Mitigation: ROP
Firefox portable ESR v52.3.0
HMP.A 712 beta
Windows 10 Pro x64 / 1703 / 15063.540
Right after updating an extension (uBlock Origin) this happened:

Code:
  Mitigation   ROP
  Platform     10.0.15063/x64 v712 06_9e
  PID          2336
  Application  C:\Users\***\Downloads\FirefoxPortableESR\App\firefox64\firefox.exe
  Description  Firefox 52.3
  Callee Type  ProtectVirtualMemory
               0x000001F9C9BF5000 (4096 bytes)

  Branch Trace                               Opcode   To
  ----------------------------------------   -------- ----------------------------------------
  _aligned_free +0xd4 RET 0x00007FF83BE5ED1E xul.dll ^0002 0x00007FF8648F51E4 mozglue.dll RtlLeaveCriticalSection +0x39 RET _aligned_free +0xb6 ^001D 0x00007FF87838FF89 ntdll.dll 0x00007FF8648F51C6 mozglue.dll _aligned_free +0x201 RET _aligned_free +0x8c ^000A 0x00007FF8648F5311 mozglue.dll 0x00007FF8648F519C mozglue.dll memset +0x19f RET _aligned_free +0x7b ^0001 0x00007FF864CCC91F vcruntime140.dll 0x00007FF8648F518B mozglue.dll RtlEnterCriticalSection +0x2a RET _aligned_free +0x59 ^0022 0x00007FF87837447A ntdll.dll 0x00007FF8648F5169 mozglue.dll 0x00007FF83C22B6B6 xul.dll RET 0x00007FF83BE5ECF5 xul.dll ^0001 _aligned_free +0xd4 RET 0x00007FF83C22B6B2 xul.dll ^0002 0x00007FF8648F51E4 mozglue.dll RtlLeaveCriticalSection +0x39 RET _aligned_free +0xb6 ^0046 0x00007FF87838FF89 ntdll.dll 0x00007FF8648F51C6 mozglue.dll _aligned_free +0x201 RET _aligned_free +0x8c ^0010 0x00007FF8648F5311 mozglue.dll 0x00007FF8648F519C mozglue.dll memset +0x51 RET _aligned_free +0x7b ^003C 0x00007FF864CCC7D1 vcruntime140.dll 0x00007FF8648F518B mozglue.dll RtlEnterCriticalSection +0x2a RET _aligned_free +0x59 ^001E 0x00007FF87837447A ntdll.dll 0x00007FF8648F5169 mozglue.dll 0x00007FF83E054C68 xul.dll RET 0x00007FF83BE5ECE9 xul.dll ^0004 0x00007FF83BFFEC28 xul.dll RET 0x00007FF83BE5ECD9 xul.dll ^000C 0x00007FF83BF460AD xul.dll RET 0x00007FF83BE5ECA8 xul.dll ^0003 0x00007FF83C4A3846 xul.dll RET 0x00007FF83BF4608D xul.dll ^0186 0x00007FF83BF4624F xul.dll RET 0x00007FF83BF45F90 xul.dll ^07D9 0x00007FF83BCD4082 xul.dll RET 0x00007FF83BE5EC07 xul.dll ^0003 0x00007FF83C4A3846 xul.dll RET 0x00007FF83BCD406B xul.dll ^0003 _aligned_free +0xd4 RET 0x00007FF83BCD405B xul.dll ^0002 0x00007FF8648F51E4 mozglue.dll RtlLeaveCriticalSection +0x39 RET _aligned_free +0xb6 ^001E 0x00007FF87838FF89 ntdll.dll 0x00007FF8648F51C6 mozglue.dll _aligned_free +0x201 ~ RET* WaitForSingleObject() ^0278 0x00007FF8648F5311 mozglue.dll 0x00007FF8749B97E0 KernelBase.dll 4533c0 XOR R8D, R8D e908000000 JMP 0x7ff8749b97f0

  Stack Trace
  #  Address          Module                   Location
  -- ---------------- ------------------------ ----------------------------------------
  1  00007FF8749E1735 KernelBase.dll           VirtualProtect +0x35
  2  00007FF83C1C1135 xul.dll
                      85c0             TEST EAX, EAX
                      743d             JZ 0x7ff83c1c1176
                      488b0dd8839102   MOV RCX, [RIP+0x29183d8]
                      483bd9           CMP RBX, RCX
                      0f822bf44d00     JB 0x7ff83c6a0574
                      4881c100000040   ADD RCX, 0x40000000
                      483bf9           CMP RDI, RCX
                      0f871bf44d00     JA 0x7ff83c6a0574
                      b001             MOV AL, 0x1
                      488b5c2448       MOV RBX, [RSP+0x48]
                      4883c430         ADD RSP, 0x30
                      5f               POP RDI
                      c3               RET
  3  00007FF83BFFAB56 xul.dll
  4  00007FF83BE5ED3D xul.dll
  5  00007FF83BCD44A0 xul.dll
  6  00007FF83BCE7B80 xul.dll
  7  00007FF83C52CDF8 xul.dll
  8  00007FF83BCF14F2 xul.dll
  9  00007FF83BD82BE9 xul.dll
  10 000001F9C902AFCD (anonymous; xul.dll)

  Process Trace
  1  C:\Users\***\Downloads\FirefoxPortableESR\App\Firefox64\firefox.exe [2336]
     "C:\Users\***\Downloads\FirefoxPortableESR\App\firefox64\firefox.exe" -profile "C:\Users\***\Downloads\FirefoxPortableESR\Data\profile"
  2  C:\Users\***\Downloads\FirefoxPortableESR\FirefoxPortable.exe [1532]
  3  C:\Program Files\totalcmd\TOTALCMD64.EXE [5880]
  4  C:\Windows\explorer.exe [2492]
  5  C:\Windows\System32\userinit.exe [3496]
  6  C:\Windows\System32\winlogon.exe [844]
     winlogon.exe

  Thumbprint
  578f002a05d83cdf56daa0a04e67f1d9fc01dc66aadf9bbe319fbe146e0c9283
After starting (and stopping) the service "ConnectMonSvc.exe" (NoVirusThanks ConnectMonSvc) I was greeted with an APC Violation. The number of alerts climbed from 2 to 144. The service is injecting a DLL into a lot of processes. This issue has been solved by excluding the service "ConnectMonSvc.exe". APC Protection is still enabled within HMP.A, and after launching the service it doesn't trigger an alert anymore.

Code:
  Mitigation   APCViolation
  Platform     10.0.15063/x64 v712 06_9e
  PID          6104
  Application  C:\Program Files\NoVirusThanks\ConnectMonSvc\Service\ConnectMonSvc.exe
  Description  NoVirusThanks ConnectMonSvc 1.1
  Callee Type  ProtectVirtualMemory
               NtQueueApcThread: kernel32.dll+0x18F20
               Context    : 0000026DE2130000 (unknown)
               Target PID : 936

  Stack Trace
  #  Address          Module                   Location
  -- ---------------- ------------------------ ----------------------------------------
  1  00007FFB97CEB0B3 hmpalert.dll             +0x2b0b3
  2  00007FFB97CE3DF3 hmpalert.dll             +0x23df3
  3  00000000005ABAA0 ConnectMonSvc.exe
                      3b0546af0300     CMP EAX, [RIP+0x3af46]
                      0f94c0           SETZ AL
                      84c0             TEST AL, AL
                      0f95c0           SETNZ AL
                      480fb6c0         MOVZX RAX, AL
                      f7d8             NEG EAX
                      89453c           MOV [RBP+0x3c], EAX
                      eb36             JMP 0x5abaef
  4  00000000005ABE0B ConnectMonSvc.exe
  5  00000000005AC059 ConnectMonSvc.exe
  6  00000000005ACF54 ConnectMonSvc.exe
  7  00000000005AB23B ConnectMonSvc.exe
  8  00000000005B0A02 ConnectMonSvc.exe
  9  000000000040B265 ConnectMonSvc.exe
  10 000000000040B2FA ConnectMonSvc.exe

  Thumbprint
  db795f2e1562efc14f6108240ceee13fa3f25128a3a992fcba8a0c76e4f64a62
Yesterday I had severe performance problems on my PC. Task Manager showed that the RAM was almost full, but none of the applications used a significant amount of memory. RAMMap.exe showed that there were 8GB of memory allocated in the Nonpaged Pool. Poolmon.exe from the Windows Driver Kit listed a pool tag named "HMPS" as responsible for allocating this much storage. The "findstr /m /l /s HMPS *.sys" command showed that the only sys file containing a string called "HMPS" is hmpalert.sys. I therefore suppose that there is some sort of memory leak in your driver. I am currently using version 710.
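An added PowerShell version of the same diagnosis (not from the post or from the HMP.A project): it reads the current nonpaged pool size from the performance counter and then searches the driver directory for files containing a pool tag, which is what the post's findstr command did. The tag HMPS comes from the post; the driver directory, the 1 GB threshold and the poolmon switches are assumptions.

```powershell
# Added example, not from the thread. Mirrors the post's
# "findstr /m /l /s HMPS *.sys" and adds the pool-size check that led to it.

# Nonpaged pool currently in use, in MB (the counter reports bytes).
function Get-NonpagedPoolMB {
    $sample = Get-Counter -Counter '\Memory\Pool Nonpaged Bytes'
    [math]::Round($sample.CounterSamples[0].CookedValue / 1MB, 1)
}

# Driver images under $DriverDir that contain the 4-byte tag string.
# Pool tags are four ASCII characters, so a literal, case-sensitive match is
# enough; -List stops at the first hit per file, like findstr /m.
function Find-PoolTagOwner {
    param(
        [Parameter(Mandatory)][ValidateLength(4, 4)][string]$Tag,
        # Assumed location of third-party drivers; adjust if needed.
        [string]$DriverDir = "$env:SystemRoot\System32\drivers"
    )
    Get-ChildItem -Path $DriverDir -Filter *.sys -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $Tag -SimpleMatch -CaseSensitive -List |
        ForEach-Object { $_.Path }
}

$nonpagedMB = Get-NonpagedPoolMB
"Nonpaged pool in use: $nonpagedMB MB"
# Assumed threshold: above 1 GB on a desktop is worth a look with poolmon.
if ($nonpagedMB -gt 1024) {
    "Nonpaged pool is unusually large; run 'poolmon -p -b' and note the top tag."
}
# The tag the post traced; with HMP.A installed this should list hmpalert.sys.
Find-PoolTagOwner -Tag 'HMPS'
```

Run from an elevated prompt so the counter and the driver directory are readable.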
Thanks very much for your analysis, Headcool. Suspicions of memory leak were reported before (search: https://www.wilderssecurity.com/search/4122141/?q=memory leak&t=post&o=date&c[thread]=394398) but without the analysis such as yours, so thanks very much for that. I hope @erikloman and @markloman are aware of this issue, so that it will be fixed in the next build.
I had similar problems this Tuesday (Cumulative Update Win10 1703). I clicked several times on "Search Updates" (Windows Update) and it found nothing. After the 4th-5th time it found updates and Windows was downloading them. After Windows finished the download, "No update available" was displayed and nothing was installed. After I stopped the HMP.A service, Windows was able to download & install updates without problems. And I noticed that the time of the last update check is now displayed ("Status - Last check: Today ...") (with HMP.A installed this info was missing). There seems to be a Windows Update interference if HMP.A is installed.
I had the same, and because of past experiences, I actually uninstalled HMPA (rather than just stopping the service), but WU still found nothing, so I ended up downloading KB4038788 from the MS Catalog and it successfully installed. WU then found the other updates (Flash, MRT, Office updates etc.), downloaded and installed them. So I am really puzzled now.

Previously I also could not run DISM or SFC with HMPA installed (but that was not the case now), and the solution (from Mark himself) was to:
1. Stop the HitmanPro.Alert Service
2. Rename or delete the excalibur.db in C:\ProgramData\HitmanPro.Alert
3. Reboot the machine or start the HitmanPro.Alert service again.

The fact that WU didn't find anything even with HMPA uninstalled would point to something else being the cause. But I must say, I am pleased someone else (especially you @mood; well, not pleased really - but you know what I mean) has experienced issues in this regard. I only have had these Cumulative Update issues on the one machine that has HMPA installed, build 604->712 (on three other machines the same update went smoothly). So I also still do suspect there can seem to be a Windows Update interference if HMP.A is (or has been?) installed. I did not check if HMPA ProgramData (excalibur.db, if that could be a culprit) was still there after the uninstall.

Edit: Continuing previous PM with Mark, I have passed on #490.
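The three-step reset quoted above as a PowerShell function; this is an added example, not code from the thread or from HitmanPro. It assumes the service's display name starts with "HitmanPro.Alert" and that excalibur.db lives in C:\ProgramData\HitmanPro.Alert as the post states; it renames the file with a timestamp instead of deleting it so the change can be reverted.

```powershell
# Added example, not from the thread: stop the HitmanPro.Alert service, move
# excalibur.db aside, and start the service again (the post's step 3 option
# that avoids a reboot).
function Reset-HmpaDatabase {
    param(
        # Path given in the post.
        [string]$DbPath = 'C:\ProgramData\HitmanPro.Alert\excalibur.db'
    )
    # Assumption: the display name starts with "HitmanPro.Alert".
    $svc = Get-Service -DisplayName 'HitmanPro.Alert*' | Select-Object -First 1
    if (-not $svc) { throw 'HitmanPro.Alert service not found' }

    # 1. Stop the service and wait until it has actually stopped.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }

    # 2. Rename rather than delete, so the database can be restored if needed.
    if (Test-Path -LiteralPath $DbPath) {
        $backupName = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f (Split-Path -Leaf $DbPath), (Get-Date)
        Rename-Item -LiteralPath $DbPath -NewName $backupName
        "Renamed excalibur.db to $backupName"
    } else {
        "No excalibur.db at $DbPath; nothing to rename"
    }

    # 3. Start the service again and report its state.
    Start-Service -Name $svc.Name
    (Get-Service -Name $svc.Name).Status
}

# Must run elevated; returns the service status after the restart.
Reset-HmpaDatabase
```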
In my case I can exclude that something else was broken, because Windows Update found updates & was able to install them right after the service was stopped. After booting up my PC today (without HMP.A), I can again see a correct status (WU): "Status - Last check: Today, ..." And I have disabled a lot of mitigations. In the category "Process Protection" only the first option was enabled, and all "new" features related to 3.7 (Credential Theft Protection, Local Privilege Escalation, ...) were disabled. Nevertheless there is still a (silent) conflict if HMP.A is installed.
That had been my experience too, for the last few Cumulative Updates. Hence my confusion yesterday. Similarly I could run DISM ... /checkhealth and SFC /scannow just by disabling HMPA service, otherwise not. (I wondered then if DISM forms part of the WU process, the discovery of required updates ...). But anyway, hope Mark takes a deeper look at this. It doesn't seem pervasive, as there would surely be other reports?
Btw just for info, I reinstalled HMPA after this round of Windows Updates, and now with HMPA up and running I do see the WU "Status - Last check: Today, ..." after running a check. Although I think I also had that message before. WU just didn't find anything. (I also have Credential Theft Protection, Local Privilege Escalation disabled). It is a bit of a head-scratcher. At least I'm not alone, though I remember now @shmu26 also had a similar issue: https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-17#post-2696388.
A question for @erikloman: is HP.Alert at present able to prevent this type of attack? https://blog.checkpoint.com/2017/09/11/beware-bashware-new-method-malware-bypass-security-solutions/
Wow, that sucks. I hope security vendors cover this method of attack quickly. Thank you for the heads up!
Also a write up on it here https://www.wilderssecurity.com/thr...nux-shell-to-bypass-security-software.396662/
I am in the unfortunate position that I still have to work on a Vista x86 physical machine for a little longer than I really want to (an upgrade to Win7 is in the works). Yesterday I noticed that the stable build 3.6.7.604 does not protect applications on Vista x86 anymore and I cannot trace when that started. HMPA is supposed to work on Vista, but what I found is that it only does on Vista x64. On Vista x86 all programs are unprotected, as shown in Exploit protection > Active programs (titles translated from Dutch). Even when I try to protect them, by switching protection off and on and then restarting the application (e.g. Firefox), programs always appear as unprotected. Then I tested HMPA 3.6.7.604 in a fresh Vista x86 VM and got the same result: no protection. Then I tried the latest beta 3.7.712 and it was the same: no protection for Vista x86. I did not test the beta on Vista x64 as the stable build already works in Vista x64. One noteworthy addition: in a test upgrade to Windows 7 x86 from the same Vista x86 physical machine, HMPA does work after the upgrade.