HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,709
    Location:
    .
    3.1 Build 334 ~ GUI access to alert logs in Windows Event Viewer :)
     
  2. MD5

    MD5 Registered Member

    Joined:
    Nov 6, 2015
    Posts:
    10
    Updated to build 334

    - Now IE11 loading and start is OK
    - Still persist the following problem after launching Chrome 64 bit

    Code:
    Mitigation   ROP
    
    Platform     6.1.7601/x64 06_5e
    PID          5364
    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description  Google Chrome 46
    
    Callee Type  LoadLibrary
    
    Branch Trace                              Opcode  To                                    
    ---------------------------------------- -------- ----------------------------------------
    BaseGetProcessDllPath +0x5c                  RET  TlsGetValue                           
    0x000007FEFDAFE77C KernelBase.dll                 0x000007FEFDB13788 KernelBase.dll     
    
    GetWindowsDirectoryW +0x1af                  RET  BaseGetProcessDllPath +0x4d           
    0x000007FEFDAFAEAF KernelBase.dll                 0x000007FEFDAFE76D KernelBase.dll     
    
    wcsncmp +0x32                                RET  GetWindowsDirectoryW +0x181           
    0x0000000077A463EA ntdll.dll                      0x000007FEFDAFAE81 KernelBase.dll     
    
    InitializeCriticalSectionEx +0xa1            RET  BaseGetProcessDllPath +0x22           
    0x000007FEFDAFDFD1 KernelBase.dll                 0x000007FEFDAFE742 KernelBase.dll     
    
    CreatePipe                                   RET  DeleteProcThreadAttributeList +0x67   
    0x000007FEFDB02450 KernelBase.dll                 0x000007FEFDB02CD7 KernelBase.dll     
    
    wcsrchr +0x2b                                RET  CreatePipe                            
    0x0000000077A46433 ntdll.dll                      0x000007FEFDB0243E KernelBase.dll     
    
    wcschr +0x1c                                 RET  CreatePipe                            
    0x0000000077A46458 ntdll.dll                      0x000007FEFDB0241F KernelBase.dll     
    
    RtlInitUnicodeStringEx +0x55                 RET  LoadLibraryExW +0x45                  
    0x0000000077A714F5 ntdll.dll                      0x000007FEFDAFAF05 KernelBase.dll     
    
    RtlAnsiStringToUnicodeString +0xcb           RET  LoadLibraryExA +0x39                  
    0x0000000077A70E2B ntdll.dll                      0x000007FEFDAFCA69 KernelBase.dll     
    
    RtlMultiByteToUnicodeN +0x74                 RET  RtlAnsiStringToUnicodeString +0x8d    
    0x0000000077A70CC4 ntdll.dll                      0x0000000077A70DED ntdll.dll          
    
    RtlAllocateHeap +0x149                       RET  RtlFreeAnsiString +0x1a3              
    0x0000000077A6FA19 ntdll.dll                      0x0000000077A718F3 ntdll.dll          
    
    RtlAnsiStringToUnicodeString                 RET  RtlAllocateHeap +0xe8                 
    0x0000000077A7120E ntdll.dll                      0x0000000077A6F9B8 ntdll.dll          
    
    RtlInitAnsiStringEx +0x4f                    RET  LoadLibraryExA +0x1e                  
    0x0000000077A7195F ntdll.dll                      0x000007FEFDAFCA4E KernelBase.dll     
    
    0x000007FEFD7C1078 profapi.dll               RET  0x000007FEFD7C2F22 profapi.dll        
    
    RtlAllocateHeap +0x149                       RET  0x000007FEFD7C1059 profapi.dll        
    0x0000000077A6FA19 ntdll.dll                                                            
    
    memset +0x69                                 RET  RtlUnicodeToMultiByteN +0x15e         
    0x0000000077A6F5E9 ntdll.dll                      0x0000000077A71ACE ntdll.dll          
    
    RtlAnsiStringToUnicodeString                 RET  RtlAllocateHeap +0xe8                 
    0x0000000077A7120E ntdll.dll                      0x0000000077A6F9B8 ntdll.dll          
    
    GetProcessHeap +0x11                         RET  0x000007FEFD7C104A profapi.dll        
    0x000007FEFDAF18A1 KernelBase.dll                                                       
    
    ImpersonateLoggedOnUser +0x109               RET  0x000007FEFD7C21F0 profapi.dll        
    0x000007FEFDB042C9 KernelBase.dll                                                       
    
    IsSandboxedProcess                           RET  ImpersonateLoggedOnUser +0xdb         
    0x000000013FB7207E chrome.exe                     0x000007FEFDB0429B KernelBase.dll     
    
