119 - Boot HitManPro KickStart from a grub4dos multiboot USB Flash drive

Introduction

Surfright's HitManPro is one of the most popular anti-malware solutions (e.g. for ransomware). It allows you to make a bootable USB Flash drive which you can use to clean your computer even if the infestation is so bad that you cannot run HitManPro or any other AntiVirus program manually from the Windows Desktop.

When you make a HitManPro USB drive, it puts some special data in certain sectors near the end of the USB drive. These sectors are not in a file and so they cannot be easily copied to another USB drive.

Furthermore, a Removable Flash drive must be used (check the type using RMPrepUSB) - a USB HDD will not work!

It was not easy to add HitManPro to a multiboot USB drive, until now...

Note: As of 2017, KickStarter has been dropped from HitMan Pro by Surfright.

Equipment Required

    • HitManPro executable (does not need to be installed)

    • USB Flash drive of the 'Removable' type (a USB HDD or a 'WindowsToGo' certified USB flash drive will not work)

    • A Windows system and RMPrepUSB

    • HitManPro Kickstart ISO file

Method

First we make a HitManPro USB drive (this adds the special sectors) - then we can make it grub4dos bootable.

HitManPro can be booted from a grub4dos multiboot or Easy2Boot USB flash drive as follows:

1. If your multiboot USB Flash drive already contains files, you will need to back these up by copying the entire contents of the USB Flash drive to an empty temporary folder on your hard disk.

2. Run the HitManPro USB utility and install HitManPro to the USB Flash drive (click for video). This will reformat the entire drive and you will lose all previous contents of the USB drive!

Note: This 'format' process also writes data to some sectors at the very end of the drive. This is why it has to be the same drive that you are going to use for your multiboot drive.

3. Unplug and re-insert the USB drive (it will be dismounted by the HitManPro installation program).

4. Copy the KickStarter.exe, HitManPro.exe and HitManPro_x64.exe files from the USB drive to a temporary folder on your hard drive.

5. Use RMPrepUSB (or your favourite USB format utility) to prepare the USB Flash drive as if you were preparing it as a fresh drive. If you use Easy2Boot, just follow the Easy2Boot drive preparation instructions. It is safest to reduce the size of the last partition on the drive by 10MB to avoid overwriting the last 60 or so sectors that are used by HitManPro. In practice though, these are probably fairly safe.

6. Install grub4dos to the USB drive (MBR or PBR or both) in your usual way (grubinst.exe, bootice or RMPrepUSB, etc.).

7. Copy back the original files that you backed-up in Step 1 and Step 4.

8. Download KickStartSidekick.iso from the HitManPro website and copy it to the root of your USB Flash drive (the menu file will assume it is in the root but it can be in a different folder if you wish).

9. To your grub4dos menu.lst menu file add the following entry:

    title HitManPro \n Choose option 3 for a Windows XP system
    map /KickstartSidekick.ISO (0xff)
    map --hook
    root (0xff)
    chainloader (0xff)

Your Flash drive will now contain (at least) these files in the root of the drive:

    \grldr
    \Kickstarter.exe
    \HitmanPro.exe
    \HitmanPro_x64.exe
    \KickstartSidekick.ISO (can be moved to a folder if the menu.lst is changed)
    \menu.lst

That's it.

If you want to make another, different multiboot USB flash drive, you must repeat these steps on the new drive so that the special sectors are written by HitManPro to the end of the USB Flash drive.

As very few utilities write to the extreme end of the drive, the special HitManPro sectors are likely to survive any subsequent formatting.

HitManPro seems to work by introducing code to Windows which runs when Windows boots. This code is continuously looking for the special sectors at the end of a Flash drive. If you prepare a USB Flash drive as above but omit step 2, then the KickstartSidekick.iso will still introduce this code into Windows when it boots to the Windows Desktop. If you then insert ANY removable USB Flash drive which contains these special sectors at the end of the drive, it will automatically run HitManPro.exe (if it is also in the root of the USB drive). Presumably this is to allow Windows enough time to mount all the USB Flash drives once it has booted and reached the Desktop.

Easy2Boot and HitManPro

If you want to add HitManPro to your Easy2Boot USB drive, simply copy the KickstartSidekick.ISO file to the \_ISO\MAINMENU folder.

The E2B drive must be a Removable type of USB flash drive - an E2B USB HDD will not work!

The E2B drive needs to contain the special sectors, so you also need to prepare the drive first using HitManPro USB installer so that the special sectors are added (see blog post here or see below).

Alternatively, follow the instructions above to extract the HitManPro files and then add a .mnu file containing the same menu as detailed above (e.g. \_ISO\MAINMENU\HitMan.mnu).

If you wish, you can change the location of the KickstartSidekick.ISO file and edit the menu to match. The USB drive still needs to contain the special sectors however.

Directly adding the sectors to your grub4dos multiboot drive

At your own risk, you can add the special HitManPro sectors to the end of your USB drive using RMPrepUSB v2.1.716 or later as follows (note v2.1.714 has a bug so don't use it for this!):

1. Use the HitManPro utility to create a working USB HitManPro drive (with the special sectors) using a spare USB Flash drive.

2. Now use the grub4dos batch file to automatically transfer the special sectors to your Easy2Boot Removable flash drive - for more details read my blog post here.

To run the batch file, just exit from the E2B menu to the grub4dos console (press SHIFT+P, enter the password 'easy2boot' and then type SHIFT+C) and then type: HitmanXfer

Alternatively, you can do it the hard way by following steps 3-5...

In RMPrepUSB v2.1.716 or later use the Drive Info button and enter 0 for the start sector - get the last sector of the HitManPro USB drive from the listing in Notepad - e.g.:

Reported size 8,011,120,640 bytes (7.4609GiB) Last LBA 15,646,719

3. Use the Drive->File button in RMPrepUSB, filename=Hitman.bin, Start sector = (Last_LBA + 1 - 60), Length=0, FileStart=0 - this will make a file containing the last 60 sectors of the drive (e.g. Start sector = 15646719 + 1 - 60 = 15646660).

4. Insert your target grub4dos multiboot or Easy2Boot drive and use the Drive Info button to get the Last_LBA of your multiboot drive (e.g. Last LBA 16,203,775)

5. Use the File->Drive button in RMPrepUSB, filename=Hitman.bin, StartofFile=0, USBStart=(Last_LBA + 1 - 60), length=0 to write the sectors to the end of your multiboot USB drive (e.g. Start sector = 16203775 + 1 - 60 = 16203716)

Note that this will corrupt the last 60 sectors on your multiboot drive which may or may not affect the data or partitions on your drive. If this does not work, try copying 100 sectors instead of 60 (in case the code has got larger in a newer version).
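The sector arithmetic in steps 3-5, together with a check for the overwrite risk mentioned in the note above and in step 5 of the Method, can be tried safely on raw image files first. This is an added example, not part of the original tutorial or of RMPrepUSB; the function names are hypothetical, and it assumes 512-byte sectors, an MBR-partitioned drive and image files rather than live drives.

```python
import os
import struct

SECTOR = 512  # assumption: 512-byte sectors, matching the Drive Info figures above

def tail_start(last_lba, count=60):
    """First sector of the final `count` sectors: Last_LBA + 1 - count."""
    return last_lba + 1 - count

def last_lba_of(path):
    """Last LBA of a raw image file (size in sectors minus one)."""
    return os.path.getsize(path) // SECTOR - 1

def copy_tail(src, dst, count=60):
    """Copy the final `count` sectors of src over the final `count` sectors of dst."""
    with open(src, "rb") as s, open(dst, "r+b") as d:
        s.seek(tail_start(last_lba_of(src), count) * SECTOR)
        data = s.read(count * SECTOR)
        start = tail_start(last_lba_of(dst), count)
        d.seek(start * SECTOR)
        d.write(data)
    return start  # the USBStart value used in step 5

def partitions_in_tail(path, count=60):
    """Return MBR partition numbers (1-4) whose extent reaches into the tail."""
    limit = tail_start(last_lba_of(path), count)
    with open(path, "rb") as f:
        mbr = f.read(SECTOR)
    hits = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        first, length = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and first + length > limit:  # type 0 = unused slot
            hits.append(i + 1)
    return hits

def make_image(path, sectors, part_first, part_len, tail=b""):
    """Build a constructed test image: one MBR partition plus optional tail data."""
    img = bytearray(sectors * SECTOR)
    struct.pack_into("<B3xB3xII", img, 446, 0x80, 0x0C, part_first, part_len)
    img[510:512] = b"\x55\xaa"
    if tail:
        img[-len(tail):] = tail
    with open(path, "wb") as f:
        f.write(img)
```

If partitions_in_tail() returns a non-empty list for the target image, writing the sectors will overwrite the end of that partition, which is the case that shrinking the last partition avoids.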

An alternative is to use a grub4dos batch file to automatically transfer the special sectors to another Removable Flash drive (e.g. an Easy2Boot Removable flash drive) - for details read my blog post here.