This post was last edited by sairen139 on 2021-12-20 14:18
Notes from adding the 64-bit WordPad (wordpad.exe) to a bare-bones PE built from WinRE, in the hope they help those who come after
The starting point was that I did not want to go to great lengths to add something as large as an Office suite to an 88 MB bare-bones network-boot PE. It occurred to me that the WordPad program shipped with Windows, long overshadowed by Word, would do nicely.
wordpad.exe is only a little over 2 MB, and WordPad can create, open and edit Word documents in the .docx format, which is quite handy in a PE where you occasionally need to view, edit or create documents of that format.
Notes on the process of adding the 64-bit wordpad.exe: first I used a dependency-lookup tool to find the files wordpad.exe depends on within the PE, then added those files to the bare-bones build, but WordPad still would not run. Later I found that @我是小青蛙's PE could run WordPad and open .docx files normally with just a few WordPad files added. Delighted, I trimmed 小青蛙's PE down to a bare-bones build of a little over 100 MB that could still open the 64-bit wordpad.exe. I then added files to my own bare-bones build until it matched the trimmed 小青蛙 PE exactly, yet my bare-bones PE trimmed from WinRE still could not open the 64-bit WordPad.exe. Only after asking @我是小青蛙 did I learn that the one registry hive he had not taken from WinRE was SOFTWARE: he used the 63 MB SOFTWARE hive from install.wim. After I copied that 63 MB SOFTWARE hive over the 9 MB SOFTWARE file in my own bare-bones build, wordpad.exe did indeed open. So the only difference lay in the SOFTWARE registry hive. Later, according to @slore, the Classes section of SOFTWARE needs supplementary registry fragments; I will test that when I have time.
In the end, adding the following 48 dependency files for the 64-bit WordPad (wordpad.exe) component to the bare-bones PE was enough:
\Program Files\Windows NT\Accessories\wordpad.exe
\Program Files\Windows NT\Accessories\WordpadFilter.dll
\Program Files\Windows NT\Accessories\zh-CN\wordpad.exe.mui
\Windows\SYSTEM32\shellstyle.dll
\Windows\SYSTEM32\UIRibbon.dll
\Windows\SYSTEM32\UIRibbonRes.dll
\Windows\SYSTEM32\OpcServices.dll
\Windows\SYSTEM32\ADVAPI32.dll
\Windows\SYSTEM32\bcrypt.dll
\Windows\SYSTEM32\bcryptPrimitives.dll
\Windows\SYSTEM32\combase.dll
\Windows\SYSTEM32\COMDLG32.dll
\Windows\SYSTEM32\dwmapi.dll
\Windows\SYSTEM32\GDI32.dll
\Windows\SYSTEM32\gdi32full.dll
\Windows\SYSTEM32\iertutil.dll
\Windows\SYSTEM32\IMM32.DLL
\Windows\SYSTEM32\kernel.appcore.dll
\Windows\SYSTEM32\KERNEL32.DLL
\Windows\SYSTEM32\KERNELBASE.dll
\Windows\SYSTEM32\MFC42u.dll
\Windows\SYSTEM32\MSCTF.dll
\Windows\SYSTEM32\MSFTEDIT.DLL
\Windows\SYSTEM32\msvcp_win.dll
\Windows\SYSTEM32\msvcrt.dll
\Windows\SYSTEM32\msxml3.dll
\Windows\SYSTEM32\ntdll.dll
\Windows\SYSTEM32\ntmarta.dll
\Windows\SYSTEM32\OLE32.dll
\Windows\SYSTEM32\oleacc.dll
\Windows\SYSTEM32\OLEAUT32.dll
\Windows\SYSTEM32\PROPSYS.dll
\Windows\SYSTEM32\RPCRT4.dll
\Windows\SYSTEM32\sechost.dll
\Windows\SYSTEM32\shcore.dll
\Windows\SYSTEM32\SHELL32.dll
\Windows\SYSTEM32\SHLWAPI.dll
\Windows\SYSTEM32\TextShaping.dll
\Windows\SYSTEM32\ucrtbase.dll
\Windows\SYSTEM32\urlmon.dll
\Windows\SYSTEM32\USER32.dll
\Windows\SYSTEM32\uxtheme.dll
\Windows\SYSTEM32\win32u.dll
\Windows\SYSTEM32\windows.storage.dll
\Windows\SYSTEM32\windowscodecs.dll
\Windows\SYSTEM32\WINMM.dll
\Windows\SYSTEM32\WINSPOOL.DRV
\Windows\SYSTEM32\wintypes.dll
\Windows\SYSTEM32\Wldp.dll
\Windows\SYSTEM32\WS2_32.dll
\Windows\SYSTEM32\XmlLite.dll
PS: for the language resource files in \Windows\System32\zh-CN that correspond to these dependency DLLs, add the matching .mui file for each DLL yourself.
There is also the optional \Windows\write.exe, which is only used to launch wordpad.exe; leaving it out does not affect the use of WordPad.
The specific registry entries that finally took effect after offline injection into WinRE.wim are just the following three lines:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{0F7434B6-59B6-4250-999E-D168D6AE4293}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{32665929-D77E-4ab5-8C08-FBF409B8A233}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{926749fa-2615-4987-8845-c33e65f2b957}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}]
@="rtf persistent handler"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{e2403e98-663b-4df6-b234-687789db8560}"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{3037B4CD-A40B-401B-B676-2017EE8FAFF4}]
@="Wordpad DOCX Filter"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{3037B4CD-A40B-401B-B676-2017EE8FAFF4}\InprocServer32]
@="X:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{6047F837-D527-467E-9DC1-6D51F92D9E45}]
@="Wordpad ODT Filter"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{6047F837-D527-467E-9DC1-6D51F92D9E45}\InprocServer32]
@="X:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}]
@="Wordpad OOXML Document Filter"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{3037B4CD-A40B-401B-B676-2017EE8FAFF4}"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}]
@="Wordpad ODT Document Filter"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{6047F837-D527-467E-9DC1-6D51F92D9E45}"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.docx]
@="docxfile"
"PerceivedType"="document"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.docx\OpenWithList\WordPad.exe]
@=""

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.docx\PersistentHandler]
@="{698A4FFC-63A3-4E70-8F00-376AD29363FB}"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile]
@="OOXML Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
2e,00,45,00,58,00,45,00,2c,00,2d,00,33,00,30,00,30,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,2c,00,32,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell]

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell\print\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,2f,00,70,00,20,00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell\printto\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,2f,00,70,00,74,00,20,00,22,00,25,00,31,00,22,00,20,00,22,\
00,25,00,32,00,22,00,20,00,22,00,25,00,33,00,22,00,20,00,22,00,25,00,34,00,\
22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt]
@="odtfile"
"PerceivedType"="document"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt\OpenWithList\WordPad.exe]
@=""

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt\PersistentHandler]
@="{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile]
@="ODF Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
2e,00,45,00,58,00,45,00,2c,00,2d,00,33,00,30,00,31,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,2c,00,33,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\open]

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\print\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,2f,00,70,00,20,00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\printto\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,2f,00,70,00,74,00,20,00,22,00,25,00,31,00,22,00,20,00,22,\
00,25,00,32,00,22,00,20,00,22,00,25,00,33,00,22,00,20,00,22,00,25,00,34,00,\
22,00,00,00

[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf]
@="rtffile"
"PerceivedType"="document"

[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf\OpenWithList\WordPad.exe]
@=""

[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf\PersistentHandler]
@="{2e2294a9-50d7-4fe7-a09f-e6492e185884}"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile]
@="Rich Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
2e,00,45,00,58,00,45,00,2c,00,2d,00,31,00,39,00,30,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\CLSID]
@="{73FDDC80-AEA9-101A-98A7-00AA00374959}"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,2c,00,31,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\shell]

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\shell\print\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,2f,00,70,00,20,00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\shell\printto\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,2f,00,70,00,74,00,20,00,22,00,25,00,31,00,22,00,20,00,22,\
00,25,00,32,00,22,00,20,00,22,00,25,00,33,00,22,00,20,00,22,00,25,00,34,00,\
22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]
@="{a42c2ccb-67d3-46fa-abe6-7d2f3488c7a3}"
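Before importing a fragment like the one above into an offline hive, it is worth knowing exactly which modules and commands it registers, and the hex(2) values (REG_EXPAND_SZ stored as comma-separated UTF-16LE bytes) are not readable as written. The following Python script is an added example, not code from this post or its author: it parses a .reg fragment, decodes the hex(2), dword and quoted-string value forms, and cross-checks every InprocServer32 module path against the dependency file list given earlier, so that a CLSID registration pointing at a DLL the PE does not ship is caught before the image is rebuilt. The embedded sample is a constructed subset of the post's own fragment and file list, and the function names (parse_reg, decode_value, inproc_modules, missing_modules) are the example's own.

```python
import re

# Constructed sample: a few verbatim sections of the post's .reg fragment,
# kept short so the script runs offline without the real hive.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{0F7434B6-59B6-4250-999E-D168D6AE4293}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{3037B4CD-A40B-401B-B676-2017EE8FAFF4}\InprocServer32]
@="X:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile]
@="OOXML Text Document"
"EditFlags"=dword:00200000

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00
'''

# Constructed subset of the 48-file dependency list from the post.
SHIPPED_FILES = [
    r'\Program Files\Windows NT\Accessories\wordpad.exe',
    r'\Program Files\Windows NT\Accessories\WordpadFilter.dll',
    r'\Windows\SYSTEM32\UIRibbon.dll',
    r'\Windows\SYSTEM32\UIRibbonRes.dll',
    r'\Windows\SYSTEM32\MFC42u.dll',
]


def _join_continuations(text):
    """Fold the trailing-backslash line continuations regedit uses for long values."""
    return re.sub(r'\\\r?\n[ \t]*', '', text)


def _hex_bytes(csv):
    return bytes(int(b, 16) for b in csv.split(',') if b.strip())


def decode_value(raw):
    """Decode one value exactly as written in a .reg file into a Python object."""
    if raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: regedit escapes backslashes and double quotes with a backslash
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if m:
        kind = int(m.group(1) or '3')   # bare "hex:" is REG_BINARY (type 3)
        data = _hex_bytes(m.group(2))
        if kind in (1, 2):              # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
            return data.decode('utf-16-le').rstrip('\x00')
        return data
    raise ValueError('unrecognised value syntax: ' + raw)


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for every section in the fragment."""
    keys = {}
    current = None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith(('Windows Registry Editor', ';')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, _, raw = line.partition('=')
        name = '@' if name == '@' else name.strip('"')   # '@' is the key's default value
        keys[current][name] = decode_value(raw)
    return keys


def inproc_modules(keys):
    """Map each CLSID InprocServer32 key to the module path COM will load for it."""
    return {k: v['@'] for k, v in keys.items()
            if k.lower().endswith('\\inprocserver32') and '@' in v}


def missing_modules(keys, shipped_files):
    """File names referenced by InprocServer32 that the PE file list does not ship."""
    shipped = {p.rsplit('\\', 1)[-1].lower() for p in shipped_files}
    referenced = {path.rsplit('\\', 1)[-1].lower() for path in inproc_modules(keys).values()}
    return sorted(referenced - shipped)


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    for key, path in inproc_modules(parsed).items():
        print(f'{key}\n    -> {path}')
    print('missing from PE file list:', missing_modules(parsed, SHIPPED_FILES) or 'none')
```

Run it against the full fragment and the full 48-file list to audit the whole post; the comparison is by file name only, because the UIRibbon entries use %SystemRoot% while the WordpadFilter entries hard-code X:\, and the point of the check is whether the module exists in the image at all.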