
Poison Ivy 2.1.0 Documentation

coded by shapeless

I. Introduction

PI2.1.0 is a reverse-connection, firewall-bypassing (fwb+) remote administration tool, written in MASM (server) and Delphi (client). Because of its design, a server update is rarely needed, regardless of how many new features are added. PI2.1.0 does not use any plugins, DLLs or other files besides the server, and it drops no other files on the target system (except for the key logger's log file). The server is only 7 KiB unpacked, is independent of any runtimes, and runs on all NT-based Windows systems (NT, 2000, XP, 2003, Vista), 32-bit or 64-bit. It also features firewall bypassing techniques. The main features are:

- ARC4 encrypted communications
- transparent compression of transfers and communications
- managers: files (with search, also in file contents), registry (with search), services, processes, ports
- password manager (protected storage, Firefox, and MSN <= 7.5)
- key logger
- socks4 server
- socks5 server
- port redirect
- traffic sniffer
- remote screen shot
- remote web cam view
- remote cmd shell
- ability to share a server with 3 privilege levels

All types of users should read this document prior to using PI2.1.0.

II. Distribution of PI2.1.0

PI2.1.0 should be in a RAR file called PI2.1.0.rar, and this RAR should contain the following files:
- PI2.1.0.exe (692,224 bytes, MD5: F97F9DD7E60E0497AFBA2DCA02C3CE99)
- PI2.1.0.pdf
If what you have differs from the above, you probably have a backdoored distribution, and you should download the original version from http://chasenet.org or an official mirror. PI2.1.0 may be freely distributed, as long as you leave the package intact.

III. Usage

Important: PI2.1.0 should be used only on systems on which you have the legal right to install a remote administration tool. Also, to prevent botnet-related usage, the maximum number of connections that the client can accept is limited. Using PI2.1.0 is pretty straightforward for most remote administration tool users, but this document will try to explain most of the features, without being exhaustive. Note that some screenshots might look blurry; this is because they were resized to keep the page format reasonable. The client does not touch the registry in any way, nor does it modify any files on your system; all the settings are stored in an INI file inside the application folder. This means that you can use it without any problems from a flash drive, etc.

Building a server In order to build a server, you need to go to the Build tab. You should see this (the default settings):

The first thing you will want to do is add a DNS name, so the server knows where to connect. You are advised to add more than one. Click the add button, enter your DNS name, and change the port if you need to. If you want to add more DNS names, click below the first one, and so forth. It is very wise to press the Test Connections button after you have added your settings. This ensures that everything is ok and that you won't have connection problems.

Next you must assign an ID (this can be changed after an initial connection via the update server feature described later). You can have multiple servers with the same ID without problems. Choose a good password; the encryption will be based on that password.

You have the option of having the server connect to you through a socks4 server, for higher anonymity. Be warned that if your socks server goes down or is unavailable, the server won't be able to connect to you. Only use this if you have a reliable socks server.

The Startup checkbox ensures that your server will start every time with Windows. Press the Random button a couple of times to generate a fresh CLSID for the startup. If you checked this box, you need to enter a filename below (plus extension). The server will copy itself with this name. Right below you have the option to copy to the <system> or the <windows> folder. Your choice. If a file with that name already exists, it will be overwritten if possible; if not, the server won't be copied. Wanting to copy the server to <windows>\explorer.exe will obviously not work, so choose something reasonable, and preferably non-obvious. If you want the server to delete itself from the initial execution path, check the Melt checkbox. The Key logger checkbox enables the server key logger (you can change this via server update, described later). The Persistence checkbox will make the server harder to remove. Generally it's a good idea to check this.

Important: Only change the Advanced settings if you know what they mean and you know their implications!

Finally, you can choose to have an icon for your server (this will increase the file size), or leave it with no icon. Click the Icon box above the Build button, on the lower-right side, to choose an icon. Right-click on the box again to remove it. When you're done reviewing your settings, press the Build button to have a server generated.

The output server is not packed or encrypted in any way, but due to the nature of the servers, some packers/crypters might break it, so test first. UPX and FSG (2.05 and 2.0 at the time of this writing) work fine. Tamper with the server at your own risk, and only if you know what you are doing!

Connecting to server(s)

In order to connect to a server, you must set up the client first. Press the Settings tab in the lower part of the GUI. You should see this (default settings):

Notice that most of the controls have a blue "i" button; clicking on it reveals some info. The settings are pretty much self-explanatory. Obviously, in order to receive connections, you need to have the same port and password as the ones used when building the server. After you're done setting things up, press the Save button in the lower-right part of the GUI (it only becomes active if there are changes).
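The page states that all traffic is ARC4 (RC4) encrypted, that the key is derived from the password chosen at build time, and that the client must be configured with that same password. The example below is added here to show what that design implies; it is not Poison Ivy's code, and it assumes two things the page does not state: that the RC4 key is the raw password bytes, and that every connection restarts the keystream from byte zero. Under those assumptions the scheme has two practical weaknesses a defender can exploit from a packet capture alone: a wordlist of candidate passwords can be confirmed offline against any session whose first bytes are predictable, and two sessions under the same password share a keystream, so one session with known content decrypts the start of every other session without the password at all. All plaintexts, the sample password and the "HELLO:" header are constructed for the example.

```python
"""Added example (not Poison Ivy's own code): RC4 keyed directly on a shared
password, and the keystream-reuse problem that scheme has.

Assumptions the page does not state: the RC4 key is the raw password bytes and
every connection starts from byte 0 of the keystream.  All data is constructed.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(password: str, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric) with the password as the key."""
    return xor_bytes(data, rc4_keystream(password.encode(), len(data)))


def recover_from_keystream_reuse(ct_known: bytes, pt_known: bytes, ct_other: bytes) -> bytes:
    """Given one session whose plaintext is known and a second session under the
    same password, recover the second session's plaintext prefix.  No password
    is needed: both sessions were XORed with the same keystream bytes."""
    n = min(len(ct_known), len(pt_known), len(ct_other))
    keystream = xor_bytes(ct_known[:n], pt_known[:n])
    return xor_bytes(ct_other[:n], keystream)


def guess_password(ciphertext: bytes, known_prefix: bytes, wordlist):
    """Offline dictionary attack.  A guess is confirmed when decryption yields a
    plaintext prefix the analyst already expects (assumed here to be a fixed
    header; the "HELLO:" header is constructed for this example)."""
    for pw in wordlist:
        if rc4_crypt(pw, ciphertext[:len(known_prefix)]) == known_prefix:
            return pw
    return None


# Constructed demo data: two sessions from two hosts, same build password.
SESSION_A_PT = b"HELLO:id=lab-box-01;ver=2.1.0;os=XP"
SESSION_B_PT = b"HELLO:id=lab-box-02;ver=2.1.0;os=2003"
PASSWORD = "s3cret"          # sample shared password, not a real default
SESSION_A_CT = rc4_crypt(PASSWORD, SESSION_A_PT)
SESSION_B_CT = rc4_crypt(PASSWORD, SESSION_B_PT)

if __name__ == "__main__":
    recovered = recover_from_keystream_reuse(SESSION_A_CT, SESSION_A_PT, SESSION_B_CT)
    print("recovered from session B without the password:", recovered)
    print("password confirmed from wordlist:",
          guess_password(SESSION_A_CT, b"HELLO:", ["admin", "letmein", "s3cret"]))
```

The fix on the protocol side would be per-session key material (a nonce mixed into the key, or an authenticated key exchange), which is exactly what a static password-as-key design lacks; on the detection side, the same property means that once one server sample's password is recovered, every capture from that build decrypts.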

When a server connects, you will see it in the Connections tab:

When the remote computer is idle, the little blue icon by the ID will also contain a clock. If you click on Version 2.1.0, a message box will pop up, showing the compatibility list of servers with this client version. If a connection is marked in red, you should restart the server to take advantage of any new features (note that updating to a newer version only requires a server restart). Right-clicking on a connection reveals these options, which will be discussed next:

If you click Share, the following appears:

The meaning of most settings is the same as when building the server.

You also have the option to run the shared server in a new process, or in the same one. Generally it's a good idea to use a new process, in case the other party with whom you share the server breaks something. There are 3 privilege levels; clicking the blue "i" button shows you what they mean. Choose one depending on the person with whom you want to share the server.

If you click Update in the pop-up menu, you will be prompted to choose a server file. If you do, the old server will be uninstalled and the new one installed. This is useful for changing the ID, enabling/disabling the key logger, updating the DNS list, etc. Restart performs a restart of the remote server, and Uninstall deletes the server completely (key logger log files will also be deleted, along with any autostart registry entries and the server file itself).

Administering Servers

Double-click on a connection, and you will see this:

Notice that you can toggle the layout; use whichever one you feel more comfortable with. Throughout this documentation, I will use the default layout, but everything applies to the other one too. When auto-refresh is turned on, the feature that you click on will auto-refresh (files, processes, etc.). The basic idea is that you can click anywhere on the right-hand side of the features tree view and self-explanatory options will appear.


As you can see, there are various options. Not much to explain here. If you use Download Folder, make sure the folder you want to download is selected/highlighted by left-clicking and expanding it, then selecting the option. In the files window, you also have a few options:

Note that thumbnails are available only if the thumbs.db file is present on the remote computer. You can pause, resume and cancel any transfer by activating the transfers view and right-clicking on the desired transfer. The transfers view also shows some information about transfers, like compression ratio, speed, etc.

Searching for files:

You can also search for files that contain a certain string, by entering the string in the "A word in the file" textbox.

Registry Editor

The same principles apply to the registry editor, and it also allows searching. You can edit/create any type of value (string, binary, dword, multi-string and expandable string).

Process Manager

This is also very simple to use; the process highlighted in red is the process that hosts the server.

Service Manager

You might notice that the service manager provides more features than the standard Windows one. Right-click on a service for a list of options (you can start/stop/edit/install/uninstall a service).

Window Manager

Again, right-clicking reveals various options.

Relay

This allows you to turn the remote computer into a socks4 server, a socks5 server, or a port redirector. Just fill in the required information and click Start. You can watch some info on the connected clients. The relay servers support a large number of concurrent connections (depending on the remote computer's hardware configuration). If you started any relay servers, they will remain running even if you disconnect from the remote computer. To stop them you obviously need to press the Stop button :)

Active Ports

This is an improved netstat. You can also sniff traffic on a specified connection. As usual, right-clicking reveals options.

Packet Analyzer

With this, you can see the traffic going through the remote computer. You have a variety of options and filters. Just make sure you select the right interface (you will probably not want the loopback interface). Please be aware that because Microsoft restricted raw socket support in XP SP2, you will only see one-way traffic there. This feature should work fine on 2003 though (Vista was not officially out when this document was written).

Remote Shell

Useful for many things. Right-click for options. Commands are piped in/out of the command interpreter that runs on the host OS.

Password List

Same as above. This retrieves protected storage, Firefox and MSN <= 7.5 passwords.

Key Logger

Just one note here: if retrieving the log seems slow, try disabling the key logger colors in the Settings tab.

Screen Capture

This also allows the mouse and keyboard to be emulated on the host computer, and lets you set the picture size and depth in pixels. Use lower values if you're on a slow connection. The files are saved in the PI2 folder, inside <Images>. All options in here should be self-explanatory. After the first screen capture has been taken, the following capture data will contain only the changes from the previous capture, so the user will experience reasonably fast screen captures.
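The Relay feature described above turns the compromised host into a SOCKS4/SOCKS5 proxy that keeps serving after the operator disconnects, so from the defender's side the tell-tale artefact is a workstation accepting SOCKS handshakes from peers that should never be proxying through it. The following is an added example, not Poison Ivy's code and not its relay implementation: a parser for the SOCKS4 and SOCKS4a CONNECT/BIND request as defined by the SOCKS4 protocol, the matching reply builder, and a triage function that walks captured flows and flags SOCKS4 requests whose destination is not an approved proxy. The flows, addresses, user IDs and the approved-proxy set are all constructed sample data.

```python
"""Added example (not Poison Ivy's own code): parse the SOCKS4/SOCKS4a request a
relay client sends, build the relay's reply, and flag captured flows in which an
unapproved host is being used as a SOCKS4 relay.  Sample flows are constructed.
"""
import socket
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1
CMD_BIND = 2
REPLY_GRANTED = 90   # 0x5A
REPLY_REJECTED = 91  # 0x5B


def parse_socks4_request(data: bytes):
    """Parse VN(1) | CD(1) | DSTPORT(2, big-endian) | DSTIP(4) | USERID | 0x00.
    SOCKS4a: DSTIP of 0.0.0.x (x != 0) means a NUL-terminated hostname follows.
    Returns (request dict, trailing bytes); raises ValueError on malformed input."""
    if len(data) < 9:
        raise ValueError("too short for a SOCKS4 request")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != SOCKS4_VERSION:
        raise ValueError("not SOCKS4 (VN=%d)" % vn)
    if cd not in (CMD_CONNECT, CMD_BIND):
        raise ValueError("unknown command %d" % cd)
    ip_raw = data[4:8]
    nul = data.find(b"\x00", 8)                # USERID terminator
    if nul < 0:
        raise ValueError("USERID not NUL-terminated")
    userid = data[8:nul].decode("ascii", "replace")
    rest = data[nul + 1:]
    hostname = None
    if ip_raw[:3] == b"\x00\x00\x00" and ip_raw[3] != 0:   # SOCKS4a extension
        nul2 = rest.find(b"\x00")
        if nul2 < 0:
            raise ValueError("SOCKS4a hostname not NUL-terminated")
        hostname = rest[:nul2].decode("ascii", "replace")
        rest = rest[nul2 + 1:]
    return {"cmd": cd, "ip": socket.inet_ntoa(ip_raw), "port": port,
            "userid": userid, "hostname": hostname}, rest


def build_socks4_request(cmd: int, ip: str, port: int, userid: bytes = b"", hostname=None) -> bytes:
    """Build a request the way a relay client would (used to construct samples)."""
    if hostname is not None:
        ip = "0.0.0.1"                         # SOCKS4a marker address
    pkt = struct.pack("!BBH", SOCKS4_VERSION, cmd, port) + socket.inet_aton(ip) + userid + b"\x00"
    if hostname is not None:
        pkt += hostname.encode("ascii") + b"\x00"
    return pkt


def build_socks4_reply(code: int, port: int = 0, ip: str = "0.0.0.0") -> bytes:
    """Reply: VN=0 | CD (90 granted / 91 rejected) | DSTPORT(2) | DSTIP(4)."""
    return struct.pack("!BBH", 0, code, port) + socket.inet_aton(ip)


def find_relay_flows(flows, allowed_proxies):
    """flows: iterable of (src, dst, dst_port, first_client_payload).
    Returns the flows whose first client payload parses as a SOCKS4 request
    and whose destination host is not an approved proxy."""
    hits = []
    for src, dst, dport, payload in flows:
        try:
            req, _ = parse_socks4_request(payload)
        except ValueError:
            continue                           # not SOCKS4 (HTTP, TLS, ...)
        if dst not in allowed_proxies:
            hits.append({"src": src, "relay": dst, "relay_port": dport,
                         "target": req["hostname"] or req["ip"],
                         "target_port": req["port"], "userid": req["userid"]})
    return hits


# Constructed sample capture: first client payload on each TCP flow.
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.0.0.25", 1080,
     build_socks4_request(CMD_CONNECT, "203.0.113.10", 443, b"pi")),
    ("198.51.100.7", "10.0.0.25", 1080,
     build_socks4_request(CMD_CONNECT, "0.0.0.1", 80, b"", hostname="example.net")),
    ("10.0.0.40", "10.0.0.1", 3128, b"GET http://example.net/ HTTP/1.1\r\n"),
    ("10.0.0.41", "10.0.0.2", 1080,
     build_socks4_request(CMD_CONNECT, "203.0.113.10", 22, b"ops")),
]
APPROVED_PROXIES = {"10.0.0.2"}                # constructed allow-list

if __name__ == "__main__":
    for hit in find_relay_flows(SAMPLE_FLOWS, APPROVED_PROXIES):
        print("workstation acting as SOCKS4 relay:", hit)
```

In the sample, the two requests arriving at 10.0.0.25 from an external address are flagged, the plain HTTP proxy request is ignored because it is not SOCKS4, and the request to the approved proxy 10.0.0.2 is accepted. The same detection is cheap to run on a sensor because the request is the first payload of the flow and its header is fixed-width.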

Webcam If you see something like this:

It means that the remote computer doesn't have a webcam. Otherwise select the interface from the list (most of the time there will be one), and you're set.

IV. About and Credits Poison Ivy is written by shapeless. Beta Testers: Caecigenus, Crazy Boris, eNerGie, giuliano, Heike, Lord, p0ke, redlime, Th3ChaS3r Credits go to: Aphex, Billy Belceb, Caecigenus, Erwan, Geiger Tams, ksv, Mark James (http://www.famfam.com), Markus Stephany, Michael Puff, p0ke, Salvatore Meschini, TM

V. Undetected Versions A custom version, not detected by any anti-virus products is available for sale. The version you purchase will be unique, and you are entitled to 3 undetected versions total, in case they get detected. For pricing and payment send an email.

VI. Contact This document should explain the basics even for novice users. If you found a bug, please report it either by email or on the forum, accompanied by a full report, that should contain server settings (when built), the OS specifications of both computers (client and server), as well as possible steps to reproduce the bug. Email: poisonsupport@gmail.com or iareretarded@gmail.com

VII. Changelog

New:
+ New user interface and the ability to change layout
+ Test Connections in the DNS/Port editor
+ IE protected storage in Password List
+ Data transfers. Lets you control all data flow between client<->server
+ Multiple data transfers possible (on 1 socket)
+ Server changes its own time stamp when installed
+ Change mutex names when you build
+ Save Path To Clipboard when you right-click on the file/regedit status bar
+ Downloaded data is saved to: ComputerName^UserName\
+ Save To File/Load From File in DNS/Port editor
+ Server is now smaller
+ Added Suspend Process in the Process Manager
+ Improved various things in the server
+ Settings in the server are no longer in plain-text

Bugfixes:
* XP theme display bug.
* No more multiple instances when using Persistence.
* Active Ports bug displaying fake UDP connections.

- Disclaimer

Poison Ivy must only be used on your own computers or on computers where the owner has expressly given his/her approval. The creator of Poison Ivy will in no way be held responsible for any damages caused by the negligent use of this software.