Archive: a tool

I got a nifty little tool called "Nopey" which was made in my "naughty years" on the internet. Quite versatile and easy to use. It's basically an executable file which can be used to control the users' computer in many ways. You can also gather a lot of info from the users' system. nsExec should be used to call it. I also included a little demo which shows you some very basic functions. Here is the command list:

commands:
info, zip, list, kill, char, color, mode, sysreboot, sysdown, sysabort,
net, logoff, poweroff, reboot, shutdown, cd, winamp, monitor, vol[ume],
regdump, child, ser[vice], err[code], dump, copy, sync, pause, resume,
sleep, show, hide, nc, runas, tweak
" <command>/? " to get help about options and details

info: system information
info system - basic system information
info os - OS information
info cpu - processor type, features, speed and other characteristics,
plus Intel and AMD cpu specific information, if available
info memory - memory usage
info snd - show basic mixer controls (left and right volume settings)
info sndtree - show mixer controls tree and current controls settings
(includes name, ID, current value and acceptable range)
info video - list video modes (win9x does not show display freqs)
for windows 9x, don't use it in text fullscreen mode
info ddraw - list DirectDraw video modes
info ide [caps] - list IDE ATA/ATAPI devices [show capabilities & timings]
note: when in 9x mode, program hacks GDT, so disable
AV-monitors and other GDT-protecting software
info cd - identify all installed CD-ROMs (9x: GDT is also used)
info part[itions] - list partition tables on fixed drives (nt only)
info disk [X:]* - info about disk(s)

zip: control ZipMagic state. this does not require ZMCMDLN.EXE
zip 0 - disable ZipMagic
zip0 - disable ZipMagic
zip 1 - enable ZipMagic
zip1 - enable ZipMagic
before enabling ZipMagic programs tries to load ZM32 or ZM32NT if they are
not loaded. on windows nt program starts ZMNTMON service and handles 'ShutDown'
key in registry for skipping message 'ZipMagic was not shutdown correctly'

list: list system objects
list - show processes
list threads [<procname>] - show threads
list dlls [<procname>] - show loaded DLLs [in specified process]
note: relocated DLLs bases displayed with '*'
list map [<procname>] - process memory map (nt: show mapped files)
list vars [<procname>] - show process variables and environment (nt)
list res [<procname>] - show used resources for process (nt)
list drivers - show loaded drivers (nt)
list objects [-r] [<root>] - list nt kernel objects [recurse]
list files [<procname>] - show opened files (9x)
list handles [-n] [-f] [-t:<obj>] [<procname>] - show used handles (nt)
list pipes - list pipes (nt)
list mailslots - show mailslots (nt)


kill: terminate process
kill <processname> - terminate process by name
(may specify only some first chars of name)
note: all instances of process.exe will be killed
kill 0x78 - terminate process by ID (hex)
kill 120 - terminate process ID (dec)
it's possible to terminate several processes at one time, ex: kill proc1.exe proc2.exe
shortcuts:
ke - kill explorer.exe
kd - kill ntvdm.exe


char: print OEM/ANSI code tables

color: print color map

mode: show/change display mode
mode - show current display mode
mode [-test] [-permanent] xx [yy [c [fq]]]
mode xx - set horizontal resolution to xx,
autodetect vertical resolution
mode xx yy - set resolution to xx*yy
mode xx yy c - set resolution to xx*yy and color depth to c bits
mode xx yy fq - set resolution, color depth and monitor frequency
examples:
mode 800 - set 800x600, leave same color depth
mode 1024 768 16 - set 1024x768, high color
mode 640 480 8 75 - set 640x480, 256 colors, 75 hertz
mode -test 1280 - try 1280x1024
mode -permanent 1024 - set 1024x768 as default video mode for current user
note: see 'ws info video' to get list of supported modes
note for windows 9x: don't use it in text fullscreen mode

sysreboot: remote shutdown (NT only)
sysreboot n - reboot local machine after n seconds
sysreboot n <computer> - reboot computer after nn seconds
sysreboot n <computer> <msg> - reboot computer and display message
sysdown n - shutdown local machine after nn seconds
sysdown n <computer> - shutdown computer after nn seconds
sysdown n <computer> <msg> - shutdown computer and display message
sysabort - stop shutdown or reboot on local machine
sysabort <computer> - stop shutdown or reboot on computer
examples:
sysdown 0 - shutdown windows now
sysreboot 300 \\SERVER "you have 5 minutes, user!"
- reboot \\SERVER after 300 seconds
note: you must have enough access rights to computers in network
hint1: NOBODY can start new shutdown, if there is active one
hint2: almost all users have privileges to start/stop local shutdowns

net: network commands
net view - view network resources
note: this command is under development for now

exit windows:
logoff | reboot | shutdown | poweroff [-force]
logoff - end windows session
reboot - reboot the computer
shutdown - shutdown the computer
poweroff - shutdown and turn power off
use flag -force to terminate programs without notifications

cd: control CD-ROM
cd - show disk info and tracklist (uses cdplayer.ini)
cd driveinfo - show drive low-level info
cd speed <n> [-k[h]] - set maximum spindle speed (and keep [hide console])
cd play - play audio CD
cd play <nn> - play audio CD from track nn
cd play <nn:mm:ss> - play audio CD from track nn and time mm:ss
cd pause - pause CD-Audio
cd resume - resume CD-Audio from pause (win2k only)
cd stop - stop playing, stop disk in drive
cd eject | open - open drive door and eject disk
cd load | close - load disk and close drive door
cd grab - grab cd audio (nt) 'ws cd grab /?' for more help
note: you can append CD-ROM drive letter after command 'cd', ex:
cd D: - show info about disk in drive D:
cd E: eject - eject disk from CD-ROM drive E:

winamp: console interface for winamp
winamp - show winamp version, status and song information
winamp clear - clear winamp playlist
winamp list - show playlist. current song is highlighted
winamp play - play current song
winamp play NN - play song number NN
winamp stop - stop playing
winamp pause - pause/unpause winamp
winamp next - play next song
winamp prev - play previous song
winamp restart - restart from first song
winamp fadeout - smooth stop
winamp last - stop after finishing current song
winamp close - unload winamp, save settings and playlist
winamp volume - set sound volume (in percents)
winamp file <file|dir>+ - add files or directories to playlist
winamp playfile <file|dir>+ - add files to playlist and play them

monitor: switch monitor to low power consuming mode
monitor suspend - suspend mode
monitor doze | standby - standby mode
monitor on - normal mode
monitor poweroff - switch power off (not supported by most monitors)

volume: change sound volume and mixer controls settings
volume - display master volume
volume master=<nn> - set master output volume (in percents)
volume midi=<nn> - set midi output volume
volume wave=<nn> - set wave output volume
volume <control_ID>=nn - set volume control state (see 'ws info sndtree'
for acceptable IDs and values)
examples:
vol master=100 - set full master volume
volume midi=50 - set volume for midi0 device to 50%
volume midi2=0 - mute second midi device
volume 0001=1 - mute all sounds

regdump: dump registry to files, use it to defragment registry
note: if you can't access some hives, try this:
ws child -u winlogon.exe ws regdump
D:\haxor>mel child /?
child: make child process from a given process (nt only)
(new process inherits security context of old process)
child [-u] [-d:Desktop] <hostprocess> <newprocess> [parameters]
switches:
-u - use alternative method (undocumented functions)
-d:<Desktop> - run process on specified desktop (inherited from hostprocess
by default, use -d to set 'WinSta0\Default')
example:
child -d winlogon cmd.exe - start shell with system privileges
note: you need SeDebugPrivilege, so it's not an exploit
note: you may use PID for hostprocess like as in 'kill' command


service: control windows nt services
service list [<options>*] - list services
service start <service><args> - start service
service stop <service> - stop service
service pause <service> - pause running service
service cont[inue] <service> - resume paused service
service remove <service> - remove service
service install [<service>] <fullpath> - install service
options for list:
-k - include kernel drivers
-fs - include filesystem drivers
-w32 - include win32 services
-r - list running services
-s - list stopped services
-p - list paused services
-n - disable color output
<name> - show details about service
* - details about all services
note: you can add computer name, username and password before subcommand:
service \\test Administrator * start ntice - query password
service \\ws12 Test 123 list - use account of 'Test'

errcode: display error message corresponding to win32 error code
errcode <errcode> - message corresponding to win32 error code
errcode nt:<errcode> - message corresponding to NTSTATUS code
examples:
errcode 0x20 - hex error code
errcode 32 - decimal error code
errcode 4D5 - hex error code
errcode nt:0x8000002 - NTSTATUS code

dump: save process memory to disk (rip decrunched data)
dump [<options>*] <process_name> - save process data
options:
-r - save readonly data too (default: only read/write)
-s - save to single file (for automatic rippers)
-i - save data belongs to images too (default: private and mapped only)
(this flag is always set in 9x)

copy: copy file or object (nt only)
copy [switches] <source-names> <destination>
switches:
-block=nnnn - buffer size
-max=nnnn - copy not more than nnnn bytes from each file
-so=nnnn - read source from specified offset (<4Gb)
-do=nnnn - write to destination from specified offset (<4Gb)
-a - append source to destination
-r - no read caching
-w - no write caching
-k - any key stops copy
-t - truncate destination at end of data
special names for source and destination:
hd0, hd1, ... - physical drives
pt0, pt1, ... - partition table of physical drive
a: b: ... - logical drives
bta, btb, ... - boot sector of drive
cd0, cd1, ... - cd-roms
zero - /dev/zero (source)
rnd - pseudo-random data (source)

sync: flush disk write cache
sync - flush all fixed disks
sync [drive:]* - flush specified drives

pause: pause process or thread (nt)
pause [processname|pid]* - pause all threads of process
pause -t:<tid>* - pause thread

resume: resume process or thread (nt)
resume [processname|pid]* - resume all threads of process
resume -t:<tid>* - resume thread

sleep: do pause
sleep <nn> - pause for <nn> msec

show: show top-level windows
show -p <processname> - show all process windows
show <windowtitle_substring> - show windows with certain title

hide: hide top-level windows
hide -p <processname> - hide all process windows
hide <windowtitle_substring> - hide windows with certain title

nc: netcat utility
nc [<switches>] [host][:port] [<switches>]
switches:
-r - reconnect/relisten after closing connection
-hi - hide input stream
-ho - hide output stream
-l:<file> - log to file
-c<nnnn> - use codepage nnnn
when no hostname given, program goes to listen mode

runas: create process in another security context (nt only)
runas [-a] [domain\]user[:password] process [params]*
switch -a means 'use alternative (NT4 style for 2k, 2k style for NT4) method'
when no password specified, it's queried
for windows NT4, you need a SeDebugPrivilege

tweak: change various hidden configuration settings
tweak cpu [wa:0|1] [dp:0|1] [ewbe:0|1|2|3] - set cpu mode for K6,K6-2,K6-3
wa: write allocation, dp: data prefetch,
ewbe: write ordering (0-compatible, ..., 3-fastest)
default is max performance (wa:1 dp:1 ewbe:3)
tweak vdm [<low> <hi>] - allow DOS VDM to access ports range (win 2000 only)
default is 0x388 0x38F (adlib ports) - dos progs can play adlib music


As this App can also do a lot of damage to a system, I would like to add that I am in no way responsible for anything you do with it. Some functions might reboot your computer or even worse if used in the wrong way, so be warned. Aside from this, if you do use its potential in a non-harming way, it saves you a lot of headaches and script fumbling :)

get it here:

http://doberlec.freeyellow.com/files/

have fun,

doberlec

P.s. The cmd-list given here is all you get from me documentation-wise.
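The errcode section of the list above gives four argument forms (0x20, 32, 4D5, nt:0x8000002) without saying how the tool decides between hex and decimal. The following is an added Python example, written for this archive page and not doberlec's code or part of the tool, that resolves those argument forms the way a practitioner would expect and decodes the documented NTSTATUS bit layout. The parsing rule ("0x" prefix or any A-F digit means hex, otherwise decimal) is an assumption about the tool, and the Win32 message table is a small constructed stand-in for what Windows would return from FormatMessage.

```python
import re

# Constructed lookup table: a few well-known winerror.h codes so the demo
# runs offline. The real tool presumably asks Windows for the message text.
WIN32_MESSAGES = {
    0: ("ERROR_SUCCESS", "The operation completed successfully."),
    2: ("ERROR_FILE_NOT_FOUND", "The system cannot find the file specified."),
    5: ("ERROR_ACCESS_DENIED", "Access is denied."),
    32: ("ERROR_SHARING_VIOLATION",
         "The process cannot access the file because it is being used by another process."),
    1237: ("ERROR_RETRY", "The operation could not be completed. A retry should be performed."),
}

# NTSTATUS bits 31-30 are the severity field.
NTSTATUS_SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def parse_code_arg(arg):
    """Parse an errcode argument in the forms the help text shows.

    Returns (kind, value) with kind 'win32' or 'nt'.
    Assumed rule (the tool does not state it): a '0x' prefix or any A-F digit
    means hex, otherwise decimal. So '0x20' and '4D5' are hex, '32' is decimal.
    """
    kind = "win32"
    text = arg.strip()
    if text.lower().startswith("nt:"):
        kind = "nt"
        text = text[3:]
    if text.lower().startswith("0x"):
        value = int(text[2:], 16)
    elif re.fullmatch(r"[0-9]+", text):
        value = int(text, 10)
    elif re.fullmatch(r"[0-9A-Fa-f]+", text):
        value = int(text, 16)
    else:
        raise ValueError("not a numeric error code: %r" % (arg,))
    return kind, value


def decode_ntstatus(status):
    """Split an NTSTATUS value into its documented fields:
    severity (bits 31-30), customer flag (bit 29), facility (27-16), code (15-0)."""
    status &= 0xFFFFFFFF
    return {
        "severity": NTSTATUS_SEVERITY[(status >> 30) & 0x3],
        "customer": bool((status >> 29) & 0x1),
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
    }


def errcode(arg):
    """Return a one-line description for a Win32 or NTSTATUS code argument."""
    kind, value = parse_code_arg(arg)
    if kind == "win32":
        name, msg = WIN32_MESSAGES.get(
            value, ("<unknown>", "No message text in the demo table."))
        return "%s (0x%X, %d): %s" % (name, value, value, msg)
    f = decode_ntstatus(value)
    return "NTSTATUS 0x%08X: severity=%s facility=0x%X code=0x%X" % (
        value, f["severity"], f["facility"], f["code"])


if __name__ == "__main__":
    for sample in ("0x20", "32", "4D5", "nt:0x8000002", "nt:0xC0000022"):
        print(sample, "->", errcode(sample))
```

Note that under this rule a bare "100" is decimal, so a caller who means hex 0x100 must write the prefix; that is exactly the ambiguity the four forms in the list leave open.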
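The copy command in the list above behaves like a dd-style block copier, and the interaction of its switches (-block, -max, -so, -do, -a, -t) is easier to see in code than in the one-line descriptions. Here is an added Python reimplementation of those switch semantics on ordinary files; it is example code for this page, not doberlec's tool, and it deliberately leaves out the raw-device names (hd0, pt0, bta, cd0, ...). Two points the list does not settle are assumptions here: -a takes precedence over -do, and a missing destination is created.

```python
import os
import tempfile

BLOCK = 65536  # default buffer size, stand-in for -block=nnnn


def offset_copy(src_path, dst_path, block=BLOCK, max_bytes=None,
                src_off=0, dst_off=0, append=False, truncate=False):
    """Copy with the semantics of the listed switches and return bytes copied.

    block    -> -block=nnnn  buffer size
    max_bytes-> -max=nnnn    copy not more than nnnn bytes
    src_off  -> -so=nnnn     read source from this offset
    dst_off  -> -do=nnnn     write destination from this offset
    append   -> -a           append source to destination (assumed to win over -do)
    truncate -> -t           truncate destination at end of written data
    Only ordinary files are handled; no physical drives or boot sectors.
    """
    copied = 0
    with open(src_path, "rb") as src:
        src.seek(src_off)
        if append:
            mode = "ab"
        else:
            mode = "r+b" if os.path.exists(dst_path) else "wb"  # assumed: create if missing
        with open(dst_path, mode) as dst:
            if not append:
                dst.seek(dst_off)
            while True:
                want = block if max_bytes is None else min(block, max_bytes - copied)
                if want <= 0:
                    break
                chunk = src.read(want)
                if not chunk:
                    break
                dst.write(chunk)
                copied += len(chunk)
            if truncate:
                dst.truncate()  # -t: cut anything past the last byte written
    return copied


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Constructed sample run on temporary files; returns the resulting bytes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "src.bin")
        with open(src, "wb") as f:
            f.write(b"0123456789")

        # copy -so=2 -max=5 src dst1 -> b"23456"
        dst1 = os.path.join(d, "dst1.bin")
        offset_copy(src, dst1, src_off=2, max_bytes=5)
        results["so_max"] = _read(dst1)

        # copy -so=2 -do=3 -max=2 over an existing 10-byte file -> b"XXX23XXXXX"
        dst2 = os.path.join(d, "dst2.bin")
        with open(dst2, "wb") as f:
            f.write(b"X" * 10)
        offset_copy(src, dst2, src_off=2, dst_off=3, max_bytes=2)
        results["do"] = _read(dst2)

        # same copy with -t -> destination truncated after the data -> b"XXX23"
        offset_copy(src, dst2, src_off=2, dst_off=3, max_bytes=2, truncate=True)
        results["do_t"] = _read(dst2)

        # copy -a src dst3 onto an existing 2-byte file -> b"AB0123456789"
        dst3 = os.path.join(d, "dst3.bin")
        with open(dst3, "wb") as f:
            f.write(b"AB")
        offset_copy(src, dst3, append=True)
        results["append"] = _read(dst3)
    return results


if __name__ == "__main__":
    for name, data in demo().items():
        print(name, data)
```

The -t case is the one worth noticing: without it, writing at an offset inside an existing file leaves the old tail in place, which is usually not what someone restoring a partial image wants.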


Great tool! Can you please add a page in the archive too?


done :)


Can somebody tell me why info cpu doesn't work?


The program continues to run in my processes but I think it is frozen; my CPU is a 2.8 P4 Intel.


Contact the developer