Because I always have to google when I look for it … here it is.
A native app is an application that is launched as soon as kernel initialization has completed.
It is launched (in user mode) by the session manager (smss.exe) through the registry key HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\BootExecute (run at every boot) or HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\SetupExecute (run once only).
A native app can only use the NT API functions (ntdll.dll), not the Windows API functions.
Possible usages:
nativereg createkey \Registry\Machine\SYSTEM\Setup key1
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test0 8 REG_RND_SZ
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test1 toto REG_SZ
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test2 112233AABBCC REG_BINARY
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test3 666 REG_DWORD
nativereg deletevalue \Registry\Machine\SYSTEM\Setup\key1 test1
nativereg deletekey \Registry\Machine\SYSTEM\Setup\key1
The tool is 32-bit (a 64-bit version may come later).
It works on XP and up.
Discussion here.
Regards,
Erwan
If, like me, you have an old computer and don't want to install the Ubuntu update for Meltdown and Spectre:
- sudo vi /etc/default/grub
- add nopti to GRUB_CMDLINE_LINUX_DEFAULT (there should already be a list of parameters there, such as « nomdmonddf nomdmonisw nomdmonddf nomdmonisw »)
- sudo update-grub
- sudo reboot
Check that nopti is there with cat /proc/cmdline.
If you have an old computer like me, you may want to disable the latest MS Windows update for Meltdown and Spectre.
To do so:
- Download and install PSWindowsUpdate (Windows Update PowerShell Module)
- Launch PowerShell (as local admin)
- run Hide-WUUpdate -UpdateID KB4056894
Under some specific circumstances, it might be handy to run as SYSTEM.
RunAsSys will launch a process as the local system account.
This requires local admin rights.
Download it here.
It has been a while since the last article.
A quick one to post a tool I have been using lately to convert VMDK files to raw disks.
Indeed, it is sometimes easier and quicker to install an operating system in a virtual environment, but afterwards you may want to convert the VMware disk (VMDK) to a raw disk so that you can write it to another physical medium (USB stick, hard drive, etc.).
Thanks to libvmdk, a library written by Joachim Metz, it is easy to write a quick graphical frontend that reads a VMDK and writes it back out as a raw image.
VMDK2RAW can be downloaded here.
Erwan
Can be handy under Windows: TortoiseSVNDiff.
For years I have been using Ext2fsd to read (and possibly write) ext2 (or ext3/ext4) filesystems.
I would usually mount the image with ImDisk.
Today I stumbled upon a nice little (and free) utility from DiskInternals: Linux Reader.
The tool can mount the image or read an existing logical drive.
A few months ago I wrote an article about Olof’s Arsenal driver.
Now it is time for a command-line version of the ImgMount GUI, named ImgMountCMD.
The exe is about 50 KB and can do as much as the GUI version.
Moreover, both the GUI and the command-line version have been tested in WinPE and work fine, including installing the driver.
Discuss/download it here.
The syntax for the command line is the following:
ImgMountCMD file add path
ImgMountCMD file new path size(MB)
ImgMountCMD file shm name
ImgMountCMD file remove id
ImgMountCMD vm add path
ImgMountCMD vm new size(MB)
ImgMountCMD vm remove id
ImgMountCMD pm add path
ImgMountCMD pm new size(MB)
ImgMountCMD pm remove id
ImgMountCMD list
ImgMountCMD removall
ImgMountCMD driver check
ImgMountCMD driver install driver.inf
ImgMountCMD driver remove
This is a simple GUI to the FSCTL_GET_RETRIEVAL_POINTERS Microsoft API.
The idea is to read the list of all clusters belonging to a file, map these clusters onto the logical drive where the file is located, and from there reassemble all clusters and save them to a new destination file.
Thanks to this method, one can save/copy a file which is in use, since we "raw" read the clusters from the logical drive.
This has been tested with success on \boot\bcd and \windows\system32\config\sam, files which you cannot copy in a "normal" mode.
Beware that, using this method, you could end up with a corrupted dump, since the file could be modified while you are reading it.
Get it on github here.
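The reassembly step described above, as an added example that is not the tool's own code: it takes an extent map in the shape FSCTL_GET_RETRIEVAL_POINTERS returns (VCN/LCN pairs, redefined here with portable types so it builds anywhere) and rebuilds the file from a raw volume image, handling sparse runs and the slack in the last cluster. The volume contents and extent map are constructed for the demo; the function and type names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Mirrors the layout of RETRIEVAL_POINTERS_BUFFER returned by
 * FSCTL_GET_RETRIEVAL_POINTERS (redefined here so the example builds anywhere). */
typedef struct { int64_t next_vcn; int64_t lcn; } extent_t;   /* lcn < 0: sparse run */
typedef struct { uint32_t extent_count; int64_t starting_vcn; extent_t extents[8]; } retrieval_pointers_t;

/* Reassemble file_size bytes from a raw volume image using the extent map.
 * Returns bytes written to out, or -1 if the map is malformed or too short. */
long reassemble_file(const retrieval_pointers_t *rp, const uint8_t *volume,
                     size_t volume_size, size_t cluster_size,
                     uint64_t file_size, uint8_t *out)
{
    int64_t vcn = rp->starting_vcn;
    uint64_t written = 0;
    for (uint32_t i = 0; i < rp->extent_count && written < file_size; i++) {
        const extent_t *e = &rp->extents[i];
        if (e->next_vcn <= vcn) return -1;                        /* VCNs must increase */
        uint64_t len = (uint64_t)(e->next_vcn - vcn) * cluster_size;
        if (len > file_size - written) len = file_size - written; /* drop last-cluster slack */
        if (e->lcn < 0) {
            memset(out + written, 0, len);                        /* sparse run reads as zeros */
        } else {
            uint64_t off = (uint64_t)e->lcn * cluster_size;
            if (off + len > volume_size) return -1;               /* extent outside the volume */
            memcpy(out + written, volume + off, len);
        }
        written += len;
        vcn = e->next_vcn;
    }
    return written == file_size ? (long)written : -1;
}

/* Constructed sample (not from a real disk): 16-byte clusters, VCN 0 at LCN 5,
 * VCN 1 sparse, VCNs 2-3 at LCN 1-2; a 52-byte size leaves 12 bytes of slack. */
#define DEMO_CL 16
#define DEMO_SIZE 52
long demo_reassemble(uint8_t out[DEMO_SIZE])
{
    uint8_t volume[DEMO_CL * 8];
    memset(volume, '.', sizeof volume);
    memset(volume + 5 * DEMO_CL, 'A', DEMO_CL);
    memset(volume + 1 * DEMO_CL, 'B', DEMO_CL);
    memset(volume + 2 * DEMO_CL, 'C', DEMO_CL);
    retrieval_pointers_t rp = { 3, 0, { {1, 5}, {2, -1}, {4, 1} } };
    return reassemble_file(&rp, volume, sizeof volume, DEMO_CL, DEMO_SIZE, out);
}

/* 1 if the reassembled bytes are 16 'A', 16 zero bytes, 16 'B', then "CCCC". */
int demo_ok(void)
{
    uint8_t out[DEMO_SIZE], want[DEMO_SIZE];
    memset(want, 'A', 16); memset(want + 16, 0, 16);
    memset(want + 32, 'B', 16); memset(want + 48, 'C', 4);
    return demo_reassemble(out) == DEMO_SIZE && memcmp(out, want, DEMO_SIZE) == 0;
}
```

On a live volume the extents come from DeviceIoControl on the file handle and the cluster reads from the raw volume handle, which is why a file modified mid-read can yield an inconsistent dump.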