HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    No, default settings. Have just seen Peter2150 post above. Will try that to see if it makes any difference when I get time. Only had this problem since Bld 125 if that helps.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    An answer on this question would be nice. But anyway, I installed the latest HMPA, and have not tested it extensively yet. How can I get a license-key? I did test the AKLT (key-logging tool) against IE, and HMPA stopped them all. I also see the fly out when IE is running sandboxed. So for now, no conflicts with Sandboxie and SpyShelter.
     
  3. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Nothing to report from my system yet; IE11 is working fine here, with EIS installed (and being unaware of a special hotfix, so probably not installed).
     
  4. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi Tarnak
    The RC Builds do not update automatically.

    Take Care
    TheQuest :cool:
     
  5. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
Latest RC installed here and as far as I can see working with IE, Chrome, FF, Palemoon, Waterfox, Aviator, & Maxthon...but it is early days yet...;)

    Baldrick
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Erik,

    With default settings I am still getting ROP alert from Windows Media Player and now with build 137 I'm getting a ROP alert from Windows Live Mail. I never had any problem with WLM with earlier builds.

    Disabling Control-Flow Integrity allows both programs to open normally.

    Thanks,
    Krusty
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I haven't used HMPA for months, so certain things might already be mentioned, but here are a couple of things I noticed:

    - I do not get any fly-out with Opera 12 and Firefox 34 when sandboxed by Sandboxie. With IE there is no problem.
    - No ability to add apps to the protection list, Firefox is not picked up by HMPA.

    And why isn't it possible to install HMPA on the system, with an installer? I also noticed that there is no way to exit the GUI and quit all protection. Right now you must disable the service and you can even disable the drivers manually. There seems to be no self protection.

    I also wonder about "keystroke encryption", it does not seem to protect all apps, so why not make a list of apps that it can protect automatically, sort of like KeyScrambler? I know you need to add apps to exploit mitigations, but if you will use the free version that won't work.
     
  8. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Win 8.1. | HitmanPro Alert Build 137 | Firefox 36 Beta 1

    When trying to watch a youtube video Alert crashes Firefox (reports IAF)

    Code:
    Mitigation  IAF
    
    Platform  6.3.9600/x64 06_3a
    PID  4904
    Application  C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Description  Firefox 36
    
    Violation  1C0DA8A9 is calling MSAudDecMFT.dll IAT funcptr KernelBase.dll!GetProcAddress
    
    
    Branch Trace  Opcode  To  
    -------------------------------- -------- --------------------------------
    DllCanUnloadNow +0x51ce  0x1C0DA894 (anonymous; mozglue.dll)
    0x69C1284E MSAudDecMFT.dll  
    
    DllGetClassObject +0x10ae8  RET DllCanUnloadNow +0x51cb  
    0x69C2E5E8 MSAudDecMFT.dll  0x69C1284B MSAudDecMFT.dll  
    
    DllCanUnloadNow +0x4042  RET DllCanUnloadNow +0x4d45  
    0x69C116C2 MSAudDecMFT.dll  0x69C123C5 MSAudDecMFT.dll  
    
    GetModuleHandleExW +0x35  0x1C0DAC11 (anonymous; mozglue.dll)
    0x75AA0E75 KernelBase.dll  
    
    GetCPInfo +0x1c8  RET GetModuleHandleExW +0x2f  
    0x75AA0E38 KernelBase.dll  0x75AA0E6F KernelBase.dll  
    
    LdrAddRefDll +0x52  RET GetCPInfo +0x1a6  
    0x77E13FC2 ntdll.dll  0x75AA0E16 KernelBase.dll  
    
    RtlSizeHeap +0x14e  RET LdrAddRefDll +0x4b  
    0x77E050FE ntdll.dll  0x77E13FBB ntdll.dll  
    
    RtlCreateHeap +0xa29  RET RtlInitializeResource +0xc0  
    0x77E0D809 ntdll.dll  0x77E1AF60 ntdll.dll  
    
    RtlUnicodeStringToAnsiString +0x3cf  RET LdrAddRefDll +0x28  
    0x77E064BF ntdll.dll  0x77E13F98 ntdll.dll  
    
    LdrGetDllHandle +0x19  RET GetModuleHandleExW +0x55  
    0x77E10AB9 ntdll.dll  0x75AA0E95 KernelBase.dll  
    
    LdrGetDllHandleEx +0x273  RET LdrGetDllHandle +0x18  
    0x77E10D43 ntdll.dll  0x77E10AB8 ntdll.dll  
    
    RtlFreeHeap +0x2788  RET LdrGetDllHandleEx +0x273  
    0x77DF4978 ntdll.dll  0x77E10D43 ntdll.dll  
    
    Stack Trace
    #  Address  Module  Location
    -- -------- ------------------------ ----------------------------------------
    
    1  1C0DA8A9 (anonymous; mozglue.dll)
      898528eeffff  MOV  [EBP-0x11d8], EAX
      83bd28eeffff00  CMP  DWORD [EBP-0x11d8], 0x0
      7569  JNZ  0x1c0da921
      8b8618400f00  MOV  EAX, [ESI+0xf4018]
      ffd0  CALL  EAX
      898530eeffff  MOV  [EBP-0x11d0], EAX
      83bd30eeffff00  CMP  DWORD [EBP-0x11d0], 0x0
      7f0e  JG  0x1c0da8dd
      8b8530eeffff  MOV  EAX, [EBP-0x11d0]
      898550e6ffff  MOV  [EBP-0x19b0], EAX
      eb1b  JMP  0x1c0da8f8
    
    2  1C0D9BD1 (anonymous; mozglue.dll)
    3  1C0D4EA9 (anonymous; mozglue.dll)
    4  1C0D0791 (anonymous; mozglue.dll)
    5  69C1D511 MSAudDecMFT.dll  DllCanUnloadNow +0xfe91
    6  69C1D451 MSAudDecMFT.dll  DllCanUnloadNow +0xfdd1
    7  69C1D3BA MSAudDecMFT.dll  DllCanUnloadNow +0xfd3a
    8  756837F0 combase.dll  ObjectStublessClient24 +0x4b60
    9  756822C4 combase.dll  ObjectStublessClient24 +0x3634
    10 75683A4E combase.dll  ObjectStublessClient24 +0x4dbe
    
     
  9. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Tonight I inserted a video DVD, to get me a kick from Patricia Kaas... ;-)

    Windows media player 12 started, but Build 137 stopped me with an alert.
The same thing happened with an audio CD.

    I usually play everything with mediaplayer classic home-cinema, but this time I didn't.

    See picture:
    http://abload.de/img/hmpalert-alertskj30.jpg
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    If you disable Control-Flow Integrity for Windows Media Player it will work normally.
     
  11. guest

    guest Guest

    One little detail: CFI is the mitigation that will stop your average ROP attack. Otherwise you would have to fall back to things like Stack Exec and Application Lockdown.
     
  12. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    THX,
    that did the trick.

    But a standard software, like windows media player, should work without fine tuning.

    Erik, do you agree?
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    But if the program/s won't open or run what else can you do?
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Do you have the HMPA line in Sandboxie?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    I ran into a bit of a snaffle tonight. Kinda makes me still want an option to kill protection temporarily.

I was trying to run a bat file at elevated privilege, and HMPA alerted and stopped it. The mitigation was Application Lockdown, and the application was explorer.exe. I couldn't find anything in the app to stop it, so I ended up stopping the service. Event viewer log is attached.

    Pete

    *file removed
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    With Firefox running can you click Exploit Mitigation in the advanced interface, then running applications and add Firefox using the browser template?

What do you mean by using an installer? How would that be different than how it works now?
     
    Last edited: Jan 16, 2015
  17. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    hmpalert3b137.exe - Entry Point Not Found
    The procedure entry point RegDeleteKeyExW could not be located in the dynamic link library ADVAPI32.dll.

    Message when trying to install HMPA.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    It looks like I've now got the same ROP alert problem with Adobe Reader. :(

    I don't like having to disable mitigations to run these programs but for now I have no choice. :doubt:
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you post the ROP details?

We made a few minor changes in this build. Please bear with us to fine tune the triggers.

It isn't ROP, but IAF that is the culprit here. Try disabling IAF instead of ROP.
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
Doh, that is my bad. I broke XP. Will post a new build early next week. Meanwhile fall back to 131.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    IAF? Do you mean IAT?

    Here's the ROP details.


    Log Name: Application
    Source: HitmanPro.Alert
    Date: 17/01/2015 4:24:47 PM
    Event ID: 911
    Task Category: (9)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Dave-PC
    Description:
    Mitigation ROP

    Platform 6.1.7601/x64 06_25
    PID 5660
    Application C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
    Description Adobe Reader 11.0.10

    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    0x013B4B48 AcroRd32.exe RET ScriptApplyDigitSubstitution +0xb883
    0x74E04303 usp10.dll

    GetTextMetricsW +0x8b RET 0x013B4B44 AcroRd32.exe
    0x7507833D gdi32.dll

    RtlLeaveCriticalSection +0x36 RET GetTextMetricsW +0x85
    0x772A22B6 ntdll.dll 0x75078337 gdi32.dll

    GetTextAlign +0x9b RET GetTextMetricsW +0x74
    0x75078070 gdi32.dll 0x75078326 gdi32.dll

    memcpy +0x162 RET GetTextAlign +0x8c
    0x772A24A2 ntdll.dll 0x75078061 gdi32.dll

    IntersectClipRect +0x209 RET GetTextMetricsW +0x64
    0x75077FCD gdi32.dll 0x75078316 gdi32.dll

    RtlEnterCriticalSection +0x37 RET GetTextMetricsW +0x53
    0x772A22F7 ntdll.dll 0x75078305 gdi32.dll

    0x015C0D4D (anonymous; AcroRd32.exe) * RET 0x013B4AC0 AcroRd32.exe
    55 PUSH EBP
    8bec MOV EBP, ESP
    51 PUSH ECX
    56 PUSH ESI
    8b750c MOV ESI, [EBP+0xc]
    85f6 TEST ESI, ESI
    7470 JZ 0x13b4b3c
    833d701a500100 CMP DWORD [0x1501a70], 0x0
    7467 JZ 0x13b4b3c
    8d450c LEA EAX, [EBP+0xc]
    50 PUSH EAX
    8d4dfc LEA ECX, [EBP-0x4]
    51 PUSH ECX
    b9681a5001 MOV ECX, 0x1501a68
    89750c MOV [EBP+0xc], ESI
    e8e69a0700 CALL 0x142e5d0
    8b10 MOV EDX, [EAX]
    3b156c1a5001 CMP EDX, [0x1501a6c]
    0f95c0 SETNZ AL
    84c0 TEST AL, AL
    7443 JZ 0x13b4b3c
    e8f2f9ffff CALL 0x13b44f0
    8b10 MOV EDX, [EAX]


    ScriptApplyDigitSubstitution +0x1c23 RET ScriptStringAnalyse +0x198
    0x74DFA6A3 usp10.dll 0x74DF7928 usp10.dll

    RtlLeaveCriticalSection +0x36 RET ScriptApplyDigitSubstitution +0x1c1f
    0x772A22B6 ntdll.dll 0x74DFA69F usp10.dll

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------

    1 74E04486 usp10.dll ScriptApplyDigitSubstitution +0xba06
    a334c0e474 MOV [0x74e4c034], EAX
    85c0 TEST EAX, EAX
    750a JNZ 0x74e04499
    b82044e074 MOV EAX, 0x74e04420
    a334c0e474 MOV [0x74e4c034], EAX
    5d POP EBP
    ffe0 JMP EAX

    2 74E043D6 usp10.dll ScriptApplyDigitSubstitution +0xb956
    3 74DF794E usp10.dll ScriptStringAnalyse +0x1be
    4 76A65465 lpk.dll LpkTabbedTextOut +0xbc5
    5 76A65172 lpk.dll LpkTabbedTextOut +0x8d2
    6 76A61410 lpk.dll LpkDrawTextEx +0x40
    7 75B41898 user32.dll DrawTextExW +0x3fa
    8 75B4351F user32.dll CalcMenuBar +0x16e
    9 75B41946 user32.dll DrawTextExW +0x4a8
    10 75B40E7B user32.dll SetRect +0x60

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-17T05:24:47.000000000Z" />
    <EventRecordID>9994</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Dave-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe</Data>
    <Data>ROP</Data>
    <Data>Mitigation ROP

    Platform 6.1.7601/x64 06_25
    PID 5660
    Application C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
    Description Adobe Reader 11.0.10

    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    0x013B4B48 AcroRd32.exe RET ScriptApplyDigitSubstitution +0xb883
    0x74E04303 usp10.dll

    GetTextMetricsW +0x8b RET 0x013B4B44 AcroRd32.exe
    0x7507833D gdi32.dll

    RtlLeaveCriticalSection +0x36 RET GetTextMetricsW +0x85
    0x772A22B6 ntdll.dll 0x75078337 gdi32.dll

    GetTextAlign +0x9b RET GetTextMetricsW +0x74
    0x75078070 gdi32.dll 0x75078326 gdi32.dll

    memcpy +0x162 RET GetTextAlign +0x8c
    0x772A24A2 ntdll.dll 0x75078061 gdi32.dll

    IntersectClipRect +0x209 RET GetTextMetricsW +0x64
    0x75077FCD gdi32.dll 0x75078316 gdi32.dll

    RtlEnterCriticalSection +0x37 RET GetTextMetricsW +0x53
    0x772A22F7 ntdll.dll 0x75078305 gdi32.dll

    0x015C0D4D (anonymous; AcroRd32.exe) * RET 0x013B4AC0 AcroRd32.exe
    55 PUSH EBP
    8bec MOV EBP, ESP
    51 PUSH ECX
    56 PUSH ESI
    8b750c MOV ESI, [EBP+0xc]
    85f6 TEST ESI, ESI
    7470 JZ 0x13b4b3c
    833d701a500100 CMP DWORD [0x1501a70], 0x0
    7467 JZ 0x13b4b3c
    8d450c LEA EAX, [EBP+0xc]
    50 PUSH EAX
    8d4dfc LEA ECX, [EBP-0x4]
    51 PUSH ECX
    b9681a5001 MOV ECX, 0x1501a68
    89750c MOV [EBP+0xc], ESI
    e8e69a0700 CALL 0x142e5d0
    8b10 MOV EDX, [EAX]
    3b156c1a5001 CMP EDX, [0x1501a6c]
    0f95c0 SETNZ AL
    84c0 TEST AL, AL
    7443 JZ 0x13b4b3c
    e8f2f9ffff CALL 0x13b44f0
    8b10 MOV EDX, [EAX]


    ScriptApplyDigitSubstitution +0x1c23 RET ScriptStringAnalyse +0x198
    0x74DFA6A3 usp10.dll 0x74DF7928 usp10.dll

    RtlLeaveCriticalSection +0x36 RET ScriptApplyDigitSubstitution +0x1c1f
    0x772A22B6 ntdll.dll 0x74DFA69F usp10.dll

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------

    1 74E04486 usp10.dll ScriptApplyDigitSubstitution +0xba06
    a334c0e474 MOV [0x74e4c034], EAX
    85c0 TEST EAX, EAX
    750a JNZ 0x74e04499
    b82044e074 MOV EAX, 0x74e04420
    a334c0e474 MOV [0x74e4c034], EAX
    5d POP EBP
    ffe0 JMP EAX

    2 74E043D6 usp10.dll ScriptApplyDigitSubstitution +0xb956
    3 74DF794E usp10.dll ScriptStringAnalyse +0x1be
    4 76A65465 lpk.dll LpkTabbedTextOut +0xbc5
    5 76A65172 lpk.dll LpkTabbedTextOut +0x8d2
    6 76A61410 lpk.dll LpkDrawTextEx +0x40
    7 75B41898 user32.dll DrawTextExW +0x3fa
    8 75B4351F user32.dll CalcMenuBar +0x16e
    9 75B41946 user32.dll DrawTextExW +0x4a8
    10 75B40E7B user32.dll SetRect +0x60
    </Data>
    </EventData>
    </Event>

    Does that help?
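Alert logs like the one above are easier to compare once the description text is broken into fields, since the advice in this thread hinges on the Mitigation line (an IAF alert needs IAT Filtering tuned, not ROP) and on which modules appear in the branch trace. The parser below is an added example, not code from this thread or from HitmanPro.Alert: it reads the Event ID 911 description text into fields, pulls module names out of the branch and stack traces, and counts alerts per program and mitigation so repeated hits on one application stand out. The two sample alerts are constructed from the ones posted in this thread, abbreviated; the assumption that the description runs from the "Mitigation" line to the "Event Xml:" line, and the field names, are taken from those posts.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Header fields HitmanPro.Alert writes at the top of an Event ID 911 description
# (assumed from the alerts posted in this thread).
HEADER_KEYS = ("Mitigation", "Platform", "PID", "Application", "Description", "Violation")
# Module names as they appear in the branch/stack trace columns.
MODULE_RE = re.compile(r"\b([\w.-]+\.(?:dll|exe))\b", re.IGNORECASE)


@dataclass
class Alert:
    mitigation: str
    platform: str
    pid: int
    application: str
    description: str
    violation: Optional[str]
    branch_modules: List[str] = field(default_factory=list)
    stack_modules: List[str] = field(default_factory=list)


def parse_alert(text: str) -> Alert:
    """Parse one alert description (text from 'Mitigation' up to 'Event Xml:')."""
    header: Dict[str, str] = {}
    branch: List[str] = []
    stack: List[str] = []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Event Xml"):      # the XML export repeats the same text
            break
        if line.startswith("Branch Trace"):
            section = "branch"
            continue
        if line.startswith("Stack Trace"):
            section = "stack"
            continue
        if section == "header":
            key, _, value = line.partition(" ")
            if key in HEADER_KEYS:
                header[key] = value.strip()
        else:
            mods = [m.lower() for m in MODULE_RE.findall(line)]
            (branch if section == "branch" else stack).extend(mods)
    return Alert(
        mitigation=header.get("Mitigation", "?"),
        platform=header.get("Platform", "?"),
        pid=int(header.get("PID", "0")),
        application=header.get("Application", "?"),
        description=header.get("Description", "?"),
        violation=header.get("Violation"),
        branch_modules=list(dict.fromkeys(branch)),   # de-duplicate, keep order
        stack_modules=list(dict.fromkeys(stack)),
    )


def summary_line(alert: Alert) -> str:
    """One line suitable for a bug report: mitigation, program, PID, modules hit."""
    prog = ntpath.basename(alert.application)
    mods = ", ".join(alert.branch_modules) or "(none)"
    return f"{alert.mitigation} in {prog} (PID {alert.pid}): branch trace through {mods}"


def triage(alerts: List[Alert]) -> Counter:
    """Count alerts per (program, mitigation); repeated pairs are tuning candidates."""
    return Counter((ntpath.basename(a.application), a.mitigation) for a in alerts)


# Constructed samples, abbreviated from the alerts posted in this thread.
ROP_SAMPLE = r"""Mitigation ROP

Platform 6.1.7601/x64 06_25
PID 5660
Application C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
Description Adobe Reader 11.0.10

Branch Trace Opcode To
-------------------------------- -------- --------------------------------
0x013B4B48 AcroRd32.exe RET ScriptApplyDigitSubstitution +0xb883
0x74E04303 usp10.dll

GetTextMetricsW +0x8b RET 0x013B4B44 AcroRd32.exe
0x7507833D gdi32.dll

Stack Trace
# Address Module Location
-- -------- ------------------------ ----------------------------------------

1 74E04486 usp10.dll ScriptApplyDigitSubstitution +0xba06
2 74E043D6 usp10.dll ScriptApplyDigitSubstitution +0xb956
"""

IAF_SAMPLE = r"""Mitigation  IAF

Platform  6.3.9600/x64 06_3a
PID  4904
Application  C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Description  Firefox 36

Violation  1C0DA8A9 is calling MSAudDecMFT.dll IAT funcptr KernelBase.dll!GetProcAddress

Branch Trace  Opcode  To
-------------------------------- -------- --------------------------------
DllCanUnloadNow +0x51ce  0x1C0DA894 (anonymous; mozglue.dll)
0x69C1284E MSAudDecMFT.dll

Stack Trace
#  Address  Module  Location
-- -------- ------------------------ ----------------------------------------

1  1C0DA8A9 (anonymous; mozglue.dll)
5  69C1D511 MSAudDecMFT.dll  DllCanUnloadNow +0xfe91
"""

if __name__ == "__main__":
    parsed = [parse_alert(ROP_SAMPLE), parse_alert(IAF_SAMPLE)]
    for a in parsed:
        print(summary_line(a))
    print(triage(parsed))
```

Feed it the Description text copied from Event Viewer (Source HitmanPro.Alert, Event ID 911); the Event Xml block at the end is skipped because it only repeats the description. The per-program counts show which single mitigation (ROP, IAF, CFI) keeps firing for a given application, which is the detail the developer asks for above and a better basis for a targeted, temporary per-application change than switching a mitigation off globally.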
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Please add the required line to Sandboxie. It is mentioned here in this thread.

    Switch into Advanced Interface via the gear icon next to minimize button. Click on blue tile, choose Running Applications.

Alert has its own installer embedded inside the executable. What's wrong with the installer?

    That is a feature after 3.0 gets final.

    Correct. That is how it is meant to work. May change in the future.
     
    Last edited: Jan 17, 2015
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes that helps.

    I did mean IAT Filtering. If you disable that, does it solve the above ROP? Keep ROP enabled.
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
Yes, Adobe Reader and Windows Live Mail opened with IAT Filtering disabled and ROP enabled, but Windows Media Player caused a ROP alert.

    Thanks.
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This is an IAF alert. So disable IAT Filtering until we get this solved.
     