Kaspersky and process hollowing?

Discussion in 'other anti-virus software' started by shmu26, Apr 27, 2016.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    241
    Is Kaspersky effective against process hollowing and malicious code injection that allows malware to perform functions without detection?

    If not, is there a solution for this?
     
  2. drakhil

    drakhil Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    15
    Kaspersky internet security has trusted application mode , if enabled allows only verified application to run, hope this helps
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    For starters, there are many different ways to perform process hollowing. You can read about a few of the techniques here: http://journeyintoir.blogspot.com/2015/02/process-hollowing-meets-cuckoo-sandbox.html . Whether a given security solution can prevent any or all of the process hollowing methods that can be employed can only be determined by testing each one against the security solution.

    That said, someone here: http://www.rohitab.com/discuss/topic/41106-kaspersky-2015-process-injection-detection/ tried a few basic process hollowing methods and Kaspersky immediately blocked them. The specific API's Kaspersky detected in this instance were:

    NtQueueApcThread - to set the shellcode entrypoint for launch
    NtSetContextThread - to change thread EIP - Detected!
    NtSetContextThread - to change EAX to shellcode entry point (EAX holds module entry point in RtlUserThreadStart) - Detected!
    NtWriteVirtualMemory - to overwrite opcodes at EIP - Detected! (any write to the process is detected).

    So it appears Kaspersky has above average detection of process memory modification.
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    241
    thanks for the detailed reply. I learned a lot from it.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    241
    that feature doesn't help in this case, because the whole idea of process hollowing is that the malware appears to your AV as if it is a trusted process. It gets inside the trusted process, and hijacks it, inheriting its permissions. That is why whitelisting will not protect against process hollowing.
     
  6. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    304
    Location:
    Philippines
    In theory, TAM can be still be effective against process hollowing. It depends on the programs it protects, though. In Kaspersky's white paper about TAM, TAM implements "security corridor" on protected programs. This means that Kaspersky wouldn't allow these programs to do anything that they are not supposed to do. This is similar to the MemoryGuard of AppGuard.
    But, still, there are programs that Kaspersky won't protect with TAM. Examples are Pale Moon and Cyberfox.
    You will know about this because if TAM is enabled, you'll see two additional folders under Application Control categories. I think they are called "Control created programs" and "Additionally controlled". I'm not sure about the names, though, because I disabled TAM.
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    241
    very interesting, thanks
     
Loading...