A recently published technique lets an attacker who already holds administrative rights run code inside the protected processes of antivirus software. Code that runs there inherits the product's self-protection, so it is hard to kill, can write where the product forbids other processes to write, and turns the very protection the antivirus is designed to uphold against its user.
The technique, outlined by security researcher Two Seven One Three on X (@TwoSevenOneT), clones one of the product's protected services and hijacks a cryptographic provider so that a malicious DLL is loaded into the clone, giving the attacker a backdoor that runs under the antivirus's own protection and can write to its installation folder, bypassing conventional defenses.
The approach exploits a design trade-off: antivirus products go to great lengths to keep their own processes alive and untouchable. Whatever code ends up inside one of these "unkillable" processes benefits from the same treatment. It runs as SYSTEM under the product's tamper protection, can write files to restricted directories such as the installation folder, and is less likely to be flagged, because the product trusts its own processes.
Bypassing Antivirus Defenses
Antivirus software employs a variety of strategies to shield its core processes from interference, ensuring uninterrupted protection for users. Typically, these programs operate with SYSTEM-level privileges, allowing them extensive access to monitor and neutralize threats throughout the system.
Process introspection is one such strategy: the antivirus scans its own threads for anomalies, including code injected from external sources. Additional safeguards include code integrity checks that verify the authenticity of loaded modules and the use of Windows' Protected Process Light (PPL), which prevents ordinary user-mode processes, including those run by administrators, from opening a protected process with the access rights needed to terminate it or inject code into it.
In the kernel, antivirus drivers deploy sensors to block modifications to detection mechanisms, while self-protection routines automatically restart compromised components or alert on suspicious activities. The process of determining which components warrant protection is meticulous; developers avoid simplistic checks like process names, which attackers could easily spoof.
For instance, Bitdefender verifies the process's ImagePath (the executable must reside in the product's own directory) and blocks file writes to its installation folder. Digital signatures on loaded DLLs provide an additional layer, although attackers may still attempt to bypass these checks through more advanced evasion.
Spoofing the image path from user mode, for example by rewriting the Process Environment Block (PEB) or by launching a look-alike process through the CreateProcess API, does not work: the kernel driver observes process creation from the start and records the genuine image path before any user-mode code can alter it.
Service Cloning and Injection Methods
The ingenuity of the technique lies in using the antivirus's own reliance on operating system features while targeting its less-guarded auxiliary components. Modern suites bundle extra features such as firewalls, VPNs and user interfaces, each running as a protected process with write access to the installation folder. Since directly terminating or suspending these processes is blocked without a kernel exploit or a tool like EDR-Freeze, the researcher turned to cloning instead.
By exporting the registry key of an antivirus service under HKLM\SYSTEM\CurrentControlSet\Services (Bitdefender's BDProtSrv in the write-up) and importing it again under a new service name, a duplicate service with identical configuration is created. After a reboot the Service Control Manager (services.exe) reads the new key together with the others and starts the clone as another protected process. Testing with Process Explorer confirms the effect: attempts to terminate the clone fail with "access denied".
Injection relies on the Windows Cryptography API (CryptoAPI), which antivirus processes use for encryption and signature checks. Each cryptographic service provider is registered as a subkey of HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider with an "Image Path" value naming its DLL; pointing that value at a malicious DLL makes the cloned service load it when it initializes CryptoAPI during startup. To pass the signature check, the DLL is signed with a certificate cloned from a legitimate Windows binary and the cloned chain is added to the machine's trusted certificates, a strategy elaborated in SpecterOps research.
The steps are: create the cloned service, redirect the provider, make the cloned certificate trusted, start the service, verify that the DLL executed, and restore the original provider entry so that the system's cryptographic operations keep working. To streamline this, Two Seven One Three released IAmAntimalware, an open-source tool on GitHub. It automates cloning the service, modifying the cryptographic provider (or, alternatively, a COM object), importing the certificate and starting the clone, driven by command-line parameters for the original service, the clone name, the certificate file and the DLL path.
In tests against Bitdefender, a sample DLL was signed with a certificate produced by CertClone, another GitHub utility that clones certificates, and was successfully loaded into the cloned service; the DLL emits debug strings and writes a "mark.txt" file into the installation folder as proof of execution. Similar results were observed with Trend Micro and Avast, although Avast required targeting its GUI process for reliable results. The implication is that malware could embed a backdoor inside the antivirus's own protected environment and run there undetected.
To counter this, defenders should monitor module loads into antivirus processes from paths outside the vendor's directories, audit the machine's trusted root store and the CryptoAPI provider registry against a known baseline, and look for duplicated service definitions; vendors should extend their integrity checks from files on disk to the registry entries (cryptographic providers, COM servers) that their protected processes consume at startup, and pair PPL with behavioral analytics. As offensive research of this kind matures, antivirus vendors need to make sure their self-protection strengths do not turn into a safe harbor for attackers.
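The following PowerShell audit script is an added example, not code from the article or from the IAmAntimalware project. It looks for the three artifacts the cloning procedure described above leaves on a host and implements the checks recommended in this section: a second service whose ImagePath is identical to an existing one, a CryptoAPI provider whose "Image Path" points outside System32 or whose signer does not chain to a known Microsoft root, and two certificates in the machine Root store that share a Subject but not a thumbprint (what a cloned root looks like next to the genuine one). The root thumbprints in the allow-list are Microsoft's 2010 and 2011 root CAs; extending that list with your own baseline is assumed. Run it from an elevated PowerShell on the host being audited.

```powershell
# Added audit script (not part of the original article or of IAmAntimalware).
# A cloned certificate whose root has been imported locally makes
# Get-AuthenticodeSignature report "Valid", so Status alone is not a test;
# the signer's root is therefore compared against an explicit allow-list.

$KnownRootThumbprints = @(
    '3B1EFD3A66EA28B16697394703A72CA340A05BD5',  # Microsoft Root Certificate Authority 2010
    '8F43288AD272F3103B6FB1428485EA3014C0BCFE'   # Microsoft Root Certificate Authority 2011
)   # extend with your own baseline (assumption: these two suffice for Windows-shipped CSPs)

function Get-NormalizedImagePath {
    param([string]$RawPath)
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    # Expand %SystemRoot% etc., strip surrounding quotes, lower-case for comparison.
    return [Environment]::ExpandEnvironmentVariables($RawPath).Trim().Trim('"').ToLowerInvariant()
}

function Find-ClonedServices {
    # An exported-and-reimported service key keeps the original ImagePath verbatim,
    # so two service names pointing at the same binary and arguments is the signal.
    # svchost.exe legitimately hosts many services and is skipped.
    $byPath = @{}
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $raw  = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        $norm = Get-NormalizedImagePath $raw
        if ($null -eq $norm -or $norm -like '*\svchost.exe*') { return }
        if (-not $byPath.ContainsKey($norm)) { $byPath[$norm] = @() }
        $byPath[$norm] += $_.PSChildName
    }
    foreach ($entry in $byPath.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{ Finding = 'DuplicateServiceImagePath'; ImagePath = $entry.Key; Services = ($entry.Value -join ', ') }
        }
    }
}

function Get-SignerRootThumbprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($Cert)   # Build() may return $false; the chain elements are still populated
    return $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

function Test-CryptoProviders {
    # Each CryptoAPI CSP is a subkey here; "Image Path" names the DLL that gets loaded
    # into every process that initializes that provider.
    $system32 = ([Environment]::GetFolderPath('System')).ToLowerInvariant()
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider' -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = Get-NormalizedImagePath ((Get-ItemProperty -Path $_.PSPath).'Image Path')
        if ($null -eq $dll) { return }
        $reasons = @()
        if (-not $dll.StartsWith($system32)) { $reasons += 'ImagePathOutsideSystem32' }
        if (Test-Path -LiteralPath $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') {
                $reasons += "Signature:$($sig.Status)"
            } elseif ($KnownRootThumbprints -notcontains (Get-SignerRootThumbprint $sig.SignerCertificate)) {
                $reasons += 'UnknownSignerRoot'   # valid chain, but to a root we did not vouch for
            }
        } else {
            $reasons += 'FileMissing'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Finding = 'SuspiciousCryptoProvider'; Provider = $_.PSChildName; ImagePath = $dll; Reasons = ($reasons -join ';') }
        }
    }
}

function Find-DuplicateRootSubjects {
    # A cloned certificate copies the Subject of the original; the key, and hence
    # the thumbprint, differ. Two Root entries with one Subject deserve a look.
    Get-ChildItem Cert:\LocalMachine\Root | Group-Object Subject | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Finding = 'DuplicateRootSubject'; Subject = $_.Name; Thumbprints = (($_.Group | ForEach-Object Thumbprint) -join ', ') }
    }
}

Find-ClonedServices
Test-CryptoProviders
Find-DuplicateRootSubjects
```

The service check deliberately compares the full ImagePath including arguments, because a registry clone reproduces the original string exactly; a vendor that ships two services running the same binary with different switches will not collide. The provider check reports Windows' own CSPs if your host uses catalog signing that Get-AuthenticodeSignature cannot resolve, so treat the first run as baseline collection rather than as alerts. For the module-load side of the recommendation, the same idea applies in a Sysmon Event ID 7 rule: image loads into the antivirus's process names whose ImageLoaded path is outside the vendor's directories and System32.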