CreateRemoteThread() fails on protected AV process c++???

Hi,
I made a code cave injector that injects into a normal process and it worked (LOL!) but that failed on AvastUI.exe??? :(
Please help!
My program is running as administrator and I have SE_DEBUG_PRIVILEGE enabled.
Please help!
Thank you everyone in advance!!!
closed account (13bSLyTq)
Hi,

The reason CreateRemoteThread() fails is that AV processes protect themselves from malware. Anti-viruses detour:

- ZwOpenProcess
- ZwAllocateVirtualMemory
- ZwWriteVirtualMemory
- ZwCreateThreadEx
- ZwCreateThread
- ZwTerminateProcess
- ZwSuspendProcess
- NtQueueApcThread
- NtQueueApcThreadEx

- NtMapViewOfSection
- NtUnmapViewOfSection
- NtOpenSection

Many More!


These detours don't take place in Userland (Ring3 Mode) but in Windows NT Kernel Space. This means that you cannot unhook the detours, as they lie in Kernel Land.

Next, Avast! also uses:

- CmRegisterCallback
- PsSetCreateProcessNotifyRoutine
- ObRegisterCallbacks

These ensure Avast! is protected from the majority of external threats that want to exploit the Anti-Virus.

The only real way to exploit AV solutions is to find a memory corruption bug such as a Buffer Overflow or Buffer Underflow and exploit that barrier in order to execute your code. In AVs especially these bugs are patched and are barely available unless you know the internals of Avast!, which not many do, as they are confidential matters.

There is not a chance of exploiting higher-tier AV software (like Avast! or Kaspersky).
So my only worry is: will VIRUSES protect themselves like that?
I want to know how to 'fight' against those viruses! LOL!
Thank you for the fast reply!
So how can I kill viruses that do this?
And moreover, I know Process Hacker kills Avast!
I checked its source, but I didn't get a reliable idea...
Thank you everyone in advance!!!
closed account (13bSLyTq)
Hi,

You can beforehand install a Kernel Mode driver blocking InterlockedExchange and other modes of hooking, and next slowly cut out its heartbeats such as network capabilities, and then blacklist it and such.

Not using R0 is a major mistake.
Sorry for the late reply -LOL-!
If I could inject into CSRSS.exe/Winlogon.exe/lsass.exe -> I could kill Avast, right? (Just a guess LOL!)
Plz help...:/
closed account (13bSLyTq)
Hi,

These are critical processes, and even if you did inject into them you cannot kill them, keeping in mind many trojan authors would have tried this previously. Besides, CSRSS.exe cannot do that; only shutdown can trigger that, and there is NO way to do that to a single process without touching down into kernel programming.

Let me tell you how my Usermode (Ring3) AV works:

- It grabs a handle to all processes via the csrss.exe process with a single call to ZwOpenProcess

- Suspends and hooks the process

- Limits access to:
ZwProtectVirtualMemory, ZwOpenProcess, ZwTerminateProcess, ZwSuspendProcess, ZwDuplicateObject, ZwAllocateVirtualMemory, ZwWriteVirtualMemory, ZwCreateThread, ZwQueueApcThread, ZwQueueApcThreadEx, ZwMapViewOfSection, ZwUnmapViewOfSection, ZwOpenSection, ZwDeleteFile, NtCreateKey, NtOpenKey, NtSetValueKey, ZwWriteFile, ZwOpenFile, ZwCreateFile via KiFastSystemCall & X86SwitchTo64BitMode and LSP functions

- Blocks handles by hardcoding csrss.exe, winlogon.exe, lsass.exe and explorer.exe; this means they cannot disturb our important processes.

- Then I create a series of alarm-based hooks so each time a suspicious function is called it uses IPC to contact the AV process with a specified string, which my AV scanner interprets and stores in a singly linked list with data like so:


1. Injections tried
2. Internet Connections
3. Digital Signature
4. Any attempt of Registry changes
5. UI or non-UI ...........................................<- Important
6. Files created
7. Any Anti-Dumping methods
8. Suspicious functions used


So with these I can detect most malware fairly easily, as injection is a fairly good sign of a malware infection, and more so if it uses Internet connections with websites or IRC channels. To verify our doubts I check its Digital Signature using the Windows Cryptography API.

If it does not have one, there is more or less a 70% chance of it being malware; then it checks if it has done or tried to do any Registry-based activity, especially to the RUN key.

But even Anti-Virus software performs this, so to confirm our doubts we see if the process has a UI or not; most of the time if they don't, the AV sends a message through IPC to tell the thread agents to self-destruct, aka kill it.

Then we suspend ALL* processes to avoid any persistence modules from acting, then we write garbage to the file and fill it with 0x90 (NOPs) so the EXE has no chance, is most likely messed up, will never be restored and never return. Then we call NtDeleteKey so that in case of a problem the registry will not try to start a garbage file; then we delete the file as well.

This is how I programmed my AV; you should get a good idea of how it works and how to incorporate heuristics into your AV.

Hope I helped.
Thank you very much for the reply, and GREAT explanation LOL!!! :D
BTW, can you give me a good assembly tutorial?
I couldn't get a reliable one on the internet, and if I did, sorry to say, I didn't understand :(
GL
closed account (13bSLyTq)
Hi,

If you do not understand YouTube videos or such I suggest you read:

http://efytimes.com/e1/fullnews.asp?edid=117964

15 Free Assembly Ebooks
Hi,
A long time back you gave me a function to hook NtTerminateProcess, right?
Well, now I understand what it did!
Will this callback be correct:
//
// This is the callback for OpenProcess
//
HANDLE Callback(DWORD daccess, BOOL tf, DWORD pid)
{
    if(pid == GetCurrentProcessId())
    {
        return false;
    }
    else
    {
        // Call original function and do stuff...
        // (no value is returned on this path)
    }
}

GL! LOL!
closed account (13bSLyTq)
Hi,

The callback is for NtTerminateProcess and not for OpenProcess, therefore it is fair to say the callback should have the parameters of NtTerminateProcess. That being said, it is extremely important you copy exactly the same parameters of NtTerminateProcess in terms of data types.

The callback would not work, as the callback looks like OpenProcess and NOT like NtTerminateProcess. Furthermore, unless you are planning on making this hook local, which I see no point in from a security perspective, GetCurrentProcessId() will never work but will crash the process it is injected into, as VS uses call gates instead of direct CALLs into the address of the function.

Then the code snippet:

return false;

would not be the correct way to inform the user that the termination attempt failed; you must return STATUS_ACCESS_DENIED rather than false. If the function really failed you would expect it to give a suitable error value, not 1 or 0, so all you are doing is wasting the developer's time and making them annoyed, or even making them remove your AV.

There is a lot of work to be done here, as the callback mechanism is all wrong, and the entire indentation is wrong, as you could have just done:

if(pid==GetCurrentProcessId()) return false;

Next, you need to get used to using assembly routines rather than large C/C++ code here, especially when handling system calls. The reason it is easier to use assembly is that you need to assign values to the callback, and to return you need to patch in the return address.

When handling callbacks you need to be 100% sure that you don't use any functions, as the entire address space changes and trying to access functions from 3rd-party processes will lead to a process collapse due to an Access Violation.
I also suggest you delete the thread on Rohitab about terminating AV processes, as it is making me think you are a blackhat, and if I see threads like that which are influencing black hats, I am sorry to say I cannot help.

GL
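A version of the callback that follows the two points in the reply above (the exact NtTerminateProcess parameter types, and an NTSTATUS return instead of false), added here as an example; it is not code from either poster. The Windows types are redeclared locally so it compiles anywhere; the handle-to-PID resolver and the trampoline to the original stub are assumptions supplied by whoever installs the hook, and the Fake* functions are constructed stand-ins for testing.

```c
/* Added example, not the thread's own code: a hook callback that keeps the real
 * NtTerminateProcess prototype and fails with an NTSTATUS. Types are declared
 * locally so this builds outside Windows; resolving a handle to a PID and the
 * trampoline to the original stub are assumptions passed in by the installer. */
#include <stdint.h>
#include <stddef.h>

typedef int32_t NTSTATUS;
typedef void   *HANDLE;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022)      /* documented NTSTATUS value */
#define NT_CURRENT_PROCESS    ((HANDLE)(intptr_t)-1)      /* pseudo-handle for "myself" */

/* Exact prototype of the stub being hooked: (HANDLE, NTSTATUS) -> NTSTATUS. */
typedef NTSTATUS (*NtTerminateProcess_t)(HANDLE ProcessHandle, NTSTATUS ExitStatus);

static NtTerminateProcess_t g_original;        /* trampoline to the original stub */
static uint32_t (*g_resolve_pid)(HANDLE);      /* handle -> PID, supplied by the installer */
static uint32_t g_protected_pid;               /* the AV process we refuse to terminate */

void InstallTerminateGuard(uint32_t protected_pid,
                           uint32_t (*resolve_pid)(HANDLE),
                           NtTerminateProcess_t original)
{
    g_protected_pid = protected_pid;
    g_resolve_pid   = resolve_pid;
    g_original      = original;
}

/* Same parameters and return type as the syscall, and an NTSTATUS the caller
 * can interpret instead of a bare 'false'. */
NTSTATUS HookedNtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus)
{
    /* NULL and the pseudo-handle always mean the calling process itself,
     * which in a global (remote) hook is never the protected process. */
    if (ProcessHandle != NULL && ProcessHandle != NT_CURRENT_PROCESS &&
        g_resolve_pid(ProcessHandle) == g_protected_pid)
        return STATUS_ACCESS_DENIED;
    return g_original(ProcessHandle, ExitStatus);   /* let everything else through */
}

/* Constructed stand-ins so the guard can be exercised without a real syscall:
 * handle 0x10 "refers to" PID 4242, every other handle to PID 1000. */
static uint32_t g_original_calls;
NTSTATUS FakeOriginal(HANDLE h, NTSTATUS s) { (void)h; (void)s; g_original_calls++; return STATUS_SUCCESS; }
uint32_t FakeResolve(HANDLE h) { return h == (HANDLE)(intptr_t)0x10 ? 4242u : 1000u; }
uint32_t OriginalCallCount(void) { return g_original_calls; }
```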
@OrionMaster: Now I want to know about heuristic file scanning,
NOT heuristic realtime scanning, LOL!
closed account (13bSLyTq)
Hi,

That would mean you need to learn the PE file format, resource editing and viewing, and file algorithms.
I think you need to slow down; you are still not up to that level yet.
Okay,
back to API hooking...
#include <windows.h>

// Overwrite the first bytes of lpTargetAddress with "JMP lpCallbackAddress" (32-bit build)
DWORD NtHookInstall(LPVOID lpTargetAddress, LPVOID lpCallbackAddress)
{
    if(lpTargetAddress == 0 || lpCallbackAddress == 0) return 0; // Misc. check

    DWORD dwOldProtection = 0;
    if(VirtualProtect(lpTargetAddress, 7, PAGE_EXECUTE_READWRITE, &dwOldProtection) == 0)
        return 0;

    *(BYTE*)(lpTargetAddress) = 0xE9; // Opcode for JMP rel32
    // Displacement is relative to the end of the 5-byte JMP instruction
    *(long*)((LPBYTE)lpTargetAddress + 1) = ((DWORD)lpCallbackAddress - ((DWORD)lpTargetAddress + 5));

    VirtualProtect(lpTargetAddress, 7, dwOldProtection, &dwOldProtection); // reinstate original protection
    FlushInstructionCache(GetCurrentProcess(), lpTargetAddress, 5);       // make the patched bytes visible to the CPU
    return 1; // SUCCESS
}

The above code is for hooking the one you gave me.
It replaces 29h with jmp Callback.
Now I can use this for my own process and prevent it being killed.
How will I unhook?
^^Read the above, please.
Now, since Avast prevents me, how do I make a driver to kill Avast?
And how do I make the driver communicate with my userland process?
closed account (13bSLyTq)
Hi,

The code is for local hooking, but you need to change it into a global hook; unlike a local hook, you need to turn the main aspects of this into machine code, then inject it and redirect it to an injected callback.

As for unhooking (locally) check CodeEmpire (My Blog):

http://adf.ly/bfCSS

But if you mean globally, you will never need to, because you need your hooks to stay.
I want to know how you all know that NOP is 0x90, JMP is 0xE9 and so on.
Can you give me a table for assembly keyword to hex translation?
closed account (13bSLyTq)
Hi,

There is no such dictionary or table of that kind, but I know these because I am used to programming using shellcode and such.

Finding the meaning is pretty straightforward: convert and view the bytes using type-casting. It's pretty easy.
@WindowsProgrammer777 http://ref.x86asm.net/coder32.html
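An added example, not from the thread or the linked blog, that covers both the unhooking question and the opcode question above: it builds the same E9 rel32 patch as the NtHookInstall routine posted earlier into a constructed byte buffer, saves the original bytes so they can be put back, and decodes a patch to its destination. The virtual addresses are made-up 32-bit values, and there is no VirtualProtect because it works on an ordinary array rather than a live code page.

```c
/* Added example, not the thread's own code: the byte-level half of NtHookInstall,
 * kept portable so the displacement arithmetic can be checked anywhere. Only the
 * 5-byte "E9 rel32" patch is modelled; the target page is a constructed buffer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define JMP_REL32_OPCODE 0xE9u   /* x86 "JMP rel32", as listed on ref.x86asm.net */
#define PATCH_LEN        5u      /* opcode + 32-bit displacement */

/* The displacement is relative to the *next* instruction, i.e. target + 5,
 * which is exactly what the thread's code computes. Wraps modulo 2^32. */
static uint32_t jmp_rel32(uint32_t target_va, uint32_t callback_va)
{
    return callback_va - (target_va + PATCH_LEN);
}

/* Install: save the bytes we overwrite, then write E9 + little-endian rel32. */
int hook_install(uint8_t *code, uint32_t target_va, uint32_t callback_va, uint8_t saved[PATCH_LEN])
{
    if (code == NULL || saved == NULL) return 0;
    memcpy(saved, code, PATCH_LEN);                  /* kept for unhooking */
    uint32_t rel = jmp_rel32(target_va, callback_va);
    code[0] = (uint8_t)JMP_REL32_OPCODE;
    for (int i = 0; i < 4; i++) code[1 + i] = (uint8_t)(rel >> (8 * i));
    return 1;
}

/* Unhook: put the saved prologue back; refuses if no JMP is present. */
int hook_remove(uint8_t *code, const uint8_t saved[PATCH_LEN])
{
    if (code == NULL || saved == NULL || code[0] != JMP_REL32_OPCODE) return 0;
    memcpy(code, saved, PATCH_LEN);
    return 1;
}

/* Decode a patched prologue back to its absolute destination (0 if not a JMP);
 * useful for verifying your own patch or noticing someone else's on your stubs. */
uint32_t jmp_destination(const uint8_t *code, uint32_t target_va)
{
    if (code == NULL || code[0] != JMP_REL32_OPCODE) return 0;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++) rel |= (uint32_t)code[1 + i] << (8 * i);
    return target_va + PATCH_LEN + rel;
}
```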
@Null: Thank you very much...!