Avast's self-defense driver (aswSP.sys) implements flawed logic for deciding whether a process is trusted. The decision is based only on the path of the image from which the process was created: if the image binary resides in the product directory, the process is trusted; otherwise it is untrusted. Therefore, malicious code can hollow a product binary (e.g. AvastUI.exe, via Import Table infection in the PoC) and act as a trusted application.
Avast Antivirus’ self-defense bypass.
- Create a child process from a whitelisted image (e.g. "C:\Program Files\AVAST Software\Avast\AvastUI.exe") in a suspended state;
- Write own malicious code into the child process (via hollowing or any other technique);
- Resume the child process and enjoy the privileges of a trusted, self-defended process!
This issue has been fixed since Avast 20.4.
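The following Python example is added here and is not part of the original advisory or of Avast's code. It models the two sides of the issue from a defender's view: `weak_is_trusted()` reproduces the path-only decision the advisory describes (which a hollowed product binary satisfies, because its on-disk image path is unchanged), and `flag_untrusted_lineage()` is a detection over process-creation records that catches the advisory's pattern of a product binary spawned by a parent outside the product directory. The record shape borrows Sysmon Event ID 1 field names, the explorer.exe allowlist entry is an assumption, and all sample records (including the dropper path) are constructed.

```python
"""Defender-side checks for the trust-by-path flaw described above.

weak_is_trusted()         - the path-only rule from the advisory.
flag_untrusted_lineage()  - detection over process-creation records
                            (Sysmon Event ID 1 field names) for a product
                            binary started by an untrusted parent.
All records below are constructed sample data, not real telemetry.
"""
from dataclasses import dataclass

PRODUCT_DIR = r"C:\Program Files\AVAST Software\Avast"

# Assumed, tunable allowlist of benign non-product launchers of the UI.
# explorer.exe is an assumption for this example; derive the real list
# from baseline telemetry of the environment being monitored.
DEFAULT_ALLOWED_PARENTS = frozenset({r"c:\windows\explorer.exe"})


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of a Sysmon Event ID 1 record (constructed)."""
    process_id: int
    image: str
    parent_image: str


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; normalise separators as well.
    return path.replace("/", "\\").lower()


def in_product_dir(image: str) -> bool:
    # The trailing separator matters: without it a sibling directory
    # such as "...\AvastFake\" would pass a plain prefix test.
    return _norm(image).startswith(_norm(PRODUCT_DIR) + "\\")


def weak_is_trusted(image: str) -> bool:
    """The path-only rule from the advisory. A hollowed product binary
    satisfies it because only the process memory was replaced."""
    return in_product_dir(image)


def flag_untrusted_lineage(events, allowed_parents=DEFAULT_ALLOWED_PARENTS):
    """Return PIDs of product-directory processes whose parent is neither
    in the product directory nor on the allowlist: the lineage left by the
    suspended-child technique the advisory describes."""
    flagged = []
    for ev in events:
        if not in_product_dir(ev.image):
            continue
        parent_ok = (in_product_dir(ev.parent_image)
                     or _norm(ev.parent_image) in allowed_parents)
        if not parent_ok:
            flagged.append(ev.process_id)
    return flagged


# Constructed sample records.
SAMPLE_EVENTS = [
    # normal launch by the shell
    ProcessCreate(1001, PRODUCT_DIR + r"\AvastUI.exe",
                  r"C:\Windows\explorer.exe"),
    # the advisory's pattern: product UI spawned by an unrelated binary
    ProcessCreate(1002, PRODUCT_DIR + r"\AvastUI.exe",
                  r"C:\Users\bob\AppData\Local\Temp\dropper.exe"),
    # product-internal spawn
    ProcessCreate(1003, PRODUCT_DIR + r"\AvastUI.exe",
                  PRODUCT_DIR + r"\AvastUI.exe"),
    # sibling directory: must not count as the product directory
    ProcessCreate(1004, r"C:\Program Files\AVAST Software\AvastFake\evil.exe",
                  r"C:\Users\bob\dropper.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.process_id, "trusted-by-path:", weak_is_trusted(ev.image))
    print("flagged:", flag_untrusted_lineage(SAMPLE_EVENTS))
```

Run as written, the path-only rule trusts PIDs 1001 to 1003 alike, while the lineage rule flags only 1002; passing an empty allowlist also flags 1001, which is the tuning trade-off a real deployment has to make from its own baseline.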
25-03-2020 Initial report sent to Avast.
26-03-2020 Initial response from Avast stating they are reviewing it.
23-04-2020 Avast triaged the issue reported as a valid issue and is starting work on a fix.
03-06-2020 Avast released a patched version of the product.