bitzero Posted September 8, 2009

Hey guys, I saw this package and it caught my interest... The only problem I had with it was that most everything would be caught by AV... then I remembered a video of a presentation where the presenter (forgotten your name! sorry!! it was a brilliant presentation named "Pissing on your AV") detailed how to add a few instructions to the executable which encoded the executable and then decoded it while in memory (the actual executable was changed, so to AV it was not the same file). Then I decided to take a crack at it; I chose the IEPV.exe file under the SYSTEM directory and set to work.

I took a virustotal.com scan before I had modified anything:

File IEPV.EXE received on 2009.09.08 07:04:02 (UTC)
Result: 28/41 (68.3%)

And then I took one afterwards:

File IEPV-3.exe received on 2009.09.08 08:23:16 (UTC)
Result: 14/41 (34.15%)

Now, it isn't fooling everything... but 14/41 is better than 28/41 :)

If anyone is keen on getting me a list of which files show up as virii and keen on trying to get this project back up and running, let me know - I'm willing to put my time into setting this up for each executable necessary :) Those interested give me a PM!

Cheers, bitzero

edit: attached file, feel free to check its functionality and virus scan results vs. the original

edit2: bah, can't attach the file. Visit here to dl - http://rapidshare.com/files/277188423/IEPV-3.exe.html
walts Posted September 8, 2009

I would love to see this project resurrected. I use it mostly in a "friendly" way, not to break into anyone's machine - unless they ask me to ;-) but it is annoying having to explain why their A-V has gone berserk! Since I have XP and Windows 7 VMs with a variety of A-V products available, I would be glad to contribute in testing, but I would need someone else to do the actual coding. It's been a while, but I think I can still remember how to build a new U3 device, given all the necessary files.

Walt
bitzero Posted September 8, 2009

Hey Walt, I don't have the know-how to code a project like this, and like the logs show there - the file was still detected by 14/41 AV programs... but it's better than over half of those detecting it for sure :P I'm also not sure how masking some of the better known files would go down - we can always try and see though :)

If someone can put their hand up to code something like this (preferably someone who has coded one in the past) they can count me in to try and mask all of the .exe's (possibly .dll, I'll have to figure out if they can be en/decoded in the same way). I don't really want to go ahead and mask all the current files and then release it to the public; maybe releasing them on a person by person basis via PMs would work better - that way you can check their activity/post content etc... if script kiddies want to fuck shit up that's fine, but I'd rather not make it easier on them :P What I've done took a tiny bit of research and the ability to watch that presentation; anyone who wanted to could easily do it for themselves :P

I'm kind of rambling here, but if anyone capable of coding/scripting a project wants to, count me in :)

Cheers, bitzero
bme2008 Posted October 4, 2009

Hey, I don't get how to install it for a U3 device. Right now I have an empty flash drive; it had U3 on it, but I uninstalled it. So what do I do with the files that I downloaded? Thanks.
walts Posted October 4, 2009

bugmenot, search the forums for u3 installer - you'll learn a lot more than if I just gave you the link.

bitzero, I apologize for taking so long to get back to you. If things settle down here, computerwise, maybe we can share the load, each of us masking some files and swapping. When we are sure they work OK we can post publicly. Of course if anyone else wants to join in the effort they are welcome!

I still don't have a working environment to do this work in. I use a Mac and in the past have used my Boot Camp partition for U3 stuff, but the Boot Camp partition is now Windows 7 and I have XP in a virtual machine. I think, but have not yet proven, that the U3 installer will work in that environment. I should know within a week. The problem has been in the past that programs that like to work directly with the hardware won't run well in a virtual environment, and I'm unsure if the U3 installer fits that category. Once I finish building that VM I will know.

Walt
bme2008 Posted October 4, 2009

> bugmenot, search the forums for u3 installer - you'll learn a lot more than if I just gave you the link.

Well, I installed U3 on my U3 drive. So now there's the U3 launchpad, and in My Computer there's a CD drive AND the actual drive. But now what do I do with the files in PocketKnife_v0880\Leapos_Payload_v0880\Leapos_Payload_U3? There's "U3.ISO", "U3 ISO Source" (which is just that ISO extracted), and then "Flash Partition". So what do I do with those files/folders?
walts Posted October 5, 2009

> Well, I installed U3 on my U3 drive. So now there's the U3 launchpad, and in My Computer there's a CD drive AND the actual drive. But now what do I do with the files in PocketKnife_v0880\Leapos_Payload_v0880\Leapos_Payload_U3? There's "U3.ISO", "U3 ISO Source" (which is just that ISO extracted), and then "Flash Partition". So what do I do with those files/folders?

http://wiki.hak5.org/wiki/Universal_U3_LaunchPad_Hacker
catchyanow Posted November 5, 2009

Can someone please post the most recent download link... Please can we also get this project back up on its feet again. I only discovered it yesterday and it seems awesome!
Daedalus317 Posted November 11, 2009

> Can someone please post the most recent download link... Please can we also get this project back up on its feet again. I only discovered it yesterday and it seems awesome!

