hexlax Posted December 24, 2007
This package has been updated, please scroll down to view the latest development notes... Currently, you can take a look at a snapshot: http://rapidshare.com/files/92198408/scancomp.7z.html or the source: http://rapidshare.com/files/92198966/scanComp-src.7z.html Both of these files require 7zip for extracting.
sablefoxx Posted December 24, 2007
Spybot Search and Destroy 1.4 (TeaTimer): teatime.exe
sc0rpi0 Posted December 25, 2007
-
hexlax Posted December 25, 2007 (Author)
here's my list of av processes. I've also PMed you with the text file. Here is the batch file which is used with pskill [download it from sysinternals]: http://www.mediafire.com/?ettn2ygez9z Here is just the list: http://www.mediafire.com/?40lxeoj1fol

Great! I'll code this up. I'm going to be using this paradigm:
- ensure admin privs http://support.microsoft.com/kb/q118626/
- load all processes into an array with pslist
- check our known AV processes against the array
- kill the process
hexlax Posted December 30, 2007 (Author)
Just an update: I implemented the AVkill side of the house. I just need to implement the user interface with all the different command line options. Should be completed shortly.

From here, we need to test this beast out. So, feel free to hack the source and distribute the executable, but just give me some feedback on what AV's you've tested them on. I know discretion is too much to ask for regarding this program; however, let's try to keep it out of the AV signatures at least for a little while.

The next step is to port for Vista and XP 64. Does anyone have experience with porting code from 32bit to 64?
hexlax Posted January 23, 2008 (Author)
The current snapshot does the following:
- Encrypted Package to thwart AV signatures
- Determines if AV is running; if it is, executes a clean scanning package.
*AV killing is no longer supported, don't ask why, drink bud dry.

Current package includes:
ipconfig /all*
produkey*
net user*
psloggedon*
tracert -h 2*
net view*
cports*
iehv*
iepv
mspass
netcat
winvnc
netpass
pspv

*denotes programs that will run if AV is found; of course this can all be controlled from the config file.

ToDo:
- create U3 image
- implement keylogger service and log mailer

Please give me feedback!
trustme Posted January 24, 2008
Just add whatever special thing you did in the config settings to the wiki's 'package' page and point people there (regarding your post in another thread). Honestly I don't see a lot of 'new' ideas in the payload, maybe you should try and find something unique, something that has never been done before. A lot of payloads now seem to have one minor change, and that's it. Look at all the other recent 'payloads'. You have the usbdumper payload, which is really a package, the keylogger payload, again just a package, and then you have payloads built around nothing new at all. The 7zip payload just seems to be an alternate form of already done ideas, encrypting the files, much like the pocket knife payload did. People need to learn when they only have a package, and are simply wrapping it around or sticking it in a vanilla generic switchblade payload. I'm not saying that anyone should stop working on their own personal payload, they can do whatever they want, and I'm sure someone will learn something along the way, however, it might be worth it to think about what's been done already before cloning off already existing payloads. Sorry about all the commas/run on sentences....
hexlax Posted January 24, 2008 (Author)
(quoting trustme) Just add whatever special thing you did in the config settings to the wiki's 'package' page and point people there (regarding your post in another thread). Honestly I don't see a lot of 'new' ideas in the payload, maybe you should try and find something unique, something that has never been done before. A lot of payloads now seem to have one minor change, and that's it. Look at all the other recent 'payloads'. You have the usbdumper payload, which is really a package, the keylogger payload, again just a package, and then you have payloads built around nothing new at all. The 7zip payload just seems to be an alternate form of already done ideas, encrypting the files, much like the pocket knife payload did. People need to learn when they only have a package, and are simply wrapping it around or sticking it in a vanilla generic switchblade payload. I'm not saying that anyone should stop working on their own personal payload, they can do whatever they want, and I'm sure someone will learn something along the way, however, it might be worth it to think about what's been done already before cloning off already existing payloads. Sorry about all the commas/run on sentences....

