HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    No, default settings. Have just seen Peter2150 post above. Will try that to see if it makes any difference when I get time. Only had this problem since Bld 125 if that helps.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,085
    Location:
    The Netherlands
    An answer on this question would be nice. But anyway, I installed the latest HMPA, and have not tested it extensively yet. How can I get a license-key? I did test the AKLT (key-logging tool) against IE, and HMPA stopped them all. I also see the fly out when IE is running sandboxed. So for now, no conflicts with Sandboxie and SpyShelter.
     
  3. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,031
    Nothing to report from my system yet; IE11 is working fine here, with EIS installed (and being unaware of a special hotfix, so probably not installed).
     
  4. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi Tarnak
    The RC Builds do not update automatically.

    Take Care
    TheQuest :cool:
     
  5. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,579
    Location:
    South Wales, UK
    Latest RC installed here and as far as I can see working with with IE, Chrome, FF, Palemoon, Waterfox, Aviator, & Maxthon...but it is early days yet...;)

    Baldrick
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,801
    Location:
    Among the gum trees
    Erik,

    With default settings I am still getting ROP alert from Windows Media Player and now with build 137 I'm getting a ROP alert from Windows Live Mail. I never had any problem with WLM with earlier builds.

    Disabling Control-Flow Integrity allows both programs to open normally.

    Thanks,
    Krusty
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,085
    Location:
    The Netherlands
    I haven't used HMPA for months, so certain things might already be mentioned, but here are a couple of things I noticed:

    - I do not get any fly-out with Opera 12 and Firefox 34 when sandboxed by Sandboxie. With IE there is no problem.
    - No ability to add apps to the protection list, Firefox is not picked up by HMPA.

    And why isn't it possible to install HMPA on the system, with an installer? I also noticed that there is no way to exit the GUI and quit all protection. Right now you must disable the service and you can even disable the drivers manually. There seems to be no self protection.

    I also wonder about "keystroke encryption", it does not seem to protect all apps, so why not make a list of apps that it can protect automatically, sort of like KeyScrambler? I know you need to add apps to exploit mitigations, but if you will use the free version that won't work.
     
  8. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Win 8.1. | HitmanPro Alert Build 137 | Firefox 36 Beta 1

    When trying to watch a youtube video Alert crashes Firefox (reports IAF)

    Code:
    Mitigation  IAF
    
    Platform  6.3.9600/x64 06_3a
    PID  4904
    Application  C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Description  Firefox 36
    
    Violation  1C0DA8A9 is calling MSAudDecMFT.dll IAT funcptr KernelBase.dll!GetProcAddress
    
    
    Branch Trace  Opcode  To  
    -------------------------------- -------- --------------------------------
    DllCanUnloadNow +0x51ce  0x1C0DA894 (anonymous; mozglue.dll)
    0x69C1284E MSAudDecMFT.dll  
    
    DllGetClassObject +0x10ae8  RET DllCanUnloadNow +0x51cb  
    0x69C2E5E8 MSAudDecMFT.dll  0x69C1284B MSAudDecMFT.dll  
    
    DllCanUnloadNow +0x4042  RET DllCanUnloadNow +0x4d45  
    0x69C116C2 MSAudDecMFT.dll  0x69C123C5 MSAudDecMFT.dll  
    
    GetModuleHandleExW +0x35  0x1C0DAC11 (anonymous; mozglue.dll)
    0x75AA0E75 KernelBase.dll  
    
    GetCPInfo +0x1c8  RET GetModuleHandleExW +0x2f  
    0x75AA0E38 KernelBase.dll  0x75AA0E6F KernelBase.dll  
    
    LdrAddRefDll +0x52  RET GetCPInfo +0x1a6  
    0x77E13FC2 ntdll.dll  0x75AA0E16 KernelBase.dll  
    
    RtlSizeHeap +0x14e  RET LdrAddRefDll +0x4b  
    0x77E050FE ntdll.dll  0x77E13FBB ntdll.dll  
    
    RtlCreateHeap +0xa29  RET RtlInitializeResource +0xc0  
    0x77E0D809 ntdll.dll  0x77E1AF60 ntdll.dll  
    
    RtlUnicodeStringToAnsiString +0x3cf  RET LdrAddRefDll +0x28  
    0x77E064BF ntdll.dll  0x77E13F98 ntdll.dll  
    
    LdrGetDllHandle +0x19  RET GetModuleHandleExW +0x55  
    0x77E10AB9 ntdll.dll  0x75AA0E95 KernelBase.dll  
    
