Interesting HIPS test:restore SSDT hooks

http://bbs.kafan.cn/viewthread.php?tid=233954

You can download this program from the folowing url.

http://www.divshare.com/download/4237917-764

 

Defensewall wouldn't let it run.

 

Another piece of crap BSOD generator. Didn't dislodge a single driver from the table.

Script Kiddie wannabe garbage.

Running Comodo D+ with EQS 4.0 Beta 2

Sorry no cigar, try again later.

 

oh, Mj0011 is a famous chinese hacker.

 

I dunno who compile this funnyness MFC file but the only thing it does is generate a BSOD.

Certainly no hacker with any real skills would have conceived this junk file.

 

Needs some work. Just crashes here according to Dr. Watson after giving xx.exe permission to Simulate Keyboard/Mouse via ProSecurity 1.42. No PS hooks are removed. Tested on XP SP2, with and without the Microsoft Security Bulletin MS08-025 (KB941693) patch applied.

Nick

 

I highly doubt a compiled MFC file is going to have any muscle to dislodge simple HIPS hooking as it requires some choice MS core mathmatics to pull off such a feat to opening Device\Physical Memory where theres a table sys in place to detect it.

It would take more then this piece of kiddie mud to force such a dispacement that extreme.

 

This MJ011 character is a famous one, I can vouch for that. Unfortunately, it appears that his/her credentials are more amusing than they are impressive.

 

Uuuhm.. How does this bypass HIPS?
Run it... ZA OS firewall warned about and killed it...
No BSOD

Missing something?

Cheers,
Fax

 

Yez ! This iz da bomB ! It will bypass **** HiPS !!! Ya Men !

 

hmm,

the program crashes with defensewall, or at least it does on my machine.

is this what is supposed to happen, stop that program from running?

at least i dont get the BSOD.

 

Hi YankinNCrankin

Interested in your post comments.

I did not know that Returnil had a HIPS. Is it a separate product, or is it included in the Virtual System software?

If its the latter is it included in the free version?

Thanks for your help

TerryWood

 

OA 127, default mode



First alert - block (we don't want this nastie to tamper csrss.exe)
Second - block (just in case of attempt to infect entry point)

Then xx crashed. No BSOD

 

At mine one too.

DW just stopped this program from SSDT unhooking- this caused GPF.

Yep, me too.

 

It should be stopped before BSOD. BSOD does mean it tauched SSDT, which is fail.

 

Hi,

Could someone explain me what is the goal of this test : interception of the unhook attempt or test if a driver still hook after this attack ?

Thank you for your answer

regards,

MaB

 

Preamble: I write without having had a look at this PoC yet.

Ok, this software should be able to restore SSDT. And what with it?

It's obvious it could. It makes use of Win32k.sys vulnerability to execute code in kernel mode.

I mean, a previous test has been done to show some poor implementations of HIPS softwares that, under specified events, weren't blocking drivers loading. And this is ok, how to bypass HIPS softwares.

This one makes use of a Windows vulnerability (already patched, btw).

What does this test want to prove?

 

I think this test is about ability to prevent unhooking. Once unhooking happened no technique can guarantee stability. Every code that has access to SSDT can modify it and cannot prevent others from modifying it. And once unhooking happened unhooker knows the real addresses of functions and can use them without SSDT. So even in case HIPS restores SSDT it is bypassed by maliciouse code.

 

It's definitely a joke file, come on and be real.

Oh, BTY, since i research on a regular basis far worse system file modifiers it doesn't matter if it sneaks in a remote thread or handle here or there.

The main premise is that IT FAILED! Period! Although i will admit nothing alerted at the time (At Least Not Comodo D+) because at the time i been fine tuning SuRun and not even relly sure EQS was active when this gunker come up in post but i tried it just for the giggles i knew it would be.

So to refute, it DID NOT dislodge either of Comodo's D+ or EQS Table Hooks if that ever was the intention in the first place.

It just immediately BSOD and SSDT Hooks remained unmoved. I checked with RKU and other table viewers. LoL

SDTRestore for one is a true coded unhooker as is a number of other foul unhookers i keep samples of, and none of them Blue Screen but quietly either displace hooks or return them to defaults.

So this only remind me of an old April's Fool joke.

And so solcroft is spot on because he's right, it's more amusing then anything else.

 

Never heard of this guy his fame seems to be pretty limited.

 

OK, you may regard it this way. But actully BSOD does mean that code was injected and SSDT was modified. BSOD is a result of wrong code either in xx or in HIPS. But HIPS that allows usermode program to cause BSOD is not HIPS actually in case it is "by design" behaviour. In any case and under any criteria this is at least definite DOS. And you could see that other HIPS prevented xx from touching SSDT, so this is possible and not too difficult.

 

Code was not injected my friend but REJECTED!, hence the Windows purpose of fatal exception error or BSOD.

To put it mildly, when it touched the sys driver in the table that interaction was immediately interpreted by i assume Windows itself, so while a case might be made that the HIPS didn't force the exception, certainly Windows did and rightly so.

To inject or insert directly would mean to REPLACE or DISPLACE the item or even add to the sys file already in position if even the default Windows ntoskerl.exe

Neither happened as it was immediately reflected on attempt = BSOD = Safe!

 

Seems you do not understand some basic things. Usermode code (ring 3) cannot produce BSOD by definition. Only kernel code (ring 0) can. This example was able to modify the data or inject a code that affected either SSDT or was executed in ring 0. In the both cases this a fail of HIPS (and also OS, but HIPS are there to fix OS holes).

As for BSOD == Safe. I strongly deny this idea. BSOD has unpredictable results, it may corrupt the whole system.

 

Allowed 1st Alert and got the 2nd Alert I blocked and nothing got loaded Returnil V 2.1.0.5826 passes. Returnils HIPS is pretty cool, nice and simple.

Allowing the program to run completely without blocking results in BSOD for me, I guess that would be the intended result,
I have yet to come across a test that can bypass a HIPS Alert silently mainly the 1st stage which is obvious execution allowed.

 

Returnil has HIPS