Why Usermode Hooking Sucks – Bypassing Comodo Internet Security

[Guest]

[gjf]

I just found some interesting article in Internet. Looks like there is a way of overcoming HIPS in Comodo products. Author has contacted Comodo representatives already (about 5 months ago) and looks like there is no any reaction.

Is it possible to get some answer from authorities here?

Conclusions

To conclude with, we’d like to stress that we do not hate the Comodo HIPS product. The bypassing method presented in this post is rather remote and applies only on SysWoW64 ( 32bit ) applications running on a 64bit Windows version. Attached you will find a proof of concept application that automates the process of generating executable that can bypass the installation of hooks throughout the process address space. Thank you for reading.

[RejZoR]

Only question here is, does this also include "Enhanced protection mode" (in Defense+) or only without it?

[gjf]

The article includes compiled PoC and sources. You can check everything at your system and respond with results here.

Sorry  - cannot help: have no x64 at home.

[languy99]

I'll test this out and let you know what I find.

[Chiron]

Only question here is, does this also include "Enhanced protection mode" (in Defense+) or only without it?

It looks like enhanced protection was introduced in Version 5.8, which was released on October 11, 2011.

Thus it was at least present in the program at the time.

[RejZoR]

Well, present yes, but is disabled by default.

[languy99]

I can't reproduce it, sorry

[Chiron]

I can't reproduce it, sorry

Do you mean that even under default settings you can't reproduce the bypass?

[languy99]

Do you mean that even under default settings you can't reproduce the bypass?

yup, they did not include the keylogger to test with so I can't get it to work.

[gjf]

What do you mean "keylogger"? For what? The video was included in the article to present how to get process address space.

http://www.youtube.com/watch?v=Ar1SXYbKlm0

[OmeletGuy]

What do you mean "keylogger"? For what? The video was included in the article to present how to get process address space.

http://www.youtube.com/watch?v=Ar1SXYbKlm0

This is the example POC program in action. sswhk.exe is a simple keylogger program. First run is the original program which gets detected by the paranoid security settings of Comodo. Next, the AddTLSSection.exe program is executed to generate the code required to bypass comodo. A new program is created and executed sswhk_.exe and is successfully capturing keystrokes without comodo detecting it.

Description of the video on YouTube. We would need sswhk.exe to test with, it is not included.

[gjf]

You can use any malware for this test. If you want a keylogger, you can try a trial of Refog as an instance.

[loverboy]

I'm not sure to have understood, Comodo HIPS doesn't install itself at the kernel level ? As EqSesure done.

Not on 64 bit Windows. MS does not allow it. On 32 bit it does.

http://www.wilderssecurity.com/showthread.php?p=2055870#post2055870

Is this the reason of the "enhanced protection mode"?

[gjf]

Not on 64 bit Windows. MS does not allow it. On 32 bit it does.

Very interesting. So it means TDL4 installs itself in kernelmode at x64 in some mysterious way that none of vendors knows? Or possibly none of vendors can sign drivers in a correct way so Wx64 will allow to load it?

Will anybody from developers respond here or we still continue discussing nonsense?

[vix123]

Will anybody from developers respond here or we still continue discussing nonsense?

Unfortunately he is right. Perhaps the forum needs an advanced section where such issues can be discussed with a lower noise to signal ratio.

[Tags:]