View Single Post
Old 14-09-2007, 13:53   #194
nV 25
L'Avatar di nV 25
Iscritto dal: Jan 2003
Cittā: Lucca
Messaggi: 9119

Tra le tante cose di questo bug-case, segnalo questo passo:
Kaspersky Antivirus Self-Defense

As most of you knows, Kaspersky Antivirus activelly defend itself against malware attacks. Its processes are protected from unauthorized access and termination by malware. But how good they are protected?


Kaspersky Antivirus set up several hooks in SSDT (e.g. NtOpenProcess, NtOpenThread, NtTerminateProcess etc), several hooks in Shadow SSDT (e.g. NtUserFindWindowEx, NtUserBuildHwndList etc) additionally to protect itself from malware attacks.

Additionally it set ups itself as service with restart on errors settings. Service configuration in registry protected from access by several hooks in the SSDT. So how we can kill this AV? And do we need to kill it? If we will kill avp.exe GUI part then it will be restarted by service. If we kill service, then it will be restarted by SCM. So, how we can destroy this antivirus (in educational purposes, of course)? That's a good question.
The answer is very simple.
We should leave it alive, but make it totally unworkable. One thing that we need - load driver, after it we will be completely out of Kaspersky Antivirus interests. But previous we have to lock it, to give us this ability, yeah? Not exactly. There are exists at least three methods which can do the silent driver loading without any notice from Kaspersky Proactive Defense 7.0 I'm sure that exists and some other methods. In our case we must suspend all threads of Kaspersky processes, simple suspend, nothing more, that will be enough. We can't access threads of the Kaspersky processes directly, because SSDT is owned by PDM. So it is time to use our loved backdoor process called csrss.exe..."

Con un *HIPS serio* non si sospende proprio nulla e si ripassa dal via, agili agili...

Ultima modifica di nV 25 : 14-09-2007 alle 13:59.
nV 25 č offline   Rispondi citando il messaggio o parte di esso