Did you actually look at the source? It's not something that I can just post because the AV detection is C++ coded. As for the payload, I agree with you that it's not new. But this package addresses the issues that people have brought up time and time again:
- AV detection
- package encryption
sablefoxx Posted January 24, 2008
h0t :-P
trustme Posted January 24, 2008
(quoting hexlax) Did you actually look at the source? It's not something that I can just post because the AV detection is C++ coded. As for the payload, I agree with you that it's not new.

Post the C++? Or an example of what the C++ contains?
hexlax Posted January 25, 2008 (Author)
(quoting trustme) Post the C++? Or an example of what the C++ contains?

Sure, if we want to dissect the whole code, but as the first post indicates you can grab the source from here: http://mywebpages.comcast.net/dissoluten/scanComp-src.7z

As far as the mechanics behind the AV detection:
- inputs a list of known AV processes from config.txt (sorted)
- grabs a list of current system processes using sysinternals pslist
- takes the current process list and binary searches for each against our known AV list (since logarithmic time is better than linear)
- if nothing is found, executes the full payload
- if not, executes a payload that scans clean
- the payload switch is determined in the config.txt file as Y/N, converted to boolean on input

Does that answer your question? What I might do, based on feedback, is code a 'light' version of the AV detection for other packages, if others are interested. But please have a look at the source; I commented the hell out of it.
HarshReality Posted January 25, 2008
With regard to 64 bit conversion... not really needed as 32 bit applications run fine for the most part (unless they are some form of system process). If it's of interest I have Vista 64 bit running on my... 3rd partition. I'd be happy to run anything you'd like by it. Just drop me a PM with the method you'd like it run and where to get it.
hexlax Posted January 29, 2008 (Author)
(quoting HarshReality) With regard to 64 bit conversion... not really needed as 32 bit applications run fine for the most part (unless they are some form of system process). If it's of interest I have Vista 64 bit running on my... 3rd partition. I'd be happy to run anything you'd like by it. Just drop me a PM with the method you'd like it run and where to get it.

I would greatly appreciate it! Here is the executable: http://mywebpages.comcast.net/dissoluten/scancomp.7z And just run scancomp after you 7zip extract.
HarshReality Posted January 30, 2008
Ran on Vista Business 64 bit and AVG with no flags. Although I think some of the packages (such as Produkey) are not Vista compatible, so we might need to look there before going further.
beakmyn Posted January 31, 2008
(quoting hexlax) Sure, if we want to dissect the whole code, but as the first post indicates you can grab the source from here: http://mywebpages.comcast.net/dissoluten/scanComp-src.7z As far as the mechanics behind the AV detection:
- inputs a list of known AV processes from config.txt (sorted)
- grabs a list of current system processes using sysinternals pslist
- takes the current process list and binary searches for each against our known AV list (since logarithmic time is better than linear)
- if nothing is found, executes the full payload
- if not, executes a payload that scans clean
- the payload switch is determined in the config.txt file as Y/N, converted to boolean on input
Does that answer your question? What I might do, based on feedback, is code a 'light' version of the AV detection for other packages, if others are interested. But please have a look at the source; I commented the hell out of it.

Why go through all that? I already do something similar in my vbs script of the payload. I have a watchdog timer that looks for a certain process using WMI and kills it. I'll code up a new option to disable AV based on process name and add it to my payload script.

I do like the encryption aspect. But if the files are on a read only partition on a U3 drive the AV can't delete it, and since you're killing the AV the encryption is a moot point.
FlaRG* Posted February 15, 2008
Hey Hexlax, Please can you get those links working. When accessed the page says: "Sorry, the page you were looking for could not be found. Suggested Actions: Check the URL that you have typed and retry." Thanks.
hexlax Posted February 15, 2008 (Author)
(quoting FlaRG*) Hey Hexlax, Please can you get those links working. When accessed the page says: "Sorry, the page you were looking for could not be found. Suggested Actions: Check the URL that you have typed and retry." Thanks.

