A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #11856  by EP_X0FF
 Tue Feb 28, 2012 1:43 am
Hello,

I approve the topic starter's PoC. It indeed terminates Kaspersky 2012 from user mode. All instances terminate without any warnings (default out-of-the-box configuration). This is not a GUI-based attack. It uses a generic flaw in Kaspersky self-protection. Additionally, slightly modified, this code can totally block Kaspersky from loading. Tested on Windows XP SP3 with Kaspersky v12.0.0.374.

Plus some debug messages from the Kaspersky service:
Version = 2.0.0.783
Unable to create DevObj for KLCR. err = c0000035
 #11868  by vaber
 Tue Feb 28, 2012 11:49 am
EP_X0FF wrote: I approve the topic starter's PoC. It indeed terminates Kaspersky 2012 from user mode. All instances terminate without any warnings (default out-of-the-box configuration). This is not a GUI-based attack. It uses a generic flaw in Kaspersky self-protection. Additionally, slightly modified, this code can totally block Kaspersky from loading. Tested on Windows XP SP3 with Kaspersky v12.0.0.374.
Could it really be PG here too? ;) (is it the PG case again?)
 #11869  by EP_X0FF
 Tue Feb 28, 2012 2:00 pm
You should ask the author; I only used his idea and slightly extended it. From my point of view this method is surprisingly simple, and I expected exploitation of something more complicated, to be honest.