IAmAntimalware: Inject Malicious Code Into Antivirus

Posted by on

IAmAntimalware post logo

 

I. STARTER

When conducting penetration testing on target machines, our actions will be ruthlessly monitored and judged by Antivirus. If deemed dangerous, our payload will be removed from the system, or worse, we may lose access to the target machine entirely.

However, there are always processes considered exceptions. These are the processes of the Antivirus itself. Suppose you are an Antivirus software developer, you cannot risk terminating a process or deleting files related to your software in a live environment, right? This would compromise the functionality of the Antivirus and could lead to instability. All of this would significantly affect the user experience.

In this article, I will experiment with the technique of injecting code into the protected processes of several Antivirus programs. After a successful injection, I can perform actions that are not permitted for regular processes (regardless of the user permissions). The simplest example is writing a backdoor into the installation folder of the Antivirus.

Find me on X to get the latest pentest and red team tricks that I've been researching: Two Seven One Three (@TwoSevenOneT) / X


II. MAIN SECTION

1. How Antivirus Protects Its Processes

Antivirus programs protect their own processes from being killed or accessed by using several methods, including running with high-level privileges, using process introspection to monitor for tampering, and employing self-protection mechanisms like automatically restarting or triggering alerts when attacks are detected.

  • Elevated privileges: Antivirus software is granted high-level permissions to perform its functions (usually with SYSTEM privileges)
  • Process introspection: This technique involves the antivirus monitoring its own processes for suspicious activities, such as the creation of new threads or the injection of code by an external process.
  • Code integrity checks: The antivirus performs checks on its own code and modules to ensure that they have not been tampered with.
  • Run as System-protected process: Antivirus uses the Protected Process Light (PPL) feature of Windows to keep its user-mode processes separate from other processes.
  • Kernel-mode protection: To protect the core of the operating system, antivirus solutions deploy sensors to detect and block third-party components from altering their detection capabilities within the kernel. 

2. How Antivirus Determines Which Processes Need To Be Protected

Put yourself in the shoes of an Antivirus developer. When coding this self-protection feature, how would you determine which processes belong to the protected list?

  • Based on the process name: attackers will create a file with a similar name and execute that file.
  • Based on the file signature: threat actors will copy your original file and perform DLL hijacking.
  • Based on the process ImagePath: ensuring the executable file is placed correctly will make it very difficult for attackers to spoof it.

In practice, Antivirus software combines checks on the process ImagePath with preventing file writing operations in its installation folder. Additionally, it may include signature verification of DLLs loaded into the processes on the protected list (as seen in Bitdefender).

Don't even consider spoofing the ImagePath by modifying the PEB of the process. Antivirus software typically monitors your process right from its initialization using a kernel driver.

And don't think about calling CreateProcess to create a protected process, then using the handle obtained from the CreateProcess API to manipulate it. Because when a process is initialized and identified by the Antivirus as being on the protected list, your handle will have no power anymore.


3. Ideas For Injecting Code Into Processes Protected By Antivirus

Antivirus developers are often very intelligent individuals with strong programming skills. Their weakness lies in the necessity to develop software that operates based on the operating system while balancing user experience, performance, and the effectiveness of the Antivirus.

An antivirus product typically comes with many features. For example, modern antivirus solutions often include modules for firewall management, browser monitoring, VPN (Virtual Private Network), and user interface(For example, with Avast Antivirus, instead of injecting into the processes of the Antivirus services, I can inject into the GUI process, which is also protected) handling for user interaction.

Naturally, the processes that perform the functions of these modules will also be included in the protected list and granted privileges such as writing files to the Antivirus installation folder and being classified as non-threat processes.

For protected processes, we cannot kill or restart them, nor can we modify the services/tasks configuration to disable them. At most, we can only suspend them using EDR-Freeze. Of course, if you have an exploit that escalates privileges to the kernel, everything becomes much simpler.

In fact, there is a way to restart these processes, which is to reboot the machine. However, during pentesting activities, restarting the target machine is a last resort.

If I cannot Start/Stop the protected processes, I would attempt to create a new Windows service with the exact same configuration information as the Antivirus service to see what happens.

Since you're performing a manual service clone operation (exporting-importing the registry key), you'll need to restart the test machine so that Services.exe can load the newly created service into the cache.

