SSM dll allerts are not appropriate?

Discussion in 'other anti-malware software' started by aigle, Apr 13, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have to post this thread on syssafety forums but I am also posting it here, just for the sake of discussion. I want to have ur opinions about this.I know many of SSM users are here and also those who are using other HIPS.

    I have a concern about dll alerts from SSM.

    1- Say a process A injects a dll into process B. The pop up alert from SSM in this case, does indicate dll injection by process A but it does not tell the name of process into which the dll is injected( Process B). While other HIPS like ProSecurity, ZoneAlarm Pro( and probably Kaspersky,s proactive modules) give clealy the name of the process into which the dll is being injected. See the Pics here.
     

    Attached Files:

    • ssm.jpg
      ssm.jpg
      File size:
      100.9 KB
      Views:
      13
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    2- There is no specific alert about a Global hook( dll injection into multiple processes). The alert in this case is the same as u get for a dll injection into a single process. While some other HIPS clearly mention a Global Hook. See the pic here.

    I am using free version but it is true of both free and pro version. What are ur views about this. Am i missing something here?
     

    Attached Files:

    Last edited: Apr 13, 2007
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have posted it to syssafety forums as well. It,s weired that I have login problems there since many weeks.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, I am still awaiting for some reponses from HIPS users. Thanks
     
  5. wat0114

    wat0114 Guest

    Hi aigle,

    I have responded in the SSM thread you posted here

    I would say you have a valid point.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for the response wat! I have uploaded ur pic locally.

    I am not sure though as in ur case it clearly states a global hook, so no question of processes as it,s a global hook. Now my conclusion is that SSM pro does differentiate global hooks from hook into a single process while free version does not.( I may have to confirm it by installing SSM Pro).
    My second point is still valid that in case of dll injection into a single process, SSM Pro and free both do not tell the name of process into which dll is injected.
     

    Attached Files:

    • 1.jpg
      1.jpg
      File size:
      71.2 KB
      Views:
      275
    Last edited: Apr 22, 2007
  7. wat0114

    wat0114 Guest

    You are right about the global hook alert. That is an oversight on my part :oops: However, I can not reproduce the alerts you indicate in your first few posts where an application wants to attach a module into "some started processes". It is as though SSM Pro only alerts to global hooks. I even tried running the AKLT.exe that alerted you to the process hooking, but I did not get any such alerts. I have tried removing all existing dll's under Rules | Library, then tried opening/closing applications, logging off/on, but I only get the "global hook" alerts. So I'm puzzled here. If I come across "started process" dll alerts, I will let you know. I'm using the Beta: 2.4.0.618
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi wat, I am sure it is the difference of free and pro version.
     
  9. herbalist

    herbalist Guest

    Is this the alert you're asking about? This is taken from the free version.
    dll injection.gif
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, I installed SSM Pro 2.3.0.612 to see and the things are more confusing now.
    In case of RoboForm task bar icon, SSM Pro warns it as a global hook while all other HIPS like PS, ZAP and KAV PDMs and even NeovaGuard say it as a dll injection/ hook into a specific victim process( IEPLORER.EXE)). I am not aware of the dll injection etc but I am now thinking either alert from SSM is wrong or from other HIPS is wrong. BTW comodo firewall also detects global hooks into browsers and here there was no popup from comodo about a global hook into IE so I can say Comodo FW also takes it as a non-global hook( if there is such a term!).
    Unfortunately I have no other example for a specific hook into a process. Most dll alerts I get are of a global hook type. I tried to find any other process with such a behaviour but failed. Ad-Muncher dll injection screen shot that u have posted is indeed a global hook as I tried it with NeovaGuard.

    About AKLT alert, u will not get a global hook alert with SSM Pro as here they have hanged this type of global hook into keyboard hook/ low level keyboard access( that,s indeed a good feature as it allows recognition of keyloggers etc and I really like it).

    I will wait and see what is the opinion of some experts here. Anyone with a real explanation?
     

