WindSLIC boot CD

Discussion in 'MDL Projects and Applications' started by nononsence, Sep 3, 2009.

  1. nononsence

    nononsence MDL Addicted

    #1 nononsence, Sep 3, 2009
    Last edited: Jul 15, 2011
  2. nononsence

    nononsence MDL Addicted

    bug fix, code cleanup
     
  3. Phazor

    Phazor MDL Expert

    Hi there nononsence,

    I had a look at your first script a couple of days ago and I thought it was very functional. Definitely unprecedented speed as far as drive-finding goes as the right drive is being found instantly after code execution.

    However, with this latest package I get a virus warning for Form1.vb upon unpacking:

    HTML/ADODB.Exploit.Gen

    I assume this is because of this line:

    Dim objOStream = CreateObject("ADODB.Stream")

    Since the same will obviously happen on other people's computers you might want to use some other method here, otherwise they might think it's actually malware...
     
  4. nononsence

    nononsence MDL Addicted

  5. nononsence

    nononsence MDL Addicted

    changes to a wait cursor during key install, progress bar works better now.
     
  6. Mr Jinje

    Mr Jinje MDL Expert

    Maybe try declaring "ADODB.Stream" as a string variable and passing that variable to the CreateObject line. That may alter the heuristics (or it may not). Obviously the laziness at that particular virus company is just to assume all ADODB connections are bad.

    Dim strADO = "ADODB.Stream"
    Dim objOStream = CreateObject(strADO)

    Be curious to know if they catch that.
     
  7. nononsence

    nononsence MDL Addicted

    #7 nononsence, Sep 4, 2009
    Last edited: Sep 4, 2009
    (OP)

    We have a winner, that one passed VirusTotal.

    Edit

    When I uploaded the whole form1.vb it got 2 hits again.
     
  8. Mr Jinje

    Mr Jinje MDL Expert

    It seems if you create a text, gif, tiff, jpg file which exceeds a certain buffer size and import via Server.CreateObject("ADODB.Stream") you gain administrator rights over IE6,7,8. AKA the buffer exploit.
     
  9. nononsence

    nononsence MDL Addicted

    So it's a server-side thing, that explains why when I name it to form1.txt
    it passes.
     
  10. Phazor

    Phazor MDL Expert

    #10 Phazor, Sep 4, 2009
    Last edited by a moderator: Apr 20, 2017
    I did some checking; for the ADODB-Alarm to be triggered these codebits have to be present in the script:

    Code:
    Dim CreateObject("ADODB.Stream")
    
    file.exe
    
    .Open
    
    .SaveToFile

    If any of these lines/parameters are removed then the alarm is not being triggered anymore...
     
  11. nononsence

    nononsence MDL Addicted

    #11 nononsence, Sep 4, 2009
    Last edited by a moderator: Apr 20, 2017
    (OP)
    I changed the first one, as Mr Jinje suggested, and it passed VT.
    Changing the rest would break things, I'll see if Visual Studio will
    let me change the extension to .txt

    It looks like removing the three instances of .exe allows it to pass VT.
    I don't think anything broke, thanks.
     
  12. Phazor

    Phazor MDL Expert

    #12 Phazor, Sep 4, 2009
    Last edited by a moderator: Apr 20, 2017
    Unfortunately this doesn't work either because it still contains:

    Code:
    Dim "ADODB.Stream"
    
    CreateObject
    
    file.exe
    
    .Open
    
    .SaveToFile

    As long as these codebits are present, no matter if mixed with other code or not, the alarm will be triggered. Only removing at least one of these parameters will stop the alarm from going off.

    Annoying, I know, but I think the only way to fix this for good is to convert to a different method altogether...
     
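Added example, not part of the thread and not any vendor's code: a small triage helper that applies the all-indicators-present rule Phazor describes in posts #10 and #12 and reports the line each indicator was found on, so an analyst can see why a heuristic hit fired. It assumes plain case-insensitive substring matching; both VB snippets are constructed samples.

```python
# Indicators Phazor lists in posts #10 and #12. Matching them as plain
# case-insensitive substrings is an assumption about the vendor's signature.
INDICATORS = ("createobject", "adodb.stream", ".exe", ".open", ".savetofile")


def indicator_lines(source):
    """Map each indicator to the 1-based line numbers where it occurs."""
    found = {tok: [] for tok in INDICATORS}
    for lineno, line in enumerate(source.splitlines(), start=1):
        lowered = line.lower()
        for tok in INDICATORS:
            if tok in lowered:
                found[tok].append(lineno)
    return found


def triage(source):
    """Return (flagged, missing); flagged only when every indicator is present."""
    found = indicator_lines(source)
    missing = [tok for tok in INDICATORS if not found[tok]]
    return (not missing, missing)


# Constructed sample: binary write of an .exe through ADODB.Stream, with the
# ProgID held in a string variable as in post #6.
SAMPLE_WRITE_EXE = '''Dim strADO = "ADODB.Stream"
Dim objOStream = CreateObject(strADO)
objOStream.Type = 1
objOStream.Open
objOStream.Write(data)
objOStream.SaveToFile("file.exe", 2)
'''

# Constructed sample: ordinary text read, shares only two of the indicators.
SAMPLE_READ_TEXT = '''Dim fso = CreateObject("Scripting.FileSystemObject")
Dim ts = fso.OpenTextFile("notes.txt")
'''

if __name__ == "__main__":
    for name, src in (("write_exe", SAMPLE_WRITE_EXE), ("read_text", SAMPLE_READ_TEXT)):
        flagged, missing = triage(src)
        print(name, "flagged" if flagged else "clean", "missing:", missing)
        print("  ", indicator_lines(src))
```

The per-line report is what makes the verdict reviewable: the flagged sample is the write-an-executable-to-disk pattern, while the text-reading sample matches only `CreateObject` and `.Open`.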
  13. Phazor

    Phazor MDL Expert

    Ah, I didn't see your edit.

    Well in that case ignore my last reply. Good to hear you already figured out a way...:)
     
  14. Mr Jinje

    Mr Jinje MDL Expert

    Cool, if you have a fix, otherwise, ADODB.Stream is not the only method for reading a text file into a blob. Maybe try the FSO OpenAsTextStream method instead.
     
  15. Alphawaves

    Alphawaves Super Moderator/Developer
    Staff Member

    Very good, but the product key remains the same when changed, it displays the same key in textbox1 :confused:
     
  16. nononsence

    nononsence MDL Addicted

    This is the code to make GRLDR and it has to concatenate the files in binary,
    it's kinda ugly to do with VB. When I finally got it to work I was stunned and
    won't mess with it anymore.
     
  17. nononsence

    nononsence MDL Addicted

    I'm still debating whether to make the key and the cert, slic match up
    automatically, it doesn't seem to matter which key you install.
     
  18. Alphawaves

    Alphawaves Super Moderator/Developer
    Staff Member

    #18 Alphawaves, Sep 4, 2009
    Last edited: Sep 4, 2009
    Ok, that's cool, but when a key is installed from this it would be good to see the change in textbox1 ;)
    Also, have you thought about using grldr for Mac PCs?
    Excellent work tho bro ;) :)
    Alfa ;)
     
  19. nononsence

    nononsence MDL Addicted

    #19 nononsence, Sep 4, 2009
    Last edited: Sep 4, 2009
    (OP)
    I don't intend on developing this very far, and I don't want to compete with
    Daz, my intention is to help people move past the batch script with a working
    code example. VB is just about as easy as batch programming, if someone
    were interested they could look at the code and start customizing: add logo
    install, spam their user name all over it, whatever.

    I don't understand the key thing, the textbox shows which key will be installed.
    Do you want it to show the same key after it is installed? If slmgr returns
    without error the key is installed.
     
  20. k2wl

    k2wl MDL Novice

    thanks !!!! this works gr8!!!!