Search found 50 matches

by 0x16/7ton
Sun Oct 28, 2012 3:47 am
Forum: Tools/Software
Topic: AvLock Method
Replies: 19
Views: 37998

AvLock Method

Hello Kernelmode :) In this post I'll show you how to block the work of AV software, and the example victim would of course be Kaspersky :lol: After some research, in smss.exe I came across the function NtCreatePagingFile. Its definition is as follows: NTSTATUS NtCreatePagingFile ( I...
by 0x16/7ton
Sun Oct 21, 2012 9:38 am
Forum: Malware
Topic: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)
Replies: 149
Views: 162869

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

That's what I call a good analysis: http://stratsec.blogspot.com/2012/10/analysis-of-tdl4-dropper-our-lab-has.html Now if you think it's just another patchwork analysis, I don't think so. It is detailed and seems to be written for some time past. Unfortunately some people always want to be first to...
by 0x16/7ton
Wed Oct 17, 2012 12:39 pm
Forum: Malware
Topic: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)
Replies: 149
Views: 162869

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

Adding info about the sst_c dropper: after manipulating the file path and file name, it (step by step): - drops from resources into the temp directory the DLLs sclient.dll (32-bit image) and sqmapi.dll (32-bit or 64-bit image) - creates a cmd.exe process (32-bit image) with parameters like this: "C:\Windows\System32\cmd.exe" "C:\...
by 0x16/7ton
Tue Oct 16, 2012 7:35 pm
Forum: Malware
Topic: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)
Replies: 149
Views: 162869

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

Isn't working for me on a VM. Will try tomorrow on a live machine. Isn't working for me, even on a live machine. Tried Win 7 x64. Dropper goes into a temp folder as something like A3.tmp but disappears after a reboot. Because the malware checks: - the path to the filename must contain the temp directory - compares f...
by 0x16/7ton
Fri Oct 05, 2012 9:42 am
Forum: User-Mode Development
Topic: AV SP Discussion & Bypass
Replies: 121
Views: 219993

Re: Kill kaspersky 2012 from user mode :)

I meant that I use the inject and kill code from here: http://www.kernelmode.info/forum/viewto ... =20#p13915
but with some updates to support unloading the new kasp :)
by 0x16/7ton
Fri Oct 05, 2012 7:10 am
Forum: User-Mode Development
Topic: AV SP Discussion & Bypass
Replies: 121
Views: 219993

Re: Kill kaspersky 2012 from user mode :)

NtCl0$e wrote:@0x16/7ton
hi amigo
what version of kaspersky?
if it is 2012, then what difference compared with my code makes this code beneficial? i think nothing

thanks
Of course it is Kaspersky v13.0.1.4190.

my regards :)
by 0x16/7ton
Thu Oct 04, 2012 7:12 pm
Forum: User-Mode Development
Topic: AV SP Discussion & Bypass
Replies: 121
Views: 219993

Re: Kill kaspersky 2012 from user mode :)

Hello again :)
So as promised, I wrote a PoC specifically for the creation of AV Kaspersky.
This PoC updates NtClose's code with some features... But for now it unloads only the avp service.
Okay, look at the video here:
http://www.sendspace.com/file/6k2ooy
:lol: :lol: :lol: :lol: very funny kasp :)
by 0x16/7ton
Tue Oct 02, 2012 7:02 pm
Forum: Tools/Software
Topic: PoC Tool AVkill
Replies: 14
Views: 33071

Re: PoC Tool AVkill

Tigzy wrote:Hello

Nice PoC!
What if we register a DLL that does not exist in a process's database?
Will this lead to a crash of the process?
As a result, you cannot use shims to bypass any security mechanisms present in Windows
Uh, wait...
the process would work without a crash)
by 0x16/7ton
Tue Oct 02, 2012 6:28 pm
Forum: Tools/Software
Topic: PoC Tool AVkill
Replies: 14
Views: 33071

Re: PoC Tool AVkill

So the best method would be 1) send an infected file 2) target opens file 3) av killed 4) wait until reboot of target 5) exploit and gain admin priv. 6) establish permanent backdoor. What if we could include a simple set of commands that after alerting the user of a (fake) problem then it reboots t...