A forum for reverse engineering, OS internals and malware analysis 

 #19601  by listito
 Tue Jun 11, 2013 7:39 am
just found out the answer of my own question, in case anyone gets interested:

"On Vista, if your .exe already has an embedded manifest, the external manifest will be ignored and the embedded manifest is used. (This is the opposite of the XP case: on XP, the external manifest is used in this case.)"

http://social.msdn.microsoft.com/Forums ... 49f33fa944
 #19602  by 0x16/7ton
 Tue Jun 11, 2013 9:21 am
We can use ".config" instead of ".manifest" extension for example.
 #19720  by listito
 Sat Jun 22, 2013 5:53 am
Finally I've made it work with Avira using a trick.

But I don't understand how Avira protects itself from the trick (it was returning STATUS_DENIED). I've restored the SSDT and Shadow SSDT; I've seen 3 notify callbacks for create-process, create-thread and load-image; nothing hooked in the NTFS major function handlers or anything like that; no hooks from ring 3 or ring 0 into NtCreatePagingFile or the IoCreateFile kernel object. I tried to restore all hooks, but nothing I tried was working. Then I came up with an interesting idea and it worked.

Can someone please help me understand how it protects itself from the trick?
 #19721  by EP_X0FF
 Sat Jun 22, 2013 6:41 am
listito wrote: Can someone please help me understand how it protects itself from the trick?
1. Why do you need this?
2. Why do you think it is all hooks, hooks, hooks?

The above method was a proof of concept, not a ready-to-use trojan technique (well, it is already implemented in one trojan).
 #19737  by listito
 Sun Jun 23, 2013 7:12 am
Hey EP_X0FF

No, I don't think protection mechanisms are effective only through hooking; I'm just very curious to know how they made it. And yes, it can be useful in malicious code, but that's not my case, I hate malware stuff.
 #19745  by EP_X0FF
 Sun Jun 23, 2013 12:30 pm
Take DevTree/WinDbg and look at the driver stack. If there are no hooks, then it is an FSD filter; there is no magic.
 #19746  by 0x16/7ton
 Sun Jun 23, 2013 12:58 pm
listito wrote: Finally I've made it work with Avira using a trick.
Where is the PoC, information, etc.?
listito wrote: But I don't understand how Avira protects itself from the trick.
It is very obvious protection, working via a minifilter driver (thus Avira support starts from XP SP3).
For the real-time protection, look at FLT_REGISTRATION->FLT_OPERATION_REGISTRATION->PFLT_PRE_OPERATION_CALLBACK
http://msdn.microsoft.com/en-us/library ... 85%29.aspx
http://msdn.microsoft.com/en-us/library ... 85%29.aspx
So inside the callback handler there is a simple path checker; here is the "protected" path string format:
\Device\HarddiskVolume1\Program Files\Avira\AntiVir Desktop\";R:w"
\Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\CONFIG\";R:w"
\Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\JOBS\";R:w"
\Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\EVENTDB\";R:w"
\Device\HarddiskVolume1\WINDOWS\system32\drivers\avipbb.sys";R:w"
\Device\HarddiskVolume1\WINDOWS\system32\drivers\avgntflt.sys";R:w"
\Device\HarddiskVolume1\WINDOWS\system32\drivers\avkmgr.sys";R:w
Also, the check is skipped if PsGetCurrentProcessId < 8 [System process].
listito wrote: but that's not my case, I hate malware stuff
:o :o :o
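To make the "simple path checker" above concrete, here is an added user-mode model in C. It is not Avira's code and not from any poster in this thread: it parses the quoted protected-path strings (the last one lacks its closing quote, exactly as on the page), matches an NT device path against them the way a minifilter pre-operation callback could (directory entries ending in a backslash cover everything beneath them, file entries must match exactly, comparison is case-insensitive as Windows object-manager paths are), and exempts PIDs below 8 as the post describes. The thread does not explain the ";R:w" tag; this model assumes it means "reads allowed, writes protected" and therefore only blocks write-type operations, which is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SYSTEM_PID_LIMIT 8   /* from the post: check skipped if PsGetCurrentProcessId < 8 */
#define MAX_PATH_LEN 260

/* Protected-path strings exactly as quoted in the thread (the last one has no
 * closing quote on the page either). The volume number is whatever the poster saw. */
static const char *const raw_entries[] = {
    "\\Device\\HarddiskVolume1\\Program Files\\Avira\\AntiVir Desktop\\\";R:w\"",
    "\\Device\\HarddiskVolume1\\Documents and Settings\\All Users\\Application Data\\Avira\\AntiVir Desktop\\CONFIG\\\";R:w\"",
    "\\Device\\HarddiskVolume1\\Documents and Settings\\All Users\\Application Data\\Avira\\AntiVir Desktop\\JOBS\\\";R:w\"",
    "\\Device\\HarddiskVolume1\\Documents and Settings\\All Users\\Application Data\\Avira\\AntiVir Desktop\\EVENTDB\\\";R:w\"",
    "\\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\avipbb.sys\";R:w\"",
    "\\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\avgntflt.sys\";R:w\"",
    "\\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\avkmgr.sys\";R:w",
};
#define NUM_ENTRIES (sizeof raw_entries / sizeof raw_entries[0])

/* Split one raw line into the NT path (everything before the first '"') and the
 * tag (quotes and leading ';' stripped). Tolerates a missing closing quote.
 * Returns 0 on success, -1 if the line is malformed or a buffer is too small. */
int parse_entry(const char *raw, char *path, size_t pathcap, char *tag, size_t tagcap) {
    const char *q = strchr(raw, '"');
    if (q == NULL || q == raw) return -1;
    size_t plen = (size_t)(q - raw);
    if (plen >= pathcap) return -1;
    memcpy(path, raw, plen);
    path[plen] = '\0';

    q++;                              /* skip the opening quote */
    while (*q == ';') q++;            /* ";R:w" -> "R:w" */
    size_t tlen = strcspn(q, "\"");  /* stop at the closing quote, or end of string */
    if (tlen >= tagcap) return -1;
    memcpy(tag, q, tlen);
    tag[tlen] = '\0';
    return 0;
}

/* Convenience for checks: does entry i carry the given tag? */
int entry_has_tag(size_t i, const char *expected) {
    char path[MAX_PATH_LEN], tag[16];
    if (i >= NUM_ENTRIES) return 0;
    if (parse_entry(raw_entries[i], path, sizeof path, tag, sizeof tag) != 0) return 0;
    return strcmp(tag, expected) == 0;
}

/* Compare n bytes case-insensitively; Windows object-manager paths are case-insensitive. */
static int ncasecmp(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]), cb = tolower((unsigned char)b[i]);
        if (ca != cb) return ca - cb;
        if (ca == '\0') break;
    }
    return 0;
}

/* Index of the entry covering target, or -1. A directory entry (trailing '\')
 * covers every object beneath it; a file entry must match the whole path. */
int find_protected_entry(const char *target) {
    char path[MAX_PATH_LEN], tag[16];
    size_t tlen = strlen(target);
    for (size_t i = 0; i < NUM_ENTRIES; i++) {
        if (parse_entry(raw_entries[i], path, sizeof path, tag, sizeof tag) != 0) continue;
        size_t plen = strlen(path);
        int is_dir = path[plen - 1] == '\\';
        int len_ok = is_dir ? (tlen >= plen) : (tlen == plen);
        if (len_ok && ncasecmp(target, path, plen) == 0) return (int)i;
    }
    return -1;
}

/* Model of the pre-operation decision: 1 = fail the I/O (caller sees access denied),
 * 0 = pass it down the stack. ASSUMPTION (not stated in the thread): the ";R:w" tag
 * means reads allowed, writes protected, so only write-type operations are blocked. */
int should_deny(const char *target, unsigned long pid, int is_write) {
    if (pid < SYSTEM_PID_LIMIT) return 0;   /* System process exempt, per the post */
    if (!is_write) return 0;
    return find_protected_entry(target) >= 0;
}

int main(void) {
    const char *t = "\\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\avipbb.sys";
    printf("pid 1234 write -> %s\n", should_deny(t, 1234, 1) ? "DENY" : "allow");
    printf("pid 4    write -> %s\n", should_deny(t, 4, 1) ? "DENY" : "allow");
    printf("pid 1234 read  -> %s\n", should_deny(t, 1234, 0) ? "DENY" : "allow");
    return 0;
}
```

The exemption for low PIDs is the interesting part for a reviewer: it is a trust decision keyed on a process ID rather than on who is actually issuing the I/O, which is why a thread points out in the next post that removing the filter driver itself, rather than bypassing its check, is what defeated it.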
 #19748  by listito
 Sun Jun 23, 2013 1:48 pm
Hey thanks again guys,

0x16, the trick is simple: just unload avipbb.sys from memory, and then call NtCreatePagingFile, which then returns 0 gracefully.

:twisted:
 #27103  by kaue
 Thu Oct 29, 2015 4:49 pm
Does this still work?
The link is dead :x