AV SP Discussion & Bypass

Forum for discussion about user-mode development.
kareldjag/michk
Posts: 91
Joined: Sun Jul 04, 2010 6:57 pm
Location: FRANCE

Re: AV SP Discussion & Bypass

Post by kareldjag/michk » Fri Nov 23, 2012 1:23 pm

hi
I attach pdf papers about the AV bypass (pwn2kill) contest launched by the French engineering school ESIEA (IAWACS.zip).
As a simple pdf, an overview of the results (even if imperfect, DrWeb self-protection was the least vulnerable http://www.docstoc.com/docs/89374475/An ... ge-Results , but i guess that the students used known methods and had only a few minutes to do it).
According to kamarade lieutenant colonel Eric Filiol, another kill contest will occur at the end of this month, but i doubt that foreigners are admitted
http://cvo-lab.blogspot.fr/2012/08/pers ... lable.html

If it is permitted, a few words about the right terminology.
An antivirus is often evaded, sometimes eluded; the same for a network-based IDS.
A firewall and an HIPS are often bypassed...
Now if the challenge is the self-protection and not the pattern file detection (polymorphism, oligomorphism etc.) then the HIPS terminology (bypass) can also be used.
The easiest way to deactivate an AV is to add a routine that changes the system date, as most of them do not restrict some privileges.
As a challenge, HIPS (mostly Sandboxie and DefenseWall for the personal market) appears more interesting.
Regarding the test environment, i do not see the need for a VM; i prefer disk imaging, or a reborn PCI card http://www.juzt-reboot.com/
As the GIGN special French police who practise the Trust Shoot against each other to have real training conditions (http://www.gign-historique.com/wp-conte ... 994-02.jpg ), testing must also be done in real-life environments (does the average user run the OS in a VM?)...

rgds
Security? Yeah But Well: http://www.ouaismaisbon.ch/

kmd
Posts: 271
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by kmd » Sat Nov 24, 2012 3:29 pm

hi kareldjag/michk.

i don't see anything except some old 2009 doc about self-protection bypass (with drweb5)
all the rest are testing AV preventive protection, not self-protection
EP_X0FF wrote:
They took the bait, and added two first dwprot SSDT hooks - NtOpenSection + NtSystemDebugControl. But they did it really lame (one of their hooks is still lame - can be used for another bypass even now in 2012).
what do u mean? are there other ways to bypass dwprot?

EP_X0FF
Global Moderator
Posts: 4860
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by EP_X0FF » Sat Nov 24, 2012 3:39 pm

kmd wrote:
EP_X0FF wrote:
They took the bait, and added two first dwprot SSDT hooks - NtOpenSection + NtSystemDebugControl. But they did it really lame (one of their hooks is still lame - can be used for another bypass even now in 2012).
what do u mean? are there other ways to bypass dwprot?
Yes, and they are multiple. Developers of this comedy section driver are not professionals and look like students.
Ring0 - the source of inspiration

kmd
Posts: 271
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by kmd » Mon Nov 26, 2012 4:52 am

http://www.kernelmode.info/forum/./view ... f=15&t=249

u guys forgot about this one =) it's old but was entertaining. latest Prevx still vulnerable btw?

EP_X0FF
Global Moderator
Posts: 4860
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by EP_X0FF » Mon Nov 26, 2012 6:28 am

kmd wrote:
http://www.kernelmode.info/forum/./view ... f=15&t=249

u guys forgot about this one =) it's old but was entertaining. latest Prevx still vulnerable btw?
This legalized fakeav faded into obscurity a few years ago when it was purchased by Webroot. As I see from their site the last build number is 220 (2 years old). So yes, all latest UnPrevx builds from the old thread will be killing it without any problems. As in fact all their attempts to fix their crapware were ridiculous and pleased me very well. Unfortunately they stopped entertaining me with their crafts.
Ring0 - the source of inspiration

0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by 0x16/7ton » Mon Nov 26, 2012 11:20 pm

I tested the shims engine method with DrWeb 8.0
status: vulnerable
They know about this hole, and released a product with multiple vulnerabilities in self-protection.
No comments.
Cause and effect

kmd
Posts: 271
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by kmd » Wed Nov 28, 2012 7:03 am

0x16/7ton wrote:
I tested the shims engine method with DrWeb 8.0
status: vulnerable
They know about this hole, and released a product with multiple vulnerabilities in self-protection.
No comments.
i don't think they know about this :mrgreen:

R00tKit
Posts: 129
Joined: Tue Nov 16, 2010 8:23 pm

Re: AV SP Discussion & Bypass

Post by R00tKit » Wed Nov 28, 2012 11:06 am

they know
@R00tkitSMM

rinn
Posts: 91
Joined: Thu Nov 15, 2012 6:14 am
Location: Japan

Re: AV SP Discussion & Bypass

Post by rinn » Wed Nov 28, 2012 12:16 pm

Hi.

Attached another demo of Dr.Web 8 termination. Password is "test" without quotes. This time I used the last available AV version and old SpiDiE v1.5 code (thanks to EP_X0FF for giving me the sources) updated to work with it. No driver usage, however.

With its help I was able to disable dwprot by removing the most significant DKOH hooks it used for the Process object type and Key object type, disable all Dr.Web services and kill all AV processes.

For the Process object type it is enough to zero OpenProcedure, because it is not used by Windows prior to Vista and initially contains NULL.
For the Key object type the task is a little more complicated; however, it took around 15 minutes to make it work. Dwprot sets its own Key->ParseProcedure handler, restricting unauthorized access to product keys. The difficulties here are:

1. The Key object type CmpKeyObjectType is not exported because it is not intended to be used by 3rd party software. This pointer is required to find where we will deliver our kernel memory patch.

2. Key->ParseProcedure by default is != NULL, but CmpParseKey. This routine is of course also not exported by ntos. You have to find it yourself.

To disable the registry monitoring it is required to find these two pointers and restore Key->ParseProcedure with the original value. Dwprot is not controlling the presence of its own hooks, nor its code integrity (this is a hint for another theoretical bypass). Well, to be honest, KGB AV turned out to be indeed lame. To find these pointers I used simple and stable signature patterns. They both can be found inside the CmInitSystem1 -> CmpCreateObjectTypes routine (use symbols; they are unexported). Because Dr.Web does not control driver loading and even in "Paranoid" mode can easily be tricked, that 'unhooking' can be used in a driver too, as it was used in SpiDiE 2.x. Be sure to disable / reconfigure the services SFA first, because they re-spawn each other in pure love.

I think it is enough for the current Dr.Web version and maybe even a little boring, so I stop here.

Best Regards,
-rin

kmd
Posts: 271
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by kmd » Thu Nov 29, 2012 4:35 am

NtCl0$e wrote:
they know
have u contacted them? what did they tell u? can u share?
