64 bit systems and HIPS

hjlbx

Hooking to detect and prevent malicious actions on 64 bit systems is not the problem that it once was...

For example, Emsisoft, ESET, Threat Track (Vipre), etc. have found ways to detect and prevent actions on 64 bit systems - whether they are using their own proprietary modules or licensed drop-in modules from another vendor.

Some vendor HIPS are behind in their capabilities on 64-bit systems - for just a single example Datpol (SpyShelter).

Finding full technical information that explains a specific vendor's HIPS capabilities on 64 bit systems is no easy task.
 
hjlbx

It does, but are you sure as to what purpose this hooking occurs? It could also be to enable the isolated application to function at all, because at integrity level untrusted they wouldn't be able to do anything, hence removing the hooks wouldn't do an attacker any good.

There have been documented cases (in the past... 2013 or so) whereby a sandboxed application was still able to bypass Sandboxie:
  • OS Kernel Exploits
  • OS User-Mode Exploits
Running inside a restricted privilege sandbox is not guaranteed to prevent an OS exploit from obtaining Shell. A user-mode hooking exploit can be part of that OS exploit process.

Without hooks, if the OS can be exploited it really makes no difference either; the presence or absence of hooks might not be an issue. Use of hooking is only relevant when exploiting the hook gets you further along to Shell.

What's a security soft vendor supposed to do when the underlying OS is about as secure as a 10 lb block of Swiss Cheese? Can't put that block into your pocket and walk away with it, but with some fore-planning and a different tactic - you'll manage to abscond with that block.
 

FleischmannTV

I was not talking about whether Sandboxie was penetrable (it is much more penetrable than its users think, I suppose) or not, but rather specifically about as to what purpose the hooking occurs. Do you know that in detail? So once again, if the hooking exists to prevent stuff, it's a weakness, I completely agree, especially in the case of user-mode hooks. Yet if its only purpose is to make the restricted process function at all, then removing the hooks probably won't make things easier for an attacker.
 

shmu26

@hjlbx, I noticed a post you made, mentioning the processes
  • lsass
  • csrss
  • smss
  • spoolsvc
Are these processes being actively abused to write code? Or is it just a potential for abuse?
 

koletz

SpyShelter does not detect hollow process on 64 bit systems - this is a known issue. It has been reported repeatedly to Datpol.

Do you have even a single proof of that?
I have a different opinion, based on my debugging knowledge; for example, with CTBLocker it perfectly detects an attempted svchost modification (tested in Ask User mode).
So this ransomware can "only" compromise users' files
(but the user can protect any of his files with SpyShelter using the option Settings - Security - User defined protected files)
+ change the wallpaper (nothing really dangerous); then, after blocking all actions, the virus crashes.

The point is that it detects an attempt to hollow svchost, similar to what, for example, ESET does.
 

shmu26

Do you have even a single proof of that?
I have a different opinion, based on my debugging knowledge; for example, with CTBLocker it perfectly detects an attempted svchost modification (tested in Ask User mode).
So this ransomware can "only" protect users' files
(but the user can protect any of his files with SpyShelter using the option Settings - Security - User defined protected files)
+ change the wallpaper (nothing really dangerous); then, after blocking all actions, the virus crashes.

The point is that it detects an attempt to hollow svchost, similar to what, for example, ESET does.
Process hollowing is not an ordinary file modification; it is a kind of exploit of a process in memory.
 