AvLock Method

Forum for announcements and questions about tools and software.
listito
Posts: 48
Joined: Fri Jan 07, 2011 6:59 pm

Tue Jun 11, 2013 7:39 am

Just found out the answer to my own question, in case anyone is interested:

"On Vista, if your .exe already has an embedded manifest, the external manifest will be ignored and the embedded manifest is used. (This is the opposite of the XP case: on XP, the external manifest is used in this case.)"

http://social.msdn.microsoft.com/Forums ... 49f33fa944
0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation

Tue Jun 11, 2013 9:21 am

We can use the ".config" extension instead of ".manifest", for example.
Cause and effect
listito
Posts: 48
Joined: Fri Jan 07, 2011 6:59 pm

Sat Jun 22, 2013 5:53 am

Finally I've made it work with Avira by doing a trick.

But I don't understand how Avira protects itself from the trick (it was returning STATUS_DENIED). I've restored the SSDT and Shadow SSDT, I've seen 3 notify callbacks for CreateProcess, CreateThread and LoadImage, nothing hooked in the NTFS major handlers or anything like it, no hooks from ring3 or ring0 into NtCreatePagingFile and the IoCreateFile kernel object; I tried to restore all hooks, but nothing I was trying was working. Then I came up with an interesting idea and it worked.

Can someone please help me to understand how it protects itself from the trick?
EP_X0FF
Global Moderator
Posts: 4889
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Sat Jun 22, 2013 6:41 am

listito wrote: Can someone please help me to understand how it protects itself from the trick?
1. Why do you need this?
2. Why do you think it is all hooks, hooks, hooks?

The above method was a proof-of-concept, not a ready-to-use trojan technique (well, it is already implemented in one trojan).
Ring0 - the source of inspiration
listito
Posts: 48
Joined: Fri Jan 07, 2011 6:59 pm

Sun Jun 23, 2013 7:12 am

Hey EP_X0FF,

No, I don't think protection mechanisms are effective only by hooking. I'm just very curious to know how they made it, and yes, it can be useful in malicious code, but that's not my case; I hate malware stuff.
EP_X0FF
Global Moderator
Posts: 4889
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Sun Jun 23, 2013 12:30 pm

Take DevTree/WinDBG and look at the driver stack. If there are no hooks, then it is an FSD filter; there is no magic.
Ring0 - the source of inspiration
0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation

Sun Jun 23, 2013 12:58 pm

listito wrote: Finally I've made it work with Avira by doing a trick
Where is the PoC, information, etc.?
listito wrote: But I don't understand how Avira protects itself from the trick
It is a very obvious protection, working via a mini-filter driver (thus Avira support starts from XP SP3).
For real-time protection watching, go to FLT_REGISTRATION->FLT_OPERATION_REGISTRATION->PFLT_PRE_OPERATION_CALLBACK
http://msdn.microsoft.com/en-us/library ... 85%29.aspx
http://msdn.microsoft.com/en-us/library ... 85%29.aspx
So inside the callback handler there is a simple path checker. Here is the "protected" path string format:


\Device\HarddiskVolume1\Program Files\Avira\AntiVir Desktop\";R:w"
\Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\CONFIG\";R:w"
\Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\JOBS\";R:w"
\Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\EVENTDB\";R:w"
\Device\HarddiskVolume1\WINDOWS\system32\drivers\avipbb.sys";R:w"
\Device\HarddiskVolume1\WINDOWS\system32\drivers\avgntflt.sys";R:w"
\Device\HarddiskVolume1\WINDOWS\system32\drivers\avkmgr.sys";R:w
Also, the check is skipped if PsGetCurrentProcessId < 8 [System process].
listito wrote: but that's not my case; I hate malware stuff
:o :o :o
Cause and effect
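The check 0x16/7ton describes is easier to reason about as plain code. The following is an added user-mode model written for this page, not Avira's driver code and not a minifilter: it takes the protected NT device paths quoted in the post (without their ";R:w" suffix, whose exact meaning the thread does not spell out), treats an entry ending in a backslash as a directory prefix and any other entry as a single file, compares case-insensitively as NTFS does, and applies the "skip when PsGetCurrentProcessId < 8" exemption. The prefix/exact-match split and the function and file names below are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Constructed model of a minifilter pre-operation path check (user-mode only).
 * Entries are the NT device paths quoted in the thread. An entry ending in a
 * backslash is treated as a directory prefix; any other entry must match the
 * whole path. Both readings are assumptions for this example. */
static const wchar_t *const kProtectedPaths[] = {
    L"\\Device\\HarddiskVolume1\\Program Files\\Avira\\AntiVir Desktop\\",
    L"\\Device\\HarddiskVolume1\\Documents and Settings\\All Users\\Application Data\\Avira\\AntiVir Desktop\\CONFIG\\",
    L"\\Device\\HarddiskVolume1\\Documents and Settings\\All Users\\Application Data\\Avira\\AntiVir Desktop\\JOBS\\",
    L"\\Device\\HarddiskVolume1\\Documents and Settings\\All Users\\Application Data\\Avira\\AntiVir Desktop\\EVENTDB\\",
    L"\\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\avipbb.sys",
    L"\\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\avgntflt.sys",
    L"\\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\avkmgr.sys",
};

/* NTFS names are case-insensitive, so the comparison must be as well.
 * Returns 1 when s begins with prefix; a shorter s fails on its terminator. */
static int starts_with_icase(const wchar_t *s, const wchar_t *prefix)
{
    for (; *prefix != L'\0'; ++s, ++prefix) {
        if (towlower((wint_t)*s) != towlower((wint_t)*prefix))
            return 0;
    }
    return 1;
}

/* Decide whether a write-type request on nt_path from process pid would be
 * refused by the modelled check: 1 = deny (the filter would complete the
 * request with an access-denied status), 0 = let it through. */
int write_blocked(const wchar_t *nt_path, unsigned long pid)
{
    /* Per the thread, the check is skipped when PsGetCurrentProcessId() < 8,
     * i.e. for the System process (PID 4 on XP-era kernels). */
    if (pid < 8)
        return 0;

    for (size_t i = 0; i < sizeof kProtectedPaths / sizeof kProtectedPaths[0]; ++i) {
        const wchar_t *entry = kProtectedPaths[i];
        size_t len = wcslen(entry);

        if (!starts_with_icase(nt_path, entry))
            continue;
        if (entry[len - 1] == L'\\')
            return 1;               /* directory entry: any child path matches */
        if (nt_path[len] == L'\0')
            return 1;               /* file entry: whole-path match only */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample requests; the file names are invented for the demo. */
    const wchar_t *cfg = L"\\Device\\HarddiskVolume1\\Documents and Settings\\All Users\\Application Data\\Avira\\AntiVir Desktop\\CONFIG\\sample.cfg";
    const wchar_t *drv = L"\\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\AVIPBB.SYS";
    const wchar_t *bak = L"\\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\avipbb.sys.bak";

    printf("config write, pid 1234:   %s\n", write_blocked(cfg, 1234) ? "denied" : "allowed");
    printf("driver write, pid 1234:   %s\n", write_blocked(drv, 1234) ? "denied" : "allowed");
    printf("driver write, pid 4:      %s\n", write_blocked(drv, 4) ? "denied" : "allowed");
    printf("sibling file, pid 1234:   %s\n", write_blocked(bak, 1234) ? "denied" : "allowed");
    return 0;
}
```

The model makes two properties of such a check visible: it is a string policy evaluated per request inside the filter's callback, and it depends on how entries are interpreted (a file entry that is accidentally matched as a prefix would also cover `avipbb.sys.bak`, while a directory entry without the trailing backslash would match nothing under it).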
listito
Posts: 48
Joined: Fri Jan 07, 2011 6:59 pm

Sun Jun 23, 2013 1:48 pm

Hey, thanks again guys,

0x16, the trick is simple: just unload avipbb.sys from memory and then call NtCreatePagingFile, which then returns 0 gracefully.

:twisted:
kaue
Posts: 1
Joined: Thu Oct 29, 2015 4:00 pm

Thu Oct 29, 2015 4:49 pm

Does this still work?
The link is dead :x
EP_X0FF
Global Moderator
Posts: 4889
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Fri Oct 30, 2015 3:54 am

kaue wrote: Does this still work?
The link is dead :x
https://github.com/AlephNull314/AbsoluteZero
Ring0 - the source of inspiration