0xNOP Blog


[PureBasic] Antivirus Grabber [Snippet]

0xNOP


Wrote this a while ago to understand how trojans get antivirus products when they request such information; turns out it works pretty well.

[For Educational Purposes and Usage ONLY]

;==================== GLOBAL VARIABLES ==================
Global.s Dim output(0)
Global.s AntiVirus = "AntiVirusProduct"
Global.s FireWall = "FirewallProduct"
Global.s AntiSpyware = "AntiSpywareProduct"
;==================== GLOBAL VARIABLES ==================

;#===========================================================================================#
;# Function: explodeStringArray(_Out_ Array, _In_ s, _In_ delimiter)                         #
;#===========================================================================================#
;# Brief: Similar to the PHP function explode(), this function 'explodes' a string into _    #
;# substrings at every occurrence of a delimiter.                                            #
;#===========================================================================================#
;# _Out_ Array = An array that will store the substrings.                                    #
;# _In_ s = String that you want to split.                                                   #
;# _In_ delimiter = The delimiter used to split the string.                                  #
;#===========================================================================================#
Procedure explodeStringArray(Array a$(1), s$, delimiter$)
  Protected count, i
  count = CountString(s$, delimiter$) + 1

  ;Debug Str(count) + " substrings found"
  Dim a$(count)
  For i = 1 To count
    a$(i - 1) = StringField(s$, i, delimiter$)
  Next
  ProcedureReturn count ; Return the number of substrings
EndProcedure

;#===========================================================================================#
;# Function: getProduct(_In_ ProgID, _In_ Product)                                           #
;#===========================================================================================#
;# Brief: Reads the WMIC output and searches it for the product(s) you specify.              #
;#===========================================================================================#
;# _In_ ProgID = Valid program handle returned by RunProgram() for the WMI query             #
;# _In_ Product = "AV" or "FW" or "SPY"                                                      #
;#===========================================================================================#
Procedure getProduct(ProgID, Product.s)
  Protected Output$, FindStr$, Occurrences
  Output$ = ""
  If ProgID
    ; Collect everything WMIC prints until it exits
    While ProgramRunning(ProgID)
      If AvailableProgramOutput(ProgID)
        Output$ + ReadProgramString(ProgID)
      EndIf
    Wend
    CloseProgram(ProgID) ; *Let's prevent some leakage* Close the connection to the program.
    Debug Output$
  EndIf

  ; /Format:List prints one "displayName=<product>" line per product, so counting
  ; that field name tells us how many products are registered.
  FindStr$ = "displayName="
  Occurrences = CountString(Output$, FindStr$)
  If Occurrences = 0
    MessageRequester("Woops!", "No Security Product(s) Found!")
  Else
    ; At least one product (possibly several). Split on the field name: output(1)
    ; holds the first product's name, output(2) the second, and so on. <- We want output(1) :)
    explodeStringArray(output(), Output$, "displayName=")
    If Product = "AV"
      MessageRequester("We've Found an AntiVirus!", output(1))
    EndIf

    If Product = "SPY"
      MessageRequester("We've Found an AntiSpyWare!", output(1))
    EndIf

    If Product = "FW"
      MessageRequester("We've Found a FireWall!", output(1))
    EndIf
  EndIf
EndProcedure

;#===========================================================================================#
;# Function: GetSecurityProduct(_In_ Product, _In_ ProductType)                              #
;#===========================================================================================#
;# Brief: Runs WMIC in a hidden console and hands the resulting program handle to _          #
;# getProduct(), which does the other operations to hunt for security products.              #
;#===========================================================================================#
;# _In_ Product = "AntiVirusProduct" OR "AntiSpywareProduct" OR "FirewallProduct"            #
;# _In_ ProductType = "AV" or "FW" or "SPY"                                                  #
;#===========================================================================================#
Procedure GetSecurityProduct(Product.s, ProductType.s)
  Protected ProgID
  ; WMI changed the way it behaves from Vista SP2 and above: earlier "ROOT\SECURITYCENTER" was needed, now "ROOT\SECURITYCENTER2" is needed.

  If OSVersion() <= #PB_OS_Windows_Vista
    ProgID = RunProgram("wmic", "/Node:localhost /Namespace:\\root\SecurityCenter Path " + Product + " Get displayName /Format:List", "", #PB_Program_Open | #PB_Program_Read | #PB_Program_Hide)
    getProduct(ProgID, ProductType)
  Else ; Host OS is higher than Vista. We can rest assured and run it with the new WMIC statement :D
    ProgID = RunProgram("wmic", "/Node:localhost /Namespace:\\root\SecurityCenter2 Path " + Product + " Get displayName /Format:List", "", #PB_Program_Open | #PB_Program_Read | #PB_Program_Hide)
    getProduct(ProgID, ProductType)
  EndIf
EndProcedure

;==================== MAIN ==================
GetSecurityProduct(AntiVirus, "AV")
GetSecurityProduct(AntiSpyware, "SPY")
GetSecurityProduct(FireWall, "FW")
;==================== MAIN ==================
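As an added example (not code from the original post or its author), here is a Python version of the parsing step together with the check a defender would run over process-creation telemetry: it reads the same `/Format:List` output the snippet above parses, handles zero, one or many products instead of only `output(1)`, and flags command lines that issue this SecurityCenter/SecurityCenter2 query. The product names and command lines below are constructed samples.

```python
import re
from typing import List

# Constructed sample of what `wmic ... Path AntiVirusProduct Get displayName /Format:List`
# prints with two products registered: blank-line separated "key=value" records, the
# layout the PureBasic getProduct() above parses. The second product name is made up.
SAMPLE_AV_OUTPUT = (
    "\r\n\r\n"
    "displayName=Windows Defender\r\n"
    "\r\n\r\n"
    "displayName=Example Antivirus Pro\r\n"
    "\r\n\r\n"
)

# Constructed process-creation command lines (e.g. the CommandLine field of a Sysmon
# event 1): the first is the query the snippet issues, the second is benign.
SAMPLE_CMDLINES = [
    r"wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List",
    r"wmic os get caption",
]


def parse_wmic_list(output: str, key: str = "displayName") -> List[str]:
    """Return every value of `key` in WMIC /Format:List output.
    Unlike the snippet's Left(Output$, 12) / split-on-"displayName=" trick, this handles
    zero, one or many products and ignores the CR/LF padding WMIC adds around records.
    """
    values = []
    for line in output.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key and value.strip():
            values.append(value.strip())
    return values


# Matches the namespace and class names the snippet uses (SecurityCenter on older
# hosts, SecurityCenter2 from Vista SP2 onwards), regardless of letter case.
SECURITY_CENTER_RE = re.compile(
    r"\\\\?root\\SecurityCenter2?\b.*\b(AntiVirusProduct|AntiSpywareProduct|FirewallProduct)\b",
    re.IGNORECASE,
)


def is_security_product_enumeration(cmdline: str) -> bool:
    """Flag a wmic.exe command line that enumerates SecurityCenter(2) products.
    Defender's use: run over process-creation telemetry to find software taking the same
    security-product inventory the snippet does (inventory agents do too, so check the parent).
    """
    return "wmic" in cmdline.lower() and bool(SECURITY_CENTER_RE.search(cmdline))
```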

Simply gets the listed Antivirus :D

Adapted for PureBasic :D

References:
WMIC Access Security Products: https://blogs.msdn.microsoft.com/alejacma/2008/05/12/how-to-get-antivirus-information-with-wmi-vbscript/#comment-180

Explode String (Php2Pb): http://www.purebasic.fr/english/viewtopic.php?p=320348&sid=a3457eb3b08ec9dc6eb5b8ac3ee67656#p320348


*Updated 4/5/2016*

Added Support for earlier versions of Windows (Vista and earlier), as I've read the structure of the WMI command changed a little bit for those versions of Windows :D


*Updated 3/6/2017*

Added support to detect three major security products; some little things changed in the code, e.g. `getAv()` is now `getProduct()`.


*Updated 3/7/2016*

Just cleaned the code a tad more, documented the functions and added overall comments and also did some minor refactoring. :)




4 Comments


Teddy Rogers

Posted

It's good to see someone else taking advantage and using this fine programming language!

Ted.


What is the concept of this? And honestly, a good trojan is not written in PureBasic, but in other strong languages like C++ and working in kernel mode; in Basic there is not much you can do...

On 10/30/2016 at 3:11 AM, Mr.Mecanik said:

What is the concept of this? And honestly, a good trojan is not written in PureBasic, but in other strong languages like C++ and working in kernel mode; in Basic there is not much you can do...

Oh well sorry for the late reply!


I just wanted to do it and expose the methods malware writers often use to create their malware; I just did it in PureBasic since I was working with it and found it's a really great and fun language to work with :D

And btw you can work in kernel mode from PureBasic too; you can even create your own drivers, there's a suite that allows you to do that:

http://www.purebasic.fr/english/viewtopic.php?p=404607


Thanks for writing!

