Recent Posts

31

Developers' Blog / [BUG] WTSFreeMemoryExA and memory leak

« Last post by fixer on December 06, 2018, 10:38:39 am »

WTSFreeMemoryExA API function is supposed to free allocated memory. And one of the parameters it receives is WTSTypeClass, it indicates the types of structures this function should free. It can be WTSTypeProcessInfoLevel0, WTSTypeProcessInfoLevel1 or WTSTypeSessionInfoLevel1. But sanity checking inside this function accepts only the first two and returns ERROR_INVALID_PARAMETER on the third one without freeing anything. And hence it leads to memory leaks.

Any solutions? Looks like WTSFreeMemoryExW doesn't have this bug.

This issue was found several months ago, it wasn't fixed then. I haven't checked it since, but I suspect it to remain broken for many years to come.

32

Developers' Blog / [FAQ] ReHIPS files (part 2)

« Last post by fixer on November 26, 2018, 08:51:05 am »

-default.rdb (RulesManager database of xml format with initial rules for programs);

-settings.xml (file with global settings, more about local and global settings here https://forum.rehips.com/index.php?topic=11745.0);

-opengl32sw.dll, Qt5Core.dll, Qt5Gui.dll, Qt5Network.dll, Qt5Qml.dll, Qt5Quick.dll, Qt5Widgets.dll and Qt5WinExtras.dll files and platforms, QtGraphicalEffects, QtQuick and QtQuick.2 folders (Qt framework libraries and stuff, used in GUI parts DeployHelper, HIPSGui and RulesManager);

-api-ms-win-*, concrt140.dll, msvcp140.dll, ucrtbase.dll and vcruntime140.dll (C++ runtime libraries, used by almost everything);

-Help folder (help files for GUI parts);

-Translations folder (localization files for GUI parts).

-%SystemDrive%\ReHIPS (folder for files exchange with isolated programs, separate blogpost about it here https://forum.rehips.com/index.php?topic=9487.0);

-%SystemRoot%\System32\winevt\Logs\ReHIPS.evtx (saved Event Log file);

-%UserProfile%\AppData\Roaming\ReHIPS\ReHIPS.ini (file with user-specific local settings, more about local and global settings here https://forum.rehips.com/index.php?topic=11745.0).

33

Developers' Blog / [FAQ] ReHIPS files (part 1)

« Last post by fixer on November 16, 2018, 08:37:40 am »

If you take a look into the folder ReHIPS was installed into, you'll see quite a bunch of files. For the ones curious what they are for, this blogpost is.

-DeployHelper32.exe/DeployHelper64.exe (help install software straight into isolated environment, seperate blogpost about it here https://forum.rehips.com/index.php?topic=11675.0);

-DesktopTools32.exe/DesktopTools64.exe (show keyboard layout indicator and help set hooks on isolated desktops);

-EmptyStub32.exe/EmptyStub64.exe (just an empty stub that does nothing; when a process is blocked, execution of this empty stub is simulated so no error message is shown);

-FileManager32.exe/FileManager64.exe (ReHIPS file manager as explorer doesn't browse folders for isolated programs, separate blogpost about this bug here https://forum.rehips.com/index.php?topic=9515.0);

-HIPS32.sys/HIPS64.sys (driver to monitor processes creation and termination, also filters file system and registry access operations);

-HIPSAgent32.exe/HIPSAgent64.exe (agent helps working with programs in different sessions, also shows desktops widget and all bells and whistles like taskbar for isolated desktops);

-HIPSGui32.exe/HIPSGui64.exe (main graphical user interface or ReHIPS Control Center, implemented as thin client);

-HIPSService32.exe/HIPSService64.exe (heart and core of ReHIPS, contains all the major stuff, can work in head-less mode, also operates as middle-ware between driver and Control Center);

-HookDll32.dll/HookDll64.dll (library to inject into other processes and perform usability tasks like suppressing error window when a process is blocked);

-ReHIPS.xml (database with program rules);

-RulesManager32.exe/RulesManager64.exe (separate graphical user interface for rules management, seperate blogpost about it here https://forum.rehips.com/index.php?topic=9530.0);

-RunElevated32.exe/RunElevated64.exe (used by DeployHelper to start elevated installer process);

-RunLimited32.exe/RunLimited64.exe (starts in isolation processes that require administrator privileges);

-RunRestricted32.exe/RunRestricted64.exe (starts files in isolation from explorer context menu, there is a trick with it described here https://forum.rehips.com/index.php?topic=9574.0).

