A new technique enables attackers to exploit antivirus software by injecting harmful code directly into the antivirus processes. This approach makes it easier for them to evade detection and compromise the security that antivirus software is designed to provide.
This method, detailed by cybersecurity researcher Two Seven One Three on X (@TwoSevenOneT), involves cloning protected services and hijacking cryptographic providers to create a backdoor in the antivirus installation folder, bypassing standard defenses.
The approach highlights a vulnerability in how antivirus solutions prioritize their own stability. By injecting code into these “unkillable” processes, researchers gain elevated privileges to perform actions like writing files to restricted directories, all while evading detection.
As antivirus programs evolve to combat sophisticated threats, such techniques underscore the delicate balance between robust security and operational reliability.
Bypassing Antivirus Defenses
Antivirus software employs multiple strategies to shield its core processes from interference, ensuring uninterrupted protection for users.
These programs typically run with SYSTEM-level privileges, granting them broad access to monitor and neutralize threats across the system.
Process introspection allows the antivirus to vigilantly scan its own threads for anomalies, such as unauthorized code injections from external sources.
Further safeguards include code integrity checks that verify the authenticity of loaded modules and the use of Windows’ Protected Process Light (PPL) feature.
This isolates user-mode processes, preventing tampering even by administrators. In the kernel, antivirus drivers deploy sensors to block alterations to detection mechanisms, while self-protection routines automatically restart compromised components or alert on suspicious activity.
Determining which processes qualify for protection is equally meticulous. Developers avoid simplistic checks like process names, which attackers could spoof by mimicking filenames.
Instead, solutions like Bitdefender combine verification of the process’s ImagePath, ensuring the executable resides in the correct directory, with restrictions on file writes to installation folders.
Digital signatures of loaded DLLs add another layer, though attackers can attempt to bypass these through advanced evasion tactics.
Spoofing tricks such as modifying the Process Environment Block (PEB) or manipulating CreateProcess API handles prove futile, because the kernel drivers monitor process initialization from the outset.
Anything that seems too good to be true for malware developers: executing code within #antimalware processes.
Github: TwoSevenOneT/IAmAntimalware #redteam #pentest pic.twitter.com/kii6dpY6yQ — Two Seven One Three (@TwoSevenOneT) October 11, 2025
Service Cloning and Injection Methods
The technique’s ingenuity lies in leveraging the antivirus’s reliance on operating system features while exploiting less-guarded auxiliary components.
Modern antivirus suites bundle extras like firewalls, VPNs, and user interfaces, each running protected processes with installation folder write access. Since direct termination or suspension of these is blocked short of kernel exploits or tools like EDR-Freeze, researchers turn to cloning.
By manually exporting and importing registry keys for an antivirus service, such as Bitdefender’s BDProtSrv, a duplicate service can be created with identical configurations.
A system reboot loads this clone into Services.exe’s cache, spawning a new protected process. Testing with Process Explorer confirms protection via “access denied” errors when attempting termination.
Injection occurs by hijacking the Windows Cryptography API, which antivirus processes use for encryption and signing. Modifying the registry key HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider to point to a malicious DLL triggers loading during service startup.
To evade signature checks, the DLL is signed using cloned certificates from legitimate Windows programs, a method detailed in SpecterOps research.
Steps include creating the cloned service, altering the provider, trusting the signature, launching the service, verifying execution, and restoring the registry to avoid instability.
IAmAntimalware: A Tool for Testing and Evasion
To automate this process, Two Seven One Three developed IAmAntimalware, an open-source tool available on GitHub. It clones the service, modifies the cryptographic provider or COM object registration, imports the certificate, and starts the cloned service, all driven by command-line parameters that specify the original service, the clone name, the certificate file, and the DLL path.
In tests with Bitdefender, the tool signed a sample DLL using CertClone, another GitHub utility that duplicates signatures. The DLL, which outputs debug strings and writes a “mark.txt” file to the installation folder, was successfully injected after execution.
Similar results emerged with Trend Micro and Avast, though Avast required tweaks to target its GUI process for reliability. This method’s implications are profound: malware could embed backdoors in antivirus environments, executing undetected.
Prevention demands vigilant monitoring of module loads from anomalous paths, auditing trusted certificates in the registry, and enforcing PPL alongside behavioral analytics.
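The cloning and provider-hijacking procedure described above leaves three artifacts a defender can look for: a second service registered with the same binary path as a protected antivirus service, a cryptographic provider whose "Image Path" no longer points at a Microsoft-signed DLL under the Windows directory, and an extra certificate trusted in the machine Root store. The audit below checks for all three on a host and is an added example written for this article; it is not code from the original post or from the IAmAntimalware project. It assumes a Windows host with PowerShell 5.1 or later, an elevated session, and the standard registry locations for CSP providers; the svchost exclusion and the duplicate-root-subject check are heuristics, and the function names are chosen here.

```powershell
# Defensive audit for the artifacts of service cloning and CSP provider hijacking.
# Added example for this article (not the article's or IAmAntimalware's code). Run elevated.

$providerRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider'
)
$windowsDir = [Environment]::GetFolderPath('Windows')

# 1. Every registered CSP provider DLL must live under the Windows directory and
#    carry a valid Authenticode signature; anything else is reported as suspicious.
function Get-ProviderFindings {
    foreach ($root in $providerRoots) {
        if (-not (Test-Path $root)) { continue }
        # Bare file names in the 32-bit view resolve to SysWOW64, otherwise to System32.
        $sysDir = if ($root -like '*WOW6432Node*') { 'SysWOW64' } else { 'System32' }
        foreach ($key in Get-ChildItem -Path $root) {
            $imagePath = (Get-ItemProperty -Path $key.PSPath).'Image Path'
            if (-not $imagePath) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($imagePath)
            if (-not [IO.Path]::IsPathRooted($expanded)) {
                $expanded = Join-Path (Join-Path $windowsDir $sysDir) $expanded
            }
            $outsideWindows = -not $expanded.StartsWith($windowsDir, [StringComparison]::OrdinalIgnoreCase)
            $sig = $null
            if (Test-Path -Path $expanded) { $sig = Get-AuthenticodeSignature -FilePath $expanded }
            $status = 'MISSING'
            $signer = ''
            if ($sig) {
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Provider   = $key.PSChildName
                ImagePath  = $expanded
                SigStatus  = $status
                Signer     = $signer
                Suspicious = $outsideWindows -or ($status -ne 'Valid')
            }
        }
    }
}

# 2. Two services registered against the same binary path is the footprint of a
#    cloned service. svchost.exe hosts many services legitimately, so it is skipped.
function Get-ClonedServiceFindings {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch 'svchost\.exe' } |
        Group-Object -Property PathName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                PathName = $_.Name
                Services = ($_.Group.Name -join ', ')
            }
        }
}

# 3. A cloned certificate chain only validates once its root is trusted. A Subject
#    that appears more than once in the machine Root store (with different
#    thumbprints) is worth reviewing against a known-good baseline.
function Get-DuplicateRootFindings {
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Group-Object -Property Subject |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Subject     = $_.Name
                Thumbprints = ($_.Group.Thumbprint -join ', ')
            }
        }
}

Write-Host '== Cryptographic providers outside the Windows directory or not validly signed =='
Get-ProviderFindings | Where-Object Suspicious | Format-Table Provider, ImagePath, SigStatus, Signer -AutoSize
Write-Host '== Services sharing a binary path (possible clones) =='
Get-ClonedServiceFindings | Format-Table -AutoSize
Write-Host '== Root store subjects with more than one certificate (review) =='
Get-DuplicateRootFindings | Format-Table -AutoSize
```

Note the limitation of the signature check: once a cloned root has been added to the trusted store, Get-AuthenticodeSignature reports the hijacked DLL as Valid, which is why the audit also lists duplicate root subjects. The stronger control is a baseline of expected root thumbprints and provider image paths taken from a clean build, with any deviation raised as an alert; pairing that with module-load telemetry for the antivirus processes catches the injection at load time rather than on the next audit run.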
As pentesting evolves, such disclosures push antivirus vendors to fortify against their own strengths turning into liabilities.
The post Hackers Can Inject Malicious Code into Antivirus Processes to Create a Backdoor appeared first on Cyber Security News.