I. STARTER
When conducting penetration testing on target machines, our actions will be
ruthlessly monitored and judged by Antivirus. If deemed dangerous, our payload
will be removed from the system, or worse, we may lose access to the target
machine entirely.
However, there are always processes considered exceptions. These are the
processes of the Antivirus itself. Suppose you are an Antivirus software
developer, you cannot risk terminating a process or deleting files related to
your software in a live environment, right? This would compromise the
functionality of the Antivirus and could lead to instability. All of this
would significantly affect the user experience.
In this article, I will experiment with the technique of injecting code into
the protected processes of several Antivirus programs. After a successful
injection, I can perform actions that are not permitted for regular processes
(regardless of the user permissions). The simplest example is writing a
backdoor into the installation folder of the Antivirus.
Find me on X to get the latest pentest and red team tricks that I’ve been
researching: Two Seven One Three (@TwoSevenOneT) / X
II. MAIN SECTION
1. How Antivirus Protects Its Processes
Antivirus programs protect their own processes from being killed or accessed
by using several methods, including running with high-level privileges, using
process introspection to monitor for tampering, and employing self-protection
mechanisms like automatically restarting or triggering alerts when attacks are
detected.
-
Elevated privileges: Antivirus software is granted high-level permissions to
perform its functions (usually with SYSTEM privileges) -
Process introspection: This technique involves the antivirus monitoring its
own processes for suspicious activities, such as the creation of new threads
or the injection of code by an external process. -
Code integrity checks: The antivirus performs checks on its own code and
modules to ensure that they have not been tampered with. -
Run as System-protected process: Antivirus uses the Protected Process Light
(PPL) feature of Windows to keep its user-mode processes separate from other
processes. -
Kernel-mode protection: To protect the core of the operating system,
antivirus solutions deploy sensors to detect and block third-party
components from altering their detection capabilities within the
kernel.
2. How Antivirus Determines Which Processes Need To Be Protected
Put yourself in the shoes of an Antivirus developer. When coding this
self-protection feature, how would you determine which processes belong to the
protected list?
-
Based on the process name: attackers will create a file with a
similar name and execute that file. -
Based on the file signature: threat actors will copy your original
file and perform DLL hijacking. -
Based on the process ImagePath: ensuring the executable file is
placed correctly will make it very difficult for attackers to spoof it.
In practice, Antivirus software combines checks on the process
ImagePath with preventing file writing operations in its installation
folder. Additionally, it may include signature verification of DLLs loaded
into the processes on the protected list (as seen in Bitdefender).
Don’t even consider spoofing the ImagePath by modifying the
PEB of the process. Antivirus software typically monitors your process
right from its initialization using a kernel driver.
And don’t think about calling CreateProcess to create a protected
process, then using the handle obtained from the CreateProcess API to
manipulate it. Because when a process is initialized and identified by the
Antivirus as being on the protected list, your handle will have no power
anymore.
3. Ideas For Injecting Code Into Processes Protected By Antivirus
Antivirus developers are often very intelligent individuals with strong
programming skills. Their weakness lies in the necessity to develop software
that operates based on the operating system while balancing user experience,
performance, and the effectiveness of the Antivirus.
An antivirus product typically comes with many features. For example, modern
antivirus solutions often include modules for firewall management, browser
monitoring, VPN (Virtual Private Network), and user interface(For example,
with Avast Antivirus, instead of injecting into the processes of the Antivirus
services, I can inject into the GUI process, which is also protected) handling
for user interaction.
Naturally, the processes that perform the functions of these modules will also
be included in the protected list and granted privileges such as writing files
to the Antivirus installation folder and being classified as non-threat
processes.
For protected processes, we cannot kill or restart them, nor can we modify the
services/tasks configuration to disable them. At most, we can only suspend
them using
EDR-Freeze. Of course, if you have an exploit that escalates privileges to the kernel,
everything becomes much simpler.
In fact, there is a way to restart these processes, which is to reboot the
machine. However, during pentesting activities, restarting the target
machine is a last resort.
If I cannot Start/Stop the protected processes, I would attempt to create a
new Windows service with the exact same configuration information as the
Antivirus service to see what happens.
Since you’re performing a manual service clone operation
(exporting-importing the registry key), you’ll need to restart the test
machine so that Services.exe can load the newly created service into the
cache.