34

Developers' Blog / Re: [FAQ] Lock-Down Mode

« Last post by Umbra on November 13, 2018, 03:11:46 am »

The best way to use Lockdown Mode is (on a obviously clean system), to restart the system in learning mode 2-3 times, then set Lockdown Mode.
Critical processes should be whitelisted then Lockdown mode shouldnt causes issues. Of course,  this should be done after every Windows umulative updates.

35

Developers' Blog / [FAQ] Can ReHIPS be registered in Windows Security Center?

« Last post by fixer on November 05, 2018, 12:04:24 pm »

You probably heard about Windows Security Center. Among other things it controls whether your PC is firewalled and protected with an antivirus and an antispyware and either nags you that you're in danger or enables something default like Windows Defender. It allows other software to register there, in other words to interface with it to report that the software is responsible for example for antivirus protection. So can ReHIPS do it? Yes it can and it did register as antivirus and antispyware, but later (from version 2.2.0) this functionality was removed. Why, it doesn't protect from viruses? No, ReHIPS does provide antivirus and antispyware protection, the reason behind this is different. When a third-party software is registered in Windows Security Center and reports that it's OK and running, default built-in Windows Defender is disabled. This was done most likely for performance considerations for their functions not to overlap, maybe to avoid possible conflicts. But ReHIPS doesn't have any signatures, it doesn't scan files for malware, it operates in a different way, so it's OK to have ReHIPS and Windows Defender at the same time, they operate differently and nothing overlaps. So we decided to simply remove ReHIPS registration, this way Windows Defender stays working.

36

ReHIPS / Re: Can execute Sub-Programs: Alert -- what command lines does it monitor?

« Last post by fixer on November 04, 2018, 06:35:38 pm »

Yup, that's the answer.
Let's take a closer look: cmd.exe starts sc.exe with parameters. So:
-parent: cmd.exe
-process: sc.exe
Parameters are checked for the process, it's sc.exe. So you don't have any alerts.

37

ReHIPS / Re: Can execute Sub-Programs: Alert -- what command lines does it monitor?

« Last post by shmu26 on November 04, 2018, 01:46:09 pm »

cmd.exe, like it is in default settings.
So that's the answer, I guess. The way I did it, sc.exe would need to have the Sub-Programs Alert rule. In other words, it is the executed program that counts, not the executor.

38

ReHIPS / Re: Can execute Sub-Programs: Alert -- what command lines does it monitor?

« Last post by fixer on November 04, 2018, 01:25:32 pm »

What program you have Sub-Programs Alert rule for? cmd or sc?
And just in case make sure you set it for the correct real user, the one you test from.

39

ReHIPS / Can execute Sub-Programs: Alert -- what command lines does it monitor?

« Last post by shmu26 on November 04, 2018, 08:45:17 am »

I am trying to understand "Can execute Sub-Programs: Alert" .
I opened an elevated command prompt and entered the command:
sc delete ProcLoggerSvc
The command was executed.
If cmd.exe called sub-program sc.exe and passed it a command, why was there no alert?

40

Developers' Blog / [FAQ] ReHIPS network control

« Last post by fixer on October 29, 2018, 02:17:17 pm »

If you've been following ReHIPS since early versions, you probably remember there was network control for programs at first and then it migrated to isolated environment. From ReHIPS 2.4.0 network control is possible for both isolated environments and programs. So what's the deal with all these changes?

At first each program had its own isolated environment, so having this program blocked from network access basically meant having the network access blocked for the corresponding isolated environment. But later we enabled each isolated environment to have multiple programs. And then network control was moved to isolated environment. Why? Because it's a security boundary. A program can't escape isolated environment, the isolated environment doesn't have network access, so the program is guaranteed to be blocked from the network. But later we received multiple requests to return network control on a program-wise basis. And so we did. But keep in mind, that it's only for well-behaving programs, it's not a security boundary! In other words, if a program is benevolent, tries to make a network connection and obediently agrees if it's not given, then it remains offline. But if a program is malicious, doesn't agree and starts misbehaving like injecting into other programs running is the same isolated environment (it can do this as they're in the same isolated environment) and these other programs along with the isolated environment are allowed to have network access, the program will also access network through them. So keep this in mind, program-wise network control is not for strong security, it's for convenience and usability.