Someone asked this question and I vaguely remember what was said here on the forum.
When it comes to:
- dll injection
- memory scraping
- reflective memory injection
- code injection
- hollow process
does the HIPS module actually block any of these?
* * * * *
I was of the understanding that it does not - for example, hollow process, but any malicious activity is limited to the isolated environment in which the hollow process occurs.
Also, code injection, dll injection, memory scraping, RMI, etc., are blocked by running programs in isolated environments.
In other words, the HIPS itself doesn't detect and block memory attacks in similar fashion to some other HIPS, but it is the built-in Windows mechanisms used by ReHIPS that prevent (isolate) or limit any damage to the isolated environment.
Inter-process attacks are blocked by virtue of their isolation from one another - and this extends to real user profile processes run as NT AUTHORITY\SYSTEM. The exception is when multiple programs are run simultaneously within an isolated environment (non-recommended practice).
Finally, the isolation is two-way; SYSTEM is isolated from isolated environment and isolated environment is isolated from SYSTEM.
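A way to check the claim above for yourself, rather than take it on faith: the injection techniques listed in the question (DLL injection, code injection, reflective injection, hollowing) all start by obtaining a process handle with memory-write and thread-creation rights, and that OpenProcess call is exactly what Windows denies across a user/session boundary. The script below is an added example, not ReHIPS code and not from the forum post; it probes every visible process from whatever context it is run in and reports which ones can be opened with an injector's access mask. The access-right constants are the documented Win32 values; the function name `Test-InjectionAccess` is my own.

```powershell
# Added example (not ReHIPS code): probe which processes the current context can
# open with the rights an injector needs. Run it from inside the isolated
# environment and compare with a run from the real user profile.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Documented PROCESS_* access rights (winnt.h). Together they are what the classic
# WriteProcessMemory + CreateRemoteThread path, and hollowing, need on the target.
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_OPERATION  = 0x0008
$PROCESS_VM_READ       = 0x0010
$PROCESS_VM_WRITE      = 0x0020

function Test-InjectionAccess {
    param([Parameter(Mandatory)][int]$ProcessId)

    $injectMask = $PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor `
                  $PROCESS_VM_READ -bor $PROCESS_VM_WRITE

    $h   = [Win32.Native]::OpenProcess($injectMask, $false, $ProcessId)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if ($h -ne [IntPtr]::Zero) {
        [void][Win32.Native]::CloseHandle($h)
        return [pscustomobject]@{ ProcessId = $ProcessId; InjectAccess = $true;  Win32Error = 0 }
    }
    # ERROR_ACCESS_DENIED (5) is what the isolation boundary should produce;
    # ERROR_INVALID_PARAMETER (87) means the PID no longer exists.
    return [pscustomobject]@{ ProcessId = $ProcessId; InjectAccess = $false; Win32Error = $err }
}

# Enumerate everything visible and show which targets an injector running here
# could actually reach. Across a properly isolated boundary the list should be
# limited to processes in this same isolated environment.
Get-Process | ForEach-Object {
    $r = Test-InjectionAccess -ProcessId $_.Id
    [pscustomobject]@{
        Name         = $_.ProcessName
        Id           = $_.Id
        InjectAccess = $r.InjectAccess
        Win32Error   = $r.Win32Error
    }
} | Sort-Object InjectAccess -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. First, run it from the context you want to test: an elevated shell holding SeDebugPrivilege will open nearly everything regardless of the target's DACL, which says nothing about the isolated environment. Second, this only tests the handle-acquisition step; a process that is already inside the same isolated environment as the target (the "multiple programs in one environment" exception mentioned above) will show `InjectAccess = True`, which is exactly why that practice is not recommended.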