공장장과 함께하는 디지털 포렌식 이야기

분석을 하다보면 경우에 따라 Registry 중에서도 이 UserAssist 항목이 정말 일종의 꿀단지 역할을 하는데

기본적으로 ROT13으로 Encoding 되어 있어서 별도의 툴이 필요합니다.

물론 EnCase의 Registry Parser 로도 가능하고 기타 여러 EnScript 들도 많이 있습니다만...

쉽고 간단한 Tool 이 있다면 더 좋겠죠.

Didier Stevens 가 최근 UserAssist Tool Version 2.4.3를 공개했습니다.

HashCheck Shell Extension은 상대적으로 최근에 개발된 프로그램입니다.

제작 : Kai Liu (刘锴).  http://www.kailiu.com/contact.xhtml (e-mail을 공개안하는걸 보니 보안에 신경쓰는 듯)

홈페이지 : http://code.kliu.org/hashcheck/

버전 : 2.1.11.1 ( July 1, 2009 )

크기 : 86,528 Bytes (MD5 : B99FF61DEF8125E2178CE6F1F7D6D8C0)

지원환경 : both x86 and native x64

다운로드 : http://code.kliu.org/hashcheck/downloads/HashCheckInstall-latest.exe


라이센스 : BSD Style Free and Open License

소스코드 : http://code.kliu.org/hashcheck/downloads/HashCheckSource-latest.7z


HashTab 과 마찬가지로 문맥메뉴에 체크섬이라는 탭이 생기며 해당 탭에서 Hash 계산 결과를 확인할 수 있습니다.

파일명, CRC-32, MD4, MD5, SHA-1 에 대한 계산값을 확인할 수 있으며

HashTab 과는 달리 현재 다른 알고리즘은 지원하지 않고 있습니다.


HashTab은 두 파일의 Hash 값 계산 비교를 위해서는 각각의 파일에 대한 문맥메뉴를 이용하거나 하나의 파일에 대한 Hash 값을 계산 한 후 다른 파일을 Drag & Drop 해야 합니다.

반면 HashCheck 는 복수개의 파일에 대한 문맥메뉴를 지원합니다.


5개의 파일에 대한 Hash 계산 결과입니다.

하단의 검색메뉴를 통해서 특정 키워드를 찾을 수 있습니다.


또한 문맥메뉴에서 바로 .SFV와 같은 체크섬 파일을 생성할 수도 있습니다.

하나의 파일에 대해 RIPEMD나 SHA-256 등으로 Hash 값을 계산하거나 두개의 파일이 동일한지 여부를 비교하려면 HashTab이, 여러개의 파일에 대해 Hash값을 계산하고 체크섬 파일을 생성하려면 HashCheck 가 유용해 보입니다.

파일 분석시 가장 기초적인 단계가 파일의 특성을 구분하는 것입니다.

간단하게는 확장자와 헤더값을 비교하는 Signature Analysis가 있겠고

그 뒤에 실행 파일 이라면 Packing 여부 및 PE 헤더의 확인, Prefetch 파일의 존재 여부 등이 있을 수 있습니다.

그 중 특정 파일의 중복 및 변조 여부를 확인하기 위해서 CRC 등의 체크섬이나 MD5, SHA1등의 Hash 값을 계산하는 방법이 있습니다.

얼마전 유출된 MS Windows 7의 경우도 각종 해적판이 난무하는 가운데 정식 유출본을 찾는데 이 Hash 값을 이용하라는 글들이 많이 올라왔습니다.

Hash 값을 계산하는 여러가지 프로그램이 있으나 (심지어는 EnCase -_-;; ) 추천하는 프로그램은

이번에 소개할 HashTab과 HashCheck 입니다.

HashTab

제작 : Cody Batt beta@beeblebrox.org

홈페이지 : http://beeblebrox.org/

버전 : 3.0.0

크기 : 799,610 Byte (MD5 : 5845F52D425C75E232B1AD5EE3B189A8)

지원환경 : Windows XP 이상, OSX 10.4 이상

다운로드 : http://beeblebrox.org/HashTab%20Setup.exe (Windows)


               http://beeblebrox.org/hashtab_10.4_universal_1.0.0.dmg.gz (MAC 이라지만 관심이 없다)

라이센스 : Free ( 설치 시 다음의 말에 동의해야 함 : Hash Tab is the coolest thing ever! )


굴러다니는(-_-) ISO 파일에 대한 HashTab 결과입니다.

탐색기 내에서 특정 파일의 문맥메뉴를 이용하면 "파일해시"라는 탭이 생기며 해당 탭에서 Hash 계산 결과를 보여줍니다.


마우스 오른쪽 버튼을 누르면 Copy All 과 설정 메뉴를 선택할 수 있습니다.

이름 그대로 Copy All을 선택하면 Hash 계산 결과가 클립보드에 저장됩니다. 물론 특정 Hash 계산값만 선택하여 따로 복사할 수 도 있습니다.



설정을 선택하면 HashTab에서 계산할 알고리즘을 선택할 수 있습니다. 초기 설정값은 CRC32, MD5, SHA-1 입니다.

