A forum for reverse engineering, OS internals and malware analysis 

Bypass modern ARKs hidden code detection [by Cr4sh]

Forum for announcements and questions about tools and software.

Bypass modern ARKs hidden code detection [by Cr4sh]

 #4186  by Brookit
 Wed Dec 29, 2010 6:20 pm
Hi,

some probably already know, but Cr4sh posted in russian blog of esagelab about how to bypass detection of hidden executable code in a nifty way. So all credit for PoC goes to him.

Original: http://esagelab.ru/blog/tech/%D0%BE%D0% ... B#more-130

English version: http://translate.google.com/translate?h ... BB&prev=_t

Repository: https://github.com/Cr4sh/DrvHide-PoC

BTW
allive -> alive ;-)


Regards

Re: Bypass modern ARKs hidden code detection [by Cr4sh]

 #4190  by EP_X0FF
 Thu Dec 30, 2010 4:59 am
This is nice idea. However it is bit old trick (we were looking on the same idea when working on Unreals), yes by public tools this is undetectable (at present time).
However I believe this is just a question of short time, because this method is easy to detect. And some additional detection methods must be implemented because detection also can be easily compromised :)
Attachments
12.JPG
12.JPG (150.48 KiB) Viewed 594 times
Last edited by EP_X0FF on Thu Dec 30, 2010 7:39 am, edited 1 time in total. Reason: edit: added screenshot :)

Re: Bypass modern ARKs hidden code detection [by Cr4sh]

 #4228  by Alex
 Sun Jan 02, 2011 4:15 pm
Yes, it is interesting, but as EP_X0FF said it can be easily detected. For example Kernel Detective shows that the code is executing (see thread stack also) from resource section what is malicious by default.
kd.jpg
kd.jpg (19.03 KiB) Viewed 530 times
 Return to “Tools/Software”