64 bit systems and HIPS

Hooking to detect and prevent malicious actions on 64 bit systems is not the problem that it once was...

For example, Emsisoft, ESET, Threat Track (Vipre), etc. have found ways to detect and prevent actions on 64-bit systems - whether they are using their own proprietary modules or licensed drop-in modules from another vendor.

Some vendor HIPS are behind in their capabilities on 64-bit systems - for just a single example Datpol (SpyShelter).

Finding full technical information that explains a specific vendor's HIPS capabilities on 64-bit systems is no easy task.
 
Sandboxie employs User-Mode hooking.

It does, but are you sure as to what purpose this hooking serves? It could also be to enable the isolated application to function at all, because at integrity level untrusted they wouldn't be able to do anything, hence removing the hooks wouldn't do an attacker any good.

There have been documented cases (in the past... 2013 or so) whereby a sandboxed application was still able to bypass Sandboxie:
  • OS Kernel Exploits
  • OS User-Mode Exploits
Running inside a restricted-privilege sandbox is not guaranteed to prevent an OS exploit from obtaining a shell. A User-Mode hooking exploit can be part of that OS exploit process.

Without hooks, if the OS can be exploited it really makes no difference either; the presence or absence of hooks might not be an issue. Use of hooking is only relevant when exploiting the hook gets you further along to Shell.

What's a security software vendor supposed to do when the underlying OS is about as secure as a 10 lb block of Swiss cheese? You can't put that block into your pocket and walk away with it, but with some fore-planning and a different tactic you'll manage to abscond with it.
 
I was not talking about whether Sandboxie was penetrable (it is much more penetrable than its users think, I suppose) or not, but rather specifically about the purpose for which the hooking occurs. Do you know that in detail? So once again, if the hooking exists to prevent stuff, it's a weakness, I completely agree, especially in the case of user-mode hooks. Yet if its only purpose is to make the restricted process function at all, then removing the hooks probably won't make things easier for an attacker.
 
Some vendor HIPS are behind in their capabilities on 64-bit systems - for just a single example Datpol (SpyShelter).
Does that mean it will do its job erratically, or that certain kinds of protection (process hollowing?) are beyond its ability, or what?
 
SpyShelter does not detect hollowed processes on 64-bit systems - this is a known issue. It has been reported repeatedly to Datpol.

Do you have even a single proof of that?
I have different information, based on my debugging knowledge; for example, with CTBLocker it perfectly detects an attempted svchost modification (tested in Ask User mode).
So this ransomware can "only" compromise users' files
(but the user can protect any of his files with SpyShelter using the option Settings - Security - User defined protected files)
+ change the wallpaper (nothing really dangerous); then, after blocking all actions, the virus crashes.

The point is that it detects the attempt to hollow svchost, similar to what, for example, ESET does.
 
Process hollowing is not ordinary file modification; it is a kind of exploit of a process in memory.