In this post I'll show you how to block AV software from working; the example victim will, of course, be Kaspersky.
After some research, I came across the function NtCreatePagingFile in smss.exe.
Its definition is as follows:
NTSTATUS NtCreatePagingFile(
    IN PUNICODE_STRING PageFileName,
    IN PLARGE_INTEGER InitialSize,
    IN PLARGE_INTEGER MaximumSize,
    IN ULONG Reserved
);
The Session Manager takes the parameters for this API from the registry value PagingFiles under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, which lists the path of each page file together with its initial and maximum size.
In general, the idea is to use page-file creation for our own purposes: call NtCreatePagingFile with the PageFileName parameter set to, for example, the path of an AV driver.
The result of this experiment was successful: the AV driver was overwritten by the page file.
Further attempts were made to swap out the main DLL of Kaspersky, but alas, NtCreatePagingFile returned STATUS_SHARING_VIOLATION.
After that, I came up with another idea: to create a page file of this type:
That is, we create a fake manifest file; as a result, after a reboot Kaspersky could not run any GUI or service process.
- NtCreatePagingFile first compares the current number of page files (MmNumberOfPagingFiles) with a value hard-coded in the function body and returns STATUS_TOO_MANY_PAGING_FILES if they are equal (on my Windows XP it is 16).
- SeCreatePagefilePrivilege is required to call NtCreatePagingFile.
- Of course, the blocking of the AV software only takes effect after a reboot.
- NtCreatePagingFile only adds a page file to the currently running system; after a reboot the file we created is no longer a page file. And here is the funny part: if we create the manifest
file in the AV directory, we cannot delete it after the reboot, because the AV protects its files.
- panda 2013
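The check a defender would want here, added as an example and not code from the original post: a Python script that parses the PagingFiles value (the same REG_MULTI_SZ that the Session Manager feeds to NtCreatePagingFile at boot) or any list of page-file paths, and flags page files that are not a pagefile.sys / swapfile.sys at the root of a volume, which is exactly the shape the driver, DLL and manifest targets above have. The "ExampleAV" paths in the sample entries are constructed, and the list of protected directories is an assumption to extend with your own vendor's install paths.

```python
"""Audit page-file locations for the NtCreatePagingFile abuse described above.

Added example, not code from the original post. Two inputs are covered:
  1. the REG_MULTI_SZ value PagingFiles under
     HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management
     (one "path initial_MB max_MB" entry per line), which smss.exe hands to
     NtCreatePagingFile at boot, and
  2. any list of page-file paths you collect from the running system.
A page file that is not a pagefile.sys / swapfile.sys at the root of a volume
is flagged: that is exactly what pointing NtCreatePagingFile at an AV driver,
DLL or manifest file produces.
"""
import ntpath
import sys

PAGINGFILES_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
STANDARD_NAMES = ("pagefile.sys", "swapfile.sys")
# Directories where a page file has no business living. Assumption: a starting
# list only; add your AV vendor's install directories.
SUSPICIOUS_DIRS = (
    "\\windows\\system32\\drivers",
    "\\program files",
    "\\program files (x86)",
    "\\programdata",
)
# NT object-manager prefixes a direct caller of NtCreatePagingFile would use.
NT_PREFIXES = ("\\??\\", "\\DosDevices\\")


def parse_pagingfiles_value(entries):
    """Turn lines like 'C:\\pagefile.sys 0 0' into (path, initial_mb, max_mb).
    '0 0' means system-managed. Paths may contain spaces, so split from the
    right; a line without two trailing numbers is treated as a bare path."""
    parsed = []
    for line in entries:
        line = line.strip()
        if not line:
            continue
        parts = line.rsplit(None, 2)
        if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
            parsed.append((parts[0], int(parts[1]), int(parts[2])))
        else:
            parsed.append((line, None, None))
    return parsed


def classify_pagefile_path(path):
    """Return the reasons a page-file path looks abusive; an empty list is benign."""
    win32_path = path
    for prefix in NT_PREFIXES:
        if win32_path.lower().startswith(prefix.lower()):
            win32_path = win32_path[len(prefix):]
            break
    _drive, rest = ntpath.splitdrive(win32_path)
    directory, name = ntpath.split(rest)
    reasons = []
    if directory not in ("", "\\"):
        reasons.append("not at the volume root")
    if name.lower() not in STANDARD_NAMES:
        reasons.append("non-standard page-file name %r" % name)
    if any(directory.lower().startswith(d) for d in SUSPICIOUS_DIRS):
        reasons.append("lives under a protected software directory")
    return reasons


def audit(entries):
    """Parse PagingFiles-style entries; return [(path, reasons)] for suspicious ones."""
    flagged = []
    for path, _initial, _maximum in parse_pagingfiles_value(entries):
        reasons = classify_pagefile_path(path)
        if reasons:
            flagged.append((path, reasons))
    return flagged


def read_pagingfiles_from_registry():
    """Live read of the PagingFiles value (Windows only, stdlib winreg)."""
    if sys.platform != "win32":
        raise OSError("PagingFiles lives in the Windows registry")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PAGINGFILES_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, "PagingFiles")
    if value_type != winreg.REG_MULTI_SZ:
        raise ValueError("unexpected PagingFiles type %d" % value_type)
    return list(value)


# Constructed sample: two normal entries plus the two shapes the post describes
# (a driver and a manifest file under a hypothetical "ExampleAV" install).
SAMPLE_ENTRIES = [
    r"C:\pagefile.sys 0 0",
    r"D:\pagefile.sys 2048 4096",
    r"\??\C:\Windows\System32\drivers\exampleav.sys 64 64",
    r"C:\Program Files\ExampleAV\avgui.exe.manifest 16 16",
]

if __name__ == "__main__":
    entries = read_pagingfiles_from_registry() if sys.platform == "win32" else SAMPLE_ENTRIES
    for path, reasons in audit(entries):
        print("SUSPICIOUS %s: %s" % (path, "; ".join(reasons)))
```

On Windows the script reads the live PagingFiles value; elsewhere it runs against the constructed sample. The registry only covers page files created at boot, so for the runtime-only page file the post describes (the one that is gone after a reboot) feed the names of currently active page files, for example from the Win32_PageFileUsage WMI class, through classify_pagefile_path as well.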
It would be cool if you tested this method with other AVs.
Thanks for reading ^_^ and many thanks to EP_X0FF for helping me.