Forwarded from UNDERCODE SECURITY
The role of this command is to write the backed-up registry key to "ziqidong.txt", so that if a virus is suspected of adding a self-starting (autostart) item, you can export the autostart values again later and use the FC command introduced above to compare the two txt files before and after. New self-starting items then stand out immediately.
1) Use reg delete to delete the newly added self-starting key.
For example: using the method above, you find in [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] a "Logon" self-starting item whose startup program is "c:\windows\winlogon.exe". Now enter the following command to delete the virus's self-starting key (make sure the hive named in the command matches the hive where you found the entry):
reg delete HKLM\software\Microsoft\Windows\CurrentVersion\Run /f
2) Use reg import to restore the registry.
Because reg delete removed the entire Run key (every value under it, not only the virus entry), you now use the backup .reg file to restore it. Enter the following command to quickly restore the registry:
reg import f:\hklmrun.reg
3) The above introduces several system commands for manual antivirus work. In fact, as long as these commands are used well, we can deal with most viruses by hand. Of course, we must make backups as a matter of routine.
Tip: The above operations can also be carried out by hand in the registry editor, but the REG command has the advantage that even if the registry editor has been disabled by a virus, you can still use the commands above to export, delete and import keys, and faster!
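As an added example (not code from the original post), this script does what the FC comparison above does, but on two exported .reg files of the Run key and reporting only the autostart values that were added or changed. The two .reg texts are constructed samples; the key path, value names and the "Logon" entry mirror the post's scenario.

```python
import re
from typing import Dict

# Constructed samples: a baseline export taken before infection and a later
# export of the same key.  A real `reg export` writes UTF-16LE with a BOM, so
# read such files with encoding="utf-16" before passing the text in.
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Logon"="c:\\windows\\winlogon.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: raw_data}}.
    Only single-line named values (the kind a Run key holds) are handled;
    the "@" default value and multi-line hex(...) data are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def new_autostart_entries(baseline: str, current: str) -> Dict[str, Dict[str, str]]:
    """Return {key: {value_name: data}} for values present in `current` but
    absent from, or different in, `baseline`: exactly the candidates the post
    tells you to look at after a suspected infection."""
    before = parse_reg(baseline)
    after = parse_reg(current)
    diff: Dict[str, Dict[str, str]] = {}
    for key, values in after.items():
        old = before.get(key, {})
        changed = {n: d for n, d in values.items() if old.get(n) != d}
        if changed:
            diff[key] = changed
    return diff


if __name__ == "__main__":
    for key, values in new_autostart_entries(BASELINE_REG, CURRENT_REG).items():
        for name, data in values.items():
            # Each hit is a value to inspect and, once confirmed, remove with
            # `reg delete "<key>" /v "<name>" /f`; the /v switch limits the
            # deletion to that one value instead of the whole Run key.
            print(f"[{key}] new/changed autostart value {name!r} -> {data}")
```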
4) Bundled Trojans: FIND
The above introduced the use of system commands to deal with ordinary viruses; the following introduces the "FIND" command for detecting bundled Trojans.
Many netizens have probably run into bundled Trojans. These "wolves in sheep's clothing" often hide behind pictures, FLASH animations and even music files.
When we open such a file, although what is displayed in the current window really is a picture (or a playing FLASH), the Trojan is already quietly running in the background.
For example, recently I received a "Super Girl" wallpaper from a friend on QQ, but when I opened the picture, I found that although it opened in the "Picture and Fax Viewer", the hard disk indicator kept flashing.
Obviously, when I opened the picture, an unknown program was running in the background.
Now use the FIND command to check whether the picture is bundled with a Trojan, and type:
FIND /c /I "This program" g:\chaonv.jpe.exe
where g:\chaonv.jpe.exe is the file to be checked.
The prompt returned by the FIND command is "---------- G:\CHAONV.EXE: 2", which indicates that G:\CHAONV.EXE does indeed have another file bundled into it.
This works because every Windows executable carries the DOS stub text "This program cannot be run in DOS mode", so FIND /c effectively counts the executables inside the file: for an EXE file the return value should be "1" under normal circumstances; for a non-executable file it should be "0"; any other result deserves attention.
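The FIND trick above counts DOS-stub strings. As an added example (not from the original post), this scanner generalises it: it walks every "MZ" header in a file, validates each through the e_lfanew field to a "PE\0\0" signature, and reports where each embedded PE image starts, so a second executable appended to a picture is found even if its stub text was altered. The sample blobs are constructed and are not real executables.

```python
import struct
from typing import List

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def _fake_pe(payload: bytes) -> bytes:
    """Build a minimal PE-shaped blob: 'MZ' header, e_lfanew at 0x3C pointing
    at a 'PE\\0\\0' signature, DOS stub text in between.  Constructed for the
    demo only; it is not a loadable executable."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    stub = b"\r\n" + DOS_STUB_TEXT + b".\r\n$"
    pe_offset = len(header) + len(stub)
    struct.pack_into("<I", header, 0x3C, pe_offset)
    return bytes(header) + stub + b"PE\0\0" + payload


def pe_offsets(data: bytes) -> List[int]:
    """Offsets of every validated PE header in `data`: an 'MZ' whose e_lfanew
    points at 'PE\\0\\0' inside the file."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig = pos + e_lfanew
            if sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\0\0":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def count_dos_stubs(data: bytes) -> int:
    """What FIND /c "This program" effectively counts."""
    return data.count(DOS_STUB_TEXT)


def classify(data: bytes) -> str:
    """The post's rule of thumb: 0 = not an executable, 1 = a normal EXE,
    2 or more = another executable is bundled inside."""
    n = len(pe_offsets(data))
    if n == 0:
        return "not an executable"
    if n == 1:
        return "single executable"
    return f"bundled: {n} PE images"


# Constructed samples: a JPEG-like file, a single EXE, and a "wallpaper"
# dropper made of one EXE with picture bytes and a second EXE appended.
JPEG_ONLY = b"\xff\xd8\xff\xe0" + b"\x00" * 64
SINGLE_EXE = _fake_pe(b"\x00" * 32)
BUNDLED_EXE = _fake_pe(b"\x00" * 32) + JPEG_ONLY + _fake_pe(b"\x11" * 32)

if __name__ == "__main__":
    for name, blob in (("jpeg", JPEG_ONLY), ("exe", SINGLE_EXE), ("bundled", BUNDLED_EXE)):
        print(name, count_dos_stubs(blob), pe_offsets(blob), classify(blob))
```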
Tip: In fact, many bundled Trojans exploit Windows' default "Hide extensions for known file types" setting to confuse us; "chaonv.jpe.exe" in this example fools people because the file uses the JPG file icon.
Open "My Computer", click "Tools → Folder Options", click the "View" tab, and remove the check mark in front of "Hide extensions for known file types" to see the wolf's true face.
Summary
Finally, let's summarize the manual virus-removal process:
Use TASKLIST to back up the process list → find the virus through the FC comparison of the files → use NETSTAT to determine the process → use FIND to terminate the process → search for the virus file and delete it → use the REG command to repair the registry.
In this way, from discovering the virus, to deleting it, to repairing the registry, you have completed the entire manual virus detection and removal process. Have you learned it? For more tutorials, please follow Script House!
FULL MALWARE GUIDE WRITTEN BY UNDERCODE
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
Tip: can law enforcement recover deleted files?
1) Before we dive into the technical issues, it is worth discussing the boring procedural and legal aspects of computer forensics in a law enforcement context.
2) First, let's dispel the old myth that a law enforcement officer always needs a warrant to check a digital device like a phone or computer. While this is usually the case, many loopholes (for lack of a better word) can be found in the structure of the law.
3) Many jurisdictions, such as the United Kingdom and the United States, allow customs and immigration officials to inspect electronic devices without a warrant. US border officers can also examine the contents of devices without a warrant if there is a threat of destruction of evidence, as confirmed by a 2018 Eleventh Circuit decision.
4) Compared to their American counterparts, British police officers tend to have more ability to seize the contents of devices without seeking the help of a judge or magistrate. They can, for example, download phone content under a piece of legislation called the Police and Criminal Evidence Act (PACE), regardless of whether any charges are filed. However, if the police ultimately decide that they wish to examine the contents, they will need court permission.
5) The legislation also gives the UK police the right to inspect devices without a warrant in certain urgent circumstances, for example in terrorism cases or when there is real reason to believe that a child may have been sexually abused.
6) Ultimately, however it happens, confiscating a computer is simply the beginning of a lengthy process that starts with placing a laptop or phone in a tamper-proof plastic bag and often ends with the presentation of evidence in the courtroom.
7) The police must adhere to a set of rules and procedures to ensure the admissibility of evidence. Forensic teams document their every action so that other experts can repeat the same steps if necessary and achieve the same results. They use special tools to ensure the integrity of the files. One example is a "write blocker", which lets forensic experts retrieve information while protecting the evidence under investigation against inadvertent alteration.
8) The success of a computer forensic investigation is determined by its legal basis and the rigor of its procedures, not by technical complexity.
Despite the legal hurdles, it is interesting to note the many factors that determine how easily deleted files can be recovered by law enforcement agencies. These include the type of disk used, whether encryption was used, and the file system on the disk.
Take hard drives, for example. Although they have been largely overtaken by faster solid state drives (SSDs), mechanical hard drives (HDDs) have been the predominant storage mechanism for over 30 years.
Hard drives use magnetic platters to store data. If you've ever taken apart a hard drive, you've probably noticed that a platter looks a bit like a CD: round and silver in color.
In use, these platters rotate at incredible speeds, typically 5400 or 7200 rpm, and in some cases even 15000 rpm. Special "heads" positioned over the platters perform the read and write operations. When you save a file to disk, the head moves to a specific part of the platter and converts an electric current into a magnetic field, thereby changing the magnetic state of that spot on the platter.
But how does the head know where to go? It consults a so-called allocation table, which contains a record of every file stored on the disk. But what happens when a file is deleted?
Short answer? Very little.
Here's the long answer: the file's entry is removed from the allocation table, which marks the space it occupied on the disk as free to be overwritten later. However, the data itself remains physically present on the magnetic platters and is only really gone when new data is written to that particular location (that is, when other information overwrites that spot on the disk).
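As an added example (not part of the original post), the toy disk below models exactly this behaviour: an allocation table maps file names to clusters, deleting a file only drops its table entry, and a forensic-style signature carve still finds the bytes on the "platter" until another file overwrites those clusters. The disk, the file contents and the cluster sizes are all constructed; this is a model, not a real file system driver.

```python
from typing import Dict, List, Optional

CLUSTER = 8                    # bytes per cluster (tiny, for readability)
NUM_CLUSTERS = 16
JPEG_MAGIC = b"\xff\xd8\xff"   # real JPEG start-of-image signature


class ToyDisk:
    def __init__(self) -> None:
        self.platter = bytearray(NUM_CLUSTERS * CLUSTER)   # raw media
        self.table: Dict[str, List[int]] = {}              # allocation table

    def _free_clusters(self) -> List[int]:
        used = {c for chain in self.table.values() for c in chain}
        return [c for c in range(NUM_CLUSTERS) if c not in used]

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // CLUSTER)                  # ceiling division
        free = self._free_clusters()
        if needed > len(free):
            raise OSError("disk full")
        chain = free[:needed]
        for i, c in enumerate(chain):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.platter[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.table[name] = chain

    def delete(self, name: str) -> None:
        # Only the table entry goes; the platter bytes are left untouched.
        del self.table[name]

    def read(self, name: str) -> Optional[bytes]:
        chain = self.table.get(name)
        if chain is None:
            return None
        return b"".join(bytes(self.platter[c * CLUSTER:(c + 1) * CLUSTER]) for c in chain)

    def carve(self, magic: bytes, length: int) -> List[bytes]:
        """Forensic carving: ignore the table, scan raw clusters for a header
        signature and pull `length` bytes from each hit."""
        hits = []
        for c in range(NUM_CLUSTERS):
            start = c * CLUSTER
            if self.platter[start:start + len(magic)] == magic:
                hits.append(bytes(self.platter[start:start + length]))
        return hits


def demo() -> dict:
    photo = JPEG_MAGIC + b"photo-data-01"        # constructed 16-byte "JPEG"
    disk = ToyDisk()
    disk.write("photo.jpg", photo)
    disk.delete("photo.jpg")
    read_after_delete = disk.read("photo.jpg")   # the table no longer knows it
    carved_after_delete = disk.carve(JPEG_MAGIC, len(photo))   # still on the platter
    disk.write("notes.txt", b"X" * NUM_CLUSTERS * CLUSTER)    # fill every cluster
    carved_after_overwrite = disk.carve(JPEG_MAGIC, len(photo))  # now really gone
    return {"read_after_delete": read_after_delete,
            "carved_after_delete": carved_after_delete,
            "carved_after_overwrite": carved_after_overwrite}


if __name__ == "__main__":
    print(demo())
```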
New mobile phone batteries: charging for 12 hours the first three times is dangerous
#Tip
> How to choose a safe and reliable battery, and how to use a mobile phone battery correctly to reduce accidents?

> When buying a mobile phone or replacing its battery, the sales assistant will repeatedly insist: charge the battery for 12 hours each of the first three times, which can extend its service life. In fact, this way of using a mobile phone battery is quite wrong and can easily lead to danger. Mobile phone batteries, old or new, only need to be fully charged. If one is charged for twelve hours, the possibility of an explosion greatly increases.

> This also reminds us that we should stop as soon as the battery is fully charged. This is often ignored by consumers. Normally, charging a mobile phone for two to four hours is enough. Many consumers are in the habit of charging while they sleep at night and unplugging when they wake up the next day. In this way, the battery is charged for far longer than the normal charging time. Pick up a phone that has been charging all night and you can clearly feel that the battery is much warmer. This is a dangerous sign.

> To prevent mobile phone battery explosions, the most reliable measure is to use original batteries. At present, there are many substandard counterfeit mobile phone batteries on the market, and they are relatively cheap. Many consumers prefer these cheap "counterfeit batteries" when replacing a battery, which creates a hidden danger of battery accidents. Experts suggest that when you do replace your phone's battery, it is best to buy the original manufacturer's battery from a reputable store.

> In addition, high-temperature environments, violent impacts, and shorting the positive and negative terminals of the battery with a conductor can all easily cause a mobile phone battery to explode.

> Better safe than sorry. Mobile phones have become something we carry everywhere and in many cases cannot do without. Choosing and using mobile phone batteries correctly, avoiding accidents, and building a line of defense for our safety is the wish of every consumer.

> Finally, a warm reminder for consumers: try not to put the mobile phone directly in your pocket, so that even if an accident occurs there is a buffer zone to avoid possible injuries.
@UndercodeTesting
TODAY'S TOPICS:
COMMAND AND CONTROL WEBSITE/WMI
https://t.me/UnderCodeTesting/11804
https://t.me/UnderCodeTesting/11805
SQLMAP GUIDE & A LOT OF STUFF PDF
https://t.me/UnderCodeTesting/11806
Become a professional trader 4GB
https://t.me/UnderCodeTesting/11815
New mobile phone battery is dangerous to charge for 12 hours in the first three times #Tip
https://t.me/UnderCodeTesting/11816
run postfix with smtp authentication (sasldb) in a docker container. TLS and OpenDKIM support are optional #tool
https://t.me/UnderCodeTesting/11817
HACK ANY LINUX
https://t.me/UnderCodeTesting/11819
XSS-Finder: a super powerful and advanced cross-site scripting scanner
https://t.me/UnderCodeTesting/11820
How to find out the creation time of a file on Linux using Debugfs
https://t.me/UnderCodeTesting/11821
2020 Update #Decryption - A command line that recreates the famous data decryption effect seen in the 1992 movie Sneakers.
https://t.me/UnderCodeTesting/11822
How to track traffic from a smartphone using Wireshark & hack wifi/phone.... ALL VIDEOS
https://t.me/UnderCodeTesting/11823
Install TWRP on Android devices
https://t.me/UnderCodeTesting/11824
Lessons about databases
https://t.me/UnderCodeTesting/11825
Wifi Hacking/network applications 2020 new list
https://t.me/UnderCodeTesting/11826
How to configure Apache as an external proxy for Node.js
https://t.me/UnderCodeTesting/11827
What is DOM (Document Object Model)?
Setting up Android Studio and Emulators
Basics of adb
Decompiling apks
Insecure Logging
Hardcoding Issues
Insecure Data Storage
Input Validation Issues
Drozer
Finding Attack Surfaces
Access Control Issues
Content Provider Injections
General Bug Hunting Tips
https://t.me/UnderCodeTesting/11828
LEARN Awesome course
https://t.me/UnderCodeTesting/11829
Forwarded from UNDERCODE TESTING