187 build added NtDuplicateObject hook in SSDT :) Good, let see what they can do with next release =)
Ring0 - the source of inspiration
A forum for reverse engineering, OS internals and malware analysis
Next release?
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
Sure :) Or somebody really think that hooking SSDT is really good protection?
Ring0 - the source of inspiration
EP_X0FF wrote:Sure :) Or somebody really think that hooking SSDT is really good protection?Oh, I thought you meant next release of Prevx (which confused me). Well, I'll look forward to testing your "next release".
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
Done, Prevx 187 successfully terminated with all it's hooks from pure user mode :) I will publish proof video today and killer soon (don't want to trash rootkit com blogs with this series too faster :)).
Ring0 - the source of inspiration
EP_X0FF wrote:Done, Prevx 187 successfully terminated with all it's hooks from pure user mode :) I will publish proof video today and killer soon (don't want to trash rootkit com blogs with this series too faster :)).Wow, that was fast haha. Faster than the time it took Prevx to patch their protection. I suppose once Prevx is terminated on a system, it can offer no protection whatsoever to the user. Can I ask, how come you're only targeting Prevx? Are other security products not also vulnerable to your method(s)? Thanks.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
Any AV product without HIPS component is vulnerable and has weak self-protection.
Prevx is just have a worst self-protection I've seen for all AV products I tried.
Definitely this help them to improve. Some sort of motivation. However everything I used before and in next release - well known since ages.
It is very strange Prevx self-protection authors don't know these methods. Must be they still testing programs with APT which is total trash.
Attached swf video demo of 187 build kill.
Prevx is just have a worst self-protection I've seen for all AV products I tried.
Definitely this help them to improve. Some sort of motivation. However everything I used before and in next release - well known since ages.
It is very strange Prevx self-protection authors don't know these methods. Must be they still testing programs with APT which is total trash.
Attached swf video demo of 187 build kill.
Attachments
(668.1 KiB) Downloaded 54 times
Ring0 - the source of inspiration
I can barely see anything in the video, but thanks anyway. I'll wait for the actual file to be released.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
This swf file must be played okay, at least MediaPlayerClassic plays it good.
I just finished second bypass of Prevx3 self-protection, so I've two ready to use different versions of UnPrevx.
I just finished second bypass of Prevx3 self-protection, so I've two ready to use different versions of UnPrevx.
Ring0 - the source of inspiration
Updated UnPrevx successfully terminating Prevx3 executables (build 187 from 05 August 2010) from pure user mode.
pass: i_can_hook_O_o_i_can_hook
pass: i_can_hook_O_o_i_can_hook
Attachments
(12.19 KiB) Downloaded 57 times
Ring0 - the source of inspiration
