Posted (edited)

System Shift v1.0 by BLuFeNiX (formerly known as HackerZer0)

Transforms ANY admin account into SYSTEM, reverts back to normal from reboot or revert script.

ONLY FOR WINDOWS XP

The first time you run the script, it will take ~1-2 minutes to set up user environment, after that, it is instantaneous.

YOU MUST HAVE TASKKILL IN SYSTEM32 DIRECTORY

#RequireAdmin

Dim $objWMIsrvc, $objItem, $objSrvc
Dim $SrvcList, $strSrvc

$objSrvcs = ObjGet("winmgmts:root\cimv2")

$objSrvc = $objSrvcs.Get ("Win32_Service")

$objParams = $objSrvc.Methods_ ("Create") .inParameters.SpawnInstance_ ()

$objParams.Properties_.item ("Name") = "SYSTEMSHIFT"
$objParams.Properties_.item ("DisplayName") = "SYSTEMSHIFT"
$objParams.Properties_.item ("PathName") = "C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\explorer.exe"
$objParams.Properties_.item ("ServiceType") = 16
$objParams.Properties_.item ("ErrorControl") = 0
$objParams.Properties_.item ("StartMode") = "Manual"
$objParams.Properties_.item ("DesktopInteract") = True

$objOutParams = $objSrvc.ExecMethod_ ("Create", $objParams)
ConsoleWrite($objOutParams)



RunWait(@ComSpec & " /c taskkill /F /IM explorer.exe", '', @SW_HIDE)


$strSrvc = "SYSTEMSHIFT"

$objWMIsrvc = ObjGet("winmgmts:root\cimv2")

$SrvcList = $objWMIsrvc.ExecQuery ("Select * from Win32_Service Where Name = '" & $strSrvc & "'")

For $objSrvc in $SrvcList
    $objSrvc.StartService()
    Sleep(100)
    $objSrvc.StopService()
    $objSrvc.Delete()
Next

Revert script:

While 1
If ProcessExists("explorer.exe") Then
    ProcessClose("explorer.exe")
Else
    Exit
EndIf
Wend
Edited by HackerZer0
Posted

Been looking for something like this. Thank you.

  • 2 weeks later...
Posted

This is a life saver, here is an amazing example. OK, so say you are infected with a virus, but you do not have permission to end the process, or access/delete the file. This program saved one of my clients' computers. It actually made explorer.exe run, then gave me full access to stop all the virus processes by running spyware/virus removing programs under SYSTEM and task manager under SYSTEM, as well as allowing me to access and delete files and folders manually that were created by the virus. This is simply amazing, and a total life and time saver.

 

  • 4 weeks later...
Posted (edited)

Code to automate this. :(

#RequireAdmin

SplashTextOn("","Please Wait...Loading...",@DesktopWidth * .225,@DesktopHeight * .1,-1,-1,33,"Lucida Console",@DesktopHeight * .0125,600)
Do
    sleep(500)
    $varHour = @HOUR
    $varMin = @MIN
    $varSec = @SEC
Until $varSec <= 54 and $varMin <= 58

$varTime = TimerInit()
$strCmd = @ComSpec & " /C AT " & $varHour & ":" & $varMin + 1 & " /INTERACTIVE CMD.EXE"
RunWait($strCmd,"",@SW_HIDE)
_SetTime($varHour,$varMin,57)
Do
    Sleep(250)
    If TimerDiff($varTime) > 5000 Then 
        SplashTextOn("","Whoops! Failed to run. Hmmm?",@DesktopWidth * .225,@DesktopHeight * .1,-1,-1,33,"Lucida Console",@DesktopHeight * .0125,600)
        sleep(2500)
        SetError(1)
        Exit
    EndIf
Until WinExists("C:\WINDOWS\System32\svchost.exe")

$varTime = $varSec + Round(TimerDiff($varTime) / 1000)
If $varTime >= 60 Then
    ; the seconds value to restore wrapped past the minute: carry into minutes
    $varMin += 1
    $varTime -= 60
EndIf
Exit

Func OnAutoItExit()
    _SetTime($varHour,$varMin,$varTime)
    SplashOff()
    Run(@Comspec & " /c del " & @WindowsDir & "\Tasks\At*","",@SW_HIDE)
EndFunc

Func _SetTime($iHour, $iMinute, $iSecond = 0)

    Local $iRetval, $SYSTEMTIME, $lpSystemTime

    If $iHour < 0 Or $iHour > 23 Then Return 1
    If $iMinute < 0 Or $iMinute > 59 Then Return 1
    If $iSecond < 0 Or $iSecond > 59 Then Return 1
    $SYSTEMTIME = DllStructCreate("ushort;ushort;ushort;ushort;ushort;ushort;ushort;ushort")
    $lpSystemTime = DllStructGetPtr($SYSTEMTIME)
    $iRetval = DllCall("kernel32.dll", "long", "GetLocalTime", "ptr", $lpSystemTime)
    DllStructSetData($SYSTEMTIME, 5, $iHour)
    DllStructSetData($SYSTEMTIME, 6, $iMinute)
    If $iSecond > 0 Then DllStructSetData($SYSTEMTIME, 7, $iSecond)
    $iRetval = DllCall("kernel32.dll", "long", "SetLocalTime", "ptr", $lpSystemTime)
    $iRetval = DllCall("kernel32.dll", "long", "SetLocalTime", "ptr", $lpSystemTime)
    If @error = 0 Then
        If $iRetval[0] = 0 Then
            Local $lastError = DllCall("kernel32.dll", "int", "GetLastError")
            SetExtended($lastError[0])
            SetError(1)
            Return 0
        Else
            Return 1
        EndIf
    Else
        SetError(1)
        Return 0
    EndIf
    
EndFunc

*edit: Whoops! Bug in code not setting time if errors out. Moved to Exit func.

Edited by spudw2k
Posted (edited)

*Bows* Brilliant work!

Not Hijacking related sort of!

Users that use the XP logon screen can also log in as System from here with this simple reghack, which uses the screensaver ability of winlogon. Quick n dirty code but it's saved my ass once or twice. Pressing CTRL+ALT+DEL will kick you back to logon.

Wouldn't recommend using explorer as your hook program. Better to use an alternate shell like litestep or blackbox or just a program that stays resident and can execute other programs.

#RequireAdmin
       DIM $s_Program,$i_Timer
       IF $CmdLine[0] = 2 THEN
           $s_Program = $CmdLine[1]  ; "FullPath" or Program name in %PATH% | %SystemRoot% etc
           $i_Timer = $CmdLine[2]        ; Time in seconds to wait before syslogon
           _SlogRegHak($s_Program,$i_Timer)
       ELSE
           MsgBox(64,"Slog :: Example","SLOG.au3 explorer.exe 60")
       ENDIF
       EXIT
      ;
       FUNC _SlogRegHak($s_P,$i_T)
           RegWrite("HKEY_USERS\.DEFAULT\Control Panel\Desktop","SCRNSAVE.EXE","REG_SZ",$s_P)
           RegWrite("HKEY_USERS\.DEFAULT\Control Panel\Desktop","ScreenSaveActive","REG_SZ","1")
           RegWrite("HKEY_USERS\.DEFAULT\Control Panel\Desktop","ScreenSaverTimeOut","REG_SZ",$i_T)
       ENDFUNC
Edited by MOBIUS
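
From the defender's side, the three techniques in this thread (a desktop-interactive service whose path is a shell, an AT job created with /INTERACTIVE, and a program written to SCRNSAVE.EXE under HKEY_USERS\.DEFAULT) each leave a recognizable trace. The Python check below is an added example, not code from any poster; the record format and field names are assumptions, and the sample records are constructed.

```python
import re

# Constructed, normalized telemetry records. The field names are assumptions of
# this example, not a real log schema; values mirror what the scripts above do.
SAMPLE_EVENTS = [
    {"kind": "service_create", "name": "SYSTEMSHIFT", "service_type": 16,
     "desktop_interact": True,
     "path": r"C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\explorer.exe"},
    {"kind": "service_create", "name": "Spooler", "service_type": 16,
     "desktop_interact": False, "path": r"C:\WINDOWS\system32\spoolsv.exe"},
    {"kind": "process_start", "cmdline": r"cmd.exe /C AT 14:31 /INTERACTIVE CMD.EXE"},
    {"kind": "process_start", "cmdline": r"at 02:00 /every:M backup.cmd"},
    {"kind": "registry_set",
     "key": r"HKEY_USERS\.DEFAULT\Control Panel\Desktop", "value": "SCRNSAVE.EXE",
     "data": "explorer.exe"},
    {"kind": "registry_set",
     "key": r"HKEY_USERS\.DEFAULT\Control Panel\Desktop", "value": "SCRNSAVE.EXE",
     "data": "logon.scr"},
]

SHELLS = re.compile(r"(^|\\)(cmd|explorer)\.exe\b", re.I)
AT_INTERACTIVE = re.compile(r"\bat(\.exe)?\s.*?/interactive\b", re.I)
LOGON_DESKTOP = r"hkey_users\.default\control panel\desktop"

def classify(ev):
    """Return a finding string for a suspicious record, or None."""
    kind = ev.get("kind")
    if kind == "service_create":
        image = ev.get("path", "").split(" ")[0]  # first token of the service path
        if ev.get("desktop_interact") and SHELLS.search(image):
            return "interactive service launching a shell: " + ev["name"]
    elif kind == "process_start":
        if AT_INTERACTIVE.search(ev.get("cmdline", "")):
            return "AT job scheduled with /INTERACTIVE"
    elif kind == "registry_set":
        if (ev.get("key", "").lower() == LOGON_DESKTOP
                and ev.get("value", "").upper() == "SCRNSAVE.EXE"
                and not ev.get("data", "").lower().endswith(".scr")):
            return "logon-screen screensaver set to non-.scr program: " + ev["data"]
    return None

def scan(events):
    return [f for f in map(classify, events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Splitting the service path on the first space misses images installed under directories with spaces, so a production rule should parse quoted paths as well.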
