Page 1 of 2 (results 1 to 10 of 14)
#1 slayer616 (Senior Member, joined Dec 2007, location: Earth, 1,474 posts)

    Best AV/FW Killer + Startup!

    After reading 8 books about Windows/processes/threads/APIs I've found something interesting...
    In the registry part of a paper about Windows, something about the "Image File Execution Options" regkey was written. After reading what this regkey is good for (debugging) I noticed that this is the ULTIMATE process killer...
    NOW let me explain what this regkey does:
    User starts exe (unnamed.exe) -----> Windows checks for debuggers in the IMAGE FILE EXECUTION OPTIONS regkey:
    If it finds the .exe name in this regkey it starts the debugger... else it starts the .exe!
    So for example, if avp.exe is going to be started, you could add a regkey with avp.exe and the path to your backdoor/RAT/trojan! Every time avp.exe is started your server will be started and not avp.exe.
    Now how can we implement this:
    We need a list of AV/FW processes and a list of Windows processes which are not "useful".
    We add all these .exe names to the registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<your .exe name> and we create a key named "Debugger" and set the path to our Server.exe!
    If you wish I could code it open source, but I think the big guys here (Krip/Steve/Binary/Syntax/Akama/Silent etc.) should understand what I am trying to explain!

    Quote Originally Posted by francewar View Post
    TBH, I don't fucking care if we have a good rep at OpenSC. It's the biggest skid forum ever. HF has a lot more mature people than this forum.
    Doing custom coding. PM me for requests.

#2 Member (joined Jun 2008, 30 posts)
    So if I understand this right: we just create a registry key with the name Debugger and point it to our server? Shouldn't be so hard to do.

    Great find also, I might use this as an option in my crypter; I'll give credits.

    Comodo Firewall Defense+ asks the user whether to allow writing into that place though, and I think Kaspersky might give "access denied", unless it only protects its own keys.

#3 slayer616 (Senior Member, joined Dec 2007, location: Earth, 1,474 posts)
    Aahh yes... please give me credits.
    @SMZ: Yes, it's that simple.


#4 Syntax_err (Senior Member, joined Jun 2008, 593 posts)
    Hey slayer616, great idea, but:

    1st, I'm not one of the big guys.
    2nd, I learned that move from TuneUp Processes Viewer when you check "replace with Windows taskmgr"; I found the reg path from that.

    Anyway, you could replace it with any app and pass that app as an argument so the user won't know, like this: taskmgr.exe --> server.exe -tsk, and if the command = -tsk then you execute the task manager, or just put the path.

    But :@ I think KAV/KIS's proactive defence detects that :@ I don't remember, and I don't have KAV these days to check.

    Anyway, keep working and have a nice day.

    PM to -silent- :@ allow more than 4 smilies :@

    There is no God but Allah, and Mohammed is the messenger of Allah

    Мустафа

#5 slayer616 (Senior Member, joined Dec 2007, location: Earth, 1,474 posts)
    Unhook the APIs and then write it to the registry.


#6 Syntax_err (Senior Member, joined Jun 2008, 593 posts)
    BTW, I remembered an old trick; it's detected, but it may help people, and I developed it to be undetected by KAV :@

    I saw a virus make itself the parent or the operator of exe files: like when you open a txt file, its path is handed to notepad, so you make the exes handed to your app and then execute them, and don't execute the AVs.

    Code:
    HKEY_CLASSES_ROOT\exefile\shell\open\command
    But the KAV family detects any modification of the open key :S and you can't do the trick without the open key, so:

    Make your own key like "Syntax", make the key's default value = Open, and make the "HKEY_CLASSES_ROOT\exefile\shell" key value = "Syntax", so the default Open key will be yours, not the detected one, and its text will be "Open".

    Have a nice c0d3,,,
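The two registry tricks in this thread, the IFEO "Debugger" value from post #1 (including the Debugger-with-argument form post #4 suggests) and the renamed exefile default verb from post #6, seen from the defender's side: a Python audit over a registry export. This is an added example, not code from the thread or any of its posters. It assumes input in the text format `reg export` writes; the embedded export, the `C:\Users\bob\AppData\Roaming\server.exe` path and the watch-list entry beyond avp.exe are constructed for the illustration.

```python
r"""Audit a Windows .reg export for IFEO "Debugger" redirections and a hijacked
exefile default shell verb. Added example for this page, not code from the thread.
Input is the text `reg export` writes; a constructed export is embedded below."""
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
EXEFILE_SHELL = r"HKEY_CLASSES_ROOT\exefile\shell"
EXPECTED_OPEN_CMD = '"%1" %*'  # stock value of exefile\shell\open\command
# avp.exe is the Kaspersky process the thread names; cmdagent.exe (Comodo) is an
# assumed addition. Extend the set from your own AV/FW inventory.
WATCHED_IMAGES = {"avp.exe", "cmdagent.exe"}
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\appdata\\", "\\temp\\")

# Constructed sample, not a real capture: a legitimate Process Explorer swap, the
# avp.exe hijack from post #1, the "server.exe explorer.exe" form from post #8
# and the renamed default verb from post #6 (note shell\open\command stays stock).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Program Files\\Sysinternals\\procexp.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\Users\\bob\\AppData\\Roaming\\server.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Users\\bob\\AppData\\Roaming\\server.exe explorer.exe"
[HKEY_CLASSES_ROOT\exefile\shell]
@="Syntax"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\Syntax]
@="Open"
[HKEY_CLASSES_ROOT\exefile\shell\Syntax\command]
@="\"C:\\Users\\bob\\AppData\\Roaming\\server.exe\" \"%1\" %*"
'''

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape \ and " with a backslash

def parse_reg(text):
    """Return {key_path_lowercased: {value_name_lowercased: value}}; '' is (Default).
    REG_SZ values are decoded; other types (dword:, hex:) are kept as raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2)).lower()
            raw = m.group(3)
            quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
            keys[current][name] = _unescape(raw[1:-1]) if quoted else raw
    return keys

def first_token(cmdline):
    """Split as CreateProcess does: a quoted first token, else up to the first space."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return (cmdline[1:], "") if end < 0 else (cmdline[1:end], cmdline[end + 1:].strip())
    exe, _, rest = cmdline.partition(" ")
    return exe, rest.strip()

def audit_ifeo(keys):
    """One (severity, key, detail) per IFEO subkey that carries a Debugger value."""
    findings, prefix = [], IFEO_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.startswith(prefix) or "debugger" not in values:
            continue
        image, debugger = key[len(prefix):], values["debugger"]
        exe, args = first_token(debugger)
        reasons = []
        if image in WATCHED_IMAGES:
            reasons.append("watched AV/FW image")
        if any(p in exe.lower() for p in USER_WRITABLE):
            reasons.append("debugger lives in a user-writable path")
        if args:
            reasons.append(f"debugger value carries its own argument {args!r}")
        # Windows runs `<Debugger value> <original command line>`, so the replacement
        # gets the hijacked image's own command line as its arguments.
        detail = f"{image} now runs {debugger + ' ' + image!r}: " + ("; ".join(reasons) or "review")
        findings.append(("high" if reasons else "review", key, detail))
    return findings

def audit_exefile(keys):
    """Flag a renamed default verb, or a default-verb command that is not the stock one."""
    verb = keys.get(EXEFILE_SHELL.lower(), {}).get("") or "open"  # (Default) names the default verb
    cmd_key = f"{EXEFILE_SHELL}\\{verb}\\command".lower()
    cmd = keys.get(cmd_key, {}).get("", "")
    findings = []
    if verb.lower() != "open":
        findings.append(("high", EXEFILE_SHELL.lower(), f"default verb renamed to {verb!r}"))
    if cmd != EXPECTED_OPEN_CMD:
        findings.append(("high", cmd_key, f"expected {EXPECTED_OPEN_CMD!r}, found {cmd!r}"))
    return findings

def audit(reg_text):
    keys = parse_reg(reg_text)
    return audit_ifeo(keys) + audit_exefile(keys)

if __name__ == "__main__":
    for severity, key, detail in audit(SAMPLE_REG):
        print(f"[{severity}] {key}\n    {detail}")
```

On a real box, feed it the output of `reg export` for the IFEO key and for `HKCR\exefile`. The default-verb check is the part that matters for post #6: a check that only watches `shell\open\command` sees nothing changed there, while the `(Default)` value of `exefile\shell` now points every double-click at a different verb. Every IFEO Debugger entry is reported, since the Process Explorer "replace Task Manager" option uses the same value legitimately; the severity only rises when the image is on the watch-list, the debugger sits in a user-writable path, or the value already carries an argument of its own.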

#7 slayer616 (Senior Member, joined Dec 2007, location: Earth, 1,474 posts)
    But the problem could be: explorer.exe, e.g., won't be executed, right?


#8 Syntax_err (Senior Member, joined Jun 2008, 593 posts)
    Use "urServer.exe explorer.exe" as the value, so you can execute explorer.exe yourself.

    And BTW, could you tell me how I can unhook KAV's hooks?

    Note: NtLoadDriver, NtOpenSection and CreateService are hooked.

#9 slayer616 (Senior Member, joined Dec 2007, location: Earth, 1,474 posts)
    I can't unhook the hooks either....
    But it should be possible...


#10 Syntax_err (Senior Member, joined Jun 2008, 593 posts)
    That's what I'm talking about.

    Anyway, change the computer time, do your fucking detected things (injection, copying, registry editing, key hooking), and then restore the old time; notice that KAV is disabled after 10 secs, so be patient.

    Have a nice code
