USB Pocket-Knife Development

[bitzero]

Hey guys,

I saw this package and it caught my interests... The only problem I had with it was that most everything would be caught by AV... then I remembered a video of a presentation where the presenter (forgotten your name! sorry!! was a brilliant presentation named "Pissing on your AV") detailed how to add a few instructions in the executable which (encoded the executable) and then decoded it while in memory (the actual executable was changed, as such to AV it was not the same file)

Then I decided to take a crack at it, I chose the IEPV.exe file under the SYSTEM directory and set to work

I took a virustotal.com scan before I had modified anything:

File IEPV.EXE received on 2009.09.08 07:04:02 (UTC)

Result: 28/41 (68.3%)

Antivirus Version Last Update Result

a-squared 4.5.0.24 2009.09.08 Riskware.PSWTool.Win32.NetPass!IK

AhnLab-V3 5.0.0.2 2009.09.07 -

AntiVir 7.9.1.12 2009.09.07 SPR/PSW.NetPass.AA

Antiy-AVL 2.0.3.7 2009.09.08 PSWTool/Win32.NetPass.gen

Authentium 5.1.2.4 2009.09.07 -

Avast 4.8.1351.0 2009.09.07 -

AVG 8.5.0.409 2009.09.07 HackTool.FAL

BitDefender 7.2 2009.09.08 Gen:Application.Heur.cmKfbuh2Hzc

CAT-QuickHeal 10.00 2009.09.08 PSWTool.NetPass.ep (Not a Virus)

ClamAV 0.94.1 2009.09.08 Trojan.PSW.IEPass-1

Comodo 2203 2009.09.08 ApplicUnsaf.Win32.PSWTool.NetPass.aa

DrWeb 5.0.0.12182 2009.09.07 Tool.PassView.34

eSafe 7.0.17.0 2009.09.06 Suspicious File

eTrust-Vet 31.6.6725 2009.09.08 -

F-Prot 4.5.1.85 2009.09.07 -

F-Secure 8.0.14470.0 2009.09.08 PSWTool.Win32.NetPass.ep

Fortinet 3.120.0.0 2009.09.08 HackerTool/NetPass

GData 19 2009.09.08 Gen:Application.Heur.cmKfbuh2Hzc

Ikarus T3.1.1.72.0 2009.09.08 not-a-virus:PSWTool.Win32.NetPass

Jiangmin 11.0.800 2009.09.08 -

K7AntiVirus 7.10.837 2009.09.05 not-a-virus:PSWTool.Win32.NetPass.aa

Kaspersky 7.0.0.125 2009.09.08 not-a-virus:PSWTool.Win32.NetPass.ep

McAfee 5734 2009.09.07 potentially unwanted program Generic PUP

McAfee+Artemis 5734 2009.09.07 potentially unwanted program Generic PUP

McAfee-GW-Edition 6.8.5 2009.09.08 Riskware.PSW.NetPass.AA

Microsoft 1.5005 2009.09.08 -

NOD32 4404 2009.09.08 Win32/PSWTool.IEPassView.NAC

Norman 6.01.09 2009.09.07 -

nProtect 2009.1.8.0 2009.09.07 Trojan/W32.Agent.35840.DD

Panda 10.0.2.2 2009.09.07 Hacktool/NetPass.D

PCTools 4.4.2.0 2009.09.07 PWSTool.generic!ct

Prevx 3.0 2009.09.08 -

Rising 21.46.11.00 2009.09.08 -

Sophos 4.45.0 2009.09.08 NirSoft

Sunbelt 3.2.1858.2 2009.09.07 PSWTool.Win32.NetPass.aa

Symantec 1.4.4.12 2009.09.08 Hacktool

TheHacker 6.3.4.3.397 2009.09.07 Trojan/NetPass.aa

TrendMicro 8.950.0.1094 2009.09.08 -

VBA32 3.12.10.10 2009.09.08 -

ViRobot 2009.9.8.1922 2009.09.08 Not_a_virus:PSWTool.NetPass.35840.A

VirusBuster 4.6.5.0 2009.09.07 -

________________________________________________________________________________

And then I took one afterwards:

