27 replies to this topic

[cob_258]

Salam, and sorry for my bad english
This is a collection of anti kaspersky emualtor bugs, most of them are fixed on 2013 version
Depending on how you implement these codes, your program may be MORE detectable because of used API (you know how to hide APIs)

the 3 first sploits found by COB, the 4th is based on grzonu api replace (SuspendThread with ResumeThread)
codes by COB

1 - VirtualAlloc sploit (fixed on 2013 version)
if emualted, ECX register keep the same value after VirtualAlloc, in normal execution it changes
* note : works also against bitdefender, not tested with last one
Code :

Please Login or Register to see this Hidden Content

or

Please Login or Register to see this Hidden Content

2 - GetSystemTime sploit (fixed on 2013 version)
Tested on XP and 7, after calling GetSystemTime ecx has the value of the milliseconds, it's not the case if emulated
Code :

Please Login or Register to see this Hidden Content

3 - zFlag after exception (fixed on 2013 version)
Code :

Please Login or Register to see this Hidden Content

4 - Api replace (still working)
Idea based on grzonu API replace sploit (SuspendThread with ResumeThread), in this code I replace the ZwTerminateProcess code with "leave;leave;ret"
* Notes : The ExitProcess api doesn't save ESI,EDI and EBX values so you have to do It
Code :

Please Login or Register to see this Hidden Content

[NiTrOwow]

Really good thread. Thanks for posting this useful information Cob.

[cob_258]

You're welcome

[Game Over]

WoOoW i Hope It Work Thenx

[cob_258]

bugfix the last code

Please Login or Register to see this Hidden Content

the use following code only if you compile with MASM32

Please Login or Register to see this Hidden Content

if you use GetProcAddress to solve ZwTerminateProcess or you compile with multimateAssembler (olly plugin), use this

Please Login or Register to see this Hidden Content

[htwist]

Another trick was/is to call native API functions that use handles with the handle parameter being invalid, the return would be 0xC0000008 on a normal machine, but in the kaspersky emulator it wouldn't be.

 

Kaspersky emulator had/has trouble emulating error codes and such according to their paper (google "kaspersky dirtbox"), it's a few years old though.

[d3m]

Another trick was/is to call native API functions that use handles with the handle parameter being invalid, the return would be 0xC0000008 on a normal machine, but in the kaspersky emulator it wouldn't be.



Kaspersky emulator had/has trouble emulating error codes and such according to their paper (google "kaspersky dirtbox"), it's a few years old though.

about one year ago this trick was actual, now alone it's useless. but with some improvements of this trick, it can still work.  

[karcrack]

I'm curious on how do you find those emulation errors. How are you able to know what registers are modified by the emulator?

 

Anyway, I've noticed that on different W$ versions the registers that are saved differ. By convention (Intel ABI) ESI, EDI, EBX, EBP must be saved, the others may vary.

[d3m]

U must run api with same arguments under all ms versions and builds, checking modified registers and results

[d3m]

try to goole w32.leon

u will find some info about it there...

 

p.s. also in w32.atix was used sse2 opcode as antiemulation trick =)

[DeadlyVermilion]

Cough cough missed some SEH tricks.

[d3m]

Cough cough missed some SEH tricks

SEH tricks alone are still actually ?

[d3m]

DeadlyVermilion

 

AV's such as Kaspersky also have runtime emulation as I've found out. Pretty easy to bypass though, unknown API results + loop = win.

KAV have self sandbox (virtual environment) were he run files.unknown API results + loop still works?  

[hasan12345]

[cob_258]

I'm curious on how do you find those emulation errors. How are you able to know what registers are modified by the emulator?

I remember how I found the VirtualAlloc trick (I was lucky) :

I tried to lose time under emulator with a VirtualAlloc loop cauz Sleep seems not working, the code was like that

Please Login or Register to see this Hidden Content

Tested this with a downloader, the scan made by KAV was long but the loader is time limited (won't take years to detect a malwere) so It gived up before reaching the downloader code and report clean

 

In normal execution the download code is executed instantly, strange

I debugged the code under olly and figured out that ecx takes a value grater than 1000 after calling VirtualAlloc so the loop ends with only one call

 

And then it's easy to conclude that ecx is saved under KAV emulator

[karcrack]

I thought there was some sweet way of getting information out... kinda OutputDebugString() haha

 

A good way to track the registers will be using some semaphores (if they're are properly emulated xD) and loops... I will be researching on this topic

[d3m]

invoke VirtualAlloc,0,5000,MEM_COMMIT,40h

playing with memory not very stable bro...

 

loops alone can be not fully emulated (something like ecx will be emulated dynamicly without running all loop), u must count something into and then cmp result.. to avoid jmp from ur loop.

[htwist]

There's also more ways to take advantage of the 4th trick, some used publically and has been documented by AV people in analysis papers.

[steve10120]

Never had a problem with emulators, especially Kaspersky's. SEH, timelocks or general stack manipulation gets rid of 99% of them.

[Ravage]

Never had a problem with emulators, especially Kaspersky's. SEH, timelocks or general stack manipulation gets rid of 99% of them.

Will that get rid of KAV tags on dll injection as well for example? For example, a ring3 rootkit that need to inject into all running processes, etc.

Can this avoid KAV usual tags to the mentioned injections?

I'm not a detection expert. Reason why I am asking.