A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #1745  by EP_X0FF
 Tue Aug 03, 2010 9:55 am
Pure usermode Prevx3 self-protection total bypass.

Main post http://www.rootkit.com/blog.php?newsid=1032

KernelMode.Info exclusive.

Full version, including partial source code (without RTLs and resources).

Tested with the latest available Prevx3 under Windows XP; however, this method will work anywhere on x86-32.

Note: this version is for Prevx version 3.0.5.179; for the newest, see later in the thread.

pass for source: kernelmode.info
Attachments
(52.6 KiB) Downloaded 115 times
 #1747  by __Genius__
 Tue Aug 03, 2010 8:41 pm
Interesting stuff. I haven't tried Prevx until now, but if it's free or has an evaluation version I will try and test your code.
I think it's not limited to Prevx; there are a bunch of other security products that try to implement self-defense mechanisms with messy hooks, as you mentioned in the attached paper. Therefore, trying your ideas, with regard to the PoCs for XueTr and now Prevx, could help to terminate these self-defenses from pure user mode.
As you know it better and are deep in the details of Prevx's protection: can this code be considered a killer for other products with some modification, or could other, better ideas be added to it?

regards.
 #1750  by EP_X0FF
 Wed Aug 04, 2010 2:44 am
Hello,

Slightly modified, this method will work against Dr.Web (Platinum self-protection award).
As for everything else, I doubt this can kill all or even most of them. However, this does not mean they have perfect self-protection; no, you just need to use other methods or a combination of them.

Regards.
 #1752  by __Genius__
 Wed Aug 04, 2010 4:25 am
Hi,
Thanks for information.
I don't know what's going on, but I downloaded a free version of Prevx and ran unprevx; I see a message box and nothing after that, nothing gets killed...
 #1753  by EP_X0FF
 Wed Aug 04, 2010 4:29 am
Windows version? Prevx3 version?

edit:
Oh yes, I see, the guys seem to have updated it :) It was designed for build 179 and currently they have 185.
I will update the killer :)
 #1754  by EP_X0FF
 Wed Aug 04, 2010 8:24 am
Prevx3 build 185 successfully terminated from pure user mode by UnPrevx with just a small addition. An updated version will be posted soon.

In build 185, compiled 3 August 2010, they used a "dirty fix": in fact they simply denied termination of the Prevx application even through a valid handle with full rights.
And as always, the hooked functions return crap instead of the real status code. "Very professional" lol.

Done; should work with build 185, probably will be fixed by Prevx in the near future.
password: i_swear_i_will_read_msdn_to_fix_my_bugs
Attachments
(9.68 KiB) Downloaded 66 times
Last edited by EP_X0FF on Wed Aug 04, 2010 8:52 am, edited 1 time in total. Reason: added
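The complaint in the post above is that a hook which refuses to terminate the protected process does not bother to report a proper Win32 status. The following is an added example, not code from this thread and not part of UnPrevx, that checks for exactly that inconsistency without bypassing anything: it opens a target with PROCESS_TERMINATE, calls TerminateProcess, and compares what the API claims (return value and last error) with what actually happened (did the process exit). The names Native and Test-TerminateConsistency are my own; it assumes a Windows host with PowerShell, an elevated session, and a PID you are allowed to test.

```powershell
# Added example (not from the thread or from UnPrevx): probe whether a process's
# self-protection answers TerminateProcess with a coherent result.
# Assumptions: Windows, elevated PowerShell, and a target PID you own or are
# authorised to test. Nothing here bypasses a hook; it only reports what the
# API says versus what the process actually did.

$nativeSource = @'
using System;
using System.Runtime.InteropServices;
public static class Native
{
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool TerminateProcess(IntPtr hProcess, uint uExitCode);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $nativeSource

function Test-TerminateConsistency {
    param([Parameter(Mandatory)][uint32]$TargetPid)

    $PROCESS_TERMINATE   = 0x0001
    $SYNCHRONIZE         = 0x00100000
    $ERROR_ACCESS_DENIED = 5
    $WAIT_OBJECT_0       = 0

    $handle  = [Native]::OpenProcess($PROCESS_TERMINATE -bor $SYNCHRONIZE, $false, $TargetPid)
    $openErr = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($handle -eq [IntPtr]::Zero) {
        # Refusing at OpenProcess is the documented way to deny access; a proper
        # self-protection usually answers here with ERROR_ACCESS_DENIED (5).
        return [pscustomobject]@{ Stage = 'OpenProcess'; Verdict = 'denied'; Win32Error = $openErr }
    }

    try {
        $ok   = [Native]::TerminateProcess($handle, 1)
        $err  = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        # Give the process up to two seconds to actually go away.
        $wait = [Native]::WaitForSingleObject($handle, 2000)
        $exited = ($wait -eq $WAIT_OBJECT_0)

        # A coherent denial is FALSE + ERROR_ACCESS_DENIED. Anything else where
        # the API's story and the process's state disagree points at a hook
        # that fabricates its return value.
        $verdict =
            if ($ok -and $exited)                  { 'terminated' }
            elseif ($ok -and -not $exited)         { 'inconsistent: API reported success but the process is still running' }
            elseif ($err -eq $ERROR_ACCESS_DENIED) { 'denied coherently (FALSE + ERROR_ACCESS_DENIED)' }
            elseif ($err -eq 0)                    { 'inconsistent: API reported failure but set no error code' }
            else                                   { "denied with unexpected Win32 error $err" }

        return [pscustomobject]@{ Stage = 'TerminateProcess'; Verdict = $verdict; Win32Error = $err; Exited = $exited }
    }
    finally {
        [void][Native]::CloseHandle($handle)
    }
}

# Usage: first confirm the baseline on a throwaway notepad.exe (expected verdict
# 'terminated'), then run it against the PID of the product under test.
$victim = Start-Process notepad.exe -PassThru
Test-TerminateConsistency -TargetPid $victim.Id
```

Two readings of the output matter for a self-protection review: a refusal that already happens at OpenProcess is the cleanest design (the handle never exists), while a handle opened with PROCESS_TERMINATE whose TerminateProcess "fails" with no error code, or "succeeds" while the process keeps running, is the kind of cosmetic hook the post is describing, and it tells the caller nothing it could not learn by simply waiting on the handle.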
 #1756  by LeastPrivilege
 Wed Aug 04, 2010 5:59 pm
The Prevx boys should be thanking you EP for making their software stronger, but I'll bet they won't. You actually helped Kaspersky out too with their buggy klif.sys. They owe you their thanks as well.
 #1774  by ssj100
 Thu Aug 05, 2010 2:10 am
The new version (187) fixes the vulnerability.