Done... Thanks for the heads up. Oh, and F*** Comcast for dropping the link.
FlaRG* Posted February 16, 2008
(quoting hexlax) Done...

... You are wonderful!!
FlaRG* Posted February 18, 2008
I have a query... Take a non-U3 USB stick. All of the contents of hexlax's sanComp.rar file have been extracted within (logs, payload, tools, config.txt, scanComp.exe) plus another folder, named icons, with a hdsymbol.ico, in the root of the USB stick. I created an autorun file as follows:

[autorun]
action=Open Folder
icon=icons\hdsymbol.ico
shellexecute=scancomp.exe
label=MyPortableHDD
shell\Own This Computer\command=scancomp.exe

All works according to plan, however is there a way that I can get the explorer to come up too? Instead of/as well as the console window? Many thanks in advance.
sc0rpi0 Posted February 18, 2008
(quoting FlaRG*) All works according to plan, however is there a way that I can get the explorer to come up too? Instead of/as well as the console window? Many thanks in advance.

Haven't actually tried this, but according to spektormax, this should do it. Of course, this is assuming that you are trying to pop up the explorer window of the drive.

ping -n 5 localhost > NUL
start nircmd.exe win max ititle "Removeable"
hexlax Posted February 21, 2008 (Author)
(quoting FlaRG*) All works according to plan, however is there a way that I can get the explorer to come up too? Instead of/as well as the console window?

This becomes tricky because you never know what drive letter will be assigned on a foreign computer, but you can call explorer with any directory of your choosing:

::test.bat
explorer C:\Windows\System32
::end

However, there are some vbs scripts floating around (check the hacksaw package) that, given a file that exists on the usb drive, iterate the drive letters until it is found. I am currently cleaning this project up and will post the U3 ISO and nonU3 images soon...
sc0rpi0 Posted February 21, 2008
Include this "code" into your switchblade [go.bat I think]. It outputs the name of the drive [which has just been inserted] into a batch file which is then run, popping up the explorer window. No vbscripts are necessary.

::[open.bat]
echo explorer "%~d0" >"c:\driveletter.bat"
"c:\driveletter.bat"
ping -n 5 localhost > NUL
del "c:\driveletter.bat"

Hope this helps.
hexlax Posted February 21, 2008 (Author)
(quoting sc0rpi0) Include this "code" into your switchblade [go.bat I think]. It outputs the name of the drive [which has just been inserted] into a batch file which is then run, popping up the explorer window. No vbscripts are necessary.
::[open.bat]
echo explorer "%~d0" >"c:\driveletter.bat"
"c:\driveletter.bat"
ping -n 5 localhost > NUL
del "c:\driveletter.bat"

I couldn't recreate the process above. What does the piping to NUL accomplish? I think a simple prog is in order that, given a known filename on our USB stick, will output the drive letter associated, like:

Input: C:> findDrive go.bat
Output: G:
sc0rpi0 Posted February 22, 2008
(quoting hexlax) I couldn't recreate the process above. What does the piping to NUL accomplish? I think a simple prog is in order that, given a known filename on our USB stick, will output the drive letter associated, like:
Input: C:> findDrive go.bat
Output: G:

Forget the NUL completely. Will not affect it whatsoever. By all means, take it out! As for the %~d0 wildcard, that merely represents the drive letter the program is running off. Whatever drive letter the program is run off, that's what that will be. It is piped out to a file which then opens the root directory of the drive.
GonZor Posted February 25, 2008
I think a lot of people have asked the question "How do I detect which drive letter is the USB?" I settled on the VBS version. I originally tried a bat version but it can create a lot of errors; the only disadvantage to VBS is the target computer may have the WSH disabled. Check out my payload for my script.