
Batch files against exploits (version for Windows XP)

Somehow I came across a publication on Habr, "Batch files against exploits". It described how to launch a browser under a specially created user who has no rights to run applications. According to the author, this can protect against exploits and drive-by attacks.

This undoubtedly useful article had one flaw: it was written for Windows 7 (which, to be fair, it stated openly).

After Windows XP went out of support, I still had a netbook running XP, and the idea of hardening the system by adapting this solution seemed entirely natural.

I put on my wizard hat and cast a level-10 Bill Gates.


Attempts to adapt the batch file to the existing Russian XP revealed a number of flaws in the code.

After reworking it, I ended up with the following batch file:

ATTENTION! The code works only on WinXP. For Windows 7, see the original article.
:: Written by: Sergey.Golovanov at kaspersky.com for habrahabr.ru (enhanced by Alexey Girin - vk.com/alexey.girin)
@echo on
echo If you want to get access to this file from the Internet files.
pause
:: Setup new user ::
set safeusername=saferun_user_%random%
set safepassword=%random%Ai%random%
echo Login: %safeusername%
echo Password: %safepassword%
net user %safeusername% /delete
del Browserlist4saferun.txt
net user %safeusername% %safepassword% /add

:: init new user profile ::
:: RunAs has no password switch, so a throwaway VBS types the password into the RunAs prompt with SendKeys
echo Option explicit> init_new_user_profile.vbs
echo Dim oShell >> init_new_user_profile.vbs
echo set oShell = Wscript.CreateObject("WScript.Shell") >> init_new_user_profile.vbs
echo oShell.Run "RunAs /profile /user:%safeusername% ping" >> init_new_user_profile.vbs
echo WScript.Sleep 1000 >> init_new_user_profile.vbs
echo oShell.Sendkeys "%safepassword%" >> init_new_user_profile.vbs
echo oShell.Sendkeys "{ENTER}" >> init_new_user_profile.vbs
echo Wscript.Quit >> init_new_user_profile.vbs
call cscript init_new_user_profile.vbs
ping -n 10 localhost >nul
del init_new_user_profile.vbs

:: Setup privileges for new user ::
:: Remove the account from Users and deny it Write DAC, Write Owner and Execute on its own profile (inherited by files)
net localgroup users %safeusername% /delete
cscript "%ProgramFiles%\Windows Resource Kits\Tools\XCACLS.vbs" "%USERPROFILE%\..\%safeusername%\" /D %safeusername%:(OI)(IO)(WDAC,WO,X)

:: Setup browsers ::
:: Each detected browser is appended to Browserlist4saferun.txt as "Name|InstallDir" (no spaces around the bar: the name becomes a file name)
:FindOpera
if exist "%APPDATA%\Opera\" xcopy /E /I /C /Y /Q /H /R "%APPDATA%\Opera\*" "%USERPROFILE%\..\%safeusername%\AppData\Roaming\Opera\"
if exist "%ProgramFiles%\Opera\Opera.exe" goto run4opera
if exist "%ProgramFiles(x86)%\Opera\Opera.exe" goto run4operax86
goto FindFireFox
:run4opera
echo Opera^|%ProgramFiles%\Opera>> Browserlist4saferun.txt
goto FindFireFox
:run4operax86
set Browsername=Opera
echo Opera^|%ProgramFiles(x86)%\Opera>> Browserlist4saferun.txt
goto FindFireFox
:FindFireFox
if exist "%APPDATA%\Mozilla\" xcopy /E /I /C /Y /Q /H /R "%APPDATA%\Mozilla\*" "%USERPROFILE%\..\%safeusername%\AppData\Roaming\Mozilla\"
if exist "%ProgramFiles%\Mozilla Firefox\Firefox.exe" goto run4Firefox
if exist "%ProgramFiles(x86)%\Mozilla Firefox\Firefox.exe" goto run4Firefoxx86
goto FindChrome
:run4Firefox
echo Firefox^|%ProgramFiles%\Mozilla Firefox>> Browserlist4saferun.txt
goto FindChrome
:run4Firefoxx86
echo Firefox^|%ProgramFiles(x86)%\Mozilla Firefox>> Browserlist4saferun.txt
goto FindChrome
:FindChrome
if exist "%LOCALAPPDATA%\Google\Chrome\Application\chrome.exe" goto run4chrome
goto FindIE
:run4chrome
:: // Chrome is not stable. Disabled for performance.
:: xcopy /E /I /C /Y /Q /H /R "%LOCALAPPDATA%\Google\Chrome\*" "%USERPROFILE%\..\%safeusername%\AppData\Local\Google\Chrome\"
:: for /r "%USERPROFILE%\..\%safeusername%\AppData\Local\Google\Chrome\" %%C in (*.exe) do icacls %%C /grant %safeusername%:(X)
:: for /r "%USERPROFILE%\..\%safeusername%\AppData\Local\Google\Chrome\" %%C in (*.dll) do icacls %%C /grant %safeusername%:(X)
:: echo Chrome^|"%USERPROFILE%\..\%safeusername%\AppData\Local\Google\Chrome\Application\">> Browserlist4saferun.txt
goto FindIE
:FindIE
:: // TODO A lot of XCOPYs
if exist "%LOCALAPPDATA%\Microsoft\Internet Explorer" (
xcopy /E /I /C /Y /Q /H /R "%USERPROFILE%\Favorites\*" "%USERPROFILE%\..\%safeusername%\Favorites\"
xcopy /E /I /C /Y /Q /H /R "%LOCALAPPDATA%\Microsoft\Internet Explorer\*" "%USERPROFILE%\..\%safeusername%\AppData\Local\Microsoft\Internet Explorer\"
xcopy /E /I /C /Y /Q /H /R "%LOCALAPPDATA%\Microsoft\Windows\History\*" "%USERPROFILE%\..\%safeusername%\AppData\Local\Windows\History"
xcopy /E /I /C /Y /Q /H /R "%APPDATA%\Roaming\Microsoft\Windows\Cookies\*" "%USERPROFILE%\..\%safeusername%\AppData\Roaming\Microsoft\Windows\Cookies\"
)
if exist "%ProgramFiles(x86)%\Internet Explorer\iexplore.exe" goto run4iex86
if exist "%ProgramFiles%\Internet Explorer\iexplore.exe" goto run4ie
:run4iex86
echo IExplore^|%ProgramFiles(x86)%\Internet Explorer>> Browserlist4saferun.txt
goto MakeLinks
:run4ie
echo IExplore^|%ProgramFiles%\Internet Explorer>> Browserlist4saferun.txt

:: Make links ::
:MakeLinks
rd /s /q "%USERPROFILE%\Downloads\Browser"
rd /s /q "%USERPROFILE%\Рабочий стол\SafeLinks"
"%ProgramFiles%\Windows Resource Kits\Tools\linkd.exe" /d "%USERPROFILE%\Downloads\Browser" "%USERPROFILE%\..\%safeusername%\Downloads"
mkdir "%USERPROFILE%\Рабочий стол\SafeLinks"
echo on
:: For every browser: write a launcher VBS into the browser directory (RunAs + SendKeys, as above),
:: then write a second VBS into SafeLinks that creates a shortcut to that launcher. Parentheses are escaped
:: with ^ because these echo lines sit inside a for ( ... ) block.
for /f "tokens=1,2 delims=|" %%A in (Browserlist4saferun.txt) do (
echo Option explicit> "%%B\%%A.vbs"
echo Dim oShell >> "%%B\%%A.vbs"
echo set oShell = Wscript.CreateObject^("WScript.Shell"^) >> "%%B\%%A.vbs"
echo oShell.Run "RunAs /user:%safeusername% %%A.exe" >> "%%B\%%A.vbs"
echo WScript.Sleep 1000 >> "%%B\%%A.vbs"
echo oShell.Sendkeys "%safepassword%" >> "%%B\%%A.vbs"
echo oShell.Sendkeys "{ENTER}" >> "%%B\%%A.vbs"
echo Wscript.Quit >> "%%B\%%A.vbs"
echo Set oWS = WScript.CreateObject^("WScript.Shell"^)> "%USERPROFILE%\Рабочий стол\SafeLinks\%%A.lnk.vbs"
echo sLinkFile = "%USERPROFILE%\Desktop\SafeLinks\%%A_saferun.LNK" >> "%USERPROFILE%\Рабочий стол\SafeLinks\%%A.lnk.vbs"
echo Set oLink = oWS.CreateShortcut^(sLinkFile^) >> "%USERPROFILE%\Рабочий стол\SafeLinks\%%A.lnk.vbs"
REM The TargetPath line was truncated in the source; assumed here to point at the launcher VBS written above
echo oLink.TargetPath = "%%B\%%A.vbs" >> "%USERPROFILE%\Рабочий стол\SafeLinks\%%A.lnk.vbs"
echo oLink.IconLocation = "%%B\%%A.exe, 0" >> "%USERPROFILE%\Рабочий стол\SafeLinks\%%A.lnk.vbs"
echo oLink.WorkingDirectory = "%%B\" >> "%USERPROFILE%\Рабочий стол\SafeLinks\%%A.lnk.vbs"
echo oLink.Save >> "%USERPROFILE%\Рабочий стол\SafeLinks\%%A.lnk.vbs"
)
:: Paths are quoted: the profile path contains spaces on XP ("Documents and Settings", "Рабочий стол")
for /r "%USERPROFILE%\Рабочий стол\SafeLinks\" %%p in (*.vbs) do cscript "%%p"
for /r "%USERPROFILE%\Рабочий стол\SafeLinks\" %%v in (*.vbs) do del "%%v"
:: Open Explorer with links ::
explorer "%USERPROFILE%\Рабочий стол\SafeLinks\"

:: Create Uninstall ::
:: %%%% is written so that the generated uninstall batch file itself contains %%A / %%B
echo @echo off> uninstall_%~n0.bat
echo net user %safeusername% /del >> uninstall_%~n0.bat
echo rd /s /q "%USERPROFILE%\Downloads\Browser" >> uninstall_%~n0.bat
echo rd /s /q "%USERPROFILE%\Рабочий стол\SafeLinks" >> uninstall_%~n0.bat
echo rd /s /q "%USERPROFILE%\..\%safeusername%\" >> uninstall_%~n0.bat
echo for /f "tokens=1,2 delims=|" %%%%A in (Browserlist4saferun.txt) do del "%%%%B\%%%%A.vbs" >> uninstall_%~n0.bat
echo del Browserlist4saferun.txt >> uninstall_%~n0.bat
echo del %%0 >> uninstall_%~n0.bat

:Exit


Copy this text into Notepad and save it as SaveRun.bat.

ATTENTION! If you plan to run it on an English Windows, you must replace every occurrence of the substrings "Рабочий стол" and "Desktop" (without quotes) in the code with Desktop (or simply the name of the directory that holds your desktop). Otherwise the code will work correctly only on a Russian Windows.

In addition, you need to download and install on the machine:

1. Windows Server 2003 Resource Kit Tools;
2. Extended Change Access Control List Tool (Xcacls).

ATTENTION! Both must be installed in the resource kit's default directory, %Programfiles%\Windows Resource Kits\Tools\, or else correct that path in the code.

Now you can run it.

The system is very simple. It:
  1. Creates a random user who has no rights to run applications from its own profile, which is where, according to the author's plan, all the malware will try to land and start from;
  2. Scans the default installation paths of all the major browsers (Firefox, Chrome, IE, Opera) and, for each one found, creates a VBS script which (when launched) generates a shortcut for starting that browser. When that shortcut is launched, the browser starts with the rights of the neutered user;
  3. Creates a SafeLinks folder on the desktop where all the VBS scripts are placed.
    The shortcuts generated by those scripts for launching the browsers end up there as well;
  4. Creates an uninstall_%~n0.bat file next to the source batch file. When run, this batch file removes the neutered user, the scripts and the directory, and then deletes itself.
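A post-setup check is the thing I would add next to this procedure. The batch file below is an added example for this page, not part of SaveRun.bat or of the original article; it assumes SaveRun.bat has already run, takes the login it printed as its first argument, keeps the page's convention of locating the new profile at %USERPROFILE%\..\<user> and the desktop at "Рабочий стол" (change that name on an English Windows), and relies on net, cacls, findstr and tasklist being present (tasklist ships with XP Professional). The group-membership check reads the English "*Users" line of net user output.

```batch
@echo off
REM check_saferun.bat - added post-setup check; NOT part of the original SaveRun.bat.
REM Assumes SaveRun.bat has already run; pass the login it printed as the first argument.
if "%~1"=="" (
    echo Usage: %~n0 saferun_user_NNNN
    exit /b 1
)
set "safeusername=%~1"
set "safeprofile=%USERPROFILE%\..\%safeusername%"
REM Desktop folder name as used on the page (Russian XP); change to Desktop on an English Windows.
set "safelinks=%USERPROFILE%\Рабочий стол\SafeLinks"

echo [1] Account %safeusername% exists:
net user %safeusername% >nul 2>&1 && (echo     OK) || (echo     FAIL: account not found & exit /b 1)

echo [2] Account is no longer a member of the Users group (English net user output assumed):
net user %safeusername% | findstr /i /c:"*Users" >nul && (echo     FAIL: still in Users) || (echo     OK)

echo [3] ACL of the profile directory - expect a DENY entry for %safeusername% marked (OI)(IO):
cacls "%safeprofile%" | findstr /i /c:"%safeusername%" || echo     FAIL: no entry for %safeusername%, the XCACLS step did not apply

echo [4] Shortcuts present in SafeLinks:
dir /b "%safelinks%\*.lnk" 2>nul || echo     none found - check the desktop folder name in SaveRun.bat

echo [5] Processes currently running as %safeusername% (start a browser from SafeLinks first):
tasklist /V | findstr /i /c:"%safeusername%" || echo     none - the browser is not running, or it runs under your own account
```

Run it as `check_saferun.bat saferun_user_12345` after starting a browser from SafeLinks; check [5] is the one that confirms the browser really runs under the restricted account rather than silently under your own (which is what happens when the SendKeys password typing in the launcher VBS misses the RunAs prompt).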


I tested all of this on a Russian Windows with Firefox 33.0 installed.

It works.

Source: https://habr.com/ru/post/241081/

