Attacking Antivirus Software's Kernel Driver

Slides:

Advertisements

Similar presentations

Fuzzing for logic and state issues

Advertisements

Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-

Format Scandisk Defragmentation Antivirus Compression Software

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

© 2005 Nevis Networks – Proprietary and Confidential Attacking Antivirus Feng Xue Syscan’08 HongKong.

How to maintain your computer

W INDOWS BLUE SCREEN OF DEATH AFTER CRASH DEBUGGING Alex Mclean Amy Valley Derek Visch.

ITE 1 Chapter 5. Chapter 5 is a Large Chapter It has a great deal of useful information about operating systems. You will find this VERY helpful when.

What Happens In Windows 8 Stays In Windows 8 Moti Joseph & Marion Marschalek Defcamp 2014.

Computer Security and Penetration Testing

Rensselaer Polytechnic Institute CSCI-4210 – Operating Systems CSCI-6140 – Computer Operating Systems David Goldschmidt, Ph.D.

Engineering Secure Software. Vulnerability of the Day  Each day, we will cover a different type of code-level vulnerability Usually a demo How to avoid,

Chapter 3 Software. Learning Objectives Upon successful completion of this chapter, you will be able to: Define the term software Describe the two primary.

SQL Server Crash Dump Analysis A brief tour with WinDbg and other ugly tools Pablo Álvarez Doval Debugging & Optimization Team Lead

TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011.

October 10, Testing USB 2.0 Devices and Drivers Scott Thompson USB Test Developer Windows Division Microsoft Corp.

Updates and Common Questions Asked by Simulation Developers Peter Shier Architect Windows Devices and Storage Technologies

Speaker: Xiaojiang Du Authors: Xiali Hei, Xiaojiang Du and Shan Lin Temple University.

Windows CE Object Store Windows CE name for persistent storage Provides storage for the –Registry –Databases –File System In a non-volatile portion of.

1 WDM (Windows Driver Model) Y.C. Hua

Lecture 8 Rootkits Hoglund/Butler (Chapter 7-8). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to.

Vulnerabilities in Operating Systems Michael Gaydeski COSC December 2008.

COMPUTER SECURITY Ashesi University College Benson Wachira Julateh Mulbah.

Exploitation Development and Implementation PRESENTER: BRADLEY GREEN.

Android. Android An Open Handset Alliance Project A software platform and operating system for mobile devices Based on the Linux kernel Developed by Google.

Common System Exploits Tom Chothia Computer Security, Lecture 17.

How to Fix Bitdefender Total Security Error -1022? Support Number

FIX HP PCS – “COMPUTER DOES NOT SHUT DOWN” ISSUE.

Nat 4/5 Computing Science Software

Secure Coding Techniques

Three steps to prevent Malware infection

Kernel Design & Implementation

Protecting Memory What is there to protect in memory?

Lecture 1-Part 2: Operating-System Structures

Security Testing Methods

Dll Suite Introduction

Presented b by COD & Chicago Computers

Protecting Memory What is there to protect in memory?

Protecting Memory What is there to protect in memory?

Crash Dump Analysis - Santosh Kumar Singh.

Protecting your mobile devices away from virus by a cloud-based approach Wei Wu.

Steps to Fix "Norton Antivirus Error " Base Filtering Engine.

Though there is numerous reason for the error, that is not easy to identify. Check out some of the reason for the error mentioned below-  Incomplete.

Steps to Troubleshoot Avast Error Code “41227 ”.

Steps to Fix Avast Error Code 7005 Call

How to fix QuickBooks Error Code 80029c4a Call

Steps to Fix ESET NOD32 Antivirus Error 0008 Call

Patching firmware, computers, internet of things and more

How to Fix Windows 10 Update Error 0x ?.

Fix Bitdefender Antivirus Error 2001 Give a Ring on: Bitdefender Support Number.

Fix Bitdefender Error Code 82 Give a Ring on: Bitdefender Support Number.

