A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #15893  by EP_X0FF
 Fri Oct 05, 2012 9:04 am
NtCl0$e wrote: so it hints my code is more valuable :)
Correct me if I'm wrong. You mean any new code? Because the old one does not work with v13.
 #15894  by R00tKit
 Fri Oct 05, 2012 9:29 am
Correct me if I'm wrong. You mean any new code? Because the old one does not work with v13.
0x16/7ton says it uses my code.
This PoC updates the NtClose code with some features.

@0x16/7ton you used my code? Your PoC is based on my code? Can you share it with me? As EP says, it doesn't work with 2013.
 #15902  by EP_X0FF
 Sun Oct 07, 2012 1:36 am
Based on previous ideas, I did some experiments and after a small improvement successfully terminated ALL Kaspersky 2013 processes from user mode. No warnings from the AV, nothing - just death. So currently there are several confirmed and pretty easy ways to shut down this monstrous AV. Because this is based on previous research I will not share details - this is all for the above author.
 #15910  by EP_X0FF
 Sun Oct 07, 2012 2:03 pm
kmd wrote: any list of hooked functions? I don't want to install this.
Maybe I know some other way to kick it out.
ntoskrnl.exe-->NtAdjustPrivilegesToken, Type: Address Change 0x8058D0A1-->F46BA356 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtClose, Type: Address Change 0x805678DD-->F465686A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtConnectPort, Type: Address Change 0x805879EB-->F466D5F8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateEvent, Type: Address Change 0x8056D57A-->F4656DE2 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateMutant, Type: Address Change 0x80578037-->F4656CC8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreatePort, Type: Address Change 0x805975B1-->F466D91E [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateProcess, Type: Address Change 0x805B135A-->F46BC2D0 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateProcessEx, Type: Address Change 0x8057FC60-->F46BC4EC [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateSection, Type: Address Change 0x805652B3-->F46BD3AC [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateSemaphore, Type: Address Change 0x8057243B-->F4656F02 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateThread, Type: Address Change 0x8058E63F-->F46BC9B0 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateWaitablePort, Type: Address Change 0x805DB124-->F466D9EC [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDebugActiveProcess, Type: Address Change 0x8065B1CD-->F46BC176 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDeleteKey, Type: Address Change 0x805952BE-->F46676A0 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDeleteValueKey, Type: Address Change 0x80592D50-->F4668E88 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDeviceIoControlFile, Type: Address Change 0x8058EFAD-->F46568AE [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDuplicateObject, Type: Address Change 0x805715E0-->F46BA498 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtEnumerateKey, Type: Address Change 0x80570D64-->F4668694 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtEnumerateValueKey, Type: Address Change 0x8059066B-->F4669028 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtLoadDriver, Type: Address Change 0x805A3AF1-->F46BA100 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtLoadKey, Type: Address Change 0x805AED5D-->F46681D8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtLoadKey2, Type: Address Change 0x805AEB9A-->F4668430 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtMapViewOfSection, Type: Address Change 0x80573B61-->F46BD1A6 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtNotifyChangeKey, Type: Address Change 0x8058A68D-->F466BDE4 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenEvent, Type: Address Change 0x8057DCDD-->F4656E78 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenMutant, Type: Address Change 0x805780E5-->F4656D58 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Address Change 0x805717C7-->F46BBD1E [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenSection, Type: Address Change 0x80570FD7-->F46BD658 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenSemaphore, Type: Address Change 0x8059EFC5-->F4656F98 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenThread, Type: Address Change 0x8058A1BD-->F46BC70C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQueryKey, Type: Address Change 0x80570A6D-->F46674D4 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQueryMultipleValueKey, Type: Address Change 0x8064E320-->F4668C96 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQueryObject, Type: Address Change 0x8057F4A8-->F466BFF0 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQueryValueKey, Type: Address Change 0x8056A1F1-->F4668A8A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQueueApcThread, Type: Address Change 0x8059108B-->F46BD05A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtRenameKey, Type: Address Change 0x8064E79E-->F46677B4 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtReplaceKey, Type: Address Change 0x8064F0FA-->F4667E26 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtReplyPort, Type: Address Change 0x8057CCDA-->F466DC2C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtReplyWaitReceivePort, Type: Address Change 0x8056B82E-->F466DABA [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtReplyWaitReceivePortEx, Type: Address Change 0x8056B346-->F466DB70 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtRequestWaitReplyPort, Type: Address Change 0x80576CE6-->F466DC9C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtRestoreKey, Type: Address Change 0x8064EC91-->F466802C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtResumeThread, Type: Address Change 0x8058ECB2-->F46BCD86 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSaveKey, Type: Address Change 0x8064ED92-->F4667958 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSaveKeyEx, Type: Address Change 0x8064EE7D-->F4667AEE [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSaveMergedKeys, Type: Address Change 0x8064EFAA-->F4667C8A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSecureConnectPort, Type: Address Change 0x8058F4DE-->F466D786 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetContextThread, Type: Address Change 0x8062DCDF-->F46BCEE2 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetInformationToken, Type: Address Change 0x805A86F0-->F4657022 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetSystemInformation, Type: Address Change 0x805A7BDD-->F46BA20A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetValueKey, Type: Address Change 0x80572889-->F4668854 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSuspendProcess, Type: Address Change 0x8062F8C1-->F46BBEBE [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSuspendThread, Type: Address Change 0x805E045E-->F46BCC2E [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSystemDebugControl, Type: Address Change 0x80649CE3-->F4657034 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtTerminateProcess, Type: Address Change 0x805822E0-->F46BC01E [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtTerminateThread, Type: Address Change 0x8057B885-->F46BC8AC [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtUnmapViewOfSection, Type: Address Change 0x805736E6-->F46BD7C0 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtWriteVirtualMemory, Type: Address Change 0x8057E420-->F46BD4EA [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtGdiAlphaBlend, Type: Address Change 0xBF83B4CD-->F465DEC8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtGdiBitBlt, Type: Address Change 0xBF809FDF-->F465D640 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtGdiGetPixel, Type: Address Change 0xBF87882D-->F465DE82 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtGdiMaskBlt, Type: Address Change 0xBF838560-->F465D716 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtGdiPlgBlt, Type: Address Change 0xBF9438F8-->F465D786 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtGdiStretchBlt, Type: Address Change 0xBF873983-->F465D6AA [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtGdiTransparentBlt, Type: Address Change 0xBF857D74-->F465E016 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserAttachThreadInput, Type: Address Change 0xBF8F4FC9-->F465DBBE [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserCallOneParam, Type: Address Change 0xBF8010E7-->F465D60C [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserFindWindowEx, Type: Address Change 0xBF8B1369-->F465D374 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserGetAsyncKeyState, Type: Address Change 0xBF84928E-->F465D168 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserGetKeyboardState, Type: Address Change 0xBF852720-->F465D56A [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserGetKeyState, Type: Address Change 0xBF820E6C-->F465D1B8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserMessageCall, Type: Address Change 0xBF80EE6B-->F465D2BC [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserPostMessage, Type: Address Change 0xBF8089B4-->F465D208 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserPostThreadMessage, Type: Address Change 0xBF8B3D3D-->F465D260 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserRegisterHotKey, Type: Address Change 0xBF8ADD61-->F465DC78 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserRegisterRawInputDevices, Type: Address Change 0xBF915BA7-->F465D4EA [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSendInput, Type: Address Change 0xBF8C31E7-->F465D320 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSetParent, Type: Address Change 0xBF879695-->F465DA4A [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSetWindowLong, Type: Address Change 0xBF832BEC-->F465CFBE [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSetWindowsHookEx, Type: Address Change 0xBF8527E0-->F465D018 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSetWinEventHook, Type: Address Change 0xBF8ED991-->F465D0C0 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserUnregisterHotKey, Type: Address Change 0xBF9128BE-->F465DD90 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserWindowFromPoint, Type: Address Change 0xBF8213A9-->F465D474 [C:\WINDOWS\system32\DRIVERS\klif.sys]
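As an added example (not code posted in this thread), a small Python parser for hook reports in the format listed above. It groups the hooked entries by the driver that owns them and by the class of syscall they cover, so an analyst can see at a glance which operations the self-defense driver mediates, and it flags any entry whose original address does not look like a kernel address. The sample lines are copied from the listing above; the syscall classes and the 0x80000000 kernel boundary (32-bit 2 GB/2 GB split) are my assumptions, not something the report format defines.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the report above; the addresses
# are copied from the listing in this thread. One junk line is included to
# show that non-entry lines are skipped rather than crashing the parser.
SAMPLE_REPORT = r"""
ntoskrnl.exe-->NtClose, Type: Address Change 0x805678DD-->F465686A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Address Change 0x805717C7-->F46BBD1E [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtTerminateProcess, Type: Address Change 0x805822E0-->F46BC01E [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetValueKey, Type: Address Change 0x80572889-->F4668854 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserFindWindowEx, Type: Address Change 0xBF8B1369-->F465D374 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSendInput, Type: Address Change 0xBF8C31E7-->F465D320 [C:\WINDOWS\system32\DRIVERS\klif.sys]
this line is not a hook entry
"""

# <hooked module>--><function>, Type: <hook type> 0x<orig>--><hook> [<owning driver>]
LINE_RE = re.compile(
    r"^(?P<module>\S+?)-->(?P<function>\w+),\s*Type:\s*(?P<type>.+?)\s+"
    r"0x(?P<orig>[0-9A-Fa-f]+)-->(?P<hook>[0-9A-Fa-f]+)\s*\[(?P<driver>[^\]]+)\]\s*$"
)

# Assumption: on 32-bit Windows with the default split, kernel code lives at or
# above this address, so an "original" address below it is worth a second look.
KERNEL_BASE = 0x80000000


def classify(function):
    """Coarse class of the hooked syscall (my own grouping, not from the report)."""
    if function.startswith("NtGdi"):
        return "gdi"
    if function.startswith("NtUser"):
        return "window/input"
    if "Key" in function:
        return "registry"
    if "Port" in function:
        return "lpc"
    if any(k in function for k in ("Process", "Thread", "VirtualMemory", "Section", "Apc")):
        return "process/thread/memory"
    return "other"


def parse_report(text):
    """Return one dict per well-formed entry; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "module": m["module"],
            "function": m["function"],
            "type": m["type"],
            "orig": int(m["orig"], 16),
            "hook": int(m["hook"], 16),
            "driver": m["driver"],
            "class": classify(m["function"]),
        })
    return entries


def summarize(entries):
    """Count hooked syscalls per owning driver, broken down by class."""
    by_driver = defaultdict(lambda: defaultdict(int))
    for e in entries:
        by_driver[e["driver"]][e["class"]] += 1
    return {driver: dict(counts) for driver, counts in by_driver.items()}


def hook_span(entries, driver):
    """(lowest, highest) hook target for one driver; a span far larger than a
    driver image would suggest the report misattributes some hooks."""
    addrs = [e["hook"] for e in entries if e["driver"] == driver]
    return (min(addrs), max(addrs)) if addrs else None


def non_kernel_originals(entries):
    """Entries whose pre-hook address is below the assumed kernel boundary."""
    return [e["function"] for e in entries if e["orig"] < KERNEL_BASE]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for driver, counts in summarize(parsed).items():
        lo, hi = hook_span(parsed, driver)
        print(f"{driver}: {counts}  targets 0x{lo:08X}-0x{hi:08X}")
    print("non-kernel originals:", non_kernel_originals(parsed))
```

Run against the full listing above, the per-class counts show that the driver mediates process/thread control, registry, LPC and window/input syscalls alongside the handle and GDI ones, which is the coverage a self-defense component needs; a gap in that coverage, such as a syscall class with no hook at all, is where the thread's later posts focus.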
 #15915  by kmd
 Mon Oct 08, 2012 6:37 am
ty

My guess was about how they are really handled. As you see, KAV didn't handle such a trivial and old method, which means there is no penetration testing at all (except marketing BS tests); maybe some of the handlers are vulnerable too, for example to RC bugs.
 #16354  by 0x16/7ton
 Wed Oct 31, 2012 10:36 pm
I found another weakness in its security.
The standard path to Kaspersky looks like this:
\\??\\C:\%PROGRAMFILES%\\Kaspersky Lab\\Kaspersky Anti-Virus 2013\\avp.exe
And here is the security flaw: green is the protected directory, red is not protected.
How to use it?
I quickly wrote a PoC, using a technique like the one in the ZeroAccess dropper:
- Opening a stream in the directory (for example Kaspersky Lab:SummaryInformation)
- Setting a random reparse point with the open stream handle
Conclusion:
After reboot, no GUI, no services, no access to its directory.

Link to video working PoC:
http://www.sendspace.com/file/qsa1qg
 #16357  by EP_X0FF
 Thu Nov 01, 2012 2:53 am
To summarise - four vulnerabilities in the 2013 version's self-defense which result in product shutdown/deactivation:

- Job object method
- ShimEngine based attack
- PageFile based attack
- ReparsePoint based attack