Author Topic: Can comodo HIPS detect this malware technique?

Offline aigle

  • Comodo's Hero
  • Posts: 722

Online futuretech

  • Global Moderator
  • Comodo's Hero
  • Posts: 5137
Re: Can comodo HIPS detect this malware technique?
« Reply #1 on: March 15, 2017, 10:26:14 AM »
Let me first say that the PoC only launches a messagebox, thus no alert by a HIPS would be shown. However, if it were modified to, say, execute another process or make changes to the file system, etc., then it would be picked up. This technique just dynamically changes the memory page permissions of where the code resides from being executable to non-executable and back again. Where executable code is located in memory makes no difference for a HIPS or sandbox because the code still resides in the address space of the application, and thus any actions carried out will be shown as coming from the application.

The only way to evade a HIPS, sandbox, or other type of security software is to get code execution in the kernel. Once you're in kernel land, it's game over.
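The page-permission toggling described in the reply above, as an added example that is not from the thread, the PoC it discusses, or Comodo. It is written against POSIX `mmap`/`mprotect` on Linux rather than the Windows `VirtualAlloc`/`VirtualProtect` calls a Windows PoC would use; the stub machine code (a bare "return 42") and the `/proc/self/maps` check are constructed for this example. The page holding the stub is executable only while it runs and is flipped back to read/write in between, which is exactly the window in which a scan for executable private memory does not see it, while nothing about the process's identity changes.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stub: machine code for "return 42", per architecture. */
#if defined(__x86_64__)
static const uint8_t RET42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };       /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t RET42[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#error "example provides stub bytes for x86-64 and AArch64 only"
#endif

typedef int (*ret_fn)(void);

/* The view a user-mode scanner of executable regions would have: parse
 * /proc/self/maps (Linux) and report whether the page holding addr is
 * currently mapped executable. Returns 1 or 0, or -1 if maps is unavailable. */
int page_is_executable(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return -1;
    uintptr_t a = (uintptr_t)addr;
    int result = -1;
    char line[512];
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char perms[8];
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3) continue;
        if (a >= lo && a < hi) { result = (perms[2] == 'x'); break; }
    }
    fclose(maps);
    return result;
}

/* Allocate one page, place the stub in it, and run it twice with a
 * non-executable "dormant" phase in between. Returns the sum of both
 * calls (84) on success, or a negative code identifying the failed step. */
int run_with_toggled_permissions(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, RET42, sizeof RET42);
    __builtin___clear_cache((char *)page, (char *)page + sizeof RET42);

    /* Phase 1: RX, run the stub. Never RWX, so W^X policies are not tripped. */
    if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) return -2;
    int first = ((ret_fn)page)();

    /* Phase 2: dormant. The bytes are untouched but the page is RW only, so
     * an executable-memory scan does not list it; calling it now would fault. */
    if (mprotect(page, pagesz, PROT_READ | PROT_WRITE) != 0) return -3;
    if (page_is_executable(page) == 1) return -4;

    /* Phase 3: flip back to RX and run again; the process is the same actor. */
    if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) return -5;
    int second = ((ret_fn)page)();

    munmap(page, pagesz);
    return first + second;
}

int main(void)
{
    int r = run_with_toggled_permissions();
    printf("result %d (expected 84)\n", r);
    return r == 84 ? 0 : 1;
}
```

Build with `cc -o toggle toggle.c` and run it; on Windows the same three phases map to `VirtualAlloc(PAGE_READWRITE)`, `VirtualProtect(PAGE_EXECUTE_READ)` and back. Note what the toggling does and does not change: a scanner that only enumerates executable regions misses the dormant page, but any process spawn, file write or registry change the stub makes is still performed by this process, which is what a HIPS hooking those operations attributes the action to.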
