Tuts 4 You

0xNOP Blog

  • entries: 3
  • comments: 12
  • views: 10,769

About this blog

My blog is miscellaneous and random; things I find cool I'll be posting here, like snippets, etc.

Entries in this blog

[PureBasic] Antivirus Grabber [Snippet]

Wrote this a while ago, to understand how trojans get antivirus products when they request such information; turns out it works pretty well. [For Educational Purposes and Usage ONLY]

; English Forum: https://forum.tuts4you.com/
; Author: 0xNOP
; Date: 6.April.2016
; OS: Windows
; Output Demo:

;==================== GLOBAL VARIABLES ==================
Global Dim output.s(0)
Global.s AntiVirus = "AntiVirusProduct"
Global.s FireWall = "FirewallProduct"
Global.s AntiSpyware = "AntiSpywareProduct"
;==================== GLOBAL VARIABLES ==================

;#===========================================================================================#
;# Function: explodeStringArray(_Out_ Array, _In_ s, _In_ delimiter)
;#===========================================================================================#
;# Brief: Similar to the PHP function explode(), this function 'explodes' a string
;#        by a delimiter string.
;#===========================================================================================#
;# _Out_ Array     = An array that will store the substrings.
;# _In_  s         = String that contains the stuff you want to split.
;# _In_  delimiter = The delimiter used to split the string.
;#===========================================================================================#
Procedure explodeStringArray(Array a$(1), s$, delimiter$)
  Protected count, i
  count = CountString(s$, delimiter$) + 1
  ;Debug Str(count) + " substrings found"
  Dim a$(count)
  For i = 1 To count
    a$(i - 1) = StringField(s$, i, delimiter$)
  Next
  ProcedureReturn count ; return count of substrings
EndProcedure

;#===========================================================================================#
;# Function: getProduct(_In_ ProgID, _In_ Product)
;#===========================================================================================#
;# Brief: This function does the actual search for the product(s) you specify.
;#===========================================================================================#
;# _In_ ProgID  = Valid program handle from the WMI query
;# _In_ Product = "AV" or "FW" or "SPY"
;#===========================================================================================#
Procedure getProduct(ProgID, Product.s)
  Protected Output$, FindStr$, Occurences
  Output$ = ""
  If ProgID
    While ProgramRunning(ProgID)
      If AvailableProgramOutput(ProgID)
        Output$ + ReadProgramString(ProgID)
      EndIf
    Wend
    CloseProgram(ProgID) ; *Let's prevent some leakage* Close the connection to the program.
    Debug Output$
  EndIf
  ; Every instance in /Format:List output carries a "displayName=" line,
  ; so counting that key tells us how many products were reported.
  FindStr$ = "displayName="
  Occurences = CountString(Output$, FindStr$)
  If Occurences = 0
    MessageRequester("Woops!", "No Security Product(s) Found!")
  Else
    ; This system has at least one security product. Split on the key:
    ; output(0) is whatever preceded the first "displayName=", output(1) is the
    ; first product name <- We want this value :)
    explodeStringArray(output(), Output$, FindStr$)
    If Product = "AV"
      MessageRequester("We've Found an AntiVirus!", output(1))
    EndIf
    If Product = "SPY"
      MessageRequester("We've Found an AntiSpyWare!", output(1))
    EndIf
    If Product = "FW"
      MessageRequester("We've Found a FireWall!", output(1))
    EndIf
  EndIf
EndProcedure

;#===========================================================================================#
;# Function: GetSecurityProduct(_In_ Product, _In_ ProductType)
;#===========================================================================================#
;# Brief: Runs a WMIC instance in a hidden console; the returned program handle is
;#        passed to getProduct(), which does the actual hunting for security products.
;#===========================================================================================#
;# _In_ Product     = "AntiVirusProduct" OR "AntiSpywareProduct" OR "FirewallProduct"
;# _In_ ProductType = "AV" or "FW" or "SPY"
;#===========================================================================================#
Procedure GetSecurityProduct(Product.s, ProductType.s)
  Protected ProgID
  ; WMI CHANGED THE WAY IT BEHAVES FROM VISTA SP2 AND ABOVE: EARLIER "ROOT\SECURITYCENTER" WAS NEEDED, NOW "ROOT\SECURITYCENTER2" IS NEEDED.
  If OSVersion() <= #PB_OS_Windows_Vista
    ProgID = RunProgram("wmic", "/Node:localhost /Namespace:\\root\SecurityCenter Path " + Product + " Get displayName /Format:List", "", #PB_Program_Open | #PB_Program_Read | #PB_Program_Hide)
    getProduct(ProgID, ProductType)
  Else
    ; Host OS is newer than Vista. We can rest assured and run it with the new WMIC statement :D
    ProgID = RunProgram("wmic", "/Node:localhost /Namespace:\\root\SecurityCenter2 Path " + Product + " Get displayName /Format:List", "", #PB_Program_Open | #PB_Program_Read | #PB_Program_Hide)
    getProduct(ProgID, ProductType)
  EndIf
EndProcedure

;==================== MAIN ==================
GetSecurityProduct(AntiVirus, "AV")
GetSecurityProduct(AntiSpyware, "SPY")
GetSecurityProduct(FireWall, "FW")
;==================== MAIN ==================

Simply gets the listed antivirus; adapted for PureBasic.

References:
WMIC Access Security Products: https://blogs.msdn.microsoft.com/alejacma/2008/05/12/how-to-get-antivirus-information-with-wmi-vbscript/#comment-180
Explode String (Php2Pb): http://www.purebasic.fr/english/viewtopic.php?p=320348&sid=a3457eb3b08ec9dc6eb5b8ac3ee67656#p320348

*Updated 4/5/2016* Added support for earlier versions of Windows (Vista and earlier), as I've read that the structure of the WMI command changed a little bit for those versions of Windows.
*Updated 3/6/2017* Added support to detect the three major security products; some little things in the code changed, like `getAv()` now being `getProduct()`.
*Updated 3/7/2016* Just cleaned the code a tad more, documented the functions, added overall comments and did some minor refactoring.
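The snippet above joins the wmic output into one string, splits it on "displayName=" and shows only output(1). The Python parser below is an added example, not code from the blog post: it reads the /Format:List layout the same query produces, returns every instance as a key/value record (so a host with two registered products is reported as two, not one), and treats an empty result as "nothing found" rather than an out-of-range array access. The SAMPLE_* strings are constructed to match wmic's layout and are not captured from a real machine.

```python
"""Parse wmic /Format:List output into product records.

Added example (not code from the blog post): the Python counterpart of the
"explode on displayName=" logic, generalised to every instance wmic reports.
SAMPLE_* strings are constructed to match wmic's layout, not captured output.
"""
from typing import Dict, List

# Constructed sample of what `wmic /Namespace:\\root\SecurityCenter2 Path
# AntiVirusProduct Get displayName,productState /Format:List` prints with two
# registered products: blank lines around each instance, one "key=value" per line.
SAMPLE_AV_OUTPUT = (
    "\r\n\r\n"
    "displayName=Windows Defender\r\n"
    "productState=397568\r\n"
    "\r\n\r\n"
    "displayName=Example Antivirus Pro\r\n"
    "productState=266240\r\n"
    "\r\n\r\n"
)

# Constructed sample of the same query when the class has no instances
# (for example a FirewallProduct query on a host with no third-party firewall).
SAMPLE_EMPTY_OUTPUT = "\r\n\r\nNo Instance(s) Available.\r\n\r\n"


def parse_wmic_list(text: str) -> List[Dict[str, str]]:
    """Return one dict per instance; instances are separated by blank lines.

    Lines without '=' (wmic's "No Instance(s) Available." notice) are skipped,
    so an empty query yields [] rather than a bogus record.
    """
    instances: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:            # a blank line closes the instance being built
                instances.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    if current:                    # output without a trailing blank line
        instances.append(current)
    return instances


def product_names(text: str) -> List[str]:
    """All displayName values, in the order wmic listed them."""
    return [inst["displayName"] for inst in parse_wmic_list(text) if "displayName" in inst]


def summarize(category: str, text: str) -> str:
    """Human-readable verdict for one SecurityCenter2 class (AV, firewall, anti-spyware)."""
    names = product_names(text)
    if not names:
        return f"No {category} found"
    return f"{len(names)} {category}(s): " + ", ".join(names)


if __name__ == "__main__":
    print(summarize("AntiVirusProduct", SAMPLE_AV_OUTPUT))   # 2 AntiVirusProduct(s): ...
    print(summarize("FirewallProduct", SAMPLE_EMPTY_OUTPUT))  # No FirewallProduct found
```

From the defender's side the interesting part is not the parsing but the command line that feeds it: a wmic.exe child process whose arguments name the root\SecurityCenter2 namespace is recorded by process-creation telemetry regardless of which language the caller was written in, which is why this enumeration is a common hunting signal.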

0xNOP


Quick & Dirty Way to Bypass Themida Anti-Attach!

[ATTENTION ! - BEFORE YOU READ ANYTHING!]
The following article has been written to help fellow members who currently work as malware analysts and are working hard every day against malware in the wild. Given that this forum is publicly available to anyone, this article is intended to be used only as an educational resource and should NOT be put to the test against any kind of commercial programs / applications / software protected by Themida. Breaking / circumventing the protection of Themida itself, or of any commercial program / application / software, is totally unlawful and you could be held accountable for your actions in a court. The author of this article ('0xNOP') and/or the hosts of this blog ('www.tuts4you.com') do not take any kind of responsibility for anything that you ('the reader') might do with such content.
Given these terms of agreement, you are the sole person responsible for your own actions. If you agree with this, you may continue reading; if not, I advise you to stop reading, close this page and continue browsing the forums as usual. If you continue reading, it means you are automatically accepting these terms of agreement.

0xNOP


[PureBasic] OS Grabber [Snippet]

Here we go guys! Yet another snippet! I keep digging with WMI and its interface WMIC, and I find it pretty useful with all the things you can get. This time I've made this nice little snippet which grabs the OS name / version! Hope you like it and find it useful.

; English Forum: https://forum.tuts4you.com/
; Author: 0xNOP
; Date: 6.April.2016
; OS: Windows
; Output Demo: http://i.imgur.com/u37a35H.png

ProgID = RunProgram("wmic", "os get caption", "", #PB_Program_Open | #PB_Program_Read | #PB_Program_Hide)
Output$ = ""
If ProgID
  While ProgramRunning(ProgID)
    If AvailableProgramOutput(ProgID)
      Output$ + Trim(ReadProgramString(ProgID))
    EndIf
  Wend
  Output$ = ReplaceString(Output$, "Caption", "") ; drop the column header wmic prints before the value
  MessageRequester("OS", Output$)
  CloseProgram(ProgID) ; Close the connection to the program
EndIf
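The snippet above removes the literal word "Caption" from the joined text to leave only the OS name. As an added example that is not the blog's code, the Python parser below instead reads wmic's header line to find the column boundaries and slices each data row at the same offsets, so it also handles multi-column queries such as wmic os get caption,version, which the one-column snippet cannot. The sample text is constructed to mimic wmic's layout, not captured from a machine.

```python
"""Parse wmic's default column-aligned output (e.g. `wmic os get caption`).

Added example, not the blog's code: instead of deleting the word "Caption"
from the joined text, read the header line to locate the column boundaries
and slice each data row at the same offsets. That also copes with
multi-column queries such as `wmic os get caption,version`.
The sample is constructed to mimic wmic's layout, not captured from a machine.
"""
import re
from typing import Dict, List

# Constructed sample of `wmic os get caption,version`: wmic pads each column
# to its widest value plus two spaces and terminates lines with "\r\r\n"
# (a long-standing wmic quirk), which str.splitlines() tolerates.
SAMPLE_OS_OUTPUT = (
    "Caption".ljust(26) + "Version".ljust(12) + "\r\r\n"
    + "Microsoft Windows 10 Pro".ljust(26) + "10.0.19045".ljust(12) + "\r\r\n"
    + "\r\r\n"
)


def parse_wmic_table(text: str) -> List[Dict[str, str]]:
    """Return one dict per data row, keyed by the header's column names."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header, *rows = lines
    # A column begins at each header word and ends where the next word begins;
    # the last column runs to the end of the line.
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[a:b].strip() for a, b in bounds]
    return [
        {name: row[a:b].strip() for name, (a, b) in zip(names, bounds)}
        for row in rows
    ]


def os_caption(text: str) -> str:
    """The OS name the blog snippet shows in its MessageRequester, or '' if absent."""
    rows = parse_wmic_table(text)
    return rows[0].get("Caption", "") if rows else ""


if __name__ == "__main__":
    print(os_caption(SAMPLE_OS_OUTPUT))  # Microsoft Windows 10 Pro
```

Because the slicing is driven by the header rather than by a hard-coded string, a value that happens to contain the column name (or internal spaces, as "Microsoft Windows 10 Pro" does) comes through intact, which the ReplaceString approach cannot guarantee.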

0xNOP