지원되는 알고리즘은 다음과 같습니다.

Adler32, CRC32, HAVAL, MD2, MD4, MD5, RIPEMD-128, RIPEMD-256, RIPEMD-320, SHA-1, SHA-256, SHA-384, SHA-512, Tiger, Whirlpool


또한 현재 파일과 다른 파일의 Hash 값을 비교할 수 있습니다.

원하는 Hash 알고리즘을 선택한 다음 비교하고자 하는 파일을 Drag & Drop 하면 됩니다.


MD5 에 맞춰놓고 하면 MD5 값 결과를 보여줍니다. 다른 파일을 비교하였더니 빨간 X 로 값이 다르다는 것을 시각적으로 보여줍니다.


CRC32에 맞춰 놓고 하면 CRC32 값에 대해서 비교를 해줍니다. 계산값이 동일하면 초록색 V 마크가 표시됩니다.

간편하게 다양한 Hash 계산을 할 수 있는 HashTab 입니다.

Windows PE + 각종 복구 프로그램

http://www.hirensbootcd.net/

Hiren's BootCD 9.9 + Keyboard Patch

All in one Dos Bootable CD which has all these utilities:

Partition Tools

- Partition Magic Pro 8.05: Best software to partition hard drive.
- Acronis Disk Director 10.0.2160: Popular disk management functions in a single suite.
- Paragon Partition Manager 7.0.1274: Universal tool for partitions.
- Partition Commander 9.01: The safe way to partition your hard drive, with undo feature.
- Ranish Partition Manager 2.44: a boot manager and hard disk partitioner.
- The Partition Resizer 1.3.4: move and resize your partitions in one step and more.
- Smart Fdisk 2.05: a simple harddisk partition manager.
- SPecial Fdisk 2000.03v: SPFDISK a partition tool.
- eXtended Fdisk 0.9.3: XFDISK allows easy partition creation and edition.
- GDisk 1.1.1: Complete replacement for the DOS FDISK utility and more.
- Super Fdisk 1.0: Create, delete, format partitions drives without destroying data.
- Partition Table Editor 8.0: Partition Table and Boot Record Editor.
- EASEUS Partition Master 3.5: Partition Resize/Move/Copy/Create/Delete/Format/Convert, Explore, etc.

Backup Tools

- ImageCenter 5.6 (Drive Image 2002): Best software to clone hard drive.
- Norton Ghost 11.5: Similar to Drive Image (with usb/scsi support).
- Acronis True Image 8.1.945: Create an exact disk image for complete system backup and disk cloning.
- Partition Saving 3.71: A tool to backup/restore partitions. (SavePart.exe).
- COPYR.DMA Build013: A Tool for making copies of hard disks with bad sectors.
- DriveImageXML 2.02: backup any drive/partition to an image file, even if the drive is currently in use.
- Drive SnapShot 1.39: creates an exact Disk Image of your system into a file while windows is running.
- Ghost Image Explorer 11.5: to add/remove/extract files from Ghost image file.
- DriveImage Explorer 5.0: to add/remove/extract files from Drive image file.
- WhitSoft File Splitter 4.5a: a Small File Split-Join Tool.
- Express Burn 4.26: CD/DVD Burner Program to create and record CDs/DVDs, also create/burn .iso and .nrg images.
- Smart Driver Backup 2.12: Easy backup of your Windows device drivers (also works from PE).
- Double Driver 1.0: Driver Backup and Restore tool.
- DriverBackup! 1.0.3: Another handy tool to backup drivers.

Recovery Tools

- Active Partition Recovery 3.0: To Recover a Deleted partition.
- Active Uneraser 3.0: To recover deleted files and folders on FAT and NTFS systems.
- Ontrack Easy Recovery Pro 6.10: To Recover data that has been deleted/virus attack.
- Winternals Disk Commander 1.1: more than just a standard deleted-file recovery utility.
- TestDisk 6.11.3: Tool to check and undelete partition.
- Lost & Found 1.06: a good old data recovery software.
- DiyDataRecovery Diskpatch 2.1.100: An excellent data recovery software.
- Prosoft Media Tools 5.0 v1.1.2.64: Another excellent data recovery software with many other options.
- PhotoRec 6.11.3: File and pictures recovery Tool.
- Winsock 2 Fix for 9x: to fix corrupted Winsock2 information by poorly written Internet programs.
- XP TCP/IP Repair 1.0: Repair your Windows XP Winsock and TCP/IP registry errors.
- Active Undelete 5.5: a tool to recover deleted files.
- Restoration 3.2.13: a tool to recover deleted files.
- GetDataBack for FAT 2.31: Data recovery software for FAT file systems.
- GetDataBack for NTFS 2.31: Data recovery software for NTFS file systems.
- Recuva 1.27.419: Restore deleted files from Hard Drive, Digital Camera Memory Card, usb mp3 player...
- Partition Find and Mount 2.3.1: Partition Find and Mount software is designed to find lost or deleted partitions.
- Unstoppable Copier 4b: Allows you to copy files from disks with problems such as bad sectors, scratches or that just give errors when reading data.

