119 - Boot HitManPro KickStart from a grub4dos multiboot USB Flash drive


Introduction

Surfright's HitManPro is one of the most popular anti-malware solutions (e.g. against ransomware). It allows you to make a bootable USB Flash drive which you can use to clean your computer even if the infestation is so bad that you cannot run HitManPro or any other AntiVirus program manually from the Windows Desktop. The problem is, it was not easy to add HitManPro to a multiboot USB drive, until now...

Equipment Required

  • HitManPro executable (does not need to be installed)
  • USB Flash drive of the 'Removable' type (a USB HDD or a 'WindowsToGo' certified USB flash drive will not work)
  • A Windows system and RMPrepUSB
  • HitManPro Kickstart ISO file

Method

HitManPro can be booted from a grub4dos multiboot or Easy2Boot USB flash drive as follows:

1. If your multiboot USB Flash drive already contains files, you will need to back these up by copying the entire contents of the USB Flash drive to an empty temporary folder on your hard disk.

2. Run the HitManPro USB utility and install HitManPro to the USB Flash drive. This will reformat the entire drive and you will lose all previous contents of the USB drive!


Note: This 'format' process also writes data to some sectors at the very end of the drive. This is why it has to be the same drive that you are going to use for your multiboot drive.

3. Unplug and re-insert the USB drive (it will be dismounted by the HitManPro installation program).

4. Copy the KickStarter.exe, HitManPro.exe and HitManPro_x64.exe files from the USB drive to a temporary folder on your hard drive.

5. Use RMPrepUSB (or your favourite USB format utility) to prepare the USB Flash drive as if you were preparing it as a fresh drive. If you use Easy2Boot, just follow the Easy2Boot drive preparation instructions. It is safest to reduce the size of the last partition on the drive by 10MB to avoid overwriting the last 60 or so sectors that are used by HitManPro. In practice though, these are probably fairly safe.

6. Install grub4dos to the USB drive (MBR or PBR or both) in your usual way (grubinst.exe, bootice or RMPrepUSB, etc.).

7. Copy back the original files that you backed-up in Step 1 and Step 4.

8. Download KickStartSidekick.iso from the HitManPro website and copy it to the root of your USB Flash drive (the menu file will assume it is in the root but it can be in a different folder if you wish).

9. To your grub4dos menu.lst menu file add the following entry:

title HitManPro \n Choose option 3 for a Windows XP system
map /KickstartSidekick.ISO (0xff)
map --hook
root (0xff)
chainloader (0xff)

Your Flash drive will now contain (at least) these files in the root of the drive:

\grldr
\Kickstarter.exe
\HitmanPro.exe
\HitmanPro_x64.exe
\KickstartSidekick.ISO (can be moved to a folder if the menu.lst is changed)
\menu.lst

That's it.


If you want to make another, different multiboot USB flash drive, you must repeat these steps on the new drive so that the special sectors are written by HitManPro to the end of the USB Flash drive.

As very few utilities write to the extreme end of the drive, the special HitManPro sectors are likely to survive any subsequent formatting.

HitManPro seems to work by introducing code to Windows which runs when Windows boots. This code is continuously looking for the special sectors at the end of a Flash drive. If you prepare a USB Flash drive as above but omit step 2, then the KickstartSidekick.iso will still introduce this code into Windows when it boots to the Windows Desktop. If you then insert ANY removable USB Flash drive which contains these special sectors at the end of the drive, it will automatically run HitManPro.exe (if it is also in the root of the USB drive). Presumably this is to allow Windows enough time to mount all the USB Flash drives once it has booted and reached the Desktop.

If you want to add HitManPro to your Easy2Boot USB drive, simply copy the KickstartSidekick.ISO file to the \_ISO\MAINMENU folder. You also need to prepare the drive first using the HitManPro USB installer so that the special sectors are added (or see below).

Alternatively, follow the instructions above but add a .mnu file containing the same menu as detailed above (e.g. \_ISO\MAINMENU\HitMan.mnu). If you wish, you can change the location of the KickstartSidekick.ISO file and edit the menu to match.

Directly adding the sectors to your grub4dos multiboot drive

At your own risk, you can add the special HitManPro sectors to the end of your USB drive using RMPrepUSB v2.1.716 or later as follows (note v2.1.714 has a bug so don't use it for this!):

1. Use the HitManPro utility to create a working USB HitManPro drive using a spare USB Flash drive.

2. In RMPrepUSB v2.1.716 or later use the Drive Info button and enter 0 for the start sector - get the last sector of the HitManPro USB drive from the listing in Notepad - e.g.:
Reported size 8,011,120,640 bytes (7.4609GiB) Last LBA 15,646,719

3. Use the Drive->File button in RMPrepUSB, filename=Hitman.bin, Start sector = (Last_LBA + 1 - 60), Length=0, FileStart=0 - this will make a file containing the last 60 sectors of the drive (e.g. Start sector = 15646719 + 1 - 60 = 15646660).

4. Insert your target grub4dos multiboot or Easy2Boot drive and use the Drive Info button to get the Last_LBA of your multiboot drive (e.g. Last LBA 16,203,775)

5. Use the File->Drive button in RMPrepUSB, filename=Hitman.bin, StartofFile=0, USBStart=(Last_LBA + 1 - 60), length=0 to write the sectors to the end of your multiboot USB drive (e.g. Start sector = 16203775 + 1 - 60 = 16203716)

Note that this will corrupt the last 60 sectors on your multiboot drive which may or may not affect the data or partitions on your drive. If this does not work, try copying 100 sectors instead of 60 (in case the code has got larger in a newer version).
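The same sector arithmetic applied to raw image files, as an added Python example that is not part of the original tutorial or of RMPrepUSB: it computes Last_LBA + 1 - 60, reports any MBR partition that extends into those sectors, and saves the target's original tail before overwriting it. The function names, the 512-byte sector size and the use of image files instead of physical drives are assumptions.

```python
import struct

SECTOR = 512  # assumed logical sector size, matching the LBA arithmetic above

def tail_start_lba(last_lba, count=60):
    """Start sector of the final `count` sectors: Last_LBA + 1 - count."""
    return last_lba + 1 - count

def last_lba_of(path):
    """Last LBA of a raw image file, derived from its size in bytes."""
    with open(path, "rb") as f:
        return f.seek(0, 2) // SECTOR - 1

def partitions_overlapping_tail(path, count=60):
    """Return the MBR partition slots (1-4) whose extent reaches into the tail."""
    start = tail_start_lba(last_lba_of(path), count)
    with open(path, "rb") as f:
        mbr = f.read(SECTOR)
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature in sector 0")
    hits = []
    for slot in range(4):
        entry = 446 + slot * 16                      # 16-byte partition entry
        first, size = struct.unpack_from("<II", mbr, entry + 8)
        if mbr[entry + 4] != 0 and first + size > start:
            hits.append(slot + 1)
    return hits

def copy_tail(src, dst, count=60, backup=None):
    """Copy the last `count` sectors of src over dst's; save dst's old tail first."""
    src_start = tail_start_lba(last_lba_of(src), count)
    dst_start = tail_start_lba(last_lba_of(dst), count)
    with open(src, "rb") as f:
        f.seek(src_start * SECTOR)
        tail = f.read(count * SECTOR)
    with open(dst, "r+b") as f:
        f.seek(dst_start * SECTOR)
        if backup:
            with open(backup, "wb") as b:
                b.write(f.read(count * SECTOR))   # undo copy of the target's tail
            f.seek(dst_start * SECTOR)
        f.write(tail)
    return dst_start

if __name__ == "__main__":
    # Last LBA values quoted in steps 2 and 4 of the tutorial
    print(tail_start_lba(15646719), tail_start_lba(16203775))
```

A non-empty result from partitions_overlapping_tail() means the write in step 5 would land inside a partition; shrinking the last partition as suggested in step 5 of the Method section avoids that.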

An alternative is to use a grub4dos batch file to automatically transfer the special sectors to another Removable Flash drive (e.g. an Easy2Boot Removable flash drive) - for details read my blog post here.
