Thanks to Vxk; the article below is XYZREG's.
Beating security systems (1): Kaspersky Internet Security / Kaspersky Anti-Virus 6.0 (May 15, 2006; abbreviated KIS6 / KAV6). Compared with the products that came before them, KIS6 / KAV6 are a big step forward. KIS6 includes file anti-virus, mail anti-virus, web anti-virus, proactive defense (including process behavior monitoring; monitoring of all kinds of code injection, installation of global hooks, loading of drivers/services, etc.; file integrity checking; detection of all kinds of rootkit techniques for hiding processes/ports/registry entries; Office macro protection, etc.), anti-spyware, firewall, anti-spam and other functions. KAV6 lacks the firewall module compared with KIS6. Overall, KIS6 is very powerful. In the Rootkit discussion group we unanimously recognized KIS6 as the strongest personal security suite. Kaspersky Lab is indeed elite and strong, and many things use undocumented techniques, which caused my latest version of WinDbg to crash when entering kernel debugging mode ~

KIS6 registry monitoring: NowinodWSApp, ShellServiceObjectDelayLoad, ShellExecuteHooks, SharedTaskScheduler, SafeBoot, Winlogon\Notify, AppInit_DLLs, the shutdown script, and whatever else other security software monitors, it monitors too. In addition, KIS6 monitors all kinds of code injection, including the SetThreadContext method; it monitors driver loading, service loading, and entering Ring 0 through the \Device\PhysicalMemory object, etc.; it monitors the installation of global hooks; it does file integrity checking; its anti-rootkit detects hidden files, hidden processes, hidden ports and hidden registry entries; even the method of hiding processes by modifying PspCidTable is detected by KIS6. In addition, the control rules of the KIS6 firewall are also quite fine-grained.
Unlike domestic personal firewalls, which use the process as the smallest unit of control, KIS6 refines its control policies down to specific ports of specific processes; for example, by default only Explorer.exe is allowed to access HTTP port 80, rather than the Explorer.exe process being allowed to access the network in full. That is enough about KIS6's strengths; now let's talk about its weaknesses. Oh, I really don't know what the people at Kaspersky Lab are thinking. I won't say they are dim, but they are careless: regarding KIS6's monitoring of remote-thread code injection, it only reacts to injection into the IE process, and its firewall's default control rules allow svchost to access ports such as HTTP, so a trojan that injects into svchost with a remote thread can finish Kaspersky off, oh, really sad! (At the time I really wanted to go bang my head against a block of tofu ...) ~ Let's see how to start up under KIS6. KIS6's registry monitoring is very thorough, and it also monitors services and the like, so there is nowhere for your startup entry.
However, cute Kaspersky made a low-level mistake that made me sad: it does not monitor the startup folder in the Start menu .... That alone is too lame, so let me mention another method: because lovely Kaspersky only monitors remote-thread code injection into IE and a few other processes, we can inject into Winlogon; after injecting Winlogon we can defeat SFP and then infect files to start up. Although Kaspersky has file integrity checking, that is not a big problem; try it yourself and you will understand why, heh heh. As for the bottom layer, KIS6's monitoring of driver loading is not complete, hey, we can use ZwSetSystemInformation to load a driver ~ Once you can load a driver, what can't you do? Restore the SSDT, DKOM, miniport NDIS hooks, let's play, heh heh ... ==
Vxk:
In addition to XYZREG's methods, there is the Kaspersky technique of rewriting ntoskrnl.exe via boot.ini (this method is shameless ~), and the HotPatch technique (it nearly eats the firewall alive ~); it is fragile ~~
HotPatch can rewrite some DLLs, such as kernel32.dll; I don't need to say much about it ~ You do a code injection in kernel32.dll and then load our DLL inside the appropriate process, and isn't that the end of it? ~ Haha ~~
Thanks to Microsoft's sharp sword, HotPatch ~~
PS: the official release of Kaspersky 6.0 has loosened the IE rules a bit ~~ Oh, everyone go try it ~~