VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I do not believe this is possible with a macro... but I would be happy to be corrected if I am wrong. I cannot imagine that MS would let such dangerous calls happen in a macro, but I could be wrong.

    For the record, I am not a paid staff member of VS either ;).
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Dan I am still in your corner even though the want to get paid for bug hunters left.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    As soon as we receive our CIA funding, I will be happy to compensate the bug hunters ;). Hehehe ;).
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    ;)
    I totally understand how the CIA and DARPA operate.;)
     
  5. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    502
    Location:
    UK
    I have installed 355b3 and so far my start menu and search is working ok.

    I will report back if these essential parts of my Win 10 system fail again as was the case with 355b2.
     
  6. mWave

    mWave Guest

    I looked into it more and you can do it, in fact that is how VBA has support for things like "MsgBox", it leads back to user32.dll!MessageBoxA/W for example.

    You own it? Therefore you get paid for your work? I was not "complaining", just stating that I wasn't going to spend time doing it because I do have other priorities.

Anyway, if you are not sure about ObRegisterCallbacks, I did write a thread here before I requested my account to be removed a while back: https://malwaretips.com/threads/av-self-protection-process-c-c.66200/ - could be useful to you.

    ^^ You'll need to modify it a bit:
    1. Support OB_OPERATION_HANDLE_DUPLICATE as well.
    2. Support PsThreadType for both OB_OPERATION_HANDLE_CREATION and OB_OPERATION_HANDLE_DUPLICATE.
    3. Fix IOCTL support to retrieve the PID sent so you can store it in a local variable and protect only your processes.

    But that wouldn't take long, 30mins maximum probably. Maybe the info on that thread is useful to you, idk.

    Bear in mind that ObRegisterCallbacks will protect your processes but not the driver from being unloaded.
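The three modifications listed above (filtering OB_OPERATION_HANDLE_DUPLICATE as well as handle creation, covering PsThreadType in addition to PsProcessType, and protecting only the PIDs the user-mode service sends down via IOCTL) can be exercised outside the kernel. The block below is an added, user-mode C model of an ObRegisterCallbacks pre-operation filter; it is not VoodooShield's driver and not the code from the linked thread. The access-right bit values and the OB_OPERATION_HANDLE_CREATE / OB_OPERATION_HANDLE_DUPLICATE constants are the ones in the Windows SDK/WDK (note the WDK name is OB_OPERATION_HANDLE_CREATE); everything prefixed `ex_` (the struct, the protected-PID table, the IOCTL stand-in) is an assumption made for the example.

```c
/* User-mode model of an object-callback pre-operation filter (added example,
 * not VoodooShield's driver). ex_* names are assumptions for this model. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Windows SDK/WDK constants (real values). */
#define OB_OPERATION_HANDLE_CREATE     0x00000001u
#define OB_OPERATION_HANDLE_DUPLICATE  0x00000002u

#define PROCESS_TERMINATE              0x0001u
#define PROCESS_CREATE_THREAD          0x0002u
#define PROCESS_VM_OPERATION           0x0008u
#define PROCESS_VM_WRITE               0x0020u
#define PROCESS_DUP_HANDLE             0x0040u
#define PROCESS_SUSPEND_RESUME         0x0800u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u

#define THREAD_TERMINATE               0x0001u
#define THREAD_SUSPEND_RESUME          0x0002u
#define THREAD_SET_CONTEXT             0x0010u
#define THREAD_SET_INFORMATION         0x0020u
#define THREAD_QUERY_INFORMATION       0x0040u
#define THREAD_SET_THREAD_TOKEN        0x0080u
#define THREAD_IMPERSONATE             0x0100u
#define THREAD_DIRECT_IMPERSONATION    0x0200u

/* Rights that let another process tamper with (kill, inject into, suspend)
 * a protected process or one of its threads. Read/query rights are kept so
 * Task Manager, AV scanners and diagnostics still work. */
#define EX_PROCESS_DENY_MASK (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
    PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | \
    PROCESS_SUSPEND_RESUME)
#define EX_THREAD_DENY_MASK (THREAD_TERMINATE | THREAD_SUSPEND_RESUME | \
    THREAD_SET_CONTEXT | THREAD_SET_INFORMATION | THREAD_SET_THREAD_TOKEN | \
    THREAD_IMPERSONATE | THREAD_DIRECT_IMPERSONATION)

enum ex_object_type { EX_OBJ_PROCESS, EX_OBJ_THREAD };

/* Stand-in for OB_PRE_OPERATION_INFORMATION: the fields the filter needs. */
typedef struct {
    uint32_t operation;          /* OB_OPERATION_HANDLE_CREATE or _DUPLICATE */
    enum ex_object_type object_type;   /* PsProcessType or PsThreadType */
    uint32_t target_pid;         /* process being opened, or thread's owner */
    uint32_t requester_pid;      /* process asking for the handle */
    uint32_t desired_access;     /* in/out, like DesiredAccess in the params */
} ex_pre_operation;

/* Protected-PID table, filled by the IOCTL stand-in below (assumption). */
#define EX_MAX_PROTECTED 8
static uint32_t ex_protected_pids[EX_MAX_PROTECTED];
static size_t   ex_protected_count;

/* Models the IOCTL handler: the user-mode service sends its own PID so the
 * driver filters only those processes, not every process on the box. */
int ex_ioctl_protect_pid(uint32_t pid) {
    if (pid == 0 || ex_protected_count >= EX_MAX_PROTECTED) return -1;
    ex_protected_pids[ex_protected_count++] = pid;
    return 0;
}

static int ex_is_protected(uint32_t pid) {
    for (size_t i = 0; i < ex_protected_count; i++)
        if (ex_protected_pids[i] == pid) return 1;
    return 0;
}

/* The pre-operation callback model. Handles CREATE and DUPLICATE identically
 * (a duplicate of a full-access handle is as dangerous as a fresh open) and
 * both object types. Returns the access mask left after filtering. */
uint32_t ex_pre_operation_callback(ex_pre_operation *info) {
    if (info->operation != OB_OPERATION_HANDLE_CREATE &&
        info->operation != OB_OPERATION_HANDLE_DUPLICATE)
        return info->desired_access;          /* unknown op: leave untouched */
    if (!ex_is_protected(info->target_pid))
        return info->desired_access;          /* not ours: leave untouched */
    if (info->requester_pid == info->target_pid)
        return info->desired_access;          /* a process opening itself */
    uint32_t deny = (info->object_type == EX_OBJ_PROCESS)
                    ? EX_PROCESS_DENY_MASK : EX_THREAD_DENY_MASK;
    info->desired_access &= ~deny;
    return info->desired_access;
}

int main(void) {
    ex_ioctl_protect_pid(1234);               /* constructed sample PID */
    ex_pre_operation open = { OB_OPERATION_HANDLE_CREATE, EX_OBJ_PROCESS,
                              1234, 4321, 0x1FFFFFu };
    printf("process open after filter: 0x%06X\n", ex_pre_operation_callback(&open));
    ex_pre_operation dup = { OB_OPERATION_HANDLE_DUPLICATE, EX_OBJ_THREAD,
                             1234, 4321,
                             THREAD_TERMINATE | THREAD_SET_CONTEXT | THREAD_QUERY_INFORMATION };
    printf("thread duplicate after filter: 0x%04X\n", ex_pre_operation_callback(&dup));
    return 0;
}
```

In a real driver the same decision runs inside the callback registered with ObRegisterCallbacks, where the PID comes from PsGetProcessId on the object (or PsGetThreadProcessId for a thread) and kernel-mode requesters are normally skipped; and, as the post notes, this protects the processes only, so the driver's own unload path needs separate handling.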
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    No, you are not already infected, I promise ;).
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you for the info. I am sure everyone is just as tired of talking about this topic as I am, so I think we should move on.
     
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    I agree. It is pointless!
     
  10. VecchioScarpone

    VecchioScarpone Registered Member

    Joined:
    Aug 29, 2015
    Posts:
    343
    Location:
    Down Under the Southern Cross
    #15168

    +1
    for crying out loud, let the man do his job.
     
    Last edited: Mar 22, 2017
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    I just allowed a Windows Cumulative Update a short time ago. ;)

    [03-23-2017 08:16:23] [DEBUG] - DriverCommunicationService::Client disconnected
    [03-23-2017 08:16:24] [ERROR] - VoodooShield has entered self-protection mode. | C:\Program Files\VoodooShield\Notify.exe | C:\Program Files\VoodooShield\VoodooShieldService.exe | True | False
    [03-23-2017 08:16:27] [ERROR] - VoodooShield has entered self-protection mode. | C:\Program Files\Ruiware\WinAntiRansom\WARgk.exe | C:\Program Files\Ruiware\WinAntiRansom\WARSvc.exe | True | False
    [03-23-2017 08:16:32] [ERROR] - VoodooShield has entered self-protection mode. | C:\Program Files\Ruiware\WinAntiRansom\WARgk.exe | C:\Program Files\Ruiware\WinAntiRansom\WARSvc.exe | True | False
    [03-23-2017 08:16:32] [ERROR] - VoodooShield has entered self-protection mode. | C:\Program Files\Ruiware\WinAntiRansom\WARgk.exe | C:\Program Files\Ruiware\WinAntiRansom\WARSvc.exe | True | False
    [03-23-2017 08:16:32] [ERROR] - VoodooShield has entered self-protection mode. | C:\Program Files\Ruiware\WinAntiRansom\WARgk.exe | C:\Program Files\Ruiware\WinAntiRansom\WARSvc.exe | True | False
    [03-23-2017 08:16:33] [ERROR] - VoodooShield has entered self-protection mode. | C:\WINDOWS\system32\wuauclt.exe | C:\Windows\System32\svchost.exe | True | False
    [03-23-2017 08:27:26] [ERROR] - VoodooShield has entered self-protection mode. | C:\WINDOWS\system32\vssvc.exe | | True | False
    [03-23-2017 08:27:26] [ERROR] - VoodooShield has entered self-protection mode. | C:\WINDOWS\System32\svchost.exe | | True | False
    [03-23-2017 08:27:31] [ERROR] - VoodooShield has entered self-protection mode. | C:\WINDOWS\System32\poqexec.exe | C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1051_none_7f2bf7ea21d201b2\TiWorker.exe | True | False
    [03-23-2017 08:28:05] [ERROR] - VoodooShield has entered self-protection mode. | C:\Program Files (x86)\Panda Security\Panda Security Protection\PSNCSysAction.EXE | C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe | True | False
    [03-23-2017 08:29:05] [INFO ] - User Log Initialized
    [03-23-2017 08:29:05] [INFO ] - Snapshot file Initialized
    [03-23-2017 08:29:05] [INFO ] - Service started
    [03-23-2017 08:29:05] [INFO ] - Driver communication service started
    [03-23-2017 08:30:11] [DEBUG] - DriverCommunicationService::Connect 10 threads
    [03-23-2017 08:30:11] [DEBUG] - DriverCommunicationService::Enter main loop
     
  12. plat1098

    plat1098 Guest

    @SHvFI: re: post 15151. It would be a dumb business move to ignore even the slightest demonstrated possibility that a software could be disabled, now and in the future. "Oh, this is so unlikely, don't worry about it" --so irresponsible. Unreal expectations of VS and its inherent limits. So there's your HIPs/behavior blocker to step in in case you allow something hidden and nasty.. Or not. The vast majority of bypasses are user-initiated. That is the user's fault. But I support the bolstering of software for targeted intrusions, even if they are extremely unlikely to occur right now to you. If anything, it's an investment in averting the possibilities.
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you for letting me know... see we are getting there!!! BTW, the [ERROR] does not mean anything at all... I can change that, it is supposed to say [INFO ]. But that looks great!
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I completely agree... besides, the difficult part is over. Now all we have to do is find the last couple of blocks of vital processes that need to be excluded, assuming that there are any more. And they are super easy to add. If you ask me, if we can wrap this entire feature up in a matter of 2 weeks, I think we did alright ;).
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Dan, it is all gobbledygook to me...But, as long you are happy, I am happy. :)
     
  16. Ripcord

    Ripcord Registered Member

    Joined:
    Jun 18, 2011
    Posts:
    118
    Have there been any reports of conflicts w/ Hitman Pro.Alert... Since I've installed Voodoo Shield I can no longer run scans w/ Hitman Pro.Alert; scans fail to run. Tx

    G Data Internet Security..Fire Wall high security,Key Logger and Exploit protection turned off.
    Hitman Pro. Alert
    VoodooShield
     
  17. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    With my Sig-free config, HMP.A is a staple as is VoodooShield and I have never had an issue.
    Something else is the cause, but you can try uninstalling VS to test your theory.
     
  18. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    If the GUI could just restart, that would be the preferred solution IMO.
     
  19. guest

    guest Guest

    Come on Dan... are you serious with this comment? Of course he clicked "allow" to "simulate" a bypass of VS monitoring (which may happen)... so he could test the self-protection.
    People advised you some methods to implement the S-P (self-protection) properly; you don't like the method, and that is fine, but don't throw "the malware must bypass VS first" at them. You started the S-P implementation especially because of the video.

    100% agree on this point. Self-protection is about accepting the idea that the product can be bypassed; if not, then basically 10 pages for nothing, a lot of work for you for nothing, wasted time for everybody.
    So just drop the S-P concept and rather focus on something else worth your time.

    There is not much to say: either you implement it, which is good for the product (if made properly, based on the feedback you received), or you don't do it, which will change nothing from an average user's point of view.
     
  20. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    My 2p - form an alpha test team (10 should be enough) out of some of the people who know (not me) and pass ideas and beta software to them before releasing to the rest of Wilders. I admire Dan for making his views public and being very open, but sometimes this works against you. The 'rest' should confirm suitability for the mass market and the version's listing on the website.
     
  21. guest

    guest Guest

    I totally agree, closed beta testers should be created.
    Btw, discussing self-protection details on a public forum is like telling attackers how to bypass it :rolleyes: :argh:
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States

    Yeah, I am dead serious about that comment. If you want to test VS’s self-protection properly, you would test it with a bypass that does not require you to click Allow… such as the macro, which does not require you to click Allow in order to demonstrate the bypass. It really is that simple.

    Adam first told me about the macro vulnerability 10 or so months ago, but VS needed to be stable before we could implement self-protection, but it has always been on my to do list. The signature for our KMD is going to expire in a couple of months, and we will be able to implement ObRegisterCallbacks in the new driver, and have it signed… so now seemed to be the right time to work on this.

    Sure, Adam’s video had something to do with me starting on this feature a little sooner than I was wanting to… but are you saying that you personally would prefer that I just bury my head in the sand and not do anything about it?

    I simply did not like the watch dog process method, so I wanted to create something better. You said “People advised you some methods to implement properly the S-P (self-protection), you don't like the method”. If you are implying that this method is not proper, I hope you feel compelled to publicly notify all software companies who are utilizing similar methods. I am really tired of people picking on VS, while giving other companies a pass.

    There are a lot of moving parts in VS, and it would be impossible to explain every single obstacle we need to overcome and decision we need to make on Wilders. And it is extremely easy for you to be the Monday morning quarterback, not having to experience all of the hard work, dedication and tough decisions that I have to experience on a daily basis.

    Ultimately, I have not let anyone down yet, and I do not plan to let anyone down now.

    https://malwaretips.com/threads/com...emana-am-novirusthanks-or-voodooshield.67755/

    https://malwaretips.com/threads/clyance-home-vs-sophos-home-vs-voodoshield.61167/

    https://malwaretips.com/threads/voo...us-vs-comodo-firewall-vs-nvt-exe-radar.61917/

    https://malwaretips.com/threads/zemana-antilogger-pro-vs-voodooshield-premium.62083/

    https://malwaretips.com/threads/whi...inion-appguard-nvt-erp-or-voodooshield.47984/

    https://malwaretips.com/threads/what-is-the-most-underrated-free-security-application.67096/

    https://malwaretips.com/threads/which-default-deny-solution-wins-and-why.69287/page-4#post-606917

    I must be doing something right.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    No issues with HMPA scans here, running alongside VS.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I agree, but the thing is, in order for a user to actually have to reboot their computer, several things need to happen. When this feature is finished, the odds that a user will actually see a prompt that asks them to reboot their computer are slim to none.

    A few people commented that this is not user-friendly. Even Windows asks the user to reboot Windows from time to time, and everyone handles it just fine.
     
  25. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    I am in favor of the lockdown. If an attacker has an attack in memory, he would want to disable VS in order to write something to the HD in order to achieve persistence. A reboot would take care of that.
     