Testing Tools

- System Speed Test 4.78: it tests CPU, harddrive, etc.
- PC-Check 6.5: Easy to use hardware tests.
- Ontrack Data Advisor 5.0: Powerful diagnostic tool for assessing the condition of your computer.
- The Troubleshooter 7.02: all kind of hardware testing tool.
- PC Doctor 2004: a benchmarking and information tool.
- CPU/Video/Disk Performance Test 5.7: a tool to test cpu, video, and disk.
- Test Hard Disk Drive 1.0: a tool to test Hard Disk Drive.
- Disk Speed1.0: Hard Disk Drive Speed Testing Tool.
- S&M Stress Test 1.9.1: cpu/hdd/memory benchmarking and information tool, including temperatures/fan speeds/voltages.
- IsMyLcdOK (Monitor Test) 1.01: Allows you to test CRT/LCD/TFT screens for dead pixels and diffective screens.

RAM (Memory) Testing Tools

- GoldMemory 5.07: RAM Test utility.
- Memtest86+ 2.11: PC Memory Test.
- MemTest 1.0: a Memory Testing Tool.
- Video Memory Stress Test 1.7.116: a tool to thoroughly test your video RAM for errors and faults.

Hard Disk Tools

- Seagate Seatools Graphical v2.13b
- SeaTools for Dos 1.10
- Western Digital Data Lifeguard Tools 11.2
- Western Digital Diagnostics (DLGDIAG) 5.04f
- Maxtor PowerMax 4.23
- Maxtor amset utility 4.0
- Maxtor(or any Hdd) Low Level Formatter 1.1
- Fujitsu HDD Diagnostic Tool 7.00
- Fujitsu IDE Low Level Format 1.0
- Samsung HDD Utility(HUTIL) 2.10
- Samsung Disk Diagnose (SHDIAG) 1.28
- Samsung The Drive Diagnostic Utility (ESTOOL) 2.12a
- IBM/Hitachi Drive Fitness Test 4.14
- IBM/Hitachi Feature Tool 2.13
- Gateway GwScan 5.12
- ExcelStor's ESTest 4.50
- MHDD 4.6
- WDClear 1.30
- Toshiba Hard Disk Diagnostic 2.00b
- HDD Regenerator 1.61: to recover a bad hard drive.
- HDAT2 4.53: main function is testing and repair (regenerates) bad sectors for detected devices.
- Ontrack Disk Manager 9.57: Disk Test/Format/Maintenance tool.
- Norton Disk Doctor 2002: a tool to repair a damaged disk, or to diagnose your hard drive.
- Norton Disk Editor 2002: a powerful disk editing, manual data recovery tool.
- Hard Disk Sentinel 0.04: Hard Disk health, performance and temperature monitoring tool.
- Active Kill Disk 4.1: Securely overwrites and destroys all data on physical drive.
- SmartUDM 2.00: Hard Disk Drive S.M.A.R.T. Viewer.
- Victoria 3.33e and 3.52rus: a freeware program for low-level HDD diagnostics.
- HDD Erase 4.0: Secure erase using a special feature built into most newer hard drives.
- HDD Scan 3.1: This is a Low-level HDD diagnostic tool, it scans surface find bad sectors etc.
- HDTune 2.55: Hard disk benchmarking and information tool.
- Data Shredder 1.0: A tool to Erase disk and files (also wipe free space) securely.

System Information Tools

- PCI and AGP info Tool (0906): The PCI System information & Exploration tool.
- System Analyser 5.3v: View extensive information about your hardware.
- Navratil Software System Information 0.60.32: High-end professional system information tool.
- Astra 5.42: Advanced System info Tool and Reporting Assistant.
- HWiNFO 5.2.7: a powerful system information utility.
- PC-Config 9.33: Complete hardware detection of your computer.
- SysChk 2.46: Find out exactly what is under the hood of your PC.
- CPU Identification utility 1.16: Detailed information on CPU (CHKCPU.EXE).
- CTIA CPU Information 2.7: another CPU information tool.
- Drive Temperature 1.0: Hard Disk Drive temperature meter.
- PC Wizard 2008.1.871: Powerful system information/benchmark utility designed especially for detection of hardware.
- SIW 2009-05-12: Gathers detailed information about your system properties and settings.
- CPU-Z 1.51: It gathers information on some of the main devices of your system.
- PCI 32 Sniffer 1.4 (0906): device information tool (similar to unknown devices).
- Unknown Devices 1.2 (0906): helps you find what those unknown devices in Device Manager really are.

MBR (Master Boot Record) Tools

- MBRWork 1.07b: a utility to perform some common and uncommon MBR functions.
- MBR Tool 2.2.100: backup, verify, restore, edit, refresh, remove, display, re-write...
- DiskMan4: all in one tool for cmos, bios, bootrecord and more.
- BootFix Utility: Run this utility if you get 'Invalid system disk'.
- MBR SAVE / RESTORE 2.1: BootSave and BootRest tools to save / restore MBR.
- Boot Partition 2.60: add Partition in the Windows NT/2000/XP Multi-boot loader.
- Partition Table Doctor 3.5: a tool to repair/modify mbr, bootsector, partition table.
- Smart Boot Manager 3.7.1: a multi boot manager.
- Bootmagic 8.0: This tool is for multi boot operating systems.
- MBRWizard 2.0b: Directly update and modify the MBR (Master Boot Record).

