
AntiVirus killer


moonlit


Project on hold, my hat's getting sun-bleached...

URL Removed.

AVKill 1.0 by Moonlit
=====================

Description:
============
This tool will kill a selection of antivirus applications.
The antivirus application will be killed only until the next reboot, no files are modified or destroyed.

Usage:
=====
Run Esc.exe either manually or via a batch or script. The AV killer (AVKill.exe) will be run under System privileges and kill the AV software.

Todo:
=====
Add tray icons to simulate the appearance of the AV being fully functional.
One example would be where AVG might grey out its tray icon to show something is not working, need to make it show a coloured icon to avoid suspicion.

Add more antivirus apps to be killed.

Possibly add firewalls and anti-spyware apps to help avoid detection even further.

Add options/switches to kill totally (remove AV), use tray icon(s), restart AV when done or after a certain time period.

Merge to 1 exe.

History/Fixes:
==============
V1.0: Fixed 100% CPU usage, removed test forms, fixed 'root dir only' bug.

v0.5: Added AVG, Avast, NOD32 and Trend.

Greetz:
=======
Melodic, Bigbro and Kainchick for testing, #hak5 on irc.hak5.org for help & support.

Duped in Switchblade thread for relevance, here for those who don't read aforementioned thread.

Edit: Updated versions available, see wiki page for info - will be updating wiki page more regularly than here most likely so keep an eye out :)


I can't wait for this to be implemented into the switchblade. Having a device that would not only grab the lm hash and other passwords, but also kill the av so you could easily install/infect anything you wanted without anyone knowing. All with just the insertion of a thumbdrive.

This could be a very bad thing in the wrong hands. :twisted:


Just tested the avkill 1.0 and the 1.1 on 2 computers running Symantec Corporate Antivirus Edition and it does nothing to it :p

Symantec (especially Corp) isn't implemented yet, keep an eye on the wiki for future updates :)

esc doesn't seem to do anything (not even start the avkiller)

and so doesn't affect avast, running avkilled does :D

http://home.euphonynet.be/dlss/images/lv3moonlit.png

<3 ya m8

Yeah, new method in v1.11, Esc.exe isn't needed any more :)


Are you on Windows 2k, XP or 2k3 w/Admin privileges?

It relies on the AT command to escalate itself and so requires these...

If you have a bug for me to fix I'll need more info I'm afraid like what OS, which AVKill version, level of user rights, method used to run the app and what it runs as... :)

Less tasks? I'm not sure I get you, unless you're running version 1.0 in which case I'd recommend you upgrade to v1.11 which uses only 1 process.


Are you on Windows 2k, XP or 2k3 w/Admin privileges?

It relies on the AT command to escalate itself and so requires these...

If you have a bug for me to fix I'll need more info I'm afraid like what OS, which AVKill version, level of user rights, method used to run the app and what it runs as... :)

Less tasks? I'm not sure I get you, unless you're running version 1.0 in which case I'd recommend you upgrade to v1.11 which uses only 1 process.

Well, it still runs as the user, I am running on an XP Pro x64 edition.

Sorry about that thing about a lot of tasks running, my system is now doing it on its own, so I'll ask what for on another thread ...)

Also, when trying to incorporate it into a switchblade without nircmd it opens 3 windows for a slight second, those shouldn't be visible (but I'll run it through nircmd .... (if it still works that way)


Are you on Windows 2k, XP or 2k3 w/Admin privileges?

It relies on the AT command to escalate itself and so requires these...

If you have a bug for me to fix I'll need more info I'm afraid like what OS, which AVKill version, level of user rights, method used to run the app and what it runs as... :)

Less tasks? I'm not sure I get you, unless you're running version 1.0 in which case I'd recommend you upgrade to v1.11 which uses only 1 process.

Well, it still runs as the user, I am running on an XP Pro x64 edition.

Sorry about that thing about a lot of tasks running, my system is now doing it on its own, so I'll ask what for on another thread ...)

Also, when trying to incorporate it into a switchblade without nircmd it opens 3 windows for a slight second, those shouldn't be visible (but I'll run it through nircmd .... (if it still works that way)

Yeah it's 32-bit only which could well be why...

The 3 windows are NET STOP commands and I've not heard anyone really complain, one or two people have mentioned it but the windows don't appear for long enough to see during mine and others' testing...
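
A defender-side sketch of the behaviour described in this thread (a job scheduled with AT, followed by NET STOP against antivirus services), added here as an example and not part of the original posts or the tool: it scans process-creation records for both signals and reports hosts where they coincide. The event records, the service names and the PROTECTED_SERVICES list are constructed placeholders.

```python
import re

# Constructed process-creation records; service names are placeholders,
# not the real service names of any antivirus product.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmd": r"at.exe 14:05 C:\Temp\example.exe"},
    {"host": "WS01", "cmd": "net stop ExampleAVService"},
    {"host": "WS01", "cmd": "net.exe stop ExampleAVGuard /y"},
    {"host": "WS02", "cmd": "net stop Spooler"},
    {"host": "WS02", "cmd": "net start ExampleAVService"},
]
PROTECTED_SERVICES = {"exampleavservice", "exampleavguard"}  # defender-maintained
TIME_ARG = re.compile(r"^\d{1,2}:\d{2}")  # AT takes the run time as an argument


def split_cmd(cmd):
    """Return (image name without path or .exe, lowercased arguments).
    Simplification: image paths containing spaces are not handled."""
    parts = cmd.strip().split()
    if not parts:
        return "", []
    image = parts[0].strip('"').rsplit("\\", 1)[-1].lower()
    if image.endswith(".exe"):
        image = image[:-4]
    return image, [p.strip('"').lower() for p in parts[1:]]


def detect(events, protected=PROTECTED_SERVICES):
    """Flag AT job creation and NET STOP aimed at a protected service."""
    findings = []
    for ev in events:
        image, args = split_cmd(ev["cmd"])
        if image == "at" and any(TIME_ARG.match(a) for a in args):
            findings.append((ev["host"], "at_job_created", ev["cmd"]))
        elif image in ("net", "net1") and args[:1] == ["stop"] \
                and len(args) > 1 and args[1] in protected:
            findings.append((ev["host"], "security_service_stop", ev["cmd"]))
    return findings


def correlated_hosts(findings):
    """Hosts showing both signals, the pairing described in the thread."""
    seen = {}
    for host, rule, _ in findings:
        seen.setdefault(host, set()).add(rule)
    both = {"at_job_created", "security_service_stop"}
    return sorted(h for h, rules in seen.items() if both <= rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    print(hits, correlated_hosts(hits))
```
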


Just tested the avkill 1.0 and the 1.1 on 2 computers running Symantec Corporate Antivirus Edition and it does nothing to it :p

Symantec (especially Corp) isn't implemented yet, keep an eye on the wiki for future updates :)

I played around with the av killer for a bit and I found out that the hack did something weird to my av after all. When I tried to open pwdump or anything listed as a virus or stuff like that it just removed them but there wasn't a big popup with warning and stuff.

It didn't remove the av icon from my process bar "And that's a big Plus", so actually if I got it to run with e.g. the Switchblade, it could copy the stuff and then first later when the computer was restarted give the warnings "when I'm over all hills".

But this makes it a 1 time hack because right after the stuff has run it deletes them.


Yeah I do have some Symantec killer code in there but it's currently unfinished and borked, it's possible it might knock off parts of Symantec but I haven't said it supports Symantec yet since it's unlikely to really do much...


T_T downloads are down, so just wondering if you want a mirror? I've got a server free atm and am happy to host small files (anything under 50mg) if you're interested, please send me an email to ste03_aus@hotmail.com and I'll set you up with FTP access. Server is 98% uptime and hosted in Aus ^^


I actually took them down because I was concerned about misuse. The project will likely continue but I will probably make it a little more difficult (though not impossible by any means) to get hold of the latest source/binaries.

Apologies for the downtime, hope y'all can appreciate my thoughts there and we'll be right back after this short message from our sponsors...

;)

Edit: On saying this, I will still keep the wiki updated, just so you all know that's still the place to go to find it all :)


I actually took them down because I was concerned about misuse. The project will likely continue but I will probably make it a little more difficult (though not impossible by any means) to get hold of the latest source/binaries.

Apologies for the downtime, hope y'all can appreciate my thoughts there and we'll be right back after this short message from our sponsors...

;)

Edit: On saying this, I will still keep the wiki updated, just so you all know that's still the place to go to find it all :)

k pls do keep us informed about where to get it tho, cos I really like it.
