A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #2000  by EP_X0FF
 Mon Aug 16, 2010 3:50 am
Yet another checksum from Prevx with love. This time a primitive checksum for the code buffer inside application addresses that belong to the injected dll :D In fact they calculated it only in the executable range, totally primitive. I'm losing faith in Prevx's abilities as an AV since they do not even know how to generate signatures.

BTW, a few different methods for the next versions of UnPrevx have been ready to use for a long time.

Updated version with eradicated signature. After posting the source code publicly, I think there will be no sense in breaking signatures again.
Attachments
password: Signature_is_my_only_one_method
 #2002  by ssj100
 Mon Aug 16, 2010 5:14 am
Well it's been about 2 hours since you released this POC, and I can confirm that Prevx still hasn't black-listed it. Again, this emphasises the poor zero-day/zero-hour capabilities of software like Prevx (despite the marketing strategies and what the "fanboys" of Prevx might say).

Anyway, tested with Prevx version 3.0.5.188 on Windows XP, 32-bit, Admin account - Prevx is terminated from the system tray. When I try to bring back its GUI, it appears for about 1 second then gets spontaneously terminated.
 #2006  by EP_X0FF
 Mon Aug 16, 2010 10:53 am
Sources have been published @ rootkit.com
Thread will be locked until something sane comes from Prevx other than stupid signatures.

@Prevx
"internal testing", "cannot run" - this is named Fail at failing.
 #2021  by EP_X0FF
 Tue Aug 17, 2010 4:55 am
Good news for Prevx users :)
New beta 189 is out.

They revised the NtOpenProcess hook, revised the NtDuplicateObject hook, added an NtDebugActiveProcess hook and now think that:
http://rootkit.com/board.php?thread=140 ... disp=14079 it is kinda "The End"

No, it's not =))) Another fail from Prevx.

Trusted members can contact me to get new version.
Last edited by EP_X0FF on Tue Aug 17, 2010 5:33 am, edited 1 time in total. Reason: more info added
 #2023  by EP_X0FF
 Tue Aug 17, 2010 6:37 am
Demo of 189 successful termination, no chances for resurrection =) Played perfectly by MPC.
As the Prevx developers now think this is "The End", I will simply use other builds of UnPrevx =)
What a problem. "The End" will only be when I tell it.
Keep failing.
 #2024  by SecConnex
 Tue Aug 17, 2010 6:41 am
If they don't keep improving their product, their product will continually be vulnerable.
 #2025  by EP_X0FF
 Tue Aug 17, 2010 6:45 am
Sure, saying "The End" is quite naive, especially for Daniel, a 30-year-old developer.
 #2026  by ssj100
 Tue Aug 17, 2010 8:43 am
Tested with the latest POC (the one not released publicly yet). Prevx 3.0.5.189 doesn't black-list it (again, emphasising the pathetic...sorry, harsh word...the poor zero-day/zero-hour protection).

Prevx is successfully terminated. This POC seems to work much more smoothly than the previous few.

EDIT: it still doesn't work in a LUA. This once again shows the benefits of running in a LUA. You could almost say that Prevx's poor self protection becomes bullet-proof in a LUA haha.