
NTFS Security

12 replies to this topic

#1 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 06 May 2010 - 10:27 AM

Try this:

Have a nativeEx_barebone project on a NTFS formatted drive.

Download
http://livexp.boot-l...derunEx_x86.exe
http://livexp.boot-l...derunEx_x64.exe
to any NTFS folder.

Copy the two files to %Tools%\nativeEx\x86 / x64 resp.

Build the project with Finish > 2 Create Image > Boot from RAM checked.

When booting, you'll see about 10 times the popup:
hiderun.gif
(unless you uncheck 'show again')

Next part of test:

Copy the downloaded files to any NON NTFS folder, and copy from there to %Tools%.

Rebuild the project.

The PE boots without any popup.

Result: Somewhere in the file's NTFS attributes there is the information that the file was downloaded from a non-secure place on the Internet. This attribute is lost by copying to a non-NTFS folder.

My question to the community:

Is there a way to remove the NTFS attributes programmatically? Not every user has a non-NTFS drive to 'clean' the downloaded files.

Peter

#2 Galapo

Galapo

    Platinum Member

  • .script developer
  • 3841 posts
  •  
    Australia

Posted 06 May 2010 - 11:28 AM

Hmmm, I'm not sure how to remove the attributes. But in the meantime, try adding these entries somewhere in your project:

RegHiveLoad,WB-DEFAULT,%target_sys%\CONFIG\DEFAULT

RegWrite,HKLM,0x1,WB-DEFAULT\Software\Microsoft\Internet#$sExplorer\Download,CheckExeSignatures,no

RegWrite,HKLM,0x4,WB-DEFAULT\Software\Microsoft\Internet#$sExplorer\Download,RunInvalidSignatures,1

RegHiveUnLoad,WB-DEFAULT

Regards,
Galapo.

#3 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 06 May 2010 - 11:33 AM

> Hmmm, I'm not sure how to remove the attributes. But in the meantime, try adding these entries somewhere in your project:
>
> RegHiveLoad,WB-DEFAULT,%target_sys%\CONFIG\DEFAULT
>
> RegWrite,HKLM,0x1,WB-DEFAULT\Software\Microsoft\Internet#$sExplorer\Download,CheckExeSignatures,no
>
> RegWrite,HKLM,0x4,WB-DEFAULT\Software\Microsoft\Internet#$sExplorer\Download,RunInvalidSignatures,1
>
> RegHiveUnLoad,WB-DEFAULT
>
> Regards,
> Galapo.

Thanks, Galapo, but that I already tried, and it did not help.
(I finally copied everything suitable of my host's registry, including the internet zones, to the PE).

Currently the only way for me seems really to be 'strip the NTFS attributes'

Peter

#4 dog

dog

    Frequent Member

  • Expert
  • 236 posts

Posted 06 May 2010 - 11:48 AM

There are some options here:
http://www.boot-land...?...c=7594&st=0

#5 Galapo

Galapo

    Platinum Member

  • .script developer
  • 3841 posts
  •  
    Australia

Posted 06 May 2010 - 12:18 PM

So what's the idea -- run an unblocking app on %tools% folder?

Thanks,
Galapo.

#6 Sha0

Sha0

    WinVBlock Dev

  • Developer
  • 1682 posts
  • Location:reboot.pro Forums
  • Interests:Booting
  •  
    Canada

Posted 06 May 2010 - 12:49 PM

I believe that you are after the NTFS stream which contains Zone metadata for a "secure experience."

From the command line, try:
echo.>foo.exe:Zone.Identifier
Or simply look into using Microsoft's SysInternals' Streams.exe or look at the MS articles concerning NTFS streams. While the command I gave doesn't delete the stream, it empties it.

To re-block a file, you could do:
echo [ZoneTransfer]>foo.exe:Zone.Identifier

echo ZoneId=3 >> foo.exe:Zone.Identifier
Pay attention to the space before >>.

Another alternative is to copy the file's primary data with:
ren foo.exe foo.orig

type foo.orig > foo.exe


#7 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 06 May 2010 - 12:59 PM

Thanks to all!

doq's links lead to something I could use.
@Sha0: I just unblocked hiderun.exe with
echo "" > "\\?\V:\wb\wb debug !\Projects\Tools\nativeEx\x86\hiderunEx_x86.exe:Zone.Identifier"
(before reading your post, so this solution is at least 'double-based')

Peter

#8 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 06 May 2010 - 01:51 PM

Just for the record, talks about NTFS ALTERNATE DATA STREAMS are here:
http://www.boot-land...?showtopic=7594

:cheers:
Wonko

#9 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 06 May 2010 - 01:54 PM

> Just for the record, talks about NTFS ALTERNATE DATA STREAMS are here:
> http://www.boot-land...?showtopic=7594
>
> :cheers:
> Wonko

Any difference to the post #4 by doq? :cheers:

Peter :huh:

#10 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 06 May 2010 - 05:57 PM

> Any difference to the post #4 by doq? :P


Possible reasons:
  • More explicit reference? :cheers:
  • More dependable source for the link? :P
  • Wonko getting older and failing to notice the link by dog? :huh:

I would vote for #3 :cheers:

:cheers:
Wonko

#11 Galapo

Galapo

    Platinum Member

  • .script developer
  • 3841 posts
  •  
    Australia

Posted 06 May 2010 - 11:51 PM

So is the issue with the uploaded files themselves, or with them once they are downloaded?

That is, do I need to do something to the files before uploading, or does a project need to do something after downloading?

Thanks,
Galapo.

#12 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 07 May 2010 - 06:39 AM

> So is the issue with the uploaded files themselves, or with them once they are downloaded?
>
> That is, do I need to do something to the files before uploading, or does a project need to do something after downloading?
>
> Thanks,
> Galapo.

No need to do anything before upload.

And to do something after download can also be skipped.

There are only some rare cases like here:
  • The file to be copied to %TargetDir% is downloaded
  • The %TargetDir% is formatted NTFS
In these rare cases, like here with hiderun.exe, a special treatment before the final ISO build etc. can be done.

Peter

#13 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 07 May 2010 - 08:36 AM

Small correction: the file needs to be downloaded by Internet Explorer or in a similar way; it doesn't apply to "all" downloaded files.

The presence of a stream can be detected calling a Windows API:
http://www.codeproje...torarticle.aspx
(maybe useful)

nirsoft has a tool to check for them:
http://www.nirsoft.n...ta_streams.html

:lol:
Wonko
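The stream Sha0 and Wonko are talking about is a small INI-style text blob, so both sides of the thread (detecting the mark, and stripping it the way `echo.>foo.exe:Zone.Identifier` does) can be handled from a script. This is an added example, not code from the thread or from reboot.pro; the parser runs anywhere, while the file helpers only find a stream on an NTFS volume under Windows, where Python's `open()` accepts the `file:stream` syntax. The sample stream body is constructed to match the re-block commands in post #6.

```python
"""Detect, parse and strip the Zone.Identifier alternate data stream (added example)."""
import os
from typing import Optional

# URLZONE ids as written by Internet Explorer / the Attachment Execution Service
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
STREAM_SUFFIX = ":Zone.Identifier"

# Constructed sample: what `echo [ZoneTransfer]>x:Zone.Identifier` + `echo ZoneId=3 >>...`
# leaves behind, including the trailing space the thread warns about.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3 \r\n"


def parse_zone_identifier(text: str) -> dict:
    """Parse the stream body. An empty stream (what `echo.>file:Zone.Identifier`
    produces) parses to {}, i.e. no zone information at all."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()                      # tolerates the "ZoneId=3 " trailing space
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def zone_of(text: str) -> Optional[int]:
    """ZoneId as int, or None when the stream carries no usable id."""
    val = parse_zone_identifier(text).get("ZoneId")
    return int(val) if val is not None and val.isdigit() else None


def is_blocked(text: str) -> bool:
    """Only the Internet (3) and Restricted (4) zones trigger the run-time prompt."""
    return zone_of(text) in (3, 4)


def read_zone_identifier(path: str) -> Optional[str]:
    """Stream body, or None when the file has no stream (or the volume is not NTFS)."""
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def unblock(path: str) -> None:
    """Truncate the stream: the scripted form of `echo.>file:Zone.Identifier`.
    Windows/NTFS only; on other filesystems this would create a plain file instead."""
    with open(path + STREAM_SUFFIX, "w") as fh:
        fh.write("")
```

`is_blocked(read_zone_identifier(r"C:\path\to\hiderunEx_x86.exe") or "")` answers the question from post #1 for one file before the ISO is built.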
