Why Usermode Hooking Sucks – Bypassing Comodo Internet Security

I just found some interesting article in Internet. Looks like there is a way of overcoming HIPS in Comodo products. Author has contacted Comodo representatives already (about 5 months ago) and looks like there is no any reaction.

Is it possible to get some answer from authorities here?


To conclude with, we’d like to stress that we do not hate the Comodo HIPS product. The bypassing method presented in this post is rather remote and applies only on SysWoW64 ( 32bit ) applications running on a 64bit Windows version. Attached you will find a proof of concept application that automates the process of generating executable that can bypass the installation of hooks throughout the process address space. Thank you for reading.

Only question here is, does this also include “Enhanced protection mode” (in Defense+) or only without it?

The article includes compiled PoC and sources. You can check everything at your system and respond with results here.

Sorry - cannot help: have no x64 at home.

I’ll test this out and let you know what I find.

It looks like enhanced protection was introduced in Version 5.8, which was released on October 11, 2011.

Thus it was at least present in the program at the time.

Well, present yes, but is disabled by default.

I can’t reproduce it, sorry

Do you mean that even under default settings you can’t reproduce the bypass?

yup, they did not include the keylogger to test with so I can’t get it to work.

What do you mean “keylogger”? For what? The video was included in the article to present how to get process address space.

This is the example POC program in action. sswhk.exe is a simple keylogger program. First run is the original program which gets detected by the paranoid security settings of Comodo. Next, the AddTLSSection.exe program is executed to generate the code required to bypass comodo. [b]A new program is created and executed sswhk_.exe and is successfully capturing keystrokes without comodo detecting it[/b].

Description of the video on YouTube. We would need sswhk.exe to test with, it is not included.

You can use any malware for this test. If you want a keylogger, you can try a trial of Refog as an instance.

[QUOTE=blacknight]I’m not sure to have understood, Comodo HIPS doesn’t install itself at the kernel level ? As EqSesure done.

[QUOTE=tomazyk]Not on 64 bit Windows. MS does not allow it. On 32 bit it does.


Is this the reason of the “enhanced protection mode”?

Not on 64 bit Windows. MS does not allow it. On 32 bit it does.
Very interesting. So it means TDL4 installs itself in kernelmode at x64 in some mysterious way that none of vendors knows? Or possibly none of vendors can sign drivers in a correct way so Wx64 will allow to load it?

Will anybody from developers respond here or we still continue discussing nonsense?

Unfortunately he is right. Perhaps the forum needs an advanced section where such issues can be discussed with a lower noise to signal ratio.

Hi Guys,

The discussion of user space hooks is not new. Actually, the leak tests of www.matousec.com, always bypass user space hooks while doing intended operations. Hence almost everyone fails in Windows x64 in their tests( Except CIS ofcourse).

In the article, i dont see any bypass. The author just unhooked user space hooks which are used for various purposes however failed to demonstrate what sort of security leak is caused by this. What is bypassed i.e. what security leak did this unhooking cause? Did it allow the attacker to change a protected file? Protected key? etc. As i explained above, there are MANY counter defenses implemented in D+ which copes with these user space hooking issues.

The most significant of them is enhanced mode for example. The author intentionally or unknowingly, didn’t mention Enhanced protection mode which is automatic when one switches to paranoid mode. They could not mention perhabs othrwise there would be nothing left to discuss.

Architecturally, user space hooks in CIS are used for compatibility and not for security as much as possible. As of today, CIS even in 64 bit operating systems offers full kernel based protection.

Thank your for stepping in and explaining this in more detail.

As of today, CIS even in 64 bit operating systems offers full kernel based protection.
What does this mean for the 64 bit platform? Does it mean kernel hooking is used even though prevented by design? Or are there other techniques being used?

It means its almost as good as 32 bit OSs. However i do not want to disclose further details about this.

egemen, thanks for explanation.
Could you please comment video also? How is it possible that blocked on every action, sandboxed application was able to monitor mouse and keyboard events, to log them and even write down them into the file? Why the obvious keylogger activity wasn’t blocked?

Keylogging is possible within the sandbox. It is by design. It has nothing to do with bypass. You see CIS rigt now doesnt block non-infectious actions of sandboxed applications in order to improve the compatibility. Infectious actions are the ones that can change the computer permanently and let malware persist after a restart.