A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #1778  by EP_X0FF
 Thu Aug 05, 2010 4:03 am
187 build added NtDuplicateObject hook in SSDT :) Good, let see what they can do with next release =)
 #1779  by ssj100
 Thu Aug 05, 2010 4:11 am
Next release?
 #1780  by EP_X0FF
 Thu Aug 05, 2010 4:18 am
Sure :) Or somebody really think that hooking SSDT is really good protection?
 #1781  by ssj100
 Thu Aug 05, 2010 4:20 am
EP_X0FF wrote:Sure :) Or somebody really think that hooking SSDT is really good protection?
Oh, I thought you meant next release of Prevx (which confused me). Well, I'll look forward to testing your "next release".
 #1783  by EP_X0FF
 Thu Aug 05, 2010 4:29 am
Done, Prevx 187 successfully terminated with all it's hooks from pure user mode :) I will publish proof video today and killer soon (don't want to trash rootkit com blogs with this series too faster :)).
 #1785  by ssj100
 Thu Aug 05, 2010 4:35 am
EP_X0FF wrote:Done, Prevx 187 successfully terminated with all it's hooks from pure user mode :) I will publish proof video today and killer soon (don't want to trash rootkit com blogs with this series too faster :)).
Wow, that was fast haha. Faster than the time it took Prevx to patch their protection. I suppose once Prevx is terminated on a system, it can offer no protection whatsoever to the user. Can I ask, how come you're only targeting Prevx? Are other security products not also vulnerable to your method(s)? Thanks.
 #1786  by EP_X0FF
 Thu Aug 05, 2010 4:53 am
Any AV product without HIPS component is vulnerable and has weak self-protection.
Prevx is just have a worst self-protection I've seen for all AV products I tried.
Definitely this help them to improve. Some sort of motivation. However everything I used before and in next release - well known since ages.
It is very strange Prevx self-protection authors don't know these methods. Must be they still testing programs with APT which is total trash.

Attached swf video demo of 187 build kill.
Attachments
(668.1 KiB) Downloaded 55 times
 #1787  by ssj100
 Thu Aug 05, 2010 5:11 am
I can barely see anything in the video, but thanks anyway. I'll wait for the actual file to be released.
 #1806  by EP_X0FF
 Thu Aug 05, 2010 1:12 pm
This swf file must be played okay, at least MediaPlayerClassic plays it good.

I just finished second bypass of Prevx3 self-protection, so I've two ready to use different versions of UnPrevx.
 #1810  by EP_X0FF
 Thu Aug 05, 2010 5:23 pm
Updated UnPrevx successfully terminating Prevx3 executables (build 187 from 05 August 2010) from pure user mode.

pass: i_can_hook_O_o_i_can_hook
Attachments
(12.19 KiB) Downloaded 57 times