kbnet
Sep 22 2004, 06:17 PM
Trying to work out a way of executing a .bat file from the registry but it remains hidden. Executes ok but it runs the console window and you can see all the processes getting executed. I've tried all types of redirection, none of which work. Using the start command would be fantastic, because of the /B switch which allows the window to remain hidden, but because it's a child process of cmd.exe you obviously see the console window. Also, it can't be a .exe, otherwise we could do it easily, but this program will be built on systems on the fly.
There must be some way of executing the .bat file we've designed and let it remain hidden. Any kind of registry tweak we could do?
Any suggestions at all will be very much appreciated. Cheers
crackie
Sep 22 2004, 06:58 PM
You can use the hidden32.exe to hide this little window.
kbnet
Sep 22 2004, 07:16 PM
We can't use third-party tools for what we need to do. Cheers anyway.
tstngry
Sep 22 2004, 10:30 PM
- I may just have what you are looking for. It is a program called Tebic. Tebic takes a .bat file, or any other file, and makes it so that it executes hidden. You can make the .bat file into a .exe or you can take a .bat file and make it into a stealth .bat.
- Here is the code for a .bat that I made that makes a test.txt and then exits.
- This probably won't work if you copy and paste it as a .bat, but I don't know, I haven't tried. I have attached tebic and the test.bat that I made. The usage for tebic is: tebic.exe filetostealth.bat, ,nametoextractas.bat, ,stealthbatname.bat
- For example, to make the test batch file I have included called test.bat I used the command: tebic.exe test.bat, ,stealth.bat, ,123.bat This will take test.bat and make stealth.bat. When you execute stealth.bat it will extract your original .bat file as 123.bat but hidden. The last file name is not important because it will be extracted and then deleted when it is done executing.
- If you don't understand this tell me, I will try to explain it better.
- BTW I don't know who made this program or where I got it from. Hope it is still ok to share.
heroin
Sep 22 2004, 10:34 PM
Put this line in a txtfile, rename it to whatever.vbs
| CODE | | CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False |
and run your bat with it from the commandline:
| CODE | | whatever.vbs mynonharmful.bat |
your batfile gets "hidden" executed, no window will popup!
-h
Yorn
Sep 22 2004, 11:32 PM
then, after making the .vbs file, use screnc.exe available from Microsoft to encrypt it, renaming the file to .vbe
That way your virusscan won't complain.
SkullSplitter
Sep 23 2004, 12:42 AM
@Yorn
VBE decoder
Decode all files encoded with screnc.exe. This script gives you a decoded listing from an encoded file. Supports *,je, ,vbe, .asp, .hta, .htm, .html… If used under cscript, puts the result to stdout. The file can be multi-encoded (many scripts in the file, for ex. in an html file). Used under wscript, pops up the decoded file in a message box.
File Name : decovbe.vbs
Requirement : none
Author : Jean-Luc Antoine
Submitted : 05/09/2001
Updated : 09/12/2001
Category : 4K
| CODE |
Option Explicit

Dim oArgs, NomFichier

'Optional argument : the encoded filename
NomFichier=""
Set oArgs = WScript.Arguments
Select Case oArgs.Count
Case 0 'No Arg, popup a dialog box to choose the file
    NomFichier=BrowseForFolder("Choose an encoded file", &H4031, &H0011)
Case 1
    If Instr(oArgs(0),"?")=0 Then '-? or /? => help
        NomFichier=oArgs(0)
    End If
Case Else
    WScript.Echo "Too many parameters"
End Select
Set oArgs = Nothing

If NomFichier<>"" Then
    Dim fso
    Set fso=WScript.CreateObject("Scripting.FileSystemObject")
    If fso.FileExists(NomFichier) Then
        Dim fic,contenu
        Set fic = fso.OpenTextFile(NomFichier, 1)
        Contenu=fic.readAll
        fic.close
        Set fic=Nothing

        Const TagInit="#@~^" '#@~^awQAAA==
        Const TagFin="==^#~@" '& chr(0)
        Dim DebutCode, FinCode
        'Replace every encoded block in the file by its decoded text
        Do
            FinCode=0
            DebutCode=Instr(Contenu,TagInit)
            If DebutCode>0 Then
                If (Instr(DebutCode,Contenu,"==")-DebutCode)=10 Then 'If "==" follows the tag
                    FinCode=Instr(DebutCode,Contenu,TagFin)
                    If FinCode>0 Then
                        Contenu=Left(Contenu,DebutCode-1) & _
                            Decode(Mid(Contenu,DebutCode+12,FinCode-DebutCode-12-6)) & _
                            Mid(Contenu,FinCode+6)
                    End If
                End If
            End If
        Loop Until FinCode=0
        WScript.Echo Contenu
    Else
        WScript.Echo Nomfichier & " not found"
    End If
    Set fso=Nothing
Else
    WScript.Echo "Please give a filename"
    WScript.Echo "Usage : " & wscript.fullname & " " & WScript.ScriptFullName & " <filename>"
End If

Function Decode(Chaine)
    Dim se,i,c,j,index,ChaineTemp
    Dim tDecode(127)
    Const Combinaison="1231232332321323132311233213233211323231311231321323112331123132"

    'Build the reverse table by encoding each character with Scripting.Encoder
    Set se=WSCript.CreateObject("Scripting.Encoder")
    For i=9 to 127
        tDecode(i)="JLA"
    Next
    For i=9 to 127
        ChaineTemp=Mid(se.EncodeScriptFile(".vbs",string(3,i),0,""),13,3)
        For j=1 to 3
            c=Asc(Mid(ChaineTemp,j,1))
            tDecode(c)=Left(tDecode(c),j-1) & chr(i) & Mid(tDecode(c),j+1)
        Next
    Next
    'Next line we correct a bug, otherwise a ")" could be decoded to a ">"
    tDecode(42)=Left(tDecode(42),1) & ")" & Right(tDecode(42),1)
    Set se=Nothing

    'Undo the escape sequences, then map each character back through the table
    Chaine=Replace(Replace(Chaine,"@&",chr(10)),"@#",chr(13))
    Chaine=Replace(Replace(Chaine,"@*",">"),"@!","<")
    Chaine=Replace(Chaine,"@$","@")
    index=-1
    For i=1 to Len(Chaine)
        c=asc(Mid(Chaine,i,1))
        If c<128 Then index=index+1
        If (c=9) or ((c>31) and (c<128)) Then
            If (c<>60) and (c<>62) and (c<>64) Then
                Chaine=Left(Chaine,i-1) & Mid(tDecode(c),Mid(Combinaison,(index mod 64)+1,1),1) & Mid(Chaine,i+1)
            End If
        End If
    Next
    Decode=Chaine
End Function

Function BrowseForFolder(ByVal pstrPrompt, ByVal pintBrowseType, ByVal pintLocation)
    Dim ShellObject, pstrTempFolder, x
    Set ShellObject=WScript.CreateObject("Shell.Application")
    On Error Resume Next
    Set pstrTempFolder=ShellObject.BrowseForFolder(&H0,pstrPrompt,pintBrowseType,pintLocation)
    BrowseForFolder=pstrTempFolder.ParentFolder.ParseName(pstrTempFolder.Title).Path
    If Err.Number<>0 Then BrowseForFolder=""
    Set pstrTempFolder=Nothing
    Set ShellObject=Nothing
End Function
|
Cheers
SkullSplitter
Edit: @Yorn, sorry, misunderstood your reply .. but the decoder is fine
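Added example (not part of the thread or of decovbe.vbs): a triage helper for reviewers that locates Script Encoder blocks using the same tag layout the decoder above relies on, and flags plain-text WshShell.Run calls with window style 0 like the launcher posted earlier. Reading the 6 characters after the start tag as a base64 little-endian length is an assumption of this example; the function names and sample inputs are constructed.

```python
import base64
import re
import struct

# Layout taken from the decoder on this page: "#@~^" + 6 chars + "==" + body
# + 6 chars + "==^#~@". Reading the first 6 chars as a base64 little-endian
# 32-bit length is an assumption of this example.
BLOCK = re.compile(
    r"#@~\^([A-Za-z0-9+/]{6}==)(.*?)[A-Za-z0-9+/]{6}==\^#~@", re.DOTALL)
# Plain-text WshShell.Run call whose window-style argument is 0 (hidden).
HIDDEN_RUN = re.compile(r"\.Run\b[^\r\n]*,\s*0\s*(?:,|$)", re.I | re.M)

def find_encoded_blocks(text):
    """Return one dict per well-formed Script Encoder block found in text."""
    blocks = []
    for m in BLOCK.finditer(text):
        (declared,) = struct.unpack("<I", base64.b64decode(m.group(1)))
        blocks.append({"offset": m.start(),
                       "declared_length": declared,
                       "body_chars": len(m.group(2))})
    return blocks

def triage(name, text):
    """Summarise what a reviewer should look at in one script file."""
    blocks = find_encoded_blocks(text)
    return {
        "file": name,
        "encoded_blocks": len(blocks),
        # Start tag present but no well-formed block: truncated or altered.
        "stray_marker": "#@~^" in text and not blocks,
        "hidden_run": bool(HIDDEN_RUN.search(text)),
    }

def make_sample_block(body):
    """Build a constructed block: valid header, dummy 6-char trailer."""
    header = base64.b64encode(struct.pack("<I", len(body))).decode()
    return "#@~^" + header + body + "AAAAAA" + "==^#~@"

if __name__ == "__main__":
    # Constructed samples, not real encoded scripts.
    launcher = 'CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False'
    page = "<script>" + make_sample_block("xxxxx") + "</script>"
    for name, text in (("whatever.vbs", launcher), ("page.html", page),
                       ("cut.vbe", "#@~^BQAA")):
        print(triage(name, text))
```

Files with a non-zero encoded_blocks count can then be passed to the decoder above for a readable listing.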
heroin
Sep 23 2004, 03:31 PM
never noticed a complaint by kaspersky about this line in a vbscript. does other av-software identify it as a "harmful script"?
-h