VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Clicking Allow and calling it a bypass is a little silly. Still waiting ;).
     
  2. mWave

    mWave Guest

    This is a self-protection bypass, not a process monitoring or VoodooAi bypass. Therefore, it doesn't matter if you allow it or not; the point is to bypass the self-protection from user-mode.

    You cannot bypass PsSetCreateProcessNotifyRoutineEx without having existing code execution, since the callback will be invoked before the main thread of the process is started (meaning you cannot execute code before your driver's callback is executed). I am not sure what you are expecting from me, a zero-day browser exploit to deploy a file-less attack through shell-code execution?

    You are in denial, I see exactly what you're doing here.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    But how is your code going to run if VS blocks it? You have to click Allow. Once you click Allow, it is not a bypass.

    You admitted that your recommendations could be bypassed.

    What am I "doing here"?
     
  4. VecchioScarpone

    VecchioScarpone Registered Member

    Joined:
    Aug 29, 2015
    Posts:
    343
    Location:
    Down Under the Southern Cross
    Yes, sent logs to Dan last night; he spotted the culprit and is working on it right now.
    Some process is blocking VS from executing on my computer.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I just PM'd this to Dan and he suggested I post it.

    Frankly this has become much ado about nothing. Let's see what I'd have to do if this was in the wild.

    1. Probably open an email and be dumb enough to download an attachment.
    2. Open the Excel spreadsheet and be dumb enough to allow macros.

    That's pretty dumb right there, but with a bit of extra protection it's a non-issue.

    Appguard would block it from modifying anything in the system area.
    HMPA would shut down the macro in a heartbeat.

    Maybe use the other self-protections.

    mWave, I saw your instructions on how to get the POC to work, but why not just pull the plug? It's just as realistic a test and easier.
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sure, if he can run his bypass from a macro. I am talking about executables.
     
  7. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I am able to stop the voodoo service and exe in task manager and my computer does not lock up. What are you guys doing different to lock it up?
     
  8. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    If you click Allow on the VS popup, that's not a bypass.
    But if you enable a macro and the malware acts, that's definitely a bypass.

    Check this: https://www.youtube.com/watch?v=KSbRWmpSUwo
     
  9. mWave

    mWave Guest

    What are you talking about now? My recommendation would be to register ObRegisterCallbacks, which would be most effective for protecting VoodooShieldService.exe as opposed to the GUI, but it can do both to an extent. If ObRegisterCallbacks is implemented correctly then you won't have to worry about user-mode code bypassing the protection too much, because opening a handle to the process or the process' threads would be blocked (Access Denied). Of course there are tricks here and there which might work from user-mode; you can patch these too. It's light work.

    That being said, nothing is 100% foolproof. You can bypass Kaspersky from kernel-mode, but from user-mode? Good luck with that, they pretty much patched everything up. That's an example of where you could be.

    Your logic makes no sense. I will repeat myself once again: this is not a bypass for process monitoring or VoodooAi, this is a self-protection bypass. I assume you can efficiently understand English? My code will not run if VS blocks it, but once the code is running the bypass takes place.

    Let me quote what I said previously:
    I do not even get paid minimum wage; I'm not going to rewrite my code in a completely different language. My code is written in C++; of course, if you want to re-create it using the same method for use within a macro then you can feel free to do this in your own time. It'll still work.

    Here is a demonstration video of the SELF-PROTECTION bypass (yes, that is right, not a process monitoring or VoodooAi bypass):
    https://www.youtube.com/watch?v=OFbLk8zmmw0&feature=youtu.be

    According to someone who has notified me, VoodooShield should not re-alert for the same app after white-listing. Which is strange, because I may have experienced a bug on the previous installation during some testing where it kept on re-notifying for the same program... My bad.

    Anyway, the sample download is in the description, feel free to test it yourself if you do not believe it works due to this mistake. It will work regardless.

    The self-protection has been bypassed from user-mode; you may be in denial with tears down your face, but the video evidence is all there. And before you say, "Oh, it's not deployed in a macro! You allowed it" - yes, for the final time, it's a self-protection bypass... Not a bypass for the process monitoring or VoodooAi.
     
  10. mWave

    mWave Guest

    It's not a bypass for the process monitoring or VoodooAi, it's for the self-protection. If you want to replicate the sample in VBA (or anyone else does) then feel free to do that. I do not get paid, I am just reporting my findings. So I am not spending my time doing this.

    Here is the method; it is incredibly straightforward:
    1. OpenSCManager
    2. OpenService
    3. ControlService
    4. DeleteService
    5. CloseServiceHandle

    ^^ Win32 API, very basic and straightforward.

    The lock-down will be triggered if you terminate it via e.g. TaskMgr.exe... You use my method and currently no lock-down is triggered, but there is no protection.

    Bear in mind that in the video above I did make a mistake (I was rushing), but if you test the sample from the download link in a VM you'll see it works. Even if you don't test the sample, you can see in the video that after restarting it throws an error and demands reinstallation.

    Now move this to a macro (VBA) instead of being done in C++ (which is what I am comfortable with using) and it'll be a "bypass" in the eyes of the developer. I guess.
     
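    Whether the five-call sequence above succeeds from a non-elevated process depends on the service object's DACL: ControlService with a stop control needs SERVICE_STOP and DeleteService needs DELETE on the service. Added example (not mWave's or VoodooShield's code): parse the SDDL string that `sc sdshow <service>` prints and flag allow-ACEs that grant those rights to ordinary users; the two SDDL strings are constructed samples and the service name is hypothetical.

```python
import re

# Rights relevant to the OpenSCManager/OpenService/ControlService/DeleteService
# sequence, as the two-letter codes `sc sdshow` prints in an ACE's rights field.
DANGEROUS_RIGHTS = {
    "WP": "SERVICE_STOP (ControlService can stop it)",
    "SD": "DELETE (DeleteService can remove it)",
    "DC": "SERVICE_CHANGE_CONFIG (binary path or start type can be rewritten)",
    "WD": "WRITE_DAC (the DACL itself can be loosened)",
}
HEX_BITS = {"DC": 0x2, "WP": 0x20, "SD": 0x10000, "WD": 0x40000}
# Well-known SID aliases that stand for ordinary or unauthenticated users.
LOW_PRIV_SIDS = {"WD": "Everyone", "BU": "Users", "AU": "Authenticated Users",
                 "IU": "Interactive", "AN": "Anonymous", "BG": "Guests", "NU": "Network"}

def dacl_aces(sddl):
    """(type, rights, sid) for every ACE in the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = re.findall(r"\(([^)]*)\)", m.group(1)) if m else []
    parts = [a.split(";") for a in aces]       # type;flags;rights;objguid;inhguid;sid
    return [(p[0], p[2], p[5]) for p in parts if len(p) >= 6]

def rights_codes(rights):
    """Split a rights field into two-letter codes; a 0x... mask is decoded only for the bits checked here."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [code for code, bit in HEX_BITS.items() if mask & bit]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]

def find_weak_aces(sddl):
    """List (principal, [rights]) for allow-ACEs letting ordinary users stop, delete or reconfigure the service."""
    findings = []
    for ace_type, rights, sid in dacl_aces(sddl):
        if ace_type != "A" or sid not in LOW_PRIV_SIDS:
            continue
        bad = [DANGEROUS_RIGHTS[c] for c in rights_codes(rights) if c in DANGEROUS_RIGHTS]
        if bad:
            findings.append((LOW_PRIV_SIDS[sid], bad))
    return findings

# Constructed samples in the format `sc sdshow <service>` prints: a stock-looking descriptor,
# and one that hands Users (two-letter codes) and Authenticated Users (hex mask) stop/delete.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;RPWPSD;;;BU)(A;;0x20;;;AU)")

if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT_SDDL), ("weak", WEAK_SDDL)):
        print(name, find_weak_aces(sddl) or "no stop/delete rights for ordinary users")
```

    An empty result means only Administrators and SYSTEM hold those rights, so the remaining exposure is an already-elevated caller, which no service DACL can address.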
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Can you even P/Invoke in macros? I highly, highly doubt that you can, so your argument does not hold water.
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Let me guess, you clicked Allow too.

    Guess what happens when you Allow VS's uninstaller? It uninstalls VS.
     
  13. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    mWave

    you are a very fast typist. You really need to use cool music like cruelsister uses. If your POC works against Voodoo it should also work against Appguard?

    When you say you are not getting paid, does that mean by Dan? We all know there are bug hunters that do get paid that frequent this forum. Won't mention any names. It sounds like, other than the protection Dan is looking at, you otherwise like Voodoo? I have been using computers for a lot of years and still hunt and peck.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I couldn't even get it to work. And the whole thing breaks down, because you need to do two very stupid things.
     
  15. mWave

    mWave Guest

    Declare PtrSafe Function ControlService Lib "advapi32" Alias "ControlService" (....)....

    Fill in the gaps, do it for DeleteService and OpenSCManager.

    I never use VBA so I do not know myself, I am just guessing. But if people can download files via URLDownloadToFile, which is exported by urlmon.dll, then I am sure you can use functions exported by advapi32.dll as well (well, sechost.dll actually, but people use Advapi32.dll for the service functions anyway)... If I get the time then I might experiment and try to convert it to a VBA version. But since it's your own project, feel free to try yourself.

    I am not a staff member at VoodooShield who is being paid, so I don't see why I am expected to make everything perfect for him. I created a method which works and demonstrated it. What he wants to do is up to him... Doesn't change anything for me really. I actually like VoodooShield; I've only just started experimenting with it, and whether it has good self-protection or not I might use it temporarily myself. I don't dislike it.
     
  16. mWave

    mWave Guest

    What do you mean the whole thing breaks down? Or are you just trying to joke because you don't want to allow it, because it's a "self-protection" bypass and not a process monitoring/VoodooAi bypass? hmm
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It's not real life. How would it get on my pc, I have to download it. I have to uncheck macros. I do agree with you Dan should do it so it just protects the processes.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Actually Dan, with several of the programs I have, if I don't turn off the self-protection, I can click allow on the uninstall and they fail.
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ok, here is a better analogy... Guess what happens when you Allow malware? The machine will become infected.

    Ultimately we will probably go with ObRegisterCallbacks, but I did not like the idea of implementing a watchdog process as a backup self-protection mechanism... I think it would be much better to lock up the system if this fails. But in order to see if it even works, we had to try it first.
     
  20. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Dan, Appguard locks the system down just like you do. I don't know what they use, but the principle is the same. I hate to see more stress added to your life, but in one way or another, I for one am sure you will get it right.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Dan, I can say from first-hand experience that locking up the system can be painful. I still question why the self-protection is that big a deal. You are already infected. That's what needs to be stopped.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Boredog.

    I've tested and I can't see where that has happened. So I stand by I have nothing that locks up the system.

    Pete
     
  23. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Peter, I am guessing you did not look at Lockdown's latest posts. Appguard does lock down the system and I have seen it. He says it does lock down the sys and a hard shut down is needed.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yeah, he wasn't talking. But Mister X and I saw something different. But in any case, relative to the issue here, there is nothing you can do with the GUI pop-ups that will cause that. That is the key issue here.
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you for pointing that out ;). The only difference in my method is that the user is asked to reboot the system when they are able to do so... this is so the GUI can reconnect to the service properly, without the risk of a bypass. Rebooting will also close whatever web app with a malicious link / driveby put the user in danger in the first place.

    We just started on this feature 9 days ago... it is not going to be perfect immediately... this stuff takes time.
     