A forum for reverse engineering, OS internals and malware analysis 

Search found 162 matches

 Go to advanced search

Re: UACMe - Defeating Windows User Account Control

 by Alex ¦  Tue Mar 31, 2015 7:44 pm ¦  Forum: Tools/Software ¦  Topic: UACMe - Defeating Windows User Account Control ¦  Replies: 136 ¦  Views: 441520

Don't forget about yet another MS's gift (I didn't test it on win 8+) - http://codetastrophe.com/Larimer-VB2011.pdf This method is even easier to exploit than the first Davidson's PoC. Does anyone know malwere using it to bypass UAC?

Re: AV SP Discussion & Bypass

 by Alex ¦  Wed Jun 26, 2013 4:23 pm ¦  Forum: User-Mode Development ¦  Topic: AV SP Discussion & Bypass ¦  Replies: 121 ¦  Views: 222534

I was using the same method to exploit an old ESET's vulnerability . So, ESET still doesn't protect access to its devices. I've never checked functionalities of available IOCTLs, but this is not first and not last time when such easy scenario can be used to disarm AVs. Other AVs should also provide ...

Re: Bootkit: Win32/Gapz

 by Alex ¦  Tue Apr 09, 2013 7:24 pm ¦  Forum: Malware ¦  Topic: Bootkit: Win32/Gapz ¦  Replies: 24 ¦  Views: 31429

Maybe Gapz is "the most complex bootkit seen so far in the wild", but it doesn't change a fact that it is easier to detect and clean it than some older bootkits (see real mebroot for example).

Re: New Patchguard in Windows 8

 by Alex ¦  Sun Feb 10, 2013 6:17 pm ¦  Forum: Kernel-Mode Development ¦  Topic: New Patchguard in Windows 8 ¦  Replies: 9 ¦  Views: 12034

I read thie post viewtopic.php?f=14&t=1692 where the author writes that hooking of Win32k system call table is prohibited on Windows 5 (to be more precise: the Patchguard detects modifications of the driver). Does anyone know if this is true? I admit I did not expected this change because I had see...

Re: Antirootkits

 by Alex ¦  Sun Feb 10, 2013 1:44 pm ¦  Forum: Tools/Software ¦  Topic: Antirootkits ¦  Replies: 55 ¦  Views: 71920

Re: Ideas on how to detect DLL injection.

 by Alex ¦  Tue Dec 25, 2012 11:43 am ¦  Forum: Newbie Questions ¦  Topic: Ideas on how to detect DLL injection. ¦  Replies: 5 ¦  Views: 10714

You can also extend querying process memory by looking for pages with PAGE_EXECUTE_* protection. Some malware which inject DLLs from kernel mode may just allocate VM and do the same job as loader but manually without creating image section. Obviously this methos is slow and will give a lot of false ...

Re: Malware utilizing killav features

 by Alex ¦  Tue Nov 27, 2012 6:17 pm ¦  Forum: Malware ¦  Topic: Malware utilizing killav features ¦  Replies: 7 ¦  Views: 4709

Wapomi/Guntior use blacklist. To terminate AV's processes, UM stuff send IOCTLs and terminate process's threads using PspTerminateThreadByPointer if I good remember.

Re: Getting the PEB address through EPROCESS

 by Alex ¦  Mon Nov 26, 2012 8:07 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Getting the PEB address through EPROCESS ¦  Replies: 15 ¦  Views: 14120

PROCESS 85dd2da0 SessionId: 0 Cid: 05a0 Peb: 7ffdf000 ParentCid: 00cc DirBase: 0c680320 ObjectTable: e2921270 HandleCount: 31. Image: livekd.exe PROCESS 85e6bda0 SessionId: 0 Cid: 0520 Peb: 7ffdd000 ParentCid: 05a0 DirBase: 0c680300 ObjectTable: e2b9dcd0 HandleCount: 168. Image: kd.exe kd> .process...

Re: Getting the PEB address through EPROCESS

 by Alex ¦  Mon Nov 26, 2012 6:34 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Getting the PEB address through EPROCESS ¦  Replies: 15 ¦  Views: 14120

Or try to use PsGetProcessPeb(IN PEPROCESS Process).

Re: Kill kaspersky 2012/2013 from user mode :)

 by Alex ¦  Mon Nov 19, 2012 6:27 pm ¦  Forum: User-Mode Development ¦  Topic: AV SP Discussion & Bypass ¦  Replies: 121 ¦  Views: 222534

Are you sure Comodo service has associated windows? There is a lot of user32 stuff in import, but no windows observed at all. Firewall alert comes from GUI application. Maybe it need specific circumstances? And EndTask should fail, because NtTerminateProcess is hooked by cmdguard.sys as well as mes...

  • 1
  • 2
  • 3
  • 4
  • 5
  • 17