I too would like to see this thread back alive, but the answer to your question is on the first page, 4th post.

Daedalus
catchyanow Posted November 15, 2009

> I too would like to see this thread back alive, but the answer to your question is on the first page, 4th post.

Thanks man :D
MtwStark Posted November 18, 2009

Hi everybody, I have a USB flash drive and I'm not able to access it anymore. I'm not sure this is the right thread; please direct me to the right one if needed.

It is identified as a USBest USB2FlashStorage Vid:Pid 1307:0163, but inside I found a UT165 chip, one 12 MHz quartz and 2 SAMSUNG RAM chips. It is loaded as a removable disk but inaccessible; Windows says "Insert disk" when opening it. ChipGenius sent me to UT163 MP Tool; I have tried many versions up to UT165 MP Tool 1.65.25. I have tried UT165_rescue_v1.0.3.1 and Super Stick Recovery Tool V1.0.2.19.

I really need to recover the data on it, any chance?
catchyanow Posted November 19, 2009

> Hi everybody, I have a USB flash drive and I'm not able to access it anymore. I'm not sure this is the right thread; please direct me to the right one if needed. It is identified as a USBest USB2FlashStorage Vid:Pid 1307:0163, but inside I found a UT165 chip, one 12 MHz quartz and 2 SAMSUNG RAM chips. It is loaded as a removable disk but inaccessible; Windows says "Insert disk" when opening it. ChipGenius sent me to UT163 MP Tool; I have tried many versions up to UT165 MP Tool 1.65.25. I have tried UT165_rescue_v1.0.3.1 and Super Stick Recovery Tool V1.0.2.19. I really need to recover the data on it, any chance?

This is the right forum HERE. Hope this helped.
rony1434 Posted November 22, 2009

Hi. Hey man, thanks for sharing such a nice post. It's really very useful for increasing our knowledge.
screw_ball69 Posted December 9, 2009

I would be willing to help get this working on Vista and Windows 7.
catchyanow Posted December 10, 2009

> I would be willing to help get this working on Vista and Windows 7.

If you haven't noticed, this program is dead.... :(
echoblack Posted December 11, 2009

> I would be willing to help get this working on Vista and Windows 7.

I too would like to see this project back on track. I don't have a lot of money to spend on this, but maybe someone else will jump in and pledge to pay the dev some money for his/her time.

I make a pledge to pay $10 per bug-fix, new feature or improved feature. I will pay in whatever form you would like. (Max $60 for each 60 day period. New version must be posted on a public server for all to download for FREE.) (I am easily excited so I may just pay you the $60 even if you only fix a couple cool things.)

You can contact me at >> CodeBounty@gmail.com

----------------------------------

Things I would really like to see fixed:

-> Key-logger > to > email (fix this for XP and take all $60; it doesn't count toward the 60 day budget)
-> Get working on Windows 7 or Vista.
-> Troublesome payloads that get caught by AV... change the signature of the code.
confulity Posted January 2, 2010

Yayks.. Just finished reading the whole 40 pages of this thread and it seems that this project is indeed DEAD..
okey32 Posted January 11, 2010

This project [was] great. :(
red shadow Posted January 16, 2010

OMG I'm sooooooooo getting this!
wackedoutofmyhead Posted March 2, 2010

Hey, I managed to modify a U3 updater to install the PocketKnife U3 ISO by renaming it u3custom and so on. Now I've got the Leapos_Payload_U3 u3.iso installed on the U3 disc partition and an empty F drive. I am confused about the configuration and setup of the files, as well as what to do with the flash partition files and the U3 source files. Any help would be very helpful; I'm quite new to this stuff.
wackedoutofmyhead Posted March 2, 2010

Never mind, silly mistake. Just was wondering if the key logger had been fixed yet to mail to email, and was wondering about the stunnel config for hotmail or live.ca accounts.
lamer Posted March 27, 2010

Hi, I arrived too late to know about this beautiful, beautiful tool. I think it's a shame no one is contributing more stuff to this. I will post a few things if anyone is still interested in this. I have been reading all the posts about leapos PK, and I think I have found the solution for the "no disk" problem - well, kind of: the problem will still be there, but at least it won't appear.

To work around the problem we employed Microsoft's registry hack. Click Start, then Run and type regedit. Click OK. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\ and change the value of the ErrorMode key to 2.

So I think making a regedit entry will solve this.
Deevd Posted March 29, 2010 (edited)

Dude this is sick!! Really nice work...

Edit: Ooh heck, didn't see further that this project was dead... it's a pity...

Edited March 29, 2010 by Deevd
V3NG3NC3 Posted June 22, 2010 (edited)

Yo, why is this monster dead? Damn... time for a resurrection asap..

Edited June 22, 2010 by V3NG3NC3
Mr. Stuky Posted July 29, 2010

We got to revive it!