How to verify VoodooShield "anti-exploit protection"?

Status
Not open for further replies.
qftest

qftest

Level 1
Thread author
Nov 22, 2015
12
11
28
china
2mqmb1h.jpg


win7x64
VS 2.75
I use "hmpalert64-test.exe" test VS, did not see the interception.
How should I test is correct?
 
  • Like
Reactions: persianboy, Deleted Member 333v73x and Solarquest
Honestly it's quite hard to test anti exploit for every programme, thats why the vendor normally provides a safe test to see if the protection is working, as you know HMP has one, and I know that malwarebytes has a programme to test their anti exploit too. Maybe you can try that?
 
  • Like
Reactions: Solarquest
Hanmin147 said:
Honestly it's quite hard to test anti exploit for every programme, thats why the vendor normally provides a safe test to see if the protection is working, as you know HMP has one, and I know that malwarebytes has a programme to test their anti exploit too. Maybe you can try that?
Click to expand...
I can't find a Malwarebytes test tool.
Maybe should use a special web page test?
 
VoodooShield antiexploit feature does not stop exploits in memory. It only blocks the exploit from dropping any binary payload by not allowing applications on the "Web Apps List" to spawn child processes. If I remember correctly this feature also prevents executables in the user-space from dropping payloads into Program Files Folders. The feature is only a policy based restriction mitigation being used with whitelisting. Blocking exploits in memory can lead to incompatibility with other products, and it takes a lot of development hours to maintain this type of feature.

I have a .jar file that drops a hidden payload into Program Files, and then executes. The payload is harmless, but it can drop any payload into Program Files Folders. It can drop crypto-malware, trojans, etc. It may be able to drop payloads into System space also, but i'm not sure. If the user clicks on the .jar file it does the rest on it's own. .Jar files are archives, and portable java applications. The .jar file I have bypassed most AE solutions at the time because they did not monitor the command lines of javaw.exe. It bypasses AppGuard with default settings. If you Guard javaw.exe then AG will block the payload from writing to Program Files Folders because Guarded applications are not permitted to write to Program Files Folders, or System Space. Voodoo Shield anti-exploit feature is suppose to block threats like these. There is a lot more that could be done with this feature.

Edited 11/23 @ 9:14
 
Last edited:
  • Like
Reactions: oldschool, Parsh, Solarquest and 2 others
cutting_edgetech said:
VoodooShield antiexploit feature does not stop exploits in memory. It only blocks the exploit from dropping any binary payload by not allowing applications on the "Web Apps List" to spawn child processes. If I remember correctly this feature also prevents executables in the user-space from dropping payloads into Program Files Folders. The feature is only a policy based restriction mitigation being used with whitelisting. Blocking exploits in memory can lead to incompatibility with other products, and it takes a lot of development hours to maintain this type of feature.

I have a .jar file that drops a hidden payload into Program Files, and then executes. The payload is harmless, but it can drop any payload into Program Files Folders. It can drop crypto-malware, trojans, etc. It may be able to drop payloads into System space also, but i'm not sure. If the user clicks on the .jar file it does the rest on it's own. .Jar files are archives, and portable java applications. The .jar file I have bypassed most AE solutions at the time because they did not monitor the command lines of javaw.exe. It bypasses AppGuard with default settings. If you Guard javaw.exe then AG will block the payload from writing to Program Files Folders because Guarded applications are not permitted to write to Program Files Folders, or System Space. Voodoo Shield anti-exploit feature is suppose to block threats like these. There is a lot more that could be done with this feature.

Edited 11/23 @ 9:14
Click to expand...
It sounds like the previous ANI virus.
No testing tools, I went to the page to test.
Results VS / HMPA no response, no interceptions.
I do not know why.
Code: 
http:##//player.vodjk.com/player.swf?my_url=http://ek.vodjk.com/a/18001.shtml&my_pic=&a=18001&i=;

2nk49c5.jpg
 
Last edited by a moderator:
  • Like
Reactions: Solarquest
JFI; on VT
Code: 
http://ek.vodjk.com/a/18001.shtml&my_pic=&a=18001&i=;
= 0/66
upload_2015-11-24_0-7-44.png
upload_2015-11-24_0-7-44.png
 
Last edited by a moderator:
HMPA, and MBAE will not detect an exploit unless the application is vulnerable to being exploited. If the application on your machine has been patched then the exploit will not be able to run, and therefore there is nothing for HMPA, or MBAE to detect. What application on your machine does the exploit target? I can't read hànzì, or kanji. Are you sure the application has not been patched with an update?
 
  • Like
Reactions: Solarquest, frogboy, qftest and 2 others
cutting_edgetech said:
HMPA, and MBAE will not detect an exploit unless the application is vulnerable to being exploited. If the application on your machine has been patched then the exploit will not be able to run, and therefore there is nothing for HMPA, or MBAE to detect. What application on your machine does the exploit target? I can't read hànzì, or kanji. Are you sure the application has not been patched with an update?
Click to expand...
oh i see.
Thank you for your reply.
hehe,"hànzì" is correct,"kanji" is an error.
 
Status
Not open for further replies.

You may also like...