    IsSandboxedProcess                           RET  IsSandboxedProcess                    
    0x000000013FB748A7 chrome.exe                     0x000000013FB7207A chrome.exe         
    
    IsSandboxedProcess                           RET  IsSandboxedProcess                    
    0x000000013FB5F89E chrome.exe                     0x000000013FB74877 chrome.exe         
    
    0x000000013FB242E4 chrome.exe                RET  IsSandboxedProcess                    
                                                      0x000000013FB7486F chrome.exe         
    
    IsSandboxedProcess                           RET  IsSandboxedProcess                    
    0x000000013FB5F78A chrome.exe                     0x000000013FB74865 chrome.exe         
    
    NtSetInformationThread +0xf                  RET* IsSandboxedProcess                    
    0x0000000077A6DA8F ntdll.dll                      0x000000013FB7205C chrome.exe         
                        4883ec38                 SUB          RSP, 0x38
                        44894c2420               MOV          [RSP+0x20], R9D
                        4d8bc8                   MOV          R9, R8
                        448bc2                   MOV          R8D, EDX
                        488bd1                   MOV          RDX, RCX
                        488b0dbb670400           MOV          RCX, [RIP+0x467bb]
                        e8c6270000               CALL         0x13fb74840
                        4883c438                 ADD          RSP, 0x38
                        c3                       RET       
                                             (  96F1760EB14B97)
    
    
    NtQueryInformationToken +0xa                 RET  ImpersonateLoggedOnUser +0x27         
    0x0000000077A6DBCA ntdll.dll                      0x000007FEFDB041E7 KernelBase.dll     
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  000007FEFDAFB026 KernelBase.dll           LoadLibraryExW +0x166
    2  000007FEFDAFCA81 KernelBase.dll           LoadLibraryExA +0x51
    
    3  000007FEFD7C3795 profapi.dll           
                        488bd8                   MOV          RBX, RAX
                        4885c0                   TEST         RAX, RAX
                        0f84ad1b0000             JZ           0x7fefd7c534e
                        33c0                     XOR          EAX, EAX
                        f0480fb15d00             LOCK CMPXCHG [RBP+0x0], RBX
                        488be8                   MOV          RBP, RAX
                        0f858c1b0000             JNZ          0x7fefd7c533e
                        458d4641                 LEA          R8D, [R14+0x41]
                        488d4c2428               LEA          RCX, [RSP+0x28]
                        33d2                     XOR          EDX, EDX
                        e836ffffff               CALL         0x7fefd7c36f8
                        488b054f520000           MOV          RAX, [RIP+0x524f]
                        c744242048000000         MOV          DWORD [RSP+0x20], 0x48
    
    4  000007FEFD7C3927 profapi.dll           
    5  000007FEFD7C2F3E profapi.dll           
    6  000007FEFD7C2221 profapi.dll           
    7  000007FEFD7C1F1F profapi.dll           
    8  000007FEFD7C2D39 profapi.dll           
    9  000007FEFDAC10E9 userenv.dll              ExpandEnvironmentStringsForUserW +0x9
    10 000007FEFE1B2A00 shlwapi.dll              SHDeleteKeyW +0xf8
    
    Code Injection
    0000000000060000-0000000000061000    4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [4640]
    0000000000073000-0000000000074000    4KB
    0000000077A6D000-0000000077A6E000    4KB
    0000000077A6E000-0000000077A6F000    4KB
    000000013FBB8000-000000013FBB9000    4KB
    000000013FBB6000-000000013FBB7000    4KB
    1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [4640]
    2  C:\Windows\explorer.exe [4428]
    3  C:\Windows\System32\userinit.exe [4376]
    
    Process Trace
    1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [5364]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --channel="4640.0.2078622114\1099353096" --supports-dual-gpus=false --gpu-driver-bug-workarounds=2,12,20,45,55 --gpu-vendor-id=0x10de --gpu-device-id=0x13c2 --gpu-driver-vendo
    2  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [4640]
    3  C:\Windows\explorer.exe [4428]
    4  C:\Windows\System32\userinit.exe [4376]
    
     
  3. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    561
    Location:
    Hengelo
    Apart from the ROP, I see you are running a 32-bit Chrome on a 64-bit Operating System. To enhance the security of Chrome on your OS, you might want to uninstall Chrome and install the 64-bit version. Follow these steps:
    1. Uninstall Chrome
    2. Open this web page: https://www.google.com/intl/en/chrome/browser/desktop/
    3. Do *not* click on the Download Chrome button, instead click on Download Chrome for another platform
    4. Below Download for another desktop OS select Windows 10/8/8 64-bit
    5. Follow the steps provided by Google
    Enjoy and thanks!
     