File IEPV-3.exe received on 2009.09.08 08:23:16 (UTC)

Result: 14/41 (34.15%)

Antivirus Version Last Update Result

a-squared 4.5.0.24 2009.09.08 Riskware.PSWTool.Win32.NetPass!IK

AhnLab-V3 5.0.0.2 2009.09.08 -

AntiVir 7.9.1.12 2009.09.08 -

Antiy-AVL 2.0.3.7 2009.09.08 -

Authentium 5.1.2.4 2009.09.07 W32/PassView.A.gen!Eldorado

Avast 4.8.1351.0 2009.09.07 -

AVG 8.5.0.409 2009.09.07 HackTool.FAL

BitDefender 7.2 2009.09.08 Gen:Application.Heur.cm0@bKwwDQlO

CAT-QuickHeal 10.00 2009.09.08 -

ClamAV 0.94.1 2009.09.08 PUA.PwTool.NetPass-8

Comodo 2204 2009.09.08 -

DrWeb 5.0.0.12182 2009.09.07 Tool.PassView.34

eSafe 7.0.17.0 2009.09.06 Suspicious File

eTrust-Vet 31.6.6725 2009.09.08 Win32/Vxidl!generic

F-Prot 4.5.1.85 2009.09.07 W32/PassView.A.gen!Eldorado

F-Secure 8.0.14470.0 2009.09.08 -

Fortinet 3.120.0.0 2009.09.08 -

GData 19 2009.09.08 Gen:Application.Heur.cm0@bKwwDQlO

Ikarus T3.1.1.72.0 2009.09.08 not-a-virus:PSWTool.Win32.NetPass

Jiangmin 11.0.800 2009.09.08 -

K7AntiVirus 7.10.837 2009.09.05 -

Kaspersky 7.0.0.125 2009.09.08 -

McAfee 5734 2009.09.07 -

McAfee+Artemis 5734 2009.09.07 -

McAfee-GW-Edition 6.8.5 2009.09.08 -

Microsoft 1.5005 2009.09.08 -

NOD32 4404 2009.09.08 Win32/PSWTool.IEPassView.NAC

Norman 6.01.09 2009.09.08 -

nProtect 2009.1.8.0 2009.09.08 Trojan/W32.Agent.35840.DD

Panda 10.0.2.2 2009.09.07 -

PCTools 4.4.2.0 2009.09.07 -

Prevx 3.0 2009.09.08 -

Rising 21.46.11.00 2009.09.08 -

Sophos 4.45.0 2009.09.08 Mal/EncPk-C

Sunbelt 3.2.1858.2 2009.09.07 -

Symantec 1.4.4.12 2009.09.08 -

TheHacker 6.3.4.3.397 2009.09.07 -

TrendMicro 8.950.0.1094 2009.09.08 -

VBA32 3.12.10.10 2009.09.08 -

ViRobot 2009.9.8.1922 2009.09.08 -

VirusBuster 4.6.5.0 2009.09.07 -

_____________________________________________________________________________

Now, it isn't fooling everything... but 14/41 is better than 28/41 :)

If anyone is keen on getting me a list of which files show up as virii and keen on trying to get this project back up and running let me know - I'm willing to put my time into setting this up for each executable neccessary :)

Those interested give me a PM!

Cheers,

bitzero

edit: attached file, feel free to check it's functionality and virus scan results vs. the original

edit2: bah, can't attach the file visit here to dl - http://rapidshare.com/files/277188423/IEPV-3.exe.html

[walts]

I would love to see this project resurrected.

I use it mostly in a "friendly" way, not to break into anyone's machine - unless they ask me to ;-) but it is annoying having to explain why their A-V has gone berserk!

