Username: Save?
Password:
Home Forum Links Search Login Register*
    News: Welcome to the TechnoWorldInc! Community!
Recent Updates
[October 17, 2024, 05:05:06 PM]

[October 17, 2024, 04:53:18 PM]

[October 17, 2024, 04:53:18 PM]

[October 17, 2024, 04:53:18 PM]

[October 17, 2024, 04:53:18 PM]

[September 09, 2024, 12:27:25 PM]

[September 09, 2024, 12:27:25 PM]

[September 09, 2024, 12:27:25 PM]

[September 09, 2024, 12:27:25 PM]

[August 10, 2024, 12:34:30 PM]

[August 10, 2024, 12:34:30 PM]

[August 10, 2024, 12:34:30 PM]

[August 10, 2024, 12:34:30 PM]
Subscriptions
Get Latest Tech Updates For Free!
Resources
   Travelikers
   Funistan
   PrettyGalz
   Techlap
   FreeThemes
   Videsta
   Glamistan
   BachatMela
   GlamGalz
   Techzug
   Vidsage
   Funzug
   WorldHostInc
   Funfani
   FilmyMama
   Uploaded.Tech
   MegaPixelShop
   Netens
   Funotic
   FreeJobsInc
   FilesPark
Participate in the fastest growing Technical Encyclopedia! This website is 100% Free. Please register or login using the login box above if you have already registered. You will need to be logged in to reply, make new topics and to access all the areas. Registration is free! Click Here To Register.
+ Techno World Inc - The Best Technical Encyclopedia Online! » Forum » THE TECHNO CLUB [ TECHNOWORLDINC.COM ] » Ethical Hacking / Security / Viruses
 Batch File Potential
Pages: [1]   Go Down
  Print  
Author Topic: Batch File Potential  (Read 1405 times)
Admin
Administrator
Adv. Member
*****



Karma: 208
Offline Offline

Posts: 496

TWI Admin

159511729 vatsal2002 superwebchampz
View Profile WWW
Batch File Potential
« Posted: October 15, 2006, 12:08:58 PM »


Batch File Potential
by blip

NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.

Disclaimer

The contents of this file are not to be and must not be used maliciously but instead simply become an intellectual curiosity and inform readers to potentially serious security problems. I hold no responsibility for what damage you or others may inflict or have damage inflicted upon; I hold responsibility for NOTHING. With that out of the way, let's begin!

Batch files are much more powerful than most may initially believe, with sufficient knowledge one could use them to introduce directly executable code into a system. I will demonstrate how this can be done with a harmless example and explore other ways to perform the same task that may or may not be better in some way.

There are two main ways one could go about doing this, the first being incredibly easier. The first method utilizes echo statements that redirect their output to a file, this file being used much like a script by using its contents for "console input" into a program instead of the default keyboard. The program used is called debug and is on every computer running windows or dos AFAIK unless the user manually deletes it, and can be used to write and execute stuff in memory among other things. The second method is more difficult to prepare, but does not require debug to be present or accessible (many school machines e.g. disallow access to it) to execute the hidden code as if it were a program they downloaded instead of the batch (it actually uses the batch to write out the program to disk). when the programs are executed, it would be a good idea to have them wipe the script and/or program file itself so undeletion attempts won't yield any clues.

The example program will be an implementation of a program that goes full screen and makes your screen flash random colors (though inevitably optimizable). First off it would be wise to be fairly familiar with x86 assembly language and how dos works in order to write your own programs to be run, but I'll try to explain how things work for those who aren't. Yes it is possible to write it in something like C++, but you must be aware that it has to run in dos (though it could use dpmi in windows) and its easiest to do with .com files. Exes have lovely headers that you must meddle with for full compatibility, mmm fun (you can't load a .exe into memory via debug enter statements and expect it to execute properly at all because the way exe headers are interpreted during loading).

