A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #1826  by wealllbe20
 Fri Aug 06, 2010 1:17 pm
EP_X0FF wrote:They always carried about self-protection bypass. No matter what company and what they speak on public. Of course on official forums and maybe blogs they will tell "no problem" and "who need AV termination" and other kind of 'see no evil'. It is typical marketing lie. There are a lot of malwares successfully terminating AV while its work. So having enough strength and armored self-protection is required option for any modern AV product. What about "thanks" etc, I don't care :) Prevx self-protection is weak and requires a lot of work to fix numerous termination possibilities.
Some AV Vendors just need to learn how to run simple tools.

about two years ago I tested some av tools using this simple process termination tool.

in fact the older versions of rku were disabled by this tool.

I believe the command was spt rkupid 10 -f
check it:
Attachments
Simple Process Termination(command line)
(26.69 KiB) Downloaded 56 times
 #1827  by EP_X0FF
 Fri Aug 06, 2010 1:51 pm
Method 10 sends WM_CLOSE to window of specified by id process.

It can't kill v3.8.342.554 and can't kill 3.8.388.590.
C:\>spt 1696 10 -f
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 10...
Test failed
Option -f shall only be used with tests 1-7
As in fact SPT fails with any test i tried with 2 years old rku.
 #1830  by wealllbe20
 Fri Aug 06, 2010 4:04 pm
EP_XOFF love your rku application.

So this is nothing personal.

But I also love winning arguments.

test 10 didn't work. I WAS wrong but...

RKU LE V. 3.8.383.585 11/27/2009 killed stage 1
RKU LE v. 3.8.386.589 05/2/2010 killed stage 1

RKU LE SR2 3.8.388.590 05/2/0210 killed stage 15 in loop
RKU LE V. 3.7.300.509 4/10/2008 killed stage 15

some of the time the driver was still loaded in memory.
Attachments
rku killer and useful for testing other products
(52.83 KiB) Downloaded 46 times
 #1831  by EP_X0FF
 Fri Aug 06, 2010 4:11 pm
Ok, I understand your point, but... It wasn't killed :) SPT (nor APT) can't kill it by design no matter how many loops it will do.
RKU LE SR2 3.8.388.590 05/2/0210 killed stage 15 in loop
What it is doing - closing RkU window (by sending specific command). However after less then 1 second rku window will be restored back, because it contains self-protection against this kind of attack since 2008. Actual process stays alive. Yes this loop making work impossible, but with same success window can be moved outside desktop coordinates, but this does not mean killing or bypassing.
 #1836  by wealllbe20
 Fri Aug 06, 2010 6:01 pm
it is very interesting, because your protection against the test 15 does work.

but in very few cases looping simulation of normal process exit; does actually kill the process.

sometimes it makes the rku gui disappear and it start running very high cpu usuage.

But most of the time it does it's job protecting itself.

Is this some kind of windows bug?
 #1841  by EP_X0FF
 Sat Aug 07, 2010 3:31 am
Maybe messages queue is too big, so window gets crazy. However I can't reproduce that behavior. I started bat file for SR2 and waited almost 5 minutes looking on closing/restoring rku window.