
Posted

So I am attempting to create a simple script (minimal GUI interaction, just does it and moves on) that will install the Windows Recovery Console on a Windows XP computer. I'm basing my script on the Recovery Console installer built into Combofix. Now the script that sUBs wrote (in rather confusing batch files with lots of random "sed", "grep", and other much more UNIX-y commands) downloads the Windows XP Floppy Boot Disks to accomplish the task of installing the recovery console. He extracts the files from the floppy images, adds a few other files from Windows, and does some magic with boot.ini to make it usable.

Here's sUBs' Recovery Console install code:

@IF NOT EXIST InstallRC DEL /A/F %0


IF NOT EXIST XP.mac  (
    REM NIRCMD.COM INFOBOX "Will only install the Recovery Console for Windows XP" ""
    NIRCMD LOOP 2 80 BEEP 3000 200
    NIRCMD.COM INFOBOX "%LINE51%" ""
    GOTO AbortRC
    )


:: NIRCMD infobox "Boot Partition cannot be enumerated correctly" "" && GOTO AbortRC
IF NOT DEFINED BootDir NIRCMD infobox "%LINE52%" "" && GOTO AbortRC


GREP -Eisq "^default( =|=)" %BootDir%Boot.ini ||(
    REM CALL NIRCMD.COM INFOBOX "%%BootDir%%Boot.ini is not correctly formated" ""
    NIRCMD LOOP 2 80 BEEP 3000 200
    CALL NIRCMD.COM INFOBOX "%Line53%" ""
    GOTO AbortRC
    )


IF EXIST %BootDir%cmdcons\bootsect.dat GREP -isq "CMDCONS\\BOOTSECT.DAT" %BootDir%Boot.ini &&(
    IF EXIST Rboot.dat GOTO :EOF
    NIRCMD LOOP 2 80 BEEP 3000 200
    NIRCMD.COM INFOBOX "%Line54%" ""
    GOTO AbortRC
    REM NIRCMD.COM INFOBOX "This machine already has the Recovery Console installed.~n~nAborting operations" ""
    )


SED -r "s/^.*(.:\\.*)$/\1/;s/\x22//" InstallRC >RC00

FOR /F "TOKENS=*" %%G IN ( RC00 ) DO @IF EXIST "%%G" (
    REM NIRCMD INFOBOX "Please click 'YES' in the End User License Agreement (EULA) dialog that follows ..." "Installing the Recovery Console"
    ECHO.%%~NXG>CF-RC.txt
    NIRCMD INFOBOX "%Line55%" ""
    "%%G" /c /t:"%CD%\RC"
) ELSE IF EXIST "%%~SG" (
    ECHO.%%~NXG>CF-RC.txt
    NIRCMD INFOBOX "%Line55%" ""
    "%%~SG" /c /t:"%CD%\RC"
) ELSE (
    REM CALL NIRCMD.COM INFOBOX "Installation file - %%~G - cannot be found"
    CALL NIRCMD.COM INFOBOX "%Line56%" ""
    GOTO AbortRC
    )

DEL /A/F/Q RC0? N_\*



IF NOT EXIST "%cd%\RC\cdboot1.img" (
    REM NIRCMD.COM INFOBOX "You didn't select YES~n~nInstallation is aborted" ""
    NIRCMD.COM INFOBOX "%Line57%" ""
    GOTO AbortRC
    )


IF EXIST %BootDir%cmdcons (
    IF EXIST f_system SWXCACLS %BootDir%cmdcons /RESET /Q
    RD /S/Q %BootDir%cmdcons
    )>N_\%random% 2>&1


MD %BootDir%cmdcons >N_\%random% 2>&1

EXTRACT.cfexe -ox RC\cdboot?.img %BootDir%cmdcons >N_\%random% 2>&1

COPY /Y /B %system%\autochk.exe %BootDir%cmdcons >N_\%random% 2>&1

COPY /Y /B %system%\autofmt.exe %BootDir%cmdcons >N_\%random% 2>&1

EXPAND.exe -r %BootDir%cmdcons\txtsetup.si_ >N_\%random% 2>&1

COPY /Y /B %BootDir%cmdcons\setupldr.bin %BootDir%cmldr >N_\%random% 2>&1

dd if=\\.\%bootdir:~,2% of=%BootDir%cmdcons\bootsect.dat bs=512 count=1 >N_\%random% 2>&1

IF EXIST f_system Type BootSect.dll >>%BootDir%cmdcons\bootsect.dat

IF NOT EXIST f_system GSAR -o -sNTLDR:x20:x20 -rCMLDR:x20:x20 %BootDir%cmdcons\bootsect.dat >N_\%random% 2>&1

REGT /a /s MountedDevices.reg "HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices"


@>%BootDir%cmdcons\migrate.inf (
ECHO.[Version]
ECHO.Signature = "$Windows NT$"
ECHO.
ECHO.[Addreg]
)



SED "1,3d" MountedDevices.reg |(
    SED -r "s/\\\\/\\/g;:a;/\\$/N; s/\\\n  //; ta" | sed "/hex:5c/I!d; s/=hex:5c,/,0x00030001,\\\n  /;/^\x22/s/./HKLM,\x22SYSTEM\\MountedDevices\x22,&/" |(
    SED -r "/^  /s/[^\\ ]{72}/&\\\n  /g"
    ))>>%BootDir%cmdcons\migrate.inf



@>%BootDir%cmdcons\winnt.sif (
ECHO.[data]
ECHO.msdosinitiated="1"
ECHO.floppyless="1"
ECHO.CmdCons="1"
ECHO.LocalSourceOnCD="1"
ECHO.AutoPartition="0"
ECHO.UseSignatures="yes"
ECHO.InstallDir="%systemroot:~2%"
ECHO.EulaComplete="1"
ECHO.winntupgrade="no"
ECHO.win9xupgrade="no"
ECHO.[regionalsettings]
SWREG QUERY "hklm\system\currentcontrolset\control\nls\locale" /v "(default)" | sed "/.*    /!d;s///;s/.*/Language=&/"
ECHO.LanguageGroup=1
ECHO.[setupparams]
ECHO.DynamicUpdatesWorkingDir=%systemroot%\setupupd
ECHO.[unattended]
ECHO.unused=unused
ECHO.[userdata]
ECHO.productid=""
ECHO.productkey=""
ECHO.[OobeProxy]
ECHO.Enable=1
ECHO.Flags=1
ECHO.Autodiscovery_Flag=4
)


DEL /A/F %BootDir%cmdcons\txtsetup.si_ MountedDevices.reg >N_\%random% 2>&1


PEV -rtf %BootDir%cmdcons\VGA.SY_ >N_\%random% 2>&1 ||(
    REM CALL START NIRCMD.COM INFOBOX "Contents of %%BootDir%%cmdcons are not in order.~n~nPlease disable your security programs before trying again" ""
    CALL START NIRCMD.COM INFOBOX "%Line58%" ""
    RD /S/Q %BootDir%cmdcons
    GOTO AbortRC
    )>N_\%random% 2>&1



IF EXIST %BootDir%Boot.bak DEL /A/F %BootDir%Boot.bak >N_\%random% 2>&1

ATTRIB -H -R -S -A %BootDir%Boot.ini

COPY /Y %BootDir%Boot.ini %BootDir%Boot.bak >N_\%random% 2>&1

SET "bootsect=\n%BootDir%\CMDCONS\\BOOTSECT.DAT=\x22Microsoft Windows Recovery Console\x22 \/cmdcons"

SED G %BootDir%Boot.bak | SED -r "/cmdcons\\bootsect.dat|^$/Id; s/^\s*//; s/\s*$//" >BootIni00

SED "/^timeout=/Is/=.*/=2/; s/^\[operating systems\]$/&%bootsect%/I" BootIni00 >%BootDir%Boot.ini

DEL /A/F BootIni00 >N_\%random% 2>&1

ATTRIB +H +S +A +R %BootDir%Boot.ini

SET bootsect=

TYPE myNul.dat >RcRdy

TYPE %BootDir%Boot.ini >>CF-RC.txt

@ATTRIB +H +S +A +R %BootDir%cmdcons  /S /D

@IF EXIST f_system SWXCACLS %BootDir%cmdcons /DE:;A732/I /Q

TYPE myNul.dat >AbortC

:: NIRCMD.COM QBOXCOMTOP "The Recovery Console was successfully installed.~n~nClick 'Yes' to continue scanning for malware~n~nClick 'No' to exit" "What's next ?" RETURNVAL 1 || GOTO :EOF
NIRCMD.COM QBOXCOMTOP "%Line59%" "" FILLDELETE AbortC

IF NOT EXIST AbortC GOTO :EOF

IF EXIST Gateway FOR /F %%G IN ( gateway ) DO ROUTE ADD 0.0.0.0 MASK 0.0.0.0 %%G

COPY /Y CF-RC.txt \ >N_\%random% 2>&1

START Notepad.exe \CF-RC.txt

@GOTO :EOF

:AbortRC
:: NIRCMD.COM QBOXCOMTOP "Click 'Yes' to continue scanning for malware~n~nClick 'No' to exit" "What's next ?" RETURNVAL 1 && ECHO.>AbortC

@ECHO.>AbortC

NIRCMD.COM QBOXCOMTOP "%Line60%" "" FILLDELETE AbortC

IF NOT EXIST AbortC GOTO :EOF

@GOTO :EOF

Now there are a few things in there that don't make any sense, but most of them have to do with other portions of his program.

As an example, here is my (similar) program:

#include <Process.au3>

Local $destinationDrive = StringLeft(@WindowsDir, 2)        ; e.g. "C:"
Local $destinationDir = $destinationDrive & "\cmdcons"
Local $bootIni = $destinationDrive & "\boot.ini"            ; boot.ini lives in the drive root, not under \cmdcons
Local $sif = $destinationDir & "\winnt.sif"

DirCreate($destinationDir)
DirCopy(".\files", $destinationDir, 1)
FileCopy($destinationDir & "\setupldr.bin", $destinationDrive & "\cmldr", 1)
_RunDOS("dd.exe if=\\.\" & $destinationDrive & " of=" & $destinationDir & "\bootsect.dat bs=512 count=1")
;_RunDOS("type.exe BootSect.dll >>" & $destinationDir & "\bootsect.dat")
;_RunDOS("GSAR.exe -o -sNTLDR:x20:x20 -rCMLDR:x20:x20 " & $destinationDir & "\bootsect.dat")

IniWrite($destinationDir & "\migrate.inf", "Version", "Signature", "$Windows NT$")
;write all data from HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices to migrate.inf section [Addreg]

;write winnt.sif file
IniWrite($sif, "data", "msdosinitiated", "1")
IniWrite($sif, "data", "floppyless", "1")
IniWrite($sif, "data", "CmdCons", "1")
IniWrite($sif, "data", "LocalSourceOnCD", "1")
IniWrite($sif, "data", "AutoPartition", "0")
IniWrite($sif, "data", "UseSignatures", "yes")
IniWrite($sif, "data", "InstallDir", StringTrimLeft(@WindowsDir, 2)) ; sUBs writes %systemroot:~2%, i.e. "\WINDOWS" without the drive letter
IniWrite($sif, "data", "EulaComplete", "1")
IniWrite($sif, "data", "winntupgrade", "no")
IniWrite($sif, "data", "win9xupgrade", "no")
; sUBs' pipeline emits Language=<locale>; the key name was missing here, and AutoIt reads
; a key's (Default) value by passing an empty value name to RegRead
IniWrite($sif, "regionalsettings", "Language", RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Locale", ""))
IniWrite($sif, "regionalsettings", "LanguageGroup", "1")
IniWrite($sif, "setupparams", "DynamicUpdatesWorkingDir", @WindowsDir & "\setupupd")
IniWrite($sif, "unattended", "unused", "unused")
IniWrite($sif, "userdata", "productid", "")
IniWrite($sif, "userdata", "productkey", "")
IniWrite($sif, "OobeProxy", "Enable", "1")
IniWrite($sif, "OobeProxy", "Flags", "1")
IniWrite($sif, "OobeProxy", "Autodiscovery_Flag", "4")

FileSetAttrib($bootIni, "-HRSA")
IniWrite($bootIni, "boot loader", "timeout", 3)
; use the real system drive rather than a hard-coded C:
IniWrite($bootIni, "operating systems", $destinationDrive & "\CMDCONS\BOOTSECT.DAT", '"Microsoft Windows Recovery Console" /cmdcons')
RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\", "SecurityLevel", "REG_DWORD", 1)
RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\", "SetCommand", "REG_DWORD", 1)
FileSetAttrib($bootIni, "+HRSA")
_RunDOS("attrib +H +R +S " & $destinationDir & " /S /D")

(Obviously, sUBs should consider writing his stuff in AutoIT, it's much clearer.)

Anyway, I extracted all the files and added them to the ".\files" directory beforehand, so I didn't need to download and extract things every time I ran the program. I think I have most of the code copied over properly (with a few small modifications). There are two things in sUBs' code that confuse me:

1)

REGT /a /s MountedDevices.reg "HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices"

Here he enumerates every key in the HKLM\SYSTEM\MountedDevices folder and then outputs them to an .ini file in a manner similar to this:

[Version]
Signature = "$Windows NT$"

[Addreg]
HKLM,"SYSTEM\MountedDevices",,0x00000010
HKLM,"SYSTEM\MountedDevices","\??\Volume{865af030-acd9-11dd-a9eb-806d6172696f}",0x00030001,\
     5c,00,3f,00,3f,00,5c,00,46,00,44,00,43,00,23,00,47,00,45,00,4e,00,45,00,52,\
     00,49,00,43,00,5f,00,46,00,4c,00,4f,00,50,00,50,00,59,00,5f,00,44,00,52,00,\
     49,00,56,00,45,00,23,00,35,00,26,00,33,00,34,00,39,00,32,00,33,00,34,00,30,\
     00,31,00,26,00,30,00,26,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,\
     33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,\
     00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,\
     31,00,65,00,66,00,62,00,38,00,62,00,7d,00
HKLM,"SYSTEM\MountedDevices","\??\Volume{865af031-acd9-11dd-a9eb-806d6172696f}",0x00030001,\
     5c,00,3f,00,3f,00,5c,00,49,00,44,00,45,00,23,00,43,00,64,00,52,00,6f,00,6d,\
     00,56,00,42,00,4f,00,58,00,5f,00,43,00,44,00,2d,00,52,00,4f,00,4d,00,5f,00,\
     5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,\
     00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,\
     5f,00,5f,00,5f,00,31,00,2e,00,30,00,5f,00,5f,00,5f,00,5f,00,5f,00,23,00,34,\
     00,32,00,35,00,36,00,32,00,64,00,33,00,32,00,33,00,31,00,33,00,30,00,33,00,\
     30,00,33,00,37,00,33,00,33,00,33,00,30,00,33,00,36,00,33,00,37,00,32,00,30,\
     00,32,00,30,00,32,00,30,00,32,00,30,00,32,00,30,00,32,00,30,00,32,00,30,00,\
     32,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,64,00,2d,\
     00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,00,34,00,\
     66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,66,00,62,\
     00,38,00,62,00,7d,00

I think this shouldn't be too hard to reproduce in AutoIT, but I can't really wrap my head around how.

2)

IF EXIST f_system Type BootSect.dll >>%BootDir%cmdcons\bootsect.dat

IF NOT EXIST f_system GSAR -o -sNTLDR:x20:x20 -rCMLDR:x20:x20 %BootDir%cmdcons\bootsect.dat >N_\%random% 2>&1

These two lines don't really make any sense to me. You can see I reproduced them in my code, but I'm wary of using them until I know that they'll actually do something useful.

So...can anyone help me with my weird problems? If there's more information needed (or you just want to know what some of the obscure code that I didn't talk about does) please let me know. Thanks.
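For question 1, an added example (editor's code, not from the thread or ComboFix): a Python equivalent of the REGT + sed pipeline that turns HKLM\SYSTEM\MountedDevices into the [Addreg] section quoted above. The floppy entry in the constructed sample is the one decoded from the hex in that example output; the basic-disk entry is a made-up signature.

```python
# Added example (mine, not ComboFix or thread code): a Python equivalent of sUBs' REGT + sed
# pipeline. It keeps the MountedDevices values whose REG_BINARY data starts with 0x5c, i.e.
# UTF-16 "\??\..." device paths (floppy, CD-ROM), and drops basic-disk signature+offset entries.

KEY = r"SYSTEM\MountedDevices"
BYTES_PER_LINE = 25          # wrap width of the sample output quoted in the thread
BINARY_FLAG = "0x00030001"   # AddReg flags sUBs' output uses for these REG_BINARY values


def hex_lines(data: bytes) -> list[str]:
    """Render REG_BINARY data as INF continuation lines: '  aa,bb,...,\\' then a last line."""
    items = [f"{b:02x}" for b in data]
    chunks = [items[i:i + BYTES_PER_LINE] for i in range(0, len(items), BYTES_PER_LINE)]
    lines = ["  " + ",".join(c) + ",\\" for c in chunks[:-1]]
    lines.append("  " + ",".join(chunks[-1]))
    return lines


def build_migrate_inf(values: dict[str, bytes]) -> str:
    """values maps value name -> raw REG_BINARY data read from HKLM\\SYSTEM\\MountedDevices."""
    out = ["[Version]", 'Signature = "$Windows NT$"', "", "[Addreg]",
           f'HKLM,"{KEY}",,0x00000010']             # 0x10 = FLG_ADDREG_KEYONLY: create the key
    for name, data in values.items():
        if not data.startswith(b"\\"):              # same test as sed's /hex:5c/I!d
            continue
        out.append(f'HKLM,"{KEY}","{name}",{BINARY_FLAG},\\')
        out.extend(hex_lines(data))
    return "\n".join(out) + "\n"


def read_mounted_devices() -> dict[str, bytes]:
    """On Windows, read the live key; winreg is in the standard library there."""
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as k:
        while True:
            try:
                name, data, kind = winreg.EnumValue(k, i)
            except OSError:                         # no more values
                return values
            if kind == winreg.REG_BINARY:
                values[name] = data
            i += 1


# Constructed sample: the floppy volume decoded from the thread's example output, plus one
# basic-disk entry (fake signature a1b2c3d4, offset 0) that must be filtered out.
SAMPLE = {
    r"\??\Volume{865af030-acd9-11dd-a9eb-806d6172696f}":
        r"\??\FDC#GENERIC_FLOPPY_DRIVE#5&34923401&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}".encode("utf-16-le"),
    r"\DosDevices\C:": bytes.fromhex("a1b2c3d4" + "00" * 8),
}
```

On Windows, `build_migrate_inf(read_mounted_devices())` produces the file for the live machine; elsewhere run it over `SAMPLE`, whose output reproduces the floppy entry byte for byte (only the indent differs, which INF parsing ignores).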

Posted

Well, it's been almost a week and nobody's replied to this. I guess I won't be getting any help on this one. Oh well. Thanks anyway.

  • 3 weeks later...
Posted

These two lines don't really make any sense to me. You can see I reproduced them in my code, but I'm wary of using them until I know that they'll actually do something useful.

Within ComboFix, there is a batch file named c.bat. Have you read line 19 yet?

  • 2 weeks later...
Posted

I had read line 19 and I suppose maybe I shouldn't be doing this, but the idea was to not have to run ComboFix every time I wanted to install the Recovery Console on a machine and to also avoid a rather large download to install it or finding a CD.

Anyway, I "copied" what sUBs did because I wanted to understand how s/he did what s/he did. At that point, I can write my own (or recreate rather than copy) Recovery Console installer. I'm certainly not going to use a program like this until I completely understand what it does. That's why I was asking. And if I could just ask sUBs directly, I'd do that instead.
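For question 2 in the opening post, an added example (editor's code, not ComboFix's) of what the GSAR line does on the NTFS branch: a same-length byte substitution of "NTLDR  " with "CMLDR  " inside the 512-byte sector that dd copied into bootsect.dat. The sample sector is constructed; the function also checks what a careful installer should check before touching the file.

```python
# Added example (not ComboFix code): what "GSAR -o -sNTLDR:x20:x20 -rCMLDR:x20:x20" does.
# In gsar, ":x20" is a hex escape for one byte (a space), so the command replaces every
# 7-byte "NTLDR  " with "CMLDR  " in place (-o overwrites the file). Same length, so the
# boot code's offsets and the 0x55AA signature at the end of the sector do not move.

SECTOR_SIZE = 512
OLD = b"NTLDR  "
NEW = b"CMLDR  "


def loader_name_offsets(sector: bytes, name: bytes) -> list[int]:
    """Offsets at which the exact loader-name pattern occurs in the sector."""
    hits, pos = [], sector.find(name)
    while pos != -1:
        hits.append(pos)
        pos = sector.find(name, pos + 1)
    return hits


def patch_bootsect(sector: bytes) -> bytes:
    """Return the sector with 'NTLDR  ' -> 'CMLDR  '; reject anything that is not a boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)} bytes")
    if sector[SECTOR_SIZE - 2:] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature; dd probably read the wrong device")
    if not loader_name_offsets(sector, OLD):
        raise ValueError("pattern 'NTLDR  ' not present; nothing to patch")
    patched = sector.replace(OLD, NEW)
    assert len(patched) == SECTOR_SIZE       # same-length replacement, as with gsar
    return patched


# Constructed sample sector: the loader name at offset 64, plus an error message at
# offset 400 containing "NTLDR " with a single space, which the pattern must not touch.
_s = bytearray(SECTOR_SIZE)
_s[64:64 + len(OLD)] = OLD
_s[400:400 + 16] = b"NTLDR is missing"
_s[SECTOR_SIZE - 2:] = b"\x55\xaa"
SAMPLE_SECTOR = bytes(_s)
```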
