AV SP Discussion & Bypass

Forum for discussion about user-mode development.
R00tKit
Posts: 129
Joined: Tue Nov 16, 2010 8:23 pm

Tue Feb 21, 2012 7:58 am

Hi,
I kill the Kaspersky service avp.exe in user mode,

and this method also works for its UI :))

http://www.mediafire.com/?e6od81xewhkoyzr
@R00tkitSMM
EP_X0FF
Global Moderator
Posts: 4888
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Tue Feb 21, 2012 8:33 am

Hello,

are you planning to share more details about the methods you used in your PoC? Do they work on Vista+ systems?

Thanks.
Ring0 - the source of inspiration
R00tKit
Posts: 129
Joined: Tue Nov 16, 2010 8:23 pm

Tue Feb 21, 2012 10:45 am

Hi EP,

with some changes it worked very well in Windows Seven :)
@R00tkitSMM
Tigzy
Posts: 384
Joined: Mon Feb 07, 2011 5:03 pm

Tue Feb 21, 2012 3:34 pm

Hello,

Any code or explanation?
Is this a PoC, or is the code already known?
Vrtule
Posts: 465
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Tue Feb 21, 2012 5:38 pm

I am interested in details of the killing method too.
Brock
Posts: 213
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA

Wed Feb 22, 2012 8:07 am

Why so interested? KAV is hardly invincible even from usermode :lol:
Accept nothing less than STATUS_SUCCESS
Tigzy
Posts: 384
Joined: Mon Feb 07, 2011 5:03 pm

Wed Feb 22, 2012 8:41 am

It's not about KAV, I don't care whether it is invincible or not :D
It's only for information.
Brock
Posts: 213
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA

Wed Feb 22, 2012 8:51 am

Basic rule of thumb... GUI process = more vulnerable to attack ;) See such nonsense as this:

http://www.kernelmode.info/forum/viewto ... 67&start=0
Accept nothing less than STATUS_SUCCESS
Tigzy
Posts: 384
Joined: Mon Feb 07, 2011 5:03 pm

Wed Feb 22, 2012 10:20 am

Yes, I know there are numerous ways to kill a process: http://wj32.wordpress.com/2009/05/10/12 ... a-process/
What I want to know is only the method the author used to do this.
Brock
Posts: 213
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA

Wed Feb 22, 2012 10:39 am

The author doesn't touch on other methods, just some general methods which are more than well known to the public. I think the interest lies in a method which may not be on this __list__?
Accept nothing less than STATUS_SUCCESS