## 13 August 2008

### Bart Plugin for Spybot 1.6

See previous post about the new version 1.6 of Spybot SD and its issues.  I've updated my Bart plugin (tested with XP SP2 code base, Bart Builder 3.1.3) to address these, and offer it here, along with .REG for control in Windows.

To use the plugin, do this:

• Navigate into your Bart Builder plugin folder
• Create new folder called SpybotSD and enter it
• Copy this post's plugin files to this location
• Create a subfolder Files within this location and enter it
• Copy the installed Spybot 1.6 subtree contents into here

The plugin is written with these assumptions and dependencies:

• Standard Bart PE Builder with nu2menu as shell
• Cmdow utility in Bart included Bin folder (not essential)
• Paraglider's RunScanner plugin in plugin\RunScanner

Cmdow

Cmdow hides windows for processors, and I use it to hide the .CMD launcher; it's purely cosmetic, so if missing, the plugin will still work.  Because Cmdow can be dropped on systems and used maliciously, many scanners will detect it as a "potentially unwanted program", and fair enough!

RunScanner

RunScanner allows registry-aware tools to run relative to an inactive set of hives, rather than those of the booted OS.  Spybot has native awareness of this situation, so theoretically doesn't need RunScanner, but I find I get better detections if I use it anyway.  If RunScanner isn't present, you'd have to revise the .INF and .XML for it else it won't work.

SpybotSD.inf

This determines how Spybot 1.6 is integrated into the Bart CDR at build time.

; spybotsd.inf
; PE Builder v3 plug-in INF file for Spybot - Search & Destroy by Safer Networking Ltd.
; Created by Patrick M. Kolla, Jochen Tösmann and modified by cquirke for Spybot 1.6

[Version]
Signature= "$Windows NT$"

[PEBuilder]
Name="Spybot - Search & Destroy"
Enable=1
Help="spybotsd.htm"

[WinntDirectories]
a="Programs\SpybotSD",2
b="Programs\SpybotSD\Dummies",2
c="Programs\SpybotSD\Excludes",2
d="Programs\SpybotSD\Help",2
e="Programs\SpybotSD\Includes",2
f="Programs\SpybotSD\Languages",2
g="Programs\SpybotSD\Plugins",2

h="Programs\SpybotSD\HelpHTML",2
i="Programs\SpybotSD\HelpHTML\css",2
j="Programs\SpybotSD\HelpHTML\html",2
k="Programs\SpybotSD\HelpHTML\images",2

[SourceDisksFiles]
*.cmd=a,,1

files\blindman.exe=a,,1
files\SDMain.exe=a,,1
files\SDUpdate.exe=a,,1
files\SDWinSec.exe=a,,1
files\SpybotSD.exe=a,,1
files\TeaTimer.exe=a,,4
files\Update.exe=a,,4
files\advcheck.dll=a,,1
files\aports.dll=a,,1
files\DelZip179.dll=a,,1
files\SDHelper.dll=a,,4
files\Tools.dll=a,,4
files\messages.zres=a,,1
files\Tools.dll=a,,1
files\sqlite3.dll=a,,4

files\Dummies\*.*=b,,1
files\Excludes\*.*=c,,4
files\Help\*.*=d,,4
files\Includes\*.*=e,,1
files\Languages\*.*=f,,4
files\Plugins\*.*=g,,1

files\HelpHTML\*.*=g,,4
files\HelpHTML\css\*.*=h,,4
files\HelpHTML\html\*.*=i,,4
files\HelpHTML\images\*.*=j,,4

[Software.AddReg]
0x4, "Safer Networking Limited\Tweaks", "DisableTempFolderCleaning", 0x1
0x1, "Paraglider\RunScanner\SpybotSD.exe", "HKLM", "Software\Safer Networking Limited\Tweaks"

[Append]
nu2menu.xml, spybotsd_nu2menu.xml

Ensure that when you copy and paste these files, that they are free of HTML tags and formatting junk, and that long lines (e.g. the two lines in the last section) are not broken.  The above differs from Safer Networking's plugin for 1.5, in that:

• It includes new code file sqlite3.dll
• It suppresses automatic temp file clearance
• It persists the above setting through RunScanner

The last is useful, so you don't have to use non-zero /t parameters in an attempt to delay registry redirection until Spybot has checked for the "disable temp clearance" setting.

SpybotSD_nu2menu.xml

This integrates Spybot 1.6 into the Bart menu system, and is referenced from the .INF during build time.

<!-- Nu2Menu entry for SpybotSD -->
<NU2MENU>
<MENU ID="Programs">
<MITEM TYPE="ITEM" DISABLED="@Not(@FileExists(@GetProgramDir()\..\SpybotSD\SpybotSD.exe))" CMD="RUN" FUNC="@GetProgramDir()\..\SpybotSD\SpybotSD.exe">Spybot 1.5.2</MITEM>
</MENU>
</NU2MENU>

You may change this to strip references to RunScanner, relocate it to a different menu flyout etc. or if you're fed up with disordered menus, you may simply leave out this file (; comment it out in the .INF) and add your reference directly to plugin\nu2menu\nu2menu.xml - once again, watch out for long lines; there is in fact only one line between the MENU ID and /MENU tags.

SpybotSD.cmd

This launches Spybot 1.6 from the nu2menu entry at runtime.

