I'd like to start a discussion about how to shut off ZoneAlarm (and similar "system level") services that refuse to shut down. I am currently testing the various firewalls and ZoneAlarm is the only one so far, but basically you can't just do 'net stop vsmon' or similar. I've tried changing registry values, killing processes (including hf's process master with insane kill option), killing services (including sc.exe, and other tools), and have not yet tried dll injection or memory patching, which is what I'm working on now.
Does anyone know, and could save a huge amount of effort, how to shut down CURRENT builds of ZoneAlarm?
Just to be crystal clear so we don't get a bunch of useless responses here, the following does NOT WORK:
    net stop vsmon
(vsmon is the "truevector" service that needs to be disabled. All other components can be easily killed.)
I *CAN* kill ZoneAlarm with a reboot, by changing the registry key for the service, and then rebooting, it will be disabled on the next boot.... but I'm looking for a way to kill it instantly in the same session without rebooting.
Thanks!
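For readers on the defending side of this thread: the two things the opening post describes (stopping the TrueVector service in-session, or flipping its start type in the registry so it stays down after a reboot) both leave traces in the Windows System log as Service Control Manager events 7036 (service state change) and 7040 (start type change). The script below is an added example, not code from anyone in this thread; it runs a small check over constructed, labelled log lines modelled on those two event messages and flags any stop or disable of a service whose name matches the page's "vsmon"/TrueVector. The service display name used in the sample lines is an assumption.

```python
import re
from collections import namedtuple

# Substrings (case-insensitive) that identify the service this thread is about.
# "vsmon" and "truevector" come from the opening post; no other names are assumed.
WATCHED = ("vsmon", "truevector")

# Event 7036: "The <service> service entered the <state> state."
STATE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Service Control Manager 7036 "
    r"The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$"
)
# Event 7040: "The start type of the <service> service was changed from <old> to <new>."
START_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Service Control Manager 7040 "
    r"The start type of the (?P<svc>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\.$"
)

Alert = namedtuple("Alert", "ts service reason")

# Constructed sample lines (NOT a real capture). The display name
# "TrueVector Internet Monitor" is assumed for illustration.
SAMPLE_LOG = """\
2004-03-21 06:40:12 Service Control Manager 7036 The TrueVector Internet Monitor service entered the running state.
2004-03-21 06:41:03 Service Control Manager 7036 The Print Spooler service entered the stopped state.
2004-03-21 06:42:55 Service Control Manager 7040 The start type of the TrueVector Internet Monitor service was changed from auto start to disabled.
2004-03-21 06:43:10 Service Control Manager 7036 The TrueVector Internet Monitor service entered the stopped state.
"""


def is_watched(service_name):
    """True if the service name contains one of the watched substrings."""
    lowered = service_name.lower()
    return any(token in lowered for token in WATCHED)


def analyze(lines):
    """Return an Alert for every stop or disable of a watched service.

    Lines that do not match either event format are ignored, so the
    function can be fed a whole exported System log.
    """
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = STATE_RE.match(line)
        if m:
            if is_watched(m["svc"]) and m["state"] == "stopped":
                alerts.append(Alert(m["ts"], m["svc"], "service stopped"))
            continue
        m = START_RE.match(line)
        if m and is_watched(m["svc"]) and m["new"] == "disabled":
            alerts.append(Alert(m["ts"], m["svc"],
                                "start type changed from %s to disabled" % m["old"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert.ts, alert.service, "-", alert.reason)
```

On a real box you would feed `analyze()` the exported System log instead of `SAMPLE_LOG`; the Print Spooler line in the sample is there to show that unrelated service stops are not reported.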
flashb4ck
Mar 21 2004, 06:49 AM
um... I would use a hook to take the rights from zonealarm so the program will be useless ...
what u need?
c++
:=)
gr€€tz fl4Shb4Ck
som3aa
Mar 21 2004, 08:04 AM
this should be posted in beginner's section. Just upload pskill.exe
    net stop VSMON
    net stop ZONEALARM
    net stop zlclient
    net stop zaplus
    pskill VSMOM.EXE
    pskill ZLCLIENT.EXE
    pskill ZAPLUS.EXE
    pskill ZAPRO.EXE
    pskill zapsetup3001.exe
    pskill ZATUTOR.EXE
    pskill ZAUINST.EXE
    pskill zonalm2601.exe
    pskill ZONEALARM.EXE
DiJiTooL
Mar 21 2004, 10:05 AM
"net stop VSMON" and "pskill VSMON.EXE" do not work :/
A2
Mar 21 2004, 04:33 PM
There's a popular online game called gunbound (gunbound.net). Recently, in an attempt to prevent hackers from exploiting flaws in the game, they incorporated a software-monitoring utility designed by nprotect (nprotect.com). I and a number of other win2k users have noticed that the game/nprotect occasionally causes an error in truevector that causes it to shut down. After this happens zone-alarm will ask if you'd like to restart it, and fail to restart it if requested. Might be something worth looking into.
MsMittens
Mar 21 2004, 04:48 PM
QUOTE (DiJiTooL @ Mar 21 2004, 05:05 AM)
"net stop VSMON" and "pskill VSMON.EXE" does not work :/
2> You are mistaken. Whatever this program is (google does *not* have a hit for it, see #1), it doesn't kill the CURRENT ZoneAlarm. One more time just in case I wasn't clear enough --> THE CURRENT VERSION of ZoneAlarm.
All versions of ZoneAlarm as of a few months ago all the way back, could be killed instantly and easily just by killing the processes or stopping the services. The NEW version protects itself.
If you can show me wrong with this program, that it instantly kills the TrueVector component of the *CURRENT* ZoneAlarm, I'll give you root on 20 servers, at the least. Or make anything you want undetectable, or whatever service you think you might need that I can help with. Offer extends to anyone who can demonstrate working proof of concept.
Looking forward to any other input.
Again, I am already working on what I believe is the only solution, that is, memory patching, however I am posting here soliciting OTHER possible existing methods that someone might know work.
thanks!
clubfed
Mar 21 2004, 08:35 PM
Clarification to the other posts about pskill: "DUH" That does not work, as I said in my post.
Please, new users or people who are guessing -- load up the CURRENT RELEASE of ZoneAlarm Pro and run it on your computer.... then try to kill it from the command line. Not just the gui interface crap, but the actual TrueVector service.
**IF** you can do it, then you can post and boast how easy it is and beginner level or whatever but uh, heh, you're not going to be able to unless you are coding a memory patcher like I am. The longer I leave the post up and hear feedback the more I think there simply is no other way than what I'm working on. My technique will be done in a few days.
Oh there is one other way... which is to simulate user input, mouse and keyboard, to basically open the zonealarm interface and click to disable it for them, but I'm only aware of a few programs that let you script simulated user input... and also that would sort of tip off the user if they saw this happening on their desktop, which is something I'm trying to avoid.
Just want to kill TrueVector. thanks!
clubfed
Mar 21 2004, 08:39 PM
A2: thanks for the tip! nprotect is probably doing the same kind of thing I am, by injecting their "protection" code into the memory space of other processes, they are doing something wrong though causing it to exit.. I'm doing the same thing only exiting is my goal! I want a clean exit though, as though requested by the user, and without it trying to start back up. I'm actively working on it.
A2
Mar 22 2004, 08:17 AM
QUOTE (clubfed @ Mar 21 2004, 08:39 PM)
A2: thanks for the tip! nprotect is probably doing the same kind of thing I am, by injecting their "protection" code into the memory space of other processes, they are doing something wrong though causing it to exit.. I'm doing the same thing only exiting is my goal! I want a clean exit though, as though requested by the user, and without it trying to start back up. I'm actively working on it.
Thought that might help. If you want a quick n dirty workaround to the clean exit dilemma, just get it to error itself away, then start a loop (system events must continue to be processed), use findwindow to wait for the notification window to pop up, and WM_HIDE & WM_CLOSE that hoe. If it's an efficient loop and the system isn't bogged the window shouldn't even flicker on.
bitwild
Mar 23 2004, 09:15 PM
I think hct and pskill won't work on xp (aah btw even as user system you can't kill it)
The ugly way would be an API mouse click "simulation" (I think it isn't that easy to "find" the window handler, is it? :))
I think it would be much easier for you if you would try to find a way "around" the firewall... hey and it's more stealthy :)
hint: play around with iexplorer(mod) it should be registered as "allowed" application...
good luck :)
ps. or delete it "with reboot" and replace it with a dummy tray icon :)))
clubfed
Mar 24 2004, 09:50 AM
Thanks for the suggestions of bypassing the firewall instead, however I can already do that with dll injection. What I'm looking for is a way to kill the firewall without having to reboot. I have a quick/easy way to do so that involves a reboot already.
One of the problems I am having is that I can't debug these processes. If you try to attach ollydbg to the vsmon or other exe's from zonealarm then it gives an error and won't attach :/
Another problem is that vsmon doesn't have a window handle, that I can see, shows blank.
Looks like I do have SeDebug privilege, but anyway so far no luck. Still trying the memory-patcher technique, but it's not easy. I think they specifically thought of this and tried to defend against it :/ ?
Retribution
Mar 26 2004, 04:51 AM
I was going along with the 'Emulate user Shutdown Procedure' myself, but am not sure if the user, being non-Administrative, has rights to shut down this Process...