无忧启动论坛

 找回密码
 注册
搜索
系统gho:最纯净好用系统下载站投放广告、加入VIP会员,请联系 微信:wuyouceo
查看: 3234|回复: 14
打印 上一主题 下一主题

[分享] 64位写字板wordpad.exe添加到RE为底本的骨头版的折腾过程中的一些手记盼有益于后来者

[复制链接]
跳转到指定楼层
1#
发表于 2021-12-17 20:29:45 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
本帖最后由 sairen139 于 2021-12-20 14:18 编辑

64位写字板wordpad.exe添加到RE为底本的骨头版的折腾过程中的一些手记盼有益于后来者

初衷是88mb的骨头网络版pe里不想大动干戈加Office套件那么大体积的东西,想了下微软系统自带的一直被Word光芒所遮掩的写字板程序就挺好的。
因为写字板wordpad.exe只有2mb多的体积。而且wordpad能够创建、打开和修改docx格式的word文档,这对于pe里偶尔要查看修改该格式文档和新建该格式文档倒是颇有裨益!

关于64位wordpad.exe写字板程序的添加手记的折腾过程:首先我运用依赖查询文件找到wordpad.exe的pe依赖文件,然后把这些文件添加到骨头版里依然无法运行写字板程序。后来发现@我是小青蛙的pe加上写字板的几个文件就能运行而且打开docx文件功能正常,大喜之下我把小青蛙的pe削减到能打开写字板为止的一百mb多的骨头版依然可以打开64位的wordpad.exe程序。再然后我把我的骨头版加到和小青蛙pe削减到的文件一摸一样,RE削减出来的骨头版pe里却依然还是无法打开64位的WordPad.exe写字板程序。经询问@我是小青蛙 才知道他的注册表里的唯一没有用RE的文件是software他用了install.wim里的63mb的software注册表文件。我把63mb的software拷贝替换掉我自己骨头版里的9mb的software文件之后,果然能打开wordpad.exe写字板程序了。原来唯一的差别就在software注册表文件里。后来据@slore大神说software里的classes需要补充注册表片段才行,以后有空再测试好了。


最终骨头版pe增加下列64位写字板wordpad.exe组件程序的依赖文件48个即可:
\Program Files\Windows NT\Accessories\wordpad.exe
\Program Files\Windows NT\Accessories\WordpadFilter.dll
\Program Files\Windows NT\Accessories\zh-CN\wordpad.exe.mui
\Windows\SYSTEM32\shellstyle.dll
\Windows\SYSTEM32\UIRibbon.dll
\Windows\SYSTEM32\UIRibbonRes.dll
\Windows\SYSTEM32\OpcServices.dll
\Windows\SYSTEM32\ADVAPI32.dll
\Windows\SYSTEM32\bcrypt.dll
\Windows\SYSTEM32\bcryptPrimitives.dll
\Windows\SYSTEM32\combase.dll
\Windows\SYSTEM32\COMDLG32.dll
\Windows\SYSTEM32\dwmapi.dll
\Windows\SYSTEM32\GDI32.dll
\Windows\SYSTEM32\gdi32full.dll
\Windows\SYSTEM32\iertutil.dll
\Windows\SYSTEM32\IMM32.DLL
\Windows\SYSTEM32\kernel.appcore.dll
\Windows\SYSTEM32\KERNEL32.DLL
\Windows\SYSTEM32\KERNELBASE.dll
\Windows\SYSTEM32\MFC42u.dll
\Windows\SYSTEM32\MSCTF.dll
\Windows\SYSTEM32\MSFTEDIT.DLL
\Windows\SYSTEM32\msvcp_win.dll
\Windows\SYSTEM32\msvcrt.dll
\Windows\SYSTEM32\msxml3.dll
\Windows\SYSTEM32\ntdll.dll
\Windows\SYSTEM32\ntmarta.dll
\Windows\SYSTEM32\OLE32.dll
\Windows\SYSTEM32\oleacc.dll
\Windows\SYSTEM32\OLEAUT32.dll
\Windows\SYSTEM32\PROPSYS.dll
\Windows\SYSTEM32\RPCRT4.dll
\Windows\SYSTEM32\sechost.dll
\Windows\SYSTEM32\shcore.dll
\Windows\SYSTEM32\SHELL32.dll
\Windows\SYSTEM32\SHLWAPI.dll
\Windows\SYSTEM32\TextShaping.dll
\Windows\SYSTEM32\ucrtbase.dll
\Windows\SYSTEM32\urlmon.dll
\Windows\SYSTEM32\USER32.dll
\Windows\SYSTEM32\uxtheme.dll
\Windows\SYSTEM32\win32u.dll
\Windows\SYSTEM32\windows.storage.dll
\Windows\SYSTEM32\windowscodecs.dll
\Windows\SYSTEM32\WINMM.dll
\Windows\SYSTEM32\WINSPOOL.DRV
\Windows\SYSTEM32\wintypes.dll
\Windows\SYSTEM32\Wldp.dll
\Windows\SYSTEM32\WS2_32.dll
\Windows\SYSTEM32\XmlLite.dll

