Protecting UACD! - Some Insight

2Moon: Sorry, you misunderstood me - all I need is the command which I will call from the script.

The implementation of what should be inside the encrypted archive will be based on the implementor's request.

So the final implementation of ProtectUA will be this:

a.) run AnalyzeUA.vbs - it will show you the identifier of the computer (BIOS release date + product)

b.) Copy & paste this value into ProtectUA.vbs.

c.) Create an encrypted archive with a predefined name (for example ProtectUA.zip)

d.) encrypt ProtectUA.vbs (the final file will be named ProtectUA.vbe)

e.) add

cscript //nologo ProtectUA.vbe

to cmdlines.txt

f.) add the unpacker to $OEM$


@Martin,

Arrived a little bit late... seen your post... what a difference between what you said and what I sent to you. Like our posts, our minds too are not synchronizing at all!

BTW, have you seen bit.exe? A lot of questions are boiling in my mind right now. I want to discuss... please post...

-MOON


The problem is you didn't post the most important thing - what utility with what syntax would you like to use to decompress the archive.

Like: I would like to use utility XXX (URL) and the syntax will be XXX ProtectUA.zip /password:YYY.

About bit, it is using DMI (Desktop Management Instrumentation) and I am using WMI (Windows Management Instrumentation). What information are you interested in on this topic?


2Martin

I would like to use PKUNZIP.EXE to decompress the archive. It follows the following syntax:

PKUNZIP -e -d -spassw0rd C:\ProtectUA.zip C:\

where passw0rd, for example, is the password with which it decrypts the archive (-s is the option to include for extracting an encrypted archive; please note there is no space between -s and the password).

-e is for extraction and -d for replicating the folder structure found inside the archive to the destination. I hope I described it properly for your understanding.

Regarding bit.exe, I've some thoughts; please read on:

1. Can we not implement bit's DMI method of extracting BIOS info? If yes, it has the advantage of finding the serial number of the MoBo and also the BIOS version+date+time. I understand that it uses DMI while our script is following WMI. This idea came to my mind just because BIT does all these things in Win32 console mode, which as an idea is close to our unattended philosophy.

2. If your response is no, that from our stream of thinking it is not possible to apply BIT.EXE-type gathering of info, then, Martin, I've one last idea in this context. The idea is:

From CMDLINES.TXT let us allow BIT.EXE to run in the background and it will generate its .DAT report inside the directory from where we ran it [I wish we could put BIT.EXE inside $OEM$\$$\system32, so that it goes onto the HDD during installation].

Our VB Script will do no WMI query at all; what it'll do, I wish, is some sort of string checking between BITREPORT.DAT and our arrayAllowedHosts section. If that's possible, then, I hope, we have achieved what we wanted all through these interactions. The arrayAllowedHosts section is static information based, and we can input either the MoBo serial no. or the BIOS date+time or both. The method of encryption, the method of passing the authentication check and the method of deleting NTLDR just remain the same, as you pricelessly suggested all along. We can pack BIT.EXE into an archive which will be encrypted along with all the other files you suggested before. If it's possible then the UACD projects of all the members of this forum will be 100% protected from both normal users and advanced users.

What's your take on it, Sir? I wait...

Now I'm again leaving the forum; I'll come back in 1 hour.

Thanks from MOON.

Edited by MOONLIGHT SONATA

Well, the problem is I don't understand why you want to use DMI instead of WMI. DMI was an older standard not accepted by the majority of products; instead WMI was "forced" by Microsoft, so most major HW players accepted this standard and provided information to WMI classes.


Here we go, today's release of code:

AnalyzeUA.vbs

Option Explicit
'On Error Resume Next

' WMI enumeration flags (declared before their first use)
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

Dim objWMIService : Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Dim colItemsBios : Set colItemsBios = objWMIService.ExecQuery("SELECT * FROM Win32_BIOS", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Dim colItemsBaseBoard : Set colItemsBaseBoard = objWMIService.ExecQuery("SELECT * FROM Win32_BaseBoard", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Dim strItemBios, strItemBaseBoard, strAllowedValue
Dim objItemBios, objItemBaseBoard

' Build the computer identifier (BIOS release date + baseboard product) and show
' it in an input box so it can be copied into arrayAllowedHosts in ProtectUA.vbs
For Each objItemBios In colItemsBios
   For Each objItemBaseBoard In colItemsBaseBoard
      strItemBios = Trim(LCase(objItemBios.ReleaseDate))
      strItemBaseBoard = Trim(LCase(objItemBaseBoard.Product))
      strAllowedValue = InputBox("BIOS Release identifier", "BIOS Release", strItemBios & strItemBaseBoard)
   Next
Next

Set objWMIService = Nothing
Set colItemsBios = Nothing
Set colItemsBaseBoard = Nothing
Set objItemBios = Nothing
Set objItemBaseBoard = Nothing

ProtectUA.vbs coming soon...


2All: Please try AnalyzeUA.vbs and let me know if it is working...

ProtectUA.vbs (this is a working version, but I didn't have a chance to try it, so be extremely careful!)

Option Explicit

Dim objWMIService, arrayBIOS, objBIOS, strAllowedHost, strYouAreWelcome
Dim strOperatingSystem, colOperatingSystems
Dim objFSO, objShell, strSystemDrive
Dim objBaseboard, arrayBaseBoard, strComputerHost, strPassword

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
Const wmiRestartForce = 4

' Password of the encrypted ProtectUA.zip
strPassword = "Passw0rd"
' Allowed computers: BIOS ReleaseDate & BaseBoard Product, as shown by AnalyzeUA.vbs.
' Dim arrayAllowedHosts(N) holds N+1 entries, so raise N when you add a computer.
Dim arrayAllowedHosts(1)
arrayAllowedHosts(0) = "20030716000000.000000+0000x1078"
arrayAllowedHosts(1) = "20030814******.******+***virtual machine"

Set objShell = CreateObject("Wscript.Shell")

Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Set arrayBIOS = objWMIService.ExecQuery("SELECT * FROM Win32_BIOS", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Set arrayBaseBoard = objWMIService.ExecQuery("SELECT * FROM Win32_BaseBoard", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)

' Compare this computer's identifier with every allowed host (case-insensitive, trimmed)
strYouAreWelcome = 0
For Each objBIOS In arrayBIOS
  For Each objBaseboard In arrayBaseBoard
    strComputerHost = objBIOS.ReleaseDate & objBaseboard.Product
    For Each strAllowedHost In arrayAllowedHosts
      If Trim(LCase(strComputerHost)) = Trim(LCase(strAllowedHost)) Then strYouAreWelcome = 1
    Next
  Next
Next

If strYouAreWelcome <> 1 Then
  ' Unknown computer: remove ntldr from the system drive and force a reboot
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set colOperatingSystems = GetObject("winmgmts:{(Shutdown)}//./root/cimv2").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
  strSystemDrive = objShell.ExpandEnvironmentStrings("%SystemDrive%")
  objFSO.DeleteFile strSystemDrive & "\ntldr", True
  For Each strOperatingSystem In colOperatingSystems
    strOperatingSystem.Reboot()
  Next
Else
  ' Allowed computer: unpack the encrypted archive to C:\ with PKUNZIP (hidden window, wait for it to finish).
  ' A Sub call with several arguments must not be wrapped in parentheses, otherwise VBScript
  ' stops with "Cannot use parentheses when calling a Sub" before PKUNZIP ever runs.
  objShell.Run "PKUNZIP -e -d -s" & strPassword & " C:\ProtectUA.zip C:\", 0, True
End If

BTW, about the array - I decided to change it a little bit. As you can see, you must add arrayAllowedHost(X) for each new computer. Also you must increase the Dim arrayAllowedHost value.

Waiting for your feedback, guys.

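The allow-list check from ProtectUA.vbs, re-expressed as an added example (my illustration, not Martin's code). It builds the list with Array(), so adding a computer is just another string and there is no Dim bound to bump, and it reports the decision with WScript.Echo instead of acting on it, so a list can be verified on a machine before the real script is deployed. It also goes a step beyond the exact comparison in the thread: a CIM datetime such as Win32_BIOS.ReleaseDate uses "*" for fields the firmware leaves unspecified, so the comparison below lets "*" in a stored entry match any single character. The two list entries are the ones from ProtectUA.vbs; the function names HostMatches and IsAllowedHost are my own.

```vbscript
Option Explicit

' Added example: allow-list check from ProtectUA.vbs with an Array()-built list
' and a "*"-aware comparison. Not part of the original thread's scripts.

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

' Allowed computers: BIOS ReleaseDate & BaseBoard Product, as shown by AnalyzeUA.vbs.
' To add a computer, append one more comma-separated string; nothing else changes.
Dim arrayAllowedHosts
arrayAllowedHosts = Array( _
    "20030716000000.000000+0000x1078", _
    "20030814******.******+***virtual machine")

' True when strHost equals strPattern character for character, where "*" in the
' pattern stands for any single character (CIM datetimes use "*" for unspecified
' fields). Both sides are trimmed and lower-cased, like ProtectUA.vbs does.
Function HostMatches(strHost, strPattern)
    Dim h, p, i
    h = Trim(LCase(strHost))
    p = Trim(LCase(strPattern))
    HostMatches = False
    If Len(h) <> Len(p) Then Exit Function
    For i = 1 To Len(p)
        If Mid(p, i, 1) <> "*" And Mid(p, i, 1) <> Mid(h, i, 1) Then Exit Function
    Next
    HostMatches = True
End Function

' True when the identifier matches at least one entry of the allow list.
Function IsAllowedHost(strHost, arrayHosts)
    Dim strPattern
    IsAllowedHost = False
    For Each strPattern In arrayHosts
        If HostMatches(strHost, strPattern) Then IsAllowedHost = True
    Next
End Function

' Read the same two WMI properties ProtectUA.vbs combines and report the result.
Dim objWMIService, objBIOS, objBaseboard, strComputerHost
Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
For Each objBIOS In objWMIService.ExecQuery("SELECT ReleaseDate FROM Win32_BIOS", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
    For Each objBaseboard In objWMIService.ExecQuery("SELECT Product FROM Win32_BaseBoard", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
        ' "&" treats a Null ReleaseDate as an empty string, so the script keeps going
        strComputerHost = objBIOS.ReleaseDate & objBaseboard.Product
        If IsAllowedHost(strComputerHost, arrayAllowedHosts) Then
            WScript.Echo "Allowed: " & strComputerHost
        Else
            WScript.Echo "Not in arrayAllowedHosts: " & strComputerHost
        End If
    Next
Next
```

Run it with cscript //nologo from a command prompt on each machine you intend to list; the echoed identifier is exactly the string to paste into the array. Because the comparison is a plain string check against a list stored in the script itself, encoding the script to .vbe only hides the list from casual inspection, not from anyone who decodes it.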

@Martin,

I'm indebted to you for these nice scripts. AnalyzeUA.VBS works fine.

On the way towards applying ProtectUA.VBS. Let's see what happens..

A few clarifications I expect from you.

(i) Dim arrayAllowedHosts(1)

arrayAllowedHosts(0) = "20030716000000.000000+0000x1078"

arrayAllowedHosts(1) = "20030814******.******+***virtual machine"

Here, as I understood it, the script is instructed to check arrayAllowedHosts(1), and arrayAllowedHosts(0) = "20030716000000.000000+0000x1078" is just to show us how to add multiple computers into the AllowedHosts list. Now, if we have another true AllowedHosts numbered 0, then we would have to change Dim arrayAllowedHosts(1). Is the needed change like Dim arrayAllowedHosts(2) or Dim arrayAllowedHosts(0,1)?

(ii) ProtectUA.zip is loaded into C:\ during the copying of the $OEM$\$1 folder. Now, if a machine doesn't pass authentication, then although NTLDR gets deleted, ProtectUA.zip still remains at the root of C:\. Although, because of the encryption, nobody can extract ProtectUA.zip, I opine that it should be deleted as well. Now, can I add the line objFSO.DeleteFile strSystemDrive & "\ProtectUA.zip", True after objFSO.DeleteFile strSystemDrive & "\ntldr", True?

I'll be obliged if you provide your valuable suggestions.

----MOON


Nope...

Dim arrayAllowedHosts(1) means arrayAllowedHosts will have two members (it is counted from 0, not from one).

arrayAllowedHosts(0) and arrayAllowedHosts(1) are these two members.

So if you want to add another member, you must add +1 to Dim arrayAllowedHosts (so it will be arrayAllowedHosts(2)) AND create a new value arrayAllowedHosts(2) = "blablabla".

If you want to delete ProtectUA.zip, you can't use

objFSO.DeleteFile strSystemDrive & "\ntldr", True

It would try to delete ProtectUA.zip from %windir%. Instead you must use

objFSO.DeleteFile "C:\ProtectUA.zip", True


@Martin,

I've tested ProtectUA.VBS. It's not working to the extent of decompressing the ZIP archive. My ProtectUA.ZIP is under $OEM$\$1 so that it gets copied to C:\, because from the script it has been instructed, as per my wish of course, to be decompressed by PKUNZIP.EXE from C:\. But it's not working. My cmdlines.txt has an entry like:

[COMMANDS]

"cscript //nologo ProtectUA.vbs"

I still have not applied encoding...

What's wrong? Is the command-line syntax as given by me followed as noted? For clarity, there's no space between -s and the password in the PKUNZIP syntax.

Please reply.
