Sysinternals Homepage

KAV7 vs Kernel Mode Patch

SystemPro (Senior Member, Germany)
Posted: 05 September 2007 at 7:46am
> This is some kind of ring3-ring0 gate perversion created by Kaspersky developers. BTW on the earlier versions of KAV it can be exploited to execute some code with highest privileges.

LOL, thanks for the info! This looks indeed perverted. *LoL*

EP_X0FF (Senior Member, Russian Federation)
Posted: 04 September 2007 at 8:09pm
> But maybe you know the kernel32.dll hooker that RKUnhooker shows above; is that usual if KAV7 is installed?

The name of this kernel32.dll hooker is Kaspersky Antivirus. This is some kind of ring3-ring0 gate perversion created by Kaspersky developers. BTW, on the earlier versions of KAV it can be exploited to execute some code with the highest privileges.
Ring0 - the source of inspiration

SystemPro (Senior Member, Germany)
Posted: 04 September 2007 at 12:04pm
I only searched for the root of this kernel mode memory patch because Procmon seemed unable to show a real path. I have already uninstalled the KAV7 test version. I checked all kinds of security suites some days ago.

So I am not that deep a KAV user. But maybe you know the kernel32.dll hooker that RKUnhooker shows above; is that usual if KAV7 is installed?


Edited by SystemPro - 04 September 2007 at 12:06pm

EP_X0FF (Senior Member, Russian Federation)
Posted: 03 September 2007 at 9:49pm
So what is the question? Maybe forum.kaspersky.com can help you?
Ring0 - the source of inspiration

SystemPro (Senior Member, Germany)
Posted: 02 September 2007 at 5:21pm
Whereas 0x1 very likely represents the svchost area.

SystemPro (Senior Member, Germany)
Posted: 02 September 2007 at 5:12pm
Does anyone have a clue why KAV7 is not able to stop this action?
Looks like an error in KAV.