Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: Using Bart’s PE Builder to Make an Anti-Spyware and Rescue CD

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Using Bart’s PE Builder to Make an Anti-Spyware and Rescue CD

    A better formatted version with graphics can be found at http://www.irongeek.com/i.php?page=s...uildertutorial

    Using Bart’s PE Builder to Make an Anti-Spyware and Rescue CD

    Sometimes a Windows install can get corrupted or compromised in such a way that it’s hard to correct without removing the hard drive and using another computer and Operating System to fix it. Bart’s PE Builder is a free tool that allows you to create a bootable Windows CD or DVD from an existing install CD of Windows XP or Windows Server 2003. This Windows boot CD runs a cut down version of XP, with network, gui and FAT/NTFS/CDFS file system support. Since you can run Windows applications from this boot CD it’s a useful tool for fixing various problems on Windows 2000/2003/XP/9x system that can not easily be fixed while booted from the copy of Windows on the hard drive. The company Winternals makes a similar tool called ERD Commander, but it costs $149 to $299 and lacks the third party plugin support that Bart’s PE Builder has. By using the PE Builder Plugins that others have created you can easily add software to your bootable CD to do all sorts of tasks:

    • Run Anti-Spyware tools like Ad-Aware Pro SE or HiJackThis.
    • Use MSConfig to configure what apps start on login.
    • Read and write to NTFS and FAT partitions.
    • Edit the registry on the local hard drive.
    • Copy files off of a hosed machine to another computer over the network.
    • Access USB drives.
    • Use MMC and Disk Manager to partition drives.
    • Change local passwords.
    • Defrag the hard drive with out booting from it (running defrag this way does a better job since there are no locked system files on the hard drive).
    • Load the CD with SSH, Remote Desktop Client and VNC so you can use the boot CD as a workstation.
    • Recover deleted files from slack space.
    • Perform a byte for byte wipe of the hard drive so others can’t recover deleted files.
    • Read event logs off the hard drive.
    • Undo Syskey and get password hashes for later cracking if you lost a password.
    • Use Internet Explorer and Firefox from the boot CD to surf the web.
    • Run security tools for checking your network.
    • Make a locked down web terminal for patrons. Since the CD is read only media deviant users can do little to corrupt the workstation that can’t be fixed by a quick reboot.


    One great use for a PE Builder CD is to remove spyware from a computer and that is the task that this article will focus on. A lot of spyware is hard to remove when you are running the removal tools while booted in the Windows OS from the local hard drive. Some spyware will try to reinstall itself as soon at its files or registry keys are deleted. You can get around some of these problems by running the anti-spyware tools in safe mode, but even then some spyware can find a way to keep itself alive. By booting a copy of Windows from a boot CD and running tools like Ad-Aware and HiJackThis you can eliminate this problem almost entirely.

    Things you will need

    Before you can start creating your own boot CD there are a few things you will need to collect. First, get a copy of Barts PE builder from:

    http://www.nu2.nu/pebuilder/

    The current version as of this writing is 3.1.3. For convenience download the EXE self extracting package and let it install to the default location (C:\pebuilder313).

    Next you need to copy the setup files from a Windows XP SP2 install CD to your hard drive. If you do not have an XP Pro CD integrated with Service Pack 2 just copy the files from the one you have and integrate SP2 yourself using the Source->Slipsteam menu option in PE Builder. I chose to copy the files to a folder called C:\WinXPProSP2-CD\ and will be using that path in this tutorial. Bart’s PE Builder comes with a lot of useful plugins but there are a few more you will want to download and setup before you begin creating your own boot CD.

