Interesting HIPS test:restore SSDT hooks

Discussion in 'other anti-malware software' started by a256886572008, Apr 12, 2008.

Thread Status:
Not open for further replies.
  1. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103

    Last edited: Apr 12, 2008
  2. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Defensewall wouldn't let it run. :D
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Another piece of crap BSOD generator. Didn't dislodge a single driver from the table.

    Script Kiddie wannabe garbage.

    Running Comodo D+ with EQS 4.0 Beta 2

    Sorry no cigar, try again later.
     
  4. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    Oh, Mj0011 is a famous Chinese hacker. :D
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I dunno who compiled this funny MFC file, but the only thing it does is generate a BSOD.

    Certainly no hacker with any real skills would have conceived this junk file.
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Needs some work. Just crashes here according to Dr. Watson after giving xx.exe permission to Simulate Keyboard/Mouse via ProSecurity 1.42. No PS hooks are removed. Tested on XP SP2, with and without the Microsoft Security Bulletin MS08-025 (KB941693) patch applied.

    Nick
     
    Last edited: Apr 13, 2008
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I highly doubt a compiled MFC file is going to have any muscle to dislodge simple HIPS hooking, as it requires some choice MS core mathematics to pull off such a feat to open Device\PhysicalMemory where there's a table sys in place to detect it.

    It would take more than this piece of kiddie mud to force a displacement that extreme.
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    This MJ011 character is a famous one, I can vouch for that. Unfortunately, it appears that his/her credentials are more amusing than they are impressive. :D
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Last edited: Apr 13, 2008
  10. Huberti

    Huberti Registered Member

    Joined:
    Apr 5, 2008
    Posts:
    2
    Yez ! This iz da bomB ! It will bypass **** HiPS !!! Ya Men !
     
  11. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Hmm,

    the program crashes with DefenseWall, or at least it does on my machine.

    Is this what is supposed to happen, stopping that program from running?

    At least I don't get the BSOD.
     
  12. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Hi YankinNCrankin

    Interested in your post comments.

    I did not know that Returnil had a HIPS. Is it a separate product, or is it included in the Virtual System software?

    If it's the latter, is it included in the free version?

    Thanks for your help

    TerryWood
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    OA 127, default mode

    First alert - block (we don't want this nasty to tamper with csrss.exe)
    Second - block (just in case of an attempt to infect the entry point)

    Then xx crashed. No BSOD.
     

    Attached Files: 1.gif, 2.gif (screenshots of the two alerts)
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    At mine one too.

    DW just stopped this program from SSDT unhooking; this caused a GPF.

    Yep, me too.
     
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    It should be stopped before BSOD. BSOD does mean it touched the SSDT, which is a fail.
     
  16. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    Could someone explain to me what the goal of this test is: interception of the unhook attempt, or testing whether a driver still hooks after this attack?

    Thank you for your answer

    regards,

    MaB
     
  17. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Preamble: I write without having had a look at this PoC yet.

    OK, this software should be able to restore the SSDT. And what of it?

    It's obvious it could. It makes use of a Win32k.sys vulnerability to execute code in kernel mode.

    I mean, a previous test was done to show some poor implementations of HIPS software that, under specified events, weren't blocking driver loading. And this is OK, it shows how to bypass HIPS software.

    This one makes use of a Windows vulnerability (already patched, btw).

    What does this test want to prove?
     
    Last edited: Apr 13, 2008
  18. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I think this test is about the ability to prevent unhooking. Once unhooking has happened, no technique can guarantee stability. Any code that has access to the SSDT can modify it, and cannot prevent others from modifying it. And once unhooking has happened, the unhooker knows the real addresses of the functions and can use them without the SSDT. So even in case the HIPS restores the SSDT, it is bypassed by the malicious code.
     
    Last edited: Apr 13, 2008
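    alex_s's point, that restoring the SSDT after an unhook does not help because the unhooker already holds the real service addresses, can be checked in a small model. The following C program is an added example, not code from this thread or from any HIPS product. It models the dispatch table as a user-mode array of function pointers with hypothetical service routines (svc_open, svc_write), a constructed deny policy in the hook, and a HIPS-style integrity check (hips_hook_intact, hips_repair), so that the detect-and-repair outcome can be run and compared against a direct call around the hook:

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the SSDT: a table of pointers to service routines.
 * The real table lives in the kernel; this user-mode model only reproduces the
 * dispatch-and-hook logic so the argument can be checked by running it. */
enum { SVC_OPEN = 0, SVC_WRITE = 1, SVC_COUNT = 2 };

typedef int (*service_fn)(int arg);

/* Hypothetical service routines standing in for real kernel services. */
static int svc_open(int arg)  { return arg + 100; }
static int svc_write(int arg) { return arg * 2; }

static service_fn table[SVC_COUNT] = { svc_open, svc_write };

/* The HIPS hook for SVC_WRITE: keeps the original pointer, applies a policy,
 * and forwards allowed calls. Constructed policy: negative arguments are denied. */
static service_fn original_write = NULL;
static int denied_count = 0;

static int hooked_write(int arg)
{
    if (arg < 0) {
        denied_count++;
        return -1;
    }
    return original_write(arg);
}

/* Install the hook; returns 1 if it was installed, 0 if already present. */
int hips_install(void)
{
    if (table[SVC_WRITE] == hooked_write)
        return 0;
    original_write = table[SVC_WRITE];
    table[SVC_WRITE] = hooked_write;
    return 1;
}

/* Integrity check a HIPS could run periodically: is our hook still in the table? */
int hips_hook_intact(void)
{
    return table[SVC_WRITE] == hooked_write;
}

/* Put the hook back if the table was tampered with; returns 1 if a repair was needed. */
int hips_repair(void)
{
    if (hips_hook_intact())
        return 0;
    table[SVC_WRITE] = hooked_write;
    return 1;
}

/* Dispatch through the table, the way the kernel reaches a service. */
int syscall_dispatch(int idx, int arg)
{
    return table[idx](arg);
}

/* The situation alex_s describes: the table entry is written back to its
 * original pointer (the hook is gone), the HIPS notices and repairs it, but
 * whoever restored the table has already learned the real address and calls
 * it directly, so the policy never runs on that path. Returns 1 when the
 * model shows exactly that outcome. */
int scenario_bypass_after_repair(void)
{
    hips_install();
    service_fn real_write = original_write;   /* what an unhooker learns */
    table[SVC_WRITE] = real_write;            /* table restored, hook removed */
    int repaired = hips_repair();             /* HIPS detects and re-hooks: 1 */
    int via_table = syscall_dispatch(SVC_WRITE, -3);  /* policy applies: -1 */
    int direct = real_write(-3);              /* no policy on this path: -6 */
    return repaired == 1 && via_table == -1 && direct == -6;
}

int main(void)
{
    printf("hook installed: %d\n", hips_install());
    printf("bypass after repair reproduced: %d\n", scenario_bypass_after_repair());
    printf("hook intact at end: %d, denied calls: %d\n", hips_hook_intact(), denied_count);
    return 0;
}
```

    The repair succeeds and the hook is intact at the end, yet the direct call still returned -6 instead of -1. That is the defender's takeaway from this thread: a table integrity check only catches the modification after the fact, so the prevention has to happen before the table is touched (blocking the injection or the kernel-mode execution), which is what the posters who saw an alert rather than a BSOD are describing.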
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    It's definitely a joke file, come on and be real.

    Oh, BTW, since I research far worse system file modifiers on a regular basis, it doesn't matter if it sneaks in a remote thread or handle here or there.

    The main premise is that IT FAILED! Period! Although I will admit nothing alerted at the time (at least not Comodo D+), because at the time I'd been fine-tuning SuRun and wasn't even really sure EQS was active when this gunker came up in the post, but I tried it just for the giggles I knew it would be.

    So to refute, it DID NOT dislodge either Comodo's D+ or EQS table hooks, if that ever was the intention in the first place.

    It just immediately BSODed and the SSDT hooks remained unmoved. I checked with RKU and other table viewers. LoL

    SDTRestore, for one, is a truly coded unhooker, as are a number of other foul unhookers I keep samples of, and none of them blue screen but quietly either displace hooks or return them to defaults.

    So this only reminds me of an old April Fools' joke.

    And so solcroft is spot on because he's right, it's more amusing than anything else.
     
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Never heard of this guy his fame seems to be pretty limited. :D
     
  21. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    OK, you may regard it this way. But actually a BSOD does mean that code was injected and the SSDT was modified. A BSOD is a result of wrong code either in xx or in the HIPS. But a HIPS that allows a usermode program to cause a BSOD is not a HIPS actually, in case it is "by design" behaviour. In any case and under any criteria this is at least a definite DoS. And you could see that other HIPS prevented xx from touching the SSDT, so this is possible and not too difficult.
     
    Last edited: Apr 13, 2008
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Code was not injected, my friend, but REJECTED!, hence the Windows purpose of the fatal exception error or BSOD.

    To put it mildly, when it touched the sys driver in the table, that interaction was immediately interpreted by, I assume, Windows itself, so while a case might be made that the HIPS didn't force the exception, certainly Windows did, and rightly so.

    To inject or insert directly would mean to REPLACE or DISPLACE the item, or even add to the sys file already in position, if even the default Windows ntoskrnl.exe.

    Neither happened, as it was immediately reflected on attempt = BSOD = Safe!
     
  23. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Seems you do not understand some basic things. Usermode code (ring 3) cannot produce a BSOD by definition. Only kernel code (ring 0) can. This example was able to modify the data or inject code that either affected the SSDT or was executed in ring 0. In both cases this is a fail of the HIPS (and also of the OS, but HIPS are there to fix OS holes).

    As for BSOD == Safe: I strongly deny this idea. A BSOD has unpredictable results; it may corrupt the whole system.
     
    Last edited: Apr 13, 2008
  24. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Allowed the 1st alert and got the 2nd alert, which I blocked, and nothing got loaded. Returnil V 2.1.0.5826 passes. Returnil's HIPS is pretty cool, nice and simple.

    Allowing the program to run completely without blocking results in a BSOD for me; I guess that would be the intended result.
    I have yet to come across a test that can bypass a HIPS alert silently, mainly the 1st stage, which is obviously execution allowed.
     
     
    Last edited: Apr 14, 2008
  25. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Returnil has HIPS? o_O
     