0xNOP Blog


[PureBasic] Antivirus Grabber [Snippet]

0xNOP

Wrote this a while ago to understand how trojans get the installed antivirus products when they request such information; turns out it works pretty well.

[For Educational Purposes and Usage ONLY]

; English Forum: https://forum.tuts4you.com/
; Author: 0xNOP
; Date: 6.April.2016
; OS: Windows
; Demo: No

; Holds the pieces of the wmic output split on "displayName=" (index 0 is the text before the first key, index 1 the first product name)
Global Dim output.s(0)

; PHP-style explode(): splits s$ on delimiter$ into a$() and returns the number of substrings
Procedure explodeStringArray(Array a$(1), s$, delimiter$)
  Protected count, i
  count = CountString(s$, delimiter$) + 1
  
  ;Debug Str(count) + " substrings found"
  Dim a$(count)
  For i = 1 To count
    a$(i - 1) = StringField(s$, i, delimiter$)
  Next
  ProcedureReturn count ; return count of substrings
EndProcedure

; Collects everything the wmic process prints and reports the first AntiVirusProduct displayName
Procedure getAV(ProgID.i)
  Protected Output$ = ""
  Protected Occurrences
  
  If ProgID
    While ProgramRunning(ProgID)
      If AvailableProgramOutput(ProgID)
        ; ReadProgramString() returns one output line without its line ending,
        ; so the lines end up concatenated; splitting on the key below still works
        Output$ + ReadProgramString(ProgID)
      EndIf
    Wend
    CloseProgram(ProgID) ; Close the connection to the program
  EndIf
  
  ; In /Format:List output every product record carries one "displayName=" line
  Occurrences = CountString(Output$, "displayName=")
  If Occurrences = 0
    MessageRequester("Woops!", "No Antivirus Found!")
  Else
    ; One or more products registered; output(1) is the first one <- We want this value :)
    explodeStringArray(output(), Output$, "displayName=")
    MessageRequester("We've Got a Hit!", "Installed: " + Trim(output(1)))
  EndIf
EndProcedure

; I've read that WMI changed the way it behaves from Vista SP2 and above, earlier "root\SecurityCenter" was needed, now "root\SecurityCenter2" is needed.

If OSVersion() <= #PB_OS_Windows_Vista
  Namespace$ = "root\SecurityCenter"
Else ; Host OS is newer than Vista. We can rest assured and use the new SecurityCenter2 namespace :D
  Namespace$ = "root\SecurityCenter2"
EndIf

; wmic writes UTF-16 when its output is redirected; if the names come back garbled, add #PB_Program_Unicode to the flags
ID = RunProgram("wmic", "/Node:localhost /Namespace:\\" + Namespace$ + " Path AntiVirusProduct Get displayName /Format:List", "", #PB_Program_Open | #PB_Program_Read | #PB_Program_Hide)
getAV(ID)

Simply gets the listed Antivirus :D

Adapted for PureBasic :D
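The same parsing step the snippet does by concatenating lines and splitting on "displayName=", written out as a small parser for wmic's /Format:List output so the format quirks are visible. This is an added example in Python, not code from the original post; the sample output below is constructed, and it handles the UTF-16LE BOM wmic emits on a redirected stream, its doubled "\r\r\n" line endings, and more than one AntiVirusProduct record.

```python
"""Parse `wmic ... Get displayName /Format:List` output into product names."""
from typing import Dict, List


def decode_wmic_output(raw: bytes) -> str:
    """wmic writes UTF-16LE with a BOM when redirected; decode that, otherwise
    treat the bytes as single-byte text (the console code page case)."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")  # the "utf-16" codec consumes the BOM
    return raw.decode("latin-1")


def parse_wmic_list(text: str) -> List[Dict[str, str]]:
    """/Format:List prints one key=value per line and separates records with
    blank lines. Each record becomes a dict; "\r\r\n" endings are normalised."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.replace("\r", "").split("\n"):
        line = line.strip()
        if not line:  # blank line closes the current record
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def installed_antivirus(raw: bytes) -> List[str]:
    """Return the displayName of every AntiVirusProduct record, in order."""
    records = parse_wmic_list(decode_wmic_output(raw))
    return [r["displayName"] for r in records if "displayName" in r]


# Constructed sample: wmic output for a host with two registered products,
# captured as UTF-16LE with BOM and wmic's "\r\r\n" line endings.
SAMPLE_TEXT = (
    "\r\r\n\r\r\n"
    "displayName=Windows Defender\r\r\n"
    "\r\r\n\r\r\n"
    "displayName=Example AV Pro\r\r\n"
    "\r\r\n\r\r\n"
)
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE_TEXT.encode("utf-16-le")

if __name__ == "__main__":
    names = installed_antivirus(SAMPLE_BYTES)
    print("No Antivirus Found!" if not names else "Installed: " + ", ".join(names))
```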

References:
WMIC Access Security Products: https://blogs.msdn.microsoft.com/alejacma/2008/05/12/how-to-get-antivirus-information-with-wmi-vbscript/#comment-180

Explode String (Php2Pb): http://www.purebasic.fr/english/viewtopic.php?p=320348&sid=a3457eb3b08ec9dc6eb5b8ac3ee67656#p320348


*Updated 4/5/2016*

Added support for earlier versions of Windows (Vista and earlier), as I've read the structure of the WMI command changed a little bit for those versions of Windows :D




3 Comments


Teddy Rogers

Posted

It's good to see someone else taking advantage and using this fine programming language!

Ted.

Mr.Mecanik

Posted

What is the concept of this? And honestly, a good trojan is not written in PureBasic but in other strong languages like C++, working in kernel mode; in BASIC there is not much you can do...

0xNOP

Posted
On 10/30/2016 at 3:11 AM, Mr.Mecanik said:

What is the concept of this? And honestly, a good trojan is not written in PureBasic but in other strong languages like C++, working in kernel mode; in BASIC there is not much you can do...

Oh well sorry for the late reply!


I just wanted to do it and expose the methods malware writers often use to create their malware. I just did it in PureBasic since I was working in it and found it's a really great and fun language to work with :D

And btw, you can work with kernel mode from PureBasic as well; you can even create your own drivers, there's a suite that allows you to do that:

http://www.purebasic.fr/english/viewtopic.php?p=404607


Thanks for writing!
