
1n5aN1aC

[Version 1] Disabling Standard Defences


Okay, well it's obvious to me that if you want to do things that are very nefarious, that you're going to have to disable anti-virus/firewalls. Which should be very easy since we can mimic the user. All we have to do is right-click the tray icon, click "disable," then click yes, right?

Not really. For one, you can't know where the tray icon is going to be, since it "hides tray icons" (oh, I hate that....). For two, there are hundreds of anti-virus/firewall products.

I can easily write a simple script with something like AHK to view the screen and find where the "expand tray icons" button is, and even find the screen coordinates of a certain part of a picture (therefore finding out where the tray icon is, so we can click it.)

The problem is, we need to have a way to send data from an application back to the teensy, whether we tell the teensy to disable it for us (better than using a script) or we need to tell it when we're done doing something. So we need to figure out a way to send information back to the teensy from within anything (a shell script, an AHK script, or other things.)

I'm sure it's possible, but once this is figured out, it's fairly trivial to build a database of all the anti-virus/firewall products, and what to do on the tray menu to disable them.

Here is a really simple AHK script to disable Defense+ on COMODO firewall:

DetectHiddenWindows, On

ShowComodoTrayMenu()
Sleep 500
Send {Down 3}{Right}{Up}{Enter}
TrayTip, Defense+ Security Level, Disabled
Return

ShowComodoTrayMenu() {
 WinGet, W, List, ahk_class Afx:00400000:0
 hWnd := W%W%
 PostMessage, 10045, 335,0x206,, ahk_id %hWnd% ; Right Click down
 PostMessage, 10045, 335,0x205,, ahk_id %hWnd% ; Right Click Up
}

This could easily be expanded for "all" products (although I would prefer the program just tell the teensy where to click, so the program is only viewing the screen, and not caught by anti-virus itself.)

Why not just use the Ducky to activate the EXE script, and make the EXE script do everything?

Well, I was just thinking that this way, the script (exe) is not doing ANYTHING bad, and therefore there was no chance of it getting nuked by AV...... Anyways, even if I did do that, I would want some way to tell the teensy I'm done, do the next thing, or whatever. (at least that's my thoughts.)


Should probably make it grab the process list and launch the appropriate script to kill whichever antivirus is running.

Should note that some of the scanners would most likely have signatures for kill-scripts like these.

Should note that some of the scanners would most likely have signatures for kill-scripts like these.

Of course, that's what I'm trying to do. The script should be absolutely HARMLESS! The script should tell the teensy (duck) where to click to disable it. That way, it can't be blocked. But you need the script to tell it where to click....

So I still don't know how I would tell the teensy where to click/what to type from a script on the computer.....


Mouse movements are problematic. First of all you have no idea where the mouse is beginning, mouse movements are relative (unless you simulate a touchscreen) and second you have no idea of the screen resolution, so if you're aiming for the bottom right corner to hit the task tray, you have a problem, unless you tell the mouse to go impossibly long distances to make sure it gets there.

Even if you get the cursor to the far bottom right of the screen, you have no idea how many icons might be in the tray, which one is which, where the expand button might be if icons are hidden (XP), where the up button is to reveal more icons, etc. Essentially there are so many variables and zero feedback, it'd be next to impossible.

Mouse movements are problematic. First of all you have no idea where the mouse is beginning, mouse movements are relative (unless you simulate a touchscreen) and second you have no idea of the screen resolution, so if you're aiming for the bottom right corner to hit the task tray, you have a problem, unless you tell the mouse to go impossibly long distances to make sure it gets there.

Even if you get the cursor to the far bottom right of the screen, you have no idea how many icons might be in the tray, which one is which, where the expand button might be if icons are hidden (XP), where the up button is to reveal more icons, etc. Essentially there are so many variables and zero feedback, it'd be next to impossible.

THAT'S why you have a script with AHK, or some such that views the screen, searches for a specific picture (the expand icon), and it tells the teensy where to click, and which anti-virus it is (based off which icon) so the teensy knows where to click (the script tells it where) then what arrow keys to press to get to the disable.....


If you have access to the machine to run that, why would you need a Teensy?


How about you use win+R to bring up command prompt, and kill any processes with names in a list of known AVs?

Also, you could use /T to terminate child processes, /F to force everything, or /FI for a filter.

taskkill /IM Mcshield.exe 
taskkill /IF Mc* 
(for McAfee processes)

I don't know if you know this, but AV like McAfee will give you an annoying pop-up warning when something is disabled, so it's probably better to kill it altogether. Besides, I think this would be much more effective than guessing where to make mouse clicks...


While Chaemelion is right, I suppose that most AVs run on a different level / are not that easily killable and will at least display a warning. I know that AVG and Avast do so at least, not sure about Mcafee..

Seb

While Chaemelion is right, I suppose that most AVs run on a different level / are not that easily killable and will at least display a warning. I know that AVG and Avast do so at least, not sure about Mcafee..

Seb

CONFIRMED, most AVs are resistant to being killed; this is a feature, not a bug.

If a virus is able to kill off an AV, you would be getting hacked ALL THE TIME.


I have McAfee and I know it uses different processes for different things such as real-time virus scan, and I'm not sure which ones, but you can kill some and they'll stay dead. Anyhow, it's better than shooting in the dark with the mouse. I'll look into it further then reply if I find anything. I get my teensy in a few days so I'm excited :)

I have McAfee and I know it uses different processes for different things such as real-time virus scan, and I'm not sure which ones, but you can kill some and they'll stay dead. Anyhow, it's better than shooting in the dark with the mouse. I'll look into it further then reply if I find anything. I get my teensy in a few days so I'm excited :)

You have a point there. However, when I gave it a try with McAfee, after 10 minutes the program will start the processes again. That does however give us a timeframe of 10 minutes.. :)

Seb

You have a point there. However, when I gave it a try with McAfee, after 10 minutes the program will start the processes again. That does however give us a timeframe of 10 minutes.. :)

Seb

First stop the services, then kill the process; that will prevent it from starting the antivirus processes again.

I hate AVs, especially at work, so I kill it.

So even if you don't have the rights to adjust the AV in the menu of the AV.

You just use this workaround.

In Run or cmd:

net stop <service name>

net start <service name>

The list of all services: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

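A defender-side counterpart to the taskkill post and the net stop post above, added here as an example and not code from the thread: a small Python scan over process-creation log lines that flags `taskkill` invocations aimed at a security product's image names (including the `Mc*` wildcard form used in the thread) and `net stop` against its service. Mcshield.exe is the one image name taken from the thread; the log line format, exampleav.exe, exampleavsvc and the sample lines are constructed for the demo.

```python
"""Flag AV-tampering command lines (taskkill / net stop) in process-creation logs.

Added example for this thread, not code posted in it. The log format and the
watchlists are constructed; only Mcshield.exe comes from the thread itself.
"""
import fnmatch
import re

# Constructed watchlists. Mcshield.exe is from the thread; the other two names
# are placeholders standing in for whatever product is deployed on the endpoint.
WATCHED_IMAGES = {"mcshield.exe", "exampleav.exe"}
WATCHED_SERVICES = {"exampleavsvc"}

# Constructed log layout: key=value fields, with the command line in quotes.
CMDLINE_RE = re.compile(r'cmdline="([^"]*)"')
HOST_RE = re.compile(r"host=(\S+)")


def taskkill_targets(tokens):
    """Return every image-name pattern that follows a /IM switch."""
    return [tokens[i + 1] for i, tok in enumerate(tokens[:-1]) if tok.lower() == "/im"]


def matched_images(pattern):
    """Watched images matched by a (possibly wildcarded) taskkill /IM pattern."""
    pattern = pattern.lower()
    return sorted(img for img in WATCHED_IMAGES if fnmatch.fnmatchcase(img, pattern))


def classify(cmdline):
    """Return (rule, target) when the command line targets a watched product, else None."""
    tokens = cmdline.split()
    if not tokens:
        return None
    head = tokens[0].lower()
    if head in ("taskkill", "taskkill.exe"):
        forced = "/f" in (t.lower() for t in tokens)
        for pattern in taskkill_targets(tokens):
            hits = matched_images(pattern)
            if hits:
                return ("taskkill-forced" if forced else "taskkill", ",".join(hits))
    elif head in ("net", "net.exe") and len(tokens) >= 3 and tokens[1].lower() == "stop":
        service = tokens[2].lower()
        if service in WATCHED_SERVICES:
            return ("net-stop-service", service)
    return None


def scan(lines):
    """Run classify() over each log line and collect the findings as dicts."""
    findings = []
    for line in lines:
        m = CMDLINE_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group(1))
        if verdict is None:
            continue
        host = HOST_RE.search(line)
        findings.append({
            "host": host.group(1) if host else "?",
            "rule": verdict[0],
            "target": verdict[1],
            "cmdline": m.group(1),
        })
    return findings


# Constructed sample log: two benign lines, two tampering attempts, one benign net stop.
SAMPLE_LOG = [
    'ts=2024-05-01T09:00:01Z host=WS01 user=alice cmdline="notepad.exe report.txt"',
    'ts=2024-05-01T09:00:07Z host=WS01 user=alice cmdline="taskkill /F /IM Mc*"',
    'ts=2024-05-01T09:00:09Z host=WS01 user=alice cmdline="net stop exampleavsvc"',
    'ts=2024-05-01T09:01:00Z host=WS02 user=bob cmdline="taskkill /F /IM notepad.exe"',
    'ts=2024-05-01T09:02:00Z host=WS02 user=bob cmdline="net stop spooler"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['host']}: {finding['rule']} -> {finding['target']} ({finding['cmdline']})")
```

The rule deliberately keys on the target, not on the tool: `taskkill` and `net stop` are everyday administration commands, so only hits on the watched product names are reported. This complements the self-protection the posters ran into (services restarting after a few minutes), since an attempt that the product shrugs off is still worth an alert.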
First stop the services, then kill the process; that will prevent it from starting the antivirus processes again.

I hate AVs, especially at work, so I kill it.

So even if you don't have the rights to adjust the AV in the menu of the AV.

You just use this workaround.

In Run or cmd:

net stop <service name>

net start <service name>

The list of all services: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Didn't think of that, great :)

I'll add it to my list.. should really write that up today :)

Seb
