How to verify VoodooShield "anti-exploit protection"?

Status
Not open for further replies.

qftest

Level 1
Thread author
Nov 22, 2015
12
2mqmb1h.jpg


win7x64
VS 2.75
I use "hmpalert64-test.exe" test VS, did not see the interception.
How should I test is correct?
 

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
Honestly it's quite hard to test anti exploit for every programme, thats why the vendor normally provides a safe test to see if the protection is working, as you know HMP has one, and I know that malwarebytes has a programme to test their anti exploit too. Maybe you can try that?
 
  • Like
Reactions: Solarquest

qftest

Level 1
Thread author
Nov 22, 2015
12
Honestly it's quite hard to test anti exploit for every programme, thats why the vendor normally provides a safe test to see if the protection is working, as you know HMP has one, and I know that malwarebytes has a programme to test their anti exploit too. Maybe you can try that?
I can't find a Malwarebytes test tool.
Maybe should use a special web page test?
 

cutting_edgetech

Level 3
Verified
Feb 14, 2013
113
VoodooShield antiexploit feature does not stop exploits in memory. It only blocks the exploit from dropping any binary payload by not allowing applications on the "Web Apps List" to spawn child processes. If I remember correctly this feature also prevents executables in the user-space from dropping payloads into Program Files Folders. The feature is only a policy based restriction mitigation being used with whitelisting. Blocking exploits in memory can lead to incompatibility with other products, and it takes a lot of development hours to maintain this type of feature.

I have a .jar file that drops a hidden payload into Program Files, and then executes. The payload is harmless, but it can drop any payload into Program Files Folders. It can drop crypto-malware, trojans, etc. It may be able to drop payloads into System space also, but i'm not sure. If the user clicks on the .jar file it does the rest on it's own. .Jar files are archives, and portable java applications. The .jar file I have bypassed most AE solutions at the time because they did not monitor the command lines of javaw.exe. It bypasses AppGuard with default settings. If you Guard javaw.exe then AG will block the payload from writing to Program Files Folders because Guarded applications are not permitted to write to Program Files Folders, or System Space. Voodoo Shield anti-exploit feature is suppose to block threats like these. There is a lot more that could be done with this feature.

Edited 11/23 @ 9:14
 
Last edited:

qftest

Level 1
Thread author
Nov 22, 2015
12
VoodooShield antiexploit feature does not stop exploits in memory. It only blocks the exploit from dropping any binary payload by not allowing applications on the "Web Apps List" to spawn child processes. If I remember correctly this feature also prevents executables in the user-space from dropping payloads into Program Files Folders. The feature is only a policy based restriction mitigation being used with whitelisting. Blocking exploits in memory can lead to incompatibility with other products, and it takes a lot of development hours to maintain this type of feature.

I have a .jar file that drops a hidden payload into Program Files, and then executes. The payload is harmless, but it can drop any payload into Program Files Folders. It can drop crypto-malware, trojans, etc. It may be able to drop payloads into System space also, but i'm not sure. If the user clicks on the .jar file it does the rest on it's own. .Jar files are archives, and portable java applications. The .jar file I have bypassed most AE solutions at the time because they did not monitor the command lines of javaw.exe. It bypasses AppGuard with default settings. If you Guard javaw.exe then AG will block the payload from writing to Program Files Folders because Guarded applications are not permitted to write to Program Files Folders, or System Space. Voodoo Shield anti-exploit feature is suppose to block threats like these. There is a lot more that could be done with this feature.

Edited 11/23 @ 9:14
It sounds like the previous ANI virus.
No testing tools, I went to the page to test.
Results VS / HMPA no response, no interceptions.
I do not know why.
Code:
http:##//player.vodjk.com/player.swf?my_url=http://ek.vodjk.com/a/18001.shtml&my_pic=&a=18001&i=;

2nk49c5.jpg
 
Last edited by a moderator:
  • Like
Reactions: Solarquest

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
JFI; on VT
Code:
http://ek.vodjk.com/a/18001.shtml&my_pic=&a=18001&i=;
= 0/66
upload_2015-11-24_0-7-44.png
upload_2015-11-24_0-7-44.png
 
Last edited by a moderator:

cutting_edgetech

Level 3
Verified
Feb 14, 2013
113
HMPA, and MBAE will not detect an exploit unless the application is vulnerable to being exploited. If the application on your machine has been patched then the exploit will not be able to run, and therefore there is nothing for HMPA, or MBAE to detect. What application on your machine does the exploit target? I can't read hànzì, or kanji. Are you sure the application has not been patched with an update?
 

qftest

Level 1
Thread author
Nov 22, 2015
12
HMPA, and MBAE will not detect an exploit unless the application is vulnerable to being exploited. If the application on your machine has been patched then the exploit will not be able to run, and therefore there is nothing for HMPA, or MBAE to detect. What application on your machine does the exploit target? I can't read hànzì, or kanji. Are you sure the application has not been patched with an update?
oh i see.
Thank you for your reply.
hehe,"hànzì" is correct,"kanji" is an error.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top