Hello Kernelmode :)
In this post I'll show you how to block the work of AV software, and the example victim will of course be Kaspersky :lol:
After some research, in smss.exe I came across the function NtCreatePagingFile.
Its definition is as follows:
```c
NTSTATUS NtCreatePagingFile(
    IN PUNICODE_STRING PageFileName,
    IN PLARGE_INTEGER InitialSize,
    IN PLARGE_INTEGER MaximumSize,
    IN ULONG Reserved
);
```
It's not a secret that smss.exe uses this function to create swap files during the Windows OS startup process.
The session manager takes the parameters for this API from the registry key:
\Registry\Machine\System\CurrentControlSet\Control\Session Manager\Memory
PagingFiles - path to page files with initial and maximum size
In general, the idea is to use swap file creation for our needs.
Use NtCreatePagingFile with the PageFileName parameter equal to, for example, the path to the AV's drivers.
The result of this experiment was successful: the AV drivers were overwritten by a swap file.
Further attempts were made to swap the main DLL of Kaspersky, but alas, NtCreatePagingFile returned STATUS_SHARING_VIOLATION.
After that, I came up with another idea: to create a swap file of this type:
C:\%path_to_kaspersky_dir%\avp.exe.manifest
That is, we create a fake manifest file; as a result, after reboot Kaspersky could not run any GUI or service process :twisted:
Limitations, notes:
- NtCreatePagingFile checks at the start the current number of page files (MmNumberOfPagingFiles) against a value hardcoded in the function body and returns STATUS_TOO_MANY_PAGING_FILES if they are equal (on my Windows XP it is 16)
- We need SeCreatePagefilePrivilege to use the function NtCreatePagingFile
- Of course, locking the AV software would work after reboot
- NtCreatePagingFile extends the page file maximum on the currently running system, but after reboot our created file will not be a page file. And here is the funny moment: if we create a manifest file in the AV directory, we cannot delete it after reboot, because the AV protects its files :)
Vulnerable:
- Kaspersky
- Eset
- Avast
- McAfee
- AVG
- ZoneAlarm
- Panda 2013
- DrWeb
http://www.sendspace.com/file/oyhly7
It would be cool if you tested this method with another AV :)
Thanks for reading ^_^ and many thanks to EP_X0FF for helping me.
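A defender-side check for what this post describes, added here as an example that is not part of the original post and not any AV vendor's code: it parses entries in the format of the PagingFiles REG_MULTI_SZ value ("<path> <initial MB> <maximum MB>", or "?:\pagefile.sys" for a system-managed file) and flags any page file that is not a pagefile.sys or swapfile.sys sitting at a volume root, which is exactly what a page file planted inside a product directory looks like. The sample entries are constructed for the demo; the registry location in `read_live_entries` is assumed from the standard Windows key layout (`HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`) and is only used on a Windows host.

```python
"""Audit Windows page-file entries for paths that do not look like a real page file.

Added example (not from the original post). Sample entries below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# File names a legitimate page file is expected to have.
EXPECTED_NAMES = {"pagefile.sys", "swapfile.sys"}


@dataclass
class PagingFileEntry:
    path: str
    initial_mb: Optional[int]
    maximum_mb: Optional[int]


def parse_entry(entry: str) -> PagingFileEntry:
    """Split one PagingFiles entry into its path and optional sizes.

    The path may contain spaces, so size tokens are peeled off the right end
    only while they are integers (at most two of them).
    """
    tokens = entry.strip().split()
    sizes: List[int] = []
    while tokens and len(sizes) < 2 and tokens[-1].isdigit():
        sizes.insert(0, int(tokens.pop()))
    path = " ".join(tokens)
    initial = sizes[0] if sizes else None
    maximum = sizes[1] if len(sizes) == 2 else None
    return PagingFileEntry(path, initial, maximum)


def suspicious_reasons(entry: PagingFileEntry) -> List[str]:
    """Return why an entry looks wrong; an empty list means it looks normal."""
    reasons: List[str] = []
    path = entry.path.replace("/", "\\")
    drive, _, rest = path.partition("\\")
    if "\\" in rest:
        directory, name = rest.rsplit("\\", 1)
    else:
        directory, name = "", rest
    name = name.lower()
    if name not in EXPECTED_NAMES:
        reasons.append(f"unexpected file name {name!r}")
    if directory:
        # A page file inside a subdirectory (e.g. a product folder) is the
        # pattern described in the post; real page files live at the root.
        reasons.append(f"not at volume root (directory {directory!r})")
    if not (len(drive) == 2 and drive[1] == ":"):
        # "?:" is the normal placeholder for a system-managed page file.
        reasons.append(f"unexpected drive spec {drive!r}")
    return reasons


def audit(entries: List[str]) -> List[Tuple[str, List[str]]]:
    """Parse every entry and collect (path, reasons) for the suspicious ones."""
    findings = []
    for raw in entries:
        parsed = parse_entry(raw)
        reasons = suspicious_reasons(parsed)
        if reasons:
            findings.append((parsed.path, reasons))
    return findings


def read_live_entries() -> List[str]:
    """Read the real PagingFiles value on a Windows host (assumed key path)."""
    import winreg  # only available on Windows; not used by the offline demo
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, kind = winreg.QueryValueEx(key, "PagingFiles")
    return list(value) if kind == winreg.REG_MULTI_SZ else [str(value)]


# Constructed sample: two normal entries and two that mimic a planted page file.
SAMPLE_ENTRIES = [
    r"C:\pagefile.sys 2048 4096",
    r"?:\pagefile.sys",
    r"C:\Program Files\ExampleAV\example.exe.manifest 16 16",
    r"D:\Drivers\example.sys 16 16",
]

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_ENTRIES):
        print(f"{path}: {'; '.join(reasons)}")
```

As the post notes, a page file created with a direct NtCreatePagingFile call does not survive a reboot, so this registry audit catches the persistent configuration case; for the live system, the same `suspicious_reasons` check can be run over the page files reported by the Win32_PageFileUsage WMI class.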