PS:至于这些依赖dll文件相对应的\Windows\System32\zh-CN文件夹里的语言配置文件请对照dll自行添加mui后缀的语言文件即可!


还有一个可加可不加的\Windows\write.exe是用来启动wordpad.exe写字板程序用的,不加也不影响写字板的使用!


最终离线注入WinRE.wim生效的具体注册表只有三行Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{0F7434B6-59B6-4250-999E-D168D6AE4293}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
  52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{32665929-D77E-4ab5-8C08-FBF409B8A233}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
  52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{926749fa-2615-4987-8845-c33e65f2b957}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
  52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"



[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}]
@="rtf persistent handler"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{e2403e98-663b-4df6-b234-687789db8560}"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{3037B4CD-A40B-401B-B676-2017EE8FAFF4}]
@="Wordpad DOCX Filter"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{3037B4CD-A40B-401B-B676-2017EE8FAFF4}\InprocServer32]
@="X:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{6047F837-D527-467E-9DC1-6D51F92D9E45}]
@="Wordpad ODT Filter"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{6047F837-D527-467E-9DC1-6D51F92D9E45}\InprocServer32]
@="X:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}]
@="Wordpad OOXML Document Filter"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{3037B4CD-A40B-401B-B676-2017EE8FAFF4}"

[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}]
@="Wordpad ODT Document Filter"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{6047F837-D527-467E-9DC1-6D51F92D9E45}"



[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.docx]
@="docxfile"
"PerceivedType"="document"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.docx\OpenWithList\WordPad.exe]
@=""
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.docx\PersistentHandler]
@="{698A4FFC-63A3-4E70-8F00-376AD29363FB}"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile]
@="OOXML Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
  00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
  77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
  00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
  2e,00,45,00,58,00,45,00,2c,00,2d,00,33,00,30,00,30,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,2c,00,32,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell]

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell\print\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,20,00,2f,00,70,00,20,00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell\printto\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,20,00,2f,00,70,00,74,00,20,00,22,00,25,00,31,00,22,00,20,00,22,\
  00,25,00,32,00,22,00,20,00,22,00,25,00,33,00,22,00,20,00,22,00,25,00,34,00,\
  22,00,00,00



[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt]
@="odtfile"
"PerceivedType"="document"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt\OpenWithList\WordPad.exe]
@=""

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt\PersistentHandler]
@="{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}"





[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile]
@="ODF Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
  00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
  77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
  00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
  2e,00,45,00,58,00,45,00,2c,00,2d,00,33,00,30,00,31,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,2c,00,33,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\open]

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\print\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,20,00,2f,00,70,00,20,00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\printto\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,20,00,2f,00,70,00,74,00,20,00,22,00,25,00,31,00,22,00,20,00,22,\
  00,25,00,32,00,22,00,20,00,22,00,25,00,33,00,22,00,20,00,22,00,25,00,34,00,\
  22,00,00,00



[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf]
@="rtffile"
"PerceivedType"="document"