Since I have XP and Windows 7 VMs with a variety of A-V products available, I would be glad to contribute in testing, but I would need someone else to do the actual coding. It's been a while, but I think I can still remember how to build a new U3 device, given all the necessary files.

Walt

[bitzero]

Hey Walt,

I don't have the know-how to code a project like this, and like the logs show there - the file was still detected on 14/41 AV programs... but it's better than over half of those detecting it for sure :P

I'm also not sure how masking some of the better known files would go down - we can always try and see though :)

If someone can put their hand up to code something like this (preferably someone who has coded one in the past) they can count me in to try and mask all of the .exe's (possibly .dll, I'll have to figure out if they can be en/decoded in the same way)

I don't really want to go ahead and mask all the current files and then release it to the public, maybe releasing them on a person by person basis via PM's would work better - that way you can check their activity/post content etc... if script kiddies want to fuck shit up that's fine, but I'd rather not make it easier on them :P What I've done took a tiny bit of research and the ability to watch that presentation, anyone who wanted to could easily do it for themselves :P

I'm kind of rambling here, but if anyone capable of coding/scripting a project wants to, count me in :)

Cheers,

bitzero

[bme2008]

hey, I dont get how to install it, for a u3 device.

Right now I have an empty flash drive, it had u3 on it, but I uninstalled it. so what do I do with the files that I downloaded? Thanks.

[walts]

bugmenot, search the forums for u3 installer - you'll learn a lot more than if I just gave you the link.

bitzero, I apologize for taking so long to get back to you. If things settle down here, computerwise, maybe we can share the load, each of us masking some files and swapping. When we are sure they work OK we can post publicly. Of course if anyone else wants to join in the effort they are welcome!

I still don't have a working environment to do this work in. I use a Mac and in the past have used my Boot Camp partition for U3 stuff, but the Boot Camp partition is now Windows 7 and I have XP in a virtual machine. I think, but have not yet proven, that the U3 installer will work in that environment. I should know within a week. The problem has been in the past that programs that like to work directly with the hardware won't run well in a virtual environment, and I'm unsure if the U3 installer fits that category. Once I finish building that VM I will know.

Walt

[bme2008]

bugmenot, search the forums for u3 installer - you'll learn a lot more than if I just gave you the link.

Well, I installed u3 on my u3 drive. So now theres the u3 launchpad and in my computer theres a CD drive AND the actual drive. But now what do I do with the files in

PocketKnife_v0880\Leapos_Payload_v0880\Leapos_Payload_U3

theres "U3.ISO", "U3 ISO Source" (which is just that iso extracted), and then "Flash Partition".

So what do I do with those files/folders?

[walts]

Well, I installed u3 on my u3 drive. So now theres the u3 launchpad and in my computer theres a CD drive AND the actual drive. But now what do I do with the files in

PocketKnife_v0880\Leapos_Payload_v0880\Leapos_Payload_U3

theres "U3.ISO", "U3 ISO Source" (which is just that iso extracted), and then "Flash Partition".

So what do I do with those files/folders?

http://wiki.hak5.org/wiki/Universal_U3_LaunchPad_Hacker

[catchyanow]

Can someone please post the most recent download link.........

Please can we also get this project back up on its feet again. I only discovered it yesterday and it seems awesome!

[Daedalus317]

Can someone please post the most recent download link.........

Please can we also get this project back up on its feet again. I only discovered it yesterday and it seems awesome!

I too would like to see this thread back alive, but the answer to your question it's First page 4th post.

Daedalus

[catchyanow]

I too would like to see this thread back alive, but the answer to your question it's First page 4th post.

Daedalus

thanks man :D

[MtwStark]

Hi everybody, I have a USB flash drive and I'm not able to access it anymore.

