Advice Request Kaspersky avpui.exe (Suspend) bug?

Please provide comments and solutions that are helpful to the author of this topic.
Status
Not open for further replies.
W

Wave

The video you uploaded is not sufficient enough to actually know what is really the cause, however I am going to assume that Process Hacker used it's kernel-mode driver (kprocesshacker.sys) to obtain a handle to the Kaspersky process (via ObOpenObjectByPointer - bypasses the access checks, sadly) and then utilised this for the process suspension. This appears to be the most logical explanation, and in this case it would not be a bug.

Process Hacker would have either enumerated all the threads within the target process and called SuspendThread for each handle of the enumerated threads, or it would have just utilised ZwSuspendProcess (I am not sure but either one), using the acquired handle to the process.

In the case of Process Hacker using it's kernel-mode driver, it would not be a bug, since there is nothing Kaspersky themselves can do to protect their processes from kernel-mode attacks like they can with user-mode attacks - especially on x64 systems due to the additional limitations being brought in by Microsoft - and once an attacker gains kernel-mode code execution, it's game over for the most cases.

However, as I said previously, the video is not sufficient enough to know what is really the cause... Therefore, it could just be a bug of the process protection not working correctly (e.g. not registering due to a problem).

Please follow the steps I've laid out below:
1. Check if the Process Hacker service has been created (and is running) when you perform the suspend attack - let me know if it is.
2. Open up Task Manager and attempt to terminate the same process you demonstrated the suspend attack for within this video - does it cause Access Denied (0xC0000022) or does it successfully terminate?
3. If step 1 is a no and step 2 is a success then please reboot the system and see if the results are the same.

Let me know, and thank you for your time.
 
Last edited by a moderator:
  • Like
Reactions: aliali, tim one, XhenEd and 2 others
vivid

vivid

Level 5
Verified
Dec 8, 2014
206
Seems like a bug if they provide protection from other processes.
I doubt that such a protection would be "in the process" as @Wave described it. That would be very silly. This is usually done by a process responsible with intrusion detection feature (which usually makes use of kernel mode) .. although I'm not really that familiar with Kaspersky.
 
  • Like
Reactions: aliali, XhenEd and DardiM
DardiM

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Wave said:
The video you uploaded is not sufficient enough to actually know what is really the cause, however I am going to assume that Process Hacker used it's kernel-mode driver (kprocesshacker.sys) to obtain a handle to the Kaspersky process (via ObOpenObjectByPointer - bypasses the access checks, sadly) and then utilised this for the process suspension. This appears to be the most logical explanation, and in this case it would not be a bug.

Process Hacker would have either enumerated all the threads within the target process and called SuspendThread for each handle of the enumerated threads, or it would have just utilised ZwSuspendProcess (I am not sure but either one), using the acquired handle to the process.

In the case of Process Hacker using it's kernel-mode driver, it would not be a bug, since there is nothing Kaspersky themselves can do to protect their processes from kernel-mode attacks like they can with user-mode attacks - especially on x64 systems due to the additional limitations being brought in by Microsoft - and once an attacker gains kernel-mode code execution, it's game over for the most cases.

However, as I said previously, the video is not sufficient enough to know what is really the cause... Therefore, it could just be a bug of the process protection not working correctly (e.g. not registering due to a problem).

Please follow the steps I've laid out below:
1. Check if the Process Hacker service has been created (and is running) when you perform the suspend attack - let me know if it is.
2. Open up Task Manager and attempt to terminate the same process you demonstrated the suspend attack for within this video - does it cause Access Denied (0xC0000022) or does it successfully terminate?
3. If step 1 is a no and step 2 is a success then please reboot the system and see if the results are the same.

Let me know, and thank you for your time.
Click to expand...
Wave, you must finally accept to work for them, I think Wave@kaspersky.com would be a nice new e-mail !
 
  • Like
Reactions: shmu26, aliali, tim one and 4 others
W

Wave

vivid said:
Seems like a bug if they provide protection from other processes.
I doubt that such a protection would be "in the process" as @Wave described it. That would be very silly. This is usually done by a process responsible with intrusion detection feature (which usually makes use of kernel mode) .. although I'm not really that familiar with Kaspersky.
Click to expand...
I do not know what you are referring too when you mention about "in the process" protection, please elaborate. I went back and re-read my first response, however I really do not know what you mean.

During the video we didn't see him attempt to suspend the other processes; we only saw him trying to suspend the avpui.exe process and if I recall correctly back to when I was doing some work towards their bug bounty programme, it was a protected process (protected by a kernel-mode callback, ObRegisterCallbacks, registered by one of their kernel-mode drivers which is started as a service at boot).

