my sexy new multifunctional bootable autorunning switchblade, drive.
Dec 18, 2007 Tech
So I've had my 4GB U3-enabled Cruzer Micro (I may actually buy a Cruzer Titanium because the plastic case feels a bit thin on this one) USB flash drive for a while now, and I'd been planning to set up a number of things on it:
- an implementation of switchblade.
- a portable applications menu.
- a bootable version of winPE.
I've just finished setting up all of these on my drive, and now it rocks.
The implementation of switchblade is pretty good as it's set to run completely from the U3 partition, so that any anti-virus software that thinks it's a virus can't delete any of the files, as the U3 partition is basically an emulated CD-ROM drive and as such is read only. Log files are saved to the flash partition of the drive, but they're hardly likely to be detected as viruses.
This autoruns in the background on the drive when I plug it in. No popup windows or anything, thanks to CHP.exe.
The options of this ‘payload’ are configurable from a configuration program that is kept on the root of the flash drive, which is handy. One improvement to this that I might consider looking into is packing some of the ‘detected’ files with a UPX packer or something similar; this should make them less detectable by anti-virus software.
Btw, for the uninformed, Switchblade is a set of applications and scripts set up in such a way that they run silently when the drive is plugged in. These scripts and applications rip & decrypt usernames and passwords for Windows, IE, Firefox, email accounts, IM accounts such as MSN/WML/IRC etc, /network usernames and passwords, wireless keys, internal and external IP addresses and probably a lot more. It also sets VNC up, as well as a mail server that sends email through a secure tunnel to a specified email address; the emails contain attachments of the files that are ripped from pendrives and USB drives that are plugged in after mine. Yeah, I'm nosey. There is an option to rip the contents of the My Documents folder to the pendrive too, but I've left that option disabled just in case the My Documents folder turns out to be like 8GB and then a copy error shows up; that’d be hard to explain lol.
The portable apps menu doesn't run automatically, but that's because it's contained in a portable TrueCrypt partition. When plugging the drive in, TrueCrypt will auto start up and ask me for a password to the partition; upon entering this password I have full access to a whole load of applications that I use normally on my home PC (the whole encrypted TrueCrypt partition only takes up 512MB so there's plenty of space). If I don't enter the password I can just use the drive as a normal storage drive if I don't need to access my applications. I'm also using a forked version of the portable apps menu which gives a lot more functionality and flexibility in terms of menu organisation.
The drive is also formatted as FAT (yes, just FAT) so that it can be set bootable; there is an installation of BartPE on the drive which boots when you plug the drive in. Unfortunately my motherboard doesn't support USB booting, so I haven't been able to test it. VMware doesn't give me much luck either, but it should work depending on whether the motherboard supports it; hopefully more motherboards will start to support it soon. This brings me onto my next project, which I will talk about in a bit.
Also, on both the U3 volume and the flash partition there are custom autorun.inf files that define custom context menu items and control what the default action is on a double click of that drive. I always hated that “autorun” or “autoplay” became the default action when there was a CD or autorun USB stick in the drive. So I've changed those back to “open”, which just opens the “Files” folder on the flash drive when you double click it. Same for both partitions, except for the U3 partition where it's the root of the drive. But you won't find much there as all the files have been hidden (as in hidden from Windows too; you can't access them from Explorer or DOS). The context menu entries include an option to run TrueCrypt and an option to dismount all TrueCrypt partitions, as well as the autorun option which I can't seem to get rid of, but that doesn't bother me really, and then there are the other useless options that Windows adds like explore and search. The autorun files also define the icon and the label for each drive. The icons are kept on the flash part so they don't default to Windows icons, but you know what Windows is like, it still refuses to set my virtual drives to the same icon as my actual optical drive, but never mind. The icons aren't a big deal tbh, just a nice feature.
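Seen from the defending side, the autorun.inf keys described above (default double-click action, context menu commands, icon, label) are exactly what to inspect on an unknown drive. The following is an added example, not code from this post or from Switchblade: a small auditor that separates the keys that launch something from the cosmetic ones. The sample file contents and all file names in it are constructed.

```python
import re

# Keys in the [autorun] section that make Windows run something on insert or
# on double click, as opposed to cosmetic keys such as icon and label.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.I)

def parse_autorun(text):
    """Return {key: value} for the [autorun] section (keys lower-cased)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text):
    """List the entries a defender should review before trusting the drive."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS:
            findings.append(("auto-exec", key, value))
        elif key == "shell":
            findings.append(("default-verb", key, value))
        elif SHELL_CMD.match(key):
            findings.append(("context-menu-command", key, value))
    return findings

# Constructed sample, not the author's actual file.
SAMPLE = """\
[autorun]
open=launcher.exe
icon=drive.ico
label=My Drive
shell=open
shell\\open\\command=explorer.exe Files
shell\\mount=Mount volume
shell\\mount\\command=tool.exe /mount
"""

if __name__ == "__main__":
    for kind, key, value in audit_autorun(SAMPLE):
        print(f"{kind:22} {key} = {value}")
```

Because the U3 partition presents itself as a CD-ROM drive, a Windows `NoDriveTypeAutoRun` policy only stops these keys from being processed if it covers CD-ROM drive types as well as removable ones.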
Some more technical details of how the drive is set up:
I used UltraISO to create a custom ISO to be ‘flashed’ to my U3 partition using universal customiser. My custom ISO is about 9.30MB so the original SanDisk installer won't work; I think it can only handle an ISO that's around 3-4MB.
The custom ISO contains:
- Smithtech applauncher.
- Custom autorun.inf
- Switchblade implementation.
The autorun file is set to automatically run applauncher on start. This application will then run the 3 programs defined in its configuration. The configuration file is kept on the flash partition. In addition to running the defined applications it will also set a system variable of my choosing (I chose “U3CD”). This means I can use %U3CD% in paths to certain files and applications and it will point to the letter currently assigned to the U3 partition of the pendrive. This is because the drive letter may change from PC to PC due to the different drive letter configurations.
The first application the applauncher runs is drivevar. This program is solely for setting a system variable (%PA_DRV%) from the flash partition of the USB drive. I don't mind that you can't customise this one though, it's still usable. This runs with the parameter -a, which will add the system variable without prompting the user.
The next application it runs is “chp.exe”. This small .exe file is used for creating and starting hidden processes, hence the name CHP (Create Hidden Process). This is run with the parameter of go.exe (this is a small .exe file I made myself that simply runs a .vbs file from the u3 flash partition). This is what starts the payload running. Yes, that is a long-winded way of getting it to run, but that's because applauncher has a few limitations when it comes to running programs/files. The applauncher can't run an application from the drive it's running from (e.g. the U3 partition) and it also seems it can run anything but .exe files (hence not being able to just put the vbs file on the flash partition, plus this saves it from deletion by an anti-virus as mentioned earlier).
The 3rd program that is set to run is TrueCrypt. This runs with a few parameters, which means it just pops up a password box asking for my password, which is handy.
The way the switchblade is implemented also has some error ‘management’ too. If for some reason the system variable for the U3 partition doesn't get set, instead of not doing anything or producing error messages on screen, it runs a substitute vbs file that simply pops up a dialog welcoming me. This is so that I know the payload hasn't run, but anyone watching would just think it was a cool ‘toy’ that I’d set up. This works because there is an identically named vbs file on the root of the flash drive; if the system variable isn't set then the .exe file assumes it should run the vbs file from “\” (current directory), which turns out to be the vbs file that pops up the “cool” welcome message.
As well as error management, the switchblade is set up to check for a certain file on the root of the C drive before running. If it finds this file it will not run (it won't do anything at all). This is so that I can plug the drive into my own machine safely without owning myself with my own payload :p
As I said earlier, the drive is formatted in FAT and has been set bootable. Also, the volume boot sector id has been set to 0x80; this is what makes the USB drive bootable (again, this depends on the motherboard/BIOS and whether it supports booting from USB devices).
To do all this I used PeToUSB. You’ll need a BartPE build source directory. This will copy BartPE to the disk too, so all you need to do is set up your BIOS to boot from USB, restart and test if it works.
As I said earlier, this brings me onto my next project:
A Bootable DOS CD.
Yes, I know it doesn't sound as exciting, but this will enable me to use my BartPE stick on a lot more computers. For example, if the computer doesn't support booting from USB devices, like mine, then I can boot from a CD and launch BartPE from that.
For this to work I’ll have to look into loading USB drivers in DOS and accessing devices from DOS.
Maybe set up an autorun so that when the CD boots up it automatically looks for the USB drive and boots BartPE from there automatically.
I’ll probably attempt this sometime in the new year, get Christmas over with first.
After that my next project will be something similar but with the ability to emulate drives or mount .iso files in DOS.
This is so I can create a customised version of a Windows install, maybe an unattended install, and install it from the USB drive, without having to carry around CDs all the time.
When I finally get one of these other projects finished, I may post here to say how I did it.
I might post a tutorial sometime on how to do this, although this post pretty much explains the majority of it.
That's all for now, folks.
Yes, that was a very long post.
In other news: I’ve recently discovered the awesomeness that is Ill Niño, it really is a mystery why I haven't heard of this band before.