Fév 032018
 

A native app is an app that will be launched as soon as the kernel initialization is completed.

It will be launched (in user mode) by the session manager (smss.exe) thru the registry key HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\BootExecute(run at every boot) or HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\setupexecute(run once only).

A native app can only use NT API functions (ntdll.dll) and not the Windows API functions.

Possible usages :
nativereg createkey \Registry\Machine\SYSTEM\Setup key1
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test0 8 REG_RND_SZ
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test1 toto REG_SZ
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test2 112233AABBCC REG_BINARY
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test3 666 REG_DWORD
nativereg deletevalue \Registry\Machine\SYSTEM\Setup\key1 test1
nativereg deletekey \Registry\Machine\SYSTEM\Setup\key1

The tool is 32 bits (a 64 bits may come later).
It works on XP and up.

Discussion here.

Regards,
Erwan

Fév 032018
 

From an offline SAM hive (could be from winpe), run the below command, reboot and log in with a blank password.
CAREFULL : make your hive first !


OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 160
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 172

000003e8 is my custom local admin account.
000001f4 would be the default windows account.
0xA0 and 0xAC are the LM and NTLM hash lengths

Use the below command line to enum accounts in your SAM db.


OfflineReg-win32 "c:\windows\system32\config\SAM" SAM\Domains\Account\Users enumkeys

 Posted by at 14 h 45 min
Fév 032018
 

Lots of additions, changes, bug fixes, etc made to OfflineReg.

Discussion here.

Donwload here.

Command line

OfflineReg v1.0.3 by Erwan.L - http://erwan.labalec.fr/ - erwan2212@gmail.fr
Main Usage : OfflineReg hivepath keypath verb argument(s)
Example : OfflineReg "c:\temp\system" a_key_path getvalue a_value_name
Example : OfflineReg "c:\temp\system" a_key_path getvaluebyteat a_value_name offset
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_sz_value a_new_value
Example : OfflineReg "c:\temp\system" a_key_path setvalue " " a_new_value -> will set default key
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_dword_value a_dword_value 4
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_qword_value a_qword_value 11
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_binary_value 0a,0b,0c,0d,0e,0f 3
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_binary_value "0a 0b 0c 0d 0e 0f" 3
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_multi_sz_value "blah blah blah" 7
Example : OfflineReg "c:\temp\system" a_key_path setvalue a_reg_expand_sz_value "blah blah blah" 2
Example : OfflineReg "c:\temp\system" a_key_path setvaluebyteat a_reg_binary_value a_byte_value offset
Example : OfflineReg "c:\temp\system" a_key_path deletevalue a_value
Example : OfflineReg "c:\temp\system" a_key_path deletekey a_key
Example : OfflineReg "c:\temp\system" a_key_path deletekey
Example : OfflineReg "c:\temp\system" a_key_path deletekeys
Example : OfflineReg "c:\temp\system" a_key_path createkey a_key
Example : OfflineReg "c:\temp\system" a_key_path createkey
Example : OfflineReg "c:\temp\system" " " createkey a_key -> will create a key under root
Example : OfflineReg "c:\temp\system" a_key_path enumkeys
Example : OfflineReg "c:\temp\system" " " enumkeys -> will enum keys under root
Example : OfflineReg "c:\temp\system" a_key_path enumkeysR
Example : OfflineReg "c:\temp\system" a_key_path enumvalues
Example : OfflineReg "c:\temp\system" a_key_path enumvaluesall
Example : OfflineReg "c:\temp\system" a_key_path create
Example : OfflineReg "c:\temp\system" " " create
Example : OfflineReg "c:\temp\system" " " import commands.reg
Example : OfflineReg "c:\temp\system" " " run commands.txt

 Posted by at 14 h 36 min
Jan 082018
 

Sharing a iPXE script (using wimboot) I am using these days along with Tiny PXE Server to boot winpe over the network on multiple platform : pcbios i386, pcbios x86_64, efi i386, efi x86_64.

Tiny PXE Server is serving by default pcbios ipxe.pxe and also, depending on the client architecture, serving the matching ipxe efi version.

See below my config.ini and a custom wimboot.ipxe script.

Discuss it here.


[dhcp]
proxydhcp=1
httpd=1
bind=1
root=\files
filename=ipxe.pxe
altfilename=wimboot.ipxe
[arch]
00006=ipxe-i386.efi
00007=ipxe-x86_64.efi
00009=ipxe-x86_64.efi


