
[Version 1] Disabling Standard Defences


1n5aN1aC


Okay, well it's obvious to me that if you want to do things that are very nefarious, that you're going to have to disable anti-virus/firewalls. Which should be very easy since we can mimic the user. All we have to do is right-click the tray icon, click "disable," then click yes, right?

Not really. For one, you can't know where the tray icon is going to be, since it "hides tray icons" (oh, I hate that....). For two, there are hundreds of anti-virus/firewall products.

I can easily write a simple script with something like AHK to view the screen and find where the "expand tray icons" button is, and even find the screen coordinates of a certain part of a picture (therefore finding out where the tray icon is, so we can click it.)

The problem is, we need to have a way to send data from an application back to the teensy, whether we tell the teensy to disable it for us (better than using a script) or we need to tell it when we're done doing something. So we need to figure out a way to send information back to the teensy from within anything (a shell script, an AHK script, or other things.)

I'm sure it's possible, but once this is figured out, it's fairly trivial to build a database of all the anti-virus/firewall products, and what to do on the tray menu to disable them.

Here is a really simple AHK script to disable Defense+ on COMODO firewall:

DetectHiddenWindows, On

ShowComodoTrayMenu()
Sleep 500
Send {Down 3}{Right}{Up}{Enter}
TrayTip, Defense+ Security Level, Disabled
Return

ShowComodoTrayMenu() {
 WinGet, W, List, ahk_class Afx:00400000:0
 hWnd := W%W%
 PostMessage, 10045, 335,0x206,, ahk_id %hWnd% ; Right Click down
 PostMessage, 10045, 335,0x205,, ahk_id %hWnd% ; Right Click Up
}

This could easily be expanded for "all" products (although I would prefer the program just tell the teensy where to click, so the program is only viewing the screen, and not caught by anti-virus itself.)


Why not just use the Ducky to activate the EXE script, and make the EXE script do everything?

Well, I was just thinking that this way, the script (exe) is not doing ANYTHING bad, and therefore there was no chance of it getting nuked by AV...... Anyways, even if I did do that, I would want some way to tell the teensy I'm done, do the next thing, or whatever. (at least that's my thoughts.)

Edited by 1n5aN1aC

Should note that some of the scanners would most likely have signatures for kill-scripts like these.

Of course- That's what I'm trying to do. The script should be absolutely HARMLESS! The script should tell the teensy (duck) where to click to disable it. That way, it can't be blocked. But you need the script to tell it where to click....

So I still don't know how I would tell the teensy where to click/what to type from a script on the computer.....


Mouse movements are problematic. First of all you have no idea where the mouse is beginning, mouse movements are relative (unless you simulate a touchscreen) and second you have no idea of the screen resolution, so if you're aiming for the bottom right corner to hit the task tray, you have a problem, unless you tell the mouse to go impossibly long distances to make sure it gets there.

Even if you get the cursor to the far bottom right of the screen, you have no idea how many icons might be in the tray, which one is which, where the expand button might be if icons are hidden (XP), where the up button is to reveal more icons, etc. Essentially there's so many variables and zero feedback, it'd be next to impossible.


Mouse movements are problematic. First of all you have no idea where the mouse is beginning, mouse movements are relative (unless you simulate a touchscreen) and second you have no idea of the screen resolution, so if you're aiming for the bottom right corner to hit the task tray, you have a problem, unless you tell the mouse to go impossibly long distances to make sure it gets there.

Even if you get the cursor to the far bottom right of the screen, you have no idea how many icons might be in the tray, which one is which, where the expand button might be if icons are hidden (XP), where the up button is to reveal more icons, etc. Essentially there's so many variables and zero feedback, it'd be next to impossible.

THAT'S why you have a script with AHK, or some such that views the screen, searches for a specific picture (the expand icon), and it tells the teensy where to click, and which anti-virus it is (based off which icon) so the teensy knows where to click (the script tells it where) then what arrow keys to press to get to the disable.....


How about you use win+R to bring up command prompt, and kill any processes with names in a list of known AVs?

Also, you could use /T to terminate child processes, /F to force everything, or /FI for a filter.

taskkill /IM Mcshield.exe 
taskkill /IF Mc* 
(for McAfee processes)

I don't know if you know this, but AV like McAfee will give you an annoying pop-up warning when something is disabled, so it's probably better to kill it altogether. Besides, I think this would be much more effective than guessing where to make mouse clicks...

Edited by Chaemelion

While Chaemelion is right, I suppose that most AVs run on a different level / are not that easily killable and will at least display a warning. I know that AVG and Avast do so at least, not sure about McAfee..

Seb

CONFIRMED, Most AVs are resistant to being killed, this is a feature not a bug.

If a virus is able to kill off an AV, you would be getting hacked ALL THE TIME.


I have McAfee and I know it uses different processes for different things such as real-time virus scan, and I'm not sure which ones, but you can kill some and they'll stay dead. Anyhow, it's better than shooting in the dark with the mouse. I'll look into it further, then reply if I find anything. I get my teensy in a few days so I'm excited :)

Edited by Chaemelion

I have McAfee and I know it uses different processes for different things such as real-time virus scan, and I'm not sure which ones, but you can kill some and they'll stay dead. Anyhow, it's better than shooting in the dark with the mouse. I'll look into it further, then reply if I find anything. I get my teensy in a few days so I'm excited :)

You have a point there. However, when I gave it a try with McAfee, after 10 minutes the program will start the processes again. That does however give us a timeframe of 10 minutes.. :)

Seb


You have a point there. However, when I gave it a try with McAfee, after 10 minutes the program will start the processes again. That does however give us a timeframe of 10 minutes.. :)

Seb

First stop the services, then kill the process that will prevent it from starting the antivirus processes again.

I hate AVs, especially at work, so I kill it.

So even if you don't have the rights to adjust the AV in the menu of the AV,

you just use this workaround.

in run or cmd

net stop <service name>

net start <service name>

The list of all services is under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Edited by Pinni3
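A defender's counterpart to the taskkill / net stop approach discussed in this thread, added here as an example and not posted by anyone in the thread: it scans a few constructed Windows event lines (a 4688 process-creation record and a 7036 service-state record, flattened one per line) and flags attempts to kill AV processes or stop AV services. The AV watch-list and the log format are assumptions for the demo.

```python
import re

# Constructed sample log lines (not from the thread): 4688 = process created,
# 7036 = service changed state, flattened the way a SIEM export might look.
SAMPLE_LOGS = [
    '4688 NewProcessName=C:\\Windows\\System32\\taskkill.exe CommandLine="taskkill /IM Mcshield.exe /F" Subject=CORP\\jdoe',
    '4688 NewProcessName=C:\\Windows\\System32\\net.exe CommandLine="net stop McAfeeFramework" Subject=CORP\\jdoe',
    '4688 NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt" Subject=CORP\\jdoe',
    '7036 Service="McAfee McShield" State=stopped',
    '7036 Service="Print Spooler" State=stopped',
]

# Assumed watch-list of AV/firewall process and service name fragments; a real
# deployment would fill this from the product actually installed.
AV_NAMES = {"mcshield", "mcafee", "avast", "avg", "cmdagent", "comodo"}

# taskkill or "net stop" command lines, capturing everything after the verb
KILL_CMD = re.compile(r'CommandLine="(?:taskkill|net\s+stop)\s+(.*)"', re.I)
# a service that entered the stopped state
SVC_STOP = re.compile(r'Service="([^"]+)"\s+State=stopped', re.I)


def mentions_av(text):
    """True if any watch-listed AV name fragment appears in the text."""
    t = text.lower()
    return any(name in t for name in AV_NAMES)


def classify(line):
    """Return an alert string for a suspicious event line, else None."""
    if line.startswith("4688"):
        m = KILL_CMD.search(line)
        if m and mentions_av(m.group(1)):
            return "av-kill-attempt: " + m.group(0)
    elif line.startswith("7036"):
        m = SVC_STOP.search(line)
        if m and mentions_av(m.group(1)):
            return "av-service-stopped: " + m.group(1)
    return None


def scan(lines):
    """Run classify() over every line and keep only the alerts."""
    return [alert for alert in (classify(line) for line in lines) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Pairing the 4688 and 7036 signals is what matters: a stopped AV service right after a taskkill or net stop from an interactive user session is the pattern the thread describes, and either event alone is noisier.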

First stop the services, then kill the process that will prevent it from starting the antivirus processes again.

I hate AVs, especially at work, so I kill it.

So even if you don't have the rights to adjust the AV in the menu of the AV,

you just use this workaround.

in run or cmd

net stop <service name>

net start <service name>

The list of all services is under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Didn't think of that, great :)

I'll add it to my list... should really write that up today :)

Seb
