Vba32arkit (always SIGNED )

#4335 by STRELiTZIA
Fri Jan 07, 2011 6:18 pm

Hello,
Just for fun... :mrgreen:

Tests:
1- Uses fake "vba32w.dll" to Hijacking "Vba32Arkit.exe".
2- Uncheck Use AntiVirus kernel before testing.

User-mode hook (WinVerifyTrust proc) performed to returns valid value for no signed application.

Attached fake "vba32w.dll"

Regards.

Attachments

vba32w.rar

(7.67 KiB) Downloaded 34 times

Username

STRELiTZIA

Posts

104

Joined

Sun Mar 14, 2010 7:02 am

Re: Vba32arkit (always SIGNED )

#4336 by EP_X0FF
Fri Jan 07, 2011 6:20 pm

Hi,

Does it not check it's own dlls before working?

Regards.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Vba32arkit (always SIGNED )

#4337 by STRELiTZIA
Fri Jan 07, 2011 6:23 pm

Does it not check it's own dlls before working?

Yes

Username

STRELiTZIA

Posts

104

Joined

Sun Mar 14, 2010 7:02 am

Re: Vba32arkit (always SIGNED )

#4338 by EP_X0FF
Fri Jan 07, 2011 6:26 pm

So as in fact you can put any malicious code inside this dll and VBA app will execute it. I suppose it runs only with admin privileges.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Vba32arkit (always SIGNED )

#4349 by STRELiTZIA
Sat Jan 08, 2011 10:55 am

Hello,
Flash demo attached.

Vba32arkit (VirusBlokAda Ltd)
Process Explorer (Sysinternals)
sigcheck (Sysinternals)

Regards.

Attachments

WinVerifyTrustHookDemo.rar

(611.41 KiB) Downloaded 43 times

Username

STRELiTZIA

Posts

104

Joined

Sun Mar 14, 2010 7:02 am

Re: Vba32arkit (always SIGNED )

#4940 by sergey ulasen
Mon Feb 07, 2011 4:25 pm

Hi,

STRELiTZIA, thx!

We will work on the self-protection more closely.

You can send your researches to support@anti-virus.by .

Username

sergey ulasen

Posts

13

Joined

Tue Aug 31, 2010 9:49 am