[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf\OpenWithList\WordPad.exe]
@=""

[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf\PersistentHandler]
@="{2e2294a9-50d7-4fe7-a09f-e6492e185884}"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile]
@="Rich Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
  00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
  77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
  00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
  2e,00,45,00,58,00,45,00,2c,00,2d,00,31,00,39,00,30,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\CLSID]
@="{73FDDC80-AEA9-101A-98A7-00AA00374959}"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,2c,00,31,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\shell]

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\shell\print\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,20,00,2f,00,70,00,20,00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\shell\printto\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,20,00,2f,00,70,00,74,00,20,00,22,00,25,00,31,00,22,00,20,00,22,\
  00,25,00,32,00,22,00,20,00,22,00,25,00,33,00,22,00,20,00,22,00,25,00,34,00,\
  22,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]
@="{a42c2ccb-67d3-46fa-abe6-7d2f3488c7a3}"










80FA80AA-ED6E-484D-9EF4-A0EAA8C6CF6A.jpeg (3.35 MB, 下载次数: 87)

pe中写字板程序能正常打开docx文件并修改也能直接创建docx文件!

pe中写字板程序能正常打开docx文件并修改也能直接创建docx文件!

C72C5660-290C-4088-AA0A-79097F73D8B9.jpeg (2.19 MB, 下载次数: 99)

纯64位pe中找出了打开64位写字板程序和software注册表里的Classes下面的注册表项目相关!直接导出Classes项 ...

纯64位pe中找出了打开64位写字板程序和software注册表里的Classes下面的注册表项目相关!直接导出Classes项 ...

64位wordpad写字板运行的离线注入RE的关键注册表和格式关联.reg.TXT

10.98 KB, 下载次数: 3, 下载积分: 无忧币 -2

64位wordpad写字板运行的离线注入RE的关键注册表和格式关联.reg

64位wordpad写字板程序的pe依赖文件SYSTEM32下zh-CN目录里的配套语言文件请自己添加.txt

2.14 KB, 下载次数: 3, 下载积分: 无忧币 -2

64位wordpad写字板程序的pe依赖文件SYSTEM32下zh-CN目录里的配套语言文件请自己添加.txt

评分

参与人数 1无忧币 +5 收起 理由
2010hook + 5 有益!

查看全部评分

2#
 楼主| 发表于 2021-12-17 20:32:31 | 只看该作者
本帖最后由 sairen139 于 2021-12-19 22:08 编辑

1早前粗略找了下能让88mb骨头网络版pe里的64位wordpad.exe写字板能运行的software注册表配置文件里可离线导入的涵盖范围条目如下:

2最终离线注入WinRE.wim生效的具体注册表只有三行
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{0F7434B6-59B6-4250-999E-D168D6AE4293}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
  52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{32665929-D77E-4ab5-8C08-FBF409B8A233}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
  52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{926749fa-2615-4987-8845-c33e65f2b957}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
  52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"


全部和缩小到5mb的software里的Classes子项可导入使用.7z

1.22 MB, 下载次数: 4, 下载积分: 无忧币 -2

全部和缩小到5mb的software里的Classes子项64位wordpad.exe可导入使用

64位wordpad写字板运行的离线注入RE的关键注册表.reg.TXT

1.11 KB, 下载次数: 2, 下载积分: 无忧币 -2

64位wordpad写字板运行的离线注入RE的关键注册表.reg.TXT

64位wordpad写字板运行的离线注入RE的关键注册表和格式关联.reg.TXT

10.71 KB, 下载次数: 2, 下载积分: 无忧币 -2

64位wordpad写字板运行的离线注入RE的关键注册表和格式关联.reg

点评

给88mb骨头版pe增加下列64位写字板wordpad.exe组件程序的依赖文件5个即可: \Program Files\Windows NT\Accessories\wordpad.exe \Program Files\Windows NT\Accessories\zh-CN\wordpad.exe.mui \Windows\SYSTEM3  详情 回复 发表于 2021-12-22 22:00
回复