    After you have setup PE Builder and copied the Windows XP SP2 files to the hard drive the next thing you need to do is download Sherpya’s XPE and Nu2XPE ShortCuts Converter v0.3 plugins from:

    http://oss.netfarm.it/winpe/

    When you download them choose the CAB packages because the ZIP files are just the source code. The current version of XPE as of this writing is v1.0.2. While we are downloading third party plugins we also want to get the following packages - the Ad-Aware SE Pro plugin and the Runscanner plugin (necessary to let other plugins read the registry off of the local hard drive) from:

    http://www.paraglidernc.com/

    The PE Builder package comes with an Ad-Aware Plugin, but it’s not as good as Paraglider’s. Now download the HiJackThis and MSConfig plugins from:

    http://www.irongeek.com/i.php?page=security/pebuilder


    Preparing to build the CD

    Once you have everything downloaded you need to extract all of the files into C:\pebuilder313\plugin\. Many of the plugins come as CAB archives so if you don’t have software to extract them just use the Add option when you select your plugins in PE Builder. Each of the plugins should come with an HTML file detailing how to install the plugin and what files you will need to copy from your system to the plugin directory, where to download them from, and where to put them. For example, Paraglider’s Ad-Aware SE Pro needs you to install Ad-Aware on your system and copy the files from “c:\Program Files\Lavasoft\Ad-Aware SE Plus\” into the “Files” folder inside of the Ad-Aware plugin’s directory. The HiJackThis plugin needs you to download the HiJackThis executable from http://www.spychecker.com/program/hijackthis.html and put it in the files folder in the HiJackThis plugin’s directory.

    Now that we have everything downloaded start up PE builder by running C:\pebuilder313\pebuilder.exe. Choose the path to the Windows XP Source Files (C:\WinXPProSP2-CD) which you copied to the hard drive earlier.


    Click on the “Plugins” button, add the plugins that came in CAB archives, and enable the plugins you wish to install (make sure all of the ones you downloaded above are enable). Disable the following Plugins so XPE will work properly:

    • nu2Shell v1.0
    • PE Loader 0.4
    • PENETCFG: Automatically start PE Network configurator
    • PENETCFG: PE Network configurator (theTruth)
    • Profiles folder

    You will most likely see two Ad-Aware plugins. The one labeled as “Ad-Aware SE Pro” is the one you want enabled, make sure the plugin labeled as just “Ad-Aware SE” is disabled. Once you are done enabling and disenabling plugins click the “Close” button.

    Customization

    There are a few items you will want to customize before you continue. Look in the c:\pebuilder313\plugin\xpe-1.0.2\ folder and rename “z_xpe-custom.inf.sample” to “z_xpe-custom.inf”. Open up z_xpe-custom.inf in Notepad or another text editor. By editing z_xpe-custom.inf we can change quite a few of XPE’s options. The following are some useful suggestions:

    First let’s change the name displayed on start up. Find:

    Code:
    [SetValue]
    "txtsetup.sif","SetupData","loaderprompt","""Starting Windows XPE [The Horse Power]..."""
    And change it to:

    Code:
    [SetValue]
    "txtsetup.sif","SetupData","loaderprompt","""My Rescue CD..."""
    Next you should set the default web page that Internet Explorer loads. Find:

    Code:
    ; IE Start Page
    0x1,"Software\Microsoft\Internet Explorer\Main","Start Page","about:blank"
    0x1,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL","about:blank"
    And change "about:blank" to whatever home page URL you wish IE to use.

    You will want to add some shortcuts to the Programs menu and Desktop. Find the line that reads:

    Code:
    ; XPEinit startup menu & desktop
    and right below it insert the following two lines to add shortcuts to Ad-Aware in the Programs menu and on the Desktop (make sure each entry is on only one line):

    Code:
    
    0x2,"Sherpya\XPEinit\Programs","Anti-Spyware\Run Adaware on C","%SystemDrive%\programs\adaware\Ad-AwareScan.cmd||%SystemDrive%\Programs\adaware\Ad-Aware.exe,0"
    
    0x2,"Sherpya\XPEinit\Desktop","Run Adaware on C","%SystemDrive%\programs\adaware\Ad-AwareScan.cmd||%SystemDrive%\Programs\adaware\Ad-Aware.exe,0"
    
    Finally, at the bottom of the z_xpe-custom.inf file choose where you want the TaskBar to show up. In my case I comment out:

    Code:
    ; TaskBar on Top - Autohide
    0x3,"Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects2","Settings",\
      28,00,00,00,ff,ff,ff,ff,03,00,00,00,01,00,00,00,3c,00,00,00,1e,00,00,00,fe,\
      ff,ff,ff,fe,ff,ff,ff,02,04,00,00,1c,00,00,00
    using semicolons:

    Code:
    ; TaskBar on Top - Autohide
    ;0x3,"Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects2","Settings",\
    ;  28,00,00,00,ff,ff,ff,ff,03,00,00,00,01,00,00,00,3c,00,00,00,1e,00,00,00,fe,\
    ;  ff,ff,ff,fe,ff,ff,ff,02,04,00,00,1c,00,00,00
    and I uncomment:

    Code:
    ; TaskBar on Bottom - No Autohide
    ;0x3,"Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects2","Settings",\
    ;  28,00,00,00,ff,ff,ff,ff,02,00,00,00,03,00,00,00,3f,00,00,00,1e,00,00,00,fe,\
    ;  ff,ff,ff,e4,02,00,00,02,04,00,00,02,03,00,00
    to read:

    Code:
    ; TaskBar on Bottom - No Autohide
    0x3,"Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects2","Settings",\
      28,00,00,00,ff,ff,ff,ff,02,00,00,00,03,00,00,00,3f,00,00,00,1e,00,00,00,fe,\
      ff,ff,ff,e4,02,00,00,02,04,00,00,02,03,00,00
    If all of this is too much for you just download my z_xpe-custom.inf from http://www.irongeek.com/i.php?page=security/pebuilder . Then you can just skip the customization steps above.

    Making and burning the ISO

    Once all of the customizations are done go back to the PE Builder program. If you want PE Builder to burn the CD for you check the “Burn to CD” checkbox and select your burner. I prefer to use Nero to burn the ISO myself but you can choose any CD burning software you like. I recommend using a CD-RW for your first few attempts at making a boot CD. CD-Rs are compatible with more CD drives but CD-RWs can be used over and over again for testing CD images as you construct new PE Builder CDs with different plugins and options. Check the “Create ISO image” check box then click the “Build” button to generate an ISO of your CD. Click “Yes” and “I agree” on the two windows that pop up and Bart’s PE Builder should begin to build your CD.

    Using the CD

    After you burn the ISO, test the PE Builder CD by rebooting your computer, going into the BIOS, and setting the CD-ROM as the first boot device. On some computers there’s a function key you can hit at boot up that will let you choose the drive to boot from (it’s F12 on most Dell’s made in the last few years). Once you boot from the CD you should see the Windows’s Classic Start menu interface. Assuming the proper drivers are on the CD you should be able to get a network connection and surf the web or connect to a file server. You can also try defragging, copying files to and from or partitioning the local hard drives. When you use Ad-Aware make sure you set it to do a custom scan and point it to the C: drive.

    Other useful plugins:

    Below is a list of other useful security, Anti-spyware and recovery plugins for Bart’s PE Builder I did not include above for the sake of space and simplicity. If you have any problems setting them up feel free to contact me, or better yet look at the web pages listed in the “Further Research” section at the end of this article.

    Angry-IP-Scanner
    http://www.drowaelder.de/winpe/PEIndex.htm
    Great for finding out what hosts are on your network.

    Eraser
    http://www.bootcd.us/BartPE_Plugin_Details/57/
    Great for scrubbing the hard drive clean of all data.

    Firefox-1.9 and Firefoxflash-1.1
    http://oss.netfarm.it/winpe/
    Use these plugins to run the Firefox web browser from your boot CD.

    HWPnP
    http://www.paraglidernc.com/6901.html
    Normal a PE Builder boot CD only looks for hardware on startup, but if you plug in something like a USB thumb drive after you boot, PE will fail to find it. The HWPnP plugin will allow you to plug in USB devices anytime you like.

    InsidePro Tools v1.0.0
    http://www.insidepro.com/eng/download.shtml
    Great tool for bypassing Syskey and grabbing password hashes from the SAM file. I use the older SAMInside v2.1.3.0 version because the newer demo versions disable the export to PWDUMP file option that’s useful for importing into L0phtcrack.

    Keyfinder-PE
    http://www.drowaelder.de/winpe/PEIndex.htm
    The Keyfinder-PE plugin will extract the XP registration key from the hard drive.

