HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,347
    Location:
    Hollow Earth - Telos
    Is HMPA 3 the same thing as HMPA 2.6.5 that i have.
     
  2. guest

    guest Guest

    First of all: afaik attackers like Elderwood have only bypassed DEP and ASLR and not all the other mitigations. (Okay I read about shellcode that bypasses EMETs EAF being used in the wild recently)

    Based on testing I performed a method exists which is able to bypass:
    - HMP.Alert 3 hardware assisted CFI
    - EMET Caller/SimExecFlow
    - MBAE caller check
     
    Last edited by a moderator: Dec 20, 2014
  3. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,011
    Location:
    Canada
    Done, when I rebooted my computer the second icon came back, still no border on IE before and after removing the mitigations. Does this mean IE is unprotected or just not showing that it is protected?
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,562
    Location:
    Among the gum trees
  5. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Is that method based on ROP? If not, it doesn't count as bypass - can't judge an fish on its ability to climb trees. Care to share?
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    No border, no protection. I have no clue what is going on. The iexplore.exe (32-bit) is listed under Browsers at the Applications screen? Or is it listed under Office?
     
  7. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,347
    Location:
    Hollow Earth - Telos
    I have a Border on IE32, Chrome, and Dragon, but not on IE64 and Maxthon Browsers.
     
  8. guest

    guest Guest

    Yes, it uses quite a complex ROP chain. Currently I'm still improving the PoC code. I want to be absolutely sure that it's not an issue created by the combination Sandy Bridge - Win7, so I'll have some development left.
     
  9. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,347
    Location:
    Hollow Earth - Telos
    I turned off the Browser Border and everything else in V3 except for CryptoGuard.
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,004
    At the moment I am not in the testing HMP.A mode... have stepped into one of my other snaphots. So, many betas I am involved with. I hope you understand. :)
     
  11. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    @erikloman Will we be given the chance to disable the green border? It gets really annoying when you hover to the close, minimize buttons, while you accidentally touch to very top of the screen and it shows.

    Anyway, This current release is working flawlessly. Even the keystroke encryption problems i had are now gone since build 125. Well done.

    regards.
     
  12. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,011
    Location:
    Canada
    Browsers When I look under Running Applications it shows that iexplore.exe is protected, but no border or encryption showing. It does not show IE 32 bit is protected. And now IE is not shutting down properly.
     
    Last edited: Dec 21, 2014
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Interesting, make sure you test your PoC with HMPA on a physical non-VM machine with an Intel Core i3, i5 or i7 processor. Otherwise our control-flow integrity (CFI) module is crippled as it cannot program the processor; it then has to use stack data like EMET, which you (the attacker) control for the ROP chain. Anyway, happy hunting!
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,562
    Location:
    Among the gum trees
    Has that happened yet? Has everyone been updated to build 130?

    Thanks.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    YOu would know it.
     
  16. reldel

    reldel Registered Member

    Joined:
    Aug 14, 2007
    Posts:
    27
    Location:
    Felton, DE, USA
    Using build 129, immediately after installing, Windows 8.1, IE 11, 64bit, Enhanced Protective Mode, Microsoft Sculpt wireless mouse connected by USB will no longer allow me to scroll pages in IE11 using mouse wheel. Only way to scroll pages in IE 11 is to use the scroll bar on right side of web pages in browser. Needs to be addressed/fixed.
     
  17. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    You're the first reporting this. What other security software do you have installed?
    Have you tried unplugging it and plugging it in again?
     
  18. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Win 8.1 x64 | HMPAlert3 RC Build 129

    Firefox in Sandboxie is crashing when opening Printing Dialog. HMPAlert DEP warning. Outside Sandboxie all is ok.

    Warning Details
    Code:
    - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    - <System>
      <Provider Name="HitmanPro.Alert" />
      <EventID Qualifiers="0">911</EventID>
      <Level>2</Level>
      <Task>9</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-12-21T14:02:34.000000000Z" />
      <EventRecordID>455894</EventRecordID>
      <Channel>Application</Channel>
      <Computer>NBx230</Computer>
      <Security />
      </System>
    - <EventData>
      <Data>C:\Program Files (x86)\Mozilla Firefox\firefox.exe</Data>
      <Data>DEP</Data>
      <Data>Mitigation DEP Platform 6.3.9600/x64 06_3a PID 9212 Application C:\Program Files (x86)\Mozilla Firefox\firefox.exe Description Firefox 35 State = 1000, Type = 20000, Protect = 4</Data>
      </EventData>
      </Event>
     
  19. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.0.22 build 131 Release Candidate

    Changelog
    • Improved compatibility with third-party security software/hooking engines, incl. Malwarebytes Anti-Exploit.
    • Fixed issue regarding CryptoGuard detecting mass file change by Dropbox.
    Download


    @Krusty13: This version does not automatically downgrade.
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Try disabling Enhanced Protected Mode in IE11 to see if that helps.

    Note: Just to see if that is having an effect on the scrolling; I recommend keeping it enabled.
     
    Last edited: Dec 21, 2014
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,131
    Location:
    USA
    Just to be clear, if you click on the large Exploit Mitigation tile in the advanced interface and then click on Applications (not Running Applications) you will see a list of protected applications under different headings; Browsers on the left and Office on the far right. The category implies which template is being applied to the application executable. Hope this is of some help.
     
  22. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,011
    Location:
    Canada
    build 131,still not showing IE protection
     
  23. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,347
    Location:
    Hollow Earth - Telos
    I can finally relax after adding a MBAE Shield for HMPA V3
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Build 131 on all machines. All is good
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    In that case you should also add MBAE to Alert in case MBAE gets attacked ;)
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.