使用道具 举报

3#
发表于 2021-12-18 06:19:06 | 只看该作者
谢谢楼主
回复

使用道具 举报

4#
 楼主| 发表于 2021-12-18 10:32:13 | 只看该作者
本帖最后由 sairen139 于 2021-12-18 10:47 编辑

只要导出Classes子项为reg文件然后把的WOW6432开始的支持32位程序全删除,接着离线把software文件替换进pe减少一半software注册表文件体积!
回复

使用道具 举报

5#
发表于 2021-12-18 14:03:21 | 只看该作者
写得上不。。。。。。。。。。。
回复

使用道具 举报

6#
发表于 2021-12-18 19:43:14 | 只看该作者
说实话,没用过,文本文档倒是老用。
回复

使用道具 举报

7#
发表于 2021-12-20 10:21:49 | 只看该作者
请问大佬,您说的“依赖查询文件”是用的什么工具?

点评

http://bbs.wuyou.net/forum.php?mod=viewthread&tid=416500就有这种工具。 请在我上面贴出的这个帖子主题帖下载!!!!提取程序的依赖文件.zip  详情 回复 发表于 2021-12-20 10:26
回复

使用道具 举报

8#
 楼主| 发表于 2021-12-20 10:26:09 | 只看该作者
某些人 发表于 2021-12-20 10:21
请问大佬,您说的“依赖查询文件”是用的什么工具?

http://bbs.wuyou.net/forum.php?mod=viewthread&tid=416500就有这种工具。
请在我上面贴出的这个帖子主题帖下载!!!!提取程序的依赖文件.zip
回复

使用道具 举报

9#
 楼主| 发表于 2021-12-20 14:20:18 | 只看该作者
WinRE.wim里缺失需要从install.wim里提取的写字板组件及其依赖共7个文件和离线注册表reg片段:
\Program Files\Windows NT\Accessories\wordpad.exe
\Program Files\Windows NT\Accessories\WordpadFilter.dll
\Program Files\Windows NT\Accessories\zh-CN\wordpad.exe.mui
\Windows\SYSTEM32\shellstyle.dll
\Windows\SYSTEM32\UIRibbon.dll
\Windows\SYSTEM32\UIRibbonRes.dll
\Windows\SYSTEM32\UIRibbon.dll\zh-CN\UIRibbon.dll.mui

wordpad写字板组件install里提取的7个文件和离线导入注册表片段.zip

2.98 MB, 下载次数: 4, 下载积分: 无忧币 -2

wordpad写字板组件install里提取的7个文件和离线导入注册表片段

回复

使用道具 举报

10#
发表于 2021-12-21 10:56:24 | 只看该作者
本帖最后由 fkltd-123 于 2021-12-21 11:03 编辑

123456789

2021.12.12-.png (1.15 MB, 下载次数: 95)

2021.12.12-.png

点评

请教这个右键新建RTF文档怎么修改注册表搞出来的?  详情 回复 发表于 2021-12-21 12:10
回复

使用道具 举报

11#
 楼主| 发表于 2021-12-21 12:10:36 | 只看该作者

请教这个右键新建RTF文档怎么修改注册表搞出来的?
回复

使用道具 举报

12#
发表于 2021-12-21 13:18:02 来自手机 | 只看该作者
去win10搬,classes下的. txt之类的。
回复

使用道具 举报

13#
 楼主| 发表于 2021-12-22 22:00:50 | 只看该作者
sairen139 发表于 2021-12-17 20:32
1早前粗略找了下能让88mb骨头网络版pe里的64位wordpad.exe写字板能运行的software注册表配置文件里可离线导 ...