    Attached Files:

    • 1.jpg
      1.jpg
      File size:
      84.4 KB
      Views:
      4
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, here is another example of dll injection/ hook into a specific process. It,s Toshiba Power Saver on my laptop. Again SSM Pro labels it a global hook while Neova Guard labels it as a specific hook into explorer.exe( I can,t take snapshot of NG alerts). As before, SSM free alerts just as a dll injection into some started processes.
     

    Attached Files:

    • 2.jpg
      2.jpg
      File size:
      88.5 KB
      Views:
      4
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Pls see my posts above.
    BTW when do u get this alert? I have got it but don,t remember now.
     
  13. herbalist

    herbalist Guest

    Both windows explorer and Internet Explorer use that dll whenever you use the file menu. You can cause that particular alert to appear a couple of different ways.
    If you have a separate library rule for browseUI.dll, (I'm assuming that XP uses that file for the same things 98 does) on the advanced screen, set the default actions source to "Ask" and leave question marks in the boxes (uses default setting) for explorer.exe and iexplore.exe.
    browseUI.dll rule.gif
    You can accomplish the same thing by opening the advanced properties screen for explorer.exe, libraries tab. Set the default action to "ask" and leave a question mark for browseUI.dll.
    explorer libraries.gif
    If you don't have a separate library rule for browseUI.dll, set the default library setting for explorer.exe to "ask" and you'll be prompted to make one soon enough. I allow both explorer.exe and Iexplore to use this library as the file menus won't work otherwise. Everything else has to ask. On my box, nothing else has wanted to.
    Rick
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    SSM does not stop/block an application from being injected into (such as global hook) it will only intercept an application that is attempting to do this.

    From the help file:
    inject.JPG

    If protection was in place to prevent "global hook(injection)" into a process/application, then there would be a popup for each application that the dll was attempting to be injected into (as with some other HIPS)
     
    Last edited: Apr 23, 2007
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Stem, that is correct. I am not complaining thais, as it is OK wth global hook.
    My complaints are:
    SSM Pro: Does not differentiate between global and non-global hooks, it takes non-global hooks as global.( hoook/ dll injection into a single process-- see snapshot of Roboform taskbar icon injecting into IEXPLORE.EXE-- it takes it as global hook while it is not!) When it takes it as global hk, there is no question of telling the victim process name.

    SSM Free: Does not diferentiate between global and non-global hooks( all popups are same--" dll injection into some processes"). It too does not tell the victim process name in case of non-global hook( again probably due to the fact that it takes all hooks as global though it does not state that in the popup).

    I hope I am able to make my point clear. If u see the snapshots it will be easily understood.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I will cheack it later and then tell u about my findings especially comapring NG and SSM.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I removed the rules for browesui.dll, explorer.exe and iexplore.exe, executed IE and used file menue, I replied all popups as allow once but inspite of that while using file menue I don,t get any dll alert from SSM free. Seems another bug, very strange. I even tried by adding browseui.dll and changed its rule to ask user( for all applications) and specifically for IE.( BTW by default SSM free allows browseui.dll injection).

    So I am not getting at all any bowseui.dll alert about with SSM free and that seems a new bug! ProSecurity is giving the alert about this. Do I need another thread on their forums? I am using XP SP2. Can some body confirm it on XP SP 2?
     

    Attached Files:

    • 1.jpg
      1.jpg
      File size:
      117.5 KB
      Views:
      4
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi aigle,
    I can see your point, but as I see this, it is an injection(hook) of a library file, if this library injection is global or to single process, the protection/option avalable is the same. Although I agree that the info should be more acurate, I do not think this will be possible by SSM untill it takes more control of the loading/monitor of dll`s into process. (I am still awaiting this from their "todo" list (possible addition))

    default rules of SSM do allow windows libraries to be injected. This was explained as "it reduces popups" if I remember correctly.
    I personally have never been a fan of default "Allow rules" or "hard_coded rules", as you may of seen,
     
