Author Topic: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security  (Read 14962 times)

Offline gjf

  • Comodo Loves me
  • ****
  • Posts: 115
  • Fuimus - non sumus... Carpe diem!
I just found an interesting article on the Internet. Looks like there is a way of overcoming the HIPS in Comodo products. The author has contacted Comodo representatives already (about 5 months ago) and it looks like there has been no reaction.

Is it possible to get some answer from authorities here?

Quote
Conclusions

To conclude, we'd like to stress that we do not hate the Comodo HIPS product. The bypassing method presented in this post is rather remote and applies only to SysWoW64 (32-bit) applications running on a 64-bit Windows version. Attached you will find a proof-of-concept application that automates the process of generating an executable that can bypass the installation of hooks throughout the process address space. Thank you for reading.

Offline RejZoR

  • Comodo's Hero
  • *****
  • Posts: 1172
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #1 on: May 13, 2012, 10:30:21 AM »
Only question here is, does this also include "Enhanced protection mode" (in Defense+) or only without it?

Offline gjf

  • Comodo Loves me
  • ****
  • Posts: 115
  • Fuimus - non sumus... Carpe diem!
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #2 on: May 13, 2012, 10:37:32 AM »
The article includes compiled PoC and sources. You can check everything at your system and respond with results here.

Sorry - cannot help: I have no x64 at home.

Offline languy99

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3981
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #3 on: May 13, 2012, 12:00:25 PM »
I'll test this out and let you know what I find.
http://www.youtube.com/languy99

Software Reviews for all.

Follow me on Twitter http://twitter.com/#!/languy99

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #4 on: May 13, 2012, 01:42:25 PM »
Quote
Only question here is, does this also include "Enhanced protection mode" (in Defense+) or only without it?
It looks like enhanced protection was introduced in Version 5.8, which was released on October 11, 2011.

Thus it was at least present in the program at the time.

Offline RejZoR

  • Comodo's Hero
  • *****
  • Posts: 1172
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #5 on: May 13, 2012, 02:42:03 PM »
Well, present yes, but it is disabled by default.

Offline languy99

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3981
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #6 on: May 13, 2012, 03:24:06 PM »
I can't reproduce it, sorry

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #7 on: May 13, 2012, 03:37:53 PM »
Quote
I can't reproduce it, sorry
Do you mean that even under default settings you can't reproduce the bypass?

Offline languy99

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3981
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #8 on: May 13, 2012, 03:42:22 PM »
Quote
Do you mean that even under default settings you can't reproduce the bypass?

Yup, they did not include the keylogger to test with, so I can't get it to work.

Offline gjf

  • Comodo Loves me
  • ****
  • Posts: 115
  • Fuimus - non sumus... Carpe diem!
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #9 on: May 13, 2012, 05:16:32 PM »
What do you mean "keylogger"? For what? The video was included in the article to present how to get process address space.

http://www.youtube.com/watch?v=Ar1SXYbKlm0

Offline OmeletGuy

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2918
  • Dragon Theme Maker
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #10 on: May 13, 2012, 06:12:10 PM »
Quote
What do you mean "keylogger"? For what? The video was included in the article to present how to get process address space.

http://www.youtube.com/watch?v=Ar1SXYbKlm0

Quote
This is the example PoC program in action. sswhk.exe is a simple keylogger program. The first run is the original program, which gets detected by the paranoid security settings of Comodo. Next, the AddTLSSection.exe program is executed to generate the code required to bypass Comodo. A new program, sswhk_.exe, is created and executed and successfully captures keystrokes without Comodo detecting it.

Description of the video on YouTube. We would need sswhk.exe to test with; it is not included.
System Details: W8.1-64bit | 16GB DDR3 | Intel Core I7-4710MQ[at]2.5Ghz to 3.5Ghz | CIS 8.2 | Geforce 840M

Offline gjf

  • Comodo Loves me
  • ****
  • Posts: 115
  • Fuimus - non sumus... Carpe diem!
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #11 on: May 13, 2012, 06:22:11 PM »
You can use any malware for this test. If you want a keylogger, you can try a trial of Refog, for instance.

Offline loverboy

  • Comodo's Hero
  • *****
  • Posts: 427
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #12 on: May 14, 2012, 02:15:32 PM »
Quote from: blacknight
I'm not sure I have understood: Comodo HIPS doesn't install itself at the kernel level? As EQSecure does.
Quote from: tomazyk
Not on 64 bit Windows. MS does not allow it. On 32 bit it does.
http://www.wilderssecurity.com/showthread.php?p=2055870#post2055870

Is this the reason for the "enhanced protection mode"?
Windows 7 Home Premium 64bit SP1
NOD32 Antivirus 8.0.319.0
COMODO CIS 8.4.0.5165
Configuration: Proactive Security
Firewall: Custom Ruleset
HIPS: Clean PC Mode
Auto-Sandbox: Disabled

Offline gjf

  • Comodo Loves me
  • ****
  • Posts: 115
  • Fuimus - non sumus... Carpe diem!
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #13 on: May 14, 2012, 02:49:04 PM »
Quote
Not on 64 bit Windows. MS does not allow it. On 32 bit it does.
Very interesting. So it means TDL4 installs itself in kernel mode on x64 in some mysterious way that none of the vendors know? Or possibly none of the vendors can sign drivers correctly so that Wx64 will allow them to load?

Will anybody from the developers respond here, or do we still continue discussing nonsense?

Offline vix123

  • Comodo Loves me
  • ****
  • Posts: 123
  • I don't use an antivirus that doesn't pass VB100
Re: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security
« Reply #14 on: May 15, 2012, 12:59:59 PM »
Quote
Will anybody from the developers respond here, or do we still continue discussing nonsense?

Unfortunately he is right. Perhaps the forum needs an advanced section where such issues can be discussed with a lower noise to signal ratio.
