Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attacking Antivirus Software's Kernel Driver

Published byEunice Dalton Modified over 6 years ago

Similar presentations

Presentation on theme: "Attacking Antivirus Software's Kernel Driver"— Presentation transcript:

1 Attacking Antivirus Software's Kernel Driver
bee13oy of CloverSec Labs Zer0con 2017 2018/6/12

2 About me bee13oy of CloverSec Labs
Security Vulnerabilities Researcher, interested in: Microsoft Windows Kernel Microsoft Edge Adobe Flash Player Discovered 40+ AV Kernel Vulnerabilities: ZDI-CAN-3760, ZDI-CAN-3828, ZDI-CAN-4191, ZDI-CAN-3712 ZDI , ZDI , ZDI , ZDI , ZDI , ZDI , ZDI 2018/6/12

3 Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities
Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion 2018/6/12

4 Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities
Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion 2018/6/12

5 Motivation Reason for choosing AV
Widely Used Typical and Challenging Choose my first target “Avast Free Antivirus” Free antivirus software Avast bug bounty program 2018/6/12

6 AV Attacking Surface IOCTL Handler Kernel Driver ActiveX Engine
- SSDT Hook - IOCTL Handler ActiveX - Memory Corruption - Insecure Method | Design Error Engine - File Format Parsing(Memory Corruption, RCE) - Denial Of Service - Detection Bypass Management - Web Interface - Client/Server Management IOCTL Handler 2018/6/12

7 AV Kernel Attacking Surface
DeviceIoControl What We Care Mostly hDevice dwIoControlCode lpInBuffer & nInBufferSize 2018/6/12

8 Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities
Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion 2018/6/12

9 How To Get hDevice CreateFile lpFileName is a SymbolicLink Device Name
\\.\TestDev \Device\TestDev 2018/6/12

10 How To Get hDevice Using PChunter Disadvantage
No command-line mode  No automation Incomplete 2018/6/12

11 How To Get hDevice Better option?
Enumerating DeviceObjects from user mode: NtOpenDirectoryObject NtQueryDirectoryObject NtOpenSymbolicLinkObject (optional) NtQuerySymbolicLinkObject (optional) hDevice ==> *.sys? Device name + .sys ?=> driver binary (aswSnx  aswSnx.sys) SymbolicLink reference (aswSP_Open  aswSP.sys) 2018/6/12

12 How To Get dwIoControlCode
But… No Source code No Symbols High complexity We have… IDA Pro Windbg Kernel Driver *.sys 2018/6/12

13 How To Get dwIoControlCode
Avast aswSnx.sys Dispatch Function ASM Code ASM code feature cmp REG, 0x mov REG, 0x sub REG, 0x 2018/6/12

14 How To Get dwIoControlCode
Avast aswSnx.sys Dispatch Function C Code C code feature case 0x vN > 0x vN < 0x vN - 0x vN = 0x vN <= 0x vN >= 0x vN == 0x vN != 0x 2018/6/12

15 How To Get dwIoControlCode
C++ std::regex to match ASM code feature C++ std::regex to match C code feature P = "((cmp)|(mov)|(sub))(( )|( )|(\\t)|(\\t\\t))((eax)|(ebx)|(ecx)|(edx) |(edi)|(esi)|(ebp)),((\\t)|(\\t\\t)|( ))(([0-9a-fA-F]{5,9}))((h)|(H))" P = "((=)|(-)|(<)|(>)|(case)) ((0x[0-9a-fA-F]{5,9})|(-?[0-9]{5,10}))" 2018/6/12

16 How To Get dwIoControlCode
Get Entire ASM Codes by IDA Command Line idaw.exe -B aswSnx.sys Get Entire C Codes by IDA Command Line idaw.exe -A aswSnx.sys 2018/6/12

17 How To Get dwIoControlCode
IOCTL_CODE Filter condition DeviceType is fixed Multiple of four Strict Dispatch Function Filter condition 2018/6/12

18 How To Get dwIoControlCode
switch & case C++ std::regex to match “switch & case” P = "(((switch) (\\( )((v|a)[0-9]{1,5}) ((\\+)|(-)))|(case)) ((0x[0-9a-fA-F]{1,9})|(-?[0-9]{1,11}))“ ioctl = N - 0xFFEFFE4 2018/6/12

19 How To Get dwIoControlCode
Finally, we got IOCTL_CODEs… 2018/6/12

20 lpInBuffer & nInBufferSize
Invalid Buffer Ptr Insert Interesting values, eg, 0, 1, 2, 0x20, 0x3f, 0x40, 0x7f, 0x80, 0xff, 0x3ffff, -1, 0x7fffffff, etc Insert Thread / Process ID Insert Thread / Process Handle Insert Another Buffer Ptr nInBufferSize Interesting values, eg, 0, 1, 2, 0x20, 0x3f, 0x40, 0x7f, 0x80, 0xff, 0x3ffff, -1, 0x7fffffff, etc Sizeof lpInBuffer Random length between 0 and sizeof lpInBuffer 2018/6/12

