A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #16789  by kareldjag/michk
 Fri Nov 23, 2012 1:23 pm
hi
I attach pdf papers about AV bypass (pwn2kill) contest launched by the French engineer school ESIEA (IAWACS.zip)
As a simple pdf, an overview of the results (even imperfect, DrWeb self-protection was the less vulnerable http://www.docstoc.com/docs/89374475/An ... ge-Results , but i guess that the students have used known methods and had only a few minutes to do it).
According to kamarade lieutenant colonel Eric Filiol, another kill contest will occur at the end of this month, but i doubt that foreigners are admitted
http://cvo-lab.blogspot.fr/2012/08/pers ... lable.html

If it is permitted, a few words about the right terminology.
An antivirus is often evaded, sometimes eluded, the same for an Network based IDS
A firewall and an HIPS are often bypassed...
Now if the challenge is the self-protection and not the pattern file detection (polymorphism, oligomorphysm etc) then the HIPS terminology (Bypass) can also be used.
The easiest way to deactivate an AV is to add a routine that change system date, as most of them do not restrict some privileges.
As a challenge, HIPS (mostly Sandboxie and DefenseWall for the personal market) appears more interesting.
Regarding the test environment, i do not see the need of a VM, i prefer disk imaging, or reborn PCI card http://www.juzt-reboot.com/
As the GIGN special French police who practise the Trust Shoot against each other to have real training conditions (http://www.gign-historique.com/wp-conte ... 994-02.jpg ), testing must also be done in real life environments (does the average user run the OS in a VM? )...

rgds
Attachments
a summary of the av kill contest
(702.12 KiB) Downloaded 70 times
several pdf files related to AV evasion methods
(5.13 MiB) Downloaded 96 times
 #16817  by kmd
 Sat Nov 24, 2012 3:29 pm
hi kareldjag/michk.

i dont see anything except some old 2009 year doc about self-protection bypass (with drweb5)
all rest they are testing av preventive protection not self-protection
EP_X0FF wrote:They took the bait, and added two first dwprot SSDT hooks - NtOpenSection + NtSystemDebugControl. But they did it really lame (one of their hook is still lame - can be used for another bypass even now in 2012).
what do u mean? there are another ways to bypass dwprot?
 #16820  by EP_X0FF
 Sat Nov 24, 2012 3:39 pm
kmd wrote:
EP_X0FF wrote:They took the bait, and added two first dwprot SSDT hooks - NtOpenSection + NtSystemDebugControl. But they did it really lame (one of their hook is still lame - can be used for another bypass even now in 2012).
what do u mean? there are another ways to bypass dwprot?
Yes and they are multiple. Developers of this comedy section driver are not professionals and looks like a students.
 #16841  by EP_X0FF
 Mon Nov 26, 2012 6:28 am
kmd wrote:http://www.kernelmode.info/forum/./view ... f=15&t=249

u guys forgot about this one =) its old but was entertaining,, latest prevx still vulnerable btw?
This legalized fakeav faded into obscurity few years ago when was purchased by webroot. As I see from their site the last build number is 220 (2 years old). So yes, all latest UnPrevx builds from old thread will be killng it without any problems. As in fact all their attempts to fix their crapware were ridiculous and please me very well. Unfortunatelly they stopped entertain me with their crafts.
 #16851  by 0x16/7ton
 Mon Nov 26, 2012 11:20 pm
I am test shims engine method with DrWeb 8.0
status: vulnerable
They know about this hole,and released product with multiple vulnerabilities in self protection.
No comments.
 #16878  by kmd
 Wed Nov 28, 2012 7:03 am
0x16/7ton wrote:I am test shims engine method with DrWeb 8.0
status: vulnerable
They know about this hole,and released product with multiple vulnerabilities in self protection.
No comments.
i dont think they are know about this :mrgreen:
 #16884  by rinn
 Wed Nov 28, 2012 12:16 pm
Hi.

Attached another demo of Dr.Web 8 termination. Password is "test" without quotes. This time used last available AV version and old SpiDiE v1.5 code (thanks to EP_X0FF for giving me sources) updated to work with it. No drivers usage however.

With it help I was able to disable dwprot by removing most significant DKOH hooks it used for Process object type and Key object type, disable all Dr.Web services and kill all AV processes.

For Process object type it is enough to zero OpenProcedure, because it is not used by Windows prior to Vista and initially contains NULL.
For Key object type task is little complicated, however, it took around 15 minutes to make it work. Dwprot sets Key--->ParseProcedure own handler and restricting unauthorized access to product keys. The difficulties here are:

1. Key object type CmpKeyObjectType is not exported because it is not intended to be used by 3rd party software. This pointer required to find where we will deliver our kernel memory patch.

2. Key--->ParseProcedure by default != NULL, but CmpParseKey. This routine of course also not exported by ntos. You have to find it yourself.

To disable the registry monitoring required to find these two pointers and restore Key->ParseProcedure with original value. Dwprot is not controlling presence of own hooks as well as code integrity (this is hint for another theoretical bypass). Well to be honest KGB AV turned to be indeed lame. To find these pointers I used simple and stable signature patterns. They both can be found inside CmInitSystem1 ---> CmpCreateObjectTypes routine (use symbols they are unexported). Because Dr.Web do not control driver loading and even in "Paranoid" mode can easily be tricked, that 'unhooking' can be used in driver too. As it was used in SpiDiE 2.x. Be sure to disable \ reconfigure services SFA first because they are re-spawn each other in pure love.

I think it is enough for current Dr.Web version and maybe even little boring so I stop here.

Best Regards,
-rin
Attachments
(716.55 KiB) Downloaded 65 times
 #16893  by kmd
 Thu Nov 29, 2012 4:35 am
NtCl0$e wrote:they know
have u contacted them? what did they told u? can u share?
  • 1
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13