[+] Build non-injecting server.
[+] Choose to copy to ADS.
[+] HKLM/run startup.
An option to view miniature screenshots in the connection view has also been added (the thumbnail size is configurable).
You can now administer a computer's installed devices. As seen in the screenshot it is possible to Enable, Disable and Safe Remove a device.
Expand/Collapse tree has also been added to File Manager and Registry Manager.
[+] See ADS in file manager.
[*] ActiveX startup now works on restricted accounts too (it must first be installed from an admin account).
[*] Test Connection with Key File now works.
[*] Clear Stats no longer resets the active connections count.
[*] The client should now be able to handle more active connections (note: this is unrelated to the connection limit).
[*] Load/Save bug fixed in DNS/Port editor.
[*] Generate Key File had a bug causing it to generate weak passwords.
It is now possible to generate the server in the form of shellcode.
The settings are now stored at the end of the shellcode/file (note: NOT as 'end-of-file data'!), which means you can assign long (up to 255 characters) IDs and group names. The server size now depends on which settings you use.
The server can now hijack Internet Explorer's proxy settings and connect back through a SOCKS4 or HTTP proxy if it finds one.
It is also possible to make the server try to find/connect through a proxy only once before it continues as normal.
As mentioned in the site news, I've implemented a way for you to add features: plugins.
Each plugin has two parts, a client DLL and a server DLL. The client DLL holds the window (if needed) for user interaction.
The DLL that gets sent to the server will:
- be stored in an ADS
- be automatically updated if the local plugin version is greater than the remote one
- be loaded in memory (not via LoadLibrary), which means:
  - it is stored on disk encrypted with the server password, which is intended to keep the on-disk copy from being detected by signature scanning (it is not a guarantee against memory-based detection)
  - storing it on disk is optional (for more stealth)
One plugin is already done (more or less): Remote Port Scanner (screenshot). It will be released as open source with the SDK.
Remote Port Scanner enables you to scan hosts for open ports from a connection in Poison Ivy. The scan is threaded and the number of threads is configurable.
All connections are now logged with time stamp, IP and action.
To make it easier to find certain files I have added a way to highlight files in the file manager. You can now also execute files with parameters.
Some other small bugs/fixes that have been taken care of are:
- An access violation that could occur while transferring data has been fixed.
- Autosave in audio capture now appends the "Received time" to the file name.
- Changed Uptime to Days, hours, mins, seconds (also in transfer ETA).
You can now organize your connections in groups. Viewing groups is optional and they are easily managed by dragging and dropping connections.
You can now also assign IDs that are longer than 7 characters (the max length is now 255 characters, same for group names).
The strength of the password was previously limited to what could be typed on a keyboard. Not anymore: you can now generate a completely random password.
The main idea behind the new interface is to be able to listen on more than one port at once.
This led to a lot of new gadgets and tweaks. You will now be able to choose where everything is saved, etc.
You can now also choose order/visibility on columns on some ListViews (these are also saved, but it's optional).
- Choose where to save Cache, Screen/Webcam images, Audio, Notes and Downloads with the help of environment variables.
- Save and Load profiles with your favourite settings.
- HTTP proxy (you can mix HTTP and SOCKS4 proxies).
- Execute Third-party applications after build.
I have also added a new feature to the Process Manager: Show and Unload Modules (screenshot).
Even though I haven't updated the dev.log since version 2.2.0 I have been busy :)
Here are the additions/changes since the last entry:
- The server file (and keylog file) now hides in the install folder's ADS (on FAT32 it installs as normal).
- Fixed an uninstall bug on restricted accounts when Autostart is used.
- Optimized the server code (size ~9 KB).
- Uninstalling when injected into a custom process that doesn't exist (which results in the default browser being used instead) now terminates that process.
- When a connection dies, the client waits for all threads to clean up before removing the connection.
- Fixed the download folder for drives (there was a problem with the drive name, e.g. D:\).
- "Test Connection" now runs in its own thread and you can cancel it by pressing OK or Cancel.
- "Test Connection" now also tests whether the password is correct (not with SOCKS4 DNS).
- Fixed a startup bug that occurred when explorer.exe was restarted.
But these updates are the small ones... More info and screenshots of the big ones later.
The new features are: a Position button in the DNS/Port editor, and Replace, Rename and Resume for file transfers.
You can now resume unfinished downloads/uploads without any fuss.
I have also changed/added this:
- "Last seen" in the ping column if you select to preserve dead connections.
- Reset Stats.
- "Connection attempts" added to client stats.
- Fixed "Goto site" in cache passwords.
- Keylog file is now always deleted when you uninstall.
- Fixed Vista compatibility.
- Added so that the client remembers column sizes in the main window.
- New "fast button": Monitor CPU/memory status.
- "Workgroup" added in Information.
- Copy WAN IP in the connection list.
- "Hide password" checkbox next to passwords.
- Made Secure Delete much better (it now overwrites with random data!).
- The server now removes all ActiveX startup entries that have the same file path as itself (this should solve all startup problems).
- Fixed the known bug that occurred when you showed the 'data transfers' view for the first time while transferring something.
- Changed so that it only requires one click on the trayicon to show/hide the main window.
- Fixed the "JPEG bug #53" when viewing thumbnails.
- When the client reaches the connection limit it will no longer prune all connections when it pings.
The encryption and handshake method has been completely changed. The new encryption is Camellia with a 256-bit key (read more about it here). The handshake is also much more secure than before.
Due to these changes older servers won't be compatible with the new client.
I have also corrected some of the bugs reported to me, they are:
- A small bug that occurred when you captured screencaps/webcam pics and changed the autosave name (the saved files didn't have an extension).
- A SOCKS5 crash bug that occurred when you used "Resolve names remotely" in the connecting client.
- A bug that occurred when you chose "No" on "uninstall applications".
The relay code has been looked over and improved. It can now handle multiple servers of the same type (see screenshot).
Also, when a server that has been injected into a custom process gets restarted, it will kill its relay servers (making the ports available again!).
I have also fixed a couple of bugs:
- A rare crash bug when refreshing wireless passwords (only occurred for some users).
- Some minor things in the Audio capture.
Been working on this for the last couple of weeks now and it's soon done (layout and names may change).
Here are the capabilities so far:
- Choose device and up to twelve different formats/combinations.
- Choose buffer size.
- Autoplay received data.
- Automatically save and remove data.
- Set microphone volume (the volume meter in the client changes if/when the user changes the volume locally).
- Detect sound levels: the server only sends back data that contains "noise".
- Save/Play/Delete selected/all.
- Made the webcam code better (nothing noticeable, I think).
- Double-clicking on keys in the regedit search doesn't crash the server anymore.
- Uninstall removes restricted autostart entries.
I've finally fixed it so that the server installs without problems on restricted accounts. It will copy the file to "Application Data" if 'Copy To' is used, and write to "HKEY_CURRENT_USER" if 'Startup' is used.
I have also fixed it so that the server process doesn't get killed if it's uninstalled while injected into a custom process.
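The locations this log keeps returning to (the install folder's alternate data streams, the HKLM/HKCU Run keys, the ActiveX startup entries, and "Application Data" on restricted accounts) are exactly what a responder should sweep on a suspect host. The following PowerShell triage script is an added example, written for this page and not code from the Poison Ivy project or its author. It assumes that the log's "ActiveX" startup entries are Active Setup "Installed Components" StubPath values (a common reading of that feature, not confirmed by the page), and the folder list in `$Paths` is a constructed default that you should adapt to the host.

```powershell
# Added example (not from the original dev log): sweep the persistence and hiding
# locations described in the log. Run from an elevated PowerShell prompt.
# Assumption: "ActiveX startup" == Active Setup\Installed Components StubPath entries.
param(
    # Constructed default folder list; adjust to the environment being triaged.
    [string[]]$Paths = @("$env:SystemRoot\system32", "$env:APPDATA", "$env:ProgramFiles")
)

# 1. Alternate data streams. On NTFS the log says the server and keylog hide in the
#    install folder's ADS, so list every stream other than the default :$DATA stream
#    (Zone.Identifier is the usual benign mark-of-the-web stream and is filtered out).
function Get-SuspiciousStreams {
    param([string[]]$Folders)
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                    Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                    Select-Object FileName, Stream, Length
            }
    }
}

# 2. Run keys in both hives: the log uses HKLM\Run normally and HKCU on restricted accounts.
function Get-RunEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path -Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

# 3. Active Setup StubPath entries (assumed to be what the log calls ActiveX startup).
#    Each component key runs its StubPath once per user at logon.
function Get-ActiveSetupEntries {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components',
        'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $stub = (Get-ItemProperty -Path $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
            if ($stub) { [pscustomobject]@{ Key = $_.PSChildName; Command = [string]$stub } }
        }
    }
}

# 4. Heuristic: a launch command whose file path itself names a stream
#    (C:\dir\file.exe:stream) is how an ADS-resident binary gets started.
function Test-AdsReference {
    param([string]$Command)
    $clean = $Command -replace '"', ''
    return [bool]($clean -match '^[A-Za-z]:\\[^:]+:\S')
}

$streams  = @(Get-SuspiciousStreams -Folders $Paths)
$run      = @(Get-RunEntries)
$active   = @(Get-ActiveSetupEntries)
$adsStart = @($run + $active | Where-Object { Test-AdsReference $_.Command })

"== Non-default streams under sweep paths =="; $streams | Format-Table -AutoSize
"== Run key entries ==";                        $run     | Format-Table -AutoSize
"== Active Setup StubPath entries ==";           $active  | Format-Table -AutoSize
"== Startup entries that launch from an ADS (high priority) =="
$adsStart | Format-Table -AutoSize
```

The stream listing is the slow part on large trees, so narrow `$Paths` to the install folder candidates first; the Run key and Active Setup checks are cheap and can run on every host. A non-default stream is not proof of compromise by itself (legitimate software uses ADS too), which is why the script separately flags startup commands that reference a stream path: that combination matches the hiding technique the log describes.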
With some help from ksv I think I have managed to fix some problems caused by the key logger.
It is now possible to type accented characters entered via dead keys (`), such as é, ú, í etc.
I still don't really know how it handles special keys like "Volume up/down/mute" etc. I'll edit this page when I know :)
Now you will be able to choose which process to inject into. The server will try to locate and inject into the specified process four times, with a seven-second sleep interval, before it creates a default browser process to inject into. You can also use this feature when you share a server.
Added an option that lets you preserve dead connections (it auto-removes them by default).
These dead connections are marked with a blue text color in the connections list, to remove them right click and choose "Remove".
Just completed the NT/NTLM hash dumper! It retrieves the password hashes from all accounts without dropping anything to the hard drive.
Cached passwords will no longer show "One or more APIs couldn't be mapped!" when executed on Windows 2000; instead it will try to retrieve as many passwords as possible.
I stumbled upon a known (but unknown to me) way to enumerate the saved WEP keys while googling some days ago.
I translated the code (and added some parts I found on MSDN) and voila! Credits to Laszlo Toth, Eric Heitzman and Neelay Shaw.
I have also started coding an NT/NTLM hash dumper (also translated from C).
Fixed it so that the 'Keyboard' feature sends all sorts of keys, for example: Ctrl, Alt, Home, End, F1-F12, Tab, Esc, etc. (the list can be made long :)).
Also fixed a bug that caused old (dead) connections to stay marked as active when servers disconnected.
Added a new feature called 'Installed Applications'. It gives you a list of installed applications and the ability to uninstall them ('quiet' if possible).
I have also fixed a bug with the Edit ID-feature (clearing the key log made it use the original ID).
- Made the thumbnail view better and faster.
- The file manager and regedit cache rebuild their content automatically (screenshot).
- Browse for folders (keys in regedit) in the search (screenshot).
- Check for new updates online.