AV SP Discussion & Bypass

Forum for discussion about user-mode development.
cuttingedge
Posts: 3
Joined: Mon Jul 02, 2012 5:17 am

Re: AV SP Discussion & Bypass

Post by cuttingedge » Tue Nov 03, 2015 1:53 pm

Hi these ones:
Postby R00tKit » Tue Feb 21, 2012 7:58 am
hi
i kill kaspersky service avp.exe in user mode

and this method also work for its UI :))

http://www.mediafire.com/?e6od81xewhkoyzr
Re: Kill kaspersky 2012 from user mode :)

Postby 0x16/7ton » Thu Oct 04, 2012 7:12 pm
Hello again:)
So as promised, I wrote a PoC specifically for creation of av Kaspersky.
This PoC update NtClose code with some features ..But now unloading only service avp.
And okay look it here video:
http://www.sendspace.com/file/6k2ooy
:lol: :lol: :lol: :lol: very funny kasp :)
Re: AV SP Discussion & Bypass

Postby R00tKit » Tue Nov 20, 2012 9:10 am
Ok ha ha ha

just another AV killer

we ( me and my good friend 0x16/7ton ) write POC that can be able kill AV

Securuty flaw allowed total manipulation with av soft. with this trick we able to inject code inside AV processes and for test we target Dr.web , As payload we choose injecting code into the original GUI process and sending special IOCTL to it driver and disable it self-protection ( for fun :mrgreen: we select sending ioctl , although killing it is simple without send anything )

we say this is universal method fro injection code inside AV process but need test over AV's

demo :
http://www.sendspace.com/file/bm7a8i
regard
Re: AV SP Discussion & Bypass

Postby rinn » Tue Nov 20, 2012 9:54 am
Hi.

Yet another Dr.Web 8 termination, which differs from the above posted.

Link to download.
http://www.sendspace.com/file/cicteh

Pasword for archive is "test" without quotes.
Last edited by EP_X0FF on Wed Nov 04, 2015 4:48 am, edited 2 times in total.
Reason: quote added

User avatar
EP_X0FF
Global Moderator
Posts: 4883
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: AV SP Discussion & Bypass

Post by EP_X0FF » Wed Nov 04, 2015 4:47 am

They all are just videos without any kind of additional information. All about "av working in backgroud, we start some tool - av terminated".

This one
Re: AV SP Discussion & Bypass

Postby R00tKit » Tue Nov 20, 2012 9:10 am
Ok ha ha ha

just another AV killer

we ( me and my good friend 0x16/7ton ) write POC that can be able kill AV
use memory mapping to inject a proxy code to the manually started AV process and from inside of it terminate other AV components (as AV itself whitelisted).
Postby rinn » Tue Nov 20, 2012 9:54 am
Hi.

Yet another Dr.Web 8 termination, which differs from the above posted.

Link to download.
http://www.sendspace.com/file/cicteh

Pasword for archive is "test" without quotes.
This one uses fake service to get inside of svchost.exe and from there terminate DrWeb processes as svchost was whitelisted by AV self-protection.
Ring0 - the source of inspiration

Post Reply