The example batch file before we start:


@echo off
echo e100 B8 13 00 CD 10 E4 40 88 C3 E4 40 88 C7 F6 E3 30>\z.dbg
echo e110 DF 88 C1 BA C8 03 30 C0 EE BA DA 03 EC A8 08 75>>\z.dbg
echo e120 FB EC A8 08 74 FB BA C9 03 88 D8 EE 88 F8 EE 88>>\z.dbg
echo e130 C8 EE B4 01 CD 16 74 CD B8 03 00 CD 10 C3>>\z.dbg
echo g=100>>\z.dbg
echo q>>\z.dbg
debug <\z.dbg>nul
del \z.dbg

Basically what this does is make your monitor flash pseudo-random colors for every screen refresh until you hit a key, at which point it exits. There's a lot to be explained, however, to completely understand HOW it works from the ground up, knowing little or nothing of assembly or dos internals. Good thing I won't be explaining everything in excruciating detail.

To keep the batch file's size to a minimum, the program contained must also be as small as possible. Usually this means that you must use as many system calls as possible that are practical to do and tend not to do everything yourself. Granted, there are things you can't call the system to do for you, in which case the code should be further size optimized. In DOS, system calls are usually done by an assembly instruction mnemonic called INT, short for INTerrupt. For now, you can think of them as little black boxes that do what you want with the proper inputs and outputs until you read an assembly tutorial off somewhere where you'll realize there's really much more to it. Anyway, most software interrupts (usually used for system calls) take inputs in registers, which are like a select few speedy memory locations contained in the CPU itself. I guess I'd better explain and list the registers before I go further:

General Purpose (GP) registers:


AX - Accumulator
BX - Base
CX - Counter
DX - Displacement
BP - Base Pointer
SP - Stack Pointer
SI - Source Index
DI - Destination Index

Segment Registers (not explained here because they're not needed to understand the example, go to a tut for info):


CS - Code Segment
DS - Data Segment
ES - Extra Segment
FS - Extra Segment #2 (386+)
GS - Extra Segment #3 (386+)
SS - Stack Segment

Half of the GPregs (general purpose registers as I call them) can be broken up into byte-sized chunks and used as such. These would be the ones ending in X such as AX, its component registers being AH (Accumulator High, high byte of AX) and AL (Accumulator Low, low byte of AX). The remaining half of the group can only be accessed as 16-bit quantities. All GPregs can also be accessed as 32-bit entities, prefixed with E as in EAX for Extended Accumulator, beginning with the 386 (not like anyone cares, most people today haven't even heard of a 386).

I wrote the program above in debug, although you could do it in some symbolic assembler like nasm or fasm. Remember EVERYTHING in debug is either in hex or ascii. Here is a disassembly with corresponding addresses and hex encoded machine code eqivalents preceding each instruction mnemonic:


1370:0100 B81300        MOV     AX,0013
1370:0103 CD10          INT     10
1370:0105 E440          IN      AL,40
1370:0107 88C3          MOV     BL,AL
1370:0109 E440          IN      AL,40
1370:010B 88C7          MOV     BH,AL
1370:010D F6E3          MUL     BL
1370:010F 30DF          XOR     BH,BL
1370:0111 88C1          MOV     CL,AL
1370:0113 BAC803        MOV     DX,03C8
1370:0116 30C0          XOR     AL,AL
1370:0118 EE            OUT     DX,AL
1370:0119 BADA03        MOV     DX,03DA
1370:011C EC            IN      AL,DX
1370:011D A808          TEST    AL,08
1370:011F 75FB          JNZ     011C
1370:0121 EC            IN      AL,DX
1370:0122 A808          TEST    AL,08
1370:0124 74FB          JZ      0121
1370:0126 BAC903        MOV     DX,03C9
1370:0129 88D8          MOV     AL,BL
1370:012B EE            OUT     DX,AL
1370:012C 88F8          MOV     AL,BH
1370:012E EE            OUT     DX,AL
1370:012F 88C8          MOV     AL,CL
1370:0131 EE            OUT     DX,AL
1370:0132 B401          MOV     AH,01
1370:0134 CD16          INT     16
1370:0136 74CD          JZ      0105
1370:0138 B80300        MOV     AX,0003
1370:013B CD10          INT     10
1370:013D C3            RET