Fix Bitdefender Internet Security Error 217 Bitdefender Support Number Give a Ring on:

Fix Bitdefender Antivirus Error 1603? Give a Ring on: Bitdefender Support Number.

Fix Bitdefender Antivirus Error Code 5 Give a Ring on: Bitdefender Support Number.

Fix Bitdefender Error Code 2202 Give a Ring on: Bitdefender Support Number.

Fix Bitdefender Antivirus Error 1003 Give a Ring on: Bitdefender Antivirus Support Number.

Bitdefender Support will tell you how to connect to multiple computers.

Fix Bitdefender Error Code 2343 Give a Ring on: Bitdefender Antivirus Support Number.

GCED Exam Braindumps

Windows Internals Brown-Bag Seminar Chapter 1 – Concepts and Tools

מערכות הפעלה ערן טרומר סמסטר א' תשע"ב

Enhanced Security Testing- Do Automate Debuggers

CS703 - Advanced Operating Systems

Welcome to Fix Antivirus Activation Error Support Service.

Chapter 3 Software.

OSL150 – Get Hands on with Ivanti Endpoint Security

Presentation transcript:

Attacking Antivirus Software's Kernel Driver bee13oy of CloverSec Labs Zer0con 2017 2018/6/12

About me bee13oy of CloverSec Labs Security Vulnerabilities Researcher, interested in: Microsoft Windows Kernel Microsoft Edge Adobe Flash Player Discovered 40+ AV Kernel Vulnerabilities: ZDI-CAN-3760, ZDI-CAN-3828, ZDI-CAN-4191, ZDI-CAN-3712 ZDI-16-670, ZDI-16-530, ZDI-16-503, ZDI-16-502, ZDI-16-487, ZDI-16-484, ZDI-16-483 … 2018/6/12

Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion 2018/6/12

Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion 2018/6/12

Motivation Reason for choosing AV Widely Used Typical and Challenging Choose my first target “Avast Free Antivirus” Free antivirus software Avast bug bounty program 2018/6/12

AV Attacking Surface IOCTL Handler Kernel Driver ActiveX Engine - SSDT Hook - IOCTL Handler ActiveX - Memory Corruption - Insecure Method | Design Error Engine - File Format Parsing(Memory Corruption, RCE) - Denial Of Service - Detection Bypass Management - Web Interface - Client/Server Management IOCTL Handler 2018/6/12

AV Kernel Attacking Surface DeviceIoControl What We Care Mostly hDevice dwIoControlCode lpInBuffer & nInBufferSize 2018/6/12

Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion 2018/6/12

How To Get hDevice CreateFile lpFileName is a SymbolicLink Device Name \\.\TestDev \Device\TestDev 2018/6/12

How To Get hDevice Using PChunter Disadvantage No command-line mode  No automation Incomplete 2018/6/12

How To Get hDevice Better option? Enumerating DeviceObjects from user mode: NtOpenDirectoryObject NtQueryDirectoryObject NtOpenSymbolicLinkObject (optional) NtQuerySymbolicLinkObject (optional) hDevice ==> *.sys? Device name + .sys ?=> driver binary (aswSnx  aswSnx.sys) SymbolicLink reference (aswSP_Open  aswSP.sys) 2018/6/12

How To Get dwIoControlCode But… No Source code No Symbols High complexity We have… IDA Pro Windbg Kernel Driver *.sys 2018/6/12

How To Get dwIoControlCode Avast aswSnx.sys Dispatch Function ASM Code ASM code feature cmp REG, 0x88888888 mov REG, 0x88888888 sub REG, 0x88888888 2018/6/12

How To Get dwIoControlCode Avast aswSnx.sys Dispatch Function C Code C code feature case 0x88888888 vN > 0x88888888 vN < 0x88888888 vN - 0x88888888 vN = 0x88888888 vN <= 0x88888888 vN >= 0x88888888 vN == 0x88888888 vN != 0x88888888 2018/6/12

