Friday 30 June 2017

'Kill switch/vaccine' for latest Petya/NotPetya ransomware found

A report on Bleeping Computer says that a way to prevent infection by the latest NotPetya ransomware is to create a read-only file at C:\Windows\perfc.

You can do this by downloading and running this file as Administrator.

I have no idea if it works, but if your organisation has unpatched systems, this could be useful to prevent your disk from being encrypted.
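As an added example (this is not the file linked above), a batch script that creates the read-only C:\Windows\perfc file the report describes; it assumes %SystemRoot% is C:\Windows and that it is run from an elevated (Administrator) command prompt:

```batch
@echo off
REM Added example, not the downloaded file from the post: create the read-only
REM %SystemRoot%\perfc "vaccine" file described by the Bleeping Computer report.
REM Assumes %SystemRoot% is C:\Windows and an elevated (Administrator) prompt.
setlocal
set "TARGET=%SystemRoot%\perfc"

REM Check we are elevated: "net session" fails with a non-zero exit code otherwise.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run as Administrator.
    exit /b 1
)

REM Create an empty file only if it does not already exist (safe to re-run).
if not exist "%TARGET%" type nul > "%TARGET%"
if not exist "%TARGET%" (
    echo Failed to create "%TARGET%".
    exit /b 1
)

REM Set the read-only attribute and display the attributes as confirmation.
attrib +R "%TARGET%"
attrib "%TARGET%"
echo Done: "%TARGET%" exists and is read-only.
endlocal
```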

As I suspected, virus developers will build in some sort of 'kill switch' to prevent their own systems from getting infected, as with WannaCry. I guess it's kinda difficult to write code and test it, only to find that the code has just encrypted all your source files and the decryption algorithm is not yet working! The WannaCry 'vaccine' was coded to look for a specific web server, which meant it could be easily stopped by setting up a server of the correct name. The Petya developers obviously did not want to use the same mechanism, which was discovered and then used as a global 'kill switch', and so have used a local file instead to stop infection.

Thursday 29 June 2017

Installing 32-bit and 64-bit Windows ISOs with E2B

A user had Windows 10 32-bit and 64-bit ISO files in his \_ISO\WINDOWS\WIN10 folder.

We can make a .txt file for each .ISO file so that, if the CPU of the system we are booting from is a 32-bit CPU, only the 32-bit ISO is listed in the Windows 10 menu, and if it is a 64-bit CPU only the 64-bit ISO file is shown in the menu.

See here for details.

However, this user wanted to only show the 32-bit ISO if the system has <4GB of memory and only show the 64-bit ISO if the system has more than 4GB of memory.

The way around this was to create a new variable (GB4) in our \_ISO\MyE2B.cfg file:

# set 4GB variable if 4GB+ of memory present
set /a M=*0x8298 & 0xffffffff>>10+1 > nul ;; set /a M1=*0x82c0>>10+1 > nul ;; set /a M=%M% + %M1% > nul ;; if %M%>=4096 set GB4=1 ;; set M= ;; set M1=

We can now test for the existence of the variable GB4 in our .txt file:

Example:
We have a Windows10_x86.iso and a Windows10_x64.iso:
\_ISO\WINDOWS\WIN10\Windows10_x86.iso
\_ISO\WINDOWS\WIN10\Windows10_x64.iso

If a system has more than 4GB of memory, only show the 64-bit Windows ISO (it must have a 64-bit CPU if it detects >4GB). If it has less than 4GB we only show 32-bit Windows ISO.
 
Windows10_x64.txt
iftitle [if exist GB4] Win10 1703 x64\n Install 64-bit Windows 10

Windows10_x86.txt
iftitle [if not exist GB4] Win10 1703 x86\n Install 32-bit Windows 10

Note: There is a bug in E2B which causes a 'no title keyword found in xxxx.txt file' error when the Windows menu loads. This can be fixed by saving the .txt file as ANSI encoded instead of UTF-8 encoded - OR update your E2B drive with E2B v1.94a (beta) which has a bugfix for this.

Sunday 25 June 2017

MPI Tool Kit v0.077 now available

This version has two small changes:
1. Latest RMPartUSB.exe in the e2b folder
2. MakePartImage.cmd will no longer copy some 'special' files and folders when you use a USB drive as the source to make the .imgPTN file.

The excluded files/folders include $recycle.bin, pagefile.sys, hiberfil.sys, System Volume Information, etc. which often cause problems when copying under Windows.

To upgrade, download and extract the new MPI_Tool_Pack_Plus_CloverLite_077 folder to your Desktop and run CreateDesktopShortcuts.cmd. You can then delete the old MPI_Tool_Pack_Plus_CloverLite_0xx folder from your desktop.

Friday 23 June 2017

Add PeppermintOS 8 + persistence to E2B

PeppermintOS 8 is based on Ubuntu/Lubuntu, so I have modified one of the Ubuntu_Persistence Sample menu files.

I used the Peppermint-8-20170527-amd64.iso (1.2GB) with the .mnu file shown below:

Tuesday 20 June 2017

Easy2Boot v.1.93A available (to work around Win10 1703 bugs!)

Windows 10 Creators update (1703) is still buggy.

As you may be aware, Windows 10 1703 now recognises all partitions on Removable USB drives and attempts to mount them.

Sometimes it will assign a drive letter to each partition (and sometimes not!).
The Disk management console however still only shows one volume and one drive letter for the Removable drive even if it has multiple partitions.
Also DiskPart only lists one volume on a multi-partition USB drive.
If Windows assigns a drive letter to the 2nd partition, the letter cannot be changed or removed.

[Screenshots: Explorer view of a Removable USB drive with two primary partitions F: and J:; Disk Management console (where is F:?); Disk Management console (Disk 4 Partition 2 has no drive letter!); DiskPart (where is volume F:?)]

E2B v1.93A includes a new version of RMPartUSB which attempts to force Windows to assign all the USB drive partitions with a drive letter.

This should prevent the format that is done by RMPartUSB from failing and then prompting you to assign a drive letter manually.

P.S. If you are having problems changing the drive letter of a volume on a Removable USB drive because the letter is not listed by Disk Management or DiskPart, I have written a ChangeLetter.cmd script which you can download here (in the Alternate Downloads area). It only works on Removable USB drives, and you must run the .cmd file, which then runs the .vbs script as admin.

Sunday 18 June 2017

Easy2Boot v1.93/A Full version released

E2B v1.93A full release is now available.

It will also be uploaded to the E2B website in a few days.

Changes from v1.92 are:
  1. Offline choco package support added to  SDI_CHOCO.cmd template
  2. \_ISO\docs\Chocbox\ChocBox.cmd for making offline choco packages
  3. NoSpeak.tag and NoBeep.tag now detected by SDI_CHOCO
  4. Chocolatey offline package added - version 0.10.6.1
  5. Snappy Driver Installer 'Origin version' now used
  6. QRUN.g4b changed - small change to .imgPTN so if second *. image file present it will get a partition type number of 7 if grub4dos does not give it one 
  7. Suppress suggestion prompt if *q.iso used (useful for WinBuilder ISO or other .iso files which don't work if you use the .isodefault extension)
  8. Switch_E2B.exe v1.0.16 hidden file fix
  9. OpenMandriva ISO sample mnu file added
  10. New grub4dos 0.4.6a
  11. GIFtoIMA.cmd script provided to make animations from GIF files
  12. Make_E2B.cmd will now download bootmgr from internet and add it to E2B drive
  13. \_ISO\docs\Make_E2B_USB_Drive\Add_Bootmgr_to_E2B_drives.cmd added
  14. New default menu wallpaper
Please give feedback ASAP if you spot a problem with the new version (and give step-by-step details about how I can reproduce the problem).

Tip: You can use v1.93 to update any previous DPMS USB drive.

You may get some AV warnings but these are false positives (honest!).

Add your own background wallpaper

Place an 800x600 24-bit colour .bmp or .jpg file at \_ISO\MyBackground.bmp or \_ISO\MyBackground.jpg and it will be used instead of the default E2B wallpaper.

Copyright free images can be found on www.pexels.com.

Friday 16 June 2017

MPI Tool Pack v0.076 available

I discovered a few issues in v0.075 to do with converting payloads which used isolinux/syslinux.

I have also simplified the way syslinux is installed - it now creates a \syslinux.bin file which the CSM menu can use as the boot file.

v0.076 is available on the Alternate Download sites and will also be updated on the E2B website soon.

Wednesday 14 June 2017

Easy2Boot v1.93i available

This version has these extra changes:

  • Feature for WinBuilder ISOs - if .ISO file ends in q.iso or Q.iso then auto-suggest prompt will be suppressed - use for WinBuilder ISOs which must use a .iso file extension, e.g. Gandalf_2016_x86q.iso.
  • Make_E2B.cmd changed - Win 8.1 bootmgr is now downloaded from the internet using JFX's GWT tool and added to USB drive if no good version of bootmgr is found on Windows host drive.
  • \_ISO\docs\Make_E2B_USB_Drive\Add_Bootmgr_to_E2B_drives.cmd will download the Win8.1 version of bootmgr and add it to any E2B drive you have connected.
  • Latest grub4dos 0.4.6a


I will release v1.93 as a full release soon. Please let me know if you spot a problem.

Summary of changes from v1.92:
• Offline choco package support for SDI_CHOCO function
• \_ISO\docs\Chocbox\ChocBox.cmd for making offline choco packages
• NoSpeak.tag and NoBeep.tag detection for SDI_CHOCO
• New Chocolatey version 0.10.6.1
• GIFtoIMA script to make animations easily
• Snappy Driver Installer Origin version now used
• QRUN.g4b changed - small change to .imgPTN so if second *. image file present it will get a partition type number of 7 if grub4dos does not give it one
• Switch_E2B.exe v1.0.16 hidden file fix
• OpenMandriva ISO sample mnu file added
• New grub4dos 0.4.6a
• Make_E2B will download bootmgr from internet and add it to E2B drive
• \_ISO\docs\Make_E2B_USB_Drive\Add_Bootmgr_to_E2B_drives.cmd
• Suppress suggestion prompt/text if *q.iso used (for WinBuilder ISO or other .iso files)

Sunday 11 June 2017

Add bootmgr to your E2B drive

As you may know, E2B does not include bootmgr for legal reasons.

The Make_E2B.exe and the 'make' scripts look for the correct Win 8.1 version of bootmgr on your Windows system and will copy it to the E2B drive for you.

If you don't have the correct version, the E2B 'make' script will warn you that, in order to boot Windows .VHD and .WIM files, you will need to add it.

Note: E2B v1.93+ will now download the bootmgr file automatically when you run Make_E2B.exe.

Add_Bootmgr_to_E2B_drives

\_ISO\docs\Make_E2B_USB_Drive\Add_Bootmgr_to_E2B_drives.cmd will automatically add bootmgr to the \_ISO\e2b\grub\DPMS\NTBOOT.MOD folder of any E2B drive that you have connected when you run it. Internet access is required.

It takes just a second or so to run.

Note: The new Make_E2B script will automatically download bootmgr for you and put it on the E2B USB drive in the correct folder.

See here for more details on GWT.

E2B v1.93h available

v1.93h has just a few small tweaks, the latest grub4dos, and a fix for a bug in ChocBox.cmd.

One small change in SDI_CHOCO is that, when you copy the SDI_CHOCO.cmd file, you no longer need to edit it to change the name of the configuration folder that you want it to use.

For example: if you want to make a new configuration called 'NEW', you just copy and rename the SDI_CHOCO.cmd file and the SDI_CHOCO folder to NEW.cmd and NEW (folder).

The code in NEW.cmd will automatically look for a configuration folder with the same name as the .cmd file.

So your modified XML file will call NEW.CMD, which will automatically use the NEW folder as the configuration folder. The files in the NEW folder:

• MySpecialize.cmd - runs after Snappy Driver Installer, before reboot
• MySetupComplete.cmd - runs before OOBE
• MyStartup.cmd - runs after OOBE on first user login (which can be automatic)

will control the installation of additional drivers and apps, etc., and the .TAG files will control other features:
• NoInternet.TAG - Internet connectivity will not be checked, msoobe will not be called to initialise the network during Specialize
• NoChoco.TAG - choco will not be downloaded from the internet (but can still be installed offline)
• NoSDI.TAG - The Snappy Driver Installer will not run (useful if you install your own drivers)
• NoWSUS.TAG - WSUS Offline Updater will not run
• OfflineChoco.TAG - \_ISO\WINDOWS\INSTALLS\CHOCBOX folder is copied to C:\DRIVERS\CHOCBOX and Chocolatey is installed directly from the E2B drive
• NoBeep.TAG - do not beep the speaker (v1.93+)
• NoSpeak.TAG - don't tell me what you are doing (v1.93+)
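To illustrate the mechanism described above (this is an added example, not SDI_CHOCO's own code), a skeleton NEW.cmd that locates its configuration folder from its own file name and reads the .TAG files listed above; the variable names and the call to MySpecialize.cmd are hypothetical:

```batch
@echo off
REM Added example, not the real SDI_CHOCO.cmd: shows how a .cmd script can derive
REM its configuration folder from its own file name, so that copying SDI_CHOCO.cmd
REM to NEW.cmd makes it use the NEW folder, and how the .TAG files switch features off.
setlocal
REM %~dp0 = folder containing this script (with trailing \), %~n0 = script name without .cmd
set "CFGDIR=%~dp0%~n0"

REM A trailing backslash makes "if exist" test for a directory rather than a file.
if not exist "%CFGDIR%\" (
    echo Configuration folder "%CFGDIR%" not found.
    exit /b 1
)
echo Using configuration folder "%CFGDIR%"

REM Every feature is on unless the matching .TAG file is present (hypothetical flag names).
set RUN_SDI=1
set RUN_WSUS=1
set GET_CHOCO=1
set CHECK_NET=1
if exist "%CFGDIR%\NoSDI.TAG"      set RUN_SDI=0
if exist "%CFGDIR%\NoWSUS.TAG"     set RUN_WSUS=0
if exist "%CFGDIR%\NoChoco.TAG"    set GET_CHOCO=0
if exist "%CFGDIR%\NoInternet.TAG" set CHECK_NET=0

echo Snappy Driver Installer=%RUN_SDI% WSUS Offline=%RUN_WSUS% Download choco=%GET_CHOCO% Check internet=%CHECK_NET%

REM The user-editable stage script lives in the same folder; run it if the user supplied one.
if exist "%CFGDIR%\MySpecialize.cmd" call "%CFGDIR%\MySpecialize.cmd"
endlocal
```

Saving this as NEW.cmd next to a NEW folder containing, say, NoSDI.TAG prints RUN_SDI=0 and leaves the other flags at 1.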

Read more: http://www.easy2boot.com/add-payload-files/windows-install-isos/sdi-choco/

Removable vs. Fixed

I have added a new page to the E2B site here about why the type of USB drive you use for E2B matters.