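@echo off
REM Non-admin thick-client assessment collector (no WMIC dependency).
REM Gathers host context, a binary inventory (paths, signer/version info,
REM SHA256), a strings dump with keyword triage, and user-level persistence
REM artefacts for the application under TARGET_DIR, all into a timestamped
REM directory next to this script. Requires sigcheck.exe, strings.exe and
REM autorunsc.exe under SYSINT_DIR.
REM Exit codes: 0 success; 1 output directory or required tool missing;
REM 2 fatal pre-check (timestamp or TARGET_DIR).
REM
REM Delayed expansion is deliberately OFF: nothing below uses !var!, and with
REM it enabled any "!" in a path expanded via %%F would be stripped before
REM certutil sees it.
setlocal EnableExtensions DisableDelayedExpansion
REM ============================
REM Configuration
REM ============================
set "APP_NAME=ThickClient"
set "TARGET_DIR=C:\Program Files\MyApp"
set "SYSINT_DIR=C:\Program Files\SysinternalTools"
REM ============================
REM Timestamp without WMIC
REM ============================
for /f "usebackq delims=" %%i in (`powershell -NoProfile -Command "Get-Date -Format 'yyyy-MM-dd_HHmmss'"`) do set "TS=%%i"
REM If PowerShell produced no output, OUT_DIR would collapse to "%APP_NAME%_"
REM and merge with a previous run's results; stop instead.
if not defined TS (
  >&2 echo FATAL: could not obtain a timestamp from PowerShell
  exit /b 2
)
set "OUT_ROOT=%~dp0analysis_out"
set "OUT_DIR=%OUT_ROOT%\%APP_NAME%_%TS%"
set "LOG_DIR=%OUT_DIR%\logs"
set "INV_DIR=%OUT_DIR%\inventory"
set "PERSIST_DIR=%OUT_DIR%\persistence_user"
set "NET_DIR=%OUT_DIR%\network"
set "STR_DIR=%OUT_DIR%\strings"
REM :mkdir returns non-zero when the directory cannot be created; abort early
REM so later redirections do not fail one by one.
call :mkdir "%OUT_ROOT%" || exit /b 1
call :mkdir "%OUT_DIR%" || exit /b 1
call :mkdir "%LOG_DIR%" || exit /b 1
call :mkdir "%INV_DIR%" || exit /b 1
call :mkdir "%PERSIST_DIR%" || exit /b 1
call :mkdir "%NET_DIR%" || exit /b 1
call :mkdir "%STR_DIR%" || exit /b 1
call :log "Running NON-ADMIN thick-client assessment (no WMIC)"
call :log "TargetDir: %TARGET_DIR%"
call :log "Sysinternals: %SYSINT_DIR%"
call :log "OutputDir: %OUT_DIR%"
REM ============================
REM Pre-checks
REM ============================
REM "call :die" / "call :need" only return from the subroutine with a
REM non-zero code; the caller has to exit itself, otherwise the run would
REM continue against a missing target or tool and produce empty output.
if not exist "%TARGET_DIR%" (
  call :die "TARGET_DIR not found: %TARGET_DIR%"
  exit /b 2
)
call :need "%SYSINT_DIR%\sigcheck.exe" || exit /b 1
call :need "%SYSINT_DIR%\strings.exe" || exit /b 1
call :need "%SYSINT_DIR%\autorunsc.exe" || exit /b 1
REM ============================
REM 1) Basic host context (non-admin)
REM ============================
call :log "Collecting context..."
ver > "%INV_DIR%\windows_ver.txt"
whoami /all > "%INV_DIR%\whoami_all.txt"
powershell -NoProfile -Command "Get-Date | Out-String" > "%INV_DIR%\run_time.txt" 2>&1
ipconfig /all > "%NET_DIR%\ipconfig_all.txt"
route print > "%NET_DIR%\route_print.txt"
netstat -ano > "%NET_DIR%\netstat_ano.txt"
REM ============================
REM 2) Inventory: file list, hashes, signatures
REM ============================
call :log "Collecting binary paths..."
REM Recursive bare listing of executables, libraries and OCX controls; the
REM path list drives the certutil hashing loop below.
dir /s /b "%TARGET_DIR%\*.exe" "%TARGET_DIR%\*.dll" "%TARGET_DIR%\*.ocx" > "%INV_DIR%\binaries_paths.txt" 2> "%LOG_DIR%\dir_errors.txt"
call :log "Sigcheck inventory (signer/version/hash where readable)..."
"%SYSINT_DIR%\sigcheck.exe" -accepteula -q -h -i -m -e "%TARGET_DIR%" > "%INV_DIR%\sigcheck_inventory.txt" 2>&1
call :log "Computing SHA256 hashes (certutil) where readable..."
REM One "==== <path>" header per binary followed by certutil's output; files
REM that cannot be read leave certutil's error in the same report.
(
  for /f "usebackq delims=" %%F in ("%INV_DIR%\binaries_paths.txt") do (
    echo ==== %%F
    certutil -hashfile "%%F" SHA256
  )
) > "%INV_DIR%\certutil_sha256.txt" 2>&1
REM ============================
REM 3) Strings extraction + keyword triage
REM ============================
call :log "Extracting strings..."
"%SYSINT_DIR%\strings.exe" -accepteula -nobanner -n 6 -s "%TARGET_DIR%" > "%STR_DIR%\strings_all.txt" 2>&1
call :log "Keyword triage..."
REM The hits file can contain credentials, tokens or keys lifted from the
REM binaries: treat OUT_DIR as sensitive and restrict who can read it.
findstr /i /n /r "password secret token bearer api[_-]key authorization oauth jwt client_secret private_key BEGIN RSA http:// https:// ftp:// \\\\ " ^
"%STR_DIR%\strings_all.txt" > "%STR_DIR%\strings_hits_keywords.txt" 2>&1
REM ============================
REM 4) User-level persistence (HKCU + per-user startup)
REM ============================
call :log "Autoruns (partial without admin, but HKCU should be present)..."
"%SYSINT_DIR%\autorunsc.exe" -accepteula -a * -c -h -m -nobanner > "%PERSIST_DIR%\autorunsc_current_user_view.csv" 2>&1
call :log "Export HKCU Run keys..."
REM Best-effort: either key may legitimately be absent, so reg's errors are
REM discarded rather than treated as a failure.
reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "%PERSIST_DIR%\HKCU_Run.reg" /y >nul 2>&1
reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" "%PERSIST_DIR%\HKCU_RunOnce.reg" /y >nul 2>&1
call :log "Listing per-user Startup folder..."
dir /a /s "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup" > "%PERSIST_DIR%\startup_folder_listing.txt" 2>&1
call :log "DONE. Output: %OUT_DIR%"
REM Stop here so execution does not fall through into the helper labels.
exit /b 0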
REM ============================
REM Helpers
REM ============================
:mkdir
REM Ensure directory %1 exists. Success is judged solely by the directory
REM being present afterwards (mkdir's own output is discarded), so an
REM already-existing directory counts as success.
REM Returns 0 when the directory exists on exit, 1 otherwise.
if exist "%~1" exit /b 0
mkdir "%~1" >nul 2>&1
if exist "%~1" exit /b 0
exit /b 1
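:need
REM Verify that the tool at %1 exists.
REM The diagnostic goes to stderr so it is not mixed into redirected stdout.
REM Returns 0 if present, 1 if missing. Note that "call :need" on its own
REM does not stop the script; the caller must chain "|| exit /b 1".
if exist "%~1" exit /b 0
>&2 echo Missing required tool: %~1
exit /b 1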
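:log
REM Print a timestamped line for message %1 to stdout and append the same
REM line to run.log under LOG_DIR.
REM The append redirection is placed BEFORE echo on purpose: written as
REM "echo ...%~1>>file", a message ending in a digit (e.g. an output path
REM ending in "_114800") makes cmd read that digit as a file-handle number,
REM so the digit is dropped and the line never reaches the log.
REM The file write is skipped while LOG_DIR is not yet defined.
REM Returns 0.
echo [%date% %time%] %~1
if defined LOG_DIR >>"%LOG_DIR%\run.log" echo [%date% %time%] %~1
exit /b 0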
:die
REM Log message %1 with a FATAL prefix and return 2.
REM "exit /b" only leaves this subroutine; it does not terminate the script.
REM A caller that wants to abort must propagate the code itself, e.g.
REM "call :die "..." & exit /b 2" or "call :die "..." || exit /b 2".
call :log "FATAL: %~1"
exit /b 2