ThreatFire is a behavior-based threat detection system from PC Tools. At least, that is what is claimed.
I paid attention to it only because of the numerous bugs and incompatibilities it produces with any third-party software (especially antirootkits).
And I was looking for a key to solve this. Just as in the case of AV products there co-exists so-called Fake AV (mostly scareware), so obviously some sort of this must exist in the HIPS area too.
ThreatFire is a perfect example of FakeHIPS. And not only that.
Behavior-based detection is built on two layers. First, the driver level.
TfSysMon.sys hooks the usual pack of routines for covering the Registry:
NtCreateKey
NtDeleteKey
NtDeleteValueKey
NtOpenKey
NtSetValueKey
and has a special hook on NtTerminateProcess to prevent unauthorized termination of ThreatFire (this one is hooked "to be completely sure").
Additionally it provides standard callback support: Process/Thread/Image/CmRegistryCallback. The only one of interest here is the ProcessNotify callback.
ThreatFire uses it to inject its spying DLL, TfWah.dll, into every starting process. In fact this is some sort of core component of the whole HIPS.
TfWah.dll is usually mapped at address 0x10000000 (not in the loader list), and performs MASSIVE API hooking in user mode.
As an example I will take Explorer.exe, where it hooks:
NtSuspendProcess
NtLoadDriver
DeviceIoControl
CreateFileA
VirtualProtectEx
VirtualProtect
LoadLibraryExW
LoadLibraryA
TerminateProcess
WriteProcessMemory
CreateProcessW
CreateProcessA
VirtualAlloc
MultiByteToWideChar
LoadResource
WideCharToMultiByte
GetProcAddress
LoadLibraryW
CreateMutexW
CreateMutexA
OpenMutexW
OpenMutexA
GetVolumeInformationW
CreateRemoteThread
CreateThread
CreateFileW
WriteFile
TerminateThread
MoveFileW
CreateDirectoryA
GetVolumeInformationA
CopyFileExW
CopyFileA
CopyFileW
OpenProcess
DeleteFileA
DeleteFileW
CreateDirectoryW
MoveFileExW
MoveFileA
DebugActiveProcess
MoveFileExA
CopyFileExA
WinExec
SetThreadContext
CreateToolhelp32Snapshot
RegOpenKeyExW
RegQueryValueExW
RegCreateKeyExW
RegOpenKeyExA
RegOpenKeyW
OpenProcessToken
RegQueryValueExA
RegSetValueExW
RegQueryValueW
RegCreateKeyExA
RegSetValueExA
RegOpenKeyA
AdjustTokenPrivileges
RegDeleteKeyA
RegDeleteKeyW
OpenSCManagerW
OpenSCManagerA
LookupPrivilegeValueW
RegCreateKeyW
RegQueryValueA
RegCreateKeyA
LookupPrivilegeValueA
LsaRemoveAccountRights
CreateServiceA
CreateServiceW
SetWindowsHookExW
SetWindowTextW
GetKeyState
GetWindowTextW
GetAsyncKeyState
ShowWindow
CreateWindowExW
GetKeyboardState
DrawTextW
CreateWindowExA
SetWindowTextA
SetWindowsHookExA
SetWinEventHook
GetWindowTextA
DrawTextA
DdeConnect
EndTask
RegisterRawInputDevices
ShellExecuteExW
Shell_NotifyIcon
Shell_NotifyIconW
ShellExecuteEx
ShellExecuteA
ShellExecuteW
InternetOpenUrlA
InternetOpenUrlW
Actually, this is the whole HIPS component.
What are they doing (and how)?
ThreatFire sets its hooks by splicing, without saving the original instructions; on return the handler simply jumps to the real function body at an offset equal to the size of the modification.
Here are two screenshots demonstrating how it works.
As an example I take the TerminateThread function; this is the original code (look at the function prologue).
And this screenshot shows the same code after ThreatFire's wonderful modification.
As you can see, there is a 6-byte direct jump to a memory region located at 0x716600XX. Let's look at what is there. It is just a jump to the actual hook code.
Each hooked function has its own specially allocated callgate. Here is just a little list.
Each hooked function also has a special associated Section object.
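The two properties described above (an entry-point jump that leaves the module, and a handler that resumes the original function at func+sizeof(patch) instead of re-executing saved bytes) are exactly what an antirootkit hook scanner looks for. The following is an added example written for this page; it is not code from the post, from Fireball or from ThreatFire. It models 32-bit x86 code as byte buffers so it runs on any platform: the module base, size, function address and handler address are constructed values (the 0x716600XX region is the only figure taken from the post), and the handler body is a stand-in, not ThreatFire's real one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Entry-point patch kinds recognised by this scanner (32-bit x86). */
typedef enum {
    HOOK_NONE = 0,      /* first bytes look like a normal prologue */
    HOOK_JMP_REL32,     /* E9 rel32: 5-byte near jump */
    HOOK_JMP_REL8,      /* EB rel8: 2-byte short jump */
    HOOK_PUSH_RET,      /* 68 imm32 / C3: 6-byte push+ret "direct" jump */
    HOOK_JMP_INDIRECT   /* FF 25 disp32: 6-byte jump through a pointer slot */
} hook_kind;

typedef struct {
    hook_kind kind;
    size_t    patch_len;     /* bytes of the original prologue that were overwritten */
    uint32_t  target;        /* where control goes (for FF 25: the pointer slot itself) */
    int       leaves_module; /* 1 if target lies outside the owning module's image */
} hook_report;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static int in_module(uint32_t va, uint32_t base, uint32_t size)
{
    return va >= base && va - base < size;
}

/* Classify the first bytes of an exported function and resolve the jump target. */
hook_report inspect_entry(uint32_t func_va, const uint8_t *code, size_t len,
                          uint32_t mod_base, uint32_t mod_size)
{
    hook_report r = { HOOK_NONE, 0, 0, 0 };

    if (len >= 5 && code[0] == 0xE9) {
        r.kind = HOOK_JMP_REL32; r.patch_len = 5;
        r.target = func_va + 5 + rd32(code + 1);              /* wraps mod 2^32 */
    } else if (len >= 2 && code[0] == 0xEB) {
        r.kind = HOOK_JMP_REL8; r.patch_len = 2;
        r.target = func_va + 2 + (uint32_t)(int32_t)(int8_t)code[1];
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        r.kind = HOOK_PUSH_RET; r.patch_len = 6;
        r.target = rd32(code + 1);
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        r.kind = HOOK_JMP_INDIRECT; r.patch_len = 6;
        r.target = rd32(code + 2);   /* slot address; the real target needs a memory read */
    }
    if (r.kind != HOOK_NONE)
        r.leaves_module = !in_module(r.target, mod_base, mod_size);
    return r;
}

/* Look inside a handler for "jmp func_va + patch_len": the tell-tale of a splice that
   never saved the overwritten instructions and just resumes the function past them.
   Returns the offset of that jmp inside the handler, or -1 if none is found. */
int find_skip_over_return(uint32_t func_va, size_t patch_len,
                          const uint8_t *handler, size_t hlen, uint32_t handler_va)
{
    size_t off;
    for (off = 0; off + 5 <= hlen; off++) {
        if (handler[off] == 0xE9 &&
            handler_va + (uint32_t)off + 5 + rd32(handler + off + 1) ==
                func_va + (uint32_t)patch_len)
            return (int)off;
    }
    return -1;
}

/* Constructed layout (assumed, not measured): a module at 0x7C800000 of size 0xF6000,
   the hooked function at 0x7C801000, the handler in the 0x716600XX region. */
#define MOD_BASE   0x7C800000u
#define MOD_SIZE   0x000F6000u
#define FUNC_VA    0x7C801000u
#define HANDLER_VA 0x71660010u

static const uint8_t clean_prologue[8] = {
    0x8B, 0xFF,   /* mov edi,edi (hot-patch pad) */
    0x55,         /* push ebp */
    0x8B, 0xEC,   /* mov ebp,esp */
    0x5D,         /* pop ebp */
    0xC3, 0xCC    /* ret ; int3 pad */
};

static void emit_jmp_rel32(uint8_t *dst, uint32_t from, uint32_t to)
{
    dst[0] = 0xE9;
    wr32(dst + 1, to - (from + 5));
}

typedef struct { hook_report clean; hook_report hooked; int backjump_off; } demo_result;

demo_result run_demo(void)
{
    demo_result d;
    uint8_t hooked[8], handler[7];

    /* Splice as described: the 5 entry bytes are replaced by a jmp, nothing is saved. */
    memcpy(hooked, clean_prologue, sizeof hooked);
    emit_jmp_rel32(hooked, FUNC_VA, HANDLER_VA);

    /* Stand-in handler: pushad / popad / jmp back to FUNC_VA+5 (constructed). */
    handler[0] = 0x60; handler[1] = 0x61;
    emit_jmp_rel32(handler + 2, HANDLER_VA + 2, FUNC_VA + 5);

    d.clean  = inspect_entry(FUNC_VA, clean_prologue, sizeof clean_prologue, MOD_BASE, MOD_SIZE);
    d.hooked = inspect_entry(FUNC_VA, hooked, sizeof hooked, MOD_BASE, MOD_SIZE);
    d.backjump_off = find_skip_over_return(FUNC_VA, d.hooked.patch_len,
                                           handler, sizeof handler, HANDLER_VA);
    return d;
}

int main(void)
{
    demo_result d = run_demo();
    printf("clean : kind=%d\n", (int)d.clean.kind);
    printf("hooked: kind=%d patch_len=%zu target=0x%08X leaves_module=%d\n",
           (int)d.hooked.kind, d.hooked.patch_len, d.hooked.target, d.hooked.leaves_module);
    printf("handler resumes original at func+%zu: jmp found at handler offset %d\n",
           d.hooked.patch_len, d.backjump_off);
    return 0;
}
```

On a live system the same two checks would be fed from real data: the prologue bytes read from each export of a loaded module, the module bounds from its image header, and the handler bytes from the region the entry jump points at. A hit on both checks for a function whose jump lands in a non-image, privately allocated region (the "callgate" the post describes) is a strong inline-hook indicator, and the patch length tells you how many original bytes were lost, which is why such hooks crash applications that already had those bytes patched by something else.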
Internally, the handler code in the library communicates with other ThreatFire components (via RPC), resulting in idiotic popups to the user etc.
All this stuff is extremely slow and buggy (for example, in my tests these numerous hooks caused Explorer to crash at ThreatFire application start;
another time Explorer couldn't start normally after a Windows reboot).
If this stuff is installed on a system already infected by something rootkit-like, it will result in application crashes because of ThreatFire's lame hooking.
The guys spent so much time on this hooking nightmare; honestly, I don't understand the purpose of this idiocy. All of this can be easily bypassed from user mode, and with the
current ThreatFire model it can do nothing about that. Even patches would not help. A HackerDefender-like FakeHIPS. Attached is Fireball v1.0, specially designed to
kill and remove ThreatFire from user mode, bypassing all its hooking idiocy. This is not a behavior-based detection system; this is a badly written user-mode rootkit with no future.
Fireball was tested against ThreatFire v4.7 under Windows XP SP3 and Windows Vista SP2. After it has run, ThreatFire will require re-installation.
I'm not recommending that anyone use this ThreatTrash. Save your time and the health of your OS.
A demo of Fireball vs ThreatFire v4.7 on Windows XP is attached as a Flash swf file (MPC can play it, for example).
Attachments
pass: fireball
Ring0 - the source of inspiration