A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #3859  by kmd
 Tue Dec 07, 2010 3:21 am
LiatLevontin wrote:So for example, for Kaspersky, why doesn't an attacker try to open the Kaspersky driver handle and send an IOCTL to kill a process, unprotect a process, etc. etc. for bypassing Kaspersky itself? I'm sure they have a function in the kernel for such stuff, like terminating a process, killing a file, etc. etc.

What do you think?
Because Kaspersky makes this complicated, and why do you think vulnerabilities in its driver weren't exploited before? AFAIR the Kaspersky removal tool was exploited by malware earlier: http://forum.kaspersky.com/index.php?sh ... 65476&st=0, http://cracklab.ru/f/index.php?action=v ... opic=11664. This tool does exactly what you said.
 #4026  by LiatLevontin
 Thu Dec 16, 2010 3:39 pm
First of all, thanks to all replies, I learned a lot from you. Finally it seems there isn't a good way of achieving this end, right? All users can reverse the driver IOCTL and use our driver, right?
 #4030  by EP_X0FF
 Thu Dec 16, 2010 4:17 pm
All users can reverse the driver IOCTL and use our driver, right?
Not all. And it is not necessary to use only IOCTLs. This thread has described well many methods of complicating the work of would-be attackers.
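Added example (written for this thread, not code from any poster here and not from any vendor's driver): a portable C model of an IOCTL dispatch routine that enforces the access bits encoded in the control code against the rights granted on the caller's handle and rejects malformed buffers. This is the mechanism that decides whether "all users" can drive a privileged code such as an unprotect-process request: the I/O manager only grants write access on the handle if the device object's security descriptor allows it, so a handler that encodes FILE_WRITE_ACCESS into its dangerous codes and validates input cannot be reached by an arbitrary user process, whatever the attacker learned by sniffing. The CTL_CODE layout matches the Windows macro; the device type, the two control codes, caller_t and last_unprotected_pid are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Windows builds a control code as CTL_CODE(DeviceType, Function, Method, Access).
 * The macros below restate that layout so the example compiles without ntddk.h;
 * the device type and the two control codes themselves are hypothetical. */
#define METHOD_BUFFERED   0u
#define FILE_ANY_ACCESS   0u
#define FILE_READ_ACCESS  1u
#define FILE_WRITE_ACCESS 2u
#define CTL_CODE(type, func, method, access) \
    (((uint32_t)(type) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(func) << 2) | (uint32_t)(method))
#define IOCTL_TYPE(code)     ((code) >> 16)
#define IOCTL_ACCESS(code)   (((code) >> 14) & 3u)
#define IOCTL_FUNCTION(code) (((code) >> 2) & 0xFFFu)

#define FILE_DEVICE_EXAMPLE 0x8000u  /* vendor-defined range; hypothetical */
#define IOCTL_EXAMPLE_GET_VERSION \
    CTL_CODE(FILE_DEVICE_EXAMPLE, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS)
#define IOCTL_EXAMPLE_UNPROTECT \
    CTL_CODE(FILE_DEVICE_EXAMPLE, 0x801, METHOD_BUFFERED, FILE_WRITE_ACCESS)

/* Outcomes named after the NTSTATUS values a real driver would return. */
typedef enum {
    STATUS_SUCCESS = 0,
    STATUS_INVALID_DEVICE_REQUEST,
    STATUS_INVALID_PARAMETER,
    STATUS_BUFFER_TOO_SMALL,
    STATUS_ACCESS_DENIED
} status_t;

/* What a driver effectively gets from the handle: the access rights the I/O
 * manager granted at open time. Those rights come from the device object's
 * security descriptor, so a descriptor that grants write access only to
 * SYSTEM and Administrators is what keeps an ordinary user process away
 * from the privileged codes. (Hypothetical struct standing in for the IRP.) */
typedef struct { uint32_t granted_access; } caller_t;

typedef struct { uint32_t pid; } unprotect_request_t;

/* Records the last accepted request so the effect is observable. */
uint32_t last_unprotected_pid = 0;

status_t dispatch_ioctl(const caller_t *caller, uint32_t code,
                        const void *in, size_t in_len,
                        void *out, size_t out_len) {
    if (IOCTL_TYPE(code) != FILE_DEVICE_EXAMPLE)
        return STATUS_INVALID_DEVICE_REQUEST;

    /* Require the access bits encoded in the code to be present on the
     * handle. The I/O manager enforces this too; repeating it here makes
     * the requirement explicit and survives a misconfigured device. */
    uint32_t need = IOCTL_ACCESS(code);
    if ((caller->granted_access & need) != need)
        return STATUS_ACCESS_DENIED;

    switch (code) {
    case IOCTL_EXAMPLE_GET_VERSION:
        if (out == NULL || out_len < sizeof(uint32_t))
            return STATUS_BUFFER_TOO_SMALL;
        *(uint32_t *)out = 0x00010000u;  /* constructed version value */
        return STATUS_SUCCESS;

    case IOCTL_EXAMPLE_UNPROTECT: {
        /* Exact-size check: a replayed buffer of the wrong shape is
         * rejected outright rather than partially interpreted. */
        if (in == NULL || in_len != sizeof(unprotect_request_t))
            return STATUS_INVALID_PARAMETER;
        const unprotect_request_t *req = (const unprotect_request_t *)in;
        if (req->pid == 0 || req->pid == 4)   /* example policy: never Idle/System */
            return STATUS_INVALID_PARAMETER;
        last_unprotected_pid = req->pid;
        return STATUS_SUCCESS;
    }

    default:
        return STATUS_INVALID_DEVICE_REQUEST;
    }
}

int main(void) {
    caller_t user_ro  = { FILE_READ_ACCESS };
    caller_t admin_rw = { FILE_READ_ACCESS | FILE_WRITE_ACCESS };
    unprotect_request_t req = { 1234 };  /* constructed request */
    printf("read-only handle -> UNPROTECT: status %d\n",
           dispatch_ioctl(&user_ro, IOCTL_EXAMPLE_UNPROTECT, &req, sizeof req, NULL, 0));
    printf("admin handle     -> UNPROTECT: status %d\n",
           dispatch_ioctl(&admin_rw, IOCTL_EXAMPLE_UNPROTECT, &req, sizeof req, NULL, 0));
    return 0;
}
```

In a real driver the granted_access field is not something the handler invents: it follows from the security descriptor applied when the device object is created (for example with IoCreateDeviceSecure and an SDDL string), and the I/O manager compares it with the access bits of the control code before the dispatch routine ever runs. The point for this thread is that the check which keeps a random user process from sending "unprotect" is the handle open, not obfuscation of the request format.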
 #4070  by kmd
 Tue Dec 21, 2010 2:43 am
I would consider a commercial PE file protector like VMProtect; it works with drivers.

Not an ad :)
 #4074  by GamingMasteR
 Tue Dec 21, 2010 7:38 am
Even with heavy obfuscation techniques like in VMProtect/CodeVirtualizer, data can be sniffed easily from the I/O process if it's not protected by another method.
Once the I/O data is sniffed and its structure defined, it can be simulated easily ...
 #4140  by Fyyre
 Sun Dec 26, 2010 2:13 pm
GamingMasteR wrote:Even with heavy obfuscation techniques like in VMProtect/CodeVirtualizer, data can be sniffed easily from the I/O process if it's not protected by another method.
Once the I/O data is sniffed and its structure defined, it can be simulated easily ...
True. Simply hooking IopXxxControlFile and dumping the data from the device of choice... is how I RCE most of the GameGuard driver structures.

-Fyyre