    LdrGetDllHandleEx +0x273  RET LdrGetDllHandle +0x18  
    0x77E10D43 ntdll.dll  0x77E10AB8 ntdll.dll  
    
    RtlFreeHeap +0x2788  RET LdrGetDllHandleEx +0x273  
    0x77DF4978 ntdll.dll  0x77E10D43 ntdll.dll  
    
    Stack Trace
    #  Address  Module  Location
    -- -------- ------------------------ ----------------------------------------
    
    1  1C0DA8A9 (anonymous; mozglue.dll)
      898528eeffff  MOV  [EBP-0x11d8], EAX
      83bd28eeffff00  CMP  DWORD [EBP-0x11d8], 0x0
      7569  JNZ  0x1c0da921
      8b8618400f00  MOV  EAX, [ESI+0xf4018]
      ffd0  CALL  EAX
      898530eeffff  MOV  [EBP-0x11d0], EAX
      83bd30eeffff00  CMP  DWORD [EBP-0x11d0], 0x0
      7f0e  JG  0x1c0da8dd
      8b8530eeffff  MOV  EAX, [EBP-0x11d0]
      898550e6ffff  MOV  [EBP-0x19b0], EAX
      eb1b  JMP  0x1c0da8f8
    
    2  1C0D9BD1 (anonymous; mozglue.dll)
    3  1C0D4EA9 (anonymous; mozglue.dll)
    4  1C0D0791 (anonymous; mozglue.dll)
    5  69C1D511 MSAudDecMFT.dll  DllCanUnloadNow +0xfe91
    6  69C1D451 MSAudDecMFT.dll  DllCanUnloadNow +0xfdd1
    7  69C1D3BA MSAudDecMFT.dll  DllCanUnloadNow +0xfd3a
    8  756837F0 combase.dll  ObjectStublessClient24 +0x4b60
    9  756822C4 combase.dll  ObjectStublessClient24 +0x3634
    10 75683A4E combase.dll  ObjectStublessClient24 +0x4dbe
    
     
  9. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,015
    Location:
    Baden Germany
    Tonight I inserted a video DVD, to get me a kick from Patricia Kaas... ;-)

    Windows media player 12 started, but Build 137 stopped me with an alert.
    The same thing happend with an audio CD.

    I usually play everything with mediaplayer classic home-cinema, but this time I didn't.

    See picture:
    http://abload.de/img/hmpalert-alertskj30.jpg
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,801
    Location:
    Among the gum trees
    If you disable Control-Flow Integrity for Windows Media Player it will work normally.
     
  11. guest

    guest Guest

    One little detail: CFI is the mitigation that will stop your average ROP attack. Otherwise you would have to fall back to things like Stack Exec and Application Lockdown.
     
  12. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,015
    Location:
    Baden Germany
    THX,
    that did the trick.

    But a standard software, like windows media player, should work without fine tuning.

    Erik, do you agree?
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,801
    Location:
    Among the gum trees
    But if the program/s won't open or run what else can you do?
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Do you have the HMPA line in Sandboxie
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    I ran into a bit of a snaffle tonight. Kinda makes me still want an option to kill protection temporarily.

    I was trying to run a bat file at elevation privilege, and HMPA alerted and stopped it The mitigation was application lock down, and the applicaton was explorer.exe I couldn't find anything in the app to stop it, so I ended up stopping the service. Event viewer log is attached.

    Pete

    *file removed
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,081
    Location:
    USA
    With Firefox running can you click Exploit Mitigation in the advanced interface, then running applications and add Firefox using the browser template?

    What do you mean by using an installer? How would that be different then how it works now?
     
    Last edited: Jan 16, 2015
  17. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,239
    hmpalert3b137.exe - Entry Point Not Found
    The procedure entry point RegDeleteKeyExW could not be located in the dynamic link library ADVAPI32.dll.

    Message when trying to install HMPA.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,801
    Location:
    Among the gum trees
    It looks like I've now got the same ROP alert problem with Adobe Reader. :(

    I don't like having to disable mitigations to run these programs but for now I have no choice. :doubt:
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you post the ROP details?

    We made af few minor changes in build. Please bear with us to fine tune the triggers.

    It isnt ROP, but IAF that is the culprit here. Try disabling IAF instead of ROP.
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Doh that is my bad. I broke XP. Will post a new build early next week. Meanwhile fallback to 131.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,801
    Location:
    Among the gum trees
    IAF? Do you mean IAT?