  4. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    916
    Application Error build 334 beta.

    Windows 10 build 10240 x64/Norton Security with Backup v22.5.4.24
     

    Attached Files:

  5. MD5

    MD5 Registered Member

    Joined:
    Nov 6, 2015
    Posts:
    10
    Thanks for help attempt.

    I'm pretty sure I'm running the 64 bit version of Chrome, here the about screen:
    http://snag.gy/i55jl.jpg

    Could be that even by installing the 64 bit version of Chrome, the "autorun" modules Chrome and Notify are 32 bit ?

    http://snag.gy/Nj6OT.jpg
     
  6. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    Is 334 beta sent out via update to those running 332? Because HMPA claims there are no updates for me with 332. I'll update manually instead but I still think the "No update available" should turn into "Check for updates" again after a while, currently it doesn't.
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you reproduce? if so, try to get a dump.
     
  8. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    492
    Location:
    italy
    ok, first problem with TH2 (updated from 10240):

    BadUSB is disabled and i am unable to revert it back!


    Alert 3.1.334
     
    Last edited: Nov 13, 2015
  9. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    916
    No, only a WER available.
     
  10. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    916
    Does this apply to Firefox too? I'm using the 32 bits-version atm (Windows 10 x64).
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,053
    Location:
    USA
    Yes it does. See this article for info about the WoW64 bypass:

    https://www.duosecurity.com/blog/wow64-and-so-can-you

    The latest HMPA beta protects against it, but switching to 64 bit apps that are internet facing, eg browsers, is still a good idea I think.
     
  12. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    561
    Location:
    Hengelo
    As far as I know, other than a development build, there is no 64-bit version of Firefox. The Firefox web browser is 32-bit, even on 64-bit versions of Windows.
     
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,053
    Location:
    USA
    See here:

    https://ftp.mozilla.org/pub/firefox/releases/42.0/win64/

    This is in the release channel :)
     
  14. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    561
    Location:
    Hengelo
  15. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    492
    Location:
    italy
    may i safely delete BadUSB key entry?
     

    Attached Files:

  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes delete it. See if it enables.
     
  17. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    114
    Location:
    Netherlands
    I agree with you but I find this software actually useful as I can monitor and change certain system features from the software.
    ROP is fixed with beta 332, so I'm happy for now.
     
  18. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    492
    Location:
    italy
    no, reg key is restored as soon as i enable BadUSB function! :confused:
     
    Last edited: Nov 13, 2015
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.1 Build 335 BETA

    Changelog

    • Improved Application Lockdown
    • Improved ROP mitigation
    • Improved support for Intel Skylake processors
    Download
    http://test.hitmanpro.com/hmpalert3b335.exe

    Please let me know how this version runs on your computer :thumb:
     
  20. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    916
    No problems upgrading.

    Windows 10 build 10240 x64/Norton Security with Backup v22.5.4.24.
     
  21. alex5723

    alex5723 Registered Member

    Joined:
    Nov 7, 2015
    Posts:
    8
    The last 4 beta versions : 329, 332,334,335 crash iTunes 12.3.1. iTunes work when "removed mitigations"
    There is also Chrome Version 47.0.2526.58 beta-m (64-bit) error.
    Windows 7 64bit.

    Mitigation ROP

    Platform 6.1.7601/x64 06_2a
    PID 10504
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 47

    Callee Type LoadLibrary

    Branch Trace Opcode To
    ---------------------------------------- -------- ----------------------------------------
    RtlGetCurrentUmsThread +0x4a RET SleepEx +0x52
    0x000000007773E6DA ntdll.dll 0x000007FEFD7111A2 KernelBase.dll

    GetSecurityDescriptorSacl +0x104 * RET GetHandleVerifier
    0x000007FEFD722D54 KernelBase.dll 0x000000013F2D10A0 chrome.exe
    7504 JNZ 0x13f2d10a6
    32c0 XOR AL, AL
    eb3d JMP 0x13f2d10e3


    GetCurrentThreadId +0x3d RET GetSecurityDescriptorSacl +0xf3
    0x000007FEFD7113DD KernelBase.dll 0x000007FEFD722D43 KernelBase.dll

    RtlRestoreLastWin32Error +0x20 RET GetCurrentThreadId +0x36
    0x00000000777431B0 ntdll.dll 0x000007FEFD7113D6 KernelBase.dll

    RtlNtStatusToDosError +0x27 RET GetCurrentThreadId +0x2c
    0x00000000777450D7 ntdll.dll 0x000007FEFD7113CC KernelBase.dll

