It is amaizing how often new processes are launched on your computer, all of them doing their own thing and a lot of times you have no idea they are doing it.  This can be a dangerious thing if your friends have been learning about office warfare and are startring to install things on your computer.  However it does us little good to just watch the task manager since there are a lot of processes that start when your computer starts up and it can be hard to sort it all out. 

However monitoring new processes can be quite useful since that will show you what new things are cropping up all the time.  Fortunately for all of us there is a great scripting language that comes pre built into windows machines called Windows Management Instrumentation (WMI) that when coupled with the Visual Basic Scripting language (vbs) will allow us to monitor new processes. 

Lets look at the code after the break. Read more

1 comment

So yesterday we talked about the event log, you could were you so inclined, just keep the event log open and periodically refresh it thereby keeping an ‘eye’ on the event log.  However, in the end this is impractical.  So what you do is access the event log in code and monitor the events you are interested in, then when one of them fires off you notify yourself via some mechanism that suits you.  So how, you ask, might I monitor the event log in code?  Well I am glad you asked, lets look at the code after the break. Read more

No comments

So several of the applications I have written these last two weeks have involved monitoring the keyboard for key presses in one way or another.  There are a couple of ways to go about this sort of thing, one easy way and one hard (but less resource intense).  The first way is to loop (using a timer) checking the state of the keyboard every so often.  The second way is to use a global keyboard hook, which is a little bit difficult to implement since you have to have an outside dll do some of the work. 

So obviously I am going to show you the lazy easy way since that is what I have been using.  The easy way is the only way to really do it when you are knocking out code quickly for small amusing apps. 

Lets look at the code Read more

No comments

Welcome back today we are going to talk about a hole left in yeasterdays protection of executables.  That hole lies in the fact that if you rename an executable then kill it, there is no way for a watcher processes to restart it.  So what we do to solve that problem is watch the executables to make sure their names dont change, and if they do, you just change them back.  Lets look at the code. Read more

No comments

So a common problem you may imagine when engaging in office warfare is that it is quite easy to just end task on an executable.  The problem with this is that once your program is killed it can no longer defend you or attack your friends.  So how do we handle this problem? Well there is a fairly simple way to go about it, and fortunately for you I am about to share that with you.

Here is the general idea, you create another program to go along with your application you are sending, this programs sole purpose is to watch the list of processes and if your main program gets killed it just restarts it.  Then you add a little code to your main program that does the same thing for the watcher program.  Then if either program is killed they rerun the other one before the evil killer of little cute programs has s chance to kill the other. Read more

No comments

Welcome back kiddies for the second installment in our series. Today we are going to look at another easy to use tool for interfering in the productivity of those around you.  Today’s tool brought to us by the fantastic chums over at SysInternals, is psexec.  Psexec is a step up from last article, the general principle of psexec is that it allows you to run any command line application that is on your neighbor’s computer from your computer and pass in flags.  Ok so psexec does not come preinstalled here is a link to the site where you can get it.  Come right back after you have it.

Good now that we got that out of the way if we run psexec without any flags we get the help pasted here for your blessed convenience.

PsExec v1.72 - Execute processes remotely

Copyright (C) 2001-2006 Mark Russinovich

Sysinternals - www.sysinternals.com

 

PsExec executes a program on a remote system, where remotely executed console

applications execute interactively.

 

Usage: psexec [\\computer[,computer2[,...] | @file][-u user [-p psswd]][-n s][-

][-s|-e][-x][-i][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [aruments]

     -a         Separate processors on which the application can run with

                commas where 1 is the lowest numbered CPU. For example,

                to run the application on CPU 2 and CPU 4, enter:

                “-a 2,4″

     -c         Copy the specified program to the remote system for

                execution. If you omit this option the application

                must be in the system path on the remote system.

     -d         Don’t wait for process to terminate (non-interactive).

     -e         Loads the specified account’s profile.

     -f         Copy the specified program even if the file already

                exists on the remote system.

     -i         Run the program so that it interacts with the desktop on the

                remote system.

     -l         Run process as limited user (strips the Administrators group

                and allows only priviliges assigned to the Users group).

     -n         Specifies timeout in seconds connecting to remote computers.

     -p         Specifies optional password for user name. If you omit this

                you will be prompted to enter a hidden password.

     -s         Run the remote process in the System account.

     -u         Specifies optional user name for login to remote

                computer.

     -v         Copy the specified file only if it has a higher version number

                or is newer on than the one on the remote system.

     -w         Set the working directory of the process (relative to

                remote computer).

     -x         Display the UI on the Winlogon secure desktop (local system only).

     -priority  Specifies -low, -belownormal, -abovenormal, -high or

                -realtime to run the process at a different priority.

     computer   Direct PsExec to run the application on the remote

                computer or computers specified. If you omit the computer

                name PsExec runs the application on the local system,

                and if you specify a wildcard (\\*), PsExec runs the

                command on all computers in the current domain.

     @file      PsExec will execute the command on each of the computers listed

                in the file.

     program    Name of application to execute.

     arguments  Arguments to pass (note that file paths must be

                absolute paths on the target system).

 

You can enclose applications that have spaces in their name with

quotation marks e.g. psexec \\marklap “c:\long name app.exe”.

Input is only passed to the remote system when you press the enter

key, and typing Ctrl-C terminates the remote process.