@Echo Off

SetLocal

Set Debug=
Set Prog=SpybotSD.exe
Set Launch=%~dp0..\RunScanner\RunScanner.exe
Set Opt=/t 0

If Not Defined Debug (
Cmdow @ /HID
%~dp0..\..\Bin\Cmdow @ /HID
) Else (
Title Debug
Echo.
Echo ProgDir  %~dp0
Echo Prog     %Prog%
Echo Launch   %Launch%
Echo Opt      %Opt%
Echo.
Pause
Title %~dp0%Prog%
)

If Exist "%~dp0Files\%Prog%" Set ProgDir=%~dp0Files\
If Exist "%~dp0%Prog%"       Set ProgDir=%~dp0
If Defined ProgDir (
If "%SystemDrive%"=="%~d0" (
Start %Launch% %Opt% %ProgDir%%Prog%
) Else (
Start %ProgDir%%Prog%
)
) Else (
Title Error - target executable not found!
Echo "%Prog%" not found in %~dp0 or %~dp0Files\ - abort!
Pause
EndLocal
Exit /b 1
)

If Defined Debug (
Echo.
Echo Done!
Echo.
Pause
)

EndLocal

Exit /b 0

You can edit this to strip out the "debug" part (define the Debug variable to enable it), as well as references to Cmdow and RunScanner.  By changing the variables, you can use this for other "easy" tool plugins (e.g. HiJackThis).

The logic goes as follows; if boot drive is same as where we are, then we're Bart-booted and need to apply RunScanner redirection, else we're not, and can run the tool directly.  This logic will also not use RunScanner if run from a WinPE 2.0 boot disk, which is OK with me as I don't know how safe RunScanner is for Vista hives.

An extra bit of logic is applied to deriving the path to the tool, so that the .CMD will work when run from the pre-build subtree.  This is also why the .XML uses relative "GetProgramDir()\..\" paths, rather than the more commonly used "GetProgramDrive()\Programs\" paths that break in the pre-build or pre-iso environments.

Windows .REG

You can also control some of Spybot's potentially unwanted behaviours via .REG in Windows, similar to the Software.AddReg section in the .INF above:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Safer Networking Limited\Tweaks]
"DisableTempFolderCleaning"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Paraglider\RunScanner\SpybotSD.exe]
"HKLM"="Software\\Safer Networking Limited\\Tweaks"

The second part of the above will pre-load appropriate settings for a Bart session using RunScanner, in case the RunScanner's parameters cause it to read its settings from the hard drive's hives.

Some settings can be changed interactively, e.g. disabling the intrusive Tea Timer feature, while others have to be excluded at the time of installation.  One of the latter, is the right-click context menu action to scan using Spybot, which annoyed these folks who offer this fix:

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\*\Shell\sdfiles]

[-HKEY_CLASSES_ROOT\Folder\shell\sdfiles]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\Shell\sdfiles]

The * association is applied to all things, hence all things can be right-clicked and scanned.  There's an Undo .REG in the same post in that thread.

## 12 August 2008

### Spybot 1.6 and Bart PE

Technorati tags: , ,

Malware scanners tend to focus on resident protection rather than intervention and clean-up, but Spybot has always had a clue there.  Not only does Spybot explicitly support Bart PE as a formal scanning platform, it can also be aware of inactive registry hives, e.g. if you were to drop an ?infected hard drive into a Windows host system to clean it from there.

Bart has a plugin facility to integrate tools, and whenever there's a new version of a plugged-in tool, there may be changes required, or new unwanted behaviours to work around.  Such is the case with the new Spybot 1.6

Spybot 1.6 plugin changes

A Bart plugin is a set of files that control how a program is integrated into a Bart CDR.  Build-time instructions are defined in an .inf, menu integration via an nu2menu.xml, runtime control via a .cmd (if needed), and human documentation via an HTML file.

The .inf defines what files are to be copied to the CDR and where they are to be located, in the SourceDisksFiles and SourceDisksFolders sections.  If you've used SourceDisksFiles to explicitly name every file from within Spybot 1.4 or 1.5 to be copied to CDR, and you then drop in the Spybot 1.6 file set and build a new Bart disk, then you'll find Spybot will fail to launch from the disk.

If so, you can fix this by adding a line to include sqlite3.dll, which is a new file not present in earlier versions of Spybot SD.  Or you can use wildcard syntax to include all dll files, i.e. *.dll as files to be included.

Unwanted behaviour

Spybot 1.6 has a controversial new feature; it deletes Temp files when it starts up.  This is "controlled" by a 6-second dialog box that appears as Spybot starts up (so if you start it and walk away, you'll miss it) and defaults to "Yes, delete temp files".

This is a bigger problem within the Bart environment, which often has troublesome graphics due to unrecognised display chipsets.  In my first Bart session with Spybot 1.6, I expected the dialog, but it appeared with blank buttons.  By the time I checked out what button was what, testing on another PC, the 6 seconds were up, and I'd lost material I'd have preferred to include in further malware scans.

There is a rather obscure fix for this, which I will add to my Bart plugin's .inf file, using one of the registry modification sections.  If using the RunScanner plugin to launch Spybot (should not be required, as Spybot "knows" about such needs), then you'd want to delay the RunScanner redirection until this value had been read by Spybot after starting up - else it will look for it in the inactive (target) hives instead.

## 9 August 2008

### Lazarus of Bad Hard Drives

Technorati tags: ,

Here's a failure pattern worth keeping in mind:

• Unbootable OS
• Attempts to access hard drive lock up or fail
• Hardware diagnostics show or imply bad sectors
• You image the raw partition to a good hard drive
• Data access and even OS bootability miraculously OK

This is Lazarus of Bad Hard drives, as opposed to Lazarus of Bethany.

What's happening here, is that effects from deeper abstraction layers are creating what appears to be unfixable problems in higher layers.  What is counter-intuitive is that fixing the underlying layer can fix the upper layers too, i.e. that the state of these layers may not be irreparably botched by the lower-layer failure.

So don't give up hope, if you hit the first three items in the list above.