    Here's the ROP details.


    Log Name: Application
    Source: HitmanPro.Alert
    Date: 17/01/2015 4:24:47 PM
    Event ID: 911
    Task Category: (9)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Dave-PC
    Description:
    Mitigation ROP

    Platform 6.1.7601/x64 06_25
    PID 5660
    Application C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
    Description Adobe Reader 11.0.10

    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    0x013B4B48 AcroRd32.exe RET ScriptApplyDigitSubstitution +0xb883
    0x74E04303 usp10.dll

    GetTextMetricsW +0x8b RET 0x013B4B44 AcroRd32.exe
    0x7507833D gdi32.dll

    RtlLeaveCriticalSection +0x36 RET GetTextMetricsW +0x85
    0x772A22B6 ntdll.dll 0x75078337 gdi32.dll

    GetTextAlign +0x9b RET GetTextMetricsW +0x74
    0x75078070 gdi32.dll 0x75078326 gdi32.dll

    memcpy +0x162 RET GetTextAlign +0x8c
    0x772A24A2 ntdll.dll 0x75078061 gdi32.dll

    IntersectClipRect +0x209 RET GetTextMetricsW +0x64
    0x75077FCD gdi32.dll 0x75078316 gdi32.dll

    RtlEnterCriticalSection +0x37 RET GetTextMetricsW +0x53
    0x772A22F7 ntdll.dll 0x75078305 gdi32.dll

    0x015C0D4D (anonymous; AcroRd32.exe) * RET 0x013B4AC0 AcroRd32.exe
    55 PUSH EBP
    8bec MOV EBP, ESP
    51 PUSH ECX
    56 PUSH ESI
    8b750c MOV ESI, [EBP+0xc]
    85f6 TEST ESI, ESI
    7470 JZ 0x13b4b3c
    833d701a500100 CMP DWORD [0x1501a70], 0x0
    7467 JZ 0x13b4b3c
    8d450c LEA EAX, [EBP+0xc]
    50 PUSH EAX
    8d4dfc LEA ECX, [EBP-0x4]
    51 PUSH ECX
    b9681a5001 MOV ECX, 0x1501a68
    89750c MOV [EBP+0xc], ESI
    e8e69a0700 CALL 0x142e5d0
    8b10 MOV EDX, [EAX]
    3b156c1a5001 CMP EDX, [0x1501a6c]
    0f95c0 SETNZ AL
    84c0 TEST AL, AL
    7443 JZ 0x13b4b3c
    e8f2f9ffff CALL 0x13b44f0
    8b10 MOV EDX, [EAX]


    ScriptApplyDigitSubstitution +0x1c23 RET ScriptStringAnalyse +0x198
    0x74DFA6A3 usp10.dll 0x74DF7928 usp10.dll

    RtlLeaveCriticalSection +0x36 RET ScriptApplyDigitSubstitution +0x1c1f
    0x772A22B6 ntdll.dll 0x74DFA69F usp10.dll

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------

    1 74E04486 usp10.dll ScriptApplyDigitSubstitution +0xba06
    a334c0e474 MOV [0x74e4c034], EAX
    85c0 TEST EAX, EAX
    750a JNZ 0x74e04499
    b82044e074 MOV EAX, 0x74e04420
    a334c0e474 MOV [0x74e4c034], EAX
    5d POP EBP
    ffe0 JMP EAX

    2 74E043D6 usp10.dll ScriptApplyDigitSubstitution +0xb956
    3 74DF794E usp10.dll ScriptStringAnalyse +0x1be
    4 76A65465 lpk.dll LpkTabbedTextOut +0xbc5
    5 76A65172 lpk.dll LpkTabbedTextOut +0x8d2
    6 76A61410 lpk.dll LpkDrawTextEx +0x40
    7 75B41898 user32.dll DrawTextExW +0x3fa
    8 75B4351F user32.dll CalcMenuBar +0x16e
    9 75B41946 user32.dll DrawTextExW +0x4a8
    10 75B40E7B user32.dll SetRect +0x60

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-17T05:24:47.000000000Z" />
    <EventRecordID>9994</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Dave-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe</Data>
    <Data>ROP</Data>
    <Data>Mitigation ROP

    Platform 6.1.7601/x64 06_25
    PID 5660
    Application C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
    Description Adobe Reader 11.0.10

