The author demonstrates a technique to inject code into antivirus-protected processes by cloning protected services and replacing a Cryptographic Provider with a malicious, digitally signed DLL that is loaded during service initialization. The proof-of-concept tool IAmAntimalware (with CertClone for signing) successfully injected SampleDll.dll into Bitdefender, Trend Micro, and Avast processes, allowing file writes in their installation folders. #IAmAntimalware #CertClone #Bitdefender #TrendMicro #Avast
Key points
- Antivirus products protect processes using elevated privileges, process introspection, code integrity checks, Protected Process Light (PPL), and kernel-mode sensors.
- Protection decisions are based on process name, file signature, and ImagePath; antivirus software monitors process initialization from the kernel to prevent spoofing.
- Attack technique: clone an antivirus service, change the Windows Cryptographic Provider registry entry to point to an attacker-controlled DLL, and start the cloned service so that the malicious module is loaded during initialization.
- The attacker can bypass signature checks by trusting a self-signed certificate or cloning signatures of legitimate Windows programs to conceal the malicious DLL.
- IAmAntimalware automates cloning a service, modifying the Cryptographic Provider, importing the certificate, and starting the cloned service to inject code.
- Proof-of-concept: SampleDll.dll (signed with CertClone) was injected and verified by writing mark.txt into antivirus installation folders; tested on Bitdefender, Trend Micro, and Avast (GUI process for Avast).
- Mitigations include monitoring unusual module load paths, detecting added trusted certificates in the registry, and leveraging Protected Process Light (PPL) to harden protection.
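The three mitigations above can be turned into a simple hunting script. The following PowerShell is an added example written for this summary; it is not code from the original post or from the IAmAntimalware/CertClone projects. It assumes that a cloned service keeps the original's binary path (Win32_Service PathName) under a new name, that the replaced provider is registered as a CryptoAPI CSP under HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider (the CNG key under HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Providers is not covered), and that an added trust anchor lands in the LocalMachine Root or TrustedPublisher store; the baseline file path is a placeholder.

```powershell
# Added hunting script (not from the original post or the IAmAntimalware project).
# Assumptions, labelled: cloned service shares the original's binary path under a new
# name; the provider is a CryptoAPI CSP registered under
# HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider; the trusted certificate is
# in the LocalMachine Root or TrustedPublisher store. Run elevated.

function Get-ServiceBinary([string]$PathName) {
    # Reduce a service command line to its executable path, ignoring arguments.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1].ToLowerInvariant() }
    return ($PathName.Trim() -split '\s+')[0].ToLowerInvariant()
}

function Find-DuplicateServicePaths {
    # Services whose executable is registered under more than one service name
    # (e.g. BDProtSrv and a clone such as BDProtSrv02 from the write-up).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        Group-Object -Property { Get-ServiceBinary $_.PathName } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                BinaryPath = $_.Name
                Services   = ($_.Group.Name -join ', ')
            }
        }
}

function Find-SuspiciousCryptoProviders {
    # CSP registrations whose 'Image Path' is relative (resolved through the DLL
    # search order) or points outside the System32 directory.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
    $sys32 = [Environment]::GetFolderPath('System').ToLowerInvariant()
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $imagePath = (Get-ItemProperty -Path $_.PSPath -Name 'Image Path' -ErrorAction SilentlyContinue).'Image Path'
        if (-not $imagePath) { return }
        $expanded = [Environment]::ExpandEnvironmentVariables($imagePath).ToLowerInvariant()
        if (-not [IO.Path]::IsPathRooted($expanded) -or -not $expanded.StartsWith($sys32)) {
            [pscustomobject]@{ Provider = $_.PSChildName; ImagePath = $imagePath }
        }
    }
}

function Compare-TrustedCertBaseline([string]$BaselinePath) {
    # Snapshot the thumbprints in the machine-wide trust stores on first run;
    # on later runs report certificates that were not in the snapshot.
    $current = foreach ($store in 'Root', 'TrustedPublisher') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
            [pscustomobject]@{ Store = $store; Thumbprint = $_.Thumbprint; Subject = $_.Subject }
        }
    }
    if (-not (Test-Path $BaselinePath)) {
        $current | Export-Csv -Path $BaselinePath -NoTypeInformation
        Write-Host "Baseline written to $BaselinePath; re-run later to diff."
        return
    }
    $known = (Import-Csv -Path $BaselinePath).Thumbprint
    $current | Where-Object { $known -notcontains $_.Thumbprint }
}

# Usage (placeholder baseline path; review results by hand).
Find-DuplicateServicePaths      | Format-Table -AutoSize
Find-SuspiciousCryptoProviders  | Format-Table -AutoSize
Compare-TrustedCertBaseline -BaselinePath "$env:ProgramData\trusted-cert-baseline.csv" | Format-Table -AutoSize
```

Expect benign hits: smart-card and HSM vendors legitimately register CSPs outside System32, and enterprise CAs appear as new Root entries after a GPO rollout. The value of the script is in the diff between runs rather than in any single finding, and the service-path check is the cheapest of the three, since a second service name pointing at an antivirus binary has no normal explanation.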
MITRE Techniques
- [T1547] Boot or Logon Autostart Execution – Cloning and creating a new Windows service with the same configuration as the antivirus service to run a malicious executable during service initialization. Quote: ‘Create a Protected Service: Clone a service that matches the configuration of the Antivirus service.’
- [T1218] Signed Binary Proxy Execution – Using a digitally signed DLL (self-signed or cloned signature) and trusting/importing the certificate so the AV loads the malicious provider. Quote: ‘Trust Self-Signed Signature: Either trust your self-signed digital signature or clone the digital signature of legitimate programs.’
- [T1055] Process Injection – Injecting SampleDll.dll into antivirus processes by modifying what is loaded during service initialization and having the process execute the malicious DLL. Quote: ‘After successfully running, I was able to inject SampleDll.dll into the Antivirus process.’
- [T1105] Ingress Tool Transfer – Transferring signed PE and certificate files (SampleDll.dll and sysmon_Clone.cer) to the target machine to facilitate the injection. Quote: ‘copy the file “sysmon_Clone.cer” and the signed PE file “SampleDll.dll” to the target machine.’
- [T1215] Kernel Modules and Extensions – Relying on kernel-mode protections and discussion of kernel driver monitoring; bypassing kernel-level checks by exploiting initialization or trusted-loading mechanisms. Quote: ‘Don’t even consider spoofing the ImagePath by modifying the PEB of the process. Antivirus software typically monitors your process right from its initialization using a kernel driver.’
Indicators of Compromise
- [File Name] proof-of-concept artifacts – SampleDll.dll (signed test DLL that writes mark.txt), sysmon_Clone.cer (certificate exported for signing)
- [Tool / Repository] attacker tools – IAmAntimalware.exe (https://github.com/TwoSevenOneT/IAmAntimalware), CertClone (https://github.com/TwoSevenOneT/CertClone)
- [Service Names] cloned service identifiers – BDProtSrv (original Bitdefender service), BDProtSrv02 (cloned service name used in the example)
- [Filesystem] malicious artifact behavior – mark.txt written inside the antivirus installation folder as proof of injection
Read more: https://www.zerosalarium.com/2025/10/IAmAntimalware-Inject-Code-Into-Antivirus.html