AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Zemana antimalware11/25/2023 The function itself is nothing special it checks that the process being terminated is not a critical process, then it retrieves a handle to the process and calls the ZwTerminateProcess() API to kill the target process. IOCTL code 0x80002048 calls the ZmnPhTerminateProcessById() function, passing the PID of a running process as a parameter. Let’s explore the functionality abused by the Spybot TA to terminate AV and EDR processes. PoC unsigned int pid = GetCurrentProcessId() ĭeviceIoControl(hDevice, 0x80002010, &pid, sizeof(pid), NULL, 0, NULL, NULL) Terminating a Process Here the driver fails to verify if the process issuing the IOCTL request is already present in the allowlist, granting any process to become “trusted” and capable of issuing privileged commands to the driver. If it wasn’t already registered within the AuthenticationManager, it retrieves the session ID and the Image Name of the process and adds an entry in the allowlist. The function takes as a parameter a PID of a running process. Investigating the IOCTL code 0x80002010, we’ll discover that the ZmnAuthRegisterProcess() function is called. Each entries in the allowlist (in blue) contain the following information: The allowlist array can contain up to 100 entries (each element’s size is of 0x980 bytes). Allowlist enabled/disabled flag (in red 1 means enabled).If not, the function returns 0, and the “Access Denied” message is returned by the driver to the process issuing the IOCTL request.īefore the allowlist, there is a global data structure, checked by the check_whitelist_enabled() function, maintaining the status of the AuthenticationManager: It checks if the received PID is among the allowed ones in the allowlist data structure. The ZmnAuthIsRegisteredProcessId() function “consumes” the PID of the process issuing the IOCTL request as a parameter. The first function checks a global variable, determining if the allowlist is enabled. Unless the received IOCTL code is 0x80002010, the check_whitelist_enabled() and ZmnAuthIsRegisteredProcessId() functions are called. "ProcessID %d is not authorised to send IOCTLs ", If ( (unsigned int)check_allowlist_enabled() & !(unsigned int)ZmnAuthIsRegisteredProcessId(CurrentPID, 1) ) Enable/Disable ZAM Guard & Real-Time Protection.Note: if you like to explore the reverse-engineered driver or just follow along with this blog post, IDA’s DB, as well as the vulnerable driver, are present on GitHub □ While I’ve seen a lot of material from the defensive community (they were fast on this one) about the detection mechanism, IOCs, prevention policies and intelligence, I feel some other, perhaps more interesting vulnerable code paths in this driver were not explored nor discussed.ĭespite the different names, the drivers are the same (they also share the same hash) let’s dive into the Zemana’s ( zam64.sys) driver. On top of that, if the attacker is already a local admin on a machine, no security boundary can’t be crossed as that’s always a GAME OVER the possibilities are unlimited from that attack perspective. This technique requires administrative privileges and User Account Controls (UAC) acceptance in order to function properly, and it is not one of the stealthiest. IMHO, all the hype behind this announcement was utterly unjustified as it is just another instance of the well-known Bring Your Own Vulnerable Driver ( BYOVD) attack technique: where a legitimate signed driver is dropped on victims’ machine and later used to disable security solutions and/or deliver additional payloads. Zemana AntiMalware has been configured so that anyone can use it without needing to tinker around with confusing settings - it is ready to go right after you download it.Recently, a threat actor (TA) known as SpyBot posted a tool, on a Russian hacking forum, that can terminate any antivirus/Endpoint Detection & Response (EDR/XDR) software. It will also work seamlessly with other security software installed on your PC without known conflicts. It boasts an easy-to-use UI equipped with a one-click rescue for removing all unwanted apps, toolbars, browser add-ons, and quickly neutralizing viruses, trojans, rootkits, worms, spyware, and adware. Zemana AntiMalware is an all-in-one anti-malware solution that can help clean badly infected computers effortlessly.
0 Comments
Read More
Leave a Reply. |