

| Title | File | Date |
|---|---|---|
| Self-protection of Anti-Virus programs | -- | 01/14/10 |

Written by Jun Yong Kang - HAURI Virus Lab.
Self-protection has long been demanded of Anti-Virus programs so that they can defend themselves against malicious threats. So what do the typical malicious codes that attack Anti-Virus programs look like?
1. Forcibly terminating the Anti-Virus process
The most common way of attacking an Anti-Virus program is to terminate its process forcibly. Once the Anti-Virus program is no longer running, malicious code can harm the user's computer freely.
There are many ways to terminate the Anti-Virus process forcibly. In user mode, if a malicious process calls TerminateProcess() on the Anti-Virus process, or ends all of the Anti-Virus process's threads by calling TerminateThread(), the Anti-Virus process is eventually terminated. In kernel mode, the process can be terminated even more forcefully by calling ZwTerminateProcess(). (Anti-rootkit tools such as GMER or IceSword are not malicious code, but when they terminate a process forcibly they obtain the original address of ZwTerminateProcess() separately and terminate the process through that address.)

2. DLL injection into the Anti-Virus process
(1) Hook settings over the range of operation
a. Hook settings over the range of operation by registry key configuration
If the path of a DLL file is registered under the registry value below, Windows loads that DLL automatically into the address space of processes as they are executed.
Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

b. Hook settings over the range of operation by the SetWindowsHookEx() function
Windows provides the SetWindowsHookEx() API function for setting hooks over the range of operation. By passing the desired message type (WH_KEYBOARD, WH_GETMESSAGE, WH_CALLWNDPROC, etc.) as the function's first parameter, the caller receives information about those messages.
(2) DLL injection by the CreateRemoteThread() function
Once the preparation for DLL injection is done, malicious code calls CreateRemoteThread() to load the injected DLL into the Anti-Virus process, infecting it and disabling it.
3. Creating/modifying/deleting the Anti-Virus program's registry keys
An Anti-Virus program is itself a program running on Windows, so it relies on the registry. Malicious code takes advantage of this by creating, modifying or deleting the related registry data, and thereby disables the Anti-Virus program.
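Each of the three attack classes above leaves a characteristic trace that a defender can watch for: a handle to the Anti-Virus process opened with PROCESS_TERMINATE or with thread-creation plus memory-write rights, a remote thread created inside the Anti-Virus process, or a write to the AppInit_DLLs value or to the Anti-Virus program's own keys. The detector below is an added example, not part of the original article or of HAURI's products; it runs over constructed Sysmon-style event lines (the 'key=value|...' format, the ExampleAV key path and the image names avsvc.exe/avui.exe are all assumptions).

```python
# Process access rights (winnt.h) that the attacks described above need on the target.
PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_WRITE = 0x0001, 0x0002, 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE  # what CreateRemoteThread() injection needs
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"
AV_KEY_PREFIX = "HKLM\\SOFTWARE\\ExampleAV\\"  # assumed location of the AV's own settings
PROTECTED = {"avsvc.exe", "avui.exe"}          # assumed image names of the AV processes

def parse_event(line):  # constructed 'key=value|key=value' line -> dict
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev, protected=PROTECTED):
    """Map one event to a finding name, or None if it is not an attack on the AV."""
    eid = ev.get("EventID")
    if basename(ev.get("Image", "")) in protected:
        return None  # the AV touching its own processes and keys is expected
    target = basename(ev.get("TargetImage", ""))
    if eid == "10" and target in protected:  # ProcessAccess: handle opened to an AV process
        granted = int(ev["GrantedAccess"], 16)
        if granted & PROCESS_TERMINATE:
            return "forced-termination-attempt"
        if (granted & INJECTION_MASK) == INJECTION_MASK:
            return "remote-thread-injection-prep"
    if eid == "8" and target in protected:   # CreateRemoteThread into an AV process
        return "remote-thread-injection"
    if eid == "13":                          # registry value set
        key = ev.get("TargetObject", "").lower()
        if key == APPINIT_KEY.lower():
            return "appinit-dlls-modified"
        if key.startswith(AV_KEY_PREFIX.lower()):
            return "av-registry-tampered"
    return None

def scan(lines, protected=PROTECTED):  # -> [(finding, source image), ...]
    pairs = ((classify(ev, protected), ev.get("Image", "?")) for ev in map(parse_event, lines))
    return [(finding, src) for finding, src in pairs if finding]

# Constructed sample events (Sysmon-like IDs: 10 ProcessAccess, 8 CreateRemoteThread, 13 RegistryValueSet).
SAMPLE_EVENTS = [
    r"EventID=10|Image=C:\tmp\dropper.exe|TargetImage=C:\Program Files\ExampleAV\avsvc.exe|GrantedAccess=0x1F0FFF",
    r"EventID=10|Image=C:\Windows\explorer.exe|TargetImage=C:\Program Files\ExampleAV\avsvc.exe|GrantedAccess=0x1000",
    r"EventID=10|Image=C:\tmp\dropper.exe|TargetImage=C:\Program Files\ExampleAV\avsvc.exe|GrantedAccess=0x3A",
    r"EventID=8|Image=C:\tmp\dropper.exe|TargetImage=C:\Program Files\ExampleAV\avsvc.exe",
    r"EventID=13|Image=C:\tmp\dropper.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
    r"EventID=13|Image=C:\tmp\dropper.exe|TargetObject=HKLM\SOFTWARE\ExampleAV\RealTimeScan",
    r"EventID=13|Image=C:\Program Files\ExampleAV\avui.exe|TargetObject=HKLM\SOFTWARE\ExampleAV\RealTimeScan",
]
```

Running `scan(SAMPLE_EVENTS)` flags the five dropper.exe events and stays silent on the explorer.exe handle (query-only access) and on the Anti-Virus UI writing its own key.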
As shown above, there are many ways to attack an Anti-Virus process. Let us now look at how those attacks can be prevented.
(1) There are many ways to prevent the forced termination of the Anti-Virus process.
In user mode, the TerminateProcess() function of the Kernel32.dll module can be modified, and through that modification a malicious code's attempt to terminate the Anti-Virus program is blocked by refusing to execute the original routine. In kernel mode, the kernel-mode function that is invoked when TerminateProcess() is called can be modified in the same way, so that when malicious code tries to terminate the Anti-Virus process forcibly the attempt is refused. (The same approach applies to a malicious code's attempts to terminate the Anti-Virus process's threads.)

(2) How to prevent DLL injection into the Anti-Virus process?
a. Against "hook settings over the range of operation by registry key configuration", the Anti-Virus program monitors access to its registry key data in real time. Through this monitoring it can check which DLL another process wants to register, and when the access comes from malicious code it can prevent the DLL injection by blocking the creation/modification/deletion of the registry data or by deleting the module.
b. In the case of "hook settings over the range of operation by the SetWindowsHookEx() function", deleting and blocking the malicious access is somewhat more particular. If a hook has already been set over the range of operation using this function, the hook settings can be deleted by referring to the protected process's threads. Windows keeps a particular structure for the protected process's threads, and that structure holds information about which process set the message hook, such as the hook type, whether the hook is on or off, the thread that installed the hook, and a pointer to the next hook. Using this information, the Anti-Virus program can identify which process is malicious and delete its hook.
Hook settings can also be prevented in advance, as follows.
When malicious code calls the SetWindowsHookEx() function in user mode, the kernel-mode function used for the DLL injection can be modified, so that the DLL injection is blocked by refusing to execute the routine.
c. There are many ways to prevent "DLL injection by the CreateRemoteThread() function". In user mode, the CreateRemoteThread() function of the Kernel32.dll module can be modified, and through that modification the malicious code's attack on the Anti-Virus program is blocked by refusing to execute the routine.
In kernel mode, the corresponding kernel-mode function can be modified, so that when malicious code tries to inject a DLL forcibly the attempt is blocked by refusing to execute the routine.
(3) How to prevent malicious code from creating/modifying/deleting the Anti-Virus program's registry keys?
By modifying all the kernel-mode functions related to registry key creation, modification and deletion, the Anti-Virus program can block the malicious code's attempts to create, modify or delete its registry data.
Many Anti-Virus products have their own self-protection against attacks by malicious code, but as we have seen, malicious code can attack an Anti-Virus program in many ways: unloading the Anti-Virus driver, controlling the Anti-Virus through IOCTLs, diverting its updates, disabling its self-protection through an SSDT vulnerability, and so on. Therefore the Anti-Virus program must continue to be studied and developed so that it can protect itself against attacks by malicious code.