  19. wat0114

    wat0114 Guest

    Hi aigle,

    try the same thing with shell32.dll, then open IE and go to File | Menu. I'm using SSM Pro and I'm alerted but only that it's a global hook. It does look as though SSM states everything as a global hook and does not specify the target process, only the source process trying to inject the dll, as Stem describes.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This is another windows library
    I think is it basically because SSM intercepts the applications attempt to do this, not a block against the app being injected (so SSM simply does not check/know the app(s) being (attempted) injection)
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No problem with shell32.dll. It,s injection is allowed by default as well I think( not sure). I removed its rule and I do get alert about it from SSM. It,s indeed a global hook as confirmed by NeovaGuard and ProSecurity.
    That,s not a good thing in my opinion. Why it,s lagging behind PS, NG, KAV PDM and ZAP in this regard.

    Wat! Are u able to get alert about browseui.dll? I am going to post it there as well.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am happy that I was able to clear my point. I am insisting on this due to two reasons. First, it gives u a good info what is going on ur system. Secondly, I think there is some thing in my sub-concious, it was long ago when one of my friends PC was full of spywares and despite using few scanners and cleaning multiple malwares, IE home page was still hijacked and brwosing was impossible. I installed ZAP and it instantly gave a popup that something was trying to inject code into IE( I was a real nobe that time but a popup that something is injecting code into a hijacked browser looked nasty to me, I ofcourse disallowed it and all of sudden the browser was free of hijack. So I have a feeling that dll injection into a specific process( say browser) must be differentiated from global dll injections.
    In that case I will say that it,s rather srange. SSM is under development long before SP and still lags behind it atleast in this regard.
    I personally don,t mind this but problem is that I am not getting popup about browseui.dll injection even after changing default rules.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmmm.... Stem, I am not sure as I have no real knowledge about these things.
    Only syssafety team or some other HIPS developer can confirm it.

    Still there is no official response on their forums.
     
  24. herbalist

    herbalist Guest

    Found this at the Delphi programming library.
    FYI, global hooks don't always require a DLL. Example.
    A good explanation of DLL injection at Wikipedia.
    There are differences in the alerts the free version of SSM displays. I definitely agree they could have done better, especially with their loose usage of the term "global hook". The available options in the drop box changes. A couple of examples with drop boxes expanded.
    View attachment 189321 View attachment 189322 View attachment 189323
    On the options tab, for applications-program behavior, which setting are you using, "Block process creation" or "Block everything"? I'm pretty sure that SSM doesn't automatically make library rules in the "block process creation" behavior as they're allowed by default on that setting. I'm checking on a clients XP box tomorrow that has SSM free installed on it, using the paranoiac setting. I'll see if that one has rules for those DLLs.

    The approach of intercepting the injection/hooking at the source instead of the target is the same one used in the parent-child settings in paranoiac setting. The default parent setting is "Ask" while the default child setting is "Allow", the source of the injection being the equivalent of the parent process. Personally, I'd like to be able to specify what can use each DLL individually, but this would be more of a control preference than an actual security enhancement. IMO, having control over the potential targets of injection/hooking wouldn't add much more protection when you already have control over the sources. It definitely would increase the probability of a user mis-configuring something and causing themselves major problems.
    Rick
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi herablist, these options of SM free are only for disconnected GUI and not for normal or learning mode. It is clear from the GUI( see the snapashot). It has been confirmed by syssafety here, if u can remember

    https://www.syssafety.com/forum/viewtopic.php?t=407&sid=korfuf8hjrgpkkgpn7onfvhol6

    U can confirm it- if u only opt for Block process creation and disconnect GUI, SSM will not stop other actions except new process creations but if u opt for Block everything, it will stop every action that is not in the rules.( It needs a separate discussion thread).

    Anyway I used both options and resluts are same.

    Ok, now I have tried my best but could never got a popup for browseui.dll injection for IE or explorer.exe on XP SP2. So I assume that SSM free allows this dll injection by default irrespective of the rules u make for it.
     

    Attached Files:

    • a.jpg
      a.jpg
      File size:
      81.2 KB
      Views:
      146
Thread Status:
Not open for further replies.