Using Direct sys calls and AV still detecting the malicious by exe

Hi , iam new in reverse engineering .
but iam trying to learn from internet sources
One of famous AV technique to monitor malware activities by injecting a DLL inside target process
then make hook in Nt functions and then check on function argument if it’s make malicious activities

My Problem .
While iam c++ developer iam trying to edit registery and exploit some windows 10 exploit to esclate privilage . using c++ :
the target key
HKEY_CURRENT_USER\SOFTWARE\Classes\ms-settings\shell\open\command

and when i make changes using NtSetValueKey

the KasperSky terminate my process after the value has been set .
so the vulnerability is exploited successfully , but the process is terminated by KasperSky Antivirus

And when iam trying to disassmble the Function if there some hoook from Av it should make
Jmp 0x000 or some thing like this .

but the problem there is no Hook on NtSetValueKey and function in dissasembler is the same in IDA.

By the way i try Direct sys calls using ASM and C++ . and KasperSky Catch me Again and again

Even there no NtFunctions to hook .

My Question .
Is this problem Becouse Of Kernal-Mode hooking or some thing like this

My operating system Windows 10 64bit so there a Patch Guard Protection.

thanks in advanced .

You can try to set mitigation policies to block non-microsoft DLLs from hooking.

PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY sp = {};
sp.MicrosoftSignedOnly = 1;
SetProcessMitigationPolicy(ProcessSignaturePolicy, &sp, sizeof(sp));

Edit:
I’m not sure if this will work with Kaspersky, but you can still try this and see.

1 Like

Hi nulled thanks for you’r replay .
still process terminated after the registery edited by my exe and exploit success .
the crazy thing is tha’t i test direct sys calls no hooks no winapi no ntapi
and still process terminated .
what i think is maybe becouse of callbacks of kernal notification ,

Bro can you please provide that internet source from which you are learning…?

Yes of course i read blogs from https://www.ired.team .

1 Like

Thanks for sharing bro

1 Like

Recently I found repo on Github which helps with evasion by generating header/ASM files implants can use to make direct system calls. Maybe it can help.

1 Like

Thanks for sharing and help .
problem solved i will replay the solve

Problem solved .
The solve is : KasperSky AV use mini filter to detect malicious activities .
so the bypass is to install kernal driver to unhook the AV patch.

Finaly . thanks for every one was try to share there skills to help .