hide batch file content

daniel

I have batch files that my users see, and there are some
of them who know a little about batch files and are
getting some of the content out of them that I really
don't want them to see. Can anyone tell me if and how it
is possible for me to hide content, such as file paths
and usernames and passwords?

Thanks,

Daniel
 
Tom Lavedas

There really is no way to do this with a batch file.
There is an ancient bat2exe.com utility out there, but it
is fraught with problems, especially in conjunction with
newer OS's. The Windows Script Host can do anything a
batch file can - and a lot more besides - and it has an
encryption utility that will hide the code. However, the
learning curve is significant.

See the following, if you want to check it out:

http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.asp?contentid=28001169

http://www.microsoft.com/technet/scriptcenter/Default.asp

Tom Lavedas
===========
 
Frank

SUBJECT: Re: hide batch file content
Tom Lavedas <[email protected]>...

^ There really is no way to do this with a batch file.

That statement may not be true. If you mean hide it so that no one can
possibly ever see it then I don't know. I haven't spent any time on it. But
you can hide the output so that it is not likely that anyone will know where
to look. There are two ways that I can think of off hand:

WAY 1:

Run the script on another desktop, one with a random name.

If the user is able to find out that there is a script running on another
desktop then the user must peer through a list of desktops and guess which it
may be. Windows does not come with a program that lists desktops (at least
not NT4 and prior) so one must be installed.

With each guess the user must then attempt to switch to that desktop to view
the script output. Windows (at least not NT4 and prior) does not come with a
desktop switching utility so one must be installed.

WAY 2:

Set the console window status to HIDDEN. If the user is able to find out that
there is a script running in a hidden console then the user must peer through
a list of windows and guess which it may be. Windows does not come with a
program that lists windows (at least not NT4 and prior) so one must be
installed.

With each guess the user must then attempt to set that window to NORMAL to
view the script output. Windows (at least not NT4 and prior) does not come
with a program that selectively sets a window's status so one must be
installed.

RELATED PROGRAMS:
Hide console windows:
<http://fpw.static.pe.net:8080/freeware/showconsole.zip>

Run process on another desktop:
<http://fpw.static.pe.net:8080/freeware/runprocess.zip>

Enumerate desktops:
<http://fpw.static.pe.net:8080/freeware/enumdesks.zip>

Switch desktops:
<http://fpw.static.pe.net:8080/freeware/desk.zip>

Frank
 
Brendon Rogers

In order for a user to be able to run a batch file they need to be able to
execute it, and in order to be able to execute it they need to be able to
read it and if they can read it....

Encryption is the only real way to go; another way is to create executables
of your batch files which will make "reading" them a lot more difficult.
Look up bat2exec
 
Herb Martin

Encryption is the only real way to go; another way is to create executables
of your batch files which will make "reading" them a lot more difficult.
Look up bat2exec

It is actually possible to make an EXE executable but NOT
readable. (It can be loaded to run but not as data.)
You must mess with the "Special Permissions".

There is a FUNKY way to arrange to execute a batch
while not making it readable. You run a "file watcher"
process (under another account like system) and when it
'sees' a certain file it runs.

The user submits one batch file which causes the hidden
file to run. I have used this in the past mostly to run
batch files remotely on DOS where there was no "task
scheduler" for remote submission.
 
Jack

There is a program out there called Batch Compiler 5.0 and others like
it that convert your batch files into executables. (therefore denying
the user the ability to view your source) These work pretty well...

On a second note, I would strongly advise against storing user names
and passwords in batch files. It's not wise, as you have seen, your
users can look at them. That kind of defeats the whole purpose of
having passwords, eh?

Good luck,
Jack
 
Phil Robyn

Ritchie said:
You might find a utility to perform this, but I doubt it.
Anyone capable of writing such a tool is likely to realise the
futility of doing so. Take WSH as an example; Microsoft wrote
an encoder, one hundred 'hackers' wrote a decoder - Here's the
first one I found using google:-

http://www.virtualconspiracy.com/index.php?page=scrdec/download

You should be able to achieve your goal solely through the use of
permissions and without obfuscation. What are you ultimately
trying to achieve by this? Maybe someone else or myself can suggest
the 'proper' way.

Hi, Ritchie,

I agree with you that obfuscation should not be necessary. What the
original poster didn't make clear was whether these 'snoopy users'
are just sort of poking around looking at his batch files, or whether
the 'snoopy users' have to be allowed to execute these batch files.
If the former, then that should be easy enough to put a stop to.
If the latter, then I think I would try what Herb Martin suggested,
namely, have a regularly scheduled 'monitor' batch file that monitors
a queue of user requests. This 'monitor' would be set to run under
one userid, and the file paths, passwords, and other information to
be kept private would be put in that userid's registry with suitable
permissions applied to the keys so the entries can only be read by
that userid. The queue 'monitor' would then be responsible for
retrieving the private info from the registry, placing it into
environment variables, and then calling whatever batch file is
appropriate to satisfy the user request.
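
One way to build the queue monitor described in the post above, as an added PowerShell example that is not part of the original thread. The directory paths, registry key, request names and worker script names are all assumptions, and the NTFS and registry permissions noted in the comments have to be set separately.

```powershell
# Added example: queue monitor, run by Task Scheduler as a dedicated account.
# Every path, key and request name here is a hypothetical placeholder.
$QueueDir   = 'C:\BatchQueue\incoming'   # users may create files here, nothing else
$DoneDir    = 'C:\BatchQueue\done'       # monitor account only (logs may echo secrets)
$ScriptDir  = 'C:\BatchPrivate'          # monitor account only; users have no access
$SecretsKey = 'HKCU:\Software\BatchMonitor\Secrets'  # in the monitor account's own hive

# A request is a name, never a command line. Unlisted names are rejected.
$Allowed = @{
    'map-share'   = 'map_share.cmd'
    'sync-backup' = 'sync_backup.cmd'
}

function Get-RequestName([string]$Path) {
    # Only the first line is read, and it must be a single short lowercase token,
    # so a request cannot smuggle in paths, quotes or shell metacharacters.
    $line = Get-Content -LiteralPath $Path -TotalCount 1 -ErrorAction SilentlyContinue
    if ($null -ne $line -and $line.Trim() -cmatch '^[a-z0-9-]{1,32}$') {
        return $line.Trim()
    }
    return $null
}

function Import-Secrets {
    # Copy each registry value into this process's environment only.
    $key = Get-Item -LiteralPath $SecretsKey -ErrorAction Stop
    foreach ($valueName in $key.GetValueNames()) {
        if ($valueName) {   # skip the unnamed default value
            $value = [string]$key.GetValue($valueName)
            [Environment]::SetEnvironmentVariable($valueName, $value, 'Process')
        }
    }
}

Import-Secrets
foreach ($req in Get-ChildItem -LiteralPath $QueueDir -File) {
    $name = Get-RequestName $req.FullName
    if ($name -and $Allowed.ContainsKey($name)) {
        # The worker batch file inherits the environment and reads %VARS% from it.
        $log = Join-Path $DoneDir "$($req.Name).log"
        & cmd.exe /d /c (Join-Path $ScriptDir $Allowed[$name]) *> $log
    } else {
        Write-Warning "Rejected request file $($req.Name)"
    }
    Move-Item -LiteralPath $req.FullName -Destination $DoneDir -Force
}
```

The user-facing batch file then only needs to drop a one-line request file into the queue directory, so nothing the user can read contains a path or credential.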
 
Ritchie

Phil Robyn said:
namely, have a regularly scheduled 'monitor' batch file that monitors
a queue of user requests. This 'monitor' would be set to run under
one userid, and the file paths, passwords, and other information to

I couldn't agree more:-

From: Ritchie
Subject: Re: Permission to start and stop services
Newsgroups: microsoft.public.windowsnt.misc
Date: 2002-11-06 06:34:10 PST
http://groups.google.com/[email protected]
 
Herb Martin

Yes, I know that storing pws isn't good, that is why I am
trying to hide these in the batch. These batch files are
not running currently because of this. I have already
tried the Batch Compiler 5.0 and it does work very well.

To make the batch compiler idea better you can consider
Permissions (Access Control List -- ACLs)

An executable is different from a batch as the latter is READ,
and then 'executed' (interpreted really) by ANOTHER executable.

An executable can be marked for execute without being made
readable.

See "Advanced Special Permission" in explorer or use XCacls
instead of Cacls from the command line.

For tougher problems (it makes it pretty tough if it isn't already)
use SetAcl.exe from SourceForge.
 
Herb Martin

If they 'see' these because they edit them, try removing read permission
(but leave Execute permission). It used to work in NT.

For EXE files -- not for .Bat or CMD as they must be read.

It still works on Win2000 (and should work on all NTFS
systems) -- I tried it again last week. said:
If they see the batch while it is running, you can configure the window to be
off screen and very small (see tip 438 in the 'Tips & Tricks' at
http://www.jsiinc.com for the basic idea) or you could run them from the
scheduler in a non-logged-on-user context.

Start /separate /b should work too, put it in the background.
 