BIOS / CMOS Tools

- CMOS 0.93: CMOS Save / Restore Tool.
- BIOS Cracker 4.8: BIOS password remover (cmospwd).
- BIOS Cracker 1.4: BIOS password remover (cmospwc).
- BIOS Utility 1.35.0: BIOS Informations, password, beep codes and more.
- !BIOS 3.20: a powerfull utility for bios and cmos.
- DISKMAN4: a powerful all in one utility.
- UniFlash 1.40: bios flash utility.;
- Kill CMOS: a tiny utility to wipe cmos.
- Award DMI Configuration Utility 2.43: DMI Configuration utility for modifying/viewing the MIDF contents.

MultiMedia Tools

- Picture Viewer 1.94: Picture viewer for dos, supports more then 40 filetypes.
- QuickView Pro 2.58: movie viewer for dos, supports many format including divx.
- MpxPlay 1.56: a small Music Player for dos.

Password Tools

- Active Password Changer 3.0.420: To Reset User Password on windows NT/2000/XP/2003/Vista (FAT/NTFS).
- Offline NT/2K/XP Password Changer: utility to reset windows nt/2000/xp administrator/user password.
- Registry Reanimator 1.02: Check and Restore structure of the Damaged Registry files of NT/2K/XP.
- NTPWD: utility to reset windows nt/2000/xp administrator/user password.
- Registry Viewer 4.2: Registry Viewer/Editor for Win9x/Me/NT/2K/XP.
- ATAPWD 1.2: Hard Disk Password Utility.
- TrueCrypt 6.2: On-the-fly disk encryption tool, can create a virtual encrypted disk within a file and mount it as a real disk, can also encrypt an entire HDD/Partition/USB Drive.
- Content Advisor Password Remover 1.0: It Removes Content Advisor Password from Internet Explorer.
- Password Renew 1.1: Utility to (re)set windows passwords.
- WindowsGate 1.1: Enables/Disables Windows logon password validation.
- WinKeyFinder 1.73: Allows you to View and Change Windows XP/2003 Product Keys, backup and restore activation related files, backup Microsoft Office 97, 2000 SP2, XP/2003 keys etc.
- XP Key Reader 2.7: Can decode the XP-key on Local or Remote systems.
- ProduKey 1.35: Recovers lost the product key of your Windows/Office.
- Wireless Key View 1.26: Recovers all wireless network keys (WEP/WPA) stored in your computer by WZC.
- MessenPass 1.24: A password recovery tool that reveals the passwords of several instant messangers.
- Mail PassView 1.51: Recovers mail passwords of Outlook Express, MS Outlook, IncrediMail, Eudora, etc.
- Asterisk Logger 1.04: Reveal passwords hidden behind asterisk characters.

NTFS (FileSystems) Tools

- NTFS Dos Pro 5.0: To access ntfs partitions from Dos.
- NTFS 4 Dos 1.9: To access ntfs partitions from Dos.
- Paragon Mount Everything 3.0: To access NTFS, Ext2FS, Ext3FS partitions from dos.
- NTFS Dos 3.02: To access ntfs partitions from Dos.
- EditBINI 1.01: to Edit boot.ini on NTFS Partition.

Browsers / File Managers

- Volkov Commander 4.99: Dos File Manager with LongFileName/ntfs support (Similar to Norton Commander).
- Dos Command Center 5.1: Classic dos-based file manager.
- File Wizard 1.35: a file manager - colored files, drag and drop copy, move, delete etc.
- File Maven 3.5: an advanced Dos file manager with high speed PC-to-PC file transfers via serial or parallel cable.
- FastLynx 2.0: Dos file manager with Pc to Pc file transfer capability.
- LapLink 5.0: the smart way to transfer files and directories between PCs.
- Dos Navigator 6.4.0: Dos File Manager, Norton Commander clone but has much more features.
- Mini Windows 98: Can run from Ram Drive, with ntfs support, Added 7-Zip, Disk Defragmenter, Notepad / RichText Editor, Image Viewer, .avi .mpg .divx .xvid Movie Player, etc...
- Mini Windows Xp: Portable Windows Xp that runs from CD/USB/Ram Drive, with Network and SATA support.
- 7-Zip 4.65: File Manager/Archiver Supports 7z, ZIP, GZIP, BZIP2, TAR, RAR, CAB, ISO, ARJ, LZH, CHM, MSI, WIM, Z, CPIO, RPM, DEB and NSIS formats.
- Opera Web Browser 8.53: One of the fastest, smallest and smartest full-featured web browser.