The GUI processes are usually important to leave protected because it would be silly not to do so; the last thing you want is for Kaspersky to attempt to show an alert to ask you for your decision, but to then find out that there is malicious code being executed within the GUI process to prevent the alert from being shown, or even simulate the replies... Since Process Hacker was able to suspend the avpui.exe process, this tells us that a handle was acquired (you cannot suspend the process without first obtaining a handle to the process), therefore this handle can be used for many other things such as DLL injection and termination as well - Kaspersky are not stupid enough to leave any processes vulnerable, they will want all of them as protected as can be against attacks.

This takes me back to my original response, @aliali please see the following:
Wave said:
Please follow the steps I've laid out below:
1. Check if the Process Hacker service has been created (and is running) when you perform the suspend attack - let me know if it is.
2. Open up Task Manager and attempt to terminate the same process you demonstrated the suspend attack for within this video - does it cause Access Denied (0xC0000022) or does it successfully terminate?
3. If step 1 is a no and step 2 is a success then please reboot the system and see if the results are the same.
Click to expand...

If Task Manager fails to terminate the process (due to the handle not being able to be acquired) but Process Hacker succeeds (whilst it's service is active) then it confirms it is not a bug.

If Task Manager does fail to terminate the process, then read the following part:
Wave said:
there is nothing Kaspersky themselves can do to protect their processes from kernel-mode attacks like they can with user-mode attacks
Click to expand...


Thanks.
 
Last edited by a moderator:
  • Like
Reactions: aliali, harlan4096, tim one and 3 others
vivid

vivid

Level 5
Verified
Dec 8, 2014
206
You answered to what I meant in your 2nd paragraph. UI process alone does not usually have that kind of protection.
I'm also unsure if PH driver would be loaded before Kaspersky's one (as then it would be invalid bug and I would agree). This could be improved even so (note: if they claim such protection).

Unless you are referring to protection by process that makes use of kernel mode, I wouldn't worry about UI protection if everything else is rigorously tested and appropriate integrity levels are used and so on. Do note that protection against injection, sending message, etc is also done with process that makes use of kernel mode but like I said I'm not very familiar with Kaspersky. Truth is that most vendors do not even do a mouse clicking test.
 
  • Like
Reactions: aliali and XhenEd
aliali

aliali

Level 2
Thread author
Verified
Sep 7, 2016
77
Wave said:
The video you uploaded is not sufficient enough to actually know what is really the cause, however I am going to assume that Process Hacker used it's kernel-mode driver (kprocesshacker.sys) to obtain a handle to the Kaspersky process (via ObOpenObjectByPointer - bypasses the access checks, sadly) and then utilised this for the process suspension. This appears to be the most logical explanation, and in this case it would not be a bug.

Process Hacker would have either enumerated all the threads within the target process and called SuspendThread for each handle of the enumerated threads, or it would have just utilised ZwSuspendProcess (I am not sure but either one), using the acquired handle to the process.

In the case of Process Hacker using it's kernel-mode driver, it would not be a bug, since there is nothing Kaspersky themselves can do to protect their processes from kernel-mode attacks like they can with user-mode attacks - especially on x64 systems due to the additional limitations being brought in by Microsoft - and once an attacker gains kernel-mode code execution, it's game over for the most cases.

However, as I said previously, the video is not sufficient enough to know what is really the cause... Therefore, it could just be a bug of the process protection not working correctly (e.g. not registering due to a problem).

Please follow the steps I've laid out below:
1. Check if the Process Hacker service has been created (and is running) when you perform the suspend attack - let me know if it is.
2. Open up Task Manager and attempt to terminate the same process you demonstrated the suspend attack for within this video - does it cause Access Denied (0xC0000022) or does it successfully terminate?
3. If step 1 is a no and step 2 is a success then please reboot the system and see if the results are the same.

Let me know, and thank you for your time.
Click to expand...

hi
thanks
video:
7.45 min:confused:
 
  • Like
Reactions: Wave, vivid and DardiM
vivid

vivid

Level 5
Verified
Dec 8, 2014
206
Just noticed.. what's with the sound in the videos? Something seems to be introducing latency to your OS. Is that caused by Kaspersky? o_O
 
  • Like
Reactions: aliali
W

Wave

aliali said:
hi
thanks
video:
7.45 min:confused:
Click to expand...
Your almost 8 minutes long video which you uploaded is useless.

I've already given you the answers in my previous response and I even installed Kaspersky Anti-Virus on my host machine just to double check that I was correct. Open up Task Manager, go to the Details tab and attempt to terminate avpui.exe... If the result given is Access Denied then it means that the Kaspersky self-protection is indeed working correctly - then attempt to suspend avpui.exe in Process Hacker without giving it administrative rights, and you should get the same result.

