Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>If you can get a hold of the "System Virginity Verifier" from Joanna Rutkowska, this should give you a pretty good idea <em>where</em> they implement their hooks. Similar tools (including <a href="http://www.gmer.net/">GMER</a>) can be used to investigate what's going on in the bowels of the system. It may sound odd, but sometimes AVs use techniques also commonly found in malicious software, i.e. rootkit techniques, in an attempt to protect their software from being fooled.</p> <p>It sounds like SSDT-Hooking and similar techniques have been used to "protect" the process. My first shot at this would be to suspend all threads of the process. Most such protection mechanisms (of malware and anti-malware alike) trigger only on termination attempts. But once you suspend all the threads (Process Explorer can do that) none of them will be scheduled anymore by the scheduler (leading to no CPU usage).</p> <p>SSDT (sometimes SDT) stands for System Service Descriptor Table. It's the table with function addresses of the system services (the number of the system service being the index). When you call something like <code>CreateFile</code> from your Win32 application it will end up in NTDLL calling <a href="http://msdn.microsoft.com/en-us/library/bb432380.aspx"><code>NtCreateFile</code></a> (== <code>ZwCreateFile</code> in UM). From there the mechanism (which has changed since Windows 2000/XP) will differ in how it transitions into kernel mode (KM), aka "ring 0". Anyway, the implementation of <code>NtCreateFile</code> in NTDLL roughly does the following: it moves the index of the system service into a register and then invokes the method that is used to transition to KM (<code>sysenter</code> opcode in newer implementations). Arriving in KM, the handler will check the index, figure out the function address from the SSDT and then call that function. There is some more checking of the UM stack going on here (when you come from UM), but this is the process in simple terms. So when you hook functionality at this level, you can prevent any subsystem, including the Win32 subsystem from doing things. However, this has several problems attached (yours being the least of them). Most implementers do a bad job, which can be often seen in malware, such as the rootkit Sony chose to put on some audio CDs back in 2005. So unhooking is virtually impossible without risking a bug check and several independent pieces of code hooking the same SSDT index will also usually lead to problems due to recklessness on part of the implementers.</p> <p>So suspending the threads seems a possibility, although this question of course is kind of open-ended (without knowing the details of the ESET driver(s)). If, however, they prevent that as well you should indeed consider switching products. I wager that disadvantages to system stability of such products outweigh the additional "protection" although they (ESET) are going to tell you otherwise.</p> <p>Another possible method could be to inject code (e.g. via a DLL) and have the process itself call <code>ExitProcess</code>. This also depends on whether or not their hooks allow for this loophole.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload