Search found 162 matches

by Alex
Tue Mar 31, 2015 7:44 pm
Forum: Tools/Software
Topic: UACMe - Defeating Windows User Account Control
Replies: 136
Views: 427409

Re: UACMe - Defeating Windows User Account Control

Don't forget about yet another of MS's gifts (I didn't test it on Win 8+): http://codetastrophe.com/Larimer-VB2011.pdf This method is even easier to exploit than Davidson's first PoC. Does anyone know of malware using it to bypass UAC?
by Alex
Wed Jun 26, 2013 4:23 pm
Forum: User-Mode Development
Topic: AV SP Discussion & Bypass
Replies: 121
Views: 215613

Re: AV SP Discussion & Bypass

I was using the same method to exploit an old ESET vulnerability. So, ESET still doesn't protect access to its devices. I've never checked the functionality of the available IOCTLs, but this is not the first and not the last time such an easy scenario can be used to disarm AVs. Other AVs should also provide ...
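The check the post describes is a two-step one: can an unprivileged process open the AV's control device at all, and, if so, which of the driver's IOCTLs are reachable through that handle. The following is an added example (not code from the post, and not tied to any vendor's real driver); the device names in the demo are placeholders, the IOCTL values used for illustration are the documented IOCTL_DISK_GET_DRIVE_GEOMETRY and IOCTL_STORAGE_QUERY_PROPERTY codes, and probe_device() only works on Windows because it calls CreateFileW through ctypes.

```python
"""
Device-access probe and IOCTL decoder (added example, not from the post).

probe_device()  : tries CreateFile on \\.\<name> and reports whether the open
                  succeeded, was refused by the device DACL, or the device
                  does not exist. Run it from a non-elevated process.
decode_ioctl()  : splits a control code into its CTL_CODE fields. The access
                  field tells you whether a read-only handle is enough, and
                  METHOD_NEITHER tells you the driver is handed raw user
                  pointers, both of which matter once the device is open
                  to everyone.
"""
import sys

# CTL_CODE(DeviceType, Function, Method, Access) from ntddk.h / winioctl.h
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> dict:
    return {"device_type": code >> 16,
            "access": ACCESS[(code >> 14) & 3],
            "function": (code >> 2) & 0xFFF,
            "method": METHODS[code & 3]}


def callable_with_read_only_handle(code: int) -> bool:
    """The I/O manager compares the IOCTL's required access with the handle's
    granted access; FILE_ANY_ACCESS and FILE_READ_ACCESS codes go through a
    handle opened with GENERIC_READ only."""
    return ((code >> 14) & 3) in (0, 1)


GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
FILE_SHARE_READ_WRITE = 0x3
OPEN_EXISTING = 3
ERROR_FILE_NOT_FOUND, ERROR_ACCESS_DENIED = 2, 5


def probe_device(name: str, access: int = GENERIC_READ | GENERIC_WRITE) -> str:
    """Return 'open', 'denied', 'missing' or 'error:<code>' for \\.\<name>.
    Windows only: uses kernel32!CreateFileW via ctypes."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD,
                                ctypes.c_void_p, wintypes.DWORD, wintypes.DWORD,
                                wintypes.HANDLE]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    invalid_handle = ctypes.c_void_p(-1).value
    h = k32.CreateFileW("\\\\.\\" + name, access, FILE_SHARE_READ_WRITE, None,
                        OPEN_EXISTING, 0, None)
    if h == invalid_handle:
        err = ctypes.get_last_error()
        return {ERROR_ACCESS_DENIED: "denied",
                ERROR_FILE_NOT_FOUND: "missing"}.get(err, "error:%d" % err)
    k32.CloseHandle(h)
    return "open"


if __name__ == "__main__":
    # Documented codes used only to show the decoder; 0x70000 is
    # IOCTL_DISK_GET_DRIVE_GEOMETRY, 0x2D1400 is IOCTL_STORAGE_QUERY_PROPERTY.
    for code in (0x70000, 0x2D1400, ctl_code(0x22, 0x801, 3, 2)):
        print("%#010x -> %s  read-only handle ok: %s"
              % (code, decode_ioctl(code), callable_with_read_only_handle(code)))
    if sys.platform == "win32":
        # Placeholder device names; substitute the names found with WinObj.
        for dev in sys.argv[1:] or ["PhysicalDrive0", "NoSuchDevice"]:
            print("%-24s %s" % (dev, probe_device(dev)))
```

Read "open" from a non-admin shell as the problem the post points at: the DACL on the device object lets any user reach the driver's dispatch routine, and every FILE_ANY_ACCESS IOCTL is then reachable even through a read-only handle.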
by Alex
Tue Apr 09, 2013 7:24 pm
Forum: Malware
Topic: Bootkit: Win32/Gapz
Replies: 23
Views: 30310

Re: Bootkit: Win32/Gapz

Maybe Gapz is "the most complex bootkit seen so far in the wild", but it doesn't change the fact that it is easier to detect and clean than some older bootkits (see the real Mebroot, for example).
by Alex
Sun Feb 10, 2013 6:17 pm
Forum: Kernel-Mode Development
Topic: New Patchguard in Windows 8
Replies: 9
Views: 11729

Re: New Patchguard in Windows 8

I read this post viewtopic.php?f=14&t=1692 where the author writes that hooking of the Win32k system call table is prohibited on Windows 5 (to be more precise: the Patchguard detects modifications of the driver). Does anyone know if this is true? I admit I did not expect this change because I had see...
by Alex
Sun Feb 10, 2013 1:44 pm
Forum: Tools/Software
Topic: Antirootkits
Replies: 55
Views: 71112

Re: Antirootkits

by Alex
Tue Dec 25, 2012 11:43 am
Forum: Newbie Questions
Topic: Ideas on how to detect DLL injection.
Replies: 5
Views: 10589

Re: Ideas on how to detect DLL injection.

You can also extend querying process memory by looking for pages with PAGE_EXECUTE_* protection. Some malware which injects DLLs from kernel mode may just allocate VM and do the same job as the loader, but manually, without creating an image section. Obviously this method is slow and will give a lot of false ...
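The scan described in the post, as an added example (not code from the post): walk a process's regions and flag committed executable memory that is not part of an image section, which is what a manual mapper leaves behind after VirtualAlloc'ing the DLL's pages itself. The region model follows MEMORY_BASIC_INFORMATION; SAMPLE_REGIONS is constructed data standing in for VirtualQueryEx output, and enumerate_regions() only works on Windows. The classification is the interesting part: it separates private RWX (the classic manual-map signature) from executable data-file mappings, and expects false positives from JIT engines and packers, as the post says.

```python
"""
Executable-region scan for DLL injection (added example, not from the post).

classify() applies the post's rule to one region; find_suspicious() runs it
over a region list; enumerate_regions() collects the list from a live process
with VirtualQueryEx + GetMappedFileNameW (Windows only).
"""
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# winnt.h memory state / type / protection values
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXECUTE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


@dataclass
class Region:
    base: int
    size: int
    state: int
    protect: int
    type: int
    mapped_file: Optional[str] = None   # GetMappedFileName result, if any


def classify(r: Region) -> Optional[str]:
    """Reason string if the region looks like manually loaded code, else None.
    Image sections are what the real loader creates and are left alone."""
    if r.state != MEM_COMMIT or not (r.protect & EXECUTE_MASK):
        return None
    if r.type == MEM_IMAGE:
        return None
    if r.protect & PAGE_EXECUTE_READWRITE:
        return "private RWX" if r.type == MEM_PRIVATE else "mapped RWX"
    if r.type == MEM_PRIVATE:
        return "private executable (VirtualAlloc)"
    return "executable data mapping (%s)" % (r.mapped_file or "anonymous")


def find_suspicious(regions: List[Region]) -> List[Tuple[Region, str]]:
    hits = []
    for r in regions:
        reason = classify(r)
        if reason:
            hits.append((r, reason))
    return hits


def enumerate_regions(pid: int) -> List[Region]:
    """Windows only: walk the address space of `pid` with VirtualQueryEx."""
    import ctypes
    from ctypes import wintypes

    class MBI(ctypes.Structure):          # MEMORY_BASIC_INFORMATION
        _fields_ = [("BaseAddress", ctypes.c_void_p),
                    ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wintypes.DWORD),
                    ("RegionSize", ctypes.c_size_t),
                    ("State", wintypes.DWORD),
                    ("Protect", wintypes.DWORD),
                    ("Type", wintypes.DWORD)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [wintypes.HANDLE, ctypes.c_void_p,
                                   ctypes.POINTER(MBI), ctypes.c_size_t]
    psapi.GetMappedFileNameW.restype = wintypes.DWORD
    psapi.GetMappedFileNameW.argtypes = [wintypes.HANDLE, ctypes.c_void_p,
                                         wintypes.LPWSTR, wintypes.DWORD]
    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    regions, addr, mbi = [], 0, MBI()
    name = ctypes.create_unicode_buffer(1024)
    while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        base = mbi.BaseAddress or 0
        mapped = None
        if (mbi.State == MEM_COMMIT and mbi.Type != MEM_PRIVATE
                and psapi.GetMappedFileNameW(h, base, name, 1024)):
            mapped = name.value
        regions.append(Region(base, mbi.RegionSize, mbi.State,
                              mbi.Protect, mbi.Type, mapped))
        addr = base + mbi.RegionSize
    k32.CloseHandle(h)
    return regions


# Constructed sample standing in for VirtualQueryEx output of one process.
SAMPLE_REGIONS = [
    Region(0x7FFE0000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_PRIVATE),
    Region(0x77D40000, 0xE0000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE,
           r"\Windows\System32\ntdll.dll"),                      # loader-mapped
    Region(0x00300000, 0x21000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),  # manual map
    Region(0x00400000, 0x10000, MEM_RESERVE, 0, MEM_PRIVATE),
    Region(0x00800000, 0x100000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),         # heap
    Region(0x7FF00000, 0x4000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_MAPPED,
           r"\Temp\payload.bin"),                                 # data file mapped RX
]

if __name__ == "__main__":
    regions = (enumerate_regions(int(sys.argv[1]))
               if sys.platform == "win32" and len(sys.argv) > 1 else SAMPLE_REGIONS)
    for r, why in find_suspicious(regions):
        print("%016x +%08x  %s" % (r.base, r.size, why))
```

Run with a PID on Windows to scan a live process; anything else prints the hits in the constructed sample. To keep the false-positive rate down in practice, whitelist the private executable regions that .NET, JavaScript engines and some packers create, and treat RWX as the strong signal.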
by Alex
Tue Nov 27, 2012 6:17 pm
Forum: Malware
Topic: Malware utilizing killav features
Replies: 7
Views: 4428

Re: Malware utilizing killav features

Wapomi/Guntior use a blacklist. To terminate AV processes, the UM stuff sends IOCTLs and the process's threads are terminated using PspTerminateThreadByPointer, if I remember correctly.
by Alex
Mon Nov 26, 2012 8:07 pm
Forum: Kernel-Mode Development
Topic: Getting the PEB address through EPROCESS
Replies: 15
Views: 13872

Re: Getting the PEB address through EPROCESS

PROCESS 85dd2da0  SessionId: 0  Cid: 05a0    Peb: 7ffdf000  ParentCid: 00cc
    DirBase: 0c680320  ObjectTable: e2921270  HandleCount:  31.
    Image: livekd.exe

PROCESS 85e6bda0  SessionId: 0  Cid: 0520    Peb: 7ffdd000  ParentCid: 05a0
    DirBase: 0c680300  ObjectTable: e2b9dcd0  HandleCount: 168.
    Image: kd.exe

kd> .process...
by Alex
Mon Nov 26, 2012 6:34 pm
Forum: Kernel-Mode Development
Topic: Getting the PEB address through EPROCESS
Replies: 15
Views: 13872

Re: Getting the PEB address through EPROCESS

Or try to use PsGetProcessPeb(IN PEPROCESS Process).
by Alex
Mon Nov 19, 2012 6:27 pm
Forum: User-Mode Development
Topic: AV SP Discussion & Bypass
Replies: 121
Views: 215613

Re: Kill kaspersky 2012/2013 from user mode :)

Are you sure the Comodo service has associated windows? There is a lot of user32 stuff in the import table, but no windows observed at all. The firewall alert comes from the GUI application. Maybe it needs specific circumstances? And EndTask should fail, because NtTerminateProcess is hooked by cmdguard.sys as well as mes...