    RtlNtStatusToDosErrorNoTeb +0xd3 RET RtlNtStatusToDosError +0x23
    0x00000000777451B3 ntdll.dll 0x00000000777450D3 ntdll.dll

    NtOpenSection +0xa RET OpenFileMappingW +0x89
    0x000000007774162A ntdll.dll 0x000007FEFD721ED9 KernelBase.dll

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 000007FEFD719059 KernelBase.dll LoadLibraryExW +0x169
    2 000007FEFD71C021 KernelBase.dll LoadLibraryExA +0x51

    3 000007FEDA426C3A chrome_child.dll IsSandboxedProcess
    488bf8 MOV RDI, RAX
    4885c0 TEST RAX, RAX
    754c JNZ 0x7feda426c8e
    ff15384f6f00 CALL QWORD [RIP+0x6f4f38]
    8945e8 MOV [RBP-0x18], EAX
    488b05f6b34401 MOV RAX, [RIP+0x144b3f6]
    4885c0 TEST RAX, RAX
    7411 JZ 0x7feda426c68
    488d55a8 LEA RDX, [RBP-0x58]
    8d4f03 LEA ECX, [RDI+0x3]
    ffd0 CALL RAX
    488bf8 MOV RDI, RAX
    4885c0 TEST RAX, RAX
    7526 JNZ 0x7feda426c8e
    33d2 XOR EDX, EDX
    488d45a8 LEA RAX, [RBP-0x58]

    4 000007FED953E428 chrome_child.dll ChromeMain
    5 000007FED84EBFC3 chrome_child.dll _ovly_debug_event
    6 000007FED95E5FA6 chrome_child.dll ChromeMain
    7 000007FED95E61D4 chrome_child.dll ChromeMain
    8 000007FED95E68A9 chrome_child.dll ChromeMain
    9 000007FED95E5358 chrome_child.dll ChromeMain
    10 000007FED95E5318 chrome_child.dll ChromeMain

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [10504]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --force-fieldtrials="*AffiliationBasedMatching/Enabled/AppBannerTriggering/Conservative/AudioProcessing48kHzSupport/Enabled/*AutofillClassifier/Control/*AutomaticTab

    2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [10104]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-new-menu-style --ssl-version-min=tls1

    3 C:\Windows\explorer.exe [2188]
    4 C:\Windows\System32\userinit.exe [2052]



    Mitigation DEP

    Platform 6.1.7601/x64 06_2a
    PID 8012
    Application C:\Program Files (x86)\iTunes\iTunes.exe
    Description iTunes 12.3

    EIP = 0EA0590E, State = 0x1000, Type = 0x20000, Protect = 0x4

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 7554A71D ole32.dll CoRegisterMessageFilter
    8b4604 MOV EAX, [ESI+0x4]
    f7d0 NOT EAX
    a801 TEST AL, 0x1
    7411 JZ 0x7554a737
    8b4610 MOV EAX, [ESI+0x10]
    f680ac00000008 TEST BYTE [EAX+0xac], 0x8
    7505 JNZ 0x7554a737
    e86be30000 CALL 0x75558aa2
    8bce MOV ECX, ESI
    e87c020000 CALL 0x7554a9ba
    395df4 CMP [EBP-0xc], EBX
    0f8520940600 JNZ 0x755b3b67
    8b4dec MOV ECX, [EBP-0x14]
    5e POP ESI
    3bcb CMP ECX, EBX
    5b POP EBX

    2 75525D00 ole32.dll StgOpenStorage
    3 75525CE1 ole32.dll StgOpenStorage
    4 75525D3F ole32.dll StgOpenStorage
    5 75558F82 ole32.dll SetErrorInfo
    6 75558EC3 ole32.dll SetErrorInfo
    7 75559652 ole32.dll SetErrorInfo
    8 755588E8 ole32.dll SetErrorInfo +0x75
    9 56E2C8E1 QuickTime.qts DllMain

    Process Trace
    1 C:\Program Files (x86)\iTunes\iTunes.exe [8012]
    2 C:\Windows\explorer.exe [2188]
    3 C:\Windows\System32\userinit.exe [2052]
     
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,709
    Location:
    .
    3.1 build 335 ~
    W8.1x64 + Firefox42x64 + IE11 + Chrome46 :)
     
    Last edited: Nov 13, 2015
  23. miguelgrado

    miguelgrado Registered Member

    Joined:
    May 25, 2014
    Posts:
    35
    Location:
    Asturias-España
    Hitman Pro alert 3.1.335 Beta, problem with Foxit reader Updater...

    Sin título.png
     
  24. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137
    any lifetime deal ?
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Please click Technical Details and then Copy/Paste in a post here. Thanks :thumb:
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.