Ask Questions Here - ReHIPS Features & Unexpected Behaviors

Started by HJLBX, April 11, 2016, 01:56:50 AM


HJLBX

Are there any fundamental processes on the system that can or will ignore restricted privileges?

For example,

  • lsass
  • csrss
  • smss
  • spoolsv

These processes can be abused to write code... so some security vendors recommend running them with limited privileges.

?

fixer

Only ReHIPS processes are hardcoded, thus rules for them are applied even though these processes are absent from the ReHIPS database. All other processes obey the corresponding rules in the database.
lsass, csrss, smss are usually privileged processes, so no isolated process will have access to them.

shmu26

XlbGameSave.Task.exe
this process needs to be allowed to run child processes, or it gets blocked.
see attached screenshot of log

fixer


shmu26

C:\WINDOWS\system32\igfxHK.exe
this Intel process needs to be allowed to start child processes

fixer


aDVll

Is multi-language support in the plans for the next stable release and, if yes, what languages are coming?

Also, can ReHIPS block code injection and process hollowing for isolated processes? Pretty sure it does both because they can't access other processes, but just a confirmation so we can have an official answer I can post in the MalwareTips topic that people were wondering about.
By the way, what about non-isolated applications? Will it detect the change?

fixer

Multi-language is supported, but currently only Russian and English translations are available.

An isolated process can't inject into or create hollow processes in other isolated environments or the non-isolated environment.

Quote from: aDVll on September 20, 2016, 12:07:16 PM
By the way, what about non-isolated applications? Will it detect the change?
I don't quite follow. What do you mean?

aDVll

Quote from: fixer on September 20, 2016, 05:37:59 PM
Multi-language is supported, but currently only Russian and English translations are available.

An isolated process can't inject into or create hollow processes in other isolated environments or the non-isolated environment.

Quote from: aDVll on September 20, 2016, 12:07:16 PM
By the way, what about non-isolated applications? Will it detect the change?
I don't quite follow. What do you mean?
About translation: any plans for other languages, or not at the moment?

If I run an application non-isolated, does it prevent/notify about code injection and the hollow-process method against other non-isolated applications?

fixer

Due to frequent changes in texts, we'd like to settle them down first so they don't change so often. Then we'll handle other languages, probably with some help from our testers ;)
Non-isolated programs are unrestricted, so they're free to inject into each other.

aDVll

Quote from: fixer on September 20, 2016, 08:20:16 PM
Due to frequent changes in texts, we'd like to settle them down first so they don't change so often. Then we'll handle other languages, probably with some help from our testers ;)
Non-isolated programs are unrestricted, so they're free to inject into each other.
Maybe you can check OneSky to set up a translation project. It's pretty easy to use, and if you keep the collaborators at 5 only, it's free. I doubt at the start you will need/have more.
https://www.oneskyapp.com/

fixer

Thanks for the hint, sounds interesting, we'll think about it.

HJLBX

Someone asked this question and I vaguely remember what was said here on the forum.

When it comes to:

  • DLL injection
  • memory scraping
  • reflective memory injection
  • code injection
  • process hollowing

does the HIPS module actually block any of these?

* * * * *

I was of the understanding that it does not - for example, hollow process, but any malicious activity is limited to the isolated environment in which the hollow process occurs.

Also, code injection, DLL injection, memory scraping, RMI, etc. are blocked by running programs in isolated environments.

In other words, the HIPS itself doesn't detect and block memory attacks in similar fashion to some other HIPS, but it is the built-in Windows mechanisms used by ReHIPS that prevents (isolates) or limits any damage to the isolated environment.

Inter-process attacks are blocked by virtue of their isolation from one another, and this extends to real user profile processes run as NT AUTHORITY\SYSTEM. The exception is when multiple programs are run simultaneously within an isolated environment (a non-recommended practice).

Finally, the isolation is two-way; SYSTEM is isolated from isolated environment and isolated environment is isolated from SYSTEM.
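A practical way to check the claim in this post, and in fixer's earlier reply that lsass, csrss and smss are out of reach of an isolated process, is to ask Windows directly for a handle with the access rights that DLL injection, CreateRemoteThread-style code injection and process hollowing all depend on (PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_CREATE_THREAD) and see whether the call succeeds. The following PowerShell script is an added example, not code from ReHIPS or from any poster in this thread; the function name Test-InjectAccess and the target-process list are the example's own choices. Run it once from an ordinary desktop session and once from inside a ReHIPS isolated environment and compare the two tables.

```powershell
# Added example (not ReHIPS code): probe whether the current process can obtain an
# injection-capable handle on other processes. A result of Injectable=False with
# Error=5 (ERROR_ACCESS_DENIED) means the kernel's access check, not a HIPS hook,
# refused the handle. Win32 functions are declared here via P/Invoke.
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Access rights (from winnt.h) that classic injection and hollowing steps require:
# allocate/protect memory in the target, write to it, and start a thread in it.
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_OPERATION  = 0x0008
$PROCESS_VM_WRITE      = 0x0020
$InjectMask = $PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor $PROCESS_VM_WRITE

function Test-InjectAccess {
    # Hypothetical helper name chosen for this example.
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)

    $handle = [Probe.Native]::OpenProcess($InjectMask, $false, $Process.Id)
    # Read the Win32 error immediately after the call, before anything else runs.
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if ($handle -ne [IntPtr]::Zero) {
        [void][Probe.Native]::CloseHandle($handle)
        return [pscustomobject]@{ Pid = $Process.Id; Name = $Process.ProcessName; Injectable = $true;  Error = 0 }
    }
    return [pscustomobject]@{ Pid = $Process.Id; Name = $Process.ProcessName; Injectable = $false; Error = $err }
}

# Processes named in this thread plus two ordinary user-session processes for contrast.
$targets = 'lsass', 'csrss', 'smss', 'spoolsv', 'explorer', 'notepad'
Get-Process |
    Where-Object { $targets -contains $_.ProcessName } |
    ForEach-Object { Test-InjectAccess -Process $_ } |
    Sort-Object Name |
    Format-Table Pid, Name, Injectable, Error -AutoSize
```

From an unprivileged desktop session you would normally expect Injectable = False with Error = 5 for the SYSTEM processes and True for your own notepad or explorer, since a process running under your account can open its siblings; from inside an isolated environment, the claim in this thread is that every row belonging to a process outside that environment comes back False. Note that the result describes the token the script runs under, so an elevated shell with SeDebugPrivilege enabled will open far more than a standard one.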

aDVll

@HJLBX
It blocks access to other processes which don't run inside the isolated environment, so as a result nothing can affect the processes outside of it. This is my understanding from his above reply.

HJLBX

Quote from: aDVll on September 21, 2016, 02:58:50 PM
@HJLBX
It blocks access to other processes which don't run inside the isolated environment so in result nothing can affect the processes outside of it. This is my understanding from his above reply.

In that case then, the HIPS module itself does not block anything other than execution... that's the specific question that was asked at MT.