Other Tools

- Ghost Walker 11.5: utility that changes the security ID (SID) for Windows NT, 2000 and XP.
- DosCDroast beta 2: Dos CD Burning Tools.
- Universal TCP/IP Network 6.4: MSDOS Network Client to connect via TCP/IP to a Microsoft based network. The network can either be a peer-to-peer or a server based network, it contains 91 different network card drivers.
- NewSID 4.10: utility that changes the security ID (SID) for Windows NT, 2000 and XP.
- Registry Editor PE 0.9c: Easy editing of remote registry hives and user profiles.
- Registry Restore Wizard 1.0.4: Restores a corrupted system registry from Xp System Restore.

Dos Tools

- USB CD-Rom Driver 1: Standard usb_cd.sys driver for cd drive.
- Universal USB Driver 2: Panasonic v2.20 ASPI Manager for USB mass storage.
- ASUSTeK USB Driver 3: ASUS USB CD-ROM Device Driver Version 1.00.
- SCSI Support: SCSI Drivers for Dos.
- SATA Support: SATA Driver (gcdrom.sys) and JMicron JMB361 (xcdrom.sys) for Dos.
- 1394 Firewire Support: 1394 Firewire Drivers for Dos.
- Interlnk support at COM1: To access another computer from COM port.
- Interlnk support at LPT1: To access another computer from LPT port.

and too many great dos tools, very good collection of dos utilities

extract.exe, pkzip.exe, pkunzip.exe, unrar.exe, rar.exe
ace.exe, lha.exe, gzip.exe, uharcd.exe, mouse.com
attrib.com, deltree.exe, xcopy.exe, diskcopy.com, imgExtrc.exe
undelete.com, edit.com, fdisk.exe, fdisk2.exe, fdisk3.exe
lf.exe, delpart.exe, wipe.com, zap.com, format.com
move.exe, more.com, find.exe, hex.exe, debug.exe
split.exe, mem.exe, mi.com, sys.com, smartdrv.exe
xmsdsk.exe, killer.exe, share.exe, scandisk.exe, scanreg.exe
guest.exe, doskey.exe, duse.exe, biosdtct.exe, setver.exe
intersvr.exe, interlnk.exe, loadlin.exe, lfndos.exe, doslfn.com

Cleaners

- SpaceMonger 1.4: keeping track of the free space on your computer.
- WinDirStat 1.1.2.80: a disk usage statistics viewer and cleanup tool for Windows.
- CCleaner 2.20.920: Crap Cleaner is a freeware system optimization and privacy tool.

Optimizers

- PageDfrg 2.32: System file Defragmenter For NT/2k/XP.
- NT Registry Optimizer 1.1j: Registry Optimization for Windows NT/2000/2003/XP/Vista.
- DefragNT 1.9: This tool presents the user with many options for disk defragmenting.
- JkDefrag 3.36: Free disk defragment and optimize utility for Windows 2000/2003/XP/Vista.
- Process Tools: IB Process Manager 1.04 a little process manager for 9x/2k, shows dll info etc.
- Process Explorer 11.33: shows you information about which handles and DLLs processes have opened or loaded.
- Pocket KillBox 2.0.0.978: can be used to get rid of files that stubbornly refuse to allow you to delete them.
- Unlocker 1.8.7: This tool can delete file/folder when you get this message - Cannot delete file: Access is denied, The file is in use by another program etc.
- CurrPorts 1.65: displays the list of all currently opened TCP and UDP ports on your computer.

Startup Tools

- Autoruns 9.50: Displays All the entries from startup folder, Run, RunOnce, and other Registry keys, Explorer shell extensions,toolbars, browser helper objects, Winlogon notifications, auto-start services, Scheduled Tasks, Winsock, LSA Providers, Remove Drivers and much more which helps to remove nasty spyware/adware and viruses.
- Silent Runners Revision 59: A free script that helps detect spyware, malware and adware in the startup process.
- Startup Control Panel 2.8: a tool to edit startup programs.
- Startup Monitor 1.02: it notifies you when any program registers itself to run at system startup.
- HijackThis 2.0.2: a general homepage hijackers detector and remover and more.

Tweakers

- Dial a Fix 0.60.0.24: Fix errors and problems with COM/ActiveX object errors and missing registry entries, Automatic Updates, SSL, HTTPS, and Cryptography service (signing/verification) issues, Reinstall internet explorer etc. comes with the policy scanner.
- Ultimate Windows Tweaker 1.2: A TweakUI Utility for tweaking and optimizing Windows Vista.
- TweakUI 2.10: This PowerToy gives you access to system settings that are not exposed in the Windows Xp.
- Xp-AntiSpy 3.97.3: it tweaks some Windows XP functions, and disables some unneeded Windows services quickly.
- Shell Extensions Manager (ShellExView) 1.37: An excellent tool to View and Manage all installed Context-menu/Shell extensions.
- EzPcFix 1.0.0.16: Helpful tool when trying to remove viruses, spyware, and malware.

