How I fool your antivirus

So how does malware evade detection when starting new rogue processes? Easy—it directly attacks the operating system’s kernel […] The Windows OS internally maintains an array of callback objects with the starting address of PspCreateProcessNotifyRoutine. […] Unsurprisingly, we have discovered malware that uses this implementation by accessing the PspCreateProcessNotifyRoutine (internal pointer) in order to remove all registered callbacks. Once the malware has removed the AV security suite callbacks, it is free to create and terminate processes at will without any pesky security software interference […] And that’s it. The rest of this exploit is trivial. Just walk the PspCreateProcessNotifyRoutine pointer and NULL out all callback objects… Any enterprise or consumer security suite that uses this technique for monitoring process activity can be easily circumvented—a big win for the malware authors.

– from How Advanced Malware Bypasses Process Monitoring,