1n5aN1aC Posted April 19, 2010

Okay, well it's obvious to me that if you want to do things that are very nefarious, that you're going to have to disable anti-virus/firewalls. Which should be very easy since we can mimic the user. All we have to do is right-click the tray icon, click "disable," then click yes, right?

Not really, for one, you can't know where the tray icon is going to be, since it "hides tray icons" (oh I hate that....). For two, there are hundreds of anti-virus/firewall products.

I can easily write a simple script with something like AHK to view the screen and find where the "expand tray icons" button is, and even find the screen coordinates of a certain part of a picture (therefore finding out where the tray icon is, so we can click it.)

The problem is, we need to have a way to send data from an application back to the teensy, whether we tell the teensy to disable it for us (better than using a script) or we need to tell it when we're done doing something. So we need to figure out a way to send information back to the teensy from within anything (a shell script, an AHK script, or other things.)

I'm sure it's possible, but once this is figured out, it's fairly trivial to build a database of all the anti-virus/firewall products, and what to do on the tray menu to disable them.

Here is a really simple AHK script to disable Defense+ on COMODO firewall:

    DetectHiddenWindows, On
    ShowComodoTrayMenu()
    Sleep 500
    Send {Down 3}{Right}{Up}{Enter}
    TrayTip, Defense+ Security Level, Disabled
    Return

    ShowComodoTrayMenu()
    {
        WinGet, W, List, ahk_class Afx:00400000:0
        hWnd := W%W%
        PostMessage, 10045, 335,0x206,, ahk_id %hWnd% ; Right Click down
        PostMessage, 10045, 335,0x205,, ahk_id %hWnd% ; Right Click Up
    }

This could easily be expanded for "all" products (although I would prefer the program just tell the teensy where to click, so the program is only viewing the screen, and not caught by anti-virus itself.)

shadowpwner Posted April 19, 2010

Why not just use the Ducky to activate the EXE script, and make the EXE script do everything?

1n5aN1aC Posted April 19, 2010

> Why not just use the Ducky to activate the EXE script, and make the EXE script do everything?

Well, I was just thinking that this way, the script (exe) is not doing ANYTHING bad, and therefore there was no chance of it getting nuked by AV...... Anyways, even if I did do that, I would want some way to tell the teensy I'm done, do the next thing, or whatever. (at least that's my thoughts.)

Edited April 19, 2010 by 1n5aN1aC

Spaztikdude Posted April 19, 2010

Should probably make it grab the process list and launch the appropriate script to kill whichever antivirus is running. Should note that some of the scanners would most likely have signatures for kill-scripts like these.

1n5aN1aC Posted April 19, 2010

> Should note that some of the scanners would most likely have signatures for kill-scripts like these.

Of course- That's what I'm trying to do. The script should be absolutely HARMLESS! The script should tell the teensy (duck) where to click to disable it. That way, it can't be blocked. But you need the script to tell it where to click.... So I still don't know how I would tell the teensy where to click/what to type from a script on the computer.....

moonlit Posted April 19, 2010

Mouse movements are problematic. First of all you have no idea where the mouse is beginning, mouse movements are relative (unless you simulate a touchscreen) and second you have no idea of the screen resolution, so if you're aiming for the bottom right corner to hit the task tray, you have a problem, unless you tell the mouse to go impossibly long distances to make sure it gets there.

Even if you get the cursor to the far bottom right of the screen, you have no idea how many icons might be in the tray, which one is which, where the expand button might be if icons are hidden (XP), where the up button is to reveal more icons, etc. Essentially there's so many variables and zero feedback, it'd be next to impossible.

1n5aN1aC Posted April 19, 2010

> Mouse movements are problematic. First of all you have no idea where the mouse is beginning, mouse movements are relative (unless you simulate a touchscreen) and second you have no idea of the screen resolution, so if you're aiming for the bottom right corner to hit the task tray, you have a problem, unless you tell the mouse to go impossibly long distances to make sure it gets there.
>
> Even if you get the cursor to the far bottom right of the screen, you have no idea how many icons might be in the tray, which one is which, where the expand button might be if icons are hidden (XP), where the up button is to reveal more icons, etc. Essentially there's so many variables and zero feedback, it'd be next to impossible.

THAT'S why you have a script with AHK, or some such that views the screen, searches for a specific picture (the expand icon), and it tells the teensy where to click, and which anti-virus it is (based off which icon) so the teensy knows where to click (the script tells it where) then what arrow keys to press to get to the disable.....

moonlit Posted April 20, 2010

If you have access to the machine to run that, why would you need a Teensy?

Chaemelion Posted April 21, 2010

How about you use win+R to bring up command prompt, and kill any processes with names in a list of known AVs? Also, you could use /T to terminate child processes, /F to force everything, or /FI for a filter.

    taskkill /IM Mcshield.exe
    taskkill /IF Mc* (for McAfee processes)

I don't know if you know this, but AV like McAfee will give you annoying pop-up warnings when something is disabled, so it's probably better to kill it altogether. Besides, I think this would be much more effective than guessing where to make mouse clicks...

Edited April 21, 2010 by Chaemelion

Sebkinne Posted April 21, 2010

While Chaemelion is right, I suppose that most AVs run on a different level / are not that easily killable and will at least display a warning. I know that AVG and Avast do so at least, not sure about Mcafee..

Seb

nxt471 Posted April 21, 2010

> While Chaemelion is right, I suppose that most AVs run on a different level / are not that easily killable and will at least display a warning. I know that AVG and Avast do so at least, not sure about Mcafee..
>
> Seb

CONFIRMED, Most AVs are resistant to being killed, this is a feature not a bug. If a virus is able to kill off an AV, you would be getting hacked ALL THE TIME.

Sebkinne Posted April 21, 2010

^- Exactly.

Chaemelion Posted April 22, 2010

I have McAfee and I know it uses different processes for different things such as real time virus scan, and I'm not sure which ones, but you can kill some and they'll stay dead. Anyhow, it's better than shooting in the dark with the mouse. I'll look into it further then reply if I find anything. I get my teensy in a few days so I'm excited :)

Edited April 22, 2010 by Chaemelion

Sebkinne Posted April 22, 2010

> I have McAfee and I know it uses different processes for different things such as real time virus scan, and I'm not sure which ones, but you can kill some and they'll stay dead. Anyhow, it's better than shooting in the dark with the mouse. I'll look into it further then reply if I find anything. I get my teensy in a few days so I'm excited :)

You have a point there. However, when I gave it a try with McAfee, after 10 minutes the program will start the processes again. That does however give us a timeframe of 10 minutes.. :)

Seb

Pinni3 Posted April 22, 2010

> You have a point there. However, when I gave it a try with McAfee, after 10 minutes the program will start the processes again. That does however give us a timeframe of 10 minutes.. :)
>
> Seb

First stop the services then kill process that will prevent it from starting the antivir processes again. I hate AVs especially at work so I kill it. So even if you don't have the rights to adjust the AV in the menu of the AV, you just use this workaround.

In run or cmd:

    net stop <service name>
    net start <service name>

The list of all services:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Edited April 22, 2010 by Pinni3

Sebkinne Posted April 22, 2010

> First stop the services then kill process that will prevent it from starting the antivir processes again. I hate AVs especially at work so I kill it. So even if you don't have the rights to adjust the AV in the menu of the AV, you just use this workaround.
>
> In run or cmd:
>
>     net stop <service name>
>     net start <service name>
>
> The list of all services:
>
>     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Didn't think of that, great :) I'll add it to my list..should really write that up today :)

Seb
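
Seen from the defender's side, the `taskkill` and `net stop` commands discussed in Chaemelion's and Pinni3's posts are visible in process-creation logs. The Python below is an added example, not code from any poster in this thread: it flags command lines that kill a watched process or stop a watched service. The watchlist, the service name `ExampleAvService` and the sample events are constructed assumptions.

```python
import fnmatch
import re

# Constructed watchlist: Mcshield.exe is the image name quoted in the thread;
# "ExampleAvService" is a placeholder for your own product's service name.
PROTECTED_IMAGES = {"mcshield.exe"}
PROTECTED_SERVICES = {"exampleavservice"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')          # quoted or bare argument
_IMAGE_FILTER = re.compile(r"imagename\s+eq\s+(\S+)", re.I)


def classify(cmdline):
    """Return (action, target) if the command tampers with a watched
    process or service, else None."""
    parts = [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]
    if not parts:
        return None
    exe = parts[0].lower().rsplit("\\", 1)[-1]
    exe = exe[:-4] if exe.endswith(".exe") else exe
    args = parts[1:]

    if exe == "taskkill":
        for flag, value in zip(args, args[1:]):
            match = _IMAGE_FILTER.match(value)
            if flag.lower() == "/im":
                pattern = value.lower()
            elif flag.lower() == "/fi" and match:
                pattern = match.group(1).lower()
            else:
                continue
            # taskkill accepts "*" wildcards, so test the pattern against the watchlist.
            for image in sorted(PROTECTED_IMAGES):
                if fnmatch.fnmatchcase(image, pattern):
                    return ("process_kill", image)

    if exe in ("net", "net1") and len(args) >= 2 and args[0].lower() == "stop":
        service = " ".join(args[1:]).lower()
        if service in PROTECTED_SERVICES:
            return ("service_stop", service)
    return None


# Constructed process-creation command lines (the kind of field recorded by
# Sysmon Event ID 1 or Windows Security Event ID 4688).
SAMPLE_EVENTS = [
    "taskkill /F /IM Mcshield.exe",
    'taskkill /F /FI "IMAGENAME eq Mc*"',
    "taskkill /IM notepad.exe",
    r'C:\Windows\System32\net.exe stop "ExampleAvService"',
    "net start ExampleAvService",
]


def scan(events):
    """Return (command line, finding) pairs for the events that were flagged."""
    return [(e, f) for e in events if (f := classify(e)) is not None]
```

A `service_stop` finding followed shortly by a `process_kill` finding on the same host matches the order described in Pinni3's post and is worth alerting on as a pair.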