by 0x16/7ton
Wed Mar 06, 2013 9:07 pm
Forum: Tools/Software
Topic: AvLock Method
Replies: 19
Views: 37998

Re: AvLock Method

I just hate it when people discuss without showing any facts.
The latest version, Avast 8.0.1482, is still vulnerable to this trick:
http://www.sendspace.com/file/ixk9eh
Your question is totally off-topic; all you need is in the first post.
by 0x16/7ton
Tue Mar 05, 2013 8:54 am
Forum: Malware
Topic: Bootkit: Win32/Gapz
Replies: 23
Views: 30674

Re: Bootkit: Win32/Gapz

Hello :)
Yes, maybe it is a bad article, but I wrote it here:
http://inresearching.blogspot.ru/2013/0 ... yload.html
by 0x16/7ton
Thu Jan 03, 2013 8:07 pm
Forum: User-Mode Development
Topic: AV SP Discussion & Bypass
Replies: 121
Views: 219993

Re: AV SP Discussion & Bypass

I want to share an interesting SP bypass method in Avast and Avira, for the x86 architecture. In both antiviruses, SP is based on hooking the NtOpenProcess function in the SSDT to prevent termination of the protected process. For example, Avast just returns STATUS_ACCESS_DENIED, and Avira changes the access mask for openin...
by 0x16/7ton
Tue Dec 18, 2012 9:13 am
Forum: Reverse Engineering and Debugging
Topic: Sandboxie vulnerability exploitation(admin->ring0)
Replies: 4
Views: 16833

Re: Sandboxie vulnerability exploitation(admin->ring0)

First:
We have only a 2-byte write of zero value, so it is hard (or impossible?) to overwrite the address in the HAL_DISPATCH pointer with our shellcode.
Second:
"...I do this only for fun and learning".
If you need non-"useless" content on exploiting 3rd-party drivers, I am not going to help you.
by 0x16/7ton
Thu Dec 13, 2012 9:03 pm
Forum: Reverse Engineering and Debugging
Topic: Sandboxie vulnerability exploitation(admin->ring0)
Replies: 4
Views: 16833

Sandboxie vulnerability exploitation(admin->ring0)

Hello again :) After some research into the Sandboxie driver, I found a "write zero (2 bytes) where" vulnerability in it, which gives us the ability to disable driver signing (admin->ring0) by overwriting the bool value g_CiEnabled. To begin, let's talk a little about the general concept of Sandboxie: Sandboxie archi...
by 0x16/7ton
Mon Nov 26, 2012 11:20 pm
Forum: User-Mode Development
Topic: AV SP Discussion & Bypass
Replies: 121
Views: 219993

Re: AV SP Discussion & Bypass

I tested the shims engine method with DrWeb 8.0
status: vulnerable
They know about this hole, and released the product with multiple vulnerabilities in self-protection.
No comments.
by 0x16/7ton
Tue Nov 20, 2012 9:15 am
Forum: User-Mode Development
Topic: AV SP Discussion & Bypass
Replies: 121
Views: 219993

Re: AV SP Discussion & Bypass

List of IOCTLs that we use:

Code:

*******************************
DwProtSetControlState
8A000
8A008
8A038
8A0C8
8A074
8A040
8A048
8A010
8A098
8A06C
8A0A0
8A090
8A0C0
8A060
8A018
8A0D0
8A050
8A0E8
860EC
860E4
*******************************
The input buffer is a boolean type; we set it to false.
by 0x16/7ton
Thu Nov 08, 2012 7:01 pm
Forum: Malware
Topic: Georgian CERT vs Russian FSB spies
Replies: 12
Views: 9199

Re: Georgian CERT vs Russian FSB spies

Totally agree with EP_X0FF. I also analyzed this sample... searching for rootkits, super techniques and... no comment. Now I feel like a fool and have depression. :cry: I wrote a deobfuscation script for IDAPython. It's based on the Hex-Rays findInstruction script (it decrypts strings, has a list of api-has...
by 0x16/7ton
Wed Oct 31, 2012 10:36 pm
Forum: User-Mode Development
Topic: AV SP Discussion & Bypass
Replies: 121
Views: 219993

Re: Kill kaspersky 2012/2013 from user mode :)

I found another weakness in its security. The standard path to Kaspersky looks like this: \\??\\C:\%PROGRAMFILES%\\ Kaspersky Lab \\ Kaspersky Anti-Virus 2013 \\avp.exe And here is the security flaw: green color is the protected directory, red is not protected. How to use it? I quickly wrote a PoC, using the technic ...