The first instruction (MOV AX,0013) specifies the function number 00h in AH that sets the video mode, in this case it is mode 13h in AL which is a grainy graphics mode by today's standards of 320x200 with 256 colors. This mode is favored by some programmers because it is very convenient in ways which will not be discussed here. The mode number 13h also specifies whether or not to clear the screen according to bit7. If cleared (set to 0) as it is, the video BIOS clears the screen, otherwise it doesn't. After setting AX with the necessary parameters, it calls interrupt 10 to fulfill the video bios service request. Setting this mode in this way is a very short way of both clearing the screen and making the dos box go full screen if the program is running in windows. The next set of instructions at offsets 105h to 111h (the numbers after the colon) read two bytes from a timer port and perform simple calculations to make 3 pseudorandom bytes. The instructions at offsets 113h to 118h set the palette index to zero which starts off as black so later the palette values can be written, this is important to do every loop because after writing a palette value the index will autoincrement to index one which is not desired. Next, at offsets 119h to 124h, the program waits for a vertical retracing period to make its move. when a vertical retrace occurs, the computer can safely write to video memory, or in our case, the palette registers, without causing flickers or tearing or any other aesthetic nasties because this is one time when the video card is not actively drawing a picture to the monitor. Not every card supports this, but almost all do. There's a way to check it using some VESA calls to prevent it from looping infinitely during polling, but I opted to keep the program short and simple. After this, at offsets 126h to 131h the actual palette entry is written using the previously calculated pseudorandom numbers. Palette entries are by default six bits wide so the top two bits are ignored and each entry consists of separate red, green, and blue values that are written in that order. The bios is then called to see whether a key has been pressed, if not continue looping at offset 105h else set the video mode back to the most common text mode and exit using a RETurn instruction.

Ahh, now with that out of the way I can finally cover the second method. Beware that this is exceedingly unlikely to work if the batch file is sent using an ascii transfer instead of binary because it actually contains raw program code in segments of the batch file. For this reason and the fact that it most likely won't show up correctly on a web page I can't show the example batch file. But I can do the next best thing: guide you how to do it in the simplest editor ever. This idea was developed independently of, but later with help from, an apj9 article. As you know the dos copy command can copy files, but it can also copy to and from files and devices. In order to be able to type up a file's contents without an editor or without a picky one in dos, use copy con filename.ext and con stands for console being your keyboard or monitor depending on the direction of data flow. The program is then entered with alt+numeric keypad sequences.

However, the numbers you enter must be in decimal, not hex, and some characters aren't allowed for various reasons, and this includes also not being able to use them in the batch file. The disallowed characters are 0, 3, 6, 8, 10 (0Ah), 13 (0Dh), 16 (10h), 19 (13h), 26 (1Ah), and 27 (1Bh); the first is the null character and e.g. notepad with convert it to a space (32, 20h) if resaved, 3 is Ctrl-C which would exit the "editor", 6 I don't know, 8 is backspace, 13 and 10 can only be used together in that order by hitting enter, 16 and 19 I don't know, 26 tells the editor you're done, and 27 I don't know (my reference says so, so I'll take their word for it). Just by looking at the machine code dump you can see already that some of these are present, especially character 3. Moving some things around, doing some "unnecessary" calculations, and doing things in completely different ways can remove all instances of these illegal characters. Here's the code I've come up with, and it's almost 1.5 times as large as the previous code (I could have done better, but oh well):


