

FiraDisk
joakim
Posted on: Yesterday, 02:47 PM


Frequent Member
***

Group: Members
Posts: 364
Joined: 18-April 08
From: Bergen
Member No.: 14,583


I meant the output of;

CODE
bcdedit /store r:\boot\bcd /enum all /v


Joakim
  Forum: FileDisks/RamDisks: Firadisk, etc. · Post Preview: #82547 · Replies: 150 · Views: 26,973

FiraDisk
joakim
Posted on: Yesterday, 01:10 PM




Hehe I guess I missed XP vs Win7. Nevermind.

Could you post your complete BCD store?

Joakim
  Forum: FileDisks/RamDisks: Firadisk, etc. · Post Preview: #82536 · Replies: 150 · Views: 26,973

ScratchSpace at 1024 (ramdisk size)
joakim
Posted on: Yesterday, 12:06 PM




Setting the undocumented value also works on nt5 based systems prepared with the wimboot script. I just applied it to moa (bartpe based on 2003 sources), which resulted in an iso at 128 Mb and writable freespace on X:\ at 1 Gb.

Joakim
  Forum: Win7PE · Post Preview: #82534 · Replies: 9 · Views: 524

PE with memory?
joakim
Posted on: Oct 24 2009, 08:48 PM




I came to think that maybe hardware profiles could be used for this.

It would mean that you somehow must modify SETUPREG.HIV (since the SYSTEM hive would be trickiest of them) in its current on-disk form, to even detect the presence of different hardware profiles.

It theoretically could involve dumping the hive in question and making a diff to the same hive on disk (which is not modified because of /minint switch), and then transform the diff into hardware profiles.

For the SOFTWARE hive, we could, again theoretically, make another registry dump and modify the registry key in
CODE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\hivelist


to let the corresponding hive point to the new one.

But as already mentioned, these methods (if even possible) would necessitate a modification of SETUPREG.HIV. If that is not possible, then I suppose only modification of the Boot Loader itself could be the way... (hardcoded redirection).

Joakim
  Forum: Development · Post Preview: #82507 · Replies: 12 · Views: 1,344

ARC-Path Quiz
joakim
Posted on: Oct 24 2009, 08:13 PM




So a year has passed, but do we know how cdrom(x) is generated?

Is it voodoo or simply impossible to predict?


Joakim
  Forum: Development · Post Preview: #82505 · Replies: 28 · Views: 5,806

FiraDisk
joakim
Posted on: Oct 24 2009, 05:58 PM




I am wondering how it is possible to make XP not fit on a 2 Gb image...

Follow diddy's guide http://www.boot-land.net/forums/index.php?showtopic=9328 and the tips given in the answering posts. You should be able to make XP run with almost all services on an image of just 500 Mb. You must have the image NTFS compressed though; otherwise you should add a few hundred Mb to the size to make it fit.

Joakim
  Forum: FileDisks/RamDisks: Firadisk, etc. · Post Preview: #82500 · Replies: 150 · Views: 26,973

joakim
Posted on: Oct 24 2009, 01:45 PM




A couple of things to note.

- You only need ntldr, boot.ini, ntdetect.com, image.dsk on medium you're booting from.
- You can delete ntldr, boot.ini, ntdetect.com inside the image (they are not used)
- In boot.ini you must add the offset your partition starts at. Most likely you will want to add /rdimageoffset=32256 for a standard disk image.
- If your image is created with Embedded tools (sdi image), then /rdimageoffset is 4096 for partition image and 36352 for disk image.
- The /pae in boot.ini is only a must if using the size-patched ntldr.

Joakim
  Forum: FileDisks/RamDisks: Firadisk, etc. · Post Preview: #82478 · Replies: 9 · Views: 2,489
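An added example (editor's, not code from joakim's post) for the /rdimageoffset bullet above: the value is the byte offset at which the partition starts inside the image, which for a classic MBR disk image whose first partition begins at sector 63 is 63 x 512 = 32256. The script reads the MBR partition table of a raw disk image and computes that offset. The sample MBR is constructed here, and the boot.ini line format (ramdisk(0) ARC path with /rdpath) is an assumption taken from XP Embedded ramboot usage, not from the post.

```python
"""
Compute the /rdimageoffset value for a raw disk image by reading its MBR.
Added example; assumes a classic MBR with 512-byte sectors. SDI images do not
use this: per the post they need fixed offsets (4096 for a partition image,
36352 for a disk image) because of the SDI header in front of the data.
"""
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16


def first_partition_offset(image: bytes) -> int:
    """Return the byte offset of the first used MBR partition entry (LBA start * 512)."""
    if len(image) < SECTOR_SIZE:
        raise ValueError("image shorter than one sector")
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR boot signature (0x55AA) at offset 510")
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + ENTRY_SIZE * i
        entry = image[start:start + ENTRY_SIZE]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        _status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and sectors != 0:
            return lba_start * SECTOR_SIZE
    raise ValueError("no used partition entry in MBR")


def boot_ini_entry(offset: int,
                   image_path: str = r"multi(0)disk(0)rdisk(0)partition(1)\image.dsk") -> str:
    """Build the boot.ini line carrying the offset.
    ARC syntax (ramdisk(0), /rdpath) is assumed from XP Embedded ramboot usage."""
    return f'ramdisk(0)\\WINDOWS="XP RAM boot" /rdpath={image_path} /rdimageoffset={offset}'


def build_sample_mbr(lba_start: int = 63, sectors: int = 1_048_576) -> bytes:
    """Constructed sample: one active NTFS partition (type 0x07) starting at lba_start."""
    mbr = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        lba_start, sectors)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + ENTRY_SIZE] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(SECTOR_SIZE) if len(sys.argv) > 1 else build_sample_mbr()
    off = first_partition_offset(data)
    print(f"first partition starts at byte {off}")
    print(boot_ini_entry(off))
```

Run it against a real image.dsk to get the offset for that image; on a disk imaged with old partitioning tools the first partition starts at sector 63 and the script prints 32256, on a Vista-era aligned disk it starts at sector 2048 and the offset is 1048576.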

joakim
Posted on: Oct 22 2009, 09:29 PM




I just noticed some weird behaviour of ramdisk.

I put xp version of ramdisk.sys on a winpe ramload based on 2003 sources with the exact registry patch as shown in post 1 (path adjusted). Result is the image being mapped to ram twice, as X: and C:, and it does not crash!! Strange.

Joakim
  Forum: FileDisks/RamDisks: Firadisk, etc. · Post Preview: #82374 · Replies: 9 · Views: 2,489

joakim
Posted on: Oct 22 2009, 11:51 AM




I don't think the matter is as easy as patching a conditional jump instruction. We also have to calculate how much ram we need (if at all enough) and reserve it for the ramdisk when switching mode. And possibly also more..

Joakim
  Forum: FileDisks/RamDisks: Firadisk, etc. · Post Preview: #82338 · Replies: 9 · Views: 2,489

joakim
Posted on: Oct 22 2009, 04:32 AM




QUOTE (MedEvil @ Oct 21 2009, 11:39 PM)
What exactly happens when one tries to load an image bigger than 512MB?


Then ntldr/setpldr.bin will fail because of a check in them.

Part of the myth has been that the size restriction of 512 Mb was also in ramdisk.sys, which evidently is wrong. The myth was also that XP's version of ramdisk.sys could not be booted off, which is also wrong. The myth also was that XP's ntldr/setupldr.bin could not load images to RAM, which is also partly wrong (at least ntldr can do loading to RAM).

However, what remains unsolved, is how to force xp's setupldr.bin to read winnt.sif.

Joakim
  Forum: FileDisks/RamDisks: Firadisk, etc. · Post Preview: #82325 · Replies: 9 · Views: 2,489

joakim
Posted on: Oct 21 2009, 09:59 PM




Rambooting is not limited to binaries from Server 2003 or XP Embedded. It works on XP SP2 and SP3 too (don't know about SP1). When I say works, I refer to booting a real non-PE system from ramdisk with the osloader (Boot Loader)/ntldr (pretty much like diskless XP Embedded systems) and boot.ini. Booting WinPE from ramdisk must be done with setupldr.bin (Setup Loader) and winnt.sif, and maybe only with the 2003 version of it. Note that ntdetect.com can be from XP. Trying to load ramdisk images with the XP version of setupldr.bin gives I/O errors, and it cannot read winnt.sif properly. The XP version of ramdisk.sys requires a registry patch (because otherwise it will not start at boot). Therefore ramloading works with XP sources too, and the only time you need one 2003 binary, setupldr.bin, is when ramloading in PE mode.

Sample registry patch (inf taken from 2003, but it also works with the XP one):

CODE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Control\Class\{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}]
"Class"="Ramdisk"
@="Ramdisk"
"Icon"="-5"

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Control\Class\{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}\0000]
"InfPath"="ramdisk.inf"
"InfSection"="BusInstall"
"InfSectionExt"=".NT"
"ProviderName"="Microsoft"
"DriverDateData"=hex:00,40,2a,7c,dd,68,c2,01
"DriverDate"="10-1-2002"
"DriverVersion"="5.2.3790.3959"
"MatchingDeviceId"="ramdisk"
"DriverDesc"="Windows RAM Disk Controller"

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Control\Class\{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}\0001]
"InfPath"="ramdisk.inf"
"InfSection"="VolumeInstall"
"InfSectionExt"=".NT"
"ProviderName"="Microsoft"
"DriverDateData"=hex:00,40,2a,7c,dd,68,c2,01
"DriverDate"="10-1-2002"
"DriverVersion"="5.2.3790.3959"
"MatchingDeviceId"="ramdisk\\ramvolume"
"DriverDesc"="Windows RAM Disk Device (volume)"

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN]

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN\0000]
"ClassGUID"="{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}"
"ConfigFlags"=dword:00000004
"Driver"="{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}\\0000"
"Class"="Ramdisk"
"Mfg"="Microsoft"
"HardwareID"=hex(7):72,00,61,00,6d,00,64,00,69,00,73,00,6b,00,00,00,00,00
"CompatibleIDs"=hex(7):64,00,65,00,74,00,65,00,63,00,74,00,65,00,64,00,69,00,\
  6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,5c,00,72,00,61,00,6d,00,64,00,69,\
  00,73,00,6b,00,00,00,64,00,65,00,74,00,65,00,63,00,74,00,65,00,64,00,5c,00,\
  72,00,61,00,6d,00,64,00,69,00,73,00,6b,00,00,00,00,00
"Service"="Ramdisk"
"DeviceDesc"="Windows RAM Disk Controller"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN\0000\LogConf]

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN\0000\Control]
"ActiveService"="Ramdisk"

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN\0001]
"ClassGUID"="{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}"
"Class"="Ramdisk"
"ConfigFlags"=dword:00000004
"Driver"="{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}\\0001"
"Mfg"="Microsoft"
"HardwareID"=hex(7):72,00,61,00,6d,00,64,00,69,00,73,00,6b,00,5c,00,72,00,61,\
  00,6d,00,76,00,6f,00,6c,00,75,00,6d,00,65,00,00,00,00,00
"DeviceDesc"="Windows RAM Disk Device (volume)"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN\0001\LogConf]

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN\0001\Control]

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Services\Ramdisk]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\SYSTEM32\\DRIVERS\\ramdisk.sys"
"DisplayName"="Windows RAM Disk Driver"

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Services\Ramdisk\Debug]
"DebugComponents"=dword:7fffffff
"DebugLevel"=dword:00000005

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Services\Ramdisk\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Services\Ramdisk\Enum]
"0"="Root\\UNKNOWN\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Adjust the path for winpe usage.

The size restriction of 512 Mb is in ntldr/setupldr.bin only. Ramdisk.sys can handle larger images, and some have said there is an absolute restriction at 2 Gb, with an actual user limit at around 1 Gb (some Chinese users have reported success with around 1.7 Gb). See the good explanation here; link1 and here; link2

Verification of this can be done with a modified ntldr found here (thank you JFX for pointing it out); link3 and here; link4
This patched sample is the debug version, ntldr_dbg 5.2.3790.0. I'm currently trying to find the original ntldr_dbg 5.2.3790.0 to locate the patch and hopefully produce a custom patch for setupldr.bin too. For other interested souls: you may want to strip off the 16-bit stub at the beginning of ntldr/setupldr.bin. That way your favourite disassembler will produce much friendlier output. A good link about reversing ntldr: http://www.reteam.org/board/archive/index.php/t-323.html

Important to remember is to add /pae to boot.ini. The author of the patch has mentioned that /nodebug is a must too, but I have done it without that entry.

If i get some time, I may create a performance report with comparisons of ramdisk/firadisk/winvblock/disklessangel.


Joakim
  Forum: FileDisks/RamDisks: Firadisk, etc. · Post Preview: #82318 · Replies: 9 · Views: 2,489
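An added example (editor's, not from joakim's post) for checking a patch like the one above before merging it into an offline hive: a small parser for Regedit 5.00 text that joins the backslash-continued lines and decodes the hex(7) (REG_MULTI_SZ) blobs, so you can confirm what the opaque byte lists say: HardwareID is "ramdisk", CompatibleIDs lists detectedinternal\ramdisk and detected\ramdisk, and the Ramdisk service is a boot-start kernel driver (Type 1, Start 0), which is exactly what the patch has to achieve for ramdisk.sys to start at boot. The excerpt embedded in the script is a reduced copy of the patch above; the \sys hive name is whatever name the offline SYSTEM hive was loaded under, as the post's "adjust the path" remark implies.

```python
"""
Minimal Regedit 5.00 (.reg) parser with REG_MULTI_SZ (hex(7)) decoding.
Added example for auditing a registry patch offline; not part of the post.
"""
import re
from typing import Dict, List, Tuple

# Reduced copy of the Ramdisk patch posted above (constructed excerpt, same format).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Enum\Root\UNKNOWN\0000]
"ClassGUID"="{9D6D66A6-0B0C-4563-9077-A0E9A7955AE4}"
"HardwareID"=hex(7):72,00,61,00,6d,00,64,00,69,00,73,00,6b,00,00,00,00,00
"CompatibleIDs"=hex(7):64,00,65,00,74,00,65,00,63,00,74,00,65,00,64,00,69,00,\
  6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,5c,00,72,00,61,00,6d,00,64,00,69,\
  00,73,00,6b,00,00,00,64,00,65,00,74,00,65,00,63,00,74,00,65,00,64,00,5c,00,\
  72,00,61,00,6d,00,64,00,69,00,73,00,6b,00,00,00,00,00
"Service"="Ramdisk"

[HKEY_LOCAL_MACHINE\sys\ControlSet001\Services\Ramdisk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="\\??\\C:\\WINDOWS\\SYSTEM32\\DRIVERS\\ramdisk.sys"
'''

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _join_continuations(text: str) -> List[str]:
    """Merge lines ending in a backslash with the following (indented) line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        lines.append(line)
    if buf:
        lines.append(buf)
    return lines


def _unescape(s: str) -> str:
    return s.replace("\\\\", "\\").replace('\\"', '"')


def _hex_bytes(data: str) -> bytes:
    return bytes(int(b, 16) for b in data.split(",") if b.strip())


def decode_multi_sz(blob: bytes) -> List[str]:
    """REG_MULTI_SZ is UTF-16LE strings separated by NUL, terminated by a double NUL."""
    return [s for s in blob.decode("utf-16-le").split("\x00") if s]


def parse_reg(text: str) -> Dict[str, Dict[str, Tuple[str, object]]]:
    """Return {key path: {value name: (type name, decoded data)}}."""
    keys: Dict[str, Dict[str, Tuple[str, object]]] = {}
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError("unparsable line: " + line)
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif data.startswith("hex(7):"):
            keys[current][name] = ("REG_MULTI_SZ", decode_multi_sz(_hex_bytes(data[7:])))
        elif data.startswith("hex:"):
            keys[current][name] = ("REG_BINARY", _hex_bytes(data[4:]))
        else:
            raise ValueError("unsupported data: " + data)
    return keys


def is_boot_start_driver(keys: Dict[str, Dict[str, Tuple[str, object]]], service: str) -> bool:
    """True if ...\\Services\\<service> is a kernel driver (Type 1) started at boot (Start 0)."""
    for path, values in keys.items():
        if path.lower().endswith("\\services\\" + service.lower()):
            return (values.get("Type") == ("REG_DWORD", 1)
                    and values.get("Start") == ("REG_DWORD", 0))
    return False


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for path, values in parsed.items():
        print(path)
        for name, (typ, data) in values.items():
            print(f"  {name} ({typ}) = {data!r}")
    print("Ramdisk boot-start driver:", is_boot_start_driver(parsed, "Ramdisk"))
```

To check the full patch, replace SAMPLE_REG with the file's contents (the Security descriptor and DriverDateData values come back as REG_BINARY bytes); the same decoder shows at once whether a HardwareID typo would stop PnP from matching the root-enumerated device to the driver.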

ntldr_dbg version 5.2.3790.0?
joakim
Posted on: Oct 21 2009, 09:17 PM




QUOTE (JFX @ Oct 21 2009, 08:19 PM)
I think I've read somewhere that there was no success applying that patch to the SP1 version, which may be a problem because this version would be much better for us.

We'll see when we can compare what this patch actually changes.


There is really no point in transforming the patch to fit sp1 or sp2 versions as they work mostly the same. I was more interested in the original debug version of ntldr (sp0) so as to compare and locate the patch. Then, when located, see if it was possible to make it fit onto setupldr.bin. That way the benefit (breaking the 512 limit) could also be enjoyed for PE-builds.

Still don't know where to get this original debug version...

Joakim
  Forum: Development · Post Preview: #82317 · Replies: 7 · Views: 258
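An added example (editor's, not from the posts) for the earlier tip about stripping the 16-bit stub before disassembling or diffing ntldr/setupldr.bin: both loaders are a raw real-mode stub with a complete MZ/PE image (the 32-bit osloader) appended, so the stub can be cut at the first MZ header whose e_lfanew field points at a PE\0\0 signature, and the remainder loads in a disassembler like any PE. The sample loader the script builds is constructed (not a real ntldr), and the upper bound on e_lfanew is an assumption used only to reject chance MZ byte pairs inside the stub.

```python
"""
Locate and strip the 16-bit stub in front of the PE image inside ntldr /
setupldr.bin. Added example; assumes the stub + appended-PE layout of those
loaders. The sample below is constructed and is not a real boot loader.
"""
import struct

PE_SIGNATURE = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C
MAX_E_LFANEW = 0x1000  # assumption: a sane DOS-header size, rejects stray 'MZ' bytes


def find_embedded_pe(data: bytes) -> int:
    """Return the offset of the first 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + E_LFANEW_OFFSET + 4 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + E_LFANEW_OFFSET)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < MAX_E_LFANEW and data[pe:pe + 4] == PE_SIGNATURE:
                return pos
        pos = data.find(b"MZ", pos + 1)
    raise ValueError("no embedded PE image found")


def strip_stub(data: bytes) -> bytes:
    """Return the appended PE image, i.e. the file without its real-mode stub."""
    return data[find_embedded_pe(data):]


def pe_machine(data: bytes) -> int:
    """Machine field of the embedded PE's COFF header (0x14C = i386)."""
    pe = find_embedded_pe(data)
    e_lfanew = struct.unpack_from("<I", data, pe + E_LFANEW_OFFSET)[0]
    return struct.unpack_from("<H", data, pe + e_lfanew + 4)[0]


def build_sample_loader(stub_size: int = 0x200) -> bytes:
    """Constructed sample: a fake 16-bit stub followed by a minimal MZ/PE header."""
    stub = b"\xfa\xfc" + b"\x90" * (stub_size - 2)  # cli; cld; nops: fake real-mode code
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    return stub + bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        blob = open(sys.argv[1], "rb").read()
        off = find_embedded_pe(blob)
        open(sys.argv[2], "wb").write(blob[off:])
        print(f"PE found at 0x{off:x}, machine 0x{pe_machine(blob):x}, wrote {sys.argv[2]}")
    else:
        sample = build_sample_loader()
        print(f"sample: PE at 0x{find_embedded_pe(sample):x}")
```

Usage: `python strip_stub.py ntldr osloader.exe`; do the same for the two ntldr_dbg builds being compared and diff the stripped PEs, so the stub (which differs between builds anyway) does not drown the one-instruction size-check patch in noise.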

ntldr_dbg version 5.2.3790.0?
joakim
Posted on: Oct 21 2009, 02:47 PM




The problem is that the oldest available kit is version 5.2.3790.1830 (sp1). I need the version before that one, which is 5.2.3790.0.

And yes I have signed up, and see a total of 4 ddk (wdk) packages.

Is there something I have missed in the Connection Directory or Dashboard?

Joakim
  Forum: Development · Post Preview: #82292 · Replies: 7 · Views: 258

ntldr_dbg version 5.2.3790.0?
joakim
Posted on: Oct 21 2009, 11:34 AM




Yes it's from the DDK dating back to 2003.

Well, then let's forget about WinPE ramloading past 512 Mb with ramdisk.sys.


Joakim
  Forum: Development · Post Preview: #82279 · Replies: 7 · Views: 258

Boot SDI.img
joakim
Posted on: Oct 21 2009, 10:52 AM




It is also possible to boot from ramdisks created with the XP version of ramdisk.sys. XP's ramdisk.sys can even work on images larger than 512 Mb. I will post some notes later today, about some research.

Joakim
  Forum: LiveXP · Post Preview: #82274 · Replies: 5 · Views: 298

ntldr_dbg version 5.2.3790.0?
joakim
Posted on: Oct 21 2009, 05:58 AM




I'm working on a patch for setupldr.bin, adapted from the size-patched ntldr that is floating around on the Chinese sites. That patched version is the debug version and I don't have that specific version of it (5.2.3790.0), which makes the job a little harder than necessary.

I hate asking for this, but it seems rather hard to get this version.

Does anybody have the ntldr_dbg version 5.2.3790.0 from 2003, and willing to share it?


Joakim
  Forum: Development · Post Preview: #82256 · Replies: 7 · Views: 258

[LODR-U] VMware Converter Standalone 4.0.1
joakim
Posted on: Oct 18 2009, 10:22 PM




The converter 4 package only works on 2003 sources, and confirmed working on MOA. If you have built another 2003-based PE with another engine, that might be good enough.

Since you mentioned having problems with drivers and detection of local disk, then VSS might fail because no ntfs formatted partitions are visible. You also need write permission on X:\. What kind of PE-build did you try this on?

This converter 4 package is not recommended to start with and I would suggest version 3.0.3 which is easier to get running.

Joakim
  Forum: LODR Universal & Portable Apps · Post Preview: #82085 · Replies: 2 · Views: 503

[LODR - U] VMware Converter 3.0.3 (coldclone)
joakim
Posted on: Oct 18 2009, 01:35 PM




See answer at the sanbarrow forum.

Could you also tell your directory structure from where the LODR package is placed and the path to the loader. Is the loader put inside the directory as generated by the preparation tool?

In any way, it will not work if executed from a network share.

Joakim
  Forum: LODR Universal & Portable Apps · Post Preview: #82053 · Replies: 3 · Views: 526

Universal XP
joakim
Posted on: Oct 17 2009, 09:51 AM




About the usb vs non-usb bootable systems;

Is it correct that standard usb-bootable xp can also boot in non-usb environment, but not the other way around?


Joakim
  Forum: FileDisks/RamDisks: Firadisk, etc. · Post Preview: #81999 · Replies: 61 · Views: 3,211

Here, XP Debugger, like BSOD problem
joakim
Posted on: Oct 15 2009, 10:37 AM




And doing it in VMware works great and fast.

Joakim
  Forum: LiveXP · Post Preview: #81839 · Replies: 2 · Views: 163

VistaPE-Leopard, no WMI
joakim
Posted on: Oct 14 2009, 08:50 AM




Sure, I can provide a link later today.

But it is simply a matter of copying files, registering services through some dll and exe, and finally restarting a couple of services.

Joakim
  Forum: VistaPE · Post Preview: #81758 · Replies: 14 · Views: 571

VistaPE-Leopard, no WMI
joakim
Posted on: Oct 14 2009, 08:06 AM




Could someone post a link to the wmi script?

How is wmi implemented in Leopard?

I am wondering because I can add it the LODR-way, ie after boot up.

Joakim
  Forum: VistaPE · Post Preview: #81753 · Replies: 14 · Views: 571

how to add dll's to system32?
joakim
Posted on: Oct 11 2009, 04:27 PM




Have you tried copying these files into X:\Windows\system32\?
Have you checked you are not mixing beta and RC1 files?
How about posting the exact error message?

Joakim
  Forum: Win7PE · Post Preview: #81491 · Replies: 3 · Views: 214

Safeboot 4.2 plugin for bartPE
joakim
Posted on: Oct 10 2009, 10:58 PM




As promised and requested, here is a 12 min video of the complete procedure.

Remove_encryption.zip

Important things (assumptions):
- Disk is encrypted and you know the user and password
- You don't know ANY user/password to log into Windows (or a system error prevents it)
- There exist no WinPE-based plugins for the encrypting program, and booting from any other media (USB, floppy, CD, PXE) will only let you see encrypted garbage on disk (as raw)
- There is absolutely no way of interrupting the Windows boot process or modifying any system file offline (because of the encryption)
- Your Windows copy is not patched for a vulnerability for which there exists an exploit for Metasploit (if you're good enough you make it all yourself)

Now what did I do?
In this specific example a copy of Windows XP SP2 was used together with McAfee Endpoint Encryption. The exploit used was ms08_067_netapi, which is on the Server service. Note that XP SP3 is also vulnerable, but SP2 was used because I did not have a copy of SP3 at hand. It therefore assumes that port 445 is open. The reverse shell was used as payload, because it is most handy. We get remote access with SYSTEM privileges and add a new user to the local administrators group. We log into Windows with the new user and make a disk image of the encrypted disk and save it to a network share. We then reboot into a recovery environment where we can restore the image on top of the encrypted disk and also write a standard nt5 MBR. When the restore is finished we reboot again from the local hard disk and voila, no encryption! The removed encryption is verified with the encryption client when fully booted.

Success rate?
Highly depends on whether your Windows copy is exploitable.

Has encryption been cracked?
No. We are taking advantage of a Windows flaw.


A general workaround or only specific to SafeBoot (McAfee Endpoint Encryption)?
It works as a general workaround for similar issues where disk encryption is present. It also opens the possibility to remove encryption from a McAfee Endpoint Encrypted disk without the Authorisation Code.

Joakim
  Forum: LAN and any other methods · Post Preview: #81434 · Replies: 33 · Views: 1,461

Safeboot 4.2 plugin for bartPE
joakim
Posted on: Oct 9 2009, 10:50 PM




QUOTE (joakim @ Oct 9 2009, 09:44 PM)
You, jaclaz, make no sense and you are a terrible liar.

Re-reading this, I see it sounds very bad. I did not mean to call you a liar. I am sorry for that.

What I meant, and that did not come through very clear, was;

- a "terrible liar" was supposed to mean something like "stubborn enough to admit" (just as I am, and in a humorous sense).

You said:
QUOTE
on a topic for which (at least on my side) there is not any particular interest

and that I did not fully believe.

Either way, you are definitely not a liar because of that.

Joakim
  Forum: LAN and any other methods · Post Preview: #81370 · Replies: 33 · Views: 1,461