    Registry Editor PE v0.9c
    http://regeditpe.sourceforge.net/
    Sometime you may need to do finer work to the registry then Ad-Aware or HiJackThis will allow. Registry Editor PE lets you load the registry hives off of the local hard drive and edit any key you like.

    Sam Spade
    http://www.gonetiq.com/winpe
    Sam Spade is a collection of useful network tools for finding out information about hosts on the Internet. Sam is quite popular with spam-fighters.

    Windows Password Renew 1.0-RC2 for WinPE
    http://www.sala.pri.ee#pass
    Password Renew lets the user change the password of the local Administrator account or create a new admin level user with a password of their choice. This is a great tool for getting into Windows boxes you don’t have an admin password for.

    I hope you have found this article useful. If you have any questions or comments please feel free to e-mail them to me at Irongeek@irongeek.com.


    Further research:

    911 Rescue CD Forums, the best place to ask questions about PE Builder and its plugins:
    http://www.911cd.net/forums/

    Adrian’s PE Builder Website:
    http://www.irongeek.com/i.php?page=security/pebuilder

    Bart’s PE Builder Homepage:
    http://www.nu2.nu/pebuilder/

    Bart’s notes on adding additional network and SCSI drivers:
    http://www.nu2.nu/pebuilder/help/drivers.htm

    Sherpya’s XPE and collection of plugins:
    http://oss.netfarm.it/winpe/

    A huge collection of PE Builder plugins:
    http://www.bootcd.us

    Another great step by step tutorial on using PE Builder and XPE:
    http://xpe.collewijn.info/index.php

  2. #2
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Wonderful post. I've used BartsPE as well as his Bootdisk and Network bootdisk, All his tools are very useful and free, cant beat that with a stick.

    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  3. #3
    irongeek - this is a very timely tutorial.

    here's a question: say i've got an intern that has no admin passwords or admin rights to a machine, but i need him to be able to run spyware apps on pcs for me, can i use this cd as a workaround to giving him admin passwords?

  4. #4
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Originally posted here by Tryska
    irongeek - this is a very timely tutorial.

    here's a question: say i've got an intern that has no admin passwords or admin rights to a machine, but i need him to be able to run spyware apps on pcs for me, can i use this cd as a workaround to giving him admin passwords?
    Yes, that should work. Once booted from the CD the user has admin level access (actually they are logged in as the system account) to the hard drive so they should be able to do just about anything they want to the file system. The Windows Registry is where it gets trickier, you have to use Paraglider’s Runscanner plugin to redirect calls to the registry on the hard drive (otherwise it uses the Registry loaded from the CD). Runscanner may not work with all anti-spyware apps, but I know it works with Ad-Aware.

  5. #5
    well let me play around this afternoon and see what i can come up with.


    thanks for the tutorial.

  6. #6
    Hey irongeek - i finally got to play with your tutorial a bit last week. it was great fun. I've bene trying to add osme custom stuff to my CD tho, and i'm coming up on some issues. here's whati've got so far:

    ~How do i get bginfo to launch on startup?
    ~How do i get NU2Menu to launch as well?


    I manually launched NU2menu and got it to show BGinfo's settings, but it couldn't give me the network settings.

    and finally am i missing soemthing that allows me to run HJT on the c: drive?

  7. #7
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    For BGinfo check the forums at http://www.911cd.net/forums/ , but the plugin I used did that automatically. I believe that Nu2MENU is not coming up because of one of the other plugins I told you to disable in my tutorial. It was the only way I could get XPE and some network cards to work right.

  8. #8
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    I guess I do not have the newest version of pe builder it has a plugin for HJT? does it scan the pe registry or the systems registry?

  9. #9
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Nope, I made a plugin for HijackThis, but you have to run it with XPE unless you change the INF file. It can scan the system registry using Paraglider's Runscanner plugin to redirect the calls.

  10. #10
    Senior Member
    Join Date
    Feb 2004
    Posts
    270
    this may be something usefull

    its a collection of plugins in a single archive. This will make a really fleshed out boot cd for you.

    http://www.ubcd4win.com/howto.htm
    Since the beginning of time, Man has searched for the answers to the big questions: \'How did we get here?\' \'Is there life after death?\' \'Are we alone?\' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •