
Poison Ivy v2.1.2
by shapeless

http://poisonivy-rat.com

Please read this document thoroughly before using Poison Ivy!

[ INTRODUCTION ]

Poison Ivy is an advanced, reverse connection, firewall-bypassing remote administration tool.

It's written in MASM32 (server) and Delphi 7 (client).


Because of the special way it works, a server update is not needed, regardless of how many features/changes are made.

The server is only 7.5 KiB long (unpacked, can reach 3.8 when packed with FSG for example), is completely stand-alone, is
independent of any runtimes, etc, and will run on all NT based Windows operating systems (even on restricted accounts),
32bit and 64bit; it doesn't drop any files, except the key logger log file (if the feature is enabled).

Please note that this document is a general guide to get users familiar with the applications, and some features might not
be described in detail here – you will use them and see how they work.

You are encouraged to visit the official website http://poisonivy-rat.com, for more screen shots, news and development log.

[ GENERAL FEATURE LIST/KEYWORDS ]

firewall bypassing, reverse connection, ARC4 encrypted communications, transparent compression of transfers and
communications, full-featured file, registry, services and process manager, relay server, view installed applications (some
support remote silent uninstallation), key logger, socks4/5 server, traffic sniffer, remote screen capture and web cam
viewing, password manager (IE cached passwords, MSN passwords, Firefox cached passwords, wireless zero configuration
passwords, LM/NTLM hashes), runs on restricted accounts.
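The feature list names ARC4 (RC4) for the command channel, keyed from the password chosen when the server is built. The block below is an added educational example, not code from Poison Ivy or from its author: a textbook RC4 implementation used to show two properties an analyst relies on when looking at captured traffic from a tool like this. First, RC4 is symmetric, so whoever holds the key decrypts the capture; the helper `decrypt_with_password` assumes, purely for illustration, that the build password is used directly as the key (the page does not say how the key is derived). Second, RC4 is a stream cipher with no per-message nonce, so two messages sent under the same key from the same keystream position leak the XOR of their plaintexts, and one known plaintext recovers the other; this is a general property of RC4, not a claim about the tool's protocol. The test vector (key `Key`, plaintext `Plaintext`) is the standard published one.

```python
def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) `data` under `key`."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_with_password(password: str, ciphertext: bytes) -> bytes:
    """Assumption for this example only: the build password is used directly as the RC4 key.
    An analyst who recovers the password from a server build can then read a capture."""
    return rc4(password.encode("latin-1"), ciphertext)


def plaintext_xor_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts produced under the same key and keystream position XOR to m1 XOR m2,
    because the identical keystream cancels out."""
    n = min(len(c1), len(c2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


def recover_from_known_plaintext(c1: bytes, c2: bytes, m1: bytes) -> bytes:
    """Given the XOR leak and one known plaintext, the other plaintext falls out
    (up to the shorter length) without ever knowing the key."""
    leak = plaintext_xor_leak(c1, c2)
    n = min(len(leak), len(m1))
    return bytes(a ^ b for a, b in zip(leak[:n], m1[:n]))


if __name__ == "__main__":
    # Standard RC4 test vector.
    print(rc4(b"Key", b"Plaintext").hex())          # bbf316e8d940af0ad3
    # Constructed sample: two short messages under one key, no per-message randomization.
    key = b"pw"
    m1, m2 = b"dir C:\\", b"dir D:\\"
    c1, c2 = rc4(key, m1), rc4(key, m2)
    print(recover_from_known_plaintext(c1, c2, m1))  # b'dir D:\\'
```

The keystream-reuse helpers are why a fixed shared password is a weak design for a command channel: confidentiality then depends on the implementation never restarting the keystream with the same key, which the page gives no information about.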

[ GENERAL USAGE ]

You might want to know that the client (PI2.1.2.exe) does not touch the registry nor any other files outside the folder
where you extracted it from the distribution archive.
It will save its settings in an INI file, and all communication details (folder cache, downloaded files, etc.) will be saved in a
folder “Users”, which will contain folders named <remote_computer_name>^<remote_user_name>, where you will find
your downloaded files, etc.
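The paragraph above describes the on-disk footprint of the operator's client: an INI settings file next to the executable, and a “Users” folder with one sub-folder per remote machine named `<remote_computer_name>^<remote_user_name>`. Those conventions are useful to an investigator triaging a seized or compromised workstation for evidence that the client was run there and which hosts were connected to it. The following is an added example written for that purpose; it is not code from Poison Ivy or its author. It only relies on the folder naming and the INI file mentioned on the page; the file names in the constructed sample listing (`settings.ini`, `cache.dat`, `keylog.txt`, the `C:\Tools\pi` location) are made up for the demonstration. The `^` separator is what distinguishes a client session folder from an ordinary Windows `C:\Users\<name>` profile, which the code deliberately leaves alone.

```python
import re
from pathlib import PureWindowsPath

# Session folder names under the client's "Users" directory follow
# <remote_computer_name>^<remote_user_name>, as described in the manual.
SESSION_DIR_RE = re.compile(r"^(?P<computer>[^\\/^]+)\^(?P<user>[^\\/^]+)$")

# Constructed directory listing of a suspected operator workstation (sample data,
# not real artifacts); file names other than the Users/<computer>^<user> layout are invented.
SAMPLE_LISTING = [
    r"C:\Tools\pi\PI2.1.2.exe",
    r"C:\Tools\pi\settings.ini",                     # hypothetical INI settings file
    r"C:\Tools\pi\Users\WS01^alice\cache.dat",
    r"C:\Tools\pi\Users\WS01^alice\downloaded\report.doc",
    r"C:\Tools\pi\Users\LAB-PC^Administrator\keylog.txt",
    r"C:\Users\bob\Documents\notes.txt",             # ordinary profile, must not match
]


def parse_session_dirname(name):
    """Return (computer, user) for a folder name in the Users/ convention, else None."""
    m = SESSION_DIR_RE.match(name)
    if m is None:
        return None
    return m.group("computer"), m.group("user")


def find_client_artifacts(paths):
    """Triage a listing of Windows paths.  Returns a dict:
      "sessions":  {(computer, user): [paths]}  one entry per remote session folder
      "ini_files": [paths]                       INI files in the folder that holds "Users"
    """
    sessions = {}
    client_roots = set()
    for p in paths:
        parts = PureWindowsPath(p).parts
        for idx in range(len(parts) - 1):
            if parts[idx].lower() != "users":
                continue
            parsed = parse_session_dirname(parts[idx + 1])
            if parsed is not None:
                sessions.setdefault(parsed, []).append(p)
                client_roots.add(PureWindowsPath(*parts[:idx]))
                break
    ini_files = sorted(
        p for p in paths
        if PureWindowsPath(p).suffix.lower() == ".ini"
        and PureWindowsPath(p).parent in client_roots
    )
    return {"sessions": sessions, "ini_files": ini_files}


def remote_hosts(result):
    """Sorted list of remote computer names seen in session folders (for a report)."""
    return sorted({computer for computer, _user in result["sessions"]})


def triage_sample():
    return find_client_artifacts(SAMPLE_LISTING)


if __name__ == "__main__":
    result = triage_sample()
    for (computer, user), files in result["sessions"].items():
        print(f"{computer} / {user}: {len(files)} file(s)")
    print("settings files:", result["ini_files"])
    print("remote hosts:", remote_hosts(result))
```

On a real image the listing would come from a file-system walk of the evidence mount; the function only needs path strings, so it runs equally over a text export of `dir /s` output.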

This document is to be considered a general guide to get you started; you will see that the application is rather easy to use,
and you will learn it while you use it.

The general rule of thumb is that right-clicking on the right-side of the feature tree (after selecting a feature), always
reveals the options, which are self-explanatory.

To pause/resume/cancel and view transfers, the “Toggle Transfers View” button is located on top, like in the image below
(the other buttons all have tool tips):
Right-clicking on a transfer reveals various options.

[ BUILDING A SERVER ]

The first thing you will need to do if you are using the client behind a router, is to forward a port to your computer.
An extensive guide that covers most (if not all) routers is at http://portforward.com.
If you are behind a corporate firewall, you will have to ask your network administrator to forward a port for you.

Either way, remember the port number, as you will need it when building the server.

Run the application (Poison Ivy 2.1.2.exe), and go to the “Build” tab.

The first thing you need to do is add at least one DNS/Port entry, so the server will know where to connect (you will
probably also need to sign up with free DNS providers, like http://no-ip.info).

Click the “Add” button near the “DNS/Port” box, and add as many entries as possible to ensure that you will not lose
servers, should one DNS go down. After completing this, it's always a good idea to use the “Test” button to see if
everything works.

The rest is self-explanatory, but I will describe a few below.

The “Socks4” check box is for when you would like the server to connect to you through a socks4 server (same configuration
method as above).

Tick the “Startup” box if you would like the server to start automatically with Windows (most of the time you would check
that).

The “Filename” is the server filename after the installation.


“Melt” means that the initial server file will delete itself after installation.
“Persistence” means that the server file and the startup entries will generally be hard to remove.

Only change settings in the “Advanced” section if you know what they mean/what you are doing.

Finally, you can choose an icon for the server if you want (by clicking on the “Icon” square in the lower-right side), or leave
it without an icon.
You can restore the 'no-icon' by right-clicking on the same box.

Now you are ready to generate the server, by pressing the “Build” button.

[ ESTABLISHING CONNECTION ]

Assuming you have all the network-related settings configured and working properly (no firewall blocking the client, port
forwarded correctly, internet connection if needed, etc), there are a couple of things to set up in the “Settings” tab.

The essential settings here are the port and the password, the ones you chose when building the server.
Adjust the other settings as you see fit.
When you are done, press “Save” and you are ready to accept connections (they will show in the “Connections” tab).
Right clicking on a connection reveals some options.
Double-clicking on a connection opens up the management features.

If a connection is marked in red, you should restart the server in order to take advantage of the new features in the client
you're using.

When sharing a server, the same method is applied as when building a server.

Tip: you can quickly change the port the client listens on by clicking the “Port: xxxx” part in the status bar of the client.

[ FAQ ] - Please read before reporting problems/asking for help

Q: I can't extract the archive contents, or I can't execute the client.
A: You probably have an antivirus application running. Disable it and try again.

Q: The remote server is working fine, until it suddenly disappears, and I can't connect anymore.
A: The other user might be running an antivirus application, which picks up the server and deletes it.

Q: When I retrieve the key log file, parsing/displaying it takes a very long time.
A: For very long key log files (also depends on your CPU), you might want to disable 'Key log colors' in the 'Settings' tab.

Q: Sometimes it takes very long for a server to connect, even if the other computer is online.
A: This is because the interval at which the server tries to establish connection with the client is dynamic, and you probably
started the client just before the longest interval. Be patient.

Q: I played with the client file, and it will no longer run.
A: As stated above, do not modify the client application in any way.

Q: Can I pack/crypt the server?
A: Yes, but on your own responsibility. The server was tested with FSG and UPX and it worked.

Q: I packed/encrypted/scrambled the server and it doesn't seem to work.
A: Some packers trash the server. It's not a bug in Poison Ivy.

Q: I modified the client in some way and it doesn't start anymore.
A: Re-download the client and overwrite the modified version with a clean one.

[ Undetected Versions ]

You can buy an undetected, custom version of Poison Ivy.
If you do, you are entitled to another version, should your initial one get detected.

You don't have to worry about future versions either; as said above, servers need to be updated very rarely (in case of
major protocol changes), because of the special way Poison Ivy works.
If that is the case, you will receive a new version.

For prices and other details, contact me.


[ Contact ]

The official Poison Ivy website is at http://poisonivy-rat.com
You will find updates, screen shots, development progress and other info there.

Email: support@poisonivy-rat.com
poisonivyrat@yahoo.se

Support is also available at http://chasenet.org and http://swerat.com

[ About and Credits ]

Poison Ivy is written by shapeless.

Beta Testers:
Caecigenus, Crazy Boris, Digerati, eNerGie, e-e, giuliano, Heike, hnZ^, Lord, p0ke, redlime, Th3ChaS3r.

Credits go to:
Andvare, Aphex, Billy Belceb, Caecigenus, eNerGie, Erwan, Geiger Tamás, ksv, Laszlo Toth, Mark James
(http://www.famfamfam.com), Markus Stephany, Michael Puff, p0ke, Salvatore Meschini, TM.

- Disclaimer -
Poison Ivy must only be used on your own computers or on computers where the
owner has expressly given his/her approval. The creator of Poison Ivy will in no
way be held responsible for any damages caused by the negligent use of
this software.
