VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. guest

    guest Guest

v4.3 with default settings, not valid anymore with v4.4.xx. PowerShell is now guarded, but it was worth the reminder. The next version will be even tighter (can't tell details for obvious reasons).
     
  2. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Yes, that video is quite outdated, so I guessed that bug may be solved now.
    I just posted it because many people compare AppGuard and VooDooShield as "bulletproof" products, so I was astonished to see the same guy bypassing both of them...
     
  3. guest

    guest Guest

He bypassed AG because he used PowerShell (which wasn't guarded at that time) on an admin account without UAC, I guess.
PowerShell should be blocked by default by any security app. The problem is that MS will put it in as the cmd replacement...
     
  4. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
Interesting there... Not a good thing on MS. I'll put it as a blocked process in NVT_SOB.
     
  5. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
You're gonna make me dust off Photoshop, aren't you :p
I will email you some concepts in the near future.
Stay frosty, Dan.
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, I appreciate that! Well, self-protection is not as easy as it sounds, since there are no official Microsoft supported methods.

    Here is Microsoft's take on this: https://blogs.msdn.microsoft.com/oldnewthing/20040216-00/?p=40603/

But obviously it can be done, because a lot of security products have self-protection... and some do not. Doing so involves a hack of sorts, but Alex and I are looking into it as we speak, and we are trying to figure out the best method to use. It has not been a high-priority item for us, because there is only one very specific, unique, targeted script that is an issue. It is all a matter of priorities. If I thought for one second that this script would show up in the wild and that the blackhats would be using it in their malware, then we would have already implemented self-protection.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    That would be cool, thank you! We probably will not be updating the graphics anytime soon, but if you want to send me some concepts, that would be cool!
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Hey Dan,

    How can I figure out what is producing this Command Line?

    Code:
    rundll32.exe streamci,streamingdevicesetup {eeab7790-c514-11d1-b42b-00805fc1270e},asyncmac,{ad498944-762f-11d0-8dcb-00c04fc3358c}
    I've been prompted twice for this now and have no idea what it is so I've blocked it but it would be good to know what is producing it.

    Thanks,
    Krusty
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Krusty, there does not seem to be much info on streamci.dll, but here is what I found:

    Streamci.dll is required by windows and is used when working with media streaming devices, such as a DVD player or CD rom. If streamci.dll is unavailable, windows will not function correctly.

    Does it only run on Windows startup? It looks like it is safe to me.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Hey Dan,

    No, I've been prompted when opening Cyberfox both times now. I'm just restoring that machine from a backup for another reason now or I would send you the logs.

    ... I wonder if it could be related to my HP printer software which starts a few minutes after booting?
     
  11. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,107
    Location:
    UK
  12. M3gatron

    M3gatron Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    41
    Location:
    ::1
    Hi @VoodooShield

    Can you increase the number of characters displayed in VS per prompt? In the attached example. I can only view the file path/file name by hovering the mouse but it would be nice if the path/file name was visible (running v3.5.3)
     

  13. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
Of course, hackers would target the most widely used security SW, because they wanna do as much damage as possible.
Since VS's market share is minimal (no offense on this, sometimes the less, the better :) ), it wouldn't make sense to target VS. The same is true for Comodo, for example.
     
  14. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    158
    Location:
    West Oz
    Hi Krusty - At least in my box, that UID (?) is an "RAS Async Adapter" found in ...\ControlSet\...\Class\... lists. These devices can be generically found in your box's Device Manager or similar. One day I must find out what they do for a living.

    But it would be good to know why RAS is used by a browser... RSS maybe?
     
  15. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,501
    Location:
    .
    100% agree with you. :thumb:
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Excellent point. One of the reasons I like VS, Appguard and also the Excubits drivers.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Another interesting thought to ponder. The requirement for self-protection implies that something got by your defenses and is now shutting stuff down. I've seen some malware do this. But to do it, I had to let it by VS. VS would have stopped it before it was a threat. That is the real key to VS.
     
  18. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
From the video of the bypass, I imagine the script would target voodooshield.exe and force it to close, maybe masking itself as if it were a user's input.
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    We might be able to add another line, but I think if you mouse over the "...", it will give you the full path. Let me know what you think, thank you!
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Is this something that you just realized, or were you aware of this when you first posted the youtube video? ;) Why even bring up non-issues?
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Technically it is not a bypass... the user had to manually allow the macro.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
The macro does not spawn a child process to kill VS... it is all done in the macro... then, once VS is no longer running, it spawns the payload. So this has absolutely nothing to do with VS's Parent Process feature... which, I am not sure if you are aware or not, can be disabled in VS's settings.
     
  23. mWave

    mWave Guest

Yes there are; there have been since Windows Vista (or XP with Service Packs). They're called kernel-mode callbacks, which were implemented as an alternative to patching of the Windows kernel (since Microsoft did not like it) when PatchGuard/Kernel Patch Protection was introduced. Microsoft knew that developers in the security industry relied on hooking, so they created callbacks.

For process protection you will be looking for ObRegisterCallbacks (kernel-mode callback), and for file (on disk) and registry protection, you'll be looking for FltRegisterFilter and CmRegisterCallbackEx. With ObRegisterCallbacks, make sure you protect both OB_OPERATION_HANDLE_CREATE and OB_OPERATION_HANDLE_DUPLICATE; otherwise using ZwDuplicateHandle will bypass this.

However, you also need to ensure you handle the WM_DESTROY message in the message queue of the window (and others) to prevent that as a method of closing down VoodooShield (the GUI, not the service). Threads are also important to protect, and PsSetLoadImageNotifyRoutine might be useful for you too.

All of it is documented, and this is the same method that top AV vendors like Avast, AVG, Kaspersky, and Trend Micro etc. use. :)

    Look here bro :) https://malwaretips.com/threads/av-self-protection-process-c-c.66200/
     
    Last edited by a moderator: Mar 8, 2017
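Editor's note: the post above describes the handle-filtering logic an ObRegisterCallbacks pre-operation callback performs, and the ZwDuplicateHandle pitfall of only covering OB_OPERATION_HANDLE_CREATE. The following is an added example, not VoodooShield's, Microsoft's or mWave's code. It is a portable user-mode model of that callback: the type and constant names mirror the WDK (the ACCESS_MASK bit values and OB_OPERATION_* values are the real ones) but are defined locally so it builds with any C compiler; PEPROCESS pointers are replaced by plain PIDs, the set of stripped rights is a policy assumption, and filter_access() is a hypothetical test helper. A real driver would include ntddk.h, register with ObRegisterCallbacks() with both operations set in OB_OPERATION_REGISTRATION.Operations, and be linked with /INTEGRITYCHECK.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;
typedef uint32_t PID;

/* Process access rights, values as in winnt.h. */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_DUP_HANDLE                0x0040u
#define PROCESS_SET_INFORMATION           0x0200u
#define PROCESS_SUSPEND_RESUME            0x0800u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define PROCESS_ALL_ACCESS                0x1FFFFFu

/* Rights that let another process kill, inject into, freeze or re-open us.
 * Which rights to strip is a policy choice (an assumption of this example). */
#define PROTECTED_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD |   \
                          PROCESS_VM_OPERATION | PROCESS_VM_WRITE |     \
                          PROCESS_DUP_HANDLE | PROCESS_SET_INFORMATION | \
                          PROCESS_SUSPEND_RESUME)

/* OB_OPERATION_* values as in the WDK. Both must be set in the
 * OB_OPERATION_REGISTRATION.Operations field at registration time,
 * or the duplicate path is never seen by the callback. */
#define OB_OPERATION_HANDLE_CREATE    1u
#define OB_OPERATION_HANDLE_DUPLICATE 2u
#define OB_PREOP_SUCCESS              0

/* Local stand-ins for OB_PRE_CREATE_HANDLE_INFORMATION and
 * OB_PRE_DUPLICATE_HANDLE_INFORMATION. */
typedef struct { ACCESS_MASK DesiredAccess, OriginalDesiredAccess; } CreateHandleInfo;
typedef struct { ACCESS_MASK DesiredAccess, OriginalDesiredAccess;
                 PID SourceProcess, TargetProcess; } DuplicateHandleInfo;

/* Local stand-in for OB_PRE_OPERATION_INFORMATION. The real struct carries a
 * PEPROCESS Object; the driver would call PsGetProcessId() on it and
 * PsGetCurrentProcessId() for the caller. Here both are plain PIDs. */
typedef struct {
    uint32_t Operation;
    bool     KernelHandle;      /* set for kernel-mode handle operations */
    PID      TargetPid;
    PID      RequesterPid;
    union { CreateHandleInfo Create; DuplicateHandleInfo Duplicate; } Parameters;
} PreOpInfo;

typedef struct { PID protected_pid; } ProtectCtx;   /* RegistrationContext */

/* Pre-operation callback: strip dangerous rights from handles that other
 * processes open to, or duplicate for, the protected process. A pre-op
 * callback may only edit DesiredAccess and must return OB_PREOP_SUCCESS. */
static int pre_operation_callback(ProtectCtx *ctx, PreOpInfo *info)
{
    if (info->KernelHandle)                       return OB_PREOP_SUCCESS;
    if (info->TargetPid != ctx->protected_pid)    return OB_PREOP_SUCCESS;
    if (info->RequesterPid == ctx->protected_pid) return OB_PREOP_SUCCESS;

    ACCESS_MASK *desired;
    switch (info->Operation) {
    case OB_OPERATION_HANDLE_CREATE:
        desired = &info->Parameters.Create.DesiredAccess;
        break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        /* The bypass the post warns about: without this arm, a handle opened
         * with harmless rights can be duplicated back with full rights. */
        desired = &info->Parameters.Duplicate.DesiredAccess;
        break;
    default:
        return OB_PREOP_SUCCESS;
    }
    *desired &= ~PROTECTED_RIGHTS;
    return OB_PREOP_SUCCESS;
}

/* Hypothetical helper: simulate one handle operation and return the access
 * mask the requesting process actually ends up with. */
ACCESS_MASK filter_access(PID protected_pid, PID requester, PID target,
                          uint32_t op, ACCESS_MASK desired)
{
    ProtectCtx ctx = { protected_pid };
    PreOpInfo info = { 0 };
    info.Operation = op;
    info.TargetPid = target;
    info.RequesterPid = requester;
    if (op == OB_OPERATION_HANDLE_DUPLICATE) {
        info.Parameters.Duplicate.DesiredAccess = desired;
        info.Parameters.Duplicate.OriginalDesiredAccess = desired;
        info.Parameters.Duplicate.SourceProcess = requester;
        info.Parameters.Duplicate.TargetProcess = requester;
    } else {
        info.Parameters.Create.DesiredAccess = desired;
        info.Parameters.Create.OriginalDesiredAccess = desired;
    }
    pre_operation_callback(&ctx, &info);
    return op == OB_OPERATION_HANDLE_DUPLICATE
         ? info.Parameters.Duplicate.DesiredAccess
         : info.Parameters.Create.DesiredAccess;
}

int main(void)
{
    const PID vs = 1000, attacker = 2000;   /* constructed PIDs */
    printf("OpenProcess(ALL_ACCESS)    -> 0x%06X\n", (unsigned)
           filter_access(vs, attacker, vs, OB_OPERATION_HANDLE_CREATE, PROCESS_ALL_ACCESS));
    printf("DuplicateHandle(TERMINATE) -> 0x%06X\n", (unsigned)
           filter_access(vs, attacker, vs, OB_OPERATION_HANDLE_DUPLICATE,
                         PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION));
    return 0;
}
```

The callback deliberately leaves PROCESS_VM_READ and PROCESS_QUERY_LIMITED_INFORMATION alone so that Task Manager, debuggers and the product's own GUI can still enumerate the protected process; and it never touches kernel handles or the protected process's handles to itself, since stripping those tends to break the product rather than the attacker. Note that this only covers the handle route mWave describes; closing the GUI via WM_DESTROY or WM_CLOSE is a separate path that the window procedure has to handle.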
  24. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
Hi Dan, I didn't have any hidden meaning; I just wanted to learn as much as possible about VS before using it.
     
  25. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
Only in the Pro version, or in the free version too?
     