Antivirus Tools

- Kaspersky Virus Removal Tool 7.0.0.290 (0906): Free on-demand virus scanner from Kaspersky Lab to remove viruses.
- Spybot - Search & Destroy 1.6.2 (0906): Application to scan for spyware, adware, hijackers and other malicious software.
- Malwarebytes' Anti-Malware 1.34 (0906): anti-malware application that can thoroughly remove even the most advanced malware.
- SpywareBlaster 4.2 (0906): Prevent the installation of spyware and other potentially unwanted software.
- SmitFraudFix 2.419: This removes Some of the popular Desktop Hijack malware.
- ComboFix (0906): Designed to cleanup malware infections and restore settings modified by malware.
- CWShredder 2.19: Popular CoolWebSearch Trojan Remover tool.
- RootkitRevealer 1.7.1: Rootkit Revealer is an advanced patent-pending root kit detection utility.
- SuperAntispyware 4.26 (0906): Remove Malware, Rootkits, Spyware, Adware, Worms, Parasites (a must have tool).

출처 : http://blog.paran.com/franc3sco/33307420


/* ChkRegLastChange 프로그램은 윈도우즈 레지스트리 value 및 data에 대한 생성 및 변경 시간 체크 프로그램입니다. 작성자 : 김태훈(kimfrancesco@gmail.com) 라이센스 : Freeware 첨언 : 용도에 맞게 제작된 작은 사이즈 프로그램입니다. */ #include <windows.h> #include <commctrl.h> #include <windowsx.h> #include <stdio.h> #include <string.h> #include <stdlib.h> #include <winuser.h> #include <commdlg.h> #include "resource9.h" LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM); void RegEnum(HKEY *key, DWORD entry_count, char *string); DWORD GetAbsDayfromsystime(SYSTEMTIME st); HINSTANCE g_hInst; LPSTR lpszClass = "RegistryTimeCheck"; HWND g_hWndMain; #ifndef NMAXFILE #define NMAXFILE 512 #endif #ifndef TEXTMAXBUF #define TEXTMAXBUF 512 #endif HKEY HKEY_ENTRY[4] = { HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG }; DWORD start_time_value; DWORD end_time_value; int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpszCmdParam, int nCmdShow) { HWND hWnd; MSG Message; WNDCLASS WndClass; g_hInst = hInstance; WndClass.cbClsExtra = 0; WndClass.cbWndExtra = 0; WndClass.hbrBackground = (HBRUSH)(COLOR_BTNFACE + 1); WndClass.hCursor = LoadCursor(NULL, IDC_ARROW); WndClass.hIcon = LoadIcon(NULL, IDI_APPLICATION); WndClass.hInstance = hInstance; WndClass.lpfnWndProc = (WNDPROC)WndProc; WndClass.lpszClassName = lpszClass; WndClass.lpszMenuName = MAKEINTRESOURCE(IDR_MENU1); WndClass.style = CS_HREDRAW | CS_VREDRAW; RegisterClass(&WndClass); hWnd = CreateWindow(lpszClass, lpszClass, WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU | WS_MINIMIZEBOX | WS_CLIPCHILDREN, 100, 100, 550, 310, NULL, (HMENU)NULL, hInstance, NULL); ShowWindow(hWnd, nCmdShow); g_hWndMain = hWnd; while ( GetMessage(&Message, 0, 0, 0)) { TranslateMessage(&Message); DispatchMessage(&Message); } return Message.wParam; } // Child 윈도우 컨트롤 #define ID_LISTBOX 100 #define ID_EDIT 101 #define ID_BUTTON 102 HWND hList; HWND hButton; HWND hStatic; HWND hStatic2; HWND hEDtp; HWND hSDtp; HWND hState; HWND hsTime; HWND heTime; // 윈도우 메시지 처리 프로시저 함수 정의 LRESULT CALLBACK WndProc(HWND hWnd, UINT iMessage, WPARAM wParam, LPARAM lParam) { HKEY key; OPENFILENAME ofn; HANDLE fichier; int i_dummy; char psz_text[TEXTMAXBUF]; char entry_item[TEXTMAXBUF]; char szFileName[NMAXFILE] = ""; char start_time[255]; char end_time[255]; char str[MAX_PATH]; char sHourTimeString[4] = { 0 }; char eHourTimeString[4] = { 0 }; DWORD sHourTime = 0; DWORD eHourTime = 0; DWORD entry_count = 0; LVCOLUMN COL; LVITEM LI; switch (iMessage) { case WM_CREATE: //InitCommonControls(); INITCOMMONCONTROLSEX InitCtrlEx; InitCtrlEx.dwSize = sizeof(INITCOMMONCONTROLSEX); InitCtrlEx.dwICC = ICC_PROGRESS_CLASS | ICC_BAR_CLASSES | ICC_LISTVIEW_CLASSES | ICC_DATE_CLASSES; InitCommonControlsEx(&InitCtrlEx); hList = CreateWindow(WC_LISTVIEW, NULL, WS_CHILD | WS_VISIBLE | WS_BORDER | LVS_REPORT, 10, 50, 530, 200, hWnd, NULL, g_hInst, NULL); hSDtp = CreateWindow(DATETIMEPICK_CLASS, "기간_시작", WS_BORDER | WS_CHILD | WS_VISIBLE | DTS_SHORTDATEFORMAT, 30, 10, 100, 25, hWnd, NULL, g_hInst, NULL); hsTime = CreateWindow(DATETIMEPICK_CLASS, "기간_시작", WS_BORDER | WS_CHILD | WS_VISIBLE | DTS_TIMEFORMAT, 130, 10, 100, 25, hWnd, NULL, g_hInst, NULL); hStatic = CreateWindow("static","~", WS_CHILD | SS_CENTER | WS_VISIBLE, 240, 15, 10, 25, hWnd, (HMENU)-1, g_hInst, NULL); hEDtp = CreateWindow(DATETIMEPICK_CLASS, "기간_종료", WS_BORDER | WS_CHILD | WS_VISIBLE | DTS_SHORTDATEFORMAT, 260, 10, 100, 25, hWnd, NULL, g_hInst, NULL); heTime = CreateWindow(DATETIMEPICK_CLASS, "기간_시작", WS_BORDER | WS_CHILD | WS_VISIBLE | DTS_TIMEFORMAT, 360, 10, 100, 25, hWnd, NULL, g_hInst, NULL); hButton = CreateWindow("Button","Check", WS_CHILD | WS_VISIBLE | BS_PUSHBUTTON, 480, 10, 50, 25, hWnd, (HMENU)ID_BUTTON, g_hInst, NULL); //hStatic2=CreateWindow("static", NULL, WS_CHILD | WS_VISIBLE | SS_SIMPLE | SS_GRAYRECT, //10, 250, 530, 280, hWnd, NULL, g_hInst, NULL); hState = CreateStatusWindow(WS_CHILD | WS_VISIBLE, "Written by Kim, Tae Hoon(kimfrancesco@gmail.com) - registry 생성/변경 날짜 체크 툴", hWnd, 0); COL.mask = LVCF_FMT | LVCF_WIDTH | LVCF_TEXT | LVCF_SUBITEM; COL.fmt = LVCFMT_LEFT; COL.cx = 150; COL.pszText = "ROOT KEY"; COL.iSubItem = 0; SendMessage(hList, LVM_INSERTCOLUMN, 0, (LPARAM)&COL); COL.pszText = "SUB KEY"; COL.iSubItem = 1; SendMessage(hList, LVM_INSERTCOLUMN, 1, (LPARAM)&COL); COL.cx = 300; COL.pszText = "Time(Create/Modify)"; COL.iSubItem = 2; SendMessage(hList, LVM_INSERTCOLUMN, 2, (LPARAM)&COL); return 0; case WM_COMMAND: switch(LOWORD(wParam)) { case ID_BUTTON: SYSTEMTIME s_tm; SYSTEMTIME e_tm; SYSTEMTIME s_time; SYSTEMTIME e_time; DateTime_GetSystemtime(hSDtp, &s_tm); DateTime_GetSystemtime(hEDtp, &e_tm); DateTime_GetSystemtime(hsTime, &s_time); DateTime_GetSystemtime(heTime, &e_time); s_tm.wHour = 0; e_tm.wHour = 0; s_tm.wHour = s_time.wHour; e_tm.wHour = e_time.wHour; s_tm.wMinute = s_time.wMinute; e_tm.wMinute = e_time.wMinute; s_tm.wSecond = s_time.wSecond; e_tm.wSecond = e_time.wSecond; start_time_value = GetAbsDayfromsystime(s_tm); end_time_value = GetAbsDayfromsystime(e_tm); SendMessage(hList, LVM_DELETEALLITEMS, 0, (LPARAM)&LI); for (entry_count; entry_count<sizeof(HKEY_ENTRY)/sizeof(HKEY); entry_count++) { RegEnum(&HKEY_ENTRY[0], entry_count, ""); } break; case ID_FILE_SAVE40001: memset(&(ofn), 0, sizeof(ofn)); ofn.lStructSize = sizeof(ofn); ofn.hwndOwner = hWnd; ofn.lpstrFile = szFileName; ofn.nMaxFile = NMAXFILE; ofn.lpstrFilter = "Text (*.txt)\0*.txt\0"; ofn.lpstrTitle = "Save File As"; ofn.Flags = OFN_HIDEREADONLY; ofn.lpstrDefExt = "txt"; if ( GetSaveFileName( (LPOPENFILENAME) &ofn)) { fichier = CreateFile(ofn.lpstrFile, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if ( fichier != INVALID_HANDLE_VALUE ) { int idx, n; for ( idx = 0; idx < ListView_GetItemCount(hList); idx++ ) { memset(entry_item, 0, sizeof(entry_item)); for ( n = 0; n < 3; n++ ) { memset(psz_text, 0, sizeof(psz_text)); ListView_GetItemText(hList, idx, n, psz_text, TEXTMAXBUF); if ( n == 0 ) { lstrcpy(entry_item, psz_text); lstrcat(entry_item, "\t\t"); } else { lstrcat(entry_item, "\t"); lstrcat(entry_item, psz_text); } } lstrcat(entry_item,"\r\n"); WriteFile(fichier, entry_item, strlen(entry_item), (LPDWORD)&i_dummy, NULL); } FlushFileBuffers(fichier); CloseHandle(fichier); } } break; case ID_FILE_EXIT: DestroyWindow(hWnd); break; } return 0; case WM_SIZE: //MoveWindow(hEdit, 10, 10, LOWORD(lParam) - 130, 25, TRUE); //MoveWindow(hButton, LOWORD(lParam) - 110, 10, 100, 25, TRUE); //MoveWindow(hList, 10, 50, LOWORD(lParam)-20, HIWORD(lParam)-80, TRUE); //MoveWindow(hStatic, 10, HIWORD(lParam)-30, LOWORD(lParam)-20, 25, TRUE); SendMessage(hState, WM_SIZE, wParam, lParam); return 0; // case WM_MOVE: // SetStatusText(hWnd); case WM_DESTROY: PostQuitMessage(0); return 0; } return (DefWindowProc(hWnd, iMessage, wParam, lParam)); } void RegEnum(HKEY *PHKEY_ENTRY, DWORD entry_count, char *str) { char lpSubKey[MAX_PATH]; char lpValue[MAX_PATH]; char key_path[4096]; DWORD i; LONG Result; DWORD Size; FILETIME FileTime; FILETIME LC_FileTime; SYSTEMTIME SysTime; HKEY key; char path_buffer[4096]={0}; DWORD crmd_time_value = 0; LVITEM LI; DWORD item_index = 0; char crmd_time[32] = { 0 }; char root_key[32] = { 0 }; if ( RegOpenKeyEx((HKEY)PHKEY_ENTRY[entry_count], str, 0, KEY_ALL_ACCESS, &key) != ERROR_SUCCESS) return ; LI.mask = LVIF_TEXT; LI.state = 0; LI.stateMask = 0; switch( (DWORD)PHKEY_ENTRY[entry_count]) { case (DWORD)HKEY_CURRENT_USER: strncpy(root_key, "HKEY_CURRENT_USER", sizeof(root_key)); break; case (DWORD)HKEY_LOCAL_MACHINE: strncpy(root_key, "HKEY_LOCAL_MACHINE", sizeof(root_key)); break; case (DWORD)HKEY_USERS: strncpy(root_key, "HKEY_USERS", sizeof(root_key)); break; case (DWORD)HKEY_CURRENT_CONFIG: strncpy(root_key, "HKEY_CURRENT_CONFIG", sizeof(root_key)); break; } // 서브키의 목록의 조사해 리스트 박스에 채워 넣는다. Result=ERROR_SUCCESS; for (i=0;Result==ERROR_SUCCESS;i++) { Size=MAX_PATH; Result=RegEnumKeyEx(key,i,lpSubKey,&Size,NULL,NULL,NULL,&FileTime); if (Result==ERROR_SUCCESS) { if ( ! strcmp(str, "") ) { wsprintf(path_buffer, "%s",lpSubKey); }else { wsprintf(path_buffer, "%s\\%s", str, (char *)lpSubKey); } wsprintf(key_path,"%s\\%s", root_key, path_buffer); // 진행 상황 출력 SendMessage(hState, SB_SETTEXT, 0, (LPARAM)key_path); FileTimeToLocalFileTime(&FileTime, &LC_FileTime); FileTimeToSystemTime(&LC_FileTime,&SysTime); crmd_time_value = GetAbsDayfromsystime(SysTime); if ( crmd_time_value >= start_time_value && crmd_time_value <= end_time_value) { wsprintf(crmd_time,"%d-%d-%d:%d-%d-%d",SysTime.wYear, SysTime.wMonth, SysTime.wDay,SysTime.wHour, SysTime.wMinute, SysTime.wSecond); for ( item_index = 0; item_index < 3; item_index ++ ) { LI.iSubItem = item_index; if ( ! item_index ) { LI.iItem = 0; LI.pszText =root_key; SendMessage(hList, LVM_INSERTITEM, 0, (LPARAM)&LI); } if ( item_index == 1 ) { LI.pszText = path_buffer; SendMessage(hList, LVM_SETITEM, 0, (LPARAM)&LI); } if ( item_index == 2 ) { LI.pszText = crmd_time; SendMessage(hList, LVM_SETITEM, 0, (LPARAM)&LI); } } } RegEnum(PHKEY_ENTRY, entry_count, path_buffer); } } RegCloseKey(key); } DWORD GetAbsDayfromsystime(SYSTEMTIME st) { INT64 i64; FILETIME fst; char debug_msg[16] = {0 }; st.wMilliseconds=st.wDayOfWeek=0; SystemTimeToFileTime(&st,&fst); i64=(((INT64)fst.dwHighDateTime) << 32) + fst.dwLowDateTime; i64 = i64 / 10000000 - (INT64)144000 * 86400; return (DWORD)i64; }

보안컨설턴트이신 김태훈 님의 작품

EnCase의 Registry Scan이나 Timeline Analysis로도 가능하지만...

소스까지 공개해주시다니 넘넘 감사합니다.

출처 : http://blog.paran.com/franc3sco/33307420

한 시스템에서 IE5.5 에서 IE8까지 테스트 가능


꽤 쓸만할 듯 합니다.

IE7이 설치된 XP, VISTA, Win7에서 동작한다는군요.

http://www.my-debugbar.com/wiki/IETester/HomePage