A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #4229  by EP_X0FF
 Sun Jan 02, 2011 6:53 pm
ThreatFire is a behavior-based threat detection system from PC Tools. At least, that is what is claimed.

I paid attention to it only because of the numerous bugs and incompatibilities it produces with any third-party software (especially antirootkits).
And I was looking for a key to solve this. Just as so-called Fake AV (mostly scareware) coexists with AV products, obviously some sort of this must exist in the HIPS area too.
ThreatFire is a perfect example of FakeHIPS. And not only that.

Behavior-based detection is based on two layers. First, the driver level.

TfSysMon.sys hooks the usual pack of routines for covering the Registry:
NtCreateKey
NtDeleteKey
NtDeleteValueKey
NtOpenKey
NtSetValueKey
and a special hook on
NtTerminateProcess
to prevent unauthorized termination of ThreatFire (this one is hooked "to be completely sure").

Additionally it provides standard callback support: Process/Thread/Image/CmRegistryCallback. The only one of interest here is the ProcessNotify callback.
ThreatFire uses it to inject its spying DLL, TfWah.dll, into every starting process. In fact this is some sort of core component of this whole HIPS.

TfWah.dll is usually mapped at address 0x10000000 (not in the loader list), and performs MASSIVE API hooking in user mode.
As an example I will take Explorer.exe; in it, it hooks
NtSuspendProcess
NtLoadDriver
DeviceIoControl
CreateFileA
VirtualProtectEx
VirtualProtect
LoadLibraryExW
LoadLibraryA
TerminateProcess
WriteProcessMemory
CreateProcessW
CreateProcessA
VirtualAlloc
MultiByteToWideChar
LoadResource
WideCharToMultiByte
GetProcAddress
LoadLibraryW
CreateMutexW
CreateMutexA
OpenMutexW
OpenMutexA
GetVolumeInformationW
CreateRemoteThread
CreateThread
CreateFileW
WriteFile
TerminateThread
MoveFileW
CreateDirectoryA
GetVolumeInformationA
CopyFileExW
CopyFileA
CopyFileW
OpenProcess
DeleteFileA
DeleteFileW
CreateDirectoryW
MoveFileExW
MoveFileA
DebugActiveProcess
MoveFileExA
CopyFileExA
WinExec
SetThreadContext
CreateToolhelp32Snapshot
RegOpenKeyExW
RegQueryValueExW
RegCreateKeyExW
RegOpenKeyExA
RegOpenKeyW
OpenProcessToken
RegQueryValueExA
RegSetValueExW
RegQueryValueW
RegCreateKeyExA
RegSetValueExA
RegOpenKeyA
AdjustTokenPrivileges
RegDeleteKeyA
RegDeleteKeyW
OpenSCManagerW
OpenSCManagerA
LookupPrivilegeValueW
RegCreateKeyW
RegQueryValueA
RegCreateKeyA
LookupPrivilegeValueA
LsaRemoveAccountRights
CreateServiceA
CreateServiceW
SetWindowsHookExW
SetWindowTextW
GetKeyState
GetWindowTextW
GetAsyncKeyState
ShowWindow
CreateWindowExW
GetKeyboardState
DrawTextW
CreateWindowExA
SetWindowTextA
SetWindowsHookExA
SetWinEventHook
GetWindowTextA
DrawTextA
DdeConnect
EndTask
RegisterRawInputDevices
ShellExecuteExW
Shell_NotifyIcon
Shell_NotifyIconW
ShellExecuteEx
ShellExecuteA
ShellExecuteW
InternetOpenUrlA
InternetOpenUrlW
Actually this is the whole HIPS component.
What are they doing (and how)?

ThreatFire sets hooks with the help of splicing, without saving the original instructions, and then on return jumps into the real function body at an offset of sizeof(modification).

Here are two screenshots demonstrating how it works.
As an example I take the TerminateThread function; this is the original code (look at the function prologue).

Image

and this screenshot is of the same code after ThreatFire's wonderful modification

Image

As you can see, here is a 6-byte direct jump to a memory region located at 0x716600XX. Let's look at what it is. Here is just a jump to the actual code:

Image

Each hooked function has its own specially allocated callgate. Here is just a little list.

Image

Each hooked function has a special associated Section object.

Image

Internally, the handler code in the library communicates with other ThreatFire components (via RPC), resulting in idiotic popups to the user etc.

All this stuff is extremely slow and buggy (for example, in my tests these numerous hooks caused Explorer to crash at ThreatFire application start;
at other times Explorer couldn't start normally after a Windows reboot).

If this stuff is installed on a system already infected by something rootkit-like, it will result in application crashes because of ThreatFire's lame hooking.

The guys spent so much time on this hooking nightmare; honestly, I don't understand the purpose of this idiocy. All this can be easily bypassed from user mode, and with
the current ThreatFire model it can do nothing about that. Even patches would not help. HackerDefender-like FakeHIPS. Attached is Fireball v1.0, specially designed to
kill and remove ThreatFire from user mode, bypassing all its hooking idiocy. This is not a behavior-based detection system; this is a badly written user mode rootkit with no future.
Fireball was tested against ThreatFire v4.7 under Windows XP SP3 and Windows Vista SP2. After it has run, ThreatFire will require re-installation.

I'm not recommending that anyone use this ThreatTrash. Save your time and the health of your OS.

A demo of Fireball vs ThreatFire v4.7 on Windows XP is attached as a Flash swf file (MPC can play it, for example).
Attachments
pass: fireball
(6.47 KiB) Downloaded 57 times
pass: fireball
(1.23 MiB) Downloaded 157 times
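The post above describes ThreatFire splicing a 6-byte jump over each hooked function's prologue without keeping the original instructions. The usual way an antirootkit surfaces that kind of modification is a prologue integrity check: read the first bytes of each exported function in the live process, compare them with a clean copy of the same bytes (re-read from the module file on disk and relocated), and classify any difference. The program below is an added example written for this thread; it is not code from the post, from ThreatFire or from Fireball. It assumes three common x86 trampoline encodings (E9 rel32, FF 25 disp32, and push imm32 / ret); the actual encoding ThreatFire used is only visible in the screenshots, so that mapping is an assumption. All byte arrays, the function address 0x7C810000 and the 0x7166xxxx targets are constructed sample data, not dumps from a real system.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What was found at a function's entry point. */
typedef enum {
    HOOK_NONE = 0,      /* live bytes match the clean copy */
    HOOK_JMP_REL32,     /* E9 rel32       : 5-byte relative jump */
    HOOK_JMP_IND32,     /* FF 25 disp32   : 6-byte jump through a pointer slot */
    HOOK_PUSH_RET,      /* 68 imm32 / C3  : 6-byte push + ret */
    HOOK_UNKNOWN_PATCH  /* prologue changed, encoding not recognised (e.g. int3) */
} hook_kind;

typedef struct {
    hook_kind kind;
    size_t    patch_len;  /* number of prologue bytes that were overwritten */
    uint32_t  target;     /* jump target (for FF 25: address of the pointer slot), else 0 */
} hook_report;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Compare the live entry bytes of a function against a clean copy of the same
 * bytes and classify any difference. func_va is the function's virtual address,
 * needed to resolve an E9 rel32 displacement (relative to the next instruction). */
hook_report check_prologue(uint32_t func_va, const uint8_t *live,
                           const uint8_t *clean, size_t len)
{
    hook_report r = { HOOK_NONE, 0, 0 };
    if (memcmp(live, clean, len) == 0)
        return r;

    if (len >= 5 && live[0] == 0xE9) {
        r.kind = HOOK_JMP_REL32;
        r.patch_len = 5;
        r.target = func_va + 5 + rd32(live + 1);   /* uint32_t wraps like the CPU does */
    } else if (len >= 6 && live[0] == 0xFF && live[1] == 0x25) {
        r.kind = HOOK_JMP_IND32;
        r.patch_len = 6;
        r.target = rd32(live + 2);                 /* slot holding the real destination */
    } else if (len >= 6 && live[0] == 0x68 && live[5] == 0xC3) {
        r.kind = HOOK_PUSH_RET;
        r.patch_len = 6;
        r.target = rd32(live + 1);
    } else {
        /* Not a known trampoline: report how far into the prologue the change reaches. */
        size_t i, last = 0;
        for (i = 0; i < len; i++)
            if (live[i] != clean[i]) last = i + 1;
        r.kind = HOOK_UNKNOWN_PATCH;
        r.patch_len = last;
    }
    return r;
}

const char *hook_kind_name(hook_kind k)
{
    switch (k) {
    case HOOK_NONE:       return "clean";
    case HOOK_JMP_REL32:  return "jmp rel32";
    case HOOK_JMP_IND32:  return "jmp [ptr]";
    case HOOK_PUSH_RET:   return "push/ret";
    default:              return "unknown patch";
    }
}

/* Constructed sample data (not dumped from a real system). The clean prologue is
 * the hot-patchable "mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10" sequence. */
const uint32_t kFuncVa = 0x7C810000u;
const uint8_t kCleanPrologue[8]  = { 0x8B,0xFF, 0x55, 0x8B,0xEC, 0x83,0xEC,0x10 };
const uint8_t kPushRetHooked[8]  = { 0x68,0x40,0x00,0x66,0x71, 0xC3, 0xEC,0x10 }; /* -> 0x71660040 */
const uint8_t kJmpRel32Hooked[8] = { 0xE9,0x7B,0x00,0xE5,0xF4, 0x83,0xEC,0x10 }; /* -> 0x71660080 */
const uint8_t kIndirectHooked[8] = { 0xFF,0x25,0x00,0x10,0x66,0x71, 0xEC,0x10 }; /* via [0x71661000] */
const uint8_t kBreakpoint[8]     = { 0xCC,0xFF, 0x55, 0x8B,0xEC, 0x83,0xEC,0x10 }; /* int3, not a hook */

int main(void)
{
    struct { const char *name; const uint8_t *live; } samples[] = {
        { "LoadLibraryA",    kCleanPrologue  },
        { "TerminateThread", kPushRetHooked  },
        { "DeleteFileW",     kJmpRel32Hooked },
        { "CreateFileW",     kIndirectHooked },
        { "WriteFile",       kBreakpoint     },
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        hook_report r = check_prologue(kFuncVa, samples[i].live, kCleanPrologue, 8);
        printf("%-16s %-14s patched=%zu target=0x%08X\n",
               samples[i].name, hook_kind_name(r.kind), r.patch_len, r.target);
    }
    return 0;
}
```

The `clean` parameter is the important design choice: because the post says the overwritten instructions are not saved anywhere by the hooking library, the reference bytes cannot be recovered from the process itself and have to come from the module on disk, which this check assumes the caller has already read and relocated. An `int3` or other unrecognised change is reported as an unknown patch with the span of changed bytes rather than being mistaken for a trampoline.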
 #5016  by wealllbe20
 Fri Feb 11, 2011 4:29 pm
I wish there were more antimalware reviews like this one.

:D

Can you imagine something like this being in PCWorld?

All they ever really talk about is how good the detection rate is with old malware samples.
 #5028  by shaheen
 Sat Feb 12, 2011 11:38 pm
Hi EP! Thanks for this detailed analysis; though most of it is over my head, I can grasp the verdict that TF is badly coded and designed. What do you think of the HIPS module in Comodo Firewall and sandboxes like GesWall, DefenceWall and Sandboxie?

Thanks a lot