A forum for reverse engineering, OS internals and malware analysis 
#1813 by ssj100
Thu Aug 05, 2010 11:41 pm
Prevx now identifies your tool as a threat haha - "Medium Risk Malware".

By the way, after being successfully terminated, Prevx loads back up after about 5-10 seconds. Anyway, Prevx may not be so quick to release a "fix" this time, since they've managed to (finally) "black-list" the actual file in their database.
#1816 by EP_X0FF
Fri Aug 06, 2010 2:42 am
> By the way, after being successfully terminated, Prevx loads back up after about 5-10 seconds.

It shouldn't. This means the Prevx service app wasn't terminated. UnPrevx kills both, so there is no chance of resurrection. Something went wrong in your test. Due to the method used in the 187 killer (it uses csrss dll injection + the same kill method as the 185 build killer), a reboot is required before trying again.

> Prevx now identifies your tool as a threat haha - "Medium Risk Malware".

Oh, interesting. Just like in the Dr.Web case, I will now look at how they detect it.
#1817 by EP_X0FF
Fri Aug 06, 2010 3:00 am
Done.

Prevx identified UnPrevx by its VERSION_INFO resource. Add some garbage there and http://www.virustotal.com/analisis/c39c ... 1281063519

As always, nothing impressive from Prevx. They don't even use strings inside the application, only the version info block. It is kinda LOL for an AV product.
#1870 by USForce
Mon Aug 09, 2010 8:50 am
I've run some tests with the new build 188, as they have released its public beta. Looks like the watchdog thread was present even before this release. Anyway, they have closed the csrss backdoor you are using. By the way, very good work with your PoC; I'm sure the technique you are using could be abused to kill almost every other security software out there.
#1872 by EP_X0FF
Mon Aug 09, 2010 10:21 am
Yeah, I see some improvements were made in the new 188 build. The service is configured to auto-restart in case of error, and the hook handlers were slightly updated.
Successfully terminated by the next version without any chance to restart itself :) I need to add some things before publishing the demo.
#1874 by EP_X0FF
Mon Aug 09, 2010 12:27 pm
Here is UnPrevxDemo for the 188 build. This is an swf file and it is better played with MPC. It demonstrates real-time killing of the latest beta build of Prevx 3.0 (build 188) from pure user mode.
Watchdogs can't help, and Prevx processes have zero chance of resurrection. A slightly extended version of this UnPrevx build can totally remove Prevx3 from the machine no matter what it hooks and where.

Since Prevx started playing the typical suckers' game - adding UnPrevx to their malware (OMG) database (by calculating checksums for VERSION_INFO) - binary files and source code will be available only to trusted people.

edit: in fact, the 188 build is some sort of lol. I can terminate it with the old UnPrevx (processes will be resurrected after a few seconds, of course).
#1877 by EP_X0FF
Mon Aug 09, 2010 6:31 pm
In proper time everything will be available :) For now, there are quite too many "fixes" from Prevx these days :D
Thread locked for now.

edit:

Topic unlocked. Some affiliation with ws forum trolls detected. Very funny to watch this, because I'm not registered at ws.
Last edited by EP_X0FF on Thu Aug 12, 2010 4:40 am, edited 2 times in total. Reason: edit
#1905 by EP_X0FF
Thu Aug 12, 2010 4:41 am
This subforum is about user mode development.
Marketing, "give-me-sample" posts and other kinds of typical bs posts will be deleted without notice.
If you have technical questions, feel free to ask; however, answers are not guaranteed.

All offtopic discussion moved to a separate topic: AV self-protection
#1946 by EP_X0FF
Fri Aug 13, 2010 6:13 pm
Blovex for Prevx

Experimental destroyer for the Prevx 3.0.5.188 build. It uses another attack vector, totally different from the one in UnPrevx 1.0.188.
In my tests it perfectly crashes the target, making it mad and unworkable :)
Since the 188 build's self-protection is very unstable, this proof-of-concept is not guaranteed to work.
Because of the consequences, better try it on a VM ;)

It needs some time to make Prevx go crazy :)
Last edited by EP_X0FF on Sat Aug 14, 2010 4:59 pm, edited 1 time in total. Reason: removed attach