[FAQ] Does ReHIPS use hooking?

Started by fixer, January 02, 2018, 02:31:42 PM

Previous topic - Next topic

fixer

As you probably know, we state that "ReHIPS doesn't use rootkit-technologies (kernel-mode hooks etc.)". But some may wonder "hey, what's that HookDll32/64.dll then? I saw it was injected!". So let's talk about this a bit.

Since the dawn of time antiviruses were hooking the Windows kernel to intercept critical functions and inspect program behavior. And they'd been living happily till death in the person of PatchGuard did them part. Kernel Patch Protection (also known as PatchGuard) was introduced in Windows 2003 x64 (actually in Windows XP x64, but you can say it's based on 2003 kernel). Though it didn't stop some of the vendors from hooking the kernel (using hypervisor or some other shady stuff), it became something that is not just officially discouraged, but is actively being couteracted resulting in Blue Screen Of Death.

And what about user-mode hooks? They aren't something that is promoted, but if something can't be done without them, go ahead, use them, Microsoft even has a Detours project that helps hooking user-mode functions. And according to official Detours page "Under commercial release for over 10 years, Detours is licensed by over 100 ISVs and used within nearly every product team at Microsoft." So yeah, this thing is not that bad and dangerous like kernel-mode hooking, if it's "used within nearly every product team at Microsoft".

So what about ReHIPS? ReHIPS doesn't use any kernel-mode hooks. At all. And never has. And never will. We stand true to our statements. But yes, it does use some user-mode hooking. Why? They are for usability purposes only, no security or other potentially dangerous of important feature relies on it. For example when a process being started by explorer.exe (and that is pretty much every process you start double-clicking in explorer) is blocked, explorer complains about it and shows an error window. Injected HookDll intercepts this function in other processes like explorer and convinces them that everything is OK, no need to throw error windows. So it's purely a question of usability.

Umbra


Tarnak

#2
The only thing I understand regarding the topic, is the one word "Patchguard" and how it put the kybosh on further development of Defensewall by it's developer, Ilya Rabinovich - https://gladiator-antivirus.com/forum/index.php?showtopic=105045

P.S. I am still using it on my XP desktop, 32 bit system   - I have/had a  100 year lifetime license. ;)

P.P.S.  This post has put me back in the top 10 posters list. - https://forum.rehips.com/index.php?action=stats  Probably, just temporarily.  ;D

Edit: added P.P.S