Why use batch scripts?

[excid3]

Why is everyone using batch scripts to write their payloads? I am considering using NSIS to write my own. I can incorporate everything into the exe and extract them to keep the payload much less complicated looking and include a customizable ini file to change the settings. Are there any problems with NSIS i'm not aware of?

[fretmelter66]

no not tht im aware of. but batch files are easy to make. can be altered easily, run quickly, windows doesnt see them as a threat, and can be very powerful.

[excid3]

thing is NSIS exe's can be uch more useful, take a bit of compiling, but can be MUCH more useful. I think ill see what i can come up with, and let you guys know!

[sablefoxx]

Yes, exe's can be very useful, but its a lot easeir just to write a quick .bat, i know C (still learning more like  it) but its much easier to just make the payload with a .bat then with C, sure its not the most powerful way to do it, but its fast, easy simple. :)

[beakmyn]

Because the average user doesn't know how to program using NSIS. That's why I used vbs, kinda in between your solution and batch files but I could compile it. In fact I had to Google NSIS which looks to be a Nullsoft's scriptable installer? How silent can it be made?

[excid3]

NSIS can be completely silent. You guys have heard of PortableApps.com by John Haller? Thats what he uses for EVERYTHING. I've written a copy of Dev-C++ that runs portably using NSIS.

I will see what kind of customized payload I can work out for you guys and drop the source and payload here for you guys to check out. Ive got finals coming up in a week so it might take me some time.

[sablefoxx]

I will see what kind of customized payload I can work out for you guys and drop the source and payload here for you guys to check out. Ive got finals coming up in a week so it might take me some time.

Sounds good to me, i've never used NSIS be fun to learn about it.

[mleo2003]

NSIS can be completely silent. You guys have heard of PortableApps.com by John Haller? Thats what he uses for EVERYTHING. I've written a copy of Dev-C++ that runs portably using NSIS.

You know you can do the same thing with Dev-C++ Portable just by running it with a '-c .' parameter passed to it when you run it? Make <gasp>another batch!!!11!111</gasp> :-) that just runs the "devcpp.exe -c ." command. Or better yet, tell PStart/whatever other start menu type setup you use to use that as the shortcut to it. Not as special as making your own NSIS package (which I plan on doing for Ruby someday), but it works.

My only issue with using something other than .bat's is on some systems (even XP), it prompts you and asks do you want to run this executable for exe's. I don't think that's a concern with .bat files, but I could be wrong.

[excid3]

Yeah my NSIS Dev-C++ used the -c parameter ;) Good point about the batch scripts not being asked. I'm still goign to make a payload and test it out. Ive got a VM so I'll install several copies of windows in it and see what happens.

[K1u]

windows doesnt see them as a threat, and can be very powerful.

Lol but then again, what does windows see as a threat 

[excid3]

touche. Is there any way to get around UAC in Vista? I have a feeling that is going to give my payload problems. XP and the others should be fine, however UAC will probably put a stop to mine.

[HarshReality]

The typical used uses UAC for @ 20 minutes (my previous employer was a large computer manufacturer) and 90% of the calls in the first month Vista hot was how to disable it in the MSConfig options because they were tired of it asking for every little thing.

[excid3]

Well this may turn out more as an XP targeted payload. May work on some vista comps, maybe not. We shall see. I hope to get the payload finished in a couple of weeks....stupid finals.

[mleo2003]

With Vista, you probably need to use a batch file to test for UAC some how, and if it exists, either just exit, or go old school on it, otherwise, go for the new/improved stuff. Might could even use a batch file to disable UAC, and then run the exe stuff. Just some options you have.

[HarshReality]

Per MSConfig:

Disable UAC (Requires Reboot): C:WindowsSystem32cmd.exe /k %windir%System32reg.exe ADD HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v EnableLUA /t REG_DWORD /d 0 /f

Enable UAC (Requires Reboot): C:WindowsSystem32cmd.exe /k %windir%System32reg.exe ADD HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v EnableLUA /t REG_DWORD /d 1 /f

Of course there is also a trojan method but Ive never tried it: Link

Of course there is also a "run as administrator" option but I cant validate that.

[excid3]

Interesting...the trojan might be one way of getting around that...

Do you think renaming the existing .exe and replacing the original filename with the trojan would work? I think I will wait until I get my payload working in XP before I try anything for Vista...

The only downside of turning off UAC using the msconfig line is that it will disable it completely, and if already enabled the user might notice UAC not complaining about every little thing.

[HarshReality]

Well durring initial activation/running if its shut off and the payload runs and then reenables it would seem as though nothing had happened to cause it to go off (once apps are in startup for vista and installed it doesnt really sound off constantly).

So the trick would be disable, payload, enable since one asumes the system is up and running when the drive is inserted and the user is waiting for a driver load to happen. But I have a tri-boot system here so when you get the XP side going and want a VIsta dry run I'll be more than happy to help out if I can.

[excid3]

Ok, but i thought you mentioned that disabling UAC using msconfig required a reboot...

[mleo2003]

Seeing as I have had no dealings with Vista for long, and know nothing of UAC, I must ask the following question before going on Google in the hunt for my own answer (I know, probably should hunt first).

Is the UAC a service that can be disabled with a few calls to the 'sc' command?

[HarshReality]

Service yes

[excid3]

Ok so I think the best bet is going to be executing the NSIS payload through a batch script. Since batch scripts go seemingly unnoticed, i can have it execute the NSIS payload without much worry. I've got to study for finals right now, but i'll be done by thurs of next week. Hopefully i should have a alpha version of my payload out soon after....but i've got dialup at home, so it might take a little longer :(

[HarshReality]

Exid3... got something for you to take into consideration...

http://www.securityxploded.com/vistauacmaker.php


Making Application Vista UAC Compliant 
To make any application Vista UAC compliant one has to embed a manifest file specifying the privilege required by the application. Manifest file mainly contain 2 important information, privilege required by the application and UI interaction of application with other windows.
     
There are 3 types of privileges that can be mentioned in the manifest file. 
     * requireAdministrator : Run as administrator
     * asInvoker : Run as same privilege as parent process
     * highestAvailable : Run with highest privilege available for user


Other than this, one has to specify if the application interacts with user interface of other high privilege applications. For example your application may send the message to modify the UI of other high privilege application. This is specified through following parameter


      uiAccess : TRUE/FALSE

[excid3]

Thanks for the link. I'll check it out and see what I can do with it. I'm going to install Ultimate this weekend and test some things out.

If this doesnt work, is there a way we can trick Windows into thinking that the exe (nsis script) has already been allowed by UAC?

Also some very explanatory info: http://www.autorun.com/webhelp/Introductio...ndows_Vista.htm

[HarshReality]

Well according to that link you can add a manifest to an exe that states how the program should be handled. IF a manifest could be added it would circumvent UAC and run as administrator by default.

[excid3]

I'll have to check this out and see how it goes. If this works...curcumventing UAC might be easier than i thought.