Advice Request Kaspersky avpui.exe (Suspend) bug?


Status
Not open for further replies.

Wave

The video you uploaded is not sufficient enough to actually know what is really the cause, however I am going to assume that Process Hacker used its kernel-mode driver (kprocesshacker.sys) to obtain a handle to the Kaspersky process (via ObOpenObjectByPointer - bypasses the access checks, sadly) and then utilised this for the process suspension. This appears to be the most logical explanation, and in this case it would not be a bug.

Process Hacker would have either enumerated all the threads within the target process and called SuspendThread for each handle of the enumerated threads, or it would have just utilised ZwSuspendProcess (I am not sure but either one), using the acquired handle to the process.

In the case of Process Hacker using its kernel-mode driver, it would not be a bug, since there is nothing Kaspersky themselves can do to protect their processes from kernel-mode attacks like they can with user-mode attacks - especially on x64 systems due to the additional limitations being brought in by Microsoft - and once an attacker gains kernel-mode code execution, it's game over for the most cases.

However, as I said previously, the video is not sufficient enough to know what is really the cause... Therefore, it could just be a bug of the process protection not working correctly (e.g. not registering due to a problem).

Please follow the steps I've laid out below:
1. Check if the Process Hacker service has been created (and is running) when you perform the suspend attack - let me know if it is.
2. Open up Task Manager and attempt to terminate the same process you demonstrated the suspend attack for within this video - does it cause Access Denied (0xC0000022) or does it successfully terminate?
3. If step 1 is a no and step 2 is a success then please reboot the system and see if the results are the same.

Let me know, and thank you for your time.
 

vivid

Level 5
Verified
Dec 8, 2014
206
Seems like a bug if they provide protection from other processes.
I doubt that such a protection would be "in the process" as @Wave described it. That would be very silly. This is usually done by a process responsible for the intrusion detection feature (which usually makes use of kernel mode)... although I'm not really that familiar with Kaspersky.
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
The video you uploaded is not sufficient enough to actually know what is really the cause, however I am going to assume that Process Hacker used its kernel-mode driver (kprocesshacker.sys) to obtain a handle to the Kaspersky process (via ObOpenObjectByPointer - bypasses the access checks, sadly) and then utilised this for the process suspension. This appears to be the most logical explanation, and in this case it would not be a bug.

Process Hacker would have either enumerated all the threads within the target process and called SuspendThread for each handle of the enumerated threads, or it would have just utilised ZwSuspendProcess (I am not sure but either one), using the acquired handle to the process.

In the case of Process Hacker using its kernel-mode driver, it would not be a bug, since there is nothing Kaspersky themselves can do to protect their processes from kernel-mode attacks like they can with user-mode attacks - especially on x64 systems due to the additional limitations being brought in by Microsoft - and once an attacker gains kernel-mode code execution, it's game over for the most cases.

However, as I said previously, the video is not sufficient enough to know what is really the cause... Therefore, it could just be a bug of the process protection not working correctly (e.g. not registering due to a problem).

Please follow the steps I've laid out below:
1. Check if the Process Hacker service has been created (and is running) when you perform the suspend attack - let me know if it is.
2. Open up Task Manager and attempt to terminate the same process you demonstrated the suspend attack for within this video - does it cause Access Denied (0xC0000022) or does it successfully terminate?
3. If step 1 is a no and step 2 is a success then please reboot the system and see if the results are the same.

Let me know, and thank you for your time.
Wave, you must finally accept to work for them, I think Wave@kaspersky.com would be a nice new e-mail!
 

Wave

Seems like a bug if they provide protection from other processes.
I doubt that such a protection would be "in the process" as @Wave described it. That would be very silly. This is usually done by a process responsible for the intrusion detection feature (which usually makes use of kernel mode)... although I'm not really that familiar with Kaspersky.
I do not know what you are referring to when you mention "in the process" protection, please elaborate. I went back and re-read my first response, however I really do not know what you mean.

During the video we didn't see him attempt to suspend the other processes; we only saw him trying to suspend the avpui.exe process and if I recall correctly back to when I was doing some work towards their bug bounty programme, it was a protected process (protected by a kernel-mode callback, ObRegisterCallbacks, registered by one of their kernel-mode drivers which is started as a service at boot).

The GUI processes are usually important to leave protected because it would be silly not to do so; the last thing you want is for Kaspersky to attempt to show an alert to ask you for your decision, but to then find out that there is malicious code being executed within the GUI process to prevent the alert from being shown, or even simulate the replies... Since Process Hacker was able to suspend the avpui.exe process, this tells us that a handle was acquired (you cannot suspend the process without first obtaining a handle to the process), therefore this handle can be used for many other things such as DLL injection and termination as well - Kaspersky are not stupid enough to leave any processes vulnerable, they will want all of them as protected as can be against attacks.

This takes me back to my original response, @aliali please see the following:
Please follow the steps I've laid out below:
1. Check if the Process Hacker service has been created (and is running) when you perform the suspend attack - let me know if it is.
2. Open up Task Manager and attempt to terminate the same process you demonstrated the suspend attack for within this video - does it cause Access Denied (0xC0000022) or does it successfully terminate?
3. If step 1 is a no and step 2 is a success then please reboot the system and see if the results are the same.

If Task Manager fails to terminate the process (due to the handle not being able to be acquired) but Process Hacker succeeds (whilst its service is active) then it confirms it is not a bug.

If Task Manager does fail to terminate the process, then read the following part:
there is nothing Kaspersky themselves can do to protect their processes from kernel-mode attacks like they can with user-mode attacks


Thanks.
 
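The two checks Wave lays out in his first post and repeats above (is the Process Hacker driver service registered and running; does a plain user-mode open of avpui.exe for terminate/suspend rights get denied) can be scripted so the result is not a matter of reading a video. The script below is an added example for this thread; it is not code from Wave, Kaspersky or the Process Hacker project. It assumes the protected process is named avpui and that the driver's image path contains "kprocesshacker", both taken from the thread; the access-mask constants, Win32 error 5 and the OBJECT_BASIC_INFORMATION layout are standard Windows definitions. It never calls TerminateProcess or suspends anything: it only requests the rights and reports what the kernel actually granted, because an ObRegisterCallbacks pre-operation callback can strip bits from a handle that is still returned, which is exactly why Task Manager's terminate fails with Access Denied. Run it once from a normal console and once elevated; with the self-protection working, neither run should come back with the terminate or suspend bits.

```powershell
# Added example (not from the thread, Kaspersky or Process Hacker).
# Assumptions: protected process 'avpui', driver image path matching '*kprocesshacker*'.
param(
    [string]$ProcessName   = 'avpui',              # assumption: the protected process under test
    [string]$DriverPattern = '*kprocesshacker*'    # assumption: Process Hacker driver file name
)

# Step 1: is a kernel driver whose image path matches the pattern registered, and is it running?
function Get-DriverState {
    param([string]$Pattern)
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like $Pattern } |
        Select-Object Name, State, Started, PathName
}

# P/Invoke: OpenProcess (kernel32) to request rights, NtQueryObject (ntdll) to read
# the access mask that was actually granted on the returned handle.
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);

[DllImport("ntdll.dll")]
public static extern int NtQueryObject(IntPtr Handle, int ObjectInformationClass,
    IntPtr ObjectInformation, int ObjectInformationLength, out int ReturnLength);
'@

$PROCESS_TERMINATE      = 0x0001
$PROCESS_SUSPEND_RESUME = 0x0800
$ERROR_ACCESS_DENIED    = 5       # Win32 mapping of STATUS_ACCESS_DENIED (0xC0000022)

# Step 2: ask for the rights a terminate/suspend would need and report what came back.
function Test-ProcessProtection {
    param([string]$Name)
    $wanted = $PROCESS_TERMINATE -bor $PROCESS_SUSPEND_RESUME
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $h = [Probe.Native]::OpenProcess([uint32]$wanted, $false, [uint32]$p.Id)
        if ($h -eq [IntPtr]::Zero) {
            # Open refused outright: protection (or ordinary ACLs) blocked the handle.
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            $verdict = if ($err -eq $ERROR_ACCESS_DENIED) { 'open denied (protection active)' }
                       else { "open failed, Win32 error $err" }
            [pscustomobject]@{ Pid = $p.Id; Granted = $null; Verdict = $verdict }
            continue
        }
        try {
            # OBJECT_BASIC_INFORMATION is 56 bytes; GrantedAccess is the ULONG at offset 4.
            $buf = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(56)
            try {
                $len = 0
                $status = [Probe.Native]::NtQueryObject($h, 0, $buf, 56, [ref]$len)
                $granted = if ($status -eq 0) { [System.Runtime.InteropServices.Marshal]::ReadInt32($buf, 4) } else { -1 }
            } finally {
                [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
            }
            $stripped = ($granted -ne -1) -and (($granted -band $wanted) -eq 0)
            $verdict = if ($stripped)        { 'handle opened but terminate/suspend rights stripped (protection active)' }
                       elseif ($granted -eq -1) { 'could not read granted access' }
                       else                  { 'terminate/suspend rights granted from user mode (self-protection not in effect)' }
            [pscustomobject]@{ Pid = $p.Id; Granted = ('0x{0:X8}' -f $granted); Verdict = $verdict }
        } finally {
            [void][Probe.Native]::CloseHandle($h)
        }
    }
}

Write-Host '--- Step 1: Process Hacker driver registration ---'
$drv = Get-DriverState -Pattern $DriverPattern
if ($drv) { $drv | Format-Table -AutoSize } else { Write-Host 'no matching driver service registered' }

Write-Host "--- Step 2: handle probe against $ProcessName ---"
Test-ProcessProtection -Name $ProcessName | Format-Table -AutoSize
```

If step 1 shows the driver service as Running and step 2 reports the rights stripped or the open denied, the user-mode self-protection is doing its job and a suspension that still succeeds is coming through the driver, which is the "not a bug" case Wave describes; if step 2 hands back the terminate and suspend bits to an unelevated console, the protection callback is not in effect for that process and the report to the vendor is justified.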

vivid

Level 5
Verified
Dec 8, 2014
206
You answered to what I meant in your 2nd paragraph. UI process alone does not usually have that kind of protection.
I'm also unsure if PH driver would be loaded before Kaspersky's one (as then it would be invalid bug and I would agree). This could be improved even so (note: if they claim such protection).

Unless you are referring to protection by process that makes use of kernel mode, I wouldn't worry about UI protection if everything else is rigorously tested and appropriate integrity levels are used and so on. Do note that protection against injection, sending message, etc is also done with process that makes use of kernel mode but like I said I'm not very familiar with Kaspersky. Truth is that most vendors do not even do a mouse clicking test.
 

aliali

Level 2
Thread author
Verified
Sep 7, 2016
76
The video you uploaded is not sufficient enough to actually know what is really the cause, however I am going to assume that Process Hacker used its kernel-mode driver (kprocesshacker.sys) to obtain a handle to the Kaspersky process (via ObOpenObjectByPointer - bypasses the access checks, sadly) and then utilised this for the process suspension. This appears to be the most logical explanation, and in this case it would not be a bug.

Process Hacker would have either enumerated all the threads within the target process and called SuspendThread for each handle of the enumerated threads, or it would have just utilised ZwSuspendProcess (I am not sure but either one), using the acquired handle to the process.

In the case of Process Hacker using its kernel-mode driver, it would not be a bug, since there is nothing Kaspersky themselves can do to protect their processes from kernel-mode attacks like they can with user-mode attacks - especially on x64 systems due to the additional limitations being brought in by Microsoft - and once an attacker gains kernel-mode code execution, it's game over for the most cases.

However, as I said previously, the video is not sufficient enough to know what is really the cause... Therefore, it could just be a bug of the process protection not working correctly (e.g. not registering due to a problem).

Please follow the steps I've laid out below:
1. Check if the Process Hacker service has been created (and is running) when you perform the suspend attack - let me know if it is.
2. Open up Task Manager and attempt to terminate the same process you demonstrated the suspend attack for within this video - does it cause Access Denied (0xC0000022) or does it successfully terminate?
3. If step 1 is a no and step 2 is a success then please reboot the system and see if the results are the same.

Let me know, and thank you for your time.

hi
thanks
video:
7.45 min
 

vivid

Level 5
Verified
Dec 8, 2014
206
Just noticed.. what's with the sound in the videos? Something seems to be introducing latency to your OS. Is that caused by Kaspersky? o_O
 

Wave

hi
thanks
video:
7.45 min
Your almost 8-minute-long video which you uploaded is useless.

I've already given you the answers in my previous response and I even installed Kaspersky Anti-Virus on my host machine just to double check that I was correct. Open up Task Manager, go to the Details tab and attempt to terminate avpui.exe... If the result given is Access Denied then it means that the Kaspersky self-protection is indeed working correctly - then attempt to suspend avpui.exe in Process Hacker without giving it administrative rights, and you should get the same result.

If you grant Process Hacker administrative rights then it is able to load its device driver (kprocesshacker.sys - present in the binaries folder which was seen in your first video, the x64 folder) which supports using a kernel-mode only function known as ObOpenObjectByPointer to bypass the access checks which occur when you attempt to open a handle to a process via NtOpenProcess, meaning the handle will be acquired from within kernel-mode regardless of the kernel-mode callback being used to protect the Kaspersky processes. From there on, this handle can be utilised for process termination, suspension, injection, etc.

The only thing Kaspersky can do to protect against such attacks would be kernel-mode patching techniques, however this cannot be ethically done on x64 versions of Windows since Windows Vista due to PatchGuard/Kernel Patch Protection. On x64 systems you cannot perform SSDT hooking (for example) since the table is not exported and due to BugCheck; if it could be done without a bypass of the Windows protection mechanisms then of course Kaspersky could hook these functions and have a much better secure self-protection. I've written a thread about PatchGuard/Kernel Patch Protection before (last section of the thread), you can find it here: Windows built-in protection mechanisms

I am going to assume that you already knew that Process Hacker (when running as administrator) was capable of suspending the Kaspersky processes. Try it with the others and it should work too... In fact, it should work for other AV products as well. If Process Hacker is capable of loading that device driver and connecting to it then it can do whatever it wants since it can have the actions performed from kernel-mode, bypassing the security protection being put in place - if all you want is a Like then do not hesitate to ask, I'll give you a Like for all your posts in this thread, better?

I don't understand what you expect to be done about this, clearly you are just trying to embarrass them, and I am not sure why. Maybe you think it is cool? Nothing can be done about these kernel-mode attacks by the vendors, and they already know about them. Once code execution is granted in kernel-mode then it's pretty much game over because then an attacker can circumvent and do whatever they want, it's as close to the OS kernel as you can get.

Feel free to speak to Kaspersky, I can already guess they will tell you something along the lines of: you need SeLoadDriverPrivilege to load a device driver (granted if you are running as admin) and that they cannot protect against these kernel-mode attacks, just like every other vendor cannot, especially for x64.

If you don't want to believe what I have said then don't, but a fact is a fact.

Thanks for understanding.
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,664
This is very interesting because from some time ago (I don't know from when exactly) Kaspersky is flagging "Process Hacker" as:
not-a-virus:HEUR:RiskTool.Win32.ProcHack.gen
and I had to create an exclusion...
 

vivid

Level 5
Verified
Dec 8, 2014
206
I am going to assume that you already knew that Process Hacker (when running as administrator) was capable of suspending the Kaspersky processes. Try it with the others and it should work too... In fact, it should work for other AV products as well. If Process Hacker is capable of loading that device driver and connecting to it then it can do whatever it wants since it can have the actions performed from kernel-mode, bypassing the security protection being put in place - if all you want is a Like then do not hesitate to ask, I'll give you a Like for all your posts in this thread, better?

CIS seems to protect against it quite well with HIPS enabled even after PH driver was loaded. Default settings.
 

Wave

CIS seems to protect against it quite well with HIPS enabled even after PH driver was loaded. Default settings.
The question is, did Process Hacker really try to use its driver or not? Also, the driver being loaded with the service and the driver actually being utilised are two very different things. As for the Comodo HIPS, did it block the PH driver from being loaded (or block the PH user-mode process from talking to the driver)?

If you are on an x64 system and the driver is utilised for the attack, then Comodo Internet Security cannot do anything. Period.

I really hope that I don't have to re-explain myself... No, actually, I refuse to re-explain myself. I am going to Unwatch this thread and you can all continue to discuss or ignore me however you want, but I've told you how it is so I don't need to stay on this thread any longer.

Thanks for understanding.
 

Exterminator

Community Manager
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Thread closed.
If you cannot have a civil conversation and accept another member's reply then do not post one.
This is a two-way street, as pushing someone's buttons is just the same.
 