
Re: Kill kaspersky 2012 from user mode :)

Posted: Wed Feb 22, 2012 10:42 am
by Tigzy
just some general methods which are more than well known to public
Agreed, that was my very first question :D
Is this a PoC, or is the code known?

Re: Kill kaspersky 2012 from user mode :)

Posted: Wed Feb 22, 2012 10:45 am
by Brock
@Tigzy

If this is so, I am interested too ;)

Re: Kill kaspersky 2012 from user mode :)

Posted: Thu Feb 23, 2012 3:06 am
by EP_X0FF
Offtopic moved

Re: Kill kaspersky 2012 from user mode :)

Posted: Tue Feb 28, 2012 1:43 am
by EP_X0FF
Hello,

I approve the topic starter's PoC. It indeed terminates Kaspersky 2012 from user mode. All instances terminate without any warnings (default out-of-the-box configuration). This is not a GUI-based attack. It uses a generic flaw in Kaspersky self-protection. Additionally, slightly modified, this code can totally block Kaspersky from loading. Tested on Windows XP SP3 with Kaspersky v12.0.0.374.

Plus some debug messages from the Kaspersky service:
Version = 2.0.0.783
Unable to create DevObj for KLCR. err = c0000035

Re: Kill kaspersky 2012 from user mode :)

Posted: Tue Feb 28, 2012 6:00 am
by R00tKit
Thanks, EP :)

Re: Kill kaspersky 2012 from user mode :)

Posted: Tue Feb 28, 2012 11:49 am
by vaber
EP_X0FF wrote: I approve the topic starter's PoC. It indeed terminates Kaspersky 2012 from user mode. All instances terminate without any warnings (default out-of-the-box configuration). This is not a GUI-based attack. It uses a generic flaw in Kaspersky self-protection. Additionally, slightly modified, this code can totally block Kaspersky from loading. Tested on Windows XP SP3 with Kaspersky v12.0.0.374.
Surely not PG here too? ;) (Is it the PG case again?)

Re: Kill kaspersky 2012 from user mode :)

Posted: Tue Feb 28, 2012 2:00 pm
by EP_X0FF
You should ask the author; I only used his idea and slightly extended it. From my point of view this method is surprisingly simple, and I expected exploitation of something more complicated, to be honest.

Re: Kill kaspersky 2012 from user mode :)

Posted: Sat Mar 17, 2012 8:29 am
by kmd
So is anyone going to publish anything?

Re: Kill kaspersky 2012 from user mode :)

Posted: Sat Mar 17, 2012 6:19 pm
by Tigzy
I don't think so; it would already be done otherwise.

Re: Kill kaspersky 2012 from user mode :)

Posted: Thu Mar 22, 2012 4:54 am
by listito
Great, any other AVs vulnerable to this attack vector?

What about sharing a PoC with us? :)