Lucene search

21 matches found

Kitploit
added 2017/12/19 9:10 p.m., 40 views

Makin - Reveal Anti-Debugging Tricks

makin makes initial malware assessment a little bit easier. It helps to reveal the debugger detection techniques used by a sample. Supports x64 and x86. How does it work? makin opens a sample as a debuggee and injects asho.dll; asho.dll hooks several functions in the ntdll.dll library and after...

AI score 7.3
Exploits: 0, References: 1
myhack58
added 2008/06/30 12:0 a.m., 32 views

Kill IceSword-vulnerability warning-the black bar safety net

Posted By Inking This article is a study of the Rootkit... and the SSDT Hook magical-against ring0 inline hook after the results. According to the SSDT Hook magical-against ring0 inline hook said, IceSword inline Hook the NtOpenProcess function, but when I wrote out the code when how also unable ...

AI score 0.1
Exploits: 0
Prion
added 2008/04/30 12:10 a.m., 10 views

Code injection

BitDefender Antivirus 2008 20080118 and earlier allows local users to cause a denial of service (system crash) via an invalid pointer to the CLIENTID structure in a call to the NtOpenProcess hooked System Service Descriptor Table (SSDT) function...

CVSS 4.9, AI score 6.7, EPSS 0.00058
Exploits: 1, References: 9, Affected Software: 1
Prion
added 2008/04/30 12:10 a.m., 13 views

Code injection

Rising Antivirus 2008 before 20.38.20 allows local users to cause a denial of service (system crash) via an invalid pointer to the CLIENTID structure in a call to the NtOpenProcess hooked System Service Descriptor Table (SSDT) function...

CVSS 2.1, AI score 6.7, EPSS 0.00026
Exploits: 1, References: 8, Affected Software: 1
NVD
added 2008/04/30 12:10 a.m., 9 views

CVE-2008-1738

Rising Antivirus 2008 before 20.38.20 allows local users to cause a denial of service (system crash) via an invalid pointer to the CLIENTID structure in a call to the NtOpenProcess hooked System Service Descriptor Table (SSDT) function...

CVSS 2.1, AI score 6.1, EPSS 0.00026
Exploits: 1, References: 8
seebug.org
added 2008/04/30 12:0 a.m., 26 views

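Rising Antivirus SSDT NtOpenProcess() Hook Local Denial of Service Vulnerability

BUGTRAQ ID: 28744 CVE(CAN) ID: CVE-2008-1738 Rising is a very well-known antivirus software vendor in China. There is a vulnerability in the implementation of Rising's driver that a local attacker may exploit to crash the system. Rising Antivirus's NtOpenProcess hook does not verify whether the pointer to the following structure: /----------- typedef struct CLIENTID HANDLE UniqueProcess; HANDLE UniqueThread; - -----------/ points to mapped memory; when the code dereferences the pointer to check the CLIENTID-UniqueProcess value, the system crashes if the pointer refers to invalid memory...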

CVSS 2.1, AI score 6.4, EPSS 0.00026
Exploits: 1
CVE
added 2008/04/29 11:0 p.m., 55 views

CVE-2008-1738

CVE-2008-1738 is a kernel‑mode vulnerability involving insufficient argument validation of hooked SSDT functions in multiple antivirus products. The CoreLabs CORE-2008-0320 advisory documents an invalid memory reference vulnerability that can cause local DoS (system crash) and, in some cases, may...

CVSS 2.1, AI score 6, EPSS 0.00026
Exploits: 1, References: 8, Affected Software: 1
Cvelist
added 2008/04/29 11:0 p.m., 15 views

CVE-2008-1735

BitDefender Antivirus 2008 20080118 and earlier allows local users to cause a denial of service (system crash) via an invalid pointer to the CLIENTID structure in a call to the NtOpenProcess hooked System Service Descriptor Table (SSDT) function...

AI score 6.1, EPSS 0.00058
Exploits: 1, References: 9
CVE
added 2007/09/26 10:0 a.m., 56 views

CVE-2007-5086

CVE-2007-5086 concerns Kaspersky Anti-Virus/Internet Security 7.0.0.125 where SSDT and Shadow SSDT parameter validation is insufficient, enabling local users to trigger a crash (DoS) via kernel hooks in kylif.sys (NtUserSendInput, LoadLibraryA, NtOpenProcess, NtOpenThread, NtTerminateProcess, NtU...

CVSS 2.1, AI score 6.2, EPSS 0.00063
Exploits: 1, References: 5, Affected Software: 2
Prion
added 2007/09/24 12:17 a.m., 13 views

Design/Logic Flaw

G DATA InternetSecurity 2007 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey and (2) NtOpenProcess kernel SSDT hooks...

CVSS 4.6, AI score 7, EPSS 0.00073
Exploits: 0, References: 5
CVE
added 2007/09/24 12:0 a.m., 39 views

CVE-2007-5041

CVE-2007-5041: G DATA InternetSecurity 2007 reportedly does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, enabling local users to trigger a crash (DoS) and potentially gain privileges via the (1) NtCreateKey and (2) NtOpenProcess kernel SSD...

CVSS 4.6, AI score 6.5, EPSS 0.00073
Exploits: 0, References: 5, Affected Software: 1
NVD
added 2007/09/19 1:17 a.m., 9 views

CVE-2007-4967

Online Armor Personal Firewall 2.0.1.215 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via unspecified kernel SSDT hooks for Windows Native API...

CVSS 4.4, AI score 6.6, EPSS 0.00066
Exploits: 0, References: 5
Prion
added 2007/09/19 1:17 a.m., 6 views

Code injection

Privatefirewall 5.0.14.2 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via kernel SSDT hooks for (1) NtOpenProcess and (2) NtOpenThread...

CVSS 4.4, AI score 7.1, EPSS 0.00073
Exploits: 0, References: 5, Affected Software: 1
CVE
added 2007/09/19 1:0 a.m., 35 views

CVE-2007-4968

CVE-2007-4968 – Normal mode

Affected product: Privatefirewall 5.0.14.2.
What is vulnerable: the system service descriptor table (SSDT) function handlers are not properly validated for certain parameters, enabling an attacker with local access to trigger a denial of service (crash) and potent...

CVSS 4.4, AI score 6.6, EPSS 0.00073
Exploits: 0, References: 5, Affected Software: 1
myhack58
added 2007/09/19 12:0 a.m., 36 views

kav/kis 6/7 vulnerabilities-vulnerability warning-the black bar safety net

Foreign famous Rootkit research site rootkit.com published an article: "Exploiting Kaspersky Antivirus 6.0-7.0". The author, EPXOFF/UG North, is famous as the developer of the anti-Rootkit tools Rootkit Unhooker and Process walker. The article said that Kaspersky Anti-virus software from 6.0 to the curre...

AI score 0.4
Exploits: 0
Prion
added 2007/02/04 12:28 a.m., 15 views

Code injection

cmdmon.sys in Comodo Firewall Pro (formerly Comodo Personal Firewall) 2.4.16.174 and earlier does not validate arguments that originate in user mode for the (1) NtCreateSection, (2) NtOpenProcess, (3) NtOpenSection, (4) NtOpenThread, and (5) NtSetValueKey hooked SSDT functions, which allows local users to...

CVSS 7.2, AI score 6.8, EPSS 0.00047
Exploits: 1, References: 5, Affected Software: 1
securityvulns
added 2007/02/01 12:0 a.m., 48 views

[Full-disclosure] Comodo Multiple insufficient argument validation of hooked SSDT function Vulnerability

Hello, We would like to inform you about a vulnerability in Comodo Firewall Pro. Description: Comodo Firewall Pro (former Comodo Personal Firewall) hooks many functions in SSDT and in at least seven cases it fails to validate arguments that come from the user mode. User calls to NtConnectPort CFP...

AI score 0.7
Exploits: 0
myhack58
added 2006/12/25 12:0 a.m., 16 views

Breakthrough IceSword process itself protection method-vulnerability warning-the black bar safety net

IceSword drive on its own process to do the protection, so that the malicious program is terminated not him. IceSword did not use HOOK the SSDT method, but is also useless what is too perverted method, but the Inline Hook the NtOpenProcess And NtTerminateProcess several functions, namely to modif...

AI score 0.2
Exploits: 0
myhack58
added 2006/12/18 12:0 a.m., 7 views

Breakthrough IceSword own process protection-vulnerability warning-the black bar safety net

IceSword drive on its own process to do the protection, so that the malicious program is terminated not him. IceSword did not use HOOK the SSDT method, but is also useless what too BT method, but the Inline Hook the NtOpenProcess And NtTerminateProcess several functions, namely to modify the...

AI score 0.1
Exploits: 0
NVD
added 2006/06/19 10:2 a.m., 14 views

CVE-2006-3074

klif.sys in Kaspersky Internet Security 6.0 and 7.0, Kaspersky Anti-Virus (KAV) 6.0 and 7.0, KAV 6.0 for Windows Workstations, and KAV 6.0 for Windows Servers does not validate certain parameters to the (1) NtCreateKey, (2) NtCreateProcess, (3) NtCreateProcessEx, (4) NtCreateSection, (5)...

CVSS 5, AI score 6.2, EPSS 0.04053
Exploits: 0, References: 16