When we type or run commands, we usually do it from CMD. It can be used to get into the registry and other hidden places in the system, so if a virus gets through cmd, the consequences are unimaginable. Can cmd be held in check?
1. Preface
Look at the intrusion reports on the network: most intrusions are carried out under cmd. The typical case is an overflow that yields a system-privilege cmdshell, after which Tcmd or another backdoor bound to cmd.exe is planted. There are also exploits of web applications that obtain a webshell, then use the low-privileged cmdshell to escalate privileges, and finally plant backdoors. All of these attacks show that intrusions are tied to cmd.exe: because cmd.exe is the interface through which a user interacts with the system, it is the primary target of an intruder entering the system. Of course we cannot just sit and wait. How do we stop others from getting a cmdshell through an overflow, how do we know that someone has entered the system and obtained a cmdshell, and how do we catch the intruder when someone logs in to our machine? Let us now build the ultimate line of defense for cmd.
2. Principle
One of the common preventive methods seen on the network is to set permissions on cmd.exe. It really can play a big role, but the right permissions are hard to determine, and if someone uploads their own cmd.exe they can still break through, using it to bind cmd.exe to a port or otherwise get a cmdshell. Today I introduce a new method that does not require setting permissions on cmd at all. First the principle: open your cmd command window, run the command cmd /?, and see what you get (Figure 1).
Note the following:
If /D is not specified on the command line, then when CMD.EXE starts it looks for the following REG_SZ/REG_EXPAND_SZ registry variables. If one or both of them exist, they are executed first.
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
and/or
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
This means that if the two values HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun and HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun exist, and you do not start cmd with cmd.exe /D, the programs named in those two values are executed before cmd.exe starts. Hey, what does that bring to mind? Since we can run our own program or script before cmd.exe, we can completely control what cmd.exe does.
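As an added example of the idea just described (not code from the original article), the following PowerShell points both AutoRun values at a small batch file that logs every start of cmd.exe, then audits the values afterwards. The folder and file names are assumptions chosen for this example.

```powershell
# Added example, not from the original article. Placeholder paths: the watcher
# script and its log live under C:\ProgramData\cmdwatch; the administrator must
# ACL that folder so ordinary users can append to the log but not edit the script.
$WatchDir    = 'C:\ProgramData\cmdwatch'
$WatcherPath = Join-Path $WatchDir 'cmdwatch.cmd'
$LogPath     = Join-Path $WatchDir 'cmdwatch.log'
$AutoRunKeys = @(
    'HKLM:\Software\Microsoft\Command Processor',
    'HKCU:\Software\Microsoft\Command Processor'
)

# Batch file that cmd.exe executes before showing a prompt: it appends when, by
# whom, from which session and with what command line cmd.exe was started.
# %CMDCMDLINE% is cmd's built-in variable holding its own command line.
$watcher = @"
@echo off
>> "$LogPath" echo %DATE% %TIME% user=%USERNAME% session=%SESSIONNAME% client=%CLIENTNAME% cmdline=%CMDCMDLINE%
"@

function Install-CmdWatcher {
    # Requires administrator rights for HKLM and for creating the folder.
    New-Item -ItemType Directory -Path $WatchDir -Force | Out-Null
    Set-Content -Path $WatcherPath -Value $watcher -Encoding ASCII
    foreach ($key in $AutoRunKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'AutoRun' -Value "`"$WatcherPath`"" -Type String
    }
}

function Get-CmdAutoRun {
    # Audit both hives. Any AutoRun value other than the watcher (or none) should be
    # investigated: the same key is a well-known persistence location for malware.
    foreach ($key in $AutoRunKeys) {
        $value = (Get-ItemProperty -Path $key -Name 'AutoRun' -ErrorAction SilentlyContinue).AutoRun
        [pscustomobject]@{
            Key      = $key
            AutoRun  = $value
            Expected = ($value -eq "`"$WatcherPath`"")
        }
    }
}

Install-CmdWatcher
Get-CmdAutoRun | Format-Table -AutoSize
```

As the help text quoted above states, the AutoRun values are skipped when cmd is started with /D, and they also fire for every cmd /c invocation from scripts and scheduled tasks, so pair the watcher with monitoring for changes to the AutoRun value itself.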