A forum for reverse engineering, OS internals and malware analysis 

 #16684  by EP_X0FF
 Sun Nov 18, 2012 1:02 pm
Thanks for sharing.
rinn wrote: Nod32 6.0.115.0 - nod_demo.swf
A long time ago I was researching NOD32 v4.2 self-protection. AFAIR it protects csrss from NtWriteVirtualMemory, likely to avoid injection. A few years ago this was solved by a different injection method. How did you do it?
 #16685  by Alex
 Sun Nov 18, 2012 2:24 pm
Guys, you should remember the discussion about the "Microsoft Windows Window Message Subsystem Design Error Vulnerability", commonly called Shatter Attacks. I know it was a long time ago and current AV/FWs are no longer vulnerable to this attack, but if you are talking about bypassing self-protection/killing AV services (not the GUI), this method can be reused. I don't remember how many AVs with SP are vulnerable, but AVs like Kaspersky or Comodo have window controls related to their services, and simple message fuzzing or even EndTask will kill their services easily! This is quite funny, isn't it?

Even if NOD32 protects csrss from NtWriteVirtualMemory, you can use other methods to inject your code into csrss or to duplicate the needed handles from it. And what about other processes like lsass, or using proxy injection (injecting code into a selected trusted process and trying to inject code from it into csrss/lsass)? It is a never-ending story; there will always be methods to bypass AV SP even if they are hooking masters.
 #16686  by EP_X0FF
 Sun Nov 18, 2012 3:00 pm
Alex wrote: I don't remember how many AVs with SP are vulnerable, but AVs like Kaspersky or Comodo have window controls related to their services, and simple message fuzzing or even EndTask will kill their services easily! This is quite funny, isn't it?
Are you sure the Comodo service has associated windows? There is a lot of user32 stuff in the import, but no windows observed at all. The firewall alert comes from the GUI application. Maybe it needs specific circumstances? And EndTask should fail, because NtTerminateProcess is hooked by cmdguard.sys, as is message flooding because of the NtUserPostMessage, NtUserPostThreadMessage, NtUserMessageCall hooks. I don't think this works with Kaspersky either, since it hooks the same stuff. Any example?
 #16688  by rinn
 Sun Nov 18, 2012 7:30 pm
Hi.
EP_X0FF wrote: A long time ago I was researching NOD32 v4.2 self-protection. AFAIR it protects csrss from NtWriteVirtualMemory, likely to avoid injection. A few years ago this was solved by a different injection method. How did you do it?
Yes indeed, it blocks 'write' to the VA of csrss, as well as lsass.

The version that I tested intercepted a lot of important system services, for example NtQueueApcThread (must again be against injection). But as always there exists a backdoor, which consists in a trusted process. So I located it and used it impudently ;) Frankly speaking, I expected a BSoD from Nod32, because their drivers were always a subject of suspicion - 4.0 suffered from multiple BSoDs. A few years ago it was possible to uninstall this product by sending a specific IO control code to their driver.
Alex wrote: It is a never-ending story; there will always be methods to bypass AV SP even if they are hooking masters.
I believe it is not 100% true. As an example, see DefenseWall. You can control most of the termination methods and driver loading, but this affects user experience (multiple allow/disallow popups) and slows down system performance. Like any SP it only works for user mode, due to the obvious axiom that ring0 'rules them all'. ISV developers are mostly aware of the quality of their product, what it can do in reality and what it can't. Of course no one will say this in public.

Even if we consider that the practical benefit of Self-Defense, as well as of bypassing it, is very low and doubtful, most ISVs are still forced to do it for marketing reasons. If an ISV is big and rich it may not pay much attention to this feature, as it is mostly marketing like I said. A big corporation like Microsoft, for example, does not consider SP as something required, because they rightly believe that if computer security is already compromised and the intruder is running with supervisor privileges, your computer is no longer yours. Let's say, many things in modern AVs exist only because of marketing power. For example, modules called 'Anti-Rootkits'. I hope this tragedy in terms of system programming will be history as soon as most computers are forced to use an x64 OS and the operating system more or less guarantees protection against the penetration of unknown code into privileged execution levels.

But this 'terminate me' game is really enjoyable, because it forces you to find non-standard approaches for solving trivial tasks ;)

Best Regards,
-rin
 #16691  by EP_X0FF
 Mon Nov 19, 2012 2:41 am
rinn wrote: Yes indeed, it blocks 'write' to the VA of csrss, as well as lsass.

The version that I tested intercepted a lot of important system services, for example NtQueueApcThread (must again be against injection). But as always there exists a backdoor, which consists in a trusted process. So I located it and used it impudently ;)
Hello,

Got it, thanks. I can confirm NOD32 Security Suite v6 terminated from user mode without any chance to survive. Also the service crashed on an attempt to restart and after a Windows reboot.

Thread renamed.

Regards.
 #16701  by rinn
 Mon Nov 19, 2012 4:52 pm
Hi, EP_X0FF.

I have a proposal for you :)

Can you share with me the sources of your latest Spidie? I don't remember exactly; it must be something like 2.0 for Dr.Web 6.0 dwprot. In exchange I will do a Dr.Web 8.0 termination PoC based on this code, let's say Spidie EX, and share it with you in memory of the good old rootkit.com times ;)

I've been playing a little today with their latest version and I found this KGB antivirus pretty much vulnerable despite the numerous kernel modifications it does; well, you know how dwprot.sys works.

It now sets up a few more interceptors in the SSDT. Again against injection and syscall table restoration.

Syscalls
0011   0006  HOOK-> dwprot+0x1d560 (f8490560) ##### Original -> nt!NtAllocateVirtualMemory (805a8aba)
0035   0008  HOOK-> dwprot+0x1fcec (f8492cec) ##### Original -> nt!NtCreateThread (805d1018)
0053   0004  HOOK-> dwprot+0x1d8de (f84908de) ##### Original -> nt!NtFreeVirtualMemory (805b2fb2)
007D   0003  HOOK-> dwprot+0x1d284 (f8490284) ##### Original -> nt!NtOpenSection (805aa3ec)
00B4   0005  HOOK-> dwprot+0x1fe7e (f8492e7e) ##### Original -> nt!NtQueueApcThread (805d1276)
00D5   0002  HOOK-> dwprot+0x1ff1e (f8492f1e) ##### Original -> nt!NtSetContextThread (805d173a)
00FF   0006  HOOK-> dwprot+0x1d13a (f849013a) ##### Original -> nt!NtSystemDebugControl (806180ba)
0115   0005  HOOK-> dwprot+0x1da22 (f8490a22) ##### Original -> nt!NtWriteVirtualMemory (805b43cc)
Objects (DKOH)
lkd> !object \ObjectTypes\Process
Object: 825c6e70  Type: (825eb578) Type
    ObjectHeader: 825c6e58 (old version)
    HandleCount: 0  PointerCount: 2
    Directory Object: e1009b28  Name: Process
lkd> dt _OBJECT_TYPE 825c6e70 TypeInfo.
ntdll!_OBJECT_TYPE
   +0x060 TypeInfo  : 
      +0x000 Length    : 0x4c
      +0x002 UseDefaultObject : 0 ''
      +0x003 CaseInsensitive : 0 ''
      +0x004 InvalidAttributes : 0xb0
      +0x008 GenericMapping : _GENERIC_MAPPING
      +0x018 ValidAccessMask : 0x1f0fff
      +0x01c SecurityRequired : 0x1 ''
      +0x01d MaintainHandleCount : 0 ''
      +0x01e MaintainTypeList : 0x1 ''
      +0x020 PoolType  : 0 ( NonPagedPool )
      +0x024 DefaultPagedPoolCharge : 0x1000
      +0x028 DefaultNonPagedPoolCharge : 0x290
      +0x02c DumpProcedure : (null) 
      +0x030 OpenProcedure : 0xf848da6e        long  +0
      +0x034 CloseProcedure : (null) 
      +0x038 DeleteProcedure : 0xf848dfe4        void  +0
      +0x03c ParseProcedure : (null) 
      +0x040 SecurityProcedure : 0x805f8a98        long  nt!SeDefaultObjectMethod+0
      +0x044 QueryNameProcedure : (null) 
      +0x048 OkayToCloseProcedure : (null) 
lkd> u 0xf848da6e        
dwprot+0x1aa6e:
f848da6e 8bff            mov     edi,edi
f848da70 55              push    ebp
f848da71 8bec            mov     ebp,esp
f848da73 837d0c00        cmp     dword ptr [ebp+0Ch],0
f848da77 7405            je      dwprot+0x1aa7e (f848da7e)
f848da79 8b450c          mov     eax,dword ptr [ebp+0Ch]
f848da7c eb06            jmp     dwprot+0x1aa84 (f848da84)
f848da7e ff15a46c47f8    call    dword ptr [dwprot+0x3ca4 (f8476ca4)]

lkd> !object \ObjectTypes\Thread
Object: 825c6ca0  Type: (825eb578) Type
    ObjectHeader: 825c6c88 (old version)
    HandleCount: 0  PointerCount: 2
    Directory Object: e1009b28  Name: Thread
lkd> dt _OBJECT_TYPE 825c6ca0 TypeInfo.
ntdll!_OBJECT_TYPE
   +0x060 TypeInfo  : 
      +0x000 Length    : 0x4c
      +0x002 UseDefaultObject : 0 ''
      +0x003 CaseInsensitive : 0 ''
      +0x004 InvalidAttributes : 0xb0
      +0x008 GenericMapping : _GENERIC_MAPPING
      +0x018 ValidAccessMask : 0x1f03ff
      +0x01c SecurityRequired : 0x1 ''
      +0x01d MaintainHandleCount : 0 ''
      +0x01e MaintainTypeList : 0x1 ''
      +0x020 PoolType  : 0 ( NonPagedPool )
      +0x024 DefaultPagedPoolCharge : 0
      +0x028 DefaultNonPagedPoolCharge : 0x288
      +0x02c DumpProcedure : (null) 
      +0x030 OpenProcedure : 0xf848e012        long  +0
      +0x034 CloseProcedure : (null) 
      +0x038 DeleteProcedure : 0x805d1e9c        void  nt!PspThreadDelete+0
      +0x03c ParseProcedure : (null) 
      +0x040 SecurityProcedure : 0x805f8a98        long  nt!SeDefaultObjectMethod+0
      +0x044 QueryNameProcedure : (null) 
      +0x048 OkayToCloseProcedure : (null) 
lkd> u 0xf848e012
dwprot+0x1b012:
f848e012 8bff            mov     edi,edi
f848e014 55              push    ebp
f848e015 8bec            mov     ebp,esp
f848e017 837d0c00        cmp     dword ptr [ebp+0Ch],0
f848e01b 7405            je      dwprot+0x1b022 (f848e022)
f848e01d 8b450c          mov     eax,dword ptr [ebp+0Ch]
f848e020 eb06            jmp     dwprot+0x1b028 (f848e028)
f848e022 ff15a46c47f8    call    dword ptr [dwprot+0x3ca4 (f8476ca4)]
Best Regards,
-rin
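A small triage helper, added here as an example (not code from the thread, from Spidie or from Dr.Web): it parses the two listings rinn posted above, the SSDT hook table and the `dt _OBJECT_TYPE ... TypeInfo.` dump, and reports which services are redirected into dwprot and which object-type procedures no longer resolve to an nt! symbol, which is the DKOH signature visible on Process/Thread OpenProcedure. The sample strings are copied from the post; the regexes assume exactly that WinDbg line layout.

```python
import re

# One SSDT row from the post, e.g.
# "0011   0006  HOOK-> dwprot+0x1d560 (f8490560) ##### Original -> nt!NtAllocateVirtualMemory (805a8aba)"
SSDT_RE = re.compile(
    r"^(?P<index>[0-9A-Fa-f]{4})\s+(?P<argc>[0-9A-Fa-f]{4})\s+HOOK->\s+"
    r"(?P<hook>\S+)\s+\((?P<hook_va>[0-9a-f]+)\)\s+#+\s+Original\s+->\s+"
    r"(?P<orig>\S+)\s+\((?P<orig_va>[0-9a-f]+)\)"
)

# One procedure field from `dt _OBJECT_TYPE <addr> TypeInfo.`, either
# "+0x030 OpenProcedure : 0xf848da6e  long  +0"  (no module symbol: hooked)
# "+0x040 SecurityProcedure : 0x805f8a98  long  nt!SeDefaultObjectMethod+0"
PROC_RE = re.compile(
    r"^\s*\+0x[0-9a-f]+\s+(?P<name>\w+Procedure)\s*:\s*"
    r"(?:\(null\)|(?P<va>0x[0-9a-f]+)\s+\w+\s+(?P<sym>\S+))"
)

def parse_ssdt_hooks(text):
    """Return (service index, hooking module, original nt! symbol) per hooked row."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            module = m.group("hook").split("+", 1)[0]   # "dwprot+0x1d560" -> "dwprot"
            hooks.append((int(m.group("index"), 16), module, m.group("orig")))
    return hooks

def find_hooked_procedures(text):
    """Return TypeInfo procedure names whose non-null target is not an nt! symbol."""
    hooked = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m and m.group("va") and not m.group("sym").startswith("nt!"):
            hooked.append(m.group("name"))
    return hooked

# Sample input: two SSDT rows and four TypeInfo fields copied from the post above.
SSDT_SAMPLE = """\
0011   0006  HOOK-> dwprot+0x1d560 (f8490560) ##### Original -> nt!NtAllocateVirtualMemory (805a8aba)
0115   0005  HOOK-> dwprot+0x1da22 (f8490a22) ##### Original -> nt!NtWriteVirtualMemory (805b43cc)
"""
TYPEINFO_SAMPLE = """\
      +0x030 OpenProcedure : 0xf848e012        long  +0
      +0x034 CloseProcedure : (null) 
      +0x038 DeleteProcedure : 0x805d1e9c        void  nt!PspThreadDelete+0
      +0x040 SecurityProcedure : 0x805f8a98        long  nt!SeDefaultObjectMethod+0
"""

if __name__ == "__main__":
    for idx, mod, orig in parse_ssdt_hooks(SSDT_SAMPLE):
        print(f"SSDT[0x{idx:03x}] {orig} -> hooked by {mod}")
    print("hooked TypeInfo procedures:", find_hooked_procedures(TYPEINFO_SAMPLE))
```

Run against a full `dt _OBJECT_TYPE ... TypeInfo.` dump of every type under \ObjectTypes to get the complete list of redirected procedures, not just Process and Thread.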
 #16702  by EP_X0FF
 Mon Nov 19, 2012 5:06 pm
Hello,

Yes, the final version was 2.2 dated 09/08/2010.

PM sent. Everything else via ICQ :)

Regards.
 #16704  by Alex
 Mon Nov 19, 2012 6:27 pm
EP_X0FF wrote: Are you sure the Comodo service has associated windows? There is a lot of user32 stuff in the import, but no windows observed at all. The firewall alert comes from the GUI application. Maybe it needs specific circumstances? And EndTask should fail, because NtTerminateProcess is hooked by cmdguard.sys, as is message flooding because of the NtUserPostMessage, NtUserPostThreadMessage, NtUserMessageCall hooks. I don't think this works with Kaspersky either, since it hooks the same stuff. Any example?
The windows I am talking about are mostly not created by the AVs directly; they are created by OLE or something like that, I am not sure. I've also observed that they are not always created. For example, when you install KIS 2013 on Win XP SP3 (tested), there should be one window related to the KIS service; after reboot this window was gone. Please correct me guys if I am wrong, but after installation KIS should be fully protected, isn't it? You can't terminate it (the service process) by using, for example, ProcessExplorer, but you can terminate it by a simple EndTask using this magic window - don't ask me why, because I don't know. I couldn't test EndTask after reboot, so I don't know if this always works. I can only confirm that after reboot I couldn't kill Comodo's service using EndTask. Also, in both cases, even if Kaspersky and Comodo hook NtUserPostMessage, NtUserPostThreadMessage, NtUserMessageCall, it is possible to send their GUIs malformed messages which will terminate them (unhandled exceptions). But this is nothing special.
As far as I remember, NOD32 didn't fully restrict access to its processes/threads, so it should be possible to play with its VM - am I right?
rinn wrote: I believe it is not 100% true. As an example, see DefenseWall.
I didn't use DefenseWall, so I don't know how good the protection it provides is. Is it immune to the attacks mentioned in this topic?
rinn wrote: But this 'terminate me' game is really enjoyable, because it forces you to find non-standard approaches for solving trivial tasks ;)
I agree with this.
 #16710  by kmd
 Tue Nov 20, 2012 4:07 am
Alex wrote: As far as I remember, NOD32 didn't fully restrict access to its processes/threads, so it should be possible to play with its VM - am I right?
If you mean egui.exe, then it is useless to inject into it. This GUI client costs nothing.

drweb & kaspersky
http://www.anti-malware.ru/antivirus_se ... _test_2010

platinum awards :D
 #16711  by EP_X0FF
 Tue Nov 20, 2012 4:24 am
kmd wrote: drweb & kaspersky
http://www.anti-malware.ru/antivirus_se ... _test_2010

platinum awards :D
A collection of out-of-date methods used for marketing purposes. You should perfectly understand the simple fact: if malware really wants to be an AV killer, it will use a targeted attack on a given product, not facepalm TerminateProcess/TerminateThread and other methods ripped from the ancient DiamondCS APT (Advanced Process Termination).