If you grant Process Hacker administrative rights then it is able to load it's device driver (kprocesshacker.sys - present in the binaries folder which was seen in your first video, the x64 folder) which supports using a kernel-mode only function known as ObOpenObjectByPointer to bypass the access checks which occur when you attempt to open a handle to a process via NtOpenProcess, meaning the handle will be acquired from within kernel-mode regardless of the kernel-mode callback being used to protect the Kaspersky processes. From there on, this handle can be utilised for process termination, suspension, injection, etc.

The only thing Kaspersky can do to protect against such attacks would be kernel-mode patching techniques, however this cannot be ethically done on x64 versions of Windows since Windows Vista due to PatchGuard/Kernel Patch Protection. On x64 systems you cannot perform SSDT hooking (for example) since the table is not exported and due to BugCheck; if it could be done without a bypass of the Windows protection mechanisms then of course Kaspersky could hook these functions and have a much better secure self-protection. I've written a thread about PatchGuard/Kernel Patch Protection before (last section of the thread), you can find it here: Windows built-in protection mechanisms

I am going to assume that you already knew that Process Hacker (when running as administrator) was capable of suspending the Kaspersky processes. Try it with the others and it should work too... In fact, it should work for other AV products as well. If Process Hacker is capable of loading that device driver and connecting to it then it can do whatever it wants since it can have the actions performed from kernel-mode, bypassing the security protection being put in place - if all you want is a Like then do not hesitate to ask, I'll give you a Like for all your posts in this thread, better?

I don't understand what you expect to be done about this, clearly you are just trying to embarrass them, and I am not sure why. Maybe you think it is cool? Nothing can be done about these kernel-mode attacks by the vendors, and they already know about them. Once code execution is granted in kernel-mode then it's pretty much game over because then an attacker can circumvent and do whatever they want, it's as close to the OS kernel as you can get.

Feel free to speak to Kaspersky, I can already guess they will tell you something along the lines of: you need SeLoadDriverPrivilege to load a device driver (granted if you are running as admin) and that they cannot protect against these kernel-mode attacks, just like every other vendor cannot, especially for x64.

If you don't want to believe what I have said then don't, but a fact is a fact.

Thanks for understanding.
 
  • Like
Reactions: Evjl's Rain, aliali, DardiM and 1 other person
harlan4096

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
9,085
This is very interesting because from some time ago (I don't know from when exactly) Kaspersky is flagging "Proccess Hacker" as:
not-a-virus:HEUR:RiskTool.Win32.ProcHack.gen
Click to expand...
and I had to create an exclusion...
 
  • Like
Reactions: aliali
vivid

vivid

Level 5
Verified
Dec 8, 2014
206
Wave said:
I am going to assume that you already knew that Process Hacker (when running as administrator) was capable of suspending the Kaspersky processes. Try it with the others and it should work too... In fact, it should work for other AV products as well. If Process Hacker is capable of loading that device driver and connecting to it then it can do whatever it wants since it can have the actions performed from kernel-mode, bypassing the security protection being put in place - if all you want is a Like then do not hesitate to ask, I'll give you a Like for all your posts in this thread, better?
Click to expand...

CIS seems to protect against it quite well with HIPS enabled even after PH driver was loaded. Default settings.
 
  • Like
Reactions: aliali
W

Wave

vivid said:
CIS seems to protect against it quite well with HIPS enabled even after PH driver was loaded. Default settings.
Click to expand...
The question is, did Process Hacker really try to use it's driver or not? Also, the driver being loaded with the service and the driver actually being utilised are two very different things. As for the Comodo HIPS, did it block the PH driver from being loaded (or block PH user-mode process from talking to the driver)?

If you are on an x64 system and the driver is utilised for the attack, then Comodo Internet Security cannot do anything. Period.

I really hope that I don't have to re-explain myself... No, actually, I refuse to re-explain myself. I am going to Unwatch this thread and you can all continue to discuss or ignore me however you want, but I've told you how it is so I don't need to stay on this thread any longer.

Thanks for understanding.
 
  • Like
Reactions: Evjl's Rain, DardiM, aragornnnn and 1 other person
Exterminator

Exterminator

Level 85
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Thread closed.
If you cannot have a civil conversation an accept another members reply then do not post one.
This is a two way street as pushing someones buttons is just the same.
 
Status
Not open for further replies.

Similar threads

lokamoka820
    • Like
    • Hundred Points
    • +Reputation
New Update XnView MP Upatedes Thread
Replies
7
Views
958
Office, email and business apps
lokamoka820
lokamoka820
gfgtkitkat34
Advice Request How to get 100% cyber protection with two computers. Need recommendations.
Replies
7
Views
983
Kaspersky
HarborFront
H
Brownie2019
    • Like
Security News Google Paid Out $12 Million via Bug Bounty Programs in 2024
Replies
1
Views
699
Security News
Victor M
Victor M

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top