cmd.exe is an important entry point. It is where we do much of our everyday command-line and registry work, but it is also the entry point viruses and intruders use to get into a computer. Look at the intrusion write-ups published on the network: most intrusions are carried out in cmd. Typically an overflow exploit yields a cmdshell running with SYSTEM privileges, and the attacker then plants a backdoor that binds cmd.exe to a port, such as Tcmd. Others exploit a web application to get a webshell, use its low-privileged cmdshell to escalate privileges, and finally plant a backdoor. All of these attacks show that intrusion and cmd.exe go together: cmd.exe is the interface through which a user interacts with the system, so it is the first thing an intruder reaches for once inside. We cannot just sit and wait. How do we stop someone from getting a cmdshell through an overflow? How do we know that someone has got in and obtained a cmdshell? How do we catch the intruder when someone logs in to our machine? Let us build the ultimate line of defense for cmd.
A preventive method often discussed on the network is to set restrictive permissions on cmd.exe. That does help, but the right permissions are hard to get right, and if an attacker can upload their own copy of cmd.exe they can bind that copy to a port and get a cmdshell anyway. Today I introduce a different method that does not require changing the permissions of cmd.exe at all. First the principle: open a command window and run cmd /?, and see what you get in Figure 1.
Note the following:
If /D was not specified on the command line, then when CMD.EXE starts it looks for the following REG_SZ/REG_EXPAND_SZ registry variables, and if either or both are present they are executed first:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
and/or
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
In other words, if an AutoRun value exists under HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor or HKEY_CURRENT_USER\Software\Microsoft\Command Processor, every cmd.exe started without the /D switch executes the command stored in that value before it does anything else, before an interactive prompt even appears. Think about what that means: since we can run our own program or script before cmd.exe goes to work, we have complete control over what cmd.exe does.
We have found what we can use. Now let us see how to put this feature of cmd.exe to work. The key is to set HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun (create the value if it does not exist) to the location of a script of your own; for convenience we use a batch file. My system is Windows 2000 Advanced Server. For example, create c:\winnt\system32\cmd.bat containing the commands you want to run before the cmd.exe process starts, and then set AutoRun to c:\winnt\system32\cmd.bat, as shown in Figure 2. Two points matter when you set this up. AutoRun under HKEY_CURRENT_USER applies only to the account whose hive it lives in, so a SYSTEM-level shell spawned by an overflow will not see a value you set in your own account; set the HKEY_LOCAL_MACHINE value as well, which applies to every account on the machine. And the batch file must be writable only by administrators: if an ordinary user can modify it, their commands run the next time an administrator (or a service running as SYSTEM) starts cmd.exe.
If your machine is not patched regularly, you can make cmd.bat contain just the command exit. That resists remote overflow attacks, because the usual overflow either reverse-connects a cmdshell to the attacker or binds one to a port, and in both cases the shellcode starts cmd.exe, which runs cmd.bat first and therefore exits immediately. Bear in mind that AutoRun fires for every cmd.exe start, including the non-interactive cmd /c runs made by scripts, scheduled tasks and services, so exit will break those as well. Here, for demonstration, the command I specified is pause, as in Figure 3.
Someone who does not know what is going on will be thoroughly frustrated, and even one who does, if they are an ordinary novice, cannot do much about it unless they use different shellcode. An attacker who knows the trick can start cmd.exe /D, which skips AutoRun, or delete the value if they have write access to the key, so treat this as an obstacle rather than a wall.
Prevention alone is not enough; it is better to catch the intruder. So let us write the cmd.bat script. To catch the intruder, or to find out when the intrusion happened, define the contents of cmd.bat as follows:
@echo off
rem turn off command echo
rem record the current network connections; append with >> so earlier entries are not overwritten
@netstat -an >>c:\winnt\system32\net.log
rem record the date of the intrusion
@date /t >>c:\winnt\system32\date.log
rem record the time of the intrusion
@time /t >>c:\winnt\system32\time.log
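The procedure above, set up and audited from PowerShell, as an added example that is not part of the original article: it writes a logging batch file, locks its permissions down, sets AutoRun in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER so that SYSTEM-level shells are covered too, and then lists every AutoRun value found in any loaded hive, because the same key is a persistence location attackers use. The file names cmdhook.cmd and cmdhook.log, and the use of a modern Windows path under $env:SystemRoot, are assumptions; the article uses c:\winnt\system32\cmd.bat on Windows 2000.

```powershell
# Added example (not from the original article): install a cmd.exe AutoRun hook
# that records every cmd.exe start, and audit the AutoRun values that attackers
# also abuse for persistence. Run from an elevated PowerShell. The file names
# cmdhook.cmd / cmdhook.log are assumptions, not the article's own.

$HookPath = Join-Path $env:SystemRoot 'System32\cmdhook.cmd'
$LogPath  = Join-Path $env:SystemRoot 'System32\cmdhook.log'

# Batch body. One timestamped record per cmd.exe start, all in one file, so the
# date, time, account and connection list can be correlated (the article writes
# three separate logs). Deliberately no "exit": AutoRun also fires for every
# "cmd /c ..." run by services, scheduled tasks and installers.
$HookBody = @"
@echo off
echo ==== %DATE% %TIME% user=%USERNAME% session=%SESSIONNAME% >>"$LogPath"
netstat -an >>"$LogPath"
"@

function New-Ace($identity, $rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rights, 'Allow')
}

function Install-CmdAutoRunHook {
    Set-Content -Path $HookPath -Value $HookBody -Encoding Ascii

    # Lock the hook down. If a low-privileged user could edit this file, the hook
    # would become a privilege escalation: their code would run whenever an
    # administrator or a SYSTEM service starts cmd.exe.
    $acl = Get-Acl -Path $HookPath
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
    $acl.AddAccessRule((New-Ace 'SYSTEM' 'FullControl'))
    $acl.AddAccessRule((New-Ace 'Administrators' 'FullControl'))
    $acl.AddAccessRule((New-Ace 'Users' 'ReadAndExecute'))
    Set-Acl -Path $HookPath -AclObject $acl

    # Pre-create the log and let ordinary accounts write to it but not delete it,
    # so a low-privileged shell (a webshell running as the web server account,
    # for example) is still recorded. Ordinary users cannot write under System32
    # by default, which would silently defeat the hook for exactly those shells.
    if (-not (Test-Path $LogPath)) { New-Item -Path $LogPath -ItemType File | Out-Null }
    $logAcl = Get-Acl -Path $LogPath
    $logAcl.SetAccessRuleProtection($true, $false)
    $logAcl.AddAccessRule((New-Ace 'SYSTEM' 'FullControl'))
    $logAcl.AddAccessRule((New-Ace 'Administrators' 'FullControl'))
    $logAcl.AddAccessRule((New-Ace 'Users' 'Write'))
    Set-Acl -Path $LogPath -AclObject $logAcl

    # HKLM applies to every account, including the SYSTEM shell an overflow
    # typically yields; HKCU only covers the account that set it.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Command Processor"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name AutoRun -Value "`"$HookPath`"" -Type String
    }
}

function Get-CmdAutoRun {
    # Enumerate AutoRun in HKLM, in the WOW6432Node copy that 32-bit cmd.exe reads
    # on 64-bit Windows, and in every loaded hive under HKEY_USERS (SYSTEM's own
    # hive is S-1-5-18). Any value you did not set yourself is a persistence finding.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $keys = @(
        'HKLM:\Software\Microsoft\Command Processor',
        'HKLM:\Software\WOW6432Node\Microsoft\Command Processor'
    )
    $keys += Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue | ForEach-Object {
        "HKU:\$($_.PSChildName)\Software\Microsoft\Command Processor"
    }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
        if ($value) { [pscustomobject]@{ Key = $key; AutoRun = $value } }
    }
}

Install-CmdAutoRunHook
Get-CmdAutoRun | Format-Table -AutoSize
```

Run Get-CmdAutoRun on its own as a periodic check: the expected output is exactly the two values the install function wrote, and anything else is worth investigating. The Write right granted to Users lets a shell in that account overwrite the log but not delete it, so copy the log off the host if it matters; and the hook does nothing for a shell started with cmd.exe /D, which the article's own cmd /? excerpt documents.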