Paraglider BartPE Plugins

RunScanner Plugin

This is a pebuilder plugin for the RunScanner registry redirector program developed by Paraglider. It is used for launching spyware detector programs and has been tested with SpySweeper, Ad-Aware, HijackThis and SUPERAntiSpyware. Spybot 1.4 has built-in support for PE environments, so it must not be run with RunScanner.

By default on startup the program will scan all drives looking for boot.ini files. The directory of the windows installation will be found from the default entry in any found boot.ini files. It will be assumed to be on the same drive as the boot.ini file. If multiple such directories are found then you will be prompted to choose one of them. If only one is found then that will be assumed to hold the registry hives. If none are found then you will be prompted to select a directory from the list of drives. Finally you will be asked if you want to load a user profile. If so a list of user directories will be shown and you will need to select the ntuser.dat file from the appropriate user. See below for the parameter options that allow the default behavior to be overridden.
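The boot.ini based detection described above, modelled in Python as an added illustration (this is not the plugin's own code). The boot.ini contents are constructed, and the prompt callback stands in for RunScanner's selection dialogs:

```python
from typing import Callable, Dict, List, Optional

# Constructed boot.ini contents keyed by the drive letter each was found on.
# They stand in for the scan of every drive described above; not real files.
FOUND_BOOT_INI = {
    "C": "[boot loader]\r\ntimeout=30\r\n"
         "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\r\n"
         "[operating systems]\r\n"
         "multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS=\"Microsoft Windows XP Professional\" /fastdetect\r\n",
    "D": "[boot loader]\r\ntimeout=5\r\n"
         "default=multi(0)disk(0)rdisk(1)partition(1)\\WINNT\r\n",
    "E": "; stray copy with no [boot loader] section\r\n[operating systems]\r\n",
}

def windows_dir_from_boot_ini(drive: str, text: str) -> Optional[str]:
    """Return '<drive>:\\<dir>' taken from the [boot loader] default entry.
    The ARC prefix (multi/disk/rdisk/partition) is discarded and, as RunScanner
    assumes, the installation is placed on the drive the boot.ini was found on."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "boot loader":
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == "default":
            _, sep, path = value.strip().partition("\\")
            path = path.strip("\\")
            if sep and path:
                return drive.upper() + ":\\" + path
            return None  # default entry present but carries no directory
    return None

def candidate_windows_dirs(found: Dict[str, str]) -> List[str]:
    """One candidate per boot.ini that yields a directory, in discovery order."""
    return [d for d in (windows_dir_from_boot_ini(drv, txt) for drv, txt in found.items()) if d]

def choose_windows_dir(found: Dict[str, str], prompt: Callable[[List[str]], str]) -> str:
    """Exactly one candidate is used silently; several or none fall back to the
    caller-supplied prompt (the stand-in for the choose/select-directory dialogs)."""
    dirs = candidate_windows_dirs(found)
    return dirs[0] if len(dirs) == 1 else prompt(dirs)
```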

After the registry hives have been loaded the selected program will be launched and the RunScannerDLL dll will be attached to the process. After the default timeout of 10 seconds all registry access will be redirected to the loaded hives as appropriate. The timeout period is to allow the application to initialize using the Bart PE registry. Webroot Spysweeper appears to be very sensitive to this timeout period. Without it the program either crashed or was inoperative.

The program is launched as follows:

RunScanner {/ac}
           {/cp}
           {/d}
           {/ec}
           {/f}
           {/ll}
           {/lu}
           {/lw}
           {/m}
           {/m+}
           {/max}
           {/n}
           {/ns}
           {/s}
           {/sd}
           {/sv}
           {/t <timeout>}
           {/q}
           {/u <User Profile registry hive>}
           {/v}
           {/w <windows directory>}
           {/x}
           {/xe}
           {/xn}
           {/xs}
           {/xw}
           {/y}
           <Program To Launch>

If /ac is specified and only one real user profile is found, then that profile will automatically be set as the HKCU hive without showing the select user dialog. If the current user profile could not be autoselected then the /ec parameter can be specified to force the showing of the select user dialog.

If /cp is specified then any processes launched directly by the target process will have their registry redirected.

If /d is specified then debug information will be output from the target process.

If /ec is specified, and /u, /ac or /ll has been specified to autoselect the current user profile but the profile is not found, then the select user dialog will be shown.

If /f is specified then when runscanner exits all remote hives are unloaded regardless of whether runscanner loaded them.

If /ll is specified then the last logged on user will be read from the remote registry and automatically set as HKCU. Access to the remote SAM hive is required for this to work. Hence runscanner must be run as the SYSTEM user (SAM subkeys have registry permissions set which only permit access by the SYSTEM user). This happens automatically when run from PE. If the current user profile could not be autoselected then the /ec parameter can be specified to force the showing of the select user dialog.

If /lu is specified then the user hive from the previous run of runscanner is loaded as HKCU. This information is saved in the registry at [HKLM\Software\Paraglider\Runscanner] when runscanner exits.

If /lw is specified then the target windows installation is loaded from the directory used by the previous run of runscanner. This information is saved in the registry at [HKLM\Software\Paraglider\Runscanner] when runscanner exits.

If /m is specified then, after either prompting for a user profile or autoselecting a user profile for HKCU redirection, a multiple selection dialog is shown which allows any or all of the remaining user profiles to be loaded. Note that it is the first user profile selected to which the HKCU registry access is redirected. This option is only useful for spyware programs like Ad-Aware SE that scan all user profiles loaded under the HKEY_USERS key.

If /m+ is specified then after either prompting for a user profile or autoselecting a user profile for HKCU redirection then all remaining remote user profiles are loaded.

If /max is specified the target process is run maximized.

If /n is specified then the controlled program will be launched without asking for a user profile.

If /ns is specified and the boot drive is not the drive containing runscanner, then the target program will be executed without registry redirection.

If /s is specified then the automatic scanning for boot.ini files will be suppressed and the program will present a dialog asking for the windows installation directory to be selected.

If /sd is specified then all root directories on all drives are scanned for windows installations.

If /sv is specified then bcdedit.exe is used to scan Vista boot manager files for windows installations.

If /t is specified then the default timeout of 10 seconds is overridden. The value is the timeout in milliseconds.

If /q is specified then runscanner will ask if you want to load the remote registry before it attempts to do so. If you respond no then the target program will be launched without registry redirection.

If /u is specified then this allows the full path of the user registry hive to be specified. This will suppress the dialogs asking for the file to be chosen. If the current user profile could not be autoselected then the /ec parameter can be specified to force the showing of the select user dialog.

If /v is specified then when the timeout period expires all environment variables from the target registry are set to the environment of the target process.

If /w is specified then this allows the full path of the windows directory to be specified. This will suppress the dialog asking for the directory to be chosen.

If /x is specified then, in the ExpandEnvironmentStrings intercept, if the string starts with <driveletter>: the drive letter is replaced with the drive letter that corresponds to the one it would have used in the target OS. Also, if the string starts with a relative path or has no drive information, the path is expanded to make it relative to the target windows directory. This is mainly to fix problems with the Sysinternals autoruns program. It is entirely possible this option could cause program crashes or other strange behaviour with other programs.

If /xe is specified then RegEnumX functions are not intercepted.

If /xn is specified then RunScanner will exit without prompting for a windows installation to be manually selected if no windows installation is found by the automatic scans.

If /xs is specified then %SystemRoot%\System32\shell32.dll is expanded to the boot drive not the target drive.

If /xw is specified then GetWindowsDirectory is not intercepted.

If /y is specified then the dialog asking for the user profile registry hive to be selected will be presented without asking the question if you want to load the hive.

Note that for the /t, /u and /w parameters one or more spaces can separate the option and the option value. If the option value contains spaces then it should be enclosed in double quotes.

Example use:

RunScanner  /t 5000 /u "C:\Documents and Settings\Administrator\NTUSER.DAT" /w c:\windows Ad-Aware.exe
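A parser for this command line grammar (case-insensitive switches, /t /u /w taking a value separated by one or more spaces, double-quoted values, the first non-switch token being the program to launch), written in Python as an added example; it is not RunScanner's own parser. The treatment of tokens after the program name as belonging to that program is an assumption:

```python
from typing import Dict, List

# Switches taken from the usage text above; /t, /u and /w take a value.
FLAG_SWITCHES = {"/ac", "/cp", "/d", "/ec", "/f", "/ll", "/lu", "/lw", "/m", "/m+",
                 "/max", "/n", "/ns", "/s", "/sd", "/sv", "/q", "/v", "/x", "/xe",
                 "/xn", "/xs", "/xw", "/y"}
VALUE_SWITCHES = {"/t": "timeout", "/u": "user_hive", "/w": "windows_dir"}
DEFAULT_TIMEOUT_MS = 10000
# The argument portion of the page's own example (without the leading RunScanner).
PAGE_EXAMPLE = r'/t 5000 /u "C:\Documents and Settings\Administrator\NTUSER.DAT" /w c:\windows Ad-Aware.exe'

def tokenize(cmdline: str) -> List[str]:
    """Split on runs of whitespace; a double-quoted run is one token, quotes removed."""
    tokens, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if quoted:
        raise ValueError("unterminated double quote")
    if cur:
        tokens.append(cur)
    return tokens

def parse_runscanner_args(cmdline: str) -> Dict:
    """Consume switches up to the first non-switch token, the program to launch.
    Remaining tokens are kept in 'rest' (assumed to belong to that program)."""
    tokens = tokenize(cmdline)
    opts: Dict = {"flags": set(), "timeout": DEFAULT_TIMEOUT_MS, "user_hive": None,
                  "windows_dir": None, "program": None, "rest": []}
    i = 0
    while i < len(tokens) and tokens[i].startswith("/"):
        sw = tokens[i].lower()
        if sw in FLAG_SWITCHES:
            opts["flags"].add(sw)
        elif sw in VALUE_SWITCHES:
            if i + 1 >= len(tokens):
                raise ValueError(sw + " requires a value")
            i += 1
            value = tokens[i]
            if sw == "/t":
                if not value.isdigit():
                    raise ValueError("/t expects a timeout in milliseconds")
                value = int(value)  # keep as int so callers need not convert
            opts[VALUE_SWITCHES[sw]] = value
        else:
            raise ValueError("unknown switch " + tokens[i])
        i += 1
    if i == len(tokens):
        raise ValueError("no program to launch")
    opts["program"], opts["rest"] = tokens[i], tokens[i + 1:]
    return opts
```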

Runscanner also allows other options to be specified via the BartPE registry. The following registry settings are currently supported:

[Software.AddReg]
0x1,"Paraglider\RunScanner","Software","%s_ON_%c"
0x1,"Paraglider\RunScanner","System","%s_ON_%c"
0x1,"Paraglider\RunScanner","Security","%s_ON_%c"
0x1,"Paraglider\RunScanner","Sam","%s_ON_%c"
0x1,"Paraglider\RunScanner","Default","%s_ON_%c"
0x1,"Paraglider\RunScanner","User0","%s_ON_%c"
0x1,"Paraglider\RunScanner","User1","%s_ON_%c"
0x1,"Paraglider\RunScanner","User2","%s_ON_%c"
0x1,"Paraglider\RunScanner","User3","%s_ON_%c"

The following control which registry keys do not get redirected for a particular target program:

[Software.AddReg]
0x1,"Paraglider\RunScanner\<Program Name>","HKCU","<Registry Key 0>"
0x1,"Paraglider\RunScanner\<Program Name>","HKLM","<Registry Key 0>"

0x1,"Paraglider\RunScanner\<Program Name>\HKLM","<Registry Key 0>",""
...
0x1,"Paraglider\RunScanner\<Program Name>\HKLM","<Registry Key N>",""

0x1,"Paraglider\RunScanner\<Program Name>\HKCR","<Registry Key 0>",""
...
0x1,"Paraglider\RunScanner\<Program Name>\HKCR","<Registry Key N>",""

The following is how you could stop SpySweeper registry settings being updated in the target registry:

0x1,"Paraglider\RunScanner\SpySweeper.exe","HKCU","Software\WebRoot"
0x1,"Paraglider\RunScanner\SpySweeper.exe","HKLM","Software\WebRoot"

and / or

0x1,"Paraglider\RunScanner\SpySweeper.exe\HKLM","Software\WebRoot",""
0x1,"Paraglider\RunScanner\SpySweeper.exe\HKLM","System\CurrentControlSet\Services\svcWRSSSDK",""

Thus this specifies that the registry keys:

1) HKEY_LOCAL_MACHINE\Software\WebRoot
2) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svcWRSSSDK
3) HKEY_CURRENT_USER\Software\WebRoot

will not be redirected for SpySweeper.exe.

The registry values directly under RunScanner allow the loaded registry hives to be given different names. All these values are optional. If a value is specified then it defines the format of the name of the loaded registry hive. Each format can contain up to two substitution tokens, %s and/or %c (these must be lower case).

  • %s is replaced with the hive type (SOFTWARE, SYSTEM, SECURITY, SAM, DEFAULT or <User Name 0> ... <User Name N>).
  • %c is replaced with the drive letter of the hive file.

The default value for any format is %s_ON_%c, e.g. for the remote software hive this will be SOFTWARE_ON_E. Thus if you wanted to load the remote software hive into a hive named FRED then you would define the registry value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Paraglider\RunScanner]
"Software"="FRED"

If you wanted to load it as "DRIVE_C_SOFTWARE" then you would use "DRIVE_%c_%s", etc.

For each controlled program, a specified registry key and its subkeys can be excluded from redirection to the remote hive. You are allowed to specify one HKEY_LOCAL_MACHINE key and one HKEY_CURRENT_USER key that will not be redirected. The program name (including extension) is used to select the registry values that control this feature.

The HKLM value defines the key in HKEY_LOCAL_MACHINE that is not redirected.

The HKCU value defines the key in HKEY_CURRENT_USER that is not redirected.

If multiple HKLM keys need to be excluded then the HKLM subkey of the program subkey can be used to list the subkeys that will not be redirected. Each value name is the name of a subkey not to be redirected. If the HKLM subkey is used then these values replace any redirection exception specified in the HKLM value.
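An added example (not part of the plugin) that parses the [Software.AddReg] exception entries shown earlier for SpySweeper.exe and applies the rules just described: the single HKCU value, the HKLM subkey replacing the HKLM value, and the HKCR subkey. The sample lines are constructed from the page's own entries, with the "_" continuations joined:

```python
import re
from typing import Dict, List

# Constructed [Software.AddReg] sample mirroring the SpySweeper entries above.
ADDREG_SAMPLE = r'''
0x1,"Paraglider\RunScanner\SpySweeper.exe","HKCU","Software\WebRoot"
0x1,"Paraglider\RunScanner\SpySweeper.exe","HKLM","Software\WebRoot"
0x1,"Paraglider\RunScanner\SpySweeper.exe\HKLM","Software\WebRoot",""
0x1,"Paraglider\RunScanner\SpySweeper.exe\HKLM","System\CurrentControlSet\Services\svcWRSSSDK",""
'''

# <type>,"<key>","<value name>",<data>   (0x1 string and 0x4 DWORD as used on this page)
ENTRY_RE = re.compile(r'^\s*0x([0-9a-fA-F]+)\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*(.*?)\s*$')

def parse_addreg(text: str) -> Dict[str, Dict[str, str]]:
    """Map lower-cased key path -> {value name: data} for every AddReg line."""
    reg: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            _type, key, name, data = m.groups()
            reg.setdefault(key.lower(), {})[name] = data.strip('"')
    return reg

def exceptions_for(reg: Dict[str, Dict[str, str]], program: str) -> Dict[str, List[str]]:
    """Keys excluded from redirection for <program> (name includes the extension).
    HKCU: the single key in the HKCU value.  HKLM: the value names under the
    program's HKLM subkey, which replace the HKLM value; otherwise that value.
    HKCR: the value names under the HKCR subkey."""
    base = "paraglider\\runscanner\\" + program.lower()
    prog = reg.get(base, {})
    out = {"HKCU": [prog["HKCU"]] if "HKCU" in prog else [], "HKLM": [], "HKCR": []}
    for root in ("HKLM", "HKCR"):
        out[root] = list(reg.get(base + "\\" + root.lower(), {}).keys())
    if not out["HKLM"] and "HKLM" in prog:
        out["HKLM"] = [prog["HKLM"]]
    return out

def is_redirected(reg: Dict[str, Dict[str, str]], program: str, root: str, key: str) -> bool:
    """False when <key> equals, or lies under, an excluded key for that root
    (registry paths compare case-insensitively)."""
    k = key.strip("\\").lower()
    for ex in exceptions_for(reg, program).get(root.upper(), []):
        e = ex.strip("\\").lower()
        if k == e or k.startswith(e + "\\"):
            return False
    return True
```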

Some programs start a service. As the runscanner debugger is not notified when a service starts, it is not normally possible to redirect the registry for the service. A facility is now available to monitor one specified service for starting and attach the redirection dll to that service when it starts. This is configured by the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Paraglider\RunScanner\<Program Name>]
"Monitor"="<Service Name>"
"<Service Name>"=dword:<MonitorType>
"MonitorTimeout"="<TimeoutInMilliSeconds>"

Note that <Service Name> is the name of the program as it appears in the Performance manager, which is probably the same as the name of the program that appears in Task Manager without the file extension.

<MonitorType> defines the mechanism used to monitor a service. It can take one of three values:

0: Start the target process first then monitor for the service starting
1: Wait for the service to be running and runscannerdll attached before starting the target process
2: Use CreateRemoteThread to attach runscannerdll to the service

The MonitorTimeout value specifies the delay in milliseconds between attaching runscannerdll to the service and enabling registry redirection.

This is how you monitor the SpySweeper service in SpySweeper 4.X:

[HKEY_LOCAL_MACHINE\SOFTWARE\Paraglider\RunScanner\SpySweeper.exe]
"Monitor"="WRSSSDK"

This is how you monitor the Ad-Aware 2007 service:

[Software.AddReg]
0x1, "Paraglider\RunScanner\ad-aware2007.exe","Monitor","aawservice"
0x4, "Paraglider\RunScanner\ad-aware2007.exe","aawservice", 0x00000002
0x1, "Paraglider\RunScanner\ad-aware2007.exe","MonitorTimeout", "0"