METHODOLOGY Part 1

Published by Kareldjag

FIRST PART based on the behaviour (more screenshots here)


1a.Execution protection

-with the TaskManager launched via Ctrl+Alt+Del

-via start and execute menu

-with srip32 launched by explorer.exe

-with shellcode for running notepad.exe:









and calc.exe (2 tools used for this test)









- browser hijacking: we just run cmd.exe and press the first key before "A"



1b.Self-protection



a.Process termination

-with the Task Manager

-with APT (kernel method)

-if not enough, with IceSword


b.Service interruption/termination

-with CMD (net stop)

-with Osrloader

-if not enough, with IceSword


c.Driver manipulation

-with Drvloader (stop the driver):




-with SDTRestore



2.Kernel protection

a. crashing the computer (kernel driver loading/hooking)


-with Bang:
 
This OSR tool loads a kernel driver, then crashes and reboots the computer in 1 second.








-with Regtest2


-with CMD (shutdown -r -t 01)

-hooking Service.exe with Kapimon:






b.physical memory access with SDTRestore and Physmem


c.Ring0 Injection:







d.service/driver installation with OSRloader and calcdrv test

We register and start the service:







3.Integrity Protection


a.integrate new dlls in System32 folder

-with BoWall:





Most malware loads its files, such as dlls, into this important folder.

BoWall is a hardening tool by Andrey Kolishak, designed to harden the system (dlls) against buffer overflows.


-with PrivBar

PrivBar is a small toolbar for IE by Aaron Margosis which shows the level of privileges.

We just register the dll in System32 and launch Internet Explorer.


b.load and unload a dll in Internet Explorer with APM:





c.dll injection:

- in IE with Copycat (leaktest)
- in Firefox with kareldjagdll (R)
- in HIPS.exe or TCPView.exe with Zapass


d.Hooking and hijacking IE with Kapimon:










e.Process Modification via API with Apiguard

Apiguard is a tool designed to protect process integrity.
It is currently only an experimental tool, and is not recommended due to some instability.
Example with service.exe:





But if we try to install a service (stealth in this example), the system crashes:




The goal of this test is to note whether the protection can be installed on service.exe and on the HIPS process.



4.Registry protection


-with Scoundrel Simulator (Run Keys)

-with RegTest1

-with RegHide (hidden key called "can't touch me")



5.Message Hooks protection:


-with keyhook

-with ExecuteHook:








-with Keyboardhook





-with HookDump


-with Keylog (simple keylogger demonstration coded in visual basic):












6.Malware simulation with Hookdemo and DFK-Threat Simulator


a.Hookdemo

This tool illustrates the TOCTOU problem: it installs a kernel service/driver and registry keys that can't be opened by regedit (access denied). The goal here is to note whether these actions are detected and prevented by the HIPS.









b.with Geswall script test

c.DFKThreat Simulator is an exhaustive tool which simulates various malware behaviours (spyware, rootkit etc):




 










                                                            

                                                                       













METHODOLOGY Part 2: in the wild with malware













