64 bit systems and HIPS

koletz

Level 1
Aug 26, 2011
18
That alert is for code injection into svchost, and not for hollow process.

Code injection and hollow process are two different things. In a nutshell, hollow process is when a child process is launched in a suspended state by a parent process, and then the parent process replaces the child process with a different process.

SpyShelter HIPS does not detect nor prevent hollow process. You can confirm this directly with the developer, Datpol. It is a known issue on 64 bit systems.


No, I have confirmed something else.
I know what the difference is, but I'm afraid you are not a system programmer and you don't know the details?
You should know that one action named process injection or memory modification, which sounds the same in HIPS "A" software,
could not be the same as what is done in, let's say, HIPS "B"; there is something like code quality + tricks, so the same name does not mean the same thing.
In this case injection could mean something more.

I analyzed it more deeply:
memory dumps of explorer and svchost, compared before and after the malware run.
Did it on CTB Locker, one of the latest editions. Svchost was blocked from modification. Without SpS it was hollowed.

There is no sense discussing without proof which everybody could check.
Can you simply show one example which will prove your words?
Just ONE, simple to verify, not 5 or 10...
I will analyze it then and could confirm, so then I can make suggestions about improvements.
 
Last edited:
  • Like
Reactions: shmu26
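The comparison koletz describes above, memory dumps of explorer and svchost taken before and after the malware run, comes down to checking whether the PE image mapped in the process still matches the file on disk. The following Python is an added example, not koletz's tooling and not SpyShelter's or any vendor's code. It constructs two PE32+ headers, one standing in for the on-disk explorer.exe and one for a hollowed in-memory image, and reports the header fields that a hollowed process changes. The field offsets follow the PE specification; the header values, section names and sizes are made up for the example.

```python
import struct

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def build_pe(entry_rva, image_base, size_of_image, sections):
    """Construct a minimal PE32+ header (headers only, no code) for the example.
    sections: list of (name, virtual_address, virtual_size, pointer_to_raw_data)."""
    opt_size = 240                                   # IMAGE_OPTIONAL_HEADER64
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # Magic = PE32+
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, image_base)      # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)   # SizeOfImage
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    table = b"".join(
        struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), vsize, rva, vsize, raw,
                    0, 0, 0, 0, 0x60000020)
        for name, rva, vsize, raw in sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> PE signature
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def pe_identity(buf):
    """Parse the header fields that hollowing rewrites: entry point RVA,
    SizeOfImage and the section table."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (0x10B, 0x20B):                  # PE32 / PE32+
        raise ValueError("unknown optional header magic %#x" % magic)
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    sections = []
    off = opt + opt_size
    for _ in range(nsect):
        name, vsize, rva = struct.unpack_from("<8sII", buf, off)
        sections.append((name.rstrip(b"\0").decode("ascii"), rva, vsize))
        off += 40
    return {"entry": entry, "size_of_image": size_of_image, "sections": sections}

def hollowing_indicators(disk_image, memory_image):
    """Compare the on-disk PE with the header dumped from the running process.
    Entry point RVA, SizeOfImage and the section table are stable across a
    normal load (ASLR relocation does not change them), so any difference
    means the mapped image is not the file the process claims to be."""
    d, m = pe_identity(disk_image), pe_identity(memory_image)
    findings = []
    for key in ("entry", "size_of_image"):
        if d[key] != m[key]:
            findings.append("%s: disk=%#x memory=%#x" % (key, d[key], m[key]))
    if d["sections"] != m["sections"]:
        findings.append("section table: disk=%s memory=%s"
                        % ([s[0] for s in d["sections"]], [s[0] for s in m["sections"]]))
    return findings

# Constructed headers (values are made up for the example, not from a real binary).
DISK_EXPLORER = build_pe(0x1A2B0, 0x140000000, 0x3D0000, [
    (b".text", 0x1000, 0x2A000, 0x400),
    (b".rdata", 0x2C000, 0x9000, 0x2A400),
    (b".data", 0x36000, 0x3000, 0x33400),
])
MEM_HOLLOWED = build_pe(0x3F10, 0x400000, 0x1B000, [
    (b".text", 0x1000, 0x8000, 0x400),
    (b".data", 0x9000, 0x2000, 0x8400),
])

if __name__ == "__main__":
    print("clean   :", hollowing_indicators(DISK_EXPLORER, DISK_EXPLORER))
    print("hollowed:")
    for line in hollowing_indicators(DISK_EXPLORER, MEM_HOLLOWED):
        print("  ", line)
```

On a live system the memory side of the comparison is the header read from the process at the address the PEB reports for the main module, and the disk side is the file the process claims as its image; the comparison itself is unchanged. A hollowed process keeps its name, PEB and command line, so these header fields and the section layout are what actually reveal the swap.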

koletz

Level 1
Aug 26, 2011
18
BTW: MS decisions with Windows 8 and 10 and the protection of win32k.sys code are practically useless regarding the fight with rootkits.
Strange at the least, and smashing balls for HIPS software vendors.
 

Deleted member 178

You should know that one action named process injection or memory modification, which sounds the same in HIPS "A" software,
could not be the same as what is done in, let's say, HIPS "B"; there is something like code quality + tricks, so the same name does not mean the same thing.
In this case injection could mean something more.

There are not thousands of explanations of what Process Hollowing, aka Dynamic Forking, is:

Process hollowing is a technique used by some malware in which a legitimate process is loaded on the system solely to act as a container for hostile code. At launch, the legitimate code is deallocated and replaced with malicious code. The advantage is that this helps the process hide amongst normal processes better. If you inspect the process and its imports using conventional tools, they all look legit. The PEB is untouched, but the actual code and data of the process have been changed.

https://www.trustwave.com/Resources/SpiderLabs-Blog/Analyzing-Malware-Hollow-Processes/

 
Last edited by a moderator:

koletz

Level 1
Aug 26, 2011
18
@Umbra, indeed you are right, but it is also enough to show one example possible to verify...
and I have not found any security leak so far in SpS regarding process hollowing.
 

hjlbx

Ask Datpol. They have previously acknowledged SpS does not detect hollow process on 64 bit systems.

Test SpS against process hollow ransomware. When you select block in the alert, the process hollow still occurs. That's because the process being hollowed is a trusted process, e.g. Windows explorer.exe.
 
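The sequence quoted from Trustwave above (a legitimate process started as a container, its code deallocated and replaced, the thread pointed at the new code and resumed) is what a behavioural HIPS has to chain together from its API hooks, and hjlbx's point that blocking fails when the written-to process is trusted is really a question of which process a trust list is applied to. The following Python is an added example, not SpyShelter's or any vendor's code: a small detector run over a constructed, hypothetical API-event trace (the Event fields, pids and image paths are assumptions made for the example). It shows the chain detection and the difference between trusting the actor that performs the writes and trusting the target that receives them.

```python
import ntpath
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit in CreateProcess

@dataclass
class Event:
    """One API call as a HIPS hook would see it (hypothetical event shape)."""
    api: str          # API name
    pid: int          # process making the call
    actor_image: str  # image path of the calling process
    target: int = 0   # pid of the process acted upon (child / remote process)
    flags: int = 0    # dwCreationFlags, only meaningful for CreateProcess
    image: str = ""   # image path of the created process, only for CreateProcess

@dataclass
class Chain:
    parent: int
    parent_image: str
    child_image: str
    seen: set = field(default_factory=set)

# Cross-process stages that, after a suspended CreateProcess, make up hollowing.
STAGES = {"NtUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
          "SetThreadContext", "ResumeThread"}
# Unmapping is optional in some variants; a write plus a redirected entry thread is not.
REQUIRED = {"WriteProcessMemory", "SetThreadContext"}

def _basename(path):
    return ntpath.basename(path).lower()

def detect_hollowing(events, trusted=(), trust_mode="actor"):
    """Return [(parent_pid, child_pid, child_image)] for completed hollowing chains.

    trust_mode="actor": the trusted image list is applied to the process doing
    the writes, so an untrusted dropper hollowing explorer.exe is still flagged.
    trust_mode="target": the list is applied to the process being written to,
    reproducing the failure mode described in the thread: explorer.exe is
    trusted, so writes into it are never flagged and the hollow completes.
    """
    trusted = {t.lower() for t in trusted}
    chains = {}  # child pid -> Chain
    hits = []
    for ev in events:
        if ev.api == "CreateProcess":
            if ev.flags & CREATE_SUSPENDED:
                chains[ev.target] = Chain(ev.pid, ev.actor_image, ev.image)
            continue
        chain = chains.get(ev.target)
        if chain is None or ev.pid != chain.parent or ev.api not in STAGES:
            continue
        judged = chain.parent_image if trust_mode == "actor" else chain.child_image
        if _basename(judged) in trusted:
            continue  # suppressed by the trust list
        chain.seen.add(ev.api)
        if ev.api == "ResumeThread":
            if REQUIRED <= chain.seen:
                hits.append((chain.parent, ev.target, chain.child_image))
            del chains[ev.target]  # thread resumed; the chain is over either way
    return hits

# Constructed sample trace (not a real capture): pid 1000 is an untrusted
# dropper, pid 2000 is the explorer.exe it spawned suspended; pid 3000 is a
# shell launching a normal child, included as benign noise.
DROPPER = r"C:\Users\u\AppData\Local\Temp\dropper.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_TRACE = [
    Event("CreateProcess", 3000, r"C:\Windows\System32\cmd.exe",
          target=3001, image=r"C:\Windows\System32\notepad.exe"),
    Event("CreateProcess", 1000, DROPPER, target=2000,
          flags=CREATE_SUSPENDED, image=EXPLORER),
    Event("NtUnmapViewOfSection", 1000, DROPPER, target=2000),
    Event("VirtualAllocEx", 1000, DROPPER, target=2000),
    Event("WriteProcessMemory", 1000, DROPPER, target=2000),
    Event("WriteProcessMemory", 1000, DROPPER, target=2000),
    Event("SetThreadContext", 1000, DROPPER, target=2000),
    Event("ResumeThread", 1000, DROPPER, target=2000),
]

if __name__ == "__main__":
    print("trust by actor :", detect_hollowing(SAMPLE_TRACE, ["explorer.exe"], "actor"))
    print("trust by target:", detect_hollowing(SAMPLE_TRACE, ["explorer.exe"], "target"))
```

The same trace produces one hit when trust is judged on the actor and none when it is judged on the target. This is also why a test that blocks a single "injection into svchost" alert proves little: the relevant question is whether the product correlates the suspended create with the later writes and the SetThreadContext from the same parent, and whether its trust rules look at the parent or the child.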

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Ask Datpol. They have previously acknowledged SpS does not detect hollow process on 64 bit systems.

Test SpS against process hollow ransomware. When you select block in the alert, the process hollow still occurs. That's because the process being hollowed is a trusted process, e.g. Windows explorer.exe.
They don't acknowledge it any more. I discussed it with them today and they deny the whole thing.
 

hjlbx

No, I have confirmed something else.
I know what the difference is, but I'm afraid you are not a system programmer and you don't know the details?
You should know that one action named process injection or memory modification, which sounds the same in HIPS "A" software,
could not be the same as what is done in, let's say, HIPS "B"; there is something like code quality + tricks, so the same name does not mean the same thing.
In this case injection could mean something more.

I analyzed it more deeply:
memory dumps of explorer and svchost, compared before and after the malware run.
Did it on CTB Locker, one of the latest editions. Svchost was blocked from modification. Without SpS it was hollowed.

There is no sense discussing without proof which everybody could check.
Can you simply show one example which will prove your words?
Just ONE, simple to verify, not 5 or 10...
I will analyze it then and could confirm, so then I can make suggestions about improvements.

I've tested SpSFW against many hollow process malware samples, and was one of the very first to report to Datpol the fact that it did not detect nor prevent hollow process on 64 bit systems.

I supplied Datpol with all the samples, and they confirmed it.

A fix for hollow process is not mentioned in the change logs for any of the builds since the hollow process issue was reported; that's not to say it wasn't fixed, but it would be highly unlike Datpol not to mention it in their change log.

Based on the very recent information that I have, the issue has yet to be fixed.
 
Last edited by a moderator:

hjlbx

They don't acknowledge it any more. I discussed it with them today and they deny the whole thing.

It's easy enough to confirm; execute a hollow process ransomware with SpS installed.

Allow the ransomware to execute, but block the hollow process (you have to know the malware behavior beforehand to know which alert you need to select block at the very point of hollow process; if you select wrong alert, then test is invalid).

End result = if SpS blocks encryption, then hollow process has been prevented; if encryption occurs, then hollow process has not been prevented.

There are many hollow process malware samples to be had in MT's Malware Hub.
 
Last edited by a moderator:

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
@koletz
You're dodging and weaving, and skirting the issue.
There are plenty that do know details here; it's you that seems to be out in the cold where
knowledge is concerned. I would get to know this community before you judge this community.
If you're associated with this software I am glad to have never
had the misfortune of installing it on my systems. ;)
 

hjlbx

SpS versus CTB Locker on 64 bit system. It is only version 9.X, but my SpS contacts state the issue still has not been fixed; there are limitations on 64 bit systems.


Everyone who so chooses can clearly see the CTB sample hash number early in the video. Copy it down, search for it online at Malwr or other, download the sample, run it against SpS 10.8.X and -- guess what ?

This is not difficult...
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Datpol already has had samples for a long time.
This is what they told me yesterday about the samples they were shown, along with some sage advice not to believe what I read on "forums":

Thanks for your words, but I guess you don't know what you are talking about; there were already some "experts" trying to tell us the same, but still 0 proofs, only words.
Can you show me an example of this "process hollow"?
 

koletz

Level 1
Aug 26, 2011
18
SpS versus CTB Locker on 64 bit system. It is only version 9.X, but my SpS contacts state the issue still has not been fixed; there are limitations on 64 bit systems.


Everyone who so chooses can clearly see the CTB sample hash number early in the video. Copy it down, search for it online at Malwr or other, download the sample, run it against SpS 10.8.X and -- guess what ?

This is not difficult...


Not sure why you are posting a video which proves nothing.
So dangerous wallpaper, really.
[attachment: wall.png]



I said the same in this thread before.
I confirmed on the newest released CTB Locker I tested: files were really encrypted, but file encryption isn't something that any HIPS should protect against; it uses general Windows processor and compiler instructions.
Still no process hollow proof.
On my sample, process modifications were blocked.
Moreover, as I mentioned, you can protect files with the file protection feature and nothing will be encrypted.

Maybe HIPS software isn't the best for such viruses for the average user; this is probably the truth, but I did not find any malfunction or serious security leaks.
 
Last edited:

koletz

Level 1
Aug 26, 2011
18
@koletz
You're dodging and weaving, and skirting the issue.
There are plenty that do know details here; it's you that seems to be out in the cold where
knowledge is concerned. I would get to know this community before you judge this community.
If you're associated with this software I am glad to have never
had the misfortune of installing it on my systems. ;)

I never seriously judge anyone or this community, even if that sounds personal.
I can judge words, not people.
I really don't care, bro, what you are going to install on your system.
No, I am not associated in a financial way; over the years I found a few issues and helped to solve them.
 
