Juin 172018
 

Been playing with the excellent strarc from Olof.

The basics first:
-to backup a drive/folder to an archive: strarc.exe -cd:C:\ Z:\winxpsp3.sa
-to restore a drive/folder from an archive : strarc.exe -xd:C:\ Z:\winxpsp3.sa

Then, one can backup all files from one logical drive to another (on XP) in one go with this command : strarc.exe -crjd:c:\ | strarc.exe -xd:d:\.
Note the r parameter which will take care of loaded registry hives.
Ideally, rather than backuping a « hot » logical disk (i.e in used), you would use a Volume shadow copy as source (see a discussion here).

Dont forget that when you decide to backup files (i.e not a full physical disk), you need to take care of the MBR on the target disk (hint : grub4dos) and ensure that registry hives are included.

You can also perform such a backup over the network:
-On the « server / host A » side : nc -v -l -p 9000 -e « strarc -cd:x:\my_folder\ »
-On the « client / host B » side : nc 192.168.1.1 9000 > dump.sa (update the IP obviously with your « server » IP).

 Posted by at 13 h 22 min  Tagged with:
Juin 112018
 

MakeIso will create an ISO from a source folder.

Supports multi-boot iso : x86 and EFI.
Support ISO9660, UDF, Joliet or any combination of these 3 filesystems.
Supports isolinux (checksum will be taken care of).
Tested successfully with Grub4Dos.

Mkiso is native (no external dependencies), standalone, built in on windows builtin imapi2.

MkIso is also part of CloneDisk.

Questions, feedback, requests welcome here.

Download here.

Regards,
Erwan

 Posted by at 20 h 06 min
Juin 112018
 

Updated version following up on this article : added netcat support

Download from here

RAW can be :
-A logical drive in the form of \\.\X:
-A physical drive in the form of \\.\physicaldriveX
-A volume in the form of \\?\Volume{e26e7b15-122a-11e7-82bf-806e6f6e6963}
-A volume snapshot in the form of \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
-A disk image file in the form of c:\temp\disk.img

DEVIO or NETCAT will be IP:PORT (ex: 127.0.0.1:9000)

NETCAT command line:
Use nc to dump incoming datas to a file (i.e RAW to NETCAT) -> nc.exe -v -n -l -p 9000 > c:\temp\disk.img
Use nc to send datas from a file (i.e NETCAT to RAW) -> nc -l -v -p 9000 < c:\temp\disk.img

DEVIO (RAW to DEVIO or DEVIO TO RAW) command line:
A logical drive -> devio 9000 \\.\X:
A physical drive -> devio 9000 \\.\PhysicalDriveX
A physical drive and a partition (starting a 1) -> devio 9000 \\.\PhysicalDriveX 2
A file (must exist and sized according to your needs) -> devio 9000 c:\temp\disk.img 0 0

 Posted by at 19 h 41 min
Fév 032018
 

A native app is an app that will be launched as soon as the kernel initialization is completed.

It will be launched (in user mode) by the session manager (smss.exe) thru the registry key HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\BootExecute(run at every boot) or HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\setupexecute(run once only).

A native app can only use NT API functions (ntdll.dll) and not the Windows API functions.

Possible usages :
nativereg createkey \Registry\Machine\SYSTEM\Setup key1
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test0 8 REG_RND_SZ
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test1 toto REG_SZ
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test2 112233AABBCC REG_BINARY
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test3 666 REG_DWORD
nativereg deletevalue \Registry\Machine\SYSTEM\Setup\key1 test1
nativereg deletekey \Registry\Machine\SYSTEM\Setup\key1

The tool is 32 bits (a 64 bits may come later).
It works on XP and up.

Discussion here.

Regards,
Erwan

Fév 032018
 

From an offline SAM hive (could be from winpe), run the below command, reboot and log in with a blank password.
CAREFULL : make a backup of your hive first !


OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 160
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 172

See here for more details about setvaluebyteat details.

000003e8 is my custom local admin account.
000001f4 would be the default windows account.
0xA0 (160) and 0xAC (170) are the offset for the LM and NTLM hash lengths: setting this to 0 effectively set the password to blank.

Use the below command line to enum accounts in your SAM db.


OfflineReg-win32 "c:\windows\system32\config\SAM" SAM\Domains\Account\Users enumkeys

 Posted by at 14 h 45 min
Fév 032018
 

Lots of additions, changes, bug fixes, etc made to OfflineReg.

Discussion here.

Donwload here.

Command line

OfflineReg v1.0.3 by Erwan.L - http://erwan.labalec.fr/ - erwan2212@gmail.fr
Main Usage : OfflineReg hivepath keypath verb argument(s)
Example : OfflineReg "c:\temp\system" a_key_path getvalue a_value_name
Example : OfflineReg "c:\temp\system" a_key_path getvaluebyteat a_value_name offset
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_sz_value a_new_value
Example : OfflineReg "c:\temp\system" a_key_path setvalue " " a_new_value -> will set default key
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_dword_value a_dword_value 4
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_qword_value a_qword_value 11
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_binary_value 0a,0b,0c,0d,0e,0f 3
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_binary_value "0a 0b 0c 0d 0e 0f" 3
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_multi_sz_value "blah blah blah" 7
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_expand_sz_value "blah blah blah" 2
Example : OfflineReg "c:\temp\system" a_key_path setvaluebyteat a_reg_binary_value a_byte_value offset
Example : OfflineReg "c:\temp\system" a_key_path deletevalue a_value
Example : OfflineReg "c:\temp\system" a_key_path deletekey a_key
Example : OfflineReg "c:\temp\system" a_key_path deletekey
Example : OfflineReg "c:\temp\system" a_key_path deletekeys
Example : OfflineReg "c:\temp\system" a_key_path createkey a_key
Example : OfflineReg "c:\temp\system" a_key_path createkey
Example : OfflineReg "c:\temp\system" " " createkey a_key -> will create a key under root
Example : OfflineReg "c:\temp\system" a_key_path enumkeys
Example : OfflineReg "c:\temp\system" " " enumkeys -> will enum keys under root
Example : OfflineReg "c:\temp\system" a_key_path enumkeysR
Example : OfflineReg "c:\temp\system" a_key_path enumvalues
Example : OfflineReg "c:\temp\system" a_key_path enumvaluesall
Example : OfflineReg "c:\temp\system" a_key_path create
Example : OfflineReg "c:\temp\system" " " create
Example : OfflineReg "c:\temp\system" " " import commands.reg
Example : OfflineReg "c:\temp\system" " " run commands.txt

 Posted by at 14 h 36 min