HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    641
    Location:
    USA
    Still working! ;)
     
  2. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    731
    ROP Firefox 63.0.3, Sandboxie 5.27.2 (known issue sandboxed Firefox) and HitmanPro Alert 769.
     

    Attached Files:

    • ROP.txt (18.2 KB)
  3. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,960
    Location:
    the Netherlands
    @deugniet,
    Perhaps better to post this in the beta thread, as HMP build 769 is still RC4, not the release version, yet.
     
  4. HansF

    HansF Registered Member

    Joined:
    Dec 10, 2015
    Posts:
    13
  5. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,960
    Location:
    the Netherlands
    Thanks very much, HansF.
    The information is not mentioned on the download page, nor in the release history, nor was it mentioned in the HMPA thread, but when downloaded, I see that it is 3.7.9.769.
    Do you know since when that is? Is that since only very recently?
    I suppose there will be a post here in the HMPA thread, soon, and I suppose it will be offered via auto-update.
     
  6. HansF

    HansF Registered Member

    Joined:
    Dec 10, 2015
    Posts:
    13
    You're welcome.
    For almost a week now. It was on November 28th, when I downloaded the stable version on the hitmanpro homepage and noticed that the 3.7.9.769 RC4 was already declared final. After that, I've looked for further information here on Wilders, but I didn't find anything.
     
  7. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,960
    Location:
    the Netherlands
    Thanks. But you say "declared final", while there was no announcement.
    We might as well say that it is still RC4, but for some unknown reason it is offered for download.
    I hope that @RonnyT (or @erikloman, or @markloman) can clarify the status of 3.7.9.769.
     
  8. HansF

    HansF Registered Member

    Joined:
    Dec 10, 2015
    Posts:
    13
    I think the 3.7.9.769 RC4 was internally declared final and they just forgot to do it publicly and officially. Likewise, they seem to have forgotten to update the homepage / changelog. Maybe it has something to do with the takeover and change of the internal structures, but this is pure speculation from me.
     
  9. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,960
    Location:
    the Netherlands
    The HMPA page and release history are usually updated somewhat later, that is not uncommon.
    But when a HMPA version is released, it is usually offered via auto-update the same day or in a few days.
    I can't recall ever having seen the combination of a version that is offered for download, with no announcement, and no auto-update.
    Which is why I hope that RonnyT (or Erik, or Mark) can clarify the status of 3.7.9.769.
     
  10. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    501
    Location:
    Hengelo
    Actually, we're finetuning some silent alerts on the backend before updating our entire user base to the new version. This takes a bit more time than usual because the silent alerts are about our new Dynamic Shellcode Mitigation (internally known as Heap Heap Hooray). This new mitigation has been patented in the meantime as well.
    We have seen some really interesting alerts, for example:

    Mitigation Shellcode

    Platform 10.0.17763/x64 v769 06_3c
    PID 6476
    Feature 00170E30000001A6
    Application C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Description Windows PowerShell 10

    Shellcode (HHP) (0x00012000 bytes)
    CALLER is inside localAlloc mem
    Owner of CALLER: (anonymous; allocated by 6096EB1A, clr.dll)
    (anonymous; clr.dll)+0x7320
    Range (0x04591000 - 0x045A3000))
    (anonymous)+0x1000
    Owner of BaseAddress: (04537322) NO MODULE ASSIGNED

    Process Trace
    1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe [6476]
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "IEX (([System.IO.File]::ReadAllText('C:\Users\***\AppData\Roaming\mkltkpfcp.log')).Replace('#',''));Start-Sleep -s 1000000;"

    This is the GandCrab 5.0.4 ransomware, running directly from a PowerShell script in the powershell.exe process (it's not dropping to the disk for AV/ML scanning). Since the PowerShell script is riddled with # characters, they need to be removed first (as included in the PowerShell command). This thwarts sandbox analysis. As you can see the static detection is very low on VirusTotal:

    GandCrab504.jpg

    The new Dynamic Shellcode Mitigation monitors memory allocation behavior and doesn't rely on signatures to detect a threat.
    CryptoGuard would also detect this ransomware of course, but it's now stopped at an earlier event - no file encryption took place whatsoever.
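
As an added example (not HitmanPro.Alert's own code, and not from Mark's post): a small Python triage helper that parses the header fields and the Process Trace of an alert in the text format shown above and scores the launching command line for the traits Mark describes (execution-policy bypass, IEX of text read from a file under AppData, stripping of # characters before evaluation, a long sleep that keeps the host process alive). It handles both the single-space header layout of the Shellcode alert and the padded layout of the ROP alerts posted elsewhere in this thread. The indicator weights, the flag threshold, the field names and the two sample alerts are this example's own constructions, modeled on alerts in the thread.

```python
"""Triage helper for HitmanPro.Alert-style mitigation alert text.

Added example, not HitmanPro.Alert code. Indicator weights and the
flag threshold are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Command-line traits with assumed weights; each is a defender-side indicator
# that a script is being evaluated in memory rather than run from a .ps1 file.
INDICATORS = [
    (r"-ExecutionPolicy\s+Bypass", 2, "execution policy bypass"),
    (r"\bIEX\b|Invoke-Expression", 3, "dynamic evaluation of script text"),
    (r"\[System\.IO\.File\]::ReadAllText", 2, "script body read from a file at runtime"),
    (r"\\AppData\\(?:Roaming|Local)\\", 1, "payload staged under the user profile"),
    (r"\.Replace\('#',\s*''\)", 3, "comment characters stripped before evaluation"),
    (r"Start-Sleep\s+-s\s+\d{5,}", 1, "very long sleep keeps the host process alive"),
]
FLAG_THRESHOLD = 5  # assumed: at or above this the alert deserves an analyst's look

HEADER_FIELDS = ("Mitigation", "Platform", "PID", "Feature", "Application", "Description")
HEADER_RE = re.compile(r"^(\w+)\s+(.+?)\s*$")
TRACE_ENTRY_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]\s*$")


@dataclass
class Alert:
    fields: dict = field(default_factory=dict)
    process_trace: list = field(default_factory=list)  # (index, image, pid, cmdline)


def parse_alert(text: str) -> Alert:
    """Parse the plain-text alert body (the 'Description' of the event log entry)."""
    alert = Alert()
    lines = [ln.strip() for ln in text.splitlines()]
    in_trace = False
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln == "Process Trace":
            in_trace = True
        elif in_trace:
            m = TRACE_ENTRY_RE.match(ln)
            if m:
                cmdline = ""
                # The command line, when logged, follows the entry on its own quoted line.
                if i + 1 < len(lines) and lines[i + 1].startswith('"'):
                    cmdline = lines[i + 1]
                    i += 1
                alert.process_trace.append((int(m.group(1)), m.group(2), int(m.group(3)), cmdline))
            elif ln != "":
                in_trace = False  # a later section (e.g. Thumbprint) has begun
        else:
            m = HEADER_RE.match(ln)
            if m and m.group(1) in HEADER_FIELDS:
                alert.fields[m.group(1)] = m.group(2)
        i += 1
    return alert


def score_cmdline(cmdline: str):
    """Return (score, reasons) for one command line; PowerShell is case-insensitive."""
    score, reasons = 0, []
    for pattern, weight, why in INDICATORS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            score += weight
            reasons.append(why)
    return score, reasons


def triage(text: str) -> dict:
    """Parse an alert and score the launching process (trace index 1)."""
    alert = parse_alert(text)
    root = next((e for e in alert.process_trace if e[0] == 1), None)
    score, reasons = score_cmdline(root[3] if root else "")
    return {
        "mitigation": alert.fields.get("Mitigation", ""),
        "application": alert.fields.get("Application", ""),
        "pid": int(alert.fields.get("PID", 0)),
        "score": score,
        "reasons": reasons,
        "flagged": score >= FLAG_THRESHOLD,
    }


# Constructed sample, modeled on the Shellcode alert posted in this thread.
SAMPLE_SHELLCODE_ALERT = r"""
Mitigation Shellcode
Platform 10.0.17763/x64 v769 06_3c
PID 6476
Application C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Trace
1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe [6476]
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "IEX (([System.IO.File]::ReadAllText('C:\Users\***\AppData\Roaming\mkltkpfcp.log')).Replace('#',''));Start-Sleep -s 1000000;"
"""

# Constructed benign sample: a browser utility process, in the padded header layout.
SAMPLE_ROP_ALERT = r"""
Mitigation   ROP
PID          400
Application  C:\Program Files (x86)\Slimjet\slimjet.exe

Process Trace
1  C:\Program Files (x86)\Slimjet\slimjet.exe [400]
"C:\Program Files (x86)\Slimjet\slimjet.exe" --type=utility --service-sandbox-type=cdm
2  C:\Program Files (x86)\Slimjet\slimjet.exe [8452]
3  C:\Windows\explorer.exe [2252]
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SHELLCODE_ALERT, SAMPLE_ROP_ALERT):
        print(triage(sample))
```

The score is deliberately additive rather than a single signature: the `.Replace('#','')` trick defeats string matching on the script body, but the launch pattern around it (policy bypass, IEX, a runtime file read from the profile, a near-infinite sleep) is visible in the process trace regardless of how the payload is encoded, which is the same behavioural angle the mitigation itself takes.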
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,960
    Location:
    the Netherlands
    Thanks very much for the clarification, Mark. :thumb:
    However, based on your explanation, isn't build 769 still more RC than release version, currently? I'm not sure if I understand why it is available as release version on the website, when you're still finetuning.
    Anyhow, it looks like a great update. I'll see the final announcement and auto-update later.
    Thanks once more!
     
  12. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    129
    Location:
    Canada
    Very cool Mark! I think it's fair to say that those of us participating in this forum enjoy reading about some of the behind-the-scenes technologies you guys are developing. I also got a kick out of the "Heap Heap Hooray" pun. Please keep us in the loop more often.
     
  13. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,960
    Location:
    the Netherlands
    I second that. Erik and Mark did so in the earlier days, but less often nowadays. I know Erik and Mark are very busy, and probably RonnyT likewise, but as HempOil said, it would be great to see more of the behind-the-scenes info about development, like earlier.
     
  14. Bill1987

    Bill1987 Registered Member

    Joined:
    Wednesday
    Posts:
    1
    Location:
    Eastern-Europe
    Can this program replace an antivirus software or do I still need an antivirus if I buy Hitman Pro Alert?
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,160
    Location:
    Among the gum trees
    No, you will still need an AV. If you are on Win8.1 or Win10 you already have Windows Defender which is fine.
     
  16. LICIL4801

    LICIL4801 Registered Member

    Joined:
    Jan 1, 2016
    Posts:
    7
    I just updated Acronis True Image 2019 and it has a cryptomining malware blocker. Is this not needed given the features of HitManPro.ALERT?

    Thank you again.
     
  17. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    749
    Location:
    Baden Germany
    If you have AV and HMP.A running you don't need an additional CMB.

    WTF:
    Ransomware and cryptomining malware blocker in imaging software...
    Acronis is going bloatware.
     
  18. LICIL4801

    LICIL4801 Registered Member

    Joined:
    Jan 1, 2016
    Posts:
    7
    Thank you very much, Hiltihome. I appreciate it.
     
  19. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    382
    Ref. this post:

    Now running build 759, tonight I found HMP.A "locked" again, but this time with three hmpa.exe processes shown as running in Task Manager. One is for "System," the other for my PC's name.

    Curiously, like the last time, this happened about three months before the license expires.

    What could be the cause of this lockup, and how do I fix it?

    UPDATE: Killing the two user processes in Task Manager, and then relaunching HMP.A from the Start menu, did the trick.

    However, I'd still be curious to know what sorts of things could have caused HMP.A to lock up in the first place.
     
    Last edited: Dec 7, 2018 at 4:27 PM
  20. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    404
    Running Win 8.1 x64, today accessing Spotify I got this FP for the first time and it keeps on recurring.
    Don't like the idea of disabling ROP, any suggestions on how to handle?
    Thanks
    Code:
    -------------------------
    Log Name:      Application
    Source:        HitmanPro.Alert
    Date:          08-Dec-18 09:36:39
    Event ID:      911
    Task Category: Mitigation
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Notebook
    Description:
    Mitigation   ROP
    
    Platform     6.3.9600/x64 v759 06_3d
    PID          400
    Feature      00071A341FBFB1B6
    Application  C:\Program Files (x86)\Slimjet\slimjet.exe
    Description  FlashPeak Slimjet 21.0.5
    
    Callee Type  LoadLibrary
                 ntdll.dll
    
    Branch Trace                      Opcode  To                            
    -------------------------------- -------- --------------------------------
    RtlInitUnicodeStringEx +0x4a         RET  LoadLibraryExW +0x48          
    0x7755980A ntdll.dll                      0x77004A58 KernelBase.dll      
    
    IsCharAlphaW +0xba                   RET  LoadLibraryExA +0x12          
    0x77007CFA KernelBase.dll                 0x7700F0E2 KernelBase.dll      
    
    GetTickCount +0x40                   RET  IsCharAlphaW +0xb7            
    0x76FFECC0 KernelBase.dll                 0x77007CF7 KernelBase.dll      
    
    RtlAnsiStringToUnicodeString +0xf9     RET  IsCharAlphaW +0xa1            
    0x775648C9 ntdll.dll                      0x77007CE1 KernelBase.dll      
    
    0x775526EC ntdll.dll                 RET  RtlAnsiStringToUnicodeString +0xf6
                                              0x775648C6 ntdll.dll          
    
    RtlAnsiStringToUnicodeString +0x133     RET  RtlAnsiStringToUnicodeString +0xdc
    0x77564903 ntdll.dll                      0x775648AC ntdll.dll          
    
    RtlMultiByteToUnicodeN +0x77         RET  RtlAnsiStringToUnicodeString +0xad
    0x77564767 ntdll.dll                      0x7756487D ntdll.dll          
    
    RtlInitUnicodeStringEx +0x79         RET  RtlQueryPerformanceCounter +0x79
    0x77559839 ntdll.dll                      0x775716F9 ntdll.dll          
    
    RtlAllocateHeap +0xfd                RET  RtlInitUnicodeStringEx +0x78  
    0x77550FDD ntdll.dll                      0x77559838 ntdll.dll          
    
    0x7755353B ntdll.dll                 RET  RtlAllocateHeap +0xc9          
                                              0x77550FA9 ntdll.dll          
    
    0x7753A6DD ntdll.dll                 RET  IsCharAlphaW +0x9f            
                                              0x77007CDF KernelBase.dll      
    
    RtlInitAnsiStringEx +0x39            RET  IsCharAlphaW +0x82            
    0x77571749 ntdll.dll                      0x77007CC2 KernelBase.dll      
    
    _strcmpi +0x5d                       RET  LoadLibraryA +0x1b            
    0x77528A0D ntdll.dll                      0x76CB8F9B kernel32.dll        
    
    0x1028D2B6 widevinecdm.dll         ~ RET* LoadLibraryA()                
                                              0x76CB8F80 kernel32.dll        
                8bff                     MOV          EDI, EDI
                55                       PUSH         EBP
                8bec                     MOV          EBP, ESP
                837d0800                 CMP          DWORD [EBP+0x8], 0x0
                53                       PUSH         EBX
                56                       PUSH         ESI
                7418                     JZ           0x76cb8fa5
                6884acd476               PUSH         DWORD 0x76d4ac84
                ff7508                   PUSH         DWORD [EBP+0x8]
                ff15fc0ed276             CALL         DWORD [0x76d20efc]
                59                       POP          ECX
                59                       POP          ECX
                85c0                     TEST         EAX, EAX
                0f84b38f0100             JZ           0x76cd1f58
                6a00                     PUSH         0x0
                6a00                     PUSH         0x0
                                     ( E4260D90FAFB5B6)
    
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  77004AD6 KernelBase.dll           LoadLibraryExW +0xc6
    2  7700F0F5 KernelBase.dll           LoadLibraryExA +0x25
    3  76CB8FB2 kernel32.dll             LoadLibraryA +0x32
    
    4  1026FAED widevinecdm.dll        
                8945e8                   MOV          [EBP-0x18], EAX
                837de800                 CMP          DWORD [EBP-0x18], 0x0
                68f309e30f               PUSH         DWORD 0xfe309f3
                895424fc                 MOV          [ESP-0x4], EDX
                8d6424fc                 LEA          ESP, [ESP-0x4]
                895c24fc                 MOV          [ESP-0x4], EBX
                8d6424fc                 LEA          ESP, [ESP-0x4]
                8b542408                 MOV          EDX, [ESP+0x8]
                bb73ea2710               MOV          EBX, 0x1027ea73
                0f45d3                   CMOVNZ       EDX, EBX
                89542408                 MOV          [ESP+0x8], EDX
                8b1c24                   MOV          EBX, [ESP]
                8d642404                 LEA          ESP, [ESP+0x4]
                8b1424                   MOV          EDX, [ESP]
                8d642404                 LEA          ESP, [ESP+0x4]
                8d642404                 LEA          ESP, [ESP+0x4]
    
    5  10288A47 widevinecdm.dll        
    6  5102BDD2 chrome_child.dll      
    7  5102B443 chrome_child.dll      
    8  5102B363 chrome_child.dll      
    9  51024AC4 chrome_child.dll      
    10 510245DA chrome_child.dll      
    
    Loaded Modules
    -----------------------------------------------------------------------------
    00340000-004CB000 slimjet.exe (FlashPeak Inc.),
                      version: 21.0.5.0
    77510000-7767F000 ntdll.dll (Microsoft Corporation),
                      version: 6.3.9600.18895 (winblue_ltsb.180101-1800
    76CA0000-76DE0000 KERNEL32.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    74BB0000-74C8F000 hmpalert.dll (SurfRight B.V.),
                      version: 3.7.9.759
    76FF0000-770C7000 KERNELBASE.dll (Microsoft Corporation),
                      version: 6.3.9600.19178 (winblue_ltsb_escrow.1810
    76C20000-76C9C000 ADVAPI32.dll (Microsoft Corporation),
                      version: 6.3.9600.18895 (winblue_ltsb.180101-1800
    77170000-77233000 msvcrt.dll (Microsoft Corporation),
                      version: 7.0.9600.17415 (winblue_r4.141028-1500)
    75540000-75581000 sechost.dll (Microsoft Corporation),
                      version: 6.3.9600.17734 (winblue_r9.150319-1700)
    75770000-7582A000 RPCRT4.dll (Microsoft Corporation),
                      version: 6.3.9600.19176 (winblue_ltsb.181006-0600
    75590000-755AE000 SspiCli.dll (Microsoft Corporation),
                      version: 6.3.9600.18454 (winblue_ltsb.160820-0600
    74CF0000-74CFA000 CRYPTBASE.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    74C90000-74CE4000 bcryptPrimitives.dll (Microsoft Corporation),
                      version: 6.3.9600.18895 (winblue_ltsb.180101-1800
    58560000-585E1000 chrome_elf.dll (FlashPeak Inc.),
                      version: 21.0.5.0
    75930000-76BEB000 SHELL32.dll (Microsoft Corporation),
                      version: 6.3.9600.19125 (winblue_ltsb.180812-0703
    76E40000-76F93000 USER32.dll (Microsoft Corporation),
                      version: 6.3.9600.18535 (winblue_ltsb.161109-0600
    741F0000-74213000 WINMM.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    74AE0000-74AE8000 VERSION.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    76DE0000-76E25000 SHLWAPI.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    76E30000-76E36000 PSAPI.DLL (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    75640000-75769000 ole32.dll (Microsoft Corporation),
                      version: 6.3.9600.19178 (winblue_ltsb_escrow.1810
    75250000-753CD000 combase.dll (Microsoft Corporation),
                      version: 6.3.9600.19178 (winblue_ltsb_escrow.1810
    74F80000-7508C000 GDI32.dll (Microsoft Corporation),
                      version: 6.3.9600.19153 (winblue_ltsb.180908-0600
    741C0000-741E3000 WINMMBASE.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    755B0000-755EC000 cfgmgr32.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    746E0000-74701000 DEVOBJ.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    76BF0000-76C17000 IMM32.DLL (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    74D90000-74EA2000 MSCTF.dll (Microsoft Corporation),
                      version: 6.3.9600.18819 (winblue_ltsb.170909-0600
    74B20000-74BAB000 shcore.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    50FE0000-552B6000 chrome_child.dll (FlashPeak Inc.),
                      version: 21.0.5.0
    76FA0000-76FEF000 WS2_32.dll (Microsoft Corporation),
                      version: 6.3.9600.18340 (winblue_ltsb.160513-1153
    749B0000-749D0000 IPHLPAPI.DLL (Microsoft Corporation),
                      version: 6.3.9600.18264 (winblue_ltsb.160310-0600
    6AB70000-6AB7B000 msdmo.dll (Microsoft Corporation),
                      version: 6.6.9600.17415 (winblue_r4.141028-1500)
    75830000-758C7000 OLEAUT32.dll (Microsoft Corporation),
                      version: 6.3.9600.18666
    74F40000-74F7D000 WINTRUST.dll (Microsoft Corporation),
                      version: 6.3.9600.18508 (winblue_ltsb.161004-0600
    770D0000-7716B000 COMDLG32.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    74AF0000-74B0B000 USERENV.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    72760000-728E1000 DWrite.dll (Microsoft Corporation),
                      version: 6.3.9600.18696 (winblue_ltsb.170511-1554
    74370000-743D5000 WINSPOOL.DRV (Microsoft Corporation),
                      version: 6.3.9600.18467 (winblue_ltsb.160903-0600
    72A80000-72BC1000 dbghelp.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    64300000-64316000 USP10.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    5B0D0000-5B139000 dxgi.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    772B0000-77438000 CRYPT32.dll (Microsoft Corporation),
                      version: 6.3.9600.18653 (winblue_ltsb.170331-0600
    73CC0000-73E10000 urlmon.dll (Microsoft Corporation),
                      version: 11.00.9600.19178 (winblue_ltsb_escrow.18
    746D0000-746DA000 Secur32.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    749D0000-74A6E000 WINHTTP.dll (Microsoft Corporation),
                      version: 6.3.9600.18895 (winblue_ltsb.180101-1800
    74960000-74974000 dhcpcsvc.DLL (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    75600000-75607000 NSI.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    749A0000-749A8000 WINNSI.DLL (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    75610000-7561E000 MSASN1.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    743F0000-745F6000 COMCTL32.dll (Microsoft Corporation),
                      version: 6.10 (winblue_r11.150424-0600)
    74B10000-74B1F000 profapi.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    73A80000-73CB6000 iertutil.dll (Microsoft Corporation),
                      version: 11.00.9600.19178 (winblue_ltsb_escrow.18
    73640000-73A77000 WININET.dll (Microsoft Corporation),
                      version: 11.00.9600.19178 (winblue_ltsb_escrow.18
    0FD90000-10462800 widevinecdm.dll (Google Inc.),
                      version: 4.10.1196.0
    71F10000-71F2E000 dxva2.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    
    Code Injection
    044D0000-044D1000    4KB C:\Program Files (x86)\Slimjet\slimjet.exe [8452]
    044E2000-044E3000    4KB
    7754C000-7754D000    4KB
    7754D000-7754E000    4KB
    0048D000-0048E000    4KB
    0048C000-0048D000    4KB
    044F0000-044F1000    4KB
    00487000-00488000    4KB
    1  C:\Program Files (x86)\Slimjet\slimjet.exe [8452]
    2  C:\Windows\explorer.exe [2252]
    3  C:\Windows\System32\userinit.exe [920]
    
    Process Trace
    1  C:\Program Files (x86)\Slimjet\slimjet.exe [400]
    "C:\Program Files (x86)\Slimjet\slimjet.exe" --type=utility --field-trial-handle=1388,9760386617617898224,15067139679740473213,131072 --lang=en-US --service-sandbox-type=cdm --service-request-channel-token=8543669812659115685 --mojo-platform-channel-handle
    2  C:\Program Files (x86)\Slimjet\slimjet.exe [8452]
    3  C:\Windows\explorer.exe [2252]
    4  C:\Windows\System32\userinit.exe [920]
    
    Thumbprint
    cbcb351b231f797c1ed902aa13d0f8199a51c0be69cb69bdec00ef9be61dd229
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2018-12-08T08:36:39.000000000Z" />
        <EventRecordID>207427</EventRecordID>
        <Channel>Application</Channel>
        <Computer>NotebookDaniele</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files (x86)\Slimjet\slimjet.exe</Data>
        <Data>ROP</Data>
        <Data>Mitigation   ROP
    
    Platform     6.3.9600/x64 v759 06_3d
    PID          400
    Feature      00071A341FBFB1B6
    Application  C:\Program Files (x86)\Slimjet\slimjet.exe
    Description  FlashPeak Slimjet 21.0.5
    
    Callee Type  LoadLibrary
                 ntdll.dll
    
    Branch Trace                      Opcode  To                            
    -------------------------------- -------- --------------------------------
    RtlInitUnicodeStringEx +0x4a         RET  LoadLibraryExW +0x48          
    0x7755980A ntdll.dll                      0x77004A58 KernelBase.dll      
    
    IsCharAlphaW +0xba                   RET  LoadLibraryExA +0x12          
    0x77007CFA KernelBase.dll                 0x7700F0E2 KernelBase.dll      
    
    GetTickCount +0x40                   RET  IsCharAlphaW +0xb7            
    0x76FFECC0 KernelBase.dll                 0x77007CF7 KernelBase.dll      
    
    RtlAnsiStringToUnicodeString +0xf9     RET  IsCharAlphaW +0xa1            
    0x775648C9 ntdll.dll                      0x77007CE1 KernelBase.dll      
    
    0x775526EC ntdll.dll                 RET  RtlAnsiStringToUnicodeString +0xf6
                                              0x775648C6 ntdll.dll          
    
    RtlAnsiStringToUnicodeString +0x133     RET  RtlAnsiStringToUnicodeString +0xdc
    0x77564903 ntdll.dll                      0x775648AC ntdll.dll          
    
    RtlMultiByteToUnicodeN +0x77         RET  RtlAnsiStringToUnicodeString +0xad
    0x77564767 ntdll.dll                      0x7756487D ntdll.dll          
    
    RtlInitUnicodeStringEx +0x79         RET  RtlQueryPerformanceCounter +0x79
    0x77559839 ntdll.dll                      0x775716F9 ntdll.dll          
    
    RtlAllocateHeap +0xfd                RET  RtlInitUnicodeStringEx +0x78  
    0x77550FDD ntdll.dll                      0x77559838 ntdll.dll          
    
    0x7755353B ntdll.dll                 RET  RtlAllocateHeap +0xc9          
                                              0x77550FA9 ntdll.dll          
    
    0x7753A6DD ntdll.dll                 RET  IsCharAlphaW +0x9f            
                                              0x77007CDF KernelBase.dll      
    
    RtlInitAnsiStringEx +0x39            RET  IsCharAlphaW +0x82            
    0x77571749 ntdll.dll                      0x77007CC2 KernelBase.dll      
    
    _strcmpi +0x5d                       RET  LoadLibraryA +0x1b            
    0x77528A0D ntdll.dll                      0x76CB8F9B kernel32.dll        
    
    0x1028D2B6 widevinecdm.dll         ~ RET* LoadLibraryA()                
                                              0x76CB8F80 kernel32.dll        
                8bff                     MOV          EDI, EDI
                55                       PUSH         EBP
                8bec                     MOV          EBP, ESP
                837d0800                 CMP          DWORD [EBP+0x8], 0x0
                53                       PUSH         EBX
                56                       PUSH         ESI
                7418                     JZ           0x76cb8fa5
                6884acd476               PUSH         DWORD 0x76d4ac84
                ff7508                   PUSH         DWORD [EBP+0x8]
                ff15fc0ed276             CALL         DWORD [0x76d20efc]
                59                       POP          ECX
                59                       POP          ECX
                85c0                     TEST         EAX, EAX
                0f84b38f0100             JZ           0x76cd1f58
                6a00                     PUSH         0x0
                6a00                     PUSH         0x0
                                     ( E4260D90FAFB5B6)
    
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  77004AD6 KernelBase.dll           LoadLibraryExW +0xc6
    2  7700F0F5 KernelBase.dll           LoadLibraryExA +0x25
    3  76CB8FB2 kernel32.dll             LoadLibraryA +0x32
    
    4  1026FAED widevinecdm.dll        
                8945e8                   MOV          [EBP-0x18], EAX
                837de800                 CMP          DWORD [EBP-0x18], 0x0
                68f309e30f               PUSH         DWORD 0xfe309f3
                895424fc                 MOV          [ESP-0x4], EDX
                8d6424fc                 LEA          ESP, [ESP-0x4]
                895c24fc                 MOV          [ESP-0x4], EBX
                8d6424fc                 LEA          ESP, [ESP-0x4]
                8b542408                 MOV          EDX, [ESP+0x8]
                bb73ea2710               MOV          EBX, 0x1027ea73
                0f45d3                   CMOVNZ       EDX, EBX
                89542408                 MOV          [ESP+0x8], EDX
                8b1c24                   MOV          EBX, [ESP]
                8d642404                 LEA          ESP, [ESP+0x4]
                8b1424                   MOV          EDX, [ESP]
                8d642404                 LEA          ESP, [ESP+0x4]
                8d642404                 LEA          ESP, [ESP+0x4]
    
    5  10288A47 widevinecdm.dll        
    6  5102BDD2 chrome_child.dll      
    7  5102B443 chrome_child.dll      
    8  5102B363 chrome_child.dll      
    9  51024AC4 chrome_child.dll      
    10 510245DA chrome_child.dll      
    
    Loaded Modules
    -----------------------------------------------------------------------------
    00340000-004CB000 slimjet.exe (FlashPeak Inc.),
                      version: 21.0.5.0
    77510000-7767F000 ntdll.dll (Microsoft Corporation),
                      version: 6.3.9600.18895 (winblue_ltsb.180101-1800
    76CA0000-76DE0000 KERNEL32.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    74BB0000-74C8F000 hmpalert.dll (SurfRight B.V.),
                      version: 3.7.9.759
    76FF0000-770C7000 KERNELBASE.dll (Microsoft Corporation),
                      version: 6.3.9600.19178 (winblue_ltsb_escrow.1810
    76C20000-76C9C000 ADVAPI32.dll (Microsoft Corporation),
                      version: 6.3.9600.18895 (winblue_ltsb.180101-1800
    77170000-77233000 msvcrt.dll (Microsoft Corporation),
                      version: 7.0.9600.17415 (winblue_r4.141028-1500)
    75540000-75581000 sechost.dll (Microsoft Corporation),
                      version: 6.3.9600.17734 (winblue_r9.150319-1700)
    75770000-7582A000 RPCRT4.dll (Microsoft Corporation),
                      version: 6.3.9600.19176 (winblue_ltsb.181006-0600
    75590000-755AE000 SspiCli.dll (Microsoft Corporation),
                      version: 6.3.9600.18454 (winblue_ltsb.160820-0600
    74CF0000-74CFA000 CRYPTBASE.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    74C90000-74CE4000 bcryptPrimitives.dll (Microsoft Corporation),
                      version: 6.3.9600.18895 (winblue_ltsb.180101-1800
    58560000-585E1000 chrome_elf.dll (FlashPeak Inc.),
                      version: 21.0.5.0
    75930000-76BEB000 SHELL32.dll (Microsoft Corporation),
                      version: 6.3.9600.19125 (winblue_ltsb.180812-0703
    76E40000-76F93000 USER32.dll (Microsoft Corporation),
                      version: 6.3.9600.18535 (winblue_ltsb.161109-0600
    741F0000-74213000 WINMM.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    74AE0000-74AE8000 VERSION.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    76DE0000-76E25000 SHLWAPI.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    76E30000-76E36000 PSAPI.DLL (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    75640000-75769000 ole32.dll (Microsoft Corporation),
                      version: 6.3.9600.19178 (winblue_ltsb_escrow.1810
    75250000-753CD000 combase.dll (Microsoft Corporation),
                      version: 6.3.9600.19178 (winblue_ltsb_escrow.1810
    74F80000-7508C000 GDI32.dll (Microsoft Corporation),
                      version: 6.3.9600.19153 (winblue_ltsb.180908-0600
    741C0000-741E3000 WINMMBASE.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    755B0000-755EC000 cfgmgr32.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    746E0000-74701000 DEVOBJ.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    76BF0000-76C17000 IMM32.DLL (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    74D90000-74EA2000 MSCTF.dll (Microsoft Corporation),
                      version: 6.3.9600.18819 (winblue_ltsb.170909-0600
    74B20000-74BAB000 shcore.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    50FE0000-552B6000 chrome_child.dll (FlashPeak Inc.),
                      version: 21.0.5.0
    76FA0000-76FEF000 WS2_32.dll (Microsoft Corporation),
                      version: 6.3.9600.18340 (winblue_ltsb.160513-1153
    749B0000-749D0000 IPHLPAPI.DLL (Microsoft Corporation),
                      version: 6.3.9600.18264 (winblue_ltsb.160310-0600
    6AB70000-6AB7B000 msdmo.dll (Microsoft Corporation),
                      version: 6.6.9600.17415 (winblue_r4.141028-1500)
    75830000-758C7000 OLEAUT32.dll (Microsoft Corporation),
                      version: 6.3.9600.18666
    74F40000-74F7D000 WINTRUST.dll (Microsoft Corporation),
                      version: 6.3.9600.18508 (winblue_ltsb.161004-0600
    770D0000-7716B000 COMDLG32.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    74AF0000-74B0B000 USERENV.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    72760000-728E1000 DWrite.dll (Microsoft Corporation),
                      version: 6.3.9600.18696 (winblue_ltsb.170511-1554
    74370000-743D5000 WINSPOOL.DRV (Microsoft Corporation),
                      version: 6.3.9600.18467 (winblue_ltsb.160903-0600
    72A80000-72BC1000 dbghelp.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    64300000-64316000 USP10.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    5B0D0000-5B139000 dxgi.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    772B0000-77438000 CRYPT32.dll (Microsoft Corporation),
                      version: 6.3.9600.18653 (winblue_ltsb.170331-0600
    73CC0000-73E10000 urlmon.dll (Microsoft Corporation),
                      version: 11.00.9600.19178 (winblue_ltsb_escrow.18
    746D0000-746DA000 Secur32.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    749D0000-74A6E000 WINHTTP.dll (Microsoft Corporation),
                      version: 6.3.9600.18895 (winblue_ltsb.180101-1800
    74960000-74974000 dhcpcsvc.DLL (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    75600000-75607000 NSI.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    749A0000-749A8000 WINNSI.DLL (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    75610000-7561E000 MSASN1.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    743F0000-745F6000 COMCTL32.dll (Microsoft Corporation),
                      version: 6.10 (winblue_r11.150424-0600)
    74B10000-74B1F000 profapi.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    73A80000-73CB6000 iertutil.dll (Microsoft Corporation),
                      version: 11.00.9600.19178 (winblue_ltsb_escrow.18
    73640000-73A77000 WININET.dll (Microsoft Corporation),
                      version: 11.00.9600.19178 (winblue_ltsb_escrow.18
    0FD90000-10462800 widevinecdm.dll (Google Inc.),
                      version: 4.10.1196.0
    71F10000-71F2E000 dxva2.dll (Microsoft Corporation),
                      version: 6.3.9600.17415 (winblue_r4.141028-1500)
    
    Code Injection
    044D0000-044D1000    4KB C:\Program Files (x86)\Slimjet\slimjet.exe [8452]
    044E2000-044E3000    4KB
    7754C000-7754D000    4KB
    7754D000-7754E000    4KB
    0048D000-0048E000    4KB
    0048C000-0048D000    4KB
    044F0000-044F1000    4KB
    00487000-00488000    4KB
    1  C:\Program Files (x86)\Slimjet\slimjet.exe [8452]
    2  C:\Windows\explorer.exe [2252]
    3  C:\Windows\System32\userinit.exe [920]
    
    Process Trace
    1  C:\Program Files (x86)\Slimjet\slimjet.exe [400]
    "C:\Program Files (x86)\Slimjet\slimjet.exe" --type=utility --field-trial-handle=1388,9760386617617898224,15067139679740473213,131072 --lang=en-US --service-sandbox-type=cdm --service-request-channel-token=8543669812659115685 --mojo-platform-channel-handle
    2  C:\Program Files (x86)\Slimjet\slimjet.exe [8452]
    3  C:\Windows\explorer.exe [2252]
    4  C:\Windows\System32\userinit.exe [920]
    
    Thumbprint
    cbcb351b231f797c1ed902aa13d0f8199a51c0be69cb69bdec00ef9be61dd229</Data>
      </EventData>
    </Event>
     
    Last edited by a moderator: Dec 8, 2018 at 11:20 AM
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,027
    Location:
    The Netherlands
    Wow this is pretty cool. But can you actually patent this stuff? What if others want to implement this mitigation? :)
     