13 August 2008

Bart Plugin for Spybot 1.6

See previous post about the new version 1.6 of Spybot SD and its issues.  I've updated my Bart plugin (tested with XP SP2 code base, Bart Builder 3.1.3) to address these, and offer it here, along with .REG for control in Windows.

To use the plugin, do this:

  • Navigate into your Bart Builder plugin folder
  • Create new folder called SpybotSD and enter it
  • Copy this post's plugin files to this location
  • Create a subfolder Files within this location and enter it
  • Copy the installed Spybot 1.6 subtree contents into here

The plugin is written with these assumptions and dependencies:

  • Standard Bart PE Builder with nu2menu as shell
  • Cmdow utility in Bart included Bin folder (not essential)
  • Paraglider's RunScanner plugin in plugin\RunScanner

Cmdow

Cmdow hides windows for processors, and I use it to hide the .CMD launcher; it's purely cosmetic, so if missing, the plugin will still work.  Because Cmdow can be dropped on systems and used maliciously, many scanners will detect it as a "potentially unwanted program", and fair enough!

RunScanner

RunScanner allows registry-aware tools to run relative to an inactive set of hives, rather than those of the booted OS.  Spybot has native awareness of this situation, so theoretically doesn't need RunScanner, but I find I get better detections if I use it anyway.  If RunScanner isn't present, you'd have to revise the .INF and .XML for it else it won't work.

SpybotSD.inf

This determines how Spybot 1.6 is integrated into the Bart CDR at build time.

; spybotsd.inf
; PE Builder v3 plug-in INF file for Spybot - Search & Destroy by Safer Networking Ltd.
; Created by Patrick M. Kolla, Jochen Tösmann and modified by cquirke for Spybot 1.6

[Version]
Signature= "$Windows NT$"

[PEBuilder]
Name="Spybot - Search & Destroy"
Enable=1
Help="spybotsd.htm"

[WinntDirectories]
a="Programs\SpybotSD",2
b="Programs\SpybotSD\Dummies",2
c="Programs\SpybotSD\Excludes",2
d="Programs\SpybotSD\Help",2
e="Programs\SpybotSD\Includes",2
f="Programs\SpybotSD\Languages",2
g="Programs\SpybotSD\Plugins",2

h="Programs\SpybotSD\HelpHTML",2
i="Programs\SpybotSD\HelpHTML\css",2
j="Programs\SpybotSD\HelpHTML\html",2
k="Programs\SpybotSD\HelpHTML\images",2

[SourceDisksFiles]
*.cmd=a,,1

files\blindman.exe=a,,1
files\SDMain.exe=a,,1
files\SDUpdate.exe=a,,1
files\SDWinSec.exe=a,,1
files\SpybotSD.exe=a,,1
files\TeaTimer.exe=a,,4
files\Update.exe=a,,4
files\advcheck.dll=a,,1
files\aports.dll=a,,1
files\DelZip179.dll=a,,1
files\SDHelper.dll=a,,4
files\Tools.dll=a,,4
files\messages.zres=a,,1
files\Tools.dll=a,,1
files\sqlite3.dll=a,,4

files\Dummies\*.*=b,,1
files\Excludes\*.*=c,,4
files\Help\*.*=d,,4
files\Includes\*.*=e,,1
files\Languages\*.*=f,,4
files\Plugins\*.*=g,,1

files\HelpHTML\*.*=g,,4
files\HelpHTML\css\*.*=h,,4
files\HelpHTML\html\*.*=i,,4
files\HelpHTML\images\*.*=j,,4

[Software.AddReg]
0x4, "Safer Networking Limited\Tweaks", "DisableTempFolderCleaning", 0x1
0x1, "Paraglider\RunScanner\SpybotSD.exe", "HKLM", "Software\Safer Networking Limited\Tweaks"

[Append]
nu2menu.xml, spybotsd_nu2menu.xml

Ensure that when you copy and paste these files, that they are free of HTML tags and formatting junk, and that long lines (e.g. the two lines in the last section) are not broken.  The above differs from Safer Networking's plugin for 1.5, in that:

  • It includes new code file sqlite3.dll
  • It suppresses automatic temp file clearance
  • It persists the above setting through RunScanner

The last is useful, so you don't have to use non-zero /t parameters in an attempt to delay registry redirection until Spybot has checked for the "disable temp clearance" setting.

SpybotSD_nu2menu.xml

This integrates Spybot 1.6 into the Bart menu system, and is referenced from the .INF during build time. 

<!-- Nu2Menu entry for SpybotSD -->
<NU2MENU>
<MENU ID="Programs">
  <MITEM TYPE="ITEM" DISABLED="@Not(@FileExists(@GetProgramDir()\..\SpybotSD\SpybotSD.exe))" CMD="RUN" FUNC="@GetProgramDir()\..\SpybotSD\SpybotSD.exe">Spybot 1.5.2</MITEM>
</MENU>
</NU2MENU>

You may change this to strip references to RunScanner, relocate it to a different menu flyout etc. or if you're fed up with disordered menus, you may simply leave out this file (; comment it out in the .INF) and add your reference directly to plugin\nu2menu\nu2menu.xml - once again, watch out for long lines; there is in fact only one line between the MENU ID and /MENU tags.

SpybotSD.cmd

This launches Spybot 1.6 from the nu2menu entry at runtime.

@Echo Off

SetLocal

Set Debug=
Set Prog=SpybotSD.exe
Set Launch=%~dp0..\RunScanner\RunScanner.exe
Set Opt=/t 0

If Not Defined Debug (
  Cmdow @ /HID
  %~dp0..\..\Bin\Cmdow @ /HID
) Else (
  Title Debug
  Echo.
  Echo ProgDir  %~dp0
  Echo Prog     %Prog%
  Echo Launch   %Launch%
  Echo Opt      %Opt%
  Echo.
  Pause
  Title %~dp0%Prog%
)

If Exist "%~dp0Files\%Prog%" Set ProgDir=%~dp0Files\
If Exist "%~dp0%Prog%"       Set ProgDir=%~dp0
If Defined ProgDir (
  If "%SystemDrive%"=="%~d0" (
    Start %Launch% %Opt% %ProgDir%%Prog%
  ) Else (
    Start %ProgDir%%Prog%
  )
) Else (
  Title Error - target executable not found!
  Echo "%Prog%" not found in %~dp0 or %~dp0Files\ - abort!
  Pause
  EndLocal
  Exit /b 1
)

If Defined Debug (
  Echo.
  Echo Done!
  Echo.
  Pause
)

EndLocal

Exit /b 0

You can edit this to strip out the "debug" part (define the Debug variable to enable it), as well as references to Cmdow and RunScanner.  By changing the variables, you can use this for other "easy" tool plugins (e.g. HiJackThis).

The logic goes as follows; if boot drive is same as where we are, then we're Bart-booted and need to apply RunScanner redirection, else we're not, and can run the tool directly.  This logic will also not use RunScanner if run from a WinPE 2.0 boot disk, which is OK with me as I don't know how safe RunScanner is for Vista hives.

An extra bit of logic is applied to deriving the path to the tool, so that the .CMD will work when run from the pre-build subtree.  This is also why the .XML uses relative "GetProgramDir()\..\" paths, rather than the more commonly used "GetProgramDrive()\Programs\" paths that break in the pre-build or pre-iso environments.

Windows .REG

You can also control some of Spybot's potentially unwanted behaviours via .REG in Windows, similar to the Software.AddReg section in the .INF above:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Safer Networking Limited\Tweaks]
"DisableTempFolderCleaning"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Paraglider\RunScanner\SpybotSD.exe]
"HKLM"="Software\\Safer Networking Limited\\Tweaks"

The second part of the above will pre-load appropriate settings for a Bart session using RunScanner, in case the RunScanner's parameters cause it to read its settings from the hard drive's hives.

Some settings can be changed interactively, e.g. disabling the intrusive Tea Timer feature, while others have to be excluded at the time of installation.  One of the latter, is the right-click context menu action to scan using Spybot, which annoyed these folks who offer this fix:

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\*\Shell\sdfiles]

[-HKEY_CLASSES_ROOT\Folder\shell\sdfiles]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\Shell\sdfiles]

The * association is applied to all things, hence all things can be right-clicked and scanned.  There's an Undo .REG in the same post in that thread.

6 comments:

sanjoo said...

searhing for an issue i landed to here. i am trying to add a spybot plugin, i downloaded the latest peplugin16.zip file from spybot site, and after doing the suggested method, the plugin cannot be loaded, and the error i get is :

error plugincheck failed.
plugin: spybot search & destroy
missing files: \files\sdwinsec.exe

in my installation of spybot this file is missing. can u suggest where i can find this ?

any help shall be appreciated. thanks in advance

sanjay mehta

Chris Quirke said...

Hi, Sanjoo!

I do find a sdwinsec.exe in my Bart output build subtree, within the Spybot plugin.

If I right-click it, I see it's related to "Security Center integration".

My guess is that you de-selected this component when you installed the Spybot that you harvested for the plugin - understandable, as those sort of integrations aren't relevant to Bart and could just cause unwanted dependencies.

You could either re-install and re-harvest Spybot so as to include the file, or de-reference it in the plugin's .inf, if that reference is explicit.

Let's check that .inf (well, my one; YMMV)... yep, there's this line...

files\SDWinSec.exe=a,,1

...which you could ; comment out...

; files\SDWinSec.exe=a,,1

...and then try recompiling Bart; perhaps that will work, too.

llturbini said...

Very good stuff, fancy batch scripting. I a bit new to this and trying to figure out runscanner and barts pe reg keys. This is not related to spybot but you seem to know what your doing.

I am trying to use net user commnad to script setup of a temp user on the local PC with barts PE. Does runscanner automically load\redircet the local sam database ro does that need to be added to barts pe runscanner reg keys?

Chris Quirke said...

Hi, Ilturbini!

User admin and networking is my shortest suit, so I can't answer your question directly.

The first thing to do is to check details on RunScanner, here:

http://www.paraglidernc.com/plugins/runscanner.htm

You can also ask Paraglider about whether RunScanner redirects or ignores the SAM hive, etc.

The second thing to do, would be to concoct a test case. If it is possible to create arbitrary content within the SAM hive (either directly via RegEdit, or obliquely by crafting a user account of certain name etc.) then add a unique key, search for it in local Regedit (to verify it's findable) then repeat the search from a Bart boot and RunScanner'd Regedit.

That's to determine whether SAM is redirected - as I understand your comment, this is a prerequisite for what you want to do, and if it isn't (and can't be made to) then your quest ends, albeit badly.

Next you'd have to determine whether the services, APIs etc, required to create user accounts are active in Bart. Then to test if it works!

The other approach is to cast about with suitable Google searches to see whether others have tried this, and either succeeded or bounced off. Bart's own forums may be a good place to ask, if the net comes up empty.

John B Dougherty said...

works like a charm with version 1.6.2

I did have to comment SpybotSD.inf -

; files\SDUpdate.exe=a,,1
; files\SDWinSec.exe=a,,1

thanks Chris!!

Mart said...

Hi Chris,

you should mention that to be able to see and copy SpybotSD.exe from the program folder, you need to disable "Hide protected operating system files" in your folder options.

Regards