
abusing iexpress - creating pop-ups, starting hidden process

Posted: 09 Sep 2014 08:02
by npocmaka_
If you start iexpress it will offer to create a self-extracting installer (or a cab file or something like that).

If you point it at an .exe to be compressed you'll have some interesting options: "Prompt", "Package Title", "Display License", "Install Program", "Post Install Command", "Hidden Window", "Finished Message".

In brief - iexpress creates an installation file with the possibility of 3 pop-up messages: confirmation, license agreement, and one for the finish.
Also - it allows you to run one of the executables at the end with custom parameters and, more importantly, in background hidden mode.

Iexpress also has a command line interface - it accepts an .ini file (called a SED) with the options available in the UI.

So JFF I've created two scripts, one that provides pop-up messages and one that starts a hidden process. As it has been part of Windows for a long time it will work on every machine from XP and above.


1. Pop-up messages - as it wants to run an executable after the installation I've chosen subst without parameters and in hidden mode - it will do nothing, and will do it fast, so you'll see only the pop-ups:


Code:

;@echo off
;set message1=message1
;set message1_title=message1_title
;set "license_file=%~f0"
;set ppopup_executable=popupe.exe
;set message2=message2
;
;copy /y "%~f0" "%temp%\popup.sed"
;(echo(InstallPrompt=%message1%)>>"%temp%\popup.sed"
;(echo(DisplayLicense=%license_file%)>>"%temp%\popup.sed"
;(echo(FinishMessage=%message2%)>>"%temp%\popup.sed";
;(echo(TargetName=%cd%\%ppopup_executable%)>>"%temp%\popup.sed";
;(echo(FriendlyName=%message1_title%)>>"%temp%\popup.sed"
;
;iexpress /n /q /m %temp%\popup.sed
;popupe.exe
;for /d %%# in ("%tmp%\ixp???.tmp") do rd /s /q "%%#"
;del /q /f "%temp%\popup.sed"
;exit /b 0


[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=1
UseLongFileName=0
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[SourceFiles]
SourceFiles0=C:\Windows\System32\
[SourceFiles0]
%FILE0%=


[Strings]
AppLaunched=subst.exe
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="subst.exe"




2. Starting a hidden process - this time there are no pop-ups. And the packed executable is cmd.exe itself - it will be run after the installation with some arguments (in this case pause). You'll be able to see the new cmd instance in the task manager:

Code:

;@echo off
;set "hidden.starter=hiddener.exe"
;set "hidden.command=/c pause"

;
;copy /y "%~f0" "%temp%\hid.sed"
;(echo(PostInstallCmd=%hidden.command%)>>"%temp%\hid.sed"
;(echo(TargetName=%cd%\%hidden.starter%)>>"%temp%\hid.sed"
;
;iexpress /n /q /m %temp%\hid.sed
;hiddener.exe
;for /d %%# in ("%tmp%\ixp???.tmp") do rd /s /q "%%#"
;del /q /f "%temp%\hid.sed"
;exit /b 0


[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=1
UseLongFileName=0
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles

[SourceFiles]
SourceFiles0=C:\Windows\System32\
[SourceFiles0]
%FILE0%=
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=

FriendlyName=hidden
AppLaunched=cmd.exe

AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="cmd.exe"

;PostInstallCmd=/c pause
;TargetName=


Edit - Every run of the created exe files creates a folder like %tmp%\ixp???.tmp and now I've added code for its deletion.

EDIT - Starting a hidden process in fact does not work as expected. PostInstallCmd= concerns actions after the installation. It can be made to work as it should with an additional .inf file and I'm working on it.

Re: abusing iexpress - creating pop-ups, starting hidden process

Posted: 09 Sep 2014 18:26
by npocmaka_
Here's some documentation by Microsoft: http://support.microsoft.com/kb/191900

It appeared that I don't need an .inf file. The UI is a little bit misleading. In AppLaunched= you can put any executable in the %PATH%. Still, iexpress.exe needs a valid executable for packaging. And the %tmp%\ixp???.tmp folders stayed undeleted only in case the iexpress application is interrupted.
Here are some more sensible examples - two-button pop-ups can now detect which button was pressed. And there's a check of whether the hidden process was executed:


1. Start hidden application (in this case cmd /c "echo.^>%tmp%\zzz"):

Code:

;@echo off
;setlocal
;set hid_executable=hid.exe
;
;set "app_to_launch=cmd /c "echo.^>%tmp%\zzz""
;
;del /q /f %tmp%\yes >nul 2>&1
;
;copy /y "%~f0" "%temp%\hid.sed" >nul 2>&1
;(echo(AppLaunched=%app_to_launch%)>>"%temp%\hid.sed"
;(echo(TargetName=%cd%\%hid_executable%)>>"%temp%\hid.sed";

;
;iexpress /n /q /m %temp%\hid.sed
;%hid_executable%
;del /q /f %hid_executable% >nul 2>&1
;if exist "%tmp%\zzz" (set check=executed) else (set check=not_executed)
;echo %check%
;pause

;endlocal
;exit /b 0
[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=1
UseLongFileName=0
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles

FILE0="subst.exe"

[SourceFiles]
SourceFiles0=C:\Windows\System32\
[SourceFiles0]
%FILE0%=

[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
FriendlyName=.
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=

FILE0="subst.exe"



2. Yes/No pop-up with detection of the button:

Code:

;@echo off
;setlocal
;set "message1=yes/no"
;set "message1_title=Are you agree?"

;set ppopup_executable=popupe.exe
;
;del /q /f %tmp%\yes >nul 2>&1
;
;copy /y "%~f0" "%temp%\popup.sed" >nul 2>&1
;(echo(InstallPrompt=%message1%)>>"%temp%\popup.sed"
;(echo(TargetName=%cd%\%ppopup_executable%)>>"%temp%\popup.sed";
;(echo(FriendlyName=%message1_title%)>>"%temp%\popup.sed"
;
;iexpress /n /q /m %temp%\popup.sed
;%ppopup_executable%
;del /q /f %ppopup_executable% >nul 2>&1
;if exist "%tmp%\yes" (set ans=yes) else (set ans=no)
;echo %ans%
;pause

;endlocal
;exit /b 0


[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=1
UseLongFileName=0
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[SourceFiles]
SourceFiles0=C:\Windows\System32\
[SourceFiles0]
%FILE0%=


[Strings]
AppLaunched=cmd.exe /c "break>%tmp%\yes"
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="subst.exe"
DisplayLicense=
FinishMessage=


;InstallPrompt=messagee1
;DisplayLicense=F:\scriptests\sysinf
;FinishMessage=message2
;TargetName=F:\scriptests\popup1.exe
;FriendlyName=popuppkg



3. License agreement (vs. the %windir%\win.ini file):

Code:

;@echo off
;setlocal

;set "message1_title=Are you agree?"
;set "license_file=%windir%\win.ini"
;set ppopup_executable=popupe.exe

;
;del /q /f %tmp%\yes >nul 2>&1
;
;copy /y "%~f0" "%temp%\popup.sed" >nul 2>&1
;(echo(DisplayLicense=%license_file%)>>"%temp%\popup.sed"
;(echo(TargetName=%cd%\%ppopup_executable%)>>"%temp%\popup.sed";
;(echo(FriendlyName=%message1_title%)>>"%temp%\popup.sed"
;
;iexpress /n /q /m %temp%\popup.sed
;%ppopup_executable%
;del /q /f %ppopup_executable% >nul 2>&1

;if exist "%tmp%\yes" (set ans=yes) else (set ans=no)
;echo %ans%
;pause

;endlocal
;exit /b 0


[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=1
UseLongFileName=0
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[SourceFiles]
SourceFiles0=C:\Windows\System32\
[SourceFiles0]
%FILE0%=


[Strings]
AppLaunched=cmd.exe /c "break>%tmp%\yes"
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="subst.exe"
InstallPrompt=
FinishMessage=


4. One-button message:

Code:

;@echo off
;setlocal

;set ppopup_executable=popupe.exe
;rem message1_title is used for FriendlyName below and was otherwise never set
;set "message1_title=message"
;set "message2=click OK to continue"
;
;del /q /f %tmp%\yes >nul 2>&1
;
;copy /y "%~f0" "%temp%\popup.sed" >nul 2>&1

;(echo(FinishMessage=%message2%)>>"%temp%\popup.sed";
;(echo(TargetName=%cd%\%ppopup_executable%)>>"%temp%\popup.sed";
;(echo(FriendlyName=%message1_title%)>>"%temp%\popup.sed"
;
;iexpress /n /q /m %temp%\popup.sed
;%ppopup_executable%
;del /q /f %ppopup_executable% >nul 2>&1

;pause

;endlocal
;exit /b 0


[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=1
UseLongFileName=0
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[SourceFiles]
SourceFiles0=C:\Windows\System32\
[SourceFiles0]
%FILE0%=


[Strings]
AppLaunched=subst.exe
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="subst.exe"
DisplayLicense=
InstallPrompt=


I think this is a pretty funny way to create a hidden process or pop-up message :-)
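As an added example (not code from the thread), here is a Python triage parser for the SED format used by the scripts in the first post and in this reply. It treats `;` lines as INI comments (which is why the batch code embedded at the top of each script is invisible to IExpress and the same file is both the .bat and the .sed), resolves the `%Name%` placeholders in [Options] from the [Strings] section, lists the packaged source files and reports the launch command and window setting an analyst reviewing such a file would want to see. The sample SED is constructed to mirror the hidden-start example above; the path `C:\work\hid.exe`, the appended duplicate `InstallPrompt` key and the reading of `ShowInstallProgramWindow=1` as the posts' "hidden mode" are assumptions, not facts taken from the thread.

```python
"""Triage parser for IExpress SED files (added example, not from the thread).

A SED is an INI file: `[Section]` headers, `Key=Value` lines and `;` comment
lines.  The scripts in this thread prefix their batch code with `;`, so the
batch part is a comment to IExpress while cmd.exe ignores the leading `;`.
[Options] values such as `AppLaunched=%AppLaunched%` are placeholders that
are filled from [Strings], which is where the launch command really lives.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^(?P<key>[^=;]+?)\s*=\s*(?P<value>.*?)\s*$")
PLACEHOLDER_RE = re.compile(r"%(?P<name>[A-Za-z0-9_]+)%")

# Keys a reviewer cares about: what runs, how visibly, and what the user sees.
INTERESTING = ("AppLaunched", "PostInstallCmd", "TargetName",
               "ShowInstallProgramWindow", "InstallPrompt", "FinishMessage")


def parse_sed(text: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return ({section: {key: value}}, notes) for SED text.

    Duplicate keys are reported rather than silently resolved: this parser
    keeps the last occurrence, but the Windows INI reader may return the
    first, so a file that appends keys at run time deserves a second look.
    """
    sections: Dict[str, Dict[str, str]] = {}
    notes: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or INI comment
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            key, value = m.group("key"), m.group("value")
            if key in sections[current]:
                notes.append(f"duplicate key {key!r} in [{current}]")
            sections[current][key] = value
    return sections, notes


def resolve(value: str, strings: Dict[str, str]) -> str:
    """Expand %Name% placeholders from [Strings]; unknown names stay as-is
    (e.g. %tmp% inside a command line is for cmd.exe, not for IExpress)."""
    return PLACEHOLDER_RE.sub(
        lambda m: strings.get(m.group("name"), m.group(0)), value)


def triage(text: str) -> Dict[str, object]:
    """Summarise the parts of a SED that matter when reviewing it."""
    sections, notes = parse_sed(text)
    strings = sections.get("Strings", {})
    options = sections.get("Options", {})
    report: Dict[str, object] = {
        k: resolve(options.get(k, ""), strings) for k in INTERESTING}
    # [SourceFiles] maps SourceFilesN=directory; the keys of [SourceFilesN]
    # are the packaged file names, themselves possibly %placeholders%.
    files = []
    for name, directory in sections.get("SourceFiles", {}).items():
        for fname in sections.get(name, {}):
            files.append(directory + resolve(fname, strings).strip('"'))
    report["SourceFiles"] = files
    report["Notes"] = notes
    # ASSUMPTION: the posts use ShowInstallProgramWindow=1 for what they call
    # hidden mode; any non-zero value is flagged for closer inspection.
    report["HiddenWindow"] = options.get("ShowInstallProgramWindow", "0") != "0"
    return report


# Constructed sample modelled on the hidden-start script above (not a real file).
SAMPLE_SED = r"""
;@echo off
;rem these batch lines are INI comments as far as IExpress is concerned
[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=1
InstallPrompt=%InstallPrompt%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
SourceFiles=SourceFiles
[SourceFiles]
SourceFiles0=C:\Windows\System32\
[SourceFiles0]
%FILE0%=
[Strings]
InstallPrompt=
FinishMessage=
FriendlyName=.
PostInstallCmd=<None>
FILE0="subst.exe"
AppLaunched=cmd /c "echo.^>%tmp%\zzz"
TargetName=C:\work\hid.exe
InstallPrompt=Continue?
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SED).items():
        print(f"{key:26} {value}")
```

Run against one of the thread's scripts, the report shows in one screen that the package launches a command line rather than the packaged `subst.exe`, that the window is hidden, and that keys were appended after the [Strings] header.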

Re: abusing iexpress - creating pop-ups, starting hidden process

Posted: 10 Sep 2014 06:41
by npocmaka_
The start of the hidden process in this way is far from perfect.

E.g. this will start notepad.exe as a background process but will leave one small .exe (the one created by IExpress) undeleted:

Code:

;@echo off
;setlocal
;set hid_executable=hid.exe
;echo %hid_executable:~0,-4%
;
;set "app_to_launch="%windir%\notepad.exe""
;
;del /q /f %tmp%\yes >nul 2>&1
;
;copy /y "%~f0" "%temp%\hid.sed" >nul 2>&1
;setlocal enableDelayedExpansion
;(echo(AppLaunched=!app_to_launch!)>>"%temp%\hid.sed"
;
;(echo(TargetName=%cd%\%hid_executable%)>>"%temp%\hid.sed";
;
;
;iexpress /n /q /m %temp%\hid.sed
;start %hid_executable%
;endlocal
;exit /b 0

[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=1
UseLongFileName=0
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles

FILE0="subst.exe"

[SourceFiles]
SourceFiles0=C:\Windows\System32\
[SourceFiles0]
%FILE0%=

[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
FriendlyName=.
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=

FILE0="subst.exe"


This will start notepad in background mode and will delete the temporary executable, but will leave one instance of the command prompt running until notepad is killed:

Code:

;@echo off
;setlocal
;set hid_executable=hid.exe
;echo %hid_executable:~0,-4%
;
;set "app_to_launch="%windir%\notepad.exe""
;
;del /q /f %tmp%\yes >nul 2>&1
;
;copy /y "%~f0" "%temp%\hid.sed" >nul 2>&1
;setlocal enableDelayedExpansion
;(echo(AppLaunched=!app_to_launch!)>>"%temp%\hid.sed"
;
;(echo(TargetName=%cd%\%hid_executable%)>>"%temp%\hid.sed";
;
;
;iexpress /n /q /m %temp%\hid.sed
;%hid_executable%
;del /q /f %hid_executable% >nul 2>&1
;rem if exist "%tmp%\zzz" (set check=executed) else (set check=not_executed)
;rem echo %check%
;pause

;endlocal
;exit /b 0
[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=1
UseLongFileName=0
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles

FILE0="subst.exe"

[SourceFiles]
SourceFiles0=C:\Windows\System32\
[SourceFiles0]
%FILE0%=

[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
FriendlyName=.
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=

FILE0="subst.exe"




I've tried to kill the wrapper executable but that also kills notepad. On the plus side this does not require admin permissions, is (almost) pure batch and works even on the home editions of XP without service packs.
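The thread leaves two observable artifacts for anyone watching process creation: `iexpress.exe` being run non-interactively on a .sed file (`/n /q /m file.sed`) and the `%tmp%\ixp???.tmp` staging folders the resulting executables create. As an added example (not from the posts), the Python below runs simple detection rules over constructed process-creation events shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, CurrentDirectory). The events, user name and paths are constructed; the rule that treats a process whose working directory is inside an IXP folder as launched by the wrapper is an assumption, since the posts only state that the folder is created.

```python
"""Detection rules for the IExpress artifacts this thread describes (added
example, not from the posts).  Input events are constructed dictionaries with
Sysmon Event ID 1 style fields; no real telemetry is included.
"""
import re
from typing import Dict, List, Tuple

# iexpress.exe given a .sed on its command line (the build step above).
IEXPRESS_IMAGE_RE = re.compile(r"(?i)(?:^|\\)iexpress\.exe$")
IEXPRESS_BUILD_RE = re.compile(r"(?i)\biexpress(?:\.exe)?\b.*\.sed\b")
QUIET_FLAG_RE = re.compile(r"(?i)(?:^|\s)/q\b")
# The %tmp%\ixp???.tmp staging folder mentioned in the first post's edit.
IXP_DIR_RE = re.compile(r"(?i)\\ixp[0-9a-z]{3}\.tmp(?:\\|$)")


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event triggers (empty list = nothing)."""
    hits: List[str] = []
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    cwd = event.get("CurrentDirectory", "")
    parent = event.get("ParentImage", "")

    if IEXPRESS_IMAGE_RE.search(image) and IEXPRESS_BUILD_RE.search(cmdline):
        hits.append("iexpress_sed_build")
        if QUIET_FLAG_RE.search(cmdline):       # built without any UI
            hits.append("iexpress_quiet_build")
    if IXP_DIR_RE.search(image):                # packaged file run from staging dir
        hits.append("image_in_ixp_tmp")
    elif IXP_DIR_RE.search(cwd):
        # ASSUMPTION: AppLaunched children start with the IXP folder as cwd.
        hits.append("launched_from_ixp_tmp")
    if IXP_DIR_RE.search(parent):
        hits.append("parent_in_ixp_tmp")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (Image, rules) for every event that triggered at least one rule."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append((event.get("Image", ""), hits))
    return results


TEMP = r"C:\Users\user\AppData\Local\Temp"   # constructed profile path

# Constructed events following the sequence the scripts above produce.
SAMPLE_EVENTS = [
    {   # 1. the batch builds the package: iexpress /n /q /m %temp%\hid.sed
        "Image": r"C:\Windows\System32\iexpress.exe",
        "CommandLine": r"iexpress /n /q /m " + TEMP + r"\hid.sed",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CurrentDirectory": r"C:\work",
    },
    {   # 2. the wrapper itself starts; nothing distinctive yet
        "Image": r"C:\work\hid.exe",
        "CommandLine": "hid.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CurrentDirectory": r"C:\work",
    },
    {   # 3. AppLaunched command, working directory inside the staging folder
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd /c "echo.^>' + TEMP + r'\zzz"',
        "ParentImage": r"C:\work\hid.exe",
        "CurrentDirectory": TEMP + r"\IXP000.TMP",
    },
    {   # 4. the packaged subst.exe extracted into and run from the staging folder
        "Image": TEMP + r"\IXP000.TMP\subst.exe",
        "CommandLine": "subst.exe",
        "ParentImage": r"C:\work\popupe.exe",
        "CurrentDirectory": TEMP + r"\IXP000.TMP",
    },
    {   # 5. ordinary activity that must not fire
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\work\readme.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\work",
    },
]

if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

The build event and the staging-folder events fire; the wrapper's own start and the unrelated notepad.exe do not, which matches what the posts observe: the wrapper looks like any other small .exe until it extracts and launches something.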