I'm not sure this is the right thread, please address me to the right one if needed.

it is identified as a USBest USB2FlashStorage Vid:Pid 1307:0163 but inside I found a UT165 chip, one 12Mhz quartz and 2 SAMSUNG RAM chip

It is loaded as removable disk but inaccessible, windows says "Insert disk" when opening it.

ChipGenius sent me to UT163 MP Tool, I have tried many versions up to UT165 MP Tool 1.65.25

I have tried UT165_rescue_v1.0.3.1 and Super Stick Recovery Tool V1.0.2.19

I really need to recover data on it, any chance?

[catchyanow]

Hi everybody, I have a USB flash drive and I'm not able to access it anymore.

I'm not sure this is the right thread, please address me to the right one if needed.

it is identified as a USBest USB2FlashStorage Vid:Pid 1307:0163 but inside I found a UT165 chip, one 12Mhz quartz and 2 SAMSUNG RAM chip

It is loaded as removable disk but inaccessible, windows says "Insert disk" when opening it.

ChipGenius sent me to UT163 MP Tool, I have tried many versions up to UT165 MP Tool 1.65.25

I have tried UT165_rescue_v1.0.3.1 and Super Stick Recovery Tool V1.0.2.19

I really need to recover data on it, any chance?

This is the right forum HERE

Hope this helped

[rony1434]

Hi.

Hey man thanks for sharing such a nice post.

Its really very useful for increasing our knowledge.

[screw_ball69]

I would be willing to help get this working on Vista and Windows 7

[catchyanow]

I would be willing to help get this working on Vista and Windows 7

if u have't noticed this program is dead.... :(

[echoblack]

I would be willing to help get this working on Vista and Windows 7

I too would like to see this project back on track. I don't have a lot of money to spend on this but maybe someone ells will jump in and pledge to pay the Dev some money for his/her time.

I make a pledge to pay $10 a Bug-Fix/or new/or/improved Feature

I will pay in what ever form you would like.

(Max $60 For each 60 day period. New version must be posted on a public server for all to download for FREE)

( I am easily excited so I may just pay you the $60 even if you only fix a couple cool things)

You can contact me at >> CodeBounty@gmail.com

----------------------------------

Things I would really like to see fixed.

->Key-logger >to> email (Fix this for XP and Take all $60 and doesn't count toward the 60day Budget)

->Get working on windows 7 - or vista.

->Troublesome payloads that get caught by AV... Change the signature of the code.

[confulity]

Yayks.. Just finished reading the whole 40 pages of this thread and it seems that this project is indeed DEAD..

[okey32]

This project [was] great. :(

[red shadow]

OMG I'm sooooooooo getting this!

[wackedoutofmyhead]

hey i managed to modify a u3 updater to install the pocketknife u3 iso by renaming it u3custom and so on now i got the Leapos_Payload_U3 u3.iso installed on the u3 disc partition and an empty f drive i am confused about the configurationand setup of the files as well as what to do with the flash partion files and the u3 source files any would be very helpful im quite new to this stuff

[wackedoutofmyhead]

nevermind silly mistake just was wondering if key logger had been fixed yet to mail to email and was wondering stunnel config for hotmail or live.ca accounts

[lamer]

Hi i arrive too late to know about this beautiful beautiful tool, i think is a shame no one is aporting more stuff to this, i will post a few things if anyone is still interested in this, i have been reading all the post of leapos PK, and i think i have found the solution for the no disk problem, well kind of the problem will still but at least it wont apear,

To workaround the problem we did employ Microsoft’s registry hack. Click Start, then Run and type regedit. Click OK.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\ and change the value of the ErrorMode key to 2.

so i think making a regedit entrace will solve this

[Deevd]

Dude this is sick !! Really nice work...

Edit: Ooh heck, didn't see further that this project was dead... it's a pity...

Edited March 29, 2010 by Deevd

[V3NG3NC3]

Yo why is this monster dead? damn,.. time for a resurrection asap..

Edited June 22, 2010 by V3NG3NC3

[Mr. Stuky]

We got to revive it!