- Feb 25, 2017
- 2,504
Terminator Malware | The PC Security Channel
- Thread starter Kongo
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Feb 7, 2023
- 1,737
Yeah, when the Zemana Anti-Malware driver (zam64.sys and zamguard64.sys essentially the same) were composed, proper checks were not implemented in the driver to verify the processes that are about to be terminated. The function is rather simple and since the driver is not obfuscated, it probably hasn’t been too difficult to reverse-engineer.
The driver contains one function related to the EDR termination, namely this:
All calls that start with Zw can only come from trusted and signed kernel drivers, programmes operating solely in user mode should perform Nt calls instead and this will be subject to additional validation. Using Zw routines allows to tamper with code running in kernel mode (such as anti-malware products).
According to Voidsec, the driver can also be used in privilege escalation as well as full disk encryption.
voidsec.com
The driver contains one function related to the EDR termination, namely this:
And this function takes one parameter - the process ID. This function gets a process handle and passes it to a Windows native API, namely
(Part of ntddk.h) With the handle as a parameter. The native Windows API terminates the process.
All calls that start with Zw can only come from trusted and signed kernel drivers, programmes operating solely in user mode should perform Nt calls instead and this will be subject to additional validation. Using Zw routines allows to tamper with code running in kernel mode (such as anti-malware products).
Using Nt and Zw Versions of the Native System Services Routines - Windows drivers
Using Nt and Zw Versions of the Native System Services Routines
learn.microsoft.com
According to Voidsec, the driver can also be used in privilege escalation as well as full disk encryption.
Reverse Engineering Terminator aka Zemana AntiMalware/AntiLogger Driver - VoidSec
Reverse engineering Spybot's Terminator tool (Zemana Antimalware driver) to achieve LPE as SYSTEM and unrestricted raw SCSI disk read/write.
voidsec.com
Last edited:
- Feb 7, 2023
- 1,737
Yeah, it is old Zemana real-time protection driver (registers as such) and this process killing functionality has been implemented in order to be able to terminate malware. Problem is, according to Voidsec (I’ve not seen the whole driver source but only what they show) only checks if a process is critical Windows process and nothing else.
Additional checks could have been implemented to avoid terminating processes belonging to anti-malware applications, but Zemana did not implement these.
Later on (because the driver is already in kernel mode) it can call ZwTerminateProcess and that by default automatically searches other processes in kernel mode (without the driver it will be impossible).
So yeah, that’s long story short.
piquiteco
Level 14
- Oct 16, 2022
- 626
I understood your explanation well. It's as if the spell turned against the sorcerer? My goodness, they do everything to fool the security products. I saw a malware that adds the C:\ in exclusions in MS Defender and MD had no reaction, I was scared, I was paranoid at the time, every day I checked MD if there was nothing exclusion lol
- Feb 7, 2023
- 1,737
This is a very old thing with Defender and MIcrosoft is not taking care of it because it requires elevated privileges. The answer would be "We don't expect malware to gain elevated privileges".I saw a malware that adds the C:\ in exclusions in MS Defender and MD had no reaction, I was scared, I was paranoid at the time, every day I checked MD if there was nothing exclusion lol
The following command on elevated PowerShell adds exclusions:
Add-MpPreference -ExclusionPath “<Folder Path>”
Add-MpPreference -ExclusionExtension “<File Extension>”
Microsoft Defender for Business automatically ignores these exclusions but the home version doesn't.
piquiteco
Level 14
- Oct 16, 2022
- 626
and rest
piquiteco
Level 14
- Oct 16, 2022
- 626
And the tamper protection serves no purpose? I saw it recently, that's why I'm commenting, if I remember the place I'll share it with you. Now I went for real
- Mar 16, 2019
- 3,635
No, Tamper Protection sadly doesn't stop this exclusion thing. There is a policy that can prevent adding exclusion from the windows security UI but not via any other method for example, like the PowerShell method that @Trident showed above.And the tamper protection serves no purpose? I saw it recently, that's why I'm commenting, if I remember the place I'll share it with you. Now I went for real
piquiteco
Level 14
- Oct 16, 2022
- 626
Got it, maybe blocking PowerShell and everything you have the right to by H_C as shown in this setup of a screenshot below in the spoiler and using SUA account might help. Unless you exploit some vulnerability or some bypass that does not use any locked script interpreter, in which case there is nothing to do, the truth is, they will always find a way around the security suites.
- Mar 29, 2018
- 7,114
Malware News - Trojanized Super Mario game used to install Windows malware
This one checks all the boxes for causing havoc.
This one checks all the boxes for causing havoc.
Similar threads
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}