BitDefender BdProtSrv service clone registry

BitDefender BdProtSrv service clone running

So now I can proactively run a service with the executable file as the Antivirus service file. Next, I need to check if the newly launched service is protected or not.

can not kill clone protected process

A simple way to check is to use Process Explorer to kill the newly created process. If it is protected, you will receive an "access denied" message.

When we successfully create a protected service, it means we can monitor the initialization process of this service, providing more opportunities to exploit this initialization.

Windows Cryptography API (CryptoAPI) Infrastructure:

Antivirus programs often need to perform operations such as encryption, decryption, hashing, and digital signature verification. Therefore, I would exploit this position to inject code into the processes of the Antivirus.

HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider

For example, with Bitdefender that I am currently testing, it uses the "Microsoft Enhanced RSA and AES Cryptographic Provider" during startup. If I change the registry value to point to a different DLL, I could inject into this process.

bitdefender service use Microsoft Enhanced RSA and AES Cryptographic Provider

The next issue is that Bitdefender will check the digital signatures of the loaded modules. We can bypass this by trusting our self-signed digital signature. However, I have a better idea, we can clone the digital signatures of legitimate programs on Windows to conceal ourselves more effectively.

Here are the steps to inject code into the process of Antivirus:

  1. Create a Protected Service: Clone a service that matches the configuration of the Antivirus service.
  2. Modify Cryptographic Provider: Change the registry value to point to a custom DLL that you control.
  3. Trust Self-Signed Signature: Either trust your self-signed digital signature or clone the digital signature of legitimate Windows programs for better concealment.
  4. Run the newly cloned service: activate this service so that the initialization process loads the malicious Cryptographic Provider. 
  5. Verify Injection: Confirm that your code is running.
  6. Restore the modified Cryptographic Provider registry to its original value to ensure the system operates normally.

4. Introducing The IAmAntimalware Tool

To carry out the above steps, I have created a tool called IAmAntimalware. This tool will clone a service by name, modify the Cryptographic Provider, import the certificate, and start the cloned service.

You can download this tool at the link:

https://github.com/TwoSevenOneT/IAmAntimalware

I will experiment with the IAmAntimalware tool alongside Bitdefender Antivirus.

First, I will use the CertClone tool to sign my DLL.

CertClone run output

You can download CertClone tool at the link:

https://github.com/TwoSevenOneT/CertClone

Next, I will copy the file "sysmon_Clone.cer" and the signed PE file "SampleDll.dll" to the target machine.

"SampleDll.dll" is a simple test file that calls OutputDebugString and writes a file named "mark.txt" in the installation folder of the Antivirus.

I will execute IAmAntimalware with the following parameters:

IAmAntimalware.exe BDProtSrv BDProtSrv02 sysmon_Clone.cer C:\TMP\SampleDll.dll

BDProtSrv and BDProtSrv02 are the names of the original service and the clone to be created. sysmon_Clone.cer is the file exported from the CertClone tool. Finally, the path to the DLL file that needs to be injected must be specified, with an absolute path requirement.

Besides the Cryptographic Provider, the IAmAntimalware tool also supports hijacking via COM objects. You can try experimenting with this in practice.

IAmAntimalware running console

IAmAntimalware running successfully

After successfully running, I was able to inject SampleDll.dll into the Antivirus process. Evidence of this is that I was able to successfully write a file in its installation folder.

I also successfully tested with Trend Micro Antivirus and Avast. For Avast, the most stable method is to trigger the GUI process, so you need to modify IAmAntimalware to be compatible with this antivirus.

III. ENDING

Antivirus programs always have a self-protection feature for their service processes. Simply put, these processes are unkillable.

If it is possible to execute code within these processes, malware could bypass antivirus programs and carry out dangerous activities without being stopped. This creates a condition that is too good to be true for malware developers.

IAmAntimalware takes advantage of cloning a protected service, along with a digitally signed certificate that is force-trusted, to inject code into the processes of the Antivirus.

To prevent this technique, it's essential to monitor module loading for unusual paths, check for added trusted certificates in the Windows registry, and combine this with the use of the Protected Processes Light (PPL) feature.

IV. READING

Here are some books you should read to beef up your knowledge about cybersecurity:

Hacking: The Art of Exploitation, 2nd Edition

Spies, Lies, and Cybercrime: Cybersecurity Tactics to Outsmart Hackers and Disarm Scammers

Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks


Author of the article: Two Seven One Three

Comments

Post a Comment