Hi, I am new to reverse engineering,
but I am trying to learn from internet sources.
One famous AV technique for monitoring malware activity is to inject a DLL into the target process,
then hook the Nt functions and check the function arguments to see whether they perform malicious activities.
My problem:
As a C++ developer, I am trying to edit the registry and use a Windows 10 exploit to escalate privileges, using C++.
The target key:
HKEY_CURRENT_USER\SOFTWARE\Classes\ms-settings\shell\open\command
When I make the change using NtSetValueKey,
Kaspersky terminates my process after the value has been set.
So the vulnerability is exploited successfully, but the process is terminated by Kaspersky Antivirus.
When I disassemble the function, if there were a hook from the AV it should contain a
jmp 0x000 or something like that.
But the problem is that there is no hook on NtSetValueKey, and the function in the disassembler is the same as in IDA.
By the way, I tried direct syscalls using ASM and C++, and Kaspersky caught me again and again,
even though there are no Nt functions to hook.
My question:
Is this problem because of kernel-mode hooking or something like that?
My operating system is Windows 10 64-bit, so there is PatchGuard protection.
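A small check for the user-mode hook described above, as an added example that is not code from the original post: it compares the first bytes of an ntdll export against the canonical Windows 10 x64 syscall stub prologue (`mov r10, rcx; mov eax, ssn`) and flags the relative or indirect `jmp` that an injected hooking DLL would plant there. The sample byte arrays are constructed, the service number 0x60 in them is a placeholder rather than NtSetValueKey's real number, and the `check_export` helper is an assumption that only compiles on Windows, where it reads the live prologue through GetModuleHandleA/GetProcAddress.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Expected prologue of an x64 ntdll Nt or Zw syscall stub on Windows 10:
 *   4C 8B D1          mov r10, rcx
 *   B8 nn nn nn nn    mov eax, <system service number>
 *   ...               (test/jne, syscall, ret)
 * A user-mode inline hook placed by an injected DLL usually overwrites
 * the first bytes with a jump into the hooking DLL:
 *   E9 rel32          jmp rel32
 *   FF 25 rel32       jmp qword ptr [rip+rel32]
 */
typedef enum {
    STUB_CLEAN,          /* canonical mov r10,rcx / mov eax,ssn prologue */
    STUB_JMP_REL32,      /* starts with a 5-byte relative jmp            */
    STUB_JMP_INDIRECT,   /* starts with jmp [rip+rel32]                  */
    STUB_UNKNOWN         /* too short or unrecognised bytes              */
} stub_state;

/* Classify the first bytes of an Nt* export. On STUB_CLEAN the service
 * number is written to *ssn when ssn is non-NULL. */
stub_state classify_stub(const uint8_t *p, size_t len, uint32_t *ssn)
{
    if (len < 8)
        return STUB_UNKNOWN;
    if (p[0] == 0x4C && p[1] == 0x8B && p[2] == 0xD1 && p[3] == 0xB8) {
        if (ssn)
            *ssn = (uint32_t)p[4] | ((uint32_t)p[5] << 8) |
                   ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24);
        return STUB_CLEAN;
    }
    if (p[0] == 0xE9)
        return STUB_JMP_REL32;
    if (p[0] == 0xFF && p[1] == 0x25)
        return STUB_JMP_INDIRECT;
    return STUB_UNKNOWN;
}

/* Resolve the destination of an E9 rel32 jump whose first byte sits at
 * insn_addr: rel32 is relative to the end of the 5-byte instruction. */
uintptr_t jmp_rel32_target(uintptr_t insn_addr, const uint8_t *p)
{
    int32_t rel;
    memcpy(&rel, p + 1, sizeof rel);
    return insn_addr + 5 + (uintptr_t)(intptr_t)rel;
}

/* Constructed sample prologues (not bytes captured from a real system).
 * The service number 0x60 is a placeholder; the real one differs per build. */
const uint8_t kCleanStub[8]    = { 0x4C, 0x8B, 0xD1, 0xB8, 0x60, 0x00, 0x00, 0x00 };
const uint8_t kHookedStub[8]   = { 0xE9, 0x10, 0x20, 0x00, 0x00, 0xCC, 0xCC, 0xCC };
const uint8_t kIndirectStub[8] = { 0xFF, 0x25, 0x00, 0x10, 0x00, 0x00, 0xCC, 0xCC };

#ifdef _WIN32
#include <windows.h>
/* Assumed helper for a live Windows process: read the export's prologue
 * from the ntdll image already mapped into this process. */
static stub_state check_export(const char *name, uint32_t *ssn)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    const uint8_t *p = ntdll ? (const uint8_t *)GetProcAddress(ntdll, name) : NULL;
    return p ? classify_stub(p, 8, ssn) : STUB_UNKNOWN;
}
#endif

int main(void)
{
    uint32_t ssn = 0;
    printf("clean    -> %d (ssn 0x%x)\n", classify_stub(kCleanStub, 8, &ssn), ssn);
    printf("hooked   -> %d (jmp to 0x%llx)\n", classify_stub(kHookedStub, 8, NULL),
           (unsigned long long)jmp_rel32_target(0x1000, kHookedStub));
    printf("indirect -> %d\n", classify_stub(kIndirectStub, 8, NULL));
#ifdef _WIN32
    printf("NtSetValueKey -> %d\n", check_export("NtSetValueKey", &ssn));
#endif
    return 0;
}
```

A clean prologue is consistent with what the disassembler shows, and it is also the limit of this check: it only detects inline hooks at the export prologue inside your own process. It says nothing about kernel-side visibility such as registry callbacks registered with CmRegisterCallbackEx, which observe the NtSetValueKey operation whether the call went through ntdll or a direct syscall.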
Hi nulled, thanks for your reply.
The process is still terminated after the registry is edited by my exe and the exploit succeeds.
The crazy thing is that I tested direct syscalls: no hooks, no WinAPI, no NtAPI,
and the process is still terminated.
What I think is that maybe it is because of kernel notification callbacks.
Recently I found a repo on GitHub which helps with evasion by generating header/ASM files that implants can use to make direct system calls. Maybe it can help.
Problem solved.
The solution is: Kaspersky AV uses a minifilter to detect malicious activities,
so the bypass is to install a kernel driver to unhook the AV patch.
Finally, thanks to everyone who tried to share their skills to help.