HackerZer0

System Shift

17 posts in this topic

#1 ·  Posted (edited)

System Shift v1.0 by BLuFeNiX (formerly known as HackerZer0)

Transforms ANY admin account into SYSTEM, reverts back to normal from reboot or revert script.

ONLY FOR WINDOWS XP

The first time you run the script, it will take ~1-2 minutes to set up user environment, after that, it is instantaneous.

YOU MUST HAVE TASKKILL IN SYSTEM32 DIRECTORY

#RequireAdmin

Dim $objWMIsrvc, $objItem, $objSrvc
Dim $SrvcList, $strSrvc

$objSrvcs = ObjGet("winmgmts:root\cimv2")

$objSrvc = $objSrvcs.Get ("Win32_Service")

$objParams = $objSrvc.Methods_ ("Create") .inParameters.SpawnInstance_ ()

$objParams.Properties_.item ("Name") = "SYSTEMSHIFT"
$objParams.Properties_.item ("DisplayName") = "SYSTEMSHIFT"
$objParams.Properties_.item ("PathName") = "C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\explorer.exe"
$objParams.Properties_.item ("ServiceType") = 16
$objParams.Properties_.item ("ErrorControl") = 0
$objParams.Properties_.item ("StartMode") = "Manual"
$objParams.Properties_.item ("DesktopInteract") = True

$objOutParams = $objSrvc.ExecMethod_ ("Create", $objParams)
ConsoleWrite($objOutParams)



RunWait(@ComSpec & " /c taskkill /F /IM explorer.exe", '', @SW_HIDE)


$strSrvc = "SYSTEMSHIFT"

$objWMIsrvc = ObjGet("winmgmts:root\cimv2")

$SrvcList = $objWMIsrvc.ExecQuery ("Select * from Win32_Service Where Name = '" & $strSrvc & "'")

For $objSrvc in $SrvcList
    $objSrvc.StartService()
    Sleep(100)
    $objSrvc.StopService()
    $objSrvc.Delete()
Next

Revert

While 1
If ProcessExists("explorer.exe") Then
    ProcessClose("explorer.exe")
Else
    Exit
EndIf
Wend
Edited by HackerZer0


not really, it's easier to edit system files without registry tweaks. you have full access to the system volume information folder in the root of the C: drive...

there's a few other things i found cool about, but i can't remember what they are.. test it out though... if you find something interesting then let us know!


Been looking for something like this. Thank you



That is an AMAZING script!!! If it wasn't free... I'd buy it! lol j/k (well, cause i did make it)


can anybody give an example of how i can use this? :S



Impressive!!



Thanks for this work ...!



this is a life saver, here is an amazing example. ok so say you are infected with a virus, but you do not have permission to end the process, or access/delete the file. this program saved one of my client's computers. it actually made explorer.exe run, then gave me full access to stop all the virus processes by running spyware/virus removing programs under SYSTEM and task manager under SYSTEM as well as allowing me to access and delete files and folders manually that were created by the virus. this is simply amazing, and a total life and time saver.



#13 ·  Posted (edited)

Code to automate this. :(

#RequireAdmin

SplashTextOn("","Please Wait...Loading...",@DesktopWidth * .225,@DesktopHeight * .1,-1,-1,33,"Lucida Console",@DesktopHeight * .0125,600)
Do
    sleep(500)
    $varHour = @HOUR
    $varMin = @MIN
    $varSec = @SEC
Until $varSec <= 54 and $varMin <= 58

$varTime = TimerInit()
$strCmd = @ComSpec & " /C AT " & $varHour & ":" & $varMin + 1 & " /INTERACTIVE CMD.EXE"
RunWait($strCmd,"",@SW_HIDE)
_SetTime($varHour,$varMin,57)
Do
    Sleep(250)
    If TimerDiff($varTime) > 5000 Then 
        SplashTextOn("","Whoops! Failed to run. Hmmm?",@DesktopWidth * .225,@DesktopHeight * .1,-1,-1,33,"Lucida Console",@DesktopHeight * .0125,600)
        sleep(2500)
        SetError(1)
        Exit
    EndIf
Until WinExists("C:\WINDOWS\System32\svchost.exe")

$varTime = $varSec + Round(TimerDiff($varTime) / 1000)
If $varTime >= 60 Then
    $varMin += 1
    $varTime -= 60 ; $varTime holds the seconds to restore; _SetTime rejects values above 59
EndIf
Exit

Func OnAutoItExit()
    _SetTime($varHour,$varMin,$varTime)
    SplashOff()
    Run(@Comspec & " /c del " & @WindowsDir & "\Tasks\At*","",@SW_HIDE)
EndFunc

Func _SetTime($iHour, $iMinute, $iSecond = 0)

    Local $iRetval, $SYSTEMTIME, $lpSystemTime

    If $iHour < 0 Or $iHour > 23 Then Return 1
    If $iMinute < 0 Or $iMinute > 59 Then Return 1
    If $iSecond < 0 Or $iSecond > 59 Then Return 1
    $SYSTEMTIME = DllStructCreate("ushort;ushort;ushort;ushort;ushort;ushort;ushort;ushort")
    $lpSystemTime = DllStructGetPtr($SYSTEMTIME)
    $iRetval = DllCall("kernel32.dll", "long", "GetLocalTime", "ptr", $lpSystemTime)
    DllStructSetData($SYSTEMTIME, 5, $iHour)
    DllStructSetData($SYSTEMTIME, 6, $iMinute)
    If $iSecond > 0 Then DllStructSetData($SYSTEMTIME, 7, $iSecond)
    $iRetval = DllCall("kernel32.dll", "long", "SetLocalTime", "ptr", $lpSystemTime)
    $iRetval = DllCall("kernel32.dll", "long", "SetLocalTime", "ptr", $lpSystemTime)
    If @error = 0 Then
        If $iRetval[0] = 0 Then
            Local $lastError = DllCall("kernel32.dll", "int", "GetLastError")
            SetExtended($lastError[0])
            SetError(1)
            Return 0
        Else
            Return 1
        EndIf
    Else
        SetError(1)
        Return 0
    EndIf
    
EndFunc

*edit: Whoops! Bug in code not setting time if errors out. Moved to Exit func.

Edited by spudw2k


man, i can think of about 20 billion uses for this. great idea!


Man this little ditty is brilliant! Thank you very much.


Nice One!



#17 ·  Posted (edited)

*Bows* Brilliant work!

Not Hijacking related sort of!

Users that use the xp logon screen can also login as System from here with this simple Reghack, which uses the screensaver ability of winlogon. Quick n dirty code but it's saved my ass once or twice. pressing CTRL+ALT+DEL will kick you back to logon.

Wouldn't recommend using explorer as your hook program, Better to use an alternate shell like litestep or blackbox or just a program that stays resident and can execute other programs.

#RequireAdmin
       DIM $s_Program,$i_Timer
       IF $CmdLine[0] = 2 THEN
           $s_Program = $CmdLine[1]  ; "FullPath" or Program name in %PATH% | %SystemRoot% etc
           $i_Timer = $CmdLine[2]        ; Time in seconds to wait before syslogon
           _SlogRegHak($s_Program,$i_Timer)
       ELSE
           MsgBox(64,"Slog :: Example","SLOG.au3 explorer.exe 60")
       ENDIF
       EXIT
      ;
       FUNC _SlogRegHak($s_P,$i_T)
           RegWrite("HKEY_USERS\.DEFAULT\Control Panel\Desktop","SCRNSAVE.EXE","REG_SZ",$s_P)
           RegWrite("HKEY_USERS\.DEFAULT\Control Panel\Desktop","ScreenSaveActive","REG_SZ","1")
           RegWrite("HKEY_USERS\.DEFAULT\Control Panel\Desktop","ScreenSaverTimeOut","REG_SZ",$i_T)
       ENDFUNC
Edited by MOBIUS
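
The three approaches posted in this thread (an interactive service that starts a shell, an interactive AT job, and a program set as the screensaver under HKEY_USERS\.DEFAULT) each leave a configuration artifact that an audit can look for. The following is an added example, not code from any poster in the thread: the dictionary keys follow the WMI property names of Win32_Service and Win32_ScheduledJob, while the snapshot layout, the sample records and the "not a .scr file" heuristic are assumptions made for illustration.

```python
import re

# Shell-like programs this thread starts from a SYSTEM-context launcher.
SHELL_RE = re.compile(r'(?i)(?<![\w.])(cmd|explorer)(\.exe)?(?![\w.])')
LOGON_DESKTOP_KEY = r'hkey_users\.default\control panel\desktop'

def audit_service(svc):
    """svc uses Win32_Service property names: Name, PathName, DesktopInteract."""
    if svc.get('DesktopInteract') and SHELL_RE.search(svc.get('PathName', '')):
        return ['service %s: interactive service starts a shell: %s'
                % (svc.get('Name'), svc['PathName'])]
    return []

def audit_job(job):
    """job uses Win32_ScheduledJob names: JobId, Command, InteractWithDesktop."""
    if job.get('InteractWithDesktop') and SHELL_RE.search(job.get('Command', '')):
        return ['AT job %s: interactive job starts a shell: %s'
                % (job.get('JobId'), job['Command'])]
    return []

def audit_screensaver(key, values):
    """values maps registry value names to data; flags a non-.scr logon screensaver."""
    exe = values.get('SCRNSAVE.EXE', '')
    if (key.lower() == LOGON_DESKTOP_KEY and values.get('ScreenSaveActive') == '1'
            and exe and not exe.lower().endswith('.scr')):
        return ['logon-desktop screensaver is not a .scr file: %s' % exe]
    return []

def audit(snapshot):
    findings = []
    for svc in snapshot.get('services', []):
        findings += audit_service(svc)
    for job in snapshot.get('jobs', []):
        findings += audit_job(job)
    for key, values in snapshot.get('registry', {}).items():
        findings += audit_screensaver(key, values)
    return findings

# Constructed snapshot: entries mirror the thread's scripts, plus one benign service.
SAMPLE = {
    'services': [
        {'Name': 'SYSTEMSHIFT', 'DesktopInteract': True,
         'PathName': r'C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\explorer.exe'},
        {'Name': 'Spooler', 'DesktopInteract': True, 'PathName': r'C:\WINDOWS\system32\spoolsv.exe'}],
    'jobs': [{'JobId': 1, 'InteractWithDesktop': True, 'Command': 'CMD.EXE'}],
    'registry': {r'HKEY_USERS\.DEFAULT\Control Panel\Desktop': {
        'SCRNSAVE.EXE': 'explorer.exe', 'ScreenSaveActive': '1',
        'ScreenSaverTimeOut': '60'}},
}
```

Calling `audit(SAMPLE)` returns one finding per technique and ignores the benign Spooler entry; the first script deletes its service right after starting it, so a point-in-time snapshot will only catch that case if taken while the service still exists.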