21 Make it together 2018/6/12

22 BSoD but... We got a broken log file. Why? 2018/6/12

23 BSoD but… How to Disable File System Caching? MSDN will tell you…
File Buffering CreateFile with flag FILE_FLAG_NO_BUFFERING Alloc aligned memory by using VirtualAlloc or _aligned_malloc WriteFile with aligned memory and aligned sector_size length. File Caching CreateFile with flag GENERIC_WRITE WriteFile FlushFileBuffers 2018/6/12

24 Install AV & Run Fuzzer We tested 24 AV products from AV-TEST (February 2016) 2018/6/12

25 Antivirus Kernel Vulnerabilities
ZDI CASES ZDI-CAN-3760 (Check Point) ZDI-CAN-3828 (AhnLab) ZDI-CAN-4191 (Trend Micro) ZDI-CAN-3712 (Avast) ZDI (Avira) ZDI (Trend Micro) ZDI (Bitdefender) ZDI (Bitdefender) ZDI (AVG) ZDI (AVG) ZDI (AVG) 2018/6/12

26 Avast BSoD (aswSnx.sys)
2018/6/12

27 Trend Micro BSoD(tmnciesc.sys)
2018/6/12

28 Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities
Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion 2018/6/12

29 Norman Security suite 11.0 EoP Vulnerability
2018/6/12

30 Exploit Demo 2018/6/12

31 Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities
Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion 2018/6/12

32 Conclusion Recommendations for AV Companies
Audit your drivers: source code reviews & fuzzing Don’t trust the user-supplied data 2018/6/12

33 Thanks ! @bee13oy 2018/6/12

Download ppt "Attacking Antivirus Software's Kernel Driver"

Similar presentations

Fuzzing for logic and state issues

Fuzzing for logic and state issues
Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.

Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-

1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-
Format Scandisk Defragmentation Antivirus Compression Software

Format Scandisk Defragmentation Antivirus Compression Software
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
© 2005 Nevis Networks – Proprietary and Confidential 1 2015-8-21 Attacking Antivirus Feng Xue Syscan’08 HongKong.

© 2005 Nevis Networks – Proprietary and Confidential Attacking Antivirus Feng Xue Syscan’08 HongKong.
How to maintain your computer

How to maintain your computer
W INDOWS BLUE SCREEN OF DEATH AFTER CRASH DEBUGGING Alex Mclean Amy Valley Derek Visch.

W INDOWS BLUE SCREEN OF DEATH AFTER CRASH DEBUGGING Alex Mclean Amy Valley Derek Visch.
ITE 1 Chapter 5. Chapter 5 is a Large Chapter It has a great deal of useful information about operating systems. You will find this VERY helpful when.

ITE 1 Chapter 5. Chapter 5 is a Large Chapter It has a great deal of useful information about operating systems. You will find this VERY helpful when.
What Happens In Windows 8 Stays In Windows 8 Moti Joseph & Marion Marschalek Defcamp 2014.

What Happens In Windows 8 Stays In Windows 8 Moti Joseph & Marion Marschalek Defcamp 2014.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Rensselaer Polytechnic Institute CSCI-4210 – Operating Systems CSCI-6140 – Computer Operating Systems David Goldschmidt, Ph.D.

Rensselaer Polytechnic Institute CSCI-4210 – Operating Systems CSCI-6140 – Computer Operating Systems David Goldschmidt, Ph.D.
Engineering Secure Software. Vulnerability of the Day  Each day, we will cover a different type of code-level vulnerability Usually a demo How to avoid,

Engineering Secure Software. Vulnerability of the Day  Each day, we will cover a different type of code-level vulnerability Usually a demo How to avoid,
Chapter 3 Software. Learning Objectives Upon successful completion of this chapter, you will be able to: Define the term software Describe the two primary.

Chapter 3 Software. Learning Objectives Upon successful completion of this chapter, you will be able to: Define the term software Describe the two primary.
SQL Server Crash Dump Analysis A brief tour with WinDbg and other ugly tools Pablo Álvarez Doval Debugging & Optimization Team Lead

SQL Server Crash Dump Analysis A brief tour with WinDbg and other ugly tools Pablo Álvarez Doval Debugging & Optimization Team Lead
TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011.

TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011.
October 10, 20001. 2 Testing USB 2.0 Devices and Drivers Scott Thompson USB Test Developer Windows Division Microsoft Corp.

October 10, Testing USB 2.0 Devices and Drivers Scott Thompson USB Test Developer Windows Division Microsoft Corp.
Updates and Common Questions Asked by Simulation Developers Peter Shier Architect Windows Devices and Storage Technologies

Updates and Common Questions Asked by Simulation Developers Peter Shier Architect Windows Devices and Storage Technologies

Similar presentations

Ads by Google