How To Get dwIoControlCode C++ std::regex to match ASM code feature C++ std::regex to match C code feature P = "((cmp)|(mov)|(sub))(( )|( )|(\\t)|(\\t\\t))((eax)|(ebx)|(ecx)|(edx) |(edi)|(esi)|(ebp)),((\\t)|(\\t\\t)|( ))(([0-9a-fA-F]{5,9}))((h)|(H))" P = "((=)|(-)|(<)|(>)|(case)) ((0x[0-9a-fA-F]{5,9})|(-?[0-9]{5,10}))" 2018/6/12

How To Get dwIoControlCode Get Entire ASM Codes by IDA Command Line idaw.exe -Ohexx86:-errs:-mail=bee13oy@gmail.com:aswSnx.asm:ALL -B aswSnx.sys Get Entire C Codes by IDA Command Line idaw.exe -Ohexx86:-errs:-mail=bee13oy@gmail.com:aswSnx.sys.c:ALL -A aswSnx.sys 2018/6/12

How To Get dwIoControlCode IOCTL_CODE Filter condition DeviceType is fixed Multiple of four Strict Dispatch Function Filter condition 2018/6/12

How To Get dwIoControlCode switch & case C++ std::regex to match “switch & case” P = "(((switch) (\\( )((v|a)[0-9]{1,5}) ((\\+)|(-)))|(case)) ((0x[0-9a-fA-F]{1,9})|(-?[0-9]{1,11}))“ ioctl = N - 0xFFEFFE4 2018/6/12

How To Get dwIoControlCode Finally, we got IOCTL_CODEs… 2018/6/12

lpInBuffer & nInBufferSize Invalid Buffer Ptr Insert Interesting values, eg, 0, 1, 2, 0x20, 0x3f, 0x40, 0x7f, 0x80, 0xff, 0x3ffff, -1, 0x7fffffff, etc Insert Thread / Process ID Insert Thread / Process Handle Insert Another Buffer Ptr nInBufferSize Interesting values, eg, 0, 1, 2, 0x20, 0x3f, 0x40, 0x7f, 0x80, 0xff, 0x3ffff, -1, 0x7fffffff, etc Sizeof lpInBuffer Random length between 0 and sizeof lpInBuffer 2018/6/12

Make it together 2018/6/12

BSoD but... We got a broken log file. Why? 2018/6/12

BSoD but… How to Disable File System Caching? MSDN will tell you… File Buffering CreateFile with flag FILE_FLAG_NO_BUFFERING Alloc aligned memory by using VirtualAlloc or _aligned_malloc WriteFile with aligned memory and aligned sector_size length. File Caching CreateFile with flag GENERIC_WRITE WriteFile FlushFileBuffers 2018/6/12

Install AV & Run Fuzzer We tested 24 AV products from AV-TEST (February 2016) 2018/6/12

Antivirus Kernel Vulnerabilities ZDI CASES ZDI-CAN-3760 (Check Point) ZDI-CAN-3828 (AhnLab) ZDI-CAN-4191 (Trend Micro) ZDI-CAN-3712 (Avast) ZDI-16-670 (Avira) ZDI-16-530 (Trend Micro) ZDI-16-503 (Bitdefender) ZDI-16-502 (Bitdefender) ZDI-16-487 (AVG) ZDI-16-484 (AVG) ZDI-16-483 (AVG) … 2018/6/12

Avast BSoD (aswSnx.sys) 2018/6/12

Trend Micro BSoD(tmnciesc.sys) 2018/6/12

Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion 2018/6/12

Norman Security suite 11.0 EoP Vulnerability 2018/6/12

Exploit Demo 2018/6/12

Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion 2018/6/12

Conclusion Recommendations for AV Companies Audit your drivers: source code reviews & fuzzing Don’t trust the user-supplied data … 2018/6/12

Thanks ! @bee13oy bee13oy@gmail.com 2018/6/12