Vault7: CIA Hacking Tools Revealed
Navigation: » Directory » AED Development Tradecraft » AED Development Tradecraft Home » Specific Tradecraft Techniques » Detecting and Bypassing Personal Security Products (PSPs)
Owner: User #71473
PSPs vs. DLL Injection
SECRET//NOFORN
PSPs have various levels of protections against injecting code into common processes. Most PSPs appear to have a decent level of protection against their own running processes, and some protect various windows processes as well. Here's what we have observed to date:
-
Kaspersky:
- When running as SYSTEM, Kaspersky protects several Windows system processes that are ordinarily accessible: wininit.exe, csrss.exe and lsass.exe are all locked down. Kaspersky does not appear to protect svchost.exe processes. Additional research is needed to nail down exactly which processes are open for manipulation, but most SYSTEM process that can cause an immediate bluescreen are protected.
- Kaspersky does not appear to protect user processes at all. Explorer and dwm are both open for injection. The Kaspersky sandbox, however, does appear to flag the injection of some types of payloads, so a KAV sandbox defeat prior to injection is recommended.
- AVG: AVG appears to protect explorer.exe. It may also detect injection as malicious activity via the sandbox, so a sandbox defeat prior to injection is recommended. We were able to successfully defeat the AVG sandbox with a large (100MB) malloc followed by a memset and free.
- Bitdefender: Bitdefender appears to protect explorer.exe.
- Rising: Flags injection into explorer.exe
For those processes that block injection into explorer.exe, we have had varying levels of success doing the following:
- Create a non-suspended process with a hidden window then inject into the process. Some PSPs will flag this. Others flag the hidden window. (low success)
- Create a suspended process with notepad.exe, cmd.exe or some other common binary, then inject into the suspended process. Some PSPs still block the injection and thread creation (medium success)
- Create a suspended process using the PSPs own binaries. We specifically target the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall keys for the target PSPPersonal Security Product (Anti-Virus) and identified the uninstall binary from either the DisplayIcon or UninstallString values. This was successful against AVG, Bitdefender and Rising. (great success!)
SECRET//NOFORN
Previous versions:
| 1 SECRET |