2013/07/24

How to modify the Windows registry

I'll skip the programmatic (API) approach; from the command line it can be done like this:

cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Or by importing a .reg file:
Cmd /c reg import c:\test.reg
Of course, you can also run the .reg file from Windows Explorer.

2013/07/22

Windows undocumented secrets

See here.... Why come back to this kind of trick? Something unknown often gets installed and makes the browser behave strangely; the cause can usually be found in one of the locations below.

1. When a user logs on, the programs or scripts under these keys are executed automatically:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load\
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\
HKCU\Software\Policies\Microsoft\Windows\System\Scripts

References:
How to Modify the List of Programs that Run When You Start Windows XP (http://support.microsoft.com/kb/314488).
A definition of the Run keys in the Windows XP registry (http://support.microsoft.com/kb/314866/EN-US/).
INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup (http://support.microsoft.com/kb/179365/EN-US/).
Definition of the RunOnce Keys in the Registry (http://support.microsoft.com/kb/137367).
Description of the RunOnceEx Registry Key (http://support.microsoft.com/kb/310593/EN-US/).
Programs Automatically Start When User Logs on to Windows (http://support.microsoft.com/kb/147369).
Script Policy Is Not Run When a Slow Link Is Detected (http://support.microsoft.com/default.aspx?scid=kb;en-us;328991).
To assign user logoff scripts (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/gptext_logoffscripts.mspx?mfr=true).

2. Each time IE starts, the in-process COM components under this key are loaded by IE; these are the toolbars you see in IE:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

References:
How to disable third-party tool bands and Browser Helper Objects (http://support.microsoft.com/default.aspx?scid=kb;en-us;298931).
Browser Helper Objects: The Browser the Way You Want It (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp).

3. The default value is '"%1" %*' (without the single quotes). Some malware changes it to '"FileName "%1" %*', so that whenever an executable (.exe) is run, the file "FileName" is executed as well:
HKLM\Software\Classes\exefile\shell\open\command\
HKEY_CLASSES_ROOT\vbsfile\shell\open\command\ (the difference being that this is for Visual Basic Script files (.vbs))
HKEY_CLASSES_ROOT\vbefile\shell\open\command\ (for encoded Visual Basic Script files (.vbe))
HKEY_CLASSES_ROOT\jsfile\shell\open\command\ (for JavaScript files (.js))
HKEY_CLASSES_ROOT\jsefile\shell\open\command\ (for encoded JavaScript files (.jse))
HKEY_CLASSES_ROOT\wshfile\shell\open\command\ (for Windows Scripting Host files (.wsh))
HKEY_CLASSES_ROOT\wsffile\shell\open\command\ (for Windows Scripting files (.wsf))
HKEY_CLASSES_ROOT\comfile\shell\open\command\ (for COM files (.com))
HKEY_CLASSES_ROOT\batfile\shell\open\command\ (for batch files (.bat))
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (for screen saver files (.scr))
HKEY_CLASSES_ROOT\piffile\shell\open\command\ (for Portable Interchange Format files (.pif))

References:
You Are Unable to Start a Program with an .exe File Extension (http://support.microsoft.com/default.aspx?scid=kb;en-us;310585).
You receive an error message when you try to start a program that has an .exe file name extension (http://support.microsoft.com/kb/837334/en-us).

4. Each time CMD.exe starts, the command stored under this key is executed:
HKLM\Software\Microsoft\Command Processor\AutoRun\
HKCU\Software\Microsoft\Command Processor\AutoRun\

References:
WORM_SWEN.A (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSWEN%2EA&VSect=T)
Cmd (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/cmd.mspx?mfr=true).
AutoRun (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/942.asp).

5. The CLSIDs under this key map to HKLM\Software\Classes\CLSID\{GUID}\InProcServer. Each time IE starts, they are loaded by IE:
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

References:
TROJ_YABE.H (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_YABE.H&VSect=Sn).
Download.Ject Payload Detection and Removal Tool (http://support.microsoft.com/default.aspx?scid=kb;en-us;873018).

6. Allows a different user interface (shell) to be specified:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell\

References:
Shell (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/93488.asp).

7. Contains the list of approved shell extensions:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

8. After a user logs on, the DLLs listed in this value are loaded by Windows-based applications (one form of DLL injection):
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

References:
Working with the AppInit_DLLs registry value (http://support.microsoft.com/default.aspx?scid=kb;en-us;197571).

9. Windows NT normally loads and runs the standard GINA DLL (MSGina.dll). If the GinaDLL value is present, Winlogon loads the DLL named there instead:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL\

References:
Windows NT loads and executes the standard Microsoft GINA DLL (MSGina.dll). If the GinaDLL key value is present, it must contain the name of a GINA DLL, which Winlogon will load and use.
Loading and Running a GINA DLL (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/loading_and_running_a_gina_dll.asp).

10. This value can replace the original shell (explorer.exe); the executable named here is started by Userinit.exe:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

References:
Shells Other Than Explorer.exe Replaced on Installation or Upgrade (http://support.microsoft.com/default.aspx?scid=kb;en-us;228309).

11. Programs listed here are started in system mode:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System

References:
System (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58543.asp).

12. Defines the task manager the system uses:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\TaskMan

References:
TaskMan (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58543.asp).

13. When a user logs on, the program named here is run by Winlogon. The default is Userinit.exe:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit

14. The DLLs under this key receive and handle the events generated by Winlogon:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

References:
Winlogon Notification Packages (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/registry_entries.asp).

15. At system startup, the programs listed here are executed:
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute

References:
BootExecute (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/46697.asp).

16. Most of the services under this key start with LocalSystem privileges:
HKLM\System\CurrentControlSet\Services\

17. Microsoft uses this key to configure installed Windows components:
HKLM\Software\Microsoft\Active Setup\Installed Components\

References:
TROJ_SMALL.AZX (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSMALL%2EAZX&VSect=T).
Backdoor.Plux (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.plux.html).
Monitoring of the Active Setup Registry Key (http://www.greatis.com/webhelp/regrunhelp.htm#regrun___detailed_instructions/start_control/active_setup_registry_key.htm).

18. This key records the current user's Startup folder (Start Menu => Programs => Startup, i.e. %USERPROFILE%\Start Menu\Programs\Startup):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup (used when the key on the previous line does not exist)

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Startup (this key records the Startup folder for all users: Start Menu => Programs => Startup, i.e. %ALLUSERSPROFILE%\Start Menu\Programs\Startup)
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup (used when the key on the previous line does not exist)

19. The subkeys under this key record each program's directory and its full executable path:
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\

20. This key is meant for debugging application problems, but malware abuses it to get itself executed:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

References:
Inside 'Image File Execution Options' debugging (http://blogs.msdn.com/greggm/archive/2005/02/21/377663.aspx).
How to Enable Kerberos Debugging in Windows 2000 (http://support.microsoft.com/default.aspx?scid=kb;en-us;892894;http://support.microsoft.com/default.aspx?scid=kb;en-us;216052).

21. COM objects registered under this key record the commands that are executed. The default is shell32.dll:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

References:
Logging the Shell Activity (http://www.codeguru.com/Cpp/COM-Tech/shell/article.php/c4515/#more).
Windows Core (http://www.greatis.com/webhelp/regrun___detailed_instructions/start_control/windows_core.htm).
Creating a shell extension with C# (http://www.codeproject.com/csharp/dateparser.asp).
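The two registry posts above (the reg import command in the 2013/07/24 entry, and the autostart keys and the "%1" %* open-command default listed here) can be checked offline before anything is imported. The Python script below is an added example, not code from this blog or from any of the referenced articles: it parses a .reg file with a small parser and flags values that land in the autostart locations listed on this page, an exefile-style open command that differs from "%1" %*, and the LocalAccountTokenFilterPolicy=1 write from the first post (that value turns off UAC remote restrictions for local accounts). The .reg content it reads is constructed for the example; the key prefixes are the ones from the list above.

```python
import re

# Hive names as .reg files spell them, mapped to the short forms reg.exe accepts.
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR"}

# Autostart key prefixes from the list on this page (compared case-insensitively, hive removed).
AUTOSTART_PREFIXES = (
    r"software\microsoft\windows\currentversion\run",           # Run, RunOnce, RunOnceEx, RunServices...
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\windows nt\currentversion\winlogon",    # Shell, Userinit, GinaDLL, Notify...
    r"software\microsoft\windows nt\currentversion\windows",     # AppInit_DLLs, load, run
    r"software\microsoft\windows nt\currentversion\image file execution options",
    r"software\microsoft\windows\currentversion\explorer\browser helper objects",
    r"software\microsoft\windows\currentversion\shellserviceobjectdelayload",
    r"software\microsoft\windows\currentversion\explorer\shellexecutehooks",
    r"software\microsoft\command processor",
    r"software\microsoft\active setup\installed components",
    r"system\currentcontrolset\control\session manager",
)

# Item 3 on this page: the default open command for executable and script file classes.
OPEN_COMMAND_DEFAULT = '"%1" %*'
OPEN_COMMAND_KEY = re.compile(
    r"(?:^|\\)(?:exe|com|bat|scr|pif|vbs|vbe|js|jse|wsh|wsf)file\\shell\\open\\command$")


def parse_reg(text):
    """Return {key: {value_name: (kind, data)}} for .reg text: string, dword, hex
    (with backslash line continuation) and "name"=- deletions. [-KEY] deletions
    are skipped since they remove persistence rather than add it."""
    keys, current = {}, None
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join continued hex lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(-?)(.+)\]$", line)
        if m:
            hive, _, rest = m.group(2).partition("\\")
            current = None if m.group(1) else HIVES.get(hive.upper(), hive) + "\\" + rest
            if current:
                keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or current is None:
            continue
        name, data = ("@" if m.group(1) == "@" else m.group(2)), m.group(3)
        if data == "-":
            entry = ("delete", "")
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            entry = ("sz", re.sub(r'\\(["\\])', r"\1", data[1:-1]))  # unescape \" and \\
        elif data.lower().startswith("dword:"):
            entry = ("dword", int(data[6:], 16))
        else:
            entry = ("raw", data)  # hex:, hex(7): and anything else, kept verbatim
        keys[current][name] = entry
    return keys


def audit_reg(text):
    """Return (key, value_name, reason) tuples worth a human look before importing."""
    findings = []
    for key, values in parse_reg(text).items():
        path = key.partition("\\")[2].lower()
        in_autostart = any(path.startswith(p) for p in AUTOSTART_PREFIXES)
        for name, (kind, data) in values.items():
            if kind == "delete":
                continue
            if in_autostart:
                findings.append((key, name, "writes to an autostart location"))
            if OPEN_COMMAND_KEY.search(path) and name == "@" and kind == "sz" \
                    and data != OPEN_COMMAND_DEFAULT:
                findings.append((key, name, "open command changed from default: " + data))
            if path.endswith(r"policies\system") and name.lower() == "localaccounttokenfilterpolicy" \
                    and kind == "dword" and data == 1:
                findings.append((key, name, "disables UAC remote restrictions for local accounts"))
    return findings


# Constructed sample (not a real capture): a policy change, a Run entry, a hijacked exefile command, a harmless setting.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"LocalAccountTokenFilterPolicy"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\updater.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\Public\\hook.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Flags"=hex:01,00,\
  02,00
"""

if __name__ == "__main__":
    for key, name, reason in audit_reg(SAMPLE_REG):
        print("%s -> %s: %s" % (key, name, reason))
```

To run it on a real export, read the file with encoding "utf-16": regedit writes Version 5.00 files as UTF-16 with a byte-order mark, and that codec strips the mark. Anything the audit reports is a reason to read the file line by line before reg import touches the machine.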

  * Folder Autostart Locations

1. %USERPROFILE%\Start Menu\Programs\Startup
2. %ALLUSERSPROFILE%\Start Menu\Programs\Startup
3. %SystemRoot%\Tasks (the scheduled tasks directory)

  * File AutoStart Locations

1. %SystemDrive%\explorer.exe: EXPLORER.EXE is the Windows Explorer (shell) program, and its normal location is the %SystemRoot% directory. A trick some people use is to create another file named explorer.exe directly under C:\. Because Windows does not specify which directory explorer.exe should be loaded from at boot, it starts searching for the file from the root directory and runs whatever it finds there.

2. %SystemDrive%\autoexec.bat

References:
http://en.wikipedia.org/wiki/AUTOEXEC.BAT

3. %SystemDrive%\config.sys

References:
http://en.wikipedia.org/wiki/CONFIG.SYS

4. wininit.ini: a mechanism Windows uses at boot to preload certain applications.
For example:

shell=explorer.exe virusfile.exe

5. winstart.bat

6. win.ini: loads system settings such as drivers, the desktop wallpaper and so on.
For example:

load=virusfile.exe
run=virusfile.exe

7. hosts

References:
http://en.wikipedia.org/wiki/Hosts

2013/07/12

Windows 8: go straight to the classic desktop at logon

Source: see here

In short, use schtasks, i.e. the Windows Task Scheduler, to run the following at logon; save it as C:\ShowDesktop.scf
[Shell]
Command=2
IconFile=Explorer.exe,3
[Taskbar]
Command=ToggleDesktop

A few things to watch:
1. The trigger is "at logon"
2. Under Conditions, untick "Start the task only if the computer is on AC power"

2013/07/02

Accessing App Engine with curl

There is a good article on this: Authenticating Google App Engine apps using curl

I'll use device-mgm, the app I'm currently writing, as the example; assume the password is Iamwade and nothing else is changed:

Step 1:
Getting auth key:
curl -f -s --output myAuthFile.txt -d Email=wade.fs@gmail.com -d Passwd=Iamwade -d accountType=GOOGLE -d service=ah -d source=device-mgm https://www.google.com/accounts/ClientLogin
PS1: Either -d or --data-urlencode works here because there are no special characters; if the password contains special characters, change the Passwd part to --data-urlencode Passwd=YOUR_PASSWORD
PS2: service is "ah"; this is the part I could not figure out for a long time. Also, source=device-mgm is the same as the APP ID.
PS3: Since I always use a Gmail account, accountType is GOOGLE.

Step 2:
Getting application cookie:
curl -c cookiefile "http://device-mgm.appspot.com/_ah/login?auth=`cat myAuthFile.txt | grep ^Auth= | cut -d= -f2`" > /dev/null
PS1: Without the redirect to > /dev/null you will see something that looks like an error message; it can be ignored.
PS2: The cookie is saved in cookiefile. This file's format differs from what the original author posted, so the commands that follow had to be modified.

Step 3:
Calling our application service, getAllData:
curl -f -s -H "Cookie: ACSID=`awk '/./{line=$0} END{print line}' cookiefile | cut -f7`" http://device-mgm.appspot.com/help

PS1: I simply take the last non-empty line and then its 7th field; that is the ACSID.
PS2: Other services of the same application (device-mgm) work the same way; for example, here is query:
curl -f -s -H "Cookie: ACSID=`awk '/./{line=$0} END{print line}' cookiefile | cut -f7`" http://device-mgm.appspot.com/query
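Step 2 writes a curl cookie jar and Step 3 pulls ACSID out of it by taking the 7th field of the last non-empty line, which only works while ACSID happens to be the last cookie in the file. The Python below is an added example, not code from the article or from this post: it parses the Netscape cookie-jar format that curl -c writes (including the #HttpOnly_ prefix curl puts on HttpOnly cookies), selects a cookie by name and host, builds the Cookie header value for a host, and keeps the post's last-line heuristic beside it so the difference is visible. The jar contents and cookie values are constructed placeholders. ClientLogin itself has since been shut down by Google, but the jar format is unchanged.

```python
# Constructed cookie jar in the format curl -c writes (not a real capture).
# Note the #HttpOnly_ prefix, and that the last non-empty line is not the ACSID line.
SAMPLE_JAR = "\n".join([
    "# Netscape HTTP Cookie File",
    "# This file was generated by libcurl! Edit at your own risk.",
    "",
    "\t".join(["device-mgm.appspot.com", "FALSE", "/", "FALSE", "1372838400", "ACSID", "AJKiYcExampleTokenValue"]),
    "\t".join(["#HttpOnly_device-mgm.appspot.com", "FALSE", "/", "TRUE", "0", "SACSID", "AJKiYcSecureExample"]),
    "\t".join([".google.com", "TRUE", "/", "FALSE", "1404374400", "NID", "67=abc"]),
    "",
])


def parse_cookie_jar(text):
    """Parse cookie-jar text into a list of dicts, one per cookie line.

    Each data line has exactly seven tab-separated fields:
    domain, include-subdomains, path, secure, expires (epoch, 0 = session), name, value.
    """
    cookies = []
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # not a cookie line
        domain, subdomains, path, secure, expires, name, value = fields
        cookies.append({
            "domain": domain, "subdomains": subdomains == "TRUE", "path": path,
            "secure": secure == "TRUE", "expires": int(expires),
            "name": name, "value": value, "http_only": http_only,
        })
    return cookies


def _domain_matches(cookie_domain, host):
    d = cookie_domain.lstrip(".")
    return host == d or host.endswith("." + d)


def cookie_value(text, name, host):
    """Value of the cookie `name` that applies to `host`, or None.

    Later lines win when a cookie was re-set, which is what the awk one-liner in
    Step 3 relies on, minus the assumption that ACSID is the last line.
    """
    for c in reversed(parse_cookie_jar(text)):
        if c["name"] == name and _domain_matches(c["domain"], host):
            return c["value"]
    return None


def cookie_header(text, host):
    """Build the Cookie: header value for `host` from every cookie that applies to it."""
    pairs = ["%s=%s" % (c["name"], c["value"])
             for c in parse_cookie_jar(text) if _domain_matches(c["domain"], host)]
    return "; ".join(pairs)


def last_line_field7(text):
    """The post's heuristic: 7th field of the last non-empty line, whatever cookie that is."""
    lines = [l for l in text.splitlines() if l.strip()]
    fields = lines[-1].split("\t") if lines else []
    return fields[6] if len(fields) >= 7 else None


if __name__ == "__main__":
    print("ACSID by name:", cookie_value(SAMPLE_JAR, "ACSID", "device-mgm.appspot.com"))
    print("last line, field 7:", last_line_field7(SAMPLE_JAR))
    print("Cookie:", cookie_header(SAMPLE_JAR, "device-mgm.appspot.com"))
```

With this jar the heuristic returns the NID cookie of a different domain, while the parser returns the ACSID for device-mgm.appspot.com. Selecting by name and host also means a re-login that appends a fresh ACSID line still picks the newest one.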



Uploading files to Google Drive with curl

I came across an article, google.sh, about "uploading files to Google Drive with curl". A comment on it improved the script: keeping the account credentials separate from the script is the better approach, so I'm sharing it here.

The script in that comment has a few bugs; corrected version:

===============================================
#!/bin/bash
# google-drive.sh: upload one file to Google Drive (ClientLogin + GData resumable upload).
set -u

if [ $# -lt 1 ] || [ ! -f "$1" ]; then
        echo "usage: $0 FILE" >&2
        exit 1
fi
creditFile=~/bin/credits.ini
if [ ! -f "$creditFile" ]; then
        # credentials stay outside the script; create the template readable by the owner only
        ( umask 077; printf 'username=\npassword=\n' > "$creditFile" )
        echo "please fill $creditFile (file has just been created)" >&2
        exit 1
fi

file="$1"
. "$creditFile"
if [ -z "${username:-}" ] || [ -z "${password:-}" ]; then
        echo "username/password missing in $creditFile" >&2
        exit 1
fi

accountype="GOOGLE"   # Google Apps = HOSTED, Gmail = GOOGLE
mime_type=$(file -b --mime-type "$file")

# keep the login response (it contains the auth token) in a private temp file, not a fixed /tmp path
login_out=$(mktemp) || exit 1
trap 'rm -f "$login_out"' EXIT

/usr/bin/curl -sS --data-urlencode "Email=$username" --data-urlencode "Passwd=$password" \
        -d "accountType=$accountype" -d service=writely -d source=cURL \
        "https://www.google.com/accounts/ClientLogin" > "$login_out"

token=$(grep '^Auth=' "$login_out" | cut -d= -f2- | tr -d '\r')
if [ -z "$token" ]; then
        echo "login failed:" >&2; cat "$login_out" >&2
        exit 1
fi

# open a resumable upload session; the upload URL comes back in the Location header
# (-k is dropped so the certificate is verified; tr strips the CR that ends each header line)
uploadlink=$(/usr/bin/curl -sS -X POST -H "Content-Length: 0" -H "Authorization: GoogleLogin auth=${token}" \
        -H "GData-Version: 3.0" -H "Content-Type: $mime_type" -H "Slug: $(basename "$file")" \
        "https://docs.google.com/feeds/upload/create-session/default/private/full?convert=false" \
        -D - -o /dev/null | tr -d '\r' | sed -n 's/^Location: //p')
if [ -z "$uploadlink" ]; then
        echo "could not open an upload session" >&2
        exit 1
fi

/usr/bin/curl -sS -X POST --data-binary "@$file" -H "Authorization: GoogleLogin auth=${token}" \
        -H "GData-Version: 3.0" -H "Content-Type: $mime_type" -H "Slug: $(basename "$file")" \
        "$uploadlink" > /tmp/google-log.upload.txt

===============================================
On the first run it creates credits.ini and exits; fill it in, save, and run it again. Usage:

google-drive.sh UPLOAD.FILE

For example:
google-drive.sh google-drive.sh  # uploads itself