1370:0100 30E4          XOR     AH,AH
1370:0102 1F            POP     DS
1370:0103 B012          MOV     AL,12
1370:0105 BB01FF        MOV     BX,FF01
1370:0108 9C            PUSHF
1370:0109 40            INC     AX
1370:010A FF9F3F01      CALL    FAR [BX+013F]
1370:010E E440          IN      AL,40
1370:0110 88C3          MOV     BL,AL
1370:0112 E440          IN      AL,40
1370:0114 88C7          MOV     BH,AL
1370:0116 F6E3          MUL     BL
1370:0118 30DF          XOR     BH,BL
1370:011A 88C1          MOV     CL,AL
1370:011C BAC802        MOV     DX,02C8
1370:011F FEC6          INC     DH
1370:0121 30C0          XOR     AL,AL
1370:0123 EE            OUT     DX,AL
1370:0124 BADA02        MOV     DX,02DA
1370:0127 FEC6          INC     DH
1370:0129 EC            IN      AL,DX
1370:012A D0E8          SHR     AL,1
1370:012C A804          TEST    AL,04
1370:012E 75F9          JNZ     0129
1370:0130 EC            IN      AL,DX
1370:0131 D0E8          SHR     AL,1
1370:0133 A804          TEST    AL,04
1370:0135 74F9          JZ      0130
1370:0137 BAC902        MOV     DX,02C9
1370:013A FEC6          INC     DH
1370:013C 88D8          MOV     AL,BL
1370:013E EE            OUT     DX,AL
1370:013F 88F8          MOV     AL,BH
1370:0141 EE            OUT     DX,AL
1370:0142 88C8          MOV     AL,CL
1370:0144 EE            OUT     DX,AL
1370:0145 B401          MOV     AH,01
1370:0147 CD16          INT     16
1370:0149 74C3          JZ      010E
1370:014B 30E4          XOR     AH,AH
1370:014D B002          MOV     AL,02
1370:014F 40            INC     AX
1370:0150 BB01FF        MOV     BX,FF01
1370:0153 9C            PUSHF
1370:0154 FF9F3F01      CALL    FAR [BX+013F]
1370:0158 CD20          INT     20

To make the batch file, type copy con vret.bat at the prompt and hit enter, then type the following except spaces unless it says :

@echo off
echo 0 ALT+228 ALT+31 ALT+176 ALT+18 ALT+187 ALT+1 ALT+255 ALT+156 @ ALT+255 ALT+159 ? ALT+1 ALT+228 @ ALT+136 ALT+195 ALT+228 @ ALT+136 ALT+199 ALT+246 ALT+227 0 ALT+223 ALT+136 ALT+193 ALT+186 ALT+200 ALT+2 ALT+254 ALT+198 0 ALT+192 ALT+238 ALT+186 ALT+218 ALT+2 ALT+254 ALT+198 ALT+236 ALT+208 ALT+232 ALT+168 ALT+4 u ALT+249 ALT+236 ALT+208 ALT+232 ALT+168 ALT+4 t ALT+249 ALT+186 ALT+201 ALT+2 ALT+254 ALT+198 ALT+136 ALT+216 ALT+238 ALT+136 ALT+248 ALT+238 ALT+136 ALT+200 ALT+238 ALT+180 ALT+1 ALT+205 ALT+22 t ALT+195 0 ALT+228 ALT+176 ALT+2 @ ALT+187 ALT+1 ALT+255 ALT+156 ALT+255 ALT+159 ? ALT+1 ALT+205 > blah.com
blah
del blah.com

Now hit F6 or Ctrl-Z or Alt-26 (all do the same thing) and then hit enter.

Yes, that is one long echo statement so don't start others or hit enter until you're done entering the sequence. And there you have it!

Logged

Pages: [1]   Go Up
  Print  
 
Jump to:  

Copyright © 2006-2023 TechnoWorldInc.com. All Rights Reserved. Privacy Policy | Disclaimer
Page created in 0.153 seconds with 23 queries.