#!ipxe
#more about wimboot tips and tricks : http://ipxe.org/wimboot
set boot-url http://${dhcp-server}
#note : we are not going to use cpuid/arch
cpuid --ext 29 && set arch x64 || set arch x86
echo ${arch}
echo ${platform}_${buildarch}
goto ${platform}_${buildarch} || goto unknown
:pcbios_x86_64
kernel ${boot-url}/wimboot
initrd ${boot-url}/BOOTMGR.EXE bootmgr.exe
initrd ${boot-url}/BOOT/BCD BCD
initrd ${boot-url}/BOOT/BOOT.SDI BOOT.SDI
initrd ${boot-url}/SOURCES/x64/BOOT.WIM BOOT.WIM
boot
:pcbios_i386
kernel ${boot-url}/wimboot
initrd ${boot-url}/BOOTMGR.EXE bootmgr.exe
initrd ${boot-url}/BOOT/BCD BCD
initrd ${boot-url}/BOOT/BOOT.SDI BOOT.SDI
initrd ${boot-url}/SOURCES/x86/BOOT.WIM BOOT.WIM
boot
:efi_x86_64
kernel ${boot-url}/wimboot
initrd ${boot-url}/bootx64.efi bootx64.efi
initrd ${boot-url}/EFI/MICROSOFT/BOOT/BCD BCD
initrd ${boot-url}/BOOT/BOOT.SDI BOOT.SDI
initrd ${boot-url}/SOURCES/x64/BOOT.WIM BOOT.WIM
boot
:efi_i386
kernel ${boot-url}/wimboot.i386
initrd ${boot-url}/bootia32.efi bootia32.efi
initrd ${boot-url}/EFI/MICROSOFT/BOOT/BCD BCD
initrd ${boot-url}/BOOT/BOOT.SDI BOOT.SDI
initrd ${boot-url}/SOURCES/x86/BOOT.WIM BOOT.WIM
boot
:unknown
echo Unknown platform ${platform}_${buildarch}

 Posted by at 20 h 47 min  Tagged with:
Jan 082018
 

If like me you have an old computer and dont want to install the Ubuntu update for Meltdown and Spectre ubuntu update :

  • sudo vi /etc/default/grub
  • add nopti to GRUB_CMDLINE_LINUX_DEFAULT (there should be a list of parameters already like « nomdmonddf nomdmonisw nomdmonddf nomdmonisw »)
  • sudo update-grub
  • sudo reboot

check that nopti is there with cat /proc/cmdline

Jan 032018
 

On removable medias (such as USB disks), Windows can only access one partition at a time.
This is a driver limitation (which you can actually work around by using another driver but this is not the point of this article).

Here below one way to work around this.

First, lets select our device in CloneDisk and under the disk (right) menu : (1) put it offline, (2) delete disk layout, (3) create 2 (or more) partitions, (4) put your disk online.

Note that if you disk is already multi partitioned, you can skip the above 4 tasks and go the last part of this article which is about accessing the second partition.

Create one partition, and repeat this task once.

Once done (i.e partitions are created), it should looks like this once done (2 times 2 GB partitions).

In CloneDisk main window, put your disk online : windows should detect a new volume and offer to format it (if not, remove and reinsert media).

Create a folder named ‘part1’ (this is only a witness/indicator)

Now, lets see how we can access the second partition : Go back to CloneDisk -> Disk -> Partition Editor, select your second partition and « set as partition number 1 ».

Again, windows should detect a new volume (the previous volume ‘part 1’ has disappeared) and offer to format it (if not, remve and reinsert media) – unless you have skipped the first part of this article.

Create a folder named ‘part2’.

You can now switch back and forth between your partitions on your removable media by using CloneDisk -> Disk -> Partition Editor, select your partition and « set as partition number 1 ».

 Posted by at 20 h 31 min
Déc 292017
 

2.3.7
modified : rewritten _enum_drives_lv to enumerate thru volumes not drive letters (x32)
modified : selected.caption replaced with inttostr(integer(lvdisks.Selected.data)) (x32)
modified : renamed convert to vmdk/vhd to create vmdk file descriptor
modified : added raw to vhd in disk conversion
modified : GetVolumeNameForVolumeMountPoint moved to udiskmgmt
todo : move md5 hash to disk image
added : if pos(‘:\’,path)>0 then exit; in prep_src & prep_dst
added : backup/restore in mbr editor (x32)
modified : backup will now suggest a proper filename (x32)
modified : set disk ro and rw will go offline/online if disk is online (x32)
modified : VDI2RAW,vmdk2raw,vhd2raw,restore_devio,backup_devio,EWF2Drive,Drive2EWF moved to new uconvert unit (x32)
modified : createfile_devio,getfilesize_deviowrite_devio,prep_src,prep_dst,_lockdismount_vol,_unlock_vol moved to new uconvert unit (x32)
modified : vdi,LibVMDK,libVHDI,LibEWFUnit,wsck removed from umain (x32)
removed : privilege, ntdll, fmifs units
modified : GetDriveParams moved udiskmgt
removed : int13ext unit
modified : uformat renamed to ufrmformat
fixed : result set to 0 in lib._GetDosDrives
modified : Drive2RAW,RAW2Drive moved to uconvert unit (x32)
added : mode 0 in lib._EnumerateDosDevices to list all devices
added : list volume shadow copy volumes in volumes
added : add dos device in volumes
modified : renamed createvhd to umsvirtdisk
modified : renamed main to ufrmMain
modified : replaced custom wsck unit with delphi winsock unit
midified : libewf_SetCompressionValues uses LIBEWF_COMPRESS_FLAG_USE_EMPTY_BLOCK_COMPRESSION (x32)
modified : ufrvolume, definedosdevice will try DDD_RAW_TARGET_PATH and 0 (x32)
modified : drive2raw will display the offset if reafile fails (x32)
modified : xxx2RAW will propose to delete target file (x32)
todo : consider 1mB instead of 65kB for memsize in xxx2RAW functions
added : backup/restore from popup menu (x32)
added : checkbox in disk/part/disk&part popupmenu (x32)
added : offline/online after create partition (x32)
added : refresh after format (modal form) (x32)
added : try/catch in wim_logmessage
added : makeiso improvements around boot files
added : extend volume will propose the closest max size possible

 Posted by at 14 h 17 min