So now I can proactively run a service with the executable file as the
Antivirus service file. Next, I need to check if the newly launched service is
protected or not.
A simple way to check is to use Process Explorer to kill the newly
created process. If it is protected, you will receive an “access denied” message.
When we successfully create a protected service, it means we can monitor the
initialization process of this service, providing more opportunities to
exploit this initialization.
Windows Cryptography API (CryptoAPI) Infrastructure:
Antivirus programs often need to perform operations such as encryption,
decryption, hashing, and digital signature verification. Therefore, I would
exploit this position to inject code into the processes of the Antivirus.
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider
For example, with Bitdefender that I am currently testing, it uses the “Microsoft Enhanced RSA and AES Cryptographic Provider” during startup. If I change the registry value to point to a different DLL,
I could inject into this process.
The next issue is that Bitdefender will check the digital signatures of the
loaded modules. We can bypass this by trusting our self-signed digital
signature. However, I have a better idea, we can
clone the digital signatures of legitimate programs
on Windows to conceal ourselves more effectively.
Here are the steps to inject code into the process of Antivirus:
-
Create a Protected Service: Clone a service that matches the configuration
of the Antivirus service. -
Modify Cryptographic Provider: Change the registry value to point to a
custom DLL that you control. -
Trust Self-Signed Signature: Either trust your self-signed digital signature
or clone the digital signature of legitimate Windows programs for better
concealment. -
Run the newly cloned service: activate this service so that the
initialization process loads the malicious Cryptographic Provider. - Verify Injection: Confirm that your code is running.
-
Restore the modified Cryptographic Provider registry to its original value
to ensure the system operates normally.
4. Introducing The IAmAntimalware Tool
To carry out the above steps, I have created a tool called
IAmAntimalware. This tool will clone a service by name, modify the
Cryptographic Provider, import the certificate, and start the cloned
service.
You can download this tool at the link:
https://github.com/TwoSevenOneT/IAmAntimalware
I will experiment with the IAmAntimalware tool alongside
Bitdefender Antivirus.
First, I will use the CertClone tool to sign my DLL.
You can download CertClone tool at the link:
https://github.com/TwoSevenOneT/CertClone
Next, I will copy the file “sysmon_Clone.cer” and the signed PE file
“SampleDll.dll” to the target machine.
“SampleDll.dll” is a simple test file that calls
OutputDebugString and writes a file named “mark.txt” in the
installation folder of the Antivirus.
I will execute IAmAntimalware with the following parameters:
IAmAntimalware.exe BDProtSrv BDProtSrv02 sysmon_Clone.cer
C:\TMP\SampleDll.dll
BDProtSrv and BDProtSrv02 are the names of the original service
and the clone to be created. sysmon_Clone.cer is the file exported from
the CertClone tool. Finally, the path to the DLL file that needs to be
injected must be specified, with an absolute path requirement.
Besides the Cryptographic Provider, the IAmAntimalware tool also
supports hijacking via COM objects. You can try experimenting with this in
practice.
After successfully running, I was able to inject SampleDll.dll into the
Antivirus process. Evidence of this is that I was able to successfully write a
file in its installation folder.
I also successfully tested with Trend Micro Antivirus and Avast. For Avast,
the most stable method is to trigger the GUI process, so you need to modify
IAmAntimalware to be compatible with this antivirus.
III. ENDING
Antivirus programs always have a self-protection feature for their service
processes. Simply put, these processes are unkillable.
If it is possible to execute code within these processes, malware could bypass
antivirus programs and carry out dangerous activities without being stopped.
This creates a condition that is too good to be true for malware developers.
IAmAntimalware takes advantage of cloning a protected service, along
with a digitally signed certificate that is force-trusted, to inject code into
the processes of the Antivirus.
To prevent this technique, it’s essential to monitor module loading for
unusual paths, check for added trusted certificates in the Windows registry,
and combine this with the use of the
Protected Processes Light (PPL) feature.
IV. READING
Here are some books you should read to beef up your knowledge about
cybersecurity:
Hacking: The Art of Exploitation, 2nd Edition
Spies, Lies, and Cybercrime: Cybersecurity Tactics to Outsmart Hackers and
Disarm Scammers
Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five
Extraordinary Hacks
Author of the article: Two Seven One Three
