Title: [System] [Solved] Help with batch-scripting a hidden cloned guest account, and detecting it
Author: NETSECURE  Time: 2009-3-13 20:31  Title: [Solved] Help with batch-scripting a hidden cloned guest account, and detecting it
Hi everyone! I have a few questions and hope the experts here can offer some guidance.
A similar thread is at http://bbs.bathome.net/thread-3642-1-1.html; I am also looking for code that detects this.
Given two SAM registry export files:
000001F4.REG:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4]
"F"=hex:02,00,01,00,00,00,00,00,40,03,fc,ce,c6,4b,c9,01,00,00,00,00,00,00,00,\
00,7e,33,3e,dd,c6,4b,c9,01,00,00,00,00,00,00,00,00,f0,cf,00,df,c6,4b,c9,01,\
f4,01,00,00,01,02,00,00,11,02,00,00,00,00,00,00,01,00,21,00,01,00,00,00,00,\
00,00,00,00,00,00,00
"V"=hex:00,00,00,00,bc,00,00,00,02,00,01,00,bc,00,00,00,1a,00,00,00,00,00,00,\
00,d8,00,00,00,00,00,00,00,00,00,00,00,d8,00,00,00,1a,00,00,00,00,00,00,00,\
f4,00,00,00,00,00,00,00,00,00,00,00,f4,00,00,00,00,00,00,00,00,00,00,00,f4,\
00,00,00,00,00,00,00,00,00,00,00,f4,00,00,00,00,00,00,00,00,00,00,00,f4,00,\
00,00,00,00,00,00,00,00,00,00,f4,00,00,00,00,00,00,00,00,00,00,00,f4,00,00,\
00,00,00,00,00,00,00,00,00,f4,00,00,00,15,00,00,00,a8,00,00,00,0c,01,00,00,\
08,00,00,00,01,00,00,00,14,01,00,00,04,00,00,00,00,00,00,00,18,01,00,00,14,\
00,00,00,00,00,00,00,2c,01,00,00,04,00,00,00,00,00,00,00,30,01,00,00,04,00,\
00,00,00,00,00,00,01,00,14,80,9c,00,00,00,ac,00,00,00,14,00,00,00,44,00,00,\
00,02,00,30,00,02,00,00,00,02,c0,14,00,44,00,05,01,01,01,00,00,00,00,00,01,\
00,00,00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,\
00,58,00,03,00,00,00,00,00,14,00,5b,03,02,00,01,01,00,00,00,00,00,01,00,00,\
00,00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\
00,00,00,24,00,44,00,02,00,01,05,00,00,00,00,00,05,15,00,00,00,a1,f4,04,62,\
b4,7b,73,34,75,b9,75,54,f4,01,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,41,00,64,00,6d,00,\
69,00,6e,00,69,00,73,00,74,00,72,00,61,00,74,00,6f,00,72,00,00,00,a1,7b,06,\
74,a1,8b,97,7b,3a,67,28,00,df,57,29,00,84,76,85,51,6e,7f,10,5e,37,62,00,00,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ee,e3,41,01,\
02,00,00,07,00,00,00,01,00,01,00,01,00,01,00,37,b1,53,a9,4e,aa,94,4b,b9,2b,\
ff,46,22,e8,47,73,01,00,01,00,01,00,01,00
000001F5.REG:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,7f,00,00,00,00,00,00,00,00,\
f5,01,00,00,01,02,00,00,15,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00
"V"=hex:00,00,00,00,b0,00,00,00,02,00,01,00,b0,00,00,00,0a,00,00,00,00,00,00,\
00,bc,00,00,00,00,00,00,00,00,00,00,00,bc,00,00,00,22,00,00,00,00,00,00,00,\
e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,\
00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,\
00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,\
00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,\
08,00,00,00,01,00,00,00,e8,00,00,00,04,00,00,00,00,00,00,00,ec,00,00,00,04,\
00,00,00,00,00,00,00,f0,00,00,00,04,00,00,00,00,00,00,00,f4,00,00,00,04,00,\
00,00,00,00,00,00,01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,44,00,00,\
00,02,00,30,00,02,00,00,00,02,c0,14,00,44,00,05,01,01,01,00,00,00,00,00,01,\
00,00,00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,\
00,4c,00,03,00,00,00,00,00,14,00,1b,03,02,00,01,01,00,00,00,00,00,01,00,00,\
00,00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\
00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,\
00,00,00,20,02,00,00,47,00,75,00,65,00,73,00,74,00,00,00,9b,4f,65,67,be,5b,\
bf,8b,ee,95,a1,8b,97,7b,3a,67,16,62,bf,8b,ee,95,df,57,84,76,85,51,6e,7f,10,\
5e,37,62,00,00,01,02,00,00,07,00,00,00,01,00,01,00,01,00,01,00,01,00,01,00,\
01,00,01,00
Cloning method: take the F value block of 000001F4.REG,
which is:
"F"=hex:02,00,01,00,00,00,00,00,40,03,fc,ce,c6,4b,c9,01,00,00,00,00,00,00,00,\
00,7e,33,3e,dd,c6,4b,c9,01,00,00,00,00,00,00,00,00,f0,cf,00,df,c6,4b,c9,01,\
f4,01,00,00,01,02,00,00,11,02,00,00,00,00,00,00,01,00,21,00,01,00,00,00,00,\
00,00,00,00,00,00,00
and use it to replace the F value block of 000001F5.REG,
that is, change:
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,7f,00,00,00,00,00,00,00,00,\
f5,01,00,00,01,02,00,00,15,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00
to:
"F"=hex:02,00,01,00,00,00,00,00,40,03,fc,ce,c6,4b,c9,01,00,00,00,00,00,00,00,\
00,7e,33,3e,dd,c6,4b,c9,01,00,00,00,00,00,00,00,00,f0,cf,00,df,c6,4b,c9,01,\
f4,01,00,00,01,02,00,00,11,02,00,00,00,00,00,00,01,00,21,00,01,00,00,00,00,\
00,00,00,00,00,00,00
while the V value of 000001F5.REG stays unchanged.
The final 000001F5.REG after processing is as follows:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5]
"F"=hex:02,00,01,00,00,00,00,00,40,03,fc,ce,c6,4b,c9,01,00,00,00,00,00,00,00,\
00,7e,33,3e,dd,c6,4b,c9,01,00,00,00,00,00,00,00,00,f0,cf,00,df,c6,4b,c9,01,\
f4,01,00,00,01,02,00,00,11,02,00,00,00,00,00,00,01,00,21,00,01,00,00,00,00,\
00,00,00,00,00,00,00
"V"=hex:00,00,00,00,b0,00,00,00,02,00,01,00,b0,00,00,00,0a,00,00,00,00,00,00,\
00,bc,00,00,00,00,00,00,00,00,00,00,00,bc,00,00,00,22,00,00,00,00,00,00,00,\
e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,\
00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,\
00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,\
00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,\
08,00,00,00,01,00,00,00,e8,00,00,00,04,00,00,00,00,00,00,00,ec,00,00,00,04,\
00,00,00,00,00,00,00,f0,00,00,00,04,00,00,00,00,00,00,00,f4,00,00,00,04,00,\
00,00,00,00,00,00,01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,44,00,00,\
00,02,00,30,00,02,00,00,00,02,c0,14,00,44,00,05,01,01,01,00,00,00,00,00,01,\
00,00,00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,\
00,4c,00,03,00,00,00,00,00,14,00,1b,03,02,00,01,01,00,00,00,00,00,01,00,00,\
00,00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\
00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,\
00,00,00,20,02,00,00,47,00,75,00,65,00,73,00,74,00,00,00,9b,4f,65,67,be,5b,\
bf,8b,ee,95,a1,8b,97,7b,3a,67,16,62,bf,8b,ee,95,df,57,84,76,85,51,6e,7f,10,\
5e,37,62,00,00,01,02,00,00,07,00,00,00,01,00,01,00,01,00,01,00,01,00,01,00,\
01,00,01,00
[ This post was last edited by NETSECURE on 2009-3-13 at 22:55 ]
Author: Batcher  Time: 2009-3-13 20:37
Doesn't the method given in http://bbs.bathome.net/thread-3642-1-1.html work? Which part fails?
Author: NETSECURE  Time: 2009-3-13 20:54  Title: Reply to post #2
It doesn't output the F and V values of 000001F5.reg.
(echo Windows Registry Editor Version 5.00&echo.
for /f "skip=2" %%a in (000001F5.REG) do (
echo %%a
for /f "skip=3 delims=" %%a in (000001F4.REG) do (
if /i "%%a" lss ""V"" (echo %%a) else more +7 000001F5.REG & goto next
)
))>000001F5_New.REG
:next
move 000001F5_New.REG 000001F5.REG
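The post also asks for detection code. The following is an added example in Python, not code from the thread: the method described above copies Administrator's F block (RID 0x1F4) under the Guest key 000001F5 while leaving V alone, so the RID encoded in the key name no longer matches the RID stored inside F, and that mismatch is the standard thing to check. The field offsets used (RID at 0x30 and account-control flags at 0x38 in F; the username offset/length pair at 0x0C/0x10 in V, relative to 0xCC) are the commonly documented SAM user-key layout and are an assumption of this example, not something the post states. The sample input is the post's own exports, with the "after" variant assembled exactly as the post describes.

```python
import re

# Assumed layout (commonly documented SAM user-key format; the thread gives no
# offsets): in "F", RID = 4-byte LE at 0x30, account-control flags = 2-byte LE at
# 0x38.  In "V", (offset, length) pairs relative to 0xCC; entry 0x0C/0x10 = username.
F_RID_OFF, F_ACB_OFF, V_NAME_ENTRY, V_DATA_BASE = 0x30, 0x38, 0x0C, 0xCC
ACB_BITS = {0x0001: "disabled", 0x0004: "pwd_not_required",
            0x0010: "normal_account", 0x0200: "pwd_never_expires"}


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export; returns (key, {name: bytes})."""
    key, values, name, buf = None, {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=hex:(.*)$', line)
        if m:
            name, buf = m.group(1), m.group(2)
        elif name is not None:
            buf += line                  # continuation line of the current value
        else:
            continue
        if buf.endswith("\\"):           # regedit wraps long values with a trailing backslash
            buf = buf[:-1]
            continue
        values[name] = bytes.fromhex(buf.replace(",", ""))
        name, buf = None, ""
    return key, values


def le(b, off, size):
    return int.from_bytes(b[off:off + size], "little")


def audit(reg_text):
    """Cross-check one exported user key: a genuine account carries the same RID in
    its key name and inside F; the clone in the thread makes the two disagree."""
    key, vals = parse_reg(reg_text)
    f, v = vals["F"], vals["V"]
    key_rid = int(key.rsplit("\\", 1)[-1], 16)
    f_rid = le(f, F_RID_OFF, 4)
    name_off = V_DATA_BASE + le(v, V_NAME_ENTRY, 4)
    name_len = le(v, V_NAME_ENTRY + 4, 4)
    flags = le(f, F_ACB_OFF, 2)
    return {"key_rid": key_rid, "f_rid": f_rid,
            "name": v[name_off:name_off + name_len].decode("utf-16-le"),
            "acb_flags": flags,
            "acb": sorted(n for bit, n in ACB_BITS.items() if flags & bit),
            "cloned": key_rid != f_rid}


# Sample input copied from the exports in the post: F of 000001F4 (Administrator),
# F of 000001F5 (Guest) and V of 000001F5.
HEADER = "Windows Registry Editor Version 5.00\n\n"
KEY_GUEST = "[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000001F5]\n"
F_ADMIN = '''"F"=hex:02,00,01,00,00,00,00,00,40,03,fc,ce,c6,4b,c9,01,00,00,00,00,00,00,00,\\
00,7e,33,3e,dd,c6,4b,c9,01,00,00,00,00,00,00,00,00,f0,cf,00,df,c6,4b,c9,01,\\
f4,01,00,00,01,02,00,00,11,02,00,00,00,00,00,00,01,00,21,00,01,00,00,00,00,\\
00,00,00,00,00,00,00
'''
F_GUEST = '''"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\\
00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,7f,00,00,00,00,00,00,00,00,\\
f5,01,00,00,01,02,00,00,15,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\\
00,00,00,00,00,00,00
'''
V_GUEST = '''"V"=hex:00,00,00,00,b0,00,00,00,02,00,01,00,b0,00,00,00,0a,00,00,00,00,00,00,\\
00,bc,00,00,00,00,00,00,00,00,00,00,00,bc,00,00,00,22,00,00,00,00,00,00,00,\\
e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,\\
00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,\\
00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,\\
00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,\\
08,00,00,00,01,00,00,00,e8,00,00,00,04,00,00,00,00,00,00,00,ec,00,00,00,04,\\
00,00,00,00,00,00,00,f0,00,00,00,04,00,00,00,00,00,00,00,f4,00,00,00,04,00,\\
00,00,00,00,00,00,01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,44,00,00,\\
00,02,00,30,00,02,00,00,00,02,c0,14,00,44,00,05,01,01,01,00,00,00,00,00,01,\\
00,00,00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,\\
00,4c,00,03,00,00,00,00,00,14,00,1b,03,02,00,01,01,00,00,00,00,00,01,00,00,\\
00,00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\\
00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,\\
01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,\\
00,00,00,20,02,00,00,47,00,75,00,65,00,73,00,74,00,00,00,9b,4f,65,67,be,5b,\\
bf,8b,ee,95,a1,8b,97,7b,3a,67,16,62,bf,8b,ee,95,df,57,84,76,85,51,6e,7f,10,\\
5e,37,62,00,00,01,02,00,00,07,00,00,00,01,00,01,00,01,00,01,00,01,00,01,00,\\
01,00,01,00'''
REG_GUEST_ORIGINAL = HEADER + KEY_GUEST + F_GUEST + V_GUEST
REG_GUEST_CLONED = HEADER + KEY_GUEST + F_ADMIN + V_GUEST   # what the post's F swap produces

if __name__ == "__main__":
    for label, reg in (("Guest key as exported", REG_GUEST_ORIGINAL),
                       ("Guest key after the F swap", REG_GUEST_CLONED)):
        r = audit(reg)
        print(label, r, "<- RID mismatch, possible clone" if r["cloned"] else "<- consistent")
```

Run against the exported key the checker reports name "Guest", key RID 501 and F RID 501 with flags 0x0215 (disabled, password not required). Against the swapped file it still reads the name "Guest" from V but finds RID 500 and flags 0x0211 inside F, and flags the key. Exporting every subkey under SAM\SAM\Domains\Account\Users from an offline hive copy and running each through audit() turns this into a sweep; any key whose F RID differs from its name deserves a closer look.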
[ This post was last edited by NETSECURE on 2009-3-13 at 21:10 ]
Author: Batcher  Time: 2009-3-13 21:18  Title: Reply to post #3
@echo off
(echo Windows Registry Editor Version 5.00
echo.
for /f "skip=2" %%a in ('type 000001F5.REG') do (
echo.%%a
for /f "skip=3 delims=" %%a in ('type 000001F4.REG') do (
if /i "%%a" lss ""V"" (
echo.%%a
) else (
more +7 000001F5.REG
)
goto :next
)
))>000001F5_New.REG
:next
move 000001F5_New.REG 000001F5.REG
Author: NETSECURE  Time: 2009-3-13 21:36  Title: Reply to post #4
The code has a small flaw: the output is incomplete.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5]
"F"=hex:02,00,01,00,00,00,00,00,40,03,fc,ce,c6,4b,c9,01,00,00,00,00,00,00,00,\
Author: Batcher  Time: 2009-3-13 22:23  Title: Reply to post #5
@echo off
(echo Windows Registry Editor Version 5.00
echo.
for /f "skip=2" %%a in ('type 000001F5.REG') do (
echo.%%a
for /f "skip=3 delims=" %%a in ('type 000001F4.REG') do (
if /i "%%a" lss ""V"" (
echo.%%a
) else (
more +7 000001F5.REG
goto :next
)
)
))>000001F5_New.REG
:next
move 000001F5_New.REG 000001F5.REG
Welcome to 批处理之家 (http://www.bathome.net/) | Powered by Discuz! 7.2