing is "resident" then such intrusions can easily go undetected. Seems at one point SSM was investigating if anything got added while it was out-of-service, so to speak, upon initiating again; dunno if that was ever implemented or, if so, how well it does.

    Thanks EASTER
     
  11. Remouald

    Remouald Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    99

    Finally tested it with ProSecurity (1.43) on my main machine. PS fails to detect the hiding process :'(
     
  12. Ohmy

    Ohmy Guest

    Is DW supposed to pass this test?
     
  13. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello Ohmy,

    I can personally confirm that DefenseWall successfully blocks HideProc.


    Peace & Gratitude,

    CogitoErgoSum
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle, CogitoErgoSum,

    How good of you to test both GW and DW so often.

    Thanks :thumb: :thumb:
     
  15. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello Kees1958,

    You are very welcome. Just doing my modest part to keep DW visible.


    Peace & Gratitude,

    CogitoErgoSum
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    HideProc installs a driver that is not detected on some XP machines. Comodo people have acknowledged this bug and it will be fixed in the next update. :thumb:
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    I have tested SSM Pro and it's able to detect the hidden process; however, it's not able to prevent the hiding of the process. Same goes for NG. Process Explorer also can't see the hidden process, btw.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    How?

    What about driver install?
     
  19. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I think the real result should be not hiding prevention, but the ability of a hidden process to do things that a visible process cannot, for example tamper with memory, inject DLLs, etc.
     
  20. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hello everybody :thumb:,

    HideProc: not a bad toy, to divert oneself a little...

    For my example: sched.exe, from Avira AntiVir (Antivirus Scheduler), hidden by HideProc:

    # GMER: " Warning !!! GMER has found system modification, which might have been caused by ROOTKIT activity ."
    I see the line in RED: " Process : C/Program Files/Avira/AntiVir Personal.../sched.exe ¤¤¤hidden¤¤¤ "

    # RootAlyzer: Quick scan: one wheel in RED, and, in red: " Invisible processes ( from handles ) ". Double-click: Properties / Terminate / Save as file / OK.

    # KX-Ray: I see the Processes tab: in BLACK: sched.exe. SSDT tab: in BLACK: Module HideProcDrv.sys

    # SREng: I see near the clock: " WARNING : System Repair Engineer found 1 hidden processes. "
    Smart Scan: warning in yellow: " System Repair Engineer has detected a valid 3rd-party upload plug-in which have valid digital signatures in Upload sub-directory. ( YEAH!!!:cool: ) When you use 'Copy Suspicious Files to Suspicious Files sub-directory automatically function ...' ". Hidden Process: C / Program Files / Avira ... / sched.exe. Well, well... :cool:

    OTHER toy to divert oneself... www.SemanticHacker.com/
    Other: http://personal-computer-tutor.com/rot13.htm
    ...and another: Google: Escapa! :doubt: :doubt:

    Do you know a toy (similar to HideProc) for spyware / adware? ...

    Thanks, PROROOTECT :cool:
     
  21. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    EQS gives all the necessary prompts... And this tool gives some DRIVER_IRQL_NOT_LESS_OR_EQUAL BSODs (?).
     
  22. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    ... and I would appreciate any feedback on my previous post, please...

    Thanks:)
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re:- SSM,


    Yes, it is detected and alert shown.

    I have been looking at this more with SSM, as for simple example:

    For a single application with rules, you can bring up the rules for that application; if you look, the end tab is for "options", which includes an option for "Do not alert if detected as hidden". This does not appear to work as expected. I would also expect, or at least would like, this option on the groups rather than just as an option per application. I will ask SSM about this; I know I trust Vitk at SSM to answer/resolve any possible problems.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for letting us know that.

    Out of all classical HIPS, only SSM has a (sort of) real-time process monitor. No other HIPS has such a feature as far as I know. It's a great feature indeed.
     
  25. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I allowed HideProc to hide some tests. Despite this, OA gave me the very same alerts it gives without hiding those tests. I agree it would be nice to get notified of such strange activity, but I think for security purposes it is enough that a hidden process cannot do more than a non-hidden one.
     