Do you code software?


Darren Kitchen


I've got three applications that I've written.

DopplePrinter - A program that will backup/restore all printers (not including UNC attached printers) to/from Windows 2000, XP and 2003 boxes. First release and I don't know if it'll screw your machine up. Similar to Microsoft's Print Migrator 3.1 but mine actually works without breaking your box.

http://sourceforge.net/projects/doppleprinter/

DriverForge - Installs drivers based on a location that you choose (recursively). You can also use compressed files to keep the size down. You can set it up to run automatically and silently. You can also run pre and post commands through it.

My activity for this is mainly found on the msfn.org and boot-land.net forums.

http://sourceforge.net/project/showfiles.php?group_id=213601

FindHWIDS - Will parse HWIDs from INFs in a location you choose (recursively). It will output the data to a CSV file, giving you version, HWID line and file name. You can also parse to the sysprep.inf file in order to support whatever MassStorage drivers you have. The sysprep option will NOT produce any duplicates.

My activity for this is mainly found on the driverpacks.net forums.

http://sourceforge.net/project/showfiles.php?group_id=213601

As always, GPL licensing and there's no warranty if your machine dies or creates artificial intelligence and begins to take over the world.


Just a question: can we combine the two threads into one? Less confusing, but you seem to have posted this twice, Darren.

http://hak5.org/forums/index.php?showtopic=9771

Someone not eat their haxor flakes this morning? Maybe microshaft should market a coffee drink to wake up to cause the pwnJuice is not working. lol


I think I posted it in the two boards most likely to be frequented by programmers. I'm not sure if it's possible to symlink one thread to another, but I'd like it to display under Everything Else and Coding.

@kickarse, how does DopplePrinter differ from CleanSPL from the Win2003 resource kit?


At the moment it doesn't do the functions of CleanSPL. It's really meant only to replace Printer Migrator from MS. All it does currently is backup the printers from one machine with the ability to restore them to another, exactly as they were. It also gives you the opportunity to migrate your old LPR printer to standard TCP/IP.

I wrote this because Printer Migrator 3.1 kept screwing up with Lexmark drivers and not connecting ports back properly when migrating from 2000 to 2003.

I might add the functionality of CleanSPL. I've had CleanSPL also screw things up to the point where I've BSOD'd. Not fun...


You can add Brother and Canon to that list too. But it wasn't just the Lexmark drivers that screwed everything up, it was also Printer Migrator itself. I used it without any Lexmark drivers on the machine and it still screwed things up.

Also, v2.7 of FindHWIDS is out.


AntiUSB 0.5.30 (09-April-08) by Moonlit (moonlit@hak5.org)

AntiUSB: What is it?
--------------------

AntiUSB is a tool to provide basic protection against threats posed by potentially harmful files that may be carried on removable media (USB sticks, primarily). It isn't a catch-all solution but, as with anything, it should be used in conjunction with other security measures.

Requirements
--------------------

To run this application you will require:

1) An IBM compatible PC
2) Microsoft Windows XP or Vista
3) Microsoft .net Framework 2.0
4) Visual Basic Redistributable Runtime Libraries 6.0

How do I use it?
--------------------

1) Run AntiUSB.exe

2) Change the default password. This is extremely important. The default password is simply "Password" (without quotes). Type the default password in the password box in the main window, then check the "Unlocked" box. This will unlock the various buttons and boxes you'll need to configure the app. Type your new password in the New Password box and click "Change", then Save Config.

3) Now you'll need to configure the level of protection the app provides. Move the Protection Level slider control to your desired level of protection. The following levels are available:

Extreme----This option will delete everything on the drive and eject it. Useful if attacks are frequent and aggressive.
Very High--Simply eject the drive. This will prevent anything on the drive from being read or executed. Non-destructive but effective.
High-------This will delete everything on the drive. Again, useful if attacks are frequent or unprotected machines will allow use of USB drives.
Medium-----Delete only potential threats. Potential threats are defined in the Potential Threats list, see below.
Low--------Similar to Medium but will warn before deleting. Users will have 5 seconds from detection of the drive to remove it. After 5 seconds, if the drive is not removed, files will be removed.
Very Low---Scan for potential threats as described in the Potential Threats list. Once files matching those in the list are detected, they will be locked. This means that they will not be usable while other, non-threatening files will be. Useful if use of USB drives is permitted but protection is still required.
Off--------This option will simply log the contents of each removable drive inserted into the machine.

4) Potential Threats are files that you consider to be potentially harmful. These may include executable files or files that may contain dangerous scripts such as Microsoft Office files or Visual Basic scripts. To add files to the list, enter your password into the "Password" text box, check the "Unlocked" box and, in the empty text box to the left of the "Password" input, enter a mask to check. This mask can contain a wildcard such as "*.exe" (this will scan for any files with the extension "exe") or can be a full filename such as "badfile.bat" (this would scan for any files named "badfile.bat"). When you've typed in your file mask, click "Add" or press your Return key. Choose a mask in the list and click Remove to delete it. Click "Save Config" to save your masks.

5) Near the bottom right of the window there is a checkbox labelled "Active". Check this to turn on the protection and uncheck it to turn it off. While the box is unchecked, removable drives may be used with no protection. When the protection is turned on or off, a balloon tip will appear above the system tray icon to notify you. This is to ensure you're always aware of when the protection is active.

6) When configuration is complete, be sure to uncheck the "Unlocked" checkbox to clear your password and disable the configuration options. This should be done every time you have finished configuring to prevent other users from turning off the protection.

7) The final button to mention is "Exit". This will stop protection and close AntiUSB entirely. Removable drives will no longer be monitored when AntiUSB is closed.

8) To send AntiUSB to the system tray (near your clock at the end of your Windows taskbar), simply minimise the window. You will notice that the window will close. The application will still be running and will be accessible from the small round icon next to your clock. This icon will change colour according to whether the protection is active. A white circle indicates that the protection is currently active and a black circle means that the protection is currently inactive. To bring back the main window, just double click the icon.

Disclaimer
--------------------

This application has been written to provide a fair level of protection against attacks via removable USB drives, but while this is the case neither the creator(s) of the source code, the executable files or the files accompanying them are responsible for use or misuse of the contents of any package(s) or media containing them.

These files are to be used at your own risk and those involved in the creation of them do not guarantee their fitness for any purpose or use in any given environment. These files may not be suitable for use on working systems in a home, educational or business environment.

AntiUSB / Mirror

This was written as a demonstration of potential methods to prevent USB attacks without rendering the USB capability of a machine entirely useless.

It is not demonstrative of the quality of the full product, should one eventually be made available.

Source code was, at one point, available, but due to an unfortunate lack of backups and a failing Samsung HDD, it's now not.

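To make the Protection Level semantics and the "Potential Threats" mask syntax from the README concrete, here is an added example (not AntiUSB's own code, whose source is lost) that models the decision the tool makes for one inserted drive. The threat masks and the drive listing are constructed; the level names and actions follow the README's descriptions, with matching made case-insensitive because Windows filenames are.

```python
import fnmatch
from enum import IntEnum


class Level(IntEnum):
    """AntiUSB's Protection Level slider, lowest to highest."""
    OFF = 0
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5
    EXTREME = 6


# Constructed "Potential Threats" list in the README's mask syntax: a
# wildcard mask or a full filename, covering the file kinds it names.
THREAT_MASKS = ["*.exe", "*.vbs", "*.doc", "badfile.bat"]


def is_threat(name, masks=THREAT_MASKS):
    """True if the filename matches any mask. Windows filenames are
    case-insensitive, so SETUP.EXE must match the mask *.exe."""
    return any(fnmatch.fnmatchcase(name.lower(), m.lower()) for m in masks)


def plan(level, files, masks=THREAT_MASKS):
    """Return (action per file, eject drive?) for one inserted drive.

    Actions follow the level descriptions: log, allow, lock,
    warn_then_delete, delete, or untouched (drive ejected unread).
    """
    threats = {f for f in files if is_threat(f, masks)}
    if level == Level.OFF:           # just log what is on the drive
        return {f: "log" for f in files}, False
    if level == Level.VERY_LOW:      # threats locked, everything else usable
        return {f: "lock" if f in threats else "allow" for f in files}, False
    if level == Level.LOW:           # 5-second warning, then deletion
        return {f: "warn_then_delete" if f in threats else "allow"
                for f in files}, False
    if level == Level.MEDIUM:        # delete only matching files
        return {f: "delete" if f in threats else "allow" for f in files}, False
    if level == Level.VERY_HIGH:     # eject before anything is read
        return {f: "untouched" for f in files}, True
    # HIGH deletes everything; EXTREME deletes everything and ejects
    return {f: "delete" for f in files}, level == Level.EXTREME

# Constructed listing of a freshly inserted drive
SAMPLE_DRIVE = ["Setup.EXE", "notes.txt", "BadFile.bat", "report.doc"]
```

Note that a mask list like this catches only what you put in it: a file type the list does not name passes every level below High, which is the trade-off the README's Medium and Very Low levels accept.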


Um, this sounds like a good defense, but what if someone reboots? Will the program start up right where it left off? Also, my SATA drives are listed as removable drives. I always have the option to disconnect them like I do SD cards and USB drives, so would it detect them and erase my HDDs, or can you set drive letters to ignore?


You could always run the app as a service. Also, I wrote something similar that I never released called USBeSafe. It pretty much does the same thing except that you can turn access completely off for any USB drives so you don't have to even worry about the OS seeing any files.


You could add it as a service (as kickarse said) or use another method (startup folder, registry) to make it start with the machine. As for the SATA, it would probably check those drives too, but much like an antivirus it would 1) only deal with files that are known to be malicious (that is, the files you've told it are malicious) and 2) deal with any "infection" your SATA drive(s) may have on them. Exceptions were a feature I had planned, though I didn't get around to implementing it before I lost the source, so I'm just keeping this up as a demo really.


Well, what's to keep your program running? Anyone could just go to Task Manager and end your process, then what? You would need some way of preventing termination of the program ;)

I know just the thing, but it only works on an administrator account and only on Windows NT 4.0, Windows 2000, Windows XP SP1+SP2, and Windows Server 2003, maybe more, but definitely not Vista, as they have changed things around so much, particularly kernel mode ;)

Kernel mode driver, anyone?

Basically the idea is to have your program load a driver and pass it the process ID of your program, along with the correct offsets for your Windows version, and it will hide that process from Task Manager and anything else!

See, every process has an EPROCESS structure, and every EPROCESS structure has an ActiveProcessLinks entry.

That's how programs like Task Manager know what processes are running: by all the processes that are linked together in ActiveProcessLinks!

Here's a little drawing I made to make this easier to understand:

Say your Anti-USB hacks program is in the middle. Here's how the processes are linked together normally:

[Image: ActiveProcessLinks.png]

FLINK means Forward Link, I'm pretty sure, and BLINK is Backward Link ;)

FLINK points to the next process, and that process's FLINK points to the next process after that, and so on and so forth.

BLINK points to the previous process, and that previous process points to, you guessed it, the process before that...

OK, so now what do you think will happen if we make process 1's FLINK skip your process and point directly to process 3, then make process 3's BLINK point to process 1?

Then you've successfully hidden your process from task managers! :) You're making it appear as though your app does not even exist, by removing its link!

Then, so you don't blue screen when you terminate your program, you make your app's FLINK and BLINK point to itself.

So then it's like this:

[Image: ActiveProcessLinks2.png]

That is the best way I know so far of preventing my apps from being terminated: by removing them from task managers so they appear as if they aren't running when they actually are! There is no "end task" button for my apps ;)

However, if they know your app is running even though it's hidden, you cannot allow them to obtain your process ID; with your process ID they could inject some code into the app to make it crash, etc... So creating a window for your app is a no-no, as anyone could use GetWindowThreadProcessId, passing your window handle, and get your process ID! If you must have a window, make it a separate program, so like with your Anti-USB app, you could have the separate program manage the malicious files list + exceptions list + any other options but require a password or something... This way it doesn't matter if they terminate the settings app, as your functional app is still running...

I've tested this out with my brother: made an annoying app that would start with Windows and he wasn't able to find a way to terminate the process! Although he did eventually figure out how to remove the entry from the registry, so that once he restarted the computer the app would no longer run!

So that being said, a better way to make it start with Windows is needed, one that somebody can't just remove easily... Maybe modify a system process to make it run your app? That way an average user looking in the registry and the startup folder will draw a blank as to what's making the process run and probably just give up :)


There should be a way to hook a password for mounting ANY device, so no one can load external media of any kind. Kill shell hardware detection and make any plug and play device require admin approval.
