Anti kaspersky emulator collection

snippet antis

52 replies to this topic

#21 LeFF

LeFF

    Advanced Member

  • Moderator
  • Reputation: 366
    Very Good
  • 363 posts
Contributor

Posted 25 January 2013 - 06:52 AM

Will that get rid of KAV tags on dll injection as well for example?

no it wouldn't... classical injection methods are caught by proactive defence (actually SSDT hooks in kernel mode by the klif.sys driver)... there are some injection methods that are undetected with KAV/KIS though...


  • Ravage likes this

#22 steve10120

steve10120

    Member

  • Notorious
  • Reputation: 28
    Fair
  • 30 posts
  • Locationic0de.org

Posted 25 January 2013 - 04:08 PM

no it wouldn't... classical injection methods are caught by proactive defence (actually SSDT hooks in kernel mode by the klif.sys driver)... there are some injection methods that are undetected with KAV/KIS though...

 

Indeed. Emulation and proactive defense are two completely different things. Something as simple as this will confuse some AV's.

 

Please Login or Register to see this Hidden Content


  • Ravage likes this

#23 Ravage

Ravage

    Expert

  • Administrators
  • Reputation: 606
    Excellent
  • 685 posts

Posted 25 January 2013 - 07:12 PM

no it wouldn't... classical injection methods are caught by proactive defence (actually SSDT hooks in kernel mode by the klif.sys driver)... there are some injection methods that are undetected with KAV/KIS though...

now I got a bit curious about what exactly non-classical injection methods are. Or do you mean public injection code is usually detected?



#24 LeFF

LeFF

    Advanced Member

  • Moderator
  • Reputation: 366
    Very Good
  • 363 posts
Contributor

Posted 25 January 2013 - 07:21 PM

now I got a bit curious about what exactly non-classical injection methods are. Or do you mean public injection code is usually detected?

just to make it clear, I'll be talking about KAV/KIS 2012 now, as I haven't yet tried 2013... in particular klif.sys hooks NtCreateThread, NtSetContextThread, NtAllocateVirtualMemory, NtWriteVirtualMemory so you won't be able to use CreateRemoteThread, SetThreadContext, VirtualAllocEx, WriteProcessMemory and so on... however one can still use NtMapViewOfSection for example...


  • Ravage likes this

#25 d3m

d3m

    Intermediate Member

  • Associate
  • Reputation: 106
    Very Good
  • 190 posts

Posted 26 January 2013 - 09:48 AM

steve10120

asm
RDTSC
MOV EBX, EAX
@Loop:
RDTSC
SUB EAX, EBX
JA @Loop
end;

RDTSC like a ~1 sec delay... ;) in a loop it generates some time delay to confuse emulators... seems a very old trick..

 

p.s. nowadays stopping the emulator is not the only problem... if the code analyser (after emulating) gets a fault at a strange non-sample place, the AV can send your code to its sandbox (AV automatic analysis system), and there it is no problem to wait out all your time delays etc... you need to find a trick to avoid its sandbox too... ;)

 

p.p.s. LeFF what about NtCreateSection?



#26 cob_258

cob_258

    Member

  • Associate
  • Reputation: 88
    Good
  • 59 posts
  • Location@DZ

Posted 26 January 2013 - 11:06 AM

playing with memory is not very stable bro...

I'm no longer using the loop; the actual code (as posted above) uses cmp (you can use VirtualFree after the VirtualAlloc to free the memory)

 


you need to find a trick to avoid its sandbox too... ;)

Please Login or Register to see this Hidden Content


 



#27 d3m

d3m

    Intermediate Member

  • Associate
  • Reputation: 106
    Very Good
  • 190 posts

Posted 26 January 2013 - 12:10 PM

cob_258 yes, done like that, with that complexity, it will give a good result...

anyway, to keep it UD for longer, every coder must find their own trick to avoid it =)



#28 steve10120

steve10120

    Member

  • Notorious
  • Reputation: 28
    Fair
  • 30 posts
  • Locationic0de.org

Posted 26 January 2013 - 03:17 PM

steve10120

RDTSC like a ~1 sec delay... ;) in a loop it generates some time delay to confuse emulators... seems a very old trick..

 

The loop can go on for half a second or 10 seconds. Regardless, it still confuses some AV's.



#29 cob_258

cob_258

    Member

  • Associate
  • Reputation: 88
    Good
  • 59 posts
  • Location@DZ

Posted 29 January 2013 - 09:08 PM

This is another code to detect kaspersky emulator (inspired from

Please Login or Register to see this Hidden Content

's topic :

Please Login or Register to see this Hidden Content

), I don't know if it's already known, I wanted to share it
tested with: pure 9, KIS 2013, HH scanner

 

Please Login or Register to see this Hidden Content

 

you can check this PoC (a downloader)

scans (look at kaspersky) :

Please Login or Register to see this Hidden Content

/

Please Login or Register to see this Hidden Content


ps: I've posted the same PoC for the first bug (old HH), and replaced the sploit with this one (of course)

Please Login or Register to see this Hidden Content


  • karcrack and d3m like this

#30 karcrack

karcrack

    Intermediate Member

  • Moderator
  • Reputation: 285
    Very Good
  • 268 posts

Posted 30 January 2013 - 12:39 PM

FPU is cool xD


I code for $$$

(PGP ID 0xCC050E77)

ASM, C, C++, VB6... skilled [malware] developer


#31 d3m

d3m

    Intermediate Member

  • Associate
  • Reputation: 106
    Very Good
  • 190 posts

Posted 30 January 2013 - 09:07 PM

cob_258

bro very nice trick.. no fucking APIs etc... pls tell more, where did you get the information about the FPU opcode results... or did you just look in the debugger to get the before and after EAX result?



#32 cob_258

cob_258

    Member

  • Associate
  • Reputation: 88
    Good
  • 59 posts
  • Location@DZ

Posted 31 January 2013 - 01:47 PM

can someone check these snippets? they work on my PC and in a VM, the second one has a strange behavior (read comments below)

detect kaspersky emulator

Please Login or Register to see this Hidden Content


the following code seems to detect VMware, tested in VMware® Workstation 8.0.4 build-744019 - winXP sp3

Please Login or Register to see this Hidden Content

-------------------------------------------------
 

cob_258

bro very nice trick.. no fucking APIs etc... pls tell more, where did you get the information about the FPU opcode results... or did you just look in the debugger to get the before and after EAX result?

 

after reading karcrack's code, I said: "I didn't know that the FPU and MMX are linked, does the kaspersky emulator know this?" (I really had no FPU knowledge, so thanks to karcrack)

the idea was taken from the following line, debugged with olly and tested with the POC

Please Login or Register to see this Hidden Content


  • ComeBack likes this

#33 d3m

d3m

    Intermediate Member

  • Associate
  • Reputation: 106
    Very Good
  • 190 posts

Posted 31 January 2013 - 09:56 PM

karcrack pls provide us with some information about the FPU opcodes... =)

#34 karcrack

karcrack

    Intermediate Member

  • Moderator
  • Reputation: 285
    Very Good
  • 268 posts

Posted 31 January 2013 - 10:14 PM

Please Login or Register to see this Hidden Content

 

:)


  • Ravage and cob_258 like this



#35 cob_258

cob_258

    Member

  • Associate
  • Reputation: 88
    Good
  • 59 posts
  • Location@DZ

Posted 05 February 2013 - 02:02 PM

Please Login or Register to see this Hidden Content

 

:)

I checked these values and I got this

D9EB   FLDLN2   MM7 -> B172 17F7 D1CF 79AC
D9E9   FLDLG2   MM7 -> 9A20 9A84 FBCF F799
D9EA   FLDL2E   MM7 -> B8AA 3B29 5C17 F0BC
D9EC   FLDL2T   MM7 -> D49A 784B CD1B 8AFE
D9ED   FLDPI    MM7 -> C90F DAA2 2168 C235
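The values in this table follow from how the x87 and MMX register files overlap: an MMn register is the 64-bit significand of physical FPU register Rn, and an FLD on an empty stack makes ST(0) = R7, so MM7 shows the mantissa of whatever FLDxx just loaded. The script below is an added example, not code from the thread: it recomputes each constant's 64-bit x87 significand (explicit integer bit, round-to-nearest-even) from the exact value and checks it against the posted MM7 images, which is how an emulator author or analyst would verify that an implementation reproduces real hardware. The pi digits are embedded as a constructed constant; the logarithms come from Python's decimal module.

```python
from decimal import Decimal, ROUND_HALF_EVEN, getcontext

getcontext().prec = 50  # ~166 bits, far more than the 64-bit significand needs

LN2 = Decimal(2).ln()
# pi to 39 decimals (constructed from its well-known expansion)
PI = Decimal("3.141592653589793238462643383279502884197")

# Rows of the posted table: mnemonic -> (exact value, MM7 image from the post)
FPU_CONSTANTS = {
    "FLDLN2": (LN2, 0xB17217F7D1CF79AC),
    "FLDLG2": (Decimal(2).log10(), 0x9A209A84FBCFF799),
    "FLDL2E": (1 / LN2, 0xB8AA3B295C17F0BC),
    "FLDL2T": (Decimal(10).ln() / LN2, 0xD49A784BCD1B8AFE),
    "FLDPI": (PI, 0xC90FDAA22168C235),
}


def x87_significand(x: Decimal) -> int:
    """64-bit significand of x in x87 80-bit extended format.

    The integer bit is explicit (unlike IEEE double), so the result lies in
    [2**63, 2**64). Rounding is nearest-even, the FPU's default mode.
    """
    if x <= 0:
        raise ValueError("positive values only")
    while x >= 2:          # normalise into [1, 2); the exponent itself
        x /= 2             # is not needed for the MMn alias
    while x < 1:
        x *= 2
    return int((x * (1 << 63)).to_integral_value(rounding=ROUND_HALF_EVEN))


def check_table() -> dict:
    """Recompute every row: mnemonic -> (computed, posted, matches).

    After FLDxx on an empty stack TOP becomes 7, so ST(0) is physical R7,
    whose 64 significand bits are exactly what a MOVQ from MM7 reads.
    """
    report = {}
    for mnemonic, (value, posted) in FPU_CONSTANTS.items():
        computed = x87_significand(value)
        report[mnemonic] = (computed, posted, computed == posted)
    return report


if __name__ == "__main__":
    for name, (computed, posted, ok) in check_table().items():
        verdict = "matches" if ok else "DIFFERS from"
        print(f"{name:7s} {computed:016X} {verdict} {posted:016X}")
```

An emulator that implements FLDxx by storing a C double, or that does not model the ST/MM aliasing, will not reproduce these bit patterns, which is exactly the discrepancy the posted check relies on.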



#36 karcrack

karcrack

    Intermediate Member

  • Moderator
  • Reputation: 285
    Very Good
  • 268 posts

Posted 05 February 2013 - 08:11 PM

I pasted the opcodes in reverse order haha

 

Thanks for pointing that out :P




#37 Simon-Benyo

Simon-Benyo

    Intermediate Member

  • Associate
  • Reputation: 131
    Very Good
  • 141 posts
  • LocationSyria - Aleppo
Contributor

Posted 06 February 2013 - 10:17 PM

so is there any working way to get register values when the application is being emulated??? ... thanks cob :)



#38 d3m

d3m

    Intermediate Member

  • Associate
  • Reputation: 106
    Very Good
  • 190 posts

Posted 07 February 2013 - 09:50 AM

so is there any working way to get register values when the application is being emulated???
the trick's purpose is to get the values on a real machine and then compare them... emulators can't emulate some of them


#39 cob_258

cob_258

    Member

  • Associate
  • Reputation: 88
    Good
  • 59 posts
  • Location@DZ

Posted 07 February 2013 - 04:36 PM

I don't know a direct method to get values from the virtual machine; my method is to put a check before the malware code, like in the PoC there's a check for some values, then it executes a downloader code that's detected only by the emulator (using GetProcAddress)

example :

Please Login or Register to see this Hidden Content



#40 ComeBack

ComeBack

    Intermediate Member

  • Associate
  • Reputation: 67
    Good
  • 103 posts
Contributor

Posted 14 February 2013 - 06:41 PM

Anyway, I've noticed that on different W$ versions the registers that are saved differ. By convention (Intel ABI) ESI, EDI, EBX, EBP must be saved, the others may vary.

 

Yes that's right. Each Windows version has a different Windows loader. So on my XP SP3 loadup I have the address value 7C91E514 in my EDX register (linked to ntdll.fastsystemcall), and in fact the registers are different on each Windows version, so AVs have a big problem emulating simple things like that

 

Please Login or Register to see this Hidden Content

