Posted: 4/14/2009 11:50:42 AM EDT
Sc config nod32krn start= disabled
Sc config nod32drv start= disabled
@echo off
rem set up phase 2 batch file to %windir%\temp
rem Clear autologin
echo reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /f >%windir%\temp\phase2.cmd
echo reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d Spardom /f >>%windir%\temp\phase2.cmd
echo reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /f >>%windir%\temp\phase2.cmd
echo reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f >>%windir%\temp\phase2.cmd
echo reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0 /f >>%windir%\temp\phase2.cmd
rem uninstall nod32
echo sc delete nod32krn >>%windir%\temp\phase2.cmd
echo sc delete nod32drv >>%windir%\temp\phase2.cmd
echo reg delete hklm\SYSTEM\CurrentControlSet\Services\nod32drv /f >>%windir%\temp\phase2.cmd
echo reg delete hklm\SOFTWARE\Eset /f >>%windir%\temp\phase2.cmd
echo reg delete hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v nod32kui /f >>%windir%\temp\phase2.cmd
echo rd /s /q "C:\Program Files\Eset" >>%windir%\temp\phase2.cmd
echo del /f "C:\WINDOWS\system32\drivers\nod32drv.sys" >>%windir%\temp\phase2.cmd
echo del /f "C:\WINDOWS\system32\drivers\amon.sys" >>%windir%\temp\phase2.cmd
echo del /f "C:\WINDOWS\system32\imon.dll" >>%windir%\temp\phase2.cmd
echo rd /s /q "%allusersprofile%\STARTM~1\Programs\Eset" >>%windir%\temp\phase2.cmd
echo rd /s /q "%ProgramFiles%\Eset" >>%windir%\temp\phase2.cmd
rem install Vipre
echo start /w %windir%\system32\msiexec.exe /i %windir%\temp\SBEAgent-Workstation_Default.msi /q >>%windir%\temp\phase2.cmd
echo del %windir%\temp\SBEAgent-Workstation_Default.msi >>%windir%\temp\phase2.cmd
rem Reboot
echo Shutdown -f -r -t 0 >>%windir%\temp\phase2.cmd
rem end of phase2.cmd ====================================
@echo on
rem copy VIPRE msi to local drive
copy \\{removed}.com\dfs\install\SBEAgent-Workstation_Default.msi %windir%\temp
rem Set up autologin
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d administrator /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "my local admin password" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
rem set up to run phase2.cmd on reboot
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce" /v phase2 /t REG_SZ /d "%windir%\temp\phase2.cmd" /f
rem Reboot
Shutdown -f -r -t 0
1. Much of the first section won't happen due to "REM" and "ECHO" (didn't read much of it as it won't happen)
2. The copy of "SBEAgent-Workstation_Default.msi" may not happen without a "/Y" (if the file is already in place)
3. You may want to change the reg key for the defaultdomainname to %computername% for local auto login

What am I missing?

EDIT: I see what you're doing there with the echos......stand by.
The only issue I see is that this registry addition should be of REG_EXPAND_SZ type.

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce" /v phase2 /t REG_SZ /d "%windir%\temp\phase2.cmd" /f

However, I have been taking lots of medication today so....
Quoted:
The only issue I see is that this registry addition should be of REG_EXPAND_SZ type.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce" /v phase2 /t REG_SZ /d "%windir%\temp\phase2.cmd" /f
However, I have been taking lots of medication today so....

This. Do I look smart now?
Quoted:
Quoted:
10 PRINT "Fuck Obama!"
20 GOTO 10
R-Basic. I bet most of the kids here don't even know what that is.

Dunno about R-Basic, but those commands work on the Commodore-64 I've got buried somewhere out in the garage. It's probably right next to the Atari 2600.
Quoted:
The only issue I see is that this registry addition should be of REG_EXPAND_SZ type.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce" /v phase2 /t REG_SZ /d "%windir%\temp\phase2.cmd" /f
However, I have been taking lots of medication today so....

A quick test showed me that %windir% gets expanded during the reg add so it is a full path in the registry and REG_EXPAND_SZ wouldn't be necessary in that case. Unfortunately nothing else is jumping out at me as a problem. Is this one of those "spot the defect" brainteasers?
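An added audit check, written here as an example and not code from this thread: it models the Winlogon and RunOnce values the script in the first post writes (cleartext DefaultPassword, AutoAdminLogon, a RunOnce pointing into %windir%\temp) and, for the REG_SZ versus REG_EXPAND_SZ point above, flags a value that still carries an unexpanded %variable%. The function name and the snapshot dicts are my own constructions.

```python
import re

# Matches an unexpanded environment reference such as %windir%.
ENV_REF = re.compile(r"%[^%]+%")

def audit_winlogon(winlogon, runonce):
    """Return findings for a snapshot of the autologin/RunOnce state.

    winlogon: {value_name: (reg_type, data)} for the Winlogon key
    runonce:  {value_name: (reg_type, data)} for the RunOnce key
    Both are constructed dicts modelling what reg.exe would export.
    """
    findings = []
    auto = winlogon.get("AutoAdminLogon", ("REG_SZ", "0"))[1]
    if auto == "1":
        findings.append("AutoAdminLogon is enabled")
        user = winlogon.get("DefaultUserName", ("REG_SZ", ""))[1]
        if user.lower() == "administrator":
            findings.append("autologin account is the local Administrator")
    if "DefaultPassword" in winlogon:
        # Winlogon's DefaultPassword is stored in cleartext and the key is
        # readable by local users, so it must not outlive the deployment.
        findings.append("DefaultPassword is stored in cleartext")
    for name, (reg_type, data) in runonce.items():
        if ENV_REF.search(data) and reg_type != "REG_EXPAND_SZ":
            # cmd.exe expands %windir% before reg.exe runs, so this fires only
            # if the value was written without shell expansion (e.g. by a tool).
            findings.append(f"RunOnce '{name}' has unexpanded variable in {reg_type}")
        if "\\temp\\" in data.lower():
            findings.append(f"RunOnce '{name}' runs a script from a temp directory")
    return findings

# Constructed snapshot after the first stage ran, before the reboot.
AFTER_PHASE1_WINLOGON = {
    "DefaultDomainName": ("REG_SZ", ""),
    "DefaultUserName": ("REG_SZ", "administrator"),
    "DefaultPassword": ("REG_SZ", "my local admin password"),
    "AutoAdminLogon": ("REG_SZ", "1"),
}
AFTER_PHASE1_RUNONCE = {"phase2": ("REG_SZ", r"C:\WINDOWS\temp\phase2.cmd")}

# Constructed snapshot after phase2.cmd cleaned up (RunOnce entries are
# removed by Windows once they have executed).
AFTER_PHASE2_WINLOGON = {
    "DefaultDomainName": ("REG_SZ", "Spardom"),
    "AutoAdminLogon": ("REG_SZ", "0"),
}
AFTER_PHASE2_RUNONCE = {}
```

Run it against both snapshots: the mid-deployment state yields four findings, the cleaned-up state none, which is the check you want before calling the rollout finished.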
Quoted:
Quoted:
The only issue I see is that this registry addition should be of REG_EXPAND_SZ type.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce" /v phase2 /t REG_SZ /d "%windir%\temp\phase2.cmd" /f
However, I have been taking lots of medication today so....

A quick test showed me that %windir% gets expanded during the reg add so it is a full path in the registry and REG_EXPAND_SZ wouldn't be necessary in that case. Unfortunately nothing else is jumping out at me as a problem. Is this one of those "spot the defect" brainteasers?

No, it's a file where my manager said "I did some cool things and made a couple mistakes. Can you find the errors?" I was like sure, I'll see what I can find. I didn't find any errors. (Like I knew wtf I was looking at)
Quoted:
Quoted:
The only issue I see is that this registry addition should be of REG_EXPAND_SZ type.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce" /v phase2 /t REG_SZ /d "%windir%\temp\phase2.cmd" /f
However, I have been taking lots of medication today so....

A quick test showed me that %windir% gets expanded during the reg add so it is a full path in the registry and REG_EXPAND_SZ wouldn't be necessary in that case.

My thoughts exactly.
Quoted:
Quoted:
The only issue I see is that this registry addition should be of REG_EXPAND_SZ type.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce" /v phase2 /t REG_SZ /d "%windir%\temp\phase2.cmd" /f
However, I have been taking lots of medication today so....

A quick test showed me that %windir% gets expanded during the reg add so it is a full path in the registry and REG_EXPAND_SZ wouldn't be necessary in that case.

Double tap.
Quoted:
No, it's a file where my manager said "I did some cool things and made a couple mistakes. Can you find the errors?" I was like sure, I'll see what I can find. I didn't find any errors. (Like I knew wtf I was looking at)

Ah, nice. It's these "mind sharpening" puzzles that float around at work that have me thinking every piece of code I see is a trick question. Now that I think about it, it's probably building paranoia more than anything else.
You are forgetting this:

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class StringCrypto
{
    public static string Encrypt (string originalString)
    {
        if (string.IsNullOrEmpty (originalString))
        {
            throw new ArgumentNullException (
                "originalString",
                "The string which needs to be encrypted can not be null.");
        }
        // RijndaelManaged defaults to CBC with PKCS7 padding.
        using (var cryptoProvider = new RijndaelManaged ())
        using (var memoryStream = new MemoryStream ())
        using (var cryptoStream = new CryptoStream (
            memoryStream, cryptoProvider.CreateEncryptor (rgbKey, rgbIV), CryptoStreamMode.Write))
        using (var writer = new StreamWriter (cryptoStream))
        {
            writer.Write (originalString);
            writer.Flush ();
            cryptoStream.FlushFinalBlock ();
            writer.Flush ();
            return Convert.ToBase64String (memoryStream.GetBuffer (), 0, (int) memoryStream.Length);
        }
    }

    public static string Decrypt (string cryptedString)
    {
        if (string.IsNullOrEmpty (cryptedString))
        {
            throw new ArgumentNullException (
                "cryptedString",
                "The string which needs to be decrypted can not be null.");
        }
        using (var cryptoProvider = new RijndaelManaged ())
        using (var memoryStream = new MemoryStream (
            Convert.FromBase64String (cryptedString)))
        using (var cryptoStream = new CryptoStream (
            memoryStream, cryptoProvider.CreateDecryptor (rgbKey, rgbIV), CryptoStreamMode.Read))
        using (var reader = new StreamReader (cryptoStream))
        {
            return reader.ReadToEnd ();
        }
    }

    // 32-byte key (AES-256) and 16-byte IV, both hard-coded as ASCII literals:
    // anyone with the binary can recover them, and a fixed IV reused for every
    // message lets an observer tell when two plaintexts share a leading block.
    private static byte [] rgbKey = ASCIIEncoding.ASCII.GetBytes ("Ni=9OE=$i+62eprIuDr@ewOu5I9r34Ro"); // change to your own secure key
    private static byte [] rgbIV = ASCIIEncoding.ASCII.GetBytes ("to$eO_e!maI*o3ut"); // change to your own secure initialization vector
}

....one must encrypt their scripts/code, the zombies are getting smarter......
Quoted:
You are forgetting this:

public static string Encrypt (string originalString)
{
    if (string.IsNullOrEmpty (originalString))
    {
        throw new ArgumentNullException (
            "originalString",
            "The string which needs to be encrypted can not be null.");
    }
    using (var cryptoProvider = new RijndaelManaged ())
    using (var memoryStream = new MemoryStream ())
    using (var cryptoStream = new CryptoStream (
        memoryStream, cryptoProvider.CreateEncryptor (rgbKey, rgbIV), CryptoStreamMode.Write))
    using (var writer = new StreamWriter (cryptoStream))
    {
        writer.Write (originalString);
        writer.Flush ();
        cryptoStream.FlushFinalBlock ();
        writer.Flush ();
        return Convert.ToBase64String (memoryStream.GetBuffer (), 0, (int) memoryStream.Length);
    }
}

public static string Decrypt (string cryptedString)
{
    if (string.IsNullOrEmpty (cryptedString))
    {
        throw new ArgumentNullException (
            "cryptedString",
            "The string which needs to be decrypted can not be null.");
    }
    using (var cryptoProvider = new RijndaelManaged ())
    using (var memoryStream = new MemoryStream (
        Convert.FromBase64String (cryptedString)))
    using (var cryptoStream = new CryptoStream (
        memoryStream, cryptoProvider.CreateDecryptor (rgbKey, rgbIV), CryptoStreamMode.Read))
    using (var reader = new StreamReader (cryptoStream))
    {
        return reader.ReadToEnd ();
    }
}

private static byte [] rgbKey = ASCIIEncoding.ASCII.GetBytes ("Ni=9OE=$i+62eprIuDr@ewOu5I9r34Ro"); // change to your own secure key
private static byte [] rgbIV = ASCIIEncoding.ASCII.GetBytes ("to$eO_e!maI*o3ut"); // change to your own secure initialization vector

....one must encrypt their scripts/code, the zombies are getting smarter......

And obviously obfuscate their code, as well...
Quoted:
Quoted:
You are forgetting this:

public static string Encrypt (string originalString)
{
    if (string.IsNullOrEmpty (originalString))
    {
        throw new ArgumentNullException (
            "originalString",
            "The string which needs to be encrypted can not be null.");
    }
    using (var cryptoProvider = new RijndaelManaged ())
    using (var memoryStream = new MemoryStream ())
    using (var cryptoStream = new CryptoStream (
        memoryStream, cryptoProvider.CreateEncryptor (rgbKey, rgbIV), CryptoStreamMode.Write))
    using (var writer = new StreamWriter (cryptoStream))
    {
        writer.Write (originalString);
        writer.Flush ();
        cryptoStream.FlushFinalBlock ();
        writer.Flush ();
        return Convert.ToBase64String (memoryStream.GetBuffer (), 0, (int) memoryStream.Length);
    }
}

public static string Decrypt (string cryptedString)
{
    if (string.IsNullOrEmpty (cryptedString))
    {
        throw new ArgumentNullException (
            "cryptedString",
            "The string which needs to be decrypted can not be null.");
    }
    using (var cryptoProvider = new RijndaelManaged ())
    using (var memoryStream = new MemoryStream (
        Convert.FromBase64String (cryptedString)))
    using (var cryptoStream = new CryptoStream (
        memoryStream, cryptoProvider.CreateDecryptor (rgbKey, rgbIV), CryptoStreamMode.Read))
    using (var reader = new StreamReader (cryptoStream))
    {
        return reader.ReadToEnd ();
    }
}

private static byte [] rgbKey = ASCIIEncoding.ASCII.GetBytes ("Ni=9OE=$i+62eprIuDr@ewOu5I9r34Ro"); // change to your own secure key
private static byte [] rgbIV = ASCIIEncoding.ASCII.GetBytes ("to$eO_e!maI*o3ut"); // change to your own secure initialization vector

....one must encrypt their scripts/code, the zombies are getting smarter......

And obviously obfuscate their code, as well...

Yeah....I didn't want to take up a whole page on the site just to syntactically display my code. [I'm not a zombie........yet]