Welcome back today we are going to talk about a hole left in yeasterdays protection of executables.  That hole lies in the fact that if you rename an executable then kill it, there is no way for a watcher processes to restart it.  So what we do to solve that problem is watch the executables to make sure their names dont change, and if they do, you just change them back.  Lets look at the code. Read more

No comments

So a common problem you may imagine when engaging in office warfare is that it is quite easy to just end task on an executable.  The problem with this is that once your program is killed it can no longer defend you or attack your friends.  So how do we handle this problem? Well there is a fairly simple way to go about it, and fortunately for you I am about to share that with you.

Here is the general idea, you create another program to go along with your application you are sending, this programs sole purpose is to watch the list of processes and if your main program gets killed it just restarts it.  Then you add a little code to your main program that does the same thing for the watcher program.  Then if either program is killed they rerun the other one before the evil killer of little cute programs has s chance to kill the other. Read more

No comments

This is a fun ploy; you jump on your co-workers computer and find a shortcut on their desktop to Word or something.  You right click on it and change the target to something more amusing.  A few things come to mind like

Shutdown –f –s –t 0
Which will shutdown the computer right after they click it.

Or try choosing any of the rundll32 command from http://www.dx21.com/SCRIPTING/INDEX.ASP a great site for reference when you are doing any scripting.  A couple of my favorite rundll32 commands are

RunDll32.exe user32.dll,LockWorkStation
which locks the workstation or

RunDll32.exe USER32.DLL,SwapMouseButton
which will swap their mouse buttons (effectively making their mouse left handed)

Use your imagination on this one, you can run any program on the computer, if you come up with a clever one make sure you post it to the comments.  Also if you have any office warfare ideas you think should be posted on the site send them to tips@officewarfare.net.

  

1 comment

So I wrote this app a little while back with the intention of giving it to you good folks here at officewarfare.  The program basically stems from the need to defend yourself against the attacks of your co-workers.  This program mainly (at the moment) defends against the shutdown command. 

What this app does is monitor the event log for an event indicating that a shutdown has been initiated and when it detects one it aborts said shutdown.  Then to make it not just a wussy defensive app it attempts to shutdown the computer  made the feeble attack against you.  Anyways the app requires .net 2.0 and minimizes to to task bar.  Have fun.

Download Here

No comments

So I was reading hackaday.com recently and saw this article http://www.hackaday.com/2008/04/01/random-usb-caps-locker/ about a usb interface that randomly sets caps lock to annoy your co-workers.  The idea fit in with office warfare so well I had to post about it.  But to top just posting I decided to write a software version for those of us that are less hardware tech savvy but can manage to download an app and install it on our co-workers comp.  So here it is, this app is .net 2.0 and hides itself on run.  30% of the time the poor victim presses the left shift key it will toggle caps lock.  Thus making them think it they are misclicking.

Download Here

No comments

Welcome back kiddies for the second installment in our series. Today we are going to look at another easy to use tool for interfering in the productivity of those around you.  Today’s tool brought to us by the fantastic chums over at SysInternals, is psexec.  Psexec is a step up from last article, the general principle of psexec is that it allows you to run any command line application that is on your neighbor’s computer from your computer and pass in flags.  Ok so psexec does not come preinstalled here is a link to the site where you can get it.  Come right back after you have it.

Good now that we got that out of the way if we run psexec without any flags we get the help pasted here for your blessed convenience.

PsExec v1.72 - Execute processes remotely

Copyright (C) 2001-2006 Mark Russinovich

Sysinternals - www.sysinternals.com

 

PsExec executes a program on a remote system, where remotely executed console

applications execute interactively.

 

Usage: psexec [\\computer[,computer2[,...] | @file][-u user [-p psswd]][-n s][-

][-s|-e][-x][-i][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [aruments]

     -a         Separate processors on which the application can run with

                commas where 1 is the lowest numbered CPU. For example,

                to run the application on CPU 2 and CPU 4, enter:

                “-a 2,4″

     -c         Copy the specified program to the remote system for

                execution. If you omit this option the application

                must be in the system path on the remote system.

     -d         Don’t wait for process to terminate (non-interactive).

     -e         Loads the specified account’s profile.

     -f         Copy the specified program even if the file already

                exists on the remote system.

     -i         Run the program so that it interacts with the desktop on the

                remote system.

     -l         Run process as limited user (strips the Administrators group

                and allows only priviliges assigned to the Users group).

     -n         Specifies timeout in seconds connecting to remote computers.

     -p         Specifies optional password for user name. If you omit this

                you will be prompted to enter a hidden password.

     -s         Run the remote process in the System account.

     -u         Specifies optional user name for login to remote

                computer.

     -v         Copy the specified file only if it has a higher version number

                or is newer on than the one on the remote system.

     -w         Set the working directory of the process (relative to

                remote computer).

     -x         Display the UI on the Winlogon secure desktop (local system only).

     -priority  Specifies -low, -belownormal, -abovenormal, -high or

                -realtime to run the process at a different priority.

     computer   Direct PsExec to run the application on the remote

                computer or computers specified. If you omit the computer

                name PsExec runs the application on the local system,

                and if you specify a wildcard (\\*), PsExec runs the

                command on all computers in the current domain.

     @file      PsExec will execute the command on each of the computers listed

                in the file.

     program    Name of application to execute.

     arguments  Arguments to pass (note that file paths must be

                absolute paths on the target system).

 

You can enclose applications that have spaces in their name with

quotation marks e.g. psexec \\marklap “c:\long name app.exe”.

Input is only passed to the remote system when you press the enter

key, and typing Ctrl-C terminates the remote process.

 

If you omit a user name the process will run in the context of your

account on the remote system, but will not have access to network

resources (because it is impersonating). Specify a valid user name

in the Domain\User syntax if the remote process requires access

to network resources or to run in a different account. Note that

the password is transmitted in clear text to the remote system.

 

Error codes returned by PsExec are specific to the applications you

execute, not PsExec.

Ok now as I said this is a step up so bear with me.  The important command line switches (in order of appearance) are

/c as you can see (if you can read) /c copies the command in question over to the destination computer.  This is useful in case the program is not already stored on the destination.  However in most instances the command we are running will already be there so this will not be needed.

/f is related to /c and basically forces a copy even if the file already exists.  I recommend using this every time you use /c

/i is one of the most important switches.  This causes the application to show itself to the user that is currently logged in.  Why is this important you ask? Because one of the main ways we will use psexec is to pop up windows on the remote computer that annoy the user visually.

Those three switches make up the really important set; other ones can be used but are not necessary.  So let’s put it together and see about doing something annoying to our friends next door.  Lets run a RUNDLL32 command on a computer that will switch the mouse buttons.  Quick side note, rundll32 is basically a program that allows you to call functions in dlls. Anyways we will have a full article on rundll32 later down the road but for now lets try.

Psexec /i \\hr-JanetLee RunDll32.exe USER32.DLL,SwapMouseButton

So to break this one down, we are using psexec (obviously since the article is about psexec) and we want the command to run interactively. We are doing this to the imaginary remote computer hr-JannetLee and the command we want to run is RunDll32.exe USER32.DLL,SwapMouseButton.

The net effect is that Janet will have no idea that anything has happened until she tries to click on things and keeps getting context menus.  That about sums it up for psexec for this week, try to think of other great uses for this application and we will give you some more as we go along too.  Look forward to the rundll32 article as it will be chock full of fun toys we can use with psexec.

1 comment