bypassed the AntiExecute and Shadowdefender?

Discussion in 'other anti-malware software' started by QQ2595, Jan 10, 2008.

Thread Status:
Not open for further replies.
  1. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    Hi all.

    Some guys said Shadowdefender + AntiExecute is the most stable combination.

    See this: https://www.wilderssecurity.com/showthread.php?t=195626&page=4

    I just made a test here. In 5 mins, I think I bypassed them.

    1) I made a .dll file (bypass.dll) with VC++ 6.0. The bypass.dll has an export function with the name "bypass". This function will access one sector of the disk at a low level.

    2) Copy this .dll to the computer which has Shadowdefender (1.0.130) + AntiExecute (2.30.1.317) installed. Both of them are in protection mode.

    3) Run a command line like this in cmd.exe: rundll32 bypass.dll bypass.

    4) Reboot, check the sector changed by bypass.dll with SectorEditor. It was saved.

    I found that AE cannot prevent .sys and .dll files from running at all. There are too many ways to replace a dll in the system to bypass the protection of AE.

    White.
     
  2. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Was AE security level on high?
    Also were all protections on?
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    A very good question and I hope the OP does his test again, when AE is configured properly. :)

    The right configuration is :
    Security = High
    Network Prevention = enabled
    Delete Prevention = enabled
    Copy Prevention = enabled

    In FDISR I had to disable the "Delete Prevention", I wonder if you have to do this in ShadowDefender also.
     
    Last edited: Jan 10, 2008
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If indeed ShadowDefender failed, email them at support@shadowdefender.com so they can fix it.

    Pete

    PS. Might also test the new Returnil Beta
     
  5. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    WOW, so many PMs asking for the dll today. Sorry for the delay in replying.

    Yes, it was at low level after I installed it. :D
    I have to say, if it is at high level, I can only try .vbs, .bat to play a small game :cool: :thumb:


    Yes, I have sent it to the support email.
     
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Is this test destructive? I want to try this in my LUA with SRP enabled.
     
  7. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    Yes, just tested with AE at low level + RVS 2008 beta; RVS 2008 can restore the changes in the sector. :thumb:

    I have to say, AE is a perfect item for normal users with all the protections on. :thumb:
     
  8. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    Yes, it will wipe the sectors at low level. I can only test it in my Virtual PC.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I hold a lot of stock in my HIPS and can think of nothing more radical than to let it try to pierce through my defense shield.
     
  10. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Sounds very nice... can you try the test with DEEPFREEZE?? Wonder how this monster is gonna stand it... btw AE is the same company as DF :cautious:

    cheers:D
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi QQ2595! How can one get a sample of this dll?

    Thanks
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Note please don't post a link to the DLL. It will be removed. Use some private method.

    Pete
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I PMed him actually more than once. Unfortunately no reply. It's just a reminder for him to check his PM box!
     
    Last edited: Jan 24, 2008
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Aigle

    No problem. That's just something easy to forget, so a reminder is gentler than a delete.

    cheers,

    Pete
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Can anyone having a sample of this dll PM me ?

    Thanks
     