Armand Posted December 28, 2007 (edited)

Some program is detecting my packet sniffer and exits while I'm trying to figure out if it's malicious software or not. At first I thought it was detecting my packet sniffer because it's so common [Wireshark], but then I tried a less common one [PacketMon] and it was also detected, so I tried to change its title using AU3 and changed the process name by renaming the executable. That all failed. Any other go?

PS. Can this:
http://www.supershareware.com/download/pac...l-edition-.html
or this:
http://www.supershareware.com/info/packet-...x-edition-.html
help me make a packet sniffer in AU3? Please help me find a solution.

Edited December 28, 2007 by Armand

[u]My Au3 Scripts:[/u]
____________
(E)Lephant, A Share download manager (RS/MU etc)
Http1.1 Console, The Ez Way!
Internet Reconnection Automation Suite & A Macro Recording Tool.
SK's Alarm Clock, Playing '.MP3 & .Wav' Files.
_________________
Is GOD a mistake of the Humanity Or the Humanity is a mistake of GOD ?!
dbeasy Posted December 28, 2007

Not sure if AutoIt can help you there. It might help you continuously run "netstat -ano" and cross-check the new processes that show up and what ports and IP addresses they are connecting to. Are both packet capture programs relying on WinPcap? Is that what's being detected? There's a site called AnalogX that has a network monitor that might not be detected. Sometimes I disconnect the Internet and start up a packet monitor on another PC and put it on the same wire (use a hub, not a switch). If you're on wifi then you'll see all the traffic. I've never seen a program that doesn't like packet monitors; sounds like a suspicious program. I have heard that iTunes doesn't like to be run under a debugger, but a packet monitor, huh.

You should also run antivirus in its strongest protection mode; make it confirm every program name change, file delete, create, etc. Sure it'll be annoying, but once you feel the program is safe you can move it to your working PC or turn down the antivirus warnings a bit. You could also run it in a sandbox. Get some of the VMware images online to run Windows inside of a virtual machine; it might take a while to reinstall a new copy of XP inside the VM. Or try one of the Virtual PC programs from Microsoft; they somewhat virtualize Windows in a different way.
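One way to script the "run netstat -ano repeatedly and cross-check the new processes" idea from the reply above, as an added example that is not from this thread (written in Python rather than AutoIt). The two netstat snapshots are constructed, not captured from a real host, so the example runs offline; the live capture helper is only used when you run it on a Windows box, and matching PIDs to image names (tasklist) is left to the reader.

```python
import subprocess
from typing import Dict, Set, Tuple

# Constructed sample of "netstat -ano" output (not from a real host).
# Columns: Proto, Local Address, Foreign Address, State (TCP only), PID.
SNAPSHOT_1 = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.10:49152     203.0.113.5:443        ESTABLISHED     2344
  UDP    0.0.0.0:5353           *:*                                    1100
"""

# Second constructed snapshot: one new outbound TCP connection from PID 3912.
SNAPSHOT_2 = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.10:49152     203.0.113.5:443        ESTABLISHED     2344
  TCP    192.168.1.10:49200     198.51.100.7:8080      SYN_SENT        3912
  UDP    0.0.0.0:5353           *:*                                    1100
"""

Connection = Tuple[str, str, str, int]  # (proto, local, foreign, pid)


def parse_netstat(text: str) -> Set[Connection]:
    """Parse netstat -ano output into a set of (proto, local, foreign, pid)."""
    conns: Set[Connection] = set()
    for line in text.splitlines():
        parts = line.split()
        # Header and blank lines are skipped; TCP rows have a State column
        # and UDP rows do not, so the PID is always read from the last field.
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        try:
            pid = int(parts[-1])
        except ValueError:
            continue
        conns.add((parts[0], parts[1], parts[2], pid))
    return conns


def new_connections(before: Set[Connection], after: Set[Connection]) -> Set[Connection]:
    """Connections present in the later snapshot but not the earlier one."""
    return after - before


def by_pid(new: Set[Connection]) -> Dict[int, Set[str]]:
    """Group new foreign endpoints per PID, ready to cross-check against tasklist."""
    grouped: Dict[int, Set[str]] = {}
    for proto, _local, foreign, pid in new:
        grouped.setdefault(pid, set()).add(f"{proto} {foreign}")
    return grouped


def capture_netstat() -> str:
    """Live snapshot on a Windows host (not used by the offline demo)."""
    return subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    diff = new_connections(parse_netstat(SNAPSHOT_1), parse_netstat(SNAPSHOT_2))
    for pid, endpoints in sorted(by_pid(diff).items()):
        print(f"PID {pid} opened: {', '.join(sorted(endpoints))}")
```

On a real host, replace the two constants with successive calls to capture_netstat() in a loop with a short sleep, and look up each reported PID in "tasklist" to see which image made the connection.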
Armand Posted December 28, 2007 (Author)

@dbeasy Well, the point is that I want to know what it is that they are hiding in there. I mean, why would they block packet sniffers?! What info are they trying to steal from me?! Is there no packet sniffer that is 100% undetectable?!
Armand Posted December 29, 2007 (Author)

No one has any suggestion?!
PsaltyDS Posted January 2, 2008

A packet sniffer is a low-level process that gets close to the "iron" (hardware/driver level stuff). AutoIt is probably not the right language for even attempting to create one. Study up on C++, with emphasis on writing network drivers, and you'll be on the right track. AutoIt would only help you implement the use of some other packet sniffer that already had this low-level stuff worked out.

As for hiding it, to the extent that can be done, I hope white-hat hackers everywhere are working feverishly to defeat that and un-hide it!

Your problem is something "hidden", at least you don't know what process it is, killing your sniffers. The solution is to un-hide that process, not to hide yours.

Have you performed all the standard AV/malware/rootkit detection/removal stuff? Is your computer a managed workstation that might be detecting your sniffer as malicious and removing it? Does it happen on other workstations in the same management context?

Valuater's AutoIt 1-2-3, Class... Is now in Session!
For those who want somebody to write the script for them: RentACoder
"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law