Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 1 reply
  • Subscribers 14 subscribers
  • Views 7275 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Test with HitmanPro Tool

MichaelD

I have been running hmpalert.exe and run the entire test. I wonder why this tests below not being stopped, all the other tests was stopped. Do 4 and 5 only check for VMware or can it also check for other VM’s, if not that’s why this is not working.

  1. Unpivot Stack (Executes ROP-chain on both pivoted and native stack)
  2. ROP – system() in msvcrt (Runs calculator via Return-oriented programming)
  3. Anti-VM – VMware (Checks if this process is running in a virtual machine )
  4. Anti-VM - Virtual PC (Checks if this process is running in a virtual machine )
  5. Keyboard logger (not an exploit) (Captures keystroke from other applications )


This thread was automatically locked due to age.
  • 0

    Hi !

    Thank you for your questions. Below the answers:

    1. The Unpivot Stack technique can only be stopped by Sophos Intercept when run physical (Intel) hardware (thus not in a virtual machine or VM).
    2. During the development of Sophos Intercept, we temporarily disabled, improved and re-enabled many mitigations, build by build. If you run the test again against the latest build of Sophos Intercept (version 0.7 or higher), the ROP - system() in msvcrt test should be intercepted again.
    3. Sophos Intercept currently does not include the Vaccination feature of HitmanPro.Alert.
    4. Sophos Intercept currently does not include the Vaccination feature of HitmanPro.Alert.
    5. Sophos Intercept currently does not include the Keyboard Encryption feature of HitmanPro.Alert.

    Hope this helps. Best, Mark

Unfiltered HTML