64 bit systems and HIPS

shmu26

Jul 3, 2015
I have often seen it mentioned on MT that x64 systems present a challenge for HIPS, and that most HIPS solutions don't perform 100% on such a system.
Could someone explain a little about this?
I mean, what's the problem created by x64, are there any solutions out there, and, more practically speaking, how much does this whole issue actually affect the security of a PC?
 
On x64 OS, MS introduced PatchGuard, aka Kernel Patch Protection (see the Wikipedia article).

Most HIPS (and other security apps like Sandboxie, Zemana AntiLogger, etc.) need to "hook" the kernel to perform their task, which is itself a security risk, because the kernel wasn't made to be "patched"; so with this behavior the HIPS in fact weaken the kernel. If the app is exploited, then the kernel is vulnerable.

To explain simply, imagine your anti-radiation bunker: you want to improve your safety by adding a force field in front of it. For this, the force field system must be fixed onto the bunker, hence you need to create big holes in it to place the force field generator. Now the force field needs electricity to work; but what if an evil dude decides to cut the power cable of your force field to shut it down? Then the radiation gets in through the hole you made...
This is called "attack surface": by adding 3rd-party security, you in fact weaken the built-in one.

To prevent that abuse, MS reinforced PatchGuard in Win8, so you see some of the apps mentioned above having a very hard time adjusting to it; and some can't even provide 100% protection anymore as they did on x86 systems.

Not to mention that by patching the kernel, the HIPS create instability in the OS; remember the BSODs after installing HIPS?
 
The main problem in an x64 environment concerns antivirus products that use hooking in the Windows kernel through the System Service Descriptor Table (SSDT) to monitor the running software.

Possible security problems are related to the possibility of taking advantage of the short response times of the switch between processes, in order to overcome the protection of the antivirus and perform malicious actions (install a fake device driver, change registry keys and copy a DLL into the system directory, etc.).

Many antivirus products are based on SSDT hooking, while others don't use SSDT hooking or kernel changes, but instead use the mini-filter file system driver development model, such as Windows Defender.

But intercepting context-switching operations (switching between two active processes in memory) requires extremely precise timing in the execution of the payload and, in my opinion, this is not an exceptional security risk.
 
What about anti-exe programs like NVT ERP and Voodoo? They don't use hooks, so do they work better?
If your system is clean at the time of install, VS "I think" is better, but you can't really compare non-HIPS software to HIPS-based software, and the reason is a very long post. I will resort to scooting out of the way and letting Umbra take over, if he will, because HIPS is not my strong point.
But good questions, shmu26 :)
 
the HIPS in fact weaken the kernel. If the app is exploited, then the kernel is vulnerable.
I can see malware authors trying to exploit the big AVs. But would anyone waste their time writing an exploit for Zemana or Sandboxie??
 
Besides what other people here said, Windows 64 will always be vulnerable; the only way to fix this is to remove the PatchGuard made by Microsoft and let AV companies "hook".

You need to create a handle and you can use it for any of the functions you want => ZwTerminateProcess, ZwSuspendProcess, injection, and it's over.

 
I can see malware authors trying to exploit the big AVs. But would anyone waste their time writing an exploit for Zemana or Sandboxie??
Why wouldn't they? If they can, there is money to be made, and for the right price and the right level of determination anything is possible.
Nothing is 100% perfect, my friend; it just boils down to finding the weak spot, and believe it or not, most times the user is the "weak spot".
PeAcE
 
Besides what other people here said, Windows 64 will always be vulnerable; the only way to fix this is to remove the PatchGuard made by Microsoft and let AV companies "hook".

You need to create a handle and you can use it for any of the functions you want => ZwTerminateProcess, ZwSuspendProcess, injection, and it's over.
How can we do that?
 
Make the driver (.sys file), use whatever function you want (kill, inject and so on), load the driver (OSR Driver Loader or something like that) and done. If you need help, just check MSDN.

If you wanna bypass cloud scanning, there was a guy here that posted something about that; I think it's NullByte. You sign the file or you add a delay; IDK if that works, you can talk with him about that.
 
Make the driver (.sys file), use whatever function you want (kill, inject and so on), load the driver (OSR Driver Loader or something like that) and done. If you need help, just check MSDN.

If you wanna bypass cloud scanning, there was a guy here that posted something about that; I think it's NullByte. You sign the file or you add a delay; IDK if that works, you can talk with him about that.
Ok thanks, will try some stuff
(@NullByte is not a member anymore :'( )
 
Why wouldn't they? If they can, there is money to be made,
I can't see much money to be made in distributing malware that targets a niche product with a small user base.

Something widely used, like Avast or Bitdefender, is a commercial target, not something that most people have never even heard of.
 
I can see malware authors trying to exploit the big AVs. But would anyone waste their time writing an exploit for Zemana or Sandboxie??

Sandboxie employs user-mode hooking.

Just like any other security or related soft, some malc0der, sooner or later, will try to smash it, even if only as a learning exercise which they can then apply to exploit other softs.

Sandboxie is popular enough that it is probably on some malc0der's radar.