Sopyan
Posted October 8, 2017

Hey, I played around with the ducky for a while now and Windows Defender seems to be picking up the ducky right before it even GUI r's to PowerShell and downloads a malicious exe. I plug it in. It's detected... nothing malicious is on that ducky at all, just the bin file that would run PowerShell, but it doesn't even get to that stage to even get to download the exe (which would make sense to be picked up).

Just_a_User
Posted October 8, 2017

20 minutes ago, Sopyan said:
> Hey, I played around with the ducky for a while now and Windows Defender seems to be picking up the ducky right before it even GUI r's to PowerShell and downloads a malicious exe. I plug it in. It's detected... nothing malicious is on that ducky at all, just the bin file that would run PowerShell, but it doesn't even get to that stage to even get to download the exe (which would make sense to be picked up).

Possibly need to change the VID/PID of the ducky, maybe even a rename.

Sopyan (Author)
Posted October 10, 2017

On 10/8/2017 at 12:04 PM, Just_a_User said:
> Possibly need to change the VID/PID of the ducky, maybe even a rename.

I did that, generated the vidpid.bin file and placed it on the SD. But somehow it doesn't run. What am I doing wrong? Is there any firmware update?

Just_a_User
Posted October 10, 2017

6 hours ago, Sopyan said:
> is there any firmware update?

I'm not sure which firmware you're running. Maybe try a reflash with c_duck_v2.1.hex. From memory the 2.1's have the part that looks for the vidpid.bin. Alternatively, there was a way to edit the vidpid directly on the firmware using a hex editor, but I haven't done this myself.

0phoi5
Posted November 3, 2017

On 08/10/2017 at 10:41 AM, Sopyan said:
> Hey, I played around with the ducky for a while now and Windows Defender seems to be picking up the ducky right before it even GUI r's to PowerShell and downloads a malicious exe. I plug it in. It's detected... nothing malicious is on that ducky at all, just the bin file that would run PowerShell, but it doesn't even get to that stage to even get to download the exe (which would make sense to be picked up).

From what you're saying here, I'm guessing you have firmware installed that allows the ducky to be read as a storage device as well as a HID. Windows Defender is either finding your malicious exe on the ducky, or if it's not on the ducky then it recognises the URL that the malicious exe is being downloaded from as being potentially dodgy (if you've run it once before successfully, and then it started getting picked up after this, this is probably the case).

I'd set your ducky back to the original firmware and re-flash. If it still finds something malicious, try changing the URL the exe is located via.