 

If you omit a user name the process will run in the context of your

account on the remote system, but will not have access to network

resources (because it is impersonating). Specify a valid user name

in the Domain\User syntax if the remote process requires access

to network resources or to run in a different account. Note that

the password is transmitted in clear text to the remote system.

 

Error codes returned by PsExec are specific to the applications you

execute, not PsExec.

Ok now as I said this is a step up so bear with me.  The important command line switches (in order of appearance) are

/c as you can see (if you can read) /c copies the command in question over to the destination computer.  This is useful in case the program is not already stored on the destination.  However in most instances the command we are running will already be there so this will not be needed.

/f is related to /c and basically forces a copy even if the file already exists.  I recommend using this every time you use /c

/i is one of the most important switches.  This causes the application to show itself to the user that is currently logged in.  Why is this important you ask? Because one of the main ways we will use psexec is to pop up windows on the remote computer that annoy the user visually.

Those three switches make up the really important set; other ones can be used but are not necessary.  So let’s put it together and see about doing something annoying to our friends next door.  Lets run a RUNDLL32 command on a computer that will switch the mouse buttons.  Quick side note, rundll32 is basically a program that allows you to call functions in dlls. Anyways we will have a full article on rundll32 later down the road but for now lets try.

Psexec /i \\hr-JanetLee RunDll32.exe USER32.DLL,SwapMouseButton

So to break this one down, we are using psexec (obviously since the article is about psexec) and we want the command to run interactively. We are doing this to the imaginary remote computer hr-JannetLee and the command we want to run is RunDll32.exe USER32.DLL,SwapMouseButton.

The net effect is that Janet will have no idea that anything has happened until she tries to click on things and keeps getting context menus.  That about sums it up for psexec for this week, try to think of other great uses for this application and we will give you some more as we go along too.  Look forward to the rundll32 article as it will be chock full of fun toys we can use with psexec.

1 comment

Well this is my first article in what I hope is going to be a series teaching you how to fight the good fight, digital office warfare.  In this article we are going to start out with the basics of offence because a good offence is … well a good offence.  Basic offence includes using built in tools (or easily downloadable power tools) to attack your neighbors whose computers you have admin privileges on.

Let’s get started, I hope you have read the Geneva Convention of office warfare. The first tool we are going to look at is shutdown.

C:\Users\joshp>shutdown /?

Usage: shutdown [/i | /l | /s | /r | /g | /a | /p | /h | /e] [/f]

    [/m \\computer][/t xxx][/d [p|u:]xx:yy [/c "comment"]]

 

    No args    Display help. This is the same as typing /?.

    /?         Display help. This is the same as not typing any options.

    /i         Display the graphical user interface (GUI).

               This must be the first option.

    /l         Log off. This cannot be used with /m or /d options.

    /s         Shutdown the computer.

    /r         Shutdown and restart the computer.

    /g         Shutdown and restart the computer. After the system is

               rebooted, restart any registered applications.

    /a         Abort a system shutdown.

               This can only be used during the time-out period.

    /p         Turn off the local computer with no time-out or warning.

               Can be used with /d and /f options.

    /h         Hibernate the local computer.

               Can be used with the /f option.

    /e         Document the reason for an unexpected shutdown of a computer.

    /m \\computer Specify the target computer.

    /t xxx     Set the time-out period before shutdown to xxx seconds.

               The valid range is 0-600, with a default of 30.

               Using /t xxx implies the /f option.

    /c “comment” Comment on the reason for the restart or shutdown.

               Maximum of 512 characters allowed.

    /f         Force running applications to close without forewarning users.

               /f is automatically set when used in conjunction with /t xxx.

    /d [p|u:]xx:yy  Provide the reason for the restart or shutdown.

               p indicates that the restart or shutdown is planned.

               u indicates that the reason is user defined.

                 if neither p nor u is specified the restart or shutdown is unplanned.

               xx is the major reason number (positive integer less than 256).

               yy is the minor reason number (positive integer less than 65536).

 

Shutdown has a fairly obvious use.  Basically using the parameters available to us we can shutdown the computers of those poor souls around us.  Here is the general use for that.

Shutdown /f /r /m \\enemycomp /t 30

So what are we doing here?  The first flag we see if /f.  This is force, what this means is that your coworkers apps will be closed forcefully if they don’t close nicely.   The second flag /r is reboot, you can also use /s which will shut the computer down and not start it back, this makes little difference.  The next flag is an important one /m. This is where we give the computer name of our target.  Syntax is /m \\computername. The final flag we show above is /t.  This flag is a way of throwing your coworkers a bone, it is the countdown timer.  If left out the shutdown happens right away but if you put it in they get a countdown timer first allowing them a little time to try to either save stuff or abort the shutdown if they know what they are doing (link to defense article).  The only other flag that you may be interested in at this point is /c.  /c allows you to add a comment to the shutdown timer dialog, this is mostly used to taunt your coworkers and the syntax is /c “Haha, I pwns ju kthxbye”. So all put together you can use a command like this to shutdown the imaginary computer dev-BobHunington giving Bob a 10 second chance to save his day with the taunting message “Don’t Mess With TESTERS BOB!” like this.

Shutdown /f /s /m \\dev-BobHunington  /t 10 /c “Don’t Mess With TESTERS BOB!”

 

That is all we have for this week, go forth and reboot! Remember kids save your work, you never know if the person next to you is reading this same article right now.

No comments