HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    This is normal for the CTPs as there are no updates, don't worry about it.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,540
    Location:
    Outer space
CTP3 still crashes Cyberfox 31 (32-bit AMD version) with LoadLibrary, even if I uncheck the Load Library mitigation. Win7x86, other sec software: EMET 5 TP3, WSA 8.0.4.123, Defensewall 3.24


    Code:
    Mitigation  ROP
    PID  1200
    Application  C:\Program Files\Cyberfox\Cyberfox.exe
    Description  Cyberfox 31
    Callee Type  LoadLibrary
    Stack Trace
    #  Address  Module  Location
    -- -------- ------------------------ ----------------------------------------
    1  375B1593 (anonymous; EMET.dll)  
    2  0057005C (anonymous)  
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
      0000  ADD  [EAX], AL
    
     
  3. Paul R

    Paul R Registered Member

    Joined:
    Aug 5, 2014
    Posts:
    59
    Location:
    Bury, Lancashire
CTP3 isn't compatible with EMET5, I was having major problems with IE11 when I had EMET5 & CTP3 installed together, uninstalling EMET5 fixed it for me.
     
  4. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
  5. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    I recently found out that EMET can very well block the VirtualProtect via CALL gadget test if Simulate execution flow is increased to a higher count say 25, forgive my ignorance but I didn't think blocking this test is possible without hardware support, is this known to you?
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
I think the SimExecFlow detection by EMET is not on the actual exploit but it's tripping over an EMET-incompatible hooking engine. What other security tools are you running? Perhaps MBAE?
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,540
    Location:
    Outer space
Ah, unchecking EAF in EMET fixed the Cyberfox crash. I thought Alert was only incompatible with the 5.0 final release, not the TPs.
     
  8. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    No other security software only EMET.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,422
    Location:
    The Netherlands
  10. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
In computer programming, code injection generally means that an attacker introduces their own code into a running legitimate application to alter the course of code execution in a way not intended by the software vendor. Typically, code injection also happens during an exploit attack, where only small parts of a running application are altered to gain control over the computer for arbitrary code execution.

Even though it seems similar, a hollow process involves code _unmapping_ of an application's process. The attacker starts a legitimate application but immediately after it was loaded in memory, the entire code of the legitimate process is unmapped and the attacker maps his malicious program in its place. After this, the legitimate process is now running a totally different program. In the Windows Task Manager the process is visible under the initially started application (process name) - with all the properties of the legitimate application - but the running contents are completely different. Not on disk, only in memory. So the legitimate process serves solely as a container to run hostile code. And to be able to do this the attacker already has a foothold on the computer.
This technique is often used by Remote Access Trojans (RATs) to hide from the user and from many antivirus products.

    Without using virus signatures, HitmanPro.Alert 3 will block any malware or attacks that rely on this technique. So Hollow Process is another layer of defense to stop attackers.
    Our Exploit Test Tool can perform a hollow process attack, see paragraph 3.16 of the Exploit Test Tool Manual.
     
    Last edited: Sep 12, 2014
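The post above describes the defender's core signal for a hollowed process: the executable image that is actually mapped in memory no longer matches the file the process was started from. The example below, which is added here and is not code from HitmanPro.Alert or from the thread, shows that comparison on constructed data. It builds two minimal PE32 byte images with Python's struct module (a "legitimate" one and one standing in for the replacement image an attacker maps in), parses the fields that typically diverge (ImageBase, AddressOfEntryPoint, section layout and section contents) and reports which of them disagree. The PE builder, the byte samples and the simplifying assumption that the in-memory copy is read back in file layout are all constructed for this example; a real memory-forensics tool would read the headers from the target's PEB and the sections at their virtual addresses.

```python
import hashlib
import struct


def build_pe(image_base, entry_point, text_bytes, section_name=b".text"):
    """Construct a minimal PE32 image (a constructed sample, not a real binary).

    Layout: 64-byte DOS header, 'PE\\0\\0', 20-byte COFF header, 224-byte optional
    header, one 40-byte section header, section data at file offset 0x200.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_point)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    raw_off = 0x200
    sec = struct.pack("<8sIIIIIIHHI", section_name, len(text_bytes), 0x1000,
                      len(text_bytes), raw_off, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sec
    image = bytearray(raw_off + len(text_bytes))
    image[:len(headers)] = headers
    image[raw_off:raw_off + len(text_bytes)] = text_bytes
    return bytes(image)


def parse_pe(image):
    """Extract the header fields a hollowing check compares (PE32 only)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    info = {
        "entry_point": struct.unpack_from("<I", image, opt + 16)[0],
        "image_base": struct.unpack_from("<I", image, opt + 28)[0],
        "sections": [],
    }
    off = opt + opt_size
    for _ in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        data = image[raw_ptr:raw_ptr + raw_size]
        info["sections"].append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
        off += 40
    return info


def hollowing_indicators(disk_image, memory_image):
    """Return the names of header/section fields where the mapped image differs
    from the on-disk file. An empty list means no hollowing indicator."""
    d, m = parse_pe(disk_image), parse_pe(memory_image)
    findings = []
    if d["image_base"] != m["image_base"]:
        findings.append("image_base")
    if d["entry_point"] != m["entry_point"]:
        findings.append("entry_point")
    if [s["name"] for s in d["sections"]] != [s["name"] for s in m["sections"]]:
        findings.append("section_layout")
    else:
        for ds, ms in zip(d["sections"], m["sections"]):
            if ds["sha256"] != ms["sha256"]:
                findings.append("section_hash:" + ds["name"])
    return findings


# Constructed samples: the on-disk file, and what a replaced image would look like.
LEGIT_IMAGE = build_pe(0x00400000, 0x1000, b"\x55\x8b\xec\x33\xc0\x5d\xc3")
HOLLOWED_IMAGE = build_pe(0x10000000, 0x1040, b"\xcc" * 7)
RENAMED_IMAGE = build_pe(0x00400000, 0x1000, b"\x55\x8b\xec\x33\xc0\x5d\xc3", b".data")

if __name__ == "__main__":
    print("unchanged :", hollowing_indicators(LEGIT_IMAGE, LEGIT_IMAGE))
    print("hollowed  :", hollowing_indicators(LEGIT_IMAGE, HOLLOWED_IMAGE))
    print("relayout  :", hollowing_indicators(LEGIT_IMAGE, RENAMED_IMAGE))
```

The ImageBase mismatch is the classic indicator because the replacement image is usually linked for a different base than the host executable; the entry point and section hashes catch cases where an attacker preserves the base. Relocation fix-ups and legitimate in-place patching (hooking engines, as discussed elsewhere in this thread) also change section bytes, so a section-hash mismatch on its own is weaker evidence than a changed base or layout.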
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi markloman

    Where can I download the test tool

    Thanks,

    Pete
     
  12. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    The Exploit Test Tool and Manual are included in the HitmanPro.Alert 3 CTP3 download: http://test.hitmanpro.com/hmpalert3ctp3.zip
    If you have any questions, be sure to consult the Manual first. It offers a lot of details and other useful information.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thank you sir.
     
  14. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    982
    No problems CTP3 and Firefox 32.0.1/Sandboxie beta 4.13.4 (W7 64 bits).
     
  15. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    No problems on Windows 7 Ultimate with Chrome 37.0.2062.120 m (64-bit).
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I have two questions:

1. Can additional applications be added to the ones already listed? It is finding stuff I have on board, but not some newer things like SMPlayer.

    2. I see protection doesn't activate until I activate the trial, which seems to be for Hitman Pro. How are the two linked, and does this mean one has to purchase Hitman Pro to use alert?
     
  17. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    2) Yes, you get both programs for the cost of Hitman Pro. Whenever HMP.A encounters an exploit, it will ask the user to run Hitman Pro. You can also use Hitman Pro as an on-demand scanner as usual without going via HMP.A.
     
  18. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
Yes, you can add other applications. For example, I have added 'ccleaner64.exe' to HMPA using the 'Other Mitigations' template :)

Run the application you want to be protected by HMPA.

    Then go to Exploit mitigations>Running applications>NOT PROTECTED

Click that application, choose the template which applies to the application, like Media Player for SMPlayer.

    Click Restart that application.

    Now the application would be protected by HMPA.
(attached screenshots: a.jpg, 1.jpg, 2.jpg, 3.jpg, 4.jpg)
     
    Last edited: Sep 13, 2014
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Hi WSFfan

    Thank you so much for that clear and illustrated explanation. Greatly appreciated.

    Pete
     
  20. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
Now you can see CCleaner in PROTECTED APPS, added to Exploit mitigations :)
(attached screenshots: 5.jpg, 6.jpg)
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,084
    Location:
    USA
    Any thoughts about which apps to add that are not automatically included?
     
  22. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    779
    Media Players, IMs.
     
  23. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
Any internet-facing apps like browsers, download managers, email clients, etc.
     
  24. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
You are welcome. :)
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,422
    Location:
    The Netherlands
    OK thanks, so in fact it is a bit different compared to standard "code injection". I do know that a lot of legitimate tools inject code, so it's a bit tricky to protect (non-expert users) against this without breaking stuff. I will try to test if other HIPS can spot this attack. :)
     