matousec kernel hook probing tool

this tool is known to crash xp.
except that with online armor it can’t even start anything to crash xp :

that’s a great example of defense and what i need from a FW or an AV, to prevent bad actions and block them before they even try to start anything.

Did you see any interesting alert from OA? Else I think it’s a bug of the matousec tool rather than OA protecting you.

Maybe Matousec’s gadget doesn’t work in every Windows build… ???

Well that’s what CFP3’s A-VSMART is all about, and not only defends you against actions that will end in malware calling home, but against any kind of activity.

man it’s not a bug from anything, it happens only with online armor.
i made a lot of test and when online armor is installed i got this message :
access violation at address 76C97761 module ‘IMAGHELP.DLL’ . Read of address 00000024.
which is certainly used to run the exploits on the OS.
except that online armor blocks this action cause it knows it’s a bad code that is trying to do what the prog is coded for : crashing xp.
and if u use kaspersky with proactive defense, when u click on load the driver, u got a popup to allow, stop or add to good apps.
in case you allow the driver, u will never find the SSDT hooked list if online armor is installed.
just access violation error message instead.
u can try, u’ll see.
online armor is possibly the best firewall actually. except they forget the most important part : running on vista! and that is a huge miss and error they did.
yep coders, vista is not xp, but i think that with all the problems u had trying to update your apps to vista now u know for sure.

i just have to close online armor then i can access all the list of SSDT hooks that will bsod XP.

Ah then very good for OA, I’ve heard good things about it. I guess they’ll be adding Vista support as soon as they can. Anyway I’m guessing CFP would block it as well, Defense+ monitors hooks and, well everything.

I’ve been using that tool for months. It is a fuzzer; maybe knowing this you’ll change your definition of features a bit.

For anyone reading this topic I wish to point out that Matousec BSODhook is meant to test if a security product’s driver is implemented in a proper way.
That test is not explicitly meant to crash a computer (BSOD). Anyway if something unexpected (from the developer standpoint) occurs a BSOD will be triggered.
Matousec built that tool to handle those BSODs graciously (BSOD disable button) but there is no guarantee this will work in all cases.

During our security analyses of personal firewalls and other security-related software that uses SSDT hooking, we found out that many vendors simply do not implement the hooks in a proper way. This allows local Denial of Service by unprivileged users or even privilege escalation exploits to be created. 100% of tested personal firewalls that implement SSDT hooks do or did suffer from this vulnerability! This article reviews the results of our testing and describes how a proper SSDT hook handler should be implemented. We also introduce BSODhook – a handy tool for every developer that deals with SSDT hooks and a possible cure for the plague in today's Windows drivers world.
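The quoted abstract says a hook handler must be "implemented in a proper way" but does not show what that means. As an added illustration (not Matousec's or any vendor's code), here is a portable C model of the validation a hook handler has to perform on a user-supplied pointer before dereferencing it: ProbeForRead, the __try/__except-guarded copy, the previous-mode decision and the 32-bit XP user/kernel boundary are simulated, and the single mapped user page and its virtual address are constructed values.

```c
/* Added model (not Matousec's or any vendor's code) of the checks an SSDT hook
 * handler must make before touching user-supplied pointers. Portable C: user memory
 * is one constructed page at a simulated address; kernel calls are modelled, not real. */
#include <stdint.h>
#include <string.h>

typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000)
#define STATUS_DATATYPE_MISALIGNMENT ((NTSTATUS)0x80000002)
#define STATUS_ACCESS_VIOLATION      ((NTSTATUS)0xC0000005)
#define STATUS_INVALID_PARAMETER     ((NTSTATUS)0xC000000D)
/* 32-bit XP: user space ends at MmUserProbeAddress; only the constructed
 * page at USER_PAGE_VA counts as mapped in this model. */
#define MM_USER_PROBE_ADDRESS ((uintptr_t)0x7FFF0000)
#define USER_PAGE_VA          ((uintptr_t)0x00400000)
static uint8_t user_page[4096];
typedef struct { uint32_t Length; uint32_t Attributes; } OBJECT_ATTRIBUTES_MODEL;
/* Model of ProbeForRead: zero length passes; otherwise require alignment,
 * no wraparound, and the whole range below the user/kernel boundary. */
static NTSTATUS probe_for_read(uintptr_t va, size_t len, size_t align) {
    if (len == 0) return STATUS_SUCCESS;
    if (va % align != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (va + len < va || va + len > MM_USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}
/* Model of the copy guarded by __try/__except: a probed address may still be
 * unmapped, and that must come back as a status code, not a BSOD. */
static NTSTATUS capture_from_user(void *dst, uintptr_t va, size_t len) {
    if (va < USER_PAGE_VA || va + len > USER_PAGE_VA + sizeof user_page)
        return STATUS_ACCESS_VIOLATION;
    memcpy(dst, user_page + (va - USER_PAGE_VA), len);
    return STATUS_SUCCESS;
}
static NTSTATUS original_service(const OBJECT_ATTRIBUTES_MODEL *oa) { /* unhooked stand-in */
    return oa->Length == sizeof *oa ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}

/* Hardened hook: a user-mode argument is probed and captured into a kernel-owned
 * copy before any field is read, so policy and the forwarded call see data the
 * caller can no longer change; kernel-mode callers are trusted (ExGetPreviousMode). */
static NTSTATUS hooked_service(uintptr_t oa_va, KPROCESSOR_MODE previous_mode) {
    OBJECT_ATTRIBUTES_MODEL local;
    NTSTATUS st;
    if (previous_mode == KernelMode)
        return original_service((const OBJECT_ATTRIBUTES_MODEL *)oa_va);
    if ((st = probe_for_read(oa_va, sizeof local, sizeof(uint32_t))) != STATUS_SUCCESS) return st;
    if ((st = capture_from_user(&local, oa_va, sizeof local)) != STATUS_SUCCESS) return st;
    return original_service(&local);
}
```

A handler that skips the probe or the guarded copy and reads the structure directly is exactly the kind that turns an unprivileged caller's bad pointer into the BSODs discussed in this thread.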