
Scripts

7 replies to this topic

#1 morronic

morronic
  • Members
  • 4 posts
  •  
    United States

Posted 28 July 2013 - 03:47 AM

Hey guys, try not to hate me too badly. But I need help mounting scripts for P.E. I created a program in Just BASIC that I was able to start automatically in Windows AIK by editing the winpeshl.ini. However, when I try to scan with Malwarebytes, I cannot get it to scan the remote registry. I made a batch file that starts up and mounts the offline registry and auto-chooses the Windows directory; however, I haven't found a good way to make Malwarebytes scan a registry that I mounted. Any advice?

 

p.s. It scans files but it doesn't scan the mounted registry that I mounted as

 

REM Run from WinPE: C: is the offline Windows volume, each hive file is loaded under a temporary HKLM key
REG LOAD HKLM\TempHive "C:\windows\system32\Config\SYSTEMprofile\ntuser.dat"
REG LOAD HKLM\TempSoftware "C:\Windows\System32\Config\SOFTWARE"
REG LOAD HKLM\TempSystem "C:\Windows\System32\Config\SYSTEM"
REG LOAD HKLM\TempSecurity "C:\Windows\System32\Config\SECURITY"
REG LOAD HKLM\TempComponents "C:\Windows\System32\Config\COMPONENTS"
REG LOAD HKLM\TempSam "C:\Windows\System32\Config\SAM"
REG LOAD HKLM\TempDefault "C:\Windows\System32\Config\DEFAULT"

 

If not, how do I make the scripts that this http://reboot.pro/to...s-anti-malware/ topic talks about work with my P.E? I am not totally sure how to make "scripts" work in Windows AIK. Thanks for everyone's time.

 

-Morronic



#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 28 July 2013 - 02:47 PM

It seems to me that you are attempting to use a tool outside its intended usage paradigm.

 

AFAIK/AFAICR Malware Bytes has NO provisions to scan an "offline registry" (and NO provisions for an "offline registry mounted temporarily to HKLM").

See (example):

http://forums.malwar...showtopic=64547

 

Otherwise there are already tools to do that kind of "temporary mounting", namely Runscanner:

http://www.paraglide.../runscanner.htm

 

 

:cheers:

Wonko



#3 morronic

morronic
  • Members
  • 4 posts
  •  
    United States

Posted 29 July 2013 - 01:35 AM

Oh okay, thank you. I'm not trying to cause any copyright issues with Malwarebytes and I'm not going to distribute this in any way. I was just curious as to why it wasn't scanning. But this was definitely insightful. How does it scan it in normal mode then? I use Malwarebytes Pro on my desktop and it scans registry, files, everything. And can you tell it to scan different registry values with a script file maybe?

 

Just trying to clear up any ideas, lol. Thanks.

 

-Morronic



#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 29 July 2013 - 01:12 PM

No prob :), I see no possible issues with Copyright or unauthorized distribution.  :dubbio:

 

The point is that the Registry does NOT exist :w00t:.

On a booted system the Registry "exists" (as it is "assembled" from the Registry backing files on-the-fly) but not on an offline system.

 

There are a number of Registry backing files (the ones you mentioned plus, in the case of Vista :ph34r: and later, the \boot\BCD) but no actual "Registry" exists if not on the booted system.

 

A number of "structures" as you see them in Regedit or similar Registry viewers/editors are not "real" but are "redirections" or "hard links" to other structures.

 

The most well-known is CurrentControlSet, which is a redirection of either ControlSet001 or ControlSet002 (or more generally ControlSetnnn).

 

A software tool designed to access a "live system" will most probably want to check/view/correct/whatever the actual CurrentControlSet, and it won't simply find it in a non-live Registry (i.e. on the Registry backing files).

 

It is of course possible to "replicate" via software a similar behaviour; after all it is just a matter of establishing that (say) "HKLM\Myofflinereg\" is an alias for "root" and - to remain in the same example for CurrentControlSet - parsing the "Select" key and then "deciding" which ControlSetnnn is to be established as the "alias" of CurrentControlSet, etc., but seemingly the MBAM Authors have not (yet) considered this approach, or they considered it but found it ineffective/not convenient/whatever.

 

And, just to confuse you a bit :w00t: :ph34r:, the Registry is actually a filesystem, as a matter of fact a cross-breed between NTFS and something *like* UnionFS:

http://reboot.pro/to...s-a-filesystem/

 

And it can be accessed while offline all right (of course only the "real" hives, not the redirections/hard links):

http://reboot.pro/to...gistry-library/

http://reboot.pro/to...fline-registry/

BUT the nice tool by erwan.l :worship: has some built-in "aliases" (cannot say if ALL of them).

 

 

:cheers:

Wonko


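The Select-key lookup Wonko describes above, as an added PowerShell example (not code from the thread or from any of the tools mentioned): it assumes the offline SYSTEM hive was loaded under HKLM\TempSystem with the REG LOAD line from the first post, and it shows that CurrentControlSet is absent from the backing file while Select\Current tells you which ControlSetnnn stands in for it.

```powershell
# Added example, not from the thread. Assumes the offline hive was loaded with:
#   reg load HKLM\TempSystem C:\Windows\System32\Config\SYSTEM
# and should be unloaded afterwards with:  reg unload HKLM\TempSystem
param(
    [string]$HiveRoot = 'HKLM:\TempSystem'   # assumed temporary key name
)

function Resolve-OfflineControlSet {
    param([string]$Root)

    # The Select key holds DWORDs naming the control sets; on a live system
    # the kernel turns the 'Current' value into the CurrentControlSet link.
    $select = Get-ItemProperty -Path (Join-Path $Root 'Select') -ErrorAction Stop

    $result = @{}
    foreach ($name in 'Current', 'Default', 'LastKnownGood', 'Failed') {
        $n = [int]$select.$name
        if ($n -eq 0) { $result[$name] = $null; continue }   # 0 means "none" (usual for Failed)
        $csName = 'ControlSet{0:D3}' -f $n                    # e.g. 1 -> ControlSet001
        if (-not (Test-Path (Join-Path $Root $csName))) {
            throw "Select\$name points to $csName but that key is missing under $Root"
        }
        $result[$name] = $csName
    }
    return $result
}

# The redirection is not stored in the hive file, so this is $false offline.
"CurrentControlSet present in backing file: $(Test-Path (Join-Path $HiveRoot 'CurrentControlSet'))"

$sets = Resolve-OfflineControlSet -Root $HiveRoot
"Offline system would use $($sets.Current) as CurrentControlSet (LastKnownGood: $($sets.LastKnownGood))"

# Walk the resolved control set the way a live tool would walk CurrentControlSet:
# here, read the computer name the offline installation was configured with.
$cnKey = Join-Path $HiveRoot "$($sets.Current)\Control\ComputerName\ComputerName"
"Offline ComputerName: $((Get-ItemProperty -Path $cnKey).ComputerName)"
```

Any tool that wants to inspect the offline system this way has to repeat that resolution for every value it reads through CurrentControlSet; that is the "replicate via software" work the post refers to.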

#5 homes32

homes32

    Gold Member

  • .script developer
  • 1035 posts
  • Location:Minnesota
  •  
    United States

Posted 29 July 2013 - 02:48 PM

It seems to me that you are attempting to use a tool outside its intended usage paradigm.

 

AFAIK/AFAICR Malware Bytes has NO provisions to scan an "offline registry" (and NO provisions for an "offline registry mounted temporarily to HKLM").

See (example):

http://forums.malwar...showtopic=64547

 

Otherwise there are already tools to do that kind of "temporary mounting", namely Runscanner:

http://www.paraglide.../runscanner.htm

 

 

:cheers:

Wonko

 

Wonko is correct. You need to use a tool like Paraglider's Runscanner. In my MBAM script that you reference above I use the following code to launch MBAM and autoload hives to accomplish offline registry scanning.

Runscanner.exe /t 5000 /m+ /sv /sd /ac /y /v /x Mbam.exe


#6 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 29 July 2013 - 03:49 PM

 

Wonko is correct. You need to use a tool like Paraglider's Runscanner. In my MBAM script that you reference above I use the following code to launch MBAM and autoload hives to accomplish offline registry scanning.



Runscanner.exe /t 5000 /m+ /sv /sd /ac /y /v /x Mbam.exe

But still, and AFAICU, MBAM does not "scan" those with the same "efficiency/effects" that it would do on a "live" Registry.

 

:cheers:

Wonko



#7 homes32

homes32

    Gold Member

  • .script developer
  • 1035 posts
  • Location:Minnesota
  •  
    United States

Posted 29 July 2013 - 06:00 PM

But still, and AFAICU, MBAM does not "scan" those with the same "efficiency/effects" that it would do on a "live" Registry.

 

:cheers:

Wonko

 

Also true! Scanning is much, much less effective and one of the big reasons Malwarebytes doesn't officially support running MBAM from anything but a "live" Windows installation.



#8 morronic

morronic
  • Members
  • 4 posts
  •  
    United States

Posted 29 July 2013 - 11:51 PM

Thank you very much Wonko and Homes32! I think I've been trying to create or do something before I truly understand what it is I'm doing. I will definitely read up on how the Windows registry actually works and hopefully in a couple of weeks I will understand how the live Windows system works versus P.E. I was under the impression that in P.E, if I mounted registry hives from a remote system it makes it think it's live, but I can see where that wouldn't work. Thanks again everyone :clapping:

 

-Morronic


