Author: occasus
Posted: 30.07.2007 12:58:44 (edited by occasus on 30.07.2007 13:00:02)

Hi All, I am having some trouble with antiviruses. Nowadays almost every antivirus detects programs like "cain.exe", "pwdump.exe" among many others and deletes them immediately. In my last attempts at getting some programs to run they always got deleted. Till here no problem. But in the last case I am not able to disable the antivirus. Now does anyone have an idea, or some possibilities come to mind, to prevent the antivirus from deleting the files before I run them? For example writing permission denied. Or some tools to get rid of it. I don't know if you understand my problem, but I hope so. Nevertheless, if you need more info or a better explanation tell me, so I will edit this post. Many thanks

Author: Towley
Posted: 30.07.2007 13:58:27

I guess the main problem is that they can't get executed. So maybe I would try some packer to make those programs undetected. You could try a trial version of "themida" or any other exe packer/crypter. Here is an open-source packer: http://sourceforge.net/projects/yodap/

Greets, Gizmore

Author: unknown user
Posted: 30.07.2007 16:42:01

http://us4.samba.org/samba/ftp/pwdump/pwdump.c - obfuscate that enough to fool detection... There is also a pwdump2 nowadays, iirc.

Author: occasus
Posted: 30.07.2007 23:28:43 (edited by occasus on 30.07.2007 23:30:49)

Gizmore and rhican, thank you very much. I will try the packers and give feedback here. But I didn't understand the "obfuscation" of "pwdump.c" (yeah, sorry, I actually meant pwdump2.exe). Yep, I see the source is not deleted, but I can't run it in source format (obviously).

Thanks, occasus

Author: unknown user
Posted: 31.07.2007 00:12:51

Obfuscate, as in change the source code in such a way that after compilation all the binary patterns and heuristics that could be used to detect it don't work. This includes:

- changing all strings to something encoded
- including more API functions than just the ones necessary
- making the file substantially larger
- not directly importing all APIs needed, but resolving some with LoadLibrary/GetProcAddress
- changing some of the logic, splitting some functions, doing some things differently
- interleaving with stuff that is totally irrelevant

Basically make it a reviewer's nightmare, and then compile it with mingw and chances are it will not be detected.

==> Virus solutions use blacklists and heuristics. Blacklists are great, because there is an indefinite amount that's not on there. Heuristics are easily tricked, once you know what they are looking for. However, decent antivirus/firewall solutions will probably hook the APIs involved and still try to stop it.

You might want to investigate "switchblade"; google for "switchblade usb". I don't know if they tackle this issue, but perhaps they have something interesting. You might even be able to leverage U3 technology, by tricking the guest OS into believing your .exe's are on a CD, and hence being unwritable.

Author: unstable
Posted: 03.08.2007 22:53:18

Sounds like a lot of work just to get something running. With my antivirus software (AVG Free Edition), I can choose whether I want to scan all file extensions that are loaded into memory, or just a fixed set (with the "professional" edition you can specify exactly which files to include or exclude).

So, let's say I want to run Cain.exe, but AVG wouldn't allow it... Let's test it with CMD.EXE first, because CMD.EXE doesn't really care much about the extension. First I rename Cain.exe to Cain.xok, and then I try to run it in the command shell. Guess what, it works. Well, I don't really know about Cain, but I tried it with some other proggy that triggered AVG.

If you don't want to start the command shell every time you want to run Cain, you could even put it in the registry:

    [HKEY_CLASSES_ROOT\.xok]
    @="AVG exclusion"

    [HKEY_CLASSES_ROOT\.xok\shell\open\command]
    @="CMD.EXE /C \"%1\""

But we don't really need CMD.EXE now anymore, this works too:

    [HKEY_CLASSES_ROOT\.xok\shell\open\command]
    @="\"%1\" %*"

Or instead of using a new "shell\open\command", you could just set the .xok root to "exefile":

    [HKEY_CLASSES_ROOT\.xok]
    @="exefile"

Or just copy the entire contents of .exe and/or exefile into .xok...

If your antivirus program doesn't support custom file extensions, but it does allow you to deactivate the resident scanner for a little while, you could even code your own loader, and make it deactivate your AV while your program runs. Here's some code in C to create a process:

    #include <windows.h>

    /* Skip argv[0] (quoted or not) and the blanks after it; returns the rest of the command line. */
    LPSTR skiparg0(char * s)
    {
        char c = (s[0]=='"' ? s++[0] : ' ');
        while (s[0]!=c) if ((++s)[0]==0) return s;
        while ((++s)[0]==' ') if (s[0]==0) return s;
        return s;
    }

    /* Entry point without the C runtime: starts whatever follows on the command line. */
    int WinMainCRTStartup()
    {
        STARTUPINFOA si={sizeof(si)};
        PROCESS_INFORMATION pi;
        LPSTR szCmdLine=skiparg0(GetCommandLineA());
        if (szCmdLine[0]!=0) CreateProcessA(0,szCmdLine,0,0,0,0,0,0,&si,&pi);
        return 0;
    }

In case you want to try it out, if you put this in the registry it should work (or just type "exec someproggy arguments" of course):

    [HKEY_CLASSES_ROOT\.xok\shell\open\command]
    @="exec.exe \"%1\""

And here's a little batch script to automatically add stuff to the registry (and to automatically remove it too):

[note - for the /x option you need to have sed.exe in your path and for the /s option you need exec.exe (the loader I showed you earlier) in your path]

    @echo off
    verify other 2>nul
    setlocal enableextensions
    if errorlevel 1 (
        echo Can't enable command extensions!
        goto :EOF
    )
    set xavg_opt=help
    set xavg_ext=xok
    set xavg_cmd=%0

    :args_1
    if not "%1"=="/i" goto args_2
    set xavg_opt=reg
    set xavg_typ=AVG exclusion
    set xavg_cmd=\"%%1\" %%*
    goto next_arg

    :args_2
    if not "%1"=="/s" goto args_3
    set xavg_opt=reg
    set xavg_typ=AVG exclusion
    set xavg_cmd=\"exec.exe\" \"%%1\" %%*
    goto next_arg

    :args_3
    if not "%1"=="/c" goto args_4
    set xavg_opt=reg
    set xavg_typ=AVG exclusion
    set xavg_cmd=\"CMD.EXE\" /C \"%%1\" %%*
    goto next_arg

    :args_4
    if not "%1"=="/x" goto args_5
    set xavg_opt=reg
    set xavg_typ=AVG exclusion
    set xavg_cmd=exe
    goto next_arg

    :args_5
    if not "%1"=="/u" goto args_6
    set xavg_opt=unreg
    goto next_arg

    :args_6
    set xavg_ext=%~1
    if not "%xavg_ext:~0,1%"=="." goto next_arg
    set xavg_ext=%xavg_ext:~1%

    :next_arg
    shift
    if not "%1"=="" goto args_1
    goto %xavg_opt%

    :reg
    regedit /e "%xavg_ext%.reg" "HKEY_CLASSES_ROOT\.%xavg_ext%"
    if exist "%xavg_ext%.reg" (
        echo ".%xavg_ext%" is already in use!
        goto clean
    )
    set /p xavg_con=Register ".%xavg_ext%"? [y/n]
    if not "%xavg_con%"=="y" goto :EOF
    echo REGEDIT4>"%xavg_ext%.reg"
    echo [HKEY_CLASSES_ROOT\.%xavg_ext%]>>"%xavg_ext%.reg"
    echo @="%xavg_typ%">>"%xavg_ext%.reg"
    if defined xavg_cmd (
        if "%xavg_cmd%"=="exe" (
            regedit /e "%xavg_ext%.tmp" "HKEY_CLASSES_ROOT\.exe"
            if exist "%xavg_ext%.tmp" (
                type "%xavg_ext%.tmp"|sed -r "s/^(\[HKEY_CLASSES_ROOT\\\.)exe/\1%xavg_ext%/g" >>"%xavg_ext%.reg"
                del "%xavg_ext%.tmp"
            ) else echo Error: HKEY_CLASSES_ROOT\.exe couldn't be exported!
            regedit /e "%xavg_ext%.tmp" "HKEY_CLASSES_ROOT\exefile"
            if exist "%xavg_ext%.tmp" (
                type "%xavg_ext%.tmp"|sed -r "s/^(\[HKEY_CLASSES_ROOT\\)exefile/\1.%xavg_ext%/g" >>"%xavg_ext%.reg"
                del "%xavg_ext%.tmp"
            ) else echo Error: HKEY_CLASSES_ROOT\exefile couldn't be exported!
        ) else (
            echo [HKEY_CLASSES_ROOT\.%xavg_ext%\shell\open\command]>>"%xavg_ext%.reg"
            echo @="%xavg_cmd%">>"%xavg_ext%.reg"
        )
    )
    regedit /s "%xavg_ext%.reg"
    echo ".%xavg_ext%" was registered
    goto clean

    :unreg
    if "%xavg_ext%"=="exe" (
        echo Removing 'exe' as an executable extension is not a good idea!
    ) else (
        regedit /e "%xavg_ext%.reg" "HKEY_CLASSES_ROOT\.%xavg_ext%"
        if exist "%xavg_ext%.reg" (
            for /F "usebackq tokens=*" %%i IN (`type "%xavg_ext%.reg"`) do (
                if %%i==@="exefile" goto remove
                if %%i==@="AVG exclusion" goto remove
            )
        )
    )
    echo ".%xavg_ext%" does not appear to be a registered "exefile" or "AVG exclusion" file!
    goto clean

    :remove
    set /p xavg_con=Remove ".%xavg_ext%"? [y/n]
    if not "%xavg_con%"=="y" goto clean
    echo REGEDIT4>"%xavg_ext%.reg"
    echo [-HKEY_CLASSES_ROOT\.%xavg_ext%]>>"%xavg_ext%.reg"
    regedit /s "%xavg_ext%.reg"
    echo ".%xavg_ext%" was removed from the registry

    :clean
    if exist "%xavg_ext%.reg" del "%xavg_ext%.reg"
    goto :EOF

    :help
    cls
    echo Usage: %xavg_cmd% /i [ext] - registers [ext], open as itself ("%%1" %%*)
    echo        %xavg_cmd% /s [ext] - registers [ext], open with CreateProcess stub
    echo        %xavg_cmd% /c [ext] - registers [ext], open with CMD.EXE
    echo        %xavg_cmd% /x [ext] - registers [ext], copy .exe and exefile (needs sed)
    echo        %xavg_cmd% /u [ext] - removes [ext] from the registry
    echo.
    echo [ext] defaults to "xok" if omitted
    echo if you use the /x option, you probably have to remove it manually

Hope this helps... good luck with it

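A defender-side check for the extension trick described in the post above, added here as an example that is not part of the thread or of anyone's posted code: it parses a REGEDIT4 export (the format "regedit /e" writes and the batch script reads back) and reports extensions that are not standard executable types but either alias an executable ProgID such as "exefile" or carry an open command that starts the file itself or hands it to cmd.exe. The sample export and its .xok, .xcc and .xzz entries are constructed.

```python
import re

# Constructed REGEDIT4 sample in the format "regedit /e" writes; .xok, .xcc and
# .xzz are made-up extensions standing in for the trick discussed above.
SAMPLE_REG = r"""REGEDIT4
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\.xok]
@="AVG exclusion"
[HKEY_CLASSES_ROOT\.xok\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\.xcc]
@="AVG exclusion"
[HKEY_CLASSES_ROOT\.xcc\shell\open\command]
@="CMD.EXE /C \"%1\""
[HKEY_CLASSES_ROOT\.xzz]
@="exefile"
"""

STANDARD_EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}
EXEC_PROGIDS = {"exefile", "comfile", "batfile", "cmdfile", "scrfile", "piffile"}

def parse_reg(text):
    """Minimal REGEDIT4 parser: key path -> {value name: unescaped string data}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):  # quoted REG_SZ value
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def suspicious_extensions(text):
    """Non-standard extensions under HKCR whose files would be run as programs."""
    keys, hits = parse_reg(text), []
    for path, values in keys.items():
        m = re.fullmatch(r"HKEY_CLASSES_ROOT\\(\.[^\\]+)", path)  # extension root key only
        if not m or m.group(1).lower() in STANDARD_EXEC_EXTS:
            continue
        cmd = keys.get(path + r"\shell\open\command", {}).get("@", "").lower()
        launcher = cmd.split()[0].strip('"') if cmd else ""  # program the shell would start
        if (values.get("@") in EXEC_PROGIDS or launcher == "%1"
                or re.search(r"cmd\.exe\s*/[ck]\b", cmd)):
            hits.append(m.group(1))
    return sorted(hits)
```

A launcher stub like the exec.exe loader in the post is not caught by the two command rules; an allowlist of known launchers, or comparing HKCR against a clean baseline export, covers that case.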
Author: unknown user
Posted: 04.08.2007 00:42:17

I was under the impression it was in the situation where it isn't "your" firewall to get past, rather just a computer you have physical access to, and you want to test its security without upsetting "the guy who's keeping an eye on things".

Author: unstable
Posted: 04.08.2007 07:17:11

Ah right... yeah, I get how that would complicate things a bit. I was wondering what he meant with that USB stuff. In that case, an exe packer/crypter sounds like your best bet there. Some "open source" viruses also have some nice generic code to temporarily bypass lots of AV software; you might be able to use some of it. Although I doubt they're very readable, let alone GPL'ed.