HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,888
    Location:
    Outer space
    Disabling LoadLib for Firefox.exe worked for me.

    Great, awaiting new HMPA build :)
     
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    461
    Hi, thanks to you and Mark for the tip. I will have to check that out.
     
  3. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    301
    Interesting. That had not worked in my case.
     
  4. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,570
    I don't have Office 365 to test it, but the issue will be fixed soon:
     
  5. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    455
    Location:
    italy
    news? :isay:
     
  6. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,570
    Mitigation: ROP

    Firefox portable ESR v52.3.0
    HMP.A 712 beta
    Windows 10 Pro x64 / 1703 / 15063.540

    right after updating of an extension (uBlock Origin) this happened:
    Code:
    Mitigation   ROP
    
    Platform     10.0.15063/x64 v712 06_9e
    PID          2336
    Application  C:\Users\***\Downloads\FirefoxPortableESR\App\firefox64\firefox.exe
    Description  Firefox 52.3
    
    Callee Type  ProtectVirtualMemory
                 0x000001F9C9BF5000 (4096 bytes)
    
    Branch Trace                              Opcode  To                                    
    ---------------------------------------- -------- ----------------------------------------
    _aligned_free +0xd4                          RET  0x00007FF83BE5ED1E xul.dll ^0002      
    0x00007FF8648F51E4 mozglue.dll                                                          
    
    RtlLeaveCriticalSection +0x39                RET  _aligned_free +0xb6 ^001D            
    0x00007FF87838FF89 ntdll.dll                      0x00007FF8648F51C6 mozglue.dll        
    
    _aligned_free +0x201                         RET  _aligned_free +0x8c ^000A            
    0x00007FF8648F5311 mozglue.dll                    0x00007FF8648F519C mozglue.dll        
    
    memset +0x19f                                RET  _aligned_free +0x7b ^0001            
    0x00007FF864CCC91F vcruntime140.dll               0x00007FF8648F518B mozglue.dll        
    
    RtlEnterCriticalSection +0x2a                RET  _aligned_free +0x59 ^0022            
    0x00007FF87837447A ntdll.dll                      0x00007FF8648F5169 mozglue.dll        
    
    0x00007FF83C22B6B6 xul.dll                   RET  0x00007FF83BE5ECF5 xul.dll ^0001      
    
    _aligned_free +0xd4                          RET  0x00007FF83C22B6B2 xul.dll ^0002      
    0x00007FF8648F51E4 mozglue.dll                                                          
    
    RtlLeaveCriticalSection +0x39                RET  _aligned_free +0xb6 ^0046            
    0x00007FF87838FF89 ntdll.dll                      0x00007FF8648F51C6 mozglue.dll        
    
    _aligned_free +0x201                         RET  _aligned_free +0x8c ^0010            
    0x00007FF8648F5311 mozglue.dll                    0x00007FF8648F519C mozglue.dll        
    
    memset +0x51                                 RET  _aligned_free +0x7b ^003C            
    0x00007FF864CCC7D1 vcruntime140.dll               0x00007FF8648F518B mozglue.dll        
    
    RtlEnterCriticalSection +0x2a                RET  _aligned_free +0x59 ^001E            
    0x00007FF87837447A ntdll.dll                      0x00007FF8648F5169 mozglue.dll        
    
    0x00007FF83E054C68 xul.dll                   RET  0x00007FF83BE5ECE9 xul.dll ^0004      
    
    0x00007FF83BFFEC28 xul.dll                   RET  0x00007FF83BE5ECD9 xul.dll ^000C      
    
    0x00007FF83BF460AD xul.dll                   RET  0x00007FF83BE5ECA8 xul.dll ^0003      
    
    0x00007FF83C4A3846 xul.dll                   RET  0x00007FF83BF4608D xul.dll ^0186      
    
    0x00007FF83BF4624F xul.dll                   RET  0x00007FF83BF45F90 xul.dll ^07D9      
    
    0x00007FF83BCD4082 xul.dll                   RET  0x00007FF83BE5EC07 xul.dll ^0003      
    
    0x00007FF83C4A3846 xul.dll                   RET  0x00007FF83BCD406B xul.dll ^0003      
    
    _aligned_free +0xd4                          RET  0x00007FF83BCD405B xul.dll ^0002      
    0x00007FF8648F51E4 mozglue.dll                                                          
    
    RtlLeaveCriticalSection +0x39                RET  _aligned_free +0xb6 ^001E            
    0x00007FF87838FF89 ntdll.dll                      0x00007FF8648F51C6 mozglue.dll        
    
    _aligned_free +0x201                       ~ RET* WaitForSingleObject() ^0278          
    0x00007FF8648F5311 mozglue.dll                    0x00007FF8749B97E0 KernelBase.dll    
                        4533c0                   XOR          R8D, R8D
                        e908000000               JMP          0x7ff8749b97f0
    
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FF8749E1735 KernelBase.dll           VirtualProtect +0x35
    
    2  00007FF83C1C1135 xul.dll              
                        85c0                     TEST         EAX, EAX
                        743d                     JZ           0x7ff83c1c1176
                        488b0dd8839102           MOV          RCX, [RIP+0x29183d8]
                        483bd9                   CMP          RBX, RCX
                        0f822bf44d00             JB           0x7ff83c6a0574
                        4881c100000040           ADD          RCX, 0x40000000
                        483bf9                   CMP          RDI, RCX
                        0f871bf44d00             JA           0x7ff83c6a0574
                        b001                     MOV          AL, 0x1
                        488b5c2448               MOV          RBX, [RSP+0x48]
                        4883c430                 ADD          RSP, 0x30
                        5f                       POP          RDI
                        c3                       RET      
    
    3  00007FF83BFFAB56 xul.dll              
    4  00007FF83BE5ED3D xul.dll              
    5  00007FF83BCD44A0 xul.dll              
    6  00007FF83BCE7B80 xul.dll              
    7  00007FF83C52CDF8 xul.dll              
    8  00007FF83BCF14F2 xul.dll              
    9  00007FF83BD82BE9 xul.dll              
    10 000001F9C902AFCD (anonymous; xul.dll)  
    
    Process Trace
    1  C:\Users\***\Downloads\FirefoxPortableESR\App\Firefox64\firefox.exe [2336]
    "C:\Users\***\Downloads\FirefoxPortableESR\App\firefox64\firefox.exe" -profile "C:\Users\***\Downloads\FirefoxPortableESR\Data\profile"
    2  C:\Users\***\Downloads\FirefoxPortableESR\FirefoxPortable.exe [1532]
    3  C:\Program Files\totalcmd\TOTALCMD64.EXE [5880]
    4  C:\Windows\explorer.exe [2492]
    5  C:\Windows\System32\userinit.exe [3496]
    6  C:\Windows\System32\winlogon.exe [844]
    winlogon.exe
    
    Thumbprint
    578f002a05d83cdf56daa0a04e67f1d9fc01dc66aadf9bbe319fbe146e0c9283
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,185
    Location:
    The etherlands
    @mood Was that uB0 1.13.8, or a later WebExtension version, like 1.14.4?
     
  8. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,570
    the WebExtension version of uBO (Pre-release)
     
  9. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    44
    +1
     
  10. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,570
    After starting (and stopping) the service "ConnectMonSvc.exe" (NoVirusThanks ConnectMonSvc) I was greeted with an APC Violation. The number of Alerts climbed from 2 to 144 :ninja:
    The service is injecting a dll into a lot of processes :doubt:

    This issue has been solved by excluding the service "ConnectMonSvc.exe".
    APC Protection is still enabled within HMP.A, and after launching the service it doesn't trigger an alert anymore.
    Code:
    Mitigation   APCViolation
    
    Platform     10.0.15063/x64 v712 06_9e
    PID          6104
    Application  C:\Program Files\NoVirusThanks\ConnectMonSvc\Service\ConnectMonSvc.exe
    Description  NoVirusThanks ConnectMonSvc 1.1
    
    Callee Type  ProtectVirtualMemory
    
    NtQueueApcThread: kernel32.dll+0x18F20
    Context         : 0000026DE2130000 (unknown)
    Target PID      : 936
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFB97CEB0B3 hmpalert.dll             +0x2b0b3
    2  00007FFB97CE3DF3 hmpalert.dll             +0x23df3
    
    3  00000000005ABAA0 ConnectMonSvc.exe      
                        3b0546af0300             CMP          EAX, [RIP+0x3af46]
                        0f94c0                   SETZ         AL
                        84c0                     TEST         AL, AL
                        0f95c0                   SETNZ        AL
                        480fb6c0                 MOVZX        RAX, AL
                        f7d8                     NEG          EAX
                        89453c                   MOV          [RBP+0x3c], EAX
                        eb36                     JMP          0x5abaef
    
    4  00000000005ABE0B ConnectMonSvc.exe      
    5  00000000005AC059 ConnectMonSvc.exe      
    6  00000000005ACF54 ConnectMonSvc.exe      
    7  00000000005AB23B ConnectMonSvc.exe      
    8  00000000005B0A02 ConnectMonSvc.exe      
    9  000000000040B265 ConnectMonSvc.exe      
    10 000000000040B2FA ConnectMonSvc.exe      
    
    Thumbprint
    db795f2e1562efc14f6108240ceee13fa3f25128a3a992fcba8a0c76e4f64a62
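    Both alert dumps in this thread (the ROP alert in post 6 and the APC Violation above) share one layout: header fields, a Stack Trace table with indented disassembly, a Process Trace and a Thumbprint. The following Python is added here as an example and is not part of the thread or of HitmanPro.Alert; it parses that layout and pulls out what a responder checks first (which modules the chain runs through, whether any frame is in anonymous memory, and the parent process chain). The sample is an abridged copy of the ROP alert from post 6; the field names are exactly as HMP.A prints them.

```python
import re
from collections import Counter

# Abridged copy of the ROP alert posted in the thread (branch trace and most disassembly removed).
SAMPLE_ALERT = r"""Mitigation   ROP
PID          2336
Application  C:\Users\***\Downloads\FirefoxPortableESR\App\firefox64\firefox.exe
Callee Type  ProtectVirtualMemory

Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  00007FF8749E1735 KernelBase.dll           VirtualProtect +0x35

2  00007FF83C1C1135 xul.dll
                    85c0                     TEST         EAX, EAX
3  00007FF83BFFAB56 xul.dll
10 000001F9C902AFCD (anonymous; xul.dll)

Process Trace
1  C:\Users\***\Downloads\FirefoxPortableESR\App\Firefox64\firefox.exe [2336]
2  C:\Users\***\Downloads\FirefoxPortableESR\FirefoxPortable.exe [1532]
"""

HEADER_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description|Callee Type)\s{2,}(.+?)\s*$")
# Frame lines start with the frame number; indented disassembly lines therefore never match.
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{16})\s+(\(anonymous[^)]*\)|\S+)\s*(.*?)\s*$")
PROC_RE = re.compile(r"^(\d+)\s+(.+?) \[(\d+)\]\s*$")

def parse_alert(text):
    """Split an HMP.A alert into header fields, stack frames and the process chain."""
    report = {"header": {}, "frames": [], "processes": []}
    section = "header"
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("Stack Trace", "Process Trace", "Thumbprint"):
            section = stripped
        elif section == "header" and (m := HEADER_RE.match(line)):
            report["header"][m.group(1)] = m.group(2)
        elif section == "Stack Trace" and (m := FRAME_RE.match(line)):
            report["frames"].append(dict(n=int(m.group(1)), address=m.group(2), module=m.group(3), location=m.group(4)))
        elif section == "Process Trace" and (m := PROC_RE.match(line)):
            report["processes"].append((m.group(2), int(m.group(3))))
    return report

def triage(report):
    """First things a responder checks: which modules the chain runs through and whether
    any frame lies outside a loaded image (JIT or heap memory, printed as "(anonymous; ...)")."""
    frames = report["frames"]
    return {
        "mitigation": report["header"].get("Mitigation"),
        "callee": report["header"].get("Callee Type"),
        "modules": dict(Counter(f["module"] for f in frames)),
        "anonymous_frames": [f["n"] for f in frames if f["module"].startswith("(anonymous")],
        "parent_chain": [path.rsplit("\\", 1)[-1] for path, _pid in report["processes"]],
    }
```

For the ROP alert the summary shows every frame inside KernelBase.dll or xul.dll except frame 10 in anonymous memory, which is consistent with JIT-generated Firefox code rather than a foreign payload; the same function applied to the APC alert lists only hmpalert.dll and ConnectMonSvc.exe frames.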
     
  11. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    128
    Location:
    Philippines
    When is the next update?!
     
  12. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    455
    Location:
    italy
    :)
     
  13. Headcool

    Headcool Registered Member

    Joined:
    Dec 8, 2015
    Posts:
    7
    Yesterday I had severe performance problems on my PC. Task Manager showed that the RAM was almost full, but none of the applications used a significant amount of memory. RAMMap.exe showed that there were 8GB of memory allocated in the Nonpaged Pool. Poolmon.exe from the Windows Driver Kit listed a pool tag named "HMPS" as responsible for allocating this much storage.
    The "findstr /m /l /s HMPS *.sys" command showed that the only sys file containing a string called "HMPS" is hmpalert.sys. I therefore suppose that there is some sort of memory leak in your driver. I am currently using version 710.
     
  14. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,510
    Location:
    the Netherlands
    Thanks very much for your analysis, Headcool.
    Suspicions of memory leak were reported before
    (search: https://www.wilderssecurity.com/search/4122141/?q=memory leak&t=post&o=date&c[thread]=394398)
    but without the analysis such as yours, so thanks very much for that.
    I hope @erikloman and @markloman are aware of this issue, so that it will be fixed in the next build.
     
  15. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,570
    I had similar problems this Tuesday (Cumulative Update Win10 1703).
    I clicked several times on "Search Updates" (Windows Update) and it found nothing. After the 4th-5th time it found updates and Windows started downloading them.
    After Windows had finished the download, "No update available" was displayed and nothing was installed o_O

    After I had stopped the HMP.A service, Windows was able to download & install updates without problems.
    And I noticed that the time of the last update check is now displayed ("Status - Last check: Today ...")
    (with HMP.A installed this info was missing :cautious:)

    There seems to be a Windows Update interference if HMP.A is installed :doubt:
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,185
    Location:
    The etherlands
    I had the same, and because of past experiences, I actually uninstalled HMPA (rather than just stopping the service), but WU still found nothing, so I ended up downloading KB4038788 from the MS Catalog and it successfully installed.

    WU then found the other updates (Flash, MRT, Office updates) etc., downloaded and installed them.

    So I am really puzzled now. Previously I also could not run DISM or SFC with HMPA installed (but that was not the case now), and the solution (from Mark himself) was to:

    1. Stop the HitmanPro.Alert Service
    2. Rename or delete the excalibur.db in C:\ProgramData\HitmanPro.Alert
    3. Reboot the machine or start the HitmanPro.Alert service again.

    The fact that WU didn't find anything even with HMPA uninstalled would point to something else being the cause. But I must say, I am pleased someone else (especially you @mood well, not pleased really - but you know what I mean), has experienced issues in this regard.

    I have only had these Cumulative Update issues on the one machine that has HMPA installed, build 604->712 (on three other machines the same update went smoothly).
    So I also still suspect there may be a Windows Update interference if HMP.A is (or has been?) installed. I did not check if HMPA ProgramData (excalibur.db, if that could be a culprit) was still there after the uninstall.

    Edit: Continuing previous PM with Mark, I have passed on #490.
     
    Last edited: Sep 14, 2017
  17. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,570
    In my case I can exclude that something else was broken, because Windows Update found updates & was able to install them right after the service had been stopped.
    After booting up my PC today (without HMP.A), I can see a correct status (WU) again: "Status - Last check: Today, ..."

    And i have disabled a lot of mitigations.
    In the category "Process Protection" only the first option was enabled, and all "new" features related to 3.7 (Credential Theft Protection, Local Privilege Escalation, ...) were disabled.
    Nevertheless there is still a (silent :cautious:) conflict if HMP.A is installed.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,185
    Location:
    The etherlands
    That had been my experience too, for the last few Cumulative Updates. Hence my confusion yesterday. Similarly I could run DISM ... /checkhealth and SFC /scannow just by disabling HMPA service, otherwise not.
    (I wondered then if DISM forms part of the WU process, the discovery of required updates ...).

    But anyway, hope Mark takes a deeper look at this. It doesn't seem pervasive, as there would surely be other reports?
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,185
    Location:
    The etherlands
    Btw just for info, I reinstalled HMPA after this round of Windows Updates, and now with HMPA up and running I do see the WU "Status - Last check: Today, ..." after running a check. :confused:
    Although I think I also had that message before. WU just didn't find anything.

    (I also have Credential Theft Protection, Local Privilege Escalation disabled).
    It is a bit of a head-scratcher. At least I'm not alone, though I remember now @shmu26 also had a similar issue: https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-17#post-2696388.
     
    Last edited: Sep 14, 2017
  20. Theblackstar

    Theblackstar Registered Member

    Joined:
    Mar 27, 2016
    Posts:
    25
    Location:
    Italia
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,221
    Location:
    USA
  22. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    8,892
    Location:
    England
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,221
    Location:
    USA
  24. Theblackstar

    Theblackstar Registered Member

    Joined:
    Mar 27, 2016
    Posts:
    25
    Location:
    Italia
    The problem is serious..... my question to @erikloman is about :(
     
  25. pimjoosten

    pimjoosten Registered Member

    Joined:
    Mar 28, 2014
    Posts:
    33
    Location:
    Amsterdam, The Netherlands
    I am in the unfortunate position that I still have to work on a Vista x86 physical machine for a little longer than I really want to (an upgrade to Win7 is in the works). Yesterday I noticed that the stable build 3.6.7.604 does not protect applications on Vista x86 anymore and I cannot trace when that started. HMPA is supposed to work on Vista, but what I found is that it only does on Vista x64. On Vista x86 all programs are unprotected, as shown in Exploit protection > Active programs (titles translated from Dutch). Even when I try to protect them, by switching protection off and on and then restarting the application (e.g. Firefox), programs always appear as unprotected.

    Then I tested HMPA 3.6.7.604 in a fresh Vista x86 VM and got the same result: no protection. Then I tried the latest beta 3.7.712 and it was the same: no protection for Vista x86. I did not test the beta on Vista x64 as the stable build already works in Vista x64. One noteworthy addition: in a test upgrade to Windows 7 x86 from the same Vista x86 physical machine, HMPA does work after the upgrade.