给88mb骨头版pe增加下列64位写字板wordpad.exe组件程序的依赖文件5个即可:
\Program Files\Windows NT\Accessories\wordpad.exe
\Program Files\Windows NT\Accessories\zh-CN\wordpad.exe.mui
\Windows\SYSTEM32\UIRibbon.dll
\Windows\SYSTEM32\UIRibbonRes.dll
\Windows\SYSTEM32\OpcServices.dll
\Windows\SYSTEM32\MFC42u.dll
\Windows\SYSTEM32\MSFTEDIT.DLL


右键新建菜单能直接生成docx和RTF文档的添加wordpad写字板组件所需的注册表如下:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{0F7434B6-59B6-4250-999E-D168D6AE4293}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
  52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{32665929-D77E-4ab5-8C08-FBF409B8A233}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
  52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{926749fa-2615-4987-8845-c33e65f2b957}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
  52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"



[HKEY_LOCAL_MACHINE\pe-software\Classes\.docx\ShellNew]
"NullFile"=""

[HKEY_LOCAL_MACHINE\pe-software\Classes\.docx]
"PerceivedType"="document"
@="docxfile"

[HKEY_LOCAL_MACHINE\pe-software\Classes\.docx\OpenWithList\WordPad.exe]
@=""

[HKEY_LOCAL_MACHINE\pe-software\Classes\.docx\PersistentHandler]
@="{698A4FFC-63A3-4E70-8F00-376AD29363FB}"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile]
@="OOXML Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
  00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
  77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
  00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
  2e,00,45,00,58,00,45,00,2c,00,2d,00,33,00,30,00,30,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,2c,00,32,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00


[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf\ShellNew]
"Data"="{\\rtf1}"
"ItemName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
  69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
  00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,\
  69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,\
  00,58,00,45,00,2c,00,2d,00,32,00,31,00,33,00,00,00

[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf]
"PerceivedType"="document"
@="rtffile"

[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf\OpenWithList\WordPad.exe]
@=""

[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf\PersistentHandler]
@="{2e2294a9-50d7-4fe7-a09f-e6492e185884}"

[HKEY_LOCAL_MACHINE\pe-software\Classes\rtffile]
@="Rich Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
  00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
  77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
  00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
  2e,00,45,00,58,00,45,00,2c,00,2d,00,31,00,39,00,30,00,00,00

[HKEY_LOCAL_MACHINE\pe-software\Classes\rtffile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,2c,00,31,00,00,00

[HKEY_LOCAL_MACHINE\pe-software\Classes\rtffile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00




[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt]
@="odtfile"
"PerceivedType"="document"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt\OpenWithList\WordPad.exe]
@=""

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt\PersistentHandler]
@="{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}"

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile]
@="ODF Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
  00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
  77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
  00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
  2e,00,45,00,58,00,45,00,2c,00,2d,00,33,00,30,00,31,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,2c,00,33,00,00,00

[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
  00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
  45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00

WordPad写字板依赖文件注册表生效三条和配置.7z

3.97 MB, 下载次数: 15, 下载积分: 无忧币 -2

WordPad写字板依赖文件注册表生效三条和配置.7z

回复

使用道具 举报

14#
发表于 2024-10-19 19:59:57 | 只看该作者
在我的豪华版骨头PE里,用wordpad.exe关联文件,只需要下述3个文件及对应mui文件,以及在PE里在线添加注册表即可:

wordpad.exe
UIRibbon.dll
UIRibbonRes.dll

[HKEY_CLASSES_ROOT\.doc\shell\open\command]  
@="\"X:\\Windows\\System32\\wordpad.exe\" \"%1\""

[HKEY_CLASSES_ROOT\.docx\shell\open\command]  
@="\"X:\\Windows\\System32\\wordpad.exe\" \"%1\""

[HKEY_CLASSES_ROOT\.rtf\shell\open\command]  
@="\"X:\\Windows\\System32\\wordpad.exe\" \"%1\""

[HKEY_CLASSES_ROOT\.odt\shell\open\command]  
@="\"X:\\Windows\\System32\\wordpad.exe\" \"%1\""
回复

使用道具 举报

15#
发表于 2024-11-5 22:10:10 | 只看该作者
感谢分享
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 注册

本版积分规则

小黑屋|手机版|Archiver|捐助支持|无忧启动 ( 闽ICP备05002490号-1 )

闽公网安备 35020302032614号

GMT+8, 2024-11-22 20:13

Powered by Discuz! X3.3

© 2001-2017 Comsenz Inc.

快速回复 返回顶部 返回列表