    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    0x013B4B48 AcroRd32.exe RET ScriptApplyDigitSubstitution +0xb883
    0x74E04303 usp10.dll

    GetTextMetricsW +0x8b RET 0x013B4B44 AcroRd32.exe
    0x7507833D gdi32.dll

    RtlLeaveCriticalSection +0x36 RET GetTextMetricsW +0x85
    0x772A22B6 ntdll.dll 0x75078337 gdi32.dll

    GetTextAlign +0x9b RET GetTextMetricsW +0x74
    0x75078070 gdi32.dll 0x75078326 gdi32.dll

    memcpy +0x162 RET GetTextAlign +0x8c
    0x772A24A2 ntdll.dll 0x75078061 gdi32.dll

    IntersectClipRect +0x209 RET GetTextMetricsW +0x64
    0x75077FCD gdi32.dll 0x75078316 gdi32.dll

    RtlEnterCriticalSection +0x37 RET GetTextMetricsW +0x53
    0x772A22F7 ntdll.dll 0x75078305 gdi32.dll

    0x015C0D4D (anonymous; AcroRd32.exe) * RET 0x013B4AC0 AcroRd32.exe
    55 PUSH EBP
    8bec MOV EBP, ESP
    51 PUSH ECX
    56 PUSH ESI
    8b750c MOV ESI, [EBP+0xc]
    85f6 TEST ESI, ESI
    7470 JZ 0x13b4b3c
    833d701a500100 CMP DWORD [0x1501a70], 0x0
    7467 JZ 0x13b4b3c
    8d450c LEA EAX, [EBP+0xc]
    50 PUSH EAX
    8d4dfc LEA ECX, [EBP-0x4]
    51 PUSH ECX
    b9681a5001 MOV ECX, 0x1501a68
    89750c MOV [EBP+0xc], ESI
    e8e69a0700 CALL 0x142e5d0
    8b10 MOV EDX, [EAX]
    3b156c1a5001 CMP EDX, [0x1501a6c]
    0f95c0 SETNZ AL
    84c0 TEST AL, AL
    7443 JZ 0x13b4b3c
    e8f2f9ffff CALL 0x13b44f0
    8b10 MOV EDX, [EAX]


    ScriptApplyDigitSubstitution +0x1c23 RET ScriptStringAnalyse +0x198
    0x74DFA6A3 usp10.dll 0x74DF7928 usp10.dll

    RtlLeaveCriticalSection +0x36 RET ScriptApplyDigitSubstitution +0x1c1f
    0x772A22B6 ntdll.dll 0x74DFA69F usp10.dll

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------

    1 74E04486 usp10.dll ScriptApplyDigitSubstitution +0xba06
    a334c0e474 MOV [0x74e4c034], EAX
    85c0 TEST EAX, EAX
    750a JNZ 0x74e04499
    b82044e074 MOV EAX, 0x74e04420
    a334c0e474 MOV [0x74e4c034], EAX
    5d POP EBP
    ffe0 JMP EAX

    2 74E043D6 usp10.dll ScriptApplyDigitSubstitution +0xb956
    3 74DF794E usp10.dll ScriptStringAnalyse +0x1be
    4 76A65465 lpk.dll LpkTabbedTextOut +0xbc5
    5 76A65172 lpk.dll LpkTabbedTextOut +0x8d2
    6 76A61410 lpk.dll LpkDrawTextEx +0x40
    7 75B41898 user32.dll DrawTextExW +0x3fa
    8 75B4351F user32.dll CalcMenuBar +0x16e
    9 75B41946 user32.dll DrawTextExW +0x4a8
    10 75B40E7B user32.dll SetRect +0x60
    </Data>
    </EventData>
    </Event>

    Does that help?
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Please add the required line to Sandboxie. It is mentioned here in this thread.

    Switch into Advanced Interface via the gear icon next to minimize button. Click on blue tile, choose Running Applications.

    Alert has its own installer embedded inside the executable. Whats wrong with the installer?

    That is a feature after 3.0 gets final.

    Correct. That is how it is meant to work. May change in the future.
     
    Last edited: Jan 17, 2015
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes that helps.

    I did mean IAT Filtering. If you disable that, does it solve the above ROP? Keep ROP enabled.
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,801
    Location:
    Among the gum trees
    Yes, Adobe Reader and Windows Live Mail with IAT Filtering disabled ROP enabled opened, but Windows Media Player caused a ROP alert.

    Thanks.
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This is an